AGENCY:

Federal Aviation Administration (FAA), DOT.

ACTION:

Notice of availability of proposed design criteria and request for comments

SUMMARY:

This notice announces the availability of and requests comments on the proposed design criteria for the Zeppelin Luftschifftechnik GmbH model LZ N07 airship. The German aviation airworthiness authority, the Luftfahrt-Bundesamt (LBA), forwarded an application for type validation of the Zeppelin Luftschifftechnik GmbH (ZLT) model LZ N07 airship on October 1, 2001. The airship will meet the provisions of the Federal Aviation Administration (FAA) normal category for airships operations and will be certificated for day and night visual flight rules (VFR); additionally, an operator of this airship may petition for exemption to operate the airship in other desired operations.

DATES:

Comments must be received on or before June 4, 2007.

ADDRESSES:

Send all comments on the proposed design criteria to: Federal Aviation Administration, Attention: Mr. Karl Schletzbaum, Project Support Office, ACE-112, 901 Locust, Kansas City, Missouri 64106. Comments may be inspected at the above address between 7:30 a.m. and 4 p.m. weekdays, except Federal holidays.

FOR FURTHER INFORMATION CONTACT:

Mr. Karl Schletzbaum, 816-329-4146.

SUPPLEMENTARY INFORMATION:

Comments Invited

Interested persons are invited to comment on the proposed design criteria by submitting such written data, views, or arguments as they may desire. Commenters should identify the proposed design criteria on the Zeppelin Luftschifftechnik GmbH model LZ N07 airship and submit comments, in duplicate, to the address specified above. All communications received on or before the closing date for comments will be considered by the Small Airplane Directorate before issuing the final design criteria.

Discussion

Background

Under the provisions of the Bilateral Aviation Safety Agreement (BASA) between the United States and Germany, the German aviation airworthiness authority, the Luftfahrt-Bundesamt (LBA), forwarded an application for type validation of the Zeppelin Luftschifftechnik GmbH (ZLT) model LZ N07 airship on October 1, 2001. The LZ N07 has a rigid structure, 290,330 cubic foot displacement and has accommodations for twelve passengers and two crewmembers. The airship will meet the provisions of the Federal Aviation Administration (FAA) normal category for airships; additionally, an operator of this airship may petition for exemption to operate the airship in other desired operations. The airship will be certificated for day and night visual flight rules (VFR).

Proposed Design Criteria

Applicable Airworthiness Criteria Under 14 CFR Part 21

The only applicable requirement for airship certification in the United States is FAA document FAA-P-8110-2, Airship Design Criteria (ADC). This document has been the basis of bilateral validation of airships between Germany and the United States for many years. However, in 1995, the LBA issued the initial version of the Lufttüchtigkeitsforderungen für Luftschiffe der Kategorien Normal und Zubringer (hereafter referred to as the LFLS), which added a commuter category to German airship categories and also added additional requirements for normal category airships. Due to this, where the previously mutually accepted ADC can be considered to be harmonized in practice, the issuance of the LFLS created regulatory differences for normal category airships between the United States and Germany.

In keeping with its bilateral obligations, the FAA has, with assistance from the LBA, determined that regulatory differences exist between the two requirements (ADC versus LFLS). This determination is the Significant Regulatory Differences analysis. In the case of the LZ N07 airship, the German certification was accomplished to the higher standard of the commuter category of the LFLS, with various LBA modifications and additions. The FAA desires to accept the Zeppelin airship model LZ N07 at the same airworthiness standard as it was certificated to in Germany, so we have decided to accept the requirements of the LFLS and the supplemental requirements issued by the LBA as the U.S. certification basis. With this decision, the bulk of the regulatory differences are not relevant, as the FAA is accepting the provisions of the German LFLS certification in the commuter category in its entirety. The FAA has, after comparing the normal category ADC to the commuter category LFLS requirements, determined that all of the LFLS requirements are at least equivalent to and, in many cases, more conservative than the requirements for the normal category contained in the ADC.

Regulatory Differences

The LFLS was developed considering the ADC at Change 1, but Change 2 provisions were not considered. There will be one regulatory difference due to this; ZLT will show compliance to ADC § 4.14 at Change 2.

Additional and Alternative Requirements

The German aviation authority, the Luftfaht-Bundesamt (LBA) issued additional requirements, special conditions, and equivalent levels of safety to deal with certain design provisions and airworthiness concerns specific to the design of the LZ N07 that were not anticipated by the LFLS. These requirements will also become part of the U.S. certification basis for this airship.

The U.S. certification basis for the LZ N07 will be proposed as an entire certification basis, including those changes required by the FAA and the LBA. Based on the provisions of 14 Code of Federal Regulations (CFR) part 21, §§ 21.17(b), 21.17(c) and 21.29, the following airworthiness requirements were evaluated and found applicable, suitable, and appropriate for this design, and they will remain active until August 31, 2007 or to a future date extended by the FAA, and form the Certification Basis.

Certification Basis

The German regulation Lufttüchtigkeitsforderungen für Luftschiffe der Kategorien Normal und Zubringer, (referred to as the LFLS), effective April 13, 2001; except:

(1) In lieu of compliance to LFLS section 673 the LZ N07 will comply with ADC § 4.14.

(2) B-1 LBA, Equivalent Safety Finding for Section 76 LFLS, Engine Failure.

Discussion

The LFLS requires that the airship restore itself to a state of equilibrium after the failure of any one engine during any flight condition. In the case of the LZ N07, a state of equilibrium using designated ballast cannot be achieved as required by the LFLS. ZLT Start Printed Page 24657met this requirement with an equivalent level of safety.

In lieu of the provisions of LFLS § 76 the following is required:

In the case of failure of any one engine (of three) it must be shown that a zero vertical speed condition can be established for any flight condition by using the thrust vectoring capability of the remaining two engines and aerodynamic lift.

The time to achieve this zero vertical speed will be demonstrated to be not more than when using a designated ballast system with a minimum discharge rate established in LFLS § 893(d).

(3) B-2 LBA, Equivalent Safety Finding for LFLS Section 143(b), Controllability and Maneuverability, General [all engines out].

Discussion

LFLS section 143(b) requires that the airship be capable of a safe descent and landing after failure of all engines under the conditions of LFLS section 561. ZLT met this requirement with an equivalent level of safety.

Even in the event of all engines failing, a limited means to control the descent of the airship is available, but only with the airship in equilibrium. With the airship heavy, there is no means to modulate the descent once speed has dissipated, since the descent rate is determined by heaviness only. However, descent will be stable and no unsafe attitude will result and the worst-case descent rate is still in compliance with the emergency landing conditions of LFLS section 561. This fulfills the safety objective of LFLS section 143(b).

To satisfy the provisions of LFLS section 143(b), the following is required:

A qualitative safety analysis will be performed to show that the simultaneous occurrence of a loss of all engines (combined with worst case weight conditions) is extremely improbable.

(4) B-3 LBA, Equivalent Safety Finding for LFLS Section 33(d)(2), Propeller Speed and Pitch Limits.

Discussion

LFLS section 33(d)(2) requires a demonstration with the propeller speed control inoperative that there is a means to limit the maximum engine speed to 103 percent of the maximum allowable takeoff rotations per minute (rpm). The LZ N07 is designed so that in case of a zero thrust condition in flight, the affected engine is shut off. The shutoff rpm is above 103 percent of the maximum allowable takeoff rpm.

The LZ N07 airship is not equipped with a traditional propeller governor system. The propeller speed control function is provided by the AIU (engine control board). If the AIU fails, a means to shut down the engine is provided: Called the Limiting System (Lasar). The limiting system provides two functional stages; the first stage limits rpm between 2725 and 2750, in case the AIU engine control board is unable to limit engine speed with the propeller in zero thrust pitch condition. The second stage shuts down the engine at 2900 rpm in case of limiting system first stage failure in order to avoid engine and propeller disintegration hazard to the airship. The shutdown of one engine is considered a major hazard. (Note: maximum rpm = 2700, 103 percent maximum rpm = 2781.)

In traditional governor systems during in-flight operation with zero thrust pitch selected, overspeed protection is not assured in case of a governor failure. The LZ N07 design is considered to provide equivalent or improved safety compared to previously certified (traditional) governor systems.

To satisfy the provisions of LFLS section 33(d)(2), the following is required:

The proper function of the systems will be demonstrated by performing a system ground test simulation.

The propeller overspeed capability of 126 percent of the maximum rpm will comply with the provisions of JAR P certification, (JAR P section 170(a)(2)).

(5) B-4 LBA, Equivalent Safety Finding for LFLS Section 145, Longitudinal Control.

Discussion

LFLS section 145 requires a demonstration of nose-down pitch change out of a stabilized and trimmed climb and 30 degree pitch angle at maximum continuous power and a nose-up pitch change out of a stabilized and trimmed descent and −30 degree pitch angle at maximum continuous power on all engines. ZLT met this requirement with an equivalent level of safety. The LZ N07 ballonet system limitations prevent stabilized climbs or descents above certain vertical speeds. The procedure required in LFLS section 145 cannot be demonstrated by flight test without modification.

ZLT demonstrated through flight test that sufficient control authority was available to recover from a steep climb or descent when the airship is trimmed for the appropriate climb or descent and is operated under maximum continuous power.

Additionally, it was also shown that it is possible to produce a nose-down pitch change out of a stabilized and trimmed climbing flight and a nose-up pitch change out of a similar descent. The LZ N07 ballonet systems limitations prevent this from being demonstrated at maximum continuous power and 30-degree pitch angle because the climb or descent rates are too high at the resulting airspeed.

To satisfy the provisions of LFLS section 145 the following is required:

A flight test procedure will demonstrate that it is possible to produce:

(1) A nose-down pitch change out of a stabilized climb with a nose-up flight path angle as limited by the ballonet system for the relevant true airspeed or 30 degrees, whichever leads to a lower absolute value.

(2) A nose-up pitch change out of a stabilized descent with a nose-down flight path angle as limited by the ballonet system for the relevant true airspeed or −30 degrees, whichever leads to a lower absolute value.

(6) C-1 LBA, Additional Requirement for a Reliable Load Validation; 14 CFR part 25, § 25.301(b).

Discussion

The present LFLS does not include the requirement for the manufacturer to validate the load assumptions used for stress analyses. 14 CFR part 25, § 25.301(b) requires that methods used to determine load intensities and distribution must be validated by flight load measurement unless the methods used for determining those loading conditions are shown to be reliable.

The following is added as an additional requirement:

The provisions of 14 CFR part 25, § 25.301(b) will be complied with.

(7) D-1 LBA, Additional Requirements for LFLS section 853(a), Compartment Interiors [Flammability of Seat Cushions].

Discussion

LFLS section 853 does not provide requirements for flammability standards for seat cushions as introduced by Amendment 59 of 14 CFR part 25. The LBA requested a proof test for seat cushions with the oil burner as specified in 14 CFR part 25, Appendix F, part II or equivalent for passenger seats, except for crew seats.

To satisfy the provisions of LFLS section 853(a), the following is required:

A proof test for seat cushions with the oil burner as specified in 14 CFR part 25, Appendix F, part II or equivalent for passenger seats will be performed successfully.

(8) D-5 LBA, Additional Requirements for LFLS Section 673(d), Primary Flight Controls. Start Printed Page 24658

Discussion

LFLS section 673(d) requires that airships without a direct mechanical linkage between the cockpit and primary flight control surfaces be designed with a dual redundant control system. The terminology “dual redundant” is considered ambiguous in that it does not clearly define the degree of redundancy required.

To satisfy the provisions of LFLS section 853(a), the following is required:

Compliance with LFLS section 1309 will show that continued safe flight and landing is assured after complete failure of any one of the primary flight control system lanes.

(9) D-6 LBA, Equivalent Safety Finding for LFLS Section 771(c), Pilot Compartment [Controls Location with Respect to Propeller Hub].

Discussion

LFLS section 771(c) requires that aerodynamic controls and pilots may not be situated within the trajectories of the designated propeller burst area. Since a thrust vectoring (including a non-swiveling lateral propeller) system has been incorporated into the airship, with two engines forward and one aft engine, formal non-compliance in some cases cannot be avoided.

To satisfy the provisions of LFLS section 771(c), the following is required:

A qualitative safety analysis will be accomplished that considers the mitigating effects of:

(1) The relationship of overall swivel angle of propeller rotational plane versus crucial swivel angle of propeller rotational plane, (2) The distance between aft propeller and aerodynamic controls, and

(3) The potential energy absorbing and deflecting structure between aft propulsion unit and controls and pilot.

The analysis will consider the following:

The lateral propeller is continuously operating in idle with the exception of ground maneuvering and approach phases.

The rear propeller transitions through its crucial angle only, while swiveling from the horizontal to the vertical position from a takeoff/approach/landing/hover to a level flight configuration.

Aircraft Flight Manual (AFM) procedures, cockpit placarding, and swivel lever markings shall be established to restrict normal operation in the crucial swivel range.

(10) D-7 LBA, Equivalent Safety Findings for LFLS Section 777(c), Cockpit Controls; 1141(a), Powerplant Controls: General; 1143(c), Engine Controls; 1149(a)(2), Propeller Speed and Pitch Controls; 1167(c)(1), Vectored Thrust Controls

Discussion

LFLS section 777(c), 1141(a), 1143(c), 1149(a)(2), and 1167(c)(1) all involve requirements governing the configuration and characteristics of throttle, propeller pitch, mixture, and thrust vectoring controls. Due to the constant speed throttle control concept allowing infinitely variable thrust vector control between maximum reverse and maximum forward thrust, a non-conventional control system was developed that is partially non-compliant with the requirements. The requirements and the configuration of the LZ N07 are summarized in Table 1 below.

To satisfy the provisions of LFLS section 777(c), 1141(a), 1143(c), 1149(a)(2) and 1167(c)(1) the following is required:

In the case of an identified non-compliance to the LFLS, as shown in Table 1, compliance will be by an evaluation of the airship and a finding that there are safe handling characteristics using the type design engine thrust control/thrust vectoring controls as described in Table 1.

(11) D-8 LBA, Equivalent Safety Findings for LFLS Section 807(d) and Section 807(d)(1)(i), Emergency Exits.

Discussion

LFLS section 807(d) and (d)(1)(i) for commuter category airships carrying less than 15 passengers requires at least three emergency exits. Refer to Table 2.

The design of the LZ N07 fully complies with the requirement for the Normal Category; however, the third exit required for compliance in the Commuter Category is not provided. This results in a formal noncompliance.

To satisfy the provisions of LFLS section 807(d) and 807(d)(1)(i), the following is required: Compliance for LFLS section 807(d) and 807(d)(1)(i) will be shown by:

(1) The first and second exits provided are both floor level exits and oversized compared to 19 by 26 inches.

(2) The evacuation demonstration required in section 803(e) shall be accomplished within 60 seconds, (with one exit blocked) instead of 90 seconds.

(12) D-9 LBA, Equivalent Safety Finding for Section 881(a), Envelope Design [Envelope Tension].

Discussion

LFLS section 881(a) requires that the envelope maintain tension while supporting limit load conditions for all flight conditions. The rigid design of the LZ N07 allows for limited wrinkling of the envelope under limit load conditions with no effect on airship handling and performance.

Due to the unique kind of rigid structural design, the structural integrity of the LZ N07 airship is not dependent on the tension of the envelope, as rigid structure replaces the load-carrying envelope. The alignment of structure, engines, empennage, cabin and other components affecting handling qualities, performance, and other factors is independent of any wrinkling condition of the envelope.

To satisfy the provisions of LFLS section 881(a), the following is required:

Safe handling characteristics will be demonstrated by flight test, the limit load carrying capability by analysis.

(13) D-10 LBA, Equivalent Safety Finding for LFLS Section 881(f), Envelope Design [Rapid Deflation Provisions].

Discussion

LFLS section 881(f) requires that provisions be maintained to allow for rapid envelope deflation of the airship should it break loose from the mast while moored. The present design does not include such a provision. For German certification, ZLT had to demonstrate an equivalent level of safety. As part of this, ZLT presented that, due to the unique kind of rigid structural design of the airship, any rapid deflation provision will not significantly reduce the effective cross section of the envelope; thus, the uncontrolled drift of the airship due to surface winds once free of its moorings could not be brought under control. ZLT presented that the overall level of safety is negatively affected by the potential unwanted operation of the required rapid deflation provision when unintentionally operated or operated due to individual failure conditions, Start Printed Page 24660and that this could lead to a potentially severe failure condition.

ZLT was required by the LBA to provide an equivalent level of safety by means of a qualitative safety analysis and by showing that the reliability of the mast coupling system design is significantly improved over typical non-rigid airship systems. It also provided proof of safe life design for the structural parts and to prove the fail-safe design of the hydraulically powered locking mechanism. These systems are part of the ground based mooring vehicle.

We understand that the rigid structure of the airship complicates or eliminates the deflation design feature expected of non-rigid types of airships, and we believe that this requirement cannot be met without an equivalent level of safety. The rapid deflation feature of a non-rigid airship is provided to allow emergency egress without the ship lifting and to deflate the envelope in case an airship is blown off of the mast and is subsequently uncontrolled. These concerns still apply to a rigid airship.

We accept the evacuation procedure, described in the section discussion LFLS section 809(e), as an acceptable equivalent feature for the evacuation requirement.

In the event that the airship is blown off of the mast, we believe that a rigid airship will present the same or enhanced hazard as the requirement for non-rigid type airships was developed to mitigate, that being of an unmanned and, or, uncontrolled airship in controlled airspace in the proximity of persons, property, or other aircraft.

To satisfy the provisions of LFLS section 881(f), the following is required:

Safe life design for the structural parts and fail-safe design of the hydraulically powered locking mechanism of the mooring vehicle will be shown.

The Airship Flight Manual will contain mast procedures for all approved mast mooring conditions. These procedures will also include a requirement to have transponder equipment active when the airship is moored on the mast, and define conditions when a pilot must be in the airship.

(14) D-11 LBA, Equivalent Safety Finding for LFLS Section 883(e), Pressure System.

Discussion

LFLS section 883(e) requires that provisions be maintained to blow air into the helium space in order to prevent wrinkling of the envelope. The present design of the airship does not include this provision; therefore, ZLT had to demonstrate equivalent level of safety.

Due to the unique kind of rigid structural design, the structural integrity of the airship is not dependent on the tension of the envelope. Rigid structure replaces the load-carrying envelope. The alignment of structure, engines, empennage, and cabin, etc., affecting handling qualities and airship controllability is independent of any wrinkling condition of the envelope.

To satisfy the provisions of LFLS section 883(e), the following is required:

Safe operation at reduced helium pressures will be demonstrated.

(15) D-12 LBA, Interpretation of LFLS Section 785(b), Seats, berths and safety belts [Approval of].

Discussion

The LFLS requires approval for seats; the LBA required approval of passenger and crew seats according to TSO C39b. The ZLT uses seats that are TSO C39b approved by a seat vendor; if this is not done, the seats used will demonstrate compliance to TSO C39b.

To satisfy the provisions of LFLS section 758(b), the following is required:

Seats will comply with the provisions of TSO C39b.

(16) D-13 LBA, Additional Requirement; LFLS Section 1585(a)(10), Operating Procedures [Ditching, Emergency Evacuation].

Discussion

The LFLS does not provide requirements for ditching exits; the LBA requested a floatation analysis to be done, to analyze the case of an unplanned ditching. Helium loss during the emergency evacuation procedure was not considered. It was determined by calculation that the passenger cabin provides enough buoyancy for safe egress with the requirement that one emergency exit shall be usable above the static waterline for at least 90 seconds for emergency evacuation.

To satisfy the provisions of LFLS section 758(b), the following is required:

It shall be demonstrated by test or analysis that an emergency evacuation exit will remain above the waterline for at least 90 seconds after finally settling on the water. Relevant instructions will be included in the Airship Flight Manual.

(17) D-14 LBA, Interpretative Material; LFLS Section 803(e), Emergency Evacuation Demonstration.

Discussion

LFLS section 803(e) requires an emergency evacuation demonstration. This evacuation must be completed within 90 seconds. Compliance with LFLS section 881(g) must be considered in conjunction with section 803(a) through (e).

This requirement demonstrates the ability of the entire cabin to be evacuated within 90 seconds using the maximum number of occupants, with flight crew preparation for the emergency evacuation. Normal valving of helium to provide emergency deflation on the ground during the emergency evacuation, according to section 881(g), is assumed.

To satisfy the provisions of LFLS section 803(e), the following is required:

(1) It will be demonstrated that the cabin can be emergency egressed within 90 seconds.

(2) In addition, the evacuation method established will include the preparation of the airship for the ground phase of the emergency evacuation on the ground. The applicant will demonstrate by analysis supported by tests that the preparation for cabin emergency evacuation could be conducted within 30 seconds (from time of landing until start of cabin emergency evacuation). This technique will be published in the AFM. Refer to Figure 1, “ZLT Emergency Evacuation Technique.”

(3) The evacuation method established will include four steps:

(a) After the occurrence of the emergency situation, the pilot has to prepare the airship for an emergency landing.

(b) The pilot has to land the airship.

(c) The pilot has to prepare the airship for the evacuation. This includes providing enough heaviness so that the airship cannot leave the ground during the passenger evacuation. Also, the pilot must keep the airship in a safe position before starting the evacuation. By controlling the deflation, the pilot must try to prevent trapping of the envelope over the occupants during the evacuation.

(d) The actual evacuation will only begin when a safe position of the airship can be maintained and when enough heaviness is provided.

These steps will be reflected in the AFM.

(18) D-15 LBA, Additional Requirements; 14 CFR part 23, §§ 23.859 and 23.1181(d), [cabin heating; fuel burner].

Discussion

ZLT wishes to install fuel burner heating equipment for a cabin heating and ventilation system in the lower shell of the passenger cabin. The LFLS does not provide adequate requirements for the installation of fuel burner equipment. The LBA required the application of 14 CFR part 23, §§ 23.859 and 23.1181(d), revised as of January 1, 1998, in addition to other applicable requirements of the LFLS. The LBA interpretation of § 23.859 (a) is such that the entire heater compartment will be considered a fire region and has to be of fireproof construction. Part 23 § 23.859, paragraphs (a)(1) to (a)(3), will be complied with also. Other applicable FAA regulations introduced by reference to §§ 23.859 and 23.1181(d) by the LBA will be complied with by compliance to applicable LFLS sections.

The airship will comply with the provisions of 14 CFR part 23, § 23.859, Combustion Heater Fire Protection, and § 23.1181(d), Firewalls.

(19) E-1 LBA, Additional Requirements Remote Propeller Drive System.

Discussion

The LZ N07 propellers of both forward and aft propulsion systems are not conventionally installed directly on the engine crankshaft. A remote propeller drive system consisting of torque shafts, swivel gears, friction clutches and a belt drive unit (on the aft engine only) is installed between engine and propeller to provide thrust and vector capability for the propellers. The LFLS does not contain requirements for such power transmission designs.

The LBA required compliance as described in LBA guidance paper I-231-87, applicable to components installed between engines and propellers. I-231-87(01) requires compliance with JAR 22H or 14 CFR part 33; however, instead of JAR 22H or 14 CFR part 33 compliance, compliance with applicable sections of JAR P (Change 7) as listed in Table 3 will be required.

To satisfy the additional required provisions, the following is required:

Compliance will be shown for the Remote Propeller Drive System to the requirements of LBA document I-237-87, dated September 1987, and the Joint Aviation Requirements (JARs) summarized in Table 3.

LBA Document I-237-87

Preliminary Guideline for Compliance of Transmission-Shafts in Powerplant Installations of Airplanes (part 23) and Powered Sailplanes (JAR 22)

LBA Document: I231-87

Issue: 30. September 1987

Change record: Translated into English, May 2002

Translation has been done by best knowledge and judgement. In any case, the officially published text in German language is authoritative.

At the present time the Airworthiness Requirements for motorized aircraft assume only propeller-engine-combinations, where the propeller is directly fixed at the engine flange.

Clutches, transmission shafts, intermediate bearings, angular drives (gearboxes), universal joints, shifting sleeves, etc., are accommodated for neither by JAR-22, nor by part 23 (JAR-23), or part 33 (JAR-E).

The necessity to supplement/amend the Airworthiness Requirements became obvious for a powered sailplane, where a transmission shaft from the engine in the middle of the fuselage runs through the cockpit between the pilots (side-by-side seats) to the bow of the fuselage where the propeller is mounted.

The rupture of a so installed transmission shaft can, besides the loss of thrust, also by the whirling of the parts that remain attached to the run-away engine have catastrophic effects to pilots and aircrafts/aeroplanes.

Also differently arranged transmission shafts that do not pass through the cockpit can endanger the surrounding primary structure, the controls or other important systems critically.

For transmission shaft installations the following Special Requirements have to be applied for powered sailplanes and aircraft (aeroplanes) in addition to JAR 22 and part 23 (JAR 23), respectively part 33 (JAR-E):

(1) All parts between engine and propeller, that serve the transfer of engine-power to the propeller are regarded as parts of the engine and are, as far as practicable/applicable, to be shown to comply with JAR-22 Subpart H Engines or part 33 Aircraft Engines (JAR-E), respectively.

(2) Propeller thrust, lateral loads and gyroscopic moments have to be transferred to load carrying members on the shortest possible way.

(3) Dissimilar expansion/deformation between structural and powerplant parts, may it be under loads or/and temperatures has to be accounted for by appropriate means.

(4) Universal joints used in the transmission shaft installation have to be selected and arranged/installed so that an unsteadiness of the rotation speed is avoided.

(5) Wrappings, guidances, protective covers and all other structural members must have such a spacing from rotating parts, that under deformation due to flight or ground loads and if pressure is exerted by parts of the body (pilot or passenger) a radial or respectively longitudinal distance of at least 13 mm (0.5 inch) remains.

(6) It has to be guaranteed that parts made of fibre-reinforced materials during operation do not exceed (reach) the softening temperature. Softening temperature: TGA according to DIN 29971. Compliance has to be sought in a “cooling test flight” according to JAR 22.1041/22.1047 or part 23, §§ 23.1041/23.1045/23.1047 (or JAR 23 * * *), respectively.

If the difference between the corrected maximum operational temperature and the softening temperature is less than 15 °C, the operational temperature has to be monitored (continuously) by an instrument.

(7) If parts of the transmission shaft installation are made from material not being fireproof, these parts have to be protected against the effects of fire in the engine compartment.

(8) It has to be shown, that the whirling rest of a broken transmission shaft, still driven by the engine does neither directly endanger occupants (pilots included) nor parts of the primary structure in a way that the flight cannot be brought to a safe end. Compliance has to be sought in a test under the assumption that the shaft is broken at a place most critical for compliance and the engine running at take-off power.

(9) The repeated in-flight-stopping and re-starting of the engine is common practice for powered sailplane. To avoid passing through a critical RPM-range, transmission shaft installation must operate in a sub-critical RPM-range.

The critical RPM of any transmission shaft must be at least 1.5 times the maximum operational RPM. When determining the critical RPM the influences of the maximum imbalance to be expected from the manufacturing process, as well as the bending of the shaft under load factor and probable forced bending by fuselage deformation has to be considered. Start Printed Page 24665

(10) The vibration test required by JAR 22.1843 or FAR 33.43(a)(b)/(JAR-E) respectively must comprise the complete transmission shaft installation (engine-transmission-shaft-propeller). The effects of engine stopping and restarting must be investigated.

The stresses derived from the test above have to be superimposed with the stresses directly originating from load factors acting on the transmission shaft or are forced on the transmission shaft by deformation of the airframe.

The resulting peak stresses must not exceed the fatigue limit of the material used for the transmission shaft installation.

Figure 2: LBA Document

(20) E-2 LBA, Equivalent Safety Finding; LFLS Section 1167(d), Vectored Thrust Components [Auxiliary Thrust Vectoring].

Discussion

LFLS section 1167(d) (subpart E) requires an auxiliary means be provided to return the vectoring thrust system into a normal operating position should the primary means fail. The current design does not include this design feature. The LZ N07 is equipped with a system of swiveling propellers. This system is used for conventional cruise flight with the propellers in a vertical position and also for steering the airship at low airspeeds with the propellers in swiveled positions. This results in no one “normal position” of the propeller than can be specified. Even if the propeller swiveling system fails, such a stuck position might be useful for the pilot. Also, since all three engines are operating individually, a single vectoring failure does not interfere with the two remaining propulsion units.

Instead of providing auxiliary means to return the system to the normal operating position, the design, operation, and function of the vectoring system on the Zeppelin LZ N07 airship provides an equivalent level of safety.

To satisfy the provisions of LFLS section 1167(d), the following is required:

It will be shown by flight test that continued safe flight and landing is possible with a propeller stuck in any one position with the affected engine (still) running or shut off.

(21) F-1 LBA, Additional Requirements; LFLS Section 1301, Function and Installation; and LFLS Section 1309, Equipment, Systems and Installations (HIRF)

Discussion

The LZ N07 utilizes new avionics/electronic systems that provide critical data to the flight crew. The applicable regulations do not contain adequate or appropriate safety standards for the protection of these systems from the effects of high intensity radiated fields (HIRF). The LBA's required additional safety standards considered necessary to establish a level of safety equivalent to that established by existing airworthiness standards.

There is no specific regulation that addresses protection requirements for electrical and electronic systems from HIRF. Increased power levels from the ground based radio transmitters and the growing use of sensitive electrical and electronic systems to command and control the airship, especially under IFR conditions, have made it necessary to provide adequate protection. To ensure that the level of safety is achieved equivalent to that intended by the regulations incorporated by reference, additional requirements are needed for the LZ N07 to require that new technology electrical and electronic systems be designed and installed to preclude component damage and interruption of critical functions due to effect of HIRF.

High Intensity Radiated Fields (HIRF)

With the trend toward increased power levels from ground-based transmitters, plus the advent of space and satellite communications, coupled with electrical and electronic command and control of an airship, the immunity of critical systems to HIRF must be established. It is not possible to precisely define the HIRF to which the airship will be exposed in service. There is also uncertainty concerning the effectiveness of gondola shielding for HIRF. Furthermore, coupling of electromagnetic energy to gondola-installed equipment through the windows apertures is undefined. Based on surveys and analysis of existing HIRF emitters, an adequate level of protection exists when compliance with the HIRF special condition is shown.

To satisfy the provisions of LFLS section1301 and LFLS section 1309 the following is required:

The airship systems and associated components, considered separately and in relation to other systems, must be designed and installed so that:

(a) Each system that performs a critical or essential function is not adversely affected when the airship is exposed to the normal HIRF environment.

(b) All critical functions must not be adversely affected when the airship is exposed to the certification HIRF environment.

(c) After the airship is exposed to the certification HIRF environment, each affected system that performs a critical function recovers normal operation without requiring any crew action, unless this conflicts with other operational or functional requirements of that system.

The following definitions apply:

(a) Critical function: A function whose failure would prevent continued safe flight and landing of the airship.

(b) Essential function: A function whose failure would reduce the capability of the airship or the ability of the crew to cope with adverse operating conditions.

(c) The definitions of normal and certification HIRF environments, frequency bands, and corresponding average and peak levels are defined in Table 4 and Table 5.

General Guidance Material

The User Guide for AC/AMJ 20-1317 The Certification of Aircraft Electrical and Electronical Systems for Operation in the High Radiated Fields (HIRF) Environment dated 9/21/98 must be used. In case of conflicting issues, this notice will supersede, unless otherwise notified.

Criticality Definitions

In order to perform hazard assessments, the table below defines equivalence:

Equipment Test Requirements

If ZLT can demonstrate for Level A, B, or C equipment that equipment testing is adequate for showing compliance, the following equipment test requirement will be used:

RTCA DO-160 D, if equipment development was launched in 1996 or later a no TSO or JTSO certification will be obtained by the supplier.

RTCA DO-160 C, or earlier if equipment development was launched in 1995 or earlier, or if the equipment affected already holds a separate TSO or JZSO certification.

Certification HIRF Environment

Field Strengths in Volts/Meter, (V/m).

Note:

At 10 kHz-100kHz a Height Impedance Field of 320V/m peak exists.

Normal HIRF Environment

Field Strengths in Volts/Meter, (V/m).

Abbreviations

GHz—Gigahertz

IFR—Instrument Flight Rules

kHz—Kilohertz

m—Meter

MHz—Megahertz

V—Volt

(22) F-2 LBA, Additional Requirements; LFLS Section 1301, Function and Installation, and LFLS Section 1309, Equipment, Systems and Installations [Software development and transition to RTCA DO-178B/ED-12B]

Discussion

The LZ N07 will be certificated with microprocessor-based systems installed that contain software. The LBA considered that there was limited policy or guidance for transitioning to the use of RTCA DO 178B/ED-12B from earlier guidance regarding means of compliance for software-based systems. Specific transition criteria were specified for the LZ N07 compliance program.

RTCA DO 178B/ED-12B, “Software Considerations in Airborne Systems and Equipment Certification,” dated December 1, 1992, provides guidance for software development where industry and regulatory experience showed RTCA document DO 178A/ED-12A, “Software Considerations in Airborne Systems and Equipment Certification,” dated 1985, required revision. Through RTCA, Inc./EUROCAE, a joint committee comprised of representatives from both the public and private sectors, created DO 178B/ED-12B to reflect the experience gained in the certification of aircraft and engines containing software based systems and equipment and to provide guidance in the area not previously addressed by DO 178A/ED-12A. DO 178B/ED-12B contains more objectively-determinable compliance criteria and considerably enhances the consistency of software evaluations. The use of DO 178B/ED-12B provides for a more thorough and sure compliance finding to objective standards, reducing the likelihood of software errors.

Due to being superseded for the reasons discussed above, DO 178A/ED-12A and prior versions were not recognized by the LBA as acceptable means of compliance for software being developed or being modified for an airship certification program (in Germany) whose application date was later than January 11, 1993 (except as noted in subparagraph 1(a) and 1(b) below). The LZ N07 program fell into this category. ZLT was allowed to propose exceptions to the use of DO 178B/ED-12B (or equivalently acceptable means of compliance) for specific systems or equipment. These requests were evaluated on a case-by-case basis and were considered when:

(a) The LBA determined that the software modification is so simple or straightforward that an upgrade of the applicant's processes to DO 178B/ED-12B from earlier revisions of DO 178/ED-12 is not necessary for assuring that the modification is specified, designed, and implemented correctly, and verified appropriately; or

(b) Where a straightforward and readily obvious determination could be made by the LBA that airworthiness will not be affected if some specific objectives of DO 178B/ED-12B were not met.

One example might be the modification of a code table or local or private data that can be readily verified by inspection. A second example might be minor gain changes necessary for adoption of existing equipment to a new airframe. A third example might be the modification of a small percentage of code that has no effect on common or global data or other forms of coupling between modules nor interfaces with other equipment or where such effects are easily limited and where such limiting is easily verifiable. A fourth example might be where a non-essential system with Level 3 software per DO 178A/ED-12A would be appropriately re-categorized during the system safety assessment and DO 178B/ED-12B processes as Level E software. Exemptions such as the above were, for the most part, directed at previously approved software-based equipment that had an established and acceptable service history performing the same function in the same installation environment as the new application and for which only significant changes were being made such as outlined above.

Regardless of which version of DO 178/ED-12 was used, ZLT was required to submit to the LBA a Plan for Software Aspects of Certification (PSAC), a Software Configuration Index (SCI), and a Software Accomplishment Summary (SAS) containing the information specified in DO 178B/ED-12B, paragraphs 11.1, 11.16, and 11.20, respectively, in addition to any other information required by the version of DO 178/ED-12 used for the software approval.

For the software being modified, two acceptable methods of upgrading to DO 178B/ED-12B were specified:

(a) ZLT was allowed to upgrade the entire development baseline, including all processes and all data items per the provisions of DO 178B/ED-12B, section 12.1.4. Existing processes and data items that can be shown to already meet the objectives for DO 178B/ED-12B will not need upgrading.

(b) Alternatively, ZLT was allowed to choose an incremental approach, using DO 178B/ED-12B processes to make modifications and upgrading the Start Printed Page 24667products (data items) of the life cycle processes only where they are affected by the modification. A regression analysis should identify those areas of the code and other data items affected by the modification. Data items were upgraded in those areas where they were directly affected by the modification (for instance, new requirements) and where required in order to satisfy the objectives of DO 178B/ED-12B, Annex A (for instance, where otherwise unmodified requirements must be upgraded to provide sufficient data for the requirements-based testing of the modified code sections).

In planning the transition activities using either alternative, ZLT should perform an analysis to see where the processes and products of the software life cycle do not satisfy the DO 178B/ED-12B objectives. This will provide a limit to the activity required and criteria for assessing the upgrade.

To satisfy the provisions of LFLS section 1301 and LFLS section 1309, the following is required:

Software development for the LZ N07 will be accomplished according to DO 178B/ED-12B (or equivalently acceptable means of compliance) for specific systems or equipment. Deviations from this requirement will be considered when:

(a) The software modification is so simple or straightforward that an upgrade of the applicant's processes to DO 178B/ED-12B from earlier revisions of DO 178/ED-12 is not necessary for assuring that the modification is specified, designed, and implemented correctly, and verified appropriately; or

(b) Where a straightforward and readily obvious determination can be made by the certifying authority that airworthiness will not be affected if some specific objectives of DO 178B/ED-12B were not met.

The applicant will submit a Plan for Software Aspects of Certification (PSAC), a Software Configuration Index (SCI), and a Software Accomplishment Summary (SAS) containing the information specified in DO 178B/ED-12B, paragraphs 11.1, 11.16, and 11.20, respectively, in addition to any other information required by the version of DO 178/ED-12 used for the software approval.

For software modifications, two methods of upgrading to DO 178B/ED-12B are acceptable:

(a) Upgrade the entire development baseline, including all processes and all data items, per the provisions of DO 178B/ED-12B, section 12.1.4. Existing processes and data items that can be shown to already meet the objectives for DO 178B/ED-12B will not need upgrading.

(b) Choose an incremental approach, using DO 178B/ED-12B processes to make modifications and upgrading the products (data items) of the life cycle processes only where they are affected by the modification. A regression analysis should identify those areas of the code and other data items affected by the modification. Data items were upgraded in those areas where they were directly affected by the modification (for instance, new requirements), and where required in order to satisfy the objectives of DO 178B/ED-12B, Annex A (for instance, where otherwise unmodified requirements must be upgraded to provide sufficient data for the requirements-based testing of the modified code sections).

In planning the transition activities using either alternative, an analysis will be performed to determine where the processes and products of the software life cycle do not satisfy the DO 178B/ED-12B objectives.

Equipment comprising software that is already certified under TSO, JTSO, FAA-STC, or LBA requirements, will be excluded from this requirement. However, the software qualification standard of such equipment will be at least according to DO 178A.

Equipment comprising software that is specifically developed for use in LZ N07 and modifications to equipment comprising software specific for LZ N07 that is not, or is not yet, certified under TSO, JTSO, FAA-STC, or LBA requirement, will be certified according to this requirement.

(23) F-3 LBA, Additional Requirements, LFLS Section 1301, Function and Installation, and LFLS Section 1309, Equipment, Systems and Installations [Electronic Hardware Design Assurance (ASIC)]

Discussion

The LZ N07 will utilize electronic systems that may perform critical and essential functions. During its certification of the airship, the LBA made the determination that LBA airworthiness requirements did not contain adequate standards or guidance for the assurance that the internal hardware of these electronic systems are designed to meet the appropriate safety standards. There was no existing LBA policy or guidance for showing compliance to the existing rules for those aspects of certification associated with Application Specific Integrated Circuits (ASICs) and Electronic Programmed Logic Devices (EPLDs). Recently, EUROCAE Working Group 46 “Complex Electronic Hardware” was established to work in cooperation with RTCA SC-180 to consider this subject.

LFLS section 1309 was intended by the LBA as a general requirement that should be applied to all systems and powerplant installations (as required by LFLS section 901(a)) to determine the effect on the airship of a functional failure or malfunction. It is based on the principle that there should be an inverse relationship between the severity of the effect of a failure and the probability of its occurrence.

Definitions

a. Continued Safe Flight and Landing: The capability for continued controlled flight and landing, possibly using emergency procedures, but without requiring exceptional pilot skill or strength. Some airship damage may be associated with a Failure Condition, during flight or upon landing.

b. Error: An occurrence arising as a result of incorrect action by the flight crew or maintenance personnel.

c. Event: An occurrence that has its origin distinct from the airship, such as atmospheric conditions (e.g., gusts, temperature variations, icing, and lightning strikes) runway conditions, cabin and baggage fires. The term is not intended to cover sabotage.

d. Failure: A loss of function, or a malfunction, of a system or part thereof.

e. Failure Condition: The effect on the Airship and its occupants, both direct and consequential, caused or contributed to by one or more failures, considering relevant adverse operational or environmental conditions. Failure Conditions may be classified according to their severities as follows:

(1) Minor: Failure Conditions that would not significantly reduce Airship safety and which involve crew actions that are well within their capabilities. Minor failure conditions may include, for example, a slight reduction in safety margins or functional capabilities, a slight increase in crew workload, such as routine flight plan changes, or some inconvenience to occupants.

(2) Major: Failure Conditions that would reduce the capability of the Airship or the ability of the crew to cope with adverse operating conditions to the extent that there would be, for example, a significant reduction in safety margins or functional capabilities, a significant increase in crew workload or in conditions impairing crew efficiency, or discomfort to occupants, possibly including injuries.

(3) Hazardous: Failure conditions that would reduce the capability of the airship or the ability of the crew to cope Start Printed Page 24668with adverse operating conditions to the extent that there would be:

(a) A large reduction in safety margins or functional capabilities;

(b) Physical distress or higher workload such that the flight crew cannot be relied upon to perform their tasks accurately or completely; or

(c) Serious or fatal injury to a relatively small number of the occupants.

(4) Catastrophic: Failure conditions that would prevent Continued Safe Flight and Landing.

f. Redundancy: The presence of more than one independent means for accomplishing a given function or flight operation. Each means need not necessarily be identical.

Technical Discussion

LFLS section 1309(b) and (d) require substantiation by analysis and, where necessary, by appropriate ground, flight, or simulator tests, that a logical and acceptable inverse relationship exists between the probability and the severity of each Failure Condition. However, tests are not required to verify Failure Conditions that are postulated to be Catastrophic. The goal is to ensure an acceptable overall Airship safety level, considering all Failure Conditions of all systems.

a. The requirements of LFLS section 1309(b) and (d) are intended to ensure an orderly and thorough evaluation of the effects on safety of foreseeable failures or other events, such as errors or external circumstances, separately or in combination, involving one or more system functions. The interactions of these factors within a system and among relevant systems should be considered.

b. The severities of Failure Conditions may be evaluated according to the following considerations:

(1) Effects on the Airship, such as reductions in safety margins, degradations in performance, loss of capability to conduct certain flight operations, or potential or consequential effects on structural integrity.

(2) Effects on crewmembers, such as increases above their normal workload that would affect their ability to cope with adverse operational or environmental conditions.

(3) Effects on the occupants; i.e., passengers and crewmembers.

(4) For convenience in conducting design assessments, Failure Conditions may be classified according to their severities as Minor, Major, Hazardous, or Catastrophic. Chapter 1, “Definitions” provides accepted definitions of these terms.

(a) The classification of Failure Conditions does not depend on whether or not a system or function is the subject of a specific requirement. Some “required” systems, such as transponders, position lights, and public address systems, may have the potential for only Minor Failure Conditions. Conversely, other systems that are not “required,” such as flight management systems, may have the potential for Major, Hazardous, or Catastrophic Failure Conditions.

(b) Regardless of the types of assessment used, the classification of Failure Conditions should always be accomplished with consideration of all relevant factors; e.g., system, crew, performance, operational, external, etc. Examples of factors would include the nature of the failure modes, any effects or limitations on performance, and any required or likely crew action. It is particularly important to consider factors that would alleviate or intensify the severity of a Failure Condition. An example of an alleviating factor would be the continued performance of identical or operationally similar functions by other systems not affected by the Failure Condition. Examples of intensifying factors would include unrelated conditions that would reduce the ability of the crew to cope with a Failure Condition, such as weather or other adverse operational or environmental conditions.

The probability that a Failure Condition would occur may be assessed as Probable, Improbable (Remote or Extremely Remote), or Extremely Improbable. Each Failure Condition should have a probability that is inversely related to its severity.

1. Minor Failure Conditions may be Probable.

2. Major Failure Conditions must be no more frequent than Improbable (Remote).

3. Hazardous Failure Conditions must be no more frequent than Improbable (Extremely Remote).

4. Catastrophic Failure Conditions must be Extremely Improbable.

c. An assessment to identify and classify Failure Conditions is necessarily qualitative. On the other hand, an assessment of the probability of a Failure Condition may be either qualitative or quantitative. An analysis may range from a simple report that interprets test results or compares two similar systems to a detailed analysis that may (or may not) include estimated numerical probabilities. The depth and scope of an analysis depends on the types of functions performed by the system, the severities of Failure Conditions, and whether or not the system is complex. Regardless of its type, an analysis should show that the system and its installation can tolerate failures to the extent that Major and Hazardous Failure Conditions are Improbable and Catastrophic Failure Conditions are Extremely Improbable:

(1) Experienced engineering and operational judgment should be applied when determining whether nor not a system is complex. Comparison with similar, previously approved systems, is sometimes helpful. All relevant systems Attributes should be considered; however, the complexity of the software used to program a digital-computer-based system should not be considered because the software is assessed and controlled by other means, as described in paragraph 2.i.

(2) An analysis should consider the application of the fail-safe design concept described in paragraph 5 and give special attention to ensuring the effective use of design techniques that would prevent single failures or other events from damaging or otherwise adversely affecting more than one redundant system channel or more than one system performing operationally-similar functions. When considering such common-cause failures or other events, consequential or cascading effects should be taken into account if they would be inevitable or reasonably likely.

(3) Some examples of such potential common-cause failures or other events would include rapid release of energy from concentrated sources such as uncontained failures of rotating parts or pressure vessels, pressure differentials, non-catastrophic structural failures, loss of environmental conditioning, disconnection of more than one subsystem or component by over temperature protection devices, contamination by fluids, damage from localized fires, loss of power, excessive voltage, physical or environmental interactions among parts, human or machine errors, or events external to the system or to the Airship.

d. Compliance for a system or part thereof that is not complex may sometimes be shown by design and installation appraisals and evidence of satisfactory service experience on other Airships using the same or other systems that are similar in their relevant Attributes.

e. In general, a Failure Condition resulting from a single failure mode of a device cannot be accepted as being Extremely Improbable. In very unusual cases, however, experienced engineering judgment may enable an assessment that such a failure mode is not a practical possibility. When making such an assessment, all possible and relevant considerations should be taken Start Printed Page 24669into account, including all relevant Attributes of the device. Service experience showing that the failure mode has not yet occurred may be extensive, but it can never be enough. Furthermore, flight crew or ground crew checks have no value if a Catastrophic failure mode would occur suddenly and without any prior indication or warning. The assessment's logic and rationale should be so straightforward and readily obvious that, from a realistic and practical viewpoint, any knowledgeable, experienced person would unequivocally conclude that the failure mode simply would not occur.

f. LFLS section 1309(c) provides requirements for system monitoring, failure warning, and capability for appropriate corrective crew action. Guidance on acceptance means of compliance is provided in paragraph 8.g.

g. In general, the means of compliance described in this Appendix to CRI F-ASIC's are not directly applicable to software assessments because it is not feasible to assess the number or kinds of software errors, if any, that may remain after the completion of system design, development, and test. RTCA DO-178A and EUROCAE ED-12A, or later revisions thereto, provide acceptable means for assessing and controlling the software used to program digital-computer-based systems. The documents define and use certain terms to classify the criticalities of functions. These terms have the following relationships to the terms used in this Appendix to CRI F-ASIC's to classify Failure Conditions: Failure Conditions adversely affecting non-essential functions would be Minor, Failure Conditions adversely affecting essential functions would be Major or Hazardous, and Failure Conditions adversely affecting critical functions would be Catastrophic.

h. Functional Hazard Assessment. Before an applicant proceeds with a detailed safety assessment, it is useful to prepare a preliminary hazard assessment of the system functions in order to determine the need for and scope of subsequent analysis. This assessment may be conducted using service experience, engineering and operational judgment, or a top-down deductive qualitative examination of each function performed by the system. A functional hazard assessment is a systematic, comprehensive examination of a system's functions to identify potential Major, Hazardous and Catastrophic Failure Conditions that the system can cause or contribute to not only if it malfunctions or fails to function but also in its normal response to unusual or abnormal external factors. It is concerned with the operational vulnerabilities of the system rather than with the detailed hardware analysis.

Each system function should also be examined with respect to functions performed by other Airship systems because the loss of different but related functions provided by separate systems may affect the severity of Failure Conditions postulated for a particular system. In assessing the effects of a Failure Condition, factors that might alleviate or intensify the direct effects of the initial Failure Condition should be considered, including consequent or related conditions existing within the Airship that may affect the ability of the crew to deal with direct effects, such as the presence of smoke, acceleration vectors, interruption of communication, interference with cabin pressurization, etc.

When assessing the consequences of a given Failure Condition, account should be taken of the warnings given, the complexity of the crew action, and the relevant crew training. The number of overall Failure Conditions involving other than instinctive crew actions may influence the flight crew performance that can be expected. Training requirements may need to be specified in some cases.

A functional hazard assessment may contain a high level of detail in some cases, such as for a flight guidance and control system with many functional modes, but many installations may need only a simple review of the system design by the applicant. The functional hazard assessment is a preliminary engineering tool. It should be used to identify design precautions necessary to ensure independence, to determine the required software level, and to avoid common mode and cascade failures.

If further safety analysis is not provided, then the functional hazard assessment could itself be used as certification documentation.

(1) Analysis of Hazardous and Catastrophic Failure Conditions

(a) A detailed safety analysis will be necessary for each Hazardous and Catastrophic Failure Condition identified by the functional hazard assessment. Hazardous Failure Conditions should be Improbable (Extremely Remote), and Catastrophic Failure Conditions should be Extremely Improbable. The analysis will usually be a combination of qualitative and quantitative assessment of the design. Probability levels that are related to Catastrophic Failure Conditions should not be assessed only on a numerical basis, unless this basis can be substantiated beyond reasonable doubt.

(b) For simple and conventional installations, i.e., low complexity and similarity in relevant Attributes, it may be possible to assess a Catastrophic Failure Condition as being Extremely Improbable on the basis of experienced engineering judgment, without using all the formal procedures listed above. The basis for the assessment will be the degree of redundancy, the established independence and isolation of the channels and the reliability record of the technology involved. A Failure Condition resulting from a single failure mode of a device cannot generally be accepted as being Extremely Improbable, except in very unusual cases.

To satisfy the provisions of LFLS section 1301 and LFLS section 1309 Equipment, Systems and Installations with respect to Electronic Hardware Design Assurance (ASIC), the design considerations and analyses described in the above Discussion and Technical Discussion will be utilized to accomplish the following:

Correct operation will be demonstrated by test or analysis under all combinations and permutations of conditions of the gates within the device for electronic hardware whose anomalous behavior would cause or contribute to a failure of a system resulting in a catastrophic or hazardous failure condition for the airplane as defined in Advisory Circular 23.1309-1C.

Correct operation will also be demonstrated by test or analysis under all combinations and permutations of conditions at the pins of the device for electronic hardware whose anomalous behavior would cause or contribute to a failure of a system resulting in a major or minor failure condition for the airplane as defined in Advisory Circular 23.1309-1C.

If the testing and analysis methods outlined above are impractical due to the complexity of the device, the electronic hardware should be developed using a structured development process. The applicant may use the guidelines in RTCA DO-254, “Design Assurance Guidance for Airborne Electronic Hardware” or another process that is acceptable to the FAA. If the applicant chooses to use the guidelines in RTCA DO-254, the hardware development assurance levels should be the same as the software development assurance levels agreed to by the applicant and the FAA.

(24) F-4 LBA, Additional Requirements concerning LFLS Sections 1301, 1303, 1305, 1309, 1321, 1322, 1330, and 1431 with respect to Liquid Crystal Displays Start Printed Page 24670

Discussion

ZLT proposed to use Liquid Crystal Displays (LCDs) for presentation of Airspeed/Altitude/Attitude/Engine/Warning and Caution information to the pilots. The LBA had no published approval criteria for LCD technology.

The LCDs to be installed in the LZ-N07 flight deck will display flight information, including functions critical to safe flight and landing. There is presently no existing guidance material for Liquid Crystal Display airworthiness certification in the LFLS. For the LZ-N07 certification, the following Guidance Material for LCD airworthiness approval was developed. The following Guidance Material provides acceptable guidance for airworthiness approval of display systems using LCD technology in the LZ-N07.

Guidance Material

Guidance Material for Electronic Liquid Crystal Display Systems Airworthiness Approval

Purpose

This Guidance Material provides guidance for certification of Liquid Crystal Display (LCD) based electronic display systems used for guidance, control, or decision-making by the pilots of an Airship. Like all guidance material, this document is not, in itself, mandatory and does not constitute a regulation. It is issued to provide guidance and to outline a method of compliance with the rules.

Scope

The material provided in this section consists of guidance related to pilot displays and specifications for LCDs in the cockpit of an Airship. The content of the Appendix is limited to statements of general certification considerations, including color, symbology, coding, clutter, dimensionality, and attention-getting requirements, and display visual characteristics.

a. Information Separation.

(1) Color Standardization.

(a) Although color standardization is desirable, during the initial certification of electronic displays, color standards for symbology were not imposed (except for cautions and warnings in LFLS section 1322). At that time, the expertise did not exist within industry or the LBA, nor did sufficient service experience exist to rationally establish a suitable color standard.

(b) In spite of the permissive LCD color atmosphere that existed at the time of initial LCD display certification programs, an analysis of the major certifications to date reveals many areas of common color design philosophy; however, if left unrestricted, in several years there will be few remaining common areas of color selection. If that is the case, information transfer problems may begin to occur that have significant safety implications. To preclude this, the following colors are being recommended based on current-day common usage. Deviations may be approved with acceptable justification.

(c) The following depicts acceptable display colors related to their functional meaning recommended for electronic display systems.

1. Display features should be color-coded as follows:

Warnings—Red

Flight envelope and system limits—Red

Cautions, abnormal sources—Amber/Yellow

Earth—Tan/Brown

Engaged modes—Green

Sky—Cyan/Blue

ILS deviation pointer—Magenta

Flight director bar—Magenta/Green

2. Specified display features should be allocated colors from one of the following color sets:

(d) When deviating from any of the above symbol color assignments, the manufacturer should ensure that the chosen color set is not susceptible to confusion or color meaning transference problems due to dissimilarities with this standard. The Authority test pilot should be familiar with other systems in use and evaluate the system specifically for confusion in color meanings.

(e) The LBA does not intend to limit electronic displays to the above colors, although they have been shown to work well. The colors available from a symbol generator/display unit combination should be carefully selected on the basis of their chrominance separation. Research studies indicate that regions of relatively high color confusion exist between red and magenta, magenta and purple, cyan and green, and yellow and orange (amber). Colors should track with brightness so that chrominance and relative chrominance separation are maintained as much as possible over day/night operation. Requiring the flight crew to discriminate between shades of the same color for symbol meaning in one display is not recommended.

(f) Chrominance uniformity should be in accordance with the guidance provided in SAE Document ARP 1874. As designs are finalized, the manufacturer should review his color selections to ensure the presence of color works to the advantage of separating logical electronic display functions or separation of types of displayed data. Color meanings should be consistent throughout all color LCD displays in the cockpit. In the past, no criteria existed requiring similar color schemes for left and right side installations using electro-mechanical instruments.

(2) Color Perception versus Workload.

(a) When color displays are used, colors should be selected to minimize display interpretation workload. Symbol coloring should be related to the task or crew operation function. Improper color-coding increases response times for display item recognition and selection, and it increases the likelihood of errors in situations where response rate demands exceed response accuracy demands. Color assignments that differ from other displays in use, either electromechanical or electronic, or that differ from common usage (such as red, yellow, and green for stoplights), can potentially lead to confusion and information transferal problems.

(b) When symbology is configured such that symbol characterization is not based on color contrast alone but on shape as well, then the color information is seen to add a desirable degree of redundancy to the displayed information. There are conditions in which pilots whose vision is color deficient can obtain waivers for medical qualifications under National crew license regulations. In addition, normal aging of the eye can reduce the ability to sharply focus on red objects or discriminate blue/green. For pilots with such deficiency, display interpretation workload may be unacceptably increased unless symbology is coded in more dimensions than color alone. Each symbol that needs separation because of the criticality of its information content should be identified by at least two distinctive coding parameters (size, shape, color, location, etc.).

(c) Color diversity should be limited to as few colors as practical to ensure adequate color contrast between symbols. Color grouping of symbols, annunciations, and flags should follow Start Printed Page 24671a logical scheme. The contribution of color to information density should not make the display interpretation times so long that the pilot perceives a cluttered display.

(3) Standard Symbology. Many elements of electronic display formats lend themselves to standardization of symbology, which would shorten training and transition times when pilots change airplane types.

(4) Symbol Position.

(a) The position of a message or symbol within a display conveys meaning to the pilot. Without the consistent or repeatable location of a symbol in a specific area of the electronic display, interpretation errors and response times may increase. The following symbols and parameters should be position consistent:

(1) All warning/caution/advisory annunciation locations.

(2) All sensor data: Altitude, airspeed, glideslope, etc.

(3) All sensor failure flags. (Where appropriate, flags should appear in the area where the data is normally placed.)

(4) Either the pointer or scale for analogue quantities should be fixed. (Moving scale indicators that have a fixed present value may have variable limit markings.)

(b) An evaluation of the positions of the different types of alerting messages and annunciations available within the electronic display should be conducted, with particular attention given to differentiation of normal and abnormal indications. There should be no tendency to misinterpret or fail to discern a symbol, alert, or annunciation due to an abnormal indication being displayed in the position of a normal indication and having similar shape, size or color.

(c) Pilot and copilot displays may have minor differences in format, but all such differences should be evaluated specifically to ensure that no potential for interpretation error exists when pilots make cross-side display comparisons.

(5) Clutter. A cluttered display is one that uses an excessive number and/or variety of symbols, colors, or small spatial relationships. This causes increased processing time for display interpretation. One of the goals of display format design is to convey information in a simple fashion in order to reduce display interpretation time. A related issue is the amount of information presented to the pilot. As this increases, tasks become more difficult as secondary information may detract from the interpretation of information necessary for the primary task. A second goal of display format design is to determine what information the pilot actually requires in order to perform the task at hand. This will serve to limit the amount of information that needs to be presented at any point in time. Addition of information by pilot selection may be desirable, particularly in the case of navigational displays, as long as the basic display modes remain uncluttered after pilot de-selection of secondary data. Automatic de-selection of data has been allowed in the past to enhance the pilot's performance in certain emergency conditions.

(6) Interpretation of Two-Dimensional Displays. Modern electromechanical attitude indicators are three-dimensional devices. Pointers overlay scales; the fixed airplane symbol overlays the flight director single cue bars that, in turn, overlay a moving background. The three-dimensional aspect of a display plays an important role in interpretation of instruments. Electronic flight instrument system displays represent an attempt to copy many aspects of conventional electromechanical displays but in only two dimensions. This can present a serious problem in quick-glance interpretation, especially for attitude. For displays using conventional, discrete symbology, the horizon line, single cue flight director symbol, and fixed airplane reference should have sufficient conspicuity such that the quick-glance interpretation should never be misleading for basic attitude. This conspicuity can be gained by ensuring that the outline of the fixed airplane symbol(s) always retains its distinctive shape, regardless of the background or position of the horizon line or pitch ladder. Color contrast is helpful in defining distinctive display elements but is insufficient by itself because of the reduction of chrominance difference in high ambient light levels. The characteristics of the flight director symbol should not detract from the spatial relationship of the fixed airplane symbol(s) with the horizon. Careful attention should be given to the symbol priority (priority of displaying one symbol overlaying another symbol by editing out the secondary symbol) to assure the conspicuity and ease of interpretation similar to that available in three-dimensional electromechanical displays.

Note:

Horizon lines and pitch scales that overwrite the fixed airplane symbol or roll pointer have been found unacceptable in the past.

(7) Attention-Getting Requirements.

(a) Some electronic display functions are intended to alert the pilot to changes: Navigation sensor status changes (VOR flag), computed data status changes (flight director flag or command cue removal), and flight control system normal mode changes (annunciator changes from armed to engaged) are a few examples. For the displayed information to be effective as an attention-getter, some easily noticeable change must be evident. A legend change by itself is inadequate to annunciate automatic or uncommanded mode changes. Color changes may seem adequate in low light levels or during laboratory demonstrations but become much less effective at high ambient light levels. Motion is an excellent attention-getting device. Symbol shape changes are also effective, such as placing a box around freshly changed information. Short-term flashing symbols (approximately 10 seconds or flash until acknowledge) are effective attention-getters. A permanent or long-term flashing symbol that is non-cancelable should not be used.

(b) In some operations, continued operation with inoperative equipment is allowed (under provisions of an MEL). The display designer should consider the applicant's MEL desires because in some cases a continuous strong alert may be too distracting for continued dispatch.

(8) Color Drive Failure. Following a single color drive failure, the remaining symbology should not present misleading information, although the display does not have to be usable. If the failure is obvious, it may be assumed that the pilot will not be susceptible to misleading information due to partial loss of symbology. To make this assumption valid, special cautions may have to be included in the AFM procedures that point out to the pilot that important information formed from a single primary color may be lost, such as red flags.

(9) For Both Active Matrix and Segmented Liquid Crystal Displays

Viewing Envelope: The installed display must meet all the following requirements when viewed from a rectangle centered on the design eye position and sized 1-foot vertical dimension and 2-feet horizontal dimension.

General: The display symbology must be clearly readable throughout the viewing envelope under all ambient illumination levels ranging from 1.1 lux (0.10 fc) to sun shaft illumination of 86,400 lux (8000 fc) at 45 degrees incidence to the face of the display.

Symbol Alignment: Symbols that are interpreted relative to each other must be aligned to preclude erroneous interpretation. Start Printed Page 24672

Flicker: Flicker must not be readily discernible or distracting under day, twilight, or night conditions, considering both foveal and full peripheral vision, and using a format most susceptible to producing flicker.

Multiple Images: Multiple display images produced by light not normal to the display surface must neither be distracting nor cause erroneous interpretation.

Luminance: The display luminance must be sufficient to provide a comfortable level of viewing under all conditions and provide rapid eye adaptation when transitioning from looking outside the flight deck.

Minimum Luminance: Under night lighting, with the display brightness set at the lowest usable level for flight with normal symbology, all flags and annunciators must be adequately visible.

Lighting: In order to aid daylight viewing, the displays' backlighting must be designed such that adequate daylight backlighting is provided when the cockpit discrete lighting control is set to the ‘bright’ position. In “non-bright” positions, the displays must be modulated in a balanced fashion in conjunction with other cockpit lighting.

(10) For Active Matrix Displays.

Matrix Anomalies: For both static and dynamic formats, the display must have no matrix anomalies that cause distraction or erroneous interpretation.

Line Width Uniformity: Lines of specified color and luminance must remain uniform in width at all orientations. Unintended line width variation must not be readily apparent or distracting in any case.

Symbol Quality: Symbols must not have distracting gaps or geometric distortions that cause erroneous interpretations.

Symbol Motion: Display symbology that is in motion must not have distracting or objectionable jitters, jerkiness, or ratcheting effects.

Image Retention: Image retention must not be readily discernible day or night and must not be distracting or cause an erroneous interpretation or smearing effect for motion dynamic symbology.

Defects: Visible defects on the display surface (such as “on” elements, “off” elements, spots, discolored areas, etc.) must not be distracting or cause an erroneous interpretation. Service limits for defects must be established.

Luminance Uniformity: Display areas of a specified color and luminance must have a luminance uniformity of less than 50 percent across the utilized display surface. The rate of change of luminance within any small area shall be minimized to eliminate distracting visual effects. These requirements apply for any eye position within the display viewing envelope.

Contrast Ratios: The average contrast ratio over the usable display surface must be a minimum of 201 at the design eye position and 101 for any eye position within the display viewing envelope when measured under a dark ambient illumination. This requirement is based on a 0.5 mm (0.0201) line width. Smaller line widths must have a comparable readability, which may require a higher contrast ratio.

(11) For Segmented Displays.

Activated Segments: Activated segments must have a contrast ratio with the immediately adjacent inactivated background of 21 for viewing angles of on-axis to 50 degrees off-axis.

Inactivated Segments: When segments are not electrically activated, there must be no obtrusive difference between the normal background luminance, color, or texture and the inactivated segments of the area surrounding them. The contrast ratio between inactivated segments and the background must not be greater than 1.151 in a light ambient when viewed from an angle normal to the display up to an angle 50 degrees off-axis.

For the purpose of this Issue Paper, the following definition applies:

Luminance Uniformity = (L max − L min / L ave (expressed in percent)

Where L max = Maximum luminance measured anywhere on the utilized display surface

L min = Minimum luminance measured anywhere on the utilized display surface

L ave = Average luminance of the utilized display surface

To satisfy the provisions of LFLS sections 1301, 1303, 1305, 1309, 1321, 1322, 1330, and 1431 with respect to Liquid Crystal Displays, the design considerations and analyses described in the above Guidance Material will be utilized:

(a) Equipment comprising LCDs that is not specifically developed for use in the LZ-N07, and which is already certified under TSO, JTSO, FAA-STC, or LBA Kennblatt, will be excluded and not certified according to these guidelines.

(b) Equipment comprising LCDs that is specifically developed for the use in LZ-N07, and modifications to equipment comprising LCDs specific for the LZ-N07, and that is not, or not yet, certified under TSO, JTSO, FAA-STC, or LBA Kennblatt, will be certified according to these guidelines.

(25) F-5 LBA, Additional Requirements; LFLS Section 1301, Function and Installation, and LFLS Section 1309, Equipment, Systems and Installations, Use of Commercial Off-The-Shelf (COTS) Software in Airship Avionics Systems

General Discussion

The LZ N07 will be certificated with digital microprocessor based systems installed that may contain commercial off-the-shelf (COTS) software. This Guidance Material identifies acceptable means of certifying airborne systems and equipment containing COTS software on the airship.

Background

Many COTS software applications and components have been developed for use outside the field of commercial air transportation. Much of the COTS software has been developed for systems for which safety is not a concern or for systems with safety criteria different from that of commercial airships. Consequently, for COTS software, adequate artifacts may not be available to assess the adequacy of the software integrity. Available evidence may be insufficient to show that adequate software life cycle processes were used. RTCA DO 178B/ED-12B recognizes the above and addresses means by which COTS may be shown to comply with airship certification requirements.

Technical Discussion

Document RTCA DO 178B/ED-12B provides a means for obtaining the approval of airborne COTS software. For those systems that make use of COTS software, the objectives of RTCA DO 178B/ED-12B should be satisfied. If deficiencies exist in the life cycle data of COTS software, DO 178B/ED-12B addresses means to augment that data to satisfy the objectives. If Zeppelin chooses to utilize a means other than DO 178B/ED-12B, the LBA requests Zeppelin to propose, via the Plan for Software Aspects of Certification (PSAC), how it intends to show that all COTS software complies with Airship Requirements LFLS sections 1301, 1309. Zeppelin should obtain agreement on the means of compliance from the LBA prior to implementation.

Abbreviations Used in This Guidance

To satisfy the provisions of LFLS Section 1301, Function and Installation, and LFLS Section 1309, Equipment, Systems and Installations, Use of Commercial Off-the-Shelf (COTS) Software in Airship Avionics Systems the design considerations and analyses described in the above Guidance Material will be utilized:

Equipment comprising COTS that is not specifically developed for use in the LZ-N07, and which is already certified under TSO, JTSO, FAA-STC, or LBA Kennblatt, will be excluded and not certified according to this Guidance Material.

Equipment comprising COTS that is specifically developed for use in the LZ-N07, and modifications to equipment comprising COTS specific for LZ N07, and that is not, or not yet, certified under TSO, JTSO, FAA-STC, or LBA Kennblatt, will be certified according to this Guidance Material.

(26) F-6 LBA, Sections 1301, 1322, 1528, and 1585; LFLS (Equivalent Safety Finding) Envelope Pressure Indicator—Color Coding

Discussion

To indicate the envelope pressure of the LZ-N07, ZLT will propose an instrument (Envelope Pressure Indicator, EPI) that will provide annunciation of the Helium and Ballonet Pressure as well as indications of the aft and forward Fan and Sensor Fail status using LED columns. The measurement range covers a red, amber, and green band by a colored scale adjacent to the LED columns. The LED columns are continuously of an amber color, due to the technical solution possible only. In addition, any out-of-limit pressure determination will trigger a discrete warning output to the Integrated Instrument Display System (IIDS) for crew alerting and generation of an appropriate warning message.

Using the pressure indications, the flight crew is able to monitor and control the airship throughout the flight. Furthermore, the ground crew will utilize the EPI to maintain constant pressures in the hull.

Messages on displays should be unambiguous and easily readable and should be designed to avoid confusion to the crew. The use of an amber colored LED column, indicating possible red, amber, and green status of the associated systems, is not in line with the general color philosophy of the LZ N07 cockpit and the applicable LFLS requirements, and it was considered by the LBA as an unusual design feature.

While the LBA allowed the use of amber based on an equivalent safety finding, we believe that the provisions of LFLS section 1322, where an amber indication is reserved to indicate where immediate crew awareness is required and subsequent crew action will be required, should be adhered to.

The control and indicating systems will, therefore, comply with the provisions of LFLS section 1322.

(27) F-7 LBA, Equivalent Safety Finding Section 1387(b) LFLS, Bow Light Dihedral Angle

Discussion

LFLS section 1387(b) requires a dihedral angle formed by two intersecting vertical planes making angles of 110 degrees to the right and to the left. LFLS appendix table 10 requires, in addition, a minimum light intensity of 20 cd throughout the dihedral angle. The LZ-N07 system only attains the required intensity over 100 degrees but is still visible from 100 degrees to 110 degrees (left and right) at a reduced intensity. The LBNA granted an equivalency to LFLS section 1387(b) based on the greater dihedral angle coverage of the aft light, +/−80 degrees rather than +/−70 degrees at the specified intensity. This is acceptable to the FAA.

To satisfy the provisions of LFLS section1387(b), the following is required:

The LFLS section 1387(b) required dihedral angle will be no less than 100 degrees at the intensities specified in Table 10 of the appendix of the LFLS. In addition, the rear light will have an included angle of +/-80 degrees at the specified intensity from Table 10 of the appendix of the LFLS. Refer to Figure 3.

(28) Ballast Water.

Discussion

To minimize the possibility of environmental contamination from ballast water, there will be provisions in the airship or servicing provisions that ensure that biological or chemical contamination does not occur due to the servicing of ballast water of one location and dumping of water in a different location. This provision will be added to the certification basis as a special environmental requirement:

Under no circumstances may water ballast be loaded or released that does not comply with the provisions of 40 CFR part 141, National Primary Drinking Water Regulations. Obtaining water from a water supply use for human consumption is acceptable; water aerially released or otherwise dumped cannot degrade beyond the limits set by 40 CFR part 141. If ballast water is contaminated, it can only be released into appropriate sewage facilities in accordance with national and local laws and regulations. These provisions will be explained in the Airship Flight Manual and ground operations materials and manuals. Procedures will also be developed that will eliminate the possibility of biological contamination growing in the ballast system and then being jettisoned or dumped, unless detected and treated. The ballast system will have a method of securing filler locations to eliminate the possibility of tampering with the system.