Functional Hazard Assessment
Functional Hazard Assessment (FHA) is the top-level safety analysis prescribed by ARP4761 and ARP4754A for civil aircraft development. It is conducted at the aircraft level — before subsystems are designed — and asks a deceptively simple question: what could go wrong, and how bad would it be? The assessment enumerates aircraft functions (flight, navigation, communication, landing) and assigns each a hazard classification based on the severity of its failure: from No Safety Effect (Class E) to Catastrophic (Class A). These classifications are not estimates of probability; they are judgments of consequence. A function whose failure would kill everyone on board is Class A regardless of how unlikely that failure is.
The FHA's power lies in its position at the top of the safety pyramid. Every subsequent analysis — preliminary system safety assessment, fault tree analysis, common-cause analysis — inherits the hazard classes defined here. If the FHA misclassifies a hazard, or misses a functional interaction that produces an emergent failure mode, the entire safety architecture downstream is compromised. The standard recognizes this and prescribes a structured process: functional decomposition, failure condition identification, hazard classification, and verification that the classification is complete. But completeness is not verifiable. The FHA is a creative act masquerading as a mechanical one, and its quality depends on the imagination of the engineers conducting it.
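The bookkeeping the process above prescribes can be modelled in a few lines, and doing so makes the last point concrete. The following is an added illustration, not from ARP4761 or any certification programme: each function carries its failure conditions, each condition carries a consequence class and deliberately no probability, and the completeness check can only find structural gaps (unanalysed functions, unclassified conditions), never a failure mode nobody thought of. Function names and classifications are constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

class HazardClass(IntEnum):
    """ARP4761 consequence classes, ordered so that min() yields the most severe."""
    A = 1  # Catastrophic
    B = 2  # Hazardous
    C = 3  # Major
    D = 4  # Minor
    E = 5  # No Safety Effect

@dataclass
class FailureCondition:
    description: str
    phase: str                           # flight phase in which the effect is judged
    hazard_class: Optional[HazardClass]  # consequence only; no probability field, by design

@dataclass
class Function:
    name: str
    conditions: list = field(default_factory=list)

def worst_class(fn: Function) -> Optional[HazardClass]:
    """Aircraft-level class of a function: its most severe classified failure condition."""
    classes = [c.hazard_class for c in fn.conditions if c.hazard_class is not None]
    return min(classes) if classes else None

def structural_gaps(fha: list) -> list:
    """Report the only gaps a mechanical check can see: functions with no failure
    conditions and conditions never classified. A failure mode nobody imagined
    leaves no trace here, which is why FHA completeness cannot be verified."""
    gaps = []
    for fn in fha:
        if not fn.conditions:
            gaps.append(f"{fn.name}: no failure conditions identified")
        gaps += [f"{fn.name}: '{c.description}' ({c.phase}) not classified"
                 for c in fn.conditions if c.hazard_class is None]
    return gaps

# Constructed sample rows (illustrative, not taken from any certification programme).
SAMPLE_FHA = [
    Function("Provide deceleration on ground", [
        FailureCondition("total loss of wheel braking", "landing roll", HazardClass.A),
        FailureCondition("loss of brake temperature indication", "taxi", HazardClass.D)]),
    Function("Provide cabin lighting", [
        FailureCondition("loss of reading lights", "cruise", HazardClass.E),
        FailureCondition("loss of emergency egress lighting", "evacuation", None)]),
    Function("Provide cabin pressure control"),
]
```

Running `structural_gaps(SAMPLE_FHA)` flags the unclassified egress-lighting condition and the unanalysed pressure-control function, while `worst_class` assigns braking Class A on consequence alone, with no likelihood anywhere in the record.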