Federal Aviation Administration (FAA), DOT.
Notice of proposed special conditions.
This notice proposes special conditions for the Diamond Aircraft Industries (DAI), model DA-40NG airplane. This airplane will have a novel or unusual design feature(s) associated with an electronic engine control (EEC), also known as a Full Authority Digital Engine Control (FADEC). The applicable airworthiness regulations do not contain adequate or appropriate safety standards for this design feature. These proposed special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards.
Comments must be received on or before October 7, 2011.
Comments on this proposal may be mailed in duplicate to: Federal Aviation Administration, Regional Counsel, ACE-7, Attention: Rules Docket, Docket No. CE313, 901 Locust, Room 506, Kansas City, Missouri 64106, or delivered in duplicate to the Regional Counsel at the above address. Comments must be marked: CE313. Comments may be inspected in the Rules Docket weekdays, except Federal holidays, between 7:30 a.m. and 4 p.m.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Pete Rouse, Federal Aviation Administration, Aircraft Certification Service, Small Airplane Directorate, ACE-111, 901 Locust, Kansas City, Missouri, 816-329-4135, fax 816-329-4090.End Further Info End Preamble Start Supplemental Information
Interested persons are invited to participate in the making of these proposed special conditions by submitting such written data, views, or arguments as they may desire. Communications should identify the regulatory docket or notice number and be submitted in duplicate to the address specified above. All communications received on or before the closing date for comments will be considered by the Administrator. The proposals described in this notice may be changed in light of the comments received. All comments received will be available in the Rules Docket for examination by interested persons, both before and after the closing date for comments. A report summarizing each substantive public contact with FAA personnel concerning this rulemaking will be filed in the docket. Persons wishing the FAA to acknowledge receipt of their comments submitted in response to this notice must include with those comments a self-addressed, stamped postcard on which the following statement is made: “Comments to Docket No. CE313.” The postcard will be date stamped and returned to the commenter.
On May 11, 2010 Diamond Aircraft Industry GmbH applied for an amendment to Type Certificate No. A47CE to include the new model DA-40NG with the Austro Engine GmbH model E4 ADE. The model DA-40NG, which is a derivative of the model DA-40 currently approved under Type Certificate No. A47CE, is a fully composite, four place, single-engine airplane with a cantilever low wing, T-tail airplane with the Austro Engine GmbH model E4 diesel engine and an increased maximum takeoff gross weight from 1150 kilograms (kg) to 1280 kg (2535 pounds (lbs) to 2816 lbs).
DAI will use an EEC instead of a traditional mechanical control system on the model DA-40NG airplane. The EEC is certified as part of the engine design certification, and the certification requirements for engine control systems are driven by 14 CFR part 33 certification requirements. The guidance for the part 33 EEC certification requirement is contained in two advisory circulars: Advisory Circular (AC) 33.28-1 and AC 33.28-2. The EEC certification, as part of the engine, addresses those aspects of the engine specifically addressed by part 33 and is not intended to address 14 CFR part 23 installation requirements. However, the guidance does highlight some of the aspects of installation that the engine applicant should consider during engine certification. The installation of an engine with an EEC system requires evaluation of environmental effects and possible effects on or by other airplane systems, including the part 23 installation aspects of the EEC functions. For example, the indirect effects of lightning, radio interference with other airplane electronic systems, and shared engine and airplane data and power sources.
The regulatory requirements in part 23 for evaluating the installation of complex electronic systems are contained in § 23.1309. However, when § 23.1309 was developed, the requirements of the rule were specifically excluded from applying to powerplant systems provided as part of the engine (reference § 23.1309(f)(1)). Although the parts of the system that are not certificated with the engine could be evaluated using the criteria of § 23.1309, the analysis would not be useful and not be complete because it would not include the effects of the aircraft supplied power and data failures on the engine control system, and the resulting effects on engine power/thrust. The integral nature of EEC installations require review of EEC functionality at the airplane level, as behavior acceptable for part 33 certification may not be acceptable for part 23 certification.
For over a decade, the Small Airplane Directorate has applied a special condition that required all EEC installations to comply with the requirements of § 23.1309(a) through (e). The rationale for applying § 23.1309 was that it was an existing rule that contained the best available requirements to apply to the installation of a complex electronic system; in this case, an EEC with aircraft interfaces. Additionally, special conditions for High Intensity Radiated Fields (HIRF) were also applied prior to the codification of § 23.1308.
There are several difficulties for propulsion systems directly complying with the requirements of § 23.1309. There are conflicts between the guidance material for § 23.1309 and propulsion system capabilities and failure susceptibilities. The following figure is an excerpt from AC 23.1309-1D.Start Printed Page 55294
|Classification of failure conditions||No safety effect||Minor||Major||Hazardous||Catastrophic|
|Allowable qualitative probability||No probability requirement||Probable||Remote||Extremely remote||Extremely improbable|
|Effect on Airplane||No effect on operational capabilities or safety||Slight reduction in functional capabilities or safety margins||Significant reduction in functional capabilities or safety margins||Large reduction in functional capabilities or safety margins||Normally with hull loss.|
|Effect on Occupants||Inconvenience for passengers||Physical discomfort for passengers||Physical distress to passengers, possibly including injuries||Serious or fatal injury to an occupant||Multiple fatalities.|
|Effect on Flight Crew||No effect on flight crew||Slight increase in workload or use of emergency procedures||Physical discomfort or a significant increase in workload||Physical distress or excessive workload impairs ability to perform tasks||Fatal injury or incapacitation.|
|Classes of airplanes:||Allowable Quantitative Probabilities and Software (SW) and Complex Hardware (HW) DALs (Note 2).|
|Class I (Typically SRE under 6,000 lbs.)||No Probability or SW & HW DALs Requirement||<10−3 Note 1 & 4 P=D, S=D||<10−4 Notes 1 & 4 P=C, S=D P=D, S=D (Note 5)||<10−5 Notes 4 P=C, S=D P=D, S=D (Note 5)||<10−6 Note 3 P=C, S=C.|
|Class II (Typically MRE, STE, or MTE under 6000 lbs.)||No Probability or SW & HW DALs Requirement||<10−3 Note 1 & 4 P=D, S=D||<10−5 Notes 1 & 4 P=C, S=D P=D, S=D (Note 5)||<10−6 Notes 4 P=C, S=C P=D, S=D (Note 5)||<10−7 Note 3 P=C, S=C.|
|Class III (Typically SRE, STE, MRE, & MTE equal or over 6000 lbs.)||No Probability or SW & HW DALs Requirement||<10−3 Note 1 & 4 P=D, S=D||<10−5 Notes 1 & 4 P=C, S=D||<10−7 Notes 4 P=C, S=C||<10−8 Note 3. P=B, S=C.|
|Class IV (Typically Commuter Category)||No Probability or SW & HW DALs Requirement||<10−3 Note 1 & 4 P=D, S=D||<10−5 Notes 1 & 4 P=C, S=D||<10−7 Notes 4 P=B, S=C||<10−9 Note 3 P=A, S=B.|
|Note 1: Numerical values indicate an order of probability range and are provided here as a reference. The applicant is usually not required to perform a quantitative analysis for minor and major failure conditions. See figure 3.|
|Note 2: The alphabets denote the typical SW and HW DALs for most primary system (P) and secondary system (S). For example, HW or SW DALs Level A on primary system is noted by P=A. See paragraphs 13 & 21 for more guidance.|
|Note 3: At airplane function level, no single failure will result in a catastrophic failure condition.|
|Note 4: Secondary system (S) may not be required to meet probability goals. If installed, S should meet stated criteria.|
|Note 5: A reduction of DALs applies only for navigation, communication, and surveillance systems if an altitude encoding altimeter transponder is installed and it provides the appropriate mitigations. See paragraphs 13 & 21 for more information.|
There is a conflict between the EEC system loss-of-thrust-control (LOTC), or loss-of-power-control (LOPC), probability per hour requirements given in part 33 guidance material and the failure rate requirements associated with the hazard created by a total loss of power/thrust as given in part 23 AC 23.1309-1D guidance. The part 33 requirements for engine control LOTC/LOPC probabilities are shown below:
|Engine type||Average LOTC/LOPC events per million hours||Maximum LOTC/LOPC events per million hours|
|Turbine Engine||10 (1 × 10-05 per hour)||100 (1 × 10-04 per hour).|
|Reciprocating Engine||45 (4.5 × 10-05 per hour)||450 (4.5 × 10-04 per hour).|
See AC 33.28-1, AC 33.28-2 and ANE-1993-33.28TLD-R1 for further guidance.
The classification of the failure condition for LOTC/LOPC event on a single engine airplane ranges from Hazardous to Catastrophic. The classification of the failure condition for a single engine LOTC/LOPC event on a multi-engine airplane ranges from Major to Catastrophic. The classification of the failure condition for a multi-engine LOTC/LOPC event on a multi-engine airplane is Catastrophic. From the AC 23.1309-1D failure probability values, it is obvious that a single engine airplane EEC system will not be able to meet the failure probabilities as shown in the guidance material for § 23.1309. As a result, applicants have elected to declare a reduced hazard severity for a failure of the EEC system. This is not the intent of § 23.1309. The greater hazard severity should be associated with lower probabilities of failure, and higher probabilities of failure should not establish the lower hazard severities. There is also a conflict between the classification of the failure condition for a failure of an EEC system and the required test levels for the effects of lightning and high intensity radiated frequency (HIRF). Testing to a level lower than required for a catastrophic failure results in a lower level of safety than the mechanical system it replaces. Start Printed Page 55295This is contrary to the intent of certification requirements.
The advent of EEC also created/established the ability to dispatch with certain allowable loss of functionality and/or redundancy. This is known as Time-Limited Dispatch (TLD). The TLD allowable configurations must meet the specific risk LOTC/LOPC failure probabilities. FAA policy statement, ANE-1993-33.28TLD-R1, defines the full up and TLD allowable failure probabilities for turbine engines. The ability to use TLD is a risk management endeavor that uses a limited time period between inspection/maintenance intervals to mitigate the hazard. As such, the FAA has issued specific guidance for part 23 airplanes in addition to policy statement, ANE-1993-33.28TLD-R1, in order to adequately capture the necessary time limits between maintenance intervals. A means of compliance issue paper giving specific guidance can be generated, if desired, for the applicant.
The advent of EEC also led to incorporation of functions that, while not required by the CFRs, also introduce potentially catastrophic failure(s) and malfunction(s). Consequently, incorporation of these additional functions must be shown to retain part 23 levels of safety. These additional functions have included thrust management, portions of engine indication otherwise provided as part of the engine installation, engine speed synchronization, ignition control, auto-feather, etc.
The certification of an airplane to the standards of 14 CFR part 25 does not require the application of § 25.1309 via special condition to the EEC installation. In part 25, § 25.1309 is applicable to the powerplant installations in general and as a whole. The part 25 consequences differ from part 23 due to the required multi-engine configuration of part 25 airplanes. Additional applicable part 25, Subpart E requirements are those contained within § 25.901(b)(2) and (c):
(b) For each powerplant—
(2) The components of the installation must be constructed, arranged, and installed so as to ensure their continued safe operation between normal inspections or overhauls;
(c) For each powerplant and auxiliary power unit installation, it must be established that no single failure or malfunction or probable combination of failures will jeopardize the safe operation of the airplane except that the failure of structural elements need not be considered if the probability of such failure is extremely remote.
There is language similar to part 25, § 25.901(c) contained in part 23, § 23.1141(e):
Section 23.1141—Powerplant Controls: General
(e) For turbine engine powered airplanes, no single failure or malfunction, or probable combination thereof, in any powerplant control system may cause the failure of any powerplant function necessary for safety.
The requirements contained within § 23.1141(e) were originally intended for the mechanical control interfaces on turbine engines. The rule was first promulgated at Amendment 23-7, effective on September 14, 1969. The preamble justifying the rule change states:
“This proposal would, in effect require that the need for system redundancy, alternate devices, and duplication of functions be determined in the design of turbine powerplant control systems.”
The overall intent of the above cited rules is to provide a robust and fault tolerant engine control installation that ensures that no single failure or malfunction or probable combination of failures will jeopardize the safe operation of the airplane.
Given the unique requirements of an EEC installation, and the lack of specific regulatory requirements, a special condition will be applied to all EEC installations in part 23 airplanes. This special condition is not applicable to the part 33 engine certification requirements, and it specifically excludes any part 33 references. Compliance with this special condition may necessitate changes to the EEC, and may require additional part 33 compliance showings. In like manner, changes to the EEC at the part 33 level may require additional compliance showings to this special condition. The overall intent of this special condition is to leverage off of the part 33 compliance as much as possible and address the airplane level effects of an EEC installation.
The EEC system includes all of the subsystems on the aircraft that interface with the EEC and provide aircraft data and electrical power. This special condition is applicable to and includes all functions of the EEC system that have an effect at the airplane level. An example of this is control of the turbine engine compressor variable geometry (VG): the VG function in itself is not an airplane function, but changes to the VG scheduling will require re-substantiating compliance to part 23 requirements, such as § 23.939.
The components that should be considered part of the EEC system are defined in Society of Automotive Engineers (SAE) document, Aerospace Recommended Practice (ARP) 5107B, Guidelines for Time-Limited-Dispatch (TLD) Analysis for Electronic Engine Control Systems, section 6.4. This guidance is intended for turbine engine installations; however, the intent is applicable to piston engine installations. A means of compliance issue paper giving specific guidance can be generated, if desired, for the applicant.
Part 33 certification data, if applicable, may be used to show compliance with the requirements of part 23 installation requirements; however, compliance with the part 33 requirements does not constitute compliance with the requirements of part 23, nor automatically imply that the engine is installable on a part 23 airplane. The part 23 applicant is required to show compliance in accordance with part 21. If part 33 data is to be used, then the part 23 applicant must be able to provide this data for their showing of compliance to the part 23 requirements.
Type Certification Basis
Under the provisions of § 21.101, DAI must show that the model DA-40NG meets the applicable provisions of the regulations incorporated by reference in Type Certificate No. A47CE or the applicable regulations in effect on the date of application for the change to the model DA-40. The regulations incorporated by reference in the type certificate are commonly referred to as the “original type certification basis.”
If the Administrator finds that the applicable airworthiness regulations (i.e., 14 CFR part 23) do not contain adequate or appropriate safety standards for the model DA-40NG because of a novel or unusual design feature, special conditions are prescribed under the provisions of § 21.16.
In addition to the applicable airworthiness regulations and special conditions, the model DA-40NG must comply with the fuel vent and exhaust emission requirements of 14 CFR part 34 and the noise certification requirements of 14 CFR part 36.
The FAA issues special conditions, as appropriate, as defined in § 11.19, under § 11.38, and they become part of the type certification basis under § 21.101(b)(2).
Special conditions are initially applicable to the model for which they are issued. Should the type certificate for that model be amended later to Start Printed Page 55296include any other model that incorporates the same novel or unusual design feature, or should any other model already included on the same type certificate be modified to incorporate the same novel or unusual design feature, the special conditions would also apply to the other model under the provisions of § 21.101(a)(1).
Novel or Unusual Design Features
The model DA-40NG will incorporate the following novel or unusual design features:
Electronic engine control system.
As discussed above, these special conditions are applicable to the model DA-40NG. Should DAI apply at a later date for a change to the type certificate to include another model incorporating the same novel or unusual design feature, the special conditions would apply to that model.
This action affects only certain novel or unusual design features on one model of airplane. It is not a rule of general applicability, and it affects only the applicant who applied to the FAA for approval of these features on the airplane.Start List of Subjects
List of Subjects in 14 CFR Part 23End List of Subjects
The authority citation for these special conditions is as follows:
The Proposed Special Conditions
Accordingly, pursuant to the authority delegated to me by the Administrator, the FAA proposes the following special conditions as part of the type certification basis for Diamond Aircraft Industry GmbH model DA-40NG with the installation of the Austro Engine GmbH model E4 aircraft diesel engine.
1. Electronic Engine Control
a. For electronic engine control system installations, it must be established that no single failure or malfunction or probable combinations of failures of Electronic Engine Control (EEC) system components will have an effect on the system, as installed in the airplane, that causes the loss-of-thrust-control (LOTC), or loss-of-power-control (LOPC) probability of the system to exceed those allowed in part 33 certification.
b. Electronic engine control system installations must be evaluated for environmental and atmospheric conditions, including lightning. The EEC system lightning and High-Intensity Radiated Fields (HIRF) effects that result in LOTC/LOPC should be considered catastrophic.
c. The components of the installation must be constructed, arranged, and installed so as to ensure their continued safe operation between normal inspections or overhauls.
d. Functions incorporated into any electronic engine control that make it part of any equipment, systems or installation whose functions are beyond that of basic engine control, and which may also introduce system failures and malfunctions, are not exempt from § 23.1309 and must be shown to meet part 23 levels of safety as derived from § 23.1309. Part 33 certification data, if applicable, may be used to show compliance with any part 23 requirements. If part 33 data is to be used to substantiate compliance with part 23 requirements, then the part 23 applicant must be able to provide this data for their showing of compliance.
The term “probable” in the context of “probable combination of failures” does not have the same meaning as in AC 23.1309-1D. The term “probable” in “probable combination of failures” means “foreseeable,” or (in AC 23.1309-1D terms), “not extremely improbable.”Start Signature
Issued in Kansas City, Missouri, on August 31, 2011.
Manager, Small Airplane Directorate, Aircraft Certification Service.
[FR Doc. 2011-22890 Filed 9-6-11; 8:45 am]
BILLING CODE 4910-13-P