(a) The equipment, systems, and installations whose functioning is
required by this subchapter must be designed and installed to ensure that
they perform their intended functions under any foreseeable operating
condition.
(b) The rotorcraft systems and associated components, considered
separately and in relation to other systems, must be designed so that --
(1) For Category B rotorcraft, the equipment, systems, and
installations must be designed to prevent hazards to the rotorcraft if
they malfunction or fail; or
(2) For Category A rotorcraft --
(i) The occurrence of any failure condition which would prevent the
continued safe flight and landing of the rotorcraft is extremely
improbable; and
(ii) The occurrence of any other failure conditions which would reduce
the capability of the rotorcraft or the ability of the crew to cope with
adverse operating conditions is improbable.
(c) Warning information must be provided to alert the crew to unsafe
system operating conditions and to enable them to take appropriate
corrective action. Systems, controls, and associated monitoring and
warning means must be designed to minimize crew errors which could create
additional hazards.
(d) Compliance with the requirements of paragraph (b)(2) of this
section must be shown by analysis and, where necessary, by appropriate
ground, flight, or simulator tests. The analysis must consider --
(1) Possible modes of failure, including malfunctions and damage from
external sources;
(2) The probability of multiple failures and undetected failures;
(3) The resulting effects on the rotorcraft and occupants, considering
the stage of flight and operating conditions; and
(4) The crew warning cues, corrective action required, and the
capability of detecting faults.
(e) For Category A rotorcraft, each installation whose functioning is
required by this subchapter and which requires a power supply is an
"essential load" on the power supply. The power sources and the system
must be able to supply the following power loads in probable operating
combinations and for probable durations:
(1) Loads connected to the system with the system functioning normally.
(2) Essential loads, after failure of any one prime mover, power
converter, or energy storage device.
(3) Essential loads, after failure of --
(i) Any one engine, on rotorcraft with two engines; and
(ii) Any two engines, on rotorcraft with three or more engines.
(f) In determining compliance with paragraphs (e)(2) and (3) of this
section, the power loads may be assumed to be reduced under a monitoring
procedure consistent with safety in the kinds of operations authorized.
Loads not required for controlled flight need not be considered for the
two-engine-inoperative condition on rotorcraft with three or more engines.
(g) In showing compliance with paragraphs (a) and (b) of this section
with regard to the electrical system and to equipment design and
installation, critical environmental conditions must be considered. For
electrical generation, distribution, and utilization equipment required by
or used in complying with this subchapter, except equipment covered by
Technical Standard Orders containing environmental test procedures, the
ability to provide continuous, safe service under foreseeable
environmental conditions may be shown by environmental tests, design
analysis, or reference to previous comparable service experience on other
aircraft.
(h) In showing compliance with paragraphs (a) and (b) of this section,
the effects of lightning strikes on the rotorcraft must be considered. (Secs. 313(a), 601, 603, 604, and 605 of the Federal Aviation Act
of 1958 (49 U.S.C. 1354(a), 1421, 1423, 1424, and 1425); and sec. 6(c),
Dept. of Transportation Act (49 U.S.C. 1655(c)))