System Safety Assessments, 75424-75454 [2022-26369]
Federal Register / Vol. 87, No. 235 / Thursday, December 8, 2022 / Proposed Rules
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Part 25
[Docket No.: FAA–2022–1544; Notice No.
23–04]
RIN 2120–AJ99
System Safety Assessments
AGENCY: Federal Aviation Administration (FAA), Department of Transportation (DOT).
ACTION: Notice of proposed rulemaking (NPRM).
SUMMARY: The FAA proposes to amend certain airworthiness regulations to standardize the criteria for conducting safety assessments for systems, including flight controls and powerplants, installed on transport category airplanes. With this action, the FAA seeks to reduce risk associated with airplane accidents and incidents that have occurred in service, and reduce risk associated with new technology in flight control systems. The intended effect of this proposed action is to improve aviation safety by making system safety assessment (SSA) certification requirements more comprehensive and consistent.
DATES: Send comments on or before March 8, 2023.
ADDRESSES: Send comments identified by docket number FAA–2022–1544 using any of the following methods:
• Federal eRulemaking Portal: Go to
https://www.regulations.gov and follow
the online instructions for sending your
comments electronically.
• Mail: Send comments to Docket
Operations, M–30; U.S. Department of
Transportation (DOT), 1200 New Jersey
Avenue SE, Room W12–140, West
Building Ground Floor, Washington, DC
20590–0001.
• Hand Delivery or Courier: Take
comments to Docket Operations in
Room W12–140 of the West Building
Ground Floor at 1200 New Jersey
Avenue SE, Washington, DC, between 9
a.m. and 5 p.m., Monday through
Friday, except Federal holidays.
• Fax: Fax comments to Docket
Operations at (202) 493–2251.
Privacy: In accordance with 5 U.S.C.
553(c), DOT solicits comments from the
public to better inform its rulemaking
process. DOT posts these comments,
without edit, including any personal
information the commenter provides, to
www.regulations.gov, as described in
the system of records notice (DOT/ALL–
14 FDMS), which you can review at
https://www.dot.gov/privacy.
Docket: Background documents or
comments received may be read at
https://www.regulations.gov at any time.
Follow the online instructions for
accessing the docket or go to the Docket
Operations in Room W12–140 of the
West Building Ground Floor at 1200
New Jersey Avenue SE, Washington,
DC, between 9 a.m. and 5 p.m., Monday
through Friday, except Federal holidays.
FOR FURTHER INFORMATION CONTACT:
Suzanne Masterson, Strategic Policy
Transport Section, AIR–614, Strategic
Policy Management Branch, Policy and
Innovation Division, Aircraft
Certification Service, Federal Aviation
Administration, 2200 South 216th
Street, Des Moines, WA 98198;
telephone and fax (206) 231–3211; email
Suzanne.Masterson@faa.gov.
SUPPLEMENTARY INFORMATION:
Authority for This Rulemaking
The FAA’s authority to issue rules on
aviation safety is found in Title 49 of the
United States Code. Subtitle I, Section
106 describes the authority of the FAA
Administrator. Subtitle VII, Aviation
Programs, describes in more detail the
scope of the agency’s authority.
This rulemaking is promulgated
under the authority described in
Subtitle VII, Part A, Subpart III, Section
44701, ‘‘General Requirements.’’ Under
that section, the FAA is charged with
promoting safe flight of civil aircraft in
air commerce by prescribing regulations
and minimum standards for the design
and performance of aircraft that the
Administrator finds necessary for safety
in air commerce. This regulation is
within the scope of that authority. It
prescribes new safety standards for the
design and operation of transport
category airplanes.
Acronyms and Frequently Used Terms
TABLE 1—ACRONYMS FREQUENTLY USED IN THIS PREAMBLE
Acronym    Definition
AC         Advisory Circular.
AD         Airworthiness Directive.
AFM        Airplane Flight Manual.
ALS        Airworthiness Limitations section.
ARAC       Aviation Rulemaking Advisory Committee.
ASAWG      Airplane-Level Safety Analysis Working Group.
CAST       Commercial Aviation Safety Team.
CMR        Certification Maintenance Requirement.
CS–25      Certification Specifications for Large Aeroplanes (issued by EASA).
CSL+1      Catastrophic Single Latent Failure Plus One (a failure condition).
EASA       European Union Aviation Safety Agency.
ELOS       Equivalent Level of Safety.
EWIS       Electrical Wiring Interconnection System.
FCHWG      Flight Controls Harmonization Working Group.
ICA        Instructions for Continued Airworthiness.
LDHWG      Loads and Dynamics Harmonization Working Group.
NTSB       National Transportation Safety Board.
PPIHWG     Powerplant Installation Harmonization Working Group.
SDAHWG     System Design and Analysis Harmonization Working Group.
SLF        Significant Latent Failure.
SSA        System Safety Assessment.
TABLE 2—TERMS USED IN THIS NOTICE OF PROPOSED RULEMAKING
Term: Definition

General

Certification maintenance requirement (CMR) *: A required scheduled maintenance task established during the design certification of the airplane systems as an airworthiness limitation of the type certificate or supplemental type certificate.

Error: An omission or incorrect action by a crewmember or maintenance personnel, or a mistake in requirements, design, or implementation.

Event: An occurrence that has its origin distinct from the airplane, such as atmospheric conditions (e.g., gusts, temperature variations, icing, and lightning strikes); runway conditions; conditions of communication, navigation, and surveillance services; bird-strike; cabin and baggage fires (not initiated by features installed on the airplane). The term does not cover sabotage or other similar intentional acts.

Failure: An occurrence that affects the operation of a component, part, or element such that it no longer functions as intended. This includes both loss of function and malfunction.
Note: Errors and events may cause failures or influence their effects but are not considered to be failures.

Failure condition: A condition, caused or contributed to by one or more failures or errors, that has either a direct or consequential effect on the airplane, its occupants, or other persons, accounting for—
• Flight phase,
• Relevant adverse operational or environmental conditions, and
• External events.

Latent failure: A failure that is not apparent to the flightcrew or maintenance personnel.

Single failure: Any occurrence, or set of occurrences, that cannot be shown to be independent from each other (e.g., failures due to a common cause), that affect the operation of components, parts, or elements such that they no longer function as intended. (See definition of ‘‘Failure.’’)

Structural performance: The capability of the airplane to meet the structural requirements of 14 CFR part 25.

Failure conditions in order of increasing severity

Minor failure condition: A failure condition that would not significantly reduce airplane safety and would only require flightcrew actions that are well within their capabilities. Minor failure conditions may result in—
• A slight reduction in safety margins or functional capabilities,
• A slight increase in flightcrew workload, such as routine flight plan changes,
• Some physical discomfort to passengers or flight attendants, or
• An effect of similar severity.

Major failure condition *: A failure condition that would reduce the capability of the airplane or the ability of the flightcrew to cope with adverse operating conditions, to the extent that there would be—
• A significant reduction in safety margins or functional capabilities,
• A significant increase in flightcrew workload or in conditions impairing the efficiency of the flightcrew,
• Physical distress to passengers or flight attendants, possibly including injuries, or
• An effect of similar severity.

Hazardous failure condition *: A failure condition that would reduce the capability of the airplane or the ability of the flightcrew to cope with adverse operating conditions, to the extent that there would be—
• A large reduction in safety margins or functional capabilities,
• Physical distress or excessive workload such that the flightcrew cannot be relied upon to perform their tasks accurately or completely, or
• Serious or fatal injuries to a relatively small number of persons other than the flightcrew.
Note: For the purpose of performing a safety assessment, a ‘‘small number’’ of fatal injuries means one such injury.

Catastrophic failure condition *: A failure condition that would result in multiple fatalities, usually with the loss of the airplane.

Terms related to latent failures

Significant latent failure *: A latent failure that, in combination with one or more specific failures or events, would result in a hazardous or catastrophic failure condition.

Catastrophic single latent failure plus one (CSL+1): A catastrophic failure condition that results from a combination of two failures, either of which could be latent for more than one flight.

Failure conditions in order of decreasing probability

Probable failure condition *: A failure condition that is anticipated to occur one or more times during the entire operational life of each airplane of a given type.

Remote failure condition *: A failure condition that is not anticipated to occur to each airplane of a given type during its entire operational life, but which may occur several times during the total operational life of a number of airplanes of a given type.

Extremely remote failure condition *: A failure condition that is not anticipated to occur to each airplane of a given type during its entire operational life, but which may occur a few times during the total operational life of all airplanes of a given type.

Extremely improbable failure condition *: A failure condition that is not anticipated to occur during the total operational life of all airplanes of a given type.

* These terms are also defined in proposed new § 25.4 Definitions.
Contents
I. Overview of Proposed Rule
II. Background
  A. Statement of the Problem
  B. Related Actions
    1. Aviation Rulemaking Advisory Committee (ARAC) Recommendations
    2. FAA Review of Service Difficulty Reports
    3. Commercial Aviation Safety Team Task Force Study Regarding Gaps in Maintenance Process
    4. Equivalent Level of Safety Findings and Special Conditions
    5. Harmonization with European Union Aviation Safety Agency (EASA) Certification Standards
    6. Aircraft Certification, Safety, and Accountability Act
  C. NTSB Recommendations
III. Discussion of the Proposed Rule
  A. Consistent Safety Assessment Criteria for Airplane Systems
    1. Average Risk Criteria (§ 25.1309(b)(1), (2), and (3))
    2. Latent Failures in System Designs
  B. Consistent Application and Interpretation of Requirements for Equipment, Systems, and Installations
    1. Applicability of § 25.1309
    2. Exceptions From Applicability of § 25.1309
    3. Flightcrew Alerting and Errors
  C. Interaction of Systems and Structures (New § 25.302)
    1. Applicability of New § 25.302
    2. Normal Operation
    3. Failure Condition Effect on Structural Performance
    4. Dispatch in a System Failed State
    5. Differences Between Proposed § 25.302 and EASA CS 25.302
  D. Turbojet Thrust Reversing Systems
  E. Flight Control Systems Safety Assessment Criteria
    1. Changes to § 25.671(c) Failure Criteria
    2. Other Changes to § 25.671
  F. Certification Maintenance Requirements
  G. Miscellaneous Amendments
    1. Method of Compliance With § 25.1309(b)
    2. Failure Examples Related to Flutter
    3. Other Changes to § 25.629
    4. EWIS Requirements
    5. Removal of Redundant Requirements
  H. Petitions for Rulemaking
  I. Advisory Material
IV. Regulatory Notices and Analyses
  A. Regulatory Evaluation
    1. Costs and Benefits of this Proposed Rule
    2. Who is potentially affected by this Proposed Rule?
    3. Assumptions and Sources of Information
    4. Costs of the Proposed Specific Risk Rule
    5. Benefits of the Proposed Specific Risk Rule
    6. Summary of Costs and Benefits of Specific Risk Rule
    7. Section 25.1309: Equipment, Systems, and Installations
    8. Section 25.671: General Control Systems
    9. Section 25.901: Installation Engines
    10. Section 25.933: Reversing Systems
    11. Section 25.302: Interaction of Systems and Structures
  B. Regulatory Flexibility Determination
  C. International Trade Impact Assessment
  D. Unfunded Mandates Assessment
  E. Paperwork Reduction Act
  F. International Compatibility and Cooperation
  G. Environmental Analysis
V. Executive Order Determinations
  A. Executive Order 13132, Federalism
  B. Executive Order 13211, Regulations That Significantly Affect Energy Supply, Distribution, or Use
  C. Executive Order 13609, International Cooperation
VI. Additional Information
  A. Comments Invited
  B. Availability of Rulemaking Documents
I. Overview of Proposed Rule
The FAA proposes to revise
regulations in title 14, Code of Federal
Regulations (14 CFR) part 25
(Airworthiness Standards: Transport
Category Airplanes) related to the safety
assessment 1 of airplane systems. The
proposed changes to part 25 would
affect applicants for type certification
and operators of transport category
airplanes. Applicants for type
certification would be required to
conduct their SSAs in accordance with
the revised regulations. Proposed
changes to the ICA would affect
operators of newly certified airplanes,
although the impact on those operators
would not be significant.
The FAA proposes revised and new
safety standards to reduce the likelihood
of potentially catastrophic risks due to
latent failures in critical systems. The
standards would require the elimination
of such risks as far as practical. When
it is not practical to eliminate such a
risk, the standards would require the
reduction and management of any
remaining risk. The proposed standards
would also improve the likelihood that
operators discover latent failures and
address them before they become an
unsafe condition, rather than
discovering them after they occur and
the FAA addressing them with
airworthiness directives (ADs).
Because modern aircraft systems (for
example, avionics and fly-by-wire
systems) are much more integrated than
they were when the current safety
criteria in § 25.1309 and other system
safety assessment rules were established
in 1970,2 the new standards proposed in
this rule would be consistent for all
systems of the airplane, reducing the
chance of a hazard falling into a gap
between the different regulatory
requirements for different systems.
Consistent criteria for conducting SSAs would also provide predictability for applicants by reducing the number of issue papers and special conditions necessary for airplane certification projects.3
1 A system safety assessment is a structured process intended to systematically identify the risks pertinent to the design of aircraft systems, and to show that the systems meet safety requirements.
2 35 FR 5665 (Apr. 8, 1970).
Specifically, the proposed rule
would—
• Require that applicants limit the
likelihood of a catastrophic failure
condition that results from a
combination of two failures, either of
which could be latent. In this proposal,
the FAA refers to this particular failure
condition as a Catastrophic Single
Latent Failure Plus One (CSL+1)
because it consists of the catastrophic
condition that results from a single
latent failure plus one additional failure.
See proposed § 25.1309(b)(5).
• Revise safety assessment
regulations to eliminate ambiguity in,
and provide consistency between, the
safety assessments that applicants must
conduct for different types of airplane
systems. Section 25.1309 would
continue to contain the safety
assessment criteria applicable to most
airplane systems. Sections 25.671(c)
(flight control systems) and 25.901(c)
(powerplant installations) would be
amended to remove general system
safety criteria. Instead, the systems
covered in these sections would be
required to comply with § 25.1309
(system safety criteria). Section
25.933(a) (thrust reversing systems)
would allow compliance with § 25.1309
as an option. Sections 25.671, 25.901,
and 25.933 would continue to contain
criteria for safety assessments specific to
flight control systems, powerplant
installations, and thrust reversing
systems, respectively.
• Require applicants to assess and
account for any effect that the failure of
a system could have on the structural
performance of the airplane. See
proposed § 25.302.
• Define the different types of failure
of flight control systems, including
jams, and define the criteria for safety
assessment of those types of failures.
See proposed § 25.671.
• Require applicants to include, in the Airworthiness Limitations Section (ALS) of the airplane’s Instructions for Continued Airworthiness (ICA), necessary maintenance tasks that applicants identify during their SSAs. See proposed § 25.1309(d).
• Remove the ‘‘function properly when installed’’ criterion in § 25.1301(a)(4) for installed equipment whose function is not needed for safe operation of the airplane.
3 Special conditions are rules of particular applicability that the FAA issues to address novel or unusual design features. See 14 CFR 21.16, and section 2–4(j)(3) of FAA Order 8110.4C, Type Certification. The latter is available at drs.faa.gov, and as noted therein, the FAA uses the issue paper process to develop the terms of these special conditions. See FAA Order 8110.112A, Standardized Procedures for Usage of Issue Papers and Development of Equivalent Levels of Safety Memorandums, and Advisory Circular 20–166A, Issue Paper Process, available at drs.faa.gov.
II. Background
A. Statement of the Problem
This proposed action is necessary
because airplane accidents, incidents,
and service difficulties have occurred as
a result of failures in airplane systems.
Some of these occurrences were caused,
in part, by insufficient design standards
for controlling the risk of latent failures.
Current FAA regulations do not prevent
the unintended operation of an airplane
with a latent failure that, when
combined with another failure, could
cause an accident. For example, in 1991,
a Boeing Model 767 series airplane
operated by Lauda Air took off with a
contaminated thrust reverser control
valve. This contamination was ‘‘latent’’
because it was undetected. The accident
investigation found that a short circuit
occurred, and together with the
contaminated control valve, caused the
thrust reverser to unintentionally
deploy in flight. As a result, the airplane
subsequently crashed, resulting in 223
fatalities.4
Also, current regulations do not
require establishment of mandatory
inspections for significant latent failures
that may pose a risk in maintaining the
airworthiness of the airplane design.
Such inspections may be necessary to
reduce an airplane’s exposure to these
latent failures, so airplanes continue to
meet safety standards while in service.
Additionally, current regulations do
not adequately address new technology
in flight control systems and the effects
these systems can have on
controllability and structural capability.
For example, on airplanes equipped
with fly-by-wire control systems, there
is no mechanical link between the
flightdeck control and the control
surface, so the flightcrew may not be
aware of the actual control surface
position. Also, on some flight control
system designs, there may be submodes
of operation that change or degrade the
normal handling or operational
characteristics of the airplane.
Flightcrew awareness of both the operational mode of the airplane and the control surface positions are necessary design features to ensure safety of flight but are not required by current regulations.
4 Lauda Air B767 Accident Report by the Aircraft Accident Investigation Committee, Ministry of Transport and Communications, Thailand, is available in the docket and at https://lessonslearned.faa.gov/Lauda/LaudaAccidentReport.pdf.
This action is also necessary to
address flight control systems whose
failure can affect the loads imposed on
the airplane structure. As an example,
some airplanes are equipped with
rudder limiters, which reduce the
maximum deflection of the rudder at
higher airspeeds, thereby reducing the
maximum loads on the rudder and
vertical stabilizer. Failure of the rudder
limiter can result in higher loads on
these surfaces in the event of a
significant rudder maneuver. Excessive
loads can lead to structural damage and
catastrophic failure. Current regulations
do not require applicants to account for
these potentially higher loads in the
structural design of the airplane.
Lastly, certain system safety
requirements are not standardized
across airplane systems. Current
regulations specify different safety
assessment criteria for different systems,
which can lead to inconsistent
standards across the airplane. Also,
when systems that traditionally have
been separate become integrated using
new technology, applicants may be
unsure which standard to apply.
The FAA proposes to address these
issues by revising the system safety
assessment requirements in part 25.
B. Related Actions
1. Aviation Rulemaking Advisory
Committee (ARAC) Recommendations
Advances in flight controls
technology, increased airplane system
integration, and certain incidents,
accidents, and service difficulties
related to system failures prompted the
FAA to task the ARAC with developing
recommendations for new or revised
requirements and compliance methods
related to the safety assessment of
airplane and powerplant systems. The
ARAC accepted tasks on various
airplane systems issues and assigned
them to the Powerplant Installation
Harmonization Working Group
(PPIHWG), 5 Flight Controls
Harmonization Working Group
(FCHWG), 6 Loads and Dynamics
Harmonization Working Group
(LDHWG), 7 and System Design and
Analysis Harmonization Working Group
(SDAHWG).8 The FAA also tasked the
ARAC to make recommendations for harmonizing the relevant part 25 rules with the corresponding European certification specifications for large airplanes.9 The ARAC accepted this task and assigned it to the relevant working groups.
5 57 FR 58844 (Dec. 11, 1992).
6 63 FR 45554 (Aug. 26, 1998).
7 59 FR 30081 (Jun. 10, 1994).
8 61 FR 26246 (May 24, 1996).
In developing their recommendations,
the PPIHWG and FCHWG reviewed the
investigations of two transport category
airplane accidents. In the May 1991
Lauda Air accident, discussed
previously, an unintentional thrust
reverser deployment on a Boeing Model
767 series airplane caused a loss of
airplane controllability.10 In the
September 1994 USAir accident, the
NTSB considered a malfunction of the
rudder actuation system on a Boeing
Model 737–300 series airplane, to have
likely initiated a loss of airplane
controllability that resulted in the
airplane impacting the ground near
Pittsburgh, Pennsylvania.11 The
investigations of these two accidents
identified hazards resulting from
potential CSL+1 failure conditions in
safety critical systems.
The PPIHWG recommended revisions
to § 25.901(c), to address failures and
malfunctions of powerplant and
auxiliary power unit (APU)
installations, and to § 25.933, to address
failures and malfunctions of thrust
reversing systems. The FCHWG
recommended changes to § 25.671 to
address failures and jamming of flight
control systems. The LDHWG
recommended the addition of a new
rule, § 25.302, to address systems that
directly, or as a result of a failure or
malfunction, would affect the structural
performance of the airplane. The
SDAHWG recommended revisions to
§§ 25.1301 and 25.1309, and further
changes to § 25.901(c). Each working
group also recommended advisory
material to accompany the
recommended regulatory changes. The
SDAHWG named their recommended revision to AC 25.1309–1A as the ‘‘Arsenal’’ version.12
9 As the FAA noted in the Federal Register in 1993: ‘‘The FAA announced at the Joint Aviation Authorities (JAA)-Federal Aviation Administration (FAA) Harmonization Conference in Toronto, Ontario, Canada, (June 2–5, 1992) that it would consolidate within the Aviation Rulemaking Advisory Committee structure an ongoing objective to ‘‘harmonize’’ the Joint Aviation Requirements (JAR) and the Federal Aviation Regulations (FAR). Coincident with that announcement, the FAA assigned to the ARAC those projects related to JAR/FAR 25, 33 and 35 harmonization which were then in the process of being coordinated between the JAA and the FAA.’’ 58 FR 13819, 13820 (Mar. 15, 1993).
10 See footnote 4.
11 NTSB Accident Report NTSB/AAR–09/01, Uncontrolled Descent and Collision with Terrain, USAir Flight 427, Boeing 737–300, N513AU, Near Aliquippa, Pennsylvania, September 8, 1994, is available in the docket and at https://lessonslearned.faa.gov/USAir427/usair427_ntsb_report.pdf.
Although the working groups each
addressed the subject of managing latent
failures in safety critical systems, their
recommendations were not consistent
when defining the criteria for latent
failures. After reviewing the relevant
regulations, and the recommendations
from the working groups, the FAA,
along with the European, Canadian, and
Brazilian civil aviation authorities,
identified a need to standardize SSA
criteria. These authorities were
concerned that the safety criteria
recommended by the working groups
could result in differing safety
assessments across various critical
systems. Differing standards could
result in an inappropriately low level of
safety on some critical systems, or,
conversely, unnecessarily apply the
most stringent standard to every system
in a set of integrated systems.
Therefore, in 2006, the FAA tasked
ARAC, which assigned the task to the
Airplane-Level Safety Assessment
Working Group (ASAWG),13 with
creating consistent SSA criteria and
developing new criteria for ‘‘specific
risk.’’ ‘‘Specific risk’’ is the risk on a
given flight resulting from the existence
of a particular condition (for example, a
latent failure) on that flight. It is
differentiated from ‘‘average risk,’’
which is the risk on a typical flight of
all airplanes of a particular model for a
typical duration.
The ASAWG completed its work in
May 2010 and recommended a set of
consistent requirements that would
apply to all systems. Specific areas
addressed in the recommendation report
include latent failures, aging and wear,
Master Minimum Equipment Lists, and
flight and diversion time. The ASAWG
recommended that the general system
safety criteria for all airplane systems be
governed by § 25.1309, and
recommended adjustments to the
regulations and advisory material
addressed by the working groups
mentioned previously, to implement consistent system safety criteria. All ARAC working group recommendation reports are available in the docket for this NPRM.
12 The ‘‘Arsenal’’ version is a draft revision of AC 25.1309–1A, developed by the ARAC SDAHWG. Applicants can use it in conjunction with a request for an ELOS finding for, or exemption from, §§ 25.1301 and 25.1309, per FAA Policy PS–ANM100–00–113–1034, Use of ARAC (Aviation Rulemaking Advisory Committee) Recommended Rulemaking not yet formally adopted by the FAA, as a basis for equivalent level of safety or exemption to Part 25, dated January 4, 2001, available at https://drs.faa.gov. The ‘‘Arsenal’’ version is available in the docket as part of the SDAHWG recommendation, Task 2—System and Analysis Harmonization and Technology Update, pp. 61–99, and at https://www.faa.gov/regulations_policies/rulemaking/committees/documents/media/TAEsdaT2-5241996.pdf.
13 71 FR 14284 (Mar. 21, 2006).
2. FAA Review of Service Difficulty
Reports
One ASAWG recommendation
responded to the need to prevent a
catastrophic failure condition resulting
from two failures, when either failure is
latent (undetected) for more than one
flight. In such a case, the first failure is
latent, and thus persists undetected, and
the second failure is active (detected)
because its occurrence results in a
catastrophic accident. In consideration
of this recommendation, the FAA
reviewed a number of past service
difficulty reports 14 that could have led
to catastrophic accidents if the latent
failure had been followed by another
failure. These include:
• A latent failure of a fire
extinguisher control switch that, if
coupled with an active failure such as
an engine fire, could have resulted in an
uncontrollable engine fire.15
• A latent failure of the high-lift
system 16 brake that, if coupled with an
active failure such as a high-lift system
transmission driveshaft failure, could
have resulted in loss of control.17
• A latent failure of a high-lift system
proximity sensor that, if coupled with
an active failure such as a high-lift drive
system failure, could have resulted in
loss of control.18
The FAA has determined that such
service difficulties were, in part, a
consequence of insufficient design
standards for controlling the risk due to
latent failures, and the FAA expects
similar service difficulties in the future
if the standards are not revised to
manage such risks.
3. Commercial Aviation Safety Team
Task Force Study Regarding Gaps in
Maintenance Process
In 2009, the Commercial Aviation
Safety Team (CAST) 19 chartered a task force, led by the FAA Flight Standards Service, Aircraft Maintenance Division, to conduct a study to identify and correct gaps in operators’ maintenance processes. The objective of the task force was to ensure that the level of safety provided at certification would be sustained throughout the life of the airplane.
14 Service difficulty reports are reports of occurrences or detection of failures, malfunctions, and defects, as required by 14 CFR 91.1415, 121.703, 125.409, 135.415 and 145.221, as applicable to the type of operation of the aircraft.
15 A report of the failure of a certain engine fire shutoff switch led to Airworthiness Directive (AD) 2005–01–13, Amendment 39–13938 (70 FR 2339, January 13, 2005).
16 A ‘‘high-lift’’ system is a system that increases the amount of lift produced by an airplane wing.
17 Multiple reports of failure of a certain high-lift system brake led to AD 2009–20–12, Amendment 39–16035 (74 FR 50686, October 1, 2009).
18 Multiple reports of failure of a certain high-lift system proximity sensor led to AD 2014–03–08, Amendment 39–17745 (79 FR 9398, February 19, 2014).
19 Founded in 1998, CAST is a cooperative government-industry initiative. CAST is co-chaired
In 2011, the task force reported on the
gaps it found, and recommended
mitigation strategies.20 One of the
identified gaps (GAP 009) was that the
current regulations do not require use of
Certification Maintenance Requirements
(CMRs),21 which identify inspections of
systems for significant latent failures
that are necessary to preserve the
airplane’s reliability. The FAA has been
recommending in advisory circulars (AC
25.1309–1A and AC 25–19, and AC 25–
19A) to establish the need for
inspections of critical systems where
latent failures could exist. Since CMRs
are critical to safety, the task force
recommended the FAA require their
use.
4. Equivalent Level of Safety Findings
and Special Conditions
The FAA has applied most of the SSA
criteria proposed in this NPRM to
certification projects for the past 15
years, through equivalent level of safety
(ELOS) findings under § 21.21. The
topics of these findings include flight
control systems (§ 25.671(c)) as
recommended by the FCHWG; thrust
reversers (§ 25.933(a)(1)) as
recommended by the PPIHWG; and
general SSA criteria (§§ 25.1301 and
25.1309) as recommended by the
SDAHWG.
Modern transport category airplanes
are equipped with systems that, directly
or as a result of failure or malfunction,
affect structural performance. However,
current regulations do not require
applicants to take into account loads on
the airplane due to the effects of system
failures on structural performance.
Therefore, the FAA has applied special
conditions that require the effects of
by a senior-level official of the air transport
industry and by the FAA Associate Administrator
for Aviation Safety.
20 More information on CAST and the task force
findings is available in the docket and on the
internet at https://www.skybrary.aero/sites/default/
files/bookshelf/2553.pdf.
21 CMRs are defined in Advisory Circular (AC)
25.1309–1A, System Design and Analysis, dated
June 21, 1988; and AC 25–19A, Certification
Maintenance Requirements, dated October 3, 2011.
The FAA plans to revise AC 25.1309–1 as described
in this document, and the CMR definition would
conform to the definition provided in Table 2 and
in new § 25.4, Definitions. The CMR definition in
AC 25–19A already conforms to the definition
provided in Table 2. That AC is not being revised
as part of this rulemaking.
E:\FR\FM\08DEP3.SGM
08DEP3
Federal Register / Vol. 87, No. 235 / Thursday, December 8, 2022 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS3
system failures be taken into account in
the design. The FAA based the
provisions of these special conditions,
titled ‘‘Interaction of Systems and
Structures,’’ on the criteria developed
by the ARAC working groups, and
proposes to codify these special
conditions in proposed § 25.302.
Finally, the FAA has applied the
requirements in proposed § 25.671(a),
(e), and (f) for fly-by-wire control
systems to recent type certificate
applications through means of
compliance issue papers and special
conditions.
5. Harmonization With European Union
Aviation Safety Agency (EASA)
Certification Standards
EASA certification standards for large
airplanes (CS–25) prescribe the
airworthiness standards corresponding
to 14 CFR part 25 for transport category
airplanes certified by the European
Union. Applicants for FAA type
certification of transport category
airplanes may also seek EASA
validation of the FAA’s type certificate.
Where part 25 and CS–25 differ, an
applicant must meet both airworthiness
standards to obtain a U.S. type
certificate and validation of the type
certificate by foreign authorities, or
obtain exemptions, ELOS findings or
special conditions, or the foreign
authority’s equivalent to those, as
necessary to meet one standard in lieu
of the other. Where FAA and EASA can
maintain harmonized requirements,
applicants for type certification benefit
by having a single set of requirements
with which they must show
compliance, thereby reducing the cost
and complexity of certification and
codifying a consistent level of safety.
EASA incorporated the SDAHWG-recommended changes to §§ 25.1301
and 25.1309, and associated guidance,
in its initial issuance of CS–25 on
October 17, 2003.22 EASA incorporated
the criteria regarding interaction of
systems and structures recommended by
the LDHWG into its regulatory
framework as CS 25.302 and appendix
K of CS–25 at amendment 25/1 on
December 12, 2005.23 EASA
incorporated the ASAWG-recommended
regulatory and advisory material
implementing consistent SSA criteria, at
amendment 25/24 to CS–25, on January
10, 2020.24 This proposed NPRM would
harmonize FAA requirements with
EASA to the extent possible, with
differences described in the Discussion
of the Proposed Rule.
22 https://www.easa.europa.eu/en/downloads/1516/en.
23 https://www.easa.europa.eu/en/document-library/certification-specifications/cs-25-amendment-1.
24 https://www.easa.europa.eu/en/downloads/108354/en.
6. Aircraft Certification, Safety, and
Accountability Act
This proposal would update the
requirements and guidance for system
safety assessments to support, in part,
the requirements of the Aircraft
Certification, Safety, and Accountability
Act, Public Law 116–260 (the Act).
Section 115(b)(1)(A) of the Act states
that the Administrator of the FAA shall
require an applicant for an amended
type certificate for a transport airplane
to perform a system safety assessment
with respect to each proposed design
change that the Administrator
determines is significant, with such
assessment considering the airplane-level effects of individual errors,
malfunctions, or failures and realistic
pilot response times to such errors,
malfunctions, or failures. Currently,
§ 25.1309 requires this action, not just
for significant design changes, but for all
design changes affecting systems.
Specifically, § 25.1309(b) requires
applicants to assess safety at the airplane
level for airplane systems and
associated components, considered
separately and in relation to other
systems. Section 25.1309(d) specifies
that compliance to § 25.1309(b) must be
shown by analysis and appropriate
testing, and must consider possible
modes of failure, including
malfunctions and damage and also that
the assessment consider crew warning
cues, corrective action required, and the
capability of detecting faults. In the
context of § 25.1309, ‘‘corrective action’’
means flightcrew procedures for use
after failure detection to enable
continued safe flight and landing.25 The
proposed § 25.1309 would remove the
current content of § 25.1309(d), and
place that content in draft AC 25.1309–
1B, along with expanded guidance on
the safety assessment process, because
(1) the proposed § 25.1309 would be a
performance-based regulation for which
methods of compliance are more
appropriately provided in guidance, and
(2) the items for consideration listed in
§ 25.1309(d) constitute an incomplete
method of compliance to § 25.1309(b),
as explained in section III.G.1 of this
preamble.
25 AC 25.1309–1A provides guidance on
including flightcrew corrective action in showing
compliance to § 25.1309. Draft AC 25.1309–1B,
sections 5.3 and 5.4, would provide updated
guidance.
Section 115(b)(1)(B) of the Act states
that the system safety assessments
required by section 115(b)(1)(A) of the
Act be updated for each subsequent
proposed design change that the
Administrator determines is significant.
As discussed, § 25.1309 already requires
this action not just for significant design
changes, but for all design changes
affecting systems. This proposed
rulemaking would update the analysis
necessary for airplane-level effects of
individual errors, malfunctions, or
failures.
Section 115(b)(1)(C) of the Act states
that applicants must provide to the FAA
the data and assumptions underlying
each assessment and amended
assessment. Draft AC 25.1309–1B,
which accompanies this rulemaking,
states that a system safety assessment, to
show compliance, should provide data
such as component failure rates and
their sources and applicability, and
support any assumptions made. Section
7.9 of the draft AC provides detailed
guidance on identification and
justification of assumptions, data, and
analytic techniques.
Section 115(b)(1)(D) of the Act states
that applicants must provide for
document traceability and clarity of
explanations for changes to aircraft type
designs and system safety assessment
certification documents. Appendix C of
draft AC 25.1309–1B describes the
safety assessment process, and states
that a system safety assessment, to show
compliance, should include, among
other things, a statement of the
functions, boundaries, and interfaces of
the system and a description that
establishes correctness and
completeness and traces the work
leading to the conclusions of the SSA.
These updates to system safety
assessment requirements, and to
implementing guidance, would provide
a foundation to address how human
(flight crew) response is treated and
validated within the context of the
required analysis. As required by
Section 126 of the Act, the FAA is
researching pilot responses to errors,
malfunctions and failures, and may use
that research in the future to update
guidance in this regard.
C. NTSB Recommendations
As a result of the aforementioned
1994 Pittsburgh accident, the National
Transportation Safety Board (NTSB)
issued two safety recommendations
relevant to this rulemaking, A–99–22
and A–99–23.26 In Safety
Recommendation A–99–22, the NTSB
recommends that the FAA ensure that
future transport category airplanes
provide a reliably redundant rudder
actuation system. In Safety
Recommendation A–99–23, the NTSB
recommends that the FAA require type
certificate applicants to show that
transport category airplanes are capable
of continued safe flight and landing
after jamming of a flight control at any
deflection possible, up to and including
its full deflection, unless the applicant
shows that such a jam is extremely
improbable. This proposed rule would
implement these recommendations by
revising § 25.671(c).
26 NTSB Safety Recommendations A–99–22 and
A–99–23 are available in the docket and at
https://www.ntsb.gov/safety/safety-recs/recletters/A99_20_29.pdf.
The NTSB issued Safety
Recommendation A–02–51 27 following
an accident in January 2000, in which
a McDonnell Douglas Model MD–83
airplane crashed into the Pacific Ocean
off the coast of California. The NTSB
determined that the probable cause of
this accident was a loss of airplane pitch
control resulting from the in-flight
failure of the jackscrew assembly of the
horizontal stabilizer trim system. This
failure was related to maintenance of
this critical system; specifically, the
excessive and accelerated wear of a
critical part as a result of insufficient
lubrication. In Safety Recommendation
A–02–51, the NTSB recommends that
the FAA review and revise airplane
certification regulations, and associated
guidance applicable to the certification
of transport category airplanes, to
ensure that applicants fully address
wear-related failures so that, to the
maximum extent possible, such failures
will not be catastrophic. The proposed
requirement to include CMRs in the
ALS would respond to this safety
recommendation, as would the draft
ACs accompanying this NPRM that
contain guidance on assessing wear-related failures as part of the SSA.
The NTSB issued Safety
Recommendation A–14–119 28
following an incident in January 2013,
in which the APU lithium-ion battery
installed in a Boeing Model 787–8
airplane caught fire when the airplane
was parked at a gate at Logan
International Airport in Boston,
Massachusetts. In Safety
Recommendation A–14–119, the NTSB
recommends that the FAA provide its
certification engineers with written
guidance and training to ensure that
assumptions, data sources, and
analytical techniques are fully identified
and justified in applicants’ safety
assessments for designs incorporating
new technology. Additionally, the
NTSB recommends that an appropriate
level of conservatism be included in the
analysis or design, consistent with the
intent of the draft guidance material that
the SDAHWG recommended. Draft AC
25.1309–1B, accompanying this NPRM,
would contain the recommended
guidance.29
27 NTSB Safety Recommendation A–02–51 is
available in the docket and at
https://www.ntsb.gov/safety/safety-recs/recletters/A02_36_51.pdf.
28 NTSB Safety Recommendation A–14–119 is
available in the docket and at
https://www.ntsb.gov/safety/safety-recs/recletters/A-14-113-127.pdf.
III. Discussion of the Proposed Rule
After consideration of the issues in
the Statement of Problem, the relevant
NTSB recommendations, and ARAC
recommendations, the FAA proposes to
revise several regulations to change how
applicants would conduct SSAs.
A. Consistent Safety Assessment Criteria
for Airplane Systems
1. Average Risk Criteria (§ 25.1309(b)(1),
(2), and (3))
Current § 25.1309(b) requires
applicants to design the systems and
associated components (considered both
separately and in relation to each other)
of their proposed transport category
airplane to meet two criteria. First, these
systems must be designed so that the
occurrence of any failure condition
which would prevent the safe flight and
landing of the airplane is extremely
improbable (§ 25.1309(b)(1)). Second,
each system must be designed so that
the likelihood of any other failure
condition which would reduce the
capability of the airplane, or of its
flightcrew, to cope with adverse
operating conditions is improbable
(§ 25.1309(b)(2)).
The FAA proposes to revise
§ 25.1309(b) to establish risk criteria that
can be used consistently across multiple
airplane systems, harmonize FAA
regulations with EASA Certification
Specifications for Large Aeroplanes (CS)
25.1309(b), and codify commonly issued
ELOS findings. The proposed revisions
would require that type certificate
applicants design and install airplane
systems and associated components,
evaluated both separately and in
relation to other systems, so that—
• Each catastrophic failure condition
is extremely improbable and does not
result from a single failure;
• Each hazardous failure condition is
extremely remote; and
• Each major failure condition is
remote.
As noted previously, the current rule
(§ 25.1309(b)(2)) requires any failure
condition that would reduce the
capability of the airplane or the ability
of the crew to cope with adverse
operating conditions to be ‘‘improbable’’
(on the order of 10⁻⁹ < p ≤ 10⁻⁵, where
p is probability of failure per flight
hour). This condition is characterized
by AC 25.1309–1A as ‘‘major,’’ and it
represents a broad spectrum of
probability.
29 This advisory circular, and the other advisory
circulars that accompany this proposal, are in the
docket for review and comment.
As previously discussed, the FAA has
issued ELOS findings for more than a
decade to accept use of the ARAC-recommended revision to §§ 25.1301
and 25.1309 in lieu of §§ 25.1301 and
25.1309, and the accompanying
‘‘Arsenal’’ version of AC 25.1309–1 as
the method of compliance. In the
‘‘Arsenal’’ version, the ‘‘major’’ failure
condition is divided into two categories:
‘‘hazardous’’ and ‘‘major’’, with
corresponding probability requirements
of ‘‘extremely remote’’ (on the order of
10⁻⁹ < p ≤ 10⁻⁷) and ‘‘remote’’ (on the
order of 10⁻⁷ < p ≤ 10⁻⁵). The granular
assessment of failure conditions in the
‘‘Arsenal’’ version is beneficial because
it allows for more accurate analysis of
highly integrated systems and better
differentiation of failure effects on
flightcrew than the current requirements
of § 25.1309(b). The ‘‘hazardous’’
category in the ‘‘Arsenal’’ version
corresponds to the more severe end of
the ‘‘major’’ category in current
§ 25.1309(b)(2), which is referred to as
‘‘severe major’’ in AC 25.1309–1A,
‘‘System Design and Analysis,’’ dated
June 21, 1988.
This proposal would codify current
practice by adding the ‘‘hazardous’’
failure condition category and its
probability requirement, replace the
probability term ‘‘improbable’’ with
‘‘remote’’ for major failure conditions,
and prohibit catastrophic single failure.
a. Inclusion of Specific Failure
Condition Categories and Probabilities
An objective of this proposal is to
align the regulatory terms used in 14
CFR part 25 to describe failure
condition categories and probabilities
with the terms used in the most recent
transport airplane certification projects
(whose SSAs use the methods in the
‘‘Arsenal’’ version of AC 25.1309–1 and
in EASA CS 25.1309 and accompanying
guidance). Proposed § 25.1309(b) would
use terms that are already used by the
aviation industry to describe failure
condition categories and probabilities.
Additionally, since the FAA also uses
these terms in other part 25 regulations,
such as §§ 25.671, 25.981, and 25.1709,
the FAA proposes to define them in a
new § 25.4, ‘‘Definitions.’’ Although the
terminology in § 25.1309(b) would
change from the current regulations, the
intent and usage of those terms would
not change as a result.
b. Prohibiting Catastrophic Single
Failures
Proposed § 25.1309(b)(1)(ii) would
prohibit a proposed design from
allowing any single failure that could
result in a catastrophic failure condition
(i.e., a ‘‘fail-safe’’ design requirement).
The requirement that applicants assume
that any single failure could occur and
that such failure not prevent continued
safe flight and landing was codified in
1965 as § 25.1309. The FAA
inadvertently removed from § 25.1309
the requirement for fail-safe design in
1970 at amendment 25–23,30 although
the agency retained guidance on fail-safe design. The purpose of the FAA’s
guidance on fail-safe design has been to
convey the objectives of the fail-safe
design concept, and provide principles
and techniques for its usage by
applicants.
Amendment 25–23 also amended
§ 25.671(c) to prohibit catastrophic
single failures in flight control systems.
At that time, § 25.901(c) applied
§ 25.1309 to powerplant installation,
requiring applicants to assume in their
safety assessments that any single
failure could occur. With amendment
25–40 in 1977,31 the FAA amended
§ 25.901(c) to explicitly prohibit
catastrophic single failures in systems
associated with the powerplant
installation because § 25.1309 did not
prohibit catastrophic single failures.
This proposed rule would also make
the requirements for safety assessments
of flight control systems and powerplant
installations consistent with the
requirements for other systems in regard
to prohibiting catastrophic single
failures. Systems covered by the
proposed §§ 25.671(c) and 25.901(c)
would be required to comply with the
§ 25.1309 prohibition of catastrophic
single failures under all operating and
environmental conditions under which
the airplane was approved to operate.
Incorporation of fail-safe design
requirements across all the critical
systems of the airplane would ensure
consistent safety objectives are
implemented. Further discussion of
proposed changes to §§ 25.671(c) and
25.901(c) is provided in sections III.E
and III.B.2.d of this preamble,
respectively.
30 35 FR 5674 (Apr. 8, 1970).
31 42 FR 15042 (Mar. 17, 1977).
2. Latent Failures in System Designs
a. Proposed Criteria—§ 25.1309(b)(4)
The FAA proposes to add a new
paragraph (b)(4) to § 25.1309 that would
require applicants to avoid SLFs
whenever practical. The purpose of
proposed § 25.1309(b)(4) is to reduce an
airplane’s exposure to SLFs by
establishing the following hierarchy of
safety requirements. First, the applicant
must eliminate SLFs. If the elimination
of the SLF is not practical, then the
applicant must limit the likelihood of
that SLF to 1/1000 between inspections.
If the applicant proves that it is not
practical to comply with the 1/1000
criterion, then the applicant must
design the system to minimize the
failure’s latency; that is, minimize the
length of time the failure is expected to
be present, and remain undetected.
The FAA intends the proposed rule to
minimize the latency of SLFs and
achieve the safety objective of the
ASAWG’s recommendation to avoid
SLFs whenever practical. The FCHWG,
PPIHWG, and ASAWG each
recommended the 1/1000 value to limit
the latency period in the failure
conditions specific to that working
group’s technical area. The FAA
proposes that application of the 1/1000
criterion to every system that may
contain a SLF is a necessary safety
measure that an applicant can apply.
This 1/1000 criterion is necessary to
reduce exposure of the airplane to latent
failures that leave the airplane one
failure away from a hazardous or
catastrophic condition. This criterion is
cost effective as described in the costs
and benefits section of this NPRM.
An applicant may be able to show, in
rare situations, that it is not practical to
meet the 1/1000 criterion. One possible
example is if compliance with the
1/1000 criterion would necessitate
complex or invasive maintenance tasks
on the flight line, increasing the risk of
incorrect maintenance. In such
situations, safety may be better served if
the operator inspects for latent failures
at a maintenance facility or at a longer
inspection interval, even though the
longer inspection interval could mean
the probability of the latent failure
exceeds 1/1000; however, the applicant
must minimize the time the failure is
expected to be present. The FAA
expects that an applicant would likely
integrate these steps into its normal
design processes. During the FAA’s
review of an applicant’s proposed
demonstration of compliance with the
other provisions of § 25.1309(b), if the
FAA determines that it may be practical
to eliminate or further reduce exposure
to a SLF, then these proposed
regulations would require the applicant
to either redesign the system or
demonstrate the impracticality of that
redesign.
b. Proposed Criteria—§ 25.1309(b)(5)
The FAA proposes a new standard for
limiting the risk of a CSL+1 failure
condition (a catastrophic failure
combination that results from a single
latent failure plus one additional
failure). Under current regulations, an
operator could unknowingly dispatch
an airplane with a potential CSL+1
failure condition. Under this proposal,
when conducting SSAs, an applicant
would be required to apply additional
criteria in proposed § 25.1309(b)(5)
(pertaining to additional fault tolerance,
residual risk, and probability of latent
failures) to limit the specific risk of a
CSL+1 failure condition, in addition to
the requirement in § 25.1309(b)(1).32
i. Additional Fault Tolerance
For each potential catastrophic failure
condition that results from two failures,
either of which could be latent for more
than one flight, the applicant would be
required by § 25.1309(b)(5)(i) to show
that it is impractical to design the
system with additional fault tolerance.
For example, if practical, the applicant
could add a failure monitor, thereby
eliminating the latency of the first
(undetected) failure. Or, the applicant
could design additional redundancy in
the system, so that the second failure
would not be catastrophic. In either
case, the condition resulting from the
failure combination would no longer
create a CSL+1 failure condition.
ii. Limiting the Residual Risk to a
‘‘Remote’’ Probability
The FAA proposes § 25.1309(b)(5)(ii),
which would adopt the ASAWG
recommendation to limit the total
probability that any single failure could
lead to a catastrophe following a latent
failure. This total probability could be
no greater than ‘‘remote.’’ The ASAWG
recommended the ‘‘remote’’ criterion
based on the reliability of components
typically used in systems that have a
redundant means to protect against
catastrophic single failures. These
components have demonstrated a level
of reliability, on the order of 1 × 10⁻⁵ per
flight hour, which was consistent with
the SDAHWG’s recommended
probability guidelines (the ‘‘Arsenal’’
version of AC 25.1309, and EASA
Acceptable Means of Compliance
25.1309) for showing ‘‘remote’’
probability. The ASAWG reasoned that
establishing a higher standard than
‘‘remote’’ could require redesign of
systems that have an acceptable in-service
safety record, and the FAA
agrees with this rationale.
32 The draft Regulatory Impact Analysis in the
docket for this rulemaking refers to this part of the
proposal as the ‘‘specific risk rule.’’
Therefore, the FAA proposes that this
‘‘remote’’ criterion, in combination with
the criterion to limit latency to a
maximum probability of 1/1000, would
establish an acceptable level of safety
for potential CSL+1 failure conditions.
Also, if a system has multiple potential
failure combinations that lead to the
same CSL+1 failure condition, each
combination of which contains the same
latent failure, the applicant would be
required to sum the probabilities of the
non-latent failures. The resulting sum of
probabilities would also have to meet
the ‘‘remote’’ criterion.
iii. Limiting the Probability of Latent
Failures to 1/1000
Proposed § 25.1309(b)(5)(iii) would
limit the probability of occurrence of a
latent failure in a CSL+1 combination to
1/1000. The 1/1000 value would be the
proposed maximum allowable
probability of a latent failure. To
comply, the applicant would multiply
the maximum time the latent failure is
allowed to be present by the component
failure rate, and show that the resultant
value is less than or equal to 1/1000.
The maximum time is typically the time
between inspections. The ASAWG
recommended limiting the probability
of occurrence of a latent failure in a
CSL+1 combination to be ‘‘on the order
of’’ 1/1000 or less. The FAA and
Transport Canada submitted dissenting
opinions, documented in the ASAWG
final report, that the phrase ‘‘on the
order of’’ would defeat the purpose of
establishing a clear criterion for limiting
the likelihood of a latent failure;
therefore, this proposal omits that
phrase. Instead, the 1/1000 value would
be the maximum allowable probability
of a latent failure occurring between
inspections.
To determine this 1/1000 limit, the
ASAWG drew on the knowledge of the
FCHWG and PPIHWG, both of which
determined that 1/1000 was a practical
limit on the probability of a latent
failure in the flight control and thrust
reversing systems. The ASAWG
evaluated safety analysis data and found
that the probability of a latent failure
between inspections very rarely
exceeded 1/1000.33 The FAA has
accepted this numerical value in the
certification of these particular systems
through ELOS findings and determined
that applicants can apply it across all
systems.
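The two numerical checks described in sections ii and iii above, written out in Python as an added example (it is not part of the NPRM or of any FAA guidance). The failure-condition and component names, failure rates and inspection intervals are constructed, and the 1e-5 per flight hour upper bound for ‘‘remote’’ is an assumption taken from the ‘‘on the order of’’ figures quoted in this preamble.

```python
from collections import defaultdict
from dataclasses import dataclass

# (b)(5)(iii): maximum allowable probability of the latent failure between inspections.
LATENT_PROB_LIMIT = 1 / 1000
# (b)(5)(ii): assumed numerical upper bound for "remote", per flight hour (FH).
REMOTE_LIMIT_PER_FH = 1e-5


@dataclass(frozen=True)
class Combination:
    """One CSL+1 combination: a latent failure plus one additional (active) failure."""
    condition: str       # catastrophic failure condition the combination leads to
    latent: str          # latent failure
    latent_rate: float   # latent component failure rate, per FH
    exposure_fh: float   # maximum time the latent failure may be present, in FH
    active: str          # the additional failure
    active_rate: float   # active failure rate, per FH


def assess(combinations):
    """Apply both criteria to every (condition, latent failure) group.

    Combinations that lead to the same condition and share the same latent
    failure are grouped, and the rates of their non-latent failures are summed
    before comparison with the "remote" bound, as section ii describes.
    """
    groups = defaultdict(list)
    for c in combinations:
        groups[(c.condition, c.latent)].append(c)

    results = {}
    for key, members in groups.items():
        first = members[0]
        # The same latent failure must carry the same rate and exposure everywhere.
        for m in members:
            if (m.latent_rate, m.exposure_fh) != (first.latent_rate, first.exposure_fh):
                raise ValueError(f"inconsistent latent data for {key}")
        # Section iii: failure rate multiplied by the maximum time present.
        latent_probability = first.latent_rate * first.exposure_fh
        residual_rate = sum(m.active_rate for m in members)
        results[key] = {
            "latent_probability": latent_probability,
            "latent_ok": latent_probability <= LATENT_PROB_LIMIT,
            "residual_rate": residual_rate,
            "residual_ok": residual_rate <= REMOTE_LIMIT_PER_FH,
        }
    return results


def max_exposure_fh(latent_rate):
    """Longest time between inspections that still meets the 1/1000 limit."""
    if latent_rate <= 0:
        raise ValueError("failure rate must be positive")
    return LATENT_PROB_LIMIT / latent_rate


# Constructed sample data: none of these values come from a real assessment.
SAMPLE = [
    # COND-A meets both criteria.
    Combination("COND-A", "brake-monitor", 2e-6, 400, "driveshaft", 4e-6),
    Combination("COND-A", "brake-monitor", 2e-6, 400, "gearbox", 3e-6),
    # COND-B: the inspection interval is too long for the latent failure rate.
    Combination("COND-B", "sensor", 5e-6, 600, "drive-unit", 2e-6),
    # COND-C: each active failure alone is within the bound, their sum is not.
    Combination("COND-C", "valve", 1e-7, 1000, "pump-1", 6e-6),
    Combination("COND-C", "valve", 1e-7, 1000, "pump-2", 6e-6),
]

if __name__ == "__main__":
    for (condition, latent), r in assess(SAMPLE).items():
        print(f"{condition:7} {latent:14} "
              f"P(latent)={r['latent_probability']:.1e} ok={r['latent_ok']}  "
              f"residual={r['residual_rate']:.1e}/FH ok={r['residual_ok']}")
    print("max interval for the COND-B sensor:", round(max_exposure_fh(5e-6)), "FH")
```

COND-C is the case the summation requirement exists for: both combinations pass when looked at one at a time, and the group fails once the non-latent failure rates are added.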
33 The ASAWG recommendation report is
available in the docket for this NPRM.
B. Consistent Application and
Interpretation of Requirements for
Equipment, Systems, and Installations
1. Applicability of § 25.1309
Applicants have raised numerous
questions regarding the applicability of
§ 25.1309. The FAA therefore proposes
to revise § 25.1309 as follows:
a. Introductory Paragraph of § 25.1309
The FAA proposes to add an
introductory paragraph to § 25.1309,
which specifies that the rule applies to
all systems and equipment on the
airplane. Section 25.1309(a) currently
requires that applicants design and
show that only the equipment, systems,
and installations whose functioning is
required by Subchapter C—Aircraft will
perform their intended functions under
any foreseeable operating condition
(amendment 25–123, dated December
10, 2007). This proposed rule would
adopt the SDAHWG’s recommendation
to remove the limitation to Subchapter
C, which would broaden the
applicability of § 25.1309 to any system
or equipment as installed on the
airplane, regardless of whether it is
required for type certification or by
operating rules.
b. Section 25.1309(a)—Criteria for Two
Classes of Installed Equipment and
Systems
The FAA proposes to remove
§ 25.1301(a)(4), which requires that
installed equipment function properly
when installed, and address that
requirement through proposed
§ 25.1309(a), which would contain
requirements for two different classes of
equipment and systems installed in the
airplane: (1) equipment and systems
that are required for type certification or
by operating rules, or whose improper
functioning would reduce safety; and (2)
all other systems.
c. Section 25.1309(a)(1)—Airplane
Equipment and Systems Whose
Improper Functioning Would Reduce
Safety
Proposed § 25.1309(a)(1) would apply
to all installed airplane equipment and
systems whose improper functioning
would reduce safety, regardless of
whether the equipment or system is
required by type certification rules or
operating rules. Such equipment and
systems would be required to perform as
intended under the airplane operating
and environmental conditions. A failure
or malfunction of equipment or systems
reduces safety if the failure or
malfunction results in a minor or more
severe failure condition. The FAA
recognizes, however, that failures may
occur throughout the operational life of
the airplane, and that a failed system
may no longer perform as intended. The
acceptability of failures and their
associated risks are covered by the fail-safe regulations, such as §§ 25.901(c),
25.1309(b), 25.671(c), 25.735(b)(1),
25.810(a)(1)(v), 25.812, 25.903(d)(1), and
25.1316.
The FAA further proposes new
§ 25.1309(a)(1) to require that
equipment and systems perform as
intended not just under airplane
operating conditions as required by
current § 25.1309(a), but under
environmental conditions as well. This
change is needed to remove an
ambiguity in the current regulations,
and ensure that an applicant’s safety
assessment is complete.
Current § 25.1309(a) requires that
each such item perform its intended
functions under ‘‘any foreseeable
operating condition,’’ but does not
mention ‘‘environmental conditions.’’
The method of compliance to the rule in
AC 25.1309–1A discusses both types of
conditions. To perform the safety
assessment using the method in that AC,
the applicant must account for the
airplane operating conditions (such as
weight, center of gravity, altitudes, flap
positions) and the environmental
conditions that the airplane is
reasonably expected to encounter (such
as atmospheric turbulence, lightning, or
precipitation).
The FAA has not required that
systems and components perform as
intended in foreseeable but easily
avoidable environmental conditions,
such as volcanic ash clouds. Thus, the
FAA proposes to remove ‘‘any
foreseeable’’ from § 25.1309(a)(1). This
change would also harmonize with CS
25.1309(a)(1).
The intent of this change is to ensure
that the applicant evaluates the
continued function of equipment and
systems—
• Throughout the airplane’s normal
operating envelope, as defined by the
airplane flight manual (AFM), together
with any modification to that envelope
associated with abnormal or emergency
procedures, and any anticipated crew
action; and
• Under the anticipated external and
internal airplane environmental
conditions in which the equipment and
systems must perform as intended.
The proposed language in
§ 25.1309(a)(1) is consistent with
existing FAA guidance 34 regarding
environmental conditions because it
would allow that, even if certain
environmental conditions are
foreseeable, performing as intended in
those conditions is not always possible.
For example, ash clouds from volcanic
eruptions are foreseeable, but an
applicant does not have to show that the
airplane can safely operate in such
clouds, relying instead on forecasting
and air traffic control means to avoid
such conditions.
34 AC 25.1309–1A, section 8.e. provides guidance
on incorporation of environmental conditions in
SSA.
d. Section 25.1309(a)(2)—Equipment and
Systems With No Effect on the Safety of
the Airplane or Its Occupants
Current § 25.1309(a) requires that all
equipment, systems, and installations
function properly when installed.
However, the proper functioning of non-essential equipment is typically not
necessary for safe operation of the
airplane. These non-essential systems
include passenger amenities such as
entertainment displays, audio systems,
in-flight telephones, non-emergency
lighting, and food storage and
preparation.
Proposed § 25.1309(a)(2) would
require all equipment and systems not
subject to proposed § 25.1309(a)(1) to
not have an adverse effect on the safety
of the airplane or its occupants, and
would allow such equipment to be
approved even if that equipment may
not perform as intended. Consequently,
this proposal would reduce the testing
needed for those equipment and
systems installations, because they
would not need to meet the operational
and environmental condition
requirements of proposed
§ 25.1309(a)(1). The proposed
§ 25.1309(a)(2) would, however, require
applicants to test such systems,
equipment, and installations to show
that their normal or abnormal
functioning does not adversely affect the
proper functioning of the equipment,
systems, and installations covered by
proposed § 25.1309(a)(1); and does not
otherwise adversely affect the safety of
the airplane or its occupants.
No safety benefit is derived from
demonstrating that equipment performs
as intended, if failing to perform as
intended would not impact safety.
Instead, the FAA would expect that an
applicant perform a qualitative
evaluation of the design and installation
of such equipment and systems
installed in the airplane to determine
that neither their normal operation nor
their failure would adversely affect crew
workload, operation of other systems, or
the safety of persons.
The FAA expects normal installation
practices to result in sufficiently
obvious isolation of the impacts of such
equipment on safety that compliance
can be based on a relatively simple
qualitative installation evaluation. If the
possible impacts, including failure
modes or effects, are uncertain, or
isolation between systems is provided
by complex means, then more formal
structured evaluation methods or a
design change may be necessary.
Guidance on performing qualitative
evaluations is provided in draft AC
25.1309–1B.
This proposed change would reduce
the cost of certification to airplane and
equipment manufacturers and modifiers
without reducing the level of safety
provided by part 25.
e. Applicability of § 25.1309 to In-Service and Out-of-Service Conditions
Applicants have questioned whether,
when showing compliance with
§ 25.1309, they must consider out-of-service conditions or risks to persons
other than the occupants of the airplane.
Compliance with § 25.1309 applies to
flight operating conditions as well as
ground operating conditions, consistent
with current practice. Draft AC 25.1309–1B
specifies that compliance is
applicable to ground operating
conditions when the airplane is in
service. An airplane is in service from
the time the airplane arrives at a gate or
other location for pre-flight
preparations, until it is removed from
service. While ground operating
conditions include conditions
associated with line maintenance and
refueling, dispatch determinations,
embarkation and disembarkation, and
taxi, they do not include periods of shop
maintenance, storage, or other out-of-service activities. Applicants should
also account for threats to people on the
ground or adjacent to the airplane
during ground operations, electric shock
threats to mechanics, and other similar
situations.
f. Applicability of § 25.1309 to High
Intensity Radiated Fields and Lightning
Exposure
The ASAWG recommended that a
future committee address how
applicants should account for systems’
exposure to high intensity radiated
fields (HIRF) and lightning when
showing compliance with § 25.1309(b).
The FAA acknowledges that follow-on
regulatory or policy action may be
necessary to ensure this topic is
addressed in a manner that is both
effective and practical. This proposed
rule and the associated advisory
material are not intended to change how
type certificate applicants account for
systems’ exposure to HIRF and lightning
when demonstrating compliance with
§ 25.1309. Historically, considerations
of lightning and HIRF in determining
failure effects have been limited to
specific potential failures of concern,
such as failure of protection features,
including critical isolation features, that
are dedicated to protecting the airplane
from the effects of lightning. Under the
proposed changes to § 25.1309,
applicants would continue to apply
§ 25.1309 in addressing the effects of
HIRF and lightning as described in the
prior sentence. Testing and qualitative
evaluations may still be used as a means
of compliance. Use of lightning and
HIRF probabilities in quantitative
analyses is also still allowed but not
required. The proposed revision to
§ 25.1309 would not supersede the more
specific requirements of §§ 25.1316 and
25.1317.
2. Exceptions From Applicability of
§ 25.1309
a. Flight Control Jams Addressed by
§ 25.671
Proposed § 25.1309(e) would exclude
the flight control jams governed by
§ 25.671 from the proposed single-failure requirement in
§ 25.1309(b)(1)(ii). The FAA has
historically used § 25.671(c) rather than
§ 25.1309 to regulate the risk of flight
control jams. Proposed § 25.671(c)
would continue this approach because
flight control jams are an unusual
failure condition in which the control
position is critical to the outcome of the
condition. Therefore, specifying a flight
control jam as a ‘‘single failure’’ does
not fully define the failure condition
because the control position is not
defined. The current and proposed
§ 25.671(c) specify that the applicant
must evaluate flight control jams at
‘‘normally encountered’’ positions.
Additionally, proposed § 25.671(c)
would not require evaluation of flight
control jams immediately before
touchdown if the applicant shows that
such jams are extremely improbable, as
explained later in this preamble in the
section entitled, ‘‘Changes to
§ 25.671(c)(3).’’ Therefore, this type of
failure would be excluded from the
prohibition on a single failure being the
cause of a catastrophic failure condition
under § 25.1309(b)(1)(ii).
b. Brakes and Braking Systems,
Addressed by § 25.735
Proposed § 25.1309(b) would not
apply to single failures in the brake
system. Those failures are adequately
addressed by § 25.735(b)(1) at
amendment 25–107, which limits the
effect of a single failure of the brake
system to doubling the stopping
distance of the brake roll. The diverse
circumstances under which such a
failure could occur make any structured
determination of its outcome or
frequency indeterminate. The proposed
§ 25.1309 would apply to all other
failures in the brake system.
c. Emergency Egress Assist Means and
Escape Routes, Addressed by § 25.810,
and Emergency Lighting, Addressed by
§ 25.812
Proposed § 25.1309(f) would also
exclude the failure effects addressed by
§§ 25.810(a)(1)(v) and 25.812 from
§ 25.1309(b). The failure conditions
relevant to the cabin safety equipment
installations addressed by
§§ 25.810(a)(1)(v) (escape slides) and
25.812 (emergency lighting) are
associated with varied evacuation
scenarios for which the probability of
occurrence cannot be determined due to
the multitude of factors that can lead to
an evacuation. For these types of
equipment, the FAA has not been able
to define appropriate scenarios under
which an applicant could demonstrate
compliance with § 25.1309(b). The FAA
considers it acceptable in terms of
safety, to require particular design
features or specific reliability
demonstrations for these types of
equipment and, therefore, the FAA
proposes to exclude them from the
requirements of § 25.1309(b).
d. Powerplant—Installation, Addressed
by § 25.901(c)
The FAA proposes to revise
§ 25.901(c) to state that the requirements
of § 25.1309 apply to powerplant and
APU installations and to list the failures
that do not need to comply with
§ 25.1309(b). Those exceptions, which
would be consistent with existing
requirements, are engine case burn-through or rupture, uncontained engine
rotor failure, and propeller debris
release. The FAA specifies those
exceptions in proposed §§ 25.901(c) and
25.1309(f). Excepting these failures from
§ 25.1309(b) would not degrade the level
of safety from that required by current
regulations. An applicant must already
minimize the effects and occurrence
rates of these failures when complying
with:
• Part 33, ‘‘Airworthiness Standards:
Aircraft Engines.’’
• Part 35, ‘‘Airworthiness Standards:
Propellers.’’
• Paragraph (d)(1) of § 25.903,
‘‘Engines.’’
• Paragraph (d) of § 25.905,
‘‘Propellers.’’
• Section 25.1193, ‘‘Cowling and
nacelle skin.’’
This proposed revision would also
harmonize § 25.901(c) with CS
25.901(c).
3. Flightcrew Alerting and Errors
a. Categorization of Required Flightcrew
Information
Section 25.1309(c) currently requires
that warning information must be
provided to the flightcrew to alert them
to unsafe system operating conditions,
and to enable them to take appropriate
corrective action. The FAA proposes to
revise § 25.1309(c) to require
information be provided to the
flightcrew concerning unsafe system
operating conditions, rather than
requiring only warnings. The proposed
revisions to § 25.1309(c) would make
the provision compatible with the
requirements of current § 25.1322
(‘‘Warning, caution, and advisory
lights’’), which details requirements for
the presentation of warning, caution,
and advisory alerts installed on the
flight deck. For example, § 25.1322
requires a warning indication if
immediate action by a flightcrew
member were necessary; however, the
particular method of indication would
depend on the urgency and need for
flightcrew awareness or action that is
necessary for the particular failure. The
proposed revision to § 25.1309(c) (to
remove the requirement for ‘‘alert’’)
would remove an incompatibility with
§ 25.1322, which allows other sensory
and tactile feedback from the airplane
caused by inherent airplane
characteristics to be used in lieu of
dedicated indications and
annunciations if the applicant can show
such feedback is sufficiently timely and
effective to allow the crew to take
corrective action.35
b. Minimization of Crew Errors
Proposed § 25.1309(c) would require
that applicants design ‘‘systems and
controls, including indications and
annunciations’’ to minimize crew errors
that could create additional hazards.
The proposed change would remove a
reference to ‘‘warnings,’’ which are
addressed in § 25.1322, and instead use
the broader phrase ‘‘indications and
annunciations.’’ The additional hazards
that an applicant’s proposed design
must minimize, under this proposal, are
those that could occur after a failure and
those caused by inappropriate actions
made by a crewmember in response to
the failure. As specified in § 25.1585,
any flightcrew procedures necessary to
ensure continued safe flight and landing
after the occurrence of a failure
indication or annunciation must be
described in the approved AFM, AFM
revision, or AFM supplement, unless
the FAA evaluates the procedures and
accepts that the procedures are part of
normal aviation abilities.
35 See draft AC 25.1309–1B, sections 5.3.1.6 and
5.4.1.
C. Interaction of Systems and Structures
(New § 25.302)
The FAA proposes a new section,
§ 25.302, that would require an
applicant to account for systems, and
their possible failure, when assessing
the structural performance of its
proposed design.
As a result of advances in flight
control technology, the structure
requirements in part 25 do not provide
an adequate regulatory basis to establish
an acceptable level of safety for
airplanes equipped with systems that
affect structural performance such as the
electronic flight control system. Earlier
automatic control systems usually had
two failure states: loss of function and
malfunction. Flightcrews could readily
detect these conditions. The new
electronic flight control systems are
more sophisticated and offer advantages
that include load limiting and load
alleviation.36 Failures in these systems,
however, may allow the system to
function in degraded modes that
flightcrews may not readily detect, and
in which load alleviation may be lost or
reduced.
The LDHWG developed
recommendations for design standards
for airplanes equipped with systems
that, directly or as a result of failure,
affect the structural performance of the
airplane. Structural performance is the
capability of the airplane to meet the
structural requirements of part 25.
While the FAA has applied the
LDHWG recommendations for design
standards to airplane certification
programs since 1999 via special
conditions, on December 12, 2005,
EASA incorporated the design standards
developed by the LDHWG into its
regulatory framework as CS 25.302 and
appendix K of CS–25 at amendment 25/
1.37 Similarly, the FAA now proposes to
adopt these criteria, with some
modifications, as new § 25.302. The
codification of these requirements in
part 25 will eliminate the need for the
FAA to issue special conditions on
future certification projects. This will
result in increased efficiency for both
the FAA and the industry in
certification programs, without
impacting the level of safety.
36 ‘‘Load limiting and load alleviation’’ refer to
the reduction of structural loads by automatic
control surface limits or movements. For example,
vertical tail loads may be reduced by a rudder
limiter that automatically reduces the rudder
deflection upper limit as speed increases. Wing
load alleviation may be accomplished by automatic
upward movements of the outboard ailerons during
a pitch up maneuver, thereby reducing the loads on
the outboard portion of the wing.
37 https://www.easa.europa.eu/en/document-library/certification-specifications/cs-25-amendment-1.
1. Applicability of New § 25.302
Proposed § 25.302 would apply to all
systems that affect structural
performance of the airplane. A system
affects structural performance if it can
induce loads on the airframe, or change
the response of the airplane to inputs
such as gusts or pilot actions, either
when operating normally or as a result
of failure. Examples of systems that can
affect structural performance are load
alleviation systems, modal suppression
systems, stability augmentation systems,
and fuel management systems, as well
as hydraulic, electrical, and mechanical
systems.
2. Normal Operation
Proposed § 25.302 would require that
an applicant account for the influence of
systems, operating normally, when
showing compliance with subparts C
and D of part 25. The proposed rule
would require an applicant to derive
limit loads for the conditions specified
in subpart C and to account for any
behavior or effect of the system on the
structural performance of the airplane.
This means that the applicant would
need to account for any significant
nonlinearity, including the rate of
displacement of control surfaces,
thresholds, or any other system
nonlinearities, when deriving limit
loads.
Proposed § 25.302 would also require
that an applicant shows that the
airplane meets the strength
requirements of part 25 for static and
residual strength, using specified factors
to derive ultimate loads from the limit
loads. The proposed rule would require
the applicant to investigate the effect of
nonlinearities beyond limit conditions
to ensure that the behavior of the system
presents no anomaly compared to the
system’s behavior below limit
conditions.
3. Failure Condition Effect on Structural
Performance
Proposed § 25.302(a) through (e)
would require an applicant to assess the
effect of failure conditions on the
airplane’s structural performance.
Proposed § 25.302 would require
assessment of all failure conditions not
shown to be extremely improbable, or
that result from a single failure, as
typically determined by the applicant’s
system safety assessment.
Proposed § 25.302(a) would require
that the airplane’s design be able to
withstand the loads, including control
system loads, resulting from failure
conditions, at speeds up to VC/MC, the
design cruising speed. Such loads are
limit loads as described in § 25.301, and
an applicant then applies a safety
factor 38 of 1.5 to determine the
airplane’s ultimate loads. Proposed
§ 25.302(a) would require the applicant
to determine the loads assuming
‘‘realistic scenarios, including pilot
corrective actions.’’ Draft AC 25.1309–1B
and AC 25.671–X, ‘‘Control
Systems—General,’’ would provide
guidance for applicants on means of
determining these effects of failure
conditions, including realistic effects.
Under the proposed rule, the applicant
would be responsible for developing
scenarios that describe the response of
the airplane and the response of the
pilots following a failure condition,
using the guidance in those ACs or
another acceptable method.
Proposed § 25.302(b) would require
that, in the system-failed state (i.e., after
a particular system has failed), the
airplane be able to withstand the limit
flight and ground load conditions
specified in subpart C. The applicant
would only be required to assess flight
conditions at speeds up to VC/MC or the
speed limitation prescribed by the AFM
for the remainder of the flight. An
applicant must apply a safety factor of
1.5 to determine ultimate loads, with
two exceptions.
The first proposed exception to
§ 25.302(b) would allow a safety factor
of 1.0, rather than 1.5, if the failure
condition would be immediately
annunciated or otherwise obvious to the
flightcrew. The proposed rule would
also allow the applicant to take into
account any relevant reconfiguration
and flight limitations specified in the
AFM. The FAA proposes a safety factor
of 1.0 in this case because the
probability is very low that a design
load condition would occur after a
system failure on the same flight. The
probability of an extreme maneuver (i.e.,
a maneuver that would result in load
levels approaching design limit loads) is
further reduced because the pilot would
be aware that a failure condition had
occurred. If relying on annunciation as
the method of informing the flightcrew,
the applicant should show that the
relevant annunciation system is reliable
per § 25.1309(b).
38 A safety factor is a design factor used, in this
instance, to provide for the possibility of loads
greater than those anticipated in normal operating
conditions, and for uncertainties in design.
The second proposed exception to
§ 25.302(b) would allow a safety factor
of 1.25 if the failure condition would
not be annunciated but the probability
is extremely remote. The FAA proposes
a safety factor of 1.25 in this case
because the probability is very low that
an extremely remote failure condition
and a design load condition would
occur on the same airplane, even if the
failure condition would not be
annunciated.
The FAA does not intend for
proposed § 25.302 to require an
applicant to evaluate every subpart C
load condition under every possible
failure condition and at each speed,
altitude, and payload configuration for
which the airplane is designed. Instead,
the FAA anticipates that the applicant
would first identify those failure
conditions that could impact the loads
analysis required by subpart C. The
applicant would then select load
conditions that the applicant presumes
could be affected by those failure
conditions. Given the appropriate safety
factor (1.0, 1.25, or 1.5), the applicant
would then determine whether any of
these load conditions, when affected by
a failure condition, would yield higher
loads than the load conditions without
the effects of the failure condition. If so,
the applicant would expand its analysis,
as necessary, to ensure that the
requirement of proposed § 25.302 would
be met.
Proposed § 25.302(c) would require
that, when conducting the damage
tolerance evaluation required by
§ 25.571, the applicant take into account
the fatigue loads induced by any failure
condition. The rule would require that
these fatigue loads be included as part
of the typical loading spectra 39 at a rate
commensurate with the probability of
their occurrence.
If a failure condition could affect the
airplane’s residual strength loads,
proposed § 25.302(d) would require the
applicant to conduct a residual strength
evaluation as specified in § 25.571(b)
under the assumption that the failure
condition had occurred. The proposed
rule would allow an applicant to
calculate these loads using at least two-thirds of each of the safety factors
specified for the static strength
assessment. The applicant would
conduct this residual strength
evaluation, which assumes a system
failure condition has occurred,
separately from the normal residual
strength evaluation required by
§ 25.571(b), which does not assume a
system failure condition has occurred.
The two-thirds factor in proposed
§ 25.302(d) is consistent with the
method of determining residual strength
loads in § 25.571(b).40
39 ‘‘Typical loading spectra’’ is described in AC
25.571–1D, Damage Tolerance and Fatigue
Evaluation of Structure.
Proposed § 25.302 would not apply to
the flight control jam conditions
covered by proposed § 25.671(c), or the
discrete source events already covered
by § 25.571(e). Proposed § 25.671(c) and
current § 25.571(e) establish criteria to
address these specific failures, and the
respective ACs, draft AC 25.671–X and
current AC 25.571–1D, Damage
Tolerance and Fatigue Evaluation of
Structure, would describe methods of
compliance. Proposed § 25.302 would
also not apply to any failure or event
that is external to (not part of) the
system being evaluated and that would
itself cause structural damage. These
conditions are already addressed by
other rules, such as §§ 25.365, 25.571,
25.841, and 25.901.
4. Dispatch in a System-Failed State
Proposed § 25.302(e) would provide
structural requirements for dispatch
under the master minimum equipment
list developed by the applicant. If the
list would allow dispatch in a system-failed state, the airplane would need to
continue to meet the design load
requirements of subpart C in that
system-failed state, without any
reduction in safety factor. The applicant
would be allowed to take into account
any relevant operating limitations,
including configuration changes,
specified for the dispatched
configuration. In addition, the airplane
would also need to meet § 25.302(a) and
(b), accounting for any subsequent
single failure, and separately, any
combination of failures not shown to be
extremely remote.
5. Differences Between Proposed
§ 25.302 and EASA CS 25.302
As noted previously, EASA has
incorporated the criteria regarding
interaction of systems and structures
recommended by the LDHWG
into its regulatory framework as CS
25.302 and appendix K of CS–25.
Proposed § 25.302 differs from CS
25.302 and appendix K in a number of
ways.
i. Determination of Safety Factor
The most significant difference
between the proposed § 25.302 and CS
25.302 is that the latter defines
structural factors of safety and the
flutter speed margin on a sliding scale
based on probability, while the
proposed § 25.302 specifies discrete
safety factors and does not change the
flutter speed margin currently specified
in § 25.629, as described below.
40 In § 25.571(b), residual strength loads are
determined using a safety factor of 1.0, which is
two-thirds of the typical safety factor of 1.5 required
by § 25.303.
ii. Flutter Speed Margin
Proposed § 25.302 does not include
any aeroelastic stability requirements
and would only address the effect of
systems on loads requirements. Section
25.629 and CS 25.302 both specify
flutter speed margins for failure
conditions. The margins in CS 25.302
are based on the probability of the
condition’s occurrence, while § 25.629
defines a single speed margin for every
failure condition regardless of its
probability. The FAA believes the
current speed margin specified in
§ 25.629 is adequate, and there is no
need to propose more specific failure
criteria based on probability of
occurrence. The current speed margin
specified in § 25.629, which has been in
place since Amendment 25–0 of 14 CFR
part 25, has proven effective in service.
iii. Regulatory Structure Differences
The FAA’s proposal is contained
entirely within § 25.302 and does not
add a new appendix to part 25. Also, the
FAA’s proposal would not include the
two paragraphs in appendix K of CS–25
that are general in nature and do not
contain any specific requirements.
These paragraphs, K25.1(a) and (b) of
CS–25, discuss application of the
requirements in the appendix.
iv. Fully Operative Condition
Appendix K of CS–25 includes
several paragraphs that require
evaluation of the airplane in a system-fully-operative condition. The FAA’s
proposal would replace those
paragraphs with a simpler requirement
that the applicant account for the effects
of systems when showing compliance
with the requirements of subparts C and
D. The FAA does not regard this as a
substantive difference in the criteria.
v. Safety Factor at the Time of Failure
For the applicant’s assessment of the
failure condition at the time the failure
occurs, CS 25.302 allows a reduced
safety factor, ranging from 1.5 to 1.25,
based on the probability of the failure.
The FAA’s proposal would require a
safety factor of 1.5, regardless of the
probability of the failure. The FAA
determined it’s better to define
structural strength capability using
discrete factors of safety rather than a
sliding scale based on probability
because probability estimates are not
that precise. The FAA also determined
the proposed 1.5 safety factor
requirement would be easily met by
applicants for type certification because
systems that affect structural
performance are typically passive
systems, which alleviate loads rather
than initiate loads.
vi. Safety Factor for Continued Flight
After Initial Failure
For the assessment of continued
flight, after the initial failure condition
occurs, CS 25.302 requires the applicant
to determine loads for several subpart C
load conditions. In contrast, the FAA’s
proposal would require the applicant to
determine loads for any subpart C load
condition that would be affected by the
failure condition. In addition, CS 25.302
allows a reduced safety factor, ranging
from 1.5 to 1.0, based on the probability
of the failure condition’s occurrence. In
contrast, the FAA’s proposal would
specify a safety factor of 1.5, unless the
failure condition would be annunciated,
in which case the rule would allow a
safety factor of 1.0; or, if the failure
condition was extremely remote, the
rule would allow a safety factor of 1.25.
As noted above, the FAA proposes to
use discrete factors of safety rather than
a sliding scale based on probability
because probability estimates are not
that precise. The FAA proposed rule
would be simpler to apply than EASA’s
method because an applicant would use
discrete safety factors, rather than
sliding scales. For failures that are
annunciated, this proposal would be
less stringent than CS 25.302, since
proposed § 25.302 would allow a safety
factor of 1.0 regardless of the probability
of failure. However, the FAA’s proposal
recognizes that annunciation of the
failure would limit exposure to a
subsequent design load condition to the
remainder of the flight. Because of the
very low probability of a system failure
condition followed by a design load
condition occurring on the same flight,
the FAA believes a safety factor of 1.0
is appropriate.
vii. Fatigue and Damage Tolerance
Both § 25.571 and CS 25.571 require
a ‘‘residual strength evaluation’’ of the
airplane that demonstrates structural
strength capability in the presence of
fatigue cracks and any other anticipated
environmental or accidental damage.
The residual strength loads used for
those evaluations are limit loads (safety
factor of 1.0). Proposed § 25.302 would
mimic the requirement in CS 25.302 for
an additional assessment of residual
strength using two-thirds of the loads
specified for the continuation of flight.
However, these loads would vary
between § 25.302 and CS 25.302, as
described in the previous paragraph.
Proposed § 25.302 would also echo CS
25.302’s requirement that the applicant
evaluate the fatigue loads induced by
any failure condition. However, the
FAA proposal is more specific than CS
25.302 in how that evaluation would be
accomplished.
viii. Failure Annunciation
CS 25.302 outlines various failure
annunciation criteria for affected system
failure conditions. The FAA’s proposal
does not specify annunciation criteria,
but instead determines the allowable
safety factor based upon whether the
failure condition would be annunciated.
ix. Dispatch Configuration
CS 25.302 requires that anticipated
dispatch configurations meet the
strength and flutter aspects of CS
25.302, while accounting for the
probability of the airplane being in that
configuration. The FAA’s proposal
would require that the structural
strength criteria in the proposed rule—
§ 25.302(a) through (b)—be met for the
airplane in the dispatch configuration
while accounting for any subsequent
single failure or any subsequent
combination of failures not shown to be
extremely remote.
D. Turbojet Thrust Reversing Systems
The current regulation for thrust
reversals in flight, § 25.933(a)(1),
requires that, during any reversal in
flight, the engine will produce no more
than flight-idle thrust. Additionally,
current § 25.933(a)(1) requires an
applicant to show that each operable
reverser can be restored to the forward
thrust position, and that the airplane is
capable of continued safe flight and
landing under any possible position of
the thrust reverser. Proposed
§ 25.933(a)(1)(ii) would allow an
applicant to demonstrate compliance
with § 25.1309(b) for these thrust
reversing systems.
The application of the current
standards has not precluded the loss of
airplane control following the unwanted
in-flight deployment of the thrust
reverser. The investigation of the 1991
Lauda Air accident involving a Boeing
Model 767 airplane revealed that an
unwanted in-flight thrust reversal at
high speeds and high power conditions
on an airplane with wing-mounted,
high-bypass turbofan engines can result
in disruption of air flow over the wing
and the loss of lift and controllability.
Until this accident, the service history
of in-flight thrust reverser deployment
incidents indicated that an in-flight
thrust reverser deployment at high
power would not result in a catastrophic
event. However, engine installations on
modern transport category airplanes
include high-bypass turbofan engines
mounted close to the wing, and forward
of the wing leading edge, to reduce
aerodynamic drag and provide sufficient
ground clearance. As a result, these
airplanes do not have a sufficient
control margin in the event of an
unwanted in-flight thrust reversal and,
therefore, cannot comply with the rule
during all phases of flight.
To allow applicants for type
certification flexibility in their design
and achieve the intended level of safety,
the FAA proposes to allow an applicant
to demonstrate using a system safety
assessment, per the proposed 14 CFR
25.1309(b), that unwanted deployment
of the thrust reverser will not occur in
flight. The FAA derived this option,
known as the ‘‘reliability option,’’ from
the PPIHWG’s recommendations.41
The PPIHWG evaluated methods used
by applicants to assure reliability of
other critical systems to determine if
applicants could effectively apply the
same requirements to thrust reverser
systems. The PPIHWG concluded that
design features such as redundant
locking mechanisms (eliminating
catastrophic single failures) in
conjunction with more rigorous design
and maintenance assessments (reducing
exposure to latent failures) can provide
a level of safety equivalent to the
current rule. The FAA agrees.
Allowing an applicant to develop
thrust reversing systems in compliance
with § 25.1309, especially by reducing
those systems’ exposure to SLFs, would
improve the level of safety because
unwanted in-flight thrust reverser
deployments would not be expected to
occur during the entire operational life
of all airplanes of one type, and
eliminate the need for flightcrew
procedures in response to an in-flight
thrust reversal. Proposed § 25.1309
would provide a level of safety at least
equivalent to current § 25.933(a)(1)(ii).
This reliability option would allow an
applicant to use a more practical
approach to show compliance in all
phases of flight for all known engine
installations.
41 For more information about the PPIHWG’s
recommendations, see the PPIHWG report in the
docket for this rulemaking.
This proposal is consistent with the
FAA’s current practice because the FAA
has been implementing the PPIHWG’s
recommendations through ELOS
findings on specific projects since 1994.
The FAA has accepted SSAs that show
that in-flight thrust reverser deployment
is extremely improbable as an
alternative to flight tests that show full
controllability across the entire flight
envelope. The FAA has also accepted a
combination of these two methods to
allow applicants for type certification
more flexibility when demonstrating an
ELOS. For example, within that portion
of the flight envelope where
controllability cannot be shown,
applicants have shown that the
probability of an unwanted in-flight
thrust reversal is extremely improbable.
Conversely, applicants who have shown
compliance primarily using the
reliability option have shown that there
are portions of the flight envelope where
the airplane is controllable, and an
unwanted in-flight deployment can be
classified as less severe than
catastrophic. This mixed approach has
allowed applicants more flexibility in
the thrust reverser system design and
maintenance intervals than under the
traditional rule. Under current ELOS
determinations, applicants select either
option, or combine them, to achieve the
level of safety intended by the rule.
With this proposal, the FAA regulations
would continue to allow such
combinations, but without the need for
an ELOS. This will result in increased
efficiency for both the FAA and the
industry in certification programs,
without impacting the level of safety
established by § 25.933(a)(1).
Based on the PPIHWG’s
recommendations, the FAA also
proposes that the current requirements
in § 25.933(a)(1)—that each operable
reverser can be restored to the forward
thrust position, and that during any
reversal in flight the engine will
produce no more than flight-idle
thrust—would no longer be necessary
given the other proposed changes to this
section. If a design can meet
§ 25.1309(b) without these features, then
they need not be mandatory. Further, in
accordance with proposed § 25.1309(a),
any properly functioning thrust reverser
would be required to respond
appropriately to all anticipated
flightcrew commands.
E. Flight Control Systems Safety
Assessment Criteria
1. Changes to § 25.671(c) Failure Criteria
a. Changes to § 25.671(c), (c)(1), and
(c)(2)
The current design and failure criteria
for flight control systems, in § 25.671(c),
were largely derived from Civil Air
Regulations 4b.320, which preceded the
current 14 CFR part 25 standards
established in 1965. The FAA updated
those requirements in amendment 25–
23 (35 FR 5674, April 8, 1970) to
account for automatic and powered
flight control technology improvements
and to consolidate the failure criteria
and make them applicable to the entire
control system.
Section 25.671(c) requires that the
airplane be capable of continued safe
flight and landing following the failure
conditions listed in § 25.671(c)(1) and
(2) and the jamming conditions in
§ 25.671(c)(3).
Paragraph (c)(1) of § 25.671 requires
an applicant to show continued safe
flight and landing following any single
failure.
Paragraph (c)(2) requires the applicant
to show continued safe flight and
landing following any combination of
failures not shown to be extremely
improbable. Paragraph (c)(2) also
includes examples of failures that must
be evaluated.
The FAA proposes to remove the
flight control system failure criteria in
§ 25.671(c)(1) and (2), including the
examples of specific failures that must
be evaluated, and instead require safety
assessment of flight control systems to
be regulated by § 25.1309. Section
25.1309 would be used to address the
flight control SSA, except with regard to
jamming. The FAA also proposes to
retain the examples in § 25.671(c)(2) as
failures that must be considered in
showing compliance with § 25.629 as
discussed later in this preamble (section
I.A.2).
Finally, current § 25.671(c) requires
that probable failures have only minor
effects and be capable of being readily
counteracted by the pilot. The FAA
proposes to remove this requirement
because its effect on safety would be
covered by proposed § 25.1309.
Proposed § 25.1309 would require that
each major failure condition be remote,
which means that probable failures
(more likely than remote) must have
only minor effects (must not be major).
b. Changes to § 25.671(c)(3)
Section 25.671(c)(3) requires that an
applicant evaluate any jam in a control
position normally encountered, as well
as runaway 42 of a flight control to an
adverse position and subsequent jam.
The FAA proposes to consolidate the
current § 25.671(c)(3) flight control jams
requirement under § 25.671(c) and
revise as described below.
42 A runaway of a flight control occurs when the
control surface moves to its fully extended position
without pilot input and as the result of some type
of failure.
The flight control jams requirement in
§ 25.671(c)(3) has generated debate
about the meaning of a ‘‘normally
encountered’’ control position. This
phrase came under scrutiny after two
Boeing Model 737 accidents, and the
FAA and NTSB investigations that
followed.43 44 The issue was whether
‘‘normally encountered’’ should be
interpreted as a small control surface
deflection, which occurs routinely, or as
a large or even full control surface
deflection, which occurs much less
frequently. Demonstrating compliance
assuming a fully deflected and jammed
control surface is much more difficult
than doing so with a small control
surface deflection. In May 1995, the
FAA issued a policy letter specifying
what ‘‘normally encountered’’ control
positions (which included large
deflections) should be used for
compliance with § 25.671(c)(3).45 In
October 1996, the NTSB issued Safety
Recommendation A–96–108, later
superseded by Safety Recommendation
A–99–23, which recommended that
applicants evaluate control jams at
fully-deflected control positions. The
FCHWG considered the NTSB safety
recommendation in developing its
recommendation. The FCHWG
recommended that the phrase ‘‘normally
encountered’’ be retained in the rule,
and that an FAA AC define the
‘‘normally encountered’’ control
positions. The FAA proposes to adopt
the FCHWG recommendation.
Draft AC 25.671–X would explain that
the FAA considers ‘‘normally
encountered’’ positions as the range of
control surface deflections, from neutral
to the largest deflection expected to
occur in 1,000 random operational
flights, without considering other
failures. The AC would also provide
guidance for performance based criteria
that define environmental and
operational maneuver conditions, and
the resulting deflections that could be
considered normally encountered
positions.
43 NTSB Aircraft Accident Report NTSB/AAR–01/01 is available in the docket and at
https://www.ntsb.gov/investigations/AccidentReports/Reports/AAR0101.pdf.
44 NTSB Aircraft Accident Report NTSB/AAR–99/01 is available in the docket and at
https://www.ntsb.gov/investigations/AccidentReports/Reports/AAR9901.pdf.
45 Policy Statement PS–ANM100–1995–00020 is available in the docket and at
https://www.faa.gov/regulations_policies/policy_guidance/.
A second compliance issue related to
§ 25.671(c)(3) stems from an applicant’s
use of probability analysis to show that
a jam, or a runaway and jam, is
‘‘extremely improbable.’’ Section
25.671(c)(3) requires the airplane to be
capable of continued safe flight and
landing after experiencing jamming
conditions, including runaway of a
flight control surface and subsequent
jam, unless the jamming condition is
shown to be extremely improbable or
the jam can be alleviated. While current
§ 25.671(c)(3) allows the use of
probability analysis, applicants have
generally been unable to demonstrate
that jamming conditions are ‘‘extremely
improbable,’’ except for conditions that
occur during a very limited time just
prior to landing. Therefore, the FAA
proposes to revise § 25.671(c) to require
that the applicant’s safety assessments
assume that the specified jamming
conditions will occur, regardless of
those conditions’ probability. The FAA
also proposes to exclude jamming
conditions that occur immediately
before touchdown if these can be shown
to be extremely improbable. For jams
that occur just before landing, some
amount of time and altitude is necessary
in order to recover, and there is no
practical means by which a recovery can
be demonstrated. Therefore, the
applicant would be allowed to show
such a jamming condition is extremely
improbable based on the limited time
exposure.
The FAA also proposes to revise
§ 25.671(c) to define the types of jams
that must be evaluated as those that
result in a flight control surface or pilot
control that is fixed in position due to
a physical interference.
Proposed § 25.671(c) would also
require that, in the presence of a jam
evaluated under that paragraph, any
additional failure conditions that could
prevent continued safe flight and
landing must have a combined
probability of less than 1/1000. This is
to ensure adequate reliability of any
system necessary to alleviate the jam
when it occurs.
Lastly, the FAA proposes to remove
the requirement to account for a
runaway of a flight control surface and
subsequent jam. The FAA does not
believe it is necessary to include this
requirement in § 25.671 because the
SSA required by § 25.1309 would
account for any failure condition that
leads to a runaway of a flight control
surface. Runaways of flight control
surfaces will be evaluated under
§ 25.1309 regardless of whether they are
due to an external source, such as a
foreign object or control system icing, or
due to failures that are internal to the
flight control system.
2. Other Changes to § 25.671
The FAA proposes to revise
§ 25.671(a) to add a requirement that the
flight control system continue to operate
and respond as designed to commands,
and not hinder airplane recovery, when
the airplane experiences any pitch, roll,
or yaw rate, or vertical load factor that
could occur due to operating or
environmental conditions, or when the
airplane is in any attitude. This would
ensure there are no features or unique
characteristics (including, for example,
computer errors that might occur at
certain airplane bank angles) of the
control system design that would
restrict the pilot’s ability to recover from
any attitude, rate of rotation, or vertical
load factor expected to occur due to
operating or environmental conditions.
The phrase ‘‘operating or environmental
conditions’’ would have the same
meaning as in proposed § 25.1309(a)(1):
the full normal operating envelope of
the airplane, as defined by the AFM,
together with any modification to that
envelope associated with abnormal or
emergency procedures, and any
anticipated crew action. That envelope
includes other external environmental
conditions that the airplane is
reasonably expected to encounter, such
as atmospheric turbulence.
The FAA proposes to revise
§ 25.671(b) to require that the system be
designed or marked to avoid incorrect
assembly that could result in ‘‘failure of
the system to perform its intended
function,’’ rather than in the
‘‘malfunctioning of the system.’’ The
FAA also proposes to revise § 25.671(b)
to restrict the use of such marking to
cases in which compliance by design
means is impractical. The objective of
these proposed changes is to ensure that
the system performs its intended
function.46
Section 25.671(d) requires that the
airplane remain controllable if all
engines fail. The FAA proposes to revise
this section to require that not only
must the airplane be controllable
following failure of all engines, but that
an approach and flare to a landing and
controlled stop must also be possible,
assuming that a suitable runway is
available. The proposed rule would also
apply the requirement to the failure of
all engines at any point in the flight.
The FAA also proposes to make the last
sentence of § 25.671(d) active voice by
changing it from ‘‘Compliance with this
requirement may be shown by analysis
where that method has been shown to
be reliable,’’ to ‘‘The applicant may
show compliance with this requirement
by analysis where the applicant has
shown that analysis to be reliable.’’ This
revision would not change the
substance of the requirement.
46 Draft AC 25.671–X will note that by
‘‘assembled’’ in § 25.671(b), the FAA means not
only the connection of physical parts, but also the
installation of software that will be part of the
approved design. This reflects current practice and
echoes the installation requirements of § 25.1301.
The FAA also proposes to add a new
paragraph (e) to § 25.671, which would
require that the flight control system
indicate to the flightcrew whenever the
primary control means are near the limit
of control authority. On airplanes
equipped with fly-by-wire control
systems, there is no direct tactile link
between the flightdeck control and the
control surface, and the flightcrew may
not be aware of the actual control
surface position. If the control surface is
near the limit of control authority, and
the flightcrew is unaware of that
position, it could negatively affect the
flightcrew’s ability to control the
airplane in the event of an emergency.
The flight control system could meet
this requirement through natural or
artificial control feel forces, by cockpit
control movement if shown to be
effective, or by flightcrew alerting that
complies with §§ 25.1309(c) and
25.1322.
The FAA also proposes to add a new
paragraph (f) to § 25.671, which would
require that the flight control system
alert the flightcrew whenever the
airplane enters any mode that
significantly changes or degrades the
normal handling or operational
characteristics of the airplane. On some
flight control system designs, there may
be submodes of operation that change or
degrade the normal handling or
operational characteristics of the
airplane. Similar to control surface
awareness, the flightcrew should be
made aware if the airplane is operating
in such a submode.
The FAA derived the requirements of
proposed § 25.671(e) and (f) from its
experience certifying applications for
fly-by-wire systems. The proposed
requirements summarized in this
section for revision to § 25.671 have
been applied on numerous programs
through ELOS findings. Codifying these
requirements in part 25 would result in
increased efficiency for both the FAA
and the industry in certification
programs, without impacting the level
of safety.
F. Certification Maintenance
Requirements
Section H25.4(a) of appendix H to
part 25 requires that airworthiness
limitations within the ICA reside in a
segregated and clearly distinguishable
section titled ‘‘Airworthiness
Limitations section.’’ The ALS is
required to include mandatory
maintenance actions approved by
§ 25.571 for damage tolerant structures,
by § 25.981 for fuel tank systems, and by
§ 25.1701 for the electrical wiring
interconnection system (EWIS).
However, section H25.4 does not
include the maintenance actions
typically established during the
certification process as CMRs, using the
guidance in AC 25–19A, Certification
Maintenance Requirements. As a result,
the current regulations are not
consistent in how they address system-related maintenance requirements.
AC 25.1309–1A provides guidance for
an applicant to include maintenance
actions when it shows compliance with
§ 25.1309, and AC 25–19A provides
guidance on the selection,
documentation, and control of CMR to
implement such maintenance actions.
CMRs, when properly implemented, are
required tasks to detect safety
significant failures that would, in
combination with one or more other
failures, result in a hazardous or
catastrophic failure condition. CMRs are
developed to show compliance to
§ 25.1309, and other regulations
requiring safety analyses such as
§§ 25.671, 25.783, 25.901, and 25.933.
As described in AC 25–19A,
establishing CMRs is not always
necessary if there is another suitable
method to identify the needed
maintenance task to prevent a failure
condition from developing.
In practice, industry and the other
certification authorities have treated
CMRs as equivalent to airworthiness
limitations. CMRs are currently
considered by operators as the systems
counterpart to the airworthiness
limitations for primary structures, fuel
tank systems, and EWIS. However,
unlike these airworthiness limitation
items, the CMRs do not have a
regulatory basis upon which to
standardize their development.
Airworthiness limitations for systems
that have hazardous and catastrophic
failure effects are just as relevant to the
safety of the airplane as the
airworthiness limitations currently
required for fuel tank systems, EWIS,
and damage tolerant primary structures.
Many applicants have been voluntarily
including CMRs in the ALS of the ICA.
Based on the foregoing, the FAA
proposes to revise § 25.1309(d) to
require the applicant to establish CMRs
to prevent development of the failure
conditions described in § 25.1309(b).
Section 25.1309(d) would require these
maintenance requirements to be
included in the ALS of the ICA required
by § 25.1529. This proposal would
codify current industry practice the
FAA has accepted as a means of
compliance with § 25.1309 and other
system safety regulations, for many
years.
In addition, the type certification
process often results in the
establishment of CMRs for systems that
are not regulated by § 25.1309 (for
example, a CMR may be established for
flutter prevention under § 25.629). To
provide a common regulatory basis for
such CMRs, including those established
under § 25.1309, the FAA proposes a
new section, H25.4(a)(6). This proposed
rule would require an applicant to
include any CMR in the ALS of the ICA,
if the CMR was established to comply
with any applicable provisions of part
25.
G. Miscellaneous Amendments
1. Method of Compliance With
§ 25.1309(b)
The FAA proposes to remove current
§ 25.1309(d). Section 25.1309(d)
currently requires an applicant to show
that a design complies with § 25.1309(b)
by using analysis, and where necessary,
ground, flight, or simulator testing.
Section 25.1309(d) also describes the
features that the applicant’s analysis
must consider.
The FAA reconsidered the
requirement in § 25.1309(d) and
concluded that this requirement is no
longer needed within the regulatory
text, since it specifies a particular, yet
incomplete, process for compliance
with § 25.1309(b). This conclusion is
consistent with the SDAHWG
recommendation to remove § 25.1309(d)
and place the process for compliance
with § 25.1309(b) into non-mandatory
guidance material. Removing these steps
from the regulation is not intended to
alter the evaluations required by
§ 25.1309(b). Instead, it is intended to
reflect that § 25.1309(b) provides
performance-based requirements for
which the methods of compliance
should be appropriate to the particular
system. In addition, the current
§ 25.1309(d) provides an incomplete list
of considerations, and other, equally
important factors may need to be
included in the applicant’s proposed
assessments. These factors can include
environmental conditions, complexity
of the design, common cause of multiple
failures, flightcrew capability and
workload, and safety margin after a
failure, all of which will vary for each
application and which the FAA will
discuss in the accompanying draft
guidance.
Because § 25.1309(d) would no longer
prescribe specific methods for
demonstrating compliance with
§ 25.1309(b), the FAA also proposes to
remove the reference to § 25.1309(d)
from § 25.1365(a). This change would
not affect the level of safety provided by
the current rule, because § 25.1365(a)
would continue to reference the
requirements of § 25.1309(b). This
proposal would harmonize § 25.1365(a)
with CS 25.1365(a).
2. Failure Examples Related To Flutter
This proposal would relocate several
specific failures from § 25.671(c)(2) to
the aeroelastic stability requirements of
§ 25.629. Section 25.671(c)(2) specifies
examples of failure combinations that
must be evaluated, including dual
electrical and dual hydraulic system
failures, and any single failure
combined with any probable hydraulic
or electrical failure. Section 25.629(d)(9)
currently requires that the airplane be
shown to be free from flutter
considering various failure conditions
considered under § 25.671, which
includes those failure conditions
specified in § 25.671(c)(2). The FAA is
proposing to remove those examples
from § 25.671(c)(2) in conjunction with
related changes to § 25.1309 described
in section III.E of this preamble.
However, the specific failure conditions
identified in § 25.671(c)(2) have
provided an important design standard
for dual actuators on flight control
surfaces that rely on retention of
restraint stiffness or damping for flutter
prevention. Therefore, this proposal
relocates these failure conditions from
§ 25.671(c)(2) to the aeroelastic stability
requirements of § 25.629(d). This change
would not affect the level of safety
provided in current §§ 25.671(c)(2) and
25.629(d).
3. Other Changes to § 25.629
Section 25.629(b) requires the
airplane to be free from aeroelastic
instability for ‘‘all configurations and
design conditions’’ within the speed
and altitude envelopes specified in
§ 25.629(b)(1) and (2). Such design
conditions include the range of load
factors within the normal flight
envelope. The normal flight envelope is
defined in § 25.333. Therefore, this
proposal would specify that the
aeroelastic stability envelope includes
the range of load factors specified in
§ 25.333.
4. EWIS Requirements
The FAA proposes to remove
paragraph (b) from § 25.1301 and to
remove paragraph (f) from § 25.1309.
Section 25.1301(b) requires that a
proposed airplane’s EWIS meet the
requirements of subpart H of part 25.
Subpart H was created (at amendment
25–123, in 2007) as the single place for
the majority of wiring certification
requirements. The references in
§§ 25.1301(b) and 25.1309(f) are
redundant and unnecessary because
subpart H specifies its applicability. The
FAA has determined that such
redundancy is not needed because the
subpart H requirements can stand alone.
5. Removal of Redundant Requirements
The FAA proposes to remove
paragraph (e) from § 25.1309. The
requirements of paragraph (e) concern
compliance with § 25.1309(a) and (b) for
electrical system and equipment design.
The requirements of paragraph (e) are
unnecessary because they are redundant
to the general risk assessment of
§ 25.1309 and to §§ 25.1351 through
25.1365 specifically related to electrical
systems.
H. Petitions for Rulemaking
During the development of this
proposed rule, the FAA considered two
relevant petitions for rulemaking
submitted in 1986. Summaries of these
petitions were published in the Federal
Register.47 The petitions and a
disposition of the petitions are included
in the docket for this NPRM. This
NPRM proposes some changes that were
suggested in those petitions, including
adding definitions of probability
terms 48 and revising the methods for
accounting for failure effects.49 See
proposed §§ 25.4 and 25.1309.
I. Advisory Material
The FAA has drafted three new ACs
and revisions to two existing ACs to
provide guidance material for
acceptable means, but not the only
means, of showing compliance with the
regulations proposed for revision by this
NPRM. The FAA will post the draft ACs
in the docket and on the ‘‘Aviation
Safety Draft Documents Open for
Comment’’ web page at https://www.faa.gov/aircraft/draft_docs/.50 The
FAA requests that you submit
comments on the draft AC through
either the docket or through that web
page. The draft ACs are as follows:
• AC 25.671–X, Control Systems—
General.
• AC 25.901–X, Safety Assessment of
Powerplant Installations.
• AC 25.933–X, Unwanted In-Flight
Thrust Reversal of Turbojet Thrust
Reversers.
• AC 25.629–1C, Aeroelastic Stability
Substantiation of Transport Category
Airplanes.
• AC 25.1309–1B, System Design and
Analysis.
47 51 FR 33061 (Sept. 18, 1986) and 52 FR 1924
(Jan. 16, 1987).
48 Including ‘‘extremely improbable’’ and
‘‘probable’’ with regard to failure conditions.
49 Including the ‘‘fail-safe’’ requirement, and
specifying exceptions in § 25.1309 for certain
failure effects specified in other sections and
subparts of part 25.
50 To submit comments via the ‘‘Aviation Safety
Draft Documents Open for Comment’’ web page,
https://www.faa.gov/aircraft/draft_docs/, please
follow the instructions found on that web page.
IV. Regulatory Notices and Analyses
Changes to Federal regulations must
undergo several economic analyses.
First, Executive Order 12866 and
Executive Order 13563 direct that each
Federal agency shall propose or adopt a
regulation only upon a reasoned
determination that the benefits of the
intended regulation justify its costs.
Second, the Regulatory Flexibility Act
of 1980 (Pub. L. 96–354) requires
agencies to analyze the economic
impact of regulatory changes on small
entities. Third, the Trade Agreements
Act (Pub. L. 96–39) prohibits agencies
from setting standards that create
unnecessary obstacles to the foreign
commerce of the United States. In
developing U.S. standards, the Trade
Act requires agencies to consider
international standards and, where
appropriate, that they be the basis of
U.S. standards. Fourth, the Unfunded
Mandates Reform Act of 1995 (Pub. L.
104–4) requires agencies to prepare a
written assessment of the costs, benefits,
and other effects of proposed or final
rules that include a Federal mandate
likely to result in the expenditure by
State, local, or tribal governments, in the
aggregate, or by the private sector, of
$100 million or more annually (adjusted
for inflation with base year of 1995).
This portion of the preamble
summarizes the FAA’s analysis of the
economic impacts of the proposed rule.
The FAA suggests readers seeking
greater detail read the Regulatory Impact
Analysis in the docket for this
rulemaking.
In conducting these analyses, the FAA
determined that this proposed rule (1)
has benefits that justify its costs; (2) is
not an economically ‘‘significant
regulatory action’’ as defined in section
3(f) of Executive Order 12866; (3) would
not have a significant economic impact
on a substantial number of small
entities; (4) would not create
unnecessary obstacles to the foreign
commerce of the United States; and (5)
would not impose an unfunded
mandate on state, local, or tribal
governments, or on the private sector by
exceeding the threshold identified
above. These analyses are summarized
below.
A. Regulatory Evaluation
1. Costs and Benefits of This Proposed
Rule
The predominant cost impact of this
proposed rule results from proposed
requirements addressing catastrophic
dual failures (CSL+1), where the first
failure is latent (unknown until
discovered by crew or maintenance
personnel), which, in combination with
a second active failure, results in a
catastrophic accident. Without the rule,
unsafe conditions in service associated
with potential CSL+1 failure conditions
would continue to be addressed, after
certification, by airworthiness directives
(ADs).51 Accordingly, the costs of ADs
avoided because of the rule would be
benefits of the rule in the form of cost
savings. ADs resulting from potential
CSL+1 failure conditions are occurring
at such a high rate that the benefits of
avoiding these ADs, by themselves,
exceed the costs of the specific risk rule,
§ 25.1309(b)(5). At a 7 percent discount
rate, the FAA finds the cost savings
resulting from the proposed specific risk
rule to be $24.6 million, exceeding the
$15.5 million cost of the rule, and
resulting in $9.1 million in net cost
savings. At a 3 percent discount rate, the
FAA finds that the cost savings are
$46.79 million, exceeding a $24.65
million cost, and resulting in $22.14
million in net benefits.
The FAA finds all other provisions of
this proposed rule to be cost beneficial
or to have zero or minimal cost.
2. Who is potentially affected by this
proposed rule?
Applicants for type certification, and
operators, of part 25 airplanes are
potentially affected by this proposed
rule.
3. Assumptions and Sources of
Information
• The FAA uses three percent and
seven percent discount rates to estimate
present value and annualized costs and
cost savings based on OMB guidance.52
• Source: Airplane certification costs,
https://www.faa.gov/, Regulations &
Policies, Rulemaking, Committees—
Advisory and Rulemaking Committees,
Topics—Transport Airplane and
Engines (TAE) Subcommittee (Active),
Airplane-level Safety Analysis Complete
File, ARAC ASAWG Report, Specific
Risk Tasking, appendix A, p. 104.
Source: ASAWG Recommendation
Report, ‘‘SPECIFIC RISK TASKING,’’
April 2010 (pp. 64, 104). These costs are
updated to 2021 dollars by the ratio of
the 2021 GDP implicit price deflator to
the 2010 GDP implicit price deflator,
viz. 118.490/96.164 = 1.232. U.S.
Bureau of Economic Analysis. ‘‘Table
1.1.4. Price Indexes for GDP.’’ Click
‘‘Modify’’ icon and refresh table with
first and last years of period.
51 ADs are rules issued by the FAA that require
specific actions to address an unsafe condition on
an aircraft or other aviation product.
52 OMB Circular A–4, Regulatory Analysis (2003),
https://www.whitehouse.gov/sites/whitehouse.gov/
files/omb/circulars/A4/a-4.pdf.
• For manufacturers of large part 25
airplanes (large transports): 2 U.S.
airplane certifications in next 10-year
period, with 24 annual U.S. deliveries
per U.S. certification; 1 foreign airplane
certification in next 10-year period, with
16 annual U.S. deliveries per foreign
certification; 23-year airplane
production run, and 28-year retirement
age. For manufacturers of business jets
(small part 25 airplanes): 2 U.S.
airplane certifications in next 10-year
period, 21 annual U.S. deliveries per
U.S. certification and 28-year
production run; 3 foreign airplane
certifications in next 10-year period, 11
annual U.S. deliveries per foreign
certification; and 16-year airplane
production run, 30-year retirement age.
For benefits of avoided ADs (6): Average
number of certifications for U.S.-manufactured airplanes. See the
Regulatory Impact Analysis available in
the docket for more details.
• The period of analysis for large
airplanes is 23 + 28 = 51 years to
account for a product life cycle
determined by a 23-year production
period and a 28-year service period. The
period of analysis for business jets is 28
+ 30 = 58 years to account for a product
life cycle determined by a 28-year
production period and a 30-year service
period.
• Average flight hours per year: Large
part 25 airplanes—3,000, Source:
FlightGlobal’s FlightFleets Analyzer,
www.ascendworldwide.com. (Average
annual flight hours = 3,040 for all
narrowbody, widebody, and regional
jets, at least one year old, operated by
U.S. airlines as of August 28, 2018.)
4. Costs of the Proposed Specific Risk
Rule
To calculate the compliance costs for
new U.S. certifications, the FAA
assumes that all new certifications will
be approved one year after the effective
date of the rule, with production
beginning one year later. Using an
airplane life cycle model detailed in the
Regulatory Impact Analysis available in
the docket, for large part 25 airplanes
(large transports) the FAA bases
compliance costs on 2 new certificates,
delivery of 24 airplanes per certificate
per year to U.S. operators, production
runs of 23 years, and an airplane
retirement age of 28 years. The costs of
compliance for large transports are
calculated over an airplane life cycle of
51 years (the period from first delivery
to last retirement), beginning in year 1
and ending in year 51. The small part
25 airplane category is a business jet
category. For part 25 business jets, the
FAA bases compliance costs on 2 new
certificates, delivery of 21 airplanes per
certificate per year to U.S. operators,
production runs of 28 years, and an
airplane retirement age of 30 years. The
costs of compliance for part 25 business
jets are calculated over an airplane life
cycle of 45 years, beginning in year 1
and ending in year 47.
Unit industry cost estimates for the
specific risk rule, § 25.1309(b)(5), were
provided by the ASAWG in its report,
‘‘Specific Risk Tasking.’’ 53 High costs
were reported by Boeing and Cessna in
contrast to the zero or near-zero costs
reported by the other manufacturers.
This was the result of (1) Boeing and
Cessna using the existing § 25.1309
amendment as a baseline and not taking
into account voluntary ELOS actions
they have taken; and (2) high hardware
and operating costs reported by Cessna
that were 20 to 30 times the comparable
costs reported by Boeing. The FAA was
unable to verify these high costs. The
FAA’s rationale and procedure to adjust
for these costs follows.
The FAA adjusted Boeing’s
engineering cost estimate by taking into
account the extent to which voluntary
ELOS actions for the Boeing Model 787
already address the problems of
potential CSL+1 dual catastrophic
failures. This adjustment allows the
FAA to reduce Boeing’s estimate to 13.3
percent of its reported value. This large
adjustment reflects the importance of
two factors: (1) the ELOS action for
flight control systems—the FAA
estimates that flight control systems
constitute 60 percent of existing
potential CSL+1 failure conditions, and
(2) that 25 percent of potential CSL+1
failure conditions have already been
addressed.
Moreover, for the few CSL+1
combinations not already meeting the
proposed rule, no hardware change
would be necessary as only the
inspection intervals would be affected.
Accordingly, expected hardware costs
and fuel burn costs are reduced to zero,
leaving only non-recurring engineering
costs and maintenance costs.
Large transports and business jets
have similar system safety architectures
because they both meet the ‘‘no single
failure’’ and ‘‘extremely improbable’’
(10⁻⁹) average risk criteria.
Accordingly, the FAA has determined
that the Boeing Model 787 cost analysis
also applies to Cessna, so that Cessna’s
engineering cost estimate should also be
reduced to 13.3 percent of reported
value, and its hardware and fuel burn
cost should be reduced to zero.
With these adjustments, industry unit
cost estimates are shown in table 3
below, along with a summary of the
production life cycle data. See the
Regulatory Impact Analysis available in
the docket for more detail on the
industry unit cost estimates.
TABLE 3—INDUSTRY PRODUCTION AND UNIT COST DATA FOR ESTIMATING COSTS OF PROPOSED SPECIFIC RISK RULE
[Cost values—$2021]

                                                              | Part 25 large transports | Part 25 business jet airplanes
--------------------------------------------------------------+--------------------------+-------------------------------
Production Estimates:                                         |                          |
  Number of Certifications (10 years)                         | 2                        | 2
  Production Life (Years)                                     | 23                       | 30
  U.S. Deliveries to U.S. Operators per Certification per Year | 24                       | 21
  Retirement Age (Years)                                      | 28                       | 30
  Foreign Deliveries to U.S. Operators per Year               | 16                       | 33
Engineering & Production Costs:                               |                          |
  Non-Recurring Engineering Costs per Model                   | $1,353,982               | $453,734
  Recurring Costs (Hardware & Installation) per Airplane      | 0                        | 0
Operating Costs                                               | $1,231                   | $164
  Incremental Maintenance Costs per Airplane per Year         | $1,231                   | $164
  Incremental Fuel Burn per Airplane per Year                 | 0                        | 0

Note: Details may not add up to totals due to rounding.
Employing these unit cost estimates
in the airplane life cycle model referred
to above, the FAA estimates the costs of
the specific risk rule over the large
transport and business jet life cycles and
shows the results by major cost
component in table 4 below.
TABLE 4—SUMMARY OF COSTS OF PROPOSED SPECIFIC RISK RULE
[$2021]

                                 | Cost ($ mil.)                                                     | Present value cost ($ mil.)
Cost category                    | Part 25 large transports | Part 25 business jets | All part 25 airplanes | Part 25 large transports | Part 25 business jets | All part 25 airplanes
---------------------------------+--------------------------+-----------------------+-----------------------+--------------------------+-----------------------+----------------------
Non-Recurring Engineering Costs  | 2.74                     | 0.9                   | 3.6                   | 2.5                      | 0.8                   | 3.4
Hardware & Installation Costs    | 0.0                      | 0.0                   | 0.0                   | 0.0                      | 0.0                   | 0.0
Operating Costs (Maintenance)    | 50.7                     | 8.4                   | 59.1                  | 10.8                     | 1.7                   | 12.5
Total                            | 53.4                     | 9.3                   | 62.7                  | 13.3                     | 2.5                   | 15.8

Note 1: Present Value Cost is calculated using a 7 percent discount rate. The FAA presents estimates using a 3 percent discount rate in the
Regulatory Impact Analysis available in the docket for this proposed rule.
Note 2: Details may not add up to totals due to rounding.

53 See https://www.faa.gov/, Regulations &
Policies, Rulemaking, Committees—Advisory and
Rulemaking Committees, Topics—Transport
Airplane and Engines (TAE) Subcommittee
(Active), Airplane-level Safety Analysis Complete
File, ARAC ASAWG Report, Specific Risk Tasking
(April 2010), appendix A, p. 104.
5. Benefits of the Proposed Specific Risk
Rule
As discussed more fully in the
Regulatory Impact Analysis available in
the docket for this proposed rule, the
proposed specific risk rule would (1)
eliminate the risk of CSL+1 failure
conditions by requiring additional
redundancy, or (2) limit the risk of
CSL+1 failure conditions by limiting the
probabilities of the dual latent and
active failures. CSL+1 failure conditions
probably caused three accidents, which
resulted in the destruction of the
airplane and the fatalities of all
passengers and crew. These accidents
were Lauda Air Flight 004 (Boeing
Model 767) in 1991, resulting in the
fatalities of 233 passengers and crew;
USAir Flight 427 (Boeing Model 737) in
1994, resulting in the fatalities of 132
passengers and crew; and the earlier
United Airlines Flight 585 (Boeing
Model 737) in 1991, resulting in the
fatalities of 25 passengers and crew.
For the Lauda Air accident, the Thai
investigating committee found the
probable cause to be an uncommanded
in-flight deployment of the airplane’s
left engine thrust reverser, resulting in
loss of airplane control. The airplane
was equipped with a double lock thrust
reverser system that operated as follows.
If a pilot wanted to deploy the thrust
reversers, he or she raised the thrust
reverser lever, which set the directional
control valve (DCV) (1st lock) to the
deploy position and opened the
hydraulic isolation valve (HIV) (2nd
lock), allowing hydraulic pressure to
open the thrust reverser door. The
investigating committee found that one
likely cause of uncommanded
deployment was contamination of the
DCV that made it susceptible to
increased pressure on its deploy side
(latent failure). When the HIV
inadvertently opened due to a short
circuit (active failure), hydraulic
pressure became available to the
susceptible DCV causing a change in the
valve position from ‘‘stow’’ to ‘‘deploy’’
with consequent deployment and the
catastrophic accident. Once discovered,
this potential CSL+1 failure condition
was eliminated by an AD action
mandating an additional valve (3rd
lock). (Please see the Regulatory Impact
Analysis available in the docket for
discussion of the CSL+1 failure
conditions that the NTSB concluded to
be the probable cause of the USAir
Flight 427 and United Airlines Flight
585 accidents.)
The FAA finds that, if the specific risk
rule had been in effect, the likelihood of
these accidents occurring would have
been reduced. Since the FAA has
already issued ADs to prevent
reoccurrence of these CSL+1 accidents,
the FAA does not use them in
estimating benefits from this rule.
However, without the rule, unsafe
conditions in service associated with
potential CSL+1 failure conditions
would continue to be addressed by ADs.
Accordingly, the costs of the ADs
avoided because of the rule would be
benefits of the rule in the form of cost
savings. The FAA first provides an
overview of the benefits estimation, and
then provides the details.
a. Overview of Avoided AD Benefits
For the ten-year period of 2008 to
2017, the FAA searched for all new
(including superseding) ADs that were
associated with potential CSL+1 failure
conditions and found 15 such ADs. In
order to simplify the analysis, the cost
of an AD was estimated based only on
the basic wage and cost of materials data
provided in the AD (or referenced
service bulletins) for required
inspections or repairs/replacements, for
all airplanes that were affected by the
AD. As in the cost section above, the
FAA updated cost to 2021 dollars. Since
labor costs were given in hours as well
as in current dollars, labor costs were
particularly easy to update since the
FAA could simply use labor hours and
the 2021 AD wage rate of $85 per
hour.54 In one or two cases, the costs of
an AD were adjusted based on
information obtained from the safety
engineer referenced in the AD. ‘‘On-condition’’ costs were not included in
calculated AD costs because such costs
depend on an unknown number of
airplanes identified on inspection as
requiring repair or parts replacement.
AD costs often occurred several months
or years following the AD effective date
because of time allowed for compliance
and because of ongoing inspection costs.
For 4 of the 15 ADs, there is no
terminating action so the affected
airplanes are required to be periodically
inspected over their entire service lives.
Present value AD costs in issuance-year
dollars were calculated by discounting
these future year costs to the year of AD
issuance at the rate of 7 percent. These
present value AD costs were adjusted to
2021 dollars using the GDP implicit
price deflator. The total cost of the 15
ADs in 2021 dollars is then summed
from the individual AD costs.
b. Details of Avoided AD Benefits
Table 5 shows cost of each of the 15
ADs that were associated with potential
CSL+1 failure conditions. For each AD,
the table provides the following
information:
• AD No.;
• Effective date of the AD;
• Airplane Model;
• PV AD Cost ($2021);
• The potential CSL+1 failure
condition; and
• Required AD Actions.
Airworthiness Directive No. 8 is split
into two results because, after an initial
AD was issued and complied with, it
was later determined that a wider range
of part numbers should have been
checked, which meant re-inspection for
a large number of airplanes that had
already been inspected. So No. 8a shows
the costs for the number of airplanes the
FAA estimates have already been
checked in the initial AD, while No. 8b
54 See the Regulatory Impact Analysis available in
the docket for more details on the labor rate and
hours used in this analysis.
shows the new costs in the superseding
AD for the airplanes already checked as
well as for the newly affected airplanes.
AD No. 15 is also shown in two parts,
with No. 15a showing the results for the
main recurring action and No. 15b
showing the results for a concurrent
nonrecurring action for a subset of
affected airplanes, required in order to
ensure the effectiveness of the test
required by the main recurring action.
Airworthiness Directives Nos. 1, 2, 4
and 15a are the four ADs with recurring
actions lasting the lifetime of the
airplanes. The total present value costs
for these ADs were calculated using AD
unit cost data and individual airplane
data from the Aircraft section of
FlightGlobal’s FlightFleets Analyzer.
For each airplane already in the affected
fleet at the AD’s effective date, costs
were calculated for the remaining years
of an assumed 28-year life, with yearly
costs discounted back to the AD’s
effective date but valued in 2021
dollars. For each airplane entering the
affected fleet after the AD’s effective
date, costs were calculated for its entire
assumed 28-year life with an additional
discount factor for time between the
AD’s effective date and the in-service
date of the airplane. Actual life was
used instead of a 28-year life if airplanes
were retired (or written off) early. Data
for August 2018 was used for AD Nos.
1, 2 and 15a. But for AD No. 4, data as
of the AD’s effective date, September 26,
2012, was used in order to simplify the
calculations. The affected model—
Boeing Model 757—ended production
in 2004, so few, if any, additional
airplanes would be entering the affected
fleet after the AD’s 2012 effective date,
and fewer of the affected airplanes
would have to be retrieved from the
‘‘Retired/Written Off’’ file than if a more
recent date was used.
The FAA notes that all 15 ADs apply
to large transport airplanes and none
apply to business jets. This result is not
surprising, since part 25 business jets
account for a small percentage of the
total flight hours for part 25 airplanes.
Given the FAA’s assumptions, the life
cycle airplane model estimates that part
25 business jets account for just 10.3
percent of all part 25 flight hours. This
particular result does not mean that
CSL+1 failure conditions cannot occur
on part 25 business jets. In fact, while
this regulatory evaluation was being
written, an immediate final rule AD was
published 55 for a potential CSL+1
failure condition in a Gulfstream Model
GVI business jet. Since this AD occurs
outside the 10-year 2008–2017 sampling
window, the FAA did not include it in
its analysis.
As table 5 below shows, total AD
costs sum to $64,195,574. The
avoidance of these costs is a benefit that
the FAA used to estimate benefits of the
proposed specific risk rule. Over the
period of AD selection, 2008 to 2017,
however, there were, on average,
approximately six new airplane models
brought to the market by U.S.
manufacturers. Since the FAA estimated
the costs of the proposed rule assuming
two new model certifications, in order
to make the estimate of the value of
avoided ADs comparable, the FAA
divided these costs by three. The FAA
then divided the adjusted costs by 10 to
estimate the average annual AD costs
over the 10-year sample period. Finally,
recognizing that no rule is perfectly
effective, the FAA estimated that the
proposed rule would be 90 percent
effective and, accordingly, reduced the
annual estimates by 10 percent. These
reduced annual estimates are then used
in the life cycle airplane model to
estimate the benefits of the proposed
rule in a manner analogous to the
estimate of the costs of the proposed
rule. Dividing $64,195,574 by 3 × 10 =
30 and multiplying by 90 percent, the
FAA obtained an estimate of average
annual benefits of $2,139,852. This then
is the estimate of the average annual
value of the ADs that will be avoided
over the 51-year life cycle of our two
airplane models as a result of the
proposed specific risk rule. The present
value of $2,139,852 for 51 years can be
calculated with the present value
annuity formula, PVA = C [1 − 1/(1 + r)ⁿ]/r
= $2,139,852 × [1 − 1/(1.07)⁴⁷]/0.07 =
$26.4 million, where C = $2,139,852 is
the average annual ‘‘cash flow’’ benefit,
r = 0.07 is the discount rate, and n = 51
years is the annuity length in years.
However, to make benefits compatible
with the cost of the rule analysis, the
FAA must discount for an additional
year to account for our assumed year for
certification of the airplane models.
Therefore, the present value of the AD
cost savings is $24.5/1.07 = $24.6
million.
TABLE 5—SSA CSL+1 COSTS SAVINGS BY AD
AD No.
Effective date of AD
1 ......
2008–06–06
April 16, 2008 ............
All Boeing 767
airplanes.
$1,168,710
2 ......
2009–14–06
August 12, 2009 ........
All Boeing 777
airplanes.
55 83
Airplane model
PV AD cost
($2021)
No.
Potential CSL+1 failure condition
Required AD actions
Repetitive inspections, lubrication, freeplay
measurement, and corrective action, as specified in Boeing Alert
Service Bulletins 767–
27A0194 or 767–
27A0195, both Revision
1, dated July 21, 2005;
or both Revision 2,
dated July 13, 2006; as
applicable.
853,970
Extensive corrosion was found on the outside rod of
a ballscrew in the drive mechanism of the horizontal stabilizer trim actuator (HSTA) of a Boeing
Model 757 airplane (AD for which is No. 4 below).
The HSTA drive mechanisms on Boeing airplanes
are designed similarly, in that they are of the rodwithin-a-rod configuration. The corrosion was on
the outside rod, which functions as a screw that
drives the stabilizer and is the primary load path.
If the outside rod fails, load is transferred to the
secondary load path—the inner rod—whose job is
to hold the horizontal stabilizer in place so it does
not run away causing loss of airplane control. In
such a case, the flightcrew would typically be instructed to land at a suitable airport as soon as
possible. Since corrosion of the outer rod could
imply corrosion of the inner rod also, this AD reveals a potential CSL+1 catastrophic accident
where active failure of the outer rod occurs in conjunction with an already failed inner rod.
See AD No. 1 above ..................................................
Fmt 4701
Sfmt 4702
FR 48918 (Sept. 28, 2018).
VerDate Sep<11>2014
18:38 Dec 07, 2022
Jkt 259001
PO 00000
Frm 00022
E:\FR\FM\08DEP3.SGM
08DEP3
Maintenance record check
and same actions as
AD No. 1.
Federal Register / Vol. 87, No. 235 / Thursday, December 8, 2022 / Proposed Rules
75445
lotter on DSK11XQN23PROD with PROPOSALS3
TABLE 5—SSA CSL+1 COSTS SAVINGS BY AD—Continued
No.
AD No.
Effective date of AD
3 ......
2011–27–03
February 10, 2012 .....
All Boeing 737
airplanes.
4 ......
2012–16–16
September 26, 2012 ..
5 ......
2009–20–12
November 5, 2009 .....
All Boeing 757
airplanes.
Certain Boeing
747 airplanes,
as identified in
Boeing Special
Attention Service Bulletin
747–27–2422,
dated October
30, 2008.
6 ......
2013–17–03
October 4, 2013 ........
7 ......
2011–22–02
November 29, 2011 ...
8a ....
2014–03–08
March 26, 2014 .........
VerDate Sep<11>2014
18:38 Dec 07, 2022
Jkt 259001
Airplane model
PV AD cost
($2021)
Potential CSL+1 failure condition
Required AD actions
3,709,424
See AD No. 1 above ..................................................
3,052,050
See AD No. 1 above ..................................................
Modification as specified
in Boeing Alert Service
Bulletin 737–27A1278,
Revision 1, dated January 7, 2010; or Boeing
Alert Service Bulletin
737–27A1277, Revision
2, dated January 8,
2010; as applicable.
See AD No. 1 above.
16,353,670
The FAA received several reports that the inboard
trailing edge flaps on Boeing Model 747 airplanes
were partially retracted from the commanded position due to failure of transmission carbon disk
‘‘no-back’’ brakes. This AD highlights a potential
CSL+1 failure condition in which the no-back
brake fails to hold the flap in its commanded position (latent failure) and the flap system transmission driveshaft breaks (active failure), causing
the flap to ‘‘freewheel.’’ The no-back brake failure
is latent because when it occurs, there is no
means to check it in place without disconnecting
the driveshaft and removing the gearbox in which
it resides from the airplane. The dual failure would
create unbalanced aerodynamic forces between
wings that could cause the airplane to roll into a
severe attitude, resulting in catastrophic loss of
control.
See AD No. 5 above ..................................................
Airbus A330–200
and –300;
A340–200 and
–300; and
A340–541 and
–642 series
airplanes.
All Airbus A310
and A300 B4–
600 and
–600R, F4–
600R (collectively called
A300–600) series airplanes.
All Airbus A318,
A319, A320,
and A321 series airplanes.
PO 00000
Frm 00023
3,048,381
526,557
535,501
Fmt 4701
This AD results from mandatory continuing airworthiness information (MCAI) originated by EASA. An
operator reported several cases of wire damage
at the pylon/wing interface. Analysis revealed that
the wire damage was due to deficient information
in installation drawings and job cards. The CSL+1
problem here stems from the fact that Low Pressure Valve (LPV) wires were not segregated by
design. The function of the LPV is to control the
fuel supply at the engine-to-pylon interface. In
case of fire, the fuel supply to the engines (or
APU) is shut off by the LPVs, which are electrically actuated by operation of the engine (or
APU) fire handle. The wire chafing could induce
dormant failure of the LPV, preventing its closure
and leading to an uncontrolled engine (or APU)
fire.
This AD was prompted by an investigation finding
that when target and proximity sensors with certain combinations of serial numbers are installed
on a flap interconnecting strut, the target signal
may not be detected. Between the trailing edge
flaps (inboard and outboard) of an Airbus Model
A320 wing, there is an interconnecting strut,
whose function is to temporarily hold a flap if the
flap’s drive system disconnects in flight at the
gearbox (which is connected to the wing). The
interconnecting strut has a proximity sensor that
reads the relative movement between the flaps.
The proximity sensor operates on the same principle as sensors used in a house alarm system.
When a window is opened, the target mounted in
the window moves away from the sensor installed
in the windowsill. The alarm system knows the
window is open. Similarly, if a flap drive system
disconnects, there would be relative movement
between the flaps observed by the sensor causing
the flap control computer to shut down the flap
system, thus preventing asymmetric flap movement between the wings. Given latent failure of an
interconnecting strut sensor, a flap drive system
disconnect could result in asymmetric flap panel
movement and consequent loss of airplane control.
Sfmt 4702
E:\FR\FM\08DEP3.SGM
08DEP3
Replace trailing edge (TE)
no-back brakes with
skewed roller no-back
brakes.
Assume immediate terminating action: Replacement of all 4 JURID
wing tip brakes (WTBs)
with MIBA WTBs.
Modification of the electrical installation in the
pylon/wing interface to
avoid wire damage.
Inspect to determine part
numbers of the interconnecting struts installed on the wings
and the serial numbers
of the associated target
and proximity sensors,
and replace the interconnecting strut if applicable.
75446
Federal Register / Vol. 87, No. 235 / Thursday, December 8, 2022 / Proposed Rules
lotter on DSK11XQN23PROD with PROPOSALS3
TABLE 5—SSA CSL+1 COSTS SAVINGS BY AD—Continued
AD No.
Effective date of AD
8b ....
2017–24–07
January 5, 2018 ........
All Airbus A318,
A319, A320,
and A321 series airplanes.
1,512,126
Same as above. This superseding AD was issued
because EASA determined that a wider range of
part numbers of affected interconnecting struts
should be checked.
9 ......
2014–11–10
August 19, 2014 ........
Bombardier CL–
600–2B19 (Regional Jet Series 100 &
440), S/Ns
7003–8110 inclusive.
1,881,761
10 ....
2015–19–01
October 21, 2015 ......
Boeing 777 airplanes, Line
Nos. 1 through
1104 inclusive.
16,150
11 ....
2015–19–04
October 21, 2015 ......
50,150
12 ....
2015–19–09
November 3, 2015 .....
All Boeing 757
airplanes.
All Boeing 787–8
airplanes.
This AD was prompted by reports that the shear pin
in the input lever of several PFS (Pitch Feel Simulator) units failed due to fatigue, and by the development of a re-designed PFS unit, eliminating the
need for repetitive functional tests. With latent failure of a PFS unit due to a failed shear pin, the
failure of the second PFS unit would result in loss
of pitch feel forces and consequent reduced control of the airplane. Loss of tactile feedback typically causes the pilot to overshoot commands to
the control system. As an analogy, consider an
automobile steering wheel. At low speeds, the feel
is soft (requiring large turns to steer the front
wheels a given amount). At high speeds, the feel
is designed to be harder (requiring more force to
steer the wheels a given amount). If the feel unit
fails, we can still steer, but because the forces are
the same at low and high speeds, we could lose
control of the car at high speeds.
This AD was prompted by reports of latently-failed
fuel shutoff valves caused by a design error that
affects both valve control and indication of the
valve’s position. As a result, the failure can lead
to a large number of flights with the fuel shutoff
valve failed in the open position without the operator being aware of the failure. Latent failures of
the fuel shutoff valve to the engine (or APU) could
result in an inability to shut off fuel to the engine
(or APU) and an uncontrollable fire that could lead
to catastrophic wing failure.
See AD No. 10 above ................................................
111,421
See AD No. 10 above ................................................
13 ....
2015–21–09
October 28, 2015 ......
38,250
See AD No. 10 above ................................................
1. Revise maintenance or
inspection program.
2. Replace engine and
APU shutoff valve actuators with new actuators.
See AD No. 10 above.
14 ....
2015–21–10
October 28, 2015 ......
105,740
See AD No. 10 above ................................................
See AD No. 10 above.
15a ..
2016–04–06
April 1, 2016 ..............
2,455,178
During a simulated fire test in the forward cargo
compartment on 737–800 airplanes, smoke penetrated into the passenger cabin and flightdeck
when in the fire suppression configuration. The
smoke was observed entering the passenger
cabin, during steady state cruise and descent
conditions, in quantities significantly higher than
amounts found acceptable during previous certification tests. Small amounts of smoke were observed in the flightdeck. A subsequent Boeing review found that there was no maintenance procedure available to inspect the components used to
reconfigure the air distribution system. Latent failure of the equipment cooling system or low pressure environmental control system, in combination
with a cargo fire, could result in smoke in the
main cabin and flightdeck and possible loss of airplane control. The maintenance procedure could
reduce the likelihood of such latent failures.
Recurring test: Repetitive
Smoke Clearance—
Operational Test for
correct operation of the
equipment cooling and
low pressure environmental control systems.
Airplane model
PV AD cost
($2021)
No.
All Boeing 767
airplanes.
All Boeing 737–
600, –700,
–700C, –800,
and –900 airplanes.
All Boeing 737–
600, –700,
–700C, –800,
and –900 airplanes.
Potential CSL+1 failure condition
Required AD actions
Because of the nearly
4-year difference in the
AD dates, in addition to
inspection of new airplanes, all of the airplanes that had been
already inspected under
the AD 2014–03–08 requirements have to be
re-inspected under
2017–24–07.
Replace pitch feel simulator (PFS) units with
redesigned PFS units.
This action would terminate the currently required repetitive function tests.
Revise maintenance or inspection program, as
applicable, to require a
new airworthiness limitation—a daily operational check of the fuel
shutoff valve position
indication.
See AD No. 10 above.
TABLE 5—SSA CSL+1 COSTS SAVINGS BY AD—Continued
No.: 15b
AD No.: 2016–04–06
Effective date of AD: April 1, 2016
Airplane model: Certain Boeing 737–600, –700, –700C, –800, –900, and –900ER series airplanes.
PV AD cost ($2021): 28,776,535
Potential CSL+1 failure condition: Incorporation of this non-recurring action (required by Boeing Special Attention Service Bulletin 737–26A1137, Revision 1, dated August 13, 2009) is necessary to ensure that the Smoke Clearance Mode-Operational Test result of the recurring action is satisfactory.
Required AD actions: Concurrent non-recurring action: Install new relays and do wiring changes to the environmental control system
Total = $64,195,524
Sources: The Federal Register reference for each AD is noted in ‘‘Appendix Table 6’’ of the ‘‘Regulatory Evaluation’’ in the docket.
Note 1: Information in the ADs was in some cases supplemented and corrected by the FAA safety engineers assigned to the ADs or by the Systems Policy Branch
(AIR-630), Safety Risk Management Section (AIR–633).
Note 2: For non-recurring actions, we assume compliance times to be at, or close to, the midpoint of the compliance period specified in the AD (or associated service bulletin). For recurring actions, we assume compliance times to be at the end of a compliance period, or somewhat earlier. See ‘‘Appendix Table 6’’ in the ‘‘Regulatory Evaluation’’ for details on data assumptions and calculations.
6. Summary of Costs and Benefits of
Specific Risk Rule
In table 6 below, the FAA summarizes
the costs and benefits of the proposed
specific risk rule. As the table shows,
the proposed rule is cost-beneficial with
present value cost savings of $24.6
million far exceeding present value
costs of $15.8 million. Net cost savings
are $8.8 million in present value. A
similar analysis at a 3 percent discount
rate finds present value cost savings to
be $43.6 million, exceeding $31.7
million in present value costs, and
resulting in $11.9 million in net cost
savings.
TABLE 6—SUMMARY OF COST-BENEFIT ANALYSIS FOR SPECIFIC RISK RULE
[Present value $2021 millions]
Cost category                                  Part 25 large transports   Part 25 business jets   Part 25 airplanes
Non-Recurring Engineering Costs                $2.5                       $0.8                    $3.4
Hardware & Installation Costs per Airplane     0.0                        0.0                     0.0
Operating Costs per Airplane per Year          10.8                       1.7                     12.5
Total PV Costs                                 13.3                       2.5                     15.8
Cost Savings (Value of Avoided ADs)                                                               24.6
Net Cost Savings                                                                                  8.8
Note 1: Cost savings reflect assumption of 90 percent rule effectiveness.
Note 2: Numbers may not add to totals due to rounding. Present values are calculated using a discount rate of seven percent. Present values
using a three percent discount rate are provided in the Regulatory Impact Analysis available in the docket.
7. Section 25.1309: Equipment, Systems,
and Installations
In section I.A.5 above, the FAA
undertook the cost benefit analysis of
the proposed specific risk rule,
§ 25.1309(b)(5). This section discusses
the remaining paragraphs of § 25.1309.
a. Section 25.1309(a)
The proposed rule would revise
§ 25.1309(a) into two paragraphs.
Proposed § 25.1309(a)(1) would revise
the applicability of the § 25.1309(a)
requirement that equipment and
systems perform their functions as
intended. Proposed § 25.1309(a)(1)
clarifies that it applies to any equipment
or system installed in the airplane, and
whose improper functioning would
reduce safety, regardless of whether it is
required for type certification, operating
approval, or is optional equipment. As
this requirement merely harmonizes
with EASA’s corresponding
requirement, with which part 25
manufacturers are already in
compliance, there is no additional cost.
However, the requirement has the
minimal benefits of the reduced cost of
joint harmonization and, therefore,
would be cost beneficial.
Along with an associated change to
§ 25.1301, Function and Installation,
proposed § 25.1309(a)(2) would allow
equipment associated with passenger
amenities (e.g., entertainment displays
and audio systems) not to function as
intended as long as the failure of such
systems would not affect airplane safety.
No safety benefit is derived from
demonstrating that such equipment
performs as intended, if failing to
perform as intended would not affect
safety. Accordingly, this proposed
change would reduce the certification
cost of passenger amenities for airplane
manufacturers without affecting safety,
and, therefore, this proposed change
would be cost-beneficial.
b. Section 25.1309(b)(1), (2), and (3):
Average Risk and Fail Safe Criteria
The current rule requires airplane
systems and associated components be
designed so that any failure condition
that would prevent the continued safe
flight and landing of the airplane
(catastrophic failure condition) is
‘‘extremely improbable,’’ a condition
specified in current AC 25.1309–1A as
having a probability on the order of
≤10⁻⁹ per flight hour. However, as
recommended by the SDAHWG, the
proposed text of § 25.1309(b) would
explicitly require that single failures
must not result in catastrophic
failures—the ‘‘no single failure’’ fail-safe
requirement. As it harmonizes with the
equivalent EASA requirement and is
already current industry practice (see
the ‘‘Arsenal’’ version of AC 25.1309),
this proposed ‘‘no single failure’’
requirement would be cost beneficial as
it entails no additional cost but has
benefits from the reduced costs of joint
harmonization.56
The current rule requires any failure
condition that would reduce the
capability of the airplane or the ability
of the crew to cope with adverse
operating conditions to be ‘‘improbable’’
(on the order of 10⁻⁹ < p ≤ 10⁻⁵, where
p is probability), a condition specified
under current AC 25.1309–1A as
‘‘major.’’ Current practice, however, is
the ‘‘Arsenal’’ version of AC 25.1309,
under which the old ‘‘major’’ failure
condition has been divided into two
categories: ‘‘hazardous’’ (on the order of
10⁻⁹ < p ≤ 10⁻⁷) and ‘‘major’’ (on the
order of 10⁻⁷ < p ≤ 10⁻⁵). These
categories have been incorporated into
the proposed rule. As it harmonizes
with corresponding EASA major and
hazardous categories and is current
industry practice, this proposed rule
change would be cost beneficial as it
entails no additional costs but has
benefits from the reduced costs of joint
harmonization.
56 The no single failure requirement was
inadvertently removed in 1970 but remained
industry practice. At the same time, the no single
failure requirement was made explicit for flight
controls and, in 1977, was made explicit for
powerplants.
c. Section 25.1309(b)(4): Limit Latency
Criteria
Proposed § 25.1309(b)(4) specifies
criteria that would apply to any SLF.
The purpose of proposed § 25.1309(b)(4)
is to limit SLFs whenever practical so as
to limit conditions where the airplane is
one failure away from a hazardous or
catastrophic accident.
It is already industry practice to
eliminate SLFs when practical, as
required by proposed § 25.1309(b)(4)(i);
therefore, the proposal would entail no
additional cost. In any case, proposed
§ 25.1309(b)(4) is cost beneficial because
proposed paragraph (4)(i) is limited by
paragraph (4)(ii) and, further, under
§ 25.1309(b)(4)(iii), both paragraphs
(4)(i) and (b)(4)(ii) are not required
when impractical.
d. Section 25.1309(c): Flightcrew
Alerting
Section 25.1309(c) would continue to
require that the flightcrew be provided
with information concerning unsafe
system operating conditions. Section
25.1322 would continue to require that
alerting be provided. The only proposed
change in this rule is to remove the
conflict with § 25.1322, Flightcrew
Alerting. Accordingly, there is no cost
(or benefit) entailed by the proposed
rule change.
e. Section 25.1309(d) and H25.4:
Certification Maintenance Requirements
Proposed § 25.1309(d) would be a
new rule requiring that CMRs be
established, as necessary, to prevent
catastrophic and hazardous failure
conditions described in proposed
§ 25.1309(b). The proposed rule also
would require these CMRs to be
contained in the ALS of the ICA
required by § 25.1529. This latter
requirement is an industry
recommendation via the SE–172
Taskforce to CAST 57, and it addresses
the taskforce’s recognition that CMRs
are critical to safety and should be
treated similarly to other airworthiness
limitations.
Both of these proposed requirements
would codify industry practice and
would harmonize with EASA’s changes
to CS 25.1309 and H25.4, and so would
entail no additional costs. However, the
requirements would have the benefits of
reduced joint harmonization costs and,
therefore, would be cost beneficial.
8. Section 25.671: General Control
Systems
a. Section 25.671(a), (d), (e), and (f)
Since industry has been meeting the
proposed criteria in paragraphs (a), (e),
and (f) under special conditions since
the early 1980s, the FAA believes that
these proposed criteria are now met at
minimal cost. The modification to
§ 25.671(d) clarifies that controllability
includes the capability to flare to a
landing and controlled stop. The FAA
believes that if the airplane is
controllable, the manufacturer will be
able to meet the requirement for flare
and braking capability at minimal cost.
The FAA requests comments on these
findings.
b. Section 25.671(b): Minimize
Probability of Incorrect Assembly
Section 25.671(b) would be revised to
allow distinctive and permanent
marking to minimize the probability of
incorrect assembly only when design
means are impractical. This revision
was recommended by the FCHWG. It is
expert consensus that the physical
prevention of misassembly by design is
safer than reliance on marking, which
can be overlooked or ignored. Since
distinctive and permanent marking to
minimize the probability of incorrect
assembly is disallowed only when
design means are practical, the expected
gain in safety benefits from the reduced
probability of incorrect assembly would
be greater than the costs of the proposed
revision. The FAA requests comments
on its finding that this provision is cost-beneficial.
57 More information on CAST and the task force
findings is available in the docket and on the
internet at https://www.skybrary.aero/bookshelf/views/bookDetails.php?bookId=2553.
c. Section 25.671(c)
The FAA proposes to revise
§ 25.671(c). Current § 25.671(c)(1) and
(c)(2) would be removed, because the
applicability of § 25.1309 would be
clarified to be any equipment or system
as installed on the airplane, so it would
apply to flight control systems and
would accomplish the safety objective
of § 25.671(c)(1) and (c)(2). Proposed
25.671(c) differs from the current rule as
follows:
• Proposed § 25.671(c) addresses only
jams that are due to a physical
interference, for example, foreign or
loose object, system icing, corroded
bearings, etc. (Jams due to other reasons
are covered by § 25.1309.)
• Proposed § 25.671(c) does not allow
jams to be considered extremely
improbable, except those jams that
occur just before landing.
• Proposed § 25.671(c)(3) specifies
that, given a jam due to a physical
interference, the combined probability
is less than 1/1000 that any additional
failure conditions could prevent
continued safe flight and landing. As
the main intent of § 25.671(c)(3) is to
limit the probability of a latent failure
of any jam alleviation device (such as a
breakout device), § 25.671(c)(3) is
largely redundant to the proposed
§ 25.1309(b)(5) latent risk requirement.
• Proposed § 25.671(c) would no
longer address a runaway of a flight
control surface and subsequent jam as
such jams would be adequately
addressed by proposed § 25.1309.
As proposed § 25.671(c) has been
used by many manufacturers as an
ELOS, the FAA believes its use is
current practice. Accordingly, there are
no additional costs (or benefits) from
§ 25.671(c)(1). The FAA requests
comments on this conclusion.
9. Section 25.901: Installation Engines
Proposed § 25.901 would specify that
§ 25.1309 applies to powerplant
installations, as it does for all airplane
systems. Accordingly, the current
provision in § 25.901(c) prohibiting
catastrophic single failures or probable
combinations of failures would be
removed. Applicant requirements
would not change as a result of this
revised rule. The proposed revision
would harmonize § 25.901(c) with
EASA’s corresponding CS 25.901(c).
Accordingly, the proposed revision
would be cost-beneficial as it entails no
additional cost but has benefits from the
reduced costs of joint harmonization.
The FAA requests comments on this
conclusion.
10. Section 25.933: Reversing Systems
Proposed § 25.933(a)(1)(i) retains, as
an option, the ‘‘controllability’’ standard
of the current rule. Proposed
§ 25.933(a)(1)(ii) is an additional,
‘‘reliability,’’ option. The service history
of airplanes certified under the current
rule—most prominently, the Lauda Air
accident—demonstrates that the fail-safe
intent of the controllability requirement
had not been achieved.
The PPIHWG recommended adding
the reliability option, concluding that
applicants should be allowed to select
the most suitable option for their
particular type designs or failure
conditions addressed. This option is
especially valuable given its
improvement implied by the proposed
revision to § 25.1309.58 This proposed
change allows additional flexibility in
design development, thus reducing
costs by allowing manufacturers to
achieve the intended level of safety in
the most cost-effective manner. As this
proposed rule would be cost relieving,
it would be cost beneficial. The FAA
requests comments on this conclusion.
11. Section 25.302: Interaction of
Systems and Structures
Proposed § 25.302 would be a new
rule that would incorporate, with some
modifications, the criteria the LDHWG
recommended in December 2000, and
the FCHWG in September 2002. EASA
has already incorporated the criteria
developed by the LDHWG into CS
25.302 and appendix K of CS–25.
The proposed rule would specifically
address any system failure condition
considered under § 25.1309 that can
affect the structural performance of the
airplane. Systems affect structural
performance if they induce loads on the
airframe or if they change the response
of the airplane to inputs such as gusts
or pilot actions, either directly or as a
result of failure. Systems that affect
structural performance are flight control
computers, autopilots, stability
augmentation systems, load alleviations
systems, and fuel management systems.
The proposed rule would also apply to
hydraulic systems, electrical systems,
and mechanical systems.
U.S. part 25 manufacturers already
comply with EASA’s CS 25.302, which
went into effect in November 2004.
58 It should be noted that the controllability
option would still require compliance with
§ 25.1309. But when an applicant demonstrates
compliance using the controllability option, an
unwanted thrust reversal in flight will be classified
at worst as a ‘‘major’’ failure, thereby making
compliance with § 25.1309(b) much easier.
Accordingly, the costs of compliance
with the FAA’s proposed § 25.302
depends on the extent to which it
harmonizes with CS 25.302. If the
provisions of proposed § 25.302 are
identical with, less onerous than, or,
more generally, satisfied by, the
provisions of CS 25.302, then
compliance with CS 25.302 would also
mean compliance with proposed
§ 25.302. This harmonization means
U.S. part 25 manufacturers would incur
no incremental compliance costs. If the
provisions of proposed § 25.302 are
more onerous than, or, more generally,
not satisfied by, the provisions of CS
25.302, then manufacturers would incur
incremental compliance costs.
The FAA now assesses the benefits
and costs of proposed § 25.302 by
section:
a. Section 25.302(a): At the Time of
Failure Occurrence
For the assessment of the initial
failure condition, EASA’s CS 25.302
allows the safety factor to decline
linearly from 1.5 to 1.25 as the
probability of failure declines from 10⁻⁵
to 10⁻⁹ per flight hour but proposed
§ 25.302(a) keeps the factor at 1.5. The
FAA proposal, therefore, would be more
conservative in this regard, but, after
two decades of special conditions, this
more conservative factor is now easily
met by manufacturers. Therefore, the
cost effect would be minimal. As safety
would be higher compared to CS 25.302,
this proposed requirement would be
cost beneficial. The FAA requests
comments on this finding.
b. Section 25.302(b): Continuation of
Flight After Failure
CS 25.302 requires that loads be
determined for several CS–25 design
load conditions, whereas the FAA
proposal would require that loads be
determined for any design load
condition that would be affected. CS
25.302 requires a safety factor of 1.5 for
a failure condition with a failure rate
above 10⁻⁵, but which declines linearly
to 1.0 as probability declines from 10⁻⁵
to 10⁻⁹.
The FAA proposal specifies a safety
factor of 1.5 but would reduce the safety
factor to 1.0 if the failure condition is
annunciated, because the probability of
an extreme maneuver would be reduced
as the pilot would be aware that a
failure condition had occurred. The
FAA would reduce the safety factor to
1.25 if the failure condition is extremely
remote (probability of the order of
≤10⁻⁷ per flight hour). The probability
is very low that a design load condition
would occur subsequent to a system
failure on the same flight. The FAA
proposal, therefore, is less conservative
than the EASA requirement in requiring
lower safety factors, particularly for
annunciated failures; and most failures
that affect structures would be
annunciated.
The FAA proposal is more
conservative, however, in applying to
all load conditions specified in subpart
C, with the possible result of higher
engineering, hardware, and operating
compliance costs relative to EASA
requirements. Nevertheless, the FAA
believes that the safety benefits would
continue to outweigh the costs. The
FAA requests comments on this
conclusion.
c. Section 25.302(d)
This proposed rule would require the
residual strength evaluation be
conducted according to § 25.571—the
fatigue and damage tolerance rule—and
it, therefore, assesses the residual
strength load conditions in § 25.571,
rather than the load conditions listed in
CS 25.302. This proposed change would
result in little or no increase in
workload and, consequently, would
have minimal cost because
manufacturers already use the § 25.571
process and because the differences in
load conditions between the two
provisions are not significant. The FAA
requests comments on this finding.
d. Section 25.302(e): Dispatch
Requirements
CS 25.302 requires that anticipated
dispatch configurations be addressed by
meeting the strength and flutter aspects
of CS 25.302 taking into account the
probability of being in that
configuration. CS 25.302 includes:
‘‘Flight limitations and expected
operational limitations may be taken
into account in establishing . . . the
combined probability of being in the
dispatched failure condition and the
subsequent failure condition for the
safety margins . . . . ’’ 59 This means
that the applicant must combine the
probability of being in the dispatched
state with the probability of subsequent
failures to determine safety margins.
This analysis obviously involves a fair
amount of probability work. Moreover,
for the dispatched configuration, CS
25.302 would consider any failure
condition not shown to be extremely
improbable (on the order of ≤10⁻⁹ per
flight hour). Several applicants have
specifically objected to the CS dispatch
rule because of this latter requirement.
In contrast, the FAA proposal is
simpler, less onerous, and involves less
probability work. First, the proposal
does not include flutter criteria. Second,
the proposal assumes a probability of
one for the dispatched configuration,
and subsequent failures would be
considered only if they were single
failures or if they are not extremely
remote (of the order of ≤10⁻⁷ per flight
hour). The FAA believes that the
incremental cost of the simpler and less
onerous FAA proposal is so low that the
safety benefits of the proposal would
continue to outweigh the costs. The
FAA requests comments on this finding.
59 EASA CS–25, amendment 11, dated July 4,
2011.
B. Regulatory Flexibility Determination
The Regulatory Flexibility Act of 1980
(Pub. L. 96–354) (RFA) establishes ‘‘as a
principle of regulatory issuance that
agencies shall endeavor, consistent with
the objectives of the rule and of
applicable statutes, to fit regulatory and
informational requirements to the scale
of the businesses, organizations, and
governmental jurisdictions subject to
regulation. To achieve this principle,
agencies are required to solicit and
consider flexible regulatory proposals
and to explain the rationale for their
actions to assure that such proposals are
given serious consideration.’’ The RFA
covers a wide range of small entities,
including small businesses, not-for-profit organizations, and small
governmental jurisdictions. Agencies
must perform a review to determine
whether a rule will have a significant
economic impact on a substantial
number of small entities. If the agency
determines that it will, the agency must
prepare a regulatory flexibility analysis
as described in the RFA.
However, if an agency determines that
a rule is not expected to have a
significant economic impact on a
substantial number of small entities,
section 605(b) of the RFA provides that
the head of the agency may so certify,
and a regulatory flexibility analysis is
not required. The certification must
include a statement providing the
factual basis for this determination, and
the reasoning should be clear.
All U.S. manufacturers (applicants for
type certification) of large transports or
part 25 business jets are large companies
with more than 1,500 employees or are
subsidiaries of large companies so-defined and, therefore, are not classified
as small entities by the Small Business
Administration.60 Operators of part 25
airplanes will be directly affected by the
$1,102 annual incremental operating
cost (maintenance) per large transport
and the $147 annual incremental
operating cost per part 25 business jet.
These costs are minimal, especially
compared to the high annual operating
cost of part 25 airplanes.
60 The Small Business Administration criterion
for small aircraft manufacturers is 1,500 employees
or less.
If an agency determines that a
rulemaking will not result in a
significant economic impact on a
substantial number of small entities, the
head of the agency may so certify under
section 605(b) of the RFA. Therefore, as
provided in section 605(b), the head of
the FAA proposes that this proposed
rulemaking would not result in a
significant economic impact on a
substantial number of small entities.
The FAA requests comments on this
determination.
C. International Trade Impact
Assessment
The Trade Agreements Act of 1979
(Pub. L. 96–39), as amended by the
Uruguay Round Agreements Act (Pub.
L. 103–465), prohibits Federal agencies
from establishing standards or engaging
in related activities that create
unnecessary obstacles to the foreign
commerce of the United States.
Pursuant to these Acts, the
establishment of standards is not
considered an unnecessary obstacle to
the foreign commerce of the United
States, so long as the standard has a
legitimate domestic objective, such as
the protection of safety, and does not
operate in a manner that excludes
imports that meet this objective. The
statute also requires consideration of
international standards and, where
appropriate, that they be the basis for
U.S. standards.
The FAA has assessed the effect of
this proposed rule and determined that
its purpose is to ensure the safety of
U.S. civil aviation. Therefore, this
proposed rule is in compliance with the
Trade Agreements Act.
D. Unfunded Mandates Assessment
Title II of the Unfunded Mandates
Reform Act of 1995 (Pub. L. 104–4)
requires each Federal agency to prepare
a written statement assessing the effects
of any Federal mandate in a proposed or
final agency rule that may result in an
expenditure of $100 million or more (in
1995 dollars) in any one year by State,
local, and tribal governments, in the
aggregate, or by the private sector; such
a mandate is deemed to be a ‘‘significant
regulatory action.’’ The FAA currently
uses an inflation-adjusted value of
$155.0 million in lieu of $100 million.
This proposed rule does not contain
such a mandate; therefore, the
requirements of Title II of the Act do not
apply.
E. Paperwork Reduction Act
The Paperwork Reduction Act of 1995
(44 U.S.C. 3507(d)) requires that the
FAA consider the impact of paperwork
and other information collection
burdens imposed on the public. The
FAA has determined that there would
be no new requirement for information
collection associated with this proposed
rule.
F. International Compatibility and
Cooperation
In keeping with U.S. obligations
under the Convention on International
Civil Aviation, it is FAA policy to
conform to International Civil Aviation
Organization (ICAO) Standards and
Recommended Practices to the
maximum extent practicable. The FAA
has determined that there are no ICAO
Standards and Recommended Practices
that correspond to these proposed
regulations.
In January of 2020, EASA published
CS 25 amendment 24, which bore many
similarities to this proposal, including
added criteria for latent failures in CS
25.1309.
G. Environmental Analysis
FAA Order 1050.1F identifies FAA
actions that are categorically excluded
from preparation of an environmental
assessment or environmental impact
statement under the National
Environmental Policy Act in the
absence of extraordinary circumstances.
The FAA has determined this
rulemaking action qualifies for the
categorical exclusion identified in
paragraph 5–6.6 and involves no
extraordinary circumstances.
V. Executive Order Determinations
A. Executive Order 13132, Federalism
The FAA has analyzed this proposed
rule under the principles and criteria of
Executive Order 13132, ‘‘Federalism’’
(64 FR 43255, August 10, 1999). The
agency has determined that this action
would not have a substantial direct
effect on the States, or the relationship
between the Federal Government and
the States, or on the distribution of
power and responsibilities among the
various levels of government, and,
therefore, would not have federalism
implications.
B. Executive Order 13211, Regulations
That Significantly Affect Energy Supply,
Distribution, or Use
The FAA analyzed this proposed rule
under Executive Order 13211, ‘‘Actions
Concerning Regulations that
Significantly Affect Energy Supply,
Distribution, or Use’’ (66 FR 28355, May
18, 2001). The agency has determined
that it would not be a ‘‘significant
energy action’’ under the Executive
order and would not be likely to have
a significant adverse effect on the
supply, distribution, or use of energy.
C. Executive Order 13609, International
Cooperation
Executive Order 13609, ‘‘Promoting
International Regulatory Cooperation,’’
(77 FR 26413, May 4, 2012) promotes
international regulatory cooperation to
meet shared challenges involving
health, safety, labor, security,
environmental, and other issues and to
reduce, eliminate, or prevent
unnecessary differences in regulatory
requirements. The FAA has analyzed
this action under the policies and
agency responsibilities of Executive
Order 13609 and has determined that
this action would have no effect on
international regulatory cooperation.
VI. Additional Information
A. Comments Invited
The FAA invites interested persons to
participate in this rulemaking by
submitting written comments, data, or
views. The agency also invites
comments relating to the economic,
environmental, energy, or federalism
impacts that might result from adopting
the proposals in this document. The
most helpful comments reference a
specific portion of the proposal, explain
the reason for any recommended
change, and include supporting data. To
ensure the docket does not contain
duplicate comments, commenters
should send only one copy of written
comments, or if comments are filed
electronically, commenters should
submit only one time.
Except for Confidential Business
Information (CBI) as described in the
following paragraph, and other
information as described in 14 CFR
11.35, the FAA will file in the docket all
comments it receives, as well as a report
summarizing each substantive public
contact with FAA personnel concerning
this proposed rulemaking. Before acting
on this proposal, the FAA will consider
all comments it receives on or before the
closing date for comments. The FAA
will consider comments filed after the
comment period has closed if it is
possible to do so without incurring
expense or delay. The agency may
change this proposal in light of the
comments it receives.
Confidential Business Information:
Confidential Business Information (CBI)
is commercial or financial information
that is both customarily and actually
treated as private by its owner. Under
the Freedom of Information Act (FOIA)
(5 U.S.C. 552), CBI is exempt from
public disclosure. If your comments
responsive to this NPRM contain
commercial or financial information
that is customarily treated as private,
that you actually treat as private, and
that is relevant or responsive to this
NPRM, it is important that you clearly
designate the submitted comments as
CBI. Please mark each page of your
submission containing CBI as
"PROPIN." The FAA will treat such
marked submissions as confidential
under the FOIA, and they will not be
placed in the public docket of this
NPRM. Submissions containing CBI
should be sent to Suzanne Masterson,
Strategic Policy Transport Section, AIR–614,
Strategic Policy Management
Branch, Policy and Innovation Division,
Aircraft Certification Service, Federal
Aviation Administration, 2200 South
216th Street, Des Moines, WA 98198;
email Suzanne.Masterson@faa.gov. Any
commentary that the FAA receives
which is not specifically designated as
CBI will be placed in the public docket
for this rulemaking.
B. Availability of Rulemaking
Documents
An electronic copy of rulemaking
documents may be obtained from the
internet by—
1. Searching the Federal eRulemaking
Portal at www.regulations.gov;
2. Visiting the FAA’s Regulations and
Policies web page at
www.faa.gov/regulations_policies; or
3. Accessing the Government Printing
Office’s web page at www.GovInfo.gov.
Copies may also be obtained by
sending a request to the Federal
Aviation Administration, Office of
Rulemaking, ARM–1, 800 Independence
Avenue SW, Washington, DC 20591, or
by calling (202) 267–9680. Commenters
must identify the docket or notice
number of this rulemaking.
All documents the FAA considered in
developing this proposed rule,
including economic analyses and
technical reports, may be accessed from
the internet through the Federal
eRulemaking Portal referenced in item
(1) above.
List of Subjects in 14 CFR Part 25
Aircraft, Aviation safety, Reporting
and recordkeeping requirements.
The Proposed Amendment
In consideration of the foregoing, the
Federal Aviation Administration
proposes to amend chapter I of title 14,
Code of Federal Regulations as follows:
PART 25—AIRWORTHINESS
STANDARDS: TRANSPORT
CATEGORY AIRPLANES
■ 1. The authority citation for part 25
continues to read as follows:
Authority: 49 U.S.C. 106(f), 106(g), 40113,
44701, 44702 and 44704.
■ 2. Add § 25.4 to read as follows:
§ 25.4 Definitions.
(a) For the purposes of this part, the
following general definitions apply:
(1) Certification maintenance
requirement means a required
scheduled maintenance task established
during the design certification of the
airplane systems as an airworthiness
limitation of the type certificate or
supplemental type certificate.
(2) Significant latent failure is a latent
failure that, in combination with one or
more specific failures or events, would
result in a hazardous or catastrophic
failure condition.
(b) For purposes of this part, the
following failure conditions, in order of
increasing severity, apply:
(1) Major failure condition means a
failure condition that would reduce the
capability of the airplane or the ability
of the flightcrew to cope with adverse
operating conditions, to the extent that
there would be—
(i) A significant reduction in safety
margins or functional capabilities,
(ii) A significant increase in
flightcrew workload or in conditions
impairing the efficiency of the
flightcrew,
(iii) Physical distress to passengers or
flight attendants, possibly including
injuries, or
(iv) An effect of similar severity.
(2) Hazardous failure condition
means a failure condition that would
reduce the capability of the airplane or
the ability of the flightcrew to cope with
adverse operating conditions, to the
extent that there would be—
(i) A large reduction in safety margins
or functional capabilities,
(ii) Physical distress or excessive
workload such that the flightcrew
cannot be relied upon to perform their
tasks accurately or completely, or
(iii) Serious or fatal injuries to a
relatively small number of persons other
than the flightcrew.
(3) Catastrophic failure condition
means a failure condition that would
result in multiple fatalities, usually with
the loss of the airplane.
(c) For purposes of this part, the
following failure conditions in order of
decreasing probability apply:
(1) Probable failure condition means a
failure condition that is anticipated to
occur one or more times during the
entire operational life of each airplane
of a given type.
(2) Remote failure condition means a
failure condition that is not anticipated
to occur to each airplane of a given type
during its entire operational life, but
which may occur several times during
the total operational life of all airplanes
of a given type.
(3) Extremely remote failure condition
means a failure condition that is not
anticipated to occur to each airplane of
a given type during its entire
operational life, but which may occur a
few times during the total operational
life of all airplanes of a given type.
(4) Extremely improbable failure
condition means a failure condition that
is not anticipated to occur during the
total operational life of all airplanes of
a given type.
■ 3. Add § 25.302 to subpart C to read
as follows:
§ 25.302 Interaction of systems and
structures.
This section applies to systems that
affect the structural performance of the
airplane. The applicant must include
the effects of systems when conducting
the analyses and tests necessary to show
compliance with subparts C and D of
this part. For any system failure
condition that either results from a
single failure or is not extremely
improbable, paragraphs (a) through (e)
of this section apply. This section does
not apply to the flight control jam
conditions prescribed in § 25.671(c) or
the discrete source events prescribed in
§ 25.571(e).
(a) Loads occurring at the time of
failure and immediately after failure.
The airplane must be able to withstand
the loads occurring at the time of failure
and immediately after failure. The
applicant must determine these loads at
speeds up to VC/MC, starting from 1-g
level flight conditions, and assuming
realistic scenarios, including pilot
corrective actions. These are limit loads,
and the applicant must apply a safety
factor of 1.5 to determine ultimate loads.
(b) Limit flight and ground loads
following the system failure. In the
system-failed state, the airplane must be
able to withstand the limit flight and
ground loads specified in subpart C of
this part at speeds up to VC/MC or the
speed limitation specified for the
remainder of the flight. The applicant
must apply a safety factor of 1.5 to
determine ultimate loads, except as
provided in paragraphs (b)(1) or (2) of
this section.
(1) If the failure would be
immediately annunciated or otherwise
obvious to the flightcrew, then the
applicant may use a safety factor of 1.0.
The applicant may also take into
account any resulting configuration
changes or operating limitations
specified in the Airplane Flight Manual.
(2) If the failure would not be
immediately annunciated or otherwise
obvious to the flightcrew, but the failure
condition is extremely remote, then the
applicant may use a safety factor of 1.25.
(c) Damage tolerance evaluation.
When conducting the damage tolerance
evaluation required by § 25.571, the
applicant must take into account the
fatigue loads induced by any failure
condition. These fatigue loads must be
included as part of the typical loading
spectra at a rate commensurate with the
probability of their occurrence.
(d) Residual strength loads. For any
probable failure condition that would
affect the residual strength loads
prescribed in § 25.571(b), the applicant
must conduct a residual strength
evaluation as prescribed in that
paragraph under the assumption that
the failure condition has occurred. The
applicant must calculate these residual
strength loads using at least two-thirds
of the applicable safety factor specified
in paragraph (b) of this section.
(e) Master Minimum Equipment List.
If the applicant submits for approval a
Master Minimum Equipment List that
allows dispatch in a system-failed state
that can affect structural performance,
the following requirements apply:
(1) In the dispatched configuration,
the airplane must meet the design load
requirements of subpart C of this part,
assuming any operating limitations,
including configuration changes, that
apply to the dispatched airplane; and
(2) In the dispatched configuration,
the airplane must meet the requirements
of paragraphs (a) and (b) of this section,
taking into account any subsequent
single failure, and separately, any
combination of failures that are not
extremely remote.
■ 4. Amend § 25.629 by revising the
introductory text of paragraphs (b) and
(d), redesignating paragraph (d)(10) as
paragraph (d)(11), and adding paragraph
(d)(10) to read as follows:
§ 25.629 Aeroelastic stability
requirements.
* * * * *
(b) Aeroelastic stability envelopes.
The airplane must be free from
aeroelastic instability within the
aeroelastic stability envelopes described
in this paragraph for all configurations
and design conditions, and for the load
factors specified in § 25.333.
* * * * *
(d) Failures, malfunctions, and
adverse conditions. The failures,
malfunctions, and adverse conditions
that must be considered in showing
compliance with this section are:
* * * * *
(10) Each of the following failure
combinations:
(i) Any dual hydraulic system failure.
(ii) Any dual electrical system failure.
(iii) Any single failure in combination
with any probable hydraulic or
electrical failure.
* * * * *
■ 5. Revise § 25.671 to read as follows:
§ 25.671 General.
(a) Each flight control and flight
control system must operate with the
ease, smoothness, and positiveness
appropriate to its function. The flight
control system must continue to operate
and respond appropriately to
commands, and must not hinder
airplane recovery, when the airplane is
experiencing any pitch, roll, or yaw rate,
or vertical load factor that could occur
due to operating or environmental
conditions, or when the airplane is in
any attitude.
(b) Each element of each flight control
system must be designed, or
distinctively and permanently marked,
to minimize the probability of incorrect
assembly that could result in failure of
the system to perform its intended
function. The applicant may use
distinctive and permanent marking only
where design means are impractical.
(c) The applicant must show by
analysis, test, or both that the airplane
is capable of continued safe flight and
landing after any failure or event that
results in a jam of a flight control
surface or pilot control due to a physical
interference.
(1) The applicant must assume the
jam evaluated under this paragraph
occurs at any normally encountered
position of the flight control surface or
pilot control.
(2) The applicant must assume the
jam evaluated under this paragraph
occurs anywhere within the normal
flight envelope, except that the
applicant need not account for flight
control jams that occur immediately
before touchdown if the applicant
shows that such jams are extremely
improbable.
(3) In the presence of a jam evaluated
under this paragraph, any additional
failure conditions that could prevent
continued safe flight and landing must
have a combined probability of less than
1/1000.
(d) If all engines fail at any point in
the flight, the airplane must be
controllable, and an approach and flare
to a landing and controlled stop must be
possible without requiring exceptional
piloting skill or strength. The applicant
may show compliance with this
requirement by analysis where the
applicant has shown that analysis to be
reliable.
(e) The flight control system must
indicate to the flightcrew whenever the
primary control means is near the limit
of control authority.
(f) If the flight control system has
multiple modes of operation, the system
must alert the flightcrew whenever the
airplane enters any mode that
significantly changes or degrades the
normal handling or operational
characteristics of the airplane.
■ 6. Amend § 25.901 by revising
paragraph (c) to read as follows:
§ 25.901 Installation.
* * * * *
(c) For each powerplant and auxiliary
power unit installation, the applicant
must comply with the requirements of
§ 25.1309, except that the effects of the
following failures need not comply with
§ 25.1309(b)—
(1) Engine case burn-through or
rupture,
(2) Uncontained engine rotor failure,
and
(3) Propeller debris release.
* * * * *
■ 7. Amend § 25.933 by revising
paragraph (a)(1) to read as follows:
§ 25.933 Reversing systems.
(a) * * *
(1) For each system intended for
ground operation only, the applicant
must show—
(i) The airplane is capable of
continued safe flight and landing during
and after any thrust reversal in flight; or
(ii) The system complies with
§ 25.1309(b).
* * * * *
■ 8. Revise § 25.1301 to read as follows:
§ 25.1301 Function and installation.
Each item of installed equipment
must—
(a) Be of a kind and design
appropriate to its intended function;
(b) Be labeled as to its identification,
function, or operating limitations, or
any applicable combination of these
factors; and
(c) Be installed according to
limitations specified for that equipment.
■ 9. Revise § 25.1309 to read as follows:
§ 25.1309 Equipment, systems, and
installations.
Except as provided in paragraphs (e)
and (f) of this section, this section
applies to any equipment or system as
installed on the airplane. The applicant
need not account for this section when
showing compliance with the
performance and flight characteristic
requirements of subpart B of this part
and the structural requirements of
subparts C and D of this part, except
that this section applies to any system
on which compliance with any of those
requirements is dependent.
(a) The airplane’s equipment and
systems, as installed, must meet the
following requirements:
(1) The equipment and systems
required for type certification or by
operating rules, or whose improper
functioning would reduce safety, must
perform as intended under the airplane
operating and environmental
conditions; and
(2) Other equipment and systems
functioning normally or abnormally
must not adversely affect the safety of
the airplane or its occupants, or the
proper functioning of the equipment
and systems addressed by paragraph
(a)(1) of this section.
(b) Each of the airplane’s systems and
associated components, as installed, and
evaluated both separately and in
relation to other systems, must meet all
of the following requirements:
(1) Each catastrophic failure
condition—
(i) Must be extremely improbable; and
(ii) Must not result from a single
failure.
(2) Each hazardous failure condition
must be extremely remote.
(3) Each major failure condition must
be remote.
(4) Each significant latent failure must
be eliminated except—
(i) If the Administrator finds it would
be impractical for the applicant to
comply with paragraph (b)(4) of this
section, the product of the maximum
time the failure is expected to be present
and its average failure rate must not
exceed 1/1000; or
(ii) If the Administrator finds it would
be impractical for the applicant to
comply with paragraph (b)(4)(i) of this
section, the applicant must minimize
the time the failure is expected to be
present.
(5) For each catastrophic failure
condition that results from two failures,
either of which could be latent for more
than one flight, the applicant must show
that—
(i) It is impractical to provide
additional fault tolerance;
(ii) Given the occurrence of any single
latent failure, the probability of the
catastrophic failure condition occurring
due to all subsequent single failures is
remote; and
(iii) The product of the maximum
time the latent failure is expected to be
present and its average failure rate does
not exceed 1/1000.
(c) The applicant must provide
information concerning unsafe system
operating conditions in order to enable
the flightcrew to take corrective action.
The applicant must show that the
design of systems and controls,
including indications and
annunciations, minimizes crew errors
that could create additional hazards.
(d) The applicant must establish
certification maintenance requirements
to prevent development of the failure
conditions described in paragraph (b) of
this section. These requirements must
be included in the Airworthiness
Limitations section of the Instructions
for Continued Airworthiness required
by § 25.1529.
(e) Section 25.1309(b)(1)(ii) does not
apply to the flight control jam
conditions addressed by § 25.671(c).
(f) Section 25.1309(b) does not apply
to—
(1) Single failures in the brake system
addressed by § 25.735(b)(1);
(2) Failure effects addressed by
§§ 25.810(a)(1)(v) and 25.812;
(3) Uncontained engine rotor failure,
engine case rupture, or engine case
burn-through failures addressed by
§§ 25.903(d)(1) and 25.1193 and part 33
of this chapter; and
(4) Propeller debris release failures
addressed by § 25.905(d) and part 35 of
this chapter.
■ 10. Amend § 25.1365 by revising
paragraph (a) to read as follows:
§ 25.1365 Electrical appliances, motors,
and transformers.
(a) An applicant must show that, in
the event of a failure of the electrical
supply or control system, the design and
installation of domestic appliances meet
the requirements of § 25.1309(b) and (c).
Domestic appliances are items such as
cooktops, ovens, coffee makers, water
heaters, refrigerators, and toilet flush
systems that are placed on the airplane
to provide service amenities to
passengers.
* * * * *
■ 11. In appendix H to part 25, under
the heading H25.4, add paragraph (a)(6)
to read as follows:
Appendix H to Part 25—Instructions for
Continued Airworthiness
* * * * *
H25.4 Airworthiness Limitations Section
(a) * * *
(6) Each certification maintenance
requirement established to comply with any
of the applicable provisions of part 25.
* * * * *
Issued in Washington, DC, on November
30, 2022.
Lirio Liu,
Executive Director, Aircraft Certification
Service.
[FR Doc. 2022–26369 Filed 12–7–22; 8:45 am]
[Federal Register Volume 87, Number 235 (Thursday, December 8, 2022)]
[Proposed Rules]
[Pages 75424-75454]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-26369]
Part IV
Department of Transportation
-----------------------------------------------------------------------
Federal Aviation Administration
-----------------------------------------------------------------------
14 CFR Part 25
System Safety Assessments; Proposed Rule
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Part 25
[Docket No.: FAA-2022-1544; Notice No. 23-04]
RIN 2120-AJ99
System Safety Assessments
AGENCY: Federal Aviation Administration (FAA), Department of
Transportation (DOT).
ACTION: Notice of proposed rulemaking (NPRM).
-----------------------------------------------------------------------
SUMMARY: The FAA proposes to amend certain airworthiness regulations to
standardize the criteria for conducting safety assessments for systems,
including flight controls and powerplants, installed on transport
category airplanes. With this action, the FAA seeks to reduce risk
associated with airplane accidents and incidents that have occurred in
service, and reduce risk associated with new technology in flight
control systems. The intended effect of this proposed action is to
improve aviation safety by making system safety assessment (SSA)
certification requirements more comprehensive and consistent.
DATES: Send comments on or before March 8, 2023.
ADDRESSES: Send comments identified by docket number FAA-2022-1544
using any of the following methods:
Federal eRulemaking Portal: Go to https://www.regulations.gov and follow the online instructions for sending your
comments electronically.
Mail: Send comments to Docket Operations, M-30; U.S.
Department of Transportation (DOT), 1200 New Jersey Avenue SE, Room
W12-140, West Building Ground Floor, Washington, DC 20590-0001.
Hand Delivery or Courier: Take comments to Docket
Operations in Room W12-140 of the West Building Ground Floor at 1200
New Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday
through Friday, except Federal holidays.
Fax: Fax comments to Docket Operations at (202) 493-2251.
Privacy: In accordance with 5 U.S.C. 553(c), DOT solicits comments
from the public to better inform its rulemaking process. DOT posts
these comments, without edit, including any personal information the
commenter provides, to www.regulations.gov, as described in the system
of records notice (DOT/ALL-14 FDMS), which you can review at https://www.dot.gov/privacy.
Docket: Background documents or comments received may be read at
https://www.regulations.gov at any time. Follow the online instructions
for accessing the docket or go to the Docket Operations in Room W12-140
of the West Building Ground Floor at 1200 New Jersey Avenue SE,
Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday,
except Federal holidays.
FOR FURTHER INFORMATION CONTACT: Suzanne Masterson, Strategic Policy
Transport Section, AIR-614, Strategic Policy Management Branch, Policy
and Innovation Division, Aircraft Certification Service, Federal
Aviation Administration, 2200 South 216th Street, Des Moines, WA 98198;
telephone and fax (206) 231-3211; email Suzanne.Masterson@faa.gov.
SUPPLEMENTARY INFORMATION:
Authority for This Rulemaking
The FAA's authority to issue rules on aviation safety is found in
Title 49 of the United States Code. Subtitle I, Section 106 describes
the authority of the FAA Administrator. Subtitle VII, Aviation
Programs, describes in more detail the scope of the agency's authority.
This rulemaking is promulgated under the authority described in
Subtitle VII, Part A, Subpart III, Section 44701, ``General
Requirements.'' Under that section, the FAA is charged with promoting
safe flight of civil aircraft in air commerce by prescribing
regulations and minimum standards for the design and performance of
aircraft that the Administrator finds necessary for safety in air
commerce. This regulation is within the scope of that authority. It
prescribes new safety standards for the design and operation of
transport category airplanes.
Acronyms and Frequently Used Terms
Table 1--Acronyms Frequently Used in This Preamble
------------------------------------------------------------------------
Acronym Definition
------------------------------------------------------------------------
AC........................... Advisory Circular.
AD........................... Airworthiness Directive.
AFM.......................... Airplane Flight Manual.
ALS.......................... Airworthiness Limitations section.
ARAC......................... Aviation Rulemaking Advisory Committee.
ASAWG........................ Airplane-Level Safety Analysis
Working Group.
CAST......................... Commercial Aviation Safety Team.
CMR.......................... Certification Maintenance Requirement.
CS-25........................ Certification Specifications for Large
Aeroplanes (issued by EASA).
CSL+1........................ Catastrophic Single Latent Failure Plus
One (a failure condition).
EASA......................... European Union Aviation Safety Agency.
ELOS......................... Equivalent Level of Safety.
EWIS......................... Electrical Wiring Interconnection System.
FCHWG........................ Flight Controls Harmonization Working
Group.
ICA.......................... Instructions for Continued Airworthiness.
LDHWG........................ Loads and Dynamics Harmonization Working
Group.
NTSB......................... National Transportation Safety Board.
PPIHWG....................... Powerplant Installation Harmonization
Working Group.
SDAHWG....................... System Design and Analysis Harmonization
Working Group.
SLF.......................... Significant Latent Failure.
SSA.......................... System Safety Assessment.
------------------------------------------------------------------------
Table 2--Terms Used in This Notice of Proposed Rulemaking
----------------------------------------------------------------------------------------------------------------
Term Definition
----------------------------------------------------------------------------------------------------------------
General
----------------------------------------------------------------------------------------------------------------
Certification maintenance requirement A required scheduled maintenance task established during the design
(CMR) *. certification of the airplane systems as an airworthiness limitation
of the type certificate or supplemental type certificate.
Error.................................. An omission or incorrect action by a crewmember or maintenance
personnel, or a mistake in requirements, design, or implementation.
Event.................................. An occurrence that has its origin distinct from the airplane, such as
atmospheric conditions (e.g., gusts, temperature variations, icing,
and lightning strikes); runway conditions; conditions of
communication, navigation, and surveillance services;
bird-strike; cabin and baggage fires (not initiated by features
installed on the airplane). The term does not cover sabotage or other
similar intentional acts.
Failure................................ An occurrence that affects the operation of a component, part, or
element such that it no longer functions as intended. This includes
both loss of function and malfunction.
Note: Errors and events may cause failures or influence their effects
but are not considered to be failures.
Failure condition...................... A condition, caused or contributed to by one or more failures or
errors, that has either a direct or consequential effect on the
airplane, its occupants, or other persons, accounting for--
Flight phase,
Relevant adverse operational or environmental conditions,
and
External events.
Latent failure......................... A failure that is not apparent to the flightcrew or maintenance
personnel.
Single failure......................... Any occurrence, or set of occurrences, that cannot be shown to be
independent from each other (e.g., failures due to a common cause),
that affect the operation of components, parts, or elements such that
they no longer function as intended. (See definition of ``Failure.'')
Structural performance................. The capability of the airplane to meet the structural requirements of
14 CFR part 25.
----------------------------------------------------------------------------------------------------------------
Failure conditions in order of increasing severity
----------------------------------------------------------------------------------------------------------------
Minor failure condition................ A failure condition that would not significantly reduce airplane safety
and would only require flightcrew actions that are well within their
capabilities. Minor failure conditions may result in--
A slight reduction in safety margins or functional
capabilities,
A slight increase in flightcrew workload, such as routine
flight plan changes,
Some physical discomfort to passengers or flight
attendants, or
An effect of similar severity.
Major failure condition *.............. A failure condition that would reduce the capability of the airplane or
the ability of the flightcrew to cope with adverse operating
conditions, to the extent that there would be--
A significant reduction in safety margins or functional
capabilities,
A significant increase in flightcrew workload or in
conditions impairing the efficiency of the flightcrew,
Physical distress to passengers or flight attendants,
possibly including injuries, or
An effect of similar severity.
Hazardous failure condition *.......... A failure condition that would reduce the capability of the airplane or
the ability of the flightcrew to cope with adverse operating
conditions, to the extent that there would be--
A large reduction in safety margins or functional
capabilities,
Physical distress or excessive workload such that the
flightcrew cannot be relied upon to perform their tasks accurately
or completely, or
Serious or fatal injuries to a relatively small number of
persons other than the flightcrew.
Note: For the purpose of performing a safety assessment, a ``small
number'' of fatal injuries means one such injury.
Catastrophic failure condition *....... A failure condition that would result in multiple fatalities, usually
with the loss of the airplane.
----------------------------------------------------------------------------------------------------------------
Terms related to latent failures
----------------------------------------------------------------------------------------------------------------
Significant latent failure *........... A latent failure that, in combination with one or more specific
failures or events, would result in a hazardous or catastrophic
failure condition.
Catastrophic single latent failure plus A catastrophic failure condition that results from a combination of two
one (CSL+1). failures, either of which could be latent for more than one flight.
----------------------------------------------------------------------------------------------------------------
Failure conditions in order of decreasing probability
----------------------------------------------------------------------------------------------------------------
Probable failure condition *........... A failure condition that is anticipated to occur one or more times
during the entire operational life of each airplane of a given type.
Remote failure condition *............. A failure condition that is not anticipated to occur to each airplane
of a given type during its entire operational life, but which may
occur several times during the total operational life of a number of
airplanes of a given type.
Extremely remote failure condition *... A failure condition that is not anticipated to occur to each airplane
of a given type during its entire operational life, but which may
occur a few times during the total operational life of all airplanes
of a given type.
Extremely improbable failure condition* A failure condition that is not anticipated to occur during the total
operational life of all airplanes of a given type.
----------------------------------------------------------------------------------------------------------------
* These terms are also defined in proposed new Sec. 25.4 Definitions.
Contents
I. Overview of Proposed Rule
II. Background
A. Statement of the Problem
B. Related Actions
1. Aviation Rulemaking Advisory Committee (ARAC) Recommendations
2. FAA Review of Service Difficulty Reports
3. Commercial Aviation Safety Team Task Force Study Regarding
Gaps in Maintenance Process
4. Equivalent Level of Safety Findings and Special Conditions
5. Harmonization with European Union Aviation Safety Agency
(EASA) Certification Standards
6. Aircraft Certification, Safety, and Accountability Act
C. NTSB Recommendations
III. Discussion of the Proposed Rule
A. Consistent Safety Assessment Criteria for Airplane Systems
1. Average Risk Criteria (Sec. 25.1309(b)(1), (2), and (3))
2. Latent Failures in System Designs
B. Consistent Application and Interpretation of Requirements for
Equipment, Systems, and Installations
1. Applicability of Sec. 25.1309
2. Exceptions From Applicability of Sec. 25.1309
3. Flightcrew Alerting and Errors
C. Interaction of Systems and Structures (New Sec. 25.302)
1. Applicability of New Sec. 25.302
2. Normal Operation
3. Failure Condition Effect on Structural Performance
4. Dispatch in a System Failed State
5. Differences Between Proposed Sec. 25.302 and EASA CS 25.302
D. Turbojet Thrust Reversing Systems
E. Flight Control Systems Safety Assessment Criteria
1. Changes to Sec. 25.671(c) Failure Criteria
2. Other Changes to Sec. 25.671
F. Certification Maintenance Requirements
G. Miscellaneous Amendments
1. Method of Compliance With Sec. 25.1309(b)
2. Failure Examples Related to Flutter
3. Other Changes to Sec. 25.629
4. EWIS Requirements
5. Removal of Redundant Requirements
H. Petitions for Rulemaking
I. Advisory Material
IV. Regulatory Notices and Analyses
A. Regulatory Evaluation
1. Costs and Benefits of this Proposed Rule
2. Who is potentially affected by this Proposed Rule?
3. Assumptions and Sources of Information
4. Costs of the Proposed Specific Risk Rule
5. Benefits of the Proposed Specific Risk Rule
6. Summary of Costs and Benefits of Specific Risk Rule
7. Section 25.1309: Equipment, Systems, and Installations
8. Section 25.671: General Control Systems
9. Section 25.901: Installation Engines
10. Section 25.933: Reversing Systems
11. Section 25.302: Interaction of Systems and Structures
B. Regulatory Flexibility Determination
C. International Trade Impact Assessment
D. Unfunded Mandates Assessment
E. Paperwork Reduction Act
F. International Compatibility and Cooperation
G. Environmental Analysis
V. Executive Order Determinations
A. Executive Order 13132, Federalism
B. Executive Order 13211, Regulations That Significantly Affect
Energy Supply, Distribution, or Use
C. Executive Order 13609, International Cooperation
VI. Additional Information
A. Comments Invited
B. Availability of Rulemaking Documents
I. Overview of Proposed Rule
The FAA proposes to revise regulations in title 14, Code of Federal
Regulations (14 CFR) part 25 (Airworthiness Standards: Transport
Category Airplanes) related to the safety assessment \1\ of airplane
systems. The proposed changes to part 25 would affect applicants for
type certification and operators of transport category airplanes.
Applicants for type certification would be required to conduct their
SSAs in accordance with the revised regulations. Proposed changes to
the ICA would affect operators of newly certified airplanes, although
the impact on those operators would not be significant.
---------------------------------------------------------------------------
\1\ A system safety assessment is a structured process intended
to systematically identify the risks pertinent to the design of
aircraft systems, and to show that the systems meet safety
requirements.
---------------------------------------------------------------------------
The FAA proposes revised and new safety standards to reduce the
likelihood of potentially catastrophic risks due to latent failures in
critical systems. The standards would require the elimination of such
risks as far as practical. When it is not practical to eliminate such a
risk, the standards would require the reduction and management of any
remaining risk. The proposed standards would also improve the
likelihood that operators discover latent failures and address them
before they become an unsafe condition, rather than discovering them
after they occur and the FAA addressing them with airworthiness
directives (ADs).
Because modern aircraft systems (for example, avionics and fly-by-
wire systems) are much more integrated than they were when the current
safety criteria in Sec. 25.1309 and other system safety assessment
rules were established in 1970,\2\ the new standards proposed in this
rule would be consistent for all systems of the airplane, reducing the
chance of a hazard falling into a gap between the different regulatory
requirements for different systems.
---------------------------------------------------------------------------
\2\ 35 FR 5665 (Apr. 8, 1970).
---------------------------------------------------------------------------
Consistent criteria for conducting SSAs would also provide
predictability for applicants by reducing the number of issue papers
and special conditions necessary for airplane certification
projects.\3\
---------------------------------------------------------------------------
\3\ Special conditions are rules of particular applicability
that the FAA issues to address novel or unusual design features. See
14 CFR 21.16, and section 2-4(j)(3) of FAA Order 8110.4C, Type
Certification. The latter is available at drs.faa.gov, and as noted
therein, the FAA uses the issue paper process to develop the terms
of these special conditions. See FAA Order 8110.112A, Standardized
Procedures for Usage of Issue Papers and Development of Equivalent
Levels of Safety Memorandums, and Advisory Circular 20-166A, Issue
Paper Process, available at drs.faa.gov.
---------------------------------------------------------------------------
Specifically, the proposed rule would--
• Require that applicants limit the likelihood of a
catastrophic failure condition that results from a combination of two
failures, either of which could be latent. In this proposal, the FAA
refers to this particular failure condition as a Catastrophic Single
Latent Failure Plus One (CSL+1) because it consists of the catastrophic
condition that results from a single latent failure plus one additional
failure. See proposed Sec. 25.1309(b)(5).
• Revise safety assessment regulations to eliminate
ambiguity in, and provide consistency between, the safety assessments
that applicants must conduct for different types of airplane systems.
Section 25.1309 would continue to contain the safety assessment
criteria applicable to most airplane systems. Sections 25.671(c)
(flight control systems) and 25.901(c) (powerplant installations) would
be amended to remove general system safety criteria. Instead, the
systems covered in these sections would be required to comply with
Sec. 25.1309 (system safety criteria). Section 25.933(a) (thrust
reversing systems) would allow compliance with Sec. 25.1309 as an
option. Sections 25.671, 25.901, and 25.933 would continue to contain
criteria for safety assessments specific to flight control systems,
powerplant installations, and thrust reversing systems, respectively.
• Require applicants to assess and account for any effect
that the failure of a system could have on the structural performance
of the airplane. See proposed Sec. 25.302.
• Define the different types of failure of flight control
systems, including jams, and define the criteria for safety assessment
of those types of failures. See proposed Sec. 25.671.
• Require applicants to include, in the Airworthiness
Limitations Section (ALS) of the airplane's Instructions for Continued
Airworthiness (ICA), necessary maintenance tasks that
applicants identify during their SSAs. See proposed Sec. 25.1309(d).
• Remove the ``function properly when installed'' criterion
in Sec. 25.1301(a)(4) for installed equipment whose function is not
needed for safe operation of the airplane.
II. Background
A. Statement of the Problem
This proposed action is necessary because airplane accidents,
incidents, and service difficulties have occurred as a result of
failures in airplane systems. Some of these occurrences were caused, in
part, by insufficient design standards for controlling the risk of
latent failures. Current FAA regulations do not prevent the unintended
operation of an airplane with a latent failure that, when combined with
another failure, could cause an accident. For example, in 1991, a
Boeing Model 767 series airplane operated by Lauda Air took off with a
contaminated thrust reverser control valve. This contamination was
``latent'' because it was undetected. The accident investigation found
that a short circuit occurred, and together with the contaminated
control valve, caused the thrust reverser to unintentionally deploy in
flight. As a result, the airplane subsequently crashed, resulting in
223 fatalities.\4\
---------------------------------------------------------------------------
\4\ Lauda Air B767 Accident Report by the Aircraft Accident
Investigation Committee, Ministry of Transport and Communications,
Thailand, is available in the docket and at https://lessonslearned.faa.gov/Lauda/LaudaAccidentReport.pdf.
---------------------------------------------------------------------------
Also, current regulations do not require establishment of mandatory
inspections for significant latent failures that may pose a risk in
maintaining the airworthiness of the airplane design. Such inspections
may be necessary to reduce an airplane's exposure to these latent
failures, so airplanes continue to meet safety standards while in
service.
Additionally, current regulations do not adequately address new
technology in flight control systems and the effects these systems can
have on controllability and structural capability. For example, on
airplanes equipped with fly-by-wire control systems, there is no
mechanical link between the flightdeck control and the control surface,
so the flightcrew may not be aware of the actual control surface
position. Also, on some flight control system designs, there may be
submodes of operation that change or degrade the normal handling or
operational characteristics of the airplane. Flightcrew awareness of
both the operational mode of the airplane and the control surface
positions are necessary design features to ensure safety of flight but
are not required by current regulations.
This action is also necessary to address flight control systems
whose failure can affect the loads imposed on the airplane structure.
As an example, some airplanes are equipped with rudder limiters, which
reduce the maximum deflection of the rudder at higher airspeeds,
thereby reducing the maximum loads on the rudder and vertical
stabilizer. Failure of the rudder limiter can result in higher loads on
these surfaces in the event of a significant rudder maneuver. Excessive
loads can lead to structural damage and catastrophic failure. Current
regulations do not require applicants to account for these potentially
higher loads in the structural design of the airplane.
Lastly, certain system safety requirements are not standardized
across airplane systems. Current regulations specify different safety
assessment criteria for different systems, which can lead to
inconsistent standards across the airplane. Also, when systems that
traditionally have been separate become integrated using new
technology, applicants may be unsure which standard to apply.
The FAA proposes to address these issues by revising the system
safety assessment requirements in part 25.
B. Related Actions
1. Aviation Rulemaking Advisory Committee (ARAC) Recommendations
Advances in flight controls technology, increased airplane system
integration, and certain incidents, accidents, and service difficulties
related to system failures prompted the FAA to task the ARAC with
developing recommendations for new or revised requirements and
compliance methods related to the safety assessment of airplane and
powerplant systems. The ARAC accepted tasks on various airplane systems
issues and assigned them to the Powerplant Installation Harmonization
Working Group (PPIHWG),\5\ Flight Controls Harmonization Working Group
(FCHWG),\6\ Loads and Dynamics Harmonization Working Group (LDHWG),\7\
and System Design and Analysis Harmonization Working Group (SDAHWG).\8\
The FAA also tasked the ARAC to make recommendations for harmonizing
the relevant part 25 rules with the corresponding European
certification specifications for large airplanes.\9\ The ARAC accepted
this task and assigned it to the relevant working groups.
---------------------------------------------------------------------------
\5\ 57 FR 58844 (Dec. 11, 1992).
\6\ 63 FR 45554 (Aug. 26, 1998).
\7\ 59 FR 30081 (Jun. 10, 1994).
\8\ 61 FR 26246 (May 24, 1996).
\9\ As the FAA noted in the Federal Register in 1993: ``The FAA
announced at the Joint Aviation Authorities (JAA)-Federal Aviation
Administration (FAA) Harmonization Conference in Toronto, Ontario,
Canada, (June 2-5, 1992) that it would consolidate within the
Aviation Rulemaking Advisory Committee structure an ongoing
objective to ``harmonize'' the Joint Aviation Requirements (JAR) and
the Federal Aviation Regulations (FAR). Coincident with that
announcement, the FAA assigned to the ARAC those projects related to
JAR/FAR 25, 33 and 35 harmonization which were then in the process
of being coordinated between the JAA and the FAA.'' 58 FR 13819,
13820 (Mar. 15, 1993).
---------------------------------------------------------------------------
In developing their recommendations, the PPIHWG and FCHWG reviewed
the investigations of two transport category airplane accidents. In the
May 1991 Lauda Air accident, discussed previously, an unintentional
thrust reverser deployment on a Boeing Model 767 series airplane caused
a loss of airplane controllability.\10\ In the September 1994 USAir
accident, the NTSB considered a malfunction of the rudder actuation
system on a Boeing Model 737-300 series airplane to have likely
initiated a loss of airplane controllability that resulted in the
airplane impacting the ground near Pittsburgh, Pennsylvania.\11\ The
investigations of these two accidents identified hazards resulting from
potential CSL+1 failure conditions in safety critical systems.
---------------------------------------------------------------------------
\10\ See footnote 4.
\11\ NTSB Accident Report NTSB/AAR-09/01, Uncontrolled Descent
and Collision with Terrain, USAir Flight 427, Boeing 737-300,
N513AU, Near Aliquippa, Pennsylvania, September 8, 1994, is
available in the docket and at https://lessonslearned.faa.gov/USAir427/usair427_ntsb_report.pdf.
---------------------------------------------------------------------------
The PPIHWG recommended revisions to Sec. 25.901(c), to address
failures and malfunctions of powerplant and auxiliary power unit (APU)
installations, and to Sec. 25.933, to address failures and
malfunctions of thrust reversing systems. The FCHWG recommended changes
to Sec. 25.671 to address failures and jamming of flight control
systems. The LDHWG recommended the addition of a new rule, Sec.
25.302, to address systems that directly, or as a result of a failure
or malfunction, would affect the structural performance of the
airplane. The SDAHWG recommended revisions to Sec. Sec. 25.1301 and
25.1309, and further changes to Sec. 25.901(c). Each working group
also recommended advisory material to accompany the recommended
regulatory changes. The SDAHWG named their recommended
revision to AC 25.1309-1A as the ``Arsenal'' version.\12\
---------------------------------------------------------------------------
\12\ The ``Arsenal'' version is a draft revision of AC 25.1309-
1A, developed by the ARAC SDAHWG. Applicants can use it in
conjunction with a request for an ELOS finding for, or exemption
from, Sec. Sec. 25.1301 and 25.1309, per FAA Policy PS-ANM100-00-
113-1034, Use of ARAC (Aviation Rulemaking Advisory Committee)
Recommended Rulemaking not yet formally adopted by the FAA, as a
basis for equivalent level of safety or exemption to Part 25, dated
January 4, 2001, available at https://drs.faa.gov. The ``Arsenal''
version is available in the docket as part of the SDAHWG
recommendation, Task 2--System and Analysis Harmonization and
Technology Update, pp. 61-99, and at https://www.faa.gov/regulations_policies/rulemaking/committees/documents/media/TAEsdaT2-5241996.pdf.
---------------------------------------------------------------------------
Although the working groups each addressed the subject of managing
latent failures in safety critical systems, their recommendations were
not consistent when defining the criteria for latent failures. After
reviewing the relevant regulations, and the recommendations from the
working groups, the FAA, along with the European, Canadian, and
Brazilian civil aviation authorities, identified a need to standardize
SSA criteria. These authorities were concerned that the safety criteria
recommended by the working groups could result in differing safety
assessments across various critical systems. Differing standards could
result in an inappropriately low level of safety on some critical
systems, or, conversely, unnecessarily apply the most stringent
standard to every system in a set of integrated systems.
Therefore, in 2006, the FAA tasked ARAC, which assigned the task to
the Airplane-Level Safety Assessment Working Group (ASAWG),\13\ with
creating consistent SSA criteria and developing new criteria for
``specific risk.'' ``Specific risk'' is the risk on a given flight
resulting from the existence of a particular condition (for example, a
latent failure) on that flight. It is differentiated from ``average
risk,'' which is the risk on a typical flight of all airplanes of a
particular model for a typical duration.
---------------------------------------------------------------------------
\13\ 71 FR 14284 (Mar. 21, 2006).
---------------------------------------------------------------------------
The ASAWG completed its work in May 2010 and recommended a set of
consistent requirements that would apply to all systems. Specific areas
addressed in the recommendation report include latent failures, aging
and wear, Master Minimum Equipment Lists, and flight and diversion
time. The ASAWG recommended that the general system safety criteria for
all airplane systems be governed by Sec. 25.1309, and recommended
adjustments to the regulations and advisory material addressed by the
working groups mentioned previously, to implement consistent system
safety criteria. All ARAC working group recommendation reports are
available in the docket for this NPRM.
2. FAA Review of Service Difficulty Reports
One ASAWG recommendation responded to the need to prevent a
catastrophic failure condition resulting from two failures, when either
failure is latent (undetected) for more than one flight. In such a
case, the first failure is latent, and thus persists undetected, and
the second failure is active (detected) because its occurrence results
in a catastrophic accident. In consideration of this recommendation,
the FAA reviewed a number of past service difficulty reports \14\ that
could have led to catastrophic accidents if the latent failure had been
followed by another failure. These include:
---------------------------------------------------------------------------
\14\ Service difficulty reports are reports of occurrences or
detection of failures, malfunctions, and defects, as required by 14
CFR 91.1415, 121.703, 125.409, 135.415 and 145.221, as applicable to
the type of operation of the aircraft.
---------------------------------------------------------------------------
• A latent failure of a fire extinguisher control switch
that, if coupled with an active failure such as an engine fire, could
have resulted in an uncontrollable engine fire.\15\
---------------------------------------------------------------------------
\15\ A report of the failure of a certain engine fire shutoff
switch led to Airworthiness Directive (AD) 2005-01-13, Amendment 39-
13938 (70 FR 2339, January 13, 2005).
---------------------------------------------------------------------------
• A latent failure of the high-lift system \16\ brake that,
if coupled with an active failure such as a high-lift system
transmission driveshaft failure, could have resulted in loss of
control.\17\
---------------------------------------------------------------------------
\16\ A ``high-lift'' system is a system that increases the
amount of lift produced by an airplane wing.
\17\ Multiple reports of failure of a certain high-lift system
brake led to AD 2009-20-12, Amendment 39-16035 (74 FR 50686, October
1, 2009).
---------------------------------------------------------------------------
• A latent failure of a high-lift system proximity sensor
that, if coupled with an active failure such as a high-lift drive
system failure, could have resulted in loss of control.\18\
---------------------------------------------------------------------------
\18\ Multiple reports of failure of a certain high-lift system
proximity sensor led to AD 2014-03-08, Amendment 39-17745 (79 FR
9398, February 19, 2014).
---------------------------------------------------------------------------
The FAA has determined that such service difficulties were, in
part, a consequence of insufficient design standards for controlling
the risk due to latent failures, and the FAA expects similar service
difficulties in the future if the standards are not revised to manage
such risks.
3. Commercial Aviation Safety Team Task Force Study Regarding Gaps in
Maintenance Process
In 2009, the Commercial Aviation Safety Team (CAST) \19\ chartered
a task force, led by the FAA Flight Standards Service, Aircraft
Maintenance Division, to conduct a study to identify and correct gaps
in operators' maintenance processes. The objective of the task force
was to ensure that the level of safety provided at certification would
be sustained throughout the life of the airplane.
---------------------------------------------------------------------------
\19\ Founded in 1998, CAST is a cooperative government-industry
initiative. CAST is co-chaired by a senior-level official of the air
transport industry and by the FAA Associate Administrator for
Aviation Safety.
---------------------------------------------------------------------------
In 2011, the task force reported on the gaps it found, and
recommended mitigation strategies.\20\ One of the identified gaps (GAP
009) was that the current regulations do not require use of
Certification Maintenance Requirements (CMRs),\21\ which identify
inspections of systems for significant latent failures that are
necessary to preserve the airplane's reliability. The FAA has been
recommending in advisory circulars (AC 25.1309-1A, AC 25-19, and AC
25-19A) to establish the need for inspections of critical systems where
latent failures could exist. Since CMRs are critical to safety, the
task force recommended the FAA require their use.
---------------------------------------------------------------------------
\20\ More information on CAST and the task force findings is
available in the docket and on the internet at https://www.skybrary.aero/sites/default/files/bookshelf/2553.pdf.
\21\ CMRs are defined in Advisory Circular (AC) 25.1309-1A,
System Design and Analysis, dated June 21, 1988; and AC 25-19A,
Certification Maintenance Requirements, dated October 3, 2011. The
FAA plans to revise AC 25.1309-1 as described in this document, and
the CMR definition would conform to the definition provided in Table
2 and in new Sec. 25.4, Definitions. The CMR definition in AC 25-
19A already conforms to the definition provided in Table 2. That AC
is not being revised as part of this rulemaking.
---------------------------------------------------------------------------
4. Equivalent Level of Safety Findings and Special Conditions
The FAA has applied most of the SSA criteria proposed in this NPRM
to certification projects for the past 15 years, through equivalent
level of safety (ELOS) findings under Sec. 21.21. The topics of these
findings include flight control systems (Sec. 25.671(c)) as
recommended by the FCHWG; thrust reversers (Sec. 25.933(a)(1)) as
recommended by the PPIHWG; and general SSA criteria (Sec. Sec. 25.1301
and 25.1309) as recommended by the SDAHWG.
Modern transport category airplanes are equipped with systems that,
directly or as a result of failure or malfunction, affect structural
performance. However, current regulations do not require applicants to
take into account loads on the airplane due to the effects of system
failures on structural performance. Therefore, the FAA has applied
special conditions that require the effects of
system failures be taken into account in the design. The FAA based the
provisions of these special conditions, titled ``Interaction of Systems
and Structures,'' on the criteria developed by the ARAC working groups,
and proposes to codify these special conditions in proposed Sec.
25.302.
Finally, the FAA has applied the requirements in proposed Sec.
25.671(a), (e), and (f) for fly-by-wire control systems to recent type
certificate applications through means of compliance issue papers and
special conditions.
5. Harmonization With European Union Aviation Safety Agency (EASA)
Certification Standards
EASA certification standards for large airplanes (CS-25) prescribes
the airworthiness standards corresponding to 14 CFR part 25 for
transport category airplanes certified by the European Union.
Applicants for FAA type certification of transport category airplanes
may also seek EASA validation of the FAA's type certificate. Where part
25 and CS-25 differ, an applicant must meet both airworthiness
standards to obtain a U.S. type certificate and validation of the type
certificate by foreign authorities, or obtain exemptions, ELOS findings
or special conditions, or the foreign authority's equivalent to those,
as necessary to meet one standard in lieu of the other. Where FAA and
EASA can maintain harmonized requirements, applicants for type
certification benefit by having a single set of requirements with which
they must show compliance, thereby reducing the cost and complexity of
certification and codifying a consistent level of safety.
EASA incorporated the SDAHWG-recommended changes to Sec. Sec.
25.1301 and 25.1309, and associated guidance, in its initial issuance
of CS-25 on October 17, 2003.\22\ EASA incorporated the criteria
regarding interaction of systems and structures recommended by the
LDHWG into its regulatory framework as CS 25.302 and appendix K of CS-
25 at amendment 25/1 on December 12, 2005.\23\ EASA incorporated the
ASAWG-recommended regulatory and advisory material implementing
consistent SSA criteria, at amendment 25/24 to CS-25, on January 10,
2020.\24\ This proposed NPRM would harmonize FAA requirements with EASA
to the extent possible, with differences described in the Discussion of
the Proposed Rule.
---------------------------------------------------------------------------
\22\ https://www.easa.europa.eu/en/downloads/1516/en.
\23\ https://www.easa.europa.eu/en/document-library/certification-specifications/cs-25-amendment-1.
\24\ https://www.easa.europa.eu/en/downloads/108354/en.
---------------------------------------------------------------------------
6. Aircraft Certification, Safety, and Accountability Act
This proposal would update the requirements and guidance for system
safety assessments to support, in part, the requirements of the
Aircraft Certification, Safety, and Accountability Act, Public Law 116-
260 (the Act). Section 115(b)(1)(A) of the Act states that the
Administrator of the FAA shall require an applicant for an amended type
certificate for a transport airplane to perform a system safety
assessment with respect to each proposed design change that the
Administrator determines is significant, with such assessment
considering the airplane-level effects of individual errors,
malfunctions, or failures and realistic pilot response times to such
errors, malfunctions, or failures. Currently, Sec. 25.1309 requires
this action, not just for significant design changes, but for all
design changes affecting systems. Specifically, Sec. 25.1309(b)
requires applicants assess safety at the airplane level for airplane
systems and associated components, considered separately and in
relation to other systems. Section 25.1309(d) specifies that compliance
to Sec. 25.1309(b) must be shown by analysis and appropriate testing,
and must consider possible modes of failure, including malfunctions and
damage and also that the assessment consider crew warning cues,
corrective action required, and the capability of detecting faults. In
the context of Sec. 25.1309, ``corrective action'' means flightcrew
procedures for use after failure detection to enable continued safe
flight and landing.\25\ The proposed Sec. 25.1309 would remove the
current content of Sec. 25.1309(d), and place that content in draft AC
25.1309-1B, along with expanded guidance on the safety assessment
process, because (1) the proposed Sec. 25.1309 would be a performance-
based regulation for which methods of compliance are more appropriately
provided in guidance, and (2) the items for consideration listed in
Sec. 25.1309(d) constitute an incomplete method of compliance to Sec.
25.1309(b), as explained in section III.G.1 of this preamble.
---------------------------------------------------------------------------
\25\ AC 25.1309-1A provides guidance on including flightcrew
corrective action in showing compliance to Sec. 25.1309. Draft AC
25.1309-1B, sections 5.3 and 5.4, would provide updated guidance.
---------------------------------------------------------------------------
Section 115(b)(1)(B) of the Act states that the system safety
assessments required by section 115(b)(1)(A) of the Act be updated for
each subsequent proposed design change that the Administrator
determines is significant. As discussed, Sec. 25.1309 already requires
this action not just for significant design changes, but for all design
changes affecting systems. This proposed rulemaking would update the
analysis necessary for airplane-level effects of individual errors,
malfunctions, or failures.
Section 115(b)(1)(C) of the Act states that applicants must provide
to the FAA the data and assumptions underlying each assessment and
amended assessment. Draft AC 25.1309-1B, which accompanies this
rulemaking, states that a system safety assessment, to show compliance,
should provide data such as component failure rates and their sources
and applicability, and support any assumptions made. Section 7.9 of the
draft AC provides detailed guidance on identification and justification
of assumptions, data, and analytic techniques.
Section 115(b)(1)(D) of the Act states that applicants must provide
for document traceability and clarity of explanations for changes to
aircraft type designs and system safety assessment certification
documents. Appendix C of Draft AC 25.1309-1B describes the safety
assessment process, and states that a system safety assessment, to show
compliance, should include, among other things, a statement of the
functions, boundaries, and interfaces of the system and a description
that establishes correctness and completeness and traces the work
leading to the conclusions of the SSA.
These updates to system safety assessment requirements, and to
implementing guidance, would provide a foundation to address how human
(flight crew) response is treated and validated within the context of
the required analysis. As required by Section 126 of the Act, the FAA
is researching pilot responses to errors, malfunctions and failures,
and may use that research in the future to update guidance in this
regard.
C. NTSB Recommendations
As a result of the aforementioned 1994 Pittsburgh accident, the
National Transportation Safety Board (NTSB) issued two safety
recommendations relevant to this rulemaking, A-99-22 and A-99-23.\26\
In Safety Recommendation A-99-22, the NTSB recommends that the FAA
ensure that future transport category airplanes
provide a reliably redundant rudder actuation system. In Safety
Recommendation A-99-23, the NTSB recommends that the FAA require type
certificate applicants to show that transport category airplanes are
capable of continued safe flight and landing after jamming of a flight
control at any deflection possible, up to and including its full
deflection, unless the applicant shows that such a jam is extremely
improbable. This proposed rule would implement these recommendations by
revising Sec. 25.671(c).
---------------------------------------------------------------------------
\26\ NTSB Safety Recommendations A-99-22 and A-99-23 are
available in the docket and at https://www.ntsb.gov/safety/safety-recs/recletters/A99_20_29.pdf.
---------------------------------------------------------------------------
The NTSB issued Safety Recommendation A-02-51 \27\ following an
accident in January 2000, in which a McDonnell Douglas Model MD-83
airplane crashed into the Pacific Ocean off the coast of California.
The NTSB determined that the probable cause of this accident was a loss
of airplane pitch control resulting from the in-flight failure of the
jackscrew assembly of the horizontal stabilizer trim system. This
failure was related to maintenance of this critical system;
specifically, the excessive and accelerated wear of a critical part as
a result of insufficient lubrication. In Safety Recommendation A-02-51,
the NTSB recommends that the FAA review and revise airplane
certification regulations, and associated guidance applicable to the
certification of transport category airplanes, to ensure that
applicants fully address wear-related failures so that, to the maximum
extent possible, such failures will not be catastrophic. The proposed
requirement to include CMRs in the ALS would respond to this safety
recommendation, as would the draft ACs accompanying this NPRM that
contain guidance on assessing wear-related failures as part of the SSA.
---------------------------------------------------------------------------
\27\ NTSB Safety Recommendation A-02-51 is available in the
docket and at https://www.ntsb.gov/safety/safety-recs/recletters/A02_36_51.pdf.
---------------------------------------------------------------------------
The NTSB issued Safety Recommendation A-14-119 \28\ following an
incident in January 2013, in which the APU lithium-ion battery
installed in a Boeing Model 787-8 airplane caught fire when the
airplane was parked at a gate at Logan International Airport in Boston,
Massachusetts. In Safety Recommendation A-14-119 the NTSB recommends
that the FAA provide its certification engineers with written
guidance and training to ensure that assumptions, data sources, and
analytical techniques are fully identified and justified in applicants'
safety assessments for designs incorporating new technology.
Additionally, the NTSB recommends that an appropriate level of
conservatism be included in the analysis or design, consistent with the
intent of the draft guidance material that the SDAHWG recommended.
Draft AC 25.1309-1B, accompanying this NPRM, would contain the
recommended guidance.\29\
---------------------------------------------------------------------------
\28\ NTSB Safety Recommendation A-14-119 is available in the
docket and at https://www.ntsb.gov/safety/safety-recs/recletters/A-14-113-127.pdf.
\29\ This advisory circular, and the other advisory circulars
that accompany this proposal, are in the docket for review and
comment.
---------------------------------------------------------------------------
III. Discussion of the Proposed Rule
After consideration of the issues in the Statement of Problem, the
relevant NTSB recommendations, and ARAC recommendations, the FAA
proposes to revise several regulations to change how applicants would
conduct SSAs.
A. Consistent Safety Assessment Criteria for Airplane Systems
1. Average Risk Criteria (Sec. 25.1309(b)(1), (2), and (3))
Current Sec. 25.1309(b) requires applicants to design the systems
and associated components (considered both separately and in relation
to each other) of their proposed transport category airplane to meet
two criteria. First, these systems must be designed so that the
occurrence of any failure condition which would prevent the safe flight
and landing of the airplane is extremely improbable (Sec.
25.1309(b)(1)). Second, each system must be designed so that the
likelihood of any other failure condition which would reduce the
capability of the airplane, or of its flightcrew, to cope with adverse
operating conditions is improbable (Sec. 25.1309(b)(2)).
The FAA proposes to revise Sec. 25.1309(b) to establish risk
criteria that can be used consistently across multiple airplane
systems, harmonize FAA regulations with EASA Certification
Specifications for Large Aeroplanes (CS) 25.1309(b), and codify
commonly issued ELOS findings. The proposed revisions would require
that type certificate applicants design and install airplane systems
and associated components, evaluated both separately and in relation to
other systems, so that--
• Each catastrophic failure condition is extremely
improbable and does not result from a single failure;
• Each hazardous failure condition is extremely remote; and
• Each major failure condition is remote.
As noted previously, the current rule (Sec. 25.1309(b)(2))
requires any failure condition that would reduce the capability of the
airplane or the ability of the crew to cope with adverse operating
conditions to be ``improbable'' (on the order of 10^-9 < p <=
10^-5, where p is probability of failure per flight hour).
This condition is characterized by AC 25.1309-1A as ``major,'' and it
represents a broad spectrum of probability.
As previously discussed, the FAA has issued ELOS findings for more
than a decade to accept use of the ARAC-recommended revision to
Sec. Sec. 25.1301 and 25.1309 in lieu of Sec. Sec. 25.1301 and
25.1309, and the accompanying ``Arsenal'' version of AC 25.1309-1 as
the method of compliance. In the ``Arsenal'' version, the ``major''
failure condition is divided into two categories: ``hazardous'' and
``major'', with corresponding probability requirements of ``extremely
remote'' (on the order of 10^-9 < p <= 10^-7) and
``remote'' (on the order of 10^-7 < p <= 10^-5).
The granular assessment of failure conditions in the ``Arsenal''
version is beneficial because it allows for more accurate analysis of
highly integrated systems and better differentiation of failure effects
on flightcrew than the current requirements of Sec. 25.1309(b). The
``hazardous'' category in the ``Arsenal'' version corresponds to the
more severe end of the ``major'' category in current Sec.
25.1309(b)(2), which is referred to as ``severe major'' in AC
25.1309-1A, ``System Design and Analysis,'' dated June 21, 1988.
This proposal would codify current practice by adding the
``hazardous'' failure condition category and its probability
requirement, replace the probability term ``improbable'' with
``remote'' for major failure conditions, and prohibit catastrophic
single failures.
a. Inclusion of Specific Failure Condition Categories and Probabilities
An objective of this proposal is to align the regulatory terms used
in 14 CFR part 25 to describe failure condition categories and
probabilities with the terms used in the most recent transport airplane
certification projects (whose SSAs use the methods in the ``Arsenal''
version of AC 25.1309-1 and in EASA CS 25.1309 and accompanying
guidance). Proposed Sec. 25.1309(b) would use terms that are already
used by the aviation industry to describe failure condition categories
and probabilities. Additionally, since the FAA also uses these terms in
other part 25 regulations, such as Sec. Sec. 25.671, 25.981, and
25.1709, the FAA proposes to define them in a new Sec. 25.4,
``Definitions.'' Although the terminology in Sec. 25.1309(b) would
change from the current regulations, the intent and usage of those
terms would not change as a result.
b. Prohibiting Catastrophic Single Failures
Proposed Sec. 25.1309(b)(1)(ii) would prohibit a proposed design
from allowing any single failure that could result in a catastrophic
failure condition (i.e., a ``fail-safe'' design requirement). The
requirement that applicants assume that any single failure could occur
and that such failure not prevent continued safe flight and landing was
codified in 1965 as Sec. 25.1309. The FAA inadvertently removed from
Sec. 25.1309 the requirement for fail-safe design in 1970 at amendment
25-23,\30\ although the agency retained guidance on fail-safe design.
The purpose of the FAA's guidance on fail-safe design has been to
convey the objectives of the fail-safe design concept, and provide
principles and techniques for its usage by applicants.
---------------------------------------------------------------------------
\30\ 35 FR 5674 (Apr. 8, 1970).
---------------------------------------------------------------------------
Amendment 25-23 also amended Sec. 25.671(c) to prohibit
catastrophic single failures in flight control systems. At that time,
Sec. 25.901(c) applied Sec. 25.1309 to powerplant installation,
requiring applicants to assume in their safety assessments that any
single failure could occur. With amendment 25-40 in 1977,\31\ the FAA
amended Sec. 25.901(c) to explicitly prohibit catastrophic single
failures in systems associated with the powerplant installation because
Sec. 25.1309 did not prohibit catastrophic single failures.
---------------------------------------------------------------------------
\31\ 42 FR 15042 (Mar. 17, 1977).
---------------------------------------------------------------------------
This proposed rule would also make the requirements for safety
assessments of flight control systems and powerplant installations
consistent with the requirements for other systems in regard to
prohibiting catastrophic single failures. Systems covered by the
proposed Sec. Sec. 25.671(c) and 25.901(c) would be required to comply
with the Sec. 25.1309 prohibition of catastrophic single failures
under all operating and environmental conditions under which the
airplane was approved to operate. Incorporation of fail-safe design
requirements across all the critical systems of the airplane would
ensure consistent safety objectives are implemented. Further discussion
of proposed changes to Sec. Sec. 25.671(c) and 25.901(c) is provided
in sections III.E and III.B.2.d of this preamble, respectively.
2. Latent Failures in System Designs
a. Proposed Criteria--Sec. 25.1309(b)(4)
The FAA proposes to add a new paragraph (b)(4) to Sec. 25.1309
that would require applicants to avoid SLFs whenever practical. The
purpose of proposed Sec. 25.1309(b)(4) is to reduce an airplane's
exposure to SLFs by establishing the following hierarchy of safety
requirements. First, the applicant must eliminate SLFs. If the
elimination of the SLF is not practical, then the applicant must limit
the likelihood of that SLF to 1/1000 between inspections. If the
applicant proves that it is not practical to comply with the 1/1000
criterion, then the applicant must design the system to minimize the
failure's latency; that is, minimize the length of time the failure is
expected to be present, and remain undetected.
The FAA intends the proposed rule to minimize the latency of SLFs
and achieve the safety objective of the ASAWG's recommendation to avoid
SLFs whenever practical. The FCHWG, PPIHWG, and ASAWG each recommended
the 1/1000 value to limit the latency period in the failure conditions
specific to that working group's technical area. The FAA proposes that
application of the 1/1000 criterion to every system that may contain a
SLF is a necessary safety measure that an applicant can apply. This
1/1000 criterion is necessary to reduce exposure of the airplane to
latent failures that leave the airplane one failure away from a
hazardous or catastrophic condition. This criterion is cost effective
as described in the costs and benefits section of this NPRM.
An applicant may be able to show, in rare situations, that it is
not practical to meet the 1/1000 criterion. One possible example is if
compliance with the 1/1000 criterion would necessitate complex or
invasive maintenance tasks on the flight line, increasing the risk of
incorrect maintenance. In such situations, safety may be better served
if the operator inspects for latent failures at a maintenance facility
or at a longer inspection interval, even though the longer inspection
interval could mean the probability of the latent failure exceeds
1/1000; however, the applicant must minimize the time the failure is
expected to be present. The FAA expects that an applicant would likely
integrate these steps into its normal design processes. During the
FAA's review of an applicant's proposed demonstration of compliance
with the other provisions of Sec. 25.1309(b), if the FAA determines
that it may be practical to eliminate or further reduce exposure to a
SLF, then these proposed regulations would require the applicant to
either redesign the system or demonstrate the impracticality of that
redesign.
b. Proposed Criteria--Sec. 25.1309(b)(5)
The FAA proposes a new standard for limiting the risk of a CSL+1
failure condition (a catastrophic failure combination that results from
a single latent failure plus one additional failure). Under current
regulations, an operator could unknowingly dispatch an airplane with a
potential CSL+1 failure condition. Under this proposal, when conducting
SSAs, an applicant would be required to apply additional criteria in
proposed Sec. 25.1309(b)(5) (pertaining to additional fault tolerance,
residual risk, and probability of latent failures) to limit the
specific risk of a CSL+1 failure condition, in addition to the
requirement in Sec. 25.1309(b)(1).\32\
---------------------------------------------------------------------------
\32\ The draft Regulatory Impact Analysis in the docket for this
rulemaking refers to this part of the proposal as the ``specific
risk rule.''
---------------------------------------------------------------------------
i. Additional Fault Tolerance
For each potential catastrophic failure condition that results from
two failures, either of which could be latent for more than one flight,
the applicant would be required by Sec. 25.1309(b)(5)(i) to show that
it is impractical to design the system with additional fault tolerance.
For example, if practical, the applicant could add a failure monitor,
thereby eliminating the latency of the first (undetected) failure. Or,
the applicant could design additional redundancy in the system, so that
the second failure would not be catastrophic. In either case, the
condition resulting from the failure combination would no longer create
a CSL+1 failure condition.
ii. Limiting the Residual Risk to a ``Remote'' Probability
The FAA proposes Sec. 25.1309(b)(5)(ii), which would adopt the
ASAWG recommendation to limit the total probability that any single
failure could lead to a catastrophe following a latent failure. This
total probability could be no greater than ``remote.'' The ASAWG
recommended the ``remote'' criterion based on the reliability of
components typically used in systems that have a redundant means to
protect against catastrophic single failures. These components have
demonstrated a level of reliability, on the order of
1 x 10^-5 per flight hour, which was consistent with the
SDAHWG's recommended probability guidelines (the ``Arsenal'' version of
AC 25.1309, and EASA Acceptable Means of Compliance 25.1309) for
showing ``remote'' probability. The ASAWG reasoned that establishing a
higher standard than ``remote'' could require redesign of systems that
have an acceptable in-service safety record, and the FAA agrees with
this rationale.
Therefore, the FAA proposes that this ``remote'' criterion, in
combination with the criterion to limit latency to a maximum
probability of 1/1000, would establish an acceptable level of safety
for potential CSL+1 failure conditions. Also, if a system has multiple
potential failure combinations that lead to the same CSL+1 failure
condition, each combination of which contains the same latent failure,
the applicant would be required to sum the probabilities of the
non-latent failures. The resulting sum of probabilities would also have to
meet the ``remote'' criterion.
iii. Limiting the Probability of Latent Failures to 1/1000
Proposed Sec. 25.1309(b)(5)(iii) would limit the probability of
occurrence of a latent failure in a CSL+1 combination to 1/1000. The
1/1000 value would be the proposed maximum allowable probability of a
latent failure. To comply, the applicant would multiply the maximum
time the latent failure is allowed to be present by the component
failure rate, and show that the resultant value is less than or equal
to 1/1000. The maximum time is typically the time between inspections.
The ASAWG recommended limiting the probability of occurrence of a
latent failure in a CSL+1 combination to be ``on the order of'' 1/1000
or less. The FAA and Transport Canada submitted dissenting opinions,
documented in the ASAWG final report, that the phrase ``on the order
of'' would defeat the purpose of establishing a clear criterion for
limiting the likelihood of a latent failure; therefore, this proposal
omits that phrase. Instead, the 1/1000 value would be the maximum
allowable probability of a latent failure occurring between
inspections.
To determine this 1/1000 limit, the ASAWG drew on the knowledge of
the FCHWG and PPIHWG, both of which determined that 1/1000 was a
practical limit on the probability of a latent failure in the flight
control and thrust reversing systems. The ASAWG evaluated safety
analysis data and found that the probability of a latent failure
between inspections very rarely exceeded 1/1000.\33\ The FAA has
accepted this numerical value in the certification of these particular
systems through ELOS findings and determined that applicants can apply
it across all systems.
---------------------------------------------------------------------------
\33\ The ASAWG recommendation report is available in the docket
for this NPRM.
---------------------------------------------------------------------------
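The checks described above for proposed Sec. 25.1309(b)(5)(ii) and (iii), worked through as an added example; it is not part of the NPRM or the draft AC. All component names, failure rates, and inspection intervals are constructed, and treating 1 x 10^-5 per flight hour as the upper bound of ``remote'' is an assumption based on the order-of-magnitude figures quoted in this preamble.

```python
from collections import defaultdict
from dataclasses import dataclass

LATENT_LIMIT = 1.0e-3   # 1/1000 criterion, proposed Sec. 25.1309(b)(5)(iii)
REMOTE_LIMIT = 1.0e-5   # ASSUMED numeric bound for "remote", per flight hour


@dataclass(frozen=True)
class Combination:
    """One CSL+1 pair: a latent failure plus one additional (active) failure."""
    failure_condition: str
    latent: str
    active: str


def latent_probability(rate_per_fh, exposure_fh):
    """Failure rate multiplied by the maximum time the failure may be present."""
    return rate_per_fh * exposure_fh


def max_inspection_interval(rate_per_fh):
    """Longest exposure time (flight hours) that still meets the 1/1000 limit."""
    return LATENT_LIMIT / rate_per_fh


def assess(combinations, rates, intervals):
    """Group CSL+1 combinations by (failure condition, latent failure).

    For each group, sum the rates of the non-latent failures, as the preamble
    requires when several combinations share the same latent failure, and
    check both the "remote" and the 1/1000 criteria.
    """
    partners = defaultdict(set)
    for c in combinations:
        # A set keeps a repeated pair from being counted twice.
        partners[(c.failure_condition, c.latent)].add(c.active)

    results = {}
    for (condition, latent), actives in partners.items():
        p_latent = latent_probability(rates[latent], intervals[latent])
        residual = sum(rates[a] for a in sorted(actives))
        results[(condition, latent)] = {
            "latent_probability": p_latent,
            "latent_ok": p_latent <= LATENT_LIMIT,
            "residual_rate": residual,
            "residual_ok": residual <= REMOTE_LIMIT,
            "max_interval_fh": max_inspection_interval(rates[latent]),
        }
    return results


# Constructed sample data: failure rates per flight hour.
RATES = {
    "monitor_A_latent": 2.0e-6,
    "standby_valve_latent": 5.0e-6,
    "pump_1_fails": 4.0e-6,
    "controller_fails": 7.0e-6,
}
# Constructed inspection intervals (flight hours) for the latent failures.
INTERVALS = {"monitor_A_latent": 400.0, "standby_valve_latent": 600.0}

COMBINATIONS = [
    Combination("FC-1", "monitor_A_latent", "pump_1_fails"),
    Combination("FC-1", "monitor_A_latent", "controller_fails"),
    Combination("FC-1", "standby_valve_latent", "pump_1_fails"),
]

if __name__ == "__main__":
    for key, r in assess(COMBINATIONS, RATES, INTERVALS).items():
        print(key, r)
```

In this sample, each non-latent failure paired with the monitor failure is individually within the assumed ``remote'' bound, but their sum is not. The standby valve meets the residual-risk check but exceeds 1/1000 at a 600-hour interval.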
B. Consistent Application and Interpretation of Requirements for
Equipment, Systems, and Installations
1. Applicability of Sec. 25.1309
Applicants have raised numerous questions regarding the
applicability of Sec. 25.1309. The FAA therefore proposes to revise
Sec. 25.1309 as follows:
a. Introductory Paragraph of Sec. 25.1309
The FAA proposes to add an introductory paragraph to Sec. 25.1309,
which specifies that the rule applies to all systems and equipment on
the airplane. Section 25.1309(a) currently requires that applicants
design and show that only the equipment, systems, and installations
whose functioning is required by Subchapter C--Aircraft will perform
their intended functions under any foreseeable operating condition
(amendment 25-123, dated December 10, 2007). This proposed rule would
adopt the SDAHWG's recommendation to remove the limitation to
Subchapter C, which would broaden the applicability of Sec. 25.1309 to
any system or equipment as installed on the airplane, regardless of
whether it is required for type certification or by operating rules.
b. Section 25.1309(a)--Criteria for Two Classes of Installed Equipment
and Systems
The FAA proposes to remove Sec. 25.1301(a)(4), which requires that
installed equipment function properly when installed, and address that
requirement through proposed Sec. 25.1309(a), which would contain
requirements for two different classes of equipment and systems
installed in the airplane: (1) equipment and systems that are required
for type certification or by operating rules, or whose improper
functioning would reduce safety; and (2) all other systems.
c. Section 25.1309(a)(1)--Airplane Equipment and Systems Whose Improper
Functioning Would Reduce Safety
Proposed Sec. 25.1309(a)(1) would apply to all installed airplane
equipment and systems whose improper functioning would reduce safety,
regardless of whether the equipment or system is required by type
certification rules or operating rules. Such equipment and systems
would be required to perform as intended under the airplane operating
and environmental conditions. A failure or malfunction of equipment or
systems reduces safety if the failure or malfunction results in a minor
or more severe failure condition. The FAA recognizes, however, that
failures may occur throughout the operational life of the airplane, and
that a failed system may no longer perform as intended. The
acceptability of failures and their associated risks are covered by the
fail-safe regulations, such as Sec. Sec. 25.901(c), 25.1309(b),
25.671(c), 25.735(b)(1), 25.810(a)(1)(v), 25.812, 25.903(d)(1), and
25.1316.
The FAA further proposes new Sec. 25.1309(a)(1) to require that
equipment and systems perform as intended not just under airplane
operating conditions as required by current Sec. 25.1309(a), but under
environmental conditions as well. This change is needed to remove an
ambiguity in the current regulations, and ensure that an applicant's
safety assessment is complete.
Current Sec. 25.1309(a) requires that each such item perform its
intended functions under ``any foreseeable operating condition,'' but
does not mention ``environmental conditions.'' The method of compliance
to the rule in AC 25.1309-1A discusses both types of conditions. To
perform the safety assessment using the method in that AC, the
applicant must account for the airplane operating conditions (such as
weight, center of gravity, altitudes, flap positions) and the
environmental conditions that the airplane is reasonably expected to
encounter (such as atmospheric turbulence, lightning, or
precipitation).
The FAA has not required that systems and components perform as
intended in foreseeable but easily avoidable environmental conditions,
such as volcanic ash clouds. Thus, the FAA proposes to remove ``any
foreseeable'' from Sec. 25.1309(a)(1). This change would also
harmonize with CS 25.1309(a)(1).
The intent of this change is to ensure that the applicant evaluates
the continued function of equipment and systems--
• Throughout the airplane's normal operating envelope, as
defined by the airplane flight manual (AFM), together with any
modification to that envelope associated with abnormal or emergency
procedures, and any anticipated crew action; and
• Under the anticipated external and internal airplane
environmental conditions in which the equipment and systems must
perform as intended.
The proposed language in Sec. 25.1309(a)(1) is consistent with
existing FAA guidance \34\ regarding environmental conditions because
it
would allow that, even if certain environmental conditions are
foreseeable, performing as intended in those conditions is not always
possible. For example, ash clouds from volcanic eruptions are
foreseeable, but an applicant does not have to show that the airplane
can safely operate in such clouds, relying instead on forecasting and
air traffic control means to avoid such conditions.
---------------------------------------------------------------------------
\34\ AC 25.1309-1A, section 8.e. provides guidance on
incorporation of environmental conditions in SSA.
---------------------------------------------------------------------------
d. Section 25.1309(a)(2)--Equipment and Systems With No Effect on the
Safety of the Airplane or Its Occupants
Current Sec. 25.1309(a) requires that all equipment, systems, and
installations function properly when installed. However, the proper
functioning of non-essential equipment is typically not necessary for
safe operation of the airplane. These non-essential systems include
passenger amenities such as entertainment displays, audio systems,
in-flight telephones, non-emergency lighting, and food storage and
preparation.
Proposed Sec. 25.1309(a)(2) would require all equipment and
systems not subject to proposed Sec. 25.1309(a)(1) to not have an
adverse effect on the safety of the airplane or its occupants, and
would allow such equipment to be approved even if that equipment may
not perform as intended. Consequently, this proposal would reduce the
testing needed for those equipment and systems installations, because
they would not need to meet the operational and environmental condition
requirements of proposed Sec. 25.1309(a)(1). The proposed Sec.
25.1309(a)(2) would, however, require applicants to test such systems,
equipment, and installations to show that their normal or abnormal
functioning does not adversely affect the proper functioning of the
equipment, systems, and installations covered by proposed Sec.
25.1309(a)(1); and does not otherwise adversely affect the safety of
the airplane or its occupants.
No safety benefit is derived from demonstrating that equipment
performs as intended, if failing to perform as intended would not
impact safety. Instead, the FAA would expect that an applicant perform
a qualitative evaluation of the design and installation of such
equipment and systems installed in the airplane to determine that
neither their normal operation nor their failure would adversely affect
crew workload, operation of other systems, or the safety of persons.
The FAA expects normal installation practices to result in
sufficiently obvious isolation of the impacts of such equipment on
safety that compliance can be based on a relatively simple qualitative
installation evaluation. If the possible impacts, including failure
modes or effects, are uncertain, or isolation between systems is
provided by complex means, then more formal structured evaluation
methods or a design change may be necessary. Guidance on performing
qualitative evaluations is provided in draft AC 25.1309-1B.
This proposed change would reduce the cost of certification to
airplane and equipment manufacturers and modifiers without reducing the
level of safety provided by part 25.
e. Applicability of Sec. 25.1309 to In-Service and Out-of-Service
Conditions
Applicants have questioned whether, when showing compliance with
Sec. 25.1309, they must consider out-of-service conditions or risks to
persons other than the occupants of the airplane. Compliance with Sec.
25.1309 applies to flight operating conditions as well as ground
operating conditions, consistent with current practice. Draft AC
25.1309-1B specifies that compliance is applicable to ground operating
conditions when the airplane is in service. An airplane is in service
from the time the airplane arrives at a gate or other location for
pre-flight preparations, until it is removed from service. While ground
operating conditions include conditions associated with line
maintenance and refueling, dispatch determinations, embarkation and
disembarkation, and taxi, they do not include periods of shop
maintenance, storage, or other out-of-service activities. Applicants
should also account for threats to people on the ground or adjacent to
the airplane during ground operations, electric shock threats to
mechanics, and other similar situations.
f. Applicability of Sec. 25.1309 to High Intensity Radiated Fields and
Lightning Exposure
The ASAWG recommended that a future committee address how
applicants should account for systems' exposure to high intensity
radiated fields (HIRF) and lightning when showing compliance with Sec.
25.1309(b). The FAA acknowledges that follow-on regulatory or policy
action may be necessary to ensure this topic is addressed in a manner
that is both effective and practical. This proposed rule and the
associated advisory material are not intended to change how type
certificate applicants account for systems' exposure to HIRF and
lightning when demonstrating compliance with Sec. 25.1309.
Historically, considerations of lightning and HIRF in determining
failure effects have been limited to specific potential failures of
concern, such as failure of protection features, including critical
isolation features, that are dedicated to protecting the airplane from
the effects of lightning. Under the proposed changes to Sec. 25.1309,
applicants would continue to apply Sec. 25.1309 in addressing the
effects of HIRF and lightning as described in the prior sentence.
Testing and qualitative evaluations may still be used as a means of
compliance. Use of lightning and HIRF probabilities in quantitative
analyses is also still allowed but not required. The proposed revision
to Sec. 25.1309 would not supersede the more specific requirements of
Sec. Sec. 25.1316 and 25.1317.
2. Exceptions From Applicability of Sec. 25.1309
a. Flight Control Jams Addressed by Sec. 25.671
Proposed Sec. 25.1309(e) would exclude the flight control jams
governed by Sec. 25.671 from the proposed single-failure requirement
in Sec. 25.1309(b)(1)(ii). The FAA has historically used Sec.
25.671(c) rather than Sec. 25.1309 to regulate the risk of flight
control jams. Proposed Sec. 25.671(c) would continue this approach
because flight control jams are an unusual failure condition in which
the control position is critical to the outcome of the condition.
Therefore, specifying a flight control jam as a ``single failure'' does
not fully define the failure condition because the control position is
not defined. The current and proposed Sec. 25.671(c) specify that the
applicant must evaluate flight control jams at ``normally encountered''
positions. Additionally, proposed Sec. 25.671(c) would not require
evaluation of flight control jams immediately before touchdown if the
applicant shows that such jams are extremely improbable, as explained
later in this preamble in the section entitled, ``Changes to Sec.
25.671(c)(3).'' Therefore, this type of failure would be excluded from
the prohibition on a single failure being the cause of a catastrophic
failure condition under Sec. 25.1309(b)(1)(ii).
b. Brakes and Braking Systems, Addressed by Sec. 25.735
Proposed Sec. 25.1309(b) would not apply to single failures in the
brake system. Those failures are adequately addressed by Sec.
25.735(b)(1) at amendment 25-107, which limits the effect of a single
failure of the brake system to doubling the stopping distance of the
brake roll. The diverse
circumstances under which such a failure could occur make any
structured determination of its outcome or frequency indeterminate. The
proposed Sec. 25.1309 would apply to all other failures in the brake
system.
c. Emergency Egress Assist Means and Escape Routes, Addressed by Sec.
25.810, and Emergency Lighting, Addressed by Sec. 25.812
Proposed Sec. 25.1309(f) would also exclude the failure effects
addressed by Sec. Sec. 25.810(a)(1)(v) and 25.812 from Sec.
25.1309(b). The failure conditions relevant to the cabin safety
equipment installations addressed by Sec. Sec. 25.810(a)(1)(v) (escape
slides) and 25.812 (emergency lighting) are associated with varied
evacuation scenarios for which the probability of occurrence cannot be
determined due to the multitude of factors that can lead to an
evacuation. For these types of equipment, the FAA has not been able to
define appropriate scenarios under which an applicant could demonstrate
compliance with Sec. 25.1309(b). The FAA considers it acceptable in
terms of safety to require particular design features or specific
reliability demonstrations for these types of equipment and, therefore,
the FAA proposes to exclude them from the requirements of Sec.
25.1309(b).
d. Powerplant--Installation, Addressed by Sec. 25.901(c)
The FAA proposes to revise Sec. 25.901(c) to state that the
requirements of Sec. 25.1309 apply to powerplant and APU installations
and to list the failures that do not need to comply with Sec.
25.1309(b). Those exceptions, which would be consistent with existing
requirements, are engine case burn-through or rupture, uncontained
engine rotor failure, and propeller debris release. The FAA specifies
those exceptions in proposed Sec. Sec. 25.901(c) and 25.1309(f).
Excepting these failures from Sec. 25.1309(b) would not degrade the
level of safety from that required by current regulations. An applicant
must already minimize the effects and occurrence rates of these
failures when complying with:
Part 33, ``Airworthiness Standards: Aircraft Engines.''
Part 35, ``Airworthiness Standards: Propellers.''
Paragraph (d)(1) of Sec. 25.903, ``Engines.''
Paragraph (d) of Sec. 25.905, ``Propellers.''
Section 25.1193, ``Cowling and nacelle skin.''
This proposed revision would also harmonize Sec. 25.901(c) with CS
25.901(c).
3. Flightcrew Alerting and Errors
a. Categorization of Required Flightcrew Information
Section 25.1309(c) currently requires that warning information must
be provided to the flightcrew to alert them to unsafe system operating
conditions, and to enable them to take appropriate corrective action.
The FAA proposes to revise Sec. 25.1309(c) to require information be
provided to the flightcrew concerning unsafe system operating
conditions, rather than requiring only warnings. The proposed revisions
to Sec. 25.1309(c) would make the provision compatible with the
requirements of current Sec. 25.1322 (``Warning, caution, and advisory
lights''), which details requirements for the presentation of warning,
caution, and advisory alerts installed on the flight deck. For example,
Sec. 25.1322 requires a warning indication if immediate action by a
flightcrew member were necessary; however, the particular method of
indication would depend on the urgency and need for flightcrew
awareness or action that is necessary for the particular failure. The
proposed revision to Sec. 25.1309(c) (to remove the requirement for
``alert'') would remove an incompatibility with Sec. 25.1322, which
allows other sensory and tactile feedback from the airplane caused by
inherent airplane characteristics to be used in lieu of dedicated
indications and annunciations if the applicant can show such feedback
is sufficiently timely and effective to allow the crew to take
corrective action.\35\
---------------------------------------------------------------------------
\35\ See draft AC 25.1309-1B, sections 5.3.1.6 and 5.4.1.
---------------------------------------------------------------------------
b. Minimization of Crew Errors
Proposed Sec. 25.1309(c) would require that applicants design
``systems and controls, including indications and annunciations'' to
minimize crew errors that could create additional hazards. The proposed
change would remove a reference to ``warnings,'' which are addressed in
Sec. 25.1322, and instead use the broader phrase ``indications and
annunciations.'' The additional hazards that an applicant's proposed
design must minimize, under this proposal, are those that could occur
after a failure and those caused by inappropriate actions made by a
crewmember in response to the failure. As specified in Sec. 25.1585,
any flightcrew procedures necessary to ensure continued safe flight and
landing after the occurrence of a failure indication or annunciation
must be described in the approved AFM, AFM revision, or AFM supplement,
unless the FAA evaluates the procedures and accepts that the procedures
are part of normal aviation abilities.
C. Interaction of Systems and Structures (New Sec. 25.302)
The FAA proposes a new section, Sec. 25.302, that would require an
applicant to account for systems, and their possible failure, when
assessing the structural performance of its proposed design.
As a result of advances in flight control technology, the structure
requirements in part 25 do not provide an adequate regulatory basis to
establish an acceptable level of safety for airplanes equipped with
systems that affect structural performance such as the electronic
flight control system. Earlier automatic control systems usually had
two failure states: loss of function and malfunction. Flightcrews could
readily detect these conditions. The new electronic flight control
systems are more sophisticated and offer advantages that include load
limiting and load alleviation.\36\ Failures in these systems, however,
may allow the system to function in degraded modes that flightcrews may
not readily detect, and in which load alleviation may be lost or
reduced.
---------------------------------------------------------------------------
\36\ ``Load limiting and load alleviation'' refer to the
reduction of structural loads by automatic control surface limits or
movements. For example, vertical tail loads may be reduced by a
rudder limiter that automatically reduces the rudder deflection
upper limit as speed increases. Wing load alleviation may be
accomplished by automatic upward movements of the outboard ailerons
during a pitch up maneuver, thereby reducing the loads on the
outboard portion of the wing.
---------------------------------------------------------------------------
The LDHWG developed recommendations for design standards for
airplanes equipped with systems that, directly or as a result of
failure, affect the structural performance of the airplane. Structural
performance is the capability of the airplane to meet the structural
requirements of part 25.
While the FAA has applied the LDHWG recommendations for design
standards to airplane certification programs since 1999 via special
conditions, on December 12, 2005, EASA incorporated the design
standards developed by the LDHWG into its regulatory framework as CS
25.302 and appendix K of CS-25 at amendment 25/1.\37\ Similarly, the
FAA now proposes to adopt these criteria, with some modifications, as
new Sec. 25.302. The codification of these requirements in
part 25 will eliminate the need for the FAA to issue special conditions
on future certification projects. This will result in increased
efficiency for both the FAA and the industry in certification programs,
without impacting the level of safety.
---------------------------------------------------------------------------
\37\ https://www.easa.europa.eu/en/document-library/certification-specifications/cs-25-amendment-1.
---------------------------------------------------------------------------
1. Applicability of New Sec. 25.302
Proposed Sec. 25.302 would apply to all systems that affect
structural performance of the airplane. A system affects structural
performance if it can induce loads on the airframe, or change the
response of the airplane to inputs such as gusts or pilot actions,
either when operating normally or as a result of failure. Examples of
systems that can affect structural performance are load alleviation
systems, modal suppression systems, stability augmentation systems, and
fuel management systems, as well as hydraulic, electrical, and
mechanical systems.
2. Normal Operation
Proposed Sec. 25.302 would require that an applicant account for
the influence of systems, operating normally, when showing compliance
with subparts C and D of part 25. The proposed rule would require an
applicant to derive limit loads for the conditions specified in subpart
C and to account for any behavior or effect of the system on the
structural performance of the airplane. This means that the applicant
would need to account for any significant nonlinearity, including the
rate of displacement of control surfaces, thresholds, or any other
system nonlinearities, when deriving limit loads.
Proposed Sec. 25.302 would also require that an applicant show
that the airplane meets the strength requirements of part 25 for static
and residual strength, using specified factors to derive ultimate loads
from the limit loads. The proposed rule would require the applicant to
investigate the effect of nonlinearities beyond limit conditions to
ensure that the behavior of the system presents no anomaly compared to
the system's behavior below limit conditions.
3. Failure Condition Effect on Structural Performance
Proposed Sec. 25.302(a) through (e) would require an applicant to
assess the effect of failure conditions on the airplane's structural
performance. Proposed Sec. 25.302 would require assessment of all
failure conditions not shown to be extremely improbable, or that result
from a single failure, as typically determined by the applicant's
system safety assessment.
Proposed Sec. 25.302(a) would require that the airplane's design
be able to withstand the loads, including control system loads,
resulting from failure conditions, at speeds up to VC/MC, the
design cruising speed. Such loads are limit loads as
described in Sec. 25.301, and an applicant then applies a safety
factor \38\ of 1.5 to determine the airplane's ultimate loads. Proposed
Sec. 25.302(a) would require the applicant to determine the loads
assuming ``realistic scenarios, including pilot corrective actions.''
Draft AC 25.1309-1B and AC 25.671-X, ``Control Systems--General,''
would provide guidance for applicants on means of determining these
effects of failure conditions, including realistic effects. Under the
proposed rule, the applicant would be responsible for developing
scenarios that describe the response of the airplane and the response
of the pilots following a failure condition, using the guidance in
those ACs or another acceptable method.
---------------------------------------------------------------------------
\38\ A safety factor is a design factor used, in this instance,
to provide for the possibility of loads greater than those
anticipated in normal operating conditions, and for uncertainties in
design.
---------------------------------------------------------------------------
Proposed Sec. 25.302(b) would require that, in the system-failed
state (i.e., after a particular system has failed), the airplane be
able to withstand the limit flight and ground load conditions specified
in subpart C. The applicant would only be required to assess flight
conditions at speeds up to VC/MC or the speed
limitation prescribed by the AFM for the remainder of the flight. An
applicant must apply a safety factor of 1.5 to determine ultimate
loads, with two exceptions.
The first proposed exception to Sec. 25.302(b) would allow a
safety factor of 1.0, rather than 1.5, if the failure condition would
be immediately annunciated or otherwise obvious to the flightcrew. The
proposed rule would also allow the applicant to take into account any
relevant reconfiguration and flight limitations specified in the AFM.
The FAA proposes a safety factor of 1.0 in this case because the
probability is very low that a design load condition would occur after
a system failure on the same flight. The probability of an extreme
maneuver (i.e., a maneuver that would result in load levels approaching
design limit loads) is further reduced because the pilot would be aware
that a failure condition had occurred. If relying on annunciation as
the method of informing the flightcrew, the applicant should show that
the relevant annunciation system is reliable per Sec. 25.1309(b).
The second proposed exception to Sec. 25.302(b) would allow a
safety factor of 1.25 if the failure condition would not be annunciated
but the probability is extremely remote. The FAA proposes a safety
factor of 1.25 in this case because the probability is very low that an
extremely remote failure condition and a design load condition would
occur on the same airplane, even if the failure condition would not be
annunciated.
The FAA does not intend for proposed Sec. 25.302 to require an
applicant to evaluate every subpart C load condition under every
possible failure condition and at each speed, altitude, and payload
configuration for which the airplane is designed. Instead, the FAA
anticipates that the applicant would first identify those failure
conditions that could impact the loads analysis required by subpart C.
The applicant would then select load conditions that the applicant
presumes could be affected by those failure conditions. Given the
appropriate safety factor (1.0, 1.25, or 1.5), the applicant would then
determine whether any of these load conditions, when affected by a
failure condition, would yield higher loads than the load conditions
without the effects of the failure condition. If so, the applicant
would expand its analysis, as necessary, to ensure that the requirement
of proposed Sec. 25.302 would be met.
Proposed Sec. 25.302(c) would require that, when conducting the
damage tolerance evaluation required by Sec. 25.571, the applicant
take into account the fatigue loads induced by any failure condition.
The rule would require that these fatigue loads be included as part of
the typical loading spectra \39\ at a rate commensurate with the
probability of their occurrence.
---------------------------------------------------------------------------
\39\ ``Typical loading spectra'' is described in AC 25.571-1D,
Damage Tolerance and Fatigue Evaluation of Structure.
---------------------------------------------------------------------------
If a failure condition could affect the airplane's residual
strength loads, proposed Sec. 25.302(d) would require the applicant to
conduct a residual strength evaluation as specified in Sec. 25.571(b)
under the assumption that the failure condition had occurred. The
proposed rule would allow an applicant to calculate these loads using
at least two-thirds of each of the safety factors specified for the
static strength assessment. The applicant would conduct this residual
strength evaluation, which assumes a system failure condition has
occurred, separately from the normal residual strength evaluation
required by Sec. 25.571(b), which does not assume a
system failure condition has occurred. The two-thirds factor in
proposed Sec. 25.302(d) is consistent with the method of determining
residual strength loads in Sec. 25.571(b).\40\
---------------------------------------------------------------------------
\40\ In Sec. 25.571(b), residual strength loads are determined
using a safety factor of 1.0, which is two-thirds of the typical
safety factor of 1.5 required by Sec. 25.303.
---------------------------------------------------------------------------
Proposed Sec. 25.302 would not apply to the flight control jam
conditions covered by proposed Sec. 25.671(c), or the discrete source
events already covered by Sec. 25.571(e). Proposed Sec. 25.671(c) and
current Sec. 25.571(e) establish criteria to address these specific
failures, and the respective ACs, draft AC 25.671-X and current AC
25.571-1D, Damage Tolerance and Fatigue Evaluation of Structure, would
describe methods of compliance. Proposed Sec. 25.302 would also not
apply to any failure or event that is external to (not part of) the
system being evaluated and that would itself cause structural damage.
These conditions are already addressed by other rules, such as
Sec. Sec. 25.365, 25.571, 25.841, and 25.901.
4. Dispatch in a System-Failed State
Proposed Sec. 25.302(e) would provide structural requirements for
dispatch under the master minimum equipment list developed by the
applicant. If the list would allow dispatch in a system-failed state,
the airplane would need to continue to meet the design load
requirements of subpart C in that system-failed state, without any
reduction in safety factor. The applicant would be allowed to take into
account any relevant operating limitations, including configuration
changes, specified for the dispatched configuration. In addition, the
airplane would also need to meet Sec. 25.302(a) and (b), accounting
for any subsequent single failure, and separately, any combination of
failures not shown to be extremely remote.
5. Differences Between Proposed Sec. 25.302 and EASA CS 25.302
As noted previously, EASA has incorporated the criteria regarding
interaction of systems and structures recommended by the LDHWG
into its regulatory framework as CS 25.302 and appendix K of CS-25.
Proposed Sec. 25.302 differs from CS 25.302 and appendix K in a number
of ways.
i. Determination of Safety Factor
The most significant difference between the proposed Sec. 25.302
and CS 25.302 is that the latter defines structural factors of safety
and the flutter speed margin on a sliding scale based on probability,
while the proposed Sec. 25.302 specifies discrete safety factors and
does not change the flutter speed margin currently specified in Sec.
25.629, as described below.
ii. Flutter Speed Margin
Proposed Sec. 25.302 does not include any aeroelastic stability
requirements and would only address the effect of systems on loads
requirements. Section 25.629 and CS 25.302 both specify flutter speed
margins for failure conditions. The margins in CS 25.302 are based on
the probability of the condition's occurrence, while Sec. 25.629
defines a single speed margin for every failure condition regardless of
its probability. The FAA believes the current speed margin specified in
Sec. 25.629 is adequate, and there is no need to propose more specific
failure criteria based on probability of occurrence. The current speed
margin specified in Sec. 25.629, which has been in place since
Amendment 25-0 of 14 CFR part 25, has proven effective in service.
iii. Regulatory Structure Differences
The FAA's proposal is contained entirely within Sec. 25.302 and
does not add a new appendix to part 25. Also, the FAA's proposal would
not include the two paragraphs in appendix K of CS-25 that are general
in nature and do not contain any specific requirements. These
paragraphs, K25.1(a) and (b) of CS-25, discuss application of the
requirements in the appendix.
iv. Fully Operative Condition
Appendix K of CS-25 includes several paragraphs that require
evaluation of the airplane in a system-fully-operative condition. The
FAA's proposal would replace those paragraphs with a simpler
requirement that the applicant account for the effects of systems when
showing compliance with the requirements of subparts C and D. The FAA
does not regard this as a substantive difference in the criteria.
v. Safety Factor at the Time of Failure
For the applicant's assessment of the failure condition at the time
the failure occurs, CS 25.302 allows a reduced safety factor, ranging
from 1.5 to 1.25, based on the probability of the failure. The FAA's
proposal would require a safety factor of 1.5, regardless of the
probability of the failure. The FAA determined it's better to define
structural strength capability using discrete factors of safety rather
than a sliding scale based on probability because probability estimates
are not that precise. The FAA also determined the proposed 1.5 safety
factor requirement would be easily met by applicants for type
certification because systems that affect structural performance are
typically passive systems, which alleviate loads rather than initiate
loads.
vi. Safety Factor for Continued Flight After Initial Failure
For the assessment of continued flight, after the initial failure
condition occurs, CS 25.302 requires the applicant to determine loads
for several subpart C load conditions. In contrast, the FAA's proposal
would require the applicant to determine loads for any subpart C load
condition that would be affected by the failure condition. In addition,
CS 25.302 allows a reduced safety factor, ranging from 1.5 to 1.0,
based on the probability of the failure condition's occurrence. In
contrast, the FAA's proposal would specify a safety factor of 1.5,
unless the failure condition would be annunciated, in which case the
rule would allow a safety factor of 1.0; or, if the failure condition
was extremely remote, the rule would allow a safety factor of 1.25. As
noted above, the FAA proposes to use discrete factors of safety rather
than a sliding scale based on probability because probability estimates
are not that precise. The FAA proposed rule would be simpler to apply
than EASA's method because an applicant would use discrete safety
factors, rather than sliding scales. For failures that are annunciated,
this proposal would be less stringent than CS 25.302, since proposed
Sec. 25.302 would allow a safety factor of 1.0 regardless of the
probability of failure. However, the FAA's proposal recognizes that
annunciation of the failure would limit exposure to a subsequent design
load condition to the remainder of the flight. Because of the very low
probability of a system failure condition followed by a design load
condition occurring on the same flight, the FAA believes a safety
factor of 1.0 is appropriate.
vii. Fatigue and Damage Tolerance
Both Sec. 25.571 and CS 25.571 require a ``residual strength
evaluation'' of the airplane that demonstrates structural strength
capability in the presence of fatigue cracks and any other anticipated
environmental or accidental damage. The residual strength loads used
for those evaluations are limit loads (safety factor of 1.0). Proposed
Sec. 25.302 would mimic the requirement in CS 25.302 for an additional
assessment of residual strength using two-thirds of the loads specified
for the continuation of flight. However, these loads would vary between
Sec. 25.302 and CS 25.302, as described in the previous paragraph.
Proposed Sec. 25.302 would also echo CS 25.302's requirement that the
applicant evaluate the fatigue loads induced by any failure condition.
However, the FAA proposal is more specific than CS 25.302 in how that
evaluation would be accomplished.
viii. Failure Annunciation
CS 25.302 outlines various failure annunciation criteria for
affected system failure conditions. The FAA's proposal does not specify
annunciation criteria, but instead determines the allowable safety
factor based upon whether the failure condition would be annunciated.
ix. Dispatch Configuration
CS 25.302 requires that anticipated dispatch configurations meet
the strength and flutter aspects of CS 25.302, while accounting for the
probability of the airplane being in that configuration. The FAA's
proposal would require that the structural strength criteria in the
proposed rule--Sec. 25.302(a) through (b)--be met for the airplane in
the dispatch configuration while accounting for any subsequent single
failure or any subsequent combination of failures not shown to be
extremely remote.
D. Turbojet Thrust Reversing Systems
The current regulation for thrust reversals in flight, Sec.
25.933(a)(1), requires that, during any reversal in flight, the engine
will produce no more than flight-idle thrust. Additionally, current
Sec. 25.933(a)(1) requires an applicant to show that each operable
reverser can be restored to the forward thrust position, and that the
airplane is capable of continued safe flight and landing under any
possible position of the thrust reverser. Proposed Sec.
25.933(a)(1)(ii) would allow an applicant to demonstrate compliance
with Sec. 25.1309(b) for these thrust reversing systems.
The application of the current standards has not precluded the loss
of airplane control following the unwanted in-flight deployment of the
thrust reverser. The investigation of the 1991 Lauda Air accident
involving a Boeing Model 767 airplane revealed that an unwanted in-
flight thrust reversal at high speeds and high power conditions on an
airplane with wing-mounted, high-bypass turbofan engines can result in
disruption of air flow over the wing and the loss of lift and
controllability. Until this accident, the service history of in-flight
thrust reverser deployment incidents indicated that an in-flight thrust
reverser deployment at high power would not result in a catastrophic
event. However, engine installations on modern transport category
airplanes include high-bypass turbofan engines mounted close to the
wing, and forward of the wing leading edge, to reduce aerodynamic drag
and provide sufficient ground clearance. As a result, these airplanes
do not have a sufficient control margin in the event of an unwanted in-
flight thrust reversal and, therefore, cannot comply with the rule
during all phases of flight.
To allow applicants for type certification flexibility in their
design and achieve the intended level of safety, the FAA proposes to
allow an applicant to demonstrate using a system safety assessment, per
the proposed 14 CFR 25.1309(b), that unwanted deployment of the thrust
reverser will not occur in flight. The FAA derived this option, known
as the ``reliability option,'' from the PPIHWG's recommendations.\41\
---------------------------------------------------------------------------
\41\ For more information about the PPIHWG's recommendations,
see the PPIHWG report in the docket for this rulemaking.
---------------------------------------------------------------------------
The PPIHWG evaluated methods used by applicants to assure
reliability of other critical systems to determine if applicants could
effectively apply the same requirements to thrust reverser systems. The
PPIHWG concluded that design features such as redundant locking
mechanisms (eliminating catastrophic single failures) in conjunction
with more rigorous design and maintenance assessments (reducing
exposure to latent failures) can provide a level of safety equivalent
to the current rule. The FAA agrees.
Allowing an applicant to develop thrust reversing systems in
compliance with Sec. 25.1309, especially by reducing those systems'
exposure to SLFs, would improve the level of safety because unwanted
in-flight thrust reverser deployments would not be expected to occur
during the entire operational life of all airplanes of one type, and
eliminate the need for flightcrew procedures in response to an in-
flight thrust reversal. Proposed Sec. 25.1309 would provide a level of
safety at least equivalent to current Sec. 25.933(a)(1)(ii). This
reliability option would allow an applicant to use a more practical
approach to show compliance in all phases of flight for all known
engine installations.
This proposal is consistent with the FAA's current practice because
the FAA has been implementing the PPIHWG's recommendations through ELOS
findings on specific projects since 1994. The FAA has accepted SSAs
that show that in-flight thrust reverser deployment is extremely
improbable as an alternative to flight tests that show full
controllability across the entire flight envelope. The FAA has also
accepted a combination of these two methods to allow applicants for
type certification more flexibility when demonstrating an ELOS. For
example, within that portion of the flight envelope where
controllability cannot be shown, applicants have shown that the
probability of an unwanted in-flight thrust reversal is extremely
improbable. Conversely, applicants who have shown compliance primarily
using the reliability option have shown that there are portions of the
flight envelope where the airplane is controllable, and an unwanted in-
flight deployment can be classified as less severe than catastrophic.
This mixed approach has allowed applicants more flexibility in the
thrust reverser system design and maintenance intervals than under the
traditional rule. Under current ELOS determinations, applicants select
either option, or combine them, to achieve the level of safety intended
by the rule. With this proposal, the FAA regulations would continue to
allow such combinations, but without the need for an ELOS. This will
result in increased efficiency for both the FAA and the industry in
certification programs, without impacting the level of safety
established by Sec. 25.933(a)(1).
Based on the PPIHWG's recommendations, the FAA also proposes that
the current requirements in Sec. 25.933(a)(1)--that each operable
reverser can be restored to the forward thrust position, and that
during any reversal in flight the engine will produce no more than
flight-idle thrust--would no longer be necessary given the other
proposed changes to this section. If a design can meet Sec. 25.1309(b)
without these features, then they need not be mandatory. Further, in
accordance with proposed Sec. 25.1309(a), any properly functioning
thrust reverser would be required to respond appropriately to all
anticipated flightcrew commands.
E. Flight Control Systems Safety Assessment Criteria
1. Changes to Sec. 25.671(c) Failure Criteria
a. Changes to Sec. 25.671(c), (c)(1), and (c)(2)
The current design and failure criteria for flight control systems,
in Sec. 25.671(c), were largely derived from Civil Air Regulations
4b.320, which preceded the current 14 CFR part 25 standards established
in 1965. The FAA updated those requirements in amendment 25-23 (35 FR
5674, April 8, 1970) to account for automatic and powered flight
control technology improvements and to consolidate the failure criteria
and make them applicable to the entire control system.
Section 25.671(c) requires that the airplane be capable of
continued safe flight and landing following the failure conditions
listed in Sec. 25.671(c)(1) and (2) and the jamming conditions in
Sec. 25.671(c)(3).
Paragraph (c)(1) of Sec. 25.671 requires an applicant to show
continued safe flight and landing following any single failure.
Paragraph (c)(2) requires the applicant to show continued safe
flight and landing following any combination of failures not shown to
be extremely improbable. Paragraph (c)(2) also includes examples of
failures that must be evaluated.
The FAA proposes to remove the flight control system failure
criteria in Sec. 25.671(c)(1) and (2), including the examples of
specific failures that must be evaluated, and instead require safety
assessment of flight control systems to be regulated by Sec. 25.1309.
Section 25.1309 would be used to address the flight control SSA, except
with regard to jamming. The FAA also proposes to retain the examples in
Sec. 25.671(c)(2) as failures that must be considered in showing
compliance with Sec. 25.629 as discussed later in this preamble
(section I.A.2).
Finally, current Sec. 25.671(c) requires that probable failures
have only minor effects and be capable of being readily counteracted by
the pilot. The FAA proposes to remove this requirement because its
effect on safety would be covered by proposed Sec. 25.1309. Proposed
Sec. 25.1309 would require that each major failure condition be
remote, which means that probable failures (more likely than remote)
must have only minor effects (must not be major).
b. Changes to Sec. 25.671(c)(3)
Section 25.671(c)(3) requires that an applicant evaluate any jam in
a control position normally encountered, as well as runaway \42\ of a
flight control to an adverse position and subsequent jam. The FAA
proposes to consolidate the current Sec. 25.671(c)(3) flight control
jams requirement under Sec. 25.671(c) and revise as described below.
---------------------------------------------------------------------------
\42\ A runaway of a flight control occurs when the control
surface moves to its fully extended position without pilot input and
as the result of some type of failure.
---------------------------------------------------------------------------
The flight control jams requirement in Sec. 25.671(c)(3) has
generated debate about the meaning of a ``normally encountered''
control position. This phrase came under scrutiny after two Boeing
Model 737 accidents, and the FAA and NTSB investigations that
followed.\43\ \44\ The issue was whether ``normally
encountered'' should be interpreted as a small control surface
deflection, which occurs routinely, or as a large or even full control
surface deflection, which occurs much less frequently. Demonstrating
compliance assuming a fully deflected and jammed control surface is
much more difficult than doing so with a small control surface
deflection. In May 1995, the FAA issued a policy letter specifying what
``normally encountered'' control positions (which included large
deflections) should be used for compliance with Sec. 25.671(c)(3).\45\
In October 1996, the NTSB issued Safety Recommendation A-96-108, later
superseded by Safety Recommendation A-99-23, which recommended that
applicants evaluate control jams at fully-deflected control positions.
The FCHWG considered the NTSB safety recommendation in developing its
recommendation. The FCHWG recommended that the phrase ``normally
encountered'' be retained in the rule, and that an FAA AC define the
``normally encountered'' control positions. The FAA proposes to adopt
the FCHWG recommendation.
---------------------------------------------------------------------------
\43\ NTSB Aircraft Accident Report NTSB/AAR-01/01 is available
in the docket and at https://www.ntsb.gov/investigations/AccidentReports/Reports/AAR0101.pdf.
\44\ NTSB Aircraft Accident Report NTSB/AAR-99/01 is available
in the docket and at https://www.ntsb.gov/investigations/AccidentReports/Reports/AAR9901.pdf.
\45\ Policy Statement PS-ANM100-1995-00020 is available in the
docket and at https://www.faa.gov/regulations_policies/policy_guidance/.
---------------------------------------------------------------------------
Draft AC 25.671-X would explain that the FAA considers ``normally
encountered'' positions as the range of control surface deflections,
from neutral to the largest deflection expected to occur in 1,000
random operational flights, without considering other failures. The AC
would also provide guidance for performance-based criteria that define
environmental and operational maneuver conditions, and the resulting
deflections that could be considered normally encountered positions.
A second compliance issue related to Sec. 25.671(c)(3) stems from
an applicant's use of probability analysis to show that a jam, or a
runaway and jam, is ``extremely improbable.'' Section 25.671(c)(3)
requires the airplane to be capable of continued safe flight and
landing after experiencing jamming conditions, including runaway of a
flight control surface and subsequent jam, unless the jamming condition
is shown to be extremely improbable or the jam can be alleviated. While
current Sec. 25.671(c)(3) allows the use of probability analysis,
applicants have generally been unable to demonstrate that jamming
conditions are ``extremely improbable,'' except for conditions that
occur during a very limited time just prior to landing. Therefore, the
FAA proposes to revise Sec. 25.671(c) to require that the applicant's
safety assessments assume that the specified jamming conditions will
occur, regardless of those conditions' probability. The FAA also
proposes to exclude jamming conditions that occur immediately before
touchdown if these can be shown to be extremely improbable. For jams
that occur just before landing, some amount of time and altitude is
necessary in order to recover, and there is no practical means by which
a recovery can be demonstrated. Therefore, the applicant would be
allowed to show such a jamming condition is extremely improbable based
on the limited time exposure.
The FAA also proposes to revise Sec. 25.671(c) to define the types
of jams that must be evaluated as those that result in a flight control
surface or pilot control that is fixed in position due to a physical
interference.
Proposed Sec. 25.671(c) would also require that, in the presence
of a jam evaluated under that paragraph, any additional failure
conditions that could prevent continued safe flight and landing must
have a combined probability of less than 1/1000. This is to ensure
adequate reliability of any system necessary to alleviate the jam when
it occurs.
Lastly, the FAA proposes to remove the requirement to account for a
runaway of a flight control surface and subsequent jam. The FAA does
not believe it is necessary to include this requirement in Sec. 25.671
because the SSA required by Sec. 25.1309 would account for any failure
condition that leads to a runaway of a flight control surface. Runaways
of flight control surfaces will be evaluated under Sec. 25.1309
regardless of whether they are due to an external source, such as a
foreign object or control system icing, or due to failures that are
internal to the flight control system.
2. Other Changes to Sec. 25.671
The FAA proposes to revise Sec. 25.671(a) to add a requirement
that the flight control system continue to operate and respond as
designed to commands, and not hinder airplane recovery, when the
airplane experiences any pitch, roll, or yaw rate, or vertical load
factor that could occur due to operating or environmental conditions,
or when the airplane is in any attitude. This would ensure there are no
features or unique
characteristics (including, for example, computer errors that might
occur at certain airplane bank angles) of the control system design
that would restrict the pilot's ability to recover from any attitude,
rate of rotation, or vertical load factor expected to occur due to
operating or environmental conditions. The phrase ``operating or
environmental conditions'' would have the same meaning as in proposed
Sec. 25.1309(a)(1): the full normal operating envelope of the
airplane, as defined by the AFM, together with any modification to that
envelope associated with abnormal or emergency procedures, and any
anticipated crew action. That envelope includes other external
environmental conditions that the airplane is reasonably expected to
encounter, such as atmospheric turbulence.
The FAA proposes to revise Sec. 25.671(b) to require that the
system be designed or marked to avoid incorrect assembly that could
result in ``failure of the system to perform its intended function,''
rather than in the ``malfunctioning of the system.'' The FAA also
proposes to revise Sec. 25.671(b) to restrict the use of such marking
to cases in which compliance by design means is impractical. The
objective of these proposed changes is to ensure that the system
performs its intended function.\46\
---------------------------------------------------------------------------
\46\ Draft AC 25.671-X will note that by ``assembled'' in Sec.
25.671(b), the FAA means not only the connection of physical parts,
but also the installation of software that will be part of the
approved design. This reflects current practice and echoes the
installation requirements of Sec. 25.1301.
---------------------------------------------------------------------------
Section 25.671(d) requires that the airplane remain controllable if
all engines fail. The FAA proposes to revise this section to require
that not only must the airplane be controllable following failure of
all engines, but that an approach and flare to a landing and controlled
stop must also be possible, assuming that a suitable runway is
available. The proposed rule would also apply the requirement to the
failure of all engines at any point in the flight. The FAA also
proposes to make the last sentence of Sec. 25.671(d) active voice by
changing it from ``Compliance with this requirement may be shown by
analysis where that method has been shown to be reliable,'' to ``The
applicant may show compliance with this requirement by analysis where
the applicant has shown that analysis to be reliable.'' This revision
would not change the substance of the requirement.
The FAA also proposes to add a new paragraph (e) to Sec. 25.671,
which would require that the flight control system indicate to the
flightcrew whenever the primary control means are near the limit of
control authority. On airplanes equipped with fly-by-wire control
systems, there is no direct tactile link between the flightdeck control
and the control surface, and the flightcrew may not be aware of the
actual control surface position. If the control surface is near the
limit of control authority, and the flightcrew is unaware of that
position, it could negatively affect the flightcrew's ability to
control the airplane in the event of an emergency. The flight control
system could meet this requirement through natural or artificial
control feel forces, by cockpit control movement if shown to be
effective, or by flightcrew alerting that complies with Sec. Sec.
25.1309(c) and 25.1322.
The FAA also proposes to add a new paragraph (f) to Sec. 25.671,
which would require that the flight control system alert the flightcrew
whenever the airplane enters any mode that significantly changes or
degrades the normal handling or operational characteristics of the
airplane. On some flight control system designs, there may be submodes
of operation that change or degrade the normal handling or operational
characteristics of the airplane. Similar to control surface awareness,
the flightcrew should be made aware if the airplane is operating in
such a submode.
The FAA derived the requirements of proposed Sec. 25.671(e) and
(f) from its experience certifying applications for fly-by-wire
systems. The proposed requirements summarized in this section for
revision to Sec. 25.671 have been applied on numerous programs through
ELOS findings. Codifying these requirements in part 25 would result in
increased efficiency for both the FAA and the industry in certification
programs, without impacting the level of safety.
F. Certification Maintenance Requirements
Section H25.4(a) of appendix H to part 25 requires that
airworthiness limitations within the ICA reside in a segregated and
clearly distinguishable section titled ``Airworthiness Limitations
section.'' The ALS is required to include mandatory maintenance actions
approved by Sec. 25.571 for damage tolerant structures, by Sec.
25.981 for fuel tank systems, and by Sec. 25.1701 for the electrical
wiring interconnection system (EWIS). However, section H25.4 does not
include the maintenance actions typically established during the
certification process as CMRs, using the guidance in AC 25-19A,
Certification Maintenance Requirements. As a result, the current
regulations are not consistent in how they address system-related
maintenance requirements.
AC 25.1309-1A provides guidance for an applicant to include
maintenance actions when it shows compliance with Sec. 25.1309, and AC
25-19A provides guidance on the selection, documentation, and control
of CMR to implement such maintenance actions. CMRs, when properly
implemented, are required tasks to detect safety significant failures
that would, in combination with one or more other failures, result in a
hazardous or catastrophic failure condition. CMRs are developed to show
compliance to Sec. 25.1309, and other regulations requiring safety
analyses such as Sec. Sec. 25.671, 25.783, 25.901, and 25.933. As
described in AC 25-19A, establishing CMRs is not always necessary if
there is another suitable method to identify the needed maintenance
task to prevent a failure condition from developing.
In practice, industry and the other certification authorities have
treated CMRs as equivalent to airworthiness limitations. CMRs are
currently considered by operators as the systems counterpart to the
airworthiness limitations for primary structures, fuel tank systems,
and EWIS. However, unlike these airworthiness limitation items, the
CMRs do not have a regulatory basis upon which to standardize their
development. Airworthiness limitations for systems that have hazardous
and catastrophic failure effects are just as relevant to the safety of
the airplane as the airworthiness limitations currently required for
fuel tank systems, EWIS, and damage tolerant primary structures. Many
applicants have been voluntarily including CMRs in the ALS of the ICA.
Based on the foregoing, the FAA proposes to revise Sec. 25.1309(d)
to require the applicant to establish CMRs to prevent development of
the failure conditions described in Sec. 25.1309(b). Section
25.1309(d) would require these maintenance requirements to be included
in the ALS of the ICA required by Sec. 25.1529. This proposal would
codify current industry practice that the FAA has accepted for many
years as a means of compliance with Sec. 25.1309 and other system
safety regulations.
In addition, the type certification process often results in the
establishment of CMRs for systems that are not regulated by Sec.
25.1309 (for example, a CMR may be established for flutter prevention
under Sec. 25.629). To provide a common regulatory basis for such
CMRs, including those established
under Sec. 25.1309, the FAA proposes a new section, H25.4(a)(6). This
proposed rule would require an applicant to include any CMR in the ALS
of the ICA, if the CMR was established to comply with any applicable
provisions of part 25.
G. Miscellaneous Amendments
1. Method of Compliance With Sec. 25.1309(b)
The FAA proposes to remove current Sec. 25.1309(d). Section
25.1309(d) currently requires an applicant to show that a design
complies with Sec. 25.1309(b) by using analysis, and where necessary,
ground, flight, or simulator testing. Section 25.1309(d) also describes
the features that the applicant's analysis must consider.
The FAA reconsidered the requirement in Sec. 25.1309(d) and
concluded that this requirement is no longer needed within the
regulatory text, since it specifies a particular, yet incomplete,
process for compliance with Sec. 25.1309(b). This conclusion is
consistent with the SDAHWG recommendation to remove Sec. 25.1309(d)
and place the process for compliance with Sec. 25.1309(b) into
non-mandatory guidance material. Removing these steps from the regulation
is not intended to alter the evaluations required by Sec. 25.1309(b).
Instead, it is intended to reflect that Sec. 25.1309(b) provides
performance-based requirements for which the methods of compliance
should be appropriate to the particular system. In addition, the
current Sec. 25.1309(d) provides an incomplete list of considerations,
and other, equally important factors may need to be included in the
applicant's proposed assessments. These factors can include
environmental conditions, complexity of the design, common cause of
multiple failures, flightcrew capability and workload, and safety
margin after a failure, all of which will vary for each application and
which the FAA will discuss in the accompanying draft guidance.
Because Sec. 25.1309(d) would no longer prescribe specific methods
for demonstrating compliance with Sec. 25.1309(b), the FAA also
proposes to remove the reference to Sec. 25.1309(d) from Sec.
25.1365(a). This change would not affect the level of safety provided
by the current rule, because Sec. 25.1365(a) would continue to
reference the requirements of Sec. 25.1309(b). This proposal would
harmonize Sec. 25.1365(a) with CS 25.1365(a).
2. Failure Examples Related To Flutter
This proposal would relocate several specific failures from Sec.
25.671(c)(2) to the aeroelastic stability requirements of Sec. 25.629.
Section 25.671(c)(2) specifies examples of failure combinations that
must be evaluated, including dual electrical and dual hydraulic system
failures, and any single failure combined with any probable hydraulic
or electrical failure. Section 25.629(d)(9) currently requires that the
airplane be shown to be free from flutter considering various failure
conditions considered under Sec. 25.671, which includes those failure
conditions specified in Sec. 25.671(c)(2). The FAA is proposing to
remove those examples from Sec. 25.671(c)(2) in conjunction with
related changes to Sec. 25.1309 described in section III.E of this
preamble. However, the specific failure conditions identified in Sec.
25.671(c)(2) have provided an important design standard for dual
actuators on flight control surfaces that rely on retention of
restraint stiffness or damping for flutter prevention. Therefore, this
proposal relocates these failure conditions from Sec. 25.671(c)(2) to
the aeroelastic stability requirements of Sec. 25.629(d). This change
would not affect the level of safety provided in current Sec. Sec.
25.671(c)(2) and 25.629(d).
3. Other Changes to Sec. 25.629
Section 25.629(b) requires the airplane to be free from aeroelastic
instability for ``all configurations and design conditions'' within the
speed and altitude envelopes specified in Sec. 25.629(b)(1) and (2).
Such design conditions include the range of load factors within the
normal flight envelope. The normal flight envelope is defined in Sec.
25.333. Therefore, this proposal would specify that the aeroelastic
stability envelope includes the range of load factors specified in
Sec. 25.333.
4. EWIS Requirements
The FAA proposes to remove paragraph (b) from Sec. 25.1301 and to
remove paragraph (f) from Sec. 25.1309. Section 25.1301(b) requires
that a proposed airplane's EWIS meet the requirements of subpart H of
part 25. Subpart H was created (at amendment 25-123, in 2007) as the
single place for the majority of wiring certification requirements. The
references in Sec. Sec. 25.1301(b) and 25.1309(f) are redundant and
unnecessary because subpart H specifies its applicability. The FAA has
determined that such redundancy is not needed because the subpart H
requirements can stand alone.
5. Removal of Redundant Requirements
The FAA proposes to remove paragraph (e) from Sec. 25.1309. The
requirements of paragraph (e) concern compliance with Sec. 25.1309(a)
and (b) for electrical system and equipment design. The requirements of
paragraph (e) are unnecessary because they are redundant to the general
risk assessment of Sec. 25.1309 and to Sec. Sec. 25.1351 through
25.1365 specifically related to electrical systems.
H. Petitions for Rulemaking
During the development of this proposed rule, the FAA considered
two relevant petitions for rulemaking submitted in 1986. Summaries of
these petitions were published in the Federal Register.\47\ The
petitions and a disposition of the petitions are included in the docket
for this NPRM. This NPRM proposes some changes that were suggested in
those petitions, including adding definitions of probability terms \48\
and revising the methods for accounting for failure effects.\49\ See
proposed Sec. Sec. 25.4 and 25.1309.
---------------------------------------------------------------------------
\47\ 51 FR 33061 (Sept. 18, 1986) and 52 FR 1924 (Jan. 16,
1987).
\48\ Including ``extremely improbable'' and ``probable'' with
regard to failure conditions.
\49\ Including the ``fail-safe'' requirement, and specifying
exceptions in Sec. 25.1309 for certain failure effects specified in
other sections and subparts of part 25.
---------------------------------------------------------------------------
I. Advisory Material
The FAA has drafted three new ACs and revisions to two existing ACs
to provide guidance material for acceptable means, but not the only
means, of showing compliance with the regulations proposed for revision
by this NPRM. The FAA will post the draft ACs in the docket and on the
``Aviation Safety Draft Documents Open for Comment'' web page at
https://www.faa.gov/aircraft/draft_docs/.\50\ The FAA requests that you
submit comments on the draft ACs through either the docket or through
that web page. The draft ACs are as follows:
---------------------------------------------------------------------------
\50\ To submit comments via the ``Aviation Safety Draft
Documents Open for Comment'' web page, https://www.faa.gov/aircraft/draft_docs/, please follow the instructions found on that web page.
---------------------------------------------------------------------------
• AC 25.671-X, Control Systems--General.
• AC 25.901-X, Safety Assessment of Powerplant Installations.
• AC 25.933-X, Unwanted In-Flight Thrust Reversal of Turbojet Thrust
Reversers.
• AC 25.629-1C, Aeroelastic Stability Substantiation of Transport
Category Airplanes.
• AC 25.1309-1B, System Design and Analysis.
[[Page 75441]]
IV. Regulatory Notices and Analyses
Changes to Federal regulations must undergo several economic
analyses. First, Executive Order 12866 and Executive Order 13563 direct
that each Federal agency shall propose or adopt a regulation only upon
a reasoned determination that the benefits of the intended regulation
justify its costs. Second, the Regulatory Flexibility Act of 1980 (Pub.
L. 96-354) requires agencies to analyze the economic impact of
regulatory changes on small entities. Third, the Trade Agreements Act
(Pub. L. 96-39) prohibits agencies from setting standards that create
unnecessary obstacles to the foreign commerce of the United States. In
developing U.S. standards, the Trade Act requires agencies to consider
international standards and, where appropriate, that they be the basis
of U.S. standards. Fourth, the Unfunded Mandates Reform Act of 1995
(Pub. L. 104-4) requires agencies to prepare a written assessment of
the costs, benefits, and other effects of proposed or final rules that
include a Federal mandate likely to result in the expenditure by State,
local, or tribal governments, in the aggregate, or by the private
sector, of $100 million or more annually (adjusted for inflation with
base year of 1995). This portion of the preamble summarizes the FAA's
analysis of the economic impacts of the proposed rule. The FAA suggests
readers seeking greater detail read the Regulatory Impact Analysis in
the docket for this rulemaking.
In conducting these analyses, the FAA determined that this proposed
rule (1) has benefits that justify its costs; (2) is not an
economically ``significant regulatory action'' as defined in section
3(f) of Executive Order 12866; (3) would not have a significant
economic impact on a substantial number of small entities; (4) would
not create unnecessary obstacles to the foreign commerce of the United
States; and (5) would not impose an unfunded mandate on state, local,
or tribal governments, or on the private sector by exceeding the
threshold identified above. These analyses are summarized below.
A. Regulatory Evaluation
1. Costs and Benefits of This Proposed Rule
The predominant cost impact of this proposed rule results from
proposed requirements addressing catastrophic dual failures (CSL+1),
where the first failure is latent (unknown until discovered by crew or
maintenance personnel), which, in combination with a second active
failure, results in a catastrophic accident. Without the rule, unsafe
conditions in service associated with potential CSL+1 failure
conditions would continue to be addressed, after certification, by
airworthiness directives (ADs).\51\ Accordingly, the costs of ADs
avoided because of the rule would be benefits of the rule in the form
of cost savings. ADs resulting from potential CSL+1 failure conditions
are occurring at such a high rate that the benefits of avoiding these
ADs, by themselves, exceed the costs of the specific risk rule, Sec.
25.1309(b)(5). At a 7 percent discount rate, the FAA finds the cost
savings resulting from the proposed specific risk rule to be $24.6
million, exceeding the $15.5 million cost of the rule, and resulting in
$9.1 million in net cost savings. At a 3 percent discount rate, the FAA
finds that the cost savings are $46.79 million, exceeding a $24.65
million cost, and resulting in $22.14 million in net benefits.
---------------------------------------------------------------------------
\51\ ADs are rules issued by the FAA that require specific
actions to address an unsafe condition on an aircraft or other
aviation product.
---------------------------------------------------------------------------
The FAA finds all other provisions of this proposed rule to be cost
beneficial or to have zero or minimal cost.
2. Who is potentially affected by this proposed rule?
Applicants for type certification, and operators, of part 25
airplanes are potentially affected by this proposed rule.
3. Assumptions and Sources of Information
• The FAA uses three percent and seven percent discount rates to
estimate present value and annualized costs and cost savings based on
OMB guidance.\52\
---------------------------------------------------------------------------
\52\ OMB Circular A-4, Regulatory Analysis (2003), https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A4/a-4.pdf.
---------------------------------------------------------------------------
• Source: Airplane certification costs, https://www.faa.gov/,
Regulations & Policies, Rulemaking, Committees--Advisory and
Rulemaking Committees, Topics--Transport Airplane and Engines (TAE)
Subcommittee (Active), Airplane-level Safety Analysis Complete File,
ARAC ASAWG Report, Specific Risk Tasking, appendix A, p. 104. Source:
ASAWG Recommendation Report, ``SPECIFIC RISK TASKING,'' April 2010 (pp.
64, 104). These costs are updated to 2021 dollars by the ratio of the
2021 GDP implicit price deflator to the 2010 GDP implicit price
deflator, viz. 118.490/96.164 = 1.232. U.S. Bureau of Economic
Analysis. ``Table 1.1.4. Price Indexes for GDP.'' Click ``Modify'' icon
and refresh table with first and last years of period.
• For manufacturers of large part 25 airplanes (large transports): 2
U.S. airplane certifications in next 10-year period, with 24 annual
U.S. deliveries per U.S. certification; 1 foreign airplane
certification in next 10-year period, with 16 annual U.S. deliveries
per foreign certification; 23-year airplane production run, and 28-year
retirement age. For manufacturers of business jets (small part 25
airplanes): 2 U.S. airplane certifications in next 10-year period, 21
annual U.S. deliveries per U.S. certification and 28-year production
run; 3 foreign airplane certifications in next 10-year period, 11
annual U.S. deliveries per foreign certification and; 16-year airplane
production run, 30-year retirement age. For benefits of avoided ADs
(6): Average number of certifications for U.S.-manufactured airplanes.
See the Regulatory Impact Analysis available in the docket for more
details.
• The period of analysis for large airplanes is 23 + 28 = 51 years to
account for a product life cycle determined by a 23-year production
period and a 28-year service period. The period of analysis for
business jets is 28 + 30 = 58 years to account for a product life cycle
determined by a 28-year production period and a 30-year service period.
• Average flight hours per year: Large part 25 airplanes--3,000,
Source: FlightGlobal's FlightFleets Analyzer, www.ascendworldwide.com.
(Average annual flight hours = 3,040 for all narrowbody, widebody, and
regional jets, at least one year old, operated by U.S. airlines as of
August 28, 2018.)
4. Costs of the Proposed Specific Risk Rule
To calculate the compliance costs for new U.S. certifications, the
FAA assumes that all new certifications will be approved one year after
the effective date of the rule, with production beginning one year
later. Using an airplane life cycle model detailed in the Regulatory
Impact Analysis available in the docket, for large part 25 airplanes
(large transports) the FAA bases compliance costs on 2 new
certificates, delivery of 24 airplanes per certificate per year to U.S.
operators, production runs of 23 years, and an airplane retirement age
of 28 years. The costs of compliance for large transports are
calculated over an airplane life cycle of 51 years (the period from
first delivery to last retirement), beginning in year 1 and ending in
year 51. The small part 25 airplane category is a business jet
category. For part 25 business jets, the FAA bases compliance costs on
2 new certificates, delivery of 21 airplanes per
certificate per year to U.S. operators, production runs of 28 years,
and an airplane retirement age of 30 years. The costs of compliance for
part 25 business jets are calculated over an airplane life cycle of 45
years, beginning in year 1 and ending in year 47.
Unit industry cost estimates for the specific risk rule, Sec.
25.1309(b)(5), were provided by the ASAWG in its report, ``Specific
Risk Tasking.'' \53\ High costs were reported by Boeing and Cessna in
contrast to the zero or near-zero costs reported by the other
manufacturers. This was the result of (1) Boeing and Cessna using the
existing Sec. 25.1309 amendment as a baseline and not taking into
account voluntary ELOS actions they have taken; and (2) high hardware
and operating costs reported by Cessna that were 20 to 30 times the
comparable costs reported by Boeing. The FAA was unable to verify these
high costs. The FAA's rationale and procedure to adjust for these costs
follows.
---------------------------------------------------------------------------
\53\ See https://www.faa.gov/, Regulations & Policies,
Rulemaking, Committees--Advisory and Rulemaking Committees, Topics--
Transport Airplane and Engines (TAE) Subcommittee (Active),
Airplane-level Safety Analysis Complete File, ARAC ASAWG Report,
Specific Risk Tasking (April 2010), appendix A, p. 104.
---------------------------------------------------------------------------
The FAA adjusted Boeing's engineering cost estimate by taking into
account the extent to which voluntary ELOS actions for the Boeing Model
787 already address the problems of potential CSL+1 dual catastrophic
failures. This adjustment allows the FAA to reduce Boeing's estimate to
13.3 percent of its reported value. This large adjustment reflects the
importance of two factors: (1) the ELOS action for flight control
systems--the FAA estimates that flight control systems constitute 60
percent of existing potential CSL+1 failure conditions, and (2) that 25
percent of potential CSL+1 failure conditions have already been
addressed.
Moreover, for the few CSL+1 combinations not already meeting the
proposed rule, no hardware change would be necessary as only the
inspection intervals would be affected. Accordingly, expected hardware
costs and fuel burn costs are reduced to zero, leaving only
non-recurring engineering costs and maintenance costs.
Large transports and business jets have similar system safety
architectures because they both meet the ``no single failure'' and
``extremely improbable'' (10^-9) average risk criteria.
Accordingly, the FAA has determined that the Boeing Model 787 cost
analysis also applies to Cessna, so that Cessna's engineering cost
estimate should also be reduced to 13.3 percent of reported value, and
its hardware and fuel burn cost should be reduced to zero.
With these adjustments, industry unit cost estimates are shown in
table 3 below, along with a summary of the production life cycle data.
See the Regulatory Impact Analysis available in the docket for more
detail on the industry unit cost estimates.
Table 3--Industry Production and Unit Cost Data for Estimating Costs of
Proposed Specific Risk Rule
[Cost values--$2021]
------------------------------------------------------------------------------------------
                                                       Part 25 large     Part 25 business
                                                        transports         jet airplanes
------------------------------------------------------------------------------------------
Production Estimates:
  Number of Certifications (10 years)..............          2                  2
  Production Life (Years)..........................         23                 30
  U.S. Deliveries to U.S. Operators per
   Certification per Year..........................         24                 21
  Retirement Age (Years)...........................         28                 30
  Foreign Deliveries to U.S. Operators per Year....         16                 33
Engineering & Production Costs:
  Non-Recurring Engineering Costs per Model........     $1,353,982           $453,734
  Recurring Costs (Hardware & Installation) per
   Airplane........................................          0                  0
Operating Costs....................................       $1,231               $164
  Incremental Maintenance Costs per Airplane per
   Year............................................       $1,231               $164
  Incremental Fuel Burn per Airplane per Year......          0                  0
------------------------------------------------------------------------------------------
Note: Details may not add up to totals due to rounding.
Employing these unit cost estimates in the airplane life cycle
model referred to above, the FAA estimates the costs of the specific
risk rule over the large transport and business jet life cycles and
shows the results by major cost component in table 4 below.
Table 4--Summary of Costs of Proposed Specific Risk Rule
[$2021]
----------------------------------------------------------------------------------------------------------------
                                               Cost ($ mil.)                   Present value cost ($ mil.)
                                    ----------------------------------------------------------------------------
           Cost category              Part 25      Part 25                   Part 25      Part 25
                                       large       business    All part 25    large       business    All part 25
                                     transports      jets       airplanes   transports      jets       airplanes
----------------------------------------------------------------------------------------------------------------
Non-Recurring Engineering Costs....     2.74         0.9          3.6          2.5          0.8          3.4
Hardware & Installation Costs......     0.0          0.0          0.0          0.0          0.0          0.0
Operating Costs (Maintenance)......    50.7          8.4         59.1         10.8          1.7         12.5
                                    ----------------------------------------------------------------------------
    Total..........................    53.4          9.3         62.7         13.3          2.5         15.8
----------------------------------------------------------------------------------------------------------------
Note 1: Present Value Cost is calculated using a 7 percent discount rate. The FAA presents estimates using a 3
percent discount rate in the Regulatory Impact Analysis available in the docket for this proposed rule.
Note 2: Details may not add up to totals due to rounding.
5. Benefits of the Proposed Specific Risk Rule
As discussed more fully in the Regulatory Impact Analysis available
in the docket for this proposed rule, the proposed specific risk rule
would (1) eliminate the risk of CSL+1 failure conditions by requiring
additional redundancy, or (2) limit the risk of CSL+1 failure
conditions by limiting the probabilities of the dual latent and active
failures. CSL+1 failure conditions probably caused three accidents,
which resulted in the destruction of the airplane and the fatalities of
all passengers and crew. These accidents were Lauda Air Flight 004
(Boeing Model 767) in 1991, resulting in the fatalities of 233
passengers and crew; USAir Flight 427 (Boeing Model 737) in 1994,
resulting in the fatalities of 132 passengers and crew; and the earlier
United Airlines Flight 585 (Boeing Model 737) in 1991, resulting in the
fatalities of 25 passengers and crew.
For the Lauda Air accident, the Thai investigating committee found
the probable cause to be an uncommanded in-flight deployment of the
airplane's left engine thrust reverser, resulting in loss of airplane
control. The airplane was equipped with a double lock thrust reverser
system that operated as follows. If a pilot wanted to deploy the thrust
reversers, he or she raised the thrust reverser lever, which set the
directional control valve (DCV) (1st lock) to the deploy position and
opened the hydraulic isolation valve (HIV) (2nd lock), allowing
hydraulic pressure to open the thrust reverser door. The investigating
committee found that one likely cause of uncommanded deployment was
contamination of the DCV that made it susceptible to increased pressure
on its deploy side (latent failure). When the HIV inadvertently opened
due to a short circuit (active failure), hydraulic pressure became
available to the susceptible DCV causing a change in the valve position
from ``stow'' to ``deploy'' with consequent deployment and the
catastrophic accident. Once discovered, this potential CSL+1 failure
condition was eliminated by an AD action mandating an additional valve
(3rd lock). (Please see the Regulatory Impact Analysis available in the
docket for discussion of the CSL+1 failure conditions that the NTSB
concluded to be the probable cause of the USAir Flight 427 and United
Airlines Flight 585 accidents.)
The FAA finds that, if the specific risk rule had been in effect,
the likelihood of these accidents occurring would have been reduced.
Since the FAA has already issued ADs to prevent reoccurrence of these
CSL+1 accidents, the FAA does not use them in estimating benefits from
this rule. However, without the rule, unsafe conditions in service
associated with potential CSL+1 failure conditions would continue to be
addressed by ADs. Accordingly, the costs of the ADs avoided because of
the rule would be benefits of the rule in the form of cost savings. The
FAA first provides an overview of the benefits estimation, and then
provides the details.
a. Overview of Avoided AD Benefits
For the ten-year period of 2008 to 2017, the FAA searched for all
new (including superseding) ADs that were associated with potential
CSL+1 failure conditions and found 15 such ADs. In order to simplify
the analysis, the cost of an AD was estimated based only on the basic
wage and cost of materials data provided in the AD (or referenced
service bulletins) for required inspections or repairs/replacements,
for all airplanes that were affected by the AD. As in the cost section
above, the FAA updated cost to 2021 dollars. Since labor costs were
given in hours as well as in current dollars, labor costs were
particularly easy to update since the FAA could simply use labor hours
and the 2021 AD wage rate of $85 per hour.\54\ In one or two cases, the
costs of an AD were adjusted based on information obtained from the
safety engineer referenced in the AD. ``On-condition'' costs were not
included in calculated AD costs because such costs depend on an unknown
number of airplanes identified on inspection as requiring repair or
parts replacement. AD costs often occurred several months or years
following the AD effective date because of time allowed for compliance
and because of ongoing inspection costs. For 4 of the 15 ADs, there is
no terminating action so the affected airplanes are required to be
periodically inspected over their entire service lives. Present value
AD costs in issuance-year dollars were calculated by discounting these
future year costs to the year of AD issuance at the rate of 7 percent.
These present value AD costs were adjusted to 2021 dollars using the
GDP implicit price deflator. The total cost of the 15 ADs in 2021
dollars is then summed from the individual AD costs.
---------------------------------------------------------------------------
\54\ See the Regulatory Impact Analysis available in the docket
for more details on the labor rate and hours used in this analysis.
---------------------------------------------------------------------------
b. Details of Avoided AD Benefits
Table 5 shows cost of each of the 15 ADs that were associated with
potential CSL+1 failure conditions. For each AD, the table provides the
following information:
AD No.;
Effective date of the AD;
Airplane Model;
PV AD Cost ($2021);
The potential CSL+1 failure condition; and
Required AD Actions.
Airworthiness Directive No. 8 is split into two results because,
after an initial AD was issued and complied with, it was later
determined that a wider range of part numbers should have been checked,
which meant re-inspection for a large number of airplanes that had
already been inspected. So No. 8a shows the costs for the number of
airplanes the FAA estimates have already been checked in the initial
AD, while No. 8b
shows the new costs in the superseding AD for the airplanes already
checked as well as for the newly affected airplanes. AD No. 15 is also
shown in two parts, with No. 15a showing the results for the main
recurring action and No. 15b showing the results for a concurrent
nonrecurring action for a subset of affected airplanes, required in
order to ensure the effectiveness of the test required by the main
recurring action.
Airworthiness Directives Nos. 1, 2, 4 and 15a are the four ADs with
recurring actions lasting the lifetime of the airplanes. The total
present value costs for these ADs were calculated using AD unit cost
data and individual airplane data from the Aircraft section of
FlightGlobal's FlightFleets Analyzer. For each airplane already in the
affected fleet at the AD's effective date, costs were calculated for
the remaining years of an assumed 28-year life, with yearly costs
discounted back to the AD's effective date but valued in 2021 dollars.
For each airplane entering the affected fleet after the AD's effective
date, costs were calculated for its entire assumed 28-year life with an
additional discount factor for time between the AD's effective date and
the in-service date of the airplane. Actual life was used instead of a
28-year life if airplanes were retired (or written off) early. Data for
August 2018 was used for AD Nos. 1, 2 and 15a. But for AD No. 4, data
as of the AD's effective date, September 26, 2012, was used in order to
simplify the calculations. The affected model--Boeing Model 757--ended
production in 2004, so few, if any, additional airplanes would be
entering the affected fleet after the AD's 2012 effective date, and
fewer of the affected airplanes would have to be retrieved from the
``Retired/Written Off'' file than if a more recent date was used.
The FAA notes that all 15 ADs apply to large transport airplanes
and none apply to business jets. This result is not surprising, since
part 25 business jets account for a small percentage of the total
flight hours for part 25 airplanes. Given the FAA's assumptions, the
life cycle airplane model estimates that part 25 business jets account
for just 10.3 percent of all part 25 flight hours. This particular
result does not mean that CSL+1 failure conditions cannot occur on part
25 business jets. In fact, while this regulatory evaluation was being
written, an immediate final rule AD was published \55\ for a potential
CSL+1 failure condition in a Gulfstream Model GVI business jet. Since
this AD occurs outside the 10-year 2008-2017 sampling window, the FAA
did not include it in its analysis.
---------------------------------------------------------------------------
\55\ 83 FR 48918 (Sept. 28, 2018).
---------------------------------------------------------------------------
As table 5 below shows, total AD costs sum to $64,195,574. The
avoidance of these costs is the benefit that the FAA used to estimate
benefits of the proposed specific risk rule. Over the period of AD
selection, 2008 to 2017, however, there were, on average, approximately
six new airplane models brought to the market by U.S. manufacturers.
Since the FAA estimated the costs of the proposed rule assuming two new
model certifications, in order to make the estimate of the value of
avoided ADs comparable, the FAA divided these costs by three. The FAA
then divided the adjusted costs by 10 to estimate the average annual AD
costs over the 10-year sample period. Finally, recognizing that no rule
is perfectly effective, the FAA estimated that the proposed rule would
be 90 percent effective and, accordingly, reduced the annual estimates
by 10 percent. These reduced annual estimates are then used in the life
cycle airplane model to estimate the benefits of the proposed rule in a
manner analogous to the estimate of the costs of the proposed rule.
Dividing $64,195,574 by 3 x 10 = 30 and multiplying by 90 percent, the
FAA obtained an estimate of average annual benefits of $2,139,852. This
then is the estimate of the average annual value of the ADs that will
be avoided over the 51-year life cycle of our two airplane models as a
result of the proposed specific risk rule. The present value of
$2,139,852 for 51 years can be calculated with the present value
annuity formula, PVA = C [1 - 1/(1+r)^n]/r =
$2,139,852 x [1 - 1/(1.07)^47]/.07 = $26.4 million, where C =
$2,139,852 is the average
annual ``cash flow'' benefit, r = 0.07 is the discount rate, and n = 51
years is the annuity length in years. However, to make benefits
compatible with the cost of the rule analysis, the FAA must discount
for an additional year to account for our assumed year for
certification of the airplane models. Therefore, the present value of
the AD cost savings is $24.5/1.07 = $24.6 million.
Table 5--SSA CSL+1 Costs Savings by AD
----------------------------------------------------------------------------------------------------------------
No. 1
  AD No.: 2008-06-06
  Effective date of AD: April 16, 2008
  Airplane model: All Boeing 767 airplanes.
  PV AD cost ($2021): $1,168,710
  Potential CSL+1 failure condition: Extensive corrosion was found on the outside rod of a ballscrew in
    the drive mechanism of the horizontal stabilizer trim actuator (HSTA) of a Boeing Model 757 airplane
    (AD for which is No. 4 below). The HSTA drive mechanisms on Boeing airplanes are designed similarly,
    in that they are of the rod-within-a-rod configuration. The corrosion was on the outside rod, which
    functions as a screw that drives the stabilizer and is the primary load path. If the outside rod
    fails, load is transferred to the secondary load path--the inner rod--whose job is to hold the
    horizontal stabilizer in place so it does not run away causing loss of airplane control. In such a
    case, the flightcrew would typically be instructed to land at a suitable airport as soon as
    possible. Since corrosion of the outer rod could imply corrosion of the inner rod also, this AD
    reveals a potential CSL+1 catastrophic accident where active failure of the outer rod occurs in
    conjunction with an already failed inner rod.
  Required AD actions: Repetitive inspections, lubrication, freeplay measurement, and corrective action,
    as specified in Boeing Alert Service Bulletins 767-27A0194 or 767-27A0195, both Revision 1, dated
    July 21, 2005; or both Revision 2, dated July 13, 2006; as applicable.

No. 2
  AD No.: 2009-14-06
  Effective date of AD: August 12, 2009
  Airplane model: All Boeing 777 airplanes.
  PV AD cost ($2021): 853,970
  Potential CSL+1 failure condition: See AD No. 1 above.
  Required AD actions: Maintenance record check and same actions as AD No. 1.

No. 3
  AD No.: 2011-27-03
  Effective date of AD: February 10, 2012
  Airplane model: All Boeing 737 airplanes.
  PV AD cost ($2021): 3,709,424
  Potential CSL+1 failure condition: See AD No. 1 above.
  Required AD actions: Modification as specified in Boeing Alert Service Bulletin 737-27A1278,
    Revision 1, dated January 7, 2010; or Boeing Alert Service Bulletin 737-27A1277, Revision 2, dated
    January 8, 2010; as applicable.

No. 4
  AD No.: 2012-16-16
  Effective date of AD: September 26, 2012
  Airplane model: All Boeing 757 airplanes.
  PV AD cost ($2021): 3,052,050
  Potential CSL+1 failure condition: See AD No. 1 above.
  Required AD actions: See AD No. 1 above.

No. 5
  AD No.: 2009-20-12
  Effective date of AD: November 5, 2009
  Airplane model: Certain Boeing 747 airplanes, as identified in Boeing Special Attention Service
    Bulletin 747-27-2422, dated October 30, 2008.
  PV AD cost ($2021): 16,353,670
  Potential CSL+1 failure condition: The FAA received several reports that the inboard trailing edge
    flaps on Boeing Model 747 airplanes were partially retracted from the commanded position due to
    failure of transmission carbon disk ``no-back'' brakes. This AD highlights a potential CSL+1
    failure condition in which the no-back brake fails to hold the flap in its commanded position
    (latent failure) and the flap system transmission driveshaft breaks (active failure), causing the
    flap to ``freewheel.'' The no-back brake failure is latent because when it occurs, there is no
    means to check it in place without disconnecting the driveshaft and removing the gearbox in which
    it resides from the airplane. The dual failure would create unbalanced aerodynamic forces between
    wings that could cause the airplane to roll into a severe attitude, resulting in catastrophic loss
    of control.
  Required AD actions: Replace trailing edge (TE) no-back brakes with skewed roller no-back brakes.

No. 6
  AD No.: 2013-17-03
  Effective date of AD: October 4, 2013
  Airplane model: Airbus A330-200 and -300; A340-200 and -300; and A340-541 and -642 series airplanes.
  PV AD cost ($2021): 3,048,381
  Potential CSL+1 failure condition: See AD No. 5 above.
  Required AD actions: Assume immediate terminating action: Replacement of all 4 JURID wing tip brakes
    (WTBs) with MIBA WTBs.

No. 7
  AD No.: 2011-22-02
  Effective date of AD: November 29, 2011
  Airplane model: All Airbus A310 and A300 B4-600 and -600R, F4-600R (collectively called A300-600)
    series airplanes.
  PV AD cost ($2021): 526,557
  Potential CSL+1 failure condition: This AD results from mandatory continuing airworthiness
    information (MCAI) originated by EASA. An operator reported several cases of wire damage at the
    pylon/wing interface. Analysis revealed that the wire damage was due to deficient information in
    installation drawings and job cards. The CSL+1 problem here stems from the fact that Low Pressure
    Valve (LPV) wires were not segregated by design. The function of the LPV is to control the fuel
    supply at the engine-to-pylon interface. In case of fire, the fuel supply to the engines (or APU)
    is shut off by the LPVs, which are electrically actuated by operation of the engine (or APU) fire
    handle. The wire chafing could induce dormant failure of the LPV, preventing its closure and
    leading to an uncontrolled engine (or APU) fire.
  Required AD actions: Modification of the electrical installation in the pylon/wing interface to avoid
    wire damage.

No. 8a
  AD No.: 2014-03-08
  Effective date of AD: March 26, 2014
  Airplane model: All Airbus A318, A319, A320, and A321 series airplanes.
  PV AD cost ($2021): 535,501
  Potential CSL+1 failure condition: This AD was prompted by an investigation finding that when target
    and proximity sensors with certain combinations of serial numbers are installed on a flap
    interconnecting strut, the target signal may not be detected. Between the trailing edge flaps
    (inboard and outboard) of an Airbus Model A320 wing, there is an interconnecting strut, whose
    function is to temporarily hold a flap if the flap's drive system disconnects in flight at the
    gearbox (which is connected to the wing). The interconnecting strut has a proximity sensor that
    reads the relative movement between the flaps. The proximity sensor operates on the same principle
    as sensors used in a house alarm system. When a window is opened, the target mounted in the window
    moves away from the sensor installed in the windowsill. The alarm system knows the window is open.
    Similarly, if a flap drive system disconnects, there would be relative movement between the flaps
    observed by the sensor causing the flap control computer to shut down the flap system, thus
    preventing asymmetric flap movement between the wings. Given latent failure of an interconnecting
    strut sensor, a flap drive system disconnect could result in asymmetric flap panel movement and
    consequent loss of airplane control.
  Required AD actions: Inspect to determine part numbers of the interconnecting struts installed on the
    wings and the serial numbers of the associated target and proximity sensors, and replace the
    interconnecting strut if applicable.

No. 8b
  AD No.: 2017-24-07
  Effective date of AD: January 5, 2018
  Airplane model: All Airbus A318, A319, A320, and A321 series airplanes.
  PV AD cost ($2021): 1,512,126
  Potential CSL+1 failure condition: Same as above. This superseding AD was issued because EASA
    determined that a wider range of part numbers of affected interconnecting struts should be checked.
  Required AD actions: Because of the nearly 4-year difference in the AD dates, in addition to
    inspection of new airplanes, all of the airplanes that had been already inspected under the AD
    2014-03-08 requirements have to be re-inspected under 2017-24-07.

No. 9
  AD No.: 2014-11-10
  Effective date of AD: August 19, 2014
  Airplane model: Bombardier CL-600-2B19 (Regional Jet Series 100 & 440), S/Ns 7003-8110 inclusive.
  PV AD cost ($2021): 1,881,761
  Potential CSL+1 failure condition: This AD was prompted by reports that the shear pin in the input
    lever of several PFS (Pitch Feel Simulator) units failed due to fatigue, and by the development of
    a re-designed PFS unit, eliminating the need for repetitive functional tests. With latent failure
    of a PFS unit due to a failed shear pin, the failure of the second PFS unit would result in loss of
    pitch feel forces and consequent reduced control of the airplane. Loss of tactile feedback
    typically causes the pilot to overshoot commands to the control system. As an analogy, consider an
    automobile steering wheel. At low speeds, the feel is soft (requiring large turns to steer the
    front wheels a given amount). At high speeds, the feel is designed to be harder (requiring more
    force to steer the wheels a given amount). If the feel unit fails, we can still steer, but because
    the forces are the same at low and high speeds, we could lose control of the car at high speeds.
  Required AD actions: Replace pitch feel simulator (PFS) units with redesigned PFS units. This action
    would terminate the currently required repetitive function tests.

No. 10
  AD No.: 2015-19-01
  Effective date of AD: October 21, 2015
  Airplane model: Boeing 777 airplanes, Line Nos. 1 through 1104 inclusive.
  PV AD cost ($2021): 16,150
  Potential CSL+1 failure condition: This AD was prompted by reports of latently-failed fuel shutoff
    valves caused by a design error that affects both valve control and indication of the valve's
    position. As a result, the failure can lead to a large number of flights with the fuel shutoff
    valve failed in the open position without the operator being aware of the failure. Latent failures
    of the fuel shutoff valve to the engine (or APU) could result in an inability to shut off fuel to
    the engine (or APU) and an uncontrollable fire that could lead to catastrophic wing failure.
  Required AD actions: Revise maintenance or inspection program, as applicable, to require a new
    airworthiness limitation--a daily operational check of the fuel shutoff valve position indication.

No. 11
  AD No.: 2015-19-04
  Effective date of AD: October 21, 2015
  Airplane model: All Boeing 757 airplanes.
  PV AD cost ($2021): 50,150
  Potential CSL+1 failure condition: See AD No. 10 above.
  Required AD actions: See AD No. 10 above.

No. 12
  AD No.: 2015-19-09
  Effective date of AD: November 3, 2015
  Airplane model: All Boeing 787-8 airplanes.
  PV AD cost ($2021): 111,421
  Potential CSL+1 failure condition: See AD No. 10 above.
  Required AD actions:
    1. Revise maintenance or inspection program.
    2. Replace engine and APU shutoff valve actuators with new actuators.

No. 13
  AD No.: 2015-21-09
  Effective date of AD: October 28, 2015
  Airplane model: All Boeing 767 airplanes.
  PV AD cost ($2021): 38,250
  Potential CSL+1 failure condition: See AD No. 10 above.
  Required AD actions: See AD No. 10 above.

No. 14
  AD No.: 2015-21-10
  Effective date of AD: October 28, 2015
  Airplane model: All Boeing 737-600, -700, -700C, -800, and -900 airplanes.
  PV AD cost ($2021): 105,740
  Potential CSL+1 failure condition: See AD No. 10 above.
  Required AD actions: See AD No. 10 above.

No. 15a
  AD No.: 2016-04-06
  Effective date of AD: April 1, 2016
  Airplane model: All Boeing 737-600, -700, -700C, -800, and -900 airplanes.
  PV AD cost ($2021): 2,455,178
  Potential CSL+1 failure condition: During a simulated fire test in the forward cargo compartment on
    737-800 airplanes, smoke penetrated into the passenger cabin and flightdeck when in the fire
    suppression configuration. The smoke was observed entering the passenger cabin, during steady state
    cruise and descent conditions, in quantities significantly higher than amounts found acceptable
    during previous certification tests. Small amounts of smoke were observed in the flightdeck. A
    subsequent Boeing review found that there was no maintenance procedure available to inspect the
    components used to reconfigure the air distribution system. Latent failure of the equipment cooling
    system or low pressure environmental control system, in combination with a cargo fire, could result
    in smoke in the main cabin and flightdeck and possible loss of airplane control. The maintenance
    procedure could reduce the likelihood of such latent failures.
  Required AD actions: Recurring test: Repetitive Smoke Clearance--Operational Test for correct
    operation of the equipment cooling and low pressure environmental control systems.

No. 15b
  AD No.: 2016-04-06
  Effective date of AD: April 1, 2016
  Airplane model: Certain Boeing 737-600, -700, -700C, -800, -900, and -900ER series airplanes.
  PV AD cost ($2021): 28,776,535
  Potential CSL+1 failure condition: Incorporation of this non-recurring action (required by Boeing
    Special Attention Service Bulletin 737-26A1137, Revision 1, dated August 13, 2009) is necessary to
    ensure that the Smoke Clearance Mode-Operational Test result of the recurring action is
    satisfactory.
  Required AD actions: Concurrent non-recurring action: Install new relays and do wiring changes to the
    environmental control system
----------------------------------------------------------------------------------------------------------------
Total = $64,195,524
----------------------------------------------------------------------------------------------------------------
Sources: The Federal Register reference for each AD is noted in ``Appendix Table 6'' of the ``Regulatory Evaluation'' in the docket.
Note 1: Information in the ADs was in some cases supplemented and corrected by the FAA safety engineers assigned to the ADs or by the Systems Policy
Branch (AIR-630), Safety Risk Management Section (AIR-633).
Note 2: For non-recurring actions, we assume compliance times to be at, or close to, the midpoint of the compliance period specified in the AD (or
associated service bulletin). For recurring actions, we assume compliance times to be at the end of a compliance period, or somewhat earlier. See
``Appendix Table 6'' in the ``Regulatory Evaluation'' for details on data assumptions and calculations.
6. Summary of Costs and Benefits of Specific Risk Rule
In table 6 below, the FAA summarizes the costs and benefits of the
proposed specific risk rule. As the table shows, the proposed rule is
cost-beneficial with present value cost savings of $24.6 million far
exceeding present value costs of $15.8 million. Net cost savings are
$8.8 million in present value. A similar analysis at a 3 percent
discount rate finds present value cost savings to be $43.6 million,
exceeding $31.7 million in present value costs, and resulting in $11.9
million in net cost savings.
Table 6--Summary of Cost-Benefit Analysis for Specific Risk Rule
[Present value $2021 millions]
----------------------------------------------------------------------------------------------------------------
                                                                   Part 25 large         Part 25         Part 25
Cost category                                                         transports   business jets       airplanes
----------------------------------------------------------------------------------------------------------------
Non-Recurring Engineering Costs.................................            $2.5            $0.8            $3.4
Hardware & Installation Costs per Airplane......................             0.0             0.0             0.0
Operating Costs per Airplane per Year...........................            10.8             1.7            12.5
                                                                ------------------------------------------------
Total PV Costs..................................................            13.3             2.5            15.8
                                                                ------------------------------------------------
Cost Savings (Value of Avoided ADs).............................                                            24.6
                                                                ------------------------------------------------
Net Cost Savings................................................                                             8.8
----------------------------------------------------------------------------------------------------------------
Note 1: Cost savings reflect assumption of 90 percent rule effectiveness.
Note 2: Numbers may not add to totals due to rounding. Present values are calculated using a discount rate of
seven percent. Present values using a three percent discount rate are provided in the Regulatory Impact
Analysis available in the docket.
7. Section 25.1309: Equipment, Systems, and Installations
In section I.A.5 above, the FAA undertook the cost benefit analysis
of the proposed specific risk rule, Sec. 25.1309(b)(5). This section
discusses the remaining paragraphs of Sec. 25.1309.
a. Section 25.1309(a)
The proposed rule would revise Sec. 25.1309(a) into two
paragraphs. Proposed Sec. 25.1309(a)(1) would revise the applicability
of the Sec. 25.1309(a) requirement that equipment and systems perform
their functions as intended. Proposed Sec. 25.1309(a)(1) clarifies
that it applies to any equipment or system installed in the airplane,
and whose improper functioning would reduce safety, regardless of
whether it is required for type certification, operating approval, or
is optional equipment. As this requirement merely harmonizes with
EASA's corresponding requirement, with which part 25 manufacturers are
already in compliance, there is no additional cost. However, the
requirement has the minimal benefits of the reduced cost of joint
harmonization and, therefore, would be cost beneficial.
Along with an associated change to Sec. 25.1301, Function and
Installation, proposed Sec. 25.1309(a)(2) would allow equipment
associated with passenger amenities (e.g., entertainment displays and
audio systems) not to function as intended as long as the failure of
such systems would not affect airplane safety. No safety benefit is
derived from demonstrating that such equipment performs as intended, if
failing to perform as intended would not affect safety. Accordingly,
this proposed change would reduce the certification cost of passenger
amenities for airplane manufacturers without affecting safety, and,
therefore, this proposed change would be cost-beneficial.
b. Section 25.1309(b)(1), (2), and (3): Average Risk and Fail Safe
Criteria
The current rule requires airplane systems and associated
components be designed so that any failure condition that would prevent
the continued safe flight and landing of the airplane (catastrophic
failure condition) is ``extremely improbable,'' a condition specified
in current AC 25.1309-1A as having a probability on the order of
<= 10^-9 per flight hour. However, as recommended by the SDAHWG, the
proposed text of Sec. 25.1309(b) would explicitly require
that single failures must not result in catastrophic failures--the ``no
single failure'' fail-safe requirement. As it harmonizes with the
equivalent EASA requirement and is already current industry practice
(see the ``Arsenal'' version of AC 25.1309), this proposed ``no single
failure'' requirement would be cost beneficial as it entails no
additional cost but has
benefits from the reduced costs of joint harmonization.\56\
---------------------------------------------------------------------------
\56\ The no single failure requirement was inadvertently removed
in 1970 but remained industry practice. At the same time, the no
single failure requirement was made explicit for flight controls
and, in 1977, was made explicit for powerplants.
---------------------------------------------------------------------------
The current rule requires any failure condition that would reduce
the capability of the airplane or the ability of the crew to cope with
adverse operating conditions to be ``improbable'' (on the order of
10^-9 < p <= 10^-5, where p is probability), a condition specified
under current AC 25.1309-1A as ``major.'' Current practice, however,
is the ``Arsenal'' version of AC 25.1309, under which the old
``major'' failure condition has been divided into two categories:
``hazardous'' (on the order of 10^-9 < p <= 10^-7) and ``major'' (on
the order of 10^-7 < p <= 10^-5). These categories have been
incorporated into the
proposed rule. As it harmonizes with corresponding EASA major and
hazardous categories and is current industry practice, this proposed
rule change would be cost beneficial as it entails no additional costs
but has benefits from the reduced costs of joint harmonization.
c. Section 25.1309(b)(4): Limit Latency Criteria
Proposed Sec. 25.1309(b)(4) specifies criteria that would apply to
any SLF. The purpose of proposed Sec. 25.1309(b)(4) is to limit SLFs
whenever practical so as to limit conditions where the airplane is one
failure away from a hazardous or catastrophic accident.
It is already industry practice to eliminate SLFs when practical,
as required by proposed Sec. 25.1309(b)(4)(i); therefore, the proposal
would entail no additional cost. In any case, proposed Sec.
25.1309(b)(4) is cost beneficial because proposed paragraph (4)(i) is
limited by paragraph (4)(ii) and, further, under Sec.
25.1309(b)(4)(iii), both paragraphs (4)(i) and (b)(4)(ii) are not
required when impractical.
d. Section 25.1309(c): Flightcrew Alerting
Section 25.1309(c) would continue to require that the flightcrew be
provided with information concerning unsafe system operating
conditions. Section 25.1322 would continue to require that alerting be
provided. The only proposed change in this rule is to remove the
conflict with Sec. 25.1322, Flightcrew Alerting. Accordingly, there is
no cost (or benefit) entailed by the proposed rule change.
e. Section 25.1309(d) and H25.4: Certification Maintenance Requirements
Proposed Sec. 25.1309(d) would be a new rule requiring that CMRs
be established, as necessary, to prevent catastrophic and hazardous
failure conditions described in proposed Sec. 25.1309(b). The proposed
rule also would require these CMRs to be contained in the ALS of the
ICA required by Sec. 25.1529. This latter requirement is an industry
recommendation via the SE-172 Taskforce to CAST \57\, and it addresses
the taskforce's recognition that CMRs are critical to safety and should
be treated similarly to other airworthiness limitations.
---------------------------------------------------------------------------
\57\ More information on CAST and the task force findings is
available in the docket and on the internet at https://www.skybrary.aero/bookshelf/views/bookDetails.php?bookId=2553.
---------------------------------------------------------------------------
Both of these proposed requirements would codify industry practice
and would harmonize with EASA's changes to CS 25.1309 and H25.4, and so
would entail no additional costs. However, the requirements would have
the benefits of reduced joint harmonization costs and, therefore, would
be cost beneficial.
8. Section 25.671: General Control Systems
a. Section 25.671(a), (d), (e), and (f)
Since industry has been meeting the proposed criteria in paragraphs
(a), (e), and (f) under special conditions since the early 1980s, the
FAA believes that these proposed criteria are now met at minimal cost.
The modification to Sec. 25.671(d) clarifies that controllability
includes the capability to flare to a landing and controlled stop. The
FAA believes that if the airplane is controllable, the manufacturer
will be able to meet the requirement for flare and braking capability
at minimal cost. The FAA requests comments on these findings.
b. Section 25.671(b): Minimize Probability of Incorrect Assembly
Section 25.671(b) would be revised to allow distinctive and
permanent marking to minimize the probability of incorrect assembly
only when design means are impractical. This revision was recommended
by the FCHWG. It is expert consensus that the physical prevention of
misassembly by design is safer than reliance on marking, which can be
overlooked or ignored. Since distinctive and permanent marking to
minimize the probability of incorrect assembly is disallowed only when
design means are practical, the expected gain in safety benefits from
the reduced probability of incorrect assembly would be greater than the
costs of the proposed revision. The FAA requests comments on its
finding that this provision is cost-beneficial.
c. Section 25.671(c)
The FAA proposes to revise Sec. 25.671(c). Current Sec.
25.671(c)(1) and (c)(2) would be removed, because the applicability of
Sec. 25.1309 would be clarified to be any equipment or system as
installed on the airplane, so it would apply to flight control systems
and would accomplish the safety objective of Sec. 25.671(c)(1) and
(c)(2). Proposed 25.671(c) differs from the current rule as follows:
• Proposed Sec. 25.671(c) addresses only jams that are due
to a physical interference, for example, foreign or loose object,
system icing, corroded bearings, etc. (Jams due to other reasons are
covered by Sec. 25.1309.)
• Proposed Sec. 25.671(c) does not allow jams to be
considered extremely improbable, except those jams that occur just
before landing.
• Proposed Sec. 25.671(c)(3) specifies that, given a jam
due to a physical interference, the combined probability is less than
1/1000 that any additional failure conditions could prevent continued
safe flight and landing. As the main intent of Sec. 25.671(c)(3) is to
limit the probability of a latent failure of any jam alleviation device
(such as a breakout device), Sec. 25.671(c)(3) is largely redundant to
the proposed Sec. 25.1309(b)(5) latent risk requirement.
• Proposed Sec. 25.671(c) would no longer address a runaway
of a flight control surface and subsequent jam as such jams would be
adequately addressed by proposed Sec. 25.1309.
As proposed Sec. 25.671(c) has been used by many manufacturers as
an ELOS, the FAA believes its use is current practice. Accordingly,
there are no additional costs (or benefits) from Sec. 25.671(c)(1).
The FAA requests comments on this conclusion.
9. Section 25.901: Installation Engines
Proposed Sec. 25.901 would specify that Sec. 25.1309 applies to
powerplant installations, as it does for all airplane systems.
Accordingly, the current provision in Sec. 25.901(c) prohibiting
catastrophic single failures or probable combinations of failures would
be removed. Applicant requirements would not change as a result of this
revised rule. The proposed revision would harmonize Sec. 25.901(c)
with EASA's corresponding CS 25.901(c). Accordingly, the proposed
revision would be cost-beneficial as it entails no additional cost but
has benefits from the reduced costs of joint harmonization.
[[Page 75449]]
The FAA requests comments on this conclusion.
10. Section 25.933: Reversing Systems
Proposed Sec. 25.933(a)(1)(i) retains, as an option, the
``controllability'' standard of the current rule. Proposed Sec.
25.933(a)(1)(ii) is an additional, ``reliability,'' option. The service
history of airplanes certified under the current rule--most
prominently, the Lauda Air accident--demonstrates that the fail-safe
intent of the controllability requirement had not been achieved.
The PPIHWG recommended adding the reliability option, concluding
that applicants should be allowed to select the most suitable option
for their particular type designs or failure conditions addressed. This
option is especially valuable given its improvement implied by the
proposed revision to Sec. 25.1309.\58\ This proposed change allows
additional flexibility in design development, thus reducing costs by
allowing manufacturers to achieve the intended level of safety in the
most cost-effective manner. As this proposed rule would be cost
relieving, it would be cost beneficial. The FAA requests comments on
this conclusion.
---------------------------------------------------------------------------
\58\ It should be noted that the controllability option would
still require compliance with Sec. 25.1309. But when an applicant
demonstrates compliance using the controllability option, an
unwanted thrust reversal in flight will be classified at worst as a
``major'' failure, thereby making compliance with Sec. 25.1309(b)
much easier.
---------------------------------------------------------------------------
11. Section 25.302: Interaction of Systems and Structures
Proposed Sec. 25.302 would be a new rule that would incorporate,
with some modifications, the criteria the LDHWG recommended in December
2000, and the FCHWG in September 2002. EASA has already incorporated
the criteria developed by the LDHWG into CS 25.302 and appendix K of
CS-25.
The proposed rule would specifically address any system failure
condition considered under Sec. 25.1309 that can affect the structural
performance of the airplane. Systems affect structural performance if
they induce loads on the airframe or if they change the response of the
airplane to inputs such as gusts or pilot actions, either directly or
as a result of failure. Systems that affect structural performance are
flight control computers, autopilots, stability augmentation systems,
load alleviation systems, and fuel management systems. The proposed
rule would also apply to hydraulic systems, electrical systems, and
mechanical systems.
U.S. part 25 manufacturers already comply with EASA's CS 25.302,
which went into effect in November 2004. Accordingly, the costs of
compliance with the FAA's proposed Sec. 25.302 depend on the extent
to which it harmonizes with CS 25.302. If the provisions of proposed
Sec. 25.302 are identical with, less onerous than, or, more generally,
satisfied by, the provisions of CS 25.302, then compliance with CS
25.302 would also mean compliance with proposed Sec. 25.302. This
harmonization means U.S. part 25 manufacturers would incur no
incremental compliance costs. If the provisions of proposed Sec.
25.302 are more onerous than, or, more generally, not satisfied by, the
provisions of CS 25.302, then manufacturers would incur incremental
compliance costs.
The FAA now assesses the benefits and costs of proposed Sec.
25.302 by section:
a. Section 25.302(a): At the Time of Failure Occurrence
For the assessment of the initial failure condition, EASA's CS
25.302 allows the safety factor to decline linearly from 1.5 to 1.25 as
the probability of failure declines from 10^-5 to 10^-9 per flight
hour but proposed Sec. 25.302(a) keeps the
factor at 1.5. The FAA proposal, therefore, would be more conservative
in this regard, but, after two decades of special conditions, this more
conservative factor is now easily met by manufacturers. Therefore, the
cost effect would be minimal. As safety would be higher compared to CS
25.302, this proposed requirement would be cost beneficial. The FAA
requests comments on this finding.
b. Section 25.302(b): Continuation of Flight After Failure
CS 25.302 requires that loads be determined for several CS-25
design load conditions, whereas the FAA proposal would require that
loads be determined for any design load condition that would be
affected. CS 25.302 requires a safety factor of 1.5 for a failure
condition with a failure rate above 10^-5, but which declines
linearly to 1.0 as probability declines from 10^-5 to 10^-9.
The FAA proposal specifies a safety factor of 1.5 but would reduce
the safety factor to 1.0 if the failure condition is annunciated,
because the probability of an extreme maneuver would be reduced as the
pilot would be aware that a failure condition had occurred. The FAA
would reduce the safety factor to 1.25 if the failure condition is
extremely remote (probability of the order of <=10^-7 per
flight hour). The probability is very low that a design load condition
would occur subsequent to a system failure on the same flight. The FAA
proposal, therefore, is less conservative than the EASA requirement in
requiring lower safety factors, particularly for annunciated failures;
and most failures that affect structures would be annunciated.
The FAA proposal is more conservative, however, in applying to all
load conditions specified in subpart C, with the possible result of
higher engineering, hardware, and operating compliance costs relative
to EASA requirements. Nevertheless, the FAA believes that the safety
benefits would continue to outweigh the costs. The FAA requests
comments on this conclusion.
c. Section 25.302(d)
This proposed rule would require the residual strength evaluation
be conducted according to Sec. 25.571--the fatigue and damage
tolerance rule--and it, therefore, assesses the residual strength load
conditions in Sec. 25.571, rather than the load conditions listed in
CS 25.302. This proposed change would result in little or no increase
in workload and, consequently, would have minimal cost because
manufacturers already use the Sec. 25.571 process and because the
differences in load conditions between the two provisions are not
significant. The FAA requests comments on this finding.
d. Section 25.302(e): Dispatch Requirements
CS 25.302 requires that anticipated dispatch configurations be
addressed by meeting the strength and flutter aspects of CS 25.302
taking into account the probability of being in that configuration. CS
25.302 includes: ``Flight limitations and expected operational
limitations may be taken into account in establishing . . . the
combined probability of being in the dispatched failure condition and
the subsequent failure condition for the safety margins . . . . '' \59\
This means that the applicant must combine the probability of being in
the dispatched state with the probability of subsequent failures to
determine safety margins. This analysis obviously involves a fair
amount of probability work. Moreover, for the dispatched configuration,
CS 25.302 would consider any failure condition not shown to be
extremely improbable (on the order of <=10^-9 per flight
hour). Several applicants have specifically objected to the CS dispatch
rule because of this latter requirement.
---------------------------------------------------------------------------
\59\ EASA CS-25, amendment 11, dated July 4, 2011.
---------------------------------------------------------------------------
In contrast, the FAA proposal is simpler, less onerous, and
involves less
[[Page 75450]]
probability work. First, the proposal does not include flutter
criteria. Second, the proposal assumes a probability of one for the
dispatched configuration, and subsequent failures would be considered
only if they were single failures or if they are not extremely remote
(of the order of <=10^-7 per flight hour). The FAA believes
that the incremental cost of the simpler and less onerous FAA proposal
is so low that the safety benefits of the proposal would continue to
outweigh the costs. The FAA requests comments on this finding.
B. Regulatory Flexibility Determination
The Regulatory Flexibility Act of 1980 (Pub. L. 96-354) (RFA)
establishes ``as a principle of regulatory issuance that agencies shall
endeavor, consistent with the objectives of the rule and of applicable
statutes, to fit regulatory and informational requirements to the scale
of the businesses, organizations, and governmental jurisdictions
subject to regulation. To achieve this principle, agencies are required
to solicit and consider flexible regulatory proposals and to explain
the rationale for their actions to assure that such proposals are given
serious consideration.'' The RFA covers a wide range of small entities,
including small businesses, not-for-profit organizations, and small
governmental jurisdictions. Agencies must perform a review to determine
whether a rule will have a significant economic impact on a substantial
number of small entities. If the agency determines that it will, the
agency must prepare a regulatory flexibility analysis as described in
the RFA.
However, if an agency determines that a rule is not expected to
have a significant economic impact on a substantial number of small
entities, section 605(b) of the RFA provides that the head of the
agency may so certify, and a regulatory flexibility analysis is not
required. The certification must include a statement providing the
factual basis for this determination, and the reasoning should be
clear.
All U.S. manufacturers (applicants for type certification) of large
transports or part 25 business jets are large companies with more than
1,500 employees or are subsidiaries of large companies so-defined and,
therefore, are not classified as small entities by the Small Business
Administration.\60\ Operators of part 25 airplanes will be directly
affected by the $1,102 annual incremental operating cost (maintenance)
per large transport and the $147 annual incremental operating cost per
part 25 business jet. These costs are minimal, especially compared to
the high annual operating cost of part 25 airplanes.
---------------------------------------------------------------------------
\60\ The Small Business Administration criterion for small
aircraft manufacturers is 1,500 employees or less.
---------------------------------------------------------------------------
If an agency determines that a rulemaking will not result in a
significant economic impact on a substantial number of small entities,
the head of the agency may so certify under section 605(b) of the RFA.
Therefore, as provided in section 605(b), the head of the FAA proposes
that this proposed rulemaking would not result in a significant
economic impact on a substantial number of small entities. The FAA
requests comments on this determination.
C. International Trade Impact Assessment
The Trade Agreements Act of 1979 (Pub. L. 96-39), as amended by the
Uruguay Round Agreements Act (Pub. L. 103-465), prohibits Federal
agencies from establishing standards or engaging in related activities
that create unnecessary obstacles to the foreign commerce of the United
States. Pursuant to these Acts, the establishment of standards is not
considered an unnecessary obstacle to the foreign commerce of the
United States, so long as the standard has a legitimate domestic
objective, such as the protection of safety, and does not operate in a
manner that excludes imports that meet this objective. The statute also
requires consideration of international standards and, where
appropriate, that they be the basis for U.S. standards.
The FAA has assessed the effect of this proposed rule and
determined that its purpose is to ensure the safety of U.S. civil
aviation. Therefore, this proposed rule is in compliance with the Trade
Agreements Act.
D. Unfunded Mandates Assessment
Title II of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4)
requires each Federal agency to prepare a written statement
assessing the effects of any Federal mandate in a proposed or final
agency rule that may result in an expenditure of $100 million or more
(in 1995 dollars) in any one year by State, local, and tribal
governments, in the aggregate, or by the private sector; such a mandate
is deemed to be a ``significant regulatory action.'' The FAA currently
uses an inflation-adjusted value of $155.0 million in lieu of $100
million. This proposed rule does not contain such a mandate; therefore,
the requirements of Title II of the Act do not apply.
E. Paperwork Reduction Act
The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires
that the FAA consider the impact of paperwork and other information
collection burdens imposed on the public. The FAA has determined that
there would be no new requirement for information collection associated
with this proposed rule.
F. International Compatibility and Cooperation
In keeping with U.S. obligations under the Convention on
International Civil Aviation, it is FAA policy to conform to
International Civil Aviation Organization (ICAO) Standards and
Recommended Practices to the maximum extent practicable. The FAA has
determined that there are no ICAO Standards and Recommended Practices
that correspond to these proposed regulations.
In January of 2020, EASA published CS 25 amendment 24, which bore
many similarities to this proposal, including added criteria for latent
failures in CS 25.1309.
G. Environmental Analysis
FAA Order 1050.1F identifies FAA actions that are categorically
excluded from preparation of an environmental assessment or
environmental impact statement under the National Environmental Policy
Act in the absence of extraordinary circumstances. The FAA has
determined this rulemaking action qualifies for the categorical
exclusion identified in paragraph 5-6.6 and involves no extraordinary
circumstances.
V. Executive Order Determinations
A. Executive Order 13132, Federalism
The FAA has analyzed this proposed rule under the principles and
criteria of Executive Order 13132, ``Federalism'' (64 FR 43255, August
10, 1999). The agency has determined that this action would not have a
substantial direct effect on the States, or the relationship between
the Federal Government and the States, or on the distribution of power
and responsibilities among the various levels of government, and,
therefore, would not have federalism implications.
B. Executive Order 13211, Regulations That Significantly Affect Energy
Supply, Distribution, or Use
The FAA analyzed this proposed rule under Executive Order 13211,
``Actions Concerning Regulations that Significantly Affect Energy
Supply, Distribution, or Use'' (66 FR 28355, May
[[Page 75451]]
18, 2001). The agency has determined that it would not be a
``significant energy action'' under the Executive order and would not
be likely to have a significant adverse effect on the supply,
distribution, or use of energy.
C. Executive Order 13609, International Cooperation
Executive Order 13609, ``Promoting International Regulatory
Cooperation,'' (77 FR 26413, May 4, 2012) promotes international
regulatory cooperation to meet shared challenges involving health,
safety, labor, security, environmental, and other issues and to reduce,
eliminate, or prevent unnecessary differences in regulatory
requirements. The FAA has analyzed this action under the policies and
agency responsibilities of Executive Order 13609 and has determined
that this action would have no effect on international regulatory
cooperation.
VI. Additional Information
A. Comments Invited
The FAA invites interested persons to participate in this
rulemaking by submitting written comments, data, or views. The agency
also invites comments relating to the economic, environmental, energy,
or federalism impacts that might result from adopting the proposals in
this document. The most helpful comments reference a specific portion
of the proposal, explain the reason for any recommended change, and
include supporting data. To ensure the docket does not contain
duplicate comments, commenters should send only one copy of written
comments, or if comments are filed electronically, commenters should
submit only one time.
Except for Confidential Business Information (CBI) as described in
the following paragraph, and other information as described in 14 CFR
11.35, the FAA will file in the docket all comments it receives, as
well as a report summarizing each substantive public contact with FAA
personnel concerning this proposed rulemaking. Before acting on this
proposal, the FAA will consider all comments it receives on or before
the closing date for comments. The FAA will consider comments filed
after the comment period has closed if it is possible to do so without
incurring expense or delay. The agency may change this proposal in
light of the comments it receives.
Confidential Business Information: Confidential Business
Information (CBI) is commercial or financial information that is both
customarily and actually treated as private by its owner. Under the
Freedom of Information Act (FOIA) (5 U.S.C. 552), CBI is exempt from
public disclosure. If your comments responsive to this NPRM contain
commercial or financial information that is customarily treated as
private, that you actually treat as private, and that is relevant or
responsive to this NPRM, it is important that you clearly designate the
submitted comments as CBI. Please mark each page of your submission
containing CBI as ``PROPIN.'' The FAA will treat such marked
submissions as confidential under the FOIA, and they will not be placed
in the public docket of this NPRM. Submissions containing CBI should be
sent to Suzanne Masterson, Strategic Policy Transport Section, AIR-614,
Strategic Policy Management Branch, Policy and Innovation Division,
Aircraft Certification Service, Federal Aviation Administration, 2200
South 216th Street, Des Moines, WA 98198; email
[email protected]. Any commentary that the FAA receives which
is not specifically designated as CBI will be placed in the public
docket for this rulemaking.
B. Availability of Rulemaking Documents
An electronic copy of rulemaking documents may be obtained from the
internet by--
1. Searching the Federal eRulemaking Portal at www.regulations.gov;
2. Visiting the FAA's Regulations and Policies web page at
www.faa.gov/regulations_policies; or
3. Accessing the Government Printing Office's web page at
www.GovInfo.gov.
Copies may also be obtained by sending a request to the Federal
Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence
Avenue SW, Washington, DC 20591, or by calling (202) 267-9680.
Commenters must identify the docket or notice number of this
rulemaking.
All documents the FAA considered in developing this proposed rule,
including economic analyses and technical reports, may be accessed from
the internet through the Federal eRulemaking Portal referenced in item
(1) above.
List of Subjects in 14 CFR Part 25
Aircraft, Aviation safety, Reporting and recordkeeping
requirements.
The Proposed Amendment
In consideration of the foregoing, the Federal Aviation
Administration proposes to amend chapter I of title 14, Code of Federal
Regulations as follows:
PART 25--AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES
1. The authority citation for part 25 continues to read as follows:
Authority: 49 U.S.C. 106(f), 106(g), 40113, 44701, 44702 and
44704.
2. Add Sec. 25.4 to read as follows:
Sec. 25.4 Definitions.
(a) For the purposes of this part, the following general
definitions apply:
(1) Certification maintenance requirement means a required
scheduled maintenance task established during the design certification
of the airplane systems as an airworthiness limitation of the type
certificate or supplemental type certificate.
(2) Significant latent failure is a latent failure that, in
combination with one or more specific failures or events, would result
in a hazardous or catastrophic failure condition.
(b) For purposes of this part, the following failure conditions, in
order of increasing severity, apply:
(1) Major failure condition means a failure condition that would
reduce the capability of the airplane or the ability of the flightcrew
to cope with adverse operating conditions, to the extent that there
would be--
(i) A significant reduction in safety margins or functional
capabilities,
(ii) A significant increase in flightcrew workload or in conditions
impairing the efficiency of the flightcrew,
(iii) Physical distress to passengers or flight attendants,
possibly including injuries, or
(iv) An effect of similar severity.
(2) Hazardous failure condition means a failure condition that
would reduce the capability of the airplane or the ability of the
flightcrew to cope with adverse operating conditions, to the extent
that there would be--
(i) A large reduction in safety margins or functional capabilities,
(ii) Physical distress or excessive workload such that the
flightcrew cannot be relied upon to perform their tasks accurately or
completely, or
(iii) Serious or fatal injuries to a relatively small number of
persons other than the flightcrew.
(3) Catastrophic failure condition means a failure condition that
would result in multiple fatalities, usually with the loss of the
airplane.
(c) For purposes of this part, the following failure conditions in
order of decreasing probability apply:
(1) Probable failure condition means a failure condition that is
anticipated to
[[Page 75452]]
occur one or more times during the entire operational life of each
airplane of a given type.
(2) Remote failure condition means a failure condition that is not
anticipated to occur to each airplane of a given type during its entire
operational life, but which may occur several times during the total
operational life of all airplanes of a given type.
(3) Extremely remote failure condition means a failure condition
that is not anticipated to occur to each airplane of a given type
during its entire operational life, but which may occur a few times
during the total operational life of all airplanes of a given type.
(4) Extremely improbable failure condition means a failure
condition that is not anticipated to occur during the total operational
life of all airplanes of a given type.
3. Add Sec. 25.302 to subpart C to read as follows:
Sec. 25.302 Interaction of systems and structures.
This section applies to systems that affect the structural
performance of the airplane. The applicant must include the effects of
systems when conducting the analyses and tests necessary to show
compliance with subparts C and D of this part. For any system failure
condition that either results from a single failure or is not extremely
improbable, paragraphs (a) through (e) of this section apply. This
section does not apply to the flight control jam conditions prescribed
in Sec. 25.671(c) or the discrete source events prescribed in Sec.
25.571(e).
(a) Loads occurring at the time of failure and immediately after
failure. The airplane must be able to withstand the loads occurring at
the time of failure and immediately after failure. The applicant must
determine these loads at speeds up to VC/MC,
starting from 1-g level flight conditions, and assuming realistic
scenarios, including pilot corrective actions. These are limit loads,
and the applicant must apply a safety factor of 1.5 to determine
ultimate loads.
(b) Limit flight and ground loads following the system failure. In
the system-failed state, the airplane must be able to withstand the
limit flight and ground loads specified in subpart C of this part at
speeds up to VC/MC or the speed limitation
specified for the remainder of the flight. The applicant must apply a
safety factor of 1.5 to determine ultimate loads, except as provided in
paragraphs (b)(1) or (2) of this section.
(1) If the failure would be immediately annunciated or otherwise
obvious to the flightcrew, then the applicant may use a safety factor
of 1.0. The applicant may also take into account any resulting
configuration changes or operating limitations specified in the
Airplane Flight Manual.
(2) If the failure would not be immediately annunciated or
otherwise obvious to the flightcrew, but the failure condition is
extremely remote, then the applicant may use a safety factor of 1.25.
(c) Damage tolerance evaluation. When conducting the damage
tolerance evaluation required by Sec. 25.571, the applicant must take
into account the fatigue loads induced by any failure condition. These
fatigue loads must be included as part of the typical loading spectra
at a rate commensurate with the probability of their occurrence.
(d) Residual strength loads. For any probable failure condition
that would affect the residual strength loads prescribed in Sec.
25.571(b), the applicant must conduct a residual strength evaluation as
prescribed in that paragraph under the assumption that the failure
condition has occurred. The applicant must calculate these residual
strength loads using at least two-thirds of the applicable safety
factor specified in paragraph (b) of this section.
(e) Master Minimum Equipment List. If the applicant submits for
approval a Master Minimum Equipment List that allows dispatch in a
system-failed state that can affect structural performance, the
following requirements apply:
(1) In the dispatched configuration, the airplane must meet the
design load requirements of subpart C of this part, assuming any
operating limitations, including configuration changes, that apply to
the dispatched airplane; and
(2) In the dispatched configuration, the airplane must meet the
requirements of paragraphs (a) and (b) of this section, taking into
account any subsequent single failure, and separately, any combination
of failures that are not extremely remote.
4. Amend Sec. 25.629 by revising the introductory text of paragraphs
(b) and (d), redesignating paragraph (d)(10) as paragraph (d)(11), and
adding paragraph (d)(10) to read as follows:
Sec. 25.629 Aeroelastic stability requirements.
* * * * *
(b) Aeroelastic stability envelopes. The airplane must be free from
aeroelastic instability within the aeroelastic stability envelopes
described in this paragraph for all configurations and design
conditions, and for the load factors specified in Sec. 25.333.
* * * * *
(d) Failures, malfunctions, and adverse conditions. The failures,
malfunctions, and adverse conditions that must be considered in showing
compliance with this section are:
* * * * *
(10) Each of the following failure combinations:
(i) Any dual hydraulic system failure.
(ii) Any dual electrical system failure.
(iii) Any single failure in combination with any probable hydraulic
or electrical failure.
* * * * *
5. Revise Sec. 25.671 to read as follows:
Sec. 25.671 General.
(a) Each flight control and flight control system must operate with
the ease, smoothness, and positiveness appropriate to its function. The
flight control system must continue to operate and respond
appropriately to commands, and must not hinder airplane recovery, when
the airplane is experiencing any pitch, roll, or yaw rate, or vertical
load factor that could occur due to operating or environmental
conditions, or when the airplane is in any attitude.
(b) Each element of each flight control system must be designed, or
distinctively and permanently marked, to minimize the probability of
incorrect assembly that could result in failure of the system to
perform its intended function. The applicant may use distinctive and
permanent marking only where design means are impractical.
(c) The applicant must show by analysis, test, or both that the
airplane is capable of continued safe flight and landing after any
failure or event that results in a jam of a flight control surface or
pilot control due to a physical interference.
(1) The applicant must assume the jam evaluated under this
paragraph occurs at any normally encountered position of the flight
control surface or pilot control.
(2) The applicant must assume the jam evaluated under this
paragraph occurs anywhere within the normal flight envelope, except
that the applicant need not account for flight control jams that occur
immediately before touchdown if the applicant shows that such jams are
extremely improbable.
(3) In the presence of a jam evaluated under this paragraph, any
additional failure conditions that could prevent continued safe flight
and landing must have a combined probability of less than 1/1000.
(d) If all engines fail at any point in the flight, the airplane
must be controllable, and an approach and flare to a landing and
controlled stop must be
possible without requiring exceptional piloting skill or strength. The
applicant may show compliance with this requirement by analysis where
the applicant has shown that analysis to be reliable.
(e) The flight control system must indicate to the flightcrew
whenever the primary control means is near the limit of control
authority.
(f) If the flight control system has multiple modes of operation,
the system must alert the flightcrew whenever the airplane enters any
mode that significantly changes or degrades the normal handling or
operational characteristics of the airplane.
6. Amend Sec. 25.901 by revising paragraph (c) to read as follows:
Sec. 25.901 Installation.
* * * * *
(c) For each powerplant and auxiliary power unit installation, the
applicant must comply with the requirements of Sec. 25.1309, except
that the effects of the following failures need not comply with Sec.
25.1309(b)--
(1) Engine case burn-through or rupture,
(2) Uncontained engine rotor failure, and
(3) Propeller debris release.
* * * * *
7. Amend Sec. 25.933 by revising paragraph (a)(1) to read as follows:
Sec. 25.933 Reversing systems.
(a) * * *
(1) For each system intended for ground operation only, the
applicant must show--
(i) The airplane is capable of continued safe flight and landing
during and after any thrust reversal in flight; or
(ii) The system complies with Sec. 25.1309(b).
* * * * *
8. Revise Sec. 25.1301 to read as follows:
Sec. 25.1301 Function and installation.
Each item of installed equipment must--
(a) Be of a kind and design appropriate to its intended function;
(b) Be labeled as to its identification, function, or operating
limitations, or any applicable combination of these factors; and
(c) Be installed according to limitations specified for that
equipment.
9. Revise Sec. 25.1309 to read as follows:
Sec. 25.1309 Equipment, systems, and installations.
Except as provided in paragraphs (e) and (f) of this section, this
section applies to any equipment or system as installed on the
airplane. The applicant need not account for this section when showing
compliance with the performance and flight characteristic requirements
of subpart B of this part and the structural requirements of subparts C
and D of this part, except that this section applies to any system on
which compliance with any of those requirements is dependent.
(a) The airplane's equipment and systems, as installed, must meet
the following requirements:
(1) The equipment and systems required for type certification or by
operating rules, or whose improper functioning would reduce safety,
must perform as intended under the airplane operating and environmental
conditions; and
(2) Other equipment and systems functioning normally or abnormally
must not adversely affect the safety of the airplane or its occupants,
or the proper functioning of the equipment and systems addressed by
paragraph (a)(1) of this section.
(b) Each of the airplane's systems and associated components, as
installed, and evaluated both separately and in relation to other
systems, must meet all of the following requirements:
(1) Each catastrophic failure condition--
(i) Must be extremely improbable; and
(ii) Must not result from a single failure.
(2) Each hazardous failure condition must be extremely remote.
(3) Each major failure condition must be remote.
(4) Each significant latent failure must be eliminated except--
(i) If the Administrator finds it would be impractical for the
applicant to comply with paragraph (b)(4) of this section, the product
of the maximum time the failure is expected to be present and its
average failure rate must not exceed 1/1000; or
(ii) If the Administrator finds it would be impractical for the
applicant to comply with paragraph (b)(4)(i) of this section, the
applicant must minimize the time the failure is expected to be present.
(5) For each catastrophic failure condition that results from two
failures, either of which could be latent for more than one flight, the
applicant must show that--
(i) It is impractical to provide additional fault tolerance;
(ii) Given the occurrence of any single latent failure, the
probability of the catastrophic failure condition occurring due to all
subsequent single failures is remote; and
(iii) The product of the maximum time the latent failure is
expected to be present and its average failure rate does not exceed
1/1000.
(c) The applicant must provide information concerning unsafe system
operating conditions in order to enable the flightcrew to take
corrective action. The applicant must show that the design of systems
and controls, including indications and annunciations, minimizes crew
errors that could create additional hazards.
(d) The applicant must establish certification maintenance
requirements to prevent development of the failure conditions described
in paragraph (b) of this section. These requirements must be included
in the Airworthiness Limitations section of the Instructions for
Continued Airworthiness required by Sec. 25.1529.
(e) Section 25.1309(b)(1)(ii) does not apply to the flight control
jam conditions addressed by Sec. 25.671(c).
(f) Section 25.1309(b) does not apply to--
(1) Single failures in the brake system addressed by Sec.
25.735(b)(1);
(2) Failure effects addressed by Sec. Sec. 25.810(a)(1)(v) and
25.812;
(3) Uncontained engine rotor failure, engine case rupture, or
engine case burn-through failures addressed by Sec. Sec. 25.903(d)(1)
and 25.1193 and part 33 of this chapter; and
(4) Propeller debris release failures addressed by Sec. 25.905(d)
and part 35 of this chapter.
10. Amend Sec. 25.1365 by revising paragraph (a) to read as follows:
Sec. 25.1365 Electrical appliances, motors, and transformers.
(a) An applicant must show that, in the event of a failure of the
electrical supply or control system, the design and installation of
domestic appliances meet the requirements of Sec. 25.1309(b) and (c).
Domestic appliances are items such as cooktops, ovens, coffee makers,
water heaters, refrigerators, and toilet flush systems that are placed
on the airplane to provide service amenities to passengers.
* * * * *
11. In appendix H to part 25, under the heading H25.4, add paragraph
(a)(6) to read as follows:
Appendix H to Part 25--Instructions for Continued Airworthiness
* * * * *
H25.4 Airworthiness Limitations Section
* * * * *
(a) * * *
(6) Each certification maintenance requirement established to
comply with any of the applicable provisions of part 25.
* * * * *
Issued in Washington, DC, on November 30, 2022.
Lirio Liu,
Executive Director, Aircraft Certification Service.
[FR Doc. 2022-26369 Filed 12-7-22; 8:45 am]