AMC 25.901(c) Safety Assessment of Powerplant Installations
ED Decision 2005/006/R
1. PURPOSE.
This Acceptable Means of Compliance (AMC) describes an acceptable means for
showing compliance with the requirements of CS 25.901(c).
This document describes a method of conducting a “System Safety Assessment” of
the powerplant installation as a means for demonstrating compliance. This
guidance is intended to supplement the engineering and operational judgement
that must form the basis of any compliance findings. The guidance provided in
this document is meant for aeroplane manufacturers, modifiers, foreign
regulatory authorities, and EASA Large Aeroplane type certification engineers.
Like all AMC material, this AMC is not, in itself, mandatory, and does not
constitute a requirement. It is issued to describe an acceptable means, but
not the only means, for demonstrating compliance with the powerplant
installation requirements for Large Aeroplanes. Terms such as “shall” and
“must” are used only in the sense of ensuring applicability of this particular
method of compliance when the acceptable method of compliance described in
this document is used.
2. RELATED CERTIFICATION SPECIFICATIONS.
CS 25.571, CS 25.901, CS 25.903, CS 25.933, CS 25.1309, and CS 25.1529; CS E-50 and E-510, CS P-150 and P-230.
3. APPLICABILITY.
The guidance provided in this document applies to powerplant installations on
Large Aeroplanes that are subject to the requirements of CS 25.901.
This guidance specifically concerns demonstrating compliance with the
requirements of CS 25.901(c), which states:
“(c) The powerplant installation must comply with CS 25.1309, except that the effects of the following need not comply with CS 25.1309(b):
(1) Engine case burn through or rupture;
(2) Uncontained engine rotor failure; and
(3) Propeller debris release.”
CS 25.901(c) is intended to provide an overall safety assessment
of the powerplant installation that is consistent with the requirements of CS 25.1309, while accommodating unique powerplant installation compliance
policies. It is intended to augment rather than replace other applicable CS-25
design and performance standards for Large Aeroplanes.
In accommodating unique policies related to powerplant compliance, EASA has determined that specific guidance relative to demonstrating compliance with CS 25.1309(b) is needed; such guidance is contained in this AMC. (No unique compliance requirements for CS 25.1309(a) and (c) are required for powerplant installations.)
Wherever this AMC indicates that compliance with other applicable requirements has been accepted as also meeting the intent of CS 25.901(c) for a specific failure condition, no additional dedicated safety analysis is required. Where this AMC may conflict with AMC 25.1309 (“System Design and Analysis”), this AMC shall take precedence for providing guidance in demonstrating compliance with CS 25.901(c).
When assessing the potential hazards to the aircraft caused by the powerplant installation, the effects of an engine case rupture, uncontained engine rotor failure, engine case burn-through, and propeller debris release are excluded from CS 25.901(c)/CS 25.1309. The effects and rates of these failures are minimised by compliance with CS-E, Engines; CS-P, Propellers; CS 25.903(d)(1), CS 25.905(d), and CS 25.1193.
Furthermore, the effects of encountering environmental threats or other operating conditions more severe than those for which the aircraft is certified (such as volcanic ash or operation above placard speeds) need not be considered in the CS 25.901(c)/CS 25.1309 compliance process. However, if a failure or malfunction can affect the subsequent environmental qualification or other operational capability of the installation, this effect should be accounted for in the CS 25.901(c)/CS 25.1309 assessment.
The terms used in this AMC are intended to be identical to those used in AMC 25.1309.
4. BACKGROUND.
JAR-25 was the Joint Aviation Authorities Airworthiness Code for Large Aeroplanes. It was developed from the U.S. Federal Aviation Regulations Part 25 (FAR 25) during the 1970s. Early versions (Changes) of JAR-25 consisted of only the differences from FAR 25.
In 1976, JAR-25 Change 3 was published and introduced, for the first time, requirement JAR 25.1309 and ACJ Nos. 1 to 7 to JAR 25.1309. Requirement JAR 25.1309 was almost the same as the (then) existing FAR regulation (Amdt. 25-37), but the advisory material given in the ACJ provided interpretation of, and acceptable means of compliance with, the requirement. Specific advice was given on how to show that the inverse relationship existed between the criticality of the Failure Condition and its probability of occurrence.
JAR-25, Change 3, did not include any specific JAR-25 requirement for powerplant installation safety assessment and so FAR 25.901(c) was also valid for JAR-25. FAR 25.901(c) text (Amdt. 25-23, Effective 8 May 1970) stated:
“25.901 Installation
(c) The powerplant installation must comply with § 25.1309”.
At Change 4 of JAR-25, effective 19 July 1978, JAR 25.901(c) was introduced using the same FAR 25 words as shown above (viz.):
“JAR 25.901 Installation
(c) The power-plant installation must comply with JAR 25.1309.”
However, at about that time, the FAA had been reviewing a proposal to revise FAR 25.901(c), to introduce the wording “… no single failure or probable combination …”. This revised text was introduced at Amdt. 25-40, effective 2 May 1977.
The revisions introduced by Amdt. 25-40 were reviewed by the JAR-25 Study Groups and in two letters (Refs.: JAR/JET/2416/BT dated 21 July 1977 and JAR/JET/2467/BT dated 21 October 1977), the JAR-25 Powerplant Study Group recommended that, for JAR 25.901(c), the text should remain the same as the pre-Amdt. 25-40 version of FAR 25.901(c).
Since that time, JAR 25.901(c) and CS 25.901(c) have continued to refer to JAR / CS 25.1309 and for EASA/JAA, powerplant installations have been treated in the same way as for other aircraft systems when assessing the effects of failures and malfunctions.
One traditional exception to this has been the assessment of hazards resulting from an engine rotor failure. Previous ACJ No. 1 to JAR 25.1309 allowed for an explicit exception to the quantitative objective for a given catastrophic failure condition, for cases where the state of the art does not permit it to be achieved. This is the case for engine rotor failure and the ‘minimisation of hazard’ requirement of CS 25.903(d)(1) has been used instead of CS 25.1309 to cover this risk.
5. GENERAL SYSTEM SAFETY ASSESSMENT GUIDANCE.
Compliance with CS 25.901(c)/CS 25.1309 may be shown by a System Safety Assessment (SSA) substantiated by appropriate testing and/or comparable service experience. Such an assessment may range from a simple report that offers descriptive details associated with a failure condition, interprets test results, compares two similar systems, or offers other qualitative information; to a detailed failure analysis that may include estimated numerical probabilities.
The depth and scope of an acceptable SSA depend on:
— the complexity and criticality of the functions performed by the system(s) under consideration,
— the severity of related failure conditions,
— the uniqueness of the design and extent of relevant service experience,
— the number and complexity of the identified causal failure scenarios, and
— the detectability of contributing failures.
The SSA criteria, process, analysis methods, validation and documentation should be consistent with the guidance material contained in AMC 25.1309. Wherever there is unique guidance specifically for powerplant installations, this is delineated in Section 6, below.
In carrying out the SSA for the powerplant installation for CS 25.901(c)/CS 25.1309, the results of the engine (and propeller) failure analyses (reference CS P-150 and CS E-510) should be used as inputs for those powerplant failure effects that can have an impact on the aircraft. However, the SSA undertaken in response to CS-E and CS-P may not address all the potential effects that an engine and propeller as installed may have on the aircraft.
For those failure conditions covered by analysis under CS-E and CS-P, and for which the installation has no effect on the conclusions derived from these analyses, no additional analyses will be required to demonstrate compliance to CS 25.901(c)/CS 25.1309.
The effects of structural failures on the powerplant installation, and vice versa, should be carefully considered when conducting system safety assessments:
a. Effects of structural failures on powerplant installation. The powerplant installation must be shown to comply with CS 25.901(c) following structural failures that are anticipated to occur within the fleet life of the aeroplane type. This should be part of the assessment of powerplant installation failure condition causes.
Examples of structural failures that have been of concern in previous powerplant installations are:
(1) Thrust reverser restraining load path
failure that may cause a catastrophic inadvertent deployment.
(2) Throttle quadrant framing or mounting
failure that causes loss of control of multiple engines.
(3) Structural failures in an avionics rack or
related mounting that cause loss of multiple, otherwise independent,
powerplant functions/components/systems.
b. Effects of powerplant installation failures on structural elements. Any effect of powerplant installation failures that could influence the suitability of affected structures should be identified during the CS 25.901(c) assessment and accounted for when demonstrating compliance with the requirements of CS-25, Subpart C (“Structure”) and D (“Design and Construction”). This should be part of the assessment of powerplant installation failure condition effects.
Some examples of historical interdependencies between powerplant installations and structures include:
(1) Fuel system failures that cause excessive
fuel load imbalance.
(2) Fuel vent, refuelling, or feed system
failures that cause abnormal internal fuel tank pressures.
(3) Engine failures that cause excessive
loads/vibration.
(4) Powerplant installation failures that
expose structures to extreme temperatures or corrosive material.
6. SPECIFIC CS 25.901(c) SYSTEM SAFETY ASSESSMENT GUIDANCE.
This section provides compliance guidance unique to powerplant installations.
a. Undetected Thrust Loss. The SSA
discussed in Section 5 should consider undetected thrust loss and its effect
on aircraft safety. The assessment should include an evaluation of the failure
of components and systems that could cause an undetected thrust loss, except
those already accounted for by the approved average-to-minimum engine
assessment.
(1) In determining the criticality of
undetected thrust losses from a system design and installation perspective,
the following should be considered:
(i) Magnitude of the thrust loss,*
(ii) Direction of thrust,
(iii) Phase of flight, and
(iv) Impact of the thrust loss on aircraft
safety.
(*Although
it is common for safety analyses to consider the total loss of one engine's
thrust, a small undetected thrust loss that persists from the point of
take-off power set could have a more significant impact on the accelerate/stop
distances and take-off flight path/obstacle clearance capability than a
detectable single engine total loss of thrust failure condition at V1)
(2) In addition, the level at which any thrust
loss becomes detectable should be validated. This validation is typically
influenced by:
(i) Impact on aircraft performance and
handling,
(ii) Resultant changes in powerplant
indications,
(iii) Instrument accuracy and visibility,
(iv) Environmental and operating conditions,
(v) Relevant crew procedures and capabilities,
etc.
(3) Reserved.
b. Detected Thrust Loss. While detectable
engine thrust losses can range in magnitude from a few percent to 100% of
total aircraft thrust, the total loss of useful thrust (in-flight
shutdown/IFSD) of one or more engines usually has the largest impact on aircraft
capabilities and engine-dependent systems. Furthermore, single and multiple
engine IFSD’s tend to be the dominant thrust loss-related failure conditions
for most powerplant installations. In
light of this, the guidance in this AMC focuses on the IFSD failure
conditions. The applicant must consider other engine thrust loss failure
conditions, as well, if they are anticipated to occur more often than the IFSD
failure condition, or if they are more severe than the related IFSD failure
condition.
(1) Single Engine IFSD. The effects of any single engine thrust loss failure condition, including IFSD, on aircraft performance, controllability, manoeuvrability, and crew workload are accepted as meeting the intent of CS 25.901(c) if compliance is also demonstrated with:
— CS 25.111 (“Take-off path”),
— CS 25.121 (“Climb: one-engine-inoperative”), and
— CS 25.143 (“Controllability and Manoeuvrability -- General”).
(i) Nevertheless, the effects of an IFSD on other aircraft systems or in combination with other conditions also must be assessed as part of showing compliance with CS 25.901(c)/CS 25.1309. In this case, it should be noted that a single engine IFSD can result from any number of single failures, and that the rate of IFSDs ranges from approximately 1x10⁻⁴ to 1x10⁻⁵ per engine flight hour. This rate includes all failures within a typical powerplant installation that affect one -- and only one -- engine. Those failures within a typical powerplant that can affect more than one engine are described in Section 6.b.(2), below.
(ii) If an estimate of the IFSD rate is
required for a specific turbine engine installation, any one of the following
methods is suitable for the purposes of complying with CS 25.901(c)/ CS
25.1309(b):
(A) Estimate the IFSD rate based on service
experience of similar powerplant installations;
(B) Perform a bottom-up reliability analysis
using service, test, and any other relevant experience with similar components
and/or technologies to predict component failure modes and rates; or
(C) Use a conservative value of 1x10⁻⁴ per flight hour.
(iii) If an estimate of the percentage of these
IFSD’s for which the engine is restartable is required, the estimate should be
based on relevant service experience.
(iv) The use of the default value delineated in
paragraph 6.b.(1)(ii)(C) is limited to traditional turbine engine
installations. However, the other methods (listed in 6.b.(1)(ii)(A) and (B),
above) are acceptable for estimating the IFSD rates and restartability for
other types of engines, such as some totally new type of engine or unusual
powerplant installation with features such as a novel fuel feed system. In the case of new or novel components,
significant non-service experience may be required to validate the reliability
predictions. This is typically attained through test and/or technology
transfer analysis.
(v) Related issues that should be noted here
are:
(A) CS 25.901(b)(2) sets an additional
standard for installed engine reliability. This requirement is intended to
ensure that all technologically feasible and economically practical means are
used to assure the continued safe operation of the powerplant installation
between inspections and overhauls.
(B) The effectiveness of compliance with CS 25.111, CS 25.121
and CS 25.143 in meeting the intent of CS 25.901(c) for single engine thrust loss is dependent on the
accuracy of the human factors assessment of the crew’s ability to take
appropriate corrective action. For the
purposes of compliance with CS 25.901(c) in this area, it may be assumed that
the crew will take the corrective actions called for in the aeroplane flight
manual procedures and associated approved training.
(2) Multiple Engine IFSD. Typical engine IFSD rates may not meet the AC 25.1309-1B guidance that calls for 1x10⁻⁹ per hour for a catastrophic multiple engine IFSD. However, engine IFSD rates have been part of the historically-accepted service experience upon which that guidance was based, and these IFSD rates are continuously improving. Consequently:
(i) Current typical turbine engine IFSD
rates, and the resulting possibility of multiple independent IFSD’s leading to
a critical power loss, are considered inherently acceptable for compliance
with CS 25.901(c) without the need for quantitative assessment.
(ii) Nevertheless, some combinations of failures within aircraft systems common to multiple engines may cause a catastrophic multiple engine thrust loss. These should be assessed to ensure that they meet the extremely improbable criteria. Systems to be considered include:
— fuel system,
— air data system,
— electrical power system,
— throttle assembly,
— engine indication systems, etc.
(iii) The means of compliance described above is
only valid for turbine engines, and for engines that can demonstrate
equivalent reliability to turbine engines, using the means outlined in Section
6.a. of this AMC. The approach to demonstrating equivalent reliability should
be discussed early in the program with the Agency on a case-by-case basis.
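As an added illustration (not part of the AMC and not any applicant's assessment), the following Python sketch applies the three single-engine IFSD rate estimation methods of 6.b.(1)(ii) to a hypothetical twin-engine installation and shows why, at the upper end of the typical 1x10⁻⁴ to 1x10⁻⁵ per engine flight hour range, a naive calculation of independent multiple-engine IFSD does not reach the 1x10⁻⁹ per hour target quoted in 6.b.(2). All event counts, flight hours and component rates are constructed for illustration; common-cause failures through shared systems (6.b.(2)(ii)) are deliberately outside what it computes.

```python
from math import comb, exp
from typing import Dict

DEFAULT_IFSD_RATE = 1e-4      # 6.b.(1)(ii)(C): conservative default, per flight hour
CATASTROPHIC_TARGET = 1e-9    # per hour, the figure quoted in 6.b.(2)


def ifsd_rate_from_service(ifsd_events: int, engine_flight_hours: float) -> float:
    """Method (A): point estimate from fleet experience of a similar installation."""
    if engine_flight_hours <= 0:
        raise ValueError("engine flight hours must be positive")
    return ifsd_events / engine_flight_hours


def ifsd_rate_bottom_up(component_rates: Dict[str, float]) -> float:
    """Method (B): bottom-up estimate. Each entry is the failure rate (per engine
    flight hour) of one component whose failure on its own causes an IFSD; for
    rare independent events the union rate is well approximated by the sum."""
    return sum(component_rates.values())


def independent_multi_ifsd_rate(per_engine_rate: float, engines: int,
                                failures: int, window_hours: float = 1.0) -> float:
    """Approximate per-hour rate of `failures` or more INDEPENDENT IFSDs among
    `engines` engines inside one window of `window_hours`. Each engine is
    treated as an independent exponential failure process (p = 1 - exp(-lambda*T));
    the binomial tail over the engines gives the probability per window and
    dividing by the window length converts it to a per-hour rate. Common-cause
    paths through shared systems (6.b.(2)(ii)) are NOT captured here."""
    if not 1 <= failures <= engines:
        raise ValueError("failures must be between 1 and engines")
    p = 1.0 - exp(-per_engine_rate * window_hours)
    tail = sum(comb(engines, j) * p ** j * (1.0 - p) ** (engines - j)
               for j in range(failures, engines + 1))
    return tail / window_hours


def meets_catastrophic_target(rate_per_hour: float) -> bool:
    """True when the rate is at or below the 1x10^-9 per hour catastrophic target."""
    return rate_per_hour <= CATASTROPHIC_TARGET


if __name__ == "__main__":
    # Constructed inputs for a hypothetical twin-engine installation.
    service_rate = ifsd_rate_from_service(ifsd_events=12, engine_flight_hours=150_000)
    bottom_up_rate = ifsd_rate_bottom_up({
        "fuel metering unit": 3e-5, "ignition/control": 2e-5, "oil system": 1e-5})
    for label, lam in [("service experience", service_rate),
                       ("bottom-up", bottom_up_rate),
                       ("default 1x10^-4", DEFAULT_IFSD_RATE),
                       ("best typical 1x10^-5", 1e-5)]:
        dual = independent_multi_ifsd_rate(lam, engines=2, failures=2)
        print(f"{label:22s} single IFSD {lam:.1e}/h -> independent dual IFSD "
              f"{dual:.1e}/h  meets 1e-9 target: {meets_catastrophic_target(dual)}")
```

The run shows the independent dual-IFSD rate falling short of the target at 1x10⁻⁴ and meeting it at 1x10⁻⁵, which is the spread the AMC resolves by declaring the independent case inherently acceptable rather than requiring the number.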
c. Automatic Take-off Thrust Control
System. CS-25, Appendix I [“Automatic Take-off Thrust Control System
(ATTCS)”], specifies the minimum reliability levels for these automatic
systems. In addition to showing compliance with these reliability levels for
certain combinations of failures, other failure conditions that can arise as a
result of introducing such a system must be shown to comply with CS 25.901(c)/CS
25.1309.
d. Thrust Management Systems. A System Safety Assessment is essential for any aeroplane system that aids the crew in managing engine thrust (i.e., computing target engine ratings, commanding engine thrust levels, etc.). As a minimum, the criticality and failure hazard classification must be assessed. The system criticality will depend on:
— the range of thrust management errors it could cause,
— the likelihood that the crew will detect these errors and take appropriate corrective action, and
— the severity of the effects of these errors with and without crew intervention.
The hazard classification will depend on the most severe effects anticipated from any system. The need for more in-depth analysis will depend upon the system's complexity, novelty, initial failure hazard classification, relationship to other aircraft systems, etc.
(1) Automated thrust management features, such
as autothrottles and target rating displays, traditionally have been certified
on the basis that they are only conveniences to reduce crew workload and do
not relieve the crew of any responsibility for assuring proper thrust
management. In some cases, malfunctions
of these systems can be considered to be minor, at most. However, for this to be valid, even when the
crew is no longer directly involved in performing a given thrust management
function, the crew must be provided with information concerning unsafe system
operating conditions to enable them to take appropriate corrective action.
(2) Consequently, when demonstrating
compliance with CS 25.901(c)/CS 25.1309, failures within any automated thrust
management feature which, if not detected and properly accommodated by crew
action, could create a catastrophe should be either:
(i) considered a catastrophic failure
condition when demonstrating compliance with CS 25.901(c)/CS 25.1309(b); or
(ii) considered an unsafe system operating
condition when demonstrating compliance with the warning requirements of CS
25.1309(c).
e. Thrust Reverser. Compliance with CS 25.933(a) (“Reversing systems”) provides demonstration of compliance with CS
25.901(c)/CS 25.1309 for the thrust reverser
in-flight deployment failure conditions. A standard CS 25.901(c)/CS 25.1309 System Safety Assessment should be performed for
any other thrust reverser-related failure conditions.
7. TYPICAL FAILURE CONDITIONS FOR POWERPLANT SYSTEM INSTALLATIONS.
The purpose of this section is to provide a list of typical failure conditions that may be applicable to a powerplant system installation. This list is by no means all-encompassing, but it captures some failure conditions that have been of concern in previous powerplant system installations. The specific failure conditions identified during the preliminary SSA for the installation should be reviewed against this list to assist in ensuring that all failure conditions have been identified and properly addressed.
As stated previously in this AMC, the assessment of these failure conditions may range from a simple report that offers descriptive details associated with a failure condition, interprets test results, compares two similar systems, or offers other qualitative information; to a detailed failure analysis that may include estimated numerical probabilities. The assessment criteria, process, analysis methods, validation, and documentation should be consistent with the guidance material contained in AMC 25.1309.
a. Fire Protection System - Failure
Conditions:
(1) Loss of detection in the presence of a
fire.
(2) Loss of extinguishing in the presence of a
fire.
(3) Loss of fire zone integrity in the
presence of a fire.
(4) Loss of flammable fluid shut-off or
drainage capability in the presence of a fire.
(5) Creation of an ignition source outside a
fire zone but in the presence of flammable fluids.
b. Fuel System -- Failure Conditions:
(1) Loss of fuel feed/fuel supply.
(2) Inability to control lateral and
longitudinal balance.
(3) Hazardously misleading fuel indications.
(4) Loss of fuel tank integrity.
(5) Loss of fuel jettison.
(6) Uncommanded fuel jettison.
c. Powerplant Ice Protection - Failure
Conditions:
(1) Loss of propeller, inlet, engine, or other
powerplant ice protection on multiple powerplants when required.
(2) Loss of engine/powerplant ice detection.
(3) Activation of engine inlet ice protection
above limit temperatures.
d. Propeller Control - Failure Conditions:
(1) Inadvertent fine pitch (overspeed,
excessive drag).
(2) Inadvertent coarse pitch (over-torque, thrust asymmetry).
(3) Uncommanded propeller feathering.
(4) Failure to feather.
(5) Inadvertent application of propeller brake
in flight.
(6) Unwanted reverse thrust (pitch).
e. Engine Control and Indication -- Failure
Conditions:
(1) Loss of thrust.
(2) Loss of thrust control, including
asymmetric thrust, thrust increases, thrust decreases, thrust fail fixed, and
unpredictable engine operation.
(3) Hazardously misleading display of
powerplant parameter(s).
f. Thrust Reverser - Failure Conditions:
(1) Inadvertent deployment of one or more
reversers.
(2) Failure of one or more reversers to deploy
when commanded.
(3) Failure of reverser component restraints
(i.e., opening of D-ducts in flight, release of cascades during reverser
operation, etc.).
[Amdt No: 25/1]