Federal Aviation Administration, DOT.
Notice of policy statement; request for comments.
This notice announces an FAA policy applicable to the type certification of transport category airplanes. This notice advises the public, in particular manufacturers of transport category airplanes and their suppliers, that the FAA intends to adopt a new policy concerning the type certification assessment of thrust management systems. This notice is necessary to advise the public of this FAA policy and give all interested persons an opportunity to present their views on it.
Send your comments by July 16, 2001.
Send all comments on this policy statement to the individual identified under FOR FURTHER INFORMATION CONTACT.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Mike McRae, Federal Aviation Administration, Transport Airplane Directorate, Transport Standards Staff, Propulsion/Mechanical Systems Branch, ANM-112, 1601 Lind Avenue SW., Renton, WA 98055-4056; telephone (425) 227-2133; fax (425) 227-1320; e-mail: email@example.com.End Further Info End Preamble Start Supplemental Information
You may comment on this policy statement by sending any written data, views, or arguments as you may desire. You must identify the Policy Statement Number ANM-01-02 on your comments, and send your comments, in duplicate, to the address indicated above. The Transport Airplane Directorate (Transport Standards Staff) will consider all communications received on or before the closing date for comments.
The FAA traditionally has certified automated thrust management features, such as autothrottles and “target rating” displays, on the basis that they are only conveniences to reduce crew workload and do not relieve the crew of any responsibility for assuring proper thrust management. Consequently, even when the crew is no longer directly involved in performing a given thrust management function, they must be “aware” when this function is not being performed safely. Further, when they do become “aware” of any thrust management malfunction, they must be capable of taking appropriate corrective action to safely address that malfunction.
For most thrust management systems (TMS) that the FAA has certified to date, this crew “awareness” has been accepted as coming from:
a. Inherent aircraft operational cues (for example, failure of the throttles to properly respond to an autothrottle command is usually assumed to be Start Printed Page 32411detectable by improper movement of the throttle levers, engine indications, or other inherent aircraft responses); or
b. Adherence to training and procedures (for example, crews are trained to cross-check the TMS “target rating” against the Quick Reference Handbook rating or the rating on a dispatch sheet); or
c. Dedicated failure detection and annunciation (for example, if the autothrottle detects that it cannot perform its function, under some circumstances it will automatically disconnect itself and announce that fact through a crew alerting feature).
Service History Involving TMS Issues
There have been at least two recent accidents related to TMS effects:
1. March 31, 1995, Tarom Airbus Model A310-300, Bucharest, Hungary
The airplane crashed shortly after takeoff. The Romanian investigating team indicated that the probable cause of the accident was the combination of an autothrottle failure that generated asymmetric thrust and the pilot's apparent failure to react quickly enough to the developing emergency.
2. November 24, 1992, China Southern Boeing Model 737-300, Guilin, China
The airplane crashed shortly before landing at Guilin. The Civil Aviation Administration of China team investigating the probable cause of the accident concluded that the right auto throttle did not react during descent and level off. As a result, the thrust asymmetry induced the airplane to roll to the right. The flightcrew failed to recognize the abnormality and make correction in time, “followed by wrongful control input and crashed.”
Data from these accident investigations have provided evidence that it is incorrect to assume that the flight crew will always detect and address potentially adverse TMS effects strictly from inherent operational cues.
Similarly, other service experience suggests that it is not reasonable to expect the flight crew to adhere strictly to operational checks that are not specified in the flight manual, and that usually indicate the system is working correctly. It is not sufficient to find that the flight crew “should normally be able” to detect and safely accommodate these failures. Instead, it should be found that the flight crew is anticipated “always” to safely accommodate these failures. This distinction is intended to differentiate between those “human errors” that are simply part of anticipated human behaviors and limitations, and those that are “extraordinary” or “negligent.”
The FAA maintains that transport category airplane type designs should safely accommodate anticipated human errors. Therefore, the FAA has concluded that dedicated failure detection and annunciation is necessary to provide adequate “crew awareness” of TMS malfunctions.
Intent of This General Statement of Policy
The FAA intends the policy discussed in this notice to ensure that the actual criticality of automated thrust management features is identified and adequately addressed during type certification compliance with the fail-safe requirements of Title 14, Code of Federal Regulations (CFR), part 25, including:
§ 25.901(c) (“Powerplant: Installation”),
§ 25.903(b) (“Engines”), and
§ 25.1309(b) (“Equipment, systems, and installations”).
This policy is included in a draft Advisory Circular (AC) 25.901-1X, “Safety Assessment of Powerplant Installations,” which the Aviation Rulemaking Advisory Committee (ARAC) developed and submitted to the FAA as a recommendation for issuance. (Refer to 56 FR 2190, January 22, 1991, for more information about ARAC. Refer to 57 FR 58845, December 11, 1992, for more information about the ARAC-sponsored working group assigned to develop the recommendation.)
Draft AC 25.901-1X currently is part of a planned “Safety Assessment” rulemaking package that will include several proposed rules and advisory circulars. The FAA plans to issue those proposed documents for public comment at a future date.
However, the FAA has chosen to publish this particular segment as a general statement of policy in advance of the complete AC 25.901-1X.
To reduce the exposure to accidents like those described above, the FAA expects to use this policy to identify and correct any similar unsafe conditions in the current transport fleet and for all future type certification activities.
Effect of General Statement of Policy
The general policy stated in this document is not intended to establish a binding norm; it does not constitute a new regulation and the FAA would not apply or rely upon it as a regulation. The FAA Aircraft Certification Offices (ACO) that certify transport category airplanes and/or the thrust management systems installed on them should generally attempt to follow this policy, when appropriate. However, in determining compliance with certification standards, each ACO has the discretion not to apply these guidelines where it determines that they are inappropriate. Applicants should expect that the certificating officials will consider this information when making findings of compliance relevant to new certificate actions.
In addition, as with all advisory material, this statement of policy identifies one means, but not the only means, of compliance.
Because this general statement of policy only announces what the FAA seeks to establish as policy, the FAA considers it an issue for which public comment is appropriate. Therefore, the FAA requests comment on the following proposed general statement of policy relevant to type certification assessment of thrust management systems.
The Policy Statement
Thrust Management Systems. A System Safety Assessment is essential for any airplane system that aids the crew in managing engine thrust (for example, computing target engine ratings, commanding engine thrust levels, etc.). As a minimum, the applicant must assess the system criticality and failure hazard classification.
The system criticality will depend on:
- The range of thrust management errors it could cause;
- The likelihood that the flight crew will detect these errors and take appropriate corrective action; and
- The severity of the effects of these errors with and without intervention by the flight crew.
The hazard classification will depend on the most severe effects anticipated from any system. The need for more in-depth analysis will depend upon such things as the system's complexity, novelty, initial failure hazard classification, and relationship to other aircraft systems.
Automated thrust management features, such as autothrottles and target rating displays, traditionally have been certified on the basis that they are only conveniences to reduce crew workload and do not relieve the flight crew of any responsibility for assuring proper thrust management. In some cases, malfunctions of these systems can be considered minor, at most. However, for this to be valid, even when the flight crew is no longer directly involved in performing a given thrust management function, the flight crew must be provided with information concerning unsafe system operating conditions to Start Printed Page 32412enable them to take appropriate corrective action.
Consequently, failures within any automated thrust management feature that could create a catastrophe if not detected and properly accommodated by flight crew action should be considered either:
1. A catastrophic failure condition when demonstrating compliance with § 25.1309(b) and/or § 25.901(c); or
2. An unsafe system operating condition when demonstrating compliance with the warning requirements of § 25.1309(c).Start Signature
Issued in Renton, Washington, on June 1, 2001.
Dorenda D. Baker,
Acting Manager, Transport Airplane Directorate, Aircraft Certification Service.
[FR Doc. 01-14489 Filed 6-13-01; 8:45 am]
BILLING CODE 4910-13-P