[Federal Register Volume 87, Number 235 (Thursday, December 8, 2022)]
[Proposed Rules]
[Pages 75424-75454]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-26369]
Part IV
 Department of Transportation
-----------------------------------------------------------------------
 Federal Aviation Administration
-----------------------------------------------------------------------
14 CFR Part 25
System Safety Assessments; Proposed Rule
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Part 25
[Docket No.: FAA-2022-1544; Notice No. 23-04]
RIN 2120-AJ99
System Safety Assessments
AGENCY: Federal Aviation Administration (FAA), Department of 
Transportation (DOT).
ACTION: Notice of proposed rulemaking (NPRM).
-----------------------------------------------------------------------
SUMMARY: The FAA proposes to amend certain airworthiness regulations to 
standardize the criteria for conducting safety assessments for systems, 
including flight controls and powerplants, installed on transport 
category airplanes. With this action, the FAA seeks to reduce risk 
associated with airplane accidents and incidents that have occurred in 
service, and reduce risk associated with new technology in flight 
control systems. The intended effect of this proposed action is to 
improve aviation safety by making system safety assessment (SSA) 
certification requirements more comprehensive and consistent.
DATES: Send comments on or before March 8, 2023.
ADDRESSES: Send comments identified by docket number FAA-2022-1544 
using any of the following methods:
     Federal eRulemaking Portal: Go to https://www.regulations.gov and follow the online instructions for sending your 
comments electronically.
     Mail: Send comments to Docket Operations, M-30; U.S. 
Department of Transportation (DOT), 1200 New Jersey Avenue SE, Room 
W12-140, West Building Ground Floor, Washington, DC 20590-0001.
     Hand Delivery or Courier: Take comments to Docket 
Operations in Room W12-140 of the West Building Ground Floor at 1200 
New Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday 
through Friday, except Federal holidays.
     Fax: Fax comments to Docket Operations at (202) 493-2251.
    Privacy: In accordance with 5 U.S.C. 553(c), DOT solicits comments 
from the public to better inform its rulemaking process. DOT posts 
these comments, without edit, including any personal information the 
commenter provides, to www.regulations.gov, as described in the system 
of records notice (DOT/ALL-14 FDMS), which you can review at https://www.dot.gov/privacy.
    Docket: Background documents or comments received may be read at 
https://www.regulations.gov at any time. Follow the online instructions 
for accessing the docket or go to the Docket Operations in Room W12-140 
of the West Building Ground Floor at 1200 New Jersey Avenue SE, 
Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, 
except Federal holidays.
FOR FURTHER INFORMATION CONTACT: Suzanne Masterson, Strategic Policy 
Transport Section, AIR-614, Strategic Policy Management Branch, Policy 
and Innovation Division, Aircraft Certification Service, Federal 
Aviation Administration, 2200 South 216th Street, Des Moines, WA 98198; 
telephone and fax (206) 231-3211; email [email protected].
SUPPLEMENTARY INFORMATION:
Authority for This Rulemaking
    The FAA's authority to issue rules on aviation safety is found in 
Title 49 of the United States Code. Subtitle I, Section 106 describes 
the authority of the FAA Administrator. Subtitle VII, Aviation 
Programs, describes in more detail the scope of the agency's authority.
    This rulemaking is promulgated under the authority described in 
Subtitle VII, Part A, Subpart III, Section 44701, ``General 
Requirements.'' Under that section, the FAA is charged with promoting 
safe flight of civil aircraft in air commerce by prescribing 
regulations and minimum standards for the design and performance of 
aircraft that the Administrator finds necessary for safety in air 
commerce. This regulation is within the scope of that authority. It 
prescribes new safety standards for the design and operation of 
transport category airplanes.
Acronyms and Frequently Used Terms
           Table 1--Acronyms Frequently Used in This Preamble
------------------------------------------------------------------------
           Acronym                             Definition
------------------------------------------------------------------------
AC...........................  Advisory Circular.
AD...........................  Airworthiness Directive.
AFM..........................  Airplane Flight Manual.
ALS..........................  Airworthiness Limitations section.
ARAC.........................  Aviation Rulemaking Advisory Committee.
ASAWG........................  Airplane-Level Safety Analysis
                                Working Group.
CAST.........................  Commercial Aviation Safety Team.
CMR..........................  Certification Maintenance Requirement.
CS-25........................  Certification Specifications for Large
                                Aeroplanes (issued by EASA).
CSL+1........................  Catastrophic Single Latent Failure Plus
                                One (a failure condition).
EASA.........................  European Union Aviation Safety Agency.
ELOS.........................  Equivalent Level of Safety.
EWIS.........................  Electrical Wiring Interconnection System.
FCHWG........................  Flight Controls Harmonization Working
                                Group.
ICA..........................  Instructions for Continued Airworthiness.
LDHWG........................  Loads and Dynamics Harmonization Working
                                Group.
NTSB.........................  National Transportation Safety Board.
PPIHWG.......................  Powerplant Installation Harmonization
                                Working Group.
SDAHWG.......................  System Design and Analysis Harmonization
                                Working Group.
SLF..........................  Significant Latent Failure.
SSA..........................  System Safety Assessment.
------------------------------------------------------------------------
                            Table 2--Terms Used in This Notice of Proposed Rulemaking
----------------------------------------------------------------------------------------------------------------
                  Term                                                  Definition
----------------------------------------------------------------------------------------------------------------
                                                     General
----------------------------------------------------------------------------------------------------------------
Certification maintenance requirement    A required scheduled maintenance task established during the design
 (CMR) *.                                 certification of the airplane systems as an airworthiness limitation
                                          of the type certificate or supplemental type certificate.
Error..................................  An omission or incorrect action by a crewmember or maintenance
                                          personnel, or a mistake in requirements, design, or implementation.
Event..................................  An occurrence that has its origin distinct from the airplane, such as
                                          atmospheric conditions (e.g., gusts, temperature variations, icing,
                                          and lightning strikes); runway conditions; conditions of
                                          communication, navigation, and surveillance services;
                                          bird-strike; cabin and baggage fires (not initiated by features
                                          installed on the airplane). The term does not cover sabotage or other
                                          similar intentional acts.
Failure................................  An occurrence that affects the operation of a component, part, or
                                          element such that it no longer functions as intended. This includes
                                          both loss of function and malfunction.
                                         Note: Errors and events may cause failures or influence their effects
                                          but are not considered to be failures.
Failure condition......................  A condition, caused or contributed to by one or more failures or
                                          errors, that has either a direct or consequential effect on the
                                          airplane, its occupants, or other persons, accounting for--
                                             Flight phase,
                                             Relevant adverse operational or environmental conditions,
                                             and
                                             External events.
Latent failure.........................  A failure that is not apparent to the flightcrew or maintenance
                                          personnel.
Single failure.........................  Any occurrence, or set of occurrences, that cannot be shown to be
                                          independent from each other (e.g., failures due to a common cause),
                                          that affect the operation of components, parts, or elements such that
                                          they no longer function as intended. (See definition of ``Failure.'')
Structural performance.................  The capability of the airplane to meet the structural requirements of
                                          14 CFR part 25.
----------------------------------------------------------------------------------------------------------------
                               Failure conditions in order of increasing severity
----------------------------------------------------------------------------------------------------------------
Minor failure condition................  A failure condition that would not significantly reduce airplane safety
                                          and would only require flightcrew actions that are well within their
                                          capabilities. Minor failure conditions may result in--
                                             A slight reduction in safety margins or functional
                                             capabilities,
                                             A slight increase in flightcrew workload, such as routine
                                             flight plan changes,
                                             Some physical discomfort to passengers or flight
                                             attendants, or
                                             An effect of similar severity.
Major failure condition *..............  A failure condition that would reduce the capability of the airplane or
                                          the ability of the flightcrew to cope with adverse operating
                                          conditions, to the extent that there would be--
                                             A significant reduction in safety margins or functional
                                             capabilities,
                                             A significant increase in flightcrew workload or in
                                             conditions impairing the efficiency of the flightcrew,
                                             Physical distress to passengers or flight attendants,
                                             possibly including injuries, or
                                             An effect of similar severity.
Hazardous failure condition *..........  A failure condition that would reduce the capability of the airplane or
                                          the ability of the flightcrew to cope with adverse operating
                                          conditions, to the extent that there would be--
                                             A large reduction in safety margins or functional
                                             capabilities,
                                             Physical distress or excessive workload such that the
                                             flightcrew cannot be relied upon to perform their tasks accurately
                                             or completely, or
                                             Serious or fatal injuries to a relatively small number of
                                             persons other than the flightcrew.
                                         Note: For the purpose of performing a safety assessment, a ``small
                                          number'' of fatal injuries means one such injury.
Catastrophic failure condition *.......  A failure condition that would result in multiple fatalities, usually
                                          with the loss of the airplane.
----------------------------------------------------------------------------------------------------------------
                                        Terms related to latent failures
----------------------------------------------------------------------------------------------------------------
Significant latent failure *...........  A latent failure that, in combination with one or more specific
                                          failures or events, would result in a hazardous or catastrophic
                                          failure condition.
Catastrophic single latent failure plus  A catastrophic failure condition that results from a combination of two
 one (CSL+1).                             failures, either of which could be latent for more than one flight.
----------------------------------------------------------------------------------------------------------------
                              Failure conditions in order of decreasing probability
----------------------------------------------------------------------------------------------------------------
Probable failure condition *...........  A failure condition that is anticipated to occur one or more times
                                          during the entire operational life of each airplane of a given type.
Remote failure condition *.............  A failure condition that is not anticipated to occur to each airplane
                                          of a given type during its entire operational life, but which may
                                          occur several times during the total operational life of a number of
                                          airplanes of a given type.
Extremely remote failure condition *...  A failure condition that is not anticipated to occur to each airplane
                                          of a given type during its entire operational life, but which may
                                          occur a few times during the total operational life of all airplanes
                                          of a given type.
Extremely improbable failure condition*  A failure condition that is not anticipated to occur during the total
                                          operational life of all airplanes of a given type.
----------------------------------------------------------------------------------------------------------------
* These terms are also defined in proposed new Sec.   25.4 Definitions.
Contents
I. Overview of Proposed Rule
II. Background
    A. Statement of the Problem
    B. Related Actions
    1. Aviation Rulemaking Advisory Committee (ARAC) Recommendations
    2. FAA Review of Service Difficulty Reports
    3. Commercial Aviation Safety Team Task Force Study Regarding 
Gaps in Maintenance Process
    4. Equivalent Level of Safety Findings and Special Conditions
    5. Harmonization with European Union Aviation Safety Agency 
(EASA) Certification Standards
    6. Aircraft Certification, Safety, and Accountability Act
    C. NTSB Recommendations
III. Discussion of the Proposed Rule
    A. Consistent Safety Assessment Criteria for Airplane Systems
    1. Average Risk Criteria (Sec.  25.1309(b)(1), (2), and (3))
    2. Latent Failures in System Designs
    B. Consistent Application and Interpretation of Requirements for 
Equipment, Systems, and Installations
    1. Applicability of Sec.  25.1309
    2. Exceptions From Applicability of Sec.  25.1309
    3. Flightcrew Alerting and Errors
    C. Interaction of Systems and Structures (New Sec.  25.302)
    1. Applicability of New Sec.  25.302
    2. Normal Operation
    3. Failure Condition Effect on Structural Performance
    4. Dispatch in a System Failed State
    5. Differences Between Proposed Sec.  25.302 and EASA CS 25.302
    D. Turbojet Thrust Reversing Systems
    E. Flight Control Systems Safety Assessment Criteria
    1. Changes to Sec.  25.671(c) Failure Criteria
    2. Other Changes to Sec.  25.671
    F. Certification Maintenance Requirements
    G. Miscellaneous Amendments
    1. Method of Compliance With Sec.  25.1309(b)
    2. Failure Examples Related to Flutter
    3. Other Changes to Sec.  25.629
    4. EWIS Requirements
    5. Removal of Redundant Requirements
    H. Petitions for Rulemaking
    I. Advisory Material
IV. Regulatory Notices and Analyses
    A. Regulatory Evaluation
    1. Costs and Benefits of this Proposed Rule
    2. Who is potentially affected by this Proposed Rule?
    3. Assumptions and Sources of Information
    4. Costs of the Proposed Specific Risk Rule
    5. Benefits of the Proposed Specific Risk Rule
    6. Summary of Costs and Benefits of Specific Risk Rule
    7. Section 25.1309: Equipment, Systems, and Installations
    8. Section 25.671: General Control Systems
    9. Section 25.901: Installation Engines
    10. Section 25.933: Reversing Systems
    11. Section 25.302: Interaction of Systems and Structures
    B. Regulatory Flexibility Determination
    C. International Trade Impact Assessment
    D. Unfunded Mandates Assessment
    E. Paperwork Reduction Act
    F. International Compatibility and Cooperation
    G. Environmental Analysis
V. Executive Order Determinations
    A. Executive Order 13132, Federalism
    B. Executive Order 13211, Regulations That Significantly Affect 
Energy Supply, Distribution, or Use
    C. Executive Order 13609, International Cooperation
VI. Additional Information
    A. Comments Invited
    B. Availability of Rulemaking Documents
I. Overview of Proposed Rule
    The FAA proposes to revise regulations in title 14, Code of Federal 
Regulations (14 CFR) part 25 (Airworthiness Standards: Transport 
Category Airplanes) related to the safety assessment \1\ of airplane 
systems. The proposed changes to part 25 would affect applicants for 
type certification and operators of transport category airplanes. 
Applicants for type certification would be required to conduct their 
SSAs in accordance with the revised regulations. Proposed changes to 
the ICA would affect operators of newly certified airplanes, although 
the impact on those operators would not be significant.
---------------------------------------------------------------------------
    \1\ A system safety assessment is a structured process intended 
to systematically identify the risks pertinent to the design of 
aircraft systems, and to show that the systems meet safety 
requirements.
---------------------------------------------------------------------------
    The FAA proposes revised and new safety standards to reduce the 
likelihood of potentially catastrophic risks due to latent failures in 
critical systems. The standards would require the elimination of such 
risks as far as practical. When it is not practical to eliminate such a 
risk, the standards would require the reduction and management of any 
remaining risk. The proposed standards would also improve the 
likelihood that operators discover latent failures and address them 
before they become an unsafe condition, rather than discovering them 
after they occur and the FAA addressing them with airworthiness 
directives (ADs).
    Because modern aircraft systems (for example, avionics and fly-by-wire 
systems) are much more integrated than they were when the current 
safety criteria in Sec.  25.1309 and other system safety assessment 
rules were established in 1970,\2\ the new standards proposed in this 
rule would be consistent for all systems of the airplane, reducing the 
chance of a hazard falling into a gap between the different regulatory 
requirements for different systems.
---------------------------------------------------------------------------
    \2\ 35 FR 5665 (Apr. 8, 1970).
---------------------------------------------------------------------------
    Consistent criteria for conducting SSAs would also provide 
predictability for applicants by reducing the number of issue papers 
and special conditions necessary for airplane certification 
projects.\3\
---------------------------------------------------------------------------
    \3\ Special conditions are rules of particular applicability 
that the FAA issues to address novel or unusual design features. See 
14 CFR 21.16, and section 2-4(j)(3) of FAA Order 8110.4C, Type 
Certification. The latter is available at drs.faa.gov, and as noted 
therein, the FAA uses the issue paper process to develop the terms 
of these special conditions. See FAA Order 8110.112A, Standardized 
Procedures for Usage of Issue Papers and Development of Equivalent 
Levels of Safety Memorandums, and Advisory Circular 20-166A, Issue 
Paper Process, available at drs.faa.gov.
---------------------------------------------------------------------------
    Specifically, the proposed rule would--
     Require that applicants limit the likelihood of a 
catastrophic failure condition that results from a combination of two 
failures, either of which could be latent. In this proposal, the FAA 
refers to this particular failure condition as a Catastrophic Single 
Latent Failure Plus One (CSL+1) because it consists of the catastrophic 
condition that results from a single latent failure plus one additional 
failure. See proposed Sec.  25.1309(b)(5).
     Revise safety assessment regulations to eliminate 
ambiguity in, and provide consistency between, the safety assessments 
that applicants must conduct for different types of airplane systems. 
Section 25.1309 would continue to contain the safety assessment 
criteria applicable to most airplane systems. Sections 25.671(c) 
(flight control systems) and 25.901(c) (powerplant installations) would 
be amended to remove general system safety criteria. Instead, the 
systems covered in these sections would be required to comply with 
Sec.  25.1309 (system safety criteria). Section 25.933(a) (thrust 
reversing systems) would allow compliance with Sec.  25.1309 as an 
option. Sections 25.671, 25.901, and 25.933 would continue to contain 
criteria for safety assessments specific to flight control systems, 
powerplant installations, and thrust reversing systems, respectively.
     Require applicants to assess and account for any effect 
that the failure of a system could have on the structural performance 
of the airplane. See proposed Sec.  25.302.
     Define the different types of failure of flight control 
systems, including jams, and define the criteria for safety assessment 
of those types of failures. See proposed Sec.  25.671.
     Require applicants to include, in the Airworthiness 
Limitations Section (ALS) of the airplane's Instructions for Continued 
Airworthiness (ICA), necessary maintenance tasks that
applicants identify during their SSAs. See proposed Sec.  25.1309(d).
     Remove the ``function properly when installed'' criterion 
in Sec.  25.1301(a)(4) for installed equipment whose function is not 
needed for safe operation of the airplane.
II. Background
A. Statement of the Problem
    This proposed action is necessary because airplane accidents, 
incidents, and service difficulties have occurred as a result of 
failures in airplane systems. Some of these occurrences were caused, in 
part, by insufficient design standards for controlling the risk of 
latent failures. Current FAA regulations do not prevent the unintended 
operation of an airplane with a latent failure that, when combined with 
another failure, could cause an accident. For example, in 1991, a 
Boeing Model 767 series airplane operated by Lauda Air took off with a 
contaminated thrust reverser control valve. This contamination was 
``latent'' because it was undetected. The accident investigation found 
that a short circuit occurred, and together with the contaminated 
control valve, caused the thrust reverser to unintentionally deploy in 
flight. As a result, the airplane subsequently crashed, resulting in 
223 fatalities.\4\
---------------------------------------------------------------------------
    \4\ Lauda Air B767 Accident Report by the Aircraft Accident 
Investigation Committee, Ministry of Transport and Communications, 
Thailand, is available in the docket and at https://lessonslearned.faa.gov/Lauda/LaudaAccidentReport.pdf.
---------------------------------------------------------------------------
    Also, current regulations do not require establishment of mandatory 
inspections for significant latent failures that may pose a risk in 
maintaining the airworthiness of the airplane design. Such inspections 
may be necessary to reduce an airplane's exposure to these latent 
failures, so airplanes continue to meet safety standards while in 
service.
    Additionally, current regulations do not adequately address new 
technology in flight control systems and the effects these systems can 
have on controllability and structural capability. For example, on 
airplanes equipped with fly-by-wire control systems, there is no 
mechanical link between the flightdeck control and the control surface, 
so the flightcrew may not be aware of the actual control surface 
position. Also, on some flight control system designs, there may be 
submodes of operation that change or degrade the normal handling or 
operational characteristics of the airplane. Flightcrew awareness of 
both the operational mode of the airplane and the control surface 
positions are necessary design features to ensure safety of flight but 
are not required by current regulations.
    This action is also necessary to address flight control systems 
whose failure can affect the loads imposed on the airplane structure. 
As an example, some airplanes are equipped with rudder limiters, which 
reduce the maximum deflection of the rudder at higher airspeeds, 
thereby reducing the maximum loads on the rudder and vertical 
stabilizer. Failure of the rudder limiter can result in higher loads on 
these surfaces in the event of a significant rudder maneuver. Excessive 
loads can lead to structural damage and catastrophic failure. Current 
regulations do not require applicants to account for these potentially 
higher loads in the structural design of the airplane.
    Lastly, certain system safety requirements are not standardized 
across airplane systems. Current regulations specify different safety 
assessment criteria for different systems, which can lead to 
inconsistent standards across the airplane. Also, when systems that 
traditionally have been separate become integrated using new 
technology, applicants may be unsure which standard to apply.
    The FAA proposes to address these issues by revising the system 
safety assessment requirements in part 25.
B. Related Actions
1. Aviation Rulemaking Advisory Committee (ARAC) Recommendations
    Advances in flight controls technology, increased airplane system 
integration, and certain incidents, accidents, and service difficulties 
related to system failures prompted the FAA to task the ARAC with 
developing recommendations for new or revised requirements and 
compliance methods related to the safety assessment of airplane and 
powerplant systems. The ARAC accepted tasks on various airplane systems 
issues and assigned them to the Powerplant Installation Harmonization 
Working Group (PPIHWG),\5\ Flight Controls Harmonization Working Group 
(FCHWG),\6\ Loads and Dynamics Harmonization Working Group (LDHWG),\7\ 
and System Design and Analysis Harmonization Working Group (SDAHWG).\8\ 
The FAA also tasked the ARAC to make recommendations for harmonizing 
the relevant part 25 rules with the corresponding European 
certification specifications for large airplanes.\9\ The ARAC accepted 
this task and assigned it to the relevant working groups.
---------------------------------------------------------------------------
    \5\ 57 FR 58844 (Dec. 11, 1992).
    \6\ 63 FR 45554 (Aug. 26, 1998).
    \7\ 59 FR 30081 (Jun. 10, 1994).
    \8\ 61 FR 26246 (May 24, 1996).
    \9\ As the FAA noted in the Federal Register in 1993: ``The FAA 
announced at the Joint Aviation Authorities (JAA)-Federal Aviation 
Administration (FAA) Harmonization Conference in Toronto, Ontario, 
Canada, (June 2-5, 1992) that it would consolidate within the 
Aviation Rulemaking Advisory Committee structure an ongoing 
objective to ``harmonize'' the Joint Aviation Requirements (JAR) and 
the Federal Aviation Regulations (FAR). Coincident with that 
announcement, the FAA assigned to the ARAC those projects related to 
JAR/FAR 25, 33 and 35 harmonization which were then in the process 
of being coordinated between the JAA and the FAA.'' 58 FR 13819, 
13820 (Mar. 15, 1993).
---------------------------------------------------------------------------
    In developing their recommendations, the PPIHWG and FCHWG reviewed 
the investigations of two transport category airplane accidents. In the 
May 1991 Lauda Air accident, discussed previously, an unintentional 
thrust reverser deployment on a Boeing Model 767 series airplane caused 
a loss of airplane controllability.\10\ In the September 1994 USAir 
accident, the NTSB considered a malfunction of the rudder actuation 
system on a Boeing Model 737-300 series airplane to have likely 
initiated a loss of airplane controllability that resulted in the 
airplane impacting the ground near Pittsburgh, Pennsylvania.\11\ The 
investigations of these two accidents identified hazards resulting from 
potential CSL+1 failure conditions in safety critical systems.
---------------------------------------------------------------------------
    \10\ See footnote 4.
    \11\ NTSB Accident Report NTSB/AAR-09/01, Uncontrolled Descent 
and Collision with Terrain, USAir Flight 427, Boeing 737-300, 
N513AU, Near Aliquippa, Pennsylvania, September 8, 1994, is 
available in the docket and at https://lessonslearned.faa.gov/USAir427/usair427_ntsb_report.pdf.
---------------------------------------------------------------------------
    The PPIHWG recommended revisions to Sec.  25.901(c), to address 
failures and malfunctions of powerplant and auxiliary power unit (APU) 
installations, and to Sec.  25.933, to address failures and 
malfunctions of thrust reversing systems. The FCHWG recommended changes 
to Sec.  25.671 to address failures and jamming of flight control 
systems. The LDHWG recommended the addition of a new rule, Sec.  
25.302, to address systems that directly, or as a result of a failure 
or malfunction, would affect the structural performance of the 
airplane. The SDAHWG recommended revisions to Sec. Sec.  25.1301 and 
25.1309, and further changes to Sec.  25.901(c). Each working group 
also recommended advisory material to accompany the recommended 
regulatory changes. The SDAHWG named their recommended
revision to AC 25.1309-1A as the ``Arsenal'' version.\12\
---------------------------------------------------------------------------
    \12\ The ``Arsenal'' version is a draft revision of AC 25.1309-
1A, developed by the ARAC SDAHWG. Applicants can use it in 
conjunction with a request for an ELOS finding for, or exemption 
from, Sec. Sec.  25.1301 and 25.1309, per FAA Policy PS-ANM100-00-
113-1034, Use of ARAC (Aviation Rulemaking Advisory Committee) 
Recommended Rulemaking not yet formally adopted by the FAA, as a 
basis for equivalent level of safety or exemption to Part 25, dated 
January 4, 2001, available at https://drs.faa.gov. The ``Arsenal'' 
version is available in the docket as part of the SDAHWG 
recommendation, Task 2--System and Analysis Harmonization and 
Technology Update, pp. 61-99, and at https://www.faa.gov/regulations_policies/rulemaking/committees/documents/media/TAEsdaT2-5241996.pdf.
---------------------------------------------------------------------------
    Although the working groups each addressed the subject of managing 
latent failures in safety critical systems, their recommendations were 
not consistent when defining the criteria for latent failures. After 
reviewing the relevant regulations, and the recommendations from the 
working groups, the FAA, along with the European, Canadian, and 
Brazilian civil aviation authorities, identified a need to standardize 
SSA criteria. These authorities were concerned that the safety criteria 
recommended by the working groups could result in differing safety 
assessments across various critical systems. Differing standards could 
result in an inappropriately low level of safety on some critical 
systems, or, conversely, unnecessarily apply the most stringent 
standard to every system in a set of integrated systems.
    Therefore, in 2006, the FAA tasked ARAC, which assigned the task to 
the Airplane-Level Safety Assessment Working Group (ASAWG),\13\ with 
creating consistent SSA criteria and developing new criteria for 
``specific risk.'' ``Specific risk'' is the risk on a given flight 
resulting from the existence of a particular condition (for example, a 
latent failure) on that flight. It is differentiated from ``average 
risk,'' which is the risk on a typical flight of all airplanes of a 
particular model for a typical duration.
---------------------------------------------------------------------------
    \13\ 71 FR 14284 (Mar. 21, 2006).
---------------------------------------------------------------------------
    The ASAWG completed its work in May 2010 and recommended a set of 
consistent requirements that would apply to all systems. Specific areas 
addressed in the recommendation report include latent failures, aging 
and wear, Master Minimum Equipment Lists, and flight and diversion 
time. The ASAWG recommended that the general system safety criteria for 
all airplane systems be governed by Sec.  25.1309, and recommended 
adjustments to the regulations and advisory material addressed by the 
working groups mentioned previously, to implement consistent system 
safety criteria. All ARAC working group recommendation reports are 
available in the docket for this NPRM.
2. FAA Review of Service Difficulty Reports
    One ASAWG recommendation responded to the need to prevent a 
catastrophic failure condition resulting from two failures, when either 
failure is latent (undetected) for more than one flight. In such a 
case, the first failure is latent, and thus persists undetected, and 
the second failure is active (detected) because its occurrence results 
in a catastrophic accident. In consideration of this recommendation, 
the FAA reviewed a number of past service difficulty reports \14\ that 
could have led to catastrophic accidents if the latent failure had been 
followed by another failure. These include:
---------------------------------------------------------------------------
    \14\ Service difficulty reports are reports of occurrences or 
detection of failures, malfunctions, and defects, as required by 14 
CFR 91.1415, 121.703, 125.409, 135.415 and 145.221, as applicable to 
the type of operation of the aircraft.
---------------------------------------------------------------------------
     A latent failure of a fire extinguisher control switch 
that, if coupled with an active failure such as an engine fire, could 
have resulted in an uncontrollable engine fire.\15\
---------------------------------------------------------------------------
    \15\ A report of the failure of a certain engine fire shutoff 
switch led to Airworthiness Directive (AD) 2005-01-13, Amendment 39-
13938 (70 FR 2339, January 13, 2005).
---------------------------------------------------------------------------
     A latent failure of the high-lift system \16\ brake that, 
if coupled with an active failure such as a high-lift system 
transmission driveshaft failure, could have resulted in loss of 
control.\17\
---------------------------------------------------------------------------
    \16\ A ``high-lift'' system is a system that increases the 
amount of lift produced by an airplane wing.
    \17\ Multiple reports of failure of a certain high-lift system 
brake led to AD 2009-20-12, Amendment 39-16035 (74 FR 50686, October 
1, 2009).
---------------------------------------------------------------------------
     A latent failure of a high-lift system proximity sensor 
that, if coupled with an active failure such as a high-lift drive 
system failure, could have resulted in loss of control.\18\
---------------------------------------------------------------------------
    \18\ Multiple reports of failure of a certain high-lift system 
proximity sensor led to AD 2014-03-08, Amendment 39-17745 (79 FR 
9398, February 19, 2014).
---------------------------------------------------------------------------
    The FAA has determined that such service difficulties were, in 
part, a consequence of insufficient design standards for controlling 
the risk due to latent failures, and the FAA expects similar service 
difficulties in the future if the standards are not revised to manage 
such risks.
3. Commercial Aviation Safety Team Task Force Study Regarding Gaps in 
Maintenance Process
    In 2009, the Commercial Aviation Safety Team (CAST) \19\ chartered 
a task force, led by the FAA Flight Standards Service, Aircraft 
Maintenance Division, to conduct a study to identify and correct gaps 
in operators' maintenance processes. The objective of the task force 
was to ensure that the level of safety provided at certification would 
be sustained throughout the life of the airplane.
---------------------------------------------------------------------------
    \19\ Founded in 1998, CAST is a cooperative government-industry 
initiative. CAST is co-chaired by a senior-level official of the air 
transport industry and by the FAA Associate Administrator for 
Aviation Safety.
---------------------------------------------------------------------------
    In 2011, the task force reported on the gaps it found, and 
recommended mitigation strategies.\20\ One of the identified gaps (GAP 
009) was that the current regulations do not require use of 
Certification Maintenance Requirements (CMRs),\21\ which identify 
inspections of systems for significant latent failures that are 
necessary to preserve the airplane's reliability. The FAA has been 
recommending, in advisory circulars (AC 25.1309-1A, AC 25-19, and AC 
25-19A), that the need for inspections of critical systems where 
latent failures could exist be established. Since CMRs are critical to safety, the 
task force recommended the FAA require their use.
---------------------------------------------------------------------------
    \20\ More information on CAST and the task force findings is 
available in the docket and on the internet at https://www.skybrary.aero/sites/default/files/bookshelf/2553.pdf.
    \21\ CMRs are defined in Advisory Circular (AC) 25.1309-1A, 
System Design and Analysis, dated June 21, 1988; and AC 25-19A, 
Certification Maintenance Requirements, dated October 3, 2011. The 
FAA plans to revise AC 25.1309-1 as described in this document, and 
the CMR definition would conform to the definition provided in Table 
2 and in new Sec.  25.4, Definitions. The CMR definition in AC 25-
19A already conforms to the definition provided in Table 2. That AC 
is not being revised as part of this rulemaking.
---------------------------------------------------------------------------
4. Equivalent Level of Safety Findings and Special Conditions
    The FAA has applied most of the SSA criteria proposed in this NPRM 
to certification projects for the past 15 years, through equivalent 
level of safety (ELOS) findings under Sec.  21.21. The topics of these 
findings include flight control systems (Sec.  25.671(c)) as 
recommended by the FCHWG; thrust reversers (Sec.  25.933(a)(1)) as 
recommended by the PPIHWG; and general SSA criteria (Sec. Sec.  25.1301 
and 25.1309) as recommended by the SDAHWG.
    Modern transport category airplanes are equipped with systems that, 
directly or as a result of failure or malfunction, affect structural 
performance. However, current regulations do not require applicants to 
take into account loads on the airplane due to the effects of system 
failures on structural performance. Therefore, the FAA has applied 
special conditions that require the effects of system failures be taken 
into account in the design. The FAA based the provisions of these 
special conditions, titled ``Interaction of Systems and Structures,'' 
on the criteria developed by the ARAC working groups, and proposes to 
codify these special conditions in proposed Sec.  25.302.
    Finally, the FAA has applied the requirements in proposed Sec.  
25.671(a), (e), and (f) for fly-by-wire control systems to recent type 
certificate applications through means of compliance issue papers and 
special conditions.
5. Harmonization With European Union Aviation Safety Agency (EASA) 
Certification Standards
    EASA certification standards for large airplanes (CS-25) prescribe 
the airworthiness standards corresponding to 14 CFR part 25 for 
transport category airplanes certified by the European Union. 
Applicants for FAA type certification of transport category airplanes 
may also seek EASA validation of the FAA's type certificate. Where part 
25 and CS-25 differ, an applicant must meet both airworthiness 
standards to obtain a U.S. type certificate and validation of the type 
certificate by foreign authorities, or obtain exemptions, ELOS findings 
or special conditions, or the foreign authority's equivalent to those, 
as necessary to meet one standard in lieu of the other. Where FAA and 
EASA can maintain harmonized requirements, applicants for type 
certification benefit by having a single set of requirements with which 
they must show compliance, thereby reducing the cost and complexity of 
certification and codifying a consistent level of safety.
    EASA incorporated the SDAHWG-recommended changes to Sec. Sec.  
25.1301 and 25.1309, and associated guidance, in its initial issuance 
of CS-25 on October 17, 2003.\22\ EASA incorporated the criteria 
regarding interaction of systems and structures recommended by the 
LDHWG into its regulatory framework as CS 25.302 and appendix K of CS-
25 at amendment 25/1 on December 12, 2005.\23\ EASA incorporated the 
ASAWG-recommended regulatory and advisory material implementing 
consistent SSA criteria, at amendment 25/24 to CS-25, on January 10, 
2020.\24\ This proposed NPRM would harmonize FAA requirements with EASA 
to the extent possible, with differences described in the Discussion of 
the Proposed Rule.
---------------------------------------------------------------------------
    \22\ https://www.easa.europa.eu/en/downloads/1516/en.
    \23\ https://www.easa.europa.eu/en/document-library/certification-specifications/cs-25-amendment-1.
    \24\ https://www.easa.europa.eu/en/downloads/108354/en.
---------------------------------------------------------------------------
6. Aircraft Certification, Safety, and Accountability Act
    This proposal would update the requirements and guidance for system 
safety assessments to support, in part, the requirements of the 
Aircraft Certification, Safety, and Accountability Act, Public Law 116-
260 (the Act). Section 115(b)(1)(A) of the Act states that the 
Administrator of the FAA shall require an applicant for an amended type 
certificate for a transport airplane to perform a system safety 
assessment with respect to each proposed design change that the 
Administrator determines is significant, with such assessment 
considering the airplane-level effects of individual errors, 
malfunctions, or failures and realistic pilot response times to such 
errors, malfunctions, or failures. Currently, Sec.  25.1309 requires 
this action, not just for significant design changes, but for all 
design changes affecting systems. Specifically, Sec.  25.1309(b) 
requires applicants assess safety at the airplane level for airplane 
systems and associated components, considered separately and in 
relation to other systems. Section 25.1309(d) specifies that compliance 
to Sec.  25.1309(b) must be shown by analysis and appropriate testing, 
and must consider possible modes of failure, including malfunctions and 
damage, and also that the assessment consider crew warning cues, 
corrective action required, and the capability of detecting faults. In 
the context of Sec.  25.1309, ``corrective action'' means flightcrew 
procedures for use after failure detection to enable continued safe 
flight and landing.\25\ The proposed Sec.  25.1309 would remove the 
current content of Sec.  25.1309(d), and place that content in draft AC 
25.1309-1B, along with expanded guidance on the safety assessment 
process, because (1) the proposed Sec.  25.1309 would be a performance-
based regulation for which methods of compliance are more appropriately 
provided in guidance, and (2) the items for consideration listed in 
Sec.  25.1309(d) constitute an incomplete method of compliance to Sec.  
25.1309(b), as explained in section III.G.1 of this preamble.
---------------------------------------------------------------------------
    \25\ AC 25.1309-1A provides guidance on including flightcrew 
corrective action in showing compliance to Sec.  25.1309. Draft AC 
25.1309-1B, sections 5.3 and 5.4, would provide updated guidance.
---------------------------------------------------------------------------
    Section 115(b)(1)(B) of the Act states that the system safety 
assessments required by section 115(b)(1)(A) of the Act be updated for 
each subsequent proposed design change that the Administrator 
determines is significant. As discussed, Sec.  25.1309 already requires 
this action not just for significant design changes, but for all design 
changes affecting systems. This proposed rulemaking would update the 
analysis necessary for airplane-level effects of individual errors, 
malfunctions, or failures.
    Section 115(b)(1)(C) of the Act states that applicants must provide 
to the FAA the data and assumptions underlying each assessment and 
amended assessment. Draft AC 25.1309-1B, which accompanies this 
rulemaking, states that a system safety assessment, to show compliance, 
should provide data such as component failure rates and their sources 
and applicability, and support any assumptions made. Section 7.9 of the 
draft AC provides detailed guidance on identification and justification 
of assumptions, data, and analytic techniques.
    Section 115(b)(1)(D) of the Act states that applicants must provide 
for document traceability and clarity of explanations for changes to 
aircraft type designs and system safety assessment certification 
documents. Appendix C of Draft AC 25.1309-1B describes the safety 
assessment process, and states that a system safety assessment, to show 
compliance, should include, among other things, a statement of the 
functions, boundaries, and interfaces of the system and a description 
that establishes correctness and completeness and traces the work 
leading to the conclusions of the SSA.
    These updates to system safety assessment requirements, and to 
implementing guidance, would provide a foundation to address how human 
(flight crew) response is treated and validated within the context of 
the required analysis. As required by Section 126 of the Act, the FAA 
is researching pilot responses to errors, malfunctions and failures, 
and may use that research in the future to update guidance in this 
regard.
C. NTSB Recommendations
    As a result of the aforementioned 1994 Pittsburgh accident, the 
National Transportation Safety Board (NTSB) issued two safety 
recommendations relevant to this rulemaking, A-99-22 and A-99-23.\26\ 
In Safety Recommendation A-99-22, the NTSB recommends that the FAA 
ensure that future transport category airplanes
provide a reliably redundant rudder actuation system. In Safety 
Recommendation A-99-23, the NTSB recommends that the FAA require type 
certificate applicants to show that transport category airplanes are 
capable of continued safe flight and landing after jamming of a flight 
control at any deflection possible, up to and including its full 
deflection, unless the applicant shows that such a jam is extremely 
improbable. This proposed rule would implement these recommendations by 
revising Sec.  25.671(c).
---------------------------------------------------------------------------
    \26\ NTSB Safety Recommendations A-99-22 and A-99-23 are 
available in the docket and at https://www.ntsb.gov/safety/safety-recs/recletters/A99_20_29.pdf.
---------------------------------------------------------------------------
    The NTSB issued Safety Recommendation A-02-51 \27\ following an 
accident in January 2000, in which a McDonnell Douglas Model MD-83 
airplane crashed into the Pacific Ocean off the coast of California. 
The NTSB determined that the probable cause of this accident was a loss 
of airplane pitch control resulting from the in-flight failure of the 
jackscrew assembly of the horizontal stabilizer trim system. This 
failure was related to maintenance of this critical system; 
specifically, the excessive and accelerated wear of a critical part as 
a result of insufficient lubrication. In Safety Recommendation A-02-51, 
the NTSB recommends that the FAA review and revise airplane 
certification regulations, and associated guidance applicable to the 
certification of transport category airplanes, to ensure that 
applicants fully address wear-related failures so that, to the maximum 
extent possible, such failures will not be catastrophic. The proposed 
requirement to include CMRs in the ALS would respond to this safety 
recommendation, as would the draft ACs accompanying this NPRM that 
contain guidance on assessing wear-related failures as part of the SSA.
---------------------------------------------------------------------------
    \27\ NTSB Safety Recommendation A-02-51 is available in the 
docket and at https://www.ntsb.gov/safety/safety-recs/recletters/A02_36_51.pdf.
---------------------------------------------------------------------------
    The NTSB issued Safety Recommendation A-14-119 \28\ following an 
incident in January 2013, in which the APU lithium-ion battery 
installed in a Boeing Model 787-8 airplane caught fire when the 
airplane was parked at a gate at Logan International Airport in Boston, 
Massachusetts. In Safety Recommendation A-14-119 the NTSB recommends 
that the FAA provide its certification engineers with written 
guidance and training to ensure that assumptions, data sources, and 
analytical techniques are fully identified and justified in applicants' 
safety assessments for designs incorporating new technology. 
Additionally, the NTSB recommends that an appropriate level of 
conservatism be included in the analysis or design, consistent with the 
intent of the draft guidance material that the SDAHWG recommended. 
Draft AC 25.1309-1B, accompanying this NPRM, would contain the 
recommended guidance.\29\
---------------------------------------------------------------------------
    \28\ NTSB Safety Recommendation A-14-119 is available in the 
docket and at https://www.ntsb.gov/safety/safety-recs/recletters/A-14-113-127.pdf.
    \29\ This advisory circular, and the other advisory circulars 
that accompany this proposal, are in the docket for review and 
comment.
---------------------------------------------------------------------------
III. Discussion of the Proposed Rule
    After consideration of the issues in the Statement of Problem, the 
relevant NTSB recommendations, and ARAC recommendations, the FAA 
proposes to revise several regulations to change how applicants would 
conduct SSAs.
A. Consistent Safety Assessment Criteria for Airplane Systems
1. Average Risk Criteria (Sec.  25.1309(b)(1), (2), and (3))
    Current Sec.  25.1309(b) requires applicants to design the systems 
and associated components (considered both separately and in relation 
to each other) of their proposed transport category airplane to meet 
two criteria. First, these systems must be designed so that the 
occurrence of any failure condition which would prevent the safe flight 
and landing of the airplane is extremely improbable (Sec.  
25.1309(b)(1)). Second, each system must be designed so that the 
likelihood of any other failure condition which would reduce the 
capability of the airplane, or of its flightcrew, to cope with adverse 
operating conditions is improbable (Sec.  25.1309(b)(2)).
    The FAA proposes to revise Sec.  25.1309(b) to establish risk 
criteria that can be used consistently across multiple airplane 
systems, harmonize FAA regulations with EASA Certification 
Specifications for Large Aeroplanes (CS) 25.1309(b), and codify 
commonly issued ELOS findings. The proposed revisions would require 
that type certificate applicants design and install airplane systems 
and associated components, evaluated both separately and in relation to 
other systems, so that--
     Each catastrophic failure condition is extremely 
improbable and does not result from a single failure;
     Each hazardous failure condition is extremely remote; and
     Each major failure condition is remote.
    As noted previously, the current rule (Sec.  25.1309(b)(2)) 
requires any failure condition that would reduce the capability of the 
airplane or the ability of the crew to cope with adverse operating 
conditions to be ``improbable'' (on the order of 10^-9 < p <= 
10^-5, where p is probability of failure per flight hour). 
This condition is characterized by AC 25.1309-1A as ``major,'' and it 
represents a broad spectrum of probability.
    As previously discussed, the FAA has issued ELOS findings for more 
than a decade to accept use of the ARAC-recommended revision to 
Sec. Sec.  25.1301 and 25.1309 in lieu of Sec. Sec.  25.1301 and 
25.1309, and the accompanying ``Arsenal'' version of AC 25.1309-1 as 
the method of compliance. In the ``Arsenal'' version, the ``major'' 
failure condition is divided into two categories: ``hazardous'' and 
``major'', with corresponding probability requirements of ``extremely 
remote'' (on the order of 10^-9 < p <= 10^-7) and 
``remote'' (on the order of 10^-7 < p <= 10^-5). 
The granular assessment of failure conditions in the ``Arsenal'' 
version is beneficial because it allows for more accurate analysis of 
highly integrated systems and better differentiation of failure effects 
on flightcrew than the current requirements of Sec.  25.1309(b). The 
``hazardous'' category in the ``Arsenal'' version corresponds to the 
more severe end of the ``major'' category in current Sec.  
25.1309(b)(2), which is referred to as ``severe major'' in AC 25.1309-
1A, ``System Design and Analysis,'' dated June 21, 1988.
    This proposal would codify current practice by adding the 
``hazardous'' failure condition category and its probability 
requirement, replace the probability term ``improbable'' with 
``remote'' for major failure conditions, and prohibit catastrophic 
single failures.
a. Inclusion of Specific Failure Condition Categories and Probabilities
    An objective of this proposal is to align the regulatory terms used 
in 14 CFR part 25 to describe failure condition categories and 
probabilities with the terms used in the most recent transport airplane 
certification projects (whose SSAs use the methods in the ``Arsenal'' 
version of AC 25.1309-1 and in EASA CS 25.1309 and accompanying 
guidance). Proposed Sec.  25.1309(b) would use terms that are already 
used by the aviation industry to describe failure condition categories 
and probabilities. Additionally, since the FAA also uses these terms in 
other part 25 regulations, such as Sec. Sec.  25.671, 25.981, and 
25.1709, the FAA proposes to define them in a new Sec.  25.4, 
``Definitions.'' Although the terminology in Sec.  25.1309(b) would 
change from the current regulations, the intent and usage of those 
terms would not change as a result.
b. Prohibiting Catastrophic Single Failures
    Proposed Sec.  25.1309(b)(1)(ii) would prohibit a proposed design 
from allowing any single failure that could result in a catastrophic 
failure condition (i.e., a ``fail-safe'' design requirement). The 
requirement that applicants assume that any single failure could occur 
and that such failure not prevent continued safe flight and landing was 
codified in 1965 as Sec.  25.1309. The FAA inadvertently removed from 
Sec.  25.1309 the requirement for fail-safe design in 1970 at amendment 
25-23,\30\ although the agency retained guidance on fail-safe design. 
The purpose of the FAA's guidance on fail-safe design has been to 
convey the objectives of the fail-safe design concept, and provide 
principles and techniques for its usage by applicants.
---------------------------------------------------------------------------
    \30\ 35 FR 5674 (Apr. 8, 1970).
---------------------------------------------------------------------------
    Amendment 25-23 also amended Sec.  25.671(c) to prohibit 
catastrophic single failures in flight control systems. At that time, 
Sec.  25.901(c) applied Sec.  25.1309 to powerplant installation, 
requiring applicants to assume in their safety assessments that any 
single failure could occur. With amendment 25-40 in 1977,\31\ the FAA 
amended Sec.  25.901(c) to explicitly prohibit catastrophic single 
failures in systems associated with the powerplant installation because 
Sec.  25.1309 did not prohibit catastrophic single failures.
---------------------------------------------------------------------------
    \31\ 42 FR 15042 (Mar. 17, 1977).
---------------------------------------------------------------------------
    This proposed rule would also make the requirements for safety 
assessments of flight control systems and powerplant installations 
consistent with the requirements for other systems in regard to 
prohibiting catastrophic single failures. Systems covered by the 
proposed Sec. Sec.  25.671(c) and 25.901(c) would be required to comply 
with the Sec.  25.1309 prohibition of catastrophic single failures 
under all operating and environmental conditions under which the 
airplane was approved to operate. Incorporation of fail-safe design 
requirements across all the critical systems of the airplane would 
ensure consistent safety objectives are implemented. Further discussion 
of proposed changes to Sec. Sec.  25.671(c) and 25.901(c) is provided 
in sections III.E and III.B.2.d of this preamble, respectively.
2. Latent Failures in System Designs
a. Proposed Criteria--Sec.  25.1309(b)(4)
    The FAA proposes to add a new paragraph (b)(4) to Sec.  25.1309 
that would require applicants to avoid SLFs whenever practical. The 
purpose of proposed Sec.  25.1309(b)(4) is to reduce an airplane's 
exposure to SLFs by establishing the following hierarchy of safety 
requirements. First, the applicant must eliminate SLFs. If the 
elimination of the SLF is not practical, then the applicant must limit 
the likelihood of that SLF to 1/1000 between inspections. If the 
applicant proves that it is not practical to comply with the 1/1000 
criterion, then the applicant must design the system to minimize the 
failure's latency; that is, minimize the length of time the failure is 
expected to be present, and remain undetected.
    The FAA intends the proposed rule to minimize the latency of SLFs 
and achieve the safety objective of the ASAWG's recommendation to avoid 
SLFs whenever practical. The FCHWG, PPIHWG, and ASAWG each recommended 
the 1/1000 value to limit the latency period in the failure conditions 
specific to that working group's technical area. The FAA proposes that 
application of the 1/1000 criterion to every system that may contain a 
SLF is a necessary safety measure that an applicant can apply. This 1/
1000 criterion is necessary to reduce exposure of the airplane to 
latent failures that leave the airplane one failure away from a 
hazardous or catastrophic condition. This criterion is cost effective 
as described in the costs and benefits section of this NPRM.
    An applicant may be able to show, in rare situations, that it is 
not practical to meet the 1/1000 criterion. One possible example is if 
compliance with the 1/1000 criterion would necessitate complex or 
invasive maintenance tasks on the flight line, increasing the risk of 
incorrect maintenance. In such situations, safety may be better served 
if the operator inspects for latent failures at a maintenance facility 
or at a longer inspection interval, even though the longer inspection 
interval could mean the probability of the latent failure exceeds 1/
1000; however, the applicant must minimize the time the failure is 
expected to be present. The FAA expects that an applicant would likely 
integrate these steps into its normal design processes. During the 
FAA's review of an applicant's proposed demonstration of compliance 
with the other provisions of Sec.  25.1309(b), if the FAA determines 
that it may be practical to eliminate or further reduce exposure to a 
SLF, then these proposed regulations would require the applicant to 
either redesign the system or demonstrate the impracticality of that 
redesign.
b. Proposed Criteria--Sec.  25.1309(b)(5)
    The FAA proposes a new standard for limiting the risk of a CSL+1 
failure condition (a catastrophic failure combination that results from 
a single latent failure plus one additional failure). Under current 
regulations, an operator could unknowingly dispatch an airplane with a 
potential CSL+1 failure condition. Under this proposal, when conducting 
SSAs, an applicant would be required to apply additional criteria in 
proposed Sec.  25.1309(b)(5) (pertaining to additional fault tolerance, 
residual risk, and probability of latent failures) to limit the 
specific risk of a CSL+1 failure condition, in addition to the 
requirement in Sec.  25.1309(b)(1).\32\
---------------------------------------------------------------------------
    \32\ The draft Regulatory Impact Analysis in the docket for this 
rulemaking refers to this part of the proposal as the ``specific 
risk rule.''
---------------------------------------------------------------------------
i. Additional Fault Tolerance
    For each potential catastrophic failure condition that results from 
two failures, either of which could be latent for more than one flight, 
the applicant would be required by Sec.  25.1309(b)(5)(i) to show that 
it is impractical to design the system with additional fault tolerance. 
For example, if practical, the applicant could add a failure monitor, 
thereby eliminating the latency of the first (undetected) failure. Or, 
the applicant could design additional redundancy in the system, so that 
the second failure would not be catastrophic. In either case, the 
condition resulting from the failure combination would no longer create 
a CSL+1 failure condition.
ii. Limiting the Residual Risk to a ``Remote'' Probability
    The FAA proposes Sec.  25.1309(b)(5)(ii), which would adopt the 
ASAWG recommendation to limit the total probability that any single 
failure could lead to a catastrophe following a latent failure. This 
total probability could be no greater than ``remote.'' The ASAWG 
recommended the ``remote'' criterion based on the reliability of 
components typically used in systems that have a redundant means to 
protect against catastrophic single failures. These components have 
demonstrated a level of reliability, on the order of 
1 x 10^-5 per flight hour, which was consistent with the 
SDAHWG's recommended probability guidelines (the ``Arsenal'' version of 
AC 25.1309, and EASA Acceptable Means of Compliance 25.1309) for 
showing ``remote'' probability. The ASAWG reasoned that establishing a 
higher standard than ``remote'' could require redesign of systems that 
have an acceptable in-service safety record, and the FAA agrees with 
this rationale.
    Therefore, the FAA proposes that this ``remote'' criterion, in 
combination with the criterion to limit latency to a maximum 
probability of 1/1000, would establish an acceptable level of safety 
for potential CSL+1 failure conditions. Also, if a system has multiple 
potential failure combinations that lead to the same CSL+1 failure 
condition, each combination of which contains the same latent failure, 
the applicant would be required to sum the probabilities of the 
non-latent failures. The resulting sum of probabilities would also have to 
meet the ``remote'' criterion.
iii. Limiting the Probability of Latent Failures to 1/1000
    Proposed Sec.  25.1309(b)(5)(iii) would limit the probability of 
occurrence of a latent failure in a CSL+1 combination to 1/1000. The 
1/1000 value would be the proposed maximum allowable probability of a 
latent failure. To comply, the applicant would multiply the maximum 
time the latent failure is allowed to be present by the component 
failure rate, and show that the resultant value is less than or equal 
to 1/1000. The maximum time is typically the time between inspections. 
The ASAWG recommended limiting the probability of occurrence of a 
latent failure in a CSL+1 combination to be ``on the order of'' 1/1000 
or less. The FAA and Transport Canada submitted dissenting opinions, 
documented in the ASAWG final report, that the phrase ``on the order 
of'' would defeat the purpose of establishing a clear criterion for 
limiting the likelihood of a latent failure; therefore, this proposal 
omits that phrase. Instead, the 1/1000 value would be the maximum 
allowable probability of a latent failure occurring between 
inspections.
    To determine this 1/1000 limit, the ASAWG drew on the knowledge of 
the FCHWG and PPIHWG, both of which determined that 1/1000 was a 
practical limit on the probability of a latent failure in the flight 
control and thrust reversing systems. The ASAWG evaluated safety 
analysis data and found that the probability of a latent failure 
between inspections very rarely exceeded 1/1000.\33\ The FAA has 
accepted this numerical value in the certification of these particular 
systems through ELOS findings and determined that applicants can apply 
it across all systems.
---------------------------------------------------------------------------
    \33\ The ASAWG recommendation report is available in the docket 
for this NPRM.
---------------------------------------------------------------------------
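The two numeric checks described in paragraphs ii and iii above, worked through as an added example that is not part of the NPRM or of FAA guidance. The 1e-5 per flight hour value used for ``remote'' is an assumption taken from the component reliability figure quoted above, and the failure names, rates, and inspection intervals are constructed sample data.

```python
"""Screen CSL+1 failure combinations against the numeric criteria described
for proposed Sec. 25.1309(b)(5)(ii) and (iii). Illustrative only."""
from collections import defaultdict
from dataclasses import dataclass

LATENT_LIMIT = 1.0 / 1000  # (b)(5)(iii): maximum probability of the latent failure
REMOTE_LIMIT = 1.0e-5      # assumption: "remote" taken as 1e-5 per flight hour


@dataclass(frozen=True)
class LatentFailure:
    name: str
    failure_rate_per_fh: float  # component failure rate, per flight hour
    max_exposure_fh: float      # maximum time the failure may be present
                                # (typically the time between inspections)


@dataclass(frozen=True)
class Combination:
    failure_condition: str      # the CSL+1 catastrophic failure condition
    latent: str                 # name of the latent failure in the pair
    active_failure: str         # the additional (non-latent) single failure
    active_rate_per_fh: float


def latent_probability(lf: LatentFailure) -> float:
    """Maximum exposure time multiplied by the component failure rate."""
    return lf.failure_rate_per_fh * lf.max_exposure_fh


def max_inspection_interval(failure_rate_per_fh: float) -> float:
    """Longest exposure time (flight hours) that still meets the 1/1000 limit."""
    return LATENT_LIMIT / failure_rate_per_fh


def assess(latents, combinations):
    """Return one result per (failure condition, latent failure) pair.

    Combinations that lead to the same failure condition and contain the same
    latent failure are grouped, and the probabilities of their non-latent
    failures are summed before comparison with the "remote" limit.
    """
    by_name = {lf.name: lf for lf in latents}
    residual = defaultdict(float)
    for c in combinations:
        if c.latent not in by_name:
            raise ValueError(f"unknown latent failure: {c.latent}")
        residual[(c.failure_condition, c.latent)] += c.active_rate_per_fh

    results = []
    for (condition, latent), total in sorted(residual.items()):
        p_latent = latent_probability(by_name[latent])
        results.append({
            "failure_condition": condition,
            "latent": latent,
            "latent_probability": p_latent,
            "latent_ok": p_latent <= LATENT_LIMIT,
            "residual_risk_per_fh": total,
            "residual_ok": total <= REMOTE_LIMIT,
        })
    return results


# Constructed sample data (hypothetical components, not from the NPRM).
SAMPLE_LATENTS = [
    LatentFailure("relief_valve_stuck", 2.0e-6, 400.0),   # 8e-4: within limit
    LatentFailure("backup_monitor_inop", 1.0e-6, 500.0),  # 5e-4: within limit
    LatentFailure("standby_channel_failed", 5.0e-6, 600.0),  # 3e-3: exceeds
]
SAMPLE_COMBOS = [
    Combination("loss_of_isolation", "relief_valve_stuck", "pump_a_fail", 4.0e-6),
    Combination("loss_of_isolation", "relief_valve_stuck", "pump_b_fail", 3.0e-6),
    # Each active failure below meets "remote" alone, but the sum does not.
    Combination("undetected_runaway", "backup_monitor_inop", "servo_hardover", 6.0e-6),
    Combination("undetected_runaway", "backup_monitor_inop", "sensor_bias", 6.0e-6),
    Combination("loss_of_control_path", "standby_channel_failed", "primary_fail", 2.0e-6),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_LATENTS, SAMPLE_COMBOS):
        verdict = "meets" if r["latent_ok"] and r["residual_ok"] else "fails"
        print(f'{r["failure_condition"]:22} {r["latent"]:24} '
              f'P(latent)={r["latent_probability"]:.1e} '
              f'residual={r["residual_risk_per_fh"]:.1e}/FH -> {verdict}')
```

A pair that fails the latent check can be brought within the limit by shortening the inspection interval to at most `max_inspection_interval(rate)`; a pair that fails the summed residual check cannot be fixed by inspection alone.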
B. Consistent Application and Interpretation of Requirements for 
Equipment, Systems, and Installations
1. Applicability of Sec.  25.1309
    Applicants have raised numerous questions regarding the 
applicability of Sec.  25.1309. The FAA therefore proposes to revise 
Sec.  25.1309 as follows:
a. Introductory Paragraph of Sec.  25.1309
    The FAA proposes to add an introductory paragraph to Sec.  25.1309, 
which specifies that the rule applies to all systems and equipment on 
the airplane. Section 25.1309(a) currently requires that applicants 
design and show that only the equipment, systems, and installations 
whose functioning is required by Subchapter C--Aircraft will perform 
their intended functions under any foreseeable operating condition 
(amendment 25-123, dated December 10, 2007). This proposed rule would 
adopt the SDAHWG's recommendation to remove the limitation to 
Subchapter C, which would broaden the applicability of Sec.  25.1309 to 
any system or equipment as installed on the airplane, regardless of 
whether it is required for type certification or by operating rules.
b. Section 25.1309(a)--Criteria for Two Classes of Installed Equipment 
and Systems
    The FAA proposes to remove Sec.  25.1301(a)(4), which requires that 
installed equipment function properly when installed, and address that 
requirement through proposed Sec.  25.1309(a), which would contain 
requirements for two different classes of equipment and systems 
installed in the airplane: (1) equipment and systems that are required 
for type certification or by operating rules, or whose improper 
functioning would reduce safety; and (2) all other systems.
c. Section 25.1309(a)(1)--Airplane Equipment and Systems Whose Improper 
Functioning Would Reduce Safety
    Proposed Sec.  25.1309(a)(1) would apply to all installed airplane 
equipment and systems whose improper functioning would reduce safety, 
regardless of whether the equipment or system is required by type 
certification rules or operating rules. Such equipment and systems 
would be required to perform as intended under the airplane operating 
and environmental conditions. A failure or malfunction of equipment or 
systems reduces safety if the failure or malfunction results in a minor 
or more severe failure condition. The FAA recognizes, however, that 
failures may occur throughout the operational life of the airplane, and 
that a failed system may no longer perform as intended. The 
acceptability of failures and their associated risks are covered by the 
fail-safe regulations, such as Sec. Sec.  25.901(c), 25.1309(b), 
25.671(c), 25.735(b)(1), 25.810(a)(1)(v), 25.812, 25.903(d)(1), and 
25.1316.
    The FAA further proposes new Sec.  25.1309(a)(1) to require that 
equipment and systems perform as intended not just under airplane 
operating conditions as required by current Sec.  25.1309(a), but under 
environmental conditions as well. This change is needed to remove an 
ambiguity in the current regulations, and ensure that an applicant's 
safety assessment is complete.
    Current Sec.  25.1309(a) requires that each such item perform its 
intended functions under ``any foreseeable operating condition,'' but 
does not mention ``environmental conditions.'' The method of compliance 
to the rule in AC 25.1309-1A discusses both types of conditions. To 
perform the safety assessment using the method in that AC, the 
applicant must account for the airplane operating conditions (such as 
weight, center of gravity, altitudes, flap positions) and the 
environmental conditions that the airplane is reasonably expected to 
encounter (such as atmospheric turbulence, lightning, or 
precipitation).
    The FAA has not required that systems and components perform as 
intended in foreseeable but easily avoidable environmental conditions, 
such as volcanic ash clouds. Thus, the FAA proposes to remove ``any 
foreseeable'' from Sec.  25.1309(a)(1). This change would also 
harmonize with CS 25.1309(a)(1).
    The intent of this change is to ensure that the applicant evaluates 
the continued function of equipment and systems--
     Throughout the airplane's normal operating envelope, as 
defined by the airplane flight manual (AFM), together with any 
modification to that envelope associated with abnormal or emergency 
procedures, and any anticipated crew action; and
     Under the anticipated external and internal airplane 
environmental conditions in which the equipment and systems must 
perform as intended.
    The proposed language in Sec.  25.1309(a)(1) is consistent with 
existing FAA guidance \34\ regarding environmental conditions because 
it
would allow that, even if certain environmental conditions are 
foreseeable, performing as intended in those conditions is not always 
possible. For example, ash clouds from volcanic eruptions are 
foreseeable, but an applicant does not have to show that the airplane 
can safely operate in such clouds, relying instead on forecasting and 
air traffic control means to avoid such conditions.
---------------------------------------------------------------------------
    \34\ AC 25.1309-1A, section 8.e. provides guidance on 
incorporation of environmental conditions in SSA.
---------------------------------------------------------------------------
d. Section 25.1309(a)(2)--Equipment and Systems With No Effect on the 
Safety of the Airplane or Its Occupants
    Current Sec.  25.1309(a) requires that all equipment, systems, and 
installations function properly when installed. However, the proper 
functioning of non-essential equipment is typically not necessary for 
safe operation of the airplane. These non-essential systems include 
passenger amenities such as entertainment displays, audio systems, 
in-flight telephones, non-emergency lighting, and food storage and 
preparation.
    Proposed Sec.  25.1309(a)(2) would require all equipment and 
systems not subject to proposed Sec.  25.1309(a)(1) to not have an 
adverse effect on the safety of the airplane or its occupants, and 
would allow such equipment to be approved even if that equipment may 
not perform as intended. Consequently, this proposal would reduce the 
testing needed for those equipment and systems installations, because 
they would not need to meet the operational and environmental condition 
requirements of proposed Sec.  25.1309(a)(1). The proposed Sec.  
25.1309(a)(2) would, however, require applicants to test such systems, 
equipment, and installations to show that their normal or abnormal 
functioning does not adversely affect the proper functioning of the 
equipment, systems, and installations covered by proposed Sec.  
25.1309(a)(1); and does not otherwise adversely affect the safety of 
the airplane or its occupants.
    No safety benefit is derived from demonstrating that equipment 
performs as intended, if failing to perform as intended would not 
impact safety. Instead, the FAA would expect that an applicant perform 
a qualitative evaluation of the design and installation of such 
equipment and systems installed in the airplane to determine that 
neither their normal operation nor their failure would adversely affect 
crew workload, operation of other systems, or the safety of persons.
    The FAA expects normal installation practices to result in 
sufficiently obvious isolation of the impacts of such equipment on 
safety that compliance can be based on a relatively simple qualitative 
installation evaluation. If the possible impacts, including failure 
modes or effects, are uncertain, or isolation between systems is 
provided by complex means, then more formal structured evaluation 
methods or a design change may be necessary. Guidance on performing 
qualitative evaluations is provided in draft AC 25.1309-1B.
    This proposed change would reduce the cost of certification to 
airplane and equipment manufacturers and modifiers without reducing the 
level of safety provided by part 25.
e. Applicability of Sec.  25.1309 to In-Service and Out-of-Service 
Conditions
    Applicants have questioned whether, when showing compliance with 
Sec.  25.1309, they must consider out-of-service conditions or risks to 
persons other than the occupants of the airplane. Compliance with Sec.  
25.1309 applies to flight operating conditions as well as ground 
operating conditions, consistent with current practice. Draft AC 
25.1309-1B specifies that compliance is applicable to ground operating 
conditions when the airplane is in service. An airplane is in service 
from the time the airplane arrives at a gate or other location for 
pre-flight preparations, until it is removed from service. While ground 
operating conditions include conditions associated with line 
maintenance and refueling, dispatch determinations, embarkation and 
disembarkation, and taxi, they do not include periods of shop 
maintenance, storage, or other out-of-service activities. Applicants 
should also account for threats to people on the ground or adjacent to 
the airplane during ground operations, electric shock threats to 
mechanics, and other similar situations.
f. Applicability of Sec.  25.1309 to High Intensity Radiated Fields and 
Lightning Exposure
    The ASAWG recommended that a future committee address how 
applicants should account for systems' exposure to high intensity 
radiated fields (HIRF) and lightning when showing compliance with Sec.  
25.1309(b). The FAA acknowledges that follow-on regulatory or policy 
action may be necessary to ensure this topic is addressed in a manner 
that is both effective and practical. This proposed rule and the 
associated advisory material are not intended to change how type 
certificate applicants account for systems' exposure to HIRF and 
lightning when demonstrating compliance with Sec.  25.1309. 
Historically, considerations of lightning and HIRF in determining 
failure effects have been limited to specific potential failures of 
concern, such as failure of protection features, including critical 
isolation features, that are dedicated to protecting the airplane from 
the effects of lightning. Under the proposed changes to Sec.  25.1309, 
applicants would continue to apply Sec.  25.1309 in addressing the 
effects of HIRF and lightning as described in the prior sentence. 
Testing and qualitative evaluations may still be used as a means of 
compliance. Use of lightning and HIRF probabilities in quantitative 
analyses is also still allowed but not required. The proposed revision 
to Sec.  25.1309 would not supersede the more specific requirements of 
Sec. Sec.  25.1316 and 25.1317.
2. Exceptions From Applicability of Sec.  25.1309
a. Flight Control Jams Addressed by Sec.  25.671
    Proposed Sec.  25.1309(e) would exclude the flight control jams 
governed by Sec.  25.671 from the proposed single-failure requirement 
in Sec.  25.1309(b)(1)(ii). The FAA has historically used Sec.  
25.671(c) rather than Sec.  25.1309 to regulate the risk of flight 
control jams. Proposed Sec.  25.671(c) would continue this approach 
because flight control jams are an unusual failure condition in which 
the control position is critical to the outcome of the condition. 
Therefore, specifying a flight control jam as a ``single failure'' does 
not fully define the failure condition because the control position is 
not defined. The current and proposed Sec.  25.671(c) specify that the 
applicant must evaluate flight control jams at ``normally encountered'' 
positions. Additionally, proposed Sec.  25.671(c) would not require 
evaluation of flight control jams immediately before touchdown if the 
applicant shows that such jams are extremely improbable, as explained 
later in this preamble in the section entitled, ``Changes to Sec.  
25.671(c)(3).'' Therefore, this type of failure would be excluded from 
the prohibition on a single failure being the cause of a catastrophic 
failure condition under Sec.  25.1309(b)(1)(ii).
b. Brakes and Braking Systems, Addressed by Sec.  25.735
    Proposed Sec.  25.1309(b) would not apply to single failures in the 
brake system. Those failures are adequately addressed by Sec.  
25.735(b)(1) at amendment 25-107, which limits the effect of a single 
failure of the brake system to doubling the stopping distance of the 
brake roll. The diverse
circumstances under which such a failure could occur make any 
structured determination of its outcome or frequency indeterminate. The 
proposed Sec.  25.1309 would apply to all other failures in the brake 
system.
c. Emergency Egress Assist Means and Escape Routes, Addressed by Sec.  
25.810, and Emergency Lighting, Addressed by Sec.  25.812
    Proposed Sec.  25.1309(f) would also exclude the failure effects 
addressed by Sec. Sec.  25.810(a)(1)(v) and 25.812 from Sec.  
25.1309(b). The failure conditions relevant to the cabin safety 
equipment installations addressed by Sec. Sec.  25.810(a)(1)(v) (escape 
slides) and 25.812 (emergency lighting) are associated with varied 
evacuation scenarios for which the probability of occurrence cannot be 
determined due to the multitude of factors that can lead to an 
evacuation. For these types of equipment, the FAA has not been able to 
define appropriate scenarios under which an applicant could demonstrate 
compliance with Sec.  25.1309(b). The FAA considers it acceptable, in 
terms of safety, to require particular design features or specific 
reliability demonstrations for these types of equipment and, therefore, 
the FAA proposes to exclude them from the requirements of Sec.  
25.1309(b).
d. Powerplant--Installation, Addressed by Sec.  25.901(c)
    The FAA proposes to revise Sec.  25.901(c) to state that the 
requirements of Sec.  25.1309 apply to powerplant and APU installations 
and to list the failures that do not need to comply with Sec.  
25.1309(b). Those exceptions, which would be consistent with existing 
requirements, are engine case burn-through or rupture, uncontained 
engine rotor failure, and propeller debris release. The FAA specifies 
those exceptions in proposed Sec. Sec.  25.901(c) and 25.1309(f). 
Excepting these failures from Sec.  25.1309(b) would not degrade the 
level of safety from that required by current regulations. An applicant 
must already minimize the effects and occurrence rates of these 
failures when complying with:
     Part 33, ``Airworthiness Standards: Aircraft Engines.''
     Part 35, ``Airworthiness Standards: Propellers.''
     Paragraph (d)(1) of Sec.  25.903, ``Engines.''
     Paragraph (d) of Sec.  25.905, ``Propellers.''
     Section 25.1193, ``Cowling and nacelle skin.''
    This proposed revision would also harmonize Sec.  25.901(c) with CS 
25.901(c).
3. Flightcrew Alerting and Errors
a. Categorization of Required Flightcrew Information
    Section 25.1309(c) currently requires that warning information must 
be provided to the flightcrew to alert them to unsafe system operating 
conditions, and to enable them to take appropriate corrective action. 
The FAA proposes to revise Sec.  25.1309(c) to require information be 
provided to the flightcrew concerning unsafe system operating 
conditions, rather than requiring only warnings. The proposed revisions 
to Sec.  25.1309(c) would make the provision compatible with the 
requirements of current Sec.  25.1322 (``Warning, caution, and advisory 
lights''), which details requirements for the presentation of warning, 
caution, and advisory alerts installed on the flight deck. For example, 
Sec.  25.1322 requires a warning indication if immediate action by a 
flightcrew member were necessary; however, the particular method of 
indication would depend on the urgency and need for flightcrew 
awareness or action that is necessary for the particular failure. The 
proposed revision to Sec.  25.1309(c) (to remove the requirement for 
``alert'') would remove an incompatibility with Sec.  25.1322, which 
allows other sensory and tactile feedback from the airplane caused by 
inherent airplane characteristics to be used in lieu of dedicated 
indications and annunciations if the applicant can show such feedback 
is sufficiently timely and effective to allow the crew to take 
corrective action.\35\
---------------------------------------------------------------------------
    \35\ See draft AC 25.1309-1B, sections 5.3.1.6 and 5.4.1.
---------------------------------------------------------------------------
b. Minimization of Crew Errors
    Proposed Sec.  25.1309(c) would require that applicants design 
``systems and controls, including indications and annunciations'' to 
minimize crew errors that could create additional hazards. The proposed 
change would remove a reference to ``warnings,'' which are addressed in 
Sec.  25.1322, and instead use the broader phrase ``indications and 
annunciations.'' The additional hazards that an applicant's proposed 
design must minimize, under this proposal, are those that could occur 
after a failure and those caused by inappropriate actions made by a 
crewmember in response to the failure. As specified in Sec.  25.1585, 
any flightcrew procedures necessary to ensure continued safe flight and 
landing after the occurrence of a failure indication or annunciation 
must be described in the approved AFM, AFM revision, or AFM supplement, 
unless the FAA evaluates the procedures and accepts that the procedures 
are part of normal aviation abilities.
C. Interaction of Systems and Structures (New Sec.  25.302)
    The FAA proposes a new section, Sec.  25.302, that would require an 
applicant to account for systems, and their possible failure, when 
assessing the structural performance of its proposed design.
    As a result of advances in flight control technology, the structure 
requirements in part 25 do not provide an adequate regulatory basis to 
establish an acceptable level of safety for airplanes equipped with 
systems that affect structural performance such as the electronic 
flight control system. Earlier automatic control systems usually had 
two failure states: loss of function and malfunction. Flightcrews could 
readily detect these conditions. The new electronic flight control 
systems are more sophisticated and offer advantages that include load 
limiting and load alleviation.\36\ Failures in these systems, however, 
may allow the system to function in degraded modes that flightcrews may 
not readily detect, and in which load alleviation may be lost or 
reduced.
---------------------------------------------------------------------------
    \36\ ``Load limiting and load alleviation'' refer to the 
reduction of structural loads by automatic control surface limits or 
movements. For example, vertical tail loads may be reduced by a 
rudder limiter that automatically reduces the rudder deflection 
upper limit as speed increases. Wing load alleviation may be 
accomplished by automatic upward movements of the outboard ailerons 
during a pitch up maneuver, thereby reducing the loads on the 
outboard portion of the wing.
---------------------------------------------------------------------------
    The LDHWG developed recommendations for design standards for 
airplanes equipped with systems that, directly or as a result of 
failure, affect the structural performance of the airplane. Structural 
performance is the capability of the airplane to meet the structural 
requirements of part 25.
    While the FAA has applied the LDHWG recommendations for design 
standards to airplane certification programs since 1999 via special 
conditions, on December 12, 2005, EASA incorporated the design 
standards developed by the LDHWG into its regulatory framework as CS 
25.302 and appendix K of CS-25 at amendment 25/1.\37\ Similarly, the 
FAA now proposes to adopt these criteria, with some modifications, as 
new Sec.  25.302. The codification of these requirements in
part 25 will eliminate the need for the FAA to issue special conditions 
on future certification projects. This will result in increased 
efficiency for both the FAA and the industry in certification programs, 
without impacting the level of safety.
---------------------------------------------------------------------------
    \37\ https://www.easa.europa.eu/en/document-library/certification-specifications/cs-25-amendment-1.
---------------------------------------------------------------------------
1. Applicability of New Sec.  25.302
    Proposed Sec.  25.302 would apply to all systems that affect 
structural performance of the airplane. A system affects structural 
performance if it can induce loads on the airframe, or change the 
response of the airplane to inputs such as gusts or pilot actions, 
either when operating normally or as a result of failure. Examples of 
systems that can affect structural performance are load alleviation 
systems, modal suppression systems, stability augmentation systems, and 
fuel management systems, as well as hydraulic, electrical, and 
mechanical systems.
2. Normal Operation
    Proposed Sec.  25.302 would require that an applicant account for 
the influence of systems, operating normally, when showing compliance 
with subparts C and D of part 25. The proposed rule would require an 
applicant to derive limit loads for the conditions specified in subpart 
C and to account for any behavior or effect of the system on the 
structural performance of the airplane. This means that the applicant 
would need to account for any significant nonlinearity, including the 
rate of displacement of control surfaces, thresholds, or any other 
system nonlinearities, when deriving limit loads.
    Proposed Sec.  25.302 would also require that an applicant show 
that the airplane meets the strength requirements of part 25 for static 
and residual strength, using specified factors to derive ultimate loads 
from the limit loads. The proposed rule would require the applicant to 
investigate the effect of nonlinearities beyond limit conditions to 
ensure that the behavior of the system presents no anomaly compared to 
the system's behavior below limit conditions.
3. Failure Condition Effect on Structural Performance
    Proposed Sec.  25.302(a) through (e) would require an applicant to 
assess the effect of failure conditions on the airplane's structural 
performance. Proposed Sec.  25.302 would require assessment of all 
failure conditions not shown to be extremely improbable, or that result 
from a single failure, as typically determined by the applicant's 
system safety assessment.
    Proposed Sec.  25.302(a) would require that the airplane's design 
be able to withstand the loads, including control system loads, 
resulting from failure conditions, at speeds up to VC/MC, 
the design cruising speed. Such loads are limit loads as 
described in Sec.  25.301, and an applicant then applies a safety 
factor \38\ of 1.5 to determine the airplane's ultimate loads. Proposed 
Sec.  25.302(a) would require the applicant to determine the loads 
assuming ``realistic scenarios, including pilot corrective actions.'' 
Draft AC 25.1309-1B and AC 25.671-X, ``Control Systems--General,'' 
would provide guidance for applicants on means of determining these 
effects of failure conditions, including realistic effects. Under the 
proposed rule, the applicant would be responsible for developing 
scenarios that describe the response of the airplane and the response 
of the pilots following a failure condition, using the guidance in 
those ACs or another acceptable method.
---------------------------------------------------------------------------
    \38\ A safety factor is a design factor used, in this instance, 
to provide for the possibility of loads greater than those 
anticipated in normal operating conditions, and for uncertainties in 
design.
---------------------------------------------------------------------------
    Proposed Sec.  25.302(b) would require that, in the system-failed 
state (i.e., after a particular system has failed), the airplane be 
able to withstand the limit flight and ground load conditions specified 
in subpart C. The applicant would only be required to assess flight 
conditions at speeds up to VC/MC or the speed 
limitation prescribed by the AFM for the remainder of the flight. An 
applicant must apply a safety factor of 1.5 to determine ultimate 
loads, with two exceptions.
    The first proposed exception to Sec.  25.302(b) would allow a 
safety factor of 1.0, rather than 1.5, if the failure condition would 
be immediately annunciated or otherwise obvious to the flightcrew. The 
proposed rule would also allow the applicant to take into account any 
relevant reconfiguration and flight limitations specified in the AFM. 
The FAA proposes a safety factor of 1.0 in this case because the 
probability is very low that a design load condition would occur after 
a system failure on the same flight. The probability of an extreme 
maneuver (i.e., a maneuver that would result in load levels approaching 
design limit loads) is further reduced because the pilot would be aware 
that a failure condition had occurred. If relying on annunciation as 
the method of informing the flightcrew, the applicant should show that 
the relevant annunciation system is reliable per Sec.  25.1309(b).
    The second proposed exception to Sec.  25.302(b) would allow a 
safety factor of 1.25 if the failure condition would not be annunciated 
but the probability is extremely remote. The FAA proposes a safety 
factor of 1.25 in this case because the probability is very low that an 
extremely remote failure condition and a design load condition would 
occur on the same airplane, even if the failure condition would not be 
annunciated.
    The FAA does not intend for proposed Sec.  25.302 to require an 
applicant to evaluate every subpart C load condition under every 
possible failure condition and at each speed, altitude, and payload 
configuration for which the airplane is designed. Instead, the FAA 
anticipates that the applicant would first identify those failure 
conditions that could impact the loads analysis required by subpart C. 
The applicant would then select load conditions that the applicant 
presumes could be affected by those failure conditions. Given the 
appropriate safety factor (1.0, 1.25, or 1.5), the applicant would then 
determine whether any of these load conditions, when affected by a 
failure condition, would yield higher loads than the load conditions 
without the effects of the failure condition. If so, the applicant 
would expand its analysis, as necessary, to ensure that the requirement 
of proposed Sec.  25.302 would be met.
    Proposed Sec.  25.302(c) would require that, when conducting the 
damage tolerance evaluation required by Sec.  25.571, the applicant 
take into account the fatigue loads induced by any failure condition. 
The rule would require that these fatigue loads be included as part of 
the typical loading spectra \39\ at a rate commensurate with the 
probability of their occurrence.
---------------------------------------------------------------------------
    \39\ ``Typical loading spectra'' is described in AC 25.571-1D, 
Damage Tolerance and Fatigue Evaluation of Structure.
---------------------------------------------------------------------------
    If a failure condition could affect the airplane's residual 
strength loads, proposed Sec.  25.302(d) would require the applicant to 
conduct a residual strength evaluation as specified in Sec.  25.571(b) 
under the assumption that the failure condition had occurred. The 
proposed rule would allow an applicant to calculate these loads using 
at least two-thirds of each of the safety factors specified for the 
static strength assessment. The applicant would conduct this residual 
strength evaluation, which assumes a system failure condition has 
occurred, separately from the normal residual strength evaluation 
required by Sec.  25.571(b), which does not assume a
system failure condition has occurred. The two-thirds factor in 
proposed Sec.  25.302(d) is consistent with the method of determining 
residual strength loads in Sec.  25.571(b).\40\
---------------------------------------------------------------------------
    \40\ In Sec.  25.571(b), residual strength loads are determined 
using a safety factor of 1.0, which is two-thirds of the typical 
safety factor of 1.5 required by Sec.  25.303.
---------------------------------------------------------------------------
    Proposed Sec.  25.302 would not apply to the flight control jam 
conditions covered by proposed Sec.  25.671(c), or the discrete source 
events already covered by Sec.  25.571(e). Proposed Sec.  25.671(c) and 
current Sec.  25.571(e) establish criteria to address these specific 
failures, and the respective ACs, draft AC 25.671-X and current AC 
25.571-1D, Damage Tolerance and Fatigue Evaluation of Structure, would 
describe methods of compliance. Proposed Sec.  25.302 would also not 
apply to any failure or event that is external to (not part of) the 
system being evaluated and that would itself cause structural damage. 
These conditions are already addressed by other rules, such as 
Sec. Sec.  25.365, 25.571, 25.841, and 25.901.
4. Dispatch in a System-Failed State
    Proposed Sec.  25.302(e) would provide structural requirements for 
dispatch under the master minimum equipment list developed by the 
applicant. If the list would allow dispatch in a system-failed state, 
the airplane would need to continue to meet the design load 
requirements of subpart C in that system-failed state, without any 
reduction in safety factor. The applicant would be allowed to take into 
account any relevant operating limitations, including configuration 
changes, specified for the dispatched configuration. In addition, the 
airplane would also need to meet Sec.  25.302(a) and (b), accounting 
for any subsequent single failure, and separately, any combination of 
failures not shown to be extremely remote.
5. Differences Between Proposed Sec.  25.302 and EASA CS 25.302
    As noted previously, EASA has incorporated the criteria regarding 
interaction of systems and structures recommended by the LDHWG 
into its regulatory framework as CS 25.302 and appendix K of CS-25. 
Proposed Sec.  25.302 differs from CS 25.302 and appendix K in a number 
of ways.
i. Determination of Safety Factor
    The most significant difference between the proposed Sec.  25.302 
and CS 25.302 is that the latter defines structural factors of safety 
and the flutter speed margin on a sliding scale based on probability, 
while the proposed Sec.  25.302 specifies discrete safety factors and 
does not change the flutter speed margin currently specified in Sec.  
25.629, as described below.
ii. Flutter Speed Margin
    Proposed Sec.  25.302 does not include any aeroelastic stability 
requirements and would only address the effect of systems on loads 
requirements. Section 25.629 and CS 25.302 both specify flutter speed 
margins for failure conditions. The margins in CS 25.302 are based on 
the probability of the condition's occurrence, while Sec.  25.629 
defines a single speed margin for every failure condition regardless of 
its probability. The FAA believes the current speed margin specified in 
Sec.  25.629 is adequate, and there is no need to propose more specific 
failure criteria based on probability of occurrence. The current speed 
margin specified in Sec.  25.629, which has been in place since 
Amendment 25-0 of 14 CFR part 25, has proven effective in service.
iii. Regulatory Structure Differences
    The FAA's proposal is contained entirely within Sec.  25.302 and 
does not add a new appendix to part 25. Also, the FAA's proposal would 
not include the two paragraphs in appendix K of CS-25 that are general 
in nature and do not contain any specific requirements. These 
paragraphs, K25.1(a) and (b) of CS-25, discuss application of the 
requirements in the appendix.
iv. Fully Operative Condition
    Appendix K of CS-25 includes several paragraphs that require 
evaluation of the airplane in a system-fully-operative condition. The 
FAA's proposal would replace those paragraphs with a simpler 
requirement that the applicant account for the effects of systems when 
showing compliance with the requirements of subparts C and D. The FAA 
does not regard this as a substantive difference in the criteria.
v. Safety Factor at the Time of Failure
    For the applicant's assessment of the failure condition at the time 
the failure occurs, CS 25.302 allows a reduced safety factor, ranging 
from 1.5 to 1.25, based on the probability of the failure. The FAA's 
proposal would require a safety factor of 1.5, regardless of the 
probability of the failure. The FAA determined it is better to define 
structural strength capability using discrete factors of safety rather 
than a sliding scale based on probability because probability estimates 
are not that precise. The FAA also determined the proposed 1.5 safety 
factor requirement would be easily met by applicants for type 
certification because systems that affect structural performance are 
typically passive systems, which alleviate loads rather than initiate 
loads.
vi. Safety Factor for Continued Flight After Initial Failure
    For the assessment of continued flight, after the initial failure 
condition occurs, CS 25.302 requires the applicant to determine loads 
for several subpart C load conditions. In contrast, the FAA's proposal 
would require the applicant to determine loads for any subpart C load 
condition that would be affected by the failure condition. In addition, 
CS 25.302 allows a reduced safety factor, ranging from 1.5 to 1.0, 
based on the probability of the failure condition's occurrence. In 
contrast, the FAA's proposal would specify a safety factor of 1.5, 
unless the failure condition would be annunciated, in which case the 
rule would allow a safety factor of 1.0; or, if the failure condition 
was extremely remote, the rule would allow a safety factor of 1.25. As 
noted above, the FAA proposes to use discrete factors of safety rather 
than a sliding scale based on probability because probability estimates 
are not that precise. The FAA proposed rule would be simpler to apply 
than EASA's method because an applicant would use discrete safety 
factors, rather than sliding scales. For failures that are annunciated, 
this proposal would be less stringent than CS 25.302, since proposed 
Sec.  25.302 would allow a safety factor of 1.0 regardless of the 
probability of failure. However, the FAA's proposal recognizes that 
annunciation of the failure would limit exposure to a subsequent design 
load condition to the remainder of the flight. Because of the very low 
probability of a system failure condition followed by a design load 
condition occurring on the same flight, the FAA believes a safety 
factor of 1.0 is appropriate.
vii. Fatigue and Damage Tolerance
    Both Sec.  25.571 and CS 25.571 require a ``residual strength 
evaluation'' of the airplane that demonstrates structural strength 
capability in the presence of fatigue cracks and any other anticipated 
environmental or accidental damage. The residual strength loads used 
for those evaluations are limit loads (safety factor of 1.0). Proposed 
Sec.  25.302 would mimic the requirement in CS 25.302 for an additional 
assessment of residual strength using two-thirds of the loads specified 
for the continuation of flight. However, these loads would vary between 
Sec.  25.302 and CS 25.302, as described in the previous paragraph.
Proposed Sec.  25.302 would also echo CS 25.302's requirement that the 
applicant evaluate the fatigue loads induced by any failure condition. 
However, the FAA proposal is more specific than CS 25.302 in how that 
evaluation would be accomplished.
viii. Failure Annunciation
    CS 25.302 outlines various failure annunciation criteria for 
affected system failure conditions. The FAA's proposal does not specify 
annunciation criteria, but instead determines the allowable safety 
factor based upon whether the failure condition would be annunciated.
ix. Dispatch Configuration
    CS 25.302 requires that anticipated dispatch configurations meet 
the strength and flutter aspects of CS 25.302, while accounting for the 
probability of the airplane being in that configuration. The FAA's 
proposal would require that the structural strength criteria in the 
proposed rule--Sec.  25.302(a) through (b)--be met for the airplane in 
the dispatch configuration while accounting for any subsequent single 
failure or any subsequent combination of failures not shown to be 
extremely remote.
D. Turbojet Thrust Reversing Systems
    The current regulation for thrust reversals in flight, Sec.  
25.933(a)(1), requires that, during any reversal in flight, the engine 
will produce no more than flight-idle thrust. Additionally, current 
Sec.  25.933(a)(1) requires an applicant to show that each operable 
reverser can be restored to the forward thrust position, and that the 
airplane is capable of continued safe flight and landing under any 
possible position of the thrust reverser. Proposed Sec.  
25.933(a)(1)(ii) would allow an applicant to demonstrate compliance 
with Sec.  25.1309(b) for these thrust reversing systems.
    The application of the current standards has not precluded the loss 
of airplane control following the unwanted in-flight deployment of the 
thrust reverser. The investigation of the 1991 Lauda Air accident 
involving a Boeing Model 767 airplane revealed that an unwanted in-
flight thrust reversal at high speeds and high power conditions on an 
airplane with wing-mounted, high-bypass turbofan engines can result in 
disruption of air flow over the wing and the loss of lift and 
controllability. Until this accident, the service history of in-flight 
thrust reverser deployment incidents indicated that an in-flight thrust 
reverser deployment at high power would not result in a catastrophic 
event. However, engine installations on modern transport category 
airplanes include high-bypass turbofan engines mounted close to the 
wing, and forward of the wing leading edge, to reduce aerodynamic drag 
and provide sufficient ground clearance. As a result, these airplanes 
do not have a sufficient control margin in the event of an unwanted in-
flight thrust reversal and, therefore, cannot comply with the rule 
during all phases of flight.
    To allow applicants for type certification flexibility in their 
design and achieve the intended level of safety, the FAA proposes to 
allow an applicant to demonstrate using a system safety assessment, per 
the proposed 14 CFR 25.1309(b), that unwanted deployment of the thrust 
reverser will not occur in flight. The FAA derived this option, known 
as the ``reliability option,'' from the PPIHWG's recommendations.\41\
---------------------------------------------------------------------------
    \41\ For more information about the PPIHWG's recommendations, 
see the PPIHWG report in the docket for this rulemaking.
---------------------------------------------------------------------------
    The PPIHWG evaluated methods used by applicants to assure 
reliability of other critical systems to determine if applicants could 
effectively apply the same requirements to thrust reverser systems. The 
PPIHWG concluded that design features such as redundant locking 
mechanisms (eliminating catastrophic single failures) in conjunction 
with more rigorous design and maintenance assessments (reducing 
exposure to latent failures) can provide a level of safety equivalent 
to the current rule. The FAA agrees.
    Allowing an applicant to develop thrust reversing systems in 
compliance with Sec.  25.1309, especially by reducing those systems' 
exposure to SLFs, would improve the level of safety because unwanted 
in-flight thrust reverser deployments would not be expected to occur 
during the entire operational life of all airplanes of one type, and 
eliminate the need for flightcrew procedures in response to an in-
flight thrust reversal. Proposed Sec.  25.1309 would provide a level of 
safety at least equivalent to current Sec.  25.933(a)(1)(ii). This 
reliability option would allow an applicant to use a more practical 
approach to show compliance in all phases of flight for all known 
engine installations.
    This proposal is consistent with the FAA's current practice because 
the FAA has been implementing the PPIHWG's recommendations through ELOS 
findings on specific projects since 1994. The FAA has accepted SSAs 
that show that in-flight thrust reverser deployment is extremely 
improbable as an alternative to flight tests that show full 
controllability across the entire flight envelope. The FAA has also 
accepted a combination of these two methods to allow applicants for 
type certification more flexibility when demonstrating an ELOS. For 
example, within that portion of the flight envelope where 
controllability cannot be shown, applicants have shown that the 
probability of an unwanted in-flight thrust reversal is extremely 
improbable. Conversely, applicants who have shown compliance primarily 
using the reliability option have shown that there are portions of the 
flight envelope where the airplane is controllable, and an unwanted in-
flight deployment can be classified as less severe than catastrophic. 
This mixed approach has allowed applicants more flexibility in the 
thrust reverser system design and maintenance intervals than under the 
traditional rule. Under current ELOS determinations, applicants select 
either option, or combine them, to achieve the level of safety intended 
by the rule. With this proposal, the FAA regulations would continue to 
allow such combinations, but without the need for an ELOS. This will 
result in increased efficiency for both the FAA and the industry in 
certification programs, without impacting the level of safety 
established by Sec.  25.933(a)(1).
    Based on the PPIHWG's recommendations, the FAA also proposes that 
the current requirements in Sec.  25.933(a)(1)--that each operable 
reverser can be restored to the forward thrust position, and that 
during any reversal in flight the engine will produce no more than 
flight-idle thrust--would no longer be necessary given the other 
proposed changes to this section. If a design can meet Sec.  25.1309(b) 
without these features, then they need not be mandatory. Further, in 
accordance with proposed Sec.  25.1309(a), any properly functioning 
thrust reverser would be required to respond appropriately to all 
anticipated flightcrew commands.
E. Flight Control Systems Safety Assessment Criteria
1. Changes to Sec.  25.671(c) Failure Criteria
a. Changes to Sec.  25.671(c), (c)(1), and (c)(2)
    The current design and failure criteria for flight control systems, 
in Sec.  25.671(c), were largely derived from Civil Air Regulations 
4b.320, which preceded the current 14 CFR part 25 standards established 
in 1965. The FAA updated those requirements in amendment 25-23 (35 FR 
5674, April 8, 1970) to account for automatic and powered flight 
control technology improvements and to consolidate the failure criteria
and make them applicable to the entire control system.
    Section 25.671(c) requires that the airplane be capable of 
continued safe flight and landing following the failure conditions 
listed in Sec.  25.671(c)(1) and (2) and the jamming conditions in 
Sec.  25.671(c)(3).
    Paragraph (c)(1) of Sec.  25.671 requires an applicant to show 
continued safe flight and landing following any single failure.
    Paragraph (c)(2) requires the applicant to show continued safe 
flight and landing following any combination of failures not shown to 
be extremely improbable. Paragraph (c)(2) also includes examples of 
failures that must be evaluated.
    The FAA proposes to remove the flight control system failure 
criteria in Sec.  25.671(c)(1) and (2), including the examples of 
specific failures that must be evaluated, and instead require safety 
assessment of flight control systems to be regulated by Sec.  25.1309. 
Section 25.1309 would be used to address the flight control SSA, except 
with regard to jamming. The FAA also proposes to retain the examples in 
Sec.  25.671(c)(2) as failures that must be considered in showing 
compliance with Sec.  25.629 as discussed later in this preamble 
(section I.A.2).
    Finally, current Sec.  25.671(c) requires that probable failures 
have only minor effects and be capable of being readily counteracted by 
the pilot. The FAA proposes to remove this requirement because its 
effect on safety would be covered by proposed Sec.  25.1309. Proposed 
Sec.  25.1309 would require that each major failure condition be 
remote, which means that probable failures (more likely than remote) 
must have only minor effects (must not be major).
b. Changes to Sec.  25.671(c)(3)
    Section 25.671(c)(3) requires that an applicant evaluate any jam in 
a control position normally encountered, as well as runaway \42\ of a 
flight control to an adverse position and subsequent jam. The FAA 
proposes to consolidate the current Sec.  25.671(c)(3) flight control 
jams requirement under Sec.  25.671(c) and revise as described below.
---------------------------------------------------------------------------
    \42\ A runaway of a flight control occurs when the control 
surface moves to its fully extended position without pilot input and 
as the result of some type of failure.
---------------------------------------------------------------------------
    The flight control jams requirement in Sec.  25.671(c)(3) has 
generated debate about the meaning of a ``normally encountered'' 
control position. This phrase came under scrutiny after two Boeing 
Model 737 accidents, and the FAA and NTSB investigations that 
followed.\43\ \44\ The issue was whether ``normally 
encountered'' should be interpreted as a small control surface 
deflection, which occurs routinely, or as a large or even full control 
surface deflection, which occurs much less frequently. Demonstrating 
compliance assuming a fully deflected and jammed control surface is 
much more difficult than doing so with a small control surface 
deflection. In May 1995, the FAA issued a policy letter specifying what 
``normally encountered'' control positions (which included large 
deflections) should be used for compliance with Sec.  25.671(c)(3).\45\ 
In October 1996, the NTSB issued Safety Recommendation A-96-108, later 
superseded by Safety Recommendation A-99-23, which recommended that 
applicants evaluate control jams at fully-deflected control positions. 
The FCHWG considered the NTSB safety recommendation in developing its 
recommendation. The FCHWG recommended that the phrase ``normally 
encountered'' be retained in the rule, and that an FAA AC define the 
``normally encountered'' control positions. The FAA proposes to adopt 
the FCHWG recommendation.
---------------------------------------------------------------------------
    \43\ NTSB Aircraft Accident Report NTSB/AAR-01/01 is available 
in the docket and at https://www.ntsb.gov/investigations/AccidentReports/Reports/AAR0101.pdf.
    \44\ NTSB Aircraft Accident Report NTSB/AAR-99/01 is available 
in the docket and at https://www.ntsb.gov/investigations/AccidentReports/Reports/AAR9901.pdf.
    \45\ Policy Statement PS-ANM100-1995-00020 is available in the 
docket and at https://www.faa.gov/regulations_policies/policy_guidance/.
---------------------------------------------------------------------------
    Draft AC 25.671-X would explain that the FAA considers ``normally 
encountered'' positions as the range of control surface deflections, 
from neutral to the largest deflection expected to occur in 1,000 
random operational flights, without considering other failures. The AC 
would also provide guidance for performance based criteria that define 
environmental and operational maneuver conditions, and the resulting 
deflections that could be considered normally encountered positions.
    A second compliance issue related to Sec.  25.671(c)(3) stems from 
an applicant's use of probability analysis to show that a jam, or a 
runaway and jam, is ``extremely improbable.'' Section 25.671(c)(3) 
requires the airplane to be capable of continued safe flight and 
landing after experiencing jamming conditions, including runaway of a 
flight control surface and subsequent jam, unless the jamming condition 
is shown to be extremely improbable or the jam can be alleviated. While 
current Sec.  25.671(c)(3) allows the use of probability analysis, 
applicants have generally been unable to demonstrate that jamming 
conditions are ``extremely improbable,'' except for conditions that 
occur during a very limited time just prior to landing. Therefore, the 
FAA proposes to revise Sec.  25.671(c) to require that the applicant's 
safety assessments assume that the specified jamming conditions will 
occur, regardless of those conditions' probability. The FAA also 
proposes to exclude jamming conditions that occur immediately before 
touchdown if these can be shown to be extremely improbable. For jams 
that occur just before landing, some amount of time and altitude is 
necessary in order to recover, and there is no practical means by which 
a recovery can be demonstrated. Therefore, the applicant would be 
allowed to show such a jamming condition is extremely improbable based 
on the limited time exposure.
    The FAA also proposes to revise Sec.  25.671(c) to define the types 
of jams that must be evaluated as those that result in a flight control 
surface or pilot control that is fixed in position due to a physical 
interference.
    Proposed Sec.  25.671(c) would also require that, in the presence 
of a jam evaluated under that paragraph, any additional failure 
conditions that could prevent continued safe flight and landing must 
have a combined probability of less than 1/1000. This is to ensure 
adequate reliability of any system necessary to alleviate the jam when 
it occurs.
    Lastly, the FAA proposes to remove the requirement to account for a 
runaway of a flight control surface and subsequent jam. The FAA does 
not believe it is necessary to include this requirement in Sec.  25.671 
because the SSA required by Sec.  25.1309 would account for any failure 
condition that leads to a runaway of a flight control surface. Runaways 
of flight control surfaces will be evaluated under Sec.  25.1309 
regardless of whether they are due to an external source, such as a 
foreign object or control system icing, or due to failures that are 
internal to the flight control system.
2. Other Changes to Sec.  25.671
    The FAA proposes to revise Sec.  25.671(a) to add a requirement 
that the flight control system continue to operate and respond as 
designed to commands, and not hinder airplane recovery, when the 
airplane experiences any pitch, roll, or yaw rate, or vertical load 
factor that could occur due to operating or environmental conditions, 
or when the airplane is in any attitude. This would ensure there are no 
features or unique
characteristics (including, for example, computer errors that might 
occur at certain airplane bank angles) of the control system design 
that would restrict the pilot's ability to recover from any attitude, 
rate of rotation, or vertical load factor expected to occur due to 
operating or environmental conditions. The phrase ``operating or 
environmental conditions'' would have the same meaning as in proposed 
Sec.  25.1309(a)(1): the full normal operating envelope of the 
airplane, as defined by the AFM, together with any modification to that 
envelope associated with abnormal or emergency procedures, and any 
anticipated crew action. That envelope includes other external 
environmental conditions that the airplane is reasonably expected to 
encounter, such as atmospheric turbulence.
    The FAA proposes to revise Sec.  25.671(b) to require that the 
system be designed or marked to avoid incorrect assembly that could 
result in ``failure of the system to perform its intended function,'' 
rather than in the ``malfunctioning of the system.'' The FAA also 
proposes to revise Sec.  25.671(b) to restrict the use of such marking 
to cases in which compliance by design means is impractical. The 
objective of these proposed changes is to ensure that the system 
performs its intended function.\46\
---------------------------------------------------------------------------
    \46\ Draft AC 25.671-X will note that by ``assembled'' in Sec.  
25.671(b), the FAA means not only the connection of physical parts, 
but also the installation of software that will be part of the 
approved design. This reflects current practice and echoes the 
installation requirements of Sec.  25.1301.
---------------------------------------------------------------------------
    Section 25.671(d) requires that the airplane remain controllable if 
all engines fail. The FAA proposes to revise this section to require 
that not only must the airplane be controllable following failure of 
all engines, but that an approach and flare to a landing and controlled 
stop must also be possible, assuming that a suitable runway is 
available. The proposed rule would also apply the requirement to the 
failure of all engines at any point in the flight. The FAA also 
proposes to make the last sentence of Sec.  25.671(d) active voice by 
changing it from ``Compliance with this requirement may be shown by 
analysis where that method has been shown to be reliable,'' to ``The 
applicant may show compliance with this requirement by analysis where 
the applicant has shown that analysis to be reliable.'' This revision 
would not change the substance of the requirement.
    The FAA also proposes to add a new paragraph (e) to Sec.  25.671, 
which would require that the flight control system indicate to the 
flightcrew whenever the primary control means are near the limit of 
control authority. On airplanes equipped with fly-by-wire control 
systems, there is no direct tactile link between the flightdeck control 
and the control surface, and the flightcrew may not be aware of the 
actual control surface position. If the control surface is near the 
limit of control authority, and the flightcrew is unaware of that 
position, it could negatively affect the flightcrew's ability to 
control the airplane in the event of an emergency. The flight control 
system could meet this requirement through natural or artificial 
control feel forces, by cockpit control movement if shown to be 
effective, or by flightcrew alerting that complies with Sec. Sec.  
25.1309(c) and 25.1322.
    The FAA also proposes to add a new paragraph (f) to Sec.  25.671, 
which would require that the flight control system alert the flightcrew 
whenever the airplane enters any mode that significantly changes or 
degrades the normal handling or operational characteristics of the 
airplane. On some flight control system designs, there may be submodes 
of operation that change or degrade the normal handling or operational 
characteristics of the airplane. Similar to control surface awareness, 
the flightcrew should be made aware if the airplane is operating in 
such a submode.
    The FAA derived the requirements of proposed Sec.  25.671(e) and 
(f) from its experience certifying applications for fly-by-wire 
systems. The proposed requirements summarized in this section for 
revision to Sec.  25.671 have been applied on numerous programs through 
ELOS findings. Codifying these requirements in part 25 would result in 
increased efficiency for both the FAA and the industry in certification 
programs, without impacting the level of safety.
F. Certification Maintenance Requirements
    Section H25.4(a) of appendix H to part 25 requires that 
airworthiness limitations within the ICA reside in a segregated and 
clearly distinguishable section titled ``Airworthiness Limitations 
section.'' The ALS is required to include mandatory maintenance actions 
approved by Sec.  25.571 for damage tolerant structures, by Sec.  
25.981 for fuel tank systems, and by Sec.  25.1701 for the electrical 
wiring interconnection system (EWIS). However, section H25.4 does not 
include the maintenance actions typically established during the 
certification process as CMRs, using the guidance in AC 25-19A, 
Certification Maintenance Requirements. As a result, the current 
regulations are not consistent in how they address system-related 
maintenance requirements.
    AC 25.1309-1A provides guidance for an applicant to include 
maintenance actions when it shows compliance with Sec.  25.1309, and AC 
25-19A provides guidance on the selection, documentation, and control 
of CMRs to implement such maintenance actions. CMRs, when properly 
implemented, are required tasks to detect safety significant failures 
that would, in combination with one or more other failures, result in a 
hazardous or catastrophic failure condition. CMRs are developed to show 
compliance with Sec.  25.1309 and other regulations requiring safety 
analyses such as Sec. Sec.  25.671, 25.783, 25.901, and 25.933. As 
described in AC 25-19A, establishing CMRs is not always necessary if 
there is another suitable method to identify the needed maintenance 
task to prevent a failure condition from developing.
    In practice, industry and the other certification authorities have 
treated CMRs as equivalent to airworthiness limitations. CMRs are 
currently considered by operators as the systems counterpart to the 
airworthiness limitations for primary structures, fuel tank systems, 
and EWIS. However, unlike these airworthiness limitation items, the 
CMRs do not have a regulatory basis upon which to standardize their 
development. Airworthiness limitations for systems that have hazardous 
and catastrophic failure effects are just as relevant to the safety of 
the airplane as the airworthiness limitations currently required for 
fuel tank systems, EWIS, and damage tolerant primary structures. Many 
applicants have been voluntarily including CMRs in the ALS of the ICA.
    Based on the foregoing, the FAA proposes to revise Sec.  25.1309(d) 
to require the applicant to establish CMRs to prevent development of 
the failure conditions described in Sec.  25.1309(b). Section 
25.1309(d) would require these maintenance requirements to be included 
in the ALS of the ICA required by Sec.  25.1529. This proposal would 
codify current industry practice that the FAA has accepted for many 
years as a means of compliance with Sec.  25.1309 and other system 
safety regulations.
    In addition, the type certification process often results in the 
establishment of CMRs for systems that are not regulated by Sec.  
25.1309 (for example, a CMR may be established for flutter prevention 
under Sec.  25.629). To provide a common regulatory basis for such 
CMRs, including those established
under Sec.  25.1309, the FAA proposes a new section, H25.4(a)(6). This 
proposed rule would require an applicant to include any CMR in the ALS 
of the ICA, if the CMR was established to comply with any applicable 
provisions of part 25.
G. Miscellaneous Amendments
1. Method of Compliance With Sec.  25.1309(b)
    The FAA proposes to remove current Sec.  25.1309(d). Section 
25.1309(d) currently requires an applicant to show that a design 
complies with Sec.  25.1309(b) by using analysis, and where necessary, 
ground, flight, or simulator testing. Section 25.1309(d) also describes 
the features that the applicant's analysis must consider.
    The FAA reconsidered the requirement in Sec.  25.1309(d) and 
concluded that this requirement is no longer needed within the 
regulatory text, since it specifies a particular, yet incomplete, 
process for compliance with Sec.  25.1309(b). This conclusion is 
consistent with the SDAHWG recommendation to remove Sec.  25.1309(d) 
and place the process for compliance with Sec.  25.1309(b) into non-
mandatory guidance material. Removing these steps from the regulation 
is not intended to alter the evaluations required by Sec.  25.1309(b). 
Instead, it is intended to reflect that Sec.  25.1309(b) provides 
performance-based requirements for which the methods of compliance 
should be appropriate to the particular system. In addition, the 
current Sec.  25.1309(d) provides an incomplete list of considerations, 
and other, equally important factors may need to be included in the 
applicant's proposed assessments. These factors can include 
environmental conditions, complexity of the design, common cause of 
multiple failures, flightcrew capability and workload, and safety 
margin after a failure, all of which will vary for each application and 
which the FAA will discuss in the accompanying draft guidance.
    Because Sec.  25.1309(d) would no longer prescribe specific methods 
for demonstrating compliance with Sec.  25.1309(b), the FAA also 
proposes to remove the reference to Sec.  25.1309(d) from Sec.  
25.1365(a). This change would not affect the level of safety provided 
by the current rule, because Sec.  25.1365(a) would continue to 
reference the requirements of Sec.  25.1309(b). This proposal would 
harmonize Sec.  25.1365(a) with CS 25.1365(a).
2. Failure Examples Related To Flutter
    This proposal would relocate several specific failures from Sec.  
25.671(c)(2) to the aeroelastic stability requirements of Sec.  25.629. 
Section 25.671(c)(2) specifies examples of failure combinations that 
must be evaluated, including dual electrical and dual hydraulic system 
failures, and any single failure combined with any probable hydraulic 
or electrical failure. Section 25.629(d)(9) currently requires that the 
airplane be shown to be free from flutter considering various failure 
conditions considered under Sec.  25.671, which includes those failure 
conditions specified in Sec.  25.671(c)(2). The FAA is proposing to 
remove those examples from Sec.  25.671(c)(2) in conjunction with 
related changes to Sec.  25.1309 described in section III.E of this 
preamble. However, the specific failure conditions identified in Sec.  
25.671(c)(2) have provided an important design standard for dual 
actuators on flight control surfaces that rely on retention of 
restraint stiffness or damping for flutter prevention. Therefore, this 
proposal relocates these failure conditions from Sec.  25.671(c)(2) to 
the aeroelastic stability requirements of Sec.  25.629(d). This change 
would not affect the level of safety provided in current Sec. Sec.  
25.671(c)(2) and 25.629(d).
3. Other Changes to Sec.  25.629
    Section 25.629(b) requires the airplane to be free from aeroelastic 
instability for ``all configurations and design conditions'' within the 
speed and altitude envelopes specified in Sec.  25.629(b)(1) and (2). 
Such design conditions include the range of load factors within the 
normal flight envelope. The normal flight envelope is defined in Sec.  
25.333. Therefore, this proposal would specify that the aeroelastic 
stability envelope includes the range of load factors specified in 
Sec.  25.333.
4. EWIS Requirements
    The FAA proposes to remove paragraph (b) from Sec.  25.1301 and to 
remove paragraph (f) from Sec.  25.1309. Section 25.1301(b) requires 
that a proposed airplane's EWIS meet the requirements of subpart H of 
part 25. Subpart H was created (at amendment 25-123, in 2007) as the 
single place for the majority of wiring certification requirements. The 
references in Sec. Sec.  25.1301(b) and 25.1309(f) are redundant and 
unnecessary because subpart H specifies its applicability. The FAA has 
determined that such redundancy is not needed because the subpart H 
requirements can stand alone.
5. Removal of Redundant Requirements
    The FAA proposes to remove paragraph (e) from Sec.  25.1309. The 
requirements of paragraph (e) concern compliance with Sec.  25.1309(a) 
and (b) for electrical system and equipment design. The requirements of 
paragraph (e) are unnecessary because they are redundant to the general 
risk assessment of Sec.  25.1309 and to Sec. Sec.  25.1351 through 
25.1365 specifically related to electrical systems.
H. Petitions for Rulemaking
    During the development of this proposed rule, the FAA considered 
two relevant petitions for rulemaking submitted in 1986. Summaries of 
these petitions were published in the Federal Register.\47\ The 
petitions and a disposition of the petitions are included in the docket 
for this NPRM. This NPRM proposes some changes that were suggested in 
those petitions, including adding definitions of probability terms \48\ 
and revising the methods for accounting for failure effects.\49\ See 
proposed Sec. Sec.  25.4 and 25.1309.
---------------------------------------------------------------------------
    \47\ 51 FR 33061 (Sept. 18, 1986) and 52 FR 1924 (Jan. 16, 
1987).
    \48\ Including ``extremely improbable'' and ``probable'' with 
regard to failure conditions.
    \49\ Including the ``fail-safe'' requirement, and specifying 
exceptions in Sec.  25.1309 for certain failure effects specified in 
other sections and subparts of part 25.
---------------------------------------------------------------------------
I. Advisory Material
    The FAA has drafted three new ACs and revisions to two existing ACs 
to provide guidance material for acceptable means, but not the only 
means, of showing compliance with the regulations proposed for revision 
by this NPRM. The FAA will post the draft ACs in the docket and on the 
``Aviation Safety Draft Documents Open for Comment'' web page at http://www.faa.gov/aircraft/draft_docs/.\50\ The FAA requests that you submit 
comments on the draft AC through either the docket or through that web 
page. The draft ACs are as follows:
---------------------------------------------------------------------------
    \50\ To submit comments via the ``Aviation Safety Draft 
Documents Open for Comment'' web page, https://www.faa.gov/aircraft/draft_docs/, please follow the instructions found on that web page.
---------------------------------------------------------------------------
     AC 25.671-X, Control Systems--General.
     AC 25.901-X, Safety Assessment of Powerplant 
Installations.
     AC 25.933-X, Unwanted In-Flight Thrust Reversal of 
Turbojet Thrust Reversers.
     AC 25.629-1C, Aeroelastic Stability Substantiation of 
Transport Category Airplanes.
     AC 25.1309-1B, System Design and Analysis.
[[Page 75441]]
IV. Regulatory Notices and Analyses
    Changes to Federal regulations must undergo several economic 
analyses. First, Executive Order 12866 and Executive Order 13563 direct 
that each Federal agency shall propose or adopt a regulation only upon 
a reasoned determination that the benefits of the intended regulation 
justify its costs. Second, the Regulatory Flexibility Act of 1980 (Pub. 
L. 96-354) requires agencies to analyze the economic impact of 
regulatory changes on small entities. Third, the Trade Agreements Act 
(Pub. L. 96-39) prohibits agencies from setting standards that create 
unnecessary obstacles to the foreign commerce of the United States. In 
developing U.S. standards, the Trade Act requires agencies to consider 
international standards and, where appropriate, that they be the basis 
of U.S. standards. Fourth, the Unfunded Mandates Reform Act of 1995 
(Pub. L. 104-4) requires agencies to prepare a written assessment of 
the costs, benefits, and other effects of proposed or final rules that 
include a Federal mandate likely to result in the expenditure by State, 
local, or tribal governments, in the aggregate, or by the private 
sector, of $100 million or more annually (adjusted for inflation with 
base year of 1995). This portion of the preamble summarizes the FAA's 
analysis of the economic impacts of the proposed rule. The FAA suggests 
readers seeking greater detail read the Regulatory Impact Analysis in 
the docket for this rulemaking.
    In conducting these analyses, the FAA determined that this proposed 
rule (1) has benefits that justify its costs; (2) is not an 
economically ``significant regulatory action'' as defined in section 
3(f) of Executive Order 12866; (3) would not have a significant 
economic impact on a substantial number of small entities; (4) would 
not create unnecessary obstacles to the foreign commerce of the United 
States; and (5) would not impose an unfunded mandate on state, local, 
or tribal governments, or on the private sector by exceeding the 
threshold identified above. These analyses are summarized below.
A. Regulatory Evaluation
1. Costs and Benefits of This Proposed Rule
    The predominant cost impact of this proposed rule results from 
proposed requirements addressing catastrophic dual failures (CSL+1), 
where the first failure is latent (unknown until discovered by crew or 
maintenance personnel), which, in combination with a second active 
failure, results in a catastrophic accident. Without the rule, unsafe 
conditions in service associated with potential CSL+1 failure 
conditions would continue to be addressed, after certification, by 
airworthiness directives (ADs).\51\ Accordingly, the costs of ADs 
avoided because of the rule would be benefits of the rule in the form 
of cost savings. ADs resulting from potential CSL+1 failure conditions 
are occurring at such a high rate that the benefits of avoiding these 
ADs, by themselves, exceed the costs of the specific risk rule, Sec.  
25.1309(b)(5). At a 7 percent discount rate, the FAA finds the 
cost savings resulting from the proposed specific risk rule to be $24.6 
million, exceeding the $15.5 million cost of the rule, and resulting in 
$9.1 million in net cost savings. At a 3 percent discount rate, the FAA 
finds that the cost savings are $46.79 million, exceeding a $24.65 
million cost, and resulting in $22.14 million in net benefits.
---------------------------------------------------------------------------
    \51\ ADs are rules issued by the FAA that require specific 
actions to address an unsafe condition on an aircraft or other 
aviation product.
---------------------------------------------------------------------------
    The FAA finds all other provisions of this proposed rule to be cost 
beneficial or to have zero or minimal cost.
2. Who is potentially affected by this proposed rule?
    Applicants for type certification, and operators, of part 25 
airplanes are potentially affected by this proposed rule.
3. Assumptions and Sources of Information
     The FAA uses three percent and seven percent discount 
rates to estimate present value and annualized costs and cost savings 
based on OMB guidance.\52\
---------------------------------------------------------------------------
    \52\ OMB Circular A-4, Regulatory Analysis (2003), https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A4/a-4.pdf.
---------------------------------------------------------------------------
     Source: Airplane certification costs, https://www.faa.gov/, 
Regulations & Policies, Rulemaking, Committees--Advisory and 
Rulemaking Committees, Topics--Transport Airplane and Engines (TAE) 
Subcommittee (Active), Airplane-level Safety Analysis Complete File, 
ARAC ASAWG Report, Specific Risk Tasking, appendix A, p. 104. Source: 
ASAWG Recommendation Report, ``SPECIFIC RISK TASKING,'' April 2010 (pp. 
64, 104). These costs are updated to 2021 dollars by the ratio of the 
2021 GDP implicit price deflator to the 2010 GDP implicit price 
deflator, viz. 118.490/96.164 = 1.232. U.S. Bureau of Economic 
Analysis. ``Table 1.1.4. Price Indexes for GDP.'' Click ``Modify'' icon 
and refresh table with first and last years of period.
     For manufacturers of large part 25 airplanes (large 
transports): 2 U.S. airplane certifications in next 10-year period, 
with 24 annual U.S. deliveries per U.S. certification; 1 foreign 
airplane certification in next 10-year period, with 16 annual U.S. 
deliveries per foreign certification; 23-year airplane production run, 
and 28-year retirement age. For manufacturers of business jets (small 
part 25 airplanes): 2 U.S. airplane certifications in next 10-year 
period, 21 annual U.S. deliveries per U.S. certification and 28-year 
production run; 3 foreign airplane certifications in next 10-year 
period, 11 annual U.S. deliveries per foreign certification; and 
16-year airplane production run, 30-year retirement age. For benefits of 
avoided ADs (6): Average number of certifications for U.S.-manufactured 
airplanes. See the Regulatory Impact Analysis available in the docket 
for more details.
     The period of analysis for large airplanes is 23 + 28 = 51 
years to account for a product life cycle determined by a 23-year 
production period and a 28-year service period. The period of analysis 
for business jets is 28 + 30 = 58 years to account for a product life 
cycle determined by a 28-year production period and a 30-year service 
period.
     Average flight hours per year: Large part 25 airplanes--
3,000, Source: FlightGlobal's FlightFleets Analyzer, 
www.ascendworldwide.com. (Average annual flight hours = 3,040 for all 
narrowbody, widebody, and regional jets, at least one year old, 
operated by U.S. airlines as of August 28, 2018.)
4. Costs of the Proposed Specific Risk Rule
    To calculate the compliance costs for new U.S. certifications, the 
FAA assumes that all new certifications will be approved one year after 
the effective date of the rule, with production beginning one year 
later. Using an airplane life cycle model detailed in the Regulatory 
Impact Analysis available in the docket, for large part 25 airplanes 
(large transports) the FAA bases compliance costs on 2 new 
certificates, delivery of 24 airplanes per certificate per year to U.S. 
operators, production runs of 23 years, and an airplane retirement age 
of 28 years. The costs of compliance for large transports are 
calculated over an airplane life cycle of 51 years (the period from 
first delivery to last retirement), beginning in year 1 and ending in 
year 51. The small part 25 airplane category is a business jet 
category. For part 25 business jets, the FAA bases compliance costs on 
2 new certificates, delivery of 21 airplanes per
[[Page 75442]]
certificate per year to U.S. operators, production runs of 28 years, 
and an airplane retirement age of 30 years. The costs of compliance for 
part 25 business jets are calculated over an airplane life cycle of 45 
years, beginning in year 1 and ending in year 47.
    Unit industry cost estimates for the specific risk rule, Sec.  
25.1309(b)(5), were provided by the ASAWG in its report, ``Specific 
Risk Tasking.'' \53\ High costs were reported by Boeing and Cessna in 
contrast to the zero or near-zero costs reported by the other 
manufacturers. This was the result of (1) Boeing and Cessna using the 
existing Sec.  25.1309 amendment as a baseline and not taking into 
account voluntary ELOS actions they have taken; and (2) high hardware 
and operating costs reported by Cessna that were 20 to 30 times the 
comparable costs reported by Boeing. The FAA was unable to verify these 
high costs. The FAA's rationale and procedure to adjust for these costs 
follows.
---------------------------------------------------------------------------
    \53\ See https://www.faa.gov/, Regulations & Policies, 
Rulemaking, Committees--Advisory and Rulemaking Committees, Topics--
Transport Airplane and Engines (TAE) Subcommittee (Active), 
Airplane-level Safety Analysis Complete File, ARAC ASAWG Report, 
Specific Risk Tasking (April 2010), appendix A, p. 104.
---------------------------------------------------------------------------
    The FAA adjusted Boeing's engineering cost estimate by taking into 
account the extent to which voluntary ELOS actions for the Boeing Model 
787 already address the problems of potential CSL+1 dual catastrophic 
failures. This adjustment allows the FAA to reduce Boeing's estimate to 
13.3 percent of its reported value. This large adjustment reflects the 
importance of two factors: (1) the ELOS action for flight control 
systems--the FAA estimates that flight control systems constitute 60 
percent of existing potential CSL+1 failure conditions, and (2) that 25 
percent of potential CSL+1 failure conditions have already been 
addressed.
    Moreover, for the few CSL+1 combinations not already meeting the 
proposed rule, no hardware change would be necessary as only the 
inspection intervals would be affected. Accordingly, expected hardware 
costs and fuel burn costs are reduced to zero, leaving only non-
recurring engineering costs and maintenance costs.
    Large transports and business jets have similar system safety 
architectures because they both meet the ``no single failure'' and 
``extremely improbable'' (10\-9\) average risk criteria. 
Accordingly, the FAA has determined that the Boeing Model 787 cost 
analysis also applies to Cessna, so that Cessna's engineering cost 
estimate should also be reduced to 13.3 percent of reported value, and 
its hardware and fuel burn cost should be reduced to zero.
    With these adjustments, industry unit cost estimates are shown in 
table 3 below, along with a summary of the production life cycle data. 
See the Regulatory Impact Analysis available in the docket for more 
detail on the industry unit cost estimates.
 Table 3--Industry Production and Unit Cost Data for Estimating Costs of
                       Proposed Specific Risk Rule
                          [Cost values--$2021]
------------------------------------------------------------------------
                                                              Part 25
                                          Part 25 large    business  jet
                                            transports       airplanes
------------------------------------------------------------------------
Production Estimates:
    Number of Certifications (10 years)                2               2
    Production Life (Years)............               23              30
    U.S. Deliveries to U.S. Operators                 24              21
     per Certification per Year........
    Retirement Age (Years).............               28              30
    Foreign Deliveries to U.S.                        16              33
     Operators per Year................
Engineering & Production Costs:
    Non-Recurring Engineering Costs per       $1,353,982        $453,734
     Model.............................
    Recurring Costs (Hardware &                        0               0
     Installation) per Airplane........
Operating Costs........................           $1,231            $164
    Incremental Maintenance Costs per             $1,231            $164
     Airplane per Year.................
    Incremental Fuel Burn per Airplane                 0               0
     per Year..........................
------------------------------------------------------------------------
Note: Details may not add up to totals due to rounding.
    Employing these unit cost estimates in the airplane life cycle 
model referred to above, the FAA estimates the costs of the specific 
risk rule over the large transport and business jet life cycles and 
shows the results by major cost component in table 4 below.
                            Table 4--Summary of Costs of Proposed Specific Risk Rule
                                                     [$2021]
----------------------------------------------------------------------------------------------------------------
                                                Cost ($ mil.)                   Present value cost ($ mil.)
                                   -----------------------------------------------------------------------------
           Cost category              Part 25      Part 25                   Part 25      Part 25
                                       large       business   All part 25     large       business   All part 25
                                     transports      jets      airplanes    transports      jets      airplanes
----------------------------------------------------------------------------------------------------------------
Non-Recurring Engineering                  2.74          0.9          3.6          2.5          0.8          3.4
 Costs............................
Hardware & Installation Costs.....          0.0          0.0          0.0          0.0          0.0          0.0
Operating Costs (Maintenance).....         50.7          8.4         59.1         10.8          1.7         12.5
                                   -----------------------------------------------------------------------------
[[Page 75443]]
 
    Total.........................         53.4          9.3         62.7         13.3          2.5         15.8
----------------------------------------------------------------------------------------------------------------
Note 1: Present Value Cost is calculated using a 7 percent discount rate. The FAA presents estimates using a 3
  percent discount rate in the Regulatory Impact Analysis available in the docket for this proposed rule.
Note 2: Details may not add up to totals due to rounding.
5. Benefits of the Proposed Specific Risk Rule
    As discussed more fully in the Regulatory Impact Analysis available 
in the docket for this proposed rule, the proposed specific risk rule 
would (1) eliminate the risk of CSL+1 failure conditions by requiring 
additional redundancy, or (2) limit the risk of CSL+1 failure 
conditions by limiting the probabilities of the dual latent and active 
failures. CSL+1 failure conditions probably caused three accidents, 
which resulted in the destruction of the airplane and the fatalities of 
all passengers and crew. These accidents were Lauda Air Flight 004 
(Boeing Model 767) in 1991, resulting in the fatalities of 233 
passengers and crew; USAir Flight 427 (Boeing Model 737) in 1994, 
resulting in the fatalities of 132 passengers and crew; and the earlier 
United Airlines Flight 585 (Boeing Model 737) in 1991, resulting in the 
fatalities of 25 passengers and crew.
    For the Lauda Air accident, the Thai investigating committee found 
the probable cause to be an uncommanded in-flight deployment of the 
airplane's left engine thrust reverser, resulting in loss of airplane 
control. The airplane was equipped with a double lock thrust reverser 
system that operated as follows. If a pilot wanted to deploy the thrust 
reversers, he or she raised the thrust reverser lever, which set the 
directional control valve (DCV) (1st lock) to the deploy position and 
opened the hydraulic isolation valve (HIV) (2nd lock), allowing 
hydraulic pressure to open the thrust reverser door. The investigating 
committee found that one likely cause of uncommanded deployment was 
contamination of the DCV that made it susceptible to increased pressure 
on its deploy side (latent failure). When the HIV inadvertently opened 
due to a short circuit (active failure), hydraulic pressure became 
available to the susceptible DCV causing a change in the valve position 
from ``stow'' to ``deploy'' with consequent deployment and the 
catastrophic accident. Once discovered, this potential CSL+1 failure 
condition was eliminated by an AD action mandating an additional valve 
(3rd lock). (Please see the Regulatory Impact Analysis available in the 
docket for discussion of the CSL+1 failure conditions that the NTSB 
concluded to be the probable cause of the USAir Flight 427 and United 
Airlines Flight 585 accidents.)
    The FAA finds that, if the specific risk rule had been in effect, 
the likelihood of these accidents occurring would have been reduced. 
Since the FAA has already issued ADs to prevent reoccurrence of these 
CSL+1 accidents, the FAA does not use them in estimating benefits from 
this rule. However, without the rule, unsafe conditions in service 
associated with potential CSL+1 failure conditions would continue to be 
addressed by ADs. Accordingly, the costs of the ADs avoided because of 
the rule would be benefits of the rule in the form of cost savings. The 
FAA first provides an overview of the benefits estimation, and then 
provides the details.
a. Overview of Avoided AD Benefits
    For the ten-year period of 2008 to 2017, the FAA searched for all 
new (including superseding) ADs that were associated with potential 
CSL+1 failure conditions and found 15 such ADs. In order to simplify 
the analysis, the cost of an AD was estimated based only on the basic 
wage and cost of materials data provided in the AD (or referenced 
service bulletins) for required inspections or repairs/replacements, 
for all airplanes that were affected by the AD. As in the cost section 
above, the FAA updated cost to 2021 dollars. Since labor costs were 
given in hours as well as in current dollars, labor costs were 
particularly easy to update since the FAA could simply use labor hours 
and the 2021 AD wage rate of $85 per hour.\54\ In one or two cases, the 
costs of an AD were adjusted based on information obtained from the 
safety engineer referenced in the AD. ``On-condition'' costs were not 
included in calculated AD costs because such costs depend on an unknown 
number of airplanes identified on inspection as requiring repair or 
parts replacement. AD costs often occurred several months or years 
following the AD effective date because of time allowed for compliance 
and because of ongoing inspection costs. For 4 of the 15 ADs, there is 
no terminating action so the affected airplanes are required to be 
periodically inspected over their entire service lives. Present value 
AD costs in issuance-year dollars were calculated by discounting these 
future year costs to the year of AD issuance at the rate of 7 percent. 
These present value AD costs were adjusted to 2021 dollars using the 
GDP implicit price deflator. The total cost of the 15 ADs in 2021 
dollars is then summed from the individual AD costs.
---------------------------------------------------------------------------
    \54\ See the Regulatory Impact Analysis available in the docket 
for more details on the labor rate and hours used in this analysis.
---------------------------------------------------------------------------
b. Details of Avoided AD Benefits
    Table 5 shows the cost of each of the 15 ADs that were associated with 
potential CSL+1 failure conditions. For each AD, the table provides the 
following information:
     AD No.;
     Effective date of the AD;
     Airplane Model;
     PV AD Cost ($2021);
     The potential CSL+1 failure condition; and
     Required AD Actions.
    Airworthiness Directive No. 8 is split into two results because, 
after an initial AD was issued and complied with, it was later 
determined that a wider range of part numbers should have been checked, 
which meant re-inspection for a large number of airplanes that had 
already been inspected. So No. 8a shows the costs for the number of 
airplanes the FAA estimates have already been checked in the initial 
AD, while No. 8b
[[Page 75444]]
shows the new costs in the superseding AD for the airplanes already 
checked as well as for the newly affected airplanes. AD No. 15 is also 
shown in two parts, with No. 15a showing the results for the main 
recurring action and No. 15b showing the results for a concurrent 
nonrecurring action for a subset of affected airplanes, required in 
order to ensure the effectiveness of the test required by the main 
recurring action.
    Airworthiness Directives Nos. 1, 2, 4 and 15a are the four ADs with 
recurring actions lasting the lifetime of the airplanes. The total 
present value costs for these ADs were calculated using AD unit cost 
data and individual airplane data from the Aircraft section of 
FlightGlobal's FlightFleets Analyzer. For each airplane already in the 
affected fleet at the AD's effective date, costs were calculated for 
the remaining years of an assumed 28-year life, with yearly costs 
discounted back to the AD's effective date but valued in 2021 dollars. 
For each airplane entering the affected fleet after the AD's effective 
date, costs were calculated for its entire assumed 28-year life with an 
additional discount factor for time between the AD's effective date and 
the in-service date of the airplane. Actual life was used instead of a 
28-year life if airplanes were retired (or written off) early. Data for 
August 2018 was used for AD Nos. 1, 2 and 15a. But for AD No. 4, data 
as of the AD's effective date, September 26, 2012, was used in order to 
simplify the calculations. The affected model--Boeing Model 757--ended 
production in 2004, so few, if any, additional airplanes would be 
entering the affected fleet after the AD's 2012 effective date, and 
fewer of the affected airplanes would have to be retrieved from the 
``Retired/Written Off'' file than if a more recent date was used.
    The FAA notes that all 15 ADs apply to large transport airplanes 
and none apply to business jets. This result is not surprising, since 
part 25 business jets account for a small percentage of the total 
flight hours for part 25 airplanes. Given the FAA's assumptions, the 
life cycle airplane model estimates that part 25 business jets account 
for just 10.3 percent of all part 25 flight hours. This particular 
result does not mean that CSL+1 failure conditions cannot occur on part 
25 business jets. In fact, while this regulatory evaluation was being 
written, an immediate final rule AD was published \55\ for a potential 
CSL+1 failure condition in a Gulfstream Model GVI business jet. Since 
this AD occurs outside the 10-year 2008-2017 sampling window, the FAA 
did not include it in its analysis.
---------------------------------------------------------------------------
    \55\ 83 FR 48918 (Sept. 28, 2018).
---------------------------------------------------------------------------
    As table 5 below shows, total AD costs sum to $64,195,574. The FAA 
used the avoidance of these costs to estimate the benefits of the 
proposed specific risk rule. Over the period of AD 
selection, 2008 to 2017, however, there were, on average, approximately 
six new airplane models brought to the market by U.S. manufacturers. 
Since the FAA estimated the costs of the proposed rule assuming two new 
model certifications, in order to make the estimate of the value of 
avoided ADs comparable, the FAA divided these costs by three. The FAA 
then divided the adjusted costs by 10 to estimate the average annual AD 
costs over the 10-year sample period. Finally, recognizing that no rule 
is perfectly effective, the FAA estimated that the proposed rule would 
be 90 percent effective and, accordingly, reduced the annual estimates 
by 10 percent. These reduced annual estimates are then used in the life 
cycle airplane model to estimate the benefits of the proposed rule in a 
manner analogous to the estimate of the costs of the proposed rule. 
Dividing $64,195,574 by 3 x 10 = 30 and multiplying by 90 percent, the 
FAA obtained an estimate of average annual benefits of $2,139,852. This 
then is the estimate of the average annual value of the ADs that will 
be avoided over the 51-year life cycle of our two airplane models as a 
result of the proposed specific risk rule. The present value of 
$2,139,852 for 51 years can be calculated with the present value 
annuity formula, PVA = C [1-1/(1+r)\n\]/r = $2,139,852 x [1-1/
(1.07)\47\]/.07 = $26.4 million, where C = $2,139,852 is the average 
annual ``cash flow'' benefit, r = 0.07 is the discount rate, and n = 51 
years is the annuity length in years. However, to make benefits 
compatible with the cost of the rule analysis, the FAA must discount 
for an additional year to account for our assumed year for 
certification of the airplane models. Therefore, the present value of 
the AD cost savings is $24.5/1.07 = $24.6 million.
                                                         Table 5--SSA CSL+1 Costs Savings by AD
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                    PV AD cost
    No.            AD No.            Effective date of AD        Airplane model       ($2021)     Potential CSL+1 failure condition  Required AD actions
--------------------------------------------------------------------------------------------------------------------------------------------------------
1..........  2008-06-06........  April 16, 2008.............  All Boeing 767         $1,168,710  Extensive corrosion was found on    Repetitive
                                                               airplanes.                         the outside rod of a ballscrew in   inspections,
                                                                                                  the drive mechanism of the          lubrication,
                                                                                                  horizontal stabilizer trim          freeplay
                                                                                                  actuator (HSTA) of a Boeing Model   measurement, and
                                                                                                  757 airplane (AD for which is No.   corrective action,
                                                                                                  4 below). The HSTA drive            as specified in
                                                                                                  mechanisms on Boeing airplanes      Boeing Alert
                                                                                                  are designed similarly, in that     Service Bulletins
                                                                                                  they are of the rod-within-a-rod    767-27A0194 or 767-
                                                                                                  configuration. The corrosion was    27A0195, both
                                                                                                  on the outside rod, which           Revision 1, dated
                                                                                                  functions as a screw that drives    July 21, 2005; or
                                                                                                  the stabilizer and is the primary   both Revision 2,
                                                                                                  load path. If the outside rod       dated July 13,
                                                                                                  fails, load is transferred to the   2006; as
                                                                                                  secondary load path--the inner      applicable.
                                                                                                  rod--whose job is to hold the
                                                                                                  horizontal stabilizer in place so
                                                                                                  it does not run away causing loss
                                                                                                  of airplane control. In such a
                                                                                                  case, the flightcrew would
                                                                                                  typically be instructed to land
                                                                                                  at a suitable airport as soon as
                                                                                                  possible. Since corrosion of the
                                                                                                  outer rod could imply corrosion
                                                                                                  of the inner rod also, this AD
                                                                                                  reveals a potential CSL+1
                                                                                                  catastrophic accident where
                                                                                                  active failure of the outer rod
                                                                                                  occurs in conjunction with an
                                                                                                  already failed inner rod.
2..........  2009-14-06........  August 12, 2009............  All Boeing 777            853,970  See AD No. 1 above................  Maintenance record
                                                               airplanes.                                                             check and same
                                                                                                                                      actions as AD No.
                                                                                                                                      1.
[[Page 75445]]
 
3..........  2011-27-03........  February 10, 2012..........  All Boeing 737          3,709,424  See AD No. 1 above................  Modification as
                                                               airplanes.                                                             specified in
                                                                                                                                      Boeing Alert
                                                                                                                                      Service Bulletin
                                                                                                                                      737-27A1278,
                                                                                                                                      Revision 1, dated
                                                                                                                                      January 7, 2010;
                                                                                                                                      or Boeing Alert
                                                                                                                                      Service Bulletin
                                                                                                                                      737-27A1277,
                                                                                                                                      Revision 2, dated
                                                                                                                                      January 8, 2010;
                                                                                                                                      as applicable.
4..........  2012-16-16........  September 26, 2012.........  All Boeing 757          3,052,050  See AD No. 1 above................  See AD No. 1 above.
                                                               airplanes.
5..........  2009-20-12........  November 5, 2009...........  Certain Boeing 747     16,353,670  The FAA received several reports    Replace trailing
                                                               airplanes, as                      that the inboard trailing edge      edge (TE)
                                                               identified in                      flaps on Boeing Model 747           no-back
                                                               Boeing Special                     airplanes were partially            brakes with skewed
                                                               Attention Service                  retracted from the commanded        roller no-back
                                                               Bulletin 747-27-                   position due to failure of          brakes.
                                                               2422, dated                        transmission carbon disk ``no-
                                                               October 30, 2008.                  back'' brakes. This AD highlights
                                                                                                  a potential CSL+1 failure
                                                                                                  condition in which the no-back
                                                                                                  brake fails to hold the flap in
                                                                                                  its commanded position (latent
                                                                                                  failure) and the flap system
                                                                                                  transmission driveshaft breaks
                                                                                                  (active failure), causing the
                                                                                                  flap to ``freewheel.'' The no-
                                                                                                  back brake failure is latent
                                                                                                  because when it occurs, there is
                                                                                                  no means to check it in place
                                                                                                  without disconnecting the
                                                                                                  driveshaft and removing the
                                                                                                  gearbox in which it resides from
                                                                                                  the airplane. The dual failure
                                                                                                  would create unbalanced
                                                                                                  aerodynamic forces between wings
                                                                                                  that could cause the airplane to
                                                                                                  roll into a severe attitude,
                                                                                                  resulting in catastrophic loss of
                                                                                                  control.
6..........  2013-17-03........  October 4, 2013............  Airbus A330-200 and     3,048,381  See AD No. 5 above................  Assume immediate
                                                               -300; A340-200 and                                                     terminating
                                                               -300; and A340-541                                                     action:
                                                               and -642 series                                                        Replacement of all
                                                               airplanes.                                                             4 JURID wing tip
                                                                                                                                      brakes (WTBs) with
                                                                                                                                      MIBA WTBs.
7..........  2011-22-02........  November 29, 2011..........  All Airbus A310 and       526,557  This AD results from mandatory      Modification of the
                                                               A300 B4-600 and -                  continuing airworthiness            electrical
                                                               600R, F4-600R                      information (MCAI) originated by    installation in
                                                               (collectively                      EASA. An operator reported          the pylon/wing
                                                               called A300-600)                   several cases of wire damage at     interface to avoid
                                                               series airplanes.                  the pylon/wing interface.           wire damage.
                                                                                                  Analysis revealed that the wire
                                                                                                  damage was due to deficient
                                                                                                  information in installation
                                                                                                  drawings and job cards. The CSL+1
                                                                                                  problem here stems from the fact
                                                                                                  that Low Pressure Valve (LPV)
                                                                                                  wires were not segregated by
                                                                                                  design. The function of the LPV
                                                                                                  is to control the fuel supply at
                                                                                                  the engine-to-pylon interface. In
                                                                                                  case of fire, the fuel supply to
                                                                                                  the engines (or APU) is shut off
                                                                                                  by the LPVs, which are
                                                                                                  electrically actuated by
                                                                                                  operation of the engine (or APU)
                                                                                                  fire handle. The wire chafing
                                                                                                  could induce dormant failure of
                                                                                                  the LPV, preventing its closure
                                                                                                  and leading to an uncontrolled
                                                                                                  engine (or APU) fire.
8a.........  2014-03-08........  March 26, 2014.............  All Airbus A318,          535,501  This AD was prompted by an          Inspect to
                                                               A319, A320, and                    investigation finding that when     determine part
                                                               A321 series                        target and proximity sensors with   numbers of the
                                                               airplanes.                         certain combinations of serial      interconnecting
                                                                                                  numbers are installed on a flap     struts installed
                                                                                                  interconnecting strut, the target   on the wings and
                                                                                                  signal may not be detected.         the serial numbers
                                                                                                  Between the trailing edge flaps     of the associated
                                                                                                  (inboard and outboard) of an        target and
                                                                                                  Airbus Model A320 wing, there is    proximity sensors,
                                                                                                  an interconnecting strut, whose     and replace the
                                                                                                  function is to temporarily hold a   interconnecting
                                                                                                  flap if the flap's drive system     strut if
                                                                                                  disconnects in flight at the        applicable.
                                                                                                  gearbox (which is connected to
                                                                                                  the wing). The interconnecting
                                                                                                  strut has a proximity sensor that
                                                                                                  reads the relative movement
                                                                                                  between the flaps. The proximity
                                                                                                  sensor operates on the same
                                                                                                  principle as sensors used in a
                                                                                                  house alarm system. When a window
                                                                                                  is opened, the target mounted in
                                                                                                  the window moves away from the
                                                                                                  sensor installed in the
                                                                                                  windowsill. The alarm system
                                                                                                  knows the window is open.
                                                                                                  Similarly, if a flap drive system
                                                                                                  disconnects, there would be
                                                                                                  relative movement between the
                                                                                                  flaps observed by the sensor
                                                                                                  causing the flap control computer
                                                                                                  to shut down the flap system,
                                                                                                  thus preventing asymmetric flap
                                                                                                  movement between the wings. Given
                                                                                                  latent failure of an
                                                                                                  interconnecting strut sensor, a
                                                                                                  flap drive system disconnect
                                                                                                  could result in asymmetric flap
                                                                                                  panel movement and consequent
                                                                                                  loss of airplane control.
[[Page 75446]]
 
8b.........  2017-24-07........  January 5, 2018............  All Airbus A318,        1,512,126  Same as above. This superseding AD  Because of the
                                                               A319, A320, and                    was issued because EASA             nearly 4-year
                                                               A321 series                        determined that a wider range of    difference in the
                                                               airplanes.                         part numbers of affected            AD dates, in
                                                                                                  interconnecting struts should be    addition to
                                                                                                  checked.                            inspection of new
                                                                                                                                      airplanes, all of
                                                                                                                                      the airplanes that
                                                                                                                                      had been already
                                                                                                                                      inspected under
                                                                                                                                      the AD 2014-03-08
                                                                                                                                      requirements have
                                                                                                                                      to be re-inspected
                                                                                                                                      under 2017-24-07.
9..........  2014-11-10........  August 19, 2014............  Bombardier CL-600-      1,881,761  This AD was prompted by reports     Replace pitch feel
                                                               2B19 (Regional Jet                 that the shear pin in the input     simulator (PFS)
                                                               Series 100 & 440),                 lever of several PFS (Pitch Feel    units with
                                                               S/Ns 7003-8110                     Simulator) units failed due to      redesigned PFS
                                                               inclusive.                         fatigue, and by the development     units. This action
                                                                                                  of a re-designed PFS unit,          would terminate
                                                                                                  eliminating the need for            the currently
                                                                                                  repetitive functional tests. With   required
                                                                                                  latent failure of a PFS unit due    repetitive
                                                                                                  to a failed shear pin, the          function tests.
                                                                                                  failure of the second PFS unit
                                                                                                  would result in loss of pitch
                                                                                                  feel forces and consequent
                                                                                                  reduced control of the airplane.
                                                                                                  Loss of tactile feedback
                                                                                                  typically causes the pilot to
                                                                                                  overshoot commands to the control
                                                                                                  system. As an analogy, consider
                                                                                                  an automobile steering wheel. At
                                                                                                  low speeds, the feel is soft
                                                                                                  (requiring large turns to steer
                                                                                                  the front wheels a given amount).
                                                                                                  At high speeds, the feel is
                                                                                                  designed to be harder (requiring
                                                                                                  more force to steer the wheels a
                                                                                                  given amount). If the feel unit
                                                                                                  fails, we can still steer, but
                                                                                                  because the forces are the same
                                                                                                  at low and high speeds, we could
                                                                                                  lose control of the car at high
                                                                                                  speeds.
10.........  2015-19-01........  October 21, 2015...........  Boeing 777                 16,150  This AD was prompted by reports of  Revise maintenance
                                                               airplanes, Line                    latently-failed fuel shutoff        or inspection
                                                               Nos. 1 through                     valves caused by a design error     program, as
                                                               1104 inclusive.                    that affects both valve control     applicable, to
                                                                                                  and indication of the valve's       require a new
                                                                                                  position. As a result, the          airworthiness
                                                                                                  failure can lead to a large         limitation--a
                                                                                                  number of flights with the fuel     daily operational
                                                                                                  shutoff valve failed in the open    check of the fuel
                                                                                                  position without the operator       shutoff valve
                                                                                                  being aware of the failure.         position
                                                                                                  Latent failures of the fuel         indication.
                                                                                                  shutoff valve to the engine (or
                                                                                                  APU) could result in an inability
                                                                                                  to shut off fuel to the engine
                                                                                                  (or APU) and an uncontrollable
                                                                                                  fire that could lead to
                                                                                                  catastrophic wing failure.
11.........  2015-19-04........  October 21, 2015...........  All Boeing 757             50,150  See AD No. 10 above...............  See AD No. 10
                                                               airplanes.                                                             above.
12.........  2015-19-09........  November 3, 2015...........  All Boeing 787-8          111,421  See AD No. 10 above...............  1. Revise
                                                               airplanes.                                                             maintenance or
                                                                                                                                      inspection
                                                                                                                                      program.
                                                                                                                                     2. Replace engine
                                                                                                                                      and APU shutoff
                                                                                                                                      valve actuators
                                                                                                                                      with new
                                                                                                                                      actuators.
13.........  2015-21-09........  October 28, 2015...........  All Boeing 767             38,250  See AD No. 10 above...............  See AD No. 10
                                                               airplanes.                                                             above.
14.........  2015-21-10........  October 28, 2015...........  All Boeing 737-600,       105,740  See AD No. 10 above...............  See AD No. 10
                                                               -700, -700C, -800,                                                     above.
                                                               and -900 airplanes.
15a........  2016-04-06........  April 1, 2016..............  All Boeing 737-600,     2,455,178  During a simulated fire test in     Recurring test:
                                                               -700, -700C, -800,                 the forward cargo compartment on    Repetitive Smoke
                                                               and -900 airplanes.                737-800 airplanes, smoke            Clearance--
                                                                                                  penetrated into the passenger       Operational Test
                                                                                                  cabin and flightdeck when in the    for correct
                                                                                                  fire suppression configuration.     operation of the
                                                                                                  The smoke was observed entering     equipment cooling
                                                                                                  the passenger cabin, during         and low pressure
                                                                                                  steady state cruise and descent     environmental
                                                                                                  conditions, in quantities           control systems.
                                                                                                  significantly higher than amounts
                                                                                                  found acceptable during previous
                                                                                                  certification tests. Small
                                                                                                  amounts of smoke were observed in
                                                                                                  the flightdeck. A subsequent
                                                                                                  Boeing review found that there
                                                                                                  was no maintenance procedure
                                                                                                  available to inspect the
                                                                                                  components used to reconfigure
                                                                                                  the air distribution system.
                                                                                                  Latent failure of the equipment
                                                                                                  cooling system or low pressure
                                                                                                  environmental control system, in
                                                                                                  combination with a cargo fire,
                                                                                                  could result in smoke in the main
                                                                                                  cabin and flightdeck and possible
                                                                                                  loss of airplane control. The
                                                                                                  maintenance procedure could
                                                                                                  reduce the likelihood of such
                                                                                                  latent failures.
15b........  2016-04-06........  April 1, 2016..............  Certain Boeing 737-    28,776,535  Incorporation of this               Concurrent
                                                               600, -700, -700C,                  non-recurring action                non-recurring
                                                               -800, -900, and                    (required by Boeing Special         action: Install
                                                               -900ER series                      Attention Service Bulletin 737-     new relays and do
                                                               airplanes.                         26A1137, Revision 1, dated August   wiring changes to
                                                                                                  13, 2009) is necessary to ensure    the environmental
                                                                                                  that the Smoke Clearance            control system
                                                                                                  Mode-Operational Test result
                                                                                                  of the recurring action is
                                                                                                  satisfactory.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                   Total = $64,195,524
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sources: The Federal Register reference for each AD is noted in ``Appendix Table 6'' of the ``Regulatory Evaluation'' in the docket.
Note 1: Information in the ADs was in some cases supplemented and corrected by the FAA safety engineers assigned to the ADs or by the Systems Policy
  Branch (AIR-630), Safety Risk Management Section (AIR-633).
Note 2: For non-recurring actions, we assume compliance times to be at, or close to, the midpoint of the compliance period specified in the AD (or
  associated service bulletin). For recurring actions, we assume compliance times to be at the end of a compliance period, or somewhat earlier. See
  ``Appendix Table 6'' in the ``Regulatory Evaluation'' for details on data assumptions and calculations.
6. Summary of Costs and Benefits of Specific Risk Rule
    In table 6 below, the FAA summarizes the costs and benefits of the 
proposed specific risk rule. As the table shows, the proposed rule is 
cost-beneficial with present value cost savings of $24.6 million far 
exceeding present value costs of $15.8 million. Net cost savings are 
$8.8 million in present value. A similar analysis at a 3 percent 
discount rate finds present value cost savings to be $43.6 million, 
exceeding $31.7 million in present value costs, and resulting in $11.9 
million in net cost savings.
                        Table 6--Summary of Cost-Benefit Analysis for Specific Risk Rule
                                         [Present value $2021 millions]
----------------------------------------------------------------------------------------------------------------
                                                                  Part 25  large        Part 25        Part 25
                         Cost category                              transports       business jets    airplanes
----------------------------------------------------------------------------------------------------------------
Non-Recurring Engineering Costs...............................                $2.5             $0.8         $3.4
Hardware & Installation Costs per Airplane....................                 0.0              0.0          0.0
Operating Costs per Airplane per Year.........................                10.8              1.7         12.5
                                                               -------------------------------------------------
Total PV Costs................................................                13.3              2.5         15.8
                                                               -------------------------------------------------
Cost Savings (Value of Avoided ADs)...........................  ..................  ...............         24.6
                                                               -------------------------------------------------
Net Cost Savings..............................................  ..................  ...............          8.8
----------------------------------------------------------------------------------------------------------------
Note 1: Cost savings reflect assumption of 90 percent rule effectiveness.
Note 2: Numbers may not add to totals due to rounding. Present values are calculated using a discount rate of
  seven percent. Present values using a three percent discount rate are provided in the Regulatory Impact
  Analysis available in the docket.
7. Section 25.1309: Equipment, Systems, and Installations
    In section I.A.5 above, the FAA undertook the cost benefit analysis 
of the proposed specific risk rule, Sec.  25.1309(b)(5). This section 
discusses the remaining paragraphs of Sec.  25.1309.
a. Section 25.1309(a)
    The proposed rule would revise Sec.  25.1309(a) into two 
paragraphs. Proposed Sec.  25.1309(a)(1) would revise the applicability 
of the Sec.  25.1309(a) requirement that equipment and systems perform 
their functions as intended. Proposed Sec.  25.1309(a)(1) clarifies 
that it applies to any equipment or system installed in the airplane, 
and whose improper functioning would reduce safety, regardless of 
whether it is required for type certification, operating approval, or 
is optional equipment. As this requirement merely harmonizes with 
EASA's corresponding requirement, with which part 25 manufacturers are 
already in compliance, there is no additional cost. However, the 
requirement has the minimal benefits of the reduced cost of joint 
harmonization and, therefore, would be cost beneficial.
    Along with an associated change to Sec.  25.1301, Function and 
Installation, proposed Sec.  25.1309(a)(2) would allow equipment 
associated with passenger amenities (e.g., entertainment displays and 
audio systems) not to function as intended as long as the failure of 
such systems would not affect airplane safety. No safety benefit is 
derived from demonstrating that such equipment performs as intended, if 
failing to perform as intended would not affect safety. Accordingly, 
this proposed change would reduce the certification cost of passenger 
amenities for airplane manufacturers without affecting safety, and, 
therefore, this proposed change would be cost-beneficial.
b. Section 25.1309(b)(1), (2), and (3): Average Risk and Fail Safe 
Criteria
    The current rule requires airplane systems and associated 
components be designed so that any failure condition that would prevent 
the continued safe flight and landing of the airplane (catastrophic 
failure condition) is ``extremely improbable,'' a condition specified 
in current AC 25.1309-1A as having a probability on the order of 
<=10^-9 per flight hour. However, as recommended by the 
SDAHWG, the proposed text of Sec.  25.1309(b) would explicitly require 
that single failures must not result in catastrophic failures--the ``no 
single failure'' fail-safe requirement. As it harmonizes with the 
equivalent EASA requirement and is already current industry practice 
(see the ``Arsenal'' version of AC 25.1309), this proposed ``no single 
failure'' requirement would be cost beneficial as it entails no 
additional cost but has
benefits from the reduced costs of joint harmonization.\56\
---------------------------------------------------------------------------
    \56\ The no single failure requirement was inadvertently removed 
in 1970 but remained industry practice. At the same time, the no 
single failure requirement was made explicit for flight controls 
and, in 1977, was made explicit for powerplants.
---------------------------------------------------------------------------
    The current rule requires any failure condition that would reduce 
the capability of the airplane or the ability of the crew to cope with 
adverse operating conditions to be ``improbable'' (on the order of 
10^-9 < p <= 10^-5, where p is probability), a 
condition specified under current AC 25.1309-1A as ``major.'' Current 
practice, however, is the ``Arsenal'' version of AC 25.1309, under 
which the old ``major'' failure condition has been divided into two 
categories: ``hazardous'' (on the order of 10^-9 < p <= 
10^-7) and ``major'' (on the order of 10^-7 < p 
<= 10^-5). These categories have been incorporated into the 
proposed rule. As it harmonizes with corresponding EASA major and 
hazardous categories and is current industry practice, this proposed 
rule change would be cost beneficial as it entails no additional costs 
but has benefits from the reduced costs of joint harmonization.
c. Section 25.1309(b)(4): Limit Latency Criteria
    Proposed Sec.  25.1309(b)(4) specifies criteria that would apply to 
any SLF. The purpose of proposed Sec.  25.1309(b)(4) is to limit SLFs 
whenever practical so as to limit conditions where the airplane is one 
failure away from a hazardous or catastrophic accident.
    It is already industry practice to eliminate SLFs when practical, 
as required by proposed Sec.  25.1309(b)(4)(i); therefore, the proposal 
would entail no additional cost. In any case, proposed Sec.  
25.1309(b)(4) is cost beneficial because proposed paragraph (4)(i) is 
limited by paragraph (4)(ii) and, further, under Sec.  
25.1309(b)(4)(iii), both paragraphs (4)(i) and (b)(4)(ii) are not 
required when impractical.
d. Section 25.1309(c): Flightcrew Alerting
    Section 25.1309(c) would continue to require that the flightcrew be 
provided with information concerning unsafe system operating 
conditions. Section 25.1322 would continue to require that alerting be 
provided. The only proposed change in this rule is to remove the 
conflict with Sec.  25.1322, Flightcrew Alerting. Accordingly, there is 
no cost (or benefit) entailed by the proposed rule change.
e. Section 25.1309(d) and H25.4: Certification Maintenance Requirements
    Proposed Sec.  25.1309(d) would be a new rule requiring that CMRs 
be established, as necessary, to prevent catastrophic and hazardous 
failure conditions described in proposed Sec.  25.1309(b). The proposed 
rule also would require these CMRs to be contained in the ALS of the 
ICA required by Sec.  25.1529. This latter requirement is an industry 
recommendation via the SE-172 Taskforce to CAST \57\, and it addresses 
the taskforce's recognition that CMRs are critical to safety and should 
be treated similarly to other airworthiness limitations.
---------------------------------------------------------------------------
    \57\ More information on CAST and the task force findings is 
available in the docket and on the internet at https://www.skybrary.aero/bookshelf/views/bookDetails.php?bookId=2553.
---------------------------------------------------------------------------
    Both of these proposed requirements would codify industry practice 
and would harmonize with EASA's changes to CS 25.1309 and H25.4, and so 
would entail no additional costs. However, the requirements would have 
the benefits of reduced joint harmonization costs and, therefore, would 
be cost beneficial.
8. Section 25.671: General Control Systems
a. Section 25.671(a), (d), (e), and (f)
    Since industry has been meeting the proposed criteria in paragraphs 
(a), (e), and (f) under special conditions since the early 1980s, the 
FAA believes that these proposed criteria are now met at minimal cost. 
The modification to Sec.  25.671(d) clarifies that controllability 
includes the capability to flare to a landing and controlled stop. The 
FAA believes that if the airplane is controllable, the manufacturer 
will be able to meet the requirement for flare and braking capability 
at minimal cost. The FAA requests comments on these findings.
b. Section 25.671(b): Minimize Probability of Incorrect Assembly
    Section 25.671(b) would be revised to allow distinctive and 
permanent marking to minimize the probability of incorrect assembly 
only when design means are impractical. This revision was recommended 
by the FCHWG. It is expert consensus that the physical prevention of 
misassembly by design is safer than reliance on marking, which can be 
overlooked or ignored. Since distinctive and permanent marking to 
minimize the probability of incorrect assembly is disallowed only when 
design means are practical, the expected gain in safety benefits from 
the reduced probability of incorrect assembly would be greater than the 
costs of the proposed revision. The FAA requests comments on its 
finding that this provision is cost-beneficial.
c. Section 25.671(c)
    The FAA proposes to revise Sec.  25.671(c). Current Sec.  
25.671(c)(1) and (c)(2) would be removed, because the applicability of 
Sec.  25.1309 would be clarified to be any equipment or system as 
installed on the airplane, so it would apply to flight control systems 
and would accomplish the safety objective of Sec.  25.671(c)(1) and 
(c)(2). Proposed 25.671(c) differs from the current rule as follows:
     Proposed Sec.  25.671(c) addresses only jams that are due 
to a physical interference, for example, foreign or loose object, 
system icing, corroded bearings, etc. (Jams due to other reasons are 
covered by Sec.  25.1309.)
     Proposed Sec.  25.671(c) does not allow jams to be 
considered extremely improbable, except those jams that occur just 
before landing.
     Proposed Sec.  25.671(c)(3) specifies that, given a jam 
due to a physical interference, the combined probability is less than 
1/1000 that any additional failure conditions could prevent continued 
safe flight and landing. As the main intent of Sec.  25.671(c)(3) is to 
limit the probability of a latent failure of any jam alleviation device 
(such as a breakout device), Sec.  25.671(c)(3) is largely redundant to 
the proposed Sec.  25.1309(b)(5) latent risk requirement.
     Proposed Sec.  25.671(c) would no longer address a runaway 
of a flight control surface and subsequent jam as such jams would be 
adequately addressed by proposed Sec.  25.1309.
    As proposed Sec.  25.671(c) has been used by many manufacturers as 
an ELOS, the FAA believes its use is current practice. Accordingly, 
there are no additional costs (or benefits) from Sec.  25.671(c)(1). 
The FAA requests comments on this conclusion.
9. Section 25.901: Installation Engines
    Proposed Sec.  25.901 would specify that Sec.  25.1309 applies to 
powerplant installations, as it does for all airplane systems. 
Accordingly, the current provision in Sec.  25.901(c) prohibiting 
catastrophic single failures or probable combinations of failures would 
be removed. Applicant requirements would not change as a result of this 
revised rule. The proposed revision would harmonize Sec.  25.901(c) 
with EASA's corresponding CS 25.901(c). Accordingly, the proposed 
revision would be cost-beneficial as it entails no additional cost but 
has benefits from the reduced costs of joint harmonization.
The FAA requests comments on this conclusion.
10. Section 25.933: Reversing Systems
    Proposed Sec.  25.933(a)(1)(i) retains, as an option, the 
``controllability'' standard of the current rule. Proposed Sec.  
25.933(a)(1)(ii) is an additional, ``reliability,'' option. The service 
history of airplanes certified under the current rule--most 
prominently, the Lauda Air accident--demonstrates that the fail-safe 
intent of the controllability requirement had not been achieved.
    The PPIHWG recommended adding the reliability option, concluding 
that applicants should be allowed to select the most suitable option 
for their particular type designs or failure conditions addressed. This 
option is especially valuable given its improvement implied by the 
proposed revision to Sec.  25.1309.\58\ This proposed change allows 
additional flexibility in design development, thus reducing costs by 
allowing manufacturers to achieve the intended level of safety in the 
most cost-effective manner. As this proposed rule would be cost 
relieving, it would be cost beneficial. The FAA requests comments on 
this conclusion.
---------------------------------------------------------------------------
    \58\ It should be noted that the controllability option would 
still require compliance with Sec.  25.1309. But when an applicant 
demonstrates compliance using the controllability option, an 
unwanted thrust reversal in flight will be classified at worst as a 
``major'' failure, thereby making compliance with Sec.  25.1309(b) 
much easier.
---------------------------------------------------------------------------
11. Section 25.302: Interaction of Systems and Structures
    Proposed Sec.  25.302 would be a new rule that would incorporate, 
with some modifications, the criteria the LDHWG recommended in December 
2000, and the FCHWG in September 2002. EASA has already incorporated 
the criteria developed by the LDHWG into CS 25.302 and appendix K of 
CS-25.
    The proposed rule would specifically address any system failure 
condition considered under Sec.  25.1309 that can affect the structural 
performance of the airplane. Systems affect structural performance if 
they induce loads on the airframe or if they change the response of the 
airplane to inputs such as gusts or pilot actions, either directly or 
as a result of failure. Systems that affect structural performance are 
flight control computers, autopilots, stability augmentation systems, 
load alleviation systems, and fuel management systems. The proposed 
rule would also apply to hydraulic systems, electrical systems, and 
mechanical systems.
    U.S. part 25 manufacturers already comply with EASA's CS 25.302, 
which went into effect in November 2004. Accordingly, the costs of 
compliance with the FAA's proposed Sec.  25.302 depend on the extent 
to which it harmonizes with CS 25.302. If the provisions of proposed 
Sec.  25.302 are identical with, less onerous than, or, more generally, 
satisfied by, the provisions of CS 25.302, then compliance with CS 
25.302 would also mean compliance with proposed Sec.  25.302. This 
harmonization means U.S. part 25 manufacturers would incur no 
incremental compliance costs. If the provisions of proposed Sec.  
25.302 are more onerous than, or, more generally, not satisfied by, the 
provisions of CS 25.302, then manufacturers would incur incremental 
compliance costs.
    The FAA now assesses the benefits and costs of proposed Sec.  
25.302 by section:
a. Section 25.302(a): At the Time of Failure Occurrence
    For the assessment of the initial failure condition, EASA's CS 
25.302 allows the safety factor to decline linearly from 1.5 to 1.25 as 
the probability of failure declines from 10^-5 to 
10^-9 per flight hour but proposed Sec.  25.302(a) keeps the 
factor at 1.5. The FAA proposal, therefore, would be more conservative 
in this regard, but, after two decades of special conditions, this more 
conservative factor is now easily met by manufacturers. Therefore, the 
cost effect would be minimal. As safety would be higher compared to CS 
25.302, this proposed requirement would be cost beneficial. The FAA 
requests comments on this finding.
b. Section 25.302(b): Continuation of Flight After Failure
    CS 25.302 requires that loads be determined for several CS-25 
design load conditions, whereas the FAA proposal would require that 
loads be determined for any design load condition that would be 
affected. CS 25.302 requires a safety factor of 1.5 for a failure 
condition with a failure rate above 10^-5, but which declines 
linearly to 1.0 as probability declines from 10^-5 to 
10^-9.
    The FAA proposal specifies a safety factor of 1.5 but would reduce 
the safety factor to 1.0 if the failure condition is annunciated, 
because the probability of an extreme maneuver would be reduced as the 
pilot would be aware that a failure condition had occurred. The FAA 
would reduce the safety factor to 1.25 if the failure condition is 
extremely remote (probability of the order of <=10^-7 per 
flight hour). The probability is very low that a design load condition 
would occur subsequent to a system failure on the same flight. The FAA 
proposal, therefore, is less conservative than the EASA requirement in 
requiring lower safety factors, particularly for annunciated failures; 
and most failures that affect structures would be annunciated.
    The FAA proposal is more conservative, however, in applying to all 
load conditions specified in subpart C, with the possible result of 
higher engineering, hardware, and operating compliance costs relative 
to EASA requirements. Nevertheless, the FAA believes that the safety 
benefits would continue to outweigh the costs. The FAA requests 
comments on this conclusion.
c. Section 25.302(d)
    This proposed rule would require the residual strength evaluation 
be conducted according to Sec.  25.571--the fatigue and damage 
tolerance rule--and it, therefore, assesses the residual strength load 
conditions in Sec.  25.571, rather than the load conditions listed in 
CS 25.302. This proposed change would result in little or no increase 
in workload and, consequently, would have minimal cost because 
manufacturers already use the Sec.  25.571 process and because the 
differences in load conditions between the two provisions are not 
significant. The FAA requests comments on this finding.
d. Section 25.302(e): Dispatch Requirements
    CS 25.302 requires that anticipated dispatch configurations be 
addressed by meeting the strength and flutter aspects of CS 25.302 
taking into account the probability of being in that configuration. CS 
25.302 includes: ``Flight limitations and expected operational 
limitations may be taken into account in establishing . . . the 
combined probability of being in the dispatched failure condition and 
the subsequent failure condition for the safety margins . . . . '' \59\ 
This means that the applicant must combine the probability of being in 
the dispatched state with the probability of subsequent failures to 
determine safety margins. This analysis obviously involves a fair 
amount of probability work. Moreover, for the dispatched configuration, 
CS 25.302 would consider any failure condition not shown to be 
extremely improbable (on the order of <=10^-9 per flight 
hour). Several applicants have specifically objected to the CS dispatch 
rule because of this latter requirement.
---------------------------------------------------------------------------
    \59\ EASA CS-25, amendment 11, dated July 4, 2011.
---------------------------------------------------------------------------
    In contrast, the FAA proposal is simpler, less onerous, and 
involves less
probability work. First, the proposal does not include flutter 
criteria. Second, the proposal assumes a probability of one for the 
dispatched configuration, and subsequent failures would be considered 
only if they were single failures or if they are not extremely remote 
(of the order of <=10^-7 per flight hour). The FAA believes 
that the incremental cost of the simpler and less onerous FAA proposal 
is so low that the safety benefits of the proposal would continue to 
outweigh the costs. The FAA requests comments on this finding.
B. Regulatory Flexibility Determination
    The Regulatory Flexibility Act of 1980 (Pub. L. 96-354) (RFA) 
establishes ``as a principle of regulatory issuance that agencies shall 
endeavor, consistent with the objectives of the rule and of applicable 
statutes, to fit regulatory and informational requirements to the scale 
of the businesses, organizations, and governmental jurisdictions 
subject to regulation. To achieve this principle, agencies are required 
to solicit and consider flexible regulatory proposals and to explain 
the rationale for their actions to assure that such proposals are given 
serious consideration.'' The RFA covers a wide range of small entities, 
including small businesses, not-for-profit organizations, and small 
governmental jurisdictions. Agencies must perform a review to determine 
whether a rule will have a significant economic impact on a substantial 
number of small entities. If the agency determines that it will, the 
agency must prepare a regulatory flexibility analysis as described in 
the RFA.
    However, if an agency determines that a rule is not expected to 
have a significant economic impact on a substantial number of small 
entities, section 605(b) of the RFA provides that the head of the 
agency may so certify, and a regulatory flexibility analysis is not 
required. The certification must include a statement providing the 
factual basis for this determination, and the reasoning should be 
clear.
    All U.S. manufacturers (applicants for type certification) of large 
transports or part 25 business jets are large companies with more than 
1,500 employees or are subsidiaries of large companies so-defined and, 
therefore, are not classified as small entities by the Small Business 
Administration.\60\ Operators of part 25 airplanes will be directly 
affected by the $1,102 annual incremental operating cost (maintenance) 
per large transport and the $147 annual incremental operating cost per 
part 25 business jet. These costs are minimal, especially compared to 
the high annual operating cost of part 25 airplanes.
---------------------------------------------------------------------------
    \60\ The Small Business Administration criterion for small 
aircraft manufacturers is 1,500 employees or less.
---------------------------------------------------------------------------
    If an agency determines that a rulemaking will not result in a 
significant economic impact on a substantial number of small entities, 
the head of the agency may so certify under section 605(b) of the RFA. 
Therefore, as provided in section 605(b), the head of the FAA proposes 
that this proposed rulemaking would not result in a significant 
economic impact on a substantial number of small entities. The FAA 
requests comments on this determination.
C. International Trade Impact Assessment
    The Trade Agreements Act of 1979 (Pub. L. 96-39), as amended by the 
Uruguay Round Agreements Act (Pub. L. 103-465), prohibits Federal 
agencies from establishing standards or engaging in related activities 
that create unnecessary obstacles to the foreign commerce of the United 
States. Pursuant to these Acts, the establishment of standards is not 
considered an unnecessary obstacle to the foreign commerce of the 
United States, so long as the standard has a legitimate domestic 
objective, such as the protection of safety, and does not operate in a 
manner that excludes imports that meet this objective. The statute also 
requires consideration of international standards and, where 
appropriate, that they be the basis for U.S. standards.
    The FAA has assessed the effect of this proposed rule and 
determined that its purpose is to ensure the safety of U.S. civil 
aviation. Therefore, this proposed rule is in compliance with the Trade 
Agreements Act.
D. Unfunded Mandates Assessment
    Title II of the Unfunded Mandates Reform Act of 1995 (Pub. L. 
104-4) requires each Federal agency to prepare a written statement 
assessing the effects of any Federal mandate in a proposed or final 
agency rule that may result in an expenditure of $100 million or more 
(in 1995 dollars) in any one year by State, local, and tribal 
governments, in the aggregate, or by the private sector; such a mandate 
is deemed to be a ``significant regulatory action.'' The FAA currently 
uses an inflation-adjusted value of $155.0 million in lieu of $100 
million. This proposed rule does not contain such a mandate; therefore, 
the requirements of Title II of the Act do not apply.
E. Paperwork Reduction Act
    The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires 
that the FAA consider the impact of paperwork and other information 
collection burdens imposed on the public. The FAA has determined that 
there would be no new requirement for information collection associated 
with this proposed rule.
F. International Compatibility and Cooperation
    In keeping with U.S. obligations under the Convention on 
International Civil Aviation, it is FAA policy to conform to 
International Civil Aviation Organization (ICAO) Standards and 
Recommended Practices to the maximum extent practicable. The FAA has 
determined that there are no ICAO Standards and Recommended Practices 
that correspond to these proposed regulations.
    In January of 2020, EASA published CS 25 amendment 24, which bore 
many similarities to this proposal, including added criteria for latent 
failures in CS 25.1309.
G. Environmental Analysis
    FAA Order 1050.1F identifies FAA actions that are categorically 
excluded from preparation of an environmental assessment or 
environmental impact statement under the National Environmental Policy 
Act in the absence of extraordinary circumstances. The FAA has 
determined this rulemaking action qualifies for the categorical 
exclusion identified in paragraph 5-6.6 and involves no extraordinary 
circumstances.
V. Executive Order Determinations
A. Executive Order 13132, Federalism
    The FAA has analyzed this proposed rule under the principles and 
criteria of Executive Order 13132, ``Federalism'' (64 FR 43255, August 
10, 1999). The agency has determined that this action would not have a 
substantial direct effect on the States, or the relationship between 
the Federal Government and the States, or on the distribution of power 
and responsibilities among the various levels of government, and, 
therefore, would not have federalism implications.
B. Executive Order 13211, Regulations That Significantly Affect Energy 
Supply, Distribution, or Use
    The FAA analyzed this proposed rule under Executive Order 13211, 
``Actions Concerning Regulations that Significantly Affect Energy 
Supply, Distribution, or Use'' (66 FR 28355, May
[[Page 75451]]
18, 2001). The agency has determined that it would not be a 
``significant energy action'' under the Executive order and would not 
be likely to have a significant adverse effect on the supply, 
distribution, or use of energy.
C. Executive Order 13609, International Cooperation
    Executive Order 13609, ``Promoting International Regulatory 
Cooperation,'' (77 FR 26413, May 4, 2012) promotes international 
regulatory cooperation to meet shared challenges involving health, 
safety, labor, security, environmental, and other issues and to reduce, 
eliminate, or prevent unnecessary differences in regulatory 
requirements. The FAA has analyzed this action under the policies and 
agency responsibilities of Executive Order 13609 and has determined 
that this action would have no effect on international regulatory 
cooperation.
VI. Additional Information
A. Comments Invited
    The FAA invites interested persons to participate in this 
rulemaking by submitting written comments, data, or views. The agency 
also invites comments relating to the economic, environmental, energy, 
or federalism impacts that might result from adopting the proposals in 
this document. The most helpful comments reference a specific portion 
of the proposal, explain the reason for any recommended change, and 
include supporting data. To ensure the docket does not contain 
duplicate comments, commenters should send only one copy of written 
comments, or if comments are filed electronically, commenters should 
submit only one time.
    Except for Confidential Business Information (CBI) as described in 
the following paragraph, and other information as described in 14 CFR 
11.35, the FAA will file in the docket all comments it receives, as 
well as a report summarizing each substantive public contact with FAA 
personnel concerning this proposed rulemaking. Before acting on this 
proposal, the FAA will consider all comments it receives on or before 
the closing date for comments. The FAA will consider comments filed 
after the comment period has closed if it is possible to do so without 
incurring expense or delay. The agency may change this proposal in 
light of the comments it receives.
    Confidential Business Information: Confidential Business 
Information (CBI) is commercial or financial information that is both 
customarily and actually treated as private by its owner. Under the 
Freedom of Information Act (FOIA) (5 U.S.C. 552), CBI is exempt from 
public disclosure. If your comments responsive to this NPRM contain 
commercial or financial information that is customarily treated as 
private, that you actually treat as private, and that is relevant or 
responsive to this NPRM, it is important that you clearly designate the 
submitted comments as CBI. Please mark each page of your submission 
containing CBI as ``PROPIN.'' The FAA will treat such marked 
submissions as confidential under the FOIA, and they will not be placed 
in the public docket of this NPRM. Submissions containing CBI should be 
sent to Suzanne Masterson, Strategic Policy Transport Section, AIR-614, 
Strategic Policy Management Branch, Policy and Innovation Division, 
Aircraft Certification Service, Federal Aviation Administration, 2200 
South 216th Street, Des Moines, WA 98198; email 
[email protected]. Any commentary that the FAA receives which 
is not specifically designated as CBI will be placed in the public 
docket for this rulemaking.
B. Availability of Rulemaking Documents
    An electronic copy of rulemaking documents may be obtained from the 
internet by--
    1. Searching the Federal eRulemaking Portal at www.regulations.gov;
    2. Visiting the FAA's Regulations and Policies web page at 
www.faa.gov/regulations_policies; or
    3. Accessing the Government Printing Office's web page at 
www.GovInfo.gov.
    Copies may also be obtained by sending a request to the Federal 
Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence 
Avenue SW, Washington, DC 20591, or by calling (202) 267-9680. 
Commenters must identify the docket or notice number of this 
rulemaking.
    All documents the FAA considered in developing this proposed rule, 
including economic analyses and technical reports, may be accessed from 
the internet through the Federal eRulemaking Portal referenced in item 
(1) above.
List of Subjects in 14 CFR Part 25
    Aircraft, Aviation safety, Reporting and recordkeeping 
requirements.
The Proposed Amendment
    In consideration of the foregoing, the Federal Aviation 
Administration proposes to amend chapter I of title 14, Code of Federal 
Regulations as follows:
PART 25--AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES
1. The authority citation for part 25 continues to read as follows:
    Authority: 49 U.S.C. 106(f), 106(g), 40113, 44701, 44702 and 
44704.
2. Add Sec.  25.4 to read as follows:
Sec.  25.4  Definitions.
    (a) For the purposes of this part, the following general 
definitions apply:
    (1) Certification maintenance requirement means a required 
scheduled maintenance task established during the design certification 
of the airplane systems as an airworthiness limitation of the type 
certificate or supplemental type certificate.
    (2) Significant latent failure is a latent failure that, in 
combination with one or more specific failures or events, would result 
in a hazardous or catastrophic failure condition.
    (b) For purposes of this part, the following failure conditions, in 
order of increasing severity, apply:
    (1) Major failure condition means a failure condition that would 
reduce the capability of the airplane or the ability of the flightcrew 
to cope with adverse operating conditions, to the extent that there 
would be--
    (i) A significant reduction in safety margins or functional 
capabilities,
    (ii) A significant increase in flightcrew workload or in conditions 
impairing the efficiency of the flightcrew,
    (iii) Physical distress to passengers or flight attendants, 
possibly including injuries, or
    (iv) An effect of similar severity.
    (2) Hazardous failure condition means a failure condition that 
would reduce the capability of the airplane or the ability of the 
flightcrew to cope with adverse operating conditions, to the extent 
that there would be--
    (i) A large reduction in safety margins or functional capabilities,
    (ii) Physical distress or excessive workload such that the 
flightcrew cannot be relied upon to perform their tasks accurately or 
completely, or
    (iii) Serious or fatal injuries to a relatively small number of 
persons other than the flightcrew.
    (3) Catastrophic failure condition means a failure condition that 
would result in multiple fatalities, usually with the loss of the 
airplane.
    (c) For purposes of this part, the following failure conditions in 
order of decreasing probability apply:
    (1) Probable failure condition means a failure condition that is 
anticipated to
[[Page 75452]]
occur one or more times during the entire operational life of each 
airplane of a given type.
    (2) Remote failure condition means a failure condition that is not 
anticipated to occur to each airplane of a given type during its entire 
operational life, but which may occur several times during the total 
operational life of all airplanes of a given type.
    (3) Extremely remote failure condition means a failure condition 
that is not anticipated to occur to each airplane of a given type 
during its entire operational life, but which may occur a few times 
during the total operational life of all airplanes of a given type.
    (4) Extremely improbable failure condition means a failure 
condition that is not anticipated to occur during the total operational 
life of all airplanes of a given type.
3. Add Sec.  25.302 to subpart C to read as follows:
Sec.  25.302  Interaction of systems and structures.
    This section applies to systems that affect the structural 
performance of the airplane. The applicant must include the effects of 
systems when conducting the analyses and tests necessary to show 
compliance with subparts C and D of this part. For any system failure 
condition that either results from a single failure or is not extremely 
improbable, paragraphs (a) through (e) of this section apply. This 
section does not apply to the flight control jam conditions prescribed 
in Sec.  25.671(c) or the discrete source events prescribed in Sec.  
25.571(e).
    (a) Loads occurring at the time of failure and immediately after 
failure. The airplane must be able to withstand the loads occurring at 
the time of failure and immediately after failure. The applicant must 
determine these loads at speeds up to V_C/M_C, 
starting from 1-g level flight conditions, and assuming realistic 
scenarios, including pilot corrective actions. These are limit loads, 
and the applicant must apply a safety factor of 1.5 to determine 
ultimate loads.
    (b) Limit flight and ground loads following the system failure. In 
the system-failed state, the airplane must be able to withstand the 
limit flight and ground loads specified in subpart C of this part at 
speeds up to V_C/M_C or the speed limitation 
specified for the remainder of the flight. The applicant must apply a 
safety factor of 1.5 to determine ultimate loads, except as provided in 
paragraphs (b)(1) or (2) of this section.
    (1) If the failure would be immediately annunciated or otherwise 
obvious to the flightcrew, then the applicant may use a safety factor 
of 1.0. The applicant may also take into account any resulting 
configuration changes or operating limitations specified in the 
Airplane Flight Manual.
    (2) If the failure would not be immediately annunciated or 
otherwise obvious to the flightcrew, but the failure condition is 
extremely remote, then the applicant may use a safety factor of 1.25.
    (c) Damage tolerance evaluation. When conducting the damage 
tolerance evaluation required by Sec.  25.571, the applicant must take 
into account the fatigue loads induced by any failure condition. These 
fatigue loads must be included as part of the typical loading spectra 
at a rate commensurate with the probability of their occurrence.
    (d) Residual strength loads. For any probable failure condition 
that would affect the residual strength loads prescribed in Sec.  
25.571(b), the applicant must conduct a residual strength evaluation as 
prescribed in that paragraph under the assumption that the failure 
condition has occurred. The applicant must calculate these residual 
strength loads using at least two-thirds of the applicable safety 
factor specified in paragraph (b) of this section.
    (e) Master Minimum Equipment List. If the applicant submits for 
approval a Master Minimum Equipment List that allows dispatch in a 
system-failed state that can affect structural performance, the 
following requirements apply:
    (1) In the dispatched configuration, the airplane must meet the 
design load requirements of subpart C of this part, assuming any 
operating limitations, including configuration changes, that apply to 
the dispatched airplane; and
    (2) In the dispatched configuration, the airplane must meet the 
requirements of paragraphs (a) and (b) of this section, taking into 
account any subsequent single failure, and separately, any combination 
of failures that are not extremely remote.
4. Amend Sec.  25.629 by revising the introductory text of paragraphs 
(b) and (d), redesignating paragraph (d)(10) as paragraph (d)(11), and 
adding paragraph (d)(10) to read as follows:
Sec.  25.629  Aeroelastic stability requirements.
* * * * *
    (b) Aeroelastic stability envelopes. The airplane must be free from 
aeroelastic instability within the aeroelastic stability envelopes 
described in this paragraph for all configurations and design 
conditions, and for the load factors specified in Sec.  25.333.
* * * * *
    (d) Failures, malfunctions, and adverse conditions. The failures, 
malfunctions, and adverse conditions that must be considered in showing 
compliance with this section are:
* * * * *
    (10) Each of the following failure combinations:
    (i) Any dual hydraulic system failure.
    (ii) Any dual electrical system failure.
    (iii) Any single failure in combination with any probable hydraulic 
or electrical failure.
* * * * *
5. Revise Sec.  25.671 to read as follows:
Sec.  25.671  General.
    (a) Each flight control and flight control system must operate with 
the ease, smoothness, and positiveness appropriate to its function. The 
flight control system must continue to operate and respond 
appropriately to commands, and must not hinder airplane recovery, when 
the airplane is experiencing any pitch, roll, or yaw rate, or vertical 
load factor that could occur due to operating or environmental 
conditions, or when the airplane is in any attitude.
    (b) Each element of each flight control system must be designed, or 
distinctively and permanently marked, to minimize the probability of 
incorrect assembly that could result in failure of the system to 
perform its intended function. The applicant may use distinctive and 
permanent marking only where design means are impractical.
    (c) The applicant must show by analysis, test, or both that the 
airplane is capable of continued safe flight and landing after any 
failure or event that results in a jam of a flight control surface or 
pilot control due to a physical interference.
    (1) The applicant must assume the jam evaluated under this 
paragraph occurs at any normally encountered position of the flight 
control surface or pilot control.
    (2) The applicant must assume the jam evaluated under this 
paragraph occurs anywhere within the normal flight envelope, except 
that the applicant need not account for flight control jams that occur 
immediately before touchdown if the applicant shows that such jams are 
extremely improbable.
    (3) In the presence of a jam evaluated under this paragraph, any 
additional failure conditions that could prevent continued safe flight 
and landing must have a combined probability of less than 1/1000.
    (d) If all engines fail at any point in the flight, the airplane 
must be controllable, and an approach and flare to a landing and 
controlled stop must be
[[Page 75453]]
possible without requiring exceptional piloting skill or strength. The 
applicant may show compliance with this requirement by analysis where 
the applicant has shown that analysis to be reliable.
    (e) The flight control system must indicate to the flightcrew 
whenever the primary control means is near the limit of control 
authority.
    (f) If the flight control system has multiple modes of operation, 
the system must alert the flightcrew whenever the airplane enters any 
mode that significantly changes or degrades the normal handling or 
operational characteristics of the airplane.
6. Amend Sec.  25.901 by revising paragraph (c) to read as follows:
Sec.  25.901  Installation.
* * * * *
    (c) For each powerplant and auxiliary power unit installation, the 
applicant must comply with the requirements of Sec.  25.1309, except 
that the effects of the following failures need not comply with Sec.  
25.1309(b)--
    (1) Engine case burn-through or rupture,
    (2) Uncontained engine rotor failure, and
    (3) Propeller debris release.
* * * * *
7. Amend Sec.  25.933 by revising paragraph (a)(1) to read as follows:
Sec.  25.933  Reversing systems.
    (a) * * *
    (1) For each system intended for ground operation only, the 
applicant must show--
    (i) The airplane is capable of continued safe flight and landing 
during and after any thrust reversal in flight; or
    (ii) The system complies with Sec.  25.1309(b).
* * * * *
8. Revise Sec.  25.1301 to read as follows:
Sec.  25.1301  Function and installation.
    Each item of installed equipment must--
    (a) Be of a kind and design appropriate to its intended function;
    (b) Be labeled as to its identification, function, or operating 
limitations, or any applicable combination of these factors; and
    (c) Be installed according to limitations specified for that 
equipment.
9. Revise Sec.  25.1309 to read as follows:
Sec.  25.1309  Equipment, systems, and installations.
    Except as provided in paragraphs (e) and (f) of this section, this 
section applies to any equipment or system as installed on the 
airplane. The applicant need not account for this section when showing 
compliance with the performance and flight characteristic requirements 
of subpart B of this part and the structural requirements of subparts C 
and D of this part, except that this section applies to any system on 
which compliance with any of those requirements is dependent.
    (a) The airplane's equipment and systems, as installed, must meet 
the following requirements:
    (1) The equipment and systems required for type certification or by 
operating rules, or whose improper functioning would reduce safety, 
must perform as intended under the airplane operating and environmental 
conditions; and
    (2) Other equipment and systems functioning normally or abnormally 
must not adversely affect the safety of the airplane or its occupants, 
or the proper functioning of the equipment and systems addressed by 
paragraph (a)(1) of this section.
    (b) Each of the airplane's systems and associated components, as 
installed, and evaluated both separately and in relation to other 
systems, must meet all of the following requirements:
    (1) Each catastrophic failure condition--
    (i) Must be extremely improbable; and
    (ii) Must not result from a single failure.
    (2) Each hazardous failure condition must be extremely remote.
    (3) Each major failure condition must be remote.
    (4) Each significant latent failure must be eliminated except--
    (i) If the Administrator finds it would be impractical for the 
applicant to comply with paragraph (b)(4) of this section, the product 
of the maximum time the failure is expected to be present and its 
average failure rate must not exceed 1/1000; or
    (ii) If the Administrator finds it would be impractical for the 
applicant to comply with paragraph (b)(4)(i) of this section, the 
applicant must minimize the time the failure is expected to be present.
    (5) For each catastrophic failure condition that results from two 
failures, either of which could be latent for more than one flight, the 
applicant must show that--
    (i) It is impractical to provide additional fault tolerance;
    (ii) Given the occurrence of any single latent failure, the 
probability of the catastrophic failure condition occurring due to all 
subsequent single failures is remote; and
    (iii) The product of the maximum time the latent failure is 
expected to be present and its average failure rate does not exceed 
1/1000.
    (c) The applicant must provide information concerning unsafe system 
operating conditions in order to enable the flightcrew to take 
corrective action. The applicant must show that the design of systems 
and controls, including indications and annunciations, minimizes crew 
errors that could create additional hazards.
    (d) The applicant must establish certification maintenance 
requirements to prevent development of the failure conditions described 
in paragraph (b) of this section. These requirements must be included 
in the Airworthiness Limitations section of the Instructions for 
Continued Airworthiness required by Sec.  25.1529.
    (e) Section 25.1309(b)(1)(ii) does not apply to the flight control 
jam conditions addressed by Sec.  25.671(c).
    (f) Section 25.1309(b) does not apply to--
    (1) Single failures in the brake system addressed by Sec.  
25.735(b)(1);
    (2) Failure effects addressed by Sec. Sec.  25.810(a)(1)(v) and 
25.812;
    (3) Uncontained engine rotor failure, engine case rupture, or 
engine case burn-through failures addressed by Sec. Sec.  25.903(d)(1) 
and 25.1193 and part 33 of this chapter; and
    (4) Propeller debris release failures addressed by Sec.  25.905(d) 
and part 35 of this chapter.
10. Amend Sec.  25.1365 by revising paragraph (a) to read as follows:
Sec.  25.1365  Electrical appliances, motors, and transformers.
    (a) An applicant must show that, in the event of a failure of the 
electrical supply or control system, the design and installation of 
domestic appliances meet the requirements of Sec.  25.1309(b) and (c). 
Domestic appliances are items such as cooktops, ovens, coffee makers, 
water heaters, refrigerators, and toilet flush systems that are placed 
on the airplane to provide service amenities to passengers.
* * * * *
11. In appendix H to part 25, under the heading H25.4, add paragraph 
(a)(6) to read as follows:
[[Page 75454]]
Appendix H to Part 25--Instructions for Continued Airworthiness
* * * * *
H25.4 Airworthiness Limitations Section
* * * * *
    (a) * * *
    (6) Each certification maintenance requirement established to 
comply with any of the applicable provisions of part 25.
* * * * *
    Issued in Washington, DC, on November 30, 2022.
Lirio Liu,
Executive Director, Aircraft Certification Service.
[FR Doc. 2022-26369 Filed 12-7-22; 8:45 am]