Written By: Mike Ingram, President & CEO
Shadin converter products are pretty far down the tier levels of products delivered to an aircraft. We are the ‘glue’ that avionics need to talk to each other. Hopefully we’ve been designed into the program, but many times there is an ‘oh sh*t, call Shadin’ moment. Either way, the data passing through a Shadin converter will need to meet the same certification levels as your systems being integrated.
Before jumping into the avionics certification activities, I need to start at the airplane level. The OEM must define an Aircraft Fault Hazard Assessment (AFHA) and a Preliminary Aircraft Safety Assessment (PASA). The AFHA contains all the hazards and failures that could happen to the aircraft independent of the aircraft design. The PASA is the document that contains the analysis of impacts when there are interdependencies within the proposed architecture. It shows what effect one system failure, e.g. the electrical system, has on the failure modes in the AFHA. So, the main purpose of the PASA is to evaluate multiple architectures to determine the best one with the lowest risk. The AFHA and PASA are used to define the safety levels required for the aircraft ‘Systems’, from which those of the avionics ‘system’ and the individual avionics units are derived.
Avionics certification starts with the System Functional Hazard Assessment (SFHA) that is flowed down from the AFHA. The avionics supplier would then build a Preliminary System Safety Assessment (PSSA) to determine what level of criticality the equipment needs to meet. The PSSA is based on the aircraft architecture and the type of aircraft. The aircraft and avionics safety assessment processes follow the guidance in the FAA Advisory Circulars (ACs) (AC 23 or 25-1309) on the condition level for what happens when the avionics fail or present hazardous or misleading information. There are five levels – Catastrophic, Hazardous, Major, Minor, and No Effect – and each maps to a level of integrity that the avionics must meet. For example, catastrophic events may happen no more often than once in 10^9 times or hours; that’s once in a billion hours.
FAA Certification Condition Levels
- Catastrophic – Failure likely to cause deaths, usually with loss of the airplane.
- Hazardous – Failure has a large negative impact on safety or performance, or reduces the ability of the crew to operate the aircraft due to physical distress or a higher workload, or causes serious or fatal injuries among the passengers.
- Major – Failure significantly reduces the safety margin or significantly increases crew workload. May result in passenger discomfort (or even minor injuries).
- Minor – Failure slightly reduces the safety margin or slightly increases crew workload. Examples might include causing passenger inconvenience or a routine flight plan change.
- No Effect – Failure has no impact on safety, aircraft operation, or crew workload.
These levels also ‘map’ to the Functional Development Assurance Level (FDAL) that the software or firmware needs to be designed to; in other words, the rigor with which the engineers must verify and test their code. It’s a bit more involved, but for simplicity’s sake you could map Catastrophic to FDAL-A, Hazardous to FDAL-B, Major to FDAL-C, Minor to FDAL-D, and No Effect to FDAL-E. The guidance on what steps need to be followed to meet these different FDAL levels is contained in DO-178C for software compliance and DO-254 for firmware (the code in an FPGA or ASIC) compliance.
Onward… the avionics must be certified on an aircraft platform as part of the airplane Type Certificate (TC) or Supplemental Type Certificate (STC). The STC is used for retrofitting equipment onto a previously TC’d plane. Lilium recently posted their plans to achieve the TC on their 7-seat eVTOL (https://lilium.com/newsroom-detail/path-to-certification-of-the-7-seater-lilium-jet, it is worth reading).
For avionics components, there are a few different paths – Parts Manufacture Authorization (PMA), TSO-A, or being directly incorporated into the TC. The best path for the avionics supplier is to TSO, since this enables the customer to integrate the TSO’d part more easily without needing to re-do much, if any, certification on the part. In order to submit for a TSO, your company must have an FAA-approved quality management system, and sorry folks, being AS9100 certified is not good enough.
Ok, I’ll end it there for this week and dive down the TSO path for next week. Thanks for reading.