23.2 Regulatory Basis of the Federal Aviation Administration
23.3 FAA Approvals of Avionics Equipment
Technical Standard Order • Supplemental Type Certificate • Type Certificate, Amended Type Certificate, and Service Bulletin
23.4 FAA Designees
23.5 System Requirements
23.6 Safety Assessment
23.7 Environmental Qualification
23.8 Software Assurance
23.9 Manufacturing Approvals
23.10 The Joint Aviation Authorities
23.11 Summary
Defining Terms
Further Information
Almost all aspects of the design, production, and operation of civil aircraft are subject to extensive regulation by governments. This chapter describes the most significant regulatory involvement a developer is likely to encounter in the certification of avionics.
Certification is a critical element in the safety-conscious culture on which civil aviation is based. The legal purpose of avionics certification is to document a regulatory judgment that a device meets all applicable regulatory requirements and can be manufactured properly. At another level, beneath the legal and administrative machinery of regulatory approval, certification can be regarded differently. It can be thought of as an attempt to predict the future. New equipment proposed for certification has no service history. Certification tries, in effect, to provide credible predictions of future service experience for new devices — their influences on flight crews, their safety consequences, their failure rates, and their maintenance needs. Certification is not a perfect predictor, but historically it has been quite a good one.
In this chapter, for the most part, certification activities appropriate to the U.S. Federal Aviation Administration (FAA) are discussed. However, be aware that the practices of civil air authorities elsewhere, while generally similar to those of the FAA, often differ in detail or scope. Toward the end of this chapter, some differences between the FAA and the European Joint Aviation Authorities, or JAA, headquartered in Hoofddorp, the Netherlands, will be illustrated.
Expensive misunderstandings can result from differences among regulators. Moreover, the rules and expectations of every authority, the FAA included, change over time. For current guidance, authoritative sources should be consulted.
This chapter discusses the following topics:
• The Technical Standard Order (TSO) system for equipment approval
• The Supplemental Type Certificate (STC) system for aircraft modification
• Use of FAA designees in lieu of FAA personnel
Conceptually, the certification of avionics is straightforward, indeed almost trivial: the applicant simply defines the product, establishes its regulatory requirements, and demonstrates that those requirements have been met. The reality is, of course, more problematic.
It is a truism that for any proposed avionics system a suitable market must exist. As with any commercial pursuit, adequate numbers of avionics units must be sold at margins sufficient to recover investments made in the product. Development costs must be controlled if the project is to survive. Warranty and support costs must be predicted and managed. The choices made in each of these areas will affect and be affected by certification.
This chapter is an introduction to certification of avionics. It is not a complete treatment of the subject. Some important topics are discussed only briefly. Many situations that come up in real-life certification projects are not addressed.
Good engineering should not be confused with good certification. A new avionics device can be brilliantly conceived and flawlessly designed, yet ineligible for certification. Good engineering is a prerequisite to good certification, but the two are not synonymous.
Certification has a strong legalistic element and is more craft than science. Almost every project raises some odd regulatory-approval quirk during its development. Certification surprises are rarely pleasant, but surprises can be minimized or eliminated by maintaining open and honest communication with the cognizant regulators.
23.2 Regulatory Basis of the Federal Aviation Administration
The FAA, created in 1958, acts primarily through publication and enforcement of the Federal Aviation Regulations, or FARs. FARs are organized by sections known as Parts. The FAR Parts covering most avionics-related activity are listed below:
• Part 1 — Definitions and Abbreviations
• Part 21 — Certification Procedures for Products and Parts
• Part 23 — Airworthiness Standards: Normal, Utility, Acrobatic, and Commuter Category Airplanes
• Part 25 — Airworthiness Standards: Transport Category Airplanes
• Part 27 — Airworthiness Standards: Normal Category Rotorcraft
• Part 29 — Airworthiness Standards: Transport Category Rotorcraft
• Part 33 — Airworthiness Standards: Aircraft Engines
• Part 34 — Fuel Venting and Exhaust Emission Requirements for Turbine Engine-Powered Airplanes
• Part 91 — General Operating and Flight Rules
• Part 121 — Operating Requirements: Domestic, Flag, and Supplemental Operations
• Part 183 — Representatives of the Administrator
Only a subset of these regulations will apply to any given project. Much of the job of managing a certification program well lies in identifying the complete but minimum set of regulations applicable to a project.
23.3 FAA Approvals of Avionics Equipment
The FARs provide several different forms of approval for electronic devices installed aboard civil aircraft. Of these, most readers will be concerned primarily with approvals under the Technical Standard Order (TSO) system, approvals under a Supplemental Type Certificate (STC), or approvals as part of a Type Certificate, Amended Type Certificate, or Service Bulletin.*
23.3.1 Technical Standard Order
An approval under the Technical Standard Order (TSO) system is common. TSOs are regulatory instruments that recognize the broad use of certain classes of products, parts, and devices. TSOs apply to more than avionics; they can apply to any product with the potential for wide use, from seat belts and fire extinguishers to tires and oxygen masks. Indeed, that is the guiding principle behind TSOs — they must be widely useful. Considerable FAA effort goes into the sponsorship and adoption of a TSO. The agency would have little interest in publishing a TSO for a device with limited application.
TSOs contain product specifications, required data submittals, marking requirements, and various instructions and limitations. Many TSOs are associated with avionics: flight-deck instruments, communications radios, ILS receivers, navigation equipment, collision avoidance systems, and flight data recorders, to name just a few.
TSO-C113, “Airborne Multipurpose Electronic Displays,” is representative of avionics TSOs. Electronic display systems are used for various purposes: display of attitude, airspeed, or altitude, en route navigation display, guidance during precision approach, display of engine data or aircraft status, maintenance alerts, passenger entertainment, and so on. The same physical display device could potentially be used for any or all of these functions, and on many different aircraft types. Recognizing this broad applicability, the FAA published TSO-C113 so that developers could more easily adapt a generic display device to a variety of applications. TSO-C113 is typical, calling out requirements for the following data:
• References to related regulations, data, and publications
• Requirements for environmental testing
• Requirements for software design assurance
• Requirements for the marking of parts
• Installation procedures and limitations
*Newly developed equipment has sometimes been installed as part of a field approval under an FAA Form 337,
though this has become rarer and is disallowed in most cases.
When an avionics manufacturer applies for a TSO approval, and the manufacturer’s facilities and data comply with the terms of the TSO, the manufacturer receives a TSO Authorization from the FAA. A TSO Authorization represents approval of both design data and manufacturing rights. That is, the proposed device is deemed to be acceptable in its design, and the applicant has demonstrated the ability to produce identical units.
In TSO-based projects, the amount of data actually submitted to the FAA varies by system type, by the FAA’s experience with particular applicants, and by FAA region. In one case, an applicant might be required to submit a great deal of certification data; in another, a one-page letter from an applicant might be adequate for issuance of a TSO Authorization. On any new project, it is unwise to presume that all regulatory requirements are known. Consistency is a high priority for the FAA, but regional differences among agency offices do exist. Early discussion with the appropriate regulators will ensure that the expectations of agency and applicant are mutually understood and agreed on.
For more information on TSOs, see FAA Advisory Circular 20-110J, “Index of Aviation Technical Standard Orders;” FAA Order 8110.31, “TSO Minimum Performance Standard;” and FAA Order 8150.1, “Technical Standard Order Procedures.”
Note that a TSO does not grant approval for installation in an aircraft. Although data approved under a TSO can be used to support an installation approval, the TSO Authorization itself applies only to the equipment in question. Installation approvals must be pursued through other means (see next section) and are not necessarily handled by an avionics equipment manufacturer.
23.3.2 Supplemental Type Certificate
A Supplemental Type Certificate (STC) is usually granted to someone other than the aircraft manufacturer, who wishes to modify the design of an existing aircraft. Retrofits and upgrades of avionics equipment are common motivations for seeking STC approvals from the FAA.
In an STC, the applicant is responsible for all aspects of an aircraft modification. Those aspects typically
• Formal application for a Supplemental Type Certificate (STC)
• Negotiation of the certification basis of the relevant aircraft with the FAA
• Identification of any items requiring unusual regulatory treatment
• Performance of all analyses specified in the certification plan
• Coordination with the FAA throughout the project
• Physical modification of aircraft configuration
• Performance of all conformity and compliance inspections
• Performance of all required lab, ground, and flight testing
• Preparation of flight manual supplements
• Preparation of instructions needed for continued airworthiness
• Preparation of a certification summary
An applicant for an STC must be “a U.S. entity,” although the exact meaning of this phrase is not always clear. One common case is that of a nominally foreign firm with an office in the U.S. It is acceptable to the FAA for that U.S.-based office to apply for and hold an STC.
An applicant for an STC begins the process officially by completing and submitting FAA Form 8110-12, “Application for Type Certificate, Production Certificate, or Supplemental Type Certificate,” to the cognizant FAA Aircraft Certification Office. Accompanying the application should be a description of the project and the aircraft type(s) involved, the project schedule, a list of locations where design and installation will be performed, a list of proposed Designees (discussed later in this chapter), and, if desired, a request for an initial meeting with the FAA. The FAA will assign a project number, appoint a manager for the project, schedule a meeting if one was requested, and send to the applicant an acknowledgment letter with these details.
The applicant must determine the certification basis of the aircraft to be modified. The certification basis is the sum of all applicable FAA regulations (at specified amendment levels) and any binding guidance that apply to the aircraft and project in question. Regulations tend to become more stringent over time, and complying with later rules may be more time-consuming and expensive than with earlier rules.
A certification basis is established by reference to the Type Certificate Data Sheet (TCDS) for each affected aircraft and through negotiation with the FAA. For example, an applicant might propose that a certification basis be those rules in effect at the time of original aircraft certification, whereas the FAA may require the applicant to comply with regulations in effect at the time of STC application. The differences between these two positions can be numerous and significant. Except in the simplest cases, they are a crucial topic for early discussions with the FAA.
Complex avionics systems, extensive aircraft modifications, and novel system architectures all raise the odds that something in a project will be unusual and will not fit neatly into the normal regulatory framework. For such activities, an applicant might wish to propose compliance based on other regulatory mechanisms: alternative means of compliance, findings of equivalent safety, exemptions, or special conditions. If so, generic advice is largely useless. By their nature, these activities are unusual and require close coordination with the FAA.
An STC applicant must prepare a certification plan. The plan should include the following:
• A brief description of the modification and how compliance is to be substantiated
• A summary of the Functional Hazard Assessment (see “Safety Assessment” later in this chapter)
• A list of proposed compliance documentation, including document numbers, titles, authors, and approving or recommending Designees, if applicable (the role of Designees is described in more detail later in this chapter)
• A compliance checklist, listing the applicable regulations from the certification basis, their amendment number, subject, means of compliance, substantiating documents, and relevant Designees
• A definition of Minimum Dispatch Configuration
• If used, a list of the proposed FAA Designees, including name, Designee number, appointing FAA office, classification, authorized areas, and authorized functions
• A project schedule, including dates for data submittals, test plan submittals, tests (with their locations), conformity inspections, installation completion, ground and flight testing, and project completion
Some FAA Aircraft Certification Offices require all Designated Engineering Representatives (see next section) participating in a project to sign an FAA Form 8110-3, “Statement of Compliance with the Federal Aviation Regulations,” recommending approval of a certification plan.
Extensive analysis and testing are generally required to demonstrate compliance. Results of these analyses and tests must be preserved. Later in this chapter, three of the most important of these activities — safety assessments, environmental qualification, and software assurance — will be discussed along with another engineering topic, development and handling of system requirements.
The FAA’s involvement in an STC is a process, not an act. Most FAA specialists support multiple projects concurrently, and matching the schedules of applicant and agency requires planning. This planning is the applicant’s responsibility. Missed deadlines and last-minute surprises on the part of an applicant can result in substantial delays to a project, as key FAA personnel are forced to reschedule their time, possibly weeks or months later than originally planned.
The STC process assumes modification of at least one prototype aircraft. It is in the aircraft modification that all the engineering analysis — aircraft performance, structural and electrical loading, weight and balance, human factors, and so on — comes together. Each component used in an aircraft modification must either be manufactured under an approved production system or examined formally for conformance to its specifications. This formal examination is known as “parts conformity inspection.” A completed aircraft modification is then subject to an “installation conformity inspection.” In complex installations or even complex parts, progressive conformity inspections may be required. Conformity inspections are conducted by an FAA Inspector or a Designee authorized by the FAA — a Designated Manufacturing Inspection Representative (DMIR) or Designated Airworthiness Representative (DAR) (see next section).
Compliance inspections, as distinct from conformity inspections, verify through physical inspection that a modification complies with the applicable FARs. Typical of compliance inspections is an examination of modified wiring on an aircraft. A compliance inspection is conducted by an FAA engineer or authorized Designated Engineering Representative (again, see next section).
For significant projects involving ground and flight testing, the FAA will issue a Type Inspection Authorization (TIA). The TIA details all the inspections, ground tests, and flight tests necessary to complete the certification program. Prior to issuing a TIA, the FAA should have received and reviewed all of the descriptive and compliance data for the project. The FAA has recently added an item to its TIA procedures: the flight test risk assessment. The risk assessment seeks to identify and mitigate any perceived risks in flight tests that include FAA personnel, based on data supplied by the applicant.
New avionics equipment installed as part of an STC will usually impose new and different procedures on flight crews. An applicant will, in most cases, document new procedures in a supplement to an approved flight manual. In complex cases, it may also be necessary to provide a supplement to an operations manual.
An applicant must provide instructions for the continued airworthiness of a modified airplane. Penetrations of the pressure vessel by, say, wiring or tubing may require periodic inspection. Actuators associated with a new subsystem may need scheduled maintenance. Instructions for continued airworthiness are usually a supplement to a maintenance manual but may also include supplements to an illustrated parts catalog, a structural repair manual, structural inspection procedures, or component maintenance manuals.
Much of this discussion has been more applicable to transport aircraft than to smaller aircraft. Regulatory requirements for the smaller (FAR Part 23) aircraft are, in some respects, less stringent than for transport aircraft. Yet even for transports, not everything described above is required in every circumstance. Early discussion between applicant and regulator is the quickest way to determine what actually needs to be done.
Some avionics developers may find it desirable to pursue an STC through an organization called a Designated Alteration Station (DAS). A DAS can, if properly authorized by the FAA, perform all the work associated with a given aircraft modification and issue an STC. In this approach, the developer might not deal with FAA personnel at all. Key issues are ownership of the STC rights and handling of production approvals.
For more information on STCs, see FAA Advisory Circular 21-40, “Application Guide for Obtaining a Supplemental Type Certificate.” For more information on DASs, see FAA Advisory Circular 21.431-1A, “Designated Alteration Station Authorization Procedures.”
23.3.3 Type Certificate, Amended Type Certificate, and Service Bulletin
Approvals as part of a Type Certificate, Amended Type Certificate, or Service Bulletin are tied to the certification activities of airframers or engine manufacturers. For development programs involving these kinds of approvals, an avionics supplier’s obligations are roughly similar to those imposed by an STC project, though detailed requirements can vary greatly. Avionics suppliers participating in an aircraft- or engine-development program can and should expect to receive certification guidance from the manufacturer of the aircraft or engine. Hence, these cases will not be considered further here.
23.4 FAA Designees
In the U.S., any applicant may deal directly with the FAA. Unlike many other civil air authorities, the FAA does not collect fees for its services from applicants. However (and also unlike other agencies), the FAA can at its discretion appoint individuals who meet certain qualifications to act on its behalf. These appointees, called Designees, receive authorizations under FAR Part 183 and act in a variety of roles. Some are physicians authorized to issue medical certificates to pilots. Others are examiners authorized to issue licenses to new pilots. Still others are inspectors authorized to approve maintenance work.
Avionics developers are most likely to encounter FAA Designated Engineering Representatives (DERs) and either Designated Manufacturing Inspection Representatives (DMIRs) or Designated Airworthiness Representatives (DARs).
All Designees must possess authorizations from the FAA appropriate to their activities. DERs can approve engineering data just as the FAA would. Flight Test Pilot DERs can conduct and approve the results of flight tests in new or modified aircraft. DMIRs and DARs can perform conformity inspections of products and installations, and DARs can issue Airworthiness Certificates. When acting in an authorized capacity, a Designee is legally a representative of the FAA; in most respects, he or she is the FAA for an applicant’s purposes. Nevertheless, there are practical differences in conduct between the FAA and its Designees.
The most obvious difference is that an applicant actually hires and pays a Designee, and thus has more flexibility in managing his or her time on the project. The resulting benefits in project scheduling can more than offset the costs of the Designee. In addition, experienced Designees can be sources of valuable guidance and recommendations. The FAA, by contrast, restricts itself to findings of compliance. That is, the agency will simply tell an applicant whether or not submitted data complies with the regulations. If data are judged noncompliant, the FAA will not, in most cases, tell an applicant how to bring it into compliance. A Designee, however, can assist an applicant with recovery strategies or, better yet, steer an applicant toward compliant approaches in the first place.
The FAA often encourages the use of Designees by applicants. An applicant must define and propose the use of Designees, by name, to the FAA Aircraft Certification Office (ACO) for each project. If the proposed Designees are acceptable to the ACO, the ACO will coordinate with its manufacturing counterpart and delegate certain functions to the specified Designees. Those Designees are then obliged to act as surrogates for the relevant FAA personnel on that project, providing oversight and ultimately approving or recommending approval of compliant data.
Although an applicant’s use of Designees is discretionary, the realities of the FAA workload and scheduling may make the use of Designees a pragmatic necessity. Whenever Designees are considered for inclusion in a project, their costs and benefits should be evaluated with the same care devoted to any other engineering resource. For more information, see FAA Order 8100.8, “Designee Management Handbook;” FAA Order 8110.37C, “Designated Engineering Representatives (DER) Guidance Handbook;” and FAA Order 8130.28A, “Airworthiness Designee Management Program.”
This chapter has so far dealt mainly with the definitions and practices of FAA regulation. There is, of course, a great deal of engineering work to be done in any avionics development. Four engineering topics of great interest to the FAA are the handling of system requirements, performance of a safety assessment, environmental qualification, and software assurance.
23.5 System Requirements
Avionics developers must document the requirements of their proposed systems, ideally in ways that are easily controlled and manipulated. Many experienced practitioners regard the skillful capture of requirements as the single most important technical activity on any project. A system specification is the basis for descriptions of normal and abnormal operation, functional testing, training and maintenance procedures, and much else. A brief treatment of the topic here does not imply that it can be approached superficially. On the contrary, system specification is so important that a large body of literature exists for it elsewhere (see Chapter 21 for a starting point). Requirements definition is supported by many acceptable methods. Each company evolves its own practices in this area.
Over the years, many types of avionics systems have come to be described by de facto requirements, easing the burden of both engineering and certification. New systems, though, are free to differ from tradition in arbitrary ways. Applicants should expect such differences to be scrutinized closely by regulators and customers, who may demand additional justification and substantiation for the changes.
Proper requirements are the foundation for well-designed avionics. Whatever the sources of requirements, and whatever the methods used for their capture and refinement, an applicant must be able to demonstrate that a new system’s requirements — performance, safety, maintenance, continued airworthiness, and so on — have been addressed comprehensively. Some projects simply tabulate requirements manually, along with the means of compliance for each requirement. Others implement large, sophisticated databases to control requirements and compliance information. Compliance is generally shown through analysis, test, inspection, demonstration, or some combination thereof.
23.6 Safety Assessment
Early in a project — the earlier the better — developers should consider the aircraft-level hazards associated with their proposed equipment. This is the first of possibly several steps in a safety assessment of a new system.
There is an explicit correlation between the severity of a system’s hazards and the scrutiny to which that system is subjected. With a few notable exceptions,* systems that are inconsequential from a safety standpoint receive little attention. Systems whose improper operation can result in aircraft damage or loss of life receive a great deal of attention and require correspondingly greater engineering care and substantiation.
Unsurprisingly, there is an inverse relationship between the severity of a system’s hazards and the frequency with which those hazards can be tolerated. Minor annoyances might be tolerable every thousand or so flight hours. Catastrophic hazards, by contrast, must occur less frequently than once in every billion flight hours. In addition, the regulations for transport aircraft require that no single failure, regardless of probability, result in a catastrophic hazard, implying that any such hazard must arise from two or more independent failures occurring together.
Initial considerations of hazards should be formalized in a Functional Hazard Assessment (FHA) for the proposed system. An FHA should address hazards only at levels associated directly with operation of the system in question. For example, an autopilot FHA would consider the hazards of an uncommanded hardover or oscillation of a control surface. A display-system FHA would consider the hazards of blank, frozen, and active-but-misleading displays during various phases of flight.
In general, if an FHA concludes that misbehavior of a system has little or no effect on continued safe flight and landing, no further work is needed for the safety assessment. On the other hand, if the FHA confirms that a system can pose nontrivial risk to the aircraft or its occupants, then investigation and analysis must continue. The additional work, if needed, will likely involve preparation of a Preliminary System Safety Assessment, Fault Tree Analysis, Failure Modes and Effects Analysis, Common Cause Analysis, and a final System Safety Assessment.
*For example, failures of flight data recorders, cockpit voice recorders, and emergency locator transmitters have no effect on continued safe flight and landing. Conventional safety-assessment reasoning would dismiss these devices from failure-effect considerations. However, the systems obviously perform important functions, and the FAA defines them as worthy of more attention than suggested by a safety assessment. For more discussion of this topic, refer to Software Assurance in this chapter for a description of software levels assigned to flight data recorders.
In the absence of a specific aircraft installation, assumptions must be made regarding avionics usage to make progress on a safety assessment. This is true in TSO approvals, for example, if design assurance levels are not specified in the TSO or if developers contemplate hazards or usage different from those assumed in the TSO. There are pitfalls* in unthinking acceptance and use of generic hazard classifications and software levels (see Software Assurance later in this chapter and in Chapter 27), even for standard products.
Technologies can change quickly; regulations cannot. The gap between what is technically possible and what can be approved sometimes leads to conflicting requirements, bewildering difficulties, and delays in bringing to market devices that offer improvements to safety, operating economics, or both. The solution is early agreement with the appropriate regulators concerning the requirements applicable to a new device.
The details of safety assessments are outside the scope of this chapter. For an introduction to safety-related analysis, refer to the following:
• ARP4754 — Systems Integration Requirements Guidelines; Society of Automotive Engineers Inc.,
• ARP4761** — Guidelines and Tools for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment; Society of Automotive Engineers Inc., 1994
• NUREG-0492 — Fault Tree Handbook; U.S. Nuclear Regulatory Commission, 1981
• FAA Advisory Circular 25.1309-1A — System Design Analysis, 1988
• FAA Advisory Circular 23.1309-1C*** — Equipment, Systems, and Installations in Part 23 Air-
• Safeware: System Safety and Computers — Nancy G. Leveson, Addison-Wesley Publishing Com-
• Systematic Safety: Safety Assessment of Aircraft Systems — Civil Aviation Authority (UK), 1982
Customers routinely demand that some failures, even those associated with minor hazards, be less frequent than required by regulation — that is, the customer’s requirement is more stringent than the FAA’s. Economic issues such as dispatch reliability and maintenance costs are the usual motivation, and meeting the customer’s specification automatically satisfies the regulatory requirement.
Some TSOs refer to third-party guidance material, usually in the form of equipment-performance specifications from organizations such as RTCA**** and the Society of Automotive Engineers. TSOs, Advisory Circulars, and these third-party specifications can explicitly call out hazard levels and software assurance levels. If such prescriptions apply to a given project, developers may simply adopt the prescriptions given for use in their own safety assessments. Developers, of course, must still substantiate their claims to the prescribed levels.
In addition to a safety assessment, an analysis of equipment reliability may be required to predict average times between failures of the equipment. Although this analysis is often performed by safety analysts, the focus is different. Whereas a safety assessment is concerned with the operational consequences and probabilities of system failures, a reliability analysis is concerned with the frequency of failures of particular components in a system.
*A given TSO might specify a software level (see Software Assurance section in this chapter), and a TSOA could certainly be granted on that basis. However, actual installation of such a device on an aircraft might require a higher software level. For example, an airspeed sensor containing Level C software could be approved under TSO-C2d, but the sensor could not then be used to supply a transport aircraft with primary air data, because that function requires Level A software.
**ARP 4754 and ARP 4761 are expected to be recognized by a new FAR/JAR advisory circular, AC/ACJ 25.1309-1B. At this writing, the advisory circular has not been adopted.
***An applicant developing avionics exclusively for general aviation airplanes should pay special attention to Advisory Circular 23.1309-1C. The Advisory Circular offers regulatory relief from many requirements that would otherwise apply. In particular, for some functions on several classes of small airplanes it allows software assurance at lower levels than would be the case for transport aircraft.
****RTCA Inc., formerly known as Radio Technical Corporation of America, is a nonprofit association of U.S.-based aeronautical organisations from both government and industry. RTCA seeks sound technical solutions to problems involving the application of electronics and telecommunications to aeronautical operations. RTCA tries to resolve such problems by mutual agreement of its members (cf
23.7 Environmental Qualification
Environmental qualification is invariably required of avionics. The standard in this area is RTCA/DO-160D, “Environmental Conditions and Test Procedures for Airborne Equipment” (RTCA, 1997). DO-160D specifies testing for temperature range, humidity, crashworthiness, vibration, susceptibility to radiated and conducted radio frequencies, lightning tolerance, and other environmental factors.
It is the responsibility of applicants to identify environmental tests appropriate to their systems. Whenever choices for environmental testing are unclear, guidance from FAA personnel or DERs is in order.
To receive certification credit, environmental testing must be performed on test units whose configurations are controlled and acceptable for the tests in question. Conformity inspection may be necessary for test articles not manufactured in accordance with a production approval. An approved test plan, test setup conformity inspection, and formal witnessing of tests by FAA specialists or Designees are often required. In all cases, an applicant must document and retain evidence of equipment configurations, test setups, test procedures, and test results.
For further information on environmental testing, see Chapter 25.
23.8 Software Assurance
Software has become increasingly important in avionics development and has assumed a correspondingly higher profile in certification. It is frequently the dominant consideration in certification planning.
Regulatory compliance for software can be shown by conforming to the guidelines described in RTCA/DO-178B, “Software Considerations in Airborne Systems and Equipment Certification” (RTCA, 1992). DO-178B was developed jointly by RTCA and the European Organisation for Civil Aviation Equipment (EUROCAE).*
*RTCA/DO-178B is equivalent to EUROCAE/ED-12B, “Considerations sur le Logiciel en Vue de la Certification des Systemes et Equipments de Bord.” (EUROCAE, 1992.)
DO-178B is not a development standard for software. It is an assurance standard. DO-178B is neutral with respect to development methods. Developers are free to choose their own methods, provided the results satisfy the assurance criteria of DO-178B in the areas of planning, requirements definition, design and coding, integration, verification, configuration management, and quality assurance.
DO-178B defines five software levels, A through E, corresponding to hazard classifications derived from the safety assessment discussed earlier. At one extreme, Level A software is associated with functions whose anomalous behavior could cause or contribute to a catastrophic failure condition for the aircraft. Obvious examples of Level A software include fly-by-wire primary control systems and full-authority digital engine controllers. At the other extreme, passenger entertainment software is almost all Level E, because its failure has no safety-related effects.
A sliding scale of effort exists within DO-178B: the more critical the software, the more scrutiny that must be applied to it. Level A software generates more certification data than does Level B software, Level B generates more than does Level C, and so on.
Avionics customers sometimes insist on software assurance levels higher than those indicated by a safety assessment. This is purely a contractual matter. Confusion can be avoided by separating a customer’s contractual wishes from regulatory compliance data submitted to the FAA or to DERs. Certification submittals should be based on the safety assessment rather than on the contract. If a safety assessment concludes that a given collection of software should be Level C, but that software’s customer wants it to be Level B, then the applicant should submit to the FAA plans and substantiating data for Level C software. Any additional evidence needed to demonstrate contractual compliance to Level B should be an issue between supplier and customer. That evidence is not required for certification and should become a regulatory matter only in unusual circumstances.*
FAA guidance itself sometimes requires that software be assured to a level higher than indicated by the safety assessment. This is not uncommon in equipment required for dispatch but whose failures do not threaten continued safe flight and landing. For example, a flight data recorder must be installed and operating in most scheduled-flight aircraft, but failure of a recorder during a flight would have no effect on the ability of a crew to carry on normally. Thus, from a safety assessment viewpoint, a flight data recorder has no safety-related failure conditions. Based on that, the recorder’s software would be classified as Level E, implying that the software need not receive any FAA scrutiny. This, of course, violates common sense — the FAA plainly has a regulatory interest in the proper operation of flight data recorders. To resolve this mismatch, the FAA requires at least Level D compliance for any software associated with a dispatch-required function.
Digital technology predates DO-178B. Many software-based products were developed and approved before DO-178B became available. If an applicant is making minor modifications to equipment approved under an older standard, it may be possible to preserve that older standard as the governing criteria for the update. More frequently, the FAA will require new or changed software to meet the guidelines of DO-178B, with unchanged software “grandfathered” in the new approval. When transport airplanes are involved in such cases, an Issue Paper dealing with use of “legacy” software is likely to be included in the certification basis of the airplane by the FAA’s Transport Airplane Directorate. In a few cases, the FAA may require a wholesale rework of a product to meet current standards.
The question of how much software data to submit to the FAA arises routinely. It is impractical to consider submitting all software data to the FAA. An applicant can realistically submit only a fraction of the data produced during software development. Applicants should propose and negotiate that data subset with the FAA. Whether submitted formally or not, an applicant should retain and preserve all relevant data (see DO-178B, Section 9.4, as a starting point). The FAA can examine applicants’ facilities and data at any time. It is the applicant’s responsibility to ensure that all relevant data are controlled, archived, and retrievable.
For more information on software-assurance guidelines, see Chapter 27 of this book, the FAA software home page on the World Wide Web at 〈www.faa.gov/avr/air/air100/sware/sware.htm〉, and the supplemental information to DO-178B published by RTCA.
In recent years, the FAA has paid growing attention to programmable logic devices: application-specific integrated circuits, field-programmable gate arrays, and so on. Findings of compliance for these devices are often handled by FAA software specialists or delegated to DERs with software authorizations. The agency’s increased scrutiny is intended to ensure that acceptable processes are being followed during development of such devices. The FAA has a generic issue paper addressing compliance for the devices. If proposed electronic equipment contains programmable logic devices, an applicant should expect the FAA to tailor its generic issue paper to the project and to include the tailored issue paper in the certification basis of that project.
Though little guidance is available officially at this writing, applicants should also note that FAA concern has increased with respect to assurance of all avionics hardware design processes. A great deal of effort in industry and government has been spent to specify acceptable practices in this area, primarily through the joint efforts of RTCA Special Committee 180 and EUROCAE Working Group 46 (“Design Assurance Guidance for Airborne Electronic Hardware”). See RTCA document DO-254 (2000) for further information.
*It is usually prudent to avoid setting precedents of additional work beyond that required by regulations. Of course, applicants are always free to do additional work — developers often do, for their own reasons — and if the regulations seem inappropriate or inadequate, applicants should seek to improve the regulations. Precedents are powerful things, for both good and ill, in any regulatory regime. New precedents often have unintended and surprising consequences.
23.9 Manufacturing Approvals
It is not enough to obtain design approval for avionics equipment. Approval to manufacture and mark production units must be obtained as well. Parts manufactured in accordance with an approved production system do not require parts conformity inspections.
With a TSO, as explained earlier, the approvals of design and manufacturing actually go together. In order to receive a TSO Authorization, the applicant must demonstrate not just an acceptable prototype but also an ability to manufacture the article.
An STC holder must demonstrate production capabilities separately. After obtaining an STC approval the holder may apply for Parts Manufacturer Approval (PMA) authority to produce the parts necessary to support the STC. PMA approvals are issued by the FAA Manufacturing Inspection District Office responsible for the applicant. An STC applicant who will need subsequent PMA authority should plan and prepare for PMA from the beginning of a project. Alternatively, an STC holder may assign production rights to others, who would then hold PMA authority for the parts in question.
23.10 The Joint Aviation Authorities
The European Joint Aviation Authorities (JAA) is an influential aviation body internationally. The JAA represents European states (32 at this writing) that have agreed to cooperate in developing and implementing common safety standards and procedures for civil aviation. These standards and procedures are codified in the Joint Aviation Requirements (JARs).
Although the JAA develops and adopts JARs in the areas of aircraft operations, aircraft maintenance, and the licensing of aviation personnel, this chapter is mainly concerned with the JARs affecting aircraft design and certification. These include rules for the certification of airplanes (JAR-23, JAR-25), sailplanes and powered sailplanes (JAR-22), helicopters (JAR-27, JAR-29), engines (JAR-E), auxiliary power units (JAR-APU), and equipment (JAR-TSO).
There is a great deal of similarity between the JARs and the FARs, as well as between the JAA’s and FAA’s advisory material. Indeed, the JAA and the FAA made commitments in 1992 to harmonize “where appropriate, to the maximum extent possible” the JARs and FARs. The harmonization effort for airworthiness rules is expected to be completed in the year 2000. After that, the JAA and the FAA intend to engage in joint rulemaking to encourage the uniformity of new regulatory material. On at least four new aircraft programs, the JAA and the FAA have agreed to work together in a process dubbed “Cooperative and Concurrent Certification.”
Still, there are differences. The following list illustrates a few of the differences:
• The JAA is not a regulatory body. Whereas the FAA defines and enforces its rules under its own authority, JAA actions are carried out through its member states and their national authorities. For example, on a development program for a new aircraft or engine, the JAA member states will assign specialists to a Joint Certification Team that acts on behalf of all the JAA members. At the successful completion of the team’s evaluations, Type Certificates for the new aircraft or engine are issued not by the JAA itself, but by the member state. Thus, each Type Certificate remains a national artifact, subject to regulation by the national authority of the issuing state.
• Although JAA member countries have various forms of delegation to organizations, the JAA has no individual delegation mechanism equivalent to the FAA Designee system. Certification work is performed by JAA specialists directly or in concert with their counterparts at other non-JAA civil air authorities.
• Fees are charged to each applicant for JAA certification work.
• On some certification programs, the JAA and FAA have disagreed over the intensity of disruptive electromagnetic fields to which aircraft should be subjected during tests.
• The JAA requirements in some areas, such as operation with two engines failed on a three-engine airplane, and operation at negative load factors, differ from those of the FAA.
These examples are chosen largely at random. They serve only to illustrate that JAA/FAA harmonization is not complete. Any U.S. applicant whose certification project has a European or, for that matter, any other international component, should investigate the implications thoroughly.
23.11 Summary
Certification can be straightforward, but like any other developmental activity, it must be managed. At the beginning of a project, applicants should work with their regulators to define expectations on both sides. During development, open communication should be maintained among suppliers, customers, and regulators. In a well-run project, evidence of compliance with regulatory requirements will be produced with little incremental effort, almost as a side-effect of good engineering during the normal course of work. The cumulative result will, in the end, be a complete demonstration of compliance, soon followed by certification.
Regulatory officials, whether FAA employees or Designees, work best and are most effective when they are regarded as part of an applicant’s development team.
An applicant is obliged to demonstrate compliance with the applicable regulations, nothing more. However, partial information from an applicant can lead to misunderstandings and delays, and attempts to resolve technical disagreements with regulators through nontechnical means rarely have the desired effect.
In the past, regrettably, large investments have been made in systems that could not be approved by the FAA. In order to avoid such outcomes, applicants are well advised to hold early discussions with appropriate FAA personnel or Designees.
Defining Terms
: Legal recognition, through issuance of a certificate by a civil aviation authority, that a product, service, organization, or person complies with that authority’s requirements.
: The sum of all current regulations applicable to a given project at the time application is made to a civil aviation authority to begin a certification process.
: An individual authorized by the FAA under FAR Part 183 to act on behalf of the agency in
: Instrument administered by an FAA Directorate to define and control a substantial understanding between an applicant and the FAA, such as formal definition of a certification basis or a finding of equivalent safety, or to provide guidance on a specific topic, such as approval methods for programmable logic devices.
: Parts Manufacturer Approval, by which the FAA authorizes the production of parts for replacement and modification, based on approved designs.
: A modification to a certification basis, necessary if an applicant’s proposed design features or circumstances are not addressed adequately by existing FAA rules; in effect, a new regulation, administered by an FAA Directorate, following public notice and a public comment period of the proposed new rule.
: Supplemental Type Certificate, by which the FAA approves the design of parts and procedures developed to perform major modifications to the design of existing aircraft.
: Technical Standard Order Authorization, the mechanism by which the FAA approves design data and manufacturing authority for products defined by a Technical Standard Order (see also
Further Information
Certification Services, Inc.: www.certification.com
European Organisation for Civil Aviation Equipment (EUROCAE): www.eurocae.org
Federal Aviation Administration (FAA): www.faa.gov
Joint Aviation Authorities (JAA): www.jaa.nl
RTCA: www.rtca.org
Society of Automotive Engineers (SAE): www.sae.org