background image

705 

Federal Aviation Administration, DOT 

§ 33.28 

approved operating limits over chang-
ing atmospheric conditions in the de-
clared flight envelope; 

(ii) Complies with the operability re-

quirements of §§ 33.51, 33.65 and 33.73, as 
appropriate, under all likely system in-
puts and allowable engine power or 
thrust demands, unless it can be dem-
onstrated that failure of the control 
function results in a non-dispatchable 
condition in the intended application; 

(iii) Allows modulation of engine 

power or thrust with adequate sensi-
tivity over the declared range of engine 
operating conditions; and 

(iv) Does not create unacceptable 

power or thrust oscillations. 

(2) 

Environmental limits. 

The applicant 

must demonstrate, when complying 
with §§ 33.53 or 33.91, that the engine 
control system functionality will not 
be adversely affected by declared envi-
ronmental conditions, including elec-
tromagnetic interference (EMI), High 
Intensity Radiated Fields (HIRF), and 
lightning. The limits to which the sys-
tem has been qualified must be docu-
mented in the engine installation in-
structions. 

(c) 

Control transitions. 

(1) The appli-

cant must demonstrate that, when 
fault or failure results in a change 
from one control mode to another, 
from one channel to another, or from 
the primary system to the back-up sys-
tem, the change occurs so that: 

(i) The engine does not exceed any of 

its operating limitations; 

(ii) The engine does not surge, stall, 

or experience unacceptable thrust or 
power changes or oscillations or other 
unacceptable characteristics; and 

(iii) There is a means to alert the 

flight crew if the crew is required to 
initiate, respond to, or be aware of the 
control mode change. The means to 
alert the crew must be described in the 
engine installation instructions, and 
the crew action must be described in 
the engine operating instructions; 

(2) The magnitude of any change in 

thrust or power and the associated 
transition time must be identified and 
described in the engine installation in-
structions and the engine operating in-
structions. 

(d) 

Engine control system failures. 

The 

applicant must design and construct 
the engine control system so that: 

(1) The rate for Loss of Thrust (or 

Power) Control (LOTC/LOPC) events, 
consistent with the safety objective as-
sociated with the intended application 
can be achieved; 

(2) In the full-up configuration, the 

system is single fault tolerant, as de-
termined by the Administrator, for 
electrical or electronic failures with 
respect to LOTC/LOPC events; 

(3) Single failures of engine control 

system components do not result in a 
hazardous engine effect; and 

(4) Foreseeable failures or malfunc-

tions leading to local events in the in-
tended aircraft installation, such as 
fire, overheat, or failures leading to 
damage to engine control system com-
ponents, do not result in a hazardous 
engine effect due to engine control sys-
tem failures or malfunctions. 

(e) S

ystem safety assessment. 

When 

complying with this section and § 33.75, 
the applicant must complete a System 
Safety Assessment for the engine con-
trol system. This assessment must 
identify faults or failures that result in 
a change in thrust or power, trans-
mission of erroneous data, or an effect 
on engine operability producing a surge 
or stall together with the predicted fre-
quency of occurrence of these faults or 
failures. 

(f) 

Protection systems. 

(1) The design 

and functioning of engine control de-
vices and systems, together with en-
gine instruments and operating and 
maintenance instructions, must pro-
vide reasonable assurance that those 
engine operating limitations that af-
fect turbine, compressor, fan, and tur-
bosupercharger rotor structural integ-
rity will not be exceeded in service. 

(2) When electronic overspeed protec-

tion systems are provided, the design 
must include a means for testing, at 
least once per engine start/stop cycle, 
to establish the availability of the pro-
tection function. The means must be 
such that a complete test of the system 
can be achieved in the minimum num-
ber of cycles. If the test is not fully 
automatic, the requirement for a man-
ual test must be contained in the en-
gine instructions for operation. 

(3) When overspeed protection is pro-

vided through hydromechanical or me-
chanical means, the applicant must 

VerDate Sep<11>2014 

12:50 Apr 30, 2019

Jkt 247046

PO 00000

Frm 00715

Fmt 8010

Sfmt 8010

Y:\SGML\247046.XXX

247046

spaschal on DSK3GDR082PROD with CFR