AMC 20-2B Certification of Essential Auxiliary Power Units (APUs) Equipped with Electronic Controls

ED Decision 2020/010/R

1 GENERAL

The existing certification specifications (CSs) for APU and aircraft certification may require special interpretation for essential APUs equipped with electronic control systems. Because of the nature of this technology, it has been found necessary to prepare acceptable means of compliance (AMC) specifically addressing the certification of these electronic control systems.

Like any AMC, the content of this document is not mandatory. It is issued for guidance purposes, and to outline a method of compliance with the CSs. In lieu of following this method, an alternative method may be followed, provided that this is agreed by EASA as an acceptable method of compliance with the CSs.

This document discusses the compliance tasks relating to both the APU and the aircraft certification.

2 RELEVANT SPECIFICATIONS

2.1 APU certification

CS-APU

- Book 1, paragraph 2(c);

- Book 1, Section A, paragraphs 10(b), 20, 80, 90, 210, 220, 280 and 530;

- Book 2, Section A, AMC CS-APU 20.

2.2 Aircraft certification

Aeroplanes: CS-25

- paragraphs 581, 899, 901, 903, 939, 1141, 1163, 1181, 1183, 1189, 1301, 1305, 1307(c), 1309, 1337, 1351(b) and (d), 1353(a) and (b), 1355(c), 1357, 1431, 1461, 1521, 1524, 1527

3 SCOPE

This AMC provides guidance on the interpretation of, and means of compliance with, the relevant APU and aircraft certification requirements as they apply to electronic (analogue and digital) essential APU control systems.

It gives guidance on the precautions to be taken for the use of electronic technology for APU control, protection and monitoring and, where applicable, for integration of functions specific to the aircraft.

Precautions have to be adapted to the criticality of the functions. These precautions may be affected by:

- degree of authority of the system;

- phase of flight;

- availability of backup system.

This document also discusses the division of compliance tasks between the APU and the aircraft certification.

4 PRECAUTIONS

4.1 General

The introduction of electronic technology can entail the following:

(a) greater interdependence of the APU and the aircraft owing to the exchange of electrical power and/or data between them;

(b) a risk of significant failures which might, for example, occur as a result of:

(i) insufficient protection from electromagnetic disturbance (e.g. lightning, internal or external radiation effects);

(ii) insufficient integrity of the aircraft electrical power supply;

(iii) insufficient integrity of data supplied from the aircraft;

(iv) hidden design faults or discrepancies contained within the design of the APU control software/airborne electronic hardware (AEH); or

(v) omissions or errors in the system specification.

Appropriate design and integration precautions must therefore be taken to minimise these risks.

4.2 Objective

The introduction of electronic control systems should provide for the aircraft at least the equivalent level of safety, and the related reliability level, as achieved by an essential APU equipped with hydromechanical control and protection systems.

This objective, when defined during the aircraft/APU certification for a specific application, will be agreed with EASA.

4.3 Precautions related to APU control, protection and monitoring

The software and AEH associated with the APU control, protection and monitoring functions must have a criticality level and architecture appropriate to the criticality of the functions performed.

For digital systems, any residual errors not detected during the software/AEH development and certification process could cause an unacceptable failure. The latest edition of AMC 20-115/AMC 20-152 constitutes an acceptable means of compliance for software/AEH development, verification and software/AEH aspects of certification. The APU software/AEH criticality level should be determined by the APU and aircraft/system safety assessment process; ED-79A/ARP4754A and ARP4761 provide guidelines on how to conduct an aircraft/APU/system safety assessment process.

It should be noted that the software/AEH development assurance methods and disciplines described in the latest edition of AMC 20-115/AMC 20-152 may not, in themselves, be sufficient to ensure that the overall system safety and reliability targets have been achieved. This is particularly true for certain critical systems, such as full authority digital engine control (FADEC) systems. In such cases, it is accepted that other measures, usually within the system, in addition to a high level of software/AEH development assurance, may be necessary to achieve these safety objectives and demonstrate that they have been met.

It is outside the scope of the latest edition of AMC 20-115/AMC 20-152 to suggest or specify these measures, but in accepting that they may be necessary, it is also the intention to encourage the development of software/AEH techniques which could support meeting the overall system safety objectives.

Note: In this AMC, the ‘criticality level’ is used to reflect either the software level of a software item or the AEH design assurance level (or DAL) of an AEH item.

4.4 Precautions related to APU independence from the aircraft

4.4.1 Precautions related to electrical power supply and data from the aircraft

When considering the objectives of Section 4.2, due consideration must be given to the reliability of electrical power and data supplied to the electronic controls and peripheral components. Therefore, the potential adverse effects on APU operation of any loss of electrical power supply from the aircraft or failure of data coming from the aircraft must be assessed during the APU certification.

(a) Electrical power

The use of either the aircraft electrical power network or electrical power sources specific to the APU, or the combination of both, may meet the objectives.

If the aircraft electrical system supplies power to the APU control system at any time, the power supply quality, including transients or failures, must not lead to a situation identified during the APU certification which is considered during the aircraft certification to be a hazard to the aircraft.

(b) Data

The following cases should be considered:

(i) erroneous data received from the aircraft by the APU control system; and

(ii) control system operating faults propagating via data links.

In certain cases, defects of aircraft input data may be overcome by other data references specific to the APU in order to meet the objectives.

4.4.2 Local events

(a) In designing an electronic control system to meet the objectives of Section 4.2, special consideration needs to be given to local events.

Examples of local events include fluid leaks, mechanical disruptions, electrical problems, fires or overheat conditions. An overheat condition results when the temperature of the electronic control unit is greater than the maximum safe design operating temperature declared during the APU certification. This situation can increase the failure rate of the electronic control system.

(b) Whatever the local event, the behaviour of the electronic control system must not cause a hazard to the aircraft. This will require consideration of effects such as the overspeed of the APU.

When the demonstration that there is no hazard to the aircraft is based on the assumption that there exists another function to afford the necessary protection, it must be shown that this function is not rendered inoperative by the same local event (including destruction of wires, ducts, power supplies).

(c) Specific design features or analysis methods may be used to show compliance with respect to hazardous effects. Where this is not possible, for example due to the variability or the complexity of the failure sequence, then testing may be required. These tests must be agreed with EASA.

4.4.3 Lightning and other electromagnetic effects

Electronic control systems are sensitive to lightning and other electromagnetic interference. The system design must incorporate sufficient protection in order to ensure the functional integrity of the control system when subjected to designated levels of electric or electromagnetic inductions, including external radiation effects.

The validated protection levels for the APU electronic control system must be detailed during the APU certification in an approved document. For aircraft certification, it must be substantiated that these levels are adequate.

4.5 Other functions integrated into the electronic control system

If functions other than those directly associated with the control of the APU are integrated into the electronic control system, the APU certification should take into account the applicable aircraft requirements.

5 INTERRELATION BETWEEN APU CERTIFICATION AND AIRCRAFT CERTIFICATION

5.1 Objective

To satisfy the certification requirements, such as CS 25.901, CS 25.903 and CS 25.1309, an analysis of the consequences of failures of the system on the aircraft has to be made. It should be ensured that the software/AEH criticality levels and the safety and reliability objectives for the electronic control system are consistent with these requirements.

5.2 Interface definition

The interface between the APU and the aircraft systems has to be identified, for the AEH and software aspects, in the appropriate documents.

The APU documents should cover in particular:

(a) the software/AEH criticality level (per function if necessary);

(b) the reliability objectives for:

- an APU shutdown in flight;

- a loss of APU control or a significant change in performance; and

- the transmission of faulty parameters;

(c) the degree of protection against lightning or other electromagnetic effects (e.g. the level of induced voltages that can be supported at the interfaces);

(d) the APU and aircraft interface data and its characteristics; and

(e) the aircraft power supply and its characteristics (if relevant).

5.3 Distribution of compliance demonstrations

The certification of the APU equipped with electronic controls and of the aircraft may be shared between the APU certification and the aircraft certification. The distribution between the APU certification and the aircraft certification must be identified and agreed with EASA and/or the appropriate APU and aircraft authorities (an example is given in the appendix).

Appropriate evidence provided for the APU certification should be used for the aircraft certification. For example, the quality of any aircraft function software/AEH and aircraft/APU interface logic already demonstrated for the APU certification should need no additional substantiation for the aircraft certification.

Aircraft certification must deal with the specific precautions taken in respect of the physical and functional interfaces with the APU.

[Amdt 20/10]

[Amdt 20/19]

Appendix to AMC 20-2B

ED Decision 2020/010/R

The following is an example of the distribution of the tasks between the APU certification and the aircraft certification.

| FUNCTIONS OR INSTALLATION CONDITIONS | SUBSTANTIATION UNDER CS-APU | SUBSTANTIATION UNDER CS-25 |
|---|---|---|
| APU CONTROL AND PROTECTION | Safety objective; Software/AEH criticality level | Reliability; Software/AEH criticality level |
| MONITORING | Independence of control and monitoring parameters | Monitoring parameter reliability; Indication system reliability |
| AIRCRAFT DATA | Protection of APU from aircraft data failures; Software/AEH criticality level | Aircraft data reliability |
| CONTROL SYSTEM ELECTRICAL SUPPLY | | Reliability and quality of aircraft supply if used |
| ENVIRONMENTAL CONDITIONS, LIGHTNING AND OTHER ELECTROMAGNETIC EFFECTS | Equipment protection; Declared capability | Aircraft design; Aircraft wiring protection |

[Amdt 20/19]