(a) The equipment, systems, and installations whose functioning is required by this subchapter must be designed and installed to ensure that they perform their intended functions under any foreseeable operating condition.
(b) The rotorcraft systems and associated components, considered separately and in relation to other systems, must be designed so that—
(1) For Category B rotorcraft, the equipment, systems, and installations must be designed to prevent hazards to the rotorcraft if they malfunction or fail; or
(2) For Category A rotorcraft—
(i) The occurrence of any failure condition which would prevent the continued safe flight and landing of the rotorcraft is extremely improbable; and
(ii) The occurrence of any other failure conditions which would reduce the capability of the rotorcraft or the ability of the crew to cope with adverse operating conditions is improbable.
(c) Warning information must be provided to alert the crew to unsafe system operating conditions and to enable them to take appropriate corrective action. Systems, controls, and associated monitoring and warning means must be designed to minimize crew errors which could create additional hazards.
(d) Compliance with the requirements of paragraph (b)(2) of this section must be shown by analysis and, where necessary, by appropriate ground, flight, or simulator tests. The analysis must consider—
(1) Possible modes of failure, including malfunctions and damage from external sources;
(2) The probability of multiple failures and undetected failures;
(3) The resulting effects on the rotorcraft and occupants, considering the stage of flight and operating conditions; and
(4) The crew warning cues, corrective action required, and the capability of detecting faults.
(e) For Category A rotorcraft, each installation whose functioning is required by this subchapter and which requires a power supply is an “essential load” on the power supply. The power sources and the system must be able to supply the following power loads in probable operating combinations and for probable durations:
(1) Loads connected to the system with the system functioning normally.
(2) Essential loads, after failure of any one prime mover, power converter, or energy storage device.
(3) Essential loads, after failure of—
(i) Any one engine, on rotorcraft with two engines; and
(ii) Any two engines, on rotorcraft with three or more engines.
(f) In determining compliance with paragraphs (e)(2) and (3) of this section, the power loads may be assumed to be reduced under a monitoring procedure consistent with safety in the kinds of operations authorized. Loads not required for controlled flight need not be considered for the two-engine-inoperative condition on rotorcraft with three or more engines.
(g) In showing compliance with paragraphs (a) and (b) of this section with regard to the electrical system and to equipment design and installation, critical environmental conditions must be considered. For electrical generation, distribution, and utilization equipment required by or used in complying with this subchapter, except equipment covered by Technical Standard Orders containing environmental test procedures, the ability to provide continuous, safe service under foreseeable environmental conditions may be shown by environmental tests, design analysis, or reference to previous comparable service experience on other aircraft.