§ 33.75
Safety analysis.
(a) (1) The applicant must analyze the engine, including the control system, to assess the likely consequences of all failures that can reasonably be expected to occur. This analysis will take into account, if applicable:
(i) Aircraft-level devices and procedures assumed to be associated with a typical installation. Such assumptions must be stated in the analysis.
(ii) Consequential secondary failures and latent failures.
(iii) Multiple failures referred to in paragraph (d) of this section or that result in the hazardous engine effects defined in paragraph (g)(2) of this section.
(2) The applicant must summarize those failures that could result in major engine effects or hazardous engine effects, as defined in paragraph (g) of this section, and estimate the probability of occurrence of those effects. Any engine part the failure of which could reasonably result in a hazardous engine effect must be clearly identified in this summary.
(3) The applicant must show that hazardous engine effects are predicted to occur at a rate not in excess of that defined as extremely remote (probability range of 10−7 to 10−9 per engine flight hour). Since the estimated probability for individual failures may be insufficiently precise to enable the applicant to assess the total rate for hazardous engine effects, compliance may be shown by demonstrating that the probability of a hazardous engine effect arising from an individual failure can be predicted to be not greater than 10−8 per engine flight hour. In dealing with probabilities of this low order of magnitude, absolute proof is not possible, and compliance may be shown by reliance on engineering judgment and previous experience combined with sound design and test philosophies.
(4) The applicant must show that major engine effects are predicted to occur at a rate not in excess of that defined as remote (probability range of 10−5 to 10−7 per engine flight hour).
(b) The FAA may require that any assumption as to the effects of failures and likely combination of failures be verified by test.
(c) The primary failure of certain single elements cannot be sensibly estimated in numerical terms. If the failure of such elements is likely to result in hazardous engine effects, then compliance may be shown by reliance on the prescribed integrity requirements of §§ 33.15, 33.27, and 33.70 as applicable. These instances must be stated in the safety analysis.
(d) If reliance is placed on a safety system to prevent a failure from progressing to hazardous engine effects, the possibility of a safety system failure in combination with a basic engine failure must be included in the analysis. Such a safety system may include safety devices, instrumentation, early warning devices, maintenance checks, and other similar equipment or procedures. If items of a safety system are outside the control of the engine manufacturer, the assumptions of the safety analysis with respect to the reliability of these parts must be clearly stated in the analysis and identified in the installation instructions under § 33.5 of this part.
(e) If the safety analysis depends on one or more of the following items, those items must be identified in the analysis and appropriately substantiated.
(1) Maintenance actions being carried out at stated intervals. This includes the verification of the serviceability of items that could fail in a latent manner. When necessary to prevent hazardous engine effects, these maintenance actions and intervals must be published in the instructions for continued airworthiness required under § 33.4 of this part. Additionally, if errors in maintenance of the engine, including the control system, could lead to hazardous engine effects, the appropriate procedures must be included in the relevant engine manuals.
(2) Verification of the satisfactory functioning of safety or other devices at pre-flight or other stated periods. The details of this satisfactory functioning must be published in the appropriate manual.
(3) The provisions of specific instrumentation not otherwise required.
(4) Flight crew actions to be specified in the operating instructions established under § 33.5.
(f) If applicable, the safety analysis must also include, but not be limited to, investigation of the following:
(1) Indicating equipment;
(2) Manual and automatic controls;
(3) Compressor bleed systems;
(4) Refrigerant injection systems;
(5) Gas temperature control systems;
(6) Engine speed, power, or thrust governors and fuel control systems;
(7) Engine overspeed, overtemperature, or topping limiters;
(8) Propeller control systems; and
(9) Engine or propeller thrust reversal systems.
(g) Unless otherwise approved by the FAA and stated in the safety analysis, for compliance with part 33, the following failure definitions apply to the engine:
(1) An engine failure in which the only consequence is partial or complete loss of thrust or power (and associated engine services) from the engine will be regarded as a minor engine effect.
(2) The following effects will be regarded as hazardous engine effects:
(i) Non-containment of high-energy debris;
(ii) Concentration of toxic products in the engine bleed air intended for the cabin sufficient to incapacitate crew or passengers;
(iii) Significant thrust in the opposite direction to that commanded by the pilot;
(iv) Uncontrolled fire;
(v) Failure of the engine mount system leading to inadvertent engine separation;
(vi) Release of the propeller by the engine, if applicable; and
(vii) Complete inability to shut the engine down.
(3) An effect whose severity falls between those effects covered in paragraphs (g)(1) and (g)(2) of this section will be regarded as a major engine effect.
[Amdt. 33-24, 72 FR 50867, Sept. 4, 2007]