35.15—Safety analysis.
(a)
(1)
The applicant must analyze the propeller system to assess the likely consequences of all failures that can reasonably be expected to occur. This analysis will take into account, if applicable:
(i)
The propeller system in a typical installation. When the analysis depends on representative components, assumed interfaces, or assumed installed conditions, the assumptions must be stated in the analysis.
(iii)
Multiple failures referred to in paragraph (d) of this section, or that result in the hazardous propeller effects defined in paragraph (g)(1) of this section.
(2)
The applicant must summarize those failures that could result in major propeller effects or hazardous propeller effects defined in paragraph (g) of this section, and estimate the probability of occurrence of those effects.
(3)
The applicant must show that hazardous propeller effects are not predicted to occur at a rate in excess of that defined as extremely remote (probability of 10−7 or less per propeller flight hour). Since the estimated probability for individual failures may be insufficiently precise to enable the applicant to assess the total rate for hazardous propeller effects, compliance may be shown by demonstrating that the probability of a hazardous propeller effect arising from an individual failure can be predicted to be not greater than 10−8 per propeller flight hour. In dealing with probabilities of this low order of magnitude, absolute proof is not possible and reliance must be placed on engineering judgment and previous experience combined with sound design and test philosophies.
(b)
If significant doubt exists as to the effects of failures or likely combination of failures, the Administrator may require assumptions used in the analysis to be verified by test.
(c)
The primary failures of certain single elements (for example, blades) cannot be sensibly estimated in numerical terms. If the failure of such elements is likely to result in hazardous propeller effects, then compliance may be shown by reliance on the prescribed integrity requirements of this part. These instances must be stated in the safety analysis.
(d)
If reliance is placed on a safety system to prevent a failure progressing to hazardous propeller effects, the possibility of a safety system failure in combination with a basic propeller failure must be included in the analysis. Such a safety system may include safety devices, instrumentation, early warning devices, maintenance checks, and other similar equipment or procedures. If items of the safety system are outside the control of the propeller manufacturer, the assumptions of the safety analysis with respect to the reliability of these parts must be clearly stated in the analysis and identified in the propeller installation and operation instructions required under § 35.3.
(e)
If the safety analysis depends on one or more of the following items, those items must be identified in the analysis and appropriately substantiated.
(1)
Maintenance actions being carried out at stated intervals. This includes verifying that items that could fail in a latent manner are functioning properly. When necessary to prevent hazardous propeller effects, these maintenance actions and intervals must be published in the instructions for continued airworthiness required under § 35.4. Additionally, if errors in maintenance of the propeller system could lead to hazardous propeller effects, the appropriate maintenance procedures must be included in the relevant propeller manuals.
(2)
Verification of the satisfactory functioning of safety or other devices at pre-flight or other stated periods. The details of this satisfactory functioning must be published in the appropriate manual.
(3)
The provision of specific instrumentation not otherwise required. Such instrumentation must be published in the appropriate documentation.
(f)
If applicable, the safety analysis must include, but not be limited to, assessment of indicating equipment, manual and automatic controls, governors and propeller control systems, synchrophasers, synchronizers, and propeller thrust reversal systems.
(g)
Unless otherwise approved by the Administrator and stated in the safety analysis, the following failure definitions apply to compliance with this part.