[Federal Register: May 3, 2007 (Volume 72, Number 85)]
[Notices]
[Page 24656-24674]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr03my07-124]
[[Page 24656]]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
Airworthiness Criteria: Airship Design Criteria for Zeppelin
Luftschifftechnik GmbH Model LZ N07 Airship
AGENCY: Federal Aviation Administration (FAA), DOT.
ACTION: Notice of availability of proposed design criteria and request
for comments
-----------------------------------------------------------------------
SUMMARY: This notice announces the availability of and requests
comments on the proposed design criteria for the Zeppelin
Luftschifftechnik GmbH model LZ N07 airship. The German aviation
airworthiness authority, the Luftfahrt-Bundesamt (LBA), forwarded an
application for type validation of the Zeppelin Luftschifftechnik GmbH
(ZLT) model LZ N07 airship on October 1, 2001. The airship will meet
the provisions of the Federal Aviation Administration (FAA) normal
category for airships operations and will be certificated for day and
night visual flight rules (VFR); additionally, an operator of this
airship may petition for exemption to operate the airship in other
desired operations.
DATES: Comments must be received on or before June 4, 2007.
ADDRESSES: Send all comments on the proposed design criteria to:
Federal Aviation Administration, Attention: Mr. Karl Schletzbaum,
Project Support Office, ACE-112, 901 Locust, Kansas City, Missouri
64106. Comments may be inspected at the above address between 7:30 a.m.
and 4 p.m. weekdays, except Federal holidays.
FOR FURTHER INFORMATION CONTACT: Mr. Karl Schletzbaum, 816-329-4146.
SUPPLEMENTARY INFORMATION:
Comments Invited
Interested persons are invited to comment on the proposed design
criteria by submitting such written data, views, or arguments as they
may desire. Commenters should identify the proposed design criteria on
the Zeppelin Luftschifftechnik GmbH model LZ N07 airship and submit
comments, in duplicate, to the address specified above. All
communications received on or before the closing date for comments will
be considered by the Small Airplane Directorate before issuing the
final design criteria.
Discussion
Background
Under the provisions of the Bilateral Aviation Safety Agreement
(BASA) between the United States and Germany, the German aviation
airworthiness authority, the Luftfahrt-Bundesamt (LBA), forwarded an
application for type validation of the Zeppelin Luftschifftechnik GmbH
(ZLT) model LZ N07 airship on October 1, 2001. The LZ N07 has a rigid
structure, 290,330 cubic foot displacement and has accommodations for
twelve passengers and two crewmembers. The airship will meet the
provisions of the Federal Aviation Administration (FAA) normal category
for airships; additionally, an operator of this airship may petition
for exemption to operate the airship in other desired operations. The
airship will be certificated for day and night visual flight rules
(VFR).
Proposed Design Criteria
Applicable Airworthiness Criteria Under 14 CFR Part 21
The only applicable requirement for airship certification in the
United States is FAA document FAA-P-8110-2, Airship Design Criteria
(ADC). This document has been the basis of bilateral validation of
airships between Germany and the United States for many years. However,
in 1995, the LBA issued the initial version of the
Luftt[uuml]chtigkeitsforderungen f[uuml]r Luftschiffe der Kategorien
Normal und Zubringer (hereafter referred to as the LFLS), which added a
commuter category to German airship categories and also added
additional requirements for normal category airships. Due to this,
where the previously mutually accepted ADC can be considered to be
harmonized in practice, the issuance of the LFLS created regulatory
differences for normal category airships between the United States and
Germany.
In keeping with its bilateral obligations, the FAA has, with
assistance from the LBA, determined that regulatory differences exist
between the two requirements (ADC versus LFLS). This determination is
the Significant Regulatory Differences analysis. In the case of the LZ
N07 airship, the German certification was accomplished to the higher
standard of the commuter category of the LFLS, with various LBA
modifications and additions. The FAA desires to accept the Zeppelin
airship model LZ N07 at the same airworthiness standard as it was
certificated to in Germany, so we have decided to accept the
requirements of the LFLS and the supplemental requirements issued by
the LBA as the U.S. certification basis. With this decision, the bulk
of the regulatory differences are not relevant, as the FAA is accepting
the provisions of the German LFLS certification in the commuter
category in its entirety. The FAA has, after comparing the normal
category ADC to the commuter category LFLS requirements, determined
that all of the LFLS requirements are at least equivalent to and, in
many cases, more conservative than the requirements for the normal
category contained in the ADC.
Regulatory Differences
The LFLS was developed considering the ADC at Change 1, but Change
2 provisions were not considered. There will be one regulatory
difference due to this; ZLT will show compliance to ADC Sec. 4.14 at
Change 2.
Additional and Alternative Requirements
The German aviation authority, the Luftfaht-Bundesamt (LBA) issued
additional requirements, special conditions, and equivalent levels of
safety to deal with certain design provisions and airworthiness
concerns specific to the design of the LZ N07 that were not anticipated
by the LFLS. These requirements will also become part of the U.S.
certification basis for this airship.
The U.S. certification basis for the LZ N07 will be proposed as an
entire certification basis, including those changes required by the FAA
and the LBA. Based on the provisions of 14 Code of Federal Regulations
(CFR) part 21, Sec. Sec. 21.17(b), 21.17(c) and 21.29, the following
airworthiness requirements were evaluated and found applicable,
suitable, and appropriate for this design, and they will remain active
until August 31, 2007 or to a future date extended by the FAA, and form
the Certification Basis.
Certification Basis
The German regulation Luftt[uuml]chtigkeitsforderungen f[uuml]r
Luftschiffe der Kategorien Normal und Zubringer, (referred to as the
LFLS), effective April 13, 2001; except:
(1) In lieu of compliance to LFLS section 673 the LZ N07 will
comply with ADC Sec. 4.14.
(2) B-1 LBA, Equivalent Safety Finding for Section 76 LFLS, Engine
Failure.
Discussion
The LFLS requires that the airship restore itself to a state of
equilibrium after the failure of any one engine during any flight
condition. In the case of the LZ N07, a state of equilibrium using
designated ballast cannot be achieved as required by the LFLS. ZLT
[[Page 24657]]
met this requirement with an equivalent level of safety.
In lieu of the provisions of LFLS Sec. 76 the following is
required:
In the case of failure of any one engine (of three) it must be
shown that a zero vertical speed condition can be established for any
flight condition by using the thrust vectoring capability of the
remaining two engines and aerodynamic lift.
The time to achieve this zero vertical speed will be demonstrated
to be not more than when using a designated ballast system with a
minimum discharge rate established in LFLS Sec. 893(d).
(3) B-2 LBA, Equivalent Safety Finding for LFLS Section 143(b),
Controllability and Maneuverability, General [all engines out].
Discussion
LFLS section 143(b) requires that the airship be capable of a safe
descent and landing after failure of all engines under the conditions
of LFLS section 561. ZLT met this requirement with an equivalent level
of safety.
Even in the event of all engines failing, a limited means to
control the descent of the airship is available, but only with the
airship in equilibrium. With the airship heavy, there is no means to
modulate the descent once speed has dissipated, since the descent rate
is determined by heaviness only. However, descent will be stable and no
unsafe attitude will result and the worst-case descent rate is still in
compliance with the emergency landing conditions of LFLS section 561.
This fulfills the safety objective of LFLS section 143(b).
To satisfy the provisions of LFLS section 143(b), the following is
required:
A qualitative safety analysis will be performed to show that the
simultaneous occurrence of a loss of all engines (combined with worst
case weight conditions) is extremely improbable.
(4) B-3 LBA, Equivalent Safety Finding for LFLS Section 33(d)(2),
Propeller Speed and Pitch Limits.
Discussion
LFLS section 33(d)(2) requires a demonstration with the propeller
speed control inoperative that there is a means to limit the maximum
engine speed to 103 percent of the maximum allowable takeoff rotations
per minute (rpm). The LZ N07 is designed so that in case of a zero
thrust condition in flight, the affected engine is shut off. The
shutoff rpm is above 103 percent of the maximum allowable takeoff rpm.
The LZ N07 airship is not equipped with a traditional propeller
governor system. The propeller speed control function is provided by
the AIU (engine control board). If the AIU fails, a means to shut down
the engine is provided: Called the Limiting System (Lasar). The
limiting system provides two functional stages; the first stage limits
rpm between 2725 and 2750, in case the AIU engine control board is
unable to limit engine speed with the propeller in zero thrust pitch
condition. The second stage shuts down the engine at 2900 rpm in case
of limiting system first stage failure in order to avoid engine and
propeller disintegration hazard to the airship. The shutdown of one
engine is considered a major hazard. (Note: maximum rpm = 2700, 103
percent maximum rpm = 2781.)
In traditional governor systems during in-flight operation with
zero thrust pitch selected, overspeed protection is not assured in case
of a governor failure. The LZ N07 design is considered to provide
equivalent or improved safety compared to previously certified
(traditional) governor systems.
To satisfy the provisions of LFLS section 33(d)(2), the following
is required:
The proper function of the systems will be demonstrated by
performing a system ground test simulation.
The propeller overspeed capability of 126 percent of the maximum
rpm will comply with the provisions of JAR P certification, (JAR P
section 170(a)(2)).
(5) B-4 LBA, Equivalent Safety Finding for LFLS Section 145,
Longitudinal Control.
Discussion
LFLS section 145 requires a demonstration of nose-down pitch change
out of a stabilized and trimmed climb and 30 degree pitch angle at
maximum continuous power and a nose-up pitch change out of a stabilized
and trimmed descent and -30 degree pitch angle at maximum continuous
power on all engines. ZLT met this requirement with an equivalent level
of safety. The LZ N07 ballonet system limitations prevent stabilized
climbs or descents above certain vertical speeds. The procedure
required in LFLS section 145 cannot be demonstrated by flight test
without modification.
ZLT demonstrated through flight test that sufficient control
authority was available to recover from a steep climb or descent when
the airship is trimmed for the appropriate climb or descent and is
operated under maximum continuous power.
Additionally, it was also shown that it is possible to produce a
nose-down pitch change out of a stabilized and trimmed climbing flight
and a nose-up pitch change out of a similar descent. The LZ N07
ballonet systems limitations prevent this from being demonstrated at
maximum continuous power and 30-degree pitch angle because the climb or
descent rates are too high at the resulting airspeed.
To satisfy the provisions of LFLS section 145 the following is
required:
A flight test procedure will demonstrate that it is possible to
produce:
(1) A nose-down pitch change out of a stabilized climb with a nose-
up flight path angle as limited by the ballonet system for the relevant
true airspeed or 30 degrees, whichever leads to a lower absolute value.
(2) A nose-up pitch change out of a stabilized descent with a nose-
down flight path angle as limited by the ballonet system for the
relevant true airspeed or -30 degrees, whichever leads to a lower
absolute value.
(6) C-1 LBA, Additional Requirement for a Reliable Load Validation;
14 CFR part 25, Sec. 25.301(b).
Discussion
The present LFLS does not include the requirement for the
manufacturer to validate the load assumptions used for stress analyses.
14 CFR part 25, Sec. 25.301(b) requires that methods used to determine
load intensities and distribution must be validated by flight load
measurement unless the methods used for determining those loading
conditions are shown to be reliable.
The following is added as an additional requirement:
The provisions of 14 CFR part 25, Sec. 25.301(b) will be complied
with.
(7) D-1 LBA, Additional Requirements for LFLS section 853(a),
Compartment Interiors [Flammability of Seat Cushions].
Discussion
LFLS section 853 does not provide requirements for flammability
standards for seat cushions as introduced by Amendment 59 of 14 CFR
part 25. The LBA requested a proof test for seat cushions with the oil
burner as specified in 14 CFR part 25, Appendix F, part II or
equivalent for passenger seats, except for crew seats.
To satisfy the provisions of LFLS section 853(a), the following is
required:
A proof test for seat cushions with the oil burner as specified in
14 CFR part 25, Appendix F, part II or equivalent for passenger seats
will be performed successfully.
(8) D-5 LBA, Additional Requirements for LFLS Section 673(d),
Primary Flight Controls.
[[Page 24658]]
Discussion
LFLS section 673(d) requires that airships without a direct
mechanical linkage between the cockpit and primary flight control
surfaces be designed with a dual redundant control system. The
terminology ``dual redundant'' is considered ambiguous in that it does
not clearly define the degree of redundancy required.
To satisfy the provisions of LFLS section 853(a), the following is
required:
Compliance with LFLS section 1309 will show that continued safe
flight and landing is assured after complete failure of any one of the
primary flight control system lanes.
(9) D-6 LBA, Equivalent Safety Finding for LFLS Section 771(c),
Pilot Compartment [Controls Location with Respect to Propeller Hub].
Discussion
LFLS section 771(c) requires that aerodynamic controls and pilots
may not be situated within the trajectories of the designated propeller
burst area. Since a thrust vectoring (including a non-swiveling lateral
propeller) system has been incorporated into the airship, with two
engines forward and one aft engine, formal non-compliance in some cases
cannot be avoided.
To satisfy the provisions of LFLS section 771(c), the following is
required:
A qualitative safety analysis will be accomplished that considers
the mitigating effects of:
(1) The relationship of overall swivel angle of propeller
rotational plane versus crucial swivel angle of propeller rotational
plane, (2) The distance between aft propeller and aerodynamic controls,
and
(3) The potential energy absorbing and deflecting structure between
aft propulsion unit and controls and pilot.
The analysis will consider the following:
The lateral propeller is continuously operating in idle with the
exception of ground maneuvering and approach phases.
The rear propeller transitions through its crucial angle only,
while swiveling from the horizontal to the vertical position from a
takeoff/approach/landing/hover to a level flight configuration.
Aircraft Flight Manual (AFM) procedures, cockpit placarding, and
swivel lever markings shall be established to restrict normal operation
in the crucial swivel range.
(10) D-7 LBA, Equivalent Safety Findings for LFLS Section 777(c),
Cockpit Controls; 1141(a), Powerplant Controls: General; 1143(c),
Engine Controls; 1149(a)(2), Propeller Speed and Pitch Controls;
1167(c)(1), Vectored Thrust Controls
Discussion
LFLS section 777(c), 1141(a), 1143(c), 1149(a)(2), and 1167(c)(1)
all involve requirements governing the configuration and
characteristics of throttle, propeller pitch, mixture, and thrust
vectoring controls. Due to the constant speed throttle control concept
allowing infinitely variable thrust vector control between maximum
reverse and maximum forward thrust, a non-conventional control system
was developed that is partially non-compliant with the requirements.
The requirements and the configuration of the LZ N07 are summarized in
Table 1 below.
To satisfy the provisions of LFLS section 777(c), 1141(a), 1143(c),
1149(a)(2) and 1167(c)(1) the following is required:
In the case of an identified non-compliance to the LFLS, as shown
in Table 1, compliance will be by an evaluation of the airship and a
finding that there are safe handling characteristics using the type
design engine thrust control/thrust vectoring controls as described in
Table 1.
Table 1
----------------------------------------------------------------------------------------------------------------
Description of equivalent
LFLS paragraph Requirement Compliant/ non-compliant level of safety finding
----------------------------------------------------------------------------------------------------------------
777(c)........................ throttle, propeller 1. Non-compliant. Propeller speed, thrust, and
pitch, mixture mixture controls are
controls: arranged in this order from
1. Order left to right.. left to right. Propeller
speed and mixture are
grouped together forward of
the THRUST levers because
they are preset for
individual operating
conditions. The THRUST
levers are located
separately with the L/H and
R/H THRUST levers and
swivel controls grouped
together in order to
achieve convenient vector
operation.
2. arrange to prevent 2. compliant............ >Rear engine thrust control
confusion. set is offset to the rear
of the center pedestal,
which makes its allocation
to the rear engine obvious.
1141(a)....................... 1. Arrangement like 777. 1. Compliant as See 777(c) above.
described above.
2. markings like 1555(a) 2. compliant............ compliant.
1143(c)....................... 1. Separate control of 1. Compliant............ 1. Compliant
engines.
2. simultaneous control 2. simultaneous control 2. simulteneous control of
of engines. virtually compliant. forward engines allows for
symmetric thrust
applications, which are
essential for effective
handling of the airship.
The aft engine THRUST lever
is not located between the
forward THRUST levers
because it requires
individual control
especially during take-off,
hover, landing, and ground
maneuvering. Unintentional
operation of the aft engine
is prevented by this
arrangement.
1149(a)(2).................... simultaneous speed and Non-compliant for take- In contrast to conventional
pitch control of off, hover, landing, propeller controls, a
propellers. and ground maneuvering. constant propeller pitch is
commanded directly by the
THRUST lever and propeller
speed is preselected by the
RPM lever and is
automatically governed by
means of throttle
variation.
[[Page 24659]]
In this operating mode, full
RPM is selected and pitch
control is commanded
directly from the THRUST
levers, which are not
grouped together, thus not
allowing simultaneous pitch
control. The reason for
this arrangement is
explained in issue 1143(c)
above. In FLIGHT
configuration maximum pitch
is preselected by the
THRUST levers, speed
control is now accomplished
by movement of the RPM
levers, which are grouped
together allowing
simultaneous speed control.
1167(c)(1).................... Thrust vectoring:
1.--Independent of other 1. Compliant............ 1. Compliant.
controls.
2.--separate and 2. non compliant........ 2. simultaneous vectoring
simultaneous control of control of forward engines
all propulsion units. allows for symmetric
vectoring. Asymmetric
control of forward swivel
angle is made impossible in
order to prevent pilot
confusion during vector
control.
Aft swivel adjustment is
limited to 0[deg] for
cruise and -90[deg] for T/
L. The aft swivel is
separated due to the
individual control
requirement.
----------------------------------------------------------------------------------------------------------------
(11) D-8 LBA, Equivalent Safety Findings for LFLS Section 807(d)
and Section 807(d)(1)(i), Emergency Exits.
Discussion
LFLS section 807(d) and (d)(1)(i) for commuter category airships
carrying less than 15 passengers requires at least three emergency
exits. Refer to Table 2.
Table 2
----------------------------------------------------------------------------------------------------------------
Category versus exits First exit Second exit Third exit
----------------------------------------------------------------------------------------------------------------
Normal Category (Less than 10 External door/ Main One exit 19 x 26 inches No requirement.
passengers.). door: Sec. 783(a) opposite of main door:
(19 x 26 inches). Sec. 807(a)(1).
Commuter Category (Less than 15 Main door must be floor Same as above.......... In addition one exit 19
passengers.). level: Sec. x 26 required.
807(d)(1).
Commuter Category Zeppelin LZ N07.... Floor level main door Second floor level main Not provided.
much larger as 19 x 26 door much larger as 19
inches. x 26 inches provided.
Design comprising 12 passengers...... Equivalent safety
requested for greater
than 9 passengers.
----------------------------------------------------------------------------------------------------------------
The design of the LZ N07 fully complies with the requirement for
the Normal Category; however, the third exit required for compliance in
the Commuter Category is not provided. This results in a formal
noncompliance.
To satisfy the provisions of LFLS section 807(d) and 807(d)(1)(i),
the following is required: Compliance for LFLS section 807(d) and
807(d)(1)(i) will be shown by:
(1) The first and second exits provided are both floor level exits
and oversized compared to 19 by 26 inches.
(2) The evacuation demonstration required in section 803(e) shall
be accomplished within 60 seconds, (with one exit blocked) instead of
90 seconds.
(12) D-9 LBA, Equivalent Safety Finding for Section 881(a),
Envelope Design [Envelope Tension].
Discussion
LFLS section 881(a) requires that the envelope maintain tension
while supporting limit load conditions for all flight conditions. The
rigid design of the LZ N07 allows for limited wrinkling of the envelope
under limit load conditions with no effect on airship handling and
performance.
Due to the unique kind of rigid structural design, the structural
integrity of the LZ N07 airship is not dependent on the tension of the
envelope, as rigid structure replaces the load-carrying envelope. The
alignment of structure, engines, empennage, cabin and other components
affecting handling qualities, performance, and other factors is
independent of any wrinkling condition of the envelope.
To satisfy the provisions of LFLS section 881(a), the following is
required:
Safe handling characteristics will be demonstrated by flight test,
the limit load carrying capability by analysis.
(13) D-10 LBA, Equivalent Safety Finding for LFLS Section 881(f),
Envelope Design [Rapid Deflation Provisions].
Discussion
LFLS section 881(f) requires that provisions be maintained to allow
for rapid envelope deflation of the airship should it break loose from
the mast while moored. The present design does not include such a
provision. For German certification, ZLT had to demonstrate an
equivalent level of safety. As part of this, ZLT presented that, due to
the unique kind of rigid structural design of the airship, any rapid
deflation provision will not significantly reduce the effective cross
section of the envelope; thus, the uncontrolled drift of the airship
due to surface winds once free of its moorings could not be brought
under control. ZLT presented that the overall level of safety is
negatively affected by the potential unwanted operation of the required
rapid deflation provision when unintentionally operated or operated due
to individual failure conditions,
[[Page 24660]]
and that this could lead to a potentially severe failure condition.
ZLT was required by the LBA to provide an equivalent level of
safety by means of a qualitative safety analysis and by showing that
the reliability of the mast coupling system design is significantly
improved over typical non-rigid airship systems. It also provided proof
of safe life design for the structural parts and to prove the fail-safe
design of the hydraulically powered locking mechanism. These systems
are part of the ground based mooring vehicle.
We understand that the rigid structure of the airship complicates
or eliminates the deflation design feature expected of non-rigid types
of airships, and we believe that this requirement cannot be met without
an equivalent level of safety. The rapid deflation feature of a non-
rigid airship is provided to allow emergency egress without the ship
lifting and to deflate the envelope in case an airship is blown off of
the mast and is subsequently uncontrolled. These concerns still apply
to a rigid airship.
We accept the evacuation procedure, described in the section
discussion LFLS section 809(e), as an acceptable equivalent feature for
the evacuation requirement.
In the event that the airship is blown off of the mast, we believe
that a rigid airship will present the same or enhanced hazard as the
requirement for non-rigid type airships was developed to mitigate, that
being of an unmanned and, or, uncontrolled airship in controlled
airspace in the proximity of persons, property, or other aircraft.
To satisfy the provisions of LFLS section 881(f), the following is
required:
Safe life design for the structural parts and fail-safe design of
the hydraulically powered locking mechanism of the mooring vehicle will
be shown.
The Airship Flight Manual will contain mast procedures for all
approved mast mooring conditions. These procedures will also include a
requirement to have transponder equipment active when the airship is
moored on the mast, and define conditions when a pilot must be in the
airship.
(14) D-11 LBA, Equivalent Safety Finding for LFLS Section 883(e),
Pressure System.
Discussion
LFLS section 883(e) requires that provisions be maintained to blow
air into the helium space in order to prevent wrinkling of the
envelope. The present design of the airship does not include this
provision; therefore, ZLT had to demonstrate equivalent level of
safety.
Due to the unique kind of rigid structural design, the structural
integrity of the airship is not dependent on the tension of the
envelope. Rigid structure replaces the load-carrying envelope. The
alignment of structure, engines, empennage, and cabin, etc., affecting
handling qualities and airship controllability is independent of any
wrinkling condition of the envelope.
To satisfy the provisions of LFLS section 883(e), the following is
required:
Safe operation at reduced helium pressures will be demonstrated.
(15) D-12 LBA, Interpretation of LFLS Section 785(b), Seats, berths
and safety belts [Approval of].
Discussion
The LFLS requires approval for seats; the LBA required approval of
passenger and crew seats according to TSO C39b. The ZLT uses seats that
are TSO C39b approved by a seat vendor; if this is not done, the seats
used will demonstrate compliance to TSO C39b.
To satisfy the provisions of LFLS section 758(b), the following is
required:
Seats will comply with the provisions of TSO C39b.
(16) D-13 LBA, Additional Requirement; LFLS Section 1585(a)(10),
Operating Procedures [Ditching, Emergency Evacuation].
Discussion
The LFLS does not provide requirements for ditching exits; the LBA
requested a floatation analysis to be done, to analyze the case of an
unplanned ditching. Helium loss during the emergency evacuation
procedure was not considered. It was determined by calculation that the
passenger cabin provides enough buoyancy for safe egress with the
requirement that one emergency exit shall be usable above the static
waterline for at least 90 seconds for emergency evacuation.
To satisfy the provisions of LFLS section 758(b), the following is
required:
It shall be demonstrated by test or analysis that an emergency
evacuation exit will remain above the waterline for at least 90 seconds
after finally settling on the water. Relevant instructions will be
included in the Airship Flight Manual.
(17) D-14 LBA, Interpretative Material; LFLS Section 803(e),
Emergency Evacuation Demonstration.
Discussion
LFLS section 803(e) requires an emergency evacuation demonstration.
This evacuation must be completed within 90 seconds. Compliance with
LFLS section 881(g) must be considered in conjunction with section
803(a) through (e).
This requirement demonstrates the ability of the entire cabin to be
evacuated within 90 seconds using the maximum number of occupants, with
flight crew preparation for the emergency evacuation. Normal valving of
helium to provide emergency deflation on the ground during the
emergency evacuation, according to section 881(g), is assumed.
To satisfy the provisions of LFLS section 803(e), the following is
required:
(1) It will be demonstrated that the cabin can be emergency
egressed within 90 seconds.
(2) In addition, the evacuation method established will include the
preparation of the airship for the ground phase of the emergency
evacuation on the ground. The applicant will demonstrate by analysis
supported by tests that the preparation for cabin emergency evacuation
could be conducted within 30 seconds (from time of landing until start
of cabin emergency evacuation). This technique will be published in the
AFM. Refer to Figure 1, ``ZLT Emergency Evacuation Technique.''
[[Page 24661]]
[GRAPHIC] [TIFF OMITTED] TN03MY07.019
(3) The evacuation method established will include four steps:
(a) After the occurrence of the emergency situation, the pilot has
to prepare the airship for an emergency landing.
(b) The pilot has to land the airship.
(c) The pilot has to prepare the airship for the evacuation. This
includes providing enough heaviness so that the airship cannot leave
the ground during the passenger evacuation. Also, the pilot must keep
the airship in a safe position before starting the evacuation. By
controlling the deflation, the pilot must try to prevent trapping of
the envelope over the occupants during the evacuation.
(d) The actual evacuation will only begin when a safe position of
the airship can be maintained and when enough heaviness is provided.
These steps will be reflected in the AFM.
(18) D-15 LBA, Additional Requirements; 14 CFR part 23, Sec. Sec.
23.859 and 23.1181(d), [cabin heating; fuel burner].
Discussion
ZLT wishes to install fuel burner heating equipment for a cabin
heating and ventilation system in the lower shell of the passenger
cabin. The LFLS does not provide adequate requirements for the
installation of fuel burner equipment. The LBA required the application
of 14 CFR part 23, Sec. Sec. 23.859 and 23.1181(d), revised as of
January 1, 1998, in addition to other applicable requirements of the
LFLS. The LBA interpretation of Sec. 23.859 (a) is such that the
entire heater compartment will be considered a fire region and has to
be of fireproof construction. Part 23 Sec. 23.859, paragraphs (a)(1)
to (a)(3), will be complied with also. Other applicable FAA regulations
introduced by reference to Sec. Sec. 23.859 and 23.1181(d) by the LBA
will be complied with by compliance to applicable LFLS sections.
The airship will comply with the provisions of 14 CFR part 23,
Sec. 23.859, Combustion Heater Fire Protection, and Sec. 23.1181(d),
Firewalls.
(19) E-1 LBA, Additional Requirements Remote Propeller Drive
System.
Discussion
The LZ N07 propellers of both forward and aft propulsion systems
are not conventionally installed directly on the engine crankshaft. A
remote propeller drive system consisting of torque shafts, swivel
gears, friction clutches and a belt drive unit (on the aft engine only)
is installed between engine and propeller to provide thrust and vector
capability for the propellers. The LFLS does not contain requirements
for such power transmission designs.
The LBA required compliance as described in LBA guidance paper I-
231-87, applicable to components installed between engines and
propellers. I-231-87(01) requires compliance with JAR 22H or 14 CFR
part 33; however, instead of JAR 22H or 14 CFR part 33 compliance,
compliance with applicable sections of JAR P (Change 7) as listed in
Table 3 will be required.
Table 3
[Applicable sections of JAR P and I-231-87]
------------------------------------------------------------------------
Section Summary
------------------------------------------------------------------------
I-231-87.................................. Remote torque shafts/
Fernwellen.
I-231-87(01).............................. Alle Bauteile zwischen Motor
und Propeller FAR 33.
I-231-87(02).............................. Kr[auml]fte auf
k[uuml]rzestem Weg in
tragende Bauteile.
I-231-87(03).............................. Konstruktive Ma[szlig]nahmen
gegen ungleiche Dehnung.
I-231-87(04).............................. Bei Drehgelenken
ungleichf[ouml]rm.
Drehbewegung meiden.
I-231-87(05).............................. Abstand Struktur zu
rotierenden Teilen >13mm.
I-231-87(06).............................. FVB: Erweichungstemperatur
TGA nicht
[uuml]berschreiten.
[[Page 24662]]
I-231-87(07).............................. Nicht feuersichere Wellen:
Feuerschutz zum Motor.
I-231-87(08).............................. Keine Gef[auml]hrdung durch
angetr. Rest gebroch.
Welle.
I-231-87(09).............................. Unterkritischer Lauf/
Kritische Drehzahl
1,5*nmax.
I-231-87(10).............................. Schwingungsversuch mit
Anla[szlig]-
Abstellvorg[auml]ngen.
JAR-P..................................... Propellers: Change 7, dated
22.10.87.
JAR-P01................................... Section 1--Requirements.
JAR-P01 1A................................ SUB-SECTION A--GENERAL.
JAR-P030(a)(1)............................ Specification detailing
airworthiness requirements.
JAR-P040(b)............................... Fabrication methods.
JAR-P040(b)(1)............................ Consistently sound structure
and reliable.
JAR-P040(b)(2)............................ Approved process
specifications, if close
control required.
JAR-P040(c)............................... Castings.
JAR-P040(c)(1)............................ Casting technique, heat
treatment, quality control.
JAR-P040(c)(2)............................ AA Approval for casting
production required.
JAR-P040(e)............................... Welded structures and welded
components.
JAR-P040(e)(1)............................ Welding technique, heat
treatment, quality control.
JAR-P040(e)(3)............................ Drawings annotated and with
working instructions.
JAR-P040(e)(4)............................ If required, radiographic
inspection, may be in
steps.
JAR-P070.................................. Failure analysis.
JAR-P070(a)............................... Failure analysis/assessment
of propeller and control
systems.
JAR-P070(b)(2)............................ Significant overspeed or
excessive drag.
JAR-P070(c)............................... Proof of probability of
failure.
JAR-P070(e)............................... Acceptability of failure
analysis, if more on 1 of:
JAR-P070(e)(1)............................ A safe life being
determined.
JAR-P070(e)(2)............................ A high level of integrity,
parts to be listed.
JAR-P070(e)(3)............................ Maintenance actions,
serviceable items.
JAR-P080.................................. Propeller pitch limits and
settings.
JAR-P090.................................. Propeller pitch indications.
JAR-P130.................................. Identification.
JAR-P140.................................. Conditions applicable to all
tests.
JAR-P140(a)............................... Oils and lubricants.
JAR-P140(b)............................... Adjustments.
JAR-P140(b)(1)............................ Adjustments prior to test
not be altered after
verification.
JAR-P140(b)(2)............................ Adjustment and settings
checked/unintentional
variations recorded.
JAR-P140(b)(2)(i)......................... At each strip examination.
JAR-P140(b)(2)(ii)........................ When adjustments and
settings are reset.
JAR-P140(b)(3)............................ Instructions for (b)(1)
proposed for Manuals.
JAR-P140(c)............................... Repairs and replacements.
JAR-P140(d)............................... Observations.
JAR-P150.................................. Conditions applicable to
endurance tests only.
JAR-P150(a)............................... Propeller accessories to be
used during tests.
JAR-P150(b)............................... Controls (ground and flight
tests).
JAR-P150(b)(1)............................ Automatic controls provided
in operation.
JAR-P150(b)(2)............................ Controls operated in
accordance with
instructions.
JAR-P150(b)(3)............................ Instructions provided in
Manuals.
JAR-P150(c)............................... Stops (ground tests).
JAR-P160.................................. General.
JAR-P160(b)............................... Pass without evidence of
failure or malfunction.
JAR-P160(c)............................... Detailed inspection before
and after tests complete.
JAR-P170(c)............................... Spinner, deicing equipment,
etc., subject to same test.
JAR-P190(c)............................... Propellers fitted with
spinner and fans.
JAR-P200.................................. Rig tests of propeller
equipment.
JAR-P200(a)............................... Tests for feathering, beta
control, thrust reverse.
JAR-P200(b)............................... Test to represent the amount
of 1000 hour cycles.
JAR-P200(c)............................... Evidence of similar tests
may be acceptable.
JAR-P210.................................. Endurance tests.
JAR-P210(b)............................... Variable pitch propellers.
JAR-P210(b)(1)............................ Variable pitch propellers
tested to one of following:
JAR-P210(b)(1)(i)......................... A 110-hour test.
JAR-P210(b)(1)(i)(A)...................... 5 hours at takeoff power.
JAR-P210(b)(1)(i)(B)...................... 50 hours maximum continuous
power.
JAR-P210(b)(1)(i)(C)...................... 50 hours consisting of ten 5-
hour cycles.
JAR-P210(b)(2)............................ At conclusion of the
endurance test total
cycles.
JAR-P210(b)(2)(ii)........................ Governing propellers: 1500
cycles of control.
JAR-P210(b)(2)(iv)........................ Reversible-pitch propellers:
200 cycles + 30 seconds.
JAR-P220.................................. Functional tests not less 50
in flight.
JAR-P220(b)............................... Variable pitch (governing)
propellers.
JAR-P220(b)(1)............................ Propeller governing system
compatible w. engine.
JAR-P220(b)(2)............................ Stability of governing under
various oil temperatures
conditions.
JAR-P220(b)(3)............................ Response to rapid throttle
movements, balked landing.
JAR-P220(b)(4)............................ Governing and feathering at
all speeds up to VNE.
[[Page 24663]]
JAR-P220(b)(5)............................ Unfeathering, especially
after cold soak.
JAR-P220(b)(6)............................ Beta control response and
sensitivity.
JAR-P220(b)(7)............................ Correct operation of stops
and warning lights.
JAR-P220(c)............................... Propeller design for
operation in reverse pitch
50 landing.
------------------------------------------------------------------------
To satisfy the additional required provisions, the following is
required:
Compliance will be shown for the Remote Propeller Drive System to
the requirements of LBA document I-237-87, dated September 1987, and
the Joint Aviation Requirements (JARs) summarized in Table 3.
Table 3
[Repeated]
------------------------------------------------------------------------
Section Summary
------------------------------------------------------------------------
I-231-87.................................. Remote torque shafts/
Fernwellen.
I-231-87(01).............................. Alle Bauteile zwischen Motor
und Propeller FAR 33.
I-231-87(02).............................. Kr[auml]fte auf
k[beta]rzestem Weg in
tragende Bauteile.
I-231-87(03).............................. Konstruktive Ma[szlig]nahmen
gegen ungleiche Dehnung.
I-231-87(04).............................. Bei Drehgelenken
ungleichf[ouml]rm.
Drehbewegung meiden.
I-231-87(05).............................. Abstand Struktur zu
rotierenden Teilen >13mm.
I-231-87(06).............................. FVB: Erweichungstemperatur
TGA nicht
[uuml]berschreiten.
I-231-87(07).............................. Nicht feuersichere Wellen:
Feuerschutz zum Motor.
I-231-87(08).............................. Keine Gef[auml]hrdung durch
angetr. Rest gebroch.
Welle.
I-231-87(09).............................. Unterkritischer Lauf/
Kritische Drehzahl
1,5*nmax.
I-231-87(10).............................. Schwingungsversuch mit
Anla[beta]-
Abstellvorg[auml]ngen.
JAR-P..................................... Propellers Change 7, dated
22.10.87.
JAR-P01................................... Section 1--Requirements.
JAR-P01 1A................................ SUB-SECTION A--GENERAL.
JAR-P030(a)(1)............................ Specification detailing
airworthiness requirements.
JAR-P040(b)............................... Fabrication Methods.
JAR-P040(b)(1)............................ Consistently sound structure
and reliable.
JAR-P040(b)(2)............................ Approved process
specification, if close
control required.
JAR-P040(c)............................... Castings.
JAR-P040(c)(1)............................ Casting technique, heat
treatment, quality control.
JAR-P040(c)(2)............................ AA Approval for casting
production required.
JAR-P040(e)............................... Welded Structures and Welded
Components.
JAR-P040(e)(1)............................ Welding technique, heat
treatment, quality control.
JAR-P040(e)(3)............................ Drawings annotated and with
working instructions.
JAR-P040(e)(4)............................ If required, radiographic
inspection, may be in
steps.
JAR-P070.................................. Failure Analysis.
JAR-P070(a)............................... Failure analysis/assessment
propeller/control system.
JAR-P070(b)(2)............................ Significant overspeed or
excessive drag.
JAR-P070(c)............................... Proof of probability of
failure.
JAR-P070(e)............................... Acceptability of failure
analysis, if more on 1 of:
JAR-P070(e)(1)............................ A safe life being
determined.
JAR-P070(e)(2)............................ A high level of integrity,
parts to be listed.
JAR-P070(e)(3)............................ Maintenance actions,
serviceable items.
JAR-P080.................................. Propeller Pitch Limits and
Settings.
JAR-P090.................................. Propeller Pitch Indications.
JAR-P130.................................. Identification.
JAR-P140.................................. Conditions Applicable to All
Tests.
JAR-P140(a)............................... Oils and Lubricants.
JAR-P140(b)............................... Adjustments.
JAR-P140(b)(1)............................ Adjustment prior to test not
be altered after
verification.
JAR-P140(b)(2)............................ Adjustment and settings
checked/unintentional
variations recorded.
JAR-P140(b)(2)(i)......................... At each strip examination.
JAR-P140(b)(2)(ii)........................ When adjustments and
settings are reset.
JAR-P140(b)(3)............................ Instructions for (b)(1)
proposed for Manuals.
JAR-P140(c)............................... Repairs and Replacements.
JAR-P140(d)............................... Observations.
JAR-P150.................................. Conditions Applicable to
Endurance Tests Only.
JAR-P150(a)............................... Propeller accessories to be
used during tests.
JAR-P150(b)............................... Controls (Ground and Flight
Tests).
JAR-P150(b)(1)............................ Automatic controls provided
in operation.
JAR-P150(b)(2)............................ Controls operated in
accordance with
instructions.
JAR-P150(b)(3)............................ Instructions provided in
Manuals.
JAR-P150(c)............................... Stops (Ground Tests).
JAR-P160.................................. General.
[[Page 24664]]
JAR-P160(b)............................... Pass without evidence of
failure or malfunction.
JAR-P160(c)............................... Detailed inspection before
and after tests complete.
JAR-P170(c)............................... Spinner, deicing equipment,
etc., subject to same test.
JAR-P190(c)............................... Propellers Fitted with
Spinner and Fans.
JAR-P200.................................. Rig Tests of Propeller
Equipment.
JAR-P200(a)............................... Tests for feathering, Beta
Control, thrust reverse.
JAR-P200(b)............................... Test to represent the amount
of 1000 h cycles.
JAR-P200(c)............................... Evidence of similar tests
may be acceptable.
JAR-P210.................................. Endurance Tests.
JAR-P210(b)............................... Variable Pitch Propellers.
JAR-P210(b)(1)............................ Variable Pitch Propellers
tested to one of following:
JAR-P210(b)(1)(i)......................... A 110-Hour Test.
JAR-P210(b)(1)(i)(A)...................... 5 hours at Takeoff Power.
JAR-P210(b)(1)(i)(B)...................... 50 hours Maximum Continuous
Power.
JAR-P210(b)(1)(i)(C)...................... 50 hours consisting of ten 5-
hour cycles.
JAR-P210(b)(2)............................ At conclusion of the
Endurance Test total
cycles.
JAR-P210(b)(2)(ii)........................ Governing Propellers: 1500
cycles of control.
JAR-P210(b)(2)(iv)........................ Reversible-pitch Propellers:
200 cycles + 30 sec.
JAR-P220.................................. Functional Tests not less 50
in flight.
JAR-P220(b)............................... Variable Pitch (Governing)
Propellers.
JAR-P220(b)(1)............................ Propeller governing system
compatible with engine.
JAR-P220(b)(2)............................ Stability of governing under
various oil temperature
conditions.
JAR-P220(b)(3)............................ Response to rapid throttle
movements, balked landing.
JAR-P220(b)(4)............................ Governing and feathering at
all speeds up to VNE.
JAR-P220(b)(5)............................ Unfeathering, especially
after cold soak.
JAR-P220(b)(6)............................ Beta control response and
sensitivity.
JAR-P220(b)(7)............................ Correct operation of stops
and warning lights.
JAR-P220(c)............................... Propeller Design for
Operation in Reverse Pitch
50 landing.
------------------------------------------------------------------------
LBA Document I-237-87
Preliminary Guideline for Compliance of Transmission-Shafts in
Powerplant Installations of Airplanes (part 23) and Powered
Sailplanes (JAR 22)
LBA Document: I231-87
Issue: 30. September 1987
Change record: Translated into English, May 2002
Translation has been done by best knowledge and judgement. In
any case, the officially published text in German language is
authoritative.
At the present time the Airworthiness Requirements for motorized
aircraft assume only propeller-engine-combinations, where the
propeller is directly fixed at the engine flange.
Clutches, transmission shafts, intermediate bearings, angular
drives (gearboxes), universal joints, shifting sleeves, etc., are
accommodated for neither by JAR-22, nor by part 23 (JAR-23), or part
33 (JAR-E).
The necessity to supplement/amend the Airworthiness Requirements
became obvious for a powered sailplane, where a transmission shaft
from the engine in the middle of the fuselage runs through the
cockpit between the pilots (side-by-side seats) to the bow of the
fuselage where the propeller is mounted.
The rupture of a so installed transmission shaft can, besides
the loss of thrust, also by the whirling of the parts that remain
attached to the run-away engine have catastrophic effects to pilots
and aircrafts/aeroplanes.
Also differently arranged transmission shafts that do not pass
through the cockpit can endanger the surrounding primary structure,
the controls or other important systems critically.
For transmission shaft installations the following Special
Requirements have to be applied for powered sailplanes and aircraft
(aeroplanes) in addition to JAR 22 and part 23 (JAR 23),
respectively part 33 (JAR-E):
(1) All parts between engine and propeller, that serve the
transfer of engine-power to the propeller are regarded as parts of
the engine and are, as far as practicable/applicable, to be shown to
comply with JAR-22 Subpart H Engines or part 33 Aircraft Engines
(JAR-E), respectively.
(2) Propeller thrust, lateral loads and gyroscopic moments have
to be transferred to load carrying members on the shortest possible
way.
(3) Dissimilar expansion/deformation between structural and
powerplant parts, may it be under loads or/and temperatures has to
be accounted for by appropriate means.
(4) Universal joints used in the transmission shaft installation
have to be selected and arranged/installed so that an unsteadiness
of the rotation speed is avoided.
(5) Wrappings, guidances, protective covers and all other
structural members must have such a spacing from rotating parts,
that under deformation due to flight or ground loads and if pressure
is exerted by parts of the body (pilot or passenger) a radial or
respectively longitudinal distance of at least 13 mm (0.5 inch)
remains.
(6) It has to be guaranteed that parts made of fibre-reinforced
materials during operation do not exceed (reach) the softening
temperature. Softening temperature: TGA according to DIN 29971.
Compliance has to be sought in a ``cooling test flight'' according
to JAR 22.1041/22.1047 or part 23, Sec. Sec. 23.1041/23.1045/
23.1047 (or JAR 23 * * *), respectively.
If the difference between the corrected maximum operational
temperature and the softening temperature is less than 15 [deg]C,
the operational temperature has to be monitored (continuously) by an
instrument.
(7) If parts of the transmission shaft installation are made
from material not being fireproof, these parts have to be protected
against the effects of fire in the engine compartment.
(8) It has to be shown, that the whirling rest of a broken
transmission shaft, still driven by the engine does neither directly
endanger occupants (pilots included) nor parts of the primary
structure in a way that the flight cannot be brought to a safe end.
Compliance has to be sought in a test under the assumption that the
shaft is broken at a place most critical for compliance and the
engine running at take-off power.
(9) The repeated in-flight-stopping and re-starting of the
engine is common practice for powered sailplane. To avoid passing
through a critical RPM-range, transmission shaft installation must
operate in a sub-critical RPM-range.
The critical RPM of any transmission shaft must be at least 1.5
times the maximum operational RPM. When determining the critical RPM
the influences of the maximum imbalance to be expected from the
manufacturing process, as well as the bending of the shaft under
load factor and probable forced bending by fuselage deformation has
to be considered.
[[Page 24665]]
(10) The vibration test required by JAR 22.1843 or FAR
33.43(a)(b)/(JAR-E) respectively must comprise the complete
transmission shaft installation (engine-transmission-shaft-
propeller). The effects of engine stopping and restarting must be
investigated.
The stresses derived from the test above have to be superimposed
with the stresses directly originating from load factors acting on
the transmission shaft or are forced on the transmission shaft by
deformation of the airframe.
The resulting peak stresses must not exceed the fatigue limit of
the material used for the transmission shaft installation.
Figure 2: LBA Document
(20) E-2 LBA, Equivalent Safety Finding; LFLS Section 1167(d),
Vectored Thrust Components [Auxiliary Thrust Vectoring].
Discussion
LFLS section 1167(d) (subpart E) requires an auxiliary means be
provided to return the vectoring thrust system into a normal operating
position should the primary means fail. The current design does not
include this design feature. The LZ N07 is equipped with a system of
swiveling propellers. This system is used for conventional cruise
flight with the propellers in a vertical position and also for steering
the airship at low airspeeds with the propellers in swiveled positions.
This results in no one ``normal position'' of the propeller than can be
specified. Even if the propeller swiveling system fails, such a stuck
position might be useful for the pilot. Also, since all three engines
are operating individually, a single vectoring failure does not
interfere with the two remaining propulsion units.
Instead of providing auxiliary means to return the system to the
normal operating position, the design, operation, and function of the
vectoring system on the Zeppelin LZ N07 airship provides an equivalent
level of safety.
To satisfy the provisions of LFLS section 1167(d), the following is
required:
It will be shown by flight test that continued safe flight and
landing is possible with a propeller stuck in any one position with the
affected engine (still) running or shut off.
(21) F-1 LBA, Additional Requirements; LFLS Section 1301, Function
and Installation; and LFLS Section 1309, Equipment, Systems and
Installations (HIRF)
Discussion
The LZ N07 utilizes new avionics/electronic systems that provide
critical data to the flight crew. The applicable regulations do not
contain adequate or appropriate safety standards for the protection of
these systems from the effects of high intensity radiated fields
(HIRF). The LBA's required additional safety standards considered
necessary to establish a level of safety equivalent to that established
by existing airworthiness standards.
There is no specific regulation that addresses protection
requirements for electrical and electronic systems from HIRF. Increased
power levels from the ground based radio transmitters and the growing
use of sensitive electrical and electronic systems to command and
control the airship, especially under IFR conditions, have made it
necessary to provide adequate protection. To ensure that the level of
safety is achieved equivalent to that intended by the regulations
incorporated by reference, additional requirements are needed for the
LZ N07 to require that new technology electrical and electronic systems
be designed and installed to preclude component damage and interruption
of critical functions due to effect of HIRF.
High Intensity Radiated Fields (HIRF)
With the trend toward increased power levels from ground-based
transmitters, plus the advent of space and satellite communications,
coupled with electrical and electronic command and control of an
airship, the immunity of critical systems to HIRF must be established.
It is not possible to precisely define the HIRF to which the airship
will be exposed in service. There is also uncertainty concerning the
effectiveness of gondola shielding for HIRF. Furthermore, coupling of
electromagnetic energy to gondola-installed equipment through the
windows apertures is undefined. Based on surveys and analysis of
existing HIRF emitters, an adequate level of protection exists when
compliance with the HIRF special condition is shown.
To satisfy the provisions of LFLS section1301 and LFLS section 1309
the following is required:
The airship systems and associated components, considered
separately and in relation to other systems, must be designed and
installed so that:
(a) Each system that performs a critical or essential function is
not adversely affected when the airship is exposed to the normal HIRF
environment.
(b) All critical functions must not be adversely affected when the
airship is exposed to the certification HIRF environment.
(c) After the airship is exposed to the certification HIRF
environment, each affected system that performs a critical function
recovers normal operation without requiring any crew action, unless
this conflicts with other operational or functional requirements of
that system.
The following definitions apply:
(a) Critical function: A function whose failure would prevent
continued safe flight and landing of the airship.
(b) Essential function: A function whose failure would reduce the
capability of the airship or the ability of the crew to cope with
adverse operating conditions.
(c) The definitions of normal and certification HIRF environments,
frequency bands, and corresponding average and peak levels are defined
in Table 4 and Table 5.
General Guidance Material
The User Guide for AC/AMJ 20-1317 The Certification of Aircraft
Electrical and Electronical Systems for Operation in the High Radiated
Fields (HIRF) Environment dated 9/21/98 must be used. In case of
conflicting issues, this notice will supersede, unless otherwise
notified.
Criticality Definitions
In order to perform hazard assessments, the table below defines
equivalence:
Table 4
------------------------------------------------------------------------
Guidance according to LFLS certification
Definition CRI F-1/HIRF AC/AMJ 20-1317 basis*
------------------------------------------------------------------------
Critical.................. Catastrophic......... Multiple failure
analysis will not
apply in general.
Essential................. Hazardous............ Multiple failure
Severe............... analysis will not
Major................ apply in general.
------------------------------------------------------------------------
* Since the LFLS is based on 14 CFR part 23, multiple failure analysis
will not apply in general. However, common mode failures, or failures
if one failure would lead inevitably to another failure, have to be
considered.
[[Page 24666]]
Equipment Test Requirements
If ZLT can demonstrate for Level A, B, or C equipment that
equipment testing is adequate for showing compliance, the following
equipment test requirement will be used:
RTCA DO-160 D, if equipment development was launched in 1996 or
later a no TSO or JTSO certification will be obtained by the supplier.
RTCA DO-160 C, or earlier if equipment development was launched in
1995 or earlier, or if the equipment affected already holds a separate
TSO or JZSO certification.
Table 5
------------------------------------------------------------------------
Frequency Peak Average
------------------------------------------------------------------------
10 kHz-100 kHz.................................... 40 40
100 kHz-500 kHz................................... 40 40
500 kHz-2 MHz..................................... 40 40
2 MHz-30 MHz...................................... 100 100
30 MHz-70 MHz..................................... 20 20
70 MHz-100 MHz.................................... 20 20
100 MHz-200 MHz................................... 50 30
200 MHz-400 MHz................................... 70 70
400 MHz-700 MHz................................... 730 30
700 MHz-1 GHz..................................... 1300 70
1 GHz-2 GHz....................................... 2500 160
2 GHz-4 GHz....................................... 3500 240
4 GHz-6 GHz....................................... 3200 280
6 GHz-8 GHz....................................... 800 330
8 GHz-12 GHz...................................... 3500 330
12 GHz-18 GHz..................................... 1700 180
------------------------------------------------------------------------
Certification HIRF Environment
Field Strengths in Volts/Meter, (V/m).
Note: At 10 kHz-100kHz a Height Impedance Field of 320V/m peak
exists.
Table 6
------------------------------------------------------------------------
Frequency Peak Average
------------------------------------------------------------------------
10 kHz-100 kHz.................................... 20 20
100 kHz-500 kHz................................... 20 20
500 kHz-2 MHz..................................... 30 30
2 MHz-30 MHz...................................... 50 50
30 MHz-70 MHz..................................... 10 10
70 MHz-100 MHz.................................... 10 10
100 MHz-200 MHz................................... 30 30
200 MHz-400 MHz................................... 25 25
400 MHz-700 MHz................................... 730 30
700 MHz-1 GHz..................................... 40 10
1 GHz-2 GHz....................................... 1700 160
2 GHz-4 GHz....................................... 3000 170
4 GHz-6 GHz....................................... 2300 280
6 GHz-8 GHz....................................... 530 230
------------------------------------------------------------------------
Normal HIRF Environment
Field Strengths in Volts/Meter, (V/m).
Abbreviations
GHz--Gigahertz
IFR--Instrument Flight Rules
kHz--Kilohertz
m--Meter
MHz--Megahertz
V--Volt
(22) F-2 LBA, Additional Requirements; LFLS Section 1301, Function
and Installation, and LFLS Section 1309, Equipment, Systems and
Installations [Software development and transition to RTCA DO-178B/ED-
12B]
Discussion
The LZ N07 will be certificated with microprocessor-based systems
installed that contain software. The LBA considered that there was
limited policy or guidance for transitioning to the use of RTCA DO
178B/ED-12B from earlier guidance regarding means of compliance for
software-based systems. Specific transition criteria were specified for
the LZ N07 compliance program.
RTCA DO 178B/ED-12B, ``Software Considerations in Airborne Systems
and Equipment Certification,'' dated December 1, 1992, provides
guidance for software development where industry and regulatory
experience showed RTCA document DO 178A/ED-12A, ``Software
Considerations in Airborne Systems and Equipment Certification,'' dated
1985, required revision. Through RTCA, Inc./EUROCAE, a joint committee
comprised of representatives from both the public and private sectors,
created DO 178B/ED-12B to reflect the experience gained in the
certification of aircraft and engines containing software based systems
and equipment and to provide guidance in the area not previously
addressed by DO 178A/ED-12A. DO 178B/ED-12B contains more objectively-
determinable compliance criteria and considerably enhances the
consistency of software evaluations. The use of DO 178B/ED-12B provides
for a more thorough and sure compliance finding to objective standards,
reducing the likelihood of software errors.
Due to being superseded for the reasons discussed above, DO 178A/
ED-12A and prior versions were not recognized by the LBA as acceptable
means of compliance for software being developed or being modified for
an airship certification program (in Germany) whose application date
was later than January 11, 1993 (except as noted in subparagraph 1(a)
and 1(b) below). The LZ N07 program fell into this category. ZLT was
allowed to propose exceptions to the use of DO 178B/ED-12B (or
equivalently acceptable means of compliance) for specific systems or
equipment. These requests were evaluated on a case-by-case basis and
were considered when:
(a) The LBA determined that the software modification is so simple
or straightforward that an upgrade of the applicant's processes to DO
178B/ED-12B from earlier revisions of DO 178/ED-12 is not necessary for
assuring that the modification is specified, designed, and implemented
correctly, and verified appropriately; or
(b) Where a straightforward and readily obvious determination could
be made by the LBA that airworthiness will not be affected if some
specific objectives of DO 178B/ED-12B were not met.
One example might be the modification of a code table or local or
private data that can be readily verified by inspection. A second
example might be minor gain changes necessary for adoption of existing
equipment to a new airframe. A third example might be the modification
of a small percentage of code that has no effect on common or global
data or other forms of coupling between modules nor interfaces with
other equipment or where such effects are easily limited and where such
limiting is easily verifiable. A fourth example might be where a non-
essential system with Level 3 software per DO 178A/ED-12A would be
appropriately re-categorized during the system safety assessment and DO
178B/ED-12B processes as Level E software. Exemptions such as the above
were, for the most part, directed at previously approved software-based
equipment that had an established and acceptable service history
performing the same function in the same installation environment as
the new application and for which only significant changes were being
made such as outlined above.
Regardless of which version of DO 178/ED-12 was used, ZLT was
required to submit to the LBA a Plan for Software Aspects of
Certification (PSAC), a Software Configuration Index (SCI), and a
Software Accomplishment Summary (SAS) containing the information
specified in DO 178B/ED-12B, paragraphs 11.1, 11.16, and 11.20,
respectively, in addition to any other information required by the
version of DO 178/ED-12 used for the software approval.
For the software being modified, two acceptable methods of
upgrading to DO 178B/ED-12B were specified:
(a) ZLT was allowed to upgrade the entire development baseline,
including all processes and all data items per the provisions of DO
178B/ED-12B, section 12.1.4. Existing processes and data items that can
be shown to already meet the objectives for DO 178B/ED-12B will not
need upgrading.
(b) Alternatively, ZLT was allowed to choose an incremental
approach, using DO 178B/ED-12B processes to make modifications and
upgrading the
[[Page 24667]]
products (data items) of the life cycle processes only where they are
affected by the modification. A regression analysis should identify
those areas of the code and other data items affected by the
modification. Data items were upgraded in those areas where they were
directly affected by the modification (for instance, new requirements)
and where required in order to satisfy the objectives of DO 178B/ED-
12B, Annex A (for instance, where otherwise unmodified requirements
must be upgraded to provide sufficient data for the requirements-based
testing of the modified code sections).
In planning the transition activities using either alternative, ZLT
should perform an analysis to see where the processes and products of
the software life cycle do not satisfy the DO 178B/ED-12B objectives.
This will provide a limit to the activity required and criteria for
assessing the upgrade.
To satisfy the provisions of LFLS section 1301 and LFLS section
1309, the following is required:
Software development for the LZ N07 will be accomplished according
to DO 178B/ED-12B (or equivalently acceptable means of compliance) for
specific systems or equipment. Deviations from this requirement will be
considered when:
(a) The software modification is so simple or straightforward that
an upgrade of the applicant's processes to DO 178B/ED-12B from earlier
revisions of DO 178/ED-12 is not necessary for assuring that the
modification is specified, designed, and implemented correctly, and
verified appropriately; or
(b) Where a straightforward and readily obvious determination can
be made by the certifying authority that airworthiness will not be
affected if some specific objectives of DO 178B/ED-12B were not met.
The applicant will submit a Plan for Software Aspects of
Certification (PSAC), a Software Configuration Index (SCI), and a
Software Accomplishment Summary (SAS) containing the information
specified in DO 178B/ED-12B, paragraphs 11.1, 11.16, and 11.20,
respectively, in addition to any other information required by the
version of DO 178/ED-12 used for the software approval.
For software modifications, two methods of upgrading to DO 178B/ED-
12B are acceptable:
(a) Upgrade the entire development baseline, including all
processes and all data items, per the provisions of DO 178B/ED-12B,
section 12.1.4. Existing processes and data items that can be shown to
already meet the objectives for DO 178B/ED-12B will not need upgrading.
(b) Choose an incremental approach, using DO 178B/ED-12B processes
to make modifications and upgrading the products (data items) of the
life cycle processes only where they are affected by the modification.
A regression analysis should identify those areas of the code and other
data items affected by the modification. Data items were upgraded in
those areas where they were directly affected by the modification (for
instance, new requirements), and where required in order to satisfy the
objectives of DO 178B/ED-12B, Annex A (for instance, where otherwise
unmodified requirements must be upgraded to provide sufficient data for
the requirements-based testing of the modified code sections).
In planning the transition activities using either alternative, an
analysis will be performed to determine where the processes and
products of the software life cycle do not satisfy the DO 178B/ED-12B
objectives.
Equipment comprising software that is already certified under TSO,
JTSO, FAA-STC, or LBA requirements, will be excluded from this
requirement. However, the software qualification standard of such
equipment will be at least according to DO 178A.
Equipment comprising software that is specifically developed for
use in LZ N07 and modifications to equipment comprising software
specific for LZ N07 that is not, or is not yet, certified under TSO,
JTSO, FAA-STC, or LBA requirement, will be certified according to this
requirement.
(23) F-3 LBA, Additional Requirements, LFLS Section 1301, Function
and Installation, and LFLS Section 1309, Equipment, Systems and
Installations [Electronic Hardware Design Assurance (ASIC)]
Discussion
The LZ N07 will utilize electronic systems that may perform
critical and essential functions. During its certification of the
airship, the LBA made the determination that LBA airworthiness
requirements did not contain adequate standards or guidance for the
assurance that the internal hardware of these electronic systems are
designed to meet the appropriate safety standards. There was no
existing LBA policy or guidance for showing compliance to the existing
rules for those aspects of certification associated with Application
Specific Integrated Circuits (ASICs) and Electronic Programmed Logic
Devices (EPLDs). Recently, EUROCAE Working Group 46 ``Complex
Electronic Hardware'' was established to work in cooperation with RTCA
SC-180 to consider this subject.
LFLS section 1309 was intended by the LBA as a general requirement
that should be applied to all systems and powerplant installations (as
required by LFLS section 901(a)) to determine the effect on the airship
of a functional failure or malfunction. It is based on the principle
that there should be an inverse relationship between the severity of
the effect of a failure and the probability of its occurrence.
Definitions
a. Continued Safe Flight and Landing: The capability for continued
controlled flight and landing, possibly using emergency procedures, but
without requiring exceptional pilot skill or strength. Some airship
damage may be associated with a Failure Condition, during flight or
upon landing.
b. Error: An occurrence arising as a result of incorrect action by
the flight crew or maintenance personnel.
c. Event: An occurrence that has its origin distinct from the
airship, such as atmospheric conditions (e.g., gusts, temperature
variations, icing, and lightning strikes) runway conditions, cabin and
baggage fires. The term is not intended to cover sabotage.
d. Failure: A loss of function, or a malfunction, of a system or
part thereof.
e. Failure Condition: The effect on the Airship and its occupants,
both direct and consequential, caused or contributed to by one or more
failures, considering relevant adverse operational or environmental
conditions. Failure Conditions may be classified according to their
severities as follows:
(1) Minor: Failure Conditions that would not significantly reduce
Airship safety and which involve crew actions that are well within
their capabilities. Minor failure conditions may include, for example,
a slight reduction in safety margins or functional capabilities, a
slight increase in crew workload, such as routine flight plan changes,
or some inconvenience to occupants.
(2) Major: Failure Conditions that would reduce the capability of
the Airship or the ability of the crew to cope with adverse operating
conditions to the extent that there would be, for example, a
significant reduction in safety margins or functional capabilities, a
significant increase in crew workload or in conditions impairing crew
efficiency, or discomfort to occupants, possibly including injuries.
(3) Hazardous: Failure conditions that would reduce the capability
of the airship or the ability of the crew to cope
[[Page 24668]]
with adverse operating conditions to the extent that there would be:
(a) A large reduction in safety margins or functional capabilities;
(b) Physical distress or higher workload such that the flight crew
cannot be relied upon to perform their tasks accurately or completely;
or
(c) Serious or fatal injury to a relatively small number of the
occupants.
(4) Catastrophic: Failure conditions that would prevent Continued
Safe Flight and Landing.
f. Redundancy: The presence of more than one independent means for
accomplishing a given function or flight operation. Each means need not
necessarily be identical.
Technical Discussion
LFLS section 1309(b) and (d) require substantiation by analysis
and, where necessary, by appropriate ground, flight, or simulator
tests, that a logical and acceptable inverse relationship exists
between the probability and the severity of each Failure Condition.
However, tests are not required to verify Failure Conditions that are
postulated to be Catastrophic. The goal is to ensure an acceptable
overall Airship safety level, considering all Failure Conditions of all
systems.
a. The requirements of LFLS section 1309(b) and (d) are intended to
ensure an orderly and thorough evaluation of the effects on safety of
foreseeable failures or other events, such as errors or external
circumstances, separately or in combination, involving one or more
system functions. The interactions of these factors within a system and
among relevant systems should be considered.
b. The severities of Failure Conditions may be evaluated according
to the following considerations:
(1) Effects on the Airship, such as reductions in safety margins,
degradations in performance, loss of capability to conduct certain
flight operations, or potential or consequential effects on structural
integrity.
(2) Effects on crewmembers, such as increases above their normal
workload that would affect their ability to cope with adverse
operational or environmental conditions.
(3) Effects on the occupants; i.e., passengers and crewmembers.
(4) For convenience in conducting design assessments, Failure
Conditions may be classified according to their severities as Minor,
Major, Hazardous, or Catastrophic. Chapter 1, ``Definitions'' provides
accepted definitions of these terms.
(a) The classification of Failure Conditions does not depend on
whether or not a system or function is the subject of a specific
requirement. Some ``required'' systems, such as transponders, position
lights, and public address systems, may have the potential for only
Minor Failure Conditions. Conversely, other systems that are not
``required,'' such as flight management systems, may have the potential
for Major, Hazardous, or Catastrophic Failure Conditions.
(b) Regardless of the types of assessment used, the classification
of Failure Conditions should always be accomplished with consideration
of all relevant factors; e.g., system, crew, performance, operational,
external, etc. Examples of factors would include the nature of the
failure modes, any effects or limitations on performance, and any
required or likely crew action. It is particularly important to
consider factors that would alleviate or intensify the severity of a
Failure Condition. An example of an alleviating factor would be the
continued performance of identical or operationally similar functions
by other systems not affected by the Failure Condition. Examples of
intensifying factors would include unrelated conditions that would
reduce the ability of the crew to cope with a Failure Condition, such
as weather or other adverse operational or environmental conditions.
The probability that a Failure Condition would occur may be
assessed as Probable, Improbable (Remote or Extremely Remote), or
Extremely Improbable. Each Failure Condition should have a probability
that is inversely related to its severity.
1. Minor Failure Conditions may be Probable.
2. Major Failure Conditions must be no more frequent than
Improbable (Remote).
3. Hazardous Failure Conditions must be no more frequent than
Improbable (Extremely Remote).
4. Catastrophic Failure Conditions must be Extremely Improbable.
c. An assessment to identify and classify Failure Conditions is
necessarily qualitative. On the other hand, an assessment of the
probability of a Failure Condition may be either qualitative or
quantitative. An analysis may range from a simple report that
interprets test results or compares two similar systems to a detailed
analysis that may (or may not) include estimated numerical
probabilities. The depth and scope of an analysis depends on the types
of functions performed by the system, the severities of Failure
Conditions, and whether or not the system is complex. Regardless of its
type, an analysis should show that the system and its installation can
tolerate failures to the extent that Major and Hazardous Failure
Conditions are Improbable and Catastrophic Failure Conditions are
Extremely Improbable:
(1) Experienced engineering and operational judgment should be
applied when determining whether nor not a system is complex.
Comparison with similar, previously approved systems, is sometimes
helpful. All relevant systems Attributes should be considered; however,
the complexity of the software used to program a digital-computer-based
system should not be considered because the software is assessed and
controlled by other means, as described in paragraph 2.i.
(2) An analysis should consider the application of the fail-safe
design concept described in paragraph 5 and give special attention to
ensuring the effective use of design techniques that would prevent
single failures or other events from damaging or otherwise adversely
affecting more than one redundant system channel or more than one
system performing operationally-similar functions. When considering
such common-cause failures or other events, consequential or cascading
effects should be taken into account if they would be inevitable or
reasonably likely.
(3) Some examples of such potential common-cause failures or other
events would include rapid release of energy from concentrated sources
such as uncontained failures of rotating parts or pressure vessels,
pressure differentials, non-catastrophic structural failures, loss of
environmental conditioning, disconnection of more than one subsystem or
component by over temperature protection devices, contamination by
fluids, damage from localized fires, loss of power, excessive voltage,
physical or environmental interactions among parts, human or machine
errors, or events external to the system or to the Airship.
d. Compliance for a system or part thereof that is not complex may
sometimes be shown by design and installation appraisals and evidence
of satisfactory service experience on other Airships using the same or
other systems that are similar in their relevant Attributes.
e. In general, a Failure Condition resulting from a single failure
mode of a device cannot be accepted as being Extremely Improbable. In
very unusual cases, however, experienced engineering judgment may
enable an assessment that such a failure mode is not a practical
possibility. When making such an assessment, all possible and relevant
considerations should be taken
[[Page 24669]]
into account, including all relevant Attributes of the device. Service
experience showing that the failure mode has not yet occurred may be
extensive, but it can never be enough. Furthermore, flight crew or
ground crew checks have no value if a Catastrophic failure mode would
occur suddenly and without any prior indication or warning. The
assessment's logic and rationale should be so straightforward and
readily obvious that, from a realistic and practical viewpoint, any
knowledgeable, experienced person would unequivocally conclude that the
failure mode simply would not occur.
f. LFLS section 1309(c) provides requirements for system
monitoring, failure warning, and capability for appropriate corrective
crew action. Guidance on acceptance means of compliance is provided in
paragraph 8.g.
g. In general, the means of compliance described in this Appendix
to CRI F-ASIC's are not directly applicable to software assessments
because it is not feasible to assess the number or kinds of software
errors, if any, that may remain after the completion of system design,
development, and test. RTCA DO-178A and EUROCAE ED-12A, or later
revisions thereto, provide acceptable means for assessing and
controlling the software used to program digital-computer-based
systems. The documents define and use certain terms to classify the
criticalities of functions. These terms have the following
relationships to the terms used in this Appendix to CRI F-ASIC's to
classify Failure Conditions: Failure Conditions adversely affecting
non-essential functions would be Minor, Failure Conditions adversely
affecting essential functions would be Major or Hazardous, and Failure
Conditions adversely affecting critical functions would be
Catastrophic.
h. Functional Hazard Assessment. Before an applicant proceeds with
a detailed safety assessment, it is useful to prepare a preliminary
hazard assessment of the system functions in order to determine the
need for and scope of subsequent analysis. This assessment may be
conducted using service experience, engineering and operational
judgment, or a top-down deductive qualitative examination of each
function performed by the system. A functional hazard assessment is a
systematic, comprehensive examination of a system's functions to
identify potential Major, Hazardous and Catastrophic Failure Conditions
that the system can cause or contribute to not only if it malfunctions
or fails to function but also in its normal response to unusual or
abnormal external factors. It is concerned with the operational
vulnerabilities of the system rather than with the detailed hardware
analysis.
Each system function should also be examined with respect to
functions performed by other Airship systems because the loss of
different but related functions provided by separate systems may affect
the severity of Failure Conditions postulated for a particular system.
In assessing the effects of a Failure Condition, factors that might
alleviate or intensify the direct effects of the initial Failure
Condition should be considered, including consequent or related
conditions existing within the Airship that may affect the ability of
the crew to deal with direct effects, such as the presence of smoke,
acceleration vectors, interruption of communication, interference with
cabin pressurization, etc.
When assessing the consequences of a given Failure Condition,
account should be taken of the warnings given, the complexity of the
crew action, and the relevant crew training. The number of overall
Failure Conditions involving other than instinctive crew actions may
influence the flight crew performance that can be expected. Training
requirements may need to be specified in some cases.
A functional hazard assessment may contain a high level of detail
in some cases, such as for a flight guidance and control system with
many functional modes, but many installations may need only a simple
review of the system design by the applicant. The functional hazard
assessment is a preliminary engineering tool. It should be used to
identify design precautions necessary to ensure independence, to
determine the required software level, and to avoid common mode and
cascade failures.
If further safety analysis is not provided, then the functional
hazard assessment could itself be used as certification documentation.
(1) Analysis of Hazardous and Catastrophic Failure Conditions
(a) A detailed safety analysis will be necessary for each Hazardous
and Catastrophic Failure Condition identified by the functional hazard
assessment. Hazardous Failure Conditions should be Improbable
(Extremely Remote), and Catastrophic Failure Conditions should be
Extremely Improbable. The analysis will usually be a combination of
qualitative and quantitative assessment of the design. Probability
levels that are related to Catastrophic Failure Conditions should not
be assessed only on a numerical basis, unless this basis can be
substantiated beyond reasonable doubt.
(b) For simple and conventional installations, i.e., low complexity
and similarity in relevant Attributes, it may be possible to assess a
Catastrophic Failure Condition as being Extremely Improbable on the
basis of experienced engineering judgment, without using all the formal
procedures listed above. The basis for the assessment will be the
degree of redundancy, the established independence and isolation of the
channels and the reliability record of the technology involved. A
Failure Condition resulting from a single failure mode of a device
cannot generally be accepted as being Extremely Improbable, except in
very unusual cases.
To satisfy the provisions of LFLS section 1301 and LFLS section
1309 Equipment, Systems and Installations with respect to Electronic
Hardware Design Assurance (ASIC), the design considerations and
analyses described in the above Discussion and Technical Discussion
will be utilized to accomplish the following:
Correct operation will be demonstrated by test or analysis under
all combinations and permutations of conditions of the gates within the
device for electronic hardware whose anomalous behavior would cause or
contribute to a failure of a system resulting in a catastrophic or
hazardous failure condition for the airplane as defined in Advisory
Circular 23.1309-1C.
Correct operation will also be demonstrated by test or analysis
under all combinations and permutations of conditions at the pins of
the device for electronic hardware whose anomalous behavior would cause
or contribute to a failure of a system resulting in a major or minor
failure condition for the airplane as defined in Advisory Circular
23.1309-1C.
If the testing and analysis methods outlined above are impractical
due to the complexity of the device, the electronic hardware should be
developed using a structured development process. The applicant may use
the guidelines in RTCA DO-254, ``Design Assurance Guidance for Airborne
Electronic Hardware'' or another process that is acceptable to the FAA.
If the applicant chooses to use the guidelines in RTCA DO-254, the
hardware development assurance levels should be the same as the
software development assurance levels agreed to by the applicant and
the FAA.
(24) F-4 LBA, Additional Requirements concerning LFLS Sections
1301, 1303, 1305, 1309, 1321, 1322, 1330, and 1431 with respect to
Liquid Crystal Displays
[[Page 24670]]
Discussion
ZLT proposed to use Liquid Crystal Displays (LCDs) for presentation
of Airspeed/Altitude/Attitude/Engine/Warning and Caution information to
the pilots. The LBA had no published approval criteria for LCD
technology.
The LCDs to be installed in the LZ-N07 flight deck will display
flight information, including functions critical to safe flight and
landing. There is presently no existing guidance material for Liquid
Crystal Display airworthiness certification in the LFLS. For the LZ-N07
certification, the following Guidance Material for LCD airworthiness
approval was developed. The following Guidance Material provides
acceptable guidance for airworthiness approval of display systems using
LCD technology in the LZ-N07.
Guidance Material
Guidance Material for Electronic Liquid Crystal Display Systems
Airworthiness Approval
Purpose
This Guidance Material provides guidance for certification of
Liquid Crystal Display (LCD) based electronic display systems used for
guidance, control, or decision-making by the pilots of an Airship. Like
all guidance material, this document is not, in itself, mandatory and
does not constitute a regulation. It is issued to provide guidance and
to outline a method of compliance with the rules.
Scope
The material provided in this section consists of guidance related
to pilot displays and specifications for LCDs in the cockpit of an
Airship. The content of the Appendix is limited to statements of
general certification considerations, including color, symbology,
coding, clutter, dimensionality, and attention-getting requirements,
and display visual characteristics.
a. Information Separation.
(1) Color Standardization.
(a) Although color standardization is desirable, during the initial
certification of electronic displays, color standards for symbology
were not imposed (except for cautions and warnings in LFLS section
1322). At that time, the expertise did not exist within industry or the
LBA, nor did sufficient service experience exist to rationally
establish a suitable color standard.
(b) In spite of the permissive LCD color atmosphere that existed at
the time of initial LCD display certification programs, an analysis of
the major certifications to date reveals many areas of common color
design philosophy; however, if left unrestricted, in several years
there will be few remaining common areas of color selection. If that is
the case, information transfer problems may begin to occur that have
significant safety implications. To preclude this, the following colors
are being recommended based on current-day common usage. Deviations may
be approved with acceptable justification.
(c) The following depicts acceptable display colors related to
their functional meaning recommended for electronic display systems.
1. Display features should be color-coded as follows:
Warnings--Red
Flight envelope and system limits--Red
Cautions, abnormal sources--Amber/Yellow
Earth--Tan/Brown
Engaged modes--Green
Sky--Cyan/Blue
ILS deviation pointer--Magenta
Flight director bar--Magenta/Green
2. Specified display features should be allocated colors from one
of the following color sets:
------------------------------------------------------------------------
Color set 1 Color set 2
------------------------------------------------------------------------
Fixed reference symbols........... White.............. Yellow \*\
Current data, values.............. White.............. Green
Armed modes....................... White.............. Cyan
Selected data, values............. Green.............. Cyan
Selected heading.................. Magenta * *........ Cyan
Active route/flight plan.......... Magenta............ White
------------------------------------------------------------------------
\*\ The extensive use of the color yellow for other than caution/
abnormal information is discouraged.
\**\ In color Set 1, magenta is intended to be associated with those
analogue parameters that constitute ``fly to'' or ``keep centered''
type information.
(d) When deviating from any of the above symbol color assignments,
the manufacturer should ensure that the chosen color set is not
susceptible to confusion or color meaning transference problems due to
dissimilarities with this standard. The Authority test pilot should be
familiar with other systems in use and evaluate the system specifically
for confusion in color meanings.
(e) The LBA does not intend to limit electronic displays to the
above colors, although they have been shown to work well. The colors
available from a symbol generator/display unit combination should be
carefully selected on the basis of their chrominance separation.
Research studies indicate that regions of relatively high color
confusion exist between red and magenta, magenta and purple, cyan and
green, and yellow and orange (amber). Colors should track with
brightness so that chrominance and relative chrominance separation are
maintained as much as possible over day/night operation. Requiring the
flight crew to discriminate between shades of the same color for symbol
meaning in one display is not recommended.
(f) Chrominance uniformity should be in accordance with the
guidance provided in SAE Document ARP 1874. As designs are finalized,
the manufacturer should review his color selections to ensure the
presence of color works to the advantage of separating logical
electronic display functions or separation of types of displayed data.
Color meanings should be consistent throughout all color LCD displays
in the cockpit. In the past, no criteria existed requiring similar
color schemes for left and right side installations using electro-
mechanical instruments.
(2) Color Perception versus Workload.
(a) When color displays are used, colors should be selected to
minimize display interpretation workload. Symbol coloring should be
related to the task or crew operation function. Improper color-coding
increases response times for display item recognition and selection,
and it increases the likelihood of errors in situations where response
rate demands exceed response accuracy demands. Color assignments that
differ from other displays in use, either electromechanical or
electronic, or that differ from common usage (such as red, yellow, and
green for stoplights), can potentially lead to confusion and
information transferal problems.
(b) When symbology is configured such that symbol characterization
is not based on color contrast alone but on shape as well, then the
color information is seen to add a desirable degree of redundancy to
the displayed information. There are conditions in which pilots whose
vision is color deficient can obtain waivers for medical qualifications
under National crew license regulations. In addition, normal aging of
the eye can reduce the ability to sharply focus on red objects or
discriminate blue/green. For pilots with such deficiency, display
interpretation workload may be unacceptably increased unless symbology
is coded in more dimensions than color alone. Each symbol that needs
separation because of the criticality of its information content should
be identified by at least two distinctive coding parameters (size,
shape, color, location, etc.).
(c) Color diversity should be limited to as few colors as practical
to ensure adequate color contrast between symbols. Color grouping of
symbols, annunciations, and flags should follow
[[Page 24671]]
a logical scheme. The contribution of color to information density
should not make the display interpretation times so long that the pilot
perceives a cluttered display.
(3) Standard Symbology. Many elements of electronic display formats
lend themselves to standardization of symbology, which would shorten
training and transition times when pilots change airplane types.
(4) Symbol Position.
(a) The position of a message or symbol within a display conveys
meaning to the pilot. Without the consistent or repeatable location of
a symbol in a specific area of the electronic display, interpretation
errors and response times may increase. The following symbols and
parameters should be position consistent:
(1) All warning/caution/advisory annunciation locations.
(2) All sensor data: Altitude, airspeed, glideslope, etc.
(3) All sensor failure flags. (Where appropriate, flags should
appear in the area where the data is normally placed.)
(4) Either the pointer or scale for analogue quantities should be
fixed. (Moving scale indicators that have a fixed present value may
have variable limit markings.)
(b) An evaluation of the positions of the different types of
alerting messages and annunciations available within the electronic
display should be conducted, with particular attention given to
differentiation of normal and abnormal indications. There should be no
tendency to misinterpret or fail to discern a symbol, alert, or
annunciation due to an abnormal indication being displayed in the
position of a normal indication and having similar shape, size or
color.
(c) Pilot and copilot displays may have minor differences in
format, but all such differences should be evaluated specifically to
ensure that no potential for interpretation error exists when pilots
make cross-side display comparisons.
(5) Clutter. A cluttered display is one that uses an excessive
number and/or variety of symbols, colors, or small spatial
relationships. This causes increased processing time for display
interpretation. One of the goals of display format design is to convey
information in a simple fashion in order to reduce display
interpretation time. A related issue is the amount of information
presented to the pilot. As this increases, tasks become more difficult
as secondary information may detract from the interpretation of
information necessary for the primary task. A second goal of display
format design is to determine what information the pilot actually
requires in order to perform the task at hand. This will serve to limit
the amount of information that needs to be presented at any point in
time. Addition of information by pilot selection may be desirable,
particularly in the case of navigational displays, as long as the basic
display modes remain uncluttered after pilot de-selection of secondary
data. Automatic de-selection of data has been allowed in the past to
enhance the pilot's performance in certain emergency conditions.
(6) Interpretation of Two-Dimensional Displays. Modern
electromechanical attitude indicators are three-dimensional devices.
Pointers overlay scales; the fixed airplane symbol overlays the flight
director single cue bars that, in turn, overlay a moving background.
The three-dimensional aspect of a display plays an important role in
interpretation of instruments. Electronic flight instrument system
displays represent an attempt to copy many aspects of conventional
electromechanical displays but in only two dimensions. This can present
a serious problem in quick-glance interpretation, especially for
attitude. For displays using conventional, discrete symbology, the
horizon line, single cue flight director symbol, and fixed airplane
reference should have sufficient conspicuity such that the quick-glance
interpretation should never be misleading for basic attitude. This
conspicuity can be gained by ensuring that the outline of the fixed
airplane symbol(s) always retains its distinctive shape, regardless of
the background or position of the horizon line or pitch ladder. Color
contrast is helpful in defining distinctive display elements but is
insufficient by itself because of the reduction of chrominance
difference in high ambient light levels. The characteristics of the
flight director symbol should not detract from the spatial relationship
of the fixed airplane symbol(s) with the horizon. Careful attention
should be given to the symbol priority (priority of displaying one
symbol overlaying another symbol by editing out the secondary symbol)
to assure the conspicuity and ease of interpretation similar to that
available in three-dimensional electromechanical displays.
Note: Horizon lines and pitch scales that overwrite the fixed
airplane symbol or roll pointer have been found unacceptable in the
past.
(7) Attention-Getting Requirements.
(a) Some electronic display functions are intended to alert the
pilot to changes: Navigation sensor status changes (VOR flag), computed
data status changes (flight director flag or command cue removal), and
flight control system normal mode changes (annunciator changes from
armed to engaged) are a few examples. For the displayed information to
be effective as an attention-getter, some easily noticeable change must
be evident. A legend change by itself is inadequate to annunciate
automatic or uncommanded mode changes. Color changes may seem adequate
in low light levels or during laboratory demonstrations but become much
less effective at high ambient light levels. Motion is an excellent
attention-getting device. Symbol shape changes are also effective, such
as placing a box around freshly changed information. Short-term
flashing symbols (approximately 10 seconds or flash until acknowledge)
are effective attention-getters. A permanent or long-term flashing
symbol that is non-cancelable should not be used.
(b) In some operations, continued operation with inoperative
equipment is allowed (under provisions of an MEL). The display designer
should consider the applicant's MEL desires because in some cases a
continuous strong alert may be too distracting for continued dispatch.
(8) Color Drive Failure. Following a single color drive failure,
the remaining symbology should not present misleading information,
although the display does not have to be usable. If the failure is
obvious, it may be assumed that the pilot will not be susceptible to
misleading information due to partial loss of symbology. To make this
assumption valid, special cautions may have to be included in the AFM
procedures that point out to the pilot that important information
formed from a single primary color may be lost, such as red flags.
(9) For Both Active Matrix and Segmented Liquid Crystal Displays
Viewing Envelope: The installed display must meet all the following
requirements when viewed from a rectangle centered on the design eye
position and sized 1-foot vertical dimension and 2-feet horizontal
dimension.
General: The display symbology must be clearly readable throughout
the viewing envelope under all ambient illumination levels ranging from
1.1 lux (0.10 fc) to sun shaft illumination of 86,400 lux (8000 fc) at
45 degrees incidence to the face of the display.
Symbol Alignment: Symbols that are interpreted relative to each
other must be aligned to preclude erroneous interpretation.
[[Page 24672]]
Flicker: Flicker must not be readily discernible or distracting
under day, twilight, or night conditions, considering both foveal and
full peripheral vision, and using a format most susceptible to
producing flicker.
Multiple Images: Multiple display images produced by light not
normal to the display surface must neither be distracting nor cause
erroneous interpretation.
Luminance: The display luminance must be sufficient to provide a
comfortable level of viewing under all conditions and provide rapid eye
adaptation when transitioning from looking outside the flight deck.
Minimum Luminance: Under night lighting, with the display
brightness set at the lowest usable level for flight with normal
symbology, all flags and annunciators must be adequately visible.
Lighting: In order to aid daylight viewing, the displays'
backlighting must be designed such that adequate daylight backlighting
is provided when the cockpit discrete lighting control is set to the
`bright' position. In ``non-bright'' positions, the displays must be
modulated in a balanced fashion in conjunction with other cockpit
lighting.
(10) For Active Matrix Displays.
Matrix Anomalies: For both static and dynamic formats, the display
must have no matrix anomalies that cause distraction or erroneous
interpretation.
Line Width Uniformity: Lines of specified color and luminance must
remain uniform in width at all orientations. Unintended line width
variation must not be readily apparent or distracting in any case.
Symbol Quality: Symbols must not have distracting gaps or geometric
distortions that cause erroneous interpretations.
Symbol Motion: Display symbology that is in motion must not have
distracting or objectionable jitters, jerkiness, or ratcheting effects.
Image Retention: Image retention must not be readily discernible
day or night and must not be distracting or cause an erroneous
interpretation or smearing effect for motion dynamic symbology.
Defects: Visible defects on the display surface (such as ``on''
elements, ``off'' elements, spots, discolored areas, etc.) must not be
distracting or cause an erroneous interpretation. Service limits for
defects must be established.
Luminance Uniformity: Display areas of a specified color and
luminance must have a luminance uniformity of less than 50 percent
across the utilized display surface. The rate of change of luminance
within any small area shall be minimized to eliminate distracting
visual effects. These requirements apply for any eye position within
the display viewing envelope.
Contrast Ratios: The average contrast ratio over the usable display
surface must be a minimum of 201 at the design eye position and 101 for
any eye position within the display viewing envelope when measured
under a dark ambient illumination. This requirement is based on a 0.5
mm (0.0201) line width. Smaller line widths must have a comparable
readability, which may require a higher contrast ratio.
(11) For Segmented Displays.
Activated Segments: Activated segments must have a contrast ratio
with the immediately adjacent inactivated background of 21 for viewing
angles of on-axis to 50 degrees off-axis.
Inactivated Segments: When segments are not electrically activated,
there must be no obtrusive difference between the normal background
luminance, color, or texture and the inactivated segments of the area
surrounding them. The contrast ratio between inactivated segments and
the background must not be greater than 1.151 in a light ambient when
viewed from an angle normal to the display up to an angle 50 degrees
off-axis.
For the purpose of this Issue Paper, the following definition
applies:
Luminance Uniformity = (Lmax - Lmin / Lave (expressed in percent)
Where Lmax = Maximum luminance measured anywhere on the utilized
display surface
Lmin = Minimum luminance measured anywhere on the utilized display
surface
Lave = Average luminance of the utilized display surface
To satisfy the provisions of LFLS sections 1301, 1303, 1305, 1309,
1321, 1322, 1330, and 1431 with respect to Liquid Crystal Displays, the
design considerations and analyses described in the above Guidance
Material will be utilized:
(a) Equipment comprising LCDs that is not specifically developed
for use in the LZ-N07, and which is already certified under TSO, JTSO,
FAA-STC, or LBA Kennblatt, will be excluded and not certified according
to these guidelines.
(b) Equipment comprising LCDs that is specifically developed for
the use in LZ-N07, and modifications to equipment comprising LCDs
specific for the LZ-N07, and that is not, or not yet, certified under
TSO, JTSO, FAA-STC, or LBA Kennblatt, will be certified according to
these guidelines.
(25) F-5 LBA, Additional Requirements; LFLS Section 1301, Function
and Installation, and LFLS Section 1309, Equipment, Systems and
Installations, Use of Commercial Off-The-Shelf (COTS) Software in
Airship Avionics Systems
General Discussion
The LZ N07 will be certificated with digital microprocessor based
systems installed that may contain commercial off-the-shelf (COTS)
software. This Guidance Material identifies acceptable means of
certifying airborne systems and equipment containing COTS software on
the airship.
Background
Many COTS software applications and components have been developed
for use outside the field of commercial air transportation. Much of the
COTS software has been developed for systems for which safety is not a
concern or for systems with safety criteria different from that of
commercial airships. Consequently, for COTS software, adequate
artifacts may not be available to assess the adequacy of the software
integrity. Available evidence may be insufficient to show that adequate
software life cycle processes were used. RTCA DO 178B/ED-12B recognizes
the above and addresses means by which COTS may be shown to comply with
airship certification requirements.
Technical Discussion
Document RTCA DO 178B/ED-12B provides a means for obtaining the
approval of airborne COTS software. For those systems that make use of
COTS software, the objectives of RTCA DO 178B/ED-12B should be
satisfied. If deficiencies exist in the life cycle data of COTS
software, DO 178B/ED-12B addresses means to augment that data to
satisfy the objectives. If Zeppelin chooses to utilize a means other
than DO 178B/ED-12B, the LBA requests Zeppelin to propose, via the Plan
for Software Aspects of Certification (PSAC), how it intends to show
that all COTS software complies with Airship Requirements LFLS sections
1301, 1309. Zeppelin should obtain agreement on the means of compliance
from the LBA prior to implementation.
Abbreviations Used in This Guidance
Table 7
------------------------------------------------------------------------
Abbreviation