2

Regulatory Background

In the United States, the Code of Federal Regulations (CFR) [1] is the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the federal government. The CFR is divided into 50 titles that represent broad areas subject to federal regulation. Each title contains one or more volumes that are updated annually. Each title is divided into chapters, and each chapter typically bears the name of the issuing agency. Each chapter is further subdivided into parts that cover specific regulatory areas. Large parts may be subdivided into subparts, and parts (or subparts) are in turn organized into sections.

Title 14 of the CFR covers regulations for aeronautics and space. Within Title 14 there are six Chapters spread over five Volumes. The Volumes, Chapters, and Parts are organized as shown in Table 2.1.

The first three subchapters of Chapter I of Title 14 cover Parts 1 through 59:

•  Subchapter A—Definitions

    •  Part 1 Definitions and Abbreviations

    •  Part 3 General Requirements

•  Subchapter B—Procedural Rules

    •  Part 11 General Rulemaking Procedures

    •  Part 13 Investigative and Enforcement Procedures

    •  Part 14 Rules Implementing the Equal Access to Justice Act of 1980

    •  Part 15 Administrative Claims Under Federal Tort Claims Act

    •  Part 16 Rules of Practice for Federally Assisted Airport Enforcement Proceedings

    •  Part 17 Procedures for Protests and Contract Disputes

•  Subchapter C—Aircraft

    •  Part 21 Certification Procedures for Products and Parts

    •  Part 23 Airworthiness Standards: Normal, Utility, Acrobatic, and Commuter Category Airplanes

    •  Part 25 Airworthiness Standards: Transport Category Airplanes

    •  Part 26 Continued Airworthiness and Safety Improvements for Transport Category Airplanes

    •  Part 27 Airworthiness Standards: Normal Category Rotorcraft

    •  Part 29 Airworthiness Standards: Transport Category Rotorcraft

    •  Part 31 Airworthiness Standards: Manned Free Balloons

    •  Part 33 Airworthiness Standards: Aircraft Engines

TABLE 2.1 Title 14 Code of Federal Regulations

    •  Part 34 Airworthiness Standards: Fuel Venting and Exhaust Emission Requirements for Turbine Engine Powered Airplanes

    •  Part 35 Airworthiness Standards: Propellers

    •  Part 36 Noise Standards: Aircraft Type and Airworthiness Certification

    •  Part 39 Airworthiness Directives

    •  Part 43 Maintenance, Preventive Maintenance, Rebuilding and Alteration

    •  Part 45 Identification and Registration Marking

    •  Part 47 Aircraft Registration

    •  Part 49 Recording of Registration Titles and Security Documents

    •  Parts 50–59 [Reserved]

Figure 2.1 shows the structure of the Code of Federal Regulations: Title 14 for Aeronautics and Space; Parts 21, 23, 25, 27, and 29 for parts, aircraft, and engines; section 1301 for function and installation; and section 1309 for equipment, systems, and installations.

A particular regulation is cited by Title, Part, and section number (the subchapter and subpart are implied by the part and section). For example, the sections governing systems and equipment on Part 25 transport category airplanes are cited as:

•  14 CFR 25.1301 [2]

•  14 CFR 25.1309 [3]

Federal Aviation Regulations carry an amendment level that identifies the most recent change to the regulation and its effective date. In general, certification programs for new aircraft, or for changes to existing aircraft, use the most recent amendment level of the regulations applicable to the program. In some instances, such as derivative models or changes to an existing model, a program can use the regulations and amendment level from the original approval or certification basis.

FIGURE 2.1 CFR Structure

The following paragraphs show the basic text of FARs 25.1301 and 25.1309. Other versions and amendments of these FARs exist; the point here is to show the basic intent of the text. Foreign certification authorities such as the European Aviation Safety Agency (EASA) publish Certification Specifications (CS) that follow the numbering of the equivalent FAR (e.g., CS 25.1309) and largely share its intent, and often its text.

The text of 14 CFR 25.1301 states:

Function and installation.

(a)  Each item of installed equipment must—

(1)  Be of a kind and design appropriate to its intended function;

(2)  Be labeled as to its identification, function, or operating limitations, or any applicable combination of these factors;

(3)  Be installed according to limitations specified for that equipment; and

(4)  Function properly when installed.

[(b)  EWIS must meet the requirements of subpart H of this part.]

Amendment 25-123, Effective 12/10/07

The term EWIS refers to the electrical wiring interconnection system: the wiring and connections to, and between, aircraft systems.

The text of 14 CFR 25.1309 states:

Equipment, systems, and installations.

(a)  The equipment, systems, and installations whose functioning is required by this subchapter, must be designed to ensure that they perform their intended functions under any foreseeable operating condition.

(b)  The airplane systems and associated components, considered separately and in relation to other systems, must be designed so that—

(1)  The occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable, and

(2)  The occurrence of any other failure condition which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions is improbable.

(c)  Warning information must be provided to alert the crew to unsafe system operating conditions, and to enable them to take appropriate corrective action. Systems, controls, and associated monitoring and warning means must be designed to minimize crew errors which could create additional hazards.

(d)  Compliance with the requirements of paragraph (b) of this section must be shown by analysis, and where necessary, by appropriate ground, flight, or simulator tests. The analysis must consider—

(1)  Possible modes of failure, including malfunctions and damage from external sources.

(2)  The probability of multiple failures and undetected failures.

(3)  The resulting effects on the airplane and occupants, considering the stage of flight and operating conditions, and

(4)  The crew warning cues, corrective action required, and the capability of detecting faults.

[(e)  In showing compliance with paragraphs (a) and (b) of this section with regard to the electrical system and equipment design and installation, critical environmental conditions must be considered. For electrical generation, distribution, and utilization equipment required by or used in complying with this chapter, except equipment covered by Technical Standard Orders containing environmental test procedures, the ability to provide continuous, safe service under foreseeable environmental conditions may be shown by environmental tests, design analysis, or reference to previous comparable service experience on other aircraft.]

[(f)  EWIS must be assessed in accordance with the requirements of Section 25.1709.]

Amendment 25-123, Effective 12/10/07

The certification basis for a project or aircraft program is the set of applicable airworthiness requirements as established in 14 CFR 21.17 [4] (original certification) or 14 CFR 21.101 [5] (change to a type certificate), as appropriate, together with any special conditions, equivalent level of safety findings, requirements per 14 CFR 21.21(b)(2) [6], and exemptions applicable to the product to be certificated. The certification basis specifies the applicable regulations and their respective amendment levels at the time of application for a certificate. An application for type certification of a transport category aircraft (Part 25) is effective for five years. An application for any other type certificate is effective for three years, unless the applicant shows at the time of application that the product requires a longer period for design, development, and testing, and the FAA approves a longer period.

The applicant is the party that applies to the FAA for a type certificate, supplemental type certificate, or amended type certificate. A type certificate (TC) is the certification of a new type of aircraft. A supplemental type certificate (STC) is the certification of a modification to an existing aircraft. An amended type certificate (ATC) is FAA approval of a change to an aircraft's type design, typically made by the type certificate holder; it approves not only the modification but also how that modification affects the original design.

MEANS OF COMPLIANCE

The FAA publishes additional information that explains acceptable methods of complying with the certification basis and thus with the applicable regulations (FARs). These publications are known as Advisory Circulars (ACs), and the methods they describe are known as a means of compliance (MoC) to a FAR. Advisory Circulars are numbered after the regulation they are associated with; for example, AC 25.1309 [7] explains a means of compliance to 14 CFR 25.1309. Advisory Circulars may also contain explanations of regulations, guidance, methods, procedures, best practices, and other information useful to the aviation industry.

The most commonly used means of compliance to a FAR are:

•  Engineering evaluation

    •  Compliance statement

    •  Design review

    •  Calculation/analysis

    •  Safety assessment

•  Tests

    •  Laboratory test

    •  Ground test on aircraft

    •  Flight test

    •  Simulation

•  Inspection

    •  Conformity inspection

    •  Design inspection

•  Equipment qualification

Engineering evaluation for demonstration of compliance to a regulation includes compliance statement, design review, calculation/analysis, and safety assessment. A compliance statement is a formal statement that a design complies with a regulation and may include compliance by similarity. A design review is used when compliance is based on a review of data, descriptions, or drawings. Calculation or analysis is used when compliance is demonstrated by an engineering analysis, calculation, or report. Safety assessment is used when compliance is demonstrated by a safety analysis such as probability analysis.

Tests for demonstration of compliance to a regulation include laboratory tests, ground tests with an aircraft, flight tests with an aircraft, and simulation of aircraft functions. Laboratory test is used when compliance is demonstrated by testing in a lab. Ground test is used when compliance is demonstrated by aircraft testing conducted on the ground. Flight test is used when compliance is demonstrated with aircraft flight testing. Simulation is used when compliance is demonstrated by flight or computer model simulation or with the use of a representative mockup of the equipment.

Inspection for demonstration of compliance to a regulation includes conformity inspection and design inspection. Conformity inspection is used when compliance is demonstrated by a review of the equipment against its approved and released drawings. Design inspection is used when compliance is demonstrated by an inspection of the design as it is installed on the aircraft.

Equipment qualification is used when compliance is demonstrated by environmental qualification testing, such as RTCA/DO-160 [8].

The means of compliance allow the applicant to “show compliance” to a regulation. Once the compliance has been demonstrated, the regulatory authority or designee may then make a finding of compliance to the regulation.

Many of the methods for demonstrating compliance to the regulations are not well suited or practical for airborne electronic hardware, especially circuit cards or devices such as field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), or complex programmable logic devices (CPLDs). DO-254 was written to provide applicants and developers with suitable methods and techniques to show compliance to the FARs.

Figure 2.2 shows the Advisory Circulars for FARs pertaining to systems, equipment, and electronic parts.

AC 25.1309 includes several objectives based on fail-safe system design principles. When a system and its operation are considered, the failure objectives include:

•  The failure of any single element, component, or connection during any one flight should be assumed, regardless of its probability.

•  No single failure of an element, component, or connection should prevent continued safe flight and landing.

•  Catastrophic failure conditions must be extremely improbable.

•  Common cause analysis should be used to ensure that a single failure (or a single external event) does not adversely affect more than one channel of a redundant system, or more than one system performing equivalent aircraft functions.

AC 25.1309 also describes techniques for assessing failures and their effects, supported by both qualitative and quantitative analysis. A functional hazard assessment (FHA) is a qualitative assessment that identifies failure conditions and classifies them by severity. The FHA is used early in design to evaluate candidate system architectures for suitability and, as described later, to determine the design assurance level (DAL) associated with a function and its electronic hardware. In Aerospace Recommended Practice (ARP) 4754A, the level assigned to an aircraft- or system-level function is the functional development assurance level (FDAL), and the level allocated to each software or airborne electronic hardware item that implements that function is the item development assurance level (IDAL). A reliability or fault tree analysis is a quantitative assessment that shows the probability of each failure condition is commensurate with its severity: the more severe the effect, the lower the allowable probability.

FIGURE 2.2 Advisory Circulars

In accordance with AC 25.1309, catastrophic hazards must be shown to be extremely improbable. Analysis of catastrophic hazards should include qualitative and quantitative assessment. Failures classified as major hazards must be shown to be improbable. Analysis of major hazards includes qualitative and sometimes a quantitative assessment.

The AC defines these terms in units of average probability per flight hour: extremely improbable failure conditions are those with a probability on the order of 1 × 10−9 or less; improbable failure conditions have a probability on the order of less than 1 × 10−5 but greater than 1 × 10−9; and probable failure conditions have a probability on the order of greater than 1 × 10−5.

Updates to these categories added a hazardous/severe-major failure condition between major and catastrophic. Analysis of failures classified as hazardous/severe-major should include both qualitative and quantitative assessment, and such failure conditions must be shown to be extremely remote, i.e., to have a probability on the order of less than 1 × 10−7 but greater than 1 × 10−9 per flight hour. Major failure conditions occupy the remaining part of the improbable range, between 1 × 10−5 and 1 × 10−7.
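The quantitative side of the assessment described above (a fault tree whose top-event probability is compared with the AC 25.1309 bands) can be made concrete with a small worked example. The code below is added here and is not taken from the page, from AC 25.1309, or from any real aircraft program: the architecture (two independent channels plus one common-cause event), the failure rates, the 5-hour average flight, and the 2000-hour inspection interval are all constructed assumptions chosen to show the mechanics. It evaluates AND/OR gates over independent basic events, converts the per-flight result to the usual average-probability-per-flight-hour figure, and checks it against the objective for the failure condition class the FHA assigned. It also shows two effects the text mentions but does not quantify: redundancy is bounded by the common-cause term, and an undetected (latent) failure of one channel, which 25.1309(d)(2) requires the analysis to consider, can move the result out of the acceptable band.

```python
import math
from dataclasses import dataclass

# Added worked example; not from the page or from AC 25.1309-1A itself.
# All rates, exposure times and the architecture below are constructed
# assumptions for illustration only.

# Quantitative objectives quoted in the text (average probability per flight
# hour).  The top-event probability must not exceed the limit for the failure
# condition class assigned by the FHA.  Minor has no quantitative requirement.
OBJECTIVE = {
    "catastrophic": 1e-9,
    "hazardous/severe-major": 1e-7,
    "major": 1e-5,
    "minor": None,
}


def qualitative_term(p_per_flight_hour: float) -> str:
    """Map a per-flight-hour probability to the AC's qualitative terms."""
    if p_per_flight_hour <= 1e-9:
        return "extremely improbable"
    if p_per_flight_hour <= 1e-5:
        return "improbable"
    return "probable"


@dataclass(frozen=True)
class Event:
    """Basic event with a constant failure rate over an exposure interval.

    exposure_hours is the flight duration for a failure that is detected
    (annunciated) when it occurs, or the inspection interval for a latent
    failure that can persist undetected across many flights.
    """
    name: str
    rate_per_hour: float
    exposure_hours: float

    def probability(self) -> float:
        # P(at least one failure in the interval) = 1 - exp(-lambda * t);
        # for lambda * t << 1 this is approximately lambda * t.
        return 1.0 - math.exp(-self.rate_per_hour * self.exposure_hours)


@dataclass(frozen=True)
class Gate:
    """AND / OR gate over statistically independent inputs."""
    kind: str
    inputs: tuple

    def probability(self) -> float:
        ps = [node.probability() for node in self.inputs]
        if self.kind == "AND":
            return math.prod(ps)                          # all inputs fail
        if self.kind == "OR":
            return 1.0 - math.prod(1.0 - p for p in ps)   # at least one fails
        raise ValueError(f"unknown gate kind {self.kind!r}")


# Constructed mission assumptions.
FLIGHT_HOURS = 5.0        # average flight duration
CHECK_INTERVAL = 2000.0   # inspection interval that bounds a latent failure


def loss_of_function_tree(latent_channel_b: bool) -> Gate:
    """Top event: loss of a dual-channel function.

    Loss requires both channels to fail (AND), OR a single common-cause
    event (a hypothetical shared power feed) that defeats the redundancy.
    """
    channel_a = Event("channel A fails", rate_per_hour=1e-4,
                      exposure_hours=FLIGHT_HOURS)
    channel_b = Event("channel B fails", rate_per_hour=1e-4,
                      exposure_hours=CHECK_INTERVAL if latent_channel_b
                      else FLIGHT_HOURS)
    common_cause = Event("shared power feed fails", rate_per_hour=1e-9,
                         exposure_hours=FLIGHT_HOURS)
    return Gate("OR", (Gate("AND", (channel_a, channel_b)), common_cause))


def assess(tree: Gate, flight_hours: float, failure_condition: str) -> dict:
    """Evaluate the tree and compare it with the objective for its class.

    Average probability per flight hour is approximated as the per-flight
    probability divided by the average flight duration.
    """
    per_flight = tree.probability()
    per_hour = per_flight / flight_hours
    limit = OBJECTIVE[failure_condition]
    return {
        "per_flight": per_flight,
        "per_flight_hour": per_hour,
        "term": qualitative_term(per_hour),
        "meets_objective": limit is None or per_hour <= limit,
    }


if __name__ == "__main__":
    for latent in (False, True):
        tree = loss_of_function_tree(latent_channel_b=latent)
        for cls in ("catastrophic", "hazardous/severe-major", "major"):
            r = assess(tree, FLIGHT_HOURS, cls)
            print(f"latent B={latent!s:5}  {cls:22}  "
                  f"{r['per_flight_hour']:.2e}/fh  {r['term']:20}  "
                  f"meets={r['meets_objective']}")
```

With both channel failures detected in flight, the constructed tree comes out at roughly 5 × 10−8 per flight hour: improbable, so it would satisfy a hazardous/severe-major or major classification but not a catastrophic one. If channel B's failure is latent and only caught at a 2000-hour inspection, the same hardware yields roughly 1.8 × 10−5 per flight hour, which is probable and fails even the major objective. Note also that if both channel rates were driven to zero the common-cause event alone would leave the top event at 1 × 10−9 per flight hour, which is why the common cause analysis in the fail-safe objectives above is not optional for a catastrophic function.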

As system or component complexity increases, the ability to perform qualitative and quantitative assessments of system or component failures becomes more and more difficult. The FARs for systems and equipment and the associated Advisory Circular came about in the era of electrical and mechanical systems with comparatively low complexity. As system and component complexity increased, the industry recognized the need to provide a means of compliance to the FARs that considered the increasing complexity.

In 1996, ARP4754 was written to address highly integrated electronic systems, especially those with significant functionality implemented in software. ARP4754 addresses development assurance for a system, where development assurance results in a system that satisfies its certification basis and from which errors have been detected and removed. Development assurance uses a development methodology with planned and systematic actions, in conjunction with qualitative and quantitative assessments, to ensure that the system is fail-safe and that each failure condition meets its probability-of-occurrence objective.

The 1996 version of ARP4754 references RTCA/DO-178B for the software aspects and the document that would become DO-254 for the complex electronic hardware aspects of system development. RTCA/DO-254 was subsequently published in April 2000. The FAA published the Advisory Circular for complex custom micro-coded components, AC 20-152, in June 2005. AC 20-152 recognizes DO-254 as an acceptable means of compliance to the FARs for complex electronic hardware. As stated in AC 20-152, “By following the guidance and procedures outlined in RTCA/DO-254, you have assurance that the hardware design performs its intended functions within the environment it was designed for, and the assurance of meeting all the applicable airworthiness requirements.” [9] Notice that this language wraps back around to the FARs and the Advisory Circulars:

•  FAR 25.1301 states that installed equipment must function properly, and FAR 25.1309 states that equipment must perform its intended function.

•  AC 20-152 states that if DO-254 is used, then there is assurance that complex electronic hardware will perform its intended function.

•  FAR 25.1309 states that equipment must perform its intended function under all foreseeable operating conditions.

•  AC 20-152 states that if DO-254 is used, then there is assurance that complex electronic hardware will perform its intended function in the environment for which it was designed.

•  AC 25.1309 states that qualitative and quantitative analysis should be used for catastrophic and hazardous/severe-major failure conditions. The AC also gives probabilities for all categories of failure conditions. AC 25.1309 is a means of compliance to FAR 25.1309.

•  AC 20-152 states that if DO-254 is used then there is assurance of meeting applicable airworthiness requirements.

Advisory Circular 20-152, published in June 2005, addresses RTCA/DO-254, Design Assurance Guidance for Airborne Electronic Hardware for 14 CFR Parts 21, 23, 25, 27, 29, and 33. DO-254 can be used for compliance to Federal Aviation Regulations for:

•  Products and Parts

•  Normal, Utility, Acrobatic, and Commuter Category Airplanes

•  Transport Category Airplanes

•  Normal Category Rotorcraft

•  Transport Category Rotorcraft

•  Aircraft Engines

GUIDANCE MATERIALS

Guidance is information that explains how to comply with certification requirements and aviation regulations. FAA Advisory Circular 20-152 recognizes the guidance in DO-254 for complex custom micro-coded components with hardware design assurance levels of A, B, and C (i.e., the IDAL). The types of components covered by AC 20-152 include ASICs, PLDs, FPGAs, and similar components.

The guidance in DO-254 is applicable to line replaceable units (LRU), circuit cards or circuit boards, programmable logic devices including CPLDs, ASICs, and FPGAs, and COTS components. While DO-254 has a broad scope, AC 20-152 limits the scope to complex custom micro-coded components. The guidance in DO-254 represents industry consensus on design assurance for airborne electronic hardware. DO-254 also incorporates best practices for design assurance identified by the aviation and electronics industry.

Guidance in DO-254 covers a variety of topics including:

•  Hardware standards

•  Hardware design life cycle data

•  Additional design assurance techniques for design assurance (IDAL) A and B functions

•  Previously developed hardware

•  Tool assessment and qualification

•  Use of COTS components

•  Product service experience

•  Hardware safety assessment

•  Design assurance strategy, including consideration for design assurance (IDAL) A and B functions

•  Planning process

•  Requirements capture

•  Conceptual design

•  Detailed design

•  Implementation

•  Production transition

•  Validation process

FIGURE 2.3 DO-254 Relationship to CFR

•  Verification process including tests and reviews

•  Configuration management

•  Process assurance

•  Certification liaison and proposed means of compliance

The path to DO-254 from the Code of Federal Regulations is shown in Figure 2.3.

ISSUE PAPERS

The Federal Aviation Administration (FAA) uses Issue Papers to provide a structured means of accomplishing the necessary steps in the type certification and type validation processes. Type certification includes projects for type certificates, amended type certificates, type design changes, supplemental type certificates, and amended supplemental type certificates. Issue Papers provide a means for describing and tracking the resolution of significant technical, regulatory, and administrative issues that occur during a project. The Issue Paper process establishes a formal communication for significant issues between the applicant, a foreign civil aviation authority if applicable, and the FAA.

For type certification projects, Issue Papers help maintain a uniform, unbiased certification approach across applicants. They also form a valuable reference for future type certification programs and for the development of regulatory changes, because they record significant or precedent-setting technical decisions and the rationale behind them.

The Issue Paper process is documented in FAA Order 8110.112 [10], Standardized Procedures for Usage of Issue Papers and Development of Equivalent Levels of Safety Memorandums. The FAA maintains a Transport Airplane Issues List on its Web site for issues applicable to international validation and domestic certification projects.

The list identifies the subject “Assurance of Simple and Complex Electronic Hardware” for inclusion in certification programs. The description states that a means of compliance Issue Paper may be needed for most aircraft programs and modification projects for airborne systems containing electronic hardware components.

Current FAA certification programs use an Issue Paper to cover topics relevant to airborne electronic hardware. Contents of these Issue Papers are proprietary to the applicant. Foreign certification authorities have similar processes; e.g., EASA has a similar process that uses certification review items (CRI).

ORDERS

The FAA uses Orders to provide direction to the managers and staff of the FAA Aircraft Certification Service, including designated engineering representatives (DERs), and to organizations involved in the certification process described in Title 14 of the Code of Federal Regulations. Order 8110.105, Simple and Complex Electronic Hardware Approval Guidance, applies to programmable logic devices (PLDs).

Order 8110.105 supplements RTCA/DO-254 and gives guidance for approving both simple and complex custom micro-coded components. The topics covered, with the associated chapters and paragraphs of 8110.105, are:

•  Reviews and FAA involvement

    •  Chapter 2: How to review simple electronic hardware (SEH) and complex electronic hardware (CEH)

    •  Chapter 3: How much FAA involvement should apply to hardware projects

•  Topics for both SEH and CEH (Chapter 4)

    •  Paragraph 4-2: Modifiable components

    •  Paragraph 4-3: Certification plan

    •  Paragraph 4-4: Validation processes

    •  Paragraph 4-5: Configuration management

    •  Paragraph 4-6: Assessing and qualifying tools

    •  Paragraph 4-7: Approving hardware changes in legacy systems using RTCA/DO-254

    •  Paragraph 4-8: Acknowledging compliance to RTCA/DO-254 for TSO approvals that don’t reference RTCA/DO-254

    •  Paragraph 4-9: COTS intellectual property

•  Topics for SEH (Chapter 5)

    •  Paragraph 5-2: Verification processes

    •  Paragraph 5-3: Traceability

•  Topics for CEH (Chapter 6)

    •  Paragraph 6-2: Verification processes

    •  Paragraph 6-3: Traceability

Chapter 2 of Order 8110.105 describes reviews as part of the certification liaison process. Reviews may be conducted on-site at the applicant’s or supplier’s facility, or as a desk review. The four reviews, known as stage of involvement (SOI) reviews, are as follows:

•  SOI #1—Hardware planning review

•  SOI #2—Hardware design review

•  SOI #3—Hardware validation and verification review

•  SOI #4—Final review

SOI #1 is conducted when most of the plans and standards are complete and reviewed. SOI #2 is typically conducted when at least 50 percent of the hardware design data (requirements, design, and implementation) is complete and has been reviewed. SOI #3 is typically conducted when at least 50 percent of the hardware validation and verification data is complete and has been reviewed. SOI #4 occurs after the final hardware build and verification are complete, a hardware conformity review is done, and the application(s) is ready for formal system approval.

The depth and extent of FAA involvement in a project, including determination of when and where to conduct the SOI reviews, is determined by the hardware design assurance level and a score based on relevant criteria. Level A and B hardware require high or medium FAA involvement, Level C hardware requires medium or low FAA involvement, and Level D hardware requires low FAA involvement. The score derived from relevant criteria can range from 0 to 207. A score of less than 80 results in high FAA involvement for Level A and B, medium FAA involvement for Level C, and low FAA involvement for Level D hardware. A score of between 80 and 130 results in high FAA involvement for Level A, medium FAA involvement for Level B and C, and low FAA involvement for Level D hardware. A score of greater than 130 results in medium FAA involvement for Level A and B, and low FAA involvement for Level C and D hardware. The FAA involvement could be direct participation by an FAA engineer from an Aircraft Certification Office (ACO) or by a DER assigned and delegated for the project. Compliance organizations can use Authorized Representatives (AR) or Unit Members (UM) as the designated authority to perform oversight and reviews.

Stage of Involvement audits use the content of the Airborne Electronic Hardware Review Job Aid [11] as a reference tool during the reviews. While the Job Aid is not intended to be used as a checklist, it often does serve as the de facto checklist during a review. Either way, applicants and developers are well advised to be familiar with the Job Aid questions, which can form the basis for project review forms or be used to conduct internal dry-run reviews before a formal FAA review is held.

The Job Aid also includes a description of tasks to be performed before, during, and after a hardware review in Part 2; a list of activities and questions to be considered during a review in Part 3; and an approach to the Findings and Observations to DO-254 objectives in Part 4.

REFERENCES

1.  Code of Federal Regulations, U.S. Government Printing Office, electronic version available at http://www.ecfr.gov

2.  Code of Federal Regulations, Title 14: Aeronautics and Space, Part 25—Airworthiness Standards: Transport Category Airplanes, Subpart F—Equipment, §25.1301 Function and Installation.

3.  Code of Federal Regulations, Title 14: Aeronautics and Space, Part 25—Airworthiness Standards: Transport Category Airplanes, Subpart F—Equipment, §25.1309 Equipment, Systems, and Installations.

4.  Code of Federal Regulations, Title 14: Aeronautics and Space, Part 21—Certification Procedures for Products and Parts, Subpart B—Type Certificates, §21.17 Designation of Applicable Regulations.

5.  Code of Federal Regulations, Title 14: Aeronautics and Space, Part 21—Certification Procedures for Products and Parts, Subpart D—Changes to Type Certificates, §21.101 Designation of Applicable Regulations.

6.  Code of Federal Regulations, Title 14: Aeronautics and Space, Part 21—Certification Procedures for Products and Parts, Subpart B—Type Certificates, §21.21 Issue of Type Certificate: Normal, Utility, Acrobatic, Commuter, and Transport Category Aircraft; Manned Free Balloons; Special Classes of Aircraft; Aircraft Engines; Propellers.

7.  Advisory Circular AC 25.1309-1A, System Design and Analysis, Federal Aviation Administration, June 1988.

8.  RTCA DO-160F, Environmental Conditions and Test Procedures for Airborne Equipment, RTCA Inc., Washington, D.C., 2000.

9.  Advisory Circular AC 20-152, RTCA, Inc., Document RTCA/DO-254, Design Assurance Guidance for Airborne Electronic Hardware, Federal Aviation Administration, June 2005, p. 1.

10.  Order 8110.112, Standardized Procedures for Usage of Issue Papers and Development of Equivalent Levels of Safety Memorandums, Federal Aviation Administration, June 2010.

11.  Conducting Airborne Electronic Hardware Reviews Job Aid, Aircraft Certification Service, Federal Aviation Administration, February 2008.
