Appendix 3 to AMC 20-158A -- Examples of HIRF safety assessment considerations -- Level A systems on large aeroplanes
Available versions for ERULES-1963177438-19883
ED Decision 2022/001/R
found in: AMC-20 Amdt 23 - Airworthiness of Products, Parts and Appliances (Jan 2022)
1. Establishing appropriate pass/fail criteria for complying with CS 25.1317(a) can only be achieved through a comprehensive review of the system design using an acceptable HIRF functional hazard assessment process in the form of a system HIRF certification level (HCL). The following paragraphs summarise the approaches whereby pass/fail criteria for compliance with CS 25.1317(a) are specified on the merit of specific system architecture attributes.

2. For the purposes of discussion and evaluation of the examples, the architectural strategies used in the system implementation need to be defined. Therefore, the additional definitions below should be considered:

a. Similar redundant channels: the multiple channels consist of equipment, components, electrical interconnections and configurations that are similar, typically with pieces of equipment that have identical part numbers. The channels should be independent. They may be configured in active, active-backup and passive-backup modes.

b. Dissimilar redundant channels: each channel is unique and independent of the others. They may be configured in active, active-backup and passive-backup modes.

c. Combination of similar and dissimilar redundant channels: the combination of similar and dissimilar channels, as defined above, with independence between channels. They may be configured in active, active-backup and passive-backup modes.

Notes:

a. ‘Active mode’ means that the channel performs the aircraft function in normal operation.

b. ‘Active-backup mode’ means that the channel is operational but not used to perform the aircraft function until switched to active mode, either automatically or by flight crew action.

c. ‘Passive-backup mode’ means that the channel is not operational; switching to active mode is either automatic or by flight crew action upon failure recognition.

d. ‘Combination of electrical/electronic and mechanical, hydraulic and/or pneumatic channels’: certain architectures combine electrical and electronic channels with mechanical, hydraulic and/or pneumatic channels. These combinations of electrical/electronic and mechanical, hydraulic or pneumatic channels may be configured in active, active-backup and passive-backup modes.

e. These examples are theoretical and intended to facilitate the discussion from which universal guidelines may be derived to help develop useful guidance material. It is not the intention to account for all possible configurations, but only to represent the common system architectures or some that present unique challenges.

3. This Appendix presents examples of large aeroplane systems with multiple independent and redundant channels that perform a function whose failure would prevent continued safe flight and landing. These examples could also be used for other types of aircraft.

<table border="1">
<thead>
<tr><td colspan="4">Example 1</td></tr>
<tr><td rowspan="2">Function</td><td colspan="3">25.1317(a) System</td></tr>
<tr><td>Channel</td><td>Channel</td><td>Channel</td></tr>
</thead>
<tr><td>Display of attitude, altitude, and airspeed information to the pilots during IFR operations (e.g. primary display system and associated sensors, with dissimilar standby display system and sensors)</td><td>Active<br/>(Pilot displays and associated sensors)</td><td>Active<br/>(Co-pilot displays and associated sensors)</td><td>Active-backup<br/>(Dissimilar standby display and associated sensors)</td></tr>
<tr><td>Requirements for compliance demonstration (CS 25.1317)</td><td>(a)(1), (a)(2), (a)(3)</td><td>(a)(1), (a)(2), (a)(3)</td><td>(b)</td></tr>
<tr><td colspan="4">
<p>Discussion:</p>
<p>This example depicts the specification of CS 25.1333 for independent displays of information essential to the safety of flight at each pilot station. The standby display is required in order to achieve the safety objectives of CS 25.1309. Either the pilot or the co-pilot can be the pilot flying (PF) or pilot monitoring (PM) during normal operations, so both the pilot and the co-pilot display systems should be considered as active systems.</p>
<p>Compliance with CS 25.1317(a)(1), (a)(2), and (a)(3) should demonstrate that neither pilot display of aircraft attitude, altitude, and airspeed is adversely affected, and that each recovers normal operation of these Level A functions, when the aircraft is exposed to HIRF Environment I and II. It is acceptable that the dissimilar standby display demonstrates compliance with the CS 25.1316(b) requirements. The adverse effects must include both a loss of, and hazardously misleading, attitude, altitude, and airspeed information.</p>
</td></tr>
</table>

<table border="1">
<thead>
<tr><td colspan="4">Example 2</td></tr>
<tr><td rowspan="2">Function</td><td colspan="3">25.1317(a) System</td></tr>
<tr><td>Channel</td><td>Channel</td><td>Channel</td></tr>
</thead>
<tr><td>Full authority control of pitch, yaw, and roll using electrical and electronic flight control systems</td><td>Active or active-backup<br/>(Flight control system #1)</td><td>Active or active-backup<br/>(Flight control system #2)</td><td>Active or active-backup<br/>(Flight control system #3)</td></tr>
<tr><td>Requirements for compliance demonstration (CS 25.1317)</td><td>(a)(1), (a)(2), (a)(3)</td><td>(a)(1), (a)(2), (a)(3)</td><td>(a)(1), (a)(2), (a)(3)</td></tr>
<tr><td colspan="4">
<p>Discussion:</p>
<p>This example depicts an electronic flight control system that comprises three independent channels to meet the safety objectives of CS 25.1309. At any time, any one of the three channels can operate as the active channel.</p>
<p>Only one channel operates in active mode while the others are in active-backup mode. Any channel can perform the control function at any time; therefore, all the channels must comply with CS 25.1317(a)(1), (a)(2), and (a)(3).</p>
</td></tr>
</table>

<table border="1">
<thead>
<tr><td colspan="4">Example 3</td></tr>
<tr><td rowspan="2">Function</td><td colspan="3">25.1317(a) System</td></tr>
<tr><td>Channel</td><td>Channel</td><td>Channel</td></tr>
</thead>
<tr><td>Provide engine overspeed protection</td><td>Active<br/>(Electronic engine control system)<br/>(Normal speed control)</td><td>Active or active-backup<br/>(Electronic engine control system)<br/>(Overspeed protection)</td><td>Active<br/>(Independent mechanical overspeed protection)</td></tr>
<tr><td>Requirements for compliance demonstration (CS 25.1317)</td><td>(b)</td><td>(b)</td><td>Not subject to CS 25.1317</td></tr>
<tr><td colspan="4">
<p>Discussion:</p>
<p>This example depicts the function of engine overspeed protection performed by a combination of active electrical and electronic control and mechanical system control. The mechanical channel must provide overspeed protection during normal operations and be independent of the active electronic control channels. The mechanical channel must not rely on electrical or electronic components to assist, augment, or monitor the overspeed protection. If the mechanical channel is independent of the electronic engine control speed control and overspeed protection, and has no electrical or electronic components with failure modes that could prevent overspeed protection, then the engine overspeed protection function is not adversely affected when the aircraft is exposed to HIRF Environment I and II. The system is, therefore, not subject to CS 25.1317(a). The electronic engine control channels should comply with CS 25.1317(b).</p>
<p>This example only considers the overspeed protection feature implemented by the system. Other functions whose failure may be classified as catastrophic, such as the loss of the thrust control function where that function is implemented by electronic control channels, should comply with CS 25.1317(a).</p>
</td></tr>
</table>

<table border="1">
<thead>
<tr><td colspan="4">Example 4</td></tr>
<tr><td rowspan="2">Function</td><td colspan="3">25.1317(a) System</td></tr>
<tr><td>Channel</td><td>Channel</td><td>Channel</td></tr>
</thead>
<tr><td>Provide electrical power for electrical and electronic systems, including those with catastrophic failure conditions</td><td>Active<br/>(Left engine generator system)</td><td>Active<br/>(Right engine generator system)</td><td>Passive-backup<br/>(Emergency power supply system driven by ram-air turbine)</td></tr>
<tr><td>Requirements for compliance demonstration (CS 25.1317)</td><td>(a)(1), (a)(2), (a)(3)</td><td>(a)(1), (a)(2), (a)(3)</td><td>(b)</td></tr>
<tr><td colspan="4">
<p>Discussion:</p>
<p>This example depicts a typical transport category aircraft electrical system on a twin-engined aircraft, where two or more independent sources of electrical power are required by CS 25.1307(b) and a ram-air turbine is necessary to meet the safety objectives of CS 25.1309 and CS 25.1351(d).</p>
<p>For this example, the electrical system consists of two active channels, provided by a single main-engine-driven generator on each engine with the associated distribution and controls, and a third passive-backup channel provided by a ram-air turbine electrical power system. The ram-air turbine electrical power system is stowed during normal operation and deployed either automatically and/or manually when power from the two main-engine-driven generators is lost.</p>
<p>The active engine generator system channels must not be adversely affected when the aircraft is exposed to HIRF Environment I and II, and must comply with CS 25.1317(a)(1), (a)(2), and (a)(3). The passive-backup ram-air turbine electrical power system does not mitigate adverse effects for compliance with CS 25.1317(a). It is acceptable that the ram-air turbine electrical power system demonstrates compliance with the CS 25.1317(b) requirements.</p>
</td></tr>
</table>

<table border="1">
<thead>
<tr><td colspan="5">Example 5</td></tr>
<tr><td rowspan="2">Function</td><td colspan="4">25.1317(a) System</td></tr>
<tr><td>Channel</td><td>Channel</td><td>Channel</td><td>Channel</td></tr>
</thead>
<tr><td>Provide electrical power for electrical and electronic systems, including those with catastrophic failure conditions</td><td>Active<br/>(Left engine generator system)</td><td>Active<br/>(Right engine generator system)</td><td>Active<br/>(APU-driven generator system required for ETOPS flight beyond 180 minutes)</td><td>Passive-backup<br/>(Emergency power supply driven by ram-air turbine)</td></tr>
<tr><td>Requirements for compliance demonstration (CS 25.1317)</td><td>(a)(1), (a)(2), (a)(3)</td><td>(a)(1), (a)(2), (a)(3)</td><td>(a)(1), (a)(2), (a)(3)</td><td>(b)</td></tr>
<tr><td colspan="5">
<p>Discussion:</p>
<p>This example depicts a twin-engined transport category aircraft electrical system where two or more independent sources of electrical power are required by CS 25.1307(b) and an alternate source (driven by a ram-air turbine) is necessary to meet the safety objectives of CS 25.1309 and CS 25.1351(d). This configuration includes a third electrical power source driven by an auxiliary power unit (APU). This third source is required (as an active channel) for ETOPS beyond 180 minutes.</p>
<p>As in Example 4, the emergency power source is a passive-backup channel provided by a ram-air turbine that remains stowed during normal flight and is deployed either automatically and/or manually when power from all other channels is lost.</p>
<p>All active electrical power generation channels should comply with CS 25.1317(a)(1), (a)(2), and (a)(3). The passive-backup electrical power generation channel does not mitigate the adverse effects due to HIRF exposure to meet the intent of the HIRF requirements. It is acceptable that the passive-backup channel demonstrates compliance with the CS 25.1316(b) requirements.</p>
<p>Note: For non-ETOPS aircraft, or for ETOPS up to 180 minutes, the APU HIRF certification level should be defined based on the specific aircraft safety assessment.</p>
</td></tr>
</table>

<table border="1">
<thead>
<tr><td colspan="5">Example 6</td></tr>
<tr><td rowspan="2">Function</td><td>25.1317(a) System</td><td>25.1317 System</td><td>25.1317 System</td><td>System</td></tr>
<tr><td>Channel</td><td>Channel</td><td>Channel</td><td>Channel</td></tr>
</thead>
<tr><td>Reduce aircraft speed on ground in a controlled manner using thrust reverser control system, spoiler deployment system, and wheel braking system</td><td>Active<br/>(Main brake system, electro-mechanical)</td><td>Active<br/>(Electronic engine thrust reverse control with associated sensors)</td><td>Active<br/>(Electronic spoiler deployment control with associated sensors)</td><td>Active<br/>(Independent mechanical wheel braking)</td></tr>
<tr><td>Requirements for compliance demonstration (CS 25.1317)</td><td>(a)(1), (a)(2), (a)(3)</td><td>25.1317(a), (b) or (c) depending on specific aircraft safety assessment</td><td>25.1317(a), (b) or (c) depending on specific aircraft safety assessment</td><td>Not subject to CS 25.1317</td></tr>
<tr><td colspan="5">
<p>Discussion:</p>
<p>This example depicts an aircraft-level function that is performed by a combination of independent systems, each contributing in part to the function during a specific phase of flight. In this case, each system implements a very distinct aircraft-level function that serves in a complementary manner to decelerate the aircraft during the landing roll. The mechanical wheel braking system is assumed to be independent of the other channels, with no associated electrical or electronic equipment to assist, augment, or monitor the mechanical wheel braking system.</p>
<p>In this example, it is assumed that the main brake system includes failure conditions that are catastrophic. For the electronic engine thrust reverser control and the electronic spoiler control systems, the applicable parts of CS 25.1317 would depend on the specific failure conditions. The effectiveness, authority, and malfunctions associated with each system should be considered. The interaction between the systems also has to be considered: issues such as asymmetrical thrust reverser activation or spoiler deployment could adversely affect the main brake and mechanical wheel braking functions, and could affect the safety classification for the thrust reverser and spoiler controls.</p>
<p>An aircraft safety assessment must be carried out for each of these systems that perform a specific aircraft-level function to identify and classify their failure conditions. The failure hazard classifications and the decomposition of each system into its constituent channels would then dictate which paragraphs of CS 25.1317 apply.</p>
</td></tr>
</table>

<table border="1">
<thead>
<tr><td colspan="4">Example 7</td></tr>
<tr><td rowspan="2">Function</td><td colspan="3">25.1317(a) System</td></tr>
<tr><td>Channel</td><td>Channel</td><td>Channel</td></tr>
</thead>
<tr><td>Provide altitude information to be displayed in IFR flight using an air-data computer connected to the primary flight display (PFD), and a pneumatic standby instrument with alternate static port</td><td>Active<br/>(Air-data computer 1 with static port)</td><td>Active<br/>(Air-data computer 2 with static port)</td><td>Active-backup<br/>(Pneumatic standby altimeter with alternate static port)</td></tr>
<tr><td>Requirements for compliance demonstration (CS 25.1317)</td><td>(a)(1), (a)(2), (a)(3)</td><td>(a)(1), (a)(2), (a)(3)</td><td>Not subject to CS 25.1317</td></tr>
<tr><td colspan="4">
<p>Discussion:</p>
<p>This example depicts the function to provide altitude information. The main sources are two air-data computers (ADCs) coupled to static ports, and a backup source from a standby pneumatic altimeter coupled to an alternate static port independent from the main static ports.</p>
<p>In such a case, the standby altimeter does not relieve the active ADC channels of compliance with CS 25.1317(a): it does not mitigate hazardously misleading altitude information common to the active ADC channels for compliance with CS 25.1317(a).</p>
</td></tr>
</table>

<table border="1">
<thead>
<tr><td colspan="4">Example 8</td></tr>
<tr><td rowspan="2">Function</td><td colspan="3">25.1317(a) System</td></tr>
<tr><td>Channel</td><td>Channel</td><td>Channel</td></tr>
</thead>
<tr><td>Control and protection of the aircraft pneumatic (bleed) system<br/>(Top-level failure condition classification: catastrophic)</td><td>Active<br/>(Pneumatic system controller #1)<br/>FDAL B/IDAL B</td><td>Active<br/>(Pneumatic system controller #2)<br/>FDAL B/IDAL B</td><td>Passive-backup<br/>(High pressure switch + valve)<br/>FDAL C/IDAL C</td></tr>
<tr><td>Requirements for compliance demonstration (CS 25.1317)</td><td>(a)(1), (a)(2), (a)(3)</td><td>(a)(1), (a)(2), (a)(3)</td><td>(b)</td></tr>
<tr><td colspan="4">
<p>Discussion:</p>
<p>This is a generic example intended to show that the HIRF certification level (HCL) of a given system will often differ from the functional development assurance level (FDAL) and item development assurance level (IDAL) defined according to SAE ARP 4754A/EUROCAE ED-79A, Guidelines for Development of Civil Aircraft and Systems.</p>
<p>Therefore, it is important to use the proper nomenclature and to avoid SAE ARP 4754A/EUROCAE ED-79A ‘DAL’ or similar terms when referring to the HCL.</p>
<p>In this example, the pneumatic control system is composed of two main active controllers and a simpler passive-backup channel that can perform the function, preventing the catastrophic event in case of the failure of both controllers.</p>
<p>The FDAL for each channel or member (SAE ARP 4754A/EUROCAE ED-79A nomenclature) was defined for a catastrophic top-level failure condition based on the ‘Option 2’ column 4 of Table 3, DEVELOPMENT ASSURANCE LEVEL ASSIGNMENT TO MEMBERS OF A FUNCTIONAL FAILURE SET, of SAE ARP 4754A/EUROCAE ED-79A, which allows the combination of FDALs B+B+C for independent channels. In contrast, the respective HCLs would be A+A+B.</p>
<p>Considering that HIRF can simultaneously affect all the channels, the considerations used for IDAL assignment cannot be used, and compliance with CS 25.1317(a) is required for both active channels that perform a function with a catastrophic top-level failure condition.</p>
<p>In this example, the IDAL for the passive-backup channel may be C. However, for HIRF, the applicable part of CS 25.1317 is (b), similarly to Example 5.</p>
</td></tr>
</table>

[Amdt 20/23]