What is the purpose of AMC 25.1302 regarding flight crew equipment?

AMC 25.1302 provides guidance for demonstrating compliance with CS 25.1302 and other related paragraphs in CS-25 concerning installed equipment used by the flight crew, focusing on design and approval of equipment for flight crew members from their seated positions.

What factors should be considered for consistency in flight deck design according to AMC 25.1302?

Factors to consider for consistency include symbology, data entry conventions, formatting, color philosophy, terminology, labeling, function and logic, information presented with other information of the same type, and the operational environment.

What is the key difference between 'evaluations' and 'tests' as means of compliance under AMC 25.1302?

Evaluations are assessments conducted by the applicant without requiring a conforming product/system, while tests require a conforming product/system and system interface, with the Agency typically present.

What design aspects does AMC 25.1302 address to minimize flight crew errors?

AMC 25.1302 addresses design characteristics that reduce or avoid flight crew error by ensuring that necessary information and controls are provided in a usable form, and that operationally relevant system behavior is understandable, predictable, and supportive of flight crew tasks.

How should feedback be provided for control inputs according to AMC 25.1302?

Feedback for control inputs should be visual, auditory, or tactile, informing the crew that a control has been activated, the function is in process, and the action associated with the control has been initiated.

How does the level of systems integration affect compliance with AMC 25.1302?

The level of systems integration, referring to the interactions and dependencies between systems affecting flight crew operation, can impact the means of compliance with AMC 25.1302. Higher integration may require more scrutiny during the certification process.

What design considerations apply to system behavior under CS 25.1302(c)?

Under CS 25.1302(c), operationally relevant system behavior must be predictable and unambiguous, and the design must enable the flight crew to intervene in a manner appropriate to the task and intended function.

What factors determine the degree of design novelty according to AMC 25.1302?

The degree of design novelty is determined by factors such as the introduction of new technologies, the need for unusual operational procedures, new ways for the flight crew to interact with systems, and new uses for existing systems that change flight crew tasks or responsibilities.

What should be included in a certification plan according to AMC 25.1302?

A certification plan should document the new aeroplane, system, control, information, or feature(s); the design feature(s) being evaluated; the integration or complexity of the new feature(s); affected flight crew tasks; new flight crew procedures; specific requirements to be complied with; the means used to show compliance; and the method for transferring data to the Agency.

What are the limitations of using a 'design philosophy' as a means of compliance under AMC 25.1302?

In most cases, using a design philosophy alone will be insufficient to demonstrate compliance. It typically needs to be supplemented with other means of compliance.

What is the scope of 'controls' as defined by AMC 25.1302?

For the purposes of AMC 25.1302, 'controls' are defined as devices the flight crew manipulates to operate, configure, and manage the aeroplane, including buttons, switches, knobs, keyboards, touch screens, cursor control devices, graphical user interfaces, and voice-activated controls.

What are the six general means of compliance discussed in AMC 25.1302?

The six general means of compliance discussed are statements of similarity, design description, calculations/analyses, evaluations, tests, and flight operational evaluations.

AMC 25.1302 Installed Systems and Equipment for Use by the Flight Crew

Navigate / EASA

Ask question Discover more Add to collection

ED Decision 2007/010/R

Table of content

1. Purpose

2. Background

3. Scope and Assumptions

4. Certification Planning

5. Design Considerations and Guidance

6. Means of Compliance

Appendix 1: Related Regulatory Material

Appendix 2: Definitions and Acronyms

1. PURPOSE

This Acceptable Means of Compliance (AMC) provides guidance material for demonstrating compliance with the requirements of CS 25.1302 and several other paragraphs in CS-25 that relate to the installed equipment used by the flight crew in the operation of an aeroplane. In particular, this AMC addresses the design and approval of installed equipment intended for the use of flight-crew members from their normally seated positions on the flight deck. This AMC also provides recommendations for the design and evaluation of controls, displays, system behaviour, and system integration, as well as design guidance for error management.

Applicants should use Paragraphs 4, 5 and 6 of this AMC together to constitute an acceptable means of compliance. Paragraph 4 “Certification Planning”, describes the activities and communication between the applicant and the Agency for certification planning. Paragraph 5 “Design Considerations and Guidance”, is organised in accordance with the sub-paragraphs of CS 25.1302 and identifies HF related design issues that should be addressed to show compliance with CS 25.1302 and other relevant rules. Paragraph 6 “Means of Compliance” describes general means of compliance and how they may be used.

2. BACKGROUND

Flight crews make a positive contribution to the safety of the air transportation system because of their ability to assess continuously changing conditions and situations, analyse potential actions, and make reasoned decisions. However, even well trained, qualified, healthy, alert flight-crew members make errors. Some of these errors may be influenced by the design of the systems and their flight crew interfaces, even with those that are carefully designed. Most of these errors have no significant safety effects, or are detected and/or mitigated in the normal course of events,. Still, accident analyses have identified flight crew performance and error as significant factors in a majority of accidents involving transport category aeroplanes.

Accidents most often result from a sequence or combination of errors and safety related events (e.g., equipment failure and weather conditions). Analyses show that the design of the flight deck and other systems can influence flight crew task performance and the occurrence and effects of some flight crew errors.

Some current regulatory requirements mean to improve aviation safety by requiring that the flight deck and its equipment be designed with certain capabilities and characteristics. Approval of flight deck systems with respect to design-related flight crew error has typically been addressed by referring to system specific or general applicability requirements, such as CS 25.1301(a), CS 25.771(a), and CS 25.1523. However, little or no guidance exists to show how the applicant may address potential crew limitations and errors. That is why CS 25.1302 and this guidance material have been developed.

Often, showing compliance with design requirements that relate to human abilities and limitations is subject to a great deal of interpretation. Findings may vary depending on the novelty, complexity, or degree of integration related to system design. The EASA considers that guidance describing a structured approach to selecting and developing acceptable means of compliance is useful in aiding standardised certification practices.

3. SCOPE AND ASSUMPTIONS

This AMC provides guidance for showing compliance with CS 25.1302 and guidance related to several other requirements associated with installed equipment the flight crew uses in operating the aeroplane. Table 1 below contains a list of requirements related to flight deck design and flight crew interfaces for which this AMC provides guidance. Note that this AMC does not provide a comprehensive means of compliance for any of the requirements beyond CS 25.1302.

This material applies to flight crew interfaces and system behaviour for installed systems and equipment used by the flight crew on the flight deck while operating the aeroplane in normal and non-normal conditions. It applies to those aeroplane and equipment design considerations within the scope of CS-25 for type certificate and supplemental type certificate (STC) projects. It does not apply to flight crew training, qualification, or licensing requirements. Similarly, it does not apply to flight crew procedures, except as required within CS-25.

In showing compliance to the requirements referenced by this AMC, the applicant may assume a qualified flight crew trained in the use of the installed equipment. This means a flight crew that is allowed to fly the aeroplane by meeting the requirements in the operating rules for the relevant Authority.

Paragraph 3 - Table 1: Requirements relevant to this AMC.

CS-25 BOOK 1 Requirements	General topic	Referenced material in this AMC
CS 25.771(a)	Unreasonable concentration or fatigue	Error, 5.6. Integration, 5.7. Controls, 5.3. System Behaviour, 5.5.
CS 25.771(c)	Controllable from either pilot seat	Controls, 5.3. Integration, 5.7.
CS 25.773	Pilot compartment view	Integration, 5.7.
CS 25.777(a)	Location of cockpit controls.	Controls, 5.3. Integration, 5.7.
CS 25.777(b)	Direction of movement of cockpit controls	Controls, 5.3. Integration, 5.7.
CS 25.777(c)	Full and unrestricted movement of controls	Controls, 5.3. Integration, 5.7.
CS 25.1301(a)	Intended function of installed systems	Error, 5.6. Integration, 5.7. Controls, 5.3. Presentation of Information, 5.4. System Behaviour, 5.5.
CS 25.1302	Flight crew error	Error, 5.6. Integration, 5.7. Controls, 5.3. Presentation of Information, 5.4. System Behaviour, 5.5.
CS 25.1303	Flight and navigation instruments	Integration, 5.7.
CS 25.1309(a)	Intended function of required equipment under all operating conditions	Controls, 5.3. Integration, 5.7.
CS 25.1309(c)	Unsafe system operating conditions and minimising crew errors which could create additional hazards	Presentation of information, 5.4. Errors, 5.6.
CS 25.1321	Visibility of instruments	Integration, 5.7.
CS 25.1322	Warning caution and advisory lights	Integration, 5.7.
CS 25.1329	Autopilot, flight director and autothrust	System Behaviour, 5.5.
CS 25.1523	Minimum flight crew	Controls, 5.3. Integration, 5.7.
CS 25.1543(b)	Visibility of instrument markings	Presentation of Information, 5.4.
CS 25.1555 (a)	Control markings	Controls, 5.3.
CS 25 Appendix D	Criteria for determining minimum flight crew	Integration, 5.7.

CS 25.1302 is a general applicability requirement. Other CS-25 requirements exist for specific equipment and systems. Where guidance in other AMCs is provided for specific equipment and systems, that guidance is assumed to have precedence if a conflict exists with guidance provided here. Appendix 1 of this AMC lists references to other related regulatory material and documents.

4. CERTIFICATION PLANNING

This paragraph describes applicant activities, communication between the applicant and the Agency, and the documentation necessary for finding compliance in accordance with this AMC. Requirements for type certification related to complying with CS-25 may be found in Part 21.

Applicants can gain significant advantages by involving the Agency in the earliest possible phases of application and design. This will enable timely agreements on potential design related human factors issues to be reached and thereby reduce the applicant’s risk of investing in design features that may not be acceptable to the Agency.

Certain activities that typically take place during development of a new product or a new flight deck system or function, occur before official certification data is submitted to demonstrate compliance with the requirements. The applicant may choose to discuss or share these activities with the Agency on an information-only basis. Where appropriate, the Agency may wish to participate in assessments the applicant is performing with mock-ups, prototypes, and simulators.

When the Agency agrees, as part of the certification planning process, that a specific evaluation, analysis, or assessment of a human factors issue will become part of the demonstration that the design is in compliance with requirements, that evaluation, analysis, or assessment is given “certification credit”.

Figure 1 illustrates the interaction between paragraph 4, 5 and 6 of this AMC. These paragraphs are used simultaneously during the certification process. Paragraph 4 details applicant activities and communication between the applicant and the Agency. Paragraph 5 provides means of compliance on specific topics. Paragraphs 5.2, 5.6 and 5.7 assist the applicant in determining inputs required for the scoping discussions outlined in paragraph 4.1. Paragraphs 5.3 through 5.5 provide guidance in determining the list of applicable requirements for discussion, outlined in paragraph 4.2. Paragraph 6 provides a list of acceptable general means of compliance used to guide the discussions for paragraph 4.3. Paragraph 4.4 lists items that may be documented as a result of the above discussions.

Paragraph 4 - Fig. 1: Methodical approach to planning certification for design related Human performance issues

4.1 Scope of the flight deck certification programme

This paragraph provides means of establishing the scope of the certification programme.

In a process internal to the applicant, the applicant should consider the flight deck controls, information and system behaviour that involve flight crew interaction. The applicant should relate the intended functions of the system(s), components and features to the flight crew tasks. The objective is to improve understanding about how flight crew tasks might be changed or modified as a result of introducing the proposed system(s), components and features. Paragraph 5.2, Intended Function and Associated Flight Crew Tasks, provides guidance.

The certification programme may be impacted by the level of integration, complexity and novelty of the design features, each of which is described in the sub-paragraphs that follow. Taking these features into account, the applicant should reach an agreement with the Agency on the scope of flight deck controls, information and system behaviour that will require extra scrutiny during the certification process. Applicants should be aware that the impact of a novel feature might also be affected by its complexity and the extent of its integration with other elements of the flight deck. A novel but simple feature will likely require less rigorous scrutiny than one that is both novel and complex.

a) Integration

In this document, the term “level of systems integration”, refers to the extent to which there are interactions or dependencies between systems affecting the flight crew’s operation of the aeroplane. The applicant should describe such integration among systems, because it may affect means of compliance. Paragraph 5.7 also refers to integration. In the context of that paragraph, integration defines how specific systems are integrated into the flight deck and how the level of integration may affect the means of compliance.

b) Complexity

Complexity of the system design from the flight crew’s perspective is an important factor that may also affect means of compliance in this process. Complexity has multiple dimensions. The number of information elements the flight crew has to use (the number of pieces of information on a display, for instance) may be an indication of complexity. The level of system integration may be a measure of complexity of the system from the flight crew’s perspective. Design of controls can also be complex. An example would be a knob with multiple control modes. Paragraph 5 addresses several aspects of complexity.

c) Novelty

The applicant should identify the degree of design novelty based on the following factors:

— Are new technologies introduced that operate in new ways for either established or new flight deck designs?

— Are unusual or additional operational procedures needed as a result of the introduction of new technologies?

— Does the design introduce a new way for the flight crew to interact with systems using either conventional or innovative technology?

— Does the design introduce new uses for existing systems that change the flight crew’s tasks or responsibilities?

Based on the above criteria, the applicant should characterise features by their novelty. More novel features may require extra scrutiny during certification. Less novel features must still be shown to be compliant with requirements, but will usually follow a typical certification process that may be less rigorous than the process described below.

4.2 Applicable Requirements

The applicant should identify design requirements applicable to each of the systems, components, and features for which means of demonstrating compliance must be selected. This can be accomplished in part by identifying design characteristics that can adversely affect flight crew performance, or that pertain to avoidance and management of flight crew errors.

Specific design considerations for requirements involving human performance are discussed in Paragraph 5. The applicability of each design consideration in Paragraph 5 will depend on the design characteristics identified in paragraph 4.1.

The expected output of the analysis is a list of requirements that will be complied with and for which design considerations will be scrutinised. This list of requirements will be the basis for a compliance matrix identifying the means of compliance proposed for each requirement.

4.3 Select appropriate means of compliance

After identifying what should be shown in order to demonstrate compliance, the applicant should review paragraph 6.1 for guidance on selecting the means, or multiple means of compliance, appropriate to the design. In general, it is expected that the level of scrutiny or rigour represented by the means of compliance should increase with higher levels of novelty, complexity and integration of the design.

Paragraph 6 identifies general means of compliance that have been used on many certification programmes and discusses their selection, appropriate uses, and limitations. The applicant may propose other general means of compliance, subject to approval by the Agency.

Once the human performance issues have been identified and means of compliance have been selected and proposed to the Agency, the Agency may agree, as part of the certification planning process, that a specific evaluation, analysis or assessment of a human factors issue will become part of the demonstration that the design is in compliance with requirements. Certification credit can be granted when data is transmitted to and accepted by the Agency using standard certification procedures. This data will be a part of the final record of how the applicant has complied with the requirements.

The output of this step will consist of the means that will be used to show compliance to the requirements.

4.4 Certification plan

The applicant should document the certification process, outputs and agreements described in the previous paragraphs. This may be done in a separate plan or incorporated into a higher level certification plan. The following is a summary of what may be contained in the document:

— The new aeroplane, system, control, information or feature(s)

— The design feature(s) being evaluated and whether or not the feature(s) is(are) new or novel

— The integration or complexity of the new feature(s)

— Flight crew tasks that are affected or any new tasks that are introduced

— Any new flight crew procedures

— Specific requirements that must be complied with

— The means (one or several) that will be used to show compliance

— The method for transferring data to the Agency

5. DESIGN CONSIDERATIONS AND GUIDANCE

This paragraph contains a discussion of CS 25.1302 and guidance on complying with it and other requirements.

The applicant should first complete the following steps.

— Identify systems, components, and features of a new design that are potentially affected by the requirements.

— Assess degrees of novelty, complexity, and level of integration using the initial process steps in paragraph 4.

Once these steps have been completed, use the contents of this paragraph to identify what should be shown to demonstrate compliance.

To comply with the requirements of CS-25, the design of flight deck systems should appropriately address foreseeable capabilities and limitations of the flight crew. To aid the applicant in complying with this overall objective, this paragraph has been divided into sub-paragraphs. They provide guidance on the following topics:

— Applicability and Explanatory material to CS 25.1302 (See paragraph 5.1),

— Intended function and associated flight crew tasks(See paragraph 5.2),

— Controls (See paragraph 5.3),

— Presentation of information(See paragraph 5.4),

— System behaviour (See paragraph 5.5),

— Flight crew error management(See paragraph 5.6),

— Integration (See paragraph 5.7),

Each sub-paragraph discusses what the applicant should show to establish compliance with applicable requirements. We are not describing here what might otherwise be referred to as industry “best practices.” The guidance presented here is the airworthiness standard for use in compliance. Obviously, not all criteria can or should be met by all systems. Because the nature of the guidance in this AMC is broad and general, some of it will conflict in certain instances. The applicant and the Agency must apply some judgment and experience in determining which guidance applies to what parts of the design and in what situations. Headings indicate the regulations to which the guidance applies. First, however, we provide a more detailed discussion of CS 25.1302.

As described in the Background and Scope paragraphs of this document, flight crew error is a contributing factor in accidents. CS 25.1302 was developed to provide a regulatory basis for, and this AMC provides guidance to address design-related aspects of avoidance and management of flight crew error by taking the following approach:

First, by providing guidance about design characteristics that are known to reduce or avoid flight crew error and that address flight crew capabilities and limitations. Requirements in sub-paragraphs (a) through (c) of CS 25.1302 are intended to reduce the design contribution to such errors by ensuring information and controls needed by the flight crew to perform tasks associated with the intended function of installed equipment are provided, and that they are provided in a usable form. In addition, operationally relevant system behaviour must be understandable, predictable, and supportive of flight crew tasks. Guidance is provided in this paragraph on the avoidance of design-induced flight crew error.

Second, CS 25.1302(d) addresses the fact that since flight crew errors will occur, even with a well-trained and proficient flight crew operating well-designed systems, the design must support management of those errors to avoid safety consequences. Paragraph 5.6 below on flight crew error management provides relevant guidance.

5.1 Applicability and Explanatory Material to CS 25.1302

CS-25 contains requirements for the design of flight deck equipment that are system-specific (e.g., CS 25.777, CS 25.1321, CS 25.1329, CS 25.1543 etc.), generally applicable (e.g., CS 25.1301(a), CS 25.1309(c), CS 25.771 (a)), and that establish minimum flight crew requirements (e.g. CS 25.1523 and CS-25 Appendix D). CS 25.1302 augments previously existing generally applicable requirements by adding more explicit requirements for design attributes related to avoidance and management of flight crew error. Other ways to avoid and manage flight crew error are regulated through requirements governing licensing and qualification of flight-crew members and aircraft operations. Taken together, these complementary approaches provide a high degree of safety.

The complementary approach is important. It is based upon recognition that equipment design, training/licensing/ qualification, and operations/procedures each provide safety contributions to risk mitigation. An appropriate balance is needed among them. There have been cases in the past where design characteristics known to contribute to flight crew error were accepted based upon the rationale that training or procedures would mitigate that risk. We now know that this can often be an inappropriate approach. Similarly, due to unintended consequences, it would not be appropriate to require equipment design to provide total risk mitigation. If a flight-crew member misunderstands a controller's clearance, it does not follow that the Agency should mandate datalink or some other design solution as Certification Specifications. Operating rules currently require equipment to provide some error mitigations (e.g., Terrain Awareness and Warning Systems), but not as part of the airworthiness requirements.

As stated, a proper balance is needed among design approval requirements in the minimum airworthiness standards of CS-25 and requirements for training/ licensing/ qualification and operations/procedures. CS 25.1302 and this AMC were developed with the intent of achieving that appropriate balance.

Introduction The introductory sentence of CS 25.1302 states that the provisions of this paragraph apply to each item of installed equipment intended for the flight crew’s use in operating the aeroplane from their normally seated positions on the flight deck.

“Intended for the flight-crew member’s use in the operation of the aeroplane from their normally seated position,” means that intended function of the installed equipment includes use by the flight crew in operating the aeroplane. An example of such installed equipment would be a display that provides information enabling the flight crew to navigate. The phrase “flight-crew members” is intended to include any or all individuals comprising the minimum flight crew as determined for compliance with CS 25.1523. The phrase “from their normally seated position” means flight-crew members are seated at their normal duty stations for operating the aeroplane. This phrase is intended to limit the scope of this requirement so that it does not address systems or equipment not used while performing their duties in operating the aeroplane in normal and non-normal conditions. For example, this paragraph is not intended to apply to items such as certain circuit breakers or maintenance controls intended for use by the maintenance crew (or by the flight crew when not operating the aeroplane).

The words “This installed equipment must be shown…” in the first paragraph means the applicant must provide sufficient evidence to support compliance determinations for each of the CS 25.1302 requirements. This is not intended to require a showing of compliance beyond that required by Part 21A.21(b). Accordingly, for simple items or items similar to previously approved equipment and installations, we do not expect the demonstrations, tests or data needed to show compliance with CS 25.1302 to entail more extensive or onerous efforts than are necessary to show compliance with previous requirements.

The phrase “individually and in combination with other such equipment” means that the requirements of this paragraph must be met when equipment is installed on the flight deck with other equipment. The installed equipment must not prevent other equipment from complying with these requirements. For example, applicants must not design a display so that information it provides is inconsistent or in conflict with information from other installed equipment.

In addition, provisions of this paragraph presume a qualified flight crew trained to use the installed equipment. This means the design must meet these requirements for flight-crew members who are allowed to fly the aeroplane by meeting operating rules qualification requirements. If the applicant seeks type design or supplemental type design approval before a training programme is accepted, the applicant should document any novel, complex, or highly integrated design features and assumptions made during design that have the potential to affect training time or flight crew procedures. The requirement and associated material are written assuming that either these design features and assumptions, or knowledge of a training programme (proposed or in the process of being developed) will be coordinated with the appropriate operational approval organisation when judging the adequacy of the design.

The requirement that equipment be designed so the flight crew can safely perform tasks associated with the equipment’s intended function, applies in both normal and non-normal conditions. Tasks intended for performance under non-normal conditions are generally those prescribed by non-normal (including emergency) flight crew procedures. The phrase “safely perform their tasks” is intended to describe one of the safety objectives of this requirement. The requirement is that equipment design enables the flight crew to perform the tasks with sufficient accuracy and in a timely manner, without unduly interfering with other required tasks. The phrase “tasks associated with its intended function” is intended to characterise either tasks required to operate the equipment or tasks for which the equipment’s intended function provides support.

CS 25.1302(a) requires the applicant to install appropriate controls and provide necessary information for any flight deck equipment identified in the first paragraph of CS 25.1302. Controls and information displays must be sufficient to allow the flight crew to accomplish their tasks. Although this may seem obvious, this requirement is included because a review of CS-25 on the subject of human factors revealed that a specific requirement for flight deck controls and information to meet the needs of the flight crew is necessary. This requirement is not reflected in other parts of the rules, so it is important to be explicit.

CS 25.1302(b) addresses requirements for flight deck controls and information that are necessary and appropriate so the flight crew can accomplish their tasks, as determined through (a) above. The intent is to ensure that the design of the control and information devices makes them usable by the flight crew. This sub-paragraph seeks to reduce design-induced flight crew errors by imposing design requirements on flight deck information presentation and controls. Sub-paragraphs (1) through (3) specify these design requirements.

Design requirements for information and controls are necessary to:

— Properly support the flight crew in planning their tasks,

— Make available to the flight crew appropriate, effective means to carry-out planned actions,

— Enable the flight crew to have appropriate feedback information about the effects of their actions on the aeroplane.

CS 25.1302(b)(1) specifically requires that controls and information be provided in a clear and unambiguous form, at a resolution and precision appropriate to the task. As applied to information, “clear and unambiguous” means that it:

— Can be perceived correctly (is legible).

— Can be comprehended in the context of the flight crew task.

— Supports the flight crew’s ability to carry out the action intended to perform the tasks.

For controls, the requirement for “clear and unambiguous” presentation means that the crew must be able to use them appropriately to achieve the intended function of the equipment. The general intent is to foster design of equipment controls whose operation is intuitive, consistent with the effects on the parameters or states they affect, and compatible with operation of other controls on the flight deck.

Sub-paragraph CS 25.1302(b)(1) also requires that the information or control be provided, or operate, at a level of detail and accuracy appropriate to accomplishing the task. Insufficient resolution or precision would mean the flight crew could not perform the task adequately. Conversely, excessive resolution has the potential to make a task too difficult because of poor readability or the implication that the task should be accomplished more precisely than is actually necessary.

CS 25.1302(b)(2) requires that controls and information be accessible and usable by the flight crew in a manner consistent with the urgency, frequency, and duration of their tasks. For example, controls used more frequently or urgently must be readily accessed, or require fewer steps or actions to perform the task. Less accessible controls may be acceptable if they are needed less frequently or urgently. Controls used less frequently or urgently should not interfere with those used more urgently or frequently. Similarly, tasks requiring a longer time for interaction should not interfere with accessibility to information required for urgent or frequent tasks.

CS 25.1302(b)(3) requires that equipment presents information advising the flight crew of the effects of their actions on the aeroplane or systems, if that awareness is required for safe operation. The intent is that the flight crew be aware of system or aeroplane states resulting from flight crew actions, permitting them to detect and correct their own errors.

This sub-paragraph is included because new technology enables new kinds of flight crew interfaces that previous requirements don’t address. Specific deficiencies of existing requirements in addressing human factors are described below:

— CS 25.771(a) addresses this topic for controls, but does not include criteria for information presentation.

— CS 25.777(a) addresses controls, but only their location.

— CS 25.777(b) and CS 25.779 address direction of motion and actuation but do not encompass new types of controls such as cursor devices. These requirements also do not encompass types of control interfaces that can be incorporated into displays via menus, for example, thus affecting their accessibility.

— CS 25.1523 and CS-25 Appendix D have a different context and purpose (determining minimum crew), so they do not address these requirements in a sufficiently general way.

CS 25.1302(c) requires that installed equipment be designed so its behaviour that is operationally relevant to flight crew’ tasks is:

— Predictable and unambiguous.

— Designed to enable the flight crew to intervene in a manner appropriate to the task (and intended function).

Improved flight deck technologies involving integrated and complex information and control systems, have increased safety and performance. However, they have also introduced the need to ensure proper interaction between the flight crew and those systems. Service experience has found that some equipment behaviour (especially from automated systems) is excessively complex or dependent upon logical states or mode transitions that are not well understood or expected by the flight crew. Such design characteristics can confuse the flight crew and have been determined to contribute to incidents and accidents.

The phrase “operationally-relevant behaviour” is meant to convey the net effect of the equipment’s system logic, controls, and displayed information upon flight crew awareness or perception of the system’s operation to the extent that this is necessary for planning actions or operating the system. The intent is to distinguish such system behaviour from the functional logic within the system design, much of which the flight crew does not know or need to know and which should be transparent to them.

CS 25.1302(c)(1) requires that system behaviour be such that a qualified flight crew can know what the system is doing and why. It requires that operationally relevant system behaviour be “predictable and unambiguous”. This means that a crew can retain enough information about what their action or a changing situation will cause the system to do under foreseeable circumstances, that they can operate the system safely. System behaviour must be unambiguous because crew actions may have different effects on the aeroplane depending on its current state or operational circumstances.

CS 25.1302(c)(2) requires that the design be such that the flight crew will be able to take some action, or change or alter an input to the system in a manner appropriate to the task.

CS 25.1302(d) addresses the reality that even well-trained, proficient flight crews using well-designed systems will make errors. It requires that equipment be designed to enable the flight crew to manage such errors. For the purpose of this rule, errors “resulting from flight crew interaction with the equipment” are those errors in some way attributable to, or related to, design of the controls, behaviour of the equipment, or the information presented. Examples of designs or information that could cause errors are indications and controls that are complex and inconsistent with each other or other systems on the flight deck. Another example is a procedure inconsistent with the design of the equipment. Such errors are considered to be within the scope of this requirement and AMC.

What is meant by design which enables the flight crew to “manage errors” is that:

— The flight crew must be able to detect and/or recover from errors resulting from their interaction with the equipment, or

— Effects of such flight crew errors on the aeroplane functions or capabilities must be evident to the flight crew and continued safe flight and landing must be possible, or

— Flight crew errors must be discouraged by switch guards, interlocks, confirmation actions, or other effective means, or

— Effects of errors must be precluded by system logic or redundant, robust, or fault tolerant system design.

The requirement to manage errors applies to those errors that can be reasonably expected in service from qualified and trained flight crews. The term “reasonably expected in service” means errors that have occurred in service with similar or comparable equipment. It also means error that can be projected to occur based on general experience and knowledge of human performance capabilities and limitations related to use of the type of controls, information, or system logic being assessed.

CS 25.1302(d) includes the following statement: “This sub-paragraph does not apply to skill-related errors associated with manual control of the aeroplane”. That statement means to exclude errors resulting from flight crew proficiency in control of flight path and attitude with the primary roll, pitch, yaw and thrust controls, and which are related to design of the flight control systems. These issues are considered to be adequately addressed by existing requirements, such as CS-25 Subpart B and CS 25.671(a). It is not intended that design be required to compensate for deficiencies in flight crew training or experience. This assumes at least the minimum flight crew requirements for the intended operation, as discussed at the beginning of Paragraph 5.1 above.

This requirement is intended to exclude management of errors resulting from decisions, acts, or omissions by the flight crew that are not in good faith. It is intended to avoid imposing requirements on the design to accommodate errors committed with malicious or purely contrary intent. CS 25.1302 is not intended to require applicants to consider errors resulting from acts of violence or threats of violence.

This “good faith” exclusion is also intended to avoid imposing requirements on design to accommodate errors due to obvious disregard for safety by a flight-crew member. However, it is recognised that errors committed intentionally may still be in good faith but could be influenced by design characteristics under certain circumstances. An example would be a poorly designed procedure not compatible with the controls or information provided to the flight crew.

The intent of requiring errors to be manageable only “to the extent practicable” is to address both economic and operational practicability. It is meant to avoid imposing requirements without considering economic feasibility and commensurate safety benefits. It is also meant to address operational practicability, such as the need to avoid introducing error management features into the design that would inappropriately impede flight crew actions or decisions in normal or non-normal conditions. For example, it is not intended to require so many guards or interlocks on the means to shut down an engine that the flight crew would be unable to do this reliably within the available time. Similarly, it is not intended to reduce the authority or means for the flight crew to intervene or carry out an action when it is their responsibility to do so using their best judgment in good faith.

This sub-paragraph was included because managing errors that result from flight crew interaction with equipment (that can be reasonably expected in service), is an important safety objective. Even though the scope of applicability of this material is limited to errors for which there is a contribution from or relationship to design, CS 25.1302(d) is expected to result in design changes that will contribute to safety. One example, among others, would be the use of an "undo" functions in certain designs.

5.2 Intended Function and Associated Flight Crew Tasks

CS 25.1301(a) requires that: “each item of installed equipment must - (a) Be of a kind and design appropriate to its intended function”. CS 25.1302 establishes requirements to ensure the design supports flight-crew member’s ability to perform tasks associated with a system’s intended function. In order to show compliance with CS 25.1302, the intended function of a system and the tasks expected of the flight crew must be known.

An applicant’s statement of intended function must be sufficiently specific and detailed that the Agency can evaluate whether the system is appropriate for the intended function(s) and the associated flight crew tasks. For example, a statement that a new display system is intended to “enhance situation awareness” must be further explained. A wide variety of different displays enhance situation awareness in different ways. Examples are; terrain awareness, vertical profile, and even the primary flight displays). The applicant may need more detailed descriptions for designs with greater levels of novelty, complexity or integration.

An applicant should describe intended function(s) and associated task(s) for:

— Each item of flight deck equipment,

— Flight crew indications and controls for that equipment,

— Individual features or functions of that equipment.

This type of information is of the level typically provided in a pilot handbook or an operations manual. It would describe indications, controls, and flight crew procedures.

As discussed in paragraph 4, novel features may require more detail, while previously approved systems and features typically require less. Paragraph 4.1 discusses functions that are sufficiently novel that additional scrutiny is required. Applicants may evaluate whether statements of intended function(s) and associated task(s) are sufficiently specific and detailed by using the following questions:

— Does each feature and function have a stated intent?

— Are flight crew tasks associated with the function described?

— What assessments, decisions, and actions are flight-crew members expected to make based on information provided by the system?

— What other information is assumed to be used in combination with the system?

— Will installation or use of the system interfere with the ability of the flight crew to operate other flight deck systems?

— Are there any assumptions made about the operational environment in which the equipment will be used?

— What assumptions are made about flight crew attributes or abilities beyond those required in regulations governing flight operations, training, or qualification?

5.3 Controls

5.3.1 Introduction

For purposes of this AMC, we define controls as devices the flight crew manipulates in order to operate, configure, and manage the aeroplane and its flight control surfaces, systems, and other equipment. This may include equipment in the flight deck such as;

— Buttons

— Switches

— Knobs

— Keyboards

— Keypads

— Touch screens

— Cursor control devices

— Graphical user interfaces, such as pop-up windows and pull-down menus that provide control functions

— Voice activated controls

5.3.2 Showing Compliance with CS 25.1302(b)

Applicants should propose means of compliance to show that controls in the proposed design comply with CS 25.1302(b). The proposed means should be sufficiently detailed to demonstrate that each function, method of control operation, and result of control actuation complies with the requirements, i.e.:

— Clear

— Unambiguous

— Appropriate in resolution and precision

— Accessible

— Usable

— Enables flight crew awareness (provides adequate feedback)

For each of these requirements, the proposed means of compliance should include consideration of the following control characteristics for each control individually and in relation to other controls:

— Physical location of the control

— Physical characteristics of the control (e.g., shape, dimensions, surface texture, range of motion, colour)

— Equipment or system(s) that the control directly affects

— How the control is labelled

— Available control settings

— Effect of each possible actuation or setting, as a function of initial control setting or other conditions

— Whether there are other controls that can produce the same effect (or affect the same target parameter) and conditions under which this will happen

— Location and nature of control actuation feedback

The following discussion provides additional guidance for design of controls that comply with CS 25.1302. It also provides industry accepted best practices.

5.3.3 Clear and Unambiguous Presentation of Control Related Information

a. Distinguishable and Predictable Controls [CS 25.1301(a), CS 25.1302]

Each flight-crew member should be able to identify and select the current function of the control with speed and accuracy appropriate to the task. Function of a control should be readily apparent so that little or no familiarisation is required. The applicant should evaluate consequences of control activation to show they are predictable and obvious to each flight-crew member. This includes control of multiple displays with a single device and shared display areas that flight-crew members access with individual controls. Controls can be made distinguishable or predictable by differences in form, colour, location, and/or labelling. Colour coding is usually not sufficient as a sole distinguishing feature. This applies to physical controls as well as to controls that are part of an interactive graphical user interface.

b. Labelling [CS 25.1301(a), CS 25.1543(b), CS 25.1555(a)]

For general marking of controls see CS 25.1555(a). Labels should be readable from the crewmember’s normally seated position in all lighting and environmental conditions. If a control performs more than one function, labelling should include all intended functions unless function of the control is obvious. Labels of graphical controls accessed by a cursor device such as a trackball should be included on the graphical display. When menus lead to additional choices (submenus), the menu label should provide a reasonable description of the next submenu.

The applicant can label with text or icons. Text and icons should be shown to be distinct and meaningful for the function that they label. The applicant should use standard and/or non-ambiguous abbreviations, nomenclature, or icons, consistent within a function and across the flight deck. ICAO 8400 provides standard abbreviations and is an acceptable basis for selection of labels.

The design should avoid hidden functions (such as clicking on empty space on a display to make something happen), However, such hidden functions may be acceptable if adequate alternate means are available for accessing the function. The design should still be evaluated for ease of use and crew understanding.

When using icons instead of text labelling, the applicant should show that the flight crew requires only brief exposure to the icon to determine the function of a control and how it operates. Based on design experience, the following guidelines for icons have been shown to lead to usable designs:

— The icon should be analogous to the object it represents

— The icon should be in general use in aviation and well known to flight crews

— The icon should be based on established standards, when they exist, and conventional meanings.

In all cases, the applicant should show use of icons to be at least equivalent to text labels in terms of speed and error rate. Alternatively, the applicant should show that the increased error rate or task times have no unacceptable effect on safety or flight crew workload and do not cause flight crew confusion.

c. Interaction of Multiple Controls [CS 25.1302]

If multiple controls for the flight crew are provided for a function, the applicant should show that there is sufficient information to make the flight crew aware of which control is currently functioning. As an example, crewmembers need to know which flight-crew member’s input has priority when two cursor control devices can access the same display. Designers should use caution when dual controls can affect the same parameter simultaneously.

5.3.4 Accessibility of controls [CS 25.771(a), CS 25.777(b), CS 25.1302]

The applicant must show that each flight-crew member in the minimum flight crew, as defined by CS 25.1523, has access to and can operate all necessary controls. Accessibility is one factor in determining whether controls support the intended function of equipment used by the flight crew. Any control required for flight-crew member operation in the event of incapacitation of other flight-crew members (in both normal and non-normal conditions) must be shown to be viewable, reachable, and operable by flight-crew members with the stature specified in CS 25.777(c), from the seated position with shoulder restraints on. If shoulder restraints are lockable, this may be shown with shoulder restraints unlocked.

CS 25.777(c) requires that the location and arrangement of each flight deck control permit full and unrestricted movement of that control without interference from other controls, equipment, or structure in the flight deck.

Layering of information, as with menus or multiple displays, should not hinder flight crew in identifying the location of the desired control. In this context, location and accessibility are not only the physical location of the control function (on a display device) or any multifunction control (for example,, a cursor control device) used to access them. Location and accessibility also includes consideration of where the control functions may be located within various menu layers and how the flight-crew member navigates those layers to access the functions. Accessibility should be shown in conditions of system failures (including crew incapacitation) and minimum equipment list dispatch.

Control position and direction of motion should be oriented from the vantage point of the flight-crew member. Control/display compatibility should be maintained from that regard. For example, a control on an overhead panel requires movement of the flight-crew member’s head backwards and orientation of the control movement should take this into consideration.

5.3.5 Use of controls

a. Environmental issues affecting controls [CS 25.1301(a) and CS 25.1302]

Turbulence or vibration and extremes in lighting levels should not prevent the crew from performing all their tasks at an acceptable level of performance and workload. If use of gloves is anticipated for cold weather operations, the design should account for the effect of their use on the size and precision of controls. Sensitivity of controls should afford precision sufficient to perform tasks even in adverse environments as defined for the aeroplane’s operational envelope. Analysis of environmental issues as a means of compliance (see 6.3.3) is necessary, but not sufficient for new control types or technologies or for novel use of controls that are themselves not new or novel.

The applicant should show that controls required to regain aeroplane or system control and controls required to continue operating the aeroplane in a safe manner are usable in conditions such as dense smoke in the flight deck or severe vibrations. An example of the latter condition would be after a fan blade loss.

b. Control-display compatibility [CS 25.777(b)]

To ensure that a control is unambiguous, the relationship and interaction between a control and its associated display or indications should be readily apparent, understandable, and logical. A control input is often required in response to information on a display or to change a parameter setting on a display. The applicant should specifically asses any rotary knob that has no obvious “increase” or “decrease” function with regard to flight crew expectations and its consistency with other controls on the flight deck. The Society of Automotive Engineers’ (SAE) publication ARP 4102, section 5.3, is an acceptable means of compliance for controls used in flight deck equipment.

When a control is used to move an actuator through its range of travel, the equipment should provide, within the time required for the relevant task, operationally significant feedback of the actuator’s position within its range. Examples of information that could appear relative to an actuator’s range of travel include trim system positions, target speed, and the state of various systems valves.

Controls associated with a display should be located so that they do not interfere with the performance of the crew task. Controls whose function is specific to a particular display surface should be mounted near to the display or function being controlled. Locating controls immediately below a display is generally preferable as mounting controls immediately above a display has, in many cases, caused the flight-crew member’s hand to obscure viewing of the display when operating controls. However, controls on the bezel of multifunction displays have been found to be acceptable.

Spatial separation between a control and its display may be necessary. This is the case with a system’s control located with others for that same system, or when it is one of several controls on a panel dedicated to controls for that multifunction display. When there is large spatial separation between a control and its associated display, the applicant should show that use of the control for the associated task(s), is acceptable in terms of types of errors, error rate(s) and access time(s).

In general, control design and placement should avoid the possibility that the visibility of information could be blocked. If range of control movement temporarily blocks the flight crew’s view of information, the applicant should show that this information is either not necessary at that time or available in another accessible location.

Annunciations/labels on electronic displays should be identical to labels on related switches and buttons located elsewhere on the flight deck. If display labels are not identical to related controls, the applicant should show that flight-crew members can quickly, easily, and accurately identify associated controls.

5.3.6 Adequacy of Feedback [CS 25.771(a), CS 25.1301(a), CS 25.1302)]

Feedback for control inputs is necessary to give the flight crew awareness of the effects of their actions. Each control should provide feedback to the crewmember for menu selections, data entries, control actions, or other inputs. There should be clear and unambiguous indication when crew input is not accepted or followed by the system. This feedback can be visual, auditory, or tactile. Feedback, in whatever form, should be provided to inform the crew that:

— A control has been activated (commanded state/value)

— The function is in process (given an extended processing time)

— The action associated with the control has been initiated (actual state/value if different from the commanded state).

The type, duration and appropriateness of feedback, will depend upon the crew’s task and the specific information required for successful operation. As an example, switch position alone is insufficient feedback if awareness of actual system response or the state of the system as a result of an action is required.

Controls that may be used while the user is looking outside or at unrelated displays should provide tactile feedback. Keypads should provide tactile feedback for any key depression. In cases when this is omitted, it should be replaced with appropriate visual or other feedback that the system has received the inputs and is responding as expected.

Equipment should provide appropriate visual feedback, not only for knob, switch, and pushbutton position, but also for graphical control methods such as pull-down menus and pop-up windows. The user interacting with a graphical control should receive positive indication that a hierarchical menu item has been selected, a graphical button has been activated, or other input has been accepted.

The applicant should show that feedback in all forms is obvious and unambiguous to the flight crew in performance of the tasks associated with the intended function of the equipment.

5.4 Presentation of Information

5.4.1 Introduction

Applicants should propose means of compliance to show that information displayed in the proposed design complies with CS 25.1302(b). The proposed means should be sufficiently detailed to show that the function, method of control operation and result, complies with the requirements, i.e.:

— Clear

— Unambiguous

— Appropriate in resolution and precision

— Accessible

— Usable

— Enables Flight Crew awareness (provides adequate feedback)

Presentation of information to the flight crew can be visual (for instance, on an LCD), auditory (a “talking” checklist) or tactile (for example, control feel). Information presentation on the integrated flight deck, regardless of the medium used, should meet all of the requirements bulleted above. For visual displays, this AMC addresses mainly display format issues and not display hardware characteristics. The following provides design considerations for requirements found in CS 25.1301(a), CS 25.1301(b), CS 25.1302, and CS 25.1543(b). In the event of a conflict between this document and AMC 25-11 regarding guidance on specific electronic visual display functions, AMC 25-11 takes precedence.

5.4.2 Clear and Unambiguous Presentation of Information

a. Qualitative and quantitative display formats [CS 25.1301(a) and CS 25.1302]

Applicants should show that display formats include the type of information the flight crew needs for the task, specifically with regard to the speed and precision of reading required. For example, the information could be in the form of a text message, numerical value, or a graphical representation of state or rate information). State information identifies the specific value of a parameter at a particular time. Rate information indicates the rate of change of that parameter.

If the flight crew’s sole means of detecting non-normal values is by monitoring values presented on the display, the equipment should offer qualitative display formats. Qualitative display formats better convey rate and trend information. If this is not practical, the applicant should show that the flight crew can perform the tasks for which the information is used. Quantitative presentation of information is better for tasks requiring precise values.

Digital readouts or present value indices incorporated into qualitative displays should not make the scale markings or graduations unusable as they pass the present value index.

b. Consistency [CS 25.1302]

If similar information is presented in multiple locations or modes (visual and auditory, for example), consistent presentation of information is desirable. Consistency in information presentation within the system tends to minimise flight crew error. If information cannot be presented consistently within the flight deck, the applicant should show that differences do not increase error rates or task times leading to significant safety or flight crew workload and do not cause flight crew confusion.

c. Characters, fonts, lines and scale markings [CS 25.1301(a) and CS 25.1543(b)]

The applicable crew members, seated at their stations and using normal head movement, should be able to see and read display format features such as fonts, symbols, icons and markings. In some cases, cross flight deck readability may be required. Examples of situations where this might be needed are cases of display failure or when cross checking flight instruments. Readability must be maintained in sunlight viewing conditions (per CS 25.773(a)) and under other adverse conditions such as vibration. Figures and letters should subtend not less than the visual angles defined in SAE ARP 4102-7 at the design eye position of the flight-crew member who normally uses the information.

d. Colour [CS 25.1302]

Avoid using many different colours to convey meaning on displays. However, judicious use of colour can be very effective in minimising display interpretation workload and response time. Colour can be used to group logical electronic display functions or data types. A common colour philosophy across the flight deck is desirable, although deviations may be approved with acceptable justification. Applicants should show that the chosen colour set is not susceptible to confusion or misinterpretation due to differences in colour usage between displays. Improper colour coding increases response times for display item recognition and selection, and increases likelihood of errors in situations where the speed of performing a task is more important than accuracy. Extensive use of the colours red and amber for other than alerting functions or potentially unsafe conditions is discouraged. Such use diminishes the attention-getting characteristics of true warnings and cautions.

Use of colour as the sole means of presenting information is also discouraged. It may be acceptable however, to indicate the criticality of the information in relation to the task. Colour, when used for task essential information, should be in addition to other coding characteristics, such as texture or differences in luminance. AMC 25-11 contains recommended colour sets for specific display features.

Applicants should show that layering information on a display does not add to confusion and clutter as a result of the colour standards and symbols used. Designs requiring flight-crew members to manually de-clutter such displays should also be avoided.

e. Symbology, Text, and Auditory Messages [CS 25.1302]

Designs can base many elements of electronic display formats on established standards and conventional meanings. For example, ICAO 8400 provides abbreviations and is one standard that could be applied to flight deck text. SAE ARP 4102-7, Appendix A-C and SAE ARP 5289 are acceptable standards for avionic display symbols.

The position of a message or symbol within a display also conveys meaning to the flight-crew member. Without the consistent or repeatable location of a symbol in a specific area of the electronic display, interpretation errors and response times may increase. Applicants should give careful attention to symbol priority (priority of displaying one symbol overlaying another symbol by editing out the secondary symbol) to ensure that higher priority symbols remain viewable.

New symbols (a new design or a new symbol for a function which historically had an associated symbol) should be tested for distinguishability and flight crew comprehension and retention.

The applicant should show that display text and auditory messages are distinct and meaningful for the information presented. Assess messages for whether they convey the intended meaning. Equipment should display standard and/or non-ambiguous abbreviations and nomenclature, consistent within a function and across the flight deck.

5.4.3 Accessibility and Usability of Information

a. Accessibility of information [CS 25.1302]

Some information may at certain times be immediately needed by the flight crew, while other information may not be necessary during all phases of flight. The applicant should show that the flight crew can access and manage (configure) all necessary information on the dedicated and multifunction displays for the phase of flight. The applicant should show that any information required for continued safe flight and landing is accessible in the relevant degraded display modes following failures as defined by CS 25.1309. The applicant should specifically assess what information is necessary in those conditions, and how such information will be simultaneously displayed. The applicant should also show that supplemental information does not displace or otherwise interfere with required information.

Analysis as the sole means of compliance is not sufficient for new or novel display management schemes. The applicant should use simulation of typical operational scenarios to validate the flight crew’s ability to manage available information.

b. Clutter [CS 25.1302]

Clutter is the presentation of information in a way that distracts flight-crew members from their primary task. Visual or auditory clutter is undesirable. To reduce flight-crew member’s interpretation time, equipment should present information simply and in a well-ordered way. Applicants should show that an information delivery method (whether visual or auditory) presents the information the flight-crew member actually requires to perform the task at hand. The flight crew can use their own discretion to limit the amount of information that needs to be presented at any point in time. For instance, a design might allow the flight crew to program a system so that it displays the most important information all the time, and less important information on request. When a design allows, flight crew selection of additional information, the basic display modes should remain uncluttered.

Automatically de-cluttering display options can hide needed information from the flight-crew member. The applicant should show that equipment that uses automatic de-selection of data to enhance the flight-crew member’s performance in certain emergency conditions provides the information the flight-crew member requires. Use of part-time displays depends not only on information de-clutter goals but also on display availability and criticality. Therefore, when designing such features, the applicant should follow the guidance in AMC 25-11.

Because of the transient nature of auditory information presentation, designers should be careful to avoid the potential for competing auditory presentations that may conflict with each other and hinder interpretation. Prioritisation and timing may be useful to avoid this potential problem.

Prioritise information according to task criticality. Lower priority information should not mask higher priority information and higher priority information should be available, readily detectable, easily distinguishable and usable. This does not mean that the display format needs to change based on phase of flight.

c. System response to control input [CS 25.1302]

Long or variable response times between control input and system response can adversely affect system usability. The applicant should show that response to control input, such as setting values, displaying parameters, or moving a cursor symbol on a graphical display is fast enough to allow the flight crew to complete the task at an acceptable performance level. For actions requiring noticeable system processing time equipment should indicate that system response is pending.

5.5 System Behaviour

5.5.1 Introduction

Flight crew task demands vary depending on the characteristics of the system design. Systems differ in their responses to relevant flight crew input. The response can be direct and unique as in mechanical systems or it can vary as a function of an intervening subsystem (such as hydraulics or electrics). Some systems even automatically vary their response to capture or maintain a desired aeroplane or system state.

As described in paragraph 5.1, CS 25.1302(c) states that installed equipment must be designed so that the behaviour of the equipment that is operationally relevant to the flight crew’s tasks is: (1) predictable and unambiguous, and (2) designed to enable the flight crew to intervene in a manner appropriate to the task (and intended function).

The requirement for operationally relevant system behaviour to be predictable and unambiguous will enable a qualified flight crew to know what the system is doing and why. This means that a crew should have enough information about what the system will do under foreseeable circumstances as a result of their action or a changing situation that they can operate the system safely. This distinguishes system behaviour from the functional logic within the system design, much of which the flight crew does not know or need to know.

If flight crew intervention is part of the intended function or non-normal procedures for the system, the crewmember may need to take some action, or change an input to the system. The system must be designed accordingly. The requirement for flight crew intervention capabilities recognises this reality.

Improved technologies, which have increased safety and performance, have also introduced the need to ensure proper cooperation between the flight crew and the integrated, complex information and control systems. If system behaviour is not understood or expected by the flight crew, confusion may result.

Some automated systems involve tasks that require flight crew attention for effective and safe performance. Examples include the flight management system (FMS) or flight guidance systems. Alternatively, systems designed to operate autonomously, in the sense that they require very limited or no human interaction, are referred to as 'automatic systems'. Such systems are switched 'on' or 'off 'or run automatically and are not covered in this paragraph. Examples include fly-by-wire systems, full authority digital engine controls (FADEC), and yaw dampers. Detailed specific guidance for automatic systems can be found in relevant parts of CS-25.

Service experience shows that automated system behaviour that is excessively complex or dependent on logical states, or mode transitions are not understood or expected by the flight crew can lead to flight crew confusion. Design characteristics such as these have been determined to contribute to incidents and accidents.

This sub-paragraph provides guidance material for showing compliance with these design considerations for requirements found in CS 25.1302(c), CS 25.1301(a), CS 25.1309(c), or any other relevant paragraphs of CS-25.

5.5.2 System Function Allocation

The applicant should show that functions of the proposed design are allocated so that:

— The flight crew can be expected to complete their allocated tasks successfully in both normal and non-normal operational conditions, within the bounds of acceptable workload and without requiring undue concentration or causing undue fatigue. (See CS 25.1523 and CS-25 Appendix D for workload evaluation);

— Flight crew interaction with the system enables them to understand the situation, and enables timely detection of failures and crew intervention when appropriate;

— Task sharing and distribution of tasks among flight-crew members and the system during normal and non-normal operations is considered.

5.5.3 System Functional Behaviour

A system’s behaviour results from the interaction between the flight crew and the automated system and is determined by:

— The system’s functions and the logic that governs its operation; and

— The user interface, which consists of the controls and information displays that communicate the flight crew’s inputs to the system and provide feedback on system behaviour to the crew.

It is important that the design reflect a consideration of both of these together. This will avoid a design in which the functional logic governing system behaviour can have an unacceptable effect on crew performance. Examples of system functional logic and behaviour issues that may be associated with errors and other difficulties for the flight crew are the following:

— Complexity of the flight crew interface for both inputs (entering data) and outputs.

— Inadequate understanding and inaccurate expectations of system behaviour by the flight crew following mode selections and transitions.

Inadequate understanding and incorrect expectations by the flight crew of system intentions and behaviour.

Predictable and Unambiguous System Behaviour (CS 25.1302(c)(1))

Applicants should propose the means they will use to show that system or system mode behaviour in the proposed design is predictable and unambiguous to the flight crew.

System or system mode behaviour that is ambiguous or unpredictable to the flight crew has been found to cause or contribute to flight crew errors. It can also potentially degrade the flight crew’s ability to perform their tasks in both normal and non-normal conditions. Certain design characteristics have been found to minimise flight crew errors and other crew performance problems.

The following design considerations are applicable to operationally relevant system or system mode behaviours:

— Simplicity of design (for example, number of modes, mode transitions).

— Clear and unambiguous mode annunciation. For example, a mode engagement or arming selection by the flight crew should result in annunciation, indication or display feedback adequate to provide awareness of the effect of their action.

— Accessible and usable methods of mode arming, engagement and de-selection. For example, the control action necessary to arm, engage, disarm or disengage a mode should not depend on the mode that is currently armed or engaged, on the setting of one or more other controls, or on the state or status of that or another system.

— Predictable un-commanded mode change and reversions. For example, there should be sufficient annunciation, indication or display information to provide awareness of uncommanded changes of the engaged or armed mode of a system.

Note that formal descriptions of modes typically define them as mutually exclusive, so that a system cannot be in more than one mode at a particular time. For instance, a display can be in “north up” mode or “track up” mode, but not both at the same time.

For specific guidance on flight guidance system modes, see AMC 25.1329.

Flight Crew Intervention (CS 25.1302(c)(2))

Applicants should propose the means that they will use to show that system behaviour in the proposed design allows the flight crew to intervene in operation of the system without compromising safety. This should include descriptions of how they will determine that functions and conditions in which intervention should be possible have been addressed.

If done by analysis, the completeness of the analysis may be established either by defining acceptable criteria for the depth and breadth of the analysis, or by proposing an analysis method that is inherently complete. In addition, applicant’s proposed methods should describe how they would determine that each intervention means is appropriate to the task.

Controls for Automated Systems

Automated systems can perform various tasks selected by and under supervision of the flight crew. Controls should be provided for managing functionalities of such a system or set of systems. The design of such “automation specific” controls should enable the crew to:

— Safely prepare the system for the task to be executed or the subsequent task to be executed. Preparation of a new task (for example, new flight trajectory) should not interfere with, or be confused with, the task being executed by the automated system.

— Activate the appropriate system function without confusion about what is being controlled, in accordance with crew expectations. For example, the flight crew should have no confusion when using a vertical speed selector which could set either vertical speed or flight path angle.

— Manually intervene in any system function, as required by operational conditions, or to revert to manual control. For example, manual intervention might be needed during loss of system functionality, system abnormalities, or failure conditions.

Displays for Automated Systems

Automated systems can perform various tasks with minimal crew interventions, but under the supervision of the flight crew. To ensure effective supervision and maintain crew awareness of system state and system “intention” (future states), displays should provide recognisable feedback on:

— Entries made by the crew into the system so that the crew can detect and correct errors.

— Present state of the automated system or mode of operation. (What is it doing?)

— Actions taken by the system to achieve or maintain a desired state. (What is it trying to do?)

— Future states scheduled by the automation. (What is it going to do next?)

— Transitions between system states.

The applicant should consider the following aspects of automated system design:

— Indications of commanded and actual values should enable the flight crew to determine whether the automated systems will perform according to their expectations;

— If the automated system nears its operational authority or is operating abnormally for the conditions, or is unable to perform at the selected level, it should inform the flight crew, as appropriate for the task;

— The automated system should support crew coordination and cooperation by ensuring shared awareness of system status and crew inputs to the system; and

— The automated system should enable the flight crew to review and confirm the accuracy of commands constructed before being activated. This is particularly important for automated systems because they can require complex input tasks.

5.6 Flight Crew Error Management

5.6.1 Showing Compliance with CS 25.1302(d)

It is important to recognise that flight crews will make errors, even when well trained, experienced and rested individuals are using well-designed systems. Therefore, CS 25.1302(d) requires that “To the extent practicable, the installed equipment must enable the flight crew to manage errors resulting from flight crew interaction with the equipment that can be reasonably expected in service, assuming flight crews acting in good faith. This sub-paragraph does not apply to skill-related errors associated with manual control of the aeroplane.”

To comply with CS 25.1302(d), the design should meet at least one of the following criteria. It should:

— Enable the flight crew to detect (see 5.6.2), and/or recover from errors (see 5.6.3); or

— Ensure that effects of flight crew errors on the aeroplane functions or capabilities are evident to the flight crew and continued safe flight and landing is possible (see 5.6.4); or

— Discourage flight crew errors by using switch guards, interlocks, confirmation actions, or similar means, or preclude the effects of errors through system logic and/or redundant, robust, or fault tolerant system design (see 5.6.5).

These objectives:

— Are, in a general sense, in a preferred order.

— Recognise and assume that flight crew errors cannot be entirely prevented, and that no validated methods exist to reliably predict either their probability or all the sequences of events with which they may be associated.

— Call for means of compliance that are methodical and complementary to, and separate and distinct from, aeroplane system analysis methods such as system safety assessments.

As discussed previously in paragraph 5.1, Compliance with CS 25.1302(d) is not intended to require consideration of errors resulting from acts of violence or threats of violence. Additionally, the requirement is intended to require consideration of only those errors that are design related.

Errors that do have a design-related component are considered to be within the scope of this regulatory and advisory material. Examples are a procedure that is inconsistent with the design of the equipment, or indications and controls that are complex and inconsistent with each other or other systems on the flight deck.

When demonstrating compliance, the applicant should evaluate flight crew tasks in both normal and non-normal conditions, considering that many of the same design characteristics are relevant in either case. For example, under non-normal conditions, the flying tasks (navigation, communication and monitoring), required for normal conditions are generally still present, although they may be more difficult in some non-normal conditions. So tasks associated with the non-normal conditions should be considered as additive. The applicant should not expect the errors considered to be different from those in normal conditions, but any evaluation should account for the change in expected tasks.

To show compliance with CS 25.1302(d), an applicant may employ any of the general types of methods of compliance discussed in Paragraph 6, singly or in combination. These methods must be consistent with an approved certification plan as discussed in Paragraph 4, and account for the objectives above and the considerations described below. When using some of these methods, it may be helpful for some applicants to refer to other references relating to understanding error occurrence. Here is a brief summary of those methods and how they can be applied to address flight crew error considerations:

— Statement of Similarity (paragraph 6.3.1): A statement of similarity may be used to substantiate that the design has sufficient certification precedent to conclude that the ability of the flight crew to manage errors is not significantly changed. Applicants may also use service experience data to identify errors known to commonly occur for similar crew interfaces or system behaviour. As part of showing compliance, the applicant should identify steps taken in the new design to avoid or mitigate similar errors.

— Design Descriptions (paragraph 6.3.2): Applicants may structure design descriptions and rationale to show how various types of errors are considered in the design and addressed, mitigated or managed. Applicants can also use a description of how the design adheres to an established and valid design philosophy to substantiate that the design enables flight crews to manage errors.

— Calculation and Engineering Analysis (paragraph 6.3.3): As one possible means of showing compliance with CS 25.1302(d), an applicant may document means of error management through analysis of controls, indications, system behaviour, and related flight crew tasks. This would need to be done in conjunction with an understanding of potential error opportunities and the means available for the flight crew to manage those errors. In most cases it is not considered feasible to predict the probability of flight crew errors with sufficient validity or precision to support a means of compliance. If an applicant chooses to use a quantitative approach, the validity of the approach should be established.

— Evaluations, Demonstrations, and Tests (paragraph 6.3.4-6): For compliance purposes, evaluations are intended to identify error possibilities that may be considered for mitigation in design or training. In any case, scenario objectives and assumptions should be clearly stated before running the evaluations, demonstrations, or tests. In that way, any discrepancy in those expectations can be discussed and explained in the analysis of the results.

As discussed further in Paragraph 6, these evaluations, demonstrations, or tests should use appropriate scenarios that reflect intended function and tasks, including use of the equipment in normal and non-normal conditions. Scenarios should be designed to consider flight crew error. If inappropriate scenarios are used or important conditions are not considered, incorrect conclusions can result. For example, if no errors occur during an evaluation it may mean only that the scenarios are too simple. On the other hand, if some errors do occur, it may mean any of the following:

— The design, procedures, or training should be modified,

— The scenarios are unrealistically challenging, or

— Insufficient training occurred prior to the evaluation.

In such evaluations it is not considered feasible to establish criteria for error frequency.

5.6.2 Error Detection

Applicants should design equipment to provide information so the flight crew can become aware of an error or a system/aeroplane state resulting from a system action. Applicants should show that this information is available to the flight crew, adequately detectable, and clearly related to the error in order to enable recovery in a timely manner.

Information for error detection may take three basic forms:

Indications provided to the flight crew during normal monitoring tasks. As an example, if an incorrect knob was used, resulting in an unintended heading change, the change would be detected through the display of target values. Presentation of a temporary flight plan for flight crew review before accepting it would be another way of providing crew awareness of errors.

Indications on instruments in the primary field of view that are used during normal operation may be adequate if the indications themselves contain information used on a regular basis and are provided in a readily accessible form. These may include mode annunciations and normal aeroplane state information such as altitude or heading. Other locations for the information may be appropriate depending on the flight crew’s tasks, such as on the control-display unit when the task involves dealing with a flight plan. Paragraph 5.4, Presentation of Information, contains additional guidance to determine whether information is adequately detectable.

Flight crew indications that provide information of an error or a resulting aeroplane system condition. An example might be an alert to the flight crew about the system state resulting from accidentally shutting down a hydraulic pump. Note that if the indication is an alert, it is related to the resulting system state, not necessarily directly to the error itself. Existence of a flight crew alert that occurs in response to flight crew error may be sufficient to establish that information exists and is adequately detectable, if the alert directly and appropriately relates to the error. Definitions of alert levels in CS 25.1322 are sufficient to establish that the urgency of the alert is appropriate. Content of the indication should directly relate to the error. Indications for indirect effects of an error may lead the flight crew to believe there may be non-error causes for the annunciated condition.

“Global” alerts that cover a multitude of possible errors by annunciating external hazards or aeroplane envelope or operational conditions. Examples include monitoring systems such as terrain awareness warning systems (TAWS) and traffic collision avoidance systems (TCAS). An example would be a TAWS alert resulting from turning the wrong direction in a holding pattern in mountainous terrain.

The applicant should consider the following when establishing whether the degree or type of information is available to the flight crew, adequately detectable, and clearly related to the error:

— Effects of some errors are easily and reliably determined by the system (by design), and some are not. For those that cannot be sensed by the system, design and arrangement of the information monitored and scanned by the flight crew can facilitate error detection. An example would be alignment of engine speed indicator needles in the same direction during normal operation.

— Aeroplane alerting and indication systems may not detect whether an action is erroneous because systems cannot know flight crew intent for many operational circumstances. In these cases, reliance is often placed on the flight crew’s ability to scan and observe indications that will change as a result of an action such as selecting a new altitude or heading, or making a change to a flight plan in a flight management system. For errors of this nature, detection depends on flight crew interpretation of available information. Training, crew resource management, and monitoring systems such as TAWS and TCAS are examples of ways to provide a redundant level of safety if any or all flight-crew members fail to detect certain errors.

— From a design standpoint, some information, such as heading, altitude, and fuel state, should be provided as readily available indications rather than in the form of alerts when there is potential for them to contribute to excessive nuisance alerts.

The applicant may establish that information is available and clearly related to the error by design description when precedent exists or when a reasonable case may be made that the content of the information is clearly related to the error that caused it. In some cases, piloted evaluations (see 6.3.4) may be needed to assess whether the information provided is adequately available and detectable.

5.6.3 Error Recovery

Assuming that the flight crew detects errors or their effects, the next logical step is to ensure that the error can be reversed, or the effect of the error can be mitigated in some way so that the aeroplane is returned to a safe state.

An acceptable means to establish that an error is recoverable is to show that:

— Controls and indications exist that can be used either to reverse an erroneous action directly so that the aeroplane or system is returned to the original state, or to mitigate the effect so that the aeroplane or system is returned to a safe state, and

— The flight crew can be expected to use those controls and indications to accomplish the corrective actions in a timely manner.

To establish the adequacy of controls and indications that facilitate error recovery, a statement of similarity or design description of the system and crew interface may be sufficient. For simple or familiar types of system interfaces, or systems that are not novel, even if complex, a statement of similarity or design description of the crew interfaces and procedures associated with indications is an acceptable means of compliance.

To establish that the flight crew can be expected to use those controls and indications to accomplish corrective actions in a timely manner, evaluation of flight crew procedures in a simulated flight deck environment can be highly effective. This evaluation should include examination of nomenclature used in alert messages, controls, and other indications. It should also include the logical flow of procedural steps and the effects that executing the procedures have on other systems.

5.6.4 Error Effects

Another means of satisfying the objective of error mitigation is to ensure that effects of the error or relevant effects on aeroplane state:

— Are evident to the flight crew, and

— Do not adversely impact safety (do not prevent continued safe flight and landing).

Piloted evaluations in the aeroplane or in simulation may be relevant if flight crew performance issues are in question for determining whether a state following an error permits continued safe flight and landing. Evaluations and/or analyses may be used to show that, following an error, the flight crew has the information in an effective form and has the aeroplane capability required to continue safe flight and landing.

5.6.5 Precluding Errors or Their Effects

For irreversible errors that have potential safety implications, means to discourage the errors are recommended. Acceptable ways to discourage errors include switch guards, interlocks, or multiple confirmation actions. For example, generator drive controls on many aeroplanes have guards over the switches to discourage inadvertent actuation, because once disengaged, the drives cannot be re-engaged while in flight or with the engine running. An example of multiple confirmations would be presentation of a temporary flight plan that the flight crew can review before accepting.

Another way of avoiding flight crew error is to design systems to remove misleading or inaccurate information, (e.g., sensor failures), from displays. An example would be a system that removes flight director bars from a primary flight display or removing “own-ship” position from an airport surface map display when the data driving the symbols is incorrect.

The applicant should avoid applying an excessive number of protections for a given error. Excessive use of protections could have unintended safety consequences. They might hamper the flight-crew member‘s ability to use judgment and take actions in the best interest of safety in situations not predicted by the applicant. If protections become a nuisance in daily operation flight crews may use well-intentioned and inventive means to circumvent them. This could have further effects not anticipated by the operator or the designer.

5.7 Integration

5.7.1 Introduction

Many systems, such as flight management systems, are integrated physically and functionally into the flight deck and may interact with other flight deck systems. It is important to consider a design not just in isolation, but in the context of the overall flight deck. Integration issues include where a display or control is installed, how it interacts with other systems, and whether there is internal consistency across functions within a multi-function display, as well as consistency with the rest of the flight deck’s equipment.

CS 25.1302 requires that “…installed equipment must be shown, individually and in combination with other such equipment, to be designed so that qualified flight-crew members trained in its use can safely perform their tasks associated with its intended function …”. To comply with this integration requirement, all flight deck equipment must be able to be used by the flight crew to perform their tasks, in any combination reasonably expected in service. Flight deck equipment includes interfaces to aeroplane systems the flight crew interacts with, such as controls, displays, indications, and annunciators.

Analyses, evaluations, tests and other data developed to establish compliance with each of the specific requirements in CS 25.1302 (a) through (d) should address integration of new or novel design features or equipment with previously approved features or equipment as well as with other new items. It should include consideration of the following integration factors:

— Consistency (see 5.7.2)

— Consistency trade-offs (see 5.7.3)

— Flight deck environment (see 5.7.4)

— Integration related workload and error (see 5.7.5)

5.7.2 Consistency

Consistency needs to be considered within a given system and across the flight deck. Inconsistencies may result in vulnerabilities, such as increased workload and errors, especially during stressful situations. For example, in some flight management systems, the format for entering latitude and longitude differs across the display pages. This may induce flight crew errors, or at least increase flight crew workload. Additionally, errors may result if latitude and longitude is displayed in a format that differs from formats on the most commonly used paper charts. Because of this, it is desirable to use formats that are consistent with other media whenever possible. Although trade-offs exist, as discussed in the next paragraph, the following are design attributes to consider for consistency within and across systems:

— Symbology, data entry conventions, formatting, colour philosophy, terminology, and labelling.

— Function and logic. For example, when two or more systems are active and performing the same function, they should operate consistently and use the same style interface.

— Information presented with other information of the same type that is used in the flight deck. For example, navigation symbology used on other flight deck systems or on commonly used paper charts should be considered when developing the symbology to be used on electronic map displays.

— The operational environment. It is important that a flight management system is consistent with the operational environment so that the order of the steps required to enter a clearance into the system is consistent with the order in which they are given by air traffic management.

Adherence to a flight deck design philosophy is one way to achieve consistency within a given system as well as within the overall flight deck. Another way is to standardise aspects of the design by using accepted, published industry standards such as the labels and abbreviations recommended in ICAO Annex 8400/5. The applicant might Standardise symbols used to depict navigation aids (the very high frequency omnidirectional ranges, VORs, for example), by following the conventions recommended in SAE ARP5289. However, inappropriate standardisation, rigidly applied, can be a barrier to innovation and product improvement. Additionally, standardisation may result in a standard to the lowest common denominator. Thus, guidance in this paragraph promotes consistency rather than rigid standardisation.

5.7.3 Consistency Trade-Offs

It is recognised that it is not always possible or desirable to provide a consistent flight crew interface. Despite conformance with the flight deck design philosophy, principles of consistency, etc, it is possible to negatively impact flight crew workload,. For example, all auditory alerts may adhere to a flight deck alerting philosophy, but the number of alerts may be unacceptable. Consistent format across the flight deck may not work when individual task requirements necessitate presentation of data in two significantly different formats. An example is a weather radar display formatted to show a sector of the environment, while a moving map display shows a 360 degree view. In such cases it should be demonstrated that the interface design is compatible with the requirements of the piloting task and can be used individually and in combination with other interfaces without interference to either system or function.

Additionally:

— The applicant should provide an analysis identifying each piece of information or data presented in multiple locations and show that the data is presented in a consistent manner or, where that is not true, justify why that is not appropriate.

— Where information is inconsistent, that inconsistency should be obvious or annunciated, and should not contribute to errors in information interpretation.

— There should be a rationale for instances where a system’s design diverges from the flight deck design philosophy. Consider any impact on workload and errors as a result of this divergence.

— The applicant should describe what conclusion the flight crew is expected to draw and what action should be taken when information on the display conflicts with other information on the flight deck (either with or without a failure).

5.7.4 Flight Deck Environment

The flight deck system is influenced by physical characteristics of the aeroplane into which a system is integrated, as well as by operational environment characteristics. The system is subject to such influences on the flight deck as turbulence, noise, ambient light, smoke, and vibrations (such as those that may result from ice or fan blade loss). System design should recognise the effect of such influences on usability, workload, and crew task performance. Turbulence and ambient light, for example, may affect readability of a display. Flight deck noise may affect audibility of aural alerts. The applicant should also consider the impact of the flight deck environment for non-normal situations, such as unusual attitude recovery or regaining control of the aeroplane or system.

The flight deck environment includes the layout, or physical arrangement of the controls and information displays. Layout should take into account crew requirements in terms of:

— Access and reach (to controls).

— Visibility and readability of displays and labels.

— Task-oriented location and grouping of human-machine interaction elements.

An example of poor physical integration would be a required traffic avoidance system obscured by thrust levers in the normal operating position.

5.7.5 Integration Related Workload and Error

When integrating functions and/or equipment, designers should be aware of potential effects, both positive and negative, that integration can have on crew workload and its subsequent impact on error management. Systems must be designed and evaluated, both in isolation and in combination with other flight deck systems, to ensure that the flight crew is able to detect, reverse, or recover from errors. This may be more challenging when integrating systems that employ higher levels of automation or have a high degree of interaction and dependency on other flight deck systems.

Applicants should show that the integrated design does not adversely impact workload or errors given the context of the entire flight regime. Examples of such impacts would be increased time to:

— Interpret a function,

— Make a decision,

— Take appropriate actions.

Controls, particularly multi-function controls and/or novel control types, may present the potential for misidentification and increased response times. Designs should generally avoid multi-function controls with hidden functions, because they increase both crew workload and the potential for error.

Two examples of integrated design features that may or may not impact error and workload are as follows:

— Presenting the same information in two different formats. This may increase workload, such as when altitude information is presented concurrently in tape and round-dial formats. Yet different formats may be suitable depending on the design and the flight crew task. For example, an analog display of engine revolutions-per-minute can facilitate a quick scan, whereas a digital numeric display can facilitate precise inputs. The applicant is responsible for demonstrating compliance with CS 25.1523 and showing that differences in the formats do not result in unacceptable workload levels.

— Presenting conflicting information. Increases in workload and error may result from two displays depicting conflicting altitude information on the flight deck concurrently, regardless of format. Systems may exhibit minor differences between each flight-crew member station, but all such differences should be evaluated specifically to ensure that potential for interpretation error is minimised, or that a method exists for the flight crew to detect incorrect information, or that the effects of these errors can be precluded.

The applicant should show that the proposed function will not inappropriately draw attention away from other flight deck information and tasks in a way that degrades flight crew performance and decreases the overall level of safety. There are some cases where it may be acceptable for system design to increase workload. For example, adding a display into the flight deck may increase workload by virtue of the additional time flight-crew members spend looking at it, but the safety benefit the additional information provides may make it an acceptable trade-off.

Because each new system integrated into the flight deck may have a positive or negative effect on workload, each must be evaluated in isolation and combination with the other systems for compliance with CS 25.1523. This is to ensure that the overall workload is acceptable, i.e., that performance of flight tasks is not adversely impacted and that the crew’s detection and interpretation of information does not lead to unacceptable response times. Special attention should be paid to CS-25 Appendix D and specifically compliance for items that the appendix lists as workload factors. They include “accessibility, ease, and simplicity of operation of all necessary flight, power, and equipment controls.”

6. MEANS OF COMPLIANCE

This paragraph discusses considerations in selecting means of compliance. It provides six general acceptable means to demonstrate compliance in addressing human performance issues. These means of compliance are generic and have been used in certification programmes. The acceptable means of compliance to be used on any given project should be determined on a case-by-case basis, driven by the specific compliance issues. They should be developed and proposed by the applicant, and then agreed to by the Agency. Uses and limitations of each type of compliance means are provided in paragraph 6.3.

6.1 Selecting Means of Compliance

— The means of compliance discussed in this paragraph include:

— Statements of similarity (See paragraph 6.3.1),

— Design description (See paragraph 6.3.2),

— Calculations/analyses (See paragraph 6.3.3),

— Evaluations (See paragraph 6.3.4),

— Tests ( See paragraph 6.3.5),

There is no generic method to determine appropriate compliance means for a specific project. The choice of an appropriate compliance means or combination of several different means depends on a number of factors specific to a project.

Some certification projects may necessitate more than one means of demonstrating compliance with a particular requirement. For example, when flight testing in a conforming aeroplane is not possible, a combination of design review and part-task simulation evaluation may be proposed.

Answering the following questions will aid in selecting means of compliance.

— With which means of compliance will it possible to gather the required certification data?

— Will a single means of compliance provide all of the data or will several means of compliance be used in series or in parallel?

— What level of fidelity of the facility is required to collect the required data?

— Who will be the participants?

— What level of training is required prior to acting as a participant?

— How will the data from an evaluation be presented to show compliance?

— Will results of a demonstration be submitted for credit?

— If a test is required, what conformed facility will be used?

6.2 Discussion and Agreement with the Agency on Compliance Demonstrations

The applicant’s proposal for means of compliance must be coordinated with the Agency to ensure that all aspects necessary for desired credit towards certification are achieved. These could include the planned scenarios, the necessary types of human performance issues to be explored, or the conditions under which the test will be conducted to provide a realistic environment for the evaluation.

6.3 Description of Means of Compliance

The six general means of compliance found to be acceptable for use in demonstrating compliance related to flight deck design are described in the following sub-paragraphs .

6.3.1 Statement of Similarity

Description

A statement of similarity is a description of the system to be approved and a description of a previously approved system detailing the physical, logical, and operational similarities with respect to compliance with requirements.

Deliverable

A statement of similarity could be part of a certification report, containing references to existing certification data/documents.

Participants

Not applicable.

Conformity

Not applicable.

Uses

It may be possible to substantiate the adequacy of a design by comparing it to previously certificated systems shown to be robust with respect to lack of contribution to crew error and/or capability of the flight crew to manage the situation should an error occur. This avoids repetition of unnecessary effort to justify the safety of such systems.

Limitations

A statement of similarity to show compliance must be used with care. The flight deck should be evaluated as a whole, not as merely a set of individual functions or systems. Two functions or features previously approved on separate programmes may be incompatible when combined on a single flight deck. Also, changing one feature in a flight deck may necessitate corresponding changes in other features, to maintain consistency and prevent confusion.

Example

If the window design in a new aeroplane is identical to that in an existing aeroplane, a statement of similarity may be an acceptable means of compliance to meet CS 25.773.

6.3.2 Design Description

The applicant may elect to substantiate that the design meets the requirements of a specific paragraph by describing the design. Applicants have traditionally used drawings, configuration descriptions, and/or design philosophy to show compliance. Selection of participants and conformity are not relevant to this means of compliance.

a. Drawings

Description

Layout drawings or engineering drawings, or both, depicting the geometric arrangement of hardware or display graphics.

Deliverable

The drawing, which can be part of a certification report.

Uses

Applicants can use drawings for very simple certification programmes when the change to the flight deck is very simple and straightforward. Drawings can also be used to support compliance findings for more complex interfaces.

Limitations

The use of drawings is limited to physical arrangements and graphical concerns.

b. Configuration Description

Description

A configuration description is a description of the layout, general arrangement, direction of movement, etc., of regulated item. It can also be a reference to documentation, giving such a description (for example from a different project with similar layout) . It could be used to show the relative locations of flight instruments, groupings of control functions, allocation of colour codes to displays and alerts, etc.

Deliverable

Explanation of functional aspects of crew interface: text description of certification item and/or functional aspects of the crew interface with the system (with visuals as appropriate).

Uses

Configuration descriptions are generally less formalised than engineering drawings. They are developed to point out features of the design that support a finding of compliance. In some cases, such configuration descriptions may provide sufficient information for a finding of compliance. More often, however, they provide important background information, while final confirmation of compliance is found through other means, such as demonstrations or tests. The background information provided by configuration descriptions may significantly reduce the complexity and/or risk associated with demonstrations or tests. The applicant will have already communicated how a system works with the configuration description and any discussions or assumptions may have already been coordinated.

Limitations

Configuration descriptions may provide sufficient information for a finding of compliance with a specific requirement. More often, though, they provide important background information, while final confirmation of compliance is found by other means, such as demonstrations or tests. Background information provided by configuration descriptions may significantly reduce the complexity and/or risk associated with the demonstrations or tests.

c. Design philosophy

Description

A design philosophy approach can be used to demonstrate that an overall safety-centred philosophy, as detailed in the design specifications for the product/system or flight deck, has been applied.

Deliverable

Text description of certification item and/or functional aspects of the crew interface with the system (with figures and drawings as appropriate) and its relationship to overall design philosophy.

Uses

Documents the ability of a design to meet requirements of a specific paragraph.

Limitations

In most cases, this means of compliance will be insufficient as the sole means to demonstrate compliance.

Example

Design philosophy may be used as a means of compliance when a new alert is added to the flight deck, if the new alert is consistent with the acceptable existing alerting philosophy.

6.3.3 Calculation/analysis

Description

Calculations or engineering analyses (“paper and pencil” assessments) that do not require direct participant interaction with a physical representation of the equipment.

Deliverable

Report detailing the analysis, its components, evaluation assumptions, and basis for decision making. The report details results and conclusions.

Participants

Conducted by the applicant.

Conformity

Not applicable.

Uses

Provides a systematic evaluation of specific or overall aspects of the human interface part of the product/system/flight deck. May be specified by guidance material.

Limitations

Carefully consider the validity of the assessment technique for analyses not based on advisory material or accepted industry standard methods. Applicants may be asked to validate any computational tools used in such analyses. If analysis involves comparing measured characteristics to recommendations derived from pre-existing research (internal or public domain), the applicant may be asked to justify the applicability of data to the project.

Example

An applicant may conduct a vision analysis to demonstrate that the flight crew has a clear and undistorted view out the windows. Similarly, an analysis may also demonstrate that flight, navigation and powerplant instruments are plainly visible from the flight-crew member station. The applicant may need to validate results of the analysis in ground or flight test.

6.3.4 Evaluations

The applicant may use a wide variety of part-task to full-installation representations of the product/system or flight deck for evaluations. These all have two characteristics in common: (1) the representation of the human interface and the system interface do not necessarily conform to the final documentation, and (2) the certification Agency is generally not present. The paragraphs below address mock-ups, part-task simulations, full simulations, and in-flight evaluations that typically make up this group of means of compliance. A mock-up is a full-scale, static representation of the physical configuration (form and fit). It does not include functional aspects of the flight deck and its installed equipment.

Description

Evaluations are assessments of the design conducted by the applicant, who then provides a report of the results to the Agency.

Deliverable

A report, delivered to the Agency.

Participants

Applicant and possibly Agency

Facilities

An evaluation can be conducted in a mock-up, on a bench, or in a laboratory, simulator or aeroplane.

Conformity

Conformity is not required.

Mock-up evaluation

Mock-ups can be used as representations of the design, allowing participants to physically interact with the design. Three-dimensional representations of the design in a CAD system, in conjunction with three-dimensional models of the flight deck occupants, have also been used as “virtual” mock-ups for certain limited types of evaluations. Reach assessments, for example, can use either type of mock-up.

Example of a mock-up evaluation

An analysis to demonstrate that controls are arranged so that flight-crew members from 1.58 m (5ft 2 inches) to 1.91 m (6ft 3 inches) in height can reach all controls. This analysis may use computer-generated data based on engineering drawings. The applicant may demonstrate results of the analysis in the actual aeroplane.

Bench or laboratory evaluation

The applicant can conduct an evaluation using devices emulating crew interfaces for a single system or a related group of systems. The applicant can use flight hardware, simulated systems, or combinations of these.

Example of a bench or laboratory evaluation

A bench evaluation for an integrated system could be an avionics suite installed in a mock-up of a flight deck, with the main displays and autopilot controls included. Such a tool may be valuable during development and for providing system familiarisation to the Agency. However, in a highly integrated architecture, it may be difficult or impossible to assess how well the avionics system will fit into the overall flight deck without more complete simulation or use of the actual aeroplane.

Simulator evaluation

A simulator evaluation uses devices that present an integrated emulation (using flight hardware, simulated systems, or combinations of these) of the flight deck and the operational environment. These devices can also be “flown” with response characteristics that replicate, to some extent, responses of the aeroplane. Simulation functional and physical fidelity (or degree of realism) requirements will typically depend on the configurations, functions, tasks, and equipment.

Aeroplane evaluation

This is an evaluation conducted in the actual aeroplane.

Uses

Traditionally, these types of activities have been used as part of the design process without formal certification credit. However, these activities can result in better designs that are more likely to be compliant with applicable requirements.

Limitations

Evaluations are limited by the extent to which the facilities actually represent the flight deck configuration and realistically represent flight crew tasks. As flight deck systems become more integrated, part-task evaluations may become less useful as a means of compliance, even though their utility as engineering tools may increase.

6.3.5 Tests

Tests are means of compliance conducted in a manner very similar to evaluations (described above in paragraph 6.3.4). There is, however, a significant difference. Tests require a conforming product/system and system interface. A test can be conducted on a bench, in a laboratory, in a simulator, or on an aeroplane.

Description

Tests are assessments of the design conducted with the Agency present.

Deliverable

A report, delivered to the Agency.

Participants

Applicant and possibly Agency

Facilities

A test can be conducted on a bench or in a laboratory, simulator or an aeroplane.

Conformity

The facility must be conforming.

Bench or laboratory test

This type of testing is usually confined to showing that components perform as designed. Bench tests are usually not enough to stand alone as a means of compliance. They can, however, provide useful supporting data in combination with other means.

Example of a bench or laboratory test

The applicant might show visibility of a display under the brightest of expected lighting conditions with a bench test, provided there is supporting analysis to define the expected lighting conditions. Such supporting information might include a geometric analysis to show potential directions from which the sun could shine on the display, with calculations of expected viewing angles. These conditions might then be reproduced in the laboratory.

Conformity related to a bench or laboratory test

The part or system would need to be conforming to show compliance.

Simulator test

A simulator test uses devices that present an integrated emulation (using flight hardware, simulated systems, or combinations of these) of the flight deck and the operational environment. They can also be “flown” with response characteristics that replicate the responses of the aeroplane. The applicant should determine the physical and functional fidelity requirements of the simulation as a function of the issue under evaluation.

Simulator test conformity and fidelity issues

Only conforming parts of the flight deck may be used for simulator tests. Applicants may use a flight crew training simulator to validate most of the normal and emergency procedures for the design, and any workload effects of the equipment on the flight crew. If the flight deck is fully conforming and the avionics are driven by conforming hardware and software, then the applicant may conduct and use integrated avionics testing for showing compliance. Note that not all aspects of the simulation must have a high level of fidelity for any given compliance issue. Rather, assess fidelity requirements in view of the issue being evaluated.

Aeroplane test

Aeroplane tests can be conducted either on the ground or in flight.

Example of an aeroplane test

An example of a ground test is an evaluation for the potential of reflections on displays. Such a test usually involves covering the flight deck windows to simulate darkness and setting the flight deck lighting to desired levels. This particular test may not be possible in a simulator, because of differences in the light sources, display hardware, and/or window construction.

Flight testing during certification is the final demonstration of the design. These are tests conducted in a conforming aeroplane during flight. The aeroplane and its components (flight deck) are the most representative of the type design to be certified and will be the closest to real operations of the equipment. In-flight testing is the most realistic testing environment, although it is limited to those evaluations that can be conducted safely. Flight testing can be used to validate and verify other tests previously conducted during the development and certification programme. It is often best to use flight testing as final confirmation of data collected using other means of compliance, including analyses and evaluations.

Limitations of flight tests

Flight tests may be limited by the extent to which flight conditions of particular interest (for example, weather, failure, unusual attitudes) can be found/produced and then safely evaluated in flight. Also note that flight testing on the aeroplane provides the least control over conditions of any of the means of compliance. The Agency and the applicant should thoroughly discuss how and when flight tests and their results will be used to show compliance.

[Amdt 25/3]

Details

Source-Title: AMC 25.1302 Installed Systems and Equipment for Use by the Flight Crew

Erulesid: ERULES-1963177438-9504 Compare versions

Domain: Initial airworthiness

Amendedby: Amendment 3

Applicabilitydate: 19 September, 2007

Entryintoforcedate: 19 September, 2007

Regulatorysource: ED Decision 2007/010/R Navigate

Regulatorysubject: CS-25

Typeofcontent: AMC to CS (Acceptable means of compliance to certification specification)

Parentir: CS 25.1302 Installed systems and equipment for use by the flight crew

Origin: EASA

Category: EAR

Details

Related sections: