English Pages 389 [368] Year 2022
Springer Series in Reliability Engineering
David Lapesa Barrera
Aircraft Maintenance Programs
Springer Series in Reliability Engineering Series Editor Hoang Pham, Department of Industrial and Systems Engineering, Rutgers University, Piscataway, NJ, USA
More information about this series at https://link.springer.com/bookseries/6917
David Lapesa Barrera Zaragoza, Spain
ISSN 1614-7839 ISSN 2196-999X (electronic) Springer Series in Reliability Engineering ISBN 978-3-030-90262-9 ISBN 978-3-030-90263-6 (eBook) https://doi.org/10.1007/978-3-030-90263-6 © The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preamble
Ever since my early childhood, I have been fascinated with the power of flying. I cannot remember the first time that I looked at the skies and got excited seeing a bird or an aircraft; that is something that I still do, now closer to the airports: just sit and observe the magnificence of nature and the greatness of what the human being has achieved. What I can perfectly recall is the first time that I was concerned about flight safety; I was about ten years old, and fortuitously I watched a movie entitled Alive! (¡Viven! in Spanish) based on the true story of the Fairchild F-27 that crashed in the Andes in 1972. It was a cloudy day and the aircraft repeatedly impacted the mountains, ejecting a few occupants and coming to a stop on a glacier. Despite the accident, many occupants survived initially; some died later as a consequence of the crash and a few more during the next days due to an avalanche. The group had to turn to cannibalism in order to survive until they were rescued more than two months later. That horrifying but beautiful survival story still catches my attention. During my early youth, flying was mostly limited to business trips or people who could afford the expensive ticket prices. Although it may seem rare, it was not until my third year in the Aeronautical University that I actually took my first flight with a low-cost airline, and since then I have never stopped. Flying has given me the chance to know more countries, places, and people than I could have ever dreamt of. After a summer internship in the Spanish Air Force, in which I had the opportunity of optimizing a maintenance check of the McDonnell Douglas EF-18, I definitely decided to initiate my professional career focused on the Continuing Airworthiness of the aircraft.
I have worked for four top airlines in Spain, Switzerland, and the Middle East, participating in really interesting projects such as the introduction of the Airbus A220 (the old Bombardier C Series) to the first operator or managing the Aircraft Maintenance Program of the largest Airbus A380 fleet in the world, or ensuring the airworthiness of the latest Airbus produced design, the A350 aircraft. This book captures the best Aircraft Maintenance Program practices acquired during these years through research, application, and observance of ethical, excellent, and good practices that ensure flight safety, but also recognizing unethical and
poor procedures and behaviors that may compromise it. I came up with the idea of the Triangle of Airworthiness to explain what the minimum aircraft criteria to fly safely are and the considerations in regard to the Aircraft Maintenance Programs to enlarge the triangle in a more cost-effective way. The book presents a comparison of the applicable EASA and FAA regulations. However, it is fair to recognize the honorable experience and contribution of other authorities to aviation safety, such as the UK Civil Aviation Authority, Transport Canada, the Australian Civil Aviation Safety Authority, and many others. It is also necessary to recognize the efforts of the accident investigation authorities, which do incredible work and whose recommendations have significantly contributed to the safety level that we enjoy nowadays in the skies. Special thanks are owed to the leaders that have given me the opportunity to grow both professionally and personally: Pablo Gestal, as Technical Director of Swiftair, Patrick Scherrer, as the Head of Engineering of Swiss International Airlines, Dolf Beltz, as the VP Engineering Planning and IT Systems at Emirates Airline, and Rafael Martinez, as Technical Director of Evelop (Iberojet). Thanks to them I have met eminent Maintenance Program experts, the most inspirational mentors, and my role models: Maritza Leon, Lars Schuster, and Gianluca Ropa; and other commanders that brought exciting discussions and projects to the arena: Blanca Escalante, Francisco Javier Ramos, Gerd Eismann, Nick Green, Paul Davies, Andy Jones, Margalida Salis, Angelo Caldeira and Silvia Neves to name a few.
I must also be grateful for the reason that I have had the chance to connect with plenty of other aviation professionals, mates, and friends during my professional journey; although it is not possible to mention all, with affection: Miguel, Elizabeth, Marta, Esperanza, Alemneh, Timo, Joao, Bassem, Julius, Mohsin, Osama, Andrea, Maria, Amin, Arun, Lokesh, Alberto, Luis, ... I kindly appreciate the organizations that have reviewed and permitted the use of their standards and material in this book, with special allusion to Airlines for America (A4A), the International Civil Aviation Organization (ICAO) and the International Air Transport Association (IATA). And last but not least, thanks to my family and lifelong friends for their inspiration and moral support on whatever the plan is.
Zaragoza, Spain
David Lapesa Barrera
Introduction
This book details the Aircraft Maintenance Program (AMP) standards and requirements for Large Aircraft involved in Commercial Air Transport operations considering two different ICAO regulatory environments. These two models are chosen due to their significant efforts and contributions to worldwide air safety: the European Union Aviation Safety Agency (EASA) and the Federal Aviation Administration (FAA). The Aircraft Maintenance Program is the document that describes the scheduled maintenance tasks, and their prescribed frequency, that are necessary for the safe operation of the aircraft. The AMP, under the operator's responsibility, is a key element to maintain the Continuing Airworthiness of the aircraft, meaning that it remains in a condition for safe operation. The type of aircraft operation is typically classified according to the aircraft takeoff weight and/or the number of passengers that can be carried on board, and the purposes of the flight. Large aircraft are those with a maximum certificated takeoff weight of over 5700 kg, and Commercial Air Transport is the operation of aircraft, scheduled or nonscheduled, to transport passengers, cargo or mail for remuneration or hire. The book includes plenty of examples extracted from aircraft accident/incident investigations in order to understand how they have shaped the regulations through the years and what the impact on the AMP requirements has been. Lastly, the book presents some tools, techniques, and good practices that may help to improve the quality standards of an AMP.
The Triangle of Airworthiness
The Triangle of Airworthiness is a simplified model to understand the processes by which an aircraft and its components are in a safe condition for operation. The sides of the triangle represent the three elements that are required to keep an aircraft airworthy: Safety, Reliability, and Quality.
Fig. 1 Triangle of Airworthiness. (Figure labels: Risks, Lowered Safety, Safety, Improved Safety, Not cost-effective.)
Lack of Safety, Reliability, or Quality standards places the airworthiness level inside the Risks triangle (non-acceptable level). This condition is beyond noncompliance; the appearance of risk factors seriously compromises the safe condition of the operations. On the other side, any added ingredient that inflates the triangle will improve the airworthiness level but may not be cost-effective. The airworthiness success of the operator is defined by the appropriate balance of the three elements of the triangle (Fig. 1).
Safety refers to reducing the possibility of harm to persons or damage to property to a level that is acceptable. The safety standards are set internationally by ICAO and implemented through safety programs at two levels: the State Safety Programs (SSP) and the organization Safety Management Systems (SMS). In the case of EASA, there is an intermediary level that is equivalent to the SSP. It is the European Aviation Safety Program (EASP) that aids the member states in developing their own SSPs. The investigation of occurrences and deviations from the safety standards, which includes the investigation of aircraft incidents and accidents, plays one of the most important roles in the safety programs. The acceptable level of safety is achieved through a continuing process of hazard identification and risk management: appropriate safety culture, occurrence reporting systems, and occurrence investigation. Among these three components, likely the most difficult to achieve is an open safety culture, which is directly related to the
effectiveness of the occurrence reporting systems; some organizations and individuals are still concerned about the implications of reporting, which may be still more pronounced in non-democratic cultures where the safety requirements may be appropriately defined in the organization’s Safety Policy and hanging on every wall but not becoming a fact in a “Just Culture” environment. Fortunately, even though the safety culture and the occurrence reporting systems may be deficient, there is a historical body of work on aircraft accident investigation that has molded the regulations worldwide and made the system more robust.
Reliability refers to the level to which an aircraft or component performs in regard to the intended function given by the design specifications. The reliability level at the design phase is known as Inherent Reliability and can only be transmitted to the manufactured aircraft or component if the Quality functions of the production, Continuing Airworthiness and maintenance organizations are adequate. The target of a Reliability Program is to maintain the Inherent Reliability of the aircraft and its components, which is achieved through a living and effective Aircraft Maintenance Program. The Inherent Reliability can only be improved through redesign, so an appropriate modification policy is required.
Quality refers to the improvement of the processes that ensure an organization is fit and effective. The minimum acceptable level of quality is compliance with the applicable regulations and standards; the organization is responsible for establishing its own Compliance Monitoring/Quality function to ensure this level is maintained. However, the organization can set higher levels of quality that will definitely be related to the success of what the organization does.
The nexus of the three sides of the Airworthiness Triangle is the Risks: the three pillars contribute to the reduction of hazards and are interrelated to each other.
Guidance to Navigate Through the Book
This is a multipurpose book; while the main objective is to raise awareness of the importance of an appropriate and effective Aircraft Maintenance Program to maintain the airworthiness of the aircraft while keeping it cost-effective, it may be read in different ways depending on the objective that the reader is looking for:
– From the regulatory and Technical point of view:
  • Part I Regulatory Environment presents an introduction to the current EASA and FAA regulatory systems and responsibilities,
  • Part II The Aircraft Maintenance Program—Content and Management presents the Aircraft Maintenance Program requirements and their sources,
  • Part III The Reliability Program details the Reliability Program requirements, and
  • Part IV The AMP in the Engineering and Maintenance Organization context identifies the relations of the Maintenance Programs function with other elements of the organization.
– From the Safety perspective:
  • Part V Safety Programs introduces the Safety Programs, including the SMS, and some of the models used to evaluate Human and Organizational Factors.
  • Part V complements the “Lessons Learned” boxes found in Part II that describe some of the aircraft incident/accident investigations that have modeled the current AMP standards and regulations, and Appendix II introduces the aircraft accident investigation processes.
– From the Quality perspective:
  • Part VI AMP Quality Improvement Tools and Methods introduces the Compliance Monitoring/Quality function and compiles a series of tools and techniques for the quality improvement of the AMP.
  • Parts II and III also incorporate useful practices to be taken into consideration during the development of the program.
Most of the standards and regulatory requirements quoted have been simplified for better understanding, and therefore DO NOT SUBSTITUTE ANY APPLICABLE STANDARD OR REGULATION. Please refer to the applicable requirements in the appropriate regulatory environment at the time of developing an approved AMP.
Some concepts considered in this book may be useful in the development of Maintenance Programs for other purposes than commercial operations of large aircraft, such as programs for different aircraft/operation categories or programs required by different industries such as naval, oil, or pharmaceutical Maintenance Programs.
When “competent authority” is referenced, it is the designated body responsible for the subject matter, e.g., the competent authority for the approval of a Type Design is the Certification Authority, e.g. EASA or the FAA; the competent authority for the approval of an AMP is the corresponding ministry or national aviation authority of each EASA member state, as appropriate (FAA does not require the AMP approval, it is part of the Ops Spec); or the competent authority for operational approvals is the corresponding ministry or national aviation authority of each EASA member state or the FAA, as appropriate.
Contents

Part I Regulatory Environment
1 ICAO and the Aviation Authorities
  1.1 The International Civil Aviation Organization (ICAO)
  1.2 The European Union Aviation Safety Agency (EASA)
  1.3 The Federal Aviation Administration (FAA)
  1.4 Civil Aviation Authorities
  1.5 Bilateral Aviation Safety Agreements (BASA)
2 The Story of Airworthiness Approvals and Certifications
  2.1 Initial Airworthiness
  2.2 Operation
  2.3 Continuing Airworthiness
  2.4 Maintenance
3 Continuing Airworthiness Management—Organization and AMP Requirements
  3.1 EASA: CAMO, CAME and AMP Requirements
  3.2 FAA: CAMP, Maintenance Schedule and AMP Requirements
4 Instructions for Continuing Airworthiness (ICA)
  4.1 ICA—Design Organizations Responsibilities
    4.1.1 ICA—EASA Design Organization—Specifications and Regulations
    4.1.2 ICA—FAA Design Organization—Specifications and Regulations
    4.1.3 E.U.–U.S. Bilateral Agreement—Design Organization Approvals
Part II Aircraft Maintenance Programs: Content and Management
5 AMP Content and Maintenance Planning Document (MPD)
  5.1 AMP Content
    5.1.1 General Considerations
    5.1.2 AMP Preamble—Procedures
    5.1.3 AMP Structure
    5.1.4 AMP Revision
  5.2 Maintenance Planning Document (MPD)
    5.2.1 MPD and AMM/IPC Revision Cycle
  5.3 Maintenance Requirement and Task Card
6 AMP Primary Sources
  6.1 Maintenance Review Board Report (MRBR)
    6.1.1 The International Maintenance Review Board Policy Board (IMRBPB)
    6.1.2 The International MRB/MTB Process Standard (IMPS)
    6.1.3 Policy and Procedures Handbook (PPH)
    6.1.4 Utilization Considerations
    6.1.5 The Maintenance Steering Group (MSG)
    6.1.6 MSG-3 Analysis Methodology
    6.1.7 Issue Paper 44 (IP 44): MRB Evolution/Optimization Guidelines
  6.2 Airworthiness Limitations (ALS) and Certification Maintenance Requirements (CMR)
    6.2.1 Requirements Derived from Systems Safety Analysis (SSA)
    6.2.2 Requirements Derived from the Damage Tolerance and Fatigue Evaluation of the Structure
    6.2.3 Examples of ALS Documentation Data Packages
7 AMP Secondary Sources: Aging Aircraft
  7.1 Continuing Structural Integrity Program
    7.1.1 Supplemental Structural Inspection Program (SSIP)
    7.1.2 Corrosion Prevention and Control Program (CPCP)
    7.1.3 SSIP/CPCP Implementation
8 AMP Secondary Sources: MCAI, Modifications and Repairs, and Non-mandatory Recommendations
  8.1 Mandatory Continuing Airworthiness Information (MCAI)—Airworthiness Directives (AD)
  8.2 Modifications and Repairs
    8.2.1 Modifications
    8.2.2 Repairs
    8.2.3 Modifications/Repairs Scheduled Requirements
  8.3 Non-mandatory Recommendations
    8.3.1 Service Bulletins (SB)
    8.3.2 Service Letters (SL)
  8.4 Embodiment Policy
9 AMP Secondary Sources: Operational Requirements and Changes to the Operation Type
  9.1 Scheduled Requirements Derived from Specific Operation Approvals
    9.1.1 Reduced Vertical Separation Minima (RVSM)
    9.1.2 Minimum Navigation Performance Specifications (MNPS)
    9.1.3 Performance-Based Navigation (PBN): RNAV and RNP
    9.1.4 Extended Diversion Time Operations (EDTO)—ETOPS/LROPS
    9.1.5 All Weather Operations (AWO)
  9.2 Low Utilization Maintenance Program (LUMP)
  9.3 Miscellaneous Scheduled Requirements
    9.3.1 Preflight Check
    9.3.2 Safety/Emergency Equipment
    9.3.3 Emergency Locator Transmitter (ELT)
    9.3.4 Flight Recorders
    9.3.5 Weight and Balance
10 Components Maintenance Program
  10.1 Acceptance of Components
    10.1.1 Component Authorized Release Certificate
    10.1.2 Conformity Documentation/Statement
    10.1.3 Suspected Unapproved Parts (SUP)
    10.1.4 Organization Responsibilities
  10.2 Component Maintenance Manuals (CMM)
  10.3 Details of Specific Component Programs
    10.3.1 Evacuation Slides
    10.3.2 Landing Gear
    10.3.3 Powerplant, Thrust Reverser, and Auxiliary Power Unit (APU)
  10.4 Aircraft Configuration Management
  10.5 Robbery Procedures
  10.6 Component Maintenance Program Structure
11 AMP Task Interval Management
  11.1 Maintenance Clock
    11.1.1 First Accomplishment of Tasks—Starting Point
    11.1.2 Repeat Interval
    11.1.3 Credit from Accomplishment of a Different Task
  11.2 Grace Period (Compliance Time)
  11.3 Permitted Variations
    11.3.1 Scope of the Permitted Variations
    11.3.2 Maximum Permitted Variation
    11.3.3 Permitted Variations—Interval Management
  11.4 Exceptional Short-Term Extension
    11.4.1 Scope of the Exceptional Short-Term Extension
    11.4.2 Exceptional Short-Term Extensions—Interval Management
  11.5 Task Escalation
    11.5.1 Scope of the AMP Task Escalation
12 AMP Evolution/Optimization
  12.1 AMP Evolution/Optimization: Assessment of Resources
  12.2 AMP Evolution/Optimization Based on MRB Evolution/Optimization (Process Mirror)
13 Maintenance Checks and Bridge Programs
  13.1 Maintenance Checks
    13.1.1 Types of Maintenance
    13.1.2 Maintenance Check Concepts
    13.1.3 Task Repackaging
  13.2 Bridge Programs
    13.2.1 Bridge Program Causes
    13.2.2 AMP Bridging Considerations
14 Aircraft Induction
  14.1 Aircraft Induction: The AMP Revision
  14.2 Aircraft Induction—Documental Review for AMP Compliance
15 Critical Maintenance Tasks/Required Inspection Items
  15.1 Critical Maintenance Tasks and Identical Tasks (EASA)
  15.2 Required Inspection Items (FAA)
  15.3 Dual Maintenance on Extended Diversion Time Operations (EDTO) Significant Systems
  15.4 Integration into the AMP
Part III The Reliability Program
16 Reliability Program Regulatory Requirements
  16.1 EASA—Reliability Program Requirements
  16.2 FAA—Continuing Analysis Surveillance System (CASS)
17 Reliability Program Process
  17.1 Sources of the Reliability Program
  17.2 Analysis of Reliability Data
    17.2.1 Performance Standards
    17.2.2 Deviations from Performance Standards
  17.3 Reliability Root Cause Analysis (RCA)
  17.4 Corrective Actions
18 AMP Task Effectiveness
  18.1 AMP Task Effectiveness Analysis
    18.1.1 In-Service Data
    18.1.2 Analysis
    18.1.3 Recommendations
    18.1.4 Approval and Implementation
19 Reliability Analysis Results
  19.1 Reliability Reports
  19.2 Reliability Meetings

Part IV The AMP in the Engineering and Maintenance Organization Context
20 The Engineering and Maintenance Organization
  20.1 Aircraft Asset Management
  20.2 Engineering Services
    20.2.1 Technical Publications
    20.2.2 Technical Records
    20.2.3 Technical Services
    20.2.4 Maintenance Programs
    20.2.5 Reliability
    20.2.6 Maintenance Planning and Scheduling
    20.2.7 IT Systems
  20.3 Maintenance
    20.3.1 Production Planning and Control
    20.3.2 Maintenance Control Center
    20.3.3 Line/Base Maintenance
    20.3.4 Workshops
  20.4 Supply Chain and Material Support
    20.4.1 Inventory Control
    20.4.2 Procurement
20.4.3 Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20.4.4 Component Repairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20.4.5 Warranty and Insurance . . . . . . . . . . . . . . . . . . . . . . . . . . . 20.5 Oversight Functions: Compliance Monitoring/quality and Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20.6 Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20.7 Others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
249 249 249 250 250 250
21 Interface of the Maintenance Program with Other Functions . . . . . . 253 21.1 Service Level Agreements (SLA) . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 22 Impact of the AMP Revision on the Organization . . . . . . . . . . . . . . . . 257 Part V
Safety Management
23 Hazards and Safety Risks
24 Human Factors
24.1 Human Factors Modeling
24.1.1 The Shell Model
24.1.2 The Pear Model
24.2 The Dirty Dozen
24.2.1 Lack of Communication
24.2.2 Complacency
24.2.3 Lack of Knowledge
24.2.4 Distraction
24.2.5 Lack of Teamwork
24.2.6 Fatigue
24.2.7 Lack of Resources
24.2.8 Pressure
24.2.9 Lack of Assertiveness
24.2.10 Stress
24.2.11 Lack of Awareness
24.2.12 Norms
25 Organizational Factors
25.1 The Reason’s Model (Swiss Cheese Model)
25.2 Case Study: Overdue Airworthiness Directive
26 Safety Programs
26.1 Safety Management Principles
26.2 SMS: EASA and FAA Approaches
26.3 Safety Reporting Systems and Exchange of Information
26.3.1 Types of Safety Reporting Systems
26.3.2 Safety Information Exchange
26.3.3 Safety Data Format
26.4 Safety Culture

Part VI Quality Improvement Tools and Methods
27 Audits
27.1 Regulations and Standards
27.1.1 Regulatory Audit
27.1.2 IATA Operational Safety Audit (IOSA)
27.1.3 ISO 9001:2015 Quality Management Systems
27.2 Preparing for an Audit
28 Problem Solving
28.1 Root Cause Analysis
28.1.1 Five Why Analysis
28.1.2 Cause and Effect Diagram (Fishbone Diagram)
28.1.3 Bow-Tie Diagram
28.1.4 Failure Mode and Effects Analysis (FMEA)
28.2 Reactive Problem-Solving Methodologies
28.2.1 A3 Method
28.2.2 Maintenance Error Decision Aid (MEDA)
29 Continuous Improvement Methodologies and Tools
29.1 Continuous Improvement Methodologies
29.1.1 Lean
29.1.2 Kaizen
29.1.3 Six Sigma
29.1.4 Agile
29.2 Continuous Improvement Tools
29.2.1 Process Mapping
29.2.2 The Re Method: Eliminating Overprocessing Waste
29.2.3 6S Method
29.2.4 Scrumban: Scrum and Kanban
29.2.5 Poka-Yoke
29.2.6 Gemba Walk
29.2.7 Kaizen Events
30 Decision Making
30.1 Business Intelligence (BI)
30.2 Cost–Benefit Analysis
31 Innovation
31.1 Automation
31.1.1 Robotic Process Automation (RPA)
31.1.2 Radio-Frequency Identification (RFID)
31.1.3 Maintenance Automation
31.2 Toward Predictive and Prescriptive Aircraft Maintenance
31.3 Blockchain
Appendix A: Introduction to Aircraft Maintenance Program Costs
Appendix B: Introduction to Aircraft Accident Investigation
EASA Regulation Codes
Acronyms
A4A: Airlines for America
AAIB: Air Accidents Investigation Branch (United Kingdom)
AAIC: Aircraft Accident Investigation Commission (Japan)
AAIP: Approved Aircraft Inspection Program
AAM: Aircraft Asset Management
AAPID: Aviation Accidents Prevention and Investigation Department (Portugal)
AbIR: Airborne Image Recorder
AC: Advisory Circular
ACARS: Aircraft Communication Addressing and Reporting System
AD: Airworthiness Directive or Accidental Damage (refer to the context)
ADREP: Accident/Incident Data Reporting
ADS-B: Automatic Dependent Surveillance Broadcast
AFM: Aircraft Flight Manual
AHM: Aircraft Health Monitoring
AI: Artificial Intelligence
AIBN: Accident Investigation Board Norway
AIDS: Accident/Incident Database System
AIR: Aircraft Inspection Report
ALI: Airworthiness Limitation Item/Inspection
ALS: Airworthiness Limitation
AltMC: Alternative Means of Compliance
AM: Accountable Manager
AMC: Acceptable Means of Compliance
AML: Aircraft Maintenance License
AMM: Aircraft Maintenance Manual
AMOC: Acceptable Means of Compliance
AMP: Aircraft Maintenance Program
ANS: Air Navigation Services
AOA: Angle Of Attack
AOC: Air Operator Certificate
AOG: Aircraft On Ground
AOM: Aerodrome Operating Minima
APU: Auxiliary Power Unit
ARAC: Aviation Rulemaking Advisory Committee
ARC: Airworthiness Review Certificate
ARL: Aircraft Readiness Log
ASA: Aviation Safety Advisory
ASIAS: Aviation Safety Information Analysis and Sharing Program
ASRS: Aviation Safety Reporting System
ATA: Air Transport Association
ATC: Air Traffic Control
ATM: Air Traffic Management
ATS: Air Traffic Services
ATSB: Australian Transport Safety Bureau
AWO: All Weather Operations
BASA: Bilateral Aviation Safety Agreement
BEA: Bureau of Enquiry and Analysis for Civil Aviation Safety (France)
BI: Business Intelligence
BLG: Body Landing Gear
BPMN: Business Process Model and Notation
CA: Certification Authority
CAA: Civil Aviation Authority
CAME: Continuing Airworthiness Management Exposition
CAMMOE: Continuing Airworthiness Management and Maintenance Organization Exposition
CAMO: Continuing Airworthiness Management Organization
CAMP: Continuous Airworthiness Maintenance Program
CAREP: Cabin Report
CASS: Continuing Analysis and Surveillance System
CAT: Commercial Air Transport
CAT I: Category I operation
CAT II: Category II operation
CAT III: Category III operation
CBA: Cost-benefit Analysis
CCMR: Candidate Certification Maintenance Requirement
CDCCL: Critical Design Configuration Control Limitation
CDL: Configuration Deviation List
CENIPA: Aeronautical Accident Investigation and Prevention Center (Brazil)
CFR: Code of Federal Regulations
CG: Centre of Gravity
CGREP: Cargo Report
CLN: Cleaning
CM: Compliance Monitoring
CMCC: Certification Maintenance Coordination Committee
CMM: Component Maintenance Manual
CMP: Configuration, Maintenance and Procedures
CMR: Certification Maintenance Requirement
CMT: Critical Maintenance Task
CoC: Certificate of Conformance
CofA: Certificate of Airworthiness
CPCP: Corrosion Prevention and Control Program
CR: Cancelation Rate
CRD: Comment Response Document
CREEP: Container, Restraints, Energy Absorption, Environment, and Post-crash
CRM: Crew Resource Management
CRS: Certificate of Release to Service
CS: Certification Specifications
CSN: Cycles Since New
CSO: Cycles Since Overhaul
CSR: Cycles Since Repair
CVFDR: Cockpit Voice Flight Data Recorder
CVR: Cockpit Voice Recorder
CWT: Center Wing Fuel Tank
DA: Decision Altitude
DAH: Design Approval Holder
DD: Deferred Defect
DDP: Detail Design Point
DDRS: Documentation Discrepancy Reporting System
DER: Designated Engineer Representative
DET: Detailed Visual Inspection
DH: Decision Height
DIS: Discard
DLR: Data Link Recorder
DMAIC: Define, Measure, Analyze, Improve, and Control
DMC: Direct Maintenance Costs
DME: Distance Measuring Equipment
DOC: Direct Operating Costs
DoI: Date of Installation
DoLA: Date of Last Accomplishment
DoM: Date of Manufacture
DOT: Department Of Transportation
DSG: Design Service Goal
DT: Damage Tolerance
DTE: Damage Tolerant Evaluation
DTI: Damage Tolerant Inspection
EAD: Emergency Airworthiness Directive
EASA: European Union Aviation Safety Agency
EASP: European Aviation Safety Program
ECAST: European Commercial Aviation Safety Team
ECCAIRS: European Coordination Centre for Accident and Incident Reporting Systems
ECM: Engine Condition Monitoring
ECR-ECCAIRS: European Central Repositories for Occurrences
ECR-SRIS: European Central Repository for Safety Recommendations
ED: Environmental Deterioration
EDTO: Extended Diversion Time Operations
EEL: Emergency Equipment Layout
ELT: Emergency Locator Transmitter
EMI: Electromagnetic Interference
EMK: Emergency Medical Kit
EO: Engineering Order
EOL: End Of Lease
ESD: Electrostatic Sensitive Devices
ETOPS: Extended Range Twin-engine Operations/Extended Operations
ETSO: European Technical Standard Order
ETSOA: European Technical Standard Order Authorization
EUR RMA: European Regional Monitoring Agency
EUROCAE: European Organization for Civil Aviation Equipment
EVS: Enhanced Vision System
EWIS: Electrical Wiring Interconnect Systems
EZAP: Enhanced Zonal Analysis Procedure
FAA: Federal Aviation Administration
FAK: First Aid Kit
FAL: Fuel Airworthiness Limitation
FAR: Federal Aviation Regulations
FC: Flight Cycle
FCOM: Flight Crew Operating Manual
FD: Fatigue Damage
FDM: Flight Data Monitoring
FDR: Flight Data Recorder
FEC: Failure Effect Category
FF: First Flight
FH: Flight Hour
FL: Flight Level
FMEA: Failure Mode Effect Analysis
FNC: Functional Check
FNPRM: Further Notice of Proposed Rulemaking
FOQA: Flight Operations Quality Assurance
FQIS: Fuel Quantity Indicating System
FRS: Flammability Reduction System
FTA: Fault Tree Analysis
GLS: GNSS Landing System
GM: Guidance Material
GNSS: Global Navigation Satellite System
GVI: General Visual Inspection
HAZOPS: Hazard and Operability Studies
HFACS: Human Factors Analysis and Classification
HIRF: High Intensity Radiated Field
HPC: High-Pressure Compressor
HPT: High-Pressure Turbine
HT: Hard-time
HUD: Head-Up Display
IATA: International Air Transport Association
ICA: Instructions for Continuing Airworthiness
ICAO: International Civil Aviation Authority
IFSD: In-Flight Shut Down
IFTB: In-Flight Turn Back
IGGS: Inert Gas Generation System
IIC: Investigator in Charge
ILS: Instrument Landing System
IMC: Indirect Maintenance Costs
IMM: Ignition Mitigation Mean
IMPR: Industrial Import Price Index
IMPS: International MRB/MBT Process Standard
IMRBPB: International Maintenance Review Board Policy Board
IOSA: IATA Operational Safety Audit
IP: Issue Paper
IPA: Implementation Procedures for Airworthiness
IPC: Illustrated Parts Catalogue
IR: Implementing Rule
ISARP: IOSA Standards and Recommended Practices
ISC: Industry Steering Committee
ISI: In-Service Information
ISM: IOSA Standards Manual
ISO: International Organization for Standardization
IT: Information Technology
JAA: Joint Aviation Authorities
JAR: Joint Aviation Requirements
JIC: Job Instruction Card
JIT: Just in Time
KPI: Key Performance Indicator
L/HIRF: Lightning/High Intensity Radiated Field
LCI: Labor Cost Index
LDG: Landing
LEP: Life Extension Program
LG: Landing Gear
LHSI: Lightning/HIRF Significant Item
LLP: Life Limited Part
LOPA: Layout Of Passenger Accommodation
LOV: Limit Of Validity
LVO: Low Visibility Operation
LPC: Low-Pressure Compressor
LPT: Low-Pressure Turbine
LROPS: Long Range Operations
LRU: Line Replaceable Unit
LTVO: Low Visibility Takeoff
LUB: Lubrication
LUMP: Low Utilization Maintenance Program
LUR: Low Utilization Recommendations
MAREP: Maintenance Report
MAT: Maintenance Access Terminal
MCAI: Mandatory Continuing Airworthiness Information
MCAS: Maneuvering Characteristics Augmentation System
MCBF: Mean Cycles Between Failures
MCBUR: Mean Cycles Between Unscheduled Removals
MCC: Maintenance Control Center
MCTF: Mean Cycles To Failure
MCTUR: Mean Cycles To Unscheduled Removal
MEDA: Maintenance Error and Decision Aid
MEL: Minimum Equipment List
MLS: Microwave Landing System
MMEL: Master Minimum Equipment List
MNSP: Minimum Navigation Performance Specifications
MOE: Maintenance Organization Exposition
MOR: Maintenance Occurrence Report
MP: Maintenance Programs
MP&S: Maintenance Planning & Scheduling
MPD: Maintenance Planning Document
MPIG: Maintenance Programs Industry Group
MRB: Maintenance Review Board
MRBR: Maintenance Review Board Report
MRM: Maintenance Resource Management
MSG: Maintenance Steering Group
MSI: Maintenance Significant Item
MTB: Maintenance Type Board
MTBF: Mean Time Between Failures
MTBUR: Mean Time Between Unscheduled Removals
MTTF: Mean Time To Failure
MTTR: Mean Time To Repair
MTTUR: Mean Time To Unscheduled Removal
MWG: Maintenance Working Group
NAA: National Aviation Authority
NAARMO: North American Approvals Registry and Monitoring Organization
NASA: National Aeronautics and Space Administration
NDT: Non-Destructive Test
NFFR: No Fault Found Rate
NGS: Nitrogen Generation System
NLG: Nose Landing Gear
NPA: Notice of Proposed Amendment
NPH: Nominated Post Holder
NPRM: Notice of Proposed Rulemaking
NTSB: National Transportation Safety Board (United States)
OC: On-Condition
OCy: Operating Cycles
OEM: Original Equipment Manufacturer
OH: Operating Hours
OMS: On-board Maintenance System
OPC: Operational Check
Ops Spec: Operations Specifications
OR: Operational Reliability
P/N: Part Number
PAD: Proposed Airworthiness Directive
PAP: Protection Assurance Plan
PBE: Performance Breathing Equipment
PBN: Performance Based Navigation
PCU: Power Control Unit
PDCA: Plan, Do, Check, and Act
PEAR: People, Environment, Actions, and Resources
PFMEA: Process Failure Mode Effect Analysis
PHM: Prognostics and Health Management
PIREP: Pilots Report
PMA: Parts Manufacturer Approval
PP&C: Production Planning and Control
PPH: Policy and Procedures Handbook
PPI: Producer Price Index
PSE: Principal Structural Element
QA: Quality
QAR: Quick Access Recorder
QMS: Quality Management System
RCA: Root Cause Analysis
RDAS: Repair Design Approval Sheet
RFID: Radio-Frequency Identification
RII: Required Inspection Item
RMA: Regional Monitoring Agency
RMPIG: Rotorcraft Maintenance Programs Industry Group
RNAV: Area Navigation
RNP: Required Navigation Performance
ROI: Return on Investment
RPA: Robotic Process Automation
RSC: Removable Structural Component
RST: Restoration
RTCA: Radio Technical Commission for Aeronautics
RVR: Runway Visual Range
RVSM: Reduced Vertical Separation Minima
S/N: Serial Number
SAR: Search and Rescue
SARPs: Standards and Recommended Practices
SB: Service Bulletin
SCR: Schedule Completion Rate
SDCPS: Safety Data Collection and Processing Systems
SDI: Special Detailed Inspection
SDR: Service Difficulty Report
SDRS: Service Difficulty Reporting System
SEMR: System Equipment Maintenance Requirement
SF: Severity Factor
SFAR: Special Federal Aviation Regulations
SFI: Safety Performance Indicator
SHELL: Software, Hardware, Environment, and Liveware
SHM: Structural Health Monitoring
SID: Standard Instrument Departure
SIP: Structural Integrity Program
SIPOC: Suppliers, Inputs, Process, Outputs, and Customers
SL: Service Letter
SLA: Service Level Agreement
SM: Safety Manager
SMS: Safety Management System
SOP: Standard Operating Procedure
SR: Success Rate
SRM: Structural Repair Manual
SRS: Safety Reporting System
SSA: System Safety Analysis
SSAD: Sensitive Security Airworthiness Directive
SSD: Significant Standard Differences
SSI: Structural Significant Item
SSID: Supplemental Structural Inspection Document
SSIP: Supplemental Structural Inspection Program
SSP: State Safety Program
SSR: Secondary Surveillance Radar
STAR: Standard Instrument Arrival
STC: Supplemental Type Certificate
STCH: Supplemental Type Certificate Holder
SUP: Suspected Unapproved Part
SVC: Servicing
SWG: Structures Working Group
SWIFT: Structured What-If
SWOT: Strengths, Weaknesses, Opportunities, and Threats
SWPM: Standard Wiring Practices Manual
TC: Type Certificate
TCAS: Traffic Collision Avoidance System
TCH: Type Certificate Holder
TCU: Task Unitary Cost
TDR: Technical Dispatch Reliability
TIP: Technical Implementation Procedures
ToT: Transfer of Title
TP: Technical Publications
TR: Technical Records
TS: Technical Services
TSB: Transport Safety Board (Canada)
TSN: Time Since New
TSO: Technical Standard Order
TSO: Time Since Overhaul
TSOA: Technical Standard Order Authorization
TSR: Time Since Repair
UAV: Unmanned Aerial Vehicle
ULB: Underwater Locator Beacon
Unsch RR: Unscheduled Removal Rate
USOAP: Universal Safety Oversight Program
VA: Validation Authority
VCK: Visual Check
VOR: Very High Frequency (VHF) Omni-Directional Range
VSB: Vendor Service Bulletin
VSM: Value Stream Map
WFD: Widespread Fatigue Damage
WG: Working Group
WI: Work Instruction
WLG: Wing Landing Gear
Part I
Regulatory Environment
Chapter 1
ICAO and the Aviation Authorities
1.1 The International Civil Aviation Organization (ICAO)

The International Civil Aviation Organization (ICAO) is an agency of the United Nations that works with 193 member states and industry groups. ICAO has its origin in the Convention on International Civil Aviation, signed in Chicago on 7 December 1944 and known as the Chicago Convention. ICAO's prime objective is to develop international civil aviation in a safe and orderly manner.

ICAO works with the member states and industry groups to reach consensus on international civil aviation Standards and Recommended Practices (SARPs) and policies. These SARPs and policies are used by the ICAO Member States to ensure that their local civil aviation operations and regulations conform to global norms. ICAO also issues a series of documents (Docs) for guidance and interpretation of the SARPs.

Member states are required to notify ICAO of any differences that may exist between their national regulations and the ICAO SARPs. These differences are published in the form of supplements to the SARPs Annexes.

The ICAO SARPs and Docs guidance relevant to the subject of study are:

• Annex 6—Operation of Aircraft, Part I—International Air Transport—Aeroplanes [1]
• Annex 8—Airworthiness of Aircraft [2]
  – Doc 9760—Airworthiness Manual [3]
• Annex 19—Safety Management [4]
[1] Annex 6 Operation of Aircraft Part I—International Commercial Air Transport—Aeroplanes. ICAO. Eleventh Edition—July 2018.
[2] Annex 8 Airworthiness of Aircraft. ICAO. Twelfth Edition—July 2018.
[3] Airworthiness Manual (Doc 9760). ICAO. Third Edition—2014.
[4] Annex 19 Safety Management. ICAO. Second Edition—July 2016.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022. D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_1
  – Doc 9859—Safety Management Manual [5]

The European and American authorities, EASA and FAA respectively, are members of ICAO, and their operation and airworthiness regulations thoroughly comply with the standards dictated by ICAO Annexes.
1.2 The European Union Aviation Safety Agency (EASA)

The main tasks of the European Union Aviation Safety Agency (EASA) are rulemaking, drafting aviation safety legislation, and providing technical advice to the European Commission (EC) and the Member States. In addition to all European Union States, some non-E.U. countries are also Members of EASA (Norway, Iceland, Liechtenstein, and Switzerland).

Until the formation of EASA, an association of European Civil Aviation Authorities, the Joint Aviation Authorities (JAA), cooperated to develop and implement common safety standards: the Joint Aviation Requirements (JAR). The regulatory function lay with each member state, while the member states recognized the JAR specifications as an acceptable basis for their regulatory frameworks. The JAA system led to different interpretations of the standards, which affected the efficiency of the specifications. EASA gradually absorbed the functions of the JAA as the European regulatory authority, which has significantly improved the execution of the standards.

The EASA Regulation is structured at different levels: rules, specifications, acceptable means of compliance, and guidance.

The so-called Implementing Rules (IRs)/Regulation (hard law) are binding on the E.U. States once adopted by the EC.

The Acceptable Means of Compliance (AMC) (soft law) are non-binding. The AMC serve as means by which the requirements contained in the Basic Regulation and the IRs can be met. NAAs and organizations may decide to show compliance with the requirements by proposing Alternative Means of Compliance (AltMoC).

The Guidance Material (GM) (soft law) is non-binding explanatory and interpretation material on how to achieve the requirements.

The Certification Specifications (CS) (soft law) are non-binding technical standards used to meet the essential requirements.
EASA consolidates each part of its regulation into “Easy Access Rules” documents, so each regulatory element of the IR is followed by the related AMC and GM paragraphs.

EASA Regulations differentiate the Technical/Organizational Requirements from the rules applicable to the competent authorities. Initial and Continuing Airworthiness rules (IR + AMC/GM) are structured into two sections: Section A for the Technical/Organizational Requirements and Section B for the procedures applicable to competent authorities. Operation Rules (Air Ops) applicable to competent authorities are described in Part-ARO, the organizational requirements in Part-ORO, and the operation requirements in the rest of the Air Ops Parts. The regulations in the EASA system that serve to ensure the airworthiness of large aircraft involved in commercial air transport, and that are relevant to the subject of study, are detailed in Fig. 1.1. [6]

[5] Safety Management Manual (Doc 9859). ICAO. Fourth Edition—2018.

[Figure 1.1: diagram of EASA Rulemaking. Group labels: Initial Airworthiness; Specifications; Additional Airworthiness Specifications; Continuing Airworthiness; Air Operations; Others. Items shown: Part-21 Design, Certification and Production; CS-25 Large Aircraft; CS-26 Additional Airworthiness Specifications; CS-E Engines; CS-P Propellers; CS-APU Auxiliary Power Units; CS-ETSO European Technical Standard Orders; CS-AWO All Weather Operations; AMC-20 AMC for Airworthiness of Products, Parts and Appliances; Part-M Continuing Airworthiness Management (*)(**); Part-CAMO Continuing Airworthiness Management Organizations (**); Part-145 Maintenance Organizations; Part-ORO Organization requirements for Air Operations; Part-CAT Commercial Air Transport Operations; Part-SPA Specific Approvals Operations.]

Fig. 1.1 Relevant (AMP) EASA regulation. (*) For reference only, Part-M applies to large aircraft and components for installation which are registered in an EASA member state or whose oversight is delegated to an EASA member state. If the oversight of an EASA registered aircraft and components for installation is delegated to a third country and the aircraft is not used by an E.U. operator, Part-M does not apply. For large aircraft registered in a third country for which the oversight function is not delegated to an EASA member state (dry lease by a licensed air carrier), the corresponding requirements are listed in Part-T. (**) The last revision of the EASA Continuing Airworthiness regulation (incorporating Regulation (EU) 2019/1383) re-structures the requirements for organizations managing the continuing airworthiness of aircraft into two new parts: Part-CAMO (in replacement of Part-M Subpart F) and Part-CAO (in replacement of Part-M Subpart G for Combined Airworthiness Organizations (Continuing Airworthiness Management and/or Maintenance for non-large aircraft and non-licensed air carrier)). For the new Part-CAMO, applicable to large aircraft, the main difference with regard to Part-M is the introduction of Safety Management System (SMS) principles

EASA Rulemaking Process

EASA draws up Terms of Reference (ToR) for each rulemaking project after consulting its advisory bodies. The ToR defines the project and its scope, the process to be followed, the timetable for completion, and details of the rulemaking group, if needed. The first draft of the rules and proposed actions are published in the form of a Notice of Proposed Amendment (NPA). NPAs are published on the EASA website to allow any person/organization to submit their comments in the form of a Comment Response Document (CRD). CRDs are summarized and also published with the EASA response to those comments together with the final EASA Decision (ED) (soft law). When the rulemaking process leads to a change in the scope and content of the Basic Regulation, EASA issues Opinions (comprising a draft regulation and an explanatory memorandum), which are submitted to the EC as proposals to change existing regulations or create new ones (hard law).
1.3 The Federal Aviation Administration (FAA)

The Federal Aviation Administration (FAA), part of the United States Department of Transportation, is the agency that regulates civil aviation within the USA.

The Code of Federal Regulations (CFR) comprises the general and permanent rules published by the departments and agencies of the U.S. Federal Government, organized by subject area. 14 CFR contains the rules published by the FAA on the subject of Aeronautics and Space.

The Special Federal Aviation Regulations (SFAR) are temporary rules that address temporary situations. SFAR are listed at the beginning of the related CFR.

The FAA Orders and Notices are guidance material applicable only to FAA employees, although the general public may find them of interest. For example, the Flight Standards Information Management System (FSIMS), ruled by FAA Order 8900.1, is the repository of all Flight Standards policy and guidance with regard to aviation safety inspector job tasks. Although it is dedicated to aviation safety inspectors, it is of interest to any organization that must comply with any of the 14 CFRs.
[6] References to the EASA Regulations used for the development of this book are detailed in the end chapter EASA Regulation Codes.
[Figure 1.2: diagram of FAA Rulemaking (14 CFR). Items shown:
Subchapter A - Definitions and General Requirements: Part 5 Safety Management Systems.
Subchapter B - Procedural Rules: Part 13 Investigative and enforcement procedures.
Subchapter C - Aircraft: Part 21 Certification procedures for products and articles; Part 25 Airworthiness Standards: Transport Category Airplanes; Part 26 Continued Airworthiness and Safety improvements for Transport Category Airplanes; Part 33 Airworthiness Standards: Aircraft Engines; Part 34 Fuel Venting and Exhaust emission requirements for Turbine Engine powered Airplanes; Part 35 Airworthiness Standards: Propellers; Part 39 Airworthiness Directives; Part 43 Maintenance, Preventive Maintenance, Rebuilding, and Alteration.
Subchapter F - Air Traffic and General Operating Rules: Part 91 General Operating and Flight Rules.
Subchapter G - Air Carriers and Operators for compensation or hire: Certification and Operations: Part 121 Operating Requirements: Domestic, Flag, and Supplemental Operations; Part 135 Operating Requirements: Commuter and On Demand Operations and Rules governing persons on board such aircraft.
Subchapter H - Schools and other certified agencies: Part 145 Repair Stations.
Also shown: SFAR 88 Fuel Tank; Advisory Circulars (AC); Orders and Notices; FSIMS (Order 8900.1).]
Fig. 1.2 Relevant (AMP) FAA Basic Regulation
The Advisory Circulars (AC) are non-binding information and guidance provided by the FAA that are acceptable to comply with the regulation.

For the purposes of the airworthiness of large aircraft involved in commercial air transport, the relevant CFR and SFAR are shown in Fig. 1.2. [7]

14 CFRs are widely known as Federal Aviation Regulations (FAR). However, due to confusion with the Federal Acquisition Regulations (48 CFR), which relate to a different subject (acquisition of goods and services), the FAA advises against the use of the acronym to refer to FAA regulations.

[7] 14 CFR used for the development of this book are based on e-CFR current data as of 8 June 2020.

FAA Rulemaking Process

The FAA draft rules and proposed actions are published as a Notice of Proposed Rulemaking (NPRM). NPRMs are usually published in the Federal Register to allow any interested party to submit comments, but they may be distributed only to specific interested parties. If the comments considerably change the original NPRM and additional judgment is required, a Further NPRM (FNPRM) is published. The NPRM and all the related documents (comments, supporting documents, data, analysis, extensions of comment periods, etc.) are published in the public docket. The Final Rule is published in the Federal Register or distributed to the affected parties. The CFR is updated with the Final Rules on an annual basis. In case of an emergency situation, the NPRM process can be bypassed, e.g., the issue of an Emergency Airworthiness Directive.
1.4 Civil Aviation Authorities

Aviation regulations and policies are harmonized worldwide thanks to the ICAO efforts to ensure consistent levels of safety. The contribution to air safety of the civil aviation authorities and agencies other than the European Union Aviation Safety Agency (EASA) and the Federal Aviation Administration (FAA) merits a special mention: the United Kingdom Civil Aviation Authority (CAA), currently dissociated from EASA as a technical agent, the Transport Canada Civil Aviation (TCCA), the Brazilian National Civil Aviation Agency (ANAC), the Australian Civil Aviation Safety Authority (CASA), the South African Civil Aviation Authority (SACAA), the Civil Aviation Administration of China (CAAC), the Russian Federal Air Transport Agency (RFCAA), the Qatar Civil Aviation Authority (QCAA), the Saudi Arabia General Authority of Civil Aviation (GACA), the United Arab Emirates General Civil Aviation Authority (GCAA), and so on.

Adhering to the ICAO standards, all these civil aviation authorities and agencies have developed their own regulatory frameworks under common specifications. The guidance provided by ICAO and the close cooperation between all these entities have made the skies safer. However, there is margin to work together toward improved safety levels.

The structure of the aviation regulations differs from country to country, but most of them have some characteristics in common with the regulations of the states where aviation evolved most in its early days, FAA or TCCA, or with the JAA/EASA.

Although the mission to regulate lies with the civil aviation authorities and agencies, the operator has an inherent safety responsibility and should not only focus on compliance with its regulatory framework but go beyond it and adopt the best practices.
To quote one example regarding Aircraft Maintenance Programs, the UK CAA Civil Aviation Publication (CAP) 747—Mandatory Requirements for Airworthiness [8] addresses the risks associated with excessive paint thickness and the use of self-adhesive decals on the aircraft, which may totally preclude the effective accomplishment of an inspection, including non-destructive testing techniques. In this line, the UK CAA requires that operators and maintenance organizations assess the impact on structural inspection tasks and ensure the AMP requires their removal at the appropriate times. What appears to be a reasonable mandatory requirement, as the condition may invalidate a structural inspection that in the worst-case scenario may be linked to a mandatory requirement, is still not considered in either the EASA or the FAA regulations.

When an unsafe element or omission is encountered in the regulation, the operator or individual person has the ethical responsibility to raise it with the corresponding civil aviation authority or agency and to assess the potential safety impact within its organization, as far as practicable, while the authority works on the subject.
1.5 Bilateral Aviation Safety Agreements (BASA)

A Bilateral Aviation Safety Agreement (BASA) is the mutual recognition of the competency on certification and other processes between two states. The cooperation of the two countries supports the harmonization of the rules and reduces the duplication of activities. The BASA Implementation Procedures for Airworthiness (IPA)/Technical Implementation Procedures (TIP) is the document that contains the implementation procedures, interfaces, and technical assistance required between both states. The most significant BASAs include the major states of aircraft/engine design: the European Union, the USA, Canada, and Brazil. Details of the EU-US BASA and the Technical Implementation Procedures for Airworthiness and Environmental Certification are included in Sect. 4.1.3.
8 Civil Aviation Publication (CAP) 747—Mandatory Requirements for Airworthiness GR No. 10 (4.1 and 4.2). UK CAA.
Chapter 2
The Story of Airworthiness Approvals and Certifications
2.1 Initial Airworthiness

Aircraft are designed following Certification requirements derived from ICAO Annex 8 Airworthiness of Aircraft which are applied through the regulatory system of the state of design. The design process to demonstrate compliance with the appropriate airworthiness regulatory requirements involves design documentation review, analysis, and testing of the aircraft. The process culminates with the issuance of a Type Certificate (TC) that is valid for the aircraft type. A TC is issued for unlimited duration unless otherwise revoked, suspended, or surrendered.

The competent authority issues the first Certificate of Airworthiness (CofA) for every individual aircraft when conforming to the Type Design. CofA is a nonexpiring document, subject to not being revoked or suspended, that is granted by the authority of the state of registration that proves the airworthy condition of the aircraft. Export CofA is used for the delivery of new aircraft or transfer of used aircraft to other states that are under a different certification regulatory environment than the state of manufacture. Consequent CofA is issued by the state of registration when imported.
2.2 Operation

Any entity that wants to provide commercial air transportation services must obtain two separate approvals in parallel:
• Safety Authorization in the form of an Air Operator Certificate (AOC), and
• Economic Authorization in the form of an Operating License. It requires the possession of an AOC, specifying the activities covered by the license, and a number of financial conditions.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_2
Table 2.1 FAA Aircraft Operator Authorizations

FAA—Air Carrier Aircraft Operator Certificate (AOC)

| 14 CFR | AOC | Description |
|---|---|---|
| Part 121 | Domestic or flag | Aircraft with more than 9 seats or more than a 7,500 lb (3400 kg) payload in scheduled passenger operations. Payload is the aircraft carrying capacity: passengers, baggage, and cargo |
| Part 121 | Supplemental | Aircraft with more than 30 seats or a 7,500 lb payload (non-scheduled or all-cargo) |
| Part 135 | Commuter | Aircraft with 9 seats or fewer or a 7,500 lb payload or less or rotorcraft in scheduled passenger operations (5 or more round trips a week in at least one market) |
| Part 135 | On-demand | Aircraft with 30 seats or fewer and a 7,500 lb payload or less or rotorcraft in on-demand passenger and/or cargo operations |
The Air Operator Certificate (AOC) is an unlimited approval, unless otherwise revoked or suspended, that allows an operator to perform specific air transport operations. The AOC lists the approved types of operation, e.g., passengers or cargo, specific operational approvals, areas of operation and special limitations. An aircraft can be operated on the basis of ownership or dry lease¹ agreement (aircraft operated under the lessee AOC). The legal responsibility for the continuing airworthiness of the aircraft lies with the owner or the lessee, as stipulated on the registration document or detailed in the leasing contract.

While EASA authorizes the commercial air transport operations under a single AOC type, the FAA issues two basic types of certificates based on the types of services and where the operations are conducted (both including scheduled and non-scheduled operations):
• Air Carrier Certificate for common carriage (interstate, foreign, overseas, or carriage of mail operations).
• Operating Certificate for common carriage (intrastate operations) or noncommon carriage (private carriage).

Common carriage is the transportation of persons or cargo for compensation or hire and involves holding out to the public (by advertising or other means); noncommon carriage involves the transport of persons or cargo for compensation or hire but without holding out (contract carriers). For Commercial Air Transport (CAT), the FAA issues the Air Carrier Certificate or the Operating Certificate, as applicable, under Part 121 or 135. Table 2.1 summarizes the types of CAT operations that the FAA certificate can authorize.

1 Dry Lease requires the operator that hires the aircraft (lessee) to include it under its own AOC. In other types of agreements, such as Wet Lease or ACMI (Aircraft, Crew, Maintenance, and Insurance), it is the responsibility of the Wet Lease/ACMI operator (lessor) to manage the aircraft under its AOC.
The AOC limits the type of operation that is authorized to be conducted, e.g., passenger, cargo, domestic, or commuter. The authorizations, conditions, and limitations for each aircraft type must be detailed in the Operations Specifications (Ops Spec). The Ops Spec includes the authorized specific approvals (e.g., PBN, MNPS, RVSM, LVO, EDTO (ETOPS)) and limitations. The Ops Spec also includes the reference to the person or organization responsible for maintaining the continuing airworthiness and the reference to the regulation that requires the work (EASA CAMO/FAA CAMP). AOC specifications for commercial air operations are detailed in EASA Air Ops Part-ORO Subpart AOC and FAA 14 CFR Part-119.

Regarding the Economic Authorization, the responsibility for issuing the Operating License lies with the transportation authority; in an EASA environment, it is the Ministry of Transport of the corresponding member state, and in the FAA environment it is the Department of Transportation (DOT). The FAA issues different types of operating licenses according to the type of operation and the aircraft size: the Certificate of Public Convenience and Necessity for Air Carriers, the Commuter Air Carrier Authorization, and the On-Demand Air Taxi Registration. Operating Licenses are unlimited, unless otherwise revoked or suspended, and are granted in accordance with E.U. Regulation (EC) 1008/2008 and 49 U.S. Code 41102, in the E.U. and the U.S., respectively.
2.3 Continuing Airworthiness

To demonstrate the airworthy condition of the aircraft, the operator must ensure that:
• the Certificate of Airworthiness (CofA) remains valid, and
• the maintenance of the aircraft is performed in accordance with an approved Aircraft Maintenance Program.

The approach to comply with these two conditions differs between EASA and the FAA. EASA requires that the tasks associated with the continuing airworthiness of the aircraft are performed by an approved Continuing Airworthiness Management Organization (CAMO), referenced in the Ops Spec, and that the validity of the CofA is reviewed periodically and validated through the Airworthiness Review Certificate (ARC). On the other side, the FAA does not recognize the CAMO organizational approval system and authorizes the operator, through the Ops Spec, to develop its own Continuous Airworthiness Maintenance Program (CAMP) without the need for FAA approval. In other words, although both regulations monitor and require that the operator self-monitors its performance through safety, quality, and reliability programs (the Triangle of Airworthiness), EASA additionally requires a series of approvals while the FAA relies on the Ops Specs. CAMO and CAMP requirements are detailed in Sect. 3.1.
The Airworthiness Review Certificate (ARC) (EASA)

In an EASA environment, the condition for the CofA to remain valid is that the relevant CAMO states a recommendation for the competent authority to issue the Airworthiness Review Certificate (ARC) and validate that the aircraft remains airworthy. The ARC is valid for one year but it can be extended twice for a period of one year each if the aircraft has been in a controlled environment during the preceding 12 months (continuously managed by a single CAMO and maintained by an approved maintenance organization). The ARC involves the so-called full review of the aircraft records (that is usually performed through sample checks within each document category) and a physical survey.

During the ARC review of the aircraft records, special attention is given to the compliance with applicable Airworthiness Directives and with the Aircraft Maintenance Program. Airworthiness Directives are mandatory instructions to correct unsafe conditions that may exist. The Aircraft Maintenance Program contains all required scheduled maintenance to maintain the aircraft in airworthy condition. The main sources of an initial Maintenance Program are instructions required by the authority and instructions provided by the manufacturers that are customized to the operation of the aircraft.
2.4 Maintenance

The CAMO/CAMP requires compliance with Airworthiness Directives (ADs), Modifications/Repairs, and AMP tasks. The compliance is demonstrated by the Certificate of Release to Service (CRS), that is issued by the approved Part-145 maintenance organization, and the associated “Dirty Fingerprint”. The Dirty Fingerprint is the work card or record that describes the maintenance task, supporting data, and associated findings. The CRS is issued after any maintenance task(s) and before the next flight to certify that the required maintenance has been performed.

All maintenance must be signed and stamped by approving certifying staff. Certifying staff must be in possession of an Aircraft Maintenance License (AML) endorsed with a Type Rating (aircraft type) to be qualified for the maintenance of the aircraft type. The AML is issued under EASA Part-66 for EASA certifying staff and under Part-65 for FAA certifying staff. Staff Authorization to carry out maintenance is given by the Part-145 organization. The qualification of Certifying staff is gained through knowledge and experience. The theoretical knowledge may be directly assessed by the competent authority or through an approved EASA/FAA Part-147 training organization.

In summary, while the responsibility for the continuing airworthiness of the aircraft lies legally with the operator, in practice the responsibility is shared between the operator, the Type Certificate holder (design/manufacturer), the maintenance organizations, the certifying staff and training organizations, and the regulatory/competent authorities.
Chapter 3
Continuing Airworthiness Management—Organization and AMP Requirements
The requirements for an EASA Continuing Airworthiness Management Organization (CAMO) are captured in the Continuing Airworthiness Management Exposition (CAME) of the organization. These elements are comparable to those required for an FAA operator on the Continuous Airworthiness Maintenance Program (CAMP). CAME/CAMP usually applies to the management of all aircraft types that are operated. While the CAME (EASA) is subject to the approval by the competent authority, the CAMP (FAA) is authorized through the Ops Spec and does not require authority approval.

There is a considerable difference in the Aircraft Maintenance Program concept between EASA and the FAA:
• EASA requirements for an AMP only consider scheduled repetitive maintenance, a Reliability Program and the procedures to manage both, while other requirements are managed through separate processes that are also specified in the CAME (e.g., organization, modifications/repairs, critical maintenance tasks/identical tasks, technical records, training). An EASA AMP is only applicable to an aircraft type.
• On the other side, the FAA considers all these other requirements as part of the maintenance program: the CAMP. The CAMP has ten elements among which there are two that working together are comparable to the EASA AMP concept; these are the Maintenance Schedule and the component of the Continuing Analysis and Surveillance System (CASS) that measures the Maintenance Schedule effectiveness, comparable to the EASA scheduled repetitive maintenance and the Reliability Program requirements respectively.

Therefore, when referring to an AMP in this book, it represents:
• the Aircraft Maintenance Program (scheduled repetitive maintenance + Reliability Program + procedures) as defined by EASA, and
• the Maintenance Schedule and the Reliability Program (part of the CASS), both elements of the CAMP, as defined by the FAA.
3.1 EASA: CAMO, CAME and AMP Requirements

A CAMO is an approved organization responsible for the continuing airworthiness management tasks. The approval is granted by the competent authority in accordance with the Part-CAMO (old Part-M Subpart G).¹ The responsibilities, procedures, and methods of the organization are contained in the Continuing Airworthiness Management Exposition (CAME). The CAME and its amendments must be approved by the competent authority, although the authority may grant certain concessions for the approval of minor changes. Any concessions should be formalized in the exposition itself.

The CAME should contain the following information, as required in Part-CAMO CAMO.A.300 (old Part-M M.A.704):
• a statement signed by the Accountable Manager to confirm that the organization will work in accordance with the Part-M and the exposition at all times,
• the organization’s safety policy,
• the organization’s scope of work,
• the titles, names, responsibilities, and associated chains of responsibilities (organization chart) of:
  – the Accountable Manager (AM), who has corporate authority for ensuring that all continuing airworthiness management activities can be financed and carried out in accordance with the Part-M,
  – the nominated Compliance Monitoring (CM) Manager, or group, with the responsibility of ensuring that the organization is always in compliance with the Part-M and Part-CAMO,
  – the nominated Safety Manager (SM), or group, with the responsibility for managing the development, administration, and maintenance of effective safety management processes,
  – the Nominated Post Holder (NPH), or group, responsible for the management and supervision of continuing airworthiness activities,
  – the nominated staff authorized to extend recommendation for the issue of Airworthiness Review Certificate (ARC) and, where applicable, permits to fly,
• a general description of the manpower resources and the system to plan the availability of staff,
• a general description and location of the facilities,
• the description of the internal safety reporting scheme,
• procedures specifying how the CAMO ensures compliance with Part-M and Part-CAMO, including key processes, list of contracted/subcontracted activities and the CAME amendment procedures,
• the list of approved Aircraft Maintenance Programs, and
• the list of alternative means of compliance, if any.

1 Approval in accordance with Part-CAO for combined continuing airworthiness and maintenance organizations (old Part-M Subpart F) is applicable to non-large aircraft not used by a licenced air carrier and is therefore not the subject of this book; Part-CAO involves an alleviation in responsibilities for operators of non-large aircraft (below 5700 kg) with regard to the Part-CAMO requirements.

The main functions of a CAMO are listed in Part-CAMO CAMO.A.315 (old Part-M M.A.708):
• ensure all continuing airworthiness management is carried out in accordance with the Part-M Subpart C (preflight, rectification of defects, maintenance program, reliability program, Airworthiness Directives, modifications and repairs, check flights, etc.), as applicable,
• develop and control a Maintenance Program for the aircraft managed including any applicable Reliability Program,
• ensure that modifications/repairs are accomplished in accordance with approved data,
• establish a procedure to assess non-mandatory modifications and/or inspections and decide on their application,
• ensure the aircraft and its components, including engines and propellers, are maintained by appropriately approved maintenance organizations,
• ensure any maintenance is appropriately released for the determination of aircraft airworthiness, and
• take into account human factors during the continuing airworthiness management, including contracted/subcontracted activities.

Part-145 organizations are also required to define responsibilities, procedures, and methods in the so-called Maintenance Organization Exposition (MOE). For small organizations with Part-CAMO and Part-145 functions, the competent authority may authorize the development of a single manual, the Continuing Airworthiness Management and Maintenance Organization Exposition (CAMMOE).

EASA—Aircraft Maintenance Program (AMP) Requirements

EASA Part-M regulation requires that the aircraft continuing airworthiness is maintained under an Aircraft Maintenance Program (AMP).
The rules for an AMP are described in the Part-M M.A.302:
• the AMP and any subsequent amendments must be approved by the competent authority, except when an indirect approval procedure is approved in the CAME;
• the AMP must establish compliance with:
  – instructions issued by the competent authority, and
  – Instructions for Continuing Airworthiness (ICA) issued by a Design Approval Holder (DAH) approved under Part-21;
• the owner or CAMO may deviate from the ICA and propose escalated intervals based on data obtained from sufficient reviews, e.g., derived from the analysis of the effectiveness of the approved AMP (Reliability Program). The escalation of safety-related tasks is not subject to the indirect approval and must be approved by the competent authority;
• the owner or CAMO may propose additional instructions in the AMP;
• the AMP should contain details, including frequency, of all maintenance to be carried out, including any specific tasks linked to the type and the specificity of operations;
• when the maintenance program is based on Maintenance Steering Group (MSG) logic or Condition Monitoring, the AMP shall include a Reliability Program;
• the AMP should be reviewed to ensure it continues to be valid in light of:
  – new/revised instructions issued by the competent authority,
  – new/revised instructions issued by the corresponding Design Approval Holders (DAHs) approved under Part-21, and
  – in-service experience.

EASA Part-M M.A.302 Aircraft Maintenance Programme requirements and related AMCs/GMs references are quoted in the corresponding sections of this book as appropriate. Air Ops rules and related AMCs/GMs containing continuing airworthiness requirements, e.g., RVSM, EDTO (ETOPS), etc. are also quoted as appropriate.
3.2 FAA: CAMP, Maintenance Schedule and AMP Requirements

FAA 14 CFR 121.367 and 135.425 require that the holder of an Air Carrier Certificate or Operator Certificate has an inspection program and a program covering other maintenance, preventive maintenance, and alterations. Certificate holders operating under FAA Part-121 or Part-135 (with aircraft of 10 or more seats) are required to develop a Continuous Airworthiness Maintenance Program (CAMP). Certificate holders operating under Part-135 for aircraft with 9 or fewer seats are required to maintain their aircraft in accordance with Part-43 and 91 but have the option to make use of an Approved Aircraft Inspection Program (AAIP) or a CAMP.

A CAMP contains specific maintenance and inspection tasks, including methods, standards, and techniques for accomplishing these tasks. A CAMP does not require FAA approval; the FAA issues Ops Spec to authorize its use. Guidelines to develop a CAMP can be found in the AC 120-16F Air Carrier Maintenance Programs.

AAIP is limited to inspections; the certificate holder is also required to comply with additional maintenance requirements such as cleaning, inspecting, adjusting, testing, and lubricating. The operator can choose to additionally follow the maintenance program recommended by the manufacturer or an FAA approved program. AAIP requires FAA approval. Guidelines to develop an AAIP are described in the AC 135-10B Approved Aircraft Inspection Program.

For the purposes of this book, the comparisons between EASA and the FAA will be based on the CAMP, as it is more comprehensive than the AAIP.
The Continuous Airworthiness Maintenance Program (CAMP) has ten elements:
• Airworthiness responsibility,
• Air Carrier Maintenance Manual,
• Air Carrier Maintenance Organization,
• Accomplishment and approval of maintenance and alterations,
• Maintenance Schedule,
• Required Inspection Items (RII),
• Maintenance recordkeeping system,
• Contract maintenance,
• Personnel training,
• Continuing Analysis and Surveillance System (CASS).
As detailed previously, the Maintenance Schedule element is comparable to the EASA Aircraft Maintenance Program concept, and the element of the CASS that measures the Maintenance Schedule effectiveness is comparable to the EASA Reliability Program. The RII element is comparable to the EASA Critical Maintenance Task/Identical Task requirements detailed in Sect. 15.2.

FAA—Maintenance Schedule and CASS Requirements

The Maintenance Schedule should contain information on what to maintain, how, and when. The following items are examples of what may be included in the Maintenance Schedule: ADs, ALS, CMR, MRBR, SSID, EWIS, SBs, SLs, Life Limits, component replacement for overhaul/repair, special inspections, checks or tests, lubrication and servicing, etc. The objective of the Maintenance Schedule is to do the correct task at the correct interval, and it should describe the procedures to manage these repetitive maintenance items.

The CASS monitors the Maintenance Schedule to verify its effectiveness. The CASS is considered the main source of information that might indicate the need for a change to the Maintenance Schedule.

As detailed throughout the previous paragraphs, the CAMP, and consequently the Maintenance Schedule and the CASS, do not require FAA approval. In the FAA environment, the CAMP and its elements are authorized through the Ops Spec in lieu of requiring approval by the competent authority, as is the case for an Aircraft Maintenance Program under an EASA environment.
Chapter 4
Instructions for Continuing Airworthiness (ICA)
ICAO defines Instructions for Continuing Airworthiness (ICA) as “a set of descriptive data, maintenance planning and accomplishment instructions, developed by a Design Approval Holder (DAH) in accordance with the certification basis for the aeronautical product. The ICAs provide air operators with the necessary information to develop their own maintenance programme and also for approved maintenance organizations to establish the accomplishment instructions”.

ICAs are all the necessary instructions to ensure the airworthiness of an aircraft is maintained throughout its operational life. ICAs are produced by holders of design approvals (DAHs) and form the basis of the maintenance approved data, which is in part used for the AMP development. ICAO standards and main regulations are ambiguous in defining which documents or instructions are ICA and which are not. Following the definition, in these paragraphs, only those documents and instructions whose purpose is to maintain the design standard and the airworthiness of the aircraft (safety) will be considered as ICA.

The issuance of a Type Certificate (TC), that is the document approved by the regulatory authority to define the design of an aircraft/engine/propeller type and to certify that the design meets the airworthiness requirements (specifications), is subject to the following mandatory ICAs: Airworthiness Limitations (ALS), Certification Maintenance Requirements (CMR), and Maintenance Review Board Report (MRBR). MRBR could be substituted by other alternative means of compliance to develop the initial aircraft maintenance program if approved by the competent authority.

The Maintenance Planning Document (MPD) is a repository document that contains, as a minimum, the scheduled ALS, CMR, and MRBR requirements, and provides additional information about maintenance tasks, scheduling, and procedures. Although it varies between design organizations, the MPD may also contain other ICAs such as:
• maintenance required for specific operations (e.g., EDTO (ETOPS), RVSM),
• maintenance required for Low Aircraft Utilization (LUR),
• regulatory mandatory requirements (e.g., Airworthiness Directives), and/or
• manufacturer/vendor recommendations (e.g., recommended Service Bulletins, Service Letters, etc.).
Once the aircraft has entered into service, based on further testing and analysis and on worldwide fleet experience, the ICAs evolve to ensure that the aircraft maintains a safe performance. Some manufacturer/vendor recommendations will be adopted under the MRBR. Some portions of the ICA that are part of the certification process (ALS and CMR) and minimum scheduled maintenance requirements that were not delivered before the aircraft entry into service, usually related to overhaul and heavy maintenance, will also be released.

The operator in-service experience with the aircraft and its components, usually monitored under a Reliability Program, will require that the operator develops additional maintenance tasks, implements certain manufacturer/vendor recommendations, and accomplishes modifications that had not been considered previously. Modifications will be accomplished not only due to the operator in-service experience but also due to new mandatory requirements (e.g., AD or new/revised operational regulation).

When appropriate, after a modification, the Design Approval Holder (DAH) will issue the ICA or variation to the existing ICA to maintain the continued airworthiness of the aircraft. For example, major modifications, when approved by the TC holder, will come in the form of a Service Bulletin (SB) and the associated ICA may be covered in the same or a different SB or in the TCH documentation, e.g., the MRBR; major modifications, when approved by a design organization different from the TC holder, will come in the form of a Supplemental Type Certificate (STC) and the ICA will be part of the STC certification.

After aircraft damage, the damage must be assessed and repair actions may be required. ICA or variation to the existing ICA may be instructed by the repair design holder so the aircraft continues to conform to the approved Type Certificate. For example, after the repair of a damage covered in the aircraft Structural Repair Manual (SRM), specific repetitive inspections may be given in the manual and these are considered ICA; after a repair that is not covered by the SRM, the holder of the repair design will have to provide the ICA as appropriate.

The ICA requirements are not always convenient, so the DAH may be contacted to define alternative instructions on a case-by-case basis. The use of alternative instructions should be approved by the competent authority or under a procedure approved by the competent authority.

In addition to the ICA documents mentioned above, these are other examples of publications that are considered ICA: Supplemental Structural Inspection Documentation (SSID), Aging Aircraft Maintenance requirements, Life Extension Programs (LEP) and Aircraft Maintenance Manual (AMM).
The accountabilities regarding the ICA cascade down from the ICAO SARPs to:
• the regulatory authorities to adopt the ICAO Annex 8 standards in their requirements,
• the design organizations (Part-21) to provide the necessary ICA to aircraft owners and operators,
• the operator and the continuing airworthiness management (EASA Part-M and Part-CAMO) to customize the applicable ICAs into the AMP,
• the maintenance organizations (Part-145) to execute the maintenance instructions as provided in the ICA (which will also involve the competency of the maintenance certifying staff involved in maintenance as per Part-66 (EASA)/Part-65 (FAA) and training organizations as per Part-147),
• back to the operator and the continuing airworthiness management to show compliance, and
• the competent/regulatory authority to surveil that during the mentioned process the aircraft airworthiness is maintained.

The following paragraphs introduce the responsibilities of the design organizations to develop ICAs for approval of a new or changed type design.
4.1 ICA—Design Organizations Responsibilities

ICAO Annex 8—Airworthiness of Aircraft defines the standards for the regulatory authorities to establish a framework for the development and management of ICA. These standards require that each aircraft/engine/propeller is provided with the instructions for its maintenance, repair, and all necessary information to keep it in airworthy condition.

ICAO Doc 9760—Airworthiness Manual provides additional guidance material; this document recommends that limitations and procedures necessary for safe operations and maintenance are made available to the operators of the aircraft, including:
• mandatory maintenance structural tasks and replacement times for structural parts (usually identified in the Airworthiness Limitations),
• mandatory maintenance tasks established during the type certification process (usually identified in the Certification Maintenance Requirements),
• Instructions for Continued Airworthiness (usually contained in the MRBR), descriptive data and instructions for the maintenance, servicing, inspection and repair (usually contained in the maintenance manuals and structural repair manual), and
• a continuing Structural Integrity Program (SIP) to ensure the airworthiness of the aircraft, including specific information concerning corrosion prevention and control.
4.1.1 ICA—EASA Design Organization—Specifications and Regulations

Certification Specifications for Large Aircraft (Subpart G, CS 25.1529, 25.1729 and Appendix H) require the preparation of ICA for each aircraft, engine, propeller, and appliance required by the CS-25 and describe their format and content. The ICAs should:
• include scheduling information for each part of the aircraft with the recommended periods at which they should be cleaned, inspected, adjusted, tested, and lubricated, and the degree of inspection, the applicable wear tolerances, and work recommended at these periods, or
• make reference to the source of this information.

CS-25 also requires that the ICA contains a section for Airworthiness Limitations (ALS) that is segregated from the rest of the document. The ALS must include each mandatory modification time, replacement time, structural inspection interval and related structural inspection procedure, any mandatory replacement of EWIS components, and any Certification Maintenance Requirement (CMR).

EASA Part-21 Regulation (21.A.61/107/120A/449) requires that the holder of relevant approvals issued under Part-21 (TC, STC, Minor change to TC, Repair design and ETSO authorization(*)) furnishes at least one set of complete ICA or associated variations to the ICA, as appropriate, to the owner before delivery/first Certificate of Airworthiness (whichever occurs later) and that any changes to the ICA or variations of the ICA are made available to any person required to comply with those instructions. Some portion of the ICA, usually related to overhaul or heavy maintenance, may be delayed until the aircraft/engine/propeller has entered into service, but must be made available before it reaches the relevant age.
There are still two major concerns on which EASA is currently working:
• there is margin for interpretation on what constitutes “a set of complete ICA”, which can be misinterpreted between different DAHs (e.g., in regard to ICA produced by suppliers), and
• (*) the responsibility of the ETSO authorization holder in regard to ICA is ambiguous.

Types of Design and Changes

The design organization should provide the means, including the ICA or variation to ICA, to keep the airworthiness standard for the following types of design and changes:
• Type Certificate (TC) and Supplemental Type Certificate (STC). A TC is an approved design of an aircraft/engine/propeller. An STC is an approved major modification to an approved TC that defines the design changes and how they affect the original design.
  – Minor change: approved TC/STC modification that has no appreciable effect on the mass, balance, structural strength, reliability, operational characteristics, noise, fuel venting, exhaust emission, operational suitability data, or other characteristics affecting the airworthiness.
  – Major change: approved TC/STC modification not considered as minor. Only the TC holder or an STC holder can apply for major changes to the TC. Only the STC holder or the holder of a separate STC can apply for major changes to the STC.
• Repairs. A repair is the restoration of an aircraft/engine/propeller to an airworthy condition after damage.
  – Standard repair: repair that follows design data included in the certification specifications (acceptable methods, techniques, practices) to accomplish the repair, e.g., through the Structural Repair Manual (SRM).
  – Minor repair: approved repair that has no appreciable effect on structural performance, weight, balance, systems, operational characteristics, or other characteristics affecting the airworthiness.
  – Major repair: approved repair not considered as minor.
• European Technical Standard Order (ETSO) Authorization. An ETSOA is a way to have parts and appliances approved ensuring compliance with a minimum performance standard. It includes both design and production. It represents an alternative to the type certification process and is convenient for parts that are common to different types of aircraft/engine/propeller (e.g., instruments, seats, emergency equipment, APU, etc.).
  – Minor change: does not require a complete investigation to determine compliance with an ETSO.
  – Major change: requires a complete investigation to determine compliance with an ETSO and leads to a new ETSO authorization.
4.1.2 ICA—FAA Design Organization—Specifications and Regulations

Responsibilities of FAA TC and STC holders in regard to aircraft/engine/propeller ICA are considered in the Part-21 (14 CFR 21.50) and are comparable to those provided in the EASA Part-21. Additional considerations, including ICA preparation, are detailed in Part-25 (14 CFR 25.1529, 25.1729 and Appendix H to Part-25) and Part-26 (14 CFR 26.11) with special highlighting of the EWIS ICA.

FAA Part-26 (14 CFR 26.43/45/47) requires that after repairs, modifications (alterations) or modifications to repairs, the TC/STC holder performs a Damage Tolerant Evaluation (DTE), develops the appropriate Damage Tolerant Inspections (DTI), and makes them available to persons required to comply with those instructions. Several Advisory Circulars on the ICA definition provide guidance and recommendations:
• AC 26-1 Part 26 Continued Airworthiness and Safety Improvements,
• AC 120-93 Damage Tolerance Inspections for Repairs and Alterations, and
• AC 25.1529-1A ICA of Structural Repairs on Transport Airplanes.

FAA Part-21 Subpart O, dedicated to the approval of Technical Standard Orders (TSO) (the FAA equivalent to the EASA ETSO Authorization), does not explicitly require the TSO design holder to provide the appropriate ICA. However, extended guidance about the TSO process is provided in the Advisory Circular AC 21-46A as acceptable means to comply with the Part-21 Subpart O, and it requires the design organization, at the time of TSO submission for approval, to provide the ICA necessary to maintain the TSO requirements after the product is installed.

FAA Part-21 Subpart K describes the requirements for issuing Parts Manufacturer Approval (PMA). It is a special authorization granted by the FAA (not considered by EASA) that combines design and production approval for modification and replacement articles that were not originally fitted in the aircraft. The PMA allows a manufacturer to produce and sell these articles for installation on type certificated aircraft/engine/propeller, even though it is not the original manufacturer of the type certificated product. Basically, the PMA methods for the FAA approval are based on:
• License or rights granted by the TC Holder: the part remains with the same Part Number.
• Test, computation, and identicality to show that the design meets the applicable airworthiness requirements and the manufacturing processes, inspection and test procedures produce a part that is identical to the original from a TC; or
• STC design. An STC Holder can produce parts under Part-21 production approval or Part-21 PMA approval.
4.1.3 E.U.–U.S. Bilateral Agreement—Design Organization Approvals

Within the E.U.–U.S. BASA (Bilateral Aviation Safety Agreement), the Technical Implementation Procedures for Airworthiness and Environmental Certification¹ define the procedures for approving products to import into the E.U. and the U.S. and the means for providing support afterward. EASA and the FAA give validity to the certification made by each other. To maintain this confidence, an oversight model is required that monitors their competency, including a sampling system to verify approvals, quality audits, and observations, and aims for standardization.

Aircraft/engine/propeller TC, STC, design repairs (developed by the TC/STC Holder), ETSOA/TSOA, PMA and changes to the prior designs, except when involving the alteration of critical components, are recognized and accepted mutually under the E.U.–U.S. BASA. For some critical components, FAA PMAs and FAA design repairs (not developed by the TC/STC holder, e.g., by a Designated Engineer Representative (DER)), explicit EASA approval is required.

In regard to ICA, while an MRBR approved by one of the two states is automatically accepted by the other, the level of involvement for other types of ICA, such as the Airworthiness Limitations, may vary and require a validation process. The Significant Standard Differences (SSDs) between the EASA and FAA certification specifications standards are published on the EASA and FAA websites.

¹ Technical Implementation Procedures for Airworthiness and Environmental Certification between the Federal Aviation Administration of the United States of America and the European Aviation Safety Agency of the European Union. Revision 6, September 22, 2017 (up to Amendment 2, April 02, 2019).
Lesson in Progress—The Boeing 737 MAX Case

In October 2018, the Indonesian carrier Lion Air operating a Boeing 737 MAX under Flight 610 from Jakarta (WIII), Indonesia, with intended destination Depati Amir Airport (WIPK), crashed into the Java Sea 13 min after takeoff, killing all 189 passengers and crew.² Five months later, in March 2019, in similar circumstances, Ethiopian Airlines 737 MAX Flight 302 crashed six minutes after takeoff on a flight from Addis Ababa Bole International Airport (HAAB), Ethiopia, with intended destination Nairobi (HKJK), Kenya, killing all 157 passengers and crew.³ The aircraft was grounded worldwide in the same month, two years after its type certification by the FAA in March 2017, until November 2020 (Fig. 4.1).

Due to financial constraints and the pressure on Boeing to compete with the Airbus A320 NEO, Boeing had updated its old 737 design instead of designing a new aircraft that would have been less attractive to customers: new type rating and additional costs.⁴ The 737 MAX had new, larger engines with a different relative placement compared with its predecessors, so Boeing developed new software called the Maneuvering Characteristics Augmentation System (MCAS) to address the stability issues of the new configuration.
² Aircraft Accident Investigation Report PT. Lion Mentari Airlines Boeing B737-8 (MAX); PKLQP. Komite Nasional Keselamatan Transportasi Republic of Indonesia. 20 October 2018.
³ Aircraft Accident Investigation Bureau Interim Investigation Report on Accident to the B737-8 (MAX) Registered ET-AVJ operated by Ethiopian Airlines. The Federal Democratic Republic of Ethiopia Ministry of Transport. 10 March 2020.
⁴ The Boeing 737 MAX Aircraft: Costs, Consequences, and Lessons from its Design, Development, and Certification—Preliminary Investigative Findings. The House Committee on Transportation and Infrastructure. March 2020.
The MCAS was designed to push the aircraft nose down under certain flight conditions and relied on a single Angle Of Attack (AOA) sensor for automatic activation.
Fig. 4.1 Boeing 737 MAX sit parked at Boeing field. Photo by David Ryder/Getty Images
The preliminary investigation of the Indonesian and Ethiopian accidents, carried out by their corresponding aircraft accident investigation offices, revealed the deficiencies of the Boeing design. Soon after, the U.S. Congress initiated further investigations into the FAA approval process.

Boeing had assumed that the pilots would mitigate any malfunction, while reality showed that, in most cases, they were unaware of the existence of the new system. Additionally, the MCAS was not classified as a safety-critical system and its failure was not rated as “catastrophic”. In this regard, it was expected that a software fix would return the aircraft to service, but new safety issues arose during the investigations.

The investigations also exposed that the FAA oversight function with respect to Boeing created a conflict of interest where Individual Designees (Boeing employees that are authorized as FAA representatives to validate design compliance) failed to take action to represent the FAA interests and would have allowed unsafe design approaches.
The BASA agreements were also called into question. Many of the signatory states of BASAs with the U.S. reviewed their validation of the 737 MAX type certification. Additionally, many did not rely on either the software upgrade or the 737 MAX FAA re-certification, and issued their own certifications for the MCAS system.

Surely, this is a lesson in progress: aviation experts are calling for a review of the terms under which the BASAs are signed, and most of the certification authorities worldwide may revise their aviation regulations in regard to the requirements for amended type certification and their own oversight functions.
Part II
Aircraft Maintenance Programs: Content and Management
Chapter 5
AMP Content and Maintenance Planning Document (MPD)
The content of an Aircraft Maintenance Program (AMP) is set by the regulatory environment that it must satisfy. As introduced in Part I, while an FAA CAMP may look more comprehensive at first, the CAMP elements that are not considered in an EASA AMP are actually considered in the CAME (e.g., airworthiness responsibility, maintenance manual, maintenance organization, approval of maintenance and alterations, Required Inspection Items (RII), recordkeeping system, contract maintenance, and personnel training).

This chapter describes the requirements of an AMP under an EASA environment. These requirements may be used to develop the Maintenance Schedule element required for the FAA CAMP. The AMP should contain the following provisions:
• the preamble, including definitions of the Maintenance Tasks/Checks and the necessary procedures to manage them,
• the sections that include the scheduled maintenance tasks and limitations, and
• the Reliability Program.

An AMP is initially developed from the Maintenance Planning Document (MPD). The MPD contains the maintenance tasks that are part of the aircraft type certification (ALS and CMR) and the initial scheduled maintenance requirements (MRBR or alternative means of compliance).
5.1 AMP Content

An AMP should define the maintenance task terms that are to be managed/used by the continuing airworthiness/maintenance organization. The AMP must also describe the procedures necessary to manage the maintenance tasks. The AMP as a whole should not leave any margin for interpretation. The AMP must meet both the regulatory requirements and the standards set by the operator.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_5
5.1.1 General Considerations

Operator’s Certification Statement

The Operator’s Certification Statement is a formal declaration duly signed by the CAMO responsible person (Nominated Person or delegate) that states the aircraft will be maintained in accordance with the submitted AMP and that it will be reviewed and updated as required.

AMP Approval

The AMP approval process should be agreed with the competent authority and be included in the CAME. The CAME should reflect any indirect approval concessions granted by the competent authority. The indirect approval is a privilege granted to the CAMO to approve certain changes in the AMP without the need for competent authority approval. Once an AMP revision is submitted for approval (to the competent authority or the NPH/delegate in the case of indirect approval), no further changes are usually allowed except those arising from the approver findings/observations for that particular revision, if any. The AMP should incorporate the approval sheet duly signed by:
• the CAMO staff authorized to prepare and submit the AMP for approval, and
• the competent authority responsible person, or
• in the case of indirect approval, the CAMO Nominated Person or delegate.

Distribution List

The AMP should include a distribution list and the distribution methods to ensure it is available for any concerned party (competent authority, CAMO staff, maintenance organization, etc.).

Record of AMP Revisions and Temporary Revisions

The AMP should register the history of Revisions and Temporary Revisions. It is recommended to include at least the main reasons for each major Revision.

Summary of Changes

The AMP should list all the changes and justifications promulgated in the latest Revision.

AMP Effective Date

An Aircraft Maintenance Program revision should always be approved with a designated Effective Date agreed with the competent authority or a designated date based on a procedure approved by the authority. The Effective Date is the date on which the AMP enters into force and the new/revised/deleted requirements and procedures become effective.
The AMP Effective Date may be the same as the AMP approval date, but a limited time can be granted to the operator to accommodate all the necessary changes into the system used for the AMP Maintenance Requirement control. This difference has much to do with the capacity of such a system; the process may become lengthy with a large volume of AMP changes when the maintenance software does not have the capability to load the data directly from the AMP (manual process) and/or it requires individual management of each task change to make them effective. On the other hand, advanced maintenance software may allow all the changes to be loaded automatically from a database and/or made effective at once as soon as the AMP is approved.

AMP Applicability

The AMP must define the aircraft registration(s) to which it is applicable and in which configuration(s) (engines, APU, and layout, as applicable). An aircraft should be maintained under only one AMP at a certain point in time. It is possible to associate an “Applicability Number” to each registration if it is considered that this facilitates the understanding of the Task Effectivity. The AMP Applicability should be updated when an aircraft is inducted/phased-out into/from the AMP.

AMP Source Documents

The AMP must list all the source documents on which it is based and their revision and issue/effective date. The process to receive and control the source documents and their revisions and the process to evaluate and implement their changes into the AMP should be defined (Fig. 5.3).

Maintenance Checks

The AMP should define the suitability of the AMP maintenance tasks to be packaged and performed together (maintenance check) or individually (out-of-phase). It is usually based on the maintenance task intervals and parameters and on the accesses required. Examples: Preflight Check, Transit Check, Daily Check, Weekly Check, Service Check, A-Check, B-Check, C-Check, and D-Check. A Maintenance Check is restricted by an interval that may contain different parameters (FH, FC, calendar time, etc.). The Maintenance Check intervals cannot be more permissive than the Maintenance Tasks thresholds/intervals within it.

Utilization

The AMP is based on an anticipated utilization. MRBR, one of the primary sources of the AMP, is developed based on an assumption of anticipated average annual utilization; when the utilization of the aircraft falls out of the envelope defined in the MRBR, it is necessary to contact the Type Certificate Holder (TCH) to develop specific recommendations (Low Utilization Recommendations). Section 9.2 details the characteristics of these special programs.
The anticipated utilization is based on the operator experience and on the expected operation. Usually, the anticipated utilization is presented by the “Annual Average Fleet Utilization.” It is also recommended to anticipate whether the utilization of any of the individual aircraft of the fleet may fall out of the MRBR utilization envelope rather than using the average fleet parameters. AMP utilization must be analyzed at least during the AMP annual review.

Limit Of Validity (LOV)

The Limit Of Validity (LOV) corresponds to the Flight Hours and/or Flight Cycles for which it is demonstrated that Widespread Fatigue Damage (WFD) will likely not occur on the aircraft structure. LOV is understood as the aircraft usable life: the operator cannot operate an aircraft beyond the LOV or Extended LOV of the aircraft. LOV is defined in the Structures Airworthiness Limitations.

Task Type Categories

The AMP must describe each task type category to define the expected level of maintenance and the methods. Task types: Cleaning (CLN), Lubrication (LUB), Servicing (SVC), Operational Check (OPC), Functional Check (FNC), Visual Check (VCK), General Visual Inspection (GVI), Detailed Visual Inspection (DET), Special Detailed Inspection (SDI), Restoration (RST), Discard (DIS), etc. The task type categories are usually based on the MPD/MRBR although the operator may develop additional task type categories as required.

Aircraft Maintenance Task Format

A maintenance task is typically defined by the following format:
• Status. It identifies the action taken for the task between two consecutive AMP revisions: New (N), Revised (R), Deleted (D), or Blank (if no action has been taken). The reason for the change is described in the Summary Of Changes.
• Task number. AMP task number is usually derived (if not the same) from the source document task number. It is recommended to establish a numbering convention for the operator’s own tasks.
• Zone. Location of the item subject to maintenance.
• Description. It is the scope of the task (a summary) in the context given by the system, subsystem, component, zone, or structural item title.
• Task Code. It is the task type category.
• Threshold/Interval. It identifies the prescribed periods at which the task has to be performed (first accomplishment/repeat). Chapter 11 details the procedures for the thresholds/intervals management.
• Source. It identifies the origin of the task: MRBR, ALS, CMR, AD, SB, SL, operator’s own task, etc. It is appropriate to reflect the Failure Effect Category (FEC) for MRBR tasks in the source field, if applicable.
• References. It should identify:
  – Source: references to the corresponding source document task number and/or regulatory requirement for adequate traceability.
  – Instructions: references to the task instructions (Aircraft Maintenance Manual (AMM), Task Card, Engineering Order (EO), etc.).
  – Others: references to any documented information that is considered necessary for the accomplishment of the maintenance task.
• Effectivity. It details for which registrations within the AMP applicability the task is effective. It is possible to define the Effectivity by the Applicability Numbers if they have been established. Effectivity and applicability concepts are usually confused; applicability refers to something that is appropriate to be applied but does not imply any effect, e.g., the applicability of an MPD task means that the task is suitable to be used for the aircraft that meet the applicability conditions. However, effectivity refers to something that is actually in force, e.g., the effectivity of an AMP task means that it must be accomplished for the specified registrations (Fig. 5.1).
• Task Revision Date. It identifies the AMP revision in which the task was last revised.

Fig. 5.1 AMP Task Format

Any information considered by the operator to facilitate the use and understanding of the AMP may be added to the AMP Task Format, e.g., “Preparation” to identify the necessary task preliminary procedures, “Access” to identify panels, linings or doors to be opened or removed, or “Remarks” to identify any additional information.

Component Maintenance Task and Life Limitations Format

The format for component tasks and life limitations is slightly different from the standard described for aircraft maintenance tasks. The format should include a field for the Part Number (P/N) for which the limitation is effective. The format may require additional fields to identify the intervals/limitations for each particular aircraft configuration.
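The Maintenance Checks rule and the Effectivity field of the AMP Task Format described in this section lend themselves to an automated consistency check. The sketch below is an added example, not taken from the book or from any maintenance software; the record layout, the strict per-parameter comparison (no conversion between FH, FC and calendar time), the "MO" calendar-months key, and all task numbers and registrations are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Task:
    number: str             # AMP task number
    task_code: str          # task type category (OPC, GVI, DET, ...)
    source: str             # origin of the task (MRBR, ALS, CMR, ...)
    interval: dict          # repeat interval per parameter, whichever occurs first
    effectivity: frozenset  # registrations for which the task is in force


@dataclass
class Check:
    name: str
    interval: dict          # same convention as Task.interval
    task_numbers: tuple     # AMP tasks packaged into this check


def packaging_findings(check, tasks_by_number):
    """Return (task number, parameter, reason) for each packaged task whose
    interval would be overrun if it were performed only at this check."""
    findings = []
    for number in check.task_numbers:
        task = tasks_by_number.get(number)
        if task is None:
            findings.append((number, None, "task not in AMP"))
            continue
        for param, limit in sorted(task.interval.items()):
            check_limit = check.interval.get(param)
            if check_limit is None:
                # The task is limited in a parameter the check does not control.
                findings.append((number, param, "check has no limit in this parameter"))
            elif check_limit > limit:
                # The check is more permissive than the task it contains.
                findings.append((number, param, f"check {check_limit} > task {limit}"))
    return findings


def effectivity_findings(applicability, tasks):
    """Return (task number, registrations) for each task whose effectivity
    names aircraft that are outside the AMP applicability."""
    findings = []
    for task in tasks:
        outside = task.effectivity - applicability
        if outside:
            findings.append((task.number, tuple(sorted(outside))))
    return findings


# Constructed sample data: FH = flight hours, FC = flight cycles, MO = months.
APPLICABILITY = frozenset({"XX-AAA", "XX-AAB"})
TASKS = [
    Task("21-001", "OPC", "MRBR", {"FH": 600},
         frozenset({"XX-AAA", "XX-AAB"})),
    Task("32-010", "GVI", "MRBR", {"FH": 750, "MO": 4},
         frozenset({"XX-AAA"})),
    Task("53-120", "DET", "ALS", {"FC": 500},
         frozenset({"XX-AAA", "XX-AAB", "XX-AAC"})),
]
A_CHECK = Check("A-Check", {"FH": 600, "MO": 6},
                ("21-001", "32-010", "53-120", "99-999"))

if __name__ == "__main__":
    by_number = {t.number: t for t in TASKS}
    for finding in packaging_findings(A_CHECK, by_number):
        print("packaging:", finding)
    for finding in effectivity_findings(APPLICABILITY, TASKS):
        print("effectivity:", finding)
```

A finding here means the task has to be re-packaged, controlled out-of-phase, or the check interval tightened; an operator that converts between parameters using its anticipated utilization would replace the strict comparison accordingly.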
5.1.2 AMP Preamble—Procedures

The AMP preamble should include, although not limited to, the rules and guidelines to manage:
• The maintenance tasks. The procedures to manage the maintenance tasks are usually detailed in the source documents and should be customized to the operator AMP.
• The checks/tasks thresholds/intervals. The procedures to manage the checks/task thresholds and intervals may also be detailed in the source documents: the first and repeat accomplishment of the tasks, considerations during aircraft on ground/maintenance/parking/storage, the use of Grace Periods, the Permitted Variations, the Exceptional Short-term Extensions, the Escalation, and the Evolution/Optimization procedures.

The AMP procedures are usually developed in accordance with the operator necessities to produce compliance with the regulations and standards; it is particular to each organization. The following procedures may be considered for inclusion into the AMP, although they may be developed as stand-alone or as part of the CAME/CAMP:
• AMP source documents management: control and evaluation of changes.
• AMP revision and approval.
• AMP implementation.
• Maintenance software—Management of AMP checks and tasks.
• AMP aircraft induction.
• AMP aircraft phase-out.
• Parking/storage.
• Documentation Discrepancy Reporting System (DDRS).
In addition to the distribution list described in the AMP preamble, the communications during the AMP process (with the authority, internal stakeholders, the TCH, and manufacturers) are essential for the successful completion of the AMP revision, especially in large organizations where a large volume of correspondence is processed. It is highly recommended to establish procedures that detail which communications are necessary, with whom, and how, in order to avoid any possible mistake or omission. The AMP Communications procedure may be considered in the AMP preamble.
5.1.3 AMP Structure

The importance of an AMP resides in compliance with the regulations rather than the structure of the document. The approach to defining it is a decision of the operator but must be acceptable to the competent authority. The following seven sections are usually found in any AMP; they are based on the MPD/MRBR and on the requirement to develop a Reliability Program:
• Preamble,
• Systems,
• Powerplant,
• Structures,
• Zonal,
• Components,
• Reliability Program.
These sections may be merged or segregated, e.g., Systems and Powerplant requirements may be merged in a unique section, or on-wing component tasks may be integrated into the Systems section and off-wing component requirements in a separated section.

The following content should also be covered in the AMP as applicable. It may be integrated into the sections detailed above or in dedicated sections:
• Mandatory requirements:
  – Airworthiness Limitations (ALS),
  – Certification Maintenance Requirements (CMR),
  – AD Repetitive maintenance.
• Operational requirements: RVSM, MNSP, RNAV, RNP, EDTO (ETOPS), AWO,
• Low Utilization Maintenance Program (LUMP),
• Supplemental Structural Inspection Program (SSIP),
• Corrosion Prevention and Control Program (CPCP),
• Repetitive requirements derived from Modifications and Repairs,
• Operator own tasks:
  – Reliability: non-mandatory recommendations (SB, SL, CMM, etc.) and procedures developed by the operator.
  – Operator standards: comfort and appearance items.
There are certain benefits to integrating or segregating the AMP content into the sections detailed at the beginning of this paragraph (introduction, systems, powerplant, structures, zonal, and components). The operator should look for the approach that better aligns with its organization:
• Benefits of integration. The integration of requirements into the sections detailed at the beginning of this title allows visualizing all the maintenance that is required for a system, structure, zone, or component at a glance.
• Benefits of segregation. The segregation of these requirements into separated sections is especially suitable in large organizations with multiple stakeholders. It facilitates assigning responsibilities, e.g., AD, modifications and repairs may be the responsibility of a Technical Services department, Operator’s own tasks responsibility of the Reliability department, Component tasks responsibility of a dedicated AMP team, etc.

On the other hand, the operator may decide to define and control certain regulatory requirements through the AMP. It may generate dedicated AMP sections or additional fields in the AMP Task Format, for example (Fig. 5.2):
• Critical Maintenance Tasks (CMT): identification, assessment, and establishment of error-capturing methods. Chapter 15 details the Critical Maintenance Task requirements.

Fig. 5.2 AMP Task Format with CMT provision

Fig. 5.3 Aircraft Maintenance Program Sources

Certain competent authorities may require, or the operator may decide, to include the grace periods and bridge checks derived from an AMP revision under the AMP approval. This practice shows a high level of transparency from the operator’s side. It may be developed as an Appendix to the AMP.

Another good practice is to develop an AMP Appendix to incorporate the MPD tasks that are not applicable to the AMP applicable registrations and the corresponding justification. It can facilitate the understanding of the MPD implementation, e.g., during an audit.
5.1.4 AMP Revision

The operator is responsible for evaluating new/revised requirements and instructions for the continuing airworthiness for inclusion into the AMP. The AMP should remain valid in light of the operating experience:
• Regulatory requirements, e.g., AD, ALS, CMR, etc.,
• Design holder instructions, e.g., ICA,
• In-service experience (Reliability Program),
• Type and specificity of the operation, e.g., LUMP, AWO.
EASA Part-M AMC M.A.302 (3) requires that the AMP is reviewed at least annually; the FAA has a performance-driven approach and does not impose any specific time limitation for the AMP review. It is reasonable that changes that may affect the airworthiness of the aircraft are implemented at the earliest opportunity (e.g., ALS, CMR, MRBR FEC 5 and 8).

In certain cases, where the requirements are dynamic in nature (ADs, Modifications and Repairs, and Reliability Program tasks), it is unfeasible to update the AMP at the same pace as they evolve. They usually do not trigger an AMP revision but should be included in the AMP at the next suitable opportunity. The status of ADs, Modifications and Repairs, and Reliability tasks (non-mandatory recommendations and own tasks developed by the operator) usually represents a snapshot at the time of the AMP revision. It is recommended that such clarification is included in the AMP preamble. If different rules are established by the design holder/manufacturer or the competent authority (e.g., in the case of ADs requiring to incorporate the ALS requirements into the AMP), these should be complied with straightaway.

ICA Implementation Period

The ICA implementation period is the time between the ICA approval/publication date and the effective date of the AMP revision. This time should be sufficient to analyze the changes and identify and allocate the necessary resources that may be required (staff, material, tools, facilities, etc.). While a three-month period may be found appropriate and it is a non-approved standard adopted by many operators, the fact is that the management of a large volume of changes can become lengthy.
5.2 Maintenance Planning Document (MPD)

The Maintenance Planning Document (MPD) is a repository document issued by the Type Certificate Holder (TCH) that contains repetitive maintenance tasks and additional information required for their accomplishment. The purpose of the MPD is to assist operators in the development of an Aircraft Maintenance Program (AMP). The consideration of MPD as ICA is subject to interpretation attending to the current definition; however, it is undeniable that the MPD compiles the minimum ICA to develop an initial AMP (*).

The MPD typically includes all the maintenance tasks that are part of the aircraft type certification plus the initial scheduled maintenance tasks developed alongside the type certification (primary sources) and may contain maintenance tasks from secondary sources:

Primary Sources:
• Maintenance Review Board Report (MRBR),
• Airworthiness Limitations (ALS),
• Certification Maintenance Requirements (CMR).

Secondary Sources:
• Regulatory requirements,
• Airworthiness Directives (AD),
• Operational requirements: RVSM, MNSP, RNAV, RNP, EDTO (ETOPS), AWO,
• Low Utilization Maintenance Program (LUMP),
• Supplemental Structural Inspection Document (SSID),
• Life Extension Program (LEP),
• Repetitive requirements derived from Service Bulletins (SB) and Service Letters (SL),
• Repetitive requirements derived from Modifications and Repairs,
• Component Manufacturer recommendations,
• Etcetera.

(*) Compliance with the MPD does not constitute compliance with the minimum requirements, e.g., ALS Life Limitations, not considered as repetitive maintenance tasks, may not be incorporated in the MPD but are part of the AMP. Even if the MPD contains all the primary and secondary sources listed above, the operator is still responsible for controlling, analyzing, and implementing each source document, as applicable.

The consideration of secondary sources into the MPD differs between Type Certificate Holders (TCHs). Small manufacturers with a few clients tend to customize the MPD more by considering more secondary sources so it is easier for the operator to implement the requirements into the AMP; larger manufacturers with many clients may leave the responsibility of evaluating these secondary sources to the operator, allowing more flexibility.

The MPD is the link between the requirements defined in the source documents and the procedures to accomplish such requirements. The MPD incorporates references to the instructions for the accomplishment of the maintenance tasks. These instructions are usually developed in the Aircraft Maintenance Manual (AMM). The AMM is an ICA that contains most of the necessary tasks, step by step, for the maintenance of the aircraft. Complex maintenance tasks that require specialized maintenance techniques, test equipment, or expertise are usually developed in different manuals, e.g., Non-Destructive Test (NDT) Manual.

The MPD contains additional information relevant for the planning of the task such as the man-hours required to perform it and the number of staff and the skills required. Usually, the man-hours provided in the MPD have to be adjusted to the operator’s efficiency. Each maintenance organization should calculate its labor efficiency factor based on its own experience. The MPD planning information, together with the AMM instructions, provides the basic information to schedule an MPD maintenance task: accesses, panels, material, components, equipment, tools, workforce, skills, etc.

The operator must highlight any discrepancy between the MPD requirements and the source documents to the TCH. A Document Discrepancy Reporting System to register and control documentation discrepancies is recommended.
5.2.1 MPD and AMM/IPC Revision Cycle

As introduced in the previous paragraphs, the Aircraft Maintenance Manual (AMM) is an ICA document that contains most of the necessary tasks and procedures for the maintenance of the aircraft: information of the aircraft features, systems, structures, installations, basic control, servicing procedures, maintenance instructions, access procedures, removal/installation of parts and components, methods and equipment, instructions to apply protective treatments after structural inspections, etc.

The Illustrated Parts Catalogue (IPC) is the document that details all the information related to the parts and components that are certified to be fitted on the aircraft. It includes the parts and components for which a maintenance instruction is provided in the AMM.
5 AMP Content and Maintenance Planning Document (MPD)
Both AMM and IPC are used not only for scheduled maintenance but also for the accomplishment of non-scheduled maintenance. Modifications/repairs may revise the content of AMM/IPC through dedicated Supplements provided in the modification/repair approved data package.

The operator is responsible for identifying changes derived from the AMM/IPC revision that may impact the Aircraft Maintenance Program (AMP); the AMM should be reviewed to identify changes to the task setup: subtasks, equipment, material, critical tasks/independent inspection/reinspection/required inspection item, etc. Certain elements developed by the operator that are based on the AMM should also be reviewed, e.g., when the operator takes credit for the calculation of the next due of a task from the accomplishment of a different task based on the AMM assessment.

The IPC should be reviewed to identify changes in the effectivity of AMP tasks for requirements at component level defined with open applicability in the source document, e.g., the MRBR requires the in-shop operational check of the flight recorders and a new Part Number (P/N) is introduced by the IPC revision; the operator should identify the P/N through the IPC review and add it to the AMP task unless the appropriate means to avoid the installation of such P/N into the operator’s fleet are established.

Depending on the TCH, the issue of an AMM/IPC revision may be aligned with the issue of the AMP Primary Source documents (MRBR, ALS) and other ICAs (SRM, NTM/NDT, etc.) in a Maintenance Data Cycle. The implementation of AMM/IPC within the maintenance organization is usually immediate as soon as they are issued; it is a regulatory requirement to keep the maintenance data up to date, including its revision status, on the work card/worksheet used by the mechanic.
Certain issues or misalignments may arise between the time the MPD and the AMM/IPC are released within the maintenance organization and the time at which the changes are fully implemented in the AMP (AMP Effective Date), e.g.:

• The AMM procedure has been deleted. This may be because the associated MPD task has also been deleted; the operator is still responsible for complying with the AMP task until it is removed from the AMP. In urgent cases, a temporary Work Card based on the instructions provided in the previous revision of the AMM may be developed until the new AMP revision incorporating the changes becomes effective.

Other issues may be derived from the TCH documentation management; the operator should establish the means to identify such omissions/mistakes and take the appropriate measures to correct them, e.g.:

• New/revised MPD task without AMM reference/procedure. The operator should contact the TCH to provide the AMM reference/procedure. If the procedure has no immediate effect or impact (e.g., high threshold tasks), the AMM procedure may be delayed.
• The MPD task applicability does not match the AMM instruction applicability. In case there is no AMM instruction available for specific registrations, the operator should contact the TCH to provide it or expand the AMM task applicability, as applicable.
• The MPD references an AMM procedure that has been deleted. The operator should contact the TCH to reinstate the procedure into the AMM or provide appropriate MPD-AMM references.
• The IPC removes a Part Number (P/N) that is installed on the operator’s fleet. The operator should contact the TCH to reinstate the P/N into the IPC or justify the deletion, in which case additional actions will be required.

Changes to the maintenance documentation require micromanagement. The operator should establish the means and use its best engineering practices to identify and correct any inconsistency derived from the maintenance documentation.
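The four TCH documentation discrepancies listed above can be detected mechanically at each revision cycle. The following sketch is an added example, not taken from the book or from any TCH tool; the record layout, the finding codes, and all task numbers, AMM references, registrations, and part numbers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class MpdTask:
    task_no: str
    amm_ref: Optional[str]          # AMM procedure the MPD task points to
    applicability: FrozenSet[str]   # aircraft registrations


@dataclass(frozen=True)
class AmmProcedure:
    ref: str
    applicability: FrozenSet[str]
    deleted: bool = False           # deleted in the current AMM revision


@dataclass(frozen=True)
class Finding:
    code: str
    item: str
    detail: str


def check_mpd_against_amm(tasks: Iterable[MpdTask],
                          procedures: Iterable[AmmProcedure]) -> List[Finding]:
    """Cross-check each MPD task against the current AMM revision."""
    amm = {p.ref: p for p in procedures}
    findings = []
    for task in tasks:
        if task.amm_ref is None:
            findings.append(Finding("NO_AMM_REFERENCE", task.task_no,
                                    "MPD task has no AMM reference/procedure"))
            continue
        proc = amm.get(task.amm_ref)
        if proc is None or proc.deleted:
            findings.append(Finding("AMM_PROCEDURE_DELETED", task.task_no,
                                    f"{task.amm_ref} is not in the current AMM revision"))
            continue
        # Registrations the MPD task applies to but the AMM instruction does not cover.
        uncovered = task.applicability - proc.applicability
        if uncovered:
            findings.append(Finding("APPLICABILITY_MISMATCH", task.task_no,
                                    "no AMM instruction for " + ", ".join(sorted(uncovered))))
    return findings


def check_ipc_against_fleet(ipc_previous: Set[str], ipc_current: Set[str],
                            installed: Dict[str, Set[str]]) -> List[Finding]:
    """Flag part numbers dropped by the IPC revision that are still installed."""
    removed = ipc_previous - ipc_current
    findings = []
    for registration in sorted(installed):
        for part_number in sorted(installed[registration] & removed):
            findings.append(Finding("IPC_PN_REMOVED", part_number,
                                    f"removed from the IPC but installed on {registration}"))
    return findings


def run_sample() -> List[Finding]:
    """Run both checks over constructed data (all identifiers are made up)."""
    fleet = frozenset({"REG-1", "REG-2", "REG-3"})
    tasks = [
        MpdTask("MPD-0001", "AMM-PROC-A", fleet),   # consistent
        MpdTask("MPD-0002", None, fleet),           # no AMM reference
        MpdTask("MPD-0003", "AMM-PROC-B", fleet),   # AMM does not cover REG-3
        MpdTask("MPD-0004", "AMM-PROC-C", fleet),   # AMM procedure deleted
    ]
    procedures = [
        AmmProcedure("AMM-PROC-A", fleet),
        AmmProcedure("AMM-PROC-B", frozenset({"REG-1", "REG-2"})),
        AmmProcedure("AMM-PROC-C", fleet, deleted=True),
    ]
    installed = {"REG-1": {"PN-100"}, "REG-2": {"PN-200"}, "REG-3": {"PN-100"}}
    findings = check_mpd_against_amm(tasks, procedures)
    findings += check_ipc_against_fleet({"PN-100", "PN-200"},
                                        {"PN-100", "PN-300"}, installed)
    return findings


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.code:24} {f.item:10} {f.detail}")
```

Each finding corresponds to one of the cases in which the operator should contact the TCH, so the output can feed a Document Discrepancy Reporting System directly.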
5.3 Maintenance Requirement and Task Card

A Maintenance Requirement contains all the information necessary to schedule a maintenance task. It is also known under other designations, such as Engineering Control, and its content may be integrated within a Task Card.

The Maintenance Requirement is usually defined by task number, description, zone, task code and sources, threshold/interval, references, effectivity, and revision status (task revision date and reason of revision) and may include additional information such as line/base/heavy maintenance classification.

The operator may group Maintenance Requirements that are to be accomplished together into a Maintenance Check to facilitate their scheduling. See Sect. 11.1.3 for further information.

On the other hand, a Task Card is a customization of the maintenance instructions provided by the Design Approval Holder (DAH) or instructions developed by the operator in support of the completion of the task by the technician. A Task Card is also known as Work Card, Work Sheet, or Job Instruction Card (JIC).

A Task Card should be structured in clear stages to avoid variability or error (e.g., disassembly, accomplishment of the task, reassembly, and testing). It typically includes the following provisions:

• information required for the task accomplishment, e.g., equipment, material preload, access, qualifications, transcription of the maintenance data instructions or references to it, maintenance data revision status, etc.,
• record of the accomplishment of the maintenance task stages (technician sign-off), and
• record of error-capturing required actions (see Chapter 15 for further information about Critical Maintenance Tasks/Identical Tasks and Required Inspection Items).

It is highly recommended to establish the means and procedures to ensure that any transcription of the maintenance data instructions into the Task Card system maintains its integrity. To avoid mistakes/omissions, the Task Card should be simplified to the maximum acceptable level.

The Task Card preparation usually involves a detailed evaluation of the source documentation tasks and subtasks (AMM, IPC, NTM, etc.) to identify which level of access and resources are necessary for its accomplishment. The examination should be deep enough to identify the appropriate facilities, workforce, and technician qualifications, maintenance times, equipment, and material.

For certain maintenance actions, usually those requiring design changes (e.g., ADs or modifications/repairs), the Maintenance Requirement/Task Card may be developed through a specific type of document known as Engineering Order (EO).
Chapter 6
AMP Primary Sources
The primary sources of an Aircraft Maintenance Program (AMP) are those required for the type design certification (ALS and CMR) and the initial scheduled maintenance tasks developed alongside the type certification (MRBR). Compliance with the instructions contained in these sources is mandatory. While ALS and CMR documents are made binding by Airworthiness Directives (AD), compliance with the MRBR could be substituted by alternative means of compliance to develop the initial aircraft maintenance program if accepted and approved by the competent authority. In a typical scenario, the MRBR becomes the soul of the party. This chapter describes the primary source document standards and processes that are required for the development of an initial Aircraft Maintenance Program.
6.1 Maintenance Review Board Report (MRBR)

The Maintenance Review Board Report (MRBR) is an ICA document that contains the minimum scheduled maintenance requirements to be used in the development of an approved maintenance program for an aircraft and its components. The MRBR is developed by the regulatory authority of the state of design and representatives of the aviation industry (design organizations and air operators). Regulatory authorities of the states of intended operation and other interested parties may also participate in the process.

The MRB process involves all the activities to develop, review, and amend the MRBR. The main purpose of the process is to assist the design organization and operators in developing the initial maintenance program for newly certified aircraft and/or engines and the regulatory authority in approving that program.

The standards for the MRB process are set at the highest level in the ICAO Airworthiness Manual Doc 9760. In compliance with this manual, the International Maintenance Review Board Policy Board (IMRBPB) issues the International MRB/MTB Process Standard (IMPS) as guidance outlining the processes and procedures used during the MRB/MTB [1] process. The MRB process’s main tool is a task-oriented methodology known as MSG-3 analysis. This chapter goes into the MRB international standards, the IMPS, and the MSG-3 methodology.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_6
6.1.1 The International Maintenance Review Board Policy Board (IMRBPB)

The International Maintenance Review Board Policy Board (IMRBPB) is a body formed by aviation regulatory authorities and representatives of the industry with the objective of developing procedures and guidance on the MRB/MTB process and the use of the MSG-3 methodology. The IMRBPB promotes harmonization between the regulations through a structured forum for discussions. The IMRBPB convenes once a year. The IMRBPB positions become policy only when they are adopted by the corresponding regulatory authority.

Composition of the IMRBPB:

• Members from Regulatory Authorities who have signed the IMRBPB charter (Australia; Brazil; Canada; China; the European Union; Hong Kong; Japan; Singapore; and the USA).
• The Maintenance Programs Industry Group (MPIG) and Rotorcraft MPIG (RMPIG). The MPIG is an organization formed to represent aircraft operators and manufacturers. It is facilitated by the Airlines for America (A4A), formerly known as Air Transport Association (ATA). The MPIG provides a forum to develop consensus positions on regulatory proposals and to propose solutions to emerging issues.
• The board is open to appropriate representative parties within the aviation industry.

The IMRBPB issues the International MRB/MTB Process Standard (IMPS) as guidance to standardize the processes and procedures to be used by the regulatory authorities in the oversight and approval of scheduled maintenance requirements. When the IMPS is referenced as the MRB standard in the regulatory frameworks, it is possible to apply validation principles. For example, within the EU-US Bilateral Aviation Safety Agreement (BASA), EASA and FAA recognize the approval of each other’s MRBRs because the IMPS is referenced in both regulatory frameworks.

The IMRBPB also reviews Candidate Issue Papers presented by any of its members. Candidate Issue Papers are proposals for changes to the IMPS or MSG-3 methodology.
The candidate becomes an Issue Paper (IP) once approved by the IMRBPB. The IP is implemented within the next suitable revision of IMPS or MSG-3. The application of an Issue Paper, the IP44 for the Evolution/Optimization of the MRBR, is detailed in Sect. 6.1.7.

[1] Maintenance Type Board (MTB) is the process recommended for small aircraft.
6.1.2 The International MRB/MTB Process Standard (IMPS)

The International MRB/MTB Process Standard (IMPS) [2] is designed to standardize the development of scheduled maintenance requirements. Although the IMPS describes the MRB and MTB procedures, MTB is recommended for aircraft less than 15,000 kg and is not covered here. MRB is recommended for transport category aircraft of more than 15,000 kg, but this process may be used for any other aircraft if the applicant so chooses.

The MRBR is developed by the Type Certificate (TC) applicant, the Certification Authority (CA), air operators, and other regulatory authorities. The MSG-3 methodology is used by specialist working groups to propose maintenance tasks/intervals that are presented to the Industry Steering Committee (ISC). The ISC prepares a recommendation for the MRBR, which is then reviewed by the MRB and approved by the MRB Chairperson.

[2] International MRB/MTB Process Standard (IMPS). IMRBPB. Issue No. 01, 2019.

The IMPS defines the following bodies in the organization that develops the MRBR:

• Maintenance Review Board (MRB): responsible for approving the MRBR under the management of the MRB Chairperson. Functions:
– Determine and assign MRB members and MRB advisors to the MWGs.
– Review and accept the PPH.
– Coordinate the MRB activities, issues, and associated matters with the ISC Chairman.
– Ensure that the TCH provides adequate training, including MSG-3 methodology, to all MRB members.
– Ensure CA participation in all MWGs and attend ISC meetings.
– Invite ISC Chairperson and selected ISC members to the MRB meetings.
– Review and discuss ISC proposals.
– Approve the MRBR.
• Type Certificate Holder (TCH): responsible for applying for the MRB process to the CA. Functions:
– Assign an ISC Co-Chairman.
– Develop a PPH for presentation to the ISC and MRB.
– Provide aircraft technical, PPH, and MSG-3 training for all ISC and MWG members.
– Provide the ISC with a candidate list of Maintenance Significant Items (MSI), Structural Significant Items (SSI), and Lightning/HIRF Significant Items (LHSI), supported by the MSG-3 analysis.
– Attend each MWG and ISC meeting.
– Provide the ISC/MRB and appropriate WG members with details of design changes that will impact the MSG-3 analysis, which may include changes due to potential Airworthiness Limitation Items (ALI) and Candidate Certification Maintenance Requirements (CCMRs).
– Maintain records of the MSG-3 analysis.
– Ensure that the aircraft manuals contain information and procedures for accomplishing all on-aircraft maintenance tasks covered in the MRBR.
• Industry Steering Committee (ISC): responsible for managing the activities of the Working Groups (WGs) and preparing the MRBR under the management of the ISC Chairperson, usually an operator of the aircraft or similar model. The ISC is formed by the TCH, operators, aircraft/engine/propeller manufacturers, and, if appropriate, representatives of maintenance organizations. Functions:
– Determine the number and type of MWGs and organize them.
– Review and approve the PPH and forward it to the MRB Chairperson for acceptance.
– Attend MRB meetings when requested by the MRB Chairperson.
– Invite MRB Chairperson and selected MRB members to the ISC meeting.
– Invite other Validation Authorities (VA) to the ISC meetings.
– Direct the activities of the MWGs.
– Review and accept all MWG analyses.
– Prepare the MRBR prior to submission for approval to the MRB Chairperson.
• Maintenance Working Groups (MWGs): responsible for reviewing and endorsing the MSG-3 analysis proposals made by the TCH. Each WG is formed by specialist representatives of the aircraft/engine/propeller TCH, vendors, operators, maintenance organizations, and regulatory advisors. It is recommended that a minimum of three operators are represented in each WG meeting. The WG Chairperson is selected by the WG and accepted by the ISC. Normally the WG Chairperson will be an operator. Functions:
– Review technical data and MSG-3 analysis provided by the TCH.
– Develop initial minimum scheduled tasking/interval requirements using the latest accepted PPH procedures and the revision of the MSG-3 document referenced in the PPH.

Fig. 6.1 MRB process

The MRBR is a living document; it is recommended that the ISC Chairperson/Co-Chairperson and the MRB Chairperson carry out a yearly review to determine the need for revisions.
6.1.3 Policy and Procedures Handbook (PPH)

The Policy and Procedures Handbook (PPH) compiles all the necessary information required for the development of the initial minimum scheduled maintenance/inspection requirements. It is developed by the TCH with the support of the CA. The policy and procedures detailed are the basis to be followed by the WGs, the ISC, and the MRB. Basically, the PPH contains the IMPS and MSG-3 standards adapted to the specific project. Any deviations from the IMPS or MSG-3 methodology must be reflected in the PPH and accepted by the CA.
6.1.4 Utilization Considerations

The MSG-3 analysis as a whole assumes an anticipated average annual utilization of the aircraft. Task intervals are determined as a function of this assumption and are valid for the defined utilization envelope. The utilization envelope is reflected in the PPH and the MRBR. When the utilization falls outside the utilization envelope defined in the MRBR, the TCH is responsible for developing specific recommendations outside the MRB process, e.g., Low Utilization Recommendations (LUR).
6.1.5 The Maintenance Steering Group (MSG)

The first generation of aircraft maintenance programs was based on the idea that each part on an aircraft required regular overhaul. Experience showed that some components did not require as much attention as others, and new, more efficient and cost-effective methods of control were demanded by the industry.

In 1968, the FAA and representatives of the industry (the Air Transport Association (ATA), airlines, aircraft manufacturers, and suppliers) formed a Maintenance Steering Group (MSG) that introduced for the first time the concept of decision logic to develop scheduled maintenance for the new Boeing 747 aircraft. The results of this task force were captured in a document that could be used in the future for newly certified aircraft and that was titled Maintenance Evaluation and Programme Development and formally known as MSG-1.

MSG-1 introduced two processes for the development of routine maintenance tasks:

• Hard-Time (HT): preventive maintenance process that requires a system or component to be overhauled or removed from service at fixed periods.
• On-Condition (OC): preventive maintenance process that requires a system or component to be inspected for serviceability (to be removed from service before failure).

The standard ensured that the units were removed from service before failure during normal operation.

In 1970, MSG-1 was updated to MSG-2, titled Airline/Manufacturer Maintenance Programme Planning; this revision updated the decision logic that could be used in this case for the new generation of aircraft. It was process-oriented and analyzed failure modes from the component level up. MSG-2 applied to specific aircraft and produced a list of Maintenance Significant Items (MSIs) to which the logic was applied.

MSG-2 introduced a third process (in addition to Hard-Time and On-Condition) for the development of routine maintenance:

• Condition Monitoring: non-preventive maintenance process that allows a system or component to operate until failure without an adverse effect on safety.

MSG-2 presented several weaknesses:

• economic effects not considered
• difficulty to track so many components
• difficulty to deal with the increased complexity of aircraft systems
• corrosion prevention measures not properly addressed
• confusion with the interpretation of HT, OC, and CM.
In 1980, MSG-2 evolved to MSG-3, titled Operator/Manufacturer Scheduled Maintenance Development; MSG-3 is a task-oriented approach that analyzes system failure modes from a system level down through the Failure Mode Effect Analysis (FMEA) methodology.

MSG-3 segregated the consequences of functional failures into two categories: “safety” and “economic”. Further classification determined subcategories based on the evidence of the failure: “evident to” or “hidden from” the operating crew. The task-oriented model eliminated the confusion associated with the interpretation of Hard-Time, On-Condition, and Condition Monitoring.

On the structural side, the logic evolved to take into consideration possible structural deterioration (fatigue, corrosion, accidental damage, age, etc.) and recognized new damage tolerance and fatigue evaluation rules.

The MSG-3 methodology is maintained by the ATA and has continued evolving in successive revisions of the document published since its first issue [3]. Some of the changes are the addition of guidelines for the Corrosion Prevention and Control Program (CPCP), the Enhanced Zonal Analysis Procedure (EZAP) with emphasis on the Electrical Wiring Interconnect Systems (EWIS), and the analysis for Lightning/High Intensity Radiated Field (L/HIRF).

The MSG-3 Analysis methodology is broken down in the following paragraphs.
6.1.6 MSG-3 Analysis Methodology

The working portions of the MSG-3 process are contained in four individual sections, each one with its own decision-logic:

• Systems and Powerplant,
• Aircraft Structures,
• Zonal Inspections,
• Lightning/High Intensity Radiated Field (L/HIRF).

6.1.6.1 Systems and Powerplant
Systems and Powerplant Analysis Procedure

Before the MSG-3 logic can be applied to aircraft systems and powerplants, the Maintenance Significant Items (MSIs) must be identified in a top-down process that first classifies the aircraft’s major functional areas, then the ATA systems/subsystems, and continues down to all replaceable items. The highest manageable level of the items subject to failure that could affect safety, be undetectable during operations, or have significant operational or economic impact will be selected in the “Candidate MSI List.” The list will be reviewed by the ISC and validated by the Working Groups.

Once the MSIs have been listed, the function (normal characteristics of an item), functional failures (failure of an item to perform its intended function), failure effects (results of functional failures), and failure causes (why the functional failure occurs) will be identified for each MSI.

[3] MSG-3: Operator/Manufacturer Scheduled Maintenance Development, Volume 1—Fixed Wing Aircraft. A4A. Revision 2018.1.

Following the established decision-logic diagrams described in the MSG-3:

• The consequences of failure are classified into Failure Effect Categories (FECs):
– Evident Safety (FEC 5): task required to ensure safe operation.
– Evident Operational (FEC 6): task desirable if it reduces the risk of failure.
– Evident Economic (FEC 7): task desirable if the cost of the task is less than the cost of repair.
– Hidden Safety (FEC 8): task required to avoid the safety effect of failure.
– Hidden Non-safety (FEC 9): task desirable to avoid economic effects of failure.
(Note: Evident/Hidden refers to the crew awareness of the failure during normal operation)
• The failure causes are analyzed for each FEC to select the specific type of task:
– Lubrication (LUB)/Servicing (SVC) (for all FEC categories). The purpose is to maintain inherent design capabilities. This task is selected if the replenishment of the consumable reduces the rate of functional deterioration.
– Operational (OPC)/Visual Check (VCK) (for FEC 8 and 9 only). The purpose is to determine that an item is fulfilling its intended purpose; it does not require quantitative tolerances, it is a failure finding task. This task is selected if it is possible to identify the failure.
– Inspection (GVI/DET/SDI)/Functional Check (FNC) (for all FEC categories). The purpose of an inspection is to detect damage, failure, or irregularity. The purpose of a functional check is to determine if the function(s) of an item performs within specified limits; it is a quantitative check. This task is selected if the reduced resistance to failure is detectable and there is a consistent interval between deterioration condition and functional failure. The level of inspection and the methods necessary to detect the failure determine three types of inspection:
  General Visual Inspection (GVI): visual examination to detect obvious defects within touching distance.
  Detailed Visual Inspection (DET): intensive examination to detect defects.
  Special Detailed Inspection (SDI): intensive examination to detect defects that require specialized equipment/techniques.
– Restoration (RST) (for all FEC categories). The purpose is to return the item to a specific standard.
This task is selected if the item shows functional degradation at a certain point in its life and most of the units are to be used after that point.
– Discard (DIS) (for all FEC categories). The purpose is to remove from service the item at a specified life limit. This task is selected if the item shows functional degradation at a certain point in its life and most of the units are to be used after that point, but it is not possible to restore the item to a specific standard.
– Combination (for FEC 5 and 8 only). For the safety categories, it is necessary to analyze all possibilities to choose the most effective task(s).

Fig. 6.2 Systems and Powerplants MSG-3 Analysis (simplified)

Task Interval

The task interval is selected by the Maintenance Working Group (MWG) based on available data (failure rates and characteristics) and/or guided by the experience with similar systems or components. The MWG takes into consideration tests, technical analysis, and recommendations of the manufacturer, customer requirements, and service experience with similar items. During this process, the MWG will identify the appropriate parameter(s) (flight hours, flight cycles, calendar time, engine/APU hours/cycles, engine/landing gear change, etc.) and the associated numerical interval(s).

Warning: A task should not be performed more often than required as it may have an adverse effect on safety and reliability due to maintenance errors.

Certification Maintenance Requirements (CMR)

Certification Maintenance Requirements (CMR) are tasks identified during the type certification process. They are the result of a System Safety Analysis intended to detect safety significant latent failures that may result in a hazardous or catastrophic failure condition. See Sect. 6.2.1.3 for further information.
CMRs originate from a different analysis process than the MSG-3 analysis. However, it may be acceptable to use an MSG-3 task in lieu of a Candidate CMR (CCMR) only in the following case: the MSG-3 task is safety categorized, meets the interval and scope of the CCMR or is adjusted to meet it, and it is accepted by the ISC/WG. If the ISC/WG does not accept the CCMR, then a CMR is established and remains independent from the MSG-3 task.

Sampling

When there is not enough experience to determine appropriate tasks and intervals, the MSG-3 methodology can implement Sampling programs to examine a certain number of items that are subject to in-service deterioration. Non-sampled items continue in service until the results of the Sampling determine the need for additional tasks and/or item improvement.
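The Failure Effect Categories, the task types listed for each of them, and the condition for using an MSG-3 task in lieu of a CCMR can be expressed as a consistency check over working-group proposals. The sketch below is an added example, not part of the book or of the MSG-3 document; the function names, the record layout, and the sample tasks and intervals are constructed, and treating "meets the interval" as "same parameter, interval no longer than the CCMR" is an assumption.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

ALL_FECS = frozenset({5, 6, 7, 8, 9})
SAFETY_FECS = frozenset({5, 8})   # Evident Safety and Hidden Safety

# Task codes mapped to the FECs the text lists them for.
TASK_APPLICABILITY = {
    "LUB": ALL_FECS, "SVC": ALL_FECS,
    "OPC": frozenset({8, 9}), "VCK": frozenset({8, 9}),
    "GVI": ALL_FECS, "DET": ALL_FECS, "SDI": ALL_FECS, "FNC": ALL_FECS,
    "RST": ALL_FECS, "DIS": ALL_FECS,
}


@dataclass(frozen=True)
class Msg3Task:
    code: str       # LUB, SVC, OPC, VCK, GVI, DET, SDI, FNC, RST or DIS
    interval: int
    unit: str       # interval parameter, e.g. "FH" (flight hours), "FC" (flight cycles)


@dataclass(frozen=True)
class Ccmr:
    interval: int
    unit: str


def failure_effect_category(evident: bool, effect: str) -> int:
    """Map crew awareness and failure consequence to FEC 5-9."""
    if effect not in ("safety", "operational", "economic"):
        raise ValueError(f"unknown effect: {effect!r}")
    if evident:
        return {"safety": 5, "operational": 6, "economic": 7}[effect]
    return 8 if effect == "safety" else 9   # FEC 9 is Hidden Non-safety


def review_selection(evident: bool, effect: str,
                     tasks: Sequence[Msg3Task]) -> Tuple[int, List[str]]:
    """Return the FEC and the findings raised by the proposed task selection."""
    fec = failure_effect_category(evident, effect)
    findings = []
    for task in tasks:
        allowed = TASK_APPLICABILITY.get(task.code)
        if allowed is None:
            findings.append(f"{task.code}: unknown task code")
        elif fec not in allowed:
            findings.append(f"{task.code}: not listed for FEC {fec}")
    if fec in SAFETY_FECS and not tasks:
        findings.append(f"FEC {fec}: a task is required but none is selected")
    return fec, findings


def can_replace_ccmr(fec: int, task: Msg3Task, ccmr: Ccmr, scope_met: bool,
                     accepted_by_isc_wg: bool) -> Tuple[bool, List[str]]:
    """Check whether an MSG-3 task may be used in lieu of a CCMR."""
    reasons = []
    if fec not in SAFETY_FECS:
        reasons.append("task is not safety categorized")
    if task.unit != ccmr.unit:
        # Assumption: intervals in different parameters are not comparable here.
        reasons.append("interval parameters differ")
    elif task.interval > ccmr.interval:
        reasons.append("task interval is longer than the CCMR interval")
    if not scope_met:
        reasons.append("task scope does not meet the CCMR scope")
    if not accepted_by_isc_wg:
        reasons.append("not accepted by the ISC/WG")
    return (not reasons, reasons)


def run_sample() -> dict:
    """Constructed proposals: one valid, one misapplied task, one missing task."""
    opc = Msg3Task("OPC", 600, "FH")
    hidden_safety = review_selection(False, "safety", [opc])
    evident_ops = review_selection(True, "operational", [Msg3Task("VCK", 400, "FH")])
    evident_safety = review_selection(True, "safety", [])
    credit = can_replace_ccmr(hidden_safety[0], opc, Ccmr(500, "FH"), True, True)
    return {"hidden_safety": hidden_safety, "evident_ops": evident_ops,
            "evident_safety": evident_safety, "credit": credit}


if __name__ == "__main__":
    for name, result in run_sample().items():
        print(name, result)
```

In the sample, the operational check at 600 FH is valid for FEC 8 but cannot stand in for the 500 FH CCMR until its interval is adjusted to meet it.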
6.1.6.2 Aircraft Structures

The Aircraft Structure consists of fuselage, empennage, engine mountings, landing gear, flight control surfaces, and related points of attachment. The actuation portions of landing gear, doors, flight controls, and dynamic components such as hinge bearings are treated as system components and their failures analyzed as described in the previous section Systems and Powerplants. Items that are difficult to identify as pure system or pure structure should not be analyzed independently; coordination of Systems and Structures Working Groups is necessary.

Damage Sources

• Accidental Damage (AD): random event which may reduce the strength of the structure and is not readily detectable. For example, handling equipment, foreign objects, hail, lightning, runway debris, etc. Large-size ADs such as a bird strike, large hail, or major collisions that are detectable immediately are not part of this assessment.
• Environmental Deterioration (ED): deterioration as a result of chemical interaction with the climate or environment. For example, corrosion and stress corrosion cracking, which is the combination of a corrosive environment and tensile stress. Corrosion Prevention and Control Programs (CPCP) are designed to control an aircraft structure to Corrosion Level 1 or better, meaning that the corrosion damage does not require structural reinforcement or replacement. Refer to Sect. 7.1.2 for further information on Corrosion Levels.
• Fatigue Damage (FD): propagation of cracks under cyclic loading.
Fig. 6.3 Structures MSG-3 analysis (simplified)
Structures Analysis Procedure

The MSG-3 logic applied to aircraft structures requires the structural items to be categorized according to the consequences of the failure into:

• Structural Significant Item (SSI): any item that in case of failure could affect the structural integrity necessary for the safe operation of the aircraft.
• Other Structure: any other structural item not classified as SSI.

Any SSI for which there is an associated Principal Structural Element (PSE) is subject to the Damage Tolerance and Fatigue Evaluation that is not part of the MRB process but part of the aircraft certification (CS 25.571). A PSE is an element that contributes significantly to the carrying of flight, ground, or pressurization loads, and whose integrity is essential in maintaining the overall structural integrity of the aircraft. The Structural Airworthiness Limitations are the result of that separate process and are listed in a different document. See Sect. 6.2.2 for further information.

Disregarding the SSI with associated PSE, the analysis of the SSI is carried out, in the first instance, attending to the detection of structural failures.

• Damage Tolerance (DT). Structure that can sustain damage without structural failure until the damage is detected. The manufacturer determines if timely detection is dependent on scheduled inspections.

On the other hand, all SSI are analyzed attending to the material of the structure:

• Metallic: AD/ED and CPCP inspection requirements are determined. If ED and CPCP requirements are similar, the ED task will cover the CPCP requirement; otherwise, a CPCP task is established.
• Non-metallic: AD/ED inspection requirements for timely detection of damage (including the impact of AD on ED) are listed.

For Other Structure, if the item has similar items on existing aircraft, the Structures Working Group (SWG) will develop the maintenance recommendations; otherwise, e.g., for new materials or designs, the recommendations will be given by the manufacturer. The tasks selected are included in the Scheduled Structural Maintenance.

Tasks from FD, AD, ED/CPCP (other than Airworthiness Limitations), and tasks from the Other Structure analysis are evaluated for zonal transfer and either become zonal inspection candidates or are listed in the MRBR Structures Section.
6.1.6.3 Zonal Inspections

The review of each aircraft zone usually happens when the MSG-3 analyses of Systems, Powerplant, and Structures are concluded. Special attention is given to Electrical Wiring Interconnection Systems (EWIS), defined as any electrical connection, including the associated terminal devices, with the purpose of transmitting electrical energy, data, or signals. EWIS has been a major concern after two catastrophic aircraft accidents that were associated with electrical wiring systems degradation.
Zonal Analysis Procedure
The first step to apply the MSG-3 logic is to divide the aircraft into zones as defined in the ATA iSpec 2200.⁴ For each zone, the following details are to be listed: access, installed equipment, L/HIRF protection features, wire bundle installation, potential for presence of combustible materials, etc.
There are two types of zonal analysis:
• Standard Zonal Analysis for zones containing only structure and/or systems installations without electrical wiring. All tasks developed through the standard zonal analysis should be included in the Zonal Inspections. However, the Zonal Inspections may be compared with the GVIs arising from the Systems and Powerplant, Structures, and L/HIRF analysis procedures in this way:
– If the access requirement is the same and the proposed interval is at least as frequent, the Zonal Inspection will fully cover the GVI.
– Otherwise, a stand-alone GVI should be included in the corresponding MSI for Systems and Powerplant, in the SSI for Structures, and in the LHSI for L/HIRF, from which it was identified.
• Enhanced Zonal Analysis Procedure (EZAP) for zones that contain systems installations with electrical wiring, including potential for combustible material presence. The EZAP identifies stand-alone inspection tasks focused on EWIS. Task type selection:
– GVI may be found effective for the complete zone. GVIs arising from the EZAP are to be compared with the Zonal Inspections resulting from the standard zonal analysis. If the access requirement is the same and the proposed interval is at least as frequent, the Zonal Inspection will fully cover the GVI. Otherwise, a stand-alone GVI should be included in the Systems and Powerplant tasks under ATA 20 Standard Practices—Airframe with references to the EZAP.
– DET may be found effective for specific items in a zone. In this case, the Detailed Inspection should be included in the Systems and Powerplant tasks under ATA 20 Standard Practices—Airframe with references to the EZAP.
Whenever possible, the intervals should match those selected for targeted scheduled maintenance checks. Each zone may involve multiple zonal inspections, with less frequent intervals for those requiring intensive access requirements.
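The comparison rules of the zonal analysis procedure above, written out as an added Python example (it is not taken from the book or from the MSG-3 document). Zone numbers, panel and task identifiers, and the unit codes are constructed; treating intervals expressed in different units as not comparable, and rejecting detailed inspections from sources other than the EZAP, are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Interval:
    value: int
    unit: str                  # "FH", "FC" or "MO" (constructed unit codes)


@dataclass(frozen=True)
class ZonalInspection:
    ident: str
    zone: str
    access: frozenset          # panels that must be opened for the inspection
    interval: Interval


@dataclass(frozen=True)
class Candidate:
    ident: str
    source: str                # "SYSTEMS", "STRUCTURES", "LHIRF" or "EZAP"
    task_type: str             # "GVI" or "DET"
    zone: str
    access: frozenset
    interval: Interval


@dataclass(frozen=True)
class Disposition:
    candidate: str
    covered_by: Optional[str]  # zonal inspection that fully covers the task
    listed_in: str             # where the task ends up


# Where a task is listed when no zonal inspection covers it.
STANDALONE_HOME = {
    "SYSTEMS": "MSI (Systems and Powerplant)",
    "STRUCTURES": "SSI (Structures)",
    "LHIRF": "LHSI (L/HIRF)",
    "EZAP": "Systems and Powerplant, ATA 20, EZAP reference",
}


def at_least_as_frequent(zonal: Interval, task: Interval) -> bool:
    # Assumption: FH, FC and calendar intervals cannot be compared directly,
    # so a unit mismatch never demonstrates coverage.
    return zonal.unit == task.unit and zonal.value <= task.value


def covering_inspection(task: Candidate,
                        zonals: Sequence[ZonalInspection]) -> Optional[ZonalInspection]:
    # A zone may carry several zonal inspections; any one of them covers the
    # GVI if the access is the same and its interval is at least as frequent.
    for z in zonals:
        if (z.zone == task.zone and z.access == task.access
                and at_least_as_frequent(z.interval, task.interval)):
            return z
    return None


def dispose(task: Candidate, zonals: Sequence[ZonalInspection]) -> Disposition:
    if task.source not in STANDALONE_HOME:
        raise ValueError(f"unknown source {task.source!r}")
    if task.task_type == "DET":
        if task.source != "EZAP":
            raise ValueError("only EZAP detailed inspections are handled here")
        # An EZAP DET targets specific items and always stays stand-alone.
        return Disposition(task.ident, None, STANDALONE_HOME["EZAP"])
    if task.task_type != "GVI":
        raise ValueError(f"unknown task type {task.task_type!r}")
    z = covering_inspection(task, zonals)
    if z is not None:
        return Disposition(task.ident, z.ident, "Zonal Inspections")
    return Disposition(task.ident, None, STANDALONE_HOME[task.source])


# Constructed sample data: one zone with a light-access and a deep-access inspection.
ZONALS = [
    ZonalInspection("ZL-191-01", "191", frozenset({"191BB"}), Interval(24, "MO")),
    ZonalInspection("ZL-191-02", "191", frozenset({"191BB", "191KB"}), Interval(72, "MO")),
]
CANDIDATES = [
    Candidate("SYS-GVI-01", "SYSTEMS", "GVI", "191", frozenset({"191BB"}), Interval(36, "MO")),
    Candidate("STR-GVI-01", "STRUCTURES", "GVI", "191",
              frozenset({"191BB", "191KB"}), Interval(48, "MO")),
    Candidate("LH-GVI-01", "LHIRF", "GVI", "191", frozenset({"191BB"}), Interval(6000, "FH")),
    Candidate("EZAP-GVI-01", "EZAP", "GVI", "191", frozenset({"191BB"}), Interval(24, "MO")),
    Candidate("EZAP-DET-01", "EZAP", "DET", "191", frozenset({"191BB"}), Interval(48, "MO")),
]


def run_sample() -> dict:
    return {c.ident: dispose(c, ZONALS) for c in CANDIDATES}


if __name__ == "__main__":
    for d in run_sample().values():
        print(d)
```

The structures GVI stays stand-alone because the only zonal inspection with the same access is less frequent than the task requires.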
⁴ iSpec 2200 is a global standard, developed like MSG-3 by the Air Transport Association (ATA), which includes the specifications for the content, structure, and electronic exchange of aircraft engineering and maintenance information.
Fig. 6.4 Zonal MSG-3 analysis (simplified)
Lesson Learned—Swissair Flight 111
On 2 September 1998, the McDonnell Douglas MD-11 operating Flight 111 departed from John F. Kennedy (JFK) International Airport, New York, on a flight to Geneva, Switzerland. The aircraft crashed on fire into the Atlantic Ocean and all 229 occupants on board were killed. The results of the investigation carried out by the Transportation Safety Board (TSB) of Canada⁵ revealed that an electrical short circuit, likely from the wiring of the in-flight entertainment system, ignited the flammable insulation and that the fire propagated to multiple aircraft systems, leading to the loss of control of the aircraft.
Fig. 6.5 Partial reconstruction of the cockpit area. Transportation Safety Board of Canada
The fire likely started above the cockpit ceiling, a zone with several wire bundles containing hundreds of wires, due to a wire arcing event that ignited the nearby insulation blankets. The presence of significant amounts of flammable material allowed the fire to spread and intensify rapidly. The aircraft did not incorporate built-in smoke and fire detection and suppression devices in the area where the fire started, nor were they required by regulation. The TSB inspections of other MD-11 aircraft showed wiring discrepancies that included chafed, cut, and cracked wires and inconsistencies in wire and wire bundle routing. The Canadian TSB sent an Aviation Safety Advisory (ASA) to the American NTSB, which resulted in the FAA issuing an MD-11 Airworthiness Directive requiring inspection to determine whether wiring discrepancies exist that could cause electrical arcing.
Although ageing was not a factor in this case, as the Swissair MD-11 was just seven years old, this accident highlighted the potentially catastrophic consequences of ageing aircraft wiring.
As a consequence of this and other accidents, such as TWA Flight 800, which is detailed in the Fuel Airworthiness Limitations (FAL) paragraphs, the certification specifications were revised to elevate the wiring requirements to a higher level.
The risks associated with wiring are nowadays addressed under the Electrical Wiring Interconnection System (EWIS) requirements. CS/FAR 25.1729 requires that the TCH incorporates any mandatory replacement time of EWIS components and an Enhanced Zonal Analysis Procedure (EZAP) in the ICA. The EZAP requires the identification of each zone of the aircraft that contains EWIS and each zone that contains EWIS and combustible materials or is in close proximity to hydraulic, mechanical, or electrical flight controls. EZAP includes the tasks and intervals to reduce the likelihood of ignition sources and accumulation of combustible material, procedures to clean the EWIS components of combustible material, and instructions and caution information to minimize contamination and accidental EWIS damage during aircraft maintenance, modifications or repairs.
⁵ Aviation Investigation Report—In-Flight Fire Leading to Collision with Water of the Swissair McDonnell Douglas MD-11 HB-IWF. Transportation Safety Board (TSB) of Canada.
6.1.6.4 Lightning/High Intensity Radiated Field (L/HIRF)
The intent of L/HIRF maintenance is to reduce the possibility that a single failure cause (such as a lightning strike), and the occurrence of a common failure cause (such as ED or AD) across redundant channels of L/HIRF protection, could impact aircraft airworthiness.
L/HIRF protection relies on internal and external protection components:
• For Line Replaceable Units (LRU) with L/HIRF internal Protection Components whose failures could have an adverse effect on safety, the aircraft manufacturer will confirm that the LRU manufacturer ensures the effectiveness of the protection. This may be done through LRU CMM procedures or other data acceptable to the regulatory authorities. MSG-3 analysis is not required.
• External On Aircraft L/HIRF Protection Components whose failure could have an adverse effect on safety must be analyzed.
The TCH may develop a combined Zonal and L/HIRF assessment if it is found convenient; in any case, it should be reflected in the PPH.
Lightning/High Intensity Radiated Field (L/HIRF) Analysis Procedure
The majority of the L/HIRF protection scheduled maintenance will be covered by the Zonal Inspections. When the Zonal Inspections cannot identify the degradation of the L/HIRF protection components, additional tasks are required.
The first step is to identify the L/HIRF Significant Items (LHSI), which are those that perform a specific function necessary to provide L/HIRF protection of critical systems and structure. Only protection components that are subject to Environmental or Accidental Damage (ED/AD) may require dedicated L/HIRF maintenance.
ED/AD threats are determined for each location where LHSIs are installed:
• If the degradation is detectable through the Zonal Inspections, no dedicated L/HIRF task is required.
• If the Zonal Inspections do not cover the detection of degradation of the LHSI and:
– the degradation is detectable without disassembly: the appropriate level of task and interval are selected.
– disassembly is required: it is necessary to assess the effects of disassembly versus the probability of degradation of the installation. If the assessment requires a task, the appropriate level of task and interval are selected. If the assessment shows that disassembly can result in additional deterioration or induce damage into the LHSI, no task is selected but redesign may be necessary.
The Working Group evaluates the L/HIRF Protection Assurance Plan (PAP) (with sample size details, number of test points, etc.) developed by the TCH, if any, in order to determine if it covers the intent of the task or a stand-alone task is required.
The tasks selected are included in the Systems and Powerplant tasks under ATA 20 Standard Practices—Airframe with references to the L/HIRF.
Fig. 6.6 L/HIRF MSG-3 analysis (simplified)
Lesson Learned—Pan Am Flight 214
The aircraft is an excellent electrical conductor that becomes an efficient path for electrical discharge. On average, each aircraft is struck by lightning once or twice a year; it depends on the area and the type of operation. Lightning strikes occur more often on aircraft flying short routes, as the aircraft has to cross altitudes with intense lightning activity (climb and descent phases) more often. The lightning effects include physical damage directly associated with the arc event, indirect effects due to the lightning current, ignition of fuel tank vapors, or engine shutdown.
On 8 December 1963, Pan Am Flight 214, operated with a Boeing 707, departed Baltimore, Maryland, with the intention to land in Philadelphia, Pennsylvania. The aircraft was struck by lightning, caught fire, and a large portion of the left wing separated. The aircraft crashed in flames, killing all 81 occupants. The results of the investigation carried out by the Civil Aeronautics Board (CAB),⁶ the precursor of the NTSB, concluded that the lightning induced the ignition of the fuel–air mixture in the left reserve fuel tank with resultant explosive disintegration of the left outer wing and loss of control of the aircraft.
⁶ Aircraft Accident Report—Pan American World Airways Boeing 707-121, N709PA, near Elkton, Alaska. CAB. 25 February 1965.
Fig. 6.7 Photo of the Pan Am accident B707 aircraft. FAA archive
In the mid-1950s, the first lightning protection design and test standards had been published, focusing on electrical bonding and lightning protection of fuel systems; no attention was given to the effects of currents conducted through other systems (e.g., electrical or avionics systems) or the overall aircraft structure. Until the Pan Am accident, it was assumed that proper electrical bonding of fuel system components provided protection against lightning-induced fuel tank explosion. The investigation revealed that additional means to mitigate the effects of lightning were needed, e.g., electrical shielding, increased skin thickness to prevent lightning penetration, etc.
The CAB issued a battery of recommendations that included the installation of static discharge wicks on aircraft not so equipped. Additionally, it was recommended to expand efforts to achieve practical means by which the flammable air-vapor mixture was eliminated from the fuel tanks; among other solutions, the CAB proposed inerting the space above the fuel. Some decades later, after the catastrophic TWA 800 fuel tank explosion detailed in Sect. 6.2.1.4, the inerting systems would come into the picture again and would become a requirement.
The CAB recommendations in regard to the Pan Am accident led the FAA to issue specific regulations to protect the aircraft from the catastrophic effects of lightning and, more specifically, for the fuel system lightning protection. Since the Pan Am event, technical studies and recommendations from other accidents/incidents have been shaping the regulation. For example, until 1976 the efforts of the fuel systems specialists focused on electrical bonding of components installed in the wing tank skins and surrounding skins and structures, but the picture changed when the Imperial Iranian Air Force Flight ULF48, a Boeing 747, crashed during its approach to Madrid, Spain, due to a fuel tank explosion caused by a lightning strike, killing all 17 people on board. The specialists began to think also about the effects of lightning currents inside fuel tanks.
Protection of aircraft electrical and electronic systems has gained relevance in recent years due to the increased High Intensity Radiated Field (HIRF) environment (radars, ground-based equipment, RF transmitters, etc.) and the increased dependence on electrical/electronic systems performing functions required for the safe operation of the aircraft (avionics, fly-by-wire, autopilot, etc.). The first HIRF environment certification was developed in Europe to protect the Airbus A320 critical systems. In 1987, the FAA also imposed certification standards to protect electrical and electronic systems that perform critical functions from HIRF.
Current regulations define the certification requirements for L/HIRF protection and address the effects of lightning on structures, fuel systems, engines, electrical and electronic system wiring and equipment, and external equipment and sensors that are connected to electrical and electronic sensors, such as antennas and air data probes, and the effects of HIRF on electrical and electronic systems.
6.1.7 Issue Paper 44 (IP 44): MRB Evolution/Optimization Guidelines
In 2001, Transport Canada Civil Aviation (TCCA) requested more defined policy/standards/procedures for the MRB evolution process. Canadian operators demanded to escalate MRB checks, with competition as the motivating factor. The TCCA did not feel comfortable granting escalations and bypassing the authority of the TCH's respective regulatory agencies. While the MRB establishes the initial minimum maintenance tasks and intervals for new operators, which tend to be conservative, the maximum intervals are only justified by the in-service experience.
In 2008, the IMRBPB approved the first issue of the IP 44 Evolution/Optimization Guidelines document. The guidelines were incorporated into the IMPS Issue No. 01 in 2019.
The guidance provided in the IP 44 establishes the basis for the PPH when TCH/OEM, MRB, and ISC want to proceed with an exercise for the Evolution/Optimization of the MRBR process. The procedures for the Evolution/Optimization based on in-service experience should be part of the Policy and Procedures Handbook (PPH) for the aircraft type developed by the TCH.
The Evolution/Optimization is carried out through the analysis of in-service data. This analysis allows tasks and intervals to be adjusted to the accumulated in-service experience. The data collected by the TCH should be based on representative samples of different aircraft age (older and newer aircraft) and all possible operating environments. The data should be standardized and include the following information:
• Serial Number of the aircraft.
• Number of tasks accomplished: the number of times the task has been accomplished, including findings. The data of consecutive task accomplishments may be required, especially for lower interval tasks, to assess the reliability related to the MRBR task.
• Interval of task findings applied: actual task interval of each participating operator.
• Component Data (Shop Findings, No-Fault-Found Removals, and Failures): this data is necessary to perform the component failure-mode and life-cycle analysis needed to support the evolution/optimization of tasks associated with the component.
• Failure Effect Category (FEC) considerations: based on the criticality identified during the MSG-3 analysis.
• Utilization: operational representation of Flight Hour versus Cycles versus Calendar time.
• Maintenance findings.
– Scheduled: findings during routine maintenance tasks.
– Unscheduled: findings and corrective actions, including PIREPs (Pilot Reports) and MAREPs (Maintenance Reports).
The significance of the findings should be weighed. Findings in the course of unrelated maintenance tasks must also be taken into consideration. Scheduled and unscheduled maintenance should be linked to the appropriate MRBR task, if possible, using four-digit ATA codes.
The in-service data collected is processed through statistical models. The data size should be sufficient to ensure a 95% confidence level on a task-by-task basis. This is the likelihood that the overall performance lies within the range specified by the sample fleet performance.
The engineering assessment should include the analysis of the correlated in-service data and the review of modification status, fleet configuration, and any other relevant information.
Note: Special care is required for MRBR tasks that have been used to cover Candidate Certification Maintenance Requirements (CCMR). The earlier decisions have to be revisited to ensure they are not invalidated.
6.2 Airworthiness Limitations (ALS) and Certification Maintenance Requirements (CMR)
Airworthiness Limitations (ALS) are scheduled maintenance items required by the design that are considered critical from a System Safety Analysis (SSA) or the Fatigue and Damage Tolerance evaluation of the structure to address potential unsafe conditions of the aircraft. ALS requirements are MANDATORY.
Conditions that do not have catastrophic effects on operational safety but maintain the continued airworthiness of the design are usually evaluated during the MRB process. This does not mean that an item (structure, system or component) is assessed through only one process (ALS assessment/evaluation or MSG-3 analysis); the two are complementary. Depending on the unsafe/no-unsafe condition that the system or component may develop, one of the assessments or both are required.
ALS are derived from two types of analyses performed by the TC/STC applicant/holder, different from the MRB process/MSG-3 methodology, that may generate different types of ALS requirements:
• System Safety Analysis (SSA): driven by CS/FAR 25.1529 Instructions for Continued Airworthiness and CS/FAR 25.1309 Equipment, systems and installations, with specific considerations for EWIS, fuel tank ignition prevention, control systems, fuselage doors, powerplant installation and reversing systems. When the design of the aircraft systems cannot comply with the conditions specified in the certification specifications, Airworthiness Limitations are established to prevent the development of failures in the form of:
– System repetitive maintenance tasks or CMR,
– Critical Design Configuration Control Limitations (CDCCL) (only for fuel systems), or
– System Life Limitations.
• Damage Tolerance and Fatigue Evaluation of the structure: driven by CS/FAR 25.1529 Instructions for Continued Airworthiness and CS/FAR 25.571 Damage tolerance and fatigue evaluation of the structure. Based on this evaluation, airworthiness limitations are established to prevent catastrophic failure of the structure in the form of:
– Structural repetitive maintenance tasks, or
– Structural Life Limitations.
This subchapter addresses the ALS processes and requirements and presents two examples of ALS documentation data packages provided by different TCHs.
6.2.1 Requirements Derived from Systems Safety Analysis (SSA)
In order to understand the Systems Airworthiness Limitations derived from a System Safety Analysis (SSA), it is necessary to define the Failure Effects and the design/installation requirements for the aircraft systems, components, and equipment. The details and specifications of the SSA during the CMR process and the determination of Fuel Airworthiness Limitations are detailed in this subchapter.
6.2.1.1 Failure Effects and Systems Safety Analysis (SSA)
The fail-safe design concept considers the effects of failures and combinations of failures in defining a safe design and ensures to a large degree the initial airworthiness of the aircraft: life limits, redundant and backup systems, isolation and/or segregation of systems/components/elements, proven reliability, failure warning or indication, flight crew procedures, etc.
Failure conditions are classified according to the severity of their effects:
• No safety effect: It does not affect safety.
• Minor: It does not significantly reduce the aircraft safety and the crew actions are within their capabilities.
• Major: It reduces the capability of the aircraft or the ability of the crew to cope with adverse operating conditions. It implies a significant reduction in safety margins or functional capabilities, a significant increase in crew workload or in conditions impairing crew efficiency, or discomfort to the flight crew, or physical distress to passengers or cabin crew, possibly including injuries.
• Hazardous: It reduces the capability of the aircraft or the ability of the crew to cope with adverse operating conditions. It implies a large reduction in safety margins or functional capabilities, physical distress, or excessive workload such that the flight crew cannot be relied upon to perform their tasks accurately or completely, or serious or fatal injury to a relatively small number of the occupants other than the flight crew.
• Catastrophic: It results in multiple fatalities, usually with the loss of the aircraft.
A System Safety Analysis (SSA) involves the assessment of all the systems on the aircraft to determine the effect of a failure. The type of analysis conducted can be:
• Quantitative: use of mathematical methods. Quantitative methods are often used to assess complex systems when there is insufficient service experience, e.g., during initial design certification.
• Qualitative: subjective non-mathematical assessment based on engineering judgment. Examples: Design Appraisal, Failure Modes and Effect Analysis (FMEA), Fault Tree or Dependence Diagram Analysis, Markov Analysis, etc.
6.2.1.2 Design and Installation Requirements
Attending to the design requirements described in the certification specifications, it is possible to categorize the Systems Airworthiness Limitations into CMR and other limitations.
Design Requirements—CMR
A Candidate Certification Maintenance Requirement (CCMR) is established when it is not possible to comply with the following design conditions for the aircraft systems and components:
• any catastrophic failure is extremely improbable and does not result from a single failure,
• any hazardous failure condition is extremely remote,
• any major failure condition is remote, and
• the crew errors are minimized through immediate indications and warnings when an unsafe system operating condition exists.
CCMRs are proposed during the initial design certification. The failure effects probabilities are considered up to the Design Service Goal (DSG) of the aircraft. The DSG is the period of time (in FH, FC, or both) established at design and/or certification during which the aircraft structure is expected to be reasonably free from significant cracking. Concerns beyond the DSG or concerns arising after the initial design certification are usually addressed through different means than the CMR process, e.g., an SSA that may originate a System Scheduled Maintenance Requirement.
Design Requirements—Other Limitations
A system repetitive maintenance task, CDCCL or System Life Limitation is established when it is not possible to comply with the following design and installation conditions for the aircraft systems or equipment:
• Aircraft equipment and systems required for the type certification or by operating rules must be designed and installed in such a way that they perform as intended,
• Other equipment and systems should not be a danger in themselves or adversely affect those required by the certification/operation, and
• EWIS must be designed and installed in such a way that any catastrophic failure condition is extremely improbable and does not result from a single failure, and any hazardous failure condition is extremely remote.
6.2.1.3 Certification Maintenance Requirements (CMR)
ICAO defines a Certification Maintenance Requirement (CMR) as “the scheduled maintenance that is required by design to help show compliance with the appropriate type certification basis by detecting the presence of a safety-significant latent failure that would result in a hazardous or catastrophic failure condition”.
CMRs are system repetitive maintenance tasks established during the type/supplemental type certification process to detect:
• latent failures that may result in a hazardous or catastrophic failure condition,
• latent failures that may result in a major failure condition and the SSA identifies the need for a scheduled maintenance task, or
• impending wear out of an item whose failure is associated with a hazardous or catastrophic failure condition.
The standards for the CMR process are set in the EASA AMC 25.1309 Equipment, Systems and Installations, AMC 25-19 Certification Maintenance Requirements, and FAA AC 25.1309-1A System Design and Analysis and AC 25-19A Certification Maintenance Requirements.
Failure Effects Probability
The following descriptions of the probability of failure effects of the aircraft systems and components (see Table 6.1) are adopted in EASA CS-25 (AMC 25.1309). FAA AC 25.1309-1A establishes the same limits but groups the Remote and Extremely Remote Failure Condition probability terms under a single category: Improbable failure. CMRs are usually based on quantitative analysis when no relevant service experience is accumulated.
Standard System Safety Analysis (SSA) Process
A Standard System Safety Analysis for the aircraft systems and components is performed by the TC/STC applicant/holder. It can be simplified in the following six steps:
• Define the systems and their interfaces and identify the functions that the system is to perform.
• Identify and classify failure conditions. It can be done through a Functional Hazard Assessment, which is a systematic examination of the aircraft and system functions to identify failure conditions arising from malfunctions, failure to function, or as a normal response to unusual or abnormal external factors.
– For non-complex systems with relevant attributes that are similar to systems used on other aircraft: classification derived from design and installation appraisals and the service experience of the comparable system.
– For complex systems: systematically postulate the effects on the safety of the aircraft and its occupants resulting from any possible failure(s).
Table 6.1 Failure conditions probability in quantitative and qualitative methods

| Failure conditions | Quantitative method | Qualitative method |
| --- | --- | --- |
| Probable Failure Conditions | Average Probability Per Flight Hour greater than of the order of 1 × 10⁻⁵ | Anticipated to occur one or more times during the entire operational life of each aircraft |
| Remote Failure Conditions | Average Probability Per Flight Hour of the order of 1 × 10⁻⁵ or less, but greater than of the order of 1 × 10⁻⁷ | Unlikely to occur to each aircraft during its total life, but which may occur several times when considering the total operational life of a number of aircraft of the type |
| Extremely Remote Failure Conditions | Average Probability Per Flight Hour of the order of 1 × 10⁻⁷ or less, but greater than of the order of 1 × 10⁻⁹ | Not anticipated to occur to each aircraft during its total life but which may occur a few times when considering the total operational life of all aircraft of the type |
| Extremely Improbable Failure Conditions | Average Probability Per Flight Hour of the order of 1 × 10⁻⁹ or less | Not anticipated to occur during the entire operational life of all aircraft of one type |

• Select the depth and scope of the analysis based on the types of functions performed by the system, the severity of the system failure conditions, and the complexity of the system.
• Conduct the analysis and produce the data.
• Assess the analysis and conclusions of multiple safety assessments.
• Prepare compliance statements, maintenance requirements (CCMR), and flight manual requirements.
Selection of CMRs
The Certification Maintenance Coordination Committee (CMCC) is convened by the TC applicant and should include manufacturer representatives (maintenance, design, safety), operators designated by the Industry Steering Committee (ISC) Chairperson, Certification Authority (CA) specialist(s) and the MRB Chairperson.
The CMCC reviews the Candidate Certification Maintenance Requirements (CCMRs), their purposes, the failure conditions and their criticality, the intended tasks and intervals, and other relevant factors. The CMCC discusses CCMR compatible tasks generated by the MRB if the MRB task is safety categorized (FEC 5 and 8) and meets or can meet the interval and scope of the CCMR, in which case the CMCC coordinates with the ISC/MWG for their review. If the proposed/revised MRB task and/or intervals are accepted by the ISC, the CCMR will be included in the MRBR. Means and protections will be required to prevent future optimization/evolution exercises from changing the scope or the interval that is required by the corresponding CCMR.
The CMCC will compile the results of the review of CCMRs and the agreements with the ISC and will submit the final CMR document to the Certification Authority (CA) for approval. The introduction of a new CMR or changes to an existing CMR after the certification must also be reviewed by the CMCC and approved by the CA. CMRs are functionally equal to ALIs, and usually, the CMR approved document is included in the Airworthiness Limitations.
CMR Categorization
The TC applicant usually categorizes the CMRs based on the sensitivity of the Failure Condition to interval escalation:
• One Star CMR (CMR*): mandatory task that cannot be escalated, changed, or deleted without the approval of the State of Design Certification Authority.
• Two Star CMR (CMR**): mandatory task that cannot be escalated, changed, or deleted without the approval of the competent Certification Authority of the State of registration, which will require the support of approved escalation procedures under a Reliability Program.
CMR Changes
Concerns beyond the DSG or concerns arising after the initial design certification are addressed through different means than the CMR process. CMR post-certification changes may only arise due to any of the following reasons:
• the world fleet service experience shows that certain assumptions regarding component failure rates made during the SSA were too conservative and new re-calculated failure rates demonstrate that the task interval may be changed,
• there is a sufficient data basis for the relaxation of the CMR,
• the authority determines that the requirement must be more restrictive (it will be mandated by an AD), or
• a new CMR unrelated to in-service events arises due to:
– certification of design changes, or
– updates to the certification compliance documentation, e.g., due to regulation changes, AD actions on similar systems or aircraft, awareness of additional hazardous or catastrophic failure conditions, revised failure rates, consideration of extended DSG, etc.
New CMRs or changes to existing CMRs should be reviewed, at least, by the same entities that were involved in the CMCC at the time of the initial design certification.
See Sect. 11.4 for Exceptional Short-term Extension to CMR.
Fig. 6.8 System Safety Analysis (SSA) (simplified)
6.2.1.4 Fuel Airworthiness Limitations (FAL)
The prevention of fuel system ignition and the reduction of fuel tank flammability take special relevance due to a series of catastrophic aircraft accidents that have occurred in the aviation industry in the past years. This has generated special rules and dedicated sections in the certification and continuing airworthiness regulations.

The standards for the Fuel Airworthiness Limitations (FAL) are set in the EASA AMC 25.981 Fuel Tank Ignition Prevention, Appendix M Fuel Tank FRM and FAA AC 25.981-1D Fuel Tank Ignition Source Prevention Guidelines, AC 25.981-2A Fuel Tank FRM and AC 120-98A Operator Information for Incorporating Fuel Tank Flammability Reduction Requirements into a Maintenance or Inspection Program.

Fuel Tank System Ignition

Fuel tank flammability is the ability of the fuel tank to ignite or explode. There are three elements for an ignition/explosion to happen (the Fire Triangle):
• Fuel. The characteristics of the fuel with regard to flammability are measured by its flash point (lowest temperature at which the fuel produces flammable vapors at sea level pressure) and its volatility/distillation (capacity of the fuel to produce flammable vapors).
• Air. Ambient air is a mixture of 21% oxygen, 78% nitrogen, and other gases. Oxygen is the oxidizing agent during the ignition/explosion process; the burning fuel reacts with the oxygen to release heat.
• Ignition source. It is any element that can release sufficient energy to initiate combustion of the fuel/air mixture.

Fuel tank system ignition sources:
• Electrical arcs and sparks are the result of electrical component and wiring failures, lightning, High Intensity Radiated Fields (HIRF)/Electromagnetic Interference (EMI) and static discharges.
• Friction sparks are the result of rubbing of metallic surfaces, e.g., debris contacting a fuel pump impeller or an impeller contacting the pump casing. The debris may come from nuts, bolts, rivets, fasteners, manufacturing or maintenance debris, and so forth that are drawn into the fuel pumps.
• Autoignition or hot surface ignition: it is caused by an increase of the flammable vapors that could exceed the ignition temperature of the fuel. The ignition temperature is the minimum temperature at which a mixture of flammable vapor and oxygen spontaneously ignites without an external source of ignition (flames, arcs, or sparks).
• Filament heating: the heating of a small diameter conductive material when exposed to electrical current.

The methods to reduce fuel tank flammability focus on reducing the presence of:
• Ignition sources. This is achieved by minimizing the presence of systems and components that may be a source of ignition within the fuel tank, where EWIS and L/HIRF protection play an important role, or through Ignition Mitigation Means (IMM), such as polyurethane foam.
• Oxygen (fuel–air mixture). This is achieved through Flammability Reduction Systems (FRS), such as Inert Gas Generation Systems (IGGS) or Nitrogen Generation Systems (NGS).

The EWIS and L/HIRF protection System Safety Assessments for elements within the fuel system may be accomplished in conjunction with the Fuel SSA.

Fuel System Safety Analysis (SSA)

The Fuel SSAs to address ignition sources versus flammability should demonstrate separately that:
• The presence of an ignition source within the fuel system is Extremely Improbable and does not result from a single failure. Additionally, it must be demonstrated that no heat transfer can lead to fuel autoignition within the fuel system; any system that may release heat to the fuel system should be considered during the analysis.
• If an FRS is installed, the FRS failure, or a failure that could affect the FRS with potential catastrophic consequences, is Extremely Improbable and does not result from a single failure. Additionally, it must be demonstrated that fuel tank pressure remains within limits during normal or failure operating conditions and that the enriched air produced by the FRS does not create a hazard.

Assumptions and considerations for the analysis with regard to ignition sources:
• Fuel tank flammability: an explosive fuel–air mixture is present in the fuel tanks at all times.
• Failure condition classification: the presence of an ignition source is a catastrophic failure condition unless design features are incorporated to mitigate the hazards of the fuel tank ignition, e.g., polyurethane foam.
• Failure conditions:
– The analysis must consider the effects of manufacturing variability, aging, wear, corrosion, and likely damage, such as a wire bundle located where a mechanic could use it as a handhold or a fuel probe located where a mechanic could use it as a step in the tank.
– The analysis must assume deficiencies and anomalies identified through service experience, failure modes identified, in-service information (e.g., supplier service data), and any other failure modes identified by the functional hazard assessment. Service experience shows that degradation of certain elements of the fuel system, such as fuel pumps and associated wiring and connectors, Fuel Quantity Indicating System (FQIS) wiring, bonding straps, etc., has been a source of ignition. It may assist in identifying possible failure modes.
• External environment: the severity of the external environmental conditions considered is that established by the certification regulations, e.g., the probability of a lightning encounter should be assumed.
• Ignition sources: electrical arcs and sparks, friction sparks, autoignition or hot surface ignition, and filament heating must be considered.
• Fuel tanks: the failure modes associated with empty fuel tanks must be considered, e.g., extended dry running of fuel pumps in empty fuel tanks may result in temperatures above the ignition temperature of the fuel or may expose the pump to debris and cause sparks.

Whenever the Fuel SSA cannot demonstrate that catastrophic consequences are Extremely Improbable and do not result from a single failure, Airworthiness Limitations are established in the appropriate form:
• System repetitive maintenance task or CMR
• CDCCL
• System Life Limitations

Critical Design Configuration Control Limitations (CDCCL)

Critical Design Configuration Control Limitations (CDCCL) are critical features of a design that must be maintained to ensure that ignition sources will not develop within the fuel tank system. CDCCLs do not have an interval; whenever maintenance, modifications, or repairs occur in the area, the CDCCL inspection must be accomplished.

CDCCLs are the means of notifying operators and design and maintenance organizations about characteristics of the fuel tank system or applicable components or parts that cannot be changed. The design holder must ensure that CDCCL items that could result in a failure, malfunction or defect endangering the safe operation of the aircraft are evident to those who may perform and approve maintenance, modifications or repairs:
• CDCCL items must be incorporated into the Airworthiness Limitations.
• CDCCL should be identified in associated ICAs, e.g., Aircraft Maintenance Manual (AMM), Component Maintenance Manual (CMM), Standard Wiring Practices Manual (SWPM), Structure Repair Manual (SRM), etc.
• CDCCL items may be provided with visible identification means, e.g., color-coding of wire to identify separation limits or identification tabs at specific intervals along the wiring.
Lesson Learned—Trans World Airlines Flight 800

On 17 July 1996, TWA Flight 800, a Boeing 747 scheduled from John F. Kennedy International Airport (JFK), New York, to Charles de Gaulle International Airport, Paris, exploded, broke up and impacted into the Atlantic Ocean, killing the 230 people who were onboard.
More than 95% of the accident airplane wreckage was recovered and reconstructed as pertinent, and one of the most ambitious investigations in aviation history was undertaken. The results of the NTSB investigation⁷ determined that the probable cause of the accident was the explosion of the center wing fuel tank (CWT), resulting from ignition of the flammable fuel/air mixture. The CWT was configured within the airframe such that the air conditioning packs were located in an enclosed bay, directly below the CWT. The air conditioning packs operate at high temperatures and the heat was transferred into the CWT. As a result, the temperature of the fuel increased and flammable fuel-air vapor was generated.
Fig. 6.9 Photo of the TWA 800 reconstructed fuselage. NTSB archive
Although the ignition source could not be determined with certainty, the most likely was a short circuit outside of the CWT that allowed excessive voltage to enter it through the electrical wiring associated with the fuel quantity indication system. Similar accidents with identical failure causes were taken as references; for example, the Philippine Airlines Boeing 737 (Flight 143)⁸ that in May 1990 suffered an explosion in the CWT and burst into flames while it was on the ground, killing 8 of the 119 occupants.
7 Accident Investigation Report—In-flight Break-up Over the Atlantic Ocean, Trans World Airlines Flight 800 Boeing 747-131, N93119. NTSB. 23 August 2000.
8 Accident description of the Philippine Airlines Boeing 737-3Y0, EI-BZG. Retrieved from https://aviation-safety.net.
During the NTSB investigation, many efforts and initiatives were undertaken in the industry in response to the disaster; it is worth mentioning the Aircraft Fuel System Safety Program (AFSSP), a voluntary program that gathered information about the overall integrity of the design and maintenance of the fuel systems throughout the life of the aircraft by performing inspections of the world fleet.

The FAA formed the Aviation Rulemaking Advisory Committee (ARAC) on Fuel Tank Flammability Reduction and a second ARAC on Flammability Reduction Systems (FMS) that included representatives from Europe, Canada, and Brazil, to evaluate both reducing or eliminating fuel-air vapor and potential ignition sources within the aircraft fuel tanks.

The TWA 800 NTSB report recommended reducing the fuel tank flammability and the ignition sources. The FAA originally issued guidance material in the form of Advisory Circulars (AC 25.981-1B and AC 25.981-2) for the prevention of fuel tank ignition sources and flammability minimization.

On 3 March 2001, a similar accident happened again; a Thai Airways Boeing 737⁹ suffered a CWT explosion while the aircraft was parked at Don Mueang Airport, Bangkok.

The FAA issued the Special Federal Aviation Regulation (SFAR) 88 based on the NTSB, the ARACs, and the industry recommendations. The SFAR 88 required the manufacturers to enhance the maintenance program to maintain design features that are necessary to prevent ignition sources in the fuel tank. The result was the requirement for Airworthiness Limitation Inspections (ALI) and Critical Design Configuration Control Limitations (CDCCL). Under certain high flammability specifications, the SFAR also mandated the incorporation of either a Flammability Reduction System (FRS) or an Ignition Mitigation Means (IMM), including the retrofit of aircraft manufactured since 1992.

The JAA (predecessor of EASA) issued the INT/POL 25/12 to request, through the National Aviation Authorities, that operators carry out a safety review of the fuel systems, in line with the SFAR 88. Later on, EASA required an FRS for aircraft with high flammability exposure only on new aircraft manufactured from 2012, without retrofit plans.
9 Accident description of the Thai Airways Boeing 737-4D7, HS-TDC. Retrieved from https://aviation-safety.net.
6.2.2 Requirements Derived from the Damage Tolerance and Fatigue Evaluation of the Structure

CS/FAR 25.571 requires that the design applicant/holders evaluate all structure of the aircraft that may contribute to catastrophic failure with respect to its susceptibility to Accidental Damage (AD), Environmental Deterioration (ED), including corrosion damage for metallics and moisture for composites, and Fatigue Damage (FD).

The evaluations required to support the Damage Tolerance and Fatigue considerations involve:
• Damage Tolerance (DT) evaluation
• Fatigue Safe-Life evaluation
• Widespread Fatigue Damage (WFD) evaluation

Damage sources (AD, ED and FD) and classification of the structure (DT and SL) are introduced in the MSG-3 analysis paragraphs (Sect. 6.1.6.2):
• Damage sources: Accidental Damage (AD) is any random event which may reduce the strength of the structure and is not readily detectable; Environmental Deterioration (ED) is the result of chemical interaction with climate or environment; and Fatigue Damage (FD) is the propagation of cracks under cyclic loading.
• Classification of the structure according to the detection of structural failures: Damage Tolerance (DT) structure can sustain damage without structural failure until the damage is detected (fail-safe); when structural failure can happen if the damage is not detected, it is classified as Safe-Life structure.

Based on the result of these evaluations, maintenance requirements may be needed to avoid catastrophic failures during the operational life of the aircraft. The operational life of the aircraft, limited by its Limit Of Validity (LOV), is the result of a full-scale fatigue test that demonstrates that WFD will not occur up to that limit.

The standards for the Damage Tolerance and Fatigue Evaluation of the Structure process are set in the EASA AMC 25.571 Damage tolerance and fatigue evaluation of the structure and FAA AC 25.571-1D Damage Tolerance and Fatigue Evaluation of Structure, AC 120-104 Establishing and Implementing Limit Of Validity to prevent Widespread Fatigue Damage, AC 120-93 DT Inspections for repairs and alterations.
6.2.2.1 Damage Tolerance (DT) Evaluation
Damage Tolerance (DT) is the attribute of the structure that permits it to retain its required residual strength without detrimental structural deformation for a period of use after the structure has sustained a given level of fatigue, environmental, accidental, or discrete source damage. DT is based on the fail-safe concept: the structure retains its required residual strength for a period of time of unrepaired use after failure or partial failure.
The DT evaluation should ensure that, although AD, ED, or FD occurs within the LOV, the structure will be capable of withstanding the loading conditions specified in the certification without failure or detrimental structural deformation until the damage is detected.

The DT evaluation should identify, in the first instance, the structural items subject to study:
• Principal Structure Element (PSE): element that contributes significantly to the carrying of flight, ground, or pressurization loads, and whose integrity is essential in maintaining the overall structural integrity of the aircraft, e.g., elements of the wing and empennage (control surfaces, primary fittings, etc.), the fuselage (pressure bulkheads, frames, skin, etc.), the landing gear and its attachments, engine mounts, thrust reverser components, etc.
• Detail Design Point (DDP): area of the structure that contributes to the susceptibility of the structure to fatigue cracking or degradation such that the structure cannot maintain its load carrying capability, which could lead to a catastrophic failure. DDPs are areas of higher risk of fatigue cracking.

Each particular design should be assessed to establish appropriate damage criteria in relation to:
• Damage-extension characteristics: it should be possible to establish the extent of damage in terms of parameters (detectability with the inspection techniques to be used, initially detectable crack size, residual-strength capabilities of the structure, likely damage-extension rate).
• Inspectionability: in cases where the area is not accessible for inspection, the DT evaluation should allow for the extension of the damage into detectable areas or demonstrate sufficient residual strength up to the LOV without inspection.

Based on the definition of the PSE/DDP and the damage criteria, the locations of damage to the structure for DT evaluation, and the modes of damage due to AD, ED, or FD are identified. The locations may be determined through analysis (static tests, fatigue analysis, etc.), from the review of the design and/or past service experience.

DT analysis and tests should demonstrate that:
• the structure, with the extent of damage established for residual-strength evaluation, can withstand the specified design-limit loads (considered as ultimate loads),
• the damage-growth rate under the repeated loads expected in service, between the time the damage becomes initially detectable and the time the extent of damage reaches the value for residual-strength evaluation, provides a practical basis for the development of the inspection program and procedures.

DT analysis/test includes repeated load and static analysis. The test evidence, supported by in-service experience, if any, should provide sufficient data to establish a structural inspection program that ensures damage detection before it becomes critical.
Structural Repetitive Maintenance Tasks

The ALS inspection thresholds are established by fatigue analysis/tests or crack-growth analysis/tests assuming an initial manufacturing damage. The thresholds of the inspections may be as low as the repeat interval or may allow longer periods when it takes a certain amount of time before fatigue cracks develop to a size that would be detectable during an inspection.

The MRB process develops an inspection program for early detection of Accidental Damage and Environmental Damage, including CPCP, in order to minimize the interaction between corrosion and accidental damage and fatigue cracking. ALS focuses on the detection of cracks developing from the damages that may lead to a catastrophic structural failure.

ALS requires that the corrosion level is controlled to Level 1 or better (the damage does not require structural reinforcement or replacement) on all PSE and DDP that could contribute to catastrophic failure. The CPCP defined in the MRBR is an acceptable means of compliance. Any damage found during ALS/MRBR structural inspections, such as fatigue cracking or corrosion greater than Level 1, should be reported to the design holder for assessment. Refer to Sect. 7.1.2 for further information on Corrosion Levels.
6.2.2.2 Fatigue Safe-Life Evaluation
When the inspections based on the Damage Tolerance evaluation for a particular structure are impractical, Fatigue Safe-life evaluation must demonstrate through analysis/test that catastrophic fatigue failure, as the result of repeated loads of variable magnitude expected in-service, is avoided up to the LOV.

Safe-life is the number of events such as FH or FC, during which there is a low probability that the strength of the structure will degrade below its design ultimate value due to fatigue cracking. An example of a structure for which a Fatigue Safe-Life evaluation may be accepted, instead of a Damage Tolerance evaluation, is the Landing Gear and its local attachments.

The Safe-Life evaluation includes:
• estimation/measurement of the in-service expected loads,
• structural analysis, including consideration of the stress concentration effects,
• fatigue testing in response to the in-service expected loads, and
• evaluation of fatigue initiation due to stress corrosion, disbonding, environment and corrosion, accidental damage, or manufacturing defects based on a review of the design, quality control, and past service experience.
Life Limits

When the evidence of the Safe-Life analysis/tests cannot demonstrate that the catastrophic fatigue failure of the structure is avoided up to the LOV, replacement times must be established. The Safe-Life Limits may be determined by:
• the failure of the structure during fatigue tests, or
• demonstration of fatigue life without failure.

6.2.2.3 Widespread Fatigue Damage (WFD) Evaluation
Widespread Fatigue Damage (WFD) is the simultaneous presence of cracks at multiple structural details that are of sufficient size and density whereby the structure will no longer meet the residual strength required for the certification.

Structural fatigue damage begins as an insignificant crack during normal operation conditions or due to corrosion, scratches, material defects, etc., and grows under repeated stress, compromising the structural integrity of the aircraft. Fatigue damage can occur locally in small areas or details, in structural elements with the simultaneous presence of cracks (Multiple Site Damage) or in multiple adjacent structural elements (Multiple Element Damage).

Limit Of Validity (LOV)

The Limit Of Validity (LOV) is the period of time, stated as FH, FC, or both, for which it has been demonstrated by full-scale fatigue test evidence that WFD will not occur in the aircraft structure. The target for a LOV is usually to meet the Design Service Goal (DSG) established during the certification process, which is the period of time during which the aircraft structure is expected to be reasonably free from significant cracking.

The first step is to identify the WFD-susceptible structure. It is a subset of the PSE that has been identified as Fatigue Critical Structure and that is susceptible to WFD.

Full-scale fatigue-test evidence is required to support the evaluation of structure that is susceptible to WFD. Sources of the evidence are:
• full-scale fatigue testing, based on realistic simulation of expected operational loads, and
• in-service data, e.g., maintenance findings and results of teardown inspections, which are those dedicated to identifying the extent of the damage caused by AD, ED, or FD.

After the entire WFD-susceptible structure has been evaluated, a final LOV is established. It results in maintenance requirements and/or design changes to support the operation up to the LOV. If the final LOV is reduced with regard to the targeted LOV, the need for maintenance requirements or design changes could also be reduced.
The Type Certificate (TC) of the aircraft may be issued before completion of the full-scale fatigue test but must ensure at least one year of safe operation substantiated by fatigue-test evidence. Until the full-scale fatigue test is completed, a limitation equal to not more than one-half of the cycles accumulated on the fatigue test must be established. An aircraft should not operate beyond this limitation or the approved LOV.

Maintenance Requirements, Modifications, and Repairs

When maintenance requirements (inspection, modification, replacement, etc.) are necessary for an aircraft to reach its LOV, they become Airworthiness Limitations or may be developed as service information for post-certified aircraft, e.g., through an SB, and be mandated by Airworthiness Directives.

When it is not possible to demonstrate that the structure affected by changes to the TC/STC (modifications or repairs) is free from WFD up to the LOV, it is necessary to:
• redesign the proposal,
• develop maintenance requirements to support that WFD does not occur before the LOV, and/or
• establish a new LOV.

Extended Limit Of Validity (LOV)

The requirements for extending a LOV are basically the same as those for establishing the initial LOV. However, while the Type Certificate Holder establishes the initial LOV, an Extended LOV is considered a major change to the type design, and therefore, it can be defined as an amendment to the TC by the TCH or as a Supplemental Type Certificate (STC). In any case, all the structural modifications/repairs that are already embodied on the aircraft must be taken into consideration, and it becomes necessary that the operator contacts the corresponding TCH or STCH for their re-assessment.

Extended LOV may apply to all aircraft for which the initial LOV was established or to a subset of those aircraft. The structural configuration (including modifications and replacements) must be considered up to the approval date of the Extended LOV.

The TCH or STCH must demonstrate that WFD will not occur in the aircraft up to the Extended LOV. The demonstration likely requires additional full-scale fatigue testing.

Extended LOV and any maintenance requirement derived from the WFD evaluation must be incorporated into the Airworthiness Limitations. The operator is responsible for incorporating the revised ALS requirements into the AMP.

Considerations for Older Aircraft

For older aircraft that have not been certified under the Damage Tolerance (DT) evaluation requirements, a Supplemental Structural Inspection Program (SSID) may be developed. See Chap. 7 for further details.
On the other hand, for aircraft that have not been certified under the Widespread Fatigue Damage (WFD) evaluation, the FAA (14 CFR 26.21 Limit of Validity) requires that a LOV and corresponding ALS to support that limit are established before the aircraft reaches its Design Service Goal (DSG). EASA rulemaking for aircraft without a defined LOV is in the process of being harmonized with the FAA.
6.2.3 Examples of ALS Documentation Data Packages

The requirements to develop the ALS ICA are analogous between EASA and FAA. However, the presentation of the ALS maintenance requirements data package is a choice of the design holder, independently of the EASA/FAA regulatory environment.

For example, Airbus, under the EASA certification authority, structures the ALS documentation into the following stand-alone documents:
• Structure:
– ALS Part 1 Safe Life Airworthiness Limitations Items
– ALS Part 2 Damage Tolerant Airworthiness Limitation Items (ALI): derived from the fail-safe—damage tolerance analysis. Includes the Limit Of Validity (LOV).
• Systems:
– ALS Part 3 Certification Maintenance Requirements (CMR): derived from the System Safety Assessment (SSA) and the MSG-3 analysis.
– ALS Part 4 System Equipment Maintenance Requirements (SEMR): derived from the system safety component evaluation, the MSG-3 analysis, and the system life limits.
• Fuel:
– ALS Part 5 Fuel Airworthiness Limitations (FAL): derived from the fuel tank safety analysis.

On the other side, Boeing, under the FAA certification authority, incorporates the ALS requirements into Section 9 of the Maintenance Planning Document (MPD) under the following format:
• Airworthiness Limitations—Structural Inspections
• Airworthiness Limitations—Structural Safe-Life Limits
• Airworthiness Limitations—Systems
• Certification Maintenance Requirements (CMR)
• Structural Limit Of Validity (LOV)
ALS documentation is mandated by AD when new requirements are added or when revised ALS requirements are more restrictive.
Chapter 7
AMP Secondary Sources: Aging Aircraft
The aging process of an aircraft depends on factors that are particular to the subject aircraft: operation, environment, maintenance, storage, etc. Like a person or a wine, each aircraft ages in a particular way.

The effects of aircraft aging have not always been taken into consideration. Aircraft were operated beyond their original Design Service Goals (DSG), and original maintenance plans did not address potential age-related unsafe conditions.

Aging of aircraft systems and components, such as EWIS, fuel, hydraulic and pneumatic lines, seals, flight instrumentation, or engine elements, is a concern since their deterioration may develop into catastrophic failures. On the other hand, the structure of aging aircraft, mostly affected by fatigue and corrosion, may also develop catastrophic failures if it is not appropriately maintained.

Several programs, triggered by catastrophic aircraft accidents, were launched to take into account the continuous use of the aircraft. Although the current regulatory environment addresses aircraft aging from the design phase, older aircraft must adhere to these requirements to mitigate the consequences of aging through adequate maintenance programs.

The means adopted to mitigate the aging of aircraft systems and components are detailed in other chapters of this book:
• Electrical Wiring Interconnection Systems (EWIS) maintenance,
• Fuel tank system maintenance,
• Component maintenance programs, e.g., engine overhaul, landing gear overhaul, etc., and
• The Reliability Program.

This chapter focuses on the structural requirements for aging aircraft that have been designed to standards less stringent than the current ones, except for Widespread Fatigue Damage (WFD) considerations. That is, when a Damage Tolerance (DT) maintenance inspection program and/or a Corrosion Prevention and Control Program (CPCP) have not been developed under the MRBR and ALS principles as detailed in Sects. 6.1.6.2 and 6.2.2.

The Maintenance Costs related to aging aircraft are outlined in Appendix A.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_7
7.1 Continuing Structural Integrity Program

The structural integrity of aging aircraft is a concern due to factors such as Accidental Damage (AD), Environmental Damage (ED), and Fatigue Damage (FD) that may contribute to catastrophic failure.

In the absence of certain maintenance inspection programs such as a Damage Tolerance (DT) maintenance inspection program or a Corrosion Prevention and Control Program (CPCP), the design holder is responsible for developing a Continuing Structural Integrity Program to maintain the airworthiness of aging aircraft.

A Structural Task Group (STG) composed of the TCH, the certification authority, and operators is formed to address the issue. The STG makes recommendations, via the TCH, to the certification authority. The authority is responsible for approving the program and ensuring its implementation by the operators; if it is considered that unsafe conditions exist, the implementation of the program, or elements of the program, is mandated by Airworthiness Directives.

The Continuing Structural Integrity Program considers the following elements:
• Supplemental Structural Inspection Program (SSIP) to detect fatigue cracking,
• Corrosion Prevention and Control Program (CPCP),
• Assessment of modifications and repairs to develop DT-based inspections for all fatigue critical structure,
• Mandatory modification program required to maintain the structural integrity.

SSIP and CPCP programs should be initiated no later than one half of the aircraft Design Service Goal (DSG).
7.1.1 Supplemental Structural Inspection Program (SSIP)

In the absence of a Damage Tolerance (DT) maintenance inspection program, EASA Part-M Appendix I to AMC M.A.302 requires that, if the TC holder has developed a Supplemental Structural Inspection Program (SSIP), it is included in the Aircraft Maintenance Program. FAA includes the SSIP requirements in the 14 CFR 121.1109, requiring that the operator incorporates an approved DT-based inspection program into the AMP.

The guidelines to develop a Supplemental Structural Inspection Program (SSIP) are detailed in EASA AMC 20-20 Continuing Structural Integrity Programme and FAA AC 91-56B Continuing Structural Integrity Program for airplanes.
The SSIP requirements are documented in the Supplemental Structural Inspection Document (SSID). The incorporation of the SSID into the operator AMP is usually mandated by an Airworthiness Directive (AD). To the extent practicable, the SSID should comply with the Damage Tolerance requirements established in CS/FAR 25.571. See Sect. 6.2.2.1.

Note: Safe-Life items, described in Sect. 6.2.2.2, do not require investigation under an SSIP with regard to Damage Tolerance. However, they should be considered during the assessment of other elements of the Continuing Structural Integrity Program, e.g., CPCP or modification program.
7.1.2 Corrosion Prevention and Control Program (CPCP)

TCHs are aware of the effects of corrosion on the aircraft; when a CPCP has not been established under the MRB process, a CPCP is usually developed voluntarily to address potential undesirable conditions. EASA and FAA consider that the CPCP objectives are met by the MSG-3 analysis (MRB process) or the TCH initiative to develop a corrosion program.

To determine the CPCP inspection tasks and thresholds/intervals, the following elements must be considered:
• Corrosion properties of the material,
• Operational environment,
• Protective treatments used,
• General practices used during manufacturing and maintenance, and
• Local and widespread corrosion.
If an unsafe condition is identified for a particular design, the CPCP will be mandated by Airworthiness Directives. The CPCP must be, in any case, approved by the certification authority.

The operator is responsible for incorporating the CPCP into the AMP unless it can demonstrate that the approved AMP already controls the corrosion to Level 1 or better. Additionally, the operator should adjust the CPCP to the particular operational conditions, e.g., humid or corrosive environment.

Corrosion Levels

The CPCP objective is to reduce the material loss due to corrosion to a level necessary to maintain the airworthiness of the aircraft (Corrosion Level 1 or better). EASA AMC 20-20 and FAA AC 43-4B define the following corrosion levels:
• Corrosion Level 1:
– damage occurring between successive inspections that is within allowable damage limits,
– damage occurring between successive inspections that does not require structural reinforcement, replacement or new damage tolerance-based inspections,
90
7 AMP Secondary Sources: Aging Aircraft
– corrosion occurring between successive inspections that exceeds allowable limits but can be attributed to an event not typical of operator usage of other aircraft in the same fleet, or – light corrosion occurring repeatedly between inspections that eventually requires structural reinforcement, replacement, or new damage tolerance-based inspections. • Corrosion Level 2: – corrosion occurring between any two successive corrosion inspections task that requires a single rework or blend out which exceeds the allowable limit, or – corrosion occurring between successive inspections that is widespread and requires a single blend-out approaching allowable rework limits. i.e., it is not light corrosion as provided for in Level 1. • Corrosion Level 3: – corrosion occurring during the first or subsequent accomplishments of a corrosion inspection task that the operator determines to be an urgent airworthiness concern.
7.1.3 SSIP/CPCP Implementation
Depending on the information provided by the TCH in the SSID/CPCP documents, the supplemental inspection requirements may need to:
• be accomplished in conjunction with the existing approved structural inspection program, or
• be a transition from an existing program, e.g., MRBR to SSID/CPCP. In this case, the design holder should provide the rules for the SSID/CPCP implementation for any of the following situations:
– SSID/CPCP comparable to the MRBR inspection when the interval is lower, the same, or greater.
– SSID/CPCP is not comparable to the MRBR inspection.
See the details for previous task accomplishment credits in Sect. 11.1.3.
Lesson Learned—Aloha Airlines Flight 243
In April 1988, the Boeing 737 Flight 243 operated by Aloha Airlines between Hilo and Honolulu, Hawaii, experienced an explosive decompression and structural failure while en route and had to perform an emergency landing at Kahului Airport, Maui island. The aircraft was carrying 6 crew members and 89 passengers, of whom one flight attendant was swept overboard during the decompression and killed; 1 more flight attendant and 7 passengers were seriously injured. The Aloha 737 fleet consisted of high-cycle aircraft operated in a harsh corrosion environment; the aircraft in question had been delivered to Aloha Airlines in 1969 and had accumulated 35,496 Flight Hours and 89,680 Flight Cycles.
Fig. 7.1 Aloha Airlines Flight 243 evacuation. NTSB Archive
The results of the NTSB investigation¹ determined that the probable cause of the accident was the failure of the Aircraft Maintenance Program to detect the presence of significant disbonding and fatigue damage of the fuselage skin lap splice. The overlapping skins were bonded together with an adhesive and fastened with three rows of rivets. The cold bond adhesive had manufacturing deficiencies that led to degraded bonds that were susceptible to corrosion. The pressurization loads, which were supposed to be transferred by the adhesive bonds, were actually transferred through the rivets, which led to multiple fatigue cracks. The advanced stages of damage at multiple sites led to the condition known as Widespread Fatigue Damage (WFD), where the aircraft structure was not able to support the loads and the fuselage upper lobe was separated.
¹ Aircraft Accident Report—Aloha Airlines, Flight 243, Boeing 737-200, N73711, near Maui, Hawaii. NTSB. 14 June 1989.
Prior to the accident, Boeing had issued an Alert Service Bulletin proposing the inspection of all the lap joints after the discovery of early production difficulties which resulted in low bond durability, corrosion, and premature fatigue cracking. The FAA issued an Airworthiness Directive but failed to require the inspection of all the lap joints proposed in the Alert SB, excluding those that failed in the Aloha flight. No complete terminating action had been developed by Boeing or required by the FAA.
Aloha Airlines was participating in the Supplemental Structural Inspection Program (SSIP), which provided inspections to identify cracks, corrosion, and other damage. The SSIP only included items where detection of structural damage required directed inspections, but excluded inspections for obvious damage or evident malfunctions. It was assumed that a rupturing crack in the fuselage skin would have been detected as obvious damage or would have led to a safe decompression in the worst-case scenario.
The Aloha Airlines AMP used a heavy maintenance D-Check interval of 15,000 FH, apparently more restrictive than the 20,000 FH recommended by Boeing. However, due to the type of operation, the aircraft was accumulating cycles at twice the rate for which the Boeing MPD was designed. The AMP had created a structural maintenance program based on hours and did not recognize the effects of the rapid accumulation of cycles, which is decisive in the initiation of fatigue cracks.
Aloha had not developed specific severe operating environment corrosion detection and corrosion control programs in accordance with the techniques recommended by Boeing (application of corrosion inhibiting compounds, aircraft washing, buffing and brightening of unpainted surfaces, etc.). Additionally, it was noted that the technicians accepted signs of ongoing corrosion damage as a normal operating condition. The NTSB concluded that the Aloha Airlines maintenance department did not have sufficient manpower, technical knowledge, or the required programs to meet its responsibility to ensure the continued structural integrity of its airplanes.
Although certification authorities, manufacturers, and operators had already become concerned with ageing aircraft, Aloha Flight 243 brought the focus onto the causes of structural ageing. The FAA issued the “Aging Aircraft Evaluation Trend Report” with several changes to regulations with regard to certification and inspection. The FAA made the Corrosion Prevention and Control Programs (CPCP) mandatory, when not developed under the MRB process or on a voluntary basis, to ensure that hazardous corrosion never occurs, and required sufficient full-scale fatigue test evidence that Widespread Fatigue Damage (WFD) would not occur within the DSG of the aircraft. But it was not until 10 years later, triggered by the TWA Flight 800 accident that brought to light the effects of age in wire bundles, that the FAA initiated a comprehensive regulatory response.
These and other accidents and incidents resulting from aircraft ageing highlight the importance of an effective Aircraft Maintenance Program that takes into consideration the effects of aircraft ageing.
Chapter 8
AMP Secondary Sources: MCAI, Modifications and Repairs, and Non-mandatory Recommendations
The Airworthiness Directives, Modifications and Repairs, and non-mandatory recommendations are grouped together under this chapter due to their dynamic nature. As introduced in Sect. 5.1, some of these maintenance requirements evolve in such a way that it may become unfeasible to keep the AMP updated at all times, e.g., new ADs, damage, changing needs arising from the Reliability Program, terminating actions, superseding inspections, etc. For these requirements, the AMP may represent a snapshot at the time of the AMP revision.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_8
8.1 Mandatory Continuing Airworthiness Information (MCAI)—Airworthiness Directives (AD)
ICAO defines Mandatory Continuing Airworthiness Information (MCAI) as “the mandatory requirements for the modification, replacement of parts, or inspection of aircraft and amendment of operating limitations and procedures for the safe operation of the aircraft”. The most common form of MCAIs is Airworthiness Directives (ADs). ADs are issued by the certification authority of the state of design to notify aircraft owners/operators about an unsafe condition that exists, or is likely to exist, and prescribe corrective actions for the continuing airworthiness of the aircraft/engine/propeller/component.
Occurrence Reporting Systems
ICAO Annex 8—Airworthiness of Aircraft requires that the airworthiness authorities develop a reporting system to collect faults, malfunctions, defects, and other occurrences which affect or may affect the airworthiness of the aircraft. This system, known in general terms as Service Difficulty Reporting System (SDRS), requires feedback from design and maintenance organizations and aircraft operators. In the EASA system, the feedback is provided through Maintenance Occurrence Reports (MORs) and in the FAA through Service Difficulty Reports (SDRs). Airworthiness Directives are usually the result of the SDRs but may originate from other occurrence reporting systems. Additional information about Occurrence Reporting Systems is detailed in Sect. 26.3.
Unsafe Condition and Corrective Action
The unsafe condition may be due to deficiencies related to design, manufacturing, maintenance, etc. Such correction may include compliance with specific instructions detailed within the AD or with instructions given by the DAH (e.g., a Service Bulletin (SB) or an Airworthiness Limitation Inspection (ALI)). The AD does not include the referenced service information, which remains the property of the design holder. A SB only becomes mandatory when an AD is issued, whatever the categorization established by the DAH (mandatory, alert, recommended, etc.). The corrective action may involve modification, replacement, limitation, inspection, periodic inspection, etc. A terminating action is a corrective action that completely resolves the unsafe condition and restores the airworthiness of the aircraft.
An Airworthiness Directive (AD) should include the following information:
• identification of the unsafe condition,
• identification of the affected aircraft/engine/propeller/component,
• corrective action required,
• compliance time for the corrective action, and
• effective date.
An AD is no longer effective when it is canceled or superseded by a new AD. While EASA issues revisions to an AD to correct minor changes, the FAA policy is to supersede it and issue a new one.
Responsibilities
When an AD has to be issued, the DAH should propose the appropriate corrective action and/or required inspections. While the responsibility of issuing the AD lies with the state of design or design change, the dissemination and compliance lie with the state of registration of the aircraft. The state of registration may issue ADs for aircraft/engine/propeller/component designed in other states.
EASA policy (ED Decision 2019/018/ED) is to endorse automatically the ADs issued by the state of design or design change of an aircraft/engine/propeller/component validated by EASA unless a different AD is issued or a different decision is taken by the agency before the effective date of the AD.
The FAA policy for imported products (Order 8040.5) is to determine first if the unsafe condition exists or is likely to exist and if a particular course of action is needed to correct it. The assessment can conclude with the AD endorsed, with different corrective actions/times, or with the unsafe condition not considered and the AD not adopted.
Under the European Union – United States BASA (Bilateral Aviation Safety Agreement), both agencies recognize that, even working in cooperation, they may disagree in finding the unsafe condition and may propose to issue a unilateral AD.
The owner of an aircraft may decide to also comply with ADs that are not mandated by the state of registration but that can facilitate the End Of Lease (EOL).
When compliance with an AD to correct an unsafe condition is urgent, it is issued as an Emergency Airworthiness Directive (EAD). For non-emergency Airworthiness Directives, the airworthiness authority usually first announces a proposal for an AD that is open to the public for feedback. In the EASA system, the proposal is known as Proposed Airworthiness Directive (PAD). The FAA makes use of the CFR system under the Notice of Proposed Rulemaking (NPRM) process.
EASA issues a special type of AD when the content includes reserved information: the Sensitive Security Airworthiness Directive (SSAD). SSADs are only distributed to the states which have registered affected aircraft. It is the responsibility of the state of registration to inform only the concerned parties, including owners/operators.
Acceptable Means of Compliance (AMOC)
Acceptable Means of Compliance (AMOC) are approved deviations to ADs, e.g., alternative modifications, inspection procedures, compliance times, limitations, etc. The AMOC is requested by the operator (it may be through the DAH) and approved by the competent authority of the state of registration. When the competent authority of the state of registration does not have sufficient expertise or all the relevant information, advice from the DAH or the competent authority of the state of design may be requested.
When the AD is revised, the AMOC should still be valid; a revision of an AD does not introduce more restrictive requirements. However, when an AD is superseded, the AMOC is invalidated, if no other provisions are stated in the AMOC, and the operator should submit a new AMOC application for the new AD if it is still required.
Scheduled Requirements
EASA Part-M (M.A.302 (d)(1)) requires that the AMP establishes compliance with instructions issued by the competent authority. Repetitive instructions specified in Airworthiness Directives should be incorporated in the AMP. The FAA regulation does not specifically require including the process for managing ADs in the AMP; however, for air carriers, it is recommended as per AC 120-16G.
Special attention must be given to Airworthiness Directives mandating the incorporation of an Airworthiness Limitations document (ALS) into the AMP. It is required when the ALI tasks are more restrictive; when the ALS revision means alleviation, there is no reason to justify the issue of an AD. Failure to comply with the more restrictive ALI tasks may lead to an unsafe condition; therefore, ALS requirements are considered MCAI.
8.2 Modifications and Repairs
As seen in Chap. 4, the Design Approval Holder is responsible for providing the appropriate ICA or variation to ICA to keep the airworthiness standard when a modification or repair to the type design of an aircraft/engine/propeller/component is embodied.
8.2.1 Modifications
ICAO defines modification as “a change to the type design of an aeronautical product which is not a repair”. Modifications originate for diverse reasons:
• mandatory requirements (e.g., AD or operational regulations),
• type of operation (e.g., installation of RVSM, AWO, or EDTO (ETOPS) equipment),
• reliability (e.g., recommendations derived from in-service experience), or
• operator requirements (e.g., curtains installation, cabin layout change, or passenger to cargo conversion).
When a new modification is mandated or the need for a modification is addressed, a DAH, which may be the TCH, should provide the approved data necessary to maintain the airworthiness of the aircraft. A demodification (bringing back the aircraft/engine/propeller/component to the original type design) is considered a modification and the same rules apply.
Responsibility for the approval of a modification depends on the extent of the change (major or minor). The form in which the modification is approved depends on the type design that is intended for modification (TC/STC) and on the entity that develops the modification.
• Major Modification: TC/STC modification that has an appreciable effect on the airworthiness (mass, balance, structural strength, reliability, operational characteristics, noise, fuel venting, exhaust emission, operational suitability data, or other characteristics affecting the airworthiness) and requires approval from the certification authority. The major modification may affect a TC or an STC. The form in which the modification is presented depends on the holder of the design change:
– Change to the Type Certificate: When the modification is developed by the TCH, it is usually presented in the form of a Service Bulletin (SB). Its associated ICA may be covered in the same or different SB, or in other TC ICA (MRBR, IPC, etc.). When the modification is developed by a Part-21 organization, other than the TCH, it is usually presented in the form of a Supplemental Type Certificate (STC). Its associated ICA is part of the certification process and included in the STC approved data package.
– Change to the Supplemental Type Certificate: It is usually developed by an STCH and presented in the form of a new STC. Its associated ICA is part of the certification process and included in the new STC approved data package.
• Minor Modification: TC/STC modification that has no appreciable effect on the airworthiness and its approval is granted by the certification authority or an approved design organization. Minor modifications are usually presented as SB, and the associated ICA will be part of the TC ICA if developed by the TCH or part of the modification data package if developed by a different Part-21 organization.
In-house modifications not approved by a Part-21 organization, usually presented in the form of Engineering Orders (EO), are a continuing airworthiness organization practice used to develop modifications that have “no impact” on the aircraft airworthiness. These modifications are not based on approved data, and the evaluation of the interference of the modification with the airworthiness may not be properly assessed. Therefore, EASA and the FAA consider that the assessment must be determined by a DAH approved under a Part-21. In the case in which an in-house modification procedure is agreed with the competent authority, it should be reflected in the organization’s exposition.
Production modifications are changes embodied during the aircraft certification process. They may be linked to a SB that contains the instructions to implement such modification for aircraft that are already in service. Both production modification and linked modification SBs play an important role in the ICA for defining the task effectivity. For example, an MRBR/ALS/CMR task may be only effective for aircraft that have or have not incorporated certain modifications; the modification is given by the production modification reference or by the corresponding modification SB.
8.2.2 Repairs
ICAO defines repair as “the restoration of an aeronautical product to an airworthy condition as defined by the appropriate airworthiness requirements”.
When damage is found in an aircraft/engine/propeller/component, an assessment should be carried out to determine if it is within the established limits or requires repair. Assessment guidelines and standard repairs (major and minor) are included in the Structural Repair Manual (SRM) or the Maintenance Manual provided by the DAH. They contain all the information required to develop a standard repair and the associated ICA. When the damage is out of limits and the manuals do not consider a standard repair, a design organization must be contacted in order to assess the damage and design the repair.
The design of a repair can be classified based on the nature of the structure being repaired:
• Standard Repair: it is a repair that follows design data included in the certification specifications (acceptable methods, techniques, and practices) for its accomplishment.
• Major Repair: it has an appreciable effect on the airworthiness (structural performance, weight, balance, systems, operational characteristics, or other characteristics affecting the airworthiness) and requires approval from the certification authority, a DAH, or a DER (only FAA). The major repair may affect a TC or an STC. Note: Manual supplements are not in the scope of the DER and need additional approval.
• Minor Repair: it has no appreciable effect on the airworthiness and its approval is granted by the certification authority or an approved design organization.
A repair can also be classified according to its temporary/permanent nature:
• Temporary repair: it is a provisional repair that includes a limitation after which it must be replaced by a permanent repair.
• Permanent repair: it does not include any life limitation.
The repair may require additional inspections to maintain the continued airworthiness of the aircraft/engine/propeller/component. The inspections may also be temporary until the permanent repair is embodied or required throughout the life of the product.
The design organization must provide the appropriate repair design data. Its presentation depends on the DAH and the certification authority. For example, Airbus approves the repair through the Repair and Design Approval Form (RDAF) (formerly Repair Design Approval Sheet (RDAS)), and Boeing approves the repair using the FAA Form 8100-9 Statement of Compliance with Airworthiness Standards.
Fig. 8.1 Sample FAA Form 8100-9 used for Repair Data Approval. FAA Order 8100.15 CHG 1
8.2.3 Modifications/Repairs Scheduled Requirements
EASA Part-M AMC M.A.302 requires that repetitive maintenance tasks derived from modifications and repairs are incorporated into the Aircraft Maintenance Program (AMP). An equivalent requirement is reflected in the FAA 14 CFR 121.367 and 135.425 for the CAMP to cover alterations. It is further described in the AC 120-16F.
The modification/repair approved data package should include the appropriate ICA to support the continued airworthiness of the aircraft/engine/propeller/component; specific maintenance requirements necessary to demonstrate that the affected structure, if any, is free from Widespread Fatigue Damage (WFD) up to the Limit Of Validity (LOV) may be incorporated into the design change ICA. When the ICA includes repetitive maintenance tasks, these shall be part of the AMP.
Modifications and repairs are dynamic in nature; this means that between consecutive AMP revisions, there are some factors that will change the repetitive requirements, e.g., requirements derived from new modifications/repairs or embodiment of permanent solutions. It is not always feasible to update the AMP in the same dynamic way as the modifications/repairs evolve. The status of repetitive tasks from modifications/repairs is a snapshot at the time of the AMP revision. It is recommended that such clarification is included in the AMP preamble.
Generally, repetitive maintenance requirements derived from modifications and repairs do not trigger an AMP revision. However, it is recommended that changes derived from major modifications/repairs, which are critical because they may have a considerable effect on the airworthiness, are included in the AMP at the earliest opportunity. The changes derived from minor modifications should also be included in the AMP at the next convenient opportunity.
The process to control modifications and repairs usually depends on the size of the continuing airworthiness organization. While small organizations tend to manage the inspections derived from modifications/repairs on a case-by-case basis through the main AMP process, larger organizations usually manage them through a more complex and separate process. It is the responsibility of the continuing airworthiness organization to include these inspections in the AMP.
Lesson Learned—Japan Airlines Flight 123
On August 12, 1985, the Boeing 747 Flight 123 operated by Japan Airlines between Tokyo and Osaka, Japan, went out of control due to fatigue failure of the aft bulkhead, followed by structural failure of the vertical stabilizer, and crashed after 32 min of irregular flight killing 520 of the 524 occupants, becoming the deadliest single-aircraft accident in aviation history.
The maintenance manager and the engineer who had inspected and cleared the aircraft as airworthy committed suicide. The Japanese Aircraft Accident Investigation Commission (AAIC), which led the investigation,¹ revealed the chain of events that resulted in the crash.
¹ Aircraft Accident Investigation Report—Japan Air Lines Boeing 747 SR-100, JA8119, Gunma Prefecture, Japan. AAIC. June 19, 1987.
Fig. 8.2 Accident aircraft flying over Okutama with the missing vertical stabilizer. Photo 124 of the Aircraft Accident Investigation Report
Seven years earlier, during a landing roll, the aircraft struck its aft fuselage on the runway and suffered considerable damage. The Boeing standard repair (temporary) consisted of a continuous splice plate with three rows of rivets. However, a Boeing inspector found a reduced edge margin around the rivet holes on the splice surface in comparison with the drawings, and the repair was improperly redesigned and installed: two splices with only one line of rivets effectively carrying the loads instead of two. Since the repair, a number of fatigue cracks propagated, mainly at one-row rivet connection portions, reducing the strength of the aft bulkhead to the extent that it could not support the cabin pressure and ruptured, causing the subsequent ruptures of the fuselage tail, vertical stabilizer, and hydraulic flight control systems.
The C-Check, which was conducted up to 6 times between the repair and the accident, included the visual inspection procedures for the aft pressure bulkhead. It is considered that the inspection method was not adequate, as such cracks, with a critical length, were not found.
In line with the AAIC report, the NTSB recommendations were undertaken by the FAA under several initiatives, including the revision of several 14 CFR parts to require repair assessment programs from the operators.
8.3 Non-mandatory Recommendations
The design holder/manufacturer of an aircraft/engine/propeller/component issues documents in the form of Service Bulletin (SB), Service Letter (SL), etc., to inform the operator about product improvements and solutions to in-service issues. The design holder of an engine/propeller/component may also include specific recommendations in its Maintenance Manual. See Sect. 10.2 for further details about Component Maintenance Manual recommendations.
Although these recommendations are considered by the TCH to develop the ICAs, the operator is also responsible for evaluating the adequacy of their implementation for its particular fleet and operation. In this regard, EASA CAMO.A.315(b)(4) and corresponding AMC require that the continuing airworthiness organization establishes a procedure to assess non-mandatory modifications and/or inspections and decide on their application, making use of the organization’s safety risk management process. This information includes SB, SL, Maintenance Manuals, and any other information that is produced for the aircraft and its components by an approved design organization, the manufacturer, the competent authority, or the agency.
When the operator adopts scheduled maintenance derived from non-mandatory recommendations, it will be part of the AMP. The recommendation should include, as a minimum, the applicability, the interval, the maintenance task scope, and the instructions or reference to the instructions.
As happens with Airworthiness Directives, modifications, and repairs, non-mandatory recommendations may be dynamic in nature. The operator may decide to comply with a SB/SL repetitive inspection to address issues until a final solution (terminating action) is developed, address issues that are more cost-effective than implementing a final solution, or address issues temporarily until the effectiveness of the recommendation is demonstrated (troubleshooting). It is not always feasible to update the AMP in the same dynamic way as the adopted recommendations may evolve; the status of SB/SL inspections in the AMP is a snapshot at the time of the AMP revision.
In the case of components, the recommendation may be made binding by the vendor/repair shop, e.g., due to warranty.
The effectiveness of an adopted recommendation is measured by the Reliability Program. As a minimum, it should be part of the yearly review of the AMP.
A recommendation may become mandatory when it is mandated by the authority, e.g., through the issuance of an AD.
8.3.1 Service Bulletins (SB)
A Service Bulletin (SB) is a document issued by the DAH of an aircraft/engine/propeller/component to notify owners/operators about product improvement (related to safety, reliability, costs, or operational/maintenance practices). The actions required by a SB may include modifications, one-time inspection/check, repetitive inspections/checks, change in the limitations, etc. Generally, a SB issued by the engine/propeller/component DAH is referred to as Vendor Service Bulletin (VSB).
There is no standard to classify the SB, but usually, the DAH does it in accordance with safety considerations. When the SB addresses unsafe conditions, it may be classified as “Mandatory” or “Alert”; otherwise, the SB may be classified as “Recommended” or “Optional”.
When the condition highlighted by a SB may affect the safety of the aircraft, the competent authority usually issues an Airworthiness Directive (AD), but there are exceptional means that they use to make a SB mandatory, e.g., through the Airworthiness Limitations (ALS). The issuance of an AD is “independent” of the SB classification; a SB does not become mandatory until the competent authority decides so. A SB classified by the design holder as “mandatory” will become mandatory if the competent authority has the same consideration about the safety concern as the DAH; otherwise, from the regulatory point of view, it is acknowledged as a recommendation.
When the instructions provided in the SB include repetitive inspections or modifications that may cause changes in the effectivity of an ICA maintenance task, it should be considered and reviewed by the DAH, e.g., for inclusion in the ALS/CMR/MRBR.
8.3.2 Service Letters (SL)
A Service Letter (SL) is a document issued by the design holder of an aircraft/engine/propeller/component to notify owners/operators about ongoing issues. Although the purpose of an SL and SB may be confused, generally an SL is more informational (solutions to production issues, operation/maintenance recommended practices, advance information about a future production modification or SB release, spares interchangeability, etc.) and does not involve any major change or minor change with safety aspects. The intent of an SL may be covered by documents under different names, e.g., Airbus uses In-Service Information (ISI) documents for the same purpose.
8.4 Embodiment Policy
As explained in the introduction of this chapter, it is a regulatory requirement that the operator adopts a policy to review non-mandatory information related to the airworthiness of the aircraft. This information is not limited to SBs, SLs, and CMMs; any information that may affect the airworthiness of the aircraft must be evaluated regardless of the form in which it is presented by the DAH, manufacturer, competent authority, or agency.
While the safety factor must be decisive across all operators in their Embodiment Policies, there are other aspects to be taken into consideration by the operator at the time of deciding the adoption of a non-mandatory requirement, e.g., dispatch reliability, remaining lease time, corrective actions already taken, operator standards, or airline reputation.
An Embodiment Policy should not be to adopt all non-mandatory recommendations or not to adopt any. Incorporating all the recommendations is not cost-effective and may increase the probability of maintenance errors. Not incorporating any requirement may lead to lower levels of safety and reliability and also increase the costs. The policy should guarantee that the safety, reliability, and standards established by the operator are maintained.
The Embodiment Policy process should contain the following aspects:
• Evaluation:
– Technical analysis. Typically, it includes the review of the current status of the particular system or component (AMP, modifications already embodied, etc.) and in-service data.
– Return On Investment (ROI) analysis and/or Cost–Benefit Analysis (CBA). ROI is the calculation of the benefits expected (e.g., lower shop visits due to increased reliability, increased aircraft dispatch reliability, etc.) versus the costs of implementing the recommendation (e.g., material, manpower and facilities costs, etc.). CBA is a broader analysis and tries to quantify not only tangible but also intangible costs and benefits (e.g., airline reputation). Further CBA information is detailed in Sect. 30.2.
• Decision/Justification. The technical and the ROI/CBA analyses, the standards established by the operator, and the aircraft availability are taken into consideration to decide whether to implement the recommendation. The decision may be to embody it in the whole fleet, to embody it on attrition, to embody it partially in the fleet (e.g., a sample to monitor the results of the embodiment) or not to embody it.
• Recording. The evaluation of the recommendation and the decision/justification must be registered by the operator.
• Results monitoring. The analysis of the effectiveness of the requirement is measured by the Reliability Program that ensures the loop is closed.
All the aspects of the Embodiment Policy apply not only to the known non-mandatory recommendations but also to other types of modifications that the operator decides to accomplish, e.g., an STC or a minor modification in a form other than an SB. In the case of an AD involving an SB, the SB will be released in advance, and the operator may decide not to implement it in the first instance. However, the decision of the operator must be revoked as soon as the AD is issued.
The degree of involvement of the departments/individuals of the continuing airworthiness organization in the Embodiment Policy process usually depends on the size of the organization and the type of recommendation. A Modification Embodiment Policy Board formed by the main stakeholders (Technical Services, Maintenance Programs, Reliability, Materials, Repairs, Finances, etc.) may be a good idea, especially for modifications with greater impact such as major modifications.
Chapter 9
AMP Secondary Sources: Operational Requirements and Changes to the Operation Type
The operator must incorporate scheduled maintenance required for the operation under specific approvals (RVSM, MNPS, PBN, EDTO, and AWO) and requirements to support changes to the type of operation (utilization changes and Low/High Utilization Recommendations) into the Aircraft Maintenance Program. Other miscellaneous operational requirements such as those dedicated to the maintenance items of the Preflight Check, Safety/Emergency Equipment (ELT, First-Aid Kits, Medical Emergency Kits, etc.), Flight Recorders, and the Weight and Balance of the aircraft should also be incorporated into the AMP.
9.1 Scheduled Requirements Derived from Specific Operation Approvals
Certain aircraft operations requiring specific approvals may entail the accomplishment of additional scheduled maintenance in order to maintain such approval. The competent authority of the state of registration/operation will require those additional requirements to be included in the Aircraft Maintenance Program. The relevant operation approvals include, but are not limited to:
• Reduced Vertical Separation Minima (RVSM) operations,
• Minimum Navigation Performance Specifications (MNPS) operations,
• Performance-Based Navigation (PBN): Area Navigation (RNAV) and Required Navigation Performance (RNP) operations,
• Extended Diversion Time Operations (EDTO): ETOPS/LROPS,
• All Weather Operations (AWO): CAT II, CAT III, and LTVO.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_9
ICAO Annex 6—Operation of Aircraft pays attention to all the requirements listed above. The main regulatory authorities, including EASA and the FAA, echo the ICAO standards and recommendations and adapt them to their respective regulatory frameworks. In the EASA system, the requirements are detailed in the Air Operation rules, and their inclusion into the Aircraft Maintenance Program is a main point of Part-M. EASA M.A.302 (e) explicitly requires that “the Aircraft Maintenance Program shall contain details, including frequency, of all maintenance to be carried out, including any specific tasks linked to the type and the specificity of operations”.
While the TC/STC holder or equipment manufacturer may provide ICA in support of the equipment and systems required for operations requiring specific approvals, ultimately, it is the responsibility of the operator to comply with those instructions and with any additional requirement established by the competent authority. In this regard, the MSG-3 methodology incorporates provisions, introduced through the IP 99 ETOPS/MRBR Tasking Requirements, to take into consideration the certificated operating capabilities of the aircraft.
It is important to differentiate between the airworthiness approval, which is the capability of the aircraft to perform a specific operation (equipment, systems, performance, etc.), and the approval of the specific operations, which is related to the capability of the operator to perform the operation (it requires the airworthiness approval plus additional procedures, flight crew training, operator experience, etc.).
When the ICAs given by the TC/STC holder are a source of the AMP, it is convenient and sufficient that the AMP preamble mentions the ICA as a source document and states that the AMP complies with the specific approval requirements, e.g., RVSM capabilities are inherent functions of the design of the aircraft, and the scheduled maintenance necessary for the RVSM operation has been considered during the MRB process, the MRBR being a source of this Aircraft Maintenance Program. It is recommended that any other instruction or restriction to the ICA established by the competent authority is added to the AMP with the appropriate cross-reference to the regulation paragraphs.
9.1.1 Reduced Vertical Separation Minima (RVSM)
Reduced Vertical Separation Minima (RVSM) is an ICAO program to increase the airspace capacity and reduce fuel consumption and emissions. The program applies in certain portions of the airspace between flight levels FL 290 and FL 410 and reduces the aircraft vertical separation to 300 m (1000 ft), allowing the aircraft to fly more optimal profiles.
The RVSM operational approval must be granted by the competent authority and involves:
• RVSM airworthiness approval (capability of the aircraft). The equipment should be able to indicate the FL being flown, automatically maintain a selected FL, alert the flight crew when a deviation from the selected FL occurs, and automatically report pressure altitude,
• procedures for monitoring and reporting height-keeping errors. The operator should report occurrences caused by malfunction of aircraft equipment or of operational nature to the competent authority,
• a training program for the flight crew,
• operating procedures (MEL, preflight procedures, in-flight procedures, etc.).
Since 2018, for intended operations within the U.S. airspace, the FAA does not require specific RVSM operation approval if the above criteria are met and the altitude-keeping performance is monitored with Automatic Dependent Surveillance-Broadcast (ADS-B) equipment.
Scheduled Requirements
EASA AMC3 SPA.RVSM.105 requires that the AMP includes the ICA issued by the TC holder in relation to the RVSM operations certification (CS-ACNS, Certification Specifications for Airborne Communications, Navigation and Surveillance). The ICA should contain, but is not limited to, the transponder testing, the maintenance/inspection of the autopilot to ensure continued accuracy and integrity of the automatic altitude control system, the maintenance of all the RVSM equipment in accordance with the corresponding CMMs, and the performance criteria of the RVSM approval data package. The continuing airworthiness procedures should establish the appropriate means to assess any modification, repair, or design change which may affect the RVSM approval, e.g., alignment of pitot/static probes, repairs to dents, or deformation around static plates. For new RVSM-approved aircraft and approvals based on design changes (STC, SB, etc.), the holder of the design/design change should provide the ICA.
FAA AC 91-85B RVSM requirements are equivalent to those prescribed by EASA.
When the aircraft is designed with RVSM capability, the MRB process may identify the required RVSM scheduled maintenance/intervals, and it is good practice to reflect it in the AMP preamble; when the RVSM capability is introduced through design changes, it is convenient to identify the associated ICA in the AMP preamble and reference it in the corresponding RVSM tasks.
Lessons Learned—Vertical Separation
The development of civil aircraft flights in the air space during the 1950s came with an increased number of in-flight incidents, accidents, and collisions. The air traffic system did not provide the safety level that was expected with the growth in the air traffic. ICAO developed a “flight levels” system based on atmospheric pressure that served as a worldwide standard; however, the system presented certain errors at high altitude, which is why higher separation was required above FL290. In 1958, ICAO set the standard vertical separation at 300 m (1000 ft) below flight level FL290 and 600 m (2000 ft) for flights at or above FL290.
Efforts to increase the air space capacity above FL290 started soon after: optimum altitude profiles offered more cost-effective flights. Flights below the optimum cruise altitude suffered a penalty of about 1% for each 300 m. After years of expert panels and research, and supported by new technologies such as the Traffic Alert and Collision Avoidance System (TCAS), a separation of 300 m between FL290 and FL410 became feasible. The new rules, known as Reduced Vertical Separation Minima (RVSM), were gradually implemented from 1997 in certain portions of the air space and required specific operation approval. Since the implementation of the RVSM, several incidents and a few catastrophic collisions have occurred in the RVSM space.
Lake Constance Collision
On July 1, 2002, the Tupolev TU-154 operated by Bashkirian Airlines and the Boeing 757 operated by DHL collided in the RVSM space, at approximately FL354 over Lake Constance, Germany, killing all 69 occupants of the Tupolev and both occupants (crew only) of the Boeing. Five minutes before the accident, both flights were following their routes at FL360. The Tupolev TCAS gave an advisory because the DHL flight was in the area; seconds later, the radar controller issued instructions to the Tupolev to descend to FL350 in order to keep the separation minima with the DHL flight. A few minutes later, the Tupolev received a TCAS advisory to climb and the DHL flight a TCAS advisory to descend, but again the Tupolev received instructions from the radar controller to descend and decided to follow such indications. Both aircraft unsuccessfully attempted flight maneuvers to avoid the collision.
The results from the accident investigation carried out by the German Federal Bureau of Aircraft Accidents Investigation¹ summarized that the ATC controller had not noticed the imminent separation infringement in time and that the Tupolev crew followed a maneuver contrary to the one generated by the TCAS advisory. Recommendations were focused on the improvement of the ATC system, the priority of TCAS over ATC when a conflict exists, and the promotion of enhanced technologies such as the Secondary Surveillance Radar (SSR Mode S) and the Automatic Dependent Surveillance Broadcast (ADS-B).
1 Investigation Report on the Collision of the Boeing B757-200 and the Tupolev TY154M (near) Lake of Constance. German Federal Bureau of Aircraft Accident Investigation (BFU). May 2004.
Fig. 9.1 Reconstruction of Mid-Air Collision between the DHL B757 and TU-154. Appendix 7 to the final report of the accident
Gol Transportes Aereos Flight 1907
On September 29, 2006, a new tragedy occurred in RVSM space. A Boeing 737 operated by Gol Transportes Aereos as Flight 1907 and an Embraer Legacy 600 business jet collided in the RVSM air space at FL370 over the Brazilian Amazon jungle. A major portion of the left wing of the B737 was damaged, and the aircraft became uncontrollable and broke up in flight, killing all 154 occupants. Apart from the damage to the left winglet, stabilizer, and elevator, the Legacy remained controllable and made an emergency landing without injuries.
The investigation, led by the Brazilian Aeronautical Accident Investigation and Prevention Center (CENIPA),² revealed that the aircraft were placed on a collision course and the transponder of the B737 was not functioning; consequently, the TCAS on both aircraft did not alert their crews. Because they did not notice the TCAS malfunction, they maintained RVSM separation when the necessary requirements no longer existed. The attempts of the B737 crew and the ATC to establish communication had also been unsuccessful.
2 Final Report on the Aeronautical Accident of the B-737 8EH and EMB-135 BJ Legacy. CENIPA. 2008.
9.1.2 Minimum Navigation Performance Specifications (MNPS)
Minimum Navigation Performance Specifications (MNPS) are prescribed for flights in defined portions of the air space, based on the Regional Air Navigation Agreements, in which enhanced accuracy of the navigation equipment is required. MNPS allows safe aircraft separation in high-demand areas, for example, the North Atlantic Region (NAT MNPS) and the northern area of Canada (CMNPS).
NAT MNPS³ airspace is applicable between FL 285 and FL 420, and routes are separated by 60 NM; aircraft operating in the NAT MNPS should have the following lateral navigation capability:
• the standard deviation of lateral track errors shall be less than 11.7 km (6.3 NM),
• the proportion of the total flight time spent by aircraft 56 km (30 NM) or more off the cleared track shall be less than 5.3 × 10⁻⁴,
• the proportion of the total flight time spent by aircraft between 93 and 130 km (50 and 70 NM) off the cleared track shall be less than 1.3 × 10⁻⁴.
Aircraft not meeting the MNPS operation requirements can only fly in the NAT area below FL 285 and above FL 420. RVSM is applicable in all NAT MNPS.
The MNPS operational approval is granted by the competent authority and is based on:
• equipment that meets the required performance,
• navigation displays, indicators, and controls,
• training program for the flight crew, and
• operating procedures (equipment operating limitations, MEL, etc.).
Future implementation of MNPS is not planned. Since 2016, NAT MNPS airspace is being redesignated as NAT High Level Airspace (NAT HLA) as part of the plan for the transition from MNPS to Performance-Based Navigation (PBN).
3 North Atlantic Operations and Airspace Manual. ICAO. V. 2020–1.
Scheduled Requirements
While the EASA/FAA operation regulations contain no dedicated requirements for the implementation of MNPS ICA in the maintenance program, the operator is responsible for ensuring that the equipment meets the required performance. If specific scheduled maintenance tasks are required for the MNPS approval, these should be incorporated into the Aircraft Maintenance Program.
9.1.3 Performance-Based Navigation (PBN): RNAV and RNP
On conventional routes, aircraft navigated from one ground navigation station (NavAid) to the next. The Area Navigation (RNAV) concept allowed the aircraft position to be defined relative to ground and space-based NavAids (VOR, DME, GNSS, etc.); the flight path did not need to overfly the ground navigation stations, and the aircraft could fly to any point within the coverage of the NavAids used. Required Navigation Performance (RNP) was developed from the RNAV concept without the necessity of relying on specific equipment or systems. RNAV and RNP allow more efficient use of the airspace and fuel consumption reduction.
ICAO defines Performance-Based Navigation (PBN) as “area navigation based on performance requirements for aircraft operating along an ATS route, on an instrument approach procedure or in a designated airspace”.⁴ PBN involves the two types of navigation specifications: RNAV and RNP. Both specifications are considered area navigation; the difference is that while the RNP specification includes a requirement for onboard performance monitoring and alerting, the RNAV specification is not able to provide assurance of its performance.
RNAV and RNP are designated with a number (RNAV X or RNP X) that refers to the lateral navigation accuracy in NM which is expected at least during 95% of the flight. RNAV 5 may have a different designation depending on the region; in Europe it is defined as Basic RNAV or B-RNAV and is mostly developed for en-route airspace. RNAV 1 and RNAV 2 (formerly known in Europe as Precision RNAV or P-RNAV) are used in SID and STAR procedures. The PBN concept, which did not include vertical navigation originally, has evolved, and currently, RNP navigation with vertical guidance is used during approach operations (RNP APCH).
The RNAV/RNP operational approvals are granted by the competent authority and are based on:
• airworthiness approval (stated in the AFM or other document approved by the certification authority),
• safety assessment,
• training program for the flight crew,
• operating procedures (equipment operating limitations, MEL, etc.), and
• monitoring program, if applicable.
4 Performance-Based Navigation (PBN) Manual (Doc 9613). ICAO. Fourth Edition—2013.
Scheduled Requirements
The EASA/FAA operation regulations contain no dedicated requirements for the implementation of RNAV/RNP ICA in the maintenance program. However, the operator is responsible for ensuring that the performance requirements are maintained. If specific scheduled maintenance tasks are required for the RNAV/RNP approval, these should be incorporated into the AMP.
9.1.4 Extended Diversion Time Operations (EDTO)—ETOPS/LROPS
ICAO defines Extended Diversion Time Operations (EDTO) as “any operation by an aeroplane with two or more turbine engines where the diversion time to an en-route alternate aerodrome is greater than the threshold time established by the State of the Operator”.⁵ EDTO modifies the standard in which any twin-engine aircraft is required to remain no further than 60 min flying time to an en-route alternate aerodrome, and any aircraft with more than two engines is required to remain within 120 min from the alternate aerodrome. EDTO provisions allow these diversion times to be increased.
In order to guarantee the overall operational safety, specific considerations are taken for EDTO approval. While for aircraft with more than two engines the most relevant limitations are the time that the cargo fire protection system can hold fire and the oxygen supply during the diversion, for two-engine aircraft, there are several systems (EDTO significant systems) whose failure could affect the safety of the diversion or which are specifically important during the diversion, e.g., electrical, including battery, fuel and navigation systems, engines, APU, etc.
Originally conceived by ICAO as Extended Range Twin-engine Operations (ETOPS), EDTO widened the concept to incorporate extended range operations for aircraft with three or more engines. The acronym ETOPS is used in different ways by regulatory authorities and individuals, e.g.:
• EASA rules are not adapted to the EDTO terminology, and ETOPS is limited to aircraft with two engines. EASA introduces the Long-Range Operations (LROPS) concept for extended range operations by aircraft with three and four engines.
• FAA, considering originally ETOPS for aircraft with two engines, redefined the concept to “Extended Operations”, equivalent to EDTO.
• Happy people use ETOPS as an acronym for “Engines Turn Or Passengers Swim”. Since ETOPS is much more than the capability of an aircraft to reach land without engines, it sounds funny.
5 Extended Diversion Time Operations (EDTO) (Doc 10085). ICAO. First Edition-2017.
ICAO Annex 6 requires EDTO aircraft certification for aircraft with two engines as a prerequisite for EDTO operations; aircraft with more than two engines do not require EDTO certification specifically but a review of the time capabilities of the EDTO systems. In this line, the Aircraft Maintenance Program should support the EDTO operations with tasks that maintain the integrity of the cargo compartment, pressurization features such as door seals, electrical supply system, engines, and APU.
The EDTO operational approvals are granted by the competent authority and are based on:
• EDTO aircraft/engine type design and reliability approval,
• training program for the flight crew,
• operating procedures (equipment operating limitations, MEL, etc.), and
• the operator’s experience.
Scheduled Requirements
The AMP should support the targeted EDTO operation. The tasks related to EDTO are those impacting EDTO significant systems. Dual maintenance on identical EDTO significant systems requires special considerations. See Sect. 15.3 for details about the management of dual maintenance.
An EDTO task may be an existing task with a different interval for EDTO or a dedicated task for the EDTO operation mandated by the CMP document or derived from in-service experience (Reliability Program). The Configuration, Maintenance and Procedures (CMP) document is developed by the TCH and contains the configuration requirements necessary for extended diversion time operations: inspections, Life Limits, MMEL constraints, and maintenance practices.
In addition to the AMP EDTO requirements, EDTO operations require a pre-departure service check that includes the EDTO maintenance release and the development of specific programs for two-engine EDTO, such as Engine Condition Monitoring (ECM), Oil Consumption Monitoring, or monitoring of the APU In-Flight Start for the aircraft–engine combination (part of the Reliability Program, see Sect. 17.2.2.3).
EASA considerations for twin-engine ETOPS operational approval, including the development of an ETOPS maintenance program, are detailed in AMC 20-6. LROPS operational approval for aircraft with more than two engines is still not addressed.
FAA AC 120-42B & 135-42 detail the requirements for the ETOPS operational approval (two or more engine aircraft) and for the twin-engine ETOPS maintenance program required in 14 CFR 121.374 & 135.411.
Lessons Learned—EDTO (ETOPS) History and the Flights That May Have Shaken Its Foundation
In 1936, the U.S. Bureau of Air Commerce, the precursor of the FAA, required the operation of aircraft with two piston engines to show that available fields for takeoff and landing were located within at least 100 miles (approx. 160 km) along the proposed route. The average time to fly over 100 miles with an inoperative engine was 60 min. In 1953, a 60 min rule was imposed on two- and three-engine aircraft based on the lack of engine reliability, which focused on piston engines, with flexibility to operate beyond the rule under approval.
In the 1950s, ICAO issued a more flexible recommendation that was implemented by many regulatory authorities outside the U.S.: 90 min diversion time for two-engine aircraft. More than a decade later, in 1964, the already formed FAA kept the 60 min restriction valid for two-engine aircraft, but three-engine aircraft were exempted. Three- and four-engine aircraft became the mambo kings of the intercontinental skies until the 1980s.
Some Airbus A300 operators had been conducting 90 min overwater operations since 1976 across the North Atlantic, the Bay of Bengal, and the Indian Ocean, under the 90 min ICAO rule. In the 1980s, ICAO formed an ETOPS study group to analyze the feasibility of extended operations of the new twinjets generation: the Airbus A300-600, A310, A320 family, A330, Boeing B757, B767, etc. The study group recommended the 60 min restriction unless the aircraft could meet special ETOPS criteria. It would be later incorporated into the ICAO Annex 6.
In the U.S., at the beginning of the 1980s, during the B767-200ER entry into service, the Boeing Director of Engineering approached the FAA administrator about the possibility of an exemption to the 60 min rule, to which the FAA administrator answered “It’ll be a cold day in hell before I let twins fly long haul, overwater routes”, a sentence that has become memorable in the ETOPS history. Despite the initial opposition, the FAA initiated technical discussions with ICAO, aircraft manufacturers, and operators.
Air Canada Flight 143—Gimli Glider
The FAA discussions hung by a thread when on July 23, 1983, Air Canada Flight 143, a Boeing 767 domestic flight operated between Montreal and Edmonton, Canada, ran out of fuel halfway to its destination. The aircraft glided to an emergency landing at an Air Force Base in Gimli. There was no loss of life nor significant injuries amongst the 69 occupants.
The incident became widely known as the “Gimli Glider”.⁶ One day before the event, the aircraft had undergone a routine service check in which the three fuel indicators (corresponding to the left and right main tanks and the auxiliary fuel tank) were found to be blank. The technician obtained fuel indication by pulling and deactivating a circuit breaker, then tagged the circuit breaker as inoperative, and made the corresponding entry in the logbook under the provisions of the Minimum Equipment List (MEL) that required a fuel drip. The fuel drip is a procedure to confirm the fuel load by using fuel measuring sticks located under the wings.
Fig. 9.2 Gimli Glider evacuation. Photo courtesy of Gimli Glider Museum
The next day, the aircraft was flown from Edmonton to Montreal, where another technician was assigned to perform the fuel drip to satisfy the requirements of the MEL. He noted the entry in the logbook and attempted a self-test of the system by resetting the circuit breaker but was distracted and forgot to pull the circuit breaker again, so it remained activated. The captain noticed the blank fuel indicators and the collared circuit breaker and incorrectly assumed that it was deactivated. Although the MEL only allowed the dispatch of the aircraft with at least two of the three indicators in operating condition, the captain formed the opinion that he could safely fly the aircraft after the fuel drip that confirmed the fuel onboard.
6 Final report of the Board of Enquiry Investigating the circumstances of an accident involving the Air Canada Boeing 767 aircraft C-GAUN that effected an emergency landing at Gimli, Manitoba. Commissioner George H. Lockwood by order of the Minister of Transport. April 1985.
In Canada, aircraft had only recently started to be fueled and charged in liters. The Gimli Glider had been delivered in the metric system (using liters and kilograms). The drip sticks were also calibrated in the metric system, in centimeters. Drip tables were provided onboard the aircraft to convert centimeters to liters, but the conversion from liters to kilograms required a conversion factor called specific gravity. The conversion factor used twice during the incident day was 1.77 lbs per liter, while the conversion figure should have been around 0.8 kg per liter.
The aircraft departed from Montreal and landed in Ottawa, on its way to Edmonton, where it was dripped with the same wrong conversion factor. In the flight from Ottawa to Edmonton, the aircraft ran out of fuel in flight, both engines failed, and without power, all the electronic gauges in the cockpit became blank. After gliding for 45 miles, the aircraft effected an emergency landing in Gimli.
After the Air Canada Flight 143 incident, there was a certain reticence about the proposals of the Boeing Director of Engineering in regard to the B767 exemption to the 60 min rule. He reacted by arguing that under the circumstances of such an incident, all the engines would have shut down independently of how many engines the aircraft had.
Finally, in 1985, the FAA issued the AC 120-42 for ETOPS operations allowing two-engine aircraft to operate on routes up to 120 min from an adequate airport after demonstration of specific levels of in-service experience and systems reliability. The first ETOPS operation (90 min) was conducted in February 1985 by TWA with a Boeing 767. The Civil Aviation Authorities of some countries also issued ETOPS rules during the same period: CAA UK, DGAC France, Transport Canada, DOT Australia, and CAA New Zealand.
Others relied on the guidance provided in the ETOPS amendments to ICAO Annex 6.
In 1988, the good experience with the 120 min rule led the FAA to amend the AC 120-42 (120-42A) and allow two-engine aircraft to operate up to 180 min from an airport. The Advisory Circular revision established an ETOPS operation approval system based on in-service experience: ETOPS 120 required 12 months of experience with the aircraft–engine combination, and ETOPS 180 required 12 months of experience with the aircraft–engine combination conducting ETOPS 120 operations. AC 120-42A included provisions for the aircraft and engine design, Maintenance Programs, and operations. The new 180 min rule covered more than 90% of the Earth’s surface. The new rules were adopted by ICAO, the JAA, and other Civil Aviation Authorities.
The industry continued evolving at a fast pace and the new generation of twinjets started to get approval for ETOPS with greater diversion times that imposed new requirements at the same time. In 2001, Air Transat Flight 236, another gliding incident detailed in Sect. 10.4, highlighted the risks associated with undetected fuel leaks to aircraft operating on long-range overwater routes, regardless of the number of engines.
Onboard fire, medical emergency, or catastrophic decompression take no account of the number of engines of an aircraft. Every aircraft needs viable diversion times and en-route alternate airports. Three- and four-engine passenger aircraft may not need extra fuel to reach a diversion airport, but they need an oxygen supply when loss of cabin pressure happens, means to suppress or contain a fire, etc. In 2007, the FAA revised its regulation to incorporate the ETOPS rules for passenger aircraft with more than two engines for diversions greater than 180 min.
As of today, the aircraft initially certified for maximum diversion is the Airbus A350XWB with capability approval up to 370 min.
9.1.5 All Weather Operations (AWO)
All Weather Operations (AWO) involve a set of operations conducted when the visibility is limited in order to allow the flight crew to continue with safe ground operation, takeoff, departure, approach, and landing. AWO are determined by the Aerodrome Operating Minima (AOM) and the operator AWO approvals. AOM are the limits of usability of an aerodrome in terms of:
• Visibility or Runway Visual Range (RVR): RVR is the range at which the pilot on the centerline of a runway can see its surface markings, its delineating lights, or its centerline.
• Decision Altitude/Height (DA/DH): altitude/height at which, if no visual contact has been established, the missed approach must be initiated.
• Cloud conditions.
The aerodrome capability depends on the runway and its obstacles, visual (signals) and non-visual aids (instrument approach systems such as Instrument/Microwave/GNSS Landing Systems, etc.), services, and procedures. The operator capability depends on the aircraft equipment (such as the ILS/MLS/GLS receiver, the RNAV/RNP system, the Enhanced Vision System (EVS), the Head-Up Display (HUD), etc.), airworthiness and maintenance requirements, and flight crew procedures.
Table 9.1 LVO approach types

| LVO approach type | Definition |
| --- | --- |
| Lower than standard (LTS) CAT I | Reduced approach and/or runway lighting as an alternative to the standard lighting systems |
| CAT II | DH: lower than 60 m (200 ft) but not lower than 30 m (100 ft); RVR: not less than 300 m |
| Other than standard (OTS) CAT II | Increased RVR minima at runways with reduced approach and/or runway lighting systems, as an alternative to the standard lighting systems |
| CAT IIIA | DH: lower than 30 m (100 ft) or no decision height; RVR: not less than 175 m |
| CAT IIIB | DH: lower than 15 m (50 ft) or no decision height; RVR: less than 175 m but not less than 50 m |
| CAT IIIC | DH: no decision height; no RVR limitations |
Low Visibility Operations (LVO) include those AWO under poor weather conditions in support of:
• Low Visibility Take-Off (LTVO). Takeoff operations under RVR less than 400 m.
• Low Visibility Approach. See Table 9.1 for the LVO approach types defined in the ICAO Annex 6. If DH and RVR fall into different categories, the approach is conducted in accordance with the requirements of the most demanding category.

The use of systems like the Enhanced Vision System (EVS) allows operations with lower visibility than normal and may require specific approval.

Scheduled Requirements

EASA AMC5 SPA.LVO.105 requires that the Maintenance Program includes the maintenance instructions for the CAT II, CAT III, and LTVO onboard guidance systems established by the operator in liaison with the manufacturer. FAA AC 120-28D & AC 120-29A require that the Maintenance Program addresses the necessary provisions for LTVO and CAT I/II/III landing in accordance with the intended operation, the manufacturer recommendations, MRB or equivalent requirements, or any subsequent mandatory requirement. FAA AC 90-106A requires that the Maintenance Program incorporates the EVS manufacturer ICA and identifies any maintenance/inspection required to support the continued airworthiness of the system. When the aircraft is designed with any LVO capability, the MRB process may identify the required scheduled maintenance/intervals, and it is good practice to reflect it in the AMP preamble; when the LVO capability is introduced through design changes, it is convenient to identify the associated ICA in the AMP preamble and reference it in the corresponding LVO tasks.
9.2 Low Utilization Maintenance Program (LUMP)

As introduced in the MRBR Sect. 6.1, MSG-3 analysis and MRBR are developed assuming a specific utilization envelope. The utilization of an aircraft is a function of two factors: availability (period of time deducting the maintenance time) and the average flight leg time (ratio FH/FC during a period of time). A low utilization scenario is usually found in charter operations that are seasonal or occasional. If the utilization falls below the MRBR limits, it may have a negative impact on detecting discrepancies that are sensitive to time, e.g., corrosion, seal degradation, etc. Low Utilization Recommendations (LUR) are additional requirements established by the TCH that may consider new interval parameters to existing MRBR tasks or additional maintenance. Basically, the TCH converts the FH and FC limitations of the tasks that may be affected by the low utilization operation into a calendar-based program. A LUR does not override MRBR requirements, e.g., if an MRBR task is FH-based, the dual LUR interval will be defined by the FH parameter plus the new LUR calendar parameter, whichever occurs first. Each interval parameter (FH, FC, calendar time, etc.) is suitable to detect specific types of failures and deterioration of the aircraft. In this case, calendar time is appropriate for structures that are subject to environmental deterioration, e.g., structure corrosion, and systems that are exposed independently of the operation.
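The "whichever occurs first" rule described above can be worked through as a planning calculation. The following is an added example, not taken from the book or from any TCH document; the 600 FH and 180-day limits, the utilization figures, and all function and class names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from math import floor
from typing import Optional, Tuple


@dataclass(frozen=True)
class Interval:
    """Repeat interval of one task; a parameter left as None is not controlled."""
    fh: Optional[float] = None   # flight hours
    fc: Optional[float] = None   # flight cycles
    days: Optional[int] = None   # calendar days (the parameter a LUR adds)


@dataclass(frozen=True)
class Utilization:
    """Projected average utilization (constructed planning figures)."""
    fh_per_day: float
    fc_per_day: float


# Constructed sample data: an FH-based MRBR task and its dual LUR interval.
MRBR_TASK = Interval(fh=600.0)
LUR_TASK = Interval(fh=600.0, days=180)
NORMAL = Utilization(fh_per_day=10.0, fc_per_day=4.0)
LOW = Utilization(fh_per_day=1.5, fc_per_day=0.5)
PARKED = Utilization(fh_per_day=0.0, fc_per_day=0.0)


def days_to_limit(interval: Interval, util: Utilization) -> Tuple[int, str]:
    """Whole days until the first limit is reached, and the parameter that governs."""
    candidates = []
    if interval.fh is not None and util.fh_per_day > 0:
        candidates.append((floor(interval.fh / util.fh_per_day), "FH"))
    if interval.fc is not None and util.fc_per_day > 0:
        candidates.append((floor(interval.fc / util.fc_per_day), "FC"))
    if interval.days is not None:
        # Calendar time elapses whether or not the aircraft flies.
        candidates.append((interval.days, "CALENDAR"))
    if not candidates:
        # A usage-only interval on an aircraft that does not fly never comes due.
        raise ValueError("no interval parameter is reached at this utilization")
    return min(candidates, key=lambda c: c[0])


def next_due(interval: Interval, last_done: date, util: Utilization) -> Tuple[date, str]:
    """Projected due date and governing parameter, counted from the last accomplishment."""
    days, governing = days_to_limit(interval, util)
    return last_done + timedelta(days=days), governing


def exposure_ratio(mrbr: Interval, lur: Interval, util: Utilization) -> float:
    """Calendar time between inspections without the LUR limit, relative to with it."""
    return days_to_limit(mrbr, util)[0] / days_to_limit(lur, util)[0]


if __name__ == "__main__":
    last = date(2024, 1, 1)
    for name, util in (("normal", NORMAL), ("low", LOW)):
        print(name, "MRBR only:", next_due(MRBR_TASK, last, util))
        print(name, "with LUR :", next_due(LUR_TASK, last, util))
    print("exposure ratio at low utilization:", round(exposure_ratio(MRBR_TASK, LUR_TASK, LOW), 2))
```

At the constructed normal utilization the FH limit governs and the LUR changes nothing; at the low utilization the FH-only task would stay open for 400 days, while the dual interval brings it due at 180 days.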
The following list shows a representative sample of the tasks considered by the TCH when developing a LUR program:
• servicing tasks, e.g., tasks involving grease and oil subject to degradation,
• tasks required to avoid seal degradation in dry or wet confined spaces, e.g., fuel tanks, engines,
• tasks requiring fluids flow, e.g., operational test of oil or fuel systems,
• tasks required to ensure system drainage, e.g., fuel tank water drainage,
• tasks required to avoid microbiological contamination,
• tasks required to detect and avoid corrosion,
• tasks required to detect fatigue,
• tasks required to detect or avoid degradation of inactive systems, e.g., avionic/electronic equipment, and
• tasks requiring battery replacement.

Low utilization does not interfere with the provisions for aircraft parking/storage. During parking/storage, calendar-based maintenance tasks must be performed before the aircraft is released, although the owner/operator may decide to accomplish certain tasks in advance if it is considered beneficial, e.g., corrosion tasks. The operator is responsible not only for implementing the TCH recommendations but also for evaluating the impact of the low utilization operation on the whole AMP. Low utilization operations may have a negative impact on the reliability analysis; the reliability data may be insufficient or unavailable to develop an effective analysis. In this case, the in-service experience that may have been developed previously during normal utilization operations may be used, or the TCH may be contacted for support.

High Utilization

An aircraft loses more value (depreciation), and the operating costs increase, when the utilization increases. High utilization also involves more frequent maintenance and consequently may induce more maintenance errors that may cause a negative effect on aircraft reliability and safety. MSG-3 analysis is carried out under safety and operational principles, but also under cost-effective criteria. When an aircraft is operated above the utilization assumptions of the MSG-3 analysis (limits defined in the MRBR), the MRBR tasks are no longer cost-effective. High Utilization programs may be developed by the TCH to ensure that the maintenance is consistent with the high utilization operation. The operator should assess the impact of the high utilization operation on the whole AMP. When the assessment of the high utilization operation entails a relaxation of task intervals (escalation or escalation via parameter change), it must be carried out under the competent authority approval or in accordance with the procedures agreed with the competent authority. Transfer of aircraft between AMPs (normal to low utilization and vice versa) is detailed in Sect. 13.2.
9.3 Miscellaneous Scheduled Requirements

9.3.1 Preflight Check

A Preflight Check contains all the inspections that are required to be carried out before flight to ensure that the aircraft is fit for the intended flight. The Preflight Check typically includes:
• A walk-around inspection of the aircraft and its emergency equipment for presence and condition, including any obvious signs of wear, damage, or leakage:
  – The walk-around inspection is usually based on the guidance provided by the TCH on the Aircraft Flight Manual (AFM) or the Flight Crew Operating Manual (FCOM).
  – The emergency equipment inspection is usually based on the Emergency Equipment Layout (EEL) that is developed by the operator to satisfy the operation rules.
• An inspection of the aircraft records and technical logbooks to ensure that there are no pending maintenance actions that may affect the safety of the flight or that may become overdue during the flight.
• A control of consumable fluids, gases, etc., uplifted prior to flight that should be of the correct specification, free from contamination, and correctly recorded.
• A control that control surface and landing gear pin locks, pitot/static covers, restraint devices, and engine/aperture blanks have been removed.
• A control that the external surfaces are free from ice, snow, sand, dust, volcanic ash, etc., and the icing/anti-icing procedures have been followed.

The Preflight Check is excluded from the definition of maintenance except when the task is performed by certifying/maintenance staff. Certain requirements, such as repetitive ADs or ICA maintenance tasks (MRBR, ALS, CMR, etc.), require maintenance certification, if not otherwise stated; for other requirements, such as the walk-around, the inspection of the emergency equipment or the inspection of the aircraft records, etc., it is up to the operator, under agreement with the competent authority, whether the Preflight Check is performed by certifying/maintenance staff or by the flight crew. Certifying staff and/or flight crew must be appropriately trained when performing Preflight Checks. Under certain conditions, the flight crew may be temporarily authorized (through a limited certifying staff authorization) to accomplish simple maintenance tasks. Guidance to develop a Preflight Check is provided in EASA Part-M AMC M.A.301(a). EASA Appendix I to AMC M.A.302 (1.1.9) explicitly requires that details of the Preflight Check maintenance tasks that are accomplished by maintenance staff are part of the AMP. In any of the above cases, in accordance with EASA CAT.GEN.MPA.105 and FAA 14 CFR 91.7, the pilot in command of the aircraft is responsible for ensuring that the preflight check has been carried out and the aircraft is in condition for a safe flight.
Lesson Learned—Aeroperu Flight 603

On October 2, 1996, the crew onboard the Boeing 757 Flight 603 operated by Aeroperu between Lima, Peru, and Santiago de Chile, Chile, noticed that the altimeters were not responding and declared an emergency. While returning to Lima, the flight became uncontrollable and crashed, killing all the 70 occupants. The Peruvian Accident Investigation Board [7] revealed that the probable cause of the accident was the obstruction by adhesive tape of the three static ports on the left side of the aircraft. The B757 had three airspeed and altitude indicators: The pilot and copilot indicators had separate air data computers that receive inputs from separate pitot probes and static ports located at both sides of the fuselage; the standby indicator was operated directly from an independent pitot probe and dual static ports. The copilot altimeters and airspeed indicators were not working, and the crew was over-saturated with the multiple alarms and warnings that led to the loss of control of the flight.

[7] Report on the Accident of the Boeing 757–200 aircraft operated by Aeroperu. Accident Investigation Board, Ministry of Transport and Communications, Peru.
Fig. 9.3 Aeroperu B757 months before the accident. Photo by Werner Fischdick
The polishing of the lower front part of the fuselage had been scheduled prior to the flight. The normal procedure instructed to cover the static ports with adhesive tape to prevent them from becoming obstructed. The presence of the adhesive tape was not detected during the various phases of the task certification, and the aircraft was released to the crew. During the preflight inspections, the pilot in command did not notice either that there were lengths of tape covering the static ports. The recommendations from the investigation included the amendment of the aircraft maintenance manuals to require the use of brightly colored protective covers with warning flags attached, to be placed over the static ports while cleaning and polishing the aircraft; manufacturers such as McDonnell Douglas or Airbus had already designed such covers. A generic recommendation to carry out better documented Preflight Checks was issued.
9.3.2 Safety/Emergency Equipment

Safety/Emergency Equipment is any provision installed or carried onboard the aircraft that is required for the safe conduct of the flight and protection of occupants.

Emergency Equipment addresses abnormal or emergency situations that demand immediate action, including life preservation. For example:
• Emergency Locator Transmitter (ELT)
• Life vests
• First-Aid Kit (FAK)
• Low-frequency ULB
• Evacuation slides
• Emergency medical kit
• Portable fire extinguishers
• Life rafts
• Defibrillator
• Protective Breathing Equipment (PBE)
• Portable lights
• Survival kit
• Oxygen bottles/generators
• Flashlights
• Megaphone
• Oxygen masks
• Emergency flares
• Crash axe
• Smoke hoods
• Emergency markings/lights

Safety Equipment is used during normal operation. For example:
• Seat belts
• Safety cards
• Child restraint devices
• Safety demonstration kit
As specified in the Preflight Check paragraphs, the Emergency Equipment should be inspected for presence and condition during such inspection. Additionally, the operator should:
• consider the ICA specified for the equipment installed on the aircraft, and
• comply with the operation regulatory requirements for specific equipment.

The MRB process considers the ICA of the Safety/Emergency Equipment installed on the aircraft. The operator should also take into account any additional ICA of equipment installed through modification. The operator should select the appropriate method of control of the Safety/Emergency Equipment requirements. Some items, such as the life of the equipment, may be controlled as Hard-Time or through Inspection Surveys at periodic intervals, e.g., check of life vests for expiration at periodic intervals and replacement if the life does not reach the next scheduled event. Specific regulatory requirements are provided for the:
• First-Aid Kit (FAK) and Emergency Medical Kit (EMK). EASA AMC2 CAT.IDE.A.220 & AMC4 CAT.IDE.A.225 require that FAK and EMK are inspected periodically for condition of their content and replenished at regular intervals (IAW instructions contained on their labels) or after use.
• Emergency Locator Transmitter (ELT). See the next paragraphs.
9.3.3 Emergency Locator Transmitter (ELT)

ICAO Annex 6—Operation of Aircraft defines Emergency Locator Transmitter (ELT) as “equipment which broadcast distinctive signals on designated frequencies and, depending on application, may be automatically activated by impact or be manually activated”. ELT devices should be coded and registered with the national agency responsible for search and rescue. In the event of an aircraft crash, the ELT will be manually/automatically activated and will transmit a continuous emergency signal that will alert the Search and Rescue (SAR) authority about specific information of the aircraft and its location. There are five types of ELT:
• Automatic fixed (ELT(AF)): automatically activated, permanently attached to the aircraft,
• Automatic portable (ELT(AP)): automatically activated, attached to the aircraft but readily removable,
• Automatic deployable (ELT(AD)): automatically deployed and activated by impact (and in some cases by hydrostatic sensors). Manual deployment is provided.
• Survival (ELT(S)): removable from the aircraft, stowed to facilitate its use in an emergency, and manually activated by survivors,
• Distress Triggered (ELT(DT)): manually or automatically activated by detection of an in-flight distress event.

Automatic ELTs are activated when the crash acceleration sensor (also called G switch) detects that a certain force is reached. For the new device generation, ELT(DT), the triggers for automatic activation are defined in EUROCAE ED-237. In line with ICAO Annex 6, EASA Air Ops CAT.IDE.A.280 establishes the requirements for the ELTs to be installed on the aircraft for its operation. Aircraft authorized to carry 19 passengers or less are required to be equipped with one ELT or one aircraft localization means. If the CofA is issued before July 1, 2008, the ELT can be of any type; otherwise, it should be an automatic ELT.

Aircraft authorized to carry more than 19 passengers are required to be equipped with one automatic ELT or two ELTs of any type or one aircraft localization means if the CofA is issued before July 1, 2008. Otherwise, they should be equipped with two ELTs, one of which shall be automatic, or one ELT and one aircraft localization means. The FAA 14 CFR 91.207 requires one automatic ELT to be installed on the aircraft for its operation under Part-121/135. FAA includes certain exceptions to the rule that deviate from the ICAO standards; for example, aircraft engaged in scheduled flights by scheduled air carriers or aircraft with a maximum payload capacity of more than 18,000 pounds when used in transportation are exempted from carrying an ELT, unless operated overwater or in remote areas. For overwater or remote areas operations, up to two Survival ELTs may be required.
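The CAT.IDE.A.280 carriage rules summarized above lend themselves to a fleet configuration check. The following is an added example, not taken from the book or from the regulation text; it encodes only the summary given here, uses the cutoff as worded here ("before July 1, 2008"), and assumes that only the AF, AP, and AD types count as automatic. The class, function, and registration names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# ELT type codes as listed in this section.
AUTOMATIC = {"AF", "AP", "AD"}          # assumption: ELT(DT) is not counted as automatic
KNOWN_TYPES = AUTOMATIC | {"S", "DT"}
COFA_CUTOFF = date(2008, 7, 1)          # "issued before July 1, 2008", as worded in the text


@dataclass(frozen=True)
class Aircraft:
    registration: str                    # constructed sample identifiers only
    max_pax: int                         # passengers the aircraft is authorized to carry
    cofa_issued: date
    elts: Tuple[str, ...] = ()           # installed ELT type codes
    localization_means: bool = False     # aircraft localization means installed


def check_elt_equipage(ac: Aircraft) -> Tuple[bool, str]:
    """Return (compliant, reason) for the carriage rules summarized in this section."""
    unknown = [t for t in ac.elts if t not in KNOWN_TYPES]
    if unknown:
        raise ValueError(f"unknown ELT type(s): {unknown}")
    total = len(ac.elts)
    automatic = sum(1 for t in ac.elts if t in AUTOMATIC)
    legacy = ac.cofa_issued < COFA_CUTOFF

    if ac.max_pax <= 19:
        if legacy:
            ok = total >= 1 or ac.localization_means
            need = "one ELT of any type, or one localization means"
        else:
            ok = automatic >= 1 or ac.localization_means
            need = "one automatic ELT, or one localization means"
    elif legacy:
        ok = automatic >= 1 or total >= 2 or ac.localization_means
        need = "one automatic ELT, or two ELTs of any type, or one localization means"
    else:
        ok = (total >= 2 and automatic >= 1) or (total >= 1 and ac.localization_means)
        need = "two ELTs with one automatic, or one ELT plus one localization means"
    return ok, ("compliant" if ok else "requires " + need)


def non_compliant(fleet: List[Aircraft]) -> List[str]:
    """Registrations of the aircraft whose ELT fit does not satisfy the summarized rules."""
    return [ac.registration for ac in fleet if not check_elt_equipage(ac)[0]]


# Constructed sample fleet.
FLEET = [
    Aircraft("X-AAA", 150, date(2015, 3, 1), ("AF", "S")),
    Aircraft("X-AAB", 150, date(2015, 3, 1), ("AF",)),
    Aircraft("X-AAC", 150, date(2015, 3, 1), ("S", "S")),
    Aircraft("X-AAD", 150, date(2015, 3, 1), ("S",), localization_means=True),
    Aircraft("X-AAE", 150, date(2005, 6, 1), ("S", "S")),
    Aircraft("X-AAF", 19, date(2015, 3, 1), ("S",)),
    Aircraft("X-AAG", 19, date(2005, 6, 1), ("S",)),
]

if __name__ == "__main__":
    for ac in FLEET:
        print(ac.registration, check_elt_equipage(ac))
```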
Scheduled Requirements

EASA Air Ops AMC1 CAT.IDE.A.280 establishes the operational requirements for the ELT batteries:
• Batteries specifically designed for use in ELTs and having an airworthiness release certificate (EASA Form 1, or equivalent, e.g., FAA Form 8130-3) should be replaced (or recharged if the battery is rechargeable) before the end of their useful life in accordance with the ELT maintenance instructions.
• Standard batteries not having an airworthiness release to service, when used in ELTs, should be replaced (or recharged if the battery is rechargeable) when 50% of their useful life (or for rechargeable, 50% of their useful life of charge), as established by the manufacturer, has expired.

FAA 14 CFR 91.207, 121.339/353, and 135.167 exceed the ELT battery requirement of EASA:
• ELT batteries (in general) should be replaced (or recharged if the battery is rechargeable) when 50% of their useful life (or for rechargeable, 50% of their useful life of charge), as established by the manufacturer, has expired.

Additionally, there is an extra recommendation in 14 CFR 91.207 to inspect each ELT every 12 months for proper installation, battery corrosion, operation of control and sensors, and radiated signal strength.
Lessons Learned—The Origin of ELT Requirements

On March 11, 1967, the pilot of a Cessna 195 in a flight from Portland to San Francisco, with his wife and stepdaughter onboard, lost power and crashed into a snow-covered forest. The family was injured but survived the crash. They struggled for survival and finally perished. The bodies and the aircraft were found 7 months later. The diary written by the family during that time motivated the U.S. Congress. In 1971, with three years compliance time, the FAA amended its regulations to require the installation of Emergency Locator Transmitters (ELTs) for certain aircraft categories. The rule applied mostly to general aviation, but scheduled air carriers and turbojet aircraft, usually under the air traffic control system and a flight plan, were exempted as they were considered more readily located after an accident. The new rules were soon tarnished when in 1972 a Cessna 310, with two members of the U.S. House of Representatives onboard, disappeared while flying from Anchorage to Juneau, Alaska, without ELT. The wreckage was never found. The U.S. Congress wanted to shorten the compliance time imposed a year before, but it was actually extended given that the FAA started to receive numerous reports on ELTs false alarms and faults that consumed its resources.
In 1978, the issue reached such a level that the FAA permitted the temporary operation for 90 days without the ELT while it was inspected, modified, repaired, or replaced. The several investigations carried out during those years brought to light that 90% of false alarms were from parked aircraft; battery, crash sensor, and installation defects, including corrosion, leaks, and short circuits, became a concern. Their inspection for condition, corrosion, and proper installation would become a requirement. Some years later, on a Christmas evening in 1996, a turbojet crashed in New Hampshire and would not be found until almost three years later. The FAA ELT rules exemptions for turbojet aircraft were revised; the installation of an ELT became a requirement for unscheduled turbojet operations, but the air carriers' scheduled non-overwater operations remained exempt. To date, this represents an exception to the ICAO SARPs that basically recommend an automatic ELT onboard all aircraft.

COSPAS-SARSAT

In 1979, the COSPAS-SARSAT [8] satellite system project was launched by Canada, France, the United States, and the USSR. The COSPAS-SARSAT satellite network became operational in 1985, and three years later, the system was available internationally with more participating countries. When an ELT activates, the system receives the signal, locates the ELT, and sends the alert to the corresponding SAR authority. The first generation of ELTs transmitted on analog frequencies of 121.5/243.0 MHz and produced too many false alarms on those frequencies. The second generation of ELTs, specifically designed for satellite detection and transmitting on 406 MHz digital technology, offered an enhanced performance: increased system capacity, improved location accuracy, unique identification of the transmitter, and global coverage. The 406 MHz ELTs were required by ICAO from 2008; one year later, COSPAS-SARSAT ceased the reception of 121.5/243.0 MHz signals.
The post-crash functionality and survivability of the ELTs have been in question since their adoption. Lack of waterproofing, fire protection, or the damage of the antenna during the impact are concerns that have been exposed in two of the most significant accidents in recent history: Air France Flight 447 and Malaysia Airlines Flight 370. The effective ELT signal transmission may be degraded by the shielding effect of the aircraft structure or if its antenna does not remain above water.
[8] COSPAS, from the Russian, stands for “Space Systems for the Search of Vessels in Distress”; SARSAT stands for “Search and Rescue Satellite-Aided Tracking”.
A review of the aircraft accidents over the last 30 years, carried out as a result of one of these accidents, revealed that only about 34% of the accident cases recorded effective ELT activation.

Air France Flight 447

On June 1, 2009, Air France Flight 447, an Airbus A330 en route from Rio de Janeiro, Brazil, to Paris, France, was lost in the middle of the Atlantic Ocean with 228 occupants onboard. The investigation, carried out by the Bureau of Enquiry and Analysis for Civil Aviation Safety (BEA) [9], the French aircraft accident investigation authority, revealed that the inconsistencies between the airspeed measurements, due to obstruction of the Pitot probes by ice crystals, caused the autopilot disconnection and the aircraft went into stall. The pilots failed to diagnose the situation and did not apply a recovery maneuver. The aircraft crashed, and all the occupants died on impact.
Fig. 9.4 Vertical stabilizer of the Air France A330 found in the ocean. Photo by Forca Aerea Brasileira via LatinContent via Getty Images
[9] Final report on the Accident to the Airbus A330-203 registered F-GZCP operated by Air France Flight AF 447. BEA. July 2012.
The international search operations focused, initially and unsuccessfully, on possible transmissions from the ELTs and ULBs. One week later, floating bodies and parts of the aircraft started to be recovered. The wreckage was found almost two years later at a depth of 3900 m; bodies, flight recorders, and parts of the aircraft that were useful for the investigation were recovered. The BEA issued a series of recommendations in order to facilitate the aircraft localization for public transport flights with passengers operating overwater or in remote areas, e.g., triggering of data transmission and activation of the ELT as soon as an emergency situation is detected onboard. Other BEA recommendations for the same aircraft category included the regular transmission of basic flight parameters (e.g., position, altitude, speed, and heading), the extension of ULB transmission time to 90 days, an additional Low-Frequency ULB, or an image recorder that would make it possible to observe the whole instrument panels.

Malaysia Airlines Flight 370

On March 8, 2014, Malaysia Airlines Flight 370, a Boeing 777 en route from Kuala Lumpur, Malaysia, to Beijing, China, and its 239 occupants disappeared from the air traffic control radar. The crash area is still under debate. The international investigations and search operations, led by the Malaysian ICAO Annex 13 Safety Investigation Team [10] and the Australian Transport Safety Bureau (ATSB) [11], did not reveal why the aircraft diverted from the Flight Plan and later disappeared from the ATC radar. During the following two years, over twenty debris items appeared on the southeastern coast of Africa, Madagascar, Mauritius, and Reunion Islands, which evinced that the aircraft had crashed. However, the unknown location of the wreckage did not allow the real cause of the accident to be determined.
The investigation bodies issued a battery of recommendations that came to complement those issued for the Air France Flight 447 accident: real-time tracking and more effective ways to determine the aircraft location.
[10] Safety Investigation Report—Malaysia Airlines Boeing B777-200ER (9M-MRO). The Malaysian ICAO Annex 13 Safety Investigation Team for MH370. July 02, 2018.
[11] ATSB Transport Safety Report: The Operational Search for MH370. ATSB. October 03, 2017.
Fig. 9.5 Now-missing Malaysia Airlines B777 flying. Photo by Lorenzo Giacobbo
As a result of the Air France and the Malaysian flight events and the recommendations derived from their investigations, ICAO Annex 6 was revised to incorporate provisions for certain aircraft/operation categories: aircraft tracking and, for overwater operations, a securely attached Low-Frequency Underwater Locator Beacon (LF-ULB) device that is able to operate at 8.8 kHz for a minimum of 30 days. LF-ULB offers an increased detection range in comparison with the frequencies emitted by the flight recorders ULBs. Changes to the ICAO flight recorder standards derived from these accidents are detailed in Sect. 9.3.4. In recent years, EUROCAE [12], the standards reference for ELT manufacturing, has also reviewed the ELT specifications with new crashworthiness standards (ED-62B): crash test, survivability to vibrations, resistance of coaxial cables, flame tests, etc. EUROCAE has also developed standards for the next generation of ELTs with capability to activate transmission in-flight triggered by distress events (ED-237).
[12] EUROCAE is an organization that develops the most recognized standards for electronic equipment for air transport. EUROCAE activity in regard to ELT and Flight Recorders is linked to ICAO recommendations and is usually conducted jointly with the Radio Technical Commission for Aeronautics (RTCA).
The ELT Lithium Batteries

Several incidents related to lithium-sulfur dioxide batteries, mostly used within the ELTs, alerted the FAA during the 1970s. The batteries exploded, burned, or leaked, forming corrosive acid. In 1979, the FAA required the removal of these batteries, affecting approximately 60,000 aircraft, and issued new standards and requirements. During recent years, lithium batteries carried onboard the aircraft have been a matter of concern due to the increased number of flammability and spontaneous combustion-related incidents. The problem has not been focused only on the batteries as personal items or cargo but also on the aircraft and component batteries. In 2013 and 2014, two serious incidents related to the lithium batteries of the Boeing 787, with several minor injuries, ended with the grounding of the worldwide fleet. But an ELT-related incident that occurred in 2013 to an Ethiopian Airlines Boeing 787, parked and unpowered at London Heathrow Airport, passed more unnoticed.
Fig. 9.6 Ethiopian Airlines B787 structural damage. AAIB investigation report
A fire was initiated by the uncontrolled release of stored energy from the lithium battery in the ELT. The fire was extinguished by the firefighters, but the aircraft suffered extensive heat damage in the upper portion of the rear fuselage, where the ELT was installed, and the insulation blankets were destroyed.
The investigation carried out by the UK Air Accidents Investigation Branch (AAIB) [13] determined that the battery wires were crossed and trapped under the battery compartment cover plate and probably created a short circuit resulting in the fire. The fire reached the insulation blankets and the composite structure that acted as fuel. The AAIB issued a series of recommendations related to battery certification and installation standards, mostly addressed to the certification authority of the state of design, the FAA.
9.3.4 Flight Recorders

ICAO Annex 6—Operation of Aircraft defines Flight Recorder as “any type of recorder installed in the aircraft for the purpose of complementing accident/incident investigation”. Flight recorders play a fundamental role in the aircraft accident/incident investigation process. They are designed following established crashworthiness and fire protection specifications to ensure the data recorded survive an accident/incident. These specifications are contained in EUROCAE ED-112. There are four types of crash-protected flight recorders:
• Flight Data Recorder (FDR): it records specific flight parameters data that reflect the state and performance of the aircraft, e.g., flight path, speed, attitude, engine power, etc.
• Cockpit Voice Recorder (CVR): it records the voice communications and aural environment of the cockpit.
• Airborne Image Recorder (AbIR): it records images/video of the cockpit.
• Data Link Recorder (DLR): it records the data link communication messages.

Flight recorder technology has evolved from magnetic type to more reliable devices based on Solid-State principles that improve the integrity of the data and the recording capacity. The most modern aircraft incorporate combined devices known as Cockpit Voice Flight Data Recorders (CVFDR) with both FDR and CVR functions. Large aircraft are required to be fitted with:
• an FDR that records the preceding 25 h,
• a CVR that records the preceding 2 h (in EASA, 25 h for aircraft of more than 27,000 kg), and
• when the aircraft has data link communications capability, under some conditions, the data should be recorded in a dedicated device, DLR, or make use of the FDR, CVR, or CVFDR. The duration must be the same as that specified for the CVR.

Compliance with FDR and CVR requirements can be achieved by two CVFDR. While aircraft accident investigators recommend the use of Airborne Image Recorders (AIRs) that could help to determine the causes of an aircraft accident, their use is still being discussed due to flight crew organizations’ concerns about privacy. The location of the flight recorders must be traceable following an aircraft accident/incident. Non-deployable flight recorders are fitted with an Underwater Locator Beacon (ULB), which is an acoustic device activated by immersion in water, and deployable flight recorders are fitted with an automatic Emergency Locator Transmitter (ELT). Due to recent aircraft accident events, the regulatory requirements for the duration of the signal transmitted by the flight recorder ULB have changed from 30 to 90 days.

Scheduled Requirements

In line with ICAO Annex 6 Appendix 8, EASA Air OPS CAT.GEN.MPA.195 (b) requires that the operator conducts operational checks and evaluations of FDR recordings, CVR recordings, and DLR to ensure their continued serviceability. The limits are established in AMC1 CAT.GEN.MPA.195(b):
• inspection of the FDR recording and the CVR recording every year with certain exceptions, e.g., when the systems are monitored for proper operation and
  – the flight recorders are Solid State, the inspection interval may be up to two years.
  – the aircraft is fitted with two Solid-State CVFDRs that share the same flight data acquisition, the inspection of the recording needs only to be performed alternately for one recorder position at time intervals not exceeding four years (one SSCVFDR should be inspected every two years).

[13] Report 2/2015 on the serious incident to Boeing B787-8, ET-AOP London Heathrow Airport. Air Accidents Investigation Branch (AAIB). August 19, 2015.
• inspection every five years, or sensor manufacturer recommendations, that the FDR parameters not monitored by other means are being recorded within the calibration tolerances and that there is no discrepancy in the engineering conversion routines for these parameters. • inspection of the Data Link Recorder (DLR) every five years, • when installed, the aural or visual means for preflight checking the flight recorders for proper operation should be used every day. When no such means are available for a flight recorder, the operator should perform an operational check of this flight recorder at time intervals not exceeding seven calendar days of operation. Further guidance for the inspection procedures is provided in the Guidance Material. It is recommendable to establish the corresponding cross-references between AMP tasks and the regulatory requirements.
9.3 Miscellaneous Scheduled Requirements
Unlike ICAO Annex 6 Appendix 8, the FAA does not have a specific regulation that requires operational checks and evaluations of the flight recorders to ensure their continued serviceability. However, the FAA does require this maintenance function to be carried out as part of the ICA. This difference is published as a deviation from the ICAO standards.
Lesson Learned—The Flight Recorders Requirements

Early flight recorders have been available since the end of the 1930s. The technology consisted of metal foils to record flight parameters and wire recording for audio; in many cases, the data were not sufficient for the aircraft accident investigators to determine the causes. In 1941, the Civil Aeronautics Board (CAB), predecessor of the FAA, issued a new rule to require a simple type of recording device for certain carriers; three years later, it found that operators could not properly maintain the recorders during wartime and rescinded the rule. In 1947, the rule was reinstated for scheduled air transportation, but one year later, it was rescinded again as there was still no recording device of proven reliability available.

The second generation of flight recorders came during the mid-1950s at the hands of David Warren, an Australian research scientist who had lost his father about 20 years earlier in one of the earliest air disasters. David was involved in the investigation of the repeated accidents of the de Havilland Comet, the first jet commercial aircraft, when he came up with an innovative idea: the design of a device able to record flight data and voices and sounds in the cockpit. Recorder technology stepped forward; magnetic-type recorders made it possible to record more data, erase, and rerecord. The advanced versions of the prototypes designed by Warren are nowadays installed on most commercial aircraft.

De Havilland Comet

The numerous hull losses of de Havilland Comet aircraft had started in 1953, one year after its entry into service, with the first passenger jetliner involved in a catastrophic accident; it was a delivery flight to Canadian Pacific Airlines with a technical stop at Karachi, Pakistan. The aircraft crashed during takeoff and killed its 11 occupants. The accident was attributed to pilot error.

Between 1953 and 1954, three other de Havilland Comet aircraft crashed, this time due to structural failure, killing everybody onboard, a total of 99 people. The de Havilland Comet fleet was grounded until 1958, when the aircraft reappeared with a redesigned structure. In the same year, the Boeing 707 went into service; Boeing, with the 707, and McDonnell Douglas, with the DC-8, had learned the lesson and would eat the cake during the following years.
Fig. 9.7 First De Havilland Comet 4 rolls out of its hangar in 1958. Photo by PA Images via Getty Images
ICAO and regulatory authorities worldwide started to require an FDR, in the first instance, and soon after a CVR. In 1957, the FAA approved a rule requiring an FDR onboard air carrier commercial aircraft and large aircraft. The FDRs had to be capable of recording time, airspeed, altitude, vertical acceleration, and heading. In 1964, a new rule also required a CVR. The CVR would provide the cockpit conversation of the crew during the last 30 min of the flight, supplementing the FDR data during accident investigations. Although a large number of recorders have gone unrecovered since their introduction, these devices have become invaluable during numerous aircraft accident investigations. The requirement for recorders was progressively expanded to other types of aircraft/operation during the following years.

United Airlines Flight 389

Flight 389 was likely one of the greatest frustrations after the implementation of the recorder rules. The CVR requirement, issued in 1964 but with three years compliance time, had not yet been implemented on the Boeing 727 operated as Flight 389 by United Airlines.
On August 16, 1965, after only two months of service, the aircraft, en route from New York to Chicago, crashed into Lake Michigan, killing all 30 occupants. FDR cover parts were recovered but nothing of the recording itself. The NTSB investigation did not find evidence of any system or structural failure, and it was not possible to determine the causes of the accident.14

Crashworthiness specifications (TSO C51a) would be enhanced soon after in 1966: impact resistance changed from 100 g for 11 ms to 1000 g for 5 ms. Crashworthiness and fire protection specifications have continued developing to the present day.

The third generation of flight recorders appeared during the 1990s: the Solid-State flight recorders stored data in semiconductor memories or integrated circuits, allowing a much larger quantity of data to be recorded. Solid-State technology has no moving parts; maintenance and power consumption are minimized, and data retrieval is easier.

The Boeing 737 Rudder

During the 1990s, several incidents and two accidents related to a design flaw of the Boeing 737, in which a limited amount of data was available to determine the causes, would change the FDR rules. On March 3, 1991, a United Airlines Boeing 737, operating as Flight 585 from Denver to Colorado Springs, Colorado, lost control and pitched nose down until it reached a nearly vertical attitude that ended in a crash. All 25 occupants were killed, and the aircraft was destroyed by the impact and fire. The NTSB investigation15 could not identify conclusive evidence to explain the loss of the aircraft. Three years later, a second crash would elucidate the cause: the rudder Power Control Unit. On September 8, 1994, the Boeing 737 operated by USAir as Flight 427 from Chicago to Pittsburgh entered an uncontrolled descent during the landing maneuvering and impacted terrain. All 132 occupants were killed, and the aircraft was destroyed by the impact and the fire.
The NTSB investigation16 revealed not only the cause of this accident but the cause of the United Airlines Flight 585 disaster and the B737 rudder design defect.

14 Aircraft Accident Report—United Airlines B-727, N7036U, in Lake Michigan. NTSB. August 16, 1965.
15 Aircraft Accident Report—United Airlines Flight 585, Boeing 737-200, N999UA, 4 Miles South of Colorado Springs. NTSB. March 27, 2001, amending December 1992 report.
16 Aircraft Accident Report—USAIR Flight 427, Boeing 737-300, N513AU near Aliquippa, Pennsylvania. NTSB. March 24, 1999.
Fig. 9.8 U.S. Air Boeing 737 Flight 427 crash site. Unattributed
The B737 rudder surface deflected in a direction opposite to that commanded by the pilots due to a jam of the main rudder Power Control Unit (PCU), the hydraulically powered device that moves the rudder. The FAA issued several Airworthiness Directives that included the replacement of the rudder PCUs. The NTSB claimed that the FDRs involved in the accidents recorded a very limited amount of data (5 and 13 parameters, respectively) and recommended the acquisition of additional parameters that would have been useful during the investigations: control wheel position, rudder pedal position, flight control surface (rudder, aileron, and spoiler) positions, or lateral acceleration. In 1997, derived from the NTSB recommendations, the FAA adopted several changes for certain aircraft/operation categories: retention of the parameters recording for 25 h and gradual increase of the parameters to be recorded from 29 to 88.

Recent History

During the investigation of the MD-11 Swissair Flight 111 accident, which occurred in 1998 and is detailed in Sect. 6.1.6.3, shortcomings related to the duration of the CVR recordings, the supply of electrical power to the FDR, and the use of the same generator bus were identified. When the aircraft power to the recorders was interrupted, they stopped recording. As a result of the Canadian TSB recommendations, new requirements were introduced in the standards and
rules: increased CVR recording capacity from 30 min to, at least, two hours; a dedicated independent supply source for the CVR, if the aircraft power source is interrupted, for a period of 10 min; and separate generator buses to power each recorder. The FAA implemented the TSB recommendations in 2008, and EASA integrated them in 2015 together with the recommendations derived from other accidents.

In 1999, derived from the Swissair and other accidents, the NTSB issued additional recommendations: the use of deployable recorders and video recorders. Deployable recorders have been used in military and helicopter applications since the 1960s. Their advantage lies in their ability to float; there is no need for a ULB, and because the ELT antenna remains above water, the signal is detectable, and the recorder can be recovered more quickly. It would take a few more accidents until provisions (not requirements) were made for these devices. On the other hand, in regard to video recorders, the opposition of pilots' associations, which consider them a breach of their privacy, has blocked any progress to date.

The flight recorder measures adopted after the catastrophic Air France and Malaysian flights seen in Sect. 9.3.3 also shaped the requirements: Nondeployable flight recorder ULBs should operate for a minimum of 90 days, and provisions for Automatic Deployable Flight Recorder (ADFR) with integrated ELT were introduced.

Note: not related to the Malaysian flight accident causes but highlighted during the investigation is the fact that the SSFDR ULB battery had expired in December 2012, more than a year before the event. The effectiveness of the ULB decreases past the expiry date until discharge, so its operation would not have been guaranteed.

In 2015, EASA implemented a new requirement for certain newly manufactured large commercial aircraft to extend the CVR recording time to 25 h. The rule addressed the lack of sufficient data during incident/accident investigations, in many cases due to overwritten data. The ICAO standards adopted the rule; FAA action on this ICAO standard is still pending despite the NTSB recommendation.
9.3.5 Weight and Balance

ICAO Annex 6 requires that the Weight of the aircraft and Center of Gravity location are such that the flight can be conducted safely. Additionally, operators look for the most efficient operation, which starts with the proper loading of the aircraft. The aircraft tends to gain weight during its life due to a wide range of factors: accumulation of grease and oil, moisture, repaint, new equipment, modifications,
repairs, etc. The operator is responsible for ensuring that the weight and balance records are updated when a change occurs. The Weight and Balance can be obtained by:

• weighing of the aircraft or
• calculation from the previous aircraft weighing if the changes are known.

Once the operator knows the aircraft empty weight and the position of its Center of Gravity (CG), by adding the passenger, cargo, and fuel loads, the weight of the aircraft and CG can be estimated for the entire flight. As a scheduled action with a direct effect on the airworthiness of the aircraft, for control and compliance purposes, it is recommendable to incorporate the Weight and Balance task into the AMP, referencing the corresponding regulatory requirement.

Scheduled Requirements

ICAO does not establish specific periods for the weight and balance of the aircraft but recognizes the importance of developing a program to satisfy the Annex 6 requirements. An updated Weight and Balance report is a requirement for the Certificate of Airworthiness (CofA) and the Airworthiness Review Certificate (ARC, only for EASA).

EASA Air Ops CAT.POL.MAB.100 (b) requires that the operator establishes the weight and the CG of any aircraft:

• by actual weighing prior to initial entry into service (given by the OEM/TCH) and
• thereafter at intervals of
– four years if individual aircraft masses are used, or
– nine years if fleet masses are used.

The accumulated effects of modifications and repairs on the Weight and Balance shall be accounted for and properly documented. Aircraft shall be reweighed if the effect of modifications on the weight and balance is not accurately known.

In line with the recommendations provided in the ICAO Airworthiness Manual Doc 9760, EASA AMC1 CAT.POL.MAB.100(b) provides guidance to make use of the fleet masses for a group of aircraft of the same model and configuration under certain conditions.
The interval between two fleet mass evaluations should not exceed 48 months, and during that time, the operator should weigh a certain number of aircraft (n being the number of aircraft in the fleet):

• if the fleet is composed of 2 or 3 aircraft: n,
• if the fleet is composed of 4 to 9 aircraft: (n + 3)/2,
• if the fleet is composed of 10 or more aircraft: (n + 51)/10.

The aircraft selected should be those that have not been weighed for the longest time.
FAA 14 CFR 125.91 requires that the current mass and CG are calculated from the values established by the actual weight of the aircraft within the preceding 36 calendar months. The use of fleet masses is detailed in AC 120-27F, following the ICAO recommendations, and is equivalent to that prescribed in the EASA AMC.
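The EASA intervals and the fleet-mass sampling rule above can be turned into a small planning check. The following is an added example, not taken from the book: the aircraft registrations and dates are constructed, and rounding fractional results of (n + 3)/2 and (n + 51)/10 up to the next whole aircraft is an assumption, since the text does not state a rounding rule.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Aircraft:
    registration: str   # constructed sample value
    last_weighed: date  # date of the last actual weighing


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; clamps to the last day of shorter months."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def reweigh_due(last_weighed: date, uses_fleet_masses: bool) -> date:
    """Latest reweigh date: four years with individual masses, nine with fleet masses."""
    return add_months(last_weighed, 12 * (9 if uses_fleet_masses else 4))


def min_aircraft_to_weigh(n: int) -> int:
    """Aircraft to weigh between two fleet mass evaluations, for a fleet of n.

    Fractions are rounded up (assumption, not stated in the text).
    """
    if n < 2:
        raise ValueError("the fleet-mass rule in the text starts at 2 aircraft")
    if n <= 3:
        return n
    if n <= 9:
        return -(-(n + 3) // 2)    # ceiling of (n + 3) / 2
    return -(-(n + 51) // 10)      # ceiling of (n + 51) / 10


def fleet_weighing_plan(fleet, last_evaluation: date, as_of: date) -> dict:
    """Select the aircraft unweighed for the longest time and flag expired limits."""
    count = min_aircraft_to_weigh(len(fleet))
    ordered = sorted(fleet, key=lambda a: (a.last_weighed, a.registration))
    return {
        # the interval between two fleet mass evaluations is at most 48 months
        "next_evaluation_due": add_months(last_evaluation, 48),
        "aircraft_to_weigh": [a.registration for a in ordered[:count]],
        # aircraft already past the nine-year limit for fleet masses
        "overdue_nine_year_limit": [
            a.registration for a in ordered
            if reweigh_due(a.last_weighed, uses_fleet_masses=True) < as_of
        ],
    }


# Constructed sample fleet of five aircraft of the same model and configuration.
SAMPLE_FLEET = [
    Aircraft("AC01", date(2016, 3, 10)),
    Aircraft("AC02", date(2019, 11, 2)),
    Aircraft("AC03", date(2014, 5, 20)),
    Aircraft("AC04", date(2021, 7, 15)),
    Aircraft("AC05", date(2018, 1, 30)),
]

if __name__ == "__main__":
    plan = fleet_weighing_plan(SAMPLE_FLEET, date(2022, 6, 1), date(2024, 1, 1))
    for key, value in plan.items():
        print(key, value)
```

For an operator under the FAA rule quoted above, the same date arithmetic applies with a 36-calendar-month window.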
Chapter 10
Components Maintenance Program
The basis for the Component Maintenance Program, part of the Aircraft Maintenance Program, is provided by the regulatory requirements and the manufacturer's Instructions for Continued Airworthiness (ICA): scheduled maintenance tasks, Life Limited Parts, overhaul, etc. The basic program should be further developed by the operator based on the inputs from the Reliability Program.

The maintenance of components can be performed:

• On-wing, with the component installed on the aircraft (e.g., component instructions provided in the AMM), or
• Off-wing, at shop (e.g., component instructions provided in the CMM).

During the development of the ICA, the TCH takes into consideration the maintenance recommendations given for the components. These recommendations and instructions may be adopted in the ICA to be performed On-wing or Off-wing. The ICA should identify and provide guidance for the maintenance that is to be controlled at component level. Any other decision to control a task at component level should originate from the regulation, the Reliability Program, or warranty reasons. For example, the MRBR is based on the probability of failures; although a task may look like a component task, the intent could be to evaluate the behavior of such a component when it is installed on a system. In this case, there would be no need to control the system task at component level but at aircraft level. Tasks requiring component-level control are identified in the ICA.

Some of the component requirements have already been introduced throughout the chapters of this book: regulatory requirements for the Emergency/Safety Equipment, ELT, FDR, and CVR. The inadequate management of component requirements may be a source of hazards and lead to mistakes or omissions.
The focus is on the following processes:

• component acceptance, e.g., control of the acceptance standards of new or maintained components,
• component robbery, e.g., control of parts removed from one aircraft or component to be fitted in another,
• configuration control, e.g., control of the design or build standard of the aircraft or components such that it remains within the approved data standards.

This chapter introduces the Acceptance of Components, the Maintenance Program of specific components [Evacuation Slides, as a representation of components maintenance, and complex systems such as the Landing Gears and Powerplants, including Propellers, and Auxiliary Power Units (APU)], and highlights the importance of adequate Configuration Management and Robbery procedures.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_10
10.1 Acceptance of Components

The Component Repair Cycle is the process from the removal of a component from service until its restoration to a serviceable condition. A component is considered unserviceable when its life limit has expired, it does not comply with mandatory requirements (AD, ALS, etc.), its airworthiness or eligibility for installation cannot be determined, it shows evidence of defects/malfunctions, or its serviceability is affected by an incident/accident.

The mechanic removes the unserviceable component from the aircraft and tags it properly to prevent its use. Items with an expired life limit and those with non-reparable defects are classified as unsalvageable and discarded/mutilated in a controlled manner. The repairable items enter the Component Repair Cycle.1

The Component Repair Cycle involves the following activities:

• Removal of Unserviceable component,
• Unserviceable tagging,
• Warehouse and shipping to Repair Shop (internal/external),
• Repair/Overhaul,
• Shipping from Repair Shop,
• Receiving/Acceptance of the component,
• Warehouse receives and issues the serviceable component,
• Installation of Serviceable Component.
The reason for removal should be considered, as well as other potential maintenance from the AMP and modifications/repairs, when defining the component Work Scope. Considerations for repair or overhaul should go beyond the reason for removal; a repair can lead to more events in the long term.
1 Best Practices for Component Maintenance Cost Management. IATA. Second Edition—2015.
10.1.1 Component Authorized Release Certificate

Components that are in Serviceable condition should be accompanied by an authorized release certificate; it may be an EASA Form 1, FAA Form 8130-3, or an equivalent document. EASA Form 1 and FAA Form 8130-3 can be issued by approved production organizations for new components or by approved maintenance organizations for components that have undergone maintenance. Maintenance of components should only be performed by an approved maintenance organization.

The EASA Form 1, FAA Form 8130-3, or equivalent document should include the basis on which the component is released:

• Component identification (Part Number and Serial Number) and description,
• Component Status: new/prototype for components released by production organizations and Overhauled/Inspected/Tested/Repaired/Modified for components released by maintenance organizations,
• Remarks: maintenance data used, compliance with AD and SB, modifications/repairs, replacement parts installed, Life Limited Parts status, etc.

The procedures to fill in an EASA Form 1 are detailed in EASA Part 21 Appendix I to Annex I and Part M Appendix II for production and maintenance organizations, respectively. The procedure to fill in an FAA Form 8130-3 is detailed in the FAA Order 8130.21G.

Under the EU-US BASA, EASA and the FAA recognize each other's design approvals, allowing the installation of new components of the other regulatory environment when accompanied by its release certificate. However, used components approved for return to service are eligible for installation in the other regulatory environment only when accompanied by an authorized dual release. A Dual Release EASA Form 1 or a Dual Release FAA Form 8130-3 makes use of the appropriate boxes (12 and 14) of the certificate itself to reference compliance with the other regulation, as appropriate.
10.1.2 Conformity Documentation/Statement

Standard parts (e.g., fasteners, bearings, seals, pins, etc.), Raw material (e.g., metal, plastic, fabric, etc.), or Consumable material (e.g., lubricants, compounds, paints, sealants, etc.) should only be fitted to or used on an aircraft or component when accompanied by a Certificate of Conformance (CoC) or conformity statement stating that the part or raw/consumable material conforms to the applicable standards.
For Standard Parts, an EASA Form 1/FAA Form 8130-3 may be issued in lieu of a CoC or a conformity statement. EASA Form 1/FAA Form 8130-3 should not be issued for Raw/Consumable material.
10.1.3 Suspected Unapproved Parts (SUP)

Suspected Unapproved Parts (SUP) are those that apparently do not meet the applicable requirements to enter the aviation system: lack of proper documentation, defective parts rejected during production, parts improperly maintained, military parts that do not meet the civil certification requirements, supplier parts without the authorization of the approved manufacturer, parts that have reached a design life limit, parts that have been damaged beyond repair, or directly counterfeit parts.

Certain situations may raise questions: price or delivery schedule much lower than those given by other distributors, unidentified distributors, inability to provide substantiating documentation, damaged packaging, packaging without distributor identification, or tampered part identification (P/N & S/N).

A SUP may compromise the airworthiness of the aircraft, and its installation is not allowed. The organization must report any Suspected Unapproved Parts (SUP) to EASA or the FAA, as applicable, for investigation. The investigation determines the safety concerns and traces the parts to their source; if considered appropriate, the SUP is removed from the aviation system. The SUP cases under investigation and the already confirmed Unapproved Parts are published on the EASA and FAA Web sites. Guidance for detecting and reporting SUP is provided in EASA SIB 2017-13R1 and FAA AC 21-29D.
10.1.4 Organization Responsibilities

The Maintenance Organization must ensure that the component is eligible to be installed on the aircraft based on:

• the component release certificate (EASA Form 1, FAA Form 8130-3 or equivalent document) or Certificate of Conformance (CoC)/conformity statement, as applicable,
• the maintenance data: AMP, IPC, regulatory requirements, ADs, SBs, modifications, specifications, etc.,
• applicable configuration standards defined by the operator.

Guidance related to acceptance of components/parts is provided in EASA AMC 145.A.42 and FAA AC 20-62E and AC 20-154 (Figs. 10.1 and 10.2).
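The documentation rules of Sects. 10.1.1 to 10.1.3 can be combined into a receiving-inspection check. This is an added sketch, not a procedure from the book or from EASA/FAA guidance: the record fields, status strings and decision labels are hypothetical, the sample items are constructed, and an "equivalent document" is routed to manual review rather than accepted automatically.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Release certificates named in the text and the regulatory system they belong to.
RELEASE_CERT_REGIME = {"EASA Form 1": "EASA", "FAA Form 8130-3": "FAA"}
CONFORMITY_DOCS = {"CoC", "conformity statement"}


@dataclass
class ReceivedItem:                      # hypothetical receiving record
    kind: str                            # component | standard_part | raw_material | consumable
    document: Optional[str]              # accompanying document type, None if missing
    status: str = "new"                  # "new", or e.g. "overhauled"/"repaired" (used)
    dual_release: bool = False           # boxes 12 and 14 reference the other regulation
    aircraft_regime: str = "EASA"        # regulatory environment of the receiving aircraft
    part_number: str = ""
    serial_number: str = ""
    id_tampered: bool = False
    distributor_identified: bool = True


def sup_indicators(item: ReceivedItem) -> List[str]:
    """Situations the text lists as raising questions about a possible SUP."""
    hits = []
    if item.document is None:
        hits.append("no substantiating documentation")
    if item.id_tampered:
        hits.append("tampered part identification (P/N & S/N)")
    if not item.distributor_identified:
        hits.append("unidentified distributor")
    return hits


def document_findings(item: ReceivedItem) -> List[str]:
    """Check the accompanying document against the rules for the item kind."""
    findings, doc = [], item.document
    if item.kind == "component":
        if doc not in RELEASE_CERT_REGIME:
            findings.append("no EASA Form 1/FAA Form 8130-3; equivalence needs manual review")
        else:
            other_system = RELEASE_CERT_REGIME[doc] != item.aircraft_regime
            # New components cross over on their own certificate; used ones need dual release.
            if other_system and item.status != "new" and not item.dual_release:
                findings.append("used component from the other system needs a dual release")
        if not (item.part_number and item.serial_number):
            findings.append("component identification (P/N and S/N) incomplete")
    elif item.kind == "standard_part":
        # A Form 1/8130-3 may be issued in lieu of a CoC for standard parts.
        if doc not in CONFORMITY_DOCS and doc not in RELEASE_CERT_REGIME:
            findings.append("standard part needs a CoC, conformity statement or release certificate")
    elif item.kind in ("raw_material", "consumable"):
        if doc in RELEASE_CERT_REGIME:
            findings.append("Form 1/8130-3 should not be issued for raw/consumable material")
        elif doc not in CONFORMITY_DOCS:
            findings.append("raw/consumable material needs a CoC or conformity statement")
    else:
        raise ValueError(f"unknown item kind: {item.kind}")
    return findings


def assess(item: ReceivedItem) -> Tuple[str, List[str]]:
    """Return a decision label and the reasons behind it."""
    suspicions, findings = sup_indicators(item), document_findings(item)
    if suspicions:
        return "HOLD_SUSPECTED_UNAPPROVED", suspicions + findings
    if findings:
        return "NOT_ELIGIBLE", findings
    return "ELIGIBLE", []


if __name__ == "__main__":
    # Constructed sample: overhauled unit with an FAA certificate for an EASA aircraft.
    sample = ReceivedItem("component", "FAA Form 8130-3", status="overhauled",
                          part_number="PN-CONSTRUCTED-1", serial_number="SN-0001")
    print(assess(sample))
```

Passing this document check is only the first of the three bases listed in Sect. 10.1.4; the maintenance data and the operator's configuration standards still have to be checked separately.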
Fig. 10.1 EASA form 1 template (Part-145)
Fig. 10.2 FAA form 8130-3 template
10.2 Component Maintenance Manuals (CMM)

A Component Maintenance Manual (CMM) is a document that provides instructions to maintain and restore a component. It includes the procedures for assembly/disassembly, cleaning, inspection, check, repair, and also the component limitations.

While the Aircraft Maintenance Manual (AMM) provides instructions for the maintenance of the aircraft and on-wing maintenance of its components, the CMM details the instructions for off-wing (in-shop) maintenance. CMM tasks may only be accomplished on-wing when this is specifically referenced in the AMM.

When an ICA makes reference to the use of a CMM, the CMM becomes part of the ICA, and the design holder should make it accessible to the operator. CMM recommendations are taken into consideration by the DAH when developing the ICAs, e.g., during the MSG-3 analysis.

The operator is not required to review the CMM for every single component of the aircraft; however, the minimum list should include the CMMs of the components identified as critical by the DAH during the certification process. These critical components usually have a life limitation, an inspection, or some kind of maintenance requirement that is already specified in the ICAs. The operator is responsible for assessing the suitability of such recommendations under an Embodiment Policy and the Reliability Program. The CMMs may define more restrictive requirements than those adopted by the DAH, and the operator should review them.
10.3 Details of Specific Component Programs

10.3.1 Evacuation Slides

The maintenance of Evacuation Slides is representative of the actions necessary for a component to comply with its design and remain in condition for safe operation; that is, an airworthy component. The Evacuation Slides program typically includes scheduled repetitive maintenance (checks, inspections, etc.), overhaul, life/service limitations, and sampling.

An Evacuation Slide is an inflatable device, considered Emergency Equipment as defined in Sect. 9.3.2, that assists the occupants of an aircraft in descending to the ground during an evacuation. Evacuation Slides are automatically deployed but should include means to prevent the deployment under non-emergency conditions.

The Slides are a requirement for non-over-wing exits more than 1.8 m from the ground and over-wing emergency exits under certain specifications. The details are described in EASA/FAA CS/FAR 25.810, and complete guidance is provided in FAA CS 25-17A Transport Airplane Cabin Interiors Crashworthiness Handbook. Design requirements are given in the EASA/FAA ETSO-C69c/TSO-C69c.
Evacuation Slides Configuration

Depending on the performance specifications required for the emergency evacuation, the Evacuation Slides can be classified as:

• Type I: inflatable slide suitable for assisting occupants in descending from a floor-level aircraft exit or from an aircraft wing,
• Type II: inflatable slide also designed to be used as a life raft, i.e., a slide/raft,
• Type III: inflatable exit ramp suitable for assisting occupants in descending to an aircraft wing from certain over-wing exits,
• Type IV: combination inflatable exit ramp and wing-to-ground slide.

A typical Evacuation Slide contains the following elements:

• Packboard/Stowage device,
• Inflatable assembly: air retaining fabric structure,
• Inflator assembly:
– Gas generator: supplies high-pressure hot gas,
– Cylinder: cools the gas from the generator,
– Control valve: releases the gas to the inflatable assembly.

The Evacuation Slide manufacturer will likely recommend slide overhaul at specific intervals and establish life, service limits, and hydrostatic test for the gas generator and the cylinder.

Scheduled Requirements

Evacuation Slides are subject to the MSG-3 analysis under the MRB process and to the System Safety Analysis (SSA) that may lead to the adoption of Airworthiness Limitations. These analyses take into consideration the maintenance recommendations given by the manufacturer in the CMM that are based on specific tests for the slide certification, e.g., material, pressure retention, water, radiant heat, evacuation rate, beam strength, attachment means test, etc.

The result of these tests, analyses, and evaluations usually concludes with three types of maintenance requirements:

• Scheduled maintenance tasks
– MSG-3 analysis may require a Sampling Program for the Evacuation Slides of the operator's fleet, usually deployment at defined intervals for alternating slide locations, in order to confirm that there are no unexpected degradation characteristics.
• Evacuation Slide Overhaul
• Evacuation Slide Life and Service Limitations.

Evacuation Slides are usually designed so that the Overhaul times support the Life and Service Limitations.
Evacuation Slides Maintenance Program

The MSG-3 analysis, the Reliability Program, and applicable regulatory requirements define the incorporation of these recommendations into the AMP. It is recommendable to structure the AMP Evacuation Slide component requirements in regard to the slide configuration. Although the Overhaul time usually supports the Life and Service Limitations of internal components (inflator assembly components), it should be ensured by the operator in a controlled manner.

Special Considerations—Storage

The Evacuation Slide Overhaul period usually starts from the Date of Manufacture for new slides or Date of Overhaul for slides that have undergone restoration. When the Evacuation Slide has been under controlled storage before installation on the aircraft, the manufacturer may allow certain alleviation for the accomplishment of the next Overhaul. Such credit should be stated accordingly in the component release form (EASA Form 1, FAA Form 8130-3 or equivalent), but storage procedures are not part of the scheduled maintenance and, therefore, not part of the AMP.
10.3.2 Landing Gear

The Landing Gear (LG) is the system that supports the weight of the aircraft, allows its operation while on the ground, and facilitates the takeoff and landing procedures.

LG Configuration

The Landing Gear configuration depends on the design; larger and heavier aircraft incorporate more complex landing gear arrangements with more wheels per landing strut. The most common LG configuration on large aircraft is the retractable tricycle type. It consists of a Nose Landing Gear (NLG) and two LGs aft of the Center of Gravity, usually located under each wing (Wing/Main Landing Gear). Most of the Airbus and Boeing models are in this configuration. Heavier aircraft, such as the Airbus A340, A380, and the Boeing 747, require additional support with a LG located in the central fuselage (Body Landing Gear). The number of wheels also increases with the weight: from a total of six wheels in the Airbus A320 or the Boeing 737 to 18 wheels in the Boeing 747 or 22 wheels in the A380.

Each LG within the aircraft has its own configuration, e.g., features for the steering of the aircraft may be incorporated only on the NLG or additionally on the BLG for larger aircraft, modern aircraft only incorporate brake units on the WLG/BLG, etc. The structural configuration of the LG comprises several assemblies, e.g., fitting, shock absorber, strut, piston, cylinder, bogie beam, axle, drag/sidestay braces, unlock actuator, retraction actuator, etc. Most of these assemblies are likely to require overhaul as part of the complete LG Overhaul. Additionally, these assemblies contain Life Limited Parts that are to be considered during the development of the LG Overhaul Work Scope.
Scheduled Requirements

The structure of the Landing Gear and related points of attachment are examined during the MRB process to identify requirements that prevent structural failures due to Accidental Damage (AD), Environmental Deterioration (ED), including corrosion, or Fatigue Damage (FD). Damage Tolerance (DT) and Widespread Fatigue evaluations of the LG are carried out to establish Airworthiness Limitations to avoid catastrophic failures during the operational life of the aircraft. Older aircraft are assessed for Damage Tolerance (DT) and corrosion through specific programs (SSIP and CPCP).

The actuating portions of the LG are treated as system components and are subject to the MSG-3 analysis during the MRB process and the System Safety Analysis (SSA), but also to the Damage Tolerance and Widespread Fatigue evaluations.

The LG is a critical system of the aircraft and requires specific functional, structural, fatigue, environment, shock absorption tests, etc., for certification. The result of these tests, analyses, and evaluations usually concludes with three types of maintenance requirements:

• Scheduled on-wing/off-wing maintenance tasks,
• LG Overhaul,
• LG Life Limited Parts (LLP).

As for other systems, the Reliability Program plays an important role in optimizing the LG maintenance, and certain parameters, such as the Mean Time Between Failures (MTBF) and the Mean Time To Repair (MTTR), should be closely monitored.

The LG Overhaul provides four additional maintenance opportunities:

• Accomplishment of scheduled maintenance tasks on the aircraft that, while not part of the Overhaul, are suitable to be performed at the time of the LG removal/installation due to exposure of the area.
• Accomplishment of maintenance tasks on LG components during the Overhaul, e.g., inspection of LG Line Replaceable Units (LRU).
• Replacement of LG LLPs. The LG is usually designed so that the Overhaul times support the Life Limits.
• Embodiment of LG modifications/repairs.
The selection of the Overhaul period for a newly certified LG should ensure its integrity until it is validated through the MRB process based on service experience (sampling of selected representative LG in service). The standards for the design of the Landing Gear are set in EASA CS-25 and FAA 14 CFR 25.
LG Maintenance Program
It is recommendable to structure the AMP LG component requirements respecting the LG Configuration as far as practicable. It means ordering the requirements in regard to the assemblies and subassemblies.
10.3 Details of Specific Component Programs
If no guidance is given by the DAH, developing a LG Component Maintenance Program based on the LG Configuration may require an exhaustive evaluation of the documentation, e.g., LG Overhaul manual, LG component CMMs, schematic diagrams, etc. However, a structured program not only ensures a proper correlation between the LG configuration and the requirements but also facilitates the development of the LG Work Scopes.
10.3.3 Powerplant, Thrust Reverser, and Auxiliary Power Unit (APU)
The Powerplant is the primary system necessary for the propulsion of the aircraft: engine and propeller, if applicable. Commercial aircraft are usually fitted with turbine engines, where the intake air is compressed (compressor), the fuel is ignited in the compressed air (combustion), the turbine is turned by the energy of the ignition, and the remaining energy is exhausted in the form of hot compressed gases. Basically, there are two types of turbine engines:
• Turbofan: the turbine drives a fan at the front of the engine.
• Turbopropeller: the turbine drives a Propeller at the front of the engine.
The thrust is the reaction of the engine in the opposite direction of the exhausted, hot compressed gases. Reverse thrust is necessary to reduce the speed of the aircraft, e.g., during landing. Reverse thrust is achieved through:
• A Thrust Reverser device for turbofan engines. It reverses the flow of the exhaust gases.
• Reverse pitch for turbopropeller engines. It is created by turning the angle of attack of the blades to a negative pitch.
Engines and Propellers are defined by their own type design, but Thrust Reverser devices may be declared as part of the engine type design or be certified with the aircraft. On the other side, the Auxiliary Power Unit (APU) is a type of engine whose purpose is to provide pneumatic and electrical power to the aircraft.
Powerplant, Thrust Reverser, and APU Configurations
The Powerplant (Engine and Propeller, if applicable) and Thrust Reverser Configurations depend on their type design. Modern turbofan engines are usually built in modules, so they can be changed individually for easier maintenance and reduced times and costs. A typical turbofan engine with thrust reverser system is formed by:
• Engine modules:
– Fan/Low-Pressure Compressor (LPC): fan blades, fan disk, and compressor case.
– Engine Core section:
  High-Pressure Compressor (HPC): rotor compressor blades and stator compressor vanes,
  Combustor: inner and outer casings, fuel nozzles, and the high-pressure nozzle guide vanes,
  High-Pressure Turbine (HPT): HPT rotor and nozzle guide vane assemblies.
– Low-Pressure Turbine (LPT): LPT rotors, LPT nozzle stator case, and turbine rear frame.
– Accessory Gear Box.
• Mounts and thrust links,
• Thrust Reverser device,
• Cowls (Intake cowl, Fan cowl, and Thrust Exhaust cowl),
• Systems: starting, ignition, control, indicating, oil, fuel, airflow, cooling, fire protection, anti-icing, etc.
Configuration of turbopropellers is slightly different; basically, the propeller takes the role of the fan to generate thrust and the role of the thrust reverser device to produce reverse thrust. The propeller is composed of a Hub and two or more Blades. On the other side, APU is considered as a type of engine, and its configuration also depends on the type design. All the elements described above are subject to requirements derived from their certification.
Scheduled Requirements
The certification of engines, thrust reverser devices, propellers, and APU includes the ICA necessary for their maintenance, including scheduled maintenance, Airworthiness Limitations and Life Limited Parts (LLPs). It is determined through Damage Tolerance (DT) evaluation of the structure and Safety Analysis based on methodologies such as the Fault Tree Analysis (FTA), Failure Mode and Effect Analysis (FMEA), Markov analysis, etc., and supported by tests for fatigue, stress, calibration, endurance, vibration, load effects, ingestion of water, hail or birds, blade failure, over-torque, integrity, emissions, etc. Engine/Propeller/APU scheduled maintenance, Airworthiness Limitations, and LLPs are usually detailed in Chapter 5 of the Engine/Propeller/APU Maintenance Manual.
Additionally, as part of the aircraft certification, the engines, thrust reverser devices, propellers, and APU must be taken into consideration for the MSG-3 analysis during the MRB process and the System Safety Analysis (SSA) for their installation. Engine/APU mountings and attachments are taken into consideration as part of the aircraft structure and are subject to the Damage Tolerance (DT) and Widespread Fatigue Damage (WFD) evaluations.
IMPS Issue 01 included the FAA proposal (IP 165) that highlighted that no exceptions are allowed for the MSI selection during the MRB process in regard to engines, propellers, and APU. This clarification was needed because some aircraft TCHs attempted to deviate from the MSG-3 process, e.g., by using the manufacturer’s recommended program, tasks, and intervals or directly excluding the powerplant or APU from the MSG-3 analysis.
The result of the manufacturer recommendations, the MRB process, and the SSA of the installation of powerplant, thrust reverser, and APU usually concludes with four types of maintenance requirements:
• Scheduled on-wing/off-wing maintenance tasks,
• Major inspection/Overhaul,
• Life Limited Parts (LLP),
• Engine/APU Piece-part inspections.
Piece-part inspections are triggered by opportunity, not by a time or a periodic interval requirement, and are accomplished on safety-critical parts when they are exposed. Their inclusion into the AMP is debatable because piece-part inspections are not scheduled maintenance. In any case, the operator should select an appropriate method to control them.
The Overhaul of Engine and APU provides opportunity to:
• Accomplish scheduled maintenance tasks on the aircraft that, while not part of the Overhaul, are suitable to be performed at the time of engine/APU removal/installation due to exposure of the area.
• Accomplish maintenance tasks on Engine/APU components during the Overhaul, e.g., piece-part inspections.
• Replace Engine/APU LLPs. Engine/APU are usually designed so that the Overhaul times support the Life Limits.
• Embody Engine/APU modifications/repairs.
The standards for the design of the Engines and Thrust Reversers certified with the Engines and Propellers are detailed in EASA/FAA CS-E/FAR-33&34 and CS-P/FAR-35 respectively. The specifications for their installation on the aircraft are listed in CS/FAR-25 Subpart E. The standards for the design of Auxiliary Power Units (APU) are detailed in EASA CS-APU and FAA TSO-77b. The specifications for its installation on the aircraft are detailed in EASA/FAA CS-25 Subpart J/FAR-25 Subpart E.
Special Considerations
Certain items associated with the Engine/APU require disconnection/removal from the airframe during Engine/APU replacement, e.g., electrical, hydraulic, fuel, air intake/exhaust, engine/APU controls, and mounting components. If these components/parts are associated with maintenance requirements and are inadvertently uninstalled and shipped with the engine/APU for repair, it may cause an unsafe condition in the case that the current status of the aircraft maintenance and the replacement component/parts are not appropriately evaluated.
The Configuration Management of the Engine/APU may not be sufficient to control the inadvertent uninstallation of components/parts during Engine/APU removal. The operator should establish a policy and the necessary procedures for their control.
Engine, Thrust Reverser, and Propeller Maintenance Programs
It is recommendable that the Engine, Thrust Reverser, and Propeller Maintenance Programs are segregated in regard to the configuration of each individual item. Following the guidance provided by the manufacturers, e.g., in the Engine Manual or the APU Manual, it is possible to correlate the configuration of Engine, Thrust Reverser, and Propeller with their respective requirements. This “tree” ordered way is clearer, and the development of the Engine/APU/Propeller Overhaul/Major Inspection Work Scope is facilitated.
10.4 Aircraft Configuration Management
In the Aircraft Maintenance Program (AMP) context, the Aircraft Configuration Management is the process to ensure that the aircraft configuration and the components installed are consistent with:
• the type design (TC, STC, modifications/repairs and ETSO/TSO),
• the Aircraft Maintenance Program, including Reliability Program requirements,
• applicable regulatory requirements, and
• leasing and warranty/repair requirements.
The Configuration Management is based on the procedures to manage the configuration tree (build standard) of the aircraft, the components that are installed on, and the applicable associated requirements (ADs, modifications/repairs, scheduled maintenance, life limitations, sampling requirements, etc.). The coding conventions used to control the configuration are usually based on the ATA chapters and should allow the unique identification of each configuration item and the correlation of such items with related sources. The coding convention supports the management of reliability data to a large extent, as related in Sect. 17.1. The use of Part Numbers and Serial Numbers allows the identification of components and the traceability of the transactions. The procedure to manage the aircraft configuration should be defined by the operator and include provisions to identify, document, and communicate configuration changes to the interested stakeholders. The Configuration Management procedures depend on the size of the organization; small operators usually implement basic configuration trees and simple configuration procedures, while larger operators develop more detailed and structured configuration trees with more complex procedures. The basic aircraft configuration is defined by the approved documentation provided by the DAHs. It is complemented by an exhaustive evaluation of other
sources of information and the experience of the operator with the aircraft and the component types. The following items should be taken into consideration:
• Conformity documentation (delivery documents),
• Aircraft/Component Illustrated Part Catalogues (IPC),
• Aircraft Maintenance Program (AMP): MRBR, ALS, RVSM, EDTO, etc.,
• Modifications/repairs,
• Regulatory requirements, including Airworthiness Directives (ADs),
• Operator’s service experience (Reliability Program),
• Leasing/Warranty/Repair/Pooling agreements (1*), and
• Removable Structural Components (RSC) (2*)
(1*) Leasing/Warranty/Repair/Pooling agreements may impose certain return restrictions, e.g., return under specified standards (modification/repair, vendor recommendations, etc.).
(2*) RSC procedures may require the addition of items to the configuration tree. Refer to Sect. 10.5 for further information.
For operators of large fleets, it is beneficial to establish a common configuration. When this is not possible and deviations exist, it is recommended to establish subfleets, e.g., based on the engine type, as far as practicable. This allows subfleets to be located at specific aircraft bases and reduces inventory costs.
Lesson Learned—Air Transat Flight 236
On August 24, 2001, Air Transat Flight 236, operated under ETOPS approval with an Airbus A330 from Toronto, Canada, to Lisbon, Portugal, ran out of fuel with 306 people onboard. The captain glided the aircraft to an emergency landing in Lajes Airport, Azores. 16 occupants received minor injuries, and two passengers received serious injuries during the emergency evacuation. The aircraft suffered considerable structural damage to the fuselage and the main landing gear (Fig. 10.3).
The investigation carried out by the Portuguese Aviation Accidents Prevention and Investigation Department (AAPID),2 with the cooperation of the Canada TSB, revealed that the cause was a fuel leak in the right engine as the result of using mismatched fuel and hydraulic lines during an engine replacement. Air Transat had received a spare engine, but the receiving process did not identify that the configuration of the loaned engine (pre-mod) did not match the configuration of the other A330 engines of its fleet (post-mod). The fullest guarantee to confirm the lack of disparities is the comparison of the engines once it is known which engine is to be replaced, but the company procedures did not require checking the non-mandatory SBs when planning for an engine change.
2 Accident Investigation Final Report—All Engines-out Landing Due to Fuel Exhaustion. Aviation Accidents Prevention and Investigation Department, Government of Portugal. August 24, 2001.
Fig. 10.3 Air Transat Wheels after the emergency landing. FAA archive
The planners were not aware of the differences in configuration between the two engines, and the task cards generated were those associated with a normal engine change, but no task card was issued to address the applicable SBs.
During the engine replacement, the technician realized that the difficulty of the hydraulic pump installation could be related to the different SB status and attempted to view the SB. Due to a network problem, the SB was not accessible. Access to the SB would have revealed that there were two interrelated SBs that required replacement of the fuel tube and the hydraulic line, as well as other associated components; however, the lead technician relied on MCC verbal advice to replace the fuel tube (from the removed engine in post-mod condition) and, confident that it was the only requirement, completed the installation of the post-mod hydraulic pump without replacing the hydraulic lines that remained in pre-mod condition. The installation did not allow enough clearance between the hydraulic and the fuel lines.
The post-installation inspections, including independent inspection, were intended to ensure that the engine controls were properly connected and secured and did not detect the incompatibility of the fuel and hydraulic lines (Fig. 10.4).
The installation resulted in the hydraulic and fuel tubes coming into contact with each other, which caused the in-flight fracture of the fuel tube and a fuel leak. The crew received a warning of fuel imbalance and, unaware of the fuel leak, commenced transferring fuel from the left wing fuel tank to the leak in the right engine. The right and left engines flamed out, and the aircraft had to glide about 75 miles (120 km) to the emergency landing.
Transport Canada restricted the Air Transat ETOPS operations, and the company received a CAD 250.000 fine from the Canadian Government.
Fig. 10.4 Fuel Pipe crack and scratches. AAPID accident investigation report
The AAPID issued a battery of recommendations that urged the regulatory authorities of states responsible for the manufacture of aircraft and major components to review the regulation to ensure that adequate defenses existed in the preinstallation processes, including the maintenance planning process, to detect major configuration differences. AAPID also recommended the review of the standards for identifying the configuration and modification status of major components.
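A pre-installation check of the kind the recommendations call for can be expressed as a comparison of configuration records at planning time. The following Python sketch is an added example, not taken from the book or the accident report; the item names, modification standards and the SB group identifier are constructed placeholders, and the three-item group is a simplified model of the interrelated SBs described above.

```python
# Added example: pre-installation configuration check for an engine change.
# Item names, standards and the SB group identifier are constructed placeholders.

# Items that interrelated SBs require to be at one common modification standard.
INTERRELATED_GROUPS = {
    "SB-GROUP-PLACEHOLDER": {"hydraulic pump", "fuel tube", "hydraulic line"},
}

# Constructed configuration records (item -> modification standard).
REMOVED_ENGINE = {"hydraulic pump": "post-mod", "fuel tube": "post-mod",
                  "hydraulic line": "post-mod"}
SPARE_ENGINE = {"hydraulic pump": "pre-mod", "fuel tube": "pre-mod",
                "hydraulic line": "pre-mod"}


def config_delta(removed, incoming):
    """Items whose standard differs between the removed and incoming engine."""
    return {
        item: (removed.get(item), incoming.get(item))
        for item in sorted(set(removed) | set(incoming))
        if removed.get(item) != incoming.get(item)
    }


def planned_build(removed, incoming, carry_over):
    """Standard of each item once the carry-over parts taken from the
    removed engine are fitted to the incoming engine."""
    build = dict(incoming)
    for item in carry_over:
        build[item] = removed[item]
    return build


def mixed_groups(build, groups=INTERRELATED_GROUPS):
    """Interrelated groups left at more than one standard, or with an item
    whose standard is not recorded, in the planned build."""
    findings = {}
    for name, items in groups.items():
        standards = {item: build.get(item, "unknown") for item in sorted(items)}
        values = set(standards.values())
        if len(values) > 1 or "unknown" in values:
            findings[name] = standards
    return findings


def engine_change_task_cards(removed, incoming, carry_over):
    """Task cards for the work package: the normal engine change plus one
    card per configuration finding, so a difference cannot pass silently."""
    cards = ["Engine change (standard task card)"]
    delta = config_delta(removed, incoming)
    if delta:
        cards.append("Assess SB status (mandatory and non-mandatory) for: "
                     + ", ".join(delta))
    build = planned_build(removed, incoming, carry_over)
    for group, standards in mixed_groups(build).items():
        cards.append(f"HOLD {group}: mixed standard {standards}")
    return cards


if __name__ == "__main__":
    # Pump and fuel tube carried over, hydraulic line left as delivered.
    for card in engine_change_task_cards(
            REMOVED_ENGINE, SPARE_ENGINE, ["hydraulic pump", "fuel tube"]):
        print(card)
```

With the pump and fuel tube carried over and the hydraulic line left as delivered, the planned build is flagged as mixed standard before any work starts, which is the point at which the planners in the event had no indication of a difference.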
10.5 Robbery Procedures
The Robbery of a component is the process through which a serviceable component is removed (robbed) from a donor aircraft to be installed on a recipient aircraft, usually due to no availability in the inventory after a fault or defect is found. If the process is not controlled, the robbed component may result in a different utilization profile than the recipient aircraft.
The serviceability of the robbed component should be demonstrated with an authorized release certificate (EASA Form 1, FAA Form 8130-3, or equivalent) except when the component is to be used within the maintenance organization under a procedure approved in its manual.
The component maintenance records should be transferred with the component; it seems relatively simple for maintenance defined at component level that is associated with the specific Serial Number, but it may require an exhaustive assessment for maintenance that is defined at aircraft level and may even turn more complex when the item is not serialized.
MRBR Aircraft Level Tasks
The case for MRBR tasks at aircraft level is debatable; as introduced in Sect. 6.1.5, the evolution from MSG-2 to MSG-3 methodology used during the MRB process marked a change in the decision logic from a component level up failure-effect analysis to a system level down approach; the change meant to focus on the loss of function rather than on the individual component failure (component failure is to be monitored through the Reliability Program), if not otherwise stated.
The task interval for a robbed component installed on a recipient aircraft may be inadvertently doubled in the worst case scenario if no action is taken. The probability of failure or degradation would increase during the period that is being “exceeded” for that particular component. The risk may be assumed by the operator for non-safety-related tasks, with economic or operational impact, but the debate is open for safety FEC 5 and 8 tasks.
Robbed Components Examples
The next examples detail possible solutions for safety-related system/structure AMP tasks (e.g., mandatory requirement, AD, ALS including CMR, MRBR FEC 5 and 8, etc.) that are controlled at aircraft level:
• (a) For a robbed Right Hand Main LG that is installed on a recipient aircraft and an AMP system task for the Operational Check of the LG braking system (that affects both Right and Left Main Landing Gears), the more restrictive next due calculation should be applied (the next due as per the donor aircraft, RH MLG, or the next due as per the recipient aircraft, LH MLG, whichever comes first).
• (b) For a robbed Flap Position X that is installed on a recipient aircraft and an AMP task for the Detailed Inspection of all the Flaps, there are several options:
– (b.1) The next due for the Flap X is based on the last accomplishment on the donor aircraft, and the next due for all other positions is based on the last accomplishment on the recipient aircraft. It requires component-level tracking.
– (b.2) The next due for all the Flaps is aligned by accomplishing the inspection of the more restrictive calculation for all the positions (the next due as per the donor aircraft, Flap X, or the next due as per the recipient aircraft, all other Flap positions).
In contrast to the solutions detailed above, the operator may decide to return the component to the donor aircraft before any affected task becomes due. It still requires assessment of the AMP tasks that affect the component, but it may be limited to tasks with interval below the period that the component remains off the donor aircraft.
For non-safety-related tasks, the next due calculation may be based on the last accomplishment of the task on the recipient aircraft if accepted by the authority under the Robbery procedure.
There may be cases in which it is possible to demonstrate that the installation procedure covers the intent of the task; if it is agreed with the competent authority under the Robbery procedure, compliance to the AMP task can be given to the recipient aircraft based on the installation.
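The next-due options (a), (b.1) and (b.2), and the risk of an inadvertently doubled interval, can be worked through numerically. The following Python sketch is an added example, not part of the book; the 6,000 FH interval, the aircraft counters and the flap position names are constructed, and the task interval is assumed to be expressed in flight hours only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RobberyCase:
    """One aircraft-level task and one robbed component (constructed data)."""
    interval_fh: int              # AMP task interval, flight hours
    donor_fh_last_done: int       # donor aircraft FH at last accomplishment
    donor_fh_at_removal: int      # donor aircraft FH when the item was robbed
    recipient_fh_last_done: int   # recipient aircraft FH at last accomplishment
    recipient_fh_at_install: int  # recipient aircraft FH when the item was fitted

    def __post_init__(self):
        if self.donor_fh_at_removal < self.donor_fh_last_done:
            raise ValueError("removal cannot precede last accomplishment on donor")
        if self.recipient_fh_at_install < self.recipient_fh_last_done:
            raise ValueError("installation cannot precede last accomplishment on recipient")


def used_on_donor(case):
    """FH the robbed item accumulated since the task was last done on the donor."""
    return case.donor_fh_at_removal - case.donor_fh_last_done


def component_next_due(case):
    """Next due 'as per the donor aircraft', expressed on the recipient's FH counter."""
    remaining = case.interval_fh - used_on_donor(case)
    if remaining <= 0:
        raise ValueError("task already due on the robbed item: accomplish before installation")
    return case.recipient_fh_at_install + remaining


def recipient_next_due(case):
    """Next due 'as per the recipient aircraft'."""
    return case.recipient_fh_last_done + case.interval_fh


def next_due_aligned(case):
    """Options (a) and (b.2): one due point for the whole task, whichever comes first."""
    return min(component_next_due(case), recipient_next_due(case))


def next_due_by_position(case, positions, robbed_position):
    """Option (b.1): component-level tracking, one due point per position."""
    if robbed_position not in positions:
        raise ValueError("robbed position is not part of the task")
    return {
        pos: component_next_due(case) if pos == robbed_position
        else recipient_next_due(case)
        for pos in positions
    }


def untracked_exposure(case):
    """FH between two inspections of the robbed item if the recipient's own
    next due is used with no assessment (the 'no action taken' scenario)."""
    return used_on_donor(case) + recipient_next_due(case) - case.recipient_fh_at_install


# Constructed case: item robbed late in the donor's interval and fitted
# shortly after the task was accomplished on the recipient.
CASE = RobberyCase(interval_fh=6000,
                   donor_fh_last_done=20000, donor_fh_at_removal=25500,
                   recipient_fh_last_done=11500, recipient_fh_at_install=12000)

if __name__ == "__main__":
    print("aligned next due (a)/(b.2):", next_due_aligned(CASE))
    print("per position (b.1):",
          next_due_by_position(CASE, ["Flap 1", "Flap 2", "Flap 3", "Flap 4"], "Flap 2"))
    print("exposure if untracked:", untracked_exposure(CASE), "FH for a",
          CASE.interval_fh, "FH interval")
```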
Cases in which the decision adopted requires component-level tracking, as the one described in (b.1), may involve component serialization. Serialization should be based on approved procedures and may be temporary until a physical survey allows a permanent Serial Number to be assigned.
Robbed Component Utilization Profile
The utilization profile of the robbed component may be directly known, e.g., when it has always been installed on the same aircraft, or may require further assessment:
• If the component has always been within the operator’s fleet, the utilization profile computation is based on the profiles of each registration on which it has been installed.
• If it is not possible to determine the Utilization profile, the operator should assign the utilization based on statistical methods developed by the DAH, use representative utilization profiles (subfleet maximum utilization, fleet pool maximum utilization, and worldwide fleet maximum utilization) or develop other acceptable methods.
Robbed Component Limitations After Application Change
When the maintenance requirement limitations on the donor and recipient aircraft differ (due to the different limitations that may exist between aircraft types, series or configurations), the new limitations to be applied for the next due may require evaluation and recalculation. It is sometimes wrongly accepted in the industry that the limitations applicable to the recipient aircraft, as per the approved AMP for that aircraft and configuration, are the ones to be applied. While it may be valid for certain types of tasks and components, the impact of application change on fatigue requirements on Removable Structural Components (RSC) must be assessed (usually identified in the structural and zonal MRBR tasks and Structural ALS DT inspections).
The approach for the re-calculation of the fatigue requirement limits for the next due may differ between TCHs, if any guidance is provided, but should be in any case acceptable to the competent authority. The two following methods are acceptable means of compliance for applying the new limits:
– Applying the most stringent limitation (threshold/interval), although it may not be the one corresponding to the current application and may be penalizing, or
– Adapting the threshold/interval using the Palmgren–Miner rule, based on a linear fatigue damage accumulation that assumes the fatigue life as inversely proportional to cumulative damage in one life time (up to the first inspection, threshold) or between two consecutive inspections (within an interval).
Note: the interval after the first inspection on the recipient aircraft (by threshold or by interval) returns to the one on the current application (recipient aircraft).
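The two methods can be compared side by side with the practice the text describes as wrongly accepted. The following Python sketch is an added example, not the book's or any TCH's procedure; it assumes each application's threshold or interval is used as the "life" in the Palmgren–Miner sum Σ nᵢ/Lᵢ = 1, counts usage in flight cycles, and uses constructed figures.

```python
from fractions import Fraction
from math import floor


def miner_damage(history):
    """Cumulative damage fraction: sum of usage/limit over past applications.
    history is a list of (cycles_used, limit_on_that_application) pairs."""
    total = Fraction(0)
    for used, limit in history:
        if limit <= 0 or used < 0:
            raise ValueError("limit must be positive and usage non-negative")
        total += Fraction(used, limit)
    return total


def remaining_miner(history, recipient_limit):
    """Cycles left on the recipient application before the damage sum reaches 1
    (rounded down to whole cycles, never negative)."""
    return max(0, floor((1 - miner_damage(history)) * recipient_limit))


def remaining_most_stringent(history, recipient_limit):
    """Cycles left when the lowest limit of all applications is applied to
    the total usage."""
    strictest = min([limit for _, limit in history] + [recipient_limit])
    return max(0, strictest - sum(used for used, _ in history))


def remaining_recipient_limit_only(history, recipient_limit):
    """Recipient limit applied to the total usage, ignoring the donor limit:
    the practice the text describes as sometimes wrongly accepted."""
    return max(0, recipient_limit - sum(used for used, _ in history))


def damage_at_due(history, recipient_limit, remaining):
    """Damage sum reached if the item flies 'remaining' more cycles on the recipient."""
    return miner_damage(history) + Fraction(remaining, recipient_limit)


def due_points(install_fc, remaining, recipient_interval, count):
    """First due from the adapted limit; later dues revert to the recipient's
    own interval, as the note in the text states."""
    first = install_fc + remaining
    return [first + k * recipient_interval for k in range(count)]


# Constructed case: 18,000 FC flown under a 24,000 FC donor threshold.
HISTORY = [(18000, 24000)]

if __name__ == "__main__":
    for limit in (40000, 16000):  # less / more restrictive recipient threshold
        print("recipient threshold", limit, "FC ->",
              "Miner:", remaining_miner(HISTORY, limit),
              "| most stringent:", remaining_most_stringent(HISTORY, limit),
              "| recipient limit only:", remaining_recipient_limit_only(HISTORY, limit))
    naive = remaining_recipient_limit_only(HISTORY, 40000)
    print("damage sum at the recipient-only due point:",
          float(damage_at_due(HISTORY, 40000, naive)))
```

In the first constructed case the recipient-only calculation lets the damage sum reach 1.3 before the inspection; in the second the most stringent method leaves no margin while the adapted limit still allows 4,000 FC, which is the sense in which that method can be penalizing.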
Regulatory Requirements
The Robbery procedure is not an explicit regulatory requirement as such but emanates from the need for compliance when the robbery of a component takes place. For components removed from aircraft withdrawn from service, EASA Part-M AMC M.A.613(a)(2.7) requires evaluating the possible need for alignment of the scheduled maintenance to comply with the AMP of the aircraft in which the component is installed. It is understood, from the AMC M.A.613(a)(2.6&2.7) paragraphs, that the same rule applies for components removed from serviceable aircraft.
Guidance in regard to the robbery of Removable Structural Components (RSC) is provided in Spec 120: Removable Structural Components Industry Guidelines,3 and for modifications/repairs and determination of RSC utilization profiles in EASA AMC 20-20 Annex 3 and FAA AC 120-93.
The actions derived from the decision of robbing a component may be taken and assessed on a case-by-case basis; however, it is recommendable to develop a robbery procedure that is acceptable to the competent authority, in order to standardize and facilitate the process.
Preliminary Considerations—Tasks Affected By Robbery
The operator may decide to perform the evaluation to relate components and any applicable maintenance requirement (it is not limited to repetitive maintenance) on a case-by-case basis, whenever a component is robbed, but it is possible to advance or partially advance the assessment by:
• Identification of components subject to Robbery: based on the Aircraft Configuration and requirements (e.g., ADs, modifications/repairs, AMP, etc.), the Removable Structural Component (RSC) list, if provided by the TCH, and complemented by the operator’s evaluation and experience.
• Cross-reference of components and maintenance requirements.
Robbery Policy and Register
The operator should define a Robbery Policy, accepted by the competent authority, taking into consideration:
• TCH recommendations/guidance, if any.
• Evaluation of the affected tasks:
– Task categorization: Safety/Non-safety,
– Aircraft and component Utilization profile,
– Tasks affecting other components,
– Task Next due calculation.
• Component returns to the donor aircraft/component remains on the recipient aircraft.
3 Spec 120: Removable Structural Components Industry Guidelines. A4A. Revision 2014.1.
It is recommendable that the policy allows a certain degree of flexibility, such as the returns/remains choice, so that the operator can take decisions on a case-by-case basis.
The Robbery procedure should describe the means to register each robbery action, including:
• the component details (donor/recipient aircraft, Part Number, Serial Number, and utilization),
• the component maintenance history records or references,
• the assessment, including tasks affected and limitation changes, and
• the actions adopted, based on the defined Robbery Policy and the case-by-case considerations.
10.6 Component Maintenance Program Structure
A mature Component Maintenance Program should include the procedures and provisions to eliminate any source of hazards, including an appropriate configuration control. There are plenty of options to incorporate the repetitive maintenance requirements into the AMP; as explained in Sect. 5.1.3, the operator should choose the integrative/segregative approach that better aligns with its organization and objectives. For example,
• Segregate On-wing tasks into the AMP System and Structural Programs sections and Off-wing tasks into the Component Program section.
• Integrate all component tasks (On-wing and Off-wing) into a Component Program section.
• Segregate the Component Program section into On-wing and Off-wing tasks.
• Segregate Component Program section into several programs: simple components and dedicated subsections for complex components.
• Segregate dynamic tasks (derived from AD, modifications/repairs, recommendations, robbery, etc.) into dedicated sections or integrated into the Components section.
As detailed throughout this chapter, it is convenient to arrange the programs for complex components as per their built configurations in order to facilitate their understanding and the development of Work Scope Packages.
Chapter 11
AMP Task Interval Management
The Interval of a maintenance task is the prescribed period at which the task has to be performed. The Threshold is defined as the prescribed time at which the task has to be performed in the first instance. The determination of the threshold/interval of a maintenance task may be based on available data (tests, analysis, simulations, statistical methods, in-service experience, etc.) and/or engineering judgment.
Thresholds and intervals are expressed in terms of one or a combination of usage parameters. The selection of usage parameter(s) is based on the suitability to address the purpose of the task:
• Flight Hours (FH): time between the moment the aircraft leaves the ground on takeoff and the moment it touches the ground on landing. Its use is suitable for systems that are in constant operation and are subject to failure due to the usage.
• Flight Cycles (FC): takeoff to landing sequence. Its use is suitable for structures that are subject to pressurization fatigue.
• Landings (LDG): aircraft touching the ground (to full stop or touch-and-go). It is suitable for structures that are subject to impact fatigue.
• Calendar Time (days, months, and years). Its use is suitable for structures that are subject to environmental deterioration (e.g., corrosion) or systems that are exposed independently of the operation, like fire extinguishers.
• Operating Hours (OH): time of operation. Its use is suitable for systems/components operated independently that are subject to failure due to the usage, e.g., APU and batteries.
• Operating Cycles (OCy): on–off sequence. Its use is suitable for systems/components operated independently that are subject to cyclic fatigue, e.g., engine.
• Letter check: group of tasks with similar intervals. Its use is suitable to allocate the maintenance task into scheduled work packages, e.g., A-Check.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_11
“Inspection Window” is a concept used by some TCHs to allow certain tolerance in the accomplishment of the AMP task, which allows flexibility to perform maintenance. Inspection windows should not become permanent variations.
The threshold/interval parameters established by the ICA may be converted to other units if the operator finds it convenient, but it must demonstrate that the ICA requirements are not exceeded.
Although performing a task much more in advance or more often than prescribed in the AMP does not require justification, this practice may result in:
• maintenance errors, causing a negative effect on the aircraft reliability and safety, and
• invalid in-service data to support an evaluation of the specified interval during Escalation or Evolution/Optimization exercises.
If it is considered that the AMP interval is not optimum, it is recommended to perform a complete assessment to determine a new threshold/interval.
The preamble of an AMP should contain the definition of the threshold/interval parameters used and the procedures to manage them. The first five procedures listed below are covered in this chapter, and the last three are detailed in subsequent chapters.
• Maintenance Clock: next due calculation,
• Grace Periods (Compliance Time),
• Permitted Variations,
• Exceptional Short-term Extension,
• Task Escalation,
• AMP Evolution/Optimization (Chap. 12),
• Maintenance Checks (Chap. 13),
• Bridge programs (Chap. 13).
In the case that the interval of a maintenance task is exceeded (including overrun during aircraft operation), it should be accomplished before the next flight and the competent authority notified through the Compliance Monitoring (CM)/Quality department, as agreed. The procedure to deal with an overdue situation is not part of the AMP preamble; it is the competence of the CM/QA department, which may delegate the investigation to the AMP department, under their surveillance. Permitted Variations or Exceptional Short-term Extensions should not be issued to make up for the overdue situation.
11.1 Maintenance Clock
11.1.1 First Accomplishment of Tasks—Starting Point
The starting point for the calculation of the due date for the first accomplishment of a maintenance task is specific for each item. The selection of the initial point is based on the suitability to address the purpose of the task, but also on the conditions in which the aircraft is delivered. Usually, the initial points on which the first accomplishment is based are:
• AMP Effective date: AMP entry into force date,
• First Flight (FF): date of the first time that the aircraft performs a flight (production flight test) during the certification phase,
• Transfer of Title (ToT): date of the official transfer of ownership to the first buyer. Delivery date, first Certificate of Airworthiness (CofA), or Export CofA may also be used,
• Date of Last Accomplishment (DoLA): date on which the task was previously performed (predelivery),
• Date of Modification: date on which a modification is embodied on the aircraft,
• Date of Manufacture (DoM): date on which a product is declared in conformance with its specifications,
• Date of Installation (DoI): date on which a product is installed on the aircraft.
Under certain conditions (e.g., aircraft preservation during production), the OEM may disregard the contribution to failure, fatigue, or degradation between the FF, component DoM, or DoI and the ToT. Additionally, after the manufacturer predelivery checks, certain tasks may be considered as reset to zero. This may be especially interesting for the owner/operator when a lengthy time passes between FF and ToT, e.g., test aircraft used for the Type Certification.
On the other hand, when the first accomplishment of a maintenance task is much earlier than the threshold (greater than the interval), the TCH may allow the second accomplishment of the task to be back at the threshold instead of the repeat interval.
As explained in the introduction of this chapter, early task accomplishment is not a recommendable practice. For aircraft which applicability is given by the embodiment of modification(s), the starting point for the calculation of the due date is not always the date of accomplishment of such modification. The guidance provided by the TCH must be followed. In any case, the ICAs, together with the conformity documentation furnished by the TCH/OEM at the time of the aircraft delivery, should provide sufficient guidance to the operator for the calculation of the initial task due dates.
11.1.2 Repeat Interval
In order to understand the principles of repeat interval management, it is necessary to define the condition of an aircraft based on its airworthiness status:
• Airworthy condition. The aircraft conforms to its approved design and is in condition for safe operation.
• No-airworthy condition. The aircraft is not fit for safe operation, e.g., time since a task interval is overrun, time between runway touch down and preflight check release, etc. No-airworthy condition applies to ground times, maintenance, and parking/storage of the aircraft.
The ICA provided by the DAH and manufacturers should provide guidelines for the use of repeat intervals. Typically, they state that the calculation of the next due date of a maintenance task (after the first accomplishment) is based on the date of the last accomplishment. This statement is actually not accurate for tasks with calendar time intervals. Apart from some exceptions, the calculation of the next due of a maintenance task is based on the date on which the Certificate of Release to Service (CRS) is signed. CRS and the real date of accomplishment do not necessarily coincide.¹
This situation may look out of proportion for short interval tasks (e.g., Daily check) when compared to extended grounding times. It is expected that in these cases, tasks with shorter intervals are performed at the end of the grounding time but before the release of the aircraft. The same philosophy applies while the aircraft is on ground ready for operation, on maintenance, or during parking/storage: The accomplishment of any task that becomes due during these times only needs to be performed before the release of the aircraft, if not otherwise stated by the DAH or required by the competent authority. In any case, the effect of the environmental conditions during prolonged grounding times should be assessed.
The owner/operator can request the maintenance organization to issue a release specifically to cover the accomplishment of certain tasks as it considers, e.g., corrosion inspections.
The following cases are exceptions to the general rule:
• Tasks extended under the Permitted Variation or Exceptional Short-term Extension procedures.
• Component tasks: the maintenance task next due calculation is specific for each component. It may be based on the date on which the component is released (e.g., EASA Form 1 or equivalent FAA Form 8130-3), on the date of installation, on the previous accomplishment of the task, or be established according to other criteria defined by the manufacturer. Special care must be taken with components transferred from different applications (aircraft type, model, weight variant, etc.); if there is any change in the limitations, it should be taken into consideration.
¹ EASA FAQ n. 19102 & 19496. Retrieved June 11, 2020, from https://www.easa.europa.eu/theagency/faqs/continuing-airworthiness.
11.1.3 Credit from Accomplishment of a Different Task
The TCH/OEM can establish a relationship between an existing/deleted maintenance task and a new task through which the calculation of the next due of the introduced task can take credit from the last accomplishment of the existing/deleted task. In the same way, the operator may demonstrate that the maintenance level and scope of an existing/deleted AMP task fulfill the requirements of a new AMP task and that it is therefore possible to take credit from the accomplishment of the existing/deleted task for the calculation of the next due of the introduced task. In this case, the credit procedure should be acceptable to the authority; it should ensure that the operator’s evaluation is registered and that future maintenance documentation changes that may invalidate such evaluation are monitored.
For example, when it is demonstrated that the AMM instructions detailed for an existing/deleted task are similar to the AMM instructions given for a new task, a credit relation may be established if the changes derived from the AMM revision are controlled. In this case, it is recommendable to incorporate a credit relation statement, as appropriate, into the AMP task. If the relation is only valid for particular revision(s) of the maintenance documentation, this should also be reflected, e.g., credit can be taken from previous accomplishment (task number) if performed in accordance with AMM Rev.X.
11.2 Grace Period (Compliance Time)
The incorporation of changes at the time of the AMP effective date (for new and de-escalated tasks) introduced by the revision of ICA may require the use of additional time when the maintenance task due has been exceeded or is close to being exceeded. This additional time is known as Grace Period (Compliance Time) and allows the operator to accomplish the task at the next suitable opportunity (ground time, access, resources, etc.).
In no case should the accomplishment of the task, after applying a grace period, exceed the designated threshold/interval from the AMP effective date. The only exceptions to this rule are a Permitted Variation, an Exceptional Short-term Extension, or the approval by the competent authority, as applicable.
It is recommended that the operator includes its Grace Period policy in the AMP preamble. In order to develop such policy, the operator should take into consideration the specific guidance or rules, if any, provided by the TCH and/or competent authority.
The Grace Period policy should be customized to the operation. For example, it is deduced that new corrosion inspections may originate from corrosion findings; therefore, if the aircraft is operated in a corrosive environment, it makes sense that the operator’s policy is to accomplish new corrosion inspections at the very earliest opportunity.
In the case of mandatory ICA (ALS and CMR), the guidelines or specific Grace Periods provided by the TCH are strictly binding.
It is recommended to analyze the Grace Periods that may be required before the AMP approval. Certain competent authorities may require the results of the analysis from the previous or the current programs when the AMP is submitted for approval.
11.3 Permitted Variations
A one-time concession to a maintenance task interval, applied to a unique aircraft, is known as a Permitted Variation, Prescribed Tolerance, Short Time Escalation, or simply, Extension. It is an exceptional procedure to allow the operator to fly for a limited time until the maintenance task can be performed. The term Exceptional Short-term Extension is most commonly used for concessions to Airworthiness Limitation and CMR task intervals.
11.3.1 Scope of the Permitted Variations
An operator can only apply a Variation to a maintenance task under the approval of the competent authority or under a Variation procedure described in the AMP and approved by the authority. The delegation of responsibilities to the continuing airworthiness organization/operator can be formally approved in the CAME/CAMP. A Variation should never compromise the airworthiness of the aircraft, which is ultimately the responsibility of the operator.
Authorities and TCHs agree that the Variation procedure is not a planning or scheduling tool and should only be used in situations outside the control of the operator, such as weather conditions or non-availability of parts, equipment, staff, or hangar in case of other unscheduled maintenance. Therefore, adequate analysis and justification must be provided at the time of the Variation request. The conclusions of the analysis may require supplemental inspections to be performed during the Variation time to ensure the airworthiness of the aircraft.
The systematic use of the Variation procedure is not prohibited but is not recommended; it may call into question the trustworthiness of the operator and its capacity to manage its own resources.
Variations should not be issued after a maintenance task has exceeded its interval. While EASA does not provide guidance in this regard, the corresponding NAAs are in charge of the oversight function and should develop adequate procedures to avoid dubious practices. On the U.S. side, the FAA requires notification no later than one working day after the issuance of the variation.
There is still a double concern here: Some operators use the Variation procedure to hide non-compliance occurrences, and some authorities may not perform an exhaustive oversight function. Ideally, the Variation record system should ensure the integrity of the current times at which the Variation has been requested and approved.
Note: Variations greater than those specified in the AMP Variations paragraphs are to be granted by the competent authority. The request of the operator to exceed a Permitted Variation is usually accompanied by the recommendation of the TCH.
11.3.2 Maximum Permitted Variation
The Variation limits are based on the TCH recommendation when the competent authority has not provided appropriate guidelines, but in any case, they are subject to the authority's approval.
EASA does not establish maximum limits for Variations and leaves the responsibility to the competent authorities. The National Aviation Authorities can regulate the limitations or allow the operator to follow the TCH recommendation. The most common case is that the limitations, whether established by the NAA or the TCH, follow the recommendations provided in the JAA Temporary Guidance Leaflet (TGL) Nº 26. Although this document was canceled because EASA considered that Variations are operational issues and that the responsibility resides with the NAAs, it is still a frame of reference.
The FAA establishes the maximum limits for Variations (Short-Term Escalation) in the Flight Standards Handbook 8900.1 FSIMS.

Table 11.1 Maximum Variation limits comparison: JAA TGL Nº 26 versus FAA FSIMS

| Parameter | JAA TGL Nº 26 | FAA Flight Standards Handbook 8900.1 FSIMS |
|---|---|---|
| Flight Hours | 10% (not to exceed 500 FH) | 10% (not to exceed 500 FH) |
| Flight Cycles | 5% (not to exceed 250 FC) | 10% (not to exceed 500 FC) |
| Calendar Items | 1 year or less: 10% or 1 month, whichever is the lesser. More than 1 year but not exceeding 3 years: 2 months. More than 3 years: 3 months | 10% (not to exceed 500 FH translated to calendar time) |
11.3.3 Permitted Variations—Interval Management
The criteria to manage the interval of a maintenance task after a Variation differ between regulators; while some provide certain guidelines, others leave the procedure in the hands of the continuing airworthiness organization. The criteria used could be seen as acceptable or not depending on the inspector. To avoid these cases, it is especially recommended to describe the Variation procedure in the AMP preamble so that it is accepted and approved by the authority beforehand.
EASA provides guidance in the FAQ section of its Web site (FAQ n.19102), recommending the calculation of the next due using the original due date of the maintenance task. This is an exception to the interval management general rules.
The FAA provides guidance in the Flight Standards Handbook 8900.1 (FSIMS). In general terms, it is not strictly required to buy back the time exceeded, so the next due date of the maintenance task can be calculated using the accomplishment date. However, the operator must identify in its Maintenance Program the FEC 5 or 8 safety tasks, for which the concurrence of the TCH not to buy back the variation time may be required.
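The limits of Table 11.1 and the two next-due conventions of Sects. 11.3.2 and 11.3.3 can be worked through as a small calculator. This is an added example, not part of the book: the function and field names, the pairing of the JAA Temporary Guidance Leaflet Nº 26 limits with the EASA next-due guidance, the utilization rate used to translate 500 FH into calendar time, and the treatment of FEC 5/8 tasks as "buy back unless the TCH concurs" are assumptions.

```python
from dataclasses import dataclass

# The two columns of Table 11.1 (labels are this example's own).
JAA = "JAA Leaflet No. 26"
FAA = "FAA 8900.1 FSIMS"


def max_variation(interval, unit, limits, fh_per_month=None):
    """Maximum one-time Variation for a task interval, per Table 11.1.

    unit: "FH", "FC" or "MO" (calendar months; 1 year is taken as 12 months).
    fh_per_month: utilization rate, needed only to translate the FAA
    500 FH ceiling into calendar time (assumed input, not from the book).
    """
    if interval <= 0:
        raise ValueError("interval must be positive")
    if limits not in (JAA, FAA):
        raise ValueError(f"unknown limit set {limits!r}")
    if unit == "FH":                       # same rule in both columns
        return min(interval / 10, 500)
    if unit == "FC":
        if limits == JAA:
            return min(interval / 20, 250)   # 5%, not to exceed 250 FC
        return min(interval / 10, 500)       # 10%, not to exceed 500 FC
    if unit == "MO":
        if limits == JAA:
            if interval <= 12:               # 1 year or less
                return min(interval / 10, 1)
            return 2 if interval <= 36 else 3
        if not fh_per_month:
            raise ValueError("FAA calendar limit needs a utilization rate")
        return min(interval / 10, 500 / fh_per_month)
    raise ValueError(f"unknown unit {unit!r}")


@dataclass(frozen=True)
class Task:
    ref: str                   # constructed task reference
    interval: float            # repeat interval, in `unit`
    unit: str                  # "FH", "FC" or "MO"
    fec_5_or_8: bool = False   # safety task identified in the AMP


def next_due(task, original_due, done_at, regime, *, requested_at,
             tch_concurs=False, fh_per_month=None):
    """Next due of a task accomplished at `done_at` (same unit as the task).

    regime "EASA": JAA limits (assumed to be the ones adopted by the NAA),
                   next due counted from the ORIGINAL due (FAQ n.19102).
    regime "FAA":  FSIMS limits, next due counted from the accomplishment;
                   FEC 5/8 tasks buy the time back unless the TCH concurs.
    """
    limits = {"EASA": JAA, "FAA": FAA}[regime]
    if done_at <= original_due:
        # No Variation was consumed: general repeat-interval rule.
        return done_at + task.interval
    if requested_at > original_due:
        # Variations are not issued once the interval has been exceeded.
        raise ValueError("Variation requested after the task became overdue")
    allowed = max_variation(task.interval, task.unit, limits, fh_per_month)
    if done_at > original_due + allowed:
        raise ValueError("beyond the Permitted Variation: "
                         "competent authority approval is needed")
    buy_back = regime == "EASA" or (task.fec_5_or_8 and not tch_concurs)
    base = original_due if buy_back else done_at
    return base + task.interval


def demo():
    """Constructed case: 600 FH task due at 6000 FH, done at 6050 FH."""
    task = Task("EXAMPLE-01", 600, "FH")
    safety = Task("EXAMPLE-02", 600, "FH", fec_5_or_8=True)
    args = dict(original_due=6000, done_at=6050, requested_at=5990)
    return {
        "max JAA / FAA (FH)": (max_variation(600, "FH", JAA),
                               max_variation(600, "FH", FAA)),
        "EASA next due": next_due(task, regime="EASA", **args),
        "FAA next due": next_due(task, regime="FAA", **args),
        "FAA, FEC 5/8, no TCH concurrence":
            next_due(safety, regime="FAA", **args),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The 50 FH used under the Variation is recovered in the EASA case (next due 6600 FH) and carried forward in the general FAA case (6650 FH), which is the practical difference between the two conventions.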
11.4 Exceptional Short-Term Extension
An Exceptional Short-term Extension is a one-time concession to an Airworthiness Limitation maintenance task interval, applied to a unique aircraft.
11.4.1 Scope of the Exceptional Short-Term Extension
It is important to highlight that not all Airworthiness Limitations are subject to Extension. Usually, the TCH identifies in the ALS documents those tasks that are subject to Exceptional Short-term Extension and the appropriate maximum limits based on statistics and reliability data without risking safety. Once these tasks and limits are published in the ALS documentation, the responsibility lies with the competent authority, which may delegate it to the continuing airworthiness organization. In this case, the Exceptional Short-term Extension delegation can be formally reflected in the CAME/CAMP and the procedure in the Aircraft Maintenance Program, as for the Variation.
The systematic use of the Exceptional Short-term Extension procedure is not recommended or is prohibited, depending on the Airworthiness Task type.
Note: Variation procedure is not valid for Airworthiness Limitations.
Note: Exceptional Short-term Extensions greater than those delegated are to be granted by the authority.
EASA guidance is limited to Extension of CMR task intervals in the CS-25. FAA provides guidelines for CMRs in the AC 25-19 and for Fuel Tank Systems Airworthiness Limitations in the AC 120-97.
11.4.2 Exceptional Short-Term Extensions—Interval Management
The criteria to manage the interval of an Airworthiness Limitation maintenance task after an Exceptional Short-term Extension are not always explicitly described in the regulatory documentation. However, it is deduced from the EASA and FAA texts that the interval must revert back to the original interval so the calculation of the next due is based on the original due date of the maintenance task.
11.5 Task Escalation
An Aircraft Maintenance Program (AMP) is approved for one operator and is particular to its operation (environment, utilization, modification status, aircraft age, etc.). The initial threshold/interval and scope of the maintenance tasks are often conservative. A certain level of maturity and confidence is required to adjust a maintenance task to the operator’s in-service performance experience.
Only certain AMP tasks are subject to Escalation; usually, the competent authority does not allow mandatory requirements such as AD repetitive requirements, ALS, CMR*, and MRBR Structural sampling to be relieved. Tasks such as CMR**, MRBR FEC 5 & 8, & EWIS & L/HIRF are considered as safety-related and may be subject to escalation but with the condition of remaining in the AMP without content change.
The Escalation procedure should be agreed with the competent authority and be included in the AMP preamble. Both the competent authority and the operator should be confident in the procedure. The operator should demonstrate sufficient in-service experience.
The Escalation of maintenance tasks should be supported by a Reliability Program, which is part of the Aircraft Maintenance Program. While the scope of a Reliability Program is wider, in regard to task escalation, it provides an appropriate means of monitoring the effectiveness of the AMP based on in-service experience. The operator collects and analyzes maintenance and operational data, identifies deficiencies, and proposes and implements adjustments. The Reliability Program is explained in further detail in PART III.
The AMP task Escalation (based on the operator in-service experience data) should not be confused with the evolution derived from worldwide fleet in-service experience data, inherent to the AMP ICA source document processes (MRBR, ALS, CMR, etc.). However, implementation of changes due to the ICA revision should also be supported by the Reliability Program.
11.5.1 Scope of the AMP Task Escalation
In the first instance, the operator should define the intended scope of the Escalation based on realistic goals. It may be the escalation of a maintenance task or a maintenance check, but could also be all the allowable tasks within the whole AMP.
For small projects involving a few AMP tasks, it may be relatively easy for the operator to analyze the in-service experience data and propose/approve Escalation results (depending on the procedure agreed with the competent authority). As the scope of the project grows (e.g., a letter Check Escalation), a higher level of expertise is required (e.g., complex statistical methods or sampling programs to support the Escalation of servicing tasks), and additional support may become necessary to reach an acceptable level of confidence for both the operator and the competent authority.
The level of confidence required also has much to do with the type of tasks that the operator proposes to escalate: safety-related tasks (CMR**, MRBR FEC 5 & 8 & EWIS & L/HIRF, etc.) will likely require a higher level of confidence than non-safety-related tasks (MRBR FEC 6 & 7 & 9).
That said, when a higher level of confidence is required (depending on the size of the project, the type of tasks, the sampling requirements, and the previous experience of the operator with Escalation exercises), the operator, the TCH, and the competent authority may join their expertise under an AMP Evolution/Optimization exercise. The AMP Evolution/Optimization process is introduced in Chap. 12.
Lesson Learned—Alaska Airlines Flight 261
On January 21, 2000, a McDonnell Douglas MD-83 operated by Alaska Airlines as Flight 261 from Puerto Vallarta, Mexico, to Seattle, Washington, lost control and crashed into the Pacific Ocean, killing all 88 people onboard.
The results of the NTSB investigation² determined that the probable cause of the accident was the loss of aircraft pitch control resulting from the in-flight failure of the jackscrew nut threads of the horizontal stabilizer trim system, which was due to excessive wear resulting from insufficient lubrication of the jackscrew assembly.
² Aircraft Accident Report—Loss of Control and Impact with Pacific Ocean Alaska Airlines Flight 261 McDonnell Douglas MD-83, N963AS, about 2.7 Miles North of Anacapa Island, California. NTSB. December 30, 2002.
The jackscrew nut is a fixed mechanism, and the rotation of the jackscrew through the nut moves the horizontal stabilizer to trim the aircraft. The horizontal stabilizer is a critical flight control, and its adjustment (pitch/longitudinal trim) allows a balanced flight condition to be achieved.
Fig. 11.1 Jackscrew from the Alaska Airlines Flight 261 wreckage. NTSB Accident Investigation Report
During the Alaska flight, the horizontal stabilizer was jammed and did not allow the operation of the trim system that normally makes slight adjustments to the control surfaces to keep the balance of the aircraft. After several troubleshooting attempts, the crew unjammed the horizontal stabilizer, but the aircraft pitched nose down and crashed into the ocean. The NTSB revealed the lack of coordination between the MRB and the design office. The escalation practices and the lubrication procedures of Alaska Airlines and the FAA oversight function were questioned.
Fig. 11.2 C-Check maintenance. NTSB Archive
Lubrication Interval
Initially, Alaska Airlines was performing the lubrication of the jackscrew assembly every 500 FH, consistent with the MRBR (MSG-2), which recommended a lubrication interval of 600 to 900 FH. The MSG-2 interval exceeded the interval requirement established for the predecessor DC-9 by the design office, 300 to 350 FH.
Alaska Airlines subsequently increased the lubrication interval to 1000 FH, to 1200 FH, and to 1600 FH between 1988 and 1994. The investigation did not determine what type of information, if any, was presented as justification for these lubrication interval escalations.
In 1996, the new MRBR, which was based on the MSG-3 logic, called for the lubrication at C-Check intervals (3600 FH or 15 months, whichever comes first) without considering the original design lubrication interval. Additionally, due to a typographical error, the interval was transferred to the Maintenance Planning Document without the calendar time interval, just 3600 FH.
Alaska Airlines changed the interval to 8 months, eliminating the flight-hour limit; based on utilization rates, the 8-month interval was about 2550 FH. NTSB highlighted that a purely calendar-based interval did not account for increases in flight hours that result from increased airplane utilization. The lubrication was also performed within each C-Check, still less than the 3600 FH recommended in the MPD.
The Alaska interval was about 3 to 4 times longer than the originally recommended interval (300-350 FH) and, on the other side, had increased more than 400% since the beginning of the operation without apparent justification. The inadequate lubrication resulted in excessive wear of the jackscrew assembly nut and, therefore, was a direct contributor to the accident.
Play Check Interval
The certification of the DC-9 required the end play checks at every C-Check or 3600 FH. The DC-9 and MD-80 MRBR (MSG-2) recommended the check every 7000 FH or 30 months, whichever comes first, and the MRBR (MSG-3) extended it to every 7200 FH or 30 months.
Initially, Alaska Airlines scheduled the check every other C-Check (every 5000 FH). A series of C-Check escalations ended with the check being performed with a 30 calendar months interval (about 9550 FH).
The safety implications of the lubrication escalations were magnified by the simultaneous escalations of the end play check interval, providing fewer opportunities to discover and address any excessive wear resulting from lubrication deficiencies.
Safety Actions
The FAA issued an Airworthiness Directive to mandate the inspection and lubrication of the jackscrew assembly every 650 FH and the end play check every 2000 FH. The FAA also issued a Certification Process Study (CPS) as a result of the Alaska Flight 261, TWA Flight 800, and other events that focused on numerous process categories, including human factors in aircraft design, operation and maintenance, flight-critical systems and structures and safety oversight.
Chapter 12
AMP Evolution/Optimization
As introduced in the previous chapter under the Task Escalation paragraphs, when an operator(s) requires a high level of expertise to analyze its own in-service experience data with the purpose of Escalation, or a higher level of confidence is required to undertake the Escalation project, the operator, the TCH, and the competent authority can initiate an AMP Evolution/Optimization exercise.
The Evolution/Optimization exercise does not focus only on Escalation, but on improving the aircraft reliability and safety from a cost-effective approach. The results of an AMP Optimization exercise may lead to:
• Interval change: escalation/de-escalation/parameter change (FH, FC, calendar time, etc.),
• Task category change,
• Work scope change,
• Instruction change,
• Addition/deletion of tasks or applicability change.
Other recommendations and changes not associated with the AMP may result from the exercise, e.g., modification or configuration changes.
The standards for the AMP Evolution/Optimization based on in-service experience must be described in the operator’s manuals. If the operator, the TCH, and the competent authority find it convenient, the procedures for the AMP Evolution/Optimization can be mirrored from the MRB Evolution/Optimization process that is detailed in the Policy and Procedures Handbook (PPH) (see Sect. 6.1.7).
Note that the AMP Evolution/Optimization exercise is based on the operator’s own in-service experience and is only applicable to the operator’s fleet, while the MRB Evolution/Optimization in accordance with IP 44 is based on worldwide fleet in-service data, and all operators of the fleet type can benefit from it.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_12
12.1 AMP Evolution/Optimization: Assessment of Resources
The scope of an AMP Evolution/Optimization must be agreed by the operator, the TCH, and the competent authority and may range from a single AMP task or a Maintenance Check to the overall AMP.
Before getting involved in an AMP Evolution/Optimization exercise at large scale, each involved party should evaluate its own resources, e.g., the competent authority may not have enough specialists available to participate in the project, the TCH may require such complex sampling programs that the optimization becomes unfeasible, and the operator may not be able to provide all in-service data in the form or quality required by the TCH or may not have enough specialist expertise.
The service provided by the TCH tends to be expensive; however, for the optimization of letter checks and above, the results could be really cost-effective. For example, the optimization may result in Check escalation, with a reduction of direct maintenance cost due to fewer check events, increased reliability, and greater aircraft and resource availability.
Resources and Cost–Benefit Analyses determine a good starting point for an AMP Optimization project.
12.2 AMP Evolution/Optimization Based on MRB Evolution/Optimization (Process Mirror)
The main difference between an AMP Evolution/Optimization and the MRB Evolution/Optimization resides in the scope of the data analysis; the MRB process is supported by the certification and worldwide fleet data, whereas the AMP Evolution/Optimization exercise is supported by in-service data of the operator(s) that participate in the exercise. The results of the Evolution/Optimization are only applicable to the operator(s).
The AMP Evolution/Optimization process can be akin to the MRB process and will usually require similar bodies. Table 12.1 shows a simplified example of a possible analogy between the MRB Evolution/Optimization process and the AMP Evolution/Optimization (MRB process mirror) that may be used by the operator as the base to develop its own procedure.
In the example, the operator develops the AMP Evolution/Optimization procedure, which is reviewed, discussed, and approved by the Internal ISC [TCH and operator(s)] and accepted by the Competent Authority. Based on the procedure, the operator provides the TCH with its in-service experience data. The TCH reviews the MSG-3 analysis, analyzes the in-service data, and recommends adjustments to tasks or task intervals in the form of AMP Evolution/Optimization Dossiers.
The Dossiers are then analyzed and discussed by the Internal MWG (operator(s) and TCH specialists). The Internal MWG's final recommendations are remitted to the Internal ISC, which reviews, discusses, and accepts/rejects them. The Internal ISC summarizes the analysis, the in-service data used, and the recommendations in a final Task Review Report. The operator prepares a revision of the AMP to include the results of the AMP Evolution/Optimization exercise based on the Task Review Report, which will be finally reviewed and approved by the Competent Authority.

Table 12.1 MRB Process—Evolution/Optimization analogies

| | MRB Process | AMP Evolution/Optimization (MRB Process mirror) |
|---|---|---|
| Standards | IMPS & MSG-3 | (to be agreed with the competent authority) |
| Data | Worldwide fleet in-service data | Operators in-service data |
| Documents | Policy and Procedures Handbook (PPH) | AMP Optimization procedure |
| | MRB Evolution/Optimization Dossier | AMP Evolution/Optimization Dossier |
| | MRBR revision | AMP revision |
| Bodies | Maintenance Review Board (MRB). Formed by representatives of the Certification Authority. Main functions: review and accept the PPH; coordinate the MRB activities with the ISC; ensure that the TCH provides adequate training to all MRB members; ensure Certification Authority participation in all MWG and ISC meetings; review and discuss ISC proposals; approve the MRBR | Competent Authority. Formed by representatives of the competent authority. Main functions: review and accept the AMP Optimization procedure; ensure that the TCH provides adequate training to all competent authority representatives; participate in the internal ISC; approve the AMP |
| | Type Certificate Holder (TCH). Main functions: develop a PPH for presentation to the ISC and MRB; provide training to ISC and MWG members; review MSG-3 analysis and worldwide fleet in-service data; provide the MRB Evolution/Optimization Dossier; participate in each MWG and ISC meeting | Type Certificate Holder (TCH). Main functions: provide training to the Internal ISC and Internal MWG members; review operator’s in-service data; provide the AMP Evolution/Optimization Dossiers; participate in the Internal MWGs and ISC meeting |
| | Industry Steering Committee (ISC). The ISC is formed by the TCH, operators, and aircraft/engine/propeller manufacturers and, if appropriate, representatives of maintenance organizations. Main functions: review and approve the PPH; direct the activities of the MWGs; review and accept all MWGs analysis; prepare the MRBR | Internal ISC. The Internal ISC is formed by the TCH and the operator (CAMO representatives: Nominated PostHolder, Maintenance Programs & Reliability, Planning, Technical Services, Compliance Monitoring, etc.). It is chaired by the operator. Main functions: review and approve the AMP Optimization procedure; direct the activities of the Internal MWGs; review and accept all Internal MWGs analysis; prepare the Task Review Report |
| | Maintenance Working Group (MWG). Each WG is formed by specialist representatives of the aircraft/engine/propeller TCH, vendors, operators (at least three are recommended in each WG meeting), maintenance organizations, and regulatory advisors. The WG chairperson (normally a nominated person from an operator) is selected by the WG and accepted by the ISC. Main functions: review technical data, MSG-3 analysis, and MRB Evolution/Optimization Dossiers provided by the TCH; propose scheduled tasking/interval requirements using the PPH, the MSG-3 analysis, and the worldwide fleet in-service data | Internal MWG. The Internal MWG is formed by the operator (Technical services) and TCH specialists. Main functions: review the AMP Evolution/Optimization Dossiers; propose scheduled tasking/interval requirements to the Internal ISC using the AMP Optimization procedure and the AMP Evolution/Optimization Dossiers |
| | Participant Operators. Main functions: provide in-service experience data to the TCH; participate in MWGs and ISCs | Operator. Main functions: provide in-service experience data to the TCH; develop the AMP Optimization procedure; participate in MWGs, ISCs; prepare the AMP |
Fig. 12.1 AMP Evolution/Optimization Process
The simplified process described in the example may be used for all types of Evolution/Optimization projects; however, due to its complexity, it makes more sense for letter check Evolution/Optimization and above. It is recommendable to simplify it for smaller projects.
Chapter 13
Maintenance Checks and Bridge Programs
13.1 Maintenance Checks A Maintenance Check is a group of maintenance tasks that are accomplished together at periodic intervals, e.g., Service Check, A-Check, C-Check, etc. The MSG-3 methodology used during the MRBR development targets Maintenance Check intervals; it facilitates to gather maintenance tasks into packages. The TCH may predefine Maintenance Checks or allow flexibility to the operator to select its own Maintenance Check concept. In any case, it must be ensured that the Maintenance Checks intervals are not more permissive than the maintenance tasks within it and that the threshold/intervals defined for the individual tasks are never exceeded, except when it is allowed by the Permitted Variation or Exceptional Short-term Extension procedures or under agreement with the competent authority. The Aircraft Maintenance Program should define the Maintenance Check concept that is followed (Block, Equalized, or Dynamic) and the Maintenance Checks intervals.
13.1.1 Types of Maintenance
Maintenance tasks can be classified according to their scope as Line, Base, and Heavy Maintenance.
Line Maintenance is considered as any maintenance action performed before the flight to ensure that the aircraft is fit for the intended flight. It may include scheduled maintenance necessary to detect obvious defects or unsatisfactory conditions (including internal system/structure/power plant items easily accessible), troubleshooting, defect rectification, component replacement (including engines, and propellers), and minor modifications/repairs that do not require extensive disassembly and can be accomplished by simple means. Occasionally, base maintenance may be performed in line, subject to the acceptance of the Compliance Monitoring/Quality manager. Examples of Line maintenance are the Preflight, Transit, Daily, Weekly, and Service checks.
Base Maintenance is considered as any maintenance action falling outside the Line Maintenance criteria. That is, the aircraft is removed from operation to undergo scheduled maintenance necessary to detect system/structure/component deterioration (e.g., fatigue cracking or corrosion), maintenance actions that may require special accesses or techniques, rectification of complex defects, and major modifications/repairs. Base Maintenance is usually performed in a controlled environment (hangar).
Heavy Maintenance is defined as in-depth Base Maintenance. It may range from major structural inspections and modifications/repairs to the overhaul of the aircraft. Typically, C-Check and above are considered heavy maintenance.
Base and Heavy Maintenance Checks are usually defined by letter checks, that is, a series of checks designated alphabetically with increasing scope (A-Check, B-Check, C-Check, D-Check). A-Checks and B-Checks are considered Base Maintenance, although the B-Check is no longer used for modern aircraft, its content having been absorbed by other checks.
Maintenance check intervals depend on the aircraft type and the concept defined by the TCH or operator and are usually based on FH, FC, and/or calendar time parameters. A simplistic approach to identify A-, C-, and D-Checks is that they are performed in terms of months, years, and lustrums, respectively.
13.1.2 Maintenance Check Concepts
The operator should evaluate the Maintenance Check concept that is more suitable to its aircraft and type of operation, taking the following preliminary considerations into account:
• the type of operation and aircraft availability (e.g., charter, seasonal, scheduled),
• the maintenance tasks attributes (scope, thresholds/intervals, zones, accesses, man-hours, equipment, facilities, etc.),
• the susceptibility to maintenance findings (aircraft age and operation environment),
• the maintenance approvals and/or contracted maintenance (e.g., approval for line maintenance and base maintenance up to A-Check and contracted for C-Check and onwards),
• the maintenance capacity (manpower, shifts, facilities, equipment, etc.), and
• the maintenance costs.
The above considerations lead to three types of Maintenance Check concepts: Block, Equalized, and Dynamic.
Block Concept
The Block concept packages maintenance tasks based on their interval into different Maintenance Checks. It involves less Line maintenance and more Base/Heavy maintenance. This concept is suitable for aging aircraft and long haul operators with large fleets.
Advantages:
• easier implementation and planning of maintenance due to fewer maintenance events,
• longer maintenance times that allow more opportunities to:
– accomplish prolonged maintenance tasks, modifications, and repairs,
– sequence prolonged tasks, and
– rectify defects.
• broad assessment of the overall aircraft condition,
• reduced risk of maintenance errors due to recurrent accesses,
• reduced man-hours.
Disadvantages:
• lower aircraft availability,
• higher maintenance costs,
• interval usage not optimized,
• workload peaks.
Fig. 13.1 Block Maintenance Checks
Equalized Concept
The Equalized concept redistributes maintenance tasks into shorter Maintenance Checks in order to gain availability for the operation of the aircraft. This concept takes advantage of the time between flights, in which the aircraft is grounded, to perform maintenance. It involves more Line maintenance and less Base/Heavy maintenance. It is suitable for young aircraft and short-haul operators with small aircraft fleets.
Advantages:
• higher aircraft availability,
• lower maintenance costs,
• optimization of the interval usage,
• spread workload.
Disadvantages:
• more difficult implementation and planning of maintenance due to increased maintenance events,
• shorter maintenance times that allow fewer opportunities to:
– accomplish prolonged maintenance tasks, modifications, and repairs,
– sequence prolonged tasks, and
– rectify defects.
• limited assessment of the overall aircraft condition,
• higher risk of maintenance errors due to recurrent accesses,
• higher man-hours.
Dynamic Concept
The Dynamic concept does not package maintenance tasks. Each task is monitored and forecasted individually (Out Of Phase task), which allows its accomplishment to be deferred until it actually has to be performed. Under this concept, maintenance tasks are performed in Line to fit into the flight operation until a Base/Heavy maintenance input (due to access requirements, workload necessary for prolonged tasks, modifications, repairs, defect rectification, etc.) is required. The Dynamic concept can be considered as maximized Equalization; its advantages and disadvantages are more pronounced than those listed for the Equalized concept.
Fig. 13.2 Equalized Maintenance Checks
Lesson Learned—Aloha Airlines Flight 243—Equalized Maintenance
During the Aloha Airlines Flight 243 investigation, detailed in Chap. 7, one of the areas of concern identified by the NTSB was the manner in which a highly segmented structural inspection program was implemented. The Aloha D-Check inspection of the Boeing 737 fleet was covered in 52 independent work packages. Limited areas of the aircraft were inspected during each work package, and this practice precluded a comprehensive assessment of the overall structural condition of the aircraft. The NTSB considered the use of 52 block/independent work packages, and the fact that the FAA considered this practice as acceptable without analysis, a matter of serious concern.
Overnight non-flying periods were utilized to accomplish B-Checks and included portions of the C-Check and D-Check plus any related or unscheduled maintenance. Since Aloha Airlines usually did not have spare aircraft in the fleet, it was expected that the maintenance function would release the aircraft in an operational status to meet the next day's schedule.
The NTSB recommended that comprehensive structural inspections are best accomplished by a D-Check in which the entire aircraft is inspected and refurbished in one hangar visit, or alternatively, distributed within C-Check inputs. Any deviations from this philosophy should be evaluated carefully before acceptance.
13.1.3 Task Repackaging
Under certain situations, the operator may need to repackage a Maintenance Check. It may be:
• temporary (one-time): due to specific conditions of the aircraft, e.g., aircraft maintenance or parking/storage,
• permanent: consequence of the change of the Maintenance Check concept due to the need to harmonize the workload between Maintenance Checks or other operator’s considerations.
Alignment of Calendar-Based Tasks After Maintenance or Parking/Storage Periods
When an aircraft is on maintenance or parking/storage during a lengthy period of time, there may be a Maintenance Check that becomes due only because of the calendar element of its interval.
The Maintenance Check may contain tasks with calendar intervals but also others based on different parameters such as FH or FC. Before the release of the aircraft, it is reasonable not to perform all the tasks within the Maintenance Check but only those that have become due. After the release of the aircraft, the next accomplishment of the Maintenance Check is still limited by the last time that it was fully accomplished. The desired situation is usually to realign the calendar items with the Maintenance Check, that is, to schedule all the tasks together again. To achieve this, the calendar-based tasks must be repackaged back into the Maintenance Check.
Maintenance Check Concept Change
When the operator decides to revise the Maintenance Check concept (to Block, Equalized, or Dynamic), it involves a safety aspect that should be approved under the AMP by the competent authority or through a procedure agreed with the competent authority. The need for a change in the Maintenance Check concept is usually caused by a change in the preliminary considerations detailed under the “Maintenance Check concepts” paragraphs, e.g., change of the type of operation, maintenance task attributes, susceptibility to maintenance findings, the maintenance approvals and/or contracted maintenance, the maintenance capacity, or the maintenance costs.
Maintenance Checks Harmonized Workload
Under the Equalized Maintenance Check concept, an AMP revision (new, revised, and deleted tasks) may unbalance the workload between the individual checks. In this case, the operator may want to redistribute the maintenance tasks to harmonize the packages.
13.2 Bridge Programs
A Bridge Program is the result of the comparison between two different AMPs to spot the differences that must be taken into consideration when transitioning between both programs. It may be due to:
• an AMP revision,
• the transition to a Low Utilization Maintenance Program (LUMP), or
• change of operator (aircraft redelivery/delivery).
Each AMP is customized to the aircraft operation and the regulatory environment of the states of registration and operation; what is valid for an aircraft under certain operating conditions may not be applicable under others, and rules can change between different states when operation or registration changes. The need for Bridging arises when the AMP to which the aircraft is transitioned contains new or more restrictive requirements that need realignment. The Bridge Program is the technical justification required for the approval of the transition.
It is assumed that, although an aircraft should be maintained under only one approved AMP at a certain point in time, there is a limited time during the transition in which both programs may coexist, e.g., time between the AMP approval date and AMP effective date, if there is time allowance for its implementation, or specific time during the redelivery/delivery process.
13.2.1 Bridge Program Causes
AMP Revision
A Bridge Program may be required when an AMP revision de-escalates the interval of existing tasks or introduces new requirements. At the time of the AMP Effective Date, the Maintenance Check to which the task is associated may be ongoing or have been already planned, and it is not suitable to perform it at that specific maintenance event. In those cases, the use of Grace Periods provides additional time to the operator to schedule the accomplishment of the task at the next suitable opportunity, with the condition of not exceeding the next task due date from the AMP Effective Date. On the other hand, for safety-related tasks or tasks for which an early accomplishment is considered beneficial, such as corrosion detection tasks for operations in corrosive environments, the operator may agree to perform them at the earliest opportunity instead of the most suitable one. In all these cases, a Bridge Program is required so that the tasks are performed in such a way that their second accomplishment under that AMP revision is aligned with the Maintenance Check.
Transition to a Low Utilization Maintenance Program (LUMP)
As introduced in Sect. 9.2, LUMP incorporates additional requirements recommended by the TCH when the utilization falls below the limits established in the MRBR. Under the Low Utilization Recommendations (LUR), certain tasks based on FH or FC parameters are adjusted to add a calendar component. Under the LUR conditions, the new calendar parameter usually acts as a de-escalation of the maintenance task. In these cases, the LUMP tasks must be bridged taking into consideration all the parameters.
Operator Change
Under the aircraft operator change case, the need for a Bridge Program may be duplicated or tripled if leasing transactions happen during the change:
• for the old operator, the lease contract usually involves redelivery requirements and obligations to return the aircraft under certain conditions and configurations, e.g., bridging back the maintenance requirements to the basic programs and intervals defined by the manufacturer (MPD, MRBR, SSID, CPCP, EDTO (ETOPS), etc.).
• for the lessor, the new lease contract may involve certain obligations, such as delivering the aircraft under certain conditions and considerations (usually fulfilled through the old operator's obligations) and in compliance with specific regulatory requirements (which may be requested by the new operator or by contractual clauses).
• for the new operator, a Bridge Program may be required to transition the aircraft to the new AMP that is customized to its particular operation and regulatory environment.
When the transfer of the aircraft between operators is known, typically, all the required Bridge Programs are accomplished at the time of the Redelivery/Delivery Maintenance Check.
13.2.2 AMP Bridging Considerations
Like other processes within the AMP, such as the technical document review or the aircraft induction, the Bridge Program is a critical exercise. It requires the review of the aircraft records to some extent, micromanagement of task due calculations, and engineering judgment; the management of all the data must be properly controlled. Bridge Program procedures and, if appropriate, quality control means should be developed by the operator to ensure it is carried out effectively.
The Bridging of an AMP can be performed at:
• maintenance check level, if the maintenance check concept and content are the same in both AMPs, independently of the intervals of the checks, or
• task level, if the maintenance check concept and content differ.
There are certain methods and tools that may facilitate the transition of the aircraft between two AMPs. They are especially useful for aircraft of large fleets that are “regularly” bridged between AMPs, e.g., from normal/high utilization to low utilization programs and vice versa due to “continuous” changes in the type of operation. In this case, it is advisable that the operator develops a database template, for example in Excel format, into which the requirements of both AMPs (old and new maintenance tasks and limits) and the last accomplishment of the AMP tasks (performed under any previous AMP) can be loaded, so that it automatically calculates the next due of the tasks and highlights:
• the technical need for a Bridge Program, e.g., due to ongoing/planned Maintenance Checks at the time of the AMP revision effective date,
• de-escalated and new safety-related tasks, and
• any other operator’s considerations.
The bases for developing a Bridge Program template are the same for a single aircraft as for as many as needed. Once the process is automated, it becomes easier to interpret the data and spot the need for bridging.
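The task-level template described above can be sketched in code. The following Python example is an illustration added here, not the author's or any operator's tool: task identifiers, limits, utilization rates and dates are constructed, limits are assumed to apply "whichever comes first", and a task with no recorded accomplishment is assumed to count from the AMP effective date.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PARAMS = ("fh", "fc", "months")


@dataclass(frozen=True)
class Limits:
    """Task interval per parameter; None means the parameter is not used."""
    fh: Optional[float] = None
    fc: Optional[float] = None
    months: Optional[int] = None


@dataclass(frozen=True)
class Point:
    """Aircraft counters (flight hours, flight cycles) on a given date."""
    fh: float
    fc: float
    on: date


def add_months(d, n):
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_due(limits, last, now, rates):
    """Return (due_date, limiting_parameter); the earliest limit wins."""
    candidates = []
    for p in ("fh", "fc"):
        limit, rate = getattr(limits, p), rates[p]
        if limit is not None and rate > 0:  # rate 0: aircraft parked, limit never reached
            remaining = getattr(last, p) + limit - getattr(now, p)
            # Floor the projected days so the forecast errs on the early side.
            candidates.append((now.on + timedelta(days=int(remaining // rate)), p))
    if limits.months is not None:
        candidates.append((add_months(last.on, limits.months), "months"))
    return min(candidates) if candidates else (None, None)


def de_escalated(old, new):
    """True if any limit was tightened or a limiting parameter was added."""
    return any(getattr(new, p) is not None and
               (getattr(old, p) is None or getattr(new, p) < getattr(old, p))
               for p in PARAMS)


def bridge_report(old_amp, new_amp, last_done, now, rates, next_check):
    """Compare two AMPs task by task and flag what needs bridging."""
    rows = []
    for task, new in sorted(new_amp.items()):
        old = old_amp.get(task)
        # Assumption: no recorded accomplishment -> count from the effective date.
        last = last_done.get(task, now)
        old_due = next_due(old, last, now, rates)[0] if old else None
        new_due, driver = next_due(new, last, now, rates)
        flags = []
        if old is None:
            flags.append("NEW")
        elif de_escalated(old, new):
            flags.append("DE-ESCALATED")
        if new_due is not None and new_due <= now.on:
            flags.append("OVERDUE")   # already due at the effective date
        elif new_due is not None and new_due < next_check:
            flags.append("BRIDGE")    # cannot wait for the planned check
        rows.append({"task": task, "old_due": old_due, "new_due": new_due,
                     "driver": driver, "flags": flags})
    return rows


# Constructed sample data (not taken from any real AMP).
NOW = Point(fh=20000, fc=9000, on=date(2024, 1, 1))  # status at AMP effective date
RATES = {"fh": 2.0, "fc": 1.0}                        # low utilization, per day
NEXT_CHECK = date(2024, 9, 1)                         # next planned check input
OLD_AMP = {"ZL-100": Limits(fh=6000), "FC-200": Limits(fc=3000),
           "CAL-400": Limits(months=48)}
NEW_AMP = {"ZL-100": Limits(fh=6000, months=24),      # calendar component added
           "FC-200": Limits(fc=3000),                 # unchanged
           "NEW-300": Limits(months=12),              # new requirement
           "CAL-400": Limits(months=36)}              # interval de-escalated
LAST_DONE = {"ZL-100": Point(18000, 8000, date(2022, 3, 1)),
             "FC-200": Point(18000, 8000, date(2022, 3, 1)),
             "CAL-400": Point(15000, 7000, date(2021, 6, 15))}
REPORT = bridge_report(OLD_AMP, NEW_AMP, LAST_DONE, NOW, RATES, NEXT_CHECK)

if __name__ == "__main__":
    for row in REPORT:
        print(row["task"], row["old_due"], row["new_due"], row["driver"], row["flags"])
```

For the constructed task ZL-100, the added calendar limit moves the due date from mid-2029 to 2024-03-01, ahead of the planned check, which is the situation the text describes for low-utilization transitions.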
Chapter 14
Aircraft Induction
The previous chapters of Part II of this book introduce the requirements and methods that are necessary to develop an initial Aircraft Maintenance Program and keep it up to date in accordance with the changes of the requirements established by the source documentation. Inducting an aircraft into an operator’s fleet is a critical process that requires an exhaustive examination of the aircraft delivery documentation and aircraft maintenance records. The requirements of the new operator’s AMP should be fulfilled through the three following complementary exercises:
• inclusion of the aircraft/components applicable requirements into the new operator’s AMP (AMP Revision),
• analysis of the level of compliance with the new operator’s AMP (Documental Review for AMP Compliance),
• Bridge Programs. Refer to Sect. 13.2 for further information.
This chapter outlines the process to induct an aircraft into an existing AMP.
14.1 Aircraft Induction: The AMP Revision
The induction of an aircraft into an existing AMP involves the analysis of the AMP source documents based on the current status and configuration of the aircraft. The purpose is to identify all the applicable requirements for the aircraft and its components for the specificity of the operation in the regulatory environment of the state of registration. The effectivity of certain AMP tasks depends on the configuration on which the aircraft and its components are delivered to the new operator; the list of technical records to review includes, but is not limited to:
• the Aircraft Inspection Report (AIR), Aircraft Readiness Log (ARL), or equivalent that contains the initial delivery configuration and modification status of the aircraft,
• the Engine/Propeller/APU Logbooks or equivalent that contains the initial delivery configuration and modification status of the corresponding item,
• the Modification status detailing the STCs and SBs incorporated on the aircraft and its components,
• the Layout Of Passenger Accommodation (LOPA) (cabin configuration), and
• the Emergency Equipment Layout (EEL).
The operator’s own tasks, derived from the Reliability Program and the standards defined by the operator, should also be reviewed for applicability.
14.2 Aircraft Induction—Documental Review for AMP Compliance
For a used aircraft, it is necessary to demonstrate that it complies with the applicable requirements of the new operator’s AMP and that there is evidence of such compliance. The review of the aircraft maintenance records includes, but is not limited to, the following compliance status reports:
• Aircraft/components maintenance status (maintenance visits), including Complex components status (Landing Gear/Engine/Propeller/APU LLP status, Last Overhaul/Major Inspection, Last Shop visit, etc.),
• Airworthiness Directives (AD) status,
• Aircraft/components Modification status,
• Repair status, including temporary repairs,
• Aircraft Weight and Balance report,
• Aircraft/components operational status (RVSM, MNPS, PBN, EDTO, AWO),
• Life Limited Parts (LLP) status. LLP status should be supported by Back-to-Birth traceability of all the parts (proof of the total operational life of the LLP).
Based on the revised AMP, which incorporates all the applicable requirements for the aircraft and its components, and on the documental review of the maintenance records, Bridge Programs will transition the aircraft (aircraft induction) to the revised AMP that is customized to a specific operation in a particular regulatory environment.
Chapter 15
Critical Maintenance Tasks/Required Inspection Items
The main aviation regulators recognize the possibility of human errors/omissions during the performance of maintenance tasks that could impact on safety and establish appropriate countermeasures to minimize the risks. While the identified risks are analogous, the terminology used by EASA and FAA slightly differs; this chapter introduces separately the concepts of Critical Maintenance Tasks (CMT) and Identical Tasks in the EASA environment and Required Inspection Items (RII) in the FAA environment. The requirements for Dual Maintenance for Extended Diversion Time Operations (EDTO) Significant Systems are also detailed in this chapter.
15.1 Critical Maintenance Tasks and Identical Tasks (EASA)
In the EASA environment, the responsibility for ensuring that the requirements are met and the risks are minimized lies with the maintenance organizations, usually assisted by the continuing airworthiness organization. The countermeasures focus on human errors/omissions during the accomplishment of:
• Critical Maintenance Tasks (CMT): tasks that involve the assembly or any disturbance of a system or any part of the aircraft/engine/propeller that, if an error occurred during its performance, could directly endanger the flight safety,
• Identical Tasks: tasks that involve removal/installation or assembly/disassembly of several components of the same type fitted to more than one system, whose failure could have an impact on safety.
EASA Countermeasures for Critical Maintenance Tasks and Identical Tasks
EASA requires that an error capturing method to detect maintenance errors/omissions is implemented when performing any Critical Maintenance Task (CMT) or Identical Tasks. Two possible methods are proposed:
• Independent Inspection: inspection performed by an independent qualified person to attest the satisfactory completion of the task, without deficiencies found, by an authorized person (responsible for the completion of the task),
• Re-inspection: inspection performed by the authorized person (responsible also for the completion of the task) to ensure its satisfactory completion, without deficiencies found.
The preferred method for CMT is the Independent Inspection. When only one person is available, due to unforeseen circumstances, re-inspection methods can be used. On the other hand, Identical Tasks should be performed by different persons in different systems, but re-inspection methods can be used when, due to unforeseen circumstances, only one person is available.
EASA defines Critical Maintenance Tasks, Identical Tasks and establishes the countermeasure requirements in Part-M M.A.402 (g&h), Part-145 145.A.48 (b&c), and related AMCs.
Critical Maintenance Task Identification
The guidelines for Critical Maintenance Tasks (CMT) identification define which tasks should be assessed; these are as follows:
• tasks that may affect:
– the control of the aircraft, flight path and attitude, such as installation, rigging, and adjustments of flight controls,
– the aircraft stability control systems (autopilot, fuel transfer),
– the propulsive force of the aircraft, including installation of aircraft engines, propellers, and rotors, and
• overhaul, calibration, or rigging of engines, propellers, transmissions, and gearboxes.
The maintenance organization should select the appropriate sources to identify the CMTs, usually assisted by the continuing airworthiness organization: guidance provided by the design approval holder, occurrence reporting and accident/incident reports, audit results, information exchange systems, etc. While the regulation sets the basis to identify CMTs, the maintenance organization should select the tasks and assess which steps are subject to Independent Inspection/Re-inspection.
For example, an engine change will be identified as requiring Independent Inspection/Re-inspection by the maintenance organization. Additionally, it should identify which steps within the engine change are critical. Likely, the installation and the derived operational/functional checks will each require an individual inspection to ensure the proper installation (mounts), system connections (electrical, hydraulic, fuel, controls), correct operation, etc.
In order to facilitate the CMTs’ assessment, the maintenance organization may develop a Critical Maintenance Task matrix based on the probability of failure and the guidance provided by the regulation and the selected sources. A CMT matrix based on ATA chapters/subchapters and the type of maintenance to be performed eases the identification of CMTs and critical steps (Table 15.1).
Identical Task Identification
The maintenance organization should assess the maintenance of duplicated systems that may be critical. The sources for the assessment are those detailed for CMTs in addition to the guidance provided in the Configuration, Maintenance, and Procedures (CMP) document for dual maintenance on EDTO Significant Systems.
15.2 Required Inspection Items (FAA)
In the FAA environment, the responsibility to ensure the risks are minimized remains with the operator but is separated from the maintenance function. The FAA countermeasure method relies on the definition of Required Inspection Items (RII), which are those tasks that could result in a failure, malfunction, or defect that endangers the safe operation of the aircraft if the task is not completed properly or if improper parts or material are used.
FAA Countermeasures for Required Inspection Items (RII)
The FAA is straightforward in the identification of RIIs; a simple decision logic diagram is provided in AC 120-16G as guidance for their determination. The list of RII includes all tasks performed on the aircraft that could result in a failure, malfunction, or defect endangering the safe operation of the aircraft, if not performed properly or if improper parts or materials are used, except:
• items that are deferrable per the Minimum Equipment List (MEL) or Configuration Deviation List (CDL), or
• items for which a test to simulate operational functions and detect failures, malfunctions, or defects that would impact the safe flight/landing is required.
The FAA establishes the requirements for the minimization of human error during maintenance, the Required Inspection Items (RII), in the 14 CFR 121.369(b), 135.427(b), and AC 120-16G.
Table 15.1 Critical Maintenance Task (CMT) Matrix example
Critical Maintenance Tasks (CMT) Matrix
Maintenance type columns: Rem/Inst, Insp/Check, Adjustment, Function, Mod/Repair
ATA sub-chapter | Item | Remarks
... | |
27–00 | Flight Control Surfaces | Inspect for connections, attachments, safety devices, critical adjustments and final verification
32–00 | Landing Gear | Inspect for connections, attachments, safety devices, critical adjustments, emergency extension, emergency adjustments and final verification
... | |
52–00 | Doors (cabin/cargo/emergency) | Inspect for connections, attachments, safety devices, critical adjustments and final verification
... | |
78–30 | Thrust Reverser | Inspect for primary attachments, critical adjustments and final verification
... | |
79–10 | Engine Oil Storage | Inspect for connections, attachments, safety devices, critical adjustments and final verification
... | |
15.3 Dual Maintenance on Extended Diversion Time Operations (EDTO) Significant Systems
ICAO defines EDTO significant system as “an aeroplane system whose failure or degradation could adversely affect the safety particular to an EDTO flight, or whose continued functioning is specifically important to the safe flight and landing of an aeroplane during an EDTO diversion”.
Several limitations are defined to minimize the risk of errors/omissions while performing the maintenance task on parallel/identical EDTO significant systems that could lead to dual system failures. The limitations on dual maintenance may include:
• staggering of maintenance of identical/similar EDTO significant systems into different maintenance visits,
• when staggering is not possible/suitable:
– the task is performed by different technicians, or
– the task is performed by the same technician under the direct supervision of a second EDTO qualified professional.
When dual maintenance cannot be avoided, a ground/in-flight verification test may be required.
Design Approval Holders are not bound to identify or provide guidance related to Critical Maintenance Tasks, but they are bound to identify the EDTO Significant Systems (which supports the EDTO Identical Tasks selection) in the Configuration, Maintenance, and Procedures (CMP) document, as detailed in EASA AMC 20-6 and FAA Appendix K to Part 25.
The EDTO dual maintenance limitation recommendations are published in ICAO Doc 10085 Extended Diversion Time Operations (EDTO) Manual. ICAO recommendations are encompassed by EASA under the requirements for Identical Tasks described in M.A.402(g), 145.A.48(c), and related AMCs. The FAA adopts the recommendations for two-engine aircraft under 14 CFR 121.374(c) and considers any extended operation in AC 120-42B.
While for EASA operators the adoption of countermeasures for any Identical Tasks is a requirement, many FAA operators have recognized the improvement in reliability brought by the mandatory EDTO countermeasures and have extended them to the accomplishment of all Identical Tasks.
15.4 Integration into the AMP
The operator may develop the appropriate procedures to manage the assessment and evolution of Critical Maintenance Tasks/Identical Tasks (EASA) or Required Inspection Items (RII) (FAA) in assistance to the maintenance organizations. For repetitive maintenance tasks, their control can be overseen through an independent procedure or under integration within the AMP or Maintenance Schedule (part of the CAMP) for an EASA or FAA program, respectively.
If the operator opts for consolidating and managing the Critical Maintenance Tasks/Identical Tasks or Required Inspection Items (RII) for scheduled maintenance through the AMP/Maintenance schedule, the procedure should be defined in the program. The identification may be achieved by implementing a task code, e.g., CMT (for Critical Maintenance Task) or RII (Required Inspection Item), by specific notes in the task description or by an appendix listing the tasks.
Lesson Learned—Required Inspection Items and Critical Maintenance Tasks
The requirements for Required Inspection have been in the FAA rules since 1964, when the CAMP requisite was introduced in response to safety concerns that had been found during accident investigations and surveillance of maintenance. Aviation history, including recent history, is dotted with errors made during maintenance on critical systems, and the rules have evolved to a large extent because of the several incidents and accidents that have occurred.
Eastern Airlines Flight 855 (Identical Tasks)
On May 5, 1983, the Lockheed L-1011 TriStar, operating as Eastern Airlines Flight 855 from Miami to the Bahamas with 172 occupants, lost all the three engines. The crew managed to restart one engine and landed back in Miami without injuries.
The results of the NTSB investigation [1] determined that the probable cause of the accident was the omission of the O-ring seals on the master chip detectors of the three engines that led to oil leaks, loss of lubrication, and damage of the engines.
[1] Aircraft Accident Report – Eastern Airlines, Lockheed L-1011, N334EA, Miami Airport. National Transportation Safety Board (NTSB). 09 March 1984.
Fig. 15.1 Eastern Airlines Lockheed L-1011 TriStar. Photo by Gary Vincent
A master chip detector contains a magnetic probe that attracts small particles of metal which may be present in the oil line. The presence of metal particles may indicate that internal components of the engine are in distress, and the engine may fail if the defect is not corrected. The O-rings of the master chip detector prevent oil from leaking from the pressurized oil system; if the O-ring is not installed, the oil system will start to leak as soon as the engine is started.
The master chip detectors were normally given to the mechanics with the O-rings installed. On the day of the incident, one of the two mechanics assigned to replace the magnetic chip detectors of all the three engines did not find any detector in the cabinet and picked them from the stock room. One of the mechanics replaced the magnetic chip detector of the position #2 engine, and the other mechanic did it for engines #1 and #3. The Task Cards clearly required the placement of new O-ring seals; however, both mechanics wrongly assumed that the O-rings were installed on the detectors and did not inspect their configuration. Additionally, the replacement of the master chip detector required motoring the engines, which might have revealed the oil leaks, but no specific times were established, so the three engines were motored for just 10 s, giving the oil leaks no time to be observed.
Due to the constraints of the reduced interval (25FH) recommended by Rolls Royce, likely it was not suitable to stagger the task into different maintenance events. In regard to the criticality of the task, it was properly addressed by assigning different mechanics to the engines positions to avoid the same human error, but one of the safety barriers, the ground test required for dual maintenance, was not appropriate: The engines motor was not performed effectively and did not detect the oil leaks. In 1992, the NTSB had recommended the review of the RII regulations derived from the investigation of the Continental Express Flight 2574 catastrophic accident, detailed in Chap. 24, in which the leading edge of the left horizontal stabilizer was separated due to 47 screw fasteners that were missing. About 15 months after the accident, the same company was involved in an incident caused by human error that left 14 screws missing from the aileron vane. At the beginning of the 2000s, during the investigation of the Alaska Airlines Flight 261 disaster caused by insufficient lubrication of the jackscrew assembly related in Sect. 11.5, the NTSB concluded that if the lubrication would have been an RII for which an inspector sign-off would have been needed, the potential for unperformed or improperly performed lubrication would have been reduced. The responsibilities of the FAA and operators to determine critical items and inspection levels were called into question one more time. EASA, at its birth in 2003, established the rules for the performance of critical maintenance: the Part-M defined it as “Flight Safety Sensitive Maintenance Task” and required an independent inspection after its accomplishment; the Part-145 required that the organization would establish procedures to minimize the risk of multiple errors and capture errors on critical systems and limited the accomplishment of dual maintenance. 
In 2016, EASA harmonized the terminologies used in the Part-M and Part-145 rules under the “Critical Maintenance Task (CMT)” requirements. The changes standardized both parts, including the recommended error capturing methods (independent inspection and re-inspection), and introduced specific Part-145 requirements for the performance of maintenance. The CMT term overlapped the existing RII term that was already widely used; they are equivalent in concept and application, but differ in regard to the responsibilities. The RII is an FAA Part-121/135 rule mandated to the maintenance organization Part-145. The individual carrying out an RII must be certifying staff, although they do not exercise the certification privileges when accomplishing the RII. The CMT is a responsibility of the Part-145. The independent inspection is carried out by a qualified person who is not required to hold certification privileges.
The DAT accident and BA incident related in the following paragraphs were part of a series of events that triggered the changes to the EASA regulation implemented in 2016.
Danish Air Transport Flight DTR54
On January 31, 2005, the crew of the ATR-42 operated as Flight DTR54 experienced considerable control problems related to the elevator function during the takeoff at Bergen, Norway. They declared an emergency and returned to Bergen for landing. None of the 25 occupants was injured. The investigation carried out by the Accident Investigation Board Norway (AIBN)² revealed that the control problems originated from the detachment of the right side elevator, which ended up hanging below the horizontal stabilizer, attached only by the inboard of the three hinges that normally connect them. The bolt belonging to the center hinge assembly, which had fallen out at an earlier point in time without being discovered, was found inside the elevator. The bolt belonging to the outer hinge assembly fell out during the takeoff in question and was found on the runway.
Fig. 15.2 DAT ATR-42 Elevator after landing. AIBN accident investigation report
Apparently, during the aircraft repaint in 1999, the elevators were removed and re-installed, and both the center and outer hinges had not been tightened to the correct torque. The procedures followed during the installation did not state anything about any specific inspection carried out after completion, and it is reasonable to assume that the error capturing method was not carried out or unsatisfactorily performed.
² Report on the Aircraft Accident at Bergen Airport Flesland, Norway, involving an ATR 42–320, OY-JRJ, operated by Danish Air Transport. AIBN. April 2006.
A DVI of the elevator fitting had been performed two years before the accident but did not require specific attention to the hinges. The AIBN suggested to EASA the discussion on whether the manufacturer should be given responsibility for identifying systems that are critical to safety and require a double check following maintenance. To date, the EASA CMT regulation is focused on the continuing airworthiness of the aircraft and the disturbance made to a system when performing maintenance. Despite the guidance provided to identify CMTs, the EASA position leads to a lack of standardization between the EASA member states and their operators in regard to the application of the rule.
British Airways (G-CPER)
On September 7, 2003, the crew of the Boeing 757, operated by British Airways from London Heathrow to Paris, noticed a hot oil smell and diverted to London Gatwick for landing. During the autopilot approach, the aircraft drifted to the right of the ILS localizer and the autopilot disconnected. The crew had to apply a large amount of manual left roll control to prevent the aircraft from turning to the right, maintaining the control, until touchdown. The aircraft landed safely with no injuries. The Air Accident Investigation Branch (AAIB)³ revealed that the incident was caused by maintenance errors that ended in the failure to re-install two access panels on the right-hand outboard flap and incorrect procedures used to service the engine oils. It was the first flight following a 26-day heavy maintenance check. The flap panels were removed and placed in the maintenance area, together with the cuff panels from the slats that, at a glance, are very similar in appearance to the flap panels. The cuff panels were no longer required as the replacement slats were delivered with the cuff panels already fitted.
The company had authorized the technician to self-certify certain types of maintenance tasks, including the fitting of access panels, without the need for an independent inspection. At the end of the check, although the technician was aware that he had not fitted the flap panels himself, he stamped the refitting task card as he could not see any holes in the wing and assumed that all panels had been fitted. However, he had not recognized that the flap panels are concealed by the flap drive fairings when these are retracted.
³ Report on the serious incident to Boeing 757–236, G-CPER. AAIB. December 15, 2005.
Fig. 15.3 BA B757 D-Check. AAIB Incident investigation report
On the other side, a different technician who performed the engine oil servicing noticed that the levels on both engines were high (nearly 20 L) and proceeded to drain one liter from each engine, recalling a Technical Newsletter that stated that overfilling the engine levels causes oil smells in the cabin. The technician did not follow the AMM instructions that state the oil level must be checked within ten minutes and one hour of engine shutdown, as the level on the sight glass may under-read, which actually caused the engine to remain overfilled. Satisfied with the work, both he and the certifying staff, assuming the technician had completed the oil servicing, stamped the task. Once the aircraft was released and shortly after the crew entered the aircraft, a smell of hot oil became noticeable on the flight deck that disappeared when the thrust increased, and the crew proceeded to taxi to the runway. After the takeoff, the smell returned stronger than before, to a level at which the crew had to go on oxygen. The crew diverted to Heathrow with the autopilot and auto thrust engaged and the aircraft configured for landing, but the aircraft was drifting to the right of the runway centerline as a consequence of the asymmetric aerodynamic effects induced by the missing flap panels. The crew disconnected the autopilot and continued the approach visually until landing.
In addition to the battery of recommendations issued by the AAIB to British Airways, an additional one was issued to EASA to consider introducing a requirement to carry out a duplicate inspection on aircraft access panels when removed/refitted or opened/closed that may affect the airworthiness if incorrectly secured or endanger the aircraft or persons on the ground.
Part III
The Reliability Program
The Inherent Reliability of an aircraft, system, or component is the level to which it performs the intended functions for a specified period of time under specified conditions according to the design specifications. The Inherent Reliability of a design can only be transmitted to the manufactured product if the Compliance Monitoring/Quality function of the production organization is appropriate, and once in service, if the Compliance Monitoring/Quality functions of the continuing airworthiness management and maintenance organizations are also adequate. The Inherent Reliability is limited by the design; higher reliability levels can only be achieved through redesign, e.g. through a modification or change in the maintenance practices. The objective of a Reliability Program is to maintain the Inherent Reliability of the aircraft and its systems and components throughout their life cycle, which includes determining the correct intervals of the AMP tasks and improving the Inherent Reliability with an appropriate Modification Embodiment Policy. The Reliability Program is not limited to applying corrective actions as a result of deviations from reliability performance standards. The Reliability Program is one of the main portions of the Aircraft Maintenance Program and the main tool to measure its effectiveness, that is, whether the AMP tasks are effective and their intervals are appropriate. Part II of this book highlighted the relevance of the reliability data to support the AMP. This Part III introduces the main regulatory requirements for a Reliability Program, provides tools to analyze the reliability data, assess deviations from performance standards, and brings solutions to correct those deviations. This chapter also accounts for one of the main AMP requirements: the AMP Task Effectiveness Analysis.
Chapter 16
Reliability Program Regulatory Requirements
The EASA and FAA requirements for a Reliability Program are comparable; the effectiveness of the AMP is measured by the Reliability Program, and the performance of the AMP is measured by the CAME elements, under an EASA environment, and the CASS elements, under an FAA environment.
16.1 EASA—Reliability Program Requirements
Part I introduced the requirement of EASA Part-M Subpart C, M.A.302 (g) to include a Reliability Program in the AMP when it is based on Maintenance Steering Group (MSG) logic or condition monitoring. Appendix I to AMC M.A.302 (g) provides further guidance to identify when a Reliability Program is actually required: when it is based on the MSG-3 logic or includes condition monitored components or does not contain overhaul time periods for significant system components or when it is specified by the MPD/MRBR. In other cases, e.g., when the AMP is based on MSG-1 or MSG-2 logic but only contains Hard-time (HT) or On-Condition (OC) items, there is no need to develop a Reliability Program. The objective of an EASA Reliability Program is to recognize the needs for corrective action, to establish what corrective action is needed, and to determine the effectiveness of that action. When the AMP is based on the MSG-3 methodology, the Reliability Program should monitor all MSG-3-related tasks. While the requirement is irrespective of the fleet size, EASA allows certain alleviations for a fleet of less than six aircraft of the same type (small fleet) due to the amount of available data that can be processed. In this case, the program should focus on areas where a sufficient amount of data is likely to be processed and use the engineering judgment on areas where the data are limited. The use of Alert Levels on areas where the data are limited is not appropriate. EASA encourages the CAMO of small fleets to contact the TCH or other CAMOs to obtain additional data.
The scope of a Reliability Program for a small fleet may be covered by a component defect monitoring system, but it may entail an Integrated Maintenance Management Program in a large CAMO.
Reliability Program Revision
The following changes to the Reliability Program should be submitted to the authority for approval:
• the format and content of routine reports,
• the time scales for the production of reports together with their distribution,
• the format and content of reports supporting the request for increases in periods between maintenance (escalation) and for amendments to the AMP. These reports should contain sufficient detailed information to enable the competent authority to make its own evaluation where necessary.
16.2 FAA—Continuing Analysis Surveillance System (CASS)
14 CFR 121.373 & 135.431 require certificate holders operating under Part-121 or under Part-135 (with aircraft of 10 or more seats) to establish and maintain a Continuing Analysis Surveillance System (CASS) for the analysis and surveillance of the performance and effectiveness of their Continuous Airworthiness Maintenance Program (CAMP). A CASS has two major measurement components:
• Maintenance Program Performance. It is an audit system (quality assurance function) of all CAMP elements: Airworthiness responsibility, Air Carrier Maintenance Manual, Air Carrier Maintenance Organization, Accomplishment and approval of maintenance and alterations, Maintenance Schedule, Required Inspection Items (RII), Maintenance recordkeeping system, Contract maintenance, Personnel training, and CASS.
• Maintenance Program Effectiveness. It is the collection, analysis, and investigation of adverse trends of operational data. An FAA-approved Reliability Program can be used to satisfy this major portion of the CASS requirements.
In other words, the Reliability Program addresses the operational data of the Scheduled Maintenance element of a CAMP, while the CASS addresses and audits all elements of the CAMP. The integration of the Reliability Program within the CASS provides a picture of the health of the operator’s maintenance organization. FAA AC 120-79A provides the guidelines to develop and implement a CASS; FAA AC 120-17B provides guidance for developing and maintaining a Reliability Program as part of a Continuous Airworthiness Maintenance Program (CAMP). The FAA considerations for a Reliability Program fulfill all the EASA requirements in this regard.
Chapter 17
Reliability Program Process
The Reliability Program process consists of the analysis of the reliability data sources, identification of deviations from performance standards, Root Cause Analysis (RCA) of the deviations, and implementation of corrective actions.
17.1 Sources of the Reliability Program
The Reliability Program should define the data that is required to perform the reliability analysis, the data quality, and the data quantity. The operator should select sufficient data sources to identify adverse trends and individual events; the following list contains examples of reliability source data:
• Technical Logs,
• Pilots Reports (PIREPs),
• Cabin Reports (CAREPs),
• Cargo Reports (CGREPs),
• Maintenance Reports (MAREPs),
• Health Monitoring:
  – Aircraft Maintenance Access Terminal (MAT)/On-board Maintenance System (OMS) readouts,
  – Engine Condition and Trend Monitoring,
• Deferred Defects (DD)/Minimum Equipment List (MEL),
• Scheduled maintenance findings,
• Sampling programs,
• Unscheduled maintenance,
• Unscheduled component removal,
• Shop finding reports,
• Store issues/reports,
• Special Operations: EDTO (ETOPS), RVSM, RNP/RNAV, AWO (CAT II/III, LTVO),
• Reports on Technical Delays,
• Reports on Accidents/Incidents,
• Service Difficulty Reports (SDR),
• TCH continuing airworthiness and safety information (SB, SL, CMM, etc.).
Data Quality and Quantity
The operator should develop a process to validate the accuracy of the data used in support of the Reliability Program. Data can be considered of sufficient quality when it is accurate, free from substantive recording errors, and comprehensive enough in both scope and detail to facilitate its intended function in operations, analysis, and decision making. A data accuracy/data quality process may include:
• Forms and instructions,
• Data audits,
• Reporting System (to provide feedback when data deviate from the data standards),
• a common coding convention or system to correlate all sources, e.g., ATA code.
The operator should define a method for determining the relevant type and amount of data required to represent its fleet. The Reliability data is usually shared between the operator, the manufacturer, and the suppliers and should be standardized. The standard used across the industry is the Spec 2000—Reliability Data Collection and Exchange (Ch. 11),¹ developed by the Air Transport Association (ATA), that provides standardized formats for defining, collecting, and exchanging reliability data between these organizations.
¹ Spec 2000—Reliability Data Collection/Exchange (Ch. 11). A4A. Revision 2019.1.
17.2 Analysis of Reliability Data
The procedures for analysis and interpretation of the Reliability data should make it possible to measure the performance of the items controlled by the program. When deviations from the performance standards are highlighted, a Root Cause Analysis (RCA) to identify the causes of the deviation and the appropriate corrective actions becomes necessary to maintain the reliability level.
17.2.1 Performance Standards
A performance standard is an operational goal or standard developed by the operator to define an acceptable level of reliability, e.g., number, ratio, percentage, etc. It may be calculated by the number of events occurring in a specified operating period expressed in FH, FC, OH, or calendar time. The Reliability Program should include procedures for the periodic review and adjustment of the standards based on operational experience and fleet age, and operational, seasonal, and environmental considerations. The calculation of performance standards, control limits, and alert values is based on average or baseline methods and statistical tools such as the standard deviation or the Poisson distribution. The operator may have different reasons than a negative operational performance to consider the adjustment of the AMP, e.g., review to ensure over-maintenance is not occurring, aircraft comfort and appearance, or changes due to modifications, etc.
17.2.2 Deviations from Performance Standards
The following paragraphs define some programs and techniques, which may be combined, for determining deviations from performance standards.
17.2.2.1 Alert-Based Programs
The Alert-based programs identify deviations from defined standards based on previous performance. The Alert Level is triggered by an increase in failure rates or findings that goes beyond normal variation. The operator should identify the data type, the method to calculate the Alert Level, and the alert method, and will initiate an investigation when the performance falls outside the normal variation. Alert Levels are not acceptable airworthiness levels but the means to identify failure rates out of the normal performance variation. The following paragraphs illustrate several examples of Alert-based parameters that may be used to identify adverse trends for the aircraft and its components.
Aircraft Metrics
The operator should consider a suitable aircraft alert system as an indication of deviations from the standards. The parameters used to set alerts at aircraft, fleet, or subfleet levels are a function of the aircraft utilization and the dispatch/operational reliability, which may be particularized for major components or special operations and the raised defects.
Utilization Parameters
Utilization/Flight Leg Time is one of the most important measures of operational efficiency.
• Utilization: Flight Hours or Flight Cycles usage of an aircraft, fleet, or subfleet within a specified period.
$$\text{Utilization} = \frac{\text{Total Flight Hours or Total Flight Cycles}}{\text{Operational Days}}$$
The most common periods used are days and years, providing the Daily Utilization and Annual Utilization parameters respectively.
• Flight Leg Time: period between the aircraft takeoff and landing.
$$\text{Flight Leg Time} = \frac{\text{Total Flight Hours}}{\text{Total Flight Cycles}}$$
When the Utilization or Flight Leg Time is computed for a fleet or subfleet, it is measured in average terms, e.g., Average Daily or Annual Utilization or Average Flight Leg Time. The aim of any operator is usually to achieve an efficient aircraft utilization with reduced turnaround times; it requires appropriate coordination amongst many of its functions: Flight Operations, Scheduling, Maintenance, Ground Operations, Maintenance Programs, Reliability, etc. Although the utilization is closely related to the type of operation, deviations in the utilization may indicate poor performance in some of the operator functions that may need to be looked at for optimization. On the other hand, as seen in Sect. 6.1.4, changes in the utilization must be surveilled given that the MRBR is valid within a utilization envelope, below which other rules should be applied, e.g., the Low Utilization Maintenance Program (LUMP).
Dispatch Reliability and Dispatch Availability Parameters
The Dispatch Reliability metrics are appropriate indicators to assess the technical performance of the aircraft and the maintenance and the supply chain management systems.
• Technical Dispatch Reliability (TDR): percentage of revenue flights that depart within a specified period (typically 15 min) of a scheduled departure time.
$$\text{TDR} = 100 - \frac{\text{Tech. Cancellations} + \text{Tech. Delays (above 15 min)}}{\text{Revenue Flights}} \times 100$$
Revenue Flight is the total departures deducting the Non-Revenue Flights such as Maintenance Check flights, Test flights, or Ferry flights.
• Operational Reliability: percentage of revenue flights that depart within a specified period (typically 15 min) of a scheduled departure time and for which there are no in-flight technical interruptions such as In-Flight Turn Back or Diversion events.
$$\text{OR} = 100 - \frac{\text{Tech. Cancellations} + \text{Tech. Delays (above 15 min)} + \text{IFTB} + \text{Div.}}{\text{Revenue Flights}} \times 100,$$
where IFTB is the number of In-Flight Turn Back events and Div. the number of diversions. The impact of a 16 min delay, a 2 h delay, a Technical Cancelation, or an IFTB is different. The TDR and OR equations can be reformulated by using Severity Factors (SF), which take into consideration the weight of each interruption. The operator can request guidance for the calculation of the SFs from the TCH. The Operational Reliability target for many operators, supported by aircraft manufacturers, is to achieve a level of around 99%. Whenever the OR falls below the Alert Level, an indication for investigation should be highlighted. Reduced OR levels may correlate with maintenance or supply chain management issues. On the other hand, the TDR and OR can also be estimated for specific operations or major components. For example:
• For specific operations:
  – TDR/OR for EDTO (ETOPS) operations, where Revenue Flights are EDTO Revenue Flights and the Technical Interruptions (cancelations, delays, IFTB, diversions) are due to failure of EDTO Significant Items.
  – TDR/OR for RNAV operations, where Revenue Flights are RNAV Revenue Flights and the Technical Interruptions (cancelations, delays, IFTB, diversions) are due to failure of RNAV Significant Items.
• For major components:
  – TDR/OR for APU, where APU Cycles are considered instead of Revenue Flights, and the Technical Interruptions are due to failure of the APU.
  – TDR/OR for Engines, where all the engines are considered, Engine Cycles substitute the Revenue Flights, and the Technical Interruptions are due to failure of the Engines.
For example, Engine Operational Reliability is calculated as follows:
$$\text{Engine OR} = 100 - \frac{\text{Tech. Interruptions due to Engine failure}}{\text{Engine Cycles}} \times 100 \times \text{No. of Engines}$$
The use of Technical Dispatch Reliability (TDR) and Operational Reliability (OR) parameters, when the operator has reserve aircraft to cover those with technical issues, may hide technical organizational concerns. In such a case, the Operational Availability metric complements the TDR or OR metrics to assess not only the technical performance of the aircraft but the maintenance system.² The Operational Availability is the total time deducting the unavailability time (aircraft grounding due to scheduled/unscheduled maintenance or due to non-technical events such as crew delays, weather issues, and air traffic control problems). The maintenance or other factors of non-availability during the normal transit of the aircraft are not taken into account for the calculation of the Operational Availability parameter. When it is necessary to determine the reliability levels that are due to Technical Cancelations and Diversions specifically, the Cancelation Rate (CR) and Schedule Completion Rates (SCR) are appropriate parameters:
• Cancelation Rate (CR): rate of cancelled flights.
$$\text{CR} = \frac{\text{Revenue Flights} + \text{Tech. Cancellations} + \text{Div.}}{\text{Revenue Flights}} \times 100$$
• Schedule Completion Rate (SCR): rate of completed flights. It is the inverse of the Cancelation Rate.
$$\text{SCR} = \frac{\text{Revenue Flights}}{\text{Revenue Flights} + \text{Tech. Cancellations} + \text{Div.}} \times 100$$
An indication for investigation is highlighted whenever the CR rises above, or the SCR falls below, the fixed Alert Levels. CR and SCR can also be considered Event-based Alerts.
Capability Parameters (Special Operations)
As introduced in the previous paragraphs, the dispatch reliability parameters can be translated to special operations in order to flag deviations in the concerned operation capability, e.g., Technical Dispatch Reliability or Operational Reliability for RNAV or EDTO (ETOPS) flights. It becomes necessary to define the Significant Items for the special operations not only to assess the dispatch reliability of those operations but to assign Component Alert Levels. On the other side, it is possible to define operational statistics to detect adverse trends for those operations. For example, the CAT III Success Rate (SR):
$$\text{CAT III SR} = \frac{\text{Successful CAT III Landings}}{\text{CAT III Attempts}}$$
² Aircraft Operational Availability. IATA. First Edition—2018.
Logbooks and MEL Parameters
The defects entered in the logbooks by the crew, maintenance, or other staff in the form of Pilot Reports (PIREPs), Maintenance Reports (MAREPs), Cabin Reports (CAREPs), or Cargo Reports (CGREPs) that require maintenance action are a main source of the Reliability data. In order to identify adverse trends, it is useful to compute rates for a specific period of time for each type of report:
$$\text{Reports Rate} = \frac{\text{Number of Reports (PIREPs, MAREPs, CAREPs or CGREPs)}}{\text{Flight Hours}} \times 1000$$
The Report Rate can be particularized for special operations or major components, e.g., EDTO PIREPs or engine MAREPs, in order to focus on adverse trends for specific areas. The Minimum Equipment List (MEL) is a list of equipment necessary for the safe operation of the aircraft. The MEL is developed by the operator on the basis of a Master Minimum Equipment List (MMEL) issued by the TCH as part of the certification of the aircraft. The MEL establishes limitations and conditions for the operation of the aircraft with inoperative equipment. When a flight is dispatched with an inoperative MEL item, the corresponding entry must be made in the logbook. From the reliability perspective, it is interesting to analyze the rate of accumulated MEL items at a certain point in time, which may give an indication of deviations or inappropriate use of the MEL procedures:
$$\text{MEL Items Rate} = \frac{\text{Open MEL Items}}{\text{Number of Days} \times \text{Number of aircraft}}$$
The MEL Items Rate formula can be translated for Deferred Defects (DD), which are those that have been assessed to be within the MEL and the Configuration Deviation List (CDL) limits and have been postponed within specified limits. The DD Items Rate is calculated taking into consideration open DD items. The MEL Usage metrics provide an indication of the percentage of the time allowed by MEL items that has already been utilized; it provides visibility on the agility of the maintenance function to resolve the defect:
$$\text{MEL Usage (\%)} = \frac{\text{Days of open MEL Cat X}}{\text{MEL Limitation (days)}} \times 100,$$
where MEL Cat X refers to the category of the MEL items; it is the time allowed for repair (e.g., Cat B: 3 consecutive days; Cat C: 10 consecutive days; and Cat D: 120 consecutive days).
Component Metrics
The following examples of reliability parameters may assist in the definition of Alert Levels for components that are useful to identify deviations from their performance standards. The presented alert parameters can be set for a component Part Number (P/N), a range of serials within the P/N, or a unique component.
• Mean Time/Cycles Between Failures (MTBF/MCBF): the total unit flight hours/cycles of each Part Number (including all Serial Numbers) accrued in a period of time divided by all the confirmed failures for such Part Number.
$$\text{MTBF} = \frac{\text{Total Unit Hours}}{\text{Number of Failures}} \qquad \text{MCBF} = \frac{\text{Total Unit Cycles}}{\text{Number of Failures}}$$
• Mean Time/Cycles Between Unscheduled Removals (MTBUR/MCBUR): the total unit flight hours/cycles of each Part Number (including all Serial Numbers) accrued in a period of time divided by the number of unscheduled removals during the same period.
$$\text{MTBUR} = \frac{\text{Total Unit Hours}}{\text{Unscheduled Removals}} \qquad \text{MCBUR} = \frac{\text{Total Unit Cycles}}{\text{Unscheduled Removals}}$$
• Mean Time/Cycles To Unscheduled Removal (MTTUR/MCTUR): the total of cumulative operating hours/cycles of each Part Number (including all Serial Numbers) accrued in a period of time divided by the number of unscheduled removals during the same period.
$$\text{MTTUR} = \frac{\text{Cumulative Total Unit Hours}}{\text{Unscheduled Removals}} \qquad \text{MCTUR} = \frac{\text{Cumulative Total Unit Cycles}}{\text{Unscheduled Removals}}$$
• Unscheduled Removal Rate (Unsch RR): rate between the number of unscheduled removals in a period of time and the total unit flight hours.
$$\text{Unsch RR} = \frac{\text{Unscheduled Removals}}{\text{Total Unit Hours}} \times 1000$$
• No Fault Found Rate (NFFR): rate between the difference of unscheduled removals and the number of failures in a period of time divided by the unscheduled removals.
$$\text{NFFR} = \frac{\text{Unscheduled Removals} - \text{Number of Failures}}{\text{Unscheduled Removals}} \times 1000$$
Parameters such as MTBF and MTBUR may be compared with the corresponding guarantee MTBF and MTBUR as targeted values. There are many more parameters that can be useful in defining Alert Levels, e.g., Mean Time/Cycles to Failure (MTTF/MCTF), Time/Cycles Since Repair (TSR/CSR), Time/Cycles Since Overhaul (TSO/CSO), Time/Cycles Since New (TSN/CSN), etc. The operator should evaluate which metrics are suitable for each type of component in relation to the trends to be identified.
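The component metrics and the Alert Level mechanism described above can be worked through as follows; this is an added example, not material from the book. The record layout, the multiplier k = 2 on the standard deviation (the text names the standard deviation as a tool but prescribes no multiplier), and all figures are assumptions constructed for illustration.

```python
"""Alert-based monitoring of one component Part Number (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional


@dataclass(frozen=True)
class PeriodRecord:
    period: str            # reporting period label, e.g. "2024-10"
    unit_hours: float      # total unit flight hours, all serial numbers of the P/N
    unsched_removals: int  # unscheduled removals in the period
    failures: int          # removals confirmed as failures by the shop

    def __post_init__(self):
        # Data-quality gate before any rate is computed. Assumption of this
        # example: failures are counted among the unscheduled removals, as
        # the NFFR formula implies.
        if self.unit_hours <= 0:
            raise ValueError(f"{self.period}: unit hours must be positive")
        if not 0 <= self.failures <= self.unsched_removals:
            raise ValueError(f"{self.period}: failures exceed removals")


def unsched_removal_rate(r: PeriodRecord) -> float:
    """Unsch RR = Unscheduled Removals x 1000 / Total Unit Hours."""
    return r.unsched_removals * 1000 / r.unit_hours


def mtbur(r: PeriodRecord) -> Optional[float]:
    """MTBUR; undefined (None) for a period without unscheduled removals."""
    return r.unit_hours / r.unsched_removals if r.unsched_removals else None


def mtbf(r: PeriodRecord) -> Optional[float]:
    """MTBF; undefined (None) for a period without confirmed failures."""
    return r.unit_hours / r.failures if r.failures else None


def nffr(r: PeriodRecord) -> Optional[float]:
    """NFFR with the x 1000 scaling used in the text; None without removals."""
    if not r.unsched_removals:
        return None
    return (r.unsched_removals - r.failures) * 1000 / r.unsched_removals


def alert_level(baseline: list, k: float = 2.0) -> float:
    """Baseline mean of Unsch RR plus k standard deviations (k is assumed)."""
    if len(baseline) < 2:
        raise ValueError("baseline needs at least two periods")
    rates = [unsched_removal_rate(r) for r in baseline]
    return mean(rates) + k * pstdev(rates)


def evaluate(baseline: list, current: list, k: float = 2.0) -> list:
    """Compare each current period against the Alert Level of the baseline."""
    level = alert_level(baseline, k)
    report = []
    for r in current:
        rate = unsched_removal_rate(r)
        report.append({
            "period": r.period,
            "unsch_rr": rate,
            "alert": rate > level,   # beyond normal variation: investigate
            "mtbur": mtbur(r),
            "mtbf": mtbf(r),
            "nffr": nffr(r),
        })
    return report


# Constructed sample data: eight baseline months, then three monitored months.
BASELINE = [
    PeriodRecord(f"2024-{m:02d}", 10_000, n, n // 2)
    for m, n in enumerate([2, 4, 4, 4, 5, 5, 7, 9], start=1)
]
CURRENT = [
    PeriodRecord("2024-09", 10_000, 6, 4),
    PeriodRecord("2024-10", 8_000, 9, 3),   # fewer hours, more removals
    PeriodRecord("2024-11", 12_000, 0, 0),  # no removals: MTBUR/NFFR undefined
]

if __name__ == "__main__":
    print(f"Alert Level (Unsch RR): {alert_level(BASELINE):.3f}")
    for row in evaluate(BASELINE, CURRENT):
        print(row)
```

A period that raises an alert here also shows a high NFFR, which would point an investigation toward troubleshooting practice as much as toward the component itself.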
17.2 Analysis of Reliability Data
Some of these figures such as the components with the lowest MTBF/MCBF, MTBUR/MCBUR, MTTUR/MCTUR, or with the highest Unscheduled Removal and No Fault Found rates may be incorporated into the Reliability Report. Out of the Reliability Program scope, it is possible to define further parameters to assess the availability of components, such as the Mean Time To Repair (MTTR), that is interesting from the perspective of Workshops and Supply Chain management to assess the degree to which a component is operational and ready for use when required. MTTR and other parameters, such as the Mean Time to Respond or the Mean Time to Resolve, are useful to assess the maintenance function performance.
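The component metrics defined above, computed per Part Number from removal records and compared with guarantee values, as an added example that is not taken from the book. The record fields, the sample P/Ns, hours and guarantee values are constructed, and the code assumes that confirmed failures are counted among the unscheduled removals of the period.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Removal:
    part_number: str
    serial_number: str
    unscheduled: bool        # False for a planned (scheduled) removal
    failure_confirmed: bool  # True when the workshop confirmed the failure


# Constructed sample data for one reporting period (not from the book).
UNIT_HOURS = {  # flight hours accrued by each unit, keyed by (P/N, S/N)
    ("PN-A", "S1"): 20000.0, ("PN-A", "S2"): 16000.0, ("PN-A", "S3"): 12000.0,
    ("PN-B", "S1"): 18000.0, ("PN-B", "S2"): 12000.0,
}
REMOVALS = [
    Removal("PN-A", "S1", True, True),
    Removal("PN-A", "S1", True, False),   # unscheduled, no fault found
    Removal("PN-A", "S2", True, True),
    Removal("PN-A", "S2", True, True),
    Removal("PN-A", "S3", True, False),   # unscheduled, no fault found
    Removal("PN-A", "S3", True, True),
    Removal("PN-A", "S3", False, False),  # scheduled removal, not counted
    Removal("PN-B", "S1", True, False),
    Removal("PN-B", "S2", True, False),
]
GUARANTEED = {  # constructed guarantee values used as targets
    "PN-A": {"mtbf": 10000.0, "mtbur": 9000.0},
    "PN-B": {"mtbf": 20000.0, "mtbur": 12000.0},
}


def _ratio(numerator, denominator):
    """Return numerator/denominator, or None when the denominator is zero."""
    return numerator / denominator if denominator else None


def component_metrics(unit_hours, removals):
    """Return MTBF, MTBUR, Unsch RR and NFFR per P/N, pooling all serials."""
    hours = defaultdict(float)
    for (pn, _sn), unit_h in unit_hours.items():
        hours[pn] += unit_h          # total unit hours of the Part Number
    unscheduled = defaultdict(int)
    failures = defaultdict(int)
    for rem in removals:
        if not rem.unscheduled:
            continue                 # scheduled removals are outside these metrics
        unscheduled[rem.part_number] += 1
        if rem.failure_confirmed:    # assumption: failures come from these removals
            failures[rem.part_number] += 1
    metrics = {}
    for pn, total_h in hours.items():
        u, f = unscheduled[pn], failures[pn]
        metrics[pn] = {
            "mtbf": _ratio(total_h, f),          # None when no failure occurred
            "mtbur": _ratio(total_h, u),
            "unsch_rr": _ratio(1000 * u, total_h),
            "nffr": _ratio(1000 * (u - f), u),   # x 1000, as in the formula above
        }
    return metrics


def below_target(metrics, guaranteed):
    """List (P/N, metric) pairs whose MTBF or MTBUR is under the guarantee."""
    alerts = []
    for pn, values in sorted(metrics.items()):
        for name in ("mtbf", "mtbur"):
            target = guaranteed.get(pn, {}).get(name)
            value = values[name]
            if target is not None and value is not None and value < target:
                alerts.append((pn, name))
    return alerts


if __name__ == "__main__":
    computed = component_metrics(UNIT_HOURS, REMOVALS)
    for pn, values in sorted(computed.items()):
        print(pn, values)
    print("Below guarantee:", below_target(computed, GUARANTEED))
```

A P/N with removals but no confirmed failure has no defined MTBF for the period, which is why the function returns `None` instead of dividing by zero.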
17.2.2.2 Event-Based Programs
The Event-based metrics are used to track individual technical service difficulties, usually with safety implications or significant operational impact. Therefore, the data associated with each event should be collected in order to carry out an investigation and take the appropriate corrective actions. Some of the events that may require investigations are Incidents, Diversions, In-Flight ShutDown events, In-Flight Propeller Feathering, Rejected Takeoff, Aborted Approach, Return to Gate, Emergency Descent, Hard Landing and Lightning Strikes. It is possible to define metrics to measure deviations from the standards for all these events. For example, to assess the engine operation cessation due to reasons outside of normal operating procedures, the In-Flight ShutDown (IFSD) Rate is used:
$$\text{IFSD Rate} = \frac{\text{Number of IFSD}}{\text{Engine Hours}} \times 1000$$
Another example of Event-based Alert is the definition of a rate for occurrences that require safety reporting:
$$\text{Occurrence Report Rate} = \frac{\text{Number of reported occurrences}}{\text{Revenue Flights}} \times 1000$$
17.2.2.3 Trend Monitoring Programs
The Trend Monitoring programs track the current performance of systems, structures, or capabilities and identify out of limit conditions or deterioration tendencies. The data provided by the monitoring systems are usually supplemented by data from the component and structure failures. While the analysis of the component data is typically assumed by the Reliability function, the Trend Monitoring programs are not always managed by reliability staff, e.g., the Flight Data Monitoring (FDM)/Flight Operations Quality Assurance (FOQA) program, and the monitoring of RVSM operations may be the responsibility of Flight Operations, the Engine Condition Monitoring (ECM) may be the responsibility of the Technical Services function, or the Structural Health Monitoring (SHM) may be controlled under the Maintenance Programs and Technical Services functions. In any case, the procedures to manage the applicable Trend Monitoring programs should be incorporated or referenced in the Reliability Program.
Flight Data Monitoring (FDM)/Flight Operations Quality Assurance (FOQA)
A Flight Data Monitoring (FDM) program under the EASA rules, known as Flight Operations Quality Assurance (FOQA) under the FAA regulations, is a process that collects and analyzes flight data from routine operations in order to improve flight safety. The FDM/FOQA data are acquired from the aircraft sensors through the flight data recorders: from a simple airborne Flight Data Recorder (FDR) to the Quick Access Recorder (QAR) or more modern technologies that automatically download the information via wireless systems. The data are usually processed on ground with advanced software programs that check for abnormalities and present interpretable results. The FDM/FOQA analysis techniques are based on:
• Exceedance detection: It involves setting specific limits for the parameters to detect deviations.
• Statistics: It is used to create profiles of flights or maintenance procedures and build distributions in regard to defined criteria. The distribution of the data will show all flights and make it possible to determine standard deviations from the mean and risks based on the mean.
The data are compiled periodically, e.g., monthly, and reviewed by the monitoring team that will issue recommendations to the appropriate stakeholders. The monitoring team is usually formed and chaired by Flight Operations and Safety staff with a representation of the continuing airworthiness organization, usually the Reliability and Technical Services functions. The FDM is an EASA requirement for aircraft with a maximum certificated takeoff mass of more than 27,000 kg and a voluntary program for the FAA operators.
EDTO (ETOPS) Trend Monitoring Programs for Two-Engine Aircraft
Following the EDTO (ETOPS) operational approval for two-engine aircraft, the operator must have the appropriate programs to monitor the engine condition, the oil consumption, and under certain specifications, the APU In-Flight starting. These programs may also be found beneficial for non-EDTO operations and the EDTO operation of aircraft with more than two engines.
Engine Condition Monitoring (ECM)
Engine Condition Monitoring (ECM) is a process that collects and analyzes engine data to measure its performance. ECM allows for identification of adverse trends at an early stage so corrective actions can be taken before the safe operation is affected. In regard to two-engine EDTO operations, the ECM should determine if an engine is no longer capable of providing the maximum thrust and loading demands that are required for a single-engine diversion. The typical engine parameters collected are related to speed, temperature, pressure, fuel flow, and vibration. The ECM data are recorded and downloaded to a ground station for analysis (e.g., from the QAR) or transmitted via Aircraft Communication Addressing and Reporting System (ACARS) for real-time analysis. If the analysis is not in real time, it is recommended to analyze the data at frequent periods, with a maximum time of 5 days. The data are compared with design performance models and with the engine service experience through specialized software that identifies deviations from the set standards. The data analysis is performed by the operator or a service provider that may be the engine manufacturer. The MSG-3 methodology does not allow taking credit for an Engine Condition Monitoring (ECM) program for the failure analysis; however, the ECM may take credit for the MRBR tasks for monitoring engine fuel, oil, control systems, etc.
Oil Consumption Monitoring
The Oil Consumption Monitoring program ensures that there is enough oil to complete each EDTO (ETOPS) flight. The consumption should not exceed the TCH recommendations, and the operator should identify deviations from the normal oil consumption rate. This program requires that the amount of oil added at the departure is recorded and compared with the average consumption; an investigation and appropriate corrective action is required if any increase or deviation from the normal consumption is detected. The APU oil consumption is included in the program if the EDTO (ETOPS) operation requires an APU. If the oil analysis is recommended by the TCH, it should be included or referenced in the program.
APU In-Flight Start Program
The APU In-Flight Start program is used to demonstrate the continued ability of the APU to perform high altitude cold soak starts and run, typically required when the APU is a backup source of electrical or pneumatic power. The APU In-Flight Start Program is a requisite for the approval of two-engine EDTO operations if the Type Certificate requires an APU but does not require the APU to run during the EDTO portion of the flight, and the MEL does not allow flight with an inoperative APU beyond the diversion time.
The APU In-Flight Start program is usually conducted by the Flight Operations function and includes periodic sampling of the capability of each aircraft for APU in-flight starting. When the APU in-flight start rate drops below 95%, the operator should initiate a further investigation into any common cause or systemic errors in the procedures. If this reliability level cannot be achieved, the continuous operation of the APU may be necessary.
Structural Health Monitoring (SHM)
Structural Health Monitoring (SHM) is the state of the art in detecting damage of the structure. The SHM checks specific structural items, details, installations, or assemblies using onboard mechanical, optical, or electronic devices that are designed to detect the damage. SHM is based on emerging technologies that may even provide data of when the damage occurred, where it is located, and the characteristics of the damage. The SHM may assess the aircraft's structural condition and point out the need for corrective/maintenance action. While some of the initiated SHM programs transmit the data via wireless systems when the processor unit is interrogated, the goal of current SHM programs is to monitor the aircraft structure in flight. SHM provides countless benefits: early detection of structural damages, fewer major repairs, detection of damages in difficult access areas, and reduction of inspection times. Scheduled SHM is considered in the MSG-3 methodology as a valid method to detect structural damage by using the readout of SHM devices at periodic intervals.
Aircraft Health Monitoring (AHM)
Aircraft Health Monitoring (AHM) is the next step in the development of collection and analysis of in-flight data. The real-time AHM constitutes an authentic Prognostics and Health Management (PHM) system that provides a real-time picture of the fitness status of the aircraft. AHM provides several added values for crew and maintenance staff in regard to predecessor systems: real-time fault indication, real-time troubleshooting of aircraft systems and components, anticipation of faults of systems and components, and prescription of maintenance. AHM has much to do with the capability of the aircraft to obtain data; while the data from the flight data recorders can be made remotely available for all commercial aircraft, the most modern aircraft integrate more sensors in more systems and components to enhance their reliability. AHM added values translate into less time spent on fault analysis, reduction of unnecessary removal of functional components, optimized inventory, less downtime, and consequently, the reduction of Technical Interruptions (cancelations, delays, IFTB, diversions). The AHM analysis is usually performed by a specialized AHM System service provider that has remote access, via Aircraft Communication Addressing and Reporting System (ACARS), to the aircraft data parameters.
The AHM System service provider makes use of specialized software that compares performance data with developed models, identifies deviation trends, interrogates the aircraft when a fault is found, and investigates the aircraft history to provide a solution. AHM allows determining the root cause of a defect before the aircraft reaches its destination. AHM may integrate components of other trend monitoring techniques such as the Engine Condition Monitoring (ECM) or the Structural Health Monitoring (SHM) system(s). Out of the scope of this book, the AHM system may also provide the opportunity to monitor the fuel consumption and calculate the carbon dioxide emissions for more sustainable and cost-effective operations. In regard to AHM and the MSG-3 methodology, IP 180 proposes the amendment of the IMPS and MSG-3 to make use of the certified AHM capabilities as alternative procedures to identify failures and prevent deterioration on the inherent safety and reliability levels of the aircraft, in addition to the scheduled tasks that are to be accomplished at specific intervals. The proposal is under a maturity process and is planned to be implemented within a future MSG-3 revision.
Monitoring of Reduced Vertical Separation Minima (RVSM) Operations
The monitoring of height keeping performance of RVSM operations is carried out by Regional Monitoring Agencies. Eurocontrol, through the European Regional Monitoring Agency (EUR RMA), monitors and supports aircraft operations in the European RVSM airspace. The results for aircraft registered in states accredited to the EUR RMA are published in the Eurocontrol site; those for aircraft registered elsewhere are published via the RMA corresponding to the state of registration. The FAA has established, through bilateral agreements with Canada and Mexico, the North American Approvals Registry and Monitoring Organization (NAARMO) to monitor the height keeping performance. The RMAs do not provide the results directly to the operators but publish the date of the last successful height monitoring measurement on their Web sites. In case of any safety concern, the RMAs contact the operator through the competent authority.
17.2.2.4 Index-Based Programs
The Index-based Alert makes use of multiple data types that are correlated to a specific aircraft system or component to produce an index ranking of performance: Pilot/Maintenance/Cabin/Cargo Reports, routine task findings, delays and cancelations, MEL/CDL items, etc. Defining Index-based Alerts brings to light the importance of establishing a common coding convention to be able to correlate all reliability sources, usually, by the use of ATA codes.
The performance ranking can highlight the systems or components with the worst performance or the scheduled maintenance tasks that are apparently not effective, so the pertinent investigation is initiated.
17.3 Reliability Root Cause Analysis (RCA)
A Reliability Root Cause Analysis (RCA) is performed and documented when deviations from the performance standards are highlighted and there is a need to find the cause of such deviations. The Reliability RCA should consider not only the data source that triggers the analysis but a series of factors that may be determining to find the underlying causes. The following list shows some examples of additional aspects that may assist during the RCA:
• other figures from the techniques used to identify deviations from performance standards (Alert-based, Event-based, Trend Monitoring and Index-based programs),
• Maintenance and Workshop findings,
• Modification Embodiment Policy,
• Sampling Programs,
• Effectiveness of the AMP,
• Effects of changes in the utilization or type of operation, and
• Staff training.
There are a variety of analytical techniques and tools to perform a Reliability RCA. The following list presents some of them:
• Evaluation of repetitive defects,
• Review of Service Bulletins and industry reports for applicability and urgency,
• Comparison of operational data from internal and external sources,
• Pool data with other operators of the same aircraft type (for small size operators),
• Investigative testing / sampling program,
• Conventional RCA tools: Five Whys, Cause and Effect Diagram (Fishbone Diagram), Process Analysis/Cause Mapping, etc.,
• Graphical and Statistical Analysis: Pareto chart, Poisson's distribution, Hypothesis testing, Normal distribution, Exponential distribution, Weibull analysis, etc.,
• Failure Mode and Effects Analysis (FMEA) / MSG-3 methodology,
• Maintenance Error and Decision Aid (MEDA).
Further information about conventional RCA is detailed in Sect. 21.1. The operator is responsible for finding or defining the appropriate RCA analysis tool to assist in identifying the root causes.
17.4 Corrective Actions
Any reduction in the reliability levels revealed by the Reliability Program should be corrected. It is highly recommended that the operator develops decision logics to determine which corrective actions need to be taken to eliminate the causes of deviations from the performance standards. Guidance to develop a decision logic tree for AMP task adjustment is provided in the FAA AC 120-17B Appendixes. The book Aviation Maintenance Management³ also provides valuable guidance on the investigation process decision logic from the alert/event to the corrective action. The TCH can also provide assistance for developing the decision logics. Figure 17.1 shows as an example the process developed by Boeing to determine the corrective action of Short-Life Units.⁴
In the same way that there is usually not a single cause of deviations from the standards, the corrective action is usually also composed of different actions that may be a combination of some of the following items:
• Changes to maintenance, operational procedures, or techniques,
• Amendment of AMP tasks and intervals: escalation, de-escalation, addition, modification, or deletion of tasks,
• Amendments to approved manuals (e.g., maintenance manual or crew manual),
• Design change, modifications,
• Special inspections or fleet campaigns,
• Spares provisioning,
• Staff training,
• Manpower and equipment planning.
Corrective actions should include a planned completion date wherever applicable.
3 Aviation Maintenance Management (Pg. 275–287). Harry A. Kinnison & Tariq Siddiqui. Second Edition.
4 New Process for Component Removal Reduction. Boeing AERO Magazine QTR_03.12.
Fig. 17.1 Boeing Short-Life Unit (SLU) decision tree
Chapter 18
AMP Task Effectiveness
The operator may want to adjust the AMP due to reasons that fall out of adverse operational trends. The main reason for the AMP adjustment request should be the routine review of the AMP tasks for effectiveness, which is one of the requirements for a maintenance program. This review may involve not only the adjustment of the task but modifications, some type of product improvements, or organizational changes. Other reasons are introduced in Sect. 11.5; the operator may be looking for the Escalation of a task or Maintenance Check, and analysis for the task effectiveness will be required. On the other hand, when the operator reviews its aircraft appearance policy, it may identify areas of concern that lead to adjustments of the AMP tasks. AMP Evolution/optimization exercises, as detailed in Chap. 12, comply with the requirement for the AMP routine review for effectiveness for the tasks that are within the scope of the project.
18.1 AMP Task Effectiveness Analysis
The purpose of the AMP Task Effectiveness Analysis is to adjust the tasks to their appropriate scope and interval that must be or remain acceptable from a safety perspective. The analysis does not always end with a task escalation; task escalation is just one of all the possible corrective actions that may be derived from the analysis, but it may also result in the de-escalation of the task, the addition of new tasks, a change in the task category, scope or instructions, a change in the organization procedures, etc.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_18
18.1.1 In-Service Data
In-service data is collected and usually correlated by establishing a common coding convention (ATA code). The scope of the analysis includes all the operational data and data findings raised during scheduled or unscheduled maintenance in which corrective action is directly related to the task in question and unrelated data findings in which corrective action is not associated with the task but has an impact on the task being analyzed. The methods to determine the effectiveness of the AMP should collect and analyze 100% of its performance standard data, but the sampling concept may be used in support when analyzing other types/sets of data such as routine maintenance findings.
Sampling
The sample size depends on the needs of the analysis but, in any case, must result in confidence that it represents the population (aircraft, fleet, subfleet, component P/N, range of serials within a P/N or single component). In regard to an aircraft fleet, an appropriate representation may include aircraft with different operational history, configuration, utilization, operational and environmental conditions, storage periods, or task yields and may be limited to the data collected during a defined period of time. The operator should weigh the benefits of analyzing the repetitive accomplishment of a task on specific aircraft against the last accomplishment of the task on a greater number of aircraft. When the available data is not sufficient to analyze the effectiveness of a task or to justify a task change, it may become necessary to collect additional data through new Sampling Programs, e.g., grease sample or oil sample.
Task Interval Yield
The Interval Yield is a relevant factor when analyzing scheduled maintenance tasks data. The task interval is established to detect degradation or potential failure at the prescribed interval; if the task is performed much earlier than the specified interval, the data may not be valid to support the analysis. The yield is calculated by dividing the interval at which the task was performed by the defined interval. If degradation/failure is found at low yield, it must be taken into consideration for analysis; however, if no findings are encountered at low yield, a minimum acceptable level must be established. The FAA considers that 80% is the minimum acceptable yield for single tasks and 90% for average yield of all task accomplishments considered for the analysis.
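The yield screening described above, as an added example that is not taken from the book or from FAA material. The record layout, the 6000 FH interval and the sample accomplishments are constructed; applying the 80% minimum only to accomplishments without findings, and the 90% average to the retained set, is this example's reading of the paragraph.

```python
from dataclasses import dataclass

MIN_SINGLE_YIELD = 0.80   # minimum acceptable yield, single accomplishment
MIN_AVERAGE_YIELD = 0.90  # minimum acceptable average yield of the data set


@dataclass(frozen=True)
class Accomplishment:
    aircraft: str
    performed_at: float  # usage accrued since the previous accomplishment
    finding: bool        # degradation or failure found by the task


# Constructed sample: a task with a defined interval of 6000 FH.
DEFINED_INTERVAL_FH = 6000.0
SAMPLE = [
    Accomplishment("AC1", 5940.0, False),
    Accomplishment("AC2", 5700.0, False),
    Accomplishment("AC3", 4200.0, False),  # low yield, no finding
    Accomplishment("AC4", 3600.0, True),   # low yield, finding
    Accomplishment("AC5", 6000.0, False),
    Accomplishment("AC6", 5400.0, False),
]


def interval_yield(performed_at, defined_interval):
    """Yield = interval at which the task was performed / defined interval."""
    if defined_interval <= 0:
        raise ValueError("defined interval must be positive")
    return performed_at / defined_interval


def screen_accomplishments(records, defined_interval):
    """Split records into retained/rejected and check the average yield.

    A record with a finding is always retained, whatever its yield.
    A record without a finding is retained only at or above the 80% minimum.
    """
    retained, rejected = [], []
    for rec in records:
        y = interval_yield(rec.performed_at, defined_interval)
        if rec.finding or y >= MIN_SINGLE_YIELD:
            retained.append((rec.aircraft, y))
        else:
            rejected.append((rec.aircraft, y))
    average = sum(y for _, y in retained) / len(retained) if retained else None
    return {
        "retained": retained,
        "rejected": rejected,
        "average_yield": average,
        # Below 90% average, the data set does not support the analysis.
        "supports_analysis": average is not None and average >= MIN_AVERAGE_YIELD,
    }


if __name__ == "__main__":
    result = screen_accomplishments(SAMPLE, DEFINED_INTERVAL_FH)
    for aircraft, y in result["retained"]:
        print(f"retained {aircraft}: yield {y:.0%}")
    for aircraft, y in result["rejected"]:
        print(f"rejected {aircraft}: yield {y:.0%}")
    print("average yield:", result["average_yield"])
    print("supports analysis:", result["supports_analysis"])
```

In the constructed sample the finding at 60% yield is kept, pulls the average under 90%, and the data set is flagged as insufficient on its own.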
18.1.2 Analysis
The analysis primarily focuses on significant findings related to systems and structures in which failure may affect the safety and airworthiness of the aircraft; non-significant findings are or are not taken into consideration based on risk assessment. The existence of maintenance findings does not indicate the inefficiency of the task itself but requires assessment. It is recommended that the operator develops a standardized decision logic for the analysis based on the type of tasks. The task is considered ineffective if the analysis shows that the impact on operations is high. If the impact on operations is low, regardless of the number of findings, the task is considered effective but in general terms may be subject to optimization as follows:
• if there is a low number of both scheduled and unscheduled maintenance findings, the task interval is not optimized and may be a candidate for escalation,
• if there is a high number of findings arising from scheduled or unscheduled maintenance, the task interval is not optimized and is a candidate for de-escalation, and
• if there is a low number of scheduled maintenance findings but a high number of unscheduled maintenance findings, further assessment is required to determine the task effectiveness.
18.1.3 Recommendations
The recommendation from the AMP Task Effectiveness Analysis should be based on risk assessment: task type, targeted failure mode, consequences of failure, etc. In regard to the AMP, the analysis may lead to changes in the task interval (escalation or de-escalation), the addition of new tasks, deletion of existing tasks, or a change in the task category, scope, or instructions. As detailed in Sect. 11.5, mandatory requirements such as AD repetitive requirements, ALS, CMR*, and MRBR Structural sampling are not subject to escalation within the terms detailed in these paragraphs. Moreover, certain safety-related tasks such as CMR**, MRBR FEC 5 & 8 & EWIS & L/HIRF may be subject to escalation but with the condition of remaining in the AMP without content change. Other recommendations may go beyond the AMP scope and include modifications or configuration changes, revision of the maintenance procedures, specific maintenance actions, or changes in the organization procedures (responsibilities, manuals, training, etc.).
18.1.4 Approval and Implementation
Under the FAA environment, the operator can implement the recommendations from the AMP task effectiveness analysis through an internal approval process without the involvement of the agency. Under an EASA environment, the approval procedure should be agreed with the competent authority and detailed in the CAME (Direct Approval by the competent authority or Indirect Approval by the operator). The competent authority may authorize for AMP Indirect Approval to implement changes arising from the AMP Task Effectiveness Analysis if the Reliability Program monitors the content of the AMP in a comprehensive manner and the procedures associated with the functioning of the Reliability Board provide the assurance that appropriate control is exercised over the internal validation of such changes. The implementation of a task escalation or deletion requires the AMP approval, but a new task or task de-escalation can be implemented in advance of the approval based on safety, operational, or cost concerns. In this case, the operator should assess the necessity of grace periods and bridge programs attending to the urgency of the reliability concern.
Chapter 19
Reliability Analysis Results
The presentation of the reliability data, adverse trends, analyses, and corrective actions taken closes the continuous reliability loop process, supported by the Technical Reliability meeting and the Reliability Board Meeting.
19.1 Reliability Reports
The Reliability Program should include the procedures to distribute the summary of the reliability data collected, the analysis performed, and the status of the corrective actions and approved recommendations. The audience should include the management of the continuing airworthiness and maintenance functions and other interested stakeholders. The operator should select the appropriate reporting methods and frequency (progressive, weekly, monthly, quarterly, annual, on-demand) that allows for the identification of adverse trends that may incur significant operational impact. The reporting methods and frequency will also be determined by the size of the organization and the complexity of its operations. The reporting methods may be in the form of reliability reports, reliability presentations, etc., and should reflect:
• the reliability philosophy of the operator, including the operational reliability targets,
• the reliability figures,
• areas where the reliability targets are not achieved,
• deficiencies carried forward from previous reports and status of the corrective actions,
• implemented and planned recommendations, and
• the status of the AMP Effectiveness Analysis.
19.2 Reliability Meetings
There are two types of Reliability meetings derived from the reliability process that are typically found within medium to large organizations. The Technical Reliability meeting convenes technical experts to ensure corrective actions to adverse reliability trends are taken, and the Reliability Board meeting establishes the reliability policy and ensures the appropriate resources are provided.
Technical Reliability Meetings
The Technical Reliability Meetings should be attended by representatives of the continuing airworthiness and maintenance organizations, operations, the TCH, etc. Their function is to ensure that all reliability issues are addressed, and appropriate corrective actions are taken. The meeting usually includes data and issues since the last meeting or pending items. The operator should select the appropriate frequency (monthly, quarterly, on-demand). The meeting may include a review of the following items:
• Reliability data and trends,
• Reliability drivers,
• Approval of corrective actions,
• Feedback from corrective actions already taken,
• ADs and modifications.
Reliability Board Meeting
The Reliability Board is formed by representatives of interested parties: continuing airworthiness, maintenance, compliance monitoring, safety, operations, the competent authority, the TCH, etc. It is formed to oversee the Reliability Program performance, provide guidance, and ensure that the resources to implement the recommended corrective actions are provided. The operator should select an appropriate frequency (quarterly, yearly, etc., and on-demand) that should be acceptable to the competent authority. The meeting may include the following items:
• Presentation and discussion of reliability reports,
• AMP and Reliability Program changes,
• Changes to the reliability targets.
Part IV
The AMP in the Engineering and Maintenance Organization Context
Some of the requirements for operators, continuing airworthiness, and maintenance organizations have been detailed in the previous chapters. The structure of these organization(s) depends on the type of operation, the size, and the strategy they set to meet their objectives. It will change from time to time to meet new goals or to correct deficiencies. The competent authorities, supported by the regulation, must ensure that each organization can provide the necessary resources to meet their obligations: the appropriate amount of competent staff, including the nominated persons, maintenance data, equipment, tools, material, facilities, etc. The organization, at the same time, pursues more cost-effective processes and should work to maintain or improve the required level of safety. This chapter considers an Engineering & Maintenance organization, including continuing airworthiness management, maintenance and training roles, and describes the main functions that may be found in a medium to large size organization (e.g., Safety, Compliance Monitoring/Quality, Maintenance Programs, Reliability, Technical Services, Stores, Maintenance Planning, Production Planning & Control, Workshops, etc.). These functions are also applicable to smaller organizations in which the activities may be merged or even performed by a single person. While a small AMP revision may have an insignificant impact on the Engineering & Maintenance organization, the implementation of greater revisions, e.g., due to specific programs such as Low Utilization Maintenance Programs (LUMP), Supplemental Structural Inspection Programs (SSIP) or the results of an Evolution/Optimization exercise, should be carefully analyzed and planned to avoid any type of disruption. The Engineering & Maintenance organization, the relations between the Maintenance Programs and other functions, and the impact of the AMP revision are introduced in the following paragraphs.
Chapter 20
The Engineering and Maintenance Organization
An Engineering and Maintenance organization, independently of the size, must comply with the organizational requirements for the services that it provides. Medium to large Engineering and Maintenance organizations, with a considerable amount of aircraft and components to maintain, technicians and certifying staff to authorize, and stringent deadlines to meet, can become quite complex. This chapter details the operation of a hypothetical Engineering and Maintenance organization that meets those organizational requirements. Figure 20.1 shows the high-level structure of our Engineering and Maintenance organization. Engineering Services and Aircraft Asset Management functions basically cover the organizational requirements of the EASA Part-CAMO and the FAA Part-121/135 for continuing airworthiness management organizations. EASA/FAA Part-145 requirements for maintenance organizations are covered under the Maintenance functions; EASA/FAA Part-147 requirements are covered under the Training function and integrate the rules for certifying staff established in the EASA Part-66 and FAA Part-65. Compliance Monitoring/Quality and Safety functions contribute to the organizational compliance of continuing airworthiness management, maintenance, and training organizations. These functions may be dedicated to each organization (e.g., one dedicated to Engineering Services and Aircraft Asset Management, another dedicated to Maintenance and Supply Chain and Maintenance Support and another dedicated to Training) as it is found convenient. The oversight functions, Compliance Monitoring/Quality and Safety, are independent of the rest of the organization and are responsible to the corresponding accountable manager.
Fig. 20.1 Engineering and Maintenance organization Organigram
The Engineering and Maintenance organization and the Flight Operations function (out of the scope of this book) must provide mutual support in certain areas, e.g., for assessing the implementation of modifications that may affect the operations, for developing/revising the Preflight inspection standards or assessing the required flight crew training, for Maintenance Check flights or when expertise on operation procedures is required.
Our Engineering and Maintenance organization includes functions not derived from the requirements but that are considered an added value: Process Analysis and Improvement, and Innovation; these functions may not only support compliance but can also help the rest of the organization develop safer and more cost-effective processes. Some tools and methods that can be used by these functions are detailed in Part 6.
The Engineering and Maintenance organization may be part of the operator organization or be subcontracted, including outsourcing of some of its functions independently, e.g., only the maintenance function, the development of the AMP, or the management of Technical Records. The regulation establishes certain limitations on the outsourcing of specialized services, and they must be, in any case, included in the corresponding organization’s exposition/manual.
Each function/subfunction of the Engineering and Maintenance organization can be organized on a Fleet Stream basis with functions dedicated to each aircraft type for which the organization/function is approved to provide services. The Fleet Stream philosophy may improve efficiency and reduce costs in many areas of the business.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_20
20.1 Aircraft Asset Management
The Aircraft Asset Management (AAM) function manages the technical, legal, and financial aspects of aircraft induction, phaseout, and major projects. The goal of AAM is to maximize the owned aircraft asset value and minimize the leased aircraft costs. The AAM function sits halfway between the technical, the legal, and the financial functions of the organization, and therefore, it should be made up of experts from the three fields for safe, compliant, and cost-effective end results. The AAM function is usually segregated into different subfunctions, e.g.,
• Aircraft Induction: the AAM function coordinates the induction process, including the issuance of the CofA and ARC, as applicable, ensuring that the aircraft is in airworthy condition. It may require support from the Maintenance Programs, Technical Services, and Compliance Monitoring/Quality functions. Delivery technical records are addressed to the interested stakeholders for their review.
• Aircraft Phaseout: if the aircraft is owned, the phaseout means aircraft trading or dismantling for using, selling, or bringing components, assemblies, and constituent parts of the aircraft to the market. If the aircraft is leased, the AAM function manages the End Of Lease (EOL) process, including the Bridge Programs required to return the aircraft as stipulated in the leasing contract.
• Projects: activities that may require technical, legal, or financial expertise, e.g., major modifications such as aircraft conversion to freighter.
• Contracts and Insurance: this subfunction negotiates leasing and sales contracts and ensures their requirements are fulfilled.
20.2 Engineering Services
The Engineering Services function manages most of the administrative requirements for the continuing airworthiness of the aircraft and provides support and assistance to other functions. The basic functions for medium to large organizations are shown in Fig. 20.2.
Fig. 20.2 Engineering Services Organigram
The following paragraphs detail the main activities of each Engineering Services function.
20.2.1 Technical Publications
The Technical Publications (TP) function receives, controls, and distributes all the maintenance data that is necessary for the accomplishment of maintenance. The maintenance data includes, but is not limited to:
• external maintenance data:
  – regulation (EASA Continuing Airworthiness rules, AMCs, GMs, FAA 14 CFR, Advisory Circulars, competent authority publications, etc.),
  – Airworthiness Directives (AD),
  – Scheduled maintenance (MPD, MRBR, ALS, SSID, CPCP, LUR),
  – Master Minimum Equipment List (MMEL),
  – Service Bulletins (SB), Service Letters (SL),
  – Modifications/repairs data,
  – Maintenance and Repair Manuals of aircraft and components,
  – Troubleshooting manuals.
• internal maintenance data:
  – Company manuals (CAME/CAMP, MOE, Design organization manual, etc.),
  – Aircraft Maintenance Program (AMP),
  – Minimum Equipment List (MEL),
  – Configuration Deviation List (CDL).
TP should ensure that the maintenance data is:
• Updated: the maintenance data should be kept up to date by subscribing to revision schemes, checking that the revisions are being received and monitoring the revision status of the data.
• Controlled: a system and the necessary procedures should be established to receive, control, and distribute the publications.
• Distributed: the maintenance data needs to be distributed to all concerned parties and staff.
• Available: each person performing maintenance should have access to the maintenance data.
TP should establish and control a maintenance data library. It is usual to integrate the Technical Publications function within the Technical Services or IT Systems functions.
20.2.2 Technical Records
The Technical Records (TR) function receives, manages, and archives/retains the maintenance records. Maintenance records should also be made available to the concerned staff. Any maintenance performed on the aircraft or component and any release document of such aircraft/component must be controlled and recorded. The format in which the maintenance is recorded, certified, and stored (paper or electronic) should be acceptable to the competent authority. The maintenance records include, but are not limited to:
• delivery documents (Aircraft Inspection Report (AIR)/Aircraft Readiness Log (ARL), Engine/Propeller/APU Logbooks, LOPA, etc.),
• time in service and time since last maintenance of the aircraft and certain components, e.g., Life Limited Parts (LLP), Time Controlled Items (TCI), Overhaul, etc. Times are recorded in Flight Hours, Flight Cycles, Operating Hours, calendar time, etc., as appropriate,
• compliance status with maintenance requirements (Logbook, Task Cards, Engineering Orders, Work Orders, Work Packages, Shop Visit Reports, etc., including defect corrections and non-routine maintenance):
  – Airworthiness Directives (ADs),
  – Aircraft Maintenance Program (AMP),
  – Modifications/repairs,
• release of aircraft and components:
  – Certificate of Release to Service (CRS) of the aircraft,
  – Certificate of Release to Service of components (EASA Form 1, FAA Form 8130-3 or equivalent),
  – Certificate of Conformance (CoC).
Each maintenance record should include the date, the identification of the aircraft or component (registration, Part Number, Serial Number, as applicable), the times since new/overhaul, details of the work performed, maintenance certification with details of the certifying staff (authorization/signature), and the release of the maintenance performed.
TR should develop the necessary procedures to ensure the maintenance records are properly collected, recorded, stored, and made available to all concerned staff. Maintenance records should be protected from damage, alteration, and theft, and their integrity maintained.
TR largely supports the Aircraft Review Certificate (ARC), in an EASA environment, and the End Of Lease (EOL) processes by providing the necessary maintenance records. Larger organizations tend to segregate TR functions, e.g., configuration control, data entry, and digitalization/archiving.
The maintenance records retention period is three years since the release of the aircraft/component in an EASA environment. FAA requires, in general terms, to keep the maintenance records for one year or until the work is repeated or superseded by other work.
20.2.3 Technical Services
The Technical Services (TS) function assesses maintenance documentation and provides technical support/assistance to other functions. The Technical Services function includes, but is not limited to:
• assessment of maintenance data: Airworthiness Directives, modifications, repairs, SB, SL, CMM, and manufacturer/vendor recommendations, etc.,
• assessment of issues derived from reliability data trends,
• generating Engineering Orders (EO),
• review and closure of accomplished EO,
• prepare modification campaigns,
• coordinate Work Scopes with Maintenance Programs,
• provide expertise to other functions,
• participating in the rulemaking processes by providing comments to Notice of Proposed Amendment (NPA), Proposed AD (PAD), Notice of Proposed Rulemaking (NPRM), etc.,
• participating in the MRB Maintenance Working Groups (MWG).
AMP source documents, other than those specified in the above lines, are assessed by the Maintenance Programs function. It is convenient to establish the appropriate means of communication between both functions to avoid the omission of any requirement derived from the maintenance documentation assessment.
The Technical Services expertise may be required during a wide range of activities; some examples are the development of the AMP, participation in the internal “Maintenance Working Groups” and “Industry Steering Committee” during the Evolution/Optimization of the AMP, evaluation of new aircraft, system or component, evaluation of new equipment and tools, assistance in troubleshooting, etc.
Technical Services responsibilities may be segregated in regard to the fleet type, the area of expertise (by ATA or ATA groups), and the urgency of the work (short/long term), e.g.,
• Long-term TS: Aircraft Systems, Power plants, Aircraft Structure, and Cabin appearance.
• Short-term TS: depending on the type of operation and maintenance philosophy, a dedicated team available 24/7 that provides assistance on urgent day-to-day issues may be needed.
20.2.4 Maintenance Programs
The Maintenance Programs (MP) function assesses maintenance documentation and develops the Aircraft Maintenance Program. The Maintenance Programs function includes, but is not limited to:
• assessment of AMP source documents: AD (only those requiring specific actions into the AMP), MPD, MRBR, ALS, CMR, LUR, SSID, CPCP, and other ICA,
• assess source document changes versus reliability data,
• propose and implement task/check intervals,
• propose/participate in the Evolution/Optimization of the AMP,
• generate AMP revision and evaluation of the impact on other functions,
• management of Bridge Programs,
• create and control Maintenance Requirements,
• coordinate Work Scopes with Maintenance Planning and Technical Records,
• participating in the MRB Industry Steering Committee (ISC),
• provide assistance to other functions.
The assessment of AMP sources is detailed in Part 2 of this book. The Maintenance Programs responsibilities are usually segregated in regard to the fleet type and may be further defined considering the different Maintenance Programs within an AMP, e.g.,
• AMP Revision Preparation: Aircraft Systems, Aircraft Structure, Components, Landing Gear, Power plants, etc.,
• AMP Implementation: it may be segregated following the same reasoning as the AMP preparation,
• specific AMP Projects.
The generation of Task Cards to support the AMP Maintenance Requirements may be delegated to the Maintenance Programs function. In this chapter, it is considered a Work Preparation responsibility under the Production Planning and Control function.
20.2.5 Reliability
The Reliability function collects and analyzes the in-service data (reliability data) and proposes any necessary corrective action to ensure the AMP tasks and intervals are effective. The Reliability function is based on the Reliability Program. The Reliability function includes, but is not limited to:
• development of the Reliability Program,
• collect in-service data,
• analyze in-service data,
• coordinate corrective actions with Technical Services and/or Maintenance Programs (modifications, AMP changes, etc.),
• prepare the Reliability reports,
• chair the Reliability meetings,
• support AMP changes.
The analysis of in-service data and the scope of the Reliability Program are detailed in Part 3. Collection of quality in-service data requires appropriate procedures and coordination with the functions that source the data.
The Reliability function is essential for the development of the Embodiment Policy for non-mandatory recommendations (SBs, SLs, CMMs, etc.), as introduced in Sect. 8.4, and should be a main actor of the Modification Embodiment Policy Board.
The Reliability Program is a requirement for AMPs based on maintenance steering group logic and both functions should work in close coordination. It is usual to combine both functions under a Maintenance Programs and Reliability department.
20.2.6 Maintenance Planning and Scheduling
The Maintenance Planning and Scheduling (MP&S) function packages maintenance requirements issued by the Technical Services and Maintenance Programs functions, defines maintenance events, and assigns grounding times. The Maintenance Planning and Scheduling function includes, but is not limited to:
• assess the maintenance forecast and deferred maintenance versus the aircraft availability,
• work scoping: package Maintenance/Check Requirements issued by Technical Records (Engineering Orders) and Maintenance Programs (AMP Task Cards and Maintenance Checks),
• generation of Work Orders and Work Packages,
• assign maintenance events ground times,
• ensure the availability of resources.
The Maintenance Planning and Scheduling responsibilities may be segregated into:
• Short-term planning for Line Maintenance inputs, with dedicated resources to fulfill immediate necessities and avoid day-to-day issues and disruptions,
• Long-term planning for Base/Heavy Maintenance inputs, and
• Scheduling for tail and ground times assignment. Scheduling requires close coordination with Flight Operations.
20.2.7 IT Systems
The IT Systems function maintains the Information Technology means that support the Engineering Services and Maintenance functions. Nowadays, it is difficult to imagine the management of the continuing airworthiness and maintenance of an aircraft based on paper. The industry progresses fast, and there exists dedicated aviation enterprise asset management software with the capability to manage most of the requirements demanded by any airline size (finance, human resources, compliance monitoring, continuing airworthiness, planning, production, component maintenance, material management, communications, etc.). However, the use of different software that may be interfaced is still common. The IT Systems function includes, but is not limited to:
• management of IT solutions and their interfaces,
• ensure the integrity of the data managed by the IT solutions,
• backup of data, including maintenance data and technical records,
• development of new IT solutions,
• assess the impact of IT changes and ensure their smooth implementation.
The IT Systems function is critical to ensure the correct operation of all the rest of the functions, including compliance and the efficiency of the deployment of resources. The smallest error or omission may cause the biggest disruption.
20.3 Maintenance
The Engineering Maintenance function manages the execution of maintenance for the continuing airworthiness of the aircraft. Figure 20.3 shows the main activities of the Maintenance organization. The following paragraphs detail the main activities of each Maintenance function.
Fig. 20.3 Maintenance organigram
20.3.1 Production Planning and Control
The Production Planning and Control (PP&C) function is responsible for scheduling the aircraft maintenance event work and ensures the availability of the necessary resources (manpower, tools, equipment, material, maintenance data, and facilities). The PP&C function includes, but is not limited to:
• Evaluation of Work Packages and customization,
• Generation of Task Cards, including facilitation Task Cards, e.g., for access requirements,
• Identify and plan Critical Maintenance Tasks,
• Planning and status management of aircraft maintenance events,
• Coordinate subcontracted maintenance,
• Organize maintenance teams and shifts,
• Coordinate availability of tools, equipment, and material,
• Ensure the completion of maintenance,
• Ensure Deferred maintenance is addressed,
• Develop Capacity Plans,
• Evaluation of Critical Paths.
Capacity Planning refers to the amount of maintenance that the organization can complete. It requires estimation of resources and evaluation of Critical Paths that may delay the completion of maintenance events. As introduced in Sect. 5.2, the MPD provides additional information for the planning of each maintenance task, including estimated manpower. The man-hours provided by the MPD are usually adjusted to the operator efficiency using the labor efficiency factor. PP&C further adjusts these estimations based on the organization's maintenance experience.
On the other hand, in this chapter, the generation of Task Cards is considered a responsibility of PP&C, in a dedicated team for the Work Preparation, due to their grade of expertise and proximity to the real maintenance work. It is normal that the Work Preparation responsibilities are delegated to other functions such as Maintenance Planning or segregated between Maintenance Programs (AMP tasks) and Technical Services (modification/repair tasks). In this regard, the comparison related by Kinnison and Siddiqui¹ in the discussion on the control of the Material Support function by the Maintenance or the Finance department is quoted: “- Artistic decisions should not be made by non-artistic people- and -Technical decisions should not be made by non-technical people-”. Although a Maintenance Programs Engineer is qualified enough to produce Task Cards, the Production Planning and Control Engineer likely has a closer view of the maintenance necessities, which makes him more suitable, if there is any margin, to develop Task Cards.
¹ Aviation Maintenance Management (Pg. 181). Harry A. Kinnison & Tariq Siddiqui. Second Edition.
20.3.2 Maintenance Control Center
The Maintenance Control Center (MCC) function monitors the aircraft’s technical status and its serviceability. The MCC function includes, but is not limited to:
• assessment, monitoring, and coordination for Deferred Defects rectification,
• assessment of deviations (MEL and CDL),
• management of aircraft recovery (Aircraft On Ground (AOG) situations),
• coordinate with logistics the availability of spares,
• provide technical support to technicians and flight crew,
• coordinate Daily Checks,
• coordinate servicing of the aircraft and Line Maintenance dispatch,
• coordinate maintenance in outstations and in case of aircraft diversion.
If a Short-term Technical Services 24/7 function is defined, it may be integrated within the MCC team in order to provide assistance at the forefront on day-to-day issues.
20.3.3 Line/Base Maintenance
The main characteristics of Line and Base Maintenance are introduced in Sect. 9.1.1. The Line Maintenance function accomplishes maintenance before flight to ensure the aircraft is fit for the intended flight, usually without disturbing the flight schedule. The Base Maintenance function is in charge of maintenance out of the Line Maintenance scope and requires removing the aircraft from operation. PP&C usually coordinates Line Maintenance through MCC while the interface with Base Maintenance is direct. The Line/Base Maintenance function includes, but is not limited to, the performance of maintenance on the aircraft and its certification for release to service by duly certified/authorized staff.
20.3.4 Workshops
The Workshops function performs maintenance on parts and components removed from the aircraft. Workshops related to base/heavy maintenance, which support the aircraft while it is out of operation, work closely with PP&C, e.g., Cabin refurbishment, Metal and Composites repairs, or Paint Workshops. Other types of Workshops support aircraft at all times and require availability of spare parts, e.g., Battery, Oxygen, or Engine Workshops. Maintenance on these types of parts and components is usually performed on an exchange basis; the unit is removed and sent to the Workshop, and a serviceable unit is installed on the aircraft.
The Capability List of a Part-145 organization lists the items and scope of work that can be performed (in-house capability). If not identified in the Capability List, maintenance on components may be outsourced. In that case, the coordination with the Supply Chain and Material Support functions and the subcontractors becomes especially relevant.
Each Workshop has its own “Production Planning” function for the schedule of maintenance on the part or component with the appropriate manpower, tools, equipment, material, maintenance data, and facilities. Workshop spaces usually have their own work area with tools and equipment and a storage area with provisions to separate serviceable from unserviceable items.
20.4 Supply Chain and Material Support
The Supply Chain and Material Support function integrates all the activities that are required to furnish the Engineering and Maintenance organization with equipment, tools, and material at each location where they are required (Fig. 20.4).
Fig. 20.4 Supply Chain and Material Support Organigram
20.4.1 Inventory Control
The Inventory Control function supervises the material forecast to ensure that the supply chain of parts to Maintenance and Engineering at the selected locations is adequate (just-in-time), and AOG situations do not happen due to lack of parts.
20.4.2 Procurement
The Procurement function is responsible for purchasing material according to specifications, cost, delivery times, warranty, etc. The Procurement function should ensure that the material is certified to be fitted or used on the aircraft for which the purchase is intended. It includes a documental review (EASA Form 1, FAA Form 8130-3, Certificate of Conformance or equivalent). The Procurement responsibilities may be segregated in regard to the fleet type and the area of expertise (by ATA or ATA groups), e.g., Aircraft Systems, Power plants, Aircraft Structure, and Cabin items.
20.4.3 Stores
The Stores function is responsible for maintaining the integrity of the material and issuing and exchanging it with the mechanics. The Stores function should define the procedures to receive material, including a physical and documentary incoming inspection. The Stores function ensures that material that requires storage under certain conditions (Electrostatic Sensitive Devices (ESD), flammable items, oxygen, etc.) is properly addressed. The Stores function controls the Shelf Life of the stored items and any maintenance that they may require before their dispatch.
Rotable components and repairable parts and equipment/tools are usually available on an exchange basis and managed by the Component Repairs function. Tools/Equipment is usually available on a loan basis and should be returned to the Tool/Equipment stores once the activity for which they are issued has been completed. The Stores function is responsible for controlling that the maintenance required for Tools/Equipment (test, calibration, servicing, etc.) is addressed. The Store area must have provisions to segregate serviceable from unserviceable components, parts, and equipment/tools.
20.4.4 Component Repairs
The Component Repairs function manages the life cycle of aircraft rotable or repairable parts, equipment, and tools. These items are available on an exchange basis: the mechanic returns the unserviceable component subject to workshop maintenance, or the defective part, to the Component Repairs function in exchange for a new/overhauled/refurbished/repaired part, and the Component Repairs function manages the routing of the unserviceable item to the Workshop (in-house or outsourced). The Component Repair process works side by side with the Warranty and Insurance function.
20.4.5 Warranty and Insurance
The Warranty and Insurance function identifies if there is any warranty or insurance associated with the defective items returned by the mechanics. If the part is under a warranty period or is associated with an insurance, it is addressed to the warranty holder or through the insurance holder for repair.
20.5 Oversight Functions: Compliance Monitoring/Quality and Safety
Oversight functions are those responsible for surveilling that the regulatory requirements are complied with by the operator and subcontracted organizations. The oversight functions under the operator's responsibility are the Quality System/Compliance Monitoring, the Aircraft Review Certificate (ARC) (only required by EASA), and the Safety Management. These functions are responsible to the Accountable Manager and must be independent of other interests. Although the Quality and Safety Systems may oversee all the organization, their functions can be segregated, e.g., Quality System into Quality Engineering Support and Quality Maintenance. Subcontracted organizations, which may have their own oversight functions, must still be surveilled by the operator. In the hypothetical case of the medium to large Engineering and Maintenance organization presented in this chapter, the oversight function considered surveils all the other functions.
20.6 Training
The Training function provides the training courses and practices that are required for the Engineering and Maintenance organization staff. In this organization, training may be required for all the staff managing the continuing airworthiness or the maintenance of the aircraft (such as training on Safety Management Systems, EWIS, Fuel Tank Safety, Human Factors and refresher courses), be a requirement for specialized positions (such as aircraft or engine familiarization courses), or be a requirement for the issuance of an authorization. The most relevant authorization under this chapter is the one to perform maintenance on the aircraft. The requirements for licensing certifying staff are detailed in the Part-66 (EASA) and Part-65 (FAA). However, it is the Engineering and Maintenance organization, usually through the Compliance Monitoring/Quality function, which provides authorization to make use of that license on its aircraft.
20.7 Others
Certain functions that are not derived from the rules may be an added value to the entire organization, e.g., Process Analysis and Improvement or Innovation. These are extra functions that look not only for conformance but for safer and more cost-effective processes. Organizations with Process Analysis and Improvement and Innovation functions are at the forefront of the industry. Large organizations may deploy delegates of the contemplated function into other Engineering and Maintenance functions to ensure that best practices are adopted and new necessities are addressed in the most innovative (cost-effective) way. The Innovation function should work side by side with IT Systems to bring new or improved IT solutions. Some improvement tools are detailed in Part 6.
Chapter 21
Interface of the Maintenance Program with Other Functions
The Maintenance Programs function interfaces with most of the other Engineering and Maintenance functions described in the previous chapter one way or another. The process interfaces enable information to flow between activities; adequate information transformation and information exchange become essential to fulfill these interdependencies. As detailed in Part 5 of this book, lack of communication and misunderstandings are potential hazards that could threaten the safe operation. Focusing on the overall benefit of the organization, the interfaces between departments should be given priority over short-term goals of each individual function.
The process approach interrelates the different functions to produce specific outcomes, making it possible to achieve goals and objectives effectively and efficiently and enabling continuous improvement. This subject is further detailed in Part 6. When the interrelations between processes are appropriately defined beyond timing and resources, through a more detailed interface management focused on communication, it is possible to provide a better overview of information flow that in turn will provide the opportunities to identify performance indicators to support the decision-making process and apply continuous improvement methods (see Part 6).
The Maintenance Program function often plays a coordinating role for many of the Engineering and Maintenance activities, and the responsibilities of the AMP stakeholders need to be defined over the short-term goals of the individual departments for effective and efficient communication and collaboration. Table 21.1 summarizes those main interactions.
When there is more than one fleet type or AMP, the MP functions should coordinate for the standardization of processes and procedures. Requirements at component level for Part Numbers that are common between the programs of several fleets should be communicated and addressed by the affected MP functions.
On the other hand, when the MP function for a specific fleet is segregated (systems, components, powerplant, etc.), the necessary procedures for the assessment of the source documents and their implementation should be established in order to avoid
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_21
Table 21.1 Maintenance Programs main interactions with other E&M functions

Aircraft Asset Management

| E&M function | Maintenance Programs (MP) | E&M function named in the first column |
|---|---|---|
| Aircraft Asset Management (AAM) | Support the aircraft phase-out programs, including End Of Lease (EOL). Demonstrate compliance status as required in the Leasing contract | Provide the Delivery Technical Records to MP through Technical Records. Act as the main point of contact with the seller/lessor |

Engineering Services

| E&M function | Maintenance Programs (MP) | E&M function named in the first column |
|---|---|---|
| Technical Publications (TP) | Submission of the AMP to TP for its control and distribution. Identify new AMP source documents and address them to TP for control | Provide the latest revisions of the AMP source documents to the responsible staff of the MP function |
| Technical Records (TR) | Address deficiencies/discrepancies found in the Technical Records | Ensure the maintenance records comply with the requirements established in the AMP |
| Technical Services (TS) | Request technical advice to TS when high level of expertise is required. Coordinate with TS the development of Work Scopes | Request to incorporate/revise repetitive requirements derived from the analysis of ADs, SBs, SLs, modification/repairs, or from repetitive actions derived from the Reliability Program in the AMP. Inform MP about any action that may impact the scheduled maintenance |
| Reliability | Request the analysis of in-service data and support from the Reliability function when there are changes in the source document requirements | Request to implement corrective actions derived from the analysis of in-service data, e.g., a new requirement or de-escalation of the interval of an existing AMP task |
| Maintenance Planning and Scheduling (MP&S) | Changes on the Maintenance Check concept or intervals require MP&S agreement | Request deviation from the AMP defined intervals under unforeseen circumstances (Permitted Variation or Exceptional Short-term Extension) |
| IT Systems | Assist IT Systems to develop new solutions | Coordinate software upgrades or the implementation of new IT solutions that may impact the AMP |

Maintenance

| E&M function | Maintenance Programs (MP) | E&M function named in the first column |
|---|---|---|
| Production Planning and Control (PP&C) | Provide assistance for AMP Documental discrepancies, e.g., derived from the misalignment of MPD/AMM revision cycle. Provide List of new AMP tasks for review | Provide adequate in-service data (findings, non-routine maintenance, etc.) that is analyzable by the Reliability Program function in order to identify adverse trends |
| Maintenance Control Center (MCC) | Provide assistance during Aircraft On Ground (AOG) situations related to the AMP | Request Permitted Variation or Exceptional Short-term Extension, usually processed through Maintenance Planning |
| Line/base maintenance | Interfaces through PP&C | Interfaces through PP&C |
| Workshops | Provide assistance for component Work Scoping | Provides adequate in-service data (findings, shop reports, etc.) that is analyzable by the Reliability Program function in order to identify adverse trends |

Supply chain and material support Maintenance Programs (MP)
Inventory Control and Procurement
Provide List of new material, equipment, and Adjust the provisioning of material, equipment, tools and tools derived from the AMP revision Maintenance Programs (MP)
Stores
Assist with component storage requirements
Request assistance on component storage requirements
Maintenance Programs (MP)
Component repairs
Coordinate changes to rotatable component requirements
Request assistance on component repairs and Work Scopes
Maintenance Programs (MP)
Warranty and Insurance
Provide assistance with warranty or insurance issues
Request assistance on warranty or insurance issues
Oversight functions Maintenance Programs (MP)
Compliance Monitoring (CM)/Quality (QA)
Provide assistance during AMP audits
Surveil that the AMP complies with the applicable regulations and the policies and standards of the organization
Maintenance Programs (MP)
Aircraft Review Certificate (ARC) (EASA)
Provide AMP status, demonstrating compliance, and assist during the ARC process
Ensures compliance with the AMP
Maintenance Programs (MP)
Safety Management
MP, as part of the organization, is under the Safety Management System (SMS)
Ensure the safety standards derived from the MP
Training Maintenance Programs (MP)
Training
Propose MP training
Provide training to MP staff
256
21 Interface of the Maintenance Program with Other Functions
any error or omission. In the same way, the implementation of specific projects into the AMP, such as an Evolution/Optimization exercise, should also be appropriately defined through the corresponding procedures.
21.1 Service Level Agreements (SLA)

A Service Level Agreement (SLA) is an accord between two or more stakeholders to deliver the output of a process under stipulated specifications and times. In order to comply with the requirements established by each Engineering and Maintenance function, internal SLAs provide the right tool to commit to deliverables. SLAs are usually integrated within the organization procedures. With regard to the Maintenance Programs function, these are some examples of SLAs that may be agreed:

• Technical Publications (TP) to release the source documents of the AMP within a timeframe (days) after their publication on the manufacturer website, in a specific format and under a defined process or IT tool.
• Maintenance Programs (MP) to submit the AMP to Technical Publications within a timeframe (days) after its approval, in a specific format and under a defined process or IT tool.
• Technical Records (TR) to record the reliability data in a specific format and under a defined process or IT tool.
• Technical Services (TS) to provide the analysis of AD, SB, SL, modifications/repairs within a timeframe (days) after they are issued, in a specific format and under a defined process or IT tool.
• Reliability to provide a corrective actions list affecting the AMP on a periodic basis (monthly), in a specific format and under a defined process or IT tool.
• IT Systems to notify in advance, within a defined timeframe (weeks), of any scheduled IT maintenance action.
• Maintenance Programs to solve a Permitted Variation/Exceptional Short-term Extension within a timeframe (hours) after request.
• Maintenance Programs to submit new tasks to Production Planning and Control and Inventory Control within a timeframe (weeks) before AMP approval, in a specific format and under a defined process or IT tool.
There are plenty of processes within the Engineering and Maintenance organization that should be defined under specific agreed terms for the correct functioning of the organization.
Chapter 22
Impact of the AMP Revision on the Organization
The impact of an AMP revision on the Engineering and Maintenance organization should be assessed as part of the development of the revision. Changes that may modify resource requirements (e.g., for qualified staff, material, tools, equipment, or facilities) should be taken into consideration and analyzed before an AMP is submitted for approval. Coordination with the Maintenance functions is essential to avoid any possible future disruption.

While the escalation or deletion of AMP tasks is sought and welcomed by the whole organization, new or de-escalated tasks may cause an impact that should be acceptable to the affected functions; e.g., Line Maintenance should have, or be provided with, the capability and resources to perform de-escalated Base/Heavy Maintenance tasks. Large AMP changes, usually undertaken during major revisions, may require some adaptation of resources by the maintenance functions in order to be acceptable, e.g., Capacity Planning may be affected (additional resources or transfer of resources between Line and Base Maintenance, or vice versa), as may Material Planning, etc.

The elements of an AMP task that should be taken into consideration for the impact assessment are:

• Maintenance Check: the Maintenance Check in which the AMP task is, or is intended to be, allocated, and Bridge Program requirements.
• Maintenance Environment: which environment is required to accomplish the task, Line or Base/Heavy.
• Critical Maintenance Tasks (CMT)/Identical Tasks or Required Inspection Items (RII).
• Man-hours and Skills: the workload and skills required to accomplish the task.
• Materials, equipment, and tools.
• Facilities: availability of facilities.
• Maintenance documentation: new maintenance documentation may require further assessment by PP&C.
• Phase-out conditions: special attention should be given to the End Of Lease (EOL) contracts. For example, the effort of implementing an Escalation or Evolution/Optimization exercise may not make sense when there is no opportunity to benefit from it before the aircraft phase-out.

The Maintenance organization usually has the processes in place to absorb small changes derived from the AMP revision, e.g., Capacity and Material Planning procedures, the Reliability Program, etc.; however, it is advisable to address the requirements of new AMP tasks to the affected functions for their assessment, e.g.,

• List of new AMP tasks to PP&C, including tasks requiring specialized techniques and skills, e.g., NDT tasks.
• List of new material, equipment, and tools to Inventory Control.
• List of intended deleted and escalated tasks that may adversely affect the reliability to the Reliability function.

Large AMP changes, such as a Maintenance Check interval revision due to an MRBR revision or an Evolution/Optimization exercise, should be presented to the affected functions in advance of the approval for a comprehensive assessment. Appendix A provides guidelines to compute the cost of an AMP revision, which may be of interest to budgeting functions.
Part V
Safety Management
In the early days of aviation, the still undeveloped regulatory systems and the emerging basic technology were not sufficient to prevent the increasing number of aircraft accidents. The investigations of such accidents were the principal means of prevention; technological improvements and increased regulatory activity made aviation the most regulated but also the safest mode of transportation since the 1950s. The understanding of aviation safety was based on regulatory compliance and oversight, but given the complexity of the operations, this did not provide enough guidance to cover all the possible scenarios.

As we have seen in the “Lessons Learned” boxes throughout Part II of the book, the recommendations of the aircraft accident investigation bodies have shaped today's aviation regulations: protection against hazards derived from technical factors such as EWIS, lighting, high intensity radiated fields, ignition sources, fuel tank flammability, accidental and fatigue damages, environment, aircraft separation, and aircraft extended diversion times. If the evident cause of an accident was not technological failure, the “safety rules breakers” took all the attention. The safety concerns derived from those investigations were addressed specifically, but the understanding of hazards was not comprehensive, e.g., if an aircraft was not able to reach an alternative aerodrome after an engine failure, diversion times were established for two-engine aircraft and nothing more.

By the 1970s, after major technological advancements, the technical factors took a secondary role and human factors became the focus of safety. The industry efforts concentrated on minimizing the effects of individual human errors, which needed to be kept under control. In the 1990s, a new philosophy arose from a better understanding of hazards: individuals do not work on their own but in the context of an organization. Since then, regulations have viewed safety from a systemic point of view that encompasses technical, human, and organizational factors. In addition to mandatory reporting of certain occurrences, voluntary reporting systems arose at all levels, making the identification and reporting of hazards everybody's responsibility.
After the tragic events of September 11, 2001, in which four coordinated terrorist attacks carried out by an extremist group ended with four passenger aircraft hijacked and crashed into the World Trade Center towers in New York City, the Pentagon, and a field in Pennsylvania, the focus shifted to the security aspects of the entire air transport system. Regulations evolved to mitigate the effects of security on safety. As new threats arise, especially in the cybersecurity area due to increasingly digitalized systems and aircraft on-board electronic networks, the requirements also mature to ensure that cyber risks are taken into account during the design of the aircraft and its operation. The requirement for Aviation Security Management Systems, including the management of information, needs urgent attention, and the main regulators are working against the clock to achieve a structured approach that minimizes the effects of security risks.

This chapter focuses on the already matured requirements and introduces the Human and Organizational factors as sources of errors, some of the models and tools for the analysis and understanding of the interactions of such factors with other components of the aviation system (SHELL, PEAR, Dirty Dozen and Reason's models), and the safety strategy cascaded down from the ICAO Annex 19 – Safety Management SARPs (State Safety Programs (SSP) and Safety Management Systems (SMS)). For further details about one of the main elements of the safety risk management component of the SSP, the Aircraft Accident Investigation process, refer to Appendix II.
Chapter 23
Hazards and Safety Risks
The core processes of safety management are hazard identification and safety risk management. The two concepts can be confused if not properly defined.

A hazard is a condition with the potential to cause injuries to people, damage to equipment or structures, loss of material, or reduction of ability to perform a prescribed function. Hazards can be classified into two types:

• Latent conditions: conditions that are present in the system but are not perceived as harmful, e.g., operation over safety, poor communication, or poor management decisions.
• Active failures: actions or inactions with an immediate adverse effect, e.g., errors, deviations from the described procedures or violations.

Hazards can be identified reactively, after an accident or incident happens, or through proactive and predictive processes that identify hazards before a safety event occurs, e.g., flight data analysis, voluntary reporting systems, safety surveys, audits, trend monitoring, etc.

The Accident Triangle theory, usually associated with an iceberg (Fig. 23.1), shows the relation between accidents, serious incidents, minor incidents, and latent conditions. The theory proposes that if the number of latent conditions is reduced, there will be a corresponding fall in the number of accidents.

The Guidance on Hazard Identification¹ document, developed by the European Commercial Aviation Safety Team (ECAST), details the hazard concept within a safety risk management framework and identifies a number of tools and techniques for hazard identification: brainstorming, Hazard and Operability Studies (HAZOPS), Checklists, Failure Modes and Effect Analysis (FMEA), Structured What-If (SWIFT), Dynamic Models and Future Hazards Identification through the FAST method.
¹ Guidance on Hazards Identification. ECAST—Safety Management System and Safety Culture Working Group (SMS WG), March 2009.
Fig. 23.1 Illustration of the Accident Triangle theory. Levels shown in the figure: Accidents (1-5), Serious incidents (30-100), Minor incidents (100-1000), Latent conditions (1000-4000)
A Safety Risk is the probability and severity of the consequences or outcomes of a hazard. Safety Management Systems often jump from identifying hazards directly to mitigation and bypass the evaluation of the safety risks of the consequences of hazards. However, Safety Risk Management is necessary for assigning priorities effectively and allocating resources between all assessed safety risks. The assessment of the risks associated with the hazards and the implementation of mitigation measures to reduce the risks to an acceptable level is represented in the Bow-Tie diagram (Fig. 23.2). The Bow-Tie methodology consists of the risk scenarios around a certain hazard and the ways in which the organization stops those scenarios from happening. It is a multipurpose tool that is used to analyze risk scenarios, show their potential costs, manage safety accidents/incidents, or perform Root Cause Analysis (RCA). The method is further detailed with the Root Cause Analysis methods in Sect. 28.1.3.

Fig. 23.2 Bow-Tie diagram

Safety Risk Management requires assessing whether the safety risks are acceptable or not and whether they can be mitigated or not. This is usually determined through a defined Safety Risk Assessment Matrix (Fig. 23.3) that is used to assign a Risk Index based on the severity of the risk (e.g., catastrophic, hazardous, major, minor, or negligible) and its probability (e.g., from extremely improbable to frequent).

Fig. 23.3 Safety Risk Assessment and Safety Risk Tolerability Matrixes

When the mitigation actions may reduce the safety risk to an acceptable level, a Return on Investment (ROI) or Cost–Benefit Analysis (CBA) of the mitigation becomes necessary. If a safety risk is unacceptable or the mitigation means are not cost-effective, the operation must be canceled. The Modification Embodiment Policy presented in Sect. 8.4 is a good example for the case in which the safety risks are derived from technological factors: a DAH identifies hazards that may affect the airworthiness of the aircraft and proposes solutions; then the operator assesses the associated safety risks, including a Return On Investment (ROI) or Cost–Benefit Analysis (CBA), to justify the decision to embody or not to embody the proposed solution.
Chapter 24
Human Factors
Expanding on the introduction to this part: in the early days of aviation, about 80% of the accidents were caused by technical factors and about 20% by human factors. Human Factors took on special relevance during the 1970s, when the aviation industry realized that human errors, rather than technical failures, were underlying most aircraft accidents and incidents. During that decade, the SHELL model was developed as a simple conceptual tool for the analysis of the interactions of the human with other components and features of the aviation system: Software, Hardware, Environment, and Liveware.

On December 28, 1978, the flight crew of United Airlines Flight 173 became so absorbed with the diagnosis of a landing gear failure that they aborted the landing procedure but failed to monitor their fuel state, and the aircraft crashed. The accident triggered the requirement for Crew Resource Management (CRM) training for flight crew and other personnel essential to flight safety.

The error percentages (80% technical, 20% human factors) were progressively reversed until the 1990s: the advanced reliability of the aircraft and its components reduced the percentage of accidents attributed to technical factors to 20%, but the increased complexity of aircraft systems and organizations raised human factors to 80%.

Just as CRM emerged from a tragic event, the Aloha Airlines Flight 243 accident led to the requirement for Maintenance Resource Management (MRM) training. MRM was initially an adaptation of CRM to aircraft maintenance.

On March 10, 1989, Air Ontario Flight 1363¹ was not able to attain sufficient altitude to clear the trees beyond the end of the runway, due to the heavy ice and snow accumulated on the wings. The APU had been inoperative and one engine had been running to provide the aircraft with electrical power while on ground, which did not allow the de-icing procedures to be performed. The aircraft crashed and caught fire, killing 24 of its 69 occupants.

In 1993, Gordon Dupont, an experienced Aircraft Maintenance Engineer and Aircraft Accident Investigator, while working for Transport Canada, developed a Human Factors training program for maintenance derived from the recommendations of the Moshansky report (investigation of the Air Ontario Flight 1363 accident). To follow up on the training program, Dupont developed a set of Dirty Dozen Safety posters. During his years of experience, he had realized that every accident he had investigated seemed to have the same preconditions in common.²

During the 1990s, the FAA developed the PEAR model (People, Environment, Actions, Resources) with human factors in aircraft maintenance in mind. Although the content is basically the same, the PEAR model describes human factors in less abstract terms than the SHELL model.

Reason's model (Swiss Cheese model) for accident causation also appeared at the beginning of the 1990s to relate Human Factors and organizational factors, supervision, preconditions, and specific acts. It is covered in Chap. 25 Organizational Factors.

¹ Final Report—Commission of Inquiry into the Air Ontario Crash at Dryden, Ontario. Commissioner Virgil P. Moshansky by order in Council, 1992.
Lesson Learned—Human Factors

The three shocking cases presented below expose common human factors that ended or may have ended in severe consequences.

Continental Express Flight 2574 (Eagle Lake)—In-flight Breakup

On 11 September 1991, Continental Express Flight 2574, operated with an Embraer EMB120 between Laredo and Houston, Texas, broke up during descent over the Eagle Lake area and crashed, killing all 14 occupants. The leading edge of the left horizontal stabilizer separated from the airframe, leading to an aerodynamic stall; as the aircraft pitched nose-down, the left wing failed and released fuel, which caused a fire, and the right wing tip detached from the aircraft. The horizontal stabilizer and left engine separated and the aircraft was uncontrolled until the impact.

The investigation carried out by the NTSB³ revealed that the 47 screw fasteners that would have attached the upper surface of the leading edge assembly for the left side of the horizontal stabilizer were missing. The replacement of the leading edge deice boots of the left and right horizontal stabilizer had been scheduled for the night before the accident. Normally, the old boots are stripped from the leading edge, the deice lines disconnected, the leading edge removed, a new boot bonded on, and the leading edge reinstalled. During the evening shift, two mechanics removed most of the right leading edge bottom screws while the inspector removed the attaching screws from the top of both the right and the left leading edges. The corresponding entry was made in the turnover sheet, but the incoming midnight shift inspector reviewed the sheet before it was made. The midnight shift removed the right leading edge, bonded a new boot, and reinstalled it. The removal of the left leading edge was deferred to another night, and the midnight shift did not notice that the work on the left side had already been started.

Among other conclusions, the NTSB pointed out that the work on the horizontal stabilizer leading edge had not been identified as an RII and recommended that the FAA review the regulations, policies, and practices related to RII.

On 9 December 1992, 15 months after the accident, another Continental Express EMB120 was involved in an incident; after takeoff, the crew noticed a vibration through the airframe and control column and returned to the departure airport. The investigation revealed that 14 screws were missing from the left upper aileron vane, the result of their being partially removed during maintenance and of the failure of the quality control inspector to detect it.

² Meeting 11: Human Error in Aviation Maintenance. The Dirty Dozen Errors in Maintenance (pg. 45–49, Gordon Dupont). FAA Office of Aviation Medicine, 1997.
³ Aircraft Accident Report—Continental Express Flight 2574 In-Flight Structural Breakup, EMB120RT, N33701. NTSB. 21 July 1992.

British Airways Flight 5390—the Miracle of the Captain Sucked out of the Cockpit

On 10 June 1990, the BAC One-Eleven aircraft operated as British Airways Flight 5390 between Birmingham, UK, and Malaga, Spain, suffered an explosive decompression. At 17,300 feet, the left windscreen of the cockpit was blown out and the pilot in command was partially sucked out of his windscreen. His legs were caught on the flight controls; the cabin crew restrained him while his torso remained outside of the aircraft during the 20 min of emergency descent carried out by the copilot. Apart from the fractures, the frostbite, and the shock of the pilot in command, no other serious injuries occurred.
Fig. 24.1 British Airways Flight 5390 windscreen. Photo via Solo Syndication
The investigation led by the UK Air Accident Investigation Branch (AAIB)⁴ determined that the main cause of the accident was the replacement of the left windscreen prior to the flight, in which 84 out of a total of 90 securing bolts were of smaller diameter than specified. The left windscreen had been changed during the night shift of the previous day due to noted cruise darkening and bubbling. The shift maintenance manager, with 33 years of experience, removed the windscreen and decided to replace the bolts that presented signs of corrosion or that had been damaged during removal. The shift manager took one of the bolts and went to the stores to identify it by comparison, omitting the identification through the Illustrated Part Catalogue (IPC). He identified P/N A211-7D while the windscreen should have been fitted using A211-8D. Because of their small size, the bolts did not have identification, and when he noticed that there were not enough A211-7D bolts, he picked A211-8C bolts that were visually equal. The shift manager required glasses for close work as he had difficulties reading small print or figures, especially at night, but he did not use them while performing the windscreen replacement. He fitted the windscreen using 84 of the A211-8C bolts, which were smaller in diameter, and 6 of the A211-7D bolts, which were of the same diameter but shorter.
⁴ Aircraft Accident Report 1/92 on the Accident to BAC One-Eleven, G-BJRT over Didcot, Oxfordshire. Air Accidents Investigation Branch (AAIB), February 1992.
Additionally, the windscreen replacement was not identified as requiring a duplicate inspection to cover possible safety-critical situations caused by servicing errors. The AAIB pointed to the eroded potential of the shift manager to achieve quality in the windscreen fitting process as one of the causal factors of the accident: inadequate care, poor trade practices, failure to adhere to company standards, and use of unsuitable equipment.

Continental Airlines Flight 1515—a Mechanic Ingested by an Engine

On 16 January 2006, while the Continental Airlines Boeing 737 operated as Flight 1515 was waiting at El Paso International Airport, Texas, for a check of a leak detected by the flight crew, a mechanic stepped into the inlet hazard zone and was ingested by the engine and shredded. The NTSB investigation revealed the failure of the mechanic to maintain proper clearance with the engine intake during a jet engine run, and the failure of contracted maintenance personnel to follow written procedures and directives of the airline's maintenance manual.
Fig. 24.2 CFM56-3 Engine on a Continental Airlines B737-524. Photo by Ken Iwelumo
The flight crew had discovered an oil leak on the right engine during the preflight inspection and the airline station staff called contract maintenance to investigate it. Three mechanics from the contract maintenance attended the call and started the job without the specific procedures and authorizations that were required under the airline's procedures, even though the airline's controller attempted to contact them about this.
The mechanics opened both sides of the engine fan cowls and asked the captain for an engine run to check for the source of the leak. One mechanic was positioned on the inboard side of the engine, another on the outboard side, and the third mechanic stood clear of the engine because the job was part of his On the Job Training. A small leak was observed, and one of the two mechanics around the engine asked the captain to run the engine at 70% power to conduct further checks, which were initiated after verifying with the mechanic that the area was clear. The mechanic on the outboard side of the engine stood up and stepped into the inlet hazard zone, and the engine ingestion happened. The captain immediately stopped the engine run.

The mechanic who was fatally injured had worked for the contract maintenance for more than 10 years, had been certified for 40 years, and had received maintenance training from the airline, except specific training regarding ground engine runs and associated hazards. The other mechanic stated that maintenance instructions were not needed for the engine run because engine oil leaks were a common occurrence and because of his past experience as a mechanic.
24.1 Human Factors Modeling

Human performance modeling serves to investigate and analyze Human Factors by targeting training and prevention efforts. The objective of the models is to understand the underlying causal factors that lead to an accident/incident.⁵
24.1.1 The SHELL Model

The SHELL model helps to visualize the interrelationships between the human (Liveware) and the rest of the components and features of the aviation system (Software, Hardware, Environment, and Liveware). It does not cover interfaces outside Human Factors (hardware–hardware, hardware–environment, software–hardware, software–environment, etc.).

The humans (Liveware) are at the center of the model. Because human performance is variable, some factors that affect individual performance make the edge of the block rough: physical factors (strength, vision, hearing, etc.), physiological (oxygen availability, health, stress, fatigue, drugs, etc.), psychological (adequacy of training, experience, workload, etc.), and psycho-social factors (interpersonal conflicts, personal problems, etc.).

⁵ Aviation Maintenance Technician Handbook—General (Chapter 14 Human Factors). FAA, Flight Standards Service. 2018.

Fig. 24.3 SHELL model

Interfaces of the Liveware with the other aviation system components

Liveware–Hardware (L–H). It is the interface of the human with technology, e.g., design of seats to fit the sitting characteristics of the human body or displays to match the sensory and information processing characteristics of the user. The human tends to adapt to L–H mismatches, which can mask deficiencies that only become evident after an occurrence. The rough edge between both components is minimized with ergonomics, a process to design or arrange workplaces to fit the people who use them. In the cockpit, ergonomics is applied from the design phase. For example, CS/FAR 25 requires that “each pilot compartment must be arranged to give the pilots a sufficiently extensive, clear, and undistorted view, to enable them to safely perform any manoeuvres….”

Liveware–Software (L–S). It is the relationship between the human and the supporting systems found in the workplace, e.g., regulations, manuals, procedures, computer software, etc. The edge between both components is minimized by a user-friendly design of documentation and software: simple and standardized vocabulary, phraseology and formats, accuracy, and clarity. As an example, EASA Part-M and Part-145, in order to minimize the errors that could be made by technicians, require that “maintenance tasks are transcribed onto the work cards or worksheets and subdivided into clear stages to ensure a record of the accomplishment of the maintenance task, differentiating, when relevant, disassembly, accomplishment of task, reassembly and testing.” Rules to develop regulations, manuals, procedures, etc., are specified in the aviation regulations at all levels.
Liveware–Liveware (L–L). The interface between humans plays a role in determining their performance: flight crew, air traffic controllers, maintenance engineers, etc. The advent of Crew Resource Management (CRM) and its extension to maintenance, Maintenance Resource Management (MRM), focus on the interactions amongst humans at different levels of the aviation system. Relationships between staff and management, corporate culture, operating pressures, and other factors that can significantly affect human performance are within the scope of L–L.

Liveware–Environment (L–E). Relations between the human and internal/external environments. Internal environment refers to physical considerations such as light, temperature, noise, vibration or air quality, and external environment refers to things such as weather or turbulence. The adequacy of physical facilities can be highly influenced by the local financial situation and the effectiveness of the regulations, which may create pressures to take shortcuts, lead to inadequate infrastructure, and compromise the quality of decision-making. Both EASA and the FAA incorporate rules to minimize the L–E edges, e.g., EASA Part-M requires that “any person or organization performing maintenance shall ensure that proper facilities are used in case of inclement weather or lengthy maintenance” or FAA Part-145 requires that “each certificated repair station provides ventilation, lighting, and control of temperature, humidity, and other climatic conditions sufficient to ensure personnel perform maintenance, preventive maintenance, or alterations to the standards required.”

The SHELL model is considered in the ICAO framework and in the Accident/Incident Data Reporting (ADREP) taxonomy, the current international standard for aviation accident/incident databases, and consequently in the European Coordination Centre for Accident and Incident Reporting Systems (ECCAIRS) database (see Sect. 26.3 for further details).
24.1.2 The PEAR Model
The PEAR model was developed by the FAA to recall the four considerations for assessing and mitigating Human Factors in aviation maintenance: People, Environment, Actions, and Resources. The PEAR model expresses human factors in less abstract terms than the SHELL model, although the content is basically the same. The model is used by the FAA and other Civil Aviation Authorities for their Maintenance Human Factors training.
Components of the PEAR model
People who do the job. The same factors related to the Liveware component of the SHELL model are considered in the PEAR: physical, physiological, psychological, and psycho-social factors.
Environment in which they work. The environments considered are the physical (weather, location inside/outside, workspace, shift, lighting, sound level, safety) and the organizational (staff, supervision, labor-management relation, pressures, crew structure, size of the company, profitability, morale, corporate culture).
Actions they perform to complete tasks: steps to perform tasks, sequence of activity, number of people involved, communication requirements, information control requirements, certification requirements, knowledge requirements, skill requirements, inspection requirements, etc.
Resources necessary to complete the job. A resource is anything the person performing the task needs to get the job done: procedures/workcards, technical manuals, other people, test equipment, tools, computer/software, paperwork/signoffs, ground handling equipment, work stands and lifts, fixtures, materials, task lighting, training, quality systems, etc.
24.2 The Dirty Dozen
The Dirty Dozen is the list of the twelve most common human error conditions or preconditions that can act as precursors to accidents or incidents: Lack of Communication, Complacency, Lack of Knowledge, Distraction, Lack of Teamwork, Fatigue, Lack of Resources, Pressure, Lack of Assertiveness, Stress, Lack of Awareness, and Norms. The Dirty Dozen has become a cornerstone of Human Factors to introduce human error accident precursors and is widely used in training. However, for a more comprehensive list of human error accident precursors, it is necessary to consult more detailed guidance, e.g., ICAO Circular 240 Investigation of Human Factors in Accidents and Incidents, or more specialized guidance, e.g., ICAO Human Factors Guidelines for Aircraft Maintenance Manual (Doc 9824).
Numerous modifications and customizations to the Dirty Dozen list have been produced by the aviation industry; for example, Hawker Pacific Aerospace (HPA) expanded the Dirty Dozen to the “Filthy Fifteen” in its Human Factors training to incorporate three more human performance issues: Not Admitting Limitations, Lack of Operational Integrity, and Lack of Professionalism.
I introduce here my Dirty Dozen Number Zero: Optimism Bias. Optimism Bias refers to the mistaken belief that oneself is less exposed to committing an error or that the consequences of a personal error would not be catastrophic. It is like: It will not happen to me! People tend to think that unlikely events, such as an aircraft accident, cannot be derived from their actions or inactions. Optimism Bias acts together with each element of the Dirty Dozen and is likely the most difficult to reduce or eliminate, although experts show that experiencing certain events can reduce it.
Since Dupont’s Dirty Dozen posters, conceived originally for aircraft maintenance, the list has found its way into all areas of the aviation industry as an introduction to human errors: flight crew, air traffic controllers, etc.
The following paragraphs introduce the Dirty Dozen, referring to some of the accidents/incidents presented in the “Lessons Learned” boxes found throughout the book.
Dirty Dozen List:
1. Lack of Communication
2. Complacency
3. Lack of Knowledge
4. Distraction
5. Lack of Teamwork
6. Fatigue
7. Lack of Resources
8. Pressure
9. Lack of Assertiveness
10. Stress
11. Lack of Awareness
12. Norms
Accidents/incidents do not occur from a single cause, and the same holds for their precursors; the Dirty Dozen components are interrelated and accidents/incidents usually involve several conditions. Additionally, the Dirty Dozen is better understood in the context of the organization; for a comprehensive assessment of the overall situation, human factors must be assessed together with technical and organizational factors.
24.2.1 Lack of Communication
Failure to transmit, receive, or provide enough information to complete a task is a key human factor. With verbal communication, usually what others remember is the first and the last part of what is said. It is estimated that only about 30% of a verbal message is received and understood. The aviation industry is multicultural, and special attention must be given not to misunderstand or misinterpret messages.
The typical scenario where communication is critical and can cause issues is during shift change at maintenance. A job that has been partially accomplished is transferred from the technician finishing his duties to the technician starting his duty. The regulations already reflect the importance of adequate communication between outgoing and incoming staff and require a formalized process for exchanging information between outgoing and incoming persons, a planned shift overlap, and a place for such exchanges. It is required that communication is effective at the handing over of the task: The outgoing person must be able to understand and communicate the important and critical elements of the job, and the incoming person must be able to understand and assimilate the information provided.
Continental Express Flight 2574 represents a good example of a maintenance system with established handover procedures, but in which the communication failed; the evening shift supervisor failed to effectively pass the information of the job already performed to the midnight shift supervisor.
Communication occurs at all levels: between organizations (continuing airworthiness, maintenance, design organizations, manufacturers, vendors, etc.), within functions of the operator, and between staff within the same function.
Safety Nets:
• Never assume anything.
• For critical tasks, consider using more than one form of communication.
• Use logbooks, worksheets, etc., to communicate and remove doubt.
• Discuss work to be done or what has been completed.
24.2.2 Complacency
Complacency is the overconfidence, usually gained over time, from repeated experience performing a task. Although the term is usually used for auto-complacency, when the overconfidence comes from personal experience, complacency may also refer to overconfidence in a system, especially with automated systems (the company procedures, the maintenance system, the maintenance software, etc.). Complacency leads people to take shortcuts, skip steps, or not follow procedures or instructions.
British Airways Flight 5390 represents a useful complacency example in which the shift manager was confident to install the windscreen with the bolts he believed were those to be used, without the need of a crosscheck with the IPC.
Likely, the most relevant accident in which complacency was present is the Aloha Convertible Flight 243 detailed in Chap. 7. An AD requested the inspection of some lap joints, excluding those involved in the accident, and an eddy current inspection of the entire panel where cracks were found, which would have revealed the effects of Widespread Fatigue Damage in the area. The inspectors, with 22 and 33 years of experience, had visually detected cracks and accomplished two repairs, but there was no documented eddy current inspection. Additionally, the investigation revealed that a visual examination between both repairs would have detected evident fatigue cracks emanating from the fastener holes. Despite the cracks and the repairs, the inspectors also failed to assess further the SB related to the AD, which recommended the inspection of other lap joints in addition to those required by the AD, including the lap joints whose cracking caused the accident.
Although a person can be motivated to do a critical task very well, when it has to be repeatedly performed, factors such as boredom or task length can influence performance reliability.
Safety Nets:
• Expect to find errors.
• Use Checklists.
• Train yourself to expect to find a fault.
• NEVER sign for anything you didn’t do.
24.2.3 Lack of Knowledge
Shortage of experience, training, information, or ability to successfully perform a task is a potential hazard when no safety nets are provided. The requirement for qualifications, relevant experience, and training is recognized in the aviation regulations, as well as continuous training that is essential to keep up to date with changing regulatory requirements, technology, systems, processes, and procedures.
The most recent catastrophic examples in which Lack of Knowledge was involved are the Boeing 737 MAX Lion Air Flight 610 and Ethiopian Airlines Flight 302, detailed in Sect. 4.1.3, where the pilots did not know about the functionalities of the new MCAS software that was designed to push the aircraft nose down under certain flight conditions.
Safety Nets:
• Use current manuals.
• Ask when you don’t know.
• Participate in training.
24.2.4 Distraction
Anything that draws the attention away from the task at hand is a distraction: external sources of distractions such as noises, immediate request for assistance or advice, conversations, phone calls, messages, etc., but also internal sources of distractions that may be derived from stress or fatigue. Distractions are the cause of a big portion of all maintenance errors due to forgetting things, including what has or has not been done.
In the emergency of the Air Canada Flight 143 known as Gimli Glider, related in Sect. 9.1.4, the technician attempted a self-test of the fuel indication system by resetting a circuit breaker but was distracted by the arrival of the fueller and forgot to pull the circuit breaker again, so it remained activated. The distraction of the technician was a contributing factor to the event that led the aircraft to run out of fuel in flight.
Safety Nets:
• Use checklists.
• Mark the uncompleted work.
• Go back three steps when restarting the work.
24.2.5 Lack of Teamwork
Lack of Teamwork is characterized by the failure to work together to complete a shared goal. Often tied with Lack of Communication or Assertiveness and with unclear roles and responsibilities, Lack of Teamwork leads the individuals to work by themselves and not to communicate with the rest of the team.
During the investigation of the Air France Flight 447 accident, detailed in Sect. 9.3.3, the recording of the CVR suggested that while the pilot in command was resting, failing to follow the crew resource management procedures, the two copilots in charge of the aircraft were left with the uncertainty of who was in charge, a contributing factor to the catastrophic aircraft aerodynamic stall.
Teamwork is not only a matter of the individual attitude but should also be built from effective management and leadership positions that are able to identify, promote, and use the full potential of each person within the team. The greatest detractor of Teamwork is negative politics, typical of large organizations, which may overshadow the importance of a shared goal and make different teams or people within the same team work in different directions.
Safety Nets:
• Discuss what, who and how a task should be done.
• Make sure everyone understands and agrees.
24.2.6 Fatigue
Physical or mental exhaustion can threaten work performance. Fatigue is usually derived from long periods of work or short periods of rest but can arise as a manifestation of stress or lack of motivation.
In 2008, both pilots of the Bombardier CL-600 operated as Go! Flight 1002, on a short flight between Hawaiian Islands, fell asleep. Despite the attempts of the controllers trying to contact the flight crew, the aircraft passed over its destination airport and continued for about 26 nautical miles until the captain woke up and returned to the destination without further consequences for the flight. Both pilots had fallen asleep during the midmorning hours, a time associated with wakefulness and rising alertness; they were fatigued.
The Go! Flight is not an isolated case; a survey of the British Airline Pilots’ Association (BALPA) showed that 43% had involuntarily fallen asleep in the cockpit, and of those, 31% said that when they woke up the other pilot was also asleep.
Flight Crew and Maintenance staff are more prone to suffer fatigue due to irregular duty times (nightshifts, rotating shifts, etc.) that may end with poor sleep. Although aviation regulations are strict in regard to working times and rosters, in the end it is a personal responsibility to plan and make use of the rest periods provided to minimize fatigue.
Safety Nets:
• Watch for symptoms of fatigue in yourself and others.
• Plan to avoid complex tasks at the bottom of your circadian rhythm.
• Sleep and exercise regularly.
• Ask others to check your work.
24.2.7 Lack of Resources
Lack or bad quality of qualified people, equipment, documentation, data, time, parts, etc., can interfere with the ability to complete a task adequately. When Lack of Resources is accompanied by Pressure to complete a task, it becomes a time bomb. See the Air Transat Flight 236 example in the following paragraphs.
Safety Nets:
• Order parts before they are required.
• Have a plan for pooling or loaning parts.
• Maintain a standard and, if in doubt, ground the aircraft.
24.2.8 Pressure
Real or perceived forces demanding high-level job performance may become a hazard when they interfere with completing a task correctly. Pressure can come directly from clients, the organization, a manager, the team, etc., due to the established resources and deadlines. But Pressure can also be self-induced when one takes on additional work that cannot be handled. Assertiveness is likely the most effective safety net to minimize pressure; a “No!” in time may help not to compromise safety standards.
In the Air Transat Flight 236 incident related in Sect. 10.4, in which the aircraft ran out of fuel in the middle of the Atlantic Ocean due to a fuel leak, there was a component of time pressure to complete the work in time for a scheduled flight and to clear the hangar for an upcoming event. Pressure also played a role when the technician was not able to access the SB (resource) due to network issues and he relied on MCC advice without consulting the document.
Safety Nets:
• Be sure the pressure isn’t self-induced.
• Communicate concerns, be assertive.
• Ask for extra help.
• Put safety first and learn just to say No.
24.2.9 Lack of Assertiveness
Lack of Assertiveness is the failure to speak up or document concerns about instructions, orders, or the actions of others: failing to speak when things do not seem right. The opposite side is the aggressive behavior, which can be as harmful as the Lack of Assertiveness. In a positive way, Assertiveness is the ability to express your thoughts, opinions, and needs in a productive manner. It is related to other Dirty Dozens, especially Lack of Communication and Lack of Teamwork. Management positions must be familiar with the behavior styles of the team they supervise so they can use their best skills.
The British Airways Flight 5390 represents an example of Lack of Assertiveness from the Stores Supervisor side. He had been in the job for about 16 years and realized that the shift manager had wrongly identified the Part Number of the bolt as A211-7D, so he informed him that the correct part number to install the windscreen was A211-8D but did not press the point, ending with a pilot partially blown out of an aircraft.
Safety Nets:
• Express concerns but offer positive solutions.
• Resolve one issue before addressing another.
• If it’s not critical, record it in the journey logbook and only sign for what is serviceable.
• Refuse to compromise your standards.
24.2.10 Stress
Stress is a physical, chemical, or emotional factor that causes physical or mental tension. There are two main types of stress: acute stress that relates to events and pressures of the present such as emergency or time pressures, and chronic stress that is built when a pressure situation is present during a longer period of time, leading to anxiety or other symptoms of stress.
In the Aeroperu Flight 603 related in Sect. 9.3.1, the pilot in command hesitated in taking decisions due to the acute stress of the moment and the excessive number of alarms that contributed to the confusion and chaos. In the end, they did not know what to pay attention to, and basically, they did not focus on the repetitive GPWS alarms, neglecting the flight.
A certain level of stress can be helpful and motivating to get things done. Actually, the lack of this certain level of stress can lead to lack of motivation and then to other Dirty Dozens such as Complacency or Lack of Awareness.
Safety Nets:
• Be aware of how stress can affect your work.
• Take a rational approach to problem-solving.
• Take time off or at least have a short break.
• Discuss the problem with someone who can help.
• Ask members of your team to monitor your work.
• Exercise your body.
24.2.11 Lack of Awareness
Lack of Awareness leads to failure to be alert and observant of the surroundings, failure to recognize a situation in time or space, understand what it is, and predict the possible results. It is usually combined with auto-complacency and often occurs to very experienced staff who fail to think about the possible consequences of the work they are doing.
The most tremendous example of a catastrophic end due to Lack of Awareness is probably the case of Continental Airlines Flight 1515, in which a mechanic was ingested during the engine run.
It is usual to find Lack of Awareness of other human factors, and other human factors leading to Lack of Awareness, e.g., stress, fatigue, pressure, lack of knowledge, or lack of teamwork.
Safety Nets:
• Check to see if your work will conflict with an existing modification or repair.
• Fully understand the procedures needed to complete a task.
• Think of what may occur in the event of an accident.
• Ask others if they can see any problem with the work done.
24.2.12 Norms
Following unwritten rules or behaviors which deviate from the required rules, procedures and instructions may pose potential threats, including unwritten rules or procedures that are expected due to Pressure. Norms are usually tolerated by most of the team, and they are not always bad: Negative norms can detract from established safety standards and must be corrected, but positive norms should be captured as appropriate, e.g., in a procedure.
In Sect. 15.3, the Eastern Airlines Flight 855, in which the omission of the O-rings of the master chip detectors during their installation led to the loss of all the three engines, shows signs of the negative effects of Norms. The mechanics decided to skip the procedure; because they did not find any detector in the cabinet, they picked them up from the stock room, complacent that, as always, they would have the O-rings installed. Because of the time pressure, they also skipped the step of the Task Cards that called for the placement of new O-rings.
In the British Airways Flight 5390, it was normal for the shift manager not to follow the established procedure that required checking the IPC and identifying the appropriate Part Number; he selected the bolts by visual comparison, leading to the decompression that blew out the windscreen and sucked out the pilot in command.
Resistance to change and lengthy processes to change things are direct contributors to the negative effects of Norms. The system to manage processes, procedures, and work instructions should be alive and allow changes to be designed and tested, so they can be reviewed and amended as appropriate as part of the continuous improvement of safety and quality standards.
Safety Nets:
• Always work as per the instructions or have the instructions changed.
• Be aware that “norms” don’t make it right.
• Identify and eliminate negative norms.
• Follow good safety procedures.
Chapter 25
Organizational Factors
The models presented in the previous chapter focus on human performance and are useful to understand the underlying human factors that lead to an accident/incident, but the individuals do not operate in a vacuum; they do it in the context of an organization. In order to analyze the causes of an accident/incident, it is necessary to encompass technical, human, and organizational factors.
Developed at the beginning of the 90s, the Reason’s model (Swiss Cheese model) illustrates how an accident occurs in an organization, focusing on both organization hierarchy and human error. The barriers established within an organization prevent the adverse events of organizational influences, unsafe supervision, preconditions for unsafe acts, and unsafe acts.
The Human Factors Analysis and Classification System (HFACS) framework was developed at the beginning of the 2000s based on the Reason’s model. HFACS uses the same levels as the Reason’s model but develops causal categories to identify the active and latent failures that occur.
25.1 The Reason’s Model (Swiss Cheese Model)
The Reason’s model postulates that accidents require that a number of enabling factors come together, each one necessary but in itself not sufficient to breach the system defenses. Equipment failures or operational errors are never the cause of breaches in safety defenses, but rather the triggers. The safety system defenses are broken when active failures and latent conditions are present.
Active failures are actions, or inactions, with an immediate adverse effect: errors, deviations from prescribed procedures and practices, violations, etc.
The latent conditions are those that are present in the system before a failure occurs and that may not be recognized as harmful because they are not perceived as
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_25
failures in the first place: operation over safety, poor communication, poor management decisions, etc. These latent conditions may remain dormant for a long time and usually become evident once the defenses have been broken. Most of the latent conditions start with the decision-makers: time, budgets, politics, etc., that can lead to inadequate training, skills or operating procedures, scheduling conflicts, neglect of workplace precautions, etc. Decisions made by the organization managers and regulatory authorities are often the consequence of inadequate resources, which can lead to accidents. Avoiding the initial cost of strengthening the safety system can facilitate the pathway to the organizational accident.
The hypothesis of Reason is that most of the accidents can be traced to four levels of failure:
• Organizational Influences, e.g., undue time pressures, poor procedures, lack of training, or lack of safety culture.
• Unsafe Supervision, e.g., poor surveillance, failure to correct deficiencies.
• Preconditions for Unsafe Acts, e.g., fatigue, poor environmental conditions.
• Unsafe Acts, e.g., forgetting a checklist item, installing a wrong part, failing to detect a structural crack.
In the Reason’s model, the safety system defenses are built to protect against fluctuations in human performance or decision making, represented as slices of cheese: technology, training, regulations, etc. The holes in the cheese slices represent latent conditions that vary in size, position, and time in all slices. When the holes in all the slices momentarily align, they create “a trajectory of accident opportunity” in which an active failure can pass all the defenses, leading to an accident.
The Human Factors Analysis and Classification System (HFACS) further develops the Reason’s model and establishes causal categories to identify the active and latent failures. In theory, at least one failure occurs at each level leading to an adverse event. If at any time the failure at one level is corrected, the accident/incident will be prevented. Table 25.1 shows the HFACS framework.
Fig. 25.1 Swiss Cheese Model (concept of accident causation)
Table 25.1 HFACS framework
Levels of Failure and their HFACS Causal Categories:
• Organizational Influences: Operational Culture; Operational Process; Resource Management
• Supervisory Factors: Inadequate Supervision; Planned Inappropriate Operations; Failed to Correct Known Problem; Supervisory Violations
• Preconditions for Unsafe Acts:
  • Situational Factors: Physical Environment; Tools/Technology
  • Condition of Operators: Mental States; Physiological States; Physical/mental Limitations
  • Personnel Factors: Communication, Coordination and Planning; Fitness for duty
• Unsafe Acts:
  • Errors: Decision Errors; Skill-Based Errors; Perceptual Errors
  • Violations: Routine Violations; Exceptional Violations
25.2 Case Study: Overdue Airworthiness Directive
The following example details the human and organizational factors found after failing to comply with an Airworthiness Directive, analyzed from the Dirty Dozen and HFACS perspectives.
A TCH publishes a Service Bulletin that is assessed and implemented on an attrition basis without limitation by the Technical Services function of an Engineering and Maintenance organization. During the same time, the TCH publishes the ALS Damage Tolerance document with a new section for “WFD-Related mandatory modifications” that requires the embodiment of the SB with a specified hard due date. The experienced Maintenance Programs engineer expects that the SB will be covered by an AD and, therefore, will be managed by the Technical Services function, so he does not perform any action. A second engineer who crosschecks the implementation of the ALS document and the supervisor who samples the process do not highlight any omission.
Months later, the authority publishes an AD mandating the incorporation of the ALS document into the AMP, an action that has already been accomplished except for the new ALS section. About three years later, the TCH removes the WFD-Related mandatory modifications section from the ALS, and a few months later the authority publishes a new AD to clarify that the modifications mandated under the ALS are still required as per AD (without grace period concession). The modification turns out to be overdue for a number of aircraft of the operator’s fleet, which end up grounded until the authority grants an AD extension for the subject aircraft.
Dirty Dozen
The requirement to embody a mandatory modification through the ALS documentation is an unusual procedure; typically, it is mandated through an Airworthiness Directive. Despite the responsibility of the TCH and the authority, there are several enabling human factors within the operator that lead to the occurrence. The Maintenance Programs engineer fails to properly assess the AMP source documentation. The apparent preconditions identified in the case are:
• Complacency: the engineer trusts the company procedures that apparently assign the analysis of modifications to the Technical Services function.
• Lack of Assertiveness: the engineer fails to raise concerns about an unusual procedure.
• Lack of Awareness: the engineer fails to recognize the possible results of his inaction.
• Lack of Teamwork: the engineer fails to work together with the Technical Services team to assess the overall ALS document.
• Norms: the engineer deviates from the procedures, implementing the ALS document partially.
Other Dirty Dozen conditions that may be present at the time of the ALS documentation evaluation may be less obvious. Lack of knowledge, distraction, fatigue, lack of resources, pressure, or stress may have led the engineer to completely omit the “WFD-Related mandatory modifications” section.
Human Factors Analysis and Classification System (HFACS)
The HFACS comprises the human conditions listed in the previous paragraphs, but also the organizational factors that lead the engineer to omit the new ALS section.
The deviation from the established procedures ends with the partial implementation of the ALS document, an Unsafe Act classified as Decision Error under the HFACS framework. The choice to omit the new section is conscious, likely caused by the misinterpretation of the document and the established procedures. It can be extrapolated from the Dirty Dozen “Norms.”
The Preconditions for the Unsafe Act include all the other Dirty Dozen conditions identified (complacency and lack of assertiveness, awareness, and teamwork). They are classified under the personnel factors Communication, Coordination and Planning. As detailed in Chap. 21, the Maintenance Program function interacts with most of the other functions of the organization; any deficiencies found in such interactions should be appropriately addressed.
Although a second engineer follows the existing procedure to crosscheck the implementation of the ALS document, and the supervisor also samples it, apparently the procedure does not function as expected, and both also omit the new ALS section. The aspects of the deficient oversight function are classified as Inadequate Supervision.
In the last instance, a procedure to review source documents that lacks closer coordination between departments and does not consider unusual situations does the rest. The influence of the organization falls within the Operational Process category.
If one of the causal categories had been eliminated in time, the AD overdue situation would have been prevented.
Chapter 26
Safety Programs
ICAO Annex 19—Safety Management defines safety as “the state in which risks associated with aviation activities, related to, or in direct support of the operation of aircraft, are reduced and controlled to an acceptable level.” The safety strategy set by ICAO is substantiated on two complementary elements: the State Safety Programs (SSP), for states, and the Safety Management Systems (SMS), for organizations. The regulatory and oversight functions of a state do not require an SMS but an SSP, except in circumstances where the state is also a service provider (Air Traffic Service, Aeronautical Information Services, meteorological services, etc.). The European equivalent of the SSP is the European Aviation Safety Programme (EASP) that aids the member states in developing their own SSPs. The EASP sets the strategy and integrates the ICAO requirements into the EASA regulation. The FAA, as both regulatory and product/service provider organization, chose to implement both SSP and SMS in order to ensure the interoperability amongst all the safety management functions across FAA organizations. Therefore, the overall FAA Safety Management System (SMS) comprises both frameworks: SSP and SMS. An SMS should be proportional to the scope and size of the organization.
26.1 Safety Management Principles
Both SSP and SMS elements of the Safety Strategy set by ICAO are supported by the same basic principles (pillars) of Safety Management, at state and organizational levels, respectively: Safety Policy, Safety Risk Management, Safety Assurance, and Safety Promotion.
The Safety Policy and objectives reflect the commitment toward safety: responsibilities, accountabilities, organizational structure, safety rules frameworks,
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_26
289
290
26 Safety Programs
processes, SSP/SMS documentation, and the establishment of a Safety Reporting System (SRS). Safety Risk Management refers to the identification of hazards based on both reactive and proactive methods, and the assessment, control, and mitigation of risks. The State Safety Risk Management element of an SSP must ensure the implementation of SMS for service providers. Reactive methods are occurrence/incident/accident investigations and mandatory safety reporting; proactive methods are inspections, audits, surveys, studies, reviews, voluntary safety reporting, etc. The responsibility of the states to establish a process for Incidents/Accidents Investigation in accordance with ICAO Annex 13 is introduced in the Appendix B of this book. Safety Assurance refers to the surveillance, monitoring, and measurement of the safety performance, the management of changes that may affect the level of safety, and the continuous improvement of the SSP/SMS. Safety Promotion is the element that refers to the responsibilities of states and service providers to promote safety awareness, sharing safety information, and developing a positive safety culture. The main tools for Safety Promotion are safety training programs and an appropriate safety communication policy.
26.2 SMS: EASA and FAA Approaches
The regulatory approaches of EASA and the FAA differ regarding the scope of organizations for which the implementation of an SMS is required: while EASA is integrating the SMS elements within the approval of each type of organization, the FAA requires an SMS only of Part-121 operators but implements an SMS within the FAA organization itself that acts as the SSP.
EASA is gradually embodying the SMS requirements into its regulations: since 2012 the safety management principles have been reflected in the Air Operations, Air Crew, Aerodromes, ATM/ANS, and so on, with the latest incorporation into the CAMO organization requirements in 2019 and into the Part-145 Maintenance organizations in 2021. Certain elements of the SMS, such as the occurrence reporting system, are already incorporated into the Part-21 Design and Production organizations, for which the requirement for an SMS is already presented in the form of a Notice of Proposed Amendment (NPA) and should be incorporated into the Implementing Rules soon.
On the other side, since 2010, the FAA has required the implementation of SMS (based on 14 CFR Part 5) by Part-121 Air Carriers. The SMS development for operators approved under parts other than Part 121, MROs, training organizations, and other service providers is encouraged on a voluntary basis. The deviation from the ICAO standards is appropriately published by the FAA.
26.3 Safety Reporting Systems and Exchange of Information
ICAO Annex 19 requires that the states and service providers establish Safety Data Collection and Processing Systems (SDCPS) to capture, store, aggregate, and enable the analysis of safety data and safety information. The SDCPS are set at both state and organization level, each of which contains:
• Records from incident/accident investigations,
• Safety Reporting Systems (Mandatory/Voluntary), and
• Other sources of information, e.g., schemes for exchange of information.
Apart from the rules to report accidents and serious incidents to the appropriate accident investigation authorities, the requirement for Safety Reporting Systems is essential in hazard identification. The safety data is protected and should not be used for disciplinary, civil, administrative, or criminal actions against persons or organizations but only for purposes of maintaining or improving safety. Therefore, if the objective is effective safety reporting, both types of reporting, mandatory and voluntary, should not lead to blame or punishment. However, principles of exception apply when the competent authority determines that the occurrence is caused by any act or omission considered as gross negligence, willful misconduct, or criminal activity, for the proper administration of justice, or when the release of the safety information is necessary for maintaining or improving safety.
26.3.1 Types of Safety Reporting Systems
Mandatory Reporting Systems require people and service providers to report certain types of events and hazards to the competent authority. These events and hazards endanger, or if not corrected, would endanger, the aircraft, its occupants, or any other person. For example, non-compliance or significant errors in compliance with the Aircraft Maintenance Program must be reported. Specific approvals or programs may have specific reporting requirements for associated failures or malfunctions, e.g., for EDTO (ETOPS), APU shut down or failure when the APU is required to be available by operational requirements, or loss of one hydraulic system.
In addition to the mandatory reporting systems, a Voluntary Reporting System is required to collect and analyze information on observed deficiencies that are not required to be mandatorily reported but that are perceived as hazards. The information is de-identified to ensure the confidentiality of the reporting person/organization.
EASA Safety Reporting Systems
In an EASA environment, the rules and guidance to establish the Safety Reporting Systems (mandatory and voluntary) for the states and organizations are detailed in Regulation (EU) No 376/2014 on the reporting, analysis and follow-up of occurrences in civil aviation (implemented in CAMO.A.160 for continuing airworthiness management organizations) and AMC 20-8 Occurrence Reporting. Implementing Regulation (EU) 2015/1018 lists the occurrences that are mandatory to be reported. The rules establish a maximum reporting period of 72 h since becoming aware of the occurrence, although reporting should be immediate when significant hazards happen. The European Union Safety Reporting Portal provides common reporting forms for individuals and organizations to submit the safety reports to their competent authority.
In addition to the State Safety Reporting Systems required for the member states, EASA makes provision for a higher level reporting system: the Confidential Safety Reporting. The Confidential Safety Reporting enables individuals to report alleged malpractices and irregularities voluntarily. It does not replace the normal mandatory and voluntary occurrence reporting lines established by organizations and member states but allows the reporting of any suspected, presumed, or alleged violation of the legal framework of the European Union for civil aviation safety.
FAA Safety Reporting Systems
The FAA Service Difficulty Reporting System (SDRS) is the mandatory system for operators and maintenance organizations concerning failures, malfunctions, and defects of the aircraft and its components. SDR rules, including the occurrences to be reported, are detailed in 14 CFR 121.703, 135.415, and 145.221. A maximum reporting period of 96 h since the discovery of the failure, malfunction, or defect is established for the aforementioned certificate holders.
The Aviation Safety Reporting System (ASRS), designed and operated by the National Aeronautics and Space Administration (NASA), is the voluntary aviation occurrence reporting system that serves the FAA in safety research. The description of the program is detailed in AC 00-46E Aviation Safety Reporting Program.
ICAO Safety Reporting System
At international level, in accordance with ICAO Annex 13 Aircraft Accident and Incident Investigation, after an accident involving an aircraft above 2250 kg or an incident involving a large aircraft (over 5700 kg), the state conducting the investigation must report the Accident Preliminary Report or the Incident Data Report, as applicable, to ICAO. The ICAO reporting system, known as Accident/Incident Data Reporting (ADREP), constitutes a databank of worldwide occurrences. Based on this data, ICAO issues a series of periodic summary reports providing statistics and an up-to-date picture of significant occurrences on a worldwide basis.
Safety Reporting Between Organizations
It is recommended that approved organizations establish reporting systems to address data related to unsafe or unairworthy conditions, although the form and times are left to the individual organizations to determine. The importance is focused on an appropriate exchange of information relating to occurrences between:
• Operator/Maintenance and Production organizations to Design organizations,
• Maintenance organizations to Operator, and
• Production to Production organizations.
26.3.2 Safety Information Exchange
The following two programs are used to support organizations, at the European and U.S. levels, respectively, for the collection and exchange of their aviation safety information.
The European Coordination Centre for Accident and Incident Reporting Systems (ECCAIRS) acts as the network of European Civil Aviation Authorities and Safety Investigation Authorities to collect and analyze safety information. The ECCAIRS reporting system is held in two central databases: the European Central Repositories for Occurrences (ECR-ECCAIRS) and the European Central Repository for Safety Recommendations (ECR-SRIS).
In the U.S., the Aviation Safety Information Analysis and Sharing Program (ASIAS) is the most extensive program in safety data exchange, connecting a wide variety of data sources across government and industry: ASRS, SDR, Accident/Incident Database System (AIDS), NTSB accident database and others (flight operational quality assurance, meteorological aviation reports, mandatory occurrence reports, near mid-air collisions, traffic flow management system, etc.).
26.3.3 Safety Data Format
The ADREP taxonomy, used in the ADREP system, is a set of definitions and descriptions used during the gathering and reporting of accident/incident data to ICAO: aircraft categories, entities and attributes, aviation operation, descriptive factors, events, event phases, occurrence category, occurrence classes, organizations/persons, etc. ICAO encourages the states to use an ADREP compatible system (same coded predetermined format).
On the other side, the ECCAIRS software (a product derived from the evolution of the ECCAIRS system, initially developed to assist national and European transport authorities) has become a widely used platform for safety reporting. ECCAIRS software is used by ICAO to operate its own ADREP system and is also chosen by several non-European states to take advantage of the common classification.
For standardization purposes, organizations usually use reporting forms based on the format of the corresponding Safety Reporting Systems implemented by their national authorities. EASA actually requires that the organizations' reporting systems are compatible with the ADREP taxonomy and the ECCAIRS software. Software products such as Q-Pulse or SMS Pro assist organizations in managing their Safety and Quality management systems with support for ADREP/ECCAIRS reporting.
26.4 Safety Culture
The concept of Safety Culture involves the values and attitudes regarding safety issues, shared by every member of every level of an organization. It refers to the extent to which every individual and every group of the organization is aware of the hazards and safety risks induced by his/her/its activities, is behaving to preserve and enhance safety, is willing to communicate safety issues, and consistently evaluates safety-related behaviors.
Safety Culture is the vital condition for an effective SMS but is at the same time the element in which many organizations still fail. Safety culture within an organization cannot succeed if the local culture or the safety culture of the authority are not the same. For example, in non-democratic cultures, there is an acceptance of unequal status and deference to managers and likely fear of safety reporting, which acts as an uncrossable barrier toward Safety Culture. Safety Culture does not mean that a Safety Policy is established, an SMS is in place, SMS and Human Factors training is given, or “Safety” posters are hanging on every wall of the organization; effective Safety reporting must be encouraged.
The European Commercial Aviation Safety Team (ECAST) proposes a Safety Culture framework based on the following six dimensions or characteristics:
• Commitment: extent to which every level of the organization has a positive attitude toward safety and recognizes its importance. It cascades down from the organization’s safety policy and should be encouraged by the management with appropriate means and motivation. SAFETY FIRST!
• Behavior: extent to which every level of the organization behaves such as to maintain and improve the level of safety. The expected behaviors of how people would behave if nobody were watching should be analyzed against organization–employee mutual expectations, job satisfaction, and adequate equipment.
• Awareness: extent to which employees and management are aware of safety risks.
• Adaptability: extent to which employees and management are willing to learn from past experiences and are able to change to enhance the level of safety.
• Information: extent to which information is distributed to the right people, e.g., proper communication or effective safety reporting.
• Justness: extent to which safe behavior and reporting of safety issues are encouraged or even rewarded, and unsafe behaviors are discouraged.
Both the competent authority and the organization should promote a non-punitive environment facilitating the reporting of occurrences and thereby advancing the principle of “Just Culture.” However, while safety reporting should be non-punitive and reporters and sources of safety information should be protected (this is in fact a key to effective safety reporting), it should not interfere with the responsibilities of the competent authorities. The authorities are in charge of educating and promoting training or supervision when safety deficiencies are detected and should take action against those who constantly and deliberately operate outside the regulations. Nor should Just Culture interfere with the administrative and penal laws established by each state; the fact that an organization has not only safety but also legal responsibility is usually omitted during SMS training.
EASA, in Article 84 Fines and Periodic Penalty Payments of the Basic Regulation, details the fines and periodic penalty payments whenever the rules are infringed. It provides a supplementary tool, in addition to the withdrawal of certificates. For example, when it is found that the certificate holder has intentionally or negligently breached the rules, a fine of up to 4% of the annual income or turnover of the preceding business year may be imposed. The FAA details the civil penalties in the Investigative and Enforcement Procedures in 14 CFR Part 13, with references to the corresponding chapters of the 49 CFR—Transportation. For example, the FAA has the authority to issue orders assessing a penalty of up to $400,000 for other than small business concerns.
Part VI
Quality Improvement Tools and Methods
The effectiveness of the Safety Management Systems (SMS) detailed in the previous chapter cannot be understood without applying quality management principles. SMS and Quality Management Systems (QMS) have developed a strong relationship, where improvements to the quality processes are required to satisfy the safety requirements. Both management systems originate from similar management processes (findings/occurrences, root cause analysis, corrective action and follow up) and therefore share many commonalities: both have to be planned and managed, depend on measurement and monitoring, involve every function, process, and person within the organization, and push for continuous improvement. Although both also have common methods and techniques, the objective of each system is different. The objective of an SMS focuses on aviation safety through investigation of events and identification of hazards, and the objective of a QMS is customer satisfaction through compliance and continuous improvement. SMS and QMS are complementary and must work closely together to achieve the overall safety goals. Whether the quality assurance function is under a compliance monitoring program, as the minimum required by EASA, or under a QMS, the identification of under-performing processes and the improvement of the organization’s processes to reduce risks are required under any ICAO environment. This chapter outlines several effective continuous improvement tools and methodologies designed to streamline safety and quality processes. The tools and methodologies can be used in different ways; for example, while an audit is traditionally considered a compliance monitoring tool, it can be used and prepared in advance as a powerful method for continuous improvement. Not preparing for an audit can be a missed chance, and not collaborating for an effective audit can be a second missed chance.
The tools and methodologies selected in the following chapters have been proven to be useful in the aircraft maintenance program area but are only part of a larger continuous improvement toolbox with plenty of other instruments available; the key is to recognize deficiencies and look for the most appropriate solution when needed.
Chapter 27
Audits
ISO 19011:2018 defines an audit as “the systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The objective evidence consists of data supporting the existence or verity of something: records, observation, measurement, test, etc. The audit criteria are the set of requirements (legal requirements, contractual obligations, policies, procedures, work instructions, etc.) used as a reference against which objective evidence is compared. Audits are traditionally recognized as compliance monitoring tools and can occasionally be perceived as threatening because their function is inevitably to highlight non-compliance, deficiencies, or areas that can be improved, and those are always under the responsibility of managers and supervisors, who may feel that their expertise and efforts are being underestimated. Contrary to these feelings, audits are based on evidence and can become the most valuable improvement ally if the organization or function being audited knows how to turn the findings, observations, and recommendations into opportunities to analyze gaps and hazards and enhance its processes. This chapter introduces the most common requirements and standards to which an operator can be audited: the Aviation Regulations (EASA/FAA), the IATA Operational Safety Audit (IOSA), and the ISO 9001:2015 standard. Following the introduction to the most common audit requirements and standards, a few paragraphs suggest certain preliminary exercises that can be performed by the audited organization’s function to make the audit more effective and get the full benefit from it.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_27
27.1 Regulations and Standards
In addition to the mandatory audit requirements that allow an operator or service provider to be certified/authorized to perform certain types of activities and operations and keep that certification/authorization to develop its functions, there exist a few other internationally recognized standards to which the organization can adhere and that, in addition to ensuring regulatory compliance, can offer several advantages, e.g., standardization of the audit process, elimination of redundancy of audit activities, or deeper focus on the performance of the management systems.
The auditing component for the three requirements/standards described hereunder (EASA/FAA, IATA, and ISO 9001) can be classified according to the entity that conducts the audit:
• Internal (First-party): self-assessment conducted by the organization.
• External:
– Second-party: conducted by parties having an interest in the organization, e.g., customers.
– Third-party: conducted by independent auditing organizations, such as those providing certification/registration conformity or governmental agencies, e.g., EASA, FAA, Civil Aviation Authorities, or organizations accredited by IATA or ISO.
Internal Audits are one of the most important elements of the management systems; they are not optional but required to maintain the certification/authorization under consideration. An effective internal auditing process is a key factor toward successful external audits. It is not necessary that the organization carries out internal audits for each requirement/standard; an internal audit program can integrate all of them (regulation, IOSA, ISO 9001:2015, lean audits, etc.) where the intent of each individual requirement/standard is appropriately covered by the program.
27.1.1 Regulatory Audit
Under the ICAO SARPs, the States are required to have a safety oversight system that observes and assesses the compliance of the aircraft operator and the service providers with the applicable regulations, procedures, and recommended practices and standards. This is achieved through different means, including Regulatory Audits conducted by the regulatory/competent authority and the requirement for the organizations to establish a self-auditing and inspection program, including contractors and subcontractors auditing.
ICAO allows variations in the manner in which compliance with the regulations can be demonstrated to satisfy the regulation: prescriptive-based and performance-based compliance.
Prescriptive-based Compliance is the conventional means of achieving target levels of safety performance based on pre-established, non-variable standards, or limitations. An operator following this approach generally bases its systems in manuals and SOPs that meet the regulatory requirements, instead of systems and processes, and shows compliance when required.
Performance-based Compliance involves target levels of safety performance of systems and/or processes that allow the implementation of variations to the prescriptive regulations. It is facilitated by the analysis of operational data to generate evidence.
Both EASA and the FAA allow the audit cycles to be adjusted based on a risk-based methodology. For example, EASA establishes an oversight planning cycle of 24 months when the operator demonstrates prescriptive-based compliance. The cycle can be extended to 36 months if the organization also demonstrates an effective identification of aviation safety hazards and management of associated risks, has full control over all changes, no level 1 findings have been issued during the previous audit, and all corrective actions have been implemented within the rules. The cycle can be further extended to 48 months when the operator demonstrates overall Performance-based Compliance, with the aforementioned conditions plus an effective continuous reporting system on the safety performance and regulatory compliance.
In the EASA system, the types of audit findings are classified into two levels:
• Finding Level 1: significant finding that can lead to the revocation, limitation, or suspension of the organization approval/authorization until the corrective actions have been taken, e.g.,
– failure to give access to the facilities of the organization to the competent authority,
– obtaining/maintaining the validity of the certificate/authorization by falsification of submitted documentary evidence,
– evidence of malpractice or fraudulent use of the certificate/authorization, or
– lack of an accountable manager.
• Finding Level 2: non-compliance with the regulations, organization’s procedures and manuals, or terms of the certification/authorization which could lower safety or hazard flight safety. There is a corrective action period granted by the authority.
• Finding Level 3 (Observation): item where it has been identified, by objective evidence, to contain potential problems that could lead to a non-compliance.
In the FAA Internal Evaluation Programs, the audit findings are classified under five categories:
• Non-compliance with regulations (NCP),
• Non-conformance with documented procedures (NCF),
• Safety-related concern (SRC), currently in compliance and conformance, but the problem may have safety implications,
• Quality-related concern (QRC), currently in compliance and conformance, but the problem indicates a weakness in the quality system, and
• Observation (OBS).
The Safety and Just Culture principles detailed in Sect. 26.4 also apply to the audit findings. Inadvertent errors should not lead to disciplinary actions.
When an organization demonstrates compliance with industry standards that are compatible with the regulations and the oversight planning cycle, e.g., through IOSA certification, the authority may adapt the oversight program to avoid duplication of specific audit items.
27.1.2 IATA Operational Safety Audit (IOSA)
The IATA Operational Safety Audit (IOSA) is an evaluation system developed by the International Air Transport Association (IATA) to assess the operational management and control systems of an airline. The IOSA Audits are carried out by Audit Organizations accredited and overseen by IATA. IOSA provides a structured audit methodology and standard checklists that reflect the updated regulatory requirements (cascaded down from ICAO Annexes) and best practices across the industry.
One of the main objectives of IOSA is to eliminate audit redundancy by recognition of the standard in the safety oversight programs of the regulators. A standardized audit system facilitates the exchange of audit information and reduces resource requirements and costs.
IOSA targets the organization’s Management System to assess if the internal auditing system:
• Ensures compliance with applicable regulations and standards,
• Satisfies stated maintenance operations needs,
• Identifies undesirable conditions and areas requiring improvement,
• Identifies hazards in maintenance operations, and
• Assesses the effectiveness of safety risk controls.
Under an ICAO environment, typically, the first two points, related to compliance, are covered by the Quality Management System requirements, and the last three, related to the continuous improvement of the operational safety performance, by the Safety Management System.
The IOSA Standards Manual (ISM) provides the IOSA Standards and Recommended Practices (ISARPs), associated guidance material, and other supporting information necessary for the auditor to conduct the audit and for the operator to prepare for it.¹,² The ISM provisions are structured in the following operational categories:
• Section 1—Organization and Management System (ORG)
• Section 2—Flight Operations (FLT)
• Section 3—Operational Control and Flight Dispatch (DSP)
• Section 4—Aircraft Engineering and Maintenance (MNT)
• Section 5—Cabin Operations (CAB)
• Section 6—Ground Handling Operations (GRH)
• Section 7—Cargo Operations (CGO)
• Section 8—Security Management (SEC).
¹ IOSA Standards Manual. IATA. Edition 14 Revision 1—2021.
² IOSA Audit Handbook, Procedures and Guidance (Audit Organizations and Airlines). IATA. Edition 11—2021.
The Aircraft Maintenance Program ISARPs can be found in Section 4—Aircraft Engineering and Maintenance (MNT).
27.1.3 ISO 9001:2015 Quality Management Systems
ISO 9001 is an international standard that specifies the requirements for a Quality Management System (QMS) for any type of organization, regardless of its size or the products or services it provides, e.g., operators, suppliers, or agencies. The ICAO Universal Safety Oversight Audit Programme (USOAP), the EASA Integrated Management System, and the FAA Safety Office are ISO 9001:2015 certified. The ISO standard allows the organization or part of the organization to demonstrate its ability to consistently provide products/services that meet customer and applicable regulatory requirements.
ISO 9001:2015, the current version, bases the success of an organization on its competence to meet customer satisfaction. To achieve this, ISO 9001:2015 is established under three pillars:
• Risk-based thinking: It is a systematic approach to risk in which risks are evaluated while establishing or revising processes and/or controls, rather than seeing risk as an isolated component. The definition of risk is expanded in ISO to “the effect of uncertainty on objectives,” which is described as a potential deviation from an expected outcome (the unknown, positive or negative). Risk-based thinking makes the preventive action part of the day-to-day routine.
• Process Approach: It is the way to organize and manage the process activities as a system to create value, rather than managing the resources vertically or independently (departments, staff, products, etc.). It allows eliminating the issues that occur frequently at the boundaries of the functional departments and achieves the results more efficiently.
• PDCA Cycle (Plan-Do-Check-Act): It is the operating principle of ISO 9001:2015 for continuous improvement (see Sect. 29.1.2.1 for further details).
The three concepts are an integral part of the ISO 9001:2015 standard. Risk-based thinking is used throughout the process approach to identify risks and to define process changes and/or controls to prevent undesired results; PDCA operates as the cycle of continuous improvement of the processes, with risk-based thinking at each stage.
ISO 9001:2015 and the EASA/FAA QMS regulatory requirements are complementary. EASA/FAA QMS primarily focuses on compliance and documentation, and it defines roles and responsibilities of the nominated persons to manage specific areas (Quality and Safety). On the other side, ISO 9001:2015 focuses on processes and performance to identify risks and opportunities, relying on leadership positions rather than nominated persons, and giving less weight to the documentation.
27.2 Preparing for an Audit
“By failing to prepare, you are preparing to fail,” unattributed.
Beyond the competences and responsibilities of the Quality function and/or auditor that will guide the audit, it is highly recommended that the Maintenance Program function prepares in advance in order to be confident with the AMP processes, identify opportunities for improvement in advance, and contribute to the audit's effectiveness. Preparing for an audit can ensure that the documentation meets the requirements and standards and that the processes and procedures are correctly followed.
One of the keys for a successful audit is that the auditee is familiar with the requirements and standards and knows the elements that must be complied with. The team should be aware of its role in the organization and how they contribute to meet the quality and safety objectives. They should be able to answer the auditor’s questions by referring to updated policy, process maps, procedures, work instructions, etc. Everybody in the team should be on the same page. If any process or activity performed is not appropriately documented or followed, process maps, procedures, or work instructions, as appropriate, may need to be developed or revised.
Another key point is the organization of the documentation: knowing where to find documents and records and how to generate the reports that may be requested by the auditor. It is the right time for the team to use the 6S method to put everything in place (see Sect. 29.2.3).
The next step is to ensure that the function’s processes meet the audit criteria. Likely, there is some checklist, or the Quality function can provide supporting documentation, that can be used to cross-refer the requirements and standards to the manuals, processes, procedures, work instructions, etc. It is also time to review the results of past audits to ensure that the corrective actions are implemented and are effective. Preparing a correlation of compliance statements will provide confidence in the system and will also allow compliance to be demonstrated straight away, making the audit more efficient.
Once the scope, date, and place of the audit are known, a short presentation (5 min) can be developed to introduce the current high-level view of the audit scope processes, latest changes and achievements, and how the findings and observations from the last audit have been resolved. The presentation should focus on the audit scope and should not try to divert the attention of the auditor to different subjects, but be used to clarify the understanding about the organization and its processes.
During the audit, being honest and professional with the auditor is essential so the auditor can uncover non-compliance and deficiencies that will be used as inputs for continuous improvement.
Chapter 28
Problem Solving
From time to time, some element of the organization fails or may fail to perform as expected, e.g., staff, processes, procedures, components, equipment, etc. Problem Solving is the act of defining those issues, analyzing the root causes, and selecting and implementing solutions.
When the issues are known, e.g., a non-compliance or an incident or accident, the approach is known as Reactive Problem Solving and aims to find and eliminate the root causes of the occurrence. There are a number of tools used for Reactive Problem Solving: the A3 Method and the Maintenance Error Decision Aid (MEDA) are used as overall methodologies for problem solving and continuous improvement and are at the same time a useful source of data. Certain methods, such as the Five Why and the Cause and Effect Analysis, are used as Root Cause Analysis (RCA) tools to identify those latent issues. Reactive methods are used after an event occurs in order to find out why it occurred.
Reactive Problem Solving can, however, be minimized by taking a proactive approach. Proactive Problem Solving aims to anticipate risks and potential issues by using a variety of tools, e.g., the Bow-Tie Diagram or the Failure Mode and Effects Analysis (FMEA). Proactive methods are usually not spontaneous but triggered by some type of occurrence, normally when a high-risk scenario is detected. Certain elements of these methods are valid for use during an RCA and will look not only into the root causes of the known issue but into the possible scenarios around a hazard. Becoming proactive requires changes to the existing processes, greater collaboration between the functions of the organization, and more resources, so a high level of commitment from the management is necessary.
Basic tools such as process flowcharts can be used to assist with the abovementioned tools and methodologies (see Sect. 29.2.1).
There are many other tools and methodologies for Problem Solving that may be found useful; the key is to research and adapt those instruments to the needs.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_28
28.1 Root Cause Analysis
Root Cause Analysis (RCA) looks for the underlying causes of deficiencies and occurrences. These are the Latent Conditions, a type of Hazard introduced in Chap. 23: conditions present in the system that are not perceived as harmful. RCA is used to correct deficiencies and occurrences at the three sides of the Triangle of Airworthiness:
• Reliability, when deviations from the performance standards are highlighted and there is a need to find the causes of such deviations,
• Safety, when it is necessary to identify the gaps in the safety defenses in order to prevent future occurrences,
• Quality, when non-compliance with the regulations or standards is identified and it is necessary to revise the current processes to avoid re-occurrence.
In all three domains, it is usual to confuse the symptoms (Active Failures) with the underlying causes. The symptoms are the evidence of the underlying causes and should be addressed at once with immediate corrective actions, e.g., the immediate corrective action for a non-compliance with an Airworthiness Directive usually grounds the affected aircraft, but the underlying cause may be the lack of training that leads to lack of knowledge of employees, a wrong AD setup and, in the last instance, to the non-compliance situation.
RCA includes a number of reactive methods performed after evidence (e.g., when a control limit is reached or after an occurrence) and others to anticipate such situations. This chapter introduces four of the many available RCA tools:
• Five Why Analysis,
• Cause and Effect Diagram,
• Bow-Tie Diagram, and
• Failure Mode and Effects Analysis (FMEA).
The use of the different tools depends on what we are looking for; while the Five Why Analysis can assist in the quick identification of root causes, the Cause and Effect Diagram serves as a visual tool to order them in accordance with causal categories. Bow-Tie and FMEA are proactive methods that focus on how and when a system could fail and can be triggered by the occurrence for which any of the other RCA is being performed.
Other simple RCA tools not further detailed in this book but that may be found useful are:
• the Affinity Diagram, used to organize a large number of ideas into natural relationships (contributing causes identification and classification), especially during a brainstorming session.
• the Causal Factor Tree Analysis, useful to display all the actions and conditions that lead to the occurrence in a logical tree-structured hierarchy.
• the Pareto Chart, useful to display data and facilitate the decision-making process. It allows weighting the contributing factors, based on historical data, and assists in determining which causes should be addressed first.
An RCA method by itself does not eliminate or mitigate the underlying causes, but it is an input to the assessment of the preventive or corrective action.
Both the occurrence investigation and the corrective actions must be cost-beneficial; when the analysis is not deep enough, the latent conditions may not be adequately identified, and when the analysis is too exhaustive, resources such as manpower are taken away from the day-to-day tasks, which can lead to new occurrences. Therefore, in order to determine and assign the resources required in a reasonable manner, the analysis depth level should be pre-assessed. During the course of the analysis, it is possible to adjust resources based on changing needs. As introduced in previous chapters, a Cost–Benefit Analysis (CBA) may be required to determine if the mitigation actions are cost-effective.
The RCA tools are limited by human performance; some of these constraints are:
• Confirmation Bias: tendency to search and interpret information in the way that supports one’s hypothesis.
• Stopping the analysis at the symptoms instead of going to deeper level root causes.
• Following only one causal chain.
• The investigation is limited to the knowledge of the practitioners, which can lead them to miss causes that they do not actually know about.
All these limitations can lead to inadequate identification of root causes and trigger future re-occurrences. To overcome these conditions, it is necessary:
• To allocate enough resources to allow following different causal chains and analyzing deep root cause levels,
• For complex issues, to build a diversified team rather than have a single person perform the RCA.
Taking into consideration that most occurrences are associated with human factors, an HF expert should be incorporated into the team as far as practicable. It is necessary not only to have a panel of experts on the subject but also to incorporate staff who are not directly involved in the process that caused the occurrence, in order to reduce the confirmation bias element of the analysis.
28.1.1 Five Why Analysis
The first of the RCA tools presented was developed by Sakichi Toyoda, the founder of Toyota Industries, back in the 1930s. It is nowadays used across all types of industries as one of the most recognized simple problem-solving methods. The Five Why Analysis is used to determine the root causes of a problem by asking the question “Why?” multiple times in succession until they are found. For example:
• Why…was the Airworthiness Directive overdue? Because…of the wrong task setup in the maintenance software.
• Why…was the task setup in the maintenance software wrong? Because…the employee developing it did not know the maintenance software functionalities.
• Why…did the employee not know the maintenance software functionalities? Because…he had no training on the software.
• Why…did the employee have no training on the software? Because…it is not part of the operator’s policy to provide maintenance software training.
• Why…is it not the operator’s policy to provide maintenance software training? Because…the regulations do not require maintenance software training.
One of the keys to succeeding with a Five Why Analysis is the formulation of the questions and the answers, which must be as simple and precise as possible. The root causes may be found with more or fewer than five questions depending on the complexity of the issue. The individual or team conducting the analysis should determine when the real causes of the problem are found; indications of a completed analysis are when the elimination of the causes found would prevent the occurrence from happening again or when the elimination of such causes is not under the organization's authority. In the case of safety occurrences, where deficient regulations or standards may be amongst the root causes, this should be notified to the competent authority, as appropriate, who will be in charge of further analysis. In the case example, another Why question, e.g., “Why do the regulations not require maintenance software training?” would lead to an area that is outside of the organization's competences.
Because there are several root causes associated with an occurrence, the Five Why Analysis usually takes multiple directions. In the example above, just from the second question, it is possible to branch to a few other causes; e.g., the task setup was wrong because there was no setup verification procedure, or because the employee was under stress, and so on; or from the third question, deficiencies in the employee induction process, in the written procedures, in the software ergonomics, etc., may be detected.
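The branching analysis described above can be recorded as a tree instead of a single chain, which makes the stopping criteria and the "only one causal chain" limitation checkable. The following Python sketch is an added example, not part of the original book; the class and function names are hypothetical, and the tree holds only the causes named in the text for the overdue Airworthiness Directive.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Cause:
    """One answer to a "Why?" question; `because` holds the next-level answers."""
    text: str
    outside_authority: bool = False  # eliminating it is not under the organization's authority
    because: List["Cause"] = field(default_factory=list)


def causal_chains(node: Cause, prefix: Tuple[Cause, ...] = ()) -> List[Tuple[Cause, ...]]:
    """Every path from the problem statement down to a cause with no further answer."""
    chain = prefix + (node,)
    if not node.because:
        return [chain]
    chains = []
    for child in node.because:
        chains.extend(causal_chains(child, chain))
    return chains


def classify(problem: Cause) -> Tuple[List[str], List[str]]:
    """Return (causes the organization can act on, causes to notify to the authority)."""
    actionable, notify = [], []
    for chain in causal_chains(problem):
        end = chain[-1]
        if end.outside_authority:
            notify.append(end.text)
            # Fall back to the deepest cause on this chain that is still in-house.
            inside = [c for c in chain[1:] if not c.outside_authority]
            if not inside:
                continue
            end = inside[-1]
        if end.text not in actionable:
            actionable.append(end.text)
    return actionable, notify


def single_answer_nodes(node: Cause) -> List[str]:
    """Questions for which only one answer was explored (one causal chain followed)."""
    found = [node.text] if len(node.because) == 1 else []
    for child in node.because:
        found.extend(single_answer_nodes(child))
    return found


# Tree built from the example in the text (the structure is this sketch's assumption).
PROBLEM = Cause("Airworthiness Directive was overdue", because=[
    Cause("Wrong task setup in the maintenance software", because=[
        Cause("Employee did not know the maintenance software functionalities", because=[
            Cause("Employee had no training on the software", because=[
                Cause("Operator's policy does not provide maintenance software training", because=[
                    Cause("Regulations do not require maintenance software training",
                          outside_authority=True),
                ]),
            ]),
            Cause("Deficient employee induction process"),
            Cause("Deficient written procedures"),
            Cause("Deficient software ergonomics"),
        ]),
        Cause("No setup verification procedure"),
        Cause("Employee was under stress"),
    ]),
])

if __name__ == "__main__":
    actionable, notify = classify(PROBLEM)
    print("Causal chains followed:", len(causal_chains(PROBLEM)))
    print("Actionable root causes:", *actionable, sep="\n  - ")
    print("Notify to the competent authority:", *notify, sep="\n  - ")
    print("Only one answer explored for:", *single_answer_nodes(PROBLEM), sep="\n  - ")
```

The last list is a review prompt rather than a finding: each entry is a question where the team may want to look for a second answer before closing the analysis.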
28.1.2 Cause and Effect Diagram (Fishbone Diagram)
The Cause and Effect Diagram, also known as Ishikawa Diagram or Fishbone Diagram, is a visual RCA tool that makes it possible to see all the causes at once and to identify whether the same root cause is found in more than one causal chain. The use of the Cause and Effect Diagram is appropriate for complex issues where brainstorming is required, and usually, it serves as the means to apply the Five Why Analysis.
The box at the head of the fish reflects the statement of the issue, the spines or main branches are the different causal categories, and each branch has different sub-branches for further categorization and boxes to specify root causes. More sub-branches indicate a greater level of detail of the analysis.
The main branches depend on the specific case of study; a common model can be used to help structure the diagram, e.g.,
• The 8M model: Man, Machine, Material, Method, Measurement, Mission, Management, and Maintenance.
• The 4S model: Surroundings, Suppliers, Systems, and Skills.
When the search includes or is focused on Human Factors, the use of the Human Factors models introduced in Chap. 24 may be useful to preformat the diagram, e.g., SHELL, PEAR, Dirty Dozen.
For the case presented in the Five Why paragraphs, an overdue Airworthiness Directive, it is possible to choose the main branches based on the evidence of the data collected, e.g., deficiencies in the Equipment, Process, People, Quality, Environment, and Management could have contributed to the occurrence; those are the main branches of our Cause and Effect Diagram (Fig. 28.1).
Fig. 28.1 Cause and Effect Diagram example
The diagram makes it possible to visualize all the root causes at the same time, but there is a drawback: the Cause and Effect Diagram does not identify the interrelationships between root causes; e.g., the deficiencies in the quality audits may be related to deficiencies in the AD setup procedure, the setup validation or the employee readiness; or the lack of awareness about certain maintenance software malfunctions may have led to a deficient validation process. When it becomes necessary to focus on causal chains, usually when assessing high-risk scenarios, the Cause and Effect Diagram may not be sufficient, and other methods, such as the Bow-Tie Diagram, are more appropriate.
28.1.3 Bow-Tie Diagram
The Bow-Tie Diagram is not only an RCA tool but a risk assessment method. In comparison with the Five Why and the Cause and Effect Diagram, it makes it possible to show the flow of events from the root causes to the hazardous condition, and from the hazardous condition to the potential outcomes [1] (see an introduction to the Bow-Tie Diagram in Chap. 23).
Basically, the Bow-Tie Diagram consists of (all) the possible risk scenarios around a certain hazard and the means that the organization establishes to stop those scenarios from happening.
While the overall Bow-Tie method is more appropriate for proactive hazards and risk analysis, the use of the left side of the diagram (from the root causes to the hazardous condition, analogous to a Fault Tree Analysis + Causal Factors Analysis) is appropriate to perform an RCA. The right side of the Bow-Tie Diagram (analogous to an Event Tree Analysis) serves to assess the consequences of a single initiating event and their probabilities, and it is useful for safety risk assessment.
The guidelines to draw the Bow-Tie Diagram are summarized in the following steps:
• Identification of Hazards
• Identification of Top Events (uncontrolled Hazards)
• Identification of Threats
• Identification of Consequences
• Identification of Control Methods. The control methods at the left side of the diagram are the proactive methods used to prevent the top event from happening; the control methods at the right side prevent the hazard from turning into unwanted consequences.
The selection of the Top Event is critical to develop a Bow-Tie diagram but, at the same time, is completely subjective. For example, an Overdue AD can be a consequence for an organization but can be a Top Event for a structural failure.
[1] BowTie Methodology Manual. BowTieXP. Revision 15, 2015.
28.1.4 Failure Mode and Effects Analysis (FMEA)
The Failure Mode and Effects Analysis (FMEA) is a structured approach to discover potential failures (failure modes) that may exist in a design, including the design of an aircraft, system, component, modification, process, etc., and assess the consequences of those failures at different levels.
The FMEA requires reviewing as many elements of the design as possible, e.g., systems, subsystems, and components in an aircraft, or steps in a process. When the FMEA is focused on a process, it is known as Process FMEA (PFMEA), and the hazards to be identified are derived from Human Factors, the methods, the equipment, the measurement systems, and the process performance.
The FMEA principles are the base of the MSG-3 analysis used through a top-down approach: from the aircraft, systems, and subsystems to the components (see Sect. 6.1). The FMEA is also used as a qualitative tool for System Safety Analysis (SSA) to determine the effect of a failure (see Sect. 6.2.1.1), or as an analytical technique to perform Reliability RCAs.
The criteria used by the FMEA include:
• Failure cause and frequency,
• Severity or impact of the failure, in the MSG-3 categorized as “safety” and “economic.”
• Detection (likelihood of failure detection), in the MSG-3 categorized as “evident to” or “hidden from” the operating crew.
The FMEA is captured in a worksheet that is usually difficult to understand, which is why a set of Bow-Tie Diagrams can be used to visualize the results while the worksheet provides more detailed information about the causal chains and the failure modes.
Example: MSG-3 Life Vest Function
The following example summarizes the FMEA/MSG-3 process for one of the functions of a Life Vest:
• Function (the normal characteristic actions of the item): To inflate the life vest automatically by pulling the handle.
• Functional Failure (How the item fails to perform its function): Failed to inflate the life vest automatically.
• Failure Effect (What is the result of the functional failure): Life Vest cannot be inflated automatically. Manual inflation is still available.
• Failure Cause (Why the Functional Failure occurs): Gas cylinder activation mechanism failed.
• Is the occurrence of a functional failure evident to the operating crew? No, the failure is not detectable by operating crew during normal duties because the life vest is only used in case of emergency.
• Does the combination of a hidden functional failure and one additional failure of a system-related or back-up function have an adverse effect on operating safety? Yes, the failure in combination with an emergency situation does not have an adverse effect on operating safety because the life vest can be inflated manually, but the item is considered emergency equipment.
Based on the analysis, the function is associated with the FEC 8 Hidden Safety category, and an appropriate task must be selected to avoid the safety effect of failure, e.g., an Operational check of the gas cylinder mechanism.
28.2 Reactive Problem-Solving Methodologies
The two Reactive Problem-Solving methods presented hereunder can be used as described or customized to the needs of any organization or function.
The A3 method is a comprehensive tool based on the PDCA Cycle that makes it possible to visualize the current state of the processes related to an occurrence, the causal factors that allowed the occurrence to happen, the goals established to prevent those causal factors, the corrective actions, and the follow-up process. See Sect. 29.1.2.1 for further details about the PDCA Cycle.
On the other hand, the Maintenance Error Decision Aid (MEDA) provides a predefined tool specially designed for errors in aircraft maintenance, with a user-friendly format.
When comparing both methods, A3 represents a continuous improvement method, while the MEDA misses some elements that may be essential for a comprehensive investigation, e.g., the goals to be achieved or the state of the current process that may facilitate the work.
28.2.1 A3 Method
The A3 Problem Solving is a structured method that consists of a systematic approach that mirrors the Plan-Do-Check-Act (PDCA) Cycle. The A3 lean methodology was first used by Toyota during the 1960s and gained great popularity amongst the manufacturing industry. The A3 has been demonstrated to be a simple, concise, and effective tool that can be used across other types of industries.
The tool to apply the methodology is the A3 Report, which originally used an ISO A3 size paper that gives the name to the method. Because there is no established set format, the report should be customized to the needs of the organization and standardized, maintaining the PDCA principles. The following main sections of the A3 process are proposed:
Plan
• Background. Identification and brief description of the problem: What, When, Where, Who, Why, How, and How many/How often.
• Immediate Corrective Actions. Measures to solve the current negative effects of the issue. The immediate actions usually do not prevent the issue from occurring again.
• Current situation. Summary of the context in which the issue has happened. It may include an overview of the processes, e.g., a process flowchart, procedures, and any other information that helps to understand how things are done at present.
• Goals. Definition of the desired state. Because a deeper understanding of the issue is gained while advancing with the report, the goals are usually reformulated.
• Root Cause Analysis (RCA). Analysis of the underlying causes of the issue. This is the most critical step as the right causes should be clearly identified; otherwise, we may be proposing solutions to the wrong problem. See Sect. 28.1 for RCA tools.
• Corrective Actions/Countermeasures. Once the root causes are defined and understood, the countermeasures are the proposals of potential solutions that help to reach the Goals. A Return on Investment (ROI) or Cost–Benefit Analysis (CBA) may be required at this step to measure all the potential costs and benefits of each solution, so that the most appropriate one is selected.
Do
• Action Plan. The plan includes the steps, actions, responsibilities, and timelines to implement the Countermeasures. Beta testing can be introduced in the Action Plan to assess the results of the Countermeasures at small scale and verify if the desired results are obtained.
Check
• Monitoring and Validation. Confirmation of the desired effects of the Countermeasures. If the Goals are not achieved with the proposed Action Plan, it is required to draw up a new plan, which may require assessing some parts or the overall project again.
Act
• Follow-up. Update and standardization of processes, procedures, work instructions, etc., to finalize the full implementation of the solution.
• Distribution. Communication of at least a summary of the A3 report to the affected or interested parties across the organization that may benefit from the report knowledge.
Two valuable stages not considered by A3 but defined in a similar method, the 8 Disciplines (8D) methodology used by Ford, are:
• A preliminary stage for the Emergency response actions, and
• An end-stage to congratulate and recognize the collective efforts of the team.
28.2.2 Maintenance Error Decision Aid (MEDA)
The Maintenance Error Decision Aid (MEDA) [2] is a structured process developed by Boeing in the early 1990s to investigate events caused by maintenance technicians and/or inspectors’ performance. The MEDA event investigation is basically an interview with the person whose performance led to the event, with the objective of finding out what errors (unintentional) or violations (intentional, e.g., deviation from regulations, company policies, process or procedures) occurred and which contributing factors allowed those errors/violations to happen.
The model used by the MEDA philosophy is analogous to the HFACS framework introduced in Sect. 25.1: a maintenance technician or inspector works within an immediate environment under supervision within an organization, and a failure at any of these levels can contribute to an event. The fundamental philosophy behind MEDA is:
• A maintenance-related event can be caused by an error, by a violation, or by an error/violation combination.
• Maintenance errors are not made on purpose.
• Maintenance errors are caused by a series of contributing factors.
• Violations, while intentional, are also caused by contributing factors, and
• Most of these error or violation contributing factors are under the control of management, and, therefore, can be improved so that they do not contribute to future, similar events.
The main pillars of the MEDA philosophy are the MEDA Results Form and the MEDA Interview with the technician and/or inspector.
The MEDA Results Form
The MEDA Results Form used to apply the methodology is a predefined four-page format structured in six sections.
• Section I—General Information. When, where, and to what the incident occurred: airline, station, aircraft and engine type, aircraft designator, ATA, zone, references to similar events, interviewer information, date and time of the event, date of investigation, shift during which the event occurred, type of maintenance, implementation of corrective actions dates, etc.
• Section II—Event. Selection of the Event category: Operations Process Event (Delay, Cancelation, Return to Gate, In-Flight Shut Down, Air Turn-back, Diversion, Smoke/fumes/odor event, Others), Aircraft Damage Event, Personal Injury Event, Rework (didn’t pass ops check/inspection), Airworthiness Control, Found during Maintenance, Found during Flight, or Other Events.
• Section III—Maintenance System Failure. Whether caused by an error or a violation, the maintenance system failure (the Active Failure) leads directly to the event. There are eight major system failures listed in the form and a ninth box provision for other failures:
– Installation failure,
– Servicing failure,
– Repair failure,
– Fault isolation, test, or inspection failure,
– Foreign object damage/debris,
– Airplane or equipment damage,
– Personal injury,
– Maintenance control failure,
– Others.
• Section IV—Chronological Summary of the Event. Summary of the Event in chronological order and contributing factors found during the interview.
• Section V—Summary of Recommendations. It is recommended to summarize each recommendation associated with the identified contributing factors. The strategies proposed for preventing system failures are:
– Error reduction/Error elimination: try to improve task reliability by eliminating or reducing the adverse conditions that have increased the risk of maintenance error.
– Error capturing: tasks performed specifically to catch an error made during a maintenance task, e.g., Independent Inspection or Re-inspection, operational or functional test, or verification steps.
– Error tolerance: allows a system to remain functional even after maintenance error, e.g., staggering dual maintenance into different maintenance visits or having it performed by different technicians.
– Audit Programs: audits do not address specific contributing factors but may identify systemic conditions that may contribute to error.
• Section VI—Contributing Factors Checklist. The last part of the report helps to identify the contributing factors with the following categorization. Once the category is selected, a description of how each factor contributed to the system failure follows.
– Information,
– Ground support equipment, tools, and safety equipment,
– Aircraft design, configuration, parts, equipment, and consumables,
– Job or task,
– Knowledge and skills,
– Individual factors,
– Environment and facilities,
– Organizational factors,
– Leadership and supervision,
– Communication.
[2] Maintenance Error Decision Aid (MEDA) User’s Guide. Boeing. September 2013.
The MEDA Interview
The Interview is the most important part of the investigation as it makes it possible to identify the contributing factors to the error or violation. The use of Cognitive Interviewing principles is recommended to increase the amount of information that can be recalled. These principles are summarized in the following stages:
• Develop and maintain good rapport.
• Encourage the interviewee to be actively involved.
• Help the interviewee concentrate.
• Use open, simple, and unbiased questions.
• Listen actively.
• Use a communication style to suit the interviewee.
• Work as a team with other interviewers.
It is recommended that the interview team is formed by no more than two people trained on MEDA; when only one person is doing the interview, it is less threatening to the technician.
Chapter 29
Continuous Improvement Methodologies and Tools
The previous chapter introduced some Proactive Problem Solving tools as continuous improvement methods for when potential safety-related issues are detected, usually triggered by an occurrence when a high-risk scenario is identified. In addition to the safety enhancement, there are several methodologies/philosophies that can be used for the continuous improvement of the organization’s processes to make them more effective and efficient. Effective processes are those that achieve their purpose, producing the intended or expected result; efficient processes are those that perform with the least waste of resources (budget, staff, time, material, effort, etc.).
This chapter introduces four methodologies that have proved to be valuable across different types of industries:
• Lean focuses on minimizing waste (fewer resources).
• Kaizen improves all aspects of the organization through process standardization, increasing efficiency and eliminating waste.
• Six Sigma focuses on improving the quality of the final product or service by finding and eliminating causes of defects.
• Agile encourages teamwork and self-organization to achieve quick response to changes.
These methodologies are not mutually exclusive and under certain criteria can be integrated, e.g., giving way to Lean Kaizen, Lean Six Sigma, or Lean Agile. Actually, despite the differences in the approach of each method, on many occasions, they make use of the same continuous improvement tools. This is the reason why the first part of this chapter introduces the methodologies and the second part describes some of the tools.
Although these methodologies are suitable to be adopted within a function of the organization, the noticeable benefit is amassed when they are applied to its entire structure, when everyone is engaged in the continuous improvement culture, from managers to non-managerial employees.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_29
The use of continuous improvement methodologies can direct the organization toward Process Excellence, making all its activities more effective and efficient. It is the first step toward Operational Excellence, a broader concept that encompasses not only the continuous improvement of processes but also the integration of these methodologies and other improvement tools (project management, innovation, etc.) within the Management Systems of the organization: safety culture, continuous improvement culture, people, resources, etc., so that they function optimally together through streamlined processes.
29.1 Continuous Improvement Methodologies
29.1.1 Lean
The core of the Lean methodology is reducing waste and adding value in every process. Its origin goes back to the 1940s when Toyota established the foundations of Lean manufacturing, aiming to eliminate activities that did not add value to the end product, which resulted in significant productivity and efficiency improvements. The “Lean” term and its five principles would be coined years later during the 1990s. The notable impact of Lean thinking not only changed the manufacturing industry but has also spread and succeeded across many others.
29.1.1.1 Lean Principles
The Lean methodology provides a five-step cycle approach as guidance to implement the Lean measures:
• Identify Value: how the product or service meets the customer values. It requires designing the processes to meet the customer needs and removing the features that do not add value. In order to know what the customer needs are, it is necessary to engage with customers through interviews, surveys, or data analytics, e.g., analysis of complaints, discrepancies, etc.
• The Value Stream: the life cycle of a product or service. It requires identifying all steps in the process and eliminating those that do not add value. The Value Stream Mapping (VSM) is indicated as the right tool to analyze the current state of the processes for identification and segregation of value-added from non-value-added steps.
• Create Flow: the sequence of steps necessary to create a product or service. It requires making the value-added steps occur in an efficient manner (flow).
• Establish Pull: production based on the demand. It requires creating pull between all steps in the process, if continuous flow is possible.
• Seek Perfection: continuous improvement. The four previous steps are only the beginning of the Lean cycle, but in order to keep eliminating waste it is necessary that the company culture aims to continuously optimize the processes. Kaizen is likely the most appropriate methodology to create a continuous improvement culture at all levels in an organization.
The Lean principles can be integrated within the PDCA and the DMAIC Cycles detailed in the following paragraphs.
29.1.1.2 Types of Waste: The 3M Lean Model
The Lean methodology focuses on eliminating activities that consume resources but do not bring any added value (waste). The 3M Model is used to explain the three types of waste (in Japanese terms): MUDA, MURA, and MURI.
MUDA is the Japanese word for waste, and it refers to non-value-added activities. Some non-value-added practices, e.g., audits, are still necessary to ensure the quality of the product or service; these are classified as MUDA Type I. All the other non-value-added activities, which are strictly considered as not necessary, are classified as MUDA Type II.
According to the reason for the waste, MUDA is classified into eight categories under the TIM WOODS acronym. It is used as a framework to define the types of waste that can be found in a process:
• Transport: movement of people, products, and information from one place to another that could endanger their integrity, e.g., transferring information from a system to a spreadsheet.
• Inventory: cost associated with parts and documentation not on a Just in Time (JIT) basis. JIT refers to the workflow method of producing only the amount of goods needed to meet the demand.
• Motion: unnecessary movement of tools, equipment, or people, e.g., moving between locations for material or a meeting.
• Waiting: wasted time waiting for parts, equipment, tools, information, instructions, etc.
• Overproduction: producing more than the next process needs, causing excessive inventory or work waiting for further processing.
• Overprocessing: excessive standards not required by the customer, e.g., unnecessary information or unnecessary people in an email or meeting.
• Defects: failure of a product or process to meet the specifications, requiring rework or scrap.
• Skills: underutilized staff capabilities, task delegation, or knowledge transfer.
MURA is translated as unevenness, non-uniformity, irregularity. MURA refers to the varying workload that is usually associated with the customer demands, and that ends with bottlenecks when the demand is high and with wasted human resources when it is low. To eradicate MURA, it is necessary to make use of JIT strategies and integrate appropriate reporting systems; the Lean tools that can assist in producing the right work and the right amount of work at the right time are based on pull strategies such as Kanban (see 29.2.4).
MURI is overburden, strain, or unreasonable work, usually the result of MURA: working in a process without training, unclear instructions, lack of proper tools and equipment, unreliable processes, poor communication, etc. The effects of MURI are directly related not only to inefficiency but also to any type of Human Factors: pressure, stress, lack of awareness, etc. Tools such as 5S, Poka-Yoke, or automation can help to kill the MURI evil.
MURA and MURI are not waste as such but are considered the catalysts of MUDA. The MUDA TIM WOODS categories are symptoms of failure to handle MURA and MURI. In broad terms, by eliminating MURA and predicting the process flow, the deficiencies of MURI within the process are highlighted and can therefore also be eliminated, which in turn leads to the elimination of MUDA.
29.1.2 Kaizen
Kaizen is a Japanese word meaning “Change for Better (Improvement).” The Kaizen philosophy aims to create a culture where all employees are engaged in the continuous improvement of the processes of the organization. As with Lean, the origins of Kaizen are usually traced back to Toyota. The Kaizen philosophy is supported by the PDCA Cycle, based on the thinking that small and incremental changes, which are easy to implement, can bring large positive improvements. Kaizen has a dual nature:
• As a philosophy, building the continuous improvement culture, and
• As an action plan, through Kaizen Events, to address specific areas of improvement within the organization.
A Continuous Action Plan of Kaizen Events throughout the entire organization is the basis for the success of the Kaizen philosophy. Kaizen empowers the voice of the employees, those doing the job, through suggestion schemes. These are the means to encourage employees to detect deficiencies and areas of waste and to propose solutions, e.g., through Kaizen suggestion boxes or rewards for suggestions.
29.1.2.1 The PDCA Cycle
The PDCA Cycle (Plan-Do-Check-Act), also known as Deming Cycle, is an iterative four-step model to support problem solving, continuous improvement, and managing process changes. The framework has been utilized by different standards and methodologies, amongst them ISO 9001, Lean, and Kaizen.
The model is structured into the following steps:
• Plan: identify the problem or opportunity to change, collect relevant data, understand the root cause, and establish objectives and solutions.
• Do: test the solutions at small scale and collect data. Solutions applied at small scale cause minimal operational disruption, and they can later be incrementally implemented at larger scales.
• Check: analyze the data gathered during the Do phase for effectiveness and decide if the solution is appropriate, requires adjustment, or is not effective.
• Act/Adjust: if the solution does not work, the cycle needs to be repeated with a different plan or adjustments to the plan; if the implementation of the solution is successful, the lesson learned can be standardized and implemented into wider changes. In any case, the Act phase becomes the basis for the next PDCA iteration.
Simple tools such as the Five Why Analysis or the Cause and Effect Diagram (Ishikawa) are appropriate during the Plan and Check phases. The PDCA Cycle does not look for perfection in just one iteration, but only for what can be practically achieved. Trying to reach excellence in a single move may lead to Analysis Paralysis, with no solution implemented. Excellence is expected from small but continuous improvements.
Fig. 29.1 PDCA cycle
29.1.3 Six Sigma
Six Sigma is a methodology that provides a set of tools and techniques designed to seek a solution to any variation or defect that is present in a process. The conventional strategy assumed that if the products or services were of good quality, then the performance standards were correct, but the efforts were largely overlooked and unquantified. The first objectives of Six Sigma were drafted by Motorola during the 1980s and initially focused on statistical methods that targeted a process mean (average) of six Standard Deviations away from the closest specification limit, translated to a target of 3.4 defects per million operations. Six Sigma follows its own cyclic methodology known as the DMAIC Process.
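The 3.4 figure can be reproduced from the normal distribution, as an added example that is not part of the book. It assumes the conventional 1.5-standard-deviation long-term shift of the process mean, which the text does not mention, and counts only defects beyond the nearest specification limit; the function names and the sample counts are constructed for illustration.

```python
"""Added example: relating a sigma level to defects per million."""
from statistics import NormalDist

STD_NORMAL = NormalDist()   # standard normal: mean 0, standard deviation 1
LONG_TERM_SHIFT = 1.5       # assumed conventional drift of the process mean
MILLION = 1_000_000


def dpmo_from_sigma(sigma_level, shift=LONG_TERM_SHIFT):
    """Defects per million when the nearest specification limit lies
    `sigma_level` standard deviations from the mean and the mean has
    drifted `shift` standard deviations toward that limit."""
    # One-sided tail beyond the limit; cdf(-z) avoids the precision
    # loss of computing 1 - cdf(z) for large z.
    tail = STD_NORMAL.cdf(-(sigma_level - shift))
    return tail * MILLION


def sigma_from_dpmo(dpmo, shift=LONG_TERM_SHIFT):
    """Inverse of dpmo_from_sigma: the sigma level that corresponds to
    an observed defect rate."""
    if not 0 < dpmo < MILLION:
        raise ValueError("dpmo must lie strictly between 0 and 1,000,000")
    return shift - STD_NORMAL.inv_cdf(dpmo / MILLION)


def observed_dpmo(defects, units, opportunities_per_unit):
    """Defect rate per million from counted defects. An 'opportunity' is
    one chance for a defect, e.g., one checked field on a task card."""
    total = units * opportunities_per_unit
    if units <= 0 or opportunities_per_unit <= 0:
        raise ValueError("units and opportunities_per_unit must be positive")
    if not 0 <= defects <= total:
        raise ValueError("defects must lie between 0 and the total opportunities")
    return defects / total * MILLION


def sigma_table(levels=(3.0, 4.0, 5.0, 6.0)):
    """Rows of (sigma level, defects per million with the shift,
    defects per million without it)."""
    return [(s, dpmo_from_sigma(s), dpmo_from_sigma(s, shift=0.0))
            for s in levels]


if __name__ == "__main__":
    print("sigma   with 1.5 shift   without shift")
    for level, shifted, unshifted in sigma_table():
        print(f"{level:5.1f} {shifted:16.2f} {unshifted:15.5f}")

    # Constructed sample: 12 defects found in 4000 task cards,
    # each card offering 5 opportunities for a defect.
    rate = observed_dpmo(defects=12, units=4000, opportunities_per_unit=5)
    print(f"observed rate: {rate:.0f} per million, "
          f"sigma level {sigma_from_dpmo(rate):.2f}")
```

Without the shift, a limit six standard deviations from the mean gives about one defect per billion rather than 3.4 per million, which is why the assumption matters when sigma levels are compared.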
29.1.3.1 The DMAIC Process
The DMAIC Process (Define-Measure-Analyze-Improve-Control) is a framework for improvement, analogous to the PDCA Cycle, structured in five stages:
• Define the business opportunity and establish the goals,
• Measure the process current state and collect relevant data,
• Analyze the data and determine the Root Causes for the defect under consideration,
• Improve the current process creating a future state process that reduces/eliminates waste and variation, and
• Control the future state process to sustain the results.
The DMAIC Process is repeated until the desired results are achieved. The phases of DMAIC and PDCA are comparable: the Plan phase of the PDCA corresponds to the Define-Measure-Analyze phases of the DMAIC.
29.1.4 Agile
The Agile methodology is an iterative approach to project management in which the work is delivered in small portions at each delivery cycle, which provides the opportunity to gather feedback, respond to changes quickly, and redefine the project in accordance with the needs. Agile empowers self-organized cross-functional teams, groups of individuals with different functional expertise working toward the same goal. Agile was initially conceived for software development but has crossed the barriers and demonstrated its benefits in many other industries with highly dynamic environments, especially when handling innovation or creative projects.
The Agile iterative model is based on the PDCA Cycle (Iteration Planning, Iteration Execution, Iteration Review, and Iteration Retrospective), where each iteration has a defined fixed time. Shorter iterations allow more frequent opportunities to measure the progress and use feedback.
29.2 Continuous Improvement Tools
29.2.1 Process Mapping
A Business Process is the sequence and interactions of the activities necessary to produce a product or service: the flow of work. The main purpose of process mapping is to gain understanding of how the process works (current state of the process) or how a new or adjusted process would work (future state). Process Maps are very versatile and serve not only to document processes but also for several other purposes such as process analysis, process improvement or redesign, simulation, measurement, training, retention of knowledge, etc.
A Process Map can be drawn for any set of activities where there are inputs and outputs; the full benefit comes when the Business Process Map covers the entire organization's processes and interactions, as it is then possible to establish whether it is aligned with its policies. A Process Map facilitates the visualization of how a process impacts other processes or the end product or service; it is especially useful to assess process links (when the output of a process is the input of a different process), which are usually the most critical elements of the organization, where latent conditions and risks are more present, e.g., due to lack of communication or lack of teamwork between process owners.
Types of Process Maps
There are several types of Process Maps depending on the level of detail required and the purpose for which the map is required. The three following types are a representative example of the process mapping tools that can be used for continuous improvement:
• SIPOC: high-level Process Map that summarizes a process from the beginning to the end, focusing on the essentials; it does not include much detail. SIPOC stands for Suppliers, Inputs, Process, Outputs, and Customers. The SIPOC focuses on the inputs and outputs of the process (material, products, services, or information), rather than on the individual activities. A modified SIPOC, the SIPOC-R, includes the Process Requirements. These are the details about the regulations, specifications, and/or acceptance criteria needed from the process output. SIPOC/SIPOC-R is the first step to understand a process and is a useful introduction to the process during Kaizen Events, the Plan phase of the PDCA Cycle, or the Define phase of DMAIC.
• Swimlane Map (Cross-functional Map): flow chart that sequences the activities of processes and subprocesses and separates the responsibilities into lanes. It can be drawn at high level with information on the major process steps, stakeholders, and their interfaces, or with greater detail of the activities within the process. This type of map is typically used to document Business Processes (in lieu of the SOP system) and, like the other types, is used for continuous improvement: identification of waste, bottlenecks, weaknesses, etc. The Business Process Model and Notation (BPMN) is a standard used for Business Process Mapping, suitable for Swimlane Map drawing, that provides a graphical notation easy to understand and interpret: events, activities, gateways, and connections.
• Value Stream Map (VSM): displays the critical steps of a process, quantifying and detailing the resources required (e.g., material, information, time) at each stage for the process to flow. VSMs are used to understand which are the value-added activities and the non-value-added activities within the process, with the objective of eliminating waste.
Business Process Map versus Standard Operating Procedures (SOP)
A Standard Operating Procedure (SOP) is a written instruction on how a process works. The SOP details the high-level steps of the process being described (the activities necessary to complete the process) and assigns ownership and responsibilities. The specifications about how to carry out the procedure or any of its activities are given in a more detailed document that describes the step-by-step activities (including equipment, tools, and methods): the Work Instruction (WI).
SOPs have been used traditionally to systemize and document business processes and to show compliance with the regulations and the organization’s policies; however, SOPs present a series of disadvantages in comparison with Business Process Mapping. The development, maintenance, and organization of SOPs are time consuming and require a high volume of documentation, the workflow may be difficult to interpret, and they can rarely be used as improvement tools. On the other hand, Business Process Maps present several advantages over conventional SOPs when documenting processes: they can be built in considerably less time, are easier to organize and maintain, are more visual, keep the workflow aligned, are easier to understand, and represent a basic tool for process improvement. Business Process Mapping is a preferred method to document processes.
Nowadays, the Business Process Map software or platforms that may be developed by any organization already incorporate provisions to provide further details for each activity if the process map is not clear enough. These explanations should be kept to the minimum needed to ease the understanding of the process. Additionally, these software/platforms usually allow linking Work Instructions, Forms, Check Sheets, Standards, etc. when more detailed information to perform an activity or supporting documentation is required.
29.2.2 The Re Method: Eliminating Overprocessing Waste
The Re method is one of the simplest and most straightforward tools that can be used to reduce overprocessing waste (one of the waste types of the TIM WOODS model). “Re-” is a Latin prefix that indicates repetition (again), e.g., repeat, reinspect, re-do, rework, reevaluate, reprogram, recollect, etc. The method consists in identifying all steps of the process that indicate activity duplication. It is not limited to activities starting with Re- but extends to words such as check, verify, or ensure. The identification of duplicate activities is relatively easy when the Business Process Map is already developed.
As seen in the previous paragraphs, there are two types of MUDA waste. The Re method consists of identifying which activities are MUDA Type I (non-value added but necessary) and which are Type II (not necessary). MUDA Type II activities can be eliminated from the process as soon as they are detected. MUDA Type I usually includes activities aimed at ensuring that we are operating outside the Risks area of the Triangle of Airworthiness; it requires a touch of engineering judgment to analyze whether the activity is reasonable, e.g., whereas it makes sense that a second person verifies the triggers and applicability of an Engineering Order related to an Airworthiness Directive, having a second person verify that there are no spelling errors in the whole document may be a waste of time.
29.2.3 6S Method
The 6S method, also known as 5S + Safety, is used to organize and improve the working environment for effectiveness and efficiency. A preliminary step for applying the 6S method is to know the work process, so it may be a good idea to go for the 6S after a Business Process Mapping exercise. The 6S is divided into five stages, derived from Japanese words, and a sixth stage, Safety, that is to be applied during those five steps:
• Seiri (Sort): identify and remove/archive all the items in the workplace that are not needed to perform the work. It facilitates the search for the required items, reducing time and distractions, and also eliminates obstacles (hazards). Items refer not only to physical workspace things (equipment, tools, materials) but also to the virtual workspace (files, folders, emails, SOPs, WIs, Business Process Maps, non-interfaced databases storing the same information, etc.).
• Seiton (Straighten/Set): organize all the remaining items based on their function, using ergonomic principles to make them available when required. Each item should have an assigned location and clear identification (equipment labels, files or folders appropriately named, etc.). Seiton eases the search for the items, helps to spot when items are not returned, reduces movement waste, and facilitates process flow.
• Seiso (Shine): clean the workplace and keep it pleasing on a regular basis. It allows the identification of more items that are not needed and that were omitted during the Seiri phase, or of better ways of organizing the items that were not taken into consideration during the Seiton phase.
• Seiketsu (Standardize): establish new norms and procedures based on the previous stages and monitor adherence.
• Shitsuke (Sustain): apply the developed norms and procedures until they become habitual, part of the workplace culture. It may require training sessions, regular audits, checklists, etc.
• Safety: apply the safety principles during all the above stages to identify and eliminate hazards. If needed, use a risk assessment method, e.g., Safety Risk Assessment Matrix (see Chap. 23).
The implementation of Visual Management principles during the Seiton stage (Straighten), using instinctive visual means to communicate key information (standards, warnings, etc.), makes the workplace speak and improves safety. The 6S method works in any area of an organization and contributes not only to eliminating waste but also to enhancing the culture of safety.
29.2.4 Scrumban: Scrum and Kanban
Following the Visual Management tools, Scrumban is a Lean/Agile methodology that results from combining the Scrum and Kanban methods as an approach to workflow management.
Kanban, a Japanese word translated as “billboard,” was originally a Lean manufacturing tool used as a visual scheduling system that was designed to improve Just In Time (JIT) by eliminating bottlenecks and producing only the amount of products/services that were needed to meet the demand. The main tool was the Kanban board, which made the status of each task within the process (requested, in progress, and done) visible to the team, and in which the number of in-progress tasks was limited in order to ensure an optimal pace of work without exceeding work capacity.
On the other hand, Scrum is an Agile tool, initially conceived for software development to facilitate the iterative Agile philosophy for complex products: breaking the work into smaller goals that can be completed within each delivery cycle (iteration, also called sprint). Scrum defines specific roles (scrum master, product owner, scrum team) under relatively strict rules.
The hybrid methodology leverages Scrum for agility and Kanban for continuous improvement, eliminating the rigidity and the specific roles of the Scrum method and maintaining the iterative approach, while Kanban provides the visual workflow tool, allowing an overall flexible method. As happens with most of the continuous improvement tools, Scrumban requires knowing the business processes well, and it is necessary to refer again to the importance of Business Process Mapping as a preliminary activity to any other improvement task.
The Kanban methodology itself, and consequently Scrumban, has evolved from Kanban boards to more sophisticated means: emails, sensors, electronic dashboards, etc. Virtual solutions to manage the workflow and backlog with board automation are commonplace through a variety of software, e.g., Agilo for Trac (open source) or JIRA, or aviation specialized software such as Ground Star. These software applications allow the use of the Scrum, Kanban, and Scrumban principles and can provide a platform to illustrate the status of each activity, discuss tasks, track time, issue automatic reports, perform quality control, etc. Workflow visualization allows the stakeholders to analyze metrics and adjust priorities (data-driven decision making). The acquisition of data may require that the (Scrumban) software is interfaced with other management software or databases.
The Scrumban methodology is applicable to most of the aircraft maintenance business areas and is especially useful for optimizing staff capacity management. The use of Scrumban shows plenty of benefits, amongst them: it allows real-time process tracking, optimizes the process workflow, serves as a repository of information, and is a useful tool to eliminate many of the TIM WOODS wastes, e.g., minimizing meetings, progress reports, interruptions, etc.
29.2.5 Poka-Yoke
Mistake-Proofing, from the Japanese words Poka-Yoke, is any element of the process that is designed with the purpose of preventing human errors. For example, when an assembly requires the use of four screws for installation, the screws can be yellow coated and packaged in batches of four, so screws missing from the package and from the installation are easily detectable. Another example is maintenance software that pops up a warning, for the attention of the staff, when a Maintenance Requirement is set up without applicability or threshold/interval triggers. The ergonomics approach followed during the aircraft design as per CS/FAR 25 is another example of the Poka-Yoke application.
Theoretically, a fully mistake-proof element (an element with zero error/mistake tolerance) would eliminate the necessity of the 100% quality control practices. The Poka-Yoke process exercise can be adapted from the following steps:
• Review each step of the Process Map and identify where human errors are likely to happen.
• Find the root causes for each potential error.
• Design a solution that prevents the error from occurring or that detects the mistakes as they occur.
• If there is no solution that makes the error impossible:
– Design a solution that minimizes the risks to an acceptable level, and/or
– Establish a quality control method/element, e.g., an independent inspection.
Poka-Yoke not only minimizes the probability of human errors but can significantly reduce all types of waste.
29.2.6 Gemba Walk
Gemba is the Japanese word for “the real place,” meaning the place where the value is created, where the real work occurs. The Gemba Walk is one of the main Lean tools used for continuous improvement by managers and supervisors, who may be submerged in data, reports, meetings, etc. and lose sight of what is really going on. Gemba allows them to connect or reconnect with the processes through regular walks to observe how the process activities are carried out and through talks with the staff who do the job.
Each Gemba Walk focuses on a specific area, e.g., safety, efficiency, effectivity, or some of the TIM WOODS wastes, in line with the Kaizen philosophy: great changes start with small but steady improvements. The manager/supervisor should prepare specific questions and a Gemba Checklist if appropriate. Gemba is useful to listen to the concerns of the employees about specific activities, ask questions, where the Five Why method can be of assistance (see Sect. 28.1.1), gather information, detect areas of waste, and note opportunities for improvement. The Gemba knight-errant should possess at least some basic knowledge of Lean principles and tools to be able to identify these areas of waste and opportunities.
Gemba should not lead to punitive actions but should foster a positive environment where the staff is willing to share information; nor is Gemba an instant recommendation process, just a data collection process. After the Gemba Walk, when all the data and ideas are analyzed and organized, they should be communicated to the concerned team. Kaizen Event(s) may be called to focus the efforts on specific projects for improvement on the weak areas detected during the Gemba Walk.
29.2.7 Kaizen Events
A Kaizen Event is a workshop whose objective is to improve a business area or process. It can be part of the schedule of the Kaizen Continuous Action Plan or triggered by a Gemba Walk or an occurrence where weaknesses or waste have been revealed. The duration of a Kaizen Event depends on the complexity of the subject process and the scope of the event, usually lasting from a few hours up to a week.
Before the event, it is necessary to identify the area/process of improvement and define specifically the scope and goals of the event. In order to provide an overall perspective of the process and of potential changes, the Kaizen Event team should be diversified. It is usually formed by 6 to 10 people, including:
• a facilitator with knowledge and experience in continuous improvement methodologies and tools,
• staff directly involved in the process (about 50% of the team),
• experts on the process,
• staff that provide input to the process, if considered advantageous,
• staff that receive output from the process, and
• third-party/observer not directly involved in the process.
The participation of the management is usually limited so the solutions offered by the Kaizen Event team are not restricted by their influence. Although managers usually have their role at the time of deciding about the implementation of the solutions proposed during the event, especially if there are costs involved, the team should be empowered to take decisions.
The Kaizen Event can be defined in the following steps:
• Explanation of the event, background, scope, and objectives.
• Introduction to the types of waste, the continuous improvement methodologies in use, and training on the tools relevant to the event.
• Brainstorming.
– Draw the Process Map current state, if not available, and gather data about how things are performed at present.
– Analyze the process. Make use of the Lean tools to identify wastes, deficiencies, and areas of improvement: Value Stream Mapping, Five Why Analysis, Cause and Effect Diagram, Bow-Tie Diagram, FMEA, etc.
– Achieve a consensus and provide solutions/draw the Process Map future state.
– Document the new standard.
– Propose an implementation plan to offer minimum operational disruption.
• Write the Kaizen Event Report summarizing the current and future states of the process and the results of the brainstorming sessions. Also, include any other solutions that were proposed but did not reach agreement; they may be valuable in the future.
Following the PDCA Cycle, once the implementation of a new solution is approved, test it, gather data to analyze its effectiveness, and, if successful, standardize the work and make a wider/total implementation. In addition to all the obvious benefits of the Kaizen Events (waste reduction, process optimization, and safety improvement), these events are a good opportunity to engage the staff, improve teamwork, and ensure their commitment to continuous improvement.
Chapter 30
Decision Making
Applying Problem-Solving methodologies, Continuous Improvement strategies, and Innovation projects, and especially performing the day-to-day tasks, requires taking informed decisions. There are plenty of methods that can help to make the right decision, e.g., Brainstorming, Multivoting, Pro/con technique, Trial and Error, Decision tree, Decision matrix, the Affinity Diagrams, the Game theory, SWOT Analysis, Pareto Chart, etc. Incorporating data and analytics into the decision-making process (data-driven decision making) can provide the organization with consistent and confident solutions. An effective Decision-Making process usually requires following a number of steps: gather relevant information, identify alternatives, weigh the pros and cons of the different options, choose amongst the different alternatives, and take (the most appropriate) action. This chapter introduces two techniques that can benefit the organization in these regards: Business Intelligence (BI) and the Cost–Benefit Analysis (CBA).
30.1 Business Intelligence (BI)
Business Intelligence (BI) refers to the technology and processes that enable an organization to analyze data in order to support the decision-making process, e.g., tools that present data and provide Key Performance Indicators (KPI) in the form of dashboards, summaries, reports, graphs, charts, queries, etc. Business Intelligence includes all those systems that transform data into patterns and trends in a visual context to be easily interpreted. BI allows data from multiple data sources to be integrated for efficient access, with numerous platforms and software solutions available on the market to provide unified data visualization.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_30
While BI used to be based on past Small Data that was manageable by the human being, the current technologies and the explosion of available data, including real-time data, are changing the ways in which the information is processed and analyzed. As the data volume grows, it becomes more important to make use of technology to extract meaningful information that helps us to make decisions.
Key Performance Indicators (KPI)
Business Metrics are the measures used to track, monitor, and assess the performance or progress of the organization’s processes. Successful BI requires avoiding irrelevant or unnecessary figures and selecting only the right metrics, the Key Performance Indicators (KPIs), that show in numbers (measure and target) what is important to achieve goals and objectives for a particular audience. The selection of KPIs is likely the most challenging task at the time of developing a BI system; a widely recommended rule is that KPIs follow the SMART criteria:
• Specific: description of the KPI, what exactly it measures.
• Measurable: measure that allows the progress to be monitored.
• Achievable: the KPI should be realistic, given the available resources.
• Relevant: important to the organization’s function goals and objectives.
• Timely: the measure is for a specified time frame.
The most relevant KPI areas to the Maintenance Program function are those attributed to the Triangle of Airworthiness:
• Safety: Safety Performance Indicators (SPI) are used to monitor and assess the safety performance, e.g., number of mandatory/voluntary reports received, number of accidents or incidents, number of new hazards identified through the Reporting System, % of the overall budget for new risk control, number of safety communications published, etc.¹
• Reliability: the metrics and alert levels defined in Sect. 17.2.2.1 of this book act as KPIs to measure the effectiveness of the AMP and the operational performance. Measuring scheduled versus unscheduled maintenance can also be a useful KPI to assess reliability performance.
• Quality: quality KPIs serve to assess the success of the QMS or Compliance Monitoring function, e.g., average findings per audit, number of significant findings versus total number of findings, number of repeat findings within the last audit planning cycle, average lead time for completing corrective actions, number of changes to SOPs, etc.
Other metrics that are usually relevant to most of the functions of any organization are related to efficiency and productivity.
1
Measuring Safety Performance Guidelines for Service Providers. Safety Management International Collaboration Group (SM ICG). 16 July 2013.
30.2 Cost–Benefit Analysis

The need for a Cost–Benefit Analysis has been constantly repeated throughout the book: in the Modification Embodiment Policy (Sect. 8.4), in the AMP Evolution/Optimization (Sect. 12.1) or when adopting Safety Mitigation actions (Chap. 23). The Cost–Benefit Analysis is an economic evaluation used to weigh the costs involved in doing something against the advantage or profit that it may bring.

While the Decision-Making process related to Safety issues or initiatives (apart from mandatory Airworthiness Requirements) often does not require an economic justification and there are no ifs or buts, it is true that sometimes an organization may choose not to consider an option because it does not actually know the numbers. A Cost–Benefit Analysis is an appropriate method to explain why a decision is made: the CBA provides objectivity because it is based on numbers and it demonstrates that the initiative has been matured.

The guidelines to perform a CBA can be summarized in the following steps:

• Establish a framework for the CBA defining the goals and metrics that will be used to measure and compare benefits and costs.
• Identify and categorize projected costs and assign financial values:
  – Direct costs: expenses directly related to the implementation of the decision, e.g., an SB kit, a modification package, an upgraded component, manpower, software licenses, etc.,
  – Indirect costs: overhead expenses, usually fixed, that apply to more than one business activity, e.g., rent, utilities, electricity,
  – Downtime cost: loss of revenue derived from ceasing an activity, e.g., grounding an aircraft for a modification,
  – Intangible costs: unquantifiable or difficult to quantify costs generally of negative nature, e.g., operational interruption, reduced productivity, satisfaction, morale, or reputation,
  – Opportunity costs: lost benefits or opportunities of choosing one alternative over another (the cost of not choosing the best alternative).
• Identify and categorize the expected benefits and assign financial values. The benefits are quantified in a way analogous to the costs (direct, indirect, intangible, and competitive benefits).
• Assign financial values to costs and benefits (Euros, Dollars, etc. in the same currency).
• Compute the total value of costs, the total value of benefits, and compare.
• Project the timeframe required for benefits to repay costs: Return on Investment (ROI). When the decision involves long timeframes, it is necessary to adjust the cost/benefit forecast to take into account variables such as the inflation or the discount rate to make the analysis accurate.
• Analyze the results:
  – If the total costs outnumber the total benefits, the proposal should be reconsidered to identify potential cost reductions or in favor of an alternative.
  – If the total benefits outnumber the total costs, a final recommendation can be issued.
• Verify that the proposed solution reaches the goals established in the first step.
• Initiate a Business Case capturing the CBA and other analyses reasoning the recommendation (gap analysis, risk assessment, etc.).

In addition to considering different alternatives, a With/Without Analysis may be useful in cases when it is necessary to assess the impact of the decision in order to estimate not only what the situation would be with an option but what it would be without the initiative.

While performing a CBA, there are several uncertainties that can influence the results, distorting the analysis, but that must be assumed, e.g., some costs/benefits cannot be translated to a monetary value or the value of intangibles is subject to interpretation. CBA is a useful tool to choose the option that will generate the higher value and to justify whether an initiative is worthwhile.
Chapter 31
Innovation
Following the idea of Operational Excellence introduced in the previous chapters, Innovation is likely one of the fundamental pillars through which an organization introduces new solutions to improve the business, its processes, and finally, the output of those processes: the product or service. Although innovation is usually related to invention, it actually refers to the introduction of new concepts, methodologies, products/services, or processes as methods of improvement that may already exist in the market, perhaps to be adopted and adapted from a different sector. Innovation changes how the work is accomplished in order to create value: safer processes or products/services, increased efficiency, reduced costs, etc.

In the framework of the so-called Fourth Industrial Revolution, the available new technologies are leading to higher levels of automation, digitalization, and secure data exchange, with the potential for Artificial Intelligence. One of the main enablers of the revolution in aviation is Paperless Aircraft Operations (digital publications, AMP source documents XML updates, electronic records, electronic logbooks, electronic signatures, RFID, audit trails, encryption of data, connectivity, etc.), which allows the industry data standards to be aligned and improves compliance, efficiencies, and cost reductions.¹ Real-time predictive maintenance is becoming a reality and the transition to prescriptive maintenance is already possible by using Big Data Analytics and Machine Learning, where data sharing enters the equation to lead the aviation industry to more efficient and safer scenarios.

These new technologies present numerous opportunities but also challenges such as Data Security, which is pushing cybersecurity to evolve as a management system. Data protection technologies such as Blockchain will likely have a predominant role in the near future.

This chapter introduces some of the innovative technologies that are changing aircraft maintenance and its work environment.

¹ Guidance Material for the implementation of Paperless Aircraft Operations in Technical Operations. IATA. Release 1-November 2017.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022. D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_31
31.1 Automation

Automation refers to any technology that can perform a process or activity with minimum human intervention, from Robotic Process Automation (RPA) software applications that facilitate repetitive business process tasks to automated devices that ease aircraft inspections. Although automated systems can incorporate a certain degree of autonomy, meaning that they can use Artificial Intelligence/Machine Learning to make decisions when the conditions change, as will be shown in the next section of this chapter, the two terms should not be confused.

31.1.1 Robotic Process Automation (RPA)

Robotic Process Automation (RPA) uses software (a bot or virtual workforce) to perform a business process by watching how the user performs that task and replicating the activity. Like a human, once the bot is configured, it can handle actions between multiple systems and applications: copy-paste, update information, data entry and migration, data validation and correction, preparation of periodic reports, generation of emails, archiving, and a long etcetera.

RPA is used to automate repetitive, error-prone, or time-consuming processes with low rates of exceptions that involve the management of digital data. RPA bots are relatively easy and quick to configure, and the benefits are almost instant: RPA improves efficiency and effectiveness, reduces manpower and costs, and avoids human errors, allowing the human to focus on the process exceptions or other areas of the business such as critical tasks or process improvement.

The bot capabilities translated to the AMP process may be enormous, e.g., a bot can compare the requirements of a new source document with the approved AMP and highlight the differences, check whether there is any reliability action related to those revised tasks, migrate an AMP revision into the maintenance software, generate Task Cards and Engineering Orders, preload parts, generate Work Orders, prepare Reliability reports, etc.

RPA is not exempt from risks; the candidate process for RPA should be accompanied by a risk assessment, be properly designed, deployed and monitored to avoid disruptions, and include a Recovery Plan in case of failure. Because RPA relies heavily on the analysis of documentation, before selecting RPA candidate processes, it is essential to assess whether such documentation is of sufficient quality not to require human intervention. This can limit the use of TCH or other third-party documents that may require a quality control method before their use in an RPA process.
31.1.2 Radio-Frequency Identification (RFID)

Radio-Frequency Identification (RFID) is a wireless tracking system used to exchange data between an RFID transponder (smart label technology similar to a bar code) and an RFID writer/reader device. RFID provides the possibility to tag dedicated information to individual items (asset tracking); when the reader interrogates the transponder(s), the smart label(s) transmit the data written in their memory. RFID can be passive, using the energy of the radio wave, or active, battery-powered.

RFID has a wide potential in varied types of industries. In aviation, RFID has found its way through different applications, e.g., the cargo/baggage monitoring system, supply chain management, and as alternative means to traditional maintenance methods such as visual inspections for data.²

RFID used with the aircraft Emergency Equipment can confirm that the assets are present and not expired just by walking through the aircraft cabin with an RFID scanner. It is important to bear in mind that RFID does not capture the condition of the Emergency Equipment items, a requirement of the Preflight Check that is in force and that does not allow taking full advantage of this technology in this regard. However, RFID can reduce inspection times and optimize the items’ lifecycles.

RFID can facilitate the management of Components and Parts by identification (Part Number, Serial Number, manufacturing date) and storage of the maintenance history directly in the tag (life limit, overhaul, modifications, repairs, previous corrosion treatments, etc.). RFID eases the traceability of the component and the exchange of critical information between multiple parties (operator, repair shop, suppliers, etc.), improving the supply chain.

RFID can reduce inspection times and costs and ease the access to information, but it shows certain limitations; RFID tags can degrade and therefore have an expiration date, which requires establishing a method for tracking their replacement. When RFID technology is used as alternative means of compliance to traditional maintenance methods, the RFID limitations must be considered during the development of the AMP.
² Guidance on Introducing Radio-Frequency Identification (RFID) into Airline Maintenance Operations. IATA. May 2013.

31.1.3 Maintenance Automation

Developing technologies such as Structural Health Monitoring (SHM) (introduced in Sect. 17.2.2.3) can determine the structural integrity of the aircraft through dedicated sensors: damages, location, characteristics, and need for repair. SHM can be Automated (A-SHM) and integrated within the AHM for real-time monitoring of the structure and additionally is already considered in the MSG-3 methodology as a valid method for Scheduled maintenance (S-SHM) by reading out the SHM device at specific intervals. A-SHM allows unscheduled maintenance to become scheduled, where damages can be monitored and repairs can be planned at the next suitable maintenance visit. Additionally, SHM overcomes accessibility problems, eliminates the potential to damage the structure during disassembly, and minimizes human factors hazards.

The aviation industry is starting to make use of other automated and semiautomated technologies to ease and speed up external aircraft inspections. Unmanned Aerial Vehicles (UAV), drones, can be used to perform visual checks through cameras and localize and measure visual damages on the aircraft surface with laser sensors, but also to detect other areas of interest (oil leaks, regulatory markings condition, etc.). The UAV path can be predefined, without the need of remote piloting, capturing all the images necessary to generate an inspection report that can then be assessed. For example, a regular external inspection of an A330 takes about two hours; the use of a drone can reduce it to less than 15 min. Definitely, UAVs provide a more accurate, effective, and efficient inspection method. For the time being, its use is limited inside hangars and not allowed on or near airports.

Whereas UAVs are optimized for the upper part of the aircraft fuselage, similar inspection technologies are developed for Mobile Robots to inspect the lower part of the fuselage. Crawling/climbing robots with advanced suction systems are already in the market to adhere to the aircraft surfaces and record and transmit images and for ultrasound and thermographic testing that can be used to detect damages and record the structural condition of the aircraft.

More solutions are being developed to facilitate the inspection and repair of engine parts that are difficult to access, which may remove the need to take the engine off the aircraft to perform maintenance. For example, Rolls-Royce is researching a remote-controlled boreblending machine that could be installed in the engine while the specialist performs the maintenance tasks or repair remotely. A network of fiber periscope cameras embedded in the engine, snake robots to conduct inspections and repairs, or microwalking cameras that can be used to do visual inspections are technologies expected to be widely used in the near future.

These new automation technologies are faster, reduce turnaround and grounding times, and not only overcome certain human limitations but also provide the opportunity to avoid human errors.
31.2 Toward Predictive and Prescriptive Aircraft Maintenance

The use of maintenance data, which has always been available, together with all the data that aircraft systems and components are able to generate nowadays, including real-time data, has evolved in such a way during the last years that Data Science and Analysis, Machine Learning and Artificial Intelligence have become the focus for changing the aircraft maintenance concept from descriptive to predictive/prescriptive.

The traditional Trend Monitoring programs made it possible to analyze past data in order to identify out-of-limit conditions and deterioration trends; a kind of business intelligence precursor to artificial intelligence. A step forward, Data Science and Analysis have made it possible to use existing and emerging technologies to obtain deeper insights and information not only from past but from real-time data; statistical models allow trends and patterns to be discovered to predict future behaviors of systems and components.

The modern Aircraft Health Monitoring (AHM) systems, introduced in Sect. 17.2.2.3, can make use of integrated sensors in systems and components that are used to acquire more data. Older generations of aircraft can be upgraded with hardware and software for the installation of sensors that capture more data and that allow its automatic transmission. For example, the new solution co-developed by Airbus and Rockwell Collins, FOMAX, captures and transmits expanded volumes of recorded aircraft data (from 400 parameters to roughly 24,000 on an A320).

Other developments, such as Airbus Skywise Health Monitoring (part of the Skywise aviation data platform), Boeing AHM (part of the Boeing AnalytX powered products), IKON by Embraer, Smart Link by Bombardier, etc. provide the airlines with a range of predictive analytical tools and services to identify conditions in real time and generate alarms before they turn into faults, and prescriptive analytics, providing decision support.
These tools enable real-time fix and proactive maintenance management that result in reduced disruptions and increased reliability levels.

The use of real-time data from the AHM systems with the historical maintenance data under statistical and algorithmic models has allowed the development of sophisticated platforms and tools that represent authentic machine learning tools. Some airlines have created their own solutions. For example, Agnos, the Big Data solution developed by AFI KLM E&M, analyses in-flight data that is transformed to alerts about defective components. The algorithms are continuously improved based on the data provided by the aircraft and shop feedback. Another example is Aviatar, the modular platform developed by Lufthansa that centralizes all the fleet’s data on one platform and uses real-time analytics to predict faults.

Other platforms developed by manufacturers make it possible to store, access, and manage the operator’s own data but also to analyze manufacturer data and global data (or data from operators participating on specific programs), e.g., Airbus Skywise, Boeing
AnalytX or GE Predix. The operator’s data sharing, agreed to be anonymized, makes it possible to develop more accurate models and algorithms so the systems automatically and increasingly learn and improve from experience, boosting the fleet operational reliability. Not only manufacturers have realized the importance of data sharing; Lufthansa Technik launched the Aviation DataHub platform for the use of the entire aviation industry. Airlines can benefit from deciding with whom they want to share their data.

The aviation industry has already introduced the technology that exhibits behaviors such as learning, problem solving, and decision making through data experience; this is Artificial Intelligence able to take or support decisions and provide solutions before problems happen and turn unscheduled maintenance into scheduled maintenance. It provides a great benefit with regard to operational reliability and availability.

The benefits of using these predictive and prescriptive tools definitely can make the Aircraft Maintenance Program more efficient, with fewer restrictions derived from the Reliability Program that can rely on these new approaches. Already proposed and under IMRBPB discussion, the next AMP evolution will come hand in hand with the MSG-3 methodology using the certified AHM capabilities as alternative procedures to the scheduled tasks. But for the time being…we have to wait for the proposal to be matured.
31.3 Blockchain

Blockchain is the technology that allows information to be stored and shared in blocks in a secure, decentralized, and incorruptible way. Each block is like a page in a logbook, including the data being recorded, the data of the transaction (date, time, digital signature, etc.) and a unique code called “hash” that links the block to the previous block in the chain. The data stored on the blockchain is visible to everyone that is part of the blockchain network. If the data of a block were to be altered or a new block inserted between existing blocks, all the following blocks would need to be edited too and it would require the consensus of the network, enabling transparent transactions.

Blockchain is of particular interest for organizations that use the same data. For aircraft operators and maintenance service providers, some of the ongoing research projects focus on the following areas³:

• Certification and Digital Signatures: blockchain can facilitate the use of certification and digital signatures to transfer regulated documents between interested parties electronically, e.g., Operator Certificate, organization approval, CofA, ARC, CRS, Task Cards, EASA Form 1, FAA 8110-3, staff licensing, etc.
• Aircraft Maintenance Records: blockchain can replace paperwork and databases by creating immutable records of the maintenance performed on each aircraft and component. All the information pertaining to an aircraft or component lifecycle can be stored consistently across different organizations and in real time: authorities, lessors, manufacturers, operators, maintenance service providers, etc. Blockchain would ensure that parts are legitimate and has the potential to reduce the efforts to identify and mitigate Suspected Unapproved Parts (SUP). See Sect. 10.1.3 for further information about SUP.

The potential of Blockchain and its combination with the innovative technologies detailed in the previous paragraphs is still being discovered. For example, Blockchain can provide a framework to securely record the RPA transactions, and RPA can be used to feed Big Data into the Blockchain. RFID creates components with unique identification and history, and it could also be configured to flow data into the Blockchain automatically without the need for manual entries, automating and protecting the collection of data. The same thing could happen with the integrated sensors of systems, structures, and components of the Aircraft and Structural Health Monitoring systems that are used to acquire data, decentralizing it.

While the Blockchain provides secure access to the Big Data generated by the operation of the aircraft, Artificial Intelligence is the engine that enables analytics and decision making from such information. Blockchain could provide transparency to the conclusions and decisions made by AI, with the potential to record the AI decision-making process.

The path for Blockchain to be used in the aviation industry is full of challenges and opportunities, with numerous research projects and tests running. In the near future, Blockchain could be integrated within the organization’s management systems and processes for secure and decentralized communications, enabling trusted transactions.

³ Blockchain in Aviation, Exploring the Fundamentals, Use Cases, and Industry Initiatives. IATA. White Paper—October 2018.
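The hash linking described in Sect. 31.3, as an added example that is not part of the book: a minimal hash-chained maintenance logbook in Python showing why altering or inserting a block forces every following block to be rewritten, and why a full rewrite still fails against the head hash held by the other participants. The record fields, part and serial numbers, and the `trusted_head` comparison standing in for network consensus are assumptions made for the illustration; digital signatures are not implemented.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed previous-hash value for the first block

# Constructed sample records (not real parts or staff).
SAMPLE_RECORDS = [
    ({"part": "PN-0001", "serial": "SN-1001", "event": "installed", "life_limit_fh": 20000},
     {"time": "2021-03-01T09:00:00Z", "signed_by": "certifying-staff-A"}),
    ({"part": "PN-0001", "serial": "SN-1001", "event": "overhaul", "life_limit_fh": 20000},
     {"time": "2021-09-14T16:30:00Z", "signed_by": "repair-shop-B"}),
    ({"part": "PN-0001", "serial": "SN-1001", "event": "reinstalled", "life_limit_fh": 20000},
     {"time": "2021-10-02T08:15:00Z", "signed_by": "certifying-staff-A"}),
]


def block_hash(index, prev_hash, record, meta):
    """SHA-256 over a canonical JSON encoding of everything the block contains."""
    body = {"index": index, "prev_hash": prev_hash, "record": record, "meta": meta}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()


def make_block(index, prev_hash, record, meta):
    block = {"index": index, "prev_hash": prev_hash, "record": record, "meta": meta}
    block["hash"] = block_hash(index, prev_hash, record, meta)
    return block


def build_logbook():
    chain = []
    for record, meta in SAMPLE_RECORDS:
        prev_hash = chain[-1]["hash"] if chain else GENESIS
        chain.append(make_block(len(chain), prev_hash, dict(record), dict(meta)))
    return chain


def rehash(chain, start, stop=None):
    """Re-link and re-hash blocks start..stop-1, as someone rewriting history must."""
    for pos in range(start, len(chain) if stop is None else stop):
        prev_hash = chain[pos - 1]["hash"] if pos else GENESIS
        chain[pos] = make_block(pos, prev_hash, chain[pos]["record"], chain[pos]["meta"])


def verify_chain(chain, trusted_head=None):
    """Return (position, reason) for each inconsistency; an empty list means none found.

    trusted_head is the last block hash as held independently by the other
    participants; comparing against it stands in for network consensus.
    """
    problems = []
    prev_hash = GENESIS
    for pos, b in enumerate(chain):
        if b["index"] != pos:
            problems.append((pos, "index out of sequence"))
        if b["prev_hash"] != prev_hash:
            problems.append((pos, "prev_hash does not match preceding block"))
        if block_hash(b["index"], b["prev_hash"], b["record"], b["meta"]) != b["hash"]:
            problems.append((pos, "content does not match stored hash"))
        prev_hash = b["hash"]
    if trusted_head is not None and prev_hash != trusted_head:
        problems.append((len(chain) - 1, "head hash differs from the participants' copy"))
    return problems


def run_scenarios():
    honest = build_logbook()
    head = honest[-1]["hash"]  # the value every other participant also holds
    results = {"intact": verify_chain(honest, head)}

    # 1. A life limit is edited in block 1 and nothing else is touched.
    edited = copy.deepcopy(honest)
    edited[1]["record"]["life_limit_fh"] = 30000
    results["edit_only"] = verify_chain(edited)

    # 2. The edited block is re-hashed, but the following block still points at the old hash.
    one = copy.deepcopy(edited)
    rehash(one, 1, 2)
    results["edit_rehash_one_block"] = verify_chain(one)

    # 3. Every following block is rewritten: internally consistent, but the head changed.
    full = copy.deepcopy(edited)
    rehash(full, 1)
    results["rewrite_internal"] = verify_chain(full)
    results["rewrite_vs_head"] = verify_chain(full, head)

    # 4. A new block is inserted between existing blocks.
    inserted = copy.deepcopy(honest)
    extra = make_block(1, inserted[0]["hash"],
                       {"part": "PN-0001", "serial": "SN-1001", "event": "repair"},
                       {"time": "2021-06-01T10:00:00Z", "signed_by": "unknown"})
    inserted.insert(1, extra)
    results["insert"] = verify_chain(inserted)
    return results


if __name__ == "__main__":
    for name, problems in run_scenarios().items():
        print(name, problems)
```

The check shows that recorded entries have not changed since they were written; it does not show that an entry was accurate when it was written.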
Appendix A
Introduction to Aircraft Maintenance Program Costs
This appendix introduces the costs of implementing or revising an Aircraft Maintenance Program that may be useful for budgeting or operating cost prediction purposes. Deduced from the U.S. DOT Form 41, widely used in airline analysis and financial research, the total airline operating costs can be broken down into¹:

• Flight Direct Operating Costs (DOCs): cost related to flying operations, including pilots, fuel, maintenance, and aircraft ownership,
• Ground Operating Costs: servicing of passengers and aircraft, including landing fees and reservations/sales charges,
• System Operating Costs: marketing, administrative and general overhead items, including in-flight services and ground equipment ownership.

The Direct Maintenance Costs (DMCs), a good part of the DOC, are defined in the ATA Common Support Data Dictionary (CSDD)² as the maintenance labor and material costs directly expended in performing maintenance on an item or aircraft. The Indirect Maintenance Costs (IMC), also known as maintenance burden or overheads, are those expenditures that contribute to the overall maintenance operations (e.g., line station servicing, administration, record keeping, supervision, tooling, test equipment, facilities, etc.).

DMC can be categorized according to the nature of maintenance: Scheduled maintenance and Unscheduled maintenance. Within the Scheduled maintenance category, the three main elements generating direct costs are:

• the Aircraft Maintenance Program (AMP), including the Reliability Program,
• Airworthiness Directives (ADs), and
• the Embodiment Policy for non-mandatory recommendations (e.g., SB, SL, etc.).

¹ Airline Operating Costs and Productivity. Economic Development. ICAO. Tehran, 20–23 February 2017.
² Common Support Data Dictionary (CSDD). A4A. Revision 2017.1.
With regard to Unscheduled maintenance, the direct costs come from:

• findings during Scheduled maintenance, and
• faults/defects during aircraft operation, including damage and repairs.

The increased costs of appropriate Aircraft Maintenance and Reliability Programs and Embodiment policies are usually well compensated not only by the decrease of the unscheduled maintenance and its associated costs but by the reduction of downtime and interruption costs.

Downtime costs are considered as contributors to the airline costs when the aircraft is expected to be in operation but due to “unforeseen circumstances” is not, e.g., due to unscheduled maintenance (derived from a deficient AMP, likely related to a deficient Reliability Program, or an unexpected damage) or due to supply chain shortcomings. The Downtime and the associated costs also have much to do with the resources assigned to the maintenance function, e.g., sufficient and appropriate documentation, qualified manpower, material, equipment/tools, and facilities contribute to minimizing the downtimes.
A.1 Direct Maintenance Cost

The greater contributors to the DMC are the requirements to detect and correct the aging effects and the maintenance of major components.

Both of the DMC categories (scheduled and non-scheduled maintenance) are directly influenced by the effects of aging aircraft and the consequent requirements (see Chaps. 6 and 7): the programs derived from the Damage Tolerance and Fatigue Evaluation of the structure (Airworthiness Limitations, Continuing Structural Integrity Programs), the Enhanced Zonal Analysis Procedures (EZAP) to detect EWIS contamination/degradation, or the Corrosion Prevention and Control Programs (CPCP). The AMP source documents establish more frequent inspections as the aircraft gets older that result in more frequent findings and increased non-routine maintenance.

The structural inspections and modifications required to comply with the Widespread Fatigue Damage regulations, in order to operate the aircraft until its Limit Of Validity (LOV), represent significant costs associated with in-depth maintenance, the need for additional manpower (including more specialized non-destructive inspectors) and special tools/equipment, and the rectification of defects (cracks, corrosion, etc.), that result in longer grounding times and increased costs.

According to the IATA Maintenance Cost for Aging Aircraft (2018) publication, 50% of the total maintenance cost of an aircraft is “eaten” by the engines’ scheduled maintenance. Additionally, the scheduled maintenance of other major components, such as the landing gear overhaul, also contributes significantly to the maintenance costs.
Fig. A1 Illustrative DMC Aging curves per maintenance category (IATA Maintenance Cost for Aging Aircraft (2018))
A.2 The Cost of an Aircraft Maintenance Program

The calculation of the costs/savings associated with the implementation or revision of an AMP may be found useful at the time of budgeting, predicting future operating costs, or when compared with the ongoing costs, for detecting inconsistencies or areas where a closer look is needed.

The AMP cost baseline method presented takes into consideration the AMP DMC and certain AMP IMC derived from the implementation/revision of the AMP, such as documentation and tools/equipment; however, other contributing factors, such as changes in the manpower required (other than certifying and support staff but administrative) or specific training that may be needed to ensure that sufficient level of expertise is provided (other than mandatory training and certifications, but additional training to cover new situations such as new aircraft configuration or new IT solutions) are disregarded.
Therefore, the presented AMP cost baseline method considers the following factors:

• Documentation costs: new or revised customized documentation derived from the specificity of the operation (supplements) or dedicated exercises such as Evolution/Optimization dossiers,
• Manpower: changes to the workload,
• Outsourced maintenance: new or revised agreements with manufacturers and MROs,
• Material: changes to the material needs,
• Equipment/tool: changes to the required equipment/tool.

To benefit from applying the AMP cost baseline method, it becomes essential to calculate the overall AMP costs at a certain point in time (it can be since the initial AMP or afterward during any AMP revision) and adjust the cost parameters periodically (recommended on a yearly basis during the budgeting exercise). The adjustments include:

• accumulation of AMP revisions costs since the last adjustment,
• labor and production indexes update,
• labor rates update, and
• outsourced maintenance parameters update.
A.2.1 Use of Cost Indexes

The calculation of costs derived from the AMP implementation/revision is usually accurate for the incoming or ongoing budget cycle, but the price changes in future cycles may distort the cost forecast/projections. To keep the cost accurate in the future, it is necessary to use Cost Indexes.

The Cost Indexes used by each operator depend on the state in which the aircraft is maintained and the sources from which the material and equipment/tools are purchased. It is possible to use the cost indexes published by certain agencies to assist in forecasting the AMP costs. For example, in Europe, the statistical office of the European Union (Eurostat) publishes the following indexes for all European Union member states:

• Labor Cost Index (LCI): shows the evolution of the cost for employing labor force on an hourly basis.
• Producer Price Index (PPI): measures the changes in the trading price of products and services.
• Industrial Import Price Index (IMPR): measures price developments of imported items.

In the USA, equivalent indexes are published by the Bureau of Labor Statistics (Employment Cost Index, Producer Price Index, and Import Price Index).
A.2.2 Task Unitary Cost Measurement

The cost of performing a maintenance task once for a unique aircraft is defined by the Task Unitary Cost. The TUC is the summation of the Manpower cost, the Material cost, and the Outsourced costs:

$$TUC = C_{MP} + C_{M} + C_{OUT}$$

The Manpower Cost is given by the type of skilled staff (support, certifying, specialist), the corresponding labor rates, and the Average Man-Hours (MH). In Sect. 5.2, it is explained that the skills and man-hours detailed in the MPD are adjusted by the operator to its particular efficiency. The Manpower cost factor of the TUC ($C_{MP}$) is represented by the following formula:

$$C_{MP} = MH_{\text{Support staff}} \cdot C_{\text{Support}} + MH_{\text{Certifying staff}} \cdot C_{\text{Certifying}} + MH_{\text{Specialist staff}} \cdot C_{\text{Specialist}},$$

where $C_{\text{Support}}$, $C_{\text{Certifying}}$ and $C_{\text{Specialist}}$ are the corresponding MH rates for each skill.

The Material Cost is given by the components, standard parts, and raw material that are required or estimated to be required during the accomplishment of the maintenance task.

$$C_{M} = C_{\text{Components}} + C_{\text{Standard Parts}} + C_{\text{Raw material}}$$

On the other side, when part or the overall performance of the maintenance task is outsourced, it must be weighed in the cost calculations based on the details of the agreements. More or less complex, it is possible to determine the unitary Outsourced Cost ($C_{OUT}$).
A.2.3 Task Cost/Saving Calculations

In order to calculate the cost of performing the maintenance task for the overall fleet, it is necessary to consider two types of costs:

• One-time costs ($C_{\text{Initial}}$): assumed only once, usually known in advance of the task implementation, e.g., documentation, equipment/tools.
• Recurrent costs: assumed repeatedly every time the task is performed. Recurrent costs are those detailed in the previous paragraphs for the Task Unitary Cost: manpower, material, and outsourced services.
Total Number of Tasks Performed Per Fleet Per Year

Based on the maintenance experience (for existing tasks), the maintenance plan, and the interval of the task, it is possible to determine the number of times that the maintenance task has to or would have to be performed each year. If such a level of detail is not required or the approach is not feasible, it is possible to approximate the calculations based on average terms. The average number of times that a task is accomplished per year in the operator’s fleet takes into consideration the number of aircraft for which the maintenance task is applicable (N) and the interval of the task expressed in months (I), converted from FH or FC interval parameters using the fleet utilization, as applicable. Therefore, the average number of accomplishments of the task per fleet per year is given by:

$$T_{\text{Total per year}} = \frac{N \cdot 12\ \text{months}}{I}$$

For easier understanding, the average $T_{\text{Total per year}}$ is used in the following calculations.

Maintenance Task Cost Per Fleet Per Year

The increase/decrease of man-hours per fleet per year takes into consideration the total number of tasks performed during that period ($T_{\text{Total per year}}$) and the Task Unitary Cost (TUC) increase/decrease:

$$\mathrm{Cost}_{\text{Total per year}} = T_{\text{Total per year}} \cdot \mathrm{TUC} = T_{\text{Total per year}} \cdot (C_{MP} + C_{M} + C_{OUT})$$

where:

• $C_{MP} = MH_{\text{Support staff}} \cdot C_{\text{Support}} + MH_{\text{Certifying staff}} \cdot C_{\text{Certifying}} + MH_{\text{Specialist staff}} \cdot C_{\text{Specialist}}$,
• $C_{M} = C_{\text{Components}} + C_{\text{Standard Parts}} + C_{\text{Raw material}}$,
• $C_{OUT}$ is based on the weighted cost calculations based on the outsourced agreements.

The $\mathrm{Cost}_{\text{Total per year}}$ formula represents:

• the cost of implementing a new task, excluding the one-time implementing cost ($C_{\text{Initial}}$), where the is negative,
• the savings of deleting an existing task, where the is positive,
• the delta of the costs/savings derived from the task revision (escalation, de-escalation, changes in the Man-Hours or Material needs, and changes in the outsourced services agreements), where the sign depends on the balance of the factors analyzed.

Note: special attention must be paid to the symbols ± used in the TCUTotal per year formula. Cost (−) and savings (+) must be appropriately defined.
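Accumulated Costs/Savings

The following formula serves to accumulate the costs/savings derived from a task implementation/change at a specific point in time (i):

$$\mathrm{Cost}_{i} = C_{\text{Initial}} + \sum_{i_0}^{i} \mathrm{Cost}_{\text{Total per year (indexed)}},$$

where i = 1, 2, 3, 4… is the year for which the accumulated cost is to be calculated, and the total cost per year per fleet, taking into consideration the indexes given in (A2.1), is provided by the following summation:

$$\begin{aligned}
\sum_{i_0}^{i} \mathrm{Cost}_{\text{Total per year (indexed)}} &= \sum_{i_0}^{i} T_{\text{Total per year}} \cdot \mathrm{TUC}_{(\text{indexed})} \\
&= \sum_{i_0}^{i} T_{\text{Total per year}} \cdot (C_{MP} + C_{M} + C_{OUT})_{(\text{indexed})} \\
&= \sum_{i_0}^{i} T_{\text{Total per year}} \cdot C_{MP} \cdot \mathrm{LCI}^{\,i-1} + \sum_{i_0}^{i} T_{\text{Total per year}} \cdot C_{M} \cdot \mathrm{index(1)}^{\,i-1} + \sum_{i_0}^{i} T_{\text{Total per year}} \cdot C_{OUT} \cdot \mathrm{index(2)}^{\,i-1}
\end{aligned}$$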
While for labor costs it is clear that the index to be used is the Labor Cost Index (LCI), for material and outsourced costs the index to be applied depends on the producer (industrial or service) and the importation; in the above formula it is indicated simply as “index()” for the operator analysis. The following graphic shows the expected cost pattern derived from the cost/saving analysis performed considering the application of indexes and the use of the average total number of tasks performed per fleet per year ($T_{\text{Total per year}}$). While the graph would keep a linear tendency if the indexes were not applied, it becomes polynomial when they are applied (Fig. A2). In the case that the total number of tasks performed per fleet per year is accurately defined (without the use of average terms), certain irregularities in the polynomial curves appear, but the tendency remains.
Fig. A2 Example of Task Cost accumulation during successive years (plot of Cost ($) against Time (YE))
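The formulas of A.2.2 and A.2.3 (TUC, average tasks per fleet per year, the indexed accumulation and the cost/saving sign of a revision) worked through as an added Python example; it is not taken from the book. The task figures, the 10% labor index and all function names are constructed, and the i−1 attached to each index is read as an exponent, i.e. a constant annual factor compounded from the first year, which is an assumption.

```python
"""Added worked example of the Appendix A cost formulas (not code from the book)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    """Recurrent cost inputs for one accomplishment of a task on one aircraft."""
    man_hours: tuple          # (support, certifying, specialist) man-hours
    rates: tuple              # matching MH rates C_Support, C_Certifying, C_Specialist
    components: float = 0.0
    standard_parts: float = 0.0
    raw_material: float = 0.0
    outsourced: float = 0.0   # C_OUT, already weighted per the outsourcing agreement

    @property
    def c_mp(self):
        # C_MP = sum over skills of MH_skill * C_skill
        return sum(mh * rate for mh, rate in zip(self.man_hours, self.rates))

    @property
    def c_m(self):
        # C_M = C_Components + C_Standard Parts + C_Raw material
        return self.components + self.standard_parts + self.raw_material

    @property
    def tuc(self):
        # TUC = C_MP + C_M + C_OUT
        return self.c_mp + self.c_m + self.outsourced


def interval_in_months(interval, utilization_per_month=None):
    """Interval I in months. An FH or FC interval is converted by dividing it
    by the fleet utilization (FH or FC flown per aircraft per month)."""
    if utilization_per_month is None:
        return float(interval)
    if utilization_per_month <= 0:
        raise ValueError("utilization must be positive")
    return interval / utilization_per_month


def tasks_per_year(n_aircraft, interval_months):
    """T_Total per year = N * 12 months / I."""
    if interval_months <= 0:
        raise ValueError("interval must be positive")
    return n_aircraft * 12.0 / interval_months


def accumulated_cost(task, n_aircraft, interval_months, c_initial, years,
                     lci=1.0, index_material=1.0, index_outsourced=1.0):
    """Return [Cost_1, ..., Cost_years] as magnitudes.

    Assumption: each index is a constant annual factor raised to (i - 1),
    so the first year is unindexed. Factors of 1.0 give the linear case.
    """
    t = tasks_per_year(n_aircraft, interval_months)
    total = c_initial
    series = []
    for i in range(1, years + 1):
        k = i - 1
        total += t * (task.c_mp * lci ** k
                      + task.c_m * index_material ** k
                      + task.outsourced * index_outsourced ** k)
        series.append(total)
    return series


def revision_delta_per_year(old_task, old_interval, new_task, new_interval, n_aircraft):
    """Yearly effect of a task revision with the page's sign convention:
    savings are positive, costs are negative."""
    before = tasks_per_year(n_aircraft, old_interval) * old_task.tuc
    after = tasks_per_year(n_aircraft, new_interval) * new_task.tuc
    return before - after


# Constructed sample task: 2 MH support at 40/h, 1 MH certifying at 60/h,
# no specialist time, 50 of components and 10 of standard parts.
TASK = Task(man_hours=(2.0, 1.0, 0.0), rates=(40.0, 60.0, 90.0),
            components=50.0, standard_parts=10.0)

if __name__ == "__main__":
    months = interval_in_months(6000, utilization_per_month=250)  # 6000 FH interval
    print("TUC:", TASK.tuc, "tasks/year:", tasks_per_year(10, months))
    print("no index :", accumulated_cost(TASK, 10, months, 500.0, 5))
    print("LCI 1.10 :", accumulated_cost(TASK, 10, months, 500.0, 5, lci=1.10))
    print("escalate 24 -> 36 months:",
          revision_delta_per_year(TASK, 24, TASK, 36, 10))
```

Run with all index factors at 1.0, the yearly increments are equal (the linear case); with a labor factor above 1.0 each year's increment grows, which is the curved pattern the text attributes to Fig. A2.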
Appendix B
Introduction to Aircraft Accident Investigation
The investigation of aircraft accidents and events and the safety study initiatives performed worldwide since the first days of aviation have made it possible to find the most probable causes of such occurrences, identifying safety deficiencies and implementing actions to avoid re-occurrences. The results of such investigations have been the most important method of accident prevention and the main source for shaping the aviation regulations toward safer aviation.

Recapitulating some of the aircraft accident investigations that changed the aircraft design and maintenance rules: the Aloha Flight 243 investigation drew attention to the consequences of the aging process of the aircraft, resulting in the current regulations and means to avoid Widespread Fatigue Damage (WFD); the existing requirements for Electrical Wiring Interconnection Systems (EWIS) are the result of the investigations of Swissair Flight 111 and TWA Flight 800, which highlighted the deficiencies in the certification and Continuing Airworthiness requirements of EWIS; a battery of recommendations for fuel tank design and maintenance was also the result of the TWA 800 investigation.

The “Lessons Learned” boxes included throughout the chapters of this book exhibit the main aircraft accidents that have shaped the current airworthiness regulations and others that are considered of relevant interest for understanding the proposed subjects, but there is still an open question: what is the process from the moment an aircraft accident happens until the recommendations are issued?

The alarm of an aircraft accident is usually triggered by the Air Traffic Services when it is determined that the aircraft has crashed or disappeared from its control, by the Airport Authorities when an accident occurs on or adjacent to an airport, or by the Search And Rescue (SAR) services when a distress signal is received and it is confirmed by the ATS. Immediately after the alarm is raised, a full investigation machinery to understand the causes of the aircraft accident is initiated.

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6
This Appendix introduces the civil aircraft accident investigation process, including the Maintenance Investigation.
B.1 Investigation Responsibilities

The accident investigation authority should be able to withstand political or other interference or pressure and must be strictly objective and impartial. ICAO requires that the States set up their accident investigation authorities independently from the civil aviation authorities and any other party whose interests could conflict with the task entrusted to the investigation body.[3] Imagine that an Aircraft Accident Investigation Authority depended directly on the Civil Aviation Authority and that its board of directors included the CEO and chairperson of the most profitable national carrier. This situation would unleash rumors about the independence of the investigations and the possible interest of private hands over air safety.

After an accident or serious incident, usually, the State of Occurrence notifies the States of Registration, Operator, Design, Manufacture, and ICAO, the latter when the aircraft is over 2250 kg. The State of Occurrence is responsible for instituting and conducting the investigation but, if it is found more practical, it may be delegated wholly or partially to another State (e.g., State of Registration or State of the Operator) or a regional accident and incident investigation organization. In any case, the State of Occurrence must provide every means to facilitate the investigation. When the accident occurs outside the territory of any State, the responsibility to institute and conduct the investigation lies with the State of Registration.

The Investigator in Charge (IIC) is appointed by the State conducting the investigation. He must have unrestricted control over the wreckage and all relevant material, including the Flight Recorders and ATS records. The States of Registration, Operator, Design, and Manufacture have the right to appoint an accredited representative and one or more advisers to participate in the investigation. EASA or the FAA would act on behalf of the State whenever it is related to the design approval. Other States can provide information, facilities, or experts to the State conducting the investigation.

The Safety Board “Go Team,” formed by the State conducting the investigation or the delegated organization, is responsible to the Investigator in Charge (IIC) and initiates the process at the accident scene as quickly as possible. It is composed of a panel of specialists in different aviation areas with clearly defined responsibilities, e.g., Wreckage, Operations, Weather, Air Traffic Services, Structures, Powerplant, Systems, Maintenance, Human Factors, and Survival Factors.
[3] Annex 13 Aircraft Accident and Incident Investigation. ICAO. Eleventh Edition—July 2016.
The person responsible for each area of expertise heads a working group that is staffed with representatives of the operator, airframe and engine designers and manufacturers, design certifying authority, pilot and flight attendant unions, etc. Some of the working groups remain at the accident scene, usually from a few days to several weeks, to collect data and evidence for as long as necessary and then move on to other facilities to continue the investigation, e.g., Powerplant to an engine teardown at a manufacturer or overhaul facility and Systems to an instrument manufacturer’s plant. Other teams, such as the Flight Data Recorder and Cockpit Voice Recorder groups, may not attend the accident scene but be placed at an investigation authority center. When the State conducting the investigation has no facilities for the readout of the recorders, it can make use of the facilities made available by other States.

The State conducting the investigation should not make the investigation records available for purposes other than the investigation unless it is considered beneficial for such investigation or any future investigations. The investigation records include the recording or transcription of the Cockpit Voice Recorder (CVR), communication between persons involved in the operation of the aircraft, recording and transcriptions from the Air Traffic Control units, medical/private information of the persons involved in the accident, and communication between people involved in the operation of the aircraft. The records are only included in the Final Report when pertinent to the analysis of the accident.

Judicial investigations are often initiated when there is a need to assign liabilities and compensate victims. The Safety and Judicial investigations are required to be separate. The Safety investigation should cooperate with the Judicial investigation, but some of the records obtained, such as cockpit voice or image recordings, are normally used for the Safety investigation but not made available to the Judicial investigators, to avoid their use for other purposes. An exception is when the Investigator in Charge detects an act of unlawful interference; in such a case, he should inform the Judicial Authorities and the recording may be put at their disposal. The State conducting the investigation must coordinate both authorities and mediate if a conflict exists.

The most important mandate of the Safety Board is to address safety deficiencies immediately, including deficiencies that are not directly related to the cause of the accident, and issue Safety Recommendations. Usually, preliminary or interim reports with factual information and Safety Recommendations are issued during the course of the investigation to provide safety information to the industry and address immediate safety concerns. A final report is issued at the end of the investigation, concluding with the identification of the findings, causes, and contributing factors to the accident. The final report must be reported to ICAO through the ADREP system (see Sect. 26.3.1). The responsibilities and obligations for Aircraft Accident and Incident Investigations are detailed in ICAO Annex 13.
EASA and FAA Roles

When an investigation takes place in any of the European Union states, the role of EASA is to follow the investigation carried out by the corresponding accident investigation authority, provide technical advice whenever needed, and process the Safety Recommendations addressed to the Agency, but EASA is not an accident investigation body. Some examples of investigation authorities across Europe are the Bureau of Enquiry and Analysis for Civil Aviation Safety (BEA) in France, the Commission for the Investigation of Accidents and Incidents for Civil Aviation (CIAIAC) in Spain, and the German Federal Bureau of Aircraft Accidents Investigation (BFU).

Similarly, the competences of the FAA when an accident occurs in U.S. territory are to provide advice and support and to address Safety Recommendations from the National Transportation Safety Board (NTSB), the investigation authority dependent on the U.S. Department of Transportation. The NTSB was formed in 1967 as successor of the Civil Aeronautics Board (CAB), which had been in charge of accident investigations since the 1940s. The NTSB is multimodal and investigates not only accidents and incidents involving civil aircraft but also other transportation modes such as marine and rail. Up to 2017, the NTSB had investigated more than 149,000 aviation accidents and issued more than 15,000 Safety Recommendations to more than 2400 recipients.
B.2 The Investigation Areas

The Wreckage Investigation documents the airframe wreckage and the accident scene, including calculation of impact angles to help determine the aircraft’s pre-impact course and attitude. The initial assessment determines the presence of flight control surfaces (wings, vertical and horizontal stabilizers, flaps, spoilers) and major structural parts (engines, propellers, blades), and follows with the identification of every part of the wreckage. During the investigation, the distribution of the wreckage is plotted to establish the path of the aircraft and the first impact location. Ground marks and scars upon trees, shrubs, rocks, poles, power lines, and buildings are also examined to understand the impact. The reconstruction of the wreckage, assembling the parts back to their relative position before failure, is not necessary but can be the key for determining the causes of certain types of accidents such as in-flight structural breakup, collisions, fires, or explosions. The reconstruction of the TWA 800 explosion, detailed in Sect. 6.2.1.4, was one of the most comprehensive and expensive reconstructions ever attempted, where approximately 96% of the wreckage was recovered from the Atlantic Ocean.

The Operations Investigation studies the history of the flight and the activity of the flight crew, and may also examine the role of flight operations, dispatch or other personnel involved directly with the operation of the aircraft. Some of the major areas involved are the crew qualifications and experience, duties, rest periods, activity before, during and after the accident, flight planning, weight and balance, final flight path and sequence of the flight. The flight is reconstructed from the data collected, where the Flight Recorders and radar records play a significant role, and the contribution of the other groups of the investigation.

The Weather Investigation gathers all the pertinent weather data. A specialized group is needed if the meteorological conditions are considered an important contributing factor to the accident; otherwise, a report from a specialist meteorologist may be sufficient. The investigation collects forecast and observed meteorological conditions with special consideration for hazardous phenomena that may not be so apparent, such as cyclones, severe turbulence, freezing rain, or volcanic ash.

The Air Traffic Services (ATS) Investigation addresses the aeronautical and operational information from service providers, including the acquisition of ATC radar data and transcripts of the controller-pilot radio transmissions. The objective is to reconstruct the occurrence from the planning stage through the various functions exercised by the service providers, e.g., ground control, aerodrome control, area control, and approach control.

The Structures Investigation aims to determine the causes attributed to material failures, with special consideration for major component failures due to inadequate design strength, excessive loads, or deterioration due to fatigue or corrosion. The investigation must discern which structural parts failed in flight and which failed on impact.

The Powerplant Investigation usually includes engines, propellers, thrust reversers, mountings, cowlings, and fuel and oil systems. Powerplant failure is often a causal factor of aircraft accidents and it is important to determine if it was involved in the subject occurrence. The data collected should make it possible to assess whether the engine separated in flight, whether it was producing power at impact, and the type of engine failure (e.g., rotor disk fracture, operational ingestion of debris, birds, ice or volcanic ash, failure of the reverser system or the nacelle, etc.).

The Systems Investigation studies the aircraft components related to the aircraft systems such as hydraulic, electrical (including EWIS), pneumatic and oxygen systems, the instruments, and elements of the flight control systems. One of the main tasks is to document the flight configuration of the aircraft at the time of the event, including positions of switches and controls in the cockpit, taking into consideration that it may have been altered during the impact or the evacuation procedures.

The Maintenance Investigation focuses on the adequacy of the maintenance performed, the capability of the maintenance management, and the human factors in maintenance.

The Human Factors Investigation assesses the human performance and all the factors that may have caused or contributed to the accident (fatigue, medication, alcohol, drugs, medical histories, training, workload, equipment design, and work environment). A high degree of coordination is required between the Human Factors investigation group and the Operations, Air Traffic Services, and Maintenance investigations.
The Human and Organizational models detailed in Chaps. 24 and 25 (SHELL, PEAR, Reason’s model), and other models or techniques such as the Failure Mode and Effects Analysis (FMEA), aid the investigator in analyzing the data gathered in order to determine the contributing factors.

The Survival Factors Investigation documents and analyses information regarding several areas: search and rescue, evacuation and survival, aircraft interior configuration, impact and occupants’ dynamics and crash injury, and survivability aspects. Documenting the aircraft and surrounding site is essential in order to establish how and why injuries and fatalities occurred: condition and location of the elements of cockpit, passenger cabin, exits, evacuation devices, emergency equipment, restraint systems, stowage compartments, cabin baggage, cargo, communication systems, galleys, etc.

The CREEP methodology is a systematic approach used by some aircraft accident investigators to assess the different factors that influence the occupant’s survivability during a crash. The CREEP crashworthiness acronym stands for the following factors:

• Container: the aircraft structure should not disintegrate, deform until it crushes the occupants, or allow external objects to penetrate the cabin.
• Restraints: components such as belts, attachments, and connectors should be able to prevent injuries at the force levels expected during a crash.
• Energy Absorption: the effects of the acceleration forces experienced by the occupants are amplified or attenuated depending on the design of the structure and the seats.
• Environment: the cockpit, cabin, and cargo spaces should be delethalized, meaning that potentially injurious objects should be properly secured.
• Post-crash factors: if the occupants survive the crash, they should be able to exit the aircraft and reach emergency assistance. The most critical aspects are the ability of the occupants to unbuckle themselves from the restraint systems and reach emergency exits, and the post-crash fire effects (heat, smoke, and toxic fumes).

The investigators inspect all the CREEP factors to determine elements that may have prevented the occupants from being injured.
B.2.1 The Maintenance Investigation

The Maintenance Group is responsible for reviewing the maintenance history of the aircraft, the actions of the maintenance organization and its staff, and the Aircraft Maintenance Program under which it was maintained. The goal is to determine if the aircraft has been maintained in accordance with the applicable airworthiness regulations, including the suitability of such regulations, to identify maintenance information that may suggest particular lines of investigation, and to determine if any maintenance action could be a contributing or root cause of the accident.

The maintenance investigation focuses on the adequacy of the maintenance performed, the maintenance management capability, and the human factors in maintenance. Immediately after accident notification, the Maintenance Group chairperson or the Investigator in Charge (IIC) notifies the owner/operator of the aircraft that all the maintenance records pertaining to such aircraft are impounded. These must be retained and made available when requested by the group.

Usually, before reviewing any specific documentation of the maintenance performed on the aircraft, the Maintenance Group is briefed about the operator policies and procedures in the context of the applicable operating regulations. The operator and maintenance organization manuals, including those for contracted maintenance, are highly relevant for the Maintenance Group because they contain the maintenance policies and procedures and make it possible to understand the organization of the departments, duties, responsibilities and individual group functions such as the Maintenance Program, stores control, technical Records administration, Critical Maintenance Task/Required Inspection Items management, etc., which can help to determine if any of these may have contributed to the accident. The Continuing Airworthiness Management Exposition (CAME) and the Maintenance Organization Exposition (MOE) in an EASA environment, or the Air Carrier Maintenance Manual and the Repair Station Manual required as per the FAA rules, will likely be the first documents the Maintenance Group is interested in.
The main areas to be examined by the Maintenance Group include:

• the operating history of the aircraft, engines, propellers, and components, and
• the aircraft records to determine compliance with all the applicable Airworthiness Directives (AD) and the approved Aircraft Maintenance Program (AMP), that major modifications and repairs are performed in accordance with approved data, and that any discrepancies or omissions associated with the aircraft have been properly corrected.

One of the most important tasks of the Maintenance Group is to review the approved Aircraft Maintenance Program with the objective of assessing its adequacy and effectiveness. The study of the relevant records will highlight improper or inadequate maintenance, servicing, or inspection. The relevant records that may be requested by the Maintenance Group for review include, but are not limited to:

• Aircraft Technical Logs,
• Aircraft maintenance history,
• Routine and non-routine task cards,
• Applicable Airworthiness Directives (AD),
• Airworthiness Limitations (ALS) and Certification Maintenance Requirements (CMR),
• Modifications and Repairs records for the aircraft, engines, propellers, and components,
• List of SB and SL issued by manufacturers,
• Engine change log,
• Engine Condition Monitoring Data,
• Engine and airframe vibration monitoring data,
• MEL and CDL items currently being carried on the accident aircraft,
• Report of In-flight shutdowns,
• List of cancelations/diversions/deviations,
• Occurrences history: overweight landings, bird strikes, lightning strikes, damage reports, etc.,
• Service Difficulty Reports (SDR),
• Relevant incidents for the accident aircraft or others of the same model,
• Weight and Balance records.

The data collected is assessed to determine the effectiveness of the maintenance performed and its adequacy and relevance to the issues associated with the accident. If any system or component becomes suspect through the records review, the Maintenance Group will alert the investigative team. In the same way, the data collected by other groups may indicate lines of investigation for the Maintenance Group, e.g., if a landing gear life-limited part is found relatively distant from the rest of the landing gear wreckage area, it may indicate that the part failed, and therefore, the Maintenance Group should investigate the landing gear records in more detail. As a consequence of the maintenance records review, the oversight agencies may also be evaluated to determine if their actions/inactions may have contributed to the accident sequence.

Maintenance Error

When a maintenance error is suspected, the Maintenance Group must thoroughly investigate all the factors that may have contributed to the final error. Chapters 23 and 24 provide a deeper understanding of Human and Organizational Factors. The following lines recapitulate some important elements that are considered in the maintenance part of the aircraft accident investigation.

The source of the data that a technician uses to carry out a job may be a contributing factor if it was not understandable or was difficult to understand, was incomplete or conflicted with other documents, but also if it was not available or was simply ignored.
The current publications released by the operator and manufacturers, as of the date of the accident, can be requested by the Maintenance Group to determine any deviations; these can include the Aircraft Maintenance Manual (AMM), the Illustrated Part Catalogue (IPC), the Structural Repair Manual (SRM), Troubleshooting manuals, Overhaul Manuals, Component Maintenance Manual (CMM), Service publications (Service Bulletins, Operator Letters, Maintenance Tips), etc.

If the parts necessary to perform a task are incorrectly labeled, it can lead to improper installation or incorrect modification/repair. If they are not available, the technician may end up using substitute parts or even omitting the part. In the same way, if tools/equipment are not available or are not accessible, the maintenance technician may use others that are not suitable to perform the task; if they are not safe, the technician may be distracted due to concerns for staff safety; if they are not properly calibrated or there are no instructions for use, they may have provided wrong measurements; etc.

The Maintenance Group should consider aspects of the aircraft design and configuration that may have contributed to the suspected maintenance errors, e.g., complex, difficult or extensive procedures, difficult or uncomfortable access areas, multiple similar connections on the same component, or components easily installed with the wrong orientation. A poorly developed maintenance Task Card could also contribute to maintenance error: repetitive and monotonous actions, complex/confusing/changed procedures, complacency, or simply accomplishing the task differently may induce errors.
EASA Regulation Codes
• Basic Regulation:
  – Regulation (EU) 2018/1139 Basic Regulation. December 2019.
• Initial Airworthiness:
  – Regulation (EU) No 748/2012 Easy Access Rules for Airworthiness and Environmental Certification (Part-21) (up to Regulation (EU) 2019/897 and ED Decision 2019/018/R). December 2019.
  – Regulation (EU) No 2015/640 Easy Access Rules for Additional Airworthiness Specifications (Part-26) (up to Regulation (EU) No 2015/640 and ED Decision 2015/013/R). January 2018.
  – CS-25 Easy Access Rules for Large Aeroplanes (up to ED Decision 2018/005/R—Amendment 21). November 2018.
  – CS-E Easy Access Rules for Engines (up to ED Decision 2018/014/R—Amendment 5). February 2020.
  – CS-P Easy Access Rules for Propellers (up to ED Decision 2006/09/R—Amendment 1). November 2018.
  – CS-APU Easy Access Rules for Auxiliary Power Units (ED Decision 2003/5/RM—Initial issue). February 2018.
  – CS-ETSO Easy Access Rules for European Technical Standard Orders (up to ED Decision 2018/008/R—Amendment 14). November 2018.
  – CS-AWO Easy Access Rules for All Weather Operations (ED Decision 2003/6/RM—Initial issue). February 2018.
  – AMC-20 Easy Access Rules for Acceptable Means of Compliance for Airworthiness of Products, Parts and Appliances (up to ED Decision 2019/011/R—Amendment 17). February 2020.
• Continuing Airworthiness:
  – Regulation (EU) No 1321/2014 Easy Access Rules for Continuing Airworthiness (Part-M, Part-145, Part-66, Part-147, Part-T, Part-ML, Part-CAMO, Part-CAO) (up to Regulation (EU) 2020/270 and ED Decision 2020/002/R). June 2020.
• Air Operations:
  – Regulation (EU) No 965/2012 Easy Access Rules for Air Operations (up to Regulation (EU) 2019/1387 and ED Decision 2019/019/R). October 2019.