FAA 2017 1053 0004 - Attachment - 1

Download as pdf or txt
Download as pdf or txt
You are on page 1of 8

Exemption No.

17664

UNITED STATES OF AMERICA


DEPARTMENT OF TRANSPORTATION
FEDERAL AVIATION ADMINISTRATION
RENTON, WASHINGTON 98057-3356

In the matter of the petition of

Airbus SAS Regulatory Docket No. FAA-2017-1053

for an exemption from§ 25.981(a)(3) of


title 14, Code of Federal Regulations

GRANT OF TIME-LIMITED EXEMPTION

By letter dated October 26, 2017, Mr. Franc;ois Duclos, A350 Chief Airworthiness Engineer,
Airbus SAS (Airbus), D2202, 2 rond-point Emile Dewoitine, 31700 Blagnac Cedex, France,
petitioned the Federal Aviation Administration (FAA) for an exemption from the requirements of
§ 25.981(a)(3) of title 14, Code of Federal Regulations (14 CFR). This exemption, if granted,
would allow Airbus time to complete the necessary modification and installation of new
hydraulic monitoring and control application (HMCA) software and new hydraulic engine driven
pump (EDP) on Model A350-900 airplanes while permitting on-schedule delivery and retrofit to
its customers in the United States (U.S.). Airbus requests relief from the requirements of
§ 25.981(a)(3) for a period of 18 months. The reliefrequested by Airbus also applies to the
general powerplant installation failure analysis requirements of§ 25.901(c) and the systems
failure analysis requirements of§ 25.1309(b), as they have been applied to powerplant
installations.

The petitioner requests relief from the following regulation:

Section 25.981(a)(3), at Amendment 25-125, states that no ignition source may be


present at each point in the fuel tank or fuel tank system where catastrophic failure could
occur due to ignition of fuel or vapors. This must be shown by demonstrating that an
ignition source could not result from each single failure, from each single failure in
combination with each latent failure condition not shown to be extremely remote, and
from all combinations of failures not shown to be extremely improbable. The effects of
manufacturing variability, aging, wear, corrosion, and likely damage must be considered.
Related sections of 14 CFR
Section 25.901(c) at Amendment 25-126- requires that for each powerplant and
auxiliary power unit installation, it must be established that no single failure or
malfunction or probable combination of failures will jeopardize the safe operation of the
airplane except that the failure of structural elements need not be considered if the
probability of such failure is extremely remote.

Section 25.1309(b) at Amendment 25-123, states that the airplane systems and
associated components~ considered separately and in relation to other systems, must be
designed so that (1) the occurrence of any failure condition which would prevent the
continued safe flight and landing of the airplane is extremely improbable, and (2) the
occurrence of any other failure condition which would reduce the capability of the
airplane or the ability of the crew to cope with adverse operating conditions is
improbable.

The petitioner supports their request with the following information:

This.section quotes the relevant information from the petitioner's request, with minor edits for
clarity. The complete petition is available at the Department of Transportation's Federal Docket
Management System, on the Internet at http://regulations.gov, in Docket No. F AA-2017-1053.

Airbus Request - General

Airbus is petitioning for a time-limited exemption from two provisions of 14 CFR


25.981(a)(3), amendment 25-125 (Fuel tank ignition prevention), for the A350-900
airplane models, which will be modified to install new hydraulic monitoring and control
application (HMCA) software (S4.2). The purpose of the new software standard is to
mitigate local hydraulic engine driven pump (EDP)'overheat failure mode in order to
avoid overheated hydraulic fluid to enter the fuel tank (hydraulic fluid carrying lines are
running inside the fuel tanks). The S4.2 software logics will-

• Be modified in order to improve the robustness of the hydraulic case drain line
temperature monitoring.

• Implement an EDP depress function in case of detected hydraulic case drain line
fluid high temperature.

A time-limited exemption is sought from the no combinations offailures not shown to be


extremely improbable and no single failure in combination with each latent failure
condition not shown to be extremely remote requirements as stated in§ 25.981(a)(3).
(Demonstrating that an ignition source could not result from each single failure in
combination with each latent failure condition not shown to be extremely remote, and
from all combinations of failures not shown to be extremely improbable).

Airbus is seeking relief from the above requirements for a period of 18 months from the
certification date of the new HMCA software S4.2 to allow time to certify with the FAA

2
and the European Aviation Safety Agency (EASA) a new design of hydraulic EDP,
followed by manufacturing and incorporation of this new standard (in production and
retrofit) on the concerned United States (N-registered) A350-900 airplane models. The
new EDP will enable Airbus to demonstrate compliance to the combinations offailures
not shown to be extremely improbable requirement of§ 25.981(a)(3) identified above.
Note that the currently certified EDP standard is -04 and that the new -06 standard will be
certified with project V-EDP-A350.

Airbus Public Interest Statement

Incorporation of the modified HMCA software is a clear safety improvement which


ensures that, in the case of hydraulic EDP overheat failure, the temperature of the
hydraulic lines in the fuel tank remain below the 200° Celsius value per Advisory
Circular 25 .981-1 C, as the commonly accepted maximum surface temperature in the fuel
tank for kerosene-type fuels. Therefore, granting this exemption is in the public interest
since it contributes to increase the robustness of the A350-900 design against the risk of a
potential hot surface ignition in the fuel tank. With the new HMCA software, full
compliance to§ 25.981(a)(3) cannot be demonstrated for the following reasons:

1. Considering the in-service experience with the current EDP standard, it is not
possible to robustly reiy on EDP failure modes and effects analysis (FMEA)
failure rates that would be able to meet the extremely improbable target for
combination of failures.

2. For the specific "latent plus one" criterion, additional redundancy in the hydraulic
fluid temperature monitoring is required.

The first consideration will be addressed by the certification and incorporation of the new
EDP standard in the time:frame requested by this exemption (18 months). Meanwhile, it
is considered that the anticipated failure rate and master minimum equipment list
(MMEL) restrictions applied on the fuel tank inerting system maintain an acceptable level
of safety. The second consideration will have to be addressed by another petition for
temporary exemption.

Airbus Safety Statement

As already mentioned, the incorporation of the modified HMCA software is a clear safety
improvement; therefore, granting the exemption cannot adversely affect safety.

Summary

Airbus seeks a time-limited exemption from 14 CFR 25.981(a)(3), amendment 25-175,


for the incorporation of a modified HMCA software (S4.2) on the Model A350-900
airplanes. More precisely, Airbus seeks an exemption of 18 months to certify and
incorporate an additional modification- namely an upgraded standard of hydraulic EDP,
in production and retrofit. The new EDP standard will enable Airbus to show compliance
to§ 25.981(a)(3) with the exception of the "no single failure in combination with

3
probable (i.e., with a probability greater than extremely remote) latent failure condition"
provision. Granting this request is in the public interest since it will enable Airbus to
deliver and retrofit the N-registered A350-900 airplanes with the modified HMCA
software which is a clear safety enhancement. The modified software ensures that in case
of hydraulic EDP overheat failure, the temperature of the hydraulic lines in the fuel tank
remain below the 200° Celsius.

Modification 112090 is already approved by EASA (on October 6, 2017) and mandated
by EASA Airworthiness Directive 2017-0200.

Federal Register publication

A summary.of the petition was published in the Federal Register on November 8, 2017 [82 FR
51906]. The FAA received no comments. ·

The FAA's analysis

We agree with the petitioner's justification that granting the petition is in the public interest.
This exemption will allow approval of design changes needed to address an unsafe condition
associated with the hydraulic engine driven pump failures; specifically, in three stages of
increasingly safer design changes, it will address the potential for ignition sources inside the
center fuel tank, in combination with flammable fuel vapors, to result in a fuel tank explosion.

The first stage of design changes, installation of the hydraulic monitoring and control application
(HMCA) software (S4.2), will increase safety by limiting the temperature rise in the hydraulic
fluid following a hydraulic engine driven pump failure condition. However, there are latent
failure modes that could prevent the system from detecting and reacting to the temperature rise.
The second stage of design changes, installation of a modified hydraulic engine driven pump
(new standard -06), will further increase safety by significantly reducing the likelihood of a
hydraulic engine driven pump failure and resulting temperature rise. The third stage of design
changes, yet to be identified by Airbus, will increase safety to a fully compliant design by-
addressing the latent failure modes in the hydraulic system that protect from the temperature rise.

The petitioner only requested relief from the requirements of§ 25.981(a)(3). However, granting
relief from that section requires the need for a grant of relief from the general powerplant
installation failure analysis requirements of§ 25.901(c) and the systems failure analysis
requirements of§ 25.1309(b), as they have been applied to powerplant installations. Therefore,
although the petitioner did not specifically request an exemption from§§ 25.901(c) and
25 .13 09(b) for the design change, the FAA also grants the necessary relief herein from those
additional related sections.

Section 25.901(c) is intended to provide an overall safety assessment of the powerplant and
auxiliary power unit installations, including fuel systems. Section 25.1309 provides general
safety requirements for systems installed on the airplane that limit the acceptable effects of
foreseeable failures and malfunctions. The FAA discussed the relationship between

4
§§ 25.901(c), 25.1309, and§ 25.98l(a) in the final rule preamble of amendment 25-102 to
14 CFR part 25 (66 FR 23085), specifically stating:

These requirements are consistent with the general powerplant installation failure analysis
requirements of Sec. 25.901(c) and the systems failure analysis requirements of
Sec. 25 .13 09, as they have been applied to powerplant installations. This additional
requirement is needed because the general requirements of Secs. 25.901 and 25.1309
have not been consistently applied and documented when showing that ignition sources
are precluded from transport category airplane fuel tanks. Compliance with Sec. 25.981
requires an analysis of the airplane fuel tank system using analytical methods and
documentation currently used by the aviation industry in demonstrating compliance with
Secs. 25.901 and 25.1309. In order to eliminate any ambiguity as to the necessary
methods of compliance, the rule explicitly requires that the existence of latent failures be
assumed unless they are extremely remote, which is currently required under Sec. 25.901,
but not under Sec. 25.1309. ,

The FAA previously granted Airbus an equivalent level of safety (ELOS) finding to § 25.1309 in
the original certification basis for the Model A350 airplanes and is documented in FAA
memorandum number TC0544IB-T-S-2. The ELOS finding substitutes the following
requirement for § 25 .13 09(b):

(b) The airplane systems and associated components, considered separately and in
relation to other systems, must be designed and installed so that:

(1) Each catastrophic failure condition

1. is extremely improbable; and

11. does not result from a single failure; and

(2) Each hazardous failure condition is extremely remote; and

(3) Each major failure condition is remote.

The requirements in the ELOS finding for§ 25.1309(b) are effectively the same as§ 25.1309(b),
amendment 2~-123. Therefore, granting the exemption to§ 25.1309(b) results in granting an
exemption to the equivalent requirement in the ELOS finding for the specific design changes
discussed in this document.

Airbus requested that the exemption for the HMCA software (S4.2) apply for 18 months to allow
time for it to develop, and for the FAA to approve, additional design changes on the hydraulic
engine driven pump (new standard -06), but indicated that they will not be able to demonstrate
full compliance with§ 25,981(a)(3) without further design changes. Since the reasons for
granting the requested relief for the software design change are the same as would be for granting

5
relief on the hydraulic engine driven pump design changes, we considered the relief necessary for
both design changes while evaluating this petition. Therefore, it is not necessary for Airbus to
petition for an additional temporary exemption to allow installation of the new hydraulic engine
driven pump.

The FAA considers the additional action in EASA Airworthiness Directive 2017-0200 of
precluding operation of the Model A350-900 airplane with an inoperative fuel tank inerting
system (sometimes referred to as the fuel tank flammability reduction system) as necessary to
provide an acceptable level of safety until Airbus develops fully compliant design changes. The
fuel tank inerting system significantly decreases the time the fuel tanks are flammable during
operation. Therefore, limiting the flammability of the fuel tanks significantly reduces the
likelihood of a fuel tank explosion following a hydraulic engine driven pump overheat failure
condition. We have included this as a condition for granting the time-limited exemption.

Airbus did not request relief from the "no single failure" aspect of§ 25.981(a)(3); therefore, we
assume that Airbus will show the HMCA software (S4.2) and the hydraulic engine driven pump
(new standard -06) design changes will comply with this aspect. We consider this requirement is
necessary to provide an acceptable level of safety. For clarity, we included this as a condition for
granting the time-limited exemption.
The FAA considers it is necessary to provide an acceptable level of safety by limiting the
potential for a fuel tank explosion that currently exists to a small number of airplanes and for a
short period of time. There are a small number ofU.S.-operated Model A350-900 airplanes
currently in service and we anticipate U.S. operators will only introduce a small number of
airplanes into service within the timeframe of the time-limited exemption. We are including
requirements for U.S. operators to retrofit Model A350-900 airplanes with the modified ,
hydraulic engine driven pump (new standard -06) as well as with the to-be-determined fully
compliant design changes as a condition for granting the time-limited exemption. We are also
including requirements for Airbus to provide service instructions to U.S. operators for
incorporating the design changes as a condition for granting the time-limited exemption. The
incorporation of all design changes required by the conditions in this time-limited exemption
allows reintroduction of temporary dispatch relief with the fuel tank inerting system inoperative.
The FAA has determined that the proposed modifications represent a reasonable, cost-effective
method to reduce the risk from potential hydraulic engine driven pump failures leading to fuel
tank ignition sources as partial mitigation until Airbus can develop additional design changes to
show full compliance. This includes the modifications to the hydraulic system software (HMCA
S4.2) and to the hydraulic engine driven pump (new standard -06).

The FAA's decision

In consideration of the foregoing, I find that a grant of a time-limited exemption is in the public
interest. Therefore, pursuant to the authority contained in 49 U.S.C. 40113 and 44701(£)
delegated to me by the Administrator, I grant Airbus an exemption from the requirements of
14 CFR 25.901(c), amendment 25-126; 25.981(a)(3), amendment 25-125; and 25.1309(b),
amendment 25-123 that apply to the hydraulic engine driven pump installation on Airbus Model

6
A350-900 airplanes. I grant this time-limited exemption to the extent necessary to allow Airbus
to provide interim design changes that are safety improvements for the Model A350-900 airplane
while allowing time to further develop fully compliant design changes that can be implemented
in production aD-d retrofit.

This exemption is subject to the following conditions:

1. Airbus must show compliance to the remaining aspect of§ 25.981(a)(3) by demonstrating
that an ignition source could not result from each single failure. The effects of
manufacturing variability, aging, wear, corrosion, and likely damage must be considered .

.2. Prior to May 1, 2018, Airbus must:

a. Submit for FAA approval design changes that show compliance to§ 25.1309(b)
and the "combinations of failures" aspect of§ 25.981(a)(3) by demonstrating that
an ignition source could not result from all combinations of failures not shown to
be extremely improbable. The effects of manufacturing variability, aging, wear,
corrosion, and likely damage must be considered.

b. Provide U.S. operators with approved service instructions for retrofit of these
design changes.

3. Prior to December 1, 2020, Airbus must:

a. Submit for FAA approval design changes, in addition to those submitted to satisfy
condition 2.a. of this time-limited exemption, that show full compliance to
§§ 25.901(c), 25.981(a)(3), and25.1309(b).

b. Provide U.S. operators with approved service instructions for retrofit of these
design changes.

4. Airbus must develop a fuel system airworthiness limitation and include it in the
Airworthiness Limitations Section of the Model A350-900 Instructions for Continued
Airworthiness that requires operators to:

a. Prior to May 1, 2019, incorporate design changes developed by Airbus to satisfy


condition 2 of this time-limited exemption.

b. Prior to December 1, 2021, incorporate design changes developed by Airbus to


satisfy condition 3 of this time-limited exemption.

7
c. Prohibit airplane dispatch with the fuel tank inerting system inoperative until the
design changes developed by Airbus for condition 3 of this time-limited
exemption are incorporated on the airplane.

Issued in Renton, Washington, on NOV 27 2017

Victor Wicklund
Manager, Transport Standards Branch
Policy and Innovation Division
Aircraft Certification Service

You might also like