VTOL.2300 Flight control systems
(a) The flight control systems must be designed to:
(1) operate easily, smoothly, and positively enough to allow proper performance of their functions;
(2) protect against likely hazards;
(3) allow flight crew to be aware of the control limits.
(b) Trim systems, if installed, must be designed to:
(1) protect against inadvertent, incorrect, or abrupt trim operation;
(2) provide information that is required for safe operation.
MOC 1 VTOL.2300 Fly-by-Wire control systems: Definition and Scope
The definition of flight control system is provided in MOC VTOL.2000.
Due to the distributed propulsion, most VTOL configurations have a closer integration of engines and flight controls than other types of aircraft. To address this specificity, a number of lift/thrust system and flight control system objectives are included in Subpart F – Systems and equipment objectives.
While some definitions are proposed in this MOC to facilitate common references, they do not imply limits in the scope of analyses. For example, in most configurations, the lift/thrust units play a role in the flight control function and should thus be integrated in any related safety analyses (e.g. MOC VTOL.2510, MOC 4 VTOL.2300).
Scope and certification approach covering both engines and flight controls for each project should be proposed by the Applicant for acceptance by the Agency.
MOC 2 VTOL.2300 Acceptability of ASTM standard F3232/F3232M-20 for Fly-by-Wire flight control systems
The ASTM F3232/F3232M-20 standard is the Standard Specification for Flight Controls in Small Aircraft. As this standard was prepared with the assumption of traditional (i.e. mechanical) primary flight controls, it can only be accepted as a means of compliance with VTOL.2300 for Fly-by-Wire (FbW) control systems with some explanations (see below), adaptations and additions (see Section 2).
The definitions provided in §3 of ASTM F3232/F3232M-20 are only applicable insofar as the concept exists for VTOL capable aircraft and has not been defined otherwise. For instance: “aircraft type code” is not a valid concept for VTOL and “Continued Safe Flight and Landing” has been specifically defined for VTOL capable aircraft in MOC VTOL.2000.
Similarly, any reference in ASTM F3232/F3232M-20 to standards or methods for the determination of Handling Qualities should be considered to be replaced by a reference to MOC VTOL.2135.
Lastly, while this standard addresses conventional architecture elements such as flaps and stall barrier systems, different considerations may apply for other architectures in VTOL capable aircraft.
The following table provides the status of the acceptability of the ASTM F3232/F3232M-20 standard as a means of compliance with VTOL.2300 for Fly-by-Wire (FbW) control systems. Later revisions of ASTM F3232/F3232M or alternative standards may also be proposed by the applicant and agreed with the Agency as acceptable means of compliance in a particular certification project.
| ASTM F3232/F3232M-20 | VTOL status/comments |
|---|---|
| §4.1.1, §4.1.2 | Accepted |
| §4.1.3, §4.1.3.1 | Accepted |
| §4.2 | This ASTM standard paragraph is an accepted means of compliance. Nevertheless, additional means of compliance are required for FbW, as proposed in this MOC. |
| §4.3 | Accepted |
| §4.4 | Accepted |
| §4.5 | Accepted |
| §4.6 | Accepted |
| §4.7 | This ASTM § was developed for traditional flight control systems. It is accepted with some additions; see Section 2 below. |
| §4.8 | Accepted |
| §4.9 | Typo in the ASTM standard: “flight” instead of “light”. Accepted |
| §4.10 | Accepted |
| §4.11 | Accepted |
| §4.12 | Accepted |
| §4.13 | Accepted |
| §5.1 | Accepted |
| §5.2 | Accepted with some additions to address FbW |
| §5.3 Artificial Stall Barrier System | Accepted |
2. Adaptations/additions to ASTM standard F3232/F3232M-20 linked to Fly-by-Wire implementation
(a) Operation tests
To be considered an accepted means of compliance with VTOL.2300(a)(1) and (2), paragraph §4.7 of ASTM standard F3232/F3232M-20 should be adapted and complemented as follows:
(1) Adaptation of ASTM F3232/F3232M-20 standard
4.7 Operation Tests:
4.7.1 It must be shown by operation tests that, when the controls are operated from the pilot compartment with the system loaded to the maximum actuation system forces (i.e. loads and torques), the system is free from jamming, excessive friction, excessive deflection, or any combination thereof.
NOTES:
(i) It is acceptable to reduce the load slightly to enable movement of the actuator throughout its range.
(ii) This requirement applies to primary and secondary flight controls that move surfaces and flight controls that move or redirect lift/thrust units. It does not apply to fixed propulsion units that vary RPM, blade angle, or thrust for flight control.
(2) Addition to ASTM F3232/F3232M-20 standard
One method, but not the only one, for demonstrating the Operational Tests is as follows:
Conduct the control system operational tests by operating the controls from the pilot's compartment with the entire system loaded so as to correspond to the limit control forces established by the regulations for the control system being tested. The following conditions should be met:
(i) Under limit load, check each control surface/effector for travel and detail parts for deflection. This may be accomplished as follows:
(A) Support the control surface/effector being tested while positioned at the neutral position.
(B) Load the surface using loads corresponding to the limit control forces established in the SC VTOL.
(C) Load the pilot's control until the control surface is just off the support.
(D) Determine the available travel which is the amount of movement of the surface/effector from neutral when the control is moved to the system stop. It is acceptable to reduce the load slightly to enable movement of the actuator throughout its range.
(E) The above procedure should be repeated in the opposite direction.
(F) The minimum control surface/effector travel from the neutral position in each direction being measured should be 10 percent of the control surface travel measured with no load on the surface.
Regardless of the amount of travel of the surface when under limit load, the aircraft should have adequate flight characteristics as specified in Subpart B. Any derivative aircraft of a previous type certificated aircraft need not exceed the control surface travel of the original aircraft; however, the flight characteristics should be flight tested to ensure compliance.
(ii) Under limit load, no signs of jamming or of any permanent set of any connection, bracket, attachment, etc. may be present.
(iii) Friction should be minimised so that the limit control forces and torques specified by the regulations may be met.
MOC 3 VTOL.2300 Validation of Electronic Flight Control Laws (FCL) in Fly-by-Wire flight control systems
Compliance of the electronic flight control laws should be considered satisfactory when an adequate substantiation of validation activities is shown and formalised in the compliance documents.
(a) Formalisation of compliance demonstration strategy
In order to demonstrate compliance with an adequate level of formalisation, the following should be performed and captured within compliance documents:
(1) Determination of flight control characteristics that require a detailed and specific validation strategy for VTOL.2135, VTOL.2145, VTOL.2300, VTOL.2500, VTOL.2510 compliance and Modified Handling Qualities Rating Method (MHQRM) demonstration;
(2) Substantiation of the proposed validation strategy (e.g. analyses, simulator tests, flight tests) covering the characteristics and features determined above.
(b) Validation activities
For the substantiation of the proposed validation strategy, the applicant should perform the following activities:
(1) Identify the objectives (intended function) of each function.
(3) Check compatibility of each function with other functions acting on the same control surface/actuator:
(i) Identify potential interface problems with other functions,
(ii) Define test conditions (e.g. rig-test, offline/piloted simulation, flight test, …),
(iii) Particular consideration should be given to actuator limitations and the resulting coupling of the remaining control authority between different control functions.
(4) Check compatibility of each function in all applicable modes with other functions at aircraft level:
(i) Identify potential interface problems with other functions on aircraft level,
(ii) Define test conditions (e.g. rig-test, offline/piloted simulation, flight test, …).
(5) Analyse failure conditions for each function:
(i) Identify failure conditions and classify the severity of failures in accordance with VTOL.2510,
(ii) Define test conditions for verification of failure conditions severities (e.g. rig-test, offline/piloted simulation, flight test, …).
(iii) Where functions are acting on the same control surface/actuators, particular consideration shall be given to coupling of failures in these functions (including control margin dependencies) as well as the overall redundancy management between these functions (including actuator limitations).
(6) Document all steps.
(c) Characteristics
For the validation activities identified by the paragraphs (b) 2 to 5 above, the following should be covered in particular:
(1) Definition of priorities between FCL functions acting on the same control surface / actuator (e.g. priorities, mixing-laws, …),
(2) Multi-objective optimisation (e.g. trajectory, energy consumption, passenger comfort), including trading one criterion (e.g. airspeed) vs others in extreme conditions,
(3) Transition between different FCL modes with and without failures (e.g. blending, fading-in/fading-out, smoothness of transition, …),
(4) Effects of erroneous input data (e.g. air data, aircraft configuration, …),
(5) Discontinuities and non-linearities,
(6) Control law interfaces,
(7) Voting mechanisms,
(8) Protections priorities (e.g. entry/exit logic conditions not symmetrical),
(9) Determination of critical scenario for multiple failures.
The validation strategy should include but should not be limited to operational scenarios. The determination that an adequate level of validation of the FCL design has been achieved should be based on engineering judgment.
(d) Documentation to be provided
The applicant should prepare a checklist with a defined set of test cases based on experience, and provide the FCL Validation methodology and strategy for verification by the Agency.
(e) Auditing
The Applicant should perform adequate auditing and the Agency may define a related Level of Involvement in such audits.
Compliance should be shown in conjunction with the following requirements: VTOL.2135, VTOL.2145, VTOL.2500 and VTOL.2510.
MOC VTOL.2300(a)(1) Function and operation of Fly-by-Wire flight control system
(a) Flight crew awareness of the modes of operation
(1) If the design of the flight control system has multiple modes of operation (e.g. hover, transition, cruise modes) and/or includes degraded modes following failures, a means should be provided to indicate to the crew any mode that significantly changes or degrades the handling or operational characteristics of the aircraft.
(2) The sub-modes of operation (both in nominal and degraded mode) and the transition between them should be smooth, and should be evaluated to determine whether or not they are intuitive. If these sub-modes or the transition between them are not intuitive, an indication to the flight crew may be required. This indication may be different from the classic “failure alerting”.
(3) In case of several flight control modes, limitations should be clearly annunciated and the definition of a Training Area of Special Emphasis (TASE) in the Flight Crew Data (FCD) may need to be established during the certification of the Operational Suitability Data (OSD).
Compliance should be shown in conjunction with other paragraphs (such as VTOL.2445), where failures could lead to flight control mode degradation.
(b) Flight envelope protection
If Flight Envelope Protection (FEP) features are implemented, then these should follow the following principles:
(1) Onset characteristics of each envelope protection feature should be smooth, appropriate to the phase of flight and type of manoeuvre; and not be in conflict with the ability of the pilot to satisfactorily change the aircraft flight path (e.g. speed, attitude) within the approved flight envelope.
(2) Limit values of protected flight parameters (and if applicable, associated warning thresholds) should be compatible with:
(i) the aircraft structural limits;
(ii) the required safe and controllable manoeuvring of the aircraft;
(iii) the margins to critical conditions;
(iv) dynamic manoeuvring, airframe and system tolerances (both from manufacturing and in-service), and non-steady atmospheric conditions - in any appropriate combination and phase of flight - should not result in a limited flight parameter beyond the nominal design limit value that would cause unsafe flight characteristics;
(v) the rotor rotational speed limits;
(vi) the blade stall limits;
(vii) the engine and transmission torque limits; and/or
(viii) any other operation limitations for the aircraft and lift/thrust system installation.
(3) The aircraft should be responsive to pilot commanded dynamic manoeuvring within a suitable range of the parameter limits that define the approved flight envelope.
(4) The FEP system and any failure condition not shown to be extremely improbable should be analysed per MOC VTOL.2135 MHQRM (including the effect on flight envelope probabilities) and VTOL.2510.
(5) When simultaneous envelope limiting is active this should not result in adverse coupling or adverse priority (e.g. if two or more envelope limitations could exist simultaneously, this consequence should not be a wrong priority).
Adherence to the above principles should be shown in conjunction with the demonstration of compliance with the following requirements: VTOL.2110, VTOL.2425(a), VTOL.2500, VTOL.2510(a)(b) and VTOL.2135 with MOC VTOL.2135.
(c) Flight control and critical displays:
The following apply at all attitudes and in all modes of operation:
(1) The flight control system should be designed to continue to operate and not hinder aircraft recovery from any attitude.
(2) Control systems for essential services should be designed so that when a movement to one position has been selected, a different position can be selected without having to wait for the completion of the initially selected movement, and the system should arrive at the finally selected position without further attention. The movements that follow and the time taken by the system to allow the required sequence of selection should not be such as to adversely affect the airworthiness of the aircraft.
(3) Compliance should be shown by evaluation of the closed loop flight control system. This evaluation is intended to ensure that there are no features or unique characteristics (including numerical singularities) which would restrict the pilot’s ability to recover from any attitude. The intent is not to limit the use of envelope protection features or other systems that augment the control characteristics of the aircraft.
(4) The following conditions that might occur due to pilot action, system failures or external events should be considered:
(i) Abnormal attitude (including the aircraft becoming inverted);
(ii) Excursion of any other flight parameter; and
(iii) Flight conditions that may result in higher than normal pitch, roll or yaw rates.
(5) For each of the conditions in (c)(4):
(i) The flight control system should continue to operate;
(ii) The design of the flight control laws, including any automatic protection function should not hinder aircraft recovery; and
(iii) Critical flight displays should continue to provide accurate indications and any other information that the pilot may require to execute recovery from the unusual attitude and/or arrest the higher than normal pitch, roll or yaw rates.
MOC VTOL.2300(a)(2) Protection against likely Hazards for Fly-by-Wire flight control systems
(a) Control Signal Integrity
Perturbations, as referred to in this MOC, are described as signals that result from any condition that is able to modify the command signal from its intended characteristics. They can be categorised into the following categories:
(1) Internal causes that could modify the command and control signals. These include but are not limited to:
(i) loss of data bits, frozen or erroneous values,
(ii) unwanted transients,
(iii) computer capacity saturation,
(iv) processing of signals by asynchronous microprocessors,
(v) adverse effects caused by transport lag,
(vi) poor resolution of digital signals,
(vii) sensor noise,
(viii) corrupted sensor signals,
(ix) aliasing effects,
(x) inappropriate sensor monitoring thresholds,
(xi) structural interactions (such as control actuator compliance or coupling of structural modes with control modes), that may adversely affect the system operation or structural stability and integrity.
(2) External causes that could modify the command and control signals. These include but are not limited to:
(i) Lightning,
(ii) EMI effects (e.g., electric engine interference, aircraft’s own electrical power and power switching transients, smaller signals if they can affect flight control, transients due to electrical failures),
(iii) High Intensity Radiated Fields (HIRF),
(iv) Single Event Effects (SEE).
(3) Spurious signals and/or false data, that are a consequence of perturbations in either of the two categories above, may result in malfunctions that produce unacceptable system responses equivalent to those of conventional systems such as limit cycle/oscillatory failures, runaway/hardover conditions, disconnection, lockups and false indication/warning that consequently present a flight hazard. It is imperative that the command signals remain continuous and free from internal and external perturbations and common cause failures. Therefore special design measures should be employed to maintain system integrity at a level of safety at least equivalent to that which is achieved with traditional hydro-mechanical designs. These special design measures can be monitored through the System Safety Analysis (SSA) process provided specific care is directed to development methods and on quantitative and qualitative demonstrations of compliance.
(4) An evaluation of the following should be conducted:
(i) The flight control system should continue to perform its intended function (even in a degraded mode).
(ii) Any system in the aerodynamic loop which has a malfunction should not produce an unsafe level of uncommanded motion and should automatically recover its ability to perform critical functions upon removal of the effects of that malfunction.
(iii) Malfunctions of systems in the aerodynamic loop should not adversely affect the ability to perform a safe flight and landing.
(iv) Any disruption to an individual unit or component as a consequence of a malfunction, and which requires annunciation and crew action, should be identified to and approved by the Agency to ensure that:
(A) the failure can be recognised by the crew, and
(B) the crew action can be expected to result in continued safe flight and landing in the Category Enhanced or in a controlled emergency landing in the Category Basic.
(v) An automatic change from a normal to a degraded mode that is caused by spurious signal(s) or malfunction(s) should meet the probability requirements associated with the functional hazard assessment (FHA) established per VTOL.2510(a), (e.g. a failure condition assessed as major should be remote).
(vi) Exposure to a spurious signal or malfunction should not result in a hazard with a probability greater than that allowed by the criteria of VTOL.2510(a) and associated MOC. The impact on handling qualities and structural loads should also be evaluated.
(vii) Interaction of flight control functions and actuator control loops
(viii) The flight control system should operate appropriately when considering other systems. The applicant should ensure the compatibility of automatic functions that may dynamically interact or affect flight control in both normal and anticipated abnormal operating conditions and ensure that such interactions (either by aircraft response or by data transfer) do not result in inappropriate flight control responses. This should include any potential for adverse coupling of the dynamics of one automated flight function with another (e.g., coupling between automated power and flight control functions).
(5) The complexity and criticality of the FbW flight control system (if utilised) necessitates additional laboratory testing beyond that required as part of individual equipment validation and software verification.
(6) It should be shown that either the FbW flight control system signals cannot be altered unintentionally (i.e. what is received by the effector/actuator is what was transmitted by the computer), or that altered signal characteristics meet the following criteria:
(i) Stable gain and phase margins are maintained for all flight control closed loop systems. Pilot control inputs (pilot in the loop) are excluded from this requirement.
(ii) Sufficient pitch, roll, yaw and lift/thrust control power is available to provide control for continued safe flight and landing in the Category Enhanced or for controlled emergency landing in the Category Basic, considering all the FbW flight control system signal malfunctions that are not extremely improbable.
(iii) The effect of spurious signals on the systems which are included in the aerodynamic loop should not result in unacceptable transients or degradation of the aircraft's performance. Specifically, signals that would cause a significant uncommanded motion of a control surface/effector actuator should be readily detected and deactivated or the surface motion should be arrested by other means in a satisfactory manner. Small amplitude residual system oscillations may be acceptable, if justified.
(iv) Establishment of a Validation and Verification process for the development of the flight control monitors, for example following SAE ARP 6539 Validation and Verification Process Steps for Monitors Development in Complex Flight Control and Related Systems.
(7) It should be demonstrated that the output from the control surface closed loop system does not result in any uncommanded, sustained oscillations of flight control surfaces/effectors. The effects of minor instabilities may be acceptable, provided that they are thoroughly investigated, documented, and understood. An example of an acceptable condition would be one where a computer input is perturbed by spurious signals, but the output signal remains within the design tolerances, and the system is able to continue in its selected mode of operation unaffected by that perturbation.
(8) In the context of showing and demonstrating these system characteristics an accepted Means of Compliance includes:
(i) Systematic laboratory validation which includes a realistic representation of all relevant interfacing systems, and associated software, including the control system components which are part of the lift/thrust system. Closed loop aircraft simulation/testing will be necessary in this laboratory validation.
(ii) Laboratory or aircraft testing to demonstrate unwanted coupling of electronic command signals (over the spectrum of operating frequencies) and their effects on the mechanical actuators and interfacing structure.
(iii) Analysis or inspection to substantiate that separation/segregation are utilised to minimize any potential hazards.
(9) A successful demonstration of signal integrity should include all elements which contribute to command and control signals to the "aerodynamic closed loop" that actuate the flight controls. The "aerodynamic closed loop" should be evaluated for the normal and degraded modes. Elements of the integrated "aerodynamic closed loop" may include, for example: digital or analogue flight control computers, power control units, control feedback, major data busses, and the sensor signals, including air data, acceleration, rate gyros, commands to the surface position, and respective power supply sources. Autopilot systems (including feedback functions) should be included in this demonstration if they are integrated with the FbW flight control system.
Compliance should be shown in conjunction with VTOL.2510 and SC EHPS (Electric and Hybrid Propulsion System).
A means should be provided to allow a check of full range of movement to their commanded position of all primary lift/thrust controls (i.e. pilot controls, control surfaces) prior to flight, or a means should be provided that will allow the pilot to determine that full control authority is available prior to flight.
Some checks of the engine power and power control (e.g. engine RPM at least at idle thrust) should also be provided.
Compliance should be shown in conjunction with the following requirements VTOL.2425(a), VTOL.2435(f) (g) and VTOL.2615.
(c) Precautions against maintenance error / incorrect assembly
Experience has shown that maintenance errors should be assumed to occur and should be considered in the system design in order to reduce their likelihood.
The flight control system should be designed to physically prevent incorrect assemblies having significant safety effects and/or critical repercussions (i.e. catastrophic, hazardous, or major). Distinctive and permanent marking should only be used if the prevention of incorrect assembly by design is impractical, and the Agency accepts the justification provided.
Significant safety effects may include an out-of-phase action, reversal in the sense of the control, faults introduced due to improper rigging, interconnection of the controls between two systems where this is not intended and loss of function.
(d) Flight Control Jams
The aircraft, pilot controls and its movable control system and/or surfaces should be designed to prevent a jam from occurring (refer to ASTM F3232/F3232M-20 standard §4.7 and 4.8) and should be tolerant to any jam, as far as practicable, and demonstrate continued safe flight and landing in the Category Enhanced or controlled emergency landing in the Category Basic. This may include the need for jam alleviation means.
The detachment of a part (e.g. control surface) should not be used as an alleviation means.
(1) Definition of Jam:
A jam is a failure or event such that a control (e.g. control surface), pilot control, or component is fixed in one position.
Causes of a jam may include corroded bearings, interference with a foreign or loose object, control system icing, seizure of an actuator, or a disconnection that results in a jam by creating an interference. Jams of this type should be assumed to occur and should be evaluated at positions up to and including the normally encountered positions defined in (2) below.
All other failures that result in a fixed control (e.g. a control surface), pilot control, or component are addressed via the safety analysis process in accordance with VTOL.2300 and VTOL.2510. Depending on system architecture and the location of the failure, some jam failures may not always result in a fixed control surface or pilot control.
(2) Determination of Control System Jam Positions.
The flight phases required to be addressed should cover all flight phases (e.g. vertical takeoff, transition, in-flight (climb, cruise, normal turns, descent, and approach), transition, and vertical landing). Additional phases specific to the aircraft, such as hover, should also be considered.
(3) Methodology:
When showing compliance with VTOL.2300(a)(2), the applicant should:
(i) provide a summary of the design features that are intended to prevent a jam from occurring, due to failure or physical interference (jam prevention means),
(ii) provide a summary of the means by which a jam could be alleviated (jam alleviation means),
(iii) For each axis and flight phase:
(A) determine the ‘normally encountered position’.
This ‘normally encountered position’ is the maximum position resulting from reasonably expected manoeuvres, gust/manoeuvre load alleviation function commands and wind & gust conditions.
As an example, assuming a jam to be approximately 1 × 10⁻⁶ to 1 × 10⁻⁷ per flight hour, a reasonable definition of normally encountered positions would represent the range of control surface deflections (from neutral to the largest deflection) expected to occur in 1000 random operational flights, without considering other failures, for each of the flight segments identified in the rule. This assumption should be supported by FMEA/SSA expected failure rates for jams.
NOTE 2: Similarly to NOTE 1 above, the 1000 random operation flights is based on the assumption of a jam to be approximately 1 × 10⁻⁶ to 1 × 10⁻⁷ per flight hour. This is actually dependent on the actuator technology, installation, aircraft manufacturer and supplier experience. The Applicant should therefore propose a conservative analysis to cover the risk that is foreseen.
(B) evaluate the jam at positions up to and including the normally encountered position, and demonstrate continued safe flight and landing in the Category Enhanced or controlled emergency landing in the Category Basic including structural strength capability.
NOTE 3: Only the aircraft rigid body modes need to be considered when evaluating the aircraft response to manoeuvres, wind/gust conditions and continued safe flight to landing.
(iv) identify the remaining possible jamming conditions, and demonstrate to the Agency that all precautions have been taken and that the probability of occurrence is consistent with the hazard classification. If it is needed, it should be discussed with and accepted by the Agency.
NOTE 4: Compliance should be shown in conjunction with MOC VTOL.2215 Flight Load Conditions for wind/gust conditions.
MOC VTOL.2300(a)(3) Control margin awareness
(a) A suitable annunciation or indication should be provided to the crew for any flight condition in which commands (e.g. control surfaces, engine RPMs) are approaching their limits (whether or not it is pilot commanded) and that returning to normal flight and/or continuation of safe flight requires a specific crew action.
(b) There should be a direct feedback of the control margin to the flight crew at any time in flight, in nominal and in a failure condition. This control margin is the remaining control available, related to the type of control laws (e.g. attitude command) and the means of control (e.g. torque provided by lift/thrust units). For systems that provide combined thrust and vector control, information should be provided to the crew about which amount of remaining control is available to allow them to take the required actions to fly the aircraft.
(c) In the case of different control margin priorities, they should be clearly indicated to the crew for the current condition (e.g. height hold vs airspeed hold vs bank angle).
(d) It should be taken into account that some pilot-demanded manoeuvres (e.g., rapid roll) are necessarily associated with intended full performance, which may saturate the control. Therefore, simple alerting systems should function in both intended and unexpected flight control-limiting situations and should be properly balanced between the necessary crew-awareness and nuisance alerting. Nuisance alerting should be minimised by proper setting of the warning threshold.
(e) Depending on the application, suitable annunciations may include cockpit flight control position, force, annunciator light, or control position indicators. The term “suitable” indicates an appropriate balance between nuisance and necessary operation. Furthermore, this MOC applies at the limits of flight control authority, not necessarily at the limits of any individual control travel.
Compliance should be shown in conjunction with VTOL.2445 (a), (b), (c), (f) and (g).
MOC 4 VTOL.2300 Common Mode Failures and Errors in Fly-by-Wire Flight Control Functions
To demonstrate compliance with VTOL.2300, in line with VTOL.2510, specific attention should be paid to common mode failures and errors in flight controls. The considerations on common modes in Section 9 (b) of MOC VTOL.2510 apply, supplemented by the following for fly-by-wire flight controls:
(a) Full reliance on Development Assurance and Quality Assurance as sole mitigation of a common mode failure or error leading to a total loss of flight controls function shall be avoided as far as practicable. Additional architectural mitigations that provide functional independence and/or item development independence should be provided.
(b) It is recognized that dissimilarity in the High-level specifications of Flight Control Laws in a Command/Monitoring (COM/MON) architecture may not be easy to implement. Monitoring of the Flight Control Laws may be a possible mitigation means against common mode errors in such a case.
MOC 5 VTOL.2300 Hidden Failures in Fly-by-Wire flight control systems
To demonstrate compliance with VTOL.2300, in line with VTOL.2510, and to reach an acceptable level of safety, specific attention should be paid to latent failures.
The objective is to obtain a design with a minimum number of significant latent failures. Each significant latent failure should be highlighted in the system safety assessment and subject to review by the Agency.
In addition to the general considerations in Section 12 of MOC VTOL.2510, the following applies for fly-by-wire flight control systems:
(a) Definitions:
(1) Latent = dormant = hidden for more than one flight.
(2) A failure is latent until it is made known to the flight crew or maintenance personnel.
(3) A significant latent failure is one which would, in combination with one or more specific failures or events, result in a Hazardous or Catastrophic Failure Condition.
(4) A significant failure condition is one which is classified Hazardous or Catastrophic and contains one or more significant latent failures.
(b) The following approach should be followed:
(1) Double failures, with either one latent, that can lead to a Catastrophic Failure Condition should be avoided as far as practicable in system design. Deviations should be presented and accepted by the Agency.
(2) Latent failures that contribute to Hazardous or Catastrophic effects at aircraft level should be avoided in system design.
(3) The use of periodic maintenance or flight crew checks to detect significant latent failures when they occur is undesirable and should not be used in lieu of practical and reliable failure monitoring and indications.
(4) It is recognised that, on occasion, it would be impracticable to meet (1) and (2). In such cases:
(i) The remaining latent failures should be recorded and justified in the PSSA/SSA and reviewed during the design review process for compliance,
(ii) Compliance should be based on both previous experience and sound engineering judgement and should assess:
(A) the failure rates and service history of each component,
(B) the inspection type and interval for any component whose failure would be latent, and
(C) any possible common cause of cascading failure modes.
(iii) The integrity of the evident part of the significant failure condition should meet a minimum standard:
(A) For Catastrophic failure combinations comprising only one evident failure, the probability per flight hour of the evident part should be:
a. <= 10^-5/Fh for Category Enhanced and Basic 7 to 9 passengers or
b. <= 10^-4/Fh for Category Basic below 7 passengers.
(B) For Hazardous failure combinations comprising only one evident failure, the probability per flight hour of the evident part should be:
a. <= 10^-4/Fh for Category Enhanced and Basic 7 to 9 passengers or
b. <= 10^-3/Fh for Category Basic below 7 passengers.
(iv) In addition, a Specific Risk calculation should be performed to demonstrate compliance with the presence of a latent failure. For each combination composed of one evident failure and latent failures and leading to a Catastrophic Failure Condition the probability of the latent part of the combination (e.g. “Sum of the products of the failure rates multiplied by the exposure time” of any latent failure) should be on average equal to or less than 1 x 10^-3 (= 1/1000).
(v) The periodic maintenance checks, which may result from the compliance to this Specific Risk criterion in (b)(4)(iv), should be considered as candidates for required maintenance tasks, in addition to the candidates for required maintenance tasks already selected for compliance to VTOL.2510.
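The screening in (b)(4)(iii) and (b)(4)(iv) can be worked through numerically. The following Python sketch is an added example, not part of the MOC: it checks the evident part of a combination against the per-flight-hour limits above, computes the latent part as the sum of failure rate times exposure time, and derives the longest exposure time that would keep the latent part within 1 x 10^-3. The category labels, function names and sample failure data are assumptions made for the example, and the exposure time of each latent failure is taken as an input supplied by the analyst.

```python
from dataclasses import dataclass

# Limits on the evident part, per flight hour, as listed in (b)(4)(iii).
# The dictionary keys are labels chosen for this example.
EVIDENT_LIMIT_PER_FH = {
    ("catastrophic", "enhanced_or_basic_7_to_9"): 1e-5,
    ("catastrophic", "basic_below_7"): 1e-4,
    ("hazardous", "enhanced_or_basic_7_to_9"): 1e-4,
    ("hazardous", "basic_below_7"): 1e-3,
}
# Limit on the latent part of a Catastrophic combination, from (b)(4)(iv).
LATENT_PART_LIMIT = 1e-3


@dataclass(frozen=True)
class LatentFailure:
    name: str
    rate_per_fh: float   # failure rate, per flight hour
    exposure_fh: float   # exposure time, in flight hours (analyst input)


def latent_part(latents):
    """Sum of failure rate x exposure time over the latent failures."""
    return sum(f.rate_per_fh * f.exposure_fh for f in latents)


def assess(severity, category, evident_rate_per_fh, latents):
    """Screen a combination of ONE evident failure plus latent failures."""
    limit = EVIDENT_LIMIT_PER_FH[(severity, category)]
    part = latent_part(latents)
    return {
        "evident_limit": limit,
        "evident_ok": evident_rate_per_fh <= limit,
        "latent_part": part,
        # (b)(4)(iv) is stated for Catastrophic combinations only.
        "latent_ok": part <= LATENT_PART_LIMIT if severity == "catastrophic" else None,
    }


def max_exposure_fh(name, latents):
    """Longest exposure time for one latent failure that keeps the latent
    part within the limit, with the other latent failures left unchanged."""
    target = next(f for f in latents if f.name == name)
    others = latent_part([f for f in latents if f.name != name])
    return max(0.0, (LATENT_PART_LIMIT - others) / target.rate_per_fh)


# Constructed sample data, not taken from any real safety assessment.
SAMPLE_LATENTS = [
    LatentFailure("monitor channel", rate_per_fh=2e-6, exposure_fh=400.0),
    LatentFailure("backup power relay", rate_per_fh=5e-7, exposure_fh=1000.0),
]

if __name__ == "__main__":
    result = assess("catastrophic", "enhanced_or_basic_7_to_9", 4e-6, SAMPLE_LATENTS)
    print(result)
    print(max_exposure_fh("monitor channel", SAMPLE_LATENTS))
```

With the constructed data the evident part passes but the latent part does not, and the exposure time returned for the monitor channel is the kind of value that would feed the candidate maintenance check in (b)(4)(v).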
VTOL.2305 Landing gear systems
(a) The landing gear must be designed to:
(1) provide stable support and control to the aircraft during surface operation; and
(2) account for likely system failures and likely operation environment (including anticipated limitation exceedances and emergency procedures).
(b) The aircraft must have a reliable means of stopping the aircraft with sufficient kinetic energy absorption to account for landing and take-off, in all approved conditions, and of holding the aircraft in position when parked.
(c) For aircraft that have a system that actuates the landing gear, there must be:
(1) a positive means to keep the landing gear in the landing position; and
(2) an alternative means available to bring the landing gear in the landing position when a non-deployed system position would be a hazard.
MOC VTOL.2305 Landing Gear Systems
1. Scope and Definitions
(a) This MOC applies to
(1) Wheeled landing gear, not to a skid, ski or float design.
(2) Tricycle landing gear arrangements of Nose and Main Landing Gears.
(3) Ground control of the vehicle, for the landing gear, pertains to steering by turning any of the vehicle wheels.
(b) The guidance assumes
(2) No significant longitudinal engine thrust on ground
(3) Steering system is restricted to low-speed taxi only
(4) Ground resonance addressed separately, at aircraft-level
2. Interference with Extension/Retraction
It should be shown that, in any practical circumstances, movement of the pilot’s ground control (including movement during retraction or extension or after retraction of the landing gear) cannot interfere with the correct retraction or extension of the landing gear, unless it can be shown that such interference cannot create a consequence worse than Major, as defined in VTOL.2510.
3. Towing
If it is intended to tow the vehicle via the landing gear (either via tow-bar or via direct attachment to the wheel(s)), the ground control system(s), towing attachment(s), and associated elements should be designed or protected by appropriate means such that during ground manoeuvring operations effected by means independent of the vehicle:
(a) Damage affecting the safe operation of the ground control system is precluded, or
(b) A flight crew alert is provided, before taxi commences, if damage may have occurred.
4. Wheels
(a) The wheel should be approved, to ETSO C26d or equivalent
(b) The maximum static load rating of each wheel should not be less than the corresponding static ground reaction with:
(1) Maximum weight; and
(2) Critical centre of gravity.
(c) The maximum limit load rating of each wheel should equal or exceed the maximum radial limit load determined under the applicable ground load requirements of this SC.
5. Tyres
(a) If the landing gear is fitted with a tyre, then it should be a tyre:
(1) That is a proper fit on the rim of the wheel; and
(2) Of a rating that is not exceeded under:
(i) The design maximum weight;
(ii) A load on each main wheel tyre equal to the static ground reaction corresponding to the critical centre of gravity; and
(iii) A load on nose wheel tyres to be compared with the dynamic rating established for those tyres equal to the reaction obtained at the nose wheel, assuming that the mass of the vehicle acts at the most critical centre of gravity and exerts a force of 1.0 g downward and 0.25 g forward, the reactions being distributed to the nose and main wheels according to the principles of statics with the drag reaction at the ground applied only at wheels with brakes. Dynamic elements may be omitted for vehicles which usually take off and land vertically, and for which a running landing is Extremely Improbable.
(b) Each tyre installed on a retractable landing gear system should, at the maximum size of the tyre type expected in service, have a clearance to surrounding structure and systems that is adequate to prevent contact between the tyre and any part of the structure or systems.
(c) ETSO C62 provides the appropriate tyre performance standards. This ETSO accepts the use of a 1.5 factor on the Tyre Rating for helicopters. This factor is also appropriate to be used in VTOL vehicles which take off and land vertically (i.e. equivalent to helicopters).
6. Brakes
(a) The brakes should also be adequate to counter any normal unbalanced torque when starting engines or rotors.
(b) A park brake should be included which will hold the vehicle stopped, on a 10 degree slope, on a dry and smooth runway, for whichever is most demanding of the following three cases. In each case a steady wind speed of at least 17 kt, or higher defined by the applicant, from the most adverse direction should be assumed in order:
(1) To allow sufficient time for emergency egress and to secure the vehicle in place via other means
(2) To counter any unbalanced torque when starting or stopping rotating lift/thrust units
(3) To react any element of longitudinal thrust from lift/thrust units, albeit that the take-off and landing will be vertical.
(c) The brakes should have adequate controllability and stopping capacity to bring the vehicle safely to a halt for any emergency running landing (including an immediate re-land). Such a running landing need not be considered if it arises from failure combinations determined to be Extremely Improbable, as defined in VTOL.2510. ETSO-C26c contains minimum performance standards for wheels and wheel-brake assemblies. The relevant rotorcraft section of this ETSO may be used when following this MOC.
(d) Any fatigue or endurance effect of applying the brake during high-speed taxi should be taken into consideration.
(e) Means should be provided for each brake assembly to indicate when the heat sink is worn to the permissible limit. The means should be reliable and readily visible.
(f) Compatibility of the wheel and brake assemblies with the vehicle and its systems should be substantiated.
7. Landing Gear Warning
If a retractable landing gear is used, an aural or equally effective landing gear warning device should be provided that functions continuously when the vehicle is in a normal landing mode and the landing gear is not fully extended and locked. A manual shut-off capability should be provided for the warning device and the warning system should automatically reset when the vehicle is no longer in the landing mode.
8. Landing Gear Position Indication
If a retractable landing gear is used, there should be a landing gear position indicator (as well as necessary switches to actuate the indicator) or other means to inform the pilot that each gear is secured in the extended (or retracted) position. If switches are used, they should be located and coupled to the landing gear mechanical system in a manner that prevents an erroneous indication of either “down and locked” if each gear is not in the fully extended position, or of “up and locked” if each landing gear is not in the fully retracted position.
9. Landing Gear Emergency Extension
If a retractable landing gear is used, emergency means should be provided for extending the gear in the event of:
(a) Any reasonably probable failure in the normal retraction system; or
(b) The failure of any single source of hydraulic, electric, or equivalent energy.
10. Operation Tests
The proper functioning of the extending/retracting mechanism must be shown by operation tests.
11. Landing Gear Lock
There should be a positive means (other than the use of the LG extension power source) to keep the landing gear extended in the landing position.
n/a
(a) If certification for intended operations on water is requested, the aircraft must:
(1) provide buoyancy of 80 % in excess of the buoyancy required to support the maximum weight of the aircraft in fresh water; and
(2) have sufficient margin so that the aircraft will stay afloat at rest in calm water without capsizing in case of a likely float or hull flooding.
(b) If certification for emergency flotation is requested, the aircraft must:
(1) not rely on any manual action to deploy any installed emergency flotation system;
(2) have watertight compartments, integrated buoyancy or flotation units of the emergency flotation system and their attachments to the aircraft, capable of withstanding the applicable water loads; and
(3) be shown to maintain its intended floating attitude in the sea conditions selected by the applicant; and
(4) be shown not to sink for 15 minutes.
(c) If certification for ditching is requested, the aircraft must:
(1) not rely on any manual action to deploy any installed emergency flotation system;
(2) withstand the applicable water loads;
(3) be shown to have a safe water entry and to maintain its intended floating attitude in the sea conditions selected by the applicant;
(4) be shown not to sink for 15 minutes; and
(5) for Category Enhanced incorporate appropriate post-capsize survivability features.
(d) If certification for limited overwater operations is requested, the aircraft must:
(1) not rely on any manual action to deploy any installed emergency flotation system;
(2) have watertight compartments, integrated buoyancy or flotation units of the emergency flotation system, and their attachments to the aircraft, capable of withstanding the applicable water loads; and
(3) be shown not to sink for 15 minutes.
(e) If certification for operations on floating surfaces is requested, the aircraft must be shown to be able to be safely operated within the surface motion limits selected by the applicant, in addition to meeting the criteria referred to in points (b), (c) or (d).
MOC VTOL.2310(b) Emergency Flotation
(a) If certification for emergency flotation is requested by the applicant, the aircraft should meet the following design criteria:
(1) For aircraft fitted with an emergency flotation system (floats):
(i) The flotation units of the emergency flotation system and their attachments to the aircraft should comply with the structural provisions for ditching, emergency flotation and overwater operations of MOC VTOL.2270(c)
(ii) The aircraft should be shown to resist capsize, in the intended floating attitude, in the sea conditions selected by the applicant. The probability of capsizing in a 5-minute exposure to the sea conditions should be demonstrated to be less than or equal to 10.0 % with a fully serviceable emergency flotation system, with 95 % confidence. No demonstration of capsize resistance is required for the case of the critical float compartment having failed. Allowances should be made for probable structural damage and leakage.
(iii) For Category Enhanced, it should be shown that the aircraft will not sink following the functional loss of any single complete flotation unit for 15 minutes(1).
(iv) For Category Basic, it should be shown that the aircraft will not sink for 15 minutes(1) with a fully functional emergency flotation system.
(v) An emergency flotation system that is stowed in a deflated condition during normal flight should have a means of automatic deployment following water entry. Automatic deployment should not rely on any manual action during flight.
(2) For aircraft with watertight compartments, hull buoyancy and/or integrated buoyancy:
(i) The buoyancy components of the aircraft and their attachments to the aircraft should comply with the structural provisions for ditching, emergency flotation and overwater operations of MOC VTOL.2270(c).
(ii) The aircraft should be shown to resist capsize, in the intended floating attitude, in the sea conditions selected by the applicant. The probability of capsizing in a 5-minute exposure to the sea conditions should be demonstrated to be less than or equal to 10.0 % with fully functional buoyancy components, with 95 % confidence. No demonstration of capsize resistance is required for the case of the functional loss of the critical buoyancy component. Allowances should be made for probable structural damage and leakage.
(iii) For Category Enhanced, it should be shown that the aircraft will not sink following the functional loss of any single buoyancy component for 15 minutes(1).
(iv) For Category Basic, it should be shown that the aircraft will not sink for 15 minutes(1) with fully functional buoyancy components.
Note (1): 15 minutes is consistent with MOC VTOL.2430(a)(6) “Energy retention capability in an emergency landing”.
(b) CS 27 Amdt. 5 (or later): AMC 27.802 and ‘AMC to CS 27.801(e) and CS 27.802(c)’ provide additional guidance.
(c) If certification with emergency flotation provisions is requested by the applicant, the flight manual should contain the substantiated sea conditions and any associated information relating to the certification obtained with emergency flotation provisions.
(d) The following MOCs are also applicable:
(1) MOC VTOL.2315(a) Means of egress and emergency exits
(2) MOC VTOL.2430(a)(6) Energy retention capability in an emergency landing
(3) MOC VTOL.2535 Safety Equipment
(4) MOC VTOL.2605(c) Information related to safety equipment
(5) MOC VTOL.2610 Instrument markings, control markings and placard
n/a
(a) If certification with ditching provisions is requested by the applicant, the aircraft should meet the following design criteria:
(1) The design criteria defined for MOC VTOL.2310(b) Emergency Flotation
(2) The aircraft should comply with the structural provisions for ditching, emergency flotation and overwater operations of MOC VTOL.2270
(3) Each practicable design measure, compatible with the general characteristics of the aircraft, should be taken to minimise the probability that when ditching, the behaviour of the aircraft would cause immediate injury to the occupants or would make it impossible for them to escape.
(4) The probable behaviour of the aircraft during ditching water entry should be shown to exhibit no unsafe characteristics.
(5) For aircraft fitted with an emergency flotation system:
(i) The aircraft should be shown to resist capsize(1), in the intended floating attitude, in the sea conditions selected by the applicant. The probability of capsizing in a 5-minute exposure to the sea conditions should be substantiated to be less than or equal to 3.0 % with a fully serviceable emergency flotation system and 30.0 % with the critical float compartment failed, with 95 % confidence.
(ii) Allowances should be made for probable structural damage and leakage.
(iii) An emergency flotation system that is stowed in a deflated condition during normal flight should be designed such that the effects of a water impact (i.e. crash) on the emergency flotation system are minimized.
(6) For aircraft with watertight compartments, hull buoyancy and/or integrated buoyancy:
(i) The aircraft should be shown to resist capsize(1), in the intended floating attitude, in the sea conditions selected by the applicant. The probability of capsizing in a 5-minute exposure to the sea conditions should be substantiated to be less than or equal to 3.0 % with fully functional buoyancy components, and 30.0 % with the functional loss of the critical buoyancy component, with 95 % confidence.
(ii) Allowances should be made for probable structural damage and leakage.
(iii) The buoyancy components should be designed such that the effects of a water impact (i.e. crash) on the buoyancy components are minimised.
(7) Unless the effects of the collapse of external doors and windows are accounted for in the investigation of the probable behaviour of the aircraft during ditching and for the capsize resistance demonstration, the external doors and windows should be designed to withstand the probable maximum local pressures.
(8) Additionally, for Category Enhanced: The aircraft design should incorporate appropriate post-capsize(1) survivability features to enable all passenger cabin occupants to safely egress the aircraft, taking into account the human breath hold capability.
(i) One method of meeting this post-capsize survivability provision is to create stable floating attitudes which will create an air pocket in the passenger cabin. Passengers can utilise the air in the pocket for continued survival during the time needed for all to make their escape.
(ii) The size and shape of the air pocket should be sufficient to accommodate all passengers. A minimum volume per passenger, in the form of an elliptical column of 70 cm x 50 cm (27 in. x 19 in.) and height of 30 cm (11 in.) relative to the static waterline should be established and demonstrated as fitting into the air pocket, including with the critical float compartment or buoyancy component failed.
(iii) The air pocket should be accessible and immediately available without passengers needing to cross seat backs.
(iv) Emergency breathing systems (EBSs) that are capable of being quickly deployed underwater do exist. This type of personal protective equipment (PPE) may provide a limited level of mitigation for the issues related to human breath hold capability, but it should not be considered alone as being sufficient to meet the post-capsize survivability provisions.
Note (1): Capsize means full or partial capsize, i.e. inability to maintain the intended floating attitude.
(b) CS 27 Amdt. 5 (or later): AMC 27.801 and AMC to CS 27.801(e) and CS 27.802(c) provide additional guidance.
(c) If certification with ditching provisions is requested by the applicant, the flight manual should contain the substantiated sea conditions and any associated information relating to the certification obtained with ditching provisions.
(d) The following MOCs are also applicable:
(1) MOC VTOL.2315(a) Means of egress and emergency exits
(2) MOC VTOL.2430(a)(6) Energy retention capability in an emergency landing
(3) MOC VTOL.2535 Safety Equipment
(4) MOC VTOL.2605(c) Information related to safety equipment
(5) MOC VTOL.2610 Instrument markings, control markings and placard
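The capsize criteria above (10.0 % for emergency flotation, 3.0 % and 30.0 % for ditching, each "with 95 % confidence") imply a minimum amount of test evidence. The following Python sketch is an added example, not part of the MOC or of the referenced AMC material: it assumes each 5-minute exposure is an independent pass/fail trial and uses a one-sided exact binomial (Clopper-Pearson) upper bound, which is one possible statistical treatment and is an assumption of this example. The function names and dictionary keys are also assumptions.

```python
import math

CONFIDENCE = 0.95

# Capsize probability limits for a 5-minute exposure, as quoted in the text.
# The dictionary keys are labels chosen for this example.
CAPSIZE_LIMITS = {
    ("emergency_flotation", "intact"): 0.10,
    ("ditching", "intact"): 0.03,
    ("ditching", "critical_failed"): 0.30,
}


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1.0 - p) ** (n - i) for i in range(k + 1))


def upper_bound(capsizes, runs, confidence=CONFIDENCE):
    """One-sided exact upper confidence bound on the capsize probability."""
    if runs <= 0 or capsizes < 0 or capsizes > runs:
        raise ValueError("need 0 <= capsizes <= runs and runs > 0")
    if capsizes == runs:
        return 1.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection: the CDF falls as p rises
        mid = (lo + hi) / 2.0
        if binom_cdf(capsizes, runs, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def meets_limit(limit, capsizes, runs, confidence=CONFIDENCE):
    """True if the upper bound is at or below the limit (checked directly
    on the CDF, so the result does not depend on bisection tolerance)."""
    return capsizes < runs and binom_cdf(capsizes, runs, limit) <= 1.0 - confidence


def demonstrates(case, condition, capsizes, runs):
    return meets_limit(CAPSIZE_LIMITS[(case, condition)], capsizes, runs)


def min_runs(limit, capsizes=0, confidence=CONFIDENCE):
    """Fewest 5-minute exposures needed if `capsizes` of them end in capsize."""
    runs = capsizes + 1
    while not meets_limit(limit, capsizes, runs, confidence):
        runs += 1
    return runs


if __name__ == "__main__":
    for key, limit in CAPSIZE_LIMITS.items():
        print(key, "limit", limit, "min runs with no capsize:", min_runs(limit))
    print("bound for 1 capsize in 46 runs:", round(upper_bound(1, 46), 4))
```

Under these assumptions, the 3.0 % ditching limit needs 99 capsize-free exposures, against 29 for the 10.0 % emergency flotation limit and 9 for the 30.0 % failed-compartment case.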