AGENCY:

Federal Aviation Administration (FAA), Department of Transportation (DOT).

ACTION:

Notice of proposed rulemaking (NPRM).

SUMMARY:

The FAA proposes to amend certain airworthiness regulations to standardize the criteria for conducting safety assessments for systems, including flight controls and powerplants, installed on transport category airplanes. With this action, the FAA seeks to reduce risk associated with airplane accidents and incidents that have occurred in service, and reduce risk associated with new technology in flight control systems. The intended effect of this proposed action is to improve aviation safety by making system safety assessment (SSA) certification requirements more comprehensive and consistent.

DATES:

Send comments on or before March 8, 2023.

ADDRESSES:

Send comments identified by docket number FAA-2022-1544 using any of the following methods:

• Federal eRulemaking Portal: Go to https://www.regulations.gov and follow the online instructions for sending your comments electronically.

• Mail: Send comments to Docket Operations, M-30; U.S. Department of Transportation (DOT), 1200 New Jersey Avenue SE, Room W12-140, West Building Ground Floor, Washington, DC 20590-0001.

• Hand Delivery or Courier: Take comments to Docket Operations in Room W12-140 of the West Building Ground Floor at 1200 New Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.

• Fax: Fax comments to Docket Operations at (202) 493-2251.

Privacy: In accordance with 5 U.S.C. 553(c), DOT solicits comments from the public to better inform its rulemaking process. DOT posts these comments, without edit, including any personal information the commenter provides, to www.regulations.gov, as described in the system of records notice (DOT/ALL-14 FDMS), which you can review at https://www.dot.gov/​privacy.

Docket: Background documents or comments received may be read at https://www.regulations.gov at any time. Follow the online instructions for accessing the docket or go to the Docket Operations in Room W12-140 of the West Building Ground Floor at 1200 New Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.

FOR FURTHER INFORMATION CONTACT:

Suzanne Masterson, Strategic Policy Transport Section, AIR-614, Strategic Policy Management Branch, Policy and Innovation Division, Aircraft Certification Service, Federal Aviation Administration, 2200 South 216th Street, Des Moines, WA 98198; telephone and fax (206) 231-3211; email Suzanne.Masterson@faa.gov.

SUPPLEMENTARY INFORMATION:

Authority for This Rulemaking

The FAA's authority to issue rules on aviation safety is found in Title 49 of the United States Code. Subtitle I, Section 106 describes the authority of the FAA Administrator. Subtitle VII, Aviation Programs, describes in more detail the scope of the agency's authority.

This rulemaking is promulgated under the authority described in Subtitle VII, Part A, Subpart III, Section 44701, “General Requirements.” Under that section, the FAA is charged with promoting safe flight of civil aircraft in air commerce by prescribing regulations and minimum standards for the design and performance of aircraft that the Administrator finds necessary for safety in air commerce. This regulation is within the scope of that authority. It prescribes new safety standards for the design and operation of transport category airplanes.

Acronyms and Frequently Used Terms

Contents

I. Overview of Proposed Rule

II. Background

A. Statement of the Problem

B. Related Actions

1. Aviation Rulemaking Advisory Committee (ARAC) Recommendations

2. FAA Review of Service Difficulty Reports

3. Commercial Aviation Safety Team Task Force Study Regarding Gaps in Maintenance Process

4. Equivalent Level of Safety Findings and Special Conditions

5. Harmonization with European Union Aviation Safety Agency (EASA) Certification Standards

6. Aircraft Certification, Safety, and Accountability Act

C. NTSB Recommendations

III. Discussion of the Proposed Rule

A. Consistent Safety Assessment Criteria for Airplane Systems

1. Average Risk Criteria (§ 25.1309(b)(1), (2), and (3))

2. Latent Failures in System Designs

B. Consistent Application and Interpretation of Requirements for Equipment, Systems, and Installations

1. Applicability of § 25.1309

2. Exceptions From Applicability of § 25.1309

3. Flightcrew Alerting and Errors

C. Interaction of Systems and Structures (New § 25.302)

1. Applicability of New § 25.302

2. Normal Operation

3. Failure Condition Effect on Structural Performance

4. Dispatch in a System Failed State

5. Differences Between Proposed § 25.302 and EASA CS 25.302

D. Turbojet Thrust Reversing Systems

E. Flight Control Systems Safety Assessment Criteria

1. Changes to § 25.671(c) Failure Criteria

2. Other Changes to § 25.671

F. Certification Maintenance Requirements

G. Miscellaneous Amendments

1. Method of Compliance With § 25.1309(b)

2. Failure Examples Related to Flutter

3. Other Changes to § 25.629

4. EWIS Requirements

5. Removal of Redundant Requirements

H. Petitions for Rulemaking

I. Advisory Material

IV. Regulatory Notices and Analyses

A. Regulatory Evaluation

1. Costs and Benefits of this Proposed Rule

2. Who is potentially affected by this Proposed Rule?

3. Assumptions and Sources of Information

4. Costs of the Proposed Specific Risk Rule

5. Benefits of the Proposed Specific Risk Rule

6. Summary of Costs and Benefits of Specific Risk Rule

7. Section 25.1309: Equipment, Systems, and Installations

8. Section 25.671: General Control Systems

9. Section 25.901: Installation Engines

10. Section 25.933: Reversing Systems

11. Section 25.302: Interaction of Systems and Structures

B. Regulatory Flexibility Determination

C. International Trade Impact Assessment

D. Unfunded Mandates Assessment

E. Paperwork Reduction Act

F. International Compatibility and Cooperation

G. Environmental Analysis

V. Executive Order Determinations

A. Executive Order 13132, Federalism

B. Executive Order 13211, Regulations That Significantly Affect Energy Supply, Distribution, or Use

C. Executive Order 13609, International Cooperation

VI. Additional Information

A. Comments Invited

B. Availability of Rulemaking Documents

I. Overview of Proposed Rule

The FAA proposes to revise regulations in title 14, Code of Federal Regulations (14 CFR) part 25 (Airworthiness Standards: Transport Category Airplanes) related to the safety assessment ^[1] of airplane systems. The proposed changes to part 25 would affect applicants for type certification and operators of transport category airplanes. Applicants for type certification would be required to conduct their SSAs in accordance with the revised regulations. Proposed changes to the ICA would affect operators of newly certified airplanes, although the impact on those operators would not be significant.

The FAA proposes revised and new safety standards to reduce the likelihood of potentially catastrophic risks due to latent failures in critical systems. The standards would require the elimination of such risks as far as practical. When it is not practical to eliminate such a risk, the standards would require the reduction and management of any remaining risk. The proposed standards would also improve the likelihood that operators discover latent failures and address them before they become an unsafe condition, rather than discovering them after they occur and the FAA addressing them with airworthiness directives (ADs).

Because modern aircraft systems (for example, avionics and fly-by-wire systems) are much more integrated than they were when the current safety criteria in § 25.1309 and other system safety assessment rules were established in 1970,^[2] the new standards proposed in this rule would be consistent for all systems of the airplane, reducing the chance of a hazard falling into a gap between the different regulatory requirements for different systems.

Consistent criteria for conducting SSAs would also provide predictability for applicants by reducing the number of issue papers and special conditions necessary for airplane certification projects.^[3]

Specifically, the proposed rule would—

• Require that applicants limit the likelihood of a catastrophic failure condition that results from a combination of two failures, either of which could be latent. In this proposal, the FAA refers to this particular failure condition as a Catastrophic Single Latent Failure Plus One (CSL+1) because it consists of the catastrophic condition that results from a single latent failure plus one additional failure. See proposed § 25.1309(b)(5).
• Revise safety assessment regulations to eliminate ambiguity in, and provide consistency between, the safety assessments that applicants must conduct for different types of airplane systems. Section 25.1309 would continue to contain the safety assessment criteria applicable to most airplane systems. Sections 25.671(c) (flight control systems) and 25.901(c) (powerplant installations) would be amended to remove general system safety criteria. Instead, the systems covered in these sections would be required to comply with § 25.1309 (system safety criteria). Section 25.933(a) (thrust reversing systems) would allow compliance with § 25.1309 as an option. Sections 25.671, 25.901, and 25.933 would continue to contain criteria for safety assessments specific to flight control systems, powerplant installations, and thrust reversing systems, respectively.
• Require applicants to assess and account for any effect that the failure of a system could have on the structural performance of the airplane. See proposed § 25.302.
• Define the different types of failure of flight control systems, including jams, and define the criteria for safety assessment of those types of failures. See proposed § 25.671.

• Require applicants to include, in the Airworthiness Limitations Section (ALS) of the airplane's Instructions for Continued Airworthiness (ICA), necessary maintenance tasks that Start Printed Page 75427 applicants identify during their SSAs. See proposed § 25.1309(d).

• Remove the “function properly when installed” criterion in § 25.1301(a)(4) for installed equipment whose function is not needed for safe operation of the airplane.

II. Background

A. Statement of the Problem

This proposed action is necessary because airplane accidents, incidents, and service difficulties have occurred as a result of failures in airplane systems. Some of these occurrences were caused, in part, by insufficient design standards for controlling the risk of latent failures. Current FAA regulations do not prevent the unintended operation of an airplane with a latent failure that, when combined with another failure, could cause an accident. For example, in 1991, a Boeing Model 767 series airplane operated by Lauda Air took off with a contaminated thrust reverser control valve. This contamination was “latent” because it was undetected. The accident investigation found that a short circuit occurred, and together with the contaminated control valve, caused the thrust reverser to unintentionally deploy in flight. As a result, the airplane subsequently crashed, resulting in 223 fatalities.^[4]

Also, current regulations do not require establishment of mandatory inspections for significant latent failures that may pose a risk in maintaining the airworthiness of the airplane design. Such inspections may be necessary to reduce an airplane's exposure to these latent failures, so airplanes continue to meet safety standards while in service.

Additionally, current regulations do not adequately address new technology in flight control systems and the effects these systems can have on controllability and structural capability. For example, on airplanes equipped with fly-by-wire control systems, there is no mechanical link between the flightdeck control and the control surface, so the flightcrew may not be aware of the actual control surface position. Also, on some flight control system designs, there may be submodes of operation that change or degrade the normal handling or operational characteristics of the airplane. Flightcrew awareness of both the operational mode of the airplane and the control surface positions are necessary design features to ensure safety of flight but are not required by current regulations.

This action is also necessary to address flight control systems whose failure can affect the loads imposed on the airplane structure. As an example, some airplanes are equipped with rudder limiters, which reduce the maximum deflection of the rudder at higher airspeeds, thereby reducing the maximum loads on the rudder and vertical stabilizer. Failure of the rudder limiter can result in higher loads on these surfaces in the event of a significant rudder maneuver. Excessive loads can lead to structural damage and catastrophic failure. Current regulations do not require applicants to account for these potentially higher loads in the structural design of the airplane.

Lastly, certain system safety requirements are not standardized across airplane systems. Current regulations specify different safety assessment criteria for different systems, which can lead to inconsistent standards across the airplane. Also, when systems that traditionally have been separate become integrated using new technology, applicants may be unsure which standard to apply.

The FAA proposes to address these issues by revising the system safety assessment requirements in part 25.

B. Related Actions

1. Aviation Rulemaking Advisory Committee (ARAC) Recommendations

Advances in flight controls technology, increased airplane system integration, and certain incidents, accidents, and service difficulties related to system failures prompted the FAA to task the ARAC with developing recommendations for new or revised requirements and compliance methods related to the safety assessment of airplane and powerplant systems. The ARAC accepted tasks on various airplane systems issues and assigned them to the Powerplant Installation Harmonization Working Group (PPIHWG),^[5] Flight Controls Harmonization Working Group (FCHWG),^[6] Loads and Dynamics Harmonization Working Group (LDHWG),^[7] and System Design and Analysis Harmonization Working Group (SDAHWG).^[8] The FAA also tasked the ARAC to make recommendations for harmonizing the relevant part 25 rules with the corresponding European certification specifications for large airplanes.^[9] The ARAC accepted this task and assigned it to the relevant working groups.

In developing their recommendations, the PPIHWG and FCHWG reviewed the investigations of two transport category airplane accidents. In the May 1991 Lauda Air accident, discussed previously, an unintentional thrust reverser deployment on a Boeing Model 767 series airplane caused a loss of airplane controllability.^[10] In the September 1994 USAir accident, the NTSB considered a malfunction of the rudder actuation system on a Boeing Model 737-300 series airplane, to have likely initiated a loss of airplane controllability that resulted in the airplane impacting the ground near Pittsburgh, Pennsylvania.^[11] The investigations of these two accidents identified hazards resulting from potential CSL+1 failure conditions in safety critical systems.

The PPIHWG recommended revisions to § 25.901(c), to address failures and malfunctions of powerplant and auxiliary power unit (APU) installations, and to § 25.933, to address failures and malfunctions of thrust reversing systems. The FCHWG recommended changes to § 25.671 to address failures and jamming of flight control systems. The LDHWG recommended the addition of a new rule, § 25.302, to address systems that directly, or as a result of a failure or malfunction, would affect the structural performance of the airplane. The SDAHWG recommended revisions to §§ 25.1301 and 25.1309, and further changes to § 25.901(c). Each working group also recommended advisory material to accompany the recommended regulatory changes. The SDAHWG named their recommended Start Printed Page 75428 revision to AC 25.1309-1A as the “Arsenal” version.^[12]

Although the working groups each addressed the subject of managing latent failures in safety critical systems, their recommendations were not consistent when defining the criteria for latent failures. After reviewing the relevant regulations, and the recommendations from the working groups, the FAA, along with the European, Canadian, and Brazilian civil aviation authorities, identified a need to standardize SSA criteria. These authorities were concerned that the safety criteria recommended by the working groups could result in differing safety assessments across various critical systems. Differing standards could result in an inappropriately low level of safety on some critical systems, or, conversely, unnecessarily apply the most stringent standard to every system in a set of integrated systems.

Therefore, in 2006, the FAA tasked ARAC, which assigned the task to the Airplane-Level Safety Assessment Working Group (ASAWG),^[13] with creating consistent SSA criteria and developing new criteria for “specific risk.” “Specific risk” is the risk on a given flight resulting from the existence of a particular condition (for example, a latent failure) on that flight. It is differentiated from “average risk,” which is the risk on a typical flight of all airplanes of a particular model for a typical duration.

The ASAWG completed its work in May 2010 and recommended a set of consistent requirements that would apply to all systems. Specific areas addressed in the recommendation report include latent failures, aging and wear, Master Minimum Equipment Lists, and flight and diversion time. The ASAWG recommended that the general system safety criteria for all airplane systems be governed by § 25.1309, and recommended adjustments to the regulations and advisory material addressed by the working groups mentioned previously, to implement consistent system safety criteria. All ARAC working group recommendation reports are available in the docket for this NPRM.

2. FAA Review of Service Difficulty Reports

One ASAWG recommendation responded to the need to prevent a catastrophic failure condition resulting from two failures, when either failure is latent (undetected) for more than one flight. In such a case, the first failure is latent, and thus persists undetected, and the second failure is active (detected) because its occurrence results in a catastrophic accident. In consideration of this recommendation, the FAA reviewed a number of past service difficulty reports ^[14] that could have led to catastrophic accidents if the latent failure had been followed by another failure. These include:

• A latent failure of a fire extinguisher control switch that, if coupled with an active failure such as an engine fire, could have resulted in an uncontrollable engine fire.^[15]

• A latent failure of the high-lift system ^[16] brake that, if coupled with an active failure such as a high-lift system transmission driveshaft failure, could have resulted in loss of control.^[17]

• A latent failure of a high-lift system proximity sensor that, if coupled with an active failure such as a high-lift drive system failure, could have resulted in loss of control.^[18]

The FAA has determined that such service difficulties were, in part, a consequence of insufficient design standards for controlling the risk due to latent failures, and the FAA expects similar service difficulties in the future if the standards are not revised to manage such risks.

3. Commercial Aviation Safety Team Task Force Study Regarding Gaps in Maintenance Process

In 2009, the Commercial Aviation Safety Team (CAST) ^[19] chartered a task force, led by the FAA Flight Standards Service, Aircraft Maintenance Division, to conduct a study to identify and correct gaps in operators' maintenance processes. The objective of the task force was to ensure that the level of safety provided at certification would be sustained throughout the life of the airplane.

In 2011, the task force reported on the gaps it found, and recommended mitigation strategies.^[20] One of the identified gaps (GAP 009) was that the current regulations do not require use of Certification Maintenance Requirements (CMRs),^[21] which identify inspections of systems for significant latent failures that are necessary to preserve the airplane's reliability. The FAA has been recommending in advisory circulars (AC 25.1309-1A and AC 25-19, and AC 25-19A) to establish the need for inspections of critical systems where latent failures could exist. Since CMRs are critical to safety, the task force recommended the FAA require their use.

4. Equivalent Level of Safety Findings and Special Conditions

The FAA has applied most of the SSA criteria proposed in this NPRM to certification projects for the past 15 years, through equivalent level of safety (ELOS) findings under § 21.21. The topics of these findings include flight control systems (§ 25.671(c)) as recommended by the FCHWG; thrust reversers (§ 25.933(a)(1)) as recommended by the PPIHWG; and general SSA criteria (§§ 25.1301 and 25.1309) as recommended by the SDAHWG.

Modern transport category airplanes are equipped with systems that, directly or as a result of failure or malfunction, affect structural performance. However, current regulations do not require applicants to take into account loads on the airplane due to the effects of system failures on structural performance. Therefore, the FAA has applied special conditions that require the effects of Start Printed Page 75429 system failures be taken into account in the design. The FAA based the provisions of these special conditions, titled “Interaction of Systems and Structures,” on the criteria developed by the ARAC working groups, and propose to codify these special conditions in proposed § 25.302.

Finally, the FAA has applied the requirements in proposed § 25.671(a), (e), and (f) for fly-by-wire control systems to recent type certificate applications through means of compliance issue papers and special conditions.

5. Harmonization With European Union Aviation Safety Agency (EASA) Certification Standards

EASA certification standards for large airplanes (CS-25) prescribes the airworthiness standards corresponding to 14 CFR part 25 for transport category airplanes certified by the European Union. Applicants for FAA type certification of transport category airplanes may also seek EASA validation of the FAA's type certificate. Where part 25 and CS-25 differ, an applicant must meet both airworthiness standards to obtain a U.S. type certificate and validation of the type certificate by foreign authorities, or obtain exemptions, ELOS findings or special conditions, or the foreign authority's equivalent to those, as necessary to meet one standard in lieu of the other. Where FAA and EASA can maintain harmonized requirements, applicants for type certification benefit by having a single set of requirements with which they must show compliance, thereby reducing the cost and complexity of certification and codifying a consistent level of safety.

EASA incorporated the SDAHWG-recommended changes to §§ 25.1301 and 25.1309, and associated guidance, in its initial issuance of CS-25 on October 17, 2003.^[22] EASA incorporated the criteria regarding interaction of systems and structures recommended by the LDHWG into its regulatory framework as CS 25.302 and appendix K of CS-25 at amendment 25/1 on December 12, 2005.^[23] EASA incorporated the ASAWG-recommended regulatory and advisory material implementing consistent SSA criteria, at amendment 25/24 to CS-25, on January 10, 2020.^[24] This proposed NPRM would harmonize FAA requirements with EASA to the extent possible, with differences described in the Discussion of the Proposed Rule.

6. Aircraft Certification, Safety, and Accountability Act

This proposal would update the requirements and guidance for system safety assessments to support, in part, the requirements of the Aircraft Certification, Safety, and Accountability Act, Public Law 116-260 (the Act). Section 115(b)(1)(A) of the Act states that the Administrator of the FAA shall require an applicant for an amended type certificate for a transport airplane to perform a system safety assessment with respect to each proposed design change that the Administrator determines is significant, with such assessment considering the airplane-level effects of individual errors, malfunctions, or failures and realistic pilot response times to such errors, malfunctions, or failures. Currently, § 25.1309 requires this action, not just for significant design changes, but for all design changes affecting systems. Specifically, § 25.1309(b) requires applicants assess safety at the airplane level for airplane systems and associated components, considered separately and in relation to other systems. Section 25.1309(d) specifies that compliance to § 25.1309(b) must be shown by analysis and appropriate testing, and must consider possible modes of failure, including malfunctions and damage and also that the assessment consider crew warning cues, corrective action required, and the capability of detecting faults. In the context of § 25.1309, “corrective action” means flightcrew procedures for use after failure detection to enable continued safe flight and landing.^[25] The proposed § 25.1309 would remove the current content of § 25.1309(d), and place that content in draft AC 25.1309-1B, along with expanded guidance on the safety assessment process, because (1) the proposed § 25.1309 would be a performance-based regulation for which methods of compliance are more appropriately provided in guidance, and (2) the items for consideration listed in § 25.1309(d) constitute an incomplete method of compliance to § 25.1309(b), as explained in section III.G.1 of this preamble.

Section 115(b)(1)(B) of the Act states that the system safety assessments required by section 115(b)(1)(A) of the Act be updated for each subsequent proposed design change that the Administrator determines is significant. As discussed, § 25.1309 already requires this action not just for significant design changes, but for all design changes affecting systems. This proposed rulemaking would update the analysis necessary for airplane-level effects of individual errors, malfunctions, or failures.

Section 115(b)(1)(C) of the Act states that applicants must provide to the FAA the data and assumptions underlying each assessment and amended assessment. Draft AC 25.1309-1B, which accompanies this rulemaking, states that a system safety assessment, to show compliance, should provide data such as component failure rates and their sources and applicability, and support any assumptions made. Section 7.9 of the draft AC provides detailed guidance on identification and justification of assumptions, data, and analytic techniques.

Section 115(b)(1)(D) of the Act states that applicants must provide for document traceability and clarity of explanations for changes to aircraft type designs and system safety assessment certification documents. Appendix C of Draft AC 25.1309-1B, describes the safety assessment process, and states that a system safety assessment, to show compliance, should include, among other things, a statement of the functions, boundaries, and interfaces of the system and a description that establishes correctness and completeness and traces the work leading to the conclusions of the SSA.

These updates to system safety assessment requirements, and to implementing guidance, would provide a foundation to address how human (flight crew) response is treated and validated within the context of the required analysis. As required by Section 126 of the Act, the FAA is researching pilot responses to errors, malfunctions and failures, and may use that research in the future to update guidance in this regard.

C. NTSB Recommendations

As a result of the aforementioned 1994 Pittsburgh accident, the National Transportation Safety Board (NTSB) issued two safety recommendations relevant to this rulemaking, A-99-22 and A-99-23.^[26] In Safety Recommendation A-99-22, the NTSB recommends that the FAA ensure that future transport category airplanes Start Printed Page 75430 provide a reliably redundant rudder actuation system. In Safety Recommendation A-99-23, the NTSB recommends that the FAA require type certificate applicants to show that transport category airplanes are capable of continued safe flight and landing after jamming of a flight control at any deflection possible, up to and including its full deflection, unless the applicant shows that such a jam is extremely improbable. This proposed rule would implement these recommendations by revising § 25.671(c).

The NTSB issued Safety Recommendation A-02-51 ^[27] following an accident in January 2000, in which a McDonnell Douglas Model MD-83 airplane crashed into the Pacific Ocean off the coast of California. The NTSB determined that the probable cause of this accident was a loss of airplane pitch control resulting from the in-flight failure of the jackscrew assembly of the horizontal stabilizer trim system. This failure was related to maintenance of this critical system; specifically, the excessive and accelerated wear of a critical part as a result of insufficient lubrication. In Safety Recommendation A-02-51, the NTSB recommends that the FAA review and revise airplane certification regulations, and associated guidance applicable to the certification of transport category airplanes, to ensure that applicants fully address wear-related failures so that, to the maximum extent possible, such failures will not be catastrophic. The proposed requirement to include CMRs in the ALS would respond to this safety recommendation, as would the draft ACs accompanying this NPRM that contain guidance on assessing wear-related failures as part of the SSA.

The NTSB issued Safety Recommendation A-14-119 ^[28] following an incident in January 2013, in which the APU lithium-ion battery installed in a Boeing Model 787-8 airplane caught fire when the airplane was parked at a gate at Logan International Airport in Boston, Massachusetts. In Safety Recommendation A-14-119 the NTSB recommends that the FAA to provide its certification engineers with written guidance and training to ensure that assumptions, data sources, and analytical techniques are fully identified and justified in applicants' safety assessments for designs incorporating new technology. Additionally, the NTSB recommends that an appropriate level of conservatism be included in the analysis or design, consistent with the intent of the draft guidance material that the SDAHWG recommended. Draft AC 25.1309-1B, accompanying this NPRM, would contain the recommended guidance.^[29]

III. Discussion of the Proposed Rule

After consideration of the issues in the Statement of Problem, the relevant NTSB recommendations, and ARAC recommendations, the FAA proposes to revise several regulations to change how applicants would conduct SSAs.

A. Consistent Safety Assessment Criteria for Airplane Systems

1. Average Risk Criteria (§ 25.1309(b)(1), (2), and (3))

Current § 25.1309(b) requires applicants to design the systems and associated components (considered both separately and in relation to each other) of their proposed transport category airplane to meet two criteria. First, these systems must be designed so that the occurrence of any failure condition which would prevent the safe flight and landing of the airplane is extremely improbable (§ 25.1309(b)(1)). Second, each system must be designed so that the likelihood of any other failure condition which would reduce the capability of the airplane, or of its flightcrew, to cope with adverse operating conditions is improbable (§ 25.1309(b)(2)).

The FAA proposes to revise § 25.1309(b) to establish risk criteria that can be used consistently across multiple airplane systems, harmonize FAA regulations with EASA Certification Specifications for Large Aeroplanes (CS) 25.1309(b), and codify commonly issued ELOS findings. The proposed revisions would require that type certificate applicants design and install airplane systems and associated components, evaluated both separately and in relation to other systems, so that—

• Each catastrophic failure condition is extremely improbable and does not result from a single failure;
• Each hazardous failure condition is extremely remote; and
• Each major failure condition is remote.

As noted previously, the current rule (§ 25.1309(b)(2)) requires any failure condition that would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to be “improbable” (on the order of 10⁻⁹ < p ≤ 10⁻⁵, where p is probability of failure per flight hour). This condition is characterized by AC 25.1309-1A as “major,” and it represents a broad spectrum of probability.

As previously discussed, the FAA has issued ELOS findings for more than a decade to accept use of the ARAC-recommended revision to §§ 25.1301 and 25.1309 in lieu of §§ 25.1301 and 25.1309, and the accompanying “Arsenal” version of AC 25.1309-1 as the method of compliance. In the “Arsenal” version, the “major” failure condition is divided into two categories: “hazardous” and “major”, with corresponding probability requirements of “extremely remote” (on the order of 10⁻⁹ < p ≤ 10⁻⁷) and “remote” (on the order of 10⁻⁷ < p ≤ 10⁻⁵).” The granular assessment of failure conditions in the “Arsenal” version is beneficial because it allows for more accurate analysis of highly integrated systems and better differentiation of failure effects on flightcrew than the current requirements of § 25.1309(b). The “hazardous” category in the “Arsenal” version corresponds to the more severe end of the “major” category in current § 25.1309(b)(2), which is referred to as “severe major” in AC 25.1309-1A, “System Design and Analysis,” dated June 21, 1988.

This proposal would codify current practice by adding the “hazardous” failure condition category and its probability requirement, replace the probability term “improbable” with “remote” for major failure conditions, and prohibit catastrophic single failure.

a. Inclusion of Specific Failure Condition Categories and Probabilities

An objective of this proposal is to align the regulatory terms used in 14 CFR part 25 to describe failure condition categories and probabilities with the terms used in the most recent transport airplane certification projects (whose SSAs use the methods in the “Arsenal” version of AC 25.1309-1 and in EASA CS 25.1309 and accompanying guidance). Proposed § 25.1309(b) would use terms that are already used by the aviation industry to describe failure condition categories and probabilities. Additionally, since the FAA also uses these terms in other part 25 regulations, such as §§ 25.671, 25.981, and 25.1709, the FAA proposes to define them in a new § 25.4, “Definitions.” Although the terminology in § 25.1309(b) would change from the current regulations, the intent and usage of those terms would not change as a result. Start Printed Page 75431

b. Prohibiting Catastrophic Single Failures

Proposed § 25.1309(b)(1)(ii) would prohibit a proposed design from allowing any single failure that could result in a catastrophic failure condition ( i.e., a “fail-safe” design requirement). The requirement that applicants assume that any single failure could occur and that such failure not prevent continued safe flight and landing was codified in 1965 as § 25.1309. The FAA inadvertently removed from § 25.1309 the requirement for fail-safe design in 1970 at amendment 25-23,^[30] although the agency retained guidance on fail-safe design. The purpose of the FAA's guidance on fail-safe design, has been to convey the objectives of the fail-safe design concept, and provide principles and techniques for its usage by applicants.

Amendment 25-23 also amended § 25.671(c) to prohibit catastrophic single failures in flight control systems. At that time, § 25.901(c) applied § 25.1309 to powerplant installation, requiring applicants to assume in their safety assessments that any single failure could occur. With amendment 25-40 in 1977,^[31] the FAA amended § 25.901(c) to explicitly prohibit catastrophic single failures in systems associated with the powerplant installation because § 25.1309 did not prohibit catastrophic single failures.

This proposed rule would also make the requirements for safety assessments of flight control systems and powerplant installations consistent with the requirements for other systems in regard to prohibiting catastrophic single failures. Systems covered by the proposed §§ 25.671(c) and 25.901(c) would be required to comply with the § 25.1309 prohibition of catastrophic single failures under all operating and environmental conditions under which the airplane was approved to operate. Incorporation of fail-safe design requirements across all the critical systems of the airplane would ensure consistent safety objectives are implemented. Further discussion of proposed changes to §§ 25.671(c) and 25.901(c) is provided in sections III.E and III.B.2.d of this preamble, respectively.

2. Latent Failures in System Designs

a. Proposed Criteria—§ 25.1309(b)(4)

The FAA proposes to add a new paragraph (b)(4) to § 25.1309 that would require applicants to avoid SLFs whenever practical. The purpose of proposed § 25.1309(b)(4) is to reduce an airplane's exposure to SLFs by establishing the following hierarchy of safety requirements. First, the applicant must eliminate SLFs. If the elimination of the SLF is not practical, then the applicant must limit the likelihood of that SLF to 1/1000 between inspections. If the applicant proves that it is not practical to comply with the 1/1000 criterion, then the applicant must design the system to minimize the failure's latency; that is, minimize the length of time the failure is expected to be present, and remain undetected.

The FAA intends the proposed rule to minimize the latency of SLFs and achieve the safety objective of the ASAWG's recommendation to avoid SLFs whenever practical. The FCHWG, PPIHWG, and ASAWG each recommended the 1/1000 value to limit the latency period in the failure conditions specific to that working group's technical area. The FAA proposes that application of the 1/1000 criterion to every system that may contain a SLF is a necessary safety measure that an applicant can apply. This 1/1000 criterion is necessary to reduce exposure of the airplane to latent failures that leave the airplane one failure away from a hazardous or catastrophic condition. This criterion is cost effective as described in the costs and benefits section of this NPRM.

An applicant may be able to show, in rare situations, that it is not practical to meet the 1/1000 criterion. One possible example is if compliance with the 1/1000 criterion would necessitate complex or invasive maintenance tasks on the flight line, increasing the risk of incorrect maintenance. In such situations, safety may be better served if the operator inspects for latent failures at a maintenance facility or at a longer inspection interval, even though the longer inspection interval could mean the probability of the latent failure exceeds 1/1000; however, the applicant must minimize the time the failure is expected to be present. The FAA expects that an applicant would likely integrate these steps into its normal design processes. During the FAA's review of an applicant's proposed demonstration of compliance with the other provisions of § 25.1309(b), if the FAA determines that it may be practical to eliminate or further reduce exposure to a SLF, then these proposed regulations would require the applicant to either redesign the system or demonstrate the impracticality of that redesign.

b. Proposed Criteria—§ 25.1309(b)(5)

The FAA proposes a new standard for limiting the risk of a CSL+1 failure condition (a catastrophic failure combination that results from a single latent failure plus one additional failure). Under current regulations, an operator could unknowingly dispatch an airplane with a potential CSL+1 failure condition. Under this proposal, when conducting SSAs, an applicant would be required to apply additional criteria in proposed § 25.1309(b)(5) (pertaining to additional fault tolerance, residual risk, and probability of latent failures) to limit the specific risk of a CSL+1 failure condition, in addition to the requirement in § 25.1309(b)(1).^[32]

i. Additional Fault Tolerance

For each potential catastrophic failure condition that results from two failures, either of which could be latent for more than one flight, the applicant would be required by § 25.1309(b)(5)(i) to show that it is impractical to design the system with additional fault tolerance. For example, if practical, the applicant could add a failure monitor, thereby eliminating the latency of the first (undetected) failure. Or, the applicant could design additional redundancy in the system, so that the second failure would not be catastrophic. In either case, the condition resulting from the failure combination would no longer create a CSL+1 failure condition.

ii. Limiting the Residual Risk to a “Remote” Probability

The FAA proposes § 25.1309(b)(5)(ii), which would adopt the ASAWG recommendation to limit the total probability that any single failure could lead to a catastrophe following a latent failure. This total probability could be no greater than “remote.” The ASAWG recommended the “remote” criterion based on the reliability of components typically used in systems that have a redundant means to protect against catastrophic single failures. These components have demonstrated a level of reliability, on the order of 1x10⁻⁵ per flight hour, which was consistent with the SDAHWG's recommended probability guidelines (the “Arsenal” version of AC 25.1309, and EASA Acceptable Means of Compliance 25.1309) for showing “remote” probability. The ASAWG reasoned that establishing a higher standard than “remote” could require redesign of systems that have an acceptable in- Start Printed Page 75432 service safety record, and the FAA agrees with this rationale.

Therefore, the FAA proposes that this “remote” criterion, in combination with the criterion to limit latency to a maximum probability of 1/1000, would establish an acceptable level of safety for potential CSL+1 failure conditions. Also, if a system has multiple potential failure combinations that lead to the same CSL+1 failure condition, each combination of which contains the same latent failure, the applicant would be required to sum the probabilities of the non-latent failures. The resulting sum of probabilities would also have to meet the “remote” criterion.

iii. Limiting the Probability of Latent Failures to 1/1000

Proposed § 25.1309(b)(5)(iii) would limit the probability of occurrence of a latent failure in a CSL+1 combination to 1/1000. The 1/1000 value would be the proposed maximum allowable probability of a latent failure. To comply, the applicant would multiply the maximum time the latent failure is allowed to be present by the component failure rate, and show that the resultant value is less than or equal to 1/1000. The maximum time is typically the time between inspections. The ASAWG recommended limiting the probability of occurrence of a latent failure in a CSL+1 combination to be “on the order of” 1/1000 or less. The FAA and Transport Canada submitted dissenting opinions, documented in the ASAWG final report, that the phrase “on the order of” would defeat the purpose of establishing a clear criterion for limiting the likelihood of a latent failure; therefore, this proposal omits that phrase. Instead, the 1/1000 value would be the maximum allowable probability of a latent failure occurring between inspections.

To determine this 1/1000 limit, the ASAWG drew on the knowledge of the FCHWG and PPIHWG, both of which determined that 1/1000 was a practical limit on the probability of a latent failure in the flight control and thrust reversing systems. The ASAWG evaluated safety analysis data and found that the probability of a latent failure between inspections very rarely exceeded 1/1000.^[33] The FAA has accepted this numerical value in the certification of these particular systems through ELOS findings and determined that applicants can apply it across all systems.

B. Consistent Application and Interpretation of Requirements for Equipment, Systems, and Installations

1. Applicability of § 25.1309

Applicants have raised numerous questions regarding the applicability of § 25.1309. The FAA therefore proposes to revise § 25.1309 as follows:

a. Introductory Paragraph of § 25.1309

The FAA proposes to add an introductory paragraph to § 25.1309, which specifies that the rule applies to all systems and equipment on the airplane. Section 25.1309(a) currently requires that applicants design and show that only the equipment, systems, and installations whose functioning is required by Subchapter C—Aircraft will perform their intended functions under any foreseeable operating condition (amendment 25-123, dated December 10, 2007). This proposed rule would adopt the SDAHWG's recommendation to remove the limitation to Subchapter C, which would broaden the applicability of § 25.1309 to any system or equipment as installed on the airplane, regardless of whether it is required for type certification or by operating rules.

b. Section 25.1309(a)—Criteria for Two Classes of Installed Equipment and Systems

The FAA proposes to remove § 25.1301(a)(4), which requires that installed equipment function properly when installed, and address that requirement through proposed § 25.1309(a), which would contain requirements for two different classes of equipment and systems installed in the airplane: (1) equipment and systems that are required for type certification or by operating rules, or whose improper functioning would reduce safety; and (2) all other systems.

c. Section 25.1309(a)(1)—Airplane Equipment and Systems Whose Improper Functioning Would Reduce Safety

Proposed § 25.1309(a)(1) would apply to all installed airplane equipment and systems whose improper functioning would reduce safety, regardless of whether the equipment or system is required by type certification rules or operating rules. Such equipment and systems would be required to perform as intended under the airplane operating and environmental conditions. A failure or malfunction of equipment or systems reduces safety if the failure or malfunction results in a minor or more severe failure condition. The FAA recognizes, however, that failures may occur throughout the operational life of the airplane, and that a failed system may no longer perform as intended. The acceptability of failures and their associated risks are covered by the fail-safe regulations, such as §§ 25.901(c), 25.1309(b), 25.671(c), 25.735(b)(1), 25.810(a)(1)(v), 25.812, 25.903(d)(1), and 25.1316.

The FAA further proposes new § 25.1309(a)(1) to require that equipment and systems perform as intended not just under airplane operating conditions as required by current § 25.1309(a), but under environmental conditions as well. This change is needed to remove an ambiguity in the current regulations, and ensure that an applicant's safety assessment is complete.

Current § 25.1309(a) requires that each such item perform its intended functions under “any foreseeable operating condition,” but does not mention “environmental conditions.” The method of compliance to the rule in AC 25.1309-1A discusses both types of conditions. To perform the safety assessment using the method in that AC, the applicant must account for the airplane operating conditions (such as weight, center of gravity, altitudes, flap positions) and the environmental conditions that the airplane is reasonably expected to encounter (such as atmospheric turbulence, lightning, or precipitation).

The FAA has not required that systems and components perform as intended in foreseeable but easily avoidable environmental conditions, such as volcanic ash clouds. Thus, the FAA proposes to remove “any foreseeable” from § 25.1309(a)(1). This change would also harmonize with CS 25.1309(a)(1).

The intent of this change is to ensure that the applicant evaluates the continued function of equipment and systems—

• Throughout the airplane's normal operating envelope, as defined by the airplane flight manual (AFM), together with any modification to that envelope associated with abnormal or emergency procedures, and any anticipated crew action; and
• Under the anticipated external and internal airplane environmental conditions in which the equipment and systems must perform as intended.

The proposed language in § 25.1309(a)(1) is consistent with existing FAA guidance ^[34] regarding environmental conditions because it Start Printed Page 75433 would allow that, even if certain environmental conditions are foreseeable, performing as intended in those conditions is not always possible. For example, ash clouds from volcanic eruptions are foreseeable, but an applicant does not have to show that the airplane can safely operate in such clouds, relying instead on forecasting and air traffic control means to avoid such conditions.

d. Section 25.1309(a)(2—Equipment and Systems With No Effect on the Safety of the Airplane or Its Occupants

Current § 25.1309(a) requires that all equipment, systems, and installations function properly when installed. However, the proper functioning of non-essential equipment is typically not necessary for safe operation of the airplane. These non-essential systems include passenger amenities such as entertainment displays, audio systems, in-flight telephones, non-emergency lighting, and food storage and preparation.

Proposed § 25.1309(a)(2) would require all equipment and systems not subject to proposed § 25.1309(a)(1) to not have an adverse effect on the safety of the airplane or its occupants, and would allow such equipment to be approved even if that equipment may not perform as intended. Consequently, this proposal would reduce the testing needed for those equipment and systems installations, because they would not need to meet the operational and environmental condition requirements of proposed § 25.1309(a)(1). The proposed § 25.1309(a)(2) would, however, require applicants to test such systems, equipment, and installations to show that their normal or abnormal functioning does not adversely affect the proper functioning of the equipment, systems, and installations covered by proposed § 25.1309(a)(1); and does not otherwise adversely affect the safety of the airplane or its occupants.

No safety benefit is derived from demonstrating that equipment performs as intended, if failing to perform as intended would not impact safety. Instead, the FAA would expect that an applicant perform a qualitative evaluation of the design and installation of such equipment and systems installed in the airplane to determine that neither their normal operation nor their failure would adversely affect crew workload, operation of other systems, or the safety of persons.

The FAA expects normal installation practices to result in sufficiently obvious isolation of the impacts of such equipment on safety that compliance can be based on a relatively simple qualitative installation evaluation. If the possible impacts, including failure modes or effects, are uncertain, or isolation between systems is provided by complex means, then more formal structured evaluation methods or a design change may be necessary. Guidance on performing qualitative evaluations is provided in draft AC 25.1309-1B.

This proposed change would reduce the cost of certification to airplane and equipment manufacturers and modifiers without reducing the level of safety provided by part 25.

e. Applicability of § 25.1309 to In-Service and Out-of-Service Conditions

Applicants have questioned whether, when showing compliance with § 25.1309, they must consider out-of-service conditions or risks to persons other than the occupants of the airplane. Compliance with § 25.1309 applies to flight operating conditions as well as ground operating conditions, consistent with current practice. Draft AC 25.1309-1B, specifies that compliance is applicable to ground operating conditions when the airplane is in service. An airplane is in service from the time the airplane arrives at a gate or other location for pre-flight preparations, until it is removed from service. While ground operating conditions include conditions associated with line maintenance and refueling, dispatch determinations, embarkation and disembarkation, and taxi, they do not include periods of shop maintenance, storage, or other out-of-service activities. Applicants should also account for threats to people on the ground or adjacent to the airplane during ground operations, electric shock threats to mechanics, and other similar situations.

f. Applicability of § 25.1309 to High Intensity Radiated Fields and Lightning Exposure

The ASAWG recommended that a future committee address how applicants should account for systems' exposure to high intensity radiated fields (HIRF) and lightning when showing compliance with § 25.1309(b). The FAA acknowledges that follow-on regulatory or policy action may be necessary to ensure this topic is addressed in a manner that is both effective and practical. This proposed rule and the associated advisory material are not intended to change how type certificate applicants account for systems' exposure to HIRF and lightning when demonstrating compliance with § 25.1309. Historically, considerations of lightning and HIRF in determining failure effects have been limited to specific potential failures of concern, such as failure of protection features, including critical isolation features, that are dedicated to protecting the airplane from the effects of lightning. Under the proposed changes to § 25.1309, applicants would continue to apply § 25.1309 in addressing the effects of HIRF and lightning as described in the prior sentence. Testing and qualitative evaluations may still be used as a means of compliance. Use of lightning and HIRF probabilities in quantitative analyses is also still allowed but not required. The proposed revision to § 25.1309 would not supersede the more specific requirements of §§ 25.1316 and 25.1317.

2. Exceptions From Applicability of § 25.1309

a. Flight Control Jams Addressed by § 25.671

Proposed § 25.1309(e) would exclude the flight control jams governed by § 25.671 from the proposed single-failure requirement in § 25.1309(b)(1)(ii). The FAA has historically used § 25.671(c) rather than § 25.1309 to regulate the risk of flight control jams. Proposed § 25.671(c) would continue this approach because flight control jams are an unusual failure condition in which the control position is critical to the outcome of the condition. Therefore, specifying a flight control jam as a “single failure” does not fully define the failure condition because the control position is not defined. The current and proposed § 25.671(c) specify that the applicant must evaluate flight control jams at “normally encountered” positions. Additionally, proposed § 25.671(c) would not require evaluation of flight control jams immediately before touchdown if the applicant shows that such jams are extremely improbable, as explained later in this preamble in the section entitled, “Changes to § 25.671(c)(3).” Therefore, this type of failure would be excluded from the prohibition on a single failure being the cause of a catastrophic failure condition under § 25.1309(b)(1)(ii).

b. Brakes and Braking Systems, Addressed by § 25.735

Proposed § 25.1309(b) would not apply to single failures in the brake system. Those failures are adequately addressed by § 25.735(b)(1) at amendment 25-107, which limits the effect of a single failure of the brake system to doubling the stopping distance of the brake roll. The diverse Start Printed Page 75434 circumstances under which such a failure could occur make any structured determination of its outcome or frequency indeterminate. The proposed § 25.1309 would apply to all other failures in the brake system.

c. Emergency Egress Assist Means and Escape Routes, Addressed by § 25.810, and Emergency Lighting, Addressed by § 25.812

Proposed § 25.1309(f) would also exclude the failure effects addressed by §§ 25.810(a)(1)(v) and 25.812 from § 25.1309(b). The failure conditions relevant to the cabin safety equipment installations addressed by §§ 25.810(a)(1)(v) (escape slides) and 25.812 (emergency lighting) are associated with varied evacuation scenarios for which the probability of occurrence cannot be determined due to the multitude of factors that can lead to an evacuation. For these types of equipment, the FAA has not been able to define appropriate scenarios under which an applicant could demonstrate compliance with § 25.1309(b). The FAA considers it acceptable in terms of safety, to require particular design features or specific reliability demonstrations for these types of equipment and, therefore, the FAA proposes to exclude them from the requirements of § 25.1309(b).

d. Powerplant—Installation, Addressed by § 25.901(c)

The FAA proposes to revise § 25.901(c) to state that the requirements of § 25.1309 apply to powerplant and APU installations and to list the failures that do not need to comply with § 25.1309(b). Those exceptions, which would be consistent with existing requirements, are engine case burn-through or rupture, uncontained engine rotor failure, and propeller debris release. The FAA specifies those exceptions in proposed §§ 25.901(c) and 25.1309(f). Excepting these failures from § 25.1309(b) would not degrade the level of safety from that required by current regulations. An applicant must already minimize the effects and occurrence rates of these failures when complying with:

• Part 33, “Airworthiness Standards: Aircraft Engines.”
• Part 35, “Airworthiness Standards: Propellers.”
• Paragraph (d)(1) of § 25.903, “Engines.”
• Paragraph (d) of § 25.905, “Propellers.”
• Section 25.1193, “Cowling and nacelle skin.”

This proposed revision would also harmonize § 25.901(c) with CS 25.901(c).

3. Flightcrew Alerting and Errors

a. Categorization of Required Flightcrew Information

Section 25.1309(c) currently requires that warning information must be provided to the flightcrew to alert them to unsafe system operating conditions, and to enable them to take appropriate corrective action. The FAA proposes to revise § 25.1309(c) to require information be provided to the flightcrew concerning unsafe system operating conditions, rather than requiring only warnings. The proposed revisions to § 25.1309(c) would make the provision compatible with the requirements of current § 25.1322 (“Warning, caution, and advisory lights”), which details requirements for the presentation of warning, caution, and advisory alerts installed on the flight deck. For example, § 25.1322 requires a warning indication if immediate action by a flightcrew member were necessary; however, the particular method of indication would depend on the urgency and need for flightcrew awareness or action that is necessary for the particular failure. The proposed revision to § 25.1309(c) (to remove the requirement for “alert”) would remove an incompatibility with § 25.1322, which allows other sensory and tactile feedback from the airplane caused by inherent airplane characteristics to be used in lieu of dedicated indications and annunciations if the applicant can show such feedback is sufficiently timely and effective to allow the crew to take corrective action.^[35]

b. Minimization of Crew Errors

Proposed § 25.1309(c) would require that applicants design “systems and controls, including indications and annunciations” to minimize crew errors that could create additional hazards. The proposed change would remove a reference to “warnings,” which are addressed in § 25.1322, and instead use the broader phrase “indications and annunciations.” The additional hazards that an applicant's proposed design must minimize, under this proposal, are those that could occur after a failure and those caused by inappropriate actions made by a crewmember in response to the failure. As specified in § 25.1585, any flightcrew procedures necessary to ensure continued safe flight and landing after the occurrence of a failure indication or annunciation must be described in the approved AFM, AFM revision, or AFM supplement, unless the FAA evaluates the procedures and accepts that the procedures are part of normal aviation abilities.

C. Interaction of Systems and Structures (New § 25.302)

The FAA proposes a new section, § 25.302, that would require an applicant to account for systems, and their possible failure, when assessing the structural performance of its proposed design.

As a result of advances in flight control technology, the structure requirements in part 25 do not provide an adequate regulatory basis to establish an acceptable level of safety for airplanes equipped with systems that affect structural performance such as the electronic flight control system. Earlier automatic control systems usually had two failure states: loss of function and malfunction. Flightcrews could readily detect these conditions. The new electronic flight control systems are more sophisticated and offer advantages that include load limiting and load alleviation.^[36] Failures in these systems, however, may allow the system to function in degraded modes that flightcrews may not readily detect, and in which load alleviation may be lost or reduced.

The LDHWG developed recommendations for design standards for airplanes equipped with systems that, directly or as a result of failure, affect the structural performance of the airplane. Structural performance is the capability of the airplane to meet the structural requirements of part 25.

While the FAA has applied the LDHWG recommendations for design standards to airplane certification programs since 1999 via special conditions, on December 12, 2005, EASA incorporated the design standards developed by the LDHWG into its regulatory framework as CS 25.302 and appendix K of CS-25 at amendment 25/1.^[37] Similarly, the FAA now proposes to adopt these criteria, with some modifications, as new § 25.302. The codification of these requirements in Start Printed Page 75435 part 25 will eliminate the need for the FAA to issue special conditions on future certification projects. This will result in increased efficiency for both the FAA and the industry in certification programs, without impacting the level of safety.

1. Applicability of New § 25.302

Proposed § 25.302 would apply to all systems that affect structural performance of the airplane. A system affects structural performance if it can induce loads on the airframe, or change the response of the airplane to inputs such as gusts or pilot actions, either when operating normally or as a result of failure. Examples of systems that can affect structural performance are load alleviation systems, modal suppression systems, stability augmentation systems, and fuel management systems, as well as hydraulic, electrical, and mechanical systems.

2. Normal Operation

Proposed § 25.302 would require that an applicant account for the influence of systems, operating normally, when showing compliance with subparts C and D of part 25. The proposed rule would require an applicant to derive limit loads for the conditions specified in subpart C and to account for any behavior or effect of the system on the structural performance of the airplane. This means that the applicant would need to account for any significant nonlinearity, including the rate of displacement of control surfaces, thresholds, or any other system nonlinearities, when deriving limit loads.

Proposed § 25.302 would also require that an applicant shows that the airplane meets the strength requirements of part 25 for static and residual strength, using specified factors to derive ultimate loads from the limit loads. The proposed rule would require the applicant to investigate the effect of nonlinearities beyond limit conditions to ensure that the behavior of the system presents no anomaly compared to the system's behavior below limit conditions.

3. Failure Condition Effect on Structural Performance

Proposed § 25.302(a) through (e) would require an applicant to assess the effect of failure conditions on the airplane's structural performance. Proposed § 25.302 would require assessment of all failure conditions not shown to be extremely improbable, or that result from a single failure, as typically determined by the applicant's system safety assessment.

Proposed § 25.302(a) would require that the airplane's design be able to withstand the loads, including control system loads, resulting from failure conditions, at speeds up to V_C /M_C , the design cruising speed. Such loads are limit loads as described in § 25.301, and an applicant then applies a safety factor ^[38] of 1.5 to determine the airplane's ultimate loads. Proposed § 25.302(a) would require the applicant to determine the loads assuming “realistic scenarios, including pilot corrective actions.” Draft AC 25.1309—1B and AC 25.671-X, “Control Systems—General,” would provide guidance for applicants on means of determining these effects of failure conditions, including realistic effects. Under the proposed rule, the applicant would be responsible for developing scenarios that describe the response of the airplane and the response of the pilots following a failure condition, using the guidance in those ACs or another acceptable method.

Proposed § 25.302(b) would require that, in the system-failed state ( i.e., after a particular system has failed), the airplane be able to withstand the limit flight and ground load conditions specified in subpart C. The applicant would only be required to assess flight conditions at speeds up to V_C /M_C or the speed limitation prescribed by the AFM for the remainder of the flight. An applicant must apply a safety factor of 1.5 to determine ultimate loads, with two exceptions.

The first proposed exception to § 25.302(b) would allow a safety factor of 1.0, rather than 1.5, if the failure condition would be immediately annunciated or otherwise obvious to the flightcrew. The proposed rule would also allow the applicant to take into account any relevant reconfiguration and flight limitations specified in the AFM. The FAA proposes a safety factor of 1.0 in this case because the probability is very low that a design load condition would occur after a system failure on the same flight. The probability of an extreme maneuver ( i.e., a maneuver that would result in load levels approaching design limit loads) is further reduced because the pilot would be aware that a failure condition had occurred. If relying on annunciation as the method of informing the flightcrew, the applicant should show that the relevant annunciation system is reliable per § 25.1309(b).

The second proposed exception to § 25.302(b) would allow a safety factor of 1.25 if the failure condition would not be annunciated but the probability is extremely remote. The FAA proposes a safety factor of 1.25 in this case because the probability is very low that an extremely remote failure condition and a design load condition would occur on the same airplane, even if the failure condition would not be annunciated.

The FAA does not intend for proposed § 25.302 to require an applicant to evaluate every subpart C load condition under every possible failure condition and at each speed, altitude, and payload configuration for which the airplane is designed. Instead, the FAA anticipates that the applicant would first identify those failure conditions that could impact the loads analysis required by subpart C. The applicant would then select load conditions that the applicant presumes could be affected by those failure conditions. Given the appropriate safety factor (1.0, 1.25, or 1.5), the applicant would then determine whether any of these load conditions, when affected by a failure condition, would yield higher loads than the load conditions without the effects of the failure condition. If so, the applicant would expand its analysis, as necessary, to ensure that the requirement of proposed § 25.302 would be met.

Proposed § 25.302(c) would require that, when conducting the damage tolerance evaluation required by § 25.571, the applicant take into account the fatigue loads induced by any failure condition. The rule would require that these fatigue loads be included as part of the typical loading spectra ^[39] at a rate commensurate with the probability of their occurrence.

If a failure condition could affect the airplane's residual strength loads, proposed § 25.302(d) would require the applicant to conduct a residual strength evaluation as specified in § 25.571(b) under the assumption that the failure condition had occurred. The proposed rule would allow an applicant to calculate these loads using at least two-thirds of each of the safety factors specified for the static strength assessment. The applicant would conduct this residual strength evaluation, which assumes a system failure condition has occurred, separately from the normal residual strength evaluation required by § 25.571(b), which does not assume a Start Printed Page 75436 system failure condition has occurred. The two-thirds factor in proposed § 25.302(d) is consistent with the method of determining residual strength loads in § 25.571(b).^[40]

Proposed § 25.302 would not apply to the flight control jam conditions covered by proposed § 25.671(c), or the discrete source events already covered by § 25.571(e). Proposed § 25.671(c) and current § 25.571(e) establish criteria to address these specific failures, and the respective ACs, draft AC 25.671-X and current AC 25.571-1D, Damage Tolerance and Fatigue Evaluation of Structure, would describe methods of compliance. Proposed § 25.302 would also not apply to any failure or event that is external to (not part of) the system being evaluated and that would itself cause structural damage. These conditions are already addressed by other rules, such as §§ 25.365, 25.571, 25.841, and 25.901.

4. Dispatch in a System-Failed State

Proposed § 25.302(e) would provide structural requirements for dispatch under the master minimum equipment list developed by the applicant. If the list would allow dispatch in a system-failed state, the airplane would need to continue to meet the design load requirements of subpart C in that system-failed state, without any reduction in safety factor. The applicant would be allowed to take into account any relevant operating limitations, including configuration changes, specified for the dispatched configuration. In addition, the airplane would also need to meet § 25.302(a) and (b), accounting for any subsequent single failure, and separately, any combination of failures not shown to be extremely remote.

5. Differences Between Proposed § 25.302 and EASA CS 25.302

As noted previously, EASA has incorporated the criteria regarding interaction of systems and structures criteria recommended by the LDHWG into its regulatory framework as CS 25.302 and appendix K of CS-25. Proposed § 25.302 differs from CS 25.302 and appendix K in a number of ways.

i. Determination of Safety Factor

The most significant difference between the proposed § 25.302 and CS 25.302 is that the latter defines structural factors of safety and the flutter speed margin on a sliding scale based on probability, while the proposed § 25.302 specifies discrete safety factors and does not change the flutter speed margin currently specified in § 25.629, as described below.

ii. Flutter Speed Margin

Proposed § 25.302 does not include any aeroelastic stability requirements and would only address the effect of systems on loads requirements. Section 25.629 and CS 25.302 both specify flutter speed margins for failure conditions. The margins in CS 25.302 are based on the probability of the condition's occurrence, while § 25.629 defines a single speed margin for every failure condition regardless of its probability. The FAA believes the current speed margin specified in § 25.629 is adequate, and there is no need to propose more specific failure criteria based on probability of occurrence. The current speed margin specified in § 25.629, which has been in place since Amendment 25-0 of 14 CFR part 25, has proven effective in service.

iii. Regulatory Structure Differences

The FAA's proposal is contained entirely within § 25.302 and does not add a new appendix to part 25. Also, the FAA's proposal would not include the two paragraphs in appendix K of CS-25 that are general in nature and do not contain any specific requirements. These paragraphs, K25.1(a) and (b) of CS-25, discuss application of the requirements in the appendix.

iv. Fully Operative Condition

Appendix K of CS-25 includes several paragraphs that require evaluation of the airplane in a system-fully-operative condition. The FAA's proposal would replace those paragraphs with a simpler requirement that the applicant account for the effects of systems when showing compliance with the requirements of subparts C and D. The FAA does not regard this as a substantive difference in the criteria.

v. Safety Factor at the Time of Failure

For the applicant's assessment of the failure condition at the time the failure occurs, CS 25.302 allows a reduced safety factor, ranging from 1.5 to 1.25, based on the probability of the failure. The FAA's proposal would require a safety factor of 1.5, regardless of the probability of the failure. The FAA determined it's better to define structural strength capability using discrete factors of safety rather than a sliding scale based on probability because probability estimates are not that precise. The FAA also determined the proposed 1.5 safety factor requirement would be easily met by applicants for type certification because systems that affect structural performance are typically passive systems, which alleviate loads rather than initiate loads.

vi. Safety Factor for Continued Flight After Initial Failure

For the assessment of continued flight, after the initial failure condition occurs, CS 25.302 requires the applicant to determine loads for several subpart C load conditions. In contrast, the FAA's proposal would require the applicant to determine loads for any subpart C load condition that would be affected by the failure condition. In addition, CS 25.302 allows a reduced safety factor, ranging from 1.5 to 1.0, based on the probability of the failure condition's occurrence. In contrast, the FAA's proposal would specify a safety factor of 1.5, unless the failure condition would be annunciated, in which case the rule would allow a safety factor of 1.0; or, if the failure condition was extremely remote, the rule would allow a safety factor of 1.25. As noted above, the FAA proposes to use discrete factors of safety rather than a sliding scale based on probability because probability estimates are not that precise. The FAA proposed rule would be simpler to apply than EASA's method because an applicant would use discrete safety factors, rather than sliding scales. For failures that are annunciated, this proposal would be less stringent than CS 25.302, since proposed § 25.302 would allow a safety factor of 1.0 regardless of the probability of failure. However, the FAA's proposal recognizes that annunciation of the failure would limit exposure to a subsequent design load condition to the remainder of the flight. Because of the very low probability of a system failure condition followed by a design load condition occurring on the same flight, the FAA believes a safety factor of 1.0 is appropriate.

vii. Fatigue and Damage Tolerance

Both § 25.571 and CS 25.571 require a “residual strength evaluation” of the airplane that demonstrates structural strength capability in the presence of fatigue cracks and any other anticipated environmental or accidental damage. The residual strength loads used for those evaluations are limit loads (safety factor of 1.0). Proposed § 25.302 would mimic the requirement in CS 25.302 for an additional assessment of residual strength using two-thirds of the loads specified for the continuation of flight. However, these loads would vary between § 25.302 and CS 25.302, as described in the previous paragraph. Start Printed Page 75437 Proposed § 25.302 would also echo CS 25.302's requirement that the applicant evaluate the fatigue loads induced by any failure condition. However, the FAA proposal is more specific than CS 25.302 in how that evaluation would be accomplished.

viii. Failure Annunciation

CS 25.302 outlines various failure annunciation criteria for affected system failure conditions. The FAA's proposal does not specify annunciation criteria, but instead determines the allowable safety factor based upon whether the failure condition would be annunciated.

ix. Dispatch Configuration

CS 25.302 requires that anticipated dispatch configurations meet the strength and flutter aspects of CS 25.302, while accounting for the probability of the airplane being in that configuration. The FAA's proposal would require that the structural strength criteria in the proposed rule—§ 25.302(a) through (b)—be met for the airplane in the dispatch configuration while accounting for any subsequent single failure or any subsequent combination of failures not shown to be extremely remote.

D. Turbojet Thrust Reversing Systems

The current regulation for thrust reversals in flight, § 25.933(a)(1), requires that, during any reversal in flight, the engine will produce no more than flight-idle thrust. Additionally, current § 25.933(a)(1) requires an applicant to show that each operable reverser can be restored to the forward thrust position, and that the airplane is capable of continued safe flight and landing under any possible position of the thrust reverser. Proposed § 25.933(a)(1)(ii) would allow an applicant to demonstrate compliance with § 25.1309(b) for these thrust reversing systems.

The application of the current standards has not precluded the loss of airplane control following the unwanted in-flight deployment of the thrust reverser. The investigation of the 1991 Lauda Air accident involving a Boeing Model 767 airplane revealed that an unwanted in-flight thrust reversal at high speeds and high power conditions on an airplane with wing-mounted, high-bypass turbofan engines can result in disruption of air flow over the wing and the loss of lift and controllability. Until this accident, the service history of in-flight thrust reverser deployment incidents indicated that an in-flight thrust reverser deployment at high power would not result in a catastrophic event. However, engine installations on modern transport category airplanes include high—bypass turbofan engines mounted close to the wing, and forward of the wing leading edge, to reduce aerodynamic drag and provide sufficient ground clearance. As a result, these airplanes do not have a sufficient control margin in the event of an unwanted in-flight thrust reversal and, therefore, cannot comply with the rule during all phases of flight.

To allow applicants for type certification flexibility in their design and achieve the intended level of safety, the FAA proposes to allow an applicant to demonstrate using a system safety assessment, per the proposed 14 CFR 25.1309(b), that unwanted deployment of the thrust reverser will not occur in flight. The FAA derived this option, known as the “reliability option,” from the PPIHWG's recommendations.^[41]

The PPIHWG evaluated methods used by applicants to assure reliability of other critical systems to determine if applicants could effectively apply the same requirements to thrust reverser systems. The PPIHWG concluded that design features such as redundant locking mechanisms (eliminating catastrophic single failures) in conjunction with more rigorous design and maintenance assessments (reducing exposure to latent failures) can provide a level of safety equivalent to the current rule. The FAA agrees.

Allowing an applicant to develop thrust reversing systems in compliance with § 25.1309, especially by reducing those systems' exposure to SLFs, would improve the level of safety because unwanted in-flight thrust reverser deployments would not be expected to occur during the entire operational life of all airplanes of one type, and eliminate the need for flightcrew procedures in response to an in-flight thrust reversal. Proposed § 25.1309 would provide a level of safety at least equivalent to current § 25.933(a)(1)(ii). This reliability option would allow an applicant to use a more practical approach to show compliance in all phases of flight for all known engine installations.

This proposal is consistent with the FAA's current practice because the FAA has been implementing the PPIHWG's recommendations through ELOS findings on specific projects since 1994. The FAA has accepted SSAs that show that in-flight thrust reverser deployment is extremely improbable as an alternative to flight tests that show full controllability across the entire flight envelope. The FAA has also accepted a combination of these two methods to allow applicants for type certification more flexibility when demonstrating an ELOS. For example, within that portion of the flight envelope where controllability cannot be shown, applicants have shown that the probability of an unwanted in-flight thrust reversal is extremely improbable. Conversely, applicants who have shown compliance primarily using the reliability option have shown that there are portions of the flight envelope where the airplane is controllable, and an unwanted in-flight deployment can be classified as less severe than catastrophic. This mixed approach has allowed applicants more flexibility in the thrust reverser system design and maintenance intervals than under the traditional rule. Under current ELOS determinations, applicants select either option, or combine them, to achieve the level of safety intended by the rule. With this proposal, the FAA regulations would continue to allow such combinations, but without the need for an ELOS. This will result in increased efficiency for both the FAA and the industry in certification programs, without impacting the level of safety established by § 25.933(a)(1).

Based on the PPIHWG's recommendations, the FAA also proposes that the current requirements in § 25.933(a)(1)—that each operable reverser can be restored to the forward thrust position, and that during any reversal in flight the engine will produce no more than flight-idle thrust—would no longer be necessary given the other proposed changes to this section. If a design can meet § 25.1309(b) without these features, then they need not be mandatory. Further, in accordance with proposed § 25.1309(a), any properly functioning thrust reverser would be required to respond appropriately to all anticipated flightcrew commands.

E. Flight Control Systems Safety Assessment Criteria

1. Changes to § 25.671(c) Failure Criteria

a. Changes to § 25.671(c), (c)(1), and (c)(2)

The current design and failure criteria for flight control systems, in § 25.671(c), were largely derived from Civil Air Regulations 4b.320, which preceded the current 14 CFR part 25 standards established in 1965. The FAA updated those requirements in amendment 25-23 (35 FR 5674, April 8, 1970) to account for automatic and powered flight control technology improvements and to consolidate the failure criteria Start Printed Page 75438 and make them applicable to the entire control system.

Section 25.671(c) requires that the airplane be capable of continued safe flight and landing following the failure conditions listed in § 25.671(c)(1) and (2) and the jamming conditions in § 25.671(c)(3).

Paragraph (c)(1) of § 25.671 requires an applicant to show continued safe flight and landing following any single failure.

Paragraph (c)(2) requires the applicant to show continued safe flight and landing following any combination of failures not shown to be extremely improbable. Paragraph (c)(2) also includes examples of failures that must be evaluated.

The FAA proposes to remove the flight control system failure criteria in § 25.671(c)(1) and (2), including the examples of specific failures that must be evaluated, and instead require safety assessment of flight control systems to be regulated by § 25.1309. Section 25.1309 would be used to address the flight control SSA, except with regard to jamming. The FAA also proposes to retain the examples in § 25.671(c)(2) as failures, that must be considered in showing compliance with § 25.629 as discussed later in this preamble (section I.A.2).

Finally, current § 25.671(c) requires that probable failures have only minor effects and be capable of being readily counteracted by the pilot. The FAA proposes to remove this requirement because its effect on safety would be covered by proposed § 25.1309. Proposed § 25.1309 would require that each major failure condition be remote, which means that probable failures (more likely than remote) must have only minor effects (must not be major).

b. Changes to § 25.671(c)(3)

Section 25.671(c)(3) requires that an applicant evaluate any jam in a control position normally encountered, as well as runaway ^[42] of a flight control to an adverse position and subsequent jam. The FAA proposes to consolidate the current § 25.671(c)(3) flight control jams requirement under § 25.671(c) and revise as described below.

The flight control jams requirement in § 25.671(c)(3) has generated debate about the meaning of a “normally encountered” control position. This phrase came under scrutiny after two Boeing Model 737 accidents, and the FAA and NTSB investigations that followed.^[43 44] The issue was whether “normally encountered” should be interpreted as a small control surface deflection, which occurs routinely, or as a large or even full control surface deflection, which occurs much less frequently. Demonstrating compliance assuming a fully deflected and jammed control surface is much more difficult than doing so with a small control surface deflection. In May 1995, the FAA issued a policy letter specifying what “normally encountered” control positions (which included large deflections) should be used for compliance with § 25.671(c)(3).^[45] In October 1996, the NTSB issued Safety Recommendation A-96-108, later superseded by Safety Recommendation A-99-23, which recommended that applicants evaluate control jams at fully-deflected control positions. The FCHWG considered the NTSB safety recommendation in developing its recommendation. The FCHWG recommended that the phrase “normally encountered” be retained in the rule, and that an FAA AC define the “normally encountered” control positions. The FAA proposes to adopt the FCHWG recommendation.

Draft AC 25.671-X would explain that the FAA considers “normally encountered” positions as the range of control surface deflections, from neutral to the largest deflection expected to occur in 1,000 random operational flights, without considering other failures. The AC would also provide guidance for performance based criteria that define environmental and operational maneuver conditions, and the resulting deflections that could be considered normally encountered positions.

A second compliance issue related to § 25.671(c)(3) stems from an applicant's use of probability analysis to show that a jam, or a runaway and jam, is “extremely improbable.” Section 25.671(c)(3) requires the airplane to be capable of continued safe flight and landing after experiencing jamming conditions, including runaway of a flight control surface and subsequent jam, unless the jamming condition is shown to be extremely improbable or the jam can be alleviated. While current § 25.671(c)(3) allows the use of probability analysis, applicants have generally been unable to demonstrate that jamming conditions are “extremely improbable,” except for conditions that occur during a very limited time just prior to landing. Therefore, the FAA proposes to revise § 25.671(c) to require that the applicant's safety assessments assume that the specified jamming conditions will occur, regardless of those conditions' probability. The FAA also proposes to exclude jamming conditions that occur immediately before touchdown if these can be shown to be extremely improbable. For jams that occur just before landing, some amount of time and altitude is necessary in order to recover, and there is no practical means by which a recovery can be demonstrated. Therefore, the applicant would be allowed to show such a jamming condition is extremely improbable based on the limited time exposure.

The FAA also proposes to revise § 25.671(c) to define the types of jams that must be evaluated as those that result in a flight control surface or pilot control that is fixed in position due to a physical interference.

Proposed § 25.671(c) would also require that, in the presence of a jam evaluated under that paragraph, any additional failure conditions that could prevent continued safe flight and landing must have a combined probability of less than 1/1000. This is to ensure adequate reliability of any system necessary to alleviate the jam when it occurs.

Lastly, the FAA proposes to remove the requirement to account for a runaway of a flight control surface and subsequent jam. The FAA does not believe it is necessary to include this requirement in § 25.671 because the SSA required by § 25.1309 would account for any failure condition that leads to a runaway of a flight control surface. Runaways of flight control surfaces will be evaluated under § 25.1309 regardless of whether they are due to an external source, such as a foreign object or control system icing, or due to failures that are internal to the flight control system.

2. Other Changes to § 25.671

The FAA proposes to revise § 25.671(a) to add a requirement that the flight control system continue to operate and respond as designed to commands, and not hinder airplane recovery, when the airplane experiences any pitch, roll, or yaw rate, or vertical load factor that could occur due to operating or environmental conditions, or when the airplane is in any attitude. This would ensure there are no features or unique Start Printed Page 75439 characteristics (including, for example, computer errors that might occur at certain airplane bank angles) of the control system design that would restrict the pilot's ability to recover from any attitude, rate of rotation, or vertical load factor expected to occur due to operating or environmental conditions. The phrase “operating or environmental conditions” would have the same meaning as in proposed § 25.1309(a)(1): the full normal operating envelope of the airplane, as defined by the AFM, together with any modification to that envelope associated with abnormal or emergency procedures, and any anticipated crew action. That envelope includes other external environmental conditions that the airplane is reasonably expected to encounter, such as atmospheric turbulence.

The FAA proposes to revise § 25.671(b) to require that the system be designed or marked to avoid incorrect assembly that could result in “failure of the system to perform its intended function,” rather than in the “malfunctioning of the system.” The FAA also proposes to revise § 25.671(b) to restrict the use of such marking to cases in which compliance by design means is impractical. The objective of these proposed changes is to ensure that the system performs its intended function.^[46]

Section 25.671(d) requires that the airplane remain controllable if all engines fail. The FAA proposes to revise this section to require that not only must the airplane be controllable following failure of all engines, but that an approach and flare to a landing and controlled stop must also be possible, assuming that a suitable runway is available. The proposed rule would also apply the requirement to the failure of all engines at any point in the flight. The FAA also proposes to make the last sentence of § 25.671(d) active voice by changing it from “Compliance with this requirement may be shown by analysis where that method has been shown to be reliable,” to “The applicant may show compliance with this requirement by analysis where the applicant has shown that analysis to be reliable.” This revision would not change the substance of the requirement.

The FAA also proposes to add a new paragraph (e) to § 25.671, which would require that the flight control system indicate to the flightcrew whenever the primary control means are near the limit of control authority. On airplanes equipped with fly-by-wire control systems, there is no direct tactile link between the flightdeck control and the control surface, and the flightcrew may not be aware of the actual control surface position. If the control surface is near the limit of control authority, and the flightcrew is unaware of that position, it could negatively affect the flightcrew's ability to control the airplane in the event of an emergency. The flight control system could meet this requirement through natural or artificial control feel forces, by cockpit control movement if shown to be effective, or by flightcrew alerting that complies with §§ 25.1309(c) and 25.1322.

The FAA also proposes to add a new paragraph (f) to § 25.671, which would require that the flight control system alert the flightcrew whenever the airplane enters any mode that significantly changes or degrades the normal handling or operational characteristics of the airplane. On some flight control system designs, there may be submodes of operation that change or degrade the normal handling or operational characteristics of the airplane. Similar to control surface awareness, the flightcrew should be made aware if the airplane is operating in such a submode.

The FAA derived the requirements of proposed § 25.671(e) and (f) from its experience certifying applications for fly-by-wire systems. The proposed requirements summarized in this section for revision to § 25.671 have been applied on numerous programs through ELOS findings. Codifying these requirements in part 25 would result in increased efficiency for both the FAA and the industry in certification programs, without impacting the level of safety.

F. Certification Maintenance Requirements

Section H25.4(a) of appendix H to part 25 requires that airworthiness limitations within the ICA reside in a segregated and clearly distinguishable section titled “Airworthiness Limitations section.” The ALS is required to include mandatory maintenance actions approved by § 25.571 for damage tolerant structures, by § 25.981 for fuel tank systems, and by § 25.1701 for the electrical wiring interconnection system (EWIS). However, section H25.4 does not include the maintenance actions typically established during the certification process as CMRs, using the guidance in AC 25-19A, Certification Maintenance Requirements. As a result, the current regulations are not consistent in how they address system-related maintenance requirements.

AC 25.1309-1A provides guidance for an applicant to include maintenance actions when it shows compliance with § 25.1309, and AC 25-19A provides guidance on the selection, documentation, and control of CMR to implement such maintenance actions. CMRs, when properly implemented, are required tasks to detect safety significant failures that would, in combination with one or more other failures, result in a hazardous or catastrophic failure condition. CMRs are developed to show compliance to § 25.1309, and other regulations requiring safety analyses such as §§ 25.671, 25.783, 25.901, and 25.933. As described in AC 25-19A, establishing CMRs is not always necessary if there is another suitable method to identify the needed maintenance task to prevent a failure condition from developing.

In practice, industry and the other certification authorities have treated CMRs as equivalent to airworthiness limitations. CMRs are currently considered by operators as the systems counterpart to the airworthiness limitations for primary structures, fuel tank systems, and EWIS. However, unlike these airworthiness limitation items, the CMRs do not have a regulatory basis upon which to standardize their development. Airworthiness limitations for systems that have hazardous and catastrophic failure effects are just as relevant to the safety of the airplane as the airworthiness limitations currently required for fuel tank systems, EWIS, and damage tolerant primary structures. Many applicants have been voluntarily including CMRs in the ALS of the ICA.

Based on the forgoing, the FAA proposes to revise § 25.1309(d) to require the applicant to establish CMRs to prevent development of the failure conditions described in § 25.1309(b). Section 25.1309(d) would require these maintenance requirements to be included in the ALS of the ICA required by § 25.1529. This proposal would codify current industry practice the FAA has accepted as a means of compliance with § 25.1309 and other system safety regulations, for many years.

In addition, the type certification process often results in the establishment of CMRs for systems that are not regulated by § 25.1309 (for example, a CMR may be established for flutter prevention under § 25.629). To provide a common regulatory basis for such CMRs, including those established Start Printed Page 75440 under § 25.1309, the FAA proposes a new section, H25.4(a)(6). This proposed rule would require an applicant to include any CMR in the ALS of the ICA, if the CMR was established to comply with any applicable provisions of part 25.

G. Miscellaneous Amendments

1. Method of Compliance With § 25.1309(b)

The FAA proposes to remove current § 25.1309(d). Section 25.1309(d) currently requires an applicant to show that a design complies with § 25.1309(b) by using analysis, and where necessary, ground, flight, or simulator testing. Section 25.1309(d) also describes the features that the applicant's analysis must consider.

The FAA reconsidered the requirement in § 25.1309(d) and concluded that this requirement is no longer needed within the regulatory text, since it specifies a particular, yet incomplete, process for compliance with § 25.1309(b). This conclusion is consistent with the SDAHWG recommendation to remove § 25.1309(d) and place the process for compliance with § 25.1309(b) into non-mandatory guidance material. Removing these steps from the regulation is not intended to alter the evaluations required by § 25.1309(b). Instead, it is intended to reflect that § 25.1309(b) provides performance-based requirements for which the methods of compliance should be appropriate to the particular system. In addition, the current § 25.1309(d) provides an incomplete list of considerations, and other, equally important factors may need to be included in the applicant's proposed assessments. These factors can include environmental conditions, complexity of the design, common cause of multiple failures, flightcrew capability and workload, and safety margin after a failure, all of which will vary for each application and which the FAA will discuss in the accompanying draft guidance.

Because § 25.1309(d) would no longer prescribe specific methods for demonstrating compliance with § 25.1309(b), the FAA also proposes to remove the reference to § 25.1309(d) from § 25.1365(a). This change would not affect the level of safety provided by the current rule, because § 25.1365(a) would continue to reference the requirements of § 25.1309(b). This proposal would harmonize § 25.1365(a) with CS 25.1365(a).

2. Failure Examples Related To Flutter

This proposal would relocate several specific failures from § 25.671(c)(2) to the aeroelastic stability requirements of § 25.629. Section 25.671(c)(2) specifies examples of failure combinations that must be evaluated, including dual electrical and dual hydraulic system failures, and any single failure combined with any probable hydraulic or electrical failure. Section 25.629(d)(9) currently requires that the airplane be shown to be free from flutter considering various failure conditions considered under § 25.671, which includes those failure conditions specified in § 25.671(c)(2). The FAA is proposing to remove those examples from § 25.671(c)(2) in conjunction with related changes to § 25.1309 described in section III.E of this preamble. However, the specific failure conditions identified in § 25.671(c)(2) have provided an important design standard for dual actuators on flight control surfaces that rely on retention of restraint stiffness or damping for flutter prevention. Therefore, this proposal relocates these failure conditions from § 25.671(c)(2) to the aeroelastic stability requirements of § 25.629(d). This change would not affect the level of safety provided in current §§ 25.671(c)(2) and 25.629(d).

3. Other Changes to § 25.629

Section 25.629(b) requires the airplane to be free from aeroelastic instability for “all configurations and design conditions” within the speed and altitude envelopes specified in § 25.629(b)(1) and (2). Such design conditions include the range of load factors within the normal flight envelope. The normal flight envelope is defined in § 25.333. Therefore, this proposal would specify that the aeroelastic stability envelope includes the range of load factors specified in § 25.333.

4. EWIS Requirements

The FAA proposes to remove paragraph (b) from § 25.1301 and to remove paragraph (f) from § 25.1309. Section 25.1301(b) requires that a proposed airplane's EWIS meet the requirements of subpart H of part 25. Subpart H was created (at amendment 25-123, in 2007) as the single place for the majority of wiring certification requirements. The references in §§ 25.1301(b) and 25.1309(f) are redundant and unnecessary because subpart H specifies its applicability. The FAA has determined that such redundancy is not needed because the subpart H requirements can stand alone.

5. Removal of Redundant Requirements

The FAA proposes to remove paragraph (e) from § 25.1309. The requirements of paragraph (e) concern compliance with § 25.1309(a) and (b) for electrical system and equipment design. The requirements of paragraph (e) are unnecessary because they are redundant to the general risk assessment of § 25.1309 and to §§ 25.1351 through 25.1365 specifically related to electrical systems.

H. Petitions for Rulemaking

During the development of this proposed rule, the FAA considered two relevant petitions for rulemaking submitted in 1986. Summaries of these petitions were published in the Federal Register .^[47] The petitions and a disposition of the petitions are included in the docket for this NPRM. This NPRM proposes some changes that were suggested in those petitions, including adding definitions of probability terms ^[48] and revising the methods for accounting for failure effects.^[49] See proposed §§ 25.4 and 25.1309.

I. Advisory Material

The FAA has drafted three new ACs and revisions to two existing ACs to provide guidance material for acceptable means, but not the only means, of showing compliance with the regulations proposed for revision by this NPRM. The FAA will post the draft ACs in the docket and on the “Aviation Safety Draft Documents Open for Comment” web page at http://www.faa.gov/​aircraft/​draft_​docs/​.^[50] The FAA requests that you submit comments on the draft AC through either the docket or through that web page. The draft ACs are as follows:

• AC 25.671-X, Control Systems—General.

• AC 25.901-X, Safety Assessment of Powerplant Installations.

• AC 25.933-X, Unwanted In-Flight Thrust Reversal of Turbojet Thrust Reversers.

• AC 25.629-1C, Aeroelastic Stability Substantiation of Transport Category Airplanes.

• AC 25.1309-1B, System Design and Analysis.Start Printed Page 75441

IV. Regulatory Notices and Analyses

Changes to Federal regulations must undergo several economic analyses. First, Executive Order 12866 and Executive Order 13563 direct that each Federal agency shall propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980 (Pub. L. 96-354) requires agencies to analyze the economic impact of regulatory changes on small entities. Third, the Trade Agreements Act (Pub. L. 96-39) prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. In developing U.S. standards, the Trade Act requires agencies to consider international standards and, where appropriate, that they be the basis of U.S. standards. Fourth, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million or more annually (adjusted for inflation with base year of 1995). This portion of the preamble summarizes the FAA's analysis of the economic impacts of the proposed rule. The FAA suggests readers seeking greater detail read the Regulatory Impact Analysis in the docket for this rulemaking.

In conducting these analyses, the FAA determined that this proposed rule (1) has benefits that justify its costs; (2) is not an economically “significant regulatory action” as defined in section 3(f) of Executive Order 12866; (3) would not have a significant economic impact on a substantial number of small entities; (4) would not create unnecessary obstacles to the foreign commerce of the United States; and (5) would not impose an unfunded mandate on state, local, or tribal governments, or on the private sector by exceeding the threshold identified above. These analyses are summarized below.

A. Regulatory Evaluation

1. Costs and Benefits of This Proposed Rule

The predominant cost impact of this proposed rule results from proposed requirements addressing catastrophic dual failures (CSL+1), where the first failure is latent (unknown until discovered by crew or maintenance personnel), which, in combination with a second active failure, results in a catastrophic accident. Without the rule, unsafe conditions in service associated with potential CSL+1 failure conditions would continue to be addressed, after certification, by airworthiness directives (ADs).^[51] Accordingly, the costs of ADs avoided because of the rule would be benefits of the rule in the form of cost savings. ADs resulting from potential CSL+1 failure conditions are occurring at such a high rate that the benefits of avoiding these ADs, by themselves, exceed the costs of the specific risk rule, § 25.1309(b)(5). At a 7 percent discount rate, the FAA finds that the cost savings resulting from the proposed specific risk rule to be $24.6 million, exceeding the $15.5 million cost of the rule, and resulting in $9.1 million in net cost savings. At a 3 percent discount rate, the FAA finds that the cost savings are $46.79 million, exceeding a $24.65 million cost, and resulting in $22.14 million in net benefits.

The FAA finds all other provisions of this proposed rule to be cost beneficial or to have zero or minimal cost.

2. Who is potentially affected by this proposed rule?

Applicants for type certification, and operators, of part 25 airplanes are potentially affected by this proposed rule.

3. Assumptions and Sources of Information

• The FAA uses three percent and seven percent discount rates to estimate present value and annualized costs and cost savings based on OMB guidance.^[52]

• Source: Airplane certification costs, https://www.faa.gov/​, Regulations & Policies, Rulemaking, Committees—Advisory and Rulemaking Committees, Topics—Transport Airplane and Engines (TAE) Subcommittee (Active), Airplane-level Safety Analysis Complete File, ARAC ASAWG Report, Specific Risk Tasking, appendix A, p. 104. Source: ASAWG Recommendation Report, “SPECIFIC RISK TASKING,” April 2010 (pp. 64, 104). These costs are updated to 2021 dollars by the ratio of the 2021 GDP implicit price deflator to the 2010 GDP implicit price deflator, viz. 118.490/96.164 = 1.232. U.S. Bureau of Economic Analysis. “Table 1.1.4. Price Indexes for GDP.” Click “Modify” icon and refresh table with first and last years of period.

• For manufacturers of large part 25 airplanes (large transports): 2 U.S. airplane certifications in next 10-year period, with 24 annual U.S. deliveries per U.S. certification; 1 foreign airplane certification in next 10-year period, with 16 annual U.S. deliveries per foreign certification; 23-year airplane production run, and 28-year retirement age. For manufacturers of business jets (small part 25 airplanes): 2 U.S. airplane certifications in next 10-year period, 21 annual U.S. deliveries per U.S. certification and 28-year production run; 3 foreign airplane certifications in next 10-year period, 11 annual U.S. deliveries per foreign certification and; 16-year airplane production run, 30-year retirement age. For benefits of avoided ADs (6): Average number of certifications for U.S.-manufactured airplanes. See the Regulatory Impact Analysis available in the docket for more details.

• The period of analysis for large airplanes is 23 + 28 = 51 years to account for a product life cycle determined by a 23-year production period and a 28-year service period. The period of analysis for business jets is 28 + 30 = 58 years to account for a product life cycle determined by a 28-year production period and a 30-year service period.

• Average flight hours per year: Large part 25 airplanes—3,000, Source: FlightGlobal's FlightFleets Analyzer, www.ascendworldwide.com. (Average annual flight hours = 3,040 for all narrowbody, widebody, and regional jets, at least one year old, operated by U.S. airlines as of August 28, 2018.)

4. Costs of the Proposed Specific Risk Rule

To calculate the compliance costs for new U.S. certifications, the FAA assumes that all new certifications will be approved one year after the effective date of the rule, with production beginning one year later. Using an airplane life cycle model detailed in the Regulatory Impact Analysis available in the docket, for large part 25 airplanes (large transports) the FAA bases compliance costs on 2 new certificates, delivery of 24 airplanes per certificate per year to U.S. operators, production runs of 23 years, and an airplane retirement age of 28 years. The costs of compliance for large transports are calculated over an airplane life cycle of 51 years (the period from first delivery to last retirement), beginning in year 1 and ending in year 51. The small part 25 airplane category is a business jet category. For part 25 business jets, the FAA bases compliance costs on 2 new certificates, delivery of 21 airplanes per Start Printed Page 75442 certificate per year to U.S. operators, production runs of 28 years, and an airplane retirement age of 30 years. The costs of compliance for part 25 business jets are calculated over an airplane life cycle of 45 years, beginning in year 1 and ending in year 47.

Unit industry cost estimates for the specific risk rule, § 25.1309(b)(5), were provided by the ASAWG in its report, “Specific Risk Tasking.” ^[53] High costs were reported by Boeing and Cessna in contrast to the zero or near-zero costs reported by the other manufacturers. This was the result of (1) Boeing and Cessna using the existing § 25.1309 amendment as a baseline and not taking into account voluntary ELOS actions they have taken; and (2) high hardware and operating costs reported by Cessna that were 20 to 30 times the comparable costs reported by Boeing. The FAA was unable to verify these high costs. The FAA's rationale and procedure to adjust for these costs follows.

The FAA adjusted Boeing's engineering cost estimate by taking into account the extent to which voluntary ELOS actions for the Boeing Model 787 already address the problems of potential CSL+1 dual catastrophic failures. This adjustment allows the FAA to reduce Boeing's estimate to 13.3 percent of its reported value. This large adjustment reflects the importance of two factors: (1) the ELOS action for flight control systems—the FAA estimates that flight control systems constitute 60 percent of existing potential CSL+1 failure conditions, and (2) that 25 percent of potential CSL+1 failure conditions have already been addressed.

Moreover, for the few CSL+1 combinations not already meeting the proposed rule, no hardware change would be necessary as only the inspection intervals would be affected. Accordingly, expected hardware costs and fuel burn costs are reduced to zero, leaving only non-recurring engineering costs and maintenance costs.

Large transports and business jets have similar system safety architectures because they both meet the “no single failure” and “extremely improbable” (10⁻⁹) average risk criteria. Accordingly, the FAA has determined that the Boeing Model 787 cost analysis also applies to Cessna, so that Cessna's engineering cost estimate should also be reduced to 13.3 percent of reported value, and its hardware and fuel burn cost should be reduced to zero.

With these adjustments, industry unit cost estimates are shown in table 3 below, along with a summary of the production life cycle data. See the Regulatory Impact Analysis available in the docket for more detail on the industry unit cost estimates.

Employing these unit cost estimates in the airplane life cycle model referred to above, the FAA estimates the costs of the specific risk rule over the large transport and business jet life cycles and show the results by major cost component in table 4 below.

5. Benefits of the Proposed Specific Risk Rule

As discussed more fully in the Regulatory Impact Analysis available in the docket for this proposed rule, the proposed specific risk rule would (1) eliminate the risk of CSL+1 failure conditions by requiring additional redundancy, or (2) limit the risk of CSL+1 failure conditions by limiting the probabilities of the dual latent and active failures. CSL+1 failure conditions probably caused three accidents, which resulted in the destruction of the airplane and the fatalities of all passengers and crew. These accidents were Lauda Air Flight 004 (Boeing Model 767) in 1991, resulting in the fatalities of 233 passengers and crew; USAir Flight 427 (Boeing Model 737) in 1994, resulting in the fatalities of 132 passengers and crew; and the earlier United Airlines Flight 585 (Boeing Model 737) in 1991, resulting in the fatalities of 25 passengers and crew.

For the Lauda Air accident, the Thai investigating committee found the probable cause to be an uncommanded in-flight deployment of the airplane's left engine thrust reverser, resulting in loss of airplane control. The airplane was equipped with a double lock thrust reverser system that operated as follows. If a pilot wanted to deploy the thrust reversers, he or she raised the thrust reverser lever, which set the directional control valve (DCV) (1st lock) to the deploy position and opened the hydraulic isolation valve (HIV) (2nd lock), allowing hydraulic pressure to open the thrust reverser door. The investigating committee found that one likely cause of uncommanded deployment was contamination of the DCV that made it susceptible to increased pressure on its deploy side (latent failure). When the HIV inadvertently opened due to a short circuit (active failure), hydraulic pressure became available to the susceptible DCV causing a change in the valve position from “stow” to “deploy” with consequent deployment and the catastrophic accident. Once discovered, this potential CSL+1 failure condition was eliminated by an AD action mandating an additional valve (3rd lock). (Please see the Regulatory Impact Analysis available in the docket for discussion of the CSL+1 failure conditions that the NTSB concluded to be the probable cause of the USAir Flight 427 and United Airlines Flight 585 accidents.)

The FAA finds that, if the specific risk rule had been in effect, the likelihood of these accidents occurring would have been reduced. Since the FAA has already issued ADs to prevent reoccurrence of these CSL+1 accidents, the FAA does not use them in estimating benefits from this rule. However, without the rule, unsafe conditions in service associated with potential CSL+1 failure conditions would continue to be addressed by ADs. Accordingly, the costs of the ADs avoided because of the rule would be benefits of the rule in the form of cost savings. The FAA first provides an overview of the benefits estimation, and then provides the details.

a. Overview of Avoided AD Benefits

For the ten-year period of 2008 to 2017, the FAA searched for all new (including superseding) ADs that were associated with potential CSL+1 failure conditions and found 15 such ADs. In order to simplify the analysis, the cost of an AD was estimated based only on the basic wage and cost of materials data provided in the AD (or referenced service bulletins) for required inspections or repairs/replacements, for all airplanes that were affected by the AD. As in the cost section above, the FAA updated cost to 2021 dollars. Since labor costs were given in hours as well as in current dollars, labor costs were particularly easy to update since the FAA could simply use labor hours and the 2021 AD wage rate of $85 per hour.^[54] In one or two cases, the costs of an AD were adjusted based on information obtained from the safety engineer referenced in the AD. “On-condition” costs were not included in calculated AD costs because such costs depend on an unknown number of airplanes identified on inspection as requiring repair or parts replacement. AD costs often occurred several months or years following the AD effective date because of time allowed for compliance and because of ongoing inspection costs. For 4 of the 15 ADs, there is no terminating action so the affected airplanes are required to be periodically inspected over their entire service lives. Present value AD costs in issuance-year dollars were calculated by discounting these future year costs to the year of AD issuance at the rate of 7 percent. These present value AD costs were adjusted to 2021 dollars using the GDP implicit price deflator. The total cost of the 15 ADs in 2021 dollars is then summed from the individual AD costs.

b. Details of Avoided AD Benefits

Table 5 shows cost of each of the 15 ADs that were associated with potential CSL+1 failure conditions. For each AD, the table provides the following information:

• AD No.;
• Effective date of the AD;
• Airplane Model;
• PV AD Cost ($2021);
• The potential CSL+1 failure condition; and
• Required AD Actions.

Airworthiness Directive No. 8 is split into two results because, after an initial AD was issued and complied with, it was later determined that a wider range of part numbers should have been checked, which meant re-inspection for a large number of airplanes that had already been inspected. So No. 8a shows the costs for the number of airplanes the FAA estimates have already been checked in the initial AD, while No. 8b Start Printed Page 75444 shows the new costs in the superseding AD for the airplanes already checked as well as for the newly affected airplanes. AD No. 15 is also shown in two parts, with No. 15a showing the results for the main recurring action and No. 15b showing the results for a concurrent nonrecurring action for a subset of affected airplanes, required in order to ensure the effectiveness of the test required by the main recurring action.

Airworthiness Directives Nos. 1, 2, 4 and 15a are the four ADs with recurring actions lasting the lifetime of the airplanes. The total present value costs for these ADs were calculated using AD unit cost data and individual airplane data from the Aircraft section of FlightGlobal's FlightFleets Analyzer. For each airplane already in the affected fleet at the AD's effective date, costs were calculated for the remaining years of an assumed 28-year life, with yearly costs discounted back to the AD's effective date but valued in 2021 dollars. For each airplane entering the affected fleet after the AD's effective date, costs were calculated for its entire assumed 28-year life with an additional discount factor for time between the AD's effective date and the in-service date of the airplane. Actual life was used instead of a 28-year life if airplanes were retired (or written off) early. Data for August 2018 was used for AD Nos. 1, 2 and 15a. But for AD No. 4, data as of the AD's effective date, September 26, 2012, was used in order to simplify the calculations. The affected model—Boeing Model 757—ended production in 2004, so few, if any, additional airplanes would be entering the affected fleet after the AD's 2012 effective date, and fewer of the affected airplanes would have to be retrieved from the “Retired/Written Off” file than if a more recent date was used.

The FAA notes that all 15 ADs apply to large transport airplanes and none apply to business jets. This result is not surprising, since part 25 business jets account for a small percentage of the total flight hours for part 25 airplanes. Given the FAA's assumptions, the life cycle airplane model estimates that part 25 business jets account for just 10.3 percent of all part 25 flight hours. This particular result does not mean that CSL+1 failure conditions cannot occur on part 25 business jets. In fact, while this regulatory evaluation was being written, an immediate final rule AD was published ^[55] for a potential CSL+1 failure condition in a Gulfstream Model GVI business jet. Since this AD occurs outside the 10-year 2008-2017 sampling window, the FAA did not include it in its analysis.

As table 5 below shows, total AD costs sum to $64,195,574. The avoidance of these costs are benefits that the FAA used to estimate benefits of the proposed specific risk rule. Over the period of AD selection, 2008 to 2017, however, there were, on average, approximately six new airplane models brought to the market by U.S. manufacturers. Since the FAA estimated the costs of the proposed rule assuming two new model certifications, in order to make the estimate of the value of avoided ADs comparable, the FAA divided these costs by three. The FAA then divided the adjusted costs by 10 to estimate the average annual AD costs over the 10-year sample period. Finally, recognizing that no rule is perfectly effective, the FAA estimated that the proposed rule would be 90 percent effective and, accordingly, reduce the annual estimates by 10 percent. These reduced annual estimates are then used in the life cycle airplane model to estimate the benefits of the proposed rule in a manner analogous to the estimate of the costs of the proposed rule. Dividing $64,195,574 by 3 × 10 = 30 and multiplying by 90 percent, the FAA obtained an estimate of average annual benefits of $2,139,852. This then is the estimate of the average annual value of the ADs that will be avoided over the 51-year life cycle of our two airplane models as a result of the proposed specific risk rule. The present value of $2,139,852 for 51 years can be calculated with the present value annuity formula, PVA = C [1-1/(1+r)ⁿ ]/r = $2,139,852 × [1-1/(1.07)⁴⁷ ]/.07 = $26.4 million, where C = $2,139,852 is the average annual “cash flow” benefit, r = 0.07 is the discount rate, and n = 51 years is the annuity length in years. However, to make benefits compatible with the cost of the rule analysis, the FAA must discount for an additional year to account for our assumed year for certification of the airplane models. Therefore, the present value of the AD cost savings is $24.5/1.07 = $24.6 million.

6. Summary of Costs and Benefits of Specific Risk Rule

In table 6 below, the FAA summarizes the costs and benefits of the proposed specific risk rule. As the table shows, the proposed rule is cost-beneficial with present value cost savings of $24.6 million far exceeding present value costs of $15.8 million. Net cost savings are $8.8 million in present value. A similar analysis at a 3 percent discount rate finds present value cost savings to be $43.6 million, exceeding $31.7 million in present value costs, and resulting in $11.9 million in net cost savings.

7. Section 25.1309: Equipment, Systems, and Installations

In section I.A.5 above, the FAA undertook the cost benefit analysis of the proposed specific risk rule, § 25.1309(b)(5). This section discusses the remaining paragraphs of § 25.1309.

a. Section 25.1309(a)

The proposed rule would revise § 25.1309(a) into two paragraphs. Proposed § 25.1309(a)(1) would revise the applicability of the § 25.1309(a) requirement that equipment and systems perform their functions as intended. Proposed § 25.1309(a)(1) clarifies that it applies to any equipment or system installed in the airplane, and whose improper functioning would reduce safety, regardless of whether it is required for type certification, operating approval, or is optional equipment. As this requirement merely harmonizes with EASA's corresponding requirement, with which part 25 manufacturers are already in compliance, there is no additional cost. However, the requirement has the minimal benefits of the reduced cost of joint harmonization and, therefore, would be cost beneficial.

Along with an associated change to § 25.1301, Function and Installation, proposed § 25.1309(a)(2) would allow equipment associated with passenger amenities ( e.g., entertainment displays and audio systems) not to function as intended as long as the failure of such systems would not affect airplane safety. No safety benefit is derived from demonstrating that such equipment performs as intended, if failing to perform as intended would not affect safety. Accordingly, this proposed change would reduce the certification cost of passenger amenities for airplane manufacturers without affecting safety, and, therefore, this proposed change would be cost-beneficial.

b. Section 25.1309(b)(1), (2), and (3): Average Risk and Fail Safe Criteria

The current rule requires airplane systems and associated components be designed so that any failure condition that would prevent the continued safe flight and landing of the airplane (catastrophic failure condition) is “extremely improbable,” a condition specified in current AC 25.1309-1A as having a probability on the order of ≤10^−[9] per flight hour. However, as recommended by the SDAHWG, the proposed text of § 25.1309(b) would explicitly require that single failures must not result in catastrophic failures—the “no single failure” fail-safe requirement. As it harmonizes with the equivalent EASA requirement and is already current industry practice (see the “Arsenal” version of AC 25.1309), this proposed “no single failure” requirement would be cost beneficial as it entails no additional cost but has Start Printed Page 75448 benefits from the reduced costs of joint harmonization.^[56]

The current rule requires any failure condition that would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to be “improbable” (on the order of 10⁻⁹ < p ≤ 10⁻⁵ , where p is probability), a condition specified under current AC 25.1309-1A as “major.” Current practice, however, is the “Arsenal” version of AC 25.1309, under which the old “major” failure condition has been divided into two categories: “hazardous” (on the order of 10⁻⁹ < p ≤ 10⁻⁷ ) and “major” (on the order of 10⁻⁷ < p ≤ 10⁻⁵ ). These categories have been incorporated into the proposed rule. As it harmonizes with corresponding EASA major and hazardous categories and is current industry practice, this proposed rule change would be cost beneficial as it entails no additional costs but has benefits from the reduced costs of joint harmonization.

c. Section 25.1309(b)(4): Limit Latency Criteria

Proposed § 25.1309(b)(4) specifies criteria that would apply to any SLF. The purpose of proposed § 25.1309(b)(4) is to limit SLFs whenever practical so as to limit conditions where the airplane is one failure away from a hazardous or catastrophic accident.

It is already industry practice to eliminate SLFs when practical, as required by proposed § 25.1309(b)(4)(i); therefore, the proposal would entail no additional cost. In any case, proposed § 25.1309(b)(4) is cost beneficial because proposed paragraph (4)(i) is limited by paragraph (4)(ii) and, further, under § 25.1309(b)(4)(iii), both paragraphs (4)(i) and (b)(4)(ii) are not required when impractical.

d. Section 25.1309(c): Flightcrew Alerting

Section 25.1309(c) would continue to require that the flightcrew be provided with information concerning unsafe system operating conditions. Section 25.1322 would continue to require that alerting be provided. The only proposed change in this rule is to remove the conflict with § 25.1322, Flightcrew Alerting. Accordingly, there is no cost (or benefit) entailed by the proposed rule change.

e. Section 25.1309(d) and H25.4: Certification Maintenance Requirements

Proposed § 25.1309(d) would be a new rule requiring that CMRs be established, as necessary, to prevent catastrophic and hazardous failure conditions described in proposed § 25.1309(b). The proposed rule also would require these CMRs to be contained in the ALS of the ICA required by § 25.1529. This latter requirement is an industry recommendation via the SE-172 Taskforce to CAST ^[57] , and it addresses the taskforce's recognition that CMRs are critical to safety and should be treated similarly to other airworthiness limitations.

Both of these proposed requirements would codify industry practice and would harmonize with EASA's changes to CS 25.1309 and H25.4, and so would entail no additional costs. However, the requirements would have the benefits of reduced joint harmonization costs and, therefore, would be cost beneficial.

8. Section 25.671: General Control Systems

a. Section 25.671(a), (d), (e), and (f)

Since industry has been meeting the proposed criteria in paragraphs (a), (e), and (f) under special conditions since the early 1980s, the FAA believes that these proposed criteria are now met at minimal cost. The modification to § 25.671(d) clarifies that controllability includes the capability to flare to a landing and controlled stop. The FAA believes that if the airplane is controllable, the manufacturer will be able to meet the requirement for flare and braking capability at minimal cost. The FAA requests comments on these findings.

b. Section 25.671(b): Minimize Probability of Incorrect Assembly

Section 25.671(b) would be revised to allow distinctive and permanent marking to minimize the probability of incorrect assembly only when design means are impractical. This revision was recommended by the FCHWG. It is expert consensus that the physical prevention of misassembly by design is safer than reliance on marking, which can be overlooked or ignored. Since distinctive and permanent marking to minimize the probability of incorrect assembly is disallowed only when design means are practical, the expected gain in safety benefits from the reduced probability of incorrect assembly would be greater than the costs of the proposed revision. The FAA requests comments on its finding that this provision is cost-beneficial.

c. Section 25.671(c)

The FAA proposes to revise § 25.671(c). Current § 25.671(c)(1) and (c)(2) would be removed, because the applicability of § 25.1309 would be clarified to be any equipment or system as installed on the airplane, so it would apply to flight control systems and would accomplish the safety objective of § 25.671(c)(1) and (c)(2). Proposed 25.671(c) differs from the current rule as follows:

• Proposed § 25.671(c) addresses only jams that are due to a physical interference, for example, foreign or loose object, system icing, corroded bearings, etc. (Jams due to other reasons are covered by § 25.1309.)
• Proposed § 25.671(c) does not allow jams to be considered extremely improbable, except those jams that occur just before landing.
• Proposed § 25.671(c)(3) specifies that, given a jam due to a physical interference, the combined probability is less than 1/1000 that any additional failure conditions could prevent continued safe flight and landing. As the main intent of § 25.671(c)(3) is to limit the probability of a latent failure of any jam alleviation device (such as a breakout device), § 25.671(c)(3) is largely redundant to the proposed § 25.1309(b)(5) latent risk requirement.
• Proposed § 25.671(c) would no longer address a runaway of a flight control surface and subsequent jam as such jams would be adequately addressed by proposed § 25.1309.

As proposed § 25.671(c) has been used by many manufacturers as an ELOS, the FAA believes its use is current practice. Accordingly, there are no additional costs (or benefits) from § 25.671(c)(1). The FAA requests comments on this conclusion.

9. Section 25.901: Installation Engines

Proposed § 25.901 would specify that § 25.1309 applies to powerplant installations, as it does for all airplane systems. Accordingly, the current provision in § 25.901(c) prohibiting catastrophic single failures or probable combinations of failures would be removed. Applicant requirements would not change as a result of this revised rule. The proposed revision would harmonize § 25.901(c) with EASA's corresponding CS 25.901(c). Accordingly, the proposed revision would be cost-beneficial as it entails no additional cost but has benefits from the reduced costs of joint harmonization. Start Printed Page 75449 The FAA requests comments on this conclusion.

10. Section 25.933: Reversing Systems

Proposed § 25.933(a)(1)(i) retains, as an option, the “controllability” standard of the current rule. Proposed § 25.933(a)(1)(ii) is an additional, “reliability,” option. The service history of airplanes certified under the current rule—most prominently, the Lauda Air accident—demonstrates that the fail-safe intent of the controllability requirement had not been achieved.

The PPIHWG recommended adding the reliability option, concluding that applicants should be allowed to select the most suitable option for their particular type designs or failure conditions addressed. This option is especially valuable given its improvement implied by the proposed revision to § 25.1309.^[58] This proposed change allows additional flexibility in design development, thus reducing costs by allowing manufacturers to achieve the intended level of safety in the most cost-effective manner. As this proposed rule would be cost relieving, it would be cost beneficial. The FAA requests comments on this conclusion.

11. Section 25.302: Interaction of Systems and Structures

Proposed § 25.302 would be a new rule that would incorporate, with some modifications, the criteria the LDHWG recommended in December 2000, and the FCHWG in September 2002. EASA has already incorporated the criteria developed by the LDHWG into CS 25.302 and appendix K of CS-25.

The proposed rule would specifically address any system failure condition considered under § 25.1309 that can affect the structural performance of the airplane. Systems affect structural performance if they induce loads on the airframe or if they change the response of the airplane to inputs such as gusts or pilot actions, either directly or as a result of failure. Systems that affect structural performance are flight control computers, autopilots, stability augmentation systems, load alleviations systems, and fuel management systems. The proposed rule would also apply to hydraulic systems, electrical systems, and mechanical systems.

U.S. part 25 manufacturers already comply with EASA's CS 25.302, which went into effect in November 2004. Accordingly, the costs of compliance with the FAA's proposed § 25.302 depends on the extent to which it harmonizes with CS 25.302. If the provisions of proposed § 25.302 are identical with, less onerous than, or, more generally, satisfied by, the provisions of CS 25.302, then compliance with CS 25.302 would also mean compliance with proposed § 25.302. This harmonization means U.S. part 25 manufacturers would incur no incremental compliance costs. If the provisions of proposed § 25.302 are more onerous than, or, more generally, not satisfied by, the provisions of CS 25.302, then manufacturers would incur incremental compliance costs.

The FAA now assesses the benefits and costs of proposed § 25.302 by section:

a. Section 25.302(a): At the Time of Failure Occurrence

For the assessment of the initial failure condition, EASA's CS 25.302 allows the safety factor to decline linearly from 1.5 to 1.25 as the probability of failure declines from 10⁻⁵ to 10⁻⁹ per flight hour but proposed § 25.302(a) keeps the factor at 1.5. The FAA proposal, therefore, would be more conservative in this regard, but, after two decades of special conditions, this more conservative factor is now easily met by manufacturers. Therefore, the cost effect would be minimal. As safety would be higher compared to CS 25.302, this proposed requirement would be cost beneficial. The FAA requests comments on this finding.

b. Section 25.302(b): Continuation of Flight After Failure

CS 25.302 requires that loads be determined for several CS-25 design load conditions, whereas the FAA proposal would require that loads be determined for any design load condition that would be affected. CS 25.302 requires a safety factor of 1.5 for a failure condition with a failure rate above 10⁻⁵, but which declines linearly to 1.0 as probability declines from 10⁻⁵ to 10⁻⁹.

The FAA proposal specifies a safety factor of 1.5 but would reduce the safety factor to 1.0 if the failure condition is annunciated, because the probability of an extreme maneuver would be reduced as the pilot would be aware that a failure condition had occurred. The FAA would reduce the safety factor to 1.25 if the failure condition is extremely remote (probability of the order of ≤10⁻⁷ per flight hour). The probability is very low that a design load condition would occur subsequent to a system failure on the same flight. The FAA proposal, therefore, is less conservative than the EASA requirement in requiring lower safety factors, particularly for annunciated failures; and most failures that affect structures would be annunciated.

The FAA proposal is more conservative, however, in applying to all load conditions specified in subpart C, with the possible result of higher engineering, hardware, and operating compliance costs relative to EASA requirements. Nevertheless, the FAA believes that the safety benefits would continue to outweigh the costs. The FAA requests comments on this conclusion.

c. Section 25.302(d)

This proposed rule would require the residual strength evaluation be conducted according to § 25.571—the fatigue and damage tolerance rule—and it, therefore, assesses the residual strength load conditions in § 25.571, rather than the load conditions listed in CS 25.302. This proposed change would result in little or no increase in workload and, consequently, would have minimal cost because manufacturers already use the § 25.571 process and because the differences in load conditions between the two provisions are not significant. The FAA requests comments on this finding.

d. Section 25.302(e): Dispatch Requirements

CS 25.302 requires that anticipated dispatch configurations be addressed by meeting the strength and flutter aspects of CS 25.302 taking into account the probability of being in that configuration. CS 25.302 includes: “Flight limitations and expected operational limitations may be taken into account in establishing . . . the combined probability of being in the dispatched failure condition and the subsequent failure condition for the safety margins . . . . ” ^[59] This means that the applicant must combine the probability of being in the dispatched state with the probability of subsequent failures to determine safety margins. This analysis obviously involves a fair amount of probability work. Moreover, for the dispatched configuration, CS 25.302 would consider any failure condition not shown to be extremely improbable (on the order of ≤10⁻⁹ per flight hour). Several applicants have specifically objected to the CS dispatch rule because of this latter requirement.

In contrast, the FAA proposal is simpler, less onerous, and involves less Start Printed Page 75450 probability work. First, the proposal does not include flutter criteria. Second, the proposal assumes a probability of one for the dispatched configuration, and subsequent failures would be considered only if they were single failures or if they are not extremely remote (of the order of ≤10⁻⁷ per flight hour). The FAA believes that the incremental cost of the simpler and less onerous FAA proposal is so low that the safety benefits of the proposal would continue to outweigh the costs. The FAA requests comments on this finding.

B. Regulatory Flexibility Determination

The Regulatory Flexibility Act of 1980 (Pub. L. 96-354) (RFA) establishes “as a principle of regulatory issuance that agencies shall endeavor, consistent with the objectives of the rule and of applicable statutes, to fit regulatory and informational requirements to the scale of the businesses, organizations, and governmental jurisdictions subject to regulation. To achieve this principle, agencies are required to solicit and consider flexible regulatory proposals and to explain the rationale for their actions to assure that such proposals are given serious consideration.” The RFA covers a wide range of small entities, including small businesses, not-for-profit organizations, and small governmental jurisdictions. Agencies must perform a review to determine whether a rule will have a significant economic impact on a substantial number of small entities. If the agency determines that it will, the agency must prepare a regulatory flexibility analysis as described in the RFA.

However, if an agency determines that a rule is not expected to have a significant economic impact on a substantial number of small entities, section 605(b) of the RFA provides that the head of the agency may so certify, and a regulatory flexibility analysis is not required. The certification must include a statement providing the factual basis for this determination, and the reasoning should be clear.

All U.S. manufacturers (applicants for type certification) of large transports or part 25 business jets are large companies with more than 1,500 employees or are subsidiaries of large companies so-defined and, therefore, are not classified as small entities by the Small Business Administration.^[60] Operators of part 25 airplanes will be directly affected by the $1,102 annual incremental operating cost (maintenance) per large transport and the $147 annual incremental operating cost per part 25 business jet. These costs are minimal, especially compared to the high annual operating cost of part 25 airplanes.

If an agency determines that a rulemaking will not result in a significant economic impact on a substantial number of small entities, the head of the agency may so certify under section 605(b) of the RFA. Therefore, as provided in section 605(b), the head of the FAA proposes that this proposed rulemaking would not result in a significant economic impact on a substantial number of small entities. The FAA requests comments on this determination.

C. International Trade Impact Assessment

The Trade Agreements Act of 1979 (Pub. L. 96-39), as amended by the Uruguay Round Agreements Act (Pub. L. 103-465), prohibits Federal agencies from establishing standards or engaging in related activities that create unnecessary obstacles to the foreign commerce of the United States. Pursuant to these Acts, the establishment of standards is not considered an unnecessary obstacle to the foreign commerce of the United States, so long as the standard has a legitimate domestic objective, such as the protection of safety, and does not operate in a manner that excludes imports that meet this objective. The statute also requires consideration of international standards and, where appropriate, that they be the basis for U.S. standards.

The FAA has assessed the effect of this proposed rule and determined that its purpose is to ensure the safety of U.S. civil aviation. Therefore, this proposed rule is in compliance with the Trade Agreements Act.

D. Unfunded Mandates Assessment

Title II of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) requires each Federal agency to prepare a written statement assessing the effects of any Federal mandate in a proposed or final agency rule that may result in an expenditure of $100 million or more (in 1995 dollars) in any one year by State, local, and tribal governments, in the aggregate, or by the private sector; such a mandate is deemed to be a “significant regulatory action.” The FAA currently uses an inflation-adjusted value of $155.0 million in lieu of $100 million. This proposed rule does not contain such a mandate; therefore, the requirements of Title II of the Act do not apply.

E. Paperwork Reduction Act

The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires that the FAA consider the impact of paperwork and other information collection burdens imposed on the public. The FAA has determined that there would be no new requirement for information collection associated with this proposed rule.

F. International Compatibility and Cooperation

In keeping with U.S. obligations under the Convention on International Civil Aviation, it is FAA policy to conform to International Civil Aviation Organization (ICAO) Standards and Recommended Practices to the maximum extent practicable. The FAA has determined that there are no ICAO Standards and Recommended Practices that correspond to these proposed regulations.

In January of 2020, EASA published CS 25 amendment 24, which bore many similarities to this proposal, including added criteria for latent failures in CS 25.1309.

G. Environmental Analysis

FAA Order 1050.1F identifies FAA actions that are categorically excluded from preparation of an environmental assessment or environmental impact statement under the National Environmental Policy Act in the absence of extraordinary circumstances. The FAA has determined this rulemaking action qualifies for the categorical exclusion identified in paragraph 5-6.6 and involves no extraordinary circumstances.

V. Executive Order Determinations

A. Executive Order 13132, Federalism

The FAA has analyzed this proposed rule under the principles and criteria of Executive Order 13132, “Federalism” (64 FR 43255, August 10, 1999). The agency has determined that this action would not have a substantial direct effect on the States, or the relationship between the Federal Government and the States, or on the distribution of power and responsibilities among the various levels of government, and, therefore, would not have federalism implications.

B. Executive Order 13211, Regulations That Significantly Affect Energy Supply, Distribution, or Use

The FAA analyzed this proposed rule under Executive Order 13211, “Actions Concerning Regulations that Significantly Affect Energy Supply, Distribution, or Use” (66 FR 28355, May Start Printed Page 75451 18, 2001). The agency has determined that it would not be a “significant energy action” under the Executive order and would not be likely to have a significant adverse effect on the supply, distribution, or use of energy.

C. Executive Order 13609, International Cooperation

Executive Order 13609, “Promoting International Regulatory Cooperation,” (77 FR 26413, May 4, 2012) promotes international regulatory cooperation to meet shared challenges involving health, safety, labor, security, environmental, and other issues and to reduce, eliminate, or prevent unnecessary differences in regulatory requirements. The FAA has analyzed this action under the policies and agency responsibilities of Executive Order 13609 and has determined that this action would have no effect on international regulatory cooperation.

VI. Additional Information

A. Comments Invited

The FAA invites interested persons to participate in this rulemaking by submitting written comments, data, or views. The agency also invites comments relating to the economic, environmental, energy, or federalism impacts that might result from adopting the proposals in this document. The most helpful comments reference a specific portion of the proposal, explain the reason for any recommended change, and include supporting data. To ensure the docket does not contain duplicate comments, commenters should send only one copy of written comments, or if comments are filed electronically, commenters should submit only one time.

Except for Confidential Business Information (CBI) as described in the following paragraph, and other information as described in 14 CFR 11.35, the FAA will file in the docket all comments it receives, as well as a report summarizing each substantive public contact with FAA personnel concerning this proposed rulemaking. Before acting on this proposal, the FAA will consider all comments it receives on or before the closing date for comments. The FAA will consider comments filed after the comment period has closed if it is possible to do so without incurring expense or delay. The agency may change this proposal in light of the comments it receives.

Confidential Business Information: Confidential Business Information (CBI) is commercial or financial information that is both customarily and actually treated as private by its owner. Under the Freedom of Information Act (FOIA) (5 U.S.C. 552), CBI is exempt from public disclosure. If your comments responsive to this NPRM contain commercial or financial information that is customarily treated as private, that you actually treat as private, and that is relevant or responsive to this NPRM, it is important that you clearly designate the submitted comments as CBI. Please mark each page of your submission containing CBI as “PROPIN.” The FAA will treat such marked submissions as confidential under the FOIA, and they will not be placed in the public docket of this NPRM. Submissions containing CBI should be sent to Suzanne Masterson, Strategic Policy Transport Section, AIR-614, Strategic Policy Management Branch, Policy and Innovation Division, Aircraft Certification Service, Federal Aviation Administration, 2200 South 216th Street, Des Moines, WA 98198; email Suzanne.Masterson@faa.gov. Any commentary that the FAA receives which is not specifically designated as CBI will be placed in the public docket for this rulemaking.

B. Availability of Rulemaking Documents

An electronic copy of rulemaking documents may be obtained from the internet by—

1. Searching the Federal eRulemaking Portal at www.regulations.gov;

2. Visiting the FAA's Regulations and Policies web page at www.faa.gov/​regulations_​policies; or

3. Accessing the Government Printing Office's web page at www.GovInfo.gov.

Copies may also be obtained by sending a request to the Federal Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence Avenue SW, Washington, DC 20591, or by calling (202) 267-9680. Commenters must identify the docket or notice number of this rulemaking.

All documents the FAA considered in developing this proposed rule, including economic analyses and technical reports, may be accessed from the internet through the Federal eRulemaking Portal referenced in item (1) above.

List of Subjects in 14 CFR Part 25

• Aircraft
• Aviation safety
• Reporting and recordkeeping requirements

The Proposed Amendment

In consideration of the foregoing, the Federal Aviation Administration proposes to amend chapter I of title 14, Code of Federal Regulations as follows:

PART 25—AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES

1. The authority citation for part 25 continues to read as follows:

Authority: 49 U.S.C. 106(f), 106(g), 40113, 44701, 44702 and 44704.

2. Add § 25.4 to read as follows:

3. Add § 25.302 to subpart C to read as follows:

4. Amend § 25.629 by revising the introductory text of paragraphs (b) and (d), redesignating paragraph (d)(10) as paragraph (d)(11), and adding paragraph (d)(10) to read as follows:

5. Revise § 25.671 to read as follows:

6. Amend § 25.901 by revising paragraph (c) to read as follows:

7. Amend § 25.933 by revising paragraph (a)(1) to read as follows:

8. Revise § 25.1301 to read as follows:

9. Revise § 25.1309 to read as follows:

10. Amend § 25.1365 by revising paragraph (a) to read as follows:

11. In appendix H to part 25, under the heading H25.4, add paragraph (a)(6) to read as follows:

Appendix H to Part 25—Instructions for Continued Airworthiness

H25.4 Airworthiness Limitations Section

(a) * * *

(6) Each certification maintenance requirement established to comply with any of the applicable provisions of part 25.

Footnotes