During a certification program, there may be a need to tailor11 either:
the Primary Certification Code (PCC), when seeking an initial certification approval,
the existing Type Certification Basis (TCB), when seeking a major change approval.
Throughout this Annex, the term ‘tailoring of the TCB’ is used to cover both tailoring of the PCC in order to develop a TCB for an initial certification approval, and tailoring of an established TCB.
Tailoring may be required to provide supplementary requirements for a specific technology area, to specify later amendments of requirements, or to otherwise account for the Defence Configuration, Role and Environment (CRE). This tailoring may occur during initial certification of the platform or during changes to the type certificate. The Defence Aviation Safety Design Requirements Manual (DASDRM) prescribes essential and recommended design requirements for a range of technologies and these are incorporated into TCBs through tailoring when required.
Tailoring of the TCB can be achieved by directly including additional requirements or standards in the TCB and Type Certificate Data Sheet (TCDS), or through use of a Military Certification Review Item (MCRI).
This Annex supports Section 7.2.2 and Section 7.2.3 in terms of providing further guidance on tailoring of the TCB, including:
when an MCRI is required and the MCRI categories adopted and employed by DASA
when Operator agreement is required to support tailoring of the TCB and how that agreement should be achieved
illustration of the process for obtaining DASA agreement on tailoring of the TCB.
Supplementation of the PCC. Where tailoring is required to supplement the PCC with additional requirements, this can be done directly (without an MCRI) where the supplementation does not require discussion or explanation, and where the supplementation does not rely on reference to internal Defence documents22. For example MIL-STD-464C for Electromagnetic Environmental Effects can be listed directly in the TCB and TCDS, because it is a recognised standard from an C/MAA which is widely available for use by future designers, and requires no further discussion or explanation.
Use of later amendments of airworthiness requirements. Where a change proposes to use later amendments of airworthiness requirements than the current platform TCB, this can be recorded directly in the TCDS without the use of an MCRI. DASA will review and provide agreement to the proposed use of later amendments via the applicable Certification Program Plan (CPP). Elect to Comply MCRIs will be used to record the use of later amendments only when further justification needs to be recorded, such as when there is a need to record justification that the change to the later standard does not have a negative impact on safety, or where there is a need to place limits or conditions on the use of the later amendment.
TCDS Update. Where tailoring is incorporated into the TCDS directly, without an MCRI, it will be made clear whether the tailoring applies to the entire platform or only to certain systems or modifications. For example, if a new requirement is introduced for Electromagnetic Environmental Effects for a specific modification, but the remainder of the aircraft is not certified to that requirement, the TCDS will clearly state that the requirement is only applicable to the modification.
An MCRI is an agreement between DASA and an applicant and provides formal documentation of the TCB tailoring. DASA employs the five categories of MCRIs outlined below. These categories and their descriptions/definitions have been adapted for Defence’s context from European Military Airworthiness Certification Criteria (EMACC) and European Aviation Safety Agency (EASA) descriptions.
Exception MCRI. An Exception MCRI details agreed tailoring to an Airworthiness Code or design standard that reduces the level of safety inherent in the native requirement, on the basis that requiring compliance would adversely affect Defence capability. Exception MCRIs are used where it is not practicable to achieve or demonstrate compliance to a requirement in the PCC or TCB due to the impact on capability, and an equivalent level of safety cannot be demonstrated. Exception MCRIs require Operator agreement based on appropriate understanding of the risk and potential controls33.
Special Condition MCRI. A Special Condition MCRI details those elements of the design for which a bespoke certification specification has been developed44.
Elect to Comply MCRI. An Elect to Comply MCRI details those elements where the use of a later version of the PCC or alternative standard has been agreed55.
Equivalent Safety Finding MCRI. An Equivalent Safety Finding (ESF) MCRI details where an airworthiness requirements or standard cannot be met through direct compliance, and agreement has been reached to provide a safety argument to demonstrate that an equivalent level of safety has been achieved. ESF MCRIs that rely on the implementation of operational controls to achieve an equivalent level of safety require Operator agreement66.
Interpretive Material/Means of Compliance/Acceptable Means of Compliance (IM/MOC/AMC) MCRI. An IM/MOC/AMC MCRI is used where the applicant proposes to use an extant IM/MOC/AMC, but only in parts or with some changes to the content, or if there was a discussion about the application of such documents, which needs to be recorded.
MCRIs cannot be assigned multiple categories. In certain cases, a Special Condition or Exception MCRI may include content from a different MCRI type, for example for technology areas where the determination of the certification requirement/standard is based on a risk decision, such a Defence Long Range Operations (DLRO). These MCRIs will be assigned a single category based on the primary type of tailoring, in the case of DLRO this would be a Special Condition MCRI. However, ordinarily where different types of tailoring is required (such as a partial ESF and partial Exception), it is expected that these will be included in separate MCRIs to cover each type of tailoring.
A template for an MCRI is available on the DASR Templates website.
Tailoring to multiple elements of the TCB can be ‘grouped’ into a single MCRI, where the tailoring is associated with a common issue or relates to the same technology area. Any MCRIs that ‘group’ issues should be able to be given a meaningful title that encompasses all of the tailoring inside. If a meaningful title cannot be developed due to the MCRI containing disparate topics, then they should be separated into multiple MCRIs. The decision on appropriate grouping of issues into a single MCRI ultimately rests with the Military Type Certificate Holder (MTCH), who will be responsible for managing the MCRI through the life of the platform. A key aspect of DASA agreement will be the assurance that decisions around MCRI grouping are suitable for long-term management of the TCB.
Overview
In some cases, tailoring of the TCB requires agreement from the relevant Operator. Operator agreement is required where operational controls are introduced to overcome design shortfalls or where there is a need to manage a level of risk above that represented by compliance with Authority prescribed design requirements and standards.
This sub-section outlines when Operator agreement is required to support tailoring of the TCB, and how that agreement should be achieved.
An MCRI should be used for any tailoring of the TCB that requires Operator agreement. The following situations and types of MCRIs must be underpinned by Operator agreement:
MCRIs that result in a level of risk above that represented by compliance with the Authority prescribed design requirements and standards (ie Exception MCRIs and some Special Condition MCRIs)
MCRIs that rely on the implementation of operational controls to achieve an equivalent level of safety to a TCB requirement or standard (ie some Equivalent Safety Finding MCRIs).
MCRIs that require Operator agreement must include a reference to where that agreement was achieved on the front page of the MCRI.
Operator agreement must be provided prior to requesting DASA agreement.
Operator Agreement. Tailoring of the TCB that results in an ‘elevated level of risk’77 must be underpinned by Operator agreement. This Operator agreement must be based on appropriate understanding of the risk and potential controls, through the completion of a WHS compliant (7-step) risk management process (refer DASR GM SMS.A.25(b)(2)(2.2) and DASA AC 003/2018 Risk Management in the DASP).
Risk management and Operator agreement underpinning an MCRI can be documented in an Airworthiness Issue Paper (AwIP)88. For non-complex issues with minor safety impact this risk management and Operator agreement can alternatively be documented in an equivalent risk management document, such as the webform AE628 ‘Risk Decision Brief’ (RDB). The RDB does not include a step for DASA input99 and, therefore, DASA can only retrospectively review the risk management process. This is suitable for low-level and non-complex risks, where the risk management is a simple process for the Operator to complete. However, this approach is rarely suitable for more significant or complex risks where DASA input may be required to confirm the understanding of the risk associated with the non-compliance, or to confirm that potential controls have been identified and evaluated appropriately. The AwIP process includes a section for a DASA position, enabling DASA to review the risk evaluation and provide advice to the RMA prior to decisions being made, and therefore is appropriate for more complex or higher level risks.
A key consideration in the acceptability of any risk management process used to justify an MCRI that has an elevated level of risk, is that it must meet the same outcomes as the AwIP, ie it must:
clearly document the full 7-step risk management process based on an accurate understanding of the hazards and risks associated with the TCB non-compliance
demonstrate that co-ordinated technical and operational input have been provided
show that the risk has been appropriately retained.
Risk management cannot be achieved directly through the MCRI as this is an agreement between the applicant (ie project office or MTCH) and DASA, documenting tailoring of the TCB, and does not include the entity responsible for the risk management (ie the Operator).
Any document used to demonstrate Operator agreement for an MCRI must be clearly referenced in the MCRI and traceable in the future. A ‘live’ document that undergoes frequent update (such as a Hazard Log) does not provide a suitable enduring reference for the risk management decision (though it may be used for continuous monitoring and review of a risk that has been assessed and retained elsewhere).
Documentation. The responsibility for the management of a TCB and the responsibility for the management of risk associated with TCB shortfalls belong to two different entities. The applicant is responsible for developing / managing the TCB and ensuring that the type design complies with the TCB, and that the risk associated with any design shortfalls is identified and communicated to the Operator. The Military Air Operator (MAO) is responsible for the management of risk associated with their platform(s). As such, the documentation of the TCB tailoring is separated from the documentation on the management of the associated risk, allowing the applicant (ie project office or MTCH) to manage the former while the MAO manages the latter. While the MCRI must include a reference to the relevant Operator agreement, it cannot not include discussion on the risk, especially the risk characterisation, for the following reasons:
Duplicating the risk management information over two documents (eg the AwIP and MCRI) can lead to conflicts if they are updated separately. Noting that open AwIPs can undergo regular updates as part of an effective continuous monitoring and review system, including the risk detail in the MCRI could drive unnecessary updates to the TCB (via updating the MCRI). Updates to the MCRI should only be required when there is a change to the TCB tailoring that has been agreed.
The MCRI is used to document what standard/benchmark has been accepted for a design, and is underpinned by sound risk management. The risk associated with the MCRI can change as controls (particularly operational controls) are implemented or removed, but this does not necessarily change the type design/certificate and therefore should not automatically require the MCRI to be updated. Changes to controls which impact on the type design/certificate, or which impact on the level of compliance/tailoring in the MCRI, will require the MCRI to be updated.
Continuous monitoring and review of the hazards and risks on the platform is the MAO’s responsibility. The MTCH and supporting design organisation(s) will provide considerable input to the risk management process for hazards and risks associated with the type design however, it should remain clear that the ultimate responsibility for the risk management is with the MAO.
The MCRI must clearly outline how the design does not meet the TCB, what (if any) standard/requirement the design does meet instead, and any relevant controls which have been agreed in lieu of the original requirement (ie risk controls which have been agreed to enable the tailoring to occur)1010. It is not sufficient to reference out to the AwIP (or other risk management document) to provide the understanding of how the TCB is being tailored, as those documents are not part of the certification of the platform and may not be accessible to future designers.
Equivalent Safety Finding (ESF) MCRIs may be agreed by DASA if the risk associated with a non-compliance to the TCB can be eliminated1111 through the implementation of controls. An ESF MCRI that is based on the implementation of risk controls can only be agreed if those controls are implemented in a DASA approved document, such as the TCDS, Military Air Operator – Operations Specification (MAO OpSpec), or the DASA-approved areas of the Aircraft Flight Manual (AFM). Controls implemented solely through Flying Orders or Standing Instructions are not sufficient to enable an ESF MCRI to be approved, as they could be removed without DASA or MTCH knowledge, thus invalidating the ESF justification1212.
26. Operator agreement is required where an MCRI justification relies on the implementation of ‘operational’ controls, to demonstrate that the controls are acceptable from an operational perspective and able to be implemented safely. This Operator agreement may be documented in an AwIP (especially if there are a number of Exceptions related to the same design change that are already being covered by an AwIP), but can equally be documented in a suitable alternative format. Operator agreement cannot be achieved through the MCRI itself, as the MCRI is an agreement between the applicant (ie project office or MTCH) and DASA, and the Operator is not a signatory. Where an AwIP or alternative risk management documentation is used to support an ESF MCRI, it can only be utilised to demonstrate Operator agreement to the implementation of controls, it cannot be used to imply ‘agreement’ to the ESF claim (by DASA or the Operator). The ESF claim must be entirely established and agreed within the MCRI, without reliance on other documents.
TCB tailoring (either with an MCRI or without) must be agreed prior to submitting a declaration of compliance for the relevant certification approval. A declaration of compliance must be made against the approved TCB, therefore if there is outstanding tailoring that has not yet been agreed, compliance cannot be declared. The following flowcharts show the process for gaining agreement to TCB tailoring either with or without an MCRI.