Annex B: System Safety Requirements

The safety analysis performed for operations in the SDA must be reviewed and assessed for operations in the NDA.

The review of the design should identify all required systems that use heading and the impact on the aircraft of the use of True Heading versus Magnetic Heading by those systems. The review should also consider component design limitations that apply to the NDA but did not apply to the SDA. This review will assist in formulating a comprehensive test plan.

The review should also include operational assumptions made in the original Functional Hazard Assessment (FHA) or SSA that may be affected by operations in the NDA.

In general, it is anticipated that the following systems may be affected: Navigation, Communication and Flight Controls.

Example:

In the SDA, it is considered that the aircraft is always within VHF range of an appropriate Air Traffic Controller (ATC), but this is not the case in the NDA. What impact does this have on the availability of communications?

The hazards listed below are a generic set of hazards that may be impacted. A detailed review of the specific design being assessed will identify whether other hazards exist which need to be addressed.

Note: The definitions of probability classifications have evolved over time. It is, therefore, important to determine the certification basis amendment level applicable to the aircraft being assessed. For example, early type design certifications typically required that a “Major” failure condition meet the probability classification of “improbable”. More recent type designs require that a “Major” failure condition meet the probability classification of “Remote”. For the purpose of this advisory, where there are differences between early and more recent probability classifications, the earlier classification will be denoted in square brackets (e.g., [improbable]).

Where no design change is associated, in establishing whether the aircraft meets the requirements of this TAA Advisory, it is acceptable to use the original definitions of probability classifications (i.e., there is no requirement to re-assess already established FHA or SSA items). However, if there is a design change required to ensure the aircraft meets the requirements associated with this TAA Advisory, it is then recommended to use the currently published probability classifications when deriving new FHA or SSA items.

Item: Requirements, Consideration and Guidance

Certification Requirements: AWM 1309(b) or MIL-HDBK-516 Section 14

1

Loss of all attitude (primary and standby) is considered a Catastrophic failure condition.

2

Loss of all Communications is considered a Major failure condition, but credit can be taken for availability of VHF communication.

As such, the safety analysis should document that the implemented design meets the criteria associated with a Major failure condition (i.e., loss of all communications should be remote [improbable]).

In the SDA, aircraft are generally equipped with dual VHF communication transceivers, which allow the aircraft to meet the intent of this requirement.

Within the NDA (unless otherwise required by the OAA), VHF-only communication is not considered sufficient. As such, Loss of Long-Range Communication is considered a Minor failure condition. It is considered acceptable to equip with one long-range communication system (such as an HF communications transceiver, or an appropriate SATCOM voice system), provided it is installed as required equipment.

Position reports can still be made on the common enroute VHF frequency (126.7 MHz) and there are several Peripheral Stations (PAL) and Community Aerodrome Radio Stations (CARS) available. In an emergency where the HF and/or SATCOM have failed, contacting overflying flights on 121.5 MHz is acceptable.

3

Loss of all Navigation is considered a Major failure condition.

As such, the safety analysis should document that the implemented design meets the criteria associated with a Major failure condition (i.e., the loss of all navigation should be remote [improbable] and there is no single failure that would cause the loss of all available navigation equipment).

The analysis may have to be supported by test showing that the aircraft’s primary navigation system (e.g., EGI) can provide a navigation solution, given fewer ground-based Navigation Aids in the NDA.

4

Loss of all Navigation and Communication is considered a Catastrophic failure condition.

As such, the safety analysis should document that the implemented design meets the criteria associated with a Catastrophic failure condition (i.e., the loss of all navigation and communications should be extremely improbable).

5

Loss of all heading (primary and standby) in the NDA can be considered a Major failure condition provided that the aircraft is equipped with a fully functional area navigation system capable of navigating in degrees true. This area navigation system must be certified according to the requirements of the airspace being utilized.

As such, the safety analysis should document that the implemented design meets the criteria associated with a Major failure condition (i.e., the loss of all heading should be remote [improbable]).

Credit is being provided for an area navigation system that can provide track guidance. This credit is provided because, in an emergency situation where all heading information is lost but attitude and position information is still available, navigation will still be possible. Furthermore, if the aircraft is equipped with an ADF and an area navigation system that provides bearings to NDBs, an aircraft heading can be determined and used to manually update the heading reference system in cases where the design supports a free Directional Gyroscope mode.
