FROM FIRST FLIGHT TO LAST FLIGHT: SAFETY OF AIRCRAFT IN-SERVICE

Safety is not self-sustaining. Designing safety into an aircraft is not enough: safety must be maintained or enhanced throughout the life of the aircraft, from the moment the aircraft undertakes its first flight.

Initial Safety Level at Aircraft Design and Certification

Every aircraft produced by an aircraft manufacturer is certified by the civil aviation authority of the State of Design before it is allowed to fly. The type certification of an aircraft is an independent assessment of the design and a confirmation that it meets standards of safety, called airworthiness codes, that have been established over decades. Airworthiness codes include ensuring redundancy in all the critical systems of the aircraft: every system vital to the safe operation of an aircraft must have a backup, and in some cases more than one backup. For example, twin-engine jets are designed to safely take off, fly and land even if one engine fails. Most aircraft manufacturers have design standards that are more stringent than the airworthiness codes.
During the type certification process, the aircraft manufacturer and the airworthiness authorities go through a detailed design review and a series of test programs. Testing a new aircraft design can take many months or years. Tests are conducted in laboratories, wind tunnels, icing tunnels, on the ground and during flight tests. The detailed design review includes an aircraft system safety assessment, in which system safety methodology and analysis techniques are used to evaluate the safety aspects of the design. The aircraft system safety analyses that are normally carried out during the design phase include, but are not limited to, Functional Hazard Assessment (FHA), Failure Modes and Effects Analysis (FMEA) and Fault Tree Analysis (FTA). Hazards that are identified may be mitigated by one or more of several methods following the Safety Order of Precedence. These include elimination of hazards from the design, incorporation of safety devices, provision of warning devices, and development of procedures and training to avoid the situation.
One of the several test programs carried out is the structural static test program, which includes: Flight Test Installation (FTI) calibration test, maximum wing bending at limit load, ailerons and spoilers functioning test during max wing bend, fuselage pressure test, and fatigue tests and flight cycles simulation. According to Airbus, fatigue testing examines how the aircraft structure responds to stress over a long period of time and during different stages of its operations, such as taxiing on the runway, take-off, cruising and landing. To re-create these conditions, a combination of loads is placed on the airframe and activated by computer-operated hydraulic jacks. During fatigue tests, according to The Boeing Company, the aircraft is subjected to up to three lifetimes of normal wear and tear to help validate its durability. Another test is the certification flight test, which is designed to assess general handling qualities, operational performance, airfield noise emission and systems operation in normal mode, failure scenarios and extreme conditions, including water ingestion trials, low speed take-off tests, flutter, and rejected take-off and landing.
Once the aircraft is certified by the airworthiness authority of the State of Design, the aircraft is cleared for mass production by the aircraft manufacturer and for take-off for the entirety of the aircraft lifetime. Each aircraft that rolls off the production line is tested before delivery by the aircraft manufacturer. Before the manufacturer delivers an aircraft and signs the transfer of title to the customer, the customer carries out complete and detailed checks. These checks confirm the conformity of the aircraft with the type certificate and the contractual specification. Typical checks include: ground checks of external surfaces, visual inspection of bays and cabin, static aircraft system and cockpit checks, engine tests, and an acceptance flight test in which all aircraft systems (including cabin systems) and aircraft behaviour are checked during flight.
When an aircraft is delivered by the manufacturer to the customer in its type certificated pristine condition, it has an initial level of safety. Once an aircraft undertakes its first flight, that initial level of safety is required to be maintained throughout the aircraft’s life. As the aircraft is operated, the level of safety is maintained through a continuing process of monitoring service experience, identifying safety related issues and opportunities, and then addressing these issues or opportunities through appropriate product or procedure changes. The responsibility for maintaining the level of safety of an aircraft in service is shared among the airworthiness authorities, the aircraft operators, the aircraft manufacturers, the aircraft maintenance and repair organisations and the aircraft equipment suppliers.
To improve safety during an aircraft life cycle, it is not sufficient to assess the safety of the aircraft only during its design phase; it must also be assessed during the in-service phase. Daily aircraft operations must be evaluated for safety (e.g., maintenance or operation procedures). The aircraft is also evolving and changing during the “In-Service” phase (e.g., product improvements, obsolescence, modifications). Differences exist or can develop between the assumptions made during the design phase and how the aircraft are operated and maintained. For these reasons, safety should also be assessed during the “In-Service” phase of the aircraft life cycle, and to do this, information must be collected, monitored and analyzed. In addition to maintaining the safety of the aircraft, there is a desire to enhance safety. The process of either maintaining or enhancing safety is what is called In-service Safety Assessment.

In-service Safety Assessment

The In-service Safety Assessment is meant to continue the effort started during the aircraft design phase. It begins with the introduction of the new aircraft type and continues until the aircraft is retired from service. The three main objectives of the In-service Safety Assessment are to:
  • Maintain the airworthiness (certification) of the airplane. In-service events are assessed based on their effects on the level of safety intended in the certification process.
  • Maintain the safety of the aircraft. In-service events are assessed against the internal safety objectives of the aircraft operator.
  • Improve the safety of the aircraft. In-service events are assessed to identify opportunities to decrease their number, or to surpass the safety objectives of the aircraft operator.
The in-service safety assessment process is expected to be continuous, iterative and closed-loop. When an event has been identified and assessed and an action implemented, the monitoring continues in order to validate the effectiveness of the action. The safety of the aircraft depends on numerous factors, including the original design, manufacturing, flight crew and maintenance actions, operation effects, quality of parts, modifications, environment and aircraft aging.
The Society for Automotive Engineers (SAE) has described the in-service safety assessment process as including the following five generic high level steps:
  • Hazard Identification
  • Risk Assessment
  • Risk Reduction/Mitigation
  • Risk Control Implementation
  • Hazard Tracking
Civil Aviation Authorities (CAAs), Original Equipment Manufacturers (OEMs), and aircraft operators may choose a three-step process or call the five steps by different names, but all aim to achieve the same purpose of maintaining or improving the level of safety of the aircraft.
Hazard Identification encompasses the collection of data and the monitoring of parameters. It also provides for recognition of events which have occurred and may be of concern but were not previously identified. For the CAAs, the sources of data include accident and incident investigation findings and Mandatory Occurrence and Service Difficulty Reports. For the OEMs, sources of data include accident and incident investigation findings, warranty claims information, field service reports, and operator reports. For the operators, sources of data include accident and incident investigation findings, air safety reports and reliability reports. The monitored data is analyzed to identify potential or real hazards.
Risk Assessment is the process that is initiated when an undesired event (or trend) is detected. Detection may be the result of internal or external data. Based on the significance of the event and an initial evaluation of the risk, a more detailed and complete risk assessment is performed as appropriate. The severity and the potential magnitude of fleet involvement are assessed.
Risk Reduction/Mitigation encompasses research into event causes and the development of corrective action(s). This should include risk assessment of potential corrective action(s). The root causes and extent of the problem are identified, and factual knowledge of the potential hazard and assessment information are provided to the decision maker(s). If a potential hazard is deemed a safety issue, actions will be taken by company functions to fully understand the problem, initiate corrective actions, and make appropriate notifications (e.g., to customers, suppliers, the FAA, and other agencies).
Risk Control Implementation consists of evaluating the corrective action options and identifying those with acceptable levels of safety. This action is typically performed by a review board or management position, which approves the proposed corrective action, determines the implementation method and authorizes implementation by the responsible organization. If the potential hazard is not deemed a safety issue, the decision, its rationale and the lessons learned are documented. If the potential hazard is deemed a safety issue, corrective actions should be applied to the aircraft or component.
Hazard Tracking takes place once the corrective action has been implemented (or not implemented, as appropriate): the safety assessment process for that event is documented and closed. If the decision is not to implement the corrective action, the decision and its justification are documented and filed in the hazard tracking log.
Normally, a corrective action will be implemented through the issuance of an official technical document from the organization implementing the change.
Examples of documents which may be issued or changed for the operator include:
a. Flight Operations Manual
b. Engineering Orders
c. Maintenance Procedures Manual
d. Flight Operations Bulletins or Maintenance Bulletins

For a manufacturer, the document issued may:
a. be focused toward the operator in the form of a Service Bulletin, Service Letter, All Operator Telex, Maintenance Tips, etc.
b. be directed toward its own organization which may include new process instructions, production guidelines, new drawings, etc.

The CAA may issue an Airworthiness Directive to ensure compliance with actions that are deemed mandatory to correct the unsafe condition.

Reporting In-Service Events

Civil Aviation Regulations require the owner or operator of an aeroplane over 5,700 kg and a helicopter over 3,175 kg maximum certificated take-off mass to monitor and assess maintenance and operational experience with respect to continuing airworthiness, and to have a system whereby information on faults, malfunctions, defects and other occurrences that cause or might cause adverse effects on the continuing airworthiness of the aircraft is transmitted to the manufacturer of the aircraft and the civil aviation authority of the State of Registry of the aircraft. Civil Aviation Regulations also require the civil aviation authority of the State of Registry of the aircraft and the aircraft manufacturer to send such reports to the civil aviation authority of the State of Design of the aircraft type.
Why is the reporting of in-service events important? During the investigation of an aircraft accident, the accident investigating authority identified that the aircraft had been flying with an identified fault for a number of flight cycles before the accident; this fault was not reported. The accident investigating authority concluded that the failure to report limited the effectiveness of existing safety programmes, meaning that it could result in an inaccurate assessment of risks by both airlines and aircraft manufacturers, which limits their ability to manage the risks. Further to this, the accident investigating authority issued recommendations on the need to make operators aware of the importance of reporting in-service events.
If an aircraft owner or operator is in doubt about whether an in-service event is important to report, the best action to take is always to report the information to the civil aviation authority and the aircraft manufacturer. An in-service event you may think of as an isolated case may have a bigger impact at a global fleet level. Collecting information regarding in-service events that might involve potential safety issues is a key aspect of the in-service safety assessment effort to continuously improve the safety of aircraft, and this can only be achieved with the help of the aviation community through rapid, accurate and comprehensive information exchanges on events which might potentially affect fleet safety. It is also important to remember that events that have had no particular consequence might have an effect on safety if they occur in other circumstances or on another type of aircraft. Aircraft manufacturers rely on aircraft operators to report incidents and other in-service events so they can be evaluated for safety implications. Aircraft owners, operators and MRO (Maintenance, Repair and Overhaul) organisations are encouraged to report in-service events to the aircraft manufacturer and the civil aviation authority, even if the event is considered irrelevant.

In-service Safety Assessment and Safety Management System

While the application of Safety Management System (SMS) to aircraft manufacturers is relatively new, the underlying safety principles and methodologies contained within SMS are equivalent to the in-service safety assessment processes that have been developed over the past several decades and are currently being used by many aircraft manufacturers, component suppliers, aircraft operators and civil aviation authorities. In particular, the In-Service Safety Assessment process being used maps directly to three elements of the ICAO Annex 19 safety framework: 2.1 Hazard Identification, 2.2 Risk Assessment and Mitigation, and 4.2 Safety Communication. As can be seen from the above description of the process, In-Service Safety Assessment, also called Continued Airworthiness, relies on the cooperative efforts of manufacturers, operators and regulators to ensure the continued future safety of the global air transportation system.

Entropy of an Aircraft

Entropy has been defined as a measure of the disorder or randomness in a closed system or the inevitable and steady deterioration of a system. This means the steady deterioration of the initial level of safety of an aircraft is inevitable. Therefore, while the aircraft manufacturer’s job is to minimize the entropy of an aircraft during design, the aircraft operator’s job is to combat the natural, continual increase in the entropy of the aircraft during its operational lifetime. To summarize, it is the aircraft manufacturer’s responsibility to design the aircraft with as high a degree of perfection (low entropy) as possible within reasonable limits. The aircraft operator’s responsibility is to remove and replace parts, troubleshoot aircraft, isolate faults in aircraft by following the fault isolation manual, and restore aircraft for their intended use. The CAA’s safety oversight responsibility is to ensure the aircraft manufacturer and the aircraft operator carry out their responsibilities with respect to the entropy of the aircraft in-service. In-service safety assessment of aircraft is the surest way of ensuring the entropy of the aircraft throughout its life cycle is maintained as low as reasonably practicable. From first flight to the retirement flight, the safety of an aircraft in-service is the responsibility of the CAA, the aircraft manufacturer, aircraft operators, suppliers and others.

Each operator should define the appropriate level of safety and the internal assessment approach within the company structure. This structure may vary from a complex structured formal organization to a very informal structure that simply recognizes a need for safety awareness. The operator will determine the appropriate monitoring processes and procedures, and the definition of specific types of data to be collected and monitored. This may vary from a minimum of existing regulatory reportable issues to a more comprehensive set of undesired events. The exact parameters to be selected are the operator’s option based on the level of in-service safety assessment process desired by management.
As soon as the CAA receives a report on an event, it should be analysed to identify any safety concerns, and this should be a continuous monitoring process to allow the early detection of potential in-service problems. The CAA should take immediate and appropriate action to ensure that the highest safety standards are maintained. An in-service safety assessment team should be set up to carry out this process.
Reporting in-service events directly to the aircraft manufacturer and the civil aviation authority enhances fleet safety and contributes to safer aircraft operations within the air transport system. It is important to remember that the timeliness and quality of the in-service data are paramount in allowing an effective and efficient investigation. Operators are encouraged to develop their own In-service Safety Assessment process and continuously adapt it to their specific operating needs and criteria. Communication with the CAA, other operators, suppliers and manufacturers is advantageous throughout the process.

