[Federal Register Volume 78, Number 122 (Tuesday, June 25, 2013)]
[Rules and Regulations]
[Pages 37958-37962]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-13841]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Part 23
[Docket No. FAA-2013-0493; Special Conditions No. 23-260-SC]
Special Conditions: Cessna Aircraft Company, Model J182T;
Electronic Engine Control System Installation
AGENCY: Federal Aviation Administration (FAA), DOT.
ACTION: Final special conditions; request for comments.
-----------------------------------------------------------------------
SUMMARY: These special conditions are issued for the Cessna Aircraft
Company (Cessna) Model J182T airplane. This airplane will have a novel
or unusual design feature(s) associated with the installation of an
electronic engine control. The applicable airworthiness regulations do
not contain adequate or appropriate safety standards for this design
feature. These special conditions contain the additional safety
standards that the Administrator considers necessary to establish a
level of safety equivalent to that established by the existing
airworthiness standards.
DATES: The effective date of these special conditions is June 25, 2013.
We must receive your comments by July 25, 2013.
ADDRESSES: Send comments identified by docket number [FAA-2013-0493]
using any of the following methods:
- Federal eRegulations Portal: Go to http://www.regulations.gov and
follow the online instructions for sending your comments
electronically.
- Mail: Send comments to Docket Operations, M-30, U.S.
Department of Transportation (DOT), 1200 New Jersey Avenue SE., Room
W12-140, West Building Ground Floor, Washington, DC 20590-0001.
- Hand Delivery or Courier: Take comments to Docket
Operations in Room W12-140 of the West Building Ground Floor at 1200
New Jersey Avenue SE., Washington, DC, between 9 a.m. and 5 p.m.,
Monday through Friday, except Federal holidays.
- Fax: Fax comments to Docket Operations at 202-493-2251.
Privacy: The FAA will post all comments it receives, without
change, to http://www.regulations.gov, including any personal
information the commenter provides. Using the search function of the
docket Web site, anyone can find and read the electronic form of all
comments received into any FAA docket, including the name of the
individual sending the comment (or signing the comment for an
association, business, labor union, etc.). DOT's complete Privacy Act
Statement can be found in the Federal Register published on April 11,
2000 (65 FR 19477-19478), as well as at http://DocketsInfo.dot.gov.
Docket: Background documents or comments received may be read at
http://www.regulations.gov at any time. Follow the online instructions
for accessing the docket or go to the Docket Operations in Room W12-140
of the West Building Ground Floor at 1200 New Jersey Avenue SE.,
Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday,
except Federal holidays.
FOR FURTHER INFORMATION CONTACT: Mr. Peter Rouse, Federal Aviation
Administration, Small Airplane Directorate, Aircraft Certification
Service, 901 Locust, Room 301, Kansas City, MO 64106; telephone (816)
329-4135; facsimile (816) 329-4090.
SUPPLEMENTARY INFORMATION: The FAA has determined that notice and
opportunity for prior public comment hereon are impracticable because
these procedures would significantly delay issuance of the design
approval and thus delivery of the affected aircraft. In addition, the
substance of these special conditions has been subject to the public
comment process in several prior instances with no substantive comments
received. The FAA therefore finds that good cause exists for making
these special conditions effective upon issuance.
Comments Invited
We invite interested people to take part in this rulemaking by
sending written comments, data, or views. The most helpful comments
reference a specific portion of the special conditions, explain the
reason for any recommended change, and include supporting data. We ask
that you send us two copies of written comments.
We will consider all comments we receive on or before the closing
date for comments. We will consider comments filed late if it is
possible to do so without incurring expense or delay. We may change
these special conditions based on the comments we receive.
Background
On April 2, 2012, Cessna Aircraft Company applied for an amendment
to Type Certificate No. 3A13 to include the new model J182T which will
incorporate the installation of the Societe de Motorisation
Aeronautiques (SMA) Engines, Inc. SR305-230E-C1 which is a four-stroke,
air cooled, diesel cycle engine that uses turbine (jet) fuel. The J182T
incorporates an engine controlled by an electronic engine
control (EEC), also known as a Full Authority Digital Engine Control
(FADEC). The EEC system performs critical functions throughout the
operational envelope such as the control of the fuel flow and ignition.
These functions and their impact on the engine are required by 14 CFR
parts 33 and 23. Additionally, the EEC systems have incorporated
functions that, while not required in either part 33 or part 23, have
potential failure(s) and malfunction(s) that may be catastrophic or
unacceptably degrade the airplane level of safety. Examples of the
additional functions include thrust management, engine parameter
indication, engine speed synchronization, engine torque equalization,
etc. Considerations for installation of EEC systems were not envisaged
and are not adequately addressed in part 23. Therefore, special
conditions are required to define the additional safety standards the
Administrator considers necessary to establish a level of safety
equivalent to the existing airworthiness standards. Cessna will use an
EEC instead of a traditional mechanical control system on the J182T
airplane. The J182T, which is a derivative of the T182T currently
approved under Type Certificate No. 3A13, is an aluminum, four place,
single engine airplane with a cantilever high wing, with the SMA
SR305-230E-C1 diesel cycle engine and equipped with an electronic engine
control.
The EEC is part 33 certified as part of the engine, and the
certification requirements for engine control systems are driven by
part 33 requirements. The guidance for the part 33 EEC certification
requirement is contained in two advisory circulars: AC 33.28-1 and AC
33.28-2. The EEC certification, as part of the engine, addresses those
aspects of the engine specifically addressed by part 33 and is not
intended to address part 23 installation requirements. However, the
guidance does highlight some of the installation aspects that the
engine applicant should consider during engine certification. The
installation of an engine with an EEC system requires evaluation of
environmental effects and possible effects on or by other airplane
systems, including the part 23 installation aspects of the EEC
functions. Examples include the indirect effects of lightning, radio
interference with other airplane electronic systems, and shared engine
and airplane data and power sources.
The regulatory requirements in part 23 for evaluating the
installation of complex electronic systems are contained in Sec.
23.1309. However, when Sec. 23.1309 was developed, the requirements of
the rule excluded powerplant systems as part of the certificated engine
(reference Sec. 23.1309(f)(1), amendment No. 23-49). Although the
parts of the system that are not certificated with the engine could be
evaluated using the criteria of Sec. 23.1309, the analysis would be
incomplete because it would not include the effects of the aircraft
supplied power and data failures on the engine control system, and the
resulting effects on engine power/thrust. The integral nature of EEC
installations requires review of EEC functionality at the airplane level
because behavior acceptable for part 33 certification may not be
acceptable for part 23 certification.
The Small Airplane Directorate has applied a Special Condition for
over a decade that required all EEC installations to comply with the
requirements of Sec. Sec. 23.1309(a) through (e), amendment No. 23-49.
The rationale for applying Sec. 23.1309 was that it was an existing
rule that contained the best available requirements to apply to the
installation of a complex electronic system; in this case, an
electronic engine control with aircraft interfaces. Additionally,
Special Conditions for High Intensity Radiated Fields (HIRF) were also
applied prior to the codification of Sec. 23.1308.
There are several difficulties for propulsion systems directly
complying with the requirements of Sec. 23.1309. There are conflicts
between the guidance material for Sec. 23.1309 and propulsion system
capabilities and failure susceptibilities. The following figure is an
excerpt from AC 23.1309-1E showing the relationship among airplane
classes, probabilities, severity of failure conditions, and software
and complex hardware Development Assurance Level.
------------------------------------------------------------------------------------------------------------------------------------------------------
Classification of failure     No safety effect         Minor                    Major                    Hazardous                Catastrophic
conditions
------------------------------------------------------------------------------------------------------------------------------------------------------
Allowable qualitative         No probability           Probable                 Remote                   Extremely remote         Extremely improbable
probability                   requirement
------------------------------------------------------------------------------------------------------------------------------------------------------
Effect on Airplane            No effect on             Slight reduction in      Significant reduction    Large reduction in       Normally with hull
                              operational              functional               in functional            functional               loss.
                              capabilities or safety.  capabilities or          capabilities or          capabilities or
                                                       safety margins.          safety margins.          safety margins.
Effect on Occupants           Inconvenience for        Physical discomfort      Physical distress to     Serious or fatal         Multiple fatalities.
                              passengers.              for passengers.          passengers, possibly     injury to an
                                                                                including injuries.      occupant.
Effect on Flight Crew         No effect on flight      Slight increase in       Physical discomfort      Physical distress or     Fatal Injury or
                              crew.                    workload or use of       or a significant         excessive workload       incapacitation.
                                                       emergency procedures.    increase in workload.    impairs ability to
                                                                                                         perform tasks.
------------------------------------------------------------------------------------------------------------------------------------------------------
Classes of Airplanes          Allowable Quantitative Probabilities and Software (SW) and Complex Hardware (HW) Development Assurance Levels (Note 2)
------------------------------------------------------------------------------------------------------------------------------------------------------
Class I (Typically SRE        No Probability or SW     <10^-3 Note 1            <10^-4 Notes 1 and 4     <10^-5 Note 4            <10^-6 Note 3
6,000 pounds or less).        and HW Development       P=D                      P=C, S=D.                P=C, S=D.                P=C, S=C.
                              Assurance Levels
                              Requirement.
Class II (Typically MRE,      No Probability or SW     <10^-3 Note 1            <10^-5 Notes 1 and 4     <10^-6 Note 4            <10^-7 Note 3
STE, or MTE 6,000 pounds      and HW Development       P=D                      P=C, S=D.                P=C, S=C.                P=C, S=C.
or less).                     Assurance Levels
                              Requirement.
Class III (Typically SRE,     No Probability or SW     <10^-3 Note 1            <10^-5 Notes 1 and 4     <10^-7 Note 4            <10^-8 Note 3
STE, MRE, and MTE greater     and HW Development       P=D                      P=C, S=D.                P=C, S=C.                P=B, S=C.
than 6,000 pounds).           Assurance Levels
                              Requirement.
Class IV (Typically           No Probability or SW     <10^-3 Note 1            <10^-5 Notes 1 and 4     <10^-7 Note 4            <10^-9 Note 3
Commuter Category).           and HW Development       P=D                      P=C, S=D.                P=B, S=C.                P=A, S=B.
                              Assurance Levels
                              Requirement.
------------------------------------------------------------------------------------------------------------------------------------------------------
Note 1: Numerical values indicate an order of probability range and are provided here as a reference.
Note 2: The letters of the alphabet denote the typical SW and HW Development Assurance Levels for Primary System (P) and Secondary System (S). For
example, HW or SW Development Assurance Level A on Primary System is noted by P=A.
Note 3: At airplane function level, no single failure will result in a Catastrophic Failure Condition.
Note 4: Secondary System (S) may not be required to meet probability goals. If installed, S should meet stated criteria.
Difference Between Part 23 and Part 33 Guidance, Loss of Thrust or
Power Control
There is a conflict between the EEC system loss-of-thrust-control
(LOTC), or loss-of-power control (LOPC), probability per hour
requirements given in part 33 guidance material and the failure rate
requirements associated with the hazard created by a total loss of
power/thrust as given in part 23 AC 23.1309-1E guidance. The part 33
requirements for engine control LOTC/LOPC probabilities are shown
below:
------------------------------------------------------------------------------------------------------------------------------
Engine type                   Average LOTC/LOPC events per million hours        Maximum LOTC/LOPC events per million hours
------------------------------------------------------------------------------------------------------------------------------
Turbine Engine                10 (1 x 10^-05 per hour)                          100 (1 x 10^-04 per hour)
Reciprocating Engine          45 (4.5 x 10^-05 per hour)                        450 (4.5 x 10^-04 per hour)
------------------------------------------------------------------------------------------------------------------------------
Note: See AC 33.28-1, AC 33.28-2 and ANE-1993-33.28TLD-R1 for further guidance.
The part 23 classification of the failure condition for LOTC/LOPC
event on a single engine airplane ranges from Hazardous to
Catastrophic. The classification of the failure condition for a single
engine LOTC/LOPC event on a multi-engine airplane ranges from Major to
Catastrophic. The classification of the failure condition for a multi-
engine LOTC/LOPC event on a multi-engine airplane is Catastrophic. From
the AC 23.1309-1E failure probability values, it is obvious that a
single engine airplane electronic engine control system will not be
able to meet the failure probabilities as shown in the guidance
material for Sec. 23.1309. As a result, applicants have
inappropriately declared a reduced hazard severity for a failure of the
electronic engine control system. This is not the intent of Sec.
23.1309. The greater hazard severity should be associated with lower
probabilities of failure, and higher probabilities of failure should
not artificially establish lower hazard severities. There is also a
conflict between the classification of the failure condition of an
electronic engine control system and the required test levels for the
effects of lightning and high intensity radiated fields (HIRF).
Testing to a level lower than required for a catastrophic failure
results in a lower level of safety than the mechanical system it
replaces. This is contrary to the intent of certification requirements.
Time Limited Dispatch
The advent of electronic engine controls also created the ability
to dispatch with certain allowable loss of functionality and/or
redundancy. This is known as Time Limited Dispatch (TLD). The TLD
allowable configurations must meet the specific risk LOTC/LOPC failure
probabilities. FAA Policy Statement, ANE-1993-33.28TLD-R1, defines the
full up and TLD allowable failure probabilities for turbine engines.
The ability to use TLD is a risk management endeavor that uses a
limited time between inspection/maintenance intervals to mitigate the
hazard. As such, the FAA has issued specific guidance for part 23
aircraft in addition to Policy Statement, ANE-1993-33.28TLD-R1, in
order to capture the necessary time limits between maintenance
intervals.
Additional Functions
The advent of electronic engine controls also led to incorporating
functions that, while not required by the CFRs, also introduce
potentially catastrophic failure(s) and malfunction(s). Consequently,
incorporation of these additional functions must be shown to retain
part 23 safety levels. These additional functions have included thrust
management, portions of engine indication otherwise provided as part of
the engine installation, engine speed synchronization, ignition
control, auto-feather, etc.
Part 25, unlike part 23, does not apply Sec. 25.1309 via special
condition to the electronic engine control installation. Section
25.1309 is applicable to the powerplant installations in general and as
a whole. The part 25 hazard classifications for LOTC/LOPC differ from
part 23 due to the required multi-engine configuration of part 25
aircraft. Additional applicable part 25 subpart E requirements are
those contained within Sec. 25.901(b)(2) and (c):
Sec. 25.901--Installation.
a. Rule Text.
(b) For each powerplant--
(2) The components of the installation must be constructed,
arranged, and installed so as to ensure their continued safe
operation between normal inspections or overhauls;
(c) For each powerplant and auxiliary power unit installation,
it must be established that no single failure or malfunction or
probable combination of failures will jeopardize the safe operation
of the airplane except that the failure of structural elements need
not be considered if the probability of such failure is extremely
remote.
The following are excerpts from guidance provided in FAA Policy
Statement, PS-ANM100-2002-00073:
Section 25.901--Installation.
b. Intent of Rule:
- Sec. 25.901(b)(2) is intended to require such
preventative maintenance as is necessary to ensure that components
of the powerplant installation do not cease safe functioning.
- Sec. 25.901(c) is intended to define, in general
terms, the foreseeable failures that each powerplant and auxiliary
power unit installation must be shown to safely accommodate.
(7) Sec. 25.901(c): Section 25.901(c) is intended to provide an
overall safety assessment of the powerplant installation. It is
intended to augment rather than replace other, more specific
applicable Part 25 design and performance standards for transport
category airplanes. When assessing the potential hazards to the
aircraft caused by the powerplant installation, the effects of an
engine case rupture, uncontained engine rotor failure, engine case
burnthrough, and propeller debris release are excluded from Sec.
25.901(c). The effects and rates of these failures are minimized by
compliance with Part 33 (``Airworthiness Standards: Aircraft
Engines''); Part 35 (``Airworthiness Standards: Propellers''); Sec.
25.903(d)(1) (``Engines''); Sec. 25.905(d) (``Propellers''); and
Sec. 25.1193 (``Cowling and nacelle skin''). Furthermore, the
effects of encountering environmental threats or other operating
conditions more severe than those for which the aircraft is
certified (such as volcanic ash or operation above placard speeds)
need not be considered in the Sec. 25.901(c) compliance process.
However, if a failure or malfunction can affect the subsequent
environmental qualification or other operational capability of the
installation, this effect should be accounted for in the Sec.
25.901(c) assessment.
(a) Compliance with Sec. 25.901(c) may be shown by a System Safety
Assessment (SSA) substantiated by appropriate testing and/or
comparable service experience. Such an assessment may range from a
simple report that offers descriptive details associated with a
failure condition, interprets test results, compares two similar
systems, or offers other qualitative information; to a detailed
failure analysis that may include estimated numerical probabilities.
The depth and scope of an acceptable SSA depends on:
- the complexity and criticality of the functions
performed by the system(s) under consideration,
- the severity of related failure conditions,
- the uniqueness of the design and extent of relevant
service experience,
- the number and complexity of the identified causal
failure scenarios, and
- the detectability of contributing failures.
(b) Historically, the use of a ``bottom-up single failure
analysis,'' such as a Failure Modes and Effects Analysis (FMEA), has
been a popular safety assessment method with many applicants.
Wherever the effects of a failure are found to be operationally
``latent,'' then the effects of the ``next worst'' failure are
assessed. In this approach, the ``probable combinations of
failures'' are assumed only to be a single latent failure plus ``the
next worst'' failure. When assessing the failure effects of a simple
mechanical, hydro-mechanical, or electrical system, where
independence from the effects of failures elsewhere in the aircraft
can be assumed, this can be an effective and relatively simple means
of assuring that the design is adequately ``fail-safe.'' However, as
the integration and diversity of functions and technologies in the
subject design increase, particularly when digital avionics are
involved, the resulting increases in complexity, interdependence,
and parts count make this ``latents-plus-one'' assumption about the
``probable combinations of failure'' questionable. Consequently, to
ensure that the design is ``fail-safe'' for a sufficient number of
co-existing failures, probability methods are typically necessary.
(d) In carrying out the SSA for the powerplant installation for
Sec. 25.901(c), the results of the engine (and propeller) failure
analyses (reference Sec. 33.28 and Sec. 33.75) should be used as
inputs for those powerplant failure effects that can have an impact
on the aircraft. However, the SSA undertaken in response to Part 33
and Part 35 may not address all the potential effects that an engine
and propeller as installed may have on the aircraft. For those
failure conditions covered by analysis under Part 33 and/or Part 35,
and for which the installation has no effect on the conclusions
derived from these analyses, no additional analyses will be required
to demonstrate compliance to Sec. 25.901(c).
There is language similar to Sec. 25.901(c) contained in Sec.
23.1141(e):
Sec. 23.1141--Powerplant controls: General.
(e) For turbine engine powered airplanes, no single failure or
malfunction, or probable combination thereof, in any powerplant
control system may cause the failure of any powerplant function
necessary for safety.
The requirements contained within Sec. 23.1141(e) were originally
intended for the mechanical control interfaces on turbine engines. The
rule was first promulgated at amendment 23-7, effective on September
14, 1969. The preamble justifying the rule change states:
This proposal would, in effect require that the need for system
redundancy, alternate devices, and duplication of functions be
determined in the design of turbine powerplant control systems.
The overall intent of the above cited rules is to provide a robust
and fault tolerant engine control installation that ensures that no
single failure or malfunction or probable combination of failures will
jeopardize the safe operation of the airplane.
Type Certification Basis
Under the provisions of Sec. 21.101, Cessna must show that the
model J182T meets the applicable provisions of the regulations
incorporated by reference in Type Certificate No. 3A13 or the
applicable regulations in effect on the date of application for the
change to the model T182T. The regulations incorporated by reference in
the type certificate are commonly referred to as the ``original type
certification basis.'' In addition, the J182T certification basis
includes special conditions and equivalent levels of safety.
If the Administrator finds that the applicable airworthiness
regulations (i.e., 14 CFR part 23) do not contain adequate or
appropriate safety standards for the J182T because of a novel or
unusual design feature, special conditions are prescribed under the
provisions of Sec. 21.16.
In addition to the applicable airworthiness regulations and special
conditions, the J182T must comply with the fuel vent and exhaust
emission requirements of 14 CFR part 34 and the noise certification
requirements of 14 CFR part 36.
The FAA issues special conditions, as defined in Sec. 11.19, under
Sec. 11.38 and they become part of the type certification basis under
Sec. 21.101.
Special conditions are initially applicable to the model for which
they are issued. Should the type certificate for that model be amended
later to include any other model that incorporates the same novel or
unusual design feature, or should any other model already included on
the same type certificate be modified to incorporate the same novel or
unusual design feature, the special conditions would also apply to the
other model.
Novel or Unusual Design Features
The J182T will incorporate the following novel or unusual design
features: Electronic engine control system.
Discussion
These special conditions address the certification requirements for
the installation of Electronic Engine Control (EEC) systems on part 23
airplanes. As described in the background section, the advisory
circular and policy guidance between part 33 and part 23 contains
differences that can lead to conflicting certification requirements. As
such, these special conditions are necessary in order to provide a
reasonable means of compliance that removes the conflicts between part
33 and part 23. The intent of these special conditions is to provide a
robust and fault tolerant electronic engine control installation that
ensures no single failure or malfunction or probable combination of
failures will jeopardize the safe operation of the airplane.
Applicability
As discussed above, these special conditions are applicable to the
model J182T. Should Cessna apply at a later date for a change to the
type certificate to include another model incorporating the same novel
or unusual design feature, the special conditions would apply to that
model as well.
Conclusion
This action affects only certain novel or unusual design features
on one model of airplane. It is not a rule of general applicability and
affects only the applicant who applied to the FAA for approval of these
features on the airplane.
The substance of these special conditions has been subjected to the
notice and comment period in several prior instances and has been
derived without substantive change from those previously issued. It is
unlikely that prior public comment would result in a significant change
from the substance contained herein. Therefore, because a delay would
significantly affect the certification of the airplane, which is
imminent, the FAA has determined that prior public notice and comment
are unnecessary and impracticable, and good cause exists for adopting
these special conditions upon issuance. The FAA is requesting comments
to allow interested persons to submit views that may not have been
submitted in response to the prior opportunities for comment described
above.
List of Subjects in 14 CFR Part 23
Aircraft, Aviation safety, Signs and symbols.
Citation
The authority citation for these special conditions is as follows:
Authority: 49 U.S.C. 106(g), 40113 and 44701; 14 CFR 21.16 and
21.101; and 14 CFR 11.38 and 11.19.
The Special Conditions
Accordingly, pursuant to the authority delegated to me by the
Administrator, the following special conditions are issued as part of
the type certification basis for Cessna Model J182T airplanes.
1. Electronic Engine Control
a. For electronic engine control system installations, it must be
established that no single failure or malfunction or probable
combinations of failures of Electronic Engine Control (EEC) system
components will have an effect on the system, as installed in the
airplane, that causes the loss-of-thrust-control (LOTC), or loss-of-
power-control (LOPC) probability of the system to exceed those allowed
in part 33 certification.
b. Electronic engine control system installations must be evaluated
for environmental and atmospheric conditions, including lightning. The
EEC system lightning and High-Intensity Radiated Fields (HIRF) effects
that result in LOTC/LOPC must be shown to comply with the HIRF and
lightning requirements appropriate for catastrophic failure conditions.
c. The components of the installation must be constructed,
arranged, and installed so as to ensure their continued safe operation
between normal inspections or overhauls.
d. Functions incorporated into any electronic engine control that
make it part of any equipment, systems or installation whose functions
are beyond that of basic engine control, and which may also introduce
system failures and malfunctions, are not exempt from Sec. 23.1309 and
must be shown to meet part 23 levels of safety as derived from Sec.
23.1309. Part 33 certification data, if applicable, may be used to show
compliance with any part 23 requirements. If part 33 data is to be used
to substantiate compliance with part 23 requirements, then the part 23
applicant must be able to provide this data for their showing of
compliance.
Note: The term ``probable'' in the context of ``probable
combination of failures'' does not have the same meaning as in AC
23.1309-1E. The term ``probable'' in ``probable combination of
failures'' means ``foreseeable,'' or (in AC 23.1309-1E terms), ``not
extremely improbable.''
Issued in Kansas City, Missouri on May 29, 2013.
Earl Lawrence,
Manager, Small Airplane Directorate, Aircraft Certification Service.
[FR Doc. 2013-13841 Filed 6-24-13; 8:45 am]