[Federal Register Volume 89, Number 166 (Tuesday, August 27, 2024)]
[Rules and Regulations]
[Pages 68706-68735]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-18511]



[[Page 68705]]

Vol. 89

Tuesday,

No. 166

August 27, 2024

Part II





Department of Transportation





-----------------------------------------------------------------------





 Federal Aviation Administration





-----------------------------------------------------------------------





14 CFR Part 25





System Safety Assessments; Final Rule

  Federal Register / Vol. 89 , No. 166 / Tuesday, August 27, 2024 / 
Rules and Regulations  

[[Page 68706]]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Part 25

[Docket No.: FAA-2022-1544; Amdt. No. 25-152]
RIN 2120-AJ99


System Safety Assessments

AGENCY: Federal Aviation Administration (FAA), Department of 
Transportation (DOT).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The FAA is amending certain airworthiness regulations to 
standardize the criteria for conducting safety assessments for systems, 
including flight controls and powerplants, installed on transport 
category airplanes. With this action, the FAA seeks to reduce risk 
associated with airplane accidents and incidents that have occurred in 
service, and reduce risk associated with new technology in flight 
control systems. The intended effect of this rulemaking is to improve 
aviation safety by making system safety assessment (SSA) certification 
requirements more comprehensive and consistent.

DATES: Effective September 26, 2024.

ADDRESSES: For information on where to obtain copies of rulemaking 
documents and other information related to this final rule, see ``How 
to Obtain Additional Information'' in the SUPPLEMENTARY INFORMATION 
section of this document.

FOR FURTHER INFORMATION CONTACT: Todd Martin, Technical Policy Branch, 
Policy and Standards Division, Aircraft Certification Service, Federal 
Aviation Administration, 2200 South 216th Street, Des Moines, WA 98198; 
telephone and fax (206) 231-3210; email [email protected].

SUPPLEMENTARY INFORMATION:

I. Authority for This Rulemaking

    The FAA's authority to issue rules on aviation safety is found in 
Title 49 of the United States Code. Subtitle I, Section 106 describes 
the authority of the FAA Administrator. Subtitle VII, Aviation 
Programs, describes in more detail the scope of the FAA's authority.
    This rulemaking is promulgated under the authority described in 
Subtitle VII, Part A, Subpart III, Section 44701, ``General 
Requirements.'' Under that section, the FAA is charged with promoting 
safe flight of civil aircraft in air commerce by prescribing 
regulations and minimum standards for the design and performance of 
aircraft that the Administrator finds necessary for safety in air 
commerce. This regulation is within the scope of that authority. It 
prescribes new safety standards for the design and operation of 
transport category airplanes.

II. Acronyms Frequently Used in This Document

           Table 1--Acronyms Frequently Used in This Document
------------------------------------------------------------------------
           Acronym                             Definition
------------------------------------------------------------------------
AC...........................  Advisory Circular.
AD...........................  Airworthiness Directive.
AFM..........................  Airplane Flight Manual.
ALS..........................  Airworthiness Limitations section.
ARAC.........................  Aviation Rulemaking Advisory Committee.
ASAWG........................  Airplane Level Safety Analysis Working
                                Group.
CAST.........................  Commercial Aviation Safety Team.
CMR..........................  Certification Maintenance Requirement.
CS-25........................  Certification Specifications for Large
                                Aeroplanes (issued by EASA).
CSL+1........................  Catastrophic Single Latent Failure Plus
                                One (a failure condition).
EASA.........................  European Union Aviation Safety Agency.
ELOS.........................  Equivalent Level of Safety.
EWIS.........................  Electrical Wiring Interconnection System.
FCHWG........................  Flight Controls Harmonization Working
                                Group.
FTHWG........................  Flight Test Harmonization Working Group.
ICA..........................  Instructions for Continued Airworthiness.
LDHWG........................  Loads and Dynamics Harmonization Working
                                Group.
NTSB.........................  National Transportation Safety Board.
PPIHWG.......................  Powerplant Installation Harmonization
                                Working Group.
SDAHWG.......................  System Design and Analysis Harmonization
                                Working Group.
SLF..........................  Significant Latent Failure.
SSA..........................  System Safety Assessment.
------------------------------------------------------------------------

Table of Contents

I. Authority for This Rulemaking
II. Acronyms Frequently Used in This Document
III. Overview of Final Rule
IV. Background
    A. Statement of the Problem
    B. Related Actions
    C. NTSB Recommendations
    D. Summary of the NPRM
    E. General Overview of Comments
V. Discussion of Comments and the Final Rule
    A. Section 25.4, Definitions
    B. Section 25.302, Interaction of Systems and Structures
    C. Section 25.629, Aeroelastic Stability Requirements
    D. Section 25.671, Flight Control Systems
    E. Section 25.901, Engine Installation
    F. Section 25.933, Reversing Systems
    G. Section 25.1301, Function and Installation
    H. Section 25.1309, Equipment, Systems and Installations
    I. Section 25.1365, Electrical Appliances, Motors, and 
Transformers
    J. Miscellaneous Comments
    K. Advisory Material
VI. Regulatory Notices and Analyses
    A. Regulatory Evaluation
    B. Regulatory Flexibility Determination
    C. International Trade Impact Assessment
    D. Unfunded Mandates Assessment
    E. Paperwork Reduction Act
    F. International Compatibility
    G. Environmental Analysis
VII. Executive Order Determinations
    A. Executive Order 13132, Federalism
    B. Executive Order 13175, Consultation and Coordination With 
Indian Tribal Governments
    C. Executive Order 13211, Regulations That Significantly Affect 
Energy Supply, Distribution, or Use
    D. Executive Order 13609, Promoting International Regulatory 
Cooperation
VIII. Additional Information
    A. Electronic Access and Filing

[[Page 68707]]

    B. Small Business Regulatory Enforcement Fairness Act

III. Overview of Final Rule

    The FAA is amending regulations in title 14, Code of Federal 
Regulations (14 CFR) part 25 (Airworthiness Standards: Transport 
Category Airplanes) related to the safety assessment \1\ of airplane 
systems. The changes to part 25 affect applicants for type 
certification and operators of transport category airplanes. Applicants 
for type certification will be required to conduct their SSAs in 
accordance with the revised regulations. Changes to the Instructions 
for Continued Airworthiness (ICA) affect operators of newly certified 
airplanes, although the impact on those operators is not significant.
---------------------------------------------------------------------------

    \1\ A system safety assessment is a structured process intended 
to systematically identify the risks pertinent to the design of 
aircraft systems, and to show that the systems meet safety 
requirements.
---------------------------------------------------------------------------

    The FAA is revising and adding new safety standards to reduce the 
likelihood of potentially catastrophic risks due to latent failures in 
critical systems.
    Because modern aircraft systems (for example, avionics and fly-by-
wire systems) are much more integrated than they were when the current 
safety criteria in Sec.  25.1309 and other system safety assessment 
rules were established in 1970,\2\ the new standards are more 
consistent for all systems of the airplane, reducing the chance of a 
hazard falling into a gap between the different regulatory requirements 
for different systems.
---------------------------------------------------------------------------

    \2\ 35 FR 5665 (Apr. 8, 1970).
---------------------------------------------------------------------------

    Consistent criteria for conducting SSAs also provides 
predictability for applicants by reducing the number of issue papers 
and special conditions necessary for airplane certification 
projects.\3\
---------------------------------------------------------------------------

    \3\ As discussed in the preamble, special conditions are rules 
of particular applicability that the FAA issues to address novel or 
unusual design features. See 14 CFR 21.16.
---------------------------------------------------------------------------

    Specifically, this final rule--
     Requires that applicants limit the likelihood of a 
catastrophic failure condition that results from a combination of two 
failures, either of which could be latent for more than one flight. See 
Sec.  25.1309(b)(5).
     Revises safety assessment regulations to eliminate 
ambiguity in, and provide consistency between, the safety assessments 
that applicants must conduct for different types of airplane systems. 
Section 25.1309 continues to contain the safety assessment criteria 
applicable to most airplane systems. Section 25.901(c) (powerplant 
installations) is amended to remove general system safety criteria. 
Instead, the powerplant installations covered in this section are 
required to comply with Sec.  25.1309 (system safety criteria). Section 
25.933(a) (thrust reversing systems) allows compliance with Sec.  
25.1309 as an option. Sections 25.671, 25.901, and 25.933 continue to 
contain criteria specific to flight control systems, powerplant 
installations, and thrust reversing systems, respectively, that are not 
addressed by Sec.  25.1309.
     Requires applicants to assess and account for any effect 
that the failure of a system could have on the structural performance 
of the airplane. See Sec.  25.302.
     Defines the different types of failure of flight control 
systems, including jams, and defines the criteria for safety assessment 
of those types of failures. See Sec.  25.671.
     Requires applicants to include, in the Airworthiness 
Limitations Section (ALS) of the airplane's ICA, necessary maintenance 
tasks that applicants identify during their SSAs. See Sec.  25.1309(e).
     Removes the ``function properly when installed'' criterion 
in Sec.  25.1301(a)(4) for installed equipment whose function is not 
needed for safe operation of the airplane.

IV. Background

A. Statement of the Problem

    This action is necessary because airplane accidents, incidents, and 
service difficulties have occurred as a result of failures in airplane 
systems. Some of these occurrences were caused, in part, by 
insufficient design standards for controlling the risk of latent 
failures, which are failures that are not detected or annunciated when 
they occur. Current FAA regulations do not prevent the certification of 
an airplane with a latent failure that, when combined with another 
failure, could cause a hazardous or catastrophic accident.
    Also, current regulations do not require establishment of mandatory 
inspections for significant latent failures (SLFs) that may pose a risk 
in maintaining the airworthiness of the airplane design. Such 
inspections are currently undertaken as industry practice and may be 
necessary to reduce exposure to these latent failures so airplanes 
continue to meet safety standards while in service.
    Additionally, current regulations do not adequately address new 
technology in flight control systems and the effects these systems can 
have on controllability and structural capability. These issues are 
currently addressed by special conditions and equivalent level of 
safety (ELOS) findings.
    This action is also necessary to address flight control systems 
whose failure can affect the loads imposed on the airplane structure.
    Lastly, certain system safety requirements have not been 
standardized across airplane systems. These regulations have specified 
different safety assessment criteria for different systems, which can 
lead to inconsistent standards across the airplane. Also, when systems 
that traditionally have been separate become integrated using new 
technology, applicants have expressed uncertainty regarding which 
standard to apply.
    The FAA is addressing these issues by revising the system safety 
assessment requirements in part 25.

B. Related Actions

1. Aviation Rulemaking Advisory Committee (ARAC) Recommendations
    Advances in flight controls technology, increased airplane system 
integration, and certain incidents, accidents, and service difficulties 
related to system failures prompted the FAA to task the ARAC with 
developing recommendations for new or revised requirements and 
compliance methods related to the safety assessment of airplane and 
powerplant systems. The ARAC accepted tasks on various airplane systems 
issues and assigned them to the Powerplant Installation Harmonization 
Working Group (PPIHWG),\4\ Flight Controls Harmonization Working Group 
(FCHWG),\5\ Loads and Dynamics Harmonization Working Group (LDHWG),\6\ 
and System Design and Analysis Harmonization Working Group (SDAHWG).\7\ 
The FAA also tasked the ARAC to make recommendations for harmonizing 
the relevant part 25 rules with the corresponding European 
certification specifications for large airplanes.\8\ The ARAC accepted 
this task

[[Page 68708]]

and assigned it to the relevant working groups.
---------------------------------------------------------------------------

    \4\ 57 FR 58844 (Dec. 11, 1992).
    \5\ 63 FR 45554 (Aug. 26, 1998).
    \6\ 59 FR 30081 (Jun. 10, 1994).
    \7\ 61 FR 26246 (May 24, 1996).
    \8\ As the FAA noted in the Federal Register in 1993: ``The FAA 
announced at the Joint Aviation Authorities (JAA)-Federal Aviation 
Administration (FAA) Harmonization Conference in Toronto, Ontario, 
Canada, (June 2-5, 1992) that it would consolidate within the 
Aviation Rulemaking Advisory Committee structure an ongoing 
objective to ``harmonize'' the Joint Aviation Requirements (JAR) and 
the Federal Aviation Regulations (FAR). Coincident with that 
announcement, the FAA assigned to the ARAC those projects related to 
JAR/FAR 25, 33 and 35 harmonization which were then in the process 
of being coordinated between the JAA and the FAA.'' 58 FR 13819, 
13820 (Mar. 15, 1993).
---------------------------------------------------------------------------

    Although the working groups each addressed the subject of managing 
latent failures in safety critical systems, their recommendations were 
not consistent when defining the criteria for latent failures. After 
reviewing the relevant regulations and the recommendations from the 
working groups, the FAA, along with the European, Canadian, and 
Brazilian civil aviation authorities, identified a need to standardize 
SSA criteria.
    Therefore, in 2006, the FAA tasked the ARAC, which assigned the 
task to the Airplane-Level Safety Assessment Working Group (ASAWG),\9\ 
with creating consistent SSA criteria. The ASAWG completed its work in 
May 2010 and recommended a set of consistent requirements that would 
apply to all systems. Specific areas addressed in the recommendation 
report include latent failures, aging and wear, Master Minimum 
Equipment Lists, and flight and diversion time. The ASAWG recommended 
that the general system safety criteria for all airplane systems be 
governed by Sec.  25.1309, and recommended adjustments to the 
regulations and advisory material addressed by the working groups 
mentioned previously, to implement consistent system safety criteria. 
All ARAC working group recommendation reports are available in the 
docket for this final rule.
---------------------------------------------------------------------------

    \9\ 71 FR 14284 (Mar. 21, 2006).
---------------------------------------------------------------------------

2. Harmonization With European Union Aviation Safety Agency (EASA) 
Certification Standards
    EASA certification standards for large airplanes (CS-25) prescribes 
the airworthiness standards corresponding to 14 CFR part 25 for 
transport category airplanes certified by the European Union. 
Applicants for FAA type certification of transport category airplanes 
may also seek EASA validation of the FAA's type certificate. Where part 
25 and CS-25 differ, an applicant must meet both airworthiness 
standards to obtain a U.S. type certificate and validation of the type 
certificate by foreign authorities, or obtain exemptions, equivalent 
level of safety findings or special conditions, or the foreign 
authority's equivalent to those, as necessary to meet one standard in 
lieu of the other. Where FAA and EASA can maintain harmonized 
requirements, applicants for type certification benefit by having a 
single set of requirements with which they must show compliance, 
thereby reducing the cost and complexity of certification and ensuring 
a consistent level of safety.
    EASA incorporated the SDAHWG-recommended changes to CS/Sec. Sec.  
25.1301 and 25.1309, and associated guidance, in its initial issuance 
of CS-25 on October 17, 2003.\10\ EASA incorporated the criteria 
regarding interaction of systems and structures recommended by the 
LDHWG into its regulatory framework as CS 25.302 and appendix K of CS-
25 at amendment 25/1 on December 12, 2005.\11\ EASA incorporated the 
PPIHWG-recommended changes to CS/Sec. Sec.  25.901(c) and 25.933(a)(1), 
and associated guidance, at amendment 25/1. EASA incorporated the 
ASAWG-recommended regulatory and advisory material implementing 
consistent SSA criteria, at amendment 25/24 to CS-25, on January 10, 
2020.\12\ This final rule harmonizes FAA requirements with those of 
EASA to the extent possible, with differences described in the section 
entitled ``Discussion of Comments and the Final Rule.''
---------------------------------------------------------------------------

    \10\ www.easa.europa.eu/en/downloads/1516/en.
    \11\ www.easa.europa.eu/en/document-library/certification-
specifications/cs-25-amendment-1.
    \12\ www.easa.europa.eu/en/downloads/108354/en.
---------------------------------------------------------------------------

C. NTSB Recommendations

    This final rule addresses National Transportation Safety Board 
(NTSB) Safety Recommendations A-99-22, A-99-23,\13\ A-02-51,\14\ and A-
14-119.\15\
---------------------------------------------------------------------------

    \13\ NTSB Safety Recommendations A-99-22 and A-99-23 are 
available in the docket and at www.ntsb.gov/safety/safety-recs/recletters/A99_20_29.pdf.
    \14\ NTSB Safety Recommendation A-02-51 is available in the 
docket and at www.ntsb.gov/safety/safety-recs/recletters/A02_36_51.pdf.
    \15\ NTSB Safety Recommendation A-14-119 is available in the 
docket and www.ntsb.gov/safety/safety-recs/recletters/A-14-113-127.pdf.
---------------------------------------------------------------------------

    In Safety Recommendation A-99-22, the NTSB recommends that the FAA 
ensure that future transport category airplanes provide a reliably 
redundant rudder actuation system. In Safety Recommendation A-99-23, 
the NTSB recommends that the FAA require type certificate applicants to 
show that transport category airplanes are capable of continued safe 
flight and landing after jamming of a flight control at any deflection 
possible, up to and including its full deflection, unless the applicant 
shows that such a jam is extremely improbable. The final rule addresses 
these recommendations by revising Sec.  25.671(c).
    In Safety Recommendation A-02-51, the NTSB recommends that the FAA 
review and revise airplane certification regulations, and associated 
guidance, applicable to the certification of transport category 
airplanes, to ensure that applicants fully address wear-related 
failures so that, to the maximum extent possible, such failures will 
not be catastrophic. The requirement to include certification 
maintenance requirements (CMRs) in the ALS responds to this safety 
recommendation, as well as the ACs accompanying this final rule that 
contain guidance on assessing wear-related failures as part of the SSA.
    In Safety Recommendation A-14-119, the NTSB recommends that the FAA 
provide its certification engineers with written guidance and training 
to ensure that assumptions, data sources, and analytical techniques are 
fully identified and justified in applicants' safety assessments for 
designs incorporating new technology. Additionally, the NTSB recommends 
that an appropriate level of conservatism be included in the analysis 
or design, consistent with the intent of the draft guidance material 
that the SDAHWG recommended. AC 25.1309-1B, accompanying this final 
rule, contains the guidance.\16\
---------------------------------------------------------------------------

    \16\ This advisory circular, and the other advisory circulars 
that accompany this final rule, are in the docket.
---------------------------------------------------------------------------

D. Summary of the NPRM

    The FAA issued an NPRM on December 8, 2022 (87 FR 75424), that 
proposed amending certain airworthiness regulations. These regulations 
concern safety assessments for systems, including flight controls and 
powerplants, installed on transport category airplanes. The NPRM 
explained how the proposed regulations would reduce risk associated 
with airplane accidents and incidents that have occurred in service, 
and reduce risk associated with new technology in flight control 
systems. This action finalizes the proposal with changes made to 
address comments.

E. General Overview of Comments

V. Discussion of Comments and the Final Rule

Harmonization

    The NPRM explained that the FAA's proposed rule would harmonize 
with the requirements of EASA to the extent possible, although there 
were differences in the requirements and language of the FAA's proposed 
regulations compared to EASA's corresponding regulations in CS-25. 
Almost all organizational commenters requested the FAA revise the 
proposed rule to harmonize more closely with EASA CS-25. These 
commenters expressed concern that differences between the FAA's 
proposal and

[[Page 68709]]

EASA's existing regulations would burden applicants requesting 
validation of a type certificate issued by another civil aviation 
authority because the applicants would have to meet two sets of 
requirements and show multiple means of compliance for certification of 
the same design. As discussed below, the FAA decided to address this 
concern by increasing harmonization of its final rule with the 
corresponding EASA CS-25 requirements.
    The FAA acknowledges that there are some remaining differences 
between the FAA's and EASA's regulations on this topic. The majority of 
differences between the final rule and the corresponding CS-25 
regulations are differences in wording or structure that were made to 
satisfy FAA rulemaking constraints or improve the final rule language 
due to requests from commenters. Although a few differences may be 
significant standards differences,\17\ as subsequently explained, the 
FAA does not expect these differences to increase the cost and 
complexity of certification for applicants pursuing validation nor 
result in a different level of safety between authorities.
---------------------------------------------------------------------------

    \17\ Significant standards difference (SSD) refers to a 
validating authority airworthiness standard that either differs 
significantly from the certifying authority (CA) standard or has no 
CA equivalent. Reference: Technical Implementation Procedures for 
Airworthiness and Environmental Certification between the FAA and 
EASA, Revision 7, dated October 19, 2023, in the docket.
---------------------------------------------------------------------------

    In addition, the commenters addressed the draft ACs that 
accompanied the NPRM. The FAA's responses to these comments can be 
found at the Dynamic Regulatory System (drs.faa.gov), along with the 
finalized ACs.

A. Section 25.4, Definitions

    In the NPRM, the FAA proposed new Sec.  25.4 to define certain 
terms that the FAA is using in these revised regulations for system 
safety assessment of transport category airplanes.
1. Add Definitions
    Boeing and GAMA/AIA requested the FAA add definitions of several 
terms to Sec.  25.4, including ``continued safe flight and landing,'' 
``flightcrew,'' ``cabin crew,'' ``ground crew,'' ``maintenance 
personnel,'' ``exposure time,'' ``safety requirements'' and ``candidate 
CMR.'' GAMA/AIA requested the FAA explain why some terms, but not 
others, were defined in proposed Sec.  25.4.
    The FAA does not agree to add new terms to Sec.  25.4 in this final 
rule. The FAA's intent in adding Sec.  25.4 is to define key terms that 
are new to part 25 rule text and used in the regulations that are part 
of this rulemaking (e.g., failure condition categories and 
probabilities). AC 25.671-1, Control Systems--General, and AC 25.1309-
1B, System Design and Analysis, include additional definitions for 
terms related to the requirements of Sec. Sec.  25.671 and 25.1309.
    Boeing, GAMA/AIA, and Gulfstream suggested that the FAA add 
definitions for terms commonly used throughout part 25 regulations 
(e.g., ``impractical,'' ``essential'' and ``critical''). The FAA 
declines to define additional terms used in part 25, because the FAA 
does not intend Sec.  25.4 to include every term that is repeated in 
part 25.
2. Remove Definitions
    ANAC, Bombardier, and Garmin requested the FAA not adopt proposed 
Sec.  25.4, Definitions. ANAC preferred that the FAA define these terms 
in 14 CFR part 1, Definitions and Abbreviations, while Bombardier and 
Garmin preferred that the FAA define these terms in guidance so that 
they can be more easily changed as needed. Gulfstream also noted that 
several terms that the FAA proposed to be included in Sec.  25.4 are 
not extensively used in part 25 and should be relocated to AC 25.1309-
1B.
    The FAA does not agree to omit new Sec.  25.4 from the final rule. 
Section 25.4 is necessary to define key terms and concepts that are new 
to part 25 rule text and part of this rulemaking. AC 25.1309-1B 
provides further information on these terms.
    Gulfstream requested that the FAA move ``hazardous failure 
condition'' to AC 25.1309, unless the definition is applicable to 
``hazardous'' across all regulations.
    The FAA does not agree to move this definition to the AC. The 
definition for ``hazardous failure condition'' in Sec.  25.4(b)(2) only 
applies to the part 25 regulations in which that exact phrase is used, 
and it does not apply to the terms ``hazard'' or ``hazardous,'' which 
are used throughout part 25 in different contexts. The FAA's use of 
``hazardous'' across other part 25 rules does not necessarily imply a 
hazardous effect on the aircraft, flightcrew, or occupants. While not 
relevant to the Gulfstream comment, the FAA notes a similar situation 
exists with the term ``extremely remote.'' The Sec.  25.4(c)(3) 
definition of ``extremely remote failure condition'' does not apply to 
the term ``extremely remote'' as used in Sec.  25.933 or Sec.  25.937. 
When those regulations were published, the term ``extremely remote'' 
meant ``extremely improbable,'' as used today.\18\
---------------------------------------------------------------------------

    \18\ The use of the term ``extremely remote'' in Sec. Sec.  
25.933 and 25.937 dates to the initial issue of 14 CFR in 1965. 
Section 25.933 was based on Civil Air Regulation (CAR) 4b.407, which 
was adopted at amendment 4b-01, May 17, 1954. Section 25.937 was 
based on CAR 4b.408, which was adopted at amendment 4b-6, July 8, 
1957. The term ``extremely remote'' also appeared in CAR 04.310 on 
November 9, 1945. The FAA also stated in the Federal Register in 
2001, ``The term `extremely improbable' (or its predecessor term, 
`extremely remote') has been used in 14 CFR part 25 for many years. 
The objective of this term has been to describe a condition (usually 
a failure condition) that has a probability of occurrence so remote 
that it is not anticipated to occur in service on any transport 
category airplane.'' 66 FR 23086, 23108 (May 7, 2001).
---------------------------------------------------------------------------

3. Revise Definitions
    TCCA commented that the proposed definitions of ``major failure 
condition'' and ``hazardous failure condition'' do not include a pilot 
compensation aspect and suggested changes to these definitions. TCCA 
suggested adding ``(5) Considerable pilot compensation is required for 
control'' to the definition of ``major failure condition'' and ``(4) 
Intense pilot compensation is required to retain'' to the definition of 
``hazardous failure condition'' in accordance with a pilot task-
oriented approach for evaluating airplane handling qualities. The FAA 
does not agree to change the definitions as suggested. The FAA's 
definitions of ``major failure condition'' and ``hazardous failure 
condition'' already include the effects on the flightcrew and their 
workload. Lastly, the definitions of ``major failure condition'' and 
``hazardous failure condition'' specified in Sec.  25.4 are harmonized 
with those specified in EASA AMC 25.1309. Changing those definitions 
would disharmonize them with that AMC.
    GAMA/AIA and Gulfstream requested the FAA replace ``persons'' with 
``occupants'' in the Sec.  25.4 definition of ``hazardous failure 
condition.'' The commenters stated that the use of ``persons'' in lieu 
of ``occupants'' is an unsubstantiated expansion of the scope of the 
safety analysis to include people not on the aircraft. In addition, 
EASA's definition uses ``occupants.'' The FAA does not agree with this 
request. The FAA intends the term ``persons'' not to be limited to 
aircraft occupants. Although EASA's definition uses the term 
``occupants,'' EASA has interpreted ``occupants'' to include persons 
other than airplane occupants in its Acceptable Means of Compliance 
(AMC) 25.1309. Specifically, AMC 25.1309 states, ``Where relevant, the 
effects on persons other than the aeroplane occupants should be taken

[[Page 68710]]

into account when assessing failure conditions in compliance with CS 
25.1309.''
    TCCA commented that the FAA should revise its definition of 
``hazardous failure condition'' to exclude fatalities. TCCA stated that 
any fatalities should be considered catastrophic. The FAA did not make 
this change in this final rule, as doing so would not be consistent 
with long-standing FAA equivalent safety findings, nor with industry 
standards and practice, and would disharmonize the definition of 
``hazardous failure condition'' with EASA AMC 25.1309.
    Boeing and GAMA/AIA requested the FAA revise the definition of 
``catastrophic failure condition'' to incorporate a note regarding 
failure conditions, which would prevent continued safe flight and 
landing (CSFL). Boeing also requested the FAA standardize the 
definition across the ACs associated with this rulemaking because the 
draft ACs were not consistent in their use of CSFL and associating this 
concept with ``catastrophic failure condition.'' The FAA partially 
agrees with this request. The FAA added a note to the definition of 
``catastrophic failure condition'' in AC 25.1309-1B to indicate that a 
failure condition that would prevent continued safe flight and landing 
should be classified as ``catastrophic'' unless otherwise defined in 
other, more specific, ACs. The FAA did not add the note to the 
regulatory definition in Sec.  25.4 because the note is guidance on the 
application of the definition.
    Boeing requested that the FAA update the Sec.  25.4(b)(1) 
definition of ``major failure condition'' to add ``physical 
discomfort'' as an effect on the flight crew and to use the term 
``cabin crew'' instead of ``flight attendants'' for consistency with 
EASA Acceptable Means of Compliance (AMC) 25.1309. The FAA agrees and 
has incorporated these updates in the final rule for Sec.  25.4(b)(1).
    GAMA/AIA and Gulfstream requested the FAA remove Sec.  
25.4(b)(1)(iv) (``An effect of similar severity'') from the definition 
of ``major failure condition'' in Sec.  25.4(b)(1). They stated this is 
a new addition to the definition and may cause confusion. The FAA does 
not agree to remove ``an effect of similar severity'' from the 
definition. This phrase replaces the term ``for example'' in EASA's 
definition. This does not add any additional criteria to the existing 
safety objective of ``major'' severity.
    Boeing and GAMA/AIA requested the FAA revise the definition of 
``significant latent failure'' to ``Any latent failure that is present 
in any combination of failures or events resulting in a hazardous or 
catastrophic failure condition.'' Boeing stated that this proposed 
definition minimizes possible misunderstanding or misinterpretation of 
the significant latent failure. The FAA did not make this change 
because the wording of the significant latent failure definition is 
well-established and unchanged from AC 25.1309-1A.
    Except for the foregoing updates to the definition of ``major 
failure condition'' in Sec.  25.4(b)(1), new Sec.  25.4, Definitions, 
is adopted as proposed.

B. Section 25.302, Interaction of Systems and Structures

    In the NPRM, the FAA proposed a new section, Sec.  25.302, that 
would require an applicant to account for systems, and their possible 
failure, when assessing the structural performance of its proposed 
design. Modern flight control systems are more sophisticated than their 
predecessors and offer advantages such as load limiting and 
alleviation. However, as the FAA discussed in the NPRM, these systems 
can also have failure states that may allow the system to function in 
degraded modes that flightcrews may not readily detect and in which the 
load alleviation or limiting function may be adversely affected.
    The FAA based much of its proposed regulation on the requirements 
of special conditions that the FAA has issued for several years to 
address these concerns on previous certification programs. However, as 
detailed in the NPRM, proposed Sec.  25.302 included a number of 
differences compared to the special conditions and as compared to EASA 
CS 25.302. The primary objective of the Sec.  25.302 rule that the FAA 
proposed in the NPRM was to reduce confusion for authorities and 
applicants by simplifying the rule text relative to previously-issued 
special conditions.
    ATR, Boeing, Bombardier, TCCA, Airbus, EASA, GAMA/AIA, Gulfstream, 
and ANAC did not object to the FAA codifying the terms of its special 
conditions that it has been issuing to address this issue. However, 
they requested the FAA harmonize (by using the same language and, if 
possible, the same paragraph and appendix numbering for) proposed Sec.  
25.302 as EASA CS 25.302, which includes Appendix K by reference.
    The FAA recognizes the benefits of harmonization. These benefits 
include regulatory predictability and the reduction of burden on 
applicants and civil aviation authorities. Therefore, except as 
discussed below, in this final rule, the FAA has harmonized new Sec.  
25.302 with EASA CS 25.302 to match the language and structure of 
EASA's rule to the extent allowed by FAA rulemaking constraints.
    In this final rule, the FAA has revised the proposed Sec.  25.302 
to more closely harmonize with EASA CS 25.302, which includes Appendix 
K by reference. The FAA has revised proposed Sec.  25.302 to harmonize 
with CS 25.302 in the determination of structural safety factors; the 
load conditions that the applicant must consider following system 
failures; residual strength substantiation; fatigue and damage 
tolerance; failure indications; and dispatch with known failure 
conditions. The FAA is revising these requirements relative to what was 
proposed in the NPRM because much of the criteria in CS 25.302 more 
closely matches the FAA Interaction of Systems and Structures special 
conditions that have been applied on numerous transport category 
airplane programs and have proven to provide a satisfactory level of 
safety.\19\ Also, the NPRM proposal, if adopted, would have introduced 
a number of differences between FAA and EASA requirements and created a 
potential certification burden.
---------------------------------------------------------------------------

    \19\ 87 FR 16626 (Mar. 24, 2022); 82 FR 36328 (Aug. 4, 2017).
---------------------------------------------------------------------------

    The FAA stated in the NPRM that the proposed Sec.  25.302(e), which 
would have provided structural requirements for dispatch under the 
master minimum equipment list provided by the applicant, would provide 
safety benefits by using a simpler approach to address the risk 
associated with dispatching an airplane with known failure conditions. 
However, the FAA agrees with commenters that two different sets of 
criteria (FAA and EASA) would only cause more difficulty for 
manufacturers, the FAA, and other civil aviation authorities. The FAA 
also stated in the NPRM that proposed Sec.  25.302 would provide safety 
benefits by using simpler, and in some cases more conservative, 
criteria compared with CS 25.302 and previous FAA special conditions. 
The FAA agrees with commenters that its special conditions, which used 
the same factor-of-safety formulae as used in CS 25.302, have proven to 
provide a satisfactory level of safety and that more conservative 
criteria are not necessary. By more closely harmonizing with CS 25.302 
and previous FAA special conditions, applicants will be able to rely on 
past practices. The public could have reasonably anticipated the FAA 
would adopt final rule text that closely harmonizes with CS 25.302, 
given the FAA's prior special conditions, the common safety purpose of 
the FAA and EASA regulations on this topic, and the

[[Page 68711]]

harmonization discussion throughout the NPRM.
    In this final rule, the FAA has also revised Sec.  25.302 to 
harmonize with CS 25.302 in terms of the rule structure and paragraph 
numbering, although CS-25 includes CS 25.302 criteria within Appendix 
K, while 14 CFR part 25 includes all criteria directly in Sec.  25.302.
    The regulatory text proposed by the FAA in the NPRM did not require 
applicants to consider the effect of nonlinearities, but the preamble 
reflected the FAA's assumption that applicants would do so. Consistent 
with CS 25.302, in this final rule, the FAA has made this consideration 
a regulatory requirement.
    In the NPRM, the FAA stated that proposed Sec.  25.302 would not 
include any aeroelastic stability requirements, only loads 
requirements. The FAA did not revise this final rule to harmonize with 
CS 25.302 in terms of aeroelastic stability criteria. As discussed in 
the NPRM, the FAA finds that the failure criteria specified in Sec.  
25.629 are adequate, and there is no need to propose different failure 
criteria in Sec.  25.302.
    Airbus, Boeing, Bombardier, Dassault, DeHavilland, GAMA/AIA, 
Gulfstream, Pratt & Whitney, and TCCA requested specific changes to 
proposed Sec.  25.302 in the event the FAA chose not to harmonize Sec.  
25.302 with EASA CS 25.302. The requested specific changes are no 
longer applicable as the FAA has largely harmonized Sec.  25.302 in 
this final rule with EASA CS 25.302.
    Airbus proposed that the FAA consolidate, into new Sec.  25.302, 
the requirement of Sec.  25.305(f) that the airplane must be designed 
to withstand any forced structural vibration resulting from any 
failure, malfunction, or adverse condition in the flight control 
system. The FAA does not agree. In this final rule, the FAA keeps those 
as separate requirements because the requirement in Sec.  25.305(f) may 
apply to systems and failures not addressed by Sec.  25.302. Also, 
Sec.  25.305(f) is currently harmonized with CS 25.305(f).
1. Summary of Requirements
    For airplanes equipped with systems that affect structural 
performance, Sec.  25.302, in this final rule, requires the applicant 
take into account the influence of these systems and their failure 
conditions when showing compliance with the requirements of subparts C 
and D of 14 CFR part 25. New Sec.  25.302(b) specifies requirements for 
when the systems are fully operative. New Sec.  25.302(c) specifies 
requirements for failure conditions at the time of occurrence (Sec.  
25.302(c)(1)) and for the continuation of flight (Sec.  25.302(c)(2)). 
New Sec.  25.302(c) includes requirements related to structural 
vibrations, residual strength, and fatigue and damage tolerance for 
these failure conditions. Finally, the rule provides failure indication 
(Sec.  25.302(d)) and dispatch requirements (Sec.  25.302(e)).
2. Applicability
    Boeing, Bombardier, DeHavilland, GAMA/AIA, and Pratt & Whitney 
requested that the FAA clarify the applicability of proposed Sec.  
25.302, including whether the FAA's final rule would apply only, as did 
the FAA's special conditions and EASA CS 25.302, to the airplane 
structure whose failure could prevent continued safe flight and 
landing. The applicability of Sec.  25.302 in this final rule is as 
follows.
    As stated in the final rule text, Sec.  25.302 applies to systems 
that affect structural performance, either directly or as a result of a 
failure or malfunction. A system affects structural performance if it 
can induce loads on the airplane or change the response of the airplane 
to inputs such as gusts or pilot actions.
    Examples of these systems include flight control systems, 
autopilots, stability augmentation systems, load alleviation systems, 
and fuel management systems.
    Section 25.302, in this final rule, specifies the loads that the 
applicant's analysis must apply to structure, taking into account the 
systems defined above, operating normally and in the failed state. As 
stated in the final rule text, these structural requirements apply only 
to structure whose failure could prevent continued safe flight and 
landing. This limitation is consistent with the requirements of the 
special conditions that the FAA has been applying for more than twenty 
years.
    Section 25.302, in this final rule and as proposed in the NPRM, 
does not apply to the flight control jam conditions covered by Sec.  
25.671(c)(3) or the discrete source events covered by Sec.  25.571(e). 
Section 25.302 also does not apply to any failure or event that is 
external to (not part of) the system being evaluated and that would 
itself cause structural damage.
3. Clarification of Terms
    In this final rule, Sec.  25.302(b) states that with the system 
fully operative, the applicant must investigate the effect of 
nonlinearities sufficiently beyond limit conditions to ensure the 
behavior of the system presents no detrimental effects compared to the 
behavior below limit conditions. The intent of this sentence is to 
require the applicant to investigate the system effects ``sufficiently 
beyond limit'' to ensure that no detrimental effects could occur at 
limit load or just beyond.
    Sections 25.302(c)(1)(ii) and (c)(2)(iii) of this final rule 
include a reference to residual strength substantiation. This is 
referring to the residual strength substantiation required by Sec.  
25.571(b).
    Section 25.302(c)(2)(iv) of this final rule states that if the 
loads induced by the failure condition have a significant effect on 
fatigue or damage tolerance, then the applicant must take their effects 
into account. A failure condition has a ``significant'' effect on 
fatigue or damage tolerance if it would result in a change to 
inspection thresholds, inspection intervals, or life limits.
    Section 25.302(d)(1) of this final rule requires the flightcrew to 
be made aware of certain failure conditions before flight, as far as 
practicable. In this case, ``as far as practicable'' means that if 
automatic failure indication can detect such a failure using current 
technology, then that failure should be so monitored and indicated to 
the flightcrew before flight.
4. Significant Standards Differences Between Sec.  25.302 and EASA CS 
25.302
    Section 25.302 of this final rule differs from CS 25.302 and 
Appendix K, as discussed below.
    As noted above, unlike CS 25.302, new Sec.  25.302 does not include 
any aeroelastic stability requirements. Section 25.629 and CS 25.629 
both specify flutter speed margins for failure conditions, but CS 
25.302 includes additional aeroelastic failure criteria. As indicated 
in the NPRM, the FAA finds the failure criteria specified in Sec.  
25.629 to be adequate, and additional failure criteria in Sec.  25.302 
are unnecessary. This is a significant standards difference between 
Sec.  25.302 and CS 25.302.
    The NPRM proposed, and in this final rule Sec.  25.302 requires, 
the evaluation of any system failure condition not shown to be 
extremely improbable or that results from a single failure. Several 
commenters, including Bombardier, Airbus, and TCCA, stated that single 
failures that an applicant shows to be extremely improbable should not 
be included in Sec.  25.302, while Boeing agreed that single failures 
should be included regardless of probability. The FAA does not agree to 
exclude single failures from Sec.  25.302 in this final rule for the 
following reasons:
    (1) To be consistent with Sec. Sec.  25.671 and 25.1309, both of 
which require the evaluation of single failures, and related guidance, 
and past practice for these regulations, the FAA determined, as 
indicated in the NPRM, that single

[[Page 68712]]

failures should be assumed to occur regardless of probability.
    (2) The typical language of the FAA's Interaction of Systems and 
Structures special conditions, used to address this issue on a variety 
of transport category airplane programs for more than twenty years, 
refers to any system failure condition ``not shown to be extremely 
improbable.'' Even though the special conditions have not explicitly 
mentioned single failures, the FAA's long-standing position on single 
failures is that they cannot be accepted as being extremely improbable. 
As noted in AC 25.1309-1A, dated June 21, 1988: ``In general, a failure 
condition resulting from a single failure mode of a device cannot be 
accepted as being extremely improbable.''
    (3) The FAA has determined that not including single failures in 
the evaluation would reduce safety.
    To conclude, CS 25.302 requires the evaluation of any system 
failure condition not shown to be extremely improbable, and that rule 
does not explicitly mention single failures. Therefore, this is a 
significant standards difference between Sec.  25.302 in this final 
rule and CS 25.302.
    CS 25.302 and Sec.  25.302 in this final rule both require 
evaluation of failure conditions that affect structural performance, 
and for these failure conditions, both rules specify certain load 
conditions that must be evaluated for the continuation of flight. 
Section 25.302 includes an additional requirement not included in CS 
25.302: Section 25.302(c)(2)(i)(F) requires the applicant to evaluate 
any other load condition for which a system is specifically installed 
or tailored to reduce the loads of that condition. ``Tailored'' means 
the system is designed or modified to change the response of the 
airplane to inputs such as gusts or pilot actions and thereby affect 
the resulting loads on the airplane. This is necessary to account for 
any systems that are designed to reduce the loads resulting from load 
conditions not specified in Sec.  25.302(c)(2)(i)(A) through (E) and 
whose failure would increase loads relative to the design load level. 
This is a significant standards difference between Sec.  25.302 and CS 
25.302.
5. Nonsignificant Standards Differences Between Sec.  25.302 and EASA 
CS 25.302
    Section 25.302 does not include paragraphs (a) and (b) from CS-25 
Appendix K, K25.1 General, except for one sentence from K25.1(a). That 
sentence indicates that the criteria in Sec.  25.302 are only 
applicable to structure whose failure could prevent continued safe 
flight and landing. Also, new Sec.  25.302(c), discussed above, does 
not include paragraph (c)(3) from Appendix K, K25.2 Effects of Systems 
on Structures. The FAA did not include these paragraphs because the FAA 
determined they are general in nature and do not contain any specific 
requirements.
    Section 25.302 does not include the definitions found in paragraph 
K25.1(c). The FAA determined these terms are sufficiently understood 
and do not need to be provided in the rule.
    While Sec.  25.302 is mostly harmonized with CS 25.302, there are a 
number of minor differences in wording, as follows:
    CS-25 K25.2 paragraph (b) provides requirements for a fully 
operative system. Section 25.302(b) mandates the same requirements but 
states them more succinctly.
    CS-25 K25.2 paragraph (c) provides requirements for a failed 
system. Section 25.302(c) mandates the same requirements but removes 
passive voice and states those requirements more succinctly.
    CS-25 K25.2 paragraph (d) provides failure indication requirements. 
Section 25.302(d) mandates the same requirements but does not include 
the last two sentences of K25.2 paragraph (d)(1) because they are 
unnecessary given the first two sentences of paragraph (d)(1).
    CS-25 K25.2 paragraph (e) and Sec.  25.302(e) of this final rule 
address dispatch requirements. In Sec.  25.302(e), the FAA includes a 
specific reference to the Master Minimum Equipment List, which the 
operator uses to develop their Minimum Equipment List, the primary 
document that controls dispatch requirements. Also, CS 25.302(e) 
includes a requirement that flight and operational limitations be such 
that being in a failure state and then encountering limit load is 
extremely improbable. The FAA did not include this requirement because 
Sec.  25.302(e) already includes specific criteria related to dispatch, 
and this requirement could potentially conflict with those criteria.
    Finally, EASA includes CS 25.302 criteria within CS-25 Appendix K, 
while this final rule includes the equivalent criteria in Sec.  25.302.
    In conclusion, to address the potential effects of aircraft systems 
on structure, the FAA does not adopt the text of Sec.  25.302 that the 
FAA proposed in the NPRM. Instead, the FAA, as requested by several 
commenters, adopts a new Sec.  25.302 that more closely hews to the 
language of the FAA's longstanding special conditions on this topic and 
to EASA CS 25.302, with the modifications set forth in the foregoing 
discussion.

C. Section 25.629, Aeroelastic Stability Requirements

Summary of Changes to Current Rule
    Section 25.629 establishes several requirements to ensure the 
aeroelastic stability of the airplane. For example, it requires the 
applicant to consider the potential effect of several types of failures 
on the airplane's aeroelastic stability. In the NPRM, the FAA proposed 
to revise paragraphs (b) and (d) of this section, as discussed below.
    In this final rule, the FAA is revising the paragraph numbers of 
Sec.  25.629 to correspond with EASA's rule (i.e., Sec.  25.629(d)(9) 
becomes (d)(10); Sec.  25.629(d)(10) becomes (d)(11); and the failure 
evaluation requirements are introduced in Sec.  25.629(d)(9)), as 
requested by commenters and explained below. The FAA is also revising 
the text in Sec.  25.629(d)(9), as requested by commenters and as 
explained below, to harmonize with EASA CS 25.629(d)(9) and to clarify 
when the new failure evaluation requirements are applicable. 
Furthermore, as requested by commenters and explained below, the FAA is 
not revising Sec.  25.629(b), as was proposed in the NPRM, to include 
the reference to Sec.  25.333. Instead, the FAA is revising Sec.  
25.629(a) to clarify that the aeroelastic evaluation must include any 
condition of operation within the maneuvering envelope. This revision 
to proposed Sec.  25.629(a) is consistent with current existing 
industry practice of evaluating the aeroelastic impact of loads due to 
allowed maneuvers for part 25 airplanes and is stated explicitly in 
Sec.  23.629 at amendment 23-63 \20\ and EASA CS 23.629 amendment 23/4. 
The FAA also revised Sec.  25.629(a) in this final rule to consistently 
use the singular term ``evaluation'' where it appears in order to 
prevent confusion.
---------------------------------------------------------------------------

    \20\ 76 FR 75736 (December 2, 2011).
---------------------------------------------------------------------------

1. Paragraphs (a) and (b)
    In the NPRM, the FAA proposed to specify that the aeroelastic 
stability envelope addressed by Sec.  25.629(b) includes the range of 
load factors in Sec.  25.333, Flight Maneuvering Envelope.
    GAMA/AIA, Gulfstream, DeHavilland, Airbus, Bombardier, and Boeing 
requested the FAA not make this change. The commenters stated this 
would be an expansion of the traditional scope of Sec.  25.629 and that 
it would disharmonize the FAA's rule with EASA rules. The commenters 
also stated that the structural design envelope defined in Sec.  25.333 
is not intended for

[[Page 68713]]

aeroelastic stability analysis and should not be confused with the 
normal flight envelope of an airplane.
    The FAA agrees with the commenters that the proposed change would 
disharmonize with CS 25.629 and potentially confuse the FAA's 
aeroelastic stability requirements with the strength requirements of 
Sec.  25.333. Therefore, in this final rule, the FAA did not adopt the 
reference to Sec.  25.333 in Sec.  25.629(b), which remains unchanged.
    However, including conditions within the flight maneuvering 
envelope that is described in Sec.  25.333 in aeroelastic stability 
evaluations is common practice because such conditions are anticipated 
to be encountered in flight and therefore need to be free from 
aeroelastic instabilities. Thus, although paragraph (b) of Sec.  25.629 
does not reference Sec.  25.333, in this final rule, paragraph (a) of 
Sec.  25.629 now states that the aeroelastic evaluation must ``include 
any condition of operation within the maneuvering envelope.'' This 
change to Sec.  25.629(a) is consistent with Sec.  23.629 at amendment 
23-63 and EASA CS 23.629 amendment 23/4, which also address conditions 
of operation in paragraph (a). The FAA has also issued AC 25.629-1C, 
Aeroelastic Stability Substantiation of Transport Category Airplanes, 
to provide more details, further clarify the intent of the rule change, 
and provide an acceptable means of compliance.
2. Paragraph (d)
    In the NPRM, the FAA proposed to relocate certain requirements for 
applicants to analyze specific failures from Sec.  25.671(c)(2) to 
Sec.  25.629(d).
    Gulfstream requested the FAA revise proposed Sec.  25.629(d) to 
consider the probability of the noted failure conditions and exclude 
extremely improbable failure combinations. Gulfstream stated that 
current Sec.  25.671(c)(2) states ``Any combination of failures not 
shown to be extremely improbable. . .''; however, proposed Sec.  
25.629(d)(10) would not have limited its scope to ``combination of 
failures not shown to be extremely improbable.'' In addition, GAMA/AIA 
requested the FAA not adopt proposed Sec.  25.629(d)(10) and instead 
leave these requirements in current Sec.  25.671. GAMA/AIA stated that 
by explicitly adding the failures to proposed Sec.  25.629(d)(10), 
regardless of probability, a more strenuous requirement is added 
without justification. GAMA asserted that retention of the exclusion of 
extremely improbable combinations will serve to incentivize designs of 
higher reliability.
    The FAA does not agree with these requests. The FAA does not agree 
with the commenters' suggestions to limit the required consideration to 
failures that the applicant cannot show are extremely improbable. The 
stated conditions need to be considered by the applicant regardless of 
probability calculations if the airplane's aeroelastic stability relies 
on flight control system stiffness, damping, or a combination of both. 
Proposed Sec.  25.629(d)(10), which is now paragraph (d)(9) in the 
final rule, reflects current industry practice and existing guidance in 
AC 25.629-1B and EASA Acceptable Means of Compliance (AMC) Sec.  
25.629. In addition, the requested change would have introduced a 
significant difference between the standards of the FAA and EASA CS 
25.629.
    Boeing, Bombardier, and Gulfstream requested that proposed 
paragraph Sec.  25.629(d)(10) be more closely harmonized with the 
corresponding CS 25.629 paragraph in its introductory text to include 
the text ``where aeroelastic stability relies on flight control system 
stiffness and/or damping'' to provide clarity to the application of 
this requirement. The FAA agrees with this request because it clarifies 
the situations for which failure evaluations are required and has 
updated Sec.  25.629(d)(9) in the final rule to more closely harmonize 
with EASA and to include the text ``where aeroelastic stability relies 
on flight control system stiffness, damping, or both.''
    Airbus requested that the FAA remove the reference to Sec.  25.671 
from current Sec.  25.629(d)(9). Airbus stated that this reference may 
no longer be applicable because, in the NPRM, the FAA proposed to 
consolidate the requirements in current Sec.  25.671(c)(1) and (c)(2) 
under proposed Sec.  25.1309.
    In this final rule, the FAA has redesignated paragraph (d)(9) of 
Sec.  25.629 as paragraph (d)(10) and updated Sec.  25.671(c) to align 
with CS 25.671(c). The FAA has retained the reference to Sec.  25.671 
in Sec.  25.629(d)(10) because, in the final rule, applicants must 
still evaluate the failure conditions of paragraph Sec.  25.671(c) 
under Sec.  25.629(d)(10).

D. Section 25.671, Flight Control Systems

    In the NPRM, the FAA proposed a number of revisions and additions 
to Sec.  25.671, as summarized and discussed below. Airbus, ANAC, 
Boeing, GAMA, Gulfstream, Safran, and TCCA requested the FAA harmonize 
one or more paragraphs of Sec.  25.671 with EASA CS 25.671. The FAA 
agrees with these requests and, in this final rule, has changed 
proposed Sec.  25.671(a), (b), (c), (d), (e), and (f) to better align 
with EASA CS 25.671.
1. Paragraph (a)
    In the NPRM, the FAA proposed to revise Sec.  25.671(a) by 
referring to each ``flight control'' and ``flight control system'' 
instead of ``control'' and ``control system.'' To harmonize with CS 
25.671(a), the final rule now refers only to each ``flight control 
system.'' This is not a substantive change from the NPRM.
    In the NPRM, the FAA also proposed to revise Sec.  25.671(a) to 
require the flight control system to continue to properly operate, and 
not hinder airplane recovery when the airplane experiences certain 
conditions, including any ``pitch, roll, or yaw rate, or vertical load 
factor.'' The FAA proposed that this change would ensure there would be 
no features or unique characteristics of the flight control system that 
restrict the pilot's ability to recover from any attitude, pitch, roll 
or yaw rate, or vertical load factor expected to occur due to operating 
or environmental conditions. ANAC and TCCA suggested changing proposed 
Sec.  25.671(a) to specify ``any flight dynamics parameter'' instead of 
``any pitch, roll, yaw rate, or vertical load factor'' to harmonize 
with EASA language. The FAA does not agree. The suggested change would 
be a potentially open-ended requirement because ``any flight dynamics 
parameter'' could mean many different parameters. The text in Sec.  
25.671(a) \21\ is more specific, sufficient to accomplish its purpose, 
and is adopted as proposed.
---------------------------------------------------------------------------

    \21\ AC 25.671-1 provides additional information.
---------------------------------------------------------------------------

2. Paragraph (b)
    In the NPRM, the FAA proposed to revise Sec.  25.671(b) by 
referring to incorrect assembly that could result in ``failure of the 
system to perform its intended function.'' To harmonize with CS 
25.671(b), the final rule now refers to incorrect assembly that could 
result in ``failure or malfunctioning of the system.'' This is not a 
substantive change from the NPRM.
    An individual commenter requested the FAA move the requirement to 
minimize the probability of incorrect assembly from Sec.  25.671(b) to 
Sec.  25.1309 and make it applicable to all systems. The commenter 
stated that designing a system to ensure it can only be assembled 
correctly is a basic good engineering practice. The FAA does not agree 
to make this change to the regulation. The requirements of Sec.  
25.671(b) apply only to flight control systems. Other systems are 
subject to different requirements for minimizing

[[Page 68714]]

incorrect assembly and different marking requirements. The incorrect 
assembly addressed by Sec.  25.671(b) is that which could result in 
failure or malfunctioning of the system. Section 25.1309(a) requires 
the proper functioning of the equipment, systems, and installations 
whose function is required by subchapter C of title 14. The issue of 
incorrect assembly is addressed in AC 25.1309-1B, by reference to 
Aerospace Recommended Practice (ARP) 4761 ``Guidelines and Methods for 
Conducting the Safety Assessment Process on Civil Airborne Systems and 
Equipment.'' Improper assembly within ARP4761 is a manufacturing 
consideration with consideration to common mode type sources or 
failures/errors only.
    ANAC requested the FAA harmonize proposed Sec.  25.671(b) with EASA 
CS 25.671(b) by adding ``taking into consideration the potential 
consequence of incorrect assembly'' to the requirement. The FAA does 
not agree with this request. The general requirements of this paragraph 
apply to each element of each flight control system regardless of the 
potential consequence of incorrect assembly.
    Revised Sec.  25.671(b) is therefore adopted as proposed.
3. Introductory Text of Paragraph (c)
    The NPRM proposed certain conforming changes to the introductory 
text of paragraph (c), as a result of the FAA's proposal to remove the 
flight control system failure criteria of Sec.  25.671(c)(1) and (c)(2) 
and substitute the general criteria of 14 CFR 25.1309. As explained 
below, the FAA decided to retain the specific criteria of Sec.  
25.671(c)(1) and (c)(2), and so the proposed changes to the 
introductory text of paragraph (c) are now no longer necessary. 
Therefore, in this final rule, the introductory paragraph (c) is 
unchanged from the current paragraph (c), except as described herein.
    The current Sec.  25.671(c) introductory text refers to the flight 
control system and surfaces (including trim, lift, drag, and feel 
systems). To harmonize with CS 25.671(c), the final rule refers only to 
the flight control system, which includes surfaces and the other 
referenced systems. This is not a significant change.
    The current Sec.  25.671(c) introductory text requires the 
applicant to show that the airplane is capable of continued safe flight 
and landing after jams and other failures ``without requiring 
exceptional piloting skill or strength.'' Gulfstream requested the FAA 
not remove ``without requiring exceptional skill or strength'' from 
Sec.  25.671(c). The FAA does not agree because that clause is now 
included in the definition of continued safe flight and landing 
provided in AC 25.671-1. Therefore, including this phrase in Sec.  
25.671(c) is no longer necessary. The final rule is also harmonized 
with CS 25.671(c) and AMC 25.671 in this regard.
    Gulfstream requested the FAA not eliminate, as it proposed in the 
NPRM, the Sec.  25.671(c) requirement for probable flight control 
failures to have only ``minor'' effects. The company stated that minor 
failures for Sec.  25.1309 tend to only have a functional hazard 
assessment (FHA)-level review in the SSA. There is no specific 
requirement in Sec.  25.1309(b) to address minor failures. As such, 
there may be probable flight control failures that are not explicitly 
addressed by the Sec.  25.1309(b) process. The FAA agrees. The final 
rule retains the noted text.
    ANAC requested the FAA move the requirement that compliance be 
shown ``by analysis, test, or both . . .'' from Sec.  25.671(c) to AC 
25.671-1, stating that this text is guidance. The FAA does not agree. 
This portion of the text in Sec.  25.671(c) was not proposed to be 
revised in the NPRM, has been in place for many decades in the current 
rule, is understood by applicants, and is harmonized with CS 25.671(c).
4. Paragraphs (c)(1) and (c)(2)
    The NPRM proposed that current Sec.  25.671(c)(1) and (c)(2) be 
removed and all flight control system failures be covered by Sec.  
25.1309. Boeing, Airbus, ANAC, GAMA/AIA, Gulfstream, and TCCA requested 
the FAA retain the current Sec.  25.671(c)(1) and (c)(2) in order to 
better align Sec.  25.671(c) with EASA CS 25.671(c). The FAA agrees 
with commenters that removing Sec.  25.671(c)(1) and (c)(2) would 
create a certification burden due to differences with EASA requirements 
and because different means of compliance are normally used for 
Sec. Sec.  25.671(c) and 25.1309(b), as described in their respective 
ACs. Therefore, the FAA agrees to retain Sec.  25.671(c)(1) and (c)(2).
    If the FAA chose not to change Sec.  25.671(c)(1) and (c)(2), TCCA, 
ANAC, Bombardier, and Boeing requested specific changes to Sec.  
25.671(c) in order to more closely harmonize with EASA CS 25.671(c). 
The requested changes are no longer relevant as the FAA has decided to 
retain Sec.  25.671(c)(1) and (c)(2).
5. Paragraph (c)(3)
    In the NPRM, the FAA proposed that revised Sec.  25.671(c) would 
address flight control jams. With the retention of Sec.  25.671(c)(1) 
and (c)(2), described above, flight control jams will continue to be 
addressed by Sec.  25.671(c)(3). The proposed rule would have addressed 
flight control jams in Sec.  25.671(c)(1), (c)(2), and (c)(3). The 
corresponding paragraphs for these requirements in this final rule are 
Sec.  25.671(c)(3)(i), (c)(3)(ii), and (c)(3)(iii).
    To harmonize with CS 25.671(c)(3) and as recommended by the ARAC 
FCHWG, and as described in the NPRM, this final rule refers to jams of 
a flight control surface or pilot control that are ``fixed in 
position'' due to a physical interference.
6. Exception in Paragraph (c)(3)(ii)
    Proposed Sec.  25.671(c)(2) would have excepted jams that occur 
immediately before touchdown if the applicant were able to show that 
such jams are extremely improbable. (In this final rule, Sec.  
25.671(c)(2) is renumbered as Sec.  25.671(c)(3)(ii).) The FAA proposed 
this exception due to the lack of practical means for applicants to 
show compliance, and the short duration of the potential hazard.
    GAMA/AIA and Gulfstream requested the FAA revise proposed Sec.  
25.671(c)(2) to incorporate the 2002 ARAC FCHWG recommendation, which 
excluded consideration of jams occurring immediately before touchdown 
regardless of probability.
    The FAA agrees that the consideration of jams before touchdown 
should not be linked with a numerical estimate of the probability of 
the jam. Instead, in this final rule the FAA has reworded Sec.  
25.671(c)(3)(ii) to exclude consideration of jams immediately prior to 
touchdown if the risk of a potential jam is minimized to the extent 
practical. AC 25.671-1 provides guidance on acceptable means of showing 
compliance with this requirement.
    This is a difference between Sec.  25.671(c)(3)(ii) and EASA CS 
25.671(c)(3)(ii) because CS 25.671(c)(3)(ii) does not include an 
exception for jams occurring just before touchdown. The FAA expects 
this difference to have no effect in practice because EASA guidance 
included in Acceptable Means of Compliance (AMC) Sec.  25.671 similarly 
allows jams before touchdown to be excluded if an assessment of the 
design shows that all practical precautions have been taken. Therefore, 
the FAA finds that, with this final rule, there will not be a 
significant standards difference between the FAA and EASA requirements.
    Airbus asked that the FAA also except jams during the takeoff phase 
because, in both cases, exposure time is limited. The FAA does not 
agree. The ARAC FCHWG did not recommend excluding

[[Page 68715]]

the takeoff phase, only the landing phase. Although flight control jams 
can occur during takeoff, practical design solutions can be put in 
place to mitigate such jams. Note that AC 25.671-1 states that, for 
jams that occur during takeoff, the applicant may assume that if the 
jam is detected prior to V1, the takeoff will be rejected.
    DeHavilland requested confirmation that the new requirements 
related to flight control jams do not change what the company describes 
as accepted current practice. That practice would allow jams in spring-
tab mechanisms that could occur during takeoff to be evaluated 
probabilistically, and the short exposure time during takeoff could be 
considered in determining the probability of such jams. This final rule 
requires the applicant to determine the type of jam or failure being 
assessed. For those flight control jams evaluated under Sec.  
25.671(c)(3), the probability of the jam, and the short exposure time 
during takeoff, may not be considered in showing compliance with that 
regulation. The FAA did not change the rule or associated guidance as a 
result of this comment.
7. Paragraph (c)(3)(iii)
    Section 25.671(c)(3)(iii) states that in addition to the jam being 
evaluated, any additional failure conditions that could prevent 
continued safe flight and landing must have a combined probability of 
1/1000 or less, rather than ``less than 1/1000'' as proposed in the 
NPRM. This harmonizes with CS 25.671(c)(3).
    GAMA/AIA requested that the FAA use ``failure states'' in place of 
``failure conditions'' in Sec.  25.671(c)(3)(iii) because the 2002 ARAC 
FCHWG report used ``failure states.'' The FAA does not agree. The term 
``failure conditions'' is well-understood, has been used for many 
years, and is appropriately used in this regulation. In addition, CS 
25.671(c)(3) also refers to ``failure conditions.'' The FAA added 
guidance in AC 25.671-1 to explain this requirement.
    Except for the differences noted in the foregoing discussion, 
revised Sec.  25.671(c) is adopted as proposed.
8. Paragraph (d)
    Section 25.671(d) requires that the airplane remain controllable if 
all engines fail. In the NPRM, the FAA proposed to add a requirement 
that an approach and flare to a landing and controlled stop must also 
be possible, assuming that a suitable runway is available. GAMA/AIA, 
TCCA, and Boeing requested the FAA add ``and flare to ditching'' to the 
new requirements. Since the most likely scenario leading to a 
controlled ditching is loss of all engines, the scenario is relevant, 
according to the commenters. The FAA agrees with this request because a 
flare to a ditching may require different reconfiguration than would be 
required for landing; for example, flap settings and pitch attitude. 
Adding the flare to a ditching requirement to Sec.  25.671(d) will also 
harmonize the rule with CS 25.671(d).
    Gulfstream and GAMA/AIA requested the FAA remove the requirement 
for a controlled stop from proposed Sec.  25.671(d) as they felt a 
braking requirement should not be added to a general flight control 
system requirement. The FAA does not agree. Stopping capability can be 
affected by flight controls, including spoilers, flaps, and rudder. In 
addition, this would result in a difference compared to EASA CS-25 
language.
    TCCA and ANAC requested that the FAA remove the following sentence 
from proposed Sec.  25.671(d): ``The applicant may show compliance with 
this requirement by analysis where the applicant has shown that 
analysis to be reliable.'' The commenters stated that this sentence 
describes an acceptable means of compliance, which is adequately 
covered in the corresponding guidance. The FAA agrees and did not 
include this sentence in the final rule.
    Except for the changes noted in the foregoing discussion, Sec.  
25.671(d) is adopted as proposed.
9. Paragraph (e)
    In the NPRM, the FAA proposed to add new Sec.  25.671(e), requiring 
the flight control system to indicate whenever the primary control 
means are near the limit of control authority. The FAA proposed this 
change due to the lack of direct tactile link between the flightdeck 
control and the control surface on airplanes equipped with fly-by-wire 
control systems.
    DeHavilland requested that the FAA use ``must provide appropriate 
feedback to the flight crew . . .'' in place of ``must indicate to the 
flight crew'' in new Sec.  25.671(e). The company stated that for non-
fly-by-wire systems, the air loads are either naturally sensed or 
simulated. The company also commented that the use of the word 
``indicate'' in the proposed requirement has a potential for 
misinterpretation, as tactile feedback is not normally considered as an 
``indication.'' The commenter acknowledged draft AC 25.671-X addresses 
use of feel forces and cockpit control movement to meet this 
requirement.
    The FAA does not agree to make this change. As noted by the 
commenter, the AC addresses use of tactile feedback as a method of 
compliance with this requirement.
    ANAC and TCCA commented that the FAA should harmonize the new 
requirement of Sec.  25.671(e) with CS 25.671(e) to remove any possible 
misunderstanding. The FAA agrees. The proposed rule stated that the 
``flight control system'' must indicate to the flightcrew whenever the 
primary control means is near the limit of control authority. This 
final rule is revised to harmonize with CS 25.671(e) and requires ``the 
airplane'' to be designed to indicate to the flightcrew whenever the 
primary control means is near the limit of control authority. This is 
not a substantive change.
10. Paragraph (f)
    In the NPRM, the FAA proposed to add new Sec.  25.671(f), requiring 
that the flight control system alert the flightcrew whenever the 
airplane enters any mode that significantly changes or degrades the 
normal handling or operational characteristics of the airplane.
    ANAC and TCCA commented that the FAA should fully harmonize Sec.  
25.671(f) with CS 25.671(f) to remove any possible misunderstanding. 
The FAA agrees. The proposed rule would have required that the flight 
control system alert the flightcrew whenever the airplane enters a 
flight control mode of concern. This final rule is revised to harmonize 
with CS 25.671(f) and thus requires the system to provide ``appropriate 
flightcrew alerting.'' This is not a substantive change.
11. Relationship Between Sec. Sec.  25.671(c) and 25.1309
    ANAC, Boeing, and GE sought clarification from the FAA on the 
applicability of Sec. Sec.  25.671(c) and 25.1309, particularly in 
light of the changes proposed in the NPRM. As explained above, the FAA 
decided to retain the structure of existing Sec.  25.671(c) in the 
final rule, which will address the concerns raised by these commenters. 
The FAA provides the following additional explanation relative to the 
requirements of the final rule. Section 25.1309 applies to all systems 
and equipment installed on the airplane, including the flight control 
system. Section 25.671(c) also applies to the flight control system. 
The safety requirements in Sec.  25.671(c)(1) and (c)(2) correspond 
with those in Sec.  25.1309(b)(1). There are no fundamental differences 
between these two sets of safety requirements as they apply to the 
flight control system.

[[Page 68716]]

However, different methods of compliance may be used to comply with 
Sec.  25.671(c)(1) and (c)(2) as compared to Sec.  25.1309(b)(1).
    Sections 25.671(c)(1) and (c)(2) require the airplane to be capable 
of continued safe flight and landing after any single failure and after 
any combination of failures not shown to be extremely improbable. 
Section 25.1309 requires that these failure conditions not be 
catastrophic. While worded differently, these requirements are 
functionally equivalent. AC 25.1309-1B states that a flight control 
system failure condition that would prevent continued safe flight and 
landing should be classified as catastrophic. AC 25.671-1 provides 
specific criteria unique to the assessment of flight control system 
failures. AC 25.1309-1B also provides guidance on assessing failure 
conditions that apply to the flight control system.
    Sections 25.1309(b)(2) through (b)(5), (c), and (e) also apply to 
the flight control system. There are no requirements in Sec.  25.671 
that correspond to these subparagraphs.

E. Section 25.901, Engine Installation

    In the NPRM, the FAA proposed that Sec.  25.901(c) would specify 
that the requirements of Sec.  25.1309 would apply to powerplant 
installations. The FAA also proposed to remove the prohibition in Sec.  
25.901(c) on catastrophic single failures and probable combinations of 
failures since addressing such failures would be adequately addressed 
by the proposed Sec.  25.1309(b). The FAA proposed that these changes 
would harmonize Sec.  25.901(c) with EASA CS 25.901(c).
    Pratt & Whitney requested that the FAA add to Sec.  25.901(c) the 
phrase ``or any other failure consistent with existing Sec.  33.75 
single element exception requirements'' to ensure consistency with 
Sec.  25.901(c) and existing requirements. The FAA does not agree with 
the request. The referenced exception requirements only address 
instances in which the failure of the single element is likely to 
result in a hazardous engine effect. These effects are among the 
conditions applicants use for evaluating the hazard to the engine under 
engine airworthiness requirements, which do not consider the effect of 
the airplane installation. For example, hazardous effects on the engine 
may not necessarily result in a catastrophic failure at the airplane 
level. Since the requirements of Sec.  33.75 are independent of the 
aircraft airworthiness requirements, they are inadequate for evaluating 
the hazard to the aircraft installation. The exceptions to Sec.  
25.1309(b) that the FAA has identified in Sec.  25.901(c) are 
consistent with existing powerplant installation requirements in part 
25 and compliance showings to Sec.  25.901(c) before adoption of this 
final rule. Expanding the exceptions to Sec.  25.1309(b) to include 
aspects of Sec.  33.75 would not be consistent with existing part 25 
powerplant installation requirements. The potential failure conditions 
of the engine type design that should be excepted from Sec.  25.1309(b) 
are adequately addressed by the exceptions identified by Sec.  
25.901(c).
    The FAA therefore adopts revised Sec.  25.901(c) as proposed.

F. Section 25.933, Reversing Systems

    In the NPRM, the FAA proposed to add a ``reliability option'' for 
thrust reversers to Sec.  25.933(a), allowing applicants to show that 
an unwanted deployment of the reverser is extremely improbable (i.e., 
complies with 14 CFR 25.1309(b)), instead of only that the airplane 
remains controllable if the reverser deploys in flight.
    GAMA/AIA commented that the proposed wording of Sec.  25.933(a) 
does not clearly communicate that the controllability option would 
still require compliance with Sec.  25.1309, as noted in the regulatory 
evaluation (footnote 58 of the NPRM). GAMA/AIA requested the wording of 
Sec.  25.933(a) be changed to clearly define the requirement to show 
compliance with Sec.  25.1309 regardless of controllability.
    The FAA acknowledges that compliance with Sec.  25.1309 is required 
regardless of which option an applicant chooses under Sec.  25.933(a) 
since Sec.  25.901(c) requires compliance with Sec.  25.1309. However, 
the FAA partially agrees, and in this final rule has revised Sec.  
25.933(a) to clarify, that when an applicant chooses the reliability 
option (new Sec.  25.933(a)(ii)), the applicant must account for the 
potential hazard to the airplane assuming the airplane would not be 
capable of continued safe flight and landing during and after an in-
flight thrust reversal when showing compliance with Sec.  25.1309(b). 
Section 25.901(c) applies to the powerplant and auxiliary power unit 
(APU) installation, except for the specific items listed in new Sec.  
25.901(c). Compliance with Sec.  25.1309 is required for the powerplant 
and APU installation, which includes the thrust reversing system, per 
the new Sec.  25.901(c). The FAA finds that it is unnecessary to 
restate in Sec.  25.933(a)(1) that compliance with Sec.  25.1309 is 
required for the reversing system since it is already required by the 
new Sec.  25.901(c) and not one of the items excepted.
    Air Tech Consulting objected to the ``reliability option'' that the 
FAA proposed in the NPRM. The commenter cited three inflight reverser 
deployments in the past twelve months as justification for maintaining 
the existing rule.
    The FAA does not agree with this request. The incidents cited by 
the commenter were not in-flight thrust reverser deployments, only 
component failures or false indications.\22\ The FAA has made 
equivalent safety findings on many proposed airplane models based on 
the ARAC PPIHWG recommendations for Sec.  25.933(a)(1) and certified 
many designs using the reliability approach rather than the 
controllability approach in current Sec.  25.933(a)(1). The FAA does 
not agree that these particular in-service events show that the systems 
would not have met Sec.  25.1309(b) or that the longstanding 
reliability approach for certification of the thrust reverser system is 
inadequately safe.
---------------------------------------------------------------------------

    \22\ Each of the three cited events were the result of either a 
false indication of an unlocked reverser door or failure of the 
primary lock followed by a small movement of a reverser door until 
the secondary lock engaged, where the movement was enough to result 
in an unlocked reverser indication. In either circumstance, the 
reverser door did not deploy and an actual in-flight thrust reversal 
did not occur. Also, after the close of the comment period for this 
rule, a FedEx Boeing Model MD-11 experienced an unwanted in-flight 
deployment on June 21, 2023. The thrust reversers on the airplane 
were not certified using the reliability approach; however, the 
design was reviewed by the FAA and Boeing (formerly Douglas) using 
the ``Criteria for Assessing Transport Turbojet Fleet Thrust 
Reverser System Safety,'' Revision A, dated June 1, 1994, which was 
a reference document used by the ARAC PPIHWG to develop 
recommendations for changes to Sec.  25.933(a). Boeing used a mixed 
approach, in which the company demonstrated the Model MD-11 was 
controllable following an unwanted in-flight deployment within 
certain portions of the flight envelope and showed reliability, 
using a thrust reverser SSA, for the remainder of the flight 
envelope.
---------------------------------------------------------------------------

    TCCA commented that systems design often needs to strike a balance 
between availability (system performs its intended function when 
needed) and integrity (protecting against system malfunctions). TCCA 
requested that the FAA revise Sec. Sec.  25.933 and 25.1309(b) to 
emphasize the need to consider system availability in conjunction with 
integrity.
    The FAA agrees that system availability is an important 
consideration when designing the thrust reverser system. However, there 
are already applicable airworthiness requirements, such as Sec. Sec.  
25.901(b)(2) and 25.1309(a)(1), that address system availability and 
reliability and that are related to the system's effect on airplane 
safety. It is not necessary to provide additional emphasis on system

[[Page 68717]]

availability within Sec. Sec.  25.933 and 25.1309(b) since these 
existing requirements are adequate to address the availability of 
thrust reverser system. Section 25.933(a)(1) addresses the specific 
failure condition of an unwanted in-flight deployment only, and Sec.  
25.1309(b) addresses the safety of equipment and systems as installed 
on the airplane. Therefore, the FAA does not agree with the commenter's 
request since requirements that influence system availability and the 
relationship with propulsion system reliability, which apply to the 
thrust reverser system, are already addressed in existing regulations. 
The FAA included guidance on Sec.  25.901(b)(2) that is related to 
Sec. Sec.  25.901(c) and 25.1309(b) in AC 25.901-1. Guidance for Sec.  
25.1309(a)(1) can be found in AC 25.1309-1B.
    The FAA therefore adopts revised Sec.  25.933 as proposed.

G. Section 25.1301, Function and Installation

    In the NPRM, the FAA proposed to remove the ``function properly 
when installed'' criterion in Sec.  25.1301(a)(4) for installed 
equipment whose function is not needed for safe operation of the 
airplane. In addition, the FAA proposed to remove Sec.  25.1301(b) 
because it is redundant and unnecessary. Section 25.1301(b) required 
that a proposed airplane's EWIS meet the requirements of subpart H of 
part 25. The FAA proposed removing Sec.  25.1301(b) because subpart H 
specifies its applicability and the requirements in subpart H can stand 
alone. The FAA received no substantive comments on proposed Sec.  
25.1301.
    The FAA therefore adopts revised Sec.  25.1301 as proposed.

H. Section 25.1309, Equipment, Systems and Installations

1. Applicability
    In the NPRM, the introductory paragraph of proposed Sec.  25.1309 
explained that regulation would apply to any equipment or system 
installed on the airplane except as provided in paragraphs (e) and (f). 
Boeing, ANAC, Gulfstream, GAMA/AIA, and Garmin requested that the FAA 
delete paragraphs (e) and (f) of proposed Sec.  25.1309 and move their 
content to the introductory paragraph to align with CS 25.1309. The 
commenters also noted that these paragraphs included regulatory 
exceptions to Sec.  25.1309 and showing compliance to an ``exception'' 
raised administrative issues. The FAA agrees and updated Sec.  25.1309 
accordingly.
    Proposed Sec.  25.1309(e) would have excluded flight control jams 
governed by Sec.  25.671(c) from the proposed single-failure 
requirement in Sec.  25.1309(b)(1)(ii). Gulfstream proposed that flight 
control jams be excluded from all of Sec.  25.1309 and stated that 
additional guidance would be needed if flight control jams were not 
excluded from Sec.  25.1309(b). Although the FAA has historically used 
Sec.  25.671(c) rather than Sec.  25.1309 to address flight control 
jams, the FAA does not agree that flight control jams should be 
excluded from the other paragraphs of Sec.  25.1309 because those 
requirements apply to flight control systems and are necessary for 
managing the risk of flight control jams.
    The FAA agrees, however, that flight control jams should be 
excluded from all of Sec.  25.1309(b), and the final rule is revised 
accordingly. The FAA did not intend Sec.  25.1309(b) to apply to flight 
control jams because an evaluation of the failure conditions under 
Sec.  25.1309(b) requires the applicant to determine numerical 
probabilities, which is not practical for flight control jams. Since 
EASA CS 25.1309 excludes flight control jams from only CS 
25.1309(b)(1)(ii), this is a substantive difference between the FAA and 
EASA's regulations.
    Proposed Sec.  25.1309(f)(1) stated that Sec.  25.1309(b) does not 
apply to single failures in the brake system because such failures are 
addressed by Sec.  25.735(b)(1). GAMA/AIA requested the FAA change 
``single failures'' to ``failures'' to be consistent with Sec.  25.735. 
The FAA does not agree with this request because other types of 
failures in the brake system should be evaluated under Sec.  
25.1309(b).
    Proposed Sec.  25.1309(f)(2) stated that Sec.  25.1309(b) would not 
apply to the failure effects addressed by Sec. Sec.  25.810(a)(1)(v) 
and 25.812. Gulfstream and GAMA/AIA requested that the FAA replace 
``25.810(a)(1)(v)'' with ``25.810'' to harmonize with CS 25.1309. The 
FAA does not agree because Sec.  25.810(a)(1)(v) provides specific 
deployment and usability criteria for certain means of evacuation 
assistance, and this subparagraph alone is relevant to the exception 
discussion. However, the FAA updated ``failure effects'' to ``failure 
conditions'' to harmonize with CS 25.1309.
    EASA requested that the FAA clarify the exception from compliance 
with Sec.  25.1309(b) that proposed Sec.  25.1309(f)(3) would have 
provided regarding Sec.  25.1193, ``Cowling and nacelle skin,'' and 
suggested that the FAA change it from Sec.  25.1193 to Sec.  
25.1193(a). EASA also stated that there may be value in considering 
Sec.  25.1193 as applicable under Sec.  25.1309 for systems that are 
used for opening or closing doors and monitoring proper closure/latched 
conditions. Furthermore, EASA asked why Sec.  25.1193 was not also 
included in the propeller debris release exception in proposed Sec.  
25.1309(f)(4).
    The FAA made no changes to the final rule in response to these 
comments. The NPRM explains that Sec. Sec.  25.1193 and 25.905(d) 
already require applicants to consider the specific failures of fires 
from uncontained engine failures and engine case burn-through. Thus, it 
is not necessary to consider these same failures under Sec.  25.1309 as 
well. Furthermore, nacelle cowl door opening, closure, position 
monitoring, latching, and other potential failure conditions are 
discussed in AC 25.901-1 for compliance with Sec. Sec.  25.901(c) and 
25.1309.
2. Paragraph (a)
    In the NPRM, the FAA proposed to require that all installed 
airplane equipment and systems whose improper functioning would reduce 
safety perform as intended under the airplane operating and 
environmental conditions (Sec.  25.1309(a)(1)). The FAA also proposed 
that all equipment and systems not subject to the foregoing requirement 
not have an adverse effect on the safety of the airplane or its 
occupants (proposed Sec.  25.1309(a)(2)). The latter requirement would 
have allowed such equipment to be approved by the FAA even if it may 
not perform as intended.
    ANAC commented that proposed Sec.  25.1309(a)(1) stated ``equipment 
and systems, as installed, must meet'' this requirement, while the ARAC 
SDAHWG recommended wording states ``equipment and systems must be 
designed and installed so that . . . .'' \23\ ANAC recommended that the 
FAA adopt the proposed ARAC wording and match EASA CS 25.1309. The FAA 
agrees to harmonize the rule text to avoid any possible interpretation 
differences and this final rule has updated Sec.  25.1309(a).
---------------------------------------------------------------------------

    \23\ www.faa.gov/regulations_policies/rulemaking/committees/documents/media/TAEsdaT2-5241996.pdf.
---------------------------------------------------------------------------

    GAMA/AIA and Boeing requested the FAA revise proposed Sec.  
25.1309(a)(1) to replace ``whose improper functioning would reduce 
safety'' with ``whose function is necessary for safe operation of the 
airplane.'' The commenters were concerned that using the proposed 
phrase could result in equipment, systems, and installations intended 
for convenience to be subjected to Sec.  25.1309(a)(1) requirements. 
The FAA

[[Page 68718]]

did not revise Sec.  25.1309(a)(1) as suggested because this change 
would exclude evaluation of systems whose failure would have a safety 
effect. The suggested change would also disharmonize this rule with 
EASA CS 25.1309(a)(1).
    Bombardier requested the FAA harmonize its proposed Sec.  
25.1309(a)(2) rule text of ``functioning normally or abnormally'' with 
the CS 25.1309(a)(2) rule text of ``not a source of danger.'' The FAA 
declines to update proposed Sec.  25.1309(a)(2) as suggested. Although 
the phrase ``functioning normally or abnormally'' used in proposed 
Sec.  25.1309(a)(2) is different from the ``not a source of danger in 
themselves'' used in EASA CS 25.1309(a)(2), the FAA considers these 
phrases as having generally the same meaning. ``Not a source of 
danger'' is largely synonymous with ``safe.'' An applicant must 
evaluate the systems addressed by Sec.  25.1309(a)(2) to verify that 
their normal operation and failure or abnormal functioning have no 
safety effect (i.e., they do not affect the operational capability of 
the airplane, do not increase flightcrew workload, and do not affect 
the safety of passengers or cabin crew).
    GAMA/AIA requested the FAA change ``must not adversely affect'' in 
proposed Sec.  25.1309(a)(2) to ``do not adversely affect'' as used in 
CS 25.1309(a)(2). GAMA/AIA stated that using ``do not'' in the 
regulation instead of ``must not'' changes the tone from preventative 
to evaluative. The FAA agrees and updated Sec.  25.1309(a)(2) to align 
with CS 25.1309(a)(2).
    Bombardier questioned whether Sec.  25.1309(a)(2) should be 
interpreted by applicants to apply to electromagnetic interference 
(EMI) generated by systems operating abnormally. In a related question, 
Bombardier asked the FAA to clarify what applicants should address in a 
qualitative failure evaluation of equipment and systems under Sec.  
25.1309(a)(2). Bombardier stated that the NPRM preamble implies that 
applicants would have to show that an equipment failure will not result 
in increased electromagnetic emissions; however, Bombardier does not 
consider this to be the intent of proposed Sec.  25.1309(a)(2).
    The FAA intends that systems addressed under Sec.  25.1309(a)(2), 
in this final rule, do not have to meet the former requirement that 
they ``perform as intended'' when installed. AC 25.1309-1B explains 
that the systems addressed by Sec.  25.1309(a)(2) should be designed so 
that their failures have no safety effect. In addition, normal 
installation practices can be used to isolate these systems, and a 
qualitative installation evaluation based on engineering judgment can 
be used to determine that the failure or improper functioning of these 
systems would not affect the safety of the airplane. Thus, the extent 
of EMI testing that is required for systems addressed under Sec.  
25.1309(a)(1) is not required for systems addressed under Sec.  
25.1309(a)(2). However, if there is a risk that the failure of a system 
addressed under Sec.  25.1309(a)(2) will result in electromagnetic 
emissions that affect the proper function of systems addressed under 
Sec.  25.1309(a)(1), then formal methods such as testing or analysis 
may be used to evaluate the failure in lieu of a qualitative 
installation evaluation that uses engineering judgment to conclude that 
electromagnetic omissions would not occur.
    Except for the foregoing changes, Sec.  25.1309(a) is adopted as 
proposed.
3. Paragraph (b)
    Section 25.1309(b) requires applicants to assess safety at the 
airplane level for airplane systems and associated components, 
evaluated separately and in relation to other systems, and requires 
that the airplane's systems and components meet certain reliability 
standards. In the NPRM, the FAA proposed to revise Sec.  25.1309(b) to 
address design and installation so that each catastrophic failure 
condition is extremely improbable and does not result from a single 
failure, each hazardous failure condition is extremely remote, and each 
major failure condition is remote.
    In this final rule, the FAA has adopted proposed Sec.  
25.1309(b)(1) through (b)(3) with no changes but revised Sec.  
25.1309(b)(4) and (b)(5) to align with the corresponding sections of 
EASA CS 25.1309.
    Proposed Sec.  25.1309(b)(4) would have required that significant 
latent failures (SLFs) be eliminated, except if the Administrator 
determined that doing so was impractical. If the applicant proved to 
the Administrator that such elimination was impractical, the regulation 
would have required the applicant to limit the likelihood of the SLF to 
1/1000 between inspections. If the applicant proved that such 
limitation was impractical, then the proposed regulation would have 
required the applicant to minimize the length of time the failure would 
be present but undetected.
    Garmin expressed concern that the 1/1000 requirement in proposed 
Sec.  25.1309(b)(4)(i) could be burdensome without a cutset \24\ limit 
because no matter how many cutsets deep the latent failure is (e.g., 3, 
4, 5, or more cutsets), it still would have to meet the 1/1000 
requirement unless the applicant obtains agreement with the FAA that it 
has been adequately minimized. Thus, Garmin recommended that the FAA 
remove the 1/1000 requirement from Sec.  25.1309(b)(4) to align with 
EASA and suggested that the 1/1000 requirement be moved to AC 25.1309-
1B as one way to show the SLF is minimized. Garmin proposed that a 
cutset limit be applied to either the 1/1000 requirement within Sec.  
25.1309(b)(4) or to the definition of SLF if the FAA did not remove the 
1/1000 requirement from Sec.  25.1309(b)(4) in the final rule. The FAA 
agrees to remove the 1/1000 criteria from Sec.  25.1309(b)(4) and 
include it in AC 25.1309-1B as a possible means of compliance. This 
change is consistent with the ASAWG recommendations that led to this 
rulemaking. Specifically, the ASAWG specific risk tasking report 
recommendations that the FAA require applicants to control specific 
risks of concern did not include a recommended limit latency 
requirement for all SLFs. The report only recommended a limit latency 
requirement of 1/1000 for CSL+1 failure combinations (ASAWG report, 
section 6.4.1.2).
---------------------------------------------------------------------------

    \24\ A cutset is a number of failures or events that when 
combined will result in a system failure.
---------------------------------------------------------------------------

    ANAC, TCCA, and Bombardier requested the FAA harmonize Sec.  
25.1309(b)(4) with CS 25.1309(b)(4) by removing the 1/1000 criterion, 
while EASA requested the FAA provide a rationale for not harmonizing. 
The FAA agrees to harmonize Sec.  25.1309(b)(4) with CS 25.1309(b)(4).
    Both regulations address eliminating SLFs as far as practical and 
minimizing the latency of the SLF if such elimination is not practical. 
This ensures that the applicant evaluates each SLF, eliminates it when 
practical, and minimizes its latency if elimination is not practical. 
However, in this final rule, Sec.  25.1309(b)(4) includes a new 
exclusion, requested by Garmin, from these proposed requirements for 
latent failures. This exclusion is described in the following 
paragraph.
    Garmin requested that the FAA modify proposed Sec.  25.1309(b)(4) 
to exclude the requirements for latent failures where the applicant 
meets the requirements of Sec.  25.1309(b)(1) and (b)(2) with the 
latent failure assumed, in the applicant's risk assessment, to have 
already occurred, or where the applicant took no credit in that risk 
assessment for the latency period. The FAA agrees to add this exclusion 
to Sec.  25.1309(b)(4)

[[Page 68719]]

because it meets the decision criteria that the specific risk of 
concern will be evaluated as per the 2010 ARAC ASAWG specific risk 
tasking report.\25\ When a latent failure or the specific risk of 
concern is assumed as having occurred, its probability becomes 1 in the 
calculation of the failure condition. This probability of 1 is the same 
as stating that no credit is taken for a latency period. This is a 
difference between Sec.  25.1309(b)(4) and CS 25.1309(b)(4) since 
EASA's rule does not contain this exclusion. The FAA does not expect 
this difference to be significant because the exclusion in Sec.  
25.1309(b)(4) allows applicants to use a conservative assessment of a 
failure condition to show compliance.
---------------------------------------------------------------------------

    \25\ ASAWG report, revision 5.0, Section 6.1.2, Figure 6-1.
---------------------------------------------------------------------------

    GAMA/AIA, Gulfstream, and Boeing requested language for the Sec.  
25.1309(b)(4) final rule that was different from what the NPRM proposed 
and what EASA published in CS-25. The commenters' proposal provides 
criteria for acceptance of SLFs that depend on the probability and 
severity of the outcome. The FAA did not update the rule language as 
suggested; however, the FAA has incorporated the approach as a means of 
compliance for the catastrophic failure conditions in AC 25.1309-1B. 
This approach also incentivizes development of practical designs that 
meet the safety objectives of Sec.  25.1309(b)(1) and (b)(2). The 
approach for hazardous failure conditions was not included in AC 
25.1309-1B since it was not considered in the 2010 ARAC ASAWG specific 
risk tasking report.
    ANAC, Garmin, and Airbus requested changes to proposed Sec.  
25.1309(b)(4)(i) and (b)(4)(ii). The suggested changes are no longer 
relevant because paragraphs (i) and (ii) are not included in the Sec.  
25.1309(b)(4) final rule.
    Proposed Sec.  25.1309(b)(5) provided a new standard for limiting 
the risk of a catastrophic failure combination that results from two 
failures, either of which could be latent for more than one flight. 
ANAC stated that the criteria in proposed Sec.  25.1309(b)(5) is 
significantly different from the criteria in CS 25.1309(b)(5) and these 
differences may burden applicants by requiring them to comply with two 
different sets of criteria and may result in different product 
configurations. TCCA commented that differences between the proposed 
FAA rule and CS-25, both in wording and intent, would result in 
significant difficulties and increase the burden on applicants, 
particularly given the inherent complexity of safety assessments both 
at system and aircraft level. EASA stated that having different 
criteria in Sec.  25.1309(b)(5)(iii) and CS 25.1309(b)(5)(iii) would 
result in a duplication of effort for applicants. The FAA agrees that 
differences between FAA and EASA requirements could result in increased 
burden on applicants and civil aviation authorities. The final rule is 
therefore revised to improve harmonization, as described below.
    Several commenters recommended changes to Sec.  25.1309(b)(5). TCCA 
and ANAC recommended that the FAA fully harmonize Sec.  25.1309(b)(5) 
and CS 25.1309(b)(5), while EASA encouraged the FAA to implement the 
same criteria as CS 25.1309(b)(5)(iii). GAMA/AIA and Garmin suggested 
the FAA harmonize Sec.  25.1309(b)(5)(i) with CS 25.1309(b)(5)(i) by 
changing ``fault tolerance'' to ``redundancy.'' Boeing suggested the 
FAA update Sec.  25.1309(b)(5)(ii) to ``. . . the residual average 
probability per flight hour of the catastrophic failure condition 
occurring due to all subsequent single failures is remote.'' Airbus and 
Gulfstream preferred that the FAA harmonize Sec.  25.1309(b)(5)(iii) 
with CS 25.1309(b)(5)(iii), while GAMA/AIA preferred the FAA's proposed 
wording for Sec.  25.1309(b)(5)(iii). Boeing suggested the FAA change 
Sec.  25.1309(b)(5)(iii) to ``The probability of the latent failure 
occurring over its maximum exposure time does not exceed 1/1000.''
    The FAA uses the term ``fault tolerance'' in Sec.  25.1309(b)(5)(i) 
instead of ``redundancy'' as used in CS 25.1309(b)(5)(i) because the 
term ``redundancy'' could be interpreted as a prescriptive design 
requirement, and Sec.  25.1309 is intended to be a performance-based 
rule. In this final rule, the FAA revised Sec.  25.1309(b)(5)(ii) to 
refer to ``the residual average probability'' of the catastrophic 
failure condition following a single latent failure. The term 
``residual average probability'' is the remaining probability of a 
failure condition given the presence of a single latent failure. This 
change aligns with the recommendations from the 2010 ARAC ASAWG 
specific risk tasking recommendation report, sections 6.3.1.6 and 
6.3.1.7. The final rule uses ``all subsequent active failures'' rather 
than the proposed Sec.  25.1309(b)(5)'s ``all subsequent single 
failures'' to ensure the applicant accounts for the residual average 
probability of all active failures in a failure condition. Finally, the 
FAA agrees to harmonize Sec.  25.1309(b)(5)(iii) with CS 
25.1309(b)(5)(iii) to ensure that combined probability of all the 
latent failures is accounted for as recommended by the commenters, 
except that the FAA uses ``active failure'' in Sec.  
25.1309(b)(5)(iii), instead of ``evident failure'' as used in CS 
25.1309(b)(5)(iii). Having harmonized Sec.  25.1309(b)(5)(iii) with CS 
25.1309(b)(5)(iii), the FAA does not expect the differences in wording 
between Sec.  25.1309(b)(5) and CS 25.1309(b)(5) to be burdensome to 
applicants.
4. Paragraph (c)
    In the NPRM, proposed Sec.  25.1309(c) would require the applicant 
to provide information concerning unsafe system operating conditions to 
enable the flightcrew to take corrective action and to show that the 
design of systems and controls, including indications and 
annunciations, minimizes crew errors that could create additional 
hazards. ANAC, TCCA, and Boeing requested the FAA revise proposed Sec.  
25.1309(c) to include ``in a timely manner'' as part of the corrective 
action to be taken by the flightcrew. The FAA has updated the final 
rule accordingly. This change more closely harmonizes Sec.  25.1309(c) 
with CS 25.1309(c). In addition, the discussion of this proposal in the 
NPRM preamble refers to the importance of providing timely and 
effective annunciations to allow appropriate crew action.
    TCCA requested that the FAA align the wording of proposed Sec.  
25.1309(c) with CS 25.1309(c). TCCA stated that the first sentence of 
proposed Sec.  25.1309(c) does not correctly reflect the intent of the 
rule, which is for the airplane and systems to provide information to 
the flightcrew when necessary for safe operation. TCCA explained that 
``the applicant must provide information'' could be interpreted as 
requiring the applicant to provide documentation or training instead of 
flightcrew alerts as intended. The FAA agrees and revised the first 
sentence of Sec.  25.1309(c) to say that the airplane and systems 
provide the necessary information. This will harmonize the intent with 
the corresponding sentence in CS 25.1309(c).
    To further harmonize with EASA's rule, the FAA revised the second 
sentence of Sec.  25.1309(c) to require that systems and controls, 
including ``information,'' indications, and annunciations, be designed 
to minimize crew errors. ``Information'' refers to the same term used 
in the first sentence of Sec.  25.1309(c) and has the same intent as 
used in Sec.  25.1302.
5. Paragraph (d)
    In the NPRM, the FAA proposed to move the requirements of Sec.  
25.1309(d) regarding mandatory methods showing compliance with Sec.  
25.1309(b) to guidance (AC 25.1309-1B). The NPRM

[[Page 68720]]

proposed that new Sec.  25.1309(d) would require applicants to 
establish ``Certification Maintenance Requirements,'' or CMRs, as 
limitations in the airplane's Instructions for Continued Airworthiness. 
Applicants have long used CMRs, such as mandatory inspections at 
scheduled intervals, to show that their proposed design complies with 
Sec.  25.1309 and other part 25 regulations that establish reliability 
requirements.
    In this final rule, however, the FAA is moving the CMR requirement 
to Sec.  25.1309(e), as discussed in the following section. 
Accordingly, the FAA is revising Sec.  25.1309(d) to ``Reserved'' as 
requested by Boeing, TCCA, and Safran. This will be a difference 
between Sec.  25.1309(d) and CS 25.1309(d) because the latter states 
that applicants must assess Electrical Wiring Interconnection System 
(EWIS) per CS 25.1709. The FAA expects this difference to have no 
effect in practice because Sec.  25.1309 is a general requirement that 
applies to all systems, including EWIS. In addition, Sec.  25.1709 
addresses system safety of EWIS, and Sec.  25.1709 is harmonized with 
CS 25.1709.
6. Paragraph (e)
    In the NPRM, the FAA proposed that Sec.  25.1309(d) would require 
an applicant to establish CMRs to prevent development of the failure 
conditions described in Sec.  25.1309(b) and to include these CMRs in 
the ALS. In the final rule, these requirements are now in Sec.  
25.1309(e).
    The FAA's proposed CMR requirement referenced Sec.  25.1309(b), 
which addresses catastrophic, hazardous, and major failure conditions. 
Boeing, GAMA/AIA, Gulfstream, and Garmin suggested that the requirement 
to establish CMRs in Sec.  25.1309(d) be limited to CMRs that address 
catastrophic and hazardous failure conditions in Sec.  25.1309(b)(1) 
and (b)(2). TCCA commented that the NPRM describes CMRs as tasks to 
detect safety significant failures that result in hazardous or 
catastrophic conditions but recommended that major failure conditions 
should also be considered.
    The FAA declines to restrict the use of CMRs to catastrophic and 
hazardous failure conditions. Although a CMR is primarily used to 
establish a required maintenance task that would detect issues such as 
the wear out or a hidden failure of an item whose failure is associated 
with a hazardous or catastrophic failure condition, a CMR may also be 
used to detect a latent failure that would, in combination with one 
specific failure or event, result in a major failure condition. The SSA 
identifies the need for a scheduled maintenance task. It may be 
necessary for applicants to include a CMR in the ALS of the ICA for a 
major failure condition if the maintenance task is not provided in 
other areas of the ICA. An acceptable process for selecting CMRs is 
provided in AC 25-19A, Certification Maintenance Requirements.\26\
---------------------------------------------------------------------------

    \26\ Available at drs.faa.gov.
---------------------------------------------------------------------------

    ANAC questioned whether the FAA intended proposed Sec.  25.1309(d) 
to require CMRs for all failure conditions and requested the FAA 
clarify in the final rule language that CMRs be established ``as 
necessary.'' The FAA agrees to add the words ``as necessary'' to the 
final rule. As explained in AC 25-19A, the process of creating CMRs to 
control risk of failures described in Sec.  25.1309(b) begins with 
identifying candidate CMRs (CCMRs) until a committee of experts 
determines they are CMRs. Thus, the FAA does not require CMRs for all 
failure conditions, and not every CCMR will become a CMR. Although 
adding ``as necessary'' results in different language between Sec.  
25.1309(e) and CS 25.1309(e), this difference does not affect 
harmonization between the FAA and EASA because the guidance for 
selecting CMRs is aligned.
    Garmin requested the FAA reword proposed Sec.  25.1309(d) to 
require the safety analysis to identify the CCMRs that must be 
dispositioned using a process acceptable to the Administrator to 
identify which CCMRs should be airworthiness limitations. Garmin stated 
that the proposed wording seems to preclude the use of AC 25-19A to 
first identify and classify CCMRs. The FAA does not agree with this 
request. The final rule requires CMRs to be established and included in 
the ALS of the airplane's ICA. The associated guidance in AC 25-19A 
provides a method of compliance, which includes identifying and 
dispositioning CCMRs as CMRs. The FAA also did not adopt the 
commenter's proposed change because it would result in a difference 
compared to corresponding EASA regulations and guidance.
    Airbus commented that the word ``detect'' is more appropriate than 
the word ``prevent'' used in proposed Sec.  25.1309(d) since failures 
will be detected during CMR tasks. The FAA did not replace ``prevent'' 
with ``detect'' since the intent of this rule is to prevent the 
development of the failure condition by detecting the existence of a 
latent failure.

I. Section 25.1365, Electrical Appliances, Motors, and Transformers

    In the NPRM, the FAA proposed to remove the reference to Sec.  
25.1309(d) from Sec.  25.1365(a) because Sec.  25.1309(d) would no 
longer contain mandatory methods for demonstrating compliance with 
Sec.  25.1309(b). GAMA/AIA and Gulfstream commented that the FAA should 
remove Sec. Sec.  25.1431(a), 25.1351(a)(2), and 25.1365(a), as those 
regulations are redundant to or simply point to compliance with Sec.  
25.1309. The FAA does not agree with this request because removing 
Sec. Sec.  25.1431(a), 25.1351(a)(2), and 25.1365(a) may have 
unintended consequences. In addition, removal of these regulations was 
not proposed in the NPRM. The FAA did not change this final rule as a 
result of this comment but has removed the reference to Sec.  
25.1309(d) from Sec.  25.1365(a) as proposed in the NPRM.

J. Section H25.4(a) of Appendix H, Airworthiness Limitations Section

    The FAA adopts Sec.  H25.4(a) of appendix H as proposed in the 
NPRM. The FAA received no comments on this section.

K. Miscellaneous Comments

1. Applicability of Sec.  25.1309 to Electromagnetic Conditions
    Bombardier commented that the NPRM preamble indicates that the FAA 
did not intend proposed Sec.  25.1309(b) and the associated advisory 
material to change how type certificate applicants account for systems' 
exposure to high-intensity radiated fields (HIRF) and lightning. 
Bombardier requested that the FAA clarify whether this same principle 
applies to electromagnetic conditions in other regulations (e.g., 
Sec. Sec.  25.1353, 25.1431, 25.899). The FAA does not intend revised 
Sec.  25.1309 and the associated advisory material to take precedence 
over or supersede how applicants address electromagnetic conditions in 
accordance with other regulations.
2. Revise Nonregulatory Definitions
    This section addresses commenters' requests to revise definitions 
that the FAA provided in the NPRM preamble or in draft AC 25.1309-1B. 
The FAA also proposed in the NPRM that some of these definitions would 
be included in new Sec.  25.4. The following paragraphs address the 
definitions of hazardous failure condition, latent failure, single 
failure, event, and failure condition.
    The FAA included a table of definitions in the preamble of the 
NPRM. The table included some definitions given in proposed Sec.  25.4 
and

[[Page 68721]]

provided additional definitions that were not in proposed Sec.  25.4. 
That table is not included in this final rule; applicants should 
instead refer to this preamble, final Sec.  25.4 and AC 25.1309-1B. 
Relevant definitions are provided in Sec.  25.4 Definitions or in the 
appropriate AC.
    GAMA/AIA, Airbus, Boeing, Bombardier, and Garmin requested that the 
FAA remove the following language from the preamble definition of 
``hazardous failure condition:'' ``Note: For the purpose of performing 
a safety assessment, a `small number' of fatal injuries means one such 
injury.'' The commenters stated that considering a ``small number'' of 
fatal injuries to be one such injury for the purpose of performing 
safety assessments is too restrictive. This note was only in the 
preamble and not in the proposed regulatory definition in Sec.  25.4, 
as the FAA considered it guidance on the application of the definition. 
The FAA agrees to remove this note from AC 25.1309-1B. The note is not 
included in AMC Sec.  25.1309, nor was it included in any of the 
relevant ARAC recommendations. Given the difficulty and context-
dependent nature of estimating whether a failure condition would result 
in one or multiple fatal injuries, the FAA finds that it is not 
necessary to define ``small number'' in order to provide the necessary 
separation between hazardous and catastrophic failure conditions. 
Historically, applicants have assessed this aspect of the definition of 
``hazardous failure condition'' differently based on the size of the 
airplane, number of occupants, and fleet size. The FAA will continue to 
accept this practice.
    ANAC commented that the FAA's definition of ``latent failure'' in 
the NPRM preamble table (``a failure that is not apparent to the 
flightcrew or maintenance personnel'') may be confusing since the 
maintenance crew will detect latent failures through periodic 
maintenance activities such as CMRs. ANAC recommended the FAA use the 
following definition of latent failure: ``A failure which is not 
detected and/or annunciated when it occurs.'' The FAA agrees and has 
updated the definition of ``latent failure'' in AC 25.1309-1B. Boeing, 
GAMA/AIA, TCCA, and Garmin requested that the FAA modify the definition 
of ``latent failure'' to include the qualifier ``for more than one 
flight'' to ensure consistent understanding and application. The FAA 
did not make this change because the definition of ``latent failure'' 
includes undetectable failures regardless of the latency period. AC 
25.1309-1B has been updated to provide additional guidance on the 
appropriate duration of a latent failure; that is, an acceptable means 
of compliance to SLF minimization is to show that the failure would not 
be latent for more than one flight.
    TCCA requested that the FAA clarify the intent of the phrase 
``common causes'' as used in the NPRM preamble table's definition of 
single failure or state that common causes may include external events 
that are not considered failures (e.g., bird strike). TCCA stated that 
the NPRM preamble and draft AC 25.1309-1B definitions of ``failure'' 
include a note that errors and events are not considered failures and 
that this creates an apparent conflict where the definition of single 
failures includes common causes. Airbus also stated that external 
events are not system failures and questioned whether external failure 
conditions should be explicitly excluded from Sec.  25.1309 because 
they are already covered by their own regulations (e.g., bird strike is 
specifically addressed under Sec.  25.631). In response, the FAA has 
updated the single failure definition in AC 25.1309-1B to be the same 
as provided by the ARAC SDAHWG recommendations report that included a 
draft AC 25.1309 (see the ``Arsenal'' draft AC 25.1309 ).\27\
---------------------------------------------------------------------------

    \27\ Available in the docket as part of the SDAHWG 
recommendation, ``Task 2--System and Analysis Harmonization and 
Technology Update,'' pp. 61-99, and at www.faa.gov/regulations_policies/rulemaking/committees/documents/media/TAEsdaT2-5241996.pdf.
---------------------------------------------------------------------------

    In addition, the FAA updated the note within the definition of 
``failure'' in AC 25.1309-1B to remove the word ``events.'' In general, 
an SSA addresses how systems are affected by an external event, such as 
a bird strike, using a common cause analysis or a single event cause 
where the external event is assumed without a probability.
    Bombardier stated that the FAA's definition of ``single failure'' 
in the preamble table was ambiguous and implied that a single failure 
would affect multiple ``components, parts or elements'' when most 
single failures will affect single components or parts. Bombardier 
requested the FAA revise the definition to ``a single occurrence that 
affects the operation of a component, part, or element such that it no 
longer functions as intended'' or not adopt the definition. The FAA 
updated the definition of ``single failure'' to ``any failure or set of 
failures that cannot be shown to be independent from each other'' in AC 
25.1309-1B. The FAA did not make the requested change because the FAA 
intends that applicants treat a common mode failure of multiple 
components, parts, or elements as a ``single failure,'' and this 
connection would be lost if the FAA were to revise the definition as 
Boeing proposed.
    TCCA recommended that the FAA consider changing the term ``event'' 
in the preamble table to ``external event'' to align with EASA CS-25, 
ARP4754B ``Guidelines for Development of Civil Aircraft and Systems,'' 
and ARP4761A. The FAA agrees and has updated ``event'' to ``external 
event'' in AC 25.1309-1B.
    Boeing requested that the FAA address ``collisions (intentional or 
not)'' in the definition of ``event.'' Boeing stated that this change 
would provide clarity that collisions are not events to be considered 
as part of required safety assessments. Although the FAA updated the 
term ``event'' to ``external event'' in AC 25.1309-1B, the FAA did not 
change its definition in response to this comment. The definition of 
``external events'' states that it does not cover sabotage or other 
similar intentional acts. Intentional collisions are intentional acts 
and, therefore, not an ``external event.'' Unintentional collision may 
be due to failure of onboard system equipment, which is excluded from 
this definition since its origin is not distinct from that of the 
airplane. Unintentional collision may be due to flightcrew error, which 
is already excluded.
    The preamble table's definition of ``failure condition'' referenced 
a condition that affected ``the airplane, its occupants, or other 
persons.'' Bombardier requested that the FAA remove ``or other 
persons'' from this definition or provide guidance as to how applicants 
can assess potential effects on other persons and how these effects 
would relate to severity classification. The FAA declines to change the 
definition of ``failure condition'' in AC 25.1309-1B. The FAA included 
the words ``or other persons'' to account for the effects on persons 
other than the airplane occupants that applicants should take into 
consideration when assessing failure conditions for compliance with 
Sec.  25.1309. AC 25.1309-1B provides guidance on the type of persons, 
the risks to be considered, and how applicants can classify the failure 
conditions given the effects on other persons that do not include 
airplane occupants. For example, ground maintenance crew involved in 
servicing the airplane while `in-service' could have a risk of an 
inadvertent door coming open or thrust reverser movement.

[[Page 68722]]

3. Revise Other Regulations
    In the NPRM, the FAA proposed that the revised Sec.  25.1309(b) 
would not apply to single failures in the brake system because those 
failures are adequately addressed by Sec.  25.735(b)(1). An individual 
commenter recommended changes to current Sec.  25.735, ``Brakes and 
braking systems,'' stating that parts of Sec.  25.735 are no longer 
relevant or need to be updated to reflect modern braking systems. The 
commenter requested changes to Sec.  25.735 and corresponding changes 
to AC 25.1309-1B. Gulfstream also requested that the FAA add a 
paragraph to Sec.  25.735 to address braking capability with all 
engines inoperative. The FAA does not agree with these requests. The 
FAA did not propose changes to Sec.  25.735 in the NPRM, and such 
changes are outside the scope of this rulemaking.
    GAMA/AIA and Bombardier requested that the FAA revise Sec.  25.672, 
``Stability augmentation and automatic and power-operated systems,'' in 
this rulemaking package. GAMA/AIA stated that proposed Sec.  25.671(c) 
removed the failures that Sec.  25.672 is referencing. Bombardier 
suggested that the FAA remove Sec.  25.672(c) because the failures 
addressed under Sec.  25.672(c) could be addressed entirely under Sec.  
25.1309(b) or clarify that the intent of Sec.  25.672(c) does not apply 
to modern fly-by-wire aircraft. In addition, GAMA/AIA requested that 
the FAA add guidance for Sec.  25.672 that reflects the recommendations 
made by the FTHWG. The FAA did not change this final rule or associated 
guidance material as a result of these comments. Revising Sec.  25.672 
is unnecessary because Sec.  25.672(b) refers to failures specified in 
Sec.  25.671(c), and the final rule for Sec.  25.671(c) includes these 
failures. Section 25.672(c) contains requirements that are in addition 
to the requirements of Sec.  25.1309(b). The FAA declines to add 
guidance at this time for Sec.  25.672 based on recommendations made by 
the FTHWG because further discussion is needed to harmonize the 
guidance for Sec.  25.672 with other regulatory authorities; the FAA 
notes these discussions are ongoing in a Certification Authorities for 
Transport Airplanes (CATA) harmonization activity.\28\ The FAA does not 
agree to clarify that the intent of Sec.  25.672(c) does not apply to 
modern fly-by-wire aircraft because the FAA has not made this 
determination.
---------------------------------------------------------------------------

    \28\ www.faa.gov/aircraft/air_cert/design_approvals/transport/transport_intl/cata.
---------------------------------------------------------------------------

4. Revise Cost-Benefit Analysis
    Garmin commented on the NPRM that the cost-benefit analysis does 
not consider the impact on amended type certificate (ATC) or 
supplemental type certificate (STC) projects that would be considered 
significant under Sec.  21.101, known as the Changed Product Rule. In 
addition, MARPA requested the FAA clarify the applicability of the SSA 
rule to parts manufacturer approval (PMA) applicants and STC 
applicants. If the SSA rule is applicable to PMA and STC applicants, 
MARPA requested that the FAA adjust the cost-benefit analysis 
accordingly, complete a Regulatory Flexibility Act analysis, and make 
the revised cost-benefit analysis and Regulatory Flexibility Act 
analysis available for comment in a supplemental NPRM.
    This final rule updates the cost-benefit analysis to take account 
of the fact that the final rule closely harmonizes with the 
corresponding EASA rule. Since U.S. manufacturers already are required 
to meet the EASA requirements, the closely harmonized provisions of the 
final rule impose no or minimal costs. In future STC or ATC projects 
where the design change is determined under the Changed Product Rule to 
be a significant product level change, the Changed Product Rule will 
then require that the certification basis of those projects be updated. 
The cost-benefit analysis for the Changed Product Rule, however, has 
determined that the required updated certification basis for such 
projects is cost-beneficial.\29\ PMAs (replacement articles) are 
managed in accordance with Subpart K to part 21. The final rule will 
apply only at that time in the future when a PMA (or non-significant 
STC) applicant seeks to modify a product that already has the final 
rule in its certification basis. Accordingly, the FAA finds that 
neither a Regulatory Flexibility Act analysis nor a supplemental NPRM 
is required.
---------------------------------------------------------------------------

    \29\ 65 FR 36266, June 7, 2000.
---------------------------------------------------------------------------

    Garmin commented that the cost discussion misses the fact that 
Sec.  25.1309(b)(4), without a cutset limit, could result in additional 
costs to redesign the systems from what has historically been 
acceptable and conventional. Garmin also stated that the 1/1000 
requirement could be applied to any level of cutset, which could drive 
design changes, and that there are additional costs to negotiate with 
the FAA to produce the analysis that proves 1/1000 is met or that 
latency is minimized; thus, the FAA should revise the cost-benefit 
analysis to include those costs.
    In this final rule, the FAA is not adopting the 1/1000 requirement 
that it had proposed for Sec.  25.1309(b)(4); that section will not 
apply if the associated system meets the average risk requirements of 
Sec.  25.1309(b)(1) and (b)(2), assuming the SLF has occurred. 
Moreover, the FAA has moved the 1/1000 criterion to AC 25.1309-1B as 
guidance. These changes address the commenter's concern that proposed 
Sec.  25.1309(b)(4) needed a minimal cutset limit. There may be 
demonstration or negotiation costs to show impracticality or 
minimization of the SLF latency, but these costs are already accounted 
for in the cost-benefit analysis of the Changed Product Rule, Sec.  
21.101.
    Garmin questioned whether the FAA has adequately justified the cost 
of applying the specific risk criteria of proposed Sec.  25.1309(b)(4) 
and (b)(5) to systems that have not historically had such a 
requirement. Garmin also requested that the FAA update the cost 
discussion for specific risk to acknowledge that for most of the 
aircraft systems the existing Sec.  25.1309(b) is the right baseline. 
Given that in the final rule, the Sec.  25.1309(b)(4) and (b)(5) 
requirements are closely aligned with the corresponding EASA 
requirements, the FAA responds that the correct baseline is the EASA 
rule since it is already in place. Using that baseline, the additional 
cost to manufacturers is, at most, minimal since manufacturers already 
have to meet the corresponding EASA requirements.
    Garmin stated that if the FAA regulations remain different from 
EASA's, then the cost of an applicant's validation to differing 
expectations should be considered. Also, TCCA commented that the cost-
benefit assessment could improve by increasing harmonization. As 
already noted, the FAA has increased the level of harmonization between 
the final rule and EASA CS-25, as compared to the NPRM, to such an 
extent that the remaining costs associated with this rulemaking are 
minimal.
5. Aircraft Certification, Safety, and Accountability Act
    The preamble of the NPRM included a summary of the FAA's ongoing 
implementation of Section 115 of the Aircraft Certification, Safety, 
and Accountability Act (ACSAA). The FAA received one comment on these 
implementation activities, a supportive comment from ALPA. The FAA 
continues to take action to implement Section 115, including the 
revision of relevant guidance documents such as AC 25.1309-1B, which 
the FAA issued as part of this rulemaking.
6. Other
    The FAA received a request from GAMA/AIA to include a file within 
the

[[Page 68723]]

docket that contained the FAA's responses to all NPRM comments that the 
FAA received. The FAA does not agree with this request. This final rule 
discusses the comments in detail. Additionally, many comments on the 
NPRM are no longer relevant because the FAA has revised the final rule 
to increase harmonization with EASA CS-25.
    The FAA also received comments from Airbus, Boeing, Bombardier, 
EASA, GAMA/AIA, and TCCA to revise specific preamble text of the NPRM. 
This final rule does not restate the entirety of the NPRM preamble, so 
specific editorial suggestions are not applicable, except as noted in 
the preceding discussion of definitions. No changes were made to this 
final rule in this regard.

K. Advisory Material

    The FAA has issued three new ACs and revisions to two existing ACs 
to provide guidance material for acceptable means, but not the only 
means, of showing compliance with the regulations in this final rule. 
These ACs are available in the public docket for this rulemaking:
     AC 25.671-1, Control Systems--General.
     AC 25.901-1, Safety Assessment of Powerplant 
Installations.
     AC 25.933-1, Unwanted In-Flight Thrust Reversal of 
Turbojet Thrust Reversers.
     AC 25.629-1C, Aeroelastic Stability Substantiation of 
Transport Category Airplanes.
     AC 25.1309-1B, System Design and Analysis.

VI. Regulatory Notices and Analyses

    Federal agencies consider impacts of regulatory actions under a 
variety of executive orders and other requirements. First, Executive 
Order 12866 and Executive Order 13563, as amended by Executive Order 
14094 (``Modernizing Regulatory Review''), direct that each Federal 
agency shall propose or adopt a regulation only upon a reasoned 
determination that the benefits of the intended regulation justify the 
costs. Second, the Regulatory Flexibility Act of 1980 (Pub. L. 96-354) 
requires agencies to analyze the economic impact of regulatory changes 
on small entities. Third, the Trade Agreements Act (Pub. L. 96-39) 
prohibits agencies from setting standards that create unnecessary 
obstacles to the foreign commerce of the United States. Fourth, the 
Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) requires agencies 
to prepare a written assessment of the costs, benefits, and other 
effects of proposed or final rules that include a Federal mandate that 
may result in the expenditure by State, local, or tribal governments, 
in the aggregate, or by the private sector, of $100,000,000 or more 
annually (adjusted annually for inflation) in any one year. The current 
threshold after adjustment for inflation is $183,000,000, using the 
most current (2023) Implicit Price Deflator for the Gross Domestic 
Product. The FAA has provided a detailed Regulatory Impact Analysis 
(RIA) in the docket for this rulemaking. This portion of the preamble 
summarizes the FAA's analysis of the economic impacts of this final 
rule.
    In conducting these analyses, the FAA determined that this final 
rule (1) has benefits that justify its costs; (2) is not significant 
under section 3(f)(1) of Executive Order 12866 as amended; (3) will not 
have a significant economic impact on a substantial number of small 
entities; (4) will not create unnecessary obstacles to the foreign 
commerce of the United States; and (5) will not impose an unfunded 
mandate on State, local, or tribal governments, or on the private 
sector. These analyses are summarized below.

A. Regulatory Evaluation

1. Summary of Rule Provisions
    In the NPRM, the FAA proposed to amend certain airworthiness 
regulations to standardize the criteria for conducting safety 
assessments for systems, including flight controls and powerplants, 
installed on transport category airplanes. This final rule generally is 
adopted as proposed. In some provisions, the FAA has increased the 
level of harmonization between the final rule and EASA CS-25, as 
compared to the NPRM, to such an extent that the remaining costs 
associated with this rulemaking are minimal.
    The predominant action of the final rule will:
     Require applicants to minimize, to the extent possible, 
the problem of significant latent failures (SLFs), a problem that is 
highlighted in the case of catastrophic dual failures, where a latent 
failure can leave the airplane one active failure away from a 
catastrophic accident.
    The rule also:
     Institutes an ``airplane-level'' SSA that will integrate 
and, to the extent possible, standardize safety assessment criteria 
across critical airplane systems:
    [cir] Reflecting the much greater integration of modern aircraft 
systems (e.g., avionics and fly-by-wire systems) as compared to what 
they were when the current safety criteria in Sec.  25.1309 and other 
system safety assessment rules were established in 1970.\30\
---------------------------------------------------------------------------

    \30\ 35 FR 5665 (Apr. 8, 1970).
---------------------------------------------------------------------------

    [cir] Including removal of general systems safety criteria from 
Sec.  25.901(c) [Powerplant Installation] and pointing to Sec.  25.1309 
(General System Safety Criteria) for these criteria, and allowing a 
``reliability'' (Sec.  25.1309) option in addition to the current 
``controllability'' requirement for developing designs for turbojet 
thrust reversing systems (Sec.  25.933).
     Requires CMRs to identify and restrict exposure to the SLF 
conditions addressed in Sec.  25.1309 and requires CMRs to be contained 
in the ALS of the ICA.
     Updates SSA requirements in order to address new 
technology in flight control systems and the effects these systems can 
have on airplane controllability.
    [cir] For airplanes equipped with fly-by-wire control systems, 
compensates for a lack of direct tactile link between flightdeck 
control and control surface by providing natural or artificial control 
feel forces or flightcrew alerting
     Requires assessment of the effect of system failures on 
airplane structural loads.
     Revises applicability of the requirement that equipment 
and systems perform their intended functions:
    [cir] Broadens the applicability of Sec.  25.1309 to include any 
equipment or system installed in the airplane regardless of whether it 
is required for type certification, operating approval, or is optional 
equipment.
    [cir] Allows equipment associated with passenger amenities (e.g., 
entertainment displays and audio systems) not to work as intended as 
long as the failure of such systems would not affect airplane safety.
2. Cost and Benefits of the Final Rule
    As discussed below, the FAA finds that all provisions of this final 
rule are closely harmonized with corresponding EASA provisions already 
in effect. This means that manufacturers face no additional cost 
because they already have to meet the EASA requirements, and in most 
cases, the provisions of this final rule are cost-beneficial owing to 
reduced costs from joint harmonization. Some provisions of the final 
rule are cost-relieving. Moreover, most, if not all, of the rule 
provisions are already in effect owing to industry practice, ELOS 
findings, or special conditions.\31\ There

[[Page 68724]]

is no additional cost for provisions that are already voluntary 
industry practice or voluntary ELOS findings. Special conditions have 
been required, but owing to the long duration of these special 
conditions (20-40 years), the FAA finds that they are now accepted by 
industry as the low-cost actions for the issues addressed, so there is 
no change with codification and, therefore, no additional cost. The FAA 
asked for comments on this last finding in the NPRM and received none.
---------------------------------------------------------------------------

    \31\ The FAA issues special conditions when we find that the 
airworthiness regulations for an aircraft, aircraft engine, or 
propeller design do not contain adequate safety standards, because 
of a novel or unusual design feature. These special conditions stay 
in place until they are replaced by adequate regulations, as is done 
in this rulemaking.
---------------------------------------------------------------------------

a. Section 25.1309 Equipment, Systems, and Installations
    There was no change to Sec.  25.1301 in the final rule compared to 
the NPRM, and there were no changes to Sec.  25.1309(a) in the final 
rule except for a small change in Sec.  25.1309(a)(2) to match the ARAC 
language and to harmonize with EASA.
    The rule revises current Sec.  25.1309(a) into two paragraphs. 
Section 25.1309(a)(1) revises the applicability of the Sec.  25.1309(a) 
requirement that equipment and systems perform their intended function. 
Section 25.1309(a)(1) clarifies that the rule applies to any equipment 
or system installed in the airplane regardless of whether it is 
required for type certification, operating approval, or is optional 
equipment. As this requirement harmonizes closely with EASA's 
corresponding requirement, with which part 25 manufacturers are already 
required to comply, there is no additional cost. However, the 
requirement has reduced costs from joint harmonization and, therefore, 
will be cost-beneficial.
    Along with an associated change to Sec.  25.1301, ``Function and 
Installation,'' Sec.  25.1309(a)(2) will allow equipment associated 
with passenger amenities (e.g., entertainment displays and audio 
systems) not to function as intended as long as the failure of such 
systems do not affect airplane safety. No safety benefit is derived 
from demonstrating that such equipment performs as intended if failing 
to perform as intended will not affect safety. Accordingly, this change 
will reduce the certification cost of passenger amenities for airplane 
manufacturers without affecting safety; therefore, this change is cost-
beneficial.
i. Sections 25.1309(b)(1), (b)(2), and (b)(3) (Average Risk and Fail-
Safe Criteria)
    The current rule requires that airplane systems and associated 
components be designed so that any failure condition that ``would 
prevent the continued safe flight and landing of the airplane'' 
(catastrophic failure condition) is ``extremely improbable,'' a 
condition specified in AC 25.1309-1A (6-21-1988) as ``on the order of 
<=10-9 per flight hour.'' This is the traditional ``average 
risk'' requirement and is retained in the final rule at Sec.  
25.1309(b)(1)(i).
    The current rule requires any failure condition that ``would reduce 
the capability of the airplane or the ability of the crew to cope with 
adverse operating conditions'' to be ``improbable'' (on the order of 
10-9 < p <=10-5), a failure condition specified 
in current AC 25.1309-1A as ``major.'' Current practice, however, has 
been to use the SDAHWG recommended ``Arsenal'' draft AC 25.1309 (6-10-
2002) under which the previous ``major'' failure condition has been 
divided into two categories: ``hazardous'' (on the order of 
10-9 < p <=10-7) and ``major'' (on the order of 
10-7 < p <=10-5), categories that have been 
incorporated into this final rule in Sec.  25.1309(b)(2) and (b)(3). 
These changes can be thought of as the average risk criteria for 
hazardous and major failure conditions.
    As it harmonizes with corresponding EASA major and hazardous 
categories and is current industry practice, this rule change is cost-
beneficial as it entails no additional costs but is cost-beneficial 
from reduced costs of joint harmonization. The FAA asked for comments 
on this finding but received none. Moreover, the rule structure and 
intent are in perfect harmony with EASA's corresponding requirements 
and, therefore, will entail no additional cost to manufacturers.
    As recommended by the SDAHWG, Sec.  25.1309(b)(1)(ii) will 
explicitly require that single failures must not result in catastrophic 
failures--the ``no single failure'' fail-safe requirement. As it 
harmonizes with the equivalent EASA requirement and is already current 
industry practice, this requirement is cost-beneficial as it entails no 
additional costs but has reduced costs from joint harmonization.\32\
---------------------------------------------------------------------------

    \32\ The no single failure requirement was inadvertently removed 
in 1970 but remained industry practice. At the same time, the no 
single failure requirement was made explicit for flight controls, 
and in 1977 was made explicit for powerplants.
---------------------------------------------------------------------------

ii. Sections 25.1309(b)(4) and (b)(5) (Specific Risk Criteria)
    Sections 25.1309(b)(4) and (b)(5) represent the predominant change 
to existing SSA requirements in that they are adding specific risk 
approaches to SSA to supplement the traditional average risk approach 
in order to address the problem of latent failures.
    Section 25.1309(b)(4) requires the elimination of SLFs to the 
extent practical, or, if not practical, to minimize them so as to limit 
situations where the airplane is one failure away from a catastrophic 
accident. (This is particularly important in the case of catastrophic 
CSL+1 dual failures specifically addressed in the section on Sec.  
25.1309(b)(5) immediately following.) The NPRM also required that the 
product of the maximum time the latent failure is expected to be 
present and its average failure rate not exceed 1/1000. Based on 
comments on the NPRM that this requirement was onerous and not in 
harmony with EASA, this provision was moved to AC 25.1309-1B, System 
Design and Analysis, as a possible means of compliance.
    Several commenters on the NPRM also pointed out that, in many 
cases, it would be wasteful to require analysis of an SLF with 
sufficient redundancy that the average risk criteria continued to hold 
even when setting the SLF probability to unity.\33\ Consequently, Sec.  
25.1309(b)(4) does not apply in those cases. This exception is not in 
the corresponding CS 25.1309(b)(4), but even with this difference, 
compared to the NPRM, this provision is more closely harmonized with 
the EASA provision as the FAA has removed an intermediate step--the 
less than 1/1000 criterion--that is not in the EASA rule and moved it 
to AC 25.1309-1B.
---------------------------------------------------------------------------

    \33\ SLFs are identified at the beginning of an SSA, or during a 
Preliminary SSA, in which the manufacturer undertakes a functional 
hazard assessment on the basis of which a hazard's ``hazard 
classification'' is validated as catastrophic, hazardous, etc. These 
evaluations are qualitative and are independent of ``average'' risk 
criteria that a catastrophic failure condition should be ``extremely 
improbable'' or <=10-9, or that a hazardous failure 
condition should be ``extremely remote'', or <=10-7.
---------------------------------------------------------------------------

    Accordingly, the FAA finds no costs to this provision as 
manufacturers already have to comply with a corresponding EASA 
provision. Moreover, elimination of SLFs when practical is already 
industry practice. Since the provision entails no costs, the FAA finds 
the rule to be cost-beneficial because of reduced costs from joint 
harmonization.

[[Page 68725]]

iii. Section 25.1309(b)(5) (CSL+1 Dual Failures)
    A ``CSL+1 (Catastrophic Single Latent Plus One)'' refers to a 
catastrophic failure condition caused by a single latent failure and an 
active (evident) failure. Section 25.1309(b)(5)(i), adopted as 
proposed, is similar to Sec.  25.1309(b)(4) in that it also requires 
the dual failure to be eliminated if practical. An example is an AD 
action that eliminated the CSL+1 dual failure that caused the 
catastrophic Lauda Air Flight 004 (1994); the AD required that a third 
lock be added to the thrust reverser system. This change converted the 
dual failure condition to a triple failure condition and removed the 
airplane from a situation where it was one failure away from a 
catastrophic accident.
    If the dual failure condition cannot be eliminated, additional 
control is appropriate beyond the traditional ``extremely improbable'' 
(average risk) requirement applied to a combination of failures. The 
additional control takes the form of two specific risk criteria: (1) a 
requirement to ``limit residual probability'' (Sec.  25.1309(b)(5)(ii)) 
and (2) a ``limit latency'' requirement (Sec.  25.1309(b)(5)(iii)).
    The requirement to limit the residual probability limits the 
probability of a catastrophic failure in the presence of a latent 
failure to be ``remote'' (on the order of <=10-5). So, this 
requirement limits the risk of a catastrophic accident in the situation 
where a latent failure has occurred, and the airplane is a single 
failure away from a catastrophic accident.\34\ The limit latency 
requirement limits the probability of the latent failure itself to be 
<=1/1000 so as to limit the time between maintenance inspections, that 
the airplane is operating one failure away from a catastrophic 
accident.\35\ \36\ There are no substantial changes to Sec.  
25.1309(b)(5) in the final rule compared to the NPRM.
---------------------------------------------------------------------------

    \34\ More generally, if multiple active failures could cause a 
catastrophic accident in the presence of the latent failure, the 
average probability (per flight hour) of these active failures must 
be remote.
    \35\ More generally, the sum of the probabilities of the latent 
failures combined with an active failure must be <= 1/1000.
    \36\ Since the 10-9 average risk criterion must also 
be met, if residual risk is on the order of 10-5, the 
latent failure rate must be 10-4 or less. Conversely, if 
the latent failure rate is at 10-3, residual risk must be 
on the order of 10-6 or less.
---------------------------------------------------------------------------

    The FAA finds that Sec.  25.1309(b)(5) is in perfect harmony with 
CS 25.1309(b)(5) in structure and intent and closely harmonizes in rule 
language. Accordingly, there is no cost to this provision because 
manufacturers already have to comply with an equivalent EASA 
requirement. Therefore, this rule is cost-beneficial because of reduced 
costs from joint harmonization.
iv. Section 25.1309(c) (Flightcrew Alerting)
    Section 25.1309(c) currently requires that warning information be 
provided to the flightcrew to alert them to unsafe system operating 
conditions and to enable them to take appropriate corrective action. 
Revised Sec.  25.1309(c) requires that information be provided to the 
flightcrew concerning unsafe system operating conditions, rather than 
requiring only warnings and, in a change to the NPRM that more closely 
harmonizes with the corresponding EASA provision, that it be provided 
in a timely manner. The revision will remove an incompatibility with 
Sec.  25.1322, which allows other sensory and tactile feedback from the 
airplane caused by inherent airplane characteristics to be used in lieu 
of dedicated indications and annunciations if the applicant can show 
such feedback is sufficiently timely and effective to allow the crew to 
take corrective action.
    These changes closely harmonize Sec.  25.1309(c) with CS 
25.1309(c). Owing to close harmonization with EASA's rule already in 
place, there is no cost entailed by these rule changes.
v. Section 25.1309(d) (Reserved)
    Current Sec.  25.1309(d) specifies that compliance to Sec.  
25.1309(b) must be shown by analysis and appropriate testing, and must 
consider possible modes of failure, including malfunctions and damage, 
and also that the assessment considers crew warning cues, corrective 
action required, and the capability of detecting faults. With this 
rulemaking, for two reasons, the FAA moves that content to AC 25.1309-
1B, along with expanded guidance on the safety assessment process: (1) 
Section 25.1309 is a performance-based regulation for which methods of 
compliance are more appropriately provided in guidance, and (2) the 
items for consideration listed in Sec.  25.1309(d) constitute an 
incomplete method of compliance to Sec.  25.1309(b). This change is 
cost-beneficial because requirements have been relegated to guidance 
material, giving manufacturers greater flexibility.
    CS 25.1309(d) simply states that EWIS must be assessed per CS 
25.1709. The current FAA rule has the same requirement in Sec.  
25.1309(f), but it was removed in the NPRM on the basis of redundancy, 
and proposed Sec.  25.1309(d) was used for the CMR requirement. In the 
final rule, the CMR requirement has been moved to Sec.  25.1309(e) (see 
next section) and Sec.  25.1309(d) is now reserved.
vi. Section 25.1309(e) and H25.4 (Certification Maintenance 
Requirements)
    CMRs are inspection and maintenance tasks and associated inspection 
intervals that are used to identify and restrict exposure of critical 
airplane safety systems to catastrophic and hazardous failure 
conditions, including wear-related failures. An example highlighting 
the importance of CMRs is the catastrophic crash of Alaskan Airlines, 
Flight 261, in the Pacific Ocean off the California coast on January 
31, 2000, killing all 88 passengers and crew.\37\ The NTSB determined 
that the probable cause of this accident was a catastrophic loss of 
airplane pitch control resulting from in-flight failure of the 
jackscrew assembly of the horizontal stabilizer trim system. That 
failure was related to maintenance of this system, specifically the 
accelerated excessive wear of a critical part as a result of 
insufficient lubrication.
---------------------------------------------------------------------------

    \37\ NTSB Safety Recommendation A-02-51 is available in the 
docket and at www.ntsb.gov/safety/safety-recs/recletters/A02_36_51.pdf.
---------------------------------------------------------------------------

    Section 25.1309(e) is a new provision \38\ requiring that CMRs be 
established, as necessary, to prevent catastrophic and hazardous 
failure conditions, and occasionally, major failure conditions, 
described in Sec.  25.1309(b). The CMR requirement was proposed in 
Sec.  25.1309(d) in the NPRM. The ``as necessary'' qualifier was added 
in the final rule to clarify that the FAA does not require CMRs for all 
failure conditions. Section 25.1309(e) also will require these CMRs to 
be contained in the ALS of the ICA required by Sec.  25.1529. This 
latter requirement is an industry recommendation via the SE-172 
Taskforce to the Commercial Aviation Safety Team (CAST) \39\ and 
responds to the Taskforce's recognition that CMRs are critical to 
safety and should have treatment similar to other Airworthiness 
Limitations.
---------------------------------------------------------------------------

    \38\ The NPRM Sec.  25.1309(e) specified that the flight control 
jam conditions addressed by Sec.  25.671(c) do not apply to Sec.  
25.1309(b)(1)(ii). This exclusion is now in the introductory 
paragraph of Sec.  25.1309.
    \39\ skybrary.aero/sites/default/files/bookshelf/2553.pdf.
---------------------------------------------------------------------------

    Both of these requirements will codify industry practice and will 
harmonize with CS 25.1309 and H25.4, so industry will incur no 
additional costs. The rule is cost-beneficial from reduced costs of 
joint harmonization.\40\
---------------------------------------------------------------------------

    \40\ EASA. Certification Specifications and Acceptable Means of 
Compliance for Large Aeroplanes (CS-25), Amendment 20, 25 August 
2017.

---------------------------------------------------------------------------

[[Page 68726]]

vii. Section 25.1309(f) (Removed)
    The FAA has removed paragraph (f) from Sec.  25.1309 and paragraph 
(b) from Sec.  25.1301. Section 25.1301(b) requires that the airplane's 
EWIS meet the requirements of subpart H of 14 CFR part 25. Subpart H 
was created (at amendment 25-123, in 2007) as the single place for the 
majority of wiring certification requirements. The references in 
Sec. Sec.  25.1301(b) and 25.1309(f) are redundant and unnecessary 
because subpart H specifies their applicability. The NPRM Sec.  
25.1301(f) was used to specify exceptions to Sec.  25.1309(b), which 
are now provided in the introduction of Sec.  25.1309.
b. Section 25.629 Aeroelasticity Stability Requirements
    The FAA is revising Sec.  25.629(a) to add wording to clarify that 
the aeroelastic evaluation must include any condition of operation 
within the maneuvering envelope. This is current industry practice 
because such conditions are allowed operational conditions and, 
therefore, need to be free from aeroelastic instabilities. Also, this 
requirement is stated explicitly for part 23 airplanes in 14 CFR part 
23 and CS-23. The FAA is also revising Sec.  25.629(a) to consistently 
use the singular term ``evaluation'' where it appears in order to 
prevent confusion.
    Section 25.671(c)(2) currently specifies examples of failure 
combinations that require evaluation, including dual electrical and 
dual hydraulic system failures and any single failure combined with any 
probable hydraulic or electrical failure. Section 25.629(d)(9) 
currently requires that the airplane be shown to be free from flutter 
considering various failure conditions considered under Sec.  25.671, 
which include the example failure conditions specified in Sec.  
25.671(c)(2). These examples are being removed from current Sec.  
25.671(c)(2). These failure conditions, however, have provided an 
important design standard for dual actuators on flight control surfaces 
that rely on retention of restraint stiffness or damping for flutter 
prevention. Therefore, the FAA relocates these examples to the 
aeroelastic stability requirements of Sec.  25.629(d) and made changes 
to the paragraph numbers to correspond with EASA's rule, as requested 
by commenters. These changes are cost-beneficial owing to complete 
harmonization with the corresponding CS 25.629 provision.
    The NPRM also proposed a change to Sec.  25.629(b) that would 
require that design conditions include the range of load factors 
specified in Sec.  25.333. Commenters objected that the proposed change 
was an expansion of the traditional scope of Sec.  25.629, and it 
disharmonized with EASA requirements. The FAA agreed to remove the 
proposed change to Sec.  25.629(b), substituting an alternative change 
in Sec.  25.629(a), clarifying that aeroelastic evaluation must include 
any condition of operation within the maneuvering envelope. This 
revision has no cost as it is clarifying and is current industry 
practice.
c. Section 25.671 General (Control Systems)
i. Section 25.671(a), (d), (e), and (f) (Control Systems)
    The substantive revisions to these requirements are the new 
criteria in the second sentence of Sec.  25.671(a); the addition of the 
phrase, ``and an approach and flare to a landing and controlled stop, 
and flare to a ditching, is possible'' in Sec.  25.671(d); and the new 
requirements in Sec.  25.671(e) and (f). The modification to Sec.  
25.671(d) clarifies that controllability when all engines fail includes 
the capability to approach and flare to a landing and controlled stop, 
and flare to a ditching, and harmonizes with CS 25.671(d). In the NPRM, 
Sec.  25.671(d) includes the sentence: ``The applicant may show 
compliance with this requirement by analysis where the applicant has 
shown that analysis to be reliable.'' This sentence is not included in 
the final rule as it describes an acceptable means of compliance, which 
is adequately covered in the corresponding guidance.
    The new paragraph (e) of Sec.  25.671 requires that the airplane be 
designed to indicate to the flightcrew whenever the primary control 
means are near the limit of control authority. On airplanes equipped 
with fly-by-wire control systems, there is no direct tactile link 
between the flightdeck control and the control surface, and the 
flightcrew may not be aware of the actual control surface position. If 
the control surface is near the limit of control authority, and the 
flightcrew is unaware of that position, it could negatively affect the 
flightcrew's ability to control the airplane in the event of an 
emergency. The airplane could meet this requirement through natural or 
artificial control feel forces, by cockpit control movement if shown to 
be effective, or by flightcrew alerting that complies with Sec.  
25.1322.
    The new paragraph (f) of Sec.  25.671 requires that appropriate 
flight crew alerting be provided if the flight control system has 
multiple modes of operation whenever the airplane enters any mode that 
significantly changes or degrades the normal handling or operational 
characteristics of the airplane. On some flight control system designs, 
there may be sub-modes of operation that change or degrade the normal 
handling or operational characteristics of the airplane. Similar to 
control surface awareness, the flightcrew should be made aware if the 
airplane is operating in such a sub-mode. Aside from the one change 
already noted, there are no substantial changes to Sec.  25.671(a), 
(d), (e), and (f) in the final rule compared to the NPRM.
    Manufacturers face little or no additional cost from these 
provisions because they are already required by CS 25.671 in language 
that exactly matches Sec.  25.671 in language structure and closely 
matches Sec.  25.671 in the language itself. Therefore, there is no 
additional cost resulting from these provisions. Moreover, since 
industry has been meeting the new criteria in Sec.  25.671(a), (e), and 
(f) under special conditions since the early 1980s, the FAA believes 
that industry now accepts Sec.  25.671(a), (e), and (f) as necessary 
low-cost actions. Again, there is no additional cost. For this reason, 
the FCHWG recommended these new criteria with little debate.
ii. Section 25.671(b) (Minimize Probability of Incorrect Assembly)
    Section 25.671(b) is revised to allow distinctive and permanent 
marking for flight control systems to minimize the probability of 
incorrect assembly only when design means are impractical. Aside from 
minor language changes, there are no changes to this provision in the 
final rule relative to the NPRM. It is expert consensus that the 
physical prevention of misassembly by design is safer than reliance on 
marking, which can be overlooked or ignored. Although not flight 
control related, fuel tank access doors provide an example. Since these 
doors are required to have greater strength because of the location, 
fuel tank access door systems are designed so that other doors will not 
securely fit in the fuel tank access door openings.
    Since distinctive and permanent marking to minimize the probability 
of incorrect assembly is disallowed only when design means are 
practical, the expected gain in safety benefits from the reduced 
probability of incorrect assembly is greater than the costs of the rule 
revision.
    Accordingly, the FAA finds this provision to be cost-beneficial. 
The FAA

[[Page 68727]]

requested comments on this finding and received none. In any case, 
manufacturers face no additional cost because Sec.  25.671(b) closely 
aligns with CS 25.671(b) with which they must already comply.
iii. Section 25.671(c) (Flight Control Jams)
    For flight controls, revised Sec.  25.671(c) is analogous to Sec.  
25.1309(b) in having requirements for the single failure (Sec.  
25.671(c)(1)), the combinational failure (Sec.  25.671(c)(2)), and 
specific risk (Sec.  25.671(c)(3)). Sections 25.671(c)(1) and (c)(2) 
have some language changes, but the intent of each provision is 
unchanged from the current rule. The NPRM proposed to remove Sec.  
25.671(c)(1) and (c)(2) because all single and combinational failures 
are covered by the foundational Sec.  25.1309. However, the FAA agrees 
with commenters that Sec.  25.671(c)(1) and (c)(2) should be retained 
because removal would disharmonize with EASA's corresponding 
requirements and because different means of compliance are normally 
used for Sec.  25.671(c) and Sec.  25.1309(b). Accordingly, paragraphs 
(c)(1) and (c)(2) of current Sec.  25.671 are retained in the final 
rule. Section 25.671(c)(3) is revised as follows:
    (1) In Sec.  25.671(c)(3), the FAA clarifies that the provision 
applies only to jams due to a physical interference (e.g., foreign or 
loose object, system icing, corroded bearings). All other failures or 
events that result in either a control surface, pilot control, or 
component being fixed in position are addressed under Sec.  
25.671(c)(1) and (c)(2) and Sec.  25.302 where applicable.
    (2) Section 25.671(c)(3) no longer addresses a runaway of a flight 
control surface and subsequent jam. A failure that results in 
uncommanded control surface movement is addressed by Sec.  25.671(c)(1) 
and (c)(2).
    (3) Section 25.671(c)(3)(iii) is a new requirement specifying that 
given a jam, the combined probability is 1/1000 or less that any 
additional failure conditions could prevent continued safe flight and 
landing. This requirement is to ensure adequate reliability of any 
system necessary to alleviate the jam when it occurs. This specific 
risk requirement is analogous to the 1/1000 latent specific risk 
requirement for potential catastrophic single latent failure plus one 
(CSL+1) failure conditions discussed above for Sec.  25.1309(b)(5), 
which is required to ensure a safety margin in the event of an active 
failure.
    (4) While current Sec.  25.671(c)(3) allows the use of probability 
analysis, applicants have generally been unable to demonstrate that 
jamming conditions are ``extremely improbable,'' except for conditions 
that occur during a very limited time just prior to landing. Because of 
this issue with probability assessment for jams, the FAA has revised 
Sec.  25.671(c)(3) to require that the manufacturer's safety 
assessments assume that jamming conditions will occur--probability set 
equal to one--when showing that the airplane is capable of continued 
safe flight and landing. For the same reason, the jamming conditions of 
Sec.  25.671(c)(3) are excluded from the probability requirements of 
Sec.  25.1309(b).
    The assumption that the jam will occur--and that the airplane will 
be able to withstand it--does not apply to jamming conditions that 
occur immediately before touchdown if the risk of a jam is minimized to 
the extent practical. For jams that occur just before landing, some 
amount of time and altitude is necessary in order to recover, and there 
is no practical means by which a recovery can be demonstrated. Hence 
the requirement that the risk of a jam be minimized to the extent 
practical. (This is a change from the NPRM where the requirement was 
that the applicant show that such jams are extremely improbable.) This 
change creates a difference in the language of Sec.  25.671(c)(3)(ii) 
and CS 25.671(3)(ii) because EASA does not have this exception in its 
rule.
    In its Acceptable Means of Compliance (AMC) Sec.  25.671, however, 
EASA states that, ``if continued safe flight and landing cannot be 
demonstrated, perform a qualitative assessment of the design, relative 
to jam prevention and jam alleviation means, to show that all practical 
precautions have been taken . . . .'' Consequently, the FAA expects the 
difference between Sec.  25.671(c)(3)(ii) and CS 25.671(c)(3)(ii) to 
have no effect in practice. There are no additional substantial 
differences between the final rule and the NPRM with respect to Sec.  
25.671(c)(3).
    Section 25.671 has changed from the NPRM to the point where it is 
almost perfectly aligned in structure and intent, and closely aligned 
in text language, with CS 25.671. Section 25.671 is now so closely 
aligned that there is no additional cost from the FAA provision because 
manufacturers already have to meet the EASA provision. Moreover, as 
already noted, industry has been meeting the new criteria in Sec.  
25.671(a), (e), and (f) under special conditions since the early 1980s. 
Because of that experience, the FAA believes that manufacturers now 
accept these special conditions as the low-cost necessary actions. 
Again, there is no additional cost. Finally, the FAA believes that 
Sec.  25.671(c)(3) is already accepted as the low-cost industry 
practice as it has been used by many manufacturers under a voluntary 
ELOS.
d. Section 25.901 Installation (Powerplants)
    The revision to Sec.  25.901(c) moves basic systems safety criteria 
to Sec.  25.1309 and is finalized as proposed. In so doing, Sec.  
25.901(c) clarifies that Sec.  25.1309 applies to powerplant (engine) 
installations, as it does for all airplane systems. Accordingly, the 
current provision in Sec.  25.901(c) prohibiting catastrophic single 
failures or probable combinations of failures is removed. Design 
requirements do not change as a result of this revision to the rule.
    There are no substantial changes in the final rule compared to the 
NPRM. The revision exactly harmonizes the structure and very closely 
harmonizes the text of Sec.  25.901(c) with EASA's corresponding CS 
25.901(c). Accordingly, the revision is cost-beneficial as it provides 
reduced costs from joint harmonization since manufacturers already must 
already comply with CS 25.901(c). The FAA asked for comments on this 
finding in the NPRM and received none.
e. Section 25.933 Reversing Systems (Controllability and Reliability 
Options)
    In the event of an inadvertent activation of the thrust reverser 
during flight, current Sec.  25.933(a) requires that the airplane be 
capable of ``continued flight and landing.'' The service history of 
airplanes certified under the current rule--most prominently, the 
aforementioned catastrophic Lauda Air accident in Thailand--has 
demonstrated that the intent of this ``fail-safe'' requirement had not 
been achieved. As discussed in the section on Sec.  25.1309(b)(5) 
above, the catastrophic failure condition that caused the Lauda Air 
accident was corrected by adding redundancy to convert a dual failure 
condition to a triple failure condition. This revision to Sec.  
25.933(a) further addresses the thrust reverser issue with a revised 
Sec.  25.933(a)(1)(i) that retains ``controllability'' from the current 
rule as an option, but also revises Sec.  25.933(a)(1)(ii) to provide 
an additional ``reliability'' option using the requirements of Sec.  
25.1309(b).\41\ The

[[Page 68728]]

reliability option recognizes that Sec.  25.1309 applies to all 
systems. There are no substantial differences between the final rule 
and the NPRM with respect to Sec.  25.933(a).
---------------------------------------------------------------------------

    \41\ It should be noted that the controllability option would 
still require compliance with Sec.  25.1309. But when an applicant 
demonstrates compliance using the controllability option, that 
ensures that an unwanted thrust reversal in flight would be 
classified at worst as a ``major'' failure, thereby making 
compliance with Sec.  25.1309(b) much easier.
---------------------------------------------------------------------------

    The final rule (and NPRM) for Sec.  25.933(a) is in close harmony 
with the corresponding CS 25.933(a) as it is identical in rule 
structure and intent. Accordingly, there is no additional cost to this 
rule as manufacturers already have to comply with CS 25.933(a). 
Moreover, Sec.  25.933(a) is cost-beneficial as it allows flexibility 
in design development, enabling manufacturers to achieve the intended 
level of safety in the most cost-effective manner.
f. Section 25.302 Interaction of Systems and Structures
    There are many technical differences between the NPRM and the final 
rule. Nine major commenters, including Boeing and Airbus, asked the FAA 
to harmonize with EASA CS 25.302, even to the extent of using the same 
language and paragraph numbering. Commenters noted that CS 25.302 
matches the FAA Interaction of Systems and Structures special condition 
that has been used for many years. Commenters stated that the 
differences between FAA and EASA requirements would create a 
substantial certification burden. The FAA agrees with the commenters 
and, except where discussed below, has agreed to match the language and 
structure of EASA's rule to the extent possible.
i. Section 25.302(b) System Fully Operative
    The applicant must derive limit loads \42\ for the limit conditions 
specified in subpart C, taking into account the behavior of the system 
up to the limit loads. The applicant must show that the airplane meets 
the strength requirements of subparts C and D, using the appropriate 
factor of safety to derive ultimate loads from these limit loads. 
Section 25.302(b) is less verbose than the corresponding EASA text but 
uses some of the same language and has the same intent as EASA's 
version. Since Sec.  25.302(b) harmonizes with EASA CS 25.302(b), there 
are no incremental costs from paragraph (b), and the provision is cost-
beneficial because of joint harmonization.
---------------------------------------------------------------------------

    \42\ Design loads are typically expressed in terms of limit 
loads, which are then multiplied by a factor of safety, usually 1.5, 
to determine ultimate loads.
---------------------------------------------------------------------------

ii. Section 25.302(c) System in the Failure Condition
    This section applies for any failure condition not shown to be 
extremely improbable or that results from a single failure. CS 
25.302(c) requires the evaluation of any system failure condition not 
shown to be extremely improbable but does not explicitly mention single 
failures. Nevertheless, evaluation of single failures would be required 
when evaluating CS 25.302. This is because single failures cannot be 
shown by a probability analysis to be extremely improbable. As noted in 
AC 25.1309-1A, dated June 21, 1988, ``In general, a failure condition 
resulting from a single failure mode of a device cannot be accepted as 
being extremely improbable.'' Extremely improbable failure conditions 
are those having an average probability per flight hour of 1 x 
10-9 or less. The FAA would not accept a probability 
analysis showing a single failure to be extremely improbable because 
such an estimation would not be considered reliable. An unreliable 
estimate could inadvertently result in a level of risk that was unsafe 
and not justified by any cost savings obtained. Accordingly, the FAA 
finds to be cost-beneficial the requirement of Sec.  25.302(c) to 
evaluate any system failure condition resulting from a single failure.
    At the time of occurrence, the applicant must determine the loads 
occurring at the time of failure and immediately after failure. For 
static strength substantiation, the airplane must be able to withstand 
the ultimate loads determined by multiplying the loads by a factor of 
safety related to the probability that the failure occurs. The factor 
of safety (F.S.) is shown in Figure 1.
[GRAPHIC] [TIFF OMITTED] TR27AU24.000

    Figure 1 shows the factor of safety to be constant at 1.5 between a 
probability of failure of 1.0 and 10-5, and between 
10-5 and 10-9 declines linearly from 1.5 to 1.25 
as Pj goes from 10-5 to 10-9, where Pj is the 
probability of failure. The factor of safety is not allowed to be below 
1.5 at high probabilities of failure (>10-5). For low 
probabilities of failure (<10-5), the F.S. falls as the 
probability of failure falls but is not allowed to be less than 1.25 as 
the probability of

[[Page 68729]]

failure falls towards extreme improbability at 10-9. Note 
that the probability of failure axis is in logarithmic scale. In the 
NPRM, this figure was not used as the FAA kept the factor of safety at 
1.5 regardless of the probability of failure. In the final rule, this 
provision is cost-relieving relative to the NPRM because the FAA is now 
harmonizing with the less stringent EASA provision.
    For residual strength substantiation, the airplane must be able to 
withstand two-thirds of the ultimate loads. Residual strength is the 
strength that remains as the airplane structure deteriorates over time, 
so this test requires a prediction of that deterioration.
    Failures of the system that result in forced structural vibrations 
(oscillatory failures) must not produce loads that could result in 
detrimental deformation of primary structure. A forced structural 
vibration or oscillatory failure occurs when an oscillating system is 
driven by a periodic force that is external to the system.
    For the continuation of the flight, loads are determined for a 
limited set of conditions, as noted in Sec.  25.302(c)(2)(i). Section 
25.302(c)(2)(i)(F) is an additional rule provision not in CS 25.302. 
This provision requires that if any system is installed or tailored to 
reduce the loads of a part 25 load condition, then that load condition 
must also be evaluated. This provision is necessary to account for any 
such systems as their failure will increase loads. The FAA believes 
this is a low-cost provision, having been applied in only a few cases 
over many years.
    For static strength substantiation, the structure must be able to 
withstand the loads determined in Sec.  25.302(c)(2)(i) multiplied by a 
factor of safety, as shown in Figure 2.
[GRAPHIC] [TIFF OMITTED] TR27AU24.001

Qj = (Tj)(Pj) where:

Tj = Average time spent in failure condition j (in hours)
Pj = Probability of occurrence of failure mode j (per hour)

    Figure 2 shows the factor of safety falls linearly from 1.5 to 1.0 
as Qj declines from 1 to 10-5, and the factor of safety is 
constant at 1.0 between 10-5 and 10-9, where Qj = 
(Tj)(Pj), where Tj is the average time in the failure condition (in 
hours), and Pj is the probability of failure (per hour) or failure 
rate. So Qj is the (average) cumulative probability of failure. In 
contrast to the F.S. at the time of failure occurrence (Figure 1), the 
F.S. for continuation of flight (Figure 2) is allowed to fall 
immediately below 1.5 as failure probability falls from the highest 
probability of 1, and in contrast to the minimum F.S. of 1.25 for 
Figure 1, the Figure 2 safety margin is allowed to fall to 1.0 at 
10-5, where it remains as the probability of failure falls 
to extreme improbability at 10-9. As with Figure 1, note 
that the Figure 2 probability of failure axis is in logarithmic scale.
    In the NPRM, this figure was not used as the FAA did not vary the 
factor of safety with the probability of system failure. The NPRM 
provision was less stringent than the final rule in reducing the factor 
of safety to 1.0 if the failure was annunciated. However, the NPRM 
provision applied to all load conditions in subpart C, whereas in the 
final rule, the provision applies to the limited set of subpart C load 
conditions specified in Sec.  25.302(c)(2)(i) so that, overall, in 
harmonizing with EASA, final rule provision is cost-relieving relative 
to the NPRM.
    For residual strength substantiation, the airplane must be able to 
withstand two-thirds of the ultimate loads. If the loads induced by the 
failure condition have a significant effect on fatigue or damage 
tolerance, then their effects must be taken into account. A failure 
condition has a ``significant'' effect on fatigue or damage tolerance 
if it would result in a change to inspection thresholds, inspection 
intervals, or life limits. Unlike EASA's rule, Sec.  25.302(c) does not 
include aeroelasticity stability requirements. Both CS 25.302 and CS 
25.629 specify flutter speed margins for failure conditions. In CS 
25.629, for the group of failures covered by CS 25.302, the margins are 
based on the probability of the condition's occurrence, whereas, for 
the remaining failure conditions, a single speed margin is defined, 
similar to Sec.  25.629, regardless of probability. The FAA believes 
the current speed margins specified in Sec.  25.629 are adequate, and 
there is no need for more specific failure criteria based on 
probability of occurrence and speed margins. The current speed margin 
specified in Sec.  25.629, which has been in place since amendment 25-0 
of 14 CFR part 25, has proven effective in service. For that reason, 
non-provision has little impact.
Summary of Cost-Benefit Analysis for Sec.  25.302(c)
    The FAA finds that Sec.  25.302(c) harmonizes very closely in 
structure with CS 25.302(c) and closely in rule

[[Page 68730]]

language, aside from the single failure requirement, the additional 
load provision of Sec.  25.302(c)(2)(i)(F), and the lack of 
aeroelasticity stability requirements in Sec.  25.302(c). Because of 
this close harmonization, there is little or no additional cost to that 
required by EASA certification. Moreover, because of the imposition of 
the FAA's Interaction of Systems and Structures special conditions for 
more than twenty years, the FAA believes that industry is so well-
adapted to the special conditions that it is now the industry's low-
cost necessary action. Thus, no change is implied by the rule, and, 
therefore, there is little or no additional cost. The provision is 
cost-beneficial owing to cost savings from joint harmonization.
iii. Section 25.302(d) Failure Indications
    Section 25.302(d) requires that the system be checked for failure 
conditions discussed in Sec.  25.302(c)(2), for example, using a CMR 
procedure. As far as practicable, the flightcrew must be made aware of 
these failures before flight. Manufacturers are allowed relief in the 
F.S. requirement shown in Figure 2, as in Sec.  25.302(c)(2). However, 
any failure condition, not extremely improbable, that results in an 
F.S. below 1.25 in Figure 2 must be alerted to the crew. This latter 
requirement sounds contradictory since it means the flightcrew must be 
alerted when the probability of failure is low enough for the safety 
factor to be less than 1.25. It appears alerting the flightcrew is 
substituted for a higher factor of safety. A manufacturer finding 
alerting the flightcrew too onerous can reverse the substitution by 
having a higher factor of safety.
    The language of this paragraph closely matches that of CS 
25.302(d), except for some additional verbiage that does not change the 
intent. For the same reasons given for paragraph (c) of Sec.  25.302, 
there is no additional cost from this provision, and the provision is 
cost-beneficial owing to the cost savings from joint harmonization.
iv. Section 25.302(e) Dispatch With Known Failure Conditions
    The applicant forecasts the probability of the failure condition 
(``at the time of occurrence'' in Sec.  25.302(c)) and how many days 
the airplane will be in that dispatch configuration. That probability 
is then combined with the probability of subsequent failures to 
calculate Qj, the probability of being in the dispatched condition, and 
the subsequent failure condition. Qj is then used in Figure 2 to 
establish the required safety margins, the same safety margin relief 
allowed in Sec.  25.302(c)(2) and in Sec.  25.302(d).
    The FAA excludes one sentence related to dispatch limitations from 
Sec.  25.302(e) that is in CS 25.302 because its intent and application 
are unclear. Otherwise, Sec.  25.302(e) closely harmonizes with CS 
25.302. The FAA special conditions and the corresponding CS 25.302 have 
provided an adequate service record. For the same reasons given for 
paragraphs (c) and (d) of Sec.  25.302, there is no additional cost 
from this provision, and the provision is cost-beneficial owing to the 
reduced costs from joint harmonization.

B. Regulatory Flexibility Determination

    The Regulatory Flexibility Act (RFA) of 1980, Public Law 96-354, 94 
Stat. 1164 (5 U.S.C. 601-612), as amended by the Small Business 
Regulatory Enforcement Fairness Act of 1996 (Pub. L. 104-121, 110 Stat. 
857, Mar. 29, 1996) and the Small Business Jobs Act of 2010 (Pub. L. 
111-240, 124 Stat. 2504 Sept. 27, 2010), requires Federal agencies to 
consider the effects of the regulatory action on small business and 
other small entities and to minimize any significant economic impact. 
The term ``small entities'' comprises small businesses and not-for-
profit organizations that are independently owned and operated and are 
not dominant in their fields, and governmental jurisdictions with 
populations of less than 50,000.
    Garmin commented on the NPRM that the cost-benefit analysis does 
not consider the impact on ATC or STC projects that would be considered 
significant under Sec.  21.101, the Changed Product Rule. In addition, 
MARPA requested that the FAA clarify the applicability of the SSA rule 
to PMA applicants and STC applicants. If the SSA rule is applicable to 
PMA and STC applicants, MARPA requested that the FAA adjust the cost-
benefit analysis accordingly, complete a Regulatory Flexibility Act 
analysis, and make the revised cost-benefit analysis and Regulatory 
Flexibility Act analysis available for comment in a supplemental NPRM.
    This final rule updates the cost-benefit analysis to take account 
of the fact that the final rule closely harmonizes with the 
corresponding EASA rule. Since U.S. manufacturers already are required 
to meet the EASA requirements, the closely harmonized provisions of the 
final rule impose no or minimal costs. In future STC or ATC projects 
where the design change is determined under the Changed Product Rule to 
be a significant product level change, the Changed Product rule will 
then require that the certification basis of those projects be updated. 
The cost-benefit analysis for the Changed Product Rule, however, has 
determined that the required updated certification basis for such 
projects is cost-beneficial. PMAs (replacement articles) are managed in 
accordance with Subpart K to part 21. The final rule will apply only at 
that time in the future when a PMA (or non-significant STC) applicant 
seeks to modify a product that already has the final rule in its 
certification basis. Accordingly, the FAA finds that neither a 
Regulatory Flexibility Act analysis nor a supplemental NPRM is 
required.
    If an agency determines that a rulemaking will not result in a 
significant economic impact on a substantial number of small entities, 
the head of the agency may so certify under section 605(b) of the RFA. 
Since there are no or minimal additional costs to this final rule, the 
FAA certifies that the final rule will not have a significant economic 
impact on a substantial number of small entities.

C. International Trade Impact Assessment

    The Trade Agreements Act of 1979 (Pub. L. 96-39), as amended by the 
Uruguay Round Agreements Act (Pub. L. 103-465), prohibits Federal 
agencies from establishing standards or engaging in related activities 
that create unnecessary obstacles to the foreign commerce of the United 
States. Pursuant to these Acts, the establishment of standards is not 
considered an unnecessary obstacle to the foreign commerce of the 
United States, so long as the standard has a legitimate domestic 
objective, such as the protection of safety and does not operate in a 
manner that excludes imports that meet this objective. The statute also 
requires consideration of international standards and, where 
appropriate, that they be the basis for U.S. standards.
    The FAA has assessed the potential effect of this final rule and 
determined that its purpose is to ensure the safety of U.S. civil 
aviation. Therefore, this final rule is in compliance with the Trade 
Agreements Act.

D. Unfunded Mandates Assessment

    The Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531-1538) 
governs the issuance of Federal regulations that require unfunded 
mandates. An unfunded mandate is a regulation that requires a State, 
local, or tribal government or the private sector to incur direct costs 
without the Federal government having first provided the funds to pay 
those costs. The FAA

[[Page 68731]]

determined that the proposed rule will not result in the expenditure of 
$183 million or more by State, local, or tribal governments, in the 
aggregate, or the private sector, in any one year.

E. Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires 
that the FAA consider the impact of paperwork and other information 
collection burdens imposed on the public. The FAA has determined that 
there is no new requirement for information collection associated with 
this final rule.

F. International Compatibility

    In keeping with U.S. obligations under the Convention on 
International Civil Aviation, it is FAA policy to conform to 
International Civil Aviation Organization (ICAO) Standards and 
Recommended Practices to the maximum extent practicable. The FAA has 
determined that there are no ICAO Standards and Recommended Practices 
that correspond to these regulations.

G. Environmental Analysis

    FAA Order 1050.1F identifies FAA actions that are categorically 
excluded from preparation of an environmental assessment or 
environmental impact statement under the National Environmental Policy 
Act (NEPA) in the absence of extraordinary circumstances. The FAA has 
determined this rulemaking action qualifies for the categorical 
exclusion identified in paragraph 5-6.6 for regulations and involves no 
extraordinary circumstances.

VII. Executive Order Determinations

A. Executive Order 13132, Federalism

    The FAA has analyzed this final rule under the principles and 
criteria of Executive Order (E.O.) 13132, Federalism (64 FR 43255, 
August 10, 1999). The FAA has determined that this action will not have 
a substantial direct effect on the States, or the relationship between 
the Federal Government and the States, or on the distribution of power 
and responsibilities among the various levels of government, and, 
therefore, will not have federalism implications.

B. Executive Order 13175, Consultation and Coordination With Indian 
Tribal Governments

    Consistent with Executive Order 13175, Consultation and 
Coordination with Indian Tribal Governments,\43\ and FAA Order 1210.20, 
American Indian and Alaska Native Tribal Consultation Policy and 
Procedures,\44\ the FAA ensures that Federally Recognized Tribes 
(Tribes) are given the opportunity to provide meaningful and timely 
input regarding proposed Federal actions that have the potential to 
have substantial direct effects on one or more Indian tribes, on the 
relationship between the Federal government and Indian tribes, or on 
the distribution of power and responsibilities between the Federal 
government and Indian tribes; or to affect uniquely or significantly 
their respective Tribes. At this point, the FAA has not identified any 
unique or significant effects, environmental or otherwise, on tribes 
resulting from this final rule.
---------------------------------------------------------------------------

    \43\ 65 FR 67249 (Nov. 6, 2000).
    \44\ FAA Order No. 1210.20 (Jan. 28, 2004), available at 
www.faa.gov/documentLibrary/media/1210.pdf.
---------------------------------------------------------------------------

C. Executive Order 13211, Regulations That Significantly Affect Energy 
Supply, Distribution, or Use

    The FAA analyzed this final rule under E.O. 13211, Actions 
Concerning Regulations that Significantly Affect Energy Supply, 
Distribution, or Use (66 FR 28355, May 18, 2001). The FAA has 
determined that it is not a ``significant energy action'' under the 
executive order and is not likely to have a significant adverse effect 
on the supply, distribution, or use of energy.

D. Executive Order 13609, Promoting International Regulatory 
Cooperation

    Executive Order 13609, Promoting International Regulatory 
Cooperation, promotes international regulatory cooperation to meet 
shared challenges involving health, safety, labor, security, 
environmental, and other issues and to reduce, eliminate, or prevent 
unnecessary differences in regulatory requirements. The FAA has 
analyzed this action under the policies and agency responsibilities of 
Executive Order 13609 and has determined that this action will have no 
effect on international regulatory cooperation.
    In January of 2020, EASA published CS-25 amendment 24, which bore 
many similarities to the proposals in the NPRM, including added 
criteria for latent failures in CS 25.1309. This final rule harmonizes 
FAA requirements with EASA's requirements to the extent possible.

VIII. Additional Information

A. Electronic Access and Filing

    A copy of the NPRM, all comments received, this final rule, and all 
background material may be viewed online at www.regulations.gov using 
the docket number listed above. A copy of this final rule will be 
placed in the docket. Electronic retrieval help and guidelines are 
available on the website. It is available 24 hours each day, 365 days 
each year. An electronic copy of this document may also be downloaded 
from the Office of the Federal Register's website at 
www.federalregister.gov and the Government Publishing Office's website 
at www.govinfo.gov. A copy may also be found at the FAA's Regulations 
and Policies website at www.faa.gov/regulations_policies.
    Copies may also be obtained by sending a request to the Federal 
Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence 
Avenue SW, Washington, DC 20591, or by calling (202) 267-9677. 
Commenters must identify the docket or notice number of this 
rulemaking.
    All documents the FAA considered in developing this final rule, 
including economic analyses and technical reports, may be accessed in 
the electronic docket for this rulemaking.

B. Small Business Regulatory Enforcement Fairness Act

    The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 
1996 requires the FAA to comply with small entity requests for 
information or advice about compliance with statutes and regulations 
within its jurisdiction. A small entity with questions regarding this 
document may contact its local FAA official, or the person listed under 
the FOR FURTHER INFORMATION CONTACT heading at the beginning of the 
preamble. To find out more about SBREFA on the internet, visit 
www.faa.gov/regulations_policies/rulemaking/sbre_act/.

List of Subjects in 14 CFR Part 25

    Aircraft, Aviation safety, Life-limited parts, Reporting and 
recordkeeping requirements.

The Amendment

    In consideration of the foregoing, the Federal Aviation 
Administration amends chapter I of title 14, Code of Federal 
Regulations as follows:

PART 25--AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES

0
1. The authority citation for part 25 continues to read as follows:

    Authority:  49 U.S.C. 106(f), 106(g), 40113, 44701, 44702 and 
44704.

0
2. Add Sec.  25.4 to read as follows:

[[Page 68732]]

Sec.  25.4  Definitions.

    (a) For the purposes of this part, the following general 
definitions apply:
    (1) Certification maintenance requirement means a required 
scheduled maintenance task established during the design certification 
of the airplane systems as an airworthiness limitation of the type 
certificate or supplemental type certificate.
    (2) Significant latent failure is a latent failure that, in 
combination with one or more specific failures or events, would result 
in a hazardous or catastrophic failure condition.
    (b) For purposes of this part, the following failure conditions, in 
order of increasing severity, apply:
    (1) Major failure condition means a failure condition that would 
reduce the capability of the airplane or the ability of the flightcrew 
to cope with adverse operating conditions, to the extent that there 
would be--
    (i) A significant reduction in safety margins or functional 
capabilities,
    (ii) A physical discomfort or a significant increase in flightcrew 
workload or in conditions impairing the efficiency of the flightcrew,
    (iii) Physical distress to passengers or cabin crew, possibly 
including injuries, or
    (iv) An effect of similar severity.
    (2) Hazardous failure condition means a failure condition that 
would reduce the capability of the airplane or the ability of the 
flightcrew to cope with adverse operating conditions, to the extent 
that there would be--
    (i) A large reduction in safety margins or functional capabilities,
    (ii) Physical distress or excessive workload such that the 
flightcrew cannot be relied upon to perform their tasks accurately or 
completely, or
    (iii) Serious or fatal injuries to a relatively small number of 
persons other than the flightcrew.
    (3) Catastrophic failure condition means a failure condition that 
would result in multiple fatalities, usually with the loss of the 
airplane.
    (c) For purposes of this part, the following failure conditions in 
order of decreasing probability apply:
    (1) Probable failure condition means a failure condition that is 
anticipated to occur one or more times during the entire operational 
life of each airplane of a given type.
    (2) Remote failure condition means a failure condition that is not 
anticipated to occur to each airplane of a given type during its entire 
operational life, but which may occur several times during the total 
operational life of a number of airplanes of a given type.
    (3) Extremely remote failure condition means a failure condition 
that is not anticipated to occur to each airplane of a given type 
during its entire operational life, but which may occur a few times 
during the total operational life of all airplanes of a given type.
    (4) Extremely improbable failure condition means a failure 
condition that is not anticipated to occur during the total operational 
life of all airplanes of a given type.

0
3. Add Sec.  25.302 to read as follows:


Sec.  25.302  Interaction of systems and structures.

    For airplanes equipped with systems that affect structural 
performance, either directly or as a result of a failure or 
malfunction, the influence of these systems and their failure 
conditions must be taken into account when showing compliance with the 
requirements of subparts C and D of this part. These criteria are only 
applicable to structure whose failure could prevent continued safe 
flight and landing.
    (a) General. The applicant must use the following criteria in 
determining the influence of a system and its failure conditions on the 
airplane structure.
    (b) System fully operative. With the system fully operative, the 
following criteria apply:
    (1) The applicant must derive limit loads for the limit conditions 
specified in subpart C of this part, taking into account the behavior 
of the system up to the limit loads. System nonlinearities must be 
taken into account.
    (2) The applicant must show that the airplane meets the strength 
requirements of subparts C and D of this part, using the appropriate 
factor of safety to derive ultimate loads from the limit loads defined 
in paragraph (b)(1) of this section. The effect of nonlinearities must 
be investigated sufficiently beyond limit conditions to ensure the 
behavior of the system presents no detrimental effects compared to the 
behavior below limit conditions. However, conditions beyond limit 
conditions need not be considered when it can be shown that the 
airplane has design features that will not allow it to exceed those 
limit conditions.
    (3) Reserved.
    (c) System in the failure condition. For any system failure 
condition not shown to be extremely improbable or that results from a 
single failure, the following criteria apply:
    (1) At the time of occurrence. The applicant must establish a 
realistic scenario, starting from 1g level flight conditions, and 
including pilot corrective actions, to determine the loads occurring at 
the time of failure and immediately after failure.
    (i) For static strength substantiation, the airplane must be able 
to withstand the ultimate loads determined by multiplying the loads in 
paragraph (c)(1) of this section by a factor of safety that is related 
to the probability of occurrence of the failure. The factor of safety 
(F.S.) is defined in Figure 1.

Figure 1 to paragraph (c)(1)(i)

[[Page 68733]]

[GRAPHIC] [TIFF OMITTED] TR27AU24.002

    (ii) For residual strength substantiation, the airplane must be 
able to withstand two thirds of the ultimate loads defined in paragraph 
(c)(1)(i) of this section. For pressurized cabins, these loads must be 
combined with the normal operating differential pressure.
    (iii) Reserved.
    (iv) Failures of the system that result in forced structural 
vibrations (oscillatory failures) must not produce loads that could 
result in detrimental deformation of primary structure.
    (2) For the continuation of the flight. For the airplane, in the 
system failed state and considering any appropriate reconfiguration and 
flight limitations, the following apply:
    (i) The loads derived from the following conditions at speeds up to 
VC/MC, or the speed limitation prescribed for the 
remainder of the flight must be determined:
    (A) the limit symmetrical maneuvering conditions specified in 
Sec. Sec.  25.331 and 25.345,
    (B) the limit gust and turbulence conditions specified in 
Sec. Sec.  25.341 and 25.345,
    (C) the limit rolling conditions specified in Sec.  25.349 and the 
limit unsymmetrical conditions specified in Sec. Sec.  25.367 and 
25.427(b) and (c),
    (D) the limit yaw maneuvering conditions specified in Sec.  25.351,
    (E) the limit ground loading conditions specified in Sec. Sec.  
25.473 and 25.491, and
    (F) any other subpart C of this part load condition for which a 
system is specifically installed or tailored to reduce the loads of 
that condition.
    (ii) For static strength substantiation, each part of the structure 
must be able to withstand the loads in paragraph (c)(2)(i) of this 
section multiplied by a factor of safety that depends on the 
probability of being in this failure condition. The factor of safety is 
defined in Figure 2.
Figure 2 to paragraph (c)(2)(ii)
[GRAPHIC] [TIFF OMITTED] TR27AU24.003

Qj = (Tj)(Pj) where:

Tj = Average time spent in failure condition j (in hours)
Pj = Probability of occurrence of failure mode j (per hour)
If Pj is greater than 10-3 per flight hour, then a 1.5 
factor of safety must be applied in

[[Page 68734]]

lieu of the factor of safety defined in Figure 2.

    (iii) For residual strength substantiation, the airplane must be 
able to withstand two thirds of the ultimate loads defined in paragraph 
(c)(2)(ii) of this section. For pressurized cabins, these loads must be 
combined with the normal operating differential pressure.
    (iv) If the loads induced by the failure condition have a 
significant effect on fatigue or damage tolerance then their effects 
must be taken into account.
    (v) Reserved.
    (vi) Reserved.
    (3) Reserved.
    (d) Failure indications. For system failure detection and 
indication, the following apply:
    (1) The system must be checked for failure conditions evaluated 
under paragraph (c) of this section that degrade the structural 
capability below the level required by subparts C (excluding Sec.  
25.302) and D of this part or that reduce the reliability of the 
remaining system. As far as practicable, these failures must be 
indicated to the flightcrew before flight.
    (2) The existence of any failure condition evaluated under 
paragraph (c) of this section that results in a factor of safety 
between the airplane strength and the loads of subpart C of this part 
below 1.25 must be indicated to the flightcrew.
    (e) Dispatch with known failure conditions. If the airplane is to 
be dispatched in a known system failure condition that affects 
structural performance or affects the reliability of the remaining 
system to maintain structural performance, then the Master Minimum 
Equipment List must ensure the provisions of Sec.  25.302 are met for 
the dispatched condition and for any subsequent failures. Flight 
limitations and operational limitations may be taken into account in 
establishing Qj as the combined probability of being in the dispatched 
failure condition and the subsequent failure condition for the safety 
margins in Figure 2. No reduction in these safety margins is allowed if 
the subsequent system failure rate is greater than 10-3 per 
flight hour.

0
4. Amend Sec.  25.629 by revising paragraph (a) and (d) introductory 
text, redesignating paragraphs (d)(9) and (10) as paragraphs (d)(10) 
and (11), and adding a new paragraph (d)(9) to read as follows:


Sec.  25.629  Aeroelastic stability requirements.

    (a) General. The aeroelastic stability evaluation required under 
this section includes flutter, divergence, control reversal and any 
undue loss of stability and control as a result of structural 
deformation. The aeroelastic evaluation must include whirl modes 
associated with any propeller or rotating device that contributes 
significant dynamic forces. Additionally, the evaluation must include 
any condition of operation within the maneuvering envelope. Compliance 
with this section must be shown by analyses, wind tunnel tests, ground 
vibration tests, flight tests, or other means found necessary by the 
Administrator.
* * * * *
    (d) Failures, malfunctions, and adverse conditions. The failures, 
malfunctions, and adverse conditions that must be considered in showing 
compliance with this section are:
* * * * *
    (9) The following flight control system failure combinations in 
which aeroelastic stability relies on flight control system stiffness, 
damping or both:
    (i) Any dual hydraulic system failure.
    (ii) Any dual electrical system failure.
    (iii) Any single failure in combination with any probable hydraulic 
or electrical system failure.
* * * * *

0
5. Revise Sec.  25.671 to read as follows:


Sec.  25.671  General.

    (a) Each flight control system must operate with the ease, 
smoothness, and positiveness appropriate to its function. The flight 
control system must continue to operate and respond appropriately to 
commands, and must not hinder airplane recovery, when the airplane is 
experiencing any pitch, roll, or yaw rate, or vertical load factor that 
could occur due to operating or environmental conditions, or when the 
airplane is in any attitude.
    (b) Each element of each flight control system must be designed, or 
distinctively and permanently marked, to minimize the probability of 
incorrect assembly that could result in failure or malfunctioning of 
the system. The applicant may use distinctive and permanent marking 
only where design means are impractical.
    (c) The airplane must be shown by analysis, test, or both, to be 
capable of continued safe flight and landing after any of the following 
failures or jams in the flight control system within the normal flight 
envelope. Probable malfunctions must have only minor effects on control 
system operation and must be capable of being readily counteracted by 
the pilot.
    (1) Any single failure, excluding failures of the type defined in 
Sec.  25.671(c)(3);
    (2) Any combination of failures not shown to be extremely 
improbable, excluding failures of the type defined in Sec.  
25.671(c)(3); and
    (3) Any failure or event that results in a jam of a flight control 
surface or pilot control that is fixed in position due to a physical 
interference. The jam must be evaluated as follows:
    (i) The jam must be considered at any normally encountered position 
of the control surface or pilot control.
    (ii) The jam must be assumed to occur anywhere within the normal 
flight envelope and during any flight phase except during the time 
immediately before touchdown if the risk of a potential jam is 
minimized to the extent practical.
    (iii) In the presence of the jam, any additional failure conditions 
that could prevent continued safe flight and landing must have a 
combined probability of 1/1000 or less.
    (d) If all engines fail at any point in the flight, the airplane 
must be controllable, and an approach and flare to a landing and 
controlled stop, and flare to a ditching, must be possible, without 
requiring exceptional piloting skill or strength.
    (e) The airplane must be designed to indicate to the flightcrew 
whenever the primary control means is near the limit of control 
authority.
    (f) If the flight control system has multiple modes of operation, 
appropriate flightcrew alerting must be provided whenever the airplane 
enters any mode that significantly changes or degrades the normal 
handling or operational characteristics of the airplane.

0
6. Amend Sec.  25.901 by revising paragraph (c) to read as follows:


Sec.  25.901  Installation.

* * * * *
    (c) For each powerplant and auxiliary power unit installation, the 
applicant must comply with the requirements of Sec.  25.1309, except 
that the effects of the following failures need not comply with Sec.  
25.1309(b)--
    (1) Engine case burn-through or rupture,
    (2) Uncontained engine rotor failure, and
    (3) Propeller debris release.
* * * * *

0
7. Amend Sec.  25.933 by revising paragraph (a)(1) to read as follows:


Sec.  25.933  Reversing systems.

    (a) * * *
    (1) For each system intended for ground operation only, the 
applicant must show--
    (i) The airplane is capable of continued safe flight and landing 
during and after any thrust reversal in flight; or

[[Page 68735]]

    (ii) The system complies with Sec.  25.1309(b) using the assumption 
the airplane would not be capable of continued safe flight and landing 
during and after an in-flight thrust reversal.
* * * * *

0
8. Revise Sec.  25.1301 to read as follows:


Sec.  25.1301  Function and installation.

    Each item of installed equipment must--
    (a) Be of a kind and design appropriate to its intended function;
    (b) Be labeled as to its identification, function, or operating 
limitations, or any applicable combination of these factors; and
    (c) Be installed according to limitations specified for that 
equipment.

0
9. Revise Sec.  25.1309 to read as follows:


Sec.  25.1309  Equipment, systems, and installations.

    The requirements of this section, except as identified below, apply 
to any equipment or system as installed on the airplane. Although this 
section does not apply to the performance and flight characteristic 
requirements of subpart B of this part, or to the structural 
requirements of subparts C and D of this part, it does apply to any 
system on which compliance with any of those requirements is dependent. 
Section 25.1309(b) does not apply to the flight control jam conditions 
addressed by Sec.  25.671(c)(3); single failures in the brake system 
addressed by Sec.  25.735(b)(1); the failure conditions addressed by 
Sec. Sec.  25.810(a)(1)(v) and 25.812; uncontained engine rotor 
failure, engine case rupture, or engine case burn-through failures 
addressed by Sec. Sec.  25.903(d)(1) and 25.1193 and part 33 of this 
chapter; and propeller debris release failures addressed by Sec.  
25.905(d) and part 35 of this chapter.
    (a) The airplane's equipment and systems must be designed and 
installed so that:
    (1) The equipment and systems required for type certification or by 
operating rules, or whose improper functioning would reduce safety, 
perform as intended under the airplane operating and environmental 
conditions; and
    (2) Other equipment and systems, functioning normally or 
abnormally, do not adversely affect the safety of the airplane or its 
occupants or the proper functioning of the equipment and systems 
addressed by paragraph (a)(1) of this section.
    (b) The airplane systems and associated components, evaluated 
separately and in relation to other systems, must be designed and 
installed so that they meet all of the following requirements:
    (1) Each catastrophic failure condition--
    (i) Must be extremely improbable; and
    (ii) Must not result from a single failure.
    (2) Each hazardous failure condition must be extremely remote.
    (3) Each major failure condition must be remote.
    (4) Each significant latent failure must be eliminated as far as 
practical, or, if not practical to eliminate, the latency of the 
significant latent failure must be minimized. However, the requirements 
of the previous sentence do not apply if the associated system meets 
the requirements of paragraphs (b)(1) and (b)(2) of this section, 
assuming the significant latent failure has occurred.
    (5) For each catastrophic failure condition that results from two 
failures, either of which could be latent for more than one flight, the 
applicant must show that--
    (i) It is impractical to provide additional fault tolerance; and
    (ii) Given the occurrence of any single latent failure, the 
residual average probability of the catastrophic failure condition due 
to all subsequent active failures is remote; and
    (iii) The sum of the probabilities of the latent failures that are 
combined with each active failure does not exceed 1/1000.
    (c) The airplane and systems must provide information concerning 
unsafe system operating conditions to the flightcrew to enable them to 
take appropriate corrective action in a timely manner. Systems and 
controls, including information, indications, and annunciations, must 
be designed to minimize flightcrew errors that could create additional 
hazards.
    (d) Reserved.
    (e) The applicant must establish certification maintenance 
requirements as necessary to prevent the development of the failure 
conditions described in paragraph (b) of this section. These 
requirements must be included in the Airworthiness Limitations section 
of the Instructions for Continued Airworthiness required by Sec.  
25.1529.

0
10. Amend Sec.  25.1365 by revising paragraph (a) to read as follows:


Sec.  25.1365  Electrical appliances, motors, and transformers.

    (a) An applicant must show that, in the event of a failure of the 
electrical supply or control system, the design and installation of 
domestic appliances meet the requirements of Sec.  25.1309(b) and (c). 
Domestic appliances are items such as cooktops, ovens, coffee makers, 
water heaters, refrigerators, and toilet flush systems that are placed 
on the airplane to provide service amenities to passengers.
* * * * *

0
11. Revise section H25.4 of appendix H to part 25 by adding paragraph 
(a)(6) to read as follows:

Appendix H to Part 25--Instructions for Continued Airworthiness

* * * * *

H25.4 Airworthiness Limitations section.

* * * * *
    (a) * * *
    (6) Each certification maintenance requirement established to 
comply with any of the applicable provisions of part 25.
* * * * *

    Issued under authority provided by 49 U.S.C. 106(f), 106(g), 
44701(a), and 44704 in Washington, DC.
Michael Gordon Whitaker,
Administrator.
[FR Doc. 2024-18511 Filed 8-26-24; 8:45 am]
BILLING CODE 4910-13-P