CFR Final Rule
Federal Register Information
[Federal Register: May 18, 1993 (Volume 58, Number 94)]
[Page 29088]
Header Information
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Part 33
[Docket No. 24466; Amendment No. 33-15]
RIN AB06
Airworthiness Standards: Aircraft Engines Electrical and Electronic Engine Control Systems
Preamble Information
AGENCY: Federal Aviation Administration, DOT
ACTION: Final Rule
SUMMARY: This amendment establishes requirements for the certification of electrical and electronic engine control (EEC) systems. Although these types of control systems have been certificated under existing regulations, those regulations do not address specific requirements related to electrical and electronic engine controls. This action does not mandate specific design requirements, but codifies and standardizes functional requirements pertaining to the certification of electrical and electronic engine control systems. Codification of these requirements will result in reduced design, testing, and administrative costs.
EFFECTIVE DATE: This rule becomes effective August 16, 1993.
FOR FURTHER INFORMATION CONTACT: Cosimo Bosco, Engine and Propeller Standards Staff, ANE-110, Engine and Propeller Directorate, Aircraft Certification Service, FAA, New England Region, 12 New England Executive Park, Burlington, Massachusetts 01803-5229; (617)270-2492; Fax (617)270-2412.
SUPPLEMENTARY INFORMATION:
Background
Statement of the Problem
Advances in electronic technology have led to the development of more comprehensive and more automated control systems for aircraft engines. The need for these more complex systems was created by the demands of the aviation industry for more fuel efficient and higher performance engines. These engines require that some engine parameters be controlled more accurately than earlier engine control systems and that some engine functions be controlled that were not previously controlled directly. The need for more complex controls has led to a transformation in the design of engine controls from those based primarily upon hydromechanical technology to those based primarily upon electronic technology. The majority of new engine certification projects make use of EEC systems, causing this segment of the engine certification activity to become large and specialized.
Currently, definitive regulations have not been established that provide the certification basis for these engine control systems. The FAA has, in recent years, relied upon generalized interpretations of the Federal Aviation Regulations (FAR), Advisory Circular (AC) information, and certain engineering professional society documentation to develop a certification basis for these systems on a case-by-case basis. Consequently, there is a need to amend 14 CFR part 33 to establish and standardize the certification basis for turbine and reciprocating engines controlled by electrical and electronic control systems.
Certification issues that are addressed in this regulation are power supply requirements, aircraft-supplied data, failure modes, environmental requirements including lightning and high intensity radiated electromagnetic fields (HIRF), and software design. The Society of Automotive Engineers (SAE) convened a special subcommittee, AE4R, Aircraft Radiated Fields, whose objective was to validate data on design, test, and analysis of equipment in the electromagnetic environment. The report of the SAE-AE4R Subcommittee will provide the technical data for an AC on radiated electromagnetic fields. It should be noted that at the SAE-AE4R meeting in June 1990, the term high energy radiated fields, HERF, was replaced by high intensity radiated fields, HIRF. Certification requirements also require that information be included in the engine instruction manual to define the important aspects of the EEC.
History
With the advent of the gas turbine engine, more sophisticated fuel controls were needed to control an engine than the simple carburetor that was used to control reciprocating aircraft and automotive engines. The primary function of any engine fuel control is to maintain an efficient, combustible fuel-to-air ratio in response to any power input command. The gas turbine engine introduced additional requirements for engine fuel controls over those of the reciprocating engine because the engine compressor would stall and surge for certain combinations of pressure ratio across the compressor and the compressor rotor speed. Engine fuel controls have been designed to avoid this compressor stall region throughout the aircraft operating envelope and for all pilot power lever commands. In addition, the engine fuel control was designed to protect the engine from exceeding its design limits for temperature, speed, and pressure. In the late 1940s and early 1950s, when the gas turbine engine and fuel control technology were being developed, a rudimentary analog computational technology was available to implement these controls either electronically or hydromechanically. Engine controls based on each approach were being developed. However, the analog electronic fuel control technology developed more quickly, and the initial gas turbine engines were controlled with full authority electronic controls, albeit using vacuum tubes. Early models of engines on the U.S. Air Force B-52 bomber were fitted with these electronic engine controls. However, the electronic controls were superseded by the hydromechanical controls because they demonstrated an improved reliability over the electronic engine controls.
From the 1950s to the late 1970s, semiconductor technology became available and advanced rapidly from transistors, through various levels of integration, and operational amplifiers, to solid state memories and microprocessors. Until the late 1970s, the electronic engine controls were used only to perform functions to protect the engine from exceeding design limits for temperature, speed, pressure, or torque. The full authority analog electronic engine control on the Concorde aircraft and a few engines with limited authority controls were the exceptions to this generalization. The 1973 oil crisis created an urgent need in the commercial aviation industry for more fuel efficient engines. In the mid-1970s, research and development programs to develop full authority digital engine controls (FADEC) were initiated by various commercial and military engineering groups. Two FADEC systems developed under one of the commercial demonstration programs were test flown in 1980 on an experimental Boeing 747 aircraft. In the late 1970s, supervisory controls were used on large transport engines certificated by General Electric (GE), Pratt & Whitney (PW), and Rolls Royce (RR). These controls enhanced engine performance and functioned similar to a FADEC, but were limited to less than 50 percent authority of thrust and did not control the engine start. Subsequently, in 1983, the PWA PW2037 became the first U.S. commercial engine to be certificated with a FADEC system.
In June 1977, the FAA issued Notice No. 77-6, Aircraft Regulatory Review Program, Invitation to Submit Proposals for Consideration (42 FR 29687, June 9, 1977). This notice was issued in response to the need to update and modernize technical requirements, and for clarification and elimination of redundancies in test and design requirements. The FAA solicited rule change proposals from the aviation community and the general public, and held a week-long Regulatory Review Conference in January 1978, attended by over 100 industry and public representatives.
As part of the Aircraft Engine Regulatory Review Program, a rule change was proposed to add a new Section 33.64 to be titled Engine Power Control Systems. This proposal defined a "full authority electronic fuel control system" and addressed requirements for this system. Requirements were defined for power supply, system redundancy, environmental characteristics, and loss of inputs supplied from outside of the control system. This proposal was developed in anticipation of the wide scale introduction of electronic engine controls for commercial aircraft engines. It was subsequently determined that the addition of special standards applicable to engine power or control systems that require electrical or electronic inputs would be more appropriate under Sec. 33.67. Therefore, the proposal for the addition of Sec. 33.64 was withdrawn and included in Sec. 33.67.
Based on information received during the review program and conference, the FAA issued Notice of Proposed Rulemaking (NPRM) 80-21, Aircraft Engine Regulatory Review Program; Aircraft Engine and Related Powerplant Installation Proposals (45 FR 76872, November 20, 1980), which proposed to upgrade the airworthiness standards applicable to the type certification of aircraft engines and of aircraft with respect to engine installations.
The NPRM included the provisions of the previously proposed Sec. 33.64 as new Sec. 33.67(d). The new Sec. 33.67(d) also added a paragraph that required that the overall reliability level for systems requiring electrical or electronic inputs be at least equivalent to that provided in a comparable hydromechanical control for that engine type. The public comments upon proposed Section 33.67(d) were extensive and raised several valid points and suggestions. Due to the extent of the comments, the FAA believed a major modification to this proposed change was required. Therefore, the proposed Sec. 33.67(d) was withdrawn and another NPRM was considered necessary.
In June 1984, the FAA invited interested parties to an Electronic Engine Control Conference in Burlington, Massachusetts. The FAA objective was to provide a forum that would encourage the participation of the attendees from industry and government agencies in discussion of the technical aspects of the proposed regulations. The meeting was attended by more than 100 industry and public representatives. Five presentations were made, one of which was an FAA presentation entitled "Technical Approach to Regulation." In its presentation, the FAA addressed the following matters that it believed should be included in the forthcoming rule change that addressed EEC systems:
1. Degree of Authority--Full vs Partial
2. Software Design
3. Backup and Alternative Control Systems
4. Power Sources--Independent vs Aircraft Supplied
5. Environmental Limits--Lightning Protection
6. Aircraft supplied Data and Crew Alerting
The major portion of the time was devoted to panel discussions of these subjects, in the context of establishing certification requirements for electronic engine controls. A number of points were made that influenced the regulation proposed.
In 1985, the FAA issued NPRM 85-6, Aircraft Engines, Engine Control Systems (50 FR 6185, February 14, 1985). Comments were invited until May 20, 1985. Subsequently, the comment period was extended until July 29, 1985, at the request of commenters. Due consideration has been given to all comments received. Substantive changes, and changes of an editorial and clarifying nature, have been made to the rule based upon comments received and further review within the FAA.
Related Activity
In recent years there has been considerable activity within the FAA and industry to define the lightning and HIRF environment and the protection requirements for electrical and electronic systems. Aircraft certification requirements for lightning and HIRF for critical fly-by-wire systems, including those for FADEC systems, have been defined or are being defined. Section 33.28 specifically identifies lightning as an environment to be considered in the certification of EEC systems. Although HIRF is not specifically named in the rule, it is one of the environments, along with temperature, vibration, and others, that must be considered during certification of EEC systems.
The Society of Automotive Engineers (SAE)-AE4L Lightning Subcommittee published, "Recommended Draft Advisory Circular, Protection of Aircraft Electrical/Electronic Systems Against the Indirect Effects of Lightning." (SAE publication AE4L-87-3, "Orange Book") in February 1987. This draft AC was prepared at the request of the FAA. The FAA has issued this document as AC 20-136, "Protection of Aircraft Electrical/Electronic Systems Against the Indirect Effects of Lightning," after it was modified to address public comments. This AC defines the synthesized test waveforms for lightning and the suggested Equipment Transient Design Levels (ETDL) for voltage and current for various types of equipment installations. In addition, the AC defines a procedure for developing a lightning test plan for submittal to the FAA. A companion users manual (Report Number DOT/FAA/CT-88/1) for AC 20-136 is scheduled to be completed in 1993. That document will provide guidance material that will define procedures for conducting the lightning tests. Also, the SAE-AE4L Subcommittee is currently preparing a revision to Section 22, "Lightning Induced Transient Susceptibility," of Radio Technical Commission for Aeronautics (RTCA) document DO-160, "Environmental Conditions and Test Procedure for Airborne Equipment," to include some of the guidelines of AC 20-136.
Notice 89-15, Electrical and Electronic Systems Lightning Protection, which proposes FAR Section 25.1316, System Lightning Protection, is in the rulemaking process at this time. During the interim period, the FAA has issued special conditions for individual aircraft models to define the lightning requirements for critical fly-by-wire systems including FADECs. Two examples of these special conditions are: (1) Notice No. SC-87-5-NM, "Special Conditions: Airbus Industries Model A320 Series Airplane"; and (2) Notice No. SC-88-6-NM, "Special Conditions: Boeing 747-400 Lightning and Radio Frequency (RF) Energy Protection."
The regulations that address lightning protection for critical systems are contained in Parts 23, 27, and 29. FAA engine certification programs have used the guidelines provided in SAE-AE4L-87-3 to verify that the EEC systems have been designed with adequate protection against the hazards caused by the lightning environment. Applicants have used experimental lightning test data and analysis to determine the anticipated induced voltage and current levels for the EEC system. A lightning test program is conducted by an applicant to demonstrate that there is no adverse effect on the performance of the EEC system when exposed to the anticipated lightning-induced voltage and current levels.
To address certification concerns regarding the electromagnetic environment, the FAA initiated, in 1989, a high priority program to determine and define the electromagnetic environment for aircraft; to develop and describe guidance material for design, test, and analysis of equipment in the electromagnetic environment; and to prescribe and promulgate regulatory standards. The FAA requested and received the participation of international airworthiness authorities and industry in developing internationally recognized standards for certification. The British Civil Aviation Authority (CAA), the French Direction General de l'Aviation Civile (DGAC), the German Luftfahrt Bundesamt (LBA), and the International Civil Aviation Organization (ICAO) have participated in the definition of the electromagnetic environment and development of design and qualification standards with the FAA. The SAE convened a special subcommittee, AE4R, with the objective of validating data on design, test, and analysis of equipment in the electromagnetic environment. The report of the SAE-AE4R Subcommittee will provide the technical material for the AC on radiated electromagnetic fields. The RTCA, through a special committee, has developed environmental test standards for equipment intended for aircraft application. The test standards are included in Section 20 of the RTCA document DO-160C, "Radio Frequency Susceptibility (Radiated and Conducted)."
The FAA has initiated a separate regulatory project to propose standards for the protection of aircraft electrical and electronic systems from the effects of the HIRF environment. An associated AC and a user's manual are being prepared coincident with the HIRF rulemaking.
On December 5, 1969, the FAA issued a memorandum to its aircraft certification directorates and aircraft certification offices stating the policy guidelines to be used in special conditions to assure uniformity of HIRF requirements for certification projects until a final rule could be issued.
In addition, RTCA Special Committee SC-167 has been chartered to review and revise, as necessary, RTCA document DO-178A, "Software Considerations in Airborne Systems and Equipment Certification." RTCA document DO-178A was issued by the FAA as AC 20-115A. The European Organization for Civil Aviation Electronics (EUROCAE), Working Group WG-12, is directed to work together with SC-167 to ensure that a common software AC is maintained for both the FAA and the European Joint Aviation Authorities (JAA).
The FAA submitted over twenty software certification issues to SC-167 to be considered for inclusion in the "Terms of Reference" (TOR) that have been generated by SC-167. The TOR will be addressed within the appropriate working groups of SC-167. RTCA document DO-178, Revision B, may not address all of the FAA issues. The FAA may issue additional guidance material to the extent necessary to address issues not covered by the TOR.
Discussion of Comments
Sixteen commenters from domestic and foreign industry, public, organizations, and from foreign airworthiness authorities responded to the NPRM. The comments from these letters are grouped according to the applicable NPRM paragraph and are discussed below.
Before proceeding with the discussion of comments for each subsection of Sec. 33.28, general comments regarding advisory material are discussed here. One commenter requests that advisory material for subsections (b) through (e) of the rule be provided, and a second commenter requests that advisory material for subsections (a) and (d) be provided for specific issues. Advisory material for protection of aircraft electrical and electronic systems from the effects of lightning and HIRF was previously discussed in the "Related Activity" section above. While the existing and future advisory material that was discussed above is directed toward aircraft certification, it also addresses certification of critical systems, including FADEC systems. The FAA believes that this advisory material will respond to the requests for advisory material for subparagraph (d). The FAA has determined that new issues raised by subsections (a) through (c), and (e) can be handled on a case-by-case basis without advisory material. However, the FAA will continue to review the need for advisory material and will issue it as the need arises.
Section 33.28 (Title and Introductory Text)
Three commenters recommend that the term "Electronic," as used in the title and introductory text of the new section, be changed to "electrical and (or and/or) electronic" to be more definitive of these systems. The FAA agrees. The paragraph heading "Electronic engine control systems" now reads "Electrical and electronic engine control systems" and the phrase in the introductory text of the new section "electrical or electronic" reads "electrical and electronic."
One commenter recommends that the scope of the rule be expanded to include "engine electronic computers" since the functions performed by EECs now are not limited to engine control functions. The FAA recognizes that EEC systems perform functions associated with the engine, in addition to the basic engine control function, and that all of these functions are usually controlled by a computer. However, the term electronic engine controls has become a generic classification that has been generally accepted by the FAA and industry to apply to a control that controls the engine functions. Therefore, this comment was not incorporated.
One commenter states that the scope of the regulation would bring aircraft related safety concepts into FAR Part 33 without precedent. The commenter concludes that this could result in a requirement to recertify an engine for each aircraft application.
The FAA believes that the integration of engine and aircraft control systems will continue to progress as the state of the art in electronic controls advances. The need for this regulation is, to a certain extent, the result of this increased integration, and one of the primary purposes of this regulation is to ensure that the integration results in a safe engine/aircraft product. It should be noted that engine/aircraft integration before the advent of EEC resulted in a number of applications in which engine hydromechanical control settings were changed from the original certificated specifications. While these changes occasionally required different engine model designations, a complete recertification program generally has not been required. It is not the intent of the FAA to change the rules that determine when an engine needs to be recertificated. However, the FAA has determined that this regulation is needed because of technological advances in engine controls.
One commenter suggests that the phrase "relies on" in the first sentence of the rule implies that the rule would apply only to FADEC type systems. The commenter believes that this phrase could be interpreted as being inapplicable to a system that could continue to function by hydromechanical means, without electrical or electronic means.
Even though a control system can continue to function in a backup (hydromechanical) mode without the electronic portions, the normal mode of operation for these systems is with the electrical and electronic control portions functional. The wording of the rule is modified to insert the word "normal" before the word "operation" to clarify this point.
Section 33.28(a)
Three commenters state that the proposed terms "primary" and "secondary control systems" are not defined in the proposed rule, and that the terms would be subject to interpretation and possible misunderstanding. Four commenters recommend that the paragraph be modified to consider all control functions, not only the degree of authority of power or thrust. Since other controlled functions, such as control of surge margin, rotor overspeed, reverser sequencing, etc., are defined in terms of range of control rather than in percentage authority, the degree of authority should be expressed in terms other than percent of power or thrust so as to include other functions.
The FAA agrees with both comments. Section 33.28(a) is modified to remove the reference to primary and secondary controls, and the reference to the degree of authority that is applicable to the control of power or thrust is clarified. The regulation is also modified to require that control system data be included in the instruction manual. The new requirement addresses other controlled functions, such as overspeed and reverser sequencing as well as power or thrust. This section requires that the range of control of these additional controlled functions be specified. In addition, the control system description, required to be included in the instruction manual, must specify the unique EEC and aircraft interface requirements that can affect safe engine operation.
Two commenters recommend that the degree of authority should be specified in terms of a nominal degree of authority in normal operation. A third commenter recommends that, in determining the degree of authority, consideration should be given to anticipated flight and environmental conditions to assure a realistic worst-case analysis, and that the authority be specified relative to maximum power for uniformity.
The FAA agrees that the degree of authority be based on a worst-case analysis. FAA experience with past certification programs has disclosed that controls that were understood to provide only minor trimming of power or thrust, under some flight conditions, were found to control more than 50 percent of the maximum engine thrust. It is necessary that the full range of the control functions, under all conditions, be clearly specified. This information is also needed by the FAA in order to make determinations on the airworthiness of the system design, including power supply, redundancy, and software design.
One commenter recommends adding a statement that "full engine power shall be available * * * in the event of a go-around under normal and failure conditions." While full engine power for a go-around is desirable, it may not be necessary in all cases. Also, the requirement for go-around power would need to be applied to all engine controls, not only those with EEC. Therefore, the FAA believes that this is actually a subject for coordination between engine and aircraft manufacturers, and the FAA during subsequent aircraft certification programs. Adoption of this requirement would be beyond the scope of this rule.
Section 33.28(b)
Three commenters state that partial loss of power or thrust is not an unsafe condition. They suggest that tests and/or analyses be used to establish the change in power or thrust level resulting from failure of aircraft-supplied power or data. The commenters imply that the engine certification process should only establish the change in power or thrust level resulting from failure of aircraft-supplied power or data during the engine certification process.
The FAA is not in complete agreement with these comments. The FAA agrees that not all partial losses of power or thrust are unsafe. However, the level, frequency, and duration of power or thrust loss resulting from failure of aircraft-supplied power or data are among factors considered during evaluation for engine certification. Evaluation of partial loss of power or thrust during the engine certification process is coordinated with the cognizant aircraft certification office. Therefore, the FAA has determined that this requirement is needed.
Two commenters suggest changing the phrase "significant change of power" to "unacceptable change of power." One commenter notes that in some installations, such as in helicopters, it may not be desirable to have a "fail-fixed" condition (one in which the operating conditions immediately prior to failure are continued), as a result of a loss of aircraft power. The FAA agrees that some clarification is necessary and has revised paragraph (b) to read "unacceptable change of power or thrust."
Three commenters state that the phrase "continued safe operation" was not defined and could lead to misinterpretation.
The intent of this phrase is to require that failure of aircraft-supplied power or data not result in an unsafe engine condition in an operating engine. The FAA has determined that there is sufficient historical experience with the phrase "continued safe operation" that its use in this context will not result in confusion.
Two commenters state that the term, "any failure" can cover "the state of abnormal, incorrect functioning of the aircraft-supplied power and data which will inevitably vary the engine response" and that this failure will generally be beyond the control of the engine manufacturer. However, they state, the engine manufacturer would be expected to ensure that the engine would "continue to function in a sensibly unchanged manner" after the loss of aircraft-supplied power or data. Commenters seek to have the rule distinguish between "failure" and "loss" of aircraft power or data.
The FAA has determined that the word "failure" in paragraph (b) includes loss, as well as abnormal or incorrect functioning of the aircraft-supplied power or data. The control system is expected to accommodate these faults. However, cases will be considered on an individual basis where abnormal or incorrect functioning of the aircraft-supplied data cannot be accommodated by the EEC. Accordingly, the wording of the requirement is retained as proposed.
Two of the commenters state that Sec. 33.28(b) introduces the concept that the loss of thrust is an unsafe condition, and that such a concept would be contrary to accepted practice in the certification of engines. The FAA engine certification process is based on the principle that a loss of power or thrust in a single engine is not necessarily an unsafe condition for multiple engine aircraft. However, the FAA engine certification practice has been to evaluate partial and complete loss of power or thrust during the certification process, particularly where such a loss is caused by a common mode event. There is regulatory precedent for rules to limit partial loss of power or thrust. For example, Sec. 33.77, Foreign object ingestion, states that sustained loss of more than 25 percent of power or thrust is unacceptable. Therefore, the FAA disagrees with the comment that a new concept is being introduced.
Three commenters indicate a need to describe unsafe engine conditions and how these conditions relate to those in Sec. 33.75, Safety analysis.
This proposal would incorporate more comprehensive safety considerations than currently required by Sec. 33.75. Additional failure modes are introduced by EEC systems because more engine functions are controlled, and there is more integration with the aircraft, such as autothrottle and thrust management systems. Examples of these additional failure modes are included in the discussion of comments to paragraph (c) below. It would be beyond the scope of this rulemaking, however, to list additional unsafe conditions in Sec. 33.75, since no change to that section was proposed.
One commenter expresses concern that relating continued safe operation to a significant change in power or thrust may not consider corrective action by the crew that permits a controlled return to a selected power setting.
The FAA has certificated systems that allow pilot action to recover the lost power or thrust by simply resetting the power lever. Consideration of flight crew action is reviewed on an individual application basis at the power plant installation level. For example, a system would not be acceptable if excessive pilot action were required to maintain power or thrust after the reversion to a backup system.
One commenter recommends deletion of proposed paragraph (b) because it addresses engine isolation, which is an airframe certification issue. The commenter states that it would be inconsistent to treat the loss of electrical data or supply differently from the loss of fuel supply, and that such treatment would impose significant cost penalties for design, and manufacture, and maintenance.
The FAA disagrees with the commenter because the ability of the engine to operate without power supply or data from the aircraft, i.e., engine self-sufficiency, has been an engine certification requirement for many years. An early example of this requirement is the magneto requirement for reciprocating engines. With regard to aircraft-supplied data, the FAA does not mandate separate air data sensors for the engine, but rather requires that the loss of aircraft-supplied data should not cause an adverse effect on engine operation. Fault accommodation techniques can be used to comply with the requirement.
One commenter recommends that the second section of this paragraph read, "any failures not shown to be extremely improbable will [not] prevent continued safe operation of the engine." Two commenters state that the inverse relationship between probability and consequence of failure should be considered in this paragraph. Another commenter states that the paragraph presupposes that aircraft power systems are not reliable.
The FAA recognizes that aircraft electrical power systems are reliable, and that it may be shown during aircraft certification that the likelihood of a total electrical power loss is extremely improbable. However, the FAA also recognizes that most types of aircraft power systems have suffered such a loss at some time in their fleet-service history. In addition, aircraft-supplied power to the engine can be lost because of cable damage due to events, such as fire or structural damage. Systems with hydromechanical backup to the EEC that use aircraft power have been certificated because the engine can be operated safely despite loss of aircraft power to the EEC. Other EEC systems have been certificated that use aircraft power for powering noncritical functions, while the critical control functions are powered from a dedicated engine power source. For systems that depend on electrical power for continued safe operation, this paragraph would require the use of an engine-mounted, dedicated power supply. Therefore, the FAA concludes that a requirement to ensure engine independence from aircraft power systems is necessary and that the requirement as written must be retained.
One commenter states that an aircraft power system could supply electrical power with greater reliability than could a dedicated single engine-mounted alternator. A second commenter states that paragraph (b) encourages the use of a single engine-mounted generator which may not be as reliable as multiple sources of a suitably designed aircraft electrical power system. In response to the comments regarding single engine-mounted generators, the single fault tolerance requirement stated in paragraph (c) would need to be considered in order to determine acceptability. For example, the FAA has approved systems with a single alternator, with redundant alternator windings, that supply power independently to redundant channels of a FADEC.
Section 33.28(c)
Four commenters recommend that this paragraph be deleted since the requirements are presently contained in Sec. 33.75. The FAA has determined that these requirements differ from, and are necessary in addition to, the requirements contained in Sec. 33.75. Electrical and electronic controls introduce potential failures that can result in unsafe conditions that are not addressed by the requirements contained in Sec. 33.75. These types of failures include, but are not limited to:
(a) Loss of control of the engine;
(b) Instability in the control of a critical function;
(c) Unwanted change in magnitude or direction of power or thrust for some aircraft operating conditions; and
(d) Unwanted action of a critical control function, such as deployment of reversers.
Therefore, it is necessary that these types of control system failures also be considered.
One commenter finds the proposed paragraph acceptable, provided that mechanical or electronic control backup systems are recognized as acceptable. The FAA certificates engine control systems with either mechanical or electronic control backup systems, provided that continued safe operation of the engine is maintained following a single failure of an electrical or electronic component.
Four commenters express concern with the phrase "loss of ability to control the engine over an approved range of power or thrust." They are concerned that the FAA may consider the partial loss of power or thrust an unsafe condition, which they consider a change from past practice. The FAA practice has been to certify engines that have failure modes resulting in partial loss of thrust, provided that the failures do not result in an unsafe condition. However, in these cases, acceptance of partial loss of power or thrust is coordinated with the cognizant aircraft certification office. Each engine certification application is reviewed on an individual basis.
Because of the concerns expressed with the phrase, "loss of ability to control the engine over an approved range of power or thrust," the FAA is deleting this phrase and revising the paragraph to be more general. When this phrase is removed, the language of the paragraph becomes similar to that of Sec. 25.901(c), which addresses single failures in power plants. Section 25.901(c) contains the phrase "no single failure or malfunction or probable combination of failures," while the NPRM contains the phrase "any probable failure or malfunction." The NPRM wording was derived from Sec. 33.75, which states "any probable malfunction or any probable single or multiple failures." The FAA's intent in using the phrase "any probable failure or malfunction" in the NPRM was to include "any" failure or malfunction that could occur, including any single failure or malfunction. It has been FAA practice to apply this same interpretation to the phrase "any probable malfunction or any probable single or multiple failure" in Sec. 33.75. In addition, the revised Sec. 33.28(c) includes the phrase "or probable combination of failures," which is identical to that of Sec. 25.901(c) and similar to the phrase "or multiple failure" in Sec. 33.75. In the NPRM, the phrase "any probable failure or malfunction" was likewise intended to include any probable combination of failures, as provided in the revised paragraph. Accordingly, the paragraph has been revised to address the concerns of commenters, to clarify the FAA intent, and to provide a rule with phrasing that has a precedent in FAA regulations.
Two commenters suggest the use of the inverse relationship that relates the frequency of the failure to the consequence of the failure. The FAA recognizes that this relationship is addressed in AC 25.1309-1A. This relationship is one of the considerations used when evaluating the applicant's fault analysis and the acceptability of the failures discussed in the analysis. However, a quantitative acceptance criterion for the various EEC failures is not intended at this time. Also, there are considerations other than failure rates that are used in the engine certification process. The FAA will continue to evaluate the need for including inverse relationships in the requirements.
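The power-supply alternatives discussed under Sec. 33.28(b) above (a dedicated engine-mounted source, a single alternator with redundant windings feeding redundant FADEC channels, aircraft power reserved for noncritical functions or used as a backup) and the single-failure and probable-combination conditions of Sec. 33.28(c) can both be screened by enumerating component failures against a model of the power paths. The following Python is an added illustration and is not part of the rule, the NPRM, or any applicant's fault analysis. The two architectures, the component names, and the assumption that control is kept while at least one healthy channel has a powered path are all constructed for this example; only electrical power paths are modelled (aircraft-supplied data is not), and no probability judgment is made, which remains the applicant's fault analysis.

```python
"""Failure screen for a hypothetical EEC power architecture (added example)."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# A FADEC channel keeps control if it is healthy and at least one of its
# power paths is intact; a path is a tuple of components that must ALL be
# healthy for that path to deliver power.
Architecture = Dict[str, List[Tuple[str, ...]]]

# Hypothetical architecture 1: a single engine-mounted alternator whose rotor
# drives two windings, one per channel; aircraft power is not used for control.
DEDICATED_ONLY: Architecture = {
    "channel_A": [("alternator_rotor", "winding_A")],
    "channel_B": [("alternator_rotor", "winding_B")],
}

# Hypothetical architecture 2: the same alternator, with the aircraft bus
# added as a backup path for each channel.
WITH_AIRCRAFT_BACKUP: Architecture = {
    "channel_A": [("alternator_rotor", "winding_A"), ("aircraft_bus",)],
    "channel_B": [("alternator_rotor", "winding_B"), ("aircraft_bus",)],
}

# Components supplied by the aircraft rather than the engine (assumption).
AIRCRAFT_SUPPLIED: Set[str] = {"aircraft_bus"}


def components(arch: Architecture) -> List[str]:
    """All components of the architecture, including aircraft-supplied ones."""
    parts = set(AIRCRAFT_SUPPLIED)
    for channel, paths in arch.items():
        parts.add(channel)
        for path in paths:
            parts.update(path)
    return sorted(parts)


def channel_in_control(arch: Architecture, channel: str, failed: Set[str]) -> bool:
    """A channel controls the engine if it is healthy and has an intact path."""
    if channel in failed:
        return False
    return any(all(c not in failed for c in path) for path in arch[channel])


def engine_controlled(arch: Architecture, failed: Set[str]) -> bool:
    """Control is retained while any channel remains powered and healthy."""
    return any(channel_in_control(arch, ch, failed) for ch in arch)


def single_failure_violations(arch: Architecture) -> List[str]:
    """Sec. 33.28(c)-style screen: single failures that remove engine control."""
    return [c for c in components(arch) if not engine_controlled(arch, {c})]


def aircraft_independence_ok(arch: Architecture) -> bool:
    """Sec. 33.28(b)-style screen: control survives loss of aircraft power."""
    return engine_controlled(arch, set(AIRCRAFT_SUPPLIED))


def losing_combinations(arch: Architecture, order: int = 2) -> List[FrozenSet[str]]:
    """Failure combinations of up to `order` components that remove control.

    Combinations that already contain a losing single failure are skipped,
    so the result lists only the combinations the applicant's fault analysis
    would still have to show are not probable.
    """
    out: List[FrozenSet[str]] = []
    parts = components(arch)
    for n in range(2, order + 1):
        for combo in combinations(parts, n):
            if any(not engine_controlled(arch, {c}) for c in combo):
                continue
            if not engine_controlled(arch, set(combo)):
                out.append(frozenset(combo))
    return out


def report(name: str, arch: Architecture) -> None:
    print(f"== {name} ==")
    print("  loss of aircraft power tolerated:", aircraft_independence_ok(arch))
    print("  single failures removing control:", single_failure_violations(arch))
    for combo in losing_combinations(arch):
        print("  losing pair:", sorted(combo))


if __name__ == "__main__":
    report("dedicated alternator only", DEDICATED_ONLY)
    report("dedicated alternator with aircraft backup", WITH_AIRCRAFT_BACKUP)
```

Run stand-alone, the screen shows why the comments on a single engine-mounted generator must be read together with paragraph (c): in the first architecture the alternator rotor is a single failure common to both windings and removes control, while in the second every single failure is tolerated and only two-component combinations (both channels, or rotor together with aircraft bus) remain for the fault analysis to address.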
Section 33.28(d)
One commenter recommends that this paragraph be replaced with a simple requirement for compliance with the component test requirements of Sec. 33.91(a). The existing component certification requirements, including Sec. 33.91(a), must be met by electrical and electronic controls. The FAA has determined that the limits for induced voltage transients, including lightning strikes and high energy radiated fields, must be specified since this is a consideration which is of concern only to engines with electrical and electronic controls.
Two commenters recommend that specific standards for lightning testing be given or that an AC be written on the subject. A third commenter recommends that SAE Committee Report AE4L-81-2 be used as an industry standard.
Lightning test waveforms and testing may be based on SAE Committee Reports AE4L-81-2, AE4L-87-3, or other methods found acceptable by the FAA. It is not the intent of this paragraph to set a specific tolerance for lightning strikes, but simply to require that the tolerance level to which the EEC system is designed be specified, so that adequate shielding can be provided by the aircraft manufacturer to ensure that this tolerance level is not exceeded in the aircraft installation. However, the guidelines set forth in AC 20-136 (SAE publication AE4L-87-3, "Orange Book") state that in the preparation of the lightning test plan, the applicant should determine the lightning environment for the equipment to be certificated, add a margin of safety, and then test to these levels. Test levels will differ for different engines. For example, on a large transport engine, 1,000 ampere shield currents have been used for the multiple stroke tests during certification. For a commuter aircraft engine, an applicant determined that a 3,000 ampere shield current was an appropriate level for the multiple stroke test.
There were no comments received concerning the HIRF environmental levels. In the section on "Related Activity" above, the activities related to HIRF were addressed. While these activities are directed toward aircraft certification for critical electrical and electronic systems, they also place requirements on the HIRF test levels for equipment certification.
Specification of design limitations for lightning and HIRF in an engine's instruction manual is consistent with the current FAA practice with regard to the level of lightning and HIRF likely to be encountered in the normal operating environment of the engine. The aircraft manufacturer and the engine manufacturer coordinate the proper levels for the particular installation that are necessary to meet the aircraft airworthiness requirements. The engine manufacturer tests and certifies the engine to a given environmental level, and these levels are specified in the instruction manual. This level is then considered to be a design limitation that the aircraft installation must accommodate. In the case of lightning and HIRF, the aircraft manufacturer is required by special conditions to provide an aircraft that meets the specified aircraft lightning and HIRF threat levels. By various design techniques, such as wire routing, cable shielding, and grounding, the aircraft installation provides the level of lightning and HIRF protection to accommodate the specified threat levels for the engine installation.
One commenter recommends that the phrase "environmental limits, including transients due to lightning strikes" be restricted to operating conditions lest they be interpreted as a matter of long-term durability. The FAA has determined that the term "environmental limits" is a commonly used and accepted term that does include transient conditions, as well as long-term durability for conditions which may exist in steady-state. Therefore, the phrase is retained as proposed.
Section 33.28(e)
Five commenters recommend that the method used to design and implement the software be approved by the Administrator, rather than be "specified" and "suitable," since these terms are not defined. The FAA concurs with this recommendation, and the paragraph has been revised accordingly. It should be noted that RTCA document DO-178A, "Software Considerations in Airborne Systems and Equipment Certification," is accepted by the FAA as a guideline for software design and development. This guideline defines the software certification test plan that is prepared by the applicant and submitted to the regulatory authority for approval.
Three commenters state that the phrase "* * * would result in an excessive loss of power or thrust * * *" is unnecessarily restrictive and subject to problems of interpretation. Two of these commenters note that a loss of power or thrust is not an unsafe condition.
The FAA disagrees with these commenters. It should be recognized that this paragraph addresses undetected errors in software rather than control hardware failures, and that it is possible that all engines on a multi-engine aircraft could be affected. This could lead to the loss of power or thrust that is greater than that experienced after the loss of a single engine. The word "excessive" is changed to "unacceptable" in accordance with comments discussed under the discussion of comments to Sec. 33.28(b); otherwise, the phrase is retained as written.
Two commenters express concern over the release of proprietary data to satisfy the requirements of this paragraph. A complete and detailed review of the control software will be required to establish compliance with this paragraph. The review will include proprietary data, if it is used. The FAA already reviews proprietary data submitted for other aspects of aircraft and aircraft engine certification. Furthermore, proprietary data is protected from disclosure under the Freedom of Information Act (FOIA), as amended (5 U.S.C. 552).
One commenter recommends that Sec. 33.28(e) be replaced with the statement, "compliance with engine component test as specified in 33.91(a) is required." The FAA concludes that a regulation that specifically addresses software is necessary and, therefore, this paragraph is retained as part of the rule.
Two commenters state that complete prevention of errors in software would be impractical and that the word "prevent" should be changed to "minimize," or the requirement should be deleted. The FAA understands these concerns; however, the word "prevent," as used in this context, means that the software is to be designed and implemented to the highest standards that the state of the art allows, such as Level 1 "Critical," as defined in RTCA document DO-178A. By taking all steps toward error prevention required of software engineering practice for critical levels, and completing any additional testing required by the FAA, an applicant will satisfy the requirement to "prevent" the software errors.
One commenter states that methods used by its control suppliers to prevent software errors in design and implementation can be specified for this purpose. The FAA interprets this comment to be in agreement with the rule.
One commenter recommends that paragraph (f) be added with a requirement that control and instrumentation systems be segregated mechanically and electrically. The FAA has determined that such a requirement would be overly restrictive. Experience has shown that such systems can be safely integrated with appropriate hardware and software safeguards.
Regulatory Evaluation Summary
There is no known cost impact associated with this rule. The rule codifies and standardizes existing FAA practice with regard to the certification of engine control systems, particularly those systems that are electrical and electronic in nature, and more recently the FADEC systems. These systems have been marketed to the aircraft industry as a means of reducing costs and improving performance, reliability, and maintainability over the existing hydromechanical controls. In order for this new technology to gain acceptance by the aircraft industry, it was necessary for the engine/control suppliers to provide systems that would achieve the same level of airworthiness as the existing hydromechanical technology. In order to accomplish this objective, these systems were introduced into service with dedicated power systems, fault-accommodated and fault-tolerant (including redundant) designs, lightning and electromagnetic interference (EMI) protection, and critical software design methodology. Because these systems are state of the art, and there are presently no specialized regulations that provide for their certification, the FAA has relied upon generalized interpretations of the regulations, AC information, and engineering professional society documentation to establish type certification special conditions on a case-by-case basis. Current regulations that are generally applied to the certification of electrical and electronic engine control systems include, but are not limited to, Sec. 33.5, Instruction manual; Sec. 33.75, Safety analysis; and Sec. 33.91, Engine component tests. None of these rules, however, provides explicit requirements with regard to electronic engine controls. In consonance with existing FAA practice, this final rule reflects the FAA's intent to promulgate a regulation which institutes functional objective requirements, rather than mandating design requirements, in order to accomplish the certification of engine control systems.
Section 33.28(a) requires that control systems that rely on electrical and electronic means for operation be defined in the installation manual with regard to the controlled functions and the degree of authority, in percentages, exerted over power or thrust for both normal and failure modes. In addition, this paragraph specifies that the unique engine and airplane interface requirements, with regard to the control system, be included in the manual as part of this definition. This paragraph does not require manufacturers to perform any additional testing or activities beyond current certification practices.
Section 33.28(b) requires that electrical and electronic engine control systems be designed and constructed so that any failure of aircraft-supplied power or data will not result in an unacceptable change in power or thrust, or prevent continued safe operation of the engine. This section provides the engine manufacturer with alternatives it may use to meet this requirement. For example, the manufacturer may meet the requirement through an independent power supply, such as a generator, or through a secondary power supply, such as batteries. Satisfying the certification requirement through the latter may be difficult given present technology. However, the FAA has strictly interpreted this certification issue in the existing regulations as requiring design for engine isolation.
Section 33.28(c) requires that electrical and electronic engine control systems be designed and constructed so that any failure or malfunction of electronic components will not prevent continued safe operation of the engine. All manufacturers have chosen, in the past, to design and construct a hydromechanical or electronic control backup system that accomplishes this objective, and the FAA has approved these methods. Therefore, this requirement codifies present practices.
Section 33.28(d) requires that electrical and electronic engine control system environmental limits, including transients due to lightning strikes and high energy radiated electromagnetic fields, be specified. As with current certification practice, the requirement remains that the aircraft withstand lightning transients and exposure to high energy radiated fields and continue to operate. These are requirements that would be imposed upon any electrical and electronic system that performs a critical function and, therefore, this is not a new requirement, or a cost directly attributable to this rule.
Section 33.28(e) requires that electrical and electronic engine control systems have all associated software designed and implemented to prevent errors that would result in an unacceptable loss of power or thrust, or other unsafe condition, and have the method used to design and implement the software approved for the application. In current practice, the FAA requires that electronic engine control software be designed to the critical level, Level 1, as defined in RTCA document DO-178A, or a standard found equivalent by the Administrator.
Therefore, this rulemaking establishes clearer functional objective requirements that provide the basis for the type certification of electrical and electronic engine control systems. Furthermore, codifying these functional requirements provides unquantified benefits to manufacturers and the federal government by allowing both to standardize their certification efforts, resulting in reduced design, testing, and administrative costs.
This regulatory action codifies and standardizes in part 33, subpart B, functional requirements (objectives) pertaining to the certification of electrical and electronic engine control systems. This amendment is in consonance with present certification requirements as they pertain to engine control systems, and does not mandate specific design requirements. Because this amendment would not impose type certification standards (objectives) beyond those currently applied in practice by the FAA, there is no cost impact associated with it. Furthermore, as described above, this amendment provides benefits to manufacturers and the federal government through standardization of certification efforts.
International Trade Impact Statement
This amendment would have no significant impact on trade for U.S. firms doing business in foreign countries or foreign firms doing business in the U.S. The rule codifies and standardizes existing FAA practices with regard to the certification of engine control systems, particularly those systems that are electrical and electronic in nature, as well as the more recent FADEC systems. These systems have been marketed to the aircraft industry as a means of reducing costs and improving performance, reliability, and maintainability as compared to the existing hydromechanical controls. In order for this new technology to gain acceptance by the aircraft industry, it was necessary for both foreign and domestic engine/control suppliers to provide systems that would achieve the same level of airworthiness as the existing hydromechanical technology. Therefore, neither domestic nor foreign manufacturers are affected by different standards.
Regulatory Flexibility Determination
The Regulatory Flexibility Act of 1980 (RFA) was enacted by Congress to ensure, among other things, that small entities are not disproportionately affected by government regulations. The RFA requires agencies to review rules which may have a "significant economic impact on a substantial number of small entities." The FAA definition of a substantial number of small entities is a number which is not less than 11, and which is not more than one-third of the small entities subject to a proposed or existing rule. The FAA threshold for a determination of a small entity for U.S. manufacturers of airplanes and airplane parts is 75 employees. The threshold for aircraft engine and engine parts manufacturers is 375 employees. There are no known engine manufacturers, airframe manufacturers, or manufacturers of electrical or electronic engine control systems that are considered to be "small entities" under the definition. In addition, as discussed above, the regulatory evaluation indicates that there are no costs associated with the amendment.
Therefore, FAA has determined that the amendment will not have a significant economic impact, positive or negative, on a substantial number of small entities.
Federalism Implications
The regulations adopted herein will not have substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. Therefore, in accordance with Executive Order 12612, it is determined that this final rule does not have sufficient federalism implications to warrant the preparation of a Federalism Assessment.
Conclusion
For the reasons discussed in the preamble, and based on the findings in the Regulatory Evaluation and the International Trade Impact Analysis, the FAA has determined that this rule is not major under Executive Order 12291. In addition, the FAA certifies that this rule will not have a significant economic impact, positive or negative, on a substantial number of small entities under the criteria of the Regulatory Flexibility Act. This regulation is not considered significant under DOT Regulatory Policies and Procedures (44 FR 11034, February 28, 1979). A final regulatory evaluation of the rule, including a Regulatory Flexibility Determination and Trade Impact Analysis, has been placed in the docket. A copy may be obtained by contacting the person identified under "FOR FURTHER INFORMATION CONTACT."
List of Subjects in 14 CFR Part 33
Aircraft, Aviation safety.
Regulatory Information
Adoption of the Amendment
In consideration of the foregoing, the Federal Aviation Administration amends part 33 of the Federal Aviation Regulations (14 CFR part 33) as follows:
PART 33--AIRWORTHINESS STANDARDS: AIRCRAFT ENGINES
1. The authority citation for part 33 continues to read as follows:
Authority: 49 U.S.C. 1344, 1354(a), 1355, 1421, 1423, 1424, 1425; 49 U.S.C. 106(g).
2. Part 33 is amended by adding a new Sec. 33.28 to read as follows:
Sec. 33.28 Electrical and electronic engine control systems.
Each control system which relies on electrical and electronic means for normal operation must:
(a) Have the control system description, the percent of available power or thrust controlled in both normal operation and failure conditions, and the range of control of other controlled functions, specified in the instruction manual required by Sec. 33.5 for the engine;
(b) Be designed and constructed so that any failure of aircraft-supplied power or data will not result in an unacceptable change in power or thrust, or prevent continued safe operation of the engine;
(c) Be designed and constructed so that no single failure or malfunction, or probable combination of failures of electrical or electronic components of the control system, results in an unsafe condition;
(d) Have environmental limits, including transients caused by lightning strikes, specified in the instruction manual; and
(e) Have all associated software designed and implemented to prevent errors that would result in an unacceptable loss of power or thrust, or other unsafe condition, and have the method used to design and implement the software approved by the Administrator.
Footer Information
Issued in Washington, DC, on May 11, 1993.
Joseph Del Balzo.
Acting Administrator.
[FR Doc. 93-11721 Filed 5-17-93; 8:45 am]
BILLING CODE 4910-13-M
Comments
Document History
Notice of Proposed Rulemaking Actions:
Notice of Proposed Rulemaking. Notice No. 85-6; Issued on 12/21/84.
Other Final Rule Actions:
Not Applicable.