(b) Validation —(1) Functional aspects. The applicant must substantiate by tests, analysis, or a combination thereof, that the engine control system performs the intended functions in a manner which:
(i) Enables selected values of relevant control parameters to be maintained and the engine kept within the approved operating limits over changing atmospheric conditions in the declared flight envelope;
(ii) Complies with the operability requirements of §§33.51, 33.65 and 33.73, as appropriate, under all likely system inputs and allowable engine power or thrust demands, unless it can be demonstrated that failure of the control function results in a non-dispatchable condition in the intended application;
(iii) Allows modulation of engine power or thrust with adequate sensitivity over the declared range of engine operating conditions; and
(iv) Does not create unacceptable power or thrust oscillations.
(2) Environmental limits. The applicant must demonstrate, when complying with §§33.53 or 33.91, that the engine control system functionality will not be adversely affected by declared environmental conditions, including electromagnetic interference (EMI), High Intensity Radiated Fields (HIRF), and lightning. The limits to which the system has been qualified must be documented in the engine installation instructions.
(c) Control transitions. (1) The applicant must demonstrate that, when fault or failure results in a change from one control mode to another, from one channel to another, or from the primary system to the back-up system, the change occurs so that:
(i) The engine does not exceed any of its operating limitations;
(ii) The engine does not surge, stall, or experience unacceptable thrust or power changes or oscillations or other unacceptable characteristics; and
(iii) There is a means to alert the flight crew if the crew is required to initiate, respond to, or be aware of the control mode change. The means to alert the crew must be described in the engine installation instructions, and the crew action must be described in the engine operating instructions;
(2) The magnitude of any change in thrust or power and the associated transition time must be identified and described in the engine installation instructions and the engine operating instructions.
(d) Engine control system failures. The applicant must design and construct the engine control system so that:
(1) The rate for Loss of Thrust (or Power) Control (LOTC/LOPC) events, consistent with the safety objective associated with the intended application can be achieved;
(2) In the full-up configuration, the system is single fault tolerant, as determined by the Administrator, for electrical or electronic failures with respect to LOTC/LOPC events;
(3) Single failures of engine control system components do not result in a hazardous engine effect; and
(4) Foreseeable failures or malfunctions leading to local events in the intended aircraft installation, such as fire, overheat, or failures leading to damage to engine control system components, do not result in a hazardous engine effect due to engine control system failures or malfunctions.
(e) S ystem safety assessment. When complying with this section and §33.75, the applicant must complete a System Safety Assessment for the engine control system. This assessment must identify faults or failures that result in a change in thrust or power, transmission of erroneous data, or an effect on engine operability producing a surge or stall together with the predicted frequency of occurrence of these faults or failures.
(f) Protection systems. (1) The design and functioning of engine control devices and systems, together with engine instruments and operating and maintenance instructions, must provide reasonable assurance that those engine operating limitations that affect turbine, compressor, fan, and turbosupercharger rotor structural integrity will not be exceeded in service.
(2) When electronic overspeed protection systems are provided, the design must include a means for testing, at least once per engine start/stop cycle, to establish the availability of the protection function. The means must be such that a complete test of the system can be achieved in the minimum number of cycles. If the test is not fully automatic, the requirement for a manual test must be contained in the engine instructions for operation.
(3) When overspeed protection is provided through hydromechanical or mechanical means, the applicant must demonstrate by test or other acceptable means that the overspeed function remains available between inspection and maintenance periods.
(g) Software. The applicant must design, implement, and verify all associated software to minimize the existence of errors by using a method, approved by the FAA, consistent with the criticality of the performed functions.
(h) Aircraft-supplied data. Single failures leading to loss, interruption or corruption of aircraft-supplied data (other than thrust or power command signals from the aircraft), or data shared between engines must:
(1) Not result in a hazardous engine effect for any engine; and
(2) Be detected and accommodated. The accommodation strategy must not result in an unacceptable change in thrust or power or an unacceptable change in engine operating and starting characteristics. The applicant must evaluate and document in the engine installation instructions the effects of these failures on engine power or thrust, engine operability, and starting characteristics throughout the flight envelope.
(i) Aircraft-supplied electrical power. (1) The applicant must design the engine control system so that the loss, malfunction, or interruption of electrical power supplied from the aircraft to the engine control system will not result in any of the following:
(i) A hazardous engine effect, or
(ii) The unacceptable transmission of erroneous data.
(2) When an engine dedicated power source is required for compliance with paragraph (i)(1) of this section, its capacity should provide sufficient margin to account for engine operation below idle where the engine control system is designed and expected to recover engine operation automatically.
(3) The applicant must identify and declare the need for, and the characteristics of, any electrical power supplied from the aircraft to the engine control system for starting and operating the engine, including transient and steady state voltage limits, in the engine instructions for installation.
(4) Low voltage transients outside the power supply voltage limitations declared in paragraph (i)(3) of this section must meet the requirements of paragraph (i)(1) of this section. The engine control system must be capable of resuming normal operation when aircraft-supplied power returns to within the declared limits.
(j) Air pressure signal. The applicant must consider the effects of blockage or leakage of the signal lines on the engine control system as part of the System Safety Assessment of paragraph (e) of this section and must adopt the appropriate design precautions.
(k) Automatic availability and control of engine power for 30-second OEI rating. Rotorcraft engines having a 30-second OEI rating must incorporate a means, or a provision for a means, for automatic availability and automatic control of the 30-second OEI power within its operating limitations.
(l) Engine shut down means. Means must be provided for shutting down the engine rapidly.
(m) Programmable logic devices. The development of programmable logic devices using digital logic or other complex design technologies must provide a level of assurance for the encoded logic commensurate with the hazard associated with the failure or malfunction of the systems in which the devices are located. The applicant must provide evidence that the development of these devices has been done by using a method, approved by the FAA, that is consistent with the criticality of the performed function.
[Amdt. 33–26, 73 FR 48284, Aug. 19, 2008]