[Federal Register Volume 76, Number 173 (Wednesday, September 7, 2011)]
[Proposed Rules]
[Pages 55293-55296]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-22890]



[[Page 55293]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Part 23

[Docket No. CE313; Notice No. 23-10-03-SC]


Special Conditions: Diamond Aircraft Industries, Model DA-40NG; 
Electronic Engine Control (EEC) System

AGENCY: Federal Aviation Administration (FAA), DOT.

ACTION: Notice of proposed special conditions.

-----------------------------------------------------------------------

SUMMARY: This notice proposes special conditions for the Diamond 
Aircraft Industries (DAI), model DA-40NG airplane. This airplane will 
have a novel or unusual design feature(s) associated with an electronic 
engine control (EEC), also known as a Full Authority Digital Engine 
Control (FADEC). The applicable airworthiness regulations do not 
contain adequate or appropriate safety standards for this design 
feature. These proposed special conditions contain the additional 
safety standards that the Administrator considers necessary to 
establish a level of safety equivalent to that established by the 
existing airworthiness standards.

DATES: Comments must be received on or before October 7, 2011.

ADDRESSES: Comments on this proposal may be mailed in duplicate to: 
Federal Aviation Administration, Regional Counsel, ACE-7, Attention: 
Rules Docket, Docket No. CE313, 901 Locust, Room 506, Kansas City, 
Missouri 64106, or delivered in duplicate to the Regional Counsel at 
the above address. Comments must be marked: CE313. Comments may be 
inspected in the Rules Docket weekdays, except Federal holidays, 
between 7:30 a.m. and 4 p.m.

FOR FURTHER INFORMATION CONTACT: Pete Rouse, Federal Aviation 
Administration, Aircraft Certification Service, Small Airplane 
Directorate, ACE-111, 901 Locust, Kansas City, Missouri, 816-329-4135, 
fax 816-329-4090.

SUPPLEMENTARY INFORMATION:

Comments Invited

    Interested persons are invited to participate in the making of 
these proposed special conditions by submitting such written data, 
views, or arguments as they may desire. Communications should identify 
the regulatory docket or notice number and be submitted in duplicate to 
the address specified above. All communications received on or before 
the closing date for comments will be considered by the Administrator. 
The proposals described in this notice may be changed in light of the 
comments received. All comments received will be available in the Rules 
Docket for examination by interested persons, both before and after the 
closing date for comments. A report summarizing each substantive public 
contact with FAA personnel concerning this rulemaking will be filed in 
the docket. Persons wishing the FAA to acknowledge receipt of their 
comments submitted in response to this notice must include with those 
comments a self-addressed, stamped postcard on which the following 
statement is made: ``Comments to Docket No. CE313.'' The postcard will 
be date stamped and returned to the commenter.

Background

    On May 11, 2010 Diamond Aircraft Industry GmbH applied for an 
amendment to Type Certificate No. A47CE to include the new model DA-
40NG with the Austro Engine GmbH model E4 ADE. The model DA-40NG, which 
is a derivative of the model DA-40 currently approved under Type 
Certificate No. A47CE, is a fully composite, four place, single-engine 
airplane with a cantilever low wing, T-tail airplane with the Austro 
Engine GmbH model E4 diesel engine and an increased maximum takeoff 
gross weight from 1150 kilograms (kg) to 1280 kg (2535 pounds (lbs) to 
2816 lbs).
    DAI will use an EEC instead of a traditional mechanical control 
system on the model DA-40NG airplane. The EEC is certified as part of 
the engine design certification, and the certification requirements for 
engine control systems are driven by 14 CFR part 33 certification 
requirements. The guidance for the part 33 EEC certification 
requirement is contained in two advisory circulars: Advisory Circular 
(AC) 33.28-1 and AC 33.28-2. The EEC certification, as part of the 
engine, addresses those aspects of the engine specifically addressed by 
part 33 and is not intended to address 14 CFR part 23 installation 
requirements. However, the guidance does highlight some of the aspects 
of installation that the engine applicant should consider during engine 
certification. The installation of an engine with an EEC system 
requires evaluation of environmental effects and possible effects on or 
by other airplane systems, including the part 23 installation aspects 
of the EEC functions. For example, the indirect effects of lightning, 
radio interference with other airplane electronic systems, and shared 
engine and airplane data and power sources.
    The regulatory requirements in part 23 for evaluating the 
installation of complex electronic systems are contained in Sec.  
23.1309. However, when Sec.  23.1309 was developed, the requirements of 
the rule were specifically excluded from applying to powerplant systems 
provided as part of the engine (reference Sec.  23.1309(f)(1)). 
Although the parts of the system that are not certificated with the 
engine could be evaluated using the criteria of Sec.  23.1309, the 
analysis would not be useful and not be complete because it would not 
include the effects of the aircraft supplied power and data failures on 
the engine control system, and the resulting effects on engine power/
thrust. The integral nature of EEC installations require review of EEC 
functionality at the airplane level, as behavior acceptable for part 33 
certification may not be acceptable for part 23 certification.
    For over a decade, the Small Airplane Directorate has applied a 
special condition that required all EEC installations to comply with 
the requirements of Sec.  23.1309(a) through (e). The rationale for 
applying Sec.  23.1309 was that it was an existing rule that contained 
the best available requirements to apply to the installation of a 
complex electronic system; in this case, an EEC with aircraft 
interfaces. Additionally, special conditions for High Intensity 
Radiated Fields (HIRF) were also applied prior to the codification of 
Sec.  23.1308.
    There are several difficulties for propulsion systems directly 
complying with the requirements of Sec.  23.1309. There are conflicts 
between the guidance material for Sec.  23.1309 and propulsion system 
capabilities and failure susceptibilities. The following figure is an 
excerpt from AC 23.1309-1D.

[[Page 55294]]



--------------------------------------------------------------------------------------------------------------------------------------------------------
     Classification of failure          No safety effect              Minor                  Major                Hazardous             Catastrophic
             conditions             --------------------------------------------------------------------------------------------------------------------
------------------------------------     No probability
Allowable  qualitative  probability        requirement              Probable                 Remote            Extremely remote     Extremely improbable
--------------------------------------------------------------------------------------------------------------------------------------------------------
Effect on Airplane.................  No effect on            Slight reduction in     Significant reduction  Large reduction in     Normally with hull
                                      operational             functional              in functional          functional             loss.
                                      capabilities or         capabilities or         capabilities or        capabilities or
                                      safety.                 safety margins.         safety margins.        safety margins.
Effect on Occupants................  Inconvenience for       Physical discomfort     Physical distress to   Serious or fatal       Multiple fatalities.
                                      passengers.             for passengers.         passengers, possibly   injury to an
                                                                                      including injuries.    occupant.
Effect on Flight Crew..............  No effect on flight     Slight increase in      Physical discomfort    Physical distress or   Fatal injury or
                                      crew.                   workload or use of      or a significant       excessive workload     incapacitation.
                                                              emergency procedures.   increase in workload.  impairs ability to
                                                                                                             perform tasks.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Classes of                           Allowable Quantitative Probabilities and Software (SW) and Complex Hardware (HW) DALs (Note 2).
airplanes:
--------------------------------------------------------------------------------------------------------------------------------------------------------
Class I............................  No Probability or SW &  <10-3.................  <10-4................  <10-5................  <10-6
(Typically SRE under 6,000 lbs.)...   HW DALs Requirement.   Note 1 & 4............  Notes 1 & 4..........  Notes 4..............  Note 3
                                                             P=D, S=D..............  P=C, S=D.............  P=C, S=D.............  P=C, S=C.
                                                                                     P=D, S=D (Note 5)....  P=D, S=D (Note 5)....
Class II...........................  No Probability or SW &  <10-3.................  <10-5................  <10-6................  <10-7
(Typically MRE, STE, or MTE under     HW DALs Requirement.   Note 1 & 4............  Notes 1 & 4..........  Notes 4..............  Note 3
 6000 lbs.).                                                 P=D, S=D..............  P=C, S=D.............  P=C, S=C.............  P=C, S=C.
                                                                                     P=D, S=D (Note 5)....  P=D, S=D (Note 5)....
Class III..........................  No Probability or SW &  <10-3.................  <10-5................  <10-7................  <10-8
(Typically SRE, STE, MRE, & MTE       HW DALs Requirement.   Note 1 & 4............  Notes 1 & 4..........  Notes 4..............  Note 3.
 equal or over 6000 lbs.).                                   P=D, S=D..............  P=C, S=D.............  P=C, S=C.............  P=B, S=C.
Class IV...........................  No Probability or SW &  <10-3.................  <10-5................  <10-7................  <10-9
(Typically Commuter Category)......   HW DALs Requirement.   Note 1 & 4............  Notes 1 & 4..........  Notes 4..............  Note 3
                                                             P=D, S=D..............  P=C, S=D.............  P=B, S=C.............  P=A, S=B.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Note 1: Numerical values indicate an order of probability range and are provided here as a reference. The applicant is usually not required to perform a
  quantitative analysis for minor and major failure conditions. See figure 3.
Note 2: The alphabets denote the typical SW and HW DALs for most primary system (P) and secondary system (S). For example, HW or SW DALs Level A on
  primary system is noted by P=A. See paragraphs 13 & 21 for more guidance.
Note 3: At airplane function level, no single failure will result in a catastrophic failure condition.
Note 4: Secondary system (S) may not be required to meet probability goals. If installed, S should meet stated criteria.
Note 5: A reduction of DALs applies only for navigation, communication, and surveillance systems if an altitude encoding altimeter transponder is
  installed and it provides the appropriate mitigations. See paragraphs 13 & 21 for more information.

    There is a conflict between the EEC system loss-of-thrust-control 
(LOTC), or loss-of-power-control (LOPC), probability per hour 
requirements given in part 33 guidance material and the failure rate 
requirements associated with the hazard created by a total loss of 
power/thrust as given in part 23 AC 23.1309-1D guidance. The part 33 
requirements for engine control LOTC/LOPC probabilities are shown 
below:

----------------------------------------------------------------------------------------------------------------
                                        Average LOTC/LOPC  events
             Engine type                    per million hours        Maximum LOTC/LOPC  events per million hours
----------------------------------------------------------------------------------------------------------------
Turbine Engine......................  10 (1 x 10-05 per hour).....  100 (1 x 10-04 per hour).
Reciprocating Engine................  45 (4.5 x 10-05 per hour)...  450 (4.5 x 10-04 per hour).
----------------------------------------------------------------------------------------------------------------


    Note: See AC 33.28-1, AC 33.28-2 and ANE-1993-33.28TLD-R1 for 
further guidance.

    The classification of the failure condition for LOTC/LOPC event on 
a single engine airplane ranges from Hazardous to Catastrophic. The 
classification of the failure condition for a single engine LOTC/LOPC 
event on a multi-engine airplane ranges from Major to Catastrophic. The 
classification of the failure condition for a multi-engine LOTC/LOPC 
event on a multi-engine airplane is Catastrophic. From the AC 23.1309-
1D failure probability values, it is obvious that a single engine 
airplane EEC system will not be able to meet the failure probabilities 
as shown in the guidance material for Sec.  23.1309. As a result, 
applicants have elected to declare a reduced hazard severity for a 
failure of the EEC system. This is not the intent of Sec.  23.1309. The 
greater hazard severity should be associated with lower probabilities 
of failure, and higher probabilities of failure should not establish 
the lower hazard severities. There is also a conflict between the 
classification of the failure condition for a failure of an EEC system 
and the required test levels for the effects of lightning and high 
intensity radiated frequency (HIRF). Testing to a level lower than 
required for a catastrophic failure results in a lower level of safety 
than the mechanical system it replaces.

[[Page 55295]]

This is contrary to the intent of certification requirements.
    The advent of EEC also created/established the ability to dispatch 
with certain allowable loss of functionality and/or redundancy. This is 
known as Time-Limited Dispatch (TLD). The TLD allowable configurations 
must meet the specific risk LOTC/LOPC failure probabilities. FAA policy 
statement, ANE-1993-33.28TLD-R1, defines the full up and TLD allowable 
failure probabilities for turbine engines. The ability to use TLD is a 
risk management endeavor that uses a limited time period between 
inspection/maintenance intervals to mitigate the hazard. As such, the 
FAA has issued specific guidance for part 23 airplanes in addition to 
policy statement, ANE-1993-33.28TLD-R1, in order to adequately capture 
the necessary time limits between maintenance intervals. A means of 
compliance issue paper giving specific guidance can be generated, if 
desired, for the applicant.
    The advent of EEC also led to incorporation of functions that, 
while not required by the CFRs, also introduce potentially catastrophic 
failure(s) and malfunction(s). Consequently, incorporation of these 
additional functions must be shown to retain part 23 levels of safety. 
These additional functions have included thrust management, portions of 
engine indication otherwise provided as part of the engine 
installation, engine speed synchronization, ignition control, auto-
feather, etc.
    The certification of an airplane to the standards of 14 CFR part 25 
does not require the application of Sec.  25.1309 via special condition 
to the EEC installation. In part 25, Sec.  25.1309 is applicable to the 
powerplant installations in general and as a whole. The part 25 
consequences differ from part 23 due to the required multi-engine 
configuration of part 25 airplanes. Additional applicable part 25, 
Subpart E requirements are those contained within Sec.  25.901(b)(2) 
and (c):

Section 25.901--Installation

    (b) For each powerplant--
    (2) The components of the installation must be constructed, 
arranged, and installed so as to ensure their continued safe operation 
between normal inspections or overhauls;
    (c) For each powerplant and auxiliary power unit installation, it 
must be established that no single failure or malfunction or probable 
combination of failures will jeopardize the safe operation of the 
airplane except that the failure of structural elements need not be 
considered if the probability of such failure is extremely remote.
    There is language similar to part 25, Sec.  25.901(c) contained in 
part 23, Sec.  23.1141(e):

Section 23.1141--Powerplant Controls: General

    (e) For turbine engine powered airplanes, no single failure or 
malfunction, or probable combination thereof, in any powerplant control 
system may cause the failure of any powerplant function necessary for 
safety.
    The requirements contained within Sec.  23.1141(e) were originally 
intended for the mechanical control interfaces on turbine engines. The 
rule was first promulgated at Amendment 23-7, effective on September 
14, 1969. The preamble justifying the rule change states:

    ``This proposal would, in effect require that the need for 
system redundancy, alternate devices, and duplication of functions 
be determined in the design of turbine powerplant control systems.''

    The overall intent of the above cited rules is to provide a robust 
and fault tolerant engine control installation that ensures that no 
single failure or malfunction or probable combination of failures will 
jeopardize the safe operation of the airplane.
    Given the unique requirements of an EEC installation, and the lack 
of specific regulatory requirements, a special condition will be 
applied to all EEC installations in part 23 airplanes. This special 
condition is not applicable to the part 33 engine certification 
requirements, and it specifically excludes any part 33 references. 
Compliance with this special condition may necessitate changes to the 
EEC, and may require additional part 33 compliance showings. In like 
manner, changes to the EEC at the part 33 level may require additional 
compliance showings to this special condition. The overall intent of 
this special condition is to leverage off of the part 33 compliance as 
much as possible and address the airplane level effects of an EEC 
installation.
    The EEC system includes all of the subsystems on the aircraft that 
interface with the EEC and provide aircraft data and electrical power. 
This special condition is applicable to and includes all functions of 
the EEC system that have an effect at the airplane level. An example of 
this is control of the turbine engine compressor variable geometry 
(VG): the VG function in itself is not an airplane function, but 
changes to the VG scheduling will require re-substantiating compliance 
to part 23 requirements, such as Sec.  23.939.
    The components that should be considered part of the EEC system are 
defined in Society of Automotive Engineers (SAE) document, Aerospace 
Recommended Practice (ARP) 5107B, Guidelines for Time-Limited-Dispatch 
(TLD) Analysis for Electronic Engine Control Systems, section 6.4. This 
guidance is intended for turbine engine installations; however, the 
intent is applicable to piston engine installations. A means of 
compliance issue paper giving specific guidance can be generated, if 
desired, for the applicant.
    Part 33 certification data, if applicable, may be used to show 
compliance with the requirements of part 23 installation requirements; 
however, compliance with the part 33 requirements does not constitute 
compliance with the requirements of part 23, nor automatically imply 
that the engine is installable on a part 23 airplane. The part 23 
applicant is required to show compliance in accordance with part 21. If 
part 33 data is to be used, then the part 23 applicant must be able to 
provide this data for their showing of compliance to the part 23 
requirements.

Type Certification Basis

    Under the provisions of Sec.  21.101, DAI must show that the model 
DA-40NG meets the applicable provisions of the regulations incorporated 
by reference in Type Certificate No. A47CE or the applicable 
regulations in effect on the date of application for the change to the 
model DA-40. The regulations incorporated by reference in the type 
certificate are commonly referred to as the ``original type 
certification basis.''
    If the Administrator finds that the applicable airworthiness 
regulations (i.e., 14 CFR part 23) do not contain adequate or 
appropriate safety standards for the model DA-40NG because of a novel 
or unusual design feature, special conditions are prescribed under the 
provisions of Sec.  21.16.
    In addition to the applicable airworthiness regulations and special 
conditions, the model DA-40NG must comply with the fuel vent and 
exhaust emission requirements of 14 CFR part 34 and the noise 
certification requirements of 14 CFR part 36.
    The FAA issues special conditions, as appropriate, as defined in 
Sec.  11.19, under Sec.  11.38, and they become part of the type 
certification basis under Sec.  21.101(b)(2).
    Special conditions are initially applicable to the model for which 
they are issued. Should the type certificate for that model be amended 
later to

[[Page 55296]]

include any other model that incorporates the same novel or unusual 
design feature, or should any other model already included on the same 
type certificate be modified to incorporate the same novel or unusual 
design feature, the special conditions would also apply to the other 
model under the provisions of Sec.  21.101(a)(1).

Novel or Unusual Design Features

    The model DA-40NG will incorporate the following novel or unusual 
design features:
    Electronic engine control system.

Applicability

    As discussed above, these special conditions are applicable to the 
model DA-40NG. Should DAI apply at a later date for a change to the 
type certificate to include another model incorporating the same novel 
or unusual design feature, the special conditions would apply to that 
model.

Conclusion

    This action affects only certain novel or unusual design features 
on one model of airplane. It is not a rule of general applicability, 
and it affects only the applicant who applied to the FAA for approval 
of these features on the airplane.

List of Subjects in 14 CFR Part 23

    Aircraft, Aviation safety, Signs and symbols.

Citation

    The authority citation for these special conditions is as follows:

    Authority:  49 U.S.C. 106(g), 40113 and 44701; 14 CFR 21.16 and 
21.17; and 14 CFR 11.38 and 11.19.

The Proposed Special Conditions

    Accordingly, pursuant to the authority delegated to me by the 
Administrator, the FAA proposes the following special conditions as 
part of the type certification basis for Diamond Aircraft Industry GmbH 
model DA-40NG with the installation of the Austro Engine GmbH model E4 
aircraft diesel engine.
1. Electronic Engine Control
    a. For electronic engine control system installations, it must be 
established that no single failure or malfunction or probable 
combinations of failures of Electronic Engine Control (EEC) system 
components will have an effect on the system, as installed in the 
airplane, that causes the loss-of-thrust-control (LOTC), or loss-of-
power-control (LOPC) probability of the system to exceed those allowed 
in part 33 certification.
    b. Electronic engine control system installations must be evaluated 
for environmental and atmospheric conditions, including lightning. The 
EEC system lightning and High-Intensity Radiated Fields (HIRF) effects 
that result in LOTC/LOPC should be considered catastrophic.
    c. The components of the installation must be constructed, 
arranged, and installed so as to ensure their continued safe operation 
between normal inspections or overhauls.
    d. Functions incorporated into any electronic engine control that 
make it part of any equipment, systems or installation whose functions 
are beyond that of basic engine control, and which may also introduce 
system failures and malfunctions, are not exempt from Sec.  23.1309 and 
must be shown to meet part 23 levels of safety as derived from Sec.  
23.1309. Part 33 certification data, if applicable, may be used to show 
compliance with any part 23 requirements. If part 33 data is to be used 
to substantiate compliance with part 23 requirements, then the part 23 
applicant must be able to provide this data for their showing of 
compliance.

    Note:  The term ``probable'' in the context of ``probable 
combination of failures'' does not have the same meaning as in AC 
23.1309-1D. The term ``probable'' in ``probable combination of 
failures'' means ``foreseeable,'' or (in AC 23.1309-1D terms), ``not 
extremely improbable.''


    Issued in Kansas City, Missouri, on August 31, 2011.
Earl Lawrence,
Manager, Small Airplane Directorate, Aircraft Certification Service.
[FR Doc. 2011-22890 Filed 9-6-11; 8:45 am]
BILLING CODE 4910-13-P