Towards Model-Based Functional Hazard Assessment at Aircraft Level

S. Maitrehenry & S. Metge
Airbus Operation S.A.S., Toulouse, France

Y. Ait-Ameur
ENSMA-LISI, Poitiers - Futuroscope, France

P. Bieber
Onera, Toulouse, France

ABSTRACT: This paper presents a method and a new modelling approach to analyse the operational and functional safety of aircraft. We focus on Functional Hazard Assessment (FHA) at aircraft level, which is the first safety analysis occurring in the design process of an aircraft. This assessment has some restrictions due to its complexity, in particular in the determination of the impacts of failures during flight and in the determination of the most relevant failure combinations. The proposed method is based on formal and hierarchical models using the AltaRica language.

1 INTRODUCTION

According to the Flight Safety Foundation (http://flightsafety.org/), the causes of aircraft incidents over the last decade are shown to result from human errors (54%) and mechanical failures (28%). These percentages have evolved only slightly over the years; however, there is a trend of reduction in the number of incidents. In fact, the incident rate decreased from 1.32 per million flights in 1996 to 0.64 (a reduction of 50%) in 2010. This study demonstrates that flying is a safe and secure means of transport and that safety is a major concern for the aviation industry, obviously including Airbus.

The aim of the safety assessment process is to verify the conformity of the aircraft design with the requirements specified by airworthiness authorities, and notably with those requirements specified in EASA's CS25 document. In recent years, the Airworthiness Recommended Practices, SAE's and EUROCAE's ARP 4754A/ED-79A and ARP 4761 (universally applied industry norms), have evolved to include the use of formal modeling. This formal modeling is intended as a means of verifying that proposed aircraft architectures fulfill their safety requirements. In recent years, Airbus was involved in a European project named ISAAC (Improvement of Safety Activities on Aeronautical Complex Systems) (Akerlund, O. et al. 2006), intended to study the improvement of aircraft safety and security using formal models. Currently, Airbus produces models (based on the AltaRica language) in order to simulate several critical and complex systems in the internal project RoSaS (Robustness and Safety in the System design) (Bernard, R. 2009).

The motivation in writing this paper is the need to support the safety processes at the beginning of the design process, at the point in time where aircraft architects are defining the functional behavior of an aircraft without detailed knowledge of any physical solution, even if system performance is studied in parallel. Aircraft architects define requirements at this abstract level, named aircraft level, and allocate each function and its associated requirement to specific systems. Among these requirements are some safety ones, determined from the Aircraft Functional Hazard Assessment (A/C FHA) by safety analysts for the aircraft architects.

The second section of this paper focuses on the A/C FHA process and its limitations. The third section introduces the operational and functional models proposed by the aircraft architects, which may present possible solutions to resolve the previously identified limitations. Because this solution is not complete, we present in the fourth section our models, updated to include additional safety aspects. We also show what kind of analyses can be achieved with our formal models. Finally, in the fifth section, we include our approach in a well-defined methodology, in accordance with the safety processes.

2 AIRCRAFT FHA AND MODELS

2.1 Functional Hazard Assessment at aircraft level

Currently, the safety assessment process at Airbus consists of the generation, updating and verification of safety requirements at the same time as