GM 21.A.3B(d)(4) Defect correction – Sufficiency of proposed corrective action    

CAA ORS9 Decision No. 1

This GM provides guidelines to assist in establishing rectification campaigns to remedy discovered defects.

1. STATUS

This document contains GM of a general nature for use in conjunction with engineering judgement, to aid airworthiness engineers in reaching decisions in the state of technology at the material time.

While the main principles of this GM could be applied to small private aeroplanes, helicopters, etc. the numerical values chosen for illustration are appropriate to large aeroplanes for public transport.

2. INTRODUCTION

    2.1 Over the years, target airworthiness risk levels underlying airworthiness requirements have developed on the basis of traditional qualitative airworthiness approaches; they have been given more precision in recent years by being compared with achieved airworthiness levels (judged from accident statistics) and by the general deliberations and discussions which accompanied the introduction of rational performance requirements, and more recently, the Safety Assessment approach in requirements. Although the target airworthiness risk level tends to be discussed as a single figure (a fatal accident rate for airworthiness reasons of not more than 1 in 10 000 000 flights/flying hours for large aeroplanes) it has to be recognised that the requirements when applied to particular aircraft types will result in achieved airworthiness levels at certification lying within a band around the target level and that thereafter, for particular aircraft types and for particular aircraft, the achieved level will vary within that band from time to time.

    2.2 The achieved airworthiness risk levels can vary so as to be below the target levels, because it is difficult if not impossible to design to the minimum requirements without being in excess of requirements in many areas; also because aircraft are not always operated at the critical conditions (e.g., aircraft weight, CG position and operational speeds; environmental conditions - temperature, humidity, degree of turbulence). The achieved level may vary so as to be above the target level because of undetected variations in material standards or build standards, because of design deficiencies, because of encountering unforeseen combinations of failures and/or combinations of events, and because of unanticipated operating conditions or environmental conditions.

    2.3 There is now a recognition of the need to attempt to monitor the conditions which tend to increase the level and to take appropriate corrective action when the monitoring indicates the need to do so in order to prevent the level rising above a predetermined ‘ceiling’.

    2.4 The CAA also has a duty in terms of providing the public with aviation services and therefore should consider the penalties associated with curtailment or even removal (by ‘grounding’) of aviation services when establishing the acceptability of any potential variation in airworthiness level.

    2.5 Thus, the purpose of this GM is:

      (a) To postulate basic principles which should be used to guide the course of actions to be followed so as to maintain an adequate level of airworthiness risk after a defect has occurred which, if uncorrected, would involve a potential significant increase of the level of risk for an aircraft type.

      (b) For those cases where it is not possible fully and immediately to restore an adequate level of airworthiness risk by any possible alleviating action such as an inspection or limitation, to state the criteria which should be used in order to assess the residual increase in risk and to limit it to an appropriate small fraction of the mean airworthiness through life risk.

3. DISCUSSION

    3.1 Several parameters are involved in decisions on safety matters. In the past the cost of proposed action has often been compared with the notional 'risk cost', i.e. the cost of a catastrophe multiplied by its probability of occurrence.

    3.2 This can be a useful exercise, but it should be held within the constraint of acceptable airworthiness risk levels, i.e., within airworthiness risk targets which represent the maximum levels of risk with which an aircraft design must comply, i.e., in the upper part of the 'band'. Currently for large aeroplanes the mean airworthiness risk level is set at a catastrophe rate for airworthiness reasons of not more than one in every ten- million flights/flying hours. The constraint is overriding in that any option, which could be permitted on risk cost considerations, or other grounds, is unacceptable if it leads to significant long-term violation of this safety requirement.

    3.3 While it should clearly be the objective of all to react to and eliminate emergency situations, i.e., those involving a potentially significant increase of airworthiness risk levels, without unreasonable delay, the CAA should be able finally to rule on what is a minimum acceptable campaign programme. It has therefore seemed desirable to devise guidelines to be used in judging whether a proposed campaign of corrective actions is sufficient in airworthiness terms, and clearly this ought to be based on determining the summation of the achieved airworthiness risk levels for the aircraft and passengers during any periods of corrective action and comparing them with some agreed target.

    3.4 As the period of corrective action will not be instantaneous (unless by grounding), there is potentially an increase in the achieved airworthiness risk level possibly to and, without controls, even above the higher part of the 'band', and the amount by which the level is above the mean target figure, and the period for which it should be allowed to continue, has been a matter of some arbitrary judgement.

    3.5 It would appear desirable to try to rationalise this judgement. For example, if an aircraft were to spend 10 % of its life at a level such that the risk of catastrophe was increased by an order of magnitude, the average rate over its whole life would be doubled which may not be in the public interest. A more suitable criterion is perhaps one which would allow an average increase in risk of, say one third on top of the basic design risk when spread over the whole life of the aircraft an amount which would probably be acceptable within the concept (See Figure 1). It would then be possible to regard the 'through life' risk to an aircraft - e.g., a mean airworthiness target of not more than one airworthiness catastrophe per 10 million (107) hours, as made up of two parts, the first being 3/4 of the total and catering for the basic design risk and the other being 1/4 of the total, forming an allowance to be used during the individual aircraft's whole life for unforeseen campaign situations such as described above.

    3.6 Investigation has shown that a total of ten such occasions might arise during the life of an individual aircraft.

    3.7 Using these criteria, there could then be during each of these emergency periods (assumed to be ten in number) a risk allowance contributed by the campaign alone of:

    1 x 10-7 for 2.5% of the aircraft's life; or

    5 x 10-7 for 0.5% of the aircraft's life; or

    1 x 10-6 for 0.25% of the aircraft's life; or

    1 x 10-5 for 0.025% of the aircraft's life, etc.

    without exceeding the agreed 'allowance' set aside for this purpose.

    3.8 Thus a 'reaction table' can be created as indicated in Table 1 (the last two columns assuming a typical aircraft design life of 60,000 hours and an annual utilisation of 3,000 hours per annum) showing the flying or calendar time within which a defect should be corrected if the suggested targets are to be met.

    Table 1

Estimated catastrophe rate to aircraft due to the defect under consideration (per a/c hour)

Average reaction time for aircraft at risk (hours)

On a calendar basis

4 x 10-8

3 750

15 months

5 x 10-8

3 000

12 months

1 x 10-7

1 500

6 months

2 x 10-7

750

3 months

5 x 10-7

300

6 weeks

1 x 10-6

150

3 weeks

1 x 10-5

15

Return to base

    3.9 These principles may be applied to a single aircraft or a number of aircraft of a fleet but in calculating risk, all the risk should be attributed to those aircraft which may carry it, and should not be diluted by including other aircraft in the fleet which are known to be free of risk. (It is permissible to spread the risk over the whole fleet when a source is known to exist without knowing where). Where a fleet of aircraft is involved Column 2 may be interpreted as the mean time to rectification and not the time to the last one.

    3.10 There is one further constraint. However little effect a situation may have on the 'whole life' risk of an aircraft, the risk should not be allowed to reach too high a level for any given flight. Thus while a very high risk could be tolerated for a very short period without unacceptable degradation of the overall airworthiness target, the few flights involved would be exposed to a quite unacceptable level of risk. It is therefore proposed that the Table 1 should have a cut-off at the 2 x 10-6 level so that no flight carries a risk greater than 20 times the target. At this level the defect is beginning to contribute to a greater likelihood of catastrophe than that from all other causes, including non-airworthiness causes, put together. If the situation is worse than this, grounding appears to be the only alternative with possibly specially authorised high-risk ferry flights to allow the aircraft to return to base empty. Figures 2 and 3 show a visualisation chart equivalent to Table 1, giving average rectification time (either in flight hours or months) based on probability of defect that must be corrected.

    3.11 It will be seen that the above suggestions imply a probability of catastrophe from the campaign alone of 1.5/10 000 per aircraft during each separate campaign period (i.e. p = 0.015 per 100 aircraft fleet).

    3.12 In addition, in order to take into account large fleet size effect, the expected probability of the catastrophic event during the rectification period on the affected fleet shall not exceed 0.1. See Figure 4.

    3.13 It should also be noted that in assessing campaign risks against 'design risk', an element of conservatism is introduced, since the passenger knows only 'total risk' (i.e. airworthiness plus operations risks) and the fatal accident rate for all reasons is an order of magnitude greater than that for airworthiness reasons only (i.e., 10-6 as against 10-7). The summated campaign risk allowance proposed by this GM is therefore quite a small proportion of the total risk to which a passenger is subject. When operating for short periods at the limit of risk proposed (2 x 10-6 per hour) the defect is however contributing 100 % more risk than all other causes added together.

    3.14 A similar approach is proposed to cover the case of defects associated to hazardous failure conditions for which the safety objectives defined by the applicable certification specifications are not met. According to CS 25.1309, the allowable probability for each hazardous failure condition is set at 10-7 per flight hour compared to 10-9 per flight hour for a catastrophic failure condition. Figure 5 is showing a visualisation chart giving average rectification time based on probability of defect that should be corrected. This is similar to Figure 2 but with lower and upper boundaries adapted to cover the case of hazardous failure conditions (probabilities of 10-7 and 2x10-4 respectively).

    3.15 In addition, in order to take into account large fleet size effect, the expected probability of the hazardous event during the rectification period on the affected fleet shall not exceed 0.5. See Figure 6.

4. GUIDELINES

    4.1 The above would lead to the following guidelines for a rectification campaign to remedy a discovered defect associated to a catastrophic failure condition without grounding the aircraft:

    (i) Establish all possible alleviating action such as inspections, crew drills, route restrictions, and other limitations.

    (ii) Identify that part of the fleet, which is exposed to the residual risk, after compliance has been established with paragraph (i).

    (iii) Using reasonably cautious assumptions, calculate the likely catastrophic rate for each aircraft carrying the risk in the affected fleet.

    (iv) Compare the speed with which any suggested campaign will correct the deficiency with the time suggested in Figure 2. The figure should not be used beyond the 2x10-6 level, except for specially authorised flights.

    (v) Also ensure that the expected probability of the catastrophic event during the rectification period on the affected fleet is in accordance with Figure 4.

    4.2 Similarly, the following guidelines would be applicable for a rectification campaign to remedy a discovered defect associated to a hazardous failure condition without grounding the aircraft:

    (i) Establish all possible alleviating action such as inspections, crew drills, route restrictions, and other limitations.

    (ii) Identify that part of the fleet, which is exposed to the residual risk, after compliance has been established with paragraph (i).

    (iii) Using reasonably cautious assumptions, calculate the likely hazardous rate for each aircraft carrying the risk in the affected fleet.

    (iv) Compare the speed with which any suggested campaign will correct the deficiency with the time suggested in Figure 5.

    (v) Also ensure that the expected probability of the hazardous event during the rectification period on the affected fleet is in accordance with Figure 6.

    4.3 It must be stressed that the benefit of these guidelines will be to form a datum for what is considered to be the theoretically maximum reaction time. A considerable amount of judgement will still be necessary in establishing many of the input factors and the final decision may still need to be tempered by non-numerical considerations, but the method proposed will at least provide a rational 'departure point' for any exercise of such judgement.

    4.4 It is not intended that the method should be used to avoid quicker reaction times where these can be accommodated without high expense or disruption of services.

Figure 1 - Visualisation Chart for CS-25

Figure 2 - Visualisation Chart for CS-25 (Flight hours)

Figure 3 - Visualisation Chart for CS-25 (Calendar basis)


Figure 4 - Visualisation Chart for CS-25 (Flight Hours)

Figure 5 - Visualisation Chart for CS-25 (Flight hours)


Figure 6 - Visualisation Chart for CS-25 (Flight hours)