Federal Aviation Administration (FAA), DOT.
Final special condition.
This special condition is issued for the modification of the Robinson Model R44 helicopter. This modification will have novel or unusual design features associated with installing a complex Autopilot/Stabilization Augmentation System (AP/SAS) that has potential failure modes with more severe adverse consequences than those envisioned by the existing applicable airworthiness regulations. This proposal contains the additional safety standards that the Administrator considers necessary to ensure that the failures and their effects are sufficiently analyzed and contained.
Effective Date: April 28, 2006.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Robert McCallister, Aviation Safety Engineer, FAA, Rotorcraft Directorate, Rotorcraft Standards Staff, 2601 Meacham Blvd., Fort Worth, Texas 76193-0110; telephone (817) 222-5121, FAX (817) 222-5961.End Further Info End Preamble Start Supplemental Information
On January 18, 2000, Hoh Aeronautics, Inc. submitted an application for a Supplemental Type Certification (STC) for the installation of an Autopilot Stability/Augmentation System (AP/SAS) on a Robinson Model R44 helicopter through the FAA's Los Angles Aircraft Certification Office (LA ACO). The Robinson Model R44 helicopter is a part 27 Normal category, single reciprocating engine, conventional helicopter designed for civil operation. The helicopter is capable of carrying three passengers with one pilot, and has a maximum gross weight of approximately 2,400 pounds. The major design features include a 2-blade, fully articulated main rotor, a 2-blade anti-torque tail rotor, a skid landing gear, and a visual flight rule (VFR) basic avionics configuration. Hoh Aeronautics, Inc. proposes to install a three-axis AP/SAS.
Type Certification Basis
Under the provisions of 14 CFR 21.115, Hoh Aeronautics, Inc. must show that the Robinson Model R44 helicopter, as modified by the installed AP/SAS, meets 14 CFR 21.101 standards. The baseline of the certification basis for the unmodified R44 is listed in Type Certification Data Sheet Number H11NM, Revision 3. Additionally, compliance must be shown to any special conditions prescribed by the Administrator.
If the Administrator finds that the applicable airworthiness regulations, as they pertain to this STC, do not contain adequate or appropriate safety standards because of a novel or unusual design feature, special conditions are prescribed under the provisions of § 21.101(d).
In addition to the applicable airworthiness regulations and special conditions, Hoh Aeronautics, Inc. must show compliance of the AP/SAS STC-altered Robinson Model R44 helicopter with the noise certification requirements of 14 CFR part 36; and the FAA must issue a finding of regulatory adequacy pursuant to 49 U.S.C. 44715 (formerly § 611 of the Federal Aviation Act of 1958 as amended by section 7 of Pub. L. 92-574, the “Noise Control Act of 1972”).
Special conditions, as appropriate, are defined in § 11.19, and issued by following the procedures in § 11.38 and become part of the type certification basis in accordance with § 21.101.
Special conditions are initially applicable to the model for which they are issued. Should Hoh Aeronautics, Inc. apply for a supplemental type certificate to modify any other model included on the same type certificate to incorporate the same or similar novel or unusual design feature, the special condition would also apply to the other model under the provisions of § 21.101.
Novel or Unusual Design Features
The Hoh Aeronautics, Inc. AP/SAS system incorporates novel or unusual design features, for installation in a Robinson Model R44 helicopter, Type Certification Data Sheet Number H11NM. This AP/SAS system performs non-critical control functions, since this model helicopter has been certificated to meet the applicable requirements independent of this system. However, the possible failure modes for this system, and their effect on the helicopter's ability to continue safe flight and landing, are more severe than those envisioned by the present rules when they were first promulgated.
Discussion of Comments
Notice of proposed special condition No. 27-013-SC for the Robinson R44 Helicopter was published in the Federal Register on June 8, 2005 (70 FR 33399). No comments were received on the special condition as proposed. After careful review of the available data, the FAA has determined that air safety and the public interest require the adoption of the special condition with only minor, non-substantive changes.
Definitions of Failure Condition Categories—Failure Conditions are classified, according to the severity of their effects on the aircraft, into one of the following categories:
1. No Effect—Failure Conditions that would have no effect on safety; for example, Failure Conditions that would not affect the operational capability of the rotorcraft or increase crew workload; however, could result in an inconvenience to the occupants, excluding the flight crew.
2. Minor—Failure conditions which would not significantly reduce rotorcraft safety, and which would involve crew actions that are well within their capabilities. Minor failure conditions may include, for example, a slight reduction in safety margins or functional capabilities, a slight increase in crew workload, such as routine flight Start Printed Page 15558plan changes, or some physical discomfort to occupants.
3. Major—Failure conditions which would reduce the capability of the rotorcraft or the ability of the crew to cope with adverse operating conditions to the extent that there would be, for example, a significant reduction in safety margins or functional capabilities, a significant increase in crew workload or in conditions impairing crew efficiency, physical distress to occupants, possibly including injuries, or physical discomfort to the flight crew.
4. Hazardous/Severe-Major—Failure conditions which would reduce the capability of the rotorcraft or the ability of the crew to cope with adverse operating conditions to the extent that there would be:
- A large reduction in safety margins or functional capabilities;
- Physical distress or excessive workload that would impair the flight crew's ability to the extent that they could not be relied on to perform their tasks accurately or completely; or,
- Possible serious or fatal injury to a passenger or a cabin crewmember, excluding the flight crew.
“Hazardous/Severe-Major” failure conditions can include events that are manageable by the crew by use of proper procedures, which, if not implemented correctly or in a timely manner, may result in a Catastrophic Event.
5. Catastrophic—Failure Conditions which would result in multiple fatalities to occupants, fatalities or incapacitation to the flight crew, or result in loss of the rotorcraft.
The present §§ 27.1309 (b) and (c) regulations do not adequately address the safety requirements for systems whose failures could result in “Catastrophic” or “Hazardous/Severe-Major” failure conditions, or for complex systems whose failures could result in “Major” failure conditions. The current regulations are inadequate because when §§ 27.1309(b) and (c) were promulgated, it was not envisioned that this type of rotorcraft would use systems that are complex or whose failure could result in “Catastrophic” or “Hazardous/Severe-Major” effects on the rotorcraft. This is particularly true with the application of new technology, new application of standard technology, or other applications not envisioned by the rule that affect safety.
We require that Hoh Aeronautics, Inc. provide the FAA with a Systems Safety Assessment (SSA) for the final AP/SAS installation configuration that will adequately address the safety objectives established by the Functional Hazard Assessment (FHA) and the Preliminary System Safety Assessment (PSSA), including the Fault Tree Analysis (FTA). This will ensure that all failure modes and their resulting effects are adequately addressed for the installed AP/SAS. The SSA process, FHA, PSSA, and FTA are all parts of the overall Safety Assessment (SA) process discussed in FAA Advisory Circular (AC) 27-1B (Certification of Normal Category Rotorcraft) and SAE document ARP 4761 (Guidelines and Methods for Conducting the Safety Assessment Process on civil airborne Systems and Equipment).
We require that the applicant comply with the existing requirements of § 27.1309 for all applicable design and operational aspects of the AP/SAS with the failure condition categories of “No Effect,” and “Minor,” and for non-complex systems whose failure condition category is classified as “Major.” We require that the applicant comply with the requirements of this special condition for all applicable design and operational aspects of the AP/SAS with the failure condition categories of “Catastrophic” and “Hazardous Severe/Major,” and for complex systems whose failure condition category is classified as “Major.”
A complex system is a system whose operations, failure modes, or failure effects are difficult to comprehend without the aid of analytical methods (e.g., Fault Tree Analysis, Failure Modes and Effect Analysis, Functional Hazard Assessment, etc.).
Design Integrity Requirements
Each of the failure condition categories defined in this special condition relate to corresponding aircraft systems integrity requirements. The systems design integrity requirements, for the Hoh Aeronautics, Inc. AP/SAS, as they relate to the allowed probability of occurrence for each failure condition category, along with the proposed software design assurance level, are as follows:
- “Major”—Failures resulting in Major effects must be shown to be improbable, or on the order of 1 × 10−5 failures/hour, and associated software must be developed to the RTCA/DO-178B (Software Considerations in Airborne Systems And Equipment Certification) Level C software design assurance level.
- “Hazardous/Severe-Major”—Failures resulting in Hazardous/Severe-Major effects must be shown to be extremely remote, or on the order of 1 × 10−7 failures/hour, and associated software must be developed to the RTCA/DO-178B (Software Considerations in Airborne Systems And Equipment Certification) Level B software assurance level.
- “Catastrophic”—Failures resulting in Catastrophic effects must be shown to be extremely improbable, or on the order of 1 × 10−9 failures/hour, and associated software must be developed to the RTCA/DO-178B (Software Considerations in Airborne Systems And Equipment Certification) Level A design assurance level.
Design Environmental Requirements
We require that the AP/SAS system equipment be qualified to the appropriate environmental level in the RTCA document DO-160D (Environmental Conditions and Test Procedures for Airborne Equipment), for all relevant aspects. This is to ensure that the AP/SAS system performs its intended function under any foreseeable operating condition, which includes the expected environment in which the AP/SAS is intended to operate. Some of the main considerations for environmental concerns are installation locations and the resulting exposure to environmental conditions for the AP/SAS system equipment, including considerations for other equipment that may be affected environmentally by the AP/SAS equipment installation. The level of environmental qualification must be related to the severity of the considered failure effects on the aircraft.
Test & Analysis Requirements
Compliance with the requirements contained in this special condition may be shown by a variety of methods, which typically consist of analysis, flight tests, ground tests, and simulation, as a minimum. Compliance methodology is partly related to the associated failure condition category. If the AP/SAS is a complex system, compliance with the requirements contained in this document for aspects of the AP/SAS that can result in failure conditions classified as “Major” may be shown by analysis, in combination with appropriate testing to validate the analysis. Compliance with the requirements contained in this special condition for aspects of the AP/SAS that can result in failure conditions classified as “Hazardous/Severe-Major” may be shown by flight-testing in combination with analysis and simulation, and the appropriate testing to validate the analysis. Flight tests may be limited for this classification of failures due to safety considerations. Start Printed Page 15559Compliance with the requirements contained in this special condition for aspects of the AP/SAS that can result in failure conditions classified as “Catastrophic” may be shown by analysis, and appropriate testing in combination with simulation to validate the analysis. Very limited flight tests in combination with simulation are typically used as a part of a showing of compliance for failures in this classification. Flight tests are performed only in circumstances that use operational variations, or extrapolations from other flight performance aspects to address flight safety.
This special condition requires that the AP/SAS system installed on a Robinson Model R44 helicopter, Type Certification Data Sheet Number H11NM, Revision 3, meet these requirements to adequately address the failure effects identified by the FHA, and subsequently verified by the SSA, within the defined design integrity requirements.
This special condition is applicable to the Hoh Aeronautics, Inc. AP/SAS installed as an STC approval, in a Robinson Model R44 helicopter, Type Certification Data Sheet Number H11NM, Revision 3.
This action affects only certain novel or unusual design features for a Hoh Aeronautics, Inc. AP/SAS STC installed on one model series of helicopter. It is not a rule of general applicability and affects only the applicant who applied to the FAA for approval of these features on the helicopter.Start List of Subjects
List of Subjects in 14 CFR Part 27End List of Subjects
The authority citation for this special condition is as follows:
Final Special Condition Information
The Special Condition
Accordingly, pursuant to the authority delegated to me by the Administrator, the following special condition is issued as part of the Hoh Aeronautics, Inc. supplemental type certificate basis for an Autopilot/Stability Augmentation System to be installed on a Robinson Model R44 helicopter, Type Certification Data Sheet Number H11NM, Revision 3.
The Autopilot/Stability Augmentation System must be designed and installed so that the failure conditions identified in the Functional Hazard Assessment and verified by the System Safety Assessment, after design completion, are adequately addressed in accordance with the “Definitions” and “Requirements” sections (including the design integrity, design environmental, and test and analysis requirements) of this special condition.Start Signature
Issued in Fort Worth, Texas, on March 21, 2006.
David A. Downey,
Manager, Rotorcraft Directorate, Aircraft Certification Service.
[FR Doc. 06-3013 Filed 3-28-06; 8:45 am]
BILLING CODE 4910-13-P