Federal Aviation Administration, DOT.
Final policy statement.
This document announces an FAA policy applicable to the type certification of transport category airplanes. This document advises the public, in particular manufacturers of transport category airplanes and their suppliers, that the FAA intends to adopt a new policy concerning the type certification assessment of thrust management systems.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Mike McRae, Federal Aviation Administration, Transport Airplane Directorate, Transport Standards Staff, Propulsion/Mechanical Systems Branch, ANM-112, 1601 Lind Avenue SW., Renton, WA 98055-4056; telephone (425) 227-2133; fax (425) 227-1320; e-mail: email@example.com.End Further Info End Preamble Start Supplemental Information
The FAA traditionally has certified automated thrust management features, such as autothrottles and “target rating” displays, on the basis that they are only conveniences to reduce crew workload and do not relieve the crew of any responsibility for assuring proper thrust management. Consequently, even when the crew is no longer directly involved in performing a given thrust management function, they must be “aware” when this function is not being performed safely. Further, when they do become “aware” of any thrust management malfunction, they must be capable of taking appropriate corrective action to safely address that malfunction.
For most thrust management systems (TMS) that the FAA has certified to date, this crew “awareness” has been accepted as coming from:
a. Inherent aircraft operational cues (for example, failure of the throttles to properly respond to an autothrottle command is usually assumed to be detectable by improper movement of the throttle levers, engine indications, or other inherent aircraft responses); or
b. Adherence to training and procedures (for example, crews are trained to cross-check the TMS “target rating” against the Quick Reference Handbook rating or the rating on a dispatch sheet); or
c. Dedicated failure detection and annunciation (for example, if the autothrottle detects that it cannot perform its function, under some circumstances it will automatically disconnect itself and announce that fact through a crew alerting feature).
Service History Involving TMS Issues
There have been at lest two recent accidents related to TMS effects:
1. March 31, 1995, Tarom Airbus Model A310-300, Bucharest, Hungary: The airplane crashed shortly after takeoff. The Romanian investigating team indicated that the probable cause of the accident was the combination of an autothrottle failure that generated Start Printed Page 10794asymmetric thrust and the pilot's apparent failure to react quickly enough to the developing emergency.
2. November 24, 1992, China Southern Boeing Model 737-300, Guilin, China: The airplane crashed shortly before landing at Guilin. The Civil Aviation Administration of China team investigating the probable cause of the accident concluded that the right autothrottle did not react during descent and level off. As a result, the thrust asymmetry induced the airplane to roll to the right. The flightcrew failed to recognize the abnormality and make correction in time, “followed by wrongful control input and crashed.”
Data from these accident investigations have provided evidence that it is incorrect to assume that the flightcrew will always detect and address potentially adverse TMS effects strictly from inherent operational cues.
Similarly, other service experience suggests that it is not reasonable to expect the flightcrew to adhere strictly to operational checks that are not specified in the flight manual, and that usually indicate the system is working correctly. It is not sufficient to find that the flightcrew “should normally be able” to detect and safety accommodate theses failures. Instead, it should be found that the flightcrew is anticipated “always” to safely accommodate these failures. This distinction is intended to differentiate between those “human errors” that are simply part of anticipated human behaviors and limitations, and those that are “extraordinary” or “negligent.”
The FAA maintains that transport category airplane type designs should safely accommodate anticipated human errors. Therefore, the FAA has concluded that dedicated failure detection and annunciation is necessary to provide adequate “crew awareness” of TMS malfunctions.
Discussion of Proposed Policy Statement
On June 14, 2001, the FAA issued a notice of policy statement; request for comments (66 FR 32410) concerning how the FAA would evaluate various items when certifying automatic thrust management features in transport category airplanes. No comments were received. Accordingly, the FAA Policy on Type Certification Assessment of Thrust Management Systems is adopted as proposed.
Intent of This Policy Statement
The FAA intends the policy discussed in this document to ensure that the actual criticality of automated thrust management features is identified and adequately addressed during type certification compliance with the fail-safe requirements of Title 14, Code of Federal Regulations (CFR), part 25, including:
§ 25.901(c) (“Powerplant: Installation”),
§ 25.903(b) (“Engines”), and
§ 25.1309(b) (“Equipment, systems, and installations”).
This policy is included in a draft Advisory Circular (AC) 25.901-1X, “Safety Assessment of Powerplant Installations,” which the Aviation Rulemaking Advisory committee (ARAC) developed and submitted to the FAA as a recommendation for issuance. (Refer to 56 FR 2190, January 22, 1991, for more information about ARAC. Refer to 57 FR 58845, December 11, 1992, for more information about the ARAC-sponsored working group assigned to develop the recommendation.)
Draft AC 25.901-1X currently is part of a planned “Safety Assessment” rulemaking package that will include several proposed rules and advisory circulars. The FAA plans to issue those proposed documents for public comment at a future date. However, the FAA has chosen to publish this particular segment as a policy statement in advance of the complete AC 25.901-1X.
To reduce the exposure to accidents like those described above, the FAA will use this policy to identify and correct any similar unsafe conditions in the current transport fleet and for all future type certification activities.
Effect of Policy Statement
The policy stated in this document is not intended to establish a binding norm; it does not constitute a new regulation and the FAA would not apply or rely upon it as a regulation. The FAA Aircraft Certification Offices (ACO) that certify transport category airplanes and/or the thrust management systems installed on them should generally attempt to follow this policy, when appropriate. However, in determining compliance with certification standards, each ACO has the discretion not to apply these guidelines where it determines that they are inappropriate. Applicants should expect that the certificating officials will consider this information when making findings of compliance relevant to new certificate actions.
In addition, as with all advisory material, this policy statement identifies one means, but not the only means, of compliance.
The Policy Statement
Thrust Management Systems
A System Safety Assessment is essential for any airplane system that aids the crew in managing engine thrust (for example, computing target engine ratings, commanding engine thrust levels, etc.) At a minimum, the applicant must assess the system criticality and failure hazard classification.
The system criticality will depend on:
- The range of thrust management errors it could cause;
- The likelihood that the flightcrew will detect these errors and take appropriate corrective action; and
- The severity of the effects of these errors with and without intervention by the flightcrew.
The hazard classification will depend on the most severe effects anticipated from any system. The need for more in-depth analysis will depend upon such things as the system's complexity, novelty, initial failure hazard classification, and relationship to other aircraft systems.
Automated thrust management features, such as autothrottles and target rating displays, traditionally have been certified on the basis that they are only conveniences to reduce crew workload and do not relieve the flightcrew of any responsibility for assuring proper thrust management. In some cases, malfunctions of these systems can be considered minor, at most. However, for this to be valid, even when the flightcrew is no longer directly involved in performing a given thrust management function, the flightcrew must be provided with information concerning unsafe system operating conditions to enable them to take appropriate corrective action.
Consequently, failures within any automated thrust management feature that could create a catastrophe if not detected and properly accommodated by flightcrew action should be considered either:
1. a catastrophic failure condition when demonstrating compliance with § 25.1309(b) and/or § 25.901(c); or
2. an unsafe system operating condition when demonstrating compliance with the warning requirements of § 25.1309(c).Start Signature
Issued in Renton, Washington, on February 22, 2002.
Acting Manager, Transport Airplane Directorate, Aircraft Certification Service.
[FR Doc. 02-5634 Filed 3-7-02; 8:45 am]
BILLING CODE 4910-13-M