2013-13841. Special Conditions: Cessna Aircraft Company, Model J182T; Electronic Engine Control System Installation
-
Start Preamble
AGENCY:
Federal Aviation Administration (FAA), DOT.
ACTION:
Final special conditions; request for comments.
SUMMARY:
These special conditions are issued for the Cessna Aircraft Company (Cessna) Model J182T airplane. This airplane will have a novel or unusual design feature(s) associated with the installation of an electronic engine control. The applicable airworthiness regulations do not contain adequate or appropriate safety standards for this design feature. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards.
DATES:
The effective date of these special conditions is June 25, 2013.
We must receive your comments by July 25, 2013.
ADDRESSES:
Send comments identified by docket number [FAA-2013-0493] using any of the following methods:
Federal eRegulations Portal: Go to http://www.regulations.gov and follow the online instructions for sending your comments electronically.
Mail: Send comments to Docket Operations, M-30, U.S. Department of Transportation (DOT), 1200 New Jersey Avenue SE., Room W12-140, West Building Ground Floor, Washington, DC 20590-0001.
Hand Delivery of Courier: Take comments to Docket Operations in Room W12-140 of the West Building Ground Floor at 1200 New Jersey Avenue SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.
Fax: Fax comments to Docket Operations at 202-493-2251.
Privacy: The FAA will post all comments it receives, without change, to http://www.regulations.gov,, including any personal information the commenter provides. Using the search function of the docket Web site, anyone can find and read the electronic form of all comments received into any FAA docket, including the name of the individual sending the comment (or signing the comment for an association, business, labor union, etc.). DOT's complete Privacy Act Statement can be found in the Federal Register published on April 11, 2000 (65 FR 19477-19478), as well as at http://DocketsInfo.dot.gov.
Docket: Background documents or comments received may be read at http://www.regulations.gov at any time. Follow the online instructions for accessing the docket or go to the Docket Operations in Room W12-140 of the West Building Ground Floor at 1200 New Jersey Avenue SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.
Start Further InfoFOR FURTHER INFORMATION CONTACT:
Mr. Peter Rouse, Federal Aviation Administration, Small Airplane Directorate, Aircraft Certification Service, 901 Locust, Room 301, Kansas City, MO 64106; telephone (816) 329-4135; facsimile (816) 329-4090.
End Further Info End Preamble Start Supplemental InformationSUPPLEMENTARY INFORMATION:
The FAA has determined that notice and opportunity for prior public comment hereon are impracticable because these procedures would significantly delay issuance of the design approval and thus delivery of the affected aircraft. In addition, the substance of these special conditions has been subject to the public comment process in several prior instances with no substantive comments received. The FAA therefore finds that good cause exists for making these special conditions effective upon issuance.
Comments Invited
We invite interested people to take part in this rulemaking by sending written comments, data, or views. The most helpful comments reference a specific portion of the special conditions, explain the reason for any recommended change, and include supporting data. We ask that you send us two copies of written comments.
We will consider all comments we receive on or before the closing date for comments. We will consider comments filed late if it is possible to do so without incurring expense or delay. We may change these special conditions based on the comments we receive.
Background
On April 2, 2012, Cessna Aircraft Company applied for an amendment to Type Certificate No. 3A13 to include the new model J182T which will incorporate the installation of the Societe de Motorisation Aeronautiques (SMA) Engines, Inc. SR305-230E-C1 which is a four-stroke, air cooled, diesel cycle engine that uses turbine (jet) fuel. The J182T incorporates an engine controlled by an electronic engine Start Printed Page 37959control (EEC), also known as a Full Authority Digital Engine Control (FADEC). The EEC system performs critical functions throughout the operational envelope such as the control of the fuel flow and ignition. These functions and their impact on the engine are required by 14 CFR parts 33 and 23. Additionally, the EEC systems have incorporated functions, that while not required in either parts 33 or 23, have potential failure(s) and malfunction(s) that may be catastrophic or unacceptably degrade the airplane level of safety. Examples of the additional functions include thrust management, engine parameter indication, engine speed synchronization, engine torque equalization, etc. Considerations for installation of EEC systems were not envisaged and are not adequately addressed in part 23. Therefore, special conditions are required to define the additional safety standards the Administrator considers necessary to establish a level of safety equivalent to the existing airworthiness standards. Cessna will use an EEC instead of a traditional mechanical control system on the J182T airplane. The J182T, which is a derivative of the T182T currently approved under Type Certificate No. 3A13, is an aluminum, four place, single engine airplane with a cantilever high wing, with the SMA SR305-230E-C1 diesel cycle engine and equipped with an electronic engine control.
The EEC is part 33 certified as part of the engine, and the certification requirements for engine control systems are driven by part 33 requirements. The guidance for the part 33 EEC certification requirement is contained in two advisory circulars: AC 33.28-1 and AC 33.28-2. The EEC certification, as part of the engine, addresses those aspects of the engine specifically addressed by part 33 and is not intended to address part 23 installation requirements. However, the guidance does highlight some of the installation aspects that the engine applicant should consider during engine certification. The installation of an engine with an EEC system requires evaluation of environmental effects and possible effects on or by other airplane systems, including the part 23 installation aspects of the EEC functions. For example, the indirect effects of lightning, radio interference with other airplane electronic systems, and shared engine and airplane data and power sources.
The regulatory requirements in part 23 for evaluating the installation of complex electronic systems are contained in § 23.1309. However, when § 23.1309 was developed, the requirements of the rule excluded powerplant systems as part of the certificated engine (reference § 23.1309(f)(1), amendment No. 23-49). Although the parts of the system that are not certificated with the engine could be evaluated using the criteria of § 23.1309, the analysis would be incomplete because it would not include the effects of the aircraft supplied power and data failures on the engine control system, and the resulting effects on engine power/thrust. The integral nature of EEC installations require review of EEC functionality at the airplane level because behavior acceptable for part 33 certification may not be acceptable for part 23 certification.
The Small Airplane Directorate has applied a Special Condition for over a decade that required all EEC installations to comply with the requirements of §§ 23.1309(a) through (e), amendment No. 23-49. The rationale for applying § 23.1309 was that it was an existing rule that contained the best available requirements to apply to the installation of a complex electronic system; in this case, an electronic engine control with aircraft interfaces. Additionally, Special Conditions for High Intensity Radiated Fields (HIRF) were also applied prior to the codification of § 23.1308.
There are several difficulties for propulsion systems directly complying with the requirements of § 23.1309. There are conflicts between the guidance material for § 23.1309 and propulsion system capabilities and failure susceptibilities. The following figure is an excerpt from AC 23.1309-1E showing the relationship among airplane classes, probabilities, severity of failure conditions, and software and complex hardware Development Assurance Level.
Classification of failure conditions No safety effect Minor Major Hazardous Catastrophic Allowable qualitative probability No probability requirement Probable Remote Extremely remote Extremely improbable Effect on Airplane No effect on operational capabilities or safety Slight reduction in functional capabilities or safety margins Significant reduction in functional capabilities or safety margins Large reduction in functional capabilities or safety margins Normally with hull loss. Effect on Occupants Inconvenience for passengers Physical discomfort for passengers Physical distress to passengers, possibly including injuries Serious or fatal injury to an occupant Multiple fatalities. Effect on Flight Crew No effect on flight crew Slight increase in workload or use of emergency procedures Physical discomfort or a significant increase in workload Physical distress or excessive workload impairs ability to perform tasks Fatal Injury or incapacitation. Classes of Airplanes Allowable Quantitative Probabilities and Software (SW) and Complex Hardware (HW) Development Assurance Levels (Note 2) Class I (Typically SRE 6,000 pounds or less) No Probability or SW and HW Development Assurance Levels Requirement <10−3 Note 1 P=D <10−4 Notes 1 and 4 P=C, S=D <10−5 Note 4 P=C, S=D <10−6 Note 3 P=C, S=C. Class II (Typically MRE, STE, or MTE 6,000 pounds or less) No Probability or SW and HW Development Assurance Levels Requirement <10−3 Note 1 P=D <10−5 Notes 1 and 4 P=C, S=D <10−6 Note 4 P=C, S=C <10−7 Note 3 P=C, S=C. Start Printed Page 37960 Class III (Typically SRE, STE, MRE, and MTE greater than 6,000 pounds) No Probability or SW and HW Development Assurance Levels Requirement <10−3 Note 1 P=D <10−5 Notes 1 and 4 P=C, S=D <10−7 Note 4 P=C, S=C <10−8 Note 3 P=B, S=C. Class IV (Typically Commuter Category) No Probability or SW and HW Development Assurance Levels Requirement <10−3 Note 1 P=D <10−5 Notes 1 and 4 P=C, S=D <10−7 Note 4 P=B, S=C <10−9 Note 3 P=A, S=B. Note 1: Numerical values indicate an order of probability range and are provided here as a reference. Note 2: The letters of the alphabet denote the typical SW and HW Development Assurance Levels for Primary System (P) and Secondary System (S). For example, HW or SW Development Assurance Level A on Primary System is noted by P=A. Note 3: At airplane function level, no single failure will result in a Catastrophic Failure Condition. Note 4. Secondary System (S) may not be required to meet probability goals. If installed, S should meet stated criteria. Difference Between Part 23 and Part 33 Guidance, Loss of Thrust or Power Control
There is a conflict between the EEC system loss-of-thrust-control (LOTC), or loss-of-power control (LOPC), probability per hour requirements given in part 33 guidance material and the failure rate requirements associated with the hazard created by a total loss of power/thrust as given in part 23 AC 23.1309-1E guidance. The part 33 requirements for engine control LOTC/LOPC probabilities are shown below:
Engine type Average LOTC/LOPC events per million hours Maximum LOTC/LOPC events per million hours Turbine Engine 10 (1 × 10−05 per hour) 100 (1 × 10−04 per hour). Reciprocating Engine 45 (4.5 × 10−05 per hour) 450 (4.5 × 10−04 per hour). Note: See AC 33.28-1, AC 33.28-2 and ANE-1993-33.28TLD-Rl for further guidance. The part 23 classification of the failure condition for LOTC/LOPC event on a single engine airplane ranges from Hazardous to Catastrophic. The classification of the failure condition for a single engine LOTC/LOPC event on a multi-engine airplane ranges from Major to Catastrophic. The classification of the failure condition for a multi-engine LOTC/LOPC event on a multi-engine airplane is Catastrophic. From the AC 23.1309-lE failure probability values, it is obvious that a single engine airplane electronic engine control system will not be able to meet the failure probabilities as shown in the guidance material for § 23.1309. As a result, applicants have inappropriately declared a reduced hazard severity for a failure of the electronic engine control system. This is not the intent of § 23.1309. The greater hazard severity should be associated with lower probabilities of failure, and higher probabilities of failure should not artificially establish lower hazard severities. There is also a conflict between the classification of the failure condition of an electronic engine control system and the required test levels for the effects of lightning and high intensity radiated frequency (HIRF). Testing to a level lower than required for a catastrophic failure results in a lower level of safety than the mechanical system it replaces. This is contrary to the intent of certification requirements.
Time Limited Dispatch
The advent of electronic engine controls also created the ability to dispatch with certain allowable loss of functionality and/or redundancy. This is known as Time Limited Dispatch (TLD). The TLD allowable configurations must meet the specific risk LOTC/LOPC failure probabilities. FAA Policy Statement, ANE-1993-33.28TLD-Rl, defines the full up and TLD allowable failure probabilities for turbine engines. The ability to use TLD is a risk management endeavor that uses a limited time between inspection/maintenance intervals to mitigate the hazard. As such, the FAA has issued specific guidance for part 23 aircraft in addition to Policy Statement, ANE-1993-33.28TLD-Rl, in order to capture the necessary time limits between maintenance intervals.
Additional Functions
The advent of electronic engine controls also led to incorporating functions that; while not required by the CFRs; also introduce potentially catastrophic failure(s) and malfunction(s). Consequently, incorporation of these additional functions must be shown to retain part 23 safety levels. These additional functions have included thrust management, portions of engine indication otherwise provided as part of the engine installation, engine speed synchronization, ignition control, auto-feather, etc.
Part 25, unlike part 23, does not apply § 25.1309 via special condition to the electronic engine control installation. Section 25.1309 is applicable to the powerplant installations in general and as a whole. The part 25 hazard classifications for LOTC/LOPC differ from part 23 due to the required multi-engine configuration of part 25 aircraft. Additional applicable part 25 subpart E requirements are those contained within § 25.901(b)(2) and (c):
Sec. 25.901—Installation.
a. Rule Text.
(b) For each powerplant—
(2) The components of the installation must be constructed, arranged, and installed so as to ensure their continued safe operation between normal inspections or overhauls;
(c) For each powerplant and auxiliary power unit installation, it must be established that no single failure or malfunction or probable combination of failures will jeopardize the safe operation of the airplane except that the failure of structural elements need not be considered if the probability of such failure is extremely remote.
Start Printed Page 37961The following are excerpts from guidance provided in FAA Policy Statement, PS-ANM100-2002-00073:
Section 25.901—Installation.
b. Intent of Rule:
- § 25.901(b)(2) is intended to require such preventative maintenance as is necessary to ensure that components of the powerplant installation do not cease safe functioning.
- § 25.901(c) is intended to define, in general terms, the foreseeable failures that each powerplant and auxiliary power unit installation must be shown to safely accommodate.
(7) § 25.901(c): Section 25.901(c) is intended to provide an overall safety assessment of the powerplant installation. It is intended to augment rather than replace other, more specific applicable Part 25 design and performance standards for transport category airplanes. When assessing the potential hazards to the aircraft caused by the powerplant installation, the effects of an engine case rupture, uncontained engine rotor failure, engine case burnthrough, and propeller debris release are excluded from § 25.901(c). The effects and rates of these failures are minimized by compliance with Part 33 (“Airworthiness Standards: Aircraft Engines”; Part 35 (“Airworthiness Standards: Propellers”; § 25.903(d)(l) (“Engines”; § 25.905(d) (“Propellers”; and § 25.1193 (“Cowling and nacelle skin”. Furthermore, the effects of encountering environmental threats or other operating conditions more severe than those for which the aircraft is certified (such as volcanic ash or operation above placard speeds) need not be considered in the § 25.901(c) compliance process. However, if a failure or malfunction can affect the subsequent environmental qualification or other operational capability of the installation, this effect should be accounted/or in the § 25.901(c) assessment.
(a) Compliance with § 25.901(c) may be shown by a System Safety Assessment (SSA) substantiated by appropriate testing and/or comparable service experience. Such an assessment may range from a simple report that offers descriptive details associated with a failure condition, interprets test results, compares two similar systems, or offers other qualitative information; to a detailed failure analysis that may include estimated numerical probabilities. The depth and scope of an acceptable SSA depends on:
- the complexity and criticality of the functions performed by the system(s) under consideration,
- the severity of related failure conditions,
- the uniqueness of the design and extent of relevant service experience,
- the number and complexity of the identified causal failure scenarios, and
- the detectability of contributing failures.
(b) Historically, the use of a “bottom-up single failure analysis,” such as a Failure Modes and Effects Analysis (FMEA), has been a popular safety assessment method with many applicants. Wherever the effects of a failure are found to be operationally “latent,” then the effects of the “next worst” failure are assessed. In this approach, the “probable combinations of failures” are assumed only to be a single latent failure plus “the next worst” failure. When assessing the failure effects of a simple mechanical, hydro-mechanical, or electrical system, where independence from the effects of failures elsewhere in the aircraft can be assumed, this can be an effective and relatively simple means of assuring that the design is adequately “fail-safe.” However, as the integration and diversity of functions and technologies in the subject design increase, particularly when digital avionics are involved, the resulting increases in complexity, interdependence, and parts count make this “latents-plus-one” assumption about the “probable combinations of failure” questionable. Consequently, to ensure that the design is “fail-safe” for a sufficient number of co-existing failures, probability methods are typically necessary.
(d) In carrying out the SSA for the powerplant installation for § 25.90I(c), the results of the engine (and propeller) failure analyses (reference § 33.28 and § 33.75) should be used as inputs for those powerplant failure effects that can have an impact on the aircraft. However, the SSA undertaken in response to Part 33 and Part 35 may not address all the potential effects that an engine and propeller as installed may have on the aircraft. For those failure conditions covered by analysis under Part 33 and/or Part 35, and for which the installation has no effect on the conclusions derived from these analyses, no additional analyses will be required to demonstrate compliance to § 25.901(c).
There is language similar to § 25.901(c) contained in § 23.1141(e):
§ 23.1141—Powerplant controls: General.
(e) For turbine engine powered airplanes, no single failure or malfunction, or probable combination thereof, in any powerplant control system may cause the failure of any powerplant function necessary for safety.
The requirements contained within § 23.114l(e) were originally intended for the mechanical control interfaces on turbine engines. The rule was first promulgated at amendment 23-7, effective on September 14, 1969. The preamble justifying the rule change states:
This proposal would, in effect require that the need for system redundancy, alternate devices, and duplication of functions be determined in the design of turbine powerplant control systems.
The overall intent of the above cited rules is to provide a robust and fault tolerant engine control installation that ensures that no single failure or malfunction or probable combination of failures will jeopardize the safe operation of the airplane.
Type Certification Basis
Under the provisions of § 21.101, Cessna must show that the model J182T meets the applicable provisions of the regulations incorporated by reference in Type Certificate No. 3A13 or the applicable regulations in effect on the date of application for the change to the model T182T. The regulations incorporated by reference in the type certificate are commonly referred to as the “original type certification basis.” In addition, the J182T certification basis includes special conditions and equivalent levels of safety.
If the Administrator finds that the applicable airworthiness regulations (i.e., 14 CFR part 23) do not contain adequate or appropriate safety standards for the J182T because of a novel or unusual design feature, special conditions are prescribed under the provisions of § 21.16.
In addition to the applicable airworthiness regulations and special conditions, the J182T must comply with the fuel vent and exhaust emission requirements of 14 CFR part 34 and the noise certification requirements of 14 CFR part 36.
The FAA issues special conditions, as defined in § 11.19, under § 11.38 and they become part of the type certification basis under § 21.101.
Special conditions are initially applicable to the model for which they are issued. Should the type certificate for that model be amended later to include any other model that incorporates the same novel or unusual design feature, or should any other model already included on the same type certificate be modified to incorporate the same novel or unusual design feature, the special conditions would also apply to the other model.
Novel or Unusual Design Features
The J182T will incorporate the following novel or unusual design features: Electronic engine control system.
Discussion
These special conditions address the certification requirements for the installation of Electronic Engine Control (EEC) systems on part 23 airplanes. As described in the background section, the advisory circular and policy guidance between part 33 and part 23 contains differences that can lead to conflicting certification requirements. As such, these special conditions are necessary in order to provide a reasonable means of compliance that removes the conflicts between part 33 and part 23. The intent of these special conditions is to provide a robust and fault tolerant electronic engine control installation that ensures no single failure or malfunction or probable combination of failures will jeopardize the safe operation of the airplane.Start Printed Page 37962
Applicability
As discussed above, these special conditions are applicable to the model J182T. Should Cessna apply at a later date for a change to the type certificate to include another model incorporating the same novel or unusual design feature, the special conditions would apply to that model as well.
Conclusion
This action affects only certain novel or unusual design features on one model of airplane. It is not a rule of general applicability and affects only the applicant who applied to the FAA for approval of these features on the airplane.
The substance of these special conditions has been subjected to the notice and comment period in several prior instances and has been derived without substantive change from those previously issued. It is unlikely that prior public comment would result in a significant change from the substance contained herein. Therefore, because a delay would significantly affect the certification of the airplane, which is imminent, the FAA has determined that prior public notice and comment are unnecessary and impracticable, and good cause exists for adopting these special conditions upon issuance. The FAA is requesting comments to allow interested persons to submit views that may not have been submitted in response to the prior opportunities for comment described above.
Start List of SubjectsList of Subjects in 14 CFR Part 23
- Aircraft
- Aviation safety
- Signs and symbols
Citation
The authority citation for these special conditions is as follows:
The Special Conditions
Accordingly, pursuant to the authority delegated to me by the Administrator, the following special conditions are issued as part of the type certification basis for Cessna Model J182T airplanes.
1. Electronic Engine Control
a. For electronic engine control system installations, it must be established that no single failure or malfunction or probable combinations of failures of Electronic Engine Control (EEC) system components will have an effect on the system, as installed in the airplane, that causes the loss-of-thrust-control (LOTC), or loss-of-power-control (LOPC) probability of the system to exceed those allowed in part 33 certification.
b. Electronic engine control system installations must be evaluated for environmental and atmospheric conditions, including lightning. The EEC system lightning and High-Intensity Radiated Fields (HIRF) effects that result in LOTC/LOPC must be shown to comply with the HIRF and lightning requirements appropriate for catastrophic failure conditions.
c. The components of the installation must be constructed, arranged, and installed so as to ensure their continued safe operation between normal inspections or overhauls.
d. Functions incorporated into any electronic engine control that make it part of any equipment, systems or installation whose functions are beyond that of basic engine control, and which may also introduce system failures and malfunctions, are not exempt from § 23.1309 and must be shown to meet part 23 levels of safety as derived from § 23.1309. Part 33 certification data, if applicable, may be used to show compliance with any part 23 requirements. If part 33 data is to be used to substantiate compliance with part 23 requirements, then the part 23 applicant must be able to provide this data for their showing of compliance.
Note: The term “probable” in the context of “probable combination of failures” does not have the same meaning as in AC 23.1309-1E. The term “probable” in “probable combination of failures” means “foreseeable,” or (in AC 23.1309-1E terms), “not extremely improbable.”
Start SignatureIssued in Kansas City, Missouri on May 29, 2013.
Earl Lawrence,
Manager, Small Airplane Directorate, Aircraft Certification Service.
[FR Doc. 2013-13841 Filed 6-24-13; 8:45 am]
BILLING CODE 4910-13-P
Document Information
- Comments Received:
- 0 Comments
- Effective Date:
- 6/25/2013
- Published:
- 06/25/2013
- Department:
- Federal Aviation Administration
- Entry Type:
- Rule
- Action:
- Final special conditions; request for comments.
- Document Number:
- 2013-13841
- Dates:
- The effective date of these special conditions is June 25, 2013.
- Pages:
- 37958-37962 (5 pages)
- Docket Numbers:
- Docket No. FAA-2013-0493, Special Conditions No. 23-260-SC
- Topics:
- Aircraft, Aviation safety, Signs and symbols
- PDF File:
- 2013-13841.pdf
- CFR: (1)
- 14 CFR 23