VTOL.2400 Lift/thrust system installation
n/a
(a) For the purpose of this Subpart, the aircraft lift/thrust system installation must include each component that is necessary for lift/thrust, affects lift/thrust safety, or provides auxiliary power to the aircraft.
(b) Each aircraft engine, propeller and auxiliary power unit (APU) must be type certified, or meet accepted specifications.
(c) The applicant must construct and arrange each lift/thrust system installation to account for:
(1) all likely operating conditions, including foreign object threats;
(2) sufficient clearance of moving parts to other aircraft parts and their surroundings;
(3) likely hazards in operation, including hazards to ground personnel; and
(4) vibration and fatigue.
(d) Hazardous accumulations of fluids, vapours or gases must be isolated from the aircraft and personnel compartments and must be safely contained or discharged.
(e) Installations of lift/thrust system components that deviate from the component limitations or installation instructions must be shown to be safe.
(f) For the purposes of this Subpart, ‘energy’ means any type of energy for the lift/thrust unit, including, for example, fuels or any kind of electric current.
MOC VTOL.2400(b) Accepted Specifications for Electric/Hybrid Lift/Thrust Units
n/a
EASA Special Condition E-19 on Electric/Hybrid Propulsion System is an accepted specification to be met by electric/hybrid lift/thrust units that are installed in VTOL capable aircraft.
MOC VTOL.2400(c)(3) Lift/thrust system installation – likely hazards in operation
n/a
The likely hazards in operation, including hazards to ground personnel, that the applicant should account for, include:
(a) Risk of inadvertent electric engine start (if applicable):
The aircraft controls should prevent inadvertent sudden motor operation when not commanded by the pilot, in particular during the aircraft supply power-on.
(b) Rotor/propeller disk conspicuity during landing, take-off and ground operations (if applicable):
CS 27.1565 Amdt. 6 is accepted as a means of compliance for rotors, propellers and other rotating parts that could hit and injure ground personnel. Considerations for night conditions should also be included if night operations are authorised.
(c) Downwash effect on third parties:
The downwash of the aircraft should be characterised and reported to allow safe operation and minimisation of hazards to ground personnel.
The following method can be followed to test and report aircraft downwash:
(1) Preliminary assessment:
The applicant should assess whether the test as described in this section can be conducted safely for his aircraft.
(2) Test:
While the aircraft is in a low hover, the radial component of the downwash (outwash) is measured around the aircraft on a circle of diameter 2 D.
(3) Reporting:
The maximum measured speed is reported in km/h to the nearest multiple of 5, as well as the measurement standard (here “§(c) in MOC VTOL.2400(c)(3)”), in the performance section of the aircraft flight manual.
If the downwash temperature on the 2 D-diameter circle is more than 10°C above ambient temperature, this should also be characterised and reported.
Note: ‘D’ is reported as part of MOC VTOL.2115.
(4) Test specification:
|
Parameter |
Description |
Value |
Tolerance |
|
Conditions |
density altitude |
≤ 2000 ft |
- |
|
|
ambient wind, throughout each test run, measured 2 m above the ground within 200 m of the circle centre. Location should be representative of the test condition. |
≤ 3 kt |
- |
|
|
no precipitations |
- |
- |
|
Surface |
Smooth pavement, e.g. concrete or asphalt, surrounded by clear area, e.g. grass (Figure 1) |
||
|
|
diameter pavement |
≥ 3 D |
- |
|
|
diameter clear area |
≥ 6 D |
|
|
|
naturally occurring height discontinuity on pavement (excluding measuring equipment and operator, e.g. joint between concrete slabs) |
≤ 2 cm |
- |
|
|
naturally occurring height discontinuity on clear area (e.g. grass) |
≤ 20 cm |
- |
|
|
pavement level (locally and overall) |
0° |
± 2° |
|
|
clear area level (locally and overall) |
0° |
± 5° |
|
Aircraft position |
Hovering in a normal take-off and landing configuration, holding height or a power datum. Up to 8 poles can be used to assist in visually positioning the aircraft. |
||
|
|
height (from the bottom of the landing gear) |
1 m |
(2) |
|
|
heading |
- |
(2) |
|
|
lateral and longitudinal position |
- |
(2) |
|
|
mass |
MTOM |
-0.1% |
|
|
diameter of poles |
≤ 3 cm |
- |
|
Measurement positions |
Measuring at discrete locations on the 2 D circle(1) - option 1: While the aircraft is maintained on a fixed heading, successive measurements are taken around the 2 D circle (Figure 2) - option 2: The aircraft is yawed facing successive aiming points while measurements are taken at 4 fixed cardinal positions on the 2 D circle to compensate for residual ambient wind (Figure 3). The measurement intervals at the 4 positions should be synchronised (within ± 1 sec). |
||
|
|
distance between successive measurement positions (option 1) or aiming points (option 2) |
≤ 2 m |
- |
|
|
heights |
0.5 m and |
± 5 cm |
|
|
lateral and longitudinal position |
- |
± 10 cm |
|
|
measure in the radial direction |
- |
± 5° |
|
|
measure the horizontal wind component |
- |
± 5° |
|
|
measure the maximum over time (for each measurement) |
≥ 10 s |
- |
|
Measuring support |
An operator and up to 4 poles, or a tripod, can be used to assist in positioning the measuring equipment. The operator and poles should not be located directly in front or behind the measuring equipment. |
||
|
|
diameter of poles or tripod legs |
≤ 3 cm |
- |
|
|
position of operator laterally of measuring equipment |
≥ 2 m |
- |
|
Measuring equipment |
For example vane anemometer |
||
|
|
accuracy wind speed |
≤ ± 4.5 km/h |
- |
|
|
accuracy temperature (if applicable) |
≤ ± 3°C |
- |
|
|
resolution wind speed |
≤ 1 km/h |
- |
|
|
wind speed reporting interval |
≤ 3 sec (3) |
- |
(1) The 2 D circle should be centred on the centre of the smallest enclosing circle (refer to MOC VTOL.2115 Section 8).
(2) The accuracy of the hover should meet the accuracy expected in operations. Height, heading and lateral/longitudinal position accuracy values could be the “desired” values used to evaluate the handling qualities in hover as per Eurocae ED-295 standard.
(3) or “maximum” reporting function
Figure 1: Test surfaces
Figure 2: Option 1 – Measurement positions
Figure 3: Option 2 – Measurement positions and aiming points
Figure 4: Measurement heights
(d) Hazard areas:
Areas around the aircraft where a hazard to persons or equipment may exist, for example due to moving surfaces, engine exhaust or battery venting in case of fire, should be identified and depicted in the AFM (see example Figure 5). Corresponding hazard markings should be present on the aircraft.
Figure 5: Example of battery fire flame venting hazard area depiction
(e) High Voltage:
Eurocae ED-290 “Guidance on High Voltage definition and Consideration for Personal Safety” is accepted as a means to determine the likely hazards related to High Voltage to be accounted for in VTOL.2400 (c)(3)
VTOL.2415 Lift/thrust system installation ice protection
n/a
(a) The aircraft and lift/thrust system installation design must prevent any accumulation or shedding of ice or snow that would adversely affect lift/thrust system operation.
(b) Reserved.
VTOL.2425 Lift/thrust system operational characteristics
n/a
(a) The installed lift/thrust system must operate without any hazardous characteristics during normal and emergency operation within the range of operation limitations for the aircraft and lift/thrust system installation.
(b) If the safety benefits outweighs the hazard, the design must allow the shutdown and restart of a lift/thrust unit in flight within an established envelope.
MOC VTOL.2425(b) Shutdown and Restart of a Lift/Thrust Unit in Flight
n/a
A lift/thrust unit may be shut down during VTOL operation in some particular failure cases (overspeed condition, erratic operation…) or in the event of energy starvation. In the event of failure, this shutdown can be automatically triggered by the control system or manually triggered by the flight crew as a result of the application of an emergency operating procedure. The shutdown can affect several whole lift/thrust units or only one of its sub-systems, e.g. one electric engine.
(a) In any case, there should be means to isolate the lift/thrust system as requested per VTOL.2440.
(b) Special care should be taken of distributed propulsion systems incorporating a large number of lift/thrust units. Human error, such as the shutdown of the wrong lift/thrust unit by the pilot, should be avoided by adequate design solutions and an appropriate human factors evaluation.
(c) The phrase “if the safety benefit outweighs the hazard” employed in VTOL.2425(b) is related to the capability to restart (or relight in the case of an internal combustion engine) a lift/thrust unit.
It is often worthwhile that the aircraft system allows the restart or the relight (in case an internal-combustion engine is part of the lift/thrust system) of the lift/thrust unit that has been shut down.
However, this restart/relight capability should not be systematically the safest option to offer to the flight crew as it could also create hazards to the aircraft. The applicant should therefore establish an associated failure scenario to determine if it is in the interest of safety to perform a restart and relight.
(d) In performing the assessment in (c), the applicant should take into account the following elements:
(1) The aircraft performances and handling qualities:
Is a continued safe flight and landing possible without restarting/relighting the lift/thrust unit that has been shut down? If not, there should be means to restart/relight the shutdown lift/thrust unit (automatically or by the flight crew).
(2) The associated hazards:
Does the restart/relight of the shutdown lift/thrust unit allow a continued safe flight and landing? The following two examples are provided for clarification:
(i) One electric engine is shut down on a VTOL equipped with several electric engines. On the one hand, the aircraft flight control system detects the engine shutdown and adjusts the flight control laws in order to perform a continued safe flight and landing. On the other hand, a restart of the shutdown electric engine is performed automatically, which may lead to aircraft transient attitude changes due to the flight control system adjustments. This may surprise the flight crew which could be detrimental in situations such as the final approach. In such situations, if automatic engine restart/relight capabilities are provided to the VTOL, the system capability should enable the crew to make a final decision whether to activate this function or not.
(ii) An electric engine is shut down due to friction caused by a bearing damage. Vibrations are detected and the engine is shutdown. The restart of such engine may lead to sparks (with the associated fire risk), high vibration levels or other phenomena that could impair the safety of the aircraft. Such severe bearing damage should be detectable so as to prevent from restart/relight.
(3) Human factors
VTOL concepts are often designed around a significant number of lift/thrust units. The applicant should assess if manual operating procedures to restart or relight a shutdown lift/thrust unit are compatible with the workload of the flight crew or if the procedures should be automated, and what are the possibilities of erroneous manipulation of the lift/thrust unit controls during a restart/relight performed by the flight crew, as well as possible ways of mitigating them by design.
Note: Standard systems safety assessment and flight crew error assessment contain specific methodologies to identify and mitigate hazards presented by restarting a lift/thrust unit in flight.
VTOL.2430 Lift/thrust system installation, energy storage and distribution systems
n/a
(a) Each system must:
(1) be designed to provide independence between multiple energy storage and supply systems so that a failure, including fire, of any one component in one system will not result in the loss of energy storage or supply of another system.
(2) be designed to prevent catastrophic events due to lightning strikes taking into account direct and indirect effects for aircraft unless it is shown that exposure to lightning is unlikely.
(3) provide energy to the lift/thrust system installation with adequate margins to ensure safe functioning under all permitted and likely operating conditions, and accounting for likely component failures.
(4) provide the relevant information established in VTOL.2445 to the flight crew and provide uninterrupted supply of that energy when the system is correctly operated, accounting for likely energy fluctuations.
(5) provide a means to safely remove or isolate the energy stored within the system.
(6) be designed to retain the energy under all likely operating conditions and minimise hazards to the occupants and people on the ground during any survivable emergency landing. For Category Enhanced, failure due to overload of the landing system must be taken into account.
(7) prevent hazardous contamination of the energy supplied to each lift/thrust unit installation.
(b) Each storage system must:
(1) withstand the loads under likely operating conditions without failure, accounting for installation;
(2) be isolated from personnel compartments and protected from likely hazards;
(3) be designed to prevent significant loss of stored energy due to energy transfer or venting under likely operating conditions;
(4) provide energy for a sufficient reserve based on a standard flight; and
(5) be capable of jettisoning energy safely if this functionality is provided.
(c) Each energy-storage-refilling or -recharging system must be designed to:
(1) prevent improper refilling or recharging;
(2) prevent contamination of the stored energy during likely operating conditions; and
(3) prevent the occurrence of any hazard to the aircraft or to persons during refilling or recharging.
(d) Likely errors during ground handling of the aircraft must not lead to a hazardous loss of stored energy.
MOC VTOL.2430(a)(2) Protection of the fuel system against lightning
n/a
For the protection of a conventional fuel system against lightning:
(a) CS 27.954 Amdt. 6 is accepted as means of compliance
(b) As an alternative to CS 27.954, the paragraph 17.2 of ASTM F3061/F3061M-19 “Standard Specification for Systems and Equipment in Small Aircraft” is also accepted as a means of compliance.
MOC VTOL.2430(a)(3) and (a)(4) Accessible energy in electrical energy storage systems
n/a
(a) Eurocae ED-289 “Guidance on the determination of accessible energy in battery systems for eVTOL applications” is accepted as a means to determine the adequate margins of an electrical energy storage system required by VTOL.2430(a)(3).
(b) Eurocae ED-289 “Guidance on the determination of accessible energy in battery systems for eVTOL applications” is accepted as a means to define the reliability of the relevant information of an electrical energy storage system to be provided to the flight crew as required by VTOL.2430(a)(4) and established in VTOL.2445(g).
MOC VTOL.2430(a)(6) Energy retention capability in an emergency landing
n/a
1. General
MOC VTOL.2325(a)(4) provides an accepted means of compliance with VTOL.2430(a)(6) regarding the energy retention capability of the energy storage and distribution system during a survivable emergency landing on land.
2. Specific considerations for VTOL capable aircraft with an electrical energy storage and distribution system
In addition to Section 1 of this MOC, the following applies for VTOL capable aircraft with an electrical energy storage and/or distribution system:
(a) For VTOL capable aircraft that are certified as per VTOL.2310 for intended operations on water, for emergency flotation or for ditching, MOC VTOL.2325(a)(4) with the following changes constitutes an accepted means of compliance with VTOL.2430(a)(6) regarding the energy retention capability of the energy storage and distribution system during a survivable emergency landing on water:
(1) In Section 3(b) of MOC VTOL.2325(a)(4): the drop impact surface should be water. Conservatively a non-deforming surface may be used.
(2) In Section 5 (d)(1) of MOC VTOL.2325(a)(4): persons on ground include all persons in contact with the VTOL, including persons in the water. The electrical energy storage and distribution system should retain the stored electrical energy for at least 15 minutes.
(b) For VTOL capable aircraft certified for continued operations over water without meeting the flotation categories under VTOL.2310, MOC VTOL.2325(a)(4) with the following change constitutes an accepted means of compliance with VTOL.2430(a)(6) regarding the energy retention capability of the energy storage and distribution system during a survivable emergency landing on water:
(1) In Section 3(a) of MOC VTOL.2325(a)(4): the drop height may be reduced to 6 m
VTOL.2435 Lift/thrust installation support systems
n/a
(a) Reserved.
(b) Reserved.
(c) Reserved.
(d) Reserved.
(e) Reserved.
(f) Likely foreign object damage that would be hazardous to the lift/thrust unit must be prevented.
(g) The flight crew must be aware of the lift/thrust configuration.
(h) Reserved.
MOC VTOL.2435(f) Prevention of likely foreign object damage to the lift/thrust unit
n/a
(a) The demonstration of compliance with VTOL.2435(f) should consider any foreign object of a nature such that it could impair the proper functioning of the lift/thrust system, both in flight and on the ground.
(b) It should be substantiated that the strike and ingestion effects of foreign objects such as plastic bags, papers, cleaning cloths, hand tools, rivets, bolts and screws are not hazardous to the aircraft. This can be achieved by demonstrating that such threat cannot affect more than a critical number of lift/thrust units and ensuing
— continued safe flight and landing for Category Enhanced
— controlled emergency landing for Category Basic
(c) Design precautions should be taken to avoid the clogging of cooling holes by foreign objects.
MOC VTOL.2435(g) Flight crew awareness of the lift/thrust unit configuration
n/a
This MOC is applicable in case that several configurations of the lift/thrust system are part of the VTOL type design definition.
It is a common practice in the rotorcraft industry that turbines are equipped with different kinds of air intakes depending on the mission. In accordance with VTOL 2435 (g) the flight crew must be aware of the associated configuration in order to apply the proper procedures and to adequately calculate the performances.
(a) The term “configuration” of the lift/thrust system mentioned in VTOL.2435 (g) refers only to “physical” configuration. It does not consider the different aerodynamic conditions that a lift/thrust system may be subject to within the certified envelope. For example, a lift/thrust unit mounted on a tilting element is considered as a single configuration even though the aerodynamic conditions in which the lift/thrust unit operate depend on the tilting angle.
(b) The intent of VTOL.2435(g) is therefore to provide the flight crew through the relevant VTOL capable aircraft systems, with the necessary information concerning any lift/thrust configuration that has an impact on:
(1) the lift/thrust performances
(2) the lift/thrust operating procedures
The applicant should assess the impact of any lift/thrust configuration change with regards to these criteria.
(1) The flight crew should have a clear and easily interpretable means to know which configuration of the lift/thrust system is mounted
(2) Operating procedures impacted by the configuration should be provided in the flight manual
(3) The impact of the different configurations on the VTOL capable aircraft performances should be established by a combination of analysis, bench tests and flight tests. Following their determination, they should be published in the flight manual
VTOL.2440 Lift/thrust system installation fire protection
n/a
There must be means to isolate and mitigate hazards in the event of a lift/thrust system fire or overheat in operation.
MOC VTOL.2440 Propulsion Batteries Thermal Runaway for VTOL category enhanced
n/a
Compliance with VTOL.2440, but also with VTOL.2330, VTOL.2400(d), VTOL.2425(a), VTOL.2430 (a)(1)(5), (b)(2), (c)(3), (d), VTOL.2510, and VTOL.2525 requires demonstrating that the hazards from a fire in the propulsion battery system will be appropriately prevented and mitigated.
The latest rechargeable lithium battery systems minimum operational performance standard RTCA DO-311A is a useful baseline for developing and testing propulsion battery systems. However, its “Thermal runaway containment test”, in section 2.4.5.5, was developed for lithium batteries that provide power to other aircraft systems or equipment. Therefore, the standard did not necessarily consider the particularities of battery systems intended to be used for electric and hybrid aircraft propulsion.
That containment test, when applied to propulsion battery systems, may lead to decrease their energy/weight ratio unduly and substantially, because of placing the focus on the containment of an unprecedented thermal runaway event instead of considering the implementation of different protection layers and the containment of a realistic worst-case thermal runaway event. While this test could be accepted as means of compliance, provided that other requisites are also met, it should not alleviate the implementation of appropriate protective layers/measures.
In this Means of Compliance, the Agency proposes an alternative test method for propulsion lithium batteries, to promote best industry practices, robust designs, and protection layers strategies for the entire propulsion battery system. Moreover, this alternative intends to foster innovation and development of new solutions for these battery system protection layers, instead of relying only on containment mitigations.
The main reasons for this alternative method to RTCA DO-311A section 2.4.5.5. “Thermal Runaway Containment Test” are:
(a) The amount of additional external energy put into the battery system for this test is far in excess of energies used in service, which are limited by fail-safe protection layers and proper design, manufacturing, installation, operation, and maintenance.
(1) Depending upon the chemistry, rechargeable lithium batteries can accept overcharging levels that lead to double the normal energy before reaching a point of chemical and thermal instability.
(2) Heating the whole battery could compromise the validity of the test results due to mechanical and thermal effects created by pre-heating the whole battery structure, materials, and components to high temperatures.
(b) In some cases, overcharging (if feasible) or overheating the whole battery can drive a near-simultaneous failure of all cells in the battery, which would not represent a realistic in-service field failure, but an extreme condition not encountered in service, even in batteries where reliable and tested protection layers were not implemented.
(c) However, in other cases, this test may lead to undertest the propulsion battery containment, since:
(1) Only one test article is tested.
(2) There is no characterisation of thermal runaway behaviour at cell level for different parameters.
(3) The variability in the characteristics of the cells, or the possibility of having defective cells within the battery system, may lead to trigger very few cells at temperatures lower than the thermal runaway initiation temperature of most of the cells.
(4) As the power to the heating device may be removed once a thermal runaway has initiated, it could lead to have only those very few cells into thermal runaway.
(5) If a thermal runaway occurs in at least two cells, the objective of the test is already met.
(6) Degradation of the propulsion battery containment due to aging and environmental conditions during operation is not considered.
(d) The design of electronics for critical aviation applications has been practiced for decades in the industry and demonstrated as highly effective for the safe operation of aircraft when consistent with appropriate industry practices. Therefore, as for any other system in the aircraft, if designed protections are shown to be reliable, the overall risk testing should consider these protections and their reliability.
Considering this, two acceptable approaches are proposed in this Means of Compliance to address the demonstration of an adequate mitigation of battery system thermal runaway conditions for VTOL capable aircraft in the category enhanced.
This Means of Compliance is neither addressing nor superseding other tests and considerations needed for the certification of propulsion battery systems (i.e., external short circuit, available system capacity and energy, protections testing, battery system crashworthiness tests, HV signage…).
This Means of Compliance is predicated on battery technologies and chemistries that are currently known and ready for use. Future technologies and chemistries might require additional or alternative considerations that should be first established at project level.
The following references have been used as a source of information or to provide accepted methods and practices:
(a) RTCA DO-311A “Minimum Operational Performance Standards for Rechargeable Lithium Batteries and Battery Systems”, December 19, 2017.
(b) RTCA DO-160G/EUROCAE ED-14G “Environmental Conditions in Airborne Systems and Equipment”.
(c) ED-289 “Guidance on Determination of Accessible Energy in Battery Systems for EVTOL Applications”.
(d) ED-312 “Guidance on Determining Failure Modes in Lithium-Ion Cells for eVTOL Applications”.
(e) RTCA DO-227A “Minimum Operational Performance Standards for Non-Rechargeable Lithium Batteries”.
(f) EASA AMC 20-115 “Airborne Software Development Assurance Using EUROCAE ED-12 and RTCA DO-178”.
(g) EASA AMC 20-152 “Development Assurance for Airborne Electronic Hardware (AEH)”.
(h) SAE ARP 4761 “Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment”.
(i) EASA MOC VTOL.2330 “Fire Protection in designated fire zones”.
For the purpose of this MOC:
(a) “Battery” is used as a generic term for an electrochemical energy storage system.
(b) “Battery Cell” means a single electrochemical unit which exhibits a voltage across its two terminals and is used as the elementary unit of a battery module or battery system.
(c) “Battery Module” means a group of electrically interconnected cells in series and/or parallel arrangement contained in a single enclosure that ensures that no fluids, flames, gasses, smoke, or fragments enter other modules, and that no thermal runaway is propagated from one module to the others during normal operation or failure conditions.
(d) “Battery system” means an assembly of electrically interconnected battery modules (modularized battery) or cells in series and/or parallel, plus any protective, monitoring, alerting circuitry or hardware inside or outside of the battery, its packaging, and the designed venting provisions.
(f) “Cell Thermal Runaway” is a rapid self-sustained heating of a battery cell driven by exothermic chemical reactions of the materials within the cell. Examples of objective evidence or unambiguous markers that demonstrate that a cell achieved thermal runaway are:
(1) A sharp increase in temperature and pressure and a drop in cell voltage.
(2) Measured peak temperature at least 80% of the typical peak temperature reached during thermal runaway for a given chemistry, per test or per literature reports.
(3) Melted metallic components of cells (other than lithium).
(4) Decomposed active materials / Oxidized metallic lithium.
(5) Pyrolyzed (charred) cell contents.
(g) “Battery Thermal Runaway” is defined as:
(1) Thermal runaway of two cells that thermally affect at least one common adjacent third cell within the same battery or, for modularized batteries, within the same module.
(2) Thermal runaway of any three or more cells within the same battery or, for modularized batteries, within the same module.
|
This Means of Compliance applies only to battery systems intended to be primarily used for electric and hybrid propulsion in VTOL capable aircraft in the category enhanced. Therefore, the terms “Propulsion Battery (System)” and “Battery (System)” are used interchangeably throughout this MOC and are equivalent to the term “Electrical Energy Storage System” in EASA SC-VTOL. |
Propulsion battery systems should successfully demonstrate the implementation of multiple layers of mitigation mechanisms against unsafe conditions, such as thermal runaway, by providing the following:
(a) Evidence that RTCA DO-311A section 2.1 “General Requirements” have been considered and successfully implemented and that section 3 “Installation Considerations” has been evaluated.
(b) Evidence that critical functions including control and protective functions that include software have been designed and validated, as per the applicable revision of EASA AMC 20-115, to an appropriate design assurance level.
(c) Evidence that critical functions, including control and protective functions with airborne electronic hardware, have been designed and validated as per the applicable revision of EASA AMC 20-152 to an appropriate design assurance level.
(1) Functional Hazard Assessment (FHA).
(2) System Safety Assessment (SSA) including a qualitative and quantitative analysis of the failure condition (e.g., Fault Tree Analysis (FTA/DD/MA)).
(i) The System Safety Assessment (SSA) should demonstrate that the safety objectives associated to identified failure conditions are fulfilled.In particular, any catastrophic failure condition should be extremely improbable and not result from a single failure of the propulsion battery system, including control and protective functions inside or outside of the battery.
(3) Failure Modes and Effects Analysis (FMEA).
(4) Common Cause Analysis (CMA, PRA and ZSA).
(e) Evidence that propagation prevention mechanisms are successfully implemented when the propulsion battery system is tested in accordance with thermal runaway Non-Propagation Tests guidelines defined in section 7.(a).
|
Note 1: Demonstrating compliance with one of the test approaches defined in this MOC does not alleviate the classification of the failure condition “battery thermal runaway” (as defined in 3.(g)), which is considered catastrophic. The safety of the propulsion battery is based in a multi-layer approach, where the reliability of the cells and the control and protective functions play a key role and should not be alleviated, since: — Propulsion batteries are not comparable to other aircraft equipment/systems, due to their novel use, criticality, significant fire hazard and lack of service experience. — Thermal runaway tests are not comparable to other qualification tests, due to the variability in the outcome of the tests (due to cell variability, TR initiation criteria, temperature, SOC..) and their novelty and lack of testing experience. Therefore, this safety requirement should be used by the applicants to specify the reliability requirement for the cell failure, as well as the safety objectives of the control and protective functions.
|
5. Approach #1: RTCA DO-311A Section 2.4.5.5. Battery Thermal Runaway Containment Test
Propulsion battery systems are considered to properly fulfil verification aspects of propulsion battery system thermal runaway conditions when:
(a) Section 4. “Prerequisites” of this document is followed, and
(b) They are tested in accordance with RTCA DO-311A section 2.4.5.5 Battery Thermal Runaway Containment Test in accordance with the requirements of RTCA DO-311A section 2.2.2.4, and
(c) At least 20% of the cells in the battery system achieved thermal runaway in the test referenced in previous point 5.(b).
6. Approach #2: Battery Thermal Runaway Containment for Continued Safe Flight and Landing (CSFL)
Propulsion battery systems are considered to properly fulfil verification aspects of propulsion battery system thermal runaway conditions when they are tested following:
(a) Section 4. “Prerequisites” of this document, and
(b) The Thermal Runaway Containment for CSFL time tests guidelines defined in section 7.(b).
|
Note 2: Since propulsion battery systems have much higher capacity and size than conventional battery systems, it may not be feasible to design a battery system that complies with the previous test approaches with a reasonable weight penalty. The applicant may propose a modularized battery system composed out of battery modules to comply at battery module level, instead of at battery system level, with any of the test approaches defined in this document. |
(a) Thermal Runaway Non-Propagation Tests:
(1) Latent manufacturing cell defects should be minimized, as stated in RTCA DO-311A section 2.1.7 “Mitigation of cells failures” and in ED-312 “Guidance on Determining Failure Modes in Lithium-Ion Cells for eVTOL Applications” section 2.1.3 “Manufacturing considerations”. However, even using the most reliable cells from the most robust suppliers, and applying proper incoming inspection and testing, these manufacturing defects cannot be totally prevented. Consequently, having an internal short circuit at cell level in propulsion battery systems with thousands of cells becomes a likely scenario for a thermal runaway. For that reason, propagation to adjacent cells in the battery should be properly prevented to avoid a chain reaction.
(2) The applicant should define, in coordination with the Agency, a set of tests at battery system level to demonstrate that the propagation prevention mechanisms have been successfully implemented.
(3) The following guidelines should be considered for the development of Thermal Runaway Non-Propagation tests:
(ii) A full characterisation of thermal runaway behaviour at cell level should be performed by the applicant to identify, and include at battery system level tests, the potential worst-cases for cell-to-cell propagation at battery system level tests, combining the following parameters:
(A) Thermal Runaway Trigger Method. When it is possible to overcharge the cell to force a thermal runaway, the behaviour of the cell between overcharging and overheating may lead to different outcomes.
(B) State of Charge (SOC). In some cases, low SOC leads to more material remaining in the cell, hence increasing the probability of cell-to-cell propagation. However, higher SOC usually leads to a more explosive and energetic thermal runaway with more material expelled outside the cell.
(C) Positions of the internal short-circuit relative to the cell venting mechanism. Different positions of the heater on the cell may lead to different outcomes in the way the cell is venting or even cause side or bottom ruptures of the cell case.
(D) Heating rates. Different heating rates (i.e., between 5°C/min and 20°C/min) have demonstrated different behaviours of the thermal runaway at cell level, with flames or smoke development depending on the heating rate.
(iii) For this characterization, at least the following parameters should be determined during the test:
(A) Initial State of Charge.
(B) Trigger time for the thermal runaway.
(C) Maximum temperature.
(D) Average total thermal energy release expressed in joules.
(E) Initiation temperature.
(F) Temperature rise rate.
(G) Quantification of mass ejected.
(iv) Due to the high variability in cell level tests, the applicant should define, in coordination with the Agency, an appropriate number of replicates to ensure a representative sample for the cell thermal runaway characterization in (ii). This sample should represent all expected cell variabilities that are anticipated in the life of the product, and should include cell replicates from different lots, manufactured on different dates and from different manufacturing sites (if applicable).
(v) A thermal runaway in a cell in the propulsion battery system should be caused by the worst-case combinations of test conditions determined in the cell characterisation in (ii).
(vi) The triggered cell should be selected as follows:
(A) To maximize the potential for propagation to other cells, the spacing and heat transfer characteristics between cells should be assessed.
(B) The battery system configuration, location of the cell within the battery system, and point 7.(a)(3)(ii) should be assessed to justify the selection of cells with the potential to become worst cases to be tested (e.g. centre, wide face, narrow face, corner, edge…).
(vii) The tested battery system should be representative of the type design configuration, and should include the installation into the aircraft, designated venting provision, installation orientation, and any other design configuration or variable that could impact the test outcome.
(viii) In case there are battery systems with different installations within the aircraft that could impact the test outcome, these different installations should be tested, or if properly justified, at least the worst-case installation.
(ix) The tested battery system should not be modified to such an extent that the method of propagation is not anymore representative of that for a non-modified battery system. Wires for heating, voltage, and temperature monitoring should be passed through the housing and any openings should be sealed to retain internal pressure. Suitable sealant may be high temperature RTV silicone rubber or equivalent.
(x) The cells should not be modified in any way that changes their composition or mechanical properties (including the external cell case).
(xi) The temperature of the battery system before triggering the cell should be always stabilized at 55°C or the maximum operating high temperature, whichever is higher.
(xii) The trigger mechanism may be deactivated once thermal runaway has been initiated in the triggered cell.
(xiii) If a thermal runaway in the targeted cell does not occur, the objective of the test has not been met.
(xiv) The following parameters should be recorded during the test:
(A) The voltage of at least the cell being triggered.
(B) The temperature of the cell being triggered.
(C) The temperatures of the cells nearest to the cell being triggered.
(D) The temperature of the external surface of the battery system and/or Explosive Fire Zone (including the venting provisions).
(E) The volume at standard temperature and pressure, rate of release, and temperature of gasses that exit the battery system and/or Explosive Fire Zone.
(xv) The battery system tested should be monitored for a minimum of 8 hours after the initial thermal runaway event, and during this time it should comply with the following:
(A) No propagation to other cells.
(B) No rupture of the battery system and/or Explosive Fire Zone.
(C) No release of fragments outside the battery system and/or Explosive Fire Zone.
(D) No escape of flames or emissions outside of the battery system and/or Explosive Fire Zone, except through the designed venting provisions.
(E) No compromise of warning signals and safety functions (e.g., battery automatic disconnect function).
(b) Thermal Runaway Containment for CSFL time Tests
(1) Experience has demonstrated that, although very unlikely, more than a cell could go into thermal runaway due to an unforeseen failure mode. Therefore, the applicant should define in coordination with the Agency, a set of tests to demonstrate that realistic worst-cases of thermal runaway in more than a cell can be managed at propulsion battery system level and installation level (Battery Explosive Fire Zone) ensuring continued safe flight and landing in accordance with EASA MOC VTOL.2330 “Fire Protection in designated fire zones”.
(2) The following guidelines should be considered for the development of Thermal Runaway Containment for CSFL time Tests:
(i) Aging and environmental conditions during operation may result in degradation of the electrochemical properties and protection layers for each battery. Therefore, to test the worst-cases conditions during the life of the propulsion battery system, these tests should also be performed with battery systems that have experienced loading that could lead to such degradation, i.e., vibrations, thermal cycling and electrical cycling, either on separate test articles or sequentially on the same test articles. Battery systems used for RTCA DO-160/EUROCAE ED-14 environmental tests and aging cycle tests (iaw. EUROCAE ED-289) can be used as test samples when the applicant demonstrates a proper aging and degradation. Alternatively, battery systems that have gone through equivalent accelerated life tests can also be used.
(ii) All the parameters identified in Section 7.(a)(3)(ii) (Guidelines for development of Thermal Runaway Non-Propagation Tests) for the full characterisation of thermal runaway behaviour at cell level should be also considered to determine the potential worst-cases for Thermal Runaway Containment tests.
(iii) A thermal runaway in at least 20% of the cells in the propulsion battery system should be caused by the worst-cases of combinations of test conditions as determined in the previous point 7.(b)(2)(ii).
(iv) Triggered cells should be selected as follows:
(A) To maximize the potential for propagation to other cells, the spacing and heat transfer characteristics between cells should be assessed.
(B) The battery system configuration, the location of the cells within the battery system, and point 7.(b)(2)(ii) should be assessed to justify the selection of cells that have potential to be worst cases to be tested (e.g. centre, wide face, narrow face, corner, edge, subgroup of triggered cells in different sides, …)
(v) The tested battery system should be representative of the type design configuration, and should include the installation into the aircraft, designated venting provision, installation orientation, and any other design configuration or variable that could impact the test outcome.
(vi) In case there are battery systems with different installations within the aircraft that could impact the test outcome, these different installations should be tested, or if properly justified, at least the worst-case installation.
(vii) The tested battery system should not be modified to such an extent that the method of propagation is not anymore representative of that for a non-modified battery system. Wires for heating, voltage, and temperature monitoring should be passed through the housing and any openings should be sealed to retain internal pressure. Suitable sealant may be high temperature RTV silicone rubber or equivalent.
(viii) The cells should not be modified in any way that changes their composition or mechanical properties (including the external cell case).
(ix) The temperature of the battery before triggering the cells, should be always stabilized at 55°C or the maximum operating temperature, whichever is higher.
(x) The trigger mechanism may be deactivated once a thermal runaway has been initiated in all the targeted cells.
(xi) It should be proven for each test that:
(A) The trigger method setup aims to trigger all targeted cells at the same time.
(B) All triggered cells have entered into thermal runaway within a reasonable amount of time (approximately 1 minute).
(xii) If a thermal runaway in the targeted cells does not occur, the objective of the test has not been met.
(xiii) If propagation to all cells is prevented, the number and locations of cells that entered thermal runaway should be reported.
(xiv) The following parameters should be recorded during the test:
(A) The voltages of at least the cells being triggered.
(B) The temperatures of the cells being triggered.
(C) The temperatures of the cells nearest to the cells being triggered.
(D) The temperature of the external surface of the battery system and/or Explosive Fire Zone (including the venting provisions).
(E) The volume at standard temperature and pressure, rate of release, and temperature of gasses that exit the battery system and/or Explosive Fire Zone.
(xv) During the test it should be demonstrated that the thermal runaway can be managed at propulsion battery system level and at installation level (Battery Explosive Fire Zone) ensuring continued safe flight and landing in accordance with EASA MOC VTOL.2330 Fire Protection in designated fire zones.
VTOL.2445 Lift/thrust system installation information
n/a
The following lift/thrust system installation information must be established:
(a) Operating limitations, procedures and instructions necessary for the safe operation of the aircraft;
(b) the need for instrument markings or placards;
(c) any additional information necessary for the safe operation of the aircraft;
(d) inspections or maintenance to assure continued safe operation;
(e) information related to the lift/thrust configuration;
(f) techniques and associated limitations for lift/thrust unit starting and stopping; and
(g) energy level information to support energy management, including consideration of a likely component failure within the system.