xx/xx/201x
Proposed
AC 29-2C
This is new AC 29-2 guidance material.
CHAPTER 3
AIRWORTHINESS STANDARDS
TRANSPORT CATEGORY ROTORCRAFT
MISCELLANEOUS GUIDANCE (MG)
AC 29 MG 17
GUIDANCE ON ANALYZING AN ADVANCED FLIGHT CONTROLS
(AdFC) SYSTEMS
a. Purpose.
(1) This MG provides certification guidance for installation of an AdFC system in
rotorcraft. An AdFC is a flight control system that utilizes or replaces mechanical parts
in conventional mechanical flight control systems with electronic parts. Typical systems
include fly-by-wire and fly-by-light.
(2) This MG describes acceptable guidance for analyzing an AdFC system to
determine compliance with all applicable sections of 14 CFR part 29. An applicant for a
type certificate, amended type certificate, supplemental type certificate, amended
supplemental type certificate, and technical standard order authorization may use the
“Rotorcraft Advanced Flight Controls (AdFC) Handbook” (being published under Policy
Statement PS-ASW-27,29-09), in conjunction with applicable ACs, to comply with
relevant regulations.
b. References and Related Documents.
(1) Applicable 14 CFR part 29 regulations:
29.141, 29.143, 29.151, 29.161, 29.171, 29.173, 29.175, 29.177, 29.241,
29.391, 29.395, 29.397, 29.399, 29.602, 29.663, 29.671, 29.672, 29.674,
29.675, 29.681, 29.683, 29.685, 29.687, 29.771, 29.773, 29.777, 29.779,
29.1301, 29.1309, 29.1317, 29.1321, 29.1322, 29.1329, 29.1335, 29.1351,
29.1555, 29.1581, 29.1585, and Appendix B
(2) Applicable ACs (current version):
(i) AC 20-174, Development of Civil Aircraft and Systems.
(ii) AC 20-175, Controls for Flight Deck Systems.
(iii) AC 29-2, section 29.1309; Equipment, Systems, and Installations.
(3) Applicable Orders (current version):
Page MG 17 - 1
AC 29-2C
Proposed
xx/xx/201x
(i) 4040.26, Aircraft Certification Service Flight Test Risk Management
Program.
(ii) 8110.4, Type Certification.
(4) Applicable guidance:
(i) Policy Statement PS-ASW-27,29-09, Rotorcraft Advanced Flight Controls
(AdFC) Handbook.
(ii) SAE ARP 4754A, Guidelines for Development of Civil Aircraft and
Systems.
(iii) SAE ARP 4761, Guidelines and Methods for Conducting the Safety
Assessment Process on Civil Airborne Systems and Equipment.
c. Background.
(1) The FAA recognizes that technology utilized in commercial rotorcraft
consistently lags behind state-of-the-art air transport aircraft and military technologies.
AdFC technology has been in use for many years, but guidance material on the safety
aspects of certification, continued operational safety, and especially the use of that
technology has been limited within the FAA.
(2) In 2004 the FAA, Joint Aviation Authorities, and a rotorcraft industry
harmonization team developed a draft AC 27 MG 17 as certification guidance for
installation of AdFC systems in rotorcraft. Though never published officially, that draft
AC was applied via issue paper on several rotorcraft AdFC certification projects. We
started a new effort to update and publish certification guidance for installation of AdFC
systems in rotorcraft. This new effort produced the AdFC handbook, based on the 2004
draft AC’s research conducted jointly by the FAA and the Calspan Corporation. In
addition, we incorporated experience gained through previous fixed-wing AdFC system
certification projects and on-going projects for AdFC system certification on rotorcraft.
d. Application. Applicants seeking approval for the installation of an AdFC system
in rotorcraft should apply this guidance in its entirety as a means, but not the only
means, for showing compliance with the applicable rules.
(1) Since part 29 regulations are inadequate for addressing the new and novel
features of AdFC systems, it may require issue papers, special conditions, equivalent
means of compliance, and methods of compliance to establish safety standards in the
following areas:
(i) Interaction of Systems and Structures. Since rotorcraft with AdFC systems
may contain control functions that affect the structural integrity of the rotorcraft,
Page MG 17 - 2
xx/xx/201x
Proposed
AC 29-2C
additional safety considerations are necessary to address the effects of these systems
on structural integrity, either directly or because of AdFC failures.
(ii) Pilot and Co-Pilot Dual Controls. Since the current regulations assume to
address mechanically linked controls only, additional safety considerations are
necessary to address potentially confusing aspects of pilot and co-pilot dual, non-linked
controls. As an example, a non-responsive control input could prevent compliance with
§ 29.779.
(iii) Lateral-Directional and Longitudinal Stability and Low Energy Awareness.
An AdFC allows for many possibilities in developing laws for novel flight control. In the
simplest form, an AdFC could replace the function of a direct link between the flight
controls and the swashplate. The current flight requirements deal with the conventional
factors of the rotorcraft handling qualities. A more likely situation is the use of an AdFC
to modify the relationship between control input and rotorcraft response.
(iv) Control Surface Awareness. Additional safety considerations are required
to address pilot awareness when employing AdFC systems since certain provisions of
§ 29.143 are not adequate for AdFC systems.
(v) Flight Characteristics Compliance via the Handling Quantities Rating
Method (HQRM). Additional safety considerations are required to address a
methodology for compliance with § 29.1309 by using the HQRM to show an HQ rating
of “satisfactory” for flying qualities in degraded modes.
(vi) Flightcrew Alerting. Additional safety considerations are required to
address the unique alerting characteristics of AdFC systems. The changes to
§ 25.1322 provide complete requirements that § 29.1322 does not.
(vii) Data Integrity. Additional safety considerations are required to ensure no
unintentional altering of primary signals from the flight control system, that the altered
signal characteristics will maintain stable gain and maintain phase margins with
sufficient power to each axis, and consider that all un-commanded signals are
extremely improbable.
(viii) Flight Envelope Protection (FEP). Additional safety considerations are
required to ensure that an FEP system, if implemented, prevents the pilot or autopilot
from making control commands that would force the aircraft to exceed its structural or
aerodynamic operating limits.
(2) Evaluation Methodology. There must be an evaluation of the AdFC systems
performance, the same as conventional flight control systems, to demonstrate
adherence to the safety requirements under all failure conditions. In each case, the
software and hardware used must be under configuration control to comply with the
regulations. We recognize the following evaluation methods; however, there may be
request for other acceptable methods:
Page MG 17 - 3
AC 29-2C
Proposed
xx/xx/201x
- Computer Analysis.
- Pilot-in-the-Loop Simulator Test.
- Bench Test.
- Ground Test.
- Flight Test.
(i) There may be a relationship between the levels of integrity provided to
satisfy a determined failure condition category and the methodology used to validate the
adequacy of the provided integrity. The below table, Figure AC 29 MG 17-1, addresses
this relationship:
Failure Condition Suggested Verification
Categories
Method
Possible Additional
Methods
Minor
Analysis
Flight Testing *3
Major
Analysis
Ground Test
Simulation
Flight Test
Hazardous/Sever Analysis
e-Major
Ground Test
Limited Flight Tests *1, *2
Catastrophic
Analysis
Ground Test
Simulation
Limited Flight Tests *1,
*2
* - Notes:
1 - This should be determined on a case-to-case basis.
2 - Minimize flight testing as a verification methodology, for this combination of
provided integrity and failure condition category, due to safety in testing
considerations. However, desirable flight testing may be feasible for some
aspects if observing proper identification of flight test risk and assessments,
and risk mitigations, in accordance with FAA Order 4040.26 .
3 - For analysis or verification, those probable failures evaluated as having minor
effects, flight testing is an option if the effects are not obvious or if there can
only be evaluation of closed loop effects in flight.
Figure AC 29 MG 17-1
Verification Methodology
Page MG 17 - 4
xx/xx/201x
Proposed
AC 29-2C
(ii) Due to AdFC inherent complexity, investigate AdFC systems that typically
have a large number of test cases of single and multiple failures to verify the safety
functions under all failure conditions.
(A) Non-Real Time Computer Analysis. At the beginning of the
development process, when system components are not yet available in hardware, nonreal time computer simulation is a useful tool for supporting the preliminary system
safety assessment. This allows, at an early stage of the development, a prediction of
the effects and an assessment of the criticality of failure modes of the flight control
system.
(B) Pilot-in-the-Loop Simulator Test. It may be practical to use a flight
simulator (FS) to qualitatively verify safety assessments for certain AdFC failure
conditions that would be high risk or unsafe to perform in flight. These assessments
may be part of the SA process used to show compliance with specific regulations. For
example, use the FS to gather data on aircraft transients caused by a failure, crew
recognition of the abnormal event, recoverability after the failure transient, and the
ability to continue safe flight and landing after recovery. There can be accomplishment
of these assessments for critical, selected conditions using the FS without presenting a
safety risk to the flight test crew.
(1) Test Environment. The test environment for pilot-in-the-loop
simulator tests includes:
- Cockpit, equipped with AdFC representative displays and
controls.
- Computer Generated Imagining (CGI).
- Simulated AdFC system.
- Simulated rotorcraft visuals and behavior.
(2) Verification of Simulation Tools.
(i) Before final evaluation of failure mode effects using a FS,
validate the FS for the specific test conditions identified in the test plan. Do this
validation quantitatively, qualitatively, or a combination of both and approved in a
manner suitable to the FAA..
(ii) There must be control of the FS configuration, including
hardware and software, to ensure there is no corruption of the functional performance,
as validated, during the certification process. Assess the FS to identify and preclude
opportunities for misleading simulator results that could affect the certification process
and ultimately the design of the AdFC systems.
(3) Test Procedure and Expected Results. The test procedure for pilotin-the-loop simulator tests includes real-time simulation of performance with simulated
failures. The expected test results are:
Page MG 17 - 5
AC 29-2C
Proposed
xx/xx/201x
(i) Evaluation of pilot intervention time (recognition and reaction
time) for the occurrence of failures under various flight conditions.
(ii) Assessment of handling qualities during recovery maneuvers.
(iii) Assessment of man-machine interface (controls and displays,
warnings, cautions, and advisories).
(iv) Evaluation of rotorcraft transients.
(C) Bench Test. The installation of the AdFC system in hardware, and
tests performed in either open loop or closed-loop configuration, where there is
simulation of the rotorcraft.
(1) Test Environment. The environment for bench tests includes:
(i) AdFC software installation into the hardware.
(ii) AdFC system must be realistic to the aircraft environment,
including, but not limited to, the mechanical equipment, wiring, cooling, electrical and
hydraulic power supplies, cockpit controls and displays, trim system, actuation system,
and actuator loads.
(iii) Rotorcraft simulation by a mathematical model (only required
for closed-loop simulation).
(2) Test Procedure and Expected Results. The test procedure for
bench tests and rig tests includes open loop and closed-loop tests with simulated
failures. The expected results are:
(i) Verification of failure logic, failure management, and resultant
degraded modes.
(ii) Evaluation of transients during and after failure modes.
Note: Compared to validation of failure management in the simulator, the use of
hardware-in-the-loop simulation provides more realistic results with respect to
signal accuracy and resolution, phase delay, and other hardware or software
related effects.
(G) Rotorcraft Test.
(1) Ground Test. Verification of some aspects of the AdFC
functionality should be possible on the ground, such as determination of stuck or
jammed controls or actuators. Perform ground testing to check the safety functions with
Page MG 17 - 6
xx/xx/201x
Proposed
AC 29-2C
the equipment installed in the aircraft. Perform operation tests to demonstrate that the
flight control system is free from jamming. Perform limit load static tests to demonstrate
compliance with limit load requirements.
(2) Flight Test. The objective of flight tests is flight evaluations to show
compliance with applicable rules and safety requirements and to verify assumptions for
those objectives that are not possible during ground testing. Certain effects can only be
addressed in flight, such as aircraft stability and control, aircrew human factors and
ergonomics, pilot-induced oscillations, air resonance, and structural coupling. Assess
rotorcraft performance and handling qualities under normal and failure operating
conditions. This implies that the test conditions must provide for resetting of failures at
any time to return to the faultless system configuration, if necessary. Carry out flight
tests at various flight conditions with and without simulated failures considering event
risk assessments and risk mitigations.
(3) Type Inspection Authorization (TIA) requirements. In addition to the
requirements of Order 8110.4 (current version) and prior to performing a TIA flight, the
applicant must provide the following documentation to the FAA:
(i) An approved FHA.
(ii) Evidence of completion of SW Stage of Involvement (SOI) #3. Provide all
SOI #3 findings and observations along with their disposition.
(iii) All open problem reports have been adequately disposition.
Page MG 17 - 7