AMC 25.671 Control Systems — General
ED Decision 2021/015/R
1. PURPOSE
This AMC provides an acceptable means, but not the only means, to demonstrate
compliance with the control system requirements of CS 25.671.
2. RELATED DOCUMENTS
a. Advisory Circulars, Acceptable Means of Compliance.
(1) FAA Advisory Circular (AC) 25-7D,
dated 4 May 2018, Flight Test Guide for Certification of Transport Category
Airplanes.
(2) AMC 25.1309 System Design and Analysis.
b. Standards.
(1) EUROCAE document ED-79A, Guidelines for
Development of Civil Aircraft and Systems, issued in December 2010, or the
equivalent SAE Aerospace Recommended Practice (ARP) 4754A.
(2) SAE Aerospace Recommended Practice (ARP)
4761, Guidelines and Methods for Conducting the Safety Assessment Process on
Civil Airborne Systems and Equipment, issued in December 1996.
3. APPLICABILITY OF CS 25.671
CS 25.671 applies to all flight control system
installations (including primary, secondary, trim, lift, drag, feel, and
stability augmentation systems (refer to CS 25.672)) regardless of implementation technique (manual, powered,
fly-by-wire, or other means).
While CS 25.671 applies to flight control systems, CS 25.671(d) does apply to all control systems required to provide control,
including deceleration, for the phases specified.
4. DEFINITIONS
The following definitions apply to CS 25.671 and this AMC. Unless otherwise
stated, they should not be assumed to apply to the same or similar terms used
in other rules or AMC.
a. At-Risk Time. The period of time during which an item must fail to cause the
failure effect in question. This is usually associated with the final fault in
a fault sequence leading to a specific failure condition. See also SAE
ARP4761.
b. Catastrophic Failure Condition. Refer to AMC 25.1309 (Paragraph 7 FAILURE CONDITION
CLASSIFICATIONS AND PROBABILITY TERMS).
c. Continued Safe Flight and Landing. The capability for continued controlled flight
and landing at an aerodrome without requiring exceptional piloting skill or
strength.
d. Landing. The phase following final approach and starting with the landing flare. It
includes the ground phase on the runway and ends when the aeroplane comes to a
complete stop on the runway.
e. Latent Failure. Refer to AMC 25.1309 (Paragraph 5 DEFINITIONS).
f. Error. Refer to AMC 25.1309 (Paragraph 5 DEFINITIONS).
g. Event. Refer to AMC 25.1309 (Paragraph 5 DEFINITIONS).
h. Exposure Time. The period of time between the time when an item was last known to
be operating properly and the time when it will be known to be operating
properly again. See also SAE ARP4761.
i. Extremely Improbable. Refer to AMC 25.1309 (Paragraph 7 FAILURE CONDITION
CLASSIFICATIONS AND PROBABILITY TERMS).
j. Failure. Refer to AMC 25.1309 (Paragraph 5 DEFINITIONS).
The following types of failures should be considered when demonstrating compliance
with CS 25.671(c). Since the type of failure and the effect of
the failure depend on the system architecture, this list is not exhaustive,
but serves as a general guideline.
(1) Jam. Refer to the definition provided below.
(2) Loss of Control of Surface. A failure that results in a surface not responding
to commands. Failure sources can include mechanical disconnection, control
cable disconnection, actuator disconnection, loss of hydraulic power, or loss
of control commands due to computers, data path or actuator electronics
failures. In these conditions, the position of the surface(s) or controls can
be determined by analysing the system architecture and aeroplane aerodynamic
characteristics; common positions include surface-centred (0°) or zero
hinge-moment position (surface float).
(3) Oscillatory Failure. A failure that results in undue surface oscillation. Failure
sources include control loop destabilisation, oscillatory sensor failure,
oscillatory computer or actuator electronics failure. The duration of the
oscillation, its frequency, and amplitude depend on the control loop,
monitors, limiters, and other system features.
(4) Restricted Control. A failure that results in the achievable surface deflection being
limited. Failure sources include foreign object interference, malfunction of a
travel limiter, and malfunction of an envelope protection. This type of
failure is considered under CS 25.671(c)(1) and CS 25.671(c)(2), as the system/surface can still be operated.
(5) Runaway or Hardover. A failure that results in uncommanded control surface
movement. Failure sources include servo valve jams, computer or actuator
electronics malfunctioning. The speed of the runaway, the duration of the
runaway (permanent or transient), and the resulting surface position (full or
partial deflection) depend on the available monitoring, limiters, and other
system features. This type of failure is addressed under CS 25.671(c)(1) and (c)(2).
Runaways that are caused by external events, such as loose or foreign objects, control
system icing, or any other environmental or external source are addressed in CS 25.671(c)(2).
(6) Stiff or Binding Controls. A failure that results in a significant increase in
control forces. Failure sources include failures of artificial feel systems,
corroded bearings, jammed pulleys, and failures causing high friction. This
type of failure is considered under CS 25.671(c)(1) and CS 25.671(c)(2), as the system/surface can still be operated. In some architectures,
higher friction may result in reduced centring of the controls.
k. Failure Conditions. As used in CS 25.671(c), this term refers to the sum of
all failures and failure combinations contributing to a hazard, apart from the
single failure (flight control system jam) being considered.
l. Flight Control System. Flight control system refers to the following: primary
flight controls from the pilot’s controllers to the primary control surfaces,
trim systems from the pilot’s trim input devices to the trim surfaces
(including stabiliser trim), speed brake/spoiler systems from the pilot’s
control lever to the brake/spoiler panels or other drag/lift-dumping devices,
high-lift systems from the pilot’s controls to the high-lift surfaces, feel
systems, and stability augmentation systems. Supporting systems (i.e.
hydraulic systems, electrical power systems, avionics, etc.) should also be
included if failures in these systems have an impact on the function of the
flight control system.
Examples of elements to be evaluated under CS 25.671 include, but are not limited to:
— linkages,
— hinges,
— cables,
— pulleys,
— quadrants,
— valves,
— actuators (including actuator components),
— flap/slat tracks (including track rollers and movable tracks),
— bearings, axles and pins,
— control surfaces (jam and runaway only),
— attachment fittings.
m. In-flight is the time period from the time when the aeroplane is at 10 m
(35 ft) above aerodrome level (AAL) following a take-off, up to the time
when the aeroplane reaches 15 m (50 ft) AAL prior to landing,
including climb, cruise, normal turns, descent, and approach.
n. Jam. A failure or event that results in either a control surface, a pilot
control, or a component being fixed in one position.
(i) Control surfaces and pilot controls fixed
in one position due to a physical interference are addressed under CS 25.671(c)(3). Causes may include corroded bearings, interference with a foreign or
loose object, control system icing, seizure of an actuator, or disconnection
that results in a jam by creating interference. Normally encountered positions
are defined in paragraph 7.b of this AMC.
(ii) All other failures or events that result
in either a control surface, a pilot control, or a component being fixed in
one position are addressed under CS 25.671(c)(1) and 25.671(c)(2)
as appropriate. Depending on the system architecture and the location of the
failure or the event, some failures or events that cause a jam may not always
result in a fixed surface or pilot control; for example, a jammed valve could
result in a surface runaway.
o. Landing is the time period from the time when the aeroplane is at 15 m
(50 ft) AAL prior to landing, up to the complete stop of the aeroplane on
the runway.
p. Probability versus Failure Rate. Failure rate is typically expressed in terms of
average probability of occurrence per flight hour. In cases where the failure
condition is associated with a certain flight condition that occurs only once
per flight, the failure rate is typically expressed as average probability of
occurrence per flight (or per take-off, or per landing). Failure rates are
usually the ‘root’ numbers used in a fault tree analysis prior to factoring in
latency periods, exposure time, or at-risk time. Probability is
non-dimensional and expresses the likelihood of encountering or being in a
failed state. Probability is obtained by multiplying a failure rate by the
appropriate exposure time.
q. Take-off is the time period from the brake release up to the time when the aeroplane
reaches 10 m (35 ft) AAL.
5. EVALUATION OF FLIGHT CONTROL SYSTEM OPERATION — CS 25.671(a)
a. General.
Flight control systems should be designed such that when a movement to one position
has been selected, a different position can be selected without waiting for
the completion of the initially selected movement, and the system should
arrive at the finally selected position without further attention. The
movements that follow and the time taken by the system to allow the required
sequence of selection should not adversely affect the controllability of the
aeroplane.
b. Abnormal Attitude.
Compliance should be demonstrated by evaluation of the closed-loop flight control system.
This evaluation is intended to ensure that there are no features or unique
characteristics (including numerical singularities) which would restrict the
pilot’s ability to recover from any attitude.
Open-loop flight control systems should also be evaluated, if applicable.
For aeroplanes that are equipped with a flight control envelope protection, the
attitudes of the aeroplane to be considered should include cases outside the
protected envelope.
c. Parameters to be considered
The following relevant flight dynamic parameters should be considered by the
applicant (non-exhaustive list):
— Pitch, Roll or Yaw rate
— Vertical load factor
— Airspeed
— Angle of attack
d. Operating and Environmental Conditions
The parameters in paragraph 5.c. above should be considered within the limit
flight envelope, which is the flight envelope that is associated with the
aeroplane design limits or the flight control system protection limits.
6. EVALUATION OF FLIGHT CONTROL SYSTEM ASSEMBLY — CS 25.671(b)
The intent of CS 25.671(b) is to minimise the risk by design that the
elements of the flight control system are incorrectly assembled, such that
this leads to significant safety effects. The intent is not to address
configuration control (refer to CS 25.1301(a)(2)).
The applicant should take adequate precautions during the design process and
provide adequate procedures in the instructions for continued airworthiness to
minimise the risk of incorrect assembly (i.e. installation, connection, or
adjustment) of elements of the flight control system during production and
maintenance. The following steps should be used:
(1) assess the potential effects of potential
incorrect assemblies of flight control systems elements and determine a
classification of the severity of the associated failure conditions;
(2) when a failure condition is classified as
catastrophic, hazardous, or major, EASA normally only accepts physical
prevention means in the design of the elements to prevent an incorrect
assembly. If, exceptionally, the applicant considers that providing such
design prevention means is impractical, this should be presented to EASA. If
agreed by EASA, the applicant may then use a distinctive and permanent marking
of the involved elements.
(3) failure conditions that are classified
either as minor or with no safety effect are not considered to have a
significant safety effect.
Examples of significant safety effects:
(1) an out-of-phase action;
(2) reversal in the sense of the control;
(3) interconnection of the controls between
two systems where this is not intended;
(4) loss of function.
7. EVALUATION OF FLIGHT CONTROL SYSTEM FAILURES — CS 25.671(c)
Development errors (e.g. mistakes in requirements, design, or implementation) should be
considered when demonstrating compliance with CS 25.671(c).
However, the guidance provided in this paragraph is not intended to address
the means of compliance related to development errors. Development errors are
managed through development assurance processes and system architecture. Some
guidelines are provided in AMC 25.1309.
CS 25.671(c) requires that the aeroplane be shown by
analysis, test, or both, to be capable of continued safe flight and landing
following failures in the flight control system within the normal flight
envelope.
CS 25.671(c)(1) requires the evaluation of any single
failure, excluding the types of jams addressed in subparagraph CS 25.671(c)(3). CS 25.671(c)(1) requires consideration of any single failure,
suggesting that an alternative means of controlling the aeroplane or an
alternative load path is provided in the case of a single failure. All single
failures must be considered, even if they are shown to be extremely
improbable.
CS 25.671(c)(2) requires the evaluation of any combination of
failures not shown to be extremely improbable, excluding the types of jams
addressed in CS 25.671(c)(3).
Some combinations of failures, such as dual electrical system or dual hydraulic
system failures, or any single failure in combination with any probable
electrical or hydraulic system failure, are normally not demonstrated as being
extremely improbable.
CS 25.671(c)(3) requires the evaluation of any failure or
event that results in a jam of a flight control surface or pilot control. This
subparagraph addresses failure modes that would result in the surface or pilot
control being fixed in a position. It should be assumed that the fixed
position is the position that is commanded at the time of the failure due to
some physical interference. The position at the time of the jam should be at
any control position normally encountered during take-off, climb, cruise,
normal turn manoeuvres, descent, approach, and landing. In some architectures,
component jams within the system may result in failure modes other than a
fixed surface or pilot control; those types of jams (such as a jammed valve)
are considered under subparagraphs CS 25.671(c)(1) and (c)(2). All
single jams must be considered, even if they can be shown to be extremely
improbable.
Alleviation means may be used to show compliance with CS 25.671(c)(3). For this purpose, alleviation means include system reconfigurations
or any other features that eliminate or reduce the consequences of a jam or
permit continued safe flight and landing.
Any runaway of a flight control to an adverse position must be accounted for, as per
CS 25.671(c)(1) and (c)(2), if such a runaway is due to:
— a single failure; or
— a combination of failures which are not shown to be extremely improbable.
Some means to alleviate the runaway may be used to demonstrate compliance, such as by
reconfiguring the control system, deactivating the system (or a failed portion
of it), overriding the runaway by a movement of the flight controls in the
normal sense, eliminating the consequences of a runaway to ensure continued
safe flight and landing following a runaway. The consideration of a control
runaway will be specific to each application and a general interpretation of
an adverse position cannot be provided. Where applicable, the applicant is
required to assess the resulting surface position after a runaway, if the
failure condition is not extremely improbable or can occur due to a single
failure.
It is acknowledged that determining a consistent and reasonable definition of
normally encountered flight control positions can be difficult. Experience
from in-service aeroplanes shows that the overall failure rate for a flight
control surface jam is of an order of magnitude between $10^{-6}$ and $10^{-7}$
per flight hour. This failure rate may be used to justify a definition of
‘normally encountered position’ and is not intended to be used to support a
probabilistic assessment. Considering this in-service aeroplane data, a
reasonable definition of normally encountered positions represents the range
of flight control surface deflections (from neutral to the largest deflection)
expected to occur in 1 000 random operational flights, without
considering other failures, for each of the flight phases addressed in this
AMC.
One method of establishing acceptable flight control surface deflections is to use the
performance-based criteria outlined in this AMC (see sub-paragraph 7.b. below)
that were established to eliminate any differences between aeroplane types.
The performance-based criteria prescribe environmental and operational
manoeuvre conditions, and the resulting deflections may be considered as
normally encountered positions for demonstrating compliance with CS 25.671(c)(3).
All approved aeroplane gross weights and centre-of-gravity locations should be considered.
However, only critical combinations of gross weight and centre-of-gravity
locations should be demonstrated.
a. Compliance with CS 25.671(c)(2)
When demonstrating compliance with the failure requirements of CS 25.671(c)(2), the following safety analysis/assessment should be considered.
A safety analysis/assessment according to AMC 25.1309 should be supplemented to
demonstrate that the aeroplane is capable of continued safe flight and landing
following any combination of failures not shown to be extremely improbable.
The aeroelastic stability (flutter) requirements of CS 25.629
should also be considered.
b. Determination of Flight Control System Jam Positions — CS 25.671(c)(3)
The following flight phases should be considered: ‘take-off’, ‘in-flight’ (climb,
cruise, normal turn manoeuvres, descent, and approach), and ‘landing’ (refer
to the definitions in paragraph 4. DEFINITIONS of this AMC).
CS 25.671(c)(3) requires that the aeroplane be capable of
landing with a flight control or pilot control jam. The aeroplane should,
therefore, be evaluated for jams in the landing configuration.
Only the aeroplane rigid body modes need to be considered when evaluating the aeroplane
response to manoeuvres and continued safe flight and landing.
It should be assumed that, if the jam is detected prior to V1, the take-off will
be rejected.
Although 1 in 1 000 operational take-offs is expected to include crosswinds of
46 km/h (25 kt) or greater, the short exposure time associated with a flight
control surface jam occurring between V1 and VLOF allows
usage of a less conservative crosswind magnitude when determining normally
encountered lateral and directional control positions. Given that lateral and
directional flight controls are continuously used to maintain runway centre
line in a crosswind take-off, and that flight control inputs greater than
those necessary at V1 occur at speeds below V1, any jam
in these flight control axes during a crosswind take-off is normally detected
prior to V1. Considering the flight control jam failure rate
combined with the short exposure time between V1 and VLOF,
a reasonable crosswind level for the determination of jammed lateral or
directional flight control positions during take-off is 28 km/h (15 kt).
Similar reasoning applies to the approach and landing flight phases.
It follows that a reasonable crosswind level for the determination
of jammed lateral or directional control positions during approach and landing
is 28 km/h (15 kt).
The jam positions to be considered in demonstrating compliance should include any
position up to the maximum position determined by the following manoeuvres.
The manoeuvres and conditions described in this paragraph should only be used
to determine the flight control surface and pilot control deflections to
evaluate the continued safe flight and landing capability, and should not be
used for the evaluation of flight test manoeuvres; see paragraph 7.e below.
(1) Jammed Lateral Control Positions
(i) Take-off: The lateral flight control position for wings level at V1 in a
steady crosswind of 28 km/h (15 kt) (at a height of 10 m (35 ft) above the
take-off surface). Variations in wind speed from a 10-m (35-ft) height can be
obtained using the following relationship:
$V_{\mathrm{alt}} = V_{10\,\mathrm{metres}} \times (H_{\mathrm{desired}}/10.0)^{1/7}$
where:
$V_{10\,\mathrm{metres}}$ = wind speed in knots at 10 m (35 ft) above ground level (AGL)
$V_{\mathrm{alt}}$ = wind speed at desired altitude (kt)
$H_{\mathrm{desired}}$ = desired altitude for which wind speed is sought (AGL), but not lower than 1.5 m (5 ft)
(ii) In-flight: The lateral flight control position
to sustain a 12-degree/second steady roll rate from 1.23VSR1 to VMO/MMO
or VFE, as appropriate, but not greater than 50 % of the
control input.
(iii) Landing (including flare): The maximum
lateral control position is the greater of:
(A) the peak lateral control position to
maintain wings level in response to a steady crosswind of 28 km/h (15 kt), in
manual or autopilot mode; or
(B) the peak lateral control position to
maintain wings level in response to an atmospheric discrete lateral gust of
16 km/h (15 ft/s) from sea level to 6 096 m (20 000 ft).
Note: If the flight control system augments the pilot’s input, then the maximum surface
deflection to achieve the above manoeuvres should be considered.
(2) Jammed Longitudinal Control Positions
(i) Take-off: The following three
longitudinal flight control positions should be considered:
(A) Any flight control position from that
which the flight controls naturally assume without pilot input at the start of
the take-off roll to that which occurs at V1 using the procedures
recommended by the aeroplane manufacturer.
Note: It may not be necessary to consider this case if it can be demonstrated that the
pilot is aware of the jam before reaching V1 (for example, through
a manufacturer’s recommended AFM procedure).
(B) The longitudinal flight control position
at V1 based on the procedures recommended by the aeroplane
manufacturer including the consideration for any runway condition for which
the aeroplane is approved to operate.
(C) Using the procedures recommended by the
aeroplane manufacturer, the peak longitudinal flight control position to
achieve a steady aeroplane pitch rate of the lesser of 5°/s or the pitch rate
necessary to achieve the speed used for all-engines-operating initial climb
procedures (V2+XX) at 35 ft.
(ii) In-flight: The maximum longitudinal flight
control position is the greater of:
(A) the longitudinal flight control position
required to achieve steady state normal accelerations from 0.8 to 1.3 g
at speeds from 1.23VSR1 to VMO/MMO or VFE,
as appropriate;
(B) the peak longitudinal flight control
position commanded by the autopilot and/or stability augmentation system in
response to atmospheric discrete vertical gust of
16 km/h (15 ft/s) from sea level to 6 096 m (20 000 ft).
(iii) Landing: Any longitudinal control position
required, in manual or autopilot mode, for performing a flare and landing,
using the procedures recommended by the aeroplane manufacturer.
(3) Jammed Directional Control Positions
(i) Take-off: The directional flight control position for take-off at V1 in a
steady crosswind of 28 km/h (15 kt) (at a height of 10 m (35 ft) above the
take-off surface). Variations in wind speed from a height of 10 m (35 ft) can be
obtained using the following relationship:
$V_{\mathrm{alt}} = V_{10\,\mathrm{metres}} \times (H_{\mathrm{desired}}/10.0)^{1/7}$
where:
$V_{10\,\mathrm{metres}}$ = wind speed in knots at 10 m above ground level (AGL)
$V_{\mathrm{alt}}$ = wind speed at desired altitude
$H_{\mathrm{desired}}$ = desired altitude for which wind speed is sought (AGL), but not lower than 1.5 m (5 ft)
(ii) In-flight: The directional flight control
position is the greater of:
(A) the peak directional flight control
position commanded by the autopilot and/or stability augmentation system in
response to atmospheric discrete lateral gust of 16 km/h (15 ft/s) from sea
level to 6 096 m (20 000 ft);
(B) maximum rudder angle required for
lateral/directional trim from 1.23VSR1 to the maximum
all-engines-operating airspeed in level flight with climb power, but not to
exceed VMO/MMO or VFE as appropriate. While
more commonly a characteristic of propeller aeroplanes, this addresses any
lateral/directional asymmetry that can occur in flight with symmetric power;
or
(C) for approach, the peak directional control
position commanded by the pilot, autopilot and/or stability augmentation
system in response to a steady crosswind of 28 km/h (15 kt).
(iii) Landing: The maximum directional control
position is the greater of:
(A) the peak directional control position
commanded by the pilot, autopilot and/or stability augmentation system in
response to a steady crosswind of 28 km/h (15 kt); or
(B) the peak lateral control position to
maintain wings level in response to an atmospheric discrete lateral gust of
16 km/h (15 ft/s) from sea level to 6 096 m (20 000 ft).
(4) Control Tabs, Trim Tabs, and Trimming Stabilisers
Any tabs installed on flight control surfaces are assumed jammed in the position that
is associated with the normal deflection of the flight control surface on
which they are installed.
Trim tabs and trimming stabilisers are assumed jammed in the positions that are
associated with the procedures recommended by the aeroplane manufacturer for
take-off and that are normally used throughout the flight to trim the
aeroplane from 1.23VSR1 to VMO/MMO or VFE,
as appropriate.
(5) Speed Brakes
Speed brakes are assumed jammed in any position for which they are approved to operate
during flight at any speed from 1.23VSR1 to VMO/MMO
or VFE, as appropriate. Asymmetric extension and retraction of the
speed brakes should be considered. Roll spoiler jam (asymmetric spoiler panel)
is addressed in paragraph 7.b(1).
(6) High-Lift Devices
Leading edge and trailing edge high-lift devices are assumed to jam in any position for
take-off, climb, cruise, approach, and landing. Skew of high-lift devices or
asymmetric extension and retraction should be considered. CS 25.701
requires a mechanical interconnection (or equivalent means) between flaps or
slats, unless the aeroplane has safe flight characteristics with the
asymmetric flaps or slats positions.
(7) Load Alleviation Systems
(i) Gust Load Alleviation Systems: At any
airspeed between 1.23VSR1 to VMO/MMO or VFE,
as appropriate, the flight control surfaces are assumed to jam in the maximum
position commanded by the gust load alleviation system in response to an
atmospheric discrete gust with the following reference velocities:
(A) 16 km/h (15 ft/s) equivalent airspeed
(EAS) from sea level to 6 096 m (20 000 ft) (vertical gust);
(B) 16 km/h (15 ft/s) EAS from sea level to
6 096 m (20 000 ft) (lateral gust).
(ii) Manoeuvre Load Alleviation Systems: At any
airspeed between 1.23VSR1 to VMO/MMO or VFE,
as appropriate, the flight control surfaces are assumed to jam in the maximum
position commanded by the manoeuvre load alleviation system during a pull-up
manoeuvre to 1.3 g or a push-over manoeuvre to 0.8 g.
c. Considerations for jams just before landing — CS 25.671(c)(3)(i) and (ii)
CS 25.671(c)(3)(ii) requires that failures (leading to
a jam) must be assumed to occur anywhere within the normal flight envelope and
during any flight phase from take-off to landing. This includes the flight
phase just before landing and the landing itself. For the determination of the
jam position per CS 25.671(c)(3)(i) and the assessment of continued safe flight
and landing, guidance is provided in this AMC. However, there might be
exceptional cases where it is not possible to demonstrate continued safe
flight and landing. Even jam alleviation means (e.g., disconnection units)
might not be efficient because of the necessary time for the transfer of pilot
controls.
For these exceptional cases, compliance with CS 25.671(c)(3)(ii) may be shown by demonstrating that
the occurrence of a jam just before landing is extremely improbable.
Therefore, the overall compliance with CS 25.671(c)(3)(ii) for the flight phase just before
landing may be performed as follows:
(1) Demonstrate continued safe flight and
landing after a jam has occurred just before landing.
Note: The assessment of continued safe flight and landing in paragraph 7.e. below also
applies to jams occurring just before landing;
(2) If continued safe flight and landing
cannot be demonstrated, perform a qualitative assessment of the design,
relative to jam prevention features and jam alleviation means, to show that
all practical precautions have been taken; or
(3) As a last resort, after agreement by EASA,
use data from in-service aeroplanes to support an extremely improbable
argument (without use of at-risk time).
The typical means of jam prevention/alleviation include low-friction materials,
dual-rotation bearings, clearances, jack catchers, priority switch on
sidestick.
d. Jam Combinations Failures — CS 25.671(c)(3)
In addition to the demonstration of jams at ‘normally encountered position’, compliance
with CS 25.671(c)(3) should include an analysis that shows that a
minimum level of safety exists when a jam occurs. This additional analysis
must show that in the presence of a jam considered under CS 25.671(c)(3), the failure conditions that could prevent continued safe flight and
landing have a combined probability of 1/1 000 or less.
As a minimum, this analysis should include elements such as a jam breakout or
override, disconnection means, alternate flight surface control, alternate
electrical or hydraulic sources, or alternate cable paths. This analysis
should help to determine the intervals for scheduled maintenance activity or
the operational checks that ensure the availability of the alleviation or
compensation means.
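A worked illustration of the paragraph 7.d analysis, using the probability and exposure-time definitions of paragraph 4 (an added example, not part of the AMC). The item names, failure rates and flight duration are constructed, and summing the individual probabilities is an assumed conservative approximation.

```python
from dataclasses import dataclass

# Paragraph 7.d: in the presence of a jam, the failure conditions that could
# prevent continued safe flight and landing have a combined probability of
# 1/1 000 or less.
JAM_COMBINATION_LIMIT = 1.0e-3


@dataclass(frozen=True)
class AdditionalFailure:
    """A failure that, combined with the jam, could prevent continued safe
    flight and landing (for example loss of an alleviation means)."""
    name: str
    rate_per_fh: float   # failure rate per flight hour (constructed value)
    exposure_fh: float   # exposure time in flight hours (definition 4.h)

    @property
    def probability(self) -> float:
        # Definition 4.p: probability = failure rate x exposure time.
        return self.rate_per_fh * self.exposure_fh


def combined_probability(failures) -> float:
    # Assumption: the sum of the individual probabilities is used as a
    # conservative upper bound on the probability that any of them is present.
    return sum(f.probability for f in failures)


def meets_jam_combination_limit(failures) -> bool:
    return combined_probability(failures) <= JAM_COMBINATION_LIMIT


def max_check_interval_fh(latent_rates_per_fh, active_failures) -> float:
    """Largest common check interval (flight hours) for the latent items that
    keeps the combined probability within the limit. A latent failure is
    exposed from one check to the next, so its exposure time is the interval."""
    total_latent_rate = sum(latent_rates_per_fh)
    if total_latent_rate <= 0:
        raise ValueError("at least one latent failure rate is required")
    budget = JAM_COMBINATION_LIMIT - combined_probability(active_failures)
    if budget <= 0:
        return 0.0  # the active failures alone already exceed the limit
    return budget / total_latent_rate


def sample_failures(check_interval_fh, flight_duration_fh=5.0):
    """Constructed data set: two latent alleviation-means failures found only
    at a scheduled check, and one active failure exposed for a single flight."""
    return [
        AdditionalFailure("jam override (latent)", 1.0e-7, check_interval_fh),
        AdditionalFailure("disconnection means (latent)", 2.0e-7, check_interval_fh),
        AdditionalFailure("alternate hydraulic source", 1.0e-5, flight_duration_fh),
    ]


if __name__ == "__main__":
    for interval in (4000.0, 3000.0):
        items = sample_failures(interval)
        print(f"check interval {interval:.0f} FH: "
              f"combined probability {combined_probability(items):.2e}, "
              f"within limit: {meets_jam_combination_limit(items)}")
    active = sample_failures(0.0)[2:]
    print(f"maximum check interval: "
          f"{max_check_interval_fh([1.0e-7, 2.0e-7], active):.0f} FH")
```

With these constructed rates a 4 000 FH check interval exceeds the limit, while 3 000 FH stays within it.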
e. Assessment of Continued Safe Flight and Landing — CS 25.671(c)
Following a flight control system failure of the types discussed in paragraphs 7.a., 7.b.,
7.c. and 7.d. of this AMC, the manoeuvrability and structural strength
criteria defined in the following paragraphs should be considered to determine
the capability of continued safe flight and landing of the aeroplane.
Additionally, a pilot assessment of the aeroplane handling qualities should be
performed, although this does not supersede the criteria provided below.
A local structural failure (e.g. via a mechanical fuse or shear-out) that could lead
to a surface departure from the aeroplane should not be used as a means of jam
alleviation.
(1) Flight Characteristics
(i) General.
Following a flight control system failure, appropriate procedures may be used
including system reconfiguration, flight limitations, and flight crew resource
management. The procedures for safe flight and landing should not require
exceptional piloting skills or strengths.
Additional means of control, such as a trim system, may be used if it can be shown that
the system is available and effective. Credit should not be given to the use
of differential engine thrust to manoeuvre the aeroplane. However,
differential thrust may be used after the recovery in order to maintain
lateral/directional trim.
For the cases of longitudinal flight control surface and pilot control jams during
take-off prior to rotation, it is necessary to show that the aeroplane can be
safely rotated for lift-off without consideration of field length available.
(ii) Transient Response. There should be no unsafe conditions during the transient
condition following a flight control system failure. The evaluation of
failures or manoeuvres that lead to a jam is intended to be initiated from 1-g
wings level flight conditions. For this purpose, continued safe flight and
landing (within the transition phase) is generally defined as not exceeding
any one of the following criteria:
(A) a load on any part of the primary
structure sufficient to cause a catastrophic structural failure;
(B) catastrophic loss of flight path control;
(C) exceedance of VDF/MDF;
(D) catastrophic flutter;
(E) excessive vibration or excessive buffeting
conditions;
(F) bank angle in excess of 90 degrees.
In connection with the transient response, compliance with the requirements of CS 25.302 should be demonstrated. While VF is normally an appropriate
airspeed limit to be considered regarding continued safe flight and landing,
temporary exceedance of VF may be acceptable as long as the
requirements of CS 25.302 are met.
Paragraph 7.b. of this AMC provides a means to determine flight control surface
deflections for the evaluation of flight control jams. In some cases,
aeroplane roll, pitch rate, or normal acceleration is used as a basis to
determine these deflections. The roll or pitch rate and/or normal acceleration
that is used to determine the flight control surface deflection need not be
included in the evaluation of the transient condition. For example, the
in-flight lateral flight control position determined in paragraph 7.b.(1)(ii)
is based on a steady roll rate of 12°/s. When evaluating this condition,
either by analysis, simulation, or in-flight demonstration, the resulting
flight control surface deflection is simply input while the aeroplane is in
wings level flight, at the appropriate speed, altitude, etc. During this
evaluation, the actual roll or pitch rate of the aeroplane may or may not be
the same as the roll or pitch rate used to determine the jammed flight control
surface position.
(iii) Delay Times. Due consideration should be given to the delays involved in pilot
recognition, reaction, and operation of any disconnection systems, if
applicable.
Delay = Recognition + Reaction + Operation of Disconnection
Recognition is defined as the time from the failure condition to the point at which a
pilot in service operation may be expected to recognise the need to take
action. Recognition of the malfunction may be through the behaviour of the
aeroplane or a reliable failure warning system, and the recognition point
should be identified but should not normally be less than
1 second. For flight control system failures, except the types of jams
addressed in CS 25.671(c)(3), control column or wheel movements alone
should not be used for recognition.
The following reaction times should be used:
Flight condition | Reaction time
On ground | 1 second*
In air (< 300 m (1 000 ft) above ground level (AGL)) | 1 second*
Manual flight (> 300 m (1 000 ft) AGL) | 1 second*
Automatic flight (> 300 m (1 000 ft) AGL) | 3 seconds
*3 seconds if the control must be transferred between the pilots.
The time required to operate any disconnection system should be measured either through
ground test or flight test. This value should be used during all analysis
efforts. However, flight test or manned simulation that requires the pilot to
operate the disconnection includes this extra time, therefore, no additional
delay time would be needed for these demonstrations.
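The delay rules of paragraph 7.e.(1)(iii) can be scripted for use in an analysis or simulation set-up. The following is an added example, not part of the AMC; the names `Condition`, `Method`, `delay_budget` and the `recognition_justified` flag are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Condition(Enum):
    ON_GROUND = "on ground"
    IN_AIR_BELOW_300M_AGL = "in air, < 300 m (1 000 ft) AGL"
    MANUAL_ABOVE_300M_AGL = "manual flight, > 300 m (1 000 ft) AGL"
    AUTOMATIC_ABOVE_300M_AGL = "automatic flight, > 300 m (1 000 ft) AGL"


class Method(Enum):
    ANALYSIS = "analysis"  # disconnection time must be added explicitly
    PILOTED = "piloted"    # flight test or manned simulation: the pilot's own
                           # operation of the disconnection already takes this time


# Reaction times from the table in 7.e.(1)(iii), in seconds.
REACTION_S = {
    Condition.ON_GROUND: 1.0,
    Condition.IN_AIR_BELOW_300M_AGL: 1.0,
    Condition.MANUAL_ABOVE_300M_AGL: 1.0,
    Condition.AUTOMATIC_ABOVE_300M_AGL: 3.0,
}
HANDOVER_REACTION_S = 3.0  # table footnote: control transferred between the pilots
MIN_RECOGNITION_S = 1.0    # recognition "should not normally be less than 1 second"


@dataclass(frozen=True)
class DelayBudget:
    recognition_s: float
    reaction_s: float
    disconnect_s: float

    @property
    def total_s(self) -> float:
        return self.recognition_s + self.reaction_s + self.disconnect_s


def delay_budget(recognition_s: float, condition: Condition, method: Method, *,
                 control_transferred: bool = False,
                 measured_disconnect_s: Optional[float] = None,
                 recognition_justified: bool = False) -> DelayBudget:
    """Delay = Recognition + Reaction + Operation of Disconnection."""
    if recognition_s < MIN_RECOGNITION_S and not recognition_justified:
        # Assumption: a shorter recognition time needs an explicit justification.
        raise ValueError("recognition time below 1 s needs a justification")
    reaction = REACTION_S[condition]
    if control_transferred:
        reaction = max(reaction, HANDOVER_REACTION_S)
    # No disconnection system fitted, or the pilot physically operates it in
    # the demonstration: no additional delay term is modelled.
    if measured_disconnect_s is None or method is Method.PILOTED:
        disconnect = 0.0
    else:
        disconnect = measured_disconnect_s
    return DelayBudget(recognition_s, reaction, disconnect)


def earliest_corrective_input_s(failure_time_s: float, budget: DelayBudget) -> float:
    """Simulation time before which no corrective pilot input is modelled."""
    return failure_time_s + budget.total_s


if __name__ == "__main__":
    # Constructed case: jam at t = 10 s in manual flight, measured disconnect time 2 s.
    b = delay_budget(1.5, Condition.MANUAL_ABOVE_300M_AGL, Method.ANALYSIS,
                     measured_disconnect_s=2.0)
    print(b, b.total_s, earliest_corrective_input_s(10.0, b))
```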
(iv) Manoeuvre Capability for Continued Safe Flight and Landing. If, using the procedures
recommended by the aeroplane manufacturer, the following manoeuvres can be
performed following the failure, it will generally be considered that
continued safe flight and landing has been shown:
(A) A steady 30° banked turn to the left or
right;
(B) A roll from a steady 30° banked turn
through an angle of 60° so as to reverse the direction of the turn in not more
than 11 seconds (in this manoeuvre, the rudder may be used to the extent
necessary to minimise side-slip, and the manoeuvre may be unchecked);
(C) A push-over manoeuvre to 0.8 g, and a
pull-up manoeuvre to 1.3 g;
(D) A wings level landing flare in a 90°
crosswind of up to 18.5 km/h (10 kt) (measured at 10 m (33 ft) above the
ground); and
(E) The aeroplane remains on the paved runway
surface during the landing roll, until reaching a complete stop.
Note: In the case of a lateral or directional flight control system jam during take-off as
described in paragraph 7.b(1) or 7.b(3) of this AMC, it should be shown that
the aeroplane can safely land on a suitable runway, without crosswind and with
crosswind in the same direction as during take-off and at speeds up to the
value at which the jam was established.
(v) Control Forces. The short- and long-term control forces should not be greater than
1.5 times the short- and long-term control forces allowed by CS 25.143(d)
or CS 25.143(k) as applicable.
Short-term forces have typically been interpreted to mean the time required to accomplish
a configuration or trim change. However, taking into account the capability of
the crew to share the workload, the short-term forces provided in CS 25.143(d) or CS 25.143(k), as applicable, may be appropriate for a
longer duration, such as the evaluation of a jam on take-off and return to
landing.
During the recovery following the failure, transient control forces may exceed these
criteria to a limited extent. Acceptability of any exceedance will be
evaluated on a case-by-case basis.
(2) Structural Strength for Flight Control
System Failures.
(i) Failure Conditions per
CS 25.671(c)(1) and (c)(2). It should be shown that the aeroplane
maintains structural integrity for continued safe flight and landing. This
should be accomplished by demonstrating compliance with CS 25.302, where applicable, unless otherwise agreed with EASA.
(ii) Jam Conditions per CS 25.671(c)(3). It should be shown that the aeroplane maintains structural integrity
for continued safe flight and landing. Recognising that jams are infrequent
occurrences and that margins have been taken in the definition of normally
encountered positions in this AMC, an acceptable means of compliance for
structural substantiation of jam conditions is provided below in paragraph
7.e.(2)(iii).
(iii) Structural Substantiation. The loads
considered as ultimate should be derived from the following conditions at
speeds up to the maximum speed allowed for the jammed position or for the
failure condition:
(A) Balanced manoeuvre of the aeroplane
between 0.25 and 1.75 g with high-lift devices fully retracted and in
en-route configurations, and between 0.6 and 1.4 g with high-lift
devices extended;
(B) Vertical and lateral discrete gusts
corresponding to 40 % of the limit gust velocity specified at Vc
in CS 25.341(a) with high-lift devices fully retracted, and a 5.2-m/s
(17-ft/s) vertical and a 5.2-m/s (17-ft/s) head-on gust with high-lift devices
extended. The vertical and lateral gusts should be considered separately.
A flexible aeroplane model should be used for load calculations, where the use of a
flexible aeroplane model is significant for the loads being assessed.
8. EVALUATION OF ALL-ENGINES-FAILED CONDITION — CS 25.671(d)
a. Explanation.
The intent of CS 25.671(d) is to assure that in the event of failure of
all engines, the aeroplane will be controllable, an approach and a flare to a
landing and to a ditching is possible, and, assuming that a suitable runway is
available, the aeroplane is controllable on ground and can be stopped.
In this context:
— ‘flare to a landing/ditching’ refers to the time until touchdown;
— ‘suitable runway’ is a hard-surface runway or equivalent for which the distance
available following touchdown is consistent with the available aeroplane
ground deceleration capability.
Although the rule refers to ‘flare to a landing’ with the implication that the aeroplane is
on a runway, it is recognised that, with all engines inoperative, it may not
be possible to reach a suitable runway or landing surface. In this case, the
aeroplane must still be able to make a flare to a landing attitude.
Compliance with CS 25.671(d) effectively requires that the aeroplane is
equipped with a source(s) of emergency power, such as an air-driven generator,
windmilling engines, batteries, or other power source, capable of providing
adequate power to the systems that are necessary to control the aeroplane.
Analysis, simulation, or a combination of analysis and simulation may be used to
demonstrate compliance where the methods are shown to be reliable.
b. Procedures.
(1) The aeroplane should be evaluated to
determine that it is possible, without requiring exceptional piloting skill or
strength, to maintain control following the failure of all engines and attain
the parameters provided in the operational procedure of the aeroplane flight
manual (AFM), taking into account the time necessary to activate any backup
systems. The aeroplane should also remain controllable during restart of the
most critical engine, whilst following the AFM recommended engine restart
procedures.
(2) The most critical flight phases,
especially for aeroplanes with emergency power systems dependent on airspeed,
are likely to be the take-off, the landing, and the ditching. Credit may be
taken from the hydraulic pressure and/or the electrical power produced while
the engines are spinning down and from any residual hydraulic pressure
remaining in the system. Sufficient power must be available to complete a
wings level approach and flare to a landing, and flare to a ditching.
Analyses or tests may be used to demonstrate the capability of the control systems to
maintain adequate hydraulic pressure and/or electrical power during the time
between the failure of the engines and the activation of any power backup
systems. If any of the power backup systems rely on aerodynamic means to
generate the power, then a flight test should be conducted to demonstrate that
the power backup system can supply adequate electrical and/or hydraulic power
to the control systems. The flight test should be conducted at the minimum
practical airspeed required to perform an approach and flare to a safe landing
and ditching attitude.
(3) The manoeuvre capability following the
failure of all engines should be sufficient to complete an approach and flare
to a landing, and flare to a ditching. Note that the aeroplane weight could be
extremely low (e.g. the engine failures could be due to fuel exhaustion). The
maximum speeds for approach and landing/ditching may be limited by other CS-25
specifications (e.g. tyre speeds, flap or landing gear speeds, etc.) or by an
evaluation of the average pilot ability to conduct a safe landing/ditching. At
an operational weight determined for this case and for any other critical
weights and positions of the centre of gravity identified by the applicant, at
speeds down to the approach speeds appropriate to the aeroplane configuration,
if the following manoeuvres can be performed, it will generally be considered
that compliance has been shown:
(i) a steady 30° banked turn to the left or
right;
(ii) a roll from a steady 30° banked turn
through an angle of 60° so as to reverse the direction of the turn in not more
than 11 s (in this manoeuvre, the rudder may be used to the extent
necessary to minimise side-slip, and the manoeuvre may be unchecked);
(iii) a push-over manoeuvre to 0.8 g, and a
pull-up manoeuvre to 1.3 g;
(iv) a wings level landing flare in a 90°
crosswind of up to 18.5 km/h (10 kt) (measured at 10 m (33 ft) above the
ground).
Note: If the loss of all engines has no effect on the flight control authority of the
aeroplane, then the results of the flight tests of the basic handling
qualities with all engines operating may be used to demonstrate the
satisfactory handling qualities of the aeroplane with all engines failed.
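The roll-reversal and load-factor criteria listed in paragraphs 7.e.(1)(iv) and 8.b.(3) lend themselves to an automated check on recorded or simulated time histories. The following is an added example, not part of the AMC; the function names, the sampling format and the constructed time histories are assumptions.

```python
from typing import Dict, List, Optional, Tuple

BankSample = Tuple[float, float]  # (time in s, bank angle in deg, right turn positive)

STEADY_BANK_DEG = 30.0   # steady banked turn the manoeuvre starts from
ROLL_THROUGH_DEG = 60.0  # roll through 60 deg to reverse the turn
MAX_REVERSAL_S = 11.0    # "in not more than 11 seconds"
PUSH_OVER_G = 0.8
PULL_UP_G = 1.3


def roll_reversal_time(history: List[BankSample]) -> Optional[float]:
    """Time from leaving the steady 30 deg bank to reaching 30 deg the other way.

    Returns None if the history never completes the reversal.
    """
    # Normalise so that the initial turn is always a positive bank angle.
    sign = 1.0 if history[0][1] >= 0.0 else -1.0
    hist = [(t, sign * bank) for t, bank in history]
    target = STEADY_BANK_DEG - ROLL_THROUGH_DEG  # -30 deg after normalisation
    t_start = None
    for (t0, b0), (t1, b1) in zip(hist, hist[1:]):
        if t_start is None and b0 >= STEADY_BANK_DEG > b1:
            t_start = t0  # last sample still in the steady turn
        if t_start is not None and b0 > target >= b1:
            # Linear interpolation of the instant the opposite bank is reached.
            frac = (b0 - target) / (b0 - b1)
            return t0 + frac * (t1 - t0) - t_start
    return None


def assess_manoeuvres(roll_history: List[BankSample],
                      nz_history_g: List[float]) -> Dict[str, object]:
    """Check the roll reversal and push-over/pull-up criteria."""
    t_rev = roll_reversal_time(roll_history)
    return {
        "roll_reversal_s": t_rev,
        "roll_reversal_ok": t_rev is not None and t_rev <= MAX_REVERSAL_S,
        "load_factor_ok": (min(nz_history_g) <= PUSH_OVER_G
                           and max(nz_history_g) >= PULL_UP_G),
    }


def constructed_roll_history(roll_rate_dps: float, hold_s: int = 2,
                             end_s: int = 20) -> List[BankSample]:
    """Constructed sample data: hold 30 deg, then roll at a constant rate to -30 deg."""
    hist = []
    for t in range(end_s + 1):
        if t <= hold_s:
            bank = STEADY_BANK_DEG
        else:
            bank = max(STEADY_BANK_DEG - roll_rate_dps * (t - hold_s), -STEADY_BANK_DEG)
        hist.append((float(t), bank))
    return hist


if __name__ == "__main__":
    nz = [1.0, 0.9, 0.8, 1.0, 1.2, 1.3, 1.0]  # constructed load-factor trace
    print(assess_manoeuvres(constructed_roll_history(6.0), nz))  # 10 s: acceptable
    print(assess_manoeuvres(constructed_roll_history(5.0), nz))  # 12 s: too slow
```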
(4) It should be possible to perform a flare
to a safe landing and ditching attitude, in the most critical configuration,
from a stabilised approach using the recommended approach speeds, pitch
angles, and the appropriate AFM procedures, without requiring exceptional
piloting skills or strengths. For transient manoeuvres, forces are allowed up
to 1.5 times those specified in CS 25.143(d) or CS 25.143(k)
as applicable for temporary application with two hands available for control.
Similarly to paragraph 7.e.(1)(v) of this AMC, the acceptability of any exceedance will be
evaluated on a case-by-case basis.
(5) Finally, assuming that a suitable runway
is available, it should be possible to control the aeroplane until it comes to
a complete stop on the runway. A means of positive deceleration should be
provided.
A suitable runway should have the lateral dimensions, length and load-bearing capability
that meets the requirements defined in the emergency procedures of the AFM.
It is not necessary to consider adverse environmental conditions (e.g. wet or
contaminated runway, tailwind) when demonstrating compliance for the on-ground
phase.
9. EVALUATION OF CONTROL AUTHORITY AWARENESS — CS 25.671(e)
CS 25.671(e) requires an indication to the flight crew
when a flight condition exists in which near-full-flight-control authority
(whether or not it is pilot-commanded) is being used. Suitability of such an
annunciation should take into account that some pilot-commanded manoeuvres
(e.g. rapid roll) are necessarily associated with intended full performance,
which may saturate the surface. Therefore, simple alerting systems, which
should function in both intended and unexpected flight control-limiting
situations, should be properly balanced between needed crew awareness and
nuisance alerting. Nuisance alerting must be minimised per CS 25.1322
by correct setting of the alerting threshold.
Depending on the application, suitable indications may include cockpit flight control
position, annunciator light, or surface position indicators. Furthermore, this
requirement applies to the limits of flight control authority, not necessarily
to the limits of any individual surface travel.
When the aeroplane is equipped with an unpowered manual flight control system, the
pilot may be de facto aware of the limit of control authority. In this case, no other means
of indication may be required.
10. EVALUATION OF FLIGHT CONTROL SYSTEM MODES OF OPERATION — CS 25.671(f)
Some flight control systems, for instance, electronic flight control systems, may
have multiple modes of operation not restricted to being either on or off. The
applicant should evaluate the different modes of operation and the transition
between them in order to establish if they are intuitive or not.
If these modes, or the transition between them, are not intuitive, an alert to the
flight crew may be required. Any alert must comply with CS 25.1322. This includes the indication to the flight crew of the loss of
protections.
11. DEMONSTRATION OF ACCEPTABLE MEANS OF COMPLIANCE
It is recognised that it may be neither practical nor appropriate to demonstrate
compliance by flight test for all of the failure conditions noted herein.
Compliance may be demonstrated by analysis, simulation, a piloted engineering
simulator, flight test, or a combination of these methods, as agreed with
EASA. Simulation methods should include an accurate representation of the
aeroplane characteristics and of the pilot response, including time delays as
specified in paragraph 7.e(1)(iii) of this AMC.
Compliance with CS 25.671 may result in AFM non-normal and emergency
procedures. Verification of these procedures may be accomplished in flight,
or, with the agreement of EASA, using a piloted simulator.
a. Acceptable Use of Simulations. It is generally difficult to define the types of
simulations that might be acceptable in lieu of flight test without
identifying specific conditions or issues. However, the following general
principles can be used as guidance for making this kind of decision:
(1) In general, flight test is the preferred
method to demonstrate compliance;
(2) Simulation may be an acceptable
alternative to flight test, especially when:
(i) a flight test would be too risky even
after attempts to mitigate these risks (e.g. ‘simulated’ take-offs/landings at
high altitude);
(ii) the required environmental conditions, or
the representation of the failure conditions, are too difficult to attain
(e.g. wind shear, high crosswinds, system failure configurations);
(iii) the simulation is used to augment a
reasonably broad flight test programme;
(iv) the simulation is used to demonstrate
repeatability.
b. Simulation Requirements. In order to be acceptable for use in demonstrating
compliance with the requirements for performance and handling qualities, a
simulation method should:
(1) be suitably validated by flight test data
for the conditions of interest; furthermore:
(i) this does not mean that there must be
flight test data at the exact conditions of interest; the reason why a
simulation method is being used may be that it is too difficult or risky to
obtain flight test data at the conditions of interest;
(ii) the level of substantiation of the
simulator to flight correlation should be commensurate with the level of
compliance (i.e. unless it is determined that the simulation is conservative,
the closer the case is to being non-compliant, the higher the required quality
of the simulation);
(2) be conducted in a manner appropriate to
the case and conditions of interest:
(i) if closed-loop responses are important,
the simulation should be piloted by a human pilot;
(ii) for piloted simulations, the
controls/displays/cues should be substantially equivalent to what would be
available in the real aeroplane (unless it is determined that not doing so
would provide added conservatism).
12. SPECIFICITIES OF AEROPLANES WITH FLY-BY-WIRE FLIGHT CONTROL SYSTEMS
a. Control Signal Integrity.
If the aeroplane is equipped with a conventional flight control system, the
transmission of command signals to the primary and secondary flight control
surfaces is made through conventional mechanical and hydromechanical means.
The determination of the origin of perturbations to command transmissions is
relatively straightforward since failure cases can usually be classified in a
limited number of categories that include maintenance error, jamming,
disconnection, runaway, failure of mechanical element, or structural failure
of hydraulic components. Therefore, it is almost always possible to identify
the most severe failure cases that would serve as an envelope to all other
cases that have the same consequences.
However, when the aeroplane is equipped with flight control systems using the
fly-by-wire technology, incorporating digital devices and software, experience
from electronic digital transmission lines shows that the perturbation of
signals from internal and external sources is not unlikely.
The perturbations are described as signals that result from any condition that is
able to modify the command signal from its intended characteristics. They can
be classified in two categories:
(1) Internal causes that could modify the
command and control signals include, but are not limited to:
— loss of data bits, frozen or erroneous values;
— unwanted transients;
— computer capacity saturation;
— processing of signals by asynchronous microprocessors;
— adverse effects caused by transport lag;
— poor resolution of digital signals;
— sensor noise;
— corrupted sensor signals;
— aliasing effects;
— inappropriate sensor monitoring thresholds;
— structural interactions (such as control surface compliance or coupling of structural
modes with control modes) that may adversely affect the system operation.
(2) External causes that could modify the
command and control signals include but are not limited to:
— high-intensity radiated fields (HIRF);
— lightning;
— electromagnetic interference (EMI) effects (e.g. motor interference, aeroplane’s own
electrical power and power switching transients, smaller signals if they can
affect flight control, transients due to electrical failures).
Spurious signals and/or false data that are a consequence of perturbations in either of
the two above categories may result in malfunctions that produce unacceptable
system responses equivalent to those of conventional systems such as limit
cycle/oscillatory failures, runaway/hardover conditions, disconnection,
lockups and false indication/warning that consequently present a flight
hazard. It is imperative that the command signals remain continuous and free
from internal and external perturbations and common-cause failures. Therefore,
special design measures should be employed to maintain system integrity at a
level of safety at least equivalent to that which is achieved with traditional
hydromechanical designs. These special design measures can be monitored
through the system safety assessment (SSA) process, provided specific care is
directed to development methods and on quantitative and qualitative
demonstrations of compliance.
The following should be considered when evaluating compliance with CS 25.671(c)(2):
(1) The flight control system should continue
to provide its intended function, regardless of any malfunction from sources
in the integrated systems environment of the aeroplane.
(2) Any malfunctioning system in the
aerodynamic loop should not produce an unsafe level of uncommanded motion and
should automatically recover its ability to perform critical functions upon
removal of the effects of that malfunction.
(3) Systems in the aerodynamic loop should not
be adversely affected during and/or after exposure to any sources of a
malfunction.
(4) Any disruption to an individual unit or
component as a consequence of a malfunction, and which requires annunciation
and flight crew action, should be identified to and agreed by EASA to assure
that:
a) the failure can be recognised by the
flight crew, and
b) the flight crew action can be expected to
result in continued safe flight and landing.
(5) An automatic change from a normal to a
degraded mode that is caused by spurious signal(s) or malfunction(s) should
meet the probability guidelines associated with the hazard assessment
established in AMC 25.1309, e.g. for a condition assessed as ‘major’,
the probability of occurrence should be no more than ‘remote’ (Pc < 10⁻⁵
per flight hour).
(6) Exposure to a spurious signal or
malfunction should not result in a hazard with a probability greater than that
allowed by the criteria of AMC 25.1309. The impact on handling qualities
should be evaluated.
The complexity and criticality of the fly-by-wire flight control system
necessitate additional laboratory testing beyond that required as part of
individual equipment validation and software verification.
It should be shown that either the fly-by-wire flight control system signals cannot be
altered unintentionally, or that altered signal characteristics would meet the
following criteria:
(1) Stable gain and phase margins are
maintained for all control surface closed-loop systems.
Pilot control inputs (pilot in the loop) are excluded from this requirement;
(2) Sufficient pitch, roll, and yaw control
power is available to provide control for continued safe flight and landing,
considering all the fly-by-wire flight control system signal malfunctions that
are not extremely improbable; and
(3) The effect of spurious signals on the
systems that are included in the aerodynamic loop should not result in
unacceptable transients or degradation of the performance of the aeroplane.
Specifically, in case of signals that would cause a significant uncommanded
motion of a control surface actuator, either the signal should be readily
detected and deactivated or the surface motion should be arrested by other
means in a satisfactory manner. Small amplitude residual system oscillations
may be acceptable.
It should be demonstrated that the output from the control surface closed-loop system does
not result in uncommanded, sustained oscillations of flight control surfaces.
The effects of minor instabilities may be acceptable, provided that they are
thoroughly investigated, documented, and understood. An example of an
acceptable condition would be one where a computer input is perturbed by
spurious signals, but the output signal remains within the design tolerances,
and the system is able to continue to operate in its selected mode of
operation and is not affected by this perturbation.
When demonstrating compliance with CS 25.671(c), these system characteristics
should be demonstrated using the following means:
(1) Systematic laboratory validation that
includes a realistic representation of all relevant interfacing systems, and
associated software, including the control system components that are part of
the pitch, roll, and yaw axis control. Closed-loop aeroplane simulation/testing
is necessary in this laboratory validation;
(2) Laboratory or aeroplane testing to
demonstrate unwanted coupling of electronic command signals and their effects
on the mechanical actuators and interfacing structure over the spectrum of
operating frequencies; and
(3) Analysis or inspection to substantiate
that physical or mechanical separation and segregation of equipment or
components are utilised to minimise any potential hazards.
A successful demonstration of signal integrity should include all the elements that
contribute to the command and control signals to the ‘aerodynamic closed loop’
that actuates the aerodynamic control surfaces (e.g. rudder, elevator,
stabiliser, flaps, and spoilers). The ‘aerodynamic closed loop’ should be
evaluated for the normal and degraded modes. Elements of the integrated
‘aerodynamic closed loop’ may include, for example: digital or analogue flight
control computers, power control units, control feedback, major data busses,
and the sensor signals including: air data, acceleration, rate gyros, commands
to the surface position, and respective power supply sources. Autopilot
systems (including feedback functions) should be included in this
demonstration if they are integrated with the fly-by-wire flight control
system.
b. Formalisation of Compliance Demonstration
for Electronic Flight Control Laws.
On fly-by-wire aeroplanes, flight controls are typically implemented according to
complex control laws and logics.
The handling qualities certification tests, usually performed on conventional aeroplanes to
demonstrate compliance with CS-25 Subpart B specifications, are not considered
to be sufficient to demonstrate the behaviour of the flight control laws in
all foreseeable situations that may be encountered in service.
In order to demonstrate compliance with an adequate level of formalisation, the following
should be performed and captured within certification documents:
— Determination of the flight control characteristics that require detailed and specific test
strategy; and
— Substantiation of the proposed validation strategy (flight tests, simulator tests, analyses,
etc.) covering the characteristics and features determined above.
In particular, the following characteristics of flight control laws should be
covered:
— discontinuities;
— robustness versus piloted manoeuvres and/or adverse weather conditions;
— protection priorities (entry/exit logic conditions not symmetrical);
— control law mode changes with and without failures; and
— determination of critical scenarios for multiple failures.
The validation strategy should include, but should not be limited to, operational
scenarios. The determination that an adequate level of formalisation of
validation strategy has been achieved should be based on engineering
judgement.
[Amdt No: 25/24]
[Amdt No: 25/27]