System Safety Assessments, 68706-68735 [2024-18511]
Federal Register / Vol. 89, No. 166 / Tuesday, August 27, 2024 / Rules and Regulations
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Part 25
[Docket No.: FAA–2022–1544; Amdt. No. 25–152]
RIN 2120–AJ99
System Safety Assessments
AGENCY: Federal Aviation Administration (FAA), Department of Transportation (DOT).
ACTION: Final rule.
SUMMARY: The FAA is amending certain airworthiness regulations to standardize the criteria for conducting safety assessments for systems, including flight controls and powerplants, installed on transport category airplanes. With this action, the FAA seeks to reduce risk associated with airplane accidents and incidents that have occurred in service, and reduce risk associated with new technology in flight control systems. The intended effect of this rulemaking is to improve aviation safety by making system safety assessment (SSA) certification requirements more comprehensive and consistent.
DATES: Effective September 26, 2024.
ADDRESSES: For information on where to obtain copies of rulemaking documents and other information related to this final rule, see ‘‘How to Obtain Additional Information’’ in the SUPPLEMENTARY INFORMATION section of this document.
FOR FURTHER INFORMATION CONTACT:
Todd Martin, Technical Policy Branch,
Policy and Standards Division, Aircraft
Certification Service, Federal Aviation
Administration, 2200 South 216th
Street, Des Moines, WA 98198;
telephone and fax (206) 231–3210; email
Todd.Martin@faa.gov.
SUPPLEMENTARY INFORMATION:
I. Authority for This Rulemaking
The FAA’s authority to issue rules on
aviation safety is found in Title 49 of the
United States Code. Subtitle I, Section
106 describes the authority of the FAA
Administrator. Subtitle VII, Aviation
Programs, describes in more detail the
scope of the FAA’s authority.
This rulemaking is promulgated
under the authority described in
Subtitle VII, Part A, Subpart III, Section
44701, ‘‘General Requirements.’’ Under
that section, the FAA is charged with
promoting safe flight of civil aircraft in
air commerce by prescribing regulations
and minimum standards for the design
and performance of aircraft that the
Administrator finds necessary for safety
in air commerce. This regulation is
within the scope of that authority. It
prescribes new safety standards for the
design and operation of transport
category airplanes.
II. Acronyms Frequently Used in This
Document
TABLE 1—ACRONYMS FREQUENTLY USED IN THIS DOCUMENT
Acronym ...... Definition
AC ........... Advisory Circular.
AD ........... Airworthiness Directive.
AFM .......... Airplane Flight Manual.
ALS .......... Airworthiness Limitations section.
ARAC ......... Aviation Rulemaking Advisory Committee.
ASAWG ........ Airplane Level Safety Analysis Working Group.
CAST ......... Commercial Aviation Safety Team.
CMR .......... Certification Maintenance Requirement.
CS–25 ........ Certification Specifications for Large Aeroplanes (issued by EASA).
CSL+1 ........ Catastrophic Single Latent Failure Plus One (a failure condition).
EASA ......... European Union Aviation Safety Agency.
ELOS ......... Equivalent Level of Safety.
EWIS ......... Electrical Wiring Interconnection System.
FCHWG ........ Flight Controls Harmonization Working Group.
FTHWG ........ Flight Test Harmonization Working Group.
ICA .......... Instructions for Continued Airworthiness.
LDHWG ........ Loads and Dynamics Harmonization Working Group.
NTSB ......... National Transportation Safety Board.
PPIHWG ....... Powerplant Installation Harmonization Working Group.
SDAHWG ....... System Design and Analysis Harmonization Working Group.
SLF .......... Significant Latent Failure.
SSA .......... System Safety Assessment.
Table of Contents
I. Authority for This Rulemaking
II. Acronyms Frequently Used in This Document
III. Overview of Final Rule
IV. Background
A. Statement of the Problem
B. Related Actions
C. NTSB Recommendations
D. Summary of the NPRM
E. General Overview of Comments
V. Discussion of Comments and the Final Rule
A. Section 25.4, Definitions
B. Section 25.302, Interaction of Systems and Structures
C. Section 25.629, Aeroelastic Stability Requirements
D. Section 25.671, Flight Control Systems
E. Section 25.901, Engine Installation
F. Section 25.933, Reversing Systems
G. Section 25.1301, Function and Installation
H. Section 25.1309, Equipment, Systems and Installations
I. Section 25.1365, Electrical Appliances, Motors, and Transformers
J. Miscellaneous Comments
K. Advisory Material
VI. Regulatory Notices and Analyses
A. Regulatory Evaluation
B. Regulatory Flexibility Determination
C. International Trade Impact Assessment
D. Unfunded Mandates Assessment
E. Paperwork Reduction Act
F. International Compatibility
G. Environmental Analysis
VII. Executive Order Determinations
A. Executive Order 13132, Federalism
B. Executive Order 13175, Consultation and Coordination With Indian Tribal Governments
C. Executive Order 13211, Regulations That Significantly Affect Energy Supply, Distribution, or Use
D. Executive Order 13609, Promoting International Regulatory Cooperation
VIII. Additional Information
A. Electronic Access and Filing
B. Small Business Regulatory Enforcement Fairness Act
III. Overview of Final Rule
The FAA is amending regulations in
title 14, Code of Federal Regulations (14
CFR) part 25 (Airworthiness Standards:
Transport Category Airplanes) related to
the safety assessment 1 of airplane
systems. The changes to part 25 affect
applicants for type certification and
operators of transport category
airplanes. Applicants for type
certification will be required to conduct
their SSAs in accordance with the
revised regulations. Changes to the
Instructions for Continued
Airworthiness (ICA) affect operators of
newly certified airplanes, although the
impact on those operators is not
significant.
The FAA is revising and adding new
safety standards to reduce the likelihood
of potentially catastrophic risks due to
latent failures in critical systems.
Because modern aircraft systems (for
example, avionics and fly-by-wire
systems) are much more integrated than
they were when the current safety
criteria in § 25.1309 and other system
safety assessment rules were established
in 1970,2 the new standards are more
consistent for all systems of the
airplane, reducing the chance of a
hazard falling into a gap between the
different regulatory requirements for
different systems.
Consistent criteria for conducting
SSAs also provides predictability for
applicants by reducing the number of
issue papers and special conditions
necessary for airplane certification
projects.3
1 A system safety assessment is a structured
process intended to systematically identify the risks
pertinent to the design of aircraft systems, and to
show that the systems meet safety requirements.
2 35 FR 5665 (Apr. 8, 1970).
3 As discussed in the preamble, special
conditions are rules of particular applicability that
the FAA issues to address novel or unusual design
features. See 14 CFR 21.16.
Specifically, this final rule—
• Requires that applicants limit the
likelihood of a catastrophic failure
condition that results from a
combination of two failures, either of
which could be latent for more than one
flight. See § 25.1309(b)(5).
• Revises safety assessment
regulations to eliminate ambiguity in,
and provide consistency between, the
safety assessments that applicants must
conduct for different types of airplane
systems. Section 25.1309 continues to
contain the safety assessment criteria
applicable to most airplane systems.
Section 25.901(c) (powerplant
installations) is amended to remove
general system safety criteria. Instead,
the powerplant installations covered in
this section are required to comply with
§ 25.1309 (system safety criteria).
Section 25.933(a) (thrust reversing
systems) allows compliance with
§ 25.1309 as an option. Sections 25.671,
25.901, and 25.933 continue to contain
criteria specific to flight control
systems, powerplant installations, and
thrust reversing systems, respectively,
that are not addressed by § 25.1309.
• Requires applicants to assess and
account for any effect that the failure of
a system could have on the structural
performance of the airplane. See
§ 25.302.
• Defines the different types of failure
of flight control systems, including
jams, and defines the criteria for safety
assessment of those types of failures.
See § 25.671.
• Requires applicants to include, in
the Airworthiness Limitations Section
(ALS) of the airplane’s ICA, necessary
maintenance tasks that applicants
identify during their SSAs. See
§ 25.1309(e).
• Removes the ‘‘function properly
when installed’’ criterion in
§ 25.1301(a)(4) for installed equipment
whose function is not needed for safe
operation of the airplane.
IV. Background
A. Statement of the Problem
This action is necessary because
airplane accidents, incidents, and
service difficulties have occurred as a
result of failures in airplane systems.
Some of these occurrences were caused,
in part, by insufficient design standards
for controlling the risk of latent failures,
which are failures that are not detected
or annunciated when they occur.
Current FAA regulations do not prevent
the certification of an airplane with a
latent failure that, when combined with
another failure, could cause a hazardous
or catastrophic accident.
Also, current regulations do not
require establishment of mandatory
inspections for significant latent failures
(SLFs) that may pose a risk in
maintaining the airworthiness of the
airplane design. Such inspections are
currently undertaken as industry
practice and may be necessary to reduce
exposure to these latent failures so
airplanes continue to meet safety
standards while in service.
Additionally, current regulations do
not adequately address new technology
in flight control systems and the effects
these systems can have on
controllability and structural capability.
These issues are currently addressed by
special conditions and equivalent level
of safety (ELOS) findings.
This action is also necessary to
address flight control systems whose
failure can affect the loads imposed on
the airplane structure.
Lastly, certain system safety
requirements have not been
standardized across airplane systems.
These regulations have specified
different safety assessment criteria for
different systems, which can lead to
inconsistent standards across the
airplane. Also, when systems that
traditionally have been separate become
integrated using new technology,
applicants have expressed uncertainty
regarding which standard to apply.
The FAA is addressing these issues by
revising the system safety assessment
requirements in part 25.
B. Related Actions
1. Aviation Rulemaking Advisory
Committee (ARAC) Recommendations
Advances in flight controls
technology, increased airplane system
integration, and certain incidents,
accidents, and service difficulties
related to system failures prompted the
FAA to task the ARAC with developing
recommendations for new or revised
requirements and compliance methods
related to the safety assessment of
airplane and powerplant systems. The
ARAC accepted tasks on various
airplane systems issues and assigned
them to the Powerplant Installation
Harmonization Working Group
(PPIHWG),4 Flight Controls
Harmonization Working Group
(FCHWG),5 Loads and Dynamics
Harmonization Working Group
(LDHWG),6 and System Design and
Analysis Harmonization Working Group
(SDAHWG).7 The FAA also tasked the
ARAC to make recommendations for
harmonizing the relevant part 25 rules
with the corresponding European
certification specifications for large
airplanes.8 The ARAC accepted this task
and assigned it to the relevant working
groups.
4 57 FR 58844 (Dec. 11, 1992).
5 63 FR 45554 (Aug. 26, 1998).
6 59 FR 30081 (Jun. 10, 1994).
7 61 FR 26246 (May 24, 1996).
8 As the FAA noted in the Federal Register in
1993: ‘‘The FAA announced at the Joint Aviation
Authorities (JAA)-Federal Aviation Administration
(FAA) Harmonization Conference in Toronto,
Ontario, Canada, (June 2–5, 1992) that it would
consolidate within the Aviation Rulemaking
Advisory Committee structure an ongoing objective
to ‘‘harmonize’’ the Joint Aviation Requirements
(JAR) and the Federal Aviation Regulations (FAR).
Coincident with that announcement, the FAA
assigned to the ARAC those projects related to JAR/
FAR 25, 33 and 35 harmonization which were then
in the process of being coordinated between the
JAA and the FAA.’’ 58 FR 13819, 13820 (Mar. 15,
1993).
Although the working groups each
addressed the subject of managing latent
failures in safety critical systems, their
recommendations were not consistent
when defining the criteria for latent
failures. After reviewing the relevant
regulations and the recommendations
from the working groups, the FAA,
along with the European, Canadian, and
Brazilian civil aviation authorities,
identified a need to standardize SSA
criteria.
Therefore, in 2006, the FAA tasked
the ARAC, which assigned the task to
the Airplane-Level Safety Assessment
Working Group (ASAWG),9 with
creating consistent SSA criteria. The
ASAWG completed its work in May
2010 and recommended a set of
consistent requirements that would
apply to all systems. Specific areas
addressed in the recommendation report
include latent failures, aging and wear,
Master Minimum Equipment Lists, and
flight and diversion time. The ASAWG
recommended that the general system
safety criteria for all airplane systems be
governed by § 25.1309, and
recommended adjustments to the
regulations and advisory material
addressed by the working groups
mentioned previously, to implement
consistent system safety criteria. All
ARAC working group recommendation
reports are available in the docket for
this final rule.
2. Harmonization With European Union
Aviation Safety Agency (EASA)
Certification Standards
EASA certification standards for large
airplanes (CS–25) prescribes the
airworthiness standards corresponding
to 14 CFR part 25 for transport category
airplanes certified by the European
Union. Applicants for FAA type
certification of transport category
airplanes may also seek EASA
validation of the FAA’s type certificate.
Where part 25 and CS–25 differ, an
applicant must meet both airworthiness
standards to obtain a U.S. type
certificate and validation of the type
certificate by foreign authorities, or
obtain exemptions, equivalent level of
safety findings or special conditions, or
the foreign authority’s equivalent to
those, as necessary to meet one standard
in lieu of the other. Where FAA and
EASA can maintain harmonized
requirements, applicants for type
certification benefit by having a single
set of requirements with which they
must show compliance, thereby
reducing the cost and complexity of
certification and ensuring a consistent
level of safety.
9 71 FR 14284 (Mar. 21, 2006).
EASA incorporated the SDAHWG-recommended changes to CS/§§ 25.1301 and 25.1309, and associated guidance, in its initial issuance of CS–25 on October 17, 2003.10 EASA incorporated the criteria regarding interaction of systems and structures recommended by the LDHWG into its regulatory framework as CS 25.302 and appendix K of CS–25 at amendment 25/1 on December 12, 2005.11 EASA incorporated the PPIHWG-recommended changes to CS/§§ 25.901(c) and 25.933(a)(1), and associated guidance, at amendment 25/1. EASA incorporated the ASAWG-recommended regulatory and advisory material implementing consistent SSA criteria, at amendment 25/24 to CS–25, on January 10, 2020.12 This final rule harmonizes FAA requirements with those of EASA to the extent possible, with differences described in the section entitled ‘‘Discussion of Comments and the Final Rule.’’
10 www.easa.europa.eu/en/downloads/1516/en.
11 www.easa.europa.eu/en/document-library/certification-specifications/cs-25-amendment-1.
12 www.easa.europa.eu/en/downloads/108354/en.
C. NTSB Recommendations
This final rule addresses National Transportation Safety Board (NTSB) Safety Recommendations A–99–22, A–99–23,13 A–02–51,14 and A–14–119.15
In Safety Recommendation A–99–22, the NTSB recommends that the FAA ensure that future transport category airplanes provide a reliably redundant rudder actuation system. In Safety Recommendation A–99–23, the NTSB recommends that the FAA require type certificate applicants to show that transport category airplanes are capable of continued safe flight and landing after jamming of a flight control at any deflection possible, up to and including its full deflection, unless the applicant shows that such a jam is extremely improbable. The final rule addresses these recommendations by revising § 25.671(c).
In Safety Recommendation A–02–51, the NTSB recommends that the FAA review and revise airplane certification regulations, and associated guidance, applicable to the certification of transport category airplanes, to ensure that applicants fully address wear-related failures so that, to the maximum extent possible, such failures will not be catastrophic. The requirement to include certification maintenance requirements (CMRs) in the ALS responds to this safety recommendation, as well as the ACs accompanying this final rule that contain guidance on assessing wear-related failures as part of the SSA.
In Safety Recommendation A–14–119, the NTSB recommends that the FAA provide its certification engineers with written guidance and training to ensure that assumptions, data sources, and analytical techniques are fully identified and justified in applicants’ safety assessments for designs incorporating new technology. Additionally, the NTSB recommends that an appropriate level of conservatism be included in the analysis or design, consistent with the intent of the draft guidance material that the SDAHWG recommended. AC 25.1309–1B, accompanying this final rule, contains the guidance.16
13 NTSB Safety Recommendations A–99–22 and A–99–23 are available in the docket and at www.ntsb.gov/safety/safety-recs/recletters/A99_20_29.pdf.
14 NTSB Safety Recommendation A–02–51 is available in the docket and at www.ntsb.gov/safety/safety-recs/recletters/A02_36_51.pdf.
15 NTSB Safety Recommendation A–14–119 is available in the docket and www.ntsb.gov/safety/safety-recs/recletters/A-14-113-127.pdf.
D. Summary of the NPRM
The FAA issued an NPRM on December 8, 2022 (87 FR 75424), that proposed amending certain airworthiness regulations. These regulations concern safety assessments for systems, including flight controls and powerplants, installed on transport category airplanes. The NPRM explained how the proposed regulations would reduce risk associated with airplane accidents and incidents that have occurred in service, and reduce risk associated with new technology in flight control systems. This action finalizes the proposal with changes made to address comments.
E. General Overview of Comments
V. Discussion of Comments and the
Final Rule
Harmonization
The NPRM explained that the FAA’s
proposed rule would harmonize with
the requirements of EASA to the extent
possible, although there were
differences in the requirements and
language of the FAA’s proposed
regulations compared to EASA’s
corresponding regulations in CS–25.
Almost all organizational commenters
requested the FAA revise the proposed
rule to harmonize more closely with
EASA CS–25. These commenters
expressed concern that differences
between the FAA’s proposal and
EASA’s existing regulations would
burden applicants requesting validation
of a type certificate issued by another
civil aviation authority because the
applicants would have to meet two sets
of requirements and show multiple
means of compliance for certification of
the same design. As discussed below,
the FAA decided to address this
concern by increasing harmonization of
its final rule with the corresponding
EASA CS–25 requirements.
16 This advisory circular, and the other advisory
circulars that accompany this final rule, are in the
docket.
The FAA acknowledges that there are
some remaining differences between the
FAA’s and EASA’s regulations on this
topic. The majority of differences
between the final rule and the
corresponding CS–25 regulations are
differences in wording or structure that
were made to satisfy FAA rulemaking
constraints or improve the final rule
language due to requests from
commenters. Although a few differences
may be significant standards
differences,17 as subsequently
explained, the FAA does not expect
these differences to increase the cost
and complexity of certification for
applicants pursuing validation nor
result in a different level of safety
between authorities.
In addition, the commenters
addressed the draft ACs that
accompanied the NPRM. The FAA’s
responses to these comments can be
found at the Dynamic Regulatory
System (drs.faa.gov), along with the
finalized ACs.
A. Section 25.4, Definitions
In the NPRM, the FAA proposed new
§ 25.4 to define certain terms that the
FAA is using in these revised
regulations for system safety assessment
of transport category airplanes.
1. Add Definitions
Boeing and GAMA/AIA requested the
FAA add definitions of several terms to
§ 25.4, including ‘‘continued safe flight
and landing,’’ ‘‘flightcrew,’’ ‘‘cabin
crew,’’ ‘‘ground crew,’’ ‘‘maintenance
personnel,’’ ‘‘exposure time,’’ ‘‘safety
requirements’’ and ‘‘candidate CMR.’’
GAMA/AIA requested the FAA explain
why some terms, but not others, were
defined in proposed § 25.4.
The FAA does not agree to add new
terms to § 25.4 in this final rule. The
FAA’s intent in adding § 25.4 is to
define key terms that are new to part 25
rule text and used in the regulations that
are part of this rulemaking (e.g., failure
condition categories and probabilities).
AC 25.671–1, Control Systems—
General, and AC 25.1309–1B, System
Design and Analysis, include additional
definitions for terms related to the
requirements of §§ 25.671 and 25.1309.
17 Significant standards difference (SSD) refers to
a validating authority airworthiness standard that
either differs significantly from the certifying
authority (CA) standard or has no CA equivalent.
Reference: Technical Implementation Procedures
for Airworthiness and Environmental Certification
between the FAA and EASA, Revision 7, dated
October 19, 2023, in the docket.
Boeing, GAMA/AIA, and Gulfstream
suggested that the FAA add definitions
for terms commonly used throughout
part 25 regulations (e.g., ‘‘impractical,’’
‘‘essential’’ and ‘‘critical’’). The FAA
declines to define additional terms used
in part 25, because the FAA does not
intend § 25.4 to include every term that
is repeated in part 25.
2. Remove Definitions
ANAC, Bombardier, and Garmin
requested the FAA not adopt proposed
§ 25.4, Definitions. ANAC preferred that
the FAA define these terms in 14 CFR
part 1, Definitions and Abbreviations,
while Bombardier and Garmin preferred
that the FAA define these terms in
guidance so that they can be more easily
changed as needed. Gulfstream also
noted that several terms that the FAA
proposed to be included in § 25.4 are
not extensively used in part 25 and
should be relocated to AC 25.1309–1B.
The FAA does not agree to omit new
§ 25.4 from the final rule. Section 25.4
is necessary to define key terms and
concepts that are new to part 25 rule
text and part of this rulemaking. AC
25.1309–1B provides further
information on these terms.
Gulfstream requested that the FAA
move ‘‘hazardous failure condition’’ to
AC 25.1309, unless the definition is
applicable to ‘‘hazardous’’ across all
regulations.
The FAA does not agree to move this
definition to the AC. The definition for
‘‘hazardous failure condition’’ in
§ 25.4(b)(2) only applies to the part 25
regulations in which that exact phrase is
used, and it does not apply to the terms
‘‘hazard’’ or ‘‘hazardous,’’ which are
used throughout part 25 in different
contexts. The FAA’s use of ‘‘hazardous’’
across other part 25 rules does not
necessarily imply a hazardous effect on
the aircraft, flightcrew, or occupants.
While not relevant to the Gulfstream
comment, the FAA notes a similar
situation exists with the term
‘‘extremely remote.’’ The § 25.4(c)(3)
definition of ‘‘extremely remote failure
condition’’ does not apply to the term
‘‘extremely remote’’ as used in § 25.933
or § 25.937. When those regulations
were published, the term ‘‘extremely
remote’’ meant ‘‘extremely improbable,’’
as used today.18
3. Revise Definitions
TCCA commented that the proposed
definitions of ‘‘major failure condition’’
and ‘‘hazardous failure condition’’ do
not include a pilot compensation aspect
and suggested changes to these
definitions. TCCA suggested adding ‘‘(5)
Considerable pilot compensation is
required for control’’ to the definition of
‘‘major failure condition’’ and ‘‘(4)
Intense pilot compensation is required
to retain’’ to the definition of
‘‘hazardous failure condition’’ in
accordance with a pilot task-oriented
approach for evaluating airplane
handling qualities. The FAA does not
agree to change the definitions as
suggested. The FAA’s definitions of
‘‘major failure condition’’ and
‘‘hazardous failure condition’’ already
include the effects on the flightcrew and
their workload. Lastly, the definitions of
‘‘major failure condition’’ and
‘‘hazardous failure condition’’ specified
in § 25.4 are harmonized with those
specified in EASA AMC 25.1309.
Changing those definitions would
disharmonize them with that AMC.
GAMA/AIA and Gulfstream requested
the FAA replace ‘‘persons’’ with
‘‘occupants’’ in the § 25.4 definition of
‘‘hazardous failure condition.’’ The
commenters stated that the use of
‘‘persons’’ in lieu of ‘‘occupants’’ is an
unsubstantiated expansion of the scope
of the safety analysis to include people
not on the aircraft. In addition, EASA’s
definition uses ‘‘occupants.’’ The FAA
does not agree with this request. The
FAA intends the term ‘‘persons’’ not to
be limited to aircraft occupants.
Although EASA’s definition uses the
term ‘‘occupants,’’ EASA has
interpreted ‘‘occupants’’ to include
persons other than airplane occupants
in its Acceptable Means of Compliance
(AMC) 25.1309. Specifically, AMC
25.1309 states, ‘‘Where relevant, the
effects on persons other than the
aeroplane occupants should be taken
into account when assessing failure
conditions in compliance with CS
25.1309.’’
18 The use of the term ‘‘extremely remote’’ in
§§ 25.933 and 25.937 dates to the initial issue of 14
CFR in 1965. Section 25.933 was based on Civil Air
Regulation (CAR) 4b.407, which was adopted at
amendment 4b–01, May 17, 1954. Section 25.937
was based on CAR 4b.408, which was adopted at
amendment 4b–6, July 8, 1957. The term
‘‘extremely remote’’ also appeared in CAR 04.310
on November 9, 1945. The FAA also stated in the
Federal Register in 2001, ‘‘The term ‘extremely
improbable’ (or its predecessor term, ‘extremely
remote’) has been used in 14 CFR part 25 for many
years. The objective of this term has been to
describe a condition (usually a failure condition)
that has a probability of occurrence so remote that
it is not anticipated to occur in service on any
transport category airplane.’’ 66 FR 23086, 23108
(May 7, 2001).
TCCA commented that the FAA
should revise its definition of
‘‘hazardous failure condition’’ to
exclude fatalities. TCCA stated that any
fatalities should be considered
catastrophic. The FAA did not make
this change in this final rule, as doing
so would not be consistent with long-standing FAA equivalent safety
findings, nor with industry standards
and practice, and would disharmonize
the definition of ‘‘hazardous failure
condition’’ with EASA AMC 25.1309.
Boeing and GAMA/AIA requested the
FAA revise the definition of
‘‘catastrophic failure condition’’ to
incorporate a note regarding failure
conditions, which would prevent
continued safe flight and landing
(CSFL). Boeing also requested the FAA
standardize the definition across the
ACs associated with this rulemaking
because the draft ACs were not
consistent in their use of CSFL and
associating this concept with
‘‘catastrophic failure condition.’’ The
FAA partially agrees with this request.
The FAA added a note to the definition
of ‘‘catastrophic failure condition’’ in
AC 25.1309–1B to indicate that a failure
condition that would prevent continued
safe flight and landing should be
classified as ‘‘catastrophic’’ unless
otherwise defined in other, more
specific, ACs. The FAA did not add the
note to the regulatory definition in
§ 25.4 because the note is guidance on
the application of the definition.
Boeing requested that the FAA update
the § 25.4(b)(1) definition of ‘‘major
failure condition’’ to add ‘‘physical
discomfort’’ as an effect on the flight
crew and to use the term ‘‘cabin crew’’
instead of ‘‘flight attendants’’ for
consistency with EASA Acceptable
Means of Compliance (AMC) 25.1309.
The FAA agrees and has incorporated
these updates in the final rule for
§ 25.4(b)(1).
GAMA/AIA and Gulfstream requested
the FAA remove § 25.4(b)(1)(iv) (‘‘An
effect of similar severity’’) from the
definition of ‘‘major failure condition’’
in § 25.4(b)(1). They stated this is a new
addition to the definition and may cause
confusion. The FAA does not agree to
remove ‘‘an effect of similar severity’’
from the definition. This phrase
replaces the term ‘‘for example’’ in
EASA’s definition. This does not add
any additional criteria to the existing
safety objective of ‘‘major’’ severity.
Boeing and GAMA/AIA requested the
FAA revise the definition of ‘‘significant
latent failure’’ to ‘‘Any latent failure that
is present in any combination of failures
or events resulting in a hazardous or
catastrophic failure condition.’’ Boeing
stated that this proposed definition
minimizes possible misunderstanding
or misinterpretation of the significant
latent failure. The FAA did not make
this change because the wording of the
significant latent failure definition is
well-established and unchanged from
AC 25.1309–1A.
Except for the foregoing updates to
the definition of ‘‘major failure
condition’’ in § 25.4(b)(1), new § 25.4,
Definitions, is adopted as proposed.
B. Section 25.302, Interaction of
Systems and Structures
In the NPRM, the FAA proposed a
new section, § 25.302, that would
require an applicant to account for
systems, and their possible failure,
when assessing the structural
performance of its proposed design.
Modern flight control systems are more
sophisticated than their predecessors
and offer advantages such as load
limiting and alleviation. However, as
the FAA discussed in the NPRM, these
systems can also have failure states that
may allow the system to function in
degraded modes that flightcrews may
not readily detect and in which the load
alleviation or limiting function may be
adversely affected.
The FAA based much of its proposed
regulation on the requirements of
special conditions that the FAA has
issued for several years to address these
concerns on previous certification
programs. However, as detailed in the
NPRM, proposed § 25.302 included a
number of differences compared to the
special conditions and as compared to
EASA CS 25.302. The primary objective
of the § 25.302 rule that the FAA
proposed in the NPRM was to reduce
confusion for authorities and applicants
by simplifying the rule text relative to
previously-issued special conditions.
ATR, Boeing, Bombardier, TCCA,
Airbus, EASA, GAMA/AIA, Gulfstream,
and ANAC did not object to the FAA
codifying the terms of its special
conditions that it has been issuing to
address this issue. However, they
requested the FAA harmonize (by using
the same language and, if possible, the
same paragraph and appendix
numbering for) proposed § 25.302 as
EASA CS 25.302, which includes
Appendix K by reference.
The FAA recognizes the benefits of
harmonization. These benefits include
regulatory predictability and the
reduction of burden on applicants and
civil aviation authorities. Therefore,
except as discussed below, in this final
rule, the FAA has harmonized new
§ 25.302 with EASA CS 25.302 to match
the language and structure of EASA’s
rule to the extent allowed by FAA
rulemaking constraints.
In this final rule, the FAA has revised
the proposed § 25.302 to more closely
harmonize with EASA CS 25.302, which
includes Appendix K by reference. The
FAA has revised proposed § 25.302 to
harmonize with CS 25.302 in the
determination of structural safety
factors; the load conditions that the
applicant must consider following
system failures; residual strength
substantiation; fatigue and damage
tolerance; failure indications; and
dispatch with known failure conditions.
The FAA is revising these requirements
relative to what was proposed in the
NPRM because much of the criteria in
CS 25.302 more closely matches the
FAA Interaction of Systems and
Structures special conditions that have
been applied on numerous transport
category airplane programs and have
proven to provide a satisfactory level of
safety.19 Also, the NPRM proposal, if
adopted, would have introduced a
number of differences between FAA and
EASA requirements and created a
potential certification burden.
The FAA stated in the NPRM that the
proposed § 25.302(e), which would have
provided structural requirements for
dispatch under the master minimum
equipment list provided by the
applicant, would provide safety benefits
by using a simpler approach to address
the risk associated with dispatching an
airplane with known failure conditions.
However, the FAA agrees with
commenters that two different sets of
criteria (FAA and EASA) would only
cause more difficulty for manufacturers,
the FAA, and other civil aviation
authorities. The FAA also stated in the
NPRM that proposed § 25.302 would
provide safety benefits by using simpler,
and in some cases more conservative,
criteria compared with CS 25.302 and
previous FAA special conditions. The
FAA agrees with commenters that its
special conditions, which used the same
factor-of-safety formulae as used in CS
25.302, have proven to provide a
satisfactory level of safety and that more
conservative criteria are not necessary.
By more closely harmonizing with CS
25.302 and previous FAA special
conditions, applicants will be able to
rely on past practices. The public could
have reasonably anticipated the FAA
would adopt final rule text that closely
harmonizes with CS 25.302, given the
FAA’s prior special conditions, the
common safety purpose of the FAA and
EASA regulations on this topic, and the
harmonization discussion throughout
the NPRM.
19 87 FR 16626 (Mar. 24, 2022); 82 FR 36328
(Aug. 4, 2017).
In this final rule, the FAA has also
revised § 25.302 to harmonize with CS
25.302 in terms of the rule structure and
paragraph numbering, although CS–25
includes CS 25.302 criteria within
Appendix K, while 14 CFR part 25
includes all criteria directly in § 25.302.
The regulatory text proposed by the
FAA in the NPRM did not require
applicants to consider the effect of
nonlinearities, but the preamble
reflected the FAA’s assumption that
applicants would do so. Consistent with
CS 25.302, in this final rule, the FAA
has made this consideration a regulatory
requirement.
In the NPRM, the FAA stated that
proposed § 25.302 would not include
any aeroelastic stability requirements,
only loads requirements. The FAA did
not revise this final rule to harmonize
with CS 25.302 in terms of aeroelastic
stability criteria. As discussed in the
NPRM, the FAA finds that the failure
criteria specified in § 25.629 are
adequate, and there is no need to
propose different failure criteria in
§ 25.302.
Airbus, Boeing, Bombardier, Dassault,
DeHavilland, GAMA/AIA, Gulfstream,
Pratt & Whitney, and TCCA requested
specific changes to proposed § 25.302 in
the event the FAA chose not to
harmonize § 25.302 with EASA CS
25.302. The requested specific changes
are no longer applicable as the FAA has
largely harmonized § 25.302 in this final
rule with EASA CS 25.302.
Airbus proposed that the FAA
consolidate, into new § 25.302, the
requirement of § 25.305(f) that the
airplane must be designed to withstand
any forced structural vibration resulting
from any failure, malfunction, or
adverse condition in the flight control
system. The FAA does not agree. In this
final rule, the FAA keeps those as
separate requirements because the
requirement in § 25.305(f) may apply to
systems and failures not addressed by
§ 25.302. Also, § 25.305(f) is currently
harmonized with CS 25.305(f).
1. Summary of Requirements
For airplanes equipped with systems
that affect structural performance,
§ 25.302, in this final rule, requires the
applicant take into account the
influence of these systems and their
failure conditions when showing
compliance with the requirements of
subparts C and D of 14 CFR part 25.
New § 25.302(b) specifies requirements
for when the systems are fully operative.
New § 25.302(c) specifies requirements
for failure conditions at the time of
occurrence (§ 25.302(c)(1)) and for the
continuation of flight (§ 25.302(c)(2)).
New § 25.302(c) includes requirements
related to structural vibrations, residual
strength, and fatigue and damage
tolerance for these failure conditions.
Finally, the rule provides failure
indication (§ 25.302(d)) and dispatch
requirements (§ 25.302(e)).
2. Applicability
Boeing, Bombardier, DeHavilland,
GAMA/AIA, and Pratt & Whitney
requested that the FAA clarify the
applicability of proposed § 25.302,
including whether the FAA’s final rule
would apply only, as did the FAA’s
special conditions and EASA CS 25.302,
to the airplane structure whose failure
could prevent continued safe flight and
landing. The applicability of § 25.302 in
this final rule is as follows.
As stated in the final rule text,
§ 25.302 applies to systems that affect
structural performance, either directly
or as a result of a failure or malfunction.
A system affects structural performance
if it can induce loads on the airplane or
change the response of the airplane to
inputs such as gusts or pilot actions.
Examples of these systems include
flight control systems, autopilots,
stability augmentation systems, load
alleviation systems, and fuel
management systems.
Section 25.302, in this final rule,
specifies the loads that the applicant’s
analysis must apply to structure, taking
into account the systems defined above,
operating normally and in the failed
state. As stated in the final rule text,
these structural requirements apply only
to structure whose failure could prevent
continued safe flight and landing. This
limitation is consistent with the
requirements of the special conditions
that the FAA has been applying for
more than twenty years.
Section 25.302, in this final rule and
as proposed in the NPRM, does not
apply to the flight control jam
conditions covered by § 25.671(c)(3) or
the discrete source events covered by
§ 25.571(e). Section 25.302 also does not
apply to any failure or event that is
external to (not part of) the system being
evaluated and that would itself cause
structural damage.
3. Clarification of Terms
In this final rule, § 25.302(b) states
that with the system fully operative, the
applicant must investigate the effect of
nonlinearities sufficiently beyond limit
conditions to ensure the behavior of the
system presents no detrimental effects
compared to the behavior below limit
conditions. The intent of this sentence
is to require the applicant to investigate
the system effects ‘‘sufficiently beyond
limit’’ to ensure that no detrimental
effects could occur at limit load or just
beyond.
Sections 25.302(c)(1)(ii) and (c)(2)(iii)
of this final rule include a reference to
residual strength substantiation. This is
referring to the residual strength
substantiation required by § 25.571(b).
Section 25.302(c)(2)(iv) of this final
rule states that if the loads induced by
the failure condition have a significant
effect on fatigue or damage tolerance,
then the applicant must take their
effects into account. A failure condition
has a ‘‘significant’’ effect on fatigue or
damage tolerance if it would result in a
change to inspection thresholds,
inspection intervals, or life limits.
Section 25.302(d)(1) of this final rule
requires the flightcrew to be made aware
of certain failure conditions before
flight, as far as practicable. In this case,
‘‘as far as practicable’’ means that if
automatic failure indication can detect
such a failure using current technology,
then that failure should be so monitored
and indicated to the flightcrew before
flight.
4. Significant Standards Differences
Between § 25.302 and EASA CS 25.302
Section 25.302 of this final rule differs
from CS 25.302 and Appendix K, as
discussed below.
As noted above, unlike CS 25.302,
new § 25.302 does not include any
aeroelastic stability requirements.
Section 25.629 and CS 25.629 both
specify flutter speed margins for failure
conditions, but CS 25.302 includes
additional aeroelastic failure criteria. As
indicated in the NPRM, the FAA finds
the failure criteria specified in § 25.629
to be adequate, and additional failure
criteria in § 25.302 are unnecessary.
This is a significant standards difference
between § 25.302 and CS 25.302.
The NPRM proposed, and in this final
rule § 25.302 requires, the evaluation of
any system failure condition not shown
to be extremely improbable or that
results from a single failure. Several
commenters, including Bombardier,
Airbus, and TCCA, stated that single
failures that an applicant shows to be
extremely improbable should not be
included in § 25.302, while Boeing
agreed that single failures should be
included regardless of probability. The
FAA does not agree to exclude single
failures from § 25.302 in this final rule
for the following reasons:
(1) To be consistent with §§ 25.671
and 25.1309, both of which require the
evaluation of single failures, and related
guidance, and past practice for these
regulations, the FAA determined, as
indicated in the NPRM, that single
failures should be assumed to occur
regardless of probability.
(2) The typical language of the FAA’s
Interaction of Systems and Structures
special conditions, used to address this
issue on a variety of transport category
airplane programs for more than twenty
years, refers to any system failure
condition ‘‘not shown to be extremely
improbable.’’ Even though the special
conditions have not explicitly
mentioned single failures, the FAA’s
long-standing position on single failures
is that they cannot be accepted as being
extremely improbable. As noted in AC
25.1309–1A, dated June 21, 1988: ‘‘In
general, a failure condition resulting
from a single failure mode of a device
cannot be accepted as being extremely
improbable.’’
(3) The FAA has determined that not
including single failures in the
evaluation would reduce safety.
To conclude, CS 25.302 requires the
evaluation of any system failure
condition not shown to be extremely
improbable, and that rule does not
explicitly mention single failures.
Therefore, this is a significant standards
difference between § 25.302 in this final
rule and CS 25.302.
CS 25.302 and § 25.302 in this final
rule both require evaluation of failure
conditions that affect structural
performance, and for these failure
conditions, both rules specify certain
load conditions that must be evaluated
for the continuation of flight. Section
25.302 includes an additional
requirement not included in CS 25.302:
Section 25.302(c)(2)(i)(F) requires the
applicant to evaluate any other load
condition for which a system is
specifically installed or tailored to
reduce the loads of that condition.
‘‘Tailored’’ means the system is
designed or modified to change the
response of the airplane to inputs such
as gusts or pilot actions and thereby
affect the resulting loads on the
airplane. This is necessary to account
for any systems that are designed to
reduce the loads resulting from load
conditions not specified in
§ 25.302(c)(2)(i)(A) through (E) and
whose failure would increase loads
relative to the design load level. This is
a significant standards difference
between § 25.302 and CS 25.302.
5. Nonsignificant Standards Differences
Between § 25.302 and EASA CS 25.302
Section 25.302 does not include
paragraphs (a) and (b) from CS–25
Appendix K, K25.1 General, except for
one sentence from K25.1(a). That
sentence indicates that the criteria in
§ 25.302 are only applicable to structure
whose failure could prevent continued
safe flight and landing. Also, new
§ 25.302(c), discussed above, does not
include paragraph (c)(3) from Appendix
K, K25.2 Effects of Systems on
Structures. The FAA did not include
these paragraphs because the FAA
determined they are general in nature
and do not contain any specific
requirements.
Section 25.302 does not include the
definitions found in paragraph K25.1(c).
The FAA determined these terms are
sufficiently understood and do not need
to be provided in the rule.
While § 25.302 is mostly harmonized
with CS 25.302, there are a number of
minor differences in wording, as
follows:
CS–25 K25.2 paragraph (b) provides
requirements for a fully operative
system. Section 25.302(b) mandates the
same requirements but states them more
succinctly.
CS–25 K25.2 paragraph (c) provides
requirements for a failed system.
Section 25.302(c) mandates the same
requirements but removes passive voice
and states those requirements more
succinctly.
CS–25 K25.2 paragraph (d) provides
failure indication requirements. Section
25.302(d) mandates the same
requirements but does not include the
last two sentences of K25.2 paragraph
(d)(1) because they are unnecessary
given the first two sentences of
paragraph (d)(1).
CS–25 K25.2 paragraph (e) and
§ 25.302(e) of this final rule address
dispatch requirements. In § 25.302(e),
the FAA includes a specific reference to
the Master Minimum Equipment List,
which the operator uses to develop their
Minimum Equipment List, the primary
document that controls dispatch
requirements. Also, CS 25.302(e)
includes a requirement that flight and
operational limitations be such that
being in a failure state and then
encountering limit load is extremely
improbable. The FAA did not include
this requirement because § 25.302(e)
already includes specific criteria related
to dispatch, and this requirement could
potentially conflict with those criteria.
Finally, EASA includes CS 25.302
criteria within CS–25 Appendix K,
while this final rule includes the
equivalent criteria in § 25.302.
In conclusion, to address the potential
effects of aircraft systems on structure,
the FAA does not adopt the text of
§ 25.302 that the FAA proposed in the
NPRM. Instead, the FAA, as requested
by several commenters, adopts a new
§ 25.302 that more closely hews to the
language of the FAA’s longstanding
special conditions on this topic and to
EASA CS 25.302, with the modifications
set forth in the foregoing discussion.
C. Section 25.629, Aeroelastic Stability
Requirements
Summary of Changes to Current Rule
Section 25.629 establishes several
requirements to ensure the aeroelastic
stability of the airplane. For example, it
requires the applicant to consider the
potential effect of several types of
failures on the airplane’s aeroelastic
stability. In the NPRM, the FAA
proposed to revise paragraphs (b) and
(d) of this section, as discussed below.
In this final rule, the FAA is revising
the paragraph numbers of § 25.629 to
correspond with EASA’s rule (i.e.,
§ 25.629(d)(9) becomes (d)(10);
§ 25.629(d)(10) becomes (d)(11); and the
failure evaluation requirements are
introduced in § 25.629(d)(9)), as
requested by commenters and explained
below. The FAA is also revising the text
in § 25.629(d)(9), as requested by
commenters and as explained below, to
harmonize with EASA CS 25.629(d)(9)
and to clarify when the new failure
evaluation requirements are applicable.
Furthermore, as requested by
commenters and explained below, the
FAA is not revising § 25.629(b), as was
proposed in the NPRM, to include the
reference to § 25.333. Instead, the FAA
is revising § 25.629(a) to clarify that the
aeroelastic evaluation must include any
condition of operation within the
maneuvering envelope. This revision to
proposed § 25.629(a) is consistent with
current existing industry practice of
evaluating the aeroelastic impact of
loads due to allowed maneuvers for part
25 airplanes and is stated explicitly in
§ 23.629 at amendment 23–63 20 and
EASA CS 23.629 amendment 23/4. The
FAA also revised § 25.629(a) in this
final rule to consistently use the
singular term ‘‘evaluation’’ where it
appears in order to prevent confusion.
1. Paragraphs (a) and (b)
In the NPRM, the FAA proposed to
specify that the aeroelastic stability
envelope addressed by § 25.629(b)
includes the range of load factors in
§ 25.333, Flight Maneuvering Envelope.
GAMA/AIA, Gulfstream,
DeHavilland, Airbus, Bombardier, and
Boeing requested the FAA not make this
change. The commenters stated this
would be an expansion of the traditional
scope of § 25.629 and that it would
disharmonize the FAA’s rule with
EASA rules. The commenters also stated
that the structural design envelope
defined in § 25.333 is not intended for
aeroelastic stability analysis and should
not be confused with the normal flight
envelope of an airplane.
20 76 FR 75736 (December 2, 2011).
The FAA agrees with the commenters
that the proposed change would
disharmonize with CS 25.629 and
potentially confuse the FAA’s
aeroelastic stability requirements with
the strength requirements of § 25.333.
Therefore, in this final rule, the FAA
did not adopt the reference to § 25.333
in § 25.629(b), which remains
unchanged.
However, including conditions within
the flight maneuvering envelope that is
described in § 25.333 in aeroelastic
stability evaluations is common practice
because such conditions are anticipated
to be encountered in flight and therefore
need to be free from aeroelastic
instabilities. Thus, although paragraph
(b) of § 25.629 does not reference
§ 25.333, in this final rule, paragraph (a)
of § 25.629 now states that the
aeroelastic evaluation must ‘‘include
any condition of operation within the
maneuvering envelope.’’ This change to
§ 25.629(a) is consistent with § 23.629 at
amendment 23–63 and EASA CS 23.629
amendment 23/4, which also address
conditions of operation in paragraph (a).
The FAA has also issued AC 25.629–1C,
Aeroelastic Stability Substantiation of
Transport Category Airplanes, to
provide more details, further clarify the
intent of the rule change, and provide
an acceptable means of compliance.
2. Paragraph (d)
In the NPRM, the FAA proposed to
relocate certain requirements for
applicants to analyze specific failures
from § 25.671(c)(2) to § 25.629(d).
Gulfstream requested the FAA revise
proposed § 25.629(d) to consider the
probability of the noted failure
conditions and exclude extremely
improbable failure combinations.
Gulfstream stated that current
§ 25.671(c)(2) states ‘‘Any combination
of failures not shown to be extremely
improbable. . .’’; however, proposed
§ 25.629(d)(10) would not have limited
its scope to ‘‘combination of failures not
shown to be extremely improbable.’’ In
addition, GAMA/AIA requested the
FAA not adopt proposed § 25.629(d)(10)
and instead leave these requirements in
current § 25.671. GAMA/AIA stated that
by explicitly adding the failures to
proposed § 25.629(d)(10), regardless of
probability, a more strenuous
requirement is added without
justification. GAMA asserted that
retention of the exclusion of extremely
improbable combinations will serve to
incentivize designs of higher reliability.
The FAA does not agree with these
requests. The FAA does not agree with
the commenters’ suggestions to limit the
required consideration to failures that
the applicant cannot show are extremely
improbable. The stated conditions need
to be considered by the applicant
regardless of probability calculations if
the airplane’s aeroelastic stability relies
on flight control system stiffness,
damping, or a combination of both.
Proposed § 25.629(d)(10), which is now
paragraph (d)(9) in the final rule,
reflects current industry practice and
existing guidance in AC 25.629–1B and
EASA Acceptable Means of Compliance
(AMC) § 25.629. In addition, the
requested change would have
introduced a significant difference
between the standards of the FAA and
EASA CS 25.629.
Boeing, Bombardier, and Gulfstream
requested that proposed paragraph
§ 25.629(d)(10) be more closely
harmonized with the corresponding CS
25.629 paragraph in its introductory text
to include the text ‘‘where aeroelastic
stability relies on flight control system
stiffness and/or damping’’ to provide
clarity to the application of this
requirement. The FAA agrees with this
request because it clarifies the situations
for which failure evaluations are
required and has updated § 25.629(d)(9)
in the final rule to more closely
harmonize with EASA and to include
the text ‘‘where aeroelastic stability
relies on flight control system stiffness,
damping, or both.’’
Airbus requested that the FAA
remove the reference to § 25.671 from
current § 25.629(d)(9). Airbus stated that
this reference may no longer be
applicable because, in the NPRM, the
FAA proposed to consolidate the
requirements in current § 25.671(c)(1)
and (c)(2) under proposed § 25.1309.
In this final rule, the FAA has
redesignated paragraph (d)(9) of
§ 25.629 as paragraph (d)(10) and
updated § 25.671(c) to align with CS
25.671(c). The FAA has retained the
reference to § 25.671 in § 25.629(d)(10)
because, in the final rule, applicants
must still evaluate the failure conditions
of paragraph § 25.671(c) under
§ 25.629(d)(10).
D. Section 25.671, Flight Control
Systems
In the NPRM, the FAA proposed a
number of revisions and additions to
§ 25.671, as summarized and discussed
below. Airbus, ANAC, Boeing, GAMA,
Gulfstream, Safran, and TCCA requested
the FAA harmonize one or more
paragraphs of § 25.671 with EASA CS
25.671. The FAA agrees with these
requests and, in this final rule, has
changed proposed § 25.671(a), (b), (c),
(d), (e), and (f) to better align with EASA
CS 25.671.
1. Paragraph (a)
In the NPRM, the FAA proposed to
revise § 25.671(a) by referring to each
‘‘flight control’’ and ‘‘flight control
system’’ instead of ‘‘control’’ and
‘‘control system.’’ To harmonize with
CS 25.671(a), the final rule now refers
only to each ‘‘flight control system.’’
This is not a substantive change from
the NPRM.
In the NPRM, the FAA also proposed
to revise § 25.671(a) to require the flight
control system to continue to properly
operate, and not hinder airplane
recovery when the airplane experiences
certain conditions, including any
‘‘pitch, roll, or yaw rate, or vertical load
factor.’’ The FAA proposed that this
change would ensure there would be no
features or unique characteristics of the
flight control system that restrict the
pilot’s ability to recover from any
attitude, pitch, roll or yaw rate, or
vertical load factor expected to occur
due to operating or environmental
conditions. ANAC and TCCA suggested
changing proposed § 25.671(a) to specify
‘‘any flight dynamics parameter’’
instead of ‘‘any pitch, roll, yaw rate, or
vertical load factor’’ to harmonize with
EASA language. The FAA does not
agree. The suggested change would be a
potentially open-ended requirement
because ‘‘any flight dynamics
parameter’’ could mean many different
parameters. The text in § 25.671(a) 21 is
more specific, sufficient to accomplish
its purpose, and is adopted as proposed.
2. Paragraph (b)
In the NPRM, the FAA proposed to
revise § 25.671(b) by referring to
incorrect assembly that could result in
‘‘failure of the system to perform its
intended function.’’ To harmonize with
CS 25.671(b), the final rule now refers
to incorrect assembly that could result
in ‘‘failure or malfunctioning of the
system.’’ This is not a substantive
change from the NPRM.
An individual commenter requested
the FAA move the requirement to
minimize the probability of incorrect
assembly from § 25.671(b) to § 25.1309
and make it applicable to all systems.
The commenter stated that designing a
system to ensure it can only be
assembled correctly is a basic good
engineering practice. The FAA does not
agree to make this change to the
regulation. The requirements of
§ 25.671(b) apply only to flight control
systems. Other systems are subject to
different requirements for minimizing
incorrect assembly and different
marking requirements. The incorrect
assembly addressed by § 25.671(b) is
that which could result in failure or
malfunctioning of the system. Section
25.1309(a) requires the proper
functioning of the equipment, systems,
and installations whose function is
required by subchapter C of title 14. The
issue of incorrect assembly is addressed
in AC 25.1309–1B, by reference to
Aerospace Recommended Practice
(ARP) 4761 ‘‘Guidelines and Methods
for Conducting the Safety Assessment
Process on Civil Airborne Systems and
Equipment.’’ Improper assembly within
ARP4761 is a manufacturing
consideration with consideration to
common mode type sources or failures/
errors only.
21 AC 25.671–1 provides additional information.
ANAC requested the FAA harmonize
proposed § 25.671(b) with EASA CS
25.671(b) by adding ‘‘taking into
consideration the potential consequence
of incorrect assembly’’ to the
requirement. The FAA does not agree
with this request. The general
requirements of this paragraph apply to
each element of each flight control
system regardless of the potential
consequence of incorrect assembly.
Revised § 25.671(b) is therefore
adopted as proposed.
3. Introductory Text of Paragraph (c)
The NPRM proposed certain
conforming changes to the introductory
text of paragraph (c), as a result of the
FAA’s proposal to remove the flight
control system failure criteria of
§ 25.671(c)(1) and (c)(2) and substitute
the general criteria of 14 CFR 25.1309.
As explained below, the FAA decided to
retain the specific criteria of
§ 25.671(c)(1) and (c)(2), and so the
proposed changes to the introductory
text of paragraph (c) are now no longer
necessary. Therefore, in this final rule,
the introductory paragraph (c) is
unchanged from the current paragraph
(c), except as described herein.
The current § 25.671(c) introductory
text refers to the flight control system
and surfaces (including trim, lift, drag,
and feel systems). To harmonize with
CS 25.671(c), the final rule refers only
to the flight control system, which
includes surfaces and the other
referenced systems. This is not a
significant change.
The current § 25.671(c) introductory
text requires the applicant to show that
the airplane is capable of continued safe
flight and landing after jams and other
failures ‘‘without requiring exceptional
piloting skill or strength.’’ Gulfstream
requested the FAA not remove ‘‘without
requiring exceptional skill or strength’’
from § 25.671(c). The FAA does not
agree because that clause is now
included in the definition of continued
safe flight and landing provided in AC
25.671–1. Therefore, including this
phrase in § 25.671(c) is no longer
necessary. The final rule is also
harmonized with CS 25.671(c) and AMC
25.671 in this regard.
Gulfstream requested the FAA not
eliminate, as it proposed in the NPRM,
the § 25.671(c) requirement for probable
flight control failures to have only
‘‘minor’’ effects. The company stated
that minor failures for § 25.1309 tend to
only have a functional hazard
assessment (FHA)-level review in the
SSA. There is no specific requirement in
§ 25.1309(b) to address minor failures.
As such, there may be probable flight
control failures that are not explicitly
addressed by the § 25.1309(b) process.
The FAA agrees. The final rule retains
the noted text.
ANAC requested the FAA move the
requirement that compliance be shown
‘‘by analysis, test, or both . . .’’ from
§ 25.671(c) to AC 25.671–1, stating that
this text is guidance. The FAA does not
agree. This portion of the text in
§ 25.671(c) was not proposed to be
revised in the NPRM, has been in place
for many decades in the current rule, is
understood by applicants, and is
harmonized with CS 25.671(c).
4. Paragraphs (c)(1) and (c)(2)
The NPRM proposed that current
§ 25.671(c)(1) and (c)(2) be removed and
all flight control system failures be
covered by § 25.1309. Boeing, Airbus,
ANAC, GAMA/AIA, Gulfstream, and
TCCA requested the FAA retain the
current § 25.671(c)(1) and (c)(2) in order
to better align § 25.671(c) with EASA CS
25.671(c). The FAA agrees with
commenters that removing
§ 25.671(c)(1) and (c)(2) would create a
certification burden due to differences
with EASA requirements and because
different means of compliance are
normally used for §§ 25.671(c) and
25.1309(b), as described in their
respective ACs. Therefore, the FAA
agrees to retain § 25.671(c)(1) and (c)(2).
If the FAA chose not to change
§ 25.671(c)(1) and (c)(2), TCCA, ANAC,
Bombardier, and Boeing requested
specific changes to § 25.671(c) in order
to more closely harmonize with EASA
CS 25.671(c). The requested changes are
no longer relevant as the FAA has
decided to retain § 25.671(c)(1) and
(c)(2).
5. Paragraph (c)(3)
In the NPRM, the FAA proposed that
revised § 25.671(c) would address flight
control jams. With the retention of
§ 25.671(c)(1) and (c)(2), described
above, flight control jams will continue
to be addressed by § 25.671(c)(3). The
proposed rule would have addressed
flight control jams in § 25.671(c)(1),
(c)(2), and (c)(3). The corresponding
paragraphs for these requirements in
this final rule are § 25.671(c)(3)(i),
(c)(3)(ii), and (c)(3)(iii).
To harmonize with CS 25.671(c)(3)
and as recommended by the ARAC
FCHWG, and as described in the NPRM,
this final rule refers to jams of a flight
control surface or pilot control that are
‘‘fixed in position’’ due to a physical
interference.
6. Exception in Paragraph (c)(3)(ii)
Proposed § 25.671(c)(2) would have
excepted jams that occur immediately
before touchdown if the applicant were
able to show that such jams are
extremely improbable. (In this final rule,
§ 25.671(c)(2) is renumbered as
§ 25.671(c)(3)(ii).) The FAA proposed
this exception due to the lack of
practical means for applicants to show
compliance, and the short duration of
the potential hazard.
GAMA/AIA and Gulfstream requested
the FAA revise proposed § 25.671(c)(2)
to incorporate the 2002 ARAC FCHWG
recommendation, which excluded
consideration of jams occurring
immediately before touchdown
regardless of probability.
The FAA agrees that the consideration
of jams before touchdown should not be
linked with a numerical estimate of the
probability of the jam. Instead, in this
final rule the FAA has reworded
§ 25.671(c)(3)(ii) to exclude
consideration of jams immediately prior
to touchdown if the risk of a potential
jam is minimized to the extent practical.
AC 25.671–1 provides guidance on
acceptable means of showing
compliance with this requirement.
This is a difference between
§ 25.671(c)(3)(ii) and EASA CS
25.671(c)(3)(ii) because CS
25.671(c)(3)(ii) does not include an
exception for jams occurring just before
touchdown. The FAA expects this
difference to have no effect in practice
because EASA guidance included in
Acceptable Means of Compliance (AMC)
§ 25.671 similarly allows jams before
touchdown to be excluded if an
assessment of the design shows that all
practical precautions have been taken.
Therefore, the FAA finds that, with this
final rule, there will not be a significant
standards difference between the FAA
and EASA requirements.
Airbus asked that the FAA also except
jams during the takeoff phase because,
in both cases, exposure time is limited.
The FAA does not agree. The ARAC
FCHWG did not recommend excluding
the takeoff phase, only the landing
phase. Although flight control jams can
occur during takeoff, practical design
solutions can be put in place to mitigate
such jams. Note that AC 25.671–1 states
that, for jams that occur during takeoff,
the applicant may assume that if the jam
is detected prior to V1, the takeoff will
be rejected.
DeHavilland requested confirmation
that the new requirements related to
flight control jams do not change what
the company describes as accepted
current practice. That practice would
allow jams in spring-tab mechanisms
that could occur during takeoff to be
evaluated probabilistically, and the
short exposure time during takeoff
could be considered in determining the
probability of such jams. This final rule
requires the applicant to determine the
type of jam or failure being assessed. For
those flight control jams evaluated
under § 25.671(c)(3), the probability of
the jam, and the short exposure time
during takeoff, may not be considered in
showing compliance with that
regulation. The FAA did not change the
rule or associated guidance as a result
of this comment.
7. Paragraph (c)(3)(iii)
Section 25.671(c)(3)(iii) states that in
addition to the jam being evaluated, any
additional failure conditions that could
prevent continued safe flight and
landing must have a combined
probability of 1/1000 or less, rather than
‘‘less than 1/1000’’ as proposed in the
NPRM. This harmonizes with CS
25.671(c)(3).
GAMA/AIA requested that the FAA
use ‘‘failure states’’ in place of ‘‘failure
conditions’’ in § 25.671(c)(3)(iii) because
the 2002 ARAC FCHWG report used
‘‘failure states.’’ The FAA does not
agree. The term ‘‘failure conditions’’ is
well-understood, has been used for
many years, and is appropriately used
in this regulation. In addition, CS
25.671(c)(3) also refers to ‘‘failure
conditions.’’ The FAA added guidance
in AC 25.671–1 to explain this
requirement.
Except for the differences noted in the
foregoing discussion, revised § 25.671(c)
is adopted as proposed.
8. Paragraph (d)
Section 25.671(d) requires that the
airplane remain controllable if all
engines fail. In the NPRM, the FAA
proposed to add a requirement that an
approach and flare to a landing and
controlled stop must also be possible,
assuming that a suitable runway is
available. GAMA/AIA, TCCA, and
Boeing requested the FAA add ‘‘and
flare to ditching’’ to the new
requirements. Since the most likely
scenario leading to a controlled ditching
is loss of all engines, the scenario is
relevant, according to the commenters.
The FAA agrees with this request
because a flare to a ditching may require
different reconfiguration than would be
required for landing; for example, flap
settings and pitch attitude. Adding the
flare to a ditching requirement to
§ 25.671(d) will also harmonize the rule
with CS 25.671(d).
Gulfstream and GAMA/AIA requested
the FAA remove the requirement for a
controlled stop from proposed
§ 25.671(d) as they felt a braking
requirement should not be added to a
general flight control system
requirement. The FAA does not agree.
Stopping capability can be affected by
flight controls, including spoilers, flaps,
and rudder. In addition, this would
result in a difference compared to EASA
CS–25 language.
TCCA and ANAC requested that the
FAA remove the following sentence
from proposed § 25.671(d): ‘‘The
applicant may show compliance with
this requirement by analysis where the
applicant has shown that analysis to be
reliable.’’ The commenters stated that
this sentence describes an acceptable
means of compliance, which is
adequately covered in the
corresponding guidance. The FAA
agrees and did not include this sentence
in the final rule.
Except for the changes noted in the
foregoing discussion, § 25.671(d) is
adopted as proposed.
9. Paragraph (e)
In the NPRM, the FAA proposed to
add new § 25.671(e), requiring the flight
control system to indicate whenever the
primary control means are near the limit
of control authority. The FAA proposed
this change due to the lack of direct
tactile link between the flightdeck
control and the control surface on
airplanes equipped with fly-by-wire
control systems.
DeHavilland requested that the FAA
use ‘‘must provide appropriate feedback
to the flight crew . . .’’ in place of
‘‘must indicate to the flight crew’’ in
new § 25.671(e). The company stated
that for non-fly-by-wire systems, the air
loads are either naturally sensed or
simulated. The company also
commented that the use of the word
‘‘indicate’’ in the proposed requirement
has a potential for misinterpretation, as
tactile feedback is not normally
considered as an ‘‘indication.’’ The
commenter acknowledged draft AC
25.671–X addresses use of feel forces
and cockpit control movement to meet
this requirement.
The FAA does not agree to make this
change. As noted by the commenter, the
AC addresses use of tactile feedback as
a method of compliance with this
requirement.
ANAC and TCCA commented that the
FAA should harmonize the new
requirement of § 25.671(e) with CS
25.671(e) to remove any possible
misunderstanding. The FAA agrees. The
proposed rule stated that the ‘‘flight
control system’’ must indicate to the
flightcrew whenever the primary control
means is near the limit of control
authority. This final rule is revised to
harmonize with CS 25.671(e) and
requires ‘‘the airplane’’ to be designed to
indicate to the flightcrew whenever the
primary control means is near the limit
of control authority. This is not a
substantive change.
10. Paragraph (f)
In the NPRM, the FAA proposed to
add new § 25.671(f), requiring that the
flight control system alert the flightcrew
whenever the airplane enters any mode
that significantly changes or degrades
the normal handling or operational
characteristics of the airplane.
ANAC and TCCA commented that the
FAA should fully harmonize § 25.671(f)
with CS 25.671(f) to remove any
possible misunderstanding. The FAA
agrees. The proposed rule would have
required that the flight control system
alert the flightcrew whenever the
airplane enters a flight control mode of
concern. This final rule is revised to
harmonize with CS 25.671(f) and thus
requires the system to provide
‘‘appropriate flightcrew alerting.’’ This
is not a substantive change.
11. Relationship Between §§ 25.671(c) and 25.1309
ANAC, Boeing, and GE sought
clarification from the FAA on the
applicability of §§ 25.671(c) and
25.1309, particularly in light of the
changes proposed in the NPRM. As
explained above, the FAA decided to
retain the structure of existing
§ 25.671(c) in the final rule, which will
address the concerns raised by these
commenters. The FAA provides the
following additional explanation
relative to the requirements of the final
rule. Section 25.1309 applies to all
systems and equipment installed on the
airplane, including the flight control
system. Section 25.671(c) also applies to
the flight control system. The safety
requirements in § 25.671(c)(1) and (c)(2)
correspond with those in
§ 25.1309(b)(1). There are no
fundamental differences between these
two sets of safety requirements as they
apply to the flight control system.
However, different methods of
compliance may be used to comply with
§ 25.671(c)(1) and (c)(2) as compared to
§ 25.1309(b)(1).
Sections 25.671(c)(1) and (c)(2)
require the airplane to be capable of
continued safe flight and landing after
any single failure and after any
combination of failures not shown to be
extremely improbable. Section 25.1309
requires that these failure conditions not
be catastrophic. While worded
differently, these requirements are
functionally equivalent. AC 25.1309–1B
states that a flight control system failure
condition that would prevent continued
safe flight and landing should be
classified as catastrophic. AC 25.671–1
provides specific criteria unique to the
assessment of flight control system
failures. AC 25.1309–1B also provides
guidance on assessing failure conditions
that apply to the flight control system.
Sections 25.1309(b)(2) through (b)(5),
(c), and (e) also apply to the flight
control system. There are no
requirements in § 25.671 that
correspond to these subparagraphs.
E. Section 25.901, Engine Installation
In the NPRM, the FAA proposed that
§ 25.901(c) would specify that the
requirements of § 25.1309 would apply
to powerplant installations. The FAA
also proposed to remove the prohibition
in § 25.901(c) on catastrophic single
failures and probable combinations of
failures since addressing such failures
would be adequately addressed by the
proposed § 25.1309(b). The FAA
proposed that these changes would
harmonize § 25.901(c) with EASA CS
25.901(c).
Pratt & Whitney requested that the
FAA add to § 25.901(c) the phrase ‘‘or
any other failure consistent with
existing § 33.75 single element
exception requirements’’ to ensure
consistency with § 25.901(c) and
existing requirements. The FAA does
not agree with the request. The
referenced exception requirements only
address instances in which the failure of
the single element is likely to result in
a hazardous engine effect. These effects
are among the conditions applicants use
for evaluating the hazard to the engine
under engine airworthiness
requirements, which do not consider the
effect of the airplane installation. For
example, hazardous effects on the
engine may not necessarily result in a
catastrophic failure at the airplane level.
Since the requirements of § 33.75 are
independent of the aircraft
airworthiness requirements, they are
inadequate for evaluating the hazard to
the aircraft installation. The exceptions
to § 25.1309(b) that the FAA has
identified in § 25.901(c) are consistent
with existing powerplant installation
requirements in part 25 and compliance
showings to § 25.901(c) before adoption
of this final rule. Expanding the
exceptions to § 25.1309(b) to include
aspects of § 33.75 would not be
consistent with existing part 25
powerplant installation requirements.
The potential failure conditions of the
engine type design that should be
excepted from § 25.1309(b) are
adequately addressed by the exceptions
identified by § 25.901(c).
The FAA therefore adopts revised
§ 25.901(c) as proposed.
F. Section 25.933, Reversing Systems
In the NPRM, the FAA proposed to
add a ‘‘reliability option’’ for thrust
reversers to § 25.933(a), allowing
applicants to show that an unwanted
deployment of the reverser is extremely
improbable (i.e., complies with 14 CFR
25.1309(b)), instead of only that the
airplane remains controllable if the
reverser deploys in flight.
GAMA/AIA commented that the
proposed wording of § 25.933(a) does
not clearly communicate that the
controllability option would still require
compliance with § 25.1309, as noted in
the regulatory evaluation (footnote 58 of
the NPRM). GAMA/AIA requested the
wording of § 25.933(a) be changed to
clearly define the requirement to show
compliance with § 25.1309 regardless of
controllability.
The FAA acknowledges that
compliance with § 25.1309 is required
regardless of which option an applicant
chooses under § 25.933(a) since
§ 25.901(c) requires compliance with
§ 25.1309. However, the FAA partially
agrees, and in this final rule has revised
§ 25.933(a) to clarify, that when an
applicant chooses the reliability option
(new § 25.933(a)(ii)), the applicant must
account for the potential hazard to the
airplane assuming the airplane would
not be capable of continued safe flight
and landing during and after an in-flight
thrust reversal when showing
compliance with § 25.1309(b). Section
25.901(c) applies to the powerplant and
auxiliary power unit (APU) installation,
except for the specific items listed in
new § 25.901(c). Compliance with
§ 25.1309 is required for the powerplant
and APU installation, which includes
the thrust reversing system, per the new
§ 25.901(c). The FAA finds that it is
unnecessary to restate in § 25.933(a)(1)
that compliance with § 25.1309 is
required for the reversing system since
it is already required by the new
§ 25.901(c) and not one of the items
excepted.
Air Tech Consulting objected to the
‘‘reliability option’’ that the FAA
proposed in the NPRM. The commenter
cited three inflight reverser
deployments in the past twelve months
as justification for maintaining the
existing rule.
The FAA does not agree with this
request. The incidents cited by the
commenter were not in-flight thrust
reverser deployments, only component
failures or false indications.22 The FAA
has made equivalent safety findings on
many proposed airplane models based
on the ARAC PPIHWG
recommendations for § 25.933(a)(1) and
certified many designs using the
reliability approach rather than the
controllability approach in current
§ 25.933(a)(1). The FAA does not agree
that these particular in-service events
show that the systems would not have
met § 25.1309(b) or that the
longstanding reliability approach for
certification of the thrust reverser
system is inadequately safe.
TCCA commented that systems design
often needs to strike a balance between
availability (system performs its
intended function when needed) and
integrity (protecting against system
malfunctions). TCCA requested that the
FAA revise §§ 25.933 and 25.1309(b) to
emphasize the need to consider system
availability in conjunction with
integrity.
The FAA agrees that system
availability is an important
consideration when designing the thrust
reverser system. However, there are
already applicable airworthiness
requirements, such as §§ 25.901(b)(2)
and 25.1309(a)(1), that address system
availability and reliability and that are
related to the system’s effect on airplane
safety. It is not necessary to provide
additional emphasis on system
availability within §§ 25.933 and
25.1309(b) since these existing
requirements are adequate to address
the availability of the thrust reverser
system. Section 25.933(a)(1) addresses
the specific failure condition of an
unwanted in-flight deployment only,
and § 25.1309(b) addresses the safety of
equipment and systems as installed on
the airplane. Therefore, the FAA does
not agree with the commenter’s request
since requirements that influence
system availability and the relationship
with propulsion system reliability,
which apply to the thrust reverser
system, are already addressed in
existing regulations. The FAA included
guidance on § 25.901(b)(2) that is related
to §§ 25.901(c) and 25.1309(b) in AC
25.901–1. Guidance for § 25.1309(a)(1)
can be found in AC 25.1309–1B.
The FAA therefore adopts revised
§ 25.933 as proposed.
22 Each of the three cited events was the result
of either a false indication of an unlocked reverser
door or failure of the primary lock followed by a
small movement of a reverser door until the
secondary lock engaged, where the movement was
enough to result in an unlocked reverser indication.
In either circumstance, the reverser door did not
deploy and an actual in-flight thrust reversal did
not occur. Also, after the close of the comment
period for this rule, a FedEx Boeing Model MD–11
experienced an unwanted in-flight deployment on
June 21, 2023. The thrust reversers on the airplane
were not certified using the reliability approach;
however, the design was reviewed by the FAA and
Boeing (formerly Douglas) using the ‘‘Criteria for
Assessing Transport Turbojet Fleet Thrust Reverser
System Safety,’’ Revision A, dated June 1, 1994,
which was a reference document used by the ARAC
PPIHWG to develop recommendations for changes
to § 25.933(a). Boeing used a mixed approach, in
which the company demonstrated the Model MD–11
was controllable following an unwanted in-flight
deployment within certain portions of the flight
envelope and showed reliability, using a thrust
reverser SSA, for the remainder of the flight
envelope.
G. Section 25.1301, Function and Installation
In the NPRM, the FAA proposed to
remove the ‘‘function properly when
installed’’ criterion in § 25.1301(a)(4) for
installed equipment whose function is
not needed for safe operation of the
airplane. In addition, the FAA proposed
to remove § 25.1301(b) because it is
redundant and unnecessary. Section
25.1301(b) required that a proposed
airplane’s EWIS meet the requirements
of subpart H of part 25. The FAA
proposed removing § 25.1301(b) because
subpart H specifies its applicability and
the requirements in subpart H can stand
alone. The FAA received no substantive
comments on proposed § 25.1301.
The FAA therefore adopts revised
§ 25.1301 as proposed.
H. Section 25.1309, Equipment, Systems and Installations
1. Applicability
In the NPRM, the introductory
paragraph of proposed § 25.1309
explained that regulation would apply
to any equipment or system installed on
the airplane except as provided in
paragraphs (e) and (f). Boeing, ANAC,
Gulfstream, GAMA/AIA, and Garmin
requested that the FAA delete
paragraphs (e) and (f) of proposed
§ 25.1309 and move their content to the
introductory paragraph to align with CS
25.1309. The commenters also noted
that these paragraphs included
regulatory exceptions to § 25.1309 and
showing compliance to an ‘‘exception’’
raised administrative issues. The FAA
agrees and updated § 25.1309
accordingly.
Proposed § 25.1309(e) would have
excluded flight control jams governed
by § 25.671(c) from the proposed single-failure requirement in
§ 25.1309(b)(1)(ii). Gulfstream proposed
that flight control jams be excluded
from all of § 25.1309 and stated that
additional guidance would be needed if
flight control jams were not excluded
from § 25.1309(b). Although the FAA
has historically used § 25.671(c) rather
than § 25.1309 to address flight control
jams, the FAA does not agree that flight
control jams should be excluded from
the other paragraphs of § 25.1309
because those requirements apply to
flight control systems and are necessary
for managing the risk of flight control
jams.
The FAA agrees, however, that flight
control jams should be excluded from
all of § 25.1309(b), and the final rule is
revised accordingly. The FAA did not
intend § 25.1309(b) to apply to flight
control jams because an evaluation of
the failure conditions under
§ 25.1309(b) requires the applicant to
determine numerical probabilities,
which is not practical for flight control
jams. Since EASA CS 25.1309 excludes
flight control jams from only CS
25.1309(b)(1)(ii), this is a substantive
difference between the FAA and EASA’s
regulations.
Proposed § 25.1309(f)(1) stated that
§ 25.1309(b) does not apply to single
failures in the brake system because
such failures are addressed by
§ 25.735(b)(1). GAMA/AIA requested
the FAA change ‘‘single failures’’ to
‘‘failures’’ to be consistent with
§ 25.735. The FAA does not agree with
this request because other types of
failures in the brake system should be
evaluated under § 25.1309(b).
Proposed § 25.1309(f)(2) stated that
§ 25.1309(b) would not apply to the
failure effects addressed by
§§ 25.810(a)(1)(v) and 25.812.
Gulfstream and GAMA/AIA requested
that the FAA replace ‘‘25.810(a)(1)(v)’’
with ‘‘25.810’’ to harmonize with CS
25.1309. The FAA does not agree
because § 25.810(a)(1)(v) provides
specific deployment and usability
criteria for certain means of evacuation
assistance, and this subparagraph alone
is relevant to the exception discussion.
However, the FAA updated ‘‘failure
effects’’ to ‘‘failure conditions’’ to
harmonize with CS 25.1309.
EASA requested that the FAA clarify
the exception from compliance with
§ 25.1309(b) that proposed
§ 25.1309(f)(3) would have provided
regarding § 25.1193, ‘‘Cowling and
nacelle skin,’’ and suggested that the
FAA change it from § 25.1193 to
§ 25.1193(a). EASA also stated that there
may be value in considering § 25.1193
as applicable under § 25.1309 for
systems that are used for opening or
closing doors and monitoring proper
closure/latched conditions.
Furthermore, EASA asked why
§ 25.1193 was not also included in the
propeller debris release exception in
proposed § 25.1309(f)(4).
The FAA made no changes to the final
rule in response to these comments. The
NPRM explains that §§ 25.1193 and
25.905(d) already require applicants to
consider the specific failures of fires
from uncontained engine failures and
engine case burn-through. Thus, it is not
necessary to consider these same
failures under § 25.1309 as well.
Furthermore, nacelle cowl door
opening, closure, position monitoring,
latching, and other potential failure
conditions are discussed in AC 25.901–1
for compliance with §§ 25.901(c) and
25.1309.
2. Paragraph (a)
In the NPRM, the FAA proposed to
require that all installed airplane
equipment and systems whose improper
functioning would reduce safety
perform as intended under the airplane
operating and environmental conditions
(§ 25.1309(a)(1)). The FAA also
proposed that all equipment and
systems not subject to the foregoing
requirement not have an adverse effect
on the safety of the airplane or its
occupants (proposed § 25.1309(a)(2)).
The latter requirement would have
allowed such equipment to be approved
by the FAA even if it may not perform
as intended.
ANAC commented that proposed
§ 25.1309(a)(1) stated ‘‘equipment and
systems, as installed, must meet’’ this
requirement, while the ARAC SDAHWG
recommended wording states
‘‘equipment and systems must be
designed and installed so that . . . .’’ 23
ANAC recommended that the FAA
adopt the proposed ARAC wording and
match EASA CS 25.1309. The FAA
agrees to harmonize the rule text to
avoid any possible interpretation
differences and this final rule has
updated § 25.1309(a).
GAMA/AIA and Boeing requested the
FAA revise proposed § 25.1309(a)(1) to
replace ‘‘whose improper functioning
would reduce safety’’ with ‘‘whose
function is necessary for safe operation
of the airplane.’’ The commenters were
concerned that using the proposed
phrase could result in equipment,
systems, and installations intended for
convenience to be subjected to
§ 25.1309(a)(1) requirements. The FAA
did not revise § 25.1309(a)(1) as
suggested because this change would
exclude evaluation of systems whose
failure would have a safety effect. The
suggested change would also
disharmonize this rule with EASA CS
25.1309(a)(1).
23 www.faa.gov/regulations_policies/rulemaking/committees/documents/media/TAEsdaT25241996.pdf.
Bombardier requested the FAA
harmonize its proposed § 25.1309(a)(2)
rule text of ‘‘functioning normally or
abnormally’’ with the CS 25.1309(a)(2)
rule text of ‘‘not a source of danger.’’
The FAA declines to update proposed
§ 25.1309(a)(2) as suggested. Although
the phrase ‘‘functioning normally or
abnormally’’ used in proposed
§ 25.1309(a)(2) is different from the ‘‘not
a source of danger in themselves’’ used
in EASA CS 25.1309(a)(2), the FAA
considers these phrases as having
generally the same meaning. ‘‘Not a
source of danger’’ is largely synonymous
with ‘‘safe.’’ An applicant must evaluate
the systems addressed by § 25.1309(a)(2)
to verify that their normal operation and
failure or abnormal functioning have no
safety effect (i.e., they do not affect the
operational capability of the airplane,
do not increase flightcrew workload,
and do not affect the safety of
passengers or cabin crew).
GAMA/AIA requested the FAA
change ‘‘must not adversely affect’’ in
proposed § 25.1309(a)(2) to ‘‘do not
adversely affect’’ as used in CS
25.1309(a)(2). GAMA/AIA stated that
using ‘‘do not’’ in the regulation instead
of ‘‘must not’’ changes the tone from
preventative to evaluative. The FAA
agrees and updated § 25.1309(a)(2) to
align with CS 25.1309(a)(2).
Bombardier questioned whether
§ 25.1309(a)(2) should be interpreted by
applicants to apply to electromagnetic
interference (EMI) generated by systems
operating abnormally. In a related
question, Bombardier asked the FAA to
clarify what applicants should address
in a qualitative failure evaluation of
equipment and systems under
§ 25.1309(a)(2). Bombardier stated that
the NPRM preamble implies that
applicants would have to show that an
equipment failure will not result in
increased electromagnetic emissions;
however, Bombardier does not consider
this to be the intent of proposed
§ 25.1309(a)(2).
The FAA intends that systems
addressed under § 25.1309(a)(2), in this
final rule, do not have to meet the
former requirement that they ‘‘perform
as intended’’ when installed. AC
25.1309–1B explains that the systems
addressed by § 25.1309(a)(2) should be
designed so that their failures have no
safety effect. In addition, normal
installation practices can be used to
isolate these systems, and a qualitative
installation evaluation based on
engineering judgment can be used to
determine that the failure or improper
functioning of these systems would not
affect the safety of the airplane. Thus,
the extent of EMI testing that is required
for systems addressed under
§ 25.1309(a)(1) is not required for
systems addressed under
§ 25.1309(a)(2). However, if there is a
risk that the failure of a system
addressed under § 25.1309(a)(2) will
result in electromagnetic emissions that
affect the proper function of systems
addressed under § 25.1309(a)(1), then
formal methods such as testing or
analysis may be used to evaluate the
failure in lieu of a qualitative
installation evaluation that uses
engineering judgment to conclude that
electromagnetic emissions would not
occur.
Except for the foregoing changes,
§ 25.1309(a) is adopted as proposed.
3. Paragraph (b)
Section 25.1309(b) requires applicants
to assess safety at the airplane level for
airplane systems and associated
components, evaluated separately and
in relation to other systems, and
requires that the airplane’s systems and
components meet certain reliability
standards. In the NPRM, the FAA
proposed to revise § 25.1309(b) to
address design and installation so that
each catastrophic failure condition is
extremely improbable and does not
result from a single failure, each
hazardous failure condition is extremely
remote, and each major failure
condition is remote.
In this final rule, the FAA has
adopted proposed § 25.1309(b)(1)
through (b)(3) with no changes but
revised § 25.1309(b)(4) and (b)(5) to
align with the corresponding sections of
EASA CS 25.1309.
Proposed § 25.1309(b)(4) would have
required that significant latent failures
(SLFs) be eliminated, except if the
Administrator determined that doing so
was impractical. If the applicant proved
to the Administrator that such
elimination was impractical, the
regulation would have required the
applicant to limit the likelihood of the
SLF to 1/1000 between inspections. If
the applicant proved that such
limitation was impractical, then the
proposed regulation would have
required the applicant to minimize the
length of time the failure would be
present but undetected.
Garmin expressed concern that the
1/1000 requirement in proposed
§ 25.1309(b)(4)(i) could be burdensome
without a cutset 24 limit because no
matter how many cutsets deep the latent
failure is (e.g., 3, 4, 5, or more cutsets),
it still would have to meet the 1/1000
requirement unless the applicant
obtains agreement with the FAA that it
has been adequately minimized. Thus,
Garmin recommended that the FAA
remove the 1/1000 requirement from
§ 25.1309(b)(4) to align with EASA and
suggested that the 1/1000 requirement
be moved to AC 25.1309–1B as one way
to show the SLF is minimized. Garmin
proposed that a cutset limit be applied
to either the 1/1000 requirement within
§ 25.1309(b)(4) or to the definition of
SLF if the FAA did not remove the
1/1000 requirement from § 25.1309(b)(4)
in the final rule. The FAA agrees to
remove the 1/1000 criterion from
§ 25.1309(b)(4) and include it in AC
25.1309–1B as a possible means of
compliance. This change is consistent
with the ASAWG recommendations that
led to this rulemaking. Specifically, the
ASAWG specific risk tasking report
recommendations that the FAA require
applicants to control specific risks of
concern did not include a recommended
limit latency requirement for all SLFs.
The report only recommended a limit
latency requirement of 1/1000 for
CSL+1 failure combinations (ASAWG
report, section 6.4.1.2).
ANAC, TCCA, and Bombardier
requested the FAA harmonize
§ 25.1309(b)(4) with CS 25.1309(b)(4) by
removing the 1/1000 criterion, while
EASA requested the FAA provide a
rationale for not harmonizing. The FAA
agrees to harmonize § 25.1309(b)(4) with
CS 25.1309(b)(4).
Both regulations address eliminating
SLFs as far as practical and minimizing
the latency of the SLF if such
elimination is not practical. This
ensures that the applicant evaluates
each SLF, eliminates it when practical,
and minimizes its latency if elimination
is not practical. However, in this final
rule, § 25.1309(b)(4) includes a new
exclusion, requested by Garmin, from
these proposed requirements for latent
failures. This exclusion is described in
the following paragraph.
Garmin requested that the FAA
modify proposed § 25.1309(b)(4) to
exclude the requirements for latent
failures where the applicant meets the
requirements of § 25.1309(b)(1) and
(b)(2) with the latent failure assumed, in
the applicant’s risk assessment, to have
already occurred, or where the applicant
took no credit in that risk assessment for
the latency period. The FAA agrees to
add this exclusion to § 25.1309(b)(4)
24 A cutset is a number of failures or events that
when combined will result in a system failure.
because it meets the decision criteria
that the specific risk of concern will be
evaluated as per the 2010 ARAC
ASAWG specific risk tasking report.25
When a latent failure or the specific risk
of concern is assumed as having
occurred, its probability becomes 1 in
the calculation of the failure condition.
This probability of 1 is the same as
stating that no credit is taken for a
latency period. This is a difference
between § 25.1309(b)(4) and CS
25.1309(b)(4) since EASA’s rule does
not contain this exclusion. The FAA
does not expect this difference to be
significant because the exclusion in
§ 25.1309(b)(4) allows applicants to use
a conservative assessment of a failure
condition to show compliance.
GAMA/AIA, Gulfstream, and Boeing
requested language for the
§ 25.1309(b)(4) final rule that was
different from what the NPRM proposed
and what EASA published in CS–25.
The commenters’ proposal provides
criteria for acceptance of SLFs that
depend on the probability and severity
of the outcome. The FAA did not update
the rule language as suggested; however,
the FAA has incorporated the approach
as a means of compliance for the
catastrophic failure conditions in AC
25.1309–1B. This approach also
incentivizes development of practical
designs that meet the safety objectives of
§ 25.1309(b)(1) and (b)(2). The approach
for hazardous failure conditions was not
included in AC 25.1309–1B since it was
not considered in the 2010 ARAC
ASAWG specific risk tasking report.
ANAC, Garmin, and Airbus requested
changes to proposed § 25.1309(b)(4)(i)
and (b)(4)(ii). The suggested changes are
no longer relevant because paragraphs
(i) and (ii) are not included in the
§ 25.1309(b)(4) final rule.
Proposed § 25.1309(b)(5) provided a
new standard for limiting the risk of a
catastrophic failure combination that
results from two failures, either of
which could be latent for more than one
flight. ANAC stated that the criteria in
proposed § 25.1309(b)(5) are significantly
different from the criteria in CS
25.1309(b)(5) and these differences may
burden applicants by requiring them to
comply with two different sets of
criteria and may result in different
product configurations. TCCA
commented that differences between the
proposed FAA rule and CS–25, both in
wording and intent, would result in
significant difficulties and increase the
burden on applicants, particularly given
the inherent complexity of safety
assessments both at system and aircraft
25 ASAWG report, revision 5.0, Section 6.1.2,
Figure 6–1.
level. EASA stated that having different
criteria in § 25.1309(b)(5)(iii) and CS
25.1309(b)(5)(iii) would result in a
duplication of effort for applicants. The
FAA agrees that differences between
FAA and EASA requirements could
result in increased burden on applicants
and civil aviation authorities. The final
rule is therefore revised to improve
harmonization, as described below.
Several commenters recommended
changes to § 25.1309(b)(5). TCCA and
ANAC recommended that the FAA fully
harmonize § 25.1309(b)(5) and CS
25.1309(b)(5), while EASA encouraged
the FAA to implement the same criteria
as CS 25.1309(b)(5)(iii). GAMA/AIA and
Garmin suggested the FAA harmonize
§ 25.1309(b)(5)(i) with CS
25.1309(b)(5)(i) by changing ‘‘fault
tolerance’’ to ‘‘redundancy.’’ Boeing
suggested the FAA update
§ 25.1309(b)(5)(ii) to ‘‘. . . the residual
average probability per flight hour of the
catastrophic failure condition occurring
due to all subsequent single failures is
remote.’’ Airbus and Gulfstream
preferred that the FAA harmonize
§ 25.1309(b)(5)(iii) with CS
25.1309(b)(5)(iii), while GAMA/AIA
preferred the FAA’s proposed wording
for § 25.1309(b)(5)(iii). Boeing suggested
the FAA change § 25.1309(b)(5)(iii) to
‘‘The probability of the latent failure
occurring over its maximum exposure
time does not exceed 1/1000.’’
The FAA uses the term ‘‘fault
tolerance’’ in § 25.1309(b)(5)(i) instead
of ‘‘redundancy’’ as used in CS
25.1309(b)(5)(i) because the term
‘‘redundancy’’ could be interpreted as a
prescriptive design requirement, and
§ 25.1309 is intended to be a
performance-based rule. In this final
rule, the FAA revised § 25.1309(b)(5)(ii)
to refer to ‘‘the residual average
probability’’ of the catastrophic failure
condition following a single latent
failure. The term ‘‘residual average
probability’’ is the remaining probability
of a failure condition given the presence
of a single latent failure. This change
aligns with the recommendations from
the 2010 ARAC ASAWG specific risk
tasking recommendation report, sections
6.3.1.6 and 6.3.1.7. The final rule uses
‘‘all subsequent active failures’’ rather
than the proposed § 25.1309(b)(5)’s ‘‘all
subsequent single failures’’ to ensure the
applicant accounts for the residual
average probability of all active failures
in a failure condition. Finally, the FAA
agrees to harmonize § 25.1309(b)(5)(iii)
with CS 25.1309(b)(5)(iii) to ensure that
the combined probability of all the latent
failures is accounted for as
recommended by the commenters,
except that the FAA uses ‘‘active
failure’’ in § 25.1309(b)(5)(iii), instead of
‘‘evident failure’’ as used in CS
25.1309(b)(5)(iii). Having harmonized
§ 25.1309(b)(5)(iii) with CS
25.1309(b)(5)(iii), the FAA does not
expect the differences in wording
between § 25.1309(b)(5) and CS
25.1309(b)(5) to be burdensome to
applicants.
4. Paragraph (c)
In the NPRM, proposed § 25.1309(c)
would require the applicant to provide
information concerning unsafe system
operating conditions to enable the
flightcrew to take corrective action and
to show that the design of systems and
controls, including indications and
annunciations, minimizes crew errors
that could create additional hazards.
ANAC, TCCA, and Boeing requested the
FAA revise proposed § 25.1309(c) to
include ‘‘in a timely manner’’ as part of
the corrective action to be taken by the
flightcrew. The FAA has updated the
final rule accordingly. This change more
closely harmonizes § 25.1309(c) with CS
25.1309(c). In addition, the discussion
of this proposal in the NPRM preamble
refers to the importance of providing
timely and effective annunciations to
allow appropriate crew action.
TCCA requested that the FAA align
the wording of proposed § 25.1309(c)
with CS 25.1309(c). TCCA stated that
the first sentence of proposed
§ 25.1309(c) does not correctly reflect
the intent of the rule, which is for the
airplane and systems to provide
information to the flightcrew when
necessary for safe operation. TCCA
explained that ‘‘the applicant must
provide information’’ could be
interpreted as requiring the applicant to
provide documentation or training
instead of flightcrew alerts as intended.
The FAA agrees and revised the first
sentence of § 25.1309(c) to say that the
airplane and systems provide the
necessary information. This will
harmonize the intent with the
corresponding sentence in CS
25.1309(c).
To further harmonize with EASA’s
rule, the FAA revised the second
sentence of § 25.1309(c) to require that
systems and controls, including
‘‘information,’’ indications, and
annunciations, be designed to minimize
crew errors. ‘‘Information’’ refers to the
same term used in the first sentence of
§ 25.1309(c) and has the same intent as
used in § 25.1302.
5. Paragraph (d)
In the NPRM, the FAA proposed to
move the requirements of § 25.1309(d)
regarding mandatory methods showing
compliance with § 25.1309(b) to
guidance (AC 25.1309–1B). The NPRM
proposed that new § 25.1309(d) would
require applicants to establish
‘‘Certification Maintenance
Requirements,’’ or CMRs, as limitations
in the airplane’s Instructions for
Continued Airworthiness. Applicants
have long used CMRs, such as
mandatory inspections at scheduled
intervals, to show that their proposed
design complies with § 25.1309 and
other part 25 regulations that establish
reliability requirements.
In this final rule, however, the FAA
is moving the CMR requirement to
§ 25.1309(e), as discussed in the
following section. Accordingly, the FAA
is revising § 25.1309(d) to ‘‘Reserved’’ as
requested by Boeing, TCCA, and Safran.
This will be a difference between
§ 25.1309(d) and CS 25.1309(d) because
the latter states that applicants must
assess Electrical Wiring Interconnection
System (EWIS) per CS 25.1709. The
FAA expects this difference to have no
effect in practice because § 25.1309 is a
general requirement that applies to all
systems, including EWIS. In addition,
§ 25.1709 addresses system safety of
EWIS, and § 25.1709 is harmonized with
CS 25.1709.
6. Paragraph (e)
In the NPRM, the FAA proposed that
§ 25.1309(d) would require an applicant
to establish CMRs to prevent
development of the failure conditions
described in § 25.1309(b) and to include
these CMRs in the ALS. In the final rule,
these requirements are now in
§ 25.1309(e).
The FAA’s proposed CMR
requirement referenced § 25.1309(b),
which addresses catastrophic,
hazardous, and major failure conditions.
Boeing, GAMA/AIA, Gulfstream, and
Garmin suggested that the requirement
to establish CMRs in § 25.1309(d) be
limited to CMRs that address
catastrophic and hazardous failure
conditions in § 25.1309(b)(1) and (b)(2).
TCCA commented that the NPRM
describes CMRs as tasks to detect safety
significant failures that result in
hazardous or catastrophic conditions
but recommended that major failure
conditions should also be considered.
The FAA declines to restrict the use
of CMRs to catastrophic and hazardous
failure conditions. Although a CMR is
primarily used to establish a required
maintenance task that would detect
issues such as the wear out or a hidden
failure of an item whose failure is
associated with a hazardous or
catastrophic failure condition, a CMR
may also be used to detect a latent
failure that would, in combination with
one specific failure or event, result in a
major failure condition. The SSA
identifies the need for a scheduled
maintenance task. It may be necessary
for applicants to include a CMR in the
ALS of the ICA for a major failure
condition if the maintenance task is not
provided in other areas of the ICA. An
acceptable process for selecting CMRs is
provided in AC 25–19A, Certification
Maintenance Requirements.26
ANAC questioned whether the FAA
intended proposed § 25.1309(d) to
require CMRs for all failure conditions
and requested the FAA clarify in the
final rule language that CMRs be
established ‘‘as necessary.’’ The FAA
agrees to add the words ‘‘as necessary’’
to the final rule. As explained in AC 25–
19A, the process of creating CMRs to
control risk of failures described in
§ 25.1309(b) begins with identifying
candidate CMRs (CCMRs) until a
committee of experts determines they
are CMRs. Thus, the FAA does not
require CMRs for all failure conditions,
and not every CCMR will become a
CMR. Although adding ‘‘as necessary’’
results in different language between
§ 25.1309(e) and CS 25.1309(e), this
difference does not affect harmonization
between the FAA and EASA because the
guidance for selecting CMRs is aligned.
Garmin requested the FAA reword
proposed § 25.1309(d) to require the
safety analysis to identify the CCMRs
that must be dispositioned using a
process acceptable to the Administrator
to identify which CCMRs should be
airworthiness limitations. Garmin stated
that the proposed wording seems to
preclude the use of AC 25–19A to first
identify and classify CCMRs. The FAA
does not agree with this request. The
final rule requires CMRs to be
established and included in the ALS of
the airplane’s ICA. The associated
guidance in AC 25–19A provides a
method of compliance, which includes
identifying and dispositioning CCMRs
as CMRs. The FAA also did not adopt
the commenter’s proposed change
because it would result in a difference
compared to corresponding EASA
regulations and guidance.
Airbus commented that the word
‘‘detect’’ is more appropriate than the
word ‘‘prevent’’ used in proposed
§ 25.1309(d) since failures will be
detected during CMR tasks. The FAA
did not replace ‘‘prevent’’ with ‘‘detect’’
since the intent of this rule is to prevent
the development of the failure condition
by detecting the existence of a latent
failure.
26 Available at drs.faa.gov.
I. Section 25.1365, Electrical
Appliances, Motors, and Transformers
In the NPRM, the FAA proposed to
remove the reference to § 25.1309(d)
from § 25.1365(a) because § 25.1309(d)
would no longer contain mandatory
methods for demonstrating compliance
with § 25.1309(b). GAMA/AIA and
Gulfstream commented that the FAA
should remove §§ 25.1431(a),
25.1351(a)(2), and 25.1365(a), as those
regulations are redundant to or simply
point to compliance with § 25.1309. The
FAA does not agree with this request
because removing §§ 25.1431(a),
25.1351(a)(2), and 25.1365(a) may have
unintended consequences. In addition,
removal of these regulations was not
proposed in the NPRM. The FAA did
not change this final rule as a result of
this comment but has removed the
reference to § 25.1309(d) from
§ 25.1365(a) as proposed in the NPRM.
J. Section H25.4(a) of Appendix H,
Airworthiness Limitations Section
The FAA adopts § H25.4(a) of
appendix H as proposed in the NPRM.
The FAA received no comments on this
section.
K. Miscellaneous Comments
1. Applicability of § 25.1309 to
Electromagnetic Conditions
Bombardier commented that the
NPRM preamble indicates that the FAA
did not intend proposed § 25.1309(b)
and the associated advisory material to
change how type certificate applicants
account for systems’ exposure to high-intensity radiated fields (HIRF) and
lightning. Bombardier requested that the
FAA clarify whether this same principle
applies to electromagnetic conditions in
other regulations (e.g., §§ 25.1353,
25.1431, 25.899). The FAA does not
intend revised § 25.1309 and the
associated advisory material to take
precedence over or supersede how
applicants address electromagnetic
conditions in accordance with other
regulations.
2. Revise Nonregulatory Definitions
This section addresses commenters’
requests to revise definitions that the
FAA provided in the NPRM preamble or
in draft AC 25.1309–1B. The FAA also
proposed in the NPRM that some of
these definitions would be included in
new § 25.4. The following paragraphs
address the definitions of hazardous
failure condition, latent failure, single
failure, event, and failure condition.
The FAA included a table of
definitions in the preamble of the
NPRM. The table included some
definitions given in proposed § 25.4 and
provided additional definitions that
were not in proposed § 25.4. That table
is not included in this final rule;
applicants should instead refer to this
preamble, final § 25.4 and AC 25.1309–
1B. Relevant definitions are provided in
§ 25.4 Definitions or in the appropriate
AC.
GAMA/AIA, Airbus, Boeing,
Bombardier, and Garmin requested that
the FAA remove the following language
from the preamble definition of
‘‘hazardous failure condition:’’ ‘‘Note:
For the purpose of performing a safety
assessment, a ‘small number’ of fatal
injuries means one such injury.’’ The
commenters stated that considering a
‘‘small number’’ of fatal injuries to be
one such injury for the purpose of
performing safety assessments is too
restrictive. This note was only in the
preamble and not in the proposed
regulatory definition in § 25.4, as the
FAA considered it guidance on the
application of the definition. The FAA
agrees to remove this note from AC
25.1309–1B. The note is not included in
AMC § 25.1309, nor was it included in
any of the relevant ARAC
recommendations. Given the difficulty
and context-dependent nature of
estimating whether a failure condition
would result in one or multiple fatal
injuries, the FAA finds that it is not
necessary to define ‘‘small number’’ in
order to provide the necessary
separation between hazardous and
catastrophic failure conditions.
Historically, applicants have assessed
this aspect of the definition of
‘‘hazardous failure condition’’
differently based on the size of the
airplane, number of occupants, and fleet
size. The FAA will continue to accept
this practice.
ANAC commented that the FAA’s
definition of ‘‘latent failure’’ in the
NPRM preamble table (‘‘a failure that is
not apparent to the flightcrew or
maintenance personnel’’) may be
confusing since the maintenance crew
will detect latent failures through
periodic maintenance activities such as
CMRs. ANAC recommended the FAA
use the following definition of latent
failure: ‘‘A failure which is not detected
and/or annunciated when it occurs.’’
The FAA agrees and has updated the
definition of ‘‘latent failure’’ in AC
25.1309–1B. Boeing, GAMA/AIA,
TCCA, and Garmin requested that the
FAA modify the definition of ‘‘latent
failure’’ to include the qualifier ‘‘for
more than one flight’’ to ensure
consistent understanding and
application. The FAA did not make this
change because the definition of ‘‘latent
failure’’ includes undetectable failures
regardless of the latency period. AC
25.1309–1B has been updated to
provide additional guidance on the
appropriate duration of a latent failure;
that is, an acceptable means of
compliance to SLF minimization is to
show that the failure would not be
latent for more than one flight.
TCCA requested that the FAA clarify
the intent of the phrase ‘‘common
causes’’ as used in the NPRM preamble
table’s definition of single failure or
state that common causes may include
external events that are not considered
failures (e.g., bird strike). TCCA stated
that the NPRM preamble and draft AC
25.1309–1B definitions of ‘‘failure’’
include a note that errors and events are
not considered failures and that this
creates an apparent conflict where the
definition of single failures includes
common causes. Airbus also stated that
external events are not system failures
and questioned whether external failure
conditions should be explicitly
excluded from § 25.1309 because they
are already covered by their own
regulations (e.g., bird strike is
specifically addressed under § 25.631).
In response, the FAA has updated the
single failure definition in AC 25.1309–
1B to be the same as provided by the
ARAC SDAHWG recommendations
report that included a draft AC 25.1309
(see the ‘‘Arsenal’’ draft AC 25.1309).27
In addition, the FAA updated the note
within the definition of ‘‘failure’’ in AC
25.1309–1B to remove the word
‘‘events.’’ In general, an SSA addresses
how systems are affected by an external
event, such as a bird strike, using a
common cause analysis or a single event
cause where the external event is
assumed without a probability.
Bombardier stated that the FAA’s
definition of ‘‘single failure’’ in the
preamble table was ambiguous and
implied that a single failure would
affect multiple ‘‘components, parts or
elements’’ when most single failures
will affect single components or parts.
Bombardier requested the FAA revise
the definition to ‘‘a single occurrence
that affects the operation of a
component, part, or element such that it
no longer functions as intended’’ or not
adopt the definition. The FAA updated
the definition of ‘‘single failure’’ to ‘‘any
failure or set of failures that cannot be
shown to be independent from each
other’’ in AC 25.1309–1B. The FAA did
not make the requested change because
the FAA intends that applicants treat a
common mode failure of multiple
27 Available in the docket as part of the SDAHWG
recommendation, ‘‘Task 2—System and Analysis
Harmonization and Technology Update,’’ pp. 61–
99, and at www.faa.gov/regulations_policies/rulemaking/committees/documents/media/TAEsdaT2–5241996.pdf.
components, parts, or elements as a
‘‘single failure,’’ and this connection
would be lost if the FAA were to revise
the definition as Boeing proposed.
TCCA recommended that the FAA
consider changing the term ‘‘event’’ in
the preamble table to ‘‘external event’’
to align with EASA CS–25, ARP4754B
‘‘Guidelines for Development of Civil
Aircraft and Systems,’’ and ARP4761A.
The FAA agrees and has updated
‘‘event’’ to ‘‘external event’’ in AC
25.1309–1B.
Boeing requested that the FAA
address ‘‘collisions (intentional or not)’’
in the definition of ‘‘event.’’ Boeing
stated that this change would provide
clarity that collisions are not events to
be considered as part of required safety
assessments. Although the FAA updated
the term ‘‘event’’ to ‘‘external event’’ in
AC 25.1309–1B, the FAA did not change
its definition in response to this
comment. The definition of ‘‘external
events’’ states that it does not cover
sabotage or other similar intentional
acts. Intentional collisions are
intentional acts and, therefore, not an
‘‘external event.’’ Unintentional
collision may be due to failure of
onboard system equipment, which is
excluded from this definition since its
origin is not distinct from that of the
airplane. Unintentional collision may be
due to flightcrew error, which is already
excluded.
The preamble table’s definition of
‘‘failure condition’’ referenced a
condition that affected ‘‘the airplane, its
occupants, or other persons.’’
Bombardier requested that the FAA
remove ‘‘or other persons’’ from this
definition or provide guidance as to
how applicants can assess potential
effects on other persons and how these
effects would relate to severity
classification. The FAA declines to
change the definition of ‘‘failure
condition’’ in AC 25.1309–1B. The FAA
included the words ‘‘or other persons’’
to account for the effects on persons
other than the airplane occupants that
applicants should take into
consideration when assessing failure
conditions for compliance with
§ 25.1309. AC 25.1309–1B provides
guidance on the type of persons, the
risks to be considered, and how
applicants can classify the failure
conditions given the effects on other
persons that do not include airplane
occupants. For example, ground
maintenance crew involved in servicing
the airplane while ‘in-service’ could
have a risk of an inadvertent door
coming open or thrust reverser
movement.
3. Revise Other Regulations
In the NPRM, the FAA proposed that
the revised § 25.1309(b) would not
apply to single failures in the brake
system because those failures are
adequately addressed by § 25.735(b)(1).
An individual commenter
recommended changes to current
§ 25.735, ‘‘Brakes and braking systems,’’
stating that parts of § 25.735 are no
longer relevant or need to be updated to
reflect modern braking systems. The
commenter requested changes to
§ 25.735 and corresponding changes to
AC 25.1309–1B. Gulfstream also
requested that the FAA add a paragraph
to § 25.735 to address braking capability
with all engines inoperative. The FAA
does not agree with these requests. The
FAA did not propose changes to
§ 25.735 in the NPRM, and such changes
are outside the scope of this rulemaking.
GAMA/AIA and Bombardier
requested that the FAA revise § 25.672,
‘‘Stability augmentation and automatic
and power-operated systems,’’ in this
rulemaking package. GAMA/AIA stated
that proposed § 25.671(c) removed the
failures that § 25.672 is referencing.
Bombardier suggested that the FAA
remove § 25.672(c) because the failures
addressed under § 25.672(c) could be
addressed entirely under § 25.1309(b) or
clarify that the intent of § 25.672(c) does
not apply to modern fly-by-wire aircraft.
In addition, GAMA/AIA requested that
the FAA add guidance for § 25.672 that
reflects the recommendations made by
the FTHWG. The FAA did not change
this final rule or associated guidance
material as a result of these comments.
Revising § 25.672 is unnecessary
because § 25.672(b) refers to failures
specified in § 25.671(c), and the final
rule for § 25.671(c) includes these
failures. Section 25.672(c) contains
requirements that are in addition to the
requirements of § 25.1309(b). The FAA
declines to add guidance at this time for
§ 25.672 based on recommendations
made by the FTHWG because further
discussion is needed to harmonize the
guidance for § 25.672 with other
regulatory authorities; the FAA notes
these discussions are ongoing in a
Certification Authorities for Transport
Airplanes (CATA) harmonization
activity.28 The FAA does not agree to
clarify that the intent of § 25.672(c) does
not apply to modern fly-by-wire aircraft
because the FAA has not made this
determination.
4. Revise Cost-Benefit Analysis
Garmin commented on the NPRM that
the cost-benefit analysis does not
28 www.faa.gov/aircraft/air_cert/design_approvals/transport/transport_intl/cata.
consider the impact on amended type
certificate (ATC) or supplemental type
certificate (STC) projects that would be
considered significant under § 21.101,
known as the Changed Product Rule. In
addition, MARPA requested the FAA
clarify the applicability of the SSA rule
to parts manufacturer approval (PMA)
applicants and STC applicants. If the
SSA rule is applicable to PMA and STC
applicants, MARPA requested that the
FAA adjust the cost-benefit analysis
accordingly, complete a Regulatory
Flexibility Act analysis, and make the
revised cost-benefit analysis and
Regulatory Flexibility Act analysis
available for comment in a
supplemental NPRM.
This final rule updates the cost-benefit analysis to take account of the
fact that the final rule closely
harmonizes with the corresponding
EASA rule. Since U.S. manufacturers
already are required to meet the EASA
requirements, the closely harmonized
provisions of the final rule impose no or
minimal costs. In future STC or ATC
projects where the design change is
determined under the Changed Product
Rule to be a significant product level
change, the Changed Product Rule will
then require that the certification basis
of those projects be updated. The cost-benefit analysis for the Changed Product
Rule, however, has determined that the
required updated certification basis for
such projects is cost-beneficial.29 PMAs
(replacement articles) are managed in
accordance with Subpart K to part 21.
The final rule will apply only at that
time in the future when a PMA (or non-significant STC) applicant seeks to
modify a product that already has the
final rule in its certification basis.
Accordingly, the FAA finds that neither
a Regulatory Flexibility Act analysis nor
a supplemental NPRM is required.
Garmin commented that the cost
discussion misses the fact that
§ 25.1309(b)(4), without a cutset limit,
could result in additional costs to
redesign the systems from what has
historically been acceptable and
conventional. Garmin also stated that
the 1/1000 requirement could be
applied to any level of cutset, which
could drive design changes, and that
there are additional costs to negotiate
with the FAA to produce the analysis
that proves 1/1000 is met or that latency
is minimized; thus, the FAA should
revise the cost-benefit analysis to
include those costs.
In this final rule, the FAA is not
adopting the 1/1000 requirement that it
had proposed for § 25.1309(b)(4); that
section will not apply if the associated
29 65 FR 36266, June 7, 2000.
system meets the average risk
requirements of § 25.1309(b)(1) and
(b)(2), assuming the SLF has occurred.
Moreover, the FAA has moved the 1/
1000 criterion to AC 25.1309–1B as
guidance. These changes address the
commenter’s concern that proposed
§ 25.1309(b)(4) needed a minimal cutset
limit. There may be demonstration or
negotiation costs to show impracticality
or minimization of the SLF latency, but
these costs are already accounted for in
the cost-benefit analysis of the Changed
Product Rule, § 21.101.
Garmin questioned whether the FAA
has adequately justified the cost of
applying the specific risk criteria of
proposed § 25.1309(b)(4) and (b)(5) to
systems that have not historically had
such a requirement. Garmin also
requested that the FAA update the cost
discussion for specific risk to
acknowledge that for most of the aircraft
systems the existing § 25.1309(b) is the
right baseline. Given that in the final
rule, the § 25.1309(b)(4) and (b)(5)
requirements are closely aligned with
the corresponding EASA requirements,
the FAA responds that the correct
baseline is the EASA rule since it is
already in place. Using that baseline, the
additional cost to manufacturers is, at
most, minimal since manufacturers
already have to meet the corresponding
EASA requirements.
Garmin stated that if the FAA
regulations remain different from
EASA’s, then the cost of an applicant’s
validation to differing expectations
should be considered. Also, TCCA
commented that the cost-benefit
assessment could improve by increasing
harmonization. As already noted, the
FAA has increased the level of
harmonization between the final rule
and EASA CS–25, as compared to the
NPRM, to such an extent that the
remaining costs associated with this
rulemaking are minimal.
5. Aircraft Certification, Safety, and
Accountability Act
The preamble of the NPRM included
a summary of the FAA’s ongoing
implementation of Section 115 of the
Aircraft Certification, Safety, and
Accountability Act (ACSAA). The FAA
received one comment on these
implementation activities, a supportive
comment from ALPA. The FAA
continues to take action to implement
Section 115, including the revision of
relevant guidance documents such as
AC 25.1309–1B, which the FAA issued
as part of this rulemaking.
6. Other
The FAA received a request from
GAMA/AIA to include a file within the
docket that contained the FAA’s
responses to all NPRM comments that
the FAA received. The FAA does not
agree with this request. This final rule
discusses the comments in detail.
Additionally, many comments on the
NPRM are no longer relevant because
the FAA has revised the final rule to
increase harmonization with EASA CS–
25.
The FAA also received comments
from Airbus, Boeing, Bombardier,
EASA, GAMA/AIA, and TCCA to revise
specific preamble text of the NPRM.
This final rule does not restate the
entirety of the NPRM preamble, so
specific editorial suggestions are not
applicable, except as noted in the
preceding discussion of definitions. No
changes were made to this final rule in
this regard.
K. Advisory Material
The FAA has issued three new ACs
and revisions to two existing ACs to
provide guidance material for
acceptable means, but not the only
means, of showing compliance with the
regulations in this final rule. These ACs
are available in the public docket for
this rulemaking:
• AC 25.671–1, Control Systems—
General.
• AC 25.901–1, Safety Assessment of
Powerplant Installations.
• AC 25.933–1, Unwanted In-Flight
Thrust Reversal of Turbojet Thrust
Reversers.
• AC 25.629–1C, Aeroelastic Stability
Substantiation of Transport Category
Airplanes.
• AC 25.1309–1B, System Design and
Analysis.
VI. Regulatory Notices and Analyses
Federal agencies consider impacts of
regulatory actions under a variety of
executive orders and other
requirements. First, Executive Order
12866 and Executive Order 13563, as
amended by Executive Order 14094
(‘‘Modernizing Regulatory Review’’),
direct that each Federal agency shall
propose or adopt a regulation only upon
a reasoned determination that the
benefits of the intended regulation
justify the costs. Second, the Regulatory
Flexibility Act of 1980 (Pub. L. 96–354)
requires agencies to analyze the
economic impact of regulatory changes
on small entities. Third, the Trade
Agreements Act (Pub. L. 96–39)
prohibits agencies from setting
standards that create unnecessary
obstacles to the foreign commerce of the
United States. Fourth, the Unfunded
Mandates Reform Act of 1995 (Pub. L.
104–4) requires agencies to prepare a
written assessment of the costs, benefits,
and other effects of proposed or final
rules that include a Federal mandate
that may result in the expenditure by
State, local, or tribal governments, in the
aggregate, or by the private sector, of
$100,000,000 or more annually
(adjusted annually for inflation) in any
one year. The current threshold after
adjustment for inflation is $183,000,000,
using the most current (2023) Implicit
Price Deflator for the Gross Domestic
Product. The FAA has provided a
detailed Regulatory Impact Analysis
(RIA) in the docket for this rulemaking.
This portion of the preamble
summarizes the FAA’s analysis of the
economic impacts of this final rule.
In conducting these analyses, the FAA
determined that this final rule (1) has
benefits that justify its costs; (2) is not
significant under section 3(f)(1) of
Executive Order 12866 as amended; (3)
will not have a significant economic
impact on a substantial number of small
entities; (4) will not create unnecessary
obstacles to the foreign commerce of the
United States; and (5) will not impose
an unfunded mandate on State, local, or
tribal governments, or on the private
sector. These analyses are summarized
below.
A. Regulatory Evaluation
1. Summary of Rule Provisions
In the NPRM, the FAA proposed to
amend certain airworthiness regulations
to standardize the criteria for
conducting safety assessments for
systems, including flight controls and
powerplants, installed on transport
category airplanes. This final rule
generally is adopted as proposed. In
some provisions, the FAA has increased
the level of harmonization between the
final rule and EASA CS–25, as
compared to the NPRM, to such an
extent that the remaining costs
associated with this rulemaking are
minimal.
The predominant action of the final
rule will:
• Require applicants to minimize, to
the extent possible, the problem of
significant latent failures (SLFs), a
problem that is highlighted in the case
of catastrophic dual failures, where a
latent failure can leave the airplane one
active failure away from a catastrophic
accident.
The rule also:
• Institutes an ‘‘airplane-level’’ SSA
that will integrate and, to the extent
possible, standardize safety assessment
criteria across critical airplane systems:
○ Reflecting the much greater
integration of modern aircraft systems
(e.g., avionics and fly-by-wire systems)
as compared to what they were when
the current safety criteria in § 25.1309
and other system safety assessment
rules were established in 1970.30
○ Including removal of general
systems safety criteria from § 25.901(c)
[Powerplant Installation] and pointing
to § 25.1309 (General System Safety
Criteria) for these criteria, and allowing
a ‘‘reliability’’ (§ 25.1309) option in
addition to the current ‘‘controllability’’
requirement for developing designs for
turbojet thrust reversing systems
(§ 25.933).
• Requires CMRs to identify and
restrict exposure to the SLF conditions
addressed in § 25.1309 and requires
CMRs to be contained in the ALS of the
ICA.
• Updates SSA requirements in order
to address new technology in flight
control systems and the effects these
systems can have on airplane
controllability.
○ For airplanes equipped with fly-by-wire
control systems, compensates for a
lack of direct tactile link between
flightdeck control and control surface by
providing natural or artificial control
feel forces or flightcrew alerting.
• Requires assessment of the effect of
system failures on airplane structural
loads.
• Revises applicability of the
requirement that equipment and
systems perform their intended
functions:
○ Broadens the applicability of
§ 25.1309 to include any equipment or
system installed in the airplane
regardless of whether it is required for
type certification, operating approval, or
is optional equipment.
○ Allows equipment associated with
passenger amenities (e.g., entertainment
displays and audio systems) not to work
as intended as long as the failure of such
systems would not affect airplane safety.
2. Cost and Benefits of the Final Rule
As discussed below, the FAA finds
that all provisions of this final rule are
closely harmonized with corresponding
EASA provisions already in effect. This
means that manufacturers face no
additional cost because they already
have to meet the EASA requirements,
and in most cases, the provisions of this
final rule are cost-beneficial owing to
reduced costs from joint harmonization.
Some provisions of the final rule are
cost-relieving. Moreover, most, if not all,
of the rule provisions are already in
effect owing to industry practice, ELOS
findings, or special conditions.31 There
is no additional cost for provisions that
are already voluntary industry practice
or voluntary ELOS findings. Special
conditions have been required, but
owing to the long duration of these
special conditions (20–40 years), the
FAA finds that they are now accepted
by industry as the low-cost actions for
the issues addressed, so there is no
change with codification and, therefore,
no additional cost. The FAA asked for
comments on this last finding in the
NPRM and received none.
a. Section 25.1309 Equipment, Systems,
and Installations
There was no change to § 25.1301 in
the final rule compared to the NPRM,
and there were no changes to
§ 25.1309(a) in the final rule except for
a small change in § 25.1309(a)(2) to
match the ARAC language and to
harmonize with EASA.
The rule revises current § 25.1309(a)
into two paragraphs. Section
25.1309(a)(1) revises the applicability of
the § 25.1309(a) requirement that
equipment and systems perform their
intended function. Section 25.1309(a)(1)
clarifies that the rule applies to any
equipment or system installed in the
airplane regardless of whether it is
required for type certification, operating
approval, or is optional equipment. As
this requirement harmonizes closely
with EASA’s corresponding
requirement, with which part 25
manufacturers are already required to
comply, there is no additional cost.
However, the requirement has reduced
costs from joint harmonization and,
therefore, will be cost-beneficial.
Along with an associated change to
§ 25.1301, ‘‘Function and Installation,’’
§ 25.1309(a)(2) will allow equipment
associated with passenger amenities
(e.g., entertainment displays and audio
systems) not to function as intended as
long as the failure of such systems does
not affect airplane safety. No safety
benefit is derived from demonstrating
that such equipment performs as
intended if failing to perform as
intended will not affect safety.
Accordingly, this change will reduce the
certification cost of passenger amenities
for airplane manufacturers without
affecting safety; therefore, this change is
cost-beneficial.
i. Sections 25.1309(b)(1), (b)(2), and
(b)(3) (Average Risk and Fail-Safe
Criteria)
The current rule requires that airplane
systems and associated components be
designed so that any failure condition
that ‘‘would prevent the continued safe
flight and landing of the airplane’’
(catastrophic failure condition) is
‘‘extremely improbable,’’ a condition
specified in AC 25.1309–1A (6–21–
1988) as ‘‘on the order of ≤10⁻⁹ per
flight hour.’’ This is the traditional
‘‘average risk’’ requirement and is
retained in the final rule at
§ 25.1309(b)(1)(i).
The current rule requires any failure
condition that ‘‘would reduce the
capability of the airplane or the ability
of the crew to cope with adverse
operating conditions’’ to be
‘‘improbable’’ (on the order of 10⁻⁹ < p
≤ 10⁻⁵), a failure condition specified in
current AC 25.1309–1A as ‘‘major.’’
Current practice, however, has been to
use the SDAHWG recommended
‘‘Arsenal’’ draft AC 25.1309 (6–10–2002)
under which the previous ‘‘major’’
failure condition has been divided into
two categories: ‘‘hazardous’’ (on the
order of 10⁻⁹ < p ≤ 10⁻⁷) and ‘‘major’’
(on the order of 10⁻⁷ < p ≤ 10⁻⁵),
categories that have been incorporated
into this final rule in § 25.1309(b)(2) and
(b)(3). These changes can be thought of
as the average risk criteria for hazardous
and major failure conditions.
As it harmonizes with corresponding
EASA major and hazardous categories
and is current industry practice, this
rule change is cost-beneficial as it
entails no additional costs but is
cost-beneficial from reduced costs of joint
harmonization. The FAA asked for
comments on this finding but received
none. Moreover, the rule structure and
intent are in perfect harmony with
EASA’s corresponding requirements
and, therefore, will entail no additional
cost to manufacturers.
As recommended by the SDAHWG,
§ 25.1309(b)(1)(ii) will explicitly require
that single failures must not result in
catastrophic failures—the ‘‘no single
failure’’ fail-safe requirement. As it
harmonizes with the equivalent EASA
requirement and is already current
industry practice, this requirement is
cost-beneficial as it entails no additional
costs but has reduced costs from joint
harmonization.32
30 35 FR 5665 (Apr. 8, 1970).
31 The FAA issues special conditions when we
find that the airworthiness regulations for an
aircraft, aircraft engine, or propeller design do not
contain adequate safety standards, because of a
novel or unusual design feature. These special
conditions stay in place until they are replaced by
adequate regulations, as is done in this rulemaking.
32 The no single failure requirement was
inadvertently removed in 1970 but remained
industry practice. At the same time, the no single
failure requirement was made explicit for flight
controls, and in 1977 was made explicit for
powerplants.
ii. Sections 25.1309(b)(4) and (b)(5)
(Specific Risk Criteria)
Sections 25.1309(b)(4) and (b)(5)
represent the predominant change to
existing SSA requirements in that they
are adding specific risk approaches to
SSA to supplement the traditional
average risk approach in order to
address the problem of latent failures.
Section 25.1309(b)(4) requires the
elimination of SLFs to the extent
practical, or, if not practical, to
minimize them so as to limit situations
where the airplane is one failure away
from a catastrophic accident. (This is
particularly important in the case of
catastrophic CSL+1 dual failures
specifically addressed in the section on
§ 25.1309(b)(5) immediately following.)
The NPRM also required that the
product of the maximum time the latent
failure is expected to be present and its
average failure rate not exceed 1/1000.
Based on comments on the NPRM that
this requirement was onerous and not in
harmony with EASA, this provision was
moved to AC 25.1309–1B, System
Design and Analysis, as a possible
means of compliance.
Several commenters on the NPRM
also pointed out that, in many cases, it
would be wasteful to require analysis of
an SLF with sufficient redundancy that
the average risk criteria continued to
hold even when setting the SLF
probability to unity.33 Consequently,
§ 25.1309(b)(4) does not apply in those
cases. This exception is not in the
corresponding CS 25.1309(b)(4), but
even with this difference, compared to
the NPRM, this provision is more
closely harmonized with the EASA
provision as the FAA has removed an
intermediate step—the less than 1/1000
criterion—that is not in the EASA rule
and moved it to AC 25.1309–1B.
Accordingly, the FAA finds no costs
to this provision as manufacturers
already have to comply with a
corresponding EASA provision.
Moreover, elimination of SLFs when
practical is already industry practice.
Since the provision entails no costs, the
FAA finds the rule to be cost-beneficial
because of reduced costs from joint
harmonization.
33 SLFs are identified at the beginning of an SSA,
or during a Preliminary SSA, in which the
manufacturer undertakes a functional hazard
assessment on the basis of which a hazard’s ‘‘hazard
classification’’ is validated as catastrophic,
hazardous, etc. These evaluations are qualitative
and are independent of ‘‘average’’ risk criteria that
a catastrophic failure condition should be
‘‘extremely improbable’’ or ≤10⁻⁹, or that a
hazardous failure condition should be ‘‘extremely
remote’’, or ≤10⁻⁷.
iii. Section 25.1309(b)(5) (CSL+1 Dual
Failures)
A ‘‘CSL+1 (Catastrophic Single Latent
Plus One)’’ refers to a catastrophic
failure condition caused by a single
latent failure and an active (evident)
failure. Section 25.1309(b)(5)(i), adopted
as proposed, is similar to § 25.1309(b)(4)
in that it also requires the dual failure
to be eliminated if practical. An
example is an AD action that eliminated
the CSL+1 dual failure that caused the
catastrophic Lauda Air Flight 004
(1994); the AD required that a third lock
be added to the thrust reverser system.
This change converted the dual failure
condition to a triple failure condition
and removed the airplane from a
situation where it was one failure away
from a catastrophic accident.
If the dual failure condition cannot be
eliminated, additional control is
appropriate beyond the traditional
‘‘extremely improbable’’ (average risk)
requirement applied to a combination of
failures. The additional control takes the
form of two specific risk criteria: (1) a
requirement to ‘‘limit residual
probability’’ (§ 25.1309(b)(5)(ii)) and (2)
a ‘‘limit latency’’ requirement
(§ 25.1309(b)(5)(iii)).
The requirement to limit the residual
probability limits the probability of a
catastrophic failure in the presence of a
latent failure to be ‘‘remote’’ (on the
order of ≤10⁻⁵). So, this requirement
limits the risk of a catastrophic accident
in the situation where a latent failure
has occurred, and the airplane is a
single failure away from a catastrophic
accident.34 The limit latency
requirement limits the probability of the
latent failure itself to be ≤1/1000 so as
to limit the time, between maintenance
inspections, that the airplane is
operating one failure away from a
catastrophic accident.35 36 There are no
substantial changes to § 25.1309(b)(5) in
the final rule compared to the NPRM.
The FAA finds that § 25.1309(b)(5) is
in perfect harmony with CS
25.1309(b)(5) in structure and intent and
closely harmonizes in rule language.
Accordingly, there is no cost to this
provision because manufacturers
already have to comply with an
equivalent EASA requirement.
Therefore, this rule is cost-beneficial
because of reduced costs from joint
harmonization.
iv. Section 25.1309(c) (Flightcrew
Alerting)
Section 25.1309(c) currently requires
that warning information be provided to
the flightcrew to alert them to unsafe
system operating conditions and to
enable them to take appropriate
corrective action. Revised § 25.1309(c)
requires that information be provided to
the flightcrew concerning unsafe system
operating conditions, rather than
requiring only warnings and, in a
change to the NPRM that more closely
harmonizes with the corresponding
EASA provision, that it be provided in
a timely manner. The revision will
remove an incompatibility with
§ 25.1322, which allows other sensory
and tactile feedback from the airplane
caused by inherent airplane
characteristics to be used in lieu of
dedicated indications and
annunciations if the applicant can show
such feedback is sufficiently timely and
effective to allow the crew to take
corrective action.
These changes closely harmonize
§ 25.1309(c) with CS 25.1309(c). Owing
to close harmonization with EASA’s
rule already in place, there is no cost
entailed by these rule changes.
v. Section 25.1309(d) (Reserved)
Current § 25.1309(d) specifies that
compliance to § 25.1309(b) must be
shown by analysis and appropriate
testing, and must consider possible
modes of failure, including
malfunctions and damage, and also that
the assessment considers crew warning
cues, corrective action required, and the
capability of detecting faults. With this
rulemaking, for two reasons, the FAA
moves that content to AC 25.1309–1B,
along with expanded guidance on the
safety assessment process: (1) Section
25.1309 is a performance-based
regulation for which methods of
compliance are more appropriately
provided in guidance, and (2) the items
for consideration listed in § 25.1309(d)
constitute an incomplete method of
compliance to § 25.1309(b). This change
is cost-beneficial because requirements
have been relegated to guidance
material, giving manufacturers greater
flexibility.
CS 25.1309(d) simply states that EWIS
must be assessed per CS 25.1709. The
current FAA rule has the same
requirement in § 25.1309(f), but it was
removed in the NPRM on the basis of
redundancy, and proposed § 25.1309(d)
was used for the CMR requirement. In
the final rule, the CMR requirement has
been moved to § 25.1309(e) (see next
section) and § 25.1309(d) is now
reserved.
vi. Section 25.1309(e) and H25.4
(Certification Maintenance
Requirements)
CMRs are inspection and maintenance
tasks and associated inspection intervals
that are used to identify and restrict
exposure of critical airplane safety
systems to catastrophic and hazardous
failure conditions, including
wear-related failures. An example
highlighting the importance of CMRs is
the catastrophic crash of Alaskan
Airlines, Flight 261, in the Pacific
Ocean off the California coast on
January 31, 2000, killing all 88
passengers and crew.37 The NTSB
determined that the probable cause of
this accident was a catastrophic loss of
airplane pitch control resulting from
in-flight failure of the jackscrew assembly
of the horizontal stabilizer trim system.
That failure was related to maintenance
of this system, specifically the
accelerated excessive wear of a critical
part as a result of insufficient
lubrication.
Section 25.1309(e) is a new
provision 38 requiring that CMRs be
established, as necessary, to prevent
catastrophic and hazardous failure
conditions, and occasionally, major
failure conditions, described in
§ 25.1309(b). The CMR requirement was
proposed in § 25.1309(d) in the NPRM.
The ‘‘as necessary’’ qualifier was added
in the final rule to clarify that the FAA
does not require CMRs for all failure
conditions. Section 25.1309(e) also will
require these CMRs to be contained in
the ALS of the ICA required by
§ 25.1529. This latter requirement is an
industry recommendation via the SE–
172 Taskforce to the Commercial
Aviation Safety Team (CAST) 39 and
responds to the Taskforce’s recognition
that CMRs are critical to safety and
should have treatment similar to other
Airworthiness Limitations.
Both of these requirements will codify
industry practice and will harmonize
with CS 25.1309 and H25.4, so industry
will incur no additional costs. The rule
is cost-beneficial from reduced costs of
joint harmonization.40
34 More generally, if multiple active failures could
cause a catastrophic accident in the presence of the
latent failure, the average probability (per flight
hour) of these active failures must be remote.
35 More generally, the sum of the probabilities of
the latent failures combined with an active failure
must be ≤ 1/1000.
36 Since the 10⁻⁹ average risk criterion must also
be met, if residual risk is on the order of 10⁻⁵, the
latent failure rate must be 10⁻⁴ or less. Conversely,
if the latent failure rate is at 10⁻³, residual risk
must be on the order of 10⁻⁶ or less.
37 NTSB Safety Recommendation A–02–51 is
available in the docket and at www.ntsb.gov/safety/
safety-recs/recletters/A02_36_51.pdf.
38 The NPRM § 25.1309(e) specified that the flight
control jam conditions addressed by § 25.671(c) do
not apply to § 25.1309(b)(1)(ii). This exclusion is
now in the introductory paragraph of § 25.1309.
39 skybrary.aero/sites/default/files/bookshelf/
2553.pdf.
40 EASA. Certification Specifications and
Acceptable Means of Compliance for Large
vii. Section 25.1309(f) (Removed)
The FAA has removed paragraph (f)
from § 25.1309 and paragraph (b) from
§ 25.1301. Section 25.1301(b) requires
that the airplane’s EWIS meet the
requirements of subpart H of 14 CFR
part 25. Subpart H was created (at
amendment 25–123, in 2007) as the
single place for the majority of wiring
certification requirements. The
references in §§ 25.1301(b) and
25.1309(f) are redundant and
unnecessary because subpart H specifies
their applicability. The NPRM
§ 25.1301(f) was used to specify
exceptions to § 25.1309(b), which are
now provided in the introduction of
§ 25.1309.
b. Section 25.629 Aeroelasticity
Stability Requirements
The FAA is revising § 25.629(a) to add
wording to clarify that the aeroelastic
evaluation must include any condition
of operation within the maneuvering
envelope. This is current industry
practice because such conditions are
allowed operational conditions and,
therefore, need to be free from
aeroelastic instabilities. Also, this
requirement is stated explicitly for part
23 airplanes in 14 CFR part 23 and CS–
23. The FAA is also revising § 25.629(a)
to consistently use the singular term
‘‘evaluation’’ where it appears in order
to prevent confusion.
Section 25.671(c)(2) currently
specifies examples of failure
combinations that require evaluation,
including dual electrical and dual
hydraulic system failures and any single
failure combined with any probable
hydraulic or electrical failure. Section
25.629(d)(9) currently requires that the
airplane be shown to be free from flutter
considering various failure conditions
considered under § 25.671, which
include the example failure conditions
specified in § 25.671(c)(2). These
examples are being removed from
current § 25.671(c)(2). These failure
conditions, however, have provided an
important design standard for dual
actuators on flight control surfaces that
rely on retention of restraint stiffness or
damping for flutter prevention.
Therefore, the FAA relocates these
examples to the aeroelastic stability
requirements of § 25.629(d) and has made
changes to the paragraph numbers to
correspond with EASA’s rule, as
requested by commenters. These
changes are cost-beneficial owing to
complete harmonization with the
corresponding CS 25.629 provision.
Aeroplanes (CS–25), Amendment 20, 25 August
2017.
The NPRM also proposed a change to
§ 25.629(b) that would require that
design conditions include the range of
load factors specified in § 25.333.
Commenters objected that the proposed
change was an expansion of the
traditional scope of § 25.629, and it
disharmonized with EASA
requirements. The FAA agreed to
remove the proposed change to
§ 25.629(b), substituting an alternative
change in § 25.629(a), clarifying that
aeroelastic evaluation must include any
condition of operation within the
maneuvering envelope. This revision
has no cost as it is clarifying and is
current industry practice.
c. Section 25.671 General (Control
Systems)
i. Section 25.671(a), (d), (e), and (f)
(Control Systems)
The substantive revisions to these
requirements are the new criteria in the
second sentence of § 25.671(a); the
addition of the phrase, ‘‘and an
approach and flare to a landing and
controlled stop, and flare to a ditching,
is possible’’ in § 25.671(d); and the new
requirements in § 25.671(e) and (f). The
modification to § 25.671(d) clarifies that
controllability when all engines fail
includes the capability to approach and
flare to a landing and controlled stop,
and flare to a ditching, and harmonizes
with CS 25.671(d). In the NPRM,
§ 25.671(d) includes the sentence: ‘‘The
applicant may show compliance with
this requirement by analysis where the
applicant has shown that analysis to be
reliable.’’ This sentence is not included
in the final rule as it describes an
acceptable means of compliance, which
is adequately covered in the
corresponding guidance.
The new paragraph (e) of § 25.671
requires that the airplane be designed to
indicate to the flightcrew whenever the
primary control means are near the limit
of control authority. On airplanes
equipped with fly-by-wire control
systems, there is no direct tactile link
between the flightdeck control and the
control surface, and the flightcrew may
not be aware of the actual control
surface position. If the control surface is
near the limit of control authority, and
the flightcrew is unaware of that
position, it could negatively affect the
flightcrew’s ability to control the
airplane in the event of an emergency.
The airplane could meet this
requirement through natural or artificial
control feel forces, by cockpit control
movement if shown to be effective, or by
flightcrew alerting that complies with
§ 25.1322.
The new paragraph (f) of § 25.671
requires that appropriate flight crew
alerting be provided if the flight control
system has multiple modes of operation
whenever the airplane enters any mode
that significantly changes or degrades
the normal handling or operational
characteristics of the airplane. On some
flight control system designs, there may
be sub-modes of operation that change
or degrade the normal handling or
operational characteristics of the
airplane. Similar to control surface
awareness, the flightcrew should be
made aware if the airplane is operating
in such a sub-mode. Aside from the one
change already noted, there are no
substantial changes to § 25.671(a), (d),
(e), and (f) in the final rule compared to
the NPRM.
Manufacturers face little or no
additional cost from these provisions
because they are already required by CS
25.671 in language that exactly matches
§ 25.671 in language structure and
closely matches § 25.671 in the language
itself. Therefore, there is no additional
cost resulting from these provisions.
Moreover, since industry has been
meeting the new criteria in § 25.671(a),
(e), and (f) under special conditions
since the early 1980s, the FAA believes
that industry now accepts § 25.671(a),
(e), and (f) as necessary low-cost actions.
Again, there is no additional cost. For
this reason, the FCHWG recommended
these new criteria with little debate.
ii. Section 25.671(b) (Minimize
Probability of Incorrect Assembly)
Section 25.671(b) is revised to allow
distinctive and permanent marking for
flight control systems to minimize the
probability of incorrect assembly only
when design means are impractical.
Aside from minor language changes,
there are no changes to this provision in
the final rule relative to the NPRM. It is
expert consensus that the physical
prevention of misassembly by design is
safer than reliance on marking, which
can be overlooked or ignored. Although
not flight control related, fuel tank
access doors provide an example. Since
these doors are required to have greater
strength because of the location, fuel
tank access door systems are designed
so that other doors will not securely fit
in the fuel tank access door openings.
Since distinctive and permanent
marking to minimize the probability of
incorrect assembly is disallowed only
when design means are practical, the
expected gain in safety benefits from the
reduced probability of incorrect
assembly is greater than the costs of the
rule revision.
Accordingly, the FAA finds this
provision to be cost-beneficial. The FAA
requested comments on this finding and
received none. In any case,
manufacturers face no additional cost
because § 25.671(b) closely aligns with
CS 25.671(b) with which they must
already comply.
iii. Section 25.671(c) (Flight Control
Jams)
For flight controls, revised § 25.671(c)
is analogous to § 25.1309(b) in having
requirements for the single failure
(§ 25.671(c)(1)), the combinational
failure (§ 25.671(c)(2)), and specific risk
(§ 25.671(c)(3)). Sections 25.671(c)(1)
and (c)(2) have some language changes,
but the intent of each provision is
unchanged from the current rule. The
NPRM proposed to remove
§ 25.671(c)(1) and (c)(2) because all
single and combinational failures are
covered by the foundational § 25.1309.
However, the FAA agrees with
commenters that § 25.671(c)(1) and
(c)(2) should be retained because
removal would disharmonize with
EASA’s corresponding requirements
and because different means of
compliance are normally used for
§ 25.671(c) and § 25.1309(b).
Accordingly, paragraphs (c)(1) and (c)(2)
of current § 25.671 are retained in the
final rule. Section 25.671(c)(3) is revised
as follows:
(1) In § 25.671(c)(3), the FAA clarifies
that the provision applies only to jams
due to a physical interference (e.g.,
foreign or loose object, system icing,
corroded bearings). All other failures or
events that result in either a control
surface, pilot control, or component
being fixed in position are addressed
under § 25.671(c)(1) and (c)(2) and
§ 25.302 where applicable.
(2) Section 25.671(c)(3) no longer
addresses a runaway of a flight control
surface and subsequent jam. A failure
that results in uncommanded control
surface movement is addressed by
§ 25.671(c)(1) and (c)(2).
(3) Section 25.671(c)(3)(iii) is a new
requirement specifying that given a jam,
the combined probability is 1/1000 or
less that any additional failure
conditions could prevent continued safe
flight and landing. This requirement is
to ensure adequate reliability of any
system necessary to alleviate the jam
when it occurs. This specific risk
requirement is analogous to the 1/1000
latent specific risk requirement for
potential catastrophic single latent
failure plus one (CSL+1) failure
conditions discussed above for
§ 25.1309(b)(5), which is required to
ensure a safety margin in the event of an
active failure.
(4) While current § 25.671(c)(3) allows
the use of probability analysis,
applicants have generally been unable
to demonstrate that jamming conditions
are ‘‘extremely improbable,’’ except for
conditions that occur during a very
limited time just prior to landing.
Because of this issue with probability
assessment for jams, the FAA has
revised § 25.671(c)(3) to require that the
manufacturer’s safety assessments
assume that jamming conditions will
occur—probability set equal to one—
when showing that the airplane is
capable of continued safe flight and
landing. For the same reason, the
jamming conditions of § 25.671(c)(3) are
excluded from the probability
requirements of § 25.1309(b).
The assumption that the jam will
occur—and that the airplane will be
able to withstand it—does not apply to
jamming conditions that occur
immediately before touchdown if the
risk of a jam is minimized to the extent
practical. For jams that occur just before
landing, some amount of time and
altitude is necessary in order to recover,
and there is no practical means by
which a recovery can be demonstrated.
Hence the requirement that the risk of
a jam be minimized to the extent
practical. (This is a change from the
NPRM where the requirement was that
the applicant show that such jams are
extremely improbable.) This change
creates a difference in the language of
§ 25.671(c)(3)(ii) and CS 25.671(c)(3)(ii)
because EASA does not have this
exception in its rule.
In its Acceptable Means of
Compliance (AMC) § 25.671, however,
EASA states that, ‘‘if continued safe
flight and landing cannot be
demonstrated, perform a qualitative
assessment of the design, relative to jam
prevention and jam alleviation means,
to show that all practical precautions
have been taken . . . .’’ Consequently,
the FAA expects the difference between
§ 25.671(c)(3)(ii) and CS 25.671(c)(3)(ii)
to have no effect in practice. There are
no additional substantial differences
between the final rule and the NPRM
with respect to § 25.671(c)(3).
Section 25.671 has changed from the
NPRM to the point where it is almost
perfectly aligned in structure and intent,
and closely aligned in text language,
with CS 25.671. Section 25.671 is now
so closely aligned that there is no
additional cost from the FAA provision
because manufacturers already have to
meet the EASA provision. Moreover, as
already noted, industry has been
meeting the new criteria in § 25.671(a),
(e), and (f) under special conditions
since the early 1980s. Because of that
experience, the FAA believes that
manufacturers now accept these special
conditions as the low-cost necessary
actions. Again, there is no additional
cost. Finally, the FAA believes that
§ 25.671(c)(3) is already accepted as the
low-cost industry practice as it has been
used by many manufacturers under a
voluntary ELOS.
d. Section 25.901 Installation
(Powerplants)
The revision to § 25.901(c) moves
basic systems safety criteria to § 25.1309
and is finalized as proposed. In so
doing, § 25.901(c) clarifies that
§ 25.1309 applies to powerplant (engine)
installations, as it does for all airplane
systems. Accordingly, the current
provision in § 25.901(c) prohibiting
catastrophic single failures or probable
combinations of failures is removed.
Design requirements do not change as a
result of this revision to the rule.
There are no substantial changes in
the final rule compared to the NPRM.
The revision exactly harmonizes the
structure and very closely harmonizes
the text of § 25.901(c) with EASA’s
corresponding CS 25.901(c).
Accordingly, the revision is cost-beneficial as it provides reduced costs
from joint harmonization since
manufacturers already must
comply with CS 25.901(c). The FAA
asked for comments on this finding in
the NPRM and received none.
e. Section 25.933 Reversing Systems
(Controllability and Reliability Options)
In the event of an inadvertent
activation of the thrust reverser during
flight, current § 25.933(a) requires that
the airplane be capable of ‘‘continued
flight and landing.’’ The service history
of airplanes certified under the current
rule—most prominently, the
aforementioned catastrophic Lauda Air
accident in Thailand—has demonstrated
that the intent of this ‘‘fail-safe’’
requirement had not been achieved. As
discussed in the section on
§ 25.1309(b)(5) above, the catastrophic
failure condition that caused the Lauda
Air accident was corrected by adding
redundancy to convert a dual failure
condition to a triple failure condition.
This revision to § 25.933(a) further
addresses the thrust reverser issue with
a revised § 25.933(a)(1)(i) that retains
‘‘controllability’’ from the current rule
as an option, but also revises
§ 25.933(a)(1)(ii) to provide an
additional ‘‘reliability’’ option using the
requirements of § 25.1309(b).41 The
reliability option recognizes that
§ 25.1309 applies to all systems. There
are no substantial differences between
the final rule and the NPRM with
respect to § 25.933(a).
41 It should be noted that the controllability
option would still require compliance with
§ 25.1309. But when an applicant demonstrates
compliance using the controllability option, that
ensures that an unwanted thrust reversal in flight
would be classified at worst as a ‘‘major’’ failure,
(Continued)
The final rule (and NPRM) for
§ 25.933(a) is in close harmony with the
corresponding CS 25.933(a) as it is
identical in rule structure and intent.
Accordingly, there is no additional cost
to this rule as manufacturers already
have to comply with CS 25.933(a).
Moreover, § 25.933(a) is cost-beneficial
as it allows flexibility in design
development, enabling manufacturers to
achieve the intended level of safety in
the most cost-effective manner.
f. Section 25.302 Interaction of Systems
and Structures
There are many technical differences
between the NPRM and the final rule.
Nine major commenters, including
Boeing and Airbus, asked the FAA to
harmonize with EASA CS 25.302, even
to the extent of using the same language
and paragraph numbering. Commenters
noted that CS 25.302 matches the FAA
Interaction of Systems and Structures
special condition that has been used for
many years. Commenters stated that the
differences between FAA and EASA
requirements would create a substantial
certification burden. The FAA agrees
with the commenters and, except where
discussed below, has agreed to match
the language and structure of EASA’s
rule to the extent possible.
i. Section 25.302(b) System Fully
Operative
The applicant must derive limit
loads 42 for the limit conditions
specified in subpart C, taking into
account the behavior of the system up
to the limit loads. The applicant must
show that the airplane meets the
strength requirements of subparts C and
D, using the appropriate factor of safety
to derive ultimate loads from these limit
loads. Section 25.302(b) is less verbose
than the corresponding EASA text but
uses some of the same language and has
the same intent as EASA’s version.
Since § 25.302(b) harmonizes with
EASA CS 25.302(b), there are no
incremental costs from paragraph (b),
and the provision is cost-beneficial
because of joint harmonization.
ii. Section 25.302(c) System in the
Failure Condition
This section applies for any failure
condition not shown to be extremely
improbable or that results from a single
failure. CS 25.302(c) requires the
evaluation of any system failure
condition not shown to be extremely
improbable but does not explicitly
mention single failures. Nevertheless,
evaluation of single failures would be
required when evaluating CS 25.302.
This is because single failures cannot be
shown by a probability analysis to be
extremely improbable. As noted in AC
25.1309–1A, dated June 21, 1988, ‘‘In
general, a failure condition resulting
from a single failure mode of a device
cannot be accepted as being extremely
improbable.’’ Extremely improbable
failure conditions are those having an
average probability per flight hour of 1
× 10⁻⁹ or less. The FAA would not
accept a probability analysis showing a
single failure to be extremely
improbable because such an estimation
would not be considered reliable. An
unreliable estimate could inadvertently
result in a level of risk that was unsafe
and not justified by any cost savings
obtained. Accordingly, the FAA finds to
be cost-beneficial the requirement of
§ 25.302(c) to evaluate any system
failure condition resulting from a single
failure.
At the time of occurrence, the
applicant must determine the loads
occurring at the time of failure and
immediately after failure. For static
strength substantiation, the airplane
must be able to withstand the ultimate
loads determined by multiplying the
loads by a factor of safety related to the
probability that the failure occurs. The
factor of safety (F.S.) is shown in Figure
1.
[Figure 1. Factor of safety at the time of occurrence. Vertical axis:
factor of safety (F.S.), marked at 1.5 and 1.25. Horizontal axis: Pj,
probability of occurrence of failure mode j (per hour), marked at
10⁻⁹, 10⁻⁵, and 1.]
Figure 1 shows the factor of safety to
be constant at 1.5 between a probability
of failure of 1.0 and 10⁻⁵, and between
10⁻⁵ and 10⁻⁹ declines linearly from
1.5 to 1.25 as Pj goes from 10⁻⁵ to 10⁻⁹,
where Pj is the probability of failure.
The factor of safety is not allowed to be
below 1.5 at high probabilities of failure
(>10⁻⁵). For low probabilities of failure
(<10⁻⁵), the F.S. falls as the probability
of failure falls but is not allowed to be
less than 1.25 as the probability of
failure falls towards extreme
improbability at 10⁻⁹. Note that the
probability of failure axis is in
logarithmic scale. In the NPRM, this
figure was not used as the FAA kept the
factor of safety at 1.5 regardless of the
probability of failure. In the final rule,
this provision is cost-relieving relative
to the NPRM because the FAA is now
harmonizing with the less stringent
EASA provision.
41 (Continued) thereby making compliance with § 25.1309(b) much
easier.
42 Design loads are typically expressed in terms
of limit loads, which are then multiplied by a factor
of safety, usually 1.5, to determine ultimate loads.
For residual strength substantiation,
the airplane must be able to withstand
two-thirds of the ultimate loads.
Residual strength is the strength that
remains as the airplane structure
deteriorates over time, so this test
requires a prediction of that
deterioration.
Failures of the system that result in
forced structural vibrations (oscillatory
failures) must not produce loads that
could result in detrimental deformation
of primary structure. A forced structural
vibration or oscillatory failure occurs
when an oscillating system is driven by
a periodic force that is external to the
system.
For the continuation of the flight,
loads are determined for a limited set of
conditions, as noted in § 25.302(c)(2)(i).
Section 25.302(c)(2)(i)(F) is an
additional rule provision not in CS
25.302. This provision requires that if
any system is installed or tailored to
reduce the loads of a part 25 load
condition, then that load condition must
also be evaluated. This provision is
necessary to account for any such
systems as their failure will increase
loads. The FAA believes this is a low-cost provision, having been applied in
only a few cases over many years.
For static strength substantiation, the
structure must be able to withstand the
loads determined in § 25.302(c)(2)(i)
multiplied by a factor of safety, as
shown in Figure 2.
[Figure 2. Factor of safety for continuation of flight. Vertical axis:
factor of safety (F.S.), marked at 1.5 and 1.0. Horizontal axis: Qj,
probability of being in failure condition j, marked at 10⁻⁹, 10⁻⁵,
and 1.]
Figure 2 shows the factor of safety
falls linearly from 1.5 to 1.0 as Qj
declines from 1 to 10⁻⁵, and the factor
of safety is constant at 1.0 between 10⁻⁵
and 10⁻⁹, where Qj = (Tj)(Pj), where Tj
is the average time in the failure
condition (in hours), and Pj is the
probability of failure (per hour) or
failure rate. So Qj is the (average)
cumulative probability of failure. In
contrast to the F.S. at the time of failure
occurrence (Figure 1), the F.S. for
continuation of flight (Figure 2) is
allowed to fall immediately below 1.5 as
failure probability falls from the highest
probability of 1, and in contrast to the
minimum F.S. of 1.25 for Figure 1, the
Figure 2 safety margin is allowed to fall
to 1.0 at 10⁻⁵, where it remains as the
probability of failure falls to extreme
improbability at 10⁻⁹. As with Figure 1,
note that the Figure 2 probability of
failure axis is in logarithmic scale.
In the NPRM, this figure was not used
as the FAA did not vary the factor of
safety with the probability of system
failure. The NPRM provision was less
stringent than the final rule in reducing
the factor of safety to 1.0 if the failure
was annunciated. However, the NPRM
provision applied to all load conditions
in subpart C, whereas in the final rule,
the provision applies to the limited set
of subpart C load conditions specified in
§ 25.302(c)(2)(i) so that, overall, in
harmonizing with EASA, the final rule
provision is cost-relieving relative to the
NPRM.
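The two factor-of-safety curves described above for Figures 1 and 2, together with the crew-alert threshold stated for § 25.302(d), worked as an added example that is not part of the FAA's rule text. The function names are hypothetical, and the straight-line interpolation in log10 of probability is an assumption drawn from the statement that both probability axes are logarithmic.

```python
"""Factor of safety versus failure probability, per the Figure 1 and
Figure 2 descriptions in the § 25.302(c) discussion.

Added illustration only: names are hypothetical and interpolation in
log10(probability) is assumed because both axes are logarithmic.
"""
import math

EXTREMELY_IMPROBABLE = 1e-9  # lower end of both figures
BREAKPOINT = 1e-5            # probability at which each curve changes slope


def _check_probability(value, name):
    """Reject values that cannot be a probability on either figure's axis."""
    if not (0.0 < value <= 1.0):
        raise ValueError(f"{name} must be in (0, 1], got {value!r}")


def fs_time_of_occurrence(p_j):
    """Figure 1: 1.5 from Pj = 1 down to 1e-5, then a linear fall on the
    log axis to 1.25 at 1e-9, never below 1.25."""
    _check_probability(p_j, "p_j")
    if p_j >= BREAKPOINT:
        return 1.5
    if p_j <= EXTREMELY_IMPROBABLE:
        return 1.25
    # Fraction of the way from 1e-5 (0.0) to 1e-9 (1.0), four decades apart.
    frac = (-5.0 - math.log10(p_j)) / 4.0
    return 1.5 - 0.25 * frac


def cumulative_probability(t_j_hours, p_j_per_hour):
    """Qj = (Tj)(Pj). Capping the product at 1 is an assumption added here,
    since a probability cannot exceed 1."""
    if t_j_hours <= 0 or p_j_per_hour <= 0:
        raise ValueError("Tj and Pj must both be positive")
    return min(1.0, t_j_hours * p_j_per_hour)


def fs_continuation_of_flight(q_j):
    """Figure 2: a linear fall on the log axis from 1.5 at Qj = 1 to 1.0 at
    1e-5, then constant at 1.0 down to 1e-9."""
    _check_probability(q_j, "q_j")
    if q_j <= BREAKPOINT:
        return 1.0
    # Fraction of the way from 1 (0.0) to 1e-5 (1.0), five decades apart.
    frac = -math.log10(q_j) / 5.0
    return 1.5 - 0.5 * frac


def crew_alert_required(q_j):
    """§ 25.302(d) as summarized above: a failure condition that is not
    extremely improbable and yields a Figure 2 F.S. below 1.25 must be
    alerted to the crew. Treating Qj > 1e-9 as 'not extremely improbable'
    is an assumption taken from the figure's axis."""
    return q_j > EXTREMELY_IMPROBABLE and fs_continuation_of_flight(q_j) < 1.25


def ultimate_load(load, factor_of_safety):
    """Ultimate load = load multiplied by the applicable factor of safety."""
    return load * factor_of_safety


if __name__ == "__main__":
    # Constructed sample cases: (label, Tj in hours, Pj per hour).
    cases = [
        ("frequent, short exposure", 1.0, 1e-3),
        ("moderate, 10 h exposure", 10.0, 1e-4),
        ("rare, long exposure", 100.0, 1e-7),
    ]
    for label, t_j, p_j in cases:
        q = cumulative_probability(t_j, p_j)
        print(
            f"{label}: FS(occurrence)={fs_time_of_occurrence(p_j):.3f} "
            f"Qj={q:.1e} FS(continuation)={fs_continuation_of_flight(q):.3f} "
            f"alert={crew_alert_required(q)}"
        )
```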
For residual strength substantiation,
the airplane must be able to withstand
two-thirds of the ultimate loads. If the
loads induced by the failure condition
have a significant effect on fatigue or
damage tolerance, then their effects
must be taken into account. A failure
condition has a ‘‘significant’’ effect on
fatigue or damage tolerance if it would
result in a change to inspection
thresholds, inspection intervals, or life
limits. Unlike EASA’s rule, § 25.302(c)
does not include aeroelasticity stability
requirements. Both CS 25.302 and CS
25.629 specify flutter speed margins for
failure conditions. In CS 25.629, for the
group of failures covered by CS 25.302,
the margins are based on the probability
of the condition’s occurrence, whereas,
for the remaining failure conditions, a
single speed margin is defined, similar
to § 25.629, regardless of probability.
The FAA believes the current speed
margins specified in § 25.629 are
adequate, and there is no need for more
specific failure criteria based on
probability of occurrence and speed
margins. The current speed margin
specified in § 25.629, which has been in
place since amendment 25–0 of 14 CFR
part 25, has proven effective in service.
For that reason, non-provision has little
impact.
Summary of Cost-Benefit Analysis for
§ 25.302(c)
The FAA finds that § 25.302(c)
harmonizes very closely in structure
with CS 25.302(c) and closely in rule
language, aside from the single failure
requirement, the additional load
provision of § 25.302(c)(2)(i)(F), and the
lack of aeroelasticity stability
requirements in § 25.302(c). Because of
this close harmonization, there is little
or no additional cost to that required by
EASA certification. Moreover, because
of the imposition of the FAA’s
Interaction of Systems and Structures
special conditions for more than twenty
years, the FAA believes that industry is
so well-adapted to the special
conditions that it is now the industry’s
low-cost necessary action. Thus, no
change is implied by the rule, and,
therefore, there is little or no additional
cost. The provision is cost-beneficial
owing to cost savings from joint
harmonization.
Legend for Figure 2: Qj = (Tj)(Pj), where:
Tj = Average time spent in failure condition j (in hours)
Pj = Probability of occurrence of failure mode j (per hour)
iii. Section 25.302(d) Failure Indications
Section 25.302(d) requires that the
system be checked for failure conditions
discussed in § 25.302(c)(2), for example,
using a CMR procedure. As far as
practicable, the flightcrew must be made
aware of these failures before flight.
Manufacturers are allowed relief in the
F.S. requirement shown in Figure 2, as
in § 25.302(c)(2). However, any failure
condition, not extremely improbable,
that results in an F.S. below 1.25 in
Figure 2 must be alerted to the crew.
This latter requirement sounds
contradictory since it means the
flightcrew must be alerted when the
probability of failure is low enough for
the safety factor to be less than 1.25. It
appears alerting the flightcrew is
substituted for a higher factor of safety.
A manufacturer finding alerting the
flightcrew too onerous can reverse the
substitution by having a higher factor of
safety.
The language of this paragraph closely
matches that of CS 25.302(d), except for
some additional verbiage that does not
change the intent. For the same reasons
given for paragraph (c) of § 25.302, there
is no additional cost from this
provision, and the provision is cost-beneficial owing to the cost savings
from joint harmonization.
iv. Section 25.302(e) Dispatch With
Known Failure Conditions
The applicant forecasts the
probability of the failure condition (‘‘at
the time of occurrence’’ in § 25.302(c))
and how many days the airplane will be
in that dispatch configuration. That
probability is then combined with the
probability of subsequent failures to
calculate Qj, the probability of being in
the dispatched condition, and the
subsequent failure condition. Qj is then
used in Figure 2 to establish the
required safety margins, the same safety
margin relief allowed in § 25.302(c)(2)
and in § 25.302(d).
The FAA excludes one sentence
related to dispatch limitations from
§ 25.302(e) that is in CS 25.302 because
its intent and application are unclear.
Otherwise, § 25.302(e) closely
harmonizes with CS 25.302. The FAA
special conditions and the
corresponding CS 25.302 have provided
an adequate service record. For the same
reasons given for paragraphs (c) and (d)
of § 25.302, there is no additional cost
from this provision, and the provision is
cost-beneficial owing to the reduced
costs from joint harmonization.
B. Regulatory Flexibility Determination
The Regulatory Flexibility Act (RFA)
of 1980, Public Law 96–354, 94 Stat.
1164 (5 U.S.C. 601–612), as amended by
the Small Business Regulatory
Enforcement Fairness Act of 1996 (Pub.
L. 104–121, 110 Stat. 857, Mar. 29,
1996) and the Small Business Jobs Act
of 2010 (Pub. L. 111–240, 124 Stat. 2504
Sept. 27, 2010), requires Federal
agencies to consider the effects of the
regulatory action on small business and
other small entities and to minimize any
significant economic impact. The term
‘‘small entities’’ comprises small
businesses and not-for-profit
organizations that are independently
owned and operated and are not
dominant in their fields, and
governmental jurisdictions with
populations of less than 50,000.
Garmin commented on the NPRM that
the cost-benefit analysis does not
consider the impact on ATC or STC
projects that would be considered
significant under § 21.101, the Changed
Product Rule. In addition, MARPA
requested that the FAA clarify the
applicability of the SSA rule to PMA
applicants and STC applicants. If the
SSA rule is applicable to PMA and STC
applicants, MARPA requested that the
FAA adjust the cost-benefit analysis
accordingly, complete a Regulatory
Flexibility Act analysis, and make the
revised cost-benefit analysis and
Regulatory Flexibility Act analysis
available for comment in a
supplemental NPRM.
This final rule updates the cost-benefit analysis to take account of the
fact that the final rule closely
harmonizes with the corresponding
EASA rule. Since U.S. manufacturers
already are required to meet the EASA
requirements, the closely harmonized
provisions of the final rule impose no or
minimal costs. In future STC or ATC
projects where the design change is
determined under the Changed Product
Rule to be a significant product level
change, the Changed Product Rule will
then require that the certification basis
of those projects be updated. The cost-benefit analysis for the Changed Product
Rule, however, has determined that the
required updated certification basis for
such projects is cost-beneficial. PMAs
(replacement articles) are managed in
accordance with Subpart K to part 21.
The final rule will apply only at that
time in the future when a PMA (or non-significant STC) applicant seeks to
modify a product that already has the
final rule in its certification basis.
Accordingly, the FAA finds that neither
a Regulatory Flexibility Act analysis nor
a supplemental NPRM is required.
If an agency determines that a
rulemaking will not result in a
significant economic impact on a
substantial number of small entities, the
head of the agency may so certify under
section 605(b) of the RFA. Since there
are no or minimal additional costs to
this final rule, the FAA certifies that the
final rule will not have a significant
economic impact on a substantial
number of small entities.
C. International Trade Impact
Assessment
The Trade Agreements Act of 1979
(Pub. L. 96–39), as amended by the
Uruguay Round Agreements Act (Pub.
L. 103–465), prohibits Federal agencies
from establishing standards or engaging
in related activities that create
unnecessary obstacles to the foreign
commerce of the United States.
Pursuant to these Acts, the
establishment of standards is not
considered an unnecessary obstacle to
the foreign commerce of the United
States, so long as the standard has a
legitimate domestic objective, such as
the protection of safety and does not
operate in a manner that excludes
imports that meet this objective. The
statute also requires consideration of
international standards and, where
appropriate, that they be the basis for
U.S. standards.
The FAA has assessed the potential
effect of this final rule and determined
that its purpose is to ensure the safety
of U.S. civil aviation. Therefore, this
final rule is in compliance with the
Trade Agreements Act.
D. Unfunded Mandates Assessment
The Unfunded Mandates Reform Act
of 1995 (2 U.S.C. 1531–1538) governs
the issuance of Federal regulations that
require unfunded mandates. An
unfunded mandate is a regulation that
requires a State, local, or tribal
government or the private sector to
incur direct costs without the Federal
government having first provided the
funds to pay those costs. The FAA
determined that the proposed rule will
not result in the expenditure of $183
million or more by State, local, or tribal
governments, in the aggregate, or the
private sector, in any one year.
E. Paperwork Reduction Act
The Paperwork Reduction Act of 1995
(44 U.S.C. 3507(d)) requires that the
FAA consider the impact of paperwork
and other information collection
burdens imposed on the public. The
FAA has determined that there is no
new requirement for information
collection associated with this final
rule.
F. International Compatibility
In keeping with U.S. obligations
under the Convention on International
Civil Aviation, it is FAA policy to
conform to International Civil Aviation
Organization (ICAO) Standards and
Recommended Practices to the
maximum extent practicable. The FAA
has determined that there are no ICAO
Standards and Recommended Practices
that correspond to these regulations.
G. Environmental Analysis
FAA Order 1050.1F identifies FAA
actions that are categorically excluded
from preparation of an environmental
assessment or environmental impact
statement under the National
Environmental Policy Act (NEPA) in the
absence of extraordinary circumstances.
The FAA has determined this
rulemaking action qualifies for the
categorical exclusion identified in
paragraph 5–6.6 for regulations and
involves no extraordinary
circumstances.
VII. Executive Order Determinations
A. Executive Order 13132, Federalism
The FAA has analyzed this final rule
under the principles and criteria of
Executive Order (E.O.) 13132,
Federalism (64 FR 43255, August 10,
1999). The FAA has determined that
this action will not have a substantial
direct effect on the States, or the
relationship between the Federal
Government and the States, or on the
distribution of power and
responsibilities among the various
levels of government, and, therefore,
will not have federalism implications.
B. Executive Order 13175, Consultation
and Coordination With Indian Tribal
Governments
Consistent with Executive Order
13175, Consultation and Coordination
with Indian Tribal Governments,43 and
FAA Order 1210.20, American Indian
and Alaska Native Tribal Consultation
Policy and Procedures,44 the FAA
ensures that Federally Recognized
Tribes (Tribes) are given the opportunity
to provide meaningful and timely input
regarding proposed Federal actions that
have the potential to have substantial
direct effects on one or more Indian
tribes, on the relationship between the
Federal government and Indian tribes,
or on the distribution of power and
responsibilities between the Federal
government and Indian tribes; or to
affect uniquely or significantly their
respective Tribes. At this point, the FAA
has not identified any unique or
significant effects, environmental or
otherwise, on tribes resulting from this
final rule.
43 65 FR 67249 (Nov. 6, 2000).
C. Executive Order 13211, Regulations
That Significantly Affect Energy Supply,
Distribution, or Use
The FAA analyzed this final rule
under E.O. 13211, Actions Concerning
Regulations that Significantly Affect
Energy Supply, Distribution, or Use (66
FR 28355, May 18, 2001). The FAA has
determined that it is not a ‘‘significant
energy action’’ under the executive
order and is not likely to have a
significant adverse effect on the supply,
distribution, or use of energy.
D. Executive Order 13609, Promoting
International Regulatory Cooperation
Executive Order 13609, Promoting
International Regulatory Cooperation,
promotes international regulatory
cooperation to meet shared challenges
involving health, safety, labor, security,
environmental, and other issues and to
reduce, eliminate, or prevent
unnecessary differences in regulatory
requirements. The FAA has analyzed
this action under the policies and
agency responsibilities of Executive
Order 13609 and has determined that
this action will have no effect on
international regulatory cooperation.
In January of 2020, EASA published
CS–25 amendment 24, which bore many
similarities to the proposals in the
NPRM, including added criteria for
latent failures in CS 25.1309. This final
rule harmonizes FAA requirements with
EASA’s requirements to the extent
possible.
VIII. Additional Information
A. Electronic Access and Filing
A copy of the NPRM, all comments
received, this final rule, and all
background material may be viewed
online at www.regulations.gov using the
docket number listed above. A copy of
this final rule will be placed in the
docket. Electronic retrieval help and
guidelines are available on the website.
It is available 24 hours each day, 365
days each year. An electronic copy of
this document may also be downloaded
from the Office of the Federal Register’s
website at www.federalregister.gov and
the Government Publishing Office’s
website at www.govinfo.gov. A copy
may also be found at the FAA’s
Regulations and Policies website at
www.faa.gov/regulations_policies.
44 FAA Order No. 1210.20 (Jan. 28, 2004),
available at www.faa.gov/documentLibrary/media/1210.pdf.
Copies may also be obtained by
sending a request to the Federal
Aviation Administration, Office of
Rulemaking, ARM–1, 800 Independence
Avenue SW, Washington, DC 20591, or
by calling (202) 267–9677. Commenters
must identify the docket or notice
number of this rulemaking.
All documents the FAA considered in
developing this final rule, including
economic analyses and technical
reports, may be accessed in the
electronic docket for this rulemaking.
B. Small Business Regulatory
Enforcement Fairness Act
The Small Business Regulatory
Enforcement Fairness Act (SBREFA) of
1996 requires the FAA to comply with
small entity requests for information or
advice about compliance with statutes
and regulations within its jurisdiction.
A small entity with questions regarding
this document may contact its local
FAA official, or the person listed under
the FOR FURTHER INFORMATION CONTACT
heading at the beginning of the
preamble. To find out more about
SBREFA on the internet, visit
www.faa.gov/regulations_policies/rulemaking/sbre_act/.
List of Subjects in 14 CFR Part 25
Aircraft, Aviation safety, Life-limited
parts, Reporting and recordkeeping
requirements.
The Amendment
In consideration of the foregoing, the
Federal Aviation Administration
amends chapter I of title 14, Code of
Federal Regulations as follows:
PART 25—AIRWORTHINESS
STANDARDS: TRANSPORT
CATEGORY AIRPLANES
■ 1. The authority citation for part 25
continues to read as follows:
Authority: 49 U.S.C. 106(f), 106(g), 40113,
44701, 44702 and 44704.
■ 2. Add § 25.4 to read as follows:
§ 25.4 Definitions.
(a) For the purposes of this part, the
following general definitions apply:
(1) Certification maintenance
requirement means a required
scheduled maintenance task established
during the design certification of the
airplane systems as an airworthiness
limitation of the type certificate or
supplemental type certificate.
(2) Significant latent failure is a latent
failure that, in combination with one or
more specific failures or events, would
result in a hazardous or catastrophic
failure condition.
(b) For purposes of this part, the
following failure conditions, in order of
increasing severity, apply:
(1) Major failure condition means a
failure condition that would reduce the
capability of the airplane or the ability
of the flightcrew to cope with adverse
operating conditions, to the extent that
there would be—
(i) A significant reduction in safety
margins or functional capabilities,
(ii) A physical discomfort or a
significant increase in flightcrew
workload or in conditions impairing the
efficiency of the flightcrew,
(iii) Physical distress to passengers or
cabin crew, possibly including injuries,
or
(iv) An effect of similar severity.
(2) Hazardous failure condition
means a failure condition that would
reduce the capability of the airplane or
the ability of the flightcrew to cope with
adverse operating conditions, to the
extent that there would be—
(i) A large reduction in safety margins
or functional capabilities,
(ii) Physical distress or excessive
workload such that the flightcrew
cannot be relied upon to perform their
tasks accurately or completely, or
(iii) Serious or fatal injuries to a
relatively small number of persons other
than the flightcrew.
(3) Catastrophic failure condition
means a failure condition that would
result in multiple fatalities, usually with
the loss of the airplane.
(c) For purposes of this part, the
following failure conditions in order of
decreasing probability apply:
(1) Probable failure condition means a
failure condition that is anticipated to
occur one or more times during the
entire operational life of each airplane
of a given type.
(2) Remote failure condition means a
failure condition that is not anticipated
to occur to each airplane of a given type
during its entire operational life, but
which may occur several times during
the total operational life of a number of
airplanes of a given type.
(3) Extremely remote failure condition
means a failure condition that is not
anticipated to occur to each airplane of
a given type during its entire
operational life, but which may occur a
few times during the total operational
life of all airplanes of a given type.
(4) Extremely improbable failure
condition means a failure condition that
is not anticipated to occur during the
total operational life of all airplanes of
a given type.
■ 3. Add § 25.302 to read as follows:
§ 25.302 Interaction of systems and
structures.
For airplanes equipped with systems
that affect structural performance, either
directly or as a result of a failure or
malfunction, the influence of these
systems and their failure conditions
must be taken into account when
showing compliance with the
requirements of subparts C and D of this
part. These criteria are only applicable
to structure whose failure could prevent
continued safe flight and landing.
(a) General. The applicant must use
the following criteria in determining the
influence of a system and its failure
conditions on the airplane structure.
(b) System fully operative. With the
system fully operative, the following
criteria apply:
(1) The applicant must derive limit
loads for the limit conditions specified
in subpart C of this part, taking into
account the behavior of the system up
to the limit loads. System nonlinearities
must be taken into account.
(2) The applicant must show that the
airplane meets the strength
requirements of subparts C and D of this
part, using the appropriate factor of
safety to derive ultimate loads from the
limit loads defined in paragraph (b)(1)
of this section. The effect of
nonlinearities must be investigated
sufficiently beyond limit conditions to
ensure the behavior of the system
presents no detrimental effects
compared to the behavior below limit
conditions. However, conditions beyond
limit conditions need not be considered
when it can be shown that the airplane
has design features that will not allow
it to exceed those limit conditions.
(3) Reserved.
(c) System in the failure condition.
For any system failure condition not
shown to be extremely improbable or
that results from a single failure, the
following criteria apply:
(1) At the time of occurrence. The
applicant must establish a realistic
scenario, starting from 1g level flight
conditions, and including pilot
corrective actions, to determine the
loads occurring at the time of failure
and immediately after failure.
(i) For static strength substantiation,
the airplane must be able to withstand
the ultimate loads determined by
multiplying the loads in paragraph (c)(1)
of this section by a factor of safety that
is related to the probability of
occurrence of the failure. The factor of
safety (F.S.) is defined in Figure 1.
Figure 1 to paragraph (c)(1)(i)
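[Figure 1. Factor of safety at the time of occurrence.
Vertical axis: FS (factor of safety), values marked 1.5 and 1.25.
Horizontal axis: Pj, probability of occurrence of failure mode j
(per hour), values marked 10^-9, 10^-5, and 1.]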
(ii) For residual strength
substantiation, the airplane must be able
to withstand two thirds of the ultimate
loads defined in paragraph (c)(1)(i) of
this section. For pressurized cabins,
these loads must be combined with the
normal operating differential pressure.
(iii) Reserved.
(iv) Failures of the system that result
in forced structural vibrations
(oscillatory failures) must not produce
loads that could result in detrimental
deformation of primary structure.
(2) For the continuation of the flight.
For the airplane, in the system failed
state and considering any appropriate
reconfiguration and flight limitations,
the following apply:
(i) The loads derived from the
following conditions at speeds up to VC/
MC, or the speed limitation prescribed
for the remainder of the flight must be
determined:
(A) the limit symmetrical
maneuvering conditions specified in
§§ 25.331 and 25.345,
(B) the limit gust and turbulence
conditions specified in §§ 25.341 and
25.345,
(C) the limit rolling conditions
specified in § 25.349 and the limit
unsymmetrical conditions specified in
§§ 25.367 and 25.427(b) and (c),
(D) the limit yaw maneuvering
conditions specified in § 25.351,
(E) the limit ground loading
conditions specified in §§ 25.473 and
25.491, and
(F) any other subpart C of this part
load condition for which a system is
specifically installed or tailored to
reduce the loads of that condition.
(ii) For static strength substantiation,
each part of the structure must be able
to withstand the loads in paragraph
(c)(2)(i) of this section multiplied by a
factor of safety that depends on the
probability of being in this failure
condition. The factor of safety is defined
in Figure 2.
Figure 2 to paragraph (c)(2)(ii)
[Figure 2. Factor of safety for continuation of flight.
Vertical axis: FS (factor of safety), values marked 1.5 and 1.0.
Horizontal axis: Qj, probability of being in failure condition j,
values marked 10^-9, 10^-5, and 1.]
Qj = (Tj)(Pj) where:
Tj = Average time spent in failure condition j (in hours)
Pj = Probability of occurrence of failure mode j (per hour)
If Pj is greater than 10^-3 per flight hour, then
a 1.5 factor of safety must be applied in
lieu of the factor of safety defined in
Figure 2.
(iii) For residual strength
substantiation, the airplane must be able
to withstand two thirds of the ultimate
loads defined in paragraph (c)(2)(ii) of
this section. For pressurized cabins,
these loads must be combined with the
normal operating differential pressure.
(iv) If the loads induced by the failure
condition have a significant effect on
fatigue or damage tolerance then their
effects must be taken into account.
(v) Reserved.
(vi) Reserved.
(3) Reserved.
(d) Failure indications. For system
failure detection and indication, the
following apply:
(1) The system must be checked for
failure conditions evaluated under
paragraph (c) of this section that
degrade the structural capability below
the level required by subparts C
(excluding § 25.302) and D of this part
or that reduce the reliability of the
remaining system. As far as practicable,
these failures must be indicated to the
flightcrew before flight.
(2) The existence of any failure
condition evaluated under paragraph (c)
of this section that results in a factor of
safety between the airplane strength and
the loads of subpart C of this part below
1.25 must be indicated to the flightcrew.
(e) Dispatch with known failure
conditions. If the airplane is to be
dispatched in a known system failure
condition that affects structural
performance or affects the reliability of
the remaining system to maintain
structural performance, then the Master
Minimum Equipment List must ensure
the provisions of § 25.302 are met for
the dispatched condition and for any
subsequent failures. Flight limitations
and operational limitations may be
taken into account in establishing Qj as
the combined probability of being in the
dispatched failure condition and the
subsequent failure condition for the
safety margins in Figure 2. No reduction
in these safety margins is allowed if the
subsequent system failure rate is greater
than 10^-3 per flight hour.
■ 4. Amend § 25.629 by revising
paragraph (a) and (d) introductory text,
redesignating paragraphs (d)(9) and (10)
as paragraphs (d)(10) and (11), and
adding a new paragraph (d)(9) to read as
follows:
§ 25.629 Aeroelastic stability
requirements.
(a) General. The aeroelastic stability
evaluation required under this section
includes flutter, divergence, control
reversal and any undue loss of stability
and control as a result of structural
deformation. The aeroelastic evaluation
must include whirl modes associated
with any propeller or rotating device
that contributes significant dynamic
forces. Additionally, the evaluation
must include any condition of operation
within the maneuvering envelope.
Compliance with this section must be
shown by analyses, wind tunnel tests,
ground vibration tests, flight tests, or
other means found necessary by the
Administrator.
* * * * *
(d) Failures, malfunctions, and
adverse conditions. The failures,
malfunctions, and adverse conditions
that must be considered in showing
compliance with this section are:
* * * * *
(9) The following flight control system
failure combinations in which
aeroelastic stability relies on flight
control system stiffness, damping or
both:
(i) Any dual hydraulic system failure.
(ii) Any dual electrical system failure.
(iii) Any single failure in combination
with any probable hydraulic or
electrical system failure.
* * * * *
■ 5. Revise § 25.671 to read as follows:
§ 25.671 General.
(a) Each flight control system must
operate with the ease, smoothness, and
positiveness appropriate to its function.
The flight control system must continue
to operate and respond appropriately to
commands, and must not hinder
airplane recovery, when the airplane is
experiencing any pitch, roll, or yaw rate,
or vertical load factor that could occur
due to operating or environmental
conditions, or when the airplane is in
any attitude.
(b) Each element of each flight control
system must be designed, or
distinctively and permanently marked,
to minimize the probability of incorrect
assembly that could result in failure or
malfunctioning of the system. The
applicant may use distinctive and
permanent marking only where design
means are impractical.
(c) The airplane must be shown by
analysis, test, or both, to be capable of
continued safe flight and landing after
any of the following failures or jams in
the flight control system within the
normal flight envelope. Probable
malfunctions must have only minor
effects on control system operation and
must be capable of being readily
counteracted by the pilot.
(1) Any single failure, excluding
failures of the type defined in
§ 25.671(c)(3);
(2) Any combination of failures not
shown to be extremely improbable,
excluding failures of the type defined in
§ 25.671(c)(3); and
(3) Any failure or event that results in
a jam of a flight control surface or pilot
control that is fixed in position due to
a physical interference. The jam must be
evaluated as follows:
(i) The jam must be considered at any
normally encountered position of the
control surface or pilot control.
(ii) The jam must be assumed to occur
anywhere within the normal flight
envelope and during any flight phase
except during the time immediately
before touchdown if the risk of a
potential jam is minimized to the extent
practical.
(iii) In the presence of the jam, any
additional failure conditions that could
prevent continued safe flight and
landing must have a combined
probability of 1/1000 or less.
(d) If all engines fail at any point in
the flight, the airplane must be
controllable, and an approach and flare
to a landing and controlled stop, and
flare to a ditching, must be possible,
without requiring exceptional piloting
skill or strength.
(e) The airplane must be designed to
indicate to the flightcrew whenever the
primary control means is near the limit
of control authority.
(f) If the flight control system has
multiple modes of operation,
appropriate flightcrew alerting must be
provided whenever the airplane enters
any mode that significantly changes or
degrades the normal handling or
operational characteristics of the
airplane.
■ 6. Amend § 25.901 by revising
paragraph (c) to read as follows:
§ 25.901 Installation.
* * * * *
(c) For each powerplant and auxiliary
power unit installation, the applicant
must comply with the requirements of
§ 25.1309, except that the effects of the
following failures need not comply with
§ 25.1309(b)—
(1) Engine case burn-through or
rupture,
(2) Uncontained engine rotor failure,
and
(3) Propeller debris release.
* * * * *
■ 7. Amend § 25.933 by revising
paragraph (a)(1) to read as follows:
§ 25.933 Reversing systems.
(a) * * *
(1) For each system intended for
ground operation only, the applicant
must show—
(i) The airplane is capable of
continued safe flight and landing during
and after any thrust reversal in flight; or
(ii) The system complies with
§ 25.1309(b) using the assumption the
airplane would not be capable of
continued safe flight and landing during
and after an in-flight thrust reversal.
* * * * *
■ 8. Revise § 25.1301 to read as follows:
§ 25.1301 Function and installation.
Each item of installed equipment
must—
(a) Be of a kind and design
appropriate to its intended function;
(b) Be labeled as to its identification,
function, or operating limitations, or
any applicable combination of these
factors; and
(c) Be installed according to
limitations specified for that equipment.
■ 9. Revise § 25.1309 to read as follows:
§ 25.1309 Equipment, systems, and
installations.
The requirements of this section,
except as identified below, apply to any
equipment or system as installed on the
airplane. Although this section does not
apply to the performance and flight
characteristic requirements of subpart B
of this part, or to the structural
requirements of subparts C and D of this
part, it does apply to any system on
which compliance with any of those
requirements is dependent. Section
25.1309(b) does not apply to the flight
control jam conditions addressed by
§ 25.671(c)(3); single failures in the
brake system addressed by
§ 25.735(b)(1); the failure conditions
addressed by §§ 25.810(a)(1)(v) and
25.812; uncontained engine rotor
failure, engine case rupture, or engine
case burn-through failures addressed by
§§ 25.903(d)(1) and 25.1193 and part 33
of this chapter; and propeller debris
release failures addressed by § 25.905(d)
and part 35 of this chapter.
(a) The airplane’s equipment and
systems must be designed and installed
so that:
(1) The equipment and systems
required for type certification or by
operating rules, or whose improper
functioning would reduce safety,
perform as intended under the airplane
operating and environmental
conditions; and
(2) Other equipment and systems,
functioning normally or abnormally, do
not adversely affect the safety of the
airplane or its occupants or the proper
functioning of the equipment and
systems addressed by paragraph (a)(1) of
this section.
(b) The airplane systems and
associated components, evaluated
separately and in relation to other
systems, must be designed and installed
so that they meet all of the following
requirements:
(1) Each catastrophic failure
condition—
(i) Must be extremely improbable; and
(ii) Must not result from a single
failure.
(2) Each hazardous failure condition
must be extremely remote.
(3) Each major failure condition must
be remote.
(4) Each significant latent failure must
be eliminated as far as practical, or, if
not practical to eliminate, the latency of
the significant latent failure must be
minimized. However, the requirements
of the previous sentence do not apply if
the associated system meets the
requirements of paragraphs (b)(1) and
(b)(2) of this section, assuming the
significant latent failure has occurred.
(5) For each catastrophic failure
condition that results from two failures,
either of which could be latent for more
than one flight, the applicant must show
that—
(i) It is impractical to provide
additional fault tolerance; and
(ii) Given the occurrence of any single
latent failure, the residual average
probability of the catastrophic failure
condition due to all subsequent active
failures is remote; and
(iii) The sum of the probabilities of
the latent failures that are combined
with each active failure does not exceed
1/1000.
(c) The airplane and systems must
provide information concerning unsafe
system operating conditions to the
flightcrew to enable them to take
appropriate corrective action in a timely
manner. Systems and controls,
including information, indications, and
annunciations, must be designed to
minimize flightcrew errors that could
create additional hazards.
(d) Reserved.
(e) The applicant must establish
certification maintenance requirements
as necessary to prevent the development
of the failure conditions described in
paragraph (b) of this section. These
requirements must be included in the
Airworthiness Limitations section of the
Instructions for Continued
Airworthiness required by § 25.1529.
■ 10. Amend § 25.1365 by revising
paragraph (a) to read as follows:
§ 25.1365 Electrical appliances, motors,
and transformers.
(a) An applicant must show that, in
the event of a failure of the electrical
supply or control system, the design and
installation of domestic appliances meet
the requirements of § 25.1309(b) and (c).
Domestic appliances are items such as
cooktops, ovens, coffee makers, water
heaters, refrigerators, and toilet flush
systems that are placed on the airplane
to provide service amenities to
passengers.
* * * * *
■ 11. Revise section H25.4 of appendix
H to part 25 by adding paragraph (a)(6)
to read as follows:
Appendix H to Part 25—Instructions for
Continued Airworthiness
* * * * *
H25.4 Airworthiness Limitations section.
* * * * *
(a) * * *
(6) Each certification maintenance
requirement established to comply with any
of the applicable provisions of part 25.
* * * * *
Issued under authority provided by 49
U.S.C. 106(f), 106(g), 44701(a), and 44704 in
Washington, DC.
Michael Gordon Whitaker,
Administrator.
[FR Doc. 2024–18511 Filed 8–26–24; 8:45 am]
BILLING CODE 4910–13–P
[Federal Register Volume 89, Number 166 (Tuesday, August 27, 2024)]
[Rules and Regulations]
[Pages 68706-68735]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-18511]
Vol. 89
Tuesday,
No. 166
August 27, 2024
Part II
Department of Transportation
-----------------------------------------------------------------------
Federal Aviation Administration
-----------------------------------------------------------------------
14 CFR Part 25
System Safety Assessments; Final Rule
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Part 25
[Docket No.: FAA-2022-1544; Amdt. No. 25-152]
RIN 2120-AJ99
System Safety Assessments
AGENCY: Federal Aviation Administration (FAA), Department of
Transportation (DOT).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The FAA is amending certain airworthiness regulations to
standardize the criteria for conducting safety assessments for systems,
including flight controls and powerplants, installed on transport
category airplanes. With this action, the FAA seeks to reduce risk
associated with airplane accidents and incidents that have occurred in
service, and reduce risk associated with new technology in flight
control systems. The intended effect of this rulemaking is to improve
aviation safety by making system safety assessment (SSA) certification
requirements more comprehensive and consistent.
DATES: Effective September 26, 2024.
ADDRESSES: For information on where to obtain copies of rulemaking
documents and other information related to this final rule, see ``How
to Obtain Additional Information'' in the SUPPLEMENTARY INFORMATION
section of this document.
FOR FURTHER INFORMATION CONTACT: Todd Martin, Technical Policy Branch,
Policy and Standards Division, Aircraft Certification Service, Federal
Aviation Administration, 2200 South 216th Street, Des Moines, WA 98198;
telephone and fax (206) 231-3210; email Todd.Martin@faa.gov.
SUPPLEMENTARY INFORMATION:
I. Authority for This Rulemaking
The FAA's authority to issue rules on aviation safety is found in
Title 49 of the United States Code. Subtitle I, Section 106 describes
the authority of the FAA Administrator. Subtitle VII, Aviation
Programs, describes in more detail the scope of the FAA's authority.
This rulemaking is promulgated under the authority described in
Subtitle VII, Part A, Subpart III, Section 44701, ``General
Requirements.'' Under that section, the FAA is charged with promoting
safe flight of civil aircraft in air commerce by prescribing
regulations and minimum standards for the design and performance of
aircraft that the Administrator finds necessary for safety in air
commerce. This regulation is within the scope of that authority. It
prescribes new safety standards for the design and operation of
transport category airplanes.
II. Acronyms Frequently Used in This Document
Table 1--Acronyms Frequently Used in This Document
------------------------------------------------------------------------
Acronym Definition
------------------------------------------------------------------------
AC........................... Advisory Circular.
AD........................... Airworthiness Directive.
AFM.......................... Airplane Flight Manual.
ALS.......................... Airworthiness Limitations section.
ARAC......................... Aviation Rulemaking Advisory Committee.
ASAWG........................ Airplane Level Safety Analysis Working
Group.
CAST......................... Commercial Aviation Safety Team.
CMR.......................... Certification Maintenance Requirement.
CS-25........................ Certification Specifications for Large
Aeroplanes (issued by EASA).
CSL+1........................ Catastrophic Single Latent Failure Plus
One (a failure condition).
EASA......................... European Union Aviation Safety Agency.
ELOS......................... Equivalent Level of Safety.
EWIS......................... Electrical Wiring Interconnection System.
FCHWG........................ Flight Controls Harmonization Working
Group.
FTHWG........................ Flight Test Harmonization Working Group.
ICA.......................... Instructions for Continued Airworthiness.
LDHWG........................ Loads and Dynamics Harmonization Working
Group.
NTSB......................... National Transportation Safety Board.
PPIHWG....................... Powerplant Installation Harmonization
Working Group.
SDAHWG....................... System Design and Analysis Harmonization
Working Group.
SLF.......................... Significant Latent Failure.
SSA.......................... System Safety Assessment.
------------------------------------------------------------------------
Table of Contents
I. Authority for This Rulemaking
II. Acronyms Frequently Used in This Document
III. Overview of Final Rule
IV. Background
A. Statement of the Problem
B. Related Actions
C. NTSB Recommendations
D. Summary of the NPRM
E. General Overview of Comments
V. Discussion of Comments and the Final Rule
A. Section 25.4, Definitions
B. Section 25.302, Interaction of Systems and Structures
C. Section 25.629, Aeroelastic Stability Requirements
D. Section 25.671, Flight Control Systems
E. Section 25.901, Engine Installation
F. Section 25.933, Reversing Systems
G. Section 25.1301, Function and Installation
H. Section 25.1309, Equipment, Systems and Installations
I. Section 25.1365, Electrical Appliances, Motors, and
Transformers
J. Miscellaneous Comments
K. Advisory Material
VI. Regulatory Notices and Analyses
A. Regulatory Evaluation
B. Regulatory Flexibility Determination
C. International Trade Impact Assessment
D. Unfunded Mandates Assessment
E. Paperwork Reduction Act
F. International Compatibility
G. Environmental Analysis
VII. Executive Order Determinations
A. Executive Order 13132, Federalism
B. Executive Order 13175, Consultation and Coordination With
Indian Tribal Governments
C. Executive Order 13211, Regulations That Significantly Affect
Energy Supply, Distribution, or Use
D. Executive Order 13609, Promoting International Regulatory
Cooperation
VIII. Additional Information
A. Electronic Access and Filing
B. Small Business Regulatory Enforcement Fairness Act
III. Overview of Final Rule
The FAA is amending regulations in title 14, Code of Federal
Regulations (14 CFR) part 25 (Airworthiness Standards: Transport
Category Airplanes) related to the safety assessment \1\ of airplane
systems. The changes to part 25 affect applicants for type
certification and operators of transport category airplanes. Applicants
for type certification will be required to conduct their SSAs in
accordance with the revised regulations. Changes to the Instructions
for Continued Airworthiness (ICA) affect operators of newly certified
airplanes, although the impact on those operators is not significant.
---------------------------------------------------------------------------
\1\ A system safety assessment is a structured process intended
to systematically identify the risks pertinent to the design of
aircraft systems, and to show that the systems meet safety
requirements.
---------------------------------------------------------------------------
The FAA is revising and adding new safety standards to reduce the
likelihood of potentially catastrophic risks due to latent failures in
critical systems.
Because modern aircraft systems (for example, avionics and fly-by-
wire systems) are much more integrated than they were when the current
safety criteria in Sec. 25.1309 and other system safety assessment
rules were established in 1970,\2\ the new standards are more
consistent for all systems of the airplane, reducing the chance of a
hazard falling into a gap between the different regulatory requirements
for different systems.
---------------------------------------------------------------------------
\2\ 35 FR 5665 (Apr. 8, 1970).
---------------------------------------------------------------------------
Consistent criteria for conducting SSAs also provides
predictability for applicants by reducing the number of issue papers
and special conditions necessary for airplane certification
projects.\3\
---------------------------------------------------------------------------
\3\ As discussed in the preamble, special conditions are rules
of particular applicability that the FAA issues to address novel or
unusual design features. See 14 CFR 21.16.
---------------------------------------------------------------------------
Specifically, this final rule--
Requires that applicants limit the likelihood of a
catastrophic failure condition that results from a combination of two
failures, either of which could be latent for more than one flight. See
Sec. 25.1309(b)(5).
Revises safety assessment regulations to eliminate
ambiguity in, and provide consistency between, the safety assessments
that applicants must conduct for different types of airplane systems.
Section 25.1309 continues to contain the safety assessment criteria
applicable to most airplane systems. Section 25.901(c) (powerplant
installations) is amended to remove general system safety criteria.
Instead, the powerplant installations covered in this section are
required to comply with Sec. 25.1309 (system safety criteria). Section
25.933(a) (thrust reversing systems) allows compliance with Sec.
25.1309 as an option. Sections 25.671, 25.901, and 25.933 continue to
contain criteria specific to flight control systems, powerplant
installations, and thrust reversing systems, respectively, that are not
addressed by Sec. 25.1309.
Requires applicants to assess and account for any effect
that the failure of a system could have on the structural performance
of the airplane. See Sec. 25.302.
Defines the different types of failure of flight control
systems, including jams, and defines the criteria for safety assessment
of those types of failures. See Sec. 25.671.
Requires applicants to include, in the Airworthiness
Limitations Section (ALS) of the airplane's ICA, necessary maintenance
tasks that applicants identify during their SSAs. See Sec. 25.1309(e).
Removes the ``function properly when installed'' criterion
in Sec. 25.1301(a)(4) for installed equipment whose function is not
needed for safe operation of the airplane.
IV. Background
A. Statement of the Problem
This action is necessary because airplane accidents, incidents, and
service difficulties have occurred as a result of failures in airplane
systems. Some of these occurrences were caused, in part, by
insufficient design standards for controlling the risk of latent
failures, which are failures that are not detected or annunciated when
they occur. Current FAA regulations do not prevent the certification of
an airplane with a latent failure that, when combined with another
failure, could cause a hazardous or catastrophic accident.
Also, current regulations do not require establishment of mandatory
inspections for significant latent failures (SLFs) that may pose a risk
in maintaining the airworthiness of the airplane design. Such
inspections are currently undertaken as industry practice and may be
necessary to reduce exposure to these latent failures so airplanes
continue to meet safety standards while in service.
Additionally, current regulations do not adequately address new
technology in flight control systems and the effects these systems can
have on controllability and structural capability. These issues are
currently addressed by special conditions and equivalent level of
safety (ELOS) findings.
This action is also necessary to address flight control systems
whose failure can affect the loads imposed on the airplane structure.
Lastly, certain system safety requirements have not been
standardized across airplane systems. These regulations have specified
different safety assessment criteria for different systems, which can
lead to inconsistent standards across the airplane. Also, when systems
that traditionally have been separate become integrated using new
technology, applicants have expressed uncertainty regarding which
standard to apply.
The FAA is addressing these issues by revising the system safety
assessment requirements in part 25.
B. Related Actions
1. Aviation Rulemaking Advisory Committee (ARAC) Recommendations
Advances in flight controls technology, increased airplane system
integration, and certain incidents, accidents, and service difficulties
related to system failures prompted the FAA to task the ARAC with
developing recommendations for new or revised requirements and
compliance methods related to the safety assessment of airplane and
powerplant systems. The ARAC accepted tasks on various airplane systems
issues and assigned them to the Powerplant Installation Harmonization
Working Group (PPIHWG),\4\ Flight Controls Harmonization Working Group
(FCHWG),\5\ Loads and Dynamics Harmonization Working Group (LDHWG),\6\
and System Design and Analysis Harmonization Working Group (SDAHWG).\7\
The FAA also tasked the ARAC to make recommendations for harmonizing
the relevant part 25 rules with the corresponding European
certification specifications for large airplanes.\8\ The ARAC accepted
this task
and assigned it to the relevant working groups.
---------------------------------------------------------------------------
\4\ 57 FR 58844 (Dec. 11, 1992).
\5\ 63 FR 45554 (Aug. 26, 1998).
\6\ 59 FR 30081 (Jun. 10, 1994).
\7\ 61 FR 26246 (May 24, 1996).
\8\ As the FAA noted in the Federal Register in 1993: ``The FAA
announced at the Joint Aviation Authorities (JAA)-Federal Aviation
Administration (FAA) Harmonization Conference in Toronto, Ontario,
Canada, (June 2-5, 1992) that it would consolidate within the
Aviation Rulemaking Advisory Committee structure an ongoing
objective to ``harmonize'' the Joint Aviation Requirements (JAR) and
the Federal Aviation Regulations (FAR). Coincident with that
announcement, the FAA assigned to the ARAC those projects related to
JAR/FAR 25, 33 and 35 harmonization which were then in the process
of being coordinated between the JAA and the FAA.'' 58 FR 13819,
13820 (Mar. 15, 1993).
---------------------------------------------------------------------------
Although the working groups each addressed the subject of managing
latent failures in safety critical systems, their recommendations were
not consistent when defining the criteria for latent failures. After
reviewing the relevant regulations and the recommendations from the
working groups, the FAA, along with the European, Canadian, and
Brazilian civil aviation authorities, identified a need to standardize
SSA criteria.
Therefore, in 2006, the FAA tasked the ARAC, which assigned the
task to the Airplane-Level Safety Assessment Working Group (ASAWG),\9\
with creating consistent SSA criteria. The ASAWG completed its work in
May 2010 and recommended a set of consistent requirements that would
apply to all systems. Specific areas addressed in the recommendation
report include latent failures, aging and wear, Master Minimum
Equipment Lists, and flight and diversion time. The ASAWG recommended
that the general system safety criteria for all airplane systems be
governed by Sec. 25.1309, and recommended adjustments to the
regulations and advisory material addressed by the working groups
mentioned previously, to implement consistent system safety criteria.
All ARAC working group recommendation reports are available in the
docket for this final rule.
---------------------------------------------------------------------------
\9\ 71 FR 14284 (Mar. 21, 2006).
---------------------------------------------------------------------------
2. Harmonization With European Union Aviation Safety Agency (EASA)
Certification Standards
EASA certification standards for large airplanes (CS-25) prescribe
the airworthiness standards corresponding to 14 CFR part 25 for
transport category airplanes certified by the European Union.
Applicants for FAA type certification of transport category airplanes
may also seek EASA validation of the FAA's type certificate. Where part
25 and CS-25 differ, an applicant must meet both airworthiness
standards to obtain a U.S. type certificate and validation of the type
certificate by foreign authorities, or obtain exemptions, equivalent
level of safety findings or special conditions, or the foreign
authority's equivalent to those, as necessary to meet one standard in
lieu of the other. Where FAA and EASA can maintain harmonized
requirements, applicants for type certification benefit by having a
single set of requirements with which they must show compliance,
thereby reducing the cost and complexity of certification and ensuring
a consistent level of safety.
EASA incorporated the SDAHWG-recommended changes to CS/Sec. Sec.
25.1301 and 25.1309, and associated guidance, in its initial issuance
of CS-25 on October 17, 2003.\10\ EASA incorporated the criteria
regarding interaction of systems and structures recommended by the
LDHWG into its regulatory framework as CS 25.302 and appendix K of CS-
25 at amendment 25/1 on December 12, 2005.\11\ EASA incorporated the
PPIHWG-recommended changes to CS/Sec. Sec. 25.901(c) and 25.933(a)(1),
and associated guidance, at amendment 25/1. EASA incorporated the
ASAWG-recommended regulatory and advisory material implementing
consistent SSA criteria, at amendment 25/24 to CS-25, on January 10,
2020.\12\ This final rule harmonizes FAA requirements with those of
EASA to the extent possible, with differences described in the section
entitled ``Discussion of Comments and the Final Rule.''
---------------------------------------------------------------------------
\10\ www.easa.europa.eu/en/downloads/1516/en.
\11\ www.easa.europa.eu/en/document-library/certification-specifications/cs-25-amendment-1.
\12\ www.easa.europa.eu/en/downloads/108354/en.
---------------------------------------------------------------------------
C. NTSB Recommendations
This final rule addresses National Transportation Safety Board
(NTSB) Safety Recommendations A-99-22, A-99-23,\13\ A-02-51,\14\ and A-
14-119.\15\
---------------------------------------------------------------------------
\13\ NTSB Safety Recommendations A-99-22 and A-99-23 are
available in the docket and at www.ntsb.gov/safety/safety-recs/recletters/A99_20_29.pdf.
\14\ NTSB Safety Recommendation A-02-51 is available in the
docket and at www.ntsb.gov/safety/safety-recs/recletters/A02_36_51.pdf.
\15\ NTSB Safety Recommendation A-14-119 is available in the
docket and at www.ntsb.gov/safety/safety-recs/recletters/A-14-113-127.pdf.
---------------------------------------------------------------------------
In Safety Recommendation A-99-22, the NTSB recommends that the FAA
ensure that future transport category airplanes provide a reliably
redundant rudder actuation system. In Safety Recommendation A-99-23,
the NTSB recommends that the FAA require type certificate applicants to
show that transport category airplanes are capable of continued safe
flight and landing after jamming of a flight control at any deflection
possible, up to and including its full deflection, unless the applicant
shows that such a jam is extremely improbable. The final rule addresses
these recommendations by revising Sec. 25.671(c).
In Safety Recommendation A-02-51, the NTSB recommends that the FAA
review and revise airplane certification regulations, and associated
guidance, applicable to the certification of transport category
airplanes, to ensure that applicants fully address wear-related
failures so that, to the maximum extent possible, such failures will
not be catastrophic. The requirement to include certification
maintenance requirements (CMRs) in the ALS responds to this safety
recommendation, as do the ACs accompanying this final rule that
contain guidance on assessing wear-related failures as part of the SSA.
In Safety Recommendation A-14-119, the NTSB recommends that the FAA
provide its certification engineers with written guidance and training
to ensure that assumptions, data sources, and analytical techniques are
fully identified and justified in applicants' safety assessments for
designs incorporating new technology. Additionally, the NTSB recommends
that an appropriate level of conservatism be included in the analysis
or design, consistent with the intent of the draft guidance material
that the SDAHWG recommended. AC 25.1309-1B, accompanying this final
rule, contains the guidance.\16\
---------------------------------------------------------------------------
\16\ This advisory circular, and the other advisory circulars
that accompany this final rule, are in the docket.
---------------------------------------------------------------------------
D. Summary of the NPRM
The FAA issued an NPRM on December 8, 2022 (87 FR 75424), that
proposed amending certain airworthiness regulations. These regulations
concern safety assessments for systems, including flight controls and
powerplants, installed on transport category airplanes. The NPRM
explained how the proposed regulations would reduce risk associated
with airplane accidents and incidents that have occurred in service,
and reduce risk associated with new technology in flight control
systems. This action finalizes the proposal with changes made to
address comments.
E. General Overview of Comments
V. Discussion of Comments and the Final Rule
Harmonization
The NPRM explained that the FAA's proposed rule would harmonize
with the requirements of EASA to the extent possible, although there
were differences in the requirements and language of the FAA's proposed
regulations compared to EASA's corresponding regulations in CS-25.
Almost all organizational commenters requested the FAA revise the
proposed rule to harmonize more closely with EASA CS-25. These
commenters expressed concern that differences between the FAA's
proposal and
EASA's existing regulations would burden applicants requesting
validation of a type certificate issued by another civil aviation
authority because the applicants would have to meet two sets of
requirements and show multiple means of compliance for certification of
the same design. As discussed below, the FAA decided to address this
concern by increasing harmonization of its final rule with the
corresponding EASA CS-25 requirements.
The FAA acknowledges that there are some remaining differences
between the FAA's and EASA's regulations on this topic. The majority of
differences between the final rule and the corresponding CS-25
regulations are differences in wording or structure that were made to
satisfy FAA rulemaking constraints or improve the final rule language
due to requests from commenters. Although a few differences may be
significant standards differences,\17\ as subsequently explained, the
FAA does not expect these differences to increase the cost and
complexity of certification for applicants pursuing validation or
result in a different level of safety between authorities.
---------------------------------------------------------------------------
\17\ Significant standards difference (SSD) refers to a
validating authority airworthiness standard that either differs
significantly from the certifying authority (CA) standard or has no
CA equivalent. Reference: Technical Implementation Procedures for
Airworthiness and Environmental Certification between the FAA and
EASA, Revision 7, dated October 19, 2023, in the docket.
---------------------------------------------------------------------------
In addition, the commenters addressed the draft ACs that
accompanied the NPRM. The FAA's responses to these comments can be
found at the Dynamic Regulatory System (drs.faa.gov), along with the
finalized ACs.
A. Section 25.4, Definitions
In the NPRM, the FAA proposed new Sec. 25.4 to define certain
terms that the FAA is using in these revised regulations for system
safety assessment of transport category airplanes.
1. Add Definitions
Boeing and GAMA/AIA requested the FAA add definitions of several
terms to Sec. 25.4, including ``continued safe flight and landing,''
``flightcrew,'' ``cabin crew,'' ``ground crew,'' ``maintenance
personnel,'' ``exposure time,'' ``safety requirements'' and ``candidate
CMR.'' GAMA/AIA requested the FAA explain why some terms, but not
others, were defined in proposed Sec. 25.4.
The FAA does not agree to add new terms to Sec. 25.4 in this final
rule. The FAA's intent in adding Sec. 25.4 is to define key terms that
are new to part 25 rule text and used in the regulations that are part
of this rulemaking (e.g., failure condition categories and
probabilities). AC 25.671-1, Control Systems--General, and AC 25.1309-
1B, System Design and Analysis, include additional definitions for
terms related to the requirements of Sec. Sec. 25.671 and 25.1309.
Boeing, GAMA/AIA, and Gulfstream suggested that the FAA add
definitions for terms commonly used throughout part 25 regulations
(e.g., ``impractical,'' ``essential'' and ``critical''). The FAA
declines to define additional terms used in part 25, because the FAA
does not intend Sec. 25.4 to include every term that is repeated in
part 25.
2. Remove Definitions
ANAC, Bombardier, and Garmin requested the FAA not adopt proposed
Sec. 25.4, Definitions. ANAC preferred that the FAA define these terms
in 14 CFR part 1, Definitions and Abbreviations, while Bombardier and
Garmin preferred that the FAA define these terms in guidance so that
they can be more easily changed as needed. Gulfstream also noted that
several terms that the FAA proposed to be included in Sec. 25.4 are
not extensively used in part 25 and should be relocated to AC 25.1309-
1B.
The FAA does not agree to omit new Sec. 25.4 from the final rule.
Section 25.4 is necessary to define key terms and concepts that are new
to part 25 rule text and part of this rulemaking. AC 25.1309-1B
provides further information on these terms.
Gulfstream requested that the FAA move ``hazardous failure
condition'' to AC 25.1309, unless the definition is applicable to
``hazardous'' across all regulations.
The FAA does not agree to move this definition to the AC. The
definition for ``hazardous failure condition'' in Sec. 25.4(b)(2) only
applies to the part 25 regulations in which that exact phrase is used,
and it does not apply to the terms ``hazard'' or ``hazardous,'' which
are used throughout part 25 in different contexts. The FAA's use of
``hazardous'' across other part 25 rules does not necessarily imply a
hazardous effect on the aircraft, flightcrew, or occupants. While not
relevant to the Gulfstream comment, the FAA notes a similar situation
exists with the term ``extremely remote.'' The Sec. 25.4(c)(3)
definition of ``extremely remote failure condition'' does not apply to
the term ``extremely remote'' as used in Sec. 25.933 or Sec. 25.937.
When those regulations were published, the term ``extremely remote''
meant ``extremely improbable,'' as used today.\18\
---------------------------------------------------------------------------
\18\ The use of the term ``extremely remote'' in Sec. Sec.
25.933 and 25.937 dates to the initial issue of 14 CFR in 1965.
Section 25.933 was based on Civil Air Regulation (CAR) 4b.407, which
was adopted at amendment 4b-01, May 17, 1954. Section 25.937 was
based on CAR 4b.408, which was adopted at amendment 4b-6, July 8,
1957. The term ``extremely remote'' also appeared in CAR 04.310 on
November 9, 1945. The FAA also stated in the Federal Register in
2001, ``The term `extremely improbable' (or its predecessor term,
`extremely remote') has been used in 14 CFR part 25 for many years.
The objective of this term has been to describe a condition (usually
a failure condition) that has a probability of occurrence so remote
that it is not anticipated to occur in service on any transport
category airplane.'' 66 FR 23086, 23108 (May 7, 2001).
---------------------------------------------------------------------------
3. Revise Definitions
TCCA commented that the proposed definitions of ``major failure
condition'' and ``hazardous failure condition'' do not include a pilot
compensation aspect and suggested changes to these definitions. TCCA
suggested adding ``(5) Considerable pilot compensation is required for
control'' to the definition of ``major failure condition'' and ``(4)
Intense pilot compensation is required to retain'' to the definition of
``hazardous failure condition'' in accordance with a pilot task-
oriented approach for evaluating airplane handling qualities. The FAA
does not agree to change the definitions as suggested. The FAA's
definitions of ``major failure condition'' and ``hazardous failure
condition'' already include the effects on the flightcrew and their
workload. Lastly, the definitions of ``major failure condition'' and
``hazardous failure condition'' specified in Sec. 25.4 are harmonized
with those specified in EASA AMC 25.1309. Changing those definitions
would disharmonize them with that AMC.
GAMA/AIA and Gulfstream requested the FAA replace ``persons'' with
``occupants'' in the Sec. 25.4 definition of ``hazardous failure
condition.'' The commenters stated that the use of ``persons'' in lieu
of ``occupants'' is an unsubstantiated expansion of the scope of the
safety analysis to include people not on the aircraft. In addition,
EASA's definition uses ``occupants.'' The FAA does not agree with this
request. The FAA intends the term ``persons'' not to be limited to
aircraft occupants. Although EASA's definition uses the term
``occupants,'' EASA has interpreted ``occupants'' to include persons
other than airplane occupants in its Acceptable Means of Compliance
(AMC) 25.1309. Specifically, AMC 25.1309 states, ``Where relevant, the
effects on persons other than the aeroplane occupants should be taken
into account when assessing failure conditions in compliance with CS
25.1309.''
TCCA commented that the FAA should revise its definition of
``hazardous failure condition'' to exclude fatalities. TCCA stated that
any fatalities should be considered catastrophic. The FAA did not make
this change in this final rule, as doing so would not be consistent
with long-standing FAA equivalent safety findings, nor with industry
standards and practice, and would disharmonize the definition of
``hazardous failure condition'' with EASA AMC 25.1309.
Boeing and GAMA/AIA requested the FAA revise the definition of
``catastrophic failure condition'' to incorporate a note regarding
failure conditions that would prevent continued safe flight and
landing (CSFL). Boeing also requested the FAA standardize the
definition across the ACs associated with this rulemaking because the
draft ACs were not consistent in their use of CSFL and in associating
this concept with ``catastrophic failure condition.'' The FAA partially
agrees with this request. The FAA added a note to the definition of
``catastrophic failure condition'' in AC 25.1309-1B to indicate that a
failure condition that would prevent continued safe flight and landing
should be classified as ``catastrophic'' unless otherwise defined in
other, more specific, ACs. The FAA did not add the note to the
regulatory definition in Sec. 25.4 because the note is guidance on the
application of the definition.
Boeing requested that the FAA update the Sec. 25.4(b)(1)
definition of ``major failure condition'' to add ``physical
discomfort'' as an effect on the flight crew and to use the term
``cabin crew'' instead of ``flight attendants'' for consistency with
EASA Acceptable Means of Compliance (AMC) 25.1309. The FAA agrees and
has incorporated these updates in the final rule for Sec. 25.4(b)(1).
GAMA/AIA and Gulfstream requested the FAA remove Sec.
25.4(b)(1)(iv) (``An effect of similar severity'') from the definition
of ``major failure condition'' in Sec. 25.4(b)(1). They stated this is
a new addition to the definition and may cause confusion. The FAA does
not agree to remove ``an effect of similar severity'' from the
definition. This phrase replaces the term ``for example'' in EASA's
definition. This does not add any additional criteria to the existing
safety objective of ``major'' severity.
Boeing and GAMA/AIA requested the FAA revise the definition of
``significant latent failure'' to ``Any latent failure that is present
in any combination of failures or events resulting in a hazardous or
catastrophic failure condition.'' Boeing stated that this proposed
definition minimizes possible misunderstanding or misinterpretation of
the significant latent failure. The FAA did not make this change
because the wording of the significant latent failure definition is
well-established and unchanged from AC 25.1309-1A.
Except for the foregoing updates to the definition of ``major
failure condition'' in Sec. 25.4(b)(1), new Sec. 25.4, Definitions,
is adopted as proposed.
B. Section 25.302, Interaction of Systems and Structures
In the NPRM, the FAA proposed a new section, Sec. 25.302, that
would require an applicant to account for systems, and their possible
failure, when assessing the structural performance of its proposed
design. Modern flight control systems are more sophisticated than their
predecessors and offer advantages such as load limiting and
alleviation. However, as the FAA discussed in the NPRM, these systems
can also have failure states that may allow the system to function in
degraded modes that flightcrews may not readily detect and in which the
load alleviation or limiting function may be adversely affected.
The FAA based much of its proposed regulation on the requirements
of special conditions that the FAA has issued for several years to
address these concerns on previous certification programs. However, as
detailed in the NPRM, proposed Sec. 25.302 included a number of
differences compared to the special conditions and as compared to EASA
CS 25.302. The primary objective of the Sec. 25.302 rule that the FAA
proposed in the NPRM was to reduce confusion for authorities and
applicants by simplifying the rule text relative to previously-issued
special conditions.
ATR, Boeing, Bombardier, TCCA, Airbus, EASA, GAMA/AIA, Gulfstream,
and ANAC did not object to the FAA codifying the terms of the special
conditions that it has been issuing to address this issue. However,
they requested the FAA harmonize proposed Sec. 25.302 with EASA CS
25.302, which includes Appendix K by reference, by using the same
language and, if possible, the same paragraph and appendix numbering.
The FAA recognizes the benefits of harmonization. These benefits
include regulatory predictability and the reduction of burden on
applicants and civil aviation authorities. Therefore, except as
discussed below, in this final rule, the FAA has harmonized new Sec.
25.302 with EASA CS 25.302 to match the language and structure of
EASA's rule to the extent allowed by FAA rulemaking constraints.
In this final rule, the FAA has revised the proposed Sec. 25.302
to more closely harmonize with EASA CS 25.302, which includes Appendix
K by reference. The FAA has revised proposed Sec. 25.302 to harmonize
with CS 25.302 in the determination of structural safety factors; the
load conditions that the applicant must consider following system
failures; residual strength substantiation; fatigue and damage
tolerance; failure indications; and dispatch with known failure
conditions. The FAA is revising these requirements relative to what was
proposed in the NPRM because much of the criteria in CS 25.302 more
closely matches the FAA Interaction of Systems and Structures special
conditions that have been applied on numerous transport category
airplane programs and have proven to provide a satisfactory level of
safety.\19\ Also, the NPRM proposal, if adopted, would have introduced
a number of differences between FAA and EASA requirements and created a
potential certification burden.
---------------------------------------------------------------------------
\19\ 87 FR 16626 (Mar. 24, 2022); 82 FR 36328 (Aug. 4, 2017).
---------------------------------------------------------------------------
The FAA stated in the NPRM that the proposed Sec. 25.302(e), which
would have provided structural requirements for dispatch under the
master minimum equipment list provided by the applicant, would provide
safety benefits by using a simpler approach to address the risk
associated with dispatching an airplane with known failure conditions.
However, the FAA agrees with commenters that two different sets of
criteria (FAA and EASA) would only cause more difficulty for
manufacturers, the FAA, and other civil aviation authorities. The FAA
also stated in the NPRM that proposed Sec. 25.302 would provide safety
benefits by using simpler, and in some cases more conservative,
criteria compared with CS 25.302 and previous FAA special conditions.
The FAA agrees with commenters that its special conditions, which used
the same factor-of-safety formulae as used in CS 25.302, have proven to
provide a satisfactory level of safety and that more conservative
criteria are not necessary. By more closely harmonizing with CS 25.302
and previous FAA special conditions, applicants will be able to rely on
past practices. The public could have reasonably anticipated the FAA
would adopt final rule text that closely harmonizes with CS 25.302,
given the FAA's prior special conditions, the common safety purpose of
the FAA and EASA regulations on this topic, and the
harmonization discussion throughout the NPRM.
In this final rule, the FAA has also revised Sec. 25.302 to
harmonize with CS 25.302 in terms of the rule structure and paragraph
numbering, although CS-25 includes CS 25.302 criteria within Appendix
K, while 14 CFR part 25 includes all criteria directly in Sec. 25.302.
The regulatory text proposed by the FAA in the NPRM did not require
applicants to consider the effect of nonlinearities, but the preamble
reflected the FAA's assumption that applicants would do so. Consistent
with CS 25.302, in this final rule, the FAA has made this consideration
a regulatory requirement.
In the NPRM, the FAA stated that proposed Sec. 25.302 would not
include any aeroelastic stability requirements, only loads
requirements. The FAA did not revise this final rule to harmonize with
CS 25.302 in terms of aeroelastic stability criteria. As discussed in
the NPRM, the FAA finds that the failure criteria specified in Sec.
25.629 are adequate, and there is no need to propose different failure
criteria in Sec. 25.302.
Airbus, Boeing, Bombardier, Dassault, DeHavilland, GAMA/AIA,
Gulfstream, Pratt & Whitney, and TCCA requested specific changes to
proposed Sec. 25.302 in the event the FAA chose not to harmonize Sec.
25.302 with EASA CS 25.302. The requested specific changes are no
longer applicable as the FAA has largely harmonized Sec. 25.302 in
this final rule with EASA CS 25.302.
Airbus proposed that the FAA consolidate, into new Sec. 25.302,
the requirement of Sec. 25.305(f) that the airplane must be designed
to withstand any forced structural vibration resulting from any
failure, malfunction, or adverse condition in the flight control
system. The FAA does not agree. In this final rule, the FAA keeps those
as separate requirements because the requirement in Sec. 25.305(f) may
apply to systems and failures not addressed by Sec. 25.302. Also,
Sec. 25.305(f) is currently harmonized with CS 25.305(f).
1. Summary of Requirements
For airplanes equipped with systems that affect structural
performance, Sec. 25.302, in this final rule, requires the applicant
to take into account the influence of these systems and their failure
conditions when showing compliance with the requirements of subparts C
and D of 14 CFR part 25. New Sec. 25.302(b) specifies requirements for
when the systems are fully operative. New Sec. 25.302(c) specifies
requirements for failure conditions at the time of occurrence (Sec.
25.302(c)(1)) and for the continuation of flight (Sec. 25.302(c)(2)).
New Sec. 25.302(c) includes requirements related to structural
vibrations, residual strength, and fatigue and damage tolerance for
these failure conditions. Finally, the rule provides failure indication
(Sec. 25.302(d)) and dispatch requirements (Sec. 25.302(e)).
2. Applicability
Boeing, Bombardier, DeHavilland, GAMA/AIA, and Pratt & Whitney
requested that the FAA clarify the applicability of proposed Sec.
25.302, including whether the FAA's final rule would apply only, as did
the FAA's special conditions and EASA CS 25.302, to the airplane
structure whose failure could prevent continued safe flight and
landing. The applicability of Sec. 25.302 in this final rule is as
follows.
As stated in the final rule text, Sec. 25.302 applies to systems
that affect structural performance, either directly or as a result of a
failure or malfunction. A system affects structural performance if it
can induce loads on the airplane or change the response of the airplane
to inputs such as gusts or pilot actions.
Examples of these systems include flight control systems,
autopilots, stability augmentation systems, load alleviation systems,
and fuel management systems.
Section 25.302, in this final rule, specifies the loads that the
applicant's analysis must apply to structure, taking into account the
systems defined above, operating normally and in the failed state. As
stated in the final rule text, these structural requirements apply only
to structure whose failure could prevent continued safe flight and
landing. This limitation is consistent with the requirements of the
special conditions that the FAA has been applying for more than twenty
years.
Section 25.302, in this final rule and as proposed in the NPRM,
does not apply to the flight control jam conditions covered by Sec.
25.671(c)(3) or the discrete source events covered by Sec. 25.571(e).
Section 25.302 also does not apply to any failure or event that is
external to (not part of) the system being evaluated and that would
itself cause structural damage.
3. Clarification of Terms
In this final rule, Sec. 25.302(b) states that with the system
fully operative, the applicant must investigate the effect of
nonlinearities sufficiently beyond limit conditions to ensure the
behavior of the system presents no detrimental effects compared to the
behavior below limit conditions. The intent of this sentence is to
require the applicant to investigate the system effects ``sufficiently
beyond limit'' to ensure that no detrimental effects could occur at
limit load or just beyond.
Sections 25.302(c)(1)(ii) and (c)(2)(iii) of this final rule
include a reference to residual strength substantiation. This
refers to the residual strength substantiation required by Sec.
25.571(b).
Section 25.302(c)(2)(iv) of this final rule states that if the
loads induced by the failure condition have a significant effect on
fatigue or damage tolerance, then the applicant must take their effects
into account. A failure condition has a ``significant'' effect on
fatigue or damage tolerance if it would result in a change to
inspection thresholds, inspection intervals, or life limits.
Section 25.302(d)(1) of this final rule requires the flightcrew to
be made aware of certain failure conditions before flight, as far as
practicable. In this case, ``as far as practicable'' means that if
automatic failure indication can detect such a failure using current
technology, then that failure should be so monitored and indicated to
the flightcrew before flight.
4. Significant Standards Differences Between Sec. 25.302 and EASA CS
25.302
Section 25.302 of this final rule differs from CS 25.302 and
Appendix K, as discussed below.
As noted above, unlike CS 25.302, new Sec. 25.302 does not include
any aeroelastic stability requirements. Section 25.629 and CS 25.629
both specify flutter speed margins for failure conditions, but CS
25.302 includes additional aeroelastic failure criteria. As indicated
in the NPRM, the FAA finds the failure criteria specified in Sec.
25.629 to be adequate, and additional failure criteria in Sec. 25.302
are unnecessary. This is a significant standards difference between
Sec. 25.302 and CS 25.302.
The NPRM proposed, and in this final rule Sec. 25.302 requires,
the evaluation of any system failure condition not shown to be
extremely improbable or that results from a single failure. Several
commenters, including Bombardier, Airbus, and TCCA, stated that single
failures that an applicant shows to be extremely improbable should not
be included in Sec. 25.302, while Boeing agreed that single failures
should be included regardless of probability. The FAA does not agree to
exclude single failures from Sec. 25.302 in this final rule for the
following reasons:
(1) To be consistent with Sec. Sec. 25.671 and 25.1309, both of
which require the evaluation of single failures, and related guidance,
and past practice for these regulations, the FAA determined, as
indicated in the NPRM, that single
failures should be assumed to occur regardless of probability.
(2) The typical language of the FAA's Interaction of Systems and
Structures special conditions, used to address this issue on a variety
of transport category airplane programs for more than twenty years,
refers to any system failure condition ``not shown to be extremely
improbable.'' Even though the special conditions have not explicitly
mentioned single failures, the FAA's long-standing position on single
failures is that they cannot be accepted as being extremely improbable.
As noted in AC 25.1309-1A, dated June 21, 1988: ``In general, a failure
condition resulting from a single failure mode of a device cannot be
accepted as being extremely improbable.''
(3) The FAA has determined that not including single failures in
the evaluation would reduce safety.
To conclude, CS 25.302 requires the evaluation of any system
failure condition not shown to be extremely improbable, and that rule
does not explicitly mention single failures. Therefore, this is a
significant standards difference between Sec. 25.302 in this final
rule and CS 25.302.
CS 25.302 and Sec. 25.302 in this final rule both require
evaluation of failure conditions that affect structural performance,
and for these failure conditions, both rules specify certain load
conditions that must be evaluated for the continuation of flight.
Section 25.302 includes an additional requirement not included in CS
25.302: Section 25.302(c)(2)(i)(F) requires the applicant to evaluate
any other load condition for which a system is specifically installed
or tailored to reduce the loads of that condition. ``Tailored'' means
the system is designed or modified to change the response of the
airplane to inputs such as gusts or pilot actions and thereby affect
the resulting loads on the airplane. This is necessary to account for
any systems that are designed to reduce the loads resulting from load
conditions not specified in Sec. 25.302(c)(2)(i)(A) through (E) and
whose failure would increase loads relative to the design load level.
This is a significant standards difference between Sec. 25.302 and CS
25.302.
5. Nonsignificant Standards Differences Between Sec. 25.302 and EASA
CS 25.302
Section 25.302 does not include paragraphs (a) and (b) from CS-25
Appendix K, K25.1 General, except for one sentence from K25.1(a). That
sentence indicates that the criteria in Sec. 25.302 are only
applicable to structure whose failure could prevent continued safe
flight and landing. Also, new Sec. 25.302(c), discussed above, does
not include paragraph (c)(3) from Appendix K, K25.2 Effects of Systems
on Structures. The FAA did not include these paragraphs because the FAA
determined they are general in nature and do not contain any specific
requirements.
Section 25.302 does not include the definitions found in paragraph
K25.1(c). The FAA determined these terms are sufficiently understood
and do not need to be provided in the rule.
While Sec. 25.302 is mostly harmonized with CS 25.302, there are a
number of minor differences in wording, as follows:
CS-25 K25.2 paragraph (b) provides requirements for a fully
operative system. Section 25.302(b) mandates the same requirements but
states them more succinctly.
CS-25 K25.2 paragraph (c) provides requirements for a failed
system. Section 25.302(c) mandates the same requirements but removes
passive voice and states those requirements more succinctly.
CS-25 K25.2 paragraph (d) provides failure indication requirements.
Section 25.302(d) mandates the same requirements but does not include
the last two sentences of K25.2 paragraph (d)(1) because they are
unnecessary given the first two sentences of paragraph (d)(1).
CS-25 K25.2 paragraph (e) and Sec. 25.302(e) of this final rule
address dispatch requirements. In Sec. 25.302(e), the FAA includes a
specific reference to the Master Minimum Equipment List, which the
operator uses to develop their Minimum Equipment List, the primary
document that controls dispatch requirements. Also, CS 25.302(e)
includes a requirement that flight and operational limitations be such
that being in a failure state and then encountering limit load is
extremely improbable. The FAA did not include this requirement because
Sec. 25.302(e) already includes specific criteria related to dispatch,
and this requirement could potentially conflict with those criteria.
Finally, EASA includes CS 25.302 criteria within CS-25 Appendix K,
while this final rule includes the equivalent criteria in Sec. 25.302.
In conclusion, to address the potential effects of aircraft systems
on structure, the FAA does not adopt the text of Sec. 25.302 that the
FAA proposed in the NPRM. Instead, the FAA, as requested by several
commenters, adopts a new Sec. 25.302 that more closely hews to the
language of the FAA's longstanding special conditions on this topic and
to EASA CS 25.302, with the modifications set forth in the foregoing
discussion.
C. Section 25.629, Aeroelastic Stability Requirements
Summary of Changes to Current Rule
Section 25.629 establishes several requirements to ensure the
aeroelastic stability of the airplane. For example, it requires the
applicant to consider the potential effect of several types of failures
on the airplane's aeroelastic stability. In the NPRM, the FAA proposed
to revise paragraphs (b) and (d) of this section, as discussed below.
In this final rule, the FAA is revising the paragraph numbers of
Sec. 25.629 to correspond with EASA's rule (i.e., Sec. 25.629(d)(9)
becomes (d)(10); Sec. 25.629(d)(10) becomes (d)(11); and the failure
evaluation requirements are introduced in Sec. 25.629(d)(9)), as
requested by commenters and explained below. The FAA is also revising
the text in Sec. 25.629(d)(9), as requested by commenters and as
explained below, to harmonize with EASA CS 25.629(d)(9) and to clarify
when the new failure evaluation requirements are applicable.
Furthermore, as requested by commenters and explained below, the FAA is
not revising Sec. 25.629(b), as was proposed in the NPRM, to include
the reference to Sec. 25.333. Instead, the FAA is revising Sec.
25.629(a) to clarify that the aeroelastic evaluation must include any
condition of operation within the maneuvering envelope. This revision
to proposed Sec. 25.629(a) is consistent with existing
industry practice of evaluating the aeroelastic impact of loads due to
allowed maneuvers for part 25 airplanes and is stated explicitly in
Sec. 23.629 at amendment 23-63 \20\ and EASA CS 23.629 amendment 23/4.
The FAA also revised Sec. 25.629(a) in this final rule to consistently
use the singular term ``evaluation'' where it appears in order to
prevent confusion.
---------------------------------------------------------------------------
\20\ 76 FR 75736 (December 2, 2011).
---------------------------------------------------------------------------
1. Paragraphs (a) and (b)
In the NPRM, the FAA proposed to specify that the aeroelastic
stability envelope addressed by Sec. 25.629(b) includes the range of
load factors in Sec. 25.333, Flight Maneuvering Envelope.
GAMA/AIA, Gulfstream, DeHavilland, Airbus, Bombardier, and Boeing
requested the FAA not make this change. The commenters stated this
would be an expansion of the traditional scope of Sec. 25.629 and that
it would disharmonize the FAA's rule with EASA rules. The commenters
also stated that the structural design envelope defined in Sec. 25.333
is not intended for
aeroelastic stability analysis and should not be confused with the
normal flight envelope of an airplane.
The FAA agrees with the commenters that the proposed change would
disharmonize with CS 25.629 and potentially confuse the FAA's
aeroelastic stability requirements with the strength requirements of
Sec. 25.333. Therefore, in this final rule, the FAA did not adopt the
reference to Sec. 25.333 in Sec. 25.629(b), which remains unchanged.
However, including conditions within the flight maneuvering
envelope that is described in Sec. 25.333 in aeroelastic stability
evaluations is common practice because such conditions are anticipated
to be encountered in flight and therefore need to be free from
aeroelastic instabilities. Thus, although paragraph (b) of Sec. 25.629
does not reference Sec. 25.333, in this final rule, paragraph (a) of
Sec. 25.629 now states that the aeroelastic evaluation must ``include
any condition of operation within the maneuvering envelope.'' This
change to Sec. 25.629(a) is consistent with Sec. 23.629 at amendment
23-63 and EASA CS 23.629 amendment 23/4, which also address conditions
of operation in paragraph (a). The FAA has also issued AC 25.629-1C,
Aeroelastic Stability Substantiation of Transport Category Airplanes,
to provide more details, further clarify the intent of the rule change,
and provide an acceptable means of compliance.
2. Paragraph (d)
In the NPRM, the FAA proposed to relocate certain requirements for
applicants to analyze specific failures from Sec. 25.671(c)(2) to
Sec. 25.629(d).
Gulfstream requested the FAA revise proposed Sec. 25.629(d) to
consider the probability of the noted failure conditions and exclude
extremely improbable failure combinations. Gulfstream stated that
current Sec. 25.671(c)(2) states ``Any combination of failures not
shown to be extremely improbable. . .''; however, proposed Sec.
25.629(d)(10) would not have limited its scope to ``combination of
failures not shown to be extremely improbable.'' In addition, GAMA/AIA
requested the FAA not adopt proposed Sec. 25.629(d)(10) and instead
leave these requirements in current Sec. 25.671. GAMA/AIA stated that
by explicitly adding the failures to proposed Sec. 25.629(d)(10),
regardless of probability, a more strenuous requirement is added
without justification. GAMA asserted that retention of the exclusion of
extremely improbable combinations will serve to incentivize designs of
higher reliability.
The FAA does not agree with these requests or with the commenters'
suggestions to limit the required consideration to
failures that the applicant cannot show are extremely improbable. The
stated conditions need to be considered by the applicant regardless of
probability calculations if the airplane's aeroelastic stability relies
on flight control system stiffness, damping, or a combination of both.
Proposed Sec. 25.629(d)(10), which is now paragraph (d)(9) in the
final rule, reflects current industry practice and existing guidance in
AC 25.629-1B and EASA Acceptable Means of Compliance (AMC) Sec.
25.629. In addition, the requested change would have introduced a
significant difference between the standards of the FAA and EASA CS
25.629.
Boeing, Bombardier, and Gulfstream requested that proposed
paragraph Sec. 25.629(d)(10) be more closely harmonized with the
corresponding CS 25.629 paragraph in its introductory text to include
the text ``where aeroelastic stability relies on flight control system
stiffness and/or damping'' to provide clarity to the application of
this requirement. The FAA agrees with this request because it clarifies
the situations for which failure evaluations are required and has
updated Sec. 25.629(d)(9) in the final rule to more closely harmonize
with EASA and to include the text ``where aeroelastic stability relies
on flight control system stiffness, damping, or both.''
Airbus requested that the FAA remove the reference to Sec. 25.671
from current Sec. 25.629(d)(9). Airbus stated that this reference may
no longer be applicable because, in the NPRM, the FAA proposed to
consolidate the requirements in current Sec. 25.671(c)(1) and (c)(2)
under proposed Sec. 25.1309.
In this final rule, the FAA has redesignated paragraph (d)(9) of
Sec. 25.629 as paragraph (d)(10) and updated Sec. 25.671(c) to align
with CS 25.671(c). The FAA has retained the reference to Sec. 25.671
in Sec. 25.629(d)(10) because, in the final rule, applicants must
still evaluate the failure conditions of paragraph Sec. 25.671(c)
under Sec. 25.629(d)(10).
D. Section 25.671, Flight Control Systems
In the NPRM, the FAA proposed a number of revisions and additions
to Sec. 25.671, as summarized and discussed below. Airbus, ANAC,
Boeing, GAMA, Gulfstream, Safran, and TCCA requested the FAA harmonize
one or more paragraphs of Sec. 25.671 with EASA CS 25.671. The FAA
agrees with these requests and, in this final rule, has changed
proposed Sec. 25.671(a), (b), (c), (d), (e), and (f) to better align
with EASA CS 25.671.
1. Paragraph (a)
In the NPRM, the FAA proposed to revise Sec. 25.671(a) by
referring to each ``flight control'' and ``flight control system''
instead of ``control'' and ``control system.'' To harmonize with CS
25.671(a), the final rule now refers only to each ``flight control
system.'' This is not a substantive change from the NPRM.
In the NPRM, the FAA also proposed to revise Sec. 25.671(a) to
require the flight control system to continue to properly operate, and
not hinder airplane recovery when the airplane experiences certain
conditions, including any ``pitch, roll, or yaw rate, or vertical load
factor.'' The FAA proposed that this change would ensure there would be
no features or unique characteristics of the flight control system that
restrict the pilot's ability to recover from any attitude, pitch, roll
or yaw rate, or vertical load factor expected to occur due to operating
or environmental conditions. ANAC and TCCA suggested changing proposed
Sec. 25.671(a) to specify ``any flight dynamics parameter'' instead of
``any pitch, roll, yaw rate, or vertical load factor'' to harmonize
with EASA language. The FAA does not agree. The suggested change would
be a potentially open-ended requirement because ``any flight dynamics
parameter'' could mean many different parameters. The text in Sec.
25.671(a) \21\ is more specific, sufficient to accomplish its purpose,
and is adopted as proposed.
---------------------------------------------------------------------------
\21\ AC 25.671-1 provides additional information.
---------------------------------------------------------------------------
2. Paragraph (b)
In the NPRM, the FAA proposed to revise Sec. 25.671(b) by
referring to incorrect assembly that could result in ``failure of the
system to perform its intended function.'' To harmonize with CS
25.671(b), the final rule now refers to incorrect assembly that could
result in ``failure or malfunctioning of the system.'' This is not a
substantive change from the NPRM.
An individual commenter requested the FAA move the requirement to
minimize the probability of incorrect assembly from Sec. 25.671(b) to
Sec. 25.1309 and make it applicable to all systems. The commenter
stated that designing a system to ensure it can only be assembled
correctly is a basic good engineering practice. The FAA does not agree
to make this change to the regulation. The requirements of Sec.
25.671(b) apply only to flight control systems. Other systems are
subject to different requirements for minimizing
incorrect assembly and different marking requirements. The incorrect
assembly addressed by Sec. 25.671(b) is that which could result in
failure or malfunctioning of the system. Section 25.1309(a) requires
the proper functioning of the equipment, systems, and installations
whose function is required by subchapter C of title 14. The issue of
incorrect assembly is addressed in AC 25.1309-1B, by reference to
Aerospace Recommended Practice (ARP) 4761 ``Guidelines and Methods for
Conducting the Safety Assessment Process on Civil Airborne Systems and
Equipment.'' Improper assembly within ARP4761 is a manufacturing
consideration with consideration to common mode type sources or
failures/errors only.
ANAC requested the FAA harmonize proposed Sec. 25.671(b) with EASA
CS 25.671(b) by adding ``taking into consideration the potential
consequence of incorrect assembly'' to the requirement. The FAA does
not agree with this request. The general requirements of this paragraph
apply to each element of each flight control system regardless of the
potential consequence of incorrect assembly.
Revised Sec. 25.671(b) is therefore adopted as proposed.
3. Introductory Text of Paragraph (c)
The NPRM proposed certain conforming changes to the introductory
text of paragraph (c), as a result of the FAA's proposal to remove the
flight control system failure criteria of Sec. 25.671(c)(1) and (c)(2)
and substitute the general criteria of 14 CFR 25.1309. As explained
below, the FAA decided to retain the specific criteria of Sec.
25.671(c)(1) and (c)(2), and so the proposed changes to the
introductory text of paragraph (c) are now no longer necessary.
Therefore, in this final rule, the introductory paragraph (c) is
unchanged from the current paragraph (c), except as described herein.
The current Sec. 25.671(c) introductory text refers to the flight
control system and surfaces (including trim, lift, drag, and feel
systems). To harmonize with CS 25.671(c), the final rule refers only to
the flight control system, which includes surfaces and the other
referenced systems. This is not a significant change.
The current Sec. 25.671(c) introductory text requires the
applicant to show that the airplane is capable of continued safe flight
and landing after jams and other failures ``without requiring
exceptional piloting skill or strength.'' Gulfstream requested the FAA
not remove ``without requiring exceptional skill or strength'' from
Sec. 25.671(c). The FAA does not agree because that clause is now
included in the definition of continued safe flight and landing
provided in AC 25.671-1. Therefore, including this phrase in Sec.
25.671(c) is no longer necessary. The final rule is also harmonized
with CS 25.671(c) and AMC 25.671 in this regard.
Gulfstream requested the FAA not eliminate, as it proposed in the
NPRM, the Sec. 25.671(c) requirement for probable flight control
failures to have only ``minor'' effects. The company stated that minor
failures for Sec. 25.1309 tend to only have a functional hazard
assessment (FHA)-level review in the SSA. There is no specific
requirement in Sec. 25.1309(b) to address minor failures. As such,
there may be probable flight control failures that are not explicitly
addressed by the Sec. 25.1309(b) process. The FAA agrees. The final
rule retains the noted text.
ANAC requested the FAA move the requirement that compliance be
shown ``by analysis, test, or both . . .'' from Sec. 25.671(c) to AC
25.671-1, stating that this text is guidance. The FAA does not agree.
This portion of the text in Sec. 25.671(c) was not proposed to be
revised in the NPRM, has been in place for many decades in the current
rule, is understood by applicants, and is harmonized with CS 25.671(c).
4. Paragraphs (c)(1) and (c)(2)
The NPRM proposed that current Sec. 25.671(c)(1) and (c)(2) be
removed and all flight control system failures be covered by Sec.
25.1309. Boeing, Airbus, ANAC, GAMA/AIA, Gulfstream, and TCCA requested
the FAA retain the current Sec. 25.671(c)(1) and (c)(2) in order to
better align Sec. 25.671(c) with EASA CS 25.671(c). The FAA agrees
with commenters that removing Sec. 25.671(c)(1) and (c)(2) would
create a certification burden due to differences with EASA requirements
and because different means of compliance are normally used for
Sec. Sec. 25.671(c) and 25.1309(b), as described in their respective
ACs. Therefore, the FAA agrees to retain Sec. 25.671(c)(1) and (c)(2).
If the FAA chose not to change Sec. 25.671(c)(1) and (c)(2), TCCA,
ANAC, Bombardier, and Boeing requested specific changes to Sec.
25.671(c) in order to more closely harmonize with EASA CS 25.671(c).
The requested changes are no longer relevant as the FAA has decided to
retain Sec. 25.671(c)(1) and (c)(2).
5. Paragraph (c)(3)
In the NPRM, the FAA proposed that revised Sec. 25.671(c) would
address flight control jams. With the retention of Sec. 25.671(c)(1)
and (c)(2), described above, flight control jams will continue to be
addressed by Sec. 25.671(c)(3). The proposed rule would have addressed
flight control jams in Sec. 25.671(c)(1), (c)(2), and (c)(3). The
corresponding paragraphs for these requirements in this final rule are
Sec. 25.671(c)(3)(i), (c)(3)(ii), and (c)(3)(iii).
To harmonize with CS 25.671(c)(3) and as recommended by the ARAC
FCHWG, and as described in the NPRM, this final rule refers to jams of
a flight control surface or pilot control that are ``fixed in
position'' due to a physical interference.
6. Exception in Paragraph (c)(3)(ii)
Proposed Sec. 25.671(c)(2) would have excepted jams that occur
immediately before touchdown if the applicant were able to show that
such jams are extremely improbable. (In this final rule, Sec.
25.671(c)(2) is renumbered as Sec. 25.671(c)(3)(ii).) The FAA proposed
this exception due to the lack of practical means for applicants to
show compliance, and the short duration of the potential hazard.
GAMA/AIA and Gulfstream requested the FAA revise proposed Sec.
25.671(c)(2) to incorporate the 2002 ARAC FCHWG recommendation, which
excluded consideration of jams occurring immediately before touchdown
regardless of probability.
The FAA agrees that the consideration of jams before touchdown
should not be linked with a numerical estimate of the probability of
the jam. Instead, in this final rule the FAA has reworded Sec.
25.671(c)(3)(ii) to exclude consideration of jams immediately prior to
touchdown if the risk of a potential jam is minimized to the extent
practical. AC 25.671-1 provides guidance on acceptable means of showing
compliance with this requirement.
This is a difference between Sec. 25.671(c)(3)(ii) and EASA CS
25.671(c)(3)(ii) because CS 25.671(c)(3)(ii) does not include an
exception for jams occurring just before touchdown. The FAA expects
this difference to have no effect in practice because EASA guidance
included in Acceptable Means of Compliance (AMC) Sec. 25.671 similarly
allows jams before touchdown to be excluded if an assessment of the
design shows that all practical precautions have been taken. Therefore,
the FAA finds that, with this final rule, there will not be a
significant standards difference between the FAA and EASA requirements.
Airbus asked that the FAA also except jams during the takeoff phase
because, in both cases, exposure time is limited. The FAA does not
agree. The ARAC FCHWG did not recommend excluding
the takeoff phase, only the landing phase. Although flight control jams
can occur during takeoff, practical design solutions can be put in
place to mitigate such jams. Note that AC 25.671-1 states that, for
jams that occur during takeoff, the applicant may assume that if the
jam is detected prior to V1, the takeoff will be rejected.
DeHavilland requested confirmation that the new requirements
related to flight control jams do not change what the company describes
as accepted current practice. That practice would allow jams in
spring-tab mechanisms that could occur during takeoff to be evaluated
probabilistically, and the short exposure time during takeoff could be
considered in determining the probability of such jams. This final rule
requires the applicant to determine the type of jam or failure being
assessed. For those flight control jams evaluated under Sec.
25.671(c)(3), the probability of the jam, and the short exposure time
during takeoff, may not be considered in showing compliance with that
regulation. The FAA did not change the rule or associated guidance as a
result of this comment.
7. Paragraph (c)(3)(iii)
Section 25.671(c)(3)(iii) states that in addition to the jam being
evaluated, any additional failure conditions that could prevent
continued safe flight and landing must have a combined probability of
1/1000 or less, rather than ``less than 1/1000'' as proposed in the
NPRM. This harmonizes with CS 25.671(c)(3).
GAMA/AIA requested that the FAA use ``failure states'' in place of
``failure conditions'' in Sec. 25.671(c)(3)(iii) because the 2002 ARAC
FCHWG report used ``failure states.'' The FAA does not agree. The term
``failure conditions'' is well-understood, has been used for many
years, and is appropriately used in this regulation. In addition, CS
25.671(c)(3) also refers to ``failure conditions.'' The FAA added
guidance in AC 25.671-1 to explain this requirement.
Except for the differences noted in the foregoing discussion,
revised Sec. 25.671(c) is adopted as proposed.
8. Paragraph (d)
Section 25.671(d) requires that the airplane remain controllable if
all engines fail. In the NPRM, the FAA proposed to add a requirement
that an approach and flare to a landing and controlled stop must also
be possible, assuming that a suitable runway is available. GAMA/AIA,
TCCA, and Boeing requested the FAA add ``and flare to ditching'' to the
new requirements. Since the most likely scenario leading to a
controlled ditching is loss of all engines, the scenario is relevant,
according to the commenters. The FAA agrees with this request because a
flare to a ditching may require different reconfiguration than would be
required for landing; for example, flap settings and pitch attitude.
Adding the flare to a ditching requirement to Sec. 25.671(d) will also
harmonize the rule with CS 25.671(d).
Gulfstream and GAMA/AIA requested the FAA remove the requirement
for a controlled stop from proposed Sec. 25.671(d) as they felt a
braking requirement should not be added to a general flight control
system requirement. The FAA does not agree. Stopping capability can be
affected by flight controls, including spoilers, flaps, and rudder. In
addition, this would result in a difference compared to EASA CS-25
language.
TCCA and ANAC requested that the FAA remove the following sentence
from proposed Sec. 25.671(d): ``The applicant may show compliance with
this requirement by analysis where the applicant has shown that
analysis to be reliable.'' The commenters stated that this sentence
describes an acceptable means of compliance, which is adequately
covered in the corresponding guidance. The FAA agrees and did not
include this sentence in the final rule.
Except for the changes noted in the foregoing discussion, Sec.
25.671(d) is adopted as proposed.
9. Paragraph (e)
In the NPRM, the FAA proposed to add new Sec. 25.671(e), requiring
the flight control system to indicate whenever the primary control
means are near the limit of control authority. The FAA proposed this
change due to the lack of direct tactile link between the flightdeck
control and the control surface on airplanes equipped with fly-by-wire
control systems.
DeHavilland requested that the FAA use ``must provide appropriate
feedback to the flight crew . . .'' in place of ``must indicate to the
flight crew'' in new Sec. 25.671(e). The company stated that for
non-fly-by-wire systems, the air loads are either naturally sensed or
simulated. The company also commented that the use of the word
``indicate'' in the proposed requirement has a potential for
misinterpretation, as tactile feedback is not normally considered as an
``indication.'' The commenter acknowledged draft AC 25.671-X addresses
use of feel forces and cockpit control movement to meet this
requirement.
The FAA does not agree to make this change. As noted by the
commenter, the AC addresses use of tactile feedback as a method of
compliance with this requirement.
ANAC and TCCA commented that the FAA should harmonize the new
requirement of Sec. 25.671(e) with CS 25.671(e) to remove any possible
misunderstanding. The FAA agrees. The proposed rule stated that the
``flight control system'' must indicate to the flightcrew whenever the
primary control means is near the limit of control authority. This
final rule is revised to harmonize with CS 25.671(e) and requires ``the
airplane'' to be designed to indicate to the flightcrew whenever the
primary control means is near the limit of control authority. This is
not a substantive change.
10. Paragraph (f)
In the NPRM, the FAA proposed to add new Sec. 25.671(f), requiring
that the flight control system alert the flightcrew whenever the
airplane enters any mode that significantly changes or degrades the
normal handling or operational characteristics of the airplane.
ANAC and TCCA commented that the FAA should fully harmonize Sec.
25.671(f) with CS 25.671(f) to remove any possible misunderstanding.
The FAA agrees. The proposed rule would have required that the flight
control system alert the flightcrew whenever the airplane enters a
flight control mode of concern. This final rule is revised to harmonize
with CS 25.671(f) and thus requires the system to provide ``appropriate
flightcrew alerting.'' This is not a substantive change.
11. Relationship Between Sec. Sec. 25.671(c) and 25.1309
ANAC, Boeing, and GE sought clarification from the FAA on the
applicability of Sec. Sec. 25.671(c) and 25.1309, particularly in
light of the changes proposed in the NPRM. As explained above, the FAA
decided to retain the structure of existing Sec. 25.671(c) in the
final rule, which will address the concerns raised by these commenters.
The FAA provides the following additional explanation relative to the
requirements of the final rule. Section 25.1309 applies to all systems
and equipment installed on the airplane, including the flight control
system. Section 25.671(c) also applies to the flight control system.
The safety requirements in Sec. 25.671(c)(1) and (c)(2) correspond
with those in Sec. 25.1309(b)(1). There are no fundamental differences
between these two sets of safety requirements as they apply to the
flight control system.
However, different methods of compliance may be used to comply with
Sec. 25.671(c)(1) and (c)(2) as compared to Sec. 25.1309(b)(1).
Sections 25.671(c)(1) and (c)(2) require the airplane to be capable
of continued safe flight and landing after any single failure and after
any combination of failures not shown to be extremely improbable.
Section 25.1309 requires that these failure conditions not be
catastrophic. While worded differently, these requirements are
functionally equivalent. AC 25.1309-1B states that a flight control
system failure condition that would prevent continued safe flight and
landing should be classified as catastrophic. AC 25.671-1 provides
specific criteria unique to the assessment of flight control system
failures. AC 25.1309-1B also provides guidance on assessing failure
conditions that apply to the flight control system.
Sections 25.1309(b)(2) through (b)(5), (c), and (e) also apply to
the flight control system. There are no requirements in Sec. 25.671
that correspond to these subparagraphs.
E. Section 25.901, Engine Installation
In the NPRM, the FAA proposed that Sec. 25.901(c) would specify
that the requirements of Sec. 25.1309 would apply to powerplant
installations. The FAA also proposed to remove the prohibition in Sec.
25.901(c) on catastrophic single failures and probable combinations of
failures since such failures would be adequately addressed
by the proposed Sec. 25.1309(b). The FAA proposed that these changes
would harmonize Sec. 25.901(c) with EASA CS 25.901(c).
Pratt & Whitney requested that the FAA add to Sec. 25.901(c) the
phrase ``or any other failure consistent with existing Sec. 33.75
single element exception requirements'' to ensure consistency with
Sec. 25.901(c) and existing requirements. The FAA does not agree with
the request. The referenced exception requirements only address
instances in which the failure of the single element is likely to
result in a hazardous engine effect. These effects are among the
conditions applicants use for evaluating the hazard to the engine under
engine airworthiness requirements, which do not consider the effect of
the airplane installation. For example, hazardous effects on the engine
may not necessarily result in a catastrophic failure at the airplane
level. Since the requirements of Sec. 33.75 are independent of the
aircraft airworthiness requirements, they are inadequate for evaluating
the hazard to the aircraft installation. The exceptions to Sec.
25.1309(b) that the FAA has identified in Sec. 25.901(c) are
consistent with existing powerplant installation requirements in part
25 and compliance showings to Sec. 25.901(c) before adoption of this
final rule. Expanding the exceptions to Sec. 25.1309(b) to include
aspects of Sec. 33.75 would not be consistent with existing part 25
powerplant installation requirements. The potential failure conditions
of the engine type design that should be excepted from Sec. 25.1309(b)
are adequately addressed by the exceptions identified by Sec.
25.901(c).
The FAA therefore adopts revised Sec. 25.901(c) as proposed.
F. Section 25.933, Reversing Systems
In the NPRM, the FAA proposed to add a ``reliability option'' for
thrust reversers to Sec. 25.933(a), allowing applicants to show that
an unwanted deployment of the reverser is extremely improbable (i.e.,
complies with 14 CFR 25.1309(b)), instead of only that the airplane
remains controllable if the reverser deploys in flight.
GAMA/AIA commented that the proposed wording of Sec. 25.933(a)
does not clearly communicate that the controllability option would
still require compliance with Sec. 25.1309, as noted in the regulatory
evaluation (footnote 58 of the NPRM). GAMA/AIA requested the wording of
Sec. 25.933(a) be changed to clearly define the requirement to show
compliance with Sec. 25.1309 regardless of controllability.
The FAA acknowledges that compliance with Sec. 25.1309 is required
regardless of which option an applicant chooses under Sec. 25.933(a)
since Sec. 25.901(c) requires compliance with Sec. 25.1309. However,
the FAA partially agrees, and in this final rule has revised Sec.
25.933(a) to clarify, that when an applicant chooses the reliability
option (new Sec. 25.933(a)(ii)), the applicant must account for the
potential hazard to the airplane assuming the airplane would not be
capable of continued safe flight and landing during and after an
in-flight thrust reversal when showing compliance with Sec. 25.1309(b).
Section 25.901(c) applies to the powerplant and auxiliary power unit
(APU) installation, except for the specific items listed in new Sec.
25.901(c). Compliance with Sec. 25.1309 is required for the powerplant
and APU installation, which includes the thrust reversing system, per
the new Sec. 25.901(c). The FAA finds that it is unnecessary to
restate in Sec. 25.933(a)(1) that compliance with Sec. 25.1309 is
required for the reversing system since it is already required by the
new Sec. 25.901(c) and not one of the items excepted.
Air Tech Consulting objected to the ``reliability option'' that the
FAA proposed in the NPRM. The commenter cited three inflight reverser
deployments in the past twelve months as justification for maintaining
the existing rule.
The FAA does not agree with this request. The incidents cited by
the commenter were not in-flight thrust reverser deployments, only
component failures or false indications.\22\ The FAA has made
equivalent safety findings on many proposed airplane models based on
the ARAC PPIHWG recommendations for Sec. 25.933(a)(1) and certified
many designs using the reliability approach rather than the
controllability approach in current Sec. 25.933(a)(1). The FAA does
not agree that these particular in-service events show that the systems
would not have met Sec. 25.1309(b) or that the longstanding
reliability approach for certification of the thrust reverser system is
inadequately safe.
---------------------------------------------------------------------------
\22\ Each of the three cited events was the result of either a
false indication of an unlocked reverser door or failure of the
primary lock followed by a small movement of a reverser door until
the secondary lock engaged, where the movement was enough to result
in an unlocked reverser indication. In either circumstance, the
reverser door did not deploy and an actual in-flight thrust reversal
did not occur. Also, after the close of the comment period for this
rule, a FedEx Boeing Model MD-11 experienced an unwanted in-flight
deployment on June 21, 2023. The thrust reversers on the airplane
were not certified using the reliability approach; however, the
design was reviewed by the FAA and Boeing (formerly Douglas) using
the ``Criteria for Assessing Transport Turbojet Fleet Thrust
Reverser System Safety,'' Revision A, dated June 1, 1994, which was
a reference document used by the ARAC PPIHWG to develop
recommendations for changes to Sec. 25.933(a). Boeing used a mixed
approach, in which the company demonstrated the Model MD-11 was
controllable following an unwanted in-flight deployment within
certain portions of the flight envelope and showed reliability,
using a thrust reverser SSA, for the remainder of the flight
envelope.
---------------------------------------------------------------------------
TCCA commented that systems design often needs to strike a balance
between availability (system performs its intended function when
needed) and integrity (protecting against system malfunctions). TCCA
requested that the FAA revise Sec. Sec. 25.933 and 25.1309(b) to
emphasize the need to consider system availability in conjunction with
integrity.
The FAA agrees that system availability is an important
consideration when designing the thrust reverser system. However, there
are already applicable airworthiness requirements, such as Sec. Sec.
25.901(b)(2) and 25.1309(a)(1), that address system availability and
reliability and that are related to the system's effect on airplane
safety. It is not necessary to provide additional emphasis on system
availability within Sec. Sec. 25.933 and 25.1309(b) since these
existing requirements are adequate to address the availability of
the thrust reverser system. Section 25.933(a)(1) addresses the specific
failure condition of an unwanted in-flight deployment only, and Sec.
25.1309(b) addresses the safety of equipment and systems as installed
on the airplane. Therefore, the FAA does not agree with the commenter's
request since requirements that influence system availability and the
relationship with propulsion system reliability, which apply to the
thrust reverser system, are already addressed in existing regulations.
The FAA included guidance on Sec. 25.901(b)(2) that is related to
Sec. Sec. 25.901(c) and 25.1309(b) in AC 25.901-1. Guidance for Sec.
25.1309(a)(1) can be found in AC 25.1309-1B.
The FAA therefore adopts revised Sec. 25.933 as proposed.
G. Section 25.1301, Function and Installation
In the NPRM, the FAA proposed to remove the ``function properly
when installed'' criterion in Sec. 25.1301(a)(4) for installed
equipment whose function is not needed for safe operation of the
airplane. In addition, the FAA proposed to remove Sec. 25.1301(b)
because it is redundant and unnecessary. Section 25.1301(b) required
that a proposed airplane's EWIS meet the requirements of subpart H of
part 25. The FAA proposed removing Sec. 25.1301(b) because subpart H
specifies its applicability and the requirements in subpart H can stand
alone. The FAA received no substantive comments on proposed Sec.
25.1301.
The FAA therefore adopts revised Sec. 25.1301 as proposed.
H. Section 25.1309, Equipment, Systems and Installations
1. Applicability
In the NPRM, the introductory paragraph of proposed Sec. 25.1309
explained that the regulation would apply to any equipment or system
installed on the airplane except as provided in paragraphs (e) and (f).
Boeing, ANAC, Gulfstream, GAMA/AIA, and Garmin requested that the FAA
delete paragraphs (e) and (f) of proposed Sec. 25.1309 and move their
content to the introductory paragraph to align with CS 25.1309. The
commenters also noted that these paragraphs included regulatory
exceptions to Sec. 25.1309 and showing compliance to an ``exception''
raised administrative issues. The FAA agrees and updated Sec. 25.1309
accordingly.
Proposed Sec. 25.1309(e) would have excluded flight control jams
governed by Sec. 25.671(c) from the proposed single-failure
requirement in Sec. 25.1309(b)(1)(ii). Gulfstream proposed that flight
control jams be excluded from all of Sec. 25.1309 and stated that
additional guidance would be needed if flight control jams were not
excluded from Sec. 25.1309(b). Although the FAA has historically used
Sec. 25.671(c) rather than Sec. 25.1309 to address flight control
jams, the FAA does not agree that flight control jams should be
excluded from the other paragraphs of Sec. 25.1309 because those
requirements apply to flight control systems and are necessary for
managing the risk of flight control jams.
The FAA agrees, however, that flight control jams should be
excluded from all of Sec. 25.1309(b), and the final rule is revised
accordingly. The FAA did not intend Sec. 25.1309(b) to apply to flight
control jams because an evaluation of the failure conditions under
Sec. 25.1309(b) requires the applicant to determine numerical
probabilities, which is not practical for flight control jams. Since
EASA CS 25.1309 excludes flight control jams from only CS
25.1309(b)(1)(ii), this is a substantive difference between the FAA and
EASA's regulations.
Proposed Sec. 25.1309(f)(1) stated that Sec. 25.1309(b) does not
apply to single failures in the brake system because such failures are
addressed by Sec. 25.735(b)(1). GAMA/AIA requested the FAA change
``single failures'' to ``failures'' to be consistent with Sec. 25.735.
The FAA does not agree with this request because other types of
failures in the brake system should be evaluated under Sec.
25.1309(b).
Proposed Sec. 25.1309(f)(2) stated that Sec. 25.1309(b) would not
apply to the failure effects addressed by Sec. Sec. 25.810(a)(1)(v)
and 25.812. Gulfstream and GAMA/AIA requested that the FAA replace
``25.810(a)(1)(v)'' with ``25.810'' to harmonize with CS 25.1309. The
FAA does not agree because Sec. 25.810(a)(1)(v) provides specific
deployment and usability criteria for certain means of evacuation
assistance, and this subparagraph alone is relevant to the exception
discussion. However, the FAA updated ``failure effects'' to ``failure
conditions'' to harmonize with CS 25.1309.
EASA requested that the FAA clarify the exception from compliance
with Sec. 25.1309(b) that proposed Sec. 25.1309(f)(3) would have
provided regarding Sec. 25.1193, ``Cowling and nacelle skin,'' and
suggested that the FAA change it from Sec. 25.1193 to Sec.
25.1193(a). EASA also stated that there may be value in considering
Sec. 25.1193 as applicable under Sec. 25.1309 for systems that are
used for opening or closing doors and monitoring proper closure/latched
conditions. Furthermore, EASA asked why Sec. 25.1193 was not also
included in the propeller debris release exception in proposed Sec.
25.1309(f)(4).
The FAA made no changes to the final rule in response to these
comments. The NPRM explains that Sec. Sec. 25.1193 and 25.905(d)
already require applicants to consider the specific failures of fires
from uncontained engine failures and engine case burn-through. Thus, it
is not necessary to consider these same failures under Sec. 25.1309 as
well. Furthermore, nacelle cowl door opening, closure, position
monitoring, latching, and other potential failure conditions are
discussed in AC 25.901-1 for compliance with Sec. Sec. 25.901(c) and
25.1309.
2. Paragraph (a)
In the NPRM, the FAA proposed to require that all installed
airplane equipment and systems whose improper functioning would reduce
safety perform as intended under the airplane operating and
environmental conditions (Sec. 25.1309(a)(1)). The FAA also proposed
that all equipment and systems not subject to the foregoing requirement
not have an adverse effect on the safety of the airplane or its
occupants (proposed Sec. 25.1309(a)(2)). The latter requirement would
have allowed such equipment to be approved by the FAA even if it may
not perform as intended.
ANAC commented that proposed Sec. 25.1309(a)(1) stated ``equipment
and systems, as installed, must meet'' this requirement, while the ARAC
SDAHWG recommended wording states ``equipment and systems must be
designed and installed so that . . . .'' \23\ ANAC recommended that the
FAA adopt the proposed ARAC wording and match EASA CS 25.1309. The FAA
agrees to harmonize the rule text to avoid any possible interpretation
differences and this final rule has updated Sec. 25.1309(a).
---------------------------------------------------------------------------
\23\ www.faa.gov/regulations_policies/rulemaking/committees/documents/media/TAEsdaT2-5241996.pdf.
---------------------------------------------------------------------------
GAMA/AIA and Boeing requested the FAA revise proposed Sec.
25.1309(a)(1) to replace ``whose improper functioning would reduce
safety'' with ``whose function is necessary for safe operation of the
airplane.'' The commenters were concerned that using the proposed
phrase could result in equipment, systems, and installations intended
for convenience to be subjected to Sec. 25.1309(a)(1) requirements.
The FAA
did not revise Sec. 25.1309(a)(1) as suggested because this change
would exclude evaluation of systems whose failure would have a safety
effect. The suggested change would also disharmonize this rule with
EASA CS 25.1309(a)(1).
Bombardier requested the FAA harmonize its proposed Sec.
25.1309(a)(2) rule text of ``functioning normally or abnormally'' with
the CS 25.1309(a)(2) rule text of ``not a source of danger.'' The FAA
declines to update proposed Sec. 25.1309(a)(2) as suggested. Although
the phrase ``functioning normally or abnormally'' used in proposed
Sec. 25.1309(a)(2) is different from the ``not a source of danger in
themselves'' used in EASA CS 25.1309(a)(2), the FAA considers these
phrases as having generally the same meaning. ``Not a source of
danger'' is largely synonymous with ``safe.'' An applicant must
evaluate the systems addressed by Sec. 25.1309(a)(2) to verify that
their normal operation and failure or abnormal functioning have no
safety effect (i.e., they do not affect the operational capability of
the airplane, do not increase flightcrew workload, and do not affect
the safety of passengers or cabin crew).
GAMA/AIA requested the FAA change ``must not adversely affect'' in
proposed Sec. 25.1309(a)(2) to ``do not adversely affect'' as used in
CS 25.1309(a)(2). GAMA/AIA stated that using ``do not'' in the
regulation instead of ``must not'' changes the tone from preventative
to evaluative. The FAA agrees and updated Sec. 25.1309(a)(2) to align
with CS 25.1309(a)(2).
Bombardier questioned whether Sec. 25.1309(a)(2) should be
interpreted by applicants to apply to electromagnetic interference
(EMI) generated by systems operating abnormally. In a related question,
Bombardier asked the FAA to clarify what applicants should address in a
qualitative failure evaluation of equipment and systems under Sec.
25.1309(a)(2). Bombardier stated that the NPRM preamble implies that
applicants would have to show that an equipment failure will not result
in increased electromagnetic emissions; however, Bombardier does not
consider this to be the intent of proposed Sec. 25.1309(a)(2).
The FAA intends that systems addressed under Sec. 25.1309(a)(2),
in this final rule, do not have to meet the former requirement that
they ``perform as intended'' when installed. AC 25.1309-1B explains
that the systems addressed by Sec. 25.1309(a)(2) should be designed so
that their failures have no safety effect. In addition, normal
installation practices can be used to isolate these systems, and a
qualitative installation evaluation based on engineering judgment can
be used to determine that the failure or improper functioning of these
systems would not affect the safety of the airplane. Thus, the extent
of EMI testing that is required for systems addressed under Sec.
25.1309(a)(1) is not required for systems addressed under Sec.
25.1309(a)(2). However, if there is a risk that the failure of a system
addressed under Sec. 25.1309(a)(2) will result in electromagnetic
emissions that affect the proper function of systems addressed under
Sec. 25.1309(a)(1), then formal methods such as testing or analysis
may be used to evaluate the failure in lieu of a qualitative
installation evaluation that uses engineering judgment to conclude that
electromagnetic emissions would not occur.
Except for the foregoing changes, Sec. 25.1309(a) is adopted as
proposed.
3. Paragraph (b)
Section 25.1309(b) requires applicants to assess safety at the
airplane level for airplane systems and associated components,
evaluated separately and in relation to other systems, and requires
that the airplane's systems and components meet certain reliability
standards. In the NPRM, the FAA proposed to revise Sec. 25.1309(b) to
address design and installation so that each catastrophic failure
condition is extremely improbable and does not result from a single
failure, each hazardous failure condition is extremely remote, and each
major failure condition is remote.
In this final rule, the FAA has adopted proposed Sec.
25.1309(b)(1) through (b)(3) with no changes but revised Sec.
25.1309(b)(4) and (b)(5) to align with the corresponding sections of
EASA CS 25.1309.
Proposed Sec. 25.1309(b)(4) would have required that significant
latent failures (SLFs) be eliminated, except if the Administrator
determined that doing so was impractical. If the applicant proved to
the Administrator that such elimination was impractical, the regulation
would have required the applicant to limit the likelihood of the SLF to
1/1000 between inspections. If the applicant proved that such
limitation was impractical, then the proposed regulation would have
required the applicant to minimize the length of time the failure would
be present but undetected.
Garmin expressed concern that the 1/1000 requirement in proposed
Sec. 25.1309(b)(4)(i) could be burdensome without a cutset \24\ limit
because no matter how many cutsets deep the latent failure is (e.g., 3,
4, 5, or more cutsets), it still would have to meet the 1/1000
requirement unless the applicant obtains agreement with the FAA that it
has been adequately minimized. Thus, Garmin recommended that the FAA
remove the 1/1000 requirement from Sec. 25.1309(b)(4) to align with
EASA and suggested that the 1/1000 requirement be moved to AC
25.1309-1B as one way to show the SLF is minimized. Garmin proposed that a
cutset limit be applied to either the 1/1000 requirement within Sec.
25.1309(b)(4) or to the definition of SLF if the FAA did not remove the
1/1000 requirement from Sec. 25.1309(b)(4) in the final rule. The FAA
agrees to remove the 1/1000 criterion from Sec. 25.1309(b)(4) and
include it in AC 25.1309-1B as a possible means of compliance. This
change is consistent with the ASAWG recommendations that led to this
rulemaking. Specifically, the ASAWG specific risk tasking report
recommendations that the FAA require applicants to control specific
risks of concern did not include a recommended limit latency
requirement for all SLFs. The report only recommended a limit latency
requirement of 1/1000 for CSL+1 failure combinations (ASAWG report,
section 6.4.1.2).
---------------------------------------------------------------------------
\24\ A cutset is a number of failures or events that when
combined will result in a system failure.
---------------------------------------------------------------------------
ANAC, TCCA, and Bombardier requested the FAA harmonize Sec.
25.1309(b)(4) with CS 25.1309(b)(4) by removing the 1/1000 criterion,
while EASA requested the FAA provide a rationale for not harmonizing.
The FAA agrees to harmonize Sec. 25.1309(b)(4) with CS 25.1309(b)(4).
Both regulations address eliminating SLFs as far as practical and
minimizing the latency of the SLF if such elimination is not practical.
This ensures that the applicant evaluates each SLF, eliminates it when
practical, and minimizes its latency if elimination is not practical.
However, in this final rule, Sec. 25.1309(b)(4) includes a new
exclusion, requested by Garmin, from these proposed requirements for
latent failures. This exclusion is described in the following
paragraph.
Garmin requested that the FAA modify proposed Sec. 25.1309(b)(4)
to exclude the requirements for latent failures where the applicant
meets the requirements of Sec. 25.1309(b)(1) and (b)(2) with the
latent failure assumed, in the applicant's risk assessment, to have
already occurred, or where the applicant took no credit in that risk
assessment for the latency period. The FAA agrees to add this exclusion
to Sec. 25.1309(b)(4)
because it meets the decision criteria that the specific risk of
concern will be evaluated as per the 2010 ARAC ASAWG specific risk
tasking report.\25\ When a latent failure or the specific risk of
concern is assumed as having occurred, its probability becomes 1 in the
calculation of the failure condition. This probability of 1 is the same
as stating that no credit is taken for a latency period. This is a
difference between Sec. 25.1309(b)(4) and CS 25.1309(b)(4) since
EASA's rule does not contain this exclusion. The FAA does not expect
this difference to be significant because the exclusion in Sec.
25.1309(b)(4) allows applicants to use a conservative assessment of a
failure condition to show compliance.
---------------------------------------------------------------------------
\25\ ASAWG report, revision 5.0, Section 6.1.2, Figure 6-1.
---------------------------------------------------------------------------
GAMA/AIA, Gulfstream, and Boeing requested language for the Sec.
25.1309(b)(4) final rule that was different from what the NPRM proposed
and what EASA published in CS-25. The commenters' proposal provides
criteria for acceptance of SLFs that depend on the probability and
severity of the outcome. The FAA did not update the rule language as
suggested; however, the FAA has incorporated the approach as a means of
compliance for the catastrophic failure conditions in AC 25.1309-1B.
This approach also incentivizes development of practical designs that
meet the safety objectives of Sec. 25.1309(b)(1) and (b)(2). The
approach for hazardous failure conditions was not included in AC
25.1309-1B since it was not considered in the 2010 ARAC ASAWG specific
risk tasking report.
ANAC, Garmin, and Airbus requested changes to proposed Sec.
25.1309(b)(4)(i) and (b)(4)(ii). The suggested changes are no longer
relevant because paragraphs (i) and (ii) are not included in the Sec.
25.1309(b)(4) final rule.
Proposed Sec. 25.1309(b)(5) provided a new standard for limiting
the risk of a catastrophic failure combination that results from two
failures, either of which could be latent for more than one flight.
ANAC stated that the criteria in proposed Sec. 25.1309(b)(5) are
significantly different from the criteria in CS 25.1309(b)(5) and these
differences may burden applicants by requiring them to comply with two
different sets of criteria and may result in different product
configurations. TCCA commented that differences between the proposed
FAA rule and CS-25, both in wording and intent, would result in
significant difficulties and increase the burden on applicants,
particularly given the inherent complexity of safety assessments both
at system and aircraft level. EASA stated that having different
criteria in Sec. 25.1309(b)(5)(iii) and CS 25.1309(b)(5)(iii) would
result in a duplication of effort for applicants. The FAA agrees that
differences between FAA and EASA requirements could result in increased
burden on applicants and civil aviation authorities. The final rule is
therefore revised to improve harmonization, as described below.
Several commenters recommended changes to Sec. 25.1309(b)(5). TCCA
and ANAC recommended that the FAA fully harmonize Sec. 25.1309(b)(5)
and CS 25.1309(b)(5), while EASA encouraged the FAA to implement the
same criteria as CS 25.1309(b)(5)(iii). GAMA/AIA and Garmin suggested
the FAA harmonize Sec. 25.1309(b)(5)(i) with CS 25.1309(b)(5)(i) by
changing ``fault tolerance'' to ``redundancy.'' Boeing suggested the
FAA update Sec. 25.1309(b)(5)(ii) to ``. . . the residual average
probability per flight hour of the catastrophic failure condition
occurring due to all subsequent single failures is remote.'' Airbus and
Gulfstream preferred that the FAA harmonize Sec. 25.1309(b)(5)(iii)
with CS 25.1309(b)(5)(iii), while GAMA/AIA preferred the FAA's proposed
wording for Sec. 25.1309(b)(5)(iii). Boeing suggested the FAA change
Sec. 25.1309(b)(5)(iii) to ``The probability of the latent failure
occurring over its maximum exposure time does not exceed 1/1000.''
The FAA uses the term ``fault tolerance'' in Sec. 25.1309(b)(5)(i)
instead of ``redundancy'' as used in CS 25.1309(b)(5)(i) because the
term ``redundancy'' could be interpreted as a prescriptive design
requirement, and Sec. 25.1309 is intended to be a performance-based
rule. In this final rule, the FAA revised Sec. 25.1309(b)(5)(ii) to
refer to ``the residual average probability'' of the catastrophic
failure condition following a single latent failure. The term
``residual average probability'' is the remaining probability of a
failure condition given the presence of a single latent failure. This
change aligns with the recommendations from the 2010 ARAC ASAWG
specific risk tasking recommendation report, sections 6.3.1.6 and
6.3.1.7. The final rule uses ``all subsequent active failures'' rather
than the proposed Sec. 25.1309(b)(5)'s ``all subsequent single
failures'' to ensure the applicant accounts for the residual average
probability of all active failures in a failure condition. Finally, the
FAA agrees to harmonize Sec. 25.1309(b)(5)(iii) with CS
25.1309(b)(5)(iii) to ensure that the combined probability of all the
latent failures is accounted for as recommended by the commenters,
except that the FAA uses ``active failure'' in Sec.
25.1309(b)(5)(iii), instead of ``evident failure'' as used in CS
25.1309(b)(5)(iii). Having harmonized Sec. 25.1309(b)(5)(iii) with CS
25.1309(b)(5)(iii), the FAA does not expect the differences in wording
between Sec. 25.1309(b)(5) and CS 25.1309(b)(5) to be burdensome to
applicants.
4. Paragraph (c)
In the NPRM, proposed Sec. 25.1309(c) would require the applicant
to provide information concerning unsafe system operating conditions to
enable the flightcrew to take corrective action and to show that the
design of systems and controls, including indications and
annunciations, minimizes crew errors that could create additional
hazards. ANAC, TCCA, and Boeing requested the FAA revise proposed Sec.
25.1309(c) to include ``in a timely manner'' as part of the corrective
action to be taken by the flightcrew. The FAA has updated the final
rule accordingly. This change more closely harmonizes Sec. 25.1309(c)
with CS 25.1309(c). In addition, the discussion of this proposal in the
NPRM preamble refers to the importance of providing timely and
effective annunciations to allow appropriate crew action.
TCCA requested that the FAA align the wording of proposed Sec.
25.1309(c) with CS 25.1309(c). TCCA stated that the first sentence of
proposed Sec. 25.1309(c) does not correctly reflect the intent of the
rule, which is for the airplane and systems to provide information to
the flightcrew when necessary for safe operation. TCCA explained that
``the applicant must provide information'' could be interpreted as
requiring the applicant to provide documentation or training instead of
flightcrew alerts as intended. The FAA agrees and revised the first
sentence of Sec. 25.1309(c) to say that the airplane and systems
provide the necessary information. This will harmonize the intent with
the corresponding sentence in CS 25.1309(c).
To further harmonize with EASA's rule, the FAA revised the second
sentence of Sec. 25.1309(c) to require that systems and controls,
including ``information,'' indications, and annunciations, be designed
to minimize crew errors. ``Information'' refers to the same term used
in the first sentence of Sec. 25.1309(c) and has the same intent as
used in Sec. 25.1302.
5. Paragraph (d)
In the NPRM, the FAA proposed to move the requirements of Sec.
25.1309(d) regarding mandatory methods showing compliance with Sec.
25.1309(b) to guidance (AC 25.1309-1B). The NPRM
proposed that new Sec. 25.1309(d) would require applicants to
establish ``Certification Maintenance Requirements,'' or CMRs, as
limitations in the airplane's Instructions for Continued Airworthiness.
Applicants have long used CMRs, such as mandatory inspections at
scheduled intervals, to show that their proposed design complies with
Sec. 25.1309 and other part 25 regulations that establish reliability
requirements.
In this final rule, however, the FAA is moving the CMR requirement
to Sec. 25.1309(e), as discussed in the following section.
Accordingly, the FAA is revising Sec. 25.1309(d) to ``Reserved'' as
requested by Boeing, TCCA, and Safran. This will be a difference
between Sec. 25.1309(d) and CS 25.1309(d) because the latter states
that applicants must assess Electrical Wiring Interconnection System
(EWIS) per CS 25.1709. The FAA expects this difference to have no
effect in practice because Sec. 25.1309 is a general requirement that
applies to all systems, including EWIS. In addition, Sec. 25.1709
addresses system safety of EWIS, and Sec. 25.1709 is harmonized with
CS 25.1709.
6. Paragraph (e)
In the NPRM, the FAA proposed that Sec. 25.1309(d) would require
an applicant to establish CMRs to prevent development of the failure
conditions described in Sec. 25.1309(b) and to include these CMRs in
the ALS. In the final rule, these requirements are now in Sec.
25.1309(e).
The FAA's proposed CMR requirement referenced Sec. 25.1309(b),
which addresses catastrophic, hazardous, and major failure conditions.
Boeing, GAMA/AIA, Gulfstream, and Garmin suggested that the requirement
to establish CMRs in Sec. 25.1309(d) be limited to CMRs that address
catastrophic and hazardous failure conditions in Sec. 25.1309(b)(1)
and (b)(2). TCCA commented that the NPRM describes CMRs as tasks to
detect safety significant failures that result in hazardous or
catastrophic conditions but recommended that major failure conditions
should also be considered.
The FAA declines to restrict the use of CMRs to catastrophic and
hazardous failure conditions. Although a CMR is primarily used to
establish a required maintenance task that would detect issues such as
the wear out or a hidden failure of an item whose failure is associated
with a hazardous or catastrophic failure condition, a CMR may also be
used to detect a latent failure that would, in combination with one
specific failure or event, result in a major failure condition. The SSA
identifies the need for a scheduled maintenance task. It may be
necessary for applicants to include a CMR in the ALS of the ICA for a
major failure condition if the maintenance task is not provided in
other areas of the ICA. An acceptable process for selecting CMRs is
provided in AC 25-19A, Certification Maintenance Requirements.\26\
---------------------------------------------------------------------------
\26\ Available at drs.faa.gov.
---------------------------------------------------------------------------
ANAC questioned whether the FAA intended proposed Sec. 25.1309(d)
to require CMRs for all failure conditions and requested the FAA
clarify in the final rule language that CMRs be established ``as
necessary.'' The FAA agrees to add the words ``as necessary'' to the
final rule. As explained in AC 25-19A, the process of creating CMRs to
control risk of failures described in Sec. 25.1309(b) begins with
identifying candidate CMRs (CCMRs) until a committee of experts
determines they are CMRs. Thus, the FAA does not require CMRs for all
failure conditions, and not every CCMR will become a CMR. Although
adding ``as necessary'' results in different language between Sec.
25.1309(e) and CS 25.1309(e), this difference does not affect
harmonization between the FAA and EASA because the guidance for
selecting CMRs is aligned.
Garmin requested the FAA reword proposed Sec. 25.1309(d) to
require the safety analysis to identify the CCMRs that must be
dispositioned using a process acceptable to the Administrator to
identify which CCMRs should be airworthiness limitations. Garmin stated
that the proposed wording seems to preclude the use of AC 25-19A to
first identify and classify CCMRs. The FAA does not agree with this
request. The final rule requires CMRs to be established and included in
the ALS of the airplane's ICA. The associated guidance in AC 25-19A
provides a method of compliance, which includes identifying and
dispositioning CCMRs as CMRs. The FAA also did not adopt the
commenter's proposed change because it would result in a difference
compared to corresponding EASA regulations and guidance.
Airbus commented that the word ``detect'' is more appropriate than
the word ``prevent'' used in proposed Sec. 25.1309(d) since failures
will be detected during CMR tasks. The FAA did not replace ``prevent''
with ``detect'' since the intent of this rule is to prevent the
development of the failure condition by detecting the existence of a
latent failure.
I. Section 25.1365, Electrical Appliances, Motors, and Transformers
In the NPRM, the FAA proposed to remove the reference to Sec.
25.1309(d) from Sec. 25.1365(a) because Sec. 25.1309(d) would no
longer contain mandatory methods for demonstrating compliance with
Sec. 25.1309(b). GAMA/AIA and Gulfstream commented that the FAA should
remove Sec. Sec. 25.1431(a), 25.1351(a)(2), and 25.1365(a), as those
regulations are redundant to or simply point to compliance with Sec.
25.1309. The FAA does not agree with this request because removing
Sec. Sec. 25.1431(a), 25.1351(a)(2), and 25.1365(a) may have
unintended consequences. In addition, removal of these regulations was
not proposed in the NPRM. The FAA did not change this final rule as a
result of this comment but has removed the reference to Sec.
25.1309(d) from Sec. 25.1365(a) as proposed in the NPRM.
J. Section H25.4(a) of Appendix H, Airworthiness Limitations Section
The FAA adopts Sec. H25.4(a) of appendix H as proposed in the
NPRM. The FAA received no comments on this section.
K. Miscellaneous Comments
1. Applicability of Sec. 25.1309 to Electromagnetic Conditions
Bombardier commented that the NPRM preamble indicates that the FAA
did not intend proposed Sec. 25.1309(b) and the associated advisory
material to change how type certificate applicants account for systems'
exposure to high-intensity radiated fields (HIRF) and lightning.
Bombardier requested that the FAA clarify whether this same principle
applies to electromagnetic conditions in other regulations (e.g.,
Sec. Sec. 25.1353, 25.1431, 25.899). The FAA does not intend revised
Sec. 25.1309 and the associated advisory material to take precedence
over or supersede how applicants address electromagnetic conditions in
accordance with other regulations.
2. Revise Nonregulatory Definitions
This section addresses commenters' requests to revise definitions
that the FAA provided in the NPRM preamble or in draft AC 25.1309-1B.
The FAA also proposed in the NPRM that some of these definitions would
be included in new Sec. 25.4. The following paragraphs address the
definitions of hazardous failure condition, latent failure, single
failure, event, and failure condition.
The FAA included a table of definitions in the preamble of the
NPRM. The table included some definitions given in proposed Sec. 25.4
and
[[Page 68721]]
provided additional definitions that were not in proposed Sec. 25.4.
That table is not included in this final rule; applicants should
instead refer to this preamble, final Sec. 25.4 and AC 25.1309-1B.
Relevant definitions are provided in Sec. 25.4 Definitions or in the
appropriate AC.
GAMA/AIA, Airbus, Boeing, Bombardier, and Garmin requested that the
FAA remove the following language from the preamble definition of
``hazardous failure condition:'' ``Note: For the purpose of performing
a safety assessment, a `small number' of fatal injuries means one such
injury.'' The commenters stated that considering a ``small number'' of
fatal injuries to be one such injury for the purpose of performing
safety assessments is too restrictive. This note was only in the
preamble and not in the proposed regulatory definition in Sec. 25.4,
as the FAA considered it guidance on the application of the definition.
The FAA agrees to remove this note from AC 25.1309-1B. The note is not
included in AMC Sec. 25.1309, nor was it included in any of the
relevant ARAC recommendations. Given the difficulty and context-
dependent nature of estimating whether a failure condition would result
in one or multiple fatal injuries, the FAA finds that it is not
necessary to define ``small number'' in order to provide the necessary
separation between hazardous and catastrophic failure conditions.
Historically, applicants have assessed this aspect of the definition of
``hazardous failure condition'' differently based on the size of the
airplane, number of occupants, and fleet size. The FAA will continue to
accept this practice.
ANAC commented that the FAA's definition of ``latent failure'' in
the NPRM preamble table (``a failure that is not apparent to the
flightcrew or maintenance personnel'') may be confusing since the
maintenance crew will detect latent failures through periodic
maintenance activities such as CMRs. ANAC recommended the FAA use the
following definition of latent failure: ``A failure which is not
detected and/or annunciated when it occurs.'' The FAA agrees and has
updated the definition of ``latent failure'' in AC 25.1309-1B. Boeing,
GAMA/AIA, TCCA, and Garmin requested that the FAA modify the definition
of ``latent failure'' to include the qualifier ``for more than one
flight'' to ensure consistent understanding and application. The FAA
did not make this change because the definition of ``latent failure''
includes undetectable failures regardless of the latency period. AC
25.1309-1B has been updated to provide additional guidance on the
appropriate duration of a latent failure; that is, an acceptable means
of compliance to SLF minimization is to show that the failure would not
be latent for more than one flight.
TCCA requested that the FAA clarify the intent of the phrase
``common causes'' as used in the NPRM preamble table's definition of
single failure or state that common causes may include external events
that are not considered failures (e.g., bird strike). TCCA stated that
the NPRM preamble and draft AC 25.1309-1B definitions of ``failure''
include a note that errors and events are not considered failures and
that this creates an apparent conflict where the definition of single
failures includes common causes. Airbus also stated that external
events are not system failures and questioned whether external failure
conditions should be explicitly excluded from Sec. 25.1309 because
they are already covered by their own regulations (e.g., bird strike is
specifically addressed under Sec. 25.631). In response, the FAA has
updated the single failure definition in AC 25.1309-1B to be the same
as provided by the ARAC SDAHWG recommendations report that included a
draft AC 25.1309 (see the ``Arsenal'' draft AC 25.1309).\27\
---------------------------------------------------------------------------
\27\ Available in the docket as part of the SDAHWG
recommendation, ``Task 2--System and Analysis Harmonization and
Technology Update,'' pp. 61-99, and at www.faa.gov/regulations_policies/rulemaking/committees/documents/media/TAEsdaT2-5241996.pdf.
---------------------------------------------------------------------------
In addition, the FAA updated the note within the definition of
``failure'' in AC 25.1309-1B to remove the word ``events.'' In general,
an SSA addresses how systems are affected by an external event, such as
a bird strike, using a common cause analysis or a single event cause
where the external event is assumed without a probability.
Bombardier stated that the FAA's definition of ``single failure''
in the preamble table was ambiguous and implied that a single failure
would affect multiple ``components, parts or elements'' when most
single failures will affect single components or parts. Bombardier
requested the FAA revise the definition to ``a single occurrence that
affects the operation of a component, part, or element such that it no
longer functions as intended'' or not adopt the definition. The FAA
updated the definition of ``single failure'' to ``any failure or set of
failures that cannot be shown to be independent from each other'' in AC
25.1309-1B. The FAA did not make the requested change because the FAA
intends that applicants treat a common mode failure of multiple
components, parts, or elements as a ``single failure,'' and this
connection would be lost if the FAA were to revise the definition as
Boeing proposed.
TCCA recommended that the FAA consider changing the term ``event''
in the preamble table to ``external event'' to align with EASA CS-25,
ARP4754B ``Guidelines for Development of Civil Aircraft and Systems,''
and ARP4761A. The FAA agrees and has updated ``event'' to ``external
event'' in AC 25.1309-1B.
Boeing requested that the FAA address ``collisions (intentional or
not)'' in the definition of ``event.'' Boeing stated that this change
would provide clarity that collisions are not events to be considered
as part of required safety assessments. Although the FAA updated the
term ``event'' to ``external event'' in AC 25.1309-1B, the FAA did not
change its definition in response to this comment. The definition of
``external events'' states that it does not cover sabotage or other
similar intentional acts. Intentional collisions are intentional acts
and, therefore, not an ``external event.'' Unintentional collision may
be due to failure of onboard system equipment, which is excluded from
this definition since its origin is not distinct from that of the
airplane. Unintentional collision may be due to flightcrew error, which
is already excluded.
The preamble table's definition of ``failure condition'' referenced
a condition that affected ``the airplane, its occupants, or other
persons.'' Bombardier requested that the FAA remove ``or other
persons'' from this definition or provide guidance as to how applicants
can assess potential effects on other persons and how these effects
would relate to severity classification. The FAA declines to change the
definition of ``failure condition'' in AC 25.1309-1B. The FAA included
the words ``or other persons'' to account for the effects on persons
other than the airplane occupants that applicants should take into
consideration when assessing failure conditions for compliance with
Sec. 25.1309. AC 25.1309-1B provides guidance on the type of persons,
the risks to be considered, and how applicants can classify the failure
conditions given the effects on other persons that do not include
airplane occupants. For example, ground maintenance crew involved in
servicing the airplane while `in-service' could have a risk of an
inadvertent door coming open or thrust reverser movement.
[[Page 68722]]
3. Revise Other Regulations
In the NPRM, the FAA proposed that the revised Sec. 25.1309(b)
would not apply to single failures in the brake system because those
failures are adequately addressed by Sec. 25.735(b)(1). An individual
commenter recommended changes to current Sec. 25.735, ``Brakes and
braking systems,'' stating that parts of Sec. 25.735 are no longer
relevant or need to be updated to reflect modern braking systems. The
commenter requested changes to Sec. 25.735 and corresponding changes
to AC 25.1309-1B. Gulfstream also requested that the FAA add a
paragraph to Sec. 25.735 to address braking capability with all
engines inoperative. The FAA does not agree with these requests. The
FAA did not propose changes to Sec. 25.735 in the NPRM, and such
changes are outside the scope of this rulemaking.
GAMA/AIA and Bombardier requested that the FAA revise Sec. 25.672,
``Stability augmentation and automatic and power-operated systems,'' in
this rulemaking package. GAMA/AIA stated that proposed Sec. 25.671(c)
removed the failures that Sec. 25.672 is referencing. Bombardier
suggested that the FAA remove Sec. 25.672(c) because the failures
addressed under Sec. 25.672(c) could be addressed entirely under Sec.
25.1309(b) or clarify that the intent of Sec. 25.672(c) does not apply
to modern fly-by-wire aircraft. In addition, GAMA/AIA requested that
the FAA add guidance for Sec. 25.672 that reflects the recommendations
made by the FTHWG. The FAA did not change this final rule or associated
guidance material as a result of these comments. Revising Sec. 25.672
is unnecessary because Sec. 25.672(b) refers to failures specified in
Sec. 25.671(c), and the final rule for Sec. 25.671(c) includes these
failures. Section 25.672(c) contains requirements that are in addition
to the requirements of Sec. 25.1309(b). The FAA declines to add
guidance at this time for Sec. 25.672 based on recommendations made by
the FTHWG because further discussion is needed to harmonize the
guidance for Sec. 25.672 with other regulatory authorities; the FAA
notes these discussions are ongoing in a Certification Authorities for
Transport Airplanes (CATA) harmonization activity.\28\ The FAA does not
agree to clarify that the intent of Sec. 25.672(c) does not apply to
modern fly-by-wire aircraft because the FAA has not made this
determination.
---------------------------------------------------------------------------
\28\ www.faa.gov/aircraft/air_cert/design_approvals/transport/transport_intl/cata.
---------------------------------------------------------------------------
4. Revise Cost-Benefit Analysis
Garmin commented on the NPRM that the cost-benefit analysis does
not consider the impact on amended type certificate (ATC) or
supplemental type certificate (STC) projects that would be considered
significant under Sec. 21.101, known as the Changed Product Rule. In
addition, MARPA requested the FAA clarify the applicability of the SSA
rule to parts manufacturer approval (PMA) applicants and STC
applicants. If the SSA rule is applicable to PMA and STC applicants,
MARPA requested that the FAA adjust the cost-benefit analysis
accordingly, complete a Regulatory Flexibility Act analysis, and make
the revised cost-benefit analysis and Regulatory Flexibility Act
analysis available for comment in a supplemental NPRM.
This final rule updates the cost-benefit analysis to take account
of the fact that the final rule closely harmonizes with the
corresponding EASA rule. Since U.S. manufacturers already are required
to meet the EASA requirements, the closely harmonized provisions of the
final rule impose no or minimal costs. In future STC or ATC projects
where the design change is determined under the Changed Product Rule to
be a significant product level change, the Changed Product Rule will
then require that the certification basis of those projects be updated.
The cost-benefit analysis for the Changed Product Rule, however, has
determined that the required updated certification basis for such
projects is cost-beneficial.\29\ PMAs (replacement articles) are
managed in accordance with Subpart K to part 21. The final rule will
apply only at that time in the future when a PMA (or non-significant
STC) applicant seeks to modify a product that already has the final
rule in its certification basis. Accordingly, the FAA finds that
neither a Regulatory Flexibility Act analysis nor a supplemental NPRM
is required.
---------------------------------------------------------------------------
\29\ 65 FR 36266, June 7, 2000.
---------------------------------------------------------------------------
Garmin commented that the cost discussion misses the fact that
Sec. 25.1309(b)(4), without a cutset limit, could result in additional
costs to redesign the systems from what has historically been
acceptable and conventional. Garmin also stated that the 1/1000
requirement could be applied to any level of cutset, which could drive
design changes, and that there are additional costs to negotiate with
the FAA to produce the analysis that proves 1/1000 is met or that
latency is minimized; thus, the FAA should revise the cost-benefit
analysis to include those costs.
In this final rule, the FAA is not adopting the 1/1000 requirement
that it had proposed for Sec. 25.1309(b)(4); that section will not
apply if the associated system meets the average risk requirements of
Sec. 25.1309(b)(1) and (b)(2), assuming the SLF has occurred.
Moreover, the FAA has moved the 1/1000 criterion to AC 25.1309-1B as
guidance. These changes address the commenter's concern that proposed
Sec. 25.1309(b)(4) needed a minimal cutset limit. There may be
demonstration or negotiation costs to show impracticality or
minimization of the SLF latency, but these costs are already accounted
for in the cost-benefit analysis of the Changed Product Rule, Sec.
21.101.
Garmin questioned whether the FAA has adequately justified the cost
of applying the specific risk criteria of proposed Sec. 25.1309(b)(4)
and (b)(5) to systems that have not historically had such a
requirement. Garmin also requested that the FAA update the cost
discussion for specific risk to acknowledge that for most of the
aircraft systems the existing Sec. 25.1309(b) is the right baseline.
Given that in the final rule, the Sec. 25.1309(b)(4) and (b)(5)
requirements are closely aligned with the corresponding EASA
requirements, the FAA responds that the correct baseline is the EASA
rule since it is already in place. Using that baseline, the additional
cost to manufacturers is, at most, minimal since manufacturers already
have to meet the corresponding EASA requirements.
Garmin stated that if the FAA regulations remain different from
EASA's, then the cost of an applicant's validation to differing
expectations should be considered. Also, TCCA commented that the cost-
benefit assessment could improve by increasing harmonization. As
already noted, the FAA has increased the level of harmonization between
the final rule and EASA CS-25, as compared to the NPRM, to such an
extent that the remaining costs associated with this rulemaking are
minimal.
5. Aircraft Certification, Safety, and Accountability Act
The preamble of the NPRM included a summary of the FAA's ongoing
implementation of Section 115 of the Aircraft Certification, Safety,
and Accountability Act (ACSAA). The FAA received one comment on these
implementation activities, a supportive comment from ALPA. The FAA
continues to take action to implement Section 115, including the
revision of relevant guidance documents such as AC 25.1309-1B, which
the FAA issued as part of this rulemaking.
6. Other
The FAA received a request from GAMA/AIA to include a file within
the
[[Page 68723]]
docket that contained the FAA's responses to all NPRM comments that the
FAA received. The FAA does not agree with this request. This final rule
discusses the comments in detail. Additionally, many comments on the
NPRM are no longer relevant because the FAA has revised the final rule
to increase harmonization with EASA CS-25.
The FAA also received comments from Airbus, Boeing, Bombardier,
EASA, GAMA/AIA, and TCCA to revise specific preamble text of the NPRM.
This final rule does not restate the entirety of the NPRM preamble, so
specific editorial suggestions are not applicable, except as noted in
the preceding discussion of definitions. No changes were made to this
final rule in this regard.
K. Advisory Material
The FAA has issued three new ACs and revisions to two existing ACs
to provide guidance material for acceptable means, but not the only
means, of showing compliance with the regulations in this final rule.
These ACs are available in the public docket for this rulemaking:
- AC 25.671-1, Control Systems--General.
- AC 25.901-1, Safety Assessment of Powerplant Installations.
- AC 25.933-1, Unwanted In-Flight Thrust Reversal of Turbojet Thrust
  Reversers.
- AC 25.629-1C, Aeroelastic Stability Substantiation of Transport
  Category Airplanes.
- AC 25.1309-1B, System Design and Analysis.
VI. Regulatory Notices and Analyses
Federal agencies consider impacts of regulatory actions under a
variety of executive orders and other requirements. First, Executive
Order 12866 and Executive Order 13563, as amended by Executive Order
14094 (``Modernizing Regulatory Review''), direct that each Federal
agency shall propose or adopt a regulation only upon a reasoned
determination that the benefits of the intended regulation justify the
costs. Second, the Regulatory Flexibility Act of 1980 (Pub. L. 96-354)
requires agencies to analyze the economic impact of regulatory changes
on small entities. Third, the Trade Agreements Act (Pub. L. 96-39)
prohibits agencies from setting standards that create unnecessary
obstacles to the foreign commerce of the United States. Fourth, the
Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) requires agencies
to prepare a written assessment of the costs, benefits, and other
effects of proposed or final rules that include a Federal mandate that
may result in the expenditure by State, local, or tribal governments,
in the aggregate, or by the private sector, of $100,000,000 or more
annually (adjusted annually for inflation) in any one year. The current
threshold after adjustment for inflation is $183,000,000, using the
most current (2023) Implicit Price Deflator for the Gross Domestic
Product. The FAA has provided a detailed Regulatory Impact Analysis
(RIA) in the docket for this rulemaking. This portion of the preamble
summarizes the FAA's analysis of the economic impacts of this final
rule.
In conducting these analyses, the FAA determined that this final
rule (1) has benefits that justify its costs; (2) is not significant
under section 3(f)(1) of Executive Order 12866 as amended; (3) will not
have a significant economic impact on a substantial number of small
entities; (4) will not create unnecessary obstacles to the foreign
commerce of the United States; and (5) will not impose an unfunded
mandate on State, local, or tribal governments, or on the private
sector. These analyses are summarized below.
A. Regulatory Evaluation
1. Summary of Rule Provisions
In the NPRM, the FAA proposed to amend certain airworthiness
regulations to standardize the criteria for conducting safety
assessments for systems, including flight controls and powerplants,
installed on transport category airplanes. This final rule generally is
adopted as proposed. In some provisions, the FAA has increased the
level of harmonization between the final rule and EASA CS-25, as
compared to the NPRM, to such an extent that the remaining costs
associated with this rulemaking are minimal.
The predominant action of the final rule will:
- Require applicants to minimize, to the extent possible, the problem
  of significant latent failures (SLFs), a problem that is highlighted
  in the case of catastrophic dual failures, where a latent failure can
  leave the airplane one active failure away from a catastrophic
  accident.
The rule also:
- Institutes an ``airplane-level'' SSA that will integrate and, to the
  extent possible, standardize safety assessment criteria across
  critical airplane systems:
  - Reflecting the much greater integration of modern aircraft systems
    (e.g., avionics and fly-by-wire systems) as compared to what they
    were when the current safety criteria in Sec. 25.1309 and other
    system safety assessment rules were established in 1970.\30\
---------------------------------------------------------------------------
\30\ 35 FR 5665 (Apr. 8, 1970).
---------------------------------------------------------------------------
  - Including removal of general systems safety criteria from Sec.
    25.901(c) [Powerplant Installation] and pointing to Sec. 25.1309
    (General System Safety Criteria) for these criteria, and allowing a
    ``reliability'' (Sec. 25.1309) option in addition to the current
    ``controllability'' requirement for developing designs for turbojet
    thrust reversing systems (Sec. 25.933).
- Requires CMRs to identify and restrict exposure to the SLF conditions
  addressed in Sec. 25.1309 and requires CMRs to be contained in the
  ALS of the ICA.
- Updates SSA requirements in order to address new technology in flight
  control systems and the effects these systems can have on airplane
  controllability.
  - For airplanes equipped with fly-by-wire control systems,
    compensates for a lack of direct tactile link between flightdeck
    control and control surface by providing natural or artificial
    control feel forces or flightcrew alerting.
- Requires assessment of the effect of system failures on airplane
  structural loads.
- Revises applicability of the requirement that equipment and systems
  perform their intended functions:
  - Broadens the applicability of Sec. 25.1309 to include any equipment
    or system installed in the airplane regardless of whether it is
    required for type certification, operating approval, or is optional
    equipment.
  - Allows equipment associated with passenger amenities (e.g.,
    entertainment displays and audio systems) not to work as intended
    as long as the failure of such systems would not affect airplane
    safety.
2. Cost and Benefits of the Final Rule
As discussed below, the FAA finds that all provisions of this final
rule are closely harmonized with corresponding EASA provisions already
in effect. This means that manufacturers face no additional cost
because they already have to meet the EASA requirements, and in most
cases, the provisions of this final rule are cost-beneficial owing to
reduced costs from joint harmonization. Some provisions of the final
rule are cost-relieving. Moreover, most, if not all, of the rule
provisions are already in effect owing to industry practice, ELOS
findings, or special conditions.\31\ There
[[Page 68724]]
is no additional cost for provisions that are already voluntary
industry practice or voluntary ELOS findings. Special conditions have
been required, but owing to the long duration of these special
conditions (20-40 years), the FAA finds that they are now accepted by
industry as the low-cost actions for the issues addressed, so there is
no change with codification and, therefore, no additional cost. The FAA
asked for comments on this last finding in the NPRM and received none.
---------------------------------------------------------------------------
\31\ The FAA issues special conditions when we find that the
airworthiness regulations for an aircraft, aircraft engine, or
propeller design do not contain adequate safety standards, because
of a novel or unusual design feature. These special conditions stay
in place until they are replaced by adequate regulations, as is done
in this rulemaking.
---------------------------------------------------------------------------
a. Section 25.1309 Equipment, Systems, and Installations
There was no change to Sec. 25.1301 in the final rule compared to
the NPRM, and there were no changes to Sec. 25.1309(a) in the final
rule except for a small change in Sec. 25.1309(a)(2) to match the ARAC
language and to harmonize with EASA.
The rule revises current Sec. 25.1309(a) into two paragraphs.
Section 25.1309(a)(1) revises the applicability of the Sec. 25.1309(a)
requirement that equipment and systems perform their intended function.
Section 25.1309(a)(1) clarifies that the rule applies to any equipment
or system installed in the airplane regardless of whether it is
required for type certification, operating approval, or is optional
equipment. As this requirement harmonizes closely with EASA's
corresponding requirement, with which part 25 manufacturers are already
required to comply, there is no additional cost. However, the
requirement has reduced costs from joint harmonization and, therefore,
will be cost-beneficial.
Along with an associated change to Sec. 25.1301, ``Function and
Installation,'' Sec. 25.1309(a)(2) will allow equipment associated
with passenger amenities (e.g., entertainment displays and audio
systems) not to function as intended as long as the failure of such
systems does not affect airplane safety. No safety benefit is derived
from demonstrating that such equipment performs as intended if failing
to perform as intended will not affect safety. Accordingly, this change
will reduce the certification cost of passenger amenities for airplane
manufacturers without affecting safety; therefore, this change is cost-
beneficial.
i. Sections 25.1309(b)(1), (b)(2), and (b)(3) (Average Risk and Fail-
Safe Criteria)
The current rule requires that airplane systems and associated
components be designed so that any failure condition that ``would
prevent the continued safe flight and landing of the airplane''
(catastrophic failure condition) is ``extremely improbable,'' a
condition specified in AC 25.1309-1A (6-21-1988) as ``on the order of
<=10^-9 per flight hour.'' This is the traditional ``average
risk'' requirement and is retained in the final rule at Sec.
25.1309(b)(1)(i).
The current rule requires any failure condition that ``would reduce
the capability of the airplane or the ability of the crew to cope with
adverse operating conditions'' to be ``improbable'' (on the order of
10^-9 < p <=10^-5), a failure condition specified
in current AC 25.1309-1A as ``major.'' Current practice, however, has
been to use the SDAHWG recommended ``Arsenal'' draft AC 25.1309 (6-10-
2002) under which the previous ``major'' failure condition has been
divided into two categories: ``hazardous'' (on the order of
10^-9 < p <=10^-7) and ``major'' (on the order of
10^-7 < p <=10^-5), categories that have been
incorporated into this final rule in Sec. 25.1309(b)(2) and (b)(3).
These changes can be thought of as the average risk criteria for
hazardous and major failure conditions.
As it harmonizes with corresponding EASA major and hazardous
categories and is current industry practice, this rule change entails
no additional costs and is cost-beneficial owing to reduced costs from
joint harmonization. The FAA asked for comments
on this finding but received none. Moreover, the rule structure and
intent are in perfect harmony with EASA's corresponding requirements
and, therefore, will entail no additional cost to manufacturers.
As recommended by the SDAHWG, Sec. 25.1309(b)(1)(ii) will
explicitly require that single failures must not result in catastrophic
failures--the ``no single failure'' fail-safe requirement. As it
harmonizes with the equivalent EASA requirement and is already current
industry practice, this requirement is cost-beneficial as it entails no
additional costs but has reduced costs from joint harmonization.\32\
---------------------------------------------------------------------------
\32\ The no single failure requirement was inadvertently removed
in 1970 but remained industry practice. At the same time, the no
single failure requirement was made explicit for flight controls,
and in 1977 was made explicit for powerplants.
---------------------------------------------------------------------------
ii. Sections 25.1309(b)(4) and (b)(5) (Specific Risk Criteria)
Sections 25.1309(b)(4) and (b)(5) represent the predominant change
to existing SSA requirements in that they are adding specific risk
approaches to SSA to supplement the traditional average risk approach
in order to address the problem of latent failures.
Section 25.1309(b)(4) requires the elimination of SLFs to the
extent practical, or, if not practical, to minimize them so as to limit
situations where the airplane is one failure away from a catastrophic
accident. (This is particularly important in the case of catastrophic
CSL+1 dual failures specifically addressed in the section on Sec.
25.1309(b)(5) immediately following.) The NPRM also required that the
product of the maximum time the latent failure is expected to be
present and its average failure rate not exceed 1/1000. Based on
comments on the NPRM that this requirement was onerous and not in
harmony with EASA, this provision was moved to AC 25.1309-1B, System
Design and Analysis, as a possible means of compliance.
Several commenters on the NPRM also pointed out that, in many
cases, it would be wasteful to require analysis of an SLF with
sufficient redundancy that the average risk criteria continued to hold
even when setting the SLF probability to unity.\33\ Consequently, Sec.
25.1309(b)(4) does not apply in those cases. This exception is not in
the corresponding CS 25.1309(b)(4), but even with this difference,
compared to the NPRM, this provision is more closely harmonized with
the EASA provision as the FAA has removed an intermediate step--the
less than 1/1000 criterion--that is not in the EASA rule and moved it
to AC 25.1309-1B.
---------------------------------------------------------------------------
\33\ SLFs are identified at the beginning of an SSA, or during a
Preliminary SSA, in which the manufacturer undertakes a functional
hazard assessment on the basis of which a hazard's ``hazard
classification'' is validated as catastrophic, hazardous, etc. These
evaluations are qualitative and are independent of ``average'' risk
criteria that a catastrophic failure condition should be ``extremely
improbable'' or <=10^-9, or that a hazardous failure
condition should be ``extremely remote'', or <=10^-7.
---------------------------------------------------------------------------
Accordingly, the FAA finds no costs to this provision as
manufacturers already have to comply with a corresponding EASA
provision. Moreover, elimination of SLFs when practical is already
industry practice. Since the provision entails no costs, the FAA finds
the rule to be cost-beneficial because of reduced costs from joint
harmonization.
[[Page 68725]]
iii. Section 25.1309(b)(5) (CSL+1 Dual Failures)
A ``CSL+1 (Catastrophic Single Latent Plus One)'' refers to a
catastrophic failure condition caused by a single latent failure and an
active (evident) failure. Section 25.1309(b)(5)(i), adopted as
proposed, is similar to Sec. 25.1309(b)(4) in that it also requires
the dual failure to be eliminated if practical. An example is an AD
action that eliminated the CSL+1 dual failure that caused the
catastrophic Lauda Air Flight 004 (1994); the AD required that a third
lock be added to the thrust reverser system. This change converted the
dual failure condition to a triple failure condition and removed the
airplane from a situation where it was one failure away from a
catastrophic accident.
If the dual failure condition cannot be eliminated, additional
control is appropriate beyond the traditional ``extremely improbable''
(average risk) requirement applied to a combination of failures. The
additional control takes the form of two specific risk criteria: (1) a
requirement to ``limit residual probability'' (Sec. 25.1309(b)(5)(ii))
and (2) a ``limit latency'' requirement (Sec. 25.1309(b)(5)(iii)).
The requirement to limit the residual probability limits the
probability of a catastrophic failure in the presence of a latent
failure to be ``remote'' (on the order of <=10^-5). So, this
requirement limits the risk of a catastrophic accident in the situation
where a latent failure has occurred, and the airplane is a single
failure away from a catastrophic accident.\34\ The limit latency
requirement limits the probability of the latent failure itself to be
<=1/1000 so as to limit the time, between maintenance inspections, that
the airplane is operating one failure away from a catastrophic
accident.\35\ \36\ There are no substantial changes to Sec.
25.1309(b)(5) in the final rule compared to the NPRM.
---------------------------------------------------------------------------
\34\ More generally, if multiple active failures could cause a
catastrophic accident in the presence of the latent failure, the
average probability (per flight hour) of these active failures must
be remote.
\35\ More generally, the sum of the probabilities of the latent
failures combined with an active failure must be <= 1/1000.
\36\ Since the 10^-9 average risk criterion must also
be met, if residual risk is on the order of 10^-5, the
latent failure rate must be 10^-4 or less. Conversely, if
the latent failure rate is at 10^-3, residual risk must be
on the order of 10^-6 or less.
---------------------------------------------------------------------------
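The following added example (not part of the rule text or of AC 25.1309-1B) checks a CSL+1 pair against the two specific risk criteria and the average risk criterion together, and shows the interaction described in footnote 36. It assumes the latent failure probability is approximated as failure rate times maximum exposure time, and the average risk as latent probability times residual probability; the function and field names are hypothetical.

```python
import math
from dataclasses import dataclass

# Limits quoted in the text above.
REMOTE = 1e-5                 # residual probability limit, per flight hour
LATENT_LIMIT = 1e-3           # 1/1000 limit on the latent failure probability
EXTREMELY_IMPROBABLE = 1e-9   # average risk criterion, per flight hour


def _le(value, limit):
    """value <= limit, tolerating floating-point noise at the boundary."""
    return value <= limit or math.isclose(value, limit, rel_tol=1e-9)


@dataclass(frozen=True)
class Csl1Assessment:
    latent_probability: float
    residual_probability: float
    average_risk: float
    meets_limit_latency: bool
    meets_residual: bool
    meets_average_risk: bool

    @property
    def compliant(self):
        return (self.meets_limit_latency and self.meets_residual
                and self.meets_average_risk)


def assess_csl1(latent_rate, exposure_hours, active_rates):
    """Evaluate one latent failure paired with one or more active failures.

    Assumptions (simplifications, not rule text): latent probability is
    rate x maximum exposure time; average risk is latent probability x
    residual probability, the arithmetic used in footnote 36.
    """
    if latent_rate < 0 or exposure_hours < 0 or any(r < 0 for r in active_rates):
        raise ValueError("rates and exposure time must be non-negative")
    latent_p = min(1.0, latent_rate * exposure_hours)
    residual = sum(active_rates)   # footnote 34: all active failures count
    average = latent_p * residual
    return Csl1Assessment(
        latent_probability=latent_p,
        residual_probability=residual,
        average_risk=average,
        meets_limit_latency=_le(latent_p, LATENT_LIMIT),
        meets_residual=_le(residual, REMOTE),
        meets_average_risk=_le(average, EXTREMELY_IMPROBABLE),
    )


def max_exposure_hours(latent_rate, active_rates):
    """Longest exposure time (hours) for which all three criteria hold."""
    if latent_rate <= 0:
        raise ValueError("latent_rate must be positive")
    residual = sum(active_rates)
    if not _le(residual, REMOTE):
        return 0.0   # no inspection interval repairs a residual above remote
    cap = LATENT_LIMIT
    if residual > 0:
        # The average risk criterion can be tighter than the 1/1000 limit.
        cap = min(cap, EXTREMELY_IMPROBABLE / residual)
    return cap / latent_rate


if __name__ == "__main__":
    # Constructed sample values, per flight hour; not taken from any design.
    cases = {
        "both specific limits met, average risk missed": (1e-6, 1000, [1e-5]),
        "two active failures, shorter interval": (1e-6, 400, [1.5e-6, 0.5e-6]),
        "average risk met, latency limit missed": (1e-6, 2000, [1e-7]),
    }
    for name, (rate, hours, actives) in cases.items():
        print(name, assess_csl1(rate, hours, actives))
    print("max exposure:", max_exposure_hours(1e-6, [1e-5]), "hours")
```

The first constructed case sits exactly at both specific risk limits yet fails the average risk criterion, which is why the allowable exposure time drops from 1000 to 100 hours.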
The FAA finds that Sec. 25.1309(b)(5) is in perfect harmony with
CS 25.1309(b)(5) in structure and intent and closely harmonizes in rule
language. Accordingly, there is no cost to this provision because
manufacturers already have to comply with an equivalent EASA
requirement. Therefore, this rule is cost-beneficial because of reduced
costs from joint harmonization.
iv. Section 25.1309(c) (Flightcrew Alerting)
Section 25.1309(c) currently requires that warning information be
provided to the flightcrew to alert them to unsafe system operating
conditions and to enable them to take appropriate corrective action.
Revised Sec. 25.1309(c) requires that information be provided to the
flightcrew concerning unsafe system operating conditions, rather than
requiring only warnings and, in a change to the NPRM that more closely
harmonizes with the corresponding EASA provision, that it be provided
in a timely manner. The revision will remove an incompatibility with
Sec. 25.1322, which allows other sensory and tactile feedback from the
airplane caused by inherent airplane characteristics to be used in lieu
of dedicated indications and annunciations if the applicant can show
such feedback is sufficiently timely and effective to allow the crew to
take corrective action.
These changes closely harmonize Sec. 25.1309(c) with CS
25.1309(c). Owing to close harmonization with EASA's rule already in
place, there is no cost entailed by these rule changes.
v. Section 25.1309(d) (Reserved)
Current Sec. 25.1309(d) specifies that compliance to Sec.
25.1309(b) must be shown by analysis and appropriate testing, and must
consider possible modes of failure, including malfunctions and damage,
and also that the assessment considers crew warning cues, corrective
action required, and the capability of detecting faults. With this
rulemaking, for two reasons, the FAA moves that content to AC 25.1309-
1B, along with expanded guidance on the safety assessment process: (1)
Section 25.1309 is a performance-based regulation for which methods of
compliance are more appropriately provided in guidance, and (2) the
items for consideration listed in Sec. 25.1309(d) constitute an
incomplete method of compliance to Sec. 25.1309(b). This change is
cost-beneficial because requirements have been relegated to guidance
material, giving manufacturers greater flexibility.
CS 25.1309(d) simply states that EWIS must be assessed per CS
25.1709. The current FAA rule has the same requirement in Sec.
25.1309(f), but it was removed in the NPRM on the basis of redundancy,
and proposed Sec. 25.1309(d) was used for the CMR requirement. In the
final rule, the CMR requirement has been moved to Sec. 25.1309(e) (see
next section) and Sec. 25.1309(d) is now reserved.
vi. Section 25.1309(e) and H25.4 (Certification Maintenance
Requirements)
CMRs are inspection and maintenance tasks and associated inspection
intervals that are used to identify and restrict exposure of critical
airplane safety systems to catastrophic and hazardous failure
conditions, including wear-related failures. An example highlighting
the importance of CMRs is the catastrophic crash of Alaska Airlines
Flight 261 in the Pacific Ocean off the California coast on January
31, 2000, killing all 88 passengers and crew.\37\ The NTSB determined
that the probable cause of this accident was a catastrophic loss of
airplane pitch control resulting from in-flight failure of the
jackscrew assembly of the horizontal stabilizer trim system. That
failure was related to maintenance of this system, specifically the
accelerated excessive wear of a critical part as a result of
insufficient lubrication.
---------------------------------------------------------------------------
\37\ NTSB Safety Recommendation A-02-51 is available in the
docket and at www.ntsb.gov/safety/safety-recs/recletters/A02_36_51.pdf.
---------------------------------------------------------------------------
Section 25.1309(e) is a new provision \38\ requiring that CMRs be
established, as necessary, to prevent catastrophic and hazardous
failure conditions, and occasionally, major failure conditions,
described in Sec. 25.1309(b). The CMR requirement was proposed in
Sec. 25.1309(d) in the NPRM. The ``as necessary'' qualifier was added
in the final rule to clarify that the FAA does not require CMRs for all
failure conditions. Section 25.1309(e) also will require these CMRs to
be contained in the ALS of the ICA required by Sec. 25.1529. This
latter requirement is an industry recommendation via the SE-172
Taskforce to the Commercial Aviation Safety Team (CAST) \39\ and
responds to the Taskforce's recognition that CMRs are critical to
safety and should have treatment similar to other Airworthiness
Limitations.
---------------------------------------------------------------------------
\38\ The NPRM Sec. 25.1309(e) specified that the flight control
jam conditions addressed by Sec. 25.671(c) do not apply to Sec.
25.1309(b)(1)(ii). This exclusion is now in the introductory
paragraph of Sec. 25.1309.
\39\ skybrary.aero/sites/default/files/bookshelf/2553.pdf.
---------------------------------------------------------------------------
Both of these requirements will codify industry practice and will
harmonize with CS 25.1309 and H25.4, so industry will incur no
additional costs. The rule is cost-beneficial from reduced costs of
joint harmonization.\40\
---------------------------------------------------------------------------
\40\ EASA. Certification Specifications and Acceptable Means of
Compliance for Large Aeroplanes (CS-25), Amendment 20, 25 August
2017.
---------------------------------------------------------------------------
[[Page 68726]]
vii. Section 25.1309(f) (Removed)
The FAA has removed paragraph (f) from Sec. 25.1309 and paragraph
(b) from Sec. 25.1301. Section 25.1301(b) requires that the airplane's
EWIS meet the requirements of subpart H of 14 CFR part 25. Subpart H
was created (at amendment 25-123, in 2007) as the single place for the
majority of wiring certification requirements. The references in
Sec. Sec. 25.1301(b) and 25.1309(f) are redundant and unnecessary
because subpart H specifies their applicability. The NPRM Sec.
25.1301(f) was used to specify exceptions to Sec. 25.1309(b), which
are now provided in the introduction of Sec. 25.1309.
b. Section 25.629 Aeroelasticity Stability Requirements
The FAA is revising Sec. 25.629(a) to add wording to clarify that
the aeroelastic evaluation must include any condition of operation
within the maneuvering envelope. This is current industry practice
because such conditions are allowed operational conditions and,
therefore, need to be free from aeroelastic instabilities. Also, this
requirement is stated explicitly for part 23 airplanes in 14 CFR part
23 and CS-23. The FAA is also revising Sec. 25.629(a) to consistently
use the singular term ``evaluation'' where it appears in order to
prevent confusion.
Section 25.671(c)(2) currently specifies examples of failure
combinations that require evaluation, including dual electrical and
dual hydraulic system failures and any single failure combined with any
probable hydraulic or electrical failure. Section 25.629(d)(9)
currently requires that the airplane be shown to be free from flutter
considering various failure conditions considered under Sec. 25.671,
which include the example failure conditions specified in Sec.
25.671(c)(2). These examples are being removed from current Sec.
25.671(c)(2). These failure conditions, however, have provided an
important design standard for dual actuators on flight control surfaces
that rely on retention of restraint stiffness or damping for flutter
prevention. Therefore, the FAA relocates these examples to the
aeroelastic stability requirements of Sec. 25.629(d) and makes changes
to the paragraph numbers to correspond with EASA's rule, as requested
by commenters. These changes are cost-beneficial owing to complete
harmonization with the corresponding CS 25.629 provision.
The NPRM also proposed a change to Sec. 25.629(b) that would
require that design conditions include the range of load factors
specified in Sec. 25.333. Commenters objected that the proposed change
was an expansion of the traditional scope of Sec. 25.629, and it
disharmonized with EASA requirements. The FAA agreed to remove the
proposed change to Sec. 25.629(b), substituting an alternative change
in Sec. 25.629(a), clarifying that aeroelastic evaluation must include
any condition of operation within the maneuvering envelope. This
revision has no cost as it is clarifying and is current industry
practice.
c. Section 25.671 General (Control Systems)
i. Section 25.671(a), (d), (e), and (f) (Control Systems)
The substantive revisions to these requirements are the new
criteria in the second sentence of Sec. 25.671(a); the addition of the
phrase, ``and an approach and flare to a landing and controlled stop,
and flare to a ditching, is possible'' in Sec. 25.671(d); and the new
requirements in Sec. 25.671(e) and (f). The modification to Sec.
25.671(d) clarifies that controllability when all engines fail includes
the capability to approach and flare to a landing and controlled stop,
and flare to a ditching, and harmonizes with CS 25.671(d). In the NPRM,
Sec. 25.671(d) includes the sentence: ``The applicant may show
compliance with this requirement by analysis where the applicant has
shown that analysis to be reliable.'' This sentence is not included in
the final rule as it describes an acceptable means of compliance, which
is adequately covered in the corresponding guidance.
The new paragraph (e) of Sec. 25.671 requires that the airplane be
designed to indicate to the flightcrew whenever the primary control
means are near the limit of control authority. On airplanes equipped
with fly-by-wire control systems, there is no direct tactile link
between the flightdeck control and the control surface, and the
flightcrew may not be aware of the actual control surface position. If
the control surface is near the limit of control authority, and the
flightcrew is unaware of that position, it could negatively affect the
flightcrew's ability to control the airplane in the event of an
emergency. The airplane could meet this requirement through natural or
artificial control feel forces, by cockpit control movement if shown to
be effective, or by flightcrew alerting that complies with Sec.
25.1322.
The new paragraph (f) of Sec. 25.671 requires that appropriate
flight crew alerting be provided if the flight control system has
multiple modes of operation whenever the airplane enters any mode that
significantly changes or degrades the normal handling or operational
characteristics of the airplane. On some flight control system designs,
there may be sub-modes of operation that change or degrade the normal
handling or operational characteristics of the airplane. Similar to
control surface awareness, the flightcrew should be made aware if the
airplane is operating in such a sub-mode. Aside from the one change
already noted, there are no substantial changes to Sec. 25.671(a),
(d), (e), and (f) in the final rule compared to the NPRM.
Manufacturers face little or no additional cost from these
provisions because they are already required by CS 25.671 in language
that exactly matches Sec. 25.671 in language structure and closely
matches Sec. 25.671 in the language itself. Therefore, there is no
additional cost resulting from these provisions. Moreover, since
industry has been meeting the new criteria in Sec. 25.671(a), (e), and
(f) under special conditions since the early 1980s, the FAA believes
that industry now accepts Sec. 25.671(a), (e), and (f) as necessary
low-cost actions. Again, there is no additional cost. For this reason,
the FCHWG recommended these new criteria with little debate.
ii. Section 25.671(b) (Minimize Probability of Incorrect Assembly)
Section 25.671(b) is revised to allow distinctive and permanent
marking for flight control systems to minimize the probability of
incorrect assembly only when design means are impractical. Aside from
minor language changes, there are no changes to this provision in the
final rule relative to the NPRM. It is expert consensus that the
physical prevention of misassembly by design is safer than reliance on
marking, which can be overlooked or ignored. Although not flight
control related, fuel tank access doors provide an example. Since these
doors are required to have greater strength because of the location,
fuel tank access door systems are designed so that other doors will not
securely fit in the fuel tank access door openings.
Since distinctive and permanent marking to minimize the probability
of incorrect assembly is disallowed only when design means are
practical, the expected gain in safety benefits from the reduced
probability of incorrect assembly is greater than the costs of the rule
revision.
Accordingly, the FAA finds this provision to be cost-beneficial.
The FAA
[[Page 68727]]
requested comments on this finding and received none. In any case,
manufacturers face no additional cost because Sec. 25.671(b) closely
aligns with CS 25.671(b) with which they must already comply.
iii. Section 25.671(c) (Flight Control Jams)
For flight controls, revised Sec. 25.671(c) is analogous to Sec.
25.1309(b) in having requirements for the single failure (Sec.
25.671(c)(1)), the combinational failure (Sec. 25.671(c)(2)), and
specific risk (Sec. 25.671(c)(3)). Sections 25.671(c)(1) and (c)(2)
have some language changes, but the intent of each provision is
unchanged from the current rule. The NPRM proposed to remove Sec.
25.671(c)(1) and (c)(2) because all single and combinational failures
are covered by the foundational Sec. 25.1309. However, the FAA agrees
with commenters that Sec. 25.671(c)(1) and (c)(2) should be retained
because removal would disharmonize with EASA's corresponding
requirements and because different means of compliance are normally
used for Sec. 25.671(c) and Sec. 25.1309(b). Accordingly, paragraphs
(c)(1) and (c)(2) of current Sec. 25.671 are retained in the final
rule. Section 25.671(c)(3) is revised as follows:
(1) In Sec. 25.671(c)(3), the FAA clarifies that the provision
applies only to jams due to a physical interference (e.g., foreign or
loose object, system icing, corroded bearings). All other failures or
events that result in either a control surface, pilot control, or
component being fixed in position are addressed under Sec.
25.671(c)(1) and (c)(2) and Sec. 25.302 where applicable.
(2) Section 25.671(c)(3) no longer addresses a runaway of a flight
control surface and subsequent jam. A failure that results in
uncommanded control surface movement is addressed by Sec. 25.671(c)(1)
and (c)(2).
(3) Section 25.671(c)(3)(iii) is a new requirement specifying that
given a jam, the combined probability is 1/1000 or less that any
additional failure conditions could prevent continued safe flight and
landing. This requirement is to ensure adequate reliability of any
system necessary to alleviate the jam when it occurs. This specific
risk requirement is analogous to the 1/1000 latent specific risk
requirement for potential catastrophic single latent failure plus one
(CSL+1) failure conditions discussed above for Sec. 25.1309(b)(5),
which is required to ensure a safety margin in the event of an active
failure.
(4) While current Sec. 25.671(c)(3) allows the use of probability
analysis, applicants have generally been unable to demonstrate that
jamming conditions are ``extremely improbable,'' except for conditions
that occur during a very limited time just prior to landing. Because of
this issue with probability assessment for jams, the FAA has revised
Sec. 25.671(c)(3) to require that the manufacturer's safety
assessments assume that jamming conditions will occur--probability set
equal to one--when showing that the airplane is capable of continued
safe flight and landing. For the same reason, the jamming conditions of
Sec. 25.671(c)(3) are excluded from the probability requirements of
Sec. 25.1309(b).
The assumption that the jam will occur--and that the airplane will
be able to withstand it--does not apply to jamming conditions that
occur immediately before touchdown if the risk of a jam is minimized to
the extent practical. For jams that occur just before landing, some
amount of time and altitude is necessary in order to recover, and there
is no practical means by which a recovery can be demonstrated. Hence
the requirement that the risk of a jam be minimized to the extent
practical. (This is a change from the NPRM where the requirement was
that the applicant show that such jams are extremely improbable.) This
change creates a difference in the language of Sec. 25.671(c)(3)(ii)
and CS 25.671(c)(3)(ii) because EASA does not have this exception in its
rule.
In its Acceptable Means of Compliance (AMC) Sec. 25.671, however,
EASA states that, ``if continued safe flight and landing cannot be
demonstrated, perform a qualitative assessment of the design, relative
to jam prevention and jam alleviation means, to show that all practical
precautions have been taken . . . .'' Consequently, the FAA expects the
difference between Sec. 25.671(c)(3)(ii) and CS 25.671(c)(3)(ii) to
have no effect in practice. There are no additional substantial
differences between the final rule and the NPRM with respect to Sec.
25.671(c)(3).
Section 25.671 has changed from the NPRM to the point where it is
almost perfectly aligned in structure and intent, and closely aligned
in text language, with CS 25.671. Section 25.671 is now so closely
aligned that there is no additional cost from the FAA provision because
manufacturers already have to meet the EASA provision. Moreover, as
already noted, industry has been meeting the new criteria in Sec.
25.671(a), (e), and (f) under special conditions since the early 1980s.
Because of that experience, the FAA believes that manufacturers now
accept these special conditions as the low-cost necessary actions.
Again, there is no additional cost. Finally, the FAA believes that
Sec. 25.671(c)(3) is already accepted as the low-cost industry
practice as it has been used by many manufacturers under a voluntary
ELOS.
d. Section 25.901 Installation (Powerplants)
The revision to Sec. 25.901(c) moves basic systems safety criteria
to Sec. 25.1309 and is finalized as proposed. In so doing, Sec.
25.901(c) clarifies that Sec. 25.1309 applies to powerplant (engine)
installations, as it does for all airplane systems. Accordingly, the
current provision in Sec. 25.901(c) prohibiting catastrophic single
failures or probable combinations of failures is removed. Design
requirements do not change as a result of this revision to the rule.
There are no substantial changes in the final rule compared to the
NPRM. The revision exactly harmonizes the structure and very closely
harmonizes the text of Sec. 25.901(c) with EASA's corresponding CS
25.901(c). Accordingly, the revision is cost-beneficial as it provides
reduced costs from joint harmonization since manufacturers must
already comply with CS 25.901(c). The FAA asked for comments on this
finding in the NPRM and received none.
e. Section 25.933 Reversing Systems (Controllability and Reliability
Options)
In the event of an inadvertent activation of the thrust reverser
during flight, current Sec. 25.933(a) requires that the airplane be
capable of ``continued flight and landing.'' The service history of
airplanes certified under the current rule--most prominently, the
aforementioned catastrophic Lauda Air accident in Thailand--has
demonstrated that the intent of this ``fail-safe'' requirement had not
been achieved. As discussed in the section on Sec. 25.1309(b)(5)
above, the catastrophic failure condition that caused the Lauda Air
accident was corrected by adding redundancy to convert a dual failure
condition to a triple failure condition. This revision to Sec.
25.933(a) further addresses the thrust reverser issue with a revised
Sec. 25.933(a)(1)(i) that retains ``controllability'' from the current
rule as an option, but also revises Sec. 25.933(a)(1)(ii) to provide
an additional ``reliability'' option using the requirements of Sec.
25.1309(b).\41\ The
[[Page 68728]]
reliability option recognizes that Sec. 25.1309 applies to all
systems. There are no substantial differences between the final rule
and the NPRM with respect to Sec. 25.933(a).
---------------------------------------------------------------------------
\41\ It should be noted that the controllability option would
still require compliance with Sec. 25.1309. But when an applicant
demonstrates compliance using the controllability option, that
ensures that an unwanted thrust reversal in flight would be
classified at worst as a ``major'' failure, thereby making
compliance with Sec. 25.1309(b) much easier.
---------------------------------------------------------------------------
The final rule (and NPRM) for Sec. 25.933(a) is in close harmony
with the corresponding CS 25.933(a) as it is identical in rule
structure and intent. Accordingly, there is no additional cost to this
rule as manufacturers already have to comply with CS 25.933(a).
Moreover, Sec. 25.933(a) is cost-beneficial as it allows flexibility
in design development, enabling manufacturers to achieve the intended
level of safety in the most cost-effective manner.
f. Section 25.302 Interaction of Systems and Structures
There are many technical differences between the NPRM and the final
rule. Nine major commenters, including Boeing and Airbus, asked the FAA
to harmonize with EASA CS 25.302, even to the extent of using the same
language and paragraph numbering. Commenters noted that CS 25.302
matches the FAA Interaction of Systems and Structures special condition
that has been used for many years. Commenters stated that the
differences between FAA and EASA requirements would create a
substantial certification burden. The FAA agrees with the commenters
and, except where discussed below, has agreed to match the language and
structure of EASA's rule to the extent possible.
i. Section 25.302(b) System Fully Operative
The applicant must derive limit loads \42\ for the limit conditions
specified in subpart C, taking into account the behavior of the system
up to the limit loads. The applicant must show that the airplane meets
the strength requirements of subparts C and D, using the appropriate
factor of safety to derive ultimate loads from these limit loads.
Section 25.302(b) is less verbose than the corresponding EASA text but
uses some of the same language and has the same intent as EASA's
version. Since Sec. 25.302(b) harmonizes with EASA CS 25.302(b), there
are no incremental costs from paragraph (b), and the provision is cost-
beneficial because of joint harmonization.
---------------------------------------------------------------------------
\42\ Design loads are typically expressed in terms of limit
loads, which are then multiplied by a factor of safety, usually 1.5,
to determine ultimate loads.
---------------------------------------------------------------------------
ii. Section 25.302(c) System in the Failure Condition
This section applies for any failure condition not shown to be
extremely improbable or that results from a single failure. CS
25.302(c) requires the evaluation of any system failure condition not
shown to be extremely improbable but does not explicitly mention single
failures. Nevertheless, evaluation of single failures would be required
when evaluating CS 25.302. This is because single failures cannot be
shown by a probability analysis to be extremely improbable. As noted in
AC 25.1309-1A, dated June 21, 1988, ``In general, a failure condition
resulting from a single failure mode of a device cannot be accepted as
being extremely improbable.'' Extremely improbable failure conditions
are those having an average probability per flight hour of 1 x
10^-9 or less. The FAA would not accept a probability
analysis showing a single failure to be extremely improbable because
such an estimation would not be considered reliable. An unreliable
estimate could inadvertently result in a level of risk that was unsafe
and not justified by any cost savings obtained. Accordingly, the FAA
finds to be cost-beneficial the requirement of Sec. 25.302(c) to
evaluate any system failure condition resulting from a single failure.
At the time of occurrence, the applicant must determine the loads
occurring at the time of failure and immediately after failure. For
static strength substantiation, the airplane must be able to withstand
the ultimate loads determined by multiplying the loads by a factor of
safety related to the probability that the failure occurs. The factor
of safety (F.S.) is shown in Figure 1.
[GRAPHIC] [TIFF OMITTED] TR27AU24.000
Figure 1 shows the factor of safety to be constant at 1.5 between a
probability of failure of 1.0 and 10^-5; between 10^-5 and 10^-9, it
declines linearly from 1.5 to 1.25 as Pj goes from 10^-5 to 10^-9,
where Pj is the probability of failure. The factor of safety is not
allowed to be below 1.5 at high probabilities of failure (>10^-5). For
low probabilities of failure (<10^-5), the F.S. falls as the
probability of failure falls but is not allowed to be less than 1.25 as
the probability of
[[Page 68729]]
failure falls towards extreme improbability at 10^-9. Note
that the probability of failure axis is in logarithmic scale. In the
NPRM, this figure was not used as the FAA kept the factor of safety at
1.5 regardless of the probability of failure. In the final rule, this
provision is cost-relieving relative to the NPRM because the FAA is now
harmonizing with the less stringent EASA provision.
For residual strength substantiation, the airplane must be able to
withstand two-thirds of the ultimate loads. Residual strength is the
strength that remains as the airplane structure deteriorates over time,
so this test requires a prediction of that deterioration.
Failures of the system that result in forced structural vibrations
(oscillatory failures) must not produce loads that could result in
detrimental deformation of primary structure. A forced structural
vibration or oscillatory failure occurs when an oscillating system is
driven by a periodic force that is external to the system.
For the continuation of the flight, loads are determined for a
limited set of conditions, as noted in Sec. 25.302(c)(2)(i). Section
25.302(c)(2)(i)(F) is an additional rule provision not in CS 25.302.
This provision requires that if any system is installed or tailored to
reduce the loads of a part 25 load condition, then that load condition
must also be evaluated. This provision is necessary to account for any
such systems as their failure will increase loads. The FAA believes
this is a low-cost provision, having been applied in only a few cases
over many years.
For static strength substantiation, the structure must be able to
withstand the loads determined in Sec. 25.302(c)(2)(i) multiplied by a
factor of safety, as shown in Figure 2.
[GRAPHIC] [TIFF OMITTED] TR27AU24.001
Qj = (Tj)(Pj) where:
Tj = Average time spent in failure condition j (in hours)
Pj = Probability of occurrence of failure mode j (per hour)
Figure 2 shows the factor of safety falls linearly from 1.5 to 1.0
as Qj declines from 1 to 10^-5, and the factor of safety is
constant at 1.0 between 10^-5 and 10^-9, where Qj =
(Tj)(Pj), where Tj is the average time in the failure condition (in
hours), and Pj is the probability of failure (per hour) or failure
rate. So Qj is the (average) cumulative probability of failure. In
contrast to the F.S. at the time of failure occurrence (Figure 1), the
F.S. for continuation of flight (Figure 2) is allowed to fall
immediately below 1.5 as failure probability falls from the highest
probability of 1, and in contrast to the minimum F.S. of 1.25 for
Figure 1, the Figure 2 safety margin is allowed to fall to 1.0 at
10^-5, where it remains as the probability of failure falls
to extreme improbability at 10^-9. As with Figure 1, note
that the Figure 2 probability of failure axis is in logarithmic scale.
In the NPRM, this figure was not used as the FAA did not vary the
factor of safety with the probability of system failure. The NPRM
provision was less stringent than the final rule in reducing the factor
of safety to 1.0 if the failure was annunciated. However, the NPRM
provision applied to all load conditions in subpart C, whereas in the
final rule, the provision applies to the limited set of subpart C load
conditions specified in Sec. 25.302(c)(2)(i) so that, overall, in
harmonizing with EASA, the final rule provision is cost-relieving relative
to the NPRM.
For residual strength substantiation, the airplane must be able to
withstand two-thirds of the ultimate loads. If the loads induced by the
failure condition have a significant effect on fatigue or damage
tolerance, then their effects must be taken into account. A failure
condition has a ``significant'' effect on fatigue or damage tolerance
if it would result in a change to inspection thresholds, inspection
intervals, or life limits. Unlike EASA's rule, Sec. 25.302(c) does not
include aeroelasticity stability requirements. Both CS 25.302 and CS
25.629 specify flutter speed margins for failure conditions. In CS
25.629, for the group of failures covered by CS 25.302, the margins are
based on the probability of the condition's occurrence, whereas, for
the remaining failure conditions, a single speed margin is defined,
similar to Sec. 25.629, regardless of probability. The FAA believes
the current speed margins specified in Sec. 25.629 are adequate, and
there is no need for more specific failure criteria based on
probability of occurrence and speed margins. The current speed margin
specified in Sec. 25.629, which has been in place since amendment 25-0
of 14 CFR part 25, has proven effective in service. For that reason,
the absence of such a provision has little impact.
Summary of Cost-Benefit Analysis for Sec. 25.302(c)
The FAA finds that Sec. 25.302(c) harmonizes very closely in
structure with CS 25.302(c) and closely in rule
language, aside from the single failure requirement, the additional
load provision of Sec. 25.302(c)(2)(i)(F), and the lack of
aeroelasticity stability requirements in Sec. 25.302(c). Because of
this close harmonization, there is little or no additional cost to that
required by EASA certification. Moreover, because of the imposition of
the FAA's Interaction of Systems and Structures special conditions for
more than twenty years, the FAA believes that industry is so well-
adapted to the special conditions that it is now the industry's low-
cost necessary action. Thus, no change is implied by the rule, and,
therefore, there is little or no additional cost. The provision is
cost-beneficial owing to cost savings from joint harmonization.
iii. Section 25.302(d) Failure Indications
Section 25.302(d) requires that the system be checked for failure
conditions discussed in Sec. 25.302(c)(2), for example, using a CMR
procedure. As far as practicable, the flightcrew must be made aware of
these failures before flight. Manufacturers are allowed relief in the
F.S. requirement shown in Figure 2, as in Sec. 25.302(c)(2). However,
any failure condition, not extremely improbable, that results in an
F.S. below 1.25 in Figure 2 must be alerted to the crew. This latter
requirement sounds contradictory since it means the flightcrew must be
alerted when the probability of failure is low enough for the safety
factor to be less than 1.25. It appears alerting the flightcrew is
substituted for a higher factor of safety. A manufacturer finding
alerting the flightcrew too onerous can reverse the substitution by
having a higher factor of safety.
The language of this paragraph closely matches that of CS
25.302(d), except for some additional verbiage that does not change the
intent. For the same reasons given for paragraph (c) of Sec. 25.302,
there is no additional cost from this provision, and the provision is
cost-beneficial owing to the cost savings from joint harmonization.
iv. Section 25.302(e) Dispatch With Known Failure Conditions
The applicant forecasts the probability of the failure condition
(``at the time of occurrence'' in Sec. 25.302(c)) and how many days
the airplane will be in that dispatch configuration. That probability
is then combined with the probability of subsequent failures to
calculate Qj, the probability of being in the dispatched condition, and
the subsequent failure condition. Qj is then used in Figure 2 to
establish the required safety margins, the same safety margin relief
allowed in Sec. 25.302(c)(2) and in Sec. 25.302(d).
The FAA excludes one sentence related to dispatch limitations from
Sec. 25.302(e) that is in CS 25.302 because its intent and application
are unclear. Otherwise, Sec. 25.302(e) closely harmonizes with CS
25.302. The FAA special conditions and the corresponding CS 25.302 have
provided an adequate service record. For the same reasons given for
paragraphs (c) and (d) of Sec. 25.302, there is no additional cost
from this provision, and the provision is cost-beneficial owing to the
reduced costs from joint harmonization.
B. Regulatory Flexibility Determination
The Regulatory Flexibility Act (RFA) of 1980, Public Law 96-354, 94
Stat. 1164 (5 U.S.C. 601-612), as amended by the Small Business
Regulatory Enforcement Fairness Act of 1996 (Pub. L. 104-121, 110 Stat.
857, Mar. 29, 1996) and the Small Business Jobs Act of 2010 (Pub. L.
111-240, 124 Stat. 2504 Sept. 27, 2010), requires Federal agencies to
consider the effects of the regulatory action on small business and
other small entities and to minimize any significant economic impact.
The term ``small entities'' comprises small businesses and not-for-
profit organizations that are independently owned and operated and are
not dominant in their fields, and governmental jurisdictions with
populations of less than 50,000.
Garmin commented on the NPRM that the cost-benefit analysis does
not consider the impact on ATC or STC projects that would be considered
significant under Sec. 21.101, the Changed Product Rule. In addition,
MARPA requested that the FAA clarify the applicability of the SSA rule
to PMA applicants and STC applicants. If the SSA rule is applicable to
PMA and STC applicants, MARPA requested that the FAA adjust the cost-
benefit analysis accordingly, complete a Regulatory Flexibility Act
analysis, and make the revised cost-benefit analysis and Regulatory
Flexibility Act analysis available for comment in a supplemental NPRM.
This final rule updates the cost-benefit analysis to take account
of the fact that the final rule closely harmonizes with the
corresponding EASA rule. Since U.S. manufacturers already are required
to meet the EASA requirements, the closely harmonized provisions of the
final rule impose no or minimal costs. In future STC or ATC projects
where the design change is determined under the Changed Product Rule to
be a significant product level change, the Changed Product Rule will
then require that the certification basis of those projects be updated.
The cost-benefit analysis for the Changed Product Rule, however, has
determined that the required updated certification basis for such
projects is cost-beneficial. PMAs (replacement articles) are managed in
accordance with Subpart K to part 21. The final rule will apply only at
that time in the future when a PMA (or non-significant STC) applicant
seeks to modify a product that already has the final rule in its
certification basis. Accordingly, the FAA finds that neither a
Regulatory Flexibility Act analysis nor a supplemental NPRM is
required.
If an agency determines that a rulemaking will not result in a
significant economic impact on a substantial number of small entities,
the head of the agency may so certify under section 605(b) of the RFA.
Since there are no or minimal additional costs to this final rule, the
FAA certifies that the final rule will not have a significant economic
impact on a substantial number of small entities.
C. International Trade Impact Assessment
The Trade Agreements Act of 1979 (Pub. L. 96-39), as amended by the
Uruguay Round Agreements Act (Pub. L. 103-465), prohibits Federal
agencies from establishing standards or engaging in related activities
that create unnecessary obstacles to the foreign commerce of the United
States. Pursuant to these Acts, the establishment of standards is not
considered an unnecessary obstacle to the foreign commerce of the
United States, so long as the standard has a legitimate domestic
objective, such as the protection of safety, and does not operate in a
manner that excludes imports that meet this objective. The statute also
requires consideration of international standards and, where
appropriate, that they be the basis for U.S. standards.
The FAA has assessed the potential effect of this final rule and
determined that its purpose is to ensure the safety of U.S. civil
aviation. Therefore, this final rule is in compliance with the Trade
Agreements Act.
D. Unfunded Mandates Assessment
The Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531-1538)
governs the issuance of Federal regulations that require unfunded
mandates. An unfunded mandate is a regulation that requires a State,
local, or tribal government or the private sector to incur direct costs
without the Federal government having first provided the funds to pay
those costs. The FAA
determined that the proposed rule will not result in the expenditure of
$183 million or more by State, local, or tribal governments, in the
aggregate, or the private sector, in any one year.
E. Paperwork Reduction Act
The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires
that the FAA consider the impact of paperwork and other information
collection burdens imposed on the public. The FAA has determined that
there is no new requirement for information collection associated with
this final rule.
F. International Compatibility
In keeping with U.S. obligations under the Convention on
International Civil Aviation, it is FAA policy to conform to
International Civil Aviation Organization (ICAO) Standards and
Recommended Practices to the maximum extent practicable. The FAA has
determined that there are no ICAO Standards and Recommended Practices
that correspond to these regulations.
G. Environmental Analysis
FAA Order 1050.1F identifies FAA actions that are categorically
excluded from preparation of an environmental assessment or
environmental impact statement under the National Environmental Policy
Act (NEPA) in the absence of extraordinary circumstances. The FAA has
determined this rulemaking action qualifies for the categorical
exclusion identified in paragraph 5-6.6 for regulations and involves no
extraordinary circumstances.
VII. Executive Order Determinations
A. Executive Order 13132, Federalism
The FAA has analyzed this final rule under the principles and
criteria of Executive Order (E.O.) 13132, Federalism (64 FR 43255,
August 10, 1999). The FAA has determined that this action will not have
a substantial direct effect on the States, or the relationship between
the Federal Government and the States, or on the distribution of power
and responsibilities among the various levels of government, and,
therefore, will not have federalism implications.
B. Executive Order 13175, Consultation and Coordination With Indian
Tribal Governments
Consistent with Executive Order 13175, Consultation and
Coordination with Indian Tribal Governments,\43\ and FAA Order 1210.20,
American Indian and Alaska Native Tribal Consultation Policy and
Procedures,\44\ the FAA ensures that Federally Recognized Tribes
(Tribes) are given the opportunity to provide meaningful and timely
input regarding proposed Federal actions that have the potential to
have substantial direct effects on one or more Indian tribes, on the
relationship between the Federal government and Indian tribes, or on
the distribution of power and responsibilities between the Federal
government and Indian tribes; or to affect uniquely or significantly
their respective Tribes. At this point, the FAA has not identified any
unique or significant effects, environmental or otherwise, on tribes
resulting from this final rule.
---------------------------------------------------------------------------
\43\ 65 FR 67249 (Nov. 6, 2000).
\44\ FAA Order No. 1210.20 (Jan. 28, 2004), available at
www.faa.gov/documentLibrary/media/1210.pdf.
---------------------------------------------------------------------------
C. Executive Order 13211, Regulations That Significantly Affect Energy
Supply, Distribution, or Use
The FAA analyzed this final rule under E.O. 13211, Actions
Concerning Regulations that Significantly Affect Energy Supply,
Distribution, or Use (66 FR 28355, May 18, 2001). The FAA has
determined that it is not a ``significant energy action'' under the
executive order and is not likely to have a significant adverse effect
on the supply, distribution, or use of energy.
D. Executive Order 13609, Promoting International Regulatory
Cooperation
Executive Order 13609, Promoting International Regulatory
Cooperation, promotes international regulatory cooperation to meet
shared challenges involving health, safety, labor, security,
environmental, and other issues and to reduce, eliminate, or prevent
unnecessary differences in regulatory requirements. The FAA has
analyzed this action under the policies and agency responsibilities of
Executive Order 13609 and has determined that this action will have no
effect on international regulatory cooperation.
In January of 2020, EASA published CS-25 amendment 24, which bore
many similarities to the proposals in the NPRM, including added
criteria for latent failures in CS 25.1309. This final rule harmonizes
FAA requirements with EASA's requirements to the extent possible.
VIII. Additional Information
A. Electronic Access and Filing
A copy of the NPRM, all comments received, this final rule, and all
background material may be viewed online at www.regulations.gov using
the docket number listed above. A copy of this final rule will be
placed in the docket. Electronic retrieval help and guidelines are
available on the website. It is available 24 hours each day, 365 days
each year. An electronic copy of this document may also be downloaded
from the Office of the Federal Register's website at
www.federalregister.gov and the Government Publishing Office's website
at www.govinfo.gov. A copy may also be found at the FAA's Regulations
and Policies website at www.faa.gov/regulations_policies.
Copies may also be obtained by sending a request to the Federal
Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence
Avenue SW, Washington, DC 20591, or by calling (202) 267-9677.
Commenters must identify the docket or notice number of this
rulemaking.
All documents the FAA considered in developing this final rule,
including economic analyses and technical reports, may be accessed in
the electronic docket for this rulemaking.
B. Small Business Regulatory Enforcement Fairness Act
The Small Business Regulatory Enforcement Fairness Act (SBREFA) of
1996 requires the FAA to comply with small entity requests for
information or advice about compliance with statutes and regulations
within its jurisdiction. A small entity with questions regarding this
document may contact its local FAA official, or the person listed under
the FOR FURTHER INFORMATION CONTACT heading at the beginning of the
preamble. To find out more about SBREFA on the internet, visit
www.faa.gov/regulations_policies/rulemaking/sbre_act/.
List of Subjects in 14 CFR Part 25
Aircraft, Aviation safety, Life-limited parts, Reporting and
recordkeeping requirements.
The Amendment
In consideration of the foregoing, the Federal Aviation
Administration amends chapter I of title 14, Code of Federal
Regulations as follows:
PART 25--AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES
1. The authority citation for part 25 continues to read as follows:
Authority: 49 U.S.C. 106(f), 106(g), 40113, 44701, 44702 and
44704.
2. Add Sec. 25.4 to read as follows:
Sec. 25.4 Definitions.
(a) For the purposes of this part, the following general
definitions apply:
(1) Certification maintenance requirement means a required
scheduled maintenance task established during the design certification
of the airplane systems as an airworthiness limitation of the type
certificate or supplemental type certificate.
(2) Significant latent failure is a latent failure that, in
combination with one or more specific failures or events, would result
in a hazardous or catastrophic failure condition.
(b) For purposes of this part, the following failure conditions, in
order of increasing severity, apply:
(1) Major failure condition means a failure condition that would
reduce the capability of the airplane or the ability of the flightcrew
to cope with adverse operating conditions, to the extent that there
would be--
(i) A significant reduction in safety margins or functional
capabilities,
(ii) A physical discomfort or a significant increase in flightcrew
workload or in conditions impairing the efficiency of the flightcrew,
(iii) Physical distress to passengers or cabin crew, possibly
including injuries, or
(iv) An effect of similar severity.
(2) Hazardous failure condition means a failure condition that
would reduce the capability of the airplane or the ability of the
flightcrew to cope with adverse operating conditions, to the extent
that there would be--
(i) A large reduction in safety margins or functional capabilities,
(ii) Physical distress or excessive workload such that the
flightcrew cannot be relied upon to perform their tasks accurately or
completely, or
(iii) Serious or fatal injuries to a relatively small number of
persons other than the flightcrew.
(3) Catastrophic failure condition means a failure condition that
would result in multiple fatalities, usually with the loss of the
airplane.
(c) For purposes of this part, the following failure conditions in
order of decreasing probability apply:
(1) Probable failure condition means a failure condition that is
anticipated to occur one or more times during the entire operational
life of each airplane of a given type.
(2) Remote failure condition means a failure condition that is not
anticipated to occur to each airplane of a given type during its entire
operational life, but which may occur several times during the total
operational life of a number of airplanes of a given type.
(3) Extremely remote failure condition means a failure condition
that is not anticipated to occur to each airplane of a given type
during its entire operational life, but which may occur a few times
during the total operational life of all airplanes of a given type.
(4) Extremely improbable failure condition means a failure
condition that is not anticipated to occur during the total operational
life of all airplanes of a given type.
3. Add Sec. 25.302 to read as follows:
Sec. 25.302 Interaction of systems and structures.
For airplanes equipped with systems that affect structural
performance, either directly or as a result of a failure or
malfunction, the influence of these systems and their failure
conditions must be taken into account when showing compliance with the
requirements of subparts C and D of this part. These criteria are only
applicable to structure whose failure could prevent continued safe
flight and landing.
(a) General. The applicant must use the following criteria in
determining the influence of a system and its failure conditions on the
airplane structure.
(b) System fully operative. With the system fully operative, the
following criteria apply:
(1) The applicant must derive limit loads for the limit conditions
specified in subpart C of this part, taking into account the behavior
of the system up to the limit loads. System nonlinearities must be
taken into account.
(2) The applicant must show that the airplane meets the strength
requirements of subparts C and D of this part, using the appropriate
factor of safety to derive ultimate loads from the limit loads defined
in paragraph (b)(1) of this section. The effect of nonlinearities must
be investigated sufficiently beyond limit conditions to ensure the
behavior of the system presents no detrimental effects compared to the
behavior below limit conditions. However, conditions beyond limit
conditions need not be considered when it can be shown that the
airplane has design features that will not allow it to exceed those
limit conditions.
(3) Reserved.
(c) System in the failure condition. For any system failure
condition not shown to be extremely improbable or that results from a
single failure, the following criteria apply:
(1) At the time of occurrence. The applicant must establish a
realistic scenario, starting from 1g level flight conditions, and
including pilot corrective actions, to determine the loads occurring at
the time of failure and immediately after failure.
(i) For static strength substantiation, the airplane must be able
to withstand the ultimate loads determined by multiplying the loads in
paragraph (c)(1) of this section by a factor of safety that is related
to the probability of occurrence of the failure. The factor of safety
(F.S.) is defined in Figure 1.
Figure 1 to paragraph (c)(1)(i)
[GRAPHIC] [TIFF OMITTED] TR27AU24.002
(ii) For residual strength substantiation, the airplane must be
able to withstand two thirds of the ultimate loads defined in paragraph
(c)(1)(i) of this section. For pressurized cabins, these loads must be
combined with the normal operating differential pressure.
(iii) Reserved.
(iv) Failures of the system that result in forced structural
vibrations (oscillatory failures) must not produce loads that could
result in detrimental deformation of primary structure.
(2) For the continuation of the flight. For the airplane, in the
system failed state and considering any appropriate reconfiguration and
flight limitations, the following apply:
(i) The loads derived from the following conditions at speeds up to
VC/MC, or the speed limitation prescribed for the
remainder of the flight must be determined:
(A) the limit symmetrical maneuvering conditions specified in
Sec. Sec. 25.331 and 25.345,
(B) the limit gust and turbulence conditions specified in
Sec. Sec. 25.341 and 25.345,
(C) the limit rolling conditions specified in Sec. 25.349 and the
limit unsymmetrical conditions specified in Sec. Sec. 25.367 and
25.427(b) and (c),
(D) the limit yaw maneuvering conditions specified in Sec. 25.351,
(E) the limit ground loading conditions specified in Sec. Sec.
25.473 and 25.491, and
(F) any other subpart C of this part load condition for which a
system is specifically installed or tailored to reduce the loads of
that condition.
(ii) For static strength substantiation, each part of the structure
must be able to withstand the loads in paragraph (c)(2)(i) of this
section multiplied by a factor of safety that depends on the
probability of being in this failure condition. The factor of safety is
defined in Figure 2.
Figure 2 to paragraph (c)(2)(ii)
[GRAPHIC] [TIFF OMITTED] TR27AU24.003
Qj = (Tj)(Pj) where:
Tj = Average time spent in failure condition j (in hours)
Pj = Probability of occurrence of failure mode j (per hour)
If Pj is greater than 10^-3 per flight hour, then a 1.5
factor of safety must be applied in
lieu of the factor of safety defined in Figure 2.
(iii) For residual strength substantiation, the airplane must be
able to withstand two thirds of the ultimate loads defined in paragraph
(c)(2)(ii) of this section. For pressurized cabins, these loads must be
combined with the normal operating differential pressure.
(iv) If the loads induced by the failure condition have a
significant effect on fatigue or damage tolerance then their effects
must be taken into account.
(v) Reserved.
(vi) Reserved.
(3) Reserved.
(d) Failure indications. For system failure detection and
indication, the following apply:
(1) The system must be checked for failure conditions evaluated
under paragraph (c) of this section that degrade the structural
capability below the level required by subparts C (excluding Sec.
25.302) and D of this part or that reduce the reliability of the
remaining system. As far as practicable, these failures must be
indicated to the flightcrew before flight.
(2) The existence of any failure condition evaluated under
paragraph (c) of this section that results in a factor of safety
between the airplane strength and the loads of subpart C of this part
below 1.25 must be indicated to the flightcrew.
(e) Dispatch with known failure conditions. If the airplane is to
be dispatched in a known system failure condition that affects
structural performance or affects the reliability of the remaining
system to maintain structural performance, then the Master Minimum
Equipment List must ensure the provisions of Sec. 25.302 are met for
the dispatched condition and for any subsequent failures. Flight
limitations and operational limitations may be taken into account in
establishing Qj as the combined probability of being in the dispatched
failure condition and the subsequent failure condition for the safety
margins in Figure 2. No reduction in these safety margins is allowed if
the subsequent system failure rate is greater than 10^-3 per
flight hour.
4. Amend Sec. 25.629 by revising paragraph (a) and (d) introductory
text, redesignating paragraphs (d)(9) and (10) as paragraphs (d)(10)
and (11), and adding a new paragraph (d)(9) to read as follows:
Sec. 25.629 Aeroelastic stability requirements.
(a) General. The aeroelastic stability evaluation required under
this section includes flutter, divergence, control reversal and any
undue loss of stability and control as a result of structural
deformation. The aeroelastic evaluation must include whirl modes
associated with any propeller or rotating device that contributes
significant dynamic forces. Additionally, the evaluation must include
any condition of operation within the maneuvering envelope. Compliance
with this section must be shown by analyses, wind tunnel tests, ground
vibration tests, flight tests, or other means found necessary by the
Administrator.
* * * * *
(d) Failures, malfunctions, and adverse conditions. The failures,
malfunctions, and adverse conditions that must be considered in showing
compliance with this section are:
* * * * *
(9) The following flight control system failure combinations in
which aeroelastic stability relies on flight control system stiffness,
damping or both:
(i) Any dual hydraulic system failure.
(ii) Any dual electrical system failure.
(iii) Any single failure in combination with any probable hydraulic
or electrical system failure.
* * * * *
5. Revise Sec. 25.671 to read as follows:
Sec. 25.671 General.
(a) Each flight control system must operate with the ease,
smoothness, and positiveness appropriate to its function. The flight
control system must continue to operate and respond appropriately to
commands, and must not hinder airplane recovery, when the airplane is
experiencing any pitch, roll, or yaw rate, or vertical load factor that
could occur due to operating or environmental conditions, or when the
airplane is in any attitude.
(b) Each element of each flight control system must be designed, or
distinctively and permanently marked, to minimize the probability of
incorrect assembly that could result in failure or malfunctioning of
the system. The applicant may use distinctive and permanent marking
only where design means are impractical.
(c) The airplane must be shown by analysis, test, or both, to be
capable of continued safe flight and landing after any of the following
failures or jams in the flight control system within the normal flight
envelope. Probable malfunctions must have only minor effects on control
system operation and must be capable of being readily counteracted by
the pilot.
(1) Any single failure, excluding failures of the type defined in
Sec. 25.671(c)(3);
(2) Any combination of failures not shown to be extremely
improbable, excluding failures of the type defined in Sec.
25.671(c)(3); and
(3) Any failure or event that results in a jam of a flight control
surface or pilot control that is fixed in position due to a physical
interference. The jam must be evaluated as follows:
(i) The jam must be considered at any normally encountered position
of the control surface or pilot control.
(ii) The jam must be assumed to occur anywhere within the normal
flight envelope and during any flight phase except during the time
immediately before touchdown if the risk of a potential jam is
minimized to the extent practical.
(iii) In the presence of the jam, any additional failure conditions
that could prevent continued safe flight and landing must have a
combined probability of 1/1000 or less.
(d) If all engines fail at any point in the flight, the airplane
must be controllable, and an approach and flare to a landing and
controlled stop, and flare to a ditching, must be possible, without
requiring exceptional piloting skill or strength.
(e) The airplane must be designed to indicate to the flightcrew
whenever the primary control means is near the limit of control
authority.
(f) If the flight control system has multiple modes of operation,
appropriate flightcrew alerting must be provided whenever the airplane
enters any mode that significantly changes or degrades the normal
handling or operational characteristics of the airplane.
6. Amend Sec. 25.901 by revising paragraph (c) to read as follows:
Sec. 25.901 Installation.
* * * * *
(c) For each powerplant and auxiliary power unit installation, the
applicant must comply with the requirements of Sec. 25.1309, except
that the effects of the following failures need not comply with Sec.
25.1309(b)--
(1) Engine case burn-through or rupture,
(2) Uncontained engine rotor failure, and
(3) Propeller debris release.
* * * * *
7. Amend Sec. 25.933 by revising paragraph (a)(1) to read as follows:
Sec. 25.933 Reversing systems.
(a) * * *
(1) For each system intended for ground operation only, the
applicant must show--
(i) The airplane is capable of continued safe flight and landing
during and after any thrust reversal in flight; or
(ii) The system complies with Sec. 25.1309(b) using the assumption
the airplane would not be capable of continued safe flight and landing
during and after an in-flight thrust reversal.
* * * * *
8. Revise Sec. 25.1301 to read as follows:
Sec. 25.1301 Function and installation.
Each item of installed equipment must--
(a) Be of a kind and design appropriate to its intended function;
(b) Be labeled as to its identification, function, or operating
limitations, or any applicable combination of these factors; and
(c) Be installed according to limitations specified for that
equipment.
9. Revise Sec. 25.1309 to read as follows:
Sec. 25.1309 Equipment, systems, and installations.
The requirements of this section, except as identified below, apply
to any equipment or system as installed on the airplane. Although this
section does not apply to the performance and flight characteristic
requirements of subpart B of this part, or to the structural
requirements of subparts C and D of this part, it does apply to any
system on which compliance with any of those requirements is dependent.
Section 25.1309(b) does not apply to the flight control jam conditions
addressed by Sec. 25.671(c)(3); single failures in the brake system
addressed by Sec. 25.735(b)(1); the failure conditions addressed by
Sec. Sec. 25.810(a)(1)(v) and 25.812; uncontained engine rotor
failure, engine case rupture, or engine case burn-through failures
addressed by Sec. Sec. 25.903(d)(1) and 25.1193 and part 33 of this
chapter; and propeller debris release failures addressed by Sec.
25.905(d) and part 35 of this chapter.
(a) The airplane's equipment and systems must be designed and
installed so that:
(1) The equipment and systems required for type certification or by
operating rules, or whose improper functioning would reduce safety,
perform as intended under the airplane operating and environmental
conditions; and
(2) Other equipment and systems, functioning normally or
abnormally, do not adversely affect the safety of the airplane or its
occupants or the proper functioning of the equipment and systems
addressed by paragraph (a)(1) of this section.
(b) The airplane systems and associated components, evaluated
separately and in relation to other systems, must be designed and
installed so that they meet all of the following requirements:
(1) Each catastrophic failure condition--
(i) Must be extremely improbable; and
(ii) Must not result from a single failure.
(2) Each hazardous failure condition must be extremely remote.
(3) Each major failure condition must be remote.
(4) Each significant latent failure must be eliminated as far as
practical, or, if not practical to eliminate, the latency of the
significant latent failure must be minimized. However, the requirements
of the previous sentence do not apply if the associated system meets
the requirements of paragraphs (b)(1) and (b)(2) of this section,
assuming the significant latent failure has occurred.
(5) For each catastrophic failure condition that results from two
failures, either of which could be latent for more than one flight, the
applicant must show that--
(i) It is impractical to provide additional fault tolerance; and
(ii) Given the occurrence of any single latent failure, the
residual average probability of the catastrophic failure condition due
to all subsequent active failures is remote; and
(iii) The sum of the probabilities of the latent failures that are
combined with each active failure does not exceed 1/1000.
(c) The airplane and systems must provide information concerning
unsafe system operating conditions to the flightcrew to enable them to
take appropriate corrective action in a timely manner. Systems and
controls, including information, indications, and annunciations, must
be designed to minimize flightcrew errors that could create additional
hazards.
(d) Reserved.
(e) The applicant must establish certification maintenance
requirements as necessary to prevent the development of the failure
conditions described in paragraph (b) of this section. These
requirements must be included in the Airworthiness Limitations section
of the Instructions for Continued Airworthiness required by Sec.
25.1529.
10. Amend Sec. 25.1365 by revising paragraph (a) to read as follows:
Sec. 25.1365 Electrical appliances, motors, and transformers.
(a) An applicant must show that, in the event of a failure of the
electrical supply or control system, the design and installation of
domestic appliances meet the requirements of Sec. 25.1309(b) and (c).
Domestic appliances are items such as cooktops, ovens, coffee makers,
water heaters, refrigerators, and toilet flush systems that are placed
on the airplane to provide service amenities to passengers.
* * * * *
11. Revise section H25.4 of appendix H to part 25 by adding paragraph
(a)(6) to read as follows:
Appendix H to Part 25--Instructions for Continued Airworthiness
* * * * *
H25.4 Airworthiness Limitations section.
* * * * *
(a) * * *
(6) Each certification maintenance requirement established to
comply with any of the applicable provisions of part 25.
* * * * *
Issued under authority provided by 49 U.S.C. 106(f), 106(g),
44701(a), and 44704 in Washington, DC.
Michael Gordon Whitaker,
Administrator.
[FR Doc. 2024-18511 Filed 8-26-24; 8:45 am]