[Federal Register Volume 64, Number 174 (Thursday, September 9, 1999)]
[Notices]
[Pages 49043-49047]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-23394]
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
[Policy Statement Number ANM-99-1]
Improving Flightcrew Awareness During Autopilot Operation
AGENCY: Federal Aviation Administration, DOT.
ACTION: Notice of policy statement; request for comments.
-----------------------------------------------------------------------
SUMMARY: This document announces an FAA proposed general statement of
policy applicable to the type certification of transport category
airplanes. This document advises the public, in particular
manufacturers of transport category airplanes and automatic flight
control (autopilot) systems, that FAA, when certifying automatic pilot
installations, intends to evaluate various items that will improve the
flightcrew's awareness during autopilot operation. This notice is
necessary to advise the public of FAA policy and give all interested
persons an opportunity to present their views on the policy statement.
DATES: Comments must be received on or before October 12, 1999.
ADDRESSES: Send all comments on this policy statement to the individual
identified under FOR FURTHER INFORMATION CONTACT.
FOR FURTHER INFORMATION CONTACT: Dale Dunford, Federal Aviation
Administration, Transport Airplane Directorate, Transport Standards
Staff, Airplane & Flightcrew Interface Branch, ANM-111, 1601 Lind
Avenue SW., Renton, WA 98055-4056; telephone (425) 227-2239; fax (425)
227-1100; e-mail: Dale.D[email protected].
SUPPLEMENTARY INFORMATION:
Comments Invited
Interested persons are invited to comment on this policy statement
by submitting such written data, views, or
[[Page 49044]]
arguments as they may desire. Commenters should identify the Policy
Statement Number of this policy statement, and submit comments, in
duplicate, to the address specified above. The Transport Airplane
Directorate will consider all communications received on or before the
closing date for comments.
Background
Recent incidents and accidents that have occurred worldwide
involving pilot/autopilot interactions have emphasized to the FAA the
need to reexamine the current certification policy relative to
autopilot issues.
In 1991, the National Transportation Safety Board (NTSB) began an
investigation as a result of an incident involving a transport category
airplane that experienced an inflight upset. When the airplane was in
cruise at flight level 310, the flightcrew noted that the inertial
navigation system ``FAIL'' lights had illuminated. When the flightcrew
crosschecked the instrument panel, they determined that the airplane
was in a steep right-wing-down banking angle. The flight lost
approximately 10,000 feet of altitude and the airplane approached
supersonic speeds before recovery could be completed. The airplane
eventually made a successful landing, and there were no injuries.
Investigation of the incident revealed, among other things, that a
failure in the autopilot system could cause an airplane to slowly roll
into a banking attitude. The roll rate induced from such a failure of
the autopilot system may be barely perceptible to the flightcrew; it
also may be difficult to detect without external visual attitude
references or continuous close monitoring of the flight attitude
instruments.
The NTSB has advised the FAA of its concern that some autopilot
failures can result in changes in attitude at rates that may be
imperceptible to the flightcrews, and thus remain undetected until the
airplane reaches significant attitude deviations.
FAA Evaluation of Flight Crew/Flight Deck Automation Interfaces
In 1994, the FAA launched an in-depth study to evaluate all
flightcrew/flight deck automation interfaces of current generation
transport category airplanes. The FAA charted a Human Factor Team to
conduct the study. Team members included experts from the FAA, the
European Joint Airworthiness Authorities (JAA), and academia. The
objective of the study was to look beyond the label of ``flightcrew
error,'' and investigate the contributing factors from the perspective
of design, flightcrew training/qualifications, operations, and
regulatory processes. The team also was tasked to develop
recommendations to address any problems identified.
With regard to autopilot issues, the Team identified several
specific problematic issues, including:
Pilot/autopilot interactions that create hazardous out-of-
trim conditions;
Autopilots that can produce hazardous speed conditions and
may attempt maneuvers that would not normally be expected by a pilot;
and
Insufficient wording in the Airplane Flight Manual
regarding the capabilities and limitations of the autopilot.
Regulatory Initiatives
The FAA has acknowledged the autopilot issues raised by both the
NTSB and the Human Factor Team, and has taken steps to address them.
For example, the FAA has tasked a new Aviation Regulation Advisory
Committee (ARAC) working group to review and propose harmonized
revisions to the following three conditions:
14 CFR 25.1329 (``Automatic Pilot System''), which
contains FAA's standard for certifying automatic pilot systems on
transport category airplanes;
Advisory Circular (AC) 25-1329-1A (``Automatic Pilot
System Approval''), dated July 8, 1968, which describes an acceptable
means by which compliance with the automatic pilot installation
requirements of Sec. 25.1329 may be shown; and
14 CFR 25.1335 (``Flight Director Systems''), which
contains FAA's standards for certifying flight director systems on
transport category airplanes.
The work of this ARAC working group, known as the Flight Guidance
Systems Harmonization Working Group (FGSHWG), currently is in progress.
Current Certification Standards
In general, automatic pilot systems on transport category airplanes
traditionally have been certified in accordance with Sec. 25.1329 on
the basis that they are conveniences to reduce flightcrew workload, and
that they do not relieve the flightcrew of any responsibility for
assuring proper flight path management. As a result, the autopilot
evaluation criteria contained in AC 25.1329-1A, are primarily concerned
with the effects of autopilot failures on the airplane. The most recent
revision to AC 25-7A, ``Flight Test Guide for Certification of
Transport Category Airplanes,'' also defines some evaluation criteria
for determining whether the autopilot is performing its intended
function of relieving the flightcrew of some of their control
functions.
Accordingly, even when the flightcrew is not manually performing a
specific flight path control function, the FAA expected the flightcrew
to be ``aware'' when this function is not being performed safely, and
to take appropriate and timely corrective action. The installation
certification guidelines presented in AC 25.1329-1A, for example, state
``* * * at least one pilot (should) monitor the behavior of the
airplane and associated autopilot performance at all times.''
In certifying all autopilot systems to date, the FAA has accepted
the premise that the capability for this flightcrew ``awareness'' comes
from either:
Adherence to operational training and/or procedures,
A dedicated failure detection and annunciation feature on
the flight deck; or
Inherent aircraft operational cues (e.g., a perceived
change of aircraft attitude or change of engine noise).
As evidenced by recent relevant accident and incident cases, one
cannot assume that the flightcrew will reliably detect and accommodate
adverse autopilot behavior solely from inherent operational cues; other
cues are needed.
Inherent operational cues can be insufficient because:
1. During normal autopilot operations, the flightcrew may not be
able to detect operational cues related to significant changes in
aerodynamic characteristics, such as drag and controllability, as
effectively as during manual operation. One specific example of this is
the change of control response or ``feel'' during low speed operations
as ice accumulates on the airplane surfaces, gradually and
imperceptibly reducing control authority. This condition can progress,
intangible to the flightcrew, until the autopilot exhausts its control
authority and automatically disengages. The flightcrew then is suddenly
required to take manual control of the airplane, which (1) is not in
proper trim, (2) is at a low margin-to-stall, and (3) has significantly
degraded aerodynamic performance.
2. As pointed out by the NTSB, and acknowledged by the FAA, some
autopilot failures can result in changes in attitude at rates that may
be imperceptible to the flightcrew, and thus remain undetected until
the airplane reaches significant attitude deviations.
Neither the certification standards nor the relevant advisory
material currently contain actions or detailed guidance to address
these types of scenarios. In light
[[Page 49045]]
of this, the FAA finds it necessary and appropriate to provide
additional guidelines for the provision of design features needed to
enable flightcrew control and awareness of the unintended changes of
speed and attitude during the operation of the autopilot system. This
information, presented here in the form of a general statement of
policy, clarifies, details, and formally states items that the FAA:
Assumes concerning the flightcrew's awareness capability;
Employs or accepts on an on-going basis in making
compliance findings relative to autopilot systems; and
Considers frequently in the development of a means to
prevent recurrences of the accident/incident scenarios described
previously, or to enable an appropriate and timely response to other
situations that could result in similar circumstances.
Effect of General Statement of Policy
Much of the information presented has been developed from service
experience garnered and flightcrew conventions practices throughout the
years since the guidance contained in AC 25.1329-1A was published in
1968. The FAA has assembled this information and is presenting it in
this general statement of policy as a set of ``guidelines'' that are
appropriate for use with Sec. 25.1329 for autopilot certification.
Additionally, as discussed previously, actions currently are
underway to revise the applicable airworthiness standards
(Sec. 25.1329) and associated advisory material (AC 25.1329-1A) to more
fully address the autopilot system and other flight deck issues. Until
then, the guidance provided in this general statement of policy would
serve as a reference to assist in the certification of new autopilot
systems.
However, the general policy stated in this document is not intended
to establish a binding norm; it does not constitute a new regulation
and the FAA would not apply or rely upon it as a regulation. The FAA
Aircraft Certification Offices (ACO) that certify transport category
airplanes and/or the automatic pilot systems installed on them should
generally attempt to follow this policy, when appropriate. However, in
determining compliance with certification standards, each ACO has the
discretion not to apply these guidelines where it determines that they
are inappropriate. The ACO should coordinate with the Transport
Airplane Directorate, for purposes of standardization, whenever the ACO
determines that some deviation from this policy is appropriate.
Applicants should expect that the certificating officials would
consider this information when making findings of compliance relevant
to new certificate actions. Applicants also may consider the material
contained in this proposed policy statement as supplemental to that
currently contained in AC 25.1329-1A when developing a means of
compliance with the relevant certification standards.
Also, as with all advisory material, this statement of policy
identifies one means, but not the only means, of compliance.
Because this proposed general statement of policy only announces
what the FAA seeks to establish as policy, the FAA considers it to be
an issue for which public comment is appropriate. Therefore, the FAA
requests comment on the following proposed general statement of policy
relevant to certification standards for autopilot systems.
For the convenience of the reader, this proposed general statement
of policy has been formatted in outline form.
General Statement of Policy
1. General
1.a. Operational experience has shown that flightcrews may not have
adequate awareness of potentially hazardous aircraft states or adequate
capability to anticipate sudden, unexpected actions of the autopilot.
In this regard, the autopilot design should take into consideration
conditions that could create hazardous deviations in the flight path,
specifically:
Conditions that could make continued autopilot operation
unsafe, or
Conditions that could cause manual control of an upset
following autopilot disengagement to require exceptional piloting skill
or alertness. (Refer to 14 CFR Sec. 25.1329(f), ``Automatic Pilot
System''.)
Note that automatic disengagement may not be the safest autopilot
response for all cases, particularly with trim conditions that could
lead to a significant upset.
1.b. If automatic functions are provided that may be used with the
autopilot (e.g., automatic thrust control or yaw damper), and use of
the autopilot is permitted with any of these functions inoperative,
then the design of the autopilot should comply with the provisions of
this general policy statement and Advisory Circular 25.1329-1A,
``Automatic Pilot Systems Aproval'' with these functions operative and
inoperative.
1.c. The auto pilot should perform its intended function in all
configurations in which it may be used throughout all appropriate
maneuvers and environmental conditions, including turbulence and icing,
unless an appropriate operating limitations or statement is included in
the Airplane Flight Manual.
2. Definitions
2.a. The term autopilot is synonymous with the term automatic
pilot. The term autopilot includes the sensors, computers, power
supplies, servo-motors, servo-actuators, and associated wiring
necessary for its function. It includes any displays and controls
necessary for the pilot to manage and supervise the system.
2.b. The term autothrust is synonymous with the term autothrottle
or automatic throttle control.
2.c. The term hazardous flight path deviations includes deviations
from the intended flight path that may lead to a hazardous state,
aircraft attitude and attitude rates that will place the airplane in a
hazardous state, and extreme high and low energy conditions that place
the airplane in a hazardous state.
2.d. The term extemely improbable is defined as the average
probability per flight hour of the occurrence of an event (e.g., a
failure condition) which is on the order of 1 x 10-9 or
less. Catastrophic failure conditions must be extremely improbably
(ref. Sec. 25.1309(b)(1)).
2.e. The term warning is defined as an indication for a hazard
requiring immediate corrective action by the flightcrew.
2.f. The term caution is defined as an indication for an event
requiring immediate crew awarness and possibly requiring subsequent
timely corrective crew action.
3. Design, Installation, and Maintenance
3.a. The autopilot system design should not possess
characteristics, in normal operation or when failed, that would degrade
safety or lead to an unsafe condition, unless such failures can be
limited by design or the effects can be limited and mitigated by the
pilot response within a reasonable time. The allowable probability of
any failure should be based on its safety effects in accordance with
the requirement of Sec. 25.1309.
3.b. Adequate precautions should be taken in the design process,
and adequate procedures should be specified in the maintenance manual,
to prevent the incorrect installation, connection, or adjustment of
parts of the autopilot if such errors would create a hazard to the
airplane (e.g., torque clutches or limit switches with a range
[[Page 49046]]
of adjustment such that maladjustment could be hazardous).
3.c. The autopilot should be designed and installed so that the
tolerances demonstrated during certifcation tests can be maintained in
service.
4. System Response
4.a. The autopilot should not cause nuisance oscillations, undue
control activity, or sudden large attitude changes, especially, when
configuration or power changes are taking place. All maneuvers should
be accomplished smoothly, accurately, and in a manner similar to normal
pilot control.
4.b. The autopilot should not command a maneuver resulting in an
unsafe attitude such that the pilot, without using exceptional skill or
strength, cannot safely take over control of the airplane.
4.c. The engagement of the autopilot should be transient-free in
both steady and dynamic conditions.
4.d. Except for failure conditions that are shown to be extremely
improbable, the pilot should be able to disengage the autopilot at any
time without unacceptable out-of-trim forces. Forces on the manual
controls, that result from an out-of-trim condition occurring after
autopilot disconnect, are considered unacceptable if the sudden
application of these forces:
Require exceptional piloting skill, alertness, or
strength; and
Risk exceeding the airplane limit loads.
These forces should be less than the maximum one-hand force limits
specified in Sec. 25.143(c) (``Controllability and maneuverability,
General'').
4.e. Any automatic system disengagement of the autopilot should not
result in an unsafe attitude, attitude-rate, or energy condition such
that the pilot, without using exceptional skill or strength, cannot
safely take over control of the airplane.
4.f. Transients occurring during autopilot disengagement in normal
conditions, including operations at the boundaries of the normal
operational parameters, should not cause unacceptable airplane
responses. An airplane response is unacceptable if the flightcrew
cannot return the airplane to its normal flight condition under full
manual control:
Without exceeding the loads or speed limits appropriate to
the flight condition,
Without engaging in any dangerous maneuver during
recovery, and
Without forces greater than those given in Sec. 25.143(c).
5. Controls, Displays, and Alerting
5.a. Unless the probability of failure of the quick-disconnect
button on the control wheel, or equivalent, is shown to be extremely
improbable, an alternative means of disengagement, that is readily
accessible in flight, should be provided.
5.b. The controls, displays, and alerts should be designated to
minimize crew errors.
5.c. Mode, state, status, and malfunction indications should be
presented in a manner compatible with the procedures and assigned tasks
of the flightcrew. The indications should be grouped in a logical and
consistent manner and be visible from each pilot's station under all
expected lighting conditions.
5.d. Autopilot Disconnect Warning:
5.d.(1) Disengagement of the autopilot, whether intended by the
pilot or not, should trigger both an aural and visual warning during
any phase of flight, since immediate pilot action is required.
5.d.(2) The aural alert associated with the autopilot disconnect
should be unique and distinct. The aural alert should be cancelable by
the pilot pushing the quick-disconnect button on the control wheel or
stick. The aural alert should sound until canceled by the pilot, except
that a minimum cycle should sound. If the autopilot is disengaged by
means of the quick-disconnect button, then an additional push of this
button should be required to cancel the aural alert.
5.e. An aural alert and visual caution should be provided to the
flightcrew for conditions that:
Could make continued autopilot operation unsafe, or
Could cause the manual control of an upset following
autopilot disengagment to require exceptional piloting skill or
alertness.
5.e.(1) The flightcrew alert should be generated before the
conditions lead to an automatic disconnect, unsafe attitude, or stall
warning.
5.e.(2) Whenever possible, the alert should provide the flightcrew
enough time to be prepared with hands of the controls and to take
appropriate corrective action (e.g., change thrust, set trim,
disconnect autopilot).
5.e.(3) The thresholds for triggering the flightcrew alert should
be designed carefully, with consideration for undue distraction (e.g.,
nuisance alerts) and potential ``rippling'' of multiple alerts
triggered by the same or related conditions, which could mask or
override the sounding of this alert.
5.e.(4) Conditions that should be considered for the flightcrew
alert, and possibly automatic disengagement, include, but are not
limited to:
Limits of autopilot control authority;
Out-of-trim;
Excessive trim rates;
Airspeeds greater than those intended for autopilot
operations;
Low speeds, (less than 1.2 VS1 for the current
flap configuration, but greater than 1.07 VS); and
Bank and pitch angles beyond those intended for autopilot
operation.
5.f. The means provided to comply with Sec. 25.1329(h) (mode
indications when coupled with airborne navigation equipment) should
also give an appropriate indication when:
5.f.(1) The autopilot cannot engage the mode selected by the
flightcrew; and
5.f.(2) The system automatically makes a mode change or mode
disengagement that is considered operationally significant and,
perhaps, unexpected. (For example, a change from altitude capture to
altitude hold is significant, but expected; while a change from
vertical path mode to vertical speed mode is both operationally
significant and unexpected.)
5.g. If the autopilot has envelope limiting or protection
capability, the system should trigger an alert to indicate to the
pilots when envelope limiting or protection is invoked.
6. Engagement
If a flight director is available and active, the autopilot should
engage in the same models as the flight director and provide consistent
flight path guidance.
7. Airplane Flight Manual
Operating procedures for use with the autopilot should be
established (see Sec. 25.1585 (``Operating Procedures'')) and
documented. In this regard, the Airplane Flight Manual (AFM) should:
7.a. Identify conditions under which the autopilot will or will not
engage, will disengage, or will revert to another mode. These
conditions should include, but not be limited to:
7.a.(1) engagement above and below design speeds,
7.a.(2) engagement in a specific mode versus speed,
7.a.(3) engagement in a specific configuration versus speed,
7.a.(4) engagement in a specific configuration versus speed,
7.a.(5) engagement asymmetric configuration,
7.a.(6) engagement with asymmetric thrust,
7.a.(7) disengagement due to excessive low and high energy
conditions, and
[[Page 49047]]
7.a.(8) disengagement due to forces applied to the control wheel or
stick by the pilot.
7.b. Define the circumstances in which the autopilot should be
engaged, disengaged, or used in a mode with greater or lesser
authority.
7.c. Identify appropriate combinations of autopilot and manual/
autothrust usage.
7.d Identify inappropriate combinations of autopilot and manual/
autothrust usage.
7.e. Define the characteristics and principles of the autopilot
design that have operational safety considerations.
7.f. Identify all prohibitions in the use of the autopilot
regarding:
7.f.(1) loss or degradation of equipment,
7.f.(2) specific phases of flight,
7.f.(3) specific environmental conditions (e.g., icing,
turbulence), and
7.f.(4) specific operational conditions (e.g., low or high speed,
extreme attitudes).
7.g. Identify all limitations in the use of the autopilot
regarding:
7.g.(1) loss or degradation of equipment,
7.f.(2) specific phases of flight,
7.f.(3) specific environmental conditions (e.g., icing,
turbulence), and
7.f.(4) specific operational conditions (e.g., low or high speed,
extreme attitudes), and
7.g.(5) unique indications of limiting conditions (e.g., unusual
lateral trim or a ``RETRIM ROLL'' message due to icing conditions).
Conclusion
As discussed previously, the FAA intends to update 14 CFR 25.1329
and associated Advisory Circular (AC) 25.1329-1A to more fully address
the autopilot issues found in this proposed general statement of policy
and others. Until then, this general statement of policy, when
finalized, will serve as a reference to supplement Sec. 25.1329, and
for use in the certification of new autopilot systems. Please inform
the appropriate flight controls and systems designated engineering
representatives (DER) of this proposed general statement of policy.
Issued in Renton, Washington, on August 30, 1999.
Dorenda D. Baker,
Acting Manager, Transport Airplane Directorate, Aircraft Certification
Service.
[FR Doc. 99-23394 Filed 9-8-99; 8:45 am]
BILLING CODE 4910-13-M