ASTM F3479-20
Standard Specification for Failure Tolerance for Occupant Safety of Suborbital Vehicles (Specification)
SCOPE
1.1 This specification provides system safety engineering and failure tolerance requirements applicable to occupant safety for suborbital vehicles.
1.2 This specification is not intended to provide failure tolerance requirements for conditions that do not impact occupant safety. For example, conditions resulting in facility damage, vehicle damage, loss of mission objectives, or adverse impact to public safety that do not also have an impact to occupant safety are not subject to the requirements identified in this specification. This specification does not address malfunctions caused by malicious attacks on software systems.
1.3 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.
1.4 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
General Information
- Status: Published
- Publication Date: 30-Sep-2020
- Technical Committee: F47 - Commercial Spaceflight
- Drafting Committee: F47.01 - Occupant Safety
Overview
ASTM F3479-20: Standard Specification for Failure Tolerance for Occupant Safety of Suborbital Vehicles provides comprehensive system safety engineering and failure tolerance requirements specifically aimed at protecting occupants of suborbital vehicles. Developed by the ASTM Committee F47 on Commercial Spaceflight, this international standard is in accordance with globally recognized principles for standardization, supporting safe and reliable suborbital space travel.
This standard is intended exclusively for scenarios that impact occupant safety in suborbital vehicles. It does not address failure situations that only affect vehicle integrity, facility assets, mission objectives, or public safety unless occupant safety is also at risk. It also does not include hazards from malicious software attacks.
Key Topics
System Safety Engineering Process
- Mandates a structured process for hazard identification, risk assessment, mitigation, and verification.
- Requires thorough documentation of hazards, their root causes, and safety-critical functions in the vehicle.
- Enforces updates to hazard analysis following design or operational changes or identified anomalies.
Hazard Control and Risk Mitigation
- Requires a hazard control strategy that prevents the hazard or reduces its risk to an acceptable level, using controls such as:
- Failure tolerance
- Sufficient design margins
- Operational constraints and monitoring of safety-critical systems
- An environmental qualification and acceptance testing program
- Operating and emergency response procedures
- Training or certification
- Requires objective verification evidence that the selected controls have actually been implemented.
Software and Human Error Tolerance
- Treats hazards from computing systems and software as an integral part of the system safety engineering process.
- Calls for a documented software development, verification and maintenance process covering development standards, design, validation and verification, the approach to off-the-shelf software, and independent review to find and remove latent design errors.
- Requires a defined method for assessing the contribution of human error to catastrophic events (THERP, HEART and Human-HAZOP are cited as examples), and requires that no single human action, or failure to act, can result in a catastrophic event.
Hardware Failure Tolerance
- Requires that hazards which can lead to a catastrophic event be controlled with no less than single failure tolerance for hardware failures, with a risk-informed approach used to decide where greater than single failure tolerance is appropriate.
- Single points of failure, such as primary structure, pressure vessels and pressurized lines and fittings, may be exempted only where high confidence in their reliability is established through controls on design, manufacturing, operations and maintenance over the life of the system.
Common Cause Assessment
- Instructs on the identification and mitigation of potential common mode failures that may compromise overall system failure tolerance. Examples include shared environments, procedures, or design.
Limitations on Crew Intervention
- If failure tolerance relies on crew intervention (for example, activating a backup system), the system must provide cues indicating the need for intervention, and the intervention time budget must cover both recognizing the cue and performing the action. If the cues are inadequate, or the intervention time exceeds the time to criticality of the failure condition (with margin for variation in crew response), the system must meet its failure tolerance requirements without relying on crew action.
Applications
The ASTM F3479-20 standard is essential for organizations and engineers involved in:
- Suborbital Vehicle Design and Safety Compliance
- Integrating structured failure tolerance strategies into vehicle architecture and operational planning.
- System and Software Engineering
- Aligning software development, verification, and certification activities with internationally accepted safety practices.
- Operations, Training, and Emergency Response
- Preparing operators and crew with procedures, hazard controls, and training to manage identified risks.
- Certification and Regulatory Affairs
- Demonstrating compliance with widely recognized industry standards to meet regulatory and customer expectations for occupant safety.
This standard provides a framework for risk-informed decision-making, life-cycle safety management, and comprehensive hazard analysis, supporting the safe advancement of suborbital space tourism, research flights, and related activities.
Related Standards
For a robust safety management approach, ASTM F3479-20 references and aligns with several established standards, including:
- RTCA DO-178: Software Considerations in Airborne Systems and Equipment Certification
- RTCA DO-278: Software Integrity Assurance Considerations for Communication, Navigation, Surveillance and Air Traffic Management (CNS/ATM) Systems
- SAE ARP 4754A: Guidelines for Development of Civil Aircraft and Systems
- SAE ARP 4761: Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment
- NASA/SP-2010-580 and NASA/SP-2014-612: NASA System Safety Handbook, Volumes 1 and 2
- IEEE/EIA 12207: Systems and Software Engineering
- MIL-STD-882E: Department of Defense Standard Practice, System Safety
These references help ensure harmonized safety engineering, software development, and risk assessment methodologies across the aerospace and suborbital vehicle industries.
Keywords
- Failure tolerance
- Suborbital vehicle safety
- Occupant safety
- System safety engineering
- Human error tolerance
- Hardware failure tolerance
- Hazard analysis
- Spaceflight standards
- Suborbital vehicle design compliance
Frequently Asked Questions
ASTM F3479-20 is a technical specification published by ASTM International. Its full title is "Standard Specification for Failure Tolerance for Occupant Safety of Suborbital Vehicles". Its scope is the Scope section (1.1 to 1.4) quoted above.
ASTM F3479-20 is classified under the following ICS (International Classification for Standards) categories: 49.020 - Aircraft and space vehicles in general; 49.140 - Space systems and operations. The ICS classification helps identify the subject area and facilitates finding related standards.
Standards Content (Sample)
This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
Designation: F3479 − 20
Standard Specification for Failure Tolerance for Occupant Safety of Suborbital Vehicles
This standard is issued under the fixed designation F3479; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.
1. Scope
1.1 This specification provides system safety engineering and failure tolerance requirements applicable to occupant safety for suborbital vehicles.
1.2 This specification is not intended to provide failure tolerance requirements for conditions that do not impact occupant safety. For example, conditions resulting in facility damage, vehicle damage, loss of mission objectives, or adverse impact to public safety that do not also have an impact to occupant safety are not subject to the requirements identified in this specification. This specification does not address malfunctions caused by malicious attacks on software systems.
1.3 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.
1.4 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
2. Referenced Documents
2.1 NASA Handbooks:
NASA/SP-2010-580 NASA System Safety Handbook Volume 1: System Safety Framework and Concepts for Implementation
NASA/SP-2014-612 NASA System Safety Handbook Volume 2: System Safety Concepts, Guidelines, and Implementation Examples
2.2 RTCA Standards:
RTCA DO-178 Software Considerations in Airborne Systems and Equipment Certification
RTCA DO-278 Software Integrity Assurance Considerations for Communication, Navigation, Surveillance and Air Traffic Management (CNS/ATM) Systems
2.3 SAE Standards:
SAE ARP 4754A Guidelines for Development of Civil Aircraft and Systems
SAE ARP 4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment
2.4 Other Standards:
IEEE/EIA 12207 International Standard - Systems and software engineering
MIL-STD-882E Department of Defense Standard Practice System Safety
3. Terminology
3.1 Definitions:
3.1.1 catastrophic event—loss of life or permanent disability for the purposes of this specification.
3.1.2 failure condition—a condition, or set of conditions, that affects the operation of a component, part, or element such that it can no longer function as intended. Types of failure conditions that should be considered include:
3.1.2.1 incorrect function—incorrect functional output(s), when required, and functional outputs produced at the wrong time (inadvertent function).
3.1.2.2 loss of function—the absence of functional output(s), when required.
3.1.2.3 safety critical function or item—a failure of the function or item causes one or more failure conditions that result in a catastrophic event.
3.1.3 failure tolerance—the ability to sustain a certain number of failures and still retain capability to satisfy safety objectives.
This specification is under the jurisdiction of ASTM Committee F47 on Commercial Spaceflight and is the direct responsibility of Subcommittee F47.01 on Occupant Safety of Suborbital Vehicles. Current edition approved Oct. 1, 2020. Published November 2020. DOI: 10.1520/F3479-20
Available from NASA Technical Reports Server (NTRS), NASA Headquarters, 300 E. Street, SW, Suite 5R30, Washington, DC 20546, https://ntrs.nasa.gov.
Available from RTCA, Inc. (RTCA), 1150 18th NW, Suite 910, Washington, DC 20036, https://www.rtca.org.
Available from SAE International (SAE), 400 Commonwealth Dr., Warrendale, PA 15096, http://www.sae.org.
Available from Institute of Electrical and Electronics Engineers, Inc. (IEEE), 445 Hoes Ln., Piscataway, NJ 08854-4141, http://www.ieee.org.
Available from DLA Document Services, Building 4/D, 700 Robbins Ave., Philadelphia, PA 19111-5094, http://quicksearch.dla.mil.
Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States
4. Requirements
4.1 System Safety Engineering:
4.1.1 A structured system safety engineering process shall be implemented to identify and characterize each hazard, assess the risk to occupant safety, reduce risks through the use of hazard elimination and mitigation measures, and verify that risks have been reduced to an acceptable level. The process shall:
4.1.1.1 Identify and describe hazards and the associated causes, including those that result from:
(1) Component, subsystem, or system failures;
(2) Software errors and operations;
(3) Human errors;
(4) Functional and physical interfaces;
(5) Incompatible materials;
(6) Environmental conditions;
(7) Biological sources; and
(8) Interactions of any of the above.
4.1.1.2 Identify and describe each safety-critical system and function.
4.1.1.3 Implement a hazard control strategy that will prevent the occurrence of the hazard, or mitigate the risk to an acceptable level. These hazard controls may include, but are not limited to, the following:
(1) Failure tolerance,
(2) Sufficient design margins,
(3) Operational constraints,
(4) Monitoring of safety-critical systems,
(5) An environmental qualification and acceptance testing program,
(6) Operating and emergency response procedures, and
(7) Training or certification.
4.1.1.4 Verify that the hazard controls and risk mitigation measures have been successfully implemented through objective verification evidence.
4.1.1.5 Assess the impact of design or operational changes, including review of all existing hazard analyses and updating as necessary to reflect any new causes, mitigations, and changes to overall risk.
4.1.1.6 Assess the impact of reported problems/anomalies against a fielded system configuration, including:
(1) Reviewing all existing hazard analyses and updating as necessary to reflect any new causes, mitigations, or changes to overall risk.
(2) Disposition the continued use of the fielded system configuration with which the reported problems/anomalies are associated.
4.1.1.7 See Appendix X2 for additional considerations.
4.1.2 Software System Safety:
4.1.2.1 Hazards from computing systems and software should be considered as an integral component of the system safety engineering process as outlined in 4.1.
4.1.2.2 A software development and verification process and maintenance approach should be documented and maintained. The process should, at a minimum, include:
(1) Software development methods and standards, including how intended software behaviors are defined.
(2) Software design (for example, architecture definition, components/modules definition, interface definition, data definitions).
(3) Validation and verification, including integration verification.
(4) Approach to analyze and approve off-the-shelf software.
(5) Activities that support identification and removal of latent design errors in any and all software lifecycle data, with independence. In this context, independence reduces the opportunity for latent design errors by relying on a second set of eyes. Examples of independence include review by peers in the same organization, by a separate organization within the company, or by a third party.
4.1.3 Methods for Addressing Human Error—A method for assessing human errors shall be defined to assess the contribution of human errors to catastrophic events. The method should facilitate characterization of human error risk as well as tolerance of the system to human errors that may result in a catastrophic event, regardless of likelihood.
4.1.4 Industry System Safety Standards and Methods—Note that the listing of the following standards shall not be construed to constrain compliance with system safety engineering requirements only by means of the listed standards. Other system safety engineering approaches may be employed provided that they are evaluated for compliance with this specification. The compliance matrix in Appendix X1 provides an example for capturing compliance. Compliance with the following system safety standards is expected to satisfy the system safety engineering requirements of this specification:
4.1.4.1 SAE ARP-4761,
4.1.4.2 SAE ARP-4754,
4.1.4.3 MIL-STD-882E,
4.1.4.4 NASA System Safety Handbook Volume 1 and Volume 2, and
4.1.4.5 Software safety standards:
(1) RTCA DO-178,
(2) RTCA DO-278,
(3) IEEE/EIA 12207, and
4.1.4.6 Human error assessment methods:
(1) Technique for human error-rate prediction (THERP),
(2) Human error assessment and reduction technique (HEART), and
(3) Human/procedure hazard and operability study (Human-HAZOP).
4.2 Hardware Failure Tolerance to Catastrophic Events—The vehicle shall control hazards that can lead to catastrophic events with no less than single failure tolerance for hardware failures. A risk-informed approach may be employed to determine where greater than single failure tolerance is appropriate. For zero fault tolerant items, see Section 5 covering Single Points of Failure.
4.3 Human Error Tolerance to Catastrophic Events—No single inadvertent action, incorrect action, or failure to perform an action shall result in a catastrophic event. In specific cases where human error does not immediately or irreversibly result in a catastrophic event—events for which corrective actions are possible, where cues that show the need for corrective action are available, and where sufficient time exists for crew to reliably recognize the condition and respond with corrective action—this requirement is satisfied.
5. Single Points of Failure
5.1 Where high confidence can be established in the reliability of a component for which a failure, on its own, results in a catastrophic event, exemption may be claimed against the failure tolerance requirements in this specification. Such components represent single points of failure. Examples of single points of failure typically include, but are not limited to, structural failure of primary structure, pressure vessels, and pressurized lines and fittings. Other examples include components where it is either impractical or impossible to implement a design solution that would satisfy failure tolerance requirements.
5.2 Strategies shall be implemented to establish confidence in the expected reliability of single point of failure components for the specific failure conditions that result in a catastrophic event. Strategies should ensure the design adequately controls the likelihood of such component failures, ensure that the manufacturing process adequately controls manufacturing defects that would increase the likelihood of failure of such components, and ensure that the operations and maintenance processes adequately control the likelihood of such component failures over the life of the system. Examples of strategies include, but are not limited to, understanding and bounding the failure modes and environments, ... characteristics, component life tracking and limited life parts inspection and preemptive replacement.
6. Common Cause Assessment
6.1 A common cause assessment (CCA) shall be performed to identify any potential sources of failure that may compromise the failure tolerance of the system (that is, the hardware failure tolerance requirements defined in this specification). Common cause sources to be considered include, but are not limited to, common design, common environments, common location, and common procedures.
7. Limitations on Failure Tolerance
7.1 If crew intervention is required to satisfy failure tolerance requirements (for example, by activating a backup system), the system shall provide cues indicating the need for crew intervention, and the time required for crew intervention shall include time for the crew to recognize intervention cues and the time to perform the intervention. If the cues are inadequate to provide sufficient crew recognition, and the time required for crew intervention exceeds the time to criticality of a failure condition that would result in a catastrophic event (with acceptable margin to account for variation in crew response), then the system shall be designed to satisfy its failure tolerance requirements without relying on crew intervention.
8. Keywords
...
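As an added example that is not part of the standard or of this page: the checks in 4.2 (no less than single failure tolerance for hardware), 5 (exemptions for accepted single points of failure) and 6 (common cause assessment) can be applied mechanically once a hazard has been modelled as a fault tree. The Python below computes the minimal cut sets of such a tree, collapses items that share a common cause into one independent failure source, and flags every cut set that one independent failure can reach unless that item is on the accepted single-point-of-failure list. The hazard, the item names and the common-cause groups are constructed for illustration only; the standard prescribes no particular tool, notation or tree structure.

```python
"""Single failure tolerance check with common cause collapse.

Added example in the spirit of ASTM F3479-20 sections 4.2, 5 and 6; it is
not text or code from the standard.  A hazard is modelled as a small fault
tree over hardware items; the analysis finds the minimal cut sets, collapses
items that share a common cause (section 6), and flags any cut set that a
single independent failure reaches unless that item is an accepted single
point of failure (section 5).  All item names and groups are constructed.
"""


def cut_sets(tree):
    """Return the minimal cut sets of a fault tree as a set of frozensets.

    A leaf is a string naming a hardware item whose failure is considered.
    An internal node is ("AND", child, ...) or ("OR", child, ...).
    """
    if isinstance(tree, str):
        return {frozenset([tree])}
    gate, *children = tree
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        # Any one child's cut set alone reaches the top event.
        result = set().union(*child_sets)
    elif gate == "AND":
        # Every child must fail: combine one cut set from each child.
        result = {frozenset()}
        for sets in child_sets:
            result = {a | b for a in result for b in sets}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimise(result)


def minimise(sets):
    """Keep only minimal cut sets (drop any that strictly contains another)."""
    return {s for s in sets if not any(other < s for other in sets)}


def independent_sources(cut, common_cause):
    """Collapse a cut set to its independent failure sources (section 6).

    Items mapped to the same common-cause group (shared design, environment,
    location or procedure) count as one source: one cause can fail them all.
    """
    return frozenset(common_cause.get(item, item) for item in cut)


def assess(tree, accepted_spof=frozenset(), common_cause=None):
    """Check a hazard's fault tree for single failure tolerance (section 4.2).

    Returns a sorted list of (cut_set, sources, verdict) tuples:
      'tolerant'       at least two independent failures are needed;
      'spof-accepted'  a single item on the accepted single-point-of-failure list;
      'violation'      one independent failure (or one common cause) suffices.
    """
    common_cause = common_cause or {}
    report = []
    for cut in cut_sets(tree):
        sources = independent_sources(cut, common_cause)
        if len(sources) >= 2:
            verdict = "tolerant"
        elif len(cut) == 1 and next(iter(cut)) in accepted_spof:
            verdict = "spof-accepted"
        else:
            verdict = "violation"
        report.append((tuple(sorted(cut)), tuple(sorted(sources)), verdict))
    return sorted(report)


# Constructed hazard: loss of cabin pressure control.  The top event occurs if
# the pressure vessel fails, if both redundant vent valves fail, if both flight
# controllers fail, or if the single power bus feeding both controllers fails.
EXAMPLE_TREE = (
    "OR",
    "pressure_vessel",
    ("AND", "vent_valve_A", "vent_valve_B"),
    ("AND", "ctrl_primary", "ctrl_backup"),
    "bus_power",
)

# Section 5 exemption claimed for the pressure vessel (reliability substantiated).
ACCEPTED_SPOF = frozenset({"pressure_vessel"})

# Section 6: both vent valves are the same design in the same compartment, so a
# design defect or one environmental event could fail both together.
COMMON_CAUSE = {"vent_valve_A": "valve_design_X", "vent_valve_B": "valve_design_X"}


def example_report():
    """Run the assessment on the constructed hazard."""
    return assess(EXAMPLE_TREE, ACCEPTED_SPOF, COMMON_CAUSE)


if __name__ == "__main__":
    for cut, sources, verdict in example_report():
        print(f"{verdict:14s} cut set={cut} independent sources={sources}")
```

Run as written, the report shows the two findings the standard's rules are meant to surface: the shared power bus is an unaccepted single point of failure that the redundant controllers do nothing about, and the valve pair, which looks single-fault tolerant in the tree, collapses to one source once the common design is recorded, so it fails the check until the CCA is resolved (different design, separation, or an accepted exemption with the section 5 reliability evidence). The fault tree itself is the analyst's model; the code only makes the 4.2/5/6 decision repeatable over it.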



