JAR-25 Large Aeroplanes
Section 3 - Advisory Material - AMJ
Change 14, 27 May 1994
Disclaimer: This section from JAR-25 is provided for study purposes only. Do not rely on the
information provided in any way.
This page is not from the Joint Aviation Authorities, JAA.
The official source of this document is:
JAA Headquarters, PO Box 3000, 2130 KA HOOFDDORP, Netherlands
The document can be obtained in paper form:
Civil Aviation Authority, Printing & Publication Services, 37 Gratton Road, Cheltenham GL50 2BN, UK
The document can be obtained on CD-ROM from:
Westward Digital Limited, 37 Windsor Street, Cheltenham, Glos, GL52 2DG, UK
Section 3 - Advisory Material - AMJ
1 General
1.1 This Section contains Advisory Material that has been agreed for inclusion in JAR. Advisory Material is basically for general guidance, recommendations and information on subjects which, in some cases, may be in the development stages. The material is not necessarily related to a specific paragraph in JAR and may in fact cover many.
1.2 In some cases the material herein is of ACJ status (ie Acceptable Means of Compliance or Interpretations) but is included in this Section 3 for continuity of reading the AMJ. ACJ material herein will be identified as such and will have the same status as that in Section 2 of this JAR-25
2. Presentation
2.1 The Advisory Material is presented in full page width on loose pages, each page being identified by the date of issue or the Change number under which it is amended or re-issued.
2.2 Numbering system
Where the material relates to a specific JAR-25 paragraph, that number will be used preceded by "AMJ". ]
[ Where the material relates to several JAR-25 paragraphs, the numbers will take the form of AMJ 25X-1*, ]
[ -2 etc, and the AMJ will have a title for easy reference. ]
[ Where the material relates to JAR-25 and other JAR codes, the number will take the form of AMJ 20X-1*, ]
[ -2 etc, and the AMJ will also have a title for easy reference.
2.3 Explanatory Notes not forming part of the Advisory Material appear in a smaller typeface.
2.4 New, amended or corrected text is enclosed within heavy brackets. ]
AMJ 25.561 (b)(3)
Commercial Accomodation Equipment
[ See JAR 25.561 (b)(3) ]
Commercial accomodation equipment complying only with JAR 25.561 need additional substantiation by analysis, tests or combination thereof to cover the 1·33 factor for their attachments as specified in JAR 25.561 (c).
[ AMJ 25.1309
System Design and Analysis
See JAR 25.1309
1. PURPOSE
This AMJ is similar to FAA Advisory Circular AC 25.1309-1A, dated 21 June 1988. Differences between the two texts are indicated, in accordance with normal JAA practice, by underlining.
This AMJ describes various acceptable means for showing compliance with the requirements of JAR 25.1309 (b), (c) and (d). These means are intended to provide guidance for the experienced engineering and operational judgement that must form the basis for compliance findings. They are not mandatory. Other means may be used if they show compliance with this section of the requirements
2. RESERVED
3. APPLICABILITY
Paragraph 25.1309 is intended by the Joint Aviation Authorities (JAA) as a general requirement that should be applied to all systems and Powerplant installations (as required by JAR 25.901(c)) to determine the effect on the aeroplane of a functional failure or malfunction. It is based on the principle that there should be an inverse relationship between the severity of the effect of a failure and the probability of its occurrence.
This principle may in some instances be at variance with specific paragraphs elsewhere in JAR-25. That is to say that a specific requirement may call for a higher safety objective than is warranted in relation to the effect it has on the particular aeroplane type. In other instances the reverse may apply.
The JAA will consider such instances on a case-by-case basis, and such instances would be the subject of negotiation with the applicant in a specific case. However, notwithstanding that a forcible argument to replace or alter the requirements of a specific paragraph may exist, it may not necessarily justify the waiving of a long-established tradition of engineering practice.
4. BACKGROUND
a. For a number of years, aeroplane systems were evaluated to specific requirements, to the "single fault" criterion, or to the fail-safe design concept.
As later-generation aeroplanes developed, more safety-critical functions were required to be performed, which generally resulted in an increase in the complexity of the systems designed to perform these functions. The potential hazards to the aeroplane and its occupants which could arise in the event of loss of one or more functions provided by a system or that system's malfunction had to be considered, as also did the interaction between systems performing different functions.
This has led to the general principle that an inverse relationship should exist between the probability of loss of function(s) or malfunction(s) (leading to a serious Failure Condition) and the degree of hazard to the aeroplane and its occupants arising therefrom. In assessing the acceptability of a design it was recognised that rational probability values would have to be established, This was worked out on the following basis:
Historical evidence indicates that the risk of a serious accident due to operational and airframe-related causes is approximately 1 per million hours of flight. Furthermore, about 10 percent of the total can be attributed to Failure Conditions caused by the aeroplane's systems problems. It seems reasonable that serious accidents caused by systems should not be allowed a higher probability than this in new aeroplane designs. It is thereby possible to require for new designs that the probability of a serious accident from all such Failure Conditions be not greater than 1 per ten million flight hours or 1 x 10-7 per flight hour.
The difficulty with this is that it is not possible to say whether the target has been met until all the systems on the aeroplane are collectively analysed numerically. ]
For this reason it is assumed, arbitrarily, that there are about 100 potential Failure Conditions in an aeroplane which would prevent Continued Safe Flight and Landing. The target allowable risk of 1 x 10-7 was thus apportioned equally among these Conditions, resulting in a risk allocation of not greater than 1 x 10-9 to each. The upper-risk limit for Failure Conditions which would prevent Continued Safe Flight and Landing would be 1 x 10-9 for each hour of flight which establishes an approximate probability value for the term "Extremely Improbable". Failure Conditions having less severe effects could be relatively more likely to occur.
In parallel with the above, various analytical techniques were developed to assist the applicant and Airworthiness Authority in conducting a safety analysis. These help to carry out a thorough qualitative analysis. The techniques also allow the analyst to carry out a quantitative assessment as and when appropriate.
b. This AMJ identifies various analytical approaches, both qualitative and quantitative, which may be used to assist applicant and JAA personnel in determining compliance with the requirement. It also provides guidance for determining when, or if, a particular analysis should be conducted. Numerical values are assigned to the probabilistic terms included in the requirement, for use in those cases where the impact of system failures is examined by quantitative methods of analysis. These analytical tools are intended to supplement, but not replace, engineering and operational judgement.
5. THE FAIL-SAFE DESIGN CONCEPT
The fail-safe design concept considers the effects of failures and combinations of failures in defining a safe design.
a. The following basic objectives pertaining to failures apply:
(1) In any system or subsystem, the failure of any single element, component, or connection during any one flight (brake release through ground deceleration to stop) should be assumed, regardless of its probability. Such singlefailures should not prevent Continued Safe Flight and Landing.
(2) Subsequent failures during the same flight, whether detected or latent, and combinations thereof, should also be assumed, unless their joint probability with the first failure is shown to be Extremely Improbable.
b The Fail-Safe Design concept uses the following design principles or techniques in order to ensure a safe design. The use of only one of these principles or techniques is seldom adequate. A combination of two or more is usually needed to provide a fail-safe design; i.e. to ensure that Major and Hazardous Failure Conditions are Improbable and that Catastrophic Failure Conditions are Extremely Improbable:
(1) Designed Integrity and Quality, including life limits, to ensure intended function and minimise the occurrence and/or the effects of failures.
(2) Redundancy or Back-Up Systems to enable continued function after any single (or other defined number of) failure(s); e.g. two or more engines, hydraulic systems, flight control systems, etc.
(3) Isolation (especially physical or spatial separation) and independence of Systems, Components, and elements so that the failure of one does not cause the failure of another.
(4) Proven Reliability so that multiple, independent failures are unlikely to occur during the same flight.
(5) Failure Warning or Indication to provide detection.
(6) Flightcrew Procedures for use after failure detection, to enable Continued Safe Flight and Landing by specifying crew corrective action.
(7) Checkability: the capability to check a component's condition.
(8) Failure Containment to limit the safety impact of a failure.
(9) Designed Failure Path to control and direct the effects of a failure in a way that limits its safety impact. ]
[ (10) Error-Tolerance that considers adverse effects of foreseeable errors during the aeroplane's design, test, manufacture, operation, and maintenance.
(11) Margins or Factors of Safety to account for foreseeable but uncertain or undefined adverse conditions.
6. DEFINITIONS
The following definitions apply to the system design and analysis requirements of JAR 25.1309(b), (c), and (d) and the guidance material provided in this AMJ. They should not be assumed to apply to the same or similar terms used in other requirements, ACJs or AMJs. Terms for which standard dictionary definitions apply are not defined herein.
a. ATTRIBUTE: A feature, characteristic, or aspect of a system or a device, or a condition affecting its operation. Some examples would include design, construction, technology, installation, functions, applications, operational uses, environmental and operational stresses, and relationships with other systems, functions, and flight or structural characteristics.
b. CERTIFICATION CHECK REQUIREMENT (CCR): A recurring flight crew or ground crew Check that is required by design to help show compliance with JAR 25.1309(b) and (d)(2) by detecting the presence of, and thereby limiting the exposure time to, a significant latent failure that would, in combination with one or more other specific failure or events identified in a safety analysis, result in a Hazardous or Catastrophic Failure Condition.
c. CHECK: An examination (e.g. an inspection or test) to determine the physical integrity or functional capability of an item.
d. COMPLEX: Applicable to systems whose architecture and logic are difficult to comprehend without the aid of analytical tools, e.g. Failure Modes and Effects Analysis, Fault Trees, Reliability Block Diagrams.
e. CONTINUED SAFE FLIGHT AND LANDING: The capability for continued controlled flight and landing, possibly using emergency procedures, but without requiring exceptional pilot skill or strength. Some aeroplane damage may be associated with a Failure Condition, during flight or upon landing.
f. CONVENTIONAL: An attribute of a system is considered to be conventional if it is the same as, or closely similar to, that of previously-approved systems that are commonly used.
g. ERROR: An occurrence arising as a result of incorrect action by the flight crew or maintenance personnel.
h. EVENT: An occurrence which has its origin distinct from the aeroplane, such as atmospheric conditions (e.g. gusts, temperature variations, icing and lightning strikes) runway conditions, cabin and baggage fires. The term is not intended to cover sabotage.
i. FAILURE: A loss of function, or a malfunction, of a system or part thereof.
j. FAILURE CONDITION: The effect on the aeroplane and its occupants, both direct and consequential, caused or contributed to by one or more failures, considering relevant adverse operational or environmental conditions. Failure Conditions may be classified according to their severities as follows:
(1) MINOR: Failure Conditions which would not significantly reduce aeroplane safety, and which involve crew actions that are well within their capabilities. Minor failure conditions may include, for example, a slight reduction in safety margins or functional capabilities, a slight increase in crew workload, such as routine flight plan changes, or some inconvenience to occupants.
(2) MAJOR: Failure Conditions which would reduce the capability of the aeroplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be, for example, a significant reduction in safety margins or functional capabilities, a significant increase in crew workload or in conditions impairing crew efficiency, or discomfort to occupants, possibly including injuries. ]
[ (3) HAZARDOUS: Failure Conditions which would reduce the capability of the aeroplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be:
(i) A large reduction in safety margins or functional capabilities;
(ii) Physical distress or higher workload such that the flight crew cannot be relied upon to perform their tasks accurately or completely; or
(iii) Serious or fatal injury to a relatively small number of the occupants.
(4) CATASTROPHIC: Failure Conditions which would prevent Continued Safe Flight and Landing.
k. REDUNDANCY: The presence of more than one independent means for accomplishing a given function or flight operation. Each means need not necessarily be identical.
l. QUALITATIVE: Those analytical processes that assess system and aeroplane safety in a subjective, non-numerical manner.
m. QUANTITATIVE: Those analytical processes that apply mathematical methods to assess system and aeroplane safety.
7. DISCUSSION
JAR 25.1309(b) and (d) require substantiation by analysis and, where necessary, by appropriate ground, flight, or simulator tests, that a logical and acceptable inverse relationship exists between the probability and the severity of each Failure Condition. However, tests are not required to verify Failure Conditions that are postulated to be Catastrophic. As discussed in paragraph 3, some systems and some functions already receive such an evaluation to show compliance with other specific requirements or special conditions and thereby normally meet the intent of JAR 25.1309 without a need for additional analyses. In either case, however, the goal is to ensure an acceptable overall aeroplane safety level, considering all Failure Conditions of all systems.
a. The requirements of JAR 25.1309(b) and (d) are intended to ensure an orderly and thorough evaluation of the effects on safety of foreseeable failures or other events, such as errors or external circumstances, separately or in combination, involving one or more system functions. The interactions of these factors within a system and among relevant systems should be considered.
b. The severities of Failure Conditions may be evaluated according to the following considerations:
(1) Effects on the aeroplane, such as reductions in safety margins, degradations in performance, loss of capability to conduct certain flight operations, or potential or consequential effects on structural integrity
(2) Effects on crew members, such as increases above their normal workload that would affect their ability to cope with adverse operational or environmental conditions.
(3) Effects on the occupants; i.e. passengers and crew members.
c. For convenience in conducting design assessments, Failure Conditions may be classified according to their severities as Minor, Major, Hazardous, or Catastrophic. Paragraph (6)(j) provides accepted definitions of these terms.
(1) The classification of Failure Conditions does not depend on whether or not a system or function is the subject of a specific requirement. Some "required" systems, such as transponders, position lights, and public address systems, may have the potential for only Minor Failure Conditions. Conversely, other systems which are not "required", such as flight management systems, may have the potential for Major, Hazardous, or Catastrophic Failure Conditions. ]
[ (2) Regardless of the types of assessment used, the classification of Failure Conditions should always be accomplished with consideration of all relevant factors; e.g. system, crew, performance, operational, external, etc. Examples of factors would include the nature of the failure modes, any effects or limitations on performance, and any required or likely crew action. It is particularly important to consider factors that would alleviate or intensify the severity of a Failure Condition. An example of an alleviating factor would be the continued performance of identical or operationally-similar functions by other systems not affected by the Failure Condition. Examples of intensifying factors would include unrelated conditions that would reduce the ability of the crew to cope with a Failure Condition, such as weather or other adverse operational or environmental conditions.
d. The probability that a Failure Condition would occur may be assessed as Probable, Improbable (Remote or Extremely Remote), or Extremely Improbable. These terms are explained in paragraph 9.e. and 10.b. Each Failure Condition should have a probability that is inversely related to its severity, as illustrated in figure 1, Relationship between Probability and Severity of Effects:
(1) Minor Failure Conditions may be Probable.
(2) Major Failure Conditions must be no more frequent than Improbable (Remote).
(3) Hazardous Failure Conditions must be no more frequent than Improbable (Extremely Remote).
(4) Catastrophic Failure Conditions must be Extremely Improbable.
e. An assessment to identify and classify Failure Conditions is necessarily qualitative. On the other hand, an assessment of the probability of a Failure Condition may be either qualitative or quantitative. An analysis may range from a simple report that interprets test results or compares two similar systems to a detailed analysis that may (or may not) include estimated numerical probabilities. The depth and scope of an analysis depends on the types of functions performed by the system, the severities of Failure Conditions, and whether or not the system is complex. Regardless of its type, an analysis should show that the system and its installation can tolerate failures to the extent that Major and Hazardous Failure Conditions are Improbable and Catastrophic Failure Conditions are Extremely Improbable (see figure 1):
(1) Experienced engineering and operational judgement should be applied when determining whether nor not a system is complex. Comparison with similar, previously-approved systems, is sometimes helpful. All relevant systems Attributes should be considered; however, the complexity of the software used to program a digital-computer-based system should not be considered because the software is assessed and controlled by other means, as described in paragraph 7.i.
(2) An analysis should consider the application of the fail-safe design concept described in paragraph 5, and give special attention to ensuring the effective use of design techniques that would prevent single failures or other events from damaging or otherwise adversely affecting more than one redundant system channel or more than one system performing operationally-similar functions. When considering such common-cause failures or other events, consequential or cascading effects should be taken into account if they would be inevitable or reaosonably likely.
(3) Some examples of such potential common-cause failures or other events would include rapid release of energy from concentrated sources such as uncontained failures of rotating parts or pressure vessels, pressure differentials, non-catastrophic stuctural failures, loss of environmental conditioning, disconnection of more than one subsystem or component by overtemperature protection devices, contamination by fluids, damage from localised fires, loss of power, excessive voltage, physical or environmental interactions among parts, human or machine errors, or events external to the system or to the aeroplane.
f. As discussed in paragraphs 8.c.(1) and 8.d.(2), compliance for a system or part thereof that is not complex may sometimes be shown by design and installation appraisals and evidence of satisfactory service experience on other aeroplanes using the same or other systems that are similar in their relevant Attributes. ]
[ g. In general, a Failure Condition resulting from a single failure mode of a device cannot be accepted as being Extremely Improbable. In very unusual cases, however, experienced engineering judgement may enable an assessment that such a failure mode is not a practical possibility. When making such an assessment, all possible and relevant considerations should be taken into account, including all relevant Attributes of the device. Service experience showing that the failure mode has not yet occurrred may be extensive, but it can never be enough. Furthermore, flight crew or ground crew checks have no value if a Catastrophic failure mode would occur suddenly and without any prior indication or warning. the assessment's logic and rationale should be so straightforward and readily obvious that, from a realistic and practical viewpoint, any knowledgeable, experienced person would unequivocally conclude that the failure mode simply would not occur.
h. JAR 25.1309(c) provides requirements for system monitoring, failure warning, and capability for appropriate corrective crew action. Guidance on acceptance means of compliance is provided in paragraph 8.g.
i. In general, the means of compliance described in this AMJ are not directly applicable to software assessments because it is not feasible to assess the number or kinds of software errors, if any, that may remain after the completion of system design, development, and test. RTCA DO-178A and EUROCAE ED-12A, or later revisions thereto, provide acceptable means for assessing and controlling the software used to program digital-computer-based systems. The documents define and use certain terms to classify the criticalities of functions. For information, these terms have the following relationships to the terms used in this AMJ to classify Failure Conditions: Failure Conditions adversely affecting non-essential functions would be Minor, Failure Conditions adversely affecting essential functions would be Major or Hazardous, and Failure Conditions adversely affecting critical functions would be Catastrophic.
8. ACCEPTABLE TECHNIQUES
The methods outlined in this section provide acceptable techniques, but not the only techniques, for determining compliance with the requirements of JAR 25.1309(b), (c) and (d). Other comparable techniques exist and may be proposed by an applicant for use in any certification programme. Early agreement between the applicant and the Certificating Authority should be reached on the methods of assessment to be used.
After the applicant has established an acceptable classification level for a particular Failure Condition by means of a hazard assessment, it is the applicant's responsibility to determine how to show compliance with the requirement and obtain the concurrence of the Certificating Authority. Design and installation reviews, analyses, flight tests, ground tests, simulator tests or other approved means may be used. Flight tests are not required for verifying the postulated effects of either Hazardous or Catastrophic Failure Conditions.
a. Functional Hazard Assessment
Before an applicant proceeds with a detailed safety assessment, it is useful to prepare a preliminary hazard assessment of the system functions in order to determine the need for and scope of subsequent analysis. This assessment may be conducted using service experience, engineering and operational judgement, or a top-down deductive qualitative examination of each function performed by the system. A functional hazard assessment is a systematic, comprehensive examination of a system's functions to identify potential Major, Hazardous and Catastrophic Failure Conditions which the system can cause or contribute to, not only if it malfunctions or fails to function, but also in its normal response to unusual or abnormal external factors. It is concerned with the operational vulnerabilities of the system rather than with the detailed hardware analysis.
Each system function should also be examined with respect to functions performed by other aeroplane systems, because the loss of different but related functions provided by separate systems may affect the severity of Failure Conditions postulated for a particular system. In assessing the effects of a Failure Condition factors which might alleviate or intensify the direct effects of the initial Failure Condition should be considered, including consequent or related conditions existing within the aeroplane which may affect the ability of the crew to deal with direct effects, such as the presence of smoke, acceleration vectors, interruption of communication, interference with cabin pressurisation, etc.
When assessing the consequences of a given Failure Condition, account should be taken of the warnings given, the complexity of the crew action, and the relevant crew training. The number of overall Failure Conditions involving other than instinctive crew actions may influence the flight crew performance that can be expected. Training requirements may need to be specified in some cases. ]
[ A functional hazard assessment may contain a high level of detail in some cases, such as for a flight guidance and control system with many functional modes, but many installations may need only a simple review of the system design by the applicant. The functional hazard assessment is a preliminary engineering tool. It should be used to identify design precautions necessary to ensure independence, to determine the required software level and to avoid common mode and cascade failures.
If further safety analysis is not provided, then the functional hazard assessment could itself be used as certification documentation.
b. Analysis of Minor Failure Conditions
(1) Although a functional hazard assessment has determined that malfunction of a particular system can result in only Minor Failure Conditions by itself, it is also necessary that the assessment verifies that failures of the system will not contribute to more severe Failure Conditions if combined with failures of other systems or functions. In general, the installation of systems which do not perform any airworthiness-related functions should be accomplished in a manner which ensures their independence of function and physical separation from airworthiness-related components.
(2) If the hazard assessment, based on experienced engineering judgement, determines that system malfunctions cannot result in worse than Minor Failure Conditions, or affect other airworthiness-related functions, no further safety analysis is necessary to show compliance with JAR 25.1309.
c. Analysis of Major Failure Conditions
(1) Major Failure Conditions identified by the functional hazard assessment should be Improbable (Remote). If the complexity of the system is low, and the system is similar in its relevant Attributes to those used in other aeroplanes (see figure 1) and the effects of failure would be the same, then design and installation appraisals, and satisfactory service history of the equipment being analysed, or of similar design, will usually be acceptable for showing compliance.
(2) If similarity cannot be justified, but the system is conventional in its relevant Attributes, then compliance may be shown by means of a qualitative assessment. This also applies to systems of high complexity, provided that there is reasonable confidence that the Failure Condition is not worse than Major.
(3) For complex systems which include functional redundancy, a qualitative failure modes and effects analysis or fault tree may be necessary to determine that redundancy actually exists (e.g. no single failure affects all functional channels), and to show that the failure modes of the equipment do not have any airworthiness-related effects on other functions.
d. Analysis of Hazardous and Catastrophic Failure Conditions
(1) Except as specified in paragraph 8.d.(2), a detailed safety analysis will be necessary for each Hazardous and Catastrophic Failure Condition identified by the functional hazard assessment (see figure 1). Hazardous Failure Conditions should be Improbable (Extremely Remote), and Catastrophic Failure Conditions should be Extremely Improbable. The analysis will usually be a combination of qualitative and quantitative assessment of the design. Probability levels which are related to Catastrophic Failure Conditions should not be assessed only on a numerical basis, unless this basis can be substantiated beyond reasonable doubt.
(2) For very simple and conventional installations, i.e. low complexity and similarity in relevant Attributes (see figure 1), it may be possible to assess a Catastrophic Failure Condition as being Extremely Improbable, on the basis of experienced engineering judgement, without using all the formal procedures listed above. The basis for the assessment will be the degree of redundancy, the established independence and isolation of the channels and the reliability record of the technology involved. Satisfactory service experience on similar systems commonly used in many aeroplanes may be sufficient when a close similarity is established in respect of both the system design and operating conditions. However, as discussed in paragraph 7.g., a Failure Condition resulting from a single failure mode of a device cannot generally be accepted as being Extremely Improbable, except in very unusual cases. ]
[ e. Operational or Environmental Conditions
A probability of one should usually be used for encountering a discrete condition for which the aeroplane is designed, such as instrument meteorological conditions or Category III weather operations. On the other hand, reasonable and rational consideration of the statistically-derived probability of a random condition may usually be included in an analysis, provided it is based on an applicable supporting data base and its statistical distribution. When combining the probability of such a random condition with that of a system failure, care should be taken to ensure that the condition and the system failure are independent of one another, or that any dependencies are properly accounted for. Two examples of the reasonable and rational use of such random conditions are the encountering of hazardous turbulence or gust levels after the failure of a structural load alleviation system, and the availability of a suitable alternate airport having a crosswind lower than that at the intended destination airport after a system failure that results in a loss of high rudder authority. The applicant should obtain early concurrence of the Certificating Authority when such conditions are to be included in an analysis.
f. Latent Failures
A latent failure is one which is inherently undetected when it occurs. A significant latent failure is one which would, in combination with one or more other specific failures or events, result in a Hazardous or Catastrophic Failure Condition. Because the frequency at which a device is checked directly affects the probability that any latent failure of that device exists, CCRs (see paragraph 6.b.) may be used to help show compliance with JAR 25.1309(b) and (d)(2) for significant latent failures.
g. Acceptable Means of Compliance with JAR 25.1309(c) and (d)(4)
JAR 25.1309(c) requires that warning information must be provided to alert the crew to unsafe system operating conditions, and to enable them to take appropriate corrective action. It also requires that systems, controls, and associated monitoring and warning means must be designed to minimise crew errors which could create additional hazards. Compliance with this section is shown qualitatively:
(1) Failure warning or indication may be either natural (inherent) or designed into the system. In either case, it should be timely, rousing, obvious, clear and unambiguous. It should occur at a point in a potentially-catastrophic sequence of failures where the aeroplane's capability and the crew's ability still remain sufficient for appropriate corrective crew action.
(2) Unless they are accepted as normal airmanship, procedures for the crew to follow after the occurrence of failure warning should be described in the approved Aeroplane Flight Manual (AFM) or AFM revision or supplement.
(3) Even if operation or performance is unaffected or insignificantly affected at the time of failure, warning is required if it is considered necessary for the crew to take any action or observe any precautions. Some examples would include reconfiguring a system, being aware of a reduction in safety margins, changing the flight plan or regime, or making an unscheduled landing to reduce exposure to a more serious failure condition that would result from subsequent failures or operational or environmental conditions. Warning is also required if a failure must be corrected before a subsequent flight. If operation or performance is unaffected or insignificantly affected, warning may be inhibited during specific phases of flight where corrective action by the crew is considered more hazardous than no action.
(4) The use of CCRs or other checks in lieu of practical and reliable failure monitoring and warning systems to detect significant latent failures when they occur does not comply with JAR 25.1309(c) and (d)(4). A practical failure monitoring and warning system is one which is considered to be within the state of the art. A reliable failure monitoring and warning system is one which would not result in either excessive failures of a genuine warning, or excessive or untimely false warnings which can sometimes be more hazardous than lack of provision for, or failures of, genuine but infrequent warnings. Experienced judgement should be applied when determining whether or not a failure monitoring and warning system would be practical and reliable. Comparison with similar, previously-approved systems is sometimes helpful. Paragraph 11. provides further guidance on the use of CCRs. ]
[ (5) The assumptions of paragraph 11.a. that the flight crew will take appropriate corrective action and perform required checks correctly are based on compliance with the requirement for a design that minimises the potential for serious crew errors; however, quantitative assessments of the probabilities of crew errors are not considered feasible. Particular attention should be given to the placement of switches or other control devices, relative to one another, so as to minimise the potential for inadvertent incorrect crew action, especially during emergencies or periods of high workload. Extra protection, such as the use of guarded switches, may sometimes be needed.
9. QUALITATIVE ASSESSMENT
Various methods for assessing the causes, severities, and likelihood of potential Failure Conditions are available to support experienced engineering and operational judgement. Some of these methods are structured. The various types of analysis are based on either inductive or deductive approaches. Descriptions of typical types of analysis and explanations of qualitative probability terms are provided below.
a. Design Appraisal. A qualitative appraisal of the integrity and safety of the design. An effective appraisal requires experienced judgement and, in accordance with paragraph 7.e., should place special emphasis on any Failure Conditions that are likely to prevent Continued Safe Flight and Landing.
b. Installation Appraisal. A qualitative appraisal of the integrity and safety of the installation. An effective appraisal requires experienced judgement and, in accordance with paragraph 7.e., should place special emphasis on any Failure Conditions that are likely to prevent Continued Safe Flight and Landing. Any deviations from normal, industry-accepted installation practices, such as clearances or tolerances, should be evaluated, especially when appraising modifications made after entry into service.
c. Failure Modes and Effects Analysis. A structured, inductive, bottom-up analysis which is used to evaluate the effects on the system and the aeroplane of each possible element or component failure. When properly formatted, it will aid in identifying latent failures and the possible causes of each failure mode.
d. Fault tree or Dependence Diagram (Reliability Block Diagram) Analysis. Structured, deductive, top-down analyses which are used to identify the conditions, failures, and events that would cause each defined Failure Condition. They are graphical methods of identifying the logical relationship between each particular Failure Condition and the primary element or component failures, other events, or combinations thereof that can cause it. A failure modes and effects analysis is usually used as the source document for those primary failures or other events. A fault tree analysis is failure oriented, and is conducted from the perspective of which failures must occur to cause a defined Failure Condition. A dependence diagram analysis is success-oriented, and is conducted from the perspective of which failures must not occur to preclude a defined Failure Condition.
e. Qualitative Probability Terms. When using qualitative analyses to determine compliance with JAR 25.1309(b), the following descriptions of the probability terms used in the requirement and this AMJ have become commonly accepted as aids to engineering judgement:
(1) Probable Failure Conditions are those anticipated to occur one or more times during the entire operational life of each aeroplane.
(2) Improbable Failure Conditions are divided into two categories as follows:
(i) Remote. Unlikely to occur to each aeroplane during its total life but which may occur several times when considering the total operational life of a number of aeroplanes of the type.
(ii) Extremely Remote. Unlikely to occur when considering the total operational life of all aeroplanes of the type, but nevertheless has to be considered as being possible.
(3) Extremely Improbable Failure Conditions are those so unlikely that they are not anticipated to occur during the entire operational life of all aeroplanes of one type. ]
[ 10. QUANTITATIVE ASSESSMENT
A quantitative analysis may be used to support experienced engineering and operational judgement and to supplement qualitative analyses. A description of such an analysis, discussion and guidance information, and explanations of quantitative probability terms, are provided below. A quantitative analysis is often used for Hazardous or Catastrophic Failure Conditions of systems that are complex, that have insufficient service experience to help substantiate their safety, or that have Attributes that differ significantly from those of conventional systems.
a. Probability Analysis. A failure modes and effects, fault tree, or dependence diagram analysis which also includes numerical probability information. The probabilities of primary failures can be determined from failure rate data and exposure times, using failure rates derived from service experience on identical or similar items, or acceptable industry standards. The conventional mathematics of probability can then be used to calculate the estimated probability of each Failure Condition as a function of the estimated probabilities of its identified contributory failures or other events.
(1) It is recognised that, for various reasons, component failure rate data are not precise enough to enable accurate estimates of the probabilities of Failure Conditions. This results in some degree of uncertainty, as indicated by the expression "of the order of " in the descriptions of the quantitative probability terms that are provided in paragraph 10.b. When calculating the estimated probability of each Failure Condition, this uncertainty should be accounted for in a way that does not compromise safety.
(2) Unless acceptable probability criteria are provided elsewhere, such as in other AMJs, acceptable probabilities for Failure Conditions should be derived from complete event scenarios leading to an inability for Continued Safe Flight and Landing. The considerations described in paragraphs 7.c. and 7.e. should always be taken into account so that the required probabilities are rational and realistically-based. Using experienced engineering and operational judgement, acceptable probabilities should have reasonable tolerances because the uncertainty is accounted for as discussed in paragraph 10.a.(1).
b. Quantitative Probability Terms. When using quantitative analyses to help determine compliance with JAR 25.1309(b), the following descriptions of the probability terms used in this requirement and this AMJ have become commonly accepted as aids to engineering judgement. They are usually expressed in terms of acceptable numerical probability ranges for each flight hour, based on a flight of mean duration for the aeroplane type. However, for a function which is used only during a specific flight operation; e.g., take-off, landing, etc., the acceptable probability should be based on, and expressed in terms of, the flight operation's actual duration.
(1) Probable Failure Conditions are those having a probability greater than of the order of 1 x 10-5.
(2) (i) Improbable (Remote) Failure Conditions are those having a probability order of 1 x 10-5 or less but greater than of the order of 1 x 10-7.
(ii) Improbable (Extremely Remote) Failure Conditions are those having a probability of the order of 1 x 10-7 or less, but greater than of the order of 1 x 10-9.
(3) Extremely Improbable Failure Conditions are those having a probability of the order of 1 x 10-9 or less.
11. OPERATIONAL AND MAINTENANCE CONSIDERATIONS
This AMJ addresses only those operational and maintenance considerations that are directly related to compliance with JAR 25.1309(b), (c), and (d); other operational and maintenance considerations are not discussed herein. Flight crew and ground tasks related to compliance with this requirement should be appropriate and reasonable. However, as discussed in paragraph 8.g.(5), quantitative assessments of the probabilities of crew errors are not considered feasible. Therefore, reasonable tasks are those for which full credit can be taken because the flight crew or ground crew can realistically be anticipated to perform them correctly and when they are required or scheduled. In addition, based on experienced engineering and operational judgement, the discovery of obvious failures during normal operation and maintenance of the aeroplane may be considered, even though such failures are not the primary purpose or focus of the operational or maintenance actions. ]
[ a. Flight Crew Action. When assessing the ability of the flight crew to cope with a Failure Condition, the warning information and the complexity of the required action should be considered (see paragraph 8.g.). If the evaluation indicates that a potential Failure Condition can be alleviated or overcome without jeopardising other safety-related flight crew tasks and without requiring exceptional pilot skill or strength, credit may be taken for correct and appropriate corrective action, for both qualitative and quantitative assessments. Similarly, credit may be taken for correct flight crew performance of CCRs, if overall flight crew workload during the time available to perform them is not excessive and if they do not require exceptional pilot skill or strength. Unless flight crew actions are accepted as normal airmanship, they should be described in the approved AFM or AFM revision or supplement.
b. Ground Crew Action. Credit may be taken for correct ground crew accomplishment of reasonable CCRs, for both qualitative and quantitative assessments. Such requirements should be provided for use in approved maintenance programmes.
c. Certification Check Requirements. As defined in paragraph 6.b. and as discussed in 8.f., CCRs (also referred to as Certification Maintenance Requirements, or CMRs) may be needed to help show compliance with JAR 25.1309(b) and (d)(2) for significant latent failures. Rational methods, which usually involve quantitative analyses or relevant service experience data, should be used to determine CCR intervals. These intervals should have reasonable tolerances so that CCRs can be performed concurrently with other maintenance, inspection, or check procedures not required by design for compliance with JAR 25.1309(b) and (d)(2). Such tolerances are acceptable because the uncertainty described in paragraph 10.a.(1) is accounted for as discussed therein. If CCRs are used, they and their intervals and tolerances, and any post-certification changes, or procedures provided in the type design for an aeroplane owner or operator to make such changes, should be approved by, or with the concurrence of, the Certificating Authority having cognizance over the type design that relates to the system and its installation.
(1) Any applicant originating CCRs that are to be performed by flight crews should provide all relevant information to owners and operators of the aeroplane in the approved AFM or AFM revision or supplement.
(2) Any applicant originating CCRs that are to be performed by ground crews should provide all relevant information to owners and operators of the aeroplane early enough for well-planned, timely incorporation into approved maintenance programmes. If appropriate, approved procedures for reasonable adjustments to CCR intervals as a result of knowledge acquired from service experience may be provided for use in approved maintenance programmes.
(3) Any owner or operator of an aeroplane may request that alternative CCRs or their intervals be allowed and specified in an operator's specification approved under the applicable operating requirement or in accordance with an approved maintenance programme. As discussed in paragraph 11.c., concurrence of the Certificating Authority having cognizance over the type design that relates to the system and its installation is necessary.
d. Flight with Equipment or Functions Inoperative. Any applicant may elect to develop a list of equipment and functions which need not be operative for safe flight and landing, based on stated compensating precautions that should be taken; e.g. operational or time limitations, or flight crew or ground crew checks. The documents used to show compliance with JAR 25.1309(b), (c) and (d), together with any other relevant information, should be considered in the development of this list, which then becomes the basis for a Master Minimum Equipment List (MMEL). Experienced engineering and operational judgement should be applied during the development of the MMEL.
12. STEP-BY-STEP GUIDE
This guide and figure 2, Depth of Analysis Flowchart, are provided primarily for the use of applicants who are not familiar with the various methods and procedures generally used by industry to conduct design safety assessments. This guide and figure 2 are not certification checklists, and they do not include all the information provided in this AMJ. There is no necessity for an applicant to use them or for the Certificating Authority to accept them, in whole or in part, to show compliance with any requirement. Their sole purposes are to assist applicants by illustrating a systematic approach to design safety assessments, to enhance understanding and communication by summarising some of the information provided in this AMJ, and to provide some suggestions on documentation. ]
[ a. Define the system and its interfaces, and identify the functions that the system is to perform. Determine whether or not the system is complex, similar to systems used on other aeroplanes, and conventional .
b. Identify and classify the significant (i.e. non-trivial) Failure Conditions. All relevant applicant engineering organisations, such as systems, structures, propulsion, and flight test, should be involved in this process. This identification and classification may be done by conducting a Functional Hazard Assessment, which is usually based on one of the following methods, as appropriate:
(1) If the system is not complex, and if its relevant Attributes are similar to those of systems used on other aeroplanes, this identification and classification may be derived from design and installation appraisals and the service experience of the comparable, previously-approved, systems.
(2) If the system is complex, it is necessary to systematically postulate the effects on the safety of the aeroplane and its occupants resulting from any possible failure, considered both individually and in combination with other failures or events.
c. Choose the means to be used to determine compliance with JAR 25.1309(b), (c) and (d). The depth and scope of the analysis depends on the types of functions performed by the system, the severities of system Failure Conditions, and whether or not the system is complex. For Major Failure Conditions, experienced engineering and operational judgement, design and installation appraisals and comparative service experience data on similar systems may be acceptable, either on their own or in conjunction with qualitative analyses or selectively used quantitative analyses. For Hazardous or Catastrophic Failure Conditions, a very thorough safety assessment is necessary. The applicant should obtain the early concurrence of the Certificating Authority on the choice of an acceptable means of compliance.
d. Implement the design and produce the data which are agreed with the Certificating Authority as being acceptable to show compliance. To the extent feasible, an analysis should be self-contained; however, if it is not, all other docuemnts needed should be referenced. A typical analysis should include the following information to the extent necessary to show compliance:
(1) A statement of the functions, boundaries, and interfaces of the system.
(2) A list of the component parts and equipment of which the system is comprised, and their design standards. This list may reference other documents; e.g. Technical Standard Orders , manufacturer's or military specifications, etc.
(3) The conclusions, including a statement of the Failure Conditions and their classifications and probabilities (expressed qualitatively and quantitatively, as appropriate), that show compliance with the requirements of JAR 25.1309(b), (c) and (d).
(4) A description that establishes correctness and completeness and traces the work leading to the conclusions. This description should include the basis for the classification of each Failure Condition (e.g. analysis or ground, flight, or simulator tests). It should also include a description of precautions taken against common-mode or common-cause failures, provide any data such as component failure rates and their sources and applicability, support any assumptions made, and identify any required flight crew or ground crew actions, including any CCRs. ]
[ FIGURE 1 - RELATIONSHIP BETWEEN PROBABILITY AND SEVERITY OF FAILURE CONDITION
EFFECT ON Normal Nuisance Operating; Significant Large reduction Multiple deaths
AIRCRAFT limitations reduction in in safety usually with loss
AND emergency safety margins; margins;crew of aircraft
OCCUPANTS procedures difficult for crew estended
to cope with Adverse because of
conditions; workload or
passenger environmental
injuries conditions
serious or fatal
injuryto a small
number of
occupants
F.A.R. EXTREMELY
PROBABILITY <- - - -- PROBABLE - - - - - > <- - - - - -IMPROBABLE- - - - -> <- - - - -- - -> (REF ONLY) IMPROBABLE
EXTREMELY
< - - - - - - - - PROBABLE - - - - - - - - - - - > <- - - - -IMPROBABLE-- - - - > <-- - - - - - - - - - ->
IMPROBABLE
JAR-25
PROBABILITY <- - FREQUENT - - - - -><-REASONABLY- ><--REMOTE -- ><--EXTREMELY- >
PROBABLE REMOTE
10-0 10-1 10-2 10-3 10-4 10 -5 10-6 10-7 10-8 10-9
| | | |
CLASSIFICATION<- - - - - - -MINOR - - - - - - - - - - > <-- MAJOR -- > <- HAZARDOUS--><-CATASTROPHE-->
OF FAILURE
CONDITIONS
[ FIGURE 2 DEPTH OF ANALYSIS FLOW CHART
[ AMJ 25.1309(b)
Equipment Systems and Installations
See JAR 25.1309(b)
1. Heated Domestic Appliances (Galley Equipment)
1.1 The design and installation of heated domestic appliances should be such that no single failure (e.g. welded thermostat or contactor) can result in dangerous uncontrolled heating and consequent risk of fire or smoke or injury to occupants.
An acceptable method of achieving this is by the provision of a means independent of the normal temperature control system, which will automatically interrupt the electrical power supply to the unit in the event of an overheat condition occurring. The means adopted should be such that it cannot be reset in flight.
1.2 The design and installation of microwave ovens should be such that no hazard could be caused to the occupants or the equipment of the aeroplane under either normal operation or single failure conditions.
1.3 Heated liquid containers, e.g. water boilers, coffee makers should, in addition to overheat protection, be provided with an effective means to relieve overpressure, either in the equipment itself or in its installations.
NOTE: Due account should be taken of the possible effects of lime scale deposit both in the design and maintenance procedures of water heating equipment.
2. Electric Overheat Protection Equipment, Including those Installed in Domestic Systems
2.1 Unless it can be shown that compliance with JAR 25.1309(b) is provided by the circuit protective device required by JAR 25.1357(a), electric motors and transformers etc. (including those installed in domestic systems, such as galleys and toilet flush systems) should be provided with a suitable thermal protection device if necessary to prevent them overheating such as to create a smoke or fire hazard under normal operation and failure conditions.
The following should be taken into consideration:
a. Failures of any automatic control systems, e.g. automatic timer systems, which may cause the motor to run continuously;
b. Short circuit failures of motor windings or transformer windings to each other or to the motor or transformer frame;
c. Open circuit of one or more phases on multi-phase motors;
d. Motor seizures;
e. The proximity of flammable materials or fluids;
f. The proximity of other aeroplane installations;
g. Spillage of fluids, such as toilet waste;
h. Accumulation of combustible material; and
i. Cooling air discharge under normal operating or failure conditions. ]
[ AMJ 25.1322
Alerting Systems
1. INTRODUCTION
This AMJ gives general guidance on the design and certification of alerting systems. The term "alerting system" is meant to include all the Warnings, Cautions and Advisories (see paragraph 3 below) on the flight deck whether they are provided by a single system or not. It includes both the means used to draw the attention of the crew to the existence of an abnormality or an aircraft condition and the means of identifying it. In any case where the guidance appears to conflict with a specific JAR-25 requirement the requirement must take priority.
2. RELEVANT JAR-25 REQUIREMENTS & RELATED DOCUMENTS
2.1 Requirements and associated ACJ
JAR 25.207 Stall warning
JAR 25.672(a) Stability augmentation and automatic power-operated systems
JAR 25.699 Lift and drag device position
JAR 25.703 Take-off warning
JAR 25.729(e) Gear not extended warnings
JAR 25.783(e) Doors not locked warnings
JAR 25.841(b) Cabin altitude warning
JAR 25.857(c) Cargo compartment smoke warnings
JAR 25.1203 Fire-detector system
JAR 25.1303(b)(5) Attitude display systems
JAR 25.1303(c)(1) VMO/MMO warning
JAR 25.1305 Engine warnings
JAR 25.1309(c) Warning information
JAR 25.1322 Warnings and cautions
JAR 25B1305 APU fire warning
JAR-AWO 153 Audible warning of automatic pilot failure
JAR-AWO 253 Audible warning of automatic pilot failure
JAR-AWO 352 Indications and warnings ]
[ 2.2 Related Documents
1 AMJ 25-11 Electronic Display Systems
2 ARP 4102/4 Flight Deck Alerting System (FAS) Society of Automotive
Engineers. July 1988.
3 ARINC "Flight Warning Computer System" 8.9.80
Characteristic
726
4 CAA Paper "Guidelines for Auditory Warnings Systems
82017 on Civil Aircraft." November 1982
5 DOT/FAA/ "Aircraft Alerting Systems Standardisation Study"
RD-81/38.11 Volume 2 "Aircraft Alerting Systems Design Guidelines".
3. DEFINITIONS
In this AMJ, where the following terms are used, they have the following meanings:
Alert A signal to the crew intended to draw their attention to the existence of an abnormality, system fault or aircraft condition and to identify it.
False Alert An incorrect alert caused by a failure of the alerting system.
Nuisance Alert An unwanted alert not caused by an alerting system failure but by any other cause.
Warning Immediate recognition and corrective or compensatory action by the crew is required.
Caution Immediate crew awareness is required and subsequent crew action will be required.
Advisory Crew awareness is required and subsequent crew action may be required.
Message A caption light or text on a display system providing information on an abnormality or aircraft condition.
4. ALERTING (ATTENTION-GETTING) (See also Table 1)
4.1 The crew should be alerted to the presence of a Warning or Caution message by an attention-getting device. This may be achieved by any of the following:
4.1.1 Flashing red light for Warnings and flashing amber light for Cautions.
4.1.2 An aural signal coded to distinguish between a Warning and a Caution accompanied by steady or flashing red or amber lights (see 4.1.1).
4.1.3 A voice alert accompanied by steady or flashing lights.
There need not be an attention-getting signal for an Advisory.
4.2 The lights referred to in 4.1 above should be placed where they are in the normal field of view of each crew member (e.g. on or immediately below the glare shield) and visible in all lighting conditions but without being blinding. Manual dimming should not be provided unless the minimum setting retains adequate attention-getting qualities when flying from night into day conditions or an aural alert is also provided. Automatic dimming may be provided if an aural alert is also provided. ]
[ 4.3 If aural signals are provided, the signal for a Warning should always take priority over that for a Caution. Voice alerts should be heard in order of priority.
4.4 It should be possible for the crew to extinguish an alerting light and silence an aural alert, preferably by pressing the light, unless JAR requires otherwise.
TABLE 1
ALERTING SYSTEM
CHARACTERISTICS
CATEGORY CRITERIA (ATTENTIONGETTING) NOTES
AURAL VISUAL
Warning Immediate recognition and corrective Optional unless Red Visual alert
or compensatory action by the crew required by JAR should flash
is required if no aura
Caution Immediate crew awareness Optional unless Amber Visual alert
is required and subsequent required by JAR should crew action will be required flash if no
aural
Advisory Crew awareness is required and
subsequent crew action may be
required. None Not red
Note: Some sub-division of Caution and/or Advisory alert categories is permitted if justified.
5. VISUAL SIGNALS
5.1 Warning and Caution messages should be grouped on a panel or display visible to all members of the minimum flight crew. Where it is not possible to find a single location visible to all crew members, duplicate panels or displays should be added. If space constraints make it necessary to split the panel into two parts located in different places, both parts should be visible to all members of the minimum flight crew and the alerting lights referred to in paragraph 4.1 should direct the attention of the crew to the appropriate part.
5.2 Warning messages as required by JAR 25.1322 should be red and Caution messages should be amber. Advisories may be any colour except red, and preferably not amber.
5.3 The design of the aeroplane and its systems should be such as to minimise the number of warnings necessary.
5.4 Captions on the panel or messages on the display should be unambiguous and easily readable, i.e. they should identify the fault or abnormality clearly enough to direct the crew to the correct procedure.
Where the caption or message does not identify the nature and location of the fault sufficiently precisely to ensure the correct remedial action, additional indications should be located close to, or preferably on the appropriate switches or controls to direct the crew to them. In particular, engine fire warnings should be repeated on or near the controls for the appropriate engine so as to minimise the risk of shutting down the wrong engine.
5.5 Caution and Advisory messages on the panel or display may be suppressed by the crew provided that there remains an indication that an abnormality still exists and the message can be recalled to the display by the crew.
5.6 If a failure causes the display of a number of related messages (e.g. an engine failure resulting in loss of hydraulic and electrical systems) the messages, where practicable, should be shown (e.g. on a CRT) in the order in which crew action is required.
Where the display is unable to show all the resulting messages an indication should be given that messages additional to those shown exist and it must be possible for the crew to have those additional messages shown. ]
[ 6. AURAL SIGNALS (Excluding Voice)
6.1 The number of different aural signals on the flight deck, including those for Warnings, Cautions, altitude alert, marker beacons etc., should be minimised and it is strongly recommended that the total should not exceed eight. (Marker beacon signals may be counted as a single system).
6.2 Dedicated aural signals should be provided only where specified by airworthiness or operational requirements and where normal aural alerts (reference paragraph 4.1.2) cannot meet these requirements.
6.3 It is strongly recommended that aural signals are supplied both to headsets and a flight deck loudspeaker, so that the signals are audible to the crew whether they are wearing headsets (taking into account their noise attenuation characteristics) or not.
6.4 The loudness of aural signals should be set so as to ensure that they will be heard under all foreseeable operating conditions. The minimum volume achievable by any manual adjustment (if provided) of aural signals should be adequate to ensure an alert if the level of flight deck noise subsequently increases. It is recommended that automatic volume control is provided to compensate for changing ambient noise. ]
6.5 Both the pitch and the temporal pattern of aural signals should be varied to make them distinctive from one another.
6.6 Some aural signals are not permitted by the requirements to be silenced except by a return to normal conditions, e.g. overspeed and take-off configuration and, in some conditions, landing gear warning.
6.7 There should be only one aural signal at a time. If the possibility of two or more aural signals at the same time cannot be avoided it should be shown that each signal is clearly intelligible to the crew. The order in which the signals are presented should be that in which crew action is required.
7. GENERAL
7.1 Warnings, Cautions and Advisories, that require no crew action in a particular phase of flight, may be inhibited if it is safer to do so. Substantiation should be provided on request. However, if it occurs before entering a flight phase when it would be inhibited, the inhibition should not operate on that message.
Inhibited messages should be revealed in order of priority at the end of the inhibition phase.
7.2 The crew should be able to isolate the attention-getting device in the event of a fault in the alerting system so as to avoid continuous unwanted operation. Rearming of the alerting system before the next flight may be accomplished either -
7.2.1 Automatically, or
7.2.2 Manually if the absence of rearming is clear and unmistakable.
7.3 There should be no significant delay in an alert after the attainment of a Warning or Caution threshold unless the level of urgency and the flight phase permits it.
8. RELIABILITY AND INTEGRITY
For establishing compliance of the alerting system with JAR 25.1309, both the failure to operate when required and unwanted operation should be considered -
8.1 The reliability of the alerting system should be compatible with the Safety Objectives associated with the system function for which it provides an alert. Crew alerting of certain parameters may be an Essential function. Where this is so, loss of crew alerting should be Improbable. ]
[ 8.2 The alerting system should be designed to avoid false and nuisance alerts. The possible effects of a false alert should be assessed for each function and taken into account in establishing the required Safety Objectives. In addition, the occurrence rate of false and nuisance alerts should be low enough to maintain crew confidence in the alerting system.
8.3 In demonstrating compliance with paragraph 8.1 it would also be necessary to show that -
a. No probable single failure can cause the total loss of either the Warning or the Caution attention-getting means defined in 4.1.
b. If a single failure can cause the loss of the central warning and caution panel or display, adequate secondary means of identification is provided, where necessary.
c. A single failure which could cause the loss or failure of a system function does not also result in the loss of any associated alerting function unless the consequences are minor.
8.4 The alerting functions associated with those systems which may be essential for continued safe flight and landing should be available when the aircraft is operating without normal electrical power.
8.5 It should be possible to test the system to the extent necessary to comply with JAR 25.1309. It should also be possible for the crew to check all alerting system indication filaments or other display devices. ]
[AMJ 25X1591
Supplementary Performance Information for Take-off from Wet Runways and for Operation on Runways Contaminated by Standing Water, Slush, Loose Snow, Compacted Snow or Ice
See JAR 25X1591
1 Purpose
This AMJ provides information, guidelines, recommendations and acceptable means of compliance concerning take-off performance information for wet runways and take-off and landing performance information for runways contaminated by standing water, slush, loose snow, compacted snow or ice.
The procedures set forth herein are one acceptable means of compliance with the provision of JAR 25X1591. Any alternate means, including direct testing, proposed by the Applicant will be given due consideration.
2 Runway Conditions
2.1 Dry Runway
In addition to those runways which are not " wet " or "contaminated" according to the definitions stated in paragraphs 2.2 to 2.5, this category includes those runways which have been specially prepared with grooves or porous pavement and maintained to retain "effectively dry" braking action even when moisture is present.
2.2 Wet Runway
A runway is considered as wet when it is well soaked but without significant areas of standing water.
A runway is considered well soaked when there is sufficient moisture on the runway surface to cause it to appear reflective.
2.3 Runway Contaminated by Standing Water, Slush or Loose Snow
A runway is considered to be contaminated when more than 25% of the runway surface area (whether in isolated areas or not) within the required length and width being used, is covered by surface water, more than 3mm (0·125 inch) deep, or by slush, or loose snow, equivalent to more than 3mm (0·125 inch) of water.
2.4 Runway Contaminated by Compacted Snow
A runway is considered contaminated by compacted snow when covered by snow which has been compressed into a solid mass which resists further compression and will hold together or break into lumps if picked up.
2.5 Runway Contaminated by Wet Ice
A runway surface condition where braking action is expected to be very low, due to the presence of wet ice.
3 Acceptable Means of Compliance
3.1 General Conditions
Take-off performance information for wet runways and take-off and landing performance information for runways contaminated by standing water, slush, loose snow, compacted snow or ice should be determined in accordance with the following assumptions:
3.2 Take-off Performance Information for Wet Runways
3.2.1 The supplementary performance information required by JAR 25X1591 should include accelerate-stop distance, take-off distance and take-off run appropriate to a wet runway, defined as follows: ]
[a. The accelerate-stop distance on a wet runway is the greater of the following:
i. The sum of the distances necessary to -
A Accelerate the aeroplane with all engines operating from a standing start to VEF corresponding to VSTOP;
B Accelerate the aeroplane from VEF to VSTOP and continue the acceleration for 2·0 seconds after Vstop is reached, assuming the critical engine fails at VEF; and
C Come to a full stop on a wet runway from the point reached at the end of the acceleration period prescribed in sub-paragraph (a)(i)(B), assuming that the pilot does not apply any means of retarding the aeroplane until that point is reached and that the critical engine is still inoperative.
ii. The sum of the distances necessary to -
A Accelerate the aeroplane from a standing start to VSTOP and continue the acceleration for 2·0 seconds after VSTOP is reached, with all engines operating; and
B Come to a full stop on a wet runway from the point reached at the end of the acceleration period prescribed in sub-paragraph (a)(ii)(A), assuming that the pilot does not apply any means of retarding the aeroplane until that point is reached and that all engines are still operating.
b. The take-off distance on a wet runway is the greater of the following:
i. The horizontal distance along the take-off path from the start of the take-off to the point at which the aeroplane is 15ft above the take-off surface, achieved in a manner consistent with the achievement of V2 before reaching 35ft above the take-off surface, as determined under JAR 25.111 and assuming that the critical engine fails at VEF corresponding to VGO.
ii. 115% of the horizontal distance along the take-off path, with all engines operating, from the start of the take-off to the point at which the aeroplane is 35 ft above the take-off surface, as determined by a procedure consistent with JAR 25.111. (See ACJ 25.113(a)(2).)
c. The take-off run on a wet runway is the greater of the following:
i. The horizontal distance along the take-off path from the start of the take-off to a point at which VLOF is reached, as determined under JAR 25.111 and assuming that the critical engine fails at VEF corresponding to VGO.
ii. 115% of the horizontal distance along the take-off path, with all engines operating, from the start of the take-off to the point equidistant between the point at which VLOF is reached and the point at which the aeroplane is 35 ft above the take-off surface, as determined by a procedure consistent with JAR 25.111. (See ACJ 25.113(a)(2).)
NOTE: VSTOP is the highest decision speed from which the aeroplane can stop within the accelerate-stop distance available. VGO is the lowest decision speed from which a continued take-off is possible within the take-off distance available.
3.2.2 Means other than wheel brakes may be used to determine the accelerate-stop distance if that means -
a. Is safe and reliable;
b. Is used so that consistent results can be expected under normal operating conditions; and
c. Is such that exceptional skill is not required to control the aeroplane.
3.2.3 Wheel-braking characteristics on wet runways may be derived on the basis of sub-paragraphs (a) or (b) - ]
[a. Assuming a wheel-braking coefficient of friction (µBWET) equal to the non-torque limited wheel braking coefficient of friction measured on a dry runway ((µBDRY), factored in accordance with Table 1. However, µBWET must not exceed either -
- That appropriate to the wheel-brake torque limit for the conditions, or
- 0·40
- The derivation µBWET is illustrated in Figure 1.
TABLE 1
Ground Speed (knots) 20 40 60 80 100 120 140 160
Factor µBWET 0·64 0·64 0·62 0·57 0·52 0·48 0·44 0·41
µBDRY
FIGURE 1
KEY: _____________ Measured wheel-braking coefficient of friction on a dry runway when not torque limited, µBDRY
_ _ _ _ _ _ _ _ Measured wheel-braking coefficient of friction on a dry runway when torque limited
___ _ ___ _ ___ Derived non-torque limited µBWET, factored from µBDRY
__ _ _ __ _ _ __ Extrapolation of derived non-torque limited µBWET line to 0·4 at zero speed
Derived value of wheel-braking coefficient of friction on a wet runway, µBWET
NOTE: Measurements at low weight may be made to extend the wheel-braking coefficient of friction when not torque limited, µBDRY, down to speeds below that at which the torque limit is encountered at high weight. ]
[ b. When dry runway wheel-braking characteristics have been based on a mean effective wheel-braking coefficient of friction ( DRY), appropriate to the initial wheel-braking conditions, the wheel-braking characteristics on wet runways may be derived by assuming a mean effective wheel-braking coefficient of friction ( WET) equal to the non-torque limited mean effictive wheel-braking coefficient of friction established for a dry runway ( DRY ) factored by 0·5.
3.3 Take-off Performance Information for Contaminated Runways
3.3.1 The supplementary performance information required by JAR 25X1591 should include accelerate-stop distance, take-off distance and take-off run appropriate to the relevant contaminant, derived in accordance with the general provisions of paragraph 3.2.1.
a. Standing water, slush or loose snow
Assumptions relating to wheel-braking coefficient of friction should be those of paragraph 3.5 and assumptions relating to precipitation drag should be those of paragraph 4.
b. Compacted snow or ice
Assumptions relating to wheel-braking coefficient of friction should be those of paragraph 3.5.
3.3.2 In establishing accelerate-stop distance, performance credit for reverse thrust may be assumed, subject to compliance with the general provisions of paragraph 3.2.2 being shown.
3.4 Landing Performance Information for Contaminated Runways
3.4.1 The supplementary performance information required by JAR 25X1591 should include landing distance appropriate to the relevant contaminant, derived in accordance with the general provisions of JAR 25.125(a).
However, the airborne distance should be calculated by assuming 7 seconds to elapse between passing through 50 ft height and touchdown. In the absence of flight test data to substantiate a lower value, the touchdown speed should be assumed to be 93% of the threshold speed. (See paragraph 5.3).
a. Standing water, slush or loose snow
Assumptions relating to wheel-braking coefficient of friction should be those of paragraph 3.5 and assumptions relating to precipitation drag should be those of paragraph 4.
b. Compacted snow or ice
Assumptions relating to wheel-braking coefficient of friction should be those of paragraph 3.5.
3.4.2 Means other than wheel brakes may be used to determine the landing distance if that means -
a. Is safe and reliable;
b. Is used so that consistent results can be expected under normal operating conditions; and
c. Is such that exceptional skill is not required to control the aeroplane.
3.5 Wheel-braking Characteristics on Contaminated Runways
a. For runways contaminated by standing water, slush or loose snow, as defined in paragraph 2.2, a wheel-braking coefficient of friction of 0·25 µBDRY should be assumed at speeds equal to and below 0·9 times the estimated aquaplaning speed and 0·05 should be assumed above this speed.
b. For runways covered by compacted snow, as defined in paragraph 2.4, a wheel-braking coefficient of friction of 0·2 should be assumed.
c. For runways covered by wet ice, as defined in paragraph 2.5, a wheel-braking coefficient of friction of 0·05 should be assumed. ]
[4 Information on Precipitation Drag
During the take-off acceleration, account should be taken of precipitation drag. During the accelerate-stop deceleration and at landing, credit may be taken for precipitation drag.
Calculations should take account of landing gear displacement drag and spray impingement drag as follows:
4.1 Landing Gear Displacement Drag
a. Basic Tyre Drag
The drag on the tyre is given by -
D = CD . ½r . V2 S
Where r is the density of the precipitation and S is the frontal area.
S = b X d where d is the depth of precipitation and b is the tyre width at the surface and may be found from -
Where W is the maximum width of the tyre and d is the tyre deflection, which may be obtained from tyre manufacturers' load-deflection curves.
The value of CD may be taken as 0·75 for an isolated tyre.
b. Multiple Wheels
The drag on two wheels side by side is usually less than that of two separate wheels. A single tyre clears a path of about 3 times its own footprint width, so if two tyres are set side by side with a spacing of less than 2b between them the cleared paths will overlap and the total amount of slush displaced will be reduced, with a proportionate reduction in drag. There is however, an interference effect caused by the spray from one wheel striking its neighbour. The drag of spray striking the landing gear structure may also be important.
A typical dual wheel trailing arm arrangement shows a drag 1·6 times the single wheel drag (including interference) whereas the factor can be up to twice the single wheel drag if the wheels are in front of the main leg. For a typical four wheel bogie layout the drag was 3·35 times the single wheel drag (again including interference).
4.2 Spray Impingement Drag
Spray thrown up by the wheels, particularly the nose-wheels, may strike the airframe and cause further drag. In some layouts, this component of the drag can greatly exceed the displacement drag of the nose-wheels.
In order to assess the drag, it is necessary to know the angles of the spray plumes so that they can be compared with the geometry of the aircraft. The angle at which the plumes rise is generally between 10º and 20º; it varies rapidly with speed and depth of precipitation and to a small extent with tyre geometry. A method for estimating the plume angles in plan and elevation is given in Ref. 1 and this may be used in the absence of experimental evidence. The information may be used to indicate those parts of the airframe which will be struck by spray, in particular whether the nose-wheel plumes will strike the main landing gear or open wheel-wells and whether the main-wheel plumes will strike the rear fuselage or flaps.
The spray drag can be estimated on the basis of the usual skin friction drag equation, using a CD of 0·0025, but it is difficult to estimate the effective density of the fluid in the spray plume. An empirical relationship which converts the skin friction drag into an equivalent displacement drag based on nose-wheel alone drag measurements on three aircraft (CV880, Canberra, Trident), is as follows:
CDspray = 8 x L x 0·0025
Where CDspray is to be applied to the total nose-wheel displacement area (b x d x number of wheels), and L is the length in feet of fuselage behind the point at which the top of the plume reaches the height of the bottom of the fuselage. ]
[ The relation can also be used in the case of main-wheel spray striking the rear fuselage. In this case only the inner plume from the innermost wheel is involved, so the relevant displacement area is half that of one main wheel.
This relation applies only when there are no large areas normal to the flow. If such areas are present, e.g. if the spray plume strikes the main landing gear, it is possible to use the spray pattern data in Ref. 1 and Ref. 2 to determine the percentage of the total fluid displaced which will strike a bluff surface and to estimate the momentum loss of this mass of fluid.
Ref. 1 : ESDU Data Item 83042 "Estimation of Spray Patterns Generated from the sides of A/C tyres running in water or slush".
Ref. 2 : NASA Report TP-2718 "Measurement of flow rate and trajectory of aircraft tire-generated water spray".
4.3 Effect of Aquaplaning Speed
In the absence of test evidence the following can be used:
a. The aquaplaning speed VP is given by -
VP = 9
Where VP is ground speed in knots, P is tyre pressure in lb/sq inch and s is the specific gravity of the precipitation.
or VP = 34
Where P is the tyre pressure in kg/sq cm.
b. Above VP the precipitation drag decreases as the tyres rise and the angle of the spray plumes decreases. Figure 2, taken from the ICAO Airworthiness Technical Manual, illustrates this variation of drag with speed and also shows how it varies with specific gravity of precipitation. As specific gravity decreases, VP rises and the peak drag occurs at a higher speed. If this speed is closer to the more sensitive area of the take-off, the overall effect on take-off distance may be more severe. It is therefore necessary to repeat the calculation for the whole range of specific gravity to be considered in respect of water and slush, e.g. from 1·0 down to about 0·4.
FIGURE 2 ]
[c. An acceptable method of calculating the drag above VP is to reduce CD as shown by the curve in Figure 3. This relationship applies to both displacement and spray drag.
FIGURE 3
4.4 Precipitation Depth
For continued take-off, accelerate-stop and landing, it should be assumed that the whole manoeuvre takes place in precipitation having a depth equal to the nominal average depth of precipitation.
5 Presentation of Supplementary Performance Information
5.1 General
Performance information for contaminated runways, derived in accordance with the provisions of paragraphs 3.3 and 3.4 should be accompanied by the following statements:
a. The level of safety is decreased when operating on contaminated runways and therefore every effort should be made to ensure that the runway surface is cleared of any significant precipitation.
b. The performance information assumes any standing water, slush or loose snow to be of uniform depth and density.
c. The provision of performance information for contaminated runways should not be taken as implying that ground handling characteristics on these surfaces will be as good as can be achieved on dry or wet runways, in particular, in cross-winds and when using reverse thrust.
5.2 Take-off
The supplementary performance information provided for take-off should show the distances for continued and rejected take-off and associated operational speeds, with all engines operating and with failure of one engine during take-off, for wet runways and, where approval is sought by the applicant for take-off operations on contaminated runways, for the conditions defined in paragraphs 2.3, 2.4 and 2.5.
The information should be such that it is possible to determine - ]
[a. The highest decision speed from which the aircraft can stop within the accelerate-stop distance available (VSTOP), and the lowest decision speed from which a continued take-off is possible within the take-off distance available (VGO), or
b. The weight at which, for a given runway length, VGO equals VSTOP.
5.3 Landing
Information should be presented giving the landing distance (actual unfactored) for the contaminated runway conditions defined in paragraphs 2.3, 2.4 and 2.5, with all engines operating, for speeds at the runway threshold from VREF to VREF + 10 knots, where VREF is the speed determined in accordance with JAR 25.125(a)(2).
6 Regulatory Status of Supplementary Information
The supplementary performance information should include an explanation of its regulatory status substantially in accordance with sub-paragraphs (a) and (b) -
a. General
This information has been prepared by the manufacturer and approved by the Authority in the form of guidance material, to assist operators in developing suitable guidance, recommendations or instructions for use by their flight crews when operating on wet/contaminated runway surface conditions.
Except as provided in sub-paragraph (b), this information does not in any way replace or amend the Operating Limitations and Performance Information listed in (other parts of) the approved aeroplane Flight Manual.
b. Operating Limitations
The applicable regulations in some countries participating in JAR may require certain elements of supplementary performance information to be established as additional limitations for the operation of the aeroplane. ]
Advisory Material Joint - AMJ
[AMJ 25-11
Electronic Display Systems
Purpose
This Advisory Material Joint (AMJ) provides guidance for certification of cathode ray tube (CRT) based electronic display systems used for guidance, control, or decision-making by the pilots of transport category aeroplanes. Like all advisory material, this document is not, in itself, mandatory and does not constitute a regulation. It is issued to provide guidance and to outline a method of compliance with the rules.
This AMJ is similar to FAA Advisory Circular AC 25-11 dated 16 July 1987. Differences between the two texts are indicated in accordance with normal JAA practice by underlining.
Scope
The material provided in this AMJ consists of guidance related to pilot displays and specifications for CRTs in the cockpit of commercial transport aeroplanes. The content of the AMJ is limited to statements of general certification considerations, including display function criticality and compliance considerations; colour, symbology, coding, clutter, dimensionality, and attention-getting requirements; display visual characteristics; failure modes; information display and formatting; specific integrated display and mode considerations, including maps, propulsion parameters, warning, advisory, check list procedures and status displays.]
[ 1. Background
a. The initial certification of CRTs as primary flight instruments, both in Europe and the United States, was coincident with major airframe certifications. The prime airframe manufacturers invested extensive preliminary laboratory work to define the system architecture, software design, colours, symbols, formats, and types of information to be presented, and to prove that these resulting displays would provide an acceptable level of safety. The flight test programmes gave many hours exposure of the electronic display systems to company test pilots, Authority test pilots, and customer pilots. Certification of the displays came at the end of this process. Because of this pre-certification exposure, the Authority had a high degree of confidence that these displays were adequate for their intended function and safe to use in foreseeable normal and failed conditions.
b. The initial electronic display designs tended to copy the electromechanical display formats. As a result, pilots have evaluated the new displays using the electromechanical displays as a reference. As electronic display systems evolve, there is great potential for significant improvements in information interchange between the system (aeroplane) and the pilot. The Authority intends to allow a certification environment that will provide the greatest flexibility commensurate with safety.
2. Glossary of Acronyms
AC Advisory Circular published by FAA
ACJ Advisory Circular Joint
ADF Automatic Direction Finder
ADI Attitude Director Indicator
AFCS Automatic Flight Control System
AFM Aeroplane Flight Manual
AIR Aerospace Information Report (SAE)
AMJ Advisory Material Joint
ARP Aerospace Recommended Practice (SAE)
AS Aerospace Standard (SAE)
CDI Course Deviation Indicator
CRT Cathode Ray Tube
DOT Department of Transportation
EADI Electronic Attitude Director Indicator
ED EUROCAE Document
EFIS Electronic Flight Instrument System
EHSI Electronic Horizontal Situation Indicator
EUROCAE The European Organisation for Civil Aviation Equipment
FAA Federal Aviation Administration
FAR Federal Aviation Regulations
HSI Horizontal Situation Indicator
ILS Instrument Landing System
INS Inertial Navigation System
JAA Joint Aviation Authorities
JAR Joint Aviation Requirements
JTSO Joint Technical Standard Order
MEL Minimum Equipment List
PFD Primary Flight Display
RNAV Area Navigation
ROM Read Only Memory
RTCA Radio Technical Commission for Aeronautics
RTO Rejected Take-off
SAE Society of Automotive Engineers
STC Supplemental Type Certificate
TSO Technical Standard Order
VOR Very High Frequency Omnirange Station ]
[3. Related Requirements And Documents
a. Requirements
Compliance with many sections of JAR-25 may be related to, or dependent on, cockpit displays, even though the regulations may not explicitly state display requirements. Some applicable paragraphs of JAR-25 are listed below. The particular compliance method chosen for other regulations not listed here may also require their inclusion if CRT displays are used in the flight deck.
25.207 Stall warning.
25.672 Stability augmentation and automatic and power-operated systems.
25.677 Trim systems.
25.699 Lift and drag device indicator.
25.703 Take-off warning system.
25.729 Retracting mechanism.
25.771 Pilot compartment.
25.777 Cockpit controls.
25.783 Doors.
25.812 Emergency listing.
25.841 Pressurised cabins.
25.857 Cargo compartment classification.
25.858 Cargo compartment fire detection systems.
25.859 Combustion heater fire protection.
25.863 Flammable fluid fire protection.
25.901 Powerplant installation.
25.903 Engines.
25.1019 Oil strainer or filter.
25.1141 Powerplant controls: general.
25.1165 Engine ignition systems.
25.1199 Extinguishing agent containers.
25.1203 Fire detector systems.
25.1301 Equipment: function and installation.
25.1303 Flight and navigation instruments.
25.1305 Powerplant instruments.
25.1309 Equipment, systems, and installations.
25.1321 Arrangement and visibility.
25.1322 Warning, caution, and advisory lights.
25.1323 Airspeed indicating system.
25.1326 Pitot heat indication systems.
25.1329 Automatic pilot system.
25.1331 Instruments using a power supply.
25.1333 Instrument systems.
25.1335 Flight director systems.
25.1337 Powerplant instruments.
25.1351 Electrical systems and equipment: general.
25.1353 Electrical equipment and installations.
25.1355 Distribution system.
25.1381 Instrument lights.
25.1383 Landing lights.
25.1431 Electronic equipment.
25.1435 Hydraulic systems.
25.1441 Oxygen equipment and supply.
25.1457 Cockpit voice recorders.
25.1459 Flight recorders.
25.1501 Operating limitations and information: general.
25.1523 Minimum flight crew.
25.1541 Markings and placards: general.
25.1543 Instrument markings: general.
25.1545 Airspeed limitation information.
25.1549 Powerplant and auxiliary power unit instruments.
25.1551 Oil quantity indicator.
25.1553 Fuel quantity indicator.
25.1555 Control markings.
25.1581 Aeroplane flight manual: general. ]
[ JAR 25B1305 APU instruments
JAR-AWO All Weather Operations (Subpart 2 Cat II Operations and Subpart 3 Cat III Operations) National operational regulations relative to instrument and equipment requirements.
b. Advisory Circulars, ACJs and AMJs
AC 20-88A Guidelines on the Marking of Aircraft Powerplant Instruments (Displays).
AMJ 25.1309 System Design Analysis.
ACJ 25.1329 Automatic Pilot Systems Approval.
AC 90-45A Approval of Area Navigation Systems for Use in the U.S. National Airspace System.
AMJ 25.1322 Alerting Systems
National operational regulations relative to Cat I, II and III approaches.
c. Technical Standard Orders
TSO-C113 Airborne Multipurpose Electronic Displays.
d. Industry Documents
(1) The following documents are available from the EUROCAE 11, rue Hamelin 75783, Paris Cedex 16, France:
ED14B/RTCA DO-160B Environmental Conditions and Test Procedures for Airborne Equipment.
ED12A/RTCA DO-178A Software Considerations in Airborne Systems and Equipment Certification.
ED58 Minimum Operational Performance Specification for Airborne Area Navigation Equipment using Multi-sensor Inputs.
(2) The following documents are available from the Society of Automotive Engineers, Inc. (SAE), 400 Commonwealth Drive, Warrendale, PA. 15096, USA:
ARP 268F Location and Actuation of Flight Deck Controls for Transport Aircraft.
AS 425B Nomenclature and Abbreviations, Flight Deck Area.
ARP 4102-4 Flight Deck Alerting System.
ARP 926A Fault/Failure Analysis Procedure.
ARP 1068B Flight Deck Instrumentation, Display Criteria and Associated Controls for Transport Aircraft.
ARP 1093 Numeral, Letter and Symbol Dimensions for Aircraft Instrument Displays.
ARP 1161 Crew Station Lighting - Commercial Aircraft.
ARP 1834 Fault/Failure Analysis for Digital Systems and Equipment.
ARP 1874 Design Objectives for CRT Displays for Part 25 (Transport) Aircraft.
AS 8034 Minimum Performance Standards for Airborne Multipurpose Electronic Displays.
(3) The following documents are presently in draft form:
ARP 1782 Photometric and Colormetric Measurement Procedures for Direct View CRT Display Systems.
ARP 4032 Human Integration Color Criteria and Standards.
NOTE: In the event of conflicting information, this AMJ takes precedence as guidance for certification of transport category aeroplane installations. ]
[ e. Research Reports. The following documents are available through the National Technical Information Service, Springfield, Virginia 22161, USA:
DOT/FAA/RD-81/38. II Aircraft Alerting Systems
Standardization Study
Volume II
Aircraft Alerting Systems Design Guidelines.
DOT/FAA/PM-85-19 The Development and Evaluation of Color Systems
for Airborne Applications.
4. General Certification Considerations
Introductory Note: When Improbable means Extremely Remote the latter is used, otherwise it means Remote.
a. Display Function Criticality. The use of electronic displays allows designers to integrate systems to a much higher degree than was practical with previous aeroplane flight deck components. With this integration can come much greater simplicity of operation of the aeroplane through automation of navigation, thrust, aeroplane control, and the related display systems. Although normal operation of the aeroplane may become easier, failure state evaluation and the determination of criticality of display functions may become more complex. This determination should refer to the display function and include all causes that could affect the display of that function, not only the display equipment. "Loss of display," for example, means "loss of capability to display".
(1) Criticality of flight and navigation data displayed should be evaluated in accordance with the requirements in JAR 25.1309 and 25.1333. AMJ 25.1309 clarifies the meaning of these requirements and the types of analyses that are appropriate to show that systems meet them. AMJ 25.1309 also provides criteria to correlate the depth of analyses required with the type of function the system performs (non-essential, essential or critical); however, a system may normally be performing non-essential or essential functions from the standpoint of required availability and have potential failure modes that could be more critical. In this case, a higher level of criticality applies. Pilot evaluation may be a necessary input in making the determination of criticality for electronic displays. AMJ 25.1309 recommends that the flight test pilot-
(i) Determines the detectability of a failure condition,
(ii) Determines the required subsequent pilot actions, and
(iii) Determines if the necessary actions can be satisfactorily accomplished in a timely manner without exceptional pilot skill or strength.
(2) Software-based systems should have the computer software verified and validated in an acceptable manner. One acceptable means of compliance for the verification and validation of computer software is outlined in ED12A/DO-178A. Software documentation appropriate to the level to which the verification and validation of the computer software has been accomplished should be provided as noted in ED12A/DO178A.
(3) Past certification programs have resulted in the following determinations of display criticality. Unconventional aeroplane and display design may change these assessments. In the failure cases discussed below, hazardously misleading failures are, by definition, not associated with a suitable warning.
(i) Attitude. Display of attitude in the cockpit is a critical function. Loss of all attitude display, including standby attitude, is a critical failure and must be Extremely Improbable. Loss of primary attitude display for both pilots must be Improbable. Display of hazardously misleading roll or pitch attitude simultaneously on the primary attitude displays for both pilots must be Extremely Improbable.
Display of dangerously incorrect roll or pitch attitude on any single primary attitude display, without a warning must be Extremely Remote.
(ii) Airspeed. Display of airspeed in the cockpit is a critical function. Loss of all airspeed display, including standby, must be assessed in accordance with JAR 25.1333(b).* Loss of primary airspeed display for both pilots must be Improbable. Displaying hazardously misleading airspeed simultaneously on both pilots' displays, coupled with the loss of stall warning or overspeed warning functions, must be Extremely Improbable.
(iii) Barometric Altitude. Display of altitude in the cockpit is a critical function. Loss of all altitude display, including standby, must be assessed in accordance with JAR 25 1333(b).* Loss of primary altitude display for both pilots must be Improbable. Displaying hazardously misleading altitude simultaneously on both pilots' displays must be Extremely Improbable. ]
[ (iv) Vertical Speed. Display of vertical speed in the cockpit is an essential function. Loss of vertical speed display to both pilots must be Improbable.
(v) Rate-of-Turn Indication. The rate-of-turn indication is a non-essential function and is not required if the requirements of paragraph 4a(3)(i) are met.
NOTE: Operational rules may require the installation of a rate-of-turn indicator.
(vi) Slip/Skid Indication. The slip/skid or side slip indication is an essential function. Loss of this function to both pilots must be Improbable. Simultaneously misleading slip/skid or side slip information to both pilots must be Improbable.
(vii) Heading. Display of stabilised heading in the cockpit is an essential function. Displaying hazardously misleading heading information on both pilots' primary displays must be Improbable. Loss of stabilised heading in the cockpit must be Improbable. Loss of all heading display must be assessed in accordance with JAR 25.1333(b).*
(viii) Navigation. Display of navigation information (excluding heading, airspeed, and clock data) in the cockpit is an essential function. Loss of all navigation information must be Improbable. Displaying hazardously misleading navigational or positional information simultaneously on both pilots' displays must be Improbable.
NOTE: Because of a relationship between navigation capability and communicated navigation information, the following related requirements are included. Non-restorable loss of all navigation and communication functions must be Extremely Improbable. Loss of all communication functions must be Improbable.
General Interpretation is that it must be Extremely Imporable.
Judgement of what is "hazardously misleading" navigation information is clearly a difficult area. Failures which could potentially fall in this category need to be identified as early as possible. Nevertheless it is necessary that interpretation of what is "hazardously misleading" be agreed with the certification Authority and this may depend on the type of navigation system installed, (on board and ground installations) and the flight phase. In specific flight phases (e.g. approach or arrivals and departures) displaying hazardously misleading navigational or positional information simultaneously on both pilots' displays must be Extremely Remote. Previous certifications have shown that, in the traditional ATC environment, this level of safety has beenachieved by simultaneous display of raw radio navigation data in addition to any multi-sensor computed data.
(ix) Propulsion System Parameter Displays
(A) The required powerplant instrument displays must be designed and installed so that the failure or malfunction of any system or component that affects the display or accuracy of any propulsion system parameter for one engine will not cause the permanent loss of display or adversely affect the accuracy of any parameter for the remaining engines.
(B) No single fault, failure, or malfunction, or probable combinations of failures, shall result in the permanent loss of display, or in the misleading display, of more than one propulsion unit parameter essential for safe operation of a single engine.
(C) Combinations of failures which would result in the permanent loss of any single required powerplant parameter displays for more than one engine must be Improbable.
(D) Combinations of failures which would result in the hazardously misleading display of any parameter for more than one engine must be Extremely Improbable.
NOTE: The parameters to be considered must be agreed by the Authority.
(E) No single fault, failure, or malfunction, or combinations of failures not shown to be Extremely Improbable, shall result in the permanent loss of all propulsion system displays.
(F) Required powerplant instruments that are not displayed continuously must be automatically displayed when any inhibited parameter exceeds an operating limit or threshold, including fuel tank low-fuel advisory or maximum imbalance limit, unless concurrent failure conditions are identified where crew attention to other system displays takes priority over the powerplant instruments for continued safe operation of the aeroplane. In each case, it must be established that failure to concurrently display the powerplant instruments does not jeopardise the safe operation of the aeroplane. ]
[ (G) Propulsion system parameters essential for determining the health and operational status of the engines and for taking appropriate corrective action, including engine restart, must be automatically displayed after the loss of normal electrical power.
(H) If individual fuel tank quantity information is not continuously displayed, there must be adequate automatic monitoring of the fuel system to alert the crew of both system malfunctions and abnormal fuel management.
(x) Crew alerting display. The reliability of the alerting display should be compatible with the safety objectives associated with the system function for which it provides an alert. Crew alerting of certain parameters may be an essential function. Where this is so, loss of crew alerting should be Improbable (see AMJ 25.1322).
(xi) Flight crew Procedures. The display of hazardously misleading flight crew procedures caused by display system failure, malfunction, or misdesign must be Improbable.
(xii) Weather Radar. Display of weather radar in the cockpit is a nonessential function; however, presentation of hazardously misleading information must be Improbable.
NOTE: Operational rules may require the installation and functioning of weather radar.
b. Compliance Considerations
(1) Human Factors. Humans are very adaptable, but unfortunately for the display evaluation process, they adapt at varying rates with varying degrees of effectiveness and mental processing compensation. Thus, what some pilots might find acceptable and approvable, others would reject as being unusable and unsafe. Aeroplane displays must be effective when used by pilots who cover the entire spectrum of variability. Relying on a requirement of "train to proficiency" may be unenforceable, economically impracticable, or unachievable by some pilots without excessive mental workload as compensation.
(i) The test programme should include sufficient flight and simulation time, using a representative population of pilots, to substantiate -
(A) Reasonable training times and learning curves;
(B) Usability in an operational environment;
(C) Acceptable interpretation error rates equivalent to or less than conventional displays;
(D) Proper integration with other equipment that uses electronic display functions;
(E) Acceptability of all failure modes not shown to be Extremely Improbable; and
(F) Compatibility with other displays and controls.
The manufacturers should provide human factors support for their decisions regarding new or unique features in a display. Evaluation pilots should verify that the data supports a conclusion that any new or unique features have no human factors traps or pitfalls, such as display perceptual or interpretative problems, for a representative pilot population.
(ii) It is desirable to have display evaluations conducted by more than one pilot, even for the certification of displays that do not incorporate significant new features. At least one member of the team should have previous experience with the display principles contained in this document. For display designs that incorporate unproven features, evaluation by a greater number of pilots should be considered. To help the Authority certification team gain assurance of a sufficiently broad exposure base, the electronic display manufacturer or installer should develop a test programme with the Authority that gathers data from Authority test pilots, company test pilots, and customer pilots who will use the display. A reasonable amount of time for the pilot to adapt to a display feature can be allowed, but long adaptation times must receive careful consideration. Any attitude display format presented for Authority approval should be sufficiently natural in its design so that no training is required for basic manual aeroplane control.
(iii) For those electronic display systems that have been previously approved (including display formats) and are to be installed in aeroplanes in which these systems have not been previously approved, a routine Authority certification should be conducted. This programme should emphasise the systems' integration in the aeroplane, taking into account the operational aspects, which may require further detailed systems failure analysis (where "system" means the display, driving electronics, sensors and sources of information). ]
[ (iv) Simulation is an invaluable tool for display evaluation. Acceptable simulation ranges from a rudimentary bench test set up, where the display elements are viewed statically, to full flight training simulation with motion, external visual scene, and entire aeroplane systems representation. For minor or simple changes to previously approved displays, one of these levels of simulation may be deemed adequate for display evaluation. For evaluation of display elements that relate directly to aeroplane control (i.e. air data, attitude, thrust set parameters, etc.), simulation should not be relied upon entirely. The dynamics of aeroplane motion, coupled with the many added distractions and sensory demands made upon the pilot that are attendant to actual aeroplane flight, have a profound effect on the pilot's perception and usability of displays. Display designers, as well as Authority test pilots, should be aware that display formats previously approved in simulation may well (and frequently do) turn out to be unacceptable in actual flight.
(2) Hardware Installation
(i) It is assumed that all display equipment has met the requirements set forth in SAE Document AS 8034 or guidance provided in TSO-C113. Therefore, the purpose of the following guidance is to ensure compatibility of the flight qualified equipment with the aeroplane environment. It is recognised that the validation of acceptable equipment installations considers the individual and combined effects of the following: temperature, altitude, electromagnetic interference, radiomagnetic interference, vibration, and other environmental influences. The installation requirements of JAR-25 are applicable to critical, essential, and nonessential systems, and should be determined on a case-by-case basis by the Authority based on the specific circumstances.
(A) Analysis and testing shall be conducted to ensure proper operation of the display at the maximum unpressurised altitude for which the equipment is likely to be exposed.
(B) Electromagnetic interference analysis and testing shall be conducted to show -
(1) That the installed system is not susceptible to interference from other aeroplane systems, considering both interference of signal and power systems; and from external environment; and
(2) That the installed equipment does not affect other aeroplane systems.
(C) If improper operation of the display system can result from failures of the cooling function, then the cooling function must be addressed by analysis and test/demonstration.
(ii) Pilot-initiated pre-flight tests may be used to reduce failure exposure times associated with the safety analysis required under JAR 25.1309(d). However, expecting an equipment pre-flight test to be conducted prior to each flight may not be conservative. If the flight crew is required to test a system prior to each flight, it should be assumed, for the safety analysis, that the flight crew will actually accomplish this test once per day, providing the pre-flight test is conveniently and acceptably implemented. An automatic-test feature designed to preclude the need for pilot initiated pre-flight tests may receive credit in the safety analysis.
5. Information Separation
a. Colour Standardisation
(1) Although colour standardisation is desirable, during the initial certification of electronic displays colour standards for symbology were not imposed (except for cautions and warnings in JAR 25.1322). At that time the expertise did not exist within industry or the Authority, nor did sufficient service experience exist, to rationally establish a suitable colour standard.
(2) In spite of the permissive CRT colour atmosphere that existed at the time of initial EFIS certification programmes, an analysis of the major certifications to date reveals many areas of common colour design philosophy; however, if left unrestricted, in several years there will be few remaining common areas of colour selection. If that is the case, information transfer problems may begin to occur that have significant safety implications. To preclude this, the following colours are being recommended based on current-day common usage. Deviations may be approved with acceptable justification.
(3) The following depicts acceptable display colours related to their functional meaning recommended for electronic display systems. ]
[ (i) Display features should be colour coded as follows:
Warnings Red
Flight envelope and system limits Red
Cautions, abnormal sources Amber/Yellow
Earth Tan/Brown
Engaged modes Green
Sky Cyan/Blue
ILS deviation pointer Magenta
Flight director bar Magenta/Green
(ii) Specified display features should be allocated colours from one of the following colour sets:
Colour Set 1 Colour Set 2
Fixed reference symbols White Yellow*
Current data, values White Green
Armed modes White Cyan
Selected data, values Green Cyan
Selected heading Magenta** Cyan
Active route/flight plan Magenta White
(iii) Precipitation and turbulence areas should be coded as follows:
Precipitation 0 - 1 mm/hr Black
1 - 4 " Green
4 - 12 " Amber/Yellow
12 - 50 " Red
Above 50 " Magenta
Turbulence White or Magenta
(iv) Background colour: Background colour may be used
(Grey or other shade) to enhance display presentation.
(4) When deviating from any of the above symbol colour assignments, the manufacturer should ensure that the chosen colour set is not susceptible to confusion or colour meaning transference problems due to dissimilarities with this standard. The Authority test pilot should be familiar with other systems in use and evaluate the system specifically for confusion in colour meanings. In addition, compatibility with electro-mechanical instruments should be considered.
(5) The Authority does not intend to limit electronic displays to the above colours, although they have been shown to work well. The colours available from a symbol generator/display unit combination should be carefully selected on the basis of their chrominance separation. Research studies indicate that regions of relatively high colour confusion exist between red and magenta, magenta and purple, cyan and green, and yellow and orange (amber). Colours should track with brightness so that chrominance and relative chrominance separation are maintained as much as possible over day/night operation. Requiring the flight crew to discriminate between shades of the same colour for symbol meaning in one display is not recommended.
(6) Chrominance uniformity should be in accordance with the guidance provided in SAE Document ARP 1874. As designs are finalised, the manufacturer should review his colour selections to ensure the presence of colour works to the advantage of separating logical electronic display functions or separation of types of displayed data. Colour meanings should be consistent throughout all colour CRT displays in the cockpit. In the past, no criteria existed requiring similar colour schemes for left and right side installations using electro-mechanical instruments.
b. Colour Perception vs. Workload
(1) When colour displays are used, colours should be selected to minimise display interpretation workload. Symbol colouring should be related to the task or crew operation function. Improper colour coding increases response times for display item recognition and selection, and increases the likelihood of errors in situations where response rate demands exceed response accuracy demands. Colour assignments that differ from other displays in use, either electromechanical or electronic, or that differ from common usage (such as red, yellow, and green for stoplights), can potentially lead to confusion and information transferral problems. ]
[ (2) When symbology is configured such that symbol characterisation is not based on colour contrast alone, but on shape as well, then the colour information is seen to add a desirable degree of redundancy to the displayed information. There are conditions in which pilots whose vision is colour deficient can obtain waivers for medical qualifications under National crew licence regulations. In addition, normal ageing of the eye can reduce the ability to sharply focus on red objects, or discriminate blue/green. For pilots with such deficiency, display interpretation workload may be unacceptably increased unless symbology is coded in more dimensions than colour alone. Each symbol that needs separation because of the criticality of its information content should be identified by at least two distinctive coding parameters (size, shape, colour, location, etc.).
(3) Colour diversity should be limited to as few colours as practical, to ensure adequate colour contrast between symbols. Colour grouping of symbols, annunciations, and flags should follow a logical scheme. The contribution of colour to information density should not make the display interpretation times so long that the pilot perceives a cluttered display.
c. Standard Symbology. Many elements of electronic display formats lend themselves to standardisation of symbology, which would shorten training and transition times when pilots change aeroplane types. At least one industry group (SAE) is working toward identifying these elements and proposing suitable standards. Future revisions of this AMJ may incorporate the results of such industry efforts.
d. Symbol Position
(1) The position of a message or symbol within a display conveys meaning to the pilot. Without the consistent or repeatable location of a symbol in a specific area of the electronic display, interpretation errors and response times may increase. The following symbols and parameters should be position consistent:
(i) Autopilot and flight director modes of operation.
(ii) All warning/caution/advisory annunciation locations.
(iii) All sensor data: altitude, airspeed, glideslope, etc.
(iv) All sensor failure flags. (Where appropriate, flags should appear in the area where the data is normally placed.)
(v) Either the pointer or scale for analogue quantities should be fixed. (Moving scale indicators that have a fixed present value may have variable limit markings.)
(2) An evaluation of the positions of the different types of alerting messages and annunciations available within the electronic display should be conducted, with particular attention given to differentiation of normal and abnormal indications. There should be no tendency to misinterpret or fail to discern a symbol, alert, or annunciation, due to an abnormal indication being displayed in the position of a normal indication, and having similar shape, size or colour.
(3) Pilot and co-pilot displays may have minor differences in format, but all such differences should be evaluated specifically to ensure that no potential for interpretation error exists when pilots make cross-side display comparisons.
(4) If the display incorporates slow rate "dithering" to reduce phosphor burn from stationary symbology, the entire display should be moved at a slow rate in order to not change the spatial relationships of the symbology collection as a whole.
e. Clutter. A cluttered display is one which uses an excessive number and/or variety of symbols, colours, or small spatial relationships. This causes increased processing time for display interpretation. One of the goals of display format design is to convey information in a simple fashion in order to reduce display interpretation time. A related issue is the amount of information presented to the pilot. As this increases, tasks become more difficult as secondary information may detract from the interpretation of information necessary for the primary task. A second goal of display format design is to determine what information the pilot actually requires in order to perform the task at hand. This will serve to limit the amount of information that needs to be presented at any point in time. Addition of information by pilot selection may be desirable, particularly in the case of navigational displays, as long as the basic display modes remain uncluttered after pilot de-selection of secondary data. Automatic de-selection of data has been allowed in the past to enhance the pilot's performance in certain emergency conditions (de-selection of AFCS engaged mode annunciation and flight director in extreme attitudes).]
[ f. Interpretation of Two-Dimensional Displays. Modern electro-mechanical attitude indicators are three-dimensional devices. Pointers overlay scales; the fixed aeroplane symbol overlays the flight director single cue bars which, in turn, overlay a moving background. The three-dimensional aspect of a display plays an important role in interpretation of instruments. Electronic flight instrument system displays represent an attempt to copy many aspects of conventional electromechanical displays, but in only two dimensions. This can present a serious problem in quick-glance interpretation, especially for attitude. For displays using conventional, discrete symbology, the horizon line, single cue flight director symbol, and fixed aeroplane reference should have sufficient conspicuity such that the quick-glance interpretation should never be misleading for basic attitude. This conspicuity can be gained by ensuring that the outline of the fixed aeroplane symbol(s) always retains its distinctive shape, regardless of the background or position of the horizon line or pitch ladder. Colour contrast is helpful in defining distinctive display elements but is insufficient by itself because of the reduction of chrominance difference in high ambient light levels. The characteristics of the flight director symbol should notdetract from the spatial relationship of the fixed aeroplane symbol(s) with the horizon. Careful attention should be given to the symbol priority (priority of displaying one symbol overlaying another symbol by editing out the secondary symbol) to assure the conspicuity and ease of interpretation similar to that available in three-dimensional electro-mechanical displays.
NOTE: Horizon lines and pitch scales which overwrite the fixed aeroplane symbol or roll pointer have been found unacceptable in the past.
g. Attention-Getting Requirements
(1) Some electronic display functions are intended to alert the pilot to changes: navigation sensor status changes (VOR flag), computed data status changes (flight director flag or command cue removal), and flight control system normal mode changes (annunciator changes from armed to engaged) are a few examples. For the displayed information to be effective as an attention-getter, some easily noticeable change must be evident. A legend change by itself is inadequate to annunciate automatic or uncommanded mode changes. Colour changes may seem adequate in low light levels or during laboratory demonstrations but become much less effective at high ambient light levels. Motion is an excellent attention-getting device. Symbol shape changes are also effective, such as placing a box around freshly changed information. Short-term flashing symbols (approximately 10 seconds or flash until acknowledge) are effective attention-getters. A permanent or long-term flashing symbol that is non-cancellable should not be used.
(2) In some operations, continued operation with inoperative equipment is allowed (under provisions of an MEL). The display designer should consider the applicant's MEL desires, because in some cases a continuous strong alert may be too distracting for continued dispatch.
h. Colour Drive Failure. Following a single colour drive failure, the remaining symbology should not present misleading information, although the display does not have to be usable. If the failure is obvious, it may be assumed that the pilot will not be susceptible to misleading information due to partial loss of symbology. To make this assumption valid, special cautions may have to be included in the AFM procedures that point out to the pilot that important information formed from a single primary colour may be lost, such as red flags.
6. Display Visual Characteristics
a. Visual Display Characteristics. The visual display characteristics of electronic displays should be in accordance with SAE Documents AS 8034, ARP 1874, and ARP 1068B. The manufacturer should notify the certification engineer of those characteristics that do not meet the guidelines contained in the referenced documents.
b. Chromaticity and Luminance
(1) Readability of the displays should be satisfactory in all operating and environmental lighting conditions expected in service. Four lighting conditions known to be critical for testing are-
(i) Direct sunlight on the display through a side cockpit window (usually short term with conventional window arrangements).
(ii) Sunlight through a front window illuminating white shirts which are reflected in the CRT (a function for the CRT front plate filter).
(iii) Sun above the forward horizon and above a cloud deck in the pilot's eyes (usually a prolonged situation and the most critical of these four).
(iv) Night and/or dark environment. Brightness should be controllable to a dim enough setting such that outside vision is not impaired while maintaining an acceptable presentation. ]
[ (2) When displays are evaluated in these critical lighting situations, the display should be adjusted to a brightness level representative of that expected at the end of the CRT's normal useful life (5000 to 20000 hours), or adjusted to a brightness level selected by the manufacturer as the minimum acceptable output and measurable by some readily accomplished maintenance tests. If the former method is used, adequate evaluations should be performed to ensure that the expected end of life brightness levels are met. Some manufacturers have found, and the Authority has accepted, that 50% of original brightness level is a realistic end of life value. If the latter method is used, procedures should be established to require periodic inspections, and these limits should then become part of the service life limits of the aeroplane system.
(3) Large fields used in colour displays as background (e.g. blue sky and brown earth for attitude) for primary flight control symbols need not be easily discriminated in these high ambient light levels, provided the proper sense of the flight control information is conveyed with a quick glance.
(4) Electronic display systems should meet the luminance (photometric brightness) levels of SAE Document ARP 1874. A system designed to meet these standards should be readily visible in all the lighting conditions listed in paragraphs 6.b.(1) and 6.b.(2), and should not require specific flight testing for luminance if the system has been previously installed in another aeroplane with similar cockpit window arrangements. If the display evaluation team feels that some attributes are marginal under extreme lighting conditions, the following guidelines may be used:
(i) The symbols that convey quick-glance attitude and flight path control information (e.g., horizon line, pitch scale, fixed aeroplane symbol and/or flight path symbol, sky pointer and bank indices, flight director bars) should each have adequate brightness contrast with its respective background to allow it to be easily and clearly discernible.
(ii) The combination of colour and brightness of any subset of these symbols which may, due to relative motion of a dynamic display, move adjacent to each other and use colour as an aid for symbol separation (e.g. flight director bars and fixed aeroplane symbol), should render each symbol distinctly identifiable in the worst case juxtaposition.
(iii) Flags and annunciations that may relate to events of a time critical nature (including warnings and cautions defined in paragraph 10. of this AMJ as well as flight control system annunciations of mode reversions) should have a sufficient contrast with their background and immediate environment to achieve an adequate level of attensity (attention getting properties). Colour discrimination in high brightness ambient levels may not be necessary if the symbol remains unambiguous and clearly distinct from adjacent normal state or alphanumeric characters.
(iv) Analogue scale displays (heading, air data, engine data, CDIs, or course lines) should each have adequate brightness with its respective background to allow it to be easily and clearly discernible. Coloured warning and caution markings on scales should retain colour discrimination. Symbols used as targets and present value pointers in juxtaposition to a scale should remain distinct. If colour is required to convey the meaning of similar shaped targets or indices, the colour should remain easily discernible.
(v) Flags and annunciations should still be visible at low display brightness when the display is adjusted to the lowest usable level for flight with normal symbology (day or night).
(vi) Raster fields conveying information such as weather radar displays should allow the raster to be independently adjustable in luminance from overlaid stroke symbology. The range of luminance control should allow detection of colour difference between adjacent small raster areas no larger than 5 milliradians in principal dimension; while at this setting, overlying map symbology, if present, should be discernible.
(5) Automatic brightness adjustment systems can be employed to decrease pilot workload and increase tube lifetime. Operation of these systems should be satisfactory over a wide range of ambient light conditions including the extreme cases of a forward low sun and a quartering rearward sun shining directly on the display. A measure of manual adjustment should be retained to provide for normal and abnormal operating differences. In the past it has been found that sensor location and field of view may as significant as the tube brightness dynamics. Glareshield geometry and window location should be considered in the evaluation.
c. Other Characteristics
The displays should provide characteristics which comply with the symbol alignment, linearity, jitter, convergence, focus, line width, symbol and character size, chrominance uniformity, and reflection criteria of SAE Documents ARP 1874 and AS 8034. The manufacturer should identify any features which do not comply with these documents. The Authority test team should evaluate these characteristics during the initial certification of the displays as installed in the aeroplane with special attention to those display details which do not comply with the criteria of ARP 1874 and AS 8034. The test team will provide the determination of whether these characteristics of the display are satisfactory. ]
[ d. Flicker
Flicker is an undesired rapid temporal variation in display luminance of a symbol, group of symbols, or a luminous field. Flicker can cause mild fatigue and reduced crew efficiency. Since it is a subjective phenomena, the criteria cannot be "no flicker"; but because of the potential deleterious effects, the presence of flicker should not be perceptible day or night considering foveal and full peripheral vision and a format most susceptible to producing flicker. Refresh rate is a major determinant of flicker; related parameters are phosphor persistence and the method of generating mixed colours. Some systems will also slow down the screen refresh rate when the data content is increased (as in a map display with selectable data content). Frequencies above 55 Hz for stroke symbology or non-interlaced raster and 30/60 Hz for interlaced raster are generally satisfactory.
e. Dynamics
For those elements of the display that are normally in motion, any jitter, jerkiness, or ratcheting effect should neither be distracting nor objectionable. Screen data update rates for analogue symbols used in direct aeroplane or powerplant manual control tasks (such as attitude, engine parameters, etc.) should be equal to or greater than 15 Hz. Any lag introduced by the display system should be consistent with the aeroplane control task associated with that parameter. In particular, display system lag (including the sensor) for attitude should not exceed a first order equivalent time constant of 100 milliseconds for aeroplanes with conventional control system response. Evaluation should be conducted in worst case aerodynamic conditions with appropriate stability augmentation systems off in order to determine the acceptability of display lag.
Note: An update rate of 10 Hz for some engine parameters has been found acceptable on some aeroplanes.
7. Information Display
Display elements and symbology used in real-time "tactical" aeroplane control should be natural, intuitive, and not dependent on training or adaptation for correct interpretation.
a. Basic T
The established basic T relationships of JAR 25.1321 should be retained. Deviations from this rule, as by equivalent safety findings, cannot be granted without human factors substantiation based on well-founded research or extensive service experience from military, foreign, or other sources.
(1) Deviations from the basic T that have been substantiated by satisfactory service experience and research are as follows:
(i) Airspeed and altitude instruments external to the attitude display drooped up to 15 degrees and elevated up to 10 degrees (when measured from the centre of the attitude fixed aeroplane reference to the centre of the air data instrument).
(ii) Vertical scale type radio altimeter indication between the attitude and altitude displays.
(iii) Vertical scale display of vertical speed between attitude and altitude displays.
(2) Airspeed and altitude within the electronic display should be arranged so that the present value of the displayed parameter is located as close as possible to a horizontal line extending from the centre of the attitude indicator. The present value of heading should be vertically underneath the centre of the attitude indicator; this does not preclude an additional heading display located horizontally from the attitude display.
(i) Moving scale air data displays should have their present value aligned with the centre of the attitude display fixed aeroplane reference.
(ii) A single fixed airspeed scale with a moving pointer would optimally have certain critical ranges where the present value (or pointer position) for those ranges is within 15 degrees of a horizontal line from the attitude display fixed aeroplane reference; e.g. take-off speeds (highly dynamic) and cruise speeds (long exposure). For aeroplanes with a large speed differential between take-off and cruise, the linear trade-off with speed resolution may preclude meeting this objective. In these cases, the manufacturer should prove that instrument scan, cross-check, and readability are acceptable for all expected normal and abnormal manoeuvres and applicable failure states of the aeroplane, including variability of the user pilot population.
(iii) Multiple range, fixed airspeed scales with moving pointers should be designed so that take-off and approach speed values are located within 15 degrees of a horizontal line through the attitude display fixed aeroplane reference symbol. The range switching point and hysteresis should be logically selected so that switching is unobtrusive and not detrimental to current speed tracking tasks or dynamic interpretation. Attributes of the individual scales must be such that there is no tendency for the pilot to lose the sense of context of speed range or misinterpret the displayed speed scale. ]
[ (3) In cases of adjacent air data instruments, such as a vertical scale airspeed inside an EADI and a conventional airspeed outside the EADI, the display closest to the primary attitude display will be considered the primary display, except in the case of supplementary displays where adequate human factors analysis and testing have been conducted to establish that the supplementary display does not decrease the level of safety from that provided by the primary display by itself (Example: fast/slow indicators).
(4) For retrofit of electronic displays into aeroplanes that previously exhibited variance from a basic T configuration, the electronic display installation should not increase this variance when considering the angle from the centre of the attitude reference to the centre of the airspeed and altimeter.
(5) The acceptability of a so-called "cruise" mode in which the upper EADI and lower EHSI display formats may be transposed will be considered on a case-by-case basis by the Authority.
(6) Instrument landing system glideslope raw data display has been allowed on either side of the electronic display. If glideslope raw data is presented on both the EHSI and EADI, they should be on the same side. The Authority recommends a standard location of glideslope scales on the right side as specified in SAE Document ARP 1068B. If the scale or its location is multifunctional, then it should be labelled and contain some unambiguous symbolic attribute related to the indicator's function.
(7) Compliance with JAR 25.1333 normally requires separate displays of standby attitude, air data, and heading. Since these displays are only used after a failure related to the primary instruments, the basic T arrangement requirements do not apply. However, all the standby instruments should be arranged to be easily usable by one of the pilots. JAR 25.1321(a) requires a third (standby) instrument, where fitted, to be installed so that both pilots can use it. ACJ 25.1321(a) allows that where an optimum position for both pilots is not possible any bias should be in favour of the first pilot.
b. Compacted Formats
(1) The term "compacted format", as used in this AMJ, refers to a reversionary display mode where selected display components of a two-tube CRT display, such as EADI and EHSI, are combined in a single CRT to provide somewhat better capability in case of a single tube failure. The concepts and requirements of JAR 25.1321, as discussed in paragraph 7.a., still apply; however, it has been found acceptable to allow a compacted mode on either the EADI or EHSI after failure of one CRT.
(2) The compacted display, out of necessity, will be quite different from the primary format. Flags, mode annunciations, scales, and pointers may have different locations and perhaps different logic governing when they appear. The flight test evaluation should ensure the proper operation of all the electronic display functions in the compacted format, including annunciation of navigation and guidance modes if present. All the normal EFIS functions do not have to be present in the compacted mode; those that are present should operate properly. Flags and mode annunciations should, wherever possible, be displayed in a location common with the normal format. In all cases the attitude display should meet the characteristics of paragraph 7.e.
(3) If the remaining elements of the compacted upper display meet the characteristics of this document and the JAR and national operational regulations governing required instrumentation, then a note in the AFM stating that the compacted display is an airworthy mode would be acceptable in order to allow dispatch with a failed lower tube configuration.
c. Test Functions
The electronic display should incorporate a pilot selectable or automatic test mode that exercises the system to a depth appropriate to the system design. This function should be included even if the system failure analysis is not dependent on such a mode, or if display test is also a maintenance function. The test mode (or a submode) should display warning flags in their proper locations. Alerting and annunciation functions should be exercised, but it normally would not be necessary for the test to cycle through all possible annunciation states, or to display all flags and alerts. It has been found acceptable to incorporate the display test with a centralised cockpit light test switch, and to have the display test function disabled while airborne. The test mode provides a convenient means to display the software configuration.
Note: It is understood that a pilot selectable test needs to be provided, even if the system failure analysis is not dependent on such a mode to enable the pilot to become familiar with the various failure flags and annunciations which may appear. It is considered that such a requirement could also be satisfied by an appropriate system training facility off the aircraft. ]
[ d. Primary Flight Displays
(1) A side-by-side or over-under arrangement of large primary displays may integrate many air data, attitude, navigation, alerting, and annunciation functions, while removing their discrete instrument counterparts. For the initial approval of a new set of displays incorporating this arrangement, many of the evaluation concepts covered elsewhere in this AMJ must be adhered to, particularly those relating to the use of colour and symbology for information separation (paragraph 5). The raw data aeroplane parameters necessary for manual control (attitude, airspeed, altitude, and heading) must still reside in a conventional basic T arrangement conducive to effective instrument cross-check. This means that heading and attitude must be presented on the same display for a side-by-side CRT arrangement.
(2) Scale Markings
(i) Air data displays have a requirement similar to attitude in that they must be able to convey to the pilot a quick-glance sense of the present speed or altitude. Conventional round-dial moving pointer displays inherently give some of this sense that may be difficult to duplicate on moving scales. Scale length is one attribute related to this quick-glance capability. The minimum visible airspeed scale length found acceptable for moving scales on jet transports has been 80 knots; since this minimum is dependent on other scale attributes and aeroplane operational speed range, variations from this should be verified for acceptability. Altimeters present special design problems in that -
(A) The ratio of total usable range to required resolution is a factor of 10 greater than for airspeed or attitude, and
(B) The consequences of losing sense of context of altitude can be catastrophic.
The combination of altimeter scale length and markings, therefore, should be adequate to allow sufficient resolution for precise manual altitude tracking in level flight, as well as enough scale length and markings to reinforce the pilot's sense of altitude and to allow sufficient look-ahead room to adequately predict and accomplish level-off. Addition of radio altimeter information on the scale so that it is visually related to ground position may be helpful in giving low altitude awareness. Airspeed scale markings that remain relatively fixed (such as stall warning, VMO/MMO), or that are configuration dependent (such as flap limits), are desirable in that they offer the pilot a quick-glance sense of speed. The markings should be predominant enough to confer the quick-glance sense information, but not so predominant as to be distracting when operating normally near those speeds (e.g. stabilised approach operating between stall warning and flap limit speeds).
(ii) Airspeed reference marks (bugs) on conventional airspeed indicators perform a useful function, and the implementation of them on electronic airspeed displays is encouraged. Computed airspeed/angle-of-attack reference marks (bugs) such as Vstall, Vstall warning, V1, VR, V2, flap limit speeds, etc., displayed on the airspeed scale will be evaluated for accuracy. Provision should be incorporated for a reference mark that will reflect the current target airspeed of the flight guidance system. This has been required in the past for some systems that have complex speed selection algorithms, in order to give the pilot adequate information required by JAR 25.1309(c) for system monitoring.
(iii) If any scale reference marks would not be available when equipment included on the MEL is inoperative, then the display should be evaluated for acceptability both with and without these reference marks.
(iv) Digital present value readouts or present value indices should not totally obscure the scale markings or graduations as they pass the present value index.
(v) Adjacent scale markings that have potential for interfering with each other (such as V1, VR, V2 in close proximity) must be presented so that the intended reference values remain distinct and unambiguous.
(vi) At the present time, scale units marking for air data displays incorporated into PFDs are not required ("knots", "airspeed" for airspeed, "feet", "altitude" for altimeters) as long as the content of the readout remains unambiguous. For altimeters with the capability to display in both Metric and British units, the scale and primary present value readout should remain scaled in British units with no units marking required; the Metric display should consist of a separate present value readout that does include units marking.
(vii) Airspeed scale graduations found to be acceptable have been in 5-knot increments with graduations labelled at 20-knot intervals. If trend or acceleration cues are used, or a digital present value readout is incorporated, scale markings at 10-knot intervals have been found acceptable. Minimum altimeter graduations should be in 100-foot increments with a present value readout, or 50-foot increments with a present value index only. Due to operational requirements, it is expected that aeroplanes without either 20-foot scale graduations, or a readout of present value, will not be eligible for Category II low visibility operation with barometrically determined decision heights. ]
[ (3) Vertically oriented moving scale airspeed indication is acceptable with higher numbers at the top or bottom if no airspeed trend or acceleration cues are associated with the speed scale. Such cues should be oriented so that increasing energy or speed results in upward motion of the cue. To be consistent with this convention, airspeed scales with these cues should have the high speed numbers at the top. Speed, altitude, or vertical rate trend indicators should have appropriate hysteresis and damping to be useful and non-distracting. Evaluation should include turbulence expected in service.
(4) The integration of many parameters into one upper display makes necessary an evaluation of the effect of failure (either misleading or total loss) of a display at the most critical time for the pilot. The sudden loss of multiple parameters can greatly impact the ability of the pilot to cope with immediate aeroplane control tasks in certain flight regimes such as during take-off rotation. If such failures are probable during the critical exposure time, the system must be evaluated for acceptability of data lost to the pilot. Automatic sensing and switching may have to be incorporated to preserve a display of attitude in one of the primary displays on the side with the failure.
e. Attitude
(1) An accurate, easy, quick-glance interpretation of attitude should be possible for all expected unusual attitude situations and command guidance display configurations. The pitch attitude display scaling should be such that during normal manoeuvres (such as take-off at high thrust-to-weight ratios) the horizon remains visible in the display with at least 2° pitch margin available.* In addition, extreme attitude symbology and automatically decluttering the EADI at extreme attitudes has been found acceptable (extreme attitude symbology should not be visible during normal manoeuvring). Surprise, unusual attitudes should be conducted in the aeroplane to confirm the quick-glance interpretation of attitude. The attitude display should be examined in 360° of roll and ± 90° of pitch. This can usually be accomplished by rotating the attitude source through the required gyrations with the aeroplane powered on the ground. When the aeroplane hardware does not allow this type of evaluation, accurate laboratory simulations must be used.
(2) Both fixed aeroplane reference and fixed earth reference bank pointers ("sky" pointers) have been approved. A mix of these types in the same cockpit should not be approved.
f. Digital, Analogue and Combinations
The Authority has a long standing policy of not accepting digital only displays of control parameters. The reason was the belief that only analogue data in the form of a pointer/scale relationship provided necessary rate, trend, and displacement information to the pilot. However, the Authority will evaluate new electronic display formats which include digital-only or combinations of digital and analogue displays of air data, engine instruments, or navigation data. Digital information displays will be evaluated on the basis that they can be used to provide the same or better level of performance and pilot workload as analogue displays of the same parameters. Simulator studies can be valuable in providing experience with new display formats, but care must be taken to ensure that the simulator provides all the environmental cues germane to the parameter being evaluated.
g. Knob Tactile Requirements
(1) Control knobs used to set digital data on a display that have inadequate friction or tactile detents can result in undue concentration being required for a simple act such as setting an out-of-view heading bug to a CRT displayed number. Controls for this purpose should have an appropriate amount of feel to minimise this problem, as well as minimising the potential for inadvertent changes. The friction levels associated with standard resistive potentiometers have been shown in some cases to be inadequate.
(2) The display response to control input need not meet the dynamic requirements of paragraph 6.e., but should be fast enough to prevent undue concentration being required in setting values or display parameters. The sense of motion of controls should comply with the requirements of JAR 25.777, where applicable.
h. Full-Time vs. Part-Time Displays
Some aeroplane parameters or status indications are required by the JAR-25 and national operational regulations to be displayed, yet they may only be necessary or required in certain phases of flight. If it is desired to inhibit some parameters from full-time display, an equivalent level of safety to full-time display must be demonstrated. Criteria to be considered include the following:
(1) Continuous display of the parameter is not required for safety of flight in all normal flight phases.
(2) The parameter is automatically displayed in flight phases where it is required. ]
[ (3) The inhibited parameter is automatically displayed when its value indicates an abnormal condition, or when the parameter reaches an abnormal value.
(4) Display of the inhibited parameter can be manually selected by the crew without interfering with the display of other required information.
(5) If the parameter fails to be displayed when required, the failure effect and compounding effects must meet the requirements of JAR 25.1309.
(6) The automatic, or requested, display of the inhibited parameter should not create unacceptable clutter on the display; simultaneous multiple "pop-ups" must be considered.
(7) If the presence of the new parameter is not sufficiently self-evident, suitable alerting must accompany the automatic presentation.
8. Switching And Annunciation
Switching and annunciation considerations made important by electronic displays are as follows:
a. Power Bus Transients
(1) The electronic attitude display should not be unusable or unstable for more than one second after the normally expected electrical bus transients due to engine failure, and should affect only displays on one side of the aeroplane. Recognisably valid pitch and roll data should be available within one second, and any effects lasting beyond one second should not interfere with the ability to obtain quick-glance attitude. For most aeroplanes an engine failure after take-off will simultaneously create a roll rate acceleration, new pitch attitude requirements, and an electrical transient. Attitude information is paramount; transfer to standby attitude or transfer of control of the aeroplane to the other pilot cannot be reliably accomplished under these conditions in a timely enough manner to prevent an unsafe condition. In testing this failure mode, experience has shown that switching the generator off at the control panel may not result in the largest electrical transient. During an engine failure, as the engine speed decays, the generator output voltage and frequency each decay to a point where the bus control finally recognises the failure. This can be a significantly larger disturbance resulting in a different effect on the using equipment. One practical way to simulate this failure is with a fuel cut. Other engine failure conditions may be more critical (such as sub-idle stalls) which cannot be reasonably evaluated in flight test. Analysis should identify these failure modes and show that the preceding criteria are met.
(2) The design objective should be displays that are insensitive to power transients; however, if the power transient is not related to a simultaneous aeroplane control problem, other failures which result in loss of displays on one side are not deemed as time critical, providing the switching concepts for multiple parameter displays are considered (paragraph 7.d.). Bus transients caused by normal load switching (hydraulic pump actuation, ovens, generator paralleling, etc.) should cause no visible effect on the display. Expected abnormal bus transients (i.e. generator failure not caused by engine failure) should not initiate a power up initialisation or cold start process.
(3) The large electrical loads required to restart some engine types should not affect more than one pilot's display.
b. Reversionary Switching (Electronic Display Failure States)
(1) The acceptability of a so-called "cruise" mode in which the upper EADI and lower EHSI display formats may be transposed will be considered on a case-by-case basis by the Authority.
(2) In case of a symbol generator failure, both the pilot's and the copilot's displays may be driven from a single remaining symbol generator. When this switching state is invoked, there should be clear, cautionary alerting to both pilots that the displayed information is from a single source.
c. Source Switching and Annunciation
When the type or source of information presented on the primary flight instruments can change meaning with manual or automatic mode or source selection, then this mode or source must be inherently unambiguous from the format of the display or from appropriate annunciation.
(1) Independent attitude, heading, and air data sources are required for the pilot and copilot primary displays. As long as independent sources are selected, there would ordinarily be no need for annunciation of these sources. If sources to the electronic displays can be switched in such a fashion that the flight crew becomes vulnerable to hazardously misleading information on both sides of the cockpit as a result of a common failure, then this switching configuration should be accomplished by a cautionary alert in clear view of both pilots. ]
[ (2) If the source of navigation information is not ambiguous, such as a case when VOR/ILS is not switchable across the cockpit, then no source annunciation would be required. Likewise, if a single navigation computer could only be responsible for the HSI navigation data, then this source need not be annunciated.
(3) If a crew member can select from multiple, similar, navigation sources, such as multiple VORs or multiple, long-range navigation systems, then the display of the selected source data into a CDI type presentation should be annunciated (i.e. VOR 1, INS 2, etc.). The annunciation should be implemented in such a fashion that a non-normal source selection is immediately apparent. In addition, when both crew members have selected the same navigation source, this condition should be annunciated; for example, the copilot has off-side VOR selected, with VOR 1 annunciated in amber/yellow in the co-pilot's electronic display. Exceptions to this non-normal annunciation requirement can be constructed. If the similar navigation sources are two navigation computers that ensure position and stored route identically through a cross-talk channel, electronic display of normal or non-normal source annunciation would not be required provided a system disparity was annunciated. In the case where source annunciations are not provided on the electronic displays, such source annunciations should be readily obvious to the crew.
(4) The increased flexibility offered by modern avionics systems may cause flightcrews to be more susceptible to selecting an inappropriate navigation source during certain phases of flight, such as approach. Since electronic displays may incorporate more complex switching, compensating means should be provided to ensure that the proper navigation source has been selected. In order to reduce the potential for the pilot selecting a non-approach-qualified navigation source (such as INS) for an instrument approach, the Authority has approved the use of a discrete colour, in addition to labelling, for data from non-approach-qualified navigation sources when displayed on a CDI.
(5) If the primary heading display can be presented as true or grid heading or track -
(i) The electronic display should provide appropriate annunciation. Annunciation of magnetic heading is not normally required.
(ii) Either the display or heading source should provide a cautionary alert to the crew prior to entry into a terminal area with other than magnetic heading displayed. Examples of acceptable implementations include a simple alert when below 10 000 feet and in true heading mode, or a display alert generated by complex logic that detects the initiation of a descent from cruise altitude while still in true heading mode.
(6) There are situations where it may be desirable to have true heading displayed on the primary navigation display, and at the same time have VOR or ADF bearing pointers visible. All but a very small fraction of the VORs are referenced to Magnetic North; the electronic display should display the bearing pointer in such a fashion that it will point geometrically correct. If other display considerations permit, a separate readout of magnetic bearing to the VOR station would be desirable. If the electronic display cannot display this "corrected" geometric bearing, then some display attribute should make it clear to the flight crew that the displayed geometry is not correct.
(7) Mode and source select annunciations on electronic displays should be compatible (this does not mean that the labels have to be identical, but that they are unambiguous in being able to identify them as the same function) with labels on source and mode select switches and buttons located elsewhere in the cockpit.
(8) If annunciation of automatic navigation system or flight control system mode switching is provided by the electronic display, selected modes should be clearly annunciated with some inherent attention-getting feature, such as a temporary box around the annunciation. Examples include vertical or lateral mode capture, release of capture, and autopilot or autothrottle mode change.
d. Failures
In the case of a detected failure of any parameter, the associated invalid indications should be removed and only the flag should be displayed. It is recommended that differentiation is made between the failure of a parameter and a "no computed data" parameter, e.g. non-reception of radio navigation data.
9. Map Mode Considerations
a. The map format should provide features recommended by SAE Document ARP 1068B. Evaluation of maps or navigation displays overlaid with raster radar returns should ensure that all essential map or navigation display symbology remains readable and easily discriminated from the radar data.
b. When a route or course line can be presented in a map format, it should be demonstrated that the route can be flown manually and with autopilot in heading hold or control wheel steering modes (if applicable) with course errors compatible with those course errors defined as allowable in EUROCAE DOCUMENT ED 58. ED 58 discusses flight technical error and relates methods of accounting for piloting accuracy. ]
[ c. If instrument approaches are to be flown using a map format, previous certifications have included an AFM limitation requiring at least one pilot to monitor a raw data presentation. For ILS approaches, raw localiser and glide slope deviation presented in the ADI has been sufficient, and both navigation displays may remain in the map mode. For VOR approaches, a map course line may be used as the primary display for conducting the approach, providing the AFM limitations prescribe the allowable display mode configurations for proper raw data monitoring. Additional considerations include evaluation of crew time and task demands to configure the map/navigation computer for the approach. If it is desired to have both displays in the map mode for VOR approaches with no raw data monitoring, the accuracy and failure modes of the map display, navigation computer, and sensors must be shown to be compatible with the performance requirements and obstacle clearance zones associated with the type of approach being conducted.
d. When evaluating map failure modes, including failures induced by the symbol generator or the source navigation computer, consideration must be given to the compelling nature of a map display. It has been demonstrated that gross map position errors can go undetected or unbelieved because the flight crew falsely relied on the map instead of correct raw data. This characteristic of crew interpretation reinforces the need to adhere to the criteria of paragraph 4a(3)(viii), (which defines navigation as an essential function) when considering equipment and navigation source requirements.
10. Integrated Warning, Caution and Advisory Displays (See AMJ 25.1322)
a. A "warning" should be generated when immediate recognition and corrective or compensatory action is required; the associated colour is red. A "caution" should be generated when immediate crew awareness is required and subsequent crew action will be required; the associated colour is amber/yellow. An "advisory" should be generated when crew awareness is required and subsequent crew action may be required; the associated colour should be unique, preferably not amber/yellow. Report No. DOT/FAA/RD-81-38, II, stresses the importance of preserving the integrity of caution and warning cues, including colour. Although electronic displays, when used as primary flight displays, are not intended to be classified as integrated caution and warning systems, they do generate warnings, cautions, and advisories that fall within the above definitions. Use of red, amber, or yellow for symbols not related to caution and warning functions is not prohibited but should be minimised to prevent diminishing the attention-getting characteristics of true warnings and cautions.
b. Caution and warning displays are necessarily related to aural alerts and master caution and warning attention-getting devices. If the electronic display provides caution and warning displays, previously independent systems may be integrated into one system where single faults potentially may result in the loss of more than one crew alerting function. Integrated systems have been found to be satisfactory if the features outlined below are provided -
(1) Visual and aural master caution attention-getting devices are activated whenever a caution message is displayed. Different visual and aural master warning devices are provided which activate whenever a warning is displayed.
(2) An aural alert audible to all flight crew members under all expected operating conditions is sounded when any conditions exist that require crew recognition of a problem and either immediate or future action. If the aural alert occurs because of the landing gear configuration warning, overspeed warning, take-off configuration warning, or ground proximity warning, the aural alert must sound continually while the conditions exist. The landing gear configuration warning may be automatically inhibited in those flight regimes where the warning is clearly unnecessary. Special means may be provided to cancel these aural warnings during selected non-normal procedures. If any one warning is cancelled, the remaining warnings must still be available. Other aural alerts may be cancelled by the flight crew. Certain alerts (either the aural portion or both aural and visual) may be inhibited in limited phases of flight, and enabled when that phase of flight is exited or terminated, provided the overall inhibition scheme increases safety. For example, systems have been approved that inhibit most alerts during (and immediately after) the take-off. The safety objective is to reduce the incidence of unnecessary high-speed rejected take-offs (RTO). Toward this end, the more effective type of system uses airspeed sensing to automatically begin the inhibit function. Systems requiring manual inhibition prior to initiation of take-off have been approved, but have the undesirable effect of suppressing alerts that should properly instigate a low-speed RTO. Enabling of alerts should be automatic after an altitude gain appropriate to the type of aeroplane.
(3) A separate and distinct visual warning, caution, or advisory message is conspicuously displayed for each warning, caution, or advisory condition that the system is designed to recognise. The visual indication must be visible by all flight crew members under all expected lighting conditions. The colours of visual warning, caution, and advisory displays provided by this system must comply with JAR 25.1322.
(4),(5) & (6) Reliability and Integrity (see AMJ 25.1322, 8). ]
[ (7) The aural alerting is audible to the flight crew under worst case ambient noise conditions, but not so loud and intrusive as to interfere with the crew taking the required action to ensure safe flight.
11. Checklists Or Procedural Advisory Displays
a. For purposes of the following discussion, checklist displays are divided into three types: those modifiable by the flight crew, those modifiable only on the ground by maintenance procedure, and those containing information "hardwired" into the system or in ROM (unchangeable read-only-memory).
(1) Data modifiable by the flight crew. The responsibility for electronic checklist display contents rests with the flight crew. For those operations where the aeroplane is commonly flown by the same flight crew every day, this responsibility presents no burden on the pilots. At the other extreme, in an air carrier operation the pilots cannot be reasonably expected to review the contents of the checklist before their first flight of the day in that aeroplane. In order to implement this type of operation, the checklist format should allow for some means to easily determine the current status of the information; this means should be compatible with a practically implemented procedure that operationally controls who makes changes, and when and how that change level is identified on the display.
(2) Data modifiable by maintenance procedure. The display system should lend itself to a means for the flight crew to easily determine the change level of the checklist contents.
(3) Data prepared by the manufacturer and contained in ROM. It has been previously stated in the section on display criticality that the display of hazardously misleading flight crew procedures must be Improbable. This requirement applies not only to failure states of the display system, but to changes to the aeroplane after display certification. While it is the responsibility of the manufacturer and the Authority to provide acceptable procedures to the operator, it is the responsibility of the operator to identify any checklist changes that may be made necessary by aeroplane modification. The display manufacturer should design the system so that revision status is easily identifiable by, and such that required changes can be made available to, the operator. An aeroplane change that made the electronic checklist incompatible with the required crew procedures in a manner that could be hazardously misleading would require the corresponding change to be made to the checklist or the display to be disabled entirely.
b. The wide variety of configurations and corresponding AFM supplements within a single model may establish a unique set of checklist procedures for each individual aeroplane. Incorporation of STCs or other minor modifications could necessitate changes to the AFM, AFM supplements, or addition of new supplements. These changes would then require modifications to the electronically displayed checklists. At this stage of display development, it would seem advisable to limit displayed checklist information to that which can easily be changed or that which pertains only to the basic aeroplane. A hard copy of the AFM or approved operations manual and any checklists required by the operational rules must be available to the flight crew at all times.
c. Because misleading information in an emergency procedure could be hazardous, those elements of the display system responsible for the content of such procedures are deemed to be essential, and the display of wrong or misleading information must be Improbable. An analysis of the display system showing that such hazard is Improbable should be accomplished, the major concern being that incorrect procedures may be presented which could result in confusion in the cockpit. This analysis does not have to include the probability of the flight crew entering wrong information into a crew entry type of display.
d. Electronic checklists should be consistent in the level of detail among the various procedures. Checklist content that the crew may rely on for normal day-to-day procedures, but which is incomplete for abnormal or emergency procedures, may be unsatisfactory because of the extra time required for the crew to discover that the information required is missing and only obtainable from an alternate hard-copy checklist. Crew training, display response time, availability of display, and other cockpit cues are to be considered in evaluating the display system. If the system does not display all procedures required for safe operation of the aeroplane during normal and emergency conditions, testing is required to ensure that the proposed method for integrating an electronic checklist along with hard copy checklists does not decrease the level of safety in any foreseeable circumstance. If electronic checklists are installed, pilot workload should be no greater than that for using hard copy of the procedures.
12. System Status Displays
If aeroplane systems status displays are provided, based on flight phase and system failure conditions, the symbols representing the system components should be logical, easily understood, and consistent between display formats. The colours used should be compatible with the requirements of paragraphs 5.a. and 5.b. of this AMJ. ]
[ AMJ 25-13
Reduced And Derated Take-Off Thrust (Power) Procedures
1. Purpose
This advisory material (AMJ) provides guidance for the certification and use of reduced thrust (power) for take-off and derated take-off thrust (power) on turbine powered transport category aeroplanes. It consolidates JAR guidance concerning this subject and serves as a ready reference for those involved with aeroplane certification and operation. These procedures should be considered during aeroplane type certification and supplemental type certification activities when less than engine rated take-off thrust (power) is used for take-off.
2. Applicable Joint Aviation Requirements (JAR)
The applicable regulations are JAR 25.101, 25.1521 and 25.1581.
3. Background
Take-off operations conducted at thrust (power) settings less than the maximum take-off thrust (power) available may provide substantial benefits in terms of engine reliability, maintenance, and operating costs. These take-off operations generally fall into two categories; those with a specific derated thrust (power) level, and those using the reduced thrust (power) concept, which provides a lower thrust (power) level that may vary for different take-off operations. Both methods can be approved for use, provided certain limitations are observed. The subjects discussed herein do not pertain to inflight thrust cutback procedures that may be employed for noise abatement purposes.
4. Definitions
Customarily, the terms "thrust" and "power" are used, respectively, in reference to turbojet and turboprop installations. For simplicity, only the term "thrust" is used throughout this AMJ. For turboprop installations, the term "power" should be substituted. For purposes of this AMJ the following definitions apply:
a. Take-off Thrust
(1) Rated take-off thrust, for a turbojet engine, is the approved engine thrust, within the operating limits, including associated time limits, established by the engine type certificate for use during take-off operations.
(2) Take-off thrust, for an aeroplane, is normally the engine rated take-off thrust, corrected for any installation losses and effects, that is established for the aeroplane under JAR-25. Some aeroplanes use a take-off thrust setting that is defined at a level that is less than that based on the engine rated take-off thrust. JAR 25.1521 requires that the take-off thrust rating established for the aeroplane must not exceed the take-off thrust rating limits established for the engine under the engine type certificate. The value of the take-off thrust setting parameter is presented in the Aeroplane Flight Manual (AFM) and is considered a normal take-off operating limit.
b. Derated take-off thrust, for an aeroplane, is a take-off thrust less than the maximum take-off thrust, for which exists in the AFM a set of separate and independent, or clearly distinguishable, take-off limitations and performance data that complies with all the take-off requirements of JAR-25. When operating with a derated take-off thrust, the value of the thrust setting parameter which establishes thrust for take-off is presented in the AFM and is considered a normal take-off operating limit.
c. Reduced take-off thrust, for an aeroplane, is a take-off thrust less than the take-off (or derated take-off) thrust. The aeroplane take-off performance and thrust setting are established by approved simple methods, such as adjustments, or by corrections to the take-off or derated take-off thrust setting and performance. When operating with a reduced take-off thrust, the thrust setting parameter which establishes thrust for take-off is not considered a take-off operating limit. ]
[ d. A wet runway is one that is neither dry nor contaminated.
e. A contaminated runway is a runway where more than 25% of the required field length, within the width being used, is covered by standing water or slush more than 0.125 inch (3.2 mm) deep, or that has an accumulation of snow or ice. However, in certain other situations it may be appropriate to consider the runway contaminated. For example, if the section of the runway surface that is covered with standing water or slush is located where rotation and lift-off will occur, or during the high speed part of the take-off roll, the retardation effect will be far more significant than if it were encountered early in the take-off while at low speed. In this situation, the runway might better be considered "contaminated" rather than "wet".
5. Reduced Thrust: (Acceptable Means Of Compliance)
Under JAR 25.101(c), 25.101(f), and 25.101(h), it is acceptable to establish and use a take-off thrust setting that is less than the take-off or derated take-off thrust if -
a. The reduced take-off thrust setting -
(1) Does not result in loss of systems or functions that are normally operative for take-off such as automatic spoilers, engine failure warning, configuration warning, systems dependent on engine bleed air, or any other required safety related system.
(2) Is based on an approved take-off thrust rating or derating for which complete aeroplane performance data is provided.
(3) Enables compliance with the applicable engine operating and aeroplane controllability requirements in the event that take-off thrust, or derated take-off thrust (if such is the performance basis), is applied at any point in the take-off path.
(4) Is at least 75% of the take-off thrust, or derated take-off thrust if such is the performance basis, for the existing ambient conditions, with no further reduction below 75% resulting from ARP credit.
(5) For turboprop installations, is predicated on an appropriate analysis of propeller efficiency variation at all applicable conditions and is limited to at least 75% take-off thrust.
(6) Enables compliance with JAR-25 Appendix I in the event of an engine failure during take-off, for aeroplanes equipped with an Automatic Reserve Performance system.
b. Relevant speeds (VEF, VMC, VR, and V2) used for reduced thrust take-offs are not less than those which will comply with the required airworthiness controllability criteria when using the take-off thrust (or derated take-off thrust, if such is the performance basis) for the ambient conditions, including the effects of an Automatic Reserve Performance (ARP) system. It should be noted, as stated in paragraph c. below, that in determining the take-off weight limits, credit can be given for an operable ARP system .
c. The aeroplane complies with all applicable performance requirements, including the criteria in paragraphs a. and b. above, within the range of approved take-off weights, with the operating engines at the thrust available for the reduced thrust setting selected for take-off. However, the thrust settings used to show compliance with the take-off flight path requirements of JAR 25.115 and the final take-off climb performance requirements of JAR 25.121(c) should not be greater than that established by the initial thrust setting. In determining the take-off weight limits, credit can be given for an operable ARP system.
d. Appropriate limitations, procedures, and performance information are established and are included in the AFM. The reduced thrust procedures must ensure that there is no significant increase in cockpit workload, and no significant change to take-off procedures.
e. A periodic take-off demonstration is conducted using the aeroplane's take-off thrust setting without ARP, if fitted, and the event is logged in the aeroplane's permanent records. An approved engine maintenance procedure or an approved engine condition monitoring programme may be used to extend the time interval between take-off demonstrations. ]
[ f. The AFM states, as a limitation, that take-offs utilising reduced take-off thrust settings -
(1) Are not authorised on runways contaminated with standing water, snow, slush, or ice, and are not authorised on wet runways unless suitable performance accountability is made for the increased stopping distance on the wet surface.
(2) Are not authorised where items affecting performance cause significant increase in crew workload.
Examples of these are -
Inoperative Equipment: Inoperative engine gauges, reversers, anti-skid systems or engine systems resulting in the need for additional performance corrections.
Engine Intermix: Mixed engine configurations resulting in an increase in the normal number of power setting values.
Non-standard operations: Any situation requiring a non-standard take-off technique.
(3) Are not authorised unless the operator establishes a means to verify the availability of take-off or derated take-off thrust to ensure that engine deterioration does not exceed authorised limits.
(4) Are authorised for aeroplanes equipped with an ARP System, whether operating or not
g. The AFM states that -
(1) Application of reduced take-off thrust in service is always at the discretion of the pilot.
(2) When conducting a take-off using reduced take-off thrust, take-off thrust or derated take-off thrust if such is the performance basis may be selected at any time during the take-off operation.
h. Procedures for reliably determining and applying the value of the reduced take-off thrust setting and determining the associated required aeroplane performance are simple (such as the assumed temperature method). Additionally, the pilot is provided with information to enable him to obtain both the reduced take-off thrust and take-off thrust, or derated take-off thrust if such is the performance basis, for each ambient condition.
i. Training procedures are developed by the operator for the use of reduced take-off thrust.
6. Derated Thrust (Acceptable Means Of Compliance)
For approval of derated take-off thrust provisions, the limitations, procedures, and other information prescribed by JAR 25.1581, as applicable for approval of a change in thrust, should be included as a separate Appendix in the AFM. The AFM limitations section should indicate that when operating with derated thrust, the thrust setting parameter should be considered a take-off operating limit. However, inflight take-off thrust (based on the maximum take-off thrust specified in the basic AFM) may be used in showing compliance with the landing and approach climb requirements of JAR 25.119 and 25.121(d), provided that the availability of take-off thrust upon demand is confirmed by using the thrust-verification checks specified in paragraph 5.e. above. ]
AMJ 25-19
Certification Maintenance Requirements
See Orange Paper Amendment 96/1
[ AMJ 20X-1
Certification of Aircraft Propulsion Systems Equipped with Electronic Controls
[ 1 GENERAL
The existing regulations for Engine, Propeller and aircraft certification may require special interpretation for Engines/Propellers equipped with electronic control systems. Because of the nature of this technology it has been found necessary to prepare advisory material specifically addressing the certification of these control systems.
Like any advisory material, the content of this document is not mandatory and does not constitute a regulation. It is issued for guidance purposes and to outline a method of compliance with the certification requirements. In lieu of following this method, an Applicant may elect to follow an alternative method provided that this is agreed by the Authority as an acceptable method of compliance with the requirements. Consequently the terms 'shall' and 'must' only apply to an Applicant who chooses to follow the certification route deifined herein.
This document discusses the compliance tasks relating to both the Engine/Propeller and the aircraft certification and indicates how these tasks could be allocated between the Engine/Propeller manufacturer and the aircraft manufacturer from a certification viewpoint. It does not, however, seek to define or to interfere with the contractual arrangements made between the Engine/Propeller and aircraft manufacturers for the provision of any particular data.
2 REFERENCE REGULATIONS
2.1 Engine and Propeller Certification
Turbine Engines for Aeroplanes and Rotorcraft -
JAR-E
Section 1, Sub-section A, paragraphs E20, E30, E40, E50, E60, E90, E110,
E150(c), E190
Sub-section D, paragraphs E500, E510, E530, E550
Sub-section E, as appropriate.
Propellers -
JAR-P, Paragraph P70
2.2 Aircraft Certification
Aeroplane: JAR-25
Paragraphs, 25.33, 581, 631, X899, 901, 903, 905, 933, 937, 939, 961, 994, 995, 1103(d), 1143 (except (d)), 1149, 1153, 1155, 1163, 1181, 1183, 1189, 1301, 1305, 1307(c), 1309, 1337, 1351(b)(d), 1353(a)(b), 1355(c), 1357, 1431, 1461, 1521(a), 1527.
Rotorcraft: Equivalent requirements (currently not part of JAR).
3 SCOPE
This advisory material provides guidance for electronic (analogue and digital) Engine and Propeller control systems, on the interpretation and means of compliance with the relevant Engine, Propeller and aircraft certification requirements.
It gives guidance on the precautions to be taken for the use of electronic technology for Engine/Propeller control, protection and monitoring, and, where applicable, for integration of functions specific to the aircraft.
Precautions have to be adapted to the criticality of the functions. These precautions may be affected by - ]
[ Degree of authority of the system,
Phase of flight,
Availability of back-up system.
This document also discusses the division of compliance tasks between the Engine, Propeller and aircraft manufacturers.
It does not cover APU control systems.
4 PRECAUTIONS
4.1 General
The introduction of electronic technology can entail the following:
a. A greater dependence of the Engine/Propeller on the aircraft owing to the use of electrical power and/or data supplied from the aircraft.
b. Risk of significant failures common to more than one Engine/Propeller of the aircraft which might, for example, occur as a result of -
i. Insufficient protection from electromagnetic disturbance (lightning, internal or external radiation effects),
ii. Insufficient integrity of the aircraft electrical power supply,
iii. Insufficient integrity of data supplied from the aircraft,
iv. Hidden design faults of discrepancies contained within the design of the propulsion system control software, or
v. Omissions or errors in the system specification.
Special design and integration precautions must therefore be taken to minimise these risks.
4.2 Objective
The introduction of electronic control systems should provide for the aircraft at least the equivalent safety, and the related reliability level, as achieved by Engine/Propellers equipped with hydromechanical control and protection systems.
This objective, when defined by the aircraft/Engine manufacturers for a specific application, will be agreed with the Authorities.
4.3 Precautions Relating to Engine/Propeller Control, Protection and Monitoring
The software associated with Engine/Propeller control, protection and monitoring functions must have a quality level and architecture appropriate to their criticality (see also paragraph 4.5.1).
The design of the system relating to the control, protection and monitoring functions shall be such as to satisfy the requirements of JAR-E 50(c).
4.4 Precautions Relating to Engine/Propeller Independence From the Aircraft
4.4.1 Precautions relating to electrical power supply and data from the aircraft
When considering the objectives of paragraph 4.2, due consideration must be given to the reliability of electrical power and data supplied to the electronic controls and peripheral components. Therefore the potential adverse effects on Engine/Propeller operation of any loss of electrical power supply from the aircraft or failure of data coming from the aircraft must be assessed during the Engine/Propeller certification. ]
[ The use of either the aircraft electrical power network or electrical power sources specific to the Engine/Propeller, or the combination of both may meet the objectives. Defects of aircraft input data may be overcome by other data references specific to each Engine/Propeller.
4.4.2 Local events
a. In designing an electronic control system to meet the objectives of paragraph 4.2, special consideration needs to be given to local events.
Examples of local events include fluid leaks, mechanical disruptions, electrical problems, fires or overheat conditions. An overheat condition results when the temperature of the electronic control unit is greater than the maximum safe design operating temperature declared by the Engine/Propeller manufacturer. This situation can increase the failure rate of the electronic control system.
b. Whatever the local event, the behaviour of the electronic control system must not cause a hazard to the aircraft. This will require consideration of effects such as the control of the thrust reverser deployment, the overspeed of the Engine, transients effects or inadvertent Propeller pitch change under any flight condition.
When the demonstration that there is no hazard to the aircraft is based on the assumption that there exists another function to afford the necessary protection, it must be shown that this function is not rendered inoperative by the same local event (including destruction of wires, ducts, power supplies).
c. Specific design features or analysis methods may be used to show compliance with respect to hazardous effects. Where this is not possible, for example due to the variability or the complexity of the failure sequence, then testing may be required. These tests shall be agreed with the appropriate Authority.
4.5 Precautions Relating to Failure Modes Common to More Than One Engine/Propeller
4.5.1 System design
For digital systems, any residual errors not activated during the software development and certification process could cause a failure common to more than one Engine/Propeller. RTCA DO178A (or the equivalent EUROCAE ED 12A) constitutes an acceptable means of compliance for software development and certification. It should be noted however that the DO178A states in section 3.3 -
'It is appreciated that, with the current state of knowledge, the software disciplines described in this document may not, in themselves, be sufficient to ensure that the overall system safety and reliability targets have been achieved. This is particularly true for certain critical systems, such as full authority fly-by-wire systems, In such cases it is accepted that other measures, usually within the system, in addition to a high level of software discipline may be necessary to achieve these safety objectives and demonstrate that they have been met.
It is outside the scope of this document to suggest or specify these measures, but in accepting that they may be necessary, it is also the intention to encourage the development of software techniques which could support meeting the overall system safety objectives.'
4.5.2 Environmental effects
Special attention should be given to any condition which could affect more than one Engine/Propeller control system. For example, incorrect operation under hot ambient conditions.
4.5.3 Lightning and other electromagnetic effects
Electronic control systems are sensitive to lightning and other electromagnetic interference. Moreover, these conditions can be common to more than one Engine/Propeller. The system design shall incorporate sufficient protection in order to ensure the functional integrity of the control system when subjected to designated levels of electric or electromagnetic inductions, including external radiation effects.
The validated protection levels for the Engine/Propeller electronic control systems shall be detailed by the manufacturer in an approved document. For aircraft certification, the aircraft manufacturer shall substantiate that these levels are adequate. ]
[ 4.5.4 Aircraft electrical power supply
If the aircraft electrical system supplies power to the Engine/Propeller control system at any time, the power supply quality, including transients or failures, must not lead to a situation identified by the Engine manufacturer, which is considered by the aircraft manufacturer to be a hazard to the aircraft.
4.5.5 Data exchanged with the aircraft
a. Aircraft must be protected from unacceptable effects of faults due to a single cause, simultaneously affecting more than one Engine/Propeller. In particular, the following cases should be considered:
i. Erroneous data received from the aircraft by the Engine/Propeller control system if the data source is common to more than one Engine/Propeller (e.g. air data sources, autothrottle synchronising), and
ii. Control system operating faults propagating via data links between Engine/Propellers (e.g. maintenance recording, common bus, cross-talk, autofeathering, automatic reserve power system).
b. Any precautions needed may be taken either through the aircraft system architecture or by logic internal to the electronic control system.
4.6 Other Functions Integrated into the Electronic Control System
If functions other than those directly associated with the control of the Engine/Propeller, such as thrust reverser control or automatic starting, are integrated into the electronic control system, the Engine/Propeller manufacturer should take into account the applicable aircraft requirements.
5 INTER-RELATION BETWEEN ENGINE/PROPELLER AND AIRCRAFT CERTIFICATION
5.1 Objective
To satisfy the JAR aircraft requirements, such as JAR 25.901, JAR 25.903 and JAR 25.1309, an analysis of the consequences of failures of the system on the aircraft has to be made. The Engine/Propeller manufacturer should, together with the aircraft manufacturer, ensure that the software levels and safety and reliability objectives for the electronic control system are consistent with these requirements.
5.2 Interface Definition
a. The interface has to be identified for the hardware and software aspects between the Engine, Propeller and the aircraft systems in the appropriate documents.
b. The Engine/Propeller/aircraft documents should cover in particular -
i. The software quality level (per function if necessary),
ii. The reliability objectives for -
Engine shut-down in flight,
Loss of Engine/Propeller control or significant change in thrust,
Transmission of faulty parameters,
iii. The degree of protection against lightning or other electromagnetic effects (e.g. level of induced voltages that can be supported at the interfaces),
iv. Engine, Propeller and aircraft interface data and characteristics, and
v. Aircraft power supply and characteristics (if relevant). ]
[ 5.3 Distribution of Compliance Tasks
The tasks for the certification of the aircraft propulsion system equipped with electronic controls may be shared between the Engine, Propeller and aircraft manufacturers. The distribution of these tasks between the manufacturers shall be identified and agreed with the appropriate Engine and aircraft Authorities (an example is given in paragraph 6).
Appropriate evidence provided for Engine/Propeller certification should be used for aircraft certification. For example, the quality of any aircraft function software and aircraft/Engine/Propeller interface logic already demonstrated for Engine/Propeller certification should need no additional substantiation for aircraft certification.
Aircraft certification shall deal with the specific precautions taken in respect of the physical and functional interfaces with the Engine/Propeller.
6 TABLE
An example of tasks distribution bewteen Engine and aircraft manufacturers. (When necessary, a similar approach should be taken for Propeller applications).
SUBSTANTIATION SUBSTANTIATION BY AIRCRAFTMANUFACTURER
TASK BY UNDER JAR-25 -
ENGINE
MANUFACTURER with data supplied by with its own data
UNDER engine manufacturer
JAR-E
ENGINE CONTROL - Safety objective - Consideration of common
AND PROTECTION mode effects (including software)
- Software level - Reliability
- Software level
MONITORING - Independence of control - Monitoring parameter - Indication system
and monitoring parameters reliability reliability
- Independence engine/
engine
AIRCRAFT DATA - Protection of engine - Aircraft data
from aircraft data reliability
failures
- Independence engine/
- Software level engine
THRUST REVERSER - Software level - System reliability - Safety objectives
CONTROL/MONITORING - Architecture
- Consideration of common mode effects
(including software)
CONTROL SYSTEM - Reliability of quality
ELECTRICAL SUPPLY of aircraft supply if used.
- Independence engine/
engine
ENVIRONMENTAL - Equipment protection - Declared capability - Aircraft design
CONDITIONS
LIGHTNING AND - Aircraft wiring
OTHER ELECTROMAGNETIC protection
EFFECTS
FIRE PROTECTION - Equipment protection - Declared capability - Aircraft design
LAST UPDATE: [an error occurred while processing this directive]
AUTHOR: Prof. Dr. Scholz
IMPRESSUM (PDF)
Prof. Dr. Scholz
Aircraft Design and Systems Group (AERO)
Aeronautical Engineering
Department of Automotive and Aeronautical Engineering
Faculty of Engineering and Computer Science
Hamburg University of Applied Sciences