System Safety Assessments, 68706-68735 [2024-18511]
[Federal Register Volume 89, Number 166 (Tuesday, August 27, 2024)]
[Rules and Regulations]
[Pages 68706-68735]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-18511]

[[Page 68705]]

Vol. 89 Tuesday, No. 166 August 27, 2024

Part II

Department of Transportation

-----------------------------------------------------------------------

Federal Aviation Administration

-----------------------------------------------------------------------

14 CFR Part 25

System Safety Assessments; Final Rule

[[Page 68706]]

-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Part 25

[Docket No.: FAA-2022-1544; Amdt. No. 25-152]
RIN 2120-AJ99

System Safety Assessments

AGENCY: Federal Aviation Administration (FAA), Department of Transportation (DOT).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The FAA is amending certain airworthiness regulations to standardize the criteria for conducting safety assessments for systems, including flight controls and powerplants, installed on transport category airplanes. With this action, the FAA seeks to reduce risk associated with airplane accidents and incidents that have occurred in service, and reduce risk associated with new technology in flight control systems. The intended effect of this rulemaking is to improve aviation safety by making system safety assessment (SSA) certification requirements more comprehensive and consistent.

DATES: Effective September 26, 2024.

ADDRESSES: For information on where to obtain copies of rulemaking documents and other information related to this final rule, see ``How to Obtain Additional Information'' in the SUPPLEMENTARY INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: Todd Martin, Technical Policy Branch, Policy and Standards Division, Aircraft Certification Service, Federal Aviation Administration, 2200 South 216th Street, Des Moines, WA 98198; telephone and fax (206) 231-3210; email [email protected].

SUPPLEMENTARY INFORMATION:

I. Authority for This Rulemaking

The FAA's authority to issue rules on aviation safety is found in Title 49 of the United States Code. Subtitle I, Section 106 describes the authority of the FAA Administrator. Subtitle VII, Aviation Programs, describes in more detail the scope of the FAA's authority.

This rulemaking is promulgated under the authority described in Subtitle VII, Part A, Subpart III, Section 44701, ``General Requirements.'' Under that section, the FAA is charged with promoting safe flight of civil aircraft in air commerce by prescribing regulations and minimum standards for the design and performance of aircraft that the Administrator finds necessary for safety in air commerce. This regulation is within the scope of that authority. It prescribes new safety standards for the design and operation of transport category airplanes.

II. Acronyms Frequently Used in This Document

Table 1--Acronyms Frequently Used in This Document
------------------------------------------------------------------------
Acronym    Definition
------------------------------------------------------------------------
AC........ Advisory Circular.
AD........ Airworthiness Directive.
AFM....... Airplane Flight Manual.
ALS....... Airworthiness Limitations section.
ARAC...... Aviation Rulemaking Advisory Committee.
ASAWG..... Airplane Level Safety Analysis Working Group.
CAST...... Commercial Aviation Safety Team.
CMR....... Certification Maintenance Requirement.
CS-25..... Certification Specifications for Large Aeroplanes (issued by EASA).
CSL+1..... Catastrophic Single Latent Failure Plus One (a failure condition).
EASA...... European Union Aviation Safety Agency.
ELOS...... Equivalent Level of Safety.
EWIS...... Electrical Wiring Interconnection System.
FCHWG..... Flight Controls Harmonization Working Group.
FTHWG..... Flight Test Harmonization Working Group.
ICA....... Instructions for Continued Airworthiness.
LDHWG..... Loads and Dynamics Harmonization Working Group.
NTSB...... National Transportation Safety Board.
PPIHWG.... Powerplant Installation Harmonization Working Group.
SDAHWG.... System Design and Analysis Harmonization Working Group.
SLF....... Significant Latent Failure.
SSA....... System Safety Assessment.
------------------------------------------------------------------------

Table of Contents

I. Authority for This Rulemaking
II. Acronyms Frequently Used in This Document
III. Overview of Final Rule
IV. Background
  A. Statement of the Problem
  B. Related Actions
  C. NTSB Recommendations
  D. Summary of the NPRM
  E. General Overview of Comments
V. Discussion of Comments and the Final Rule
  A. Section 25.4, Definitions
  B. Section 25.302, Interaction of Systems and Structures
  C. Section 25.629, Aeroelastic Stability Requirements
  D. Section 25.671, Flight Control Systems
  E. Section 25.901, Engine Installation
  F. Section 25.933, Reversing Systems
  G. Section 25.1301, Function and Installation
  H. Section 25.1309, Equipment, Systems and Installations
  I. Section 25.1365, Electrical Appliances, Motors, and Transformers
  J. Miscellaneous Comments
  K. Advisory Material
VI. Regulatory Notices and Analyses
  A. Regulatory Evaluation
  B. Regulatory Flexibility Determination
  C. International Trade Impact Assessment
  D. Unfunded Mandates Assessment
  E. Paperwork Reduction Act
  F. International Compatibility
  G. Environmental Analysis
VII. Executive Order Determinations
  A. Executive Order 13132, Federalism
  B. Executive Order 13175, Consultation and Coordination With Indian Tribal Governments
  C. Executive Order 13211, Regulations That Significantly Affect Energy Supply, Distribution, or Use
  D. Executive Order 13609, Promoting International Regulatory Cooperation
VIII. Additional Information
  A. Electronic Access and Filing

[[Page 68707]]

  B. Small Business Regulatory Enforcement Fairness Act

III. Overview of Final Rule

The FAA is amending regulations in title 14, Code of Federal Regulations (14 CFR) part 25 (Airworthiness Standards: Transport Category Airplanes) related to the safety assessment \1\ of airplane systems. The changes to part 25 affect applicants for type certification and operators of transport category airplanes. Applicants for type certification will be required to conduct their SSAs in accordance with the revised regulations. Changes to the Instructions for Continued Airworthiness (ICA) affect operators of newly certified airplanes, although the impact on those operators is not significant.

---------------------------------------------------------------------------
\1\ A system safety assessment is a structured process intended to systematically identify the risks pertinent to the design of aircraft systems, and to show that the systems meet safety requirements.
---------------------------------------------------------------------------

The FAA is revising and adding new safety standards to reduce the likelihood of potentially catastrophic risks due to latent failures in critical systems. Because modern aircraft systems (for example, avionics and fly-by-wire systems) are much more integrated than they were when the current safety criteria in Sec. 25.1309 and other system safety assessment rules were established in 1970,\2\ the new standards are more consistent for all systems of the airplane, reducing the chance of a hazard falling into a gap between the different regulatory requirements for different systems.

---------------------------------------------------------------------------
\2\ 35 FR 5665 (Apr. 8, 1970).
---------------------------------------------------------------------------

Consistent criteria for conducting SSAs also provides predictability for applicants by reducing the number of issue papers and special conditions necessary for airplane certification projects.\3\

---------------------------------------------------------------------------
\3\ As discussed in the preamble, special conditions are rules of particular applicability that the FAA issues to address novel or unusual design features. See 14 CFR 21.16.
---------------------------------------------------------------------------

Specifically, this final rule--

  Requires that applicants limit the likelihood of a catastrophic failure condition that results from a combination of two failures, either of which could be latent for more than one flight. See Sec. 25.1309(b)(5).

  Revises safety assessment regulations to eliminate ambiguity in, and provide consistency between, the safety assessments that applicants must conduct for different types of airplane systems.

    Section 25.1309 continues to contain the safety assessment criteria applicable to most airplane systems.

    Section 25.901(c) (powerplant installations) is amended to remove general system safety criteria. Instead, the powerplant installations covered in this section are required to comply with Sec. 25.1309 (system safety criteria).

    Section 25.933(a) (thrust reversing systems) allows compliance with Sec. 25.1309 as an option.

    Sections 25.671, 25.901, and 25.933 continue to contain criteria specific to flight control systems, powerplant installations, and thrust reversing systems, respectively, that are not addressed by Sec. 25.1309.

  Requires applicants to assess and account for any effect that the failure of a system could have on the structural performance of the airplane. See Sec. 25.302.

  Defines the different types of failure of flight control systems, including jams, and defines the criteria for safety assessment of those types of failures. See Sec. 25.671.

  Requires applicants to include, in the Airworthiness Limitations Section (ALS) of the airplane's ICA, necessary maintenance tasks that applicants identify during their SSAs. See Sec. 25.1309(e).

  Removes the ``function properly when installed'' criterion in Sec. 25.1301(a)(4) for installed equipment whose function is not needed for safe operation of the airplane.

IV. Background

A. Statement of the Problem

This action is necessary because airplane accidents, incidents, and service difficulties have occurred as a result of failures in airplane systems. Some of these occurrences were caused, in part, by insufficient design standards for controlling the risk of latent failures, which are failures that are not detected or annunciated when they occur. Current FAA regulations do not prevent the certification of an airplane with a latent failure that, when combined with another failure, could cause a hazardous or catastrophic accident.

Also, current regulations do not require establishment of mandatory inspections for significant latent failures (SLFs) that may pose a risk in maintaining the airworthiness of the airplane design. Such inspections are currently undertaken as industry practice and may be necessary to reduce exposure to these latent failures so airplanes continue to meet safety standards while in service.

Additionally, current regulations do not adequately address new technology in flight control systems and the effects these systems can have on controllability and structural capability. These issues are currently addressed by special conditions and equivalent level of safety (ELOS) findings. This action is also necessary to address flight control systems whose failure can affect the loads imposed on the airplane structure.

Lastly, certain system safety requirements have not been standardized across airplane systems. These regulations have specified different safety assessment criteria for different systems, which can lead to inconsistent standards across the airplane. Also, when systems that traditionally have been separate become integrated using new technology, applicants have expressed uncertainty regarding which standard to apply.

The FAA is addressing these issues by revising the system safety assessment requirements in part 25.

B. Related Actions

1. Aviation Rulemaking Advisory Committee (ARAC) Recommendations

Advances in flight controls technology, increased airplane system integration, and certain incidents, accidents, and service difficulties related to system failures prompted the FAA to task the ARAC with developing recommendations for new or revised requirements and compliance methods related to the safety assessment of airplane and powerplant systems. The ARAC accepted tasks on various airplane systems issues and assigned them to the Powerplant Installation Harmonization Working Group (PPIHWG),\4\ Flight Controls Harmonization Working Group (FCHWG),\5\ Loads and Dynamics Harmonization Working Group (LDHWG),\6\ and System Design and Analysis Harmonization Working Group (SDAHWG).\7\ The FAA also tasked the ARAC to make recommendations for harmonizing the relevant part 25 rules with the corresponding European certification specifications for large airplanes.\8\ The ARAC accepted this task [[Page 68708]] and assigned it to the relevant working groups.

---------------------------------------------------------------------------
\4\ 57 FR 58844 (Dec. 11, 1992).
\5\ 63 FR 45554 (Aug. 26, 1998).
\6\ 59 FR 30081 (Jun. 10, 1994).
\7\ 61 FR 26246 (May 24, 1996).
\8\ As the FAA noted in the Federal Register in 1993: ``The FAA announced at the Joint Aviation Authorities (JAA)-Federal Aviation Administration (FAA) Harmonization Conference in Toronto, Ontario, Canada, (June 2-5, 1992) that it would consolidate within the Aviation Rulemaking Advisory Committee structure an ongoing objective to ``harmonize'' the Joint Aviation Requirements (JAR) and the Federal Aviation Regulations (FAR). Coincident with that announcement, the FAA assigned to the ARAC those projects related to JAR/FAR 25, 33 and 35 harmonization which were then in the process of being coordinated between the JAA and the FAA.'' 58 FR 13819, 13820 (Mar. 15, 1993).
---------------------------------------------------------------------------

Although the working groups each addressed the subject of managing latent failures in safety critical systems, their recommendations were not consistent when defining the criteria for latent failures. After reviewing the relevant regulations and the recommendations from the working groups, the FAA, along with the European, Canadian, and Brazilian civil aviation authorities, identified a need to standardize SSA criteria. Therefore, in 2006, the FAA tasked the ARAC, which assigned the task to the Airplane-Level Safety Assessment Working Group (ASAWG),\9\ with creating consistent SSA criteria. The ASAWG completed its work in May 2010 and recommended a set of consistent requirements that would apply to all systems. Specific areas addressed in the recommendation report include latent failures, aging and wear, Master Minimum Equipment Lists, and flight and diversion time. The ASAWG recommended that the general system safety criteria for all airplane systems be governed by Sec. 25.1309, and recommended adjustments to the regulations and advisory material addressed by the working groups mentioned previously, to implement consistent system safety criteria. All ARAC working group recommendation reports are available in the docket for this final rule.

---------------------------------------------------------------------------
\9\ 71 FR 14284 (Mar. 21, 2006).
---------------------------------------------------------------------------

2. Harmonization With European Union Aviation Safety Agency (EASA) Certification Standards

EASA certification standards for large airplanes (CS-25) prescribes the airworthiness standards corresponding to 14 CFR part 25 for transport category airplanes certified by the European Union. Applicants for FAA type certification of transport category airplanes may also seek EASA validation of the FAA's type certificate. Where part 25 and CS-25 differ, an applicant must meet both airworthiness standards to obtain a U.S. type certificate and validation of the type certificate by foreign authorities, or obtain exemptions, equivalent level of safety findings or special conditions, or the foreign authority's equivalent to those, as necessary to meet one standard in lieu of the other. Where FAA and EASA can maintain harmonized requirements, applicants for type certification benefit by having a single set of requirements with which they must show compliance, thereby reducing the cost and complexity of certification and ensuring a consistent level of safety.

EASA incorporated the SDAHWG-recommended changes to CS/Sec. Sec. 25.1301 and 25.1309, and associated guidance, in its initial issuance of CS-25 on October 17, 2003.\10\ EASA incorporated the criteria regarding interaction of systems and structures recommended by the LDHWG into its regulatory framework as CS 25.302 and appendix K of CS-25 at amendment 25/1 on December 12, 2005.\11\ EASA incorporated the PPIHWG-recommended changes to CS/Sec. Sec. 25.901(c) and 25.933(a)(1), and associated guidance, at amendment 25/1. EASA incorporated the ASAWG-recommended regulatory and advisory material implementing consistent SSA criteria, at amendment 25/24 to CS-25, on January 10, 2020.\12\ This final rule harmonizes FAA requirements with those of EASA to the extent possible, with differences described in the section entitled ``Discussion of Comments and the Final Rule.''

---------------------------------------------------------------------------
\10\ www.easa.europa.eu/en/downloads/1516/en.
\11\ www.easa.europa.eu/en/document-library/certification-specifications/cs-25-amendment-1.
\12\ www.easa.europa.eu/en/downloads/108354/en.
---------------------------------------------------------------------------

C. NTSB Recommendations

This final rule addresses National Transportation Safety Board (NTSB) Safety Recommendations A-99-22, A-99-23,\13\ A-02-51,\14\ and A-14-119.\15\

---------------------------------------------------------------------------
\13\ NTSB Safety Recommendations A-99-22 and A-99-23 are available in the docket and at www.ntsb.gov/safety/safety-recs/recletters/A99_20_29.pdf.
\14\ NTSB Safety Recommendation A-02-51 is available in the docket and at www.ntsb.gov/safety/safety-recs/recletters/A02_36_51.pdf.
\15\ NTSB Safety Recommendation A-14-119 is available in the docket and www.ntsb.gov/safety/safety-recs/recletters/A-14-113-127.pdf.
---------------------------------------------------------------------------

In Safety Recommendation A-99-22, the NTSB recommends that the FAA ensure that future transport category airplanes provide a reliably redundant rudder actuation system.

In Safety Recommendation A-99-23, the NTSB recommends that the FAA require type certificate applicants to show that transport category airplanes are capable of continued safe flight and landing after jamming of a flight control at any deflection possible, up to and including its full deflection, unless the applicant shows that such a jam is extremely improbable. The final rule addresses these recommendations by revising Sec. 25.671(c).

In Safety Recommendation A-02-51, the NTSB recommends that the FAA review and revise airplane certification regulations, and associated guidance, applicable to the certification of transport category airplanes, to ensure that applicants fully address wear-related failures so that, to the maximum extent possible, such failures will not be catastrophic. The requirement to include certification maintenance requirements (CMRs) in the ALS responds to this safety recommendation, as well as the ACs accompanying this final rule that contain guidance on assessing wear-related failures as part of the SSA.

In Safety Recommendation A-14-119, the NTSB recommends that the FAA provide its certification engineers with written guidance and training to ensure that assumptions, data sources, and analytical techniques are fully identified and justified in applicants' safety assessments for designs incorporating new technology. Additionally, the NTSB recommends that an appropriate level of conservatism be included in the analysis or design, consistent with the intent of the draft guidance material that the SDAHWG recommended. AC 25.1309-1B, accompanying this final rule, contains the guidance.\16\

---------------------------------------------------------------------------
\16\ This advisory circular, and the other advisory circulars that accompany this final rule, are in the docket.
---------------------------------------------------------------------------

D. Summary of the NPRM

The FAA issued an NPRM on December 8, 2022 (87 FR 75424), that proposed amending certain airworthiness regulations. These regulations concern safety assessments for systems, including flight controls and powerplants, installed on transport category airplanes. The NPRM explained how the proposed regulations would reduce risk associated with airplane accidents and incidents that have occurred in service, and reduce risk associated with new technology in flight control systems. This action finalizes the proposal with changes made to address comments.

E. General Overview of Comments

V. Discussion of Comments and the Final Rule

Harmonization

The NPRM explained that the FAA's proposed rule would harmonize with the requirements of EASA to the extent possible, although there were differences in the requirements and language of the FAA's proposed regulations compared to EASA's corresponding regulations in CS-25.

Almost all organizational commenters requested the FAA revise the proposed rule to harmonize more closely with EASA CS-25. These commenters expressed concern that differences between the FAA's proposal and [[Page 68709]] EASA's existing regulations would burden applicants requesting validation of a type certificate issued by another civil aviation authority because the applicants would have to meet two sets of requirements and show multiple means of compliance for certification of the same design.

As discussed below, the FAA decided to address this concern by increasing harmonization of its final rule with the corresponding EASA CS-25 requirements. The FAA acknowledges that there are some remaining differences between the FAA's and EASA's regulations on this topic. The majority of differences between the final rule and the corresponding CS-25 regulations are differences in wording or structure that were made to satisfy FAA rulemaking constraints or improve the final rule language due to requests from commenters.

Although a few differences may be significant standards differences,\17\ as subsequently explained, the FAA does not expect these differences to increase the cost and complexity of certification for applicants pursuing validation nor result in a different level of safety between authorities.

---------------------------------------------------------------------------
\17\ Significant standards difference (SSD) refers to a validating authority airworthiness standard that either differs significantly from the certifying authority (CA) standard or has no CA equivalent. Reference: Technical Implementation Procedures for Airworthiness and Environmental Certification between the FAA and EASA, Revision 7, dated October 19, 2023, in the docket.
---------------------------------------------------------------------------

In addition, the commenters addressed the draft ACs that accompanied the NPRM. The FAA's responses to these comments can be found at the Dynamic Regulatory System (drs.faa.gov), along with the finalized ACs.

A. Section 25.4, Definitions

In the NPRM, the FAA proposed new Sec. 25.4 to define certain terms that the FAA is using in these revised regulations for system safety assessment of transport category airplanes.

1. Add Definitions

Boeing and GAMA/AIA requested the FAA add definitions of several terms to Sec. 25.4, including ``continued safe flight and landing,'' ``flightcrew,'' ``cabin crew,'' ``ground crew,'' ``maintenance personnel,'' ``exposure time,'' ``safety requirements'' and ``candidate CMR.'' GAMA/AIA requested the FAA explain why some terms, but not others, were defined in proposed Sec. 25.4.

The FAA does not agree to add new terms to Sec. 25.4 in this final rule. The FAA's intent in adding Sec. 25.4 is to define key terms that are new to part 25 rule text and used in the regulations that are part of this rulemaking (e.g., failure condition categories and probabilities).

AC 25.671-1, Control Systems--General, and AC 25.1309-1B, System Design and Analysis, include additional definitions for terms related to the requirements of Sec. Sec. 25.671 and 25.1309.

Boeing, GAMA/AIA, and Gulfstream suggested that the FAA add definitions for terms commonly used throughout part 25 regulations (e.g., ``impractical,'' ``essential'' and ``critical''). The FAA declines to define additional terms used in part 25, because the FAA does not intend Sec. 25.4 to include every term that is repeated in part 25.

2. Remove Definitions

ANAC, Bombardier, and Garmin requested the FAA not adopt proposed Sec. 25.4, Definitions. ANAC preferred that the FAA define these terms in 14 CFR part 1, Definitions and Abbreviations, while Bombardier and Garmin preferred that the FAA define these terms in guidance so that they can be more easily changed as needed. Gulfstream also noted that several terms that the FAA proposed to be included in Sec. 25.4 are not extensively used in part 25 and should be relocated to AC 25.1309-1B.

The FAA does not agree to omit new Sec. 25.4 from the final rule. Section 25.4 is necessary to define key terms and concepts that are new to part 25 rule text and part of this rulemaking. AC 25.1309-1B provides further information on these terms.

Gulfstream requested that the FAA move ``hazardous failure condition'' to AC 25.1309, unless the definition is applicable to ``hazardous'' across all regulations. The FAA does not agree to move this definition to the AC. The definition for ``hazardous failure condition'' in Sec. 25.4(b)(2) only applies to the part 25 regulations in which that exact phrase is used, and it does not apply to the terms ``hazard'' or ``hazardous,'' which are used throughout part 25 in different contexts. The FAA's use of ``hazardous'' across other part 25 rules does not necessarily imply a hazardous effect on the aircraft, flightcrew, or occupants.

While not relevant to the Gulfstream comment, the FAA notes a similar situation exists with the term ``extremely remote.'' The Sec. 25.4(c)(3) definition of ``extremely remote failure condition'' does not apply to the term ``extremely remote'' as used in Sec. 25.933 or Sec. 25.937. When those regulations were published, the term ``extremely remote'' meant ``extremely improbable,'' as used today.\18\

---------------------------------------------------------------------------
\18\ The use of the term ``extremely remote'' in Sec. Sec. 25.933 and 25.937 dates to the initial issue of 14 CFR in 1965. Section 25.933 was based on Civil Air Regulation (CAR) 4b.407, which was adopted at amendment 4b-01, May 17, 1954. Section 25.937 was based on CAR 4b.408, which was adopted at amendment 4b-6, July 8, 1957. The term ``extremely remote'' also appeared in CAR 04.310 on November 9, 1945. The FAA also stated in the Federal Register in 2001, ``The term `extremely improbable' (or its predecessor term, `extremely remote') has been used in 14 CFR part 25 for many years. The objective of this term has been to describe a condition (usually a failure condition) that has a probability of occurrence so remote that it is not anticipated to occur in service on any transport category airplane.'' 66 FR 23086, 23108 (May 7, 2001).
---------------------------------------------------------------------------

3. Revise Definitions

TCCA commented that the proposed definitions of ``major failure condition'' and ``hazardous failure condition'' do not include a pilot compensation aspect and suggested changes to these definitions. TCCA suggested adding ``(5) Considerable pilot compensation is required for control'' to the definition of ``major failure condition'' and ``(4) Intense pilot compensation is required to retain'' to the definition of ``hazardous failure condition'' in accordance with a pilot task-oriented approach for evaluating airplane handling qualities.

The FAA does not agree to change the definitions as suggested. The FAA's definitions of ``major failure condition'' and ``hazardous failure condition'' already include the effects on the flightcrew and their workload. Lastly, the definitions of ``major failure condition'' and ``hazardous failure condition'' specified in Sec. 25.4 are harmonized with those specified in EASA AMC 25.1309. Changing those definitions would disharmonize them with that AMC.

GAMA/AIA and Gulfstream requested the FAA replace ``persons'' with ``occupants'' in the Sec. 25.4 definition of ``hazardous failure condition.'' The commenters stated that the use of ``persons'' in lieu of ``occupants'' is an unsubstantiated expansion of the scope of the safety analysis to include people not on the aircraft. In addition, EASA's definition uses ``occupants.''

The FAA does not agree with this request. The FAA intends the term ``persons'' not to be limited to aircraft occupants. Although EASA's definition uses the term ``occupants,'' EASA has interpreted ``occupants'' to include persons other than airplane occupants in its Acceptable Means of Compliance (AMC) 25.1309. Specifically, AMC 25.1309 states, ``Where relevant, the effects on persons other than the aeroplane occupants should be taken [[Page 68710]] into account when assessing failure conditions in compliance with CS 25.1309.''

TCCA commented that the FAA should revise its definition of ``hazardous failure condition'' to exclude fatalities. TCCA stated that any fatalities should be considered catastrophic. The FAA did not make this change in this final rule, as doing so would not be consistent with long-standing FAA equivalent safety findings, nor with industry standards and practice, and would disharmonize the definition of ``hazardous failure condition'' with EASA AMC 25.1309.

Boeing and GAMA/AIA requested the FAA revise the definition of ``catastrophic failure condition'' to incorporate a note regarding failure conditions, which would prevent continued safe flight and landing (CSFL). Boeing also requested the FAA standardize the definition across the ACs associated with this rulemaking because the draft ACs were not consistent in their use of CSFL and associating this concept with ``catastrophic failure condition.''

The FAA partially agrees with this request. The FAA added a note to the definition of ``catastrophic failure condition'' in AC 25.1309-1B to indicate that a failure condition that would prevent continued safe flight and landing should be classified as ``catastrophic'' unless otherwise defined in other, more specific, ACs. The FAA did not add the note to the regulatory definition in Sec. 25.4 because the note is guidance on the application of the definition.

Boeing requested that the FAA update the Sec. 25.4(b)(1) definition of ``major failure condition'' to add ``physical discomfort'' as an effect on the flight crew and to use the term ``cabin crew'' instead of ``flight attendants'' for consistency with EASA Acceptable Means of Compliance (AMC) 25.1309. The FAA agrees and has incorporated these updates in the final rule for Sec. 25.4(b)(1).

GAMA/AIA and Gulfstream requested the FAA remove Sec. 25.4(b)(1)(iv) (``An effect of similar severity'') from the definition of ``major failure condition'' in Sec. 25.4(b)(1). They stated this is a new addition to the definition and may cause confusion. The FAA does not agree to remove ``an effect of similar severity'' from the definition. This phrase replaces the term ``for example'' in EASA's definition. This does not add any additional criteria to the existing safety objective of ``major'' severity.

Boeing and GAMA/AIA requested the FAA revise the definition of ``significant latent failure'' to ``Any latent failure that is present in any combination of failures or events resulting in a hazardous or catastrophic failure condition.'' Boeing stated that this proposed definition minimizes possible misunderstanding or misinterpretation of the significant latent failure. The FAA did not make this change because the wording of the significant latent failure definition is well-established and unchanged from AC 25.1309-1A.

Except for the foregoing updates to the definition of ``major failure condition'' in Sec. 25.4(b)(1), new Sec. 25.4, Definitions, is adopted as proposed.

B. Section 25.302, Interaction of Systems and Structures

In the NPRM, the FAA proposed a new section, Sec. 25.302, that would require an applicant to account for systems, and their possible failure, when assessing the structural performance of its proposed design. Modern flight control systems are more sophisticated than their predecessors and offer advantages such as load limiting and alleviation. However, as the FAA discussed in the NPRM, these systems can also have failure states that may allow the system to function in degraded modes that flightcrews may not readily detect and in which the load alleviation or limiting function may be adversely affected.

The FAA based much of its proposed regulation on the requirements of special conditions that the FAA has issued for several years to address these concerns on previous certification programs. However, as detailed in the NPRM, proposed Sec. 25.302 included a number of differences compared to the special conditions and as compared to EASA CS 25.302. The primary objective of the Sec. 25.302 rule that the FAA proposed in the NPRM was to reduce confusion for authorities and applicants by simplifying the rule text relative to previously-issued special conditions.
ATR, Boeing, Bombardier, TCCA, Airbus, EASA, GAMA/AIA, Gulfstream, and ANAC did not object to the FAA codifying the terms of its special conditions that it has been issuing to address this issue. However, they requested the FAA harmonize (by using the same language and, if possible, the same paragraph and appendix numbering for) proposed Sec. 25.302 as EASA CS 25.302, which includes Appendix K by reference.

The FAA recognizes the benefits of harmonization. These benefits include regulatory predictability and the reduction of burden on applicants and civil aviation authorities. Therefore, except as discussed below, in this final rule, the FAA has harmonized new Sec. 25.302 with EASA CS 25.302 to match the language and structure of EASA's rule to the extent allowed by FAA rulemaking constraints.

In this final rule, the FAA has revised the proposed Sec. 25.302 to more closely harmonize with EASA CS 25.302, which includes Appendix K by reference. The FAA has revised proposed Sec. 25.302 to harmonize with CS 25.302 in the determination of structural safety factors; the load conditions that the applicant must consider following system failures; residual strength substantiation; fatigue and damage tolerance; failure indications; and dispatch with known failure conditions. The FAA is revising these requirements relative to what was proposed in the NPRM because much of the criteria in CS 25.302 more closely matches the FAA Interaction of Systems and Structures special conditions that have been applied on numerous transport category airplane programs and have proven to provide a satisfactory level of safety.\19\ Also, the NPRM proposal, if adopted, would have introduced a number of differences between FAA and EASA requirements and created a potential certification burden.

\19\ 87 FR 16626 (Mar. 24, 2022); 82 FR 36328 (Aug. 4, 2017).
The FAA stated in the NPRM that the proposed Sec. 25.302(e), which would have provided structural requirements for dispatch under the master minimum equipment list provided by the applicant, would provide safety benefits by using a simpler approach to address the risk associated with dispatching an airplane with known failure conditions. However, the FAA agrees with commenters that two different sets of criteria (FAA and EASA) would only cause more difficulty for manufacturers, the FAA, and other civil aviation authorities.

The FAA also stated in the NPRM that proposed Sec. 25.302 would provide safety benefits by using simpler, and in some cases more conservative, criteria compared with CS 25.302 and previous FAA special conditions. The FAA agrees with commenters that its special conditions, which used the same factor-of-safety formulae as used in CS 25.302, have proven to provide a satisfactory level of safety and that more conservative criteria are not necessary. By more closely harmonizing with CS 25.302 and previous FAA special conditions, applicants will be able to rely on past practices.

The public could have reasonably anticipated the FAA would adopt final rule text that closely harmonizes with CS 25.302, given the FAA's prior special conditions, the common safety purpose of the FAA and EASA regulations on this topic, and the harmonization discussion throughout the NPRM.

In this final rule, the FAA has also revised Sec. 25.302 to harmonize with CS 25.302 in terms of the rule structure and paragraph numbering, although CS-25 includes CS 25.302 criteria within Appendix K, while 14 CFR part 25 includes all criteria directly in Sec. 25.302.

The regulatory text proposed by the FAA in the NPRM did not require applicants to consider the effect of nonlinearities, but the preamble reflected the FAA's assumption that applicants would do so.
Consistent with CS 25.302, in this final rule, the FAA has made this consideration a regulatory requirement.

In the NPRM, the FAA stated that proposed Sec. 25.302 would not include any aeroelastic stability requirements, only loads requirements. The FAA did not revise this final rule to harmonize with CS 25.302 in terms of aeroelastic stability criteria. As discussed in the NPRM, the FAA finds that the failure criteria specified in Sec. 25.629 are adequate, and there is no need to propose different failure criteria in Sec. 25.302.

Airbus, Boeing, Bombardier, Dassault, DeHavilland, GAMA/AIA, Gulfstream, Pratt & Whitney, and TCCA requested specific changes to proposed Sec. 25.302 in the event the FAA chose not to harmonize Sec. 25.302 with EASA CS 25.302. The requested specific changes are no longer applicable as the FAA has largely harmonized Sec. 25.302 in this final rule with EASA CS 25.302.

Airbus proposed that the FAA consolidate, into new Sec. 25.302, the requirement of Sec. 25.305(f) that the airplane must be designed to withstand any forced structural vibration resulting from any failure, malfunction, or adverse condition in the flight control system. The FAA does not agree. In this final rule, the FAA keeps those as separate requirements because the requirement in Sec. 25.305(f) may apply to systems and failures not addressed by Sec. 25.302. Also, Sec. 25.305(f) is currently harmonized with CS 25.305(f).

1. Summary of Requirements

For airplanes equipped with systems that affect structural performance, Sec. 25.302, in this final rule, requires the applicant take into account the influence of these systems and their failure conditions when showing compliance with the requirements of subparts C and D of 14 CFR part 25. New Sec. 25.302(b) specifies requirements for when the systems are fully operative. New Sec. 25.302(c) specifies requirements for failure conditions at the time of occurrence (Sec. 25.302(c)(1)) and for the continuation of flight (Sec.
25.302(c)(2)). New Sec. 25.302(c) includes requirements related to structural vibrations, residual strength, and fatigue and damage tolerance for these failure conditions. Finally, the rule provides failure indication (Sec. 25.302(d)) and dispatch requirements (Sec. 25.302(e)).

2. Applicability

Boeing, Bombardier, DeHavilland, GAMA/AIA, and Pratt & Whitney requested that the FAA clarify the applicability of proposed Sec. 25.302, including whether the FAA's final rule would apply only, as did the FAA's special conditions and EASA CS 25.302, to the airplane structure whose failure could prevent continued safe flight and landing.

The applicability of Sec. 25.302 in this final rule is as follows. As stated in the final rule text, Sec. 25.302 applies to systems that affect structural performance, either directly or as a result of a failure or malfunction. A system affects structural performance if it can induce loads on the airplane or change the response of the airplane to inputs such as gusts or pilot actions. Examples of these systems include flight control systems, autopilots, stability augmentation systems, load alleviation systems, and fuel management systems.

Section 25.302, in this final rule, specifies the loads that the applicant's analysis must apply to structure, taking into account the systems defined above, operating normally and in the failed state. As stated in the final rule text, these structural requirements apply only to structure whose failure could prevent continued safe flight and landing. This limitation is consistent with the requirements of the special conditions that the FAA has been applying for more than twenty years.

Section 25.302, in this final rule and as proposed in the NPRM, does not apply to the flight control jam conditions covered by Sec. 25.671(c)(3) or the discrete source events covered by Sec. 25.571(e).
Section 25.302 also does not apply to any failure or event that is external to (not part of) the system being evaluated and that would itself cause structural damage.

3. Clarification of Terms

In this final rule, Sec. 25.302(b) states that with the system fully operative, the applicant must investigate the effect of nonlinearities sufficiently beyond limit conditions to ensure the behavior of the system presents no detrimental effects compared to the behavior below limit conditions. The intent of this sentence is to require the applicant to investigate the system effects ``sufficiently beyond limit'' to ensure that no detrimental effects could occur at limit load or just beyond.

Sections 25.302(c)(1)(ii) and (c)(2)(iii) of this final rule include a reference to residual strength substantiation. This is referring to the residual strength substantiation required by Sec. 25.571(b).

Section 25.302(c)(2)(iv) of this final rule states that if the loads induced by the failure condition have a significant effect on fatigue or damage tolerance, then the applicant must take their effects into account. A failure condition has a ``significant'' effect on fatigue or damage tolerance if it would result in a change to inspection thresholds, inspection intervals, or life limits.

Section 25.302(d)(1) of this final rule requires the flightcrew to be made aware of certain failure conditions before flight, as far as practicable. In this case, ``as far as practicable'' means that if automatic failure indication can detect such a failure using current technology, then that failure should be so monitored and indicated to the flightcrew before flight.

4. Significant Standards Differences Between Sec. 25.302 and EASA CS 25.302

Section 25.302 of this final rule differs from CS 25.302 and Appendix K, as discussed below.

As noted above, unlike CS 25.302, new Sec. 25.302 does not include any aeroelastic stability requirements.
Section 25.629 and CS 25.629 both specify flutter speed margins for failure conditions, but CS 25.302 includes additional aeroelastic failure criteria. As indicated in the NPRM, the FAA finds the failure criteria specified in Sec. 25.629 to be adequate, and additional failure criteria in Sec. 25.302 are unnecessary. This is a significant standards difference between Sec. 25.302 and CS 25.302.

The NPRM proposed, and in this final rule Sec. 25.302 requires, the evaluation of any system failure condition not shown to be extremely improbable or that results from a single failure. Several commenters, including Bombardier, Airbus, and TCCA, stated that single failures that an applicant shows to be extremely improbable should not be included in Sec. 25.302, while Boeing agreed that single failures should be included regardless of probability. The FAA does not agree to exclude single failures from Sec. 25.302 in this final rule for the following reasons:

(1) To be consistent with Sec. Sec. 25.671 and 25.1309, both of which require the evaluation of single failures, and related guidance, and past practice for these regulations, the FAA determined, as indicated in the NPRM, that single failures should be assumed to occur regardless of probability.

(2) The typical language of the FAA's Interaction of Systems and Structures special conditions, used to address this issue on a variety of transport category airplane programs for more than twenty years, refers to any system failure condition ``not shown to be extremely improbable.'' Even though the special conditions have not explicitly mentioned single failures, the FAA's long-standing position on single failures is that they cannot be accepted as being extremely improbable.
As noted in AC 25.1309-1A, dated June 21, 1988: ``In general, a failure condition resulting from a single failure mode of a device cannot be accepted as being extremely improbable.''

(3) The FAA has determined that not including single failures in the evaluation would reduce safety.

To conclude, CS 25.302 requires the evaluation of any system failure condition not shown to be extremely improbable, and that rule does not explicitly mention single failures. Therefore, this is a significant standards difference between Sec. 25.302 in this final rule and CS 25.302.

CS 25.302 and Sec. 25.302 in this final rule both require evaluation of failure conditions that affect structural performance, and for these failure conditions, both rules specify certain load conditions that must be evaluated for the continuation of flight. Section 25.302 includes an additional requirement not included in CS 25.302: Section 25.302(c)(2)(i)(F) requires the applicant to evaluate any other load condition for which a system is specifically installed or tailored to reduce the loads of that condition. ``Tailored'' means the system is designed or modified to change the response of the airplane to inputs such as gusts or pilot actions and thereby affect the resulting loads on the airplane. This is necessary to account for any systems that are designed to reduce the loads resulting from load conditions not specified in Sec. 25.302(c)(2)(i)(A) through (E) and whose failure would increase loads relative to the design load level. This is a significant standards difference between Sec. 25.302 and CS 25.302.

5. Nonsignificant Standards Differences Between Sec. 25.302 and EASA CS 25.302

Section 25.302 does not include paragraphs (a) and (b) from CS-25 Appendix K, K25.1 General, except for one sentence from K25.1(a). That sentence indicates that the criteria in Sec. 25.302 are only applicable to structure whose failure could prevent continued safe flight and landing. Also, new Sec.
25.302(c), discussed above, does not include paragraph (c)(3) from Appendix K, K25.2 Effects of Systems on Structures. The FAA did not include these paragraphs because the FAA determined they are general in nature and do not contain any specific requirements.

Section 25.302 does not include the definitions found in paragraph K25.1(c). The FAA determined these terms are sufficiently understood and do not need to be provided in the rule.

While Sec. 25.302 is mostly harmonized with CS 25.302, there are a number of minor differences in wording, as follows:

CS-25 K25.2 paragraph (b) provides requirements for a fully operative system. Section 25.302(b) mandates the same requirements but states them more succinctly.

CS-25 K25.2 paragraph (c) provides requirements for a failed system. Section 25.302(c) mandates the same requirements but removes passive voice and states those requirements more succinctly.

CS-25 K25.2 paragraph (d) provides failure indication requirements. Section 25.302(d) mandates the same requirements but does not include the last two sentences of K25.2 paragraph (d)(1) because they are unnecessary given the first two sentences of paragraph (d)(1).

CS-25 K25.2 paragraph (e) and Sec. 25.302(e) of this final rule address dispatch requirements. In Sec. 25.302(e), the FAA includes a specific reference to the Master Minimum Equipment List, which the operator uses to develop their Minimum Equipment List, the primary document that controls dispatch requirements. Also, CS 25.302(e) includes a requirement that flight and operational limitations be such that being in a failure state and then encountering limit load is extremely improbable. The FAA did not include this requirement because Sec. 25.302(e) already includes specific criteria related to dispatch, and this requirement could potentially conflict with those criteria.

Finally, EASA includes CS 25.302 criteria within CS-25 Appendix K, while this final rule includes the equivalent criteria in Sec. 25.302.
In conclusion, to address the potential effects of aircraft systems on structure, the FAA does not adopt the text of Sec. 25.302 that the FAA proposed in the NPRM. Instead, the FAA, as requested by several commenters, adopts a new Sec. 25.302 that more closely hews to the language of the FAA's longstanding special conditions on this topic and to EASA CS 25.302, with the modifications set forth in the foregoing discussion.

C. Section 25.629, Aeroelastic Stability Requirements

Summary of Changes to Current Rule

Section 25.629 establishes several requirements to ensure the aeroelastic stability of the airplane. For example, it requires the applicant to consider the potential effect of several types of failures on the airplane's aeroelastic stability. In the NPRM, the FAA proposed to revise paragraphs (b) and (d) of this section, as discussed below.

In this final rule, the FAA is revising the paragraph numbers of Sec. 25.629 to correspond with EASA's rule (i.e., Sec. 25.629(d)(9) becomes (d)(10); Sec. 25.629(d)(10) becomes (d)(11); and the failure evaluation requirements are introduced in Sec. 25.629(d)(9)), as requested by commenters and explained below. The FAA is also revising the text in Sec. 25.629(d)(9), as requested by commenters and as explained below, to harmonize with EASA CS 25.629(d)(9) and to clarify when the new failure evaluation requirements are applicable.

Furthermore, as requested by commenters and explained below, the FAA is not revising Sec. 25.629(b), as was proposed in the NPRM, to include the reference to Sec. 25.333. Instead, the FAA is revising Sec. 25.629(a) to clarify that the aeroelastic evaluation must include any condition of operation within the maneuvering envelope. This revision to proposed Sec. 25.629(a) is consistent with current existing industry practice of evaluating the aeroelastic impact of loads due to allowed maneuvers for part 25 airplanes and is stated explicitly in Sec.
23.629 at amendment 23-63 \20\ and EASA CS 23.629 amendment 23/4. The FAA also revised Sec. 25.629(a) in this final rule to consistently use the singular term ``evaluation'' where it appears in order to prevent confusion.

\20\ 76 FR 75736 (December 2, 2011).

1. Paragraphs (a) and (b)

In the NPRM, the FAA proposed to specify that the aeroelastic stability envelope addressed by Sec. 25.629(b) includes the range of load factors in Sec. 25.333, Flight Maneuvering Envelope.

GAMA/AIA, Gulfstream, DeHavilland, Airbus, Bombardier, and Boeing requested the FAA not make this change. The commenters stated this would be an expansion of the traditional scope of Sec. 25.629 and that it would disharmonize the FAA's rule with EASA rules. The commenters also stated that the structural design envelope defined in Sec. 25.333 is not intended for aeroelastic stability analysis and should not be confused with the normal flight envelope of an airplane.

The FAA agrees with the commenters that the proposed change would disharmonize with CS 25.629 and potentially confuse the FAA's aeroelastic stability requirements with the strength requirements of Sec. 25.333. Therefore, in this final rule, the FAA did not adopt the reference to Sec. 25.333 in Sec. 25.629(b), which remains unchanged.

However, including conditions within the flight maneuvering envelope that is described in Sec. 25.333 in aeroelastic stability evaluations is common practice because such conditions are anticipated to be encountered in flight and therefore need to be free from aeroelastic instabilities. Thus, although paragraph (b) of Sec. 25.629 does not reference Sec. 25.333, in this final rule, paragraph (a) of Sec. 25.629 now states that the aeroelastic evaluation must ``include any condition of operation within the maneuvering envelope.'' This change to Sec.
25.629(a) is consistent with Sec. 23.629 at amendment 23-63 and EASA CS 23.629 amendment 23/4, which also address conditions of operation in paragraph (a). The FAA has also issued AC 25.629-1C, Aeroelastic Stability Substantiation of Transport Category Airplanes, to provide more details, further clarify the intent of the rule change, and provide an acceptable means of compliance.

2. Paragraph (d)

In the NPRM, the FAA proposed to relocate certain requirements for applicants to analyze specific failures from Sec. 25.671(c)(2) to Sec. 25.629(d).

Gulfstream requested the FAA revise proposed Sec. 25.629(d) to consider the probability of the noted failure conditions and exclude extremely improbable failure combinations. Gulfstream stated that current Sec. 25.671(c)(2) states ``Any combination of failures not shown to be extremely improbable. . .''; however, proposed Sec. 25.629(d)(10) would not have limited its scope to ``combination of failures not shown to be extremely improbable.''

In addition, GAMA/AIA requested the FAA not adopt proposed Sec. 25.629(d)(10) and instead leave these requirements in current Sec. 25.671. GAMA/AIA stated that by explicitly adding the failures to proposed Sec. 25.629(d)(10), regardless of probability, a more strenuous requirement is added without justification. GAMA asserted that retention of the exclusion of extremely improbable combinations will serve to incentivize designs of higher reliability.

The FAA does not agree with these requests. The FAA does not agree with the commenters' suggestions to limit the required consideration to failures that the applicant cannot show are extremely improbable. The stated conditions need to be considered by the applicant regardless of probability calculations if the airplane's aeroelastic stability relies on flight control system stiffness, damping, or a combination of both. Proposed Sec.
25.629(d)(10), which is now paragraph (d)(9) in the final rule, reflects current industry practice and existing guidance in AC 25.629-1B and EASA Acceptable Means of Compliance (AMC) Sec. 25.629. In addition, the requested change would have introduced a significant difference between the standards of the FAA and EASA CS 25.629.

Boeing, Bombardier, and Gulfstream requested that proposed paragraph Sec. 25.629(d)(10) be more closely harmonized with the corresponding CS 25.629 paragraph in its introductory text to include the text ``where aeroelastic stability relies on flight control system stiffness and/or damping'' to provide clarity to the application of this requirement. The FAA agrees with this request because it clarifies the situations for which failure evaluations are required and has updated Sec. 25.629(d)(9) in the final rule to more closely harmonize with EASA and to include the text ``where aeroelastic stability relies on flight control system stiffness, damping, or both.''

Airbus requested that the FAA remove the reference to Sec. 25.671 from current Sec. 25.629(d)(9). Airbus stated that this reference may no longer be applicable because, in the NPRM, the FAA proposed to consolidate the requirements in current Sec. 25.671(c)(1) and (c)(2) under proposed Sec. 25.1309. In this final rule, the FAA has redesignated paragraph (d)(9) of Sec. 25.629 as paragraph (d)(10) and updated Sec. 25.671(c) to align with CS 25.671(c). The FAA has retained the reference to Sec. 25.671 in Sec. 25.629(d)(10) because, in the final rule, applicants must still evaluate the failure conditions of paragraph Sec. 25.671(c) under Sec. 25.629(d)(10).

D. Section 25.671, Flight Control Systems

In the NPRM, the FAA proposed a number of revisions and additions to Sec. 25.671, as summarized and discussed below.

Airbus, ANAC, Boeing, GAMA, Gulfstream, Safran, and TCCA requested the FAA harmonize one or more paragraphs of Sec. 25.671 with EASA CS 25.671.
The FAA agrees with these requests and, in this final rule, has changed proposed Sec. 25.671(a), (b), (c), (d), (e), and (f) to better align with EASA CS 25.671.

1. Paragraph (a)

In the NPRM, the FAA proposed to revise Sec. 25.671(a) by referring to each ``flight control'' and ``flight control system'' instead of ``control'' and ``control system.'' To harmonize with CS 25.671(a), the final rule now refers only to each ``flight control system.'' This is not a substantive change from the NPRM.

In the NPRM, the FAA also proposed to revise Sec. 25.671(a) to require the flight control system to continue to properly operate, and not hinder airplane recovery when the airplane experiences certain conditions, including any ``pitch, roll, or yaw rate, or vertical load factor.'' The FAA proposed that this change would ensure there would be no features or unique characteristics of the flight control system that restrict the pilot's ability to recover from any attitude, pitch, roll or yaw rate, or vertical load factor expected to occur due to operating or environmental conditions.

ANAC and TCCA suggested changing proposed Sec. 25.671(a) to specify ``any flight dynamics parameter'' instead of ``any pitch, roll, yaw rate, or vertical load factor'' to harmonize with EASA language. The FAA does not agree. The suggested change would be a potentially open-ended requirement because ``any flight dynamics parameter'' could mean many different parameters. The text in Sec. 25.671(a) \21\ is more specific, sufficient to accomplish its purpose, and is adopted as proposed.

\21\ AC 25.671-1 provides additional information.

2. Paragraph (b)

In the NPRM, the FAA proposed to revise Sec.
25.671(b) by referring to incorrect assembly that could result in ``failure of the system to perform its intended function.'' To harmonize with CS 25.671(b), the final rule now refers to incorrect assembly that could result in ``failure or malfunctioning of the system.'' This is not a substantive change from the NPRM.

An individual commenter requested the FAA move the requirement to minimize the probability of incorrect assembly from Sec. 25.671(b) to Sec. 25.1309 and make it applicable to all systems. The commenter stated that designing a system to ensure it can only be assembled correctly is a basic good engineering practice.

The FAA does not agree to make this change to the regulation. The requirements of Sec. 25.671(b) apply only to flight control systems. Other systems are subject to different requirements for minimizing incorrect assembly and different marking requirements. The incorrect assembly addressed by Sec. 25.671(b) is that which could result in failure or malfunctioning of the system. Section 25.1309(a) requires the proper functioning of the equipment, systems, and installations whose function is required by subchapter C of title 14. The issue of incorrect assembly is addressed in AC 25.1309-1B, by reference to Aerospace Recommended Practice (ARP) 4761 ``Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment.'' Improper assembly within ARP4761 is a manufacturing consideration with consideration to common mode type sources or failures/errors only.

ANAC requested the FAA harmonize proposed Sec. 25.671(b) with EASA CS 25.671(b) by adding ``taking into consideration the potential consequence of incorrect assembly'' to the requirement. The FAA does not agree with this request. The general requirements of this paragraph apply to each element of each flight control system regardless of the potential consequence of incorrect assembly. Revised Sec. 25.671(b) is therefore adopted as proposed.
3. Introductory Text of Paragraph (c)

The NPRM proposed certain conforming changes to the introductory text of paragraph (c), as a result of the FAA's proposal to remove the flight control system failure criteria of Sec. 25.671(c)(1) and (c)(2) and substitute the general criteria of 14 CFR 25.1309. As explained below, the FAA decided to retain the specific criteria of Sec. 25.671(c)(1) and (c)(2), and so the proposed changes to the introductory text of paragraph (c) are now no longer necessary. Therefore, in this final rule, the introductory paragraph (c) is unchanged from the current paragraph (c), except as described herein.

The current Sec. 25.671(c) introductory text refers to the flight control system and surfaces (including trim, lift, drag, and feel systems). To harmonize with CS 25.671(c), the final rule refers only to the flight control system, which includes surfaces and the other referenced systems. This is not a significant change.

The current Sec. 25.671(c) introductory text requires the applicant to show that the airplane is capable of continued safe flight and landing after jams and other failures ``without requiring exceptional piloting skill or strength.'' Gulfstream requested the FAA not remove ``without requiring exceptional skill or strength'' from Sec. 25.671(c). The FAA does not agree because that clause is now included in the definition of continued safe flight and landing provided in AC 25.671-1. Therefore, including this phrase in Sec. 25.671(c) is no longer necessary. The final rule is also harmonized with CS 25.671(c) and AMC 25.671 in this regard.

Gulfstream requested the FAA not eliminate, as it proposed in the NPRM, the Sec. 25.671(c) requirement for probable flight control failures to have only ``minor'' effects. The company stated that minor failures for Sec. 25.1309 tend to only have a functional hazard assessment (FHA)-level review in the SSA. There is no specific requirement in Sec. 25.1309(b) to address minor failures.
As such, there may be probable flight control failures that are not explicitly addressed by the Sec. 25.1309(b) process. The FAA agrees. The final rule retains the noted text.

ANAC requested the FAA move the requirement that compliance be shown ``by analysis, test, or both . . .'' from Sec. 25.671(c) to AC 25.671-1, stating that this text is guidance. The FAA does not agree. This portion of the text in Sec. 25.671(c) was not proposed to be revised in the NPRM, has been in place for many decades in the current rule, is understood by applicants, and is harmonized with CS 25.671(c).

4. Paragraphs (c)(1) and (c)(2)

The NPRM proposed that current Sec. 25.671(c)(1) and (c)(2) be removed and all flight control system failures be covered by Sec. 25.1309. Boeing, Airbus, ANAC, GAMA/AIA, Gulfstream, and TCCA requested the FAA retain the current Sec. 25.671(c)(1) and (c)(2) in order to better align Sec. 25.671(c) with EASA CS 25.671(c).

The FAA agrees with commenters that removing Sec. 25.671(c)(1) and (c)(2) would create a certification burden due to differences with EASA requirements and because different means of compliance are normally used for Sec. Sec. 25.671(c) and 25.1309(b), as described in their respective ACs. Therefore, the FAA agrees to retain Sec. 25.671(c)(1) and (c)(2).

If the FAA chose not to change Sec. 25.671(c)(1) and (c)(2), TCCA, ANAC, Bombardier, and Boeing requested specific changes to Sec. 25.671(c) in order to more closely harmonize with EASA CS 25.671(c). The requested changes are no longer relevant as the FAA has decided to retain Sec. 25.671(c)(1) and (c)(2).

5. Paragraph (c)(3)

In the NPRM, the FAA proposed that revised Sec. 25.671(c) would address flight control jams. With the retention of Sec. 25.671(c)(1) and (c)(2), described above, flight control jams will continue to be addressed by Sec. 25.671(c)(3). The proposed rule would have addressed flight control jams in Sec. 25.671(c)(1), (c)(2), and (c)(3).
The corresponding paragraphs for these requirements in this final rule are Sec. 25.671(c)(3)(i), (c)(3)(ii), and (c)(3)(iii). To harmonize with CS 25.671(c)(3) and as recommended by the ARAC FCHWG, and as described in the NPRM, this final rule refers to jams of a flight control surface or pilot control that are ``fixed in position'' due to a physical interference. 6. Exception in Paragraph (c)(3)(ii) Proposed Sec. 25.671(c)(2) would have excepted jams that occur immediately before touchdown if the applicant were able to show that such jams are extremely improbable. (In this final rule, Sec. 25.671(c)(2) is renumbered as Sec. 25.671(c)(3)(ii).) The FAA proposed this exception due to the lack of practical means for applicants to show compliance, and the short duration of the potential hazard. GAMA/AIA and Gulfstream requested the FAA revise proposed Sec. 25.671(c)(2) to incorporate the 2002 ARAC FCHWG recommendation, which excluded consideration of jams occurring immediately before touchdown regardless of probability. The FAA agrees that the consideration of jams before touchdown should not be linked with a numerical estimate of the probability of the jam. Instead, in this final rule the FAA has reworded Sec. 25.671(c)(3)(ii) to exclude consideration of jams immediately prior to touchdown if the risk of a potential jam is minimized to the extent practical. AC 25.671-1 provides guidance on acceptable means of showing compliance with this requirement. This is a difference between Sec. 25.671(c)(3)(ii) and EASA CS 25.671(c)(3)(ii) because CS 25.671(c)(3)(ii) does not include an exception for jams occurring just before touchdown. The FAA expects this difference to have no effect in practice because EASA guidance included in Acceptable Means of Compliance (AMC) Sec. 25.671 similarly allows jams before touchdown to be excluded if an assessment of the design shows that all practical precautions have been taken. 
Therefore, the FAA finds that, with this final rule, there will not be a significant standards difference between the FAA and EASA requirements. Airbus asked that the FAA also except jams during the takeoff phase because, in both cases, exposure time is limited. The FAA does not agree. The ARAC FCHWG did not recommend excluding the takeoff phase, only the landing phase. Although flight control jams can occur during takeoff, practical design solutions can be put in place to mitigate such jams. Note that AC 25.671-1 states that, for jams that occur during takeoff, the applicant may assume that if the jam is detected prior to V1, the takeoff will be rejected. DeHavilland requested confirmation that the new requirements related to flight control jams do not change what the company describes as accepted current practice. That practice would allow jams in spring-tab mechanisms that could occur during takeoff to be evaluated probabilistically, and the short exposure time during takeoff could be considered in determining the probability of such jams. This final rule requires the applicant to determine the type of jam or failure being assessed. For those flight control jams evaluated under Sec. 25.671(c)(3), the probability of the jam, and the short exposure time during takeoff, may not be considered in showing compliance with that regulation. The FAA did not change the rule or associated guidance as a result of this comment. 7. Paragraph (c)(3)(iii) Section 25.671(c)(3)(iii) states that in addition to the jam being evaluated, any additional failure conditions that could prevent continued safe flight and landing must have a combined probability of 1/1000 or less, rather than ``less than 1/1000'' as proposed in the NPRM. This harmonizes with CS 25.671(c)(3). GAMA/AIA requested that the FAA use ``failure states'' in place of ``failure conditions'' in Sec. 25.671(c)(3)(iii) because the 2002 ARAC FCHWG report used ``failure states.'' The FAA does not agree.
The term ``failure conditions'' is well-understood, has been used for many years, and is appropriately used in this regulation. In addition, CS 25.671(c)(3) also refers to ``failure conditions.'' The FAA added guidance in AC 25.671-1 to explain this requirement. Except for the differences noted in the foregoing discussion, revised Sec. 25.671(c) is adopted as proposed. 8. Paragraph (d) Section 25.671(d) requires that the airplane remain controllable if all engines fail. In the NPRM, the FAA proposed to add a requirement that an approach and flare to a landing and controlled stop must also be possible, assuming that a suitable runway is available. GAMA/AIA, TCCA, and Boeing requested the FAA add ``and flare to ditching'' to the new requirements. Since the most likely scenario leading to a controlled ditching is loss of all engines, the scenario is relevant, according to the commenters. The FAA agrees with this request because a flare to a ditching may require different reconfiguration than would be required for landing; for example, flap settings and pitch attitude. Adding the flare to a ditching requirement to Sec. 25.671(d) will also harmonize the rule with CS 25.671(d). Gulfstream and GAMA/AIA requested the FAA remove the requirement for a controlled stop from proposed Sec. 25.671(d) as they felt a braking requirement should not be added to a general flight control system requirement. The FAA does not agree. Stopping capability can be affected by flight controls, including spoilers, flaps, and rudder. In addition, this would result in a difference compared to EASA CS-25 language. TCCA and ANAC requested that the FAA remove the following sentence from proposed Sec. 25.671(d): ``The applicant may show compliance with this requirement by analysis where the applicant has shown that analysis to be reliable.'' The commenters stated that this sentence describes an acceptable means of compliance, which is adequately covered in the corresponding guidance. 
The FAA agrees and did not include this sentence in the final rule. Except for the changes noted in the foregoing discussion, Sec. 25.671(d) is adopted as proposed. 9. Paragraph (e) In the NPRM, the FAA proposed to add new Sec. 25.671(e), requiring the flight control system to indicate whenever the primary control means are near the limit of control authority. The FAA proposed this change due to the lack of direct tactile link between the flightdeck control and the control surface on airplanes equipped with fly-by-wire control systems. DeHavilland requested that the FAA use ``must provide appropriate feedback to the flight crew . . .'' in place of ``must indicate to the flight crew'' in new Sec. 25.671(e). The company stated that for non-fly-by-wire systems, the air loads are either naturally sensed or simulated. The company also commented that the use of the word ``indicate'' in the proposed requirement has a potential for misinterpretation, as tactile feedback is not normally considered as an ``indication.'' The commenter acknowledged draft AC 25.671-X addresses use of feel forces and cockpit control movement to meet this requirement. The FAA does not agree to make this change. As noted by the commenter, the AC addresses use of tactile feedback as a method of compliance with this requirement. ANAC and TCCA commented that the FAA should harmonize the new requirement of Sec. 25.671(e) with CS 25.671(e) to remove any possible misunderstanding. The FAA agrees. The proposed rule stated that the ``flight control system'' must indicate to the flightcrew whenever the primary control means is near the limit of control authority. This final rule is revised to harmonize with CS 25.671(e) and requires ``the airplane'' to be designed to indicate to the flightcrew whenever the primary control means is near the limit of control authority. This is not a substantive change. 10. Paragraph (f) In the NPRM, the FAA proposed to add new Sec.
25.671(f), requiring that the flight control system alert the flightcrew whenever the airplane enters any mode that significantly changes or degrades the normal handling or operational characteristics of the airplane. ANAC and TCCA commented that the FAA should fully harmonize Sec. 25.671(f) with CS 25.671(f) to remove any possible misunderstanding. The FAA agrees. The proposed rule would have required that the flight control system alert the flightcrew whenever the airplane enters a flight control mode of concern. This final rule is revised to harmonize with CS 25.671(f) and thus requires the system to provide ``appropriate flightcrew alerting.'' This is not a substantive change. 11. Relationship Between Sec. Sec. 25.671(c) and 25.1309 ANAC, Boeing, and GE sought clarification from the FAA on the applicability of Sec. Sec. 25.671(c) and 25.1309, particularly in light of the changes proposed in the NPRM. As explained above, the FAA decided to retain the structure of existing Sec. 25.671(c) in the final rule, which will address the concerns raised by these commenters. The FAA provides the following additional explanation relative to the requirements of the final rule. Section 25.1309 applies to all systems and equipment installed on the airplane, including the flight control system. Section 25.671(c) also applies to the flight control system. The safety requirements in Sec. 25.671(c)(1) and (c)(2) correspond with those in Sec. 25.1309(b)(1). There are no fundamental differences between these two sets of safety requirements as they apply to the flight control system. However, different methods of compliance may be used to comply with Sec. 25.671(c)(1) and (c)(2) as compared to Sec. 25.1309(b)(1). Sections 25.671(c)(1) and (c)(2) require the airplane to be capable of continued safe flight and landing after any single failure and after any combination of failures not shown to be extremely improbable.
Section 25.1309 requires that these failure conditions not be catastrophic. While worded differently, these requirements are functionally equivalent. AC 25.1309-1B states that a flight control system failure condition that would prevent continued safe flight and landing should be classified as catastrophic. AC 25.671-1 provides specific criteria unique to the assessment of flight control system failures. AC 25.1309-1B also provides guidance on assessing failure conditions that apply to the flight control system. Sections 25.1309(b)(2) through (b)(5), (c), and (e) also apply to the flight control system. There are no requirements in Sec. 25.671 that correspond to these subparagraphs. E. Section 25.901, Engine Installation In the NPRM, the FAA proposed that Sec. 25.901(c) would specify that the requirements of Sec. 25.1309 would apply to powerplant installations. The FAA also proposed to remove the prohibition in Sec. 25.901(c) on catastrophic single failures and probable combinations of failures since addressing such failures would be adequately addressed by the proposed Sec. 25.1309(b). The FAA proposed that these changes would harmonize Sec. 25.901(c) with EASA CS 25.901(c). Pratt & Whitney requested that the FAA add to Sec. 25.901(c) the phrase ``or any other failure consistent with existing Sec. 33.75 single element exception requirements'' to ensure consistency with Sec. 25.901(c) and existing requirements. The FAA does not agree with the request. The referenced exception requirements only address instances in which the failure of the single element is likely to result in a hazardous engine effect. These effects are among the conditions applicants use for evaluating the hazard to the engine under engine airworthiness requirements, which do not consider the effect of the airplane installation. For example, hazardous effects on the engine may not necessarily result in a catastrophic failure at the airplane level. Since the requirements of Sec. 
33.75 are independent of the aircraft airworthiness requirements, they are inadequate for evaluating the hazard to the aircraft installation. The exceptions to Sec. 25.1309(b) that the FAA has identified in Sec. 25.901(c) are consistent with existing powerplant installation requirements in part 25 and compliance showings to Sec. 25.901(c) before adoption of this final rule. Expanding the exceptions to Sec. 25.1309(b) to include aspects of Sec. 33.75 would not be consistent with existing part 25 powerplant installation requirements. The potential failure conditions of the engine type design that should be excepted from Sec. 25.1309(b) are adequately addressed by the exceptions identified by Sec. 25.901(c). The FAA therefore adopts revised Sec. 25.901(c) as proposed. F. Section 25.933, Reversing Systems In the NPRM, the FAA proposed to add a ``reliability option'' for thrust reversers to Sec. 25.933(a), allowing applicants to show that an unwanted deployment of the reverser is extremely improbable (i.e., complies with 14 CFR 25.1309(b)), instead of only that the airplane remains controllable if the reverser deploys in flight. GAMA/AIA commented that the proposed wording of Sec. 25.933(a) does not clearly communicate that the controllability option would still require compliance with Sec. 25.1309, as noted in the regulatory evaluation (footnote 58 of the NPRM). GAMA/AIA requested the wording of Sec. 25.933(a) be changed to clearly define the requirement to show compliance with Sec. 25.1309 regardless of controllability. The FAA acknowledges that compliance with Sec. 25.1309 is required regardless of which option an applicant chooses under Sec. 25.933(a) since Sec. 25.901(c) requires compliance with Sec. 25.1309. However, the FAA partially agrees, and in this final rule has revised Sec. 25.933(a) to clarify, that when an applicant chooses the reliability option (new Sec. 
25.933(a)(ii)), the applicant must account for the potential hazard to the airplane assuming the airplane would not be capable of continued safe flight and landing during and after an in-flight thrust reversal when showing compliance with Sec. 25.1309(b). Section 25.901(c) applies to the powerplant and auxiliary power unit (APU) installation, except for the specific items listed in new Sec. 25.901(c). Compliance with Sec. 25.1309 is required for the powerplant and APU installation, which includes the thrust reversing system, per the new Sec. 25.901(c). The FAA finds that it is unnecessary to restate in Sec. 25.933(a)(1) that compliance with Sec. 25.1309 is required for the reversing system since it is already required by the new Sec. 25.901(c) and not one of the items excepted. Air Tech Consulting objected to the ``reliability option'' that the FAA proposed in the NPRM. The commenter cited three inflight reverser deployments in the past twelve months as justification for maintaining the existing rule. The FAA does not agree with this request. The incidents cited by the commenter were not in-flight thrust reverser deployments, only component failures or false indications.\22\ The FAA has made equivalent safety findings on many proposed airplane models based on the ARAC PPIHWG recommendations for Sec. 25.933(a)(1) and certified many designs using the reliability approach rather than the controllability approach in current Sec. 25.933(a)(1). The FAA does not agree that these particular in-service events show that the systems would not have met Sec. 25.1309(b) or that the longstanding reliability approach for certification of the thrust reverser system is inadequately safe.
--------------------------------------------------------------------------- \22\ Each of the three cited events was the result of either a false indication of an unlocked reverser door or failure of the primary lock followed by a small movement of a reverser door until the secondary lock engaged, where the movement was enough to result in an unlocked reverser indication. In either circumstance, the reverser door did not deploy and an actual in-flight thrust reversal did not occur. Also, after the close of the comment period for this rule, a FedEx Boeing Model MD-11 experienced an unwanted in-flight deployment on June 21, 2023. The thrust reversers on the airplane were not certified using the reliability approach; however, the design was reviewed by the FAA and Boeing (formerly Douglas) using the ``Criteria for Assessing Transport Turbojet Fleet Thrust Reverser System Safety,'' Revision A, dated June 1, 1994, which was a reference document used by the ARAC PPIHWG to develop recommendations for changes to Sec. 25.933(a). Boeing used a mixed approach, in which the company demonstrated the Model MD-11 was controllable following an unwanted in-flight deployment within certain portions of the flight envelope and showed reliability, using a thrust reverser SSA, for the remainder of the flight envelope. --------------------------------------------------------------------------- TCCA commented that systems design often needs to strike a balance between availability (system performs its intended function when needed) and integrity (protecting against system malfunctions). TCCA requested that the FAA revise Sec. Sec. 25.933 and 25.1309(b) to emphasize the need to consider system availability in conjunction with integrity. The FAA agrees that system availability is an important consideration when designing the thrust reverser system. However, there are already applicable airworthiness requirements, such as Sec. Sec.
25.901(b)(2) and 25.1309(a)(1), that address system availability and reliability and that are related to the system's effect on airplane safety. It is not necessary to provide additional emphasis on system availability within Sec. Sec. 25.933 and 25.1309(b) since these existing requirements are adequate to address the availability of the thrust reverser system. Section 25.933(a)(1) addresses the specific failure condition of an unwanted in-flight deployment only, and Sec. 25.1309(b) addresses the safety of equipment and systems as installed on the airplane. Therefore, the FAA does not agree with the commenter's request since requirements that influence system availability and the relationship with propulsion system reliability, which apply to the thrust reverser system, are already addressed in existing regulations. The FAA included guidance on Sec. 25.901(b)(2) that is related to Sec. Sec. 25.901(c) and 25.1309(b) in AC 25.901-1. Guidance for Sec. 25.1309(a)(1) can be found in AC 25.1309-1B. The FAA therefore adopts revised Sec. 25.933 as proposed. G. Section 25.1301, Function and Installation In the NPRM, the FAA proposed to remove the ``function properly when installed'' criterion in Sec. 25.1301(a)(4) for installed equipment whose function is not needed for safe operation of the airplane. In addition, the FAA proposed to remove Sec. 25.1301(b) because it is redundant and unnecessary. Section 25.1301(b) required that a proposed airplane's EWIS meet the requirements of subpart H of part 25. The FAA proposed removing Sec. 25.1301(b) because subpart H specifies its applicability and the requirements in subpart H can stand alone. The FAA received no substantive comments on proposed Sec. 25.1301. The FAA therefore adopts revised Sec. 25.1301 as proposed. H. Section 25.1309, Equipment, Systems and Installations 1. Applicability In the NPRM, the introductory paragraph of proposed Sec.
25.1309 explained that regulation would apply to any equipment or system installed on the airplane except as provided in paragraphs (e) and (f). Boeing, ANAC, Gulfstream, GAMA/AIA, and Garmin requested that the FAA delete paragraphs (e) and (f) of proposed Sec. 25.1309 and move their content to the introductory paragraph to align with CS 25.1309. The commenters also noted that these paragraphs included regulatory exceptions to Sec. 25.1309 and showing compliance to an ``exception'' raised administrative issues. The FAA agrees and updated Sec. 25.1309 accordingly. Proposed Sec. 25.1309(e) would have excluded flight control jams governed by Sec. 25.671(c) from the proposed single-failure requirement in Sec. 25.1309(b)(1)(ii). Gulfstream proposed that flight control jams be excluded from all of Sec. 25.1309 and stated that additional guidance would be needed if flight control jams were not excluded from Sec. 25.1309(b). Although the FAA has historically used Sec. 25.671(c) rather than Sec. 25.1309 to address flight control jams, the FAA does not agree that flight control jams should be excluded from the other paragraphs of Sec. 25.1309 because those requirements apply to flight control systems and are necessary for managing the risk of flight control jams. The FAA agrees, however, that flight control jams should be excluded from all of Sec. 25.1309(b), and the final rule is revised accordingly. The FAA did not intend Sec. 25.1309(b) to apply to flight control jams because an evaluation of the failure conditions under Sec. 25.1309(b) requires the applicant to determine numerical probabilities, which is not practical for flight control jams. Since EASA CS 25.1309 excludes flight control jams from only CS 25.1309(b)(1)(ii), this is a substantive difference between the FAA and EASA's regulations. Proposed Sec. 25.1309(f)(1) stated that Sec. 25.1309(b) does not apply to single failures in the brake system because such failures are addressed by Sec. 25.735(b)(1). 
GAMA/AIA requested the FAA change ``single failures'' to ``failures'' to be consistent with Sec. 25.735. The FAA does not agree with this request because other types of failures in the brake system should be evaluated under Sec. 25.1309(b). Proposed Sec. 25.1309(f)(2) stated that Sec. 25.1309(b) would not apply to the failure effects addressed by Sec. Sec. 25.810(a)(1)(v) and 25.812. Gulfstream and GAMA/AIA requested that the FAA replace ``25.810(a)(1)(v)'' with ``25.810'' to harmonize with CS 25.1309. The FAA does not agree because Sec. 25.810(a)(1)(v) provides specific deployment and usability criteria for certain means of evacuation assistance, and this subparagraph alone is relevant to the exception discussion. However, the FAA updated ``failure effects'' to ``failure conditions'' to harmonize with CS 25.1309. EASA requested that the FAA clarify the exception from compliance with Sec. 25.1309(b) that proposed Sec. 25.1309(f)(3) would have provided regarding Sec. 25.1193, ``Cowling and nacelle skin,'' and suggested that the FAA change it from Sec. 25.1193 to Sec. 25.1193(a). EASA also stated that there may be value in considering Sec. 25.1193 as applicable under Sec. 25.1309 for systems that are used for opening or closing doors and monitoring proper closure/latched conditions. Furthermore, EASA asked why Sec. 25.1193 was not also included in the propeller debris release exception in proposed Sec. 25.1309(f)(4). The FAA made no changes to the final rule in response to these comments. The NPRM explains that Sec. Sec. 25.1193 and 25.905(d) already require applicants to consider the specific failures of fires from uncontained engine failures and engine case burn-through. Thus, it is not necessary to consider these same failures under Sec. 25.1309 as well. Furthermore, nacelle cowl door opening, closure, position monitoring, latching, and other potential failure conditions are discussed in AC 25.901-1 for compliance with Sec. Sec. 25.901(c) and 25.1309. 2. 
Paragraph (a) In the NPRM, the FAA proposed to require that all installed airplane equipment and systems whose improper functioning would reduce safety perform as intended under the airplane operating and environmental conditions (Sec. 25.1309(a)(1)). The FAA also proposed that all equipment and systems not subject to the foregoing requirement not have an adverse effect on the safety of the airplane or its occupants (proposed Sec. 25.1309(a)(2)). The latter requirement would have allowed such equipment to be approved by the FAA even if it may not perform as intended. ANAC commented that proposed Sec. 25.1309(a)(1) stated ``equipment and systems, as installed, must meet'' this requirement, while the ARAC SDAHWG recommended wording states ``equipment and systems must be designed and installed so that . . . .'' \23\ ANAC recommended that the FAA adopt the proposed ARAC wording and match EASA CS 25.1309. The FAA agrees to harmonize the rule text to avoid any possible interpretation differences and this final rule has updated Sec. 25.1309(a). --------------------------------------------------------------------------- \23\ www.faa.gov/regulations_policies/rulemaking/committees/documents/media/TAEsdaT2-5241996.pdf. --------------------------------------------------------------------------- GAMA/AIA and Boeing requested the FAA revise proposed Sec. 25.1309(a)(1) to replace ``whose improper functioning would reduce safety'' with ``whose function is necessary for safe operation of the airplane.'' The commenters were concerned that using the proposed phrase could result in equipment, systems, and installations intended for convenience to be subjected to Sec. 25.1309(a)(1) requirements. The FAA did not revise Sec. 25.1309(a)(1) as suggested because this change would exclude evaluation of systems whose failure would have a safety effect. The suggested change would also disharmonize this rule with EASA CS 25.1309(a)(1).
Bombardier requested the FAA harmonize its proposed Sec. 25.1309(a)(2) rule text of ``functioning normally or abnormally'' with the CS 25.1309(a)(2) rule text of ``not a source of danger.'' The FAA declines to update proposed Sec. 25.1309(a)(2) as suggested. Although the phrase ``functioning normally or abnormally'' used in proposed Sec. 25.1309(a)(2) is different from the ``not a source of danger in themselves'' used in EASA CS 25.1309(a)(2), the FAA considers these phrases as having generally the same meaning. ``Not a source of danger'' is largely synonymous with ``safe.'' An applicant must evaluate the systems addressed by Sec. 25.1309(a)(2) to verify that their normal operation and failure or abnormal functioning have no safety effect (i.e., they do not affect the operational capability of the airplane, do not increase flightcrew workload, and do not affect the safety of passengers or cabin crew). GAMA/AIA requested the FAA change ``must not adversely affect'' in proposed Sec. 25.1309(a)(2) to ``do not adversely affect'' as used in CS 25.1309(a)(2). GAMA/AIA stated that using ``do not'' in the regulation instead of ``must not'' changes the tone from preventative to evaluative. The FAA agrees and updated Sec. 25.1309(a)(2) to align with CS 25.1309(a)(2). Bombardier questioned whether Sec. 25.1309(a)(2) should be interpreted by applicants to apply to electromagnetic interference (EMI) generated by systems operating abnormally. In a related question, Bombardier asked the FAA to clarify what applicants should address in a qualitative failure evaluation of equipment and systems under Sec. 25.1309(a)(2). Bombardier stated that the NPRM preamble implies that applicants would have to show that an equipment failure will not result in increased electromagnetic emissions; however, Bombardier does not consider this to be the intent of proposed Sec. 25.1309(a)(2). The FAA intends that systems addressed under Sec. 
25.1309(a)(2), in this final rule, do not have to meet the former requirement that they ``perform as intended'' when installed. AC 25.1309-1B explains that the systems addressed by Sec. 25.1309(a)(2) should be designed so that their failures have no safety effect. In addition, normal installation practices can be used to isolate these systems, and a qualitative installation evaluation based on engineering judgment can be used to determine that the failure or improper functioning of these systems would not affect the safety of the airplane. Thus, the extent of EMI testing that is required for systems addressed under Sec. 25.1309(a)(1) is not required for systems addressed under Sec. 25.1309(a)(2). However, if there is a risk that the failure of a system addressed under Sec. 25.1309(a)(2) will result in electromagnetic emissions that affect the proper function of systems addressed under Sec. 25.1309(a)(1), then formal methods such as testing or analysis may be used to evaluate the failure in lieu of a qualitative installation evaluation that uses engineering judgment to conclude that electromagnetic emissions would not occur. Except for the foregoing changes, Sec. 25.1309(a) is adopted as proposed. 3. Paragraph (b) Section 25.1309(b) requires applicants to assess safety at the airplane level for airplane systems and associated components, evaluated separately and in relation to other systems, and requires that the airplane's systems and components meet certain reliability standards. In the NPRM, the FAA proposed to revise Sec. 25.1309(b) to address design and installation so that each catastrophic failure condition is extremely improbable and does not result from a single failure, each hazardous failure condition is extremely remote, and each major failure condition is remote. In this final rule, the FAA has adopted proposed Sec. 25.1309(b)(1) through (b)(3) with no changes but revised Sec.
25.1309(b)(4) and (b)(5) to align with the corresponding sections of EASA CS 25.1309. Proposed Sec. 25.1309(b)(4) would have required that significant latent failures (SLFs) be eliminated, except if the Administrator determined that doing so was impractical. If the applicant proved to the Administrator that such elimination was impractical, the regulation would have required the applicant to limit the likelihood of the SLF to 1/1000 between inspections. If the applicant proved that such limitation was impractical, then the proposed regulation would have required the applicant to minimize the length of time the failure would be present but undetected. Garmin expressed concern that the 1/1000 requirement in proposed Sec. 25.1309(b)(4)(i) could be burdensome without a cutset \24\ limit because no matter how many cutsets deep the latent failure is (e.g., 3, 4, 5, or more cutsets), it still would have to meet the 1/1000 requirement unless the applicant obtains agreement with the FAA that it has been adequately minimized. Thus, Garmin recommended that the FAA remove the 1/1000 requirement from Sec. 25.1309(b)(4) to align with EASA and suggested that the 1/1000 requirement be moved to AC 25.1309-1B as one way to show the SLF is minimized. Garmin proposed that a cutset limit be applied to either the 1/1000 requirement within Sec. 25.1309(b)(4) or to the definition of SLF if the FAA did not remove the 1/1000 requirement from Sec. 25.1309(b)(4) in the final rule. The FAA agrees to remove the 1/1000 criteria from Sec. 25.1309(b)(4) and include it in AC 25.1309-1B as a possible means of compliance. This change is consistent with the ASAWG recommendations that led to this rulemaking. Specifically, the ASAWG specific risk tasking report recommendations that the FAA require applicants to control specific risks of concern did not include a recommended limit latency requirement for all SLFs.
The report only recommended a limit latency requirement of 1/1000 for CSL+1 failure combinations (ASAWG report, section 6.4.1.2). --------------------------------------------------------------------------- \24\ A cutset is a number of failures or events that when combined will result in a system failure. --------------------------------------------------------------------------- ANAC, TCCA, and Bombardier requested the FAA harmonize Sec. 25.1309(b)(4) with CS 25.1309(b)(4) by removing the 1/1000 criterion, while EASA requested the FAA provide a rationale for not harmonizing. The FAA agrees to harmonize Sec. 25.1309(b)(4) with CS 25.1309(b)(4). Both regulations address eliminating SLFs as far as practical and minimizing the latency of the SLF if such elimination is not practical. This ensures that the applicant evaluates each SLF, eliminates it when practical, and minimizes its latency if elimination is not practical. However, in this final rule, Sec. 25.1309(b)(4) includes a new exclusion, requested by Garmin, from these proposed requirements for latent failures. This exclusion is described in the following paragraph. Garmin requested that the FAA modify proposed Sec. 25.1309(b)(4) to exclude the requirements for latent failures where the applicant meets the requirements of Sec. 25.1309(b)(1) and (b)(2) with the latent failure assumed, in the applicant's risk assessment, to have already occurred, or where the applicant took no credit in that risk assessment for the latency period. The FAA agrees to add this exclusion to Sec. 25.1309(b)(4) because it meets the decision criteria that the specific risk of concern will be evaluated as per the 2010 ARAC ASAWG specific risk tasking report.\25\ When a latent failure or the specific risk of concern is assumed as having occurred, its probability becomes 1 in the calculation of the failure condition. This probability of 1 is the same as stating that no credit is taken for a latency period.
This is a difference between Sec. 25.1309(b)(4) and CS 25.1309(b)(4) since EASA's rule does not contain this exclusion. The FAA does not expect this difference to be significant because the exclusion in Sec. 25.1309(b)(4) allows applicants to use a conservative assessment of a failure condition to show compliance.

---------------------------------------------------------------------------
\25\ ASAWG report, revision 5.0, Section 6.1.2, Figure 6-1.
---------------------------------------------------------------------------

GAMA/AIA, Gulfstream, and Boeing requested language for the Sec. 25.1309(b)(4) final rule that was different from what the NPRM proposed and what EASA published in CS-25. The commenters' proposal provides criteria for acceptance of SLFs that depend on the probability and severity of the outcome. The FAA did not update the rule language as suggested; however, the FAA has incorporated the approach as a means of compliance for the catastrophic failure conditions in AC 25.1309-1B. This approach also incentivizes development of practical designs that meet the safety objectives of Sec. 25.1309(b)(1) and (b)(2). The approach for hazardous failure conditions was not included in AC 25.1309-1B since it was not considered in the 2010 ARAC ASAWG specific risk tasking report.

ANAC, Garmin, and Airbus requested changes to proposed Sec. 25.1309(b)(4)(i) and (b)(4)(ii). The suggested changes are no longer relevant because paragraphs (i) and (ii) are not included in the Sec. 25.1309(b)(4) final rule.

Proposed Sec. 25.1309(b)(5) provided a new standard for limiting the risk of a catastrophic failure combination that results from two failures, either of which could be latent for more than one flight.

ANAC stated that the criteria in proposed Sec.
25.1309(b)(5) is significantly different from the criteria in CS 25.1309(b)(5) and these differences may burden applicants by requiring them to comply with two different sets of criteria and may result in different product configurations. TCCA commented that differences between the proposed FAA rule and CS-25, both in wording and intent, would result in significant difficulties and increase the burden on applicants, particularly given the inherent complexity of safety assessments both at system and aircraft level. EASA stated that having different criteria in Sec. 25.1309(b)(5)(iii) and CS 25.1309(b)(5)(iii) would result in a duplication of effort for applicants.

The FAA agrees that differences between FAA and EASA requirements could result in increased burden on applicants and civil aviation authorities. The final rule is therefore revised to improve harmonization, as described below.

Several commenters recommended changes to Sec. 25.1309(b)(5). TCCA and ANAC recommended that the FAA fully harmonize Sec. 25.1309(b)(5) and CS 25.1309(b)(5), while EASA encouraged the FAA to implement the same criteria as CS 25.1309(b)(5)(iii). GAMA/AIA and Garmin suggested the FAA harmonize Sec. 25.1309(b)(5)(i) with CS 25.1309(b)(5)(i) by changing ``fault tolerance'' to ``redundancy.'' Boeing suggested the FAA update Sec. 25.1309(b)(5)(ii) to ``. . . the residual average probability per flight hour of the catastrophic failure condition occurring due to all subsequent single failures is remote.'' Airbus and Gulfstream preferred that the FAA harmonize Sec. 25.1309(b)(5)(iii) with CS 25.1309(b)(5)(iii), while GAMA/AIA preferred the FAA's proposed wording for Sec. 25.1309(b)(5)(iii). Boeing suggested the FAA change Sec. 25.1309(b)(5)(iii) to ``The probability of the latent failure occurring over its maximum exposure time does not exceed 1/1000.''

The FAA uses the term ``fault tolerance'' in Sec.
25.1309(b)(5)(i) instead of ``redundancy'' as used in CS 25.1309(b)(5)(i) because the term ``redundancy'' could be interpreted as a prescriptive design requirement, and Sec. 25.1309 is intended to be a performance-based rule.

In this final rule, the FAA revised Sec. 25.1309(b)(5)(ii) to refer to ``the residual average probability'' of the catastrophic failure condition following a single latent failure. The term ``residual average probability'' is the remaining probability of a failure condition given the presence of a single latent failure. This change aligns with the recommendations from the 2010 ARAC ASAWG specific risk tasking recommendation report, sections 6.3.1.6 and 6.3.1.7. The final rule uses ``all subsequent active failures'' rather than the proposed Sec. 25.1309(b)(5)'s ``all subsequent single failures'' to ensure the applicant accounts for the residual average probability of all active failures in a failure condition.

Finally, the FAA agrees to harmonize Sec. 25.1309(b)(5)(iii) with CS 25.1309(b)(5)(iii) to ensure that combined probability of all the latent failures is accounted for as recommended by the commenters, except that the FAA uses ``active failure'' in Sec. 25.1309(b)(5)(iii), instead of ``evident failure'' as used in CS 25.1309(b)(5)(iii). Having harmonized Sec. 25.1309(b)(5)(iii) with CS 25.1309(b)(5)(iii), the FAA does not expect the differences in wording between Sec. 25.1309(b)(5) and CS 25.1309(b)(5) to be burdensome to applicants.

4. Paragraph (c)

In the NPRM, proposed Sec. 25.1309(c) would require the applicant to provide information concerning unsafe system operating conditions to enable the flightcrew to take corrective action and to show that the design of systems and controls, including indications and annunciations, minimizes crew errors that could create additional hazards.

ANAC, TCCA, and Boeing requested the FAA revise proposed Sec.
25.1309(c) to include ``in a timely manner'' as part of the corrective action to be taken by the flightcrew. The FAA has updated the final rule accordingly. This change more closely harmonizes Sec. 25.1309(c) with CS 25.1309(c). In addition, the discussion of this proposal in the NPRM preamble refers to the importance of providing timely and effective annunciations to allow appropriate crew action.

TCCA requested that the FAA align the wording of proposed Sec. 25.1309(c) with CS 25.1309(c). TCCA stated that the first sentence of proposed Sec. 25.1309(c) does not correctly reflect the intent of the rule, which is for the airplane and systems to provide information to the flightcrew when necessary for safe operation. TCCA explained that ``the applicant must provide information'' could be interpreted as requiring the applicant to provide documentation or training instead of flightcrew alerts as intended. The FAA agrees and revised the first sentence of Sec. 25.1309(c) to say that the airplane and systems provide the necessary information. This will harmonize the intent with the corresponding sentence in CS 25.1309(c).

To further harmonize with EASA's rule, the FAA revised the second sentence of Sec. 25.1309(c) to require that systems and controls, including ``information,'' indications, and annunciations, be designed to minimize crew errors. ``Information'' refers to the same term used in the first sentence of Sec. 25.1309(c) and has the same intent as used in Sec. 25.1302.

5. Paragraph (d)

In the NPRM, the FAA proposed to move the requirements of Sec. 25.1309(d) regarding mandatory methods showing compliance with Sec. 25.1309(b) to guidance (AC 25.1309-1B). The NPRM [[Page 68720]] proposed that new Sec. 25.1309(d) would require applicants to establish ``Certification Maintenance Requirements,'' or CMRs, as limitations in the airplane's Instructions for Continued Airworthiness.
Applicants have long used CMRs, such as mandatory inspections at scheduled intervals, to show that their proposed design complies with Sec. 25.1309 and other part 25 regulations that establish reliability requirements. In this final rule, however, the FAA is moving the CMR requirement to Sec. 25.1309(e), as discussed in the following section.

Accordingly, the FAA is revising Sec. 25.1309(d) to ``Reserved'' as requested by Boeing, TCCA, and Safran. This will be a difference between Sec. 25.1309(d) and CS 25.1309(d) because the latter states that applicants must assess Electrical Wiring Interconnection System (EWIS) per CS 25.1709. The FAA expects this difference to have no effect in practice because Sec. 25.1309 is a general requirement that applies to all systems, including EWIS. In addition, Sec. 25.1709 addresses system safety of EWIS, and Sec. 25.1709 is harmonized with CS 25.1709.

6. Paragraph (e)

In the NPRM, the FAA proposed that Sec. 25.1309(d) would require an applicant to establish CMRs to prevent development of the failure conditions described in Sec. 25.1309(b) and to include these CMRs in the ALS. In the final rule, these requirements are now in Sec. 25.1309(e).

The FAA's proposed CMR requirement referenced Sec. 25.1309(b), which addresses catastrophic, hazardous, and major failure conditions. Boeing, GAMA/AIA, Gulfstream, and Garmin suggested that the requirement to establish CMRs in Sec. 25.1309(d) be limited to CMRs that address catastrophic and hazardous failure conditions in Sec. 25.1309(b)(1) and (b)(2). TCCA commented that the NPRM describes CMRs as tasks to detect safety significant failures that result in hazardous or catastrophic conditions but recommended that major failure conditions should also be considered.

The FAA declines to restrict the use of CMRs to catastrophic and hazardous failure conditions.
Although a CMR is primarily used to establish a required maintenance task that would detect issues such as the wear out or a hidden failure of an item whose failure is associated with a hazardous or catastrophic failure condition, a CMR may also be used to detect a latent failure that would, in combination with one specific failure or event, result in a major failure condition. The SSA identifies the need for a scheduled maintenance task. It may be necessary for applicants to include a CMR in the ALS of the ICA for a major failure condition if the maintenance task is not provided in other areas of the ICA. An acceptable process for selecting CMRs is provided in AC 25-19A, Certification Maintenance Requirements.\26\

---------------------------------------------------------------------------
\26\ Available at drs.faa.gov.
---------------------------------------------------------------------------

ANAC questioned whether the FAA intended proposed Sec. 25.1309(d) to require CMRs for all failure conditions and requested the FAA clarify in the final rule language that CMRs be established ``as necessary.'' The FAA agrees to add the words ``as necessary'' to the final rule. As explained in AC 25-19A, the process of creating CMRs to control risk of failures described in Sec. 25.1309(b) begins with identifying candidate CMRs (CCMRs) until a committee of experts determines they are CMRs. Thus, the FAA does not require CMRs for all failure conditions, and not every CCMR will become a CMR. Although adding ``as necessary'' results in different language between Sec. 25.1309(e) and CS 25.1309(e), this difference does not affect harmonization between the FAA and EASA because the guidance for selecting CMRs is aligned.

Garmin requested the FAA reword proposed Sec. 25.1309(d) to require the safety analysis to identify the CCMRs that must be dispositioned using a process acceptable to the Administrator to identify which CCMRs should be airworthiness limitations.
Garmin stated that the proposed wording seems to preclude the use of AC 25-19A to first identify and classify CCMRs. The FAA does not agree with this request. The final rule requires CMRs to be established and included in the ALS of the airplane's ICA. The associated guidance in AC 25-19A provides a method of compliance, which includes identifying and dispositioning CCMRs as CMRs. The FAA also did not adopt the commenter's proposed change because it would result in a difference compared to corresponding EASA regulations and guidance.

Airbus commented that the word ``detect'' is more appropriate than the word ``prevent'' used in proposed Sec. 25.1309(d) since failures will be detected during CMR tasks. The FAA did not replace ``prevent'' with ``detect'' since the intent of this rule is to prevent the development of the failure condition by detecting the existence of a latent failure.

I. Section 25.1365, Electrical Appliances, Motors, and Transformers

In the NPRM, the FAA proposed to remove the reference to Sec. 25.1309(d) from Sec. 25.1365(a) because Sec. 25.1309(d) would no longer contain mandatory methods for demonstrating compliance with Sec. 25.1309(b).

GAMA/AIA and Gulfstream commented that the FAA should remove Sec. Sec. 25.1431(a), 25.1351(a)(2), and 25.1365(a), as those regulations are redundant to or simply point to compliance with Sec. 25.1309. The FAA does not agree with this request because removing Sec. Sec. 25.1431(a), 25.1351(a)(2), and 25.1365(a) may have unintended consequences. In addition, removal of these regulations was not proposed in the NPRM. The FAA did not change this final rule as a result of this comment but has removed the reference to Sec. 25.1309(d) from Sec. 25.1365(a) as proposed in the NPRM.

J. Section H25.4(a) of Appendix H, Airworthiness Limitations Section

The FAA adopts Sec. H25.4(a) of appendix H as proposed in the NPRM. The FAA received no comments on this section.

K. Miscellaneous Comments

1. Applicability of Sec. 25.1309 to Electromagnetic Conditions

Bombardier commented that the NPRM preamble indicates that the FAA did not intend proposed Sec. 25.1309(b) and the associated advisory material to change how type certificate applicants account for systems' exposure to high-intensity radiated fields (HIRF) and lightning. Bombardier requested that the FAA clarify whether this same principle applies to electromagnetic conditions in other regulations (e.g., Sec. Sec. 25.1353, 25.1431, 25.899). The FAA does not intend revised Sec. 25.1309 and the associated advisory material to take precedence over or supersede how applicants address electromagnetic conditions in accordance with other regulations.

2. Revise Nonregulatory Definitions

This section addresses commenters' requests to revise definitions that the FAA provided in the NPRM preamble or in draft AC 25.1309-1B. The FAA also proposed in the NPRM that some of these definitions would be included in new Sec. 25.4. The following paragraphs address the definitions of hazardous failure condition, latent failure, single failure, event, and failure condition.

The FAA included a table of definitions in the preamble of the NPRM. The table included some definitions given in proposed Sec. 25.4 and [[Page 68721]] provided additional definitions that were not in proposed Sec. 25.4. That table is not included in this final rule; applicants should instead refer to this preamble, final Sec. 25.4 and AC 25.1309-1B. Relevant definitions are provided in Sec. 25.4 Definitions or in the appropriate AC.

GAMA/AIA, Airbus, Boeing, Bombardier, and Garmin requested that the FAA remove the following language from the preamble definition of ``hazardous failure condition:'' ``Note: For the purpose of performing a safety assessment, a `small number' of fatal injuries means one such injury.'' The commenters stated that considering a ``small number'' of fatal injuries to be one such injury for the purpose of performing safety assessments is too restrictive.
This note was only in the preamble and not in the proposed regulatory definition in Sec. 25.4, as the FAA considered it guidance on the application of the definition. The FAA agrees to remove this note from AC 25.1309-1B. The note is not included in AMC Sec. 25.1309, nor was it included in any of the relevant ARAC recommendations. Given the difficulty and context-dependent nature of estimating whether a failure condition would result in one or multiple fatal injuries, the FAA finds that it is not necessary to define ``small number'' in order to provide the necessary separation between hazardous and catastrophic failure conditions. Historically, applicants have assessed this aspect of the definition of ``hazardous failure condition'' differently based on the size of the airplane, number of occupants, and fleet size. The FAA will continue to accept this practice.

ANAC commented that the FAA's definition of ``latent failure'' in the NPRM preamble table (``a failure that is not apparent to the flightcrew or maintenance personnel'') may be confusing since the maintenance crew will detect latent failures through periodic maintenance activities such as CMRs. ANAC recommended the FAA use the following definition of latent failure: ``A failure which is not detected and/or annunciated when it occurs.'' The FAA agrees and has updated the definition of ``latent failure'' in AC 25.1309-1B.

Boeing, GAMA/AIA, TCCA, and Garmin requested that the FAA modify the definition of ``latent failure'' to include the qualifier ``for more than one flight'' to ensure consistent understanding and application. The FAA did not make this change because the definition of ``latent failure'' includes undetectable failures regardless of the latency period. AC 25.1309-1B has been updated to provide additional guidance on the appropriate duration of a latent failure; that is, an acceptable means of compliance to SLF minimization is to show that the failure would not be latent for more than one flight.

TCCA requested that the FAA clarify the intent of the phrase ``common causes'' as used in the NPRM preamble table's definition of single failure or state that common causes may include external events that are not considered failures (e.g., bird strike). TCCA stated that the NPRM preamble and draft AC 25.1309-1B definitions of ``failure'' include a note that errors and events are not considered failures and that this creates an apparent conflict where the definition of single failures includes common causes. Airbus also stated that external events are not system failures and questioned whether external failure conditions should be explicitly excluded from Sec. 25.1309 because they are already covered by their own regulations (e.g., bird strike is specifically addressed under Sec. 25.631).

In response, the FAA has updated the single failure definition in AC 25.1309-1B to be the same as provided by the ARAC SDAHWG recommendations report that included a draft AC 25.1309 (see the ``Arsenal'' draft AC 25.1309).\27\

---------------------------------------------------------------------------
\27\ Available in the docket as part of the SDAHWG recommendation, ``Task 2--System and Analysis Harmonization and Technology Update,'' pp. 61-99, and at www.faa.gov/regulations_policies/rulemaking/committees/documents/media/TAEsdaT2-5241996.pdf.
---------------------------------------------------------------------------

In addition, the FAA updated the note within the definition of ``failure'' in AC 25.1309-1B to remove the word ``events.'' In general, an SSA addresses how systems are affected by an external event, such as a bird strike, using a common cause analysis or a single event cause where the external event is assumed without a probability.

Bombardier stated that the FAA's definition of ``single failure'' in the preamble table was ambiguous and implied that a single failure would affect multiple ``components, parts or elements'' when most single failures will affect single components or parts. Bombardier requested the FAA revise the definition to ``a single occurrence that affects the operation of a component, part, or element such that it no longer functions as intended'' or not adopt the definition. The FAA updated the definition of ``single failure'' to ``any failure or set of failures that cannot be shown to be independent from each other'' in AC 25.1309-1B. The FAA did not make the requested change because the FAA intends that applicants treat a common mode failure of multiple components, parts, or elements as a ``single failure,'' and this connection would be lost if the FAA were to revise the definition as Boeing proposed.

TCCA recommended that the FAA consider changing the term ``event'' in the preamble table to ``external event'' to align with EASA CS-25, ARP4754B ``Guidelines for Development of Civil Aircraft and Systems,'' and ARP4761A. The FAA agrees and has updated ``event'' to ``external event'' in AC 25.1309-1B.

Boeing requested that the FAA address ``collisions (intentional or not)'' in the definition of ``event.'' Boeing stated that this change would provide clarity that collisions are not events to be considered as part of required safety assessments. Although the FAA updated the term ``event'' to ``external event'' in AC 25.1309-1B, the FAA did not change its definition in response to this comment. The definition of ``external events'' states that it does not cover sabotage or other similar intentional acts. Intentional collisions are intentional acts and, therefore, not an ``external event.'' Unintentional collision may be due to failure of onboard system equipment, which is excluded from this definition since its origin is not distinct from that of the airplane.
Unintentional collision may be due to flightcrew error, which is already excluded.

The preamble table's definition of ``failure condition'' referenced a condition that affected ``the airplane, its occupants, or other persons.'' Bombardier requested that the FAA remove ``or other persons'' from this definition or provide guidance as to how applicants can assess potential effects on other persons and how these effects would relate to severity classification. The FAA declines to change the definition of ``failure condition'' in AC 25.1309-1B. The FAA included the words ``or other persons'' to account for the effects on persons other than the airplane occupants that applicants should take into consideration when assessing failure conditions for compliance with Sec. 25.1309. AC 25.1309-1B provides guidance on the type of persons, the risks to be considered, and how applicants can classify the failure conditions given the effects on other persons that do not include airplane occupants. For example, ground maintenance crew involved in servicing the airplane while `in-service' could have a risk of an inadvertent door coming open or thrust reverser movement.

[[Page 68722]]

3. Revise Other Regulations

In the NPRM, the FAA proposed that the revised Sec. 25.1309(b) would not apply to single failures in the brake system because those failures are adequately addressed by Sec. 25.735(b)(1). An individual commenter recommended changes to current Sec. 25.735, ``Brakes and braking systems,'' stating that parts of Sec. 25.735 are no longer relevant or need to be updated to reflect modern braking systems. The commenter requested changes to Sec. 25.735 and corresponding changes to AC 25.1309-1B. Gulfstream also requested that the FAA add a paragraph to Sec. 25.735 to address braking capability with all engines inoperative. The FAA does not agree with these requests. The FAA did not propose changes to Sec. 25.735 in the NPRM, and such changes are outside the scope of this rulemaking.

GAMA/AIA and Bombardier requested that the FAA revise Sec. 25.672, ``Stability augmentation and automatic and power-operated systems,'' in this rulemaking package. GAMA/AIA stated that proposed Sec. 25.671(c) removed the failures that Sec. 25.672 is referencing. Bombardier suggested that the FAA remove Sec. 25.672(c) because the failures addressed under Sec. 25.672(c) could be addressed entirely under Sec. 25.1309(b) or clarify that the intent of Sec. 25.672(c) does not apply to modern fly-by-wire aircraft. In addition, GAMA/AIA requested that the FAA add guidance for Sec. 25.672 that reflects the recommendations made by the FTHWG.

The FAA did not change this final rule or associated guidance material as a result of these comments. Revising Sec. 25.672 is unnecessary because Sec. 25.672(b) refers to failures specified in Sec. 25.671(c), and the final rule for Sec. 25.671(c) includes these failures. Section 25.672(c) contains requirements that are in addition to the requirements of Sec. 25.1309(b). The FAA declines to add guidance at this time for Sec. 25.672 based on recommendations made by the FTHWG because further discussion is needed to harmonize the guidance for Sec. 25.672 with other regulatory authorities; the FAA notes these discussions are ongoing in a Certification Authorities for Transport Airplanes (CATA) harmonization activity.\28\ The FAA does not agree to clarify that the intent of Sec. 25.672(c) does not apply to modern fly-by-wire aircraft because the FAA has not made this determination.

---------------------------------------------------------------------------
\28\ www.faa.gov/aircraft/air_cert/design_approvals/transport/transport_intl/cata.
---------------------------------------------------------------------------

4. Revise Cost-Benefit Analysis

Garmin commented on the NPRM that the cost-benefit analysis does not consider the impact on amended type certificate (ATC) or supplemental type certificate (STC) projects that would be considered significant under Sec. 21.101, known as the Changed Product Rule. In addition, MARPA requested the FAA clarify the applicability of the SSA rule to parts manufacturer approval (PMA) applicants and STC applicants. If the SSA rule is applicable to PMA and STC applicants, MARPA requested that the FAA adjust the cost-benefit analysis accordingly, complete a Regulatory Flexibility Act analysis, and make the revised cost-benefit analysis and Regulatory Flexibility Act analysis available for comment in a supplemental NPRM.

This final rule updates the cost-benefit analysis to take account of the fact that the final rule closely harmonizes with the corresponding EASA rule. Since U.S. manufacturers already are required to meet the EASA requirements, the closely harmonized provisions of the final rule impose no or minimal costs. In future STC or ATC projects where the design change is determined under the Changed Product Rule to be a significant product level change, the Changed Product Rule will then require that the certification basis of those projects be updated. The cost-benefit analysis for the Changed Product Rule, however, has determined that the required updated certification basis for such projects is cost-beneficial.\29\ PMAs (replacement articles) are managed in accordance with Subpart K to part 21. The final rule will apply only at that time in the future when a PMA (or non-significant STC) applicant seeks to modify a product that already has the final rule in its certification basis. Accordingly, the FAA finds that neither a Regulatory Flexibility Act analysis nor a supplemental NPRM is required.

---------------------------------------------------------------------------
\29\ 65 FR 36266, June 7, 2000.
---------------------------------------------------------------------------

Garmin commented that the cost discussion misses the fact that Sec. 25.1309(b)(4), without a cutset limit, could result in additional costs to redesign the systems from what has historically been acceptable and conventional. Garmin also stated that the 1/1000 requirement could be applied to any level of cutset, which could drive design changes, and that there are additional costs to negotiate with the FAA to produce the analysis that proves 1/1000 is met or that latency is minimized; thus, the FAA should revise the cost-benefit analysis to include those costs.

In this final rule, the FAA is not adopting the 1/1000 requirement that it had proposed for Sec. 25.1309(b)(4); that section will not apply if the associated system meets the average risk requirements of Sec. 25.1309(b)(1) and (b)(2), assuming the SLF has occurred. Moreover, the FAA has moved the 1/1000 criterion to AC 25.1309-1B as guidance. These changes address the commenter's concern that proposed Sec. 25.1309(b)(4) needed a minimal cutset limit. There may be demonstration or negotiation costs to show impracticality or minimization of the SLF latency, but these costs are already accounted for in the cost-benefit analysis of the Changed Product Rule, Sec. 21.101.

Garmin questioned whether the FAA has adequately justified the cost of applying the specific risk criteria of proposed Sec. 25.1309(b)(4) and (b)(5) to systems that have not historically had such a requirement. Garmin also requested that the FAA update the cost discussion for specific risk to acknowledge that for most of the aircraft systems the existing Sec. 25.1309(b) is the right baseline.

Given that in the final rule, the Sec. 25.1309(b)(4) and (b)(5) requirements are closely aligned with the corresponding EASA requirements, the FAA responds that the correct baseline is the EASA rule since it is already in place.
Using that baseline, the additional cost to manufacturers is, at most, minimal since manufacturers already have to meet the corresponding EASA requirements.

Garmin stated that if the FAA regulations remain different from EASA's, then the cost of an applicant's validation to differing expectations should be considered. Also, TCCA commented that the cost-benefit assessment could improve by increasing harmonization.

As already noted, the FAA has increased the level of harmonization between the final rule and EASA CS-25, as compared to the NPRM, to such an extent that the remaining costs associated with this rulemaking are minimal.

5. Aircraft Certification, Safety, and Accountability Act

The preamble of the NPRM included a summary of the FAA's ongoing implementation of Section 115 of the Aircraft Certification, Safety, and Accountability Act (ACSAA). The FAA received one comment on these implementation activities, a supportive comment from ALPA. The FAA continues to take action to implement Section 115, including the revision of relevant guidance documents such as AC 25.1309-1B, which the FAA issued as part of this rulemaking.

6. Other

The FAA received a request from GAMA/AIA to include a file within the [[Page 68723]] docket that contained the FAA's responses to all NPRM comments that the FAA received. The FAA does not agree with this request. This final rule discusses the comments in detail. Additionally, many comments on the NPRM are no longer relevant because the FAA has revised the final rule to increase harmonization with EASA CS-25.

The FAA also received comments from Airbus, Boeing, Bombardier, EASA, GAMA/AIA, and TCCA to revise specific preamble text of the NPRM. This final rule does not restate the entirety of the NPRM preamble, so specific editorial suggestions are not applicable, except as noted in the preceding discussion of definitions. No changes were made to this final rule in this regard.

K. Advisory Material

The FAA has issued three new ACs and revisions to two existing ACs to provide guidance material for acceptable means, but not the only means, of showing compliance with the regulations in this final rule. These ACs are available in the public docket for this rulemaking:

- AC 25.671-1, Control Systems--General.
- AC 25.901-1, Safety Assessment of Powerplant Installations.
- AC 25.933-1, Unwanted In-Flight Thrust Reversal of Turbojet Thrust Reversers.
- AC 25.629-1C, Aeroelastic Stability Substantiation of Transport Category Airplanes.
- AC 25.1309-1B, System Design and Analysis.

VI. Regulatory Notices and Analyses

Federal agencies consider impacts of regulatory actions under a variety of executive orders and other requirements. First, Executive Order 12866 and Executive Order 13563, as amended by Executive Order 14094 (``Modernizing Regulatory Review''), direct that each Federal agency shall propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify the costs. Second, the Regulatory Flexibility Act of 1980 (Pub. L. 96-354) requires agencies to analyze the economic impact of regulatory changes on small entities. Third, the Trade Agreements Act (Pub. L. 96-39) prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. Fourth, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate that may result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more annually (adjusted annually for inflation) in any one year. The current threshold after adjustment for inflation is $183,000,000, using the most current (2023) Implicit Price Deflator for the Gross Domestic Product.
The FAA has provided a detailed Regulatory Impact Analysis (RIA) in the docket for this rulemaking. This portion of the preamble summarizes the FAA's analysis of the economic impacts of this final rule. In conducting these analyses, the FAA determined that this final rule (1) has benefits that justify its costs; (2) is not significant under section 3(f)(1) of Executive Order 12866 as amended; (3) will not have a significant economic impact on a substantial number of small entities; (4) will not create unnecessary obstacles to the foreign commerce of the United States; and (5) will not impose an unfunded mandate on State, local, or tribal governments, or on the private sector. These analyses are summarized below.

A. Regulatory Evaluation

1. Summary of Rule Provisions

In the NPRM, the FAA proposed to amend certain airworthiness regulations to standardize the criteria for conducting safety assessments for systems, including flight controls and powerplants, installed on transport category airplanes. This final rule generally is adopted as proposed. In some provisions, the FAA has increased the level of harmonization between the final rule and EASA CS-25, as compared to the NPRM, to such an extent that the remaining costs associated with this rulemaking are minimal.

The predominant action of the final rule will:

Require applicants to minimize, to the extent possible, the problem of significant latent failures (SLFs), a problem that is highlighted in the case of catastrophic dual failures, where a latent failure can leave the airplane one active failure away from a catastrophic accident.

The rule also:

Institutes an ``airplane-level'' SSA that will integrate and, to the extent possible, standardize safety assessment criteria across critical airplane systems:

    [cir] Reflecting the much greater integration of modern aircraft systems (e.g., avionics and fly-by-wire systems) as compared to what they were when the current safety criteria in Sec. 25.1309 and other system safety assessment rules were established in 1970.\30\

---------------------------------------------------------------------------
\30\ 35 FR 5665 (Apr. 8, 1970).
---------------------------------------------------------------------------

    [cir] Including removal of general systems safety criteria from Sec. 25.901(c) [Powerplant Installation] and pointing to Sec. 25.1309 (General System Safety Criteria) for these criteria, and allowing a ``reliability'' (Sec. 25.1309) option in addition to the current ``controllability'' requirement for developing designs for turbojet thrust reversing systems (Sec. 25.933).

Requires CMRs to identify and restrict exposure to the SLF conditions addressed in Sec. 25.1309 and requires CMRs to be contained in the ALS of the ICA.

Updates SSA requirements in order to address new technology in flight control systems and the effects these systems can have on airplane controllability.

    [cir] For airplanes equipped with fly-by-wire control systems, compensates for a lack of direct tactile link between flightdeck control and control surface by providing natural or artificial control feel forces or flightcrew alerting.

Requires assessment of the effect of system failures on airplane structural loads.

Revises applicability of the requirement that equipment and systems perform their intended functions:

    [cir] Broadens the applicability of Sec. 25.1309 to include any equipment or system installed in the airplane regardless of whether it is required for type certification, operating approval, or is optional equipment.
    [cir] Allows equipment associated with passenger amenities (e.g., entertainment displays and audio systems) not to work as intended as long as the failure of such systems would not affect airplane safety.

2. Cost and Benefits of the Final Rule

As discussed below, the FAA finds that all provisions of this final rule are closely harmonized with corresponding EASA provisions already in effect.
This means that manufacturers face no additional cost because they already have to meet the EASA requirements, and in most cases, the provisions of this final rule are cost-beneficial owing to reduced costs from joint harmonization. Some provisions of the final rule are cost-relieving. Moreover, most, if not all, of the rule provisions are already in effect owing to industry practice, ELOS findings, or special conditions.\31\ There is no additional cost for provisions that are already voluntary industry practice or voluntary ELOS findings. Special conditions have been required, but owing to the long duration of these special conditions (20-40 years), the FAA finds that they are now accepted by industry as the low-cost actions for the issues addressed, so there is no change with codification and, therefore, no additional cost. The FAA asked for comments on this last finding in the NPRM and received none.

---------------------------------------------------------------------------
\31\ The FAA issues special conditions when we find that the airworthiness regulations for an aircraft, aircraft engine, or propeller design do not contain adequate safety standards, because of a novel or unusual design feature. These special conditions stay in place until they are replaced by adequate regulations, as is done in this rulemaking.
---------------------------------------------------------------------------

a. Section 25.1309 Equipment, Systems, and Installations

There was no change to Sec. 25.1301 in the final rule compared to the NPRM, and there were no changes to Sec. 25.1309(a) in the final rule except for a small change in Sec. 25.1309(a)(2) to match the ARAC language and to harmonize with EASA. The rule revises current Sec. 25.1309(a) into two paragraphs. Section 25.1309(a)(1) revises the applicability of the Sec. 25.1309(a) requirement that equipment and systems perform their intended function.
Section 25.1309(a)(1) clarifies that the rule applies to any equipment or system installed in the airplane regardless of whether it is required for type certification, operating approval, or is optional equipment. As this requirement harmonizes closely with EASA's corresponding requirement, with which part 25 manufacturers are already required to comply, there is no additional cost. However, the requirement has reduced costs from joint harmonization and, therefore, will be cost-beneficial.

Along with an associated change to Sec. 25.1301, ``Function and Installation,'' Sec. 25.1309(a)(2) will allow equipment associated with passenger amenities (e.g., entertainment displays and audio systems) not to function as intended as long as the failure of such systems does not affect airplane safety. No safety benefit is derived from demonstrating that such equipment performs as intended if failing to perform as intended will not affect safety. Accordingly, this change will reduce the certification cost of passenger amenities for airplane manufacturers without affecting safety; therefore, this change is cost-beneficial.

i. Sections 25.1309(b)(1), (b)(2), and (b)(3) (Average Risk and Fail-Safe Criteria)

The current rule requires that airplane systems and associated components be designed so that any failure condition that ``would prevent the continued safe flight and landing of the airplane'' (catastrophic failure condition) is ``extremely improbable,'' a condition specified in AC 25.1309-1A (6-21-1988) as ``on the order of <=10^-9 per flight hour.'' This is the traditional ``average risk'' requirement and is retained in the final rule at Sec. 25.1309(b)(1)(i).
The current rule requires any failure condition that ``would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions'' to be ``improbable'' (on the order of 10^-9 < p <=10^-5), a failure condition specified in current AC 25.1309-1A as ``major.'' Current practice, however, has been to use the SDAHWG recommended ``Arsenal'' draft AC 25.1309 (6-10-2002) under which the previous ``major'' failure condition has been divided into two categories: ``hazardous'' (on the order of 10^-9 < p <=10^-7) and ``major'' (on the order of 10^-7 < p <=10^-5), categories that have been incorporated into this final rule in Sec. 25.1309(b)(2) and (b)(3). These changes can be thought of as the average risk criteria for hazardous and major failure conditions.

As it harmonizes with corresponding EASA major and hazardous categories and is current industry practice, this rule change entails no additional costs and is cost-beneficial from reduced costs of joint harmonization. The FAA asked for comments on this finding but received none. Moreover, the rule structure and intent are in perfect harmony with EASA's corresponding requirements and, therefore, will entail no additional cost to manufacturers.

As recommended by the SDAHWG, Sec. 25.1309(b)(1)(ii) will explicitly require that single failures must not result in catastrophic failures--the ``no single failure'' fail-safe requirement. As it harmonizes with the equivalent EASA requirement and is already current industry practice, this requirement is cost-beneficial as it entails no additional costs but has reduced costs from joint harmonization.\32\

---------------------------------------------------------------------------
\32\ The no single failure requirement was inadvertently removed in 1970 but remained industry practice. At the same time, the no single failure requirement was made explicit for flight controls, and in 1977 was made explicit for powerplants.
--------------------------------------------------------------------------- ii. Sections 25.1309(b)(4) and (b)(5) (Specific Risk Criteria) Sections 25.1309(b)(4) and (b)(5) represent the predominant change to existing SSA requirements in that they are adding specific risk approaches to SSA to supplement the traditional average risk approach in order to address the problem of latent failures. Section 25.1309(b)(4) requires the elimination of SLFs to the extent practical, or, if not practical, to minimize them so as to limit situations where the airplane is one failure away from a catastrophic accident. (This is particularly important in the case of catastrophic CSL+1 dual failures specifically addressed in the section on Sec. 25.1309(b)(5) immediately following.) The NPRM also required that the product of the maximum time the latent failure is expected to be present and its average failure rate not exceed 1/1000. Based on comments on the NPRM that this requirement was onerous and not in harmony with EASA, this provision was moved to AC 25.1309-1B, System Design and Analysis, as a possible means of compliance. Several commenters on the NPRM also pointed out that, in many cases, it would be wasteful to require analysis of an SLF with sufficient redundancy that the average risk criteria continued to hold even when setting the SLF probability to unity.\33\ Consequently, Sec. 25.1309(b)(4) does not apply in those cases. This exception is not in the corresponding CS 25.1309(b)(4), but even with this difference, compared to the NPRM, this provision is more closely harmonized with the EASA provision as the FAA has removed an intermediate step--the less than 1/1000 criterion--that is not in the EASA rule and moved it to AC 25.1309-1B. 
---------------------------------------------------------------------------
\33\ SLFs are identified at the beginning of an SSA, or during a Preliminary SSA, in which the manufacturer undertakes a functional hazard assessment on the basis of which a hazard's ``hazard classification'' is validated as catastrophic, hazardous, etc. These evaluations are qualitative and are independent of ``average'' risk criteria that a catastrophic failure condition should be ``extremely improbable'' or <=10^-9, or that a hazardous failure condition should be ``extremely remote'', or <=10^-7.
---------------------------------------------------------------------------

Accordingly, the FAA finds no costs to this provision as manufacturers already have to comply with a corresponding EASA provision. Moreover, elimination of SLFs when practical is already industry practice. Since the provision entails no costs, the FAA finds the rule to be cost-beneficial because of reduced costs from joint harmonization.

iii. Section 25.1309(b)(5) (CSL+1 Dual Failures)

A ``CSL+1 (Catastrophic Single Latent Plus One)'' refers to a catastrophic failure condition caused by a single latent failure and an active (evident) failure. Section 25.1309(b)(5)(i), adopted as proposed, is similar to Sec. 25.1309(b)(4) in that it also requires the dual failure to be eliminated if practical. An example is an AD action that eliminated the CSL+1 dual failure that caused the catastrophic Lauda Air Flight 004 (1994); the AD required that a third lock be added to the thrust reverser system. This change converted the dual failure condition to a triple failure condition and removed the airplane from a situation where it was one failure away from a catastrophic accident.

If the dual failure condition cannot be eliminated, additional control is appropriate beyond the traditional ``extremely improbable'' (average risk) requirement applied to a combination of failures.
The additional control takes the form of two specific risk criteria: (1) a requirement to ``limit residual probability'' (Sec. 25.1309(b)(5)(ii)) and (2) a ``limit latency'' requirement (Sec. 25.1309(b)(5)(iii)). The requirement to limit the residual probability limits the probability of a catastrophic failure in the presence of a latent failure to be ``remote'' (on the order of <=10^-5). So, this requirement limits the risk of a catastrophic accident in the situation where a latent failure has occurred, and the airplane is a single failure away from a catastrophic accident.\34\ The limit latency requirement limits the probability of the latent failure itself to be <=1/1000 so as to limit the time, between maintenance inspections, that the airplane is operating one failure away from a catastrophic accident.\35\ \36\ There are no substantial changes to Sec. 25.1309(b)(5) in the final rule compared to the NPRM.

---------------------------------------------------------------------------
\34\ More generally, if multiple active failures could cause a catastrophic accident in the presence of the latent failure, the average probability (per flight hour) of these active failures must be remote.
\35\ More generally, the sum of the probabilities of the latent failures combined with an active failure must be <= 1/1000.
\36\ Since the 10^-9 average risk criterion must also be met, if residual risk is on the order of 10^-5, the latent failure rate must be 10^-4 or less. Conversely, if the latent failure rate is at 10^-3, residual risk must be on the order of 10^-6 or less.
---------------------------------------------------------------------------

The FAA finds that Sec. 25.1309(b)(5) is in perfect harmony with CS 25.1309(b)(5) in structure and intent and closely harmonizes in rule language. Accordingly, there is no cost to this provision because manufacturers already have to comply with an equivalent EASA requirement.
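
The interaction of the three limits described above for a CSL+1 condition (residual probability, latency, and average risk) can be worked through numerically. The following Python code is an added example and is not part of the rule, AC 25.1309-1B, or any FAA tool. It assumes the simple product model that footnote 36 reasons with, treats latent probability as failure rate times inspection interval, and uses constructed function names and sample rates.

```python
"""CSL+1 specific risk checks from Sec. 25.1309(b)(5), as a worked model.

Added illustration only. Assumptions (not taken from the rule text):
  * latent probability   = latent failure rate x exposure interval
  * residual probability = sum of the active failure rates, per flight hour
  * average probability  = latent probability x residual probability
    (the simple product that footnote 36 of the preamble reasons with)
"""
import math
from dataclasses import dataclass

EXTREMELY_IMPROBABLE = 1e-9  # average risk limit for a catastrophic condition
REMOTE = 1e-5                # residual probability limit, (b)(5)(ii)
LATENCY_LIMIT = 1e-3         # latent probability limit, (b)(5)(iii)


def _within(value, limit):
    """True if value <= limit, tolerating float noise at the boundary."""
    return value <= limit or math.isclose(value, limit, rel_tol=1e-9)


def _check_rates(latent_rate, active_rates):
    if latent_rate < 0 or any(r < 0 for r in active_rates):
        raise ValueError("failure rates must be non-negative")
    if not active_rates:
        raise ValueError("a CSL+1 condition needs at least one active failure")


@dataclass(frozen=True)
class Csl1Result:
    latent_probability: float
    residual_probability: float
    average_probability: float
    meets_residual: bool
    meets_latency: bool
    meets_average_risk: bool

    @property
    def compliant(self):
        return (self.meets_residual and self.meets_latency
                and self.meets_average_risk)


def assess_csl_plus_one(latent_rate, exposure_hours, active_rates):
    """Evaluate one latent failure combined with its active failure(s).

    latent_rate    -- latent failure rate per flight hour
    exposure_hours -- flight hours between inspections that would find it
    active_rates   -- per-flight-hour rates of each active failure that is
                      catastrophic once the latent failure is present
    """
    _check_rates(latent_rate, active_rates)
    if exposure_hours < 0:
        raise ValueError("exposure interval must be non-negative")
    latent_p = min(1.0, latent_rate * exposure_hours)
    residual_p = sum(active_rates)
    average_p = latent_p * residual_p
    return Csl1Result(
        latent_p, residual_p, average_p,
        meets_residual=_within(residual_p, REMOTE),
        meets_latency=_within(latent_p, LATENCY_LIMIT),
        meets_average_risk=_within(average_p, EXTREMELY_IMPROBABLE),
    )


def max_exposure_hours(latent_rate, active_rates):
    """Longest inspection interval meeting all three criteria.

    Returns (hours, binding_criterion). If the residual probability is not
    remote, no interval can help and the result is
    (None, "residual probability").
    """
    _check_rates(latent_rate, active_rates)
    residual_p = sum(active_rates)
    if not _within(residual_p, REMOTE):
        return None, "residual probability"
    if latent_rate == 0:
        return math.inf, "none"
    latency_bound = LATENCY_LIMIT / latent_rate
    if residual_p == 0:
        return latency_bound, "limit latency"
    average_bound = EXTREMELY_IMPROBABLE / (latent_rate * residual_p)
    if average_bound < latency_bound:
        return average_bound, "average risk"
    return latency_bound, "limit latency"


if __name__ == "__main__":
    # Constructed sample cases: (latent rate /fh, interval h, active rates /fh)
    cases = [
        (1e-7, 500, [1e-5]),    # meets all three limits
        (1e-7, 5000, [1e-5]),   # latency met, average risk exceeded
        (1e-7, 20000, [1e-7]),  # average risk met, latency exceeded
        (1e-6, 1000, [1e-6]),   # footnote 36 boundary: 10^-3 x 10^-6
    ]
    for rate, hours, active in cases:
        print(rate, hours, active, assess_csl_plus_one(rate, hours, active))
        print("  longest interval:", max_exposure_hours(rate, active))
```

With a residual probability at the 10^-5 limit, the average risk criterion rather than the 1/1000 latency limit sets the longest inspection interval, which is the relationship footnote 36 describes.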
Therefore, this rule is cost-beneficial because of reduced costs from joint harmonization.

iv. Section 25.1309(c) (Flightcrew Alerting)

Section 25.1309(c) currently requires that warning information be provided to the flightcrew to alert them to unsafe system operating conditions and to enable them to take appropriate corrective action. Revised Sec. 25.1309(c) requires that information be provided to the flightcrew concerning unsafe system operating conditions, rather than requiring only warnings and, in a change to the NPRM that more closely harmonizes with the corresponding EASA provision, that it be provided in a timely manner. The revision will remove an incompatibility with Sec. 25.1322, which allows other sensory and tactile feedback from the airplane caused by inherent airplane characteristics to be used in lieu of dedicated indications and annunciations if the applicant can show such feedback is sufficiently timely and effective to allow the crew to take corrective action. These changes closely harmonize Sec. 25.1309(c) with CS 25.1309(c). Owing to close harmonization with EASA's rule already in place, there is no cost entailed by these rule changes.

v. Section 25.1309(d) (Reserved)

Current Sec. 25.1309(d) specifies that compliance to Sec. 25.1309(b) must be shown by analysis and appropriate testing, and must consider possible modes of failure, including malfunctions and damage, and also that the assessment considers crew warning cues, corrective action required, and the capability of detecting faults. With this rulemaking, for two reasons, the FAA moves that content to AC 25.1309-1B, along with expanded guidance on the safety assessment process: (1) Section 25.1309 is a performance-based regulation for which methods of compliance are more appropriately provided in guidance, and (2) the items for consideration listed in Sec. 25.1309(d) constitute an incomplete method of compliance to Sec. 25.1309(b).
This change is cost-beneficial because requirements have been relegated to guidance material, giving manufacturers greater flexibility. CS 25.1309(d) simply states that EWIS must be assessed per CS 25.1709. The current FAA rule has the same requirement in Sec. 25.1309(f), but it was removed in the NPRM on the basis of redundancy, and proposed Sec. 25.1309(d) was used for the CMR requirement. In the final rule, the CMR requirement has been moved to Sec. 25.1309(e) (see next section) and Sec. 25.1309(d) is now reserved. vi. Section 25.1309(e) and H25.4 (Certification Maintenance Requirements) CMRs are inspection and maintenance tasks and associated inspection intervals that are used to identify and restrict exposure of critical airplane safety systems to catastrophic and hazardous failure conditions, including wear-related failures. An example highlighting the importance of CMRs is the catastrophic crash of Alaskan Airlines, Flight 261, in the Pacific Ocean off the California coast on January 31, 2000, killing all 88 passengers and crew.\37\ The NTSB determined that the probable cause of this accident was a catastrophic loss of airplane pitch control resulting from in-flight failure of the jackscrew assembly of the horizontal stabilizer trim system. That failure was related to maintenance of this system, specifically the accelerated excessive wear of a critical part as a result of insufficient lubrication. --------------------------------------------------------------------------- \37\ NTSB Safety Recommendation A-02-51 is available in the docket and at www.ntsb.gov/safety/safety-recs/recletters/A02_36_51.pdf. --------------------------------------------------------------------------- Section 25.1309(e) is a new provision \38\ requiring that CMRs be established, as necessary, to prevent catastrophic and hazardous failure conditions, and occasionally, major failure conditions, described in Sec. 25.1309(b). The CMR requirement was proposed in Sec. 
25.1309(d) in the NPRM. The ``as necessary'' qualifier was added in the final rule to clarify that the FAA does not require CMRs for all failure conditions. Section 25.1309(e) also will require these CMRs to be contained in the ALS of the ICA required by Sec. 25.1529. This latter requirement is an industry recommendation via the SE-172 Taskforce to the Commercial Aviation Safety Team (CAST) \39\ and responds to the Taskforce's recognition that CMRs are critical to safety and should have treatment similar to other Airworthiness Limitations.

---------------------------------------------------------------------------
\38\ The NPRM Sec. 25.1309(e) specified that the flight control jam conditions addressed by Sec. 25.671(c) do not apply to Sec. 25.1309(b)(1)(ii). This exclusion is now in the introductory paragraph of Sec. 25.1309.
\39\ skybrary.aero/sites/default/files/bookshelf/2553.pdf.
---------------------------------------------------------------------------

Both of these requirements will codify industry practice and will harmonize with CS 25.1309 and H25.4, so industry will incur no additional costs. The rule is cost-beneficial from reduced costs of joint harmonization.\40\

---------------------------------------------------------------------------
\40\ EASA. Certification Specifications and Acceptable Means of Compliance for Large Aeroplanes (CS-25), Amendment 20, 25 August 2017.
---------------------------------------------------------------------------

vii. Section 25.1309(f) (Removed)

The FAA has removed paragraph (f) from Sec. 25.1309 and paragraph (b) from Sec. 25.1301. Section 25.1301(b) requires that the airplane's EWIS meet the requirements of subpart H of 14 CFR part 25. Subpart H was created (at amendment 25-123, in 2007) as the single place for the majority of wiring certification requirements. The references in Sec. Sec. 25.1301(b) and 25.1309(f) are redundant and unnecessary because subpart H specifies their applicability.
The NPRM Sec. 25.1301(f) was used to specify exceptions to Sec. 25.1309(b), which are now provided in the introduction of Sec. 25.1309. b. Section 25.629 Aeroelasticity Stability Requirements The FAA is revising Sec. 25.629(a) to add wording to clarify that the aeroelastic evaluation must include any condition of operation within the maneuvering envelope. This is current industry practice because such conditions are allowed operational conditions and, therefore, need to be free from aeroelastic instabilities. Also, this requirement is stated explicitly for part 23 airplanes in 14 CFR part 23 and CS-23. The FAA is also revising Sec. 25.629(a) to consistently use the singular term ``evaluation'' where it appears in order to prevent confusion. Section 25.671(c)(2) currently specifies examples of failure combinations that require evaluation, including dual electrical and dual hydraulic system failures and any single failure combined with any probable hydraulic or electrical failure. Section 25.629(d)(9) currently requires that the airplane be shown to be free from flutter considering various failure conditions considered under Sec. 25.671, which include the example failure conditions specified in Sec. 25.671(c)(2). These examples are being removed from current Sec. 25.671(c)(2). These failure conditions, however, have provided an important design standard for dual actuators on flight control surfaces that rely on retention of restraint stiffness or damping for flutter prevention. Therefore, the FAA relocates these examples to the aeroelastic stability requirements of Sec. 25.629(d) and made changes to the paragraph numbers to correspond with EASA's rule, as requested by commenters. These changes are cost-beneficial owing to complete harmonization with the corresponding CS 25.629 provision. The NPRM also proposed a change to Sec. 25.629(b) that would require that design conditions include the range of load factors specified in Sec. 25.333. 
Commenters objected that the proposed change was an expansion of the traditional scope of Sec. 25.629, and it disharmonized with EASA requirements. The FAA agreed to remove the proposed change to Sec. 25.629(b), substituting an alternative change in Sec. 25.629(a), clarifying that aeroelastic evaluation must include any condition of operation within the maneuvering envelope. This revision has no cost as it is clarifying and is current industry practice. c. Section 25.671 General (Control Systems) i. Section 25.671(a), (d), (e), and (f) (Control Systems) The substantive revisions to these requirements are the new criteria in the second sentence of Sec. 25.671(a); the addition of the phrase, ``and an approach and flare to a landing and controlled stop, and flare to a ditching, is possible'' in Sec. 25.671(d); and the new requirements in Sec. 25.671(e) and (f). The modification to Sec. 25.671(d) clarifies that controllability when all engines fail includes the capability to approach and flare to a landing and controlled stop, and flare to a ditching, and harmonizes with CS 25.671(d). In the NPRM, Sec. 25.671(d) includes the sentence: ``The applicant may show compliance with this requirement by analysis where the applicant has shown that analysis to be reliable.'' This sentence is not included in the final rule as it describes an acceptable means of compliance, which is adequately covered in the corresponding guidance. The new paragraph (e) of Sec. 25.671 requires that the airplane be designed to indicate to the flightcrew whenever the primary control means are near the limit of control authority. On airplanes equipped with fly-by-wire control systems, there is no direct tactile link between the flightdeck control and the control surface, and the flightcrew may not be aware of the actual control surface position. 
If the control surface is near the limit of control authority, and the flightcrew is unaware of that position, it could negatively affect the flightcrew's ability to control the airplane in the event of an emergency. The airplane could meet this requirement through natural or artificial control feel forces, by cockpit control movement if shown to be effective, or by flightcrew alerting that complies with Sec. 25.1322. The new paragraph (f) of Sec. 25.671 requires that appropriate flight crew alerting be provided if the flight control system has multiple modes of operation whenever the airplane enters any mode that significantly changes or degrades the normal handling or operational characteristics of the airplane. On some flight control system designs, there may be sub-modes of operation that change or degrade the normal handling or operational characteristics of the airplane. Similar to control surface awareness, the flightcrew should be made aware if the airplane is operating in such a sub-mode. Aside from the one change already noted, there are no substantial changes to Sec. 25.671(a), (d), (e), and (f) in the final rule compared to the NPRM. Manufacturers face little or no additional cost from these provisions because they are already required by CS 25.671 in language that exactly matches Sec. 25.671 in language structure and closely matches Sec. 25.671 in the language itself. Therefore, there is no additional cost resulting from these provisions. Moreover, since industry has been meeting the new criteria in Sec. 25.671(a), (e), and (f) under special conditions since the early 1980s, the FAA believes that industry now accepts Sec. 25.671(a), (e), and (f) as necessary low-cost actions. Again, there is no additional cost. For this reason, the FCHWG recommended these new criteria with little debate. ii. 
Section 25.671(b) (Minimize Probability of Incorrect Assembly)

Section 25.671(b) is revised to allow distinctive and permanent marking for flight control systems to minimize the probability of incorrect assembly only when design means are impractical. Aside from minor language changes, there are no changes to this provision in the final rule relative to the NPRM. It is expert consensus that the physical prevention of misassembly by design is safer than reliance on marking, which can be overlooked or ignored. Although not flight control related, fuel tank access doors provide an example. Since these doors are required to have greater strength because of the location, fuel tank access door systems are designed so that other doors will not securely fit in the fuel tank access door openings.

Since distinctive and permanent marking to minimize the probability of incorrect assembly is disallowed only when design means are practical, the expected gain in safety benefits from the reduced probability of incorrect assembly is greater than the costs of the rule revision. Accordingly, the FAA finds this provision to be cost-beneficial. The FAA requested comments on this finding and received none. In any case, manufacturers face no additional cost because Sec. 25.671(b) closely aligns with CS 25.671(b) with which they must already comply.

iii. Section 25.671(c) (Flight Control Jams)

For flight controls, revised Sec. 25.671(c) is analogous to Sec. 25.1309(b) in having requirements for the single failure (Sec. 25.671(c)(1)), the combinational failure (Sec. 25.671(c)(2)), and specific risk (Sec. 25.671(c)(3)). Sections 25.671(c)(1) and (c)(2) have some language changes, but the intent of each provision is unchanged from the current rule. The NPRM proposed to remove Sec. 25.671(c)(1) and (c)(2) because all single and combinational failures are covered by the foundational Sec. 25.1309. However, the FAA agrees with commenters that Sec.
25.671(c)(1) and (c)(2) should be retained because removal would disharmonize with EASA's corresponding requirements and because different means of compliance are normally used for Sec. 25.671(c) and Sec. 25.1309(b). Accordingly, paragraphs (c)(1) and (c)(2) of current Sec. 25.671 are retained in the final rule. Section 25.671(c)(3) is revised as follows: (1) In Sec. 25.671(c)(3), the FAA clarifies that the provision applies only to jams due to a physical interference (e.g., foreign or loose object, system icing, corroded bearings). All other failures or events that result in either a control surface, pilot control, or component being fixed in position are addressed under Sec. 25.671(c)(1) and (c)(2) and Sec. 25.302 where applicable. (2) Section 25.671(c)(3) no longer addresses a runaway of a flight control surface and subsequent jam. A failure that results in uncommanded control surface movement is addressed by Sec. 25.671(c)(1) and (c)(2). (3) Section 25.671(c)(3)(iii) is a new requirement specifying that given a jam, the combined probability is 1/1000 or less that any additional failure conditions could prevent continued safe flight and landing. This requirement is to ensure adequate reliability of any system necessary to alleviate the jam when it occurs. This specific risk requirement is analogous to the 1/1000 latent specific risk requirement for potential catastrophic single latent failure plus one (CSL+1) failure conditions discussed above for Sec. 25.1309(b)(5), which is required to ensure a safety margin in the event of an active failure. (4) While current Sec. 25.671(c)(3) allows the use of probability analysis, applicants have generally been unable to demonstrate that jamming conditions are ``extremely improbable,'' except for conditions that occur during a very limited time just prior to landing. Because of this issue with probability assessment for jams, the FAA has revised Sec. 
25.671(c)(3) to require that the manufacturer's safety assessments assume that jamming conditions will occur--probability set equal to one--when showing that the airplane is capable of continued safe flight and landing. For the same reason, the jamming conditions of Sec. 25.671(c)(3) are excluded from the probability requirements of Sec. 25.1309(b). The assumption that the jam will occur--and that the airplane will be able to withstand it--does not apply to jamming conditions that occur immediately before touchdown if the risk of a jam is minimized to the extent practical. For jams that occur just before landing, some amount of time and altitude is necessary in order to recover, and there is no practical means by which a recovery can be demonstrated. Hence the requirement that the risk of a jam be minimized to the extent practical. (This is a change from the NPRM where the requirement was that the applicant show that such jams are extremely improbable.) This change creates a difference in the language of Sec. 25.671(c)(3)(ii) and CS 25.671(3)(ii) because EASA does not have this exception in its rule. In its Acceptable Means of Compliance (AMC) Sec. 25.671, however, EASA states that, ``if continued safe flight and landing cannot be demonstrated, perform a qualitative assessment of the design, relative to jam prevention and jam alleviation means, to show that all practical precautions have been taken . . . .'' Consequently, the FAA expects the difference between Sec. 25.671(c)(3)(ii) and CS 25.671(c)(3)(ii) to have no effect in practice. There are no additional substantial differences between the final rule and the NPRM with respect to Sec. 25.671(c)(3). Section 25.671 has changed from the NPRM to the point where it is almost perfectly aligned in structure and intent, and closely aligned in text language, with CS 25.671. 
Section 25.671 is now so closely aligned that there is no additional cost from the FAA provision because manufacturers already have to meet the EASA provision. Moreover, as already noted, industry has been meeting the new criteria in Sec. 25.671(a), (e), and (f) under special conditions since the early 1980s. Because of that experience, the FAA believes that manufacturers now accept these special conditions as the low-cost necessary actions. Again, there is no additional cost. Finally, the FAA believes that Sec. 25.671(c)(3) is already accepted as the low-cost industry practice as it has been used by many manufacturers under a voluntary ELOS. d. Section 25.901 Installation (Powerplants) The revision to Sec. 25.901(c) moves basic systems safety criteria to Sec. 25.1309 and is finalized as proposed. In so doing, Sec. 25.901(c) clarifies that Sec. 25.1309 applies to powerplant (engine) installations, as it does for all airplane systems. Accordingly, the current provision in Sec. 25.901(c) prohibiting catastrophic single failures or probable combinations of failures is removed. Design requirements do not change as a result of this revision to the rule. There are no substantial changes in the final rule compared to the NPRM. The revision exactly harmonizes the structure and very closely harmonizes the text of Sec. 25.901(c) with EASA's corresponding CS 25.901(c). Accordingly, the revision is cost-beneficial as it provides reduced costs from joint harmonization since manufacturers must already comply with CS 25.901(c). The FAA asked for comments on this finding in the NPRM and received none. e. Section 25.933 Reversing Systems (Controllability and Reliability Options) In the event of an inadvertent activation of the thrust reverser during flight, current Sec. 
25.933(a) requires that the airplane be capable of ``continued flight and landing.'' The service history of airplanes certified under the current rule--most prominently, the aforementioned catastrophic Lauda Air accident in Thailand--has demonstrated that the intent of this ``fail-safe'' requirement had not been achieved. As discussed in the section on Sec. 25.1309(b)(5) above, the catastrophic failure condition that caused the Lauda Air accident was corrected by adding redundancy to convert a dual failure condition to a triple failure condition. This revision to Sec. 25.933(a) further addresses the thrust reverser issue with a revised Sec. 25.933(a)(1)(i) that retains ``controllability'' from the current rule as an option, but also revises Sec. 25.933(a)(1)(ii) to provide an additional ``reliability'' option using the requirements of Sec. 25.1309(b).\41\ The [[Page 68728]] reliability option recognizes that Sec. 25.1309 applies to all systems. There are no substantial differences between the final rule and the NPRM with respect to Sec. 25.933(a). --------------------------------------------------------------------------- \41\ It should be noted that the controllability option would still require compliance with Sec. 25.1309. But when an applicant demonstrates compliance using the controllability option, that ensures that an unwanted thrust reversal in flight would be classified at worst as a ``major'' failure, thereby making compliance with Sec. 25.1309(b) much easier. --------------------------------------------------------------------------- The final rule (and NPRM) for Sec. 25.933(a) is in close harmony with the corresponding CS 25.933(a) as it is identical in rule structure and intent. Accordingly, there is no additional cost to this rule as manufacturers already have to comply with CS 25.933(a). Moreover, Sec. 
25.933(a) is cost-beneficial as it allows flexibility in design development, enabling manufacturers to achieve the intended level of safety in the most cost-effective manner. f. Section 25.302 Interaction of Systems and Structures There are many technical differences between the NPRM and the final rule. Nine major commenters, including Boeing and Airbus, asked the FAA to harmonize with EASA CS 25.302, even to the extent of using the same language and paragraph numbering. Commenters noted that CS 25.302 matches the FAA Interaction of Systems and Structures special condition that has been used for many years. Commenters stated that the differences between FAA and EASA requirements would create a substantial certification burden. The FAA agrees with the commenters and, except where discussed below, has agreed to match the language and structure of EASA's rule to the extent possible. i. Section 25.302(b) System Fully Operative The applicant must derive limit loads \42\ for the limit conditions specified in subpart C, taking into account the behavior of the system up to the limit loads. The applicant must show that the airplane meets the strength requirements of subparts C and D, using the appropriate factor of safety to derive ultimate loads from these limit loads. Section 25.302(b) is less verbose than the corresponding EASA text but uses some of the same language and has the same intent as EASA's version. Since Sec. 25.302(b) harmonizes with EASA CS 25.302(b), there are no incremental costs from paragraph (b), and the provision is cost-beneficial because of joint harmonization. --------------------------------------------------------------------------- \42\ Design loads are typically expressed in terms of limit loads, which are then multiplied by a factor of safety, usually 1.5, to determine ultimate loads. --------------------------------------------------------------------------- ii. 
Section 25.302(c) System in the Failure Condition This section applies for any failure condition not shown to be extremely improbable or that results from a single failure. CS 25.302(c) requires the evaluation of any system failure condition not shown to be extremely improbable but does not explicitly mention single failures. Nevertheless, evaluation of single failures would be required when evaluating CS 25.302. This is because single failures cannot be shown by a probability analysis to be extremely improbable. As noted in AC 25.1309-1A, dated June 21, 1988, ``In general, a failure condition resulting from a single failure mode of a device cannot be accepted as being extremely improbable.'' Extremely improbable failure conditions are those having an average probability per flight hour of 1 x 10^-9 or less. The FAA would not accept a probability analysis showing a single failure to be extremely improbable because such an estimation would not be considered reliable. An unreliable estimate could inadvertently result in a level of risk that was unsafe and not justified by any cost savings obtained. Accordingly, the FAA finds to be cost-beneficial the requirement of Sec. 25.302(c) to evaluate any system failure condition resulting from a single failure. At the time of occurrence, the applicant must determine the loads occurring at the time of failure and immediately after failure. For static strength substantiation, the airplane must be able to withstand the ultimate loads determined by multiplying the loads by a factor of safety related to the probability that the failure occurs. The factor of safety (F.S.) is shown in Figure 1. [GRAPHIC] [TIFF OMITTED] TR27AU24.000 Figure 1 shows the factor of safety to be constant at 1.5 for a probability of failure between 1.0 and 10^-5, and to decline linearly from 1.5 to 1.25 as Pj goes from 10^-5 to 10^-9, where Pj is the probability of failure. 
The factor of safety is not allowed to be below 1.5 at high probabilities of failure (>10^-5). For low probabilities of failure (<10^-5), the F.S. falls as the probability of failure falls but is not allowed to be less than 1.25 as the probability of [[Page 68729]] failure falls towards extreme improbability at 10^-9. Note that the probability of failure axis is in logarithmic scale. In the NPRM, this figure was not used as the FAA kept the factor of safety at 1.5 regardless of the probability of failure. In the final rule, this provision is cost-relieving relative to the NPRM because the FAA is now harmonizing with the less stringent EASA provision. For residual strength substantiation, the airplane must be able to withstand two-thirds of the ultimate loads. Residual strength is the strength that remains as the airplane structure deteriorates over time, so this test requires a prediction of that deterioration. Failures of the system that result in forced structural vibrations (oscillatory failures) must not produce loads that could result in detrimental deformation of primary structure. A forced structural vibration or oscillatory failure occurs when an oscillating system is driven by a periodic force that is external to the system. For the continuation of the flight, loads are determined for a limited set of conditions, as noted in Sec. 25.302(c)(2)(i). Section 25.302(c)(2)(i)(F) is an additional rule provision not in CS 25.302. This provision requires that if any system is installed or tailored to reduce the loads of a part 25 load condition, then that load condition must also be evaluated. This provision is necessary to account for any such systems as their failure will increase loads. The FAA believes this is a low-cost provision, having been applied in only a few cases over many years. For static strength substantiation, the structure must be able to withstand the loads determined in Sec. 25.302(c)(2)(i) multiplied by a factor of safety, as shown in Figure 2. 
[GRAPHIC] [TIFF OMITTED] TR27AU24.001 Qj = (Tj)(Pj) where: Tj = Average time spent in failure condition j (in hours) Pj = Probability of occurrence of failure mode j (per hour) Figure 2 shows the factor of safety falls linearly from 1.5 to 1.0 as Qj declines from 1 to 10^-5, and the factor of safety is constant at 1.0 between 10^-5 and 10^-9, where Qj = (Tj)(Pj), where Tj is the average time in the failure condition (in hours), and Pj is the probability of failure (per hour) or failure rate. So Qj is the (average) cumulative probability of failure. In contrast to the F.S. at the time of failure occurrence (Figure 1), the F.S. for continuation of flight (Figure 2) is allowed to fall immediately below 1.5 as failure probability falls from the highest probability of 1, and in contrast to the minimum F.S. of 1.25 for Figure 1, the Figure 2 safety margin is allowed to fall to 1.0 at 10^-5, where it remains as the probability of failure falls to extreme improbability at 10^-9. As with Figure 1, note that the Figure 2 probability of failure axis is in logarithmic scale. In the NPRM, this figure was not used as the FAA did not vary the factor of safety with the probability of system failure. The NPRM provision was less stringent than the final rule in reducing the factor of safety to 1.0 if the failure was annunciated. However, the NPRM provision applied to all load conditions in subpart C, whereas in the final rule, the provision applies to the limited set of subpart C load conditions specified in Sec. 25.302(c)(2)(i) so that, overall, in harmonizing with EASA, the final rule provision is cost-relieving relative to the NPRM. For residual strength substantiation, the airplane must be able to withstand two-thirds of the ultimate loads. If the loads induced by the failure condition have a significant effect on fatigue or damage tolerance, then their effects must be taken into account. 
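The two factor-of-safety curves described above can be worked through in code; the following is an added example, not part of the rule text or any FAA or EASA tool. Because the figure graphics are omitted from this page, the curve endpoints are taken from the preamble's description of Figures 1 and 2, with straight-line interpolation against log10 of the probability; all function and constant names are hypothetical, and the 10^-3 per flight hour override and the 1.25 crew-indication threshold are those stated in Sec. 25.302(c)(2)(ii) and (d)(2).

```python
import math

# Endpoints as described in the preamble for Figures 1 and 2 (assumed from the
# text, since the graphics are not reproduced on this page).
FS_MAX = 1.5              # factor of safety at high probability
FIG1_FLOOR = 1.25         # Figure 1 minimum, reached at Pj = 1e-9
FIG2_FLOOR = 1.0          # Figure 2 minimum, reached at Qj = 1e-5
P_KNEE = 1e-5             # knee of both curves
P_EXT_IMPROBABLE = 1e-9   # extremely improbable, per flight hour
PJ_NO_RELIEF = 1e-3       # above this failure rate, 1.5 applies in lieu of Figure 2
CREW_ALERT_FS = 1.25      # F.S. below this must be indicated to the flightcrew


def _positive(name, value):
    """Reject zero, negative, NaN or infinite inputs before taking log10."""
    if not (isinstance(value, (int, float)) and math.isfinite(value) and value > 0):
        raise ValueError(f"{name} must be a finite positive number, got {value!r}")
    return float(value)


def _log_interp(p, p_hi, fs_hi, p_lo, fs_lo):
    """Interpolate F.S. linearly against log10(probability), as on a log axis."""
    span = math.log10(p_hi) - math.log10(p_lo)
    frac = (math.log10(p_hi) - math.log10(p)) / span
    return fs_hi + frac * (fs_lo - fs_hi)


def fs_at_time_of_occurrence(pj):
    """Figure 1: F.S. at the time of failure, from Pj (per flight hour)."""
    pj = _positive("pj", pj)
    if pj >= P_KNEE:
        return FS_MAX
    if pj <= P_EXT_IMPROBABLE:
        return FIG1_FLOOR          # never allowed below 1.25
    return _log_interp(pj, P_KNEE, FS_MAX, P_EXT_IMPROBABLE, FIG1_FLOOR)


def fs_continuation(tj_hours, pj_per_hour):
    """Figure 2: F.S. for continuation of flight, from Qj = Tj * Pj."""
    tj = _positive("tj_hours", tj_hours)
    pj = _positive("pj_per_hour", pj_per_hour)
    if pj > PJ_NO_RELIEF:
        return FS_MAX              # no relief for high failure rates
    qj = tj * pj
    if qj >= 1.0:
        return FS_MAX
    if qj <= P_KNEE:
        return FIG2_FLOOR
    return _log_interp(qj, 1.0, FS_MAX, P_KNEE, FIG2_FLOOR)


def assess_continuation(limit_load, tj_hours, pj_per_hour):
    """Static and residual strength loads for the continuation-of-flight case."""
    fs = fs_continuation(tj_hours, pj_per_hour)
    ultimate = _positive("limit_load", limit_load) * fs
    return {
        "factor_of_safety": fs,
        "ultimate_load": ultimate,
        "residual_strength_load": ultimate * 2.0 / 3.0,  # two thirds of ultimate
        "crew_indication_required": fs < CREW_ALERT_FS,
    }


if __name__ == "__main__":
    # Constructed sample: 10 h average exposure, failure rate 1e-4 per hour.
    print(assess_continuation(1000.0, 10, 1e-4))
```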
A failure condition has a ``significant'' effect on fatigue or damage tolerance if it would result in a change to inspection thresholds, inspection intervals, or life limits. Unlike EASA's rule, Sec. 25.302(c) does not include aeroelasticity stability requirements. Both CS 25.302 and CS 25.629 specify flutter speed margins for failure conditions. In CS 25.629, for the group of failures covered by CS 25.302, the margins are based on the probability of the condition's occurrence, whereas, for the remaining failure conditions, a single speed margin is defined, similar to Sec. 25.629, regardless of probability. The FAA believes the current speed margins specified in Sec. 25.629 are adequate, and there is no need for more specific failure criteria based on probability of occurrence and speed margins. The current speed margin specified in Sec. 25.629, which has been in place since amendment 25-0 of 14 CFR part 25, has proven effective in service. For that reason, non-provision has little impact. Summary of Cost-Benefit Analysis for Sec. 25.302(c) The FAA finds that Sec. 25.302(c) harmonizes very closely in structure with CS 25.302(c) and closely in rule [[Page 68730]] language, aside from the single failure requirement, the additional load provision of Sec. 25.302(c)(2)(i)(F), and the lack of aeroelasticity stability requirements in Sec. 25.302(c). Because of this close harmonization, there is little or no additional cost to that required by EASA certification. Moreover, because of the imposition of the FAA's Interaction of Systems and Structures special conditions for more than twenty years, the FAA believes that industry is so well-adapted to the special conditions that it is now the industry's low-cost necessary action. Thus, no change is implied by the rule, and, therefore, there is little or no additional cost. The provision is cost-beneficial owing to cost savings from joint harmonization. iii. 
Section 25.302(d) Failure Indications Section 25.302(d) requires that the system be checked for failure conditions discussed in Sec. 25.302(c)(2), for example, using a CMR procedure. As far as practicable, the flightcrew must be made aware of these failures before flight. Manufacturers are allowed relief in the F.S. requirement shown in Figure 2, as in Sec. 25.302(c)(2). However, any failure condition, not extremely improbable, that results in an F.S. below 1.25 in Figure 2 must be alerted to the crew. This latter requirement sounds contradictory since it means the flightcrew must be alerted when the probability of failure is low enough for the safety factor to be less than 1.25. It appears alerting the flightcrew is substituted for a higher factor of safety. A manufacturer finding alerting the flightcrew too onerous can reverse the substitution by having a higher factor of safety. The language of this paragraph closely matches that of CS 25.302(d), except for some additional verbiage that does not change the intent. For the same reasons given for paragraph (c) of Sec. 25.302, there is no additional cost from this provision, and the provision is cost-beneficial owing to the cost savings from joint harmonization. iv. Section 25.302(e) Dispatch With Known Failure Conditions The applicant forecasts the probability of the failure condition (``at the time of occurrence'' in Sec. 25.302(c)) and how many days the airplane will be in that dispatch configuration. That probability is then combined with the probability of subsequent failures to calculate Qj, the probability of being in the dispatched condition, and the subsequent failure condition. Qj is then used in Figure 2 to establish the required safety margins, the same safety margin relief allowed in Sec. 25.302(c)(2) and in Sec. 25.302(d). The FAA excludes one sentence related to dispatch limitations from Sec. 25.302(e) that is in CS 25.302 because its intent and application are unclear. Otherwise, Sec. 
25.302(e) closely harmonizes with CS 25.302. The FAA special conditions and the corresponding CS 25.302 have provided an adequate service record. For the same reasons given for paragraphs (c) and (d) of Sec. 25.302, there is no additional cost from this provision, and the provision is cost-beneficial owing to the reduced costs from joint harmonization. B. Regulatory Flexibility Determination The Regulatory Flexibility Act (RFA) of 1980, Public Law 96-354, 94 Stat. 1164 (5 U.S.C. 601-612), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (Pub. L. 104-121, 110 Stat. 857, Mar. 29, 1996) and the Small Business Jobs Act of 2010 (Pub. L. 111-240, 124 Stat. 2504 Sept. 27, 2010), requires Federal agencies to consider the effects of the regulatory action on small business and other small entities and to minimize any significant economic impact. The term ``small entities'' comprises small businesses and not-for-profit organizations that are independently owned and operated and are not dominant in their fields, and governmental jurisdictions with populations of less than 50,000. Garmin commented on the NPRM that the cost-benefit analysis does not consider the impact on ATC or STC projects that would be considered significant under Sec. 21.101, the Changed Product Rule. In addition, MARPA requested that the FAA clarify the applicability of the SSA rule to PMA applicants and STC applicants. If the SSA rule is applicable to PMA and STC applicants, MARPA requested that the FAA adjust the cost-benefit analysis accordingly, complete a Regulatory Flexibility Act analysis, and make the revised cost-benefit analysis and Regulatory Flexibility Act analysis available for comment in a supplemental NPRM. This final rule updates the cost-benefit analysis to take account of the fact that the final rule closely harmonizes with the corresponding EASA rule. Since U.S. 
manufacturers already are required to meet the EASA requirements, the closely harmonized provisions of the final rule impose no or minimal costs. In future STC or ATC projects where the design change is determined under the Changed Product Rule to be a significant product level change, the Changed Product rule will then require that the certification basis of those projects be updated. The cost-benefit analysis for the Changed Product Rule, however, has determined that the required updated certification basis for such projects is cost-beneficial. PMAs (replacement articles) are managed in accordance with Subpart K to part 21. The final rule will apply only at that time in the future when a PMA (or non-significant STC) applicant seeks to modify a product that already has the final rule in its certification basis. Accordingly, the FAA finds that neither a Regulatory Flexibility Act analysis nor a supplemental NPRM is required. If an agency determines that a rulemaking will not result in a significant economic impact on a substantial number of small entities, the head of the agency may so certify under section 605(b) of the RFA. Since there are no or minimal additional costs to this final rule, the FAA certifies that the final rule will not have a significant economic impact on a substantial number of small entities. C. International Trade Impact Assessment The Trade Agreements Act of 1979 (Pub. L. 96-39), as amended by the Uruguay Round Agreements Act (Pub. L. 103-465), prohibits Federal agencies from establishing standards or engaging in related activities that create unnecessary obstacles to the foreign commerce of the United States. Pursuant to these Acts, the establishment of standards is not considered an unnecessary obstacle to the foreign commerce of the United States, so long as the standard has a legitimate domestic objective, such as the protection of safety and does not operate in a manner that excludes imports that meet this objective. 
The statute also requires consideration of international standards and, where appropriate, that they be the basis for U.S. standards. The FAA has assessed the potential effect of this final rule and determined that its purpose is to ensure the safety of U.S. civil aviation. Therefore, this final rule is in compliance with the Trade Agreements Act. D. Unfunded Mandates Assessment The Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531-1538) governs the issuance of Federal regulations that require unfunded mandates. An unfunded mandate is a regulation that requires a State, local, or tribal government or the private sector to incur direct costs without the Federal government having first provided the funds to pay those costs. The FAA [[Page 68731]] determined that the proposed rule will not result in the expenditure of $183 million or more by State, local, or tribal governments, in the aggregate, or the private sector, in any one year. E. Paperwork Reduction Act The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires that the FAA consider the impact of paperwork and other information collection burdens imposed on the public. The FAA has determined that there is no new requirement for information collection associated with this final rule. F. International Compatibility In keeping with U.S. obligations under the Convention on International Civil Aviation, it is FAA policy to conform to International Civil Aviation Organization (ICAO) Standards and Recommended Practices to the maximum extent practicable. The FAA has determined that there are no ICAO Standards and Recommended Practices that correspond to these regulations. G. Environmental Analysis FAA Order 1050.1F identifies FAA actions that are categorically excluded from preparation of an environmental assessment or environmental impact statement under the National Environmental Policy Act (NEPA) in the absence of extraordinary circumstances. 
The FAA has determined this rulemaking action qualifies for the categorical exclusion identified in paragraph 5-6.6 for regulations and involves no extraordinary circumstances. VII. Executive Order Determinations A. Executive Order 13132, Federalism The FAA has analyzed this final rule under the principles and criteria of Executive Order (E.O.) 13132, Federalism (64 FR 43255, August 10, 1999). The FAA has determined that this action will not have a substantial direct effect on the States, or the relationship between the Federal Government and the States, or on the distribution of power and responsibilities among the various levels of government, and, therefore, will not have federalism implications. B. Executive Order 13175, Consultation and Coordination With Indian Tribal Governments Consistent with Executive Order 13175, Consultation and Coordination with Indian Tribal Governments,\43\ and FAA Order 1210.20, American Indian and Alaska Native Tribal Consultation Policy and Procedures,\44\ the FAA ensures that Federally Recognized Tribes (Tribes) are given the opportunity to provide meaningful and timely input regarding proposed Federal actions that have the potential to have substantial direct effects on one or more Indian tribes, on the relationship between the Federal government and Indian tribes, or on the distribution of power and responsibilities between the Federal government and Indian tribes; or to affect uniquely or significantly their respective Tribes. At this point, the FAA has not identified any unique or significant effects, environmental or otherwise, on tribes resulting from this final rule. --------------------------------------------------------------------------- \43\ 65 FR 67249 (Nov. 6, 2000). \44\ FAA Order No. 1210.20 (Jan. 28, 2004), available at www.faa.gov/documentLibrary/media/1210.pdf. --------------------------------------------------------------------------- C. 
Executive Order 13211, Regulations That Significantly Affect Energy Supply, Distribution, or Use The FAA analyzed this final rule under E.O. 13211, Actions Concerning Regulations that Significantly Affect Energy Supply, Distribution, or Use (66 FR 28355, May 18, 2001). The FAA has determined that it is not a ``significant energy action'' under the executive order and is not likely to have a significant adverse effect on the supply, distribution, or use of energy. D. Executive Order 13609, Promoting International Regulatory Cooperation Executive Order 13609, Promoting International Regulatory Cooperation, promotes international regulatory cooperation to meet shared challenges involving health, safety, labor, security, environmental, and other issues and to reduce, eliminate, or prevent unnecessary differences in regulatory requirements. The FAA has analyzed this action under the policies and agency responsibilities of Executive Order 13609 and has determined that this action will have no effect on international regulatory cooperation. In January of 2020, EASA published CS-25 amendment 24, which bore many similarities to the proposals in the NPRM, including added criteria for latent failures in CS 25.1309. This final rule harmonizes FAA requirements with EASA's requirements to the extent possible. VIII. Additional Information A. Electronic Access and Filing A copy of the NPRM, all comments received, this final rule, and all background material may be viewed online at www.regulations.gov using the docket number listed above. A copy of this final rule will be placed in the docket. Electronic retrieval help and guidelines are available on the website. It is available 24 hours each day, 365 days each year. An electronic copy of this document may also be downloaded from the Office of the Federal Register's website at www.federalregister.gov and the Government Publishing Office's website at www.govinfo.gov. 
A copy may also be found at the FAA's Regulations and Policies website at www.faa.gov/regulations_policies. Copies may also be obtained by sending a request to the Federal Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence Avenue SW, Washington, DC 20591, or by calling (202) 267-9677. Commenters must identify the docket or notice number of this rulemaking. All documents the FAA considered in developing this final rule, including economic analyses and technical reports, may be accessed in the electronic docket for this rulemaking. B. Small Business Regulatory Enforcement Fairness Act The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996 requires the FAA to comply with small entity requests for information or advice about compliance with statutes and regulations within its jurisdiction. A small entity with questions regarding this document may contact its local FAA official, or the person listed under the FOR FURTHER INFORMATION CONTACT heading at the beginning of the preamble. To find out more about SBREFA on the internet, visit www.faa.gov/regulations_policies/rulemaking/sbre_act/. List of Subjects in 14 CFR Part 25 Aircraft, Aviation safety, Life-limited parts, Reporting and recordkeeping requirements. The Amendment In consideration of the foregoing, the Federal Aviation Administration amends chapter I of title 14, Code of Federal Regulations as follows: PART 25--AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES 0 1. The authority citation for part 25 continues to read as follows: Authority: 49 U.S.C. 106(f), 106(g), 40113, 44701, 44702 and 44704. 0 2. Add Sec. 25.4 to read as follows: [[Page 68732]] Sec. 25.4 Definitions. 
(a) For the purposes of this part, the following general definitions apply: (1) Certification maintenance requirement means a required scheduled maintenance task established during the design certification of the airplane systems as an airworthiness limitation of the type certificate or supplemental type certificate. (2) Significant latent failure is a latent failure that, in combination with one or more specific failures or events, would result in a hazardous or catastrophic failure condition. (b) For purposes of this part, the following failure conditions, in order of increasing severity, apply: (1) Major failure condition means a failure condition that would reduce the capability of the airplane or the ability of the flightcrew to cope with adverse operating conditions, to the extent that there would be-- (i) A significant reduction in safety margins or functional capabilities, (ii) A physical discomfort or a significant increase in flightcrew workload or in conditions impairing the efficiency of the flightcrew, (iii) Physical distress to passengers or cabin crew, possibly including injuries, or (iv) An effect of similar severity. (2) Hazardous failure condition means a failure condition that would reduce the capability of the airplane or the ability of the flightcrew to cope with adverse operating conditions, to the extent that there would be-- (i) A large reduction in safety margins or functional capabilities, (ii) Physical distress or excessive workload such that the flightcrew cannot be relied upon to perform their tasks accurately or completely, or (iii) Serious or fatal injuries to a relatively small number of persons other than the flightcrew. (3) Catastrophic failure condition means a failure condition that would result in multiple fatalities, usually with the loss of the airplane. 
(c) For purposes of this part, the following failure conditions in order of decreasing probability apply: (1) Probable failure condition means a failure condition that is anticipated to occur one or more times during the entire operational life of each airplane of a given type. (2) Remote failure condition means a failure condition that is not anticipated to occur to each airplane of a given type during its entire operational life, but which may occur several times during the total operational life of a number of airplanes of a given type. (3) Extremely remote failure condition means a failure condition that is not anticipated to occur to each airplane of a given type during its entire operational life, but which may occur a few times during the total operational life of all airplanes of a given type. (4) Extremely improbable failure condition means a failure condition that is not anticipated to occur during the total operational life of all airplanes of a given type. 0 3. Add Sec. 25.302 to read as follows: Sec. 25.302 Interaction of systems and structures. For airplanes equipped with systems that affect structural performance, either directly or as a result of a failure or malfunction, the influence of these systems and their failure conditions must be taken into account when showing compliance with the requirements of subparts C and D of this part. These criteria are only applicable to structure whose failure could prevent continued safe flight and landing. (a) General. The applicant must use the following criteria in determining the influence of a system and its failure conditions on the airplane structure. (b) System fully operative. With the system fully operative, the following criteria apply: (1) The applicant must derive limit loads for the limit conditions specified in subpart C of this part, taking into account the behavior of the system up to the limit loads. System nonlinearities must be taken into account. 
(2) The applicant must show that the airplane meets the strength requirements of subparts C and D of this part, using the appropriate factor of safety to derive ultimate loads from the limit loads defined in paragraph (b)(1) of this section. The effect of nonlinearities must be investigated sufficiently beyond limit conditions to ensure the behavior of the system presents no detrimental effects compared to the behavior below limit conditions. However, conditions beyond limit conditions need not be considered when it can be shown that the airplane has design features that will not allow it to exceed those limit conditions.
(3) Reserved.
(c) System in the failure condition. For any system failure condition not shown to be extremely improbable or that results from a single failure, the following criteria apply:
(1) At the time of occurrence. The applicant must establish a realistic scenario, starting from 1g level flight conditions, and including pilot corrective actions, to determine the loads occurring at the time of failure and immediately after failure.
(i) For static strength substantiation, the airplane must be able to withstand the ultimate loads determined by multiplying the loads in paragraph (c)(1) of this section by a factor of safety that is related to the probability of occurrence of the failure. The factor of safety (F.S.) is defined in Figure 1.
Figure 1 to paragraph (c)(1)(i)
[[Page 68733]]
[GRAPHIC] [TIFF OMITTED] TR27AU24.002
(ii) For residual strength substantiation, the airplane must be able to withstand two thirds of the ultimate loads defined in paragraph (c)(1)(i) of this section. For pressurized cabins, these loads must be combined with the normal operating differential pressure.
(iii) Reserved.
(iv) Failures of the system that result in forced structural vibrations (oscillatory failures) must not produce loads that could result in detrimental deformation of primary structure.
(2) For the continuation of the flight. For the airplane, in the system failed state and considering any appropriate reconfiguration and flight limitations, the following apply:
(i) The loads derived from the following conditions at speeds up to VC/MC, or the speed limitation prescribed for the remainder of the flight must be determined:
(A) the limit symmetrical maneuvering conditions specified in Sec. Sec. 25.331 and 25.345,
(B) the limit gust and turbulence conditions specified in Sec. Sec. 25.341 and 25.345,
(C) the limit rolling conditions specified in Sec. 25.349 and the limit unsymmetrical conditions specified in Sec. Sec. 25.367 and 25.427(b) and (c),
(D) the limit yaw maneuvering conditions specified in Sec. 25.351,
(E) the limit ground loading conditions specified in Sec. Sec. 25.473 and 25.491, and
(F) any other subpart C of this part load condition for which a system is specifically installed or tailored to reduce the loads of that condition.
(ii) For static strength substantiation, each part of the structure must be able to withstand the loads in paragraph (c)(2)(i) of this section multiplied by a factor of safety that depends on the probability of being in this failure condition. The factor of safety is defined in Figure 2.
Figure 2 to paragraph (c)(2)(ii)
[GRAPHIC] [TIFF OMITTED] TR27AU24.003
Qj = (Tj)(Pj)
where:
Tj = Average time spent in failure condition j (in hours)
Pj = Probability of occurrence of failure mode j (per hour)
If Pj is greater than 10^-3 per flight hour, then a 1.5 factor of safety must be applied in [[Page 68734]] lieu of the factor of safety defined in Figure 2.
(iii) For residual strength substantiation, the airplane must be able to withstand two thirds of the ultimate loads defined in paragraph (c)(2)(ii) of this section. For pressurized cabins, these loads must be combined with the normal operating differential pressure.
(iv) If the loads induced by the failure condition have a significant effect on fatigue or damage tolerance then their effects must be taken into account.
(v) Reserved.
(vi) Reserved.
(3) Reserved.
(d) Failure indications. For system failure detection and indication, the following apply:
(1) The system must be checked for failure conditions evaluated under paragraph (c) of this section that degrade the structural capability below the level required by subparts C (excluding Sec. 25.302) and D of this part or that reduce the reliability of the remaining system. As far as practicable, these failures must be indicated to the flightcrew before flight.
(2) The existence of any failure condition evaluated under paragraph (c) of this section that results in a factor of safety between the airplane strength and the loads of subpart C of this part below 1.25 must be indicated to the flightcrew.
(e) Dispatch with known failure conditions. If the airplane is to be dispatched in a known system failure condition that affects structural performance or affects the reliability of the remaining system to maintain structural performance, then the Master Minimum Equipment List must ensure the provisions of Sec. 25.302 are met for the dispatched condition and for any subsequent failures. Flight limitations and operational limitations may be taken into account in establishing Qj as the combined probability of being in the dispatched failure condition and the subsequent failure condition for the safety margins in Figure 2. No reduction in these safety margins is allowed if the subsequent system failure rate is greater than 10^-3 per flight hour.

4. Amend Sec. 25.629 by revising paragraph (a) and (d) introductory text, redesignating paragraphs (d)(9) and (10) as paragraphs (d)(10) and (11), and adding a new paragraph (d)(9) to read as follows:

Sec. 25.629 Aeroelastic stability requirements.
(a) General. The aeroelastic stability evaluation required under this section includes flutter, divergence, control reversal and any undue loss of stability and control as a result of structural deformation. The aeroelastic evaluation must include whirl modes associated with any propeller or rotating device that contributes significant dynamic forces. Additionally, the evaluation must include any condition of operation within the maneuvering envelope. Compliance with this section must be shown by analyses, wind tunnel tests, ground vibration tests, flight tests, or other means found necessary by the Administrator.
* * * * *
(d) Failures, malfunctions, and adverse conditions. The failures, malfunctions, and adverse conditions that must be considered in showing compliance with this section are:
* * * * *
(9) The following flight control system failure combinations in which aeroelastic stability relies on flight control system stiffness, damping or both:
(i) Any dual hydraulic system failure.
(ii) Any dual electrical system failure.
(iii) Any single failure in combination with any probable hydraulic or electrical system failure.
* * * * *

5. Revise Sec. 25.671 to read as follows:

Sec. 25.671 General.
(a) Each flight control system must operate with the ease, smoothness, and positiveness appropriate to its function. The flight control system must continue to operate and respond appropriately to commands, and must not hinder airplane recovery, when the airplane is experiencing any pitch, roll, or yaw rate, or vertical load factor that could occur due to operating or environmental conditions, or when the airplane is in any attitude.
(b) Each element of each flight control system must be designed, or distinctively and permanently marked, to minimize the probability of incorrect assembly that could result in failure or malfunctioning of the system. The applicant may use distinctive and permanent marking only where design means are impractical.
(c) The airplane must be shown by analysis, test, or both, to be capable of continued safe flight and landing after any of the following failures or jams in the flight control system within the normal flight envelope. Probable malfunctions must have only minor effects on control system operation and must be capable of being readily counteracted by the pilot.
(1) Any single failure, excluding failures of the type defined in Sec. 25.671(c)(3);
(2) Any combination of failures not shown to be extremely improbable, excluding failures of the type defined in Sec. 25.671(c)(3); and
(3) Any failure or event that results in a jam of a flight control surface or pilot control that is fixed in position due to a physical interference. The jam must be evaluated as follows:
(i) The jam must be considered at any normally encountered position of the control surface or pilot control.
(ii) The jam must be assumed to occur anywhere within the normal flight envelope and during any flight phase except during the time immediately before touchdown if the risk of a potential jam is minimized to the extent practical.
(iii) In the presence of the jam, any additional failure conditions that could prevent continued safe flight and landing must have a combined probability of 1/1000 or less.
(d) If all engines fail at any point in the flight, the airplane must be controllable, and an approach and flare to a landing and controlled stop, and flare to a ditching, must be possible, without requiring exceptional piloting skill or strength.
(e) The airplane must be designed to indicate to the flightcrew whenever the primary control means is near the limit of control authority.
(f) If the flight control system has multiple modes of operation, appropriate flightcrew alerting must be provided whenever the airplane enters any mode that significantly changes or degrades the normal handling or operational characteristics of the airplane.

6. Amend Sec. 25.901 by revising paragraph (c) to read as follows:

Sec. 25.901 Installation.
* * * * *
(c) For each powerplant and auxiliary power unit installation, the applicant must comply with the requirements of Sec. 25.1309, except that the effects of the following failures need not comply with Sec. 25.1309(b)--
(1) Engine case burn-through or rupture,
(2) Uncontained engine rotor failure, and
(3) Propeller debris release.
* * * * *

7. Amend Sec. 25.933 by revising paragraph (a)(1) to read as follows:

Sec. 25.933 Reversing systems.
(a) * * *
(1) For each system intended for ground operation only, the applicant must show--
(i) The airplane is capable of continued safe flight and landing during and after any thrust reversal in flight; or
[[Page 68735]]
(ii) The system complies with Sec. 25.1309(b) using the assumption the airplane would not be capable of continued safe flight and landing during and after an in-flight thrust reversal.
* * * * *

8. Revise Sec. 25.1301 to read as follows:

Sec. 25.1301 Function and installation.
Each item of installed equipment must--
(a) Be of a kind and design appropriate to its intended function;
(b) Be labeled as to its identification, function, or operating limitations, or any applicable combination of these factors; and
(c) Be installed according to limitations specified for that equipment.

9. Revise Sec. 25.1309 to read as follows:

Sec. 25.1309 Equipment, systems, and installations.
The requirements of this section, except as identified below, apply to any equipment or system as installed on the airplane. Although this section does not apply to the performance and flight characteristic requirements of subpart B of this part, or to the structural requirements of subparts C and D of this part, it does apply to any system on which compliance with any of those requirements is dependent. Section 25.1309(b) does not apply to the flight control jam conditions addressed by Sec. 25.671(c)(3); single failures in the brake system addressed by Sec. 25.735(b)(1); the failure conditions addressed by Sec. Sec. 25.810(a)(1)(v) and 25.812; uncontained engine rotor failure, engine case rupture, or engine case burn-through failures addressed by Sec. Sec. 25.903(d)(1) and 25.1193 and part 33 of this chapter; and propeller debris release failures addressed by Sec. 25.905(d) and part 35 of this chapter.
(a) The airplane's equipment and systems must be designed and installed so that:
(1) The equipment and systems required for type certification or by operating rules, or whose improper functioning would reduce safety, perform as intended under the airplane operating and environmental conditions; and
(2) Other equipment and systems, functioning normally or abnormally, do not adversely affect the safety of the airplane or its occupants or the proper functioning of the equipment and systems addressed by paragraph (a)(1) of this section.
(b) The airplane systems and associated components, evaluated separately and in relation to other systems, must be designed and installed so that they meet all of the following requirements:
(1) Each catastrophic failure condition--
(i) Must be extremely improbable; and
(ii) Must not result from a single failure.
(2) Each hazardous failure condition must be extremely remote.
(3) Each major failure condition must be remote.
(4) Each significant latent failure must be eliminated as far as practical, or, if not practical to eliminate, the latency of the significant latent failure must be minimized. However, the requirements of the previous sentence do not apply if the associated system meets the requirements of paragraphs (b)(1) and (b)(2) of this section, assuming the significant latent failure has occurred.
(5) For each catastrophic failure condition that results from two failures, either of which could be latent for more than one flight, the applicant must show that--
(i) It is impractical to provide additional fault tolerance; and
(ii) Given the occurrence of any single latent failure, the residual average probability of the catastrophic failure condition due to all subsequent active failures is remote; and
(iii) The sum of the probabilities of the latent failures that are combined with each active failure does not exceed 1/1000.
(c) The airplane and systems must provide information concerning unsafe system operating conditions to the flightcrew to enable them to take appropriate corrective action in a timely manner. Systems and controls, including information, indications, and annunciations, must be designed to minimize flightcrew errors that could create additional hazards.
(d) Reserved.
(e) The applicant must establish certification maintenance requirements as necessary to prevent the development of the failure conditions described in paragraph (b) of this section. These requirements must be included in the Airworthiness Limitations section of the Instructions for Continued Airworthiness required by Sec. 25.1529.

10. Amend Sec. 25.1365 by revising paragraph (a) to read as follows:

Sec. 25.1365 Electrical appliances, motors, and transformers.
(a) An applicant must show that, in the event of a failure of the electrical supply or control system, the design and installation of domestic appliances meet the requirements of Sec. 25.1309(b) and (c). Domestic appliances are items such as cooktops, ovens, coffee makers, water heaters, refrigerators, and toilet flush systems that are placed on the airplane to provide service amenities to passengers.
* * * * *

11. Revise section H25.4 of appendix H to part 25 by adding paragraph (a)(6) to read as follows:

Appendix H to Part 25--Instructions for Continued Airworthiness
* * * * *
H25.4 Airworthiness Limitations section.
* * * * *
(a) * * *
(6) Each certification maintenance requirement established to comply with any of the applicable provisions of part 25.
* * * * *

Issued under authority provided by 49 U.S.C. 106(f), 106(g), 44701(a), and 44704 in Washington, DC.
Michael Gordon Whitaker,
Administrator.
[FR Doc. 2024-18511 Filed 8-26-24; 8:45 am]
BILLING CODE 4910-13-P