[Federal Register Volume 89, Number 166 (Tuesday, August 27, 2024)]
[Rules and Regulations]
[Pages 68706-68735]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-18511]
Part II
Department of Transportation
-----------------------------------------------------------------------
Federal Aviation Administration
-----------------------------------------------------------------------
14 CFR Part 25
System Safety Assessments; Final Rule
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Part 25
[Docket No.: FAA-2022-1544; Amdt. No. 25-152]
RIN 2120-AJ99
System Safety Assessments
AGENCY: Federal Aviation Administration (FAA), Department of
Transportation (DOT).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The FAA is amending certain airworthiness regulations to
standardize the criteria for conducting safety assessments for systems,
including flight controls and powerplants, installed on transport
category airplanes. With this action, the FAA seeks to reduce risk
associated with airplane accidents and incidents that have occurred in
service, and reduce risk associated with new technology in flight
control systems. The intended effect of this rulemaking is to improve
aviation safety by making system safety assessment (SSA) certification
requirements more comprehensive and consistent.
DATES: Effective September 26, 2024.
ADDRESSES: For information on where to obtain copies of rulemaking
documents and other information related to this final rule, see ``How
to Obtain Additional Information'' in the SUPPLEMENTARY INFORMATION
section of this document.
FOR FURTHER INFORMATION CONTACT: Todd Martin, Technical Policy Branch,
Policy and Standards Division, Aircraft Certification Service, Federal
Aviation Administration, 2200 South 216th Street, Des Moines, WA 98198;
telephone and fax (206) 231-3210; email [email protected].
SUPPLEMENTARY INFORMATION:
I. Authority for This Rulemaking
The FAA's authority to issue rules on aviation safety is found in
Title 49 of the United States Code. Subtitle I, Section 106 describes
the authority of the FAA Administrator. Subtitle VII, Aviation
Programs, describes in more detail the scope of the FAA's authority.
This rulemaking is promulgated under the authority described in
Subtitle VII, Part A, Subpart III, Section 44701, ``General
Requirements.'' Under that section, the FAA is charged with promoting
safe flight of civil aircraft in air commerce by prescribing
regulations and minimum standards for the design and performance of
aircraft that the Administrator finds necessary for safety in air
commerce. This regulation is within the scope of that authority. It
prescribes new safety standards for the design and operation of
transport category airplanes.
II. Acronyms Frequently Used in This Document
Table 1--Acronyms Frequently Used in This Document
------------------------------------------------------------------------
Acronym                       Definition
------------------------------------------------------------------------
AC........................... Advisory Circular.
AD........................... Airworthiness Directive.
AFM.......................... Airplane Flight Manual.
ALS.......................... Airworthiness Limitations section.
ARAC......................... Aviation Rulemaking Advisory Committee.
ASAWG........................ Airplane Level Safety Analysis Working Group.
CAST......................... Commercial Aviation Safety Team.
CMR.......................... Certification Maintenance Requirement.
CS-25........................ Certification Specifications for Large Aeroplanes (issued by EASA).
CSL+1........................ Catastrophic Single Latent Failure Plus One (a failure condition).
EASA......................... European Union Aviation Safety Agency.
ELOS......................... Equivalent Level of Safety.
EWIS......................... Electrical Wiring Interconnection System.
FCHWG........................ Flight Controls Harmonization Working Group.
FTHWG........................ Flight Test Harmonization Working Group.
ICA.......................... Instructions for Continued Airworthiness.
LDHWG........................ Loads and Dynamics Harmonization Working Group.
NTSB......................... National Transportation Safety Board.
PPIHWG....................... Powerplant Installation Harmonization Working Group.
SDAHWG....................... System Design and Analysis Harmonization Working Group.
SLF.......................... Significant Latent Failure.
SSA.......................... System Safety Assessment.
------------------------------------------------------------------------
Table of Contents
I. Authority for This Rulemaking
II. Acronyms Frequently Used in This Document
III. Overview of Final Rule
IV. Background
A. Statement of the Problem
B. Related Actions
C. NTSB Recommendations
D. Summary of the NPRM
E. General Overview of Comments
V. Discussion of Comments and the Final Rule
A. Section 25.4, Definitions
B. Section 25.302, Interaction of Systems and Structures
C. Section 25.629, Aeroelastic Stability Requirements
D. Section 25.671, Flight Control Systems
E. Section 25.901, Engine Installation
F. Section 25.933, Reversing Systems
G. Section 25.1301, Function and Installation
H. Section 25.1309, Equipment, Systems and Installations
I. Section 25.1365, Electrical Appliances, Motors, and
Transformers
J. Miscellaneous Comments
K. Advisory Material
VI. Regulatory Notices and Analyses
A. Regulatory Evaluation
B. Regulatory Flexibility Determination
C. International Trade Impact Assessment
D. Unfunded Mandates Assessment
E. Paperwork Reduction Act
F. International Compatibility
G. Environmental Analysis
VII. Executive Order Determinations
A. Executive Order 13132, Federalism
B. Executive Order 13175, Consultation and Coordination With
Indian Tribal Governments
C. Executive Order 13211, Regulations That Significantly Affect
Energy Supply, Distribution, or Use
D. Executive Order 13609, Promoting International Regulatory
Cooperation
VIII. Additional Information
A. Electronic Access and Filing
B. Small Business Regulatory Enforcement Fairness Act
III. Overview of Final Rule
The FAA is amending regulations in title 14, Code of Federal
Regulations (14 CFR) part 25 (Airworthiness Standards: Transport
Category Airplanes) related to the safety assessment \1\ of airplane
systems. The changes to part 25 affect applicants for type
certification and operators of transport category airplanes. Applicants
for type certification will be required to conduct their SSAs in
accordance with the revised regulations. Changes to the Instructions
for Continued Airworthiness (ICA) affect operators of newly certified
airplanes, although the impact on those operators is not significant.
---------------------------------------------------------------------------
\1\ A system safety assessment is a structured process intended
to systematically identify the risks pertinent to the design of
aircraft systems, and to show that the systems meet safety
requirements.
---------------------------------------------------------------------------
The FAA is revising and adding new safety standards to reduce the
likelihood of potentially catastrophic risks due to latent failures in
critical systems.
Because modern aircraft systems (for example, avionics and fly-by-wire
systems) are much more integrated than they were when the current
safety criteria in Sec. 25.1309 and other system safety assessment
rules were established in 1970,\2\ the new standards are more
consistent for all systems of the airplane, reducing the chance of a
hazard falling into a gap between the different regulatory requirements
for different systems.
---------------------------------------------------------------------------
\2\ 35 FR 5665 (Apr. 8, 1970).
---------------------------------------------------------------------------
Consistent criteria for conducting SSAs also provide
predictability for applicants by reducing the number of issue papers
and special conditions necessary for airplane certification
projects.\3\
---------------------------------------------------------------------------
\3\ As discussed in the preamble, special conditions are rules
of particular applicability that the FAA issues to address novel or
unusual design features. See 14 CFR 21.16.
---------------------------------------------------------------------------
Specifically, this final rule--
* Requires that applicants limit the likelihood of a
catastrophic failure condition that results from a combination of two
failures, either of which could be latent for more than one flight. See
Sec. 25.1309(b)(5).
* Revises safety assessment regulations to eliminate
ambiguity in, and provide consistency between, the safety assessments
that applicants must conduct for different types of airplane systems.
Section 25.1309 continues to contain the safety assessment criteria
applicable to most airplane systems. Section 25.901(c) (powerplant
installations) is amended to remove general system safety criteria.
Instead, the powerplant installations covered in this section are
required to comply with Sec. 25.1309 (system safety criteria). Section
25.933(a) (thrust reversing systems) allows compliance with Sec.
25.1309 as an option. Sections 25.671, 25.901, and 25.933 continue to
contain criteria specific to flight control systems, powerplant
installations, and thrust reversing systems, respectively, that are not
addressed by Sec. 25.1309.
* Requires applicants to assess and account for any effect
that the failure of a system could have on the structural performance
of the airplane. See Sec. 25.302.
* Defines the different types of failure of flight control
systems, including jams, and defines the criteria for safety assessment
of those types of failures. See Sec. 25.671.
* Requires applicants to include, in the Airworthiness
Limitations Section (ALS) of the airplane's ICA, necessary maintenance
tasks that applicants identify during their SSAs. See Sec. 25.1309(e).
* Removes the ``function properly when installed'' criterion
in Sec. 25.1301(a)(4) for installed equipment whose function is not
needed for safe operation of the airplane.
IV. Background
A. Statement of the Problem
This action is necessary because airplane accidents, incidents, and
service difficulties have occurred as a result of failures in airplane
systems. Some of these occurrences were caused, in part, by
insufficient design standards for controlling the risk of latent
failures, which are failures that are not detected or annunciated when
they occur. Current FAA regulations do not prevent the certification of
an airplane with a latent failure that, when combined with another
failure, could cause a hazardous or catastrophic accident.
Also, current regulations do not require establishment of mandatory
inspections for significant latent failures (SLFs) that may pose a risk
in maintaining the airworthiness of the airplane design. Such
inspections are currently undertaken as industry practice and may be
necessary to reduce exposure to these latent failures so airplanes
continue to meet safety standards while in service.
Additionally, current regulations do not adequately address new
technology in flight control systems and the effects these systems can
have on controllability and structural capability. These issues are
currently addressed by special conditions and equivalent level of
safety (ELOS) findings.
This action is also necessary to address flight control systems
whose failure can affect the loads imposed on the airplane structure.
Lastly, certain system safety requirements have not been
standardized across airplane systems. These regulations have specified
different safety assessment criteria for different systems, which can
lead to inconsistent standards across the airplane. Also, when systems
that traditionally have been separate become integrated using new
technology, applicants have expressed uncertainty regarding which
standard to apply.
The FAA is addressing these issues by revising the system safety
assessment requirements in part 25.
B. Related Actions
1. Aviation Rulemaking Advisory Committee (ARAC) Recommendations
Advances in flight controls technology, increased airplane system
integration, and certain incidents, accidents, and service difficulties
related to system failures prompted the FAA to task the ARAC with
developing recommendations for new or revised requirements and
compliance methods related to the safety assessment of airplane and
powerplant systems. The ARAC accepted tasks on various airplane systems
issues and assigned them to the Powerplant Installation Harmonization
Working Group (PPIHWG),\4\ Flight Controls Harmonization Working Group
(FCHWG),\5\ Loads and Dynamics Harmonization Working Group (LDHWG),\6\
and System Design and Analysis Harmonization Working Group (SDAHWG).\7\
The FAA also tasked the ARAC to make recommendations for harmonizing
the relevant part 25 rules with the corresponding European
certification specifications for large airplanes.\8\ The ARAC accepted
this task
and assigned it to the relevant working groups.
---------------------------------------------------------------------------
\4\ 57 FR 58844 (Dec. 11, 1992).
\5\ 63 FR 45554 (Aug. 26, 1998).
\6\ 59 FR 30081 (Jun. 10, 1994).
\7\ 61 FR 26246 (May 24, 1996).
\8\ As the FAA noted in the Federal Register in 1993: ``The FAA
announced at the Joint Aviation Authorities (JAA)-Federal Aviation
Administration (FAA) Harmonization Conference in Toronto, Ontario,
Canada, (June 2-5, 1992) that it would consolidate within the
Aviation Rulemaking Advisory Committee structure an ongoing
objective to ``harmonize'' the Joint Aviation Requirements (JAR) and
the Federal Aviation Regulations (FAR). Coincident with that
announcement, the FAA assigned to the ARAC those projects related to
JAR/FAR 25, 33 and 35 harmonization which were then in the process
of being coordinated between the JAA and the FAA.'' 58 FR 13819,
13820 (Mar. 15, 1993).
---------------------------------------------------------------------------
Although the working groups each addressed the subject of managing
latent failures in safety critical systems, their recommendations were
not consistent when defining the criteria for latent failures. After
reviewing the relevant regulations and the recommendations from the
working groups, the FAA, along with the European, Canadian, and
Brazilian civil aviation authorities, identified a need to standardize
SSA criteria.
Therefore, in 2006, the FAA tasked the ARAC, which assigned the
task to the Airplane-Level Safety Assessment Working Group (ASAWG),\9\
with creating consistent SSA criteria. The ASAWG completed its work in
May 2010 and recommended a set of consistent requirements that would
apply to all systems. Specific areas addressed in the recommendation
report include latent failures, aging and wear, Master Minimum
Equipment Lists, and flight and diversion time. The ASAWG recommended
that the general system safety criteria for all airplane systems be
governed by Sec. 25.1309, and recommended adjustments to the
regulations and advisory material addressed by the working groups
mentioned previously, to implement consistent system safety criteria.
All ARAC working group recommendation reports are available in the
docket for this final rule.
---------------------------------------------------------------------------
\9\ 71 FR 14284 (Mar. 21, 2006).
---------------------------------------------------------------------------
2. Harmonization With European Union Aviation Safety Agency (EASA)
Certification Standards
EASA certification standards for large airplanes (CS-25) prescribe
the airworthiness standards corresponding to 14 CFR part 25 for
transport category airplanes certified by the European Union.
Applicants for FAA type certification of transport category airplanes
may also seek EASA validation of the FAA's type certificate. Where part
25 and CS-25 differ, an applicant must meet both airworthiness
standards to obtain a U.S. type certificate and validation of the type
certificate by foreign authorities, or obtain exemptions, equivalent
level of safety findings or special conditions, or the foreign
authority's equivalent to those, as necessary to meet one standard in
lieu of the other. Where FAA and EASA can maintain harmonized
requirements, applicants for type certification benefit by having a
single set of requirements with which they must show compliance,
thereby reducing the cost and complexity of certification and ensuring
a consistent level of safety.
EASA incorporated the SDAHWG-recommended changes to CS/Sec. Sec.
25.1301 and 25.1309, and associated guidance, in its initial issuance
of CS-25 on October 17, 2003.\10\ EASA incorporated the criteria
regarding interaction of systems and structures recommended by the
LDHWG into its regulatory framework as CS 25.302 and appendix K of CS-25
at amendment 25/1 on December 12, 2005.\11\ EASA incorporated the
PPIHWG-recommended changes to CS/Sec. Sec. 25.901(c) and 25.933(a)(1),
and associated guidance, at amendment 25/1. EASA incorporated the
ASAWG-recommended regulatory and advisory material implementing
consistent SSA criteria, at amendment 25/24 to CS-25, on January 10,
2020.\12\ This final rule harmonizes FAA requirements with those of
EASA to the extent possible, with differences described in the section
entitled ``Discussion of Comments and the Final Rule.''
---------------------------------------------------------------------------
\10\ www.easa.europa.eu/en/downloads/1516/en.
\11\ www.easa.europa.eu/en/document-library/certification-specifications/cs-25-amendment-1.
\12\ www.easa.europa.eu/en/downloads/108354/en.
---------------------------------------------------------------------------
C. NTSB Recommendations
This final rule addresses National Transportation Safety Board
(NTSB) Safety Recommendations A-99-22, A-99-23,\13\ A-02-51,\14\ and
A-14-119.\15\
---------------------------------------------------------------------------
\13\ NTSB Safety Recommendations A-99-22 and A-99-23 are
available in the docket and at www.ntsb.gov/safety/safety-recs/recletters/A99_20_29.pdf.
\14\ NTSB Safety Recommendation A-02-51 is available in the
docket and at www.ntsb.gov/safety/safety-recs/recletters/A02_36_51.pdf.
\15\ NTSB Safety Recommendation A-14-119 is available in the
docket and at www.ntsb.gov/safety/safety-recs/recletters/A-14-113-127.pdf.
---------------------------------------------------------------------------
In Safety Recommendation A-99-22, the NTSB recommends that the FAA
ensure that future transport category airplanes provide a reliably
redundant rudder actuation system. In Safety Recommendation A-99-23,
the NTSB recommends that the FAA require type certificate applicants to
show that transport category airplanes are capable of continued safe
flight and landing after jamming of a flight control at any deflection
possible, up to and including its full deflection, unless the applicant
shows that such a jam is extremely improbable. The final rule addresses
these recommendations by revising Sec. 25.671(c).
In Safety Recommendation A-02-51, the NTSB recommends that the FAA
review and revise airplane certification regulations, and associated
guidance, applicable to the certification of transport category
airplanes, to ensure that applicants fully address wear-related
failures so that, to the maximum extent possible, such failures will
not be catastrophic. The requirement to include certification
maintenance requirements (CMRs) in the ALS responds to this safety
recommendation, as well as the ACs accompanying this final rule that
contain guidance on assessing wear-related failures as part of the SSA.
In Safety Recommendation A-14-119, the NTSB recommends that the FAA
provide its certification engineers with written guidance and training
to ensure that assumptions, data sources, and analytical techniques are
fully identified and justified in applicants' safety assessments for
designs incorporating new technology. Additionally, the NTSB recommends
that an appropriate level of conservatism be included in the analysis
or design, consistent with the intent of the draft guidance material
that the SDAHWG recommended. AC 25.1309-1B, accompanying this final
rule, contains the guidance.\16\
---------------------------------------------------------------------------
\16\ This advisory circular, and the other advisory circulars
that accompany this final rule, are in the docket.
---------------------------------------------------------------------------
D. Summary of the NPRM
The FAA issued an NPRM on December 8, 2022 (87 FR 75424), that
proposed amending certain airworthiness regulations. These regulations
concern safety assessments for systems, including flight controls and
powerplants, installed on transport category airplanes. The NPRM
explained how the proposed regulations would reduce risk associated
with airplane accidents and incidents that have occurred in service,
and reduce risk associated with new technology in flight control
systems. This action finalizes the proposal with changes made to
address comments.
E. General Overview of Comments
V. Discussion of Comments and the Final Rule
Harmonization
The NPRM explained that the FAA's proposed rule would harmonize
with the requirements of EASA to the extent possible, although there
were differences in the requirements and language of the FAA's proposed
regulations compared to EASA's corresponding regulations in CS-25.
Almost all organizational commenters requested the FAA revise the
proposed rule to harmonize more closely with EASA CS-25. These
commenters expressed concern that differences between the FAA's
proposal and
EASA's existing regulations would burden applicants requesting
validation of a type certificate issued by another civil aviation
authority because the applicants would have to meet two sets of
requirements and show multiple means of compliance for certification of
the same design. As discussed below, the FAA decided to address this
concern by increasing harmonization of its final rule with the
corresponding EASA CS-25 requirements.
The FAA acknowledges that there are some remaining differences
between the FAA's and EASA's regulations on this topic. The majority of
differences between the final rule and the corresponding CS-25
regulations are differences in wording or structure that were made to
satisfy FAA rulemaking constraints or improve the final rule language
due to requests from commenters. Although a few differences may be
significant standards differences,\17\ as subsequently explained, the
FAA does not expect these differences to increase the cost and
complexity of certification for applicants pursuing validation nor
result in a different level of safety between authorities.
---------------------------------------------------------------------------
\17\ Significant standards difference (SSD) refers to a
validating authority airworthiness standard that either differs
significantly from the certifying authority (CA) standard or has no
CA equivalent. Reference: Technical Implementation Procedures for
Airworthiness and Environmental Certification between the FAA and
EASA, Revision 7, dated October 19, 2023, in the docket.
---------------------------------------------------------------------------
In addition, the commenters addressed the draft ACs that
accompanied the NPRM. The FAA's responses to these comments can be
found at the Dynamic Regulatory System (drs.faa.gov), along with the
finalized ACs.
A. Section 25.4, Definitions
In the NPRM, the FAA proposed new Sec. 25.4 to define certain
terms that the FAA is using in these revised regulations for system
safety assessment of transport category airplanes.
1. Add Definitions
Boeing and GAMA/AIA requested the FAA add definitions of several
terms to Sec. 25.4, including ``continued safe flight and landing,''
``flightcrew,'' ``cabin crew,'' ``ground crew,'' ``maintenance
personnel,'' ``exposure time,'' ``safety requirements'' and ``candidate
CMR.'' GAMA/AIA requested the FAA explain why some terms, but not
others, were defined in proposed Sec. 25.4.
The FAA does not agree to add new terms to Sec. 25.4 in this final
rule. The FAA's intent in adding Sec. 25.4 is to define key terms that
are new to part 25 rule text and used in the regulations that are part
of this rulemaking (e.g., failure condition categories and
probabilities). AC 25.671-1, Control Systems--General, and
AC 25.1309-1B, System Design and Analysis, include additional definitions for
terms related to the requirements of Sec. Sec. 25.671 and 25.1309.
Boeing, GAMA/AIA, and Gulfstream suggested that the FAA add
definitions for terms commonly used throughout part 25 regulations
(e.g., ``impractical,'' ``essential'' and ``critical''). The FAA
declines to define additional terms used in part 25, because the FAA
does not intend Sec. 25.4 to include every term that is repeated in
part 25.
2. Remove Definitions
ANAC, Bombardier, and Garmin requested the FAA not adopt proposed
Sec. 25.4, Definitions. ANAC preferred that the FAA define these terms
in 14 CFR part 1, Definitions and Abbreviations, while Bombardier and
Garmin preferred that the FAA define these terms in guidance so that
they can be more easily changed as needed. Gulfstream also noted that
several terms that the FAA proposed to be included in Sec. 25.4 are
not extensively used in part 25 and should be relocated to
AC 25.1309-1B.
The FAA does not agree to omit new Sec. 25.4 from the final rule.
Section 25.4 is necessary to define key terms and concepts that are new
to part 25 rule text and part of this rulemaking. AC 25.1309-1B
provides further information on these terms.
Gulfstream requested that the FAA move ``hazardous failure
condition'' to AC 25.1309, unless the definition is applicable to
``hazardous'' across all regulations.
The FAA does not agree to move this definition to the AC. The
definition for ``hazardous failure condition'' in Sec. 25.4(b)(2) only
applies to the part 25 regulations in which that exact phrase is used,
and it does not apply to the terms ``hazard'' or ``hazardous,'' which
are used throughout part 25 in different contexts. The FAA's use of
``hazardous'' across other part 25 rules does not necessarily imply a
hazardous effect on the aircraft, flightcrew, or occupants. While not
relevant to the Gulfstream comment, the FAA notes a similar situation
exists with the term ``extremely remote.'' The Sec. 25.4(c)(3)
definition of ``extremely remote failure condition'' does not apply to
the term ``extremely remote'' as used in Sec. 25.933 or Sec. 25.937.
When those regulations were published, the term ``extremely remote''
meant ``extremely improbable,'' as used today.\18\
---------------------------------------------------------------------------
\18\ The use of the term ``extremely remote'' in Sec. Sec.
25.933 and 25.937 dates to the initial issue of 14 CFR in 1965.
Section 25.933 was based on Civil Air Regulation (CAR) 4b.407, which
was adopted at amendment 4b-01, May 17, 1954. Section 25.937 was
based on CAR 4b.408, which was adopted at amendment 4b-6, July 8,
1957. The term ``extremely remote'' also appeared in CAR 04.310 on
November 9, 1945. The FAA also stated in the Federal Register in
2001, ``The term `extremely improbable' (or its predecessor term,
`extremely remote') has been used in 14 CFR part 25 for many years.
The objective of this term has been to describe a condition (usually
a failure condition) that has a probability of occurrence so remote
that it is not anticipated to occur in service on any transport
category airplane.'' 66 FR 23086, 23108 (May 7, 2001).
---------------------------------------------------------------------------
3. Revise Definitions
TCCA commented that the proposed definitions of ``major failure
condition'' and ``hazardous failure condition'' do not include a pilot
compensation aspect and suggested changes to these definitions. TCCA
suggested adding ``(5) Considerable pilot compensation is required for
control'' to the definition of ``major failure condition'' and ``(4)
Intense pilot compensation is required to retain'' to the definition of
``hazardous failure condition'' in accordance with a pilot
task-oriented approach for evaluating airplane handling qualities. The FAA
does not agree to change the definitions as suggested. The FAA's
definitions of ``major failure condition'' and ``hazardous failure
condition'' already include the effects on the flightcrew and their
workload. Lastly, the definitions of ``major failure condition'' and
``hazardous failure condition'' specified in Sec. 25.4 are harmonized
with those specified in EASA AMC 25.1309. Changing those definitions
would disharmonize them with that AMC.
GAMA/AIA and Gulfstream requested the FAA replace ``persons'' with
``occupants'' in the Sec. 25.4 definition of ``hazardous failure
condition.'' The commenters stated that the use of ``persons'' in lieu
of ``occupants'' is an unsubstantiated expansion of the scope of the
safety analysis to include people not on the aircraft. In addition,
EASA's definition uses ``occupants.'' The FAA does not agree with this
request. The FAA intends the term ``persons'' not to be limited to
aircraft occupants. Although EASA's definition uses the term
``occupants,'' EASA has interpreted ``occupants'' to include persons
other than airplane occupants in its Acceptable Means of Compliance
(AMC) 25.1309. Specifically, AMC 25.1309 states, ``Where relevant, the
effects on persons other than the aeroplane occupants should be taken
into account when assessing failure conditions in compliance with CS
25.1309.''
TCCA commented that the FAA should revise its definition of
``hazardous failure condition'' to exclude fatalities. TCCA stated that
any fatalities should be considered catastrophic. The FAA did not make
this change in this final rule, as doing so would not be consistent
with long-standing FAA equivalent safety findings, nor with industry
standards and practice, and would disharmonize the definition of
``hazardous failure condition'' with EASA AMC 25.1309.
Boeing and GAMA/AIA requested the FAA revise the definition of
``catastrophic failure condition'' to incorporate a note regarding
failure conditions, which would prevent continued safe flight and
landing (CSFL). Boeing also requested the FAA standardize the
definition across the ACs associated with this rulemaking because the
draft ACs were not consistent in their use of CSFL and associating this
concept with ``catastrophic failure condition.'' The FAA partially
agrees with this request. The FAA added a note to the definition of
``catastrophic failure condition'' in AC 25.1309-1B to indicate that a
failure condition that would prevent continued safe flight and landing
should be classified as ``catastrophic'' unless otherwise defined in
other, more specific, ACs. The FAA did not add the note to the
regulatory definition in Sec. 25.4 because the note is guidance on the
application of the definition.
Boeing requested that the FAA update the Sec. 25.4(b)(1)
definition of ``major failure condition'' to add ``physical
discomfort'' as an effect on the flight crew and to use the term
``cabin crew'' instead of ``flight attendants'' for consistency with
EASA Acceptable Means of Compliance (AMC) 25.1309. The FAA agrees and
has incorporated these updates in the final rule for Sec. 25.4(b)(1).
GAMA/AIA and Gulfstream requested the FAA remove Sec.
25.4(b)(1)(iv) (``An effect of similar severity'') from the definition
of ``major failure condition'' in Sec. 25.4(b)(1). They stated this is
a new addition to the definition and may cause confusion. The FAA does
not agree to remove ``an effect of similar severity'' from the
definition. This phrase replaces the term ``for example'' in EASA's
definition. This does not add any additional criteria to the existing
safety objective of ``major'' severity.
Boeing and GAMA/AIA requested the FAA revise the definition of
``significant latent failure'' to ``Any latent failure that is present
in any combination of failures or events resulting in a hazardous or
catastrophic failure condition.'' Boeing stated that this proposed
definition minimizes possible misunderstanding or misinterpretation of
the significant latent failure. The FAA did not make this change
because the wording of the significant latent failure definition is
well-established and unchanged from AC 25.1309-1A.
Except for the foregoing updates to the definition of ``major
failure condition'' in Sec. 25.4(b)(1), new Sec. 25.4, Definitions,
is adopted as proposed.
B. Section 25.302, Interaction of Systems and Structures
In the NPRM, the FAA proposed a new section, Sec. 25.302, that
would require an applicant to account for systems, and their possible
failure, when assessing the structural performance of its proposed
design. Modern flight control systems are more sophisticated than their
predecessors and offer advantages such as load limiting and
alleviation. However, as the FAA discussed in the NPRM, these systems
can also have failure states that may allow the system to function in
degraded modes that flightcrews may not readily detect and in which the
load alleviation or limiting function may be adversely affected.
The FAA based much of its proposed regulation on the requirements
of special conditions that the FAA has issued for several years to
address these concerns on previous certification programs. However, as
detailed in the NPRM, proposed Sec. 25.302 included a number of
differences compared to the special conditions and as compared to EASA
CS 25.302. The primary objective of the Sec. 25.302 rule that the FAA
proposed in the NPRM was to reduce confusion for authorities and
applicants by simplifying the rule text relative to previously-issued
special conditions.
ATR, Boeing, Bombardier, TCCA, Airbus, EASA, GAMA/AIA, Gulfstream,
and ANAC did not object to the FAA codifying the terms of its special
conditions that it has been issuing to address this issue. However,
they requested the FAA harmonize (by using the same language and, if
possible, the same paragraph and appendix numbering for) proposed Sec.
25.302 as EASA CS 25.302, which includes Appendix K by reference.
The FAA recognizes the benefits of harmonization. These benefits
include regulatory predictability and the reduction of burden on
applicants and civil aviation authorities. Therefore, except as
discussed below, in this final rule, the FAA has harmonized new Sec.
25.302 with EASA CS 25.302 to match the language and structure of
EASA's rule to the extent allowed by FAA rulemaking constraints.
In this final rule, the FAA has revised proposed Sec. 25.302 to
more closely harmonize with EASA CS 25.302, which includes Appendix K
by reference. The revisions harmonize Sec. 25.302 with CS 25.302 in
the determination of structural safety factors; the
load conditions that the applicant must consider following system
failures; residual strength substantiation; fatigue and damage
tolerance; failure indications; and dispatch with known failure
conditions. The FAA is revising these requirements relative to what was
proposed in the NPRM because much of the criteria in CS 25.302 more
closely matches the FAA Interaction of Systems and Structures special
conditions that have been applied on numerous transport category
airplane programs and have proven to provide a satisfactory level of
safety.\19\ Also, the NPRM proposal, if adopted, would have introduced
a number of differences between FAA and EASA requirements and created a
potential certification burden.
---------------------------------------------------------------------------
\19\ 87 FR 16626 (Mar. 24, 2022); 82 FR 36328 (Aug. 4, 2017).
---------------------------------------------------------------------------
The FAA stated in the NPRM that the proposed Sec. 25.302(e), which
would have provided structural requirements for dispatch under the
master minimum equipment list provided by the applicant, would provide
safety benefits by using a simpler approach to address the risk
associated with dispatching an airplane with known failure conditions.
However, the FAA agrees with commenters that two different sets of
criteria (FAA and EASA) would only cause more difficulty for
manufacturers, the FAA, and other civil aviation authorities. The FAA
also stated in the NPRM that proposed Sec. 25.302 would provide safety
benefits by using simpler, and in some cases more conservative,
criteria compared with CS 25.302 and previous FAA special conditions.
The FAA agrees with commenters that its special conditions, which used
the same factor-of-safety formulae as used in CS 25.302, have proven to
provide a satisfactory level of safety and that more conservative
criteria are not necessary. By more closely harmonizing with CS 25.302
and previous FAA special conditions, applicants will be able to rely on
past practices. The public could have reasonably anticipated the FAA
would adopt final rule text that closely harmonizes with CS 25.302,
given the FAA's prior special conditions, the common safety purpose of
the FAA and EASA regulations on this topic, and the
[[Page 68711]]
harmonization discussion throughout the NPRM.
In this final rule, the FAA has also revised Sec. 25.302 to
harmonize with CS 25.302 in terms of the rule structure and paragraph
numbering, although CS-25 includes CS 25.302 criteria within Appendix
K, while 14 CFR part 25 includes all criteria directly in Sec. 25.302.
The regulatory text proposed by the FAA in the NPRM did not require
applicants to consider the effect of nonlinearities, but the preamble
reflected the FAA's assumption that applicants would do so. Consistent
with CS 25.302, in this final rule, the FAA has made this consideration
a regulatory requirement.
In the NPRM, the FAA stated that proposed Sec. 25.302 would not
include any aeroelastic stability requirements, only loads
requirements. The FAA did not revise this final rule to harmonize with
CS 25.302 in terms of aeroelastic stability criteria. As discussed in
the NPRM, the FAA finds that the failure criteria specified in Sec.
25.629 are adequate, and there is no need to propose different failure
criteria in Sec. 25.302.
Airbus, Boeing, Bombardier, Dassault, DeHavilland, GAMA/AIA,
Gulfstream, Pratt & Whitney, and TCCA requested specific changes to
proposed Sec. 25.302 in the event the FAA chose not to harmonize Sec.
25.302 with EASA CS 25.302. The requested specific changes are no
longer applicable as the FAA has largely harmonized Sec. 25.302 in
this final rule with EASA CS 25.302.
Airbus proposed that the FAA consolidate, into new Sec. 25.302,
the requirement of Sec. 25.305(f) that the airplane must be designed
to withstand any forced structural vibration resulting from any
failure, malfunction, or adverse condition in the flight control
system. The FAA does not agree. In this final rule, the FAA keeps those
as separate requirements because the requirement in Sec. 25.305(f) may
apply to systems and failures not addressed by Sec. 25.302. Also,
Sec. 25.305(f) is currently harmonized with CS 25.305(f).
1. Summary of Requirements
For airplanes equipped with systems that affect structural
performance, Sec. 25.302, in this final rule, requires the applicant
to take into account the influence of these systems and their failure
conditions when showing compliance with the requirements of subparts C
and D of 14 CFR part 25. New Sec. 25.302(b) specifies requirements for
when the systems are fully operative. New Sec. 25.302(c) specifies
requirements for failure conditions at the time of occurrence (Sec.
25.302(c)(1)) and for the continuation of flight (Sec. 25.302(c)(2)).
New Sec. 25.302(c) includes requirements related to structural
vibrations, residual strength, and fatigue and damage tolerance for
these failure conditions. Finally, the rule provides failure indication
(Sec. 25.302(d)) and dispatch requirements (Sec. 25.302(e)).
2. Applicability
Boeing, Bombardier, DeHavilland, GAMA/AIA, and Pratt & Whitney
requested that the FAA clarify the applicability of proposed Sec.
25.302, including whether the FAA's final rule would apply only, as did
the FAA's special conditions and EASA CS 25.302, to the airplane
structure whose failure could prevent continued safe flight and
landing. The applicability of Sec. 25.302 in this final rule is as
follows.
As stated in the final rule text, Sec. 25.302 applies to systems
that affect structural performance, either directly or as a result of a
failure or malfunction. A system affects structural performance if it
can induce loads on the airplane or change the response of the airplane
to inputs such as gusts or pilot actions.
Examples of these systems include flight control systems,
autopilots, stability augmentation systems, load alleviation systems,
and fuel management systems.
Section 25.302, in this final rule, specifies the loads that the
applicant's analysis must apply to structure, taking into account the
systems defined above, operating normally and in the failed state. As
stated in the final rule text, these structural requirements apply only
to structure whose failure could prevent continued safe flight and
landing. This limitation is consistent with the requirements of the
special conditions that the FAA has been applying for more than twenty
years.
Section 25.302, in this final rule and as proposed in the NPRM,
does not apply to the flight control jam conditions covered by Sec.
25.671(c)(3) or the discrete source events covered by Sec. 25.571(e).
Section 25.302 also does not apply to any failure or event that is
external to (not part of) the system being evaluated and that would
itself cause structural damage.
3. Clarification of Terms
In this final rule, Sec. 25.302(b) states that with the system
fully operative, the applicant must investigate the effect of
nonlinearities sufficiently beyond limit conditions to ensure the
behavior of the system presents no detrimental effects compared to the
behavior below limit conditions. The intent of this sentence is to
require the applicant to investigate the system effects ``sufficiently
beyond limit'' to ensure that no detrimental effects could occur at
limit load or just beyond.
Sections 25.302(c)(1)(ii) and (c)(2)(iii) of this final rule
include a reference to residual strength substantiation. This is
referring to the residual strength substantiation required by Sec.
25.571(b).
Section 25.302(c)(2)(iv) of this final rule states that if the
loads induced by the failure condition have a significant effect on
fatigue or damage tolerance, then the applicant must take their effects
into account. A failure condition has a ``significant'' effect on
fatigue or damage tolerance if it would result in a change to
inspection thresholds, inspection intervals, or life limits.
Section 25.302(d)(1) of this final rule requires the flightcrew to
be made aware of certain failure conditions before flight, as far as
practicable. In this case, ``as far as practicable'' means that if
automatic failure indication can detect such a failure using current
technology, then that failure should be so monitored and indicated to
the flightcrew before flight.
4. Significant Standards Differences Between Sec. 25.302 and EASA CS
25.302
Section 25.302 of this final rule differs from CS 25.302 and
Appendix K, as discussed below.
As noted above, unlike CS 25.302, new Sec. 25.302 does not include
any aeroelastic stability requirements. Section 25.629 and CS 25.629
both specify flutter speed margins for failure conditions, but CS
25.302 includes additional aeroelastic failure criteria. As indicated
in the NPRM, the FAA finds the failure criteria specified in Sec.
25.629 to be adequate, and additional failure criteria in Sec. 25.302
are unnecessary. This is a significant standards difference between
Sec. 25.302 and CS 25.302.
The NPRM proposed, and in this final rule Sec. 25.302 requires,
the evaluation of any system failure condition not shown to be
extremely improbable or that results from a single failure. Several
commenters, including Bombardier, Airbus, and TCCA, stated that single
failures that an applicant shows to be extremely improbable should not
be included in Sec. 25.302, while Boeing agreed that single failures
should be included regardless of probability. The FAA does not agree to
exclude single failures from Sec. 25.302 in this final rule for the
following reasons:
(1) To be consistent with Sec. Sec. 25.671 and 25.1309, both of
which require the evaluation of single failures, and related guidance,
and past practice for these regulations, the FAA determined, as
indicated in the NPRM, that single
[[Page 68712]]
failures should be assumed to occur regardless of probability.
(2) The typical language of the FAA's Interaction of Systems and
Structures special conditions, used to address this issue on a variety
of transport category airplane programs for more than twenty years,
refers to any system failure condition ``not shown to be extremely
improbable.'' Even though the special conditions have not explicitly
mentioned single failures, the FAA's long-standing position on single
failures is that they cannot be accepted as being extremely improbable.
As noted in AC 25.1309-1A, dated June 21, 1988: ``In general, a failure
condition resulting from a single failure mode of a device cannot be
accepted as being extremely improbable.''
(3) The FAA has determined that not including single failures in
the evaluation would reduce safety.
To conclude, CS 25.302 requires the evaluation of any system
failure condition not shown to be extremely improbable, and that rule
does not explicitly mention single failures. Therefore, this is a
significant standards difference between Sec. 25.302 in this final
rule and CS 25.302.
CS 25.302 and Sec. 25.302 in this final rule both require
evaluation of failure conditions that affect structural performance,
and for these failure conditions, both rules specify certain load
conditions that must be evaluated for the continuation of flight.
Section 25.302 includes an additional requirement not included in CS
25.302: Section 25.302(c)(2)(i)(F) requires the applicant to evaluate
any other load condition for which a system is specifically installed
or tailored to reduce the loads of that condition. ``Tailored'' means
the system is designed or modified to change the response of the
airplane to inputs such as gusts or pilot actions and thereby affect
the resulting loads on the airplane. This is necessary to account for
any systems that are designed to reduce the loads resulting from load
conditions not specified in Sec. 25.302(c)(2)(i)(A) through (E) and
whose failure would increase loads relative to the design load level.
This is a significant standards difference between Sec. 25.302 and CS
25.302.
5. Nonsignificant Standards Differences Between Sec. 25.302 and EASA
CS 25.302
Section 25.302 does not include paragraphs (a) and (b) from CS-25
Appendix K, K25.1 General, except for one sentence from K25.1(a). That
sentence indicates that the criteria in Sec. 25.302 are only
applicable to structure whose failure could prevent continued safe
flight and landing. Also, new Sec. 25.302(c), discussed above, does
not include paragraph (c)(3) from Appendix K, K25.2 Effects of Systems
on Structures. The FAA did not include these paragraphs because the FAA
determined they are general in nature and do not contain any specific
requirements.
Section 25.302 does not include the definitions found in paragraph
K25.1(c). The FAA determined these terms are sufficiently understood
and do not need to be provided in the rule.
While Sec. 25.302 is mostly harmonized with CS 25.302, there are a
number of minor differences in wording, as follows:
CS-25 K25.2 paragraph (b) provides requirements for a fully
operative system. Section 25.302(b) mandates the same requirements but
states them more succinctly.
CS-25 K25.2 paragraph (c) provides requirements for a failed
system. Section 25.302(c) mandates the same requirements but removes
passive voice and states those requirements more succinctly.
CS-25 K25.2 paragraph (d) provides failure indication requirements.
Section 25.302(d) mandates the same requirements but does not include
the last two sentences of K25.2 paragraph (d)(1) because they are
unnecessary given the first two sentences of paragraph (d)(1).
CS-25 K25.2 paragraph (e) and Sec. 25.302(e) of this final rule
address dispatch requirements. In Sec. 25.302(e), the FAA includes a
specific reference to the Master Minimum Equipment List, which the
operator uses to develop their Minimum Equipment List, the primary
document that controls dispatch requirements. Also, CS 25.302(e)
includes a requirement that flight and operational limitations be such
that being in a failure state and then encountering limit load is
extremely improbable. The FAA did not include this requirement because
Sec. 25.302(e) already includes specific criteria related to dispatch,
and this requirement could potentially conflict with those criteria.
Finally, EASA includes CS 25.302 criteria within CS-25 Appendix K,
while this final rule includes the equivalent criteria in Sec. 25.302.
In conclusion, to address the potential effects of aircraft systems
on structure, the FAA does not adopt the text of Sec. 25.302 that the
FAA proposed in the NPRM. Instead, the FAA, as requested by several
commenters, adopts a new Sec. 25.302 that more closely hews to the
language of the FAA's longstanding special conditions on this topic and
to EASA CS 25.302, with the modifications set forth in the foregoing
discussion.
C. Section 25.629, Aeroelastic Stability Requirements
Summary of Changes to Current Rule
Section 25.629 establishes several requirements to ensure the
aeroelastic stability of the airplane. For example, it requires the
applicant to consider the potential effect of several types of failures
on the airplane's aeroelastic stability. In the NPRM, the FAA proposed
to revise paragraphs (b) and (d) of this section, as discussed below.
In this final rule, the FAA is revising the paragraph numbers of
Sec. 25.629 to correspond with EASA's rule (i.e., Sec. 25.629(d)(9)
becomes (d)(10); Sec. 25.629(d)(10) becomes (d)(11); and the failure
evaluation requirements are introduced in Sec. 25.629(d)(9)), as
requested by commenters and explained below. The FAA is also revising
the text in Sec. 25.629(d)(9), as requested by commenters and as
explained below, to harmonize with EASA CS 25.629(d)(9) and to clarify
when the new failure evaluation requirements are applicable.
Furthermore, as requested by commenters and explained below, the FAA is
not revising Sec. 25.629(b), as was proposed in the NPRM, to include
the reference to Sec. 25.333. Instead, the FAA is revising Sec.
25.629(a) to clarify that the aeroelastic evaluation must include any
condition of operation within the maneuvering envelope. This revision
to proposed Sec. 25.629(a) is consistent with existing
industry practice of evaluating the aeroelastic impact of loads due to
allowed maneuvers for part 25 airplanes and is stated explicitly in
Sec. 23.629 at amendment 23-63 \20\ and EASA CS 23.629 amendment 23/4.
The FAA also revised Sec. 25.629(a) in this final rule to consistently
use the singular term ``evaluation'' where it appears in order to
prevent confusion.
---------------------------------------------------------------------------
\20\ 76 FR 75736 (December 2, 2011).
---------------------------------------------------------------------------
1. Paragraphs (a) and (b)
In the NPRM, the FAA proposed to specify that the aeroelastic
stability envelope addressed by Sec. 25.629(b) includes the range of
load factors in Sec. 25.333, Flight Maneuvering Envelope.
GAMA/AIA, Gulfstream, DeHavilland, Airbus, Bombardier, and Boeing
requested the FAA not make this change. The commenters stated this
would be an expansion of the traditional scope of Sec. 25.629 and that
it would disharmonize the FAA's rule with EASA rules. The commenters
also stated that the structural design envelope defined in Sec. 25.333
is not intended for
[[Page 68713]]
aeroelastic stability analysis and should not be confused with the
normal flight envelope of an airplane.
The FAA agrees with the commenters that the proposed change would
disharmonize with CS 25.629 and potentially confuse the FAA's
aeroelastic stability requirements with the strength requirements of
Sec. 25.333. Therefore, in this final rule, the FAA did not adopt the
reference to Sec. 25.333 in Sec. 25.629(b), which remains unchanged.
However, including conditions within the flight maneuvering
envelope that is described in Sec. 25.333 in aeroelastic stability
evaluations is common practice because such conditions are anticipated
to be encountered in flight and therefore need to be free from
aeroelastic instabilities. Thus, although paragraph (b) of Sec. 25.629
does not reference Sec. 25.333, in this final rule, paragraph (a) of
Sec. 25.629 now states that the aeroelastic evaluation must ``include
any condition of operation within the maneuvering envelope.'' This
change to Sec. 25.629(a) is consistent with Sec. 23.629 at amendment
23-63 and EASA CS 23.629 amendment 23/4, which also address conditions
of operation in paragraph (a). The FAA has also issued AC 25.629-1C,
Aeroelastic Stability Substantiation of Transport Category Airplanes,
to provide more details, further clarify the intent of the rule change,
and provide an acceptable means of compliance.
2. Paragraph (d)
In the NPRM, the FAA proposed to relocate certain requirements for
applicants to analyze specific failures from Sec. 25.671(c)(2) to
Sec. 25.629(d).
Gulfstream requested the FAA revise proposed Sec. 25.629(d) to
consider the probability of the noted failure conditions and exclude
extremely improbable failure combinations. Gulfstream stated that
current Sec. 25.671(c)(2) states ``Any combination of failures not
shown to be extremely improbable. . .''; however, proposed Sec.
25.629(d)(10) would not have limited its scope to ``combination of
failures not shown to be extremely improbable.'' In addition, GAMA/AIA
requested the FAA not adopt proposed Sec. 25.629(d)(10) and instead
leave these requirements in current Sec. 25.671. GAMA/AIA stated that
by explicitly adding the failures to proposed Sec. 25.629(d)(10),
regardless of probability, a more strenuous requirement is added
without justification. GAMA asserted that retention of the exclusion of
extremely improbable combinations will serve to incentivize designs of
higher reliability.
The FAA does not agree with these requests. The FAA does not agree
with the commenters' suggestions to limit the required consideration to
failures that the applicant cannot show are extremely improbable. The
stated conditions need to be considered by the applicant regardless of
probability calculations if the airplane's aeroelastic stability relies
on flight control system stiffness, damping, or a combination of both.
Proposed Sec. 25.629(d)(10), which is now paragraph (d)(9) in the
final rule, reflects current industry practice and existing guidance in
AC 25.629-1B and EASA Acceptable Means of Compliance (AMC) Sec.
25.629. In addition, the requested change would have introduced a
significant difference between the standards of the FAA and EASA CS
25.629.
Boeing, Bombardier, and Gulfstream requested that proposed
paragraph Sec. 25.629(d)(10) be more closely harmonized with the
corresponding CS 25.629 paragraph in its introductory text to include
the text ``where aeroelastic stability relies on flight control system
stiffness and/or damping'' to provide clarity to the application of
this requirement. The FAA agrees with this request because it clarifies
the situations for which failure evaluations are required and has
updated Sec. 25.629(d)(9) in the final rule to more closely harmonize
with EASA and to include the text ``where aeroelastic stability relies
on flight control system stiffness, damping, or both.''
Airbus requested that the FAA remove the reference to Sec. 25.671
from current Sec. 25.629(d)(9). Airbus stated that this reference may
no longer be applicable because, in the NPRM, the FAA proposed to
consolidate the requirements in current Sec. 25.671(c)(1) and (c)(2)
under proposed Sec. 25.1309.
In this final rule, the FAA has redesignated paragraph (d)(9) of
Sec. 25.629 as paragraph (d)(10) and updated Sec. 25.671(c) to align
with CS 25.671(c). The FAA has retained the reference to Sec. 25.671
in Sec. 25.629(d)(10) because, in the final rule, applicants must
still evaluate the failure conditions of paragraph Sec. 25.671(c)
under Sec. 25.629(d)(10).
D. Section 25.671, Flight Control Systems
In the NPRM, the FAA proposed a number of revisions and additions
to Sec. 25.671, as summarized and discussed below. Airbus, ANAC,
Boeing, GAMA, Gulfstream, Safran, and TCCA requested the FAA harmonize
one or more paragraphs of Sec. 25.671 with EASA CS 25.671. The FAA
agrees with these requests and, in this final rule, has changed
proposed Sec. 25.671(a), (b), (c), (d), (e), and (f) to better align
with EASA CS 25.671.
1. Paragraph (a)
In the NPRM, the FAA proposed to revise Sec. 25.671(a) by
referring to each ``flight control'' and ``flight control system''
instead of ``control'' and ``control system.'' To harmonize with CS
25.671(a), the final rule now refers only to each ``flight control
system.'' This is not a substantive change from the NPRM.
In the NPRM, the FAA also proposed to revise Sec. 25.671(a) to
require the flight control system to continue to properly operate, and
not hinder airplane recovery when the airplane experiences certain
conditions, including any ``pitch, roll, or yaw rate, or vertical load
factor.'' The FAA proposed that this change would ensure there would be
no features or unique characteristics of the flight control system that
restrict the pilot's ability to recover from any attitude, pitch, roll
or yaw rate, or vertical load factor expected to occur due to operating
or environmental conditions. ANAC and TCCA suggested changing proposed
Sec. 25.671(a) to specify ``any flight dynamics parameter'' instead of
``any pitch, roll, yaw rate, or vertical load factor'' to harmonize
with EASA language. The FAA does not agree. The suggested change would
be a potentially open-ended requirement because ``any flight dynamics
parameter'' could mean many different parameters. The text in Sec.
25.671(a) \21\ is more specific, sufficient to accomplish its purpose,
and is adopted as proposed.
---------------------------------------------------------------------------
\21\ AC 25.671-1 provides additional information.
---------------------------------------------------------------------------
2. Paragraph (b)
In the NPRM, the FAA proposed to revise Sec. 25.671(b) by
referring to incorrect assembly that could result in ``failure of the
system to perform its intended function.'' To harmonize with CS
25.671(b), the final rule now refers to incorrect assembly that could
result in ``failure or malfunctioning of the system.'' This is not a
substantive change from the NPRM.
An individual commenter requested the FAA move the requirement to
minimize the probability of incorrect assembly from Sec. 25.671(b) to
Sec. 25.1309 and make it applicable to all systems. The commenter
stated that designing a system to ensure it can only be assembled
correctly is a basic good engineering practice. The FAA does not agree
to make this change to the regulation. The requirements of Sec.
25.671(b) apply only to flight control systems. Other systems are
subject to different requirements for minimizing
[[Page 68714]]
incorrect assembly and different marking requirements. The incorrect
assembly addressed by Sec. 25.671(b) is that which could result in
failure or malfunctioning of the system. Section 25.1309(a) requires
the proper functioning of the equipment, systems, and installations
whose function is required by subchapter C of title 14. The issue of
incorrect assembly is addressed in AC 25.1309-1B, by reference to
Aerospace Recommended Practice (ARP) 4761 ``Guidelines and Methods for
Conducting the Safety Assessment Process on Civil Airborne Systems and
Equipment.'' Within ARP4761, improper assembly is a manufacturing
consideration, addressed only with respect to common mode type sources
or failures/errors.
ANAC requested the FAA harmonize proposed Sec. 25.671(b) with EASA
CS 25.671(b) by adding ``taking into consideration the potential
consequence of incorrect assembly'' to the requirement. The FAA does
not agree with this request. The general requirements of this paragraph
apply to each element of each flight control system regardless of the
potential consequence of incorrect assembly.
Revised Sec. 25.671(b) is therefore adopted as proposed.
3. Introductory Text of Paragraph (c)
The NPRM proposed certain conforming changes to the introductory
text of paragraph (c), as a result of the FAA's proposal to remove the
flight control system failure criteria of Sec. 25.671(c)(1) and (c)(2)
and substitute the general criteria of 14 CFR 25.1309. As explained
below, the FAA decided to retain the specific criteria of Sec.
25.671(c)(1) and (c)(2), and so the proposed changes to the
introductory text of paragraph (c) are no longer necessary.
Therefore, in this final rule, the introductory paragraph (c) is
unchanged from the current paragraph (c), except as described herein.
The current Sec. 25.671(c) introductory text refers to the flight
control system and surfaces (including trim, lift, drag, and feel
systems). To harmonize with CS 25.671(c), the final rule refers only to
the flight control system, which includes surfaces and the other
referenced systems. This is not a significant change.
The current Sec. 25.671(c) introductory text requires the
applicant to show that the airplane is capable of continued safe flight
and landing after jams and other failures ``without requiring
exceptional piloting skill or strength.'' Gulfstream requested the FAA
not remove ``without requiring exceptional skill or strength'' from
Sec. 25.671(c). The FAA does not agree because that clause is now
included in the definition of continued safe flight and landing
provided in AC 25.671-1. Therefore, including this phrase in Sec.
25.671(c) is no longer necessary. The final rule is also harmonized
with CS 25.671(c) and AMC 25.671 in this regard.
Gulfstream requested the FAA not eliminate, as it proposed in the
NPRM, the Sec. 25.671(c) requirement for probable flight control
failures to have only ``minor'' effects. The company stated that minor
failures for Sec. 25.1309 tend to only have a functional hazard
assessment (FHA)-level review in the SSA. There is no specific
requirement in Sec. 25.1309(b) to address minor failures. As such,
there may be probable flight control failures that are not explicitly
addressed by the Sec. 25.1309(b) process. The FAA agrees. The final
rule retains the noted text.
ANAC requested the FAA move the requirement that compliance be
shown ``by analysis, test, or both . . .'' from Sec. 25.671(c) to AC
25.671-1, stating that this text is guidance. The FAA does not agree.
This portion of the text in Sec. 25.671(c) was not proposed to be
revised in the NPRM, has been in place for many decades in the current
rule, is understood by applicants, and is harmonized with CS 25.671(c).
4. Paragraphs (c)(1) and (c)(2)
The NPRM proposed that current Sec. 25.671(c)(1) and (c)(2) be
removed and all flight control system failures be covered by Sec.
25.1309. Boeing, Airbus, ANAC, GAMA/AIA, Gulfstream, and TCCA requested
the FAA retain the current Sec. 25.671(c)(1) and (c)(2) in order to
better align Sec. 25.671(c) with EASA CS 25.671(c). The FAA agrees
with commenters that removing Sec. 25.671(c)(1) and (c)(2) would
create a certification burden due to differences with EASA requirements
and because different means of compliance are normally used for
Sec. Sec. 25.671(c) and 25.1309(b), as described in their respective
ACs. Therefore, the FAA agrees to retain Sec. 25.671(c)(1) and (c)(2).
If the FAA chose not to change Sec. 25.671(c)(1) and (c)(2), TCCA,
ANAC, Bombardier, and Boeing requested specific changes to Sec.
25.671(c) in order to more closely harmonize with EASA CS 25.671(c).
The requested changes are no longer relevant as the FAA has decided to
retain Sec. 25.671(c)(1) and (c)(2).
5. Paragraph (c)(3)
In the NPRM, the FAA proposed that revised Sec. 25.671(c) would
address flight control jams. With the retention of Sec. 25.671(c)(1)
and (c)(2), described above, flight control jams will continue to be
addressed by Sec. 25.671(c)(3). The proposed rule would have addressed
flight control jams in Sec. 25.671(c)(1), (c)(2), and (c)(3). The
corresponding paragraphs for these requirements in this final rule are
Sec. 25.671(c)(3)(i), (c)(3)(ii), and (c)(3)(iii).
To harmonize with CS 25.671(c)(3) and as recommended by the ARAC
FCHWG, and as described in the NPRM, this final rule refers to jams of
a flight control surface or pilot control that are ``fixed in
position'' due to a physical interference.
6. Exception in Paragraph (c)(3)(ii)
Proposed Sec. 25.671(c)(2) would have excepted jams that occur
immediately before touchdown if the applicant were able to show that
such jams are extremely improbable. (In this final rule, Sec.
25.671(c)(2) is renumbered as Sec. 25.671(c)(3)(ii).) The FAA proposed
this exception due to the lack of practical means for applicants to
show compliance, and the short duration of the potential hazard.
GAMA/AIA and Gulfstream requested the FAA revise proposed Sec.
25.671(c)(2) to incorporate the 2002 ARAC FCHWG recommendation, which
excluded consideration of jams occurring immediately before touchdown
regardless of probability.
The FAA agrees that the consideration of jams before touchdown
should not be linked with a numerical estimate of the probability of
the jam. Instead, in this final rule the FAA has reworded Sec.
25.671(c)(3)(ii) to exclude consideration of jams immediately prior to
touchdown if the risk of a potential jam is minimized to the extent
practical. AC 25.671-1 provides guidance on acceptable means of showing
compliance with this requirement.
This is a difference between Sec. 25.671(c)(3)(ii) and EASA CS
25.671(c)(3)(ii) because CS 25.671(c)(3)(ii) does not include an
exception for jams occurring just before touchdown. The FAA expects
this difference to have no effect in practice because EASA guidance
included in Acceptable Means of Compliance (AMC) Sec. 25.671 similarly
allows jams before touchdown to be excluded if an assessment of the
design shows that all practical precautions have been taken. Therefore,
the FAA finds that, with this final rule, there will not be a
significant standards difference between the FAA and EASA requirements.
Airbus asked that the FAA also except jams during the takeoff phase
because, in both cases, exposure time is limited. The FAA does not
agree. The ARAC FCHWG did not recommend excluding
the takeoff phase, only the landing phase. Although flight control jams
can occur during takeoff, practical design solutions can be put in
place to mitigate such jams. Note that AC 25.671-1 states that, for
jams that occur during takeoff, the applicant may assume that if the
jam is detected prior to V1, the takeoff will be rejected.
DeHavilland requested confirmation that the new requirements
related to flight control jams do not change what the company describes
as accepted current practice. That practice would allow jams in spring-
tab mechanisms that could occur during takeoff to be evaluated
probabilistically, and the short exposure time during takeoff could be
considered in determining the probability of such jams. This final rule
requires the applicant to determine the type of jam or failure being
assessed. For those flight control jams evaluated under Sec.
25.671(c)(3), the probability of the jam, and the short exposure time
during takeoff, may not be considered in showing compliance with that
regulation. The FAA did not change the rule or associated guidance as a
result of this comment.
7. Paragraph (c)(3)(iii)
Section 25.671(c)(3)(iii) states that in addition to the jam being
evaluated, any additional failure conditions that could prevent
continued safe flight and landing must have a combined probability of
1/1000 or less, rather than ``less than 1/1000'' as proposed in the
NPRM. This harmonizes with CS 25.671(c)(3).
GAMA/AIA requested that the FAA use ``failure states'' in place of
``failure conditions'' in Sec. 25.671(c)(3)(iii) because the 2002 ARAC
FCHWG report used ``failure states.'' The FAA does not agree. The term
``failure conditions'' is well-understood, has been used for many
years, and is appropriately used in this regulation. In addition, CS
25.671(c)(3) also refers to ``failure conditions.'' The FAA added
guidance in AC 25.671-1 to explain this requirement.
Except for the differences noted in the foregoing discussion,
revised Sec. 25.671(c) is adopted as proposed.
8. Paragraph (d)
Section 25.671(d) requires that the airplane remain controllable if
all engines fail. In the NPRM, the FAA proposed to add a requirement
that an approach and flare to a landing and controlled stop must also
be possible, assuming that a suitable runway is available. GAMA/AIA,
TCCA, and Boeing requested the FAA add ``and flare to ditching'' to the
new requirements. Since the most likely scenario leading to a
controlled ditching is loss of all engines, the scenario is relevant,
according to the commenters. The FAA agrees with this request because a
flare to a ditching may require different reconfiguration than would be
required for landing; for example, flap settings and pitch attitude.
Adding the flare to a ditching requirement to Sec. 25.671(d) will also
harmonize the rule with CS 25.671(d).
Gulfstream and GAMA/AIA requested the FAA remove the requirement
for a controlled stop from proposed Sec. 25.671(d) as they felt a
braking requirement should not be added to a general flight control
system requirement. The FAA does not agree. Stopping capability can be
affected by flight controls, including spoilers, flaps, and rudder. In
addition, removing it would result in a difference compared to EASA CS-25
language.
TCCA and ANAC requested that the FAA remove the following sentence
from proposed Sec. 25.671(d): ``The applicant may show compliance with
this requirement by analysis where the applicant has shown that
analysis to be reliable.'' The commenters stated that this sentence
describes an acceptable means of compliance, which is adequately
covered in the corresponding guidance. The FAA agrees and did not
include this sentence in the final rule.
Except for the changes noted in the foregoing discussion, Sec.
25.671(d) is adopted as proposed.
9. Paragraph (e)
In the NPRM, the FAA proposed to add new Sec. 25.671(e), requiring
the flight control system to indicate whenever the primary control
means are near the limit of control authority. The FAA proposed this
change due to the lack of direct tactile link between the flightdeck
control and the control surface on airplanes equipped with fly-by-wire
control systems.
DeHavilland requested that the FAA use ``must provide appropriate
feedback to the flight crew . . .'' in place of ``must indicate to the
flight crew'' in new Sec. 25.671(e). The company stated that for non-
fly-by-wire systems, the air loads are either naturally sensed or
simulated. The company also commented that the use of the word
``indicate'' in the proposed requirement has a potential for
misinterpretation, as tactile feedback is not normally considered as an
``indication.'' The commenter acknowledged draft AC 25.671-X addresses
use of feel forces and cockpit control movement to meet this
requirement.
The FAA does not agree to make this change. As noted by the
commenter, the AC addresses use of tactile feedback as a method of
compliance with this requirement.
ANAC and TCCA commented that the FAA should harmonize the new
requirement of Sec. 25.671(e) with CS 25.671(e) to remove any possible
misunderstanding. The FAA agrees. The proposed rule stated that the
``flight control system'' must indicate to the flightcrew whenever the
primary control means is near the limit of control authority. This
final rule is revised to harmonize with CS 25.671(e) and requires ``the
airplane'' to be designed to indicate to the flightcrew whenever the
primary control means is near the limit of control authority. This is
not a substantive change.
10. Paragraph (f)
In the NPRM, the FAA proposed to add new Sec. 25.671(f), requiring
that the flight control system alert the flightcrew whenever the
airplane enters any mode that significantly changes or degrades the
normal handling or operational characteristics of the airplane.
ANAC and TCCA commented that the FAA should fully harmonize Sec.
25.671(f) with CS 25.671(f) to remove any possible misunderstanding.
The FAA agrees. The proposed rule would have required that the flight
control system alert the flightcrew whenever the airplane enters a
flight control mode of concern. This final rule is revised to harmonize
with CS 25.671(f) and thus requires the system to provide ``appropriate
flightcrew alerting.'' This is not a substantive change.
11. Relationship Between Sec. Sec. 25.671(c) and 25.1309
ANAC, Boeing, and GE sought clarification from the FAA on the
applicability of Sec. Sec. 25.671(c) and 25.1309, particularly in
light of the changes proposed in the NPRM. As explained above, the FAA
decided to retain the structure of existing Sec. 25.671(c) in the
final rule, which will address the concerns raised by these commenters.
The FAA provides the following additional explanation relative to the
requirements of the final rule. Section 25.1309 applies to all systems
and equipment installed on the airplane, including the flight control
system. Section 25.671(c) also applies to the flight control system.
The safety requirements in Sec. 25.671(c)(1) and (c)(2) correspond
with those in Sec. 25.1309(b)(1). There are no fundamental differences
between these two sets of safety requirements as they apply to the
flight control system.
However, different methods of compliance may be used to comply with
Sec. 25.671(c)(1) and (c)(2) as compared to Sec. 25.1309(b)(1).
Sections 25.671(c)(1) and (c)(2) require the airplane to be capable
of continued safe flight and landing after any single failure and after
any combination of failures not shown to be extremely improbable.
Section 25.1309 requires that these failure conditions not be
catastrophic. While worded differently, these requirements are
functionally equivalent. AC 25.1309-1B states that a flight control
system failure condition that would prevent continued safe flight and
landing should be classified as catastrophic. AC 25.671-1 provides
specific criteria unique to the assessment of flight control system
failures. AC 25.1309-1B also provides guidance on assessing failure
conditions that apply to the flight control system.
Sections 25.1309(b)(2) through (b)(5), (c), and (e) also apply to
the flight control system. There are no requirements in Sec. 25.671
that correspond to these subparagraphs.
E. Section 25.901, Engine Installation
In the NPRM, the FAA proposed that Sec. 25.901(c) would specify
that the requirements of Sec. 25.1309 would apply to powerplant
installations. The FAA also proposed to remove the prohibition in Sec.
25.901(c) on catastrophic single failures and probable combinations of
failures since such failures would be adequately addressed
by the proposed Sec. 25.1309(b). The FAA proposed that these changes
would harmonize Sec. 25.901(c) with EASA CS 25.901(c).
Pratt & Whitney requested that the FAA add to Sec. 25.901(c) the
phrase ``or any other failure consistent with existing Sec. 33.75
single element exception requirements'' to ensure consistency with
Sec. 25.901(c) and existing requirements. The FAA does not agree with
the request. The referenced exception requirements only address
instances in which the failure of the single element is likely to
result in a hazardous engine effect. These effects are among the
conditions applicants use for evaluating the hazard to the engine under
engine airworthiness requirements, which do not consider the effect of
the airplane installation. For example, hazardous effects on the engine
may not necessarily result in a catastrophic failure at the airplane
level. Since the requirements of Sec. 33.75 are independent of the
aircraft airworthiness requirements, they are inadequate for evaluating
the hazard to the aircraft installation. The exceptions to Sec.
25.1309(b) that the FAA has identified in Sec. 25.901(c) are
consistent with existing powerplant installation requirements in part
25 and compliance showings to Sec. 25.901(c) before adoption of this
final rule. Expanding the exceptions to Sec. 25.1309(b) to include
aspects of Sec. 33.75 would not be consistent with existing part 25
powerplant installation requirements. The potential failure conditions
of the engine type design that should be excepted from Sec. 25.1309(b)
are adequately addressed by the exceptions identified by Sec.
25.901(c).
The FAA therefore adopts revised Sec. 25.901(c) as proposed.
F. Section 25.933, Reversing Systems
In the NPRM, the FAA proposed to add a ``reliability option'' for
thrust reversers to Sec. 25.933(a), allowing applicants to show that
an unwanted deployment of the reverser is extremely improbable (i.e.,
complies with 14 CFR 25.1309(b)), instead of only that the airplane
remains controllable if the reverser deploys in flight.
GAMA/AIA commented that the proposed wording of Sec. 25.933(a)
does not clearly communicate that the controllability option would
still require compliance with Sec. 25.1309, as noted in the regulatory
evaluation (footnote 58 of the NPRM). GAMA/AIA requested the wording of
Sec. 25.933(a) be changed to clearly define the requirement to show
compliance with Sec. 25.1309 regardless of controllability.
The FAA acknowledges that compliance with Sec. 25.1309 is required
regardless of which option an applicant chooses under Sec. 25.933(a)
since Sec. 25.901(c) requires compliance with Sec. 25.1309. However,
the FAA partially agrees, and in this final rule has revised Sec.
25.933(a) to clarify, that when an applicant chooses the reliability
option (new Sec. 25.933(a)(ii)), the applicant must account for the
potential hazard to the airplane assuming the airplane would not be
capable of continued safe flight and landing during and after an in-
flight thrust reversal when showing compliance with Sec. 25.1309(b).
Section 25.901(c) applies to the powerplant and auxiliary power unit
(APU) installation, except for the specific items listed in new Sec.
25.901(c). Compliance with Sec. 25.1309 is required for the powerplant
and APU installation, which includes the thrust reversing system, per
the new Sec. 25.901(c). The FAA finds that it is unnecessary to
restate in Sec. 25.933(a)(1) that compliance with Sec. 25.1309 is
required for the reversing system since it is already required by the
new Sec. 25.901(c) and not one of the items excepted.
Air Tech Consulting objected to the ``reliability option'' that the
FAA proposed in the NPRM. The commenter cited three inflight reverser
deployments in the past twelve months as justification for maintaining
the existing rule.
The FAA does not agree with this request. The incidents cited by
the commenter were not in-flight thrust reverser deployments, only
component failures or false indications.\22\ The FAA has made
equivalent safety findings on many proposed airplane models based on
the ARAC PPIHWG recommendations for Sec. 25.933(a)(1) and certified
many designs using the reliability approach rather than the
controllability approach in current Sec. 25.933(a)(1). The FAA does
not agree that these particular in-service events show that the systems
would not have met Sec. 25.1309(b) or that the longstanding
reliability approach for certification of the thrust reverser system is
inadequately safe.
---------------------------------------------------------------------------
\22\ Each of the three cited events was the result of either a
false indication of an unlocked reverser door or failure of the
primary lock followed by a small movement of a reverser door until
the secondary lock engaged, where the movement was enough to result
in an unlocked reverser indication. In either circumstance, the
reverser door did not deploy and an actual in-flight thrust reversal
did not occur. Also, after the close of the comment period for this
rule, a FedEx Boeing Model MD-11 experienced an unwanted in-flight
deployment on June 21, 2023. The thrust reversers on the airplane
were not certified using the reliability approach; however, the
design was reviewed by the FAA and Boeing (formerly Douglas) using
the ``Criteria for Assessing Transport Turbojet Fleet Thrust
Reverser System Safety,'' Revision A, dated June 1, 1994, which was
a reference document used by the ARAC PPIHWG to develop
recommendations for changes to Sec. 25.933(a). Boeing used a mixed
approach, in which the company demonstrated the Model MD-11 was
controllable following an unwanted in-flight deployment within
certain portions of the flight envelope and showed reliability,
using a thrust reverser SSA, for the remainder of the flight
envelope.
---------------------------------------------------------------------------
TCCA commented that systems design often needs to strike a balance
between availability (system performs its intended function when
needed) and integrity (protecting against system malfunctions). TCCA
requested that the FAA revise Sec. Sec. 25.933 and 25.1309(b) to
emphasize the need to consider system availability in conjunction with
integrity.
The FAA agrees that system availability is an important
consideration when designing the thrust reverser system. However, there
are already applicable airworthiness requirements, such as Sec. Sec.
25.901(b)(2) and 25.1309(a)(1), that address system availability and
reliability and that are related to the system's effect on airplane
safety. It is not necessary to provide additional emphasis on system
availability within Sec. Sec. 25.933 and 25.1309(b) since these
existing requirements are adequate to address the availability of the
thrust reverser system. Section 25.933(a)(1) addresses the specific
failure condition of an unwanted in-flight deployment only, and Sec.
25.1309(b) addresses the safety of equipment and systems as installed
on the airplane. Therefore, the FAA does not agree with the commenter's
request since requirements that influence system availability and the
relationship with propulsion system reliability, which apply to the
thrust reverser system, are already addressed in existing regulations.
The FAA included guidance on Sec. 25.901(b)(2) that is related to
Sec. Sec. 25.901(c) and 25.1309(b) in AC 25.901-1. Guidance for Sec.
25.1309(a)(1) can be found in AC 25.1309-1B.
The FAA therefore adopts revised Sec. 25.933 as proposed.
G. Section 25.1301, Function and Installation
In the NPRM, the FAA proposed to remove the ``function properly
when installed'' criterion in Sec. 25.1301(a)(4) for installed
equipment whose function is not needed for safe operation of the
airplane. In addition, the FAA proposed to remove Sec. 25.1301(b)
because it is redundant and unnecessary. Section 25.1301(b) required
that a proposed airplane's EWIS meet the requirements of subpart H of
part 25. The FAA proposed removing Sec. 25.1301(b) because subpart H
specifies its applicability and the requirements in subpart H can stand
alone. The FAA received no substantive comments on proposed Sec.
25.1301.
The FAA therefore adopts revised Sec. 25.1301 as proposed.
H. Section 25.1309, Equipment, Systems and Installations
1. Applicability
In the NPRM, the introductory paragraph of proposed Sec. 25.1309
explained that the regulation would apply to any equipment or system
installed on the airplane except as provided in paragraphs (e) and (f).
Boeing, ANAC, Gulfstream, GAMA/AIA, and Garmin requested that the FAA
delete paragraphs (e) and (f) of proposed Sec. 25.1309 and move their
content to the introductory paragraph to align with CS 25.1309. The
commenters also noted that these paragraphs included regulatory
exceptions to Sec. 25.1309 and showing compliance to an ``exception''
raised administrative issues. The FAA agrees and updated Sec. 25.1309
accordingly.
Proposed Sec. 25.1309(e) would have excluded flight control jams
governed by Sec. 25.671(c) from the proposed single-failure
requirement in Sec. 25.1309(b)(1)(ii). Gulfstream proposed that flight
control jams be excluded from all of Sec. 25.1309 and stated that
additional guidance would be needed if flight control jams were not
excluded from Sec. 25.1309(b). Although the FAA has historically used
Sec. 25.671(c) rather than Sec. 25.1309 to address flight control
jams, the FAA does not agree that flight control jams should be
excluded from the other paragraphs of Sec. 25.1309 because those
requirements apply to flight control systems and are necessary for
managing the risk of flight control jams.
The FAA agrees, however, that flight control jams should be
excluded from all of Sec. 25.1309(b), and the final rule is revised
accordingly. The FAA did not intend Sec. 25.1309(b) to apply to flight
control jams because an evaluation of the failure conditions under
Sec. 25.1309(b) requires the applicant to determine numerical
probabilities, which is not practical for flight control jams. Since
EASA CS 25.1309 excludes flight control jams from only CS
25.1309(b)(1)(ii), this is a substantive difference between the FAA and
EASA's regulations.
Proposed Sec. 25.1309(f)(1) stated that Sec. 25.1309(b) does not
apply to single failures in the brake system because such failures are
addressed by Sec. 25.735(b)(1). GAMA/AIA requested the FAA change
``single failures'' to ``failures'' to be consistent with Sec. 25.735.
The FAA does not agree with this request because other types of
failures in the brake system should be evaluated under Sec.
25.1309(b).
Proposed Sec. 25.1309(f)(2) stated that Sec. 25.1309(b) would not
apply to the failure effects addressed by Sec. Sec. 25.810(a)(1)(v)
and 25.812. Gulfstream and GAMA/AIA requested that the FAA replace
``25.810(a)(1)(v)'' with ``25.810'' to harmonize with CS 25.1309. The
FAA does not agree because Sec. 25.810(a)(1)(v) provides specific
deployment and usability criteria for certain means of evacuation
assistance, and this subparagraph alone is relevant to the exception
discussion. However, the FAA updated ``failure effects'' to ``failure
conditions'' to harmonize with CS 25.1309.
EASA requested that the FAA clarify the exception from compliance
with Sec. 25.1309(b) that proposed Sec. 25.1309(f)(3) would have
provided regarding Sec. 25.1193, ``Cowling and nacelle skin,'' and
suggested that the FAA change it from Sec. 25.1193 to Sec.
25.1193(a). EASA also stated that there may be value in considering
Sec. 25.1193 as applicable under Sec. 25.1309 for systems that are
used for opening or closing doors and monitoring proper closure/latched
conditions. Furthermore, EASA asked why Sec. 25.1193 was not also
included in the propeller debris release exception in proposed Sec.
25.1309(f)(4).
The FAA made no changes to the final rule in response to these
comments. The NPRM explains that Sec. Sec. 25.1193 and 25.905(d)
already require applicants to consider the specific failures of fires
from uncontained engine failures and engine case burn-through. Thus, it
is not necessary to consider these same failures under Sec. 25.1309 as
well. Furthermore, nacelle cowl door opening, closure, position
monitoring, latching, and other potential failure conditions are
discussed in AC 25.901-1 for compliance with Sec. Sec. 25.901(c) and
25.1309.
2. Paragraph (a)
In the NPRM, the FAA proposed to require that all installed
airplane equipment and systems whose improper functioning would reduce
safety perform as intended under the airplane operating and
environmental conditions (Sec. 25.1309(a)(1)). The FAA also proposed
that all equipment and systems not subject to the foregoing requirement
not have an adverse effect on the safety of the airplane or its
occupants (proposed Sec. 25.1309(a)(2)). The latter requirement would
have allowed such equipment to be approved by the FAA even if it may
not perform as intended.
ANAC commented that proposed Sec. 25.1309(a)(1) stated ``equipment
and systems, as installed, must meet'' this requirement, while the ARAC
SDAHWG recommended wording states ``equipment and systems must be
designed and installed so that . . . .'' \23\ ANAC recommended that the
FAA adopt the proposed ARAC wording and match EASA CS 25.1309. The FAA
agrees to harmonize the rule text to avoid any possible interpretation
differences and this final rule has updated Sec. 25.1309(a).
---------------------------------------------------------------------------
\23\ www.faa.gov/regulations_policies/rulemaking/committees/documents/media/TAEsdaT2-5241996.pdf.
---------------------------------------------------------------------------
GAMA/AIA and Boeing requested the FAA revise proposed Sec.
25.1309(a)(1) to replace ``whose improper functioning would reduce
safety'' with ``whose function is necessary for safe operation of the
airplane.'' The commenters were concerned that using the proposed
phrase could result in equipment, systems, and installations intended
for convenience to be subjected to Sec. 25.1309(a)(1) requirements.
The FAA
did not revise Sec. 25.1309(a)(1) as suggested because this change
would exclude evaluation of systems whose failure would have a safety
effect. The suggested change would also disharmonize this rule with
EASA CS 25.1309(a)(1).
Bombardier requested the FAA harmonize its proposed Sec.
25.1309(a)(2) rule text of ``functioning normally or abnormally'' with
the CS 25.1309(a)(2) rule text of ``not a source of danger.'' The FAA
declines to update proposed Sec. 25.1309(a)(2) as suggested. Although
the phrase ``functioning normally or abnormally'' used in proposed
Sec. 25.1309(a)(2) is different from the ``not a source of danger in
themselves'' used in EASA CS 25.1309(a)(2), the FAA considers these
phrases as having generally the same meaning. ``Not a source of
danger'' is largely synonymous with ``safe.'' An applicant must
evaluate the systems addressed by Sec. 25.1309(a)(2) to verify that
their normal operation and failure or abnormal functioning have no
safety effect (i.e., they do not affect the operational capability of
the airplane, do not increase flightcrew workload, and do not affect
the safety of passengers or cabin crew).
GAMA/AIA requested the FAA change ``must not adversely affect'' in
proposed Sec. 25.1309(a)(2) to ``do not adversely affect'' as used in
CS 25.1309(a)(2). GAMA/AIA stated that using ``do not'' in the
regulation instead of ``must not'' changes the tone from preventative
to evaluative. The FAA agrees and updated Sec. 25.1309(a)(2) to align
with CS 25.1309(a)(2).
Bombardier questioned whether Sec. 25.1309(a)(2) should be
interpreted by applicants to apply to electromagnetic interference
(EMI) generated by systems operating abnormally. In a related question,
Bombardier asked the FAA to clarify what applicants should address in a
qualitative failure evaluation of equipment and systems under Sec.
25.1309(a)(2). Bombardier stated that the NPRM preamble implies that
applicants would have to show that an equipment failure will not result
in increased electromagnetic emissions; however, Bombardier does not
consider this to be the intent of proposed Sec. 25.1309(a)(2).
The FAA intends that systems addressed under Sec. 25.1309(a)(2),
in this final rule, do not have to meet the former requirement that
they ``perform as intended'' when installed. AC 25.1309-1B explains
that the systems addressed by Sec. 25.1309(a)(2) should be designed so
that their failures have no safety effect. In addition, normal
installation practices can be used to isolate these systems, and a
qualitative installation evaluation based on engineering judgment can
be used to determine that the failure or improper functioning of these
systems would not affect the safety of the airplane. Thus, the extent
of EMI testing that is required for systems addressed under Sec.
25.1309(a)(1) is not required for systems addressed under Sec.
25.1309(a)(2). However, if there is a risk that the failure of a system
addressed under Sec. 25.1309(a)(2) will result in electromagnetic
emissions that affect the proper function of systems addressed under
Sec. 25.1309(a)(1), then formal methods such as testing or analysis
may be used to evaluate the failure in lieu of a qualitative
installation evaluation that uses engineering judgment to conclude that
electromagnetic emissions would not occur.
Except for the foregoing changes, Sec. 25.1309(a) is adopted as
proposed.
3. Paragraph (b)
Section 25.1309(b) requires applicants to assess safety at the
airplane level for airplane systems and associated components,
evaluated separately and in relation to other systems, and requires
that the airplane's systems and components meet certain reliability
standards. In the NPRM, the FAA proposed to revise Sec. 25.1309(b) to
address design and installation so that each catastrophic failure
condition is extremely improbable and does not result from a single
failure, each hazardous failure condition is extremely remote, and each
major failure condition is remote.
In this final rule, the FAA has adopted proposed Sec.
25.1309(b)(1) through (b)(3) with no changes but revised Sec.
25.1309(b)(4) and (b)(5) to align with the corresponding sections of
EASA CS 25.1309.
Proposed Sec. 25.1309(b)(4) would have required that significant
latent failures (SLFs) be eliminated, except if the Administrator
determined that doing so was impractical. If the applicant proved to
the Administrator that such elimination was impractical, the regulation
would have required the applicant to limit the likelihood of the SLF to
1/1000 between inspections. If the applicant proved that such
limitation was impractical, then the proposed regulation would have
required the applicant to minimize the length of time the failure would
be present but undetected.
Garmin expressed concern that the 1/1000 requirement in proposed
Sec. 25.1309(b)(4)(i) could be burdensome without a cutset \24\ limit
because no matter how many cutsets deep the latent failure is (e.g., 3,
4, 5, or more cutsets), it still would have to meet the 1/1000
requirement unless the applicant obtains agreement with the FAA that it
has been adequately minimized. Thus, Garmin recommended that the FAA
remove the 1/1000 requirement from Sec. 25.1309(b)(4) to align with
EASA and suggested that the 1/1000 requirement be moved to AC 25.1309-
1B as one way to show the SLF is minimized. Garmin proposed that a
cutset limit be applied to either the 1/1000 requirement within Sec.
25.1309(b)(4) or to the definition of SLF if the FAA did not remove the
1/1000 requirement from Sec. 25.1309(b)(4) in the final rule. The FAA
agrees to remove the 1/1000 criteria from Sec. 25.1309(b)(4) and
include it in AC 25.1309-1B as a possible means of compliance. This
change is consistent with the ASAWG recommendations that led to this
rulemaking. Specifically, the ASAWG specific risk tasking report
recommendations that the FAA require applicants to control specific
risks of concern did not include a recommended limit latency
requirement for all SLFs. The report only recommended a limit latency
requirement of 1/1000 for CSL+1 failure combinations (ASAWG report,
section 6.4.1.2).
---------------------------------------------------------------------------
\24\ A cutset is a number of failures or events that when
combined will result in a system failure.
---------------------------------------------------------------------------
ANAC, TCCA, and Bombardier requested the FAA harmonize Sec.
25.1309(b)(4) with CS 25.1309(b)(4) by removing the 1/1000 criterion,
while EASA requested the FAA provide a rationale for not harmonizing.
The FAA agrees to harmonize Sec. 25.1309(b)(4) with CS 25.1309(b)(4).
Both regulations address eliminating SLFs as far as practical and
minimizing the latency of the SLF if such elimination is not practical.
This ensures that the applicant evaluates each SLF, eliminates it when
practical, and minimizes its latency if elimination is not practical.
However, in this final rule, Sec. 25.1309(b)(4) includes a new
exclusion, requested by Garmin, from these proposed requirements for
latent failures. This exclusion is described in the following
paragraph.
Garmin requested that the FAA modify proposed Sec. 25.1309(b)(4)
to exclude the requirements for latent failures where the applicant
meets the requirements of Sec. 25.1309(b)(1) and (b)(2) with the
latent failure assumed, in the applicant's risk assessment, to have
already occurred, or where the applicant took no credit in that risk
assessment for the latency period. The FAA agrees to add this exclusion
to Sec. 25.1309(b)(4)
[[Page 68719]]
because it meets the decision criteria that the specific risk of
concern will be evaluated as per the 2010 ARAC ASAWG specific risk
tasking report.\25\ When a latent failure or the specific risk of
concern is assumed as having occurred, its probability becomes 1 in the
calculation of the failure condition. This probability of 1 is the same
as stating that no credit is taken for a latency period. This is a
difference between Sec. 25.1309(b)(4) and CS 25.1309(b)(4) since
EASA's rule does not contain this exclusion. The FAA does not expect
this difference to be significant because the exclusion in Sec.
25.1309(b)(4) allows applicants to use a conservative assessment of a
failure condition to show compliance.
---------------------------------------------------------------------------
\25\ ASAWG report, revision 5.0, Section 6.1.2, Figure 6-1.
---------------------------------------------------------------------------
GAMA/AIA, Gulfstream, and Boeing requested language for the Sec.
25.1309(b)(4) final rule that was different from what the NPRM proposed
and what EASA published in CS-25. The commenters' proposal provides
criteria for acceptance of SLFs that depend on the probability and
severity of the outcome. The FAA did not update the rule language as
suggested; however, the FAA has incorporated the approach as a means of
compliance for the catastrophic failure conditions in AC 25.1309-1B.
This approach also incentivizes development of practical designs that
meet the safety objectives of Sec. 25.1309(b)(1) and (b)(2). The
approach for hazardous failure conditions was not included in AC
25.1309-1B since it was not considered in the 2010 ARAC ASAWG specific
risk tasking report.
ANAC, Garmin, and Airbus requested changes to proposed Sec.
25.1309(b)(4)(i) and (b)(4)(ii). The suggested changes are no longer
relevant because paragraphs (i) and (ii) are not included in the Sec.
25.1309(b)(4) final rule.
Proposed Sec. 25.1309(b)(5) provided a new standard for limiting
the risk of a catastrophic failure combination that results from two
failures, either of which could be latent for more than one flight.
ANAC stated that the criteria in proposed Sec. 25.1309(b)(5) are
significantly different from the criteria in CS 25.1309(b)(5) and these
differences may burden applicants by requiring them to comply with two
different sets of criteria and may result in different product
configurations. TCCA commented that differences between the proposed
FAA rule and CS-25, both in wording and intent, would result in
significant difficulties and increase the burden on applicants,
particularly given the inherent complexity of safety assessments both
at system and aircraft level. EASA stated that having different
criteria in Sec. 25.1309(b)(5)(iii) and CS 25.1309(b)(5)(iii) would
result in a duplication of effort for applicants. The FAA agrees that
differences between FAA and EASA requirements could result in increased
burden on applicants and civil aviation authorities. The final rule is
therefore revised to improve harmonization, as described below.
Several commenters recommended changes to Sec. 25.1309(b)(5). TCCA
and ANAC recommended that the FAA fully harmonize Sec. 25.1309(b)(5)
and CS 25.1309(b)(5), while EASA encouraged the FAA to implement the
same criteria as CS 25.1309(b)(5)(iii). GAMA/AIA and Garmin suggested
the FAA harmonize Sec. 25.1309(b)(5)(i) with CS 25.1309(b)(5)(i) by
changing ``fault tolerance'' to ``redundancy.'' Boeing suggested the
FAA update Sec. 25.1309(b)(5)(ii) to ``. . . the residual average
probability per flight hour of the catastrophic failure condition
occurring due to all subsequent single failures is remote.'' Airbus and
Gulfstream preferred that the FAA harmonize Sec. 25.1309(b)(5)(iii)
with CS 25.1309(b)(5)(iii), while GAMA/AIA preferred the FAA's proposed
wording for Sec. 25.1309(b)(5)(iii). Boeing suggested the FAA change
Sec. 25.1309(b)(5)(iii) to ``The probability of the latent failure
occurring over its maximum exposure time does not exceed 1/1000.''
The FAA uses the term ``fault tolerance'' in Sec. 25.1309(b)(5)(i)
instead of ``redundancy'' as used in CS 25.1309(b)(5)(i) because the
term ``redundancy'' could be interpreted as a prescriptive design
requirement, and Sec. 25.1309 is intended to be a performance-based
rule. In this final rule, the FAA revised Sec. 25.1309(b)(5)(ii) to
refer to ``the residual average probability'' of the catastrophic
failure condition following a single latent failure. The term
``residual average probability'' is the remaining probability of a
failure condition given the presence of a single latent failure. This
change aligns with the recommendations from the 2010 ARAC ASAWG
specific risk tasking recommendation report, sections 6.3.1.6 and
6.3.1.7. The final rule uses ``all subsequent active failures'' rather
than the proposed Sec. 25.1309(b)(5)'s ``all subsequent single
failures'' to ensure the applicant accounts for the residual average
probability of all active failures in a failure condition. Finally, the
FAA agrees to harmonize Sec. 25.1309(b)(5)(iii) with CS
25.1309(b)(5)(iii) to ensure that combined probability of all the
latent failures is accounted for as recommended by the commenters,
except that the FAA uses ``active failure'' in Sec.
25.1309(b)(5)(iii), instead of ``evident failure'' as used in CS
25.1309(b)(5)(iii). Having harmonized Sec. 25.1309(b)(5)(iii) with CS
25.1309(b)(5)(iii), the FAA does not expect the differences in wording
between Sec. 25.1309(b)(5) and CS 25.1309(b)(5) to be burdensome to
applicants.
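The following Python sketch is an added illustration, not part of the Federal Register text or of AC 25.1309-1B. It works through the latent-failure reasoning discussed above for Sec. 25.1309(b)(4) (a latent failure assumed to have occurred has probability 1, which is the same as taking no credit for its latency period) and Sec. 25.1309(b)(5)(ii) and (iii) (residual probability after a single latent failure, and the 1/1000 limit on the latent failures combined with each active failure). The component names, failure rates, exposure times, the numeric value used for ``remote,'' and the simplified two-failure cutset model are all constructed assumptions.

```python
import math

# Assumed numeric values; "remote" is not given a number in this section.
REMOTE_PER_FH = 1e-5   # assumed ceiling for a "remote" probability per flight hour
LATENT_LIMIT = 1e-3    # the 1/1000 figure discussed in the text

# Constructed sample data. Latent failures: (failure rate per flight hour,
# exposure time in flight hours before a check would reveal the failure).
LATENT = {
    "monitor_A": (1e-6, 500.0),
    "standby_valve": (2e-7, 1000.0),
}
# Constructed active failure rates per flight hour.
ACTIVE = {"primary_channel": 1e-6, "pump": 5e-7}
# Constructed minimal cutsets of one catastrophic failure condition:
# each pairs one latent failure with one active failure.
CUTSETS = [
    ("monitor_A", "primary_channel"),
    ("standby_valve", "primary_channel"),
    ("standby_valve", "pump"),
]


def latent_probability(name, latent=LATENT, assumed_present=()):
    """Probability the latent failure exists at the end of its exposure time.

    A latent failure listed in assumed_present is given probability 1,
    i.e. no credit is taken for its latency period.
    """
    if name in assumed_present:
        return 1.0
    rate, exposure = latent[name]
    return 1.0 - math.exp(-rate * exposure)


def condition_probability(cutsets=CUTSETS, latent=LATENT, active=ACTIVE,
                          assumed_present=()):
    """Probability per flight hour of the failure condition (sum over cutsets).

    Simplification: the end-of-exposure latent probability is used for every
    flight hour, which overstates the average and is therefore conservative.
    """
    return sum(latent_probability(l, latent, assumed_present) * active[a]
               for l, a in cutsets)


def residual_probability(latent_name, cutsets=CUTSETS, active=ACTIVE):
    """Probability per flight hour of the condition given this latent failure
    is present: the sum of the active failures that would then complete it."""
    return sum(active[a] for l, a in cutsets if l == latent_name)


def latent_sum_for_active(active_name, cutsets=CUTSETS, latent=LATENT):
    """Sum of the probabilities of the latent failures paired with one
    active failure."""
    return sum(latent_probability(l, latent)
               for l, a in cutsets if a == active_name)


def assess(cutsets=CUTSETS, latent=LATENT, active=ACTIVE):
    """Evaluate both checks for every latent and active failure in the model."""
    latents = sorted({l for l, _ in cutsets})
    actives = sorted({a for _, a in cutsets})
    return {
        "residual_remote": {
            l: residual_probability(l, cutsets, active) <= REMOTE_PER_FH
            for l in latents
        },
        "latent_sum_within_limit": {
            a: latent_sum_for_active(a, cutsets, latent) <= LATENT_LIMIT
            for a in actives
        },
    }


if __name__ == "__main__":
    print("baseline probability per FH:", condition_probability())
    print("monitor_A assumed failed:   ",
          condition_probability(assumed_present=("monitor_A",)))
    print(assess())
    # Stretching the monitor_A check interval to 2000 FH breaks the 1/1000 sum.
    print(assess(latent=dict(LATENT, monitor_A=(1e-6, 2000.0))))
```

In this constructed model, assuming monitor_A has failed raises the condition probability from roughly 8e-10 to roughly 1e-6 per flight hour, which shows how conservative the probability-of-1 assessment is compared with one that credits the inspection interval.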
4. Paragraph (c)
In the NPRM, proposed Sec. 25.1309(c) would require the applicant
to provide information concerning unsafe system operating conditions to
enable the flightcrew to take corrective action and to show that the
design of systems and controls, including indications and
annunciations, minimizes crew errors that could create additional
hazards. ANAC, TCCA, and Boeing requested the FAA revise proposed Sec.
25.1309(c) to include ``in a timely manner'' as part of the corrective
action to be taken by the flightcrew. The FAA has updated the final
rule accordingly. This change more closely harmonizes Sec. 25.1309(c)
with CS 25.1309(c). In addition, the discussion of this proposal in the
NPRM preamble refers to the importance of providing timely and
effective annunciations to allow appropriate crew action.
TCCA requested that the FAA align the wording of proposed Sec.
25.1309(c) with CS 25.1309(c). TCCA stated that the first sentence of
proposed Sec. 25.1309(c) does not correctly reflect the intent of the
rule, which is for the airplane and systems to provide information to
the flightcrew when necessary for safe operation. TCCA explained that
``the applicant must provide information'' could be interpreted as
requiring the applicant to provide documentation or training instead of
flightcrew alerts as intended. The FAA agrees and revised the first
sentence of Sec. 25.1309(c) to say that the airplane and systems
provide the necessary information. This will harmonize the intent with
the corresponding sentence in CS 25.1309(c).
To further harmonize with EASA's rule, the FAA revised the second
sentence of Sec. 25.1309(c) to require that systems and controls,
including ``information,'' indications, and annunciations, be designed
to minimize crew errors. ``Information'' refers to the same term used
in the first sentence of Sec. 25.1309(c) and has the same intent as
used in Sec. 25.1302.
5. Paragraph (d)
In the NPRM, the FAA proposed to move the requirements of Sec.
25.1309(d) regarding mandatory methods showing compliance with Sec.
25.1309(b) to guidance (AC 25.1309-1B). The NPRM
[[Page 68720]]
proposed that new Sec. 25.1309(d) would require applicants to
establish ``Certification Maintenance Requirements,'' or CMRs, as
limitations in the airplane's Instructions for Continued Airworthiness.
Applicants have long used CMRs, such as mandatory inspections at
scheduled intervals, to show that their proposed design complies with
Sec. 25.1309 and other part 25 regulations that establish reliability
requirements.
In this final rule, however, the FAA is moving the CMR requirement
to Sec. 25.1309(e), as discussed in the following section.
Accordingly, the FAA is revising Sec. 25.1309(d) to ``Reserved'' as
requested by Boeing, TCCA, and Safran. This will be a difference
between Sec. 25.1309(d) and CS 25.1309(d) because the latter states
that applicants must assess Electrical Wiring Interconnection System
(EWIS) per CS 25.1709. The FAA expects this difference to have no
effect in practice because Sec. 25.1309 is a general requirement that
applies to all systems, including EWIS. In addition, Sec. 25.1709
addresses system safety of EWIS, and Sec. 25.1709 is harmonized with
CS 25.1709.
6. Paragraph (e)
In the NPRM, the FAA proposed that Sec. 25.1309(d) would require
an applicant to establish CMRs to prevent development of the failure
conditions described in Sec. 25.1309(b) and to include these CMRs in
the ALS. In the final rule, these requirements are now in Sec.
25.1309(e).
The FAA's proposed CMR requirement referenced Sec. 25.1309(b),
which addresses catastrophic, hazardous, and major failure conditions.
Boeing, GAMA/AIA, Gulfstream, and Garmin suggested that the requirement
to establish CMRs in Sec. 25.1309(d) be limited to CMRs that address
catastrophic and hazardous failure conditions in Sec. 25.1309(b)(1)
and (b)(2). TCCA commented that the NPRM describes CMRs as tasks to
detect safety significant failures that result in hazardous or
catastrophic conditions but recommended that major failure conditions
should also be considered.
The FAA declines to restrict the use of CMRs to catastrophic and
hazardous failure conditions. Although a CMR is primarily used to
establish a required maintenance task that would detect issues such as
the wear out or a hidden failure of an item whose failure is associated
with a hazardous or catastrophic failure condition, a CMR may also be
used to detect a latent failure that would, in combination with one
specific failure or event, result in a major failure condition. The SSA
identifies the need for a scheduled maintenance task. It may be
necessary for applicants to include a CMR in the ALS of the ICA for a
major failure condition if the maintenance task is not provided in
other areas of the ICA. An acceptable process for selecting CMRs is
provided in AC 25-19A, Certification Maintenance Requirements.\26\
---------------------------------------------------------------------------
\26\ Available at drs.faa.gov.
---------------------------------------------------------------------------
ANAC questioned whether the FAA intended proposed Sec. 25.1309(d)
to require CMRs for all failure conditions and requested the FAA
clarify in the final rule language that CMRs be established ``as
necessary.'' The FAA agrees to add the words ``as necessary'' to the
final rule. As explained in AC 25-19A, the process of creating CMRs to
control risk of failures described in Sec. 25.1309(b) begins with
identifying candidate CMRs (CCMRs) until a committee of experts
determines they are CMRs. Thus, the FAA does not require CMRs for all
failure conditions, and not every CCMR will become a CMR. Although
adding ``as necessary'' results in different language between Sec.
25.1309(e) and CS 25.1309(e), this difference does not affect
harmonization between the FAA and EASA because the guidance for
selecting CMRs is aligned.
Garmin requested the FAA reword proposed Sec. 25.1309(d) to
require the safety analysis to identify the CCMRs that must be
dispositioned using a process acceptable to the Administrator to
identify which CCMRs should be airworthiness limitations. Garmin stated
that the proposed wording seems to preclude the use of AC 25-19A to
first identify and classify CCMRs. The FAA does not agree with this
request. The final rule requires CMRs to be established and included in
the ALS of the airplane's ICA. The associated guidance in AC 25-19A
provides a method of compliance, which includes identifying and
dispositioning CCMRs as CMRs. The FAA also did not adopt the
commenter's proposed change because it would result in a difference
compared to corresponding EASA regulations and guidance.
Airbus commented that the word ``detect'' is more appropriate than
the word ``prevent'' used in proposed Sec. 25.1309(d) since failures
will be detected during CMR tasks. The FAA did not replace ``prevent''
with ``detect'' since the intent of this rule is to prevent the
development of the failure condition by detecting the existence of a
latent failure.
I. Section 25.1365, Electrical Appliances, Motors, and Transformers
In the NPRM, the FAA proposed to remove the reference to Sec.
25.1309(d) from Sec. 25.1365(a) because Sec. 25.1309(d) would no
longer contain mandatory methods for demonstrating compliance with
Sec. 25.1309(b). GAMA/AIA and Gulfstream commented that the FAA should
remove Sec. Sec. 25.1431(a), 25.1351(a)(2), and 25.1365(a), as those
regulations are redundant to or simply point to compliance with Sec.
25.1309. The FAA does not agree with this request because removing
Sec. Sec. 25.1431(a), 25.1351(a)(2), and 25.1365(a) may have
unintended consequences. In addition, removal of these regulations was
not proposed in the NPRM. The FAA did not change this final rule as a
result of this comment but has removed the reference to Sec.
25.1309(d) from Sec. 25.1365(a) as proposed in the NPRM.
J. Section H25.4(a) of Appendix H, Airworthiness Limitations Section
The FAA adopts Sec. H25.4(a) of appendix H as proposed in the
NPRM. The FAA received no comments on this section.
K. Miscellaneous Comments
1. Applicability of Sec. 25.1309 to Electromagnetic Conditions
Bombardier commented that the NPRM preamble indicates that the FAA
did not intend proposed Sec. 25.1309(b) and the associated advisory
material to change how type certificate applicants account for systems'
exposure to high-intensity radiated fields (HIRF) and lightning.
Bombardier requested that the FAA clarify whether this same principle
applies to electromagnetic conditions in other regulations (e.g.,
Sec. Sec. 25.1353, 25.1431, 25.899). The FAA does not intend revised
Sec. 25.1309 and the associated advisory material to take precedence
over or supersede how applicants address electromagnetic conditions in
accordance with other regulations.
2. Revise Nonregulatory Definitions
This section addresses commenters' requests to revise definitions
that the FAA provided in the NPRM preamble or in draft AC 25.1309-1B.
The FAA also proposed in the NPRM that some of these definitions would
be included in new Sec. 25.4. The following paragraphs address the
definitions of hazardous failure condition, latent failure, single
failure, event, and failure condition.
The FAA included a table of definitions in the preamble of the
NPRM. The table included some definitions given in proposed Sec. 25.4
and
[[Page 68721]]
provided additional definitions that were not in proposed Sec. 25.4.
That table is not included in this final rule; applicants should
instead refer to this preamble, final Sec. 25.4 and AC 25.1309-1B.
Relevant definitions are provided in Sec. 25.4 Definitions or in the
appropriate AC.
GAMA/AIA, Airbus, Boeing, Bombardier, and Garmin requested that the
FAA remove the following language from the preamble definition of
``hazardous failure condition:'' ``Note: For the purpose of performing
a safety assessment, a `small number' of fatal injuries means one such
injury.'' The commenters stated that considering a ``small number'' of
fatal injuries to be one such injury for the purpose of performing
safety assessments is too restrictive. This note was only in the
preamble and not in the proposed regulatory definition in Sec. 25.4,
as the FAA considered it guidance on the application of the definition.
The FAA agrees to remove this note from AC 25.1309-1B. The note is not
included in AMC Sec. 25.1309, nor was it included in any of the
relevant ARAC recommendations. Given the difficulty and context-
dependent nature of estimating whether a failure condition would result
in one or multiple fatal injuries, the FAA finds that it is not
necessary to define ``small number'' in order to provide the necessary
separation between hazardous and catastrophic failure conditions.
Historically, applicants have assessed this aspect of the definition of
``hazardous failure condition'' differently based on the size of the
airplane, number of occupants, and fleet size. The FAA will continue to
accept this practice.
ANAC commented that the FAA's definition of ``latent failure'' in
the NPRM preamble table (``a failure that is not apparent to the
flightcrew or maintenance personnel'') may be confusing since the
maintenance crew will detect latent failures through periodic
maintenance activities such as CMRs. ANAC recommended the FAA use the
following definition of latent failure: ``A failure which is not
detected and/or annunciated when it occurs.'' The FAA agrees and has
updated the definition of ``latent failure'' in AC 25.1309-1B. Boeing,
GAMA/AIA, TCCA, and Garmin requested that the FAA modify the definition
of ``latent failure'' to include the qualifier ``for more than one
flight'' to ensure consistent understanding and application. The FAA
did not make this change because the definition of ``latent failure''
includes undetectable failures regardless of the latency period. AC
25.1309-1B has been updated to provide additional guidance on the
appropriate duration of a latent failure; that is, an acceptable means
of compliance to SLF minimization is to show that the failure would not
be latent for more than one flight.
TCCA requested that the FAA clarify the intent of the phrase
``common causes'' as used in the NPRM preamble table's definition of
single failure or state that common causes may include external events
that are not considered failures (e.g., bird strike). TCCA stated that
the NPRM preamble and draft AC 25.1309-1B definitions of ``failure''
include a note that errors and events are not considered failures and
that this creates an apparent conflict where the definition of single
failures includes common causes. Airbus also stated that external
events are not system failures and questioned whether external failure
conditions should be explicitly excluded from Sec. 25.1309 because
they are already covered by their own regulations (e.g., bird strike is
specifically addressed under Sec. 25.631). In response, the FAA has
updated the single failure definition in AC 25.1309-1B to be the same
as provided by the ARAC SDAHWG recommendations report that included a
draft AC 25.1309 (see the ``Arsenal'' draft AC 25.1309).\27\
---------------------------------------------------------------------------
\27\ Available in the docket as part of the SDAHWG
recommendation, ``Task 2--System and Analysis Harmonization and
Technology Update,'' pp. 61-99, and at www.faa.gov/regulations_policies/rulemaking/committees/documents/media/TAEsdaT2-5241996.pdf.
---------------------------------------------------------------------------
In addition, the FAA updated the note within the definition of
``failure'' in AC 25.1309-1B to remove the word ``events.'' In general,
an SSA addresses how systems are affected by an external event, such as
a bird strike, using a common cause analysis or a single event cause
where the external event is assumed without a probability.
Bombardier stated that the FAA's definition of ``single failure''
in the preamble table was ambiguous and implied that a single failure
would affect multiple ``components, parts or elements'' when most
single failures will affect single components or parts. Bombardier
requested the FAA revise the definition to ``a single occurrence that
affects the operation of a component, part, or element such that it no
longer functions as intended'' or not adopt the definition. The FAA
updated the definition of ``single failure'' to ``any failure or set of
failures that cannot be shown to be independent from each other'' in AC
25.1309-1B. The FAA did not make the requested change because the FAA
intends that applicants treat a common mode failure of multiple
components, parts, or elements as a ``single failure,'' and this
connection would be lost if the FAA were to revise the definition as
Boeing proposed.
TCCA recommended that the FAA consider changing the term ``event''
in the preamble table to ``external event'' to align with EASA CS-25,
ARP4754B ``Guidelines for Development of Civil Aircraft and Systems,''
and ARP4761A. The FAA agrees and has updated ``event'' to ``external
event'' in AC 25.1309-1B.
Boeing requested that the FAA address ``collisions (intentional or
not)'' in the definition of ``event.'' Boeing stated that this change
would provide clarity that collisions are not events to be considered
as part of required safety assessments. Although the FAA updated the
term ``event'' to ``external event'' in AC 25.1309-1B, the FAA did not
change its definition in response to this comment. The definition of
``external events'' states that it does not cover sabotage or other
similar intentional acts. Intentional collisions are intentional acts
and, therefore, not an ``external event.'' Unintentional collision may
be due to failure of onboard system equipment, which is excluded from
this definition since its origin is not distinct from that of the
airplane. Unintentional collision may be due to flightcrew error, which
is already excluded.
The preamble table's definition of ``failure condition'' referenced
a condition that affected ``the airplane, its occupants, or other
persons.'' Bombardier requested that the FAA remove ``or other
persons'' from this definition or provide guidance as to how applicants
can assess potential effects on other persons and how these effects
would relate to severity classification. The FAA declines to change the
definition of ``failure condition'' in AC 25.1309-1B. The FAA included
the words ``or other persons'' to account for the effects on persons
other than the airplane occupants that applicants should take into
consideration when assessing failure conditions for compliance with
Sec. 25.1309. AC 25.1309-1B provides guidance on the type of persons,
the risks to be considered, and how applicants can classify the failure
conditions given the effects on other persons that do not include
airplane occupants. For example, ground maintenance crew involved in
servicing the airplane while `in-service' could have a risk of an
inadvertent door coming open or thrust reverser movement.
[[Page 68722]]
3. Revise Other Regulations
In the NPRM, the FAA proposed that the revised Sec. 25.1309(b)
would not apply to single failures in the brake system because those
failures are adequately addressed by Sec. 25.735(b)(1). An individual
commenter recommended changes to current Sec. 25.735, ``Brakes and
braking systems,'' stating that parts of Sec. 25.735 are no longer
relevant or need to be updated to reflect modern braking systems. The
commenter requested changes to Sec. 25.735 and corresponding changes
to AC 25.1309-1B. Gulfstream also requested that the FAA add a
paragraph to Sec. 25.735 to address braking capability with all
engines inoperative. The FAA does not agree with these requests. The
FAA did not propose changes to Sec. 25.735 in the NPRM, and such
changes are outside the scope of this rulemaking.
GAMA/AIA and Bombardier requested that the FAA revise Sec. 25.672,
``Stability augmentation and automatic and power-operated systems,'' in
this rulemaking package. GAMA/AIA stated that proposed Sec. 25.671(c)
removed the failures that Sec. 25.672 is referencing. Bombardier
suggested that the FAA remove Sec. 25.672(c) because the failures
addressed under Sec. 25.672(c) could be addressed entirely under Sec.
25.1309(b) or clarify that the intent of Sec. 25.672(c) does not apply
to modern fly-by-wire aircraft. In addition, GAMA/AIA requested that
the FAA add guidance for Sec. 25.672 that reflects the recommendations
made by the FTHWG. The FAA did not change this final rule or associated
guidance material as a result of these comments. Revising Sec. 25.672
is unnecessary because Sec. 25.672(b) refers to failures specified in
Sec. 25.671(c), and the final rule for Sec. 25.671(c) includes these
failures. Section 25.672(c) contains requirements that are in addition
to the requirements of Sec. 25.1309(b). The FAA declines to add
guidance at this time for Sec. 25.672 based on recommendations made by
the FTHWG because further discussion is needed to harmonize the
guidance for Sec. 25.672 with other regulatory authorities; the FAA
notes these discussions are ongoing in a Certification Authorities for
Transport Airplanes (CATA) harmonization activity.\28\ The FAA does not
agree to clarify that the intent of Sec. 25.672(c) does not apply to
modern fly-by-wire aircraft because the FAA has not made this
determination.
---------------------------------------------------------------------------
\28\ www.faa.gov/aircraft/air_cert/design_approvals/transport/transport_intl/cata.
---------------------------------------------------------------------------
4. Revise Cost-Benefit Analysis
Garmin commented on the NPRM that the cost-benefit analysis does
not consider the impact on amended type certificate (ATC) or
supplemental type certificate (STC) projects that would be considered
significant under Sec. 21.101, known as the Changed Product Rule. In
addition, MARPA requested the FAA clarify the applicability of the SSA
rule to parts manufacturer approval (PMA) applicants and STC
applicants. If the SSA rule is applicable to PMA and STC applicants,
MARPA requested that the FAA adjust the cost-benefit analysis
accordingly, complete a Regulatory Flexibility Act analysis, and make
the revised cost-benefit analysis and Regulatory Flexibility Act
analysis available for comment in a supplemental NPRM.
This final rule updates the cost-benefit analysis to take account
of the fact that the final rule closely harmonizes with the
corresponding EASA rule. Since U.S. manufacturers already are required
to meet the EASA requirements, the closely harmonized provisions of the
final rule impose no or minimal costs. In future STC or ATC projects
where the design change is determined under the Changed Product Rule to
be a significant product level change, the Changed Product Rule will
then require that the certification basis of those projects be updated.
The cost-benefit analysis for the Changed Product Rule, however, has
determined that the required updated certification basis for such
projects is cost-beneficial.\29\ PMAs (replacement articles) are
managed in accordance with Subpart K to part 21. The final rule will
apply only at that time in the future when a PMA (or non-significant
STC) applicant seeks to modify a product that already has the final
rule in its certification basis. Accordingly, the FAA finds that
neither a Regulatory Flexibility Act analysis nor a supplemental NPRM
is required.
---------------------------------------------------------------------------
\29\ 65 FR 36266, June 7, 2000.
---------------------------------------------------------------------------
Garmin commented that the cost discussion misses the fact that
Sec. 25.1309(b)(4), without a cutset limit, could result in additional
costs to redesign the systems from what has historically been
acceptable and conventional. Garmin also stated that the 1/1000
requirement could be applied to any level of cutset, which could drive
design changes, and that there are additional costs to negotiate with
the FAA to produce the analysis that proves 1/1000 is met or that
latency is minimized; thus, the FAA should revise the cost-benefit
analysis to include those costs.
In this final rule, the FAA is not adopting the 1/1000 requirement
that it had proposed for Sec. 25.1309(b)(4); that section will not
apply if the associated system meets the average risk requirements of
Sec. 25.1309(b)(1) and (b)(2), assuming the SLF has occurred.
Moreover, the FAA has moved the 1/1000 criterion to AC 25.1309-1B as
guidance. These changes address the commenter's concern that proposed
Sec. 25.1309(b)(4) needed a minimal cutset limit. There may be
demonstration or negotiation costs to show impracticality or
minimization of the SLF latency, but these costs are already accounted
for in the cost-benefit analysis of the Changed Product Rule, Sec.
21.101.
Garmin questioned whether the FAA has adequately justified the cost
of applying the specific risk criteria of proposed Sec. 25.1309(b)(4)
and (b)(5) to systems that have not historically had such a
requirement. Garmin also requested that the FAA update the cost
discussion for specific risk to acknowledge that for most of the
aircraft systems the existing Sec. 25.1309(b) is the right baseline.
Given that in the final rule, the Sec. 25.1309(b)(4) and (b)(5)
requirements are closely aligned with the corresponding EASA
requirements, the FAA responds that the correct baseline is the EASA
rule since it is already in place. Using that baseline, the additional
cost to manufacturers is, at most, minimal since manufacturers already
have to meet the corresponding EASA requirements.
Garmin stated that if the FAA regulations remain different from
EASA's, then the cost of an applicant's validation to differing
expectations should be considered. Also, TCCA commented that the cost-
benefit assessment could improve by increasing harmonization. As
already noted, the FAA has increased the level of harmonization between
the final rule and EASA CS-25, as compared to the NPRM, to such an
extent that the remaining costs associated with this rulemaking are
minimal.
5. Aircraft Certification, Safety, and Accountability Act
The preamble of the NPRM included a summary of the FAA's ongoing
implementation of Section 115 of the Aircraft Certification, Safety,
and Accountability Act (ACSAA). The FAA received one comment on these
implementation activities, a supportive comment from ALPA. The FAA
continues to take action to implement Section 115, including the
revision of relevant guidance documents such as AC 25.1309-1B, which
the FAA issued as part of this rulemaking.
6. Other
The FAA received a request from GAMA/AIA to include a file within
the
[[Page 68723]]
docket that contained the FAA's responses to all NPRM comments that the
FAA received. The FAA does not agree with this request. This final rule
discusses the comments in detail. Additionally, many comments on the
NPRM are no longer relevant because the FAA has revised the final rule
to increase harmonization with EASA CS-25.
The FAA also received comments from Airbus, Boeing, Bombardier,
EASA, GAMA/AIA, and TCCA to revise specific preamble text of the NPRM.
This final rule does not restate the entirety of the NPRM preamble, so
specific editorial suggestions are not applicable, except as noted in
the preceding discussion of definitions. No changes were made to this
final rule in this regard.
K. Advisory Material
The FAA has issued three new ACs and revisions to two existing ACs
to provide guidance material for acceptable means, but not the only
means, of showing compliance with the regulations in this final rule.
These ACs are available in the public docket for this rulemaking:
 * AC 25.671-1, Control Systems--General.
 * AC 25.901-1, Safety Assessment of Powerplant Installations.
 * AC 25.933-1, Unwanted In-Flight Thrust Reversal of Turbojet
   Thrust Reversers.
 * AC 25.629-1C, Aeroelastic Stability Substantiation of Transport
   Category Airplanes.
 * AC 25.1309-1B, System Design and Analysis.
VI. Regulatory Notices and Analyses
Federal agencies consider impacts of regulatory actions under a
variety of executive orders and other requirements. First, Executive
Order 12866 and Executive Order 13563, as amended by Executive Order
14094 (``Modernizing Regulatory Review''), direct that each Federal
agency shall propose or adopt a regulation only upon a reasoned
determination that the benefits of the intended regulation justify the
costs. Second, the Regulatory Flexibility Act of 1980 (Pub. L. 96-354)
requires agencies to analyze the economic impact of regulatory changes
on small entities. Third, the Trade Agreements Act (Pub. L. 96-39)
prohibits agencies from setting standards that create unnecessary
obstacles to the foreign commerce of the United States. Fourth, the
Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) requires agencies
to prepare a written assessment of the costs, benefits, and other
effects of proposed or final rules that include a Federal mandate that
may result in the expenditure by State, local, or tribal governments,
in the aggregate, or by the private sector, of $100,000,000 or more
annually (adjusted annually for inflation) in any one year. The current
threshold after adjustment for inflation is $183,000,000, using the
most current (2023) Implicit Price Deflator for the Gross Domestic
Product. The FAA has provided a detailed Regulatory Impact Analysis
(RIA) in the docket for this rulemaking. This portion of the preamble
summarizes the FAA's analysis of the economic impacts of this final
rule.
In conducting these analyses, the FAA determined that this final
rule (1) has benefits that justify its costs; (2) is not significant
under section 3(f)(1) of Executive Order 12866 as amended; (3) will not
have a significant economic impact on a substantial number of small
entities; (4) will not create unnecessary obstacles to the foreign
commerce of the United States; and (5) will not impose an unfunded
mandate on State, local, or tribal governments, or on the private
sector. These analyses are summarized below.
A. Regulatory Evaluation
1. Summary of Rule Provisions
In the NPRM, the FAA proposed to amend certain airworthiness
regulations to standardize the criteria for conducting safety
assessments for systems, including flight controls and powerplants,
installed on transport category airplanes. This final rule generally is
adopted as proposed. In some provisions, the FAA has increased the
level of harmonization between the final rule and EASA CS-25, as
compared to the NPRM, to such an extent that the remaining costs
associated with this rulemaking are minimal.
The predominant action of the final rule will:
 * Require applicants to minimize, to the extent possible,
   the problem of significant latent failures (SLFs), a problem that is
   highlighted in the case of catastrophic dual failures, where a latent
   failure can leave the airplane one active failure away from a
   catastrophic accident.
The rule also:
 * Institutes an ``airplane-level'' SSA that will integrate
   and, to the extent possible, standardize safety assessment criteria
   across critical airplane systems:
    - Reflecting the much greater integration of modern aircraft
      systems (e.g., avionics and fly-by-wire systems) as compared to what
      they were when the current safety criteria in Sec. 25.1309 and other
      system safety assessment rules were established in 1970.\30\
---------------------------------------------------------------------------
\30\ 35 FR 5665 (Apr. 8, 1970).
---------------------------------------------------------------------------
    - Including removal of general systems safety criteria from
      Sec. 25.901(c) [Powerplant Installation] and pointing to Sec. 25.1309
      (General System Safety Criteria) for these criteria, and allowing a
      ``reliability'' (Sec. 25.1309) option in addition to the current
      ``controllability'' requirement for developing designs for turbojet
      thrust reversing systems (Sec. 25.933).
 * Requires CMRs to identify and restrict exposure to the SLF
   conditions addressed in Sec. 25.1309 and requires CMRs to be contained
   in the ALS of the ICA.
 * Updates SSA requirements in order to address new
   technology in flight control systems and the effects these systems can
   have on airplane controllability.
    - For airplanes equipped with fly-by-wire control systems,
      compensates for a lack of direct tactile link between flightdeck
      control and control surface by providing natural or artificial control
      feel forces or flightcrew alerting.
 * Requires assessment of the effect of system failures on
   airplane structural loads.
 * Revises applicability of the requirement that equipment
   and systems perform their intended functions:
    - Broadens the applicability of Sec. 25.1309 to include any
      equipment or system installed in the airplane regardless of whether it
      is required for type certification, operating approval, or is optional
      equipment.
    - Allows equipment associated with passenger amenities (e.g.,
      entertainment displays and audio systems) not to work as intended as
      long as the failure of such systems would not affect airplane safety.
2. Cost and Benefits of the Final Rule
As discussed below, the FAA finds that all provisions of this final
rule are closely harmonized with corresponding EASA provisions already
in effect. This means that manufacturers face no additional cost
because they already have to meet the EASA requirements, and in most
cases, the provisions of this final rule are cost-beneficial owing to
reduced costs from joint harmonization. Some provisions of the final
rule are cost-relieving. Moreover, most, if not all, of the rule
provisions are already in effect owing to industry practice, ELOS
findings, or special conditions.\31\ There
[[Page 68724]]
is no additional cost for provisions that are already voluntary
industry practice or voluntary ELOS findings. Special conditions have
been required, but owing to the long duration of these special
conditions (20-40 years), the FAA finds that they are now accepted by
industry as the low-cost actions for the issues addressed, so there is
no change with codification and, therefore, no additional cost. The FAA
asked for comments on this last finding in the NPRM and received none.
---------------------------------------------------------------------------
\31\ The FAA issues special conditions when we find that the
airworthiness regulations for an aircraft, aircraft engine, or
propeller design do not contain adequate safety standards, because
of a novel or unusual design feature. These special conditions stay
in place until they are replaced by adequate regulations, as is done
in this rulemaking.
---------------------------------------------------------------------------
a. Section 25.1309 Equipment, Systems, and Installations
There was no change to Sec. 25.1301 in the final rule compared to
the NPRM, and there were no changes to Sec. 25.1309(a) in the final
rule except for a small change in Sec. 25.1309(a)(2) to match the ARAC
language and to harmonize with EASA.
The rule revises current Sec. 25.1309(a) into two paragraphs.
Section 25.1309(a)(1) revises the applicability of the Sec. 25.1309(a)
requirement that equipment and systems perform their intended function.
Section 25.1309(a)(1) clarifies that the rule applies to any equipment
or system installed in the airplane regardless of whether it is
required for type certification, operating approval, or is optional
equipment. As this requirement harmonizes closely with EASA's
corresponding requirement, with which part 25 manufacturers are already
required to comply, there is no additional cost. However, the
requirement has reduced costs from joint harmonization and, therefore,
will be cost-beneficial.
Along with an associated change to Sec. 25.1301, ``Function and
Installation,'' Sec. 25.1309(a)(2) will allow equipment associated
with passenger amenities (e.g., entertainment displays and audio
systems) not to function as intended as long as the failure of such
systems does not affect airplane safety. No safety benefit is derived
from demonstrating that such equipment performs as intended if failing
to perform as intended will not affect safety. Accordingly, this change
will reduce the certification cost of passenger amenities for airplane
manufacturers without affecting safety; therefore, this change is cost-
beneficial.
i. Sections 25.1309(b)(1), (b)(2), and (b)(3) (Average Risk and Fail-
Safe Criteria)
The current rule requires that airplane systems and associated
components be designed so that any failure condition that ``would
prevent the continued safe flight and landing of the airplane''
(catastrophic failure condition) is ``extremely improbable,'' a
condition specified in AC 25.1309-1A (6-21-1988) as ``on the order of
<=10^-9 per flight hour.'' This is the traditional ``average
risk'' requirement and is retained in the final rule at Sec.
25.1309(b)(1)(i).
The current rule requires any failure condition that ``would reduce
the capability of the airplane or the ability of the crew to cope with
adverse operating conditions'' to be ``improbable'' (on the order of
10^-9 < p <=10^-5), a failure condition specified
in current AC 25.1309-1A as ``major.'' Current practice, however, has
been to use the SDAHWG recommended ``Arsenal'' draft AC 25.1309 (6-10-
2002) under which the previous ``major'' failure condition has been
divided into two categories: ``hazardous'' (on the order of
10^-9 < p <=10^-7) and ``major'' (on the order of
10^-7 < p <=10^-5), categories that have been
incorporated into this final rule in Sec. 25.1309(b)(2) and (b)(3).
These changes can be thought of as the average risk criteria for
hazardous and major failure conditions.
As it harmonizes with corresponding EASA major and hazardous
categories and is current industry practice, this rule change entails
no additional costs and is cost-beneficial
from reduced costs of joint harmonization. The FAA asked for comments
on this finding but received none. Moreover, the rule structure and
intent are in perfect harmony with EASA's corresponding requirements
and, therefore, will entail no additional cost to manufacturers.
As recommended by the SDAHWG, Sec. 25.1309(b)(1)(ii) will
explicitly require that single failures must not result in catastrophic
failures--the ``no single failure'' fail-safe requirement. As it
harmonizes with the equivalent EASA requirement and is already current
industry practice, this requirement is cost-beneficial as it entails no
additional costs but has reduced costs from joint harmonization.\32\
---------------------------------------------------------------------------
\32\ The no single failure requirement was inadvertently removed
in 1970 but remained industry practice. At the same time, the no
single failure requirement was made explicit for flight controls,
and in 1977 was made explicit for powerplants.
---------------------------------------------------------------------------
ii. Sections 25.1309(b)(4) and (b)(5) (Specific Risk Criteria)
Sections 25.1309(b)(4) and (b)(5) represent the predominant change
to existing SSA requirements in that they are adding specific risk
approaches to SSA to supplement the traditional average risk approach
in order to address the problem of latent failures.
Section 25.1309(b)(4) requires the elimination of SLFs to the
extent practical, or, if not practical, to minimize them so as to limit
situations where the airplane is one failure away from a catastrophic
accident. (This is particularly important in the case of catastrophic
CSL+1 dual failures specifically addressed in the section on Sec.
25.1309(b)(5) immediately following.) The NPRM also required that the
product of the maximum time the latent failure is expected to be
present and its average failure rate not exceed 1/1000. Based on
comments on the NPRM that this requirement was onerous and not in
harmony with EASA, this provision was moved to AC 25.1309-1B, System
Design and Analysis, as a possible means of compliance.
Several commenters on the NPRM also pointed out that, in many
cases, it would be wasteful to require analysis of an SLF with
sufficient redundancy that the average risk criteria continued to hold
even when setting the SLF probability to unity.\33\ Consequently, Sec.
25.1309(b)(4) does not apply in those cases. This exception is not in
the corresponding CS 25.1309(b)(4), but even with this difference,
compared to the NPRM, this provision is more closely harmonized with
the EASA provision as the FAA has removed an intermediate step--the
less than 1/1000 criterion--that is not in the EASA rule and moved it
to AC 25.1309-1B.
---------------------------------------------------------------------------
\33\ SLFs are identified at the beginning of an SSA, or during a
Preliminary SSA, in which the manufacturer undertakes a functional
hazard assessment on the basis of which a hazard's ``hazard
classification'' is validated as catastrophic, hazardous, etc. These
evaluations are qualitative and are independent of ``average'' risk
criteria that a catastrophic failure condition should be ``extremely
improbable'' or <=10^-9, or that a hazardous failure
condition should be ``extremely remote'', or <=10^-7.
---------------------------------------------------------------------------
Accordingly, the FAA finds no costs to this provision as
manufacturers already have to comply with a corresponding EASA
provision. Moreover, elimination of SLFs when practical is already
industry practice. Since the provision entails no costs, the FAA finds
the rule to be cost-beneficial because of reduced costs from joint
harmonization.
[[Page 68725]]
iii. Section 25.1309(b)(5) (CSL+1 Dual Failures)
A ``CSL+1 (Catastrophic Single Latent Plus One)'' refers to a
catastrophic failure condition caused by a single latent failure and an
active (evident) failure. Section 25.1309(b)(5)(i), adopted as
proposed, is similar to Sec. 25.1309(b)(4) in that it also requires
the dual failure to be eliminated if practical. An example is an AD
action that eliminated the CSL+1 dual failure that caused the
catastrophic Lauda Air Flight 004 (1994); the AD required that a third
lock be added to the thrust reverser system. This change converted the
dual failure condition to a triple failure condition and removed the
airplane from a situation where it was one failure away from a
catastrophic accident.
If the dual failure condition cannot be eliminated, additional
control is appropriate beyond the traditional ``extremely improbable''
(average risk) requirement applied to a combination of failures. The
additional control takes the form of two specific risk criteria: (1) a
requirement to ``limit residual probability'' (Sec. 25.1309(b)(5)(ii))
and (2) a ``limit latency'' requirement (Sec. 25.1309(b)(5)(iii)).
The requirement to limit the residual probability limits the
probability of a catastrophic failure in the presence of a latent
failure to be ``remote'' (on the order of <=10^-5). So, this
requirement limits the risk of a catastrophic accident in the situation
where a latent failure has occurred, and the airplane is a single
failure away from a catastrophic accident.\34\ The limit latency
requirement limits the probability of the latent failure itself to be
<=1/1000 so as to limit the time, between maintenance inspections, that
the airplane is operating one failure away from a catastrophic
accident.\35\ \36\ There are no substantial changes to Sec.
25.1309(b)(5) in the final rule compared to the NPRM.
---------------------------------------------------------------------------
\34\ More generally, if multiple active failures could cause a
catastrophic accident in the presence of the latent failure, the
average probability (per flight hour) of these active failures must
be remote.
\35\ More generally, the sum of the probabilities of the latent
failures combined with an active failure must be <= 1/1000.
\36\ Since the 10^-9 average risk criterion must also
be met, if residual risk is on the order of 10^-5, the
latent failure rate must be 10^-4 or less. Conversely, if
the latent failure rate is at 10^-3, residual risk must be
on the order of 10^-6 or less.
---------------------------------------------------------------------------
The FAA finds that Sec. 25.1309(b)(5) is in perfect harmony with
CS 25.1309(b)(5) in structure and intent and closely harmonizes in rule
language. Accordingly, there is no cost to this provision because
manufacturers already have to comply with an equivalent EASA
requirement. Therefore, this rule is cost-beneficial because of reduced
costs from joint harmonization.
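The three numerical checks described above for a CSL+1 condition, and the trade-off stated in footnote 36, as an added Python example that is not part of the rule or of any FAA guidance. It assumes a simplified model: the probability that the latent failure is present is its failure rate times the inspection interval, and the average risk per flight hour is that probability times the summed active failure rates. The class name, function names and sample numbers are hypothetical.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Orders of magnitude quoted in the preamble for Sec. 25.1309(b)(1) and (b)(5).
EXTREMELY_IMPROBABLE = 1e-9  # average risk of the catastrophic condition, per flight hour
REMOTE = 1e-5                # residual probability with the latent failure present, per flight hour
LATENCY_LIMIT = 1e-3         # probability that the latent failure is present (1/1000)


@dataclass
class CslPlusOne:
    """One latent failure plus the active failures that are catastrophic with it.

    Hypothetical container for this example; sample values are constructed.
    """
    latent_rate: float          # latent failure rate, per flight hour
    active_rates: List[float]   # rates of the active failures, per flight hour
    inspection_interval: float  # flight hours between checks that would find the latent failure


def evaluate(c: CslPlusOne) -> dict:
    """Evaluate the three criteria under the simplified model (an assumption)."""
    residual = sum(c.active_rates)                      # footnote 34: all active failures count
    latent_p = c.latent_rate * c.inspection_interval    # rate x maximum exposure time
    average = latent_p * residual                       # combined probability per flight hour
    return {
        "residual_probability": residual,
        "latent_probability": latent_p,
        "average_risk": average,
        "meets_residual": residual <= REMOTE,
        "meets_latency": latent_p <= LATENCY_LIMIT,
        "meets_average": average <= EXTREMELY_IMPROBABLE,
    }


def max_inspection_interval(latent_rate: float,
                            active_rates: List[float]) -> Tuple[Optional[float], str]:
    """Longest inspection interval meeting all criteria, and which criterion binds.

    Returns (None, "residual probability") when the active failures alone exceed
    the "remote" limit, because no inspection interval can repair that.
    """
    if latent_rate <= 0:
        raise ValueError("latent_rate must be positive")
    residual = sum(active_rates)
    if residual > REMOTE:
        return None, "residual probability"
    by_latency = LATENCY_LIMIT / latent_rate
    if residual == 0:
        by_average = math.inf
    else:
        by_average = EXTREMELY_IMPROBABLE / (latent_rate * residual)
    if by_average < by_latency:
        return by_average, "average risk"
    return by_latency, "latency"


if __name__ == "__main__":
    # Constructed sample: a latent lock failure and two active failures.
    sample = CslPlusOne(latent_rate=1e-6, active_rates=[3e-6, 2e-6],
                        inspection_interval=500.0)
    for name, value in evaluate(sample).items():
        print(f"{name}: {value}")
    hours, binding = max_inspection_interval(sample.latent_rate, sample.active_rates)
    print(f"maximum interval: {hours:.0f} flight hours (binding: {binding})")
```

In the constructed sample the 500-hour interval meets the 1/1000 latency limit and the residual probability limit but not the average risk criterion, which is the interaction footnote 36 describes.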
iv. Section 25.1309(c) (Flightcrew Alerting)
Section 25.1309(c) currently requires that warning information be
provided to the flightcrew to alert them to unsafe system operating
conditions and to enable them to take appropriate corrective action.
Revised Sec. 25.1309(c) requires that information be provided to the
flightcrew concerning unsafe system operating conditions, rather than
requiring only warnings and, in a change to the NPRM that more closely
harmonizes with the corresponding EASA provision, that it be provided
in a timely manner. The revision will remove an incompatibility with
Sec. 25.1322, which allows other sensory and tactile feedback from the
airplane caused by inherent airplane characteristics to be used in lieu
of dedicated indications and annunciations if the applicant can show
such feedback is sufficiently timely and effective to allow the crew to
take corrective action.
These changes closely harmonize Sec. 25.1309(c) with CS
25.1309(c). Owing to close harmonization with EASA's rule already in
place, there is no cost entailed by these rule changes.
v. Section 25.1309(d) (Reserved)
Current Sec. 25.1309(d) specifies that compliance to Sec.
25.1309(b) must be shown by analysis and appropriate testing, and must
consider possible modes of failure, including malfunctions and damage,
and also that the assessment considers crew warning cues, corrective
action required, and the capability of detecting faults. With this
rulemaking, for two reasons, the FAA moves that content to AC 25.1309-
1B, along with expanded guidance on the safety assessment process: (1)
Section 25.1309 is a performance-based regulation for which methods of
compliance are more appropriately provided in guidance, and (2) the
items for consideration listed in Sec. 25.1309(d) constitute an
incomplete method of compliance to Sec. 25.1309(b). This change is
cost-beneficial because requirements have been relegated to guidance
material, giving manufacturers greater flexibility.
CS 25.1309(d) simply states that EWIS must be assessed per CS
25.1709. The current FAA rule has the same requirement in Sec.
25.1309(f), but it was removed in the NPRM on the basis of redundancy,
and proposed Sec. 25.1309(d) was used for the CMR requirement. In the
final rule, the CMR requirement has been moved to Sec. 25.1309(e) (see
next section) and Sec. 25.1309(d) is now reserved.
vi. Section 25.1309(e) and H25.4 (Certification Maintenance
Requirements)
CMRs are inspection and maintenance tasks and associated inspection
intervals that are used to identify and restrict exposure of critical
airplane safety systems to catastrophic and hazardous failure
conditions, including wear-related failures. An example highlighting
the importance of CMRs is the catastrophic crash of Alaska Airlines
Flight 261, in the Pacific Ocean off the California coast on January
31, 2000, killing all 88 passengers and crew.\37\ The NTSB determined
that the probable cause of this accident was a catastrophic loss of
airplane pitch control resulting from in-flight failure of the
jackscrew assembly of the horizontal stabilizer trim system. That
failure was related to maintenance of this system, specifically the
accelerated excessive wear of a critical part as a result of
insufficient lubrication.
---------------------------------------------------------------------------
\37\ NTSB Safety Recommendation A-02-51 is available in the
docket and at www.ntsb.gov/safety/safety-recs/recletters/A02_36_51.pdf.
---------------------------------------------------------------------------
Section 25.1309(e) is a new provision \38\ requiring that CMRs be
established, as necessary, to prevent catastrophic and hazardous
failure conditions, and occasionally, major failure conditions,
described in Sec. 25.1309(b). The CMR requirement was proposed in
Sec. 25.1309(d) in the NPRM. The ``as necessary'' qualifier was added
in the final rule to clarify that the FAA does not require CMRs for all
failure conditions. Section 25.1309(e) also will require these CMRs to
be contained in the ALS of the ICA required by Sec. 25.1529. This
latter requirement is an industry recommendation via the SE-172
Taskforce to the Commercial Aviation Safety Team (CAST) \39\ and
responds to the Taskforce's recognition that CMRs are critical to
safety and should have treatment similar to other Airworthiness
Limitations.
---------------------------------------------------------------------------
\38\ The NPRM Sec. 25.1309(e) specified that the flight control
jam conditions addressed by Sec. 25.671(c) do not apply to Sec.
25.1309(b)(1)(ii). This exclusion is now in the introductory
paragraph of Sec. 25.1309.
\39\ skybrary.aero/sites/default/files/bookshelf/2553.pdf.
---------------------------------------------------------------------------
Both of these requirements will codify industry practice and will
harmonize with CS 25.1309 and H25.4, so industry will incur no
additional costs. The rule is cost-beneficial from reduced costs of
joint harmonization.\40\
---------------------------------------------------------------------------
\40\ EASA. Certification Specifications and Acceptable Means of
Compliance for Large Aeroplanes (CS-25), Amendment 20, 25 August
2017.
---------------------------------------------------------------------------
[[Page 68726]]
vii. Section 25.1309(f) (Removed)
The FAA has removed paragraph (f) from Sec. 25.1309 and paragraph
(b) from Sec. 25.1301. Section 25.1301(b) requires that the airplane's
EWIS meet the requirements of subpart H of 14 CFR part 25. Subpart H
was created (at amendment 25-123, in 2007) as the single place for the
majority of wiring certification requirements. The references in
Sec. Sec. 25.1301(b) and 25.1309(f) are redundant and unnecessary
because subpart H specifies their applicability. The NPRM Sec.
25.1301(f) was used to specify exceptions to Sec. 25.1309(b), which
are now provided in the introduction of Sec. 25.1309.
b. Section 25.629 Aeroelasticity Stability Requirements
The FAA is revising Sec. 25.629(a) to add wording to clarify that
the aeroelastic evaluation must include any condition of operation
within the maneuvering envelope. This is current industry practice
because such conditions are allowed operational conditions and,
therefore, need to be free from aeroelastic instabilities. Also, this
requirement is stated explicitly for part 23 airplanes in 14 CFR part
23 and CS-23. The FAA is also revising Sec. 25.629(a) to consistently
use the singular term ``evaluation'' where it appears in order to
prevent confusion.
Section 25.671(c)(2) currently specifies examples of failure
combinations that require evaluation, including dual electrical and
dual hydraulic system failures and any single failure combined with any
probable hydraulic or electrical failure. Section 25.629(d)(9)
currently requires that the airplane be shown to be free from flutter
considering various failure conditions considered under Sec. 25.671,
which include the example failure conditions specified in Sec.
25.671(c)(2). These examples are being removed from current Sec.
25.671(c)(2). These failure conditions, however, have provided an
important design standard for dual actuators on flight control surfaces
that rely on retention of restraint stiffness or damping for flutter
prevention. Therefore, the FAA relocates these examples to the
aeroelastic stability requirements of Sec. 25.629(d) and makes changes
to the paragraph numbers to correspond with EASA's rule, as requested
by commenters. These changes are cost-beneficial owing to complete
harmonization with the corresponding CS 25.629 provision.
The NPRM also proposed a change to Sec. 25.629(b) that would
require that design conditions include the range of load factors
specified in Sec. 25.333. Commenters objected that the proposed change
was an expansion of the traditional scope of Sec. 25.629, and it
disharmonized with EASA requirements. The FAA agreed to remove the
proposed change to Sec. 25.629(b), substituting an alternative change
in Sec. 25.629(a), clarifying that aeroelastic evaluation must include
any condition of operation within the maneuvering envelope. This
revision has no cost as it is clarifying and is current industry
practice.
c. Section 25.671 General (Control Systems)
i. Section 25.671(a), (d), (e), and (f) (Control Systems)
The substantive revisions to these requirements are the new
criteria in the second sentence of Sec. 25.671(a); the addition of the
phrase, ``and an approach and flare to a landing and controlled stop,
and flare to a ditching, is possible'' in Sec. 25.671(d); and the new
requirements in Sec. 25.671(e) and (f). The modification to Sec.
25.671(d) clarifies that controllability when all engines fail includes
the capability to approach and flare to a landing and controlled stop,
and flare to a ditching, and harmonizes with CS 25.671(d). In the NPRM,
Sec. 25.671(d) includes the sentence: ``The applicant may show
compliance with this requirement by analysis where the applicant has
shown that analysis to be reliable.'' This sentence is not included in
the final rule as it describes an acceptable means of compliance, which
is adequately covered in the corresponding guidance.
The new paragraph (e) of Sec. 25.671 requires that the airplane be
designed to indicate to the flightcrew whenever the primary control
means are near the limit of control authority. On airplanes equipped
with fly-by-wire control systems, there is no direct tactile link
between the flightdeck control and the control surface, and the
flightcrew may not be aware of the actual control surface position. If
the control surface is near the limit of control authority, and the
flightcrew is unaware of that position, it could negatively affect the
flightcrew's ability to control the airplane in the event of an
emergency. The airplane could meet this requirement through natural or
artificial control feel forces, by cockpit control movement if shown to
be effective, or by flightcrew alerting that complies with Sec.
25.1322.
The new paragraph (f) of Sec. 25.671 requires that appropriate
flight crew alerting be provided if the flight control system has
multiple modes of operation whenever the airplane enters any mode that
significantly changes or degrades the normal handling or operational
characteristics of the airplane. On some flight control system designs,
there may be sub-modes of operation that change or degrade the normal
handling or operational characteristics of the airplane. Similar to
control surface awareness, the flightcrew should be made aware if the
airplane is operating in such a sub-mode. Aside from the one change
already noted, there are no substantial changes to Sec. 25.671(a),
(d), (e), and (f) in the final rule compared to the NPRM.
Manufacturers face little or no additional cost from these
provisions because they are already required by CS 25.671 in language
that exactly matches Sec. 25.671 in language structure and closely
matches Sec. 25.671 in the language itself. Therefore, there is no
additional cost resulting from these provisions. Moreover, since
industry has been meeting the new criteria in Sec. 25.671(a), (e), and
(f) under special conditions since the early 1980s, the FAA believes
that industry now accepts Sec. 25.671(a), (e), and (f) as necessary
low-cost actions. Again, there is no additional cost. For this reason,
the FCHWG recommended these new criteria with little debate.
ii. Section 25.671(b) (Minimize Probability of Incorrect Assembly)
Section 25.671(b) is revised to allow distinctive and permanent
marking for flight control systems to minimize the probability of
incorrect assembly only when design means are impractical. Aside from
minor language changes, there are no changes to this provision in the
final rule relative to the NPRM. It is expert consensus that the
physical prevention of misassembly by design is safer than reliance on
marking, which can be overlooked or ignored. Although not flight
control related, fuel tank access doors provide an example. Since these
doors are required to have greater strength because of the location,
fuel tank access door systems are designed so that other doors will not
securely fit in the fuel tank access door openings.
Since distinctive and permanent marking to minimize the probability
of incorrect assembly is disallowed only when design means are
practical, the expected gain in safety benefits from the reduced
probability of incorrect assembly is greater than the costs of the rule
revision.
Accordingly, the FAA finds this provision to be cost-beneficial.
The FAA
[[Page 68727]]
requested comments on this finding and received none. In any case,
manufacturers face no additional cost because Sec. 25.671(b) closely
aligns with CS 25.671(b) with which they must already comply.
iii. Section 25.671(c) (Flight Control Jams)
For flight controls, revised Sec. 25.671(c) is analogous to Sec.
25.1309(b) in having requirements for the single failure (Sec.
25.671(c)(1)), the combinational failure (Sec. 25.671(c)(2)), and
specific risk (Sec. 25.671(c)(3)). Sections 25.671(c)(1) and (c)(2)
have some language changes, but the intent of each provision is
unchanged from the current rule. The NPRM proposed to remove Sec.
25.671(c)(1) and (c)(2) because all single and combinational failures
are covered by the foundational Sec. 25.1309. However, the FAA agrees
with commenters that Sec. 25.671(c)(1) and (c)(2) should be retained
because removal would disharmonize with EASA's corresponding
requirements and because different means of compliance are normally
used for Sec. 25.671(c) and Sec. 25.1309(b). Accordingly, paragraphs
(c)(1) and (c)(2) of current Sec. 25.671 are retained in the final
rule. Section 25.671(c)(3) is revised as follows:
(1) In Sec. 25.671(c)(3), the FAA clarifies that the provision
applies only to jams due to a physical interference (e.g., foreign or
loose object, system icing, corroded bearings). All other failures or
events that result in either a control surface, pilot control, or
component being fixed in position are addressed under Sec.
25.671(c)(1) and (c)(2) and Sec. 25.302 where applicable.
(2) Section 25.671(c)(3) no longer addresses a runaway of a flight
control surface and subsequent jam. A failure that results in
uncommanded control surface movement is addressed by Sec. 25.671(c)(1)
and (c)(2).
(3) Section 25.671(c)(3)(iii) is a new requirement specifying that
given a jam, the combined probability is 1/1000 or less that any
additional failure conditions could prevent continued safe flight and
landing. This requirement is to ensure adequate reliability of any
system necessary to alleviate the jam when it occurs. This specific
risk requirement is analogous to the 1/1000 latent specific risk
requirement for potential catastrophic single latent failure plus one
(CSL+1) failure conditions discussed above for Sec. 25.1309(b)(5),
which is required to ensure a safety margin in the event of an active
failure.
(4) While current Sec. 25.671(c)(3) allows the use of probability
analysis, applicants have generally been unable to demonstrate that
jamming conditions are ``extremely improbable,'' except for conditions
that occur during a very limited time just prior to landing. Because of
this issue with probability assessment for jams, the FAA has revised
Sec. 25.671(c)(3) to require that the manufacturer's safety
assessments assume that jamming conditions will occur--probability set
equal to one--when showing that the airplane is capable of continued
safe flight and landing. For the same reason, the jamming conditions of
Sec. 25.671(c)(3) are excluded from the probability requirements of
Sec. 25.1309(b).
The assumption that the jam will occur--and that the airplane will
be able to withstand it--does not apply to jamming conditions that
occur immediately before touchdown if the risk of a jam is minimized to
the extent practical. For jams that occur just before landing, some
amount of time and altitude is necessary in order to recover, and there
is no practical means by which a recovery can be demonstrated. Hence
the requirement that the risk of a jam be minimized to the extent
practical. (This is a change from the NPRM where the requirement was
that the applicant show that such jams are extremely improbable.) This
change creates a difference in the language of Sec. 25.671(c)(3)(ii)
and CS 25.671(c)(3)(ii) because EASA does not have this exception in its
rule.
In its Acceptable Means of Compliance (AMC) Sec. 25.671, however,
EASA states that, ``if continued safe flight and landing cannot be
demonstrated, perform a qualitative assessment of the design, relative
to jam prevention and jam alleviation means, to show that all practical
precautions have been taken . . . .'' Consequently, the FAA expects the
difference between Sec. 25.671(c)(3)(ii) and CS 25.671(c)(3)(ii) to
have no effect in practice. There are no additional substantial
differences between the final rule and the NPRM with respect to Sec.
25.671(c)(3).
Section 25.671 has changed from the NPRM to the point where it is
almost perfectly aligned in structure and intent, and closely aligned
in text language, with CS 25.671. Section 25.671 is now so closely
aligned that there is no additional cost from the FAA provision because
manufacturers already have to meet the EASA provision. Moreover, as
already noted, industry has been meeting the new criteria in Sec.
25.671(a), (e), and (f) under special conditions since the early 1980s.
Because of that experience, the FAA believes that manufacturers now
accept these special conditions as the low-cost necessary actions.
Again, there is no additional cost. Finally, the FAA believes that
Sec. 25.671(c)(3) is already accepted as the low-cost industry
practice as it has been used by many manufacturers under a voluntary
ELOS.
d. Section 25.901 Installation (Powerplants)
The revision to Sec. 25.901(c) moves basic systems safety criteria
to Sec. 25.1309 and is finalized as proposed. In so doing, Sec.
25.901(c) clarifies that Sec. 25.1309 applies to powerplant (engine)
installations, as it does for all airplane systems. Accordingly, the
current provision in Sec. 25.901(c) prohibiting catastrophic single
failures or probable combinations of failures is removed. Design
requirements do not change as a result of this revision to the rule.
There are no substantial changes in the final rule compared to the
NPRM. The revision exactly harmonizes the structure and very closely
harmonizes the text of Sec. 25.901(c) with EASA's corresponding CS
25.901(c). Accordingly, the revision is cost-beneficial as it provides
reduced costs from joint harmonization since manufacturers must
already comply with CS 25.901(c). The FAA asked for comments on this
finding in the NPRM and received none.
e. Section 25.933 Reversing Systems (Controllability and Reliability
Options)
In the event of an inadvertent activation of the thrust reverser
during flight, current Sec. 25.933(a) requires that the airplane be
capable of ``continued flight and landing.'' The service history of
airplanes certified under the current rule--most prominently, the
aforementioned catastrophic Lauda Air accident in Thailand--has
demonstrated that the intent of this ``fail-safe'' requirement had not
been achieved. As discussed in the section on Sec. 25.1309(b)(5)
above, the catastrophic failure condition that caused the Lauda Air
accident was corrected by adding redundancy to convert a dual failure
condition to a triple failure condition. This revision to Sec.
25.933(a) further addresses the thrust reverser issue with a revised
Sec. 25.933(a)(1)(i) that retains ``controllability'' from the current
rule as an option, but also revises Sec. 25.933(a)(1)(ii) to provide
an additional ``reliability'' option using the requirements of Sec.
25.1309(b).\41\ The
[[Page 68728]]
reliability option recognizes that Sec. 25.1309 applies to all
systems. There are no substantial differences between the final rule
and the NPRM with respect to Sec. 25.933(a).
---------------------------------------------------------------------------
\41\ It should be noted that the controllability option would
still require compliance with Sec. 25.1309. But when an applicant
demonstrates compliance using the controllability option, that
ensures that an unwanted thrust reversal in flight would be
classified at worst as a ``major'' failure, thereby making
compliance with Sec. 25.1309(b) much easier.
---------------------------------------------------------------------------
The final rule (and NPRM) for Sec. 25.933(a) is in close harmony
with the corresponding CS 25.933(a) as it is identical in rule
structure and intent. Accordingly, there is no additional cost to this
rule as manufacturers already have to comply with CS 25.933(a).
Moreover, Sec. 25.933(a) is cost-beneficial as it allows flexibility
in design development, enabling manufacturers to achieve the intended
level of safety in the most cost-effective manner.
f. Section 25.302 Interaction of Systems and Structures
There are many technical differences between the NPRM and the final
rule. Nine major commenters, including Boeing and Airbus, asked the FAA
to harmonize with EASA CS 25.302, even to the extent of using the same
language and paragraph numbering. Commenters noted that CS 25.302
matches the FAA Interaction of Systems and Structures special condition
that has been used for many years. Commenters stated that the
differences between FAA and EASA requirements would create a
substantial certification burden. The FAA agrees with the commenters
and, except where discussed below, has agreed to match the language and
structure of EASA's rule to the extent possible.
i. Section 25.302(b) System Fully Operative
The applicant must derive limit loads \42\ for the limit conditions
specified in subpart C, taking into account the behavior of the system
up to the limit loads. The applicant must show that the airplane meets
the strength requirements of subparts C and D, using the appropriate
factor of safety to derive ultimate loads from these limit loads.
Section 25.302(b) is less verbose than the corresponding EASA text but
uses some of the same language and has the same intent as EASA's
version. Since Sec. 25.302(b) harmonizes with EASA CS 25.302(b), there
are no incremental costs from paragraph (b), and the provision is cost-
beneficial because of joint harmonization.
---------------------------------------------------------------------------
\42\ Design loads are typically expressed in terms of limit
loads, which are then multiplied by a factor of safety, usually 1.5,
to determine ultimate loads.
---------------------------------------------------------------------------
ii. Section 25.302(c) System in the Failure Condition
This section applies for any failure condition not shown to be
extremely improbable or that results from a single failure. CS
25.302(c) requires the evaluation of any system failure condition not
shown to be extremely improbable but does not explicitly mention single
failures. Nevertheless, evaluation of single failures would be required
when evaluating CS 25.302. This is because single failures cannot be
shown by a probability analysis to be extremely improbable. As noted in
AC 25.1309-1A, dated June 21, 1988, ``In general, a failure condition
resulting from a single failure mode of a device cannot be accepted as
being extremely improbable.'' Extremely improbable failure conditions
are those having an average probability per flight hour of 1 x 10^-9
or less. The FAA would not accept a probability
analysis showing a single failure to be extremely improbable because
such an estimation would not be considered reliable. An unreliable
estimate could inadvertently result in a level of risk that was unsafe
and not justified by any cost savings obtained. Accordingly, the FAA
finds to be cost-beneficial the requirement of Sec. 25.302(c) to
evaluate any system failure condition resulting from a single failure.
At the time of occurrence, the applicant must determine the loads
occurring at the time of failure and immediately after failure. For
static strength substantiation, the airplane must be able to withstand
the ultimate loads determined by multiplying the loads by a factor of
safety related to the probability that the failure occurs. The factor
of safety (F.S.) is shown in Figure 1.
[GRAPHIC] [TIFF OMITTED] TR27AU24.000
Figure 1 shows the factor of safety to be constant at 1.5 between a
probability of failure of 1.0 and 10^-5, and between 10^-5 and 10^-9
declines linearly from 1.5 to 1.25 as Pj goes from 10^-5 to 10^-9,
where Pj is the probability of failure. The factor of safety is not
allowed to be below 1.5 at high probabilities of failure (>10^-5). For
low probabilities of failure (<10^-5), the F.S. falls as the
probability of failure falls but is not allowed to be less than 1.25 as
the probability of
[[Page 68729]]
failure falls towards extreme improbability at 10^-9. Note
that the probability of failure axis is in logarithmic scale. In the
NPRM, this figure was not used as the FAA kept the factor of safety at
1.5 regardless of the probability of failure. In the final rule, this
provision is cost-relieving relative to the NPRM because the FAA is now
harmonizing with the less stringent EASA provision.
For residual strength substantiation, the airplane must be able to
withstand two-thirds of the ultimate loads. Residual strength is the
strength that remains as the airplane structure deteriorates over time,
so this test requires a prediction of that deterioration.
Failures of the system that result in forced structural vibrations
(oscillatory failures) must not produce loads that could result in
detrimental deformation of primary structure. A forced structural
vibration or oscillatory failure occurs when an oscillating system is
driven by a periodic force that is external to the system.
For the continuation of the flight, loads are determined for a
limited set of conditions, as noted in Sec. 25.302(c)(2)(i). Section
25.302(c)(2)(i)(F) is an additional rule provision not in CS 25.302.
This provision requires that if any system is installed or tailored to
reduce the loads of a part 25 load condition, then that load condition
must also be evaluated. This provision is necessary to account for any
such systems as their failure will increase loads. The FAA believes
this is a low-cost provision, having been applied in only a few cases
over many years.
For static strength substantiation, the structure must be able to
withstand the loads determined in Sec. 25.302(c)(2)(i) multiplied by a
factor of safety, as shown in Figure 2.
[GRAPHIC] [TIFF OMITTED] TR27AU24.001
Qj = (Tj)(Pj) where:
Tj = Average time spent in failure condition j (in hours)
Pj = Probability of occurrence of failure mode j (per hour)
Figure 2 shows the factor of safety falls linearly from 1.5 to 1.0
as Qj declines from 1 to 10^-5, and the factor of safety is
constant at 1.0 between 10^-5 and 10^-9, where Qj =
(Tj)(Pj), where Tj is the average time in the failure condition (in
hours), and Pj is the probability of failure (per hour) or failure
rate. So Qj is the (average) cumulative probability of failure. In
contrast to the F.S. at the time of failure occurrence (Figure 1), the
F.S. for continuation of flight (Figure 2) is allowed to fall
immediately below 1.5 as failure probability falls from the highest
probability of 1, and in contrast to the minimum F.S. of 1.25 for
Figure 1, the Figure 2 safety margin is allowed to fall to 1.0 at
10^-5, where it remains as the probability of failure falls
to extreme improbability at 10^-9. As with Figure 1, note
that the Figure 2 probability of failure axis is in logarithmic scale.
In the NPRM, this figure was not used as the FAA did not vary the
factor of safety with the probability of system failure. The NPRM
provision was less stringent than the final rule in reducing the factor
of safety to 1.0 if the failure was annunciated. However, the NPRM
provision applied to all load conditions in subpart C, whereas in the
final rule, the provision applies to the limited set of subpart C load
conditions specified in Sec. 25.302(c)(2)(i) so that, overall, in
harmonizing with EASA, the final rule provision is cost-relieving
relative to the NPRM.
For residual strength substantiation, the airplane must be able to
withstand two-thirds of the ultimate loads. If the loads induced by the
failure condition have a significant effect on fatigue or damage
tolerance, then their effects must be taken into account. A failure
condition has a ``significant'' effect on fatigue or damage tolerance
if it would result in a change to inspection thresholds, inspection
intervals, or life limits. Unlike EASA's rule, Sec. 25.302(c) does not
include aeroelasticity stability requirements. Both CS 25.302 and CS
25.629 specify flutter speed margins for failure conditions. In CS
25.629, for the group of failures covered by CS 25.302, the margins are
based on the probability of the condition's occurrence, whereas, for
the remaining failure conditions, a single speed margin is defined,
similar to Sec. 25.629, regardless of probability. The FAA believes
the current speed margins specified in Sec. 25.629 are adequate, and
there is no need for more specific failure criteria based on
probability of occurrence and speed margins. The current speed margin
specified in Sec. 25.629, which has been in place since amendment 25-0
of 14 CFR part 25, has proven effective in service. For that reason,
non-provision has little impact.
Summary of Cost-Benefit Analysis for Sec. 25.302(c)
The FAA finds that Sec. 25.302(c) harmonizes very closely in
structure with CS 25.302(c) and closely in rule
[[Page 68730]]
language, aside from the single failure requirement, the additional
load provision of Sec. 25.302(c)(2)(i)(F), and the lack of
aeroelasticity stability requirements in Sec. 25.302(c). Because of
this close harmonization, there is little or no additional cost to that
required by EASA certification. Moreover, because of the imposition of
the FAA's Interaction of Systems and Structures special conditions for
more than twenty years, the FAA believes that industry is so well-
adapted to the special conditions that it is now the industry's low-
cost necessary action. Thus, no change is implied by the rule, and,
therefore, there is little or no additional cost. The provision is
cost-beneficial owing to cost savings from joint harmonization.
iii. Section 25.302(d) Failure Indications
Section 25.302(d) requires that the system be checked for failure
conditions discussed in Sec. 25.302(c)(2), for example, using a CMR
procedure. As far as practicable, the flightcrew must be made aware of
these failures before flight. Manufacturers are allowed relief in the
F.S. requirement shown in Figure 2, as in Sec. 25.302(c)(2). However,
any failure condition, not extremely improbable, that results in an
F.S. below 1.25 in Figure 2 must be alerted to the crew. This latter
requirement sounds contradictory since it means the flightcrew must be
alerted when the probability of failure is low enough for the safety
factor to be less than 1.25. It appears alerting the flightcrew is
substituted for a higher factor of safety. A manufacturer finding
alerting the flightcrew too onerous can reverse the substitution by
having a higher factor of safety.
The language of this paragraph closely matches that of CS
25.302(d), except for some additional verbiage that does not change the
intent. For the same reasons given for paragraph (c) of Sec. 25.302,
there is no additional cost from this provision, and the provision is
cost-beneficial owing to the cost savings from joint harmonization.
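The following is an added worked example, not part of the Federal Register text. Because Figures 1 and 2 are omitted from this rendering, it reconstructs both factor-of-safety curves from the prose descriptions above (linear on a logarithmic probability axis) and applies the Sec. 25.302(d) crew-alert criterion. All function names and the sample inputs are assumptions made for illustration.

```python
import math

# Threshold stated in the preamble: average probability per flight hour
# of 1 x 10^-9 or less is "extremely improbable".
P_EXTREMELY_IMPROBABLE = 1e-9


def _log_interp(x, x_hi, fs_hi, x_lo, fs_lo):
    """Interpolate the factor of safety linearly in log10(x).

    (x_hi, fs_hi) and (x_lo, fs_lo) are the two end points of the sloped
    segment of the curve; the probability axis is logarithmic.
    """
    span = math.log10(x_hi) - math.log10(x_lo)
    frac = (math.log10(x_hi) - math.log10(x)) / span
    return fs_hi + frac * (fs_lo - fs_hi)


def fs_time_of_occurrence(pj):
    """Figure 1 as described: F.S. at the time of failure occurrence.

    Constant 1.5 for Pj from 1.0 down to 1e-5, then falling linearly
    (log axis) to a floor of 1.25 at Pj = 1e-9.
    """
    if not 0.0 < pj <= 1.0:
        raise ValueError("Pj must be a probability in (0, 1]")
    if pj >= 1e-5:
        return 1.5
    if pj <= 1e-9:
        return 1.25
    return _log_interp(pj, 1e-5, 1.5, 1e-9, 1.25)


def fs_continuation_of_flight(tj_hours, pj_per_hour):
    """Figure 2 as described: F.S. for continuation of flight.

    Qj = Tj * Pj. F.S. falls linearly (log axis) from 1.5 at Qj = 1 to
    1.0 at Qj = 1e-5 and stays at 1.0 down to 1e-9.
    Returns (Qj, F.S.).
    """
    if tj_hours <= 0 or pj_per_hour <= 0:
        raise ValueError("Tj and Pj must be positive")
    qj = tj_hours * pj_per_hour
    if qj >= 1.0:
        return qj, 1.5  # assumption: clamp at the top of the curve
    if qj <= 1e-5:
        return qj, 1.0
    return qj, _log_interp(qj, 1.0, 1.5, 1e-5, 1.0)


def assess_failure_condition(limit_load, tj_hours, pj_per_hour):
    """Combine both curves for one failure condition (constructed inputs).

    limit_load is a single scalar load in any consistent unit.
    """
    fs1 = fs_time_of_occurrence(pj_per_hour)
    qj, fs2 = fs_continuation_of_flight(tj_hours, pj_per_hour)
    ultimate_continuation = limit_load * fs2
    # Sec. 25.302(d) as summarized above: a failure condition that is not
    # extremely improbable and yields a Figure 2 F.S. below 1.25 must be
    # alerted to the flightcrew.
    alert = pj_per_hour > P_EXTREMELY_IMPROBABLE and fs2 < 1.25
    return {
        "fs_time_of_occurrence": fs1,
        "ultimate_at_occurrence": limit_load * fs1,
        "qj": qj,
        "fs_continuation": fs2,
        "ultimate_continuation": ultimate_continuation,
        # Residual strength: two-thirds of the ultimate loads.
        "residual_strength_load": ultimate_continuation * 2.0 / 3.0,
        "crew_alert_required": alert,
    }


if __name__ == "__main__":
    # Constructed sample: 10 h average exposure, 1e-4 per hour failure rate.
    for key, value in assess_failure_condition(100.0, 10.0, 1e-4).items():
        print(f"{key}: {value}")
```

With these curves, the Figure 2 factor of safety crosses 1.25 at Qj = 10^-2.5 (about 3.2 x 10^-3), which is the exposure below which the alerting criterion starts to apply.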
iv. Section 25.302(e) Dispatch With Known Failure Conditions
The applicant forecasts the probability of the failure condition
(``at the time of occurrence'' in Sec. 25.302(c)) and how many days
the airplane will be in that dispatch configuration. That probability
is then combined with the probability of subsequent failures to
calculate Qj, the probability of being in the dispatched condition, and
the subsequent failure condition. Qj is then used in Figure 2 to
establish the required safety margins, the same safety margin relief
allowed in Sec. 25.302(c)(2) and in Sec. 25.302(d).
The FAA excludes one sentence related to dispatch limitations from
Sec. 25.302(e) that is in CS 25.302 because its intent and application
are unclear. Otherwise, Sec. 25.302(e) closely harmonizes with CS
25.302. The FAA special conditions and the corresponding CS 25.302 have
provided an adequate service record. For the same reasons given for
paragraphs (c) and (d) of Sec. 25.302, there is no additional cost
from this provision, and the provision is cost-beneficial owing to the
reduced costs from joint harmonization.
B. Regulatory Flexibility Determination
The Regulatory Flexibility Act (RFA) of 1980, Public Law 96-354, 94
Stat. 1164 (5 U.S.C. 601-612), as amended by the Small Business
Regulatory Enforcement Fairness Act of 1996 (Pub. L. 104-121, 110 Stat.
857, Mar. 29, 1996) and the Small Business Jobs Act of 2010 (Pub. L.
111-240, 124 Stat. 2504, Sept. 27, 2010), requires Federal agencies to
consider the effects of the regulatory action on small business and
other small entities and to minimize any significant economic impact.
The term ``small entities'' comprises small businesses and not-for-
profit organizations that are independently owned and operated and are
not dominant in their fields, and governmental jurisdictions with
populations of less than 50,000.
Garmin commented on the NPRM that the cost-benefit analysis does
not consider the impact on ATC or STC projects that would be considered
significant under Sec. 21.101, the Changed Product Rule. In addition,
MARPA requested that the FAA clarify the applicability of the SSA rule
to PMA applicants and STC applicants. If the SSA rule is applicable to
PMA and STC applicants, MARPA requested that the FAA adjust the cost-
benefit analysis accordingly, complete a Regulatory Flexibility Act
analysis, and make the revised cost-benefit analysis and Regulatory
Flexibility Act analysis available for comment in a supplemental NPRM.
This final rule updates the cost-benefit analysis to take account
of the fact that the final rule closely harmonizes with the
corresponding EASA rule. Since U.S. manufacturers already are required
to meet the EASA requirements, the closely harmonized provisions of the
final rule impose no or minimal costs. In future STC or ATC projects
where the design change is determined under the Changed Product Rule to
be a significant product level change, the Changed Product Rule will
then require that the certification basis of those projects be updated.
The cost-benefit analysis for the Changed Product Rule, however, has
determined that the required updated certification basis for such
projects is cost-beneficial. PMAs (replacement articles) are managed in
accordance with Subpart K to part 21. The final rule will apply only at
that time in the future when a PMA (or non-significant STC) applicant
seeks to modify a product that already has the final rule in its
certification basis. Accordingly, the FAA finds that neither a
Regulatory Flexibility Act analysis nor a supplemental NPRM is
required.
If an agency determines that a rulemaking will not result in a
significant economic impact on a substantial number of small entities,
the head of the agency may so certify under section 605(b) of the RFA.
Since there are no or minimal additional costs to this final rule, the
FAA certifies that the final rule will not have a significant economic
impact on a substantial number of small entities.
C. International Trade Impact Assessment
The Trade Agreements Act of 1979 (Pub. L. 96-39), as amended by the
Uruguay Round Agreements Act (Pub. L. 103-465), prohibits Federal
agencies from establishing standards or engaging in related activities
that create unnecessary obstacles to the foreign commerce of the United
States. Pursuant to these Acts, the establishment of standards is not
considered an unnecessary obstacle to the foreign commerce of the
United States, so long as the standard has a legitimate domestic
objective, such as the protection of safety, and does not operate in a
manner that excludes imports that meet this objective. The statute also
requires consideration of international standards and, where
appropriate, that they be the basis for U.S. standards.
The FAA has assessed the potential effect of this final rule and
determined that its purpose is to ensure the safety of U.S. civil
aviation. Therefore, this final rule is in compliance with the Trade
Agreements Act.
D. Unfunded Mandates Assessment
The Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531-1538)
governs the issuance of Federal regulations that require unfunded
mandates. An unfunded mandate is a regulation that requires a State,
local, or tribal government or the private sector to incur direct costs
without the Federal government having first provided the funds to pay
those costs. The FAA
[[Page 68731]]
determined that the proposed rule will not result in the expenditure of
$183 million or more by State, local, or tribal governments, in the
aggregate, or the private sector, in any one year.
E. Paperwork Reduction Act
The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires
that the FAA consider the impact of paperwork and other information
collection burdens imposed on the public. The FAA has determined that
there is no new requirement for information collection associated with
this final rule.
F. International Compatibility
In keeping with U.S. obligations under the Convention on
International Civil Aviation, it is FAA policy to conform to
International Civil Aviation Organization (ICAO) Standards and
Recommended Practices to the maximum extent practicable. The FAA has
determined that there are no ICAO Standards and Recommended Practices
that correspond to these regulations.
G. Environmental Analysis
FAA Order 1050.1F identifies FAA actions that are categorically
excluded from preparation of an environmental assessment or
environmental impact statement under the National Environmental Policy
Act (NEPA) in the absence of extraordinary circumstances. The FAA has
determined this rulemaking action qualifies for the categorical
exclusion identified in paragraph 5-6.6 for regulations and involves no
extraordinary circumstances.
VII. Executive Order Determinations
A. Executive Order 13132, Federalism
The FAA has analyzed this final rule under the principles and
criteria of Executive Order (E.O.) 13132, Federalism (64 FR 43255,
August 10, 1999). The FAA has determined that this action will not have
a substantial direct effect on the States, or the relationship between
the Federal Government and the States, or on the distribution of power
and responsibilities among the various levels of government, and,
therefore, will not have federalism implications.
B. Executive Order 13175, Consultation and Coordination With Indian
Tribal Governments
Consistent with Executive Order 13175, Consultation and
Coordination with Indian Tribal Governments,\43\ and FAA Order 1210.20,
American Indian and Alaska Native Tribal Consultation Policy and
Procedures,\44\ the FAA ensures that Federally Recognized Tribes
(Tribes) are given the opportunity to provide meaningful and timely
input regarding proposed Federal actions that have the potential to
have substantial direct effects on one or more Indian tribes, on the
relationship between the Federal government and Indian tribes, or on
the distribution of power and responsibilities between the Federal
government and Indian tribes; or to affect uniquely or significantly
their respective Tribes. At this point, the FAA has not identified any
unique or significant effects, environmental or otherwise, on tribes
resulting from this final rule.
---------------------------------------------------------------------------
\43\ 65 FR 67249 (Nov. 6, 2000).
\44\ FAA Order No. 1210.20 (Jan. 28, 2004), available at
www.faa.gov/documentLibrary/media/1210.pdf.
---------------------------------------------------------------------------
C. Executive Order 13211, Regulations That Significantly Affect Energy
Supply, Distribution, or Use
The FAA analyzed this final rule under E.O. 13211, Actions
Concerning Regulations that Significantly Affect Energy Supply,
Distribution, or Use (66 FR 28355, May 18, 2001). The FAA has
determined that it is not a ``significant energy action'' under the
executive order and is not likely to have a significant adverse effect
on the supply, distribution, or use of energy.
D. Executive Order 13609, Promoting International Regulatory
Cooperation
Executive Order 13609, Promoting International Regulatory
Cooperation, promotes international regulatory cooperation to meet
shared challenges involving health, safety, labor, security,
environmental, and other issues and to reduce, eliminate, or prevent
unnecessary differences in regulatory requirements. The FAA has
analyzed this action under the policies and agency responsibilities of
Executive Order 13609 and has determined that this action will have no
effect on international regulatory cooperation.
In January of 2020, EASA published CS-25 amendment 24, which bore
many similarities to the proposals in the NPRM, including added
criteria for latent failures in CS 25.1309. This final rule harmonizes
FAA requirements with EASA's requirements to the extent possible.
VIII. Additional Information
A. Electronic Access and Filing
A copy of the NPRM, all comments received, this final rule, and all
background material may be viewed online at www.regulations.gov using
the docket number listed above. A copy of this final rule will be
placed in the docket. Electronic retrieval help and guidelines are
available on the website. It is available 24 hours each day, 365 days
each year. An electronic copy of this document may also be downloaded
from the Office of the Federal Register's website at
www.federalregister.gov and the Government Publishing Office's website
at www.govinfo.gov. A copy may also be found at the FAA's Regulations
and Policies website at www.faa.gov/regulations_policies.
Copies may also be obtained by sending a request to the Federal
Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence
Avenue SW, Washington, DC 20591, or by calling (202) 267-9677.
Commenters must identify the docket or notice number of this
rulemaking.
All documents the FAA considered in developing this final rule,
including economic analyses and technical reports, may be accessed in
the electronic docket for this rulemaking.
B. Small Business Regulatory Enforcement Fairness Act
The Small Business Regulatory Enforcement Fairness Act (SBREFA) of
1996 requires the FAA to comply with small entity requests for
information or advice about compliance with statutes and regulations
within its jurisdiction. A small entity with questions regarding this
document may contact its local FAA official, or the person listed under
the FOR FURTHER INFORMATION CONTACT heading at the beginning of the
preamble. To find out more about SBREFA on the internet, visit
www.faa.gov/regulations_policies/rulemaking/sbre_act/.
List of Subjects in 14 CFR Part 25
Aircraft, Aviation safety, Life-limited parts, Reporting and
recordkeeping requirements.
The Amendment
In consideration of the foregoing, the Federal Aviation
Administration amends chapter I of title 14, Code of Federal
Regulations as follows:
PART 25--AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES
1. The authority citation for part 25 continues to read as follows:
Authority: 49 U.S.C. 106(f), 106(g), 40113, 44701, 44702 and
44704.
2. Add Sec. 25.4 to read as follows:
[[Page 68732]]
Sec. 25.4 Definitions.
(a) For the purposes of this part, the following general
definitions apply:
(1) Certification maintenance requirement means a required
scheduled maintenance task established during the design certification
of the airplane systems as an airworthiness limitation of the type
certificate or supplemental type certificate.
(2) Significant latent failure is a latent failure that, in
combination with one or more specific failures or events, would result
in a hazardous or catastrophic failure condition.
(b) For purposes of this part, the following failure conditions, in
order of increasing severity, apply:
(1) Major failure condition means a failure condition that would
reduce the capability of the airplane or the ability of the flightcrew
to cope with adverse operating conditions, to the extent that there
would be--
(i) A significant reduction in safety margins or functional
capabilities,
(ii) A physical discomfort or a significant increase in flightcrew
workload or in conditions impairing the efficiency of the flightcrew,
(iii) Physical distress to passengers or cabin crew, possibly
including injuries, or
(iv) An effect of similar severity.
(2) Hazardous failure condition means a failure condition that
would reduce the capability of the airplane or the ability of the
flightcrew to cope with adverse operating conditions, to the extent
that there would be--
(i) A large reduction in safety margins or functional capabilities,
(ii) Physical distress or excessive workload such that the
flightcrew cannot be relied upon to perform their tasks accurately or
completely, or
(iii) Serious or fatal injuries to a relatively small number of
persons other than the flightcrew.
(3) Catastrophic failure condition means a failure condition that
would result in multiple fatalities, usually with the loss of the
airplane.
(c) For purposes of this part, the following failure conditions in
order of decreasing probability apply:
(1) Probable failure condition means a failure condition that is
anticipated to occur one or more times during the entire operational
life of each airplane of a given type.
(2) Remote failure condition means a failure condition that is not
anticipated to occur to each airplane of a given type during its entire
operational life, but which may occur several times during the total
operational life of a number of airplanes of a given type.
(3) Extremely remote failure condition means a failure condition
that is not anticipated to occur to each airplane of a given type
during its entire operational life, but which may occur a few times
during the total operational life of all airplanes of a given type.
(4) Extremely improbable failure condition means a failure
condition that is not anticipated to occur during the total operational
life of all airplanes of a given type.
3. Add Sec. 25.302 to read as follows:
Sec. 25.302 Interaction of systems and structures.
For airplanes equipped with systems that affect structural
performance, either directly or as a result of a failure or
malfunction, the influence of these systems and their failure
conditions must be taken into account when showing compliance with the
requirements of subparts C and D of this part. These criteria are only
applicable to structure whose failure could prevent continued safe
flight and landing.
(a) General. The applicant must use the following criteria in
determining the influence of a system and its failure conditions on the
airplane structure.
(b) System fully operative. With the system fully operative, the
following criteria apply:
(1) The applicant must derive limit loads for the limit conditions
specified in subpart C of this part, taking into account the behavior
of the system up to the limit loads. System nonlinearities must be
taken into account.
(2) The applicant must show that the airplane meets the strength
requirements of subparts C and D of this part, using the appropriate
factor of safety to derive ultimate loads from the limit loads defined
in paragraph (b)(1) of this section. The effect of nonlinearities must
be investigated sufficiently beyond limit conditions to ensure the
behavior of the system presents no detrimental effects compared to the
behavior below limit conditions. However, conditions beyond limit
conditions need not be considered when it can be shown that the
airplane has design features that will not allow it to exceed those
limit conditions.
(3) Reserved.
(c) System in the failure condition. For any system failure
condition not shown to be extremely improbable or that results from a
single failure, the following criteria apply:
(1) At the time of occurrence. The applicant must establish a
realistic scenario, starting from 1g level flight conditions, and
including pilot corrective actions, to determine the loads occurring at
the time of failure and immediately after failure.
(i) For static strength substantiation, the airplane must be able
to withstand the ultimate loads determined by multiplying the loads in
paragraph (c)(1) of this section by a factor of safety that is related
to the probability of occurrence of the failure. The factor of safety
(F.S.) is defined in Figure 1.
Figure 1 to paragraph (c)(1)(i)
[[Page 68733]]
[GRAPHIC] [TIFF OMITTED] TR27AU24.002
(ii) For residual strength substantiation, the airplane must be
able to withstand two thirds of the ultimate loads defined in paragraph
(c)(1)(i) of this section. For pressurized cabins, these loads must be
combined with the normal operating differential pressure.
(iii) Reserved.
(iv) Failures of the system that result in forced structural
vibrations (oscillatory failures) must not produce loads that could
result in detrimental deformation of primary structure.
(2) For the continuation of the flight. For the airplane, in the
system failed state and considering any appropriate reconfiguration and
flight limitations, the following apply:
(i) The loads derived from the following conditions at speeds up to
V_C/M_C, or the speed limitation prescribed for the
remainder of the flight must be determined:
(A) the limit symmetrical maneuvering conditions specified in
Sec. Sec. 25.331 and 25.345,
(B) the limit gust and turbulence conditions specified in
Sec. Sec. 25.341 and 25.345,
(C) the limit rolling conditions specified in Sec. 25.349 and the
limit unsymmetrical conditions specified in Sec. Sec. 25.367 and
25.427(b) and (c),
(D) the limit yaw maneuvering conditions specified in Sec. 25.351,
(E) the limit ground loading conditions specified in Sec. Sec.
25.473 and 25.491, and
(F) any other subpart C of this part load condition for which a
system is specifically installed or tailored to reduce the loads of
that condition.
(ii) For static strength substantiation, each part of the structure
must be able to withstand the loads in paragraph (c)(2)(i) of this
section multiplied by a factor of safety that depends on the
probability of being in this failure condition. The factor of safety is
defined in Figure 2.
Figure 2 to paragraph (c)(2)(ii)
[GRAPHIC] [TIFF OMITTED] TR27AU24.003
Qj = (Tj)(Pj) where:
Tj = Average time spent in failure condition j (in hours)
Pj = Probability of occurrence of failure mode j (per hour)
If Pj is greater than 10^-3 per flight hour, then a 1.5
factor of safety must be applied in
[[Page 68734]]
lieu of the factor of safety defined in Figure 2.
(iii) For residual strength substantiation, the airplane must be
able to withstand two thirds of the ultimate loads defined in paragraph
(c)(2)(ii) of this section. For pressurized cabins, these loads must be
combined with the normal operating differential pressure.
(iv) If the loads induced by the failure condition have a
significant effect on fatigue or damage tolerance then their effects
must be taken into account.
(v) Reserved.
(vi) Reserved.
(3) Reserved.
(d) Failure indications. For system failure detection and
indication, the following apply:
(1) The system must be checked for failure conditions evaluated
under paragraph (c) of this section that degrade the structural
capability below the level required by subparts C (excluding Sec.
25.302) and D of this part or that reduce the reliability of the
remaining system. As far as practicable, these failures must be
indicated to the flightcrew before flight.
(2) The existence of any failure condition evaluated under
paragraph (c) of this section that results in a factor of safety
between the airplane strength and the loads of subpart C of this part
below 1.25 must be indicated to the flightcrew.
(e) Dispatch with known failure conditions. If the airplane is to
be dispatched in a known system failure condition that affects
structural performance or affects the reliability of the remaining
system to maintain structural performance, then the Master Minimum
Equipment List must ensure the provisions of Sec. 25.302 are met for
the dispatched condition and for any subsequent failures. Flight
limitations and operational limitations may be taken into account in
establishing Qj as the combined probability of being in the dispatched
failure condition and the subsequent failure condition for the safety
margins in Figure 2. No reduction in these safety margins is allowed if
the subsequent system failure rate is greater than 10^-3 per
flight hour.
4. Amend Sec. 25.629 by revising paragraph (a) and (d) introductory
text, redesignating paragraphs (d)(9) and (10) as paragraphs (d)(10)
and (11), and adding a new paragraph (d)(9) to read as follows:
Sec. 25.629 Aeroelastic stability requirements.
(a) General. The aeroelastic stability evaluation required under
this section includes flutter, divergence, control reversal and any
undue loss of stability and control as a result of structural
deformation. The aeroelastic evaluation must include whirl modes
associated with any propeller or rotating device that contributes
significant dynamic forces. Additionally, the evaluation must include
any condition of operation within the maneuvering envelope. Compliance
with this section must be shown by analyses, wind tunnel tests, ground
vibration tests, flight tests, or other means found necessary by the
Administrator.
* * * * *
(d) Failures, malfunctions, and adverse conditions. The failures,
malfunctions, and adverse conditions that must be considered in showing
compliance with this section are:
* * * * *
(9) The following flight control system failure combinations in
which aeroelastic stability relies on flight control system stiffness,
damping or both:
(i) Any dual hydraulic system failure.
(ii) Any dual electrical system failure.
(iii) Any single failure in combination with any probable hydraulic
or electrical system failure.
* * * * *
5. Revise Sec. 25.671 to read as follows:
Sec. 25.671 General.
(a) Each flight control system must operate with the ease,
smoothness, and positiveness appropriate to its function. The flight
control system must continue to operate and respond appropriately to
commands, and must not hinder airplane recovery, when the airplane is
experiencing any pitch, roll, or yaw rate, or vertical load factor that
could occur due to operating or environmental conditions, or when the
airplane is in any attitude.
(b) Each element of each flight control system must be designed, or
distinctively and permanently marked, to minimize the probability of
incorrect assembly that could result in failure or malfunctioning of
the system. The applicant may use distinctive and permanent marking
only where design means are impractical.
(c) The airplane must be shown by analysis, test, or both, to be
capable of continued safe flight and landing after any of the following
failures or jams in the flight control system within the normal flight
envelope. Probable malfunctions must have only minor effects on control
system operation and must be capable of being readily counteracted by
the pilot.
(1) Any single failure, excluding failures of the type defined in
Sec. 25.671(c)(3);
(2) Any combination of failures not shown to be extremely
improbable, excluding failures of the type defined in Sec.
25.671(c)(3); and
(3) Any failure or event that results in a jam of a flight control
surface or pilot control that is fixed in position due to a physical
interference. The jam must be evaluated as follows:
(i) The jam must be considered at any normally encountered position
of the control surface or pilot control.
(ii) The jam must be assumed to occur anywhere within the normal
flight envelope and during any flight phase except during the time
immediately before touchdown if the risk of a potential jam is
minimized to the extent practical.
(iii) In the presence of the jam, any additional failure conditions
that could prevent continued safe flight and landing must have a
combined probability of 1/1000 or less.
(d) If all engines fail at any point in the flight, the airplane
must be controllable, and an approach and flare to a landing and
controlled stop, and flare to a ditching, must be possible, without
requiring exceptional piloting skill or strength.
(e) The airplane must be designed to indicate to the flightcrew
whenever the primary control means is near the limit of control
authority.
(f) If the flight control system has multiple modes of operation,
appropriate flightcrew alerting must be provided whenever the airplane
enters any mode that significantly changes or degrades the normal
handling or operational characteristics of the airplane.
6. Amend Sec. 25.901 by revising paragraph (c) to read as follows:
Sec. 25.901 Installation.
* * * * *
(c) For each powerplant and auxiliary power unit installation, the
applicant must comply with the requirements of Sec. 25.1309, except
that the effects of the following failures need not comply with Sec.
25.1309(b)--
(1) Engine case burn-through or rupture,
(2) Uncontained engine rotor failure, and
(3) Propeller debris release.
* * * * *
7. Amend Sec. 25.933 by revising paragraph (a)(1) to read as follows:
Sec. 25.933 Reversing systems.
(a) * * *
(1) For each system intended for ground operation only, the
applicant must show--
(i) The airplane is capable of continued safe flight and landing
during and after any thrust reversal in flight; or
[[Page 68735]]
(ii) The system complies with Sec. 25.1309(b) using the assumption
the airplane would not be capable of continued safe flight and landing
during and after an in-flight thrust reversal.
* * * * *
8. Revise Sec. 25.1301 to read as follows:
Sec. 25.1301 Function and installation.
Each item of installed equipment must--
(a) Be of a kind and design appropriate to its intended function;
(b) Be labeled as to its identification, function, or operating
limitations, or any applicable combination of these factors; and
(c) Be installed according to limitations specified for that
equipment.
9. Revise Sec. 25.1309 to read as follows:
Sec. 25.1309 Equipment, systems, and installations.
The requirements of this section, except as identified below, apply
to any equipment or system as installed on the airplane. Although this
section does not apply to the performance and flight characteristic
requirements of subpart B of this part, or to the structural
requirements of subparts C and D of this part, it does apply to any
system on which compliance with any of those requirements is dependent.
Section 25.1309(b) does not apply to the flight control jam conditions
addressed by Sec. 25.671(c)(3); single failures in the brake system
addressed by Sec. 25.735(b)(1); the failure conditions addressed by
Sec. Sec. 25.810(a)(1)(v) and 25.812; uncontained engine rotor
failure, engine case rupture, or engine case burn-through failures
addressed by Sec. Sec. 25.903(d)(1) and 25.1193 and part 33 of this
chapter; and propeller debris release failures addressed by Sec.
25.905(d) and part 35 of this chapter.
(a) The airplane's equipment and systems must be designed and
installed so that:
(1) The equipment and systems required for type certification or by
operating rules, or whose improper functioning would reduce safety,
perform as intended under the airplane operating and environmental
conditions; and
(2) Other equipment and systems, functioning normally or
abnormally, do not adversely affect the safety of the airplane or its
occupants or the proper functioning of the equipment and systems
addressed by paragraph (a)(1) of this section.
(b) The airplane systems and associated components, evaluated
separately and in relation to other systems, must be designed and
installed so that they meet all of the following requirements:
(1) Each catastrophic failure condition--
(i) Must be extremely improbable; and
(ii) Must not result from a single failure.
(2) Each hazardous failure condition must be extremely remote.
(3) Each major failure condition must be remote.
(4) Each significant latent failure must be eliminated as far as
practical, or, if not practical to eliminate, the latency of the
significant latent failure must be minimized. However, the requirements
of the previous sentence do not apply if the associated system meets
the requirements of paragraphs (b)(1) and (b)(2) of this section,
assuming the significant latent failure has occurred.
(5) For each catastrophic failure condition that results from two
failures, either of which could be latent for more than one flight, the
applicant must show that--
(i) It is impractical to provide additional fault tolerance; and
(ii) Given the occurrence of any single latent failure, the
residual average probability of the catastrophic failure condition due
to all subsequent active failures is remote; and
(iii) The sum of the probabilities of the latent failures that are
combined with each active failure does not exceed 1/1000.
(c) The airplane and systems must provide information concerning
unsafe system operating conditions to the flightcrew to enable them to
take appropriate corrective action in a timely manner. Systems and
controls, including information, indications, and annunciations, must
be designed to minimize flightcrew errors that could create additional
hazards.
(d) Reserved.
(e) The applicant must establish certification maintenance
requirements as necessary to prevent the development of the failure
conditions described in paragraph (b) of this section. These
requirements must be included in the Airworthiness Limitations section
of the Instructions for Continued Airworthiness required by Sec.
25.1529.
10. Amend Sec. 25.1365 by revising paragraph (a) to read as follows:
Sec. 25.1365 Electrical appliances, motors, and transformers.
(a) An applicant must show that, in the event of a failure of the
electrical supply or control system, the design and installation of
domestic appliances meet the requirements of Sec. 25.1309(b) and (c).
Domestic appliances are items such as cooktops, ovens, coffee makers,
water heaters, refrigerators, and toilet flush systems that are placed
on the airplane to provide service amenities to passengers.
* * * * *
11. Revise section H25.4 of appendix H to part 25 by adding paragraph
(a)(6) to read as follows:
Appendix H to Part 25--Instructions for Continued Airworthiness
* * * * *
H25.4 Airworthiness Limitations section.
* * * * *
(a) * * *
(6) Each certification maintenance requirement established to
comply with any of the applicable provisions of part 25.
* * * * *
Issued under authority provided by 49 U.S.C. 106(f), 106(g),
44701(a), and 44704 in Washington, DC.
Michael Gordon Whitaker,
Administrator.
[FR Doc. 2024-18511 Filed 8-26-24; 8:45 am]