2.3.1 The evaluation of failures and failure combinations shall be based on engineering judgement and acceptable fail-safe methodology. The analysis should consider effects of operations with one engine inoperative, including allowance for damage that could result from failure of the first engine. Unless it can be shown that equivalent safety levels are provided or the effects of failure are minor, failure and reliability analysis should be used as guidance in verifying that the proper level of fail-safe design has been provided.
2.3.2 Airframe Systems (General)
Airframe systems shall be shown to comply with section525.1309 of Airworthiness Manual Chapter525.
- Extended duration, single engine operations shall not require exceptional piloting skills and/or crew coordination. Considering the resulting degradation of the performance of the aeroplane type with an engine inoperative, the increased flightcrew workload and the malfunction of remaining systems and equipment, the impact on flightcrew procedures shall be minimised. Consideration shall also be given to the effects of continued flight with an engine and/or airframe systems inoperative on the flight crew's and/or passengers' physiological needs.
2.3.3 Propulsion Systems
The propulsion system shall be shown to comply with section525.901 of Airworthiness Manual Chapter525.
In order to maintain a level of safety, consistent with other aircraft systems, it is necessary to have an acceptably low risk of double propulsion system failure for all design and operational related causes. This implies a relationship between propulsion system reliability and maximum approved diversion time.
- It shall be shown that the propulsion system reliability has reached an acceptable level for ETOPS as determined in accordance with AppendixA.
2.3.4 Auxiliary Power Unit
If an APU is required to satisfy the type design criteria for ETOPS, the installation shall meet:
the applicable Airworthiness Manual Chapter525 requirements (SubpartE - Powerplant);
- any additional requirements necessary to demonstrate its ability to perform the intended function, ie start reliability, altitude, bleed air capability etc.
2.3.5 Communication, Navigation and Basic Flight Instruments
It shall be shown that, under all combinations of propulsion and/or airframe system failures which are not extremely improbable, reliable communication, sufficiently accurate navigation, and basic flight instruments needed to comply with contingency procedures for ETOPS will be available.
2.3.6 Cabin Pressurization
A review of fail-safe redundancy features shall show that the loss of cabin pressure is improbable under single engine conditions.
Aeroplane performance data shall be provided to verify the ability for continued safe flight and landing after loss of cabin pressure and subsequent operation at a lower altitude.
- Unless it can be shown that cabin pressure can be maintained during single engine operation at the altitude required for continued flight to a suitable airport, oxygen shall be available to sustain the passengers and crew for the maximum diversion time.
2.3.7 Cabin Heating/Cooling
The air conditioning system must be capable of providing a reasonable cabin temperature in the event of any single or combination of failures not shown to be extremely improbable.
2.3.8 Equipment Cooling
The data shall establish that the required electronic equipment for ETOPS has the ability to operate acceptably with an engine shut down. Additionally, adequate indication of the proper functioning of the cooling system shall be verifiable if required, to assure system operation prior to dispatch.
2.3.9 Cargo Compartment
The cargo compartment design and fire protection system capability (if required) shall be consistent with the following:
Design - The cargo compartment fire protection system integrity and reliability shall be suitable for the intended operations considering fire detection sensors, liner materials, etc.;
Fire Protection - Operations are not permitted if the maximum diversion time at all engine operating maximum continuous speed is greater than the time to which cargo compartment fire protection has been adequately substantiated in the Type Design Approval, including allowance for approach and landing at an adequate airport (15minute contingency); and
Main deck ClassB cargo compartments (defined by Airworthiness Manual, Chapter525, Section525.857), with volumes in excess of 200cubic feet, are to be modified to a ClassC configuration or equivalent;
- ClassD cargo compartments, with volumes in excess of 200cubic feet, are precluded from use in ETOPS.
2.3.10 Electrical Power
Three or more reliable and independent electrical power sources shall be available, each capable of powering essential systems independently. If one or more of the required electrical power sources are powered by an APU, hydraulic system, or ram air turbine, the following criteria apply as appropriate:
The APU, when installed, shall meet the criteria in Para2.3.3 of this publication.
The hydraulic power source must be reliable. To achieve this reliability, it may be necessary to provide two or more independent energy sources (eg bleed air from two or more pneumatic sources).
Ram air turbine deployment shall be demonstrated to be sufficiently reliable and not require main electrical or engine dependent power for deployment.
- The APU, when installed, shall meet the criteria in Para2.3.3 of this publication.
In the event of any single failure or combination of failures not shown to be extremely improbable, it shall be shown that electrical power is provided for:
essential flight instruments, avionics, communications, navigation, supportive systems and any other equipment deemed necessary for extended range operations for continued safe flight and landing;
crew cockpit information of sufficient accuracy for the intended operation; and
- instruments and equipment needed to allow the flight crew to cope effectively with adverse conditions.
- essential flight instruments, avionics, communications, navigation, supportive systems and any other equipment deemed necessary for extended range operations for continued safe flight and landing;
2.3.11 Hydraulic Power and Flight Controls
Consideration of these systems may be combined, since many commercial aeroplanes have full hydraulically-powered or "fly-by-wire" controls. For aeroplanes with these types of flight controls, evaluation of system redundancy shall show that single failures or failure combinations not shown to be extremely improbable do not preclude continued safe flight and landing at a suitable airport.
- As part of this evaluation, the loss of any two hydraulic systems and any engine should be assumed to occur unless it is established during failure evaluation that there are no sources of damage or the location of the damage sources are such that this failure condition will not occur (engine rotorburst need not be considered in this regard).
- Date modified: