
We help Organizations quickly Conceptualize, Design, Develop, and Implement Innovative Cost-Effective Solutions for Avionics, Aircraft, and Flight Guidance-Navigation-Control Systems.


  1. FAR 25 Regulations-- Sec. 25.1309 Equipment, Systems, and Installations
  2. Purpose
  3. Cancellation
  4. Applicability
  5. Background
  6. The FAA Fail-Safe Design Concept
  7. Definitions
  8. Discussion
  9. Acceptable Techniques
  10. Qualitative Assessment
  11. Quantitative Assessment
  12. Operational & Maintenance Considerations
  13. Step-By-Step Guide

FAR 25 Regulations-- Sec. 25.1309 Equipment, Systems, and Installations.


(a) The equipment, systems, and installations whose functioning is required by this subchapter, must be designed to ensure that they perform their intended functions under any foreseeable operating condition.

(b) The airplane systems and associated components, considered separately and in relation to other systems, must be designed so that--

(1) The occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable, and

(2) The occurrence of any other failure conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions is improbable.

(c) Warning information must be provided to alert the crew to unsafe system operating conditions, and to enable them to take appropriate corrective action. Systems, controls, and associated monitoring and warning means must be designed to minimize crew errors which could create additional hazards.

(d) Compliance with the requirements of paragraph (b) of this section must be shown by analysis, and where necessary, by appropriate ground, flight, or simulator tests. The analysis must consider--

(1) Possible modes of failure, including malfunctions and damage from external sources.

(2) The probability of multiple failures and undetected failures.

(3) The resulting effects on the airplane and occupants, considering the stage of flight and operating conditions, and

(4) The crew warning cues, corrective action required, and the capability of detecting faults.

(e) Each installation whose functioning is required by this subchapter, and that requires a power supply, is an "essential load" on the power supply. The power sources and the system must be able to supply the following power loads in probable operating combinations and for probable durations:

(1) Loads connected to the system with the system functioning normally.

(2) Essential loads, after failure of any one prime mover, power converter, or energy storage device.

(3) Essential loads after failure of-- (i) Any one engine on two-engine airplanes; and (ii) Any two engines on three-or-more-engine airplanes.

(4) Essential loads for which an alternate source of power is required by this chapter, after any failure or malfunction in any one power supply system, distribution system, or other utilization system.

(f) In determining compliance with paragraphs (e) (2) and (3) of this section, the power loads may be assumed to be reduced under a monitoring procedure consistent with safety in the kinds of operation authorized. Loads not required in controlled flight need not be considered for the two-engine-inoperative condition on airplanes with three or more engines.

(g) In showing compliance with paragraphs (a) and (b) of this section with regard to the electrical system and equipment design and installation, critical environmental conditions must be considered. For electrical generation, distribution, and utilization equipment required by or used in complying with this chapter, except equipment covered by Technical Standard Orders containing environmental test procedures, the ability to provide continuous, safe service under foreseeable environmental conditions may be shown by environmental tests, design analysis, or reference to previous comparable service experience on other aircraft.

1. PURPOSE


This Advisory Circular (AC) describes various acceptable means for showing compliance with the requirements of 25.1309 (b), (c), and (d) of the Federal Aviation Regulations (FAR). These means are intended to provide guidance for the experienced engineering and operational judgment that must form the basis for compliance findings. They are not mandatory. Other means may be used if they show compliance with this section of the FAR.

2. CANCELLATION


AC 25.1309-1 dated 9/7/82, is hereby cancelled.

3. APPLICABILITY


Section 25.1309(b) provides general requirements for a logical and acceptable inverse relationship between the probability and the severity of each failure condition and 25.1309(d) requires that compliance be shown primarily by analysis. Section 25.1309(c) provides general requirements for system monitoring, failure warning, and capability for appropriate corrective crew action. Because 25.1309(b) and (c) is a regulation of general applicability, it may not be used to replace or alter any allowed design practices or specific requirements of Part 25, and each requirement of 25.1309(b) and (c) applies only if other applicable sections of Part 25 do not provide a specific system requirement that has a similar purpose. While 25.1309(b) and (c) does not apply to the performance, flight characteristics, and structural loads and strength requirements of Subparts B and C, it does apply to any system on which compliance with any of those requirements is based. For example, it does not apply to an airplane's inherent stall characteristics or their evaluation, but it does apply to a stall warning system used to enable compliance with paragraph 25.207.

4. BACKGROUND


The Part 25 airworthiness standards are based on the fail-safe design concept that has evolved over the years. A brief description is provided in Paragraph 5. Section 25.1309(b) and (c) sets forth certain objective safety requirements based on this design concept. Many systems, equipment, and their installations have been successfully evaluated to the applicable requirements of Part 25, including paragraphs 25.1309(b), (c), and (d), without using structured means for safety assessments. However, in recent years there has been an increase in the degree of system complexity and integration, and in the number of safety-critical functions performed by systems. Difficulties had been experienced in assessing the hazards that could result from failures of such systems, or adverse interactions among them. These difficulties led to the use of structured means for showing compliance with 25.1309(b). For this and other reasons, guidance was needed on acceptable means of compliance with 25.1309(b), (c), and (d).

a. Section 25.1309(b) and (d) specifies required safety levels in qualitative terms, and requires that a safety assessment be made. Various assessment techniques have been developed to assist applicants and the FAA in determining that a logical and acceptable inverse relationship exists between the probability and the severity of each failure condition. These techniques include the use of service experience data of similar, previously-approved systems, and thorough qualitative analyses.

b. In addition, difficulties had been experienced in assessing the acceptability of some designs, especially those of systems, or parts of systems, that are complex, that have a high degree of integration, that use new technology or new or different applications of conventional technology, or that perform safety-critical functions. These difficulties led to the selective use of rational analyses to estimate quantitative probabilities, and the development of related criteria based on historical data of accidents and hazardous incidents caused or contributed to by failures. These criteria, expressed as numerical probability ranges associated with the terms used in paragraph 25.1309(b), became commonly accepted for evaluating the quantitative analyses that are often used in such cases to support experienced engineering and operational judgment and to supplement qualitative analyses and tests.

5. The FAA Fail-Safe Design Concept


The Part 25 airworthiness standards are based on, and incorporate, the objectives, and principles or techniques, of the fail-safe design concept, which considers the effects of failures and combinations of failures in defining a safe design.

a. The following basic objectives pertaining to failures apply:

(1) In any system or subsystem, the failure of any single element, component, or connection during any one flight (brake release through ground deceleration to stop) should be assumed, regardless of its probability. Such single failures should not prevent continued safe flight and landing, or significantly reduce the capability of the airplane or the ability of the crew to cope with the resulting failure conditions.

(2) Subsequent failures during the same flight, whether detected or latent, and combinations thereof, should also be assumed, unless their joint probability with the first failure is shown to be extremely improbable.

b. The fail-safe design concept uses the following design principles or techniques in order to ensure a safe design. The use of only one of these techniques is seldom adequate. A combination of two or more is usually needed to provide a fail-safe design; i.e., to ensure that major failure conditions are improbable and that catastrophic failure conditions are extremely improbable.

(1) Design Integrity and Quality, including Life Limits, to ensure intended function and prevent failures.

(2) Redundancy or Backup Systems to enable continued function after any single (or other defined number of) failure(s); e.g., two or more engines, hydraulic systems, flight control systems, etc.

(3) Isolation of Systems, Components, and Elements so that the failure of one does not cause the failure of another. Isolation is also termed independence.

(4) Proven Reliability so that multiple, independent failures are unlikely to occur during the same flight.

(5) Failure Warning or Indication to provide detection.

(6) Flight Crew Procedures for use after failure detection, to enable continued safe flight and landing or specifying crew corrective action.

(7) Checkability: the capability to check a component's condition.

(8) Designed Failure Effect Limits, including the capability to sustain damage, to limit the safety impact or effects of a failure.

(9) Designed Failure Path to control and direct the effects of a failure in a way that limits its safety impact.

(10) Margins or Factors of Safety to allow for any undefined or unforeseeable adverse conditions.

(11) Error-Tolerance that considers adverse effects of foreseeable errors during the airplane's design, test, manufacture, operation, and maintenance.

6. Definitions


The following definitions apply to the system design and analysis requirements of paragraphs 25.1309(b), (c), and (d) and the guidance material provided in this AC. They should not be assumed to apply to the same or similar terms used in other regulations or ACs. Terms for which standard dictionary definitions apply are not defined herein.

a. Attribute: A feature, characteristic, or aspect of a system or a device, or a condition affecting its operation. Some examples would include design, construction, technology, installation, functions, applications, operational uses, environmental and operational stresses, and relationships with other systems, functions, and flight or structural characteristics.

b. Certification Check Requirement (CCR): A recurring flightcrew or groundcrew check that is required by design to help show compliance with paragraphs 25.1309(b) and (d)(2) by detecting the presence of, and thereby limiting the exposure time to, a significant latent failure that would, in combination with one or more other specific failures or events identified in a safety analysis, result in a hazardous failure condition.

c. Check: An examination (e.g., an inspection or test) to determine the physical integrity or functional capability of an item.

d. Complex: A system is considered to be complex if structured methods of analysis are needed for a thorough and valid safety assessment. A structured method is very methodical and highly organized. Failure modes and effects, fault tree, and reliability block diagram analyses are examples of structured methods.

e. Continued Safe Flight and Landing: The capability for continued controlled flight and landing at a suitable airport, possibly using emergency procedures, but without requiring exceptional pilot skill or strength. Some airplane damage may be associated with a failure condition, during flight or upon landing.

f. Conventional: An attribute of a system is considered to be conventional if it is the same as, or closely similar to, that of previously approved systems that are commonly used.

g. Failure: A loss of function, or a malfunction, of a system or a part thereof.

h. Failure Condition: The effects on the airplane and its occupants, both direct and consequential, caused or contributed to by one or more failures, considering relevant adverse operational or environmental conditions. Failure conditions may be classified according to their severities as follows:

(1) Minor: Failure conditions which would not significantly reduce airplane safety, and which involve crew actions that are well within their capabilities. Minor failure conditions may include, for example, a slight reduction in safety margins or functional capabilities, a slight increase in crew workload, such as routine flight plan changes, or some inconvenience to occupants.

(2) Major: Failure conditions which would reduce the capability of the airplane or capability of the crew to cope with adverse operating conditions to the extent that there would be, for example:

(i) A significant reduction in safety margins or functional capabilities, a significant increase in crew work-load or in conditions impairing crew efficiency, or some discomfort to occupants; or

(ii) In more severe cases, a large reduction in safety margins or functional capabilities, higher workload or physical distress such that the crew could not be relied on to perform its tasks accurately or completely, or adverse effects on occupants.

(3) Catastrophic: Failure conditions which would prevent continued safe flight and landing.

i. Redundancy: The presence of more than one independent means for accomplishing a given function or flight operation. Each means need not necessarily be identical.

j. Qualitative: Those analytical processes that assess system and airplane safety in a subjective, nonnumerical manner.

k. Quantitative: Those analytical processes that apply mathematical methods to assess system and airplane safety.

7. DISCUSSION


Section 25.1309(b) and (d) requires substantiation by analysis, and where necessary, by appropriate ground, flight, or simulator tests, that a logical and acceptable inverse relationship exists between the probability and the severity of each failure condition. However, tests are not required to verify failure conditions that are postulated to be catastrophic. As discussed in Paragraph 3, some systems and some functions must be evaluated for compliance with certain specific system requirements that take precedence over certain requirements of paragraphs 25.1309(b) and (c) that have similar purposes. In either case, however, the goal is to ensure an acceptable overall airplane safety level considering all failure conditions of all systems.

a. The requirements of 25.1309(b) and (d) are intended to ensure an orderly and thorough evaluation of the effects on safety of foreseeable failures or other events such as errors or external circumstances, separately or in combination, involving one or more system functions. The interactions of these factors within a system and among relevant systems should be considered.

b. The severities of failure conditions may be evaluated according to the following considerations:

(1) Effects on the airplane such as reductions in safety margins, degradations in performance, loss of capability to conduct certain flight operations, or potential or consequential effects on structural integrity.

(2) Effects on the crewmembers, such as increases above their normal workload that would affect their ability to cope with adverse operational or environmental conditions or subsequent failures.

(3) Effects on the occupants; i.e., passengers and crewmembers.

c. For convenience in conducting design assessments, failure conditions may be classified according to their severities as minor, major, or catastrophic. Paragraph 6h provides accepted definitions of these terms.

(1) The classification of failure conditions does not depend on whether or not a system or function is required by any specific regulation. Some systems required by special regulations, such as transponders, position lights, and public address systems, may have the potential for only minor failure conditions. Conversely, other systems not required by any specific regulation, such as flight management systems and automatic landing systems, may have the potential for major or catastrophic failure conditions.

(2) Regardless of the types of assessment used, the classification of failure conditions should always be accomplished with consideration of all relevant factors; e.g., system, crew, performance, operational, external, etc. Examples of factors would include the nature of the failure modes, any effects or limitations on performance, and any required or likely crew action. It is particularly important to consider factors that would alleviate or intensify the severity of a failure condition. An example of an alleviating factor would be the continued performance of identical or operationally similar functions by other systems not affected by a failure condition. Examples of intensifying factors would include unrelated conditions that would reduce the ability of the crew to cope with a failure condition, such as weather or other adverse operational or environmental conditions, or failures of other unrelated systems or functions.

d. The probability that a failure condition would occur may be assessed as probable, improbable, or extremely improbable. These terms are explained in Paragraphs 9e and 10b. Each failure condition should have a probability that is inversely related to its severity. Fig 1, Probability vs. Consequence Graph, illustrates this relationship.

(1) Minor failure conditions may be probable.

(2) Major failure conditions must be improbable.

(3) Catastrophic failure conditions must be extremely improbable.

e. An assessment to identify and classify failure conditions is necessarily qualitative. On the other hand, an assessment of the probability of a failure condition may be either qualitative or quantitative. An analysis may range from a simple report that interprets test results or compares two similar systems to a detailed analysis that may (or may not) include estimated numerical probabilities. The depth and scope of an analysis depends on the types of functions performed by the system, the severities of system failure conditions, and whether or not the system is complex. Regardless of its type, an analysis should show that the system and its installation can tolerate failures to the extent that major failure conditions are improbable and catastrophic failure conditions are extremely improbable.

(1) Experienced engineering and operational judgment should be applied when determining whether or not a system is complex. Comparison with similar, previously approved systems is sometimes helpful. All relevant system attributes should be considered; however, the complexity of the software used to program a digital computer-based system should not be considered because the software is assessed and controlled by other means, as described in Paragraph 7i.

(2) An analysis should always consider the application of the fail-safe design concept described in Paragraph 5, and give special attention to ensuring the effective use of design techniques that would prevent single failures or other events from damaging or otherwise adversely affecting more than one redundant system channel or more than one system performing operationally similar functions. When considering such common-cause failures or other events, consequential or cascading effects should be taken into account if they would be inevitable or reasonably likely.

(3) Some examples of such potential common-cause failures or other events would include rapid release of energy from concentrated sources such as uncontained failures of rotating parts or pressure vessels, pressure differentials, noncatastrophic structural failures, loss of environmental conditioning, disconnection of more than one subsystem or component by over-temperature protection devices, contamination by fluids, damage from localized fires, loss of power, excessive voltage, physical or environmental interactions among parts, use of incorrect, faulty, or bogus parts, human or machine errors, and foreseeable adverse operational conditions, environmental conditions, or events external to the system or to the airplane.

f. As discussed in Paragraphs 8c(1) and 8d(2), compliance for a system or part thereof that is not complex may sometimes be shown by design and installation appraisals and evidence of satisfactory service experience on other airplanes using the same or other systems that are similar in their relevant attributes.

g. In general, a failure condition resulting from a single failure mode of a device cannot be accepted as being extremely improbable. In very unusual cases, however, experienced engineering judgment may enable an assessment that such a failure mode is not a practical possibility. When making such an assessment, all possible and relevant considerations should be taken into account, including all relevant attributes of the device. Service experience showing that the failure mode has not yet occurred may be extensive, but it can never be enough. Furthermore, flightcrew or groundcrew checks have no value if a catastrophic failure mode would occur suddenly and without any prior indication or warning. The assessment's logic and rationale should be so straightforward and readily obvious that, from a realistic and practical viewpoint, any knowledgeable, experienced person would unequivocally conclude that the failure mode simply would not occur, unless it is associated with a wholly-unrelated failure condition that would itself be catastrophic.
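The following is an added Python example, not part of the AC text or of ASTECH's material, that ties together the fail-safe objectives of Paragraph 5a (assume every single failure; assume subsequent latent failures unless the joint probability is extremely improbable), the exposure-time role of the CCR in Paragraph 6b, the inverse probability/severity relationship of Paragraph 7d, and the single-failure rule of Paragraph 7g, on a small fault tree. The probability bands, event names and failure rates are assumed placeholders: the AC gives its numerical ranges in Paragraph 10, which this page does not reproduce, and the sample tree is constructed for illustration.

```python
"""Worked check of the 25.1309(b) inverse relationship on a small fault tree.
Added example, not text from the AC or ASTECH. The probability bands are ASSUMED
placeholders: the AC states its numerical ranges in Paragraph 10, which this page
does not reproduce. Event names and rates are constructed sample data."""
from dataclasses import dataclass
from math import prod
from typing import List, Union

# ASSUMED upper bounds, per flight hour, for the terms used in Paragraph 7d.
BANDS = {"probable": 1.0, "improbable": 1e-5, "extremely improbable": 1e-9}
# Paragraph 7d: severity -> probability term the failure condition may not exceed.
REQUIRED = {"minor": "probable", "major": "improbable",
            "catastrophic": "extremely improbable"}


@dataclass
class Event:
    """Basic failure: rate lam per flight hour, exposed for exposure_h hours.
    An annunciated failure is exposed for one flight hour; a latent one stays
    exposed until the next check (the CCR of Paragraph 6b bounds exposure_h)."""
    name: str
    lam: float
    exposure_h: float = 1.0

    def prob(self) -> float:
        return min(1.0, self.lam * self.exposure_h)

    def cut_sets(self):
        return [frozenset([self.name])]


@dataclass
class Gate:
    kind: str                           # "AND": all inputs fail; "OR": any input fails
    inputs: List[Union["Gate", Event]]  # inputs assumed independent (Paragraph 5b(3))

    def prob(self) -> float:
        ps = [i.prob() for i in self.inputs]
        if self.kind == "AND":
            return prod(ps)
        return 1.0 - prod(1.0 - p for p in ps)  # P(at least one input fails)

    def cut_sets(self):
        """Combinations of basic failures that produce the gate's output event."""
        child = [i.cut_sets() for i in self.inputs]
        if self.kind == "OR":
            return [c for cs in child for c in cs]
        sets = child[0]
        for cs in child[1:]:
            sets = [a | b for a in sets for b in cs]
        return sets


def assess(severity: str, tree):
    """Apply Paragraphs 7d and 7g; returns (verdict, probability per fh, reasons)."""
    p = tree.prob()
    reasons = []
    band = REQUIRED[severity]
    if p > BANDS[band]:
        reasons.append(f"{p:.1e}/fh exceeds the '{band}' band required for {severity}")
    if severity == "catastrophic" and any(len(c) == 1 for c in tree.cut_sets()):
        # 5a(1): every single failure is assumed; 7g: it cannot be called extremely improbable.
        reasons.append("a single failure mode leads to the catastrophic condition (7g)")
    return ("acceptable" if not reasons else "not acceptable", p, reasons)


# Constructed sample: loss of a function served by two redundant channels.
def loss_with_check_interval(check_h: float) -> Gate:
    active = Event("channel A fails, annunciated", 1e-5)               # exposed 1 fh
    latent = Event("standby channel B failed, latent", 1e-5, check_h)  # exposed until checked
    return Gate("AND", [active, latent])


def with_common_element() -> Gate:
    """Same loss plus one shared element whose failure defeats both channels (7e(2))."""
    shared = Event("shared power feed open", 1e-10)
    return Gate("OR", [loss_with_check_interval(1.0), shared])
```

Run `assess("catastrophic", loss_with_check_interval(100))` and then with a check interval of 1 flight hour to see the latent failure's exposure time decide the verdict; `with_common_element()` shows a tree that meets the assumed band yet is rejected because one basic event alone reaches the top.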

h. Section 25.1309(c) provides requirements for system monitoring, failure warning, and capability for appropriate corrective crew action. Guidance on acceptable means of compliance is provided in Paragraph 8g.

i. In general, the means of compliance described in this AC are not directly applicable to software assessments because it is not feasible to assess the number or kinds of software errors, if any, that may remain after the completion of system design, development, and test. Advisory Circular 20-115A dated August 12, 1986, "Radio Technical Commission for Aeronautics Document RTCA/DO-178A," or later revisions thereto, provides acceptable means for assessing and controlling the software used to program digital computer-based systems. Document RTCA/DO-178A dated March 22, 1985, "Software Considerations in Airborne Systems and Equipment Certification," defines and uses certain terms to classify the criticalities of functions. For information, these terms have the following relationships to the terms used in this AC to classify failure conditions: failure conditions adversely affecting non-essential functions would be minor, failure conditions adversely affecting essential functions would be major, and failure conditions adversely affecting critical functions would be catastrophic.


For more information on how ASTECH Engineering may be able to help you, please contact Jeff Wilson at astech@cox.net or call 316-304-6157.

© Copyright 1996 ASTECH Engineering. All rights reserved. No part of this document may be reproduced in any form without the expressed written consent of the author.
