Federal Aviation Administration (FAA), DOT.
Notice of proposed special conditions.
This action proposes special conditions for installing an Autopilot Stabilization Augmentation System (AP/SAS) in the Robinson Helicopter Company (Robinson) Model R66 helicopter. This helicopter will have novel or unusual design features associated with installing a complex AP/SAS that has potential failure modes with more severe adverse results than those envisioned by the existing applicable airworthiness standards. The applicable airworthiness standards do not contain adequate or appropriate safety standards for this design feature. This proposed special condition contains the added safety standards the Administrator considers necessary to establish a level of safety equivalent to the existing airworthiness standards.
We must receive your comments by July 31, 2009.
Mail two copies of your comments to: Federal Aviation Administration, Rotorcraft Directorate, Attn: Rules Docket (ASW-111), Docket No. SW021, 2601 Meacham Blvd., Fort Worth, Texas 76137. You may deliver two copies to the Rotorcraft Directorate at this address. You must mark your comments for: Docket No. SW021. You may inspect comments in the Rules Docket weekdays, except Federal holidays, between 8:30 a.m. and 4 p.m.Start Further Info
FOR FURTHER INFORMATION CONTACT:
George Schwab, Aviation Safety Engineer, FAA, Rotorcraft Directorate (ASW-112), Aircraft Certification Service, 2601 Meacham Blvd., Fort Worth, Texas, 76137; telephone (817) 222-5114; facsimile (817) 222-5961.End Further Info End Preamble Start Supplemental Information
We invite you to take part in this rulemaking by sending written comments, data, or views. The most helpful comments reference a specific portion of the special conditions, explain the reason for any recommended change, and include supporting data. We ask that you send us two copies of written comments.
We will file in the docket all comments we receive, as well as a report summarizing each substantive public contact with FAA personnel on these special conditions. You can inspect the docket before and after the comment closing date. If you wish to review the docket in person, go to the address in the ADDRESSES section of this document between 8:30 a.m. and 4 p.m., Monday through Friday, except Federal holidays.
We will consider all comments we receive on or before the closing date for comments. We will consider comments filed late if it is possible to do so without incurring additional expense or delay. We may change these special conditions based on the comments we receive.
If you want the FAA to acknowledge receipt of your comments on this proposal, include with your comments a pre-addressed, stamped postcard on which the docket number appears. We will stamp the date on the postcard and mail it back to you.
On November 1, 2006, Robinson proposed a change to the certification basis, through the FAA's Los Angeles Aircraft Certification Office (LA ACO), that would include installing an AP/SAS as part of the application for type certification for the Robinson Model R66 helicopter. The Robinson Model R66 helicopter is a part 27 Normal category, single turbine engine, conventional helicopter designed for civil operation. The helicopter is capable of carrying four passengers with one pilot, and has a maximum gross weight of approximately 2,650 pounds. The major design features include a 2-blade, fully articulated main rotor, a 2-blade anti-torque tail rotor, a skid landing gear, and a visual flight rule (VFR) basic avionics configuration. Robinson proposes offering the Hoh Aeronautics, Inc. two-axis AP/SAS as a factory installed option.
Type Certification Basis
If the Administrator finds the applicable airworthiness standards, as they apply to the type certification, do not contain adequate or appropriate safety standards because of a novel or unusual design feature, special conditions are prescribed under § 21.16.
Special conditions, as appropriate, are defined in § 11.19, and issued by following the procedures in § 11.38 and become part of the type certification basis under § 21.17(a)(2).
Special conditions are initially applicable to the model for which they are issued. Should the Type Certificate for that model be amended later to include any other model that incorporates the same novel or unusual design feature, the special condition would also apply to the other model under § 21.101.
Novel or Unusual Design Features
The Robinson Model R66 helicopter will be required to show compliance with the current applicable requirements without the optional AP/SAS system. The Hoh Aeronautics, Inc. AP/SAS system will constitute a novel or unusual design feature when installed in the Model R66 helicopter. Although this AP/SAS system performs non-critical control functions, the possible failure modes for this system and their effects on the ability of the helicopter to continue safe flight and landing are more severe than those envisioned when the present safety standards were promulgated. Therefore, additional safety standards are necessary.
Failure Condition Categories
The effect on safety is not adequately covered under § 27.1309 for the application of new technology and new application of standard technology. Start Printed Page 28450Specifically, the present provisions of § 27.1309(c) do not adequately address the safety requirements for systems whose failures could result in Catastrophic or Hazardous/Severe-Major failure conditions, or for complex systems whose failures could result in Major failure conditions.
To comply with the provision of the special condition, we propose to require that Robinson provide the FAA with a Systems Safety Assessment (SSA) for the final Hoh Aeronautics Inc. AP/SAS installation configuration that will adequately address the safety objectives established by the Functional Hazard Assessment (FHA) and the Preliminary System Safety Assessment (PSSA), including the Fault Tree Analysis (FTA). This must ensure that all failure modes and their resulting effects are adequately addressed for the installed AP/SAS. The SSA process, FHA, PSSA, and FTA are all parts of the overall Safety Assessment (SA) process discussed in FAA Advisory Circular (AC) 27-1B (Certification of Normal Category Rotorcraft) and SAE document ARP 4761 (Guidelines and Methods for Conducting the Safety Assessment Process on civil airborne Systems and Equipment).
This special condition requires that the AP/SAS system installed on a Robinson Model R66 helicopter meet these requirements to adequately address the failure effects identified by the FHA, and subsequently verified by the SSA, within the defined design integrity requirements.
As discussed, this special condition is applicable to the Robinson Model R66 helicopter with the Hoh Aeronautics, Inc. AP/SAS installed as a factory option under the pending application for the Robinson Model R66 type certificate. Should Robinson Helicopter Company apply at a later date for a change to the type certificate to include another model incorporating this same factory installed option Hoh Aeronautics, Inc. AP/SAS novel or unusual design feature, this special condition would also apply to that model, under the provisions of § 21.101(b)(1).
This action affects only the Robinson R66 model series of helicopter with the novel or unusual design features of a Hoh Aeronautics, Inc. AP/SAS installed. It is not a rule of general applicability.Start List of Subjects
List of Subjects in 14 CFR Parts 21 and 27End List of Subjects
The authority citation for these special conditions is as follows:
The Proposed Special Conditions
Accordingly, the Federal Aviation Administration (FAA) proposes the following special conditions as part of the type certification basis for Robinson Model R66 helicopters:
For installation of a Hoh Aeronautics, Inc. Autopilot/Stability Augmentation System on a Robinson Model R66 helicopter, the system must be designed and installed so that the failure conditions identified in the Functional Hazard Assessment and addressed by the System Safety Assessment, after design completion, are adequately addressed in accordance with the Definitions for the Failure Condition Categories and the Requirements (including the design integrity, design environmental, and test and analysis requirements) of this special condition.
Failure Conditions are conditions that result from a failure and are classified, according to the severity of their effects on the rotorcraft, into one of the following categories:
(1) No Effect—Failure Conditions that would have no effect on safety; for example, Failure Conditions that would not affect the operational capability of the rotorcraft or increase crew workload; however, could result in an inconvenience to the occupants, excluding the flight crew.
(2) Minor—Failure conditions which would not significantly reduce rotorcraft safety, and would involve crew actions that are well within their capabilities. Minor failure conditions would include, for example, a slight reduction in safety margins or functional capabilities, a slight increase in crew workload such as routine flight plan changes, or result in some physical discomfort to occupants.
(3) Major—Failure conditions which would reduce the capability of the rotorcraft or the ability of the crew to cope with adverse operating conditions to the extent there would be, for example, a significant reduction in safety margins or functional capabilities; a significant increase in crew workload or result in impairing crew efficiency; physical distress to occupants, including injuries; or physical discomfort to the flight crew.
(4) Hazardous/Severe-Major—Failure conditions that would reduce the capability of the rotorcraft or the ability of the crew to cope with adverse operating conditions to the extent there would be:
(i) A large reduction in safety margins or functional capabilities;
(ii) Physical distress or excessive workload that would impair the flight crew's ability to the extent that they could not be relied on to perform their tasks accurately or completely; or
(iii) Possible serious or fatal injury to a passenger or a cabin crewmember, excluding the flight crew.
Hazardous/Severe-Major failure conditions can include events that are manageable by the crew by use of proper procedures, which, if not carried out correctly or in a timely manner, may result in a Catastrophic Event.
(5) Catastrophic—Failure Conditions which would result in multiple fatalities to occupants, fatalities or incapacitation to the flight crew, or result in the inability of the rotorcraft to continue safe flight and landing.
Robinson must comply with the existing requirements of § 27.1309 for all applicable design and operational aspects of the AP/SAS with the failure condition categories of No Effect, Minor, and for non-complex systems whose failure condition category is classified as Major. Robinson must also comply with the requirements of this special condition for all applicable design and operational aspects of the AP/SAS with the failure condition categories of Catastrophic and Hazardous/Severe-Major, and for complex systems classified as a Major failure condition category.
A complex system is a system whose operations, failure modes, or failure effects are difficult to understand without the aid of analytical methods (for example, Fault Tree Analysis, Failure Modes and Effect Analysis, Functional Hazard Assessment, etc.).
a. Design Integrity Requirements
Each of the failure condition categories defined in this special condition relate to the corresponding aircraft system integrity requirements. The design integrity requirements for the Hoh Aeronautics, Inc. AP/SAS as they relate to the allowed probability of occurrence for each failure condition category, and the proposed software design assurance level, are as follows:
Major—Condition classified as a “Major failure condition” and resulting in Major effects must be shown to be improbable, or at or less than 1 × 10−5 failures/hour, and associated software must be developed to the RTCA/DO-178B (Software Considerations in Airborne Systems And Equipment Certification) software design assurance Level C.
Hazardous/Severe-Major—Condition classified as a “Hazardous/Severe-Major failure condition” and resulting in Hazardous/Severe-Major effects must be shown to be extremely remote or at or less than 1 × 10−7 failures/hour, and associated software must be developed to the RTCA/DO-178B (Software Considerations in Airborne Systems And Equipment Certification) software design assurance Level B.
Catastrophic—Condition classified as a “Catastrophic failure condition” and resulting in Catastrophic effects must be shown to be extremely improbable or at or less than 1 × 10−9 failures/hour, and associated software must be developed to the Start Printed Page 28451RTCA/DO-178B (Software Considerations in Airborne Systems And Equipment Certification) Level A software design assurance level.
b. Design Environmental Requirements
Robinson must qualify the AP/SAS system equipment to the appropriate environmental level in the RTCA document DO-160F (Environmental Conditions and Test Procedures for Airborne Equipment), for all relevant aspects. This must show that the AP/SAS system performs its intended function under any foreseeable operating condition, which includes the expected environment in which the AP/SAS is intended to operate. Some of the main considerations for environmental concerns are installation locations and the resulting exposure to environmental conditions for the AP/SAS system equipment, including considerations for other equipment that may be affected environmentally by the AP/SAS equipment installation. The level of environmental qualification must be related to the severity of the considered failure condition and effects on the aircraft.
c. Test & Analysis Requirements
Compliance with these requirements may be shown by a variety of methods, which typically consist of analysis, flight tests, ground tests, and simulation, as a minimum. Compliance methodology is partly related to the associated failure condition category. If the AP/SAS is a complex system, compliance with the requirements for aspects of the AP/SAS that can result in failure conditions classified as Major may be shown by analysis, in combination with appropriate testing to validate the analysis. Compliance with the requirements for aspects of the AP/SAS that can result in failure conditions classified as Hazardous/Severe-Major may be shown by flight-testing in combination with analysis and simulation, and the appropriate testing to validate the analysis. Flight tests may be limited for this classification of failures due to safety considerations.
Compliance with the requirements for aspects of the AP/SAS that can result in failure conditions classified as Catastrophic may be shown by analysis and validated by appropriate testing in combination with simulation. Very limited flight tests in combination with simulation may be used as a part of a showing of compliance for failures in this classification. Flight tests are performed only in circumstances that use operational variations or extrapolations from other flight performance aspects to address flight safety.Start Signature
Issued in Fort Worth, Texas, on June 11, 2009.
Mark R. Schilling,
Acting Manager, Rotorcraft Directorate, Aircraft Certification Service.
[FR Doc. E9-14103 Filed 6-15-09; 8:45 am]
BILLING CODE 4910-13-P