
How to Assign and Decompose Development Assurance Level (DAL)?

  • Writer: Harshal Vaid
  • 1 day ago
  • 5 min read

In aerospace development and certification, few decisions carry as much weight as assigning and decomposing Development Assurance Levels (DAL). Get it right, and your certification pathway becomes structured and straightforward. Get it wrong, and you risk costly rework, validation and verification issues, and program delays.

In our previous post, “What is Development Assurance Level (DAL) in Aerospace?”, we explored how DAL influences every aircraft (and system) function and component — from software to complex hardware — driving the level of rigor required in development. But once the theory is established, the real challenge begins:

How do you actually assign DAL correctly? And how do you decompose accurately?

Although DAL has been part of aerospace guidance since the early 1990s, detailed, practical guides on assignment and decomposition remain limited. Over the years, working closely with OEMs, Tier 1, and Tier 2 suppliers, we’ve seen the same questions surface repeatedly — especially in rigorous and resource-limited certification environments.


In this post, we’ll share a practical, experience-based approach to assigning and decomposing DAL — along with lessons learned from two decades of supporting safety-critical programs — presented in a clear and easy-to-apply way.


The need to decompose DAL

In the development framework defined by SAE ARP4754B and SAE ARP4761A, the Development Assurance Level (DAL) assigned to a function reflects the severity of its associated failure conditions. As the DAL increases, the required development rigor increases as well, to instill confidence that development errors have been minimized. Modern aircraft architectures often involve numerous components, suppliers, and distributed development teams. Applying a high DAL uniformly across an entire system would significantly increase development cost, schedule pressure, and V&V effort.

To give some relief, DAL reduction and decomposition provide a means to allocate safety requirements across multiple architectural elements so that the overall safety objective is met without imposing unnecessary rigor on every component. However, decomposition must be performed carefully and justified through the necessary safety analysis. When applied incorrectly, it can introduce safety gaps, raise certification concerns, and potentially delay or derail compliance demonstrations with the authorities.


FDAL Assignment and Decomposition


FDAL Assignment

The FDAL assignment starts at the functional level, in the PASA and/or the PSSA. Every function is allocated a DAL based on the worst severity of its failure conditions (derived from the AFHA or SFHA). This process is the input to the subsequent IDAL assignment, which is discussed later in this post.


At the higher level, when no architectural information is available, the FDAL assignment is very straightforward. Table 1 describes the assignment at the highest level.


Table 1: FDAL Assignment

AFHA/SFHA Worst-Severity Failure Condition | FDAL assigned to the corresponding function
-------------------------------------------|--------------------------------------------
Catastrophic                               | A
Hazardous                                  | B
Major                                      | C
Minor                                      | D
No Safety Effect                           | E


Note: This FDAL assignment is derived from advisory materials and general recommended practices such as SAE ARP4761A and SAE ARP4754B/ED-79B.


As discussed before, DAL reduction and decomposition are highly sought after as a way to allocate the development program's available resources appropriately. To achieve this, the OEM may discuss with the certifying authorities how DAL applies to the different system types on board the aircraft. The OEM may also come to an agreement with the certification authorities to reduce the functional DAL for some system types.

As a result, the acceptable Development Assurance Levels (DAL) may be established for a given project by means of a safety-centric Issue Paper. This issue paper contains guidelines, a list of objectives, and requirements with which the OEM must show compliance.

Take, for example, a small aircraft intended to be certified under Part 23 regulations: the reductions described in Table 2 may potentially be agreed between the authorities and the OEM.

Table 2: Possible FDAL Reductions

Worst Severity FC from the Functional Failure Sets | FDAL Assignment (Level A, Fly-by-wire and Propulsion Systems) | FDAL Assignment (Level B, Mechanical and all other systems)
---------------------------------------------------|---------------------------------------------------------------|------------------------------------------------------------
Catastrophic                                       | B                                                             | C
Hazardous                                          | C                                                             | C
Major                                              | C                                                             | C
Minor                                              | D                                                             | D
No Safety Effect                                   | E                                                             | E


FDAL Decomposition

As the system and aircraft development process moves forward, more and more information becomes available regarding the architecture of the aircraft and system functions. This information is used to refine the FDAL assignment and to decompose the FDAL of the functions.

Once the top-level FDAL is assigned based on the worst severity of the failure condition in the Functional Failure Sets (FFS), the failure condition is further analyzed to identify all of its contributing members. If the failure condition has multiple (two or more) members, the safety analyst must review each member for claims of independence, separation, and partitioning.

Therefore, for a failure condition with multiple members, if the functional independence claims for the contributing members can be sufficiently proved and substantiated, the DAL for each independent contributing member can be reduced to a lower level. Refer to Table 3 for the possible means of reducing and decomposing the DAL.

Table 3: FDAL Decomposition

Worst Severity FC from the Functional Failure Sets | FDAL, no decomposition (no independent members) | FDAL for each independent member (two or more)
---------------------------------------------------|--------------------------------------------------|------------------------------------------------
Catastrophic                                       | A                                                | B
Hazardous                                          | B                                                | C
Major                                              | C                                                | D
Minor                                              | D                                                | D
No Safety Effect                                   | E                                                | E
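
The assignment and decomposition rules of Tables 1 to 3 are small enough to be encoded and checked mechanically, which is useful when reviewing a PSSA that allocates levels to many members. The following is an added example, not code from this post or its author: it encodes the three tables as data, treats "independence substantiated" as a boolean input that the safety analysis must justify, and refuses to decompose unless every member of a failure condition has that substantiation. The failure condition, the lane names and the Part 23 agreement table are constructed samples for illustration.

```python
"""Worked FDAL assignment and decomposition per Tables 1-3 of the post.

Added example (not the post's own code): the table rows are data and the
decomposition rule is a function, so a reviewer can confirm that every member
of a failure condition ends up with a justified level. The failure conditions,
member names and agreed reduction table below are constructed samples.
"""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    """Failure-condition severity, ordered so that a larger value is worse."""
    NO_SAFETY_EFFECT = 0
    MINOR = 1
    MAJOR = 2
    HAZARDOUS = 3
    CATASTROPHIC = 4


# Table 1: FDAL assigned to a function from its worst-severity failure condition.
BASELINE_FDAL = {
    Severity.CATASTROPHIC: "A",
    Severity.HAZARDOUS: "B",
    Severity.MAJOR: "C",
    Severity.MINOR: "D",
    Severity.NO_SAFETY_EFFECT: "E",
}

# Table 3, last column: FDAL for each of two or more independent members.
DECOMPOSED_FDAL = {
    Severity.CATASTROPHIC: "B",
    Severity.HAZARDOUS: "C",
    Severity.MAJOR: "D",
    Severity.MINOR: "D",
    Severity.NO_SAFETY_EFFECT: "E",
}

# Table 2: reductions a Part 23 OEM "may potentially" agree with the authority
# in an issue paper. Assumption (constructed): the agreement is recorded as one
# table per system type; the post only lists the possible values.
PART23_REDUCED_FDAL = {
    "level_a_systems": {Severity.CATASTROPHIC: "B", Severity.HAZARDOUS: "C",
                        Severity.MAJOR: "C", Severity.MINOR: "D",
                        Severity.NO_SAFETY_EFFECT: "E"},
    "level_b_systems": {Severity.CATASTROPHIC: "C", Severity.HAZARDOUS: "C",
                        Severity.MAJOR: "C", Severity.MINOR: "D",
                        Severity.NO_SAFETY_EFFECT: "E"},
}


@dataclass(frozen=True)
class Member:
    """One contributing member of a failure condition (hypothetical fields)."""
    name: str
    # True only once independence, separation and partitioning have been
    # substantiated in the safety analysis; an unproven claim stays False.
    independence_substantiated: bool = False


def worst_severity(failure_conditions):
    """Worst severity across a function's failure conditions (from AFHA/SFHA)."""
    return max(failure_conditions)


def assign_fdal(severity, agreed_table=None):
    """Table 1 assignment, or the issue-paper table when one has been agreed."""
    table = agreed_table if agreed_table is not None else BASELINE_FDAL
    return table[severity]


def decompose_fdal(severity, members):
    """Allocate an FDAL to each member of one failure condition (Table 3).

    Decomposition applies only when there are two or more members and the
    independence of every member is substantiated; otherwise each member keeps
    the undecomposed level. Returns {member name: FDAL}.
    """
    members = list(members)
    if not members:
        raise ValueError("a failure condition needs at least one member")
    independent = len(members) >= 2 and all(
        m.independence_substantiated for m in members)
    level = DECOMPOSED_FDAL[severity] if independent else BASELINE_FDAL[severity]
    return {m.name: level for m in members}


def example():
    """Constructed sample: a function with a Catastrophic FC and two lanes."""
    sev = worst_severity([Severity.MAJOR, Severity.CATASTROPHIC])
    lanes = [Member("lane-1", independence_substantiated=True),
             Member("lane-2", independence_substantiated=True)]
    return {
        "function_fdal": assign_fdal(sev),
        "decomposed": decompose_fdal(sev, lanes),
        # Same architecture, but lane-2's independence claim was not proven.
        "not_substantiated": decompose_fdal(sev, [lanes[0], Member("lane-2")]),
        "part23_level_b": assign_fdal(sev, PART23_REDUCED_FDAL["level_b_systems"]),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(key, value)
```

The conservative branch is the point of the example: one member whose independence claim has not been substantiated is enough to keep every member of that failure condition at the undecomposed level, which mirrors the post's warning that decomposition applied without the supporting safety analysis introduces safety gaps.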


Other means of DAL Reduction

Often there are protection functions implemented on the aircraft and its systems. These protection functions protect the aircraft from external events. An event is classified as external if its occurrence is distinct from the aircraft, e.g. cabin and/or baggage compartment fires.

If the probability of occurrence of the external event can be accurately estimated, the top-level FDAL can be adjusted based on the probability values of the external event.

For instance, if loss of the fire protection function is classified as Catastrophic (CAT), this drives the initial FDAL assignment to FDAL A. However, the probability of occurrence of a fire may reasonably be estimated at 1E-7 based on FAA AC25.1309-1B and FAA AC 33.75-1 (specifically for extremely remote occurrence). The FDAL assignment for the fire protection function can then be lowered to FDAL C based on Figure 1.


Figure 1: FDAL Assignment against Probability of External Event

IDAL Assignment and Decomposition

The IDAL assignment is conducted for hardware and software components of the function at the lowest level. The IDAL assignment follows the same approach that is defined for FDAL assignment in the previous section.

The process of IDAL assignment and decomposition is done as part of the PSSA process, once more information about the architecture and its associated components is available. The FDAL assigned to the function is taken as the input and is flowed down to the hardware and software contributing to the top-level hazard, down to the level of individual Airborne Electronic Hardware (AEH) items. Fault trees are highly helpful in identifying the LRUs and components that may directly lead to the top-level failure condition, and these fault trees may be used for IDAL assignment and decomposition.


But consider this:

For simple hardware items that are fully analyzable, i.e., items whose design, failure modes, failure rate values and testing can be reasonably established, no IDAL is assigned; both ARP4761A and ARP4754B recommend this. However, this consideration needs to be accurately and adequately substantiated in the safety artefacts prepared as part of the safety lifecycle.


Conclusion

In summary, FDALs are allocated to aircraft and system-level functions based on the highest severity associated with their failure conditions. This process takes into account considerations such as functional independence, architectural mitigation, and exposure to external events that may justify a reduction of the assigned DAL. One key takeaway: there is no direct correlation between the Functional (or Item) Development Assurance Level and the numerical failure probabilities of the components.

The IDAL assignment and decomposition approach closely mirrors that of the FDAL, ensuring that item-level development rigor aligns with the safety objectives established at higher levels. It is important to note, however, that simple hardware items that can be fully and deterministically analyzed are not assigned an IDAL.

Although this objective-based framework is rooted in the aerospace domain, many of the underlying principles and techniques are equally applicable to other industries developing safe systems.


With over two decades of experience across industries such as Aerospace, Defence, Automobile, Naval, etc., our team is expert in the application of Development Assurance Level (DAL) and system safety standards. Book a call with us today!
 
ARP4761 (& ARP 4761A)
ARP4754A (& ARP4754B)
MIL-STD-882E, and many more
