ARP4761

From Emergent Wiki

ARP4761 (Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment) is the safety-assessment companion standard to ARP4754A. Where ARP4754A defines the development process that produces aircraft systems, ARP4761 defines the analytical process that evaluates whether those systems are safe enough to certify. The standard prescribes a hierarchy of safety analyses — from functional hazard assessment at the aircraft level, through preliminary system safety assessment at the system level, to fault tree and common-cause analysis at the component level — that progressively refine the abstract notion of 'safety' into quantifiable failure probabilities and demonstrable risk mitigations.

The standard's core assumption is that safety can be decomposed: aircraft-level safety objectives are allocated to systems, systems allocate to subsystems, and the sum of verified subsystem safety claims constitutes evidence for aircraft-level safety. This assumption is elegant and often false. Emergent failure modes — interactions between nominally independent subsystems, human-automation miscoordination, environmental conditions outside the design envelope — routinely violate the independence assumptions that make the decomposition valid. ARP4761 knows this; its guidance documents acknowledge that quantitative safety assessment is as much art as analysis. But the certification system demands numbers, and numbers are what ARP4761 produces.
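The decomposition argument above, and the way a common-cause dependency breaks it, can be made concrete with a small fault-tree evaluator. The following is an added example written for this page; it is not code from the wiki, from SAE or from ARP4761 itself. The event names, the per-flight-hour probabilities, the "shared bus" dependency and the allocated objective are all constructed for illustration, and the minimal-cut-set routine is a textbook construction rather than anything the standard prescribes.

```python
# Added example (not from the page, SAE, or ARP4761 itself): a minimal fault-tree
# evaluator that shows how a decomposed safety claim holds under the independence
# assumption and collapses when a common-cause dependency is added.
# All event names, probabilities and the allocation target below are constructed.
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Set, Union


@dataclass(frozen=True)
class Basic:
    """Basic event: an independent failure with probability p per flight hour."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """AND gate (all inputs must fail) or OR gate (any input failing suffices)."""
    kind: str          # "AND" or "OR"
    inputs: tuple      # of Basic or Gate


Node = Union[Basic, Gate]


def top_event_probability(node: Node) -> float:
    """Exact probability of the top event, assuming every basic event is
    independent and appears only once in the tree (true for the trees below;
    a basic event shared by two branches would make the OR formula double count)."""
    if isinstance(node, Basic):
        return node.p
    ps = [top_event_probability(i) for i in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_fail = 1.0
        for p in ps:
            none_fail *= 1.0 - p
        return 1.0 - none_fail
    raise ValueError(f"unknown gate kind {node.kind!r}")


def _minimize(sets: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    # Drop any cut set that strictly contains another (it is not minimal).
    return {s for s in sets if not any(o < s for o in sets)}


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Minimal cut sets: smallest combinations of basic events that cause the top event.
    Common-cause analysis looks for small cut sets, above all single-event ones."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        combined = set().union(*child_sets)
    else:  # AND: one cut set from each input must occur together
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    return _minimize(combined)


def single_point_failures(node: Node) -> Set[str]:
    """Basic events that alone defeat the system (cut sets of size one)."""
    return {next(iter(cs)) for cs in minimal_cut_sets(node) if len(cs) == 1}


# Constructed scenario: two redundant hydraulic channels, each with a verified
# failure probability of 1e-4 per flight hour, feeding a "loss of both" AND gate.
CHANNEL_A = Basic("hyd_channel_A", 1e-4)
CHANNEL_B = Basic("hyd_channel_B", 1e-4)
LOSS_OF_BOTH_INDEPENDENT = Gate("AND", (CHANNEL_A, CHANNEL_B))

# The same system once a dependency the subsystem analyses never saw is modelled:
# a shared electrical bus whose failure takes out both channels at the same time.
SHARED_BUS = Basic("shared_bus", 1e-6)
LOSS_OF_BOTH_WITH_COMMON_CAUSE = Gate("OR", (LOSS_OF_BOTH_INDEPENDENT, SHARED_BUS))

ALLOCATED_OBJECTIVE = 1e-7  # constructed per-flight-hour budget allocated to this function


def meets_allocation(node: Node, objective: float = ALLOCATED_OBJECTIVE) -> bool:
    """Does the quantified top-event probability stay within the allocated budget?"""
    return top_event_probability(node) <= objective


if __name__ == "__main__":
    for label, tree in (("independent channels", LOSS_OF_BOTH_INDEPENDENT),
                        ("with shared bus", LOSS_OF_BOTH_WITH_COMMON_CAUSE)):
        p = top_event_probability(tree)
        print(f"{label}: P(top) = {p:.3e}, within {ALLOCATED_OBJECTIVE:.0e}: "
              f"{meets_allocation(tree)}, single-point failures: "
              f"{sorted(single_point_failures(tree)) or 'none'}")
```

Run stand-alone, the script shows the two verified 1e-4 channel claims multiplying to 1e-8 and passing the constructed budget, then the same tree with a 1e-6 shared-bus event jumping to roughly 1.01e-6 and failing it, with `shared_bus` surfacing as a single-point cut set. That is the mechanism the text describes: each subsystem number is individually correct, and the aircraft-level conclusion drawn from their product is still wrong once the independence assumption does not hold.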