Springer Series in Reliability Engineering

David Lapesa Barrera

Aircraft
Maintenance
Programs
Springer Series in Reliability Engineering

Series Editor
Hoang Pham, Department of Industrial and Systems Engineering,
Rutgers University, Piscataway, NJ, USA
More information about this series at https://link.springer.com/bookseries/6917
David Lapesa Barrera

Aircraft Maintenance
Programs
David Lapesa Barrera
Zaragoza, Spain

ISSN 1614-7839 ISSN 2196-999X (electronic)

Springer Series in Reliability Engineering
ISBN 978-3-030-90262-9 ISBN 978-3-030-90263-6 (eBook)
https://doi.org/10.1007/978-3-030-90263-6

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature
Switzerland AG 2022
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether
the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse
of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and
transmission or information storage and retrieval, electronic adaptation, computer software, or by similar
or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or
the editors give a warranty, expressed or implied, with respect to the material contained herein or for any
errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preamble

Ever since my early childhood, I have been fascinated with the power of flying. I
cannot remember the first time that I watched at the skies and got excited seeing a
bird or an aircraft; that is something that I still do, now closer to the airports: just
sit and observe the magnificence of the nature and the greatness of what the human
being has achieved.
What I can perfectly recall is the first time that I was concerned about flight safety;
I was about ten years old, and fortuitously I watched a movie entitled Alive! (¡Viven!
in Spanish) based on the true story of the Fairchild F-27 that crashed on the Andes
in 1972. It was a cloudy day and the aircraft repeatedly impacted the mountains,
ejecting a few occupants and ending to stop in a glacier. Despite the accident, many
occupants survived initially; some died later as a consequence of the crash and a few
more during the next days due to an avalanche. The group had to turn to cannibalism
in order to survive until they were rescued more than two months later. That horrifying
but beautiful survival story still catch my attention.
During my early youth, flying was mostly limited to business trips or people that
may afford the expensive ticket prices. Although it may seem rare, it was not until my
third year in the Aeronautical University when I actually took my first flight with a
low-cost airline, and since then I have never stopped. Flying has given me the chance
to know more countries, places, and people than what I could have ever dreamt of.
After a summer internship in the Spanish Air Force, in which I had the opportunity
of optimizing a maintenance check of the McDonnell Douglas EF-18, I definitely
decided to initiate my professional career focused on the Continuing Airworthiness
of the aircraft.
I have worked for four top airlines in Spain, Switzerland, and the Middle East,
participating in really interesting projects such as the introduction of the Airbus
A220 (the old Bombardier C Series) to the first operator or managing the Aircraft
Maintenance Program of the largest Airbus A380 fleet in the world, or ensuring the
airworthiness of the latest Airbus produced design, the A350 aircraft.
This book captures the best Aircraft Maintenance Program practices acquired
during these years through research, application, and observance of ethical, excel-
lent, and good practices that ensure flight safety, but also recognizing unethical and

v
vi Preamble

poor procedures and behaviors that may compromise it. I came with the idea of the
Triangle of Airworthiness to explain what are the minimum aircraft criteria to fly
safe and the considerations in regards to the Aircraft Maintenance Programs to
enlarge the triangle in a more cost-effective way.
The book presents a comparison of the applicable EASA and FAA regulations.
However, it is fair to recognize the honorable experience and contribution of other
authorities to aviation safety, such as the UK Civil Aviation Authority, Transport
Canada, the Australian Civil Aviation Safety Authority, and many others. It is also
necessary to recognize the efforts of the accident investigation authorities that make
an incredible work and which recommendations have significantly contributed to the
safety level that we enjoy nowadays on the skies.
Special thanks are owed to the leaders that have given me the opportunity to grow
both professionally and personally: Pablo Gestal, as Technical Director of Swiftair,
Patrick Scherrer, as the Head of Engineering of Swiss International Airlines, Dolf
Beltz, as the VP Engineering Planning and IT Systems at Emirates Airline, and
Rafael Martinez, as Technical Director of Evelop (Iberojet).
Thanks to them I have met eminent Maintenance Program experts, the most inspi-
rational mentors, and my role models: Maritza Leon, Lars Schuster, and Gianluca
Ropa; and other commanders that brought exciting discussions and projects to the
arena: Blanca Escalante, Francisco Javier Ramos, Gerd Eismann, Nick Green, Paul
Davies, Andy Jones, Margalida Salis, Angelo Caldeira and Silvia Neves to name a
few.
I must be also grateful for the reason that I have had the chance to connect with
plenty of other aviation professionals, mates, and friends during my professional
journey; although it is not possible to mention all, with affection: Miguel, Elizabeth,
Marta, Esperanza, Alemneh, Timo, Joao, Bassem, Julius, Mohsin, Osama, Andrea,
Maria, Amin, Arun, Lokesh, Alberto, Luis, ...
I kindly appreciate the organizations that have reviewed and permitted the use of
their standards and material in this book, with special allusion to Airlines for America
(A4A), the International Civil Aviation Oganization (ICAO) and the International Air
Transport Association (IATA).
And last but not least, thanks to my family and lifelong friends for their inspiration
and moral support on whatever the plan is.

Zaragoza, Spain David Lapesa Barrera

Introduction

This book details the Aircraft Maintenance Program (AMP) standards and require-
ments for Large Aircraft involved in Commercial Air Transport operations consid-
ering two different ICAO regulatory environments. These two models are chosen due
to their significant efforts and contribution to the worldwide air safety: the European
Union Aviation Safety Agency (EASA) and the Federal Aviation Administration
(FAA).
The Aircraft Maintenance Program is the document that describes the scheduled
maintenance tasks and their prescribed frequency that are necessary for the safe
operation of the aircraft. The AMP, under the operator responsibility, is a key element
to maintain the Continuing Airworthiness of the aircraft, meaning that it remains in
a condition for safe operation.
The type of aircraft operation is typically classified attending to aircraft takeoff
weight and/or the number of passengers that can be carried on board, and the purposes
of the flight.
Large aircraft are those with a maximum certificated takeoff weight of over 5700
kg, and Commercial Air Transport is the operation of aircraft, scheduled or non-
scheduled, to transport passengers, cargo or mail for remuneration or hire.
The book includes plenty of examples extracted from aircraft accident/incident
investigations in order to understand how they have modeled the regulations through
the years and which has been the impact on the AMP requirements.
Lastly, the book presents some tools, techniques, and good practices that may
help to improve the quality standards of an AMP.

The Triangle of Airworthiness

The Triangle of Airworthiness is a simplified model to understand the processes by

which an aircraft and its components are in a safe condition for the operation. The
sides of the triangle represent the three elements that are required to keep an aircraft
airworthy: Safety, Reliability, and Quality.

vii
viii Introduction

RISKS

Lowered Safety

SAFETY
Improved Safety

Not cost-effective

Fig. 1 Triangle of Airworthiness.

Lack of Safety, Reliability, or Quality standards makes the airworthiness level to

be inside the Risks triangle (non-acceptable level). This condition is beyond non-
compliance; the appearance of risk factors seriously compromises the safe condition
of the operations.
On the other side, any added ingredient that inflates the triangle will improve the
airworthiness level but may be not cost-effective.
The airworthiness success of the operator is defined by the appropriate balance
of the three elements of the triangle (Fig. 1).
Safety refers to reduce the possibility of harming persons or damage property
to a level that is acceptable. The safety standards are set internationally by ICAO
and implemented through safety programs at two levels: the State Safety Programs
(SSP) and the organization Safety Management Systems (SMS). In the case of EASA,
there is an intermediary level that is equivalent to the SSP. It is the European Aviation
Safety Program (EASP) that aids the member states in developing their own SSPs.
The investigation of occurrences and deviations from the safety standards, which
include the investigation of aircraft incidents and accidents, plays one of the most
important roles in the safety programs.
The acceptable level of safety is achieved through a continuing process of hazard
identification and risk management: appropriate safety culture, occurrence reporting
systems, and occurrence investigation. Between these three components, likely the
most difficult to achieve is an open safety culture, which is directly related to the
Introduction ix

effectiveness of the occurrence reporting systems; some organizations and indi-

viduals are still concerned about the implications of reporting, which may be still
more pronounced in non-democratic cultures where the safety requirements may be
appropiately defined in the organization’s Safety Policy and hanging on every wall
but not becoming a fact in a “Just Culture” environment. Fortunately, even though
the safety culture and the occurrence reporting systems may be deficient, there is
a historical work on aircraft accident investigation that has molded the regulations
worldwide and made the system more robust.
Reliability refers to the level to which an aircraft or component performs in
regards to the intended function given by the design specifications. The reliability
level at the design phase is known as Inherent Reliability and can only be transmitted
to the manufactured aircraft or component if the Quality functions of the production,
Continuing Airworthiness and maintenance organizations are adequate. The target
of a Reliability Program is to maintain the Inherent Reliability of the aircraft and its
components, what is achieved through an alive and effective Aircraft Maintenance
Program. The Inherent Reliability can only be improved through redesign, so an
appropriate modification policy is required.
Quality refers to the improvement of the processes that ensure an organization
is fit and effective. The minimum acceptable level of quality is compliance with the
applicable regulations and standards; the organization is responsible for establishing
its own Compliance Monitoring/Quality function to ensure this level is maintained.
However, the organization can set higher levels of quality that will definitely be
related to the success of what the organization does.
The nexus of the three sides of the Airworthiness Triangle are the Risks: the three
pillars contribute to the reduction of hazards and are interrelated to each other.

Guidance to Navigate Through the Book

This is a multipurpose book; while the main objective is to raise awareness of the
importance of an appropriate and effective Aircraft Maintenance Program to maintain
the airworthiness of the aircraft while keeping it cost-effective, it may be read in
different ways depending on the objective that the reader is looking for:
– From the regulatory and Technical point of view:
• Part I Regulatory Environment presents an introduction to the current EASA
and FAA regulatory systems and responsibilities,
• Part II The Aircraft Maintenance Program—Content and Management
presents the Aircraft Maintenance Program requirements and their sources,
• Part III The Reliability Program details the Reliability Program requirements,
and
• Part IV The AMP in the Engineering and Maintenance Organization context
identifies the relations of the Maintenance Programs function with other
elements of the organization.
x Introduction

– From the Safety perspective:

• Part V Safety Programs introduces the Safety Programs, including the SMS,
and some of the models used to evaluate Human and Organizational Factors.
• Part V complements the “Lessons Learned” boxes found in Part II that describe
some of the aircraft incident/accident investigations that have modeled the
current AMP standards and regulations, and Appendix II introduces the aircraft
accident investigation processes.

– From the Quality perspective:

• Part VI AMP Quality Improvement Tools and Methods introduces the Compli-
ance Monitoring/Quality function and compiles a series of tools and techniques
for the quality improvement of the AMP.
• Part II and III also incorporate useful practices to be taken into consideration
during the development of the program.

Most of the standards and regulatory requirements quoted have been simplified for
better understanding, and therefore DO NOT SUBSTITUTE ANY APPLICABLE
STANDARD OR REGULATION. Please, refer to the applicable requirements in the
appropriate regulatory environment at the time of developing an approved AMP.
Some concepts considered in this book may be useful with the development
of Maintenance Programs for other purposes than commercial operations of large
aircraft, such as programs for different aircraft/operation categories or programs
required by different industries such as naval, oil, or pharmaceutical Maintenance
Programs.
When “competent authority” is referenced, it is the designated body responsible
of the subject matter, e.g., the competent authority for the approval of a Type Design
is granted by the Certification Authority, e.g. EASA or the FAA; the competent
authority for the approval of an AMP is the corresponding ministry or national avia-
tion authority of each EASA member state, as appropriate (FAA does not require the
AMP approval, it is part of the Ops Spec); or the competent authority for operational
approvals is the corresponding ministry or national aviation authority of each EASA
member state or the FAA, as appropriate.
Contents

Part I Regulatory Environment

1 ICAO and the Aviation Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 The International Civil Aviation Organization (ICAO) . . . . . . . . . 3
1.2 The European Union Aviation Safety Agency (EASA) . . . . . . . . . 4
1.3 The Federal Aviation Administration (FAA) . . . . . . . . . . . . . . . . . . 6
1.4 Civil Aviation Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.5 Bilateral Aviation Safety Agreements (BASA) . . . . . . . . . . . . . . . . 9
2 The Story of Airworthiness Approvals and Certifications . . . . . . . . . 11
2.1 Initial Airworthiness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3 Continuing Airworthiness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4 Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3 Continuing Airworthiness Management—Organization
and AMP Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.1 EASA: CAMO, CAME and AMP Requirements . . . . . . . . . . . . . . 16
3.2 FAA: CAMP, Maintenance Schedule and AMP
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4 Instructions for Continuing Airworthiness (ICA) . . . . . . . . . . . . . . . . . 21
4.1 ICA—Design Organizations Responsibilities . . . . . . . . . . . . . . . . . 23
4.1.1 ICA—EASA Design
Organization—Specifications and Regulations . . . . . . . 24
4.1.2 ICA—FAA Design
Organization—Specifications and Regulations . . . . . . . 25
4.1.3 E.U.–U.S. Bilateral Agreement—Design
Organization Approvals . . . . . . . . . . . . . . . . . . . . . . . . . . 26

xi
xii Contents

Part II Aircraft Maintenance Programs: Content and

Management
5 AMP Content and Maintenance Planning Document (MPD) . . . . . . 33
5.1 AMP Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.1.1 General Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
5.1.2 AMP Preamble—Procedures . . . . . . . . . . . . . . . . . . . . . . 37
5.1.3 AMP Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
5.1.4 AMP Revision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.2 Maintenance Planning Document (MPD) . . . . . . . . . . . . . . . . . . . . 42
5.2.1 MPD and AMM/IPC Revision Cycle . . . . . . . . . . . . . . . 43
5.3 Maintenance Requirement and Task Card . . . . . . . . . . . . . . . . . . . . 45
6 AMP Primary Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
6.1 Maintenance Review Board Report (MRBR) . . . . . . . . . . . . . . . . . 47
6.1.1 The International Maintenance Review Board
Policy Board (IMRBPB) . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6.1.2 The International MRB/MTB Process Standard
(IMPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
6.1.3 Policy and Procedures Handbook (PPH) . . . . . . . . . . . . 51
6.1.4 Utilization Considerations . . . . . . . . . . . . . . . . . . . . . . . . 51
6.1.5 The Maintenance Steering Group (MSG) . . . . . . . . . . . . 51
6.1.6 MSG-3 Analysis Methodology . . . . . . . . . . . . . . . . . . . . 53
6.1.7 Issue Paper 44 (IP 44): MRB
Evolution/Optmization Guidelines . . . . . . . . . . . . . . . . . 66
6.2 Airworthiness Limitations (ALS) and Certification
Maintenance Requirements (CMR) . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.2.1 Requirements Derived from Systems Safety
Analysis (SSA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
6.2.2 Requirements Derived from the Damage
Tolerance and Fatigue Evaluation of the Structure . . . . 80
6.2.3 Examples of ALS Documentation Data Packages . . . . . 85
7 AMP Secondary Sources: Aging Aircraft . . . . . . . . . . . . . . . . . . . . . . . . 87
7.1 Continuing Structural Integrity Program . . . . . . . . . . . . . . . . . . . . . 88
7.1.1 Supplemental Structural Inspection Program
(SSIP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
7.1.2 Corrosion Prevention and Control Program
(CPCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
7.1.3 SSIP/CPCP Implementation . . . . . . . . . . . . . . . . . . . . . . . 90
8 AMP Secondary Sources: MCAI, Modifications and Repairs,
and Non-mandatory Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . 95
8.1 Mandatory Continuing Airworthiness Information
(MCAI)—Airworthiness Directives (AD) . . . . . . . . . . . . . . . . . . . . 95
8.2 Modifications and Repairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Contents xiii

8.2.1 Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
8.2.2 Repairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
8.2.3 Modifications/Repairs Scheduled Requirements . . . . . . 102
8.3 Non-mandatory Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . 104
8.3.1 Service Bulletins (SB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
8.3.2 Service Letters (SL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
8.4 Embodiment Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
9 AMP Secondary Sources: Operational Requirements
and Changes to the Operation Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
9.1 Scheduled Requirements Derived from Specific Operation
Approvals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
9.1.1 Reduced Vertical Separation Minima (RVSM) . . . . . . . 110
9.1.2 Minimum Navigation Performance
Specifications (MNPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
9.1.3 Performance-Based Navigation (PBN): RNAV
and RNP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
9.1.4 Extended Diversion Time Operations
(EDTO)—ETOPS/LROPS . . . . . . . . . . . . . . . . . . . . . . . . 116
9.1.5 All Weather Operations (AWO) . . . . . . . . . . . . . . . . . . . . 121
9.2 Low Utilization Maintenance Program (LUMP) . . . . . . . . . . . . . . 123
9.3 Miscellaneous Scheduled Requirements . . . . . . . . . . . . . . . . . . . . . 124
9.3.1 Preflight Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
9.3.2 Safety/Emergency Equipment . . . . . . . . . . . . . . . . . . . . . 127
9.3.3 Emergency Locator Transmitter (ELT) . . . . . . . . . . . . . . 128
9.3.4 Flight Recorders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
9.3.5 Weight and Balance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
10 Components Maintenance Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
10.1 Acceptance of Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
10.1.1 Component Authorized Release Certificate . . . . . . . . . . 147
10.1.2 Conformity Documentation/Statement . . . . . . . . . . . . . . 147
10.1.3 Suspected Unapproved Parts (SUP) . . . . . . . . . . . . . . . . 148
10.1.4 Organization Responsibilities . . . . . . . . . . . . . . . . . . . . . . 148
10.2 Component Maintenance Manuals (CMM) . . . . . . . . . . . . . . . . . . . 151
10.3 Details of Specific Component Programs . . . . . . . . . . . . . . . . . . . . 151
10.3.1 Evacuation Slides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
10.3.2 Landing Gear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
10.3.3 Powerplant, Thrust Reverser, and Auxiliary
Power Unit (APU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
10.4 Aircraft Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . 158
10.5 Robbery Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
10.6 Component Maintenance Program Structure . . . . . . . . . . . . . . . . . . 165
xiv Contents

11 AMP Task Interval Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

11.1 Maintenance Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
11.1.1 First Accomplishment of Tasks—Starting Point . . . . . . 169
11.1.2 Repeat Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
11.1.3 Credit from Accomplishment of a Different Task . . . . . 171
11.2 Grace Period (Compliance Time) . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
11.3 Permitted Variations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
11.3.1 Scope of the Permitted Variations . . . . . . . . . . . . . . . . . . 172
11.3.2 Maximum Permitted Variation . . . . . . . . . . . . . . . . . . . . . 173
11.3.3 Permitted Variations—Interval Management . . . . . . . . . 174
11.4 Exceptional Short-Term Extension . . . . . . . . . . . . . . . . . . . . . . . . . . 174
11.4.1 Scope of the Exceptional Short-Term Extension . . . . . . 174
11.4.2 Exceptional Short-Term Extensions—Interval
Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
11.5 Task Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
11.5.1 Scope of the AMP Task Escalation . . . . . . . . . . . . . . . . . 176
12 AMP Evolution/Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
12.1 AMP Evolution/Optimization: Assessment of Resources . . . . . . . 182
12.2 AMP Evolution/Optimization Based on MRB
Evolution/Optimization (Process Mirror) . . . . . . . . . . . . . . . . . . . . 182
13 Maintenance Checks and Bridge Programs . . . . . . . . . . . . . . . . . . . . . . 187
13.1 Maintenance Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
13.1.1 Types of Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
13.1.2 Maintenance Check Concepts . . . . . . . . . . . . . . . . . . . . . 188
13.1.3 Task Repackaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
13.2 Bridge Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
13.2.1 Bridge Program Causes . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
13.2.2 AMP Bridging Considerations . . . . . . . . . . . . . . . . . . . . . 194
14 Aircraft Induction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
14.1 Aircraft Induction: The AMP Revision . . . . . . . . . . . . . . . . . . . . . . 195
14.2 Aircraft Induction—Documental Review for AMP
Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
15 Critical Maintenance Tasks/Required Inspection Items . . . . . . . . . . . 197
15.1 Critical Maintenance Tasks and Identical Tasks (EASA) . . . . . . . 197
15.2 Required Inspection Items (FAA) . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
15.3 Dual Maintenance on Extended Diversion Time Operations
(EDTO) Significant Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
15.4 Integration into the AMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Contents xv

Part III The Reliability Program

16 Reliability Program Regulatory Requirements . . . . . . . . . . . . . . . . . . . 211
16.1 EASA—Reliability Program Requirements . . . . . . . . . . . . . . . . . . 211
16.2 FAA—Continuing Analysis Surveillance System (CASS) . . . . . . 212
17 Reliability Program Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
17.1 Sources of the Reliability Program . . . . . . . . . . . . . . . . . . . . . . . . . . 213
17.2 Analysis of Reliability Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
17.2.1 Performance Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
17.2.2 Deviations from Performance Standards . . . . . . . . . . . . 215
17.3 Reliability Root Cause Analysis (RCA) . . . . . . . . . . . . . . . . . . . . . . 226
17.4 Corrective Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
18 AMP Task Effectiveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
18.1 AMP Task Effectiveness Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 229
18.1.1 In-Service Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
18.1.2 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
18.1.3 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
18.1.4 Approval and Implementation . . . . . . . . . . . . . . . . . . . . . 232
19 Reliability Analysis Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
19.1 Reliability Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
19.2 Reliability Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

Part IV The AMP in the Engineering and Maintenance

Organization Context
20 The Engineering and Maintenance Organization . . . . . . . . . . . . . . . . . 237
20.1 Aircraft Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
20.2 Engineering Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
20.2.1 Technical Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
20.2.2 Technical Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
20.2.3 Technical Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
20.2.4 Maintenance Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
20.2.5 Reliability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
20.2.6 Maintenance Planning and Scheduling . . . . . . . . . . . . . . 244
20.2.7 IT Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
20.3 Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
20.3.1 Production Planning and Control . . . . . . . . . . . . . . . . . . . 245
20.3.2 Maintenance Control Center . . . . . . . . . . . . . . . . . . . . . . . 246
20.3.3 Line/Base Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
20.3.4 Workshops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
20.4 Supply Chain and Material Support . . . . . . . . . . . . . . . . . . . . . . . . . 248
20.4.1 Inventory Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
20.4.2 Procurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
xvi Contents

20.4.3 Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

20.4.4 Component Repairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
20.4.5 Warranty and Insurance . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
20.5 Oversight Functions: Compliance Monitoring/quality
and Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
20.6 Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
20.7 Others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
21 Interface of the Maintenance Program with Other Functions . . . . . . 253
21.1 Service Level Agreements (SLA) . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
22 Impact of the AMP Revision on the Organization . . . . . . . . . . . . . . . . 257

Part V Safety Management

23 Hazards and Safety Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
24 Human Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
24.1 Human Factors Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
24.1.1 The Shell Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
24.1.2 The Pear Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
24.2 The Dirty Dozen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
24.2.1 Lack of Communication . . . . . . . . . . . . . . . . . . . . . . . . . . 274
24.2.2 Complacency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
24.2.3 Lack of Knowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
24.2.4 Distraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
24.2.5 Lack of Teamwork . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
24.2.6 Fatigue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
24.2.7 Lack of Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
24.2.8 Pressure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
24.2.9 Lack of Assertiveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
24.2.10 Stress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
24.2.11 Lack of Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
24.2.12 Norms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
25 Organizational Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
25.1 The Reason’s Model (Swiss Cheese Model) . . . . . . . . . . . . . . . . . . 283
25.2 Case Study: Overdue Airworthiness Directive . . . . . . . . . . . . . . . . 285
26 Safety Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
26.1 Safety Management Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
26.2 SMS: EASA and FAA Approaches . . . . . . . . . . . . . . . . . . . . . . . . . 290
26.3 Safety Reporting Systems and Exchange of Information . . . . . . . 291
26.3.1 Types of Safety Reporting Systems . . . . . . . . . . . . . . . . . 291
Contents xvii

26.3.2 Safety Information Exchange . . . . . . . . . . . . . . . . . . . . . . 293

26.3.3 Safety Data Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
26.4 Safety Culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

Part VI Quality Improvement Tools and Methods

27 Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
27.1 Regulations and Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
27.1.1 Regulatory Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
27.1.2 IATA Operational Safety Audit (IOSA) . . . . . . . . . . . . . 302
27.1.3 ISO 9001:2015 Quality Management Systems . . . . . . . 303
27.2 Preparing for an Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
28 Problem Solving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
28.1 Root Cause Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
28.1.1 Five Why Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
28.1.2 Cause and Effect Diagram (Fishbone Diagram) . . . . . . 308
28.1.3 Bow-Tie Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
28.1.4 Failure Mode and Effects Analysis (FMEA) . . . . . . . . . 311
28.2 Reactive Problem-Solving Methodologies . . . . . . . . . . . . . . . . . . . 312
28.2.1 A3 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
28.2.2 Maintenance Error Decision Aid (MEDA) . . . . . . . . . . . 314
29 Continuous Improvement Methodologies and Tools . . . . . . . . . . . . . . 317
29.1 Continuous Improvement Methodologies . . . . . . . . . . . . . . . . . . . . 318
29.1.1 Lean . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
29.1.2 Kaizen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
29.1.3 Six Sigma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
29.1.4 Agile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
29.2 Continuous Improvement Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
29.2.1 Process Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
29.2.2 The Re Method: Eliminating Overprocessing
Waste . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
29.2.3 6S Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
29.2.4 Scrumban: Scrum and Kanban . . . . . . . . . . . . . . . . . . . . . 326
29.2.5 Poka-Yoke . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
29.2.6 Gemba Walk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
29.2.7 Kaizen Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
30 Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
30.1 Business Intelligence (BI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
30.2 Cost–Benefit Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
31 Innovation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
31.1 Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
31.1.1 Robotic Process Automation (RPA) . . . . . . . . . . . . . . . . 336
31.1.2 Radio-Frequency Identification (RFID) . . . . . . . . . . . . . 337
xviii Contents

31.1.3 Maintenance Automation . . . . . . . . . . . . . . . . . . . . . . . . . 337

31.2 Toward Predictive and Prescriptive Aircraft Maintenance . . . . . . . 339
31.3 Blockchain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340

Appendix A: Introduction to Aircraft Maintenance Program Costs . . . . . 343

Appendix B: Introduction to Aircraft Accident Investigation . . . . . . . . . . 351
EASA Regulation Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Acronyms

A4A Airlines for America

AAIB Air Accidents Investigation Branch (United Kingdom)
AAIC Aircraft Accident Investigation Commission (Japan)
AAIP Approved Aircraft Inspection Program
AAM Aircraft Asset Management
AAPID Aviation Accidents Prevention and Investigation Department
(Portugal)
AbIR Airborne Image Recorder
AC Advisory Circular
ACARS Aircraft Communication Addressing and Reporting System
AD Airworthiness Directive or Accidental Damage (refer to the
context)
ADREP Accident/Incident Data Reporting
ADS-B Automatic Dependent Surveillance Broadcast
AFM Aircraft Flight Manual
AHM Aircraft Health Monitoring
AI Artificial Intelligence
AIBN Accident Investigation Board Norway
AIDS Accident/Incident Database System
AIR Aircraft Inspection Report
ALI Airworthiness Limitation Item/Inspection
ALS Airworthiness Limitation
AltMC Alternative Means of Compliance
AM Accountable Manager
AMC Acceptable Means of Compliance
AML Aircraft Maintenance License
AMM Aircraft Maintenance Manual
AMOC Acceptable Means of Compliance
AMP Aircraft Maintenance Program
ANS Air Navigation Services
AOA Angle Of Attack

xix
xx Acronyms

AOC Air Operator Certificate

AOG Aircraft On Ground
AOM Aerodrome Operating Minima
APU Auxiliary Power Unit
ARAC Aviation Rulemaking Advisory Committee
ARC Airworthiness Review Certificate
ARL Aircraft Readiness Log
ASA Aviation Safety Advisory
ASIAS Aviation Safety Information Analysis and Sharing Program
ASRS Aviation Safety Reporting System
ATA Air Transport Association
ATC Air Traffic Control
ATM Air Traffic Management
ATS Air Traffic Services
ATSB Australian Transport Safety Bureau
AWO All Weather Operations
BASA Bilateral Aviation Safety Agreement
BEA Bureau of Enquiry and Analysis for Civil Aviation Safety
(France)
BI Business Intelligence
BLG Body Landing Gear
BPMN Business Process Model and Notation
CA Certification Authority
CAA Civil Aviation Authority
CAME Continuing Airworthiness Management Exposition
CAMMOE Continuing Airworthiness Management and Maintenance Orga-
nization Exposition
CAMO Continuing Airworthiness Management Organization
CAMP Continuous Airworthiness Maintenance Program
CAREP Cabin Report
CASS Continuing Analysis and Surveillance System
CAT Commercial Air Transport
CAT I Category I operation
CAT II Category II operation
CAT III Category III operation
CBA Cost-benefit Analysis
CCMR Candidate Certification Maintenance Requirement
CDCCL Critical Design Configuration Control Limitation
CDL Configuration Deviation List
CENIPA Aeronautical Accident Investigation and Prevention Center
(Brazil)
CFR Code of Federal Regulations
CG Centre of Gravity
CGREP Cargo Report
CLN Cleaning
Acronyms xxi

CM Compliance Monitoring
CMCC Certification Maintenance Coordination Committee
CMM Component Maintenance Manual
CMP Configuration, Maintenance and Procedures
CMR Certification Maintenance Requirement
CMT Critical Maintenance Task
CoC Certificate of Conformance
CofA Certificate of Airworthiness
CPCP Corrosion Prevention and Control Program
CR Cancelation Rate
CRD Comment Response Document
CREEP Container, Restraints, Energy Absorption, Environment, and
Post-crash
CRM Crew Resource Management
CRS Certificate of Release to Service
CS Certification Specifications
CSN Cycles Since New
CSO Cycles Since Overhaul
CSR Cycles Since Repair
CVFDR Cockpit Voice Flight Data Recorder
CVR Cockpit Voice Recorder
CWT Center Wing Fuel Tank
DA Decision Altitude
DAH Design Approval Holder
DD Deferred Defect
DDP Detail Design Point
DDRS Documentation Discrepancy Reporting System
DER Designated Engineer Representative
DET Detailed Visual Inspection
DH Decision Height
DIS Discard
DLR Data Link Recorder
DMAIC Define, Measure, Analyze, Improve, and Control
DMC Direct Maintenance Costs
DME Distance Measuring Equipment
DOC Direct Operating Costs
DoI Date of Installation
DoLA Date of Last Accomplishment
DoM Date of Manufacture
DOT Department Of Transportation
DSG Design Service Goal
DT Damage Tolerance
DTE Damage Tolerant Evaluation
DTI Damage Tolerant Inspection
EAD Emergency Airworthiness Directive
xxii Acronyms

EASA European Union Aviation Safety Agency

EASP European Aviation Safety Program
ECAST European Commercial Aviation Safety Team
ECCAIRS European Coordination Centre for Accident and Incident
Reporting Systems
ECM Engine Condition Monitoring
ECR-ECCAIRS European Central Repositories for Occurrences
ECR-SRIS European Central Repository for Safety Recommendations
ED Environmental Deterioration
EDTO Extended Diversion Time Operations
EEL Emergency Equipment Layout
ELT Emergency Locator Transmitter
EMI Electromagnetic Interference
EMK Emergency Medical Kit
EO Engineering Order
EOL End Of Lease
ESD Electrostatic Sensitive Devices
ETOPS Extended Range Twin-engine Operations/Extended Operations
ETSO European Technical Standard Order
ETSOA European Technical Standard Order Authorization
EUR RMA European Regional Monitoring Agency
EUROCAE European Organization for Civil Aviation Equipment
EVS Enhanced Vision System
EWIS Electrical Wiring Interconnect Systems
EZAP Enhanced Zonal Analysis Procedure
FAA Federal Aviation Administration
FAK First Aid Kit
FAL Fuel Airworthiness Limitation
FAR Federal Aviation Regulations
FC Flight Cycle
FCOM Flight Crew Operating Manual
FD Fatigue Damage
FDM Flight Data Monitoring
FDR Flight Data Recorder
FEC Failure Effect Category
FF First Flight
FH Flight Hour
FL Flight Level
FMEA Failure Mode Effect Analysis
FNC Functional Check
FNPRM Further Notice of Proposed Rulemaking
FOQA Flight Operations Quality Assurance
FQIS Fuel Quantity Indicating System
FRS Flammability Reduction System
FTA Fault Tree Analysis
Acronyms xxiii

GLS GNSS Landing System

GM Guidance Material
GNSS Global Navigation Satellite System
GVI General Visual Inspection
HAZOPS Hazard and Operability Studies
HFACS Human Factors Analysis and Classification
HIRF High Intensity Radiated Field
HPC High-Pressure Compressor
HPT High-Pressure Turbine
HT Hard-time
HUD Head-Up Display
IATA International Air Transport Association
ICA Instructions for Continuing Airworthiness
ICAO International Civil Aviation Authority
IFSD In-Flight Shut Down
IFTB In-Flight Turn Back
IGGS Inert Gas Generation System
IIC Investigator in Charge
ILS Instrument Landing System
IMC Indirect Maintenance Costs
IMM Ignition Mitigation Mean
IMPR Industrial Import Price Index
IMPS International MRB/MBT Process Standard
IMRBPB International Maintenance Review Board Policy Board
IOSA IATA Operational Safety Audit
IP Issue Paper
IPA Implementation Procedures for Airworthiness
IPC Illustrated Parts Catalogue
IR Implementing Rule
ISARP IOSA Standards and Recommended Practices
ISC Industry Steering Committee
ISI In-Service Information
ISM IOSA Standards Manual
ISO International Organization for Standardization
IT Information Technology
JAA Joint Aviation Authorities
JAR Joint Aviation Requirements
JIC Job Instruction Card
JIT Just in Time
KPI Key Performance Indicator
L/HIRF Lightning/High Intensity Radiated Field
LCI Labor Cost Index
LDG Landing
LEP Life Extension Program
LG Landing Gear
xxiv Acronyms

LHSI Lightning/HIRF Significant Item

LLP Life Limited Part
LOPA Layout Of Passenger Accommodation
LOV Limit Of Validity
LVO Low Visibility Operation
LPC Low-Pressure Compressor
LPT Low-Pressure Turbine
LROPS Long Range Operations
LRU Line Replaceable Unit
LTVO Low Visibility Takeoff
LUB Lubrication
LUMP Low Utilization Maintenance Program
LUR Low Utilization Recommendations
MAREP Maintenance Report
MAT Maintenance Access Terminal
MCAI Mandatory Continuing Airworthiness Information
MCAS Maneuvering Characteristics Augmentation System
MCBF Mean Cycles Between Failures
MCBUR Mean Cycles Between Unscheduled Removals
MCC Maintenance Control Center
MCTF Mean Cycles To Failure
MCTUR Mean Cycles To Unscheduled Removal
MEDA Maintenance Error and Decision Aid
MEL Minimum Equipment List
MLS Microwave Landing System
MMEL Master Minimum Equipment List
MNSP Minimum Navigation Performance Specifications
MOE Maintenance Organization Exposition
MOR Maintenance Occurrence Report
MP Maintenance Programs
MP&S Maintenance Planning & Scheduling
MPD Maintenance Planning Document
MPIG Maintenance Programs Industry Group
MRB Maintenance Review Board
MRBR Maintenance Review Board Report
MRM Maintenance Resource Management
MSG Maintenance Steering Group
MSI Maintenance Significant Item
MTB Maintenance Type Board
MTBF Mean Time Between Failures
MTBUR Mean Time Between Unscheduled Removals
MTTF Mean Time To Failure
MTTR Mean Time To Repair
MTTUR Mean Time To Unscheduled Removal
MWG Maintenance Working Group
Acronyms xxv

NAA National Aviation Authority

NAARMO North American Approvals Registry and Monitoring Organiza-
tion
NASA National Aeronautics and Space Administration
NDT Non-Destructive Test
NFFR No Fault Found Rate
NGS Nitrogen Generation System
NLG Nose Landing Gear
NPA Notice of Proposed Amendment
NPH Nominated Post Holder
NPRM Notice of Proposed Rulemaking
NTSB National Transportation Safety Board (United States)
OC On-Condition
OCy Operating Cycles
OEM Original Equipment Manufacturer
OH Operating Hours
OMS On-board Maintenance System
OPC Operational Check
Ops Spec Operations Specifications
OR Operational Reliability
P/N Part Number
PAD Proposed Airworthiness Directive
PAP Protection Assurance Plan
PBE Performance Breathing Equipment
PBN Performance Based Navigation
PCU Power Control Unit
PDCA Plan, Do, Check, and Act
PEAR People, Environment, Actions, and Resources
PFMEA Process Failure Mode Effect Analysis
PHM Prognostics and Health Management
PIREP Pilots Report
PMA Parts Manufacturer Approval
PP&C Production Planning and Control
PPH Policy and Procedures Handbook
PPI Producer Price Index
PSE Principal Structural Element
QA Quality
QAR Quick Access Recorder
QMS Quality Management System
RCA Root Cause Analysis
RDAS Repair Design Approval Sheet
RFID Radio-Frequency Identification
RII Required Inspection Item
RMA Regional Monitoring Agency
RMPIG Rotorcraft Maintenance Programs Industry Group
xxvi Acronyms

RNAV Area Navigation

RNP Required Navigation Performance
ROI Return on Investment
RPA Robotic Process Automation
RSC Removable Structural Component
RST Restoration
RTCA Radio Technical Commission for Aeronautics
RVR Runway Visual Range
RVSM Reduced Vertical Separation Minima
S/N Serial Number
SAR Search and Rescue
SARPs Standards and Recommended Practices
SB Service Bulletin
SCR Schedule Completion Rate
SDCPS Safety Data Collection and Processing Systems
SDI Special Detailed Inspection
SDR Service Difficulty Report
SDRS Service Difficulty Reporting System
SEMR System Equipment Maintenance Requirement
SF Severity Factor
SFAR Special Federal Aviation Regulations
SFI Safety Performance Indicator
SHELL Software, Hardware, Environment, and Liveware
SHM Structural Health Monitoring
SID Standard Instrument Departure
SIP Structural Integrity Program
SIPOC Suppliers, Inputs, Process, Outputs, and Customers
SL Service Letter
SLA Service Level Agreement
SM Safety Manager
SMS Safety Management System
SOP Standard Operating Procedure
SR Success Rate
SRM Structural Repair Manual
SRS Safety Reporting System
SSA System Safety Analysis
SSAD Sensitive Security Airworthiness Directive
SSD Significant Standard Differences
SSI Structural Significant Item
SSID Supplemental Structural Inspection Document
SSIP Supplemental Structural Inspection Program
SSP State Safety Program
SSR Secondary Surveillance Radar
STAR Standard Instrument Arrival
STC Supplemental Type Certificate
Acronyms xxvii

STCH Supplemental Type Certificate Holder

SUP Suspected Unapproved Part
SVC Servicing
SWG Structures Working Group
SWIFT Structured What-If
SWOT Strengths, Weaknesses, Opportunities, and Threats
SWPM Standard Wiring Practices Manual
TC Type Certificate
TCAS Traffic Collision Avoidance System
TCH Type Certificate Holder
TCU Task Unitary Cost
TDR Technical Dispatch Reliability
TIP Technical Implementation Procedures
ToT Transfer of Title
TP Technical Publications
TR Technical Records
TS Technical Services
TSB Transport Safety Board (Canada)
TSN Time Since New
TSO Technical Standard Order
TSO Time Since Overhaul
TSOA Technical Standard Order Authorization
TSR Time Since Repair
UAV Unmanned Aerial Vehicle
ULB Underwater Locator Beacon
Unsch RR Unscheduled Removal Rate
USOAP Universal Safety Oversight Program
VA Validation Authority
VCK Visual Check
VOR Very High Frequency (VHF) Omni-Directional Range
VSB Vendor Service Bulletin
VSM Value Stream Map
WFD Widespread Fatigue Damage
WG Working Group
WI Work Instruction
WLG Wing Landing Gear
 Part I
Regulatory Environment
Chapter 1
ICAO and the Aviation Authorities

1.1 The International Civil Aviation Organization (ICAO)

The International Civil Aviation Organization (ICAO) is an agency of the United

Nations that works with (193) member states and industry groups. ICAO has its
origin in the Convention on International Civil Aviation signed in Chicago in the 7
December, 1944, known as Chicago Convention. The ICAO prime objective is to
develop the international civil aviation in a safe and orderly manner.
ICAO works with the member states and industry groups to reach consensus on
international civil aviation Standards and Recommended Practices (SARPs) and
policies. These SARPs and policies are used by the ICAO Member States to ensure
that their local civil aviation operations and regulations conform to global norms.
ICAO also issues a series of documents (Docs) for guidance and interpretation of the
SARPs.
Member states are required to notify ICAO of any differences that may exist
between the national regulations and the ICAO SARPs. These are published in the
form of supplements to the SARPs Annexes.
Relevant ICAO SARPS and Docs guidance to the object of study are:
• Annex 6—Operation of Aircraft, Part I—International Air Transport—Aero-
planes1
• Annex 8—Airworthiness of Aircraft2
– Doc 9760—Airworthiness Manual3
• Annex 19—Safety Management4

1 Annex 6 Operation of Aircraft Part I—International Commercial Air Transport—Aeroplanes.

ICAO. Eleventh Edition—July 2018.
2 Annex 8 Airworthiness of Aircraft. ICAO. Twelfth Edition—July 2018.
3 Airworthiness Manual (Doc 9760). ICAO. Third Edition—2014.
4 Annex 19 Safety Management. ICAO. Second Edition—July 2016.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 3

D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_1
4 1 ICAO and the Aviation Authorities

– Doc 9859—Safety Management Manual5

The European and American authorities, EASA and FAA respectively, are
members of ICAO, and their operation and airworthiness regulations thoroughly
comply with the standards dictated by ICAO Annexes.

1.2 The European Union Aviation Safety Agency (EASA)

The European Union Aviation Safety Agency (EASA) main tasks are rulemaking,
drafting aviation safety legislation, and providing technical advice to the Euro-
pean Commission (EC) and the Member States. In addition to all European Union
States, other non-E.U. countries are also Members of EASA (Norway, Iceland,
Liechtenstein, and Switzerland).
Until the formation of EASA, an association of European Civil Aviation Author-
ities, the Joint Aviation Authorities (JAA), was cooperating to develop and imple-
ment common safety standards: the Joint Aviation Requirements (JAR). The regu-
latory function laid within each member state while they recognized the JAR speci-
fications as acceptable basis for their regulatory frameworks. The JAA system led to
different interpretations of the standards which were affecting the efficiency of the
specifications. EASA gradually absorbed the functions of the Joint Aviation Author-
ities (JAA) as the European regulatory authority what has significantly improved the
execution of the standards.
The EASA Regulation is structured at different levels: rules, specifications,
acceptable means of compliance, and guidance.
The so-called Implementing Rules (IRs)/Regulation (hard law) are binding the
E.U. States once adopted by the EC.
The Acceptable Means of Compliance (AMC) (soft law) are non-binding. The
AMC serves as means by which the requirements contained in the Basic Regulation
and the IRs can be met. NAAs and organizations may decide to show compliance
with the requirements proposing Alternative Means of Compliance (AltMoC).
The Guidance Material (GM) (soft law) is non-binding explanatory and
interpretation material on how to achieve the requirements.
The Certification Specifications (CS) (soft law) are non-binding technical
standards used to meet the essential requirements.
EASA consolidates each part of its regulation into “Easy Access Rules” docu-
ments, so each regulatory element of the IR is followed by the related AMC and GM
paragraphs.
EASA Regulations differentiate the Technical/Organizational Requirements from
the rules applicable to the competent authorities. Initial and Continuing Airworthi-
ness rules (IR + AMC/GM) are structured into two sections: Section A for the
Technical/Organizational Requirements and Section B for the procedures applicable

5 Safety Management Manual (Doc 9859). ICAO. Fourth Edition—2018.

1.2 The European Aviation Safety Agency (EASA) 5

CS-25 Large Aircraft

CS-26 Additional
Aiworthines Specifications

Part-21 Design, Certification

CS-E Engines
and Production

Initial Airworthiness Specifications CS-P Propellers

AMC-20 AMC for

Additional Airworthiness CS-APU Auxiliary Power
Airworthiness of Products,
Specifications Units
Parts and Appliances

Part-M Continuing
EASA Rulemaking

CS-ETSO European
Airworthiness Management
Technical Standard Orders
(*)(**)

Part-CAMO Continuing
CS-AWO All Weather
Continuing Airworthiness Airworthiness Management
Operations
Organizations (**)

Part-145 Maintenance
Organizations

Part-ORO Organization
requirements for Air
Operations

Part-CAT Commercial Air

Transport Operations
Air Operations
Part-SPA Specific Approvals
Operations

Others

Fig. 1.1 Relevant (AMP) EASA regulation. (*) For reference only, Part-M applies to large aircraft
and components for installation which are registered in an EASA member state or which oversight is
delegated to an EASA member state. If the oversight of an EASA registered aircraft and components
for installation is delegated to a third country and is not used by an E.U. operator, Part-M does not
apply. For large aircraft registered in a third country for which the oversight function is not delegated
to an EASA member state (dry lease by a license air carrier), the corresponding requirements are
listed in Part-T. (**) The last revision of the EASA Continuing Airworthiness regulation (incor-
porating Regulation (EU) 2019/1383) re-structures the requirements for organizations managing
the continuing airworthiness of aircraft into two new parts: Part-CAMO (in replacement of Part-M
Subpart F) and Part-CAO (in replacement of Part-M Subpart G for Combined Airworthiness Orga-
nizations (Continuing Airworthiness Management and/or Maintenance for non-large aircraft and
non-licensed air carrier)). For new Part-CAMO, applicable to large aircraft, the main difference in
regards to Part-M is the introduction of Safety Management System (SMS) principles
6 1 ICAO and the Aviation Authorities

to competent authorities. Operation Rules (Air Ops) applicable to competent author-

ities are described in Part-ARO, the organizational requirements in Part-ORO, and
the operation requirements in the rest of the Air Ops Parts.
The regulations in the EASA system, at the effects of ensuring the airworthiness
of large aircraft involved in commercial air transport and that are relevant to the
subject of study, are detailed in Fig. 1.1.6
EASA Rulemaking Process
EASA draws up Terms of Reference (ToR) for each Rulemarking project after
consulting its advisory bodies. The ToR defines the project and its scope, the process
to be followed, the timetable for completion, and details of the rulemarking group,
if needed. The first draft of the rules and proposed actions are published in the form
of a Notice of Proposed Amendment (NPA). NPAs are published on the EASA
website to allow any person/organization to submit their comments in the form of a
Comment Response Document (CRD). CRDs are summarized and also published
with the EASA response to those comments together with the final EASA Decision
(ED) (soft law).
When the rulemarking process leads to change on the scope and content of the
Basic Regulation, EASA issues Opinions (comprised by draft regulation and an
explanatory memorandum), which are submitted to the EC as proposals to change
existing regulations or create new ones (hard law).

1.3 The Federal Aviation Administration (FAA)

The Federal Aviation Administration (FAA), part of the United States Department
of Transportation, is the agency that regulates the civil aviation within the USA.
The Code of Federal Regulations (CFR) are general and permanent rules
published by the departments and agencies of the U.S. Federal Government that
represent different areas. 14 CFR are the rules published by the FAA in regards to
the Aeronautics and Space subject.
The Special Federal Aviation Regulations (SFAR) are temporary rules to
address temporary situations. SFAR are listed at the beginning of the related CFR.
The FAA Orders and Notices are guidance material applicable only to FAA
employees, although the general public may find them of interest. For example,
the Flight Standards Information Management System (FSIMS), ruled by the FAA
Order 8900.1, is the repository of all Flight Standards policy and guidance in regards
to aviation safety inspector job tasks. Although it is dedicated to aviation safety
inspectors, it is of interest for any organization that must comply with any of the 14
CFRs.

6Reference to EASA Regulations used for the development of this book are detailed at the end
chapter EASA Regulation Codes.
1.3 The Federal Aviation Administration (FAA) 7

Subchapter A - Definitions and

Part 5 Safety Management Systems
General Requirements

Part 13 Investigative and enforcement

Subchapter B - Procedural Rules
procedures

Part 21 Certification procedures SFAR 88

for products and articles. Fuel Tank

Part 25 Airworthiness Standards:

Transport Category Airplanes.

Part 26 Continued Airworthiness and

FAA Rulemaking (14 CFR)

Safety improvements for Transport

Category Airplanes.

Part 33 Airworthiness Standards.

Aircraft Engines.
Subchapter C - Aircraft
Part 34 Fuel Venting and Exhaust
emission requirements for Turbine Engine
powered Airplanes.

Part 35 Airworthiness Standards:

Propellers.

Part 39 Airworthiness Directives.

Part 43 Maintenance, Preventive

Maintenance, Rebuilding, and Alteration.

Subchapter F - Air Traffic and Part 91 General Operating and Flight

General Operating Rules Rules.

Part 121 Operating Requirements:

Domestic, Flag, and Supplemental
Subchapter G - Air Carriers and Operations.
Operators for compensation or
hire: Certification and Part 135 Operating Requirements:
Operations Commuter and On Demand Operations and
Rules governing persons on board such
aircraft.

Subchapter H - Schools and

Part 145 Repair Stations.
other certified agencies

Advisory Circulars (AC)

Orders and Notices FSIMS (Order 8900.1)

Fig. 1.2 Relevant (AMP) FAA Basic Regulation

The Advisory Circulars (AC) are non-binding information and guidance

provided by the FAA that are acceptable to comply with the regulation.
At the effects of airworthiness of large aircraft involved in commercial air
transport, the relevant CFR and SFAR are shown in Fig. 1.2.7
14 CFRs are widely known as Federal Aviation Regulations (FAR). However, due
to confusion with the Federal Acquisition Regulations (48 CFR), that are related to

7 14 CFR used for the development of this book are based on e-CFR current data as of 8 June 2020.
8 1 ICAO and the Aviation Authorities

a different subject (acquisition of goods and services), the FAA advises against the
use of the acronym to refer to FAA regulations.
FAA Rulemaking Process
The FAA draft rules and proposed actions are published as Notice of Proposed Rule-
making (NPRM). NPRMs are usually published on the Federal Register to allow
any interested party to submit comments, but they may be only distributed to specific
interested parties. If the comments change considerably the original NPRM and addi-
tional judgment is required, a Further NPRM (FNPRM) is published. NPRM and
all the documents related (comments, supporting documents, data, analysis, exten-
sions of comment periods, etc.) are published in the public docket. The Final Rule
is published in the Federal Register or distributed to the affected parties. The CFR
is updated with the Final Rules on annual basis. In case of an emergency situa-
tion, the NPRM process can be bypassed, e.g., issue of an Emergency Airworthiness
Directive.

1.4 Civil Aviation Authorities

Aviation regulations and policies are harmonized worldwide thanks to the ICAO
efforts to ensure consistent levels of safety. The contribution of the civil avia-
tion authorities and agencies, others than the European Union Aviation Safety
Agency (EASA) and the Federal Aviation Administration (FAA), to the air safety,
merits a special mention: the United Kingdom Civil Aviation Authority (CAA),
currently dissociated from EASA as a technical agent, the Transport Canada Civil
Aviation (TCCA), the Brazilian National Civil Aviation Agency (ANAC), the
Australian Civil Aviation Safety Authority (CASA), the South African Civil Avia-
tion Authority (SACAA), the Civil Aviation Administration of China (CAAC), the
Russian Federal Air Transport Agency (RFCAA), the Qatar Civil Aviation Authority
(QCAA), the Saudi Arabia General Authority of Civil Aviation (GACA), the United
Arab Emirates General Civil Aviation Authority (GCAA), and so on.
Adhered to the ICAO standards, all these civil aviation authorities and agencies
have developed their own regulatory frameworks under common specifications. The
guidance provided by ICAO and the close cooperation between all these entities have
made the skies safer. However, there is margin to work together toward improved
safety levels.
The structure of the aviation regulations differs from country to country, but most
of them have some characteristics in common with the regulations of the states where
aviation more evolved in the earlier days, FAA or TCCA, or with the JAA/EASA.
Although the mission to regulate lies on the civil aviation authorities and agen-
cies, the operator has an inherent safety responsibility and should not only focus on
compliance with its regulatory framework but go beyond and adopt the best practices.
1.4 Civil Aviation Authorities 9

Just to quote an example in regards the Aircraft Maintenance Programs, the UK

CAA Civil Aviation Publication (CAP) 747—Mandatory Requirements for Airwor-
thiness8 addresses the risks associated to excessive paint thickness and the use of
self-adhesive decals on the aircraft that may totally preclude the effective accomplish-
ment of an inspection, including non-destructive testing techniques. In this line, the
UK CAA requires that operators and maintenance organizations assess the impact on
structural inspection tasks and ensure the AMP requires their removal at the appro-
priate times. What apparently looks a reasonable mandatory requirement, as it may
invalidate a structural inspection that in the worst-case scenario may be linked to
a mandatory requirement, it is still not considered either in the EASA or the FAA
regulations.
When an unsafe element or omission is encountered in the regulation, the operator
or individual person has the ethical responsibility to address it to the corresponding
civil aviation authority or agency and assess the potential safety impact within its
organization, as far as practicable, while the authority works on the subject.

1.5 Bilateral Aviation Safety Agreements (BASA)

A Bilateral Aviation Safety Agreement (BASA) is the mutual recognition of the

competency on certification and other processes between two states. The coopera-
tion of the two countries supports the harmonization of the rules and reduces the
duplication of activities.
The BASA Implementation Procedures for Airworthiness (IPA)/Technical Imple-
mentation Procedures (TIP) is the document that contains the implementation
procedures, interfaces, and technical assistance required between both states.
The most significant BASAs include the major states of aircraft/engine design:
the European Union, the USA, Canada, and Brazil.
Details of the EU-US BASA and the Technical Implementation Procedures for
Airworthiness and Environmental Certification are included in Sect. 4.1.3.

8 Civil Aviation Publication (CAP) 747—Mandatory Requirements for Airworthiness GR No. 10

(4.1 and 4.2). UK CAA.
Chapter 2
The Story of Airworthiness Approvals
and Certifications

2.1 Initial Airworthiness

Aircraft are designed following Certification requirements derived from ICAO Annex
8 Airworthiness of Aircraft which are applied through the regulatory system of the
state of design.
The design process to demonstrate compliance with the appropriate airworthi-
ness regulatory requirements involves design documentation review, analysis, and
testing of the aircraft. The process culminates with the issuance of a Type Certificate
(TC) that is valid for the aircraft type. A TC is issued for unlimited duration unless
otherwise revoked, suspended, or surrendered.
The competent authority issues the first Certificate of Airworthiness (CofA)
for every individual aircraft when conforming to the Type Design. CofA is a non-
expiring document, subject to not being revoked or suspended, that is granted by
the authority of the state of registration that proves the airworthy condition of the
aircraft. Export CofA is used for the delivery of new aircraft or transfer of used
aircraft to other states that are under a different certification regulatory environment
than the state of manufacture. Consequent CofA is issued by the state of registration
when imported.

2.2 Operation

Any entity that wants to provide commercial air transportation services must obtain
two separate approvals in parallel:
• Safety Authorization in the form of an Air Operator Certificate (AOC), and
• Economic Authorization in the form of an Operating License. It requires the
possession of an AOC, specifying the activities covered by the license, and a
number of financial conditions.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 11

D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_2
12 2 The Story of Airworthiness Approvals and Certifications

Table 2.1 FAA Aircraft Operator Authorizations

FAA—Air Carrier Aircraft Operator Certificate (AOC)
14 CFR AOC Description
Part 121 Domestic or flag Aircraft with more than 9 seats or more than a 7,500 lb (3400 kg)
payload in scheduled passenger operations. Payload is the aircraft
carrying capacity: passengers, baggage, and cargo
Supplemental Aircraft with more than 30 seats or a 7,500 lb payload
(non-scheduled or all-cargo)
Part 135 Commuter Aircraft with 9 seats or fewer or a 7,500 lb payload or less or
rotorcraft in scheduled passenger operations (5 or more round
trips a week in at least one market)
On-demand Aircraft with 30 seats or fewer and a 7,500 lb payload or less or
rotorcraft in on-demand passenger and/or cargo operations

The Air Operator Certificate (AOC) is an unlimited approval, unless otherwise

revoked or suspended, that allows an operator to perform specific air transport oper-
ations. The AOC lists the approved types of operation, e.g., passengers or cargo,
specific operational approvals, ares of operation and special limitations.
An aircraft can be operated on the basis of ownership or dry lease1 agreement
(aircraft operated under the lessee AOC). The legal responsibility for the continuing
airworthiness of the aircraft lies on the owner or the lessee, as stipulated on the
registration document or detailed in the leasing contract.
While EASA authorizes the commercial air transport operations under a unique
AOC type, the FAA issues two basic types of certificates based on the types of services
and where the operations are conducted (both including scheduled and non-scheduled
operations):
• Air Carrier Certificate for common carriage (interstate, foreign, overseas, or
carriage of mail operations).
• Operating Certificate for common carriage (intrastate operations) or non-
common carriage (private carriage).
Common carriage is the transportation of persons or cargo for compensation
or hire and involves hold out to the public (by advertising or other means); non-
common carriage involves the transport of persons or cargo for compensation or hire
but without holding out (contract carriers).
For Commercial Air Transport (CAT), the FAA issues the Air Carrier Certificate or
the Operating Certificate, as applicable, under Part 121 or 135. Table 2.1 summarizes
the types of CAT operations to which the FAA certificate can authorize.

1 Dry Lease requires the operator that hires the aircraft (lessee) to include it under its own AOC.
In other types of agreements, such as Wet Lease or ACMI (Aircraft, Crew, Maintenance, and
Insurance), it is the responsibility of the Wet Lease/ACMI operator (lessor) to manage the aircraft
under its AOC.
2.2 Operation 13

The AOC limits the type of operation that is authorized to be conducted, e.g.,
passenger, cargo, domestic, or commuter. The authorizations, conditions, and limi-
tations for each aircraft type must be detailed in the Operations Specifications (Ops
Spec).
The Ops Spec include the authorized specific approvals (e.g., PBN, MNPS,
RVSM, LVO, EDTO (ETOPS)) and limitations. The Ops Spec also includes the
reference to the person or organization responsible to maintain the continuing airwor-
thiness and the reference to the regulation that requires the work (EASA CAMO/FAA
CAMP).
AOC specifications for commercial air operations are detailed in EASA Air Ops
Part-ORO Subpart AOC and FAA 14 CFR Part-119.
About the Economic Authorization, the responsibility for issuing the Operating
License lies on the transportation authority; in an EASA environment, it is the
Ministry of Transport of the corresponding member state and in the FAA environment
is the Department Of Transportation (DOT).
The FAA issues different types of operating licenses attending to the type of
operation and the aircraft size: the Certificate of Public Convenience and Necessity
for Air Carriers, the Commuter Air Carrier Authorization, and the On-Demand Air
Taxi Registration.
Operating Licenses are unlimited, unless otherwise revoked or suspended, and
are granted in accordance with E.U. Regulation (EC) 1008/2008 and 49 U.S. Code
41,102, in E.U. and U.S., respectively.

2.3 Continuing Airworthiness

To demonstrate the airworthy condition of the aircraft, the operator must ensure that:
• the Certificate of Airworthiness (CofA) remains valid, and
• the maintenance of the aircraft is performed in accordance with an approved
Aircraft Maintenance Program.
The approach to comply with these two conditions differs between EASA and the
FAA. EASA requires that the tasks associated with the continuing airworthiness of
the aircraft are performed by an approved Continuing Airworthiness Management
Organization (CAMO), referenced in the Ops Spec and that the validity of the CofA
is revised periodically and validated through the Airworthiness Review Certificate
(ARC).
On the other side, the FAA does not recognize the CAMO organizational approval
system and authorizes the operator, through the Ops Spec, to develop its own Contin-
uous Airworthiness Maintenance Program (CAMP) without the need of the FAA
approval.
In other words, although both regulations monitor and require that the operator
self-monitors its performance through safety, quality, and reliability programs (the
Triangle of Airworthiness), EASA additionally requires a series of approvals while
the FAA relies on the Ops Specs.
CAMO and CAMP requirements are detailed in Sect. 3.1.
14 2 The Story of Airworthiness Approvals and Certifications

The Airworthiness Review Certificate (ARC) (EASA)

In an EASA environment, the condition for the CofA to remains valid is that the
relevant CAMO states a recommendation for the competent authority to issue the
Airworthiness Review Certificate (ARC) and validate that the aircraft remains
airworthy. The ARC is valid for one year but it can be extended twice for a period
of one year each if the aircraft has been in a controlled environment during the
preceding 12 months (continuously managed by a unique CAMO and maintained by
an approved maintenance organization).
The ARC involves the so-called full review of the aircraft records (that is usually
performed through sample checks within each document category) and a physical
survey. During the ARC review of the aircraft records, special attention is given
to the compliance with applicable Airworthiness Directives and with the Aircraft
Maintenance Program.
Airworthiness Directives are mandatory instructions to correct unsafe conditions
that may exist.
The Aircraft Maintenance Program contains all required scheduled maintenance
to maintain the aircraft in airworthy condition. The main sources of an initial Main-
tenance Program are instructions required by the authority and instructions provided
by the manufacturers that are customized to the operation of the aircraft.

2.4 Maintenance

The CAMO/CAMP requires compliance with Airworthiness Directives (ADs),

Modifications/Repairs, and AMP tasks. The compliance is demonstrated by the
Certificate of Release to Service (CRS), that is issued by the approved Part-145
maintenance organization, and the associated “Dirty Fingerprint”.
The Dirty Fingerprint is the work card or record that describes the maintenance
task, supporting data, and associate findings. The CRS is issued after any maintenance
task(s) and before the next flight to certify that the required maintenance has been
performed. All maintenance must be signed and stamped by approving certifying
staff.
Certifying staff must be in possession of an Aircraft Maintenance License (AML)
endorsed with a Type Rating (aircraft type) to be qualified for the maintenance of the
aircraft type. The AML is issued under EASA Part-66 for EASA certifying staff and
under Part-65 for FAA certifying staff. Staff Authorization to carry out maintenance
is given by the Part-145 organization.
The qualification of Certifying staff is gained through knowledge and experience.
The theoretical knowledge may be directly assessed by the competent authority or
through an approved EASA/FAA Part-147 training organization.
In summary, while the responsibility of the continuing airworthiness of the aircraft
lies on the operator legally, in practice the responsibility is shared between the oper-
ator, the Type Certificate holder (design/manufacturer), the maintenance organiza-
tions, the certifying staff and training organizations, and the regulatory/competent
authorities.
Chapter 3
Continuing Airworthiness
Management—Organization and AMP
Requirements

The requirements for an EASA Continuing Airworthiness Management Organiza-

tion (CAMO) are captured in the Continuing Airworthiness Management Exposi-
tion (CAME) of the organization. These elements are comparable to those required
for an FAA operator on the Continuous Airworthiness Maintenance Program
(CAMP). CAME/CAMP usually applies to the management of all aircraft types that
are operated.
While the CAME (EASA) is subject to the approval by the competent authority,
the CAMP (FAA) is authorized through the Ops Spec and does not require authority
approval.
There is a considerable difference on the Aircraft Maintenance Program concept
between EASA and the FAA:
• EASA requirements for an AMP only consider scheduled repetitive maintenance,
a Reliability Program and the procedures to manage both, while other require-
ments are managed through separate processes that are also specified in the CAME
(e.g., organization, modifications/repairs, critical maintenance tasks/identical
tasks, technical records, training). An EASA AMP is only applicable to an aircraft
type.
• On the other side, the FAA considers all these other requirements as part of
the maintenance program: the CAMP. The CAMP has ten elements among
which there are two that working together are comparable to the EASA AMP
concept; these are the Maintenance Schedule and the component of the Contin-
uing Analysis and Surveillance System (CASS) that measures the Maintenance
Schedule effectiveness, alike the EASA scheduled repetitive maintenance and the
Reliability Program requirements respectively.
Therefore, when referring to an AMP in this book, it represents:
• the Aircraft Maintenance Program (scheduled repetitive maintenance + Relia-
bility Program + procedures) as defined by EASA, and
• the Maintenance Schedule and the Reliability Program (part of the CASS), both
elements of the CAMP, as defined by the FAA.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 15
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_3
16 3 Continuing Airworthiness Management …

3.1 EASA: CAMO, CAME and AMP Requirements

A CAMO is an approved organization responsible for the continuing airworthiness

management tasks. The approval is granted by the competent authority in accordance
with the Part-CAMO (old Part-M Subpart G).1
The responsibilities, procedures, and methods of the organization are contained in
the Continuing Airworthiness Management Exposition (CAME). The CAME and
its amendments must be approved by the competent authority, although the authority
may grant certain concessions for the approval of minor changes. Any concessions
should be formalized in the exposition itself.
The CAME should contain the following information, as required in Part-CAMO
CAMO.A.300 (old Part-M M.A.704):
• a statement signed by the Accountable Manager to confirm that the organization
will work in accordance with the Part-M and the exposition at all times,
• the organization’s safety policy,
• the organization’s scope of work,
• the titles, names, responsibilities, and associated chains of responsibilities
(organization chart) of:
– the Accountable Manager (AM), who has corporate authority for ensuring that
all continuing airworthiness management activities can be financed and carried
out in accordance with the Part-M,
– the nominated Compliance Monitoring (CM) Manager, or group, with the
responsibility of ensuring that the organization is always in compliance with
the Part-M and Part-CAMO,
– the nominated Safety Manager (SM), or group, with the responsibility for
managing the development, administration, and maintenance of effective safety
management processes,
– the Nominated Post Holder (NPH), or group, responsible for the management
and supervision of continuing airworthiness activities,
– the nominated staff authorized to extend recommendation for the issue of
Airworthiness Review Certificate (ARC) and, where applicable, permits to
fly,
• a general description of the manpower resources and the system to plan the
availability of staff,
• a general description and location of the facilities,
• the description of the internal safety reporting scheme,
• procedures specifying how the CAMO ensures compliance with Part-M and Part-
CAMO, including key processes, list of contracted/subcontracted activities and
the CAME amendment procedures,

1 Approval in accordance with Part-CAO for combined continuing airworthiness and maintenance
organizations (old Part-M Subpart F) is applicable to non-large aircraft not used by a licenced air
carrier and therefore not subject of this book; Part-CAO involve an alleviation in responsibilities
for operators of non-large aircraft (below 5700 kg) in regards the Part-CAMO requirements.
3.1 EASA: CAMO, CAME and AMP Requirements 17

• the list of approved Aircraft Maintenance Programs, and

• the list of alternative means of compliance, if any.
The main functions of a CAMO are listed in Part-CAMO CAMO.A.315 (old
Part-M M.A.708):
• ensure all continuing airworthiness management is carried out in accordance with
the Part-M Subpart C (preflight, rectification of defects, maintenance program,
reliability program, Airworthiness Directives, modifications and repairs, check
flights, etc.), as applicable,
• develop and control a Maintenance Program for the aircraft managed including
any applicable Reliability Program,
• ensure that modifications/repairs are accomplished in accordance with approved
data,
• establish a procedure to assess non-mandatory modifications and/or inspections
and decide on their application,
• ensure the aircraft and its components, including engines and propellers, are
maintained by appropriately approved maintenance organizations,
• ensure any maintenance is appropriately released for the determination of aircraft
airworthiness, and
• take into account human factors during the continuing airworthiness management,
including contracted/subcontracted activities.
Part-145 organizations are also required to define responsibilities, procedures, and
methods in the so-called Maintenance Organization Exposition (MOE). For small
organizations with Part-CAMO and Part-145 functions, the competent authority may
authorize to develop a unique manual, the Continuing Airworthiness Management
and Maintenance Organization Exposition (CAMMOE).
EASA—Aircraft Maintenance Program (AMP) Requirements
EASA Part-M regulation requires that the aircraft continuing airworthiness is main-
tained under an Aircraft Maintenance Program (AMP). The rules for an AMP are
described in the Part-M M.A.302:
• the AMP and any subsequent amendments must be approved by the competent
authority, except when an indirect approval procedure is approved in the CAME;
• the AMP must establish compliance with:
– instructions issued by the competent authority, and
– Instructions for Continuing Airworthiness (ICA) issued by a Design Approval
Holder (DAH) approved under Part-21;
• the owner or CAMO may deviate from the ICA and propose escalated intervals
based on data obtained from sufficient reviews, e.g., derived from the analysis of
the effectiveness of the approved AMP (Reliability Program). The escalation of
safety-related task is not subject to the indirect approval and must be approved by
the competent authority;
• the owner or CAMO may propose additional instructions in the AMP;
18 3 Continuing Airworthiness Management …

• the AMP should contain details, including frequency, of all maintenance to be

carried out, including any specific tasks linked to the type and the specificity of
operations;
• when the maintenance program is based on Maintenance Steering Group (MSG)
logic or Condition Monitoring, the AMP shall include a Reliability Program;
• the AMP should be reviewed to ensure it continues to be valid in light of:
– new/revised instructions issued by the competent authority,
– new/revised instructions issued by the corresponding Design Approval Holders
(DAHs) approved under Part-21, and
– in-service experience.
EASA Part-M M.A.302 Aircraft Maintenance Programme requirements and
related AMCs/GMs references are quoted in the corresponding sections of this book
as appropriate.
Air Ops rules and related AMCs/GMs containing continuing airworthiness
requirements, e.g., RVSM, EDTO (ETOPS), etc. are also quoted as appropriate.

3.2 FAA: CAMP, Maintenance Schedule and AMP

Requirements

FAA 14 CFR 121.367 and 135.425 require that the holder of an Air Carrier Certificate
or Operator Certificate has an inspection program and a program covering other
maintenance, preventive maintenance, and alterations.
Certificate holders operating under FAA Part-121 or Part-135 (with aircraft of 10
or more seats) are required to develop a Continuous Airworthiness Maintenance
Program (CAMP).
Certificate holders operating under Part-135 for aircraft with 9 or less seats are
required to maintain its aircraft in accordance with Part-43 and 91 but have the option
to make use of an Approved Aircraft Inspection Program (AAIP) or a CAMP.
A CAMP contains specific maintenance and inspection tasks, including methods,
standards, and techniques for accomplishing these tasks. A CAMP does not require
FAA approval; the FAA issue Ops Spec to authorize its use. Guidelines to develop a
CAMP can be found in the AC 120-16F Air Carrier Maintenance Programs.
AAIP is limited to inspections; the certificate holder is also required to comply
with additional maintenance requirements such as cleaning, inspecting, adjusting,
testing, and lubricating. The operator can choose to additionally follow the main-
tenance program recommended by the manufacturer or an FAA approved program.
AAIP requires FAA approval. Guidelines to develop an AAIP are described in the
AC 135-10B Approved Aircraft Inspection Program.
At the effects of this book, the comparisons between the EASA and FAA will be
based on the CAMP for being more comprehensive than the AAIP.
3.2 FAA: CAMP, Maintenance Schedule and AMP Requirements 19

The Continuous Airworthiness Maintenance Program (CAMP) has ten elements:

• Airworthiness responsibility,
• Air Carrier Maintenance Manual,
• Air Carrier Maintenance Organization,
• Accomplishment and approval of maintenance and alterations,
• Maintenance Schedule,
• Required Inspection Items (RII),
• Maintenance recordkeeping system,
• Contract maintenance,
• Personnel training,
• Continuing Analysis and Surveillance System (CASS).
As detailed previously, the Maintenance Schedule element is comparable to
the EASA Aircraft Maintenance Program concept, and the element of the CASS
that measures the Maintenance Schedule effectiveness is comparable to the EASA
Reliability Program.
The RII element is comparable to the EASA Critical Maintenance Task/Identical
Task requirements detailed in Sect. 15.2.
FAA—Maintenance Schedule and CASS Requirements
The Maintenance Schedule should contain information on what to maintain, how, and
when. The following items are examples on what may be included in the Maintenance
Schedule: ADs, ALS, CMR, MRBR, SSID, EWIS, SBs, SLs, Life Limits, component
replacement for overhaul/repair, special inspections, checks or tests, lubrication and
servicing, etc.
The objective of the Maintenance Schedule is to do the correct task at the correct
interval, and it should describe the procedures to manage these repetitive maintenance
items.
The CASS monitors the Maintenance Schedule to verify its effectiveness. The
CASS is considered the main source of information that might indicate the need for
a change to the Maintenance Schedule.
As detailed throughout the previous paragraphs, the CAMP, and consequently
the Maintenance Schedule and the CASS, do not require FAA approval. In the FAA
environment, the CAMP and its elements are authorized through the Ops Spec in
lieu of requiring the approval by the competent authority as it takes places for an
Aircraft Maintenance Program under an EASA environment.
Chapter 4
Instructions for Continuing
Airworthiness (ICA)

ICAO defines Instructions for Continuing Airworthiness (ICA) as “a set of

descriptive data, maintenance planning and accomplishment instructions, devel-
oped by a Design Approval Holder (DAH) in accordance with the certification basis
for the aeronautical product. The ICAs provide air operators with the necessary
information to develop their own maintenance programme and also for approved
maintenance organizations to establish the accomplishment instructions”.
ICAs are all the necessary instructions to ensure the airworthiness of an aircraft is
maintained throughout its operational life. ICAs are produced by holders of design
approvals (DAHs) and form the basis of the maintenance approved data, which is in
part used for the AMP development.
ICAO standards and main regulations are ambiguous at defining which documents
or instructions are ICA and which not. Attending to the definition, in these paragraphs,
only those documents and instructions whose purpose is to maintain the design
standard and the airworthiness of the aircraft (safety) will be considered as ICA.
The issuance of a Type Certificate (TC), that is the document approved by the
regulatory authority to define the design of an aircraft/engine/propeller type and
to certify that the design meets the airworthiness requirements (specifications), is
subject to the following mandatory ICAs: Airworthiness Limitations (ALS), Certifi-
cation Maintenance Requirements (CMR), and Maintenance Review Board Report
(MRBR). MRBR could be substituted by other alternative means of compliance
to develop the initial aircraft maintenance program if approved by the competent
authority.
The Maintenance Planning Document (MPD) is a repository document that
contains, as minimum, the scheduled ALS, CMR, and MRBR requirements, and
provides additional information about maintenance tasks, scheduling, and proce-
dures. Although it varies between design organizations, the MPD may also contain
other ICAs such as:

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 21

D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_4
22 4 Instructions for Continuing Airworthiness (ICA)

• maintenance required for specific operations (e.g., EDTO (ETOPS), RVSM)),

• maintenance required for Low Aircraft Utilization (LUR),
• regulatory mandatory requirements (e.g., Airworthiness Directives), and/or
• manufacturer/vendor recommendations (e.g., recommended Service Bulletins,
Service Letters, etc).
Once the aircraft has entered into service, based on further testing and analysis and
on worldwide fleet experience, the ICAs evolute to ensure that the aircraft maintains
a safe performance. Some manufacturer/vendor recommendations will be adopted
under the MRBR. Some portions of the ICA that are part of the certification process
(ALS and CMR) and minimum scheduled maintenance requirements that were not
delivered before the aircraft entry into service, usually related to overhaul and heavy
maintenance, will also be released.
The operator in-service experience with the aircraft and its components, usually
monitored under a Reliability Program, will require that the operator develops addi-
tional maintenance tasks, implements certain manufacturer/vendor recommenda-
tions, and accomplishes modifications that had not been considered previously.
Modifications will be accomplished not only due to the operator in-service expe-
rience but due to new mandatory requirements (e.g., AD or new/revised operational
regulation). When appropriate, after a modification, the Design Approval Holder
(DAH) will issue the ICA or variation to the existing ICA to maintain the continued
airworthiness of the aircraft. For example, major modifications, when approved by
the TC holder, will come in the form of a Service Bulletin (SB) and its associated
ICA may be covered in the same or different SB or in the TCH documentation, e.g.,
the MRBR; major modifications when approved by a design organization different
than the TC holder will come in the form of Supplemental Type Certificate (STC)
and the ICA will be part of the STC certification.
After aircraft damage, it must be assessed and repair actions may be required.
ICA or variation to the existing ICA may be instructed by the repair design holder
so the aircraft continues to conform to the approved Type Certificate. For example,
after the repair of a damage covered in the aircraft Structural Repair Manual (SRM),
specific repetitive inspections may be given in the manual and these are considered
ICA; after a repair that is not covered by the SRM, the holder of the repair design
will have to provide the ICA as appropriate.
The ICA requirements are not always convenient so the DAH may be contacted
to define alternative instructions on a case-by-case basis. The use of alternative
instructions should be approved by the competent authority or under a procedure
approved by the competent authority.
In addition to the ICA documents pointed above, these are other examples of
publications that are considered ICA: Supplemental Structural Inspection Documen-
tation (SSID), Aging Aircraft Maintenance requirements, Life Extension Programs
(LEP) and Aircraft Maintenance Manual (AMM).
4 Instructions for Continuing Airworthiness (ICA) 23

The accountabilities in regards the ICA cascade down from the ICAO SARPs to:
• the regulatory authorities to adopt the ICAO Annex 8 standards in their
requirements,
• the design organizations (Part-21) to provide the necessary ICA to aircraft owners
and operators,
• the operator and the continuing airworthiness management (EASA Part-M and
Part-CAMO) to customize the applicable ICAs into the AMP,
• the maintenance organizations (Part-145) to execute the maintenance instructions
as provided in the ICA (which will also involve the competency of the maintenance
certifying staff involved in maintenance as per Part-66 (EASA)/Part-65 (FAA) and
training organizations as per Part-147),
• back to the operator and the continuing airworthiness management to show
compliance, and
• the competent/regulatory authority to surveil that during the mentioned process
the aircraft airworthiness is maintained.
The following paragraphs introduce the responsibilities of the design organiza-
tions to develop ICAs for approval of a new or changed type design.

4.1 ICA—Design Organizations Responsibilities

ICAO Annex 8—Airworthiness of Aircraft defines the standards for the regula-
tory authorities to establish a framework for the development and management of
ICA. These standards require that each aircraft/engine/propeller is provided with the
instructions for its maintenance, repair, and all necessary information to keep it in
airworthy condition.
ICAO Doc 9760—Airworthiness Manual provides additional guidance mate-
rial; this document recommends that limitations and procedures necessary for safe
operations and maintenance are made available to the operators of the aircraft,
including:
• mandatory maintenance structural tasks and replacement times for structural parts
(usually identified in the Airworthiness Limitations),
• mandatory maintenance tasks established during the type certification process
(usually identified in the Certification Maintenance Requirements),
• Instructions for Continued Airworthiness (usually contained in the MRBR),
descriptive data and instructions for the maintenance, servicing, inspection and
repair (usually contained in the maintenance manuals and structural repair
manual), and
• a continuing Structural Integrity Program (SIP) to ensure the airworthiness of
the aircraft, including specific information concerning corrosion prevention and
control.
24 4 Instructions for Continuing Airworthiness (ICA)

4.1.1 ICA—EASA Design Organization—Specifications

and Regulations

Certification Specifications for Large Aircraft (Subpart G, CS 25.1529, 25.1729 and

Appendix H) require the preparation of ICA for each aircraft, engine, propeller, and
appliance required by the CS-25 and describes its format and content. The ICAs
should:
• include scheduling information for each part of the aircraft with the recommended
periods at which they should be cleaned, inspected, adjusted, tested, and lubri-
cated, and the degree of inspection, the applicable wear tolerances, and work
recommended at these periods, or
• make reference to the source of this information.
CS-25 also requires that the ICA contains a section for Airworthiness Limitations
(ALS) that is segregated from the rest of the document. The ALS must include
each mandatory modification time, replacement time, structural inspection interval
and related structural inspection procedure, any mandatory replacement of EWIS
components, and any Certification Maintenance Requirement (CMR).
EASA Part-21 Regulation (21.A.61/107/120A/449) requires that the holder of
relevant approvals issued under Part-21 (TC, STC, Minor change to TC, Repair
design and ETSO authorization(*)) furnishes at least one set of complete ICA or
associated variations to the ICA, as appropriate, to the owner before delivery/first
Certificate of Airworthiness (whichever occurs later) and that any changes to the
ICA or variations of the ICA are made available to any person required to comply
with those instructions. Some portion of the ICA, usually related to overhaul or
heavy maintenance, may be delayed until the aircraft/engine/propeller has entered
into service, but made available before it reaches relevant age.
There are still two major concerns on which EASA is currently working:
• there is margin for interpretation on what is “a set of complete ICA” what can
be misinterpreted between different DAHs (e.g., in regards ICA produced by
suppliers), and
• (*) the responsibility of the ETSO authorization holder in regards to ICA is
ambiguous.

Types of Design and Changes

The design organization should provide the means, including the ICA or variation
to ICA, to keep the airworthiness standard for the following types of design and
changes:
• Type Certificate (TC) and Supplemental Type Certificate (STC). A TC is an
approved design of an aircraft/engine/propeller. An STC is an approved major
modification to an approved TC that defines the design changes and how it affects
the original design.
4.1 ICA—Design Organizations Responsibilities 25

– Minor change: approved TC/STC modification that has no appreciable effect

on the mass, balance, structural strength, reliability, operational characteristics,
noise, fuel venting, exhaust emission, operational suitability data, or other
characteristics affecting the airworthiness.
– Major change: approved TC/STC modification not considered as minor. Only
the TC holder or an STC holder can apply for major changes to the TC. Only
the STC holder or the holder of a separate STC can apply for major changes
to the STC.
• Repairs. A repair is the restoration of an aircraft/engine/propeller to an airworthy
condition after damage.
– Standard repair: repair that follows design data included in the certification
specifications (acceptable methods, techniques, practices) to accomplish the
repair, e.g., through the Structural Repair Manual (SRM).
– Minor repair: approved repair that has no appreciable effect on structural
performance, weight, balance, systems, operational characteristics, or other
characteristics affecting the airworthiness.
– Major repair: approved repair not considered as minor.
• European Technical Standard Order (ETSO) Authorization. An ETSOA is a
way to have parts and appliances approved ensuring compliance with a minimum
performance standard. It includes both design and production. It represents an
alternative to the type certification process and is convenient for parts that are
common to different types of aircraft/engine/propeller (e.g., instruments, seats,
emergency equipment, APU, etc.).
– Minor change: does not require a complete investigation to determine compli-
ance with an ETSO.
– Major change: requires a complete investigation to determine compliance with
an ETSO and leads to a new ETSO authorization.

4.1.2 ICA—FAA Design Organization—Specifications

and Regulations

Responsibilities of FAA TC and STC holders in regards to aircraft/engine/propeller

ICA are considered in the Part-21 (14 CFR 21.50) and are comparable to those
provided in the EASA Part-21. Additional considerations, including ICA preparation,
are detailed in Part-25 (14 CFR 25.1529, 25.1729 and Appendix H to Part-25) and
Part-26 (14 CFR 26.11) with special highlighting of the EWIS ICA.
FAA Part-26 (14 CFR 26.43/45/47) requires that after repairs, modifications (alter-
ations) or modifications to repairs, the TC/STC holder performs a Damage Tolerant
Evaluation (DTE), develops the appropriate Damage Tolerant Inspections (DTI), and
makes them available to persons required to comply with those instructions. Several
Advisory Circulars, into the ICA definition, provide guidance and recommendations:
26 4 Instructions for Continuing Airworthiness (ICA)

AC 26-1 Part 26 Continued Airworthiness and Safety Improvements, AC 120-93

Damage Tolerance Inspections for Repairs and Alterations and AC 25.1529-1A ICA
of Structural Repairs on Transport Airplanes.
FAA Part-21 Subpart O, dedicated to the approval of Technical Standard Orders
(TSO) (the FAA equivalent to the EASA ETSO Authorization), does not explicitly
require the TSO design holder to provide the appropriate ICA. However, extended
guidance about the TSO process is provided in the Advisory Circular AC 21-46A
as acceptable means to comply with the Part-21 Subpart O, and it requires the
design organization, at the time of TSO submission for approval, to provide the
ICA necessary to maintain the TSO requirements after the product is installed.
FAA Part-21 Subpart K describes the requirements for issuing Parts Manufac-
turer Approval (PMA). It is a special authorization granted by the FAA (not consid-
ered by EASA) that combines design and production approval for modification and
replacement articles that were not originally fitted in the aircraft. The PMA allows
a manufacturer to produce and sell these articles for installation on type certificated
aircraft/engine/propeller, even though it is not the original manufacturer of the type
certificated product. Basically, the PMA methods for the FAA approval are based
on:
• License or rights granted by the TC Holder: the part remains with the same Part
Number.
• Test, computation, and identicality to show that the design meets the applicable
airworthiness requirements and the manufacturing processes, inspection and test
procedures produce a part that is identical to the original from a TC; or
• STC design. An STC Holder can produce parts under Part-21 production approval
or Part-21 PMA approval.

4.1.3 E.U.–U.S. Bilateral Agreement—Design Organization

Approvals

Within the E.U.–U.S. BASA (Bilateral Aviation Safety Agreement), the Technical
Implementation Procedures for Airworthiness and Environmental Certification1
defines the procedures for approving products to import into the E.U. and the U.S.
and the means for providing support afterward. EASA and the FAA give validity to
the certification made by each other. In order to maintain the confidence, it is required
an oversight model that monitors their competency, including a sampling system to
verify approvals, quality audits, and observations, and aim for standardization.
Aircraft/engine/propeller TC, STC, design repairs (developed by the TC/STC
Holder), ETSOA/TSOA, PMA and changes to the prior designs, except when

1 Technical Implementation Procedures for Airworthiness and Environmental Certification between

the Federal Aviation Administration of the United States of America and the European Aviation
Safety Agency of the European Union. Revision 6, September 22, 2017 (up to Amendment 2, April
02, 2019).
4.1 ICA—Design Organizations Responsibilities 27

involving the alteration of critical components, are recognized and accepted mutually
under the E.U.–U.S. BASA.
For some critical components, FAA PMAs and FAA design repairs (not devel-
oped by the TC/STC holder, e.g., by a Designated Engineer Representative (DER)),
explicit EASA approval is required.
In regards to ICA, while an MRBR approved by one of both states is automatically
accepted by the other, the level of involvement for other types of ICA, such as the
Airworthiness Limitations, may vary and require a validation process.
The Significant Standard Differences (SSDs) between the EASA and FAA
certification specifications standards are published in the EASA and FAA websites.

Lesson in Progress—The Boeing 737 MAX Case

On October 2018, the Indonesian carrier Lion Air operating a Boeing 737 MAX
under Flight 610 from Jakarta (WIII), Indonesia, with intended destination to
Depati Amir Airport (WIPK), crashed into the Java Sea 13 min after takeoff,
killing all 189 passengers and crew.2
Five months later, on March 2019, in similar circumstances, Ethiopian
Airlines 737 MAX Flight 302 crashed six minutes after takeoff on a flight
from Addis Ababa Bole International Airport (HAAB), Ethiopia, with intended
destination to Nairobi (HKJK), Kenya, killing all 157 passengers and crew.3
The aircraft was grounded worldwide in the same month, two years after its
type certification by the FAA on March 2017, until November 2020 (Fig. 4.1).
Due to financial constraints and the pressure on Boeing to compete with the
Airbus A320 NEO, Boeing had updated its old 737 design instead of designing
a new aircraft that would have been less attractive to customers: new type rating
and additional costs.4
The 737 MAX included new larger engines and their relative placement in
comparison with its predecessors, so Boeing developed a new software called
Maneuvering Characteristics Augmentation System (MCAS) to address the
stability issues of the new configuration.

2 Aircraft Accident Investigation Report PT. Lion Mentari Airlines Boeing B737-8 (MAX); PK-
LQP. Komite Nasional Keselamatan Transportasi Republic of Indonesia. 20 October 2018.
3 Aircraft Accident Investigation Bureau Interim Investigation Report on Accident to the B737-8

(MAX) Registered ET-AVJ operated by Ethiopian Airlines. The Federal Democratic Republic of
Ethiopia Ministry of Transport. 10 March 2020.
4 The Boeing 737 MAX Aircraft: Costs, Consequences, and Lessons from its Design, Development,

and Certification—Preliminary Investigative Findings. The House Committee on Transportation and

Infrastructure. March 2020.
28 4 Instructions for Continuing Airworthiness (ICA)

The MCAS was designed to push the aircraft nose down under certain flight
conditions and was relying on a single Angle Of Attack (AOA) sensor for
automatic activation.

Fig. 4.1 Boeing 737 MAX sit parked at Boeing field. Photo by David Ryder/Getty Images

The preliminary investigation of the Indonesian and Ethiopian accidents,

carried out by their corresponding aircraft accident investigation offices,
revealed the deficiencies of the Boeing design. Soon after, the U.S. Congress
initiated further investigations into the FAA approval process.
Boeing had assumed that the pilots would mitigate any malfunction while the
reality showed that, in most of the cases, they were unaware of the existence of
the new system. Additionally, the MCAS was not classified as a safety–critical
system and its failure was not rated as “catastrophic”.
In this regard, it was expected that a software fix would return the aircraft
to service, but new safety issues arose during the investigations.
The investigations also exposed that the FAA oversight function with
respect to Boeing created a conflict of interests where Individual Designees
(Boeing employees that are authorized as FAA representatives to validate
design compliance) failed to take action to represent the FAA interests and
would have allowed unsafe design approaches.
4.1 ICA—Design Organizations Responsibilities 29

The BASA agreements were also called into question. Many of the signatory
states of BASAs with the U.S. reviewed their validation of the 737 MAX type
certification. Additionally, many did not rely on the software upgrade either
the 737 MAX FAA re-certification, and issued their own certifications for the
MCAS system.
Surely, this is a lesson in progress: aviation experts are calling to review the
terms under with the BASAs are signed and most of the certification authorities
worldwide may revise their aviation regulations in regards to the requirements
for amended type certification and their own oversight functions.
 Part II
Aircraft Maintenance Programs: Content
and Management
Chapter 5
AMP Content and Maintenance Planning
Document (MPD)

The content of an Aircraft Maintenance Program (AMP) is set by the regulatory

environment that must satisfy. As introduced in Part I, while an FAA CAMP may
look more comprehensive at first instance, actually the CAMP elements that are
not considered in an EASA AMP will be considered in the CAME (e.g., airwor-
thiness responsibility, maintenance manual, maintenance organization, approval of
maintenance and alterations, Required Inspection Items (RII), recordkeeping system,
contract maintenance, and personnel training).
This chapter describes the requirements of an AMP under an EASA environment.
These requirements may be used to develop the Maintenance Schedule element
required for the FAA CAMP.
The AMP should contain the following provisions:
• the preamble, including definitions of the Maintenance Tasks/Checks and the
necessary procedures to manage them,
• the sections that include the scheduled maintenance tasks and limitations, and
• the Reliability Program.
An AMP is initially developed from the Maintenance Planning Document (MPD).
The MPD contains the maintenance tasks that are part of the aircraft type certifica-
tion (ALS and CMR) and the initial scheduled maintenance requirements (MRBR
or alternative means of compliance).

5.1 AMP Content

An AMP should define the maintenance task terms that are to be managed/used by
the continuing airworthiness/maintenance organization. The AMP must also describe
the procedures necessary to manage the maintenance tasks.
The AMP as a whole should not leave any margin for interpretation. The AMP
must meet both the regulatory requirements and the standards set by the operator.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 33

D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_5
34 5 AMP Content and Maintenance Planning Document (MPD)

5.1.1 General Considerations

Operator’s Certification Statement

The Operator’s Certification Statement is a formal declaration duly signed by the
CAMO responsible person (Nominated Person or delegate) that states the aircraft
will be maintained in accordance with the submitted AMP and that it will be reviewed
and updated as required.
AMP Approval
The AMP approval process should be agreed with the competent authority and be
included in the CAME. The CAME should reflect any indirect approval concessions
granted by the competent authority.
The indirect approval is a privilege granted to the CAMO to approve certain
changes in the AMP without the need of the competent authority approval.
Once an AMP revision is submitted for approval (to the competent authority or the
NPH/delegate in the case of indirect approval), no further changes are usually allowed
except those arising from the approver findings/observations for that particular
revision, if any.
The AMP should incorporate the approval sheet duly signed by:
• the CAMO staff authorized to prepare and submit the AMP for approval, and
• the competent authority responsible person, or
• in the case of indirect approval, the CAMO Nominated Person or delegate.

Distribution List
The AMP should include a distribution list and the distribution methods to ensure it
is available for any concerned party (competent authority, CAMO staff, maintenance
organization, etc.).
Record of AMP Revisions and Temporary Revisions
The AMP should register the history of Revisions and Temporary Revisions. It is
recommendable to include at least the main reasons for each major Revision.
Summary of Changes
The AMP should list all the changes and justifications promulgated in the latest
Revision.
AMP Effective Date
An Aircraft Maintenance Program revision should always be approved with a desig-
nated Effective Date agreed with the competent authority or a designated date based
on a procedure approved by the authority. The effective date is the AMP entry into
force date in which the new/revised/deleted requirements and procedures become
effective.
5.1 AMP Content 35

The AMP Effective Date may be the same than the AMP approval date, but
a limited time can be granted to the operator to accommodate all the necessary
changes into the system used for the AMP Maintenance Requirement control. This
difference has much to do with the capacity of such system; the process may turn
lengthy with a large volume of AMP changes when the maintenance software does
not have the capability to dump the data directly from the AMP (manual process)
and/or it requires individual management of each task change to make them effective.
On the other hand, an advanced maintenance software may allow to dump all the
changes automatically from a database and/or make them effective in a glance as
soon as the AMP is approved.
AMP Applicability
The AMP must define the aircraft registration(s) to which it is applicable and in
which configuration(s) (engines, APU, and layout, as applicable). An aircraft should
be maintained under only one AMP at a certain point in time.
It is possible to associate an “Applicability Number” to each registration if it is
considered that facilitates the understanding of the Task Effectivity.
The AMP Applicability should be updated when an aircraft is inducted/phased-out
into/from the AMP.
AMP Source Documents
The AMP must list all the source documents in which is based on and their revision
and issue/effective date.
The process to receive and control the source documents and their revisions and
the process to evaluate and implement their changes into the AMP should be defined
(Fig. 5.3).
Maintenance Checks
The AMP should define the suitability of the AMP maintenance tasks to be packaged
and performed together (maintenance check) or individually (out-of-phase). It is
usually based on the maintenance tasks intervals and parameters and in the accesses
required. Examples: Preflight Check, Transit Check, Daily Check, Weekly Check,
Service Check, A-Check, B-Check, C-Check, and D-Check.
A Maintenance Check is restricted by an interval that may contain different param-
eters (FH, FC, calendar time, etc.). The Maintenance Check intervals cannot be more
permissive than the Maintenance Tasks thresholds/intervals within it.
Utilization
The AMP is based on an anticipated utilization. MRBR, one of the primary sources
of the AMP, is developed based on an assumption of anticipated average annual
utilization; when the utilization of the aircraft falls out of the envelope defined in
the MRBR, it is necessary to contact the Type Certificate Holder (TCH) to develop
specific recommendations (Low Utilization Recommendations). Section 9.2 details
the characteristics of these special programs.
36 5 AMP Content and Maintenance Planning Document (MPD)

The anticipated utilization is based on the operator experience and in the expected
operation. Usually, the anticipated utilization is presented by the “Annual Average
Fleet Utilization.” It is also recommended to anticipate if the utilization of any of the
individual aircraft of the fleet may fall out of the MRBR utilization envelope rather
than using the average fleet parameters.
AMP utilization must be analyzed at least during the AMP annual review.
Limit Of Validity (LOV)
The Limit Of Validity (LOV) corresponds to the Flight Hours and/or Flight Cycles
for which it is demonstrated that Widespread Fatigue Damage (WFD) will likely not
occur on the aircraft structure. LOV is understood as the aircraft usable life: The
operator cannot operate an aircraft beyond the LOV or Extended LOV of the aircraft.
LOV is defined in the Structures Airworthiness Limitations.
Task Type Categories
The AMP must describe each task type categories to define the expected level of
maintenance and the methods. Task types: Cleaning (CLN), Lubrication (LUB),
Servicing (SVC), Operational Check (OPC), Functional Check (FNC), Visual Check
(VCK), General Visual Inspection (GVI), Detailed Visual Inspection (DET), Special
Detailed Inspection (SDI), Restoration (RST), Discard (DIS), etc.
The task type categories are usually based on the MPD/MRBR although the
operator may develop additional task type categories as required.
Aircraft Maintenance Task Format
A maintenance task is typically defined by the following format:
• Status. It identifies the action taken for the task between two consecutive AMP
revisions: New (N), Revised (R), Deleted (D), or Blank (if no action has been
taken). The reason for the change is described in the Summary Of Changes.
• Task number. AMP task number is usually derived (if not the same) from
the source document task number. It is recommended to establish a numbering
convention for the operator’s own tasks.
• Zone. Location of the item subject to maintenance.
• Description. It is the scope of the task (a summary) in the context given by the
system, subsystem, component, zone, or structural item tittle.
• Task Code. It is the task type category.
• Threshold/Interval. It identifies the prescribed periods at which the task has to
be performed (first accomplishment/repeat). Chapter 11 details the procedures for
the thresholds/Intervals management.
• Source. It identifies the origin of the task: MRBR, ALS, CMR, AD, SB, SL,
operator‘s own task, etc. It is appropriate to reflect the Failure Effect Category
(FEC) for MRBR tasks in the source field, if applicable.
• References. It should identify:
– Source: references to the corresponding source document task number and/or
regulatory requirement for adequate traceability.
5.1 AMP Content 37

Fig. 5.1 AMP Task Format

– Instructions: references to the task instructions (Aircraft Maintenance Manual

(AMM), Task Card, Engineering Order (EO), etc.).
– Others: references to any documented information that is considered necessary
for the accomplishment of the maintenance task.
• Effectivity. It details for which registrations within the AMP applicability the task
is effective. It is possible to define the Effectivity by the Applicability Numbers
if they have been established.
Effectivity and applicability concepts are usually confused; applicability refers
to something that is appropriate to be applied but does not imply any effect, e.g.,
the applicability of an MPD task means that the task is suitable to be used for
the aircraft that meet the applicability conditions. However, effectivity refers to
something that is actually in force, e.g., the effectivity of an AMP task means that
it must be accomplished for the specified registrations (Fig. 5.1).
• Task Revision Date. It identifies the AMP revision in which the task was last
revised.
Any information considered by the operator to facilitate the use and understanding
of the AMP may be added to the AMP Task Format, e.g., “Preparation” to identify
the necessary task preliminary procedures, “Access” to identify panels, linings or
doors to be opened or removed, or “Remarks” to identify any additional information.
Component Maintenance Task and Life Limitations Format
The format for component tasks and life limitations is slightly different than the
standard described for aircraft maintenance tasks.
The format should include a field for the Part Number (P/N) for which the
limitation is effective. The format may require additional fields to identify the
intervals/limitations for each particular aircraft configuration.

5.1.2 AMP Preamble—Procedures

The AMP preamble should include, although not limited to, the rules and guidelines
to manage:
• The maintenance tasks. The procedures to manage the maintenance tasks are
usually detailed in the source documents and should be customized to the operator
AMP.
38 5 AMP Content and Maintenance Planning Document (MPD)

• The checks/tasks thresholds/intervals. The procedures to manage the checks/task

thresholds and intervals may also be detailed in the source documents: the
first and repeat accomplishment of the tasks, considerations during aircraft on
ground/maintenance/parking/storage, the use of Grace Periods, the Permitted
Variations, the Exceptional Short-term Extensions, the Escalation, and the
Evolution/Optimization procedures.
The AMP procedures are usually developed in accordance with the operator neces-
sities to produce compliance with the regulations and standards; it is particular to
each organization. The following procedures may be considered for inclusion into the
AMP, although they may be developed as stand-alone or as part of the CAME/CAMP:
• AMP source documents management: control and evaluation of changes.
• AMP revision and approval.
• AMP implementation.
• Maintenance software—Management of AMP checks and tasks.
• AMP aircraft induction.
• AMP aircraft phase-out.
• Parking/storage.
• Documentation Discrepancy Reporting System (DDRS).
In addition to the distribution list described in the AMP preamble, the communi-
cations during the AMP process (with the authority, internal stakeholders, the TCH,
and manufacturers) are essential for the AMP revision good end, especially in large
organizations where a large volume of correspondence is processed. It is highly
recommendable to establish procedures to detail which communications are neces-
sary, with who and how in order to avoid any possible mistake or omission. The AMP
Communications procedure may be considered in the AMP preamble.

5.1.3 AMP Structure

The importance of an AMP resides in compliance with the regulations rather than the
structure of the document. The approach to defining it is a decision of the operator
but must be acceptable to the competent authority. The following seven sections are
usually found in any AMP; they are based on the MPD/MRBR and on the requirement
to develop a Reliability Program:
• Preamble,
• Systems,
• Powerplant,
• Structures,
• Zonal,
• Components,
• Reliability Program.
5.1 AMP Content 39

These sections may be merged or segregated, e.g., Systems and Powerplant

requirements may be merged in a unique section, or on-wing component tasks may
be integrated into the Systems section and off-wing component requirements in a
separated section.
The following content should also be covered in the AMP as applicable. It may
be integrated into the sections detailed above or in dedicated sections:
• Mandatory requirements:
– Airworthiness Limitations (ALS),
– Certification Maintenance Requirements (CMR),
– AD Repetitive maintenance.
• Operational requirements: RVSM, MNSP, RNAV, RNP, EDTO (ETOPS), AWO,
• Low Utilization Maintenance Program (LUMP),
• Supplemental Structural Inspection Program (SSIP),
• Corrosion Prevention and Control Program (CPCP),
• Repetitive requirements derived from Modifications and Repairs,
• Operator own tasks:
– Reliability: non-mandatory recommendations (SB, SL, CMM, etc.) and
procedures developed by the operator.
– Operator standards: comfort and appearance items.
There are certain benefits on integrating or segregating the AMP content into the
sections detailed at the beginning of this paragraphs (introduction, systems, power-
plant, structures, zonal, and components). The operator should look for the approach
that better aligns with its organization:
• Benefits of integration. The integration of requirements into the sections detailed
at the beginning of this tittle allows visualizing all the maintenance that is required
for a system, structure, zone, or component at a glance.
• Benefits of segregation. The segregation of these requirements into separated
sections is especially suitable in large organizations with multiple stakeholders.
It facilitates assigning responsibilities, e.g., AD, modifications and repairs may
be the responsibility of a Technical Services department, Operator’s own tasks
responsibility of the Reliability department, Component tasks responsibility of a
dedicated AMP team, etc.
On the other hand, the operator may decide to define and control certain regulatory
requirements through the AMP. It may generate dedicated AMP sections or additional
fields in the AMP Task Format, for example (Fig. 5.2):

Fig. 5.2 AMP Task Format with CMT provision

40 5 AMP Content and Maintenance Planning Document (MPD)

Fig. 5.3 Aircraft Maintenance Program Sources

5.1 AMP Content 41

• Critical Maintenance Tasks (CMT): identification, assessment, and establishment

of error-capturing methods. Chapter 15 details the Critical Maintenance Task
requirements.
Certain competent authorities may require, or the operator may decide, to include
the grace periods and bridge checks derived from an AMP revision under the AMP
approval. This practice shows a high level of transparency from the operator’s side.
It may be developed as an Appendix to the AMP.
Another good practice is to develop an AMP Appendix to incorporate the MPD
tasks that are not applicable to the AMP applicable registrations and the corre-
sponding justification. It can facilitate the understanding of the MPD implementation,
e.g., during an audit.

5.1.4 AMP Revision

The operator is responsible for evaluating new/revised requirements and instructions

for the continuing airworthiness for inclusion into the AMP. The AMP should remain
valid in light of the operating experience:
• Regulatory requirements, e.g., AD, ALS, CMR, etc.,
• Design holder instructions, e.g., ICA,
• In-service experience (Reliability Program),
• Type and specificity of the operation, e.g., LUMP, AWO.
EASA Part-M AMC M.A.302 (3) requires that the AMP is reviewed at least annu-
ally; the FAA has a performance-driven approach and does not impose any specific
time limitation for the AMP review.
It is reasonable that changes that may affect the airworthiness of the aircraft are
implemented at the earliest (e.g., ALS, CMR, MRBR FEC 5 and 8).
In certain cases, where the requirements are dynamic in nature (ADs, Modifica-
tions and Repairs, and Reliability Program tasks), it is unfeasible to update the AMP
in the same dynamic way as they evolve. They usually do not trigger an AMP revision
but should be included in the AMP at the next suitable opportunity. The status of
ADs, Modifications and Repairs, and Reliability tasks (non-mandatory recommen-
dations and own tasks developed by the operator) usually supposes a snapshot at the
time of the AMP revision. It is recommended that such clarification is included in
the AMP preamble.
If different rules are established by the design holder/manufacturer or the compe-
tent authority (e.g., in the case of ADs requiring to incorporate the ALS requirements
into the AMP), these should be complied with straightaway.
ICA Implementation Period
The ICA implementation period is the time between the ICA approval/publication
date and the effective date of the AMP revision. This time should be sufficient to
42 5 AMP Content and Maintenance Planning Document (MPD)

analyze the changes and identify and allocate the necessary resources that may be
required (staff, material, tools, facilities, etc.).
While a three-month period may be found appropriate and it is a non-approved
standard adopted by many operators, the fact is that the management of a large
volume of changes can become lengthy.

5.2 Maintenance Planning Document (MPD)

The Maintenance Planning Document (MPD) is a repository document issued by

the Type Certificate Holder (TCH) that contains repetitive maintenance tasks and
additional information required for their accomplishment. The purpose of the MPD
is to assist operators in the development of an Aircraft Maintenance Program (AMP).
The consideration of MPD as ICA is subject to interpretation attending to the
current definition; however, it is undeniable that the MPD compiles the minimum
ICA to develop an initial AMP (*).
The MPD typically includes all the maintenance tasks that are part of the aircraft
type certification plus the initial scheduled maintenance tasks developed alongside
the type certification (primary sources) and may content maintenance tasks from
secondary sources:
Primary Sources:
• Maintenance Review Board Report (MRBR),
• Airworthiness Limitations (ALS),
• Certification Maintenance Requirements (CMR).
Secondary Sources:
• Regulatory requirements,
• Airworthiness Directives (AD),
• Operational requirements: RVSM, MNSP, RNAV, RNP, EDTO (ETOPS), AWO,
• Low Utilization Maintenance Program (LUMP),
• Supplemental Structural Inspection Document (SSID),
• Life Extension Program (LEP),
• Repetitive requirements derived from Service Bulletins (SB) and Service Letters
(SL),
• Repetitive requirements derived from Modifications and Repairs,
• Component Manufacturer recommendations,
• Etcetera.
(*) Compliance with the MPD does not constitute compliance with the minimum
requirements, e.g., ALS Life Limitations, not considered as repetitive maintenance
tasks, may not be incorporated in the MPD but are part of the AMP. Even if the
MPD contains all the primary and secondary sources listed above, the operator is
5.2 Maintenance Planning Document (MPD) 43

still responsible for controlling, analyzing, and implementing each source document,
as applicable.
The consideration of secondary sources into the MPD differs between Type
Certificate Holders (TCHs). Small manufacturers with a few clients tend to customize
more the MPD by considering more secondary sources so it is easier for the operator
to implement the requirements into the AMP; larger manufacturers with many clients
may leave the responsibility of evaluating these secondary sources to the operator
allowing more flexibility.
The MPD is the link between the requirements defined in the source documents
and the procedures to accomplish such requirements. The MPD incorporates refer-
ences to the instructions for the accomplishment of the maintenance tasks. These
instructions are usually developed in the Aircraft Maintenance Manual (AMM).
The AMM is an ICA that contains most of the necessary tasks, step by step, for the
maintenance of the aircraft.
Complex maintenance tasks that require specialized maintenance techniques,
test equipment, or expertise are usually developed in different manuals, e.g.,
Non-Destructive Test (NDT) Manual.
The MPD contains additional information relevant for the planning of the task such
as the man-hours required to perform it and the number of staff and the skills required.
Usually, the man-hours provided in the MPD have to be adjusted to the operator’s
efficiency. Each maintenance organization should calculate its labor efficiency factor
based on its own experience.
The MPD planning information, together with the AMM instructions, provides
with the basic information to schedule an MPD maintenance task: accesses, panels,
material, components, equipment, tools, workforce, skills, etc.
The operator must highlight any discrepancy between the MPD requirements and
the source documents to the TCH. A Document Discrepancy Reporting System to
register and control documentation discrepancies is recommended.

5.2.1 MPD and AMM/IPC Revision Cycle

As introduced in the previous paragraphs, the Aircraft Maintenance Manual

(AMM) is an ICA document that contains most of the necessary tasks and procedures
for the maintenance of the aircraft: information of the aircraft features, systems,
structures, installations, basic control, servicing procedures, maintenance instruc-
tions, access procedures, removal/installation of parts and components, methods and
equipment, instructions to apply protective treatments after structural inspections,
etc.
The Illustrated Parts Catalogue (IPC) is the document that details all the infor-
mation related to the parts and components that are certified to be fitted on the aircraft.
It includes the parts and components for which a maintenance instruction is provided
in the AMM.
44 5 AMP Content and Maintenance Planning Document (MPD)

Both AMM and IPC are used not only for scheduled maintenance but for the
accomplishment of non-scheduled maintenance.
Modifications/repairs may revise the content of AMM/IPC through dedicated
Supplements provided in the modification/repair approved data package.
The operator is responsible for identifying changes derived from the AMM/IPC
revision that may impact the Aircraft Maintenance Program (AMP); the AMM should
be reviewed to identify changes to the task setup: subtasks, equipment, material,
critical tasks/independent inspection/reinspection/required inspection item, etc.
Certain elements developed by the operator that are based on the AMM should also
be reviewed, e.g., when the operator takes credit for the calculation of the next due of
a task from the accomplishment of a different task based on the AMM assessment.
The IPC should be reviewed to identify changes in the effectivity of AMP tasks for
requirements at component level defined with open applicability in the source docu-
ment, e.g., the MRBR requires the in-shop operational check of the flight recorders
and a new Part Number (P/N) is introduced by the IPC revision; the operator should
identify the P/N through the IPC review and add it to the AMP task unless the
appropriate means to avoid the installation of such P/N into the operator’s fleet are
established.
Depending on the TCH, the issue of an AMM/IPC revision may be aligned with
the issue of the AMP Primary Source documents (MRBR, ALS) and other ICAs
(SRM, NTM/NDT, etc.) in a Maintenance Data Cycle.
The implementation of AMM/IPC within the maintenance organization is usually
immediate as soon as they are issued; it is a regulatory requirement to keep the
maintenance data up to date, including its revision status, on the work card/worksheet
used by the mechanic.
Certain issues or misalignments may arise during the time between the MPD
and the AMM/IPC are released within the maintenance organization and the time in
which the changes are fully implemented in the AMP (AMP Effective Date), e.g.,
• the AMM procedure has been deleted. It may be caused due to the associated
MPD task has also been deleted; the operator is still responsible for complying
with the AMP task until it is removed from the AMP. In urgent cases, a temporary
Work Card based on the instructions provided in the previous revision of the
AMM may be developed until the new AMP revision incorporating the changes
becomes effective.
Other issues may be derived from the TCH documentation management; the
operator should establish the means to identify such omissions/mistakes and take the
appropriate measures to correct them, e.g.:
• New/revised MPD task without AMM reference/procedure. The operator should
contact the TCH to provide the AMM reference/procedure. If the procedure has
no immediate effect or impact (e.g., high threshold tasks), the AMM procedure
may be delayed.
• The MPD task applicability does not match the AMM instruction applicability. In
case there is no AMM instruction available for specific registrations, the operator
5.2 Maintenance Planning Document (MPD) 45

should contact the TCH to provide it or expand the AMM task applicability, as
applicable.
• The MPD references an AMM procedure that has been deleted. The operator
should contact the TCH to reinstate the procedure into the AMM or provide
appropriate MPD-AMM references.
• The IPC removes a Part Number (P/N) that is installed on the operator’s fleet. The
operator should contact the TCH to reinstate the P/N into the IPC or justify the
deletion, in which case additional actions will be required.
Changes to the maintenance documentation require micromanagement. The oper-
ator should establish the means and use its best engineering practices to identify and
correct any inconsistency derived from the maintenance documentation.

5.3 Maintenance Requirement and Task Card

A Maintenance Requirement contains all the information necessary to schedule

a maintenance task. It is also known under other designations, such as Engineering
Control, and its content may be integrated within a Task Card.
The Maintenance requirement is usually defined by task number, description,
zone, task code and sources, threshold/interval, references, effectivity, and revi-
sion status (task revision date and reason of revision) and may include additional
information such as line/base/heavy maintenance classification.
The operator may group Maintenance Requirements that are to be accomplished
together into Maintenance Check to facilitate their scheduling. See Sect. 11.1.3 for
further information.
On the other side, a Task Card is a customization of the maintenance instructions
provided by the Design Approval Holder (DAH) or instructions developed by the
operator in support of the completion of the task by the technician. A Task Card is
also known as Work Card, Work Sheet, or Job Instruction Card (JIC).
A Task Card should be structured in clear stages to avoid variability or error
(e.g., disassembly, accomplishment of the task, reassembly, and testing). It typically
includes the following provisions:
• information required for the task accomplishment, e.g., equipment, material
preload, access, qualifications, transcription of the maintenance data instructions
or references to it, maintenance data revision status, etc.,
• record of the accomplishment of the maintenance task stages (technician sign-off),
and
• record of error-capturing required actions (see Chapter 15 for further information
about Critical Maintenance Tasks/Identical Tasks and Required Inspection Items).
It is highly recommendable to establish the means and procedures to ensure
that any transcription of the maintenance data instructions into the Task Card
46 5 AMP Content and Maintenance Planning Document (MPD)

system maintains its integrity. To avoid mistakes/omissions, the Task Card should be
simplified to the maximum acceptable level.
The Task Card preparation usually involves a detailed evaluation of the source
documentation tasks and subtasks (AMM, IPC, NTM, etc.) to identify which level of
access and resources are necessary for its accomplishment. The examination should
be depth enough to identify the appropriate facilities, workforce, and technician
qualifications, maintenance times, equipment, and material.
For certain maintenance actions, usually, those requiring design changes (e.g.,
ADs or modifications/repairs), the Maintenance Requirement/Task Card may be
developed through a specific type of document known as Engineering Order (EO).
Chapter 6
AMP Primary Sources

The primary sources of an Aircraft Maintenance Program (AMP) are those required
for the type design certification (ALS and CMR) and the initial scheduled mainte-
nance tasks developed alongside the type certification (MRBR). Compliance with
the instructions contained in these sources is mandatory.
While ALS and CMR documents are binding by Airworthiness Directives (AD),
the compliance with the MRBR could be substituted by alternative means of compli-
ance to develop the initial aircraft maintenance program if it is accepted and approved
by the competent authority. In a typical scenario, the MRBR becomes the soul of the
party.
This chapter describes the primary source document standards and processes that
are required for the development of an initial Aircraft Maintenance Program.

6.1 Maintenance Review Board Report (MRBR)

The Maintenance Review Board Report (MRBR) is an ICA document that contains
the minimum schedule maintenance requirements to be used in the development of
an approved maintenance program for an aircraft and its components.
The MRBR is developed by the regulatory authority of the state of design and
representatives of the aviation industry (design organizations and air operators).
Regulatory authorities of the states of intended operation and other interested parties
may also participate in the process.
The MRB process involves all the activities to develop, review, and amend the
MRBR. The main purpose of the process is to assist the design organization and
operators in developing the initial maintenance program for newly certified aircraft
and/or engines and the regulatory authority in approving that program.
The standards for the MRB process are set at the highest level in the ICAO
Airworthiness Manual Doc 9760. In compliance with this manual, the International
Maintenance Review Board Policy Board (IMRBPB) issues the International

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 47

D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_6
48 6 AMP Primary Sources

MRB/MBT Process Standard (IMPS) for guidance to outline the processes and
procedures used during the MRB/MBT1 process.
The MRB process’s main tool is a task-oriented methodology known as MSG-3
analysis.
This chapter goes into the MRB international standards, the IMPS, and the MSG-3
methodology.

6.1.1 The International Maintenance Review Board Policy

Board (IMRBPB)

The International Maintenance Review Board Policy Board (IMRBPB) is a body

formed by aviation regulatory authorities and representatives of the industry with the
objective of developing procedures and guidance on the MRB/MBT process and the
use of the MSG-3 methodology. The IMRBPB promotes harmonization between the
regulations through a structured forum for discussions. The IMRBPB convenes once
a year.
The IMRBPB positions become policy only when are adopted by the corre-
sponding regulatory authority.
Composition of the IMRBPB:
• Members from Regulatory Authorities who have signed the IMRBPB charter
(Australia; Brazil; Canada; China; the European Union; Hong Kong; Japan;
Singapore; and the USA).
• The Maintenance Programs Industry Group (MPIG) and Rotorcraft MPIG
(RMPIG). The MPIG is an organization formed to represent aircraft operators
and manufacturers. It is facilitated by the Airlines for America (A4A), formally
known as Air Transport Association (ATA). The MPIG provides with a forum
to develop consensus positions on regulatory proposals and proposing solutions
to emerging issues.
• The board is open to appropriate representative parties within the aviation industry.
The IMRBPB issues the International MRB/MTB Process Standard (IMPS) as
guidance to standardize the processes and procedures to be used by the regulatory
authorities in the oversight and approval of scheduled maintenance requirements.
When the IMPS is referenced as the MRB standard in the regulatory frameworks, it
is possible to apply validation principles. For example, within the EU-US Bilateral
Aviation Safety Agreement (BASA), EASA and FAA recognize the approval of each
other MRBRs because the IMPS is referenced in both regulatory frameworks.
The IMRBPB also reviews Candidate Issue Papers presented by any of its
members. Candidate Issue Papers are proposals for changes to the IMPS or MSG-3
methodology. The candidate becomes an Issue Paper (IP) once approved by the
IMRBPB. IP is implemented within the next suitable revision of IMPS or MSG-3.

1 Maintenance Type Board (MTB) is the process recommended for small aircraft.
6.1 Maintenance Review Board Report (MRBR) 49

The application of an Issue Paper, the IP44 for the Evolution/Optimization of the
MRBR, is detailed in Sect. 6.1.7.

6.1.2 The International MRB/MTB Process Standard (IMPS)

The International MRB/MTB Process Standard (IMPS)2 is designed to stan-

dardize the development of scheduled maintenance requirements. Although the IMPS
describes the MRB and MTB procedures, MTB is recommended for aircraft less than
15,000 kg and will not be disclosed in these lines. MRB is recommended for trans-
port category aircraft of more than 15,000 kg, but this process may be used for any
other aircraft if it is the applicant option.
The MRBR is developed by the Type Certificate (TC) applicant, the Certification
Authority (CA), air operators, and other regulatory authorities. The MSG-3 method-
ology is used by specialist working groups to propose maintenance tasks/intervals
that are presented to the Industry Steering Committee (ISC). The ISC prepares a
recommendation for the MRBR, which is then reviewed by the MRB and approved
by the MRB Chairperson.
The IMPS defines the following bodies in the organization that develops the
MRBR:
• Maintenance Review Board (MRB): responsible for approving the MRBR under
the management of the MRB Chairperson. Functions:
– Determine and assign MRB members and MRB advisors to the MWGs.
– Review and accept the PPH.
– Coordinate the MRB activities, issues, and associated matters with the ISC
Chairman.
– Ensure that the TCH provides adequate training, including MSG-3 method-
ology, to all MRB members.
– Ensuring CA participation in all MWGs and attending ISC meetings.
– Invite ISC Chairperson and selected ISC members to the MRB meetings.
– Review and discuss ISC proposals.
– Approve the MRBR.
• Type Certificate Holder (TCH): responsible for applying for the MRB process
to the CA. Functions:
– Assign an ISC Co-Chairman.
– Develop a PPH for presentation to the ISC and MRB.
– Provide aircraft technical, PPH, and MSG-3 training for all ISC and MWGs
members.
– Provide the ISC with a candidate list of Maintenance Significant Items (MSI),
Structural Significant Items (SSI), and Lightning/HIRF Significant Items
(LHSI), supported by the MSG-3 analysis.

2 International MRB/MTB Process Standard (IMPS). IMRBPB. Issue No. 01, 2019.
50 6 AMP Primary Sources

– Attend each MWGs and ISC meetings.

– Provide the ISC/MRB and appropriate WG members with details of design
changes that will impact the MSG-3 analysis, which may include changes due
to potential Airworthiness Limitation Items (ALI) and Candidate Certification
Maintenance Requirements (CCMRs).
– Maintain records of the MSG-3 analysis.
– Ensure that the aircraft manuals contain information and procedures for
accomplishing all on-aircraft maintenance tasks covered in the MRBR.
• Industry Steering Committee (ISC): responsible for managing the activities of
the Working Groups (WGs) and preparing the MRBR under the management of
the ISC Chairperson, usually an operator of the aircraft or similar model. The ISC
is formed by the TCH, operators, aircraft/engine/propeller manufacturers, and, if
appropriate, representatives of maintenance organizations. Functions:
– Determine the number and type of MWGs and organize them.
– Review and approve the PPH and forward it to the MRB Chairperson for
acceptance.
– Attend MRB meetings when requested by the MRB Chairperson.
– Invite MRB Chairperson and selected MRB members to the ISC meeting.
– Invite other Validation Authorities (VA) to the ISC meetings.
– Direct the activities of the MWGs.
– Review and accept all MWGs analysis.
– Prepare the MRBR prior to submission for approval to the MRB Chairperson.
• Maintenance Working Groups (MWGs): responsible for review and endorse
the MSG-3 analysis proposals made by the TCH. Each WG is formed by specialist

Fig. 6.1 MRB process

6.1 Maintenance Review Board Report (MRBR) 51

representatives of the aircraft/engine/propeller TCH, vendors, operators, mainte-

nance organizations, and regulatory advisors. It is recommended that a minimum
of three operators are represented in each WG meeting. The WG Chairperson is
selected by the WG and accepted by the ISC. Normally the WG Chairperson will
be an operator. Functions:
– Review technical data and MSG-3 analysis provided by the TCH.
– Develop initial minimum scheduled tasking/interval requirements using the
latest accepted PPH procedures and the revision of the MSG-3 document
referenced in the PPH.
The MRBR is an alive document; it is recommended that the ISC Chairperson/Co-
Chairperson and the MRB Chairperson carry out a yearly review to determine the
need for revisions.

6.1.3 Policy and Procedures Handbook (PPH)

The Policy and Procedures Handbook (PPH) compiles all the necessary infor-
mation required for the development of the initial minimum scheduled mainte-
nance/inspection requirements. It is developed by the TCH with the support of the
CA. The policy and procedures detailed are the basis to be followed by the WGs,
the ISC, and the MRB. Basically, the PPH contains the IMPS and MSG-3 standards
adapted to the specific project. Any deviations from the IMPS or MSG-3 methodology
must be reflected in the PPH and accepted by the CA.

6.1.4 Utilization Considerations

The MSG-3 analysis as a whole assumes an anticipated average annual utilization

of the aircraft. Task intervals are determined in function of this assumption and are
valid for the defined utilization envelope. The utilization envelope is reflected in the
PPH and the MRBR.
When the utilization falls out of the utilization envelope defined in the MRBR,
the TCH is responsible for developing specific recommendations out of the MRB
process, e.g., Low Utilization Recommendations (LUR).

6.1.5 The Maintenance Steering Group (MSG)

The first generation of aircraft maintenance programs was based on the idea that
each part on an aircraft required regular overhaul. Experience showed that some
52 6 AMP Primary Sources

components did not require as much attention as others, and new methods of control
more efficient and cost-effective were demanded by the industry.
In 1968, the FAA and representatives of the industry (the Air Transport Associ-
ation (ATA), airlines, aircraft manufacturers, and suppliers) formed a Maintenance
Steering Group (MSG) that introduced for the first time the concept of decision-
logic to develop schedule maintenance for the new Boeing 747 aircraft. The results
of this task force were captured in a document that could be used in the future for
newly certified aircraft and that was titled Maintenance Evaluation and Programme
Development and formally known as MSG-1. MSG-1 introduced two processes for
the development of routine maintenance tasks:
• Hard-Time (HT): preventive maintenance process that requires a system or
component to be overhauled or removed from service at fixed periods.
• On-Condition (OC): preventive maintenance process that requires a system or
component to be inspected for serviceability (to be removed from service before
failure).
The standard ensured that the units were removed from service before failure
during normal operation.
In 1970, MSG-1 is updated to MSG-2, titled Airline/Manufacturer Maintenance
Programme Planning; this revision updated the decision logic that could be used in
this case for the new generation of aircraft. It was process-oriented and analyzed
failure modes from the component level up. MSG-2 applied to specific aircraft and
produced a list of Maintenance Significant Items (MSIs) to which the logic was
applied.
MSG-2 introduced a third process (in addition to Hard-time and On-Condition)
for the development of routine maintenance:
• Condition Monitoring: maintenance process, no preventive, that allows a system
or component to operate until failure without an adverse effect on safety.
MSG-2 presented several weaknesses:
• economic effects not considered
• difficulty to track so many components
• difficulty to deal with the increased complexity of aircraft systems
• corrosion prevention measures not properly addressed
• confusion with the interpretation of HT, OC, and CM.
In 1980, MSG-2 evolved to MSG-3, titled Operator/Manufacturer Schedule
Maintenance Development; MSG-3 is a task-oriented approach that analyzes system
failure modes from a system level down through the Failure Mode Effect Analysis
(FMEA) methodology.
MSG-3 segregated the consequences of functional failures into two categories:
“safety” and “economic”. Further classification determined subcategories based on
the evidence of the failure: “evident to” or “hidden from” the operating crew.
The task-oriented model eliminated the confusion associated with the interpreta-
tion of Hard-Time, On-Condition, and Condition Monitoring.
6.1 Maintenance Review Board Report (MRBR) 53

On the structural side, the logic evolved to take into consideration possible struc-
tural deterioration (fatigue, corrosion, accidental damage, age, etc.) and recognized
new damage tolerance and fatigue evaluation rules.
The MSG-3 methodology is maintained by the ATA and has continued evolving
in successive revisions of the document published since its first issue.3 Some
of the changes are the addition of guidelines for the Corrosion Prevention and
Control Program (CPCP), the Enhanced Zonal Analysis Procedure (EZAP) with
emphasis on the Electrical Wiring Interconnect Systems (EWIS) and the analysis for
Lightning/High Intensity Radiated Field (L/HIRF).
The MSG-3 Analysis methodology is gutted in the following paragraphs.

6.1.6 MSG-3 Analysis Methodology

The working portions of the MSG-3 process are contained in four individual sections,
each one with its own decision-logic:
• Systems and Powerplant,
• Aircraft Structures,
• Zonal Inspections,
• Lighting/High Intensity Radiated Field (L/HIRF).

6.1.6.1 Systems and Powerplant

Systems and Powerplant Analysis Procedure

Before the MSG-3 logic can be applied to aircraft systems and powerplants, the Main-
tenance Significant Items (MSIs) must be identified in a top-down approach process
that first will classify the aircraft’s major functional areas, ATA systems/subsystems
and down until all replaceable items. The highest manageable level of the items
subject of failure that could affect safety, be undetectable during operations, or have
significant operational or economic impact will be selected in the “Candidate MSI
List.” The list will be reviewed by the ISC and validated by the Working Groups.
Once the MSIs have been listed, the function (normal characteristics of an item),
functional failures (failure of an item to perform its intended function), failure effects
(results of functional failures) and failure causes (why the functional failure occurs)
will be identified for each MSI.
Following the established decision-logic diagrams described in the MSG-3:
• The consequences of failure are classified into Failure Effect Categories (FECs):
– Evident Safety (FEC 5): task required to ensure safe operation.
– Evident Operational (FEC 6): task desirable if it reduces the risk of failure.

3MSG-3: Operator/Manufacturer Scheduled Maintenance Development, Volume 1—Fixed Wing

Aircraft. A4A. Revision 2018.1.
54 6 AMP Primary Sources

– Evident Economic (FEC 7): task desirable if the cost of the task is less than
the cost of repair.
– Hidden Safety (FEC 8): task required to avoid the safety effect of failure.
– Hidden Non-safety (FEC 9): task desirable to avoid economic effects of
failure.
(Note: Evident/Hidden refers to the crew awareness of the failure during
normal operation)
• The failure causes are analyzed for each FEC to select the specific type of task:
– Lubrication (LUB)/Servicing (SVC) (for all FEC categories). The purpose is to
maintain inherent design capabilities. This task is selected if the replenishment
of the consumable reduces the rate of functional deterioration.
– Operational (OPC)/Visual Check (VCK) (for FEC 8 and 9 only). The purpose
is to determine that an item is fulfilling its intended purpose; it does not require
quantitative tolerances, it is a failure finding task. This task is selected if it is
possible to identify the failure.
– Inspection (GVI/DET/SDI)/Functional Check (FNC) (for all FEC categories).
The purpose of an inspection is to detect damage, failure, or irregularity. The
purpose of a functional check is to determine if the function(s) of an item
performs within specified limits; it is a quantitative check.
This task is selected if the reduced resistance to failure is detectable and
exists a consistent interval between deterioration condition and functional
failure. The level of inspection and the methods necessary to detect the failure
determine three types of inspection:
General Visual Inspection (GVI): visual examination to detect obvious
defects within touching distance.
Detailed Visual Inspection (DET): intensive examination to detect defects.
Special Detailed Inspection (SDI): intensive examination to detect defects
that require specialized equipment/techniques.
– Restoration (RST) (for all FEC categories). The purpose is to return the item to a
specific standard. This task is selected if the item shows functional degradation
at a certain point in its life and most of the units are to be used after that point.
– Discard (DIS) (for all FEC categories). The purpose is to remove from service
the item at a specified life limit. This task is selected if the item shows functional
degradation at a certain point in its life and most of the units are to be used
after that point, but it is not possible to restore the item to a specific standard.
– Combination (for FEC 5 and 8 only). For the safety categories, it is necessary
to analyze all possibilities to choose the most effective task(s).

Task Interval
The task interval is selected by the Maintenance Working group (MWG) based on
available data (failure rates and characteristics) and/or guided by the experience with
similar systems or components. The MWG takes into consideration tests, technical
6.1 Maintenance Review Board Report (MRBR) 55

Fig. 6.2 Systems and Powerplants MSG-3 Analysis (simplified)

analysis, and recommendations of the manufacturer, customer requirements, and

service experience with similar items.
During this process, the MWG will identify the appropriate parameter(s) (flight
hours, flight cycles, calendar time, engine/APU hours/cycles, engine/landing gear
change, etc.) and the associated numerical interval(s).
Warning: A task should not be performed more often than required as it may have
an adverse effect on safety and reliability due to maintenance errors.
Certification Maintenance Requirements (CMR)
Certification Maintenance Requirements (CMR) are tasks identified during the type
certification process. They are the result of a System Safety Analysis intended to
detect safety significant latent failures that may result in a hazardous or catastrophic
failure condition. See Sect. 6.2.1.3 for further information.
56 6 AMP Primary Sources

CMRs are originated from a different analysis process than the MSG-3 analysis.
However, it may be acceptable to use an MSG-3 task in lieu of a Candidate CMR
(CCMR) only in the following case: The MSG-3 task is safety categorized, meets
the interval and scope of the CCMR or is adjusted to meet it, and it is accepted by
the ISC/WG. If the ISC/WG does not accept the CCMR, then a CMR is established
and remains independent from the MSG-3 task.
Sampling
When no enough experience to determine appropriate tasks and intervals exist, the
MSG-3 methodology can implement Sampling programs to examine certain number
of items that are subject to in-service deterioration. No-sampled items continue in
service until the results of the Sampling determine the need for additional tasks and/or
item improvement.

6.1.6.2 Aircraft Structures

The Aircraft Structure consists of fuselage, empennage, engine mountings, landing

gear, flight control surfaces, and related points of attachment.
The actuation portions of landing gear, doors, flight controls, dynamic components
such as hinge bearings, are treated as system components and their failures analyzed
as described in the previous section Systems and Powerplants. For some other items
for which it is difficult to identify them as pure system or pure structure should not
be analyzed independently; coordination of Systems and Structures Working Groups
is necessary.
Damage Sources
• Accidental Damage (AD): random event which may reduce the strength of
the structure and is not readily detectable. For example, handling equipment,
foreign objects, hail, lighting, runway debris, etc. Large-size ADs as a bird strike,
large hail, or major collisions that are detectable immediately are not part of this
assessment.
• Environmental Deterioration (ED): deterioration as a result of chemical interac-
tion with the climate or environment. For example, corrosion and stress corrosion
cracking, which is the combination of a corrosive environment and tensile stress.
Corrosion Prevention and Control Programs (CPCP) are designed to control an
aircraft structure to Corrosion Level 1 or better, meaning that the corrosion damage
does not require structural reinforcement or replacement.
Refer to Sect. 7.1.2 for further information on Corrosion Levels.
• Fatigue Damage (FD): propagation of cyclic loading of cracks.
6.1 Maintenance Review Board Report (MRBR) 57

Fig. 6.3 Structures MSG-3 analysis (simplified)

Structures Analysis Procedure

The MSG-3 logic applied to aircraft structures requires to categorize the structural
items according to the consequences of the failure into:
• Structural Significant Item (SSI): any item that in case of failure could affect
the structural integrity necessary for the safe operation of the aircraft.
• Other Structure: any other structural item not classified as SSI.
58 6 AMP Primary Sources

Any SSI for which there is an associated Principal Structural Element (PSE) is
subject to the Damage Tolerance and Fatigue Evaluation that is not part of the MRB
process but part of the aircraft certification (CS 25.571). A PSE is an element that
contributes significantly to the carrying of flight, ground, or pressurization loads,
and whose integrity is essential in maintaining the overall structural integrity of
the aircraft. The Structural Airworthiness Limitations are the result of such different
process and are listed in a different document. See Sect. 6.2.2 for further information.
Disregarding the SSI with associated PSE, the analysis of the SSI is carried out,
in the first instance, attending to the detection of structural failures.
• Damage Tolerance (DT). Structure that can sustain damage without structural
failure until the damage is detected. The manufacturer determines if timely
detection is dependent on schedule inspections.
On the other hand, all SSI are analyzed attending to the material of the structure:
• Metallic: AD/ED and CPCP inspection requirements are determined. If ED and
CPCP requirements are similar, the ED task will cover the CPCP requirement;
otherwise, a CPCP task is established.
• Non-metallic: AD/ED inspection requirements for timely detection of damage
(including the impact of AD on ED) are listed.
For Other Structure, if the item has similar items on existing aircraft, the Struc-
tures Working Group (SWG) will develop the maintenance recommendations; other-
wise, e.g., for new materials or designs, the recommendations will be given by
the manufacturer. The tasks selected are included in the Scheduled Structural
Maintenance.
Tasks from FD, AD, ED/CPCP (other than Airworthiness Limitations), and tasks
from the Other Structure analysis are evaluated for zonal transfer and either become
zonal inspection candidates or are listed in the MRBR Structures Section.

6.1.6.3 Zonal Inspections

The review of each aircraft zone usually happens when the MSG-3 analysis of
Systems, Powerplant, and Structures are concluded.
Special attention is given to Electrical Wiring Interconnection Systems
(EWIS), defined as any electrical connection, including the associated terminal
devices with the purpose of transmitting electrical energy, data, or signals. EWIS has
been a major concern after two catastrophic aircraft accidents that were associated
with electrical wiring systems degradation.
6.1 Maintenance Review Board Report (MRBR) 59

Zonal Analysis Procedure

The first step to apply the MSG-3 logic is to divide the aircraft into zones as defined
in the ATA iSpec 2200.4
For each Zone, the following details are to be listed: access, installed equip-
ment, L/HIRF protection features, wire bundle installation, potential for presence of
combustible materials, etc.
There are two types of zonal analysis:
• Standard Zonal Analysis for zones containing only structure and/or systems
installations without electrical wiring. All tasks developed through the stan-
dard zonal analysis should be included in the Zonal Inspections. However, the
Zonal Inspections may be compared with the GVIs arisen from the Systems and
Powerplant, Structures, and L/HIRF analysis procedures in this way:
– If the access requirement is the same and the proposed interval is at least as
frequent, the Zonal Inspection will fully cover the GVI.
– Otherwise, a stand-alone GVI should be included in the corresponding MSI
for Systems and Powerplant, in the SSI for structures, and LHSI for L/HIRF,
from which it was identified.
• Enhanced Zonal Analysis Procedure (EZAP) for zones that contain systems
installations with electrical wiring, including potential for combustible material
presence. The EZAP identifies stand-alone inspection tasks focused on EWIS.
Task type selection:
– GVI may be found effective for the complete zone. GVIs arising from the
EZAP are to be compared with the Zonal Inspections result of the standard
zonal analysis. If the access requirement is the same and the proposed interval is
at least as frequent, the Zonal Inspection will fully cover the GVI. Otherwise,
a stand-alone GVI should be included in the Systems and Powerplant tasks
under ATA 20 Standards Practices—Airframe with references to the EZAP.
– DET may be found effective for specific items in a zone. In this case, the
Detailed Inspection should be included in the Systems and Powerplant tasks
under ATA 20 Standards Practices—Airframe with references to the EZAP.
Whenever possible, the intervals should match those selected for targeted schedule
maintenance checks.
Each zone may involve multiple zonal inspections with less frequent intervals for
those requiring intensive access requirements.

4 iSpec 2200 is a global standard, also developed by the Air Transport Association (ATA) as the
MSG-3, which includes the specifications for the content, structure, and electronic exchange of
aircraft engineering and maintenance information.
60 6 AMP Primary Sources

Fig. 6.4 Zonal MSG-3 analysis (simplified)

6.1 Maintenance Review Board Report (MRBR) 61

Lesson Learned—Swissair Flight 111

On 2 September 1998, the McDonnell Douglas MD-11, operating Flight 111,
departed from John F. Kennedy (JFK) International Airport, New York, on a
flight to Geneva, Switzerland. The aircraft crashed on fire into the Atlantic
Ocean and all 229 occupants on board were killed.
The results of the investigation carried out by the Transport Safety Board
(TSB) of Canada5 revealed that an electrical short circuit, likely from the wiring
of the in-flight entertainment system, ignited the flammable insulation and the
fire propagated to multiple aircraft systems that led to the loss of control of the
aircraft.

Fig. 6.5 Partial reconstruction of the cockpit area. Transportation Safety Board of Canada

The fire likely started above the cockpit ceiling, a zone with several wire
bundles containing hundreds of wirings, due to a wire arcing event that
ignited the nearby insulation blankets. The presence of significant amounts
of flammable material allowed the fire to spread and intensify rapidly. The
aircraft did not incorporate built-in smoke and fire detection and suppression
devices in the area where the fire started, nor were required by regulation.
The TSB inspections of other MD-11 aircraft showed wiring discrepancies
that included chafed, cut, and cracked wires and inconsistencies in wire and
wire bundle routing. The Canadian TSB sent an Aviation Safety Advisory
(ASA) to the American NTSB, which was translated into the FAA issuing

5Aviation Investigation Report—In-Flight Fire Leading to Collision with Water of the Swissair
McDonnell Douglas MD-11 HB-IWF. Transportation Safety Board (TSB) of Canada.
62 6 AMP Primary Sources

an MD-11 Airworthiness Directive requiring inspection to determine whether

wiring discrepancies exist that could cause electrical arcing.
Although not being the case because the Swissair MD-11 was just seven
years old, this accident highlighted the potentially catastrophic consequences
of ageing aircraft wiring.
As a consequence of this and other accidents, such as the TWA Flight
800 that is detailed in the Fuel Airworthiness Limitations (FAL) paragraphs,
the certification specifications were revised to elevate the wiring requirements
to a higher level. The risks associated with wirings are nowadays addressed
under the Electrical Wiring Interconnection System (EWIS) requirements.
CS/FAR 25.1729 requires that the TCH incorporates any mandatory replace-
ment time of EWIS components and an Enhanced Zonal Analysis Procedure
(EZAP) in the ICA. The EZAP requires to identify each zone of the aircraft that
contains EWIS and each zone that contains EWIS and combustible materials
or is in close proximity to hydraulic, mechanical, or electrical flight controls.
EZAP includes the tasks and intervals to reduce the likelihood of ignition
sources and accumulation of combustible material, procedures to clean the
EWIS components of combustible material, and instructions and caution infor-
mation to minimize contamination and EWIS accidental damage during aircraft
maintenance, modifications or repairs.

6.1.6.4 Lighting/High Intensity Radiated Field (L/HIRF)

The intent of L/HIRF maintenance is to reduce the possibility that a single failure
cause (such as a lightning strike), and the occurrence of a common failure cause
(such as ED or AD) across redundant channels of L/HIRF protection, could impact
aircraft airworthiness.
L/HIRF protection relies on internal and external protection components:
• For Line Replaceable Units (LRU) with L/HIRF internal Protection Components
whose failures could have an adverse effect on safety, the aircraft manufacturer
will confirm that the LRU manufacturer ensures the effectiveness of the protection.
It may be through LRU CMM procedures or other data acceptable to the regulatory
authorities. MSG-3 analysis is not required.
6.1 Maintenance Review Board Report (MRBR) 63

• External On Aircraft L/HIRF Protection Components whose failure could have

an adverse effect on safety must be analyzed.
The TCH may develop a combined Zonal and L/HIRF assessment if it is found
convenient; in any case, it should be reflected in the PPH.
Lightning/High Intensity Radiated Field (L/HIRF) Analysis Procedure
The majority of the L/HIRF protection scheduled maintenance will be covered by
the Zonal Inspections. When the Zonal Inspections cannot identify the degradation
of the L/HIRF protection components, additional tasks are required.
The first step is to identify the L/HIRF Significant Items (LHSI), which are
those that perform a specific function necessary to provide L/HIRF protection of crit-
ical systems and structure. Only protection components that are subject to Environ-
mental or Accidental Damage (ED/AD) may require dedicated L/HIRF maintenance.
ED/AD threats are determined for each location where LHSIs are installed:
• If the degradation is detectible through the Zonal Inspections, no dedicated
L/HIRF is required.
• If the Zonal Inspections do not cover the detection of degradation of the LHSI
and:
– the degradation is detectable without disassembly: the appropriate level of task
and interval are selected.
– disassembly is required: it is necessary to assess the effects of disassembly
versus the probability of degradation of the installation.
If the assessment requires a task, the appropriate level of task and interval
are selected.
If the assessment shows that disassembly can result in additional deteriora-
tion or induce damage into the LHSI, no task is selected but redesign may
be necessary.
The Working Group evaluates the L/HIRF Protection Assurance Plan (PAP) (with
sample size details, number of test points, etc.) developed by the TCH, if any, in order
to determine if it covers the intent of the task or a stand-alone task is required.
The tasks selected are included in the Systems and Powerplant tasks under ATA
20 Standards Practices—Airframe with references to the L/HIRF.
64 6 AMP Primary Sources

Fig. 6.6 L/HIRF MSG-3 analysis (simplified)

Lesson Learned—Pan Am Flight 214

The aircraft is an excellent electrical conductor that becomes an efficient path
for electrical discharge. On average, each aircraft is struck by lightning once
or twice a year; it depends on the area and the type of operation. Lightning
strikes occur more often on aircraft flying short routes as the aircraft has to
cross altitudes with intense lightning activity (climb and descent phases) more
often. The lightning effects include physical damage directly associated with
the arc event, indirect effects due to the lighting current, ignition of fuel tank
vapors, or engine shutdown.
On 8 December 1963, the Pan Am Flight 214 operated with a Boeing 707
departed Baltimore, Maryland, with the intention to land in Philadelphia, Penn-
sylvania. The aircraft was struck by lightning, turned into fire, and a large
portion of the left wing separated. The aircraft crashed in flames killing all the
81 occupants.
The results of the investigation carried out by the Civil Aeronautics Board
(CAB),6 the precursor of the NTSB, concluded that the lightning induced the

6Aircraft Accident Report—Pan American World Airways Boeing 707–121, N709PA, near Elkton,
Alaska. CAB. 25 February 1965.
6.1 Maintenance Review Board Report (MRBR) 65

ignition of the fuel–air mixture in the left reserve fuel tank with resultant
explosive disintegration of the left outer wing and the aircraft lost control.

Fig. 6.7 Photo of the Pan Am accident B707 aircraft. FAA archive

In the mid-1950s, the first lightning protection design and test standards
had been published focusing on electrical bonding and lighting protection
of fuel systems; no attention was given to the effects of currents conducted
through other systems (e.g., electrical or avionics systems), or the overall
aircraft structure.
Until the Pan Am accident, it was assumed that proper electrical bonding
of fuel system components provided protection against lightning-induced fuel
tank explosion. The investigation revealed that additional means to mitigate
the effects of lightning were needed, e.g., electrical shielding, increased skin
thickness to prevent lightning penetration, etc.
The CAB issued a battery of recommendations that included the installa-
tion of static discharge wicks on aircraft not so equipped. Additionally, it was
recommended to expand efforts to achieve practical means by which flammable
air-vapor mixture was eliminated from the fuel tanks; between other solutions,
the CAB proposed inerting the space above the fuel. Some decades later, after
the catastrophic TWA 800 fuel tank explosion detailed in Sect. 6.2.1.4, the
inerting systems would come to picture again and would become a requirement.
The CAB recommendations in regards to the Pan Am accident led the FAA
to issue specific regulations to protect the aircraft from the catastrophic effects
of lightning and, more specifically, for the fuel system lightning protection.
Since the Pan Am event, technical studies and recommendations from other
accidents/incidents have been modeling the regulation.
For example, until 1976 the efforts of the fuel systems specialists focused
on electrical bonding of components installed in the wing tank skins and
surrounding skins and structures, but the picture changed when the Imperial
Iranian Air Force Flight ULF48, a Boeing 747, crashed during its approach
66 6 AMP Primary Sources

to Madrid, Spain, due to a fuel tank explosion caused by lightning strike, killing
all 17 people on board. The specialists began to think also about the effects of
lightning currents inside fuel tanks.
Protection of aircraft electrical and electronic systems has gained rele-
vance during the recent years due to the increased High Intensity Radiated
Field (HIRF) environment (radars, ground-based equipment, RF transmitters,
etc.) and the increased dependence on electrical/electronic systems performing
functions required for the safe operation of the aircraft (avionics, fly-by-wire,
autopilot, etc.). The first HIRF environment certification was developed in
Europe to protect the Airbus A320 critical systems. In 1987, the FAA also
imposed certification standards to protect electrical and electronic systems
that perform critical functions from HIRF.
Current regulations define the certification requirements for L/HIRF protec-
tion and address the effects of lightning on structures, fuel systems, engines,
electrical and electronic system wiring and equipment, and external equip-
ment and sensors that are connected to electrical and electronic sensors, such
as antennas and air data probes, and the effects of HIRF on electrical and
electronic systems.

6.1.7 Issue Paper 44 (IP 44): MRB Evolution/Optmization

Guidelines

In 2001, the Transport Canada Civil Aviation (TCCA) requested more defined
policy/standards/procedures for the MRB evolution process. Canadian operators
demanded to escalate MRB checks, being the competition the motivating factor. The
TCCA did not feel comfortable by granting escalations and skipping the authority
of the TCH respective regulatory agencies.
While the MRB establishes the initial minimum maintenance tasks and intervals
for new operators, that tend to be conservative, the maximum intervals are only
justified by the in-service experience.
In 2008, the IMRBPB approved the first issue of the IP 44 Evolution/Optimization
Guidelines document. The guidelines were incorporated into the IMPS Issue No. 01
in 2019.
The guidance provided in the IP 44 establishes the basis for the PPH
when TCH/OEM, MRB, and ISC want to proceed with an exercise for the
Evolution/Optimization of the MRBR process. The procedures for the Evolu-
tion/Optimization based on in-service experience should be part of the Policy and
Procedures Handbook (PPH) for the aircraft type developed by the TCH.
6.1 Maintenance Review Board Report (MRBR) 67

The Evolution/Optimization is carried out through the analysis of in-service data.

This analysis allows to adjust tasks and intervals to the accumulated in-service
experience.
The data collected by the TCH should be based on representative samples of
different aircraft age (older and newer aircraft) and all possible operating environ-
ments. The data should be standardized and include the following information:
• Serial Number of the aircraft.
• Number of tasks accomplished: the number of times the task has been accom-
plished, including findings. The data of consecutive task accomplishments may
be required, especially for lower interval tasks, to assess the reliability related to
the MRBR task.
• Interval of task findings applied: actual task interval of each participating operator.
• Component Data (Shop Findings, No-Fault-Found Removals, and Failures): This
data is necessary to perform component failure-mode and life-cycle analysis
necessary to support the evolution/optimization of tasks associated with the
component.
• Failure Effect Category (FEC) considerations: based on the criticality identified
during the MSG-3 analysis.
• Utilization: operational representation of Flight Hour versus Cycles versus
Calendar time.
• Maintenance findings.
– Scheduled: findings during routine maintenance tasks.
– Unscheduled: findings and corrective actions, including PIREPs (Pilot Reports)
and MAREPs (Maintenance Reports).
The significance of the findings should be weighed. Findings in the course of
unrelated maintenance tasks must also be taken into consideration. Scheduled and
unscheduled maintenance should be linked to the appropriate MRBR task, if possible,
using four digit ATA codes.
The in-service data collected is processed through statistical models. The data size
should be sufficient to ensure a 95% confidence level on a task-by-task basis. This
means the likelihood that the overall performance lays within the range specified by
the sample fleet performance.
The engineering assessment should include the analysis of the correlated in-
service data and the review of modification status, fleet configuration, and any other
relevant information.
Note: Special care is required for MRBR tasks that have been used to cover
Candidate Certification Maintenance Requirements (CCMR). The earlier decisions
have to be revisited to ensure they are not invalidated.
68 6 AMP Primary Sources

6.2 Airworthiness Limitations (ALS) and Certification

Maintenance Requirements (CMR)

Airworthiness Limitations (ALS) are scheduled maintenance items required by the

design that are considered critical from a System Safety Analysis (SSA) or the
Fatigue and Damage Tolerance evaluation of the structure to address potential
unsafe conditions of the aircraft. ALS requirements are MANDATORY.
Conditions that do not have catastrophic effects on operational safety but maintain
the continued airworthiness of the design are usually evaluated during the MRB
process. It does not mean that an item (structure, system or component) is assessed
only through a unique process (ALS assessment/evaluation or MSG-3 analysis), but
are complementary. Attending to the unsafe/no-unsafe condition that the system or
component may develop, one of the assessments or both are required.
ALS are derived from two types of analyses performed by the TC/STC appli-
cant/holder, different from the MRB process/MSG-3 methodology, that may generate
different types of ALS requirements:
• System Safety Analysis (SSA): driven by CS/FAR 25.1529 Instructions for
Continued Airworthiness and CS/FAR 25.1309 Equipment, systems and installa-
tions with specific considerations for EWIS, fuel tank ignition prevention, control
systems, fuselage doors, powerplant installation and reversing systems. When the
design of the aircraft systems cannot comply with the conditions specified in the
certification specifications, Airworthiness Limitations are established to prevent
the development of failures in the form of:
– System repetitive maintenance tasks or CMR,
– Critical Design Configuration Control Limitations (CDCCL) (only for fuel
systems), or
– System Life Limitations.
• Damage Tolerance and Fatigue Evaluation of the structure: driven by CS/FAR
25.1529 Instructions for Continued Airworthiness and CS/FAR 25.571 Damage
tolerance and fatigue evaluation of the structure. Based on this evaluation, airwor-
thiness limitations are established to prevent catastrophic failure of the structure
in the form of:
– Structural repetitive maintenance tasks, or
– Structural Life Limitations.
This subchapter addresses the ALS processes and requirements and presents two
examples of ALS documentation data packages provided by different TCHs.
6.2 Airworthiness Limitations (ALS) and Certification … 69

6.2.1 Requirements Derived from Systems Safety Analysis

(SSA)

In order to understand the Systems Airworthiness Limitations derived from a

System Safety Analysis (SSA), it is required to define the Failure Effects and
the design/installation requirements for the aircraft systems, components, and
equipment.
The details and specifications of the SSA during the CMR process and the
determination of Fuel Airworthiness Limitations are detailed in this subchapter.

6.2.1.1 Failure Effects and Systems Safety Analysis (SSA)

The fail-safe design concept considers the effects of failures and combination of
failures in defining a safe design and ensures to a large degree the initial airworthiness
of the aircraft: life limits, redundant and backup systems, isolation and/or segregation
of systems/components/elements, proven reliability, failure warning or indication,
flight crew procedures, etc.
Classification of the types of failure condition according to the severity of its
effects:
• No safety effect: It does not affect safety.
• Minor: It does not significantly reduce the aircraft safety and the crew actions are
within their capabilities.
• Major: It reduces the capability of the aircraft or the ability of the crew to cope
with adverse operating conditions. It implies a significant reduction in safety
margins or functional capabilities, a significant increase in crew workload or in
conditions impairing crew efficiency, or discomfort to the flight crew, or physical
distress to passengers or cabin crew, possibly including injuries.
• Hazardous: It reduces the capability of the aircraft or the ability of the crew
to cope with adverse operating conditions. It implies a large reduction in safety
margins or functional capabilities, physical distress, or excessive workload such
that the flight crew cannot be relied upon to perform their tasks accurately or
completely, or serious or fatal injury to a relatively small number of the occupants
other than the flight crew.
• Catastrophic: It results in multiple fatalities, usually with the loss of the aircraft.
A System Safety Analysis (SSA) involves the assessment of all the systems on
the aircraft to determine the effect of a failure. The type of analysis conducted can
be:
• Quantitative: use of mathematical methods. Quantitative methods are often used
to assess complex systems when there is no sufficient service experience, e.g.,
during initial design certification.
70 6 AMP Primary Sources

• Qualitative: subjective non-mathematical assessment based on engineering judg-

ment. Examples: Design Appraisal, Failure Modes and Effect Analysis (FMEA),
Fault Tree or Dependence Diagram Analysis, Markov Analysis, etc.

6.2.1.2 Design and Installation Requirements

Attending to the design requirements described in the certification specifications, it

is possible to categorize the Systems Airworthiness Limitations into CMR and other
limitations.
Design Requirements—CMR
A Candidate Certification Maintenance Requirement (CCMR) is established
when it is not possible to comply with the following design conditions for the aircraft
systems and components:
• any catastrophic failure is extremely improbable and does not result from a single
failure,
• any hazardous failure condition is extremely remote,
• any major failure condition is remote, and
• the crew errors are minimized through immediate indications and warnings when
an unsafe system operating condition exists.
CCMRs are proposed during the initial design certification. The failure effects
probabilities are considered up to the Design Service Goal (DSG) of the aircraft.
The DSG is the period of time (in FH, FC, or both) established at design and/or
certification during which the aircraft structure is expected to be reasonably free from
significant cracking.
Concerns beyond the DSG or concerns arising after the initial design certification
are usually addressed through different means than the CMR process, e.g., an SSA
that may originate a System Scheduled Maintenance Requirement.
Design Requirements—Other Limitations
A system repetitive maintenance task, CDCCL or System Life Limitation is estab-
lished when it is not possible to comply with the following design and installation
conditions for the aircraft systems or equipment:
• Aircraft equipment and systems required for the type certification or by operating
rules must be designed and installed in the way that they perform as intended,
• Other equipment and systems should not be a danger in themselves or adversely
affect those required by the certification/operation, and
• EWIS must be designed and installed in the way that any catastrophic failure
condition is extremely improbable and does not result from a single failure, and
any hazardous failure condition is extremely remote.
6.2 Airworthiness Limitations (ALS) and Certification … 71

6.2.1.3 Certification Maintenance Requirements (CMR)

ICAO defines a Certification Maintenance Requirement (CMR) as “the scheduled

maintenance that is required by design to help show compliance with the appropriate
type certification basis by detecting the presence of a safety-significant latent failure
that would result in a hazardous or catastrophic failure condition”.
CMRs are system repetitive maintenance tasks established during the
type/supplemental type certification process to detect:
• latent failures that may result in a hazardous or catastrophic failure condition,
• latent failures that may result in a major failure condition and the SSA identifies
the need for a scheduled maintenance task, or
• impending wear out of an item whose failure is associated with a hazardous or
catastrophic failure condition.
The standards for the CMR process are set in the EASA AMC 25.1309 Equipment,
Systems and Installations, AMC 25-19 Certification Maintenance Requirements,
and FAA AC 25.1309-lA System Design and Analysis and AC 25-19A Certification
Maintenance Requirements.
Failure Effects Probability
The following descriptions of the probability of failure effects of the aircraft systems
and components are adopted in EASA CS-25 (AMC 25.1309). FAA AC 25.1309-lA
establishes the same limits but considering Remote Failure Condition and Extremely
Remote Failure Conditions probability terms under a single category: Improbable
failure.
CMRs are usually based on quantitative analysis when no relevant service
experience is accumulated.
Standard System Safety Analysis (SSA) Process
A Standard System Safety Analysis for the aircraft systems and components is
performed by the TC/STC applicant/holder. It can be simplified in the following
six steps:
• Define the systems and their interfaces and identify the functions that the system
is to perform.
• Identify and classify failure conditions. It can be done through a Functional Hazard
Assessment, which is a systematic examination of the aircraft and system func-
tions to identify failure conditions arising from malfunctions, failure to function,
or as a normal response to unusual or abnormal external factors.
– For non-complex systems with relevant attributes that are similar to systems
used on other aircraft: classification derived from design and installation
appraisals and the service experience of the comparable system.
– For complex systems: systematically postulate the effects on the safety of the
aircraft and its occupants resulting from any possible failure(s).
72 6 AMP Primary Sources

Table 6.1 Failure conditions probability in quantitative and qualitative methods

Failure conditions Quantitative method Qualitative method
Probable Failure Conditions Average Probability Per Flight Anticipated to occur one or
Hour greater than of the order more times during the entire
of 1 × 10−5 operational life of each aircraft
Remote Failure Conditions Average Probability Per Flight Unlikely to occur to each
Hour of the order of 1 × 10−5 aircraft during its total life, but
or less, but greater than of the which may occur several times
order of 1 × 10−7 when considering the total
operational life of a number of
aircraft of the type
Extremely Remote Failure Average Probability Per Flight Not anticipated to occur to
Conditions Hour of the order of 1 × 10−7 each aircraft during its total
or less, but greater than of the life but which may occur a few
order of 1 × 10−9 times when considering the
total operational life of all
aircraft of the type
Extremely Improbable Failure Average Probability Per Flight Not anticipated to occur during
Conditions Hour of the order of 1 × 10−9 the entire operational life of all
or less aircraft of one type

• Select the depth and scope of the analysis based on the types of functions
performed by the system, the severity of the system failure conditions, and the
complexity of the system.
• Conduct the analysis and produce the data
• Assess the analysis and conclusions of multiple safety assessments.
• Prepare compliance statements, maintenance requirements (CCMR), and flight
manual requirements.

Selection of CMRs
The Certification Maintenance Coordination Committee (CMCC) is convened
by the TC applicant and should include manufacturer representatives (maintenance,
design, safety), operators designated by the Industry Steering Committee (ISC)
Chairperson, Certification Authority (CA) specialist(s) and the MRB Chairperson.
The CMCC reviews the Candidate Certification Maintenance Requirements
(CCMRs), their purposes, the failure conditions and their criticality, the intended
tasks and intervals, and other relevant factors.
The CMCC discusses CCMR compatible tasks generated by the MRB if the MRB
task is safety categorized (FEC 5 and 8) and meets or can meet the interval and scope
of the CCMR, in which case the CMCC coordinates with the ISC/MWG for their
review. If the proposed/revised MRB task and/or intervals are accepted by the ISC,
the CCMR will be included in the MRBR. It will be required any type of means and
protections to avoid that future optimization/evolution exercise change the scope or
the interval that is required by the corresponding CCMR.
6.2 Airworthiness Limitations (ALS) and Certification … 73

CMCC will compile the results of the review of CCMRs and the agreements with
the ISC and will submit the final CMR document to the Certification Authority (CA)
for approval.
The introduction of a new CMR or changes to an existing CMR after the
certification must also be reviewed by the CMCC and approved by the CA.
CMRs are functionally equal to ALIs, and usually, the CMR approved document
is included in the Airworthiness Limitations.
CMR Categorization
The TC applicant usually categorizes the CMRs based on the sensitivity of the Failure
Condition to interval escalation:
• One Star CMR (CMR*): mandatory task that cannot be escalated, changed, or
deleted without the approval of the State of Design Certification Authority.
• Two Star CMR (CMR**): mandatory task that cannot be escalated, changed, or
deleted without the approval of the competent Certification Authority of the State
of registration that will require the support of approved escalation procedures
under a Reliability Program.

CMR Changes
Concerns beyond the DSG or concerns arising after the initial design certification are
addressed through different means than the CMR process. CMR post-certification
changes may only arise due to any of the following reasons:
• the world fleet service experience shows that certain assumptions regarding
component failure rates made during the SSA were too conservative and new
re-calculated failure rates demonstrate that the task interval may be changed,
• there are sufficient data basis for the relaxation of the CMR,
• the authority determines that the requirement must be more restrictive (it will be
mandated by an AD), or
• new CMR unrelated to in-service events arises due to:
– certification of design changes, or
– updates to the certification compliance documentation, e.g., due to regulation
changes, AD actions on similar systems or aircraft, awareness of additional
hazardous or catastrophic failure conditions, revised failure rates, consideration
of extended DSG, etc.
New CMRs or changes to existing CMRs should be reviewed, at least, by the same
entities that were involved in the CMCC at the time of the initial design certification.
See Sect. 11.4 for Exceptional Short-term Extension to CMR.
74 6 AMP Primary Sources

Fig. 6.8 System Safety Analysis (SSA) (simplified)

6.2 Airworthiness Limitations (ALS) and Certification … 75

6.2.1.4 Fuel Airworthiness Limitations (FAL)

The prevention of the fuel system ignition and the reduction of the fuel tank flamma-
bility take special relevance due to a series of catastrophic aircraft accidents that have
occurred in the aviation industry in the past years. It has generated special rules and
dedicated sections in the certification and continuing airworthiness regulations.
The standards for the Fuel Airworthiness Limitations (FAL) are set in the
EASA AMC 25.981 Fuel Tank Ignition Prevention, Appendix M Fuel Tank FRM and
FAA AC 25.981-1D Fuel Tank Ignition Source Prevention Guidelines, AC 25.981-2A
Fuel Tank FRM and AC 120-98A Operator Information for Incorporating Fuel Tank
Flammability Reduction Requirements into a Maintenance or Inspection Program.
Fuel Tank System Ignition
Fuel tank flammability is the ability of the fuel tank to ignite or explode. There are
three elements for an ignition/explosion to happen (the Fire Triangle):
• Fuel. The characteristics of the fuel in regards to flammability are measured by
its flash point (lowest temperature at which the fuel produces flammable vapors
at sea level pressure) and its volatility/distillation (capacity of the fuel to produce
flammable vapors).
• Air. Ambient air is a mixture of 21% oxygen, 78% nitrogen, and other gases.
Oxygen is the oxidizing agent during the ignition/explosion process; the fuel
burning reacts with the oxygen to release heat.
• Ignition source. It is any element that can release sufficient energy to initiate
combustion of fuel/air mixture.
Fuel tank system ignition sources:
• Electrical arcs and sparks are the result of electrical component and wiring
failures, lighting, High Intensity Radiated Fields (HIRF)/Electromagnetic Inter-
ference (EMI) and static discharges.
• Friction sparks are the result of rubbing of metallic surfaces, e.g., debris
contacting a fuel pump impeller or an impeller contacting the pump casing. The
debris may come from nuts, bolts, rivets, fasteners, manufacturing or maintenance
debris, and so forth that are drawn into the fuel pumps.
• Autoignition or Hot surface ignition: it is caused by an increase of the flammable
vapors that could exceed the ignition temperature of the fuel. The ignition temper-
ature is the minimum temperature at which a mixture of flammable vapor and
oxygen spontaneously ignite without an external source of ignition (flames, arcs,
or sparks).
• Filament heating: the heating of a small diameter conductive material when
exposed to electrical current.
The methods to reduce fuel tank flammability focus on reducing the presence of:
• Ignition sources. It is achieved minimizing the presence of systems and compo-
nents that may be a source of ignition within the fuel tank, where EWIS and
76 6 AMP Primary Sources

L/HIRF protection play an important role, or through Ignition Mitigation Means

(IMM), such as polyurethane foam.
• Oxygen (fuel–air mixture). It is achieved through Flammability Reduction
Systems (FRS), such as Inert Gas Generation Systems (IGGS) or Nitrogen
Generation Systems (NGS).
The EWIS and L/HIRF protection System Safety Assessments for elements within
the fuel system may be accomplished in conjunction with the Fuel SSA.
Fuel System Safety Analysis (SSA)
The Fuel SSAs to address ignition sources versus flammability should demonstrate
separately that:
• The presence of an ignition source within the fuel system is Extremely Improbable
and does not result from a single failure. Additionally, it must be demonstrated
that no heat transfer can lead to fuel autoignition within the fuel system; any
system that may release heat to the fuel system should be considered during the
analysis.
• If an FRS is installed, that the FRS failure or a failure that could affect the FRS
with potential catastrophic consequences is Extremely Improbable and does not
result from a single failure. Additionally, it must be demonstrated that fuel tank
pressure remains within limits during normal or failure operating conditions and
that the enriched air produced by the FRS does not create a hazard.
Assumptions and considerations for the analysis in regards to ignition sources:
• Fuel tank flammability: explosive fuel–air mixture is present in the fuel tanks at
all times.
• Failure condition classification: the presence of an ignition source is a catastrophic
failure condition unless design features are incorporated to mitigate the hazards
of the fuel tank ignition, e.g., polyurethane foam.
• Failure conditions:
– The analysis must consider the effects of manufacturing variability, aging,
wear, corrosion, and likely damage such as wire bundle located where a
mechanic could use it as a handhold or a fuel probe located where a mechanic
could use it as a step in the tank.
– The analysis must assume deficiencies and anomalies identified through service
experience, failure modes identified, in-service information (e.g., supplier
service data), and any other failure modes identified by the functional hazard
assessment. Service experience shows that degradation of certain elements of
the fuel system such as fuel pumps and associated wiring and connectors, Fuel
Quantity Indicating System (FQIS) wiring, bonding straps, etc., have been
sources of ignition. It may assist in identifying possible failure modes.
• External environment: the severity of the external environmental conditions
considered are those established by the certification regulations, e.g., probability
of lighting encounter should be assumed.
6.2 Airworthiness Limitations (ALS) and Certification … 77

• Ignition sources: electrical arcs and sparks, friction sparks, autoignition, or hot
surface ignition and filament heating must be considered.
• Fuel tanks: the failure modes associated with empty fuel tanks must be consid-
ered, e.g., extended dry running of fuel pumps in empty fuel tanks may result in
temperatures above the ignition temperature of the fuel or may expose the pump
to debris and cause sparks.
Whenever the Fuel SSA cannot demonstrate that catastrophic consequences
are Extremely Improbable and do not result from a single failure, Airworthiness
Limitations are established in the appropriate form:
• System repetitive maintenance task or CMR
• CDCCL
• System Life Limitations

Critical Design Configuration Control Limitations (CDCCL)

Critical Design Configuration Control Limitations (CDCCL) are critical features
of a design that must be maintained to ensure that ignition sources will not develop
within the fuel tank system. CDCCLs do not have interval; whenever mainte-
nance, modifications, or repairs occur in the area, the CDCCL inspection must be
accomplished.
CDCCLs are the means of notifying operators and design and maintenance orga-
nizations about characteristics of the fuel tank system or applicable components or
parts that cannot be changed.
The design holder must ensure that CDCCL items that could result in a failure,
malfunction or defect endangering the safe operation of the aircraft, are evident for
those who may perform and approve maintenance, modifications or repairs:
• CDCCL items must be incorporated to the Airworthiness Limitations.
• CDCCL should be identified in associated ICAs, e.g., Aircraft Maintenance
Manual (AMM), Component Maintenance Manual (CMM), Standard Wiring
Practices Manual (SWPM), Structure Repair Manual (SRM), etc.
• CDCCL items may be provided with visible identification means, e.g., color-
coding of wire to identify separation limits or identification tabs at specific
intervals along the wiring.

Lesson Learned—Trans World Airlines Flight 800

On 17 July 1996, the TWA Flight 800, a Boeing 747 scheduled from John F.
Kennedy International Airport (JFK), New York, to Charles DeGaulle Interna-
tional Airport, Paris, exploded, broke up and impacted into the Atlantic Ocean
killing the 230 people that were onboard.
78 6 AMP Primary Sources

More than 95% of the accident airplane wreckage was recovered and recon-
structed as pertinent, and one of the most ambitious investigations in the
aviation history was undertaken.
The results of the NTSB investigation7 determined that the probable cause of
the accident was the explosion of the center wing fuel tank (CWT), resulting
from ignition of the flammable fuel/air mixture. The CWT was configured
within the airframe such that the air conditioning packs were located in an
enclosed bay, directly below the CWT. The air conditioning packs operate at
high temperatures and the heat was transferred into the CWT. It caused that the
temperature of the fuel increased and flammable fuel-air vapor was generated.

Fig. 6.9 Photo of the TWA 800 reconstructed fuselage. NTSB archive

Although the ignition source could not be determined with certainty, the
most likely was a short circuit outside of the CWT that allowed excessive
voltage to enter it through the electrical wiring associated with the fuel quantity
indication system.
Similar accidents with identical failure causes were taken as references; for
example, the Philippine Airlines Boeing 737 (Flight 143)8 that in May 1990
suffered an explosion in the CWT and bursted the aircraft into flames while it
was on ground, killing 8 of the 119 occupants.

7 Accident Investigation Report—In-flight Break-up Over the Atlantic Ocean, Trans World Airlines
Flight 800 Boeing 747–131, N93119. NTSB. 23 August 2000.
8 Accident description of the Philippines Air Lines Boeing 737-3Y0, EI-BZG. Retrieved from

https://aviation-safety.net.
6.2 Airworthiness Limitations (ALS) and Certification … 79

During the NTSB investigation, many efforts and initiatives were undertaken
in the industry in response to the disaster; it worths to mention the Aircraft Fuel
System Safety Program (AFSSP), a voluntary program that gathered informa-
tion about the overall integrity of the design and maintenance of the fuel systems
throughout the life of the aircraft performing inspections of the world fleet.
The FAA formed the Aviation Rulemaking Advisory Committee (ARAC)
on Fuel Tank Flammability Reduction and a second ARAC on Flammability
Reduction Systems (FMS) that included representatives from Europe, Canada,
and Brazil, to evaluate both reducing or eliminating fuel-air vapor and potential
ignition sources within the aircraft fuel tanks.
The TWA 800 NTSB report recommended reducing the fuel tank flamma-
bility and the ignition sources.
The FAA originally issued guidance material in the form of Advisory Circu-
lars (AC 25.981-1B and AC 25.981-2) for the prevention of fuel tank ignition
sources and flammability minimization.
On 3 March 2001, a similar accident happened again; a Thai Airways
Boeing 7379 suffered a CWT explosion while the aircraft was parked on Don
Mueang Airport, Bangkok.
The FAA issued the Special Federal Aviation Regulation (SFAR) 88 based
on the NTSB, the ARACs, and the industry recommendations. The SFAR 88
required the manufacturers to enhance the maintenance program to maintain
design features that are necessary to prevent ignition sources in the fuel tank.
The result was the requirement for Airworthiness Limitation Inspections
(ALI) and Critical Design Configuration Control Limitations (CDCCL).
Under certain high flammability specifications, the SFAR also mandated the
incorporation of either a Flammability Reduction System (FRS) or an Ignition
Mitigation Means (IMM), including the retrofit of aircraft manufactured since
1992.
The JAA (predecessor of EASA) issued the INT/POL 25/12 to request,
through the National Aviation Authorities, the operators to carry out a safety
review of the fuel systems, in line with the SFAR 88. Later on, EASA required
an FRS for aircraft with high flammability exposure only on new aircraft
manufactured from 2012, without retrofit plans.

9 Accident description of the Thai Airways Boeing 737-4D7, HS-TDC. Retrieved from https://avi
ation-safety.net.
80 6 AMP Primary Sources

6.2.2 Requirements Derived from the Damage Tolerance

and Fatigue Evaluation of the Structure

CS/FAR 25.571 requires that the design applicant/holders evaluate all structure of the
aircraft that may contribute to catastrophic failure with respect to its susceptibility to
Accidental Damage (AD), Environmental Deterioration (ED), including corrosion
damage for metallics and moisture for composites, and Fatigue Damage (FD).
The evaluations required to support the Damage Tolerance and Fatigue consider-
ations involve:
• Damage Tolerance (DT) evaluation
• Fatigue Safe-Life evaluation
• Widespread Fatigue Damage (WFD) evaluation
Damage sources (AD, ED and FD) and classification of the structure (DT and SL)
are introduced in the MSG-3 analysis paragraphs (Sect. 6.1.6.2):
• Damage sources: Accidental Damage (AD) is any random event which may reduce
the strength of the structure and is not readily detectable; Environmental Deterio-
ration ED) is the result of chemical interaction with climate or environment; and
Fatigue Damage (FD) is the propagation of cyclic loading of cracks.
• Classification of the structure attending to the detection of structural failures:
Damage Tolerance (DT) structure can sustain damage without structural failure
until the damage is detected (fail-safe); when structural failure can happen if the
damage is not detected, it is classified as Safe-Life structure.
Based on the result of these evaluations, maintenance requirements may be needed
to avoid catastrophic failures during the operational life of the aircraft. The opera-
tional life of the aircraft, limited by its Limit Of Validity (LOV), is the result of a
full-scale fatigue test that demonstrates that WFD will not occur up to that limit.
The standards for the Damage Tolerance and Fatigue Evaluation of the Structure
process are set in the EASA AMC 25.571 Damage tolerance and fatigue evaluation
of the structure and FAA AC 25.571-1D Damage Tolerance and Fatigue Evaluation
of Structure, AC 120-104 Establishing and Implementing Limit Of Validity to prevent
Widespread Fatigue Damage, AC 120-93 DT Inspections for repairs and alternations.

6.2.2.1 Damage Tolerance (DT) Evaluation

Damage Tolerance (DT) is the attribute of the structure that permits it to retain its
required residual strength without detrimental structural deformation for a period
of use after the structure has sustained a given level of fatigue, environmental,
accidental, or discrete source damage.
DT is based on the fail-safe concept: the structure retains its required residual
strength for a period of time of unrepaired use after failure or partial failure.
6.2 Airworthiness Limitations (ALS) and Certification … 81

The DT evaluation should ensure that, although AD, ED, or FD occurs within the
LOV, the structure will be capable of withstanding the loading conditions specified
in the certification without failure or detrimental structural deformation until the
damage is detected.
The DT evaluation should identify, in the first instance, the structural items subject
of study:
• Principal Structure Element (PSE): element that contributes significantly to the
carrying of flight, ground, or pressurization loads, and whose integrity is essential
in maintaining the overall structural integrity of the aircraft, e.g., elements of
the wing and empennage (control surfaces, primary fittings, etc.), the fuselage
(pressure bulkheads, frames, skin, etc.), the landing gear and its attachments,
engine mounts, thrust reverser components, etc.
• Detail Design Point (DDP): area of the structure that contributes to the suscep-
tibility of the structure to fatigue cracking or degradation such that the structure
cannot maintain its load carrying capability, which could lead to a catastrophic
failure. DDPs are areas of higher risk of fatigue cracking.
Each particular design should be assessed to establish appropriate damage criteria
in relation to:
• Damage-extension characteristics: it should be possible to establish the extent of
damage in terms of parameters (detectability with the inspection techniques to be
used, initially detectable crack size, residual-strength capabilities of the structure,
likely damage-extension rate).
• inspectionability: in cases where the area is not accessible for inspection, the DT
evaluation should allow for the extension of the damage into detectable areas or
demonstrate sufficient residual strength up to the LOV without inspection.
Based on the definition of the PSE/DDP and the damage criteria, the locations of
damage to the structure for DT evaluation, and the modes of damage due to AD, ED,
or FD are identified. The locations may be determined through analysis (static tests,
fatigue analysis, etc.), from the review of the design and/or past service experience.
DT analysis and tests should demonstrate that:
• the structure, with the extent of damage established for residual-strength eval-
uation, can withstand the specified design-limit loads (considered as ultimate
loads),
• the damage-growth rate under the repeated loads expected in service, between the
time the damage becomes initially detectable and the time the extent of damage
reaches the value for residual-strength evaluation, provides a practical basis for
the development of the inspection program and procedures.
DT analysis/test includes repeated load and static analysis. The test evidence,
supported by in-service experience, if any, should provide sufficient data to establish
a structural inspection program that ensures damage detection before it becomes
critical.
82 6 AMP Primary Sources

Structural Repetitive Maintenance Tasks

The ALS inspection thresholds are established by fatigue analysis/tests or crack-
growth analysis/tests assuming an initial manufacturing damage. The thresholds of
the inspections may be as low as the repeat interval or may allow longer periods
when it takes a certain amount of time before fatigue cracks develop to a size that
would be detectable during an inspection.
The MRB process develops an inspection program for early detection of Acci-
dental Damage and Environmental Damage, including CPCP, in order to minimize
the interaction between corrosion and accidental damage and fatigue cracking. ALS
focuses on the detection of cracks developing from the damages that may lead to a
catastrophic structural failure.
ALS requires that the corrosion level is controlled to Level 1 or better (the damage
does not require structural reinforcement or replacement) on all PSE and DDP
that could contribute to catastrophic failure. The CPCP defined in the MRBR is
an acceptable means of compliance.
Any damage found during ALS/MRBR structural inspections, such as fatigue
cracking or corrosion greater than level 1, should be reported to the design holder
for assessment.
Refer to Sect. 7.1.2 for further information on Corrosion Levels.

6.2.2.2 Fatigue Safe-Life Evaluation

When the inspections based on the Damage Tolerance evaluation for a particular
structure are impractical, Fatigue Safe-life evaluation must demonstrate through anal-
ysis/test that catastrophic fatigue failure, as the result of repeated loads of variable
magnitude expected in-service, is avoided up to the LOV.
Safe-life is the number of events such as FH or FC, during which there is a low
probability that the strength of the structure will degrade below its design ultimate
value due to fatigue cracking.
An example of a structure for which a Fatigue Safe-Life evaluation may be
accepted, instead of a Damage Tolerance evaluation, is the Landing Gear and its
local attachments.
The Safe-Life evaluation includes:
• estimation/measurement of the in-service expected loads,
• structural analysis, including consideration of the stress concentration effects,
• fatigue testing in response to the in-service expected loads, and
• evaluation of fatigue initiation due to stress corrosion, disbonding, environment
and corrosion, accidental damage, or manufacturing defects based on a review of
the design, quality control, and past service experience.
6.2 Airworthiness Limitations (ALS) and Certification … 83

Life Limits
When the evidence of the Safe-Life analysis/tests cannot demonstrate that the catas-
trophic fatigue failure of the structure is avoided up to the LOV, replacement times
must be established.
The Safe-Life Limits may be determined by:
• the failure of the structure during fatigue tests, or
• demonstration of fatigue life without failure.

6.2.2.3 Widespread Fatigue Damage (WFD) Evaluation

Widespread Fatigue Damage (WFD) is the simultaneous presence of cracks at

multiple structural details that are of sufficient size and density whereby the structure
will no longer meet the residual strength required for the certification.
Structural fatigue damage begins as an insignificant crack during normal operation
conditions or due to corrosion, scratches, material defects, etc., and grows under
repeated stress compromising the structural integrity of the aircraft. Fatigue damage
can occur locally in small areas or details, in structural elements with the simultaneous
presence of cracks (Multiple Site Damage) or in multiple adjacent structural elements
(Multiple Element Damage).
Limit Of Validity (LOV)
The Limit Of Validity (LOV) is the period of time, stated as FH, FC, or both, for
which it has been demonstrated by full-scale fatigue test evidence that WFD will not
occur in the aircraft structure.
The target for a LOV is usually to meet the Design Service Goal (DSG) established
during the certification process, which is the period of time during which the aircraft
structure is expected to be reasonably free from significant cracking.
The first step is to identify the WFD-susceptible structure. It is a subset of the
PSE that have been identified as Fatigue Critical Structure and that is susceptible
to WFD.
Full-scale fatigue-test evidence is required to support the evaluation of structure
that is susceptible to WFD. Sources of the evidence are:
• full-scale fatigue testing, based on realistic simulation of expected operational
loads and,
• in-service data, e.g., maintenance findings and results of teardown inspections,
which are those dedicated to identifying the extent of the damage caused by AD,
ED, or FD.
After the entire WFD-susceptible structure has been evaluated, a final LOV is
established. It results in maintenance requirements and/or design changes to support
the operation up to the LOV.
If the final LOV is reduced in regards to the targeted LOV, the need for maintenance
requirements or design changes could also be reduced.
84 6 AMP Primary Sources

The Type Certificate (TC) of the aircraft may be issued before completion of the
full-scale fatigue test but must ensure at least one year of safe operation substantiated
by fatigue-test evidence. Until the full-scale fatigue is completed, a limitation equal
to not more than one-half of the cycles accumulated on the fatigue test must be
established. An aircraft should not operate beyond this limitation or the approved
LOV.
Maintenance Requirements, Modifications, and Repairs
When maintenance requirements (inspection, modification, replacement, etc.) are
necessary for an aircraft to reach its LOV, they become Airworthiness Limitations
or may be developed as service information for post-certified aircraft, e.g., through
an SB, and be mandated by Airworthiness Directives.
When it is not possible to demonstrate that the affected structure due to changes
to the TC/STC (modifications or repairs) is free from WFD up to the LOV, it is
necessary to:
• redesign the proposal,
• develop maintenance requirements to support that WFD does not occur before
the LOV, and/or
• establish a new LOV.

Extended Limit Of Validity (LOV)

The requirements for extending a LOV are basically the same than those for estab-
lishing the initial LOV. However, while the Type Certificate Holder is who establishes
the initial LOV, an Extended LOV is considered a major change to the type design,
and therefore, it can be defined as an amendment to the TC by the TCH or as a
Supplemental Type Certificate (STC).
In any case, all the structural modifications/repairs that are already embodied
on the aircraft must be taken into consideration and it becomes necessary that the
operator contacts the corresponding TCH or STCH for their re-assessment.
Extended LOV may apply to all aircraft for which the initial LOV was established
or for a subset of those aircraft. The structural configuration (including modifications
and replacements) must be considered up to the approval date of the Extended LOV.
TCH or STCH must demonstrate that WFD will not occur in the aircraft up to
the Extended LOV. The demonstration likely requires additional full-scale fatigue
testing.
Extended LOV and any maintenance requirement derived from the WFD
evaluation must be incorporated into the Airworthiness Limitations.
The operator is responsible for incorporating the revised ALS requirements into
the AMP.
Considerations for Older Aircraft
For older aircraft that have not been certified under the Damage Tolerance (DT)
evaluation requirements, a Supplemental Structural Inspection Program (SSID) may
be developed. See Chap. 7 for further details.
6.2 Airworthiness Limitations (ALS) and Certification … 85

On the other hand, for aircraft that have not been certified under the Widespread
Fatigue Damage (WFD) evaluation, the FAA (14 CFR 26.21 Limit of Validity)
requires that a LOV and corresponding ALS to support that limit are established
before the aircraft reaches its Design Service Goal (DSG). EASA rulemaking for
aircraft without a defined LOV is in the process of being harmonized with the FAA.

6.2.3 Examples of ALS Documentation Data Packages

The requirements to develop the ALS ICA are analogous between EASA and FAA.
However, the presentation of the ALS maintenance requirements data package
is a choice of the design holder, independently of the EASA/FAA regulatory
environment.
For example, Airbus, under the EASA certification authority, structures the ALS
documentation into the following stand-alone documents:
• Structure:
– ALS Part 1 Safe Life Airworthiness Limitations Items
– ALS Part 2 Damage Tolerant Airworthiness Limitation Items (ALI): derived
from the fail-safe—damage tolerance analysis. Includes the Limit Of Validity
(LOV).
• Systems:
– ALS Part 3 Certification Maintenance Requirements (CMR): derived from the
System Safety Assessment (SSA) and the MSG-3 analysis.
– ALS Part 4 System Equipment Maintenance Requirements (SEMR): derived
from the system safety component evaluation, the MSG-3 analysis, and the
system life limits.
• Fuel:
– ALS Part 5 Fuel Airworthiness Limitations (FAL): derived from the fuel tank
safety analysis.
On the other side, Boeing, under the FAA certification authority, incorporates the
ALS requirements into the Section 9 of the Maintenance Planning Document (MPD)
under the following format:
• Airworthiness Limitations—Structural Inspections
• Airworthiness Limitations—Structural Safe-Life Limits
• Airworthiness Limitations—Systems
• Certification Maintenance Requirements (CMR)
• Structural Limit Of Validity (LOV)
ALS documentation is mandated by AD when new requirements are added or
when revised ALS requirements are more restrictive.
Chapter 7
AMP Secondary Sources: Aging Aircraft

The aging process of an aircraft depends on factors that are particular for the subject
aircraft: operation, environment, maintenance, storage, etc. Like a person or like the
wine, each aircraft ages in a particular way.
The effects of aircraft aging have not always been taken into considera-
tion. Aircraft were operated beyond their original Design Service Goals (DSG),
and original maintenance plans were not addressing potential age-related unsafe
conditions.
Aging of aircraft systems and components, such as EWIS, fuel, hydraulic and
pneumatic lines, seals, flight instrumentation, or engine elements, is a concern since
their deterioration may develop in catastrophic failures.
On the other hand, the structure of aging aircraft, mostly affected by fatigue
and corrosion, may also develop in catastrophic failures if it is not appropriately
maintained.
Several programs, triggered by catastrophic aircraft accidents, were launched to
take into account the continuous use of the aircraft. Although the current regulatory
environment addresses the aircraft aging since its design phase, older aircraft must
adhere to these requirements to mitigate the consequences of aging through adequate
maintenance programs.
The means adopted to mitigate the aging of aircraft systems and components are
detailed in other chapters of this book:
• Electrical Wiring Interconnection Systems (EWIS) maintenance,
• Fuel tank system maintenance,
• Component maintenance programs, e.g., engine overhaul, landing gear overhaul,
etc., and
• The Reliability Program.
This chapter focuses on the structural requirements for aging aircraft that have
been designed to less stringent than the current standards, except for Widespread
Fatigue Damage (WFD) considerations. It means when a Damage Tolerance (DT)
maintenance inspection program and/or a Corrosion Prevention and Control Program

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 87

D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_7
88 7 AMP Secondary Sources: Aging Aircraft

(CPCP) have not been developed under the MRBR and ALS principles as detailed
in Sects. 6.1.6.2 and 6.2.2.
The Maintenance Costs related to aging aircraft are outlined in Appendix A.

7.1 Continuing Structural Integrity Program

The structural integrity of aging aircraft is a concern due to factors such as Accidental
Damage (AD), Environmental Damage (ED), and Fatigue Damage (FD) that may
contribute to catastrophic failure. In the absence of certain maintenance inspection
programs such as a Damage Tolerance (DT) maintenance inspection program or a
Corrosion Prevention and Control Program (CPCP), the design holder is respon-
sible for developing a Continuing Structural Integrity Program to maintain the
airworthiness of aging aircraft.
A Structural Task Group (STG) formed by the TCH, the certification authority,
and operators is formed to address the issue. The STG makes recommendations, via
the TCH, to the certification authority. The authority is responsible for approving
the program and ensuring its implementation by the operators; if it is considered
that unsafe conditions exist, the implementation of the program, or elements of the
program, are mandated by Airworthiness Directives.
The Continuing Structural Integrity Program considers the following elements:
• Supplemental Structural Inspection Program (SSIP) to detect fatigue cracking,
• Corrosion Prevention and Control Program (CPCP),
• Assessment of modifications and repairs to develop DT-based inspections for all
fatigue critical structure,
• Mandatory modification program required to maintain the structural integrity.
SSIP and CPCP programs should be initiated no later than one half of the aircraft
Design Service Goal (DSG).

7.1.1 Supplemental Structural Inspection Program (SSIP)

In the absence of a Damage Tolerance (DT) maintenance inspection program, EASA

Part-M Appendix I to AMC M.A.302 requires that, if the TC holder has developed a
Supplemental Structural Inspection Program (SSIP), it is included in the Aircraft
Maintenance Program.
FAA includes the SSIP requirements in the 14 CFR 121.1109, requiring that the
operator incorporates an approved DT-based inspection program into the AMP.
The guidelines to develop a Supplemental Structural Inspection Program (SSIP)
are detailed in EASA AMC 20-20 Continuing Structural Integrity Programme and
FAA AC 91-56B Continuing Structural Integrity Program for airplanes.
7.1 Continuing Structural Integrity Program 89

The SSIP requirements are documented in the Supplemental Structural Inspec-

tion Document (SSID). The incorporation of the SSID into the operator AMP is
usually mandated by an Airworthiness Directive (AD).
To the extent of practicable, the SSID should comply with the Damage Tolerance
requirements established in CS/FAR 25.571. See Sect. 6.2.2.1.
Note: Safe-Life items, described in Sect. 6.2.2.2, do not require investigation under
an SSIP in regards to Damage Tolerance. However, they should be considered during
the assessment of other elements of the Continuing Structural Integrity Program, e.g.,
CPCP or modification program.

7.1.2 Corrosion Prevention and Control Program (CPCP)

TCHs are aware of the effects of corrosion on the aircraft; when a CPCP has not
been established under the MRB process, a CPCP is usually developed voluntarily
to address potential undesirable conditions.
EASA and FAA consider that the CPCP objectives are met by the MSG-3 analysis
(MRB process) or the TCH initiative to develop a corrosion program.
To determine the CPCP inspections tasks and thresholds/intervals, the following
elements must be considered:
• Corrosion properties of the material,
• Operational environment,
• Protective treatments used,
• General practices used during manufacturing and maintenance, and
• Local and widespread corrosion.
If an unsafe condition is identified for a particular design, the CPCP will be
mandated by Airworthiness Directives. The CPCP must be, in any case, approved
by the certification authority.
The operator is responsible for incorporating the CPCP into the AMP unless it
can demonstrate that the approved AMP already controls the corrosion to Level 1 or
better. Additionally, the operator should adjust the CPCP to the particular operational
conditions, e.g., humid or corrosive environment.
Corrosion Levels
The CPCP objective is to reduce the material loss due to corrosion to a level necessary
to maintain the airworthiness of the aircraft (Corrosion Level 1 or better).
EASA AMC 20-20 and FAA AC 43-4B define the following corrosion levels:
• Corrosion Level 1:
– damage occurring between successive inspections that is within allowable
damage limits,
– damage occurring between successive inspections that does not require struc-
tural reinforcement, replacement or new damage tolerance-based inspections,
90 7 AMP Secondary Sources: Aging Aircraft

– corrosion occurring between successive inspections that exceeds allowable

limits but can be attributed to an event not typical of operator usage of other
aircraft in the same fleet, or
– light corrosion occurring repeatedly between inspections that eventually
requires structural reinforcement, replacement, or new damage tolerance-based
inspections.
• Corrosion Level 2:
– corrosion occurring between any two successive corrosion inspections task
that requires a single rework or blend out which exceeds the allowable limit,
or
– corrosion occurring between successive inspections that is widespread and
requires a single blend-out approaching allowable rework limits. i.e., it is not
light corrosion as provided for in Level 1.
• Corrosion Level 3:
– corrosion occurring during the first or subsequent accomplishments of a corro-
sion inspection task that the operator determines to be an urgent airworthiness
concern.

7.1.3 SSIP/CPCP Implementation

Depending on the information provided by the TCH in the SSID/CPCP documents,

the supplemental inspection requirements may require to:
• be accomplished in conjunction with the existing approved structural inspection
program, or
• be a transition from an existing program, e.g., MRBR to SSID/CPCP. In this case,
the design holder should provide the rules for the SSID/CPCP implementation
for any of the following situations:
– SSID/CPCP comparable to the MRBR inspection when the interval is lower,
the same, or greater.
– SSID/CPCP is not comparable to the MRBR inspection.
See the details for previous task accomplishment credits in Sect. 11.1.3.

Lesson Learned—Aloha Airlines Flight 243

On April 1988, the Boeing 737 Flight 243 operated by Aloha Airlines between
Hilo and Honolulu, Hawai, experienced an explosive decompression and struc-
tural failure while en route and had to perform an emergency landing on Kahului
7.1 Continuing Structural Integrity Program 91

Airport, Maui island. The aircraft was carrying 6 crew members and 89 passen-
gers, from which one flight attendant was swept overboard during the decom-
pression and killed; 1 more flight attendant and 7 passengers resulted seriously
injured.
Aloha 737 fleet was formed by high cycle aircraft operated in a harsh corro-
sion environment; the aircraft in question had been delivered to Aloha Airlines
in 1969 and had accumulated 35,496 Flight Hours and 89,680 Flight Cycles.

Fig. 7.1 Aloha Airlines Flight 243 evacuation. NTSB Archive

The results of the NTSB investigation1 determined that the probable cause
of the accident was the failure of the Aircraft Maintenance Program to detect
the presence of significant disbonding and fatigue damage of the fuselage skin
lap splice.
The overlapping skins were bonded together with an adhesive and fastened
with three rows of rivets. The cold bond adhesive had manufacturing defi-
ciencies that led to degraded bonds that were susceptible to corrosion. The
effects from the pressurization loads, that were supposed to be transferred by
the adhesive bonds, were actually transferred through the rivets what led to

1Aircraft Accident Report—Aloha Airlines, Flight 243, Boeing 737-200, N73711, near Maui,
Hawaii. NTSN. 14 June 1989.
92 7 AMP Secondary Sources: Aging Aircraft

multiple fatigue cracks. The advanced stages of damages at multiple sites led
to the condition known as Widespread Fatigue Damage (WFD), where the
aircraft structure was not able to support the loads and the fuselage upper lobe
was separated.
Previous to the accident, Boeing had issued an Alert Service Bulletin
proposing the inspection of all the lap joints after the discovery of early produc-
tion difficulties which resulted in low bond durability, corrosion, and prema-
ture fatigue cracking. The FAA issued an Airworthiness Directive but failed to
require the inspection of all the lap joints proposed in the Alert SB, excluding
those that failed in the Aloha flight. There was neither complete terminating
action developed by Boeing or required by the FAA.
Aloha Airlines was participating in the Supplemental Structural Inspection
Program (SSIP) that provided with inspections to identify cracks, corrosion,
and other damages. The SSIP only included items where detection of structural
damages required directed inspections, but excluded inspections for obvious
damages or evident malfunctions. It was assumed that a rupturing crack in the
fuselage skin would have been detected as obvious damage or had led to a safe
decompression in the worst case scenario.
Aloha Airlines AMP was using a heavy maintenance D-Check interval of
15,000 FH, being apparently more restrictive than the 20,000 FH recommended
by Boeing. However, due to the type of operation, the aircraft was accumulating
cycles at twice the rate for which the Boeing MPD was designed. The AMP
had created a structural maintenance program based on hours and did not
recognize the effects of the rapid accumulation of cycles that is determining in
the initiation of fatigue cracks.
Aloha had not developed specific severe operating environment corrosion
detection and corrosion control programs in accordance with the techniques
recommended by Boeing (application of corrosion inhibiting compounds,
aircraft washing, buffing and brightening of unpainted surfaces, etc.). Addi-
tionally, it was noted that the technicians accepted signs of on-going corrosion
damage as a normal operating condition.
NTSB concluded that the Aloha Airlines maintenance department did not
have sufficient manpower, technical knowledge, or the required programs
to meet its responsibility to ensure the continued structural integrity of its
airplanes.
Although certification authorities, manufacturers, and operators had become
already concerned with ageing aircraft, Aloha Flight 243 brought the focus on
the causes of structural ageing. The FAA issued the “Aging Aircraft Evaluation
Trend Report” with several changes to regulations in regards certification and
inspection.
The FAA made mandatory the Corrosion Prevention and Control
Programs (CPCP) to ensure that hazardous corrosion never occurs, when
7.1 Continuing Structural Integrity Program 93

not developed under the MRB process or on voluntary basis, and required
sufficient full scale fatigue test evidence that Widespread Fatigue Damage
(WFD) would not occur within the DSG of the aircraft.
But it was not until 10 years later, triggered by the TWA Flight 800 accident
that brought to light the effects of age in wire bundles, when the FAA initiated
a comprehensive regulatory response.
These and other accidents and incidents resulting from aircraft ageing high-
light the importance of an effective Aircraft Maintenance Program that takes
into consideration the effects of aircraft ageing.
Chapter 8
AMP Secondary Sources: MCAI,
Modifications and Repairs,
and Non-mandatory Recommendations

The Airworthiness Directives, Modifications and Repairs, and non-mandatory

recommendations are grouped together under this chapter due to their dynamic
nature.
As introduced in Sect. 5.1, some of these maintenance requirements evolve in
such a way that it may become unfeasible to maintain the AMP updated at all times,
e.g., new ADs, damages, changing necessities arising from the Reliability Program,
terminating actions, superseding inspections, etc.
For these requirements, the AMP may suppose a snapshot at the time of the AMP
revision.

8.1 Mandatory Continuing Airworthiness Information

(MCAI)—Airworthiness Directives (AD)

ICAO defines Mandatory Continuing Airworthiness Information (MCAI) as

“the mandatory requirements for the modification, replacement of parts, or inspec-
tion of aircraft and amendment of operating limitations and procedures for the safe
operation of the aircraft”.
The most common form of MCAIs is Airworthiness Directives (ADs). ADs
are issued by the certification authority of the state of design to notify aircraft
owners/operators about an unsafe condition that exists, or is likely to exist, and
prescribe corrective actions for the continuing airworthiness of the aircraft/engine/
propeller/component.
Occurrence Reporting Systems
ICAO Annex 8—Airworthiness of Aircraft requires that the airworthiness author-
ities develop a reporting system to collect faults, malfunctions, defects, and other
occurrences which affect or may affect the airworthiness of the aircraft. This system,
known in general terms as Service Difficulty Reporting System (SDRS), requires

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 95

D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_8
96 8 AMP Secondary Sources: MCAI, Modifications …

feedback from design and maintenance organizations and aircraft operators. In the
EASA system, the feedback is provided through Maintenance Occurrence Reports
(MORs) and in the FAA though Service Difficulty Reports (SDRs).
Airworthiness Directives are usually the result of the SDRs but may be originated
from other occurrence reporting systems.
Additional information about Occurrence Reporting Systems is detailed in
Sect. 26.3.
Unsafe Condition and Corrective Action
The unsafe condition may be due to deficiencies related to design, manufacturing,
maintenance, etc.
Such correction may include compliance with specific instructions detailed within
the AD or with instructions given by the DAH (e.g., a Service Bulletin (SB) or an
Airworthiness Limitation Inspection (ALI)). The AD does not include the referenced
service information that remains property of the design holder.
A SB only becomes mandatory when an AD is issued, whichever is the
categorization established by the DAH (mandatory, alert, recommended, etc.).
The corrective action may involve modification, replacement, limitation, inspec-
tion, periodic inspection, etc. A terminating action is a corrective action that
completely resolves the unsafe condition and restores the airworthiness of the aircraft.
An Airworthiness Directive (AD) should include the following information:
• identification of the unsafe condition,
• identification of the affected aircraft/engine/propeller/component,
• corrective action required,
• compliance time for the corrective action, and
• effective date.
An AD is no longer effective when it is canceled or superseded by a new AD.
While EASA issues revisions to AD to correct minor changes, the FAA policy is to
supersede it and issue a new one.
Responsibilities
When an AD has to be issued, the DAH should propose the appropriate corrective
action and/or required inspections.
While the responsibility of issuing the AD lies on the state of design or design
change, the dissemination and compliance lie on the state of registration of the aircraft.
The state of registration may issue ADs for aircraft/engine/propeller/component
designed in other states.
EASA policy (ED Decision 2019/018/ED) is to endorse automatically the
ADs issued by the state of design or design change of an aircraft/engine/
propeller/component validated by EASA unless a different AD is issued or a different
decision is taken by the agency before the effective date of the AD.
8.1 Mandatory Continuing Airworthiness Information (MCAI) … 97

The FAA policy for imported products (Order 8040.5) is to determine first if
the unsafe condition exists or is likely to exist and if a particular course of action
is needed to correct it. The assessment can conclude with the AD endorsed, with
different corrective actions/times, or with the unsafe condition not considered and
the AD not adopted.
Under the European Union – United States BASA (Bilateral Aviation Safety
Agreement), both agencies recognize that even working in cooperation, they may
disagree in finding the unsafe condition and may propose to issue a unilateral AD.
The owner of an aircraft may decide to also comply with ADs that are not
mandatory by the state of registration but that can facilitate the End Of Lease (EOL).
When compliance with an AD to correct an unsafe condition is urgent, it is issued
as an Emergency Airworthiness Directive (EAD).
For non-emergency Airworthiness Directives, the airworthiness authority usually
announces first a proposal for AD that is open to the public for feedback. In the
EASA system, the proposal is known as Proposed Airworthiness Directive (PAD).
The FAA makes uses of the CFR system under the Notice of Proposed Rulemaking
(NPRM) process.
EASA issues a special type of AD when the content includes reserved infor-
mation: the Sensitive Security Airworthiness Directive (SSAD). SSADs are only
distributed to the states which have registered affected aircraft. It is the responsi-
bility of the state of registration to inform only the concerned parties, including
owners/operators.
Acceptable Means of Compliance (AMOC)
Acceptable Means of Compliance (AMOC) are approved deviations to ADs, e.g.,
alternative modifications, inspection procedures, compliance times, limitations, etc.
The AMOC is requested by the operator (it may be through the DAH) and approved
by the competent authority of the state of registration.
When the competent authority of the state of registration does not have sufficient
expertise or all the relevant information, advice from the DAH or the competent
authority of the state of design may be requested.
When the AD is revised, the AMOC should still be valid; a revision of an AD does
not introduce more restrictive requirements. However, when an AD is superseded,
the AMOC is invalidated, if no other provisions are stated in the AMOC, and the
operator should submit a new AMOC application for the new AD if it is still required.
Scheduled Requirements
EASA Part-M (M.A.302 (d)(1)) requires that the AMP establishes compliance with
instructions issued by the competent authority.
Repetitive instructions specified in Airworthiness Directives should be incorpo-
rated in the AMP.
The FAA regulation does not specifically require to include the process for
managing ADs into the AMP; however, for air carriers, it is recommended as per AC
120-16G.
98 8 AMP Secondary Sources: MCAI, Modifications …

Special attention must be given to Airworthiness Directives mandating the incor-

poration of an Airworthiness Limitations document (ALS) into the AMP. It is required
when the ALI tasks are more restrictive; when the ALS revision means alleviation,
there is no reason to justify the issue of an AD. Failure to comply with the more
restrictive ALI tasks may lead to an unsafe condition; therefore, ALS requirements
are considered MCAI.

8.2 Modifications and Repairs

As seen in Chap. 4, the Design Approval Holder is responsible for providing the
appropriate ICA or variation to ICA to keep the airworthiness standard when a
modification or repair to the type design of an aircraft/engine/propeller/component
is embodied.

8.2.1 Modifications

ICAO defines modification as “a change to the type design of an aeronautical product

which is not a repair”. Modifications are originated by diverse reasons:
• mandatory requirements (e.g., AD or operational regulations),
• type of operation (e.g., installation of RVSM, AWO, or EDTO (ETOPS)
equipment),
• reliability (e.g., recommendations derived from in-service experience), or
• operator requirements (e.g., curtains installation, cabin layout change, or
passenger to cargo conversion).
When a new modification is mandated or the need for a modification is addressed,
a DAH, that may be the TCH, should provide with the approved data necessary
to maintain the airworthiness of the aircraft. A demodification (bringing back the
aircraft/engine/propeller/component to the original type design) is considered a
modification and the same rules apply.
The responsible for the approval of a modification depends on the extent of the
change (major or minor). The form in which the modification is approved depends
on the type design that is intended for modification (TC/STC) and on the entity that
develops the modification.
• Major Modification: TC/STC modification that has an appreciable effect on the
airworthiness (mass, balance, structural strength, reliability, operational character-
istics, noise, fuel venting, exhaust emission, operational suitability data, or other
characteristics affecting the airworthiness) and requires approval from the certifi-
cation authority. The major modification may affect a TC or an STC. The form in
which the modification is presented depends on the holder of the design change:
8.2 Modifications and Repairs 99

– Change to the Type Certificate:

when the modification is developed by the TCH, it is usually presented in the
form of a Service Bulletin (SB). Its associated ICA may be covered in the
same or different SB, or in other TC ICA (MRBR, IPC, etc.).
when the modification is developed by a Part-21 organization, other than the
TCH, it is usually presented in the form of a Supplemental Type Certificate
(STC). Its associated ICA is part of the certification process and included in
the STC approved data package.
– Change to the Supplemental Type Certificate: It is usually developed by an
STCH and presented in the form of a new STC. Its associated ICA is part of
the certification process and included in the new STC approved data package.
• Minor Modification: TC/STC modification that has no appreciable effect on
the airworthiness and its approval is granted by the certification authority or an
approved design organization. Minor modifications are usually presented as SB,
and the associated ICA will be part of the TC ICA if developed by the TC or part
of the modification data package if developed by a different Part-21 organization.
In-house modifications not approved by a Part-21 organization, usually presented
in the form of Engineering Orders (EO), are a continuing airworthiness organiza-
tion practice used to develop modifications that have “no impact” on the aircraft
airworthiness. These modifications are not based on approved data, and the eval-
uation of the interference of the modification with the airworthiness may not be
properly assessed. Therefore, EASA and the FAA consider that the assessment must
be determined by a DAH approved under a Part-21. In the case in which an in-house
modification procedure is agreed with the competent authority, it should be reflected
in the organization’s exposition.
Production modifications are changes embodied during the aircraft certification
process. They may be linked to a SB that contains the instructions to implement such
modification for aircraft that are already in-service. Both production modification
and linked modification SBs play an important role in the ICA for defining the task
effectivity. For example, an MRBR/ALS/CMR task may be only effective for aircraft
that has or has not incorporated certain modifications; the modification is given by
the production modification reference or by the corresponding modification SB.

8.2.2 Repairs

ICAO defines repair as “the restoration of an aeronautical product to an airworthy

condition as defined by the appropriate airworthiness requirements”.
100 8 AMP Secondary Sources: MCAI, Modifications …

When a damage is found in an aircraft/engine/propeller/component, an assessment

should be carried out to determine if it is within the established limits or requires
repair.
Assessment guidelines and standard repairs (major and minor) are included in
the Structural Repair Manual (SRM) or the Maintenance Manual provided by the
DAH. They contain all the information required to develop a standard repair and the
associated ICA.
When the damage is out of limits and the manuals do not consider a standard
repair, a design organization must be contacted in order to assess the damage and
design the repair.
The design of a repair can be classified based on the nature of the structure being
repaired:
• Standard Repair: it is a repair that follows design data included in the certi-
fication specifications (acceptable methods, techniques, and practices) for its
accomplishment.
• Major Repair: it has an appreciable effect on the airworthiness (structural perfor-
mance, weight, balance, systems, operational characteristics, or other character-
istics affecting the airworthiness) and requires approval from the certification
authority, a DAH, or a DER (only FAA). The major repair may affect a TC or an
STC.
Note: Manual supplements are not in the scope of the DER and need additional
approval.
• Minor Repair: it has no appreciable effect on the airworthiness and its approval
is granted by the certification authority or an approved design organization.
A repair can also be classified attending to its temporary/permanent nature:
• Temporary repair: it is a provisional repair that includes a limitation after which
it must be replaced by a permanent repair.
• Permanent repair: it does not include any life limitation.
The repair may require additional inspections to maintain the continued airworthi-
ness of the aircraft/engine/propeller/component. The inspections may also be tempo-
rary until the permanent repair is embodied or required throughout the life of the
product.
The design organization must provide with the appropriate repair design data.
Its presentation depends on the DAH and the certification authority. For example,
Airbus approves the repair through the Repair and Design Approval Form (RDAF)
(old Repair Design Approval Sheet (RDAS)), and Boeing approves the repair using
the FAA Form 8100-9 Statement of Compliance with Airworthiness Standards.
8.2 Modifications and Repairs 101

Fig. 8.1 Sample FAA Form 8100-9 used for Repair Data Approval. FAA Order 8100.15 CHG 1
102 8 AMP Secondary Sources: MCAI, Modifications …

8.2.3 Modifications/Repairs Scheduled Requirements

EASA Part-M AMC M.A.302 requires that repetitive maintenance tasks derived from
modifications and repairs are incorporated into the Aircraft Maintenance Program
(AMP).
An equivalent requirement is reflected in the FAA 14 CFR 121.367 and 135.425
for the CAMP to cover alterations. It is further described in the AC 120-16F.
The modification/repair approved data package should include the appro-
priate ICA to support the continued airworthiness of the aircraft/engine/
propeller/component; specific maintenance requirements necessary to demonstrate
that the affected structure, if any, is free from Widespread Fatigue Damage (WFD)
up to the Limit Of Validity (LOV) may be incorporated into the design change ICA.
When the ICA includes repetitive maintenance tasks, these shall be part of the
AMP.
Modifications and repairs are dynamic in nature; this means that between consec-
utive AMP revisions, there are some factors that will change the repetitive require-
ments, e.g., requirements derived from new modification/repairs or embodiment of
permanent solutions.
It is not always feasible to update the AMP in the same dynamic way as the
modifications/repairs evolve. The status of repetitive tasks from modifications/repairs
is a snapshot at the time of the AMP revision. It is recommended that such clarification
is included in the AMP preamble.
Generally, repetitive maintenance requirements derived from modifications and
repairs do not trigger an AMP revision. However, it is recommended that changes
derived from major modifications/repairs, that are critical because they may have
a considerable effect on the airworthiness, are included in the AMP at the earliest
opportunity. The changes derived from minor modifications should also be included
into the AMP at the next convenient opportunity.
The process to control modifications and repairs usually depends on the size of
the continuing airworthiness organization. While small organizations tend to manage
the inspections derived from modifications/repairs on a case-by-case basis through
the main AMP process, larger organizations usually manage them through a more
complex and separated process. It is the responsibility of the continuing airworthiness
organization to include these inspections into the AMP.

Lesson Learned—Japan Airlines Flight 123

On August 12, 1985, the Boeing 747 Flight 123 operated by Japan Airlines
between Tokyo and Osaka, Japan, went out of control due to fatigue failure
of the aft bulkhead, followed by structural failure of the vertical stabilizer,
and crashed after 32 min of irregular flight killing 520 of the 524 occupants,
becoming the deadliest single-aircraft accident in aviation history.
8.2 Modifications and Repairs 103

The maintenance manager and the engineer who had inspected and cleared the
aircraft as airworthy committed suicide.
The Japanese Aircraft Accident Investigation Commission (AAIC), that led
the investigation,1 revealed the chain of events that resulted in the crash.

Fig. 8.2 Accident aircraft flying over Okutama with the missing vertical stabilizer. Photo
124 of the Aircraft Accident Investigation Report

Seven years earlier, during a landing roll, the aircraft struck its aft fuselage
on the runway and suffered considerable damage. The Boeing standard repair
(temporary) consisted of a continuous splice plate with three rows of rivets.
However, a Boeing inspector found a reduced edge margin around the rivet
holes on the splice surface in comparison with the drawings, and the repair
was improperly redesigned and installed: two splices with only one line of
rivets effectively carrying the loads instead of two.
Since the repair, a number of fatigue cracks propagated mainly at one-row
rivet connection portions reducing the strength of the aft bulkhead to the extent
that could not support the cabin pressure and ruptured, causing the subsequent
ruptures of the fuselage tail, vertical stabilizer, and hydraulic flight control
systems.
The C-Check, that was conducted up to 6 times between the repair and
the accident, included the visual inspection procedures for the aft pressure
bulkhead. It is considered that the inspection method was not adequate as such
cracks, with a critical length, were not found.

1Aircraft Accident Investigation Report—Japan Air Lines Boeing 747 SR-100, JA8119, Gunma
Prefecture, Japan. AAIC. June 19, 1987.
104 8 AMP Secondary Sources: MCAI, Modifications …

In line with the AAIC report, the NTSB recommendations were undertaken
by the FAA under several initiatives, including the revision of several 14 CFR
parts to require repair assessment programs to the operators.

8.3 Non-mandatory Recommendations

The design holder/manufacturer of an aircraft/engine/propeller/component issues

documents in the form of Service Bulletin (SB), Service Letter (SL), etc., to commu-
nicate the operator about product improvements and solutions to in-service issues.
The design holder of an engine/propeller/component may also include specific
recommendations in its Maintenance Manual. See Sect. 10.2 for further details about
Component Maintenance Manual recommendations.
Although these recommendations are considered by the TCH to develop the ICAs,
the operator is also responsible for evaluating the adequacy of their implementation
for its particular fleet and operation.
In this regard, EASA CAMO.A.315(b)(4) and corresponding AMC require that
the continuing airworthiness organization establishes a procedure to assess non-
mandatory modifications and/or inspections and decide on their application, making
use of the organization’s safety risk management process. This information includes
SB, SL, Maintenance Manuals, and any other information that is produced for the
aircraft and its components by an approved design organization, the manufacturer,
the competent authority, or the agency.
When the operator adopts scheduled maintenance derived from non-mandatory
recommendations, it will be part of the AMP. The recommendation should include,
as minimum, the applicability, the interval, the maintenance task scope, and the
instructions or reference to the instructions.
As it happens with Airworthiness Directives, modifications, and repairs, non-
mandatory recommendations may be dynamic in nature. The operator may decide
to comply with a SB/SL repetitive inspection to address issues until a final solution
(terminating action) is developed, address issues that are more cost-effective than
implementing a final solution or address issues temporarily until the effectiveness of
the recommendation is demonstrated (troubleshooting).
It is not always feasible to update the AMP in the same dynamic way as the
adopted recommendations may evolve; the status of SB/SL inspections at the time
of the AMP revision is a snapshot of the status at the time of the revision.
In the case of components, the recommendation may be binding by vendor/repair
shop, e.g., due to warranty.
The effectiveness of an adopted recommendation is measured by the Reliability
Program. As minimum, it should be part of the yearly review of the AMP.
Recommendations may become mandatory when it is mandated by the authority,
e.g., through the issuance of an AD.
8.3 Non-mandatory Recommendations 105

8.3.1 Service Bulletins (SB)

A Service Bulletin (SB) is a document issued by the DAH of an aircraft/engine/

propeller/component to notify owners/operators about product improvement (related
to safety, reliability, costs, or operational/maintenance practices).
The actions required by a SB may include modifications, one-time inspec-
tion/check, repetitive inspections/checks, change in the limitations, etc.
Generally, a SB issued by the engine/propeller/component DAH is referred to as
Vendor Service Bulletin (VSB).
There is no standard to classify the SB, but usually, the DAH does it in accor-
dance with safety considerations. When the SB addresses unsafe conditions, it may
be classified as “Mandatory” or “Alert”; otherwise, the SB may be classified as
“Recommended” or “Optional”.
When the condition highlighted by a SB may affect the safety of the aircraft,
the competent authority usually issues an Airworthiness Directive (AD), but there
are exceptional means that they use to make a SB mandatory, e.g., through the
Airworthiness Limitations (ALS).
The issuance of an AD is “independent” of the SB classification; a SB does not
become mandatory until the competent authority decides so. A SB classified by the
design holder as "mandatory" will become mandatory if the competent authority has
the same consideration about the safety concern than the DAH; otherwise, from the
regulatory point of view, it is acknowledged as a recommendation.
When the instructions provided in the SB include repetitive inspections or modifi-
cations that may cause changes in the effectivity of an ICA maintenance task, it should
be considered and reviewed by the DAH, e.g., for inclusion in the ALS/CMR/MRBR.

8.3.2 Service Letters (SL)

A Service Letter (SL) is a document issued by the design holder of an aircraft/engine/

propeller/component to notify owners/operators about ongoing issues.
Although the purpose of an SL and SB may be confused, generally an SL is more
informational (solutions to production issues, operation/maintenance recommended
practices, advance information about a future production modification or SB release,
spares interchangeability, etc.) and does not involve any major change or minor
change with safety aspects.
The intent of an SL may be covered by documents under different names, e.g.,
Airbus uses In-Service Information (ISI) documents for the same purpose.
106 8 AMP Secondary Sources: MCAI, Modifications …

8.4 Embodiment Policy

As explained in the introduction of this chapter, it is a regulatory requirement that

the operator adopts a policy to review non-mandatory information related to the
airworthiness of the aircraft.
This information is not limited to SBs, SLs, and CMMs; any information that may
affect the airworthiness of the aircraft must be evaluated independently of the form
in which is presented by the DAH, manufacturer, competent authority, or agency.
While the safety factor must be decisive across all operators in their Embodiment
Policies, there are other aspects to be taken into consideration by the operator at
the time of deciding the adoption of a non-mandatory requirement, e.g., dispatch
reliability, remaining lease time, corrective actions already taken, operator standards,
or airline reputation.
An Embodiment Policy should not be to adopt all non-mandatory recommen-
dations or not to adopt any. Incorporating all the recommendations is not cost-
effective and may increase the probability of maintenance errors. Not incorporating
any requirement may lead to lower levels of safety and reliability and also increase
the costs.
The policy should guarantee that the safety, reliability, and standards established
by the operator are maintained.
The Embodiment Policy process should contain the following aspects:
• Evaluation:
– Technical analysis. Typically, it includes the review of the current status of
the particular system or component (AMP, modifications already embodied,
etc.) and in-service data.
– Return On Investment (ROI) analysis and/or Cost–Benefit Analysis (CBA).
ROI is the calculation of the benefits expected (e.g., lower shop visits due to
increased reliability, increased aircraft dispatch reliability, etc.) versus the costs
of implementing the recommendation (e.g., material, manpower and facilities
costs, etc.). CBA is a broader analysis and tries to quantify not only tangible
but also intangible costs and benefits (e.g., airline reputation). Further CBA
information is detailed in Sect. 30.2.
• Decision/Justification. The technical and the ROI/CBA analyses, the standards
established by the operator, and the aircraft availability are taken into consideration
to decide if implementing the recommendation. The decision may be to embody
it in the whole fleet, to embody it on attrition, to embody it partially in the fleet
(e.g., a sample to monitor the results of the embodiment) or not to embody it.
• Recording. The evaluation of the recommendation and the decision/justification
must be registered by the operator.
• Results monitoring. The analysis of the effectiveness of the requirement is
measured by the Reliability Program that ensures the loop is closed.
8.4 Embodiment Policy 107

All the aspects of the Embodiment Policy apply not only to the known non-
mandatory recommendations but to other types of modifications that the operator
decides to accomplish, e.g., an STC or a minor modification in a different form than
a SB.
In the case of an AD involving a SB, the SB will be released in advance, and the
operator may decide not to implement it at first instance. However, the decision of
the operator must be revoked as soon as the AD is issued.
The grade of implication of the departments/individuals of the continuing airwor-
thiness organization in the Embodiment Policy process usually depends on the size
of the organization and the type of recommendation. A Modification Embodi-
ment Policy Board formed by the main stakeholders (Technical Services, Main-
tenance Programs, Reliability, Materials, Repairs, Finances, etc.) may be a good
idea, especially for modifications with greater impact such as major modifications.
Chapter 9
AMP Secondary Sources: Operational
Requirements and Changes
to the Operation Type

The operator must incorporate scheduled maintenance required for the operation
under specific approvals (RVSM, MNPS, PBN, EDTO, and AWO) and require-
ments to support changes to the type of operation (utilization changes and Low/High
Utilization Recommendations) into the Aircraft Maintenance Program.
Other miscellaneous operational requirements such as those dedicated to the main-
tenance items of the Preflight Check, Safety/Emergency Equipment (ELT, First-Aid
Kits, Medical Emergency Kits, etc.), Flight Recorders, and the Weight and Balance
of the aircraft should also be incorporated into the AMP.

9.1 Scheduled Requirements Derived from Specific

Operation Approvals

Certain aircraft operations requiring specific approvals may entail the accomplish-
ment of additional scheduled maintenance in order to maintain such approval. The
competent authority of the state of registration/operation will require those additional
requirements to be included into the Aircraft Maintenance Program.
The relevant operation approvals include, but are not limited to:
• Reduced Vertical Separation Minima (RVSM) operations,
• Minimum Navigation Performance Specifications (MNPS) operations,
• Performance-Based Navigation (PBN): Area Navigation (RNAV) and Required
Navigation Performance (RNP) operations,
• Extended Diversion Time Operations (EDTO): ETOPS/LROPS,
• All Weather Operations (AWO): CAT II, CAT III, and LTVO.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 109
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_9
110 9 AMP Secondary Sources: Operational Requirements and Changes …

ICAO Annex 6—Operation of Aircraft pays attention to all the requirements listed
above. The main regulatory authorities, including EASA and the FAA, echo the
ICAO standards and recommendations and adapt them to their respective regulatory
frameworks.
In the EASA system, the requirements are detailed in the Air Operation rules, and
their inclusion into the Aircraft Maintenance Program is a main point of the Part-M.
EASA M.A.302 (e) explicitly requires that “the Aircraft Maintenance Program shall
contain details, including frequency, of all maintenance to be carried out, including
any specific tasks linked to the type and the specificity of operations”.
While the TC/STC holder or equipment manufacturer may provide ICA in support
of the equipment and systems required for operations requiring specific approvals,
ultimately, it is the responsibility of the operator to comply with those instructions
and with any additional requirement established by the competent authority.
In this regard, the MSG-3 methodology incorporates provisions to take into
consideration the certificated operating capabilities of the aircraft since incorporated
through the IP 99 ETOPS/MRBR Tasking Requirements.
It is important to differentiate the airworthiness approval that is the capability
of the aircraft to perform a specific operation (equipment, systems, performance,
etc.) and the approval of the specific operations that is related to the capability of
the operator to perform the operation (it requires the airworthiness approval plus
additional procedures, flight crew training, operator experience, etc.).
When the ICAs given by the TC/STC holder are a source of the AMP, it is conve-
nient and sufficient that the AMP preamble mentions the ICA as source document and
states that the AMP complies with the specific approval requirements, e.g., RVSM
capabilities are inherent functions of the design of the aircraft, and the schedule
maintenance necessary for the RVSM operation has been considered during the
MRB process, being the MRBR source of this Aircraft Maintenance Program.
It is recommended that any other instruction or restriction to the ICA established
by the competent authority is added to the AMP with the appropriate cross-reference
to the regulation paragraphs.

9.1.1 Reduced Vertical Separation Minima (RVSM)

Reduced Vertical Separation Minima (RVSM) is an ICAO program to increase the

airspace capacity and reduce fuel consumption and emissions. The program applies
in certain portions of the airspace between flight levels FL 290 and FL 410 and
reduces the aircraft vertical separation to 300 m (1000 ft), allowing the aircraft to fly
more optimum profiles.
9.1 Scheduled Requirements Derived from Specific Operation Approvals 111

The RVSM operational approval must be granted by the competent authority and
involves:
• RVSM airworthiness approval (capability of the aircraft). The equipment should
be able to indicate the FL being flown, automatically maintain a selected FL, alert
to the flight crew when a deviation from the selected FL occurs, and automatically
report pressure altitude,
• procedures for monitoring and reporting height-keeping errors. The operator
should report occurrences caused by malfunction of aircraft equipment or of
operational nature to the competent authority,
• a training program for the flight crew,
• operating procedures (MEL, preflight procedures, in-flight procedures, etc.).
Since 2018, for intended operations within the U.S. airspace, the FAA does
not require specific RVSM operation approval if the above criteria are met and
the altitude-keeping performance is monitored with an Automatic Dependent
Surveillance-Broadcast (ADS-B) equipment.
Scheduled Requirements
EASA AMC3 SPA.RVSM.105 requires that the AMP includes the ICA issued by
the TC holder in relation to the RVSM operations certification (CS-ACNS, Certifi-
cation Specifications for Airborne Communications, Navigation and Surveillance).
The ICA should contain but is not limited to the transponder testing, the mainte-
nance/inspection of the autopilot to ensure continued accuracy and integrity of the
automatic altitude control system, the maintenance of all the RVSM equipment in
accordance with the corresponding CMMs and the performance criteria of the RVSM
approval data package.
The continuing airworthiness procedures should establish the appropriate means
to assess any modification, repair, or design change which may affect the RVSM
approval, e.g., alignment of pitot/static probes, repairs to dents, or deformation around
static plates.
For new aircraft RVSM approved and approvals based on design changes (STC,
SB, etc.), the holder of the design/design change should provide the ICA.
FAA AC 91-85B RVSM requirements are equivalent to those prescribed by EASA.
When the aircraft is designed with RVSM capability, the MRB process may iden-
tify the required RVSM scheduled maintenance/intervals, and it is good practice to
reflect it in the AMP preamble; when the RVSM capability is introduced through
design changes, it is convenient to identify the associated ICA in the AMP preamble
and reference it in the corresponding RVSM tasks.
112 9 AMP Secondary Sources: Operational Requirements and Changes …

Lessons Learned—Vertical Separation

The development of civil aircraft flights in the air space during the 1950s came
with an increased number of in-flight incidents, accidents, and collisions. The
air traffic system did not provide the safety level that was expected with the
growth in the air traffic.
ICAO developed a “flight levels” system based on atmospheric pressure that
served as a worldwide standard; however, the system presented certain errors
at high altitude, reason why higher separation was required above FL290. In
1958, ICAO set the standard vertical separation at 300 m (1000 ft) below flight
level FL290 and 600 m (2000 ft) for flights at or above FL290.
Efforts to increase the air space capacity above FL290 started soon after:
Optimum altitude profiles offered more cost-effective flights. Flights below the
optimum cruise altitude suffered a penalty of about 1% for each 300 m.
After years of expert panels and researches, and supported by new tech-
nologies, as the Traffic Alert and Collision Avoidance System (TCAS), a sepa-
ration of 300 m between FL290 and FL410 became feasible. The new rules,
known as Reduced Vertical Separation Minima (RVSM), started to be grad-
ually implemented since 1997 in certain portions of the air space and required
specific operation approval.
Since the implementation of the RVSM, several incidents and a few
catastrophic collisions have occurred in the RVSM space.
Constanza Lake Collision
On July 1, 2002, the Tupolev TU-154 operated by Bashkirian Airlines and
the Boeing 757 operated by DHL collided in the RVSM space, approximately
FL354 over the Lake Constanza, Germany, killing all the 69 occupants and all
the two occupants (only crew) of each aircraft, respectively.
Five minutes before the accident, both flights were following their routes at
FL360. The Tupolev TCAS gave an advisory because the DHL flight was in
the area; seconds later, the radar controller issued instructions to the Tupolev
to descend to FL350 in order to keep the separation minima with the DHL
flight. A few minutes later, the Tupolev received a TCAS advisory to climb
and the DHL TCAS to descent, but again the Tupolev received instructions
from the radar controller to descend and decided to follow such indications.
Both aircraft attempted flight maneuvers to avoid collision unsuccessfully.
The results from the accident investigation carried out by the German
Federal Bureau of Aircraft Accidents Investigation,1 summarized that the ATC
controller had not noticed the imminent separation infringement in time and

1Investigation Report on the Collision of the Boeing B757-200 and the Tupolev TY154M (near)
Lake of Constanza. German Federal Bureau of Aircraft Accident Investigation (BFU). May 2004.
9.1 Scheduled Requirements Derived from Specific Operation Approvals 113

that the Tupolev crew followed a maneuver contrary to the generated by the
TCAS advisory. Recommendations were focused on the improvement of the
ATC system, the priority of TCAS over ATC when a conflict exists, and the
promotion of enhanced technologies such as the Secondary Surveillance Radar
(SSR Mode S) and the Automatic Dependent Surveillance Broadcast (ADS-B).

Fig. 9.1 Reconstruction of Mid-Air Collision between the DHL B757 and TU-154.
Appendix 7 to the final report of the accident

Gol Transportes Aereos Flight 1907

On September 29, 2006, a new tragedy occurred in RVSM space. A Boeing 737
operated by Gol Transportes Aereos as Flight 1907 and an Embraer Legacy
600 business jet collided in the RVSM air space at FL370 over the Brazilian
Amazon jungle. A major portion of the left wing of the B737 was damaged,
and the aircraft became uncontrollable and broke up in flight killing all the 154
occupants. Besides the damages on the left winglet, stabilizer, and elevator,
the Legacy remained controllable and made an emergency landing without
injuries.
The investigation, led by the Brazilian Aeronautical Accident Investigation
and Prevention Center (CENIPA),2 revealed that the aircraft was placed on a

2Final Report on the Aeronautical Accident of the B-737 8EH and EMB-135 BJ Legacy. CENIPA.
2008.
114 9 AMP Secondary Sources: Operational Requirements and Changes …

collision course and the transponder of the B737 was not functioning; conse-
quently, the TCAS on both aircraft did not alert their crews. Because they did
not notice the TCAS malfunction, they maintained RVSM separation when the
necessary requirements did not longer exist. The attempts of the B737 crew
and the ATC to establish communication had also been unsuccessful.

9.1.2 Minimum Navigation Performance Specifications

(MNPS)

Minimum Navigation Performance Specifications (MNPS) are prescribed for

flights in defined portions of the air space, based on the Regional Air Navigation
Agreements, in which it is required an enhanced accuracy of the navigation equip-
ment. MNPS allows safe aircraft separation in demanded areas, for example, the
North Atlantic Region (NAT MNPS) and the northern area of Canada (CMNPS).
NAT MNPS3 airspace is applicable between FL 285 and FL 420, and routes are
separated by 60 NM; aircraft operating in the NAT MNPS should have the following
lateral navigation capability:
• standard deviation of lateral track errors less than 11.7 km (6.3 Nm).
• the proportion of the total flight time spent by aircraft 56 km (30 Nm) or more off
the cleared track shall be less than 5.3 × 10–4 .
• the proportion of the total flight time spent by aircraft between 93 and 130 km
(50 and 70 NM) off the cleared track shall be less than 1.3 × 10–4 .
Aircraft not meeting the MNPS operation requirements can only fly in the NAT
area below FL 285 and above FL 420. RVSM is applicable in all NAT MNPS.
The MNPS operational approval is granted by the competent authority and is
based on:
• equipment that meets the required performance,
• navigation displays, indicators, and controls,
• training program for the flight crew, and
• operating procedures (equipment operating limitations, MEL, etc.).
Future implementation of MNPS is not planned. Since 2016, NAT MNPS airspace
is being redesignated to NAT High Level Airspace (NAT HLA) as part of the plan
for the transition from MNPS to Performance-Based Navigation (PBN).

3 North Atlantic Operations and Airspace Manual. ICAO. V. 2020–1.

9.1 Scheduled Requirements Derived from Specific Operation Approvals 115

Scheduled Requirements
While dedicated requirements in the EASA/FAA operation regulations for the imple-
mentation of MNPS ICA in the maintenance program are not found, the operator
is responsible for ensuring that the equipment meets the required performance. If
specific scheduled maintenance tasks are required for the MNPS approval, these
should be incorporated into the Aircraft Maintenance Program.

9.1.3 Performance-Based Navigation (PBN): RNAV and RNP

With the conventional routes, aircraft navigated from a ground navigation station
position (NavAid) to another and so on. Area Navigation (RNAV) concept allowed
to define the aircraft position relative to ground and space-based NavAids (VOR,
DME, GNSS, etc.); the flight path did not require to overflight the ground navigation
stations, and the aircraft could fly to any point within the coverage of the NavAids
used. Required Navigation Performance (RNP) was developed from the RNAV
concept without the necessity of relying on specific equipment or systems. RNAV
and RNP allow more efficient use of the airspace and fuel consumption reduction.
ICAO defines Performance-Based Navigation (PBN) as “area navigation based
on performance requirements for aircraft operating along an ATS route, on an
instrument approach procedure or in a designated airspace”.4
PBN involves the two types of navigation specifications: RNAV and RNP. Both
specifications are considered area navigation; the difference is that while RNP spec-
ification includes a requirement for onboard performance monitoring and alerting,
the RNAV specification is not able to provide assurance of their performance.
RNAV and RNP are designed with a number (RNAV X or RNP X) that refers to
the lateral navigation accuracy in NM which is expected at least during 95% of the
flight.
RNAV 5 may have different designation depending on the region; in Europe is
defined as Basic RNAV or B-RNAV and is mostly developed for en-route airspace.
RNAV 1 and RNAV 2 (before known in Europe as Precision RNAV or P-RNAV)
are used in SID and STAR procedures.
The PBN concept, which did not include vertical navigation originally, has
evolved, and currently, RNP navigation with vertical guidance is used during
approach operations (RNP APCH).
The RNAV/RPN operational approvals are granted by the competent authority
and are based on:
• airworthiness approval (stated in the AFM or other document approved by the
certification authority),
• safety assessment,
• training program for the flight crew,

4 Performance-Based Navigation (PBN) Manual (Doc 9613). ICAO. Fourth Edition—2013.

116 9 AMP Secondary Sources: Operational Requirements and Changes …

• operating procedures (equipment operating limitations, MEL, etc.), and

• monitoring program, if applicable.

Scheduled Requirements
Dedicated requirements in the EASA/FAA operation regulations for the implemen-
tation of RNAV/RNP ICA in the maintenance program are not found. However, the
operator is responsible for ensuring that the performance requirements are main-
tained. If specific scheduled maintenance tasks are required for the RNAV/RNP
approval, these should be incorporated into the AMP.

9.1.4 Extended Diversion Time Operations

(EDTO)—ETOPS/LROPS

ICAO defines Extended Diversion Time Operations (EDTO) as “any operation

by an aeroplane with two or more turbine engines where the diversion time to an
en-route alternate aerodrome is greater than the threshold time established by the
State of the Operator”.5
EDTO modifies the standard in which any twin-engine aircraft is required to
remain no further than 60 min flying time to an en-route alternate aerodrome, and
any aircraft with more than two engines is required to remain within 120 min from
the alternate aerodrome. EDTO provisions allow to increase these diversion times.
In order to guarantee the overall operational safety, specific considerations are
taken for EDTO approval. While for aircraft with more than two engines the most
relevant limitations are the time that the cargo fire protection system can hold fire
and the oxygen supply during the diversion, for two-engine aircraft, there are several
systems (EDTO significant systems) which failure could affect the safety of the
diversion or are specifically important during the diversion, e.g., electrical, including
battery, fuel and navigation systems, engines, APU, etc.
Originally conceived by ICAO as Extended Range Twin-engine Operations
(ETOPS), EDTO widened the concept to incorporate extended range operations for
aircraft with three or more engines. The acronym ETOPS is used in different ways
by regulatory authorities and individuals, e.g.:
• EASA rules are not adapted to the EDTO terminology, and ETOPS is limited to
aircraft with two engines. EASA introduces the Long-Range Operations (LROPS)
concept for extended range operations by aircraft with three and four engines.
• FAA, considering originally ETOPS for aircraft with two engines, redefined the
concept to “Extended Operations”, equivalent to EDTO.
• Happy people use ETOPS as an acronym for “Engines Turn Or Passengers Swim”.
Being ETOPS much more than the capability of an aircraft to reach land without
engines, it sounds funny.

5 Extended Diversion Time Operations (EDTO) (Doc 10,085). ICAO. First Edition-2017.
9.1 Scheduled Requirements Derived from Specific Operation Approvals 117

ICAO Annex 6 requires EDTO aircraft certification for aircraft with two engines
as a prerequisite for EDTO operations; aircraft with more than two engines does not
require EDTO certification specifically but a review of the time capabilities of the
EDTO systems. In this line, the Aircraft Maintenance Program should support the
EDTO operations with tasks that maintain the integrity of the cargo compartment,
pressurization features such as door seals, electrical supply system, engines, and
APU.
The EDTO operational approvals are granted by the competent authority and are
based on:
• EDTO aircraft/engine type design and reliability approval,
• training program for the flight crew,
• operating procedures (equipment operating limitations, MEL, etc.), and
• the operator’s experience.

Scheduled Requirements
The AMP should support the targeted EDTO operation. The tasks related to EDTO are
those impacting EDTO significant systems. Dual maintenance on identical EDTO
significant systems requires special considerations. See Sect. 15.3 for details about
the management of dual maintenance.
An EDTO task may be an existing task with a different interval for EDTO or a
dedicated task for the EDTO operation mandated by the CMP document or derived
from in-service experience (Reliability Program).
The Configuration, Maintenance and Procedures (CMP) document is devel-
oped by the TCH and contains the configuration requirements necessary for
extended diversion time operations: inspections, Life Limits, MMEL constraints,
and maintenance practices.
In addition to the AMP EDTO requirements, EDTO operations require a predepar-
ture service check that includes the EDTO maintenance release and the development
of specific programs for two-engine EDTO, such as Engine Condition Monitoring
(ECM), Oil Consumption Monitoring, or monitoring of the APU In-Flight Start for
the aircraft–engine combination (part of the Reliability Program, see Sect. 17.2.2.3).
EASA considerations for twin-engine ETOPS operational approval, including the
development of an ETOPS maintenance program, are detailed in AMC 20-6. LROPS’s
operational approval for more than two-engine aircraft is still not addressed.
FAA AC 120-42B & 135-42 details the requirements for the ETOPS operational
approval (two or more engine aircraft) and for the twin-engine ETOPS maintenance
program required in 14 CFR 121.374 &135.411.
118 9 AMP Secondary Sources: Operational Requirements and Changes …

Lessons Learned—EDTO (ETOPS) History and the Flights That May

Have Shaken Its Foundation
In 1936, the U.S. Bureau of Air Commerce, the precursor of the FAA, required
the operation of aircraft with two-piston engines to show that available fields for
takeoff and landing were located within at least 100 miles (approx. 160 km)
along the proposed route. The average time to fly over 100 miles with an
inoperative engine was 60 min. In 1953, a 60 min rule was imposed on two
and three-engine aircraft based on the lack of engine reliability, that focused
on piston engines, with flexibility to operate beyond the rule under approval.
In the 1950s, ICAO issued a more flexible recommendation that was imple-
mented by many regulatory authorities outside the U.S.: 90 min diversion time
for two-engine aircraft.
More than a decade later, in 1964, the already formed FAA kept the 60 min
restriction valid for two-engine aircraft, but three-engine aircraft was exempted.
Three and four-engine aircraft became the mambo kings of the intercontinental
skies until the 1980s.
Some Airbus A300 operators had been conducting 90 min overwater oper-
ations since 1976 across the North Atlantic, the Bay of Bengal, and the Indian
Ocean, under the 90 min ICAO rule.
In the 1980s, ICAO formed an ETOPS study group to analyze the feasibility
of extended operations of the new twinjets generation: the Airbus A300-600,
A310, A320 family, A330, Boeing B757, B767, etc. The study group recom-
mended the 60 min restriction unless the aircraft could meet special ETOPS
criteria. It would be later incorporated into the ICAO Annex 6.
In the U.S., at the beginning of the 1980s, during the B767-200ER entry into
service, the Boeing Director of Engineering approached the FAA administrator
about the possibility of an exemption to the 60 min rule, to which the FAA
administrator answered “It’ll be a cold day in hell before I let twins fly long
haul, overwater routes”, a sentence that has become memorable in the ETOPS
history. Despite the initial opposition, the FAA initiated technical discussions
with ICAO, aircraft manufacturers, and operators.
Air Canada Flight 143—Gimli Glider
The FAA discussions hung by a thread when on July 23, 1983, the Air Canada
Flight 143, a Boeing 767 domestic flight operated between Montreal and
Edmonton, Canada, ran out of fuel halfway to its destination. The aircraft
glided to an emergency landing at an Airforce Base in Gimli. There was no
loss of life nor significant injuries amongst the 69 occupants.
9.1 Scheduled Requirements Derived from Specific Operation Approvals 119

The incident became widely known as “Gimli Glider”.6

One day before the event, the aircraft had undergone a routine service check
in which the three fuel indicators (corresponding to the left and right main tanks
and the auxiliary fuel tank) were found to be blank. The technician obtained
fuel indication pulling and deactivating a circuit breaker, then tagged the circuit
breaker as inoperative, and made the corresponding entry in the logbook under
the provisions of the Minimum Equipment List (MEL) that required a fuel drip.
The fuel drip is a procedure to confirm the fuel load by using fuel measuring
sticks located under the wings.

Fig. 9.2 Gimli Glider evacuation. Photo courtesy of Gimli Glider Museum

The next day, the aircraft was flown from Edmonton to Montreal, where
another technician was assigned to perform the fuel drip to satisfy the require-
ments of the MEL. He noted the entry in the logbook and attempted a self-test
of the system by resetting the circuit breaker but was distracted and forgot to
pull the circuit breaker again, so it remained activated. The captain noticed the
blank fuel indicators and the collared circuit breaker and incorrectly assumed
that it was deactivated. Although the MEL only allowed the dispatch of the
aircraft with at least two of the three indicators in operating condition, the

6Final report of the Board of Enquiry Investigating the circumstances of an accident involving the
Air Canada Boeing 767 aircraft C-GAUN that effected an emergency landing at Gimli, Manitoba.
Commissioner George H. Lockwood by order of the Minister of Transport. April 1985.
120 9 AMP Secondary Sources: Operational Requirements and Changes …

captain formed the opinion that he could safely fly the aircraft after the fuel
drip that confirmed the fuel onboard.
In Canada, aircraft was recently started to be fueled and charged in liters.
The Gimli Glider had been delivered in the metric system (using liters and
kilograms). The drip sticks were also calibrated in the metric system, in
centimeters.
Drip tables were provided onboard the aircraft to convert centimeters to
liters, but the conversion from liters to kilograms required a conversion factor
called specific gravity. The conversion factor used twice during the incident
day was 1.77 lbs per liter, while the figure conversion should have been around
0.8 kg per liter.
The aircraft departed from Montreal and landed in Ottawa, on its way to
Edmonton, where it was dripped with the same wrong conversion factor. In
the flight from Ottawa to Edmonton, the aircraft ran out of fuel in flight, both
engines failed, and without power, all the electronic gauges in the cockpit
became blank. After 45 miles gliding, the aircraft effected an emergency
landing in Gimli.
After the Air Canada Flight 143 incident, there existed certain reticence
about the proposals of the Boeing Director of Engineering in regard to the B767
exemption to the 60 min rule. He reacted arguing that under the circumstances
of such incident, all the engines would have shouted down independently of
how many engines the aircraft had.
Finally, in 1985, the FAA issued the AC 120–42 for ETOPS operations
allowing two-engine aircraft to operate on routes up to 120 min from an
adequate airport after demonstration of specific levels of in-service experience
and systems reliability.
The first ETOPS operation (90 min) was conducted in February 1985 by
TWA with a Boeing 767.
The Civil Aviation Authorities of some countries also issued ETOPS rules
during the same period: CAA UK, DGAC France, Transport Canada, DOT
Australia, and CAA New Zealand. Others relied on the guidance provided in
the ETOPS amendments to ICAO Annex 6.
In 1988, the good experience with the 120 min rule led the FAA to amend the
AC 120-42 (120-42A) and allow two-engine aircraft to operate up to 180 min
from an airport. The Advisory Circular revision established an ETOPS oper-
ation approval system based on in-service experience: ETOPS 120 required
12 months experience with the aircraft–engine combination, and ETOPS
180 required 12 months of experience with the aircraft–engine combination
conducting ETOPS 120 operations.
AC 120-42A included provisions for the aircraft and engine design, Main-
tenance Programs, and operations. The new 180 min rule covered more than
9.1 Scheduled Requirements Derived from Specific Operation Approvals 121

90% of the Earth’s surface. The new rules were adopted by ICAO, the JAA,
and other Civil Aviation Authorities.
The industry continued evolving at a fast pace and the new generation of
twinjets started to get approval for ETOPS with greater diversion times that
imposed new requirements at the same time.
In 2001, the Air Transat Flight 236, another gliding incident detailed in
Sect. 10.4, highlighted the risks associated with undetected fuel leaks to aircraft
operating on long-range overwater routes, regardless of the number of engines.
Onboard fire, medical emergency or catastrophic decompression does not
understand about the number of engines of an aircraft. Every aircraft needed
viable diversion times and en-route alternate airports. Three- and four-engine
passenger aircraft may not need extra fuel to reach a diversion airport, but they
needed oxygen supply when loss of cabin pressure happens, means to suppress
or contain a fire, etc.
In 2007, the FAA revised its regulation to incorporate the ETOPS rules
for passenger aircraft with more than two engines for diversions greater than
180 min.
As of today, the aircraft initially certified for maximum diversion is the
Airbus A350XWB with capability approval up to 370 min.

9.1.5 All Weather Operations (AWO)

All Weather Operations (AWO) involve a set of operations conducted when the
visibility is limited in order to allow the flight crew to continue with safe ground
operation, takeoff, departure, approach, and landing. AWO are determined by the
Aerodrome Operating Minima (AOM) and the operator AWO approvals.
AOM are the limits of usability of an aerodrome in terms of:
• Visibility or Runway Visual Range (RVR): RVR is the range at which the pilot
on the centerline of a runway can see its surface markings, its delineating lights,
or its centerline.
• Decision Altitude/Height (DA/DH): altitude/height at which no visual contact has
been established, and the missed approach must be initiated.
• Cloud conditions.
The aerodrome capability depends on the runway and its obstacles, visual
(signals) and no visual aids (instrument approach systems such as Instru-
mental/Microwave/GNSS Landing Systems, etc.), services, and procedures.
The operator capability depends on the aircraft equipment (such as the
ILS/MLS/GLS receiver, the RNAV/RNP system, the Enhanced Vision System
(EVS), the Head-Up Display (HUD), etc.), airworthiness and maintenance require-
ments, and flight crew procedures.
122 9 AMP Secondary Sources: Operational Requirements and Changes …

Table 9.1 LVO approach types

LVO approach type Definition
Lower than standard LTS CAT I Reduced approach and/or runway lighting as an alternative
to the standard lighting systems
CAT II DH: Lower than 60 m (200 ft) but not lower than 30 m
(100 ft)
RVR not less than 300 m
Other than standard OTS CAT II Increased RVR minima at runways with reduced approach
and/or runway lighting systems, as an alternative to the
standard lighting systems
CAT IIIA DH: Lower than 30 m (100 ft) or no decision height
RVR not less than 175 m
CAT IIIB DH: Lower than 15 m (50 ft) or no decision height
RVR less than 175 m but not less than 50 m
CAT IIIC DH: No decision height
No RVR limitations

Low Visibility Operations (LVO) include those AWO under poor weather
conditions in support of:
• Low Visibility Take-Off (LTVO). Takeoff operations under RVR less than 400 m.
• Low Visibility Approach. See Table 9.1 for the LVO approach types defined in
the ICAO Annex 6.
If DH and RVR fall into different categories, the approach is conducted in
accordance with the requirements of the most demanding category.
The use of systems like the Enhanced Vision System (EVS) allows operations
with lower visibility than normal and may require specific approval.
Scheduled Requirements
EASA AMC5 SPA.LVO.105 requires that the Maintenance Program includes the
maintenance instructions for the CAT II, CAT III, and LTVO onboard guidance
systems established by the operator in liaison with the manufacturer.
FAA AC 120-28D & AC 120-29A require that the Maintenance Program addresses
the necessary provisions for LTVO and CAT I/II/III landing in accordance with
the intended operation, the manufacturer recommendations, MRB or equivalent
requirements, or any subsequent mandatory requirement.
FAA AC 90-106A requires that the Maintenance Program incorporates the EVS
manufacturer ICA and identifies any maintenance/inspection required to support the
continued airworthiness of the system.
When the aircraft is designed with any LVO capability, the MRB process may
identify the required scheduled maintenance/intervals, and it is good practice to
reflect it in the AMP preamble; when the LVO capability is introduced through
design changes, it is convenient to identify the associated ICA in the AMP preamble
and reference it in the corresponding LVO tasks.
9.2 Low Utilization Maintenance Program (LUMP) 123

9.2 Low Utilization Maintenance Program (LUMP)

As introduced in the MRBR Sect. 6.1, MSG-3 analysis and MRBR are developed
assuming a specific utilization envelope.
The utilization of an aircraft is function of two factors: availability (period of time
deducting the maintenance time) and the average flight leg time (ratio FH/FC during
a period of time).
A low utilization scenario is usually found in charter operations that are seasonal
or occasional. If the utilization falls below the MRBR limits, it may have a negative
impact on detecting discrepancies that are sensitive to time, e.g., corrosion, seal
degradation, etc.
Low Utilization Recommendations (LUR) are additional requirements established
by the TCH that may consider new interval parameters to existing MRBR tasks or
additional maintenance. Basically, the TCH adjusts the FH and FC limitations of
the tasks that may be affected by the low utilization operation into a calendar-based
program. It does not override MRBR requirements, e.g., if an MRBR is FH-based,
the dual LUR interval will be defined by the FH parameter plus the new LUR calendar
parameter, whichever occurs first.
Each interval parameter (FH, FC, calendar time, etc.) is suitable to detect specific
types of failures and deterioration of the aircraft. In this case, calendar time is appro-
priate for structures that are subject to environmental deterioration, e.g., structure
corrosion, and systems that are exposed independently of the operation.
The following list shows a representative sample of the tasks considered by the
TCH when developing a LUR program:
• servicing tasks, e.g., tasks involving grease and oil subject to degradation,
• tasks required to avoid seal degradation in dry or wet confined spaces, e.g., fuel
tanks, engines,
• tasks requiring fluids flow, e.g., operational test of oil or fuel systems,
• tasks required to ensure system drainage, e.g., fuel tank water drainage,
• task required to avoid microbiological contamination,
• tasks required to detect and avoid corrosion,
• tasks required to detect fatigue,
• tasks required to detect or avoid degradation of inactive systems, e.g.,
avionic/electronic equipment, and
• tasks requiring battery replacement.
Low utilization does not interfere with the provisions for aircraft parking/storage.
During parking/storage, calendar-based maintenance task must be performed before
the aircraft is released, although the owner/operator may decide to accomplish certain
tasks in advance if it is considered beneficial, e.g., corrosion tasks.
The operator is responsible, not only to implement the TCH recommendations
but to evaluate the impact of the low utilization operation on the whole AMP.
Low utilization operations may have a negative impact on the reliability analysis;
the reliability data may be insufficient or not be available to develop an effective anal-
ysis. In this case, the in-service experience that may have been developed previously
124 9 AMP Secondary Sources: Operational Requirements and Changes …

during normal utilization operations may be used, or the TCH may be contacted for
support.
High Utilization
An aircraft loses more value (depreciation), and the operating costs increase when
the utilization increase. High utilization also involves more frequent maintenance
and consequently may induce more maintenance errors that may cause a negative
effect on aircraft reliability and safety.
MSG-3 analysis is carried out under safety and operational principles, but also
under cost-effective criteria. When an aircraft is operated above the utilization
assumptions of the MSG-3 analysis (limits defined in the MRBR), the MRBR tasks
become no cost-effective.
High Utilization programs may be developed by the TCH to ensure that the
maintenance is consistent with the high utilization operation.
The operator should assess the impact of the high utilization operation on the
whole AMP.
When the assessment of the high utilization operation entails a relaxation of task
intervals (escalation or escalation via parameter change), it must be carried out under
the competent authority approval or in accordance with the procedures agreed with
the competent authority.
Transfer of aircraft between AMPs (normal to low utilization and vice versa) is
detailed in Sect. 13.2.

9.3 Miscellaneous Scheduled Requirements

9.3.1 Preflight Check

A Preflight Check contains all the inspections that are required to be carried out
before flight to ensure that the aircraft is fit for the intended flight.
The Preflight Check typically includes:
• A walk-around inspection of the aircraft and its emergency equipment for presence
and condition, including any obvious signs of wear, damage, or leakage:
– The walk-around inspection is usually based on the guidance provided by
the TCH on the Aircraft Flight Manual (AFM) or the Flight Crew Operating
Manual (FCOM).
– The emergency equipment inspection is usually based on the Emergency
Equipment Layout (EEL) that is developed by the operator to satisfy the
operation rules.
• An inspection of the aircraft records and technical logbooks to ensure that there
are no pending maintenance actions that may affect the safety of the flight or that
may become overdue during the flight.
9.3 Miscellaneous Scheduled Requirements 125

• A control of consumable fluids, gases, etc., uplifted prior to flight that should be
of the correct specification, free from contamination, and correctly recorded.
• A control that control surface and landing gear pin locks, pitot/static covers,
restraint devices, and engine/aperture blanks have been removed.
• A control that the external surfaces are free from ice, snow, sand, dust, volcanic
ash, etc., and the icing/anti-icing procedures have been followed.
The Preflight Check is excluded from the definition of maintenance except when
the task is performed by certifying/maintenance staff. Certain requirements, such
as repetitive ADs or ICA maintenance tasks (MRBR, ALS, CMR, etc.), require
maintenance certification, if no otherwise stated; for other requirements, such as the
walk-around, the inspection of the emergency equipment or the inspection of the
aircraft records, etc., it is up to the operator, under agreement with the competent
authority, if the Preflight Check is performed by certifying/maintenance staff or by
the flight crew.
Certifying staff and/or flight crew must be appropriately trained when performing
Preflight Checks. Under certain conditions, the flight crew may be temporarily
authorized (through a limited certifying staff authorization) to accomplish simple
maintenance tasks.
Guidance to develop a Preflight Check is provided in EASA Part-M AMC
M.A.301(a).
EASA Appendix I to AMC M.A.302 (1.1.9) explicitly requires that details of the
Preflight Check maintenance tasks that are accomplished by maintenance staff are
part of the AMP.
In any of the above cases, in accordance with EASA CAT.GEN.MPA.105 and
FAA 14 CFR 91.7, the pilot in command of the aircraft is responsible for ensuring
that the preflight check has been carried out and the aircraft is in condition for a safe
flight.

Lesson Learned—Aeroperu Flight 603

On October 2, 1996, the crew onboard the Boeing 757 Flight 603 operated
by Aeroperu between Lima, Peru, and Santiago de Chile, Chile, noticed that
the altimeters were not responding and declared emergency. While returning to
Lima, the flight became uncontrollable and crashed, killing all the 70 occupants.
The Peruvian Accident Investigation Board7 revealed that the probable cause
of the accident was the obstruction by adhesive tape of the three static ports on
the left side of the aircraft. The B757 had three airspeed and altitude indicators:
The pilot and copilot indicators had separate air data computers that receive
inputs from separate pitot probes and static ports located at both sides of the

7 Report on the Accident of the Boeing 757–200 aircraft operated by Aeroperu. Accident Investiga-
tion Board, Ministry of Transport and Communications, Peru.
126 9 AMP Secondary Sources: Operational Requirements and Changes …

fuselage; the standby indicator was operated directly from an independent pitot
probe and dual static ports. The copilot altimeters and airspeed indicators were
not working, and the crew was over-saturated with the multiple alarms and
warnings that led to the loss of control of the flight.

Fig. 9.3 Aeroperu B757 months before the accident. Photo by Werner Fischdick

The polishing of the lower front part of the fuselage had been scheduled
previous to the flight. The normal procedure instructed to cover the static ports
with adhesive tape to avoid they become obstructed. The presence of the adhe-
sive tape was not detected during the various phases of the task certification,
and the release of the aircraft was handed over to the crew.
During the preflight inspections, the pilot in command did not realize either
that there were lengths of tape covering the static ports.
The recommendations from the investigation included the amendment of the
aircraft maintenance manuals to require to use of brightly colored protective
covers with warning flags attached to place over static ports while cleaning
and polishing the aircraft, that manufacturers such as McDonnell Douglas or
Airbus had already designed. A generic recommendation to carry out better
documented Preflight Checks was issued.
9.3 Miscellaneous Scheduled Requirements 127

9.3.2 Safety/Emergency Equipment

Safety/Emergency Equipment is any provision installed or carried onboard the

aircraft that is required for the safe conduct of the flight and protection of occupants.
Emergency Equipment addresses abnormal or emergency situations that demand
immediate action, including life preservation. For example,

Emergency Locator Transmitter (ELT) Life vests First-Aid Kit (FAK)

Low-frequency ULB Evacuation slides Emergency medical kit
Portable fire extinguishers Life rafts Defibrillator
Protective Breathing Equipment (PBE) Portable lights Survival kit
Oxygen bottles/generators Flashlights Megaphone
Oxygen masks Emergency flares Crash axe
Smoke hoods Emergency markings/lights

Safety Equipment is used during normal operation. For example,

Seat belts Safety cards

Child restraint devices Safety demonstration kit

As specified in the Preflight Check paragraphs, the Emergency Equipment should

be inspected for presence and condition during such inspection. Additionally, the
operator should:
• consider the ICA specified for the equipment installed on the aircraft, and
• comply with the operation regulatory requirements for specific equipment.
The MRB process considers the ICA of the Safety/Emergency Equipment installed
on the aircraft. The operator should also take into account any additional ICA of
equipment installed through modification.
The operator should select the appropriate method of control of the
Safety/Emergency Equipment requirements. Some items, such as the life of the
equipment, may be controlled as Hard-Time or through Inspection Surveys at periodic
intervals, e.g., check of life vests for expiration at periodic intervals and replacement
if the life does not reach the next scheduled event.
Specific regulatory requirements are provided for the:
• First-Aid Kit (FAK) and Emergency Medical Kit (EMK). EASA AMC2
CAT.IDE.A.220 & AMC4 CAT.IDE.A.225 requires that FAK and EMK are
inspected periodically for condition of their content and replenished at regular
intervals (IAW instructions contained on their labels) or after use.
• Emergency Locator Transmitter (ELT). See the next paragraphs.
128 9 AMP Secondary Sources: Operational Requirements and Changes …

9.3.3 Emergency Locator Transmitter (ELT)

ICAO Annex 6—Operation of Aircraft defines Emergency Locator Transmitter

(ELT) as “equipment which broadcast distinctive signals on designated frequencies
and, depending on application, may be automatically activated by impact or be
manually activated”.
ELT devices should be coded and registered with the national agency respon-
sible for search and rescue. In the event of aircraft crash, the ELT will be manu-
ally/automatically activated and will transmit a continuous emergency signal that
will alert the Search and Rescue (SAR) authority about specific information of the
aircraft and its location.
There are five types of ELT:
• Automatic fixed (ELT(AF)): automatically activated, permanently attached to
the aircraft,
• Automatic portable (ELT(AP)): automatically activated, attached to the aircraft
but readily removable,
• Automatic deployable (ELT(AD)): automatically deployed and activated by
impact (and in some cases by hydrostatic sensors). Manual deployment is
provided.
• Survival (ELT(S)): removable from the aircraft, stowed to facilitate its use in an
emergency, and manually activated by survivors,
• Distress Triggered (ELT(DT)): manually or automatically activated by detection
of an in-flight distress event.
Automatic ELTs are activated when the crash acceleration sensor (also called G
switch) detects that a certain force is reached. For new device generations, ELT (DT),
the triggers for automatic activation are defined in EUROCAE ED-237.
In line with ICAO Annex 6, EASA Air Ops CAT.IDE.A.280 establishes the
requirements for the ELTs to be installed on the aircraft for its operation.
Aircraft authorized to carry 19 passengers or less is required to be equipped with
one ELT or one aircraft localization means. If the CofA is issued before July 1, 2008,
the ELT can be of any type; otherwise, it should be an automatic ELT.
Aircraft authorized to carry more than 19 passengers are required to be equipped
with one automatic ELT or two ELTs of any type or one aircraft localization means
if the CofA is issued before July 1, 2008. Otherwise, it should be equipped with
two ELTs, one of which shall be automatic, or one ELT and one aircraft localization
mean.
The FAA 14 CFR 91.207 requires one automatic ELT to be installed on the aircraft
for its operation under Part-121/135. FAA includes certain exceptions to the rule that
deviates from the ICAO standards; for example, aircraft engaged in scheduled flights
by scheduled air carriers or aircraft with a maximum payload capacity of more than
18,000 pounds when used in transportation is exempted of carrying an ELT, unless
operated overwater or remote areas. For overwater or remote areas operations, up to
two Survival ELTs may be required.
9.3 Miscellaneous Scheduled Requirements 129

Scheduled Requirements
EASA Air Ops AMC1 CAT.IDE.A.280 establishes the operational requirements for
the ELT batteries:
• Batteries specifically designed for use in ELTs and having an airworthiness release
certificate (EASA Form 1, or equivalent, e.g., FAA Form 8130-3) should be
replaced (or recharged if the battery is rechargeable) before the end of their useful
life in accordance with the ELT maintenance instructions.
• Standard batteries not having an airworthiness release to service, when used in
ELTs should be replaced (or recharged if the battery is rechargeable) when 50%
of their useful life (or for rechargeable, 50% of their useful life of charge), as
established by the manufacturer, have expired.
FAA 14 CFR 91.207, 121.339/353, and 135.167 exceed the ELT battery
requirement of EASA:
• ELT batteries (in general) should be replaced (or recharged if the battery is
rechargeable) when 50% of their useful life (or for rechargeable, 50% of their
useful life of charge), as established by the manufacturer, has expired.
Additionally, there is an extra recommendation in 14 CFR 91.207 to inspect each
ELT every 12 months for proper installation, battery corrosion, operation of control
and sensors, and radiated signal strength.

Lessons Learned—The Origin of ELT Requirements

On March 11, 1967, the pilot of a Cessna 195 in a flight from Portland to San
Francisco, with his wife and stepdaughter onboard, lost power and crashed
into a snowed forest. The family was injured but survived the crash. They
struggled for survival and finally perished. The bodies and the aircraft were
found 7 months later.
The diary written by the family during that time motivated the U.S.
Congress. In 1971, with three years compliance time, the FAA amended
its regulations to require the installation of Emergency Locator Transmitters
(ELTs) for certain aircraft categories. The rule applied mostly to general avia-
tion, but scheduled air carriers and turbojet aircraft, usually under the air traffic
control system and a flight plan, were exempted as they were considered more
readily located after an accident.
The new rules tarnished soon when in 1972 a Cessna 310, with two members
of the U.S. House of Representatives onboard, disappeared while flying from
Anchorage to Juneau, Alaska, without ELT. The wreckage was never found.
The U.S. Congress wanted to shorten the compliance time imposed a year
before, but it was actually extended given that the FAA started to receive
numerous reports on ELTs false alarms and faults that consumed its resources.
130 9 AMP Secondary Sources: Operational Requirements and Changes …

In 1978, the issue reached such level that the FAA permitted the temporary oper-
ation for 90 days without the ELT while it was inspected, modified, repaired, or
replaced. The several investigations carried out during those years brought to
light that 90% of false alarms were from parked aircraft; battery, crash sensor,
and installation defects, including corrosion, leaks, and short circuits, became
a concern. Their inspection for condition, corrosion, and proper installation
would become a requirement.
Some years later, in a 1996 Christmas evening, a turbojet crashed in New
Hampshire and would not be found until almost three years later. The FAA
ELT rules exemptions for turbojet aircraft were revised; the installation of
an ELT became a requirement for unscheduled turbojet operations, but the
air carriers scheduled non-overwater operations remained exempt. Up to date,
this represents an exception to the ICAO SARPs that basically recommends
an automatic ELT onboard all aircraft.
COSPAS-SARSAT
In 1979, the COSPAS-SARSAT8 satellite system project was launched by
Canada, France, the United States, and the USSR. The COSPAS-SARSAT
satellite network became operational in 1985, and three years later, the system
was available internationally with more participating countries.
When an ELT activates, the system receives the signal, locates the ELT, and
sends the alert to the corresponding SAR authority.
The first generation of ELTs transmitted on analog frequencies of
121.5/243.0 MHz and produced too many false alarms on those frequencies.
The second generation of ELTs, specifically designed for satellite detection and
transmitting on 406 MHz digital technology, offered an enhanced performance:
increased system capacity, improved location accuracy, unique identification
of the transmitter, and global coverage. The 406 MHz ELTs were required by
ICAO from 2008; one year later, COSPAS-SARSAT ceased the reception of
121.5/243.0 MHz signals.
The post-crash functionality and survivability of the ELTs have been in
question since their adoption. Lack of waterproofing, fire protection, or the
damage of the antenna during the impact are concerns that have been exposed
in two of the most impacting accidents of the recent history: the Air France
Flight 447 and the Malaysian Airlines Flight 370.
The effective ELT signal transmission may be degraded by the shielding
effect of the aircraft structure or if its antenna does not remain above water.

8COSPAS, from the Russian, stands for “Space Systems for the Search of Vessels in Distress”;
SARSAT stands for “Search and Rescue Satellite-Aided Tracking”.
9.3 Miscellaneous Scheduled Requirements 131

A review of the aircraft accidents over the last 30 years, carried out as a result
of one of these accidents, revealed that only about 34% of the accident cases
recorded effective ELT activation.
Air France Flight 447
On June 1, 2009, Air France Flight 447, an Airbus A330 en route from Rio de
Janeiro, Brazil, to Paris, France, was lost in the middle of the Atlantic Ocean
with 228 occupants onboard.
The investigation, carried out by the Bureau of Enquiry and Analysis
for Civil Aviation Safety (BEA),9 the French aircraft accident investigation
authority, revealed that the inconsistencies between the airspeed measurements,
due to obstruction of the Pitot probes by ice crystals, caused the autopilot
disconnection and the aircraft went into stall.
The pilots failed to diagnose the situation and did not apply a recovery
maneuver. The aircraft crashed, and all the occupants died on the impact.

Fig. 9.4 Vertical stabilizer of the Air France A330 found in the ocean. Photo by Forca Aerea
Brasileira via LatinContent via Getty Images

9Final report on the Accident to the Airbus A330-203 registered F-GZCP operated by Air France
Flight AF 447. BEA. July 2012.
132 9 AMP Secondary Sources: Operational Requirements and Changes …

The international search operations focused, initially and unsuccessfully, on

possible transmissions from the ELTs and ULBs. One week later, floating
bodies and parts of the aircraft started to be recovered. The wreckage was
found almost two years later at a depth of 3900 m; bodies, flight recorders, and
parts of the aircraft that were useful for the investigation were recovered.
The BEA issued a series of recommendations in order to facilitate the aircraft
localization for public transport flights with passengers operating overwater or
remote areas, e.g., triggering of data transmission and activation of the ELT as
soon as an emergency situation is detected onboard.
Other BEA recommendations for the same aircraft category included the
regular transmission of basic flight parameters (e.g., position, altitude, speed,
and heading), the extension of ULB transmission time to 90 days, an addi-
tional Low-Frequency ULB, or an image recorder that would make possible to
observe the whole instrument panels.
Malaysia Airlines Flight 370
On March 8, 2014, Malaysia Airlines Flight 370, a Boeing 777 en route from
Kuala Lumpur, Malaysia, to Beijing, China, and its 239 occupants disappeared
from the air traffic control radar. The crash area is still under debate.
The international investigations and search operations, led by the Malaysian
ICAO Annex 13 Safety Investigation Team10 and the Australian Transport
Safety Bureau (ATSB),11 did not reveal why the aircraft diverted from the
Flight Plan and later disappeared from the ATC control radar.
During the following two years, over twenty debris items appeared in the
southeastern coast of Africa, Madagascar, Mauritius, and Reunion Islands
that evinced the aircraft had crashed. However, the unknown location of the
wreckage did not allow to determine the real cause of the accident.
The investigation bodies issued a battery of recommendations that came
to complement those issued for the Air France Flight 447 accident: real-time
tracking and more effective ways to determine the aircraft location.

10 Safety Investigation Report—Malaysia Airlines Boeing B777-200ER (9 M-MRO). The

Malaysian ICAO Annex 13 Safety Investigation Team for MH370. July 02, 2018.
11 ATSB Transport Safety Report: The Operational Search for MH370. ATSB. October 03, 2017.
9.3 Miscellaneous Scheduled Requirements 133

Fig. 9.5 Now-missing Malaysia Airlines B777 flying. Photo by Lorenzo Giacobbo

As a result of the Air France and the Malaysian flight events and the recom-
mendations derived from their investigations, ICAO Annex 6 was revised
to incorporate provisions for certain aircraft/operation categories: aircraft
tracking and, for overwater operations, a securely attached Low-Frequency
Underwater Locator Beacon (LF-ULB) device that is able to operate at
8.8 kHz for a minimum of 30 days. LF-ULB offers an increased detection range
in comparison with the frequencies emitted by the flight recorders ULBs.
Changes to the ICAO flight recorder standards derived from these accidents
are detailed in Sect. 9.3.4.
In the recent years, EUROCAE,12 standards reference for ELT manufac-
turing, has also reviewed the ELT specifications with new crashworthiness
standards (ED-62B): crash test, survivability to vibrations, resistance of coaxial
cables, flame tests, etc. EUROCAE has also developed standards for the next
generation of ELTs with capability to activate transmission in-flight triggered
by distress events (ED-237).

12EUROCAE is an organization that develops the most recognized standards for electronic equip-
ment for air transport. EUROCAE activity in regard to ELT and Flight Recorders is linked to
ICAO recommendations and is usually conducted jointly with the Radio Technical Commission for
Aeronautics (RTCA).
134 9 AMP Secondary Sources: Operational Requirements and Changes …

The ELT Lithium Batteries

Several incidents related to lithium-sulfur dioxide batteries, mostly used within
the ELTs, alerted the FAA during the 1970s. The batteries exploded, burned,
or leaked, forming corrosive acid. In 1979, the FAA required to remove these
batteries, affecting approximately 60,000 aircraft, and issued new standards
and requirements.
During recent years, lithium batteries carried onboard the aircraft have been
a matter of concern due to the increased number of flammability and sponta-
neous combustion-related incidents. The problem has not been focused only
on the batteries as personal items or cargo but on the aircraft and component
batteries. In 2013 and 2014, two serious incidents related to the lithium batteries
of the Boeing 787, with several minor injuries, ended with the grounding of
the worldwide fleet.
But in 2013, an ELT-related incident occurred to an Ethiopian Airlines
Boeing 787 that was parked and unpowered in London Heathrow Airport
passed more unnoticed.

Fig. 9.6 Ethiopian Airlines B787 structural damage. AAIB investigation report

A fire was initiated by the uncontrolled release of stored energy from the
lithium battery in the ELT. The fire was extinguished by the firefighters, but the
aircraft suffered extensive heat damage in the upper portion of the rear fuselage,
where the ELT was installed, and the insulation blankets were destroyed.
9.3 Miscellaneous Scheduled Requirements 135

The investigation carried out by the UK Air Accidents Investigation Branch

(AAIB)13 determined that the battery wires crossed and trapped under the
battery compartment cover plate and probably created a short circuit resulting in
the fire. The fire reached the insulation blankets and the composite structure that
acted as fuel. The AAIB issued a series of recommendations related to battery
certification and installation standards, mostly addressed to the certification
authority of the state of design, the FAA.

9.3.4 Flight Recorders

ICAO Annex 6—Operation of Aircraft defines Flight Recorder as “any type of

recorder installed in the aircraft for the purpose of complementing accident/incident
investigation”.
Flight recorders play a fundamental role in the aircraft accident/incident inves-
tigation process. They are designed following established crashworthiness and fire
protection specifications to ensure the data recorded survive an accident/incident.
These specifications are contained in EUROCAE ED-112.
There are four types of crashed protected flight recorders:
• Flight Data Recorder (FDR): it records specific flight parameters data that reflect
the state and performance of the aircraft, e.g., flight path, speed, attitude, engine
power, etc.
• Cockpit Voice Recorder (CVR): it records the voice communications and aural
environment of the cockpit.
• Airborne Image Recorder (AbIR): it records images/video of the cockpit.
• Data Link Recorder (DLR): it records the data link communication messages.
Flight recorder technology has evolved from magnetic type to more reliable
devices based on Solid-State principles that improve the integrity of the data and
the recording capacity.
The most modern aircraft incorporate combined devices known as Cockpit Voice
Flight Data Recorders (CVFDR) with both FDR and CVR functions.
Large aircraft are required to be fitted with:
• an FDR that records the preceding 25 h,
• a CVR that records the preceding 2 h (in EASA, 25 h for aircraft of more than
27,000 kg), and

13Report 2/2015 on the serious incident to Boeing B787-8, ET-AOP London Heathrow Airport.
Air Accidents Investigation Branch (AAIB). August 19, 2015.
136 9 AMP Secondary Sources: Operational Requirements and Changes …

• when the aircraft has data link communications capability, under some conditions,
the data should be recorded in a dedicated device, DLR, or make use of the FDR,
CVR, or CVFDR. The duration must be the same as the specified for the CVR.
Compliance with FDR and CVR requirements can be achieved by two CVFDR.
While aircraft accident investigators recommend the use of Airborne Image
Recorders (AIRs) that could contribute to determine the causes of an aircraft acci-
dent, its use is still being discussed due to flight crew organizations’ concerns about
privacy.
The location of the flight recorders must be traceable following an aircraft acci-
dent/incident. No-deployable flight recorders are fitted with an Underwater Locator
Beacon (ULB), which is an acoustic device activated by immersion in water,
and Deployable flight recorders are fitted with an automatic Emergency Locator
Transmitter (ELT).
Due to recent aircraft accident events, the regulatory requirements for the duration
of the signal transmitted by the flight recorder ULB have changed from 30 to 90 days.
Scheduled Requirements
In line with ICAO Annex 6 Appendix 8, EASA Air OPS CAT.GEN.MPA.195 (b)
requires that the operator conducts operational checks and evaluations of FDR record-
ings, CVR recordings, and DLR to ensure their continued serviceability. The limits
are established in AMC1 CAT.GEN.MPA.195(b):
• inspection of the FDR recording and the CVR recording every year with certain
exceptions, e.g., when the systems are monitored for proper operation and
– the flight recorders are Solid State, and the inspection may be up to two years.
– the aircraft is fitted with two Solid-State CVFDR and shares the same flight
data acquisition, and the inspection of the recording needs only to be performed
alternately for one recorder position at time intervals not exceeding four years
(one SSCVFDR should be inspected every two years).
• inspection every five years, or sensor manufacturer recommendations, that the
FDR parameters not monitored by other means are being recorded within the cali-
bration tolerances and that there is no discrepancy in the engineering conversion
routines for these parameters.
• inspection of the Data Link Recorder (DLR) every five years,
• when installed, the aural or visual means for preflight checking the flight recorders
for proper operation should be used every day. When no such means are available
for a flight recorder, the operator should perform an operational check of this
flight recorder at time intervals not exceeding seven calendar days of operation.
Further guidance for the inspection procedures is provided in the Guidance
Material.
It is recommendable to establish the corresponding cross-references between
AMP tasks and the regulatory requirements.
9.3 Miscellaneous Scheduled Requirements 137

Misaligned in regard to the ICAO Annex 6 Appendix 8, the FAA does not have
a specific regulation that requires operational checks and evaluations of the flight
recorders to ensure their continued serviceability. However, the FAA does require
this maintenance function to be carried out as part of the ICA. Such difference is
published as a deviation from the ICAO standards.

Lesson Learned—The Flight Recorders Requirements

Early flight recorders have been available since the end of the 1930s. The
technology used consisted in metal foils to record flight parameters and wire
recording for audio; in many cases, the data were not sufficient for the aircraft
accident investigators to determine the causes.
In 1941, the Civil Aeronautics Board (CAB), predecessor of the FAA, issued
a new rule to require a simple type of recording device for certain carriers;
three years later, it was found that operators could not properly maintain the
recorders during the wartime and rescinded the rule. In 1947, it was reinstated
for scheduled air transportation, but one year later, it was rescinded again as
there was no recording device of proven reliability still available.
The second generation of flight recorders came during the mid-1950s from
the hands of David Warren, an Australian research scientist that had lost his
father about 20 years before during one of the earliest air disasters. David
was involved in the investigation of the repeated accidents of the de Havilland
Comet, the first jet commercial aircraft, when he came with an innovative idea:
the design of a device able to record flight data and voices and sounds in the
cockpit.
The recorders technology stepped forward; the use of magnetic-type
recorders allowed to record more data, erase, and rerecord.
The advanced versions of the prototypes designed by Warren are nowadays
installed on most of the commercial aircraft.
De Havilland Comet
The numerous hull losses of de Havilland Comet aircraft had started in 1953,
one year after its entry into service, with the first passenger jetliner involved in a
catastrophic accident; it was a delivery flight to Canadian Pacific Airlines with
a technical stop at Karachi, Pakistan. The aircraft crashed during the takeoff
and killed its 11 occupants.
The accident was attributed to the error of the pilot. Between 1953
and 1954, other three de Havilland Comet aircraft crashed, this time due
to structural failure, killing everybody onboard, a total of 99 people. The
de Havilland Comet fleet was grounded until 1958, when the aircraft reap-
peared with a redesigned structure. In the same year, the Boeing 707 went into
service; Boeing, with the 707, and McDonnell Douglas, with the DC-8, had
learned the lesson and would eat the cake during the following years.
138 9 AMP Secondary Sources: Operational Requirements and Changes …

Fig. 9.7 First De Havilland Comet 4 rolls out of its hangar in 1958. Photo by PA Images
via Getty Images

ICAO and regulatory authorities worldwide started to require an FDR, in the

first instance, and soon after a CVR. In 1957, the FAA approved a rule requiring
an FDR onboard air carrier commercial aircraft and large aircraft. The FDRs
had to be capable of recording time, airspeed, altitude, vertical acceleration,
and heading. In 1964, a new rule required also a CVR. The CVR would provide
the cockpit conversation of the crew during the last 30 min of the flight that
would supplement the FDR data during the accident investigations.
Although a large series of unrecovered recorders have been accumulated
since their implementation, these devices have become invaluable during
numerous aircraft accident investigations. The requirement for recorders was
progressively expanded for other types of aircraft/operation during the next
years.
United Airlines Flight 389
Likely, Flight 389 appeared as one of the greatest frustrations after the imple-
mentation of the recorder’s rules. The CVR requirement, issued in 1964 but
with three years compliance time, was still not implemented within the Boeing
727 operated as Flight 389 by United Airlines.
9.3 Miscellaneous Scheduled Requirements 139

On August 16, 1965, after only two months of service, the aircraft, en route
from New York to Chicago, crashed into the Lake Michigan, killing all the 30
occupants. FDR cover parts were recovered but nothing about the recording
itself.
The results of the NTSB investigation did not find evidence of any system
or structural failure, and it was not possible to determine the causes of the
accident.14
Crashworthiness specifications (TSO C51a) would be enhanced soon after
in 1966: impact resistance changed from 100 g for 11 ms to 1000 g for 5 ms.
Crashworthiness and fire protection specifications have continued devel-
oping until the present days.
The third generation of flight recorders appeared during the 1990s: the
Solid-State flight recorders stored data in semiconductors memories or inte-
grated circuits, allowing to record a much larger quantity of data. Solid-State
technology has no moving parts; maintenance and power consumption are
minimized, and data retrieval is easier.
The Boeing 737 Rudder
During the 1990s, several incidents and two accidents related to a design flaw
of the Boeing 737, in which a limited amount of data was available to determine
the causes, would change the FDR rules.
On March 3, 1991, an United Airlines Boeing 737, operating as Flight
585 from Denver to Colorado Springs, Colorado, lost control and pitched nose
down until it reached a nearly vertical attitude that ended with crash. All the 25
occupants were killed, and the aircraft destroyed by the impact and fire. The
NTSB investigation15 determined that could not identify conclusive evidence
to explain the loss of the aircraft. Three years later, a second crash would
elucidate the cause: the rudder Power Control Unit.
On September 8, 1994, the Boeing 737 operated by USAir as Flight 427
from Chicago to Pittsburgh entered on uncontrolled descent during the landing
maneuvering and impacted terrain. All the 132 occupants were killed, and the
aircraft ruined by the impact and the fire. The NTSB investigation16 revealed

14 Aircraft Accident Report—United Airlines B-727, N7036U, in Lake Michigan. NTSB. August
16, 1965.
15 Aircraft Accident Report—United Airlines Flight 585, Boeing 737-200, N999UA, 4 Miles South

of Colorado Springs. NTSB. March 27, 2001, amending December 1992 report.
16 Aircraft Accident Report—USAIR Flight 427, Boeing 737-300, N513AU near Aliquippa,

Pennsylvania. NTSB. March 24, 1999.

140 9 AMP Secondary Sources: Operational Requirements and Changes …

not only the cause of this accident but the cause of the United Airlines Flight
585 disaster and the B737 rudder design defect.

Fig. 9.8 U.S. Air Boeing 737 Flight 427 crash site. Unattributed

The B737 rudder surface deflected in a direction opposite to that commanded

by the pilots due to a jam of the main rudder Power Control Unit (PCU), the
hydraulically powered device that moves the rudder. The FAA issued several
Airworthiness Directives that included the replacement of the rudder PCUs.
The NTSB claimed that the FDRs involved in the accidents recorded very
limited amount of data (5 and 13 parameters, respectively) and recommended
the acquisition of additional parameters that would have been useful during
the investigations: control wheel position, rudder pedal position, flight control
surface (rudder, aileron, and spoiler) positions, or lateral acceleration. In 1997,
derived from the NTSB recommendations, the FAA adopted several changes
for certain aircraft/operation categories: retention of the parameters recording
for 25 h and gradual increase of the parameters to be recorded from 29 to 88.
Recent History
During the investigation of the MD-11 Swissair Flight 111 accident occurred
in 1998, detailed in Sect. 6.1.6.3, shortcomings related to the duration of the
CVR recordings, the supply of electrical power to the FDR, and the use of the
same generator bus were identified. When the aircraft power to the recorders
was interrupted, they stopped recording. As a result of the Canadian TSB
recommendations, new requirements were introduced in the standards and
9.3 Miscellaneous Scheduled Requirements 141

rules: increased CVR recording capacity from 30 min to, at least, two hours; a
dedicated independent supply source for the CVR, if the aircraft power source is
interrupted, for a period of 10 min; and separate generator buses to power each
recorder. FAA implemented the TSB recommendations in 2008, and EASA
integrated them in 2015 together with the recommendations derived from other
accidents.
In 1999, derived from the Swissair and other accidents, the NTSB issued
additional recommendations: the use of deployable recorders and video
recorders. Deployable recorders have been used in military and helicopter
applications since the 1960s. Their advantage resides in the floatability proper-
ties; there is no need for ULB, and because the ELT antenna remains overwater,
the signal is detectable, and the recorder can be recovered quicker. It would
take a few more accidents until provisions (no requirements) were made for
these devices. On the other hand, in regard to video recorders, the opposition
of pilots associations, that consider it a breach to their privacy, has blocked any
way of progress until today.
The flight recorders measures adopted from the catastrophic Air France and
the Malaysian flights seen in Sect. 9.3.3, also modeled the requirements: Non-
deployable flight recorder ULBs should operate for a minimum of 90 days, and
provisions for Automatic Deployable Flight Recorder (ADFR) with integrated
ELT were introduced.
Note: not related to the Malaysian flight accident causes but highlighted
during the investigation is the fact that the SSFDR ULB battery had expired
in December 2012, more than a year before the event. The effectiveness of the
ULB decreases past the expiry date until discharge, so its operation would not
have been guaranteed.
In 2015, EASA implemented a new requirement for certain newly manu-
factured large commercial aircraft to extend the CVR recording time to 25 h.
The rule addressed the lack of enough data during the incident/accident inves-
tigations, in many cases, due to overwritten data. The ICAO standards adopted
the rule; the FAA is pending of action of this ICAO standard despite the NTSB
recommendation.

9.3.5 Weight and Balance

ICAO Annex 6 requires that the Weight of the aircraft and Center of Gravity location
are such that the flight can be conducted safely. Additionally, operators look for the
most efficient operation, which starts with the proper loading of the aircraft.
The aircraft tends to gain weight during its life due to a wide range of factors:
accumulation of grease and oil, moisture, repaint, new equipment, modifications,
142 9 AMP Secondary Sources: Operational Requirements and Changes …

repairs, etc. The operator is responsible for ensuring that the weight and balance
records are updated when a change occurs.
The Weight and Balance can be obtained by:
• weighing of the aircraft or
• calculation from the previous aircraft weighing if the changes are known.
Once the operator knows the aircraft empty weight and the position of its Center
of Gravity (CG), by adding the passenger, cargo, and fuel loads, the weight of the
aircraft and CG can be estimated for the entire flight.
As a scheduled action with a direct effect on the airworthiness of the aircraft, for
control and compliance purposes, it is recommendable to incorporate the Weight and
Balance task into the AMP, referencing the corresponding regulatory requirement.
Scheduled Requirements
ICAO does not establish specific periods for the weigh and balance of the aircraft but
recognizes the importance of developing a program to satisfy the Annex 6 require-
ments. Updated Weight and Balance report is a requirement for the Certificate of
Airworthiness (CofA) and the Airworthiness Review Certificate (ARC, only for
EASA).
EASA Air Ops CAT.POL.MAB.100 (b) requires that the operator establishes the
weight and the CG of any aircraft:
• by actual weighing prior to initial entry into service (given by the OEM/TCH)
and
• thereafter at intervals of
– four years if individual aircraft masses are used, or
– nine years if fleet masses are used.
The accumulated effects of modifications and repairs on the Weight and Balance
shall be accounted for and properly documented. Aircraft shall be reweighed if the
effect of modifications on the weight and balance is not accurately known.
In line with the recommendations provided in the ICAO Airworthiness Manual
Doc 9760, EASA AMC1 CAT.POL.MAB.100(b) provides guidance to make use of
the fleet masses for a group of aircraft of the same model and configuration under
certain conditions. The interval between two fleet mass evaluation should not exceed
48 months, and during that time, the operator should weigh a certain number of
aircraft (being n the number of aircraft in the fleet):
• if the fleet is composed by 2 or 3 aircraft: n,
• if the fleet is composed by 4 to 9 aircraft: (n+ 3)/2,
• if the fleet is composed by 10 or more aircraft: (n + 51)/10.
The aircraft selected should be those that have not been weighed for the longest
time.
9.3 Miscellaneous Scheduled Requirements 143

FAA 14 CFR 125.91 requires that the current mass and CG are calculated from
the values established by the actual weight of the aircraft within the preceding 36
calendar months.
The use of fleet masses is detailed in AC 120-27F, following the ICAO
recommendations, and is equivalent to the prescribed in the EASA AMC.
Chapter 10
Components Maintenance Program

The basis for the Component Maintenance Program, part of the Aircraft Mainte-
nance Program, are provided by the regulatory requirements and the manufacturer’s
Instructions for Continued Airworthiness (ICA): scheduled maintenance tasks, Life
Limited Parts, overhaul, etc. The basic program should be further developed by the
operator based on the inputs from the Reliability Program.
The maintenance of components can be performed:
• On-wing, with the component installed on the aircraft (e.g., component instruc-
tions provided in the AMM), or
• Off-wing, at shop (e.g., component instructions provided in the CMM).
During the development of the ICA, the TCH takes into consideration the main-
tenance recommendations given for the components. These recommendations and
instructions may be adopted in the ICA to be performed On-wing or Off-wing.
The ICA should identify and provide with guidance for the maintenance that is to
be controlled at component level. Any other decision to control a task at component
level should be originated from the regulation, the Reliability Program, or warranty
reasons. For example, the MRBR is based on the probability of failures; although
a task may look apparently a component task, the intent could be to evaluate the
behavior of such component when it is installed on a system. In this case, there would
be no need to control the system task at component level but aircraft level. Tasks
requiring component-level control are identified in the ICA.
Some of the component requirements have been already introduced throughout the
chapters of this book: regulatory requirements for the Emergency/Safety Equipment,
ELT, FDR, and CVR.
The inadequate management of component requirements may be a source of
hazards and lead to mistakes or omissions. The focus is on the following processes:
• component acceptance, e.g., control of the acceptance standards of new or
maintained components,
• component robbery, e.g., control of parts removed from one aircraft or component
to be fitted in another,
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 145
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_10
146 10 Components Maintenance Program

• configuration control, e.g., control of the design or build standard of the aircraft
or components such that it remains within the approved data standards.
This chapter introduces the Acceptance of Components, the Maintenance Program
of specific components [Evacuation Slides, as a representation of components main-
tenance, and complex systems such as the Landing Gears and Powerplants, including
Propellers, and Auxiliary Power Units (APU)], and highlights the importance of
adequate Configuration Management and Robbery procedures.

10.1 Acceptance of Components

The Component Repair Cycle is the process since a component is removed from
service until it is restored to a serviceable condition.
A component is considered unserviceable when its life limit has expired, does not
comply with mandatory requirements (AD, ALS, etc.), it is not possible to determine
its airworthiness or eligibility for installation, has evidence of defects/malfunctions,
or its serviceability is affected by an incident/accident.
The mechanic will remove the unserviceable component from the aircraft that
will be properly tagged to prevent its use. Items with expired life limit and those
with non-reparable defects are classified unsalvageable and discarded/mutilated in a
controlled manner. The repairable items enter in the Component Repair Cycle.1
The Component Repair Cycle involves the following activities:
• Removal of Unserviceable component,
• Unserviceable tagging,
• Warehouse and shipping to Repair Shop (internal/external),
• Repair/Overhaul,
• Shipping from Repair Shop,
• Receiving/Acceptance of the component,
• Warehouse receives and issues the serviceable component,
• Installation of Serviceable Component.
The reason for removal should be considered, as well as other potential mainte-
nance from the AMP and modifications/repairs, when defining the component Work
Scope.
Considerations for repair or overhaul should go beyond the reason for removal; a
repair can lead to more events in the long term.

1 Best Practices for Component Maintenance Cost Management. IATA. Second Edition—2015.
10.1 Acceptance of Components 147

10.1.1 Component Authorized Release Certificate

Components that are in Serviceable condition should be accompanied by an autho-

rized release certificate; it may be an EASA Form 1, FAA Form 8130-3, or
an equivalent document.
EASA Form 1 and FAA Form 8130-3 can be issued by approved production
organizations for new components or by approved maintenance organizations for
components that have undergone maintenance.
Maintenance of components should only be performed by an approved mainte-
nance organization.
The EASA Form 1, FAA Form 8130-3, or equivalent document should include
the basis in which the component is released:
• Component identification (Part Number and Serial Number) and description,
• Components Status: new/prototype for components released by production orga-
nizations and Overhauled/Inspected/Tested/Repaired/Modified for components
released by maintenance organizations,
• Remarks: maintenance data used, compliance with AD and SB, modifica-
tions/repairs, replacement parts installed, Life Limited Parts status, etc.
The procedures to fill an EASA Form 1 are detailed in EASA Part 21 Appendix
I to Annex I and Part M Appendix II for production and maintenance organizations,
respectively.
The procedure to fill an FAA Form 8130-3 is detailed in the FAA Order 8130.21G.
Under the EU-US BASA, EASA and the FAA recognize each other design
approvals, allowing the installation of new components of the other regulatory envi-
ronment when accompanied with its release certificate. However, used components
approved for return to service are eligible for installation on the other regulatory
environment only when accompanied by an authorized dual release. A Dual Release
EASA Form 1 or a Dual Release FAA Form 8130-3 make use of the appropiate boxes
(12 and 14) of the certificate itself to reference compliance with the other regulation,
as appropriate.

10.1.2 Conformity Documentation/Statement

Standard parts (e.g., fasteners, bearings, seals, pins, etc.), Raw material (e.g.,
metal, plastic, fabric, etc.), or Consumable material (e.g., lubricants, compounds,
paints, sealants, etc.) should only be fitted/used to/on an aircraft or component when
it is accompanied by a Certificate of Conformance (CoC) or conformity statement
that means the part or raw/consumable material adapts to the applicable standards.
148 10 Components Maintenance Program

For Standard Parts, an EASA Form 1/FAA Form 8130-3 may be issued in lieu of
a CoC or a conformity statement. EASA Form 1/FAA Form 8130-3 should not be
issued for Raw/Consumable material.

10.1.3 Suspected Unapproved Parts (SUP)

Suspected Unapproved Parts (SUP) are those that apparently do not meet the
applicable requirements to enter the aviation system: lack of proper documentation,
defective parts rejected during production, parts improperly maintained, military
parts that do not meet the civil certification requirements, supplier parts without the
authorization of the approved manufacturer, parts that have reached a design life
limit, parts that have been damaged beyond repair, or directly counterfeit parts.
Certain situations may raise questions: price or delivery schedule much lower
than those given by other distributors, unidentified distributors, inability to provide
substantiating documentation, damaged packaging, packaging without distributor
identification, or tampered part identification (P/N & S/N).
A SUP may compromise the airworthiness of the aircraft, and its installation is
not allowed. The organization must report any Suspected Unapproved Parts (SUP) to
EASA or the FAA, as corresponds, for its investigation. The investigation determines
the safety concerns and traces the parts to their source; if considered, the SUP is
removed from the aviation system.
The SUP cased under investigation and the already confirmed Unapproved Parts
are published in the EASA and FAA Web sites.
Guidance for detecting and reporting SUP is provided in EASA SIB 2017-13R1
and FAA AC 21-29D.

10.1.4 Organization Responsibilities

The Maintenance Organization must ensure that the component is eligible to be

installed on the aircraft based on:
• the component release certificate (EASA Form 1, FAA Form 8130-3 or equiv-
alent document) or Certificate of Conformance (CoC)/conformity statement, as
applicable,
• the maintenance data: AMP, IPC, regulatory requirements, ADs, SBs, modifica-
tions, specifications, etc.,
• applicable configuration standards defined by the operator.
Guidance related to acceptance of components/parts is provided in EASA AMC
145.A.42 and FAA AC 20-62E &AC 20–154 (Figs. 10.1 and 10.2).
 10.1 Acceptance of Components

Fig. 10.1 EASA form 1 template (Part-145)

149
150 10 Components Maintenance Program

Fig. 10.2 FAA form 8130-3 template

10.2 Component Maintenance Manuals (CMM) 151

10.2 Component Maintenance Manuals (CMM)

A Component Maintenance Manual (CMM) is a document that provides

instructions to maintain and restore a component. It includes the procedures for
assembly/disassembly, cleaning, inspection, check, repair, and also the component
limitations.
While the Aircraft Maintenance Manual (AMM) provides instructions for the
maintenance of the aircraft and on-wing maintenance of its components, the CMM
details the instructions for off-wing (in-shop) maintenance. It is only allowed to
accomplish CMM tasks on-wing when it is referenced specifically in the AMM.
When an ICA makes reference to the use of a CMM, the CMM becomes part of
the ICA, and the design holder should make it accessible to the operator.
CMM recommendations are taken into consideration by the DAH when devel-
oping the ICAs, e.g., during the MSG-3 analysis.
It is not required that the operator reviews the CMM for every single component
of the aircraft; however, the minimum list should include the CMMs of the compo-
nents identified as critical by the DAH during the certification process. These critical
components usually have a life limitation, an inspection, or some kind of mainte-
nance requirement that is already specified in the ICAs. The operator is responsible
for assessing the suitability of such recommendations under an Embodiment Policy
and the Reliability Program.
The CMMs may define more restricted requirements than those adopted by the
DAH and the operator should review them.

10.3 Details of Specific Component Programs

10.3.1 Evacuation Slides

The maintenance of Evacuation Slides is representative of the actions necessary for

a component to comply with its design and remain in condition for safe operation; it
means an airworthy component. The Evacuation Slides program typically includes
scheduled repetitive maintenance (checks, inspections, etc.), overhaul, life/service
limitations, and sampling.
An Evacuation Slide is an inflatable device considered as Emergency Equipment
as defined in Sect. 9.3.2, that assists in the evacuation of the occupants of an aircraft
in descending to ground.
Evacuation Slides are automatically deployed but should include means to prevent
the deployment under non-emergency conditions.
The Slides are a requirement for non-over-wing exits more than 1.8 m from the
ground and over-wing emergency exits under certain specifications. The details are
described in EASA/FAA CS/FAR 25.810, and complete guidance is provided in FAA
CS 25-17A Transport Airplane Cabin Interiors Crashworthiness Handbook. Design
requirements are related in the EASA/FAA ETSO-C69c/TSO-C69c.
152 10 Components Maintenance Program

Evacuation Slides Configuration

Depending on the performance specifications required for the emergency evacuation,
the Evacuation Slides can be classified as:
• Type I: inflatable slide suitable for assisting occupants in descending from a
floor-level aircraft exit or from an aircraft wing,
• Type II: inflatable slide also designed to be used as a life raft, i.e., a slide/raft,
• Type III: inflatable exit ramp suitable for assisting occupants in descending to an
aircraft wing from certain over-wing exits,
• Type IV: combination inflatable exit ramp and wing-to-ground slide.
A typical Evacuation Slide contains the following elements:
• Packboard/Stowage device,
• Inflatable assembly: air retaining fabric structure,
• Inflator assembly:
– Gas generator: supplies high-pressure hot gas,
– Cylinder: cools the gas from the generator,
– Control valve: releases the gas to the inflatable assembly.
Likely, the Evacuation Slide manufacturer recommends slide overhaul at specific
intervals and establishes life, service limits, and hydrostatic test for the gas generator
and the cylinder.
Scheduled Requirements
Evacuation Slides are subject to the MSG-3 analysis under the MRB process and to
the System Safety Analysis (SSA) that may lead to the adoption of Airworthiness
Limitations. These analyses take into consideration the maintenance recommenda-
tions given by the manufacturer in the CMM that are based on specific tests for the
slide certification, e.g., material, pressure retention, water, radiant heat, evacuation
rate, beam strength, attachment means test, etc.
The result of these tests, analysis, and evaluations usually concludes with three
types of maintenance requirements:
• Scheduled maintenance tasks
– MSG-3 analysis may require a Sampling Program for the Evacuation Slides
of the operator’s fleet, usually deployment at defined intervals for alternating
slide locations, in order to confirm that there are no unexpected degradation
characteristics.
• Evacuation Slide Overhaul
• Evacuation Slide Life and Service Limitations.
Evacuation Slides are usually designed in the way the Overhaul times support the
Life and Service Limitations.
10.3 Details of Specific Component Programs 153

Evacuation Slides Maintenance Program

The MSG-3 analysis, the Reliability Program, and applicable regulatory require-
ments define the incorporation of these recommendations into the AMP.
It is recommendable to structure the AMP Evacuation Slide component require-
ments in regard to the slide configuration. Although the Overhaul time usually
supports the Life and Service Limitations of internal components (inflator assembly
components), it should be ensured by the operator in a controlled manner.
Special Considerations—Storage
The Evacuation Slide Overhaul period usually starts from the Date of Manufacture
for new slides or Date of Overhaul for slides that have undergone restoration. When
the Evacuation Slide has been under controlled storage before installation on the
aircraft, the manufacturer may allow certain alleviation for the accomplishment of
the next Overhaul. Such credit should be stated accordingly in the component release
form (EASA Form 1, FAA Form 8130-3 or equivalent), but storage procedures are
not part of the scheduled maintenance and, therefore, not part of the AMP.

10.3.2 Landing Gear

The Landing Gear (LG) is the system that supports the weight of the aircraft and
allows the operation while it is on ground and facilitates the takeoff and landing
procedures.
LG Configuration
The Landing Gear configuration depends on the design; larger and heavier aircraft
incorporates more complex landing gear arrangements with more wheels per landing
strut.
The most common LG configuration on large aircraft is the retractable tricycle
type. It is a Nose Landing Gear (NLG) and two LGs aft the Center of Gravity, usually
located under each wing (Wing/Main Landing Gear). Most of the Airbus and Boeing
models are in this configuration.
Heavier aircraft, such as the Airbus A340, A380, and the Boeing 747, requires
additional support with a LG located in the central fuselage (Body Landing Gear).
The number of wheels also increases with the weight: from a total of six wheels
in the Airbus A320 or the Boeing 737 to 18 wheels in the Boeing 747 or 22 wheels
in the A380.
Each LG within the aircraft has its own configuration, e.g., features for the steering
of the aircraft may be incorporated only on the NLG or additionally on the BLG for
larger aircraft, modern aircraft only incorporate brake units on the WLG/BLG, etc.
The structural configuration of the LG comprises several assemblies, e.g., fitting,
shock absorber, strut, piston, cylinder, bogie beam, axle, drag/sidestay braces, unlock
actuator, retraction actuator, etc. Likely, most of these assemblies require overhaul
as part of the complete LG Overhaul. Additionally, these assemblies contain Life
Limited Parts that are to be considered during the development of the LG Overhaul
Work Scope.
154 10 Components Maintenance Program

Scheduled Requirements
The structure of the Landing Gear and related points of attachment are examined
during the MRB process to identify requirements that prevent structural failures due
to Accidental Damage (AD), Environmental Deterioration (ED), including corro-
sion, or Fatigue Damage (FD). Damage Tolerance (DT) and Widespread Fatigue
evaluations of the LG are carried out to establish Airworthiness Limitations to avoid
catastrophic failures during the operational life of the aircraft.
Older aircraft are assessed for Damage Tolerance (DT) and corrosion through
specific programs (SSIP and CPCP).
The actuating portions of the LG are treated as system components and are subject
to the MSG-3 analysis during the MRB process and the System Safety Analysis
(SSA), but also to the Damage Tolerance and Widespread Fatigue evaluations.
The LG is a critical system of the aircraft and requires specific functional,
structural, fatigue, environment, shock absorption tests, etc., for certification. The
result of these tests, analysis, and evaluations usually concludes with three types of
maintenance requirements:
• Scheduled on-wing/off-wing maintenance tasks,
• LG Overhaul,
• LG Life Limited Parts (LLP).
As for other systems, the Reliability Program plays an important role in optimizing
the LG maintenance, and certain parameters, such as the Mean Time Between Failures
(MTBF) and the Mean Time To Repair (MTTR), should be closely monitored.
The LG Overhaul provides four additional maintenance opportunities:
• Accomplishment of scheduled maintenance tasks on the aircraft, that being
not part of the Overhaul, is suitable to be performed at the time of the LG
removal/installation due to exposure of the area.
• Accomplishment of maintenance tasks on LG components during the Overhaul,
e.g., inspection of LG Line Replaceable Units (LRU).
• Replacement of LG LLPs. LG is usually designed, so the Overhaul times support
the Life Limits.
• Embodiment of LG modifications/repairs.
The selection of the Overhaul period for a newly certified LG should ensure its
integrity until it is validated through the MRB process based on service experience
(sampling of selected representative LG in service).
The standards for the design of the Landing Gear are set in EASA CS-25 and
FAA 14 CFR 25.
LG Maintenance Program
It is recommendable to structure the AMP LG component requirements respecting
the LG Configuration as far as practicable. It means ordering the requirements in
regard to the assemblies and subassemblies.
10.3 Details of Specific Component Programs 155

If no guidance is given by the DAH, developing a LG Component Maintenance

Program based on the LG Configuration may require an exhaustive evaluation of
the documentation, e.g., LG Overhaul manual, LG component CMMs, schematic
diagrams, etc. However, a structured program not only ensures a proper corre-
lation between the LG configuration and the requirements but also facilitates the
development of the LG Work Scopes.

10.3.3 Powerplant, Thrust Reverser, and Auxiliary Power

Unit (APU)

The Powerplant is the primary system necessary for the propulsion of the aircraft:
engine and propeller, if applicable.
Commercial aircraft is usually fitted with turbine engines, where the intaken air
is compressed (compressor), the fuel ignited in the compressed air (combustion), the
turbine turned due to the energy of the ignition, and the remaining energy exhausted
in the form of hot compressed gases. Basically, there are two types of turbine engines:
• Turbofan: the turbine drives a fan at the front of the engine.
• Turbopropeller: the turbine drives a Propeller at the front of the engine.
The thrust is the reaction of the engine in the opposite direction of the exhausted,
hot compressed gases. Reverse thrust is necessary to reduce the speed of the aircraft,
e.g., during landing. Reverse thrust is achieved through:
• A Thrust Reverser device for turbofan engines. It reverses the flow of the exhaust
gases.
• Reverse pitch for turbopropeller engines. It is created by turning the angle of
attack of the blades to a negative pitch.
Engines and Propellers are defined by their own type design, but Thrust Reverser
devices may be declared as part of the engine type design or be certified with the
aircraft.
On the other side, the Auxiliary Power Unit (APU) is a type of engine whose
purpose is to provide with pneumatic and electrical power to the aircraft.
Powerplant, Thrust Reverser, and APU Configurations
The Powerplant (Engine and Propeller, if applicable) and Thrust Reverser Configu-
rations depend on their type design.
Modern turbofan engines are usually built-in modules, so they can be changed
individually for easier maintenance and reduced times and costs. A typical turbofan
engine with thrust reverser system is formed by:
• Engine modules:
156 10 Components Maintenance Program

– Fan/Low-Pressure Compressor (LPC): fan blades, fan disk, and compressor

case.
– Engine Core section:
High-Pressure Compressor (HPC): rotor compressor blades and stator
compressor vanes,
Combustor: inner and outer casings, fuel nozzles, and the high-pressure
nozzle guide vanes,
High-Pressure Turbine (HPT): HPT rotor and nozzle guide vane assemblies.
– Low-Pressure Turbine (LPT): LPT rotors, LPT nozzle stator case, and turbine
rear frame.
– Accessory Gear Box.
• Mounts and thrust links,
• Thrust Reverser device,
• Cowls (Intake cowl, Fan cowl, and Thrust Exhaust cowl),
• Systems: starting, ignition, control, indicating, oil, fuel, airflow, cooling, fire
protection, anti-icing, etc.
Configuration of turbopropellers is slightly different; basically, the propeller takes
the role of the fan to generate thrust and the role of the thrust reverser device to produce
reverse thrust. The propeller is composed of a Hub and two or more Blades.
On the other side, APU is considered as a type of engine, and its configuration
also depends on the type design.
All the elements described above are subject to requirements derived from their
certification.
Scheduled Requirements
The certification of engines, thrust reverser devices, propellers, and APU includes
the ICA necessary for their maintenance, including scheduled maintenance, Airwor-
thiness Limitations and Life Limited Parts (LLPs). It is determined through Damage
Tolerance (DT) evaluation of the structure and Safety Analysis based on method-
ologies such as the Fault Tree Analysis (FTA), Failure Mode and Effect Analysis
(FMEA), Markov analysis, etc., and supported by tests for fatigue, stress, calibra-
tion, endurance, vibration, load effects, ingestion of water, hail or birds, blade failure,
over-torque, integrity, emissions, etc.
Engine/Propeller/APU scheduled maintenance, Airworthiness Limitations, and
LLPs are usually detailed in Chapter 5 of the Engine/Propeller/APU Maintenance
Manual.
Additionally, as part of the aircraft certification, the engines, thrust reverser
devices, propellers, and APU must be taken into consideration for the MSG-3 analysis
during the MRB process and the System Safety Analysis (SSA) for their installation.
Engine/APU mountings and attachments are taken into consideration as part of
the aircraft structure and are subject to the Damage Tolerance (DT) and Widespread
Fatigue Damage (WFD) evaluations.
10.3 Details of Specific Component Programs 157

IMPS Issue 01 included the FAA proposal (IP 165) that highlighted that no excep-
tions are allowed for the MSI selection during the MRB process in regard to engines,
propellers, and APU. This clarification was due to some aircraft TCHs attempted to
deviate from the MSG-3 process, e.g., by using the manufacturer’s recommended
program, tasks, and intervals or directly excluding the powerplant or APU from the
MSG-3 analysis.
The result of the manufacturer recommendations, the MRB process, and the SSA
of the installation of powerplant, thrust reverser, and APU usually concludes with
four types of maintenance requirements:
• Scheduled on-wing/off-wing maintenance tasks,
• Major inspection/Overhaul,
• Life Limited Parts (LLP),
• Engine/APU Piece-part inspections.
Piece-part inspections are triggered by opportunity, not by a time or a periodic
interval requirement that are accomplished on safety–critical parts when they are
exposed. Their inclusion into the AMP is debatable because piece-parts inspections
are not scheduled maintenance. In any case, the operator should select an appropriate
method to control them.
The Overhaul of Engine and APU provides opportunity to:
• Accomplish scheduled maintenance tasks on the aircraft, that being not part
of the Overhaul, are suitable to be performed at the time of engine/APU
removal/installation due to exposure of the area.
• Accomplishment of maintenance tasks on Engine/APU components during the
Overhaul, e.g., piece-part inspections,
• Replacement of Engine/APU LLPs. Engine/APU are usually designed, so the
Overhaul times support the Life Limits.
• Embodiment of Engine/APU modifications/repairs.
The standards for the design of the Engines and Thrust Reversers certified with
the Engines and Propellers are detailed in EASA/FAA CS-E/FAR-33&34 and CS-
P/FAR-35 respectively. The specifications for their installation on the aircraft are
listed in CS/FAR-25 Subpart E.
The standards for the design of Auxiliary Power Units (APU) are detailed in EASA
CS-APU and FAA TSO-77b. The specifications for its installation on the aircraft are
detailed in EASA/FAA CS-25 Subpart J/FAR-25 Subpart E.
Special Considerations
Certain items associated with the Engine/APU require disconnection/removal from
the airframe during Engine/APU replacement, e.g., electrical, hydraulic, fuel, air
intake/exhaust, engine/APU controls, and mounting components. If these compo-
nents/parts are associated with maintenance requirements and are inadvertently unin-
stalled and shipped with the engine/APU for repair, it may cause an unsafe condition
in the case that the current status of the aircraft maintenance and the replacement
component/parts are not appropriately evaluated.
158 10 Components Maintenance Program

The Configuration Management of the Engine/APU may not be sufficient to

control the inadvertent uninstallation of components/parts during Engine/APU
removal. The operator should establish a policy and the necessary procedures for
their control.
Engine, Thrust Reverser, and Propeller Maintenance Programs
It is recommendable that the Engine, Thrust Reverser, and Propeller Maintenance
Programs are segregated in regard to the configuration of each individual item.
Following the guidance provided by the manufacturers, e.g., in the Engine Manual
or the APU Manual, it is possible to correlate the configuration of Engine, Thrust
Reverser, and Propeller with their respective requirements. This “tree” ordered
way is clearer, and the development of the Engine/APU/Propeller Overhaul/Major
Inspection Work Scope is facilitated.

10.4 Aircraft Configuration Management

In the Aircraft Maintenance Program (AMP) context, the Aircraft Configura-

tion Management is the process to ensure that the aircraft configuration and the
components installed are consistent with:
• the type design (TC, STC, modifications/repairs and ETSO/TSO),
• the Aircraft Maintenance Program, including Reliability Program requirements,
• applicable regulatory requirements, and
• leasing and warranty/repair requirements.
The Configuration Management is based on the procedures to manage the config-
uration tree (build standard) of the aircraft, the components that are installed on,
and the applicable associated requirements (ADs, modifications/repairs, scheduled
maintenance, life limitations, sampling requirements, etc.).
The coding conventions used to control the configuration are usually based on
the ATA chapters and should allow the unique identification of each configuration
item and the correlation of such items with related sources. The coding convention
supports the management of reliability data to a large extent, as related in Sect. 17.1.
The use of Part Numbers and Serial Numbers allows the identification of components
and the traceability of the transactions.
The procedure to manage the aircraft configuration should be defined by the oper-
ator and include provisions to identify, document, and communicate configuration
changes to the interested stakeholders.
The Configuration Management procedures depend on the size of the organiza-
tion; small operators usually implement basic configuration trees and simple config-
uration procedures, while larger operators develop more detailed and structured
configuration trees with more complex procedures.
The basic aircraft configuration is defined by the approved documentation
provided by the DAHs. It is complemented by an exhaustive evaluation of other
10.4 Aircraft Configuration Management 159

sources of information and the experience of the operator with the aircraft and the
component types. The following items should be taken into consideration:
• Conformity documentation (delivery documents),
• Aircraft/Component Illustrated Part Catalogues (IPC),
• Aircraft Maintenance Program (AMP): MRBR, ALS, RVSM, EDTO, etc.,
• Modifications/repairs,
• Regulatory requirements, including Airworthiness Directives (ADs),
• Operator’s service experience (Reliability Program),
• Leasing/Warranty/Repair/Pooling agreements (1*), and
• Removable Structural Components (RSC) (2*)
(1*) Leasing/Warranty/Repair/Pooling agreements may impose certain return restric-
tions, e.g., return under specified standards (modification/repair, vendor recommen-
dations, etc.).
(2*) RSC procedures may require the addition of items to the configuration tree.
Refer to Sect. 10.5 for further information.
For operators of large fleets, it is beneficial to establish a common configura-
tion. When this is not possible and deviations exist, it is recommended to establish
subfleets, e.g., based on the engine type, as far as practicable. It allows to locate
subfleets at specific aircraft bases and reduce inventory costs.

Lesson Learned—Air Transat Flight 236

On August 24, 2001, the Air Transat Flight 236 operated under ETOPS approval
with an Airbus A330 from Toronto, Canada, to Lisbon, Portugal, ran out of
fuel with 306 people onboard. The captain glided the aircraft to an emergency
landing in Lajes Airport, Azores. 16 occupants were minor injured, and two
passengers received serious injuries during the emergency evacuation. The
aircraft suffered considerable structural damage to the fuselage and the main
landing gear (Fig. 10.3).
The investigation carried out by the Portuguese Aviation Accidents Preven-
tion and Investigation Department (AAPID),2 with the cooperation of the
Canada TSB, revealed that the cause was a fuel leak in the right engine as
the result of using mismatched fuel and hydraulic lines during an engine
replacement.
Air Transat had received a spare engine, but the receiving process did not
identify that the configuration of the loaned engine (pre-mod) did not match
the configuration of the other A330 engines of its fleet (post-mod). The fullest
guarantee to confirm the lack of disparities is the comparison of the engines

2Accident Investigation Final Report—All Engines-out Landing Due to Fuel Exhaustion. Aviation
Accidents Prevention and Investigation Department, Government of Portugal. August 24, 2001.
160 10 Components Maintenance Program

once it is known which engine is to be replaced, but the company procedures

did not require to check the non-mandatory SBs when planning for an engine
change.

Fig. 10.3 Air Transat Wheels after the emergency landing. FAA archive

The planners were not aware of the differences in configuration between the
two engines, and the task cards generated were those associated with a normal
engine change, but no task card was issued to address the applicable SBs.
During the engine replacement, the technician realized that the difficulty
of the hydraulic pump installation could be related to the different SB status
and attempted to view the SB. Due to a network problem, the SB was not
accessible. Access to the SB would have revealed that there were two inter-
related SBs that required replacement of the fuel tube and the hydraulic line,
as well as other associated components; however, the lead technician relied on
MCC verbal advice to replace the fuel tube (from the removed engine in post-
mod condition), and confident that it was the only requirement, completed the
installation of the post-mod hydraulic pump without replacing the hydraulic
lines that remained in pre-mod condition. The installation did not allow enough
clearance between the hydraulic and the fuel lines.
The post-installation inspections, including independent inspection, were
intended to ensure that the engine controls were properly connected and secured
and did not detect the incompatibility of the fuel and hydraulic lines (Fig. 10.4).
The installation resulted in the hydraulic and fuel tubes coming into contact
with each other, which caused the in-flight fracture of the fuel tube and a fuel
leak. The crew received a warning of fuel imbalance and unaware of the fuel
leak commenced transferring fuel from the left wing fuel tank to the leak in
the right engine. The right and left engines flamed out, and the aircraft had to
glide about 75 miles (120 km) to the emergency landing.
Transport Canada restricted the Air Transat ETOPS operations, and the
company received a CAD 250.000 fine from the Canadian Government.
10.4 Aircraft Configuration Management 161

Fig. 10.4 Fuel Pipe crack and scratches. AAPID accident investigation report

The AAPID issued a battery of recommendations that urged the regula-

tory authorities of states responsible for the manufacture of aircraft and major
components to review the regulation to ensure that adequate defenses existed in
the preinstallation processes, including the maintenance planning process, to
detect major configuration differences. AAPID also recommended the review
of the standards for identifying the configuration and modification status of
major components.

10.5 Robbery Procedures

The Robbery of a component is the process through which a serviceable component

is removed (robbed) from a donor aircraft to be installed on a recipient aircraft,
usually due to no availability in the inventory after a fault or defect is found.
If the process is not controlled, the robbed component may result in a different
utilization profile than the recipient aircraft.
The serviceability of the robbed component should be demonstrated with an autho-
rized release certificate (EASA Form 1, FAA Form 8130-3, or equivalent) except
when the component is to be used within the maintenance organization under a
procedure approved in its manual.
The component maintenance records should be transferred with the component;
it seems relatively simple for maintenance defined at component level that is associ-
ated to the specific Serial Number, but it may require an exhaustive assessment for
maintenance that is defined at aircraft level and may even turn more complex when
the item is not serialized.
162 10 Components Maintenance Program

MRBR Aircraft Level Tasks

The case for MRBR tasks at aircraft level is debatable; as introduced in Sect. 6.1.5,
the evolution from MSG-2 to MSG-3 methodology used during the MRB process
marked a change in the decision logic from a component level up failure-effect
analysis to a system level down approach; the change meant to focus on the loss of
function rather than on the individual component failure (component failure is to be
monitored through the Reliability Program), if no otherwise stated.
The task interval for a robbed component installed on a recipient aircraft may be
inadvertently doubled in the worst case scenario if no action is taken. The probability
of failure or degradation would increase during the period that is being “exceeded”
for that particular component. The risk may be assumed by the operator for non-
safety-related tasks, with economic or operational impact, but the debate is open for
safety FEC 5 and 8 tasks.
Robbed Components Examples
The next examples detail possible solutions for safety-related system/structure AMP
tasks (e.g., mandatory requirement, AD, ALS including CMR, MRBR FEC 5 and 8,
etc.) that are controlled at aircraft level:
• (a) For a robbed Right Hand Main LG that is installed on a recipient aircraft and
an AMP system task for the Operational Check of the LG braking system (that
affects both Right and Left Main Landing Gears), the more restrictive next due
calculation should be applied (the next due as per the donor aircraft, RH MLG,
or the next due as per the recipient aircraft, LH MLG, whichever comes first).
• (b) For a robbed Flap Position X that is installed on a recipient aircraft and an
AMP task for the Detailed Inspection of all the Flaps, there are several options:
– (b.1) The next due for the Flap X is based on the last accomplishment on
the donor aircraft, and the next due for all other positions is based on the last
accomplishment on the recipient aircraft. It requires component-level tracking.
– (b.2) The next due for all the Flaps is aligned by accomplishing the inspection
of the more restrictive calculation for all the positions (the next due as per the
donor aircraft, Flap X, or the next due as per the recipient aircraft, all other
Flap positions).
In contrast to the solutions detailed above, the operator may decide to return the
component to the donor aircraft before any affected task becomes due. It still requires
assessment of the AMP tasks that affect the component, but it may be limited to tasks
with interval below the period that the component remains off the donor aircraft.
For non-safety-related tasks, the next due calculation may be based on the last
accomplishment of the task on the recipient aircraft if accepted by the authority under
the Robbery procedure.
There may be cases in which it is possible to demonstrate that the installation
procedure covers the intent of the task; if it is agreed with the competent authority
under the Robbery procedure, compliance to the AMP task can be given to the
recipient aircraft based on the installation.
10.5 Robbery Procedures 163

Cases in which the decision adopted requires component-level tracking, as the

one described in (b.1), may involve component serialization. Serialization should be
based on approved procedures and may be temporary until a physical survey allows
to assign a permanent Serial Number.
Robbed Component Utilization Profile
The utilization profile of the robbed component may be directly known, e.g., when
it has always been installed on the same aircraft, or may require further assessment:
• If the component has always been within the operator’s fleet, the utilization profile
computation is based on the profiles of each registration in which it has been
installed on.
• If it is not possible to determine the Utilization profile, the operator should assign
the utilization based on statistical methods developed by the DAH, use repre-
sentative utilization profiles (subfleet maximum utilization, fleet pool maximum
utilization, and worldwide fleet maximum utilization) or develop other acceptable
methods.

Robbed Component Limitations After Application Change

When the maintenance requirement limitations on the donnor and recipient aircraft
differs (due to the different limitations that may exist between aircraft types, series
or configurations), the new limitations to be applied for the next due may require
evaluation and recalculation.
It is sometimes wrongly accepted in the industry that the limitations applicable
to the recipient aircraft, as per the approved AMP for that aircraft and configuration,
are the ones to be applied.
While it may be valid for certain type of tasks and components, the impact of
application change on fatigue requirements on Removable Structural Components
(RSC) must be assessed (usually identified in the structural and zonal MRBR tasks
and Structural ALS DT inspections).
The approach for the re-calculation of the fatigue requirement limits for the next
due may differ between TCHs, if any guidance is provided, but should be in any case
acceptable to the competent authority. The two following methods are acceptable
means of compliance for applying the new limits:
– Applying the most stringent limitation (threshold/interval) although it may not be
the corresponding to the current application and may be penalizing, or
– Adapting the threshold/interval using the Palmgren–Miner rule, based on a linear
fatigue damage accumulation that asummes the fatigue life as inversely propor-
tional to cumulative damage in one life time (up to the first inspection, threshold)
or between two consecutive inspections (within an interval).
Note: the interval after the first inspection on the recipient aircraft (by threshold
or by interval) return to the one on the current application (recipient aircraft).
164 10 Components Maintenance Program

Regulatory Requirements
The Robbery procedure is not an explicit regulatory requirement as such but emanates
from the need for compliance when the robbery of a component takes place.
For components removed from aircraft withdrawn from service, EASA Part-M
AMC M.A.613(a)(2.7) requires to evaluate the possible need for alignment of the
scheduled maintenance to comply with the AMP of the aircraft in which the compo-
nent is installed. It is understood, from the AMC M.A.613(a)(2.6&2.7) paragraphs,
that the same rule applies for components removed from serviceable aircraft.
Guidance in regard to the robbery of Removable Structural Components (RSC)
is provided in Spec 120: Removable Structural Components Industry Guidelines,3
and for modifications/repairs and determination of RSC utilization profiles in EASA
AMC 20-20 Annex 3 and FAA AC 120-93.
The actions derived from the decision of robbing a component may be taken and
assessed on a case-by-case basis; however, it is recommendable to develop a robbery
procedure that is acceptable by the competent authority, in order to standardize and
facilitate the process.
Preliminary Considerations—Tasks Affected By Robbery
The operator may decide to perform the evaluation to relate components and any
applicable maintenance requirement (it is not limited to repetitive maintenance) in
a case-by-case basis, whenever a component is robbed, but it is possible to advance
or partially advance the assessment by:
• Identification of components subject to Robbery: based on the Aircraft Configura-
tion and requirements (e.g., ADs, modifications/repairs, AMP, etc.), the Remov-
able Structural Component (RSC) list, if provided by the TCH, and complemented
by the operator’s evaluation and experience.
• Cross-reference of components and maintenance requirements.

Robbery Policy and Register

The operator should define a Robbery Policy, accepted by the competent authority,
taking into consideration:
• TCH recommendations/guidance, if any.
• Evaluation of the affected tasks:
– Task categorization: Safety/Non-safety,
– Aircraft and component Utilization profile,
– Tasks affecting other components,
– Task Next due calculation.
• Component returns to the donor aircraft/component remains on the recipient
aircraft.

3 Spec 120: Removable Structural Components Industry Guidelines. A4A. Revision 2014.1.
10.5 Robbery Procedures 165

It is recommendable that the policy allows a certain degree of flexibility, such as

the returns/remains choice, so that the operator can take decisions on a case-by-case
basis.
The Robbery procedure should describe the means to register each robbery action,
including:
• the component details (donor/recipient aircraft, Part Number, Serial Number, and
utilization),
• the component maintenance history records or references,
• the assessment, including tasks affected and limitation changes, and
• the actions adopted, based on the defined Robbery Policy and the case-by-case
considerations.

10.6 Component Maintenance Program Structure

A mature Component Maintenance Program should include the procedures and provi-
sions to eliminate any source of hazards, including an appropriate configuration
control.
There are plenty of options to incorporate the repetitive maintenance requirements
into the AMP; as explained in Sect. 5.1.3, the operator should choose the integra-
tive/segregative approach that better aligns with its organization and objectives. For
example,
• Segregate On-wing tasks into the AMP System and Structural Programs sections
and Off-wing tasks into the Component Program section.
• Integrate all component tasks (On-wing and Off-wing) into a Component Program
section.
• Segregate the Component Program section into On-wing and Off-wing tasks.
• Segregate Component Program section into several programs: simple components
and dedicated subsections for complex components.
• Segregate dynamic tasks (derived from AD, modifications/repairs, recommenda-
tions, robbery, etc.) into dedicated sections or integrated into the Components
section.
As detailed throughout this chapter, it is convenient to arrange the programs
for complex components as per their built configurations in order to facilitate their
understanding and the development of Work Scope Packages.
Chapter 11
AMP Task Interval Management

The Interval of a maintenance task is the prescribed period at which the task has to
be performed. The Threshold is defined as the prescribed time at which the task has
to be performed in the first instance.
The determination of the threshold/interval of a maintenance task may be based on
available data (tests, analysis, simulations, statistical methods, in-service experience,
etc.) and/or engineering judgment.
Thresholds and intervals are expressed in terms of one or a combination of usage
parameters. The selection of usage parameter(s) is based on the suitability to address
the purpose of the task:
• Flight Hours (FH): time between the aircraft leaves the ground on the takeoff
and touches the ground on the landing. Its use is suitable for systems that are in
constant operation and are subject to failure due to the usage.
• Flight Cycles (FC): takeoff to landing sequence. Its use is suitable for structures
that are subject to pressurization fatigue.
• Landings (LDG): aircraft touching the ground (to full stop or touch-and-go). It
is suitable for structures that are subject to impact fatigue.
• Calendar Time (days, months, and years). Its use is suitable for structures that
are subject to environmental deterioration (e.g., corrosion) or systems that are
exposed independently of the operation like fire extinguishers.
• Operating Hours (OH): time of operation. Its use is suitable for
systems/components operated independently that are subject to failure due to
the usage, e.g., APU and batteries.
• Operating Cycles (OCy): on–off sequence. Its use is suitable for
systems/components operated independently that are subject to cyclic fatigue,
e.g., engine.
• Letter check: group of tasks with similar intervals. Its use is suitable to allocate
the maintenance task into scheduled work packages, e.g., A-Check.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 167
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_11
168 11 AMP Task Interval Management

“Inspection Window” is a concept used by some TCHs to allow certain toler-

ance in the accomplishment of the AMP task, which allows flexibility to perform
maintenance. Inspection windows should not become permanent variations.
The threshold/interval parameters established by the ICA may be converted to
other units if the operator finds it convenient, but it must demonstrate that the ICA
requirements are not exceeded.
Although performing a task much more in advance or more often than the
prescribed in the AMP does not require justification, this practice may result in:
• maintenance errors, causing a negative effect on the aircraft reliability and safety,
and
• invalid in-service data to support an evaluation of the specified interval during
Escalation or Evolution/Optimization exercises.
If it is considered that the AMP interval is not optimum, it is recommended to
perform a complete assessment to determine a new threshold/interval.
The preamble of an AMP should contain the definition of the threshold/interval
parameters used and the procedures to manage them. The first five procedures listed
below are covered in this chapter, and the last three are detailed in subsequent
chapters.
• Maintenance Clock: next due calculation,
• Grace Periods (Compliance Time),
• Permitted Variations,
• Exceptional Short-term Extension,
• Task Escalation,
• AMP Evolution/Optimization (Chap. 12),
• Maintenance Checks (Chap. 13),
• Bridge programs (Chap. 13).
In the case that the interval of a maintenance task is exceeded (including overrun
during aircraft operation), it should be accomplished before the next flight and
the competent authority notified through the Compliance Monitoring (CM)/Quality
department, as agreed. The procedure to deal with an overdue situation is not part of
the AMP preamble; it is competence of the CM/QA department that may delegate
the investigation to the AMP department, under their surveillance.
Permitted Variations or Exceptional Short-term Extensions should not be issued
to make up for the overdue situation.
11.1 Maintenance Clock 169

11.1 Maintenance Clock

11.1.1 First Accomplishment of Tasks—Starting Point

The starting point for the calculation of the due date for the first accomplishment
of a maintenance task is specific for each item. The selection of the initial point is
based on the suitability to address the purpose of the task, but also on the conditions
in which the aircraft is delivered.
Usually, the initial points in which the first accomplishment are based on are:
• AMP Effective date: AMP entry into force date,
• First Flight (FF): date of the first time that the aircraft performs a flight (production
flight test) during the certification phase,
• Transfer of Title (ToT): date of the official transfer of ownership to the first buyer.
Delivery date, first Certificate of Airworthiness (CofA), or Export CofA may also
be used,
• Date of Last Accomplishment (DoLA): date in which the task was previously
performed (predelivery),
• Date of Modification: date in which a modification is embodied on the aircraft,
• Date of Manufacture (DoM): date in which a product is declared in conformance
with its specifications,
• Date of Installation (DoI): date in which a product is installed on the aircraft.
Under certain conditions (e.g., aircraft preservation during production), the OEM
may disregard the contribution to failure, fatigue, or degradation between the FF,
component DoM, or DoI and the ToT. Additionally, after the manufacturer prede-
livery checks, certain tasks may be considered as reset to zero. It may result especially
interesting for the owner/operator when lengthy time passes between FF and ToT,
e.g., test aircraft used for the Type Certification.
On the other hand, when the first accomplishment of a maintenance task is much
earlier than the threshold (greater than the interval), the TCH may allow the second
accomplishment of the task to be back at the threshold instead of the repeat interval.
As explained in the introduction of this chapter, early task accomplishment is not a
recommendable practice.
For aircraft which applicability is given by the embodiment of modification(s),
the starting point for the calculation of the due date is not always the date of
accomplishment of such modification. The guidance provided by the TCH must
be followed.
In any case, the ICAs, together with the conformity documentation furnished by
the TCH/OEM at the time of the aircraft delivery, should provide sufficient guidance
to the operator for the calculation of the initial task due dates.
170 11 AMP Task Interval Management

11.1.2 Repeat Interval

In order to understand the principles of the repeat interval management, it is necessary

to define the condition of an aircraft based on its airworthiness status:
• Airworthy condition. The aircraft conforms to its approved design and is in
condition for safe operation.
• No-airworthy condition. The aircraft is not fit for safe operation, e.g., time since
a task interval is overrun, time between runway touch down and preflight check
release, etc.
No-airworthy condition applies to ground times, maintenance, and
parking/storage of the aircraft.
The ICA provided by DAH and manufacturers should provide guidelines for the
use of repeat intervals. Typically, they state that the calculation of the next due date
of a maintenance task (after the first accomplishment) is based on the date of the last
accomplishment.
This statement is actually not accurate for tasks with calendar time intervals. Apart
from some exceptions, the calculation of the next due of a maintenance task is based
on the date in which the Certificate of Release to Service (CRS) is signed. CRS
and the real date of accomplishment do not necessarily coincide.1
This situation may look out of proportion for short interval tasks (e.g., Daily
check) when compared to extended grounding times. It is expected that in these
cases, tasks with shorter intervals are performed at the end of the grounding time but
before the release of the aircraft.
The same philosophy applies while the aircraft is on ground ready for operation,
on maintenance, or during parking/storage: The accomplishment of any task that
becomes due during these times only needs to be performed before the release of the
aircraft, if no otherwise stated by the DAH or required by the competent authority.
In any case, the effect of the environmental conditions during prolonged grounding
times should be assessed. The owner/operator can request the maintenance organi-
zation to issue a release specifically to cover the accomplishment of certain tasks as
it considers, e.g., corrosion inspections.
The following cases are exceptions to the general rule:
• Tasks extended under the Permitted Variation or Exceptional Short-term Exten-
sion procedures.
• Component tasks: the maintenance task next due calculation is specific for each
component. It may be based on the date on which the component is released (e.g.,
EASA Form 1 or equivalent FAA Form 8130-3), on the date of installation, on
the previous accomplishment of the task, or being established according to other
criteria defined by the manufacturer. Special care must be taken on components

1EASA FAQ n. 19,102 & 19,496. Retrieved June 11, 2020, from https://www.easa.europa.eu/the-
agency/faqs/continuing-airworthiness.
11.1 Maintenance Clock 171

transferred from different applications (aircraft type, model, weight variant, etc.);
if there is any change in the limitations, it should be taken into consideration.

11.1.3 Credit from Accomplishment of a Different Task

The TCH/OEM can establish a relationship between an existing/deleted maintenance

task and a new task through which the calculation of the next due of the introduced
task can take credit from the last accomplishment of the existing/deleted task.
In the same way, the operator may demonstrate that the maintenance level and
scope of an existing/deleted AMP task fulfill the requirements of a new AMP task and
therefore it is possible to take credit of the accomplishment of the existing/deleted
task for the calculation of the next due of the introduced task. In this case, the credit
procedure should be acceptable to the authority; it should ensure that the operator’s
evaluation is registered and that future maintenance documentation changes, that
may invalidate such evaluation, are monitored. For example, when it is demonstrated
that the AMM instructions detailed for an existing/deleted task are alike the AMM
instructions given for a new task, a credit relation may be established if the changes
derived from the AMM revision are controlled. In this case, it is recommendable to
incorporate a credit relation statement, as appropriate, into the AMP task.
If the relation is only valid for particular revision(s) of the maintenance docu-
mentation, it should also be reflected, e.g., credit can be taken from previous
accomplishment (task number) if performed in accordance with AMM Rev.X.

11.2 Grace Period (Compliance Time)

The incorporation of changes at the time of the AMP effective date (for new and de-
escalated tasks) introduced by the revision of ICA may require the use of additional
time when the maintenance task due has been exceeded or is close to be exceeded.
This additional time is known as Grace Period (Compliance Time) and allows the
operator to accomplish the task at the next suitable opportunity (ground time, access,
resources, etc.). In no case, the accomplishment of the task, after applying a grace
period, should exceed the designated threshold/interval from the AMP effective date.
The only exceptions to overrun this rule are a Permitted Variation, an Exceptional
Short-term Extension, or the approval by the competent authority, as applicable.
It is recommended that the operator includes its Grace Period policy in the AMP
preamble. In order to develop such policy, the operator should take into consideration
the specific guidance or rules, if any, provided by the TCH and/or competent authority.
The Grace Period policy should be customized to the operation. For example, it is
deduced that new corrosion inspections may be originated from corrosion findings;
therefore, if the aircraft is operated in a corrosive environment, it makes sense that
172 11 AMP Task Interval Management

the operator’s policy is to accomplish new corrosion inspections at the very earliest
opportunity.
In the case of mandatory ICA (ALS and CMR), the guidelines or specific Grace
Periods provided by the TCH are strictly binding.
It is recommended to analyze the Grace Periods that may be required before the
AMP approval.
Certain competent authorities may require the results of the analysis from the
previous or the current programs when the AMP is submitted for approval.

11.3 Permitted Variations

One-time concession to a maintenance task interval, applied to a unique aircraft,

is known as a Permitted Variation, Prescribed Tolerance, Short Time Escalation, or
simply, Extension. It is an exceptional procedure to allow the operator to fly for a
limited time until the maintenance task can be performed.
The term Exceptional Short-term Extension is most commonly used for conces-
sions to Airworthiness Limitation and CMR tasks intervals.

11.3.1 Scope of the Permitted Variations

An operator can only apply a Variation to a maintenance task under the approval of
the competent authority or under a Variation procedure described in the AMP and
approved by the authority. The delegation of responsibilities to the continuing airwor-
thiness organization/operator can be formally approved in the CAME/CAMP. A Vari-
ation should never compromise the airworthiness of the aircraft that is, ultimately,
responsibility of the operator.
Authorities and TCHs agree that the Variation procedure is not a planning or
scheduling tool and should only be used in situations out of control of the oper-
ator such as weather conditions or non-availability of parts, equipment, staff, or
hangar in case of other unscheduled maintenance. Therefore, adequate analysis and
justification must be provided at the time of the Variation request.
The conclusions of the analysis may require to perform supplemental inspections
during the Variation time to ensure the airworthiness of the aircraft.
The systematic use of the Variation procedure is not prohibited but not recom-
mended; it may expose the trustworthiness of the operator and its capacity to manage
its own resources.
Variations should not be issued after a maintenance task has exceeded its interval.
While EASA does not provide guidance in this regard, the corresponding NAAs are
in charge of the oversight function and should develop adequate procedures to avoid
dubious practices. On the U.S. side, the FAA requires to be notified no later than a
working day after the issuance of the variation.
11.3 Permitted Variations 173

There is still a double concern here: Some operators use the Variation proce-
dure to hide non-compliance occurrences, and some authorities may not perform an
exhaustive oversight function. Ideally, the Variation record system should ensure the
integrity of the current times at which the Variation has been requested and approved.
Note: Variations greater than those specified in the AMP Variations paragraphs are
to be granted by the competent authority. The request of the operator to exceed a
Permitted Variation is usually accompanied by the recommendation of the TCH.

11.3.2 Maximum Permitted Variation

The Variations limits are based on the TCH recommendation when the competent
authority has not provided appropriate guidelines, but in any case, it is subject to the
authority approval.
EASA does not establish maximum limits for Variations and leaves the respon-
sibility to the competent authorities. The National Aviation Authorities can regulate
the limitations or allow the operator to follow the TCH recommendation.
The most common case is that the limitations, whether established by the NAA
or the TCH, follow the recommendations provided in the JAA Temporary Guidance
Leaflet (TLG) Nº 26. Although this document was canceled because EASA consid-
ered the Variations are operational issues and the responsibility resides on the NAAs,
it is still frame of reference.
The FAA establishes the maximum limits for Variations (Short-Term Escalation)
in the Flight Standards Handbook 8900.1 FSIMS.

Table 11.1 Maximum Variation limits comparison: JAA TLG Nº26 versus FAA FSIMS
JAA TLG Nº 26 FAA Flight Standards Handbook
8900.1 FSIMS
Flight Hours 10% (not to exceed 500 FH) 10% (not to exceed 500 FH)
Flight Cycles 5% (not to exceed 250 FC) 10% (not to exceed 500 FC)
Calendar Items 1 year or less: 10% or 1 month, 10% (not to exceed 500 FH translated
whichever is the lesser to calendar time)
More than 1 year but not exceeding 3
years: 2 months
More than 3 years: 3 months
174 11 AMP Task Interval Management

11.3.3 Permitted Variations—Interval Management

The criteria to manage the interval of a maintenance task after a Variation differs
between regulators; while some provide certain guidelines, others leave the procedure
in the hands of the continuing airworthiness organization.
The criteria used could be seen as acceptable or not depending on the inspector. To
avoid these cases, it is especially recommended to describe the Variation procedure
in the AMP preamble to be accepted and approved by the authority beforehand.
EASA provides guidance in the FAQ section of its Web site (FAQ n.19102),
recommending the calculation of the next due using the original due date of the
maintenance task. This is an exception to the interval management general rules.
The FAA provides guidance in the Flight Standards Handbook 8900.1 (FSIMS).
In general terms, it is not strictly required to buy back the time exceeded so the next
due date of the maintenance task can be calculated using the accomplishment date.
However, the operator must identify in its Maintenance Program the FEC 5 or 8
safety tasks, for which the concurrence of the TCH not to buy back the variation time
may be required.

11.4 Exceptional Short-Term Extension

An Exceptional Short-term Extension is a one-time concession to an Airworthiness

Limitation maintenance task interval, applied to a unique aircraft.

11.4.1 Scope of the Exceptional Short-Term Extension

It is important to highlight that not all Airworthiness Limitations are subject to

Extension. Usually, the TCH identifies in the ALS documents those tasks that are
subject to Exceptional Short-term Extension and the appropriate maximum limits
based on statistics and reliability data without risking safety.
Once these tasks and limits are published in the ALS documentation, the responsi-
bility lies on the competent authority that may be delegated to the continuing airwor-
thiness organization. In this case, the Exceptional Short-term Extension delegation
can be formally reflected in the CAME/CAMP and the procedure in the Aircraft
Maintenance Program, likewise for the Variation.
The systematic use of the Exceptional Short-term Extensions procedure is not
recommended or is prohibited, depending on the Airworthiness Task type.
Note: Variation procedure is not valid for Airworthiness Limitations.
Note: Exceptional Short-term Extensions greater than those delegated are to be
granted by the authority.
11.4 Exceptional Short-Term Extension 175

EASA guidance is limited to Extension of CMR task intervals in the CS-25.

FAA provides guidelines for CMRs in the AC 25-19 and for Fuel Tank Systems
Airworthiness Limitations in the AC 120-97.

11.4.2 Exceptional Short-Term Extensions—Interval

Management

The criteria to manage the interval of an Airworthiness Limitation maintenance task

after an Exceptional Short-term Extension are not always explicitly described in the
regulatory documentation. However, it is deduced from the EASA and FAA texts
that the interval must revert back to the original interval so the calculation of the next
due is based on the original due date of the maintenance task.

11.5 Task Escalation

An Aircraft Maintenance Program (AMP) is approved for one operator and is partic-
ular to its operation (environment, utilization, modification status, aircraft age, etc.).
The initial threshold/interval and scope of the maintenance tasks are often conserva-
tive. It is required a certain level of maturity and confidence to adjust a maintenance
task to the operator’s in-service performance experience.
Only certain AMP tasks are subject to Escalation; usually, the competent authority
does not allow to relieve mandatory requirements such as AD repetitive requirements,
ALS, CMR*, and MRBR Structural sampling. Tasks such as CMR**, MRBR FEC
5 & 8, & EWIS & L/HIRF are considered as safety-related and may be subject to
escalation but with the condition of remaining in the AMP without content change.
The Escalation procedure should be agreed with the competent authority and be
included in the AMP preamble. Both the competent authority and the operator should
be confident in the procedure. The operator should demonstrate sufficient in-service
experience.
The Escalation of maintenance tasks should be supported by a Reliability Program,
which is part of the Aircraft Maintenance Program. While the scope of a Reliability
Program is wider, in regard to task escalation, it provides an appropriate means of
monitoring the effectiveness of the AMP based on in-service experience. The operator
collects and analyzes maintenance and operational data, identifies deficiencies, and
proposes and implements adjustments.
The Reliability Program is explained with further detail in PART III.
The AMP task Escalation (based on the operator in-service experience data)
should not be confused with the evolution derived from worldwide fleet in-service
experience data, inherent to the AMP ICA source document processes (MRBR, ALS,
176 11 AMP Task Interval Management

CMR, etc.). However, implementation of changes due to the ICA revision should also
be supported by the Reliability Program.

11.5.1 Scope of the AMP Task Escalation

In the first instance, the operator should define the intended scope of the Escalation
based on realistic goals. It may be the escalation of a maintenance task, a maintenance
check, but could also be all the allowable tasks within the whole AMP.
For small projects involving a few AMP tasks, it may be relatively easy for the
operator to analyze the in-service experience data and propose/approve Escalation
results (depending on the procedure agreed with the competent authority). As long
as the scope of the project grows (e.g., a letter Check Escalation), a higher level
of expertise is required (e.g., complex statistical methods or sampling programs
to support the Escalation of servicing tasks), and additional support may become
necessary to reach an acceptable level of confidence for both the operator and the
competent authority.
The level of confidence required also has much to do with the type of tasks that
the operator proposes to escalate: likely, safety-related tasks (CMR**, MRBR FEC
5 & 8 & EWIS & L/HIRF, etc.) will require a higher level of confidence than no
safety-related tasks (MRBR FEC 6 & 7 & 9).
This being said, when it is required a higher level of confidence (attending to the
size of the project, the type of tasks, the sampling requirements, and the previous
experience of the operator with Escalation exercises), the operator, the TCH, and the
competent authority may join their expertise under an AMP Evolution/Optimization
exercise. The AMP Evolution/Optimization process is introduced in Chap. 12.

Lesson Learned—Alaska Airlines Flight 261

On January 21, 2000, a McDonnell Douglas MD-83 operated by Alaska
Airlines as Flight 261 from Puerto Vallarta, Mexico, to Seattle, Washington,
lost control, and crashed into the Pacific Ocean, killing all 88 people onboard.
The results of the NTSB investigation2 determined that the probable cause
of the accident was the loss of aircraft pitch control resulting from the in-flight
failure of the jackscrew nut threads of the horizontal stabilizer trim system
that was due to excessive wear resulting from insufficient lubrication of the
jackscrew assembly.

2Aircraft Accident Report—Loss of Control and Impact with Pacific Ocean Alaska Airlines Flight
261 McDonnell Douglas MD-83, N963AS, about 2.7 Milles North of Anacapa Island, California.
NTSB. December 30, 2002.
11.5 Task Escalation 177

The jackscrew nut is a fixed mechanism, and its rotation through the nut moves
the horizontal stabilizer to trim the aircraft. The horizontal stabilizer is a critical
flight control, and its adjustment (pitch/longitudinal trim) allows to achieve a
balanced flight condition.

Fig. 11.1 Jackscrew from the Alaska Airlines Flight 261 wreckage. NTSB Accident
Investigation Report

During the Alaska flight, the horizontal stabilizer was jammed and did not
allow the operation of the trim system that normally makes slights adjust-
ments to the control surfaces to keep the balance of the aircraft. After several
troubleshooting attempts, the crew unjammed the horizontal stabilizer, but the
aircraft pitched nose down and crashed into the ocean.
The NTSB revealed the incoordination of the MRB and the design office.
The escalation practices and the lubrication procedures of Alaska Airlines and
the FAA oversight function were questioned.
178 11 AMP Task Interval Management

Fig. 11.2 C-Check maintenance. NTSB Archive

Lubrication Interval
Initially, Alaska Airlines was performing the lubrication of the jackscrew
assembly every 500 FH, consistent with the MRBR (MSG-2), which recom-
mended a lubrication interval of 600 to 900 FH. The MSG-2 interval exceeded
the interval requirement established for the predecessor DC-9 by the design
office, 300 to 350 FH.
Alaska Airlines subsequently increased the lubrication interval to 1000 FH,
to 1200 FH, and to 1600 FH between 1988 and 1994. The investigation did not
determine what type of information, if any, was presented as justification for
these lubrication interval escalations.
In 1996, the new MRBR, which was based on the MSG-3 logic, called for
the lubrication at C-Check intervals (3600 FH or 15 months, whichever comes
first) without considering the original design lubrication interval. Additionally,
due to a typographical error, the interval was transferred to the Maintenance
Planning Document without the calendar time interval, just 3600 FH. Alaska
Airlines changed the interval to 8 months, eliminating flight hours limits that,
based on utilization rates, were about 2550 FH. NTSB highlighted that a purely
calendar-based interval did not account for increases in-flight hours that result
from increased airplane utilization. The lubrication was also performed within
each C-Check, still less than the 3600 FH recommended in the MPD.
The Alaska interval was about 3 to 4 times longer than the originally recom-
mended interval (300-350 FH )and, on the other side, had increased more than
400% since the beginning of the operation without apparent justification.
The inadequate lubrication resulted in excessive wear of the jackscrew
assembly nut and, therefore, was a direct contributor to the accident.
11.5 Task Escalation 179

Play Check Interval

The certification of the DC-9 required the end play checks at every C-Check
or 3600 FH. The DC-9 and MD-80 MRBR (MSG-2) recommended the check
every 7000 FH or 30 months, whichever comes first, and the MRBR (MSG-3)
extended it to every 7200 FH or 30 months.
Initially, Alaska Airlines scheduled the check every other C-Check (every
5000 FH). A series of C-Check escalations ended with the check being
performed with a 30 calendar months interval (about 9550 FH).
The safety implications of the lubrication escalations were magnified by the
simultaneous escalations of the end play check interval, providing fewer oppor-
tunities to discover and address any excessive wear resulting from lubrication
deficiencies.
Safety Actions
The FAA issued an Airworthiness Directive to mandate the inspection and
lubrication of the jackscrew assembly every 650 FH and the end play check
every 2000 FH.
The FAA also issued a Certification Process Study (CPS) as a result of the
Alaska Flight 261, TWA Flight 800, and other events that focused on numerous
process categories, including human factors in aircraft design, operation and
maintenance, flight-critical systems and structures and safety oversight.
Chapter 12
AMP Evolution/Optimization

As introduced in the previous chapter under the Task Escalation paragraphs, when an
operator(s) requires a high level of expertise to analyze its own in-service experience
data with the purpose of Escalation, or it is required a higher level of confidence to
undertake the Escalation project, the operator, the TCH, and the competent authority
can initiate an AMP Evolution/Optimization exercise.
The Evolution/Optimization exercise does not focus only on Escalation, but on
improving the aircraft reliability and safety from a cost-effective approach.
The results of an AMP Optimization exercise may lead to:
• Interval change: escalation/de-escalation/parameter change (FH, FC, calendar
time, etc.),
• Task category change,
• Work scope change,
• Instruction change,
• Addition/deletion of tasks or applicability change.
Other recommendations and changes not associated with the AMP may result
from the exercise, e.g., modification or configuration changes.
The standards for the AMP Evolution/Optimization based on in-service experi-
ence must be described in the operator’s manuals.
If the operator, the TCH, and the competent authority find it convenient, the proce-
dures for the AMP Evolution/Optimization can be mirrored from the MRB Evolu-
tion/Optimization process that is detailed in the Policy and Procedures Handbook
(PPH) (see Sect. 6.1.7).
Note that the AMP Evolution/Optimization exercise is based on the own operator’s
in-service experience and only applicable to the operator’s fleet, while the MRB
Evolution/Optimization in accordance with IP 44 is based on worldwide fleet in-
service data, and all operators of the fleet type can be benefited by it.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 181
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_12
182 12 AMP Evolution/Optimization

12.1 AMP Evolution/Optimization: Assessment

of Resources

The scope of an AMP Evolution/Optimization must be agreed by the operator,

the TCH, and the competent authority and may cover from a single AMP task, a
Maintenance Check to the overall AMP.
Before getting involved in an AMP Evolution/Optimization exercise at big scale,
each involved party should evaluate its own resources, e.g., the competent authority
may not have enough specialists available to participate in the project, the TCH may
require such complex sampling programs that the optimization becomes unfeasible,
and the operator may not be able to provide all in-service data in the form or quality
required by the TCH or may not have enough specialist expertise.
The service provided by the TCH tends to be expensive; however, for the opti-
mization of letter checks and above, the results could be really cost-effective. For
example, if the optimization results in Check escalation: reduction of direct mainte-
nance cost due to fewer check events, increased reliability, and aircraft and resource
availability.
Resources and Cost–Benefit Analyses determine a good starting point for an AMP
Optimization project.

12.2 AMP Evolution/Optimization Based on MRB

Evolution/Optimization (Process Mirror)

The main difference between an AMP Evolution/Optimization and the MRB Evolu-
tion/Optimization resides in the scope of the data analysis; the MRB process is
supported by the certification and worldwide fleet data, whereas the AMP Evolu-
tion/Optimization exercise is supported by in-service data of the operator(s) that
participate in the exercise. The results of the Evolution/Optimization are only
applicable to the operator(s).
The AMP Evolution/Optimization process can be akin to the MRB process and
usually will require alike bodies.
Table 12.1 shows a simplified example of a possible analogy between the
MRB Evolution/Optimization process and the AMP Evolution/Optimization (MRB
process mirror) that may be used by the operator as the base to develop its own
procedure.
In the example above, the operator develops the AMP Evolution/Optimization
procedure, which is reviewed, discussed, and approved by the Internal ISC [TCH
and operator(s)] and accepted by the Competent Authority.
Based on the procedure, the operator provides the TCH with its in-service
experience data. The TCH reviews the MSG-3 analysis, analyzes the in-service
data, and recommends adjustments to tasks or task intervals in the form of AMP
Evolution/Optimization Dossiers.
12.2 AMP Evolution/Optimization Based on MRB Evolution … 183

Table 12.1 MRB Process—Evolution/Optimization analogies

MRB Process AMP Evolution/Optimization (MRB
Process mirror)
Standards IMPS & MSG-3 (to be agreed with the competent
authority)
Data Worldwide fleet in-service data Operators in-service data
Documents Policy and Procedures Handbook (PPH) AMP Optimization procedure
MRB Evolution/Optimization Dossier AMP Evolution/Optimization Dossier
MRBR revision AMP revision
Bodies Maintenance Review Board (MRB) Competent Authority
Formed by representatives of the Formed by representatives of the
Certification Authority competent authority
Main functions: Main functions:
– Review and accept the PPH – Review and accept the AMP
– Coordinate the MRB activities with Optimization procedure
the ISC – Ensure that the TCH provides
– Ensure that the TCH provides adequate training to all competent
adequate training to all MRB authority representatives
members – Participate in the internal ISC
– Ensure Certification Authority – Approve the AMP
participation in all MWG and ISC
meetings
– Review and discuss ISC proposals
– Approve the MRBR
Type Certificate Holder (TCH) Type Certificate Holder (TCH)
Main functions Main functions
– Develop a PPH for presentation to the – Provide training to the Internal ISC
ISC and MRB and Internal MWG members
– Provide training to ISC and MWG – Review operator’s in-service data
members – Provide with the AMP
– Review MSG-3 analysis and Evolution/Optimization Dossiers
worldwide fleet in-service data – Participate in the Internal MWGs and
– Provide with the MRB ISC meeting
Evolution/Optimization Dossier
– Participate in each MWG and ISC
meeting
(continued)

The Dossiers are then analyzed and discussed by the Internal MWG (operator(s)
and TCH specialists). The Internal MWGs final recommendations are remitted to
the Internal ISC that reviews, discusses, and accepts/rejects them.
The Internal ISC summarizes the analysis, the in-service data used, and the
recommendations in a final Task Review Report.
The operator prepares a revision of the AMP to include the results of the AMP
Evolution/Optimization exercise based on the Task Review Report that will be finally
reviewed and approved by the Competent Authority.
184 12 AMP Evolution/Optimization

Table 12.1 (continued)

MRB Process AMP Evolution/Optimization (MRB
Process mirror)
Industry Steering Committee (ISC) Internal ISC
The ISC is formed by the TCH, The Internal ISC is formed by the TCH,
operators, and aircraft/engine/propeller the operator (CAMO representatives:
manufacturers and, if appropriate, Nominated PostHolder, Maintenance
representatives of maintenance Programs & Reliability, Planning,
organizations Technical Services, Compliance
Main functions: Monitoring, etc.). It is chaired by the
– Review and approve the PPH operator
– Direct the activities of the MWGs Main functions:
– Review and accept all MWGs analysis – Review and approve the AMP
– Prepare the MRBR Optimization procedure
– Direct the activities of the Internal
MWGs
– Review and accept all Internal MWGs
analysis
– Prepare the Task Review Report
Maintenance Working Group (MWG) Internal MWG
Each WG is formed by specialist The Internal MWG is formed by the
representatives of the operator (Technical services) and TCH
aircraft/engine/propeller TCH, vendors, specialists
operators (at least three are Main functions:
recommended in each WG meeting), – Review the AMP
maintenance organizations, and Evolution/Optimization Dossiers
regulatory advisors. The WG – Propose scheduled tasking/interval
chairperson (normally a nominated requirements using the AMP
person from an operator) is selected by Optimization procedure and the AMP.
the WG and accepted by the ISC Evolution/Optimization Dossiers to
Main functions: the Internal ISC
– Review technical data, MSG-3
analysis, and MRB
Evolution/Optimization Dossiers
provided by the TCH
– Propose scheduled tasking/interval
requirements using the PPH, the
MSG-3 analysis, and the worldwide
fleet in-service data
Participant Operators Operator
Main function: Main function:
– Provide in-service experience data to – Provide in-service experience data to
the TCH the TCH
– Participate in MWGs and ISCs – Develop the AMP Optimization
procedure
– Participate in MWGs, ISCs
– Prepare the AMP
12.2 AMP Evolution/Optimization Based on MRB Evolution … 185

Fig. 12.1 AMP Evolution/Optimization Process

The simplified process related in the example may be used for all types of Evolu-
tion/Optimization projects; however, due to its complexity, it makes more sense for
letter check Evolution/Optimization and above. It is recommendable to simplify it
for smaller projects.
Chapter 13
Maintenance Checks and Bridge
Programs

13.1 Maintenance Checks

A Maintenance Check is a group of maintenance tasks that are accomplished together

at periodic intervals, e.g., Service Check, A-Check, C-Check, etc.
The MSG-3 methodology used during the MRBR development targets Mainte-
nance Check intervals; it facilitates to gather maintenance tasks into packages. The
TCH may predefine Maintenance Checks or allow flexibility to the operator to select
its own Maintenance Check concept. In any case, it must be ensured that the Mainte-
nance Checks intervals are not more permissive than the maintenance tasks within it
and that the threshold/intervals defined for the individual tasks are never exceeded,
except when it is allowed by the Permitted Variation or Exceptional Short-term
Extension procedures or under agreement with the competent authority.
The Aircraft Maintenance Program should define the Maintenance Check concept
that is followed (Block, Equalized, or Dynamic) and the Maintenance Checks
intervals.

13.1.1 Types of Maintenance

Maintenance tasks can be classified attending to their scope in Line, Base, and Heavy
Maintenance.
Line Maintenance is considered as any maintenance action performed before
the flight to ensure that the aircraft is fit for the intended flight. It may include
scheduled maintenance necessary to detect obvious defects or unsatisfactory condi-
tions (including internal system/structure/power plant items easily accessible), trou-
bleshooting, defect rectification, component replacement (including engines, and

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 187
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_13
188 13 Maintenance Checks and Bridge Programs

propellers), and minor modifications/repairs that do not require extensive disas-

sembly and can be accomplished by simple means. Occasionally, the accomplish-
ment of base maintenance may be performed in line under the acceptance of the
Compliance Monitoring/Quality manager.
Examples of Line maintenance are the Preflight, Transit, Daily, Weekly, and Service
checks.
Base Maintenance is considered as any maintenance action falling out of the Line
Maintenance criteria. It means when the aircraft is removed from the operation
to undergo scheduled maintenance necessary to detect system/structure/component
deterioration (e.g., fatigue cracking or corrosion), maintenance actions that may
require special accesses or techniques, rectification of complex defects and major
modifications/repairs. Base Maintenance is usually performed in a controlled
environment (hangar).
Heavy Maintenance is defined as in-depth Base Maintenance. It may include from
major structural inspections and modification/repairs to the overhaul of the aircraft.
Typically, C-Check and above are considered heavy maintenance.
Base and Heavy Maintenance Checks are usually defined by letter checks; it is a
series of checks alphabetically designated with increased scope (A-Check, B-Check,
C-Check, D-Check). A-Checks and B-Checks are considered Base Maintenance,
although B-Check is disused for modern aircraft which content is absorbed by other
checks.
Maintenance check intervals depend on the aircraft type and the concept defined
by the TCH or operator and are usually based on FH, FC, and/or calendar time
parameters. A simplistic approach to identify A-, C-, and D-Checks is that they are
performed in terms of months, years, and lustrums, respectively.

13.1.2 Maintenance Check Concepts

The operator should evaluate the Maintenance Check concept that is more suitable
to its aircraft and type of operation, taking the following preliminary considerations
into account:
• the type of operation and aircraft availability (e.g., charter, seasonal, scheduled),
• the maintenance tasks attributes (scope, thresholds/intervals, zones, accesses,
man-hours, equipment, facilities, etc.),
• the susceptibility to maintenance findings (aircraft age and operation environ-
ment),
• the maintenance approvals and/or contracted maintenance (e.g., approval for line
maintenance and base maintenance up to A-Check and contracted for C-Check
and onwards),
• the maintenance capacity (manpower, shifts, facilities, equipment, etc.), and
• the maintenance costs.
13.1 Maintenance Checks 189

The above considerations lead to three types of Maintenance Check concepts:

Block, Equalized, and Dynamic.
Block Concept
The Block concept packages maintenance tasks based on their interval into different
Maintenance Checks. It involves less Line maintenance and more Base/Heavy main-
tenance. This concept is suitable for aging aircraft and long haul operators with large
fleets.
Advantages:
• easier for implementation and planning of maintenance due to fewer maintenance
events,
• longer maintenance times that allow more opportunities to:
– accomplish prolonged maintenance tasks, modifications, and repairs,
– sequence prolonged tasks, and
– rectify defects.
• broad assessment of the overall aircraft condition,
• reduced risk of maintenance errors due to recurrent accesses,
• reduced man-hours.
Disadvantages:
• lower aircraft availability,
• higher maintenance costs,
• interval usage not optimized,
• workload peaks.

Equalized Concept
The Equalized concept redistributes maintenance tasks into shorter Maintenance
Checks in order to gain availability for the operation of the aircraft. This concept takes
advantage of the time between flights, in which the aircraft is grounded, to perform

Fig. 13.1 Block Maintenance Checks

190 13 Maintenance Checks and Bridge Programs

maintenance. It involves more Line maintenance and less Base/Heavy maintenance.

It is suitable for young aircraft and short-haul operators with small aircraft fleets.
Advantages:
• higher aircraft availability,
• lower maintenance costs,
• optimization of the interval usage,
• spread workload.
Disadvantages:
• more difficult for implementation and planning of maintenance due to increased
maintenance events,
• shorter maintenance times that allow fewer opportunities to:
– accomplish prolonged maintenance tasks, modifications, and repairs,
– sequence prolonged tasks, and
– rectify defects.
• limited assessment of the overall aircraft condition,
• higher risk of maintenance errors due to recurrent accesses,
• higher man-hours.

Dynamic Concept
The Dynamic concept does not package maintenance tasks. Each individual task is
monitored and forecasted individually (Out Of Phase task). It allows deferring their
accomplishment until they have to be actually performed. Under this concept, main-
tenance tasks are performed in Line to fit into the flight operation until a Base/Heavy
maintenance input (due to access requirements, workload necessary for prolonged
tasks, modifications, repairs, defect rectification, etc.) is required.
The Dynamic concept can be considered as maximized Equalization; the advan-
tages and disadvantages of the Dynamic concept are more pronounced than the listed
for the Equalized concept.

Fig. 13.2 Equalized Maintenance Checks

13.1 Maintenance Checks 191

Lesson Learned—Aloha Airlines Flight 243—Equalized Maintenance

During the Aloha Airlines Flight 243 investigation, detailed in Chap. 7, one
of the areas of concern identified by the NTSB was the manner in which a
highly segmented structural inspection program was implemented. The Aloha
D-Check inspection of the Boeing 737 fleet was covered in 52 independent
work packages. Limited areas of the aircraft were inspected during each work
package, and this practice precluded a comprehensive assessment of the overall
structural condition of the aircraft.
The NTSB considered the use of 52 block/independent work packages and
the fact that the FAA considered this practice as acceptable without analysis,
a matter of serious concern.
Overnight non-flying periods were utilized to accomplish B-Checks and
included portions of the C-Check and D-Check plus any related or unscheduled
maintenance. Since Aloha Airlines usually did not have spare aircraft in the
fleet, it was expected that the maintenance function would release the aircraft
in an operational status to meet the next day schedule.
The NTSB recommended that comprehensive structural inspections are best
accomplished by a D-Check in which the entire aircraft is inspected and refur-
bished in one hangar visit, or alternatively, distributed within C-Check inputs.
Any deviations from this philosophy should be evaluated carefully before
acceptance.

13.1.3 Task Repackaging

Under certain situations, the operator may need to repackage a Maintenance Check.
It may be:
• temporary (one-time): due to specific conditions of the aircraft, e.g., aircraft
maintenance or parking/storage,
• permanent: consequence of the change of the Maintenance Check concept due
to the need to harmonize the workload between Maintenance Checks or other
operator’s considerations.

Alignment of Calendar-Based Tasks After Maintenance or Parking/Storage

Periods
When an aircraft is on maintenance or parking/storage during a lengthy period of
time, there may be a Maintenance Check that becomes due only because of the
calendar element of its interval.
192 13 Maintenance Checks and Bridge Programs

The Maintenance Check may content tasks with calendar intervals but also others
based on different parameters such as FH or FC. Before the release of the aircraft,
it is reasonable not to perform all the tasks within the Maintenance Check but only
those that have become due.
After the release of the aircraft, the next accomplishment of the Maintenance
Check is still limited by the last time that it was fully accomplished.
The desired situation is usually to realign the calendar items to the Maintenance
Check; it is to schedule all the tasks together again. Under this situation, it is required
to repackage back the calendar-based tasks to the Maintenance Check.
Maintenance Check Concept Change
When the operator decides to revise the Maintenance Check concept (to Block,
Equalized, or Dynamic), it involves a safety aspect that should be approved under the
AMP by the competent authority or through a procedure agreed with the competent
authority.
The need for a change in the Maintenance Check concept is usually caused
by a change in the preliminary consideration detailed under the “Maintenance
Check concepts” paragraphs, e.g., change of the type of operation, maintenance
task attributes, susceptibility to maintenance findings, the maintenance approvals
and/or contracted maintenance, the maintenance capacity, or the maintenance costs.
Maintenance Checks Harmonized Workload
Under the Equalized Maintenance Check concept, an AMP revision (new, revised,
and deleted tasks) may unbalance the workload between the individual checks. In
this case, the operator may want to redistribute the maintenance tasks to harmonize
the packages.

13.2 Bridge Programs

A Bbridge Program is the result of the comparison between two different AMPs to
spot the differences that must be taken into consideration when transitioning between
both programs. It may be due to:
• an AMP revision,
• the transition to a Low Utilization Maintenance Program (LUMP), or
• change of operator (aircraft redelivery/delivery).
Each AMP is customized to the aircraft operation and the regulatory environ-
ment of the states of registration and operation; what is valid for an aircraft under
certain operating conditions may be not applicable under others, and rules can change
between different states when operation or registration changes.
The need for Bridging is originated when the AMP to which the aircraft is
transitioned contains new or more restrictive requirements that need realignment.
The Bridge Program is the technical justification required for the approval of the
transition.
13.2 Bridge Programs 193

It is assumed that, although an aircraft should be maintained under only one

approved AMP at a certain point in time, there is a limited time during the transition
in which both programs may coexist, e.g., time between the AMP approval date and
AMP effective date, if there is time allowance for its implementation, or specific time
during the redelivery/delivery process.

13.2.1 Bridge Program Causes

AMP Revision
A Bridge Program may be required when an AMP revision de-escalates the interval
of existing tasks or introduces new requirements.
At the time of the AMP Effective Date, the Maintenance Check to which the task
is associated may be ongoing or have been already planned, and it is not suitable to
perform it at that specific maintenance event. In those cases, the use of Grace Periods
provides additional time to the operator to schedule the accomplishment of the task
at the next suitable opportunity, with the condition of not exceeding the next task
due date from the AMP Effective Date.
On the other side, for safety-related tasks or tasks for which an early accom-
plishment is considered beneficial, such as corrosion detection tasks for operations
in corrosive environments, the operator may agree to perform them at the earliest
opportunity instead of the most suitable one.
In all these cases, it is required a Bridge Program to perform the task in the
way that their second accomplishment under that AMP revision is aligned with the
Maintenance Check.
Transition to a Low Utilization Maintenance Program (LUMP)
As introduced in Sect. 9.2, LUMP incorporates additional requirements recom-
mended by the TCH when the utilization falls below the limits established in the
MRBR. Under the Low Utilization Recommendations, certain tasks based on FH or
FC parameters are adjusted to add a calendar component.
Under the LUR conditions, the new calendar parameter usually acts as a de-
escalation of the maintenance task. In these cases, the LUMP tasks must be bridged
taking into consideration all the parameters.
Operator Change
Under the aircraft operator change case, the need for a Bridge Program may be
duplicated or tripled if leasing transactions happen during the change:
• for the old operator, the lease contract usually involves redelivery requirements and
obligations to return the aircraft under certain conditions and configurations, e.g.,
bridging back the maintenance requirements to the basic programs and intervals
defined by the manufacturer (MPD, MRBR, SSID, CPCP, EDTO (ETOPS), etc.).
194 13 Maintenance Checks and Bridge Programs

• for the lessor, the new lease contract may involve certain obligations such as deliver
the aircraft under certain conditions and considerations (usually it is fulfilled by the
old operator obligations) and in compliance with specific regulatory requirements
(it may be requested by the new operator or contractual clauses).
• for the new operator, a Bridge Program may be required to transition the aircraft
to the new AMP that is customized to its particular operation and regulatory
environment.
When the transfer of the aircraft between operators is known, typically, all the
required Bridge Programs are accomplished at the time of the Redelivery/Delivery
Maintenance Check.

13.2.2 AMP Bridging Considerations

As other processes within the AMP, such as the technical document review or the
aircraft induction, the Bridge Program is a critical exercise. It requires the review of
the aircraft records to some extent, micromanagement of task due calculations, and
engineering judgment; the management of all the data must be properly controlled.
Bridge Program procedures and, if appropriate, quality control means should be
developed by the operator to ensure it is carried out effectively.
The Bridging of an AMP can be performed at:
• maintenance check level, if the maintenance check concept and content is the
same in both AMPs, independently of the intervals of the checks, or
• task level, if the maintenance check concept and content differ.
There are certain methods and tools that may facilitate the transition of the aircraft
between two AMPs. It is especially interesting for aircraft of large fleets that are “reg-
ularly” bridged between AMPs, e.g., from normal/high utilization to low utilization
programs and vice versa due to “continuous” changes in the type of operation.
In this case, it is recommendable that the operator develops a database template,
for example in Excel format, where it is possible to dump the requirements of both
AMPs (old and new maintenance tasks and limits) and the last accomplishment of
the AMP tasks (performed under any previous AMP) in the way that automatically
calculates the next due of the tasks and highlights:
• the technical need for a Bridge Program, e.g., due to ongoing/planned Maintenance
Checks at the time of the AMP revision effective date,
• de-escalated and new safety-related tasks, and
• any other operator’s considerations.
The bases to develop a Bridge Program template are the same for a single aircraft
than for as many as needed. Once the process is automated, it becomes easier to
interpret the data and spot the need for bridging.
Chapter 14
Aircraft Induction

The previous chapters of the Part II of this book introduce the requirements and
methods that are necessary for the development of an initial Aircraft Maintenance
Program and keep it up to date in accordance with the changes of the requirements
established by the source documentation.
Inducting an aircraft into an operator’s fleet is a critical process that requires
an exhaustive examination of the aircraft delivery documentation and aircraft
maintenance records.
The requirements of the new operator’s AMP should be fulfilled through the three
following complementary exercises:
• inclusion of the aircraft/components applicable requirements into the new
operator’s AMP (AMP Revision),
• analysis of the level of compliance with the new operator’s AMP (Documental
Review for AMP Compliance),
• Bridge Programs. Refer to Sect. 13.2 for further information.
This chapter outlines the process to induct an aircraft into an existing AMP.

14.1 Aircraft Induction: The AMP Revision

The induction of an aircraft into an existing AMP involves the analysis of the AMP
source documents based on the current status and configuration of the aircraft. The
purpose is to identify all the applicable requirements for the aircraft and its compo-
nents for the specificity of the operation in the regulatory environment of the state
of registration.
The effectivity of certain AMP tasks depends on the configuration on which the
aircraft and its components are delivered to the new operator; the list of technical
records to review includes, but is not limited to:

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 195
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_14
196 14 Aircraft Induction

• the Aircraft Inspection Report (AIR), Aircraft Readiness Log (ARL), or equiva-
lent that contains the initial delivery configuration and modification status of the
aircraft,
• the Engine/Propeller/APU Logbooks or equivalent that contains the initial
delivery configuration and modification status of the corresponding item,
• the Modification status detailing the STCs and SBs incorporated on the aircraft
and its components,
• the Layout Of Passenger Accommodation (LOPA) (cabin configuration), and
• the Emergency Equipment Layout (EEL).
The operator’s own tasks, derived from the Reliability Program and the standards
defined by the operator, should also be reviewed for applicability.

14.2 Aircraft Induction—Documental Review for AMP

Compliance

For used aircraft, it is necessary to demonstrate that it complies with the appli-
cable requirements of the new operator’s AMP and that there is evidence of such
compliance.
The review of the aircraft maintenance records includes the following compliance
status reports, but is not limited to:
• Aircraft/components maintenance status (maintenance visits), including Complex
components status (Landing Gear/Engine/Propeller/APU LLP status, Last Over-
haul/Major Inspection, Last Shop visit, etc.),
• Airworthiness Directives (AD) status,
• Aircraft/components Modification status,
• Repair status, including temporary repairs,
• Aircraft Weight and Balance report,
• Aircraft/components operational status (RVSM, MNPS, PBN, EDTO, AWO),
• Life Limited Parts (LLP) status.
LLP status should be supported by Back-to-Birth traceability of all the parts (proof
of the total operational life of the LLP).
Based on the revised AMP, which incorporates all the applicable requirements
for the aircraft and its components and on the documental review of the maintenance
records, Bridge Programs will transition the aircraft (aircraft induction) to the revised
AMP that is customized to a specific operation in a particular regulatory environment.
Chapter 15
Critical Maintenance Tasks/Required
Inspection Items

The main aviation regulators recognize the possibility of human errors/omissions

during the performance of maintenance tasks that could impact on safety and establish
appropriate countermeasures to minimize the risks.
While the identified risks are analogous, the terminology used by EASA and FAA
slightly differs; this chapter introduces separately the concepts of Critical Mainte-
nance Tasks (CMT) and Identical Tasks in the EASA environment and Required
Inspection Items (RII) in the FAA environment.
The requirements for Dual Maintenance for Extended Diversion Time Operations
(EDTO) Significant Systems are also detailed in this chapter.

15.1 Critical Maintenance Tasks and Identical Tasks

(EASA)

In the EASA environment, the responsibility for ensuring that the requirements
are met and the risks are minimized lies on the maintenance organizations, usually
assisted by the continuing airworthiness organization.
The countermeasures focus on human errors/omissions during the accomplish-
ment of:
• Critical Maintenance Tasks (CMT): tasks that involve the assembly or any
disturbance of a system or any part of the aircraft/engine/propeller, that, if an
error occurred during its performance, could directly endanger the flight safety,
• Identical Tasks: tasks that involve removal/installation or assembly/disassembly
of several components of the same type fitted to more than one system, whose
failure could have an impact on safety.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 197
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_15
198 15 Critical Maintenance Tasks/Required Inspection Items

EASA Countermeasures for Critical Maintenance Tasks and Identical Tasks

EASA requires that an error capturing method to detect maintenance errors/omissions
is implemented when performing any Critical Maintenance Task (CMT) or Identical
Tasks. Two possible methods are proposed:
• Independent Inspection: inspection performed by an independent qualified
person to attest the satisfactory completion of the task, without deficiencies found,
by an authorized person (responsible for the completion of the task),
• Re-inspection: inspection performed by the authorized person (responsible also
for the completion of the task) to ensure its satisfactory completion, without
deficiencies found.
The preferred method for CMT is the Independent Inspection. When only one
person is available, due to unforeseen circumstances, re-inspection methods can be
used.
On the other side, Identical Tasks should be performed by different persons in
different systems, but re-inspection methods can be used when, due to unforeseen
circumstances, only one person is available.
EASA defines Critical Maintenance Tasks, Identical Tasks and establishes the
countermeasure requirements in Part-M M.A.402 (g&h), Part-145 145.A.48 (b&c),
and related AMCs.
Critical Maintenance Task Identification
The guidelines for Critical Maintenance Tasks (CMT) identification define which
tasks should be assessed; these are as follows:
• tasks that may affect:
– the control of the aircraft, flight path and attitude, such as installation, rigging,
and adjustments of flight controls,
– the aircraft stability control systems (autopilot, fuel transfer),
– the propulsive force of the aircraft, including installation of aircraft engines,
propellers, and rotors, and
• overhaul, calibration, or rigging of engines, propellers, transmissions, and
gearboxes.
The maintenance organization should select the appropriate sources to identify
the CMTs, usually assisted by the continuing airworthiness organization: guidance
provided by the design approval holder, occurrence reporting and accident/incident
reports, audit results, information exchange systems, etc.
While the regulation sets the basis to identify CMTs, the maintenance organi-
zation should select the tasks and assess which steps are subject to Independent
Inspection/Re-inspection.
15.1 Critical Maintenance Tasks and Identical Tasks (EASA) 199

For example, an engine change will be identified as requiring Independent

Inspection/Re-inspection by the maintenance organization. Additionally, it should
identify which steps within the engine change are critical. Likely, the installation and
derived operational/functional checks will require each one an individual inspection
to ensure the proper installation (mounts), system connections (electrical, hydraulic,
fuel, controls), correct operation, etc.
In order to facilitate the CMTs’ assessment, the maintenance organization may
develop a Critical Maintenance Task matrix based on the probability of failure and
the guidance provided by the regulation and the selected sources. A CMT matrix
based on ATA chapters/subchapters and the type of maintenance to be performed
eases the identification of CMTs and critical steps (Table 15.1).
Identical Task Identification
The maintenance organization should assess the maintenance of duplicated systems
that may be critical. The sources for the assessment are those detailed for CMTs in
addition to the guidance provided in the Configuration, Maintenance, and Procedures
(CMP) document for dual maintenance on EDTO Significant Systems.

15.2 Required Inspection Items (FAA)

In the FAA environment, the responsibility to ensure the risks are minimized remains
with the operator but is separated from the maintenance function.
The FAA countermeasure method lays on the definition of Required Inspection
Items (RII) that are those tasks that could result in a failure, malfunction, or defect
that endangers the safe operation of the aircraft if the task is not completed properly
or if improper parts or material is used.
FAA Countermeasures for Required Inspection Items (RII)
The FAA is straightforward in the identification of RIIs; a simple decision logic
diagram is provided in AC 120-16G as guidance for their determination.
The list of RII includes all tasks performed on the aircraft that could result in a
failure, malfunction, or defect endangering the safe operation of the aircraft, if not
performed properly or if improper parts or materials are used, except:
• items that are deferrable per the Minimum Equipment List (MEL) or Configura-
tion Deviation List (CDL), or
• items for which a test to simulate operational functions and defect failures,
malfunctions, or defects that would impact the safe flight/landing is required.
The FAA establishes the requirements for the minimization of human error
during maintenance, the Required Inspection Items (RII), in the 14 CFR 121.369(b),
135.427(b), and AC 120-16G.
 200

Table 15.1 Critical Maintenance Task (CMT) Matrix example

Critical Maintenance Tasks (CMT) Matrix
ATA sub-chapter Item Rem/Inst Insp/Check Adjustment Function Mod/Repair Remarks
27–00 Flight Control Surfaces × × × Inspect for connections, attachments,
safety devices, critical adjustments and
final verification
..
.
32–00 Landing Gear × × × Inspect for connections, attachments,
safety devices, critical adjustments,
emergency extension, emergency
adjustments and final verification
..
.
52–00 Doors × × × Inspect for connections, attachments,
(cabin/cargo/emergency) safety devices, critical adjustments and
final verification
..
.
78–30 Thrust Reverser × × Inspect for primary attachments, critical
adjustments and final verification
..
.
79–10 Engine Oil Storage × × Inspect for connections, attachments,
safety devices, critical adjustments and
final verification
..
.
15 Critical Maintenance Tasks/Required Inspection Items
15.3 Dual Maintenance on Extended Diversion Time Operations … 201

15.3 Dual Maintenance on Extended Diversion Time

Operations (EDTO) Significant Systems

ICAO defines EDTO significant system as “an aeroplane system whose failure or
degradation could adversely affect the safety particular to an EDTO flight, or whose
continued functioning is specifically important to the safe flight and landing of an
aeroplane during an EDTO diversion”.
Several limitations are defined to minimize the risk of errors/omissions while
performing the maintenance task on parallel/identical EDTO significant systems
that could lead to dual system failures.
The limitations on dual maintenance may include:
• staggering of maintenance of identical/similar EDTO significant systems into
different maintenance visits,
• when staggering is not possible/suitable:
– the task is performed by different technicians, or
– the task is performed by the same technician under the direct supervision of a
second EDTO qualified professional.
When dual maintenance cannot be avoided, a ground/in-flight verification test
may be required.
Design Approval Holders are not bound to identify or provide guidance related to
Critical Maintenance Tasks, but they are for the identification of EDTO Significant
Systems (that supports the EDTO Identical Tasks selection) in the Configuration,
Maintenance, and Procedures (CMP) document, as detailed in EASA AMC 20-6
and FAA Appendix K to Part 25.
The EDTO dual maintenance limitations recommendations are published in ICAO
Doc 10,085 Extended Diversion Time Operations (EDTO) Manual.
ICAO recommendations are encompassed by EASA under the requirements for
Identical Tasks described in M.A.402(g), 145.A.48(c), and related AMCs.
The FAA adopts the recommendations for two-engine aircraft under 14 CFR
121.374(c) and considers any extended operation in AC120-42B.
While for EASA operators, the adoption of countermeasures for any Identical
Tasks is a requirement, many FAA operators have realized about the improvement
on reliability due to the mandatory EDTO countermeasures and have expanded it to
the accomplishment of all Identical Tasks.
202 15 Critical Maintenance Tasks/Required Inspection Items

15.4 Integration into the AMP

The operator may develop the appropriate procedures to manage the assessment
and evolution of Critical Maintenance Tasks/Identical Tasks (EASA) or Required
Inspection Items (RII) (FAA) in assistance to the maintenance organizations.
For repetitive maintenance tasks, their control can be overseen through an inde-
pendent procedure or under integration within the AMP or Maintenance Schedule
(part of the CAMP) for an EASA or FAA program, respectively.
If the operator opts for consolidating and managing the Critical Maintenance
Tasks/Identical Tasks or Required Inspection Items (RII) for scheduled maintenance
through the AMP/Maintenance schedule, the procedure should be defined in the
program. The identification may be achieved by implementing a task code, e.g.,
CMT (for Critical Maintenance Task) or RII (Required Inspection Item), by specific
notes in the task description or by an appendix listing the tasks.

Lesson Learned—Required Inspection Items and Critical Maintenance

Tasks
The requirements for Required Inspection have been in the FAA rules
since 1964 when the CAMP requisite was introduced in response to safety
concerns that had been found during accident investigations and surveillance
of maintenance.
The aviation history, including the recent history, is spotted with plenty of
errors performed during maintenance on critical systems, and the rules have
evolved to a large extent due to the several incidents and accidents occurred.
Eastern Airlines Flight 855 (Identical Tasks)
On May 5, 1983, the Lockheed L-1011 TriStar, operating as Eastern Airlines
Flight 855 from Miami to the Bahamas with 172 occupants, lost all the three
engines. The crew managed to restart one engine and landed back in Miami
without injuries.
The results of the NTSB investigation1 determined that the probable cause
of the accident was the omission of the O-ring seals on the master chip detectors

1Aircraft Accident Report – Easter Airlines, Lockheed L-1011, N334EA, Miami Airport. National
Transportation Safety Board (NTSB). 09 March 1984.
15.4 Integration into the AMP 203

of the three engines that led to oil leaks, loss of lubrication, and damage of the
engines.

Fig. 15.1 Eastern Airlines Lockheed L-1011 TriStar. Photo by Gary Vincent

A master chip detector contains a magnetic probe that attracts small particles
of metal which may be present in the oil line. The presence of metal particles
may indicate that internal components of the engine are in distress, and the
engine may fail if the defect is not corrected. The O-rings of the master chip
detector prevent oil from leaking from the pressurized oil system; if the O-ring
is not installed, the oil system will start to leak as soon as the engine is started.
The master chip detectors were normally given to the mechanics with the
O-rings installed. On the day of the incident, one of the two mechanics that
were assigned to accomplish the replacement of the magnetic chip detectors of
all the three engines did not find any detector in the cabinet and picked them
from the stock room. One of the mechanics replaced the magnetic chip detector
from the position #2 engine, and the other mechanic did it for engines #1 and
#3.
The Task Cards clearly required the placement of new O-ring seals; however,
both mechanics wrongly assumed that the O-rings were installed on the
detectors and did not inspect their configuration.
Additionally, the replacement of the master chip detector required engine
motor that may have detected the oil leaks, but no specific times were estab-
lished so the three engines were motored just for 10 s, giving no time to the oil
leaks to be observed.
204 15 Critical Maintenance Tasks/Required Inspection Items

Due to the constraints of the reduced interval (25FH) recommended by

Rolls Royce, likely it was not suitable to stagger the task into different mainte-
nance events. In regard to the criticality of the task, it was properly addressed by
assigning different mechanics to the engines positions to avoid the same human
error, but one of the safety barriers, the ground test required for dual mainte-
nance, was not appropriate: The engines motor was not performed effectively
and did not detect the oil leaks.
In 1992, the NTSB had recommended the review of the RII regulations
derived from the investigation of the Continental Express Flight 2574 catas-
trophic accident, detailed in Chap. 24, in which the leading edge of the left hori-
zontal stabilizer was separated due to 47 screw fasteners that were missing.
About 15 months after the accident, the same company was involved in an
incident caused by human error that left 14 screws missing from the aileron
vane.
At the beginning of the 2000s, during the investigation of the Alaska
Airlines Flight 261 disaster caused by insufficient lubrication of the jackscrew
assembly related in Sect. 11.5, the NTSB concluded that if the lubrication would
have been an RII for which an inspector sign-off would have been needed, the
potential for unperformed or improperly performed lubrication would have
been reduced. The responsibilities of the FAA and operators to determine
critical items and inspection levels were called into question one more time.
EASA, at its birth in 2003, established the rules for the performance of
critical maintenance: the Part-M defined it as “Flight Safety Sensitive Main-
tenance Task” and required an independent inspection after its accomplish-
ment; the Part-145 required that the organization would establish procedures
to minimize the risk of multiple errors and capture errors on critical systems
and limited the accomplishment of dual maintenance.
In 2016, EASA harmonized the terminologies used in the Part-M and Part-
145 rules under the “Critical Maintenance Task (CMT)” requirements. The
changes standardized both parts, including the recommended error capturing
methods (independent inspection and re-inspection), and introduced specific
Part-145 requirements for the performance of maintenance.
The CMT term overlapped the existing RII term that was already widely
used; they are equivalent in concept and application, but differ in regard to the
responsibilities.
The RII is an FAA Part-121/135 rule mandated to the maintenance organiza-
tion Part-145. The individual carrying an RII must be certifying staff although
does not exercise the certification privileges when accomplishing the RII.
The CMT is a responsibility of the Part-145. The independent inspection
is carried out by a qualified person but does not require to hold certification
privileges.
15.4 Integration into the AMP 205

The DAT accident and BA incident related in the following paragraphs were
part of a series of events that triggered the changes to the EASA regulation
implemented in 2016.
Danish Air Transport Flight DTR54
On January 31, 2005, the crew of the ATR-42 operated as Flight DTR54 experi-
enced considerable control problems related to the elevator function during the
takeoff at Bergen, Norway. They declared emergency and returned to Bergen
for landing. None of the 25 occupants was injured.
The investigation carried out by the Accident Investigation Board Norway
(AIBN)2 revealed that the control problems were originated by the detachment
of the right side elevator that ended hanging below the horizontal stabilizer
attached only by the inboard of the three hinges that normally connect them.
The bolt belonging to the center hinge assembly that had fallen out at an
earlier point in time, without being discovered, was found inside the elevator.
The bolt belonging to the outer hinge assembly fell out during the takeoff in
question and was found in the runway.

Fig. 15.2 DAT ATR-42 Elevator after landing. AIBN accident investigation report

Apparently, during the aircraft repaint in 1999, the elevators were removed
and re-installed, and both the center and outer hinges had not been tightened
to the correct torque. The procedures followed during the installation did not
state anything about any specific inspection carried out after completion, and
it is reasonable to assume that the error capturing method was not carried out
or unsatisfactorily performed.

2Report on the Aircraft Accident at Bergen Airport Flesland, Norway, involving an ATR 42–320,
OY-JRJ, operated by Danish Air Transport. AIBN. April 2006.
206 15 Critical Maintenance Tasks/Required Inspection Items

A DVI of the elevator fitting had been performed two years before the accident
but did not require specific attention to the hinges.
The AIBN suggested to EASA the discussion on whether the manufac-
turer should be given responsibility on identifying systems that are critical to
safety and require double check following maintenance. Up to date, the EASA
CMT regulation is focused on the continuing airworthiness of the aircraft and
the disturbance made to a system when performing maintenance. Despite the
guidance provided to identify CMTs, the EASA position leads to a lack of stan-
dardization between the EASA member states and their operators in regard to
the application of the rule.
British Airways (G-CPER)
On September 7, 2003, the crew of the Boeing 757, operated by British Airways
from London Heathrow to Paris, noticed hot oil smell and diverted to London
Gatwick for landing. During the autopilot approach, the aircraft drifted to the
right of the ILS localizer and the autopilot disconnected. The crew had to apply
a large amount of manual left roll control to prevent the aircraft from turning to
the right, maintaining the control, until touch down. The aircraft landed safely
with no injuries.
The Air Accident Investigation Branch (AAIB)3 revealed that the incident
was caused by maintenance errors that ended in the failure to re-install two
access panels on the right-hand outboard flap and incorrect procedures used
to service the engine oils. It was the first flight following a 26 days heavy
maintenance check.
The flap panels were removed and placed in the maintenance area, together
with the cuff panels from the slats that, at a glance, are very similar in
appearance to the flap panels. The cuff panels were no longer required as
the replacement slats were delivered with the cuff panels already fitted.
The company had authorized the technician to self-certify certain types of
maintenance tasks, including the fitting of access panels, without the need for
an independent inspection. At the end of the check, although the technician was
aware that he had not fitted the flap panels himself, he stamped the refitting task
card as he could not see any holes in the wing and assumed that all panels had

3 Report on the serious incident to Boeing 757–236, G-CPER. AAIB. December 15, 2005.
15.4 Integration into the AMP 207

been fitted. However, he had not recognized that the flap panels are concealed
by the flap drive fairings when these are retracted.

Fig. 15.3 BA B757 D-Check. AAIB Incident investigation report

On the other side, a different technician that performed the engine oil
servicing noticed that the levels on both engines were high (nearly 20 L) and
proceed to drain one liter from each engine recalling a Technical Newsletter
that stated that overfilling the engine levels causes oil smells in the cabin. The
technician did not follow the AMM instructions that state the oil level must be
checked within ten minutes and one hour of engine shutdown as the level on
the sight glass may under-read, what actually caused the engine would remain
overfilled. Satisfied with the work, both he and the certifying staff, assuming
the technician had completed the oil servicing, stamped the task.
Once the aircraft was released and shortly after the crew entered the aircraft,
a smell of hot oil became noticeable on the flight deck that disappeared when
the thrust increased, and the crew proceeded for taxi to the runway. After the
takeoff, the smell returned stronger than before to a level to which the crew
had to go on oxygen. The crew diverted to Heathrow with the autopilot and
auto thrust engaged and the aircraft configured for landing, but the aircraft
was drifting to the right of the runway centerline as a consequence of the
asymmetric aerodynamic effects induced by the missing flap panels. The crew
disconnected the autopilot and continued the approach visually until landing.
208 15 Critical Maintenance Tasks/Required Inspection Items

In addition to the battery of recommendation issued by the AAIB to British

Airways, an additional one was issued to EASA to consider introducing a
requirement to carry out a duplicate inspection on aircraft access panels when
removed/refitted or open/closed that may affect the airworthiness if incorrectly
secured or endanger the aircraft or persons on the ground.
 Part III
The Reliability Program

The Inherent Reliability of an aircraft, system, or component is the level to which

it performs the intended functions for a specified period of time under specified
conditions according to the design specifications.
The Inherent Reliability of a design can only be transmitted to the manufactured
product if the Compliance Monitoring/Quality function of the production organiza-
tion is appropriate, and once in service, if the Compliance Monitoring/Quality func-
tions of the continuing airworthiness management and maintenance organizations
are also adequate.
The Inherent Reliability is limited by the design; higher reliability levels can
only be achieved through redesign, e.g. through a modification or change in the
maintenance practices.
The objective of a Reliability Program is to maintain the Inherent Reliability
of the aircraft and its systems and components throughout their life cycle, which
includes determining the correct intervals of the AMP tasks and improve the Inherent
Reliability with an appropriate Modification Embodiment Policy. The Reliability
Program is not limited to apply corrective actions as a result of deviations from
reliability performance standards.
The Reliability Program is one of the main portions of the Aircraft Maintenance
Program and the main tool to measure its effectiveness; it is that the AMP tasks are
effective and their intervals are appropriate.
In the Part II of this book, it has been highlighted the relevance of the reliability
data to support the AMP. This Part III introduces the main regulatory requirements
for a Reliability Program, provides tools to analyze the reliability data, assess devi-
ations from performance standards, and brings solutions to correct those deviations.
This chapter also accounts for one of the main AMP requirements: the AMP Task
Effectiveness Analysis.
Chapter 16
Reliability Program Regulatory
Requirements

The EASA and FAA requirements for a Reliability Program are comparable; the
effectiveness of the AMP is measured by the Reliability Program, and the perfor-
mance of the AMP is measured by the CAME elements, under an EASA environment,
and the CASS elements, under an FAA environment.

16.1 EASA—Reliability Program Requirements

Part I introduced the requirement of EASA Part-M Subpart C, M.A.302 (g) to include
a Reliability Program in the AMP when it is based on Maintenance Steering Group
(MSG) logic or condition monitoring.
Appendix I to AMC M.A.302 (g) provides further guidance to identify when a
Reliability Program is actually required: when it is based on the MSG-3 logic or
includes condition monitored components or does not contain overhaul time periods
for significant system components or when it is specified by the MPD/MRBR. In
other cases, e.g., when the AMP is based on MSG-1 or MSG-2 logic but only contains
Hard-time (HT) or On-Condition (OC) items, there is no need to develop a Reliability
Program.
The objective of an EASA Reliability Program is to recognize the needs for
corrective action, to establish what corrective action is needed, and to determine the
effectiveness of that action. When the AMP is based on the MSG-3 methodology,
the Reliability Program should monitor all MSG-3-related tasks.
While the requirement is irrespective of the fleet size, EASA allows certain alle-
viations for a fleet of less than six aircraft of the same type (small fleet) due to the
amount of available data that can be processed. In this case, the program should
focus on areas where a sufficient amount of data is likely to be processed and use the
engineering judgment on areas where the data are limited. The use of Alert Levels
on areas where the data are limited is not appropriate. EASA encourages the CAMO
of small fleets to contact the TCH or other CAMOs to obtain additional data.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 211
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_16
212 16 Reliability Program Regulatory Requirements

The scope of a Reliability Program for a small fleet may be covered by a

component defect monitoring system, but it may suppose an Integrated Maintenance
Management Program in large CAMO.
Reliability Program Revision
The following changes to the Reliability Program should be submitted to the authority
for approval:
• the format and content of routine reports,
• the time scales for the production of reports together with their distribution,
• the format and content of reports supporting the request for increases in periods
between maintenance (escalation) and for amendments to the AMP. These reports
should contain sufficient detailed information to enable the competent authority
to make its own evaluation where necessary.

16.2 FAA—Continuing Analysis Surveillance System

(CASS)

14 CFR 121.373 & 135.431 require that certificate holders operating under Part-121
or under Part-135 (with aircraft of 10 or more seats) to establish and maintain a
Continuing Analysis Surveillance System (CASS) for the analysis and surveillance
of the performance and effectiveness of its Continuous Airworthiness Maintenance
Program (CAMP).
A CASS has two major measurement components:
• Maintenance Program Performance. It is an audit system (quality assurance
function) of all CAMP elements: Airworthiness responsibility, Air Carrier Main-
tenance Manual, Air Carrier Maintenance Organization, Accomplishment and
approval of maintenance and alterations, Maintenance Schedule, Required Inspec-
tion Items (RII), Maintenance recordkeeping system, Contract maintenance,
Personnel training, and CASS.
• Maintenance Program Effectiveness. It is the collection, analysis, and investiga-
tion of adverse trends of operational data. An FAA-approved Reliability Program
can be used to satisfy this major portion of the CASS requirements.
In other words, the Reliability Program addresses the operational data of the
Scheduled Maintenance element of a CAMP, while the CASS addresses and audits
all elements of the CAMP.
The integration of the Reliability Program within the CASS provides a picture of
the health of the operator’s maintenance organization.
FAA AC 120-79A provides the guidelines to develop and implement a CASS;
FAA AC 120-17B provides guidance for developing and maintaining a Reliability
Program as part of a Continuous Airworthiness Maintenance Program (CAMP).
The FAA considerations for a Reliability Program fulfill all the EASA require-
ments in this regard.
Chapter 17
Reliability Program Process

The Reliability Program process consists of the analysis of the reliability data sources,
identification of deviations from performance standards, Root Cause Analysis (RCA)
of the deviations, and implementation of corrective actions.

17.1 Sources of the Reliability Program

The Reliability Program should define the data that is required to perform the
reliability analysis, the data quality, and the data quantity.
The operator should select sufficient data sources to identify adverse trends and
individual events; the following list contains examples of reliability source data:
• Technical Logs,
• Pilots Reports (PIREPs),
• Cabin Reports (CAREPs),
• Cargo Reports (CGREPs),
• Maintenance Reports (MAREPs),
• Health Monitoring:
– Aircraft Maintenance Access Terminal (MAT)/On-board Maintenance System
(OMS) readouts,
– Engine Condition and Trend Monitoring,
• Deferred Defects (DD)/Minimum Equipment List (MEL),
• Scheduled maintenance findings,
• Sampling programs,
• Unscheduled maintenance,
• Unscheduled component removal,
• Shop finding reports,
• Store issues/reports,

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 213
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_17
214 17 Reliability Program Process

• Special Operations: EDTO (ETOPS), RVSM, RNP/RNAV, AWO (CAT II/III,

LTVO),
• Reports on Technical Delays,
• Reports on Accidents/Incidents,
• Service Difficulty Reports (SDR),
• TCH continuing airworthiness and safety information (SB, SL, CMM, etc.).

Data Quality and Quantity

The operator should develop a process to validate the accuracy of the data used in
support of the Reliability Program. Data can be considered of sufficient quality when
it is accurate, free from substantive recording errors, and comprehensive enough in
both scope and detail to facilitate its intended function in operations, analysis, and
decision making. A data accuracy/data quality process may include:
• Forms and instructions,
• Data audits,
• Reporting System (to provide feedback when data deviate from the data
standards),
• a common coding convention or system to correlate all sources, e.g., ATA code.
The operator should define a method for determining the relevant type and amount
of data required to represent its fleet.
The Reliability data is usually shared between the operator, the manufacturer, and
the suppliers and should be standardized. The standard used across the industry is the
Spec 2000—Reliability Data Collection and Exchange (Ch. 11),1 developed by the
Air Transport Association (ATA), that provides standardized formats for defining,
collecting, and exchanging reliability data between these organizations.

17.2 Analysis of Reliability Data

The procedures for analysis and interpretation of the Reliability data should enable
to measure the performance of the items controlled by the program. When deviations
from the performance standards are highlighted, a Root Cause Analysis (RCA) to
identify the causes of the deviation and the appropriate corrective actions becomes
necessary to maintain the reliability level.

1 Spec 2000—Reliability Data Collection/Exchange (Ch. 11). A4A. Revision 2019.1.

17.2 Analysis of Reliability Data 215

17.2.1 Performance Standards

A performance standard is an operational goal or standard developed by the oper-

ator to define an acceptable level of reliability, e.g., number, ratio, percentage, etc.
It may be calculated by the number of events occurring in a specified operating
period expressed in FH, FC, OH, or calendar time. The Reliability Program should
include procedures for the periodic review and adjustment of the standards based on
operational experience and fleet age, and operational, seasonal, and environmental
considerations.
The calculation of performance standards, control limits, and alert values is based
on average or baseline methods and statistical tools such as the standard deviation
or the Poisson distribution.
The operator may have different reasons than a negative operational performance
to consider the adjustment of the AMP, e.g., review to ensure over-maintenance is
not occurring, aircraft comfort and appearance, or changes due to modifications, etc.

17.2.2 Deviations from Performance Standards

The following paragraphs define some programs and techniques, that may be
combined, for determining deviations from performance standards.

17.2.2.1 Alert-Based Programs

The Alert-based programs identify deviations from defined standards based on

previous performance. The Alert Level is triggered by an increase in failure rates
or findings that goes beyond normal variation. The operator should identify the data
type, the method to calculate the Alert Level, and the alert method, and will initiate
an investigation when the performance falls outside the normal variation.
Alert Levels are not acceptable airworthiness levels but the means to identify
failure rates out of the normal performance variation.
The following paragraphs illustrate several examples of Alert-based parameters
that may be used to identify adverse trends for the aircraft and its components.
Aircraft Metrics
The operator should consider a suitable aircraft alert system as indication of devia-
tions from the standards. The parameters used to set alerts at aircraft, fleet, or subfleet
levels are function of the aircraft utilization and the dispatch/operational reliability,
that may be particularized for major components or special operations and the raised
defects.
216 17 Reliability Program Process

Utilization Parameters
Utilization/Flight Leg Time is one of the most important measures of operational
efficiency.
• Utilization: Flight Hours of Flight Cycles usage of an aircraft, fleet, or subfleet
within a specified period.

Total Flight Hours or Total Flight Cycles

Utilization =
Operational Days

The most common periods used are days and years, providing the Daily
Utilization and Annual Utilization parameters respectively.
• Flight Leg Time: period between the aircraft takeoff and landing.

Total Flight Hours

Flight Leg Time =
Total Flight Cycles

When the Utilization or Flight Leg Time is computed for a fleet or subfleet, it
is measured in average terms, e.g., Average Daily or Annual Utilization or Average
Flight Leg Time.
The aim of any operator is usually to achieve an efficient aircraft utilization
with reduced turnaround times; it requires appropriate coordination amongst many
of its functions: Flight Operations, Scheduling, Maintenance, Ground Operations,
Maintenance Programs, Reliability, etc.
Although the utilization is closely related to the type of operation, deviations in
the utilization may indicate poor performance in some of the operator functions that
may require to be looked at for optimization.
On the other hand, as seen in Sect. 6.1.4, changes in the utilization must be
surveilled given that the MRBR is valid within a utilization envelope, below which
other rules should be applied, e.g., the Low Utilization Maintenance Program
(LUMP).
Dispatch Reliability and Dispatch Availability Parameters
The Dispatch Reliability metrics are appropriate indicators to assess the technical
performance of the aircraft and the maintenance and the supply chain management
systems.
• Technical Dispatch Reliability (TDR): percentage of revenue flights that depart
within a specified period (typically 15 min) of a scheduled departure time.

Tech. Cancellations + Tech. Delays (above 15 min)

TDR = 100 − × 100
Revenue Flights

Revenue Flight is the total departures deducting the Non-Revenue Flights such
as Maintenance Check flights, Test flights, or Ferry flights.
17.2 Analysis of Reliability Data 217

• Operational Reliability: percentage of revenue flights that depart within a spec-

ified period (typically 15 min) of a scheduled departure time and for which there
are no in-flight technical interruptions such as In-Flight Turn Back or Diversion
events.

Tech. Cancellation + Tech. Delays (above 15 min) + IFTB + Div.

OR = 100 − × 100,
Revenue Flights

being IFTB the number of In-Flight Turn Back events and Div. the number of
diversions.
The impact of a 16 min delay, a 2 h delay, a Technical Cancelation, or an IFTB is
different. The TDR and OR equations can be reformulated by using Severity Factors
(SF), which take into consideration the weight of each interruption. The operator can
request guidance for the calculation of the SFs to the TCH.
The Operational Reliability target for many operators, supported by aircraft manu-
facturers, is to achieve a level of around 99%. Whenever the OR falls below the Alert
Level, indication for investigation should be highlighted. Reduced OR levels may
correlate maintenance or supply chain management issues.
On the other hand, the TDR and OR can also be estimated for specific operations
or major components. For example:
• For specific operations:
– TDR/OR for EDTO (ETOPS) operations, where Revenue Flights are EDTO
Revenue Flights and the Technical Interruptions (cancelations, delays, IFTB,
diversions) are due to failure of EDTO Significant Items.
– TDR/OR for RNAV operations, where Revenue Flights are RNAV Revenue
Flights and the Technical Interruptions (cancelations, delays, IFTB, diversions)
are due to failure of RNAV Significant Items.
• For major components:
– TDR/OR for APU, where APU Cycles are considered instead of Revenue
Flights, and the Technical Interruptions are due to failure of the APU.
– TDR/OR for Engines, where all the engines are considered, Engine Cycles
substitute the Revenue Flights, and the Technical Interruptions are due to failure
of the Engines. For example, Engine Operational Reliability is calculated as
follows:

Tech. Interruptions due to Engine failure

Engine OR = 100 − × 100 × No. of Engines
Engine Cycles

The use of Technical Dispatch Reliability (TDR) and Operational Reliability

(OR) parameters, when the operator has reserve aircraft to cover those with technical
issues, may hide technical organizational concerns. In such a case, the Operational
Availability metric complements the TDR or OR metrics to assess not only the
218 17 Reliability Program Process

technical performance of the aircraft but the maintenance system.2 The Operational
Availability is the total time deducting the unavailability time (aircraft grounding due
to scheduled/unscheduled maintenance or due to non-technical events such as crew
delays, weather issues, and air traffic control problems). The maintenance or other
factors of non-availability during the normal transit of the aircraft are not taken into
account for the calculation of the Operational Availability parameter.
When it is necessary to determine the reliability levels that are due to Technical
Cancelations and Diversions specifically, the Cancelation Rate (CR) and Schedule
Completion Rates (SCR) are appropriate parameters:
• Cancelation Rate (CR): rate of cancelled flights.

Revenue Flights + Tech. Cancellations + Div.

CR = × 100
Revenue Flights

• Schedule Completion Rate (SCR): rate of completed flights. It is the inverse of

the Cancelation Rate.
Revenue Flights
SCR = × 100
Revenue Flights + Tech. Cancellations + Div.

An indication for investigation is highlighted whenever the CR raises above, or

the SCR falls below the fixed Alert Levels. CR and SCR can also be considered
Event-based Alerts.
Capability Parameters (Special Operations)
As introduced in the previous paragraphs, the dispatch reliability parameters can be
translated to special operations in order to flag deviations in the concerned operation
capability, e.g., Technical Dispatch Reliability or Operational Reliability for RNAV
or EDTO (ETOPS) flights.
It becomes necessary to define the Significant Items for the special operations not
only to assess the dispatch reliability of those operations but to assign Component
Alert Levels.
On the other side, it is possible to define operational statistics to detect adverse
trends for those operations. For example, the CAT III Success Rate (SR):

Sucessful CAT III Landings

CAT III SR =
CAT III Attempts

Logbooks and MEL Parameters

The defects entered in the logbooks by the crew, maintenance, or other staff in the
form of Pilot Reports (PIREPs), Maintenance Reports (MAREPs), Cabin Reports
(CAREPs), or Cargo Reports (CGREPs) that require maintenance action are a main

2 Aircraft Operational Availability. IATA. First Edition—2018.

17.2 Analysis of Reliability Data 219

source of the Reliability data. In order to identify adverse trends, it is useful to

compute rates for a specific period of time for each type of report:

Number of Reports (PIREPs, MAREPs, CAREPs or CGREPs)

Reports Rate = × 1000
Flight Hours

The Report Rate can be particularized for special operations or major components,
e.g., EDTO PIREPs or engine MAREPs, in order to focus on adverse trends for
specific areas.
The Minimum Equipment List (MEL) is a relation of equipment necessary for
the safe operation of the aircraft. The MEL is developed by the operator on the basis
of a Master Minimum Equipment List (MMEL) issued by the TCH as part of the
certification of the aircraft. The MEL establishes limitations and conditions for the
operation of the aircraft with inoperative equipment. When a flight is dispatched with
an inoperative MEL item, the corresponding entry must be made in the logbook.
From the reliability perspective, it is interesting to analyze the rate of accumulated
MEL items at a certain point in time what may give indication of deviations or
inappropriate use of the MEL procedures:

Open MEL Items

MEL Items Rate =
Number of Days × Number of aircraft

MEL Items Rate formula can be translated for Deferred Defects (DD) that are
those that have been assessed to be within the MEL and the Configuration Deviation
List (CDL) limits and have been postponed within specified limits. DD Items Rate
is calculated taking into consideration open DD items.
The MEL Usage metrics provide an indication of the percentage of the time
allowed by MEL items that have been already utilized; it provides visibility on the
agility of the maintenance function to resolve the defect:

Days of open MEL Cat X

MEL Usage (%) = × 100,
MEL Limitation (days)

where MEL Cat X refers to the category of the MEL items; it is the time allowed for
reparation (e.g., Cat B: 3 consecutive days; Cat C: 10 consecutive days; and Cat D:
120 consecutive days).
Component Metrics
The following examples of reliability parameters may assist in the definition of Alert
Levels for components that are useful to identify deviations from their performance
standards. The presented alert parameters can be set for a component Part Number
(P/N), a range of serials within the P/N, or a unique component.
• Mean Time/Cycles Between Failures (MTBF/MCBF): the total unit flight
hours/cycles of each Part number (including all Serial Numbers) accrued in a
period of time divided by all the confirmed failures for such Part Number.
220 17 Reliability Program Process

Total Unit Hours

MTBF =
Number of Failures
Total Unit Cycles
MCBF =
Number of Failures
• Mean Time/Cycles Between Unscheduled Removals (MTBUR/MCBUR): the
total unit flight hours/cycles of each Part number (including all Serial Numbers)
accrued in a period of time divided by the number of unscheduled removals during
the same period.

Total Unit Hours

MTBUR =
Unscheduled Removals
Total Unit Cycles
MCBUR =
Unscheduled Removals
• Mean Time/Cycles To Unscheduled Removal (MTTUR/MCTUR): the total
of cumulative operating hours/cycles of each Part Number (including all Serial
Numbers) accrued in a period of time divided by the number of unscheduled
removals during the same period.

Cummulative Total Unit Hours

MTTUR =
Unscheduled Removals
Cummulative Total Unit Cycles
MCTUR =
Unscheduled Removals
• Unscheduled Removal Rate (Unsch RR): rate between the number of unsched-
uled removals in a period of time and the total unit flight hours.

Unscheduled Removals
Unsch RR = × 1000
Total Unit Hours
• No Fault Found Rate (NFFR): rate between the difference of unscheduled
removals and the number of failures in a period of time divided by the unscheduled
removals.
Unscheduled Removals − Number of Failures
NFFR = × 1000
Unscheduled Removals
Parameters such as MTBF and MTBUR may be compared with the corresponding
guarantee MTBF and MTBUR as targeted values.
There are many more parameters that can be useful in defining Alert Levels,
e.g., Mean Time/Cycles to Failure (MTTF/MCTF), Time/Cycles Since Repair
(TSR/CSR), Time/Cycles Since Overhaul (TSO/CSO), Time/Cycles Since New
(TSN/CSN), etc. The operator should evaluate which metrics are suitable for each
type of component in relation to the trends that want to be identified.
17.2 Analysis of Reliability Data 221

Some of these figures such as the components with the lowest MTBF/MCBF,
MTBUR/MCBUR, MTTUR/MCTUR, or with the highest Unscheduled Removal
and No Fault Found rates may be incorporated into the Reliability Report.
Out of the Reliability Program scope, it is possible to define further parameters
to assess the availability of components, such as the Mean Time To Repair (MTTR),
that is interesting from the perspective of Workshops and Supply Chain management
to assess the degree to which a component is operational and ready for use when
required. MTTR and other parameters, such as the Mean Time to Respond or the
Mean Time to Resolve, are useful to assess the maintenance function performance.

17.2.2.2 Event-Based Programs

The Event-based metrics are used to track individual technical service difficulties,
usually with safety implications or significant operational impact. Therefore, the data
associated with each event should be collected in order to carry out an investigation
and take the appropriate corrective actions.
Some of the events that may require investigations are Incidents, Diversions, In-
Flight ShutDown events, In-Flight Propeller Feathering, Rejected Takeoff, Aborted
Approach, Return to Gate, Emergency Descent, Hard Landing and Lighting Strikes.
It is possible to define metrics to measure deviations from the standards for all
these events. For example, to assess the engine operation cessation due to reasons
outside of normal operating procedures, it is used the In-Flight ShutDown (IFSD)
Rate:
Number of IFSD
IFSD Rate = × 1000
Engine Hours

Another example of Event-based Alert is the definition of a rate for occurrences

that require safety reporting:

Number of reported ocurrences

Occurrence Report Rate = × 1000
Revenue Flights

17.2.2.3 Trend Monitoring Programs

The Trend Monitoring programs track the current performance of systems, struc-
tures, or capabilities and identify out of limit conditions or deterioration tendencies.
The data provided by the monitoring systems are usually supplemented by data from
the component and structure failures. While the analysis of the component data is
typically assumed by the Reliability function, the Trend Monitoring programs are not
always managed by reliability staff, e.g., the Flight Data Monitoring (FDM)/Flight
222 17 Reliability Program Process

Operations Quality Assurance (FOQA) program, and the monitoring of RVSM oper-
ations may be responsibility of Flight Operations, the Engine Condition Monitoring
(ECM) may be responsibility of the Technical Services function, or the Structural
Health Monitoring (SHM) may be controlled under the Maintenance Programs and
Technical Services functions.
In any case, the procedures to manage the applicable Trend Monitoring programs
should be incorporated or referenced in the Reliability Program.
Flight Data Monitoring (FDM)/Flight Operations Quality Assurance (FOQA)
A Flight Data Monitoring (FDM) program under the EASA rules, known as Flight
Operations Quality Assurance (FOQA) under the FAA regulations, is a process that
collects and analyzes flight data from routine operations in order to improve the flight
safety.
The FDM/FOQA data are acquired from the aircraft sensors throughout the flight
data recorders: from a simple airborne Flight Data Recorder (FDR) to the Quick
Access Recorder (QAR) or more modern technologies that automatically download
the information via wireless systems.
The data are usually processed on ground with advanced software programs that
check for abnormalities and present interpretable results.
The FDM/FOQA analysis techniques are based on:
• Exceedance detection: It involves setting specific limits for the parameters to
detect deviations.
• Statistics: It is used to create profiles of flights or maintenance procedures and
build distributions in regard to defined criteria. The distribution of the data will
show all flights and enable to determine standard deviations from the mean and
risks based on the mean.
The data are compiled periodically, e.g., monthly, and reviewed by the moni-
toring team that will issue recommendations to the appropriate stakeholders. The
monitoring team is usually formed and chaired by Flight Operations and Safety
staff with a representation of the continuing airworthiness organization, usually the
Reliability and Technical Services functions.
The FDM is an EASA requirement for aircraft with a maximum certificated takeoff
mass of more than 27,000 kg and a voluntary program for the FAA operators.
EDTO (ETOPS) Trend Monitoring Programs for Two-Engine Aircraft
Following the EDTO (ETOPS) operational approval for two-engine aircraft, the
operator must have the appropriate programs to monitor the engine condition, the oil
consumption, and under certain specifications, the APU In-Flight starting.
These programs may also be found beneficial for non-EDTO operations and the
EDTO operation of aircraft with more than two engines.
17.2 Analysis of Reliability Data 223

Engine Condition Monitoring (ECM)

Engine Condition Monitoring (ECM) is a process that collects and analyzes engine
data to measure its performance. ECM allows for identification of adverse trends at
an early stage so corrective actions can be taken before the safe operation is affected.
In regard to two-engine EDTO operations, the ECM should determine if an engine
is no longer capable of providing the maximum thrust and loading demands that are
required for a single-engine diversion.
The typical engine parameters collected are related to speed, temperature,
pressure, fuel flow, and vibration.
The ECM data are recorded and downloaded to a ground station for its analysis
(e.g., from the QAR) or transmitted via Aircraft Communication Addressing and
Reporting System (ACARS) for real-time analysis. If the analysis is not in real time,
it is recommended to analyze the data at frequent periods, with a maximum time of
5 days.
The data are compared with design performance models and with the engine
service experience through specialized software that identifies deviations from the
set standards. The data analysis is performed by the operator or a service provider
that may be the engine manufacturer.
The MSG-3 methodology does not allow to take credit of an Engine Condition
Monitoring (ECM) program for the failure analysis; however, the ECM may take
credit of the MRBR tasks for monitoring engine fuel, oil, control systems, etc.
Oil Consumption Monitoring
The Oil Consumption Monitoring program ensures that there is enough oil to
complete each EDTO (ETOPS) flight. The consumption should not exceed the TCH
recommendations, and the operator should identify deviations of the normal oil
consumption rate.
This program requires that the amount of oil added at the departure is recorded and
compared with the average consumption; an investigation and appropriate correc-
tive action is required if any increase or deviation from the normal consumption is
detected.
The APU oil consumption is included in the program if the EDTO (ETOPS)
operation requires an APU.
If the oil analysis is recommended by the TCH, it should be included or referenced
in the program.
APU In-Flight Start Program
The APU In-Flight Start program is used to demonstrate the continued ability of the
APU to perform high altitude cold soak starts and run, typically required when the
APU is a backup source of electrical or pneumatic power.
The APU In-Flight Start Program is a requisite for the approval of two-engine
EDTO operations if the Type Certificate requires an APU but does not require the
APU to run during the EDTO portion of the flight, and the MEL does not allow to
flight with an inoperative APU beyond the diversion time.
224 17 Reliability Program Process

The APU In-Flight Start program is usually conducted by the Flight Operations
function and includes periodic sampling of the capability of each aircraft for APU
in-flight starting. When the APU in-flight start rate drops below 95%, the operator
should initiate a further investigation into any common cause or systemic errors in
the procedures. If this reliability level cannot be achieved, the continuous operation
of the APU may be necessary.
Structural Health Monitoring (SHM)
Structural Health Monitoring (SHM) is the state of art in detecting damage of the
structure. The SHM checks specific structural items, details, installations, or assem-
blies using onboard mechanical, optical, or electronic devices that are designed to
detect the damage.
SHM is based on emerging technologies that may even provide data of when
the damage occurred, where it is located, and the characteristics of the damage.
The SHM may assess the aircraft’s structural condition and point the need for
corrective/maintenance action.
While some of the initiated SHM programs transmit the data via wireless systems
when the processor unit is interrogated, the goal of current SHM programs is to
monitor the aircraft structure in flight.
SHM provides countless benefits: early detection of structural damages, less
number of major repairs, detection of damages in difficult access areas, and reduction
of inspection times.
Scheduled SHM is considered in the MSG-3 methodology as a valid method to
detect structural damage by using the readout of SHM devices at periodic intervals.
Aircraft Health Monitoring (AHM)
Aircraft Health Monitoring (AHM) is the next step in the development of collection
and analysis of in-flight data. The real-time AHM constitutes an authentic Prognostics
and Health Management (PHM) system that provides with a real-time picture of
the fitness status of the aircraft. AHM provides several added values for crew and
maintenance staff in regard to predecessor systems: real-time fault indication, real-
time troubleshooting of aircraft systems and components, anticipation of faults of
systems and component, and prescription of maintenance.
AHM has much to do with the capability of the aircraft to obtain data; while the
data from the flight data recorders can be made remotely available for all commer-
cial aircraft, the most modern aircraft integrate more sensors in more systems and
components to enhance their reliability.
AHM added values translate into less time spent on fault analysis, reduction of
unnecessary removal of functional components, optimized inventory, less downtime,
and consequently, the reduction of Technical Interruptions (cancelations, delays,
IFTB, diversions).
The AHM analysis is usually performed by a specialized AHM System service
provider that has remote access, via Aircraft Communication Addressing and
Reporting System (ACARS), to the aircraft data parameters.
17.2 Analysis of Reliability Data 225

The AHM System service provider makes use of specialized software that
compares performance data with developed models, identifies deviation trends, inter-
rogates the aircraft when a fault is found, and investigates the aircraft history to
provide a solution.
AHM allows determining the root cause of a defect before the aircraft reaches its
destination.
AHM may integrate components of other trend monitoring techniques such as the
Engine Condition Monitoring (ECM) or the Structural Health Monitoring (SHM)
system(s).
Out of the scope of this book, the AHM system may also provide the opportunity
to monitor the fuel consumption and calculate the carbon dioxide emissions for more
sustainable and cost-effective operations.
In regard to AHM and the MSG-3 methodology, IP 180 proposes the amendment
of the IMPS and MSG-3 to make use of the certified AHM capabilities as alternative
procedures to identify failures and prevent deterioration on the inherent safety and
reliability levels of the aircraft, in addition to the scheduled tasks that are to be
accomplished at specific intervals. The proposal is under a maturity process and is
planned to be implemented within a future MSG-3 revision.
Monitoring of Reduced Vertical Separation Minima (RVSM) Operations
The monitoring of height keeping performance of RVSM operations is carried out
by Regional Monitoring Agencies.
Eurocontrol, through the European Regional Monitoring Agency (EUR RMA),
monitors and supports aircraft operations in the European RVSM airspace. The
results for aircraft registered in states accredited to the EUR RMA are published
in the Eurocontrol site; for aircraft registered elsewhere are published via the RMA
corresponding to the state of registration.
The FAA has established, through bilateral agreements with Canada and Mexico,
the North American Approvals Registry and Monitoring Organization (NAARMO)
to monitor the height keeping performance.
The RMAs do not provide the results directly to the operators but publish the date
of the last successful height monitoring measurement on their Web sites. In case of
any safety concern, the RMAs contact the operator through the competent authority.

17.2.2.4 Index-Based Programs

The Index-based Alert makes use of multiple data types that are correlated to
a specific aircraft system or component to produce an index ranking of perfor-
mance: Pilot/Maintenance/Cabin/Cargo Reports, routine task findings, delays and
cancelations, MEL/CDL items, etc.
Defining Index-based Alerts brings to light the importance of establishing a
common coding convention to be able to correlate all reliability sources, usually,
by the use of ATA codes.
226 17 Reliability Program Process

The performance ranking can highlight the systems or components with the worst
performance or the schedule maintenance tasks that are apparently not effective, so
the pertinent investigation is initiated.

17.3 Reliability Root Cause Analysis (RCA)

A Reliability Root Cause Analysis (RCA) is performed and documented when devi-
ations from the performance standards are highlighted and there is a need to find the
cause of such deviations.
The Reliability RCA should consider not only the data source that triggers the
analysis but a series of factors that may be determining to find the underlying causes.
The following list shows some examples of additional aspects that may assist during
the RCA:
• other figures from the techniques used to identify deviations from perfor-
mance standards (Alert-based, Event-based, Trend Monitoring and Index-based
programs),
• Maintenance and Workshop findings,
• Modification Embodiment Policy,
• Sampling Programs,
• Effectiveness of the AMP,
• Effects of changes in the utilization or type of operation, and
• Staff training.
There are a variety of analytical techniques and tools to perform a Reliability
RCA. The following list presents some of them:
• Evaluation of repetitive defects,
• Review of Service Bulletins and industry reports for applicability and urgency,
• Comparison of operational data from internal and external sources,
• Pool data with other operators of the same aircraft type (for small size operators),
• Investigative testing / sampling program,
• Conventional RCA tools: Five Whys, Cause and Effect Diagram (Fishbone
Diagram), Process Analysis/Cause Mapping, etc.,
• Graphical and Statistical Analysis: Pareto chart, Poisson’s distribution, Hypoth-
esis testing, Normal distribution, Exponential distribution, Weibull analysis,
etc.,
• Failure Mode and Effects Analysis (FMEA) / MSG-3 methodology,
• Maintenance Error and Decision Aid (MEDA).
17.3 Reliability Root Cause Analysis (RCA) 227

Further information about conventional RCA is detailed in Sect. 21.1. The operator
is responsible for finding or defining the appropriate RCA analysis tool that is used
in assistance of identifying the root causes.

17.4 Corrective Actions

Any reduction in the reliability levels revealed by the Reliability Program should
be corrected. It is highly recommendable that the operator develops decision logics
to determine which corrective actions need to be taken to eliminate the causes of
deviations from the performance standards.
Guidance to develop a decision logic tree for AMP task adjustment is provided in
the FAA AC 120-17B Appendixes. The book Aviation Maintenance Management 3
also provides valuable guidance on the investigation process decision logic from the
alert/event to the corrective action.
The TCH can also provide assistance for developing the decision logics.
Figure 17.1 shows as an example the process developed by Boeing to determine
the corrective action of Short-Life Units.4
In the same way that usually there is not a single cause of deviations from the
standards, usually, the corrective action is also composed by different actions that
may be a combination of some of the following items:
• Changes to maintenance, operational procedures, or techniques,
• Amendment of AMP tasks and intervals: escalation, de-escalation, addition,
modification, or deletion of tasks,
• Amendments to approved manuals (e.g., maintenance manual or crew manual),
• Design change, modifications,
• Special inspections or fleet campaigns,
• Spares provisioning,
• Staff training,
• Manpower and equipment planning.
Corrective actions should include a planned completion date wherever applicable.

3 Aviation Maintenance Management (Pg. 275–287). Harry A. Kinnison & Tariq Siddiqui. Second
Edition.
4 New Process for Component Removal Reduction. Boeing AERO Magazine QTR_03.12.
228 17 Reliability Program Process

Fig. 17.1 Boeing Short-Life Unit (SLU) decision tree

Chapter 18
AMP Task Effectiveness

The operator may want to adjust the AMP due to reasons that fall out of adverse
operational trends.
The main reason for the AMP adjustment request should be the routine review
of the AMP tasks for effectiveness, which is one of the requirements for a main-
tenance program. This review may involve not only the adjustment of the task but
modifications, some type of product improvements, or organizational changes.
Other reasons are introduced in Sect. 11.5; the operator may be looking for the
Escalation of a task or Maintenance Check, and analysis for the task effectiveness
will be required.
On the other hand, when the operator reviews its aircraft appearance policy, it
may identify areas of concern that lead to adjustments of the AMP tasks.
AMP Evolution/optimization exercises, as detailed in Chap. 12, comply with the
requirement for the AMP routine review for effectiveness for the tasks that are within
the scope of the project.

18.1 AMP Task Effectiveness Analysis

The purpose of the AMP Task Effectiveness Analysis is to adjust the tasks to their
appropriate scope and interval that must be or remain acceptable from a safety
perspective. The analysis does not always end with a task escalation; task esca-
lation is just one of all the possible corrective actions that may be derived from the
analysis, but it may also result in the de-escalation of the task, the addition of new
tasks, change on the task category, scope or instructions, change on the organization
procedures, etc.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 229
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_18
230 18 AMP Task Effectiveness

18.1.1 In-Service Data

In-service data is collected and usually correlated by establishing a common coding

convention (ATA code). The scope of the analysis includes all the operational data
and data findings raised during scheduled or unscheduled maintenance in which
corrective action is directly related to the task in question and unrelated data findings
in which corrective action is not associated with the task but has an impact on the
task being analyzed.
The methods to determine the effectiveness of the AMP should collect and analyze
100% of its performance standard data, but the sampling concept may be used in
support when analyzing other types/sets of data such as routine maintenance findings.
Sampling
The sample size depends on the needs of the analysis but, in any case, must result
in confidence that represents the population (aircraft, fleet, subfleet, component P/N,
range of serials within a P/N or single component).
In regard to an aircraft fleet, an appropriate representation may include aircraft
with different operational history, configuration, utilization, operational and envi-
ronmental conditions, storage periods, or task yields and may be limited to the data
collected during a defined period of time.
The operator should weight the benefits in analyzing the repetitive accomplish-
ment of a task on specific aircraft against the last accomplishment of the task on a
greater number of aircraft.
When the available data is not sufficient to analyze the effectiveness of a task or
to justify a task change, it may become necessary to collect additional data through
new Sampling Programs, e.g., grease sample or oil sample.
Task Interval Yield
The Interval Yield is a relevant factor when analyzing scheduled maintenance tasks
data. The task interval is established to detect degradation or potential failure at the
prescribed interval; if the task is performed much earlier than the specified interval,
the data may not be valid to support the analysis.
The yield is calculated by division of the interval at which the task was performed
by the defined interval. If degradation/failure is found at low yield, it must be taken
into consideration for analysis; however, if no findings are encountered at low yield,
a minimum acceptable level must be established. The FAA considers that 80% is
the minimum acceptable yield for single tasks and 90% for average yield of all task
accomplishments considered for the analysis.
18.1 AMP Task Effectiveness Analysis 231

18.1.2 Analysis

The analysis primarily focuses on significant findings related to systems and struc-
tures in which failure may affect the safety and airworthiness of the aircraft;
non-significant findings are or are not taken into consideration based on risk
assessment.
The existence of maintenance findings does not indicate the inefficiency of the
task itself but requires assessment.
It is recommendable that the operator develops a standardized decision logic for
the analysis based on the type of tasks.
The task is considered ineffective if the analysis shows that the impact on opera-
tions is high. If the impact on operations is low, regardless of the number of findings,
the task is considered effective but in general terms may be subject to optimization
as follows:
• if there is a low number of both scheduled and unscheduled maintenance findings,
the task interval is not optimized and may be candidate for escalation,
• if there is a high number of findings arisen from scheduled or unscheduled main-
tenance, the task interval is not optimized and is candidate for de-escalation,
and
• if there is a low number of scheduled maintenance findings but a high number of
unscheduled maintenance findings, further assessment is required to determine
the task effectiveness.

18.1.3 Recommendations

The recommendation from the AMP Task Effectiveness Analysis should be based
on risk assessment: task type, targeted failure mode, consequences of failure, etc.
In regard to the AMP, the analysis may lead to changes in the task interval (esca-
lation or de-escalation), the addition of new tasks, deletion of existing tasks, change
on the task category, scope, or instructions. As detailed in Sect. 11.5, mandatory
requirements such as AD repetitive requirements, ALS, CMR*, and MRBR Struc-
tural sampling are not subject to escalation within the terms detailed in these para-
graphs. Moreover, certain safety-related tasks such as CMR**, MRBR FEC 5 & 8 &
EWIS & L/HIRF may be subject to escalation but with the condition of remaining
in the AMP without content change.
Other recommendations may go beyond the AMP scope and include modifications
or configuration changes, revision of the maintenance procedures, specific mainte-
nance actions, or changes in the organization procedures (responsibilities, manuals,
training, etc.).
232 18 AMP Task Effectiveness

18.1.4 Approval and Implementation

Under the FAA environment, the operator can implement the recommendations from
the AMP task effectiveness analysis through an internal approval process without
the involvement of the agency.
Under an EASA environment, the approval procedure should be agreed with the
competent authority and detailed in the CAME (Direct Approval by the competent
authority or Indirect Approval by the operator). The competent authority may autho-
rize for AMP Indirect Approval to implement changes arising from the AMP Task
Effectiveness Analysis if the Reliability Program monitors the content of the AMP
in a comprehensive manner and the procedures associated with the functioning of
the Reliability Board provide the assurance that appropriate control is exercised over
the internal validation of such changes.
The implementation of a task escalation or deletion requires the AMP approval,
but a new task or task de-escalation can be implemented in advance of the approval
based on safety, operational, or cost concerns. In this case, the operator should assess
the necessity of grace periods and bridge programs attending to the urgency of the
reliability concern.
Chapter 19
Reliability Analysis Results

The presentation of the reliability data, adverse trends, analyses, and corrective
actions taken closes the continuous reliability loop process, supported by the
Technical Reliability meeting and the Reliability Board Meeting.

19.1 Reliability Reports

The Reliability Program should include the procedures to distribute the summary of
the reliability data collected, the analysis performed, and the status of the corrective
actions and approved recommendations. The audience should include the manage-
ment of the continuing airworthiness and maintenance functions and other interested
stakeholders.
The operator should select the appropriate reporting methods and frequency
(progressive, weekly, monthly, quarterly, annual, on-demand) that allows for the
identification of adverse trends that may incur significant operational impact.
The reporting methods and frequency will also be determined by the size of the
organization and the complexity of its operations.
The reporting methods may be in the form of reliability reports, reliability
presentations, etc., and should reflect:
• the reliability philosophy of the operator, including the operational reliability
targets,
• the reliability figures,
• areas where the reliability targets are not achieved,
• deficiencies carried forward from previous reports and status of the corrective
actions,
• implemented and planned recommendations, and
• the status of the AMP Effectiveness Analysis.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 233
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_19
234 19 Reliability Analysis Results

19.2 Reliability Meetings

There are two types of Reliability meetings derived from the reliability process that
are typically found within medium to large organizations. The Technical Reliability
meeting convenes technical experts to ensure corrective actions to adverse reliability
trends are taken, and the Reliability Board meeting establishes the reliability policy
and ensures the appropriate resources are provided.
Technical Reliability Meetings
The Technical Reliability Meetings should be assisted by representatives of the
continuing airworthiness and maintenance organizations, operations, the TCH, etc.
Its function is to ensure that all reliability issues are addressed, and appropriate
corrective actions are taken. The meeting usually includes data and issues since the
last meeting or pending items.
The operator should select the appropriate frequency (monthly, quarterly, on-
demand).
The meeting may include a review of the following items:
• Reliability data and trends,
• Reliability drivers,
• Approval of corrective actions,
• Feedback from corrective actions already taken,
• ADs and modifications.

Reliability Board Meeting

The Reliability Board is formed by representatives of interested parties: contin-
uing airworthiness, maintenance, compliance monitoring, safety, operations, the
competent authority, the TCH, etc.
It is formed to oversee the Reliability Program performance, provide guidance,
and ensure that the resources to implement the recommended corrective actions are
provided.
The operator should select an appropriate frequency (quarterly, yearly, etc., and
on-demand) that should be acceptable to the competent authority.
The meeting may include the following items:
• Presentation and discussion of reliability reports,
• AMP and Reliability Program changes,
• Changes to the reliability targets.
 Part IV
The AMP in the Engineering
and Maintenance Organization Context

Some of the requirements for operators, continuing airworthiness, and maintenance

organizations have been detailed in the previous chapters. The structure of these
organization(s) depends on the type of operation, the size, and the strategy they set
to meet their objectives. It will change from time to time to meet new goals or to
correct deficiencies.
The competent authorities, supported by the regulation, must ensure that each
organization can provide the necessary resources to meet their obligations: the appro-
priate amount of competent staff, including the nominated persons, maintenance data,
equipment, tools, material, facilities, etc. The organization, at the same time, pursue
more cost-effective processes and should work to maintain or improve the required
level of safety.
This chapter considers an Engineering & Maintenance organization, including
continuing airworthiness management, maintenance and training roles, and describes
the main functions that may be found in a medium to large size organization (e.g.,
Safety, Compliance Monitoring/Quality, Maintenance Programs, Reliability, Tech-
nical Services, Stores, Maintenance Planning, Production Planning & Control, Work-
shops, etc.). These functions are also applicable to smaller organizations in which
the activities may be merged or even performed by a single person.
While a small AMP revision may have an insignificant impact on the Engi-
neering & Maintenance organization, the implementation of greater revisions, e.g.,
due to specific programs such as Low Utilization Maintenance Programs (LUMP),
Supplemental Structural Inspection Programs (SSIP) or the results of an Evolu-
tion/Optimization exercise, should be carefully analyzed and planned to avoid any
type of disruption.
The Engineering & Maintenance organization, the relations between the Main-
tenance Programs and other functions, and the impact of the AMP revision are
introduced in the following paragraphs.
Chapter 20
The Engineering and Maintenance
Organization

An Engineering and Maintenance organization, independently of the size, must

comply with the organizational requirements for those services that provide.
Medium to large Engineering and Maintenance organizations, with a considerable
amount of aircraft and components to maintain, technicians and certifying staff to
authorize, and stringent deadlines to meet, can become quite complex.
This chapter details the operation of a hypothetical Engineering and Maintenance
organization that meets those organizational requirements.
Figure 20.1 shows the high-level structure of our Engineering and Maintenance
organization.
Engineering Services and Aircraft Asset Management functions basically cover
the organizational requirements of the EASA Part-CAMO and the FAA Part-121/135
for continuing airworthiness management organizations.
EASA/FAA Part-145 requirements for maintenance organizations are covered
under the Maintenance functions; EASA/FAA Part-147 requirements are covered
under the Training function and integrate the rules for certifying staff established in
the EASA Part-66 and FAA Part-65.
Compliance Monitoring/Quality and Safety functions contribute to the organi-
zational compliance of continuing airworthiness management, maintenance, and
training organizations. These functions may be dedicated to each organization (e.g.,
one dedicated to Engineering Services and Aircraft Asset Management, another
dedicated to Maintenance and Supply Chain and Maintenance Support and another
dedicated to Training) as it is found convenient.
The oversight functions, Compliance Monitoring/Quality and Safety, are inde-
pendent of the rest of the organization and are responsible to the corresponding
accountable manager.
The Engineering and Maintenance organization and the Flight Operations function
(out of the scope of this book) must provide mutual support in certain areas, e.g.,
for assessing the implementation of modifications that may affect the operations,
for developing/revising the Preflight inspection standards or assessing the required

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 237
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_20
238 20 The Engineering and Maintenance Organization

Fig. 20.1 Engineering and Maintenance organization Organigram

flight crew training, for Maintenance Check flights or when expertise on operation
procedures is required.
Our Engineering and Maintenance organization includes functions not derived
from the requirements but that are considered an added value: Process Analysis and
Improvement, and Innovation; these functions may not only support the compliance
but can help in developing safer and more cost-effective processes to the rest of the
organization. Some tools and methods that can be used by this function are detailed
in Part 6.
The Engineering and Maintenance organization may be part of the operator orga-
nization or be subcontracted, including outsourcing of some of its functions inde-
pendently, e.g., only the maintenance function, the development of the AMP, or the
management of Technical Records. The regulation establishes certain limitations on
the outsourcing of specialized services, and they must be, in any case, included in
the corresponding organization’s exposition/manual.
Each function/subfunction of the Engineering and Maintenance organization can
be organized on Fleet Stream basis with functions dedicated to each aircraft type for
which the organization/function is approved to provide services. The Fleet Stream
philosophy may improve efficiency and reduce costs in many areas of the business.

20.1 Aircraft Asset Management

The Aircraft Asset Management (AAM) function manages the technical, legal, and
financial aspects of aircraft induction, phaseout, and major projects.
The goal of AAM is to maximize the owned aircraft asset value and minimize the
leased aircraft costs.
The AAM function is halfway the technical, the legal, and the financial functions
of the organization, and therefore, it should be constituted by experts of the three
fields for safe, compliant, and cost-effective end results.
The AAM function is usually segregated into different subfunctions, e.g.,
• Aircraft Induction: the AAM function coordinates the induction process, including
the issuance of the CofA and ARC, as applicable, ensuring that the aircraft is in
airworthy condition. It may require support from the Maintenance Programs,
20.1 Aircraft Asset Management 239

Technical Services, and Compliance Monitoring/Quality functions. Delivery

technical records are addressed to the interested stakeholders for their review.
• Aircraft Phaseout: if the aircraft is owned, the phaseout means aircraft trading
or dismantling for using, selling, or bringing components, assemblies, and
constituent parts of the aircraft to the market. If the aircraft is leased, the AAM
function manages the End Of Lease (EOL) process, including the Bridge Programs
required to return the aircraft as stipulated in the leasing contract.
• Projects: Activities that may require technical, legal, or financial expertise, e.g.,
major modifications such as aircraft conversion to freighter.
• Contracts and Insurance: This subfunction negotiates leasing and sales contracts
and ensures their requirements are fulfilled.

20.2 Engineering Services

The Engineering Services function manages most of the administrative requirements

for the continuing airworthiness of the aircraft and provides support and assistance
to other functions.
The basic functions for medium to large organizations are shown in Fig. 20.2.

Fig. 20.2 Engineering Services Organigram

The following paragraphs detail the main activities of each Engineering Services
function.

20.2.1 Technical Publications

The Technical Publications (TP) function receives, controls, and distributes all the
maintenance data that is necessary for the accomplishment of maintenance.
The maintenance data include, but is not limited to:
• external maintenance data:
– regulation (EASA Continuing Airworthiness rules, AMSc, GMs, FAA 14 CFR,
Advisory Circulars, competent authority publications, etc.),
240 20 The Engineering and Maintenance Organization

– Airworthiness Directives (AD),

– Scheduled maintenance (MPD, MRBR, ALS, SSID, CPCP, LUR),
– Master Minimum Equipment list (MMEL),
– Service Bulletins (SB), Service Letters (SL),
– Modifications/repairs data,
– Maintenance and Repair Manuals of aircraft and components,
– Troubleshooting manuals.
• internal maintenance data:
– Company manuals (CAME/CAMP, MOE, Design organization manual, etc.),
– Aircraft Maintenance Program (AMP),
– Minimum Equipment List (MEL),
– Configuration Deviation List (CDL).
TP should ensure that the maintenance data is.
• Updated: the maintenance data should be up to date by subscribing to revi-
sion schemes, checking that the revisions are being received and monitoring the
revision status of the data.
• Controlled: the maintenance data should establish a system and the necessary
procedures to receive, control, and distribute the publications.
• Distributed: the maintenance data need to be distributed to all concerned parties
and staff.
• Available: each person performing maintenance should have access to the
maintenance data. TP should establish and control a maintenance data library.
It is usual to integrate the Technical Publication function within the Technical
Services or IT Systems functions.

20.2.2 Technical Records

The Technical Records (TR) function receives, manages, and archives/retains the
maintenance records. Maintenance records should also be made available to the
concerned staff.
Any maintenance performed on the aircraft or component and any release docu-
ment of such aircraft/component must be controlled and recorded. The format in
which the maintenance is recorded, certified, and stored (paper or electronic) should
be acceptable to the competent authority.
The maintenance records include, but are not limited to:
• Delivery documents (Aircraft Inspection Report (AIR)/Aircraft Readiness Log
(ARL), Engine/Propeller/APU Logbooks, LOPA, etc.),
• Time in service and time since last maintenance of the aircraft and certain compo-
nents, e.g., Life Limited Parts (LLP), Time Controlled Items (TCI), Overhaul, etc.
20.2 Engineering Services 241

Times are recorded in Flight Hours, Flight Cycles, Operating Hours, calendar time,
etc., as appropriate,
• compliance status with maintenance requirements (Logbook, Task Cards, Engi-
neering Orders, Work Orders, Work Packages, Shop Visit Reports, etc., including
defect corrections and non-routine maintenance):
– Airworthiness Directives (ADs),
– Aircraft Maintenance Program (AMP),
– Modifications/repairs,
• release of aircraft and components:
– Certificate of Release to Service (CRS) of the aircraft,
– Certificate of Release to Service of components (EASA Form 1, FAA Form
8130–3 or equivalent),
– Certificate of Conformance (CoC).
Each maintenance record should include the date, the identification of the
aircraft or component (registration, Part Number, Serial Number, as applicable),
the times since new/overhaul, details of the work performed, maintenance certifica-
tion with details of the certifying staff (authorization/signature), and the release of
the maintenance performed.
TR should develop the necessary procedures to ensure the maintenance records
are properly collected, recorded, stored, and made available to all concerned staff.
Maintenance records should be protected from damage, alteration, and theft, and
their integrity maintained.
TR largely support the Aircraft Review Certificate (ARC), in an EASA environ-
ment, and the End Of Lease (EOL) processes by providing the necessary maintenance
records.
Larger organizations tend to segregate TR functions, e.g., configuration control,
data entry, and digitalization/archiving.
The maintenance records retention period is three years since the release of the
aircraft/component in an EASA environment. FAA requires, in general terms, to keep
the maintenance records for one year or until the work is repeated or superseded by
other work.

20.2.3 Technical Services

The Technical Services (TS) function assesses maintenance documentation and

provides technical support/assistance to other functions.
The Technical Services function includes, but is not limited to:
• Assessment of maintenance data: Airworthiness Directives, modifications,
repairs, SB, SL, CMM, and manufacturer/vendor recommendations, etc.,
• assessment of issues derived from reliability data trends,
242 20 The Engineering and Maintenance Organization

• generating Engineering Orders (EO),

• review and closure of accomplished EO,
• prepare modification campaigns,
• coordinate Work Scopes with Maintenance Programs
• provide expertise to other functions,
• participating in the rulemaking processes by providing comments to Notice
of Proposed Amendment (NPA), Proposed AD (PAD), Notice of Proposed
Rulemaking (NPRM), etc.,
• participating in the MRB Maintenance Working Groups (MWG).
AMP source documents, other than those specified in the above lines, are assessed
by the Maintenance Programs function. It is convenient to establish the appro-
priate means of communication between both functions to avoid the omission of
any requirement derived from the maintenance documentation assessment.
The Technical Services expertise may be required during a wide range of activi-
ties; some examples are the development of the AMP, participate the Internal “Main-
tenance Working Groups” and “Industry Steering Committee” during the Evolu-
tion/Optimization of the AMP, evaluation of new aircraft, system or component,
evaluation of new equipment and tools, assistance in troubleshooting, etc.
Technical Services responsibilities may be segregated in regard to the fleet type,
the area of expertise (by ATA or ATA groups), and the urgency of the work (short/long
term), e.g.,
• Long-term TS: Aircraft Systems, Power plants, Aircraft Structure, and Cabin
appearance.
• Short-term TS: depending on the type of operation and maintenance philosophy, a
dedicated team available 24/7 that provides assistance on urgent day-to-day issues
may be needed.

20.2.4 Maintenance Programs

The Maintenance Programs (MP) function assesses maintenance documentation and

develops the Aircraft Maintenance Program.
The Maintenance Programs function includes, but is not limited to:
• assessment of AMP source documents: AD (only those requiring specific actions
into the AMP), MPD, MRBR, ALS, CMR, LUR, SSID, CPCP, and other ICA,
• assess source document changes versus reliability data,
• propose and implement task/check intervals,
• propose/participate in the Evolution/Optimization of the AMP,
• generate AMP revision and evaluation of the impact on other functions,
• management of Bridge Programs,
• create and control Maintenance Requirements,
• coordinate Work Scopes with Maintenance Planning and Technical Records,
• participating in the MRB Industry Steering Committee (ISC),
20.2 Engineering Services 243

• provide assistance to other functions.

The assessment of AMP sources is detailed in the PART 2 of this book.
The Maintenance Programs responsibilities are usually segregated in regard to the
fleet type and may be further defined considering the different Maintenance Programs
within an AMP, e.g.,
• AMP Revision Preparation: Aircraft Systems, Aircraft Structure, Components,
Landing Gear, Power plants, etc.,
• AMP Implementation—it may be segregated attending to the same reasoning than
the AMP preparation,
• specific AMP Projects.
The Generation of Task Cards to support the AMP Maintenance Requirements
may be delegated to the Maintenance Programs function. This chapter is consid-
ered as Work Preparation responsibility under the Production Planning and Control
function.

20.2.5 Reliability

The Reliability function collects and analyzes the in-service data (reliability data)
and proposes any necessary corrective action to ensure the AMP tasks and intervals
are effective. The Reliability function is based on the Reliability Program.
The Reliability function includes, but is not limited to:
• development of the Reliability Program,
• collect in-service data,
• analyze in-service data,
• coordinate corrective actions with Technical Services and/or Maintenance
Programs (modifications, AMP changes, etc.),
• prepare the Reliability reports,
• chair the Reliability meetings,
• support AMP changes.
The analysis of in-service data and the scope of the Reliability Program are
detailed in PART 3.
Collection of quality in-service data requires appropriate procedures and coordi-
nation with the functions that source the data.
The Reliability function is essential for the development of the Embodiment
Policy for non-mandatory recommendations (SBs, SLs, CMMs, etc.), as introduced
in Sect. 8.4, and should be a main actor of the Modification Embodiment Policy
Board.
The Reliability Program is a requirement for AMPs based on maintenance steering
group logic and both functions should work in close coordination. It is usual to
combine both functions under a Maintenance Programs and Reliability department.
244 20 The Engineering and Maintenance Organization

20.2.6 Maintenance Planning and Scheduling

The Maintenance Planning and Scheduling (MP&S) function packages maintenance

requirements issued by the Technical Services and Maintenance Programs functions,
defines maintenance events, and assigns grounding times.
The Maintenance Planning and Scheduling function includes, but is not limited
to:
• assess the maintenance forecast and deferred maintenance versus the aircraft
availability,
• work scoping: package Maintenance/Check Requirements issued by Technical
Records (Engineering Orders) and Maintenance Programs (AMP Task Cards and
Maintenance Checks),
• generation of Work Orders and Work Packages,
• assign maintenance events ground times,
• ensure the availability of resources.
The Maintenance Planning and Scheduling responsibilities may be segregated
into:
• Short-term planning for Line Maintenance inputs, with dedicated resources to
fulfill immediate necessities and avoid day-to-day issues an disruptions,
• Long-term planning for Base/Heavy Maintenance inputs, and
• Scheduling for tail and ground times assignment.
Scheduling requires close coordination with Flight Operations.

20.2.7 IT Systems

The IT Systems function maintains the Information Technology means that support
the Engineering Services and Maintenance functions.
Nowadays, it is difficult to imagine the management of the continuing airworthi-
ness and maintenance of an aircraft based on paper. The industry progresses fast, and
there exists dedicated aviation enterprise asset management software with capability
to manage most of the requirements demanded by any airline size (finance, human
resources, compliance monitoring, continuing airworthiness, planning, production,
component maintenance, material management, communications, etc.). However,
the use of different software that may be interfaced is still common.
The IT Systems function includes, but is not limited to:
• management of IT solutions and their interfaces,
• ensure the integrity of the data managed by the IT solutions,
• backup of data, including maintenance data and technical records,
• development of new IT solutions,
• assess the impact of IT changes and ensure their smooth implementation.
20.2 Engineering Services 245

The IT Systems function is critical to ensure the correct operation of all the
rest of the functions, including compliance and the efficiency of the deployment of
resources. A minimum error or omission may cause the biggest disruption.

20.3 Maintenance

The Engineering Maintenance function manages the execution of maintenance for

the continuing airworthiness of the aircraft. Figure 20.3 shows the main activities of

Fig. 20.3 Maintenance organigram

the Maintenance organization.

The following paragraphs detail the main activities of each Maintenance function.

20.3.1 Production Planning and Control

The Production Planning and Control (PP&C) function is responsible for scheduling
the aircraft maintenance event work and ensures the availability of the necessary
resources (manpower, tools, equipment, material, maintenance data, and facilities).
The PP&C function includes, but is not limited to:
• Evaluation of Work Packages and customization,
• Generation of Task Cards, including facilitation Task Cards, e.g., for access
requirements,
• Identify and plan Critical Maintenance Tasks,
• Planning and status management of aircraft maintenance events,
• Coordinate subcontracted maintenance,
• Organize maintenance teams and shifts,
• Coordinate availability of tools, equipment, and material,
• Ensure the completion of maintenance,
• Ensure Deferred maintenance is addressed,
246 20 The Engineering and Maintenance Organization

• Develop Capacity Plans,

• Evaluation of Critical Paths.
Capacity Planning refers to the amount of maintenance that the organization can
complete. It requires estimation of resources and evaluation of Critical Paths that
may delay the completion of maintenance events.
As introduced in Sect. 5.2, the MPD provides additional information for the
planning of each maintenance task, including estimated manpower. The man-hours
provided by the MPD are usually adjusted to the operator efficiency using the labor
efficiency factor. PPC further adjusts these estimations based on the organization
maintenance experience.
On the other hand, under this chapter, the generation of Task Cards is considered a
responsibility of PP&C in a dedicated team for the Work Preparation due to their grade
of expertise and proximity to the real maintenance work. It is normal that the Work
Preparation responsibilities are delegated to other functions such as maintenance
Planning or segregated between Maintenance Programs (AMP tasks) and Technical
Services (modification/repair tasks).
In this regard, it is quoted the comparison related by Kinnison and Siddiqui1 about
the discussion on the control of the Material Support function by the Maintenance
or the Finance department: “- Artistic decisions should not be made by non-artistic
people- and -Technical decisions should not be made by non-technical people-”.
Although a Maintenance Programs Engineer is qualified enough to produce Task
Cards, the Production Planning and Control Engineer likely has a closer view of the
maintenance necessities what makes him more suitable, if there is any margin, to
develop Task Cards.

20.3.2 Maintenance Control Center

The Maintenance Control Center (MCC) function monitors the aircraft’s technical
status and its serviceability.
The MCC function includes, but is not limited to:
• assessment, monitoring, and coordination for Deferred Defects rectification,
• assessment of deviations (MEL and CDL),
• management of aircraft recovery (Aircraft On Ground (AOG) situations),
• coordinate with logistics the availability of spares,
• provide technical support to technicians and flight crew,
• coordinate Daily Checks,
• coordinate servicing of the aircraft and Line Maintenance dispatch,
• coordinate maintenance in outstations and in case of aircraft diversion.

1Aviation Maintenance Management (Pg. 181). Harry A. Kinnison & Tariq Siddiqui. Second
Edition.
20.3 Maintenance 247

If a Short-term Technical Services 24/7 function is defined, it may be integrated

within the MCC team in order to provide assistance at the forefront on day-to-day
issues.

20.3.3 Line/Base Maintenance

The main characteristics of Line and Base Maintenance are introduced in Sect. 9.1.1.
The Line Maintenance function accomplishes maintenance before flight to ensure
the aircraft is fit for the intended flight, usually without disturbing the flight schedule.
The Base Maintenance function is in charge of maintenance out of the Line
Maintenance scope and requires to remove the aircraft from operation.
PP&C usually coordinates Line Maintenance through MCC while the interface
with Base Maintenance is direct.
The Line/Base Maintenance function includes, but is not limited to, the perfor-
mance of maintenance on the aircraft and its certification for release to service by
duly certified/authorized staff.

20.3.4 Workshops

The Workshops function is to perform maintenance on parts and components

removed from the aircraft.
Workshops related to base/heavy maintenance that supports the aircraft while is
out of operation, work closely with PP&C, e.g., Cabin refurbishment, Metal and
Composites repairs, or Paint Workshops.
Other types of Workshops support aircraft at all times and require availability of
spare parts, e.g., Battery, Oxygen, or Engine Workshops. The work on these types
of parts and components maintenance is usually performed on exchange basis; the
unit is removed and sent to the Workshop, and a serviceable unit is installed on the
aircraft.
The Capability List of a part 145 organization relates the items and scope of work
that can be performed (in-house capability).
If not identified in the Capability list, maintenance on components may be
outsourced. In that case, the coordination with the Supply Chain and Material Support
functions and the subcontractors takes all the relevance.
Each Workshop has its own “Production Planning” function for the schedule
of maintenance on the part or component with the appropriate manpower, tools,
equipment, material, maintenance data, and facilities.
Workshop spaces usually have their own work area with tools and equipment and
a storage area with provisions to separate serviceable from unserviceable items.
248 20 The Engineering and Maintenance Organization

20.4 Supply Chain and Material Support

The Supply Chain and Material Support function integrates all the activities that are
required to furnish the Engineering and Maintenance organization with equipment,
tools, and material at each location which are required (Fig. 20.4).

Fig. 20.4 Supply Chain and Material Support Organigram

20.4.1 Inventory Control

The Inventory Control function supervises the material forecast to ensure that the
supply chain of parts to Maintenance and Engineering at the selected locations is
adequate (just-in-time), and AOG situations do not happen due to lack of parts.

20.4.2 Procurement

The Procurement function is responsible for purchasing material attending to

specifications, cost, delivery times, warranty, etc.
The Procurement function should ensure that the material is certified to be fitted
or used on the aircraft for which the purchase is intended. It includes a docu-
mental review (EASA Form 1, FAA Form 8130–3, Certificate of Conformance or
equivalent).
The Procurement responsibilities may be segregated in regard to the fleet type and
the area of expertise (by ATA or ATA groups), e.g., Aircraft Systems, Power plants,
Aircraft Structure, and Cabin items.
20.4 Supply Chain and Material Support 249

20.4.3 Stores

The Stores function is responsible for maintaining the integrity of the material and
issuing and exchanging it with the mechanics. The Stores function should define
the procedures to receive material, including a physical and documentary incoming
inspection.
The Stores function ensures that material that requires to be stored under certain
conditions (Electrostatic Sensitive Devices (ESD), flammable items, oxygen, etc.) is
properly addressed.
The Stores function controls the Shelf Life of the stored items and any maintenance
that may require before their dispatch.
Rotable components and repairable parts and equipment/tools are usually avail-
able on exchange basis and managed by the Component Repairs Function.
Tools/Equipment is usually available on loan basis and should be returned to the
Tool/Equipment stores once the activity for which they are issued has been completed.
The Stores function is responsible for controlling that the maintenance required for
Tools/Equipment (test, calibration, servicing, etc.) is addressed.
The Store area must have provisions to segregate serviceable from unserviceable
components, parts, and equipment/tools.

20.4.4 Component Repairs

The Component Repairs function manages the life cycle of aircraft rotable or
repairable parts, equipment, and tools.
These items are available on exchange basis: the mechanic returns the unservice-
able component subject of workshop maintenance or defective part to the Component
Repairs function in exchange of a new/overhauled/refurbished/repaired part, and the
Component Repairs function manages the routing of the unserviceable item to the
Workshop (in-house or outsourced).
The Component Repair process works side by side with the Warranty and
Insurance function.

20.4.5 Warranty and Insurance

The Warranty and Insurance function identifies if there is any warranty or insurance
associated with the defective items returned by the mechanics.
If the part is under a warranty period or is associated with an insurance, it is
addressed to the warranty holder or through the insurance holder for repair.
250 20 The Engineering and Maintenance Organization

20.5 Oversight Functions: Compliance Monitoring/quality

and Safety

Oversight functions are those responsible for surveilling that the regulatory require-
ments are complied with by the operator and subcontracted organizations. The over-
sight functions responsibility of the operator are the Quality System/Compliance
Monitoring, the Aircraft Review Certificate (ARC) (only required by EASA), and
the Safety Management.
These functions are dependable from the Accountable Manager and must be
independent of other interests.
Although the Quality and Safety Systems may oversee all the organization, their
functions can be segregated, e.g., Quality System into Quality Engineering Support
and Quality Maintenance.
Subcontracted organizations, that may have their own oversight functions, must
still be surveilled by the operator.
In the hypothetical case of the medium to large Engineering and Maintenance
organization presented in this chapter, the oversight function considered surveils all
the other functions.

20.6 Training

The Training function provides the training courses and practices that are required
for the Engineering and Maintenance organization staff.
In this organization, training may be required for all the staff managing the
continuing airworthiness or the maintenance of the aircraft (such as training on
Safety Management Systems, EWIS, Fuel Tank Safety, Human Factors and refresher
courses), be a requirement for specialized positions (such as aircraft or engine
familiarization courses), or be a requirement for the issuance of an authorization.
The most relevant authorization under this chapter is the one to perform
maintenance on the aircraft.
The requirements for licensing certifying staff are detailed in the Part-66 (EASA)
and Part-65 (FAA). However, it is the Engineering and Maintenance organiza-
tion, usually through the Compliance Monitoring/Quality function, which provides
authorization to make use of that license on its aircraft.

20.7 Others

Certain functions that are not derived from the rules may be an added value to the
entire organization, e.g., Process Analysis and Improvement or Innovation. These
are extra functions that look not only for conformance but for safer and more
20.7 Others 251

cost-effective processes. Organizations with Process Analysis and Improvement and

Innovation functions are at the forefront of the industry.
Large organizations may deploy delegates of the contemplated function into other
Engineering and Maintenance functions to ensure that best practices are adopted and
new necessities are addressed in the most innovative (cost-effective) way.
Innovation function should work side by side with IT Systems to bring new or
improved IT solutions.
Some improvement tools are detailed in Part 6.
Chapter 21
Interface of the Maintenance Program
with Other Functions

The Maintenance Programs function interfaces with most of the other Engineering
and Maintenance functions described in the previous chapter one way or another.
The process interfaces enable information to flow between activities; adequate
information transformation and information exchange become essential to fulfill
these interdependencies.
As it is detailed in the next Part 5 of this book, lack of communication and misun-
derstandings are potential hazards that could threaten the safe operation. Focusing
on the overall benefit of the organization, the interfaces between departments should
be given priority over short-term goals of each individual function.
The process approach interrelates the different functions to produce specific
outcomes allowing to effectively and efficiently achieve goals and objectives and
allowing continuous improvement. This subject is further detailed in Part 6.
When the interrelations between processes are appropriately defined beyond
timing and resources, on a more detailed interface management focused in commu-
nication, it is possible to provide a better overview of information flow that in
turn will provide the opportunities to identify performance indicators to support
the decision-making process and apply continuous improvement methods (see Part
6).
The Maintenance Program function often plays a coordinating role for many of the
Engineering and Maintenance activities, and the responsibilities of the AMP stake-
holders need to be defined over the short-term goals of the individual departments
for effective and efficient communication and collaboration. Table 21.1 summarizes
those main interactions.
When there is more than one fleet type or AMP, the MP functions should coordi-
nate for the standardization of processes and procedures. Requirements at component
level for Part Numbers that are common between the programs of several fleets should
be communicated and addressed by the affected MP functions.
On the other side, when the MP function for a specific fleet is segregated (systems,
components, powerplant, etc.), the necessary procedures for the assessment of the
source documents and their implementation should be established in order to avoid

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 253
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_21
254 21 Interface of the Maintenance Program with Other Functions

Table 21.1 Maintenance Programs main interactions with other E&M functions
Aircraft Asset Management
Maintenance Programs (MP) Aircraft Asset Management (AAM)
Support the aircraft phase-out programs, Provide the Delivery Technical Records to MP
including End Of Lease (EOL) through Technical Records
Demonstrate compliance status as required Act as the main point of contact with the
in the Leasing contract seller/lessor
Engineering Services
Maintenance Programs (MP) Technical Publications (TP)
Submission of the AMP to TP for its control Provide the latest revisions of the AMP source
and distribution documents to the responsible staff of the MP
Identify new AMP source documents and function
address them to TP for control
Maintenance Programs (MP) Technical Records (TR)
Address deficiencies/discrepancies found in Ensure the maintenance records comply with the
the Technical Records requirements established in the AMP
Maintenance Programs (MP) Technical Services (TS)
Request technical advice to TS when high Request to incorporate/revise repetitive
level of expertise is required requirements derived from the analysis of ADs,
Coordinate with TS the development of SBs, SLs, modification/repairs, or from repetitive
Work Scopes actions derived from the Reliability Program in
the AMP
Inform MP about any action that may impact the
scheduled maintenance
Maintenance Programs (MP) Reliability
Request the analysis of in-service data and Request to implement corrective actions derived
support from the Reliability function when from the analysis of in-service data, e.g., a new
there are changes in the source document requirement or de-escalation of the interval of an
requirements existing AMP task
Maintenance Programs (MP) Maintenance Planning and Scheduling
(MP&S)
Changes on the Maintenance Check concept Request deviation from the AMP defined
or intervals require MP&S agreement intervals under unforeseen circumstances
(Permitted Variation or Exceptional Short-term
Extension)
Maintenance Programs (MP) IT systems
Assist IT Systems to develop new solutions Coordinate software upgrades or the
implementation of new IT solutions that may
impact the AMP
Maintenance
Maintenance Programs (MP) Production Planning and Control (PP&C)
Provide assistance for AMP Documental Provide adequate in-service data (findings,
discrepancies, e.g., derived from the non-routine maintenance, etc.) that is analyzable
misalignment of MPD/AMM revision cycle by the Reliability Program function in order to
Provide List of new AMP tasks for review identify adverse trends
(continued)
21 Interface of the Maintenance Program with Other Functions 255

Table 21.1 (continued)

Maintenance Programs (MP) Maintenance Control Center (MCC)
Provide assistance during Aircraft On Request Permitted Variation or Exceptional
Ground (AOG) situations related to the AMP Short-term Extension, usually processed through
Maintenance Planning
Maintenance Programs (MP) Line/base maintenance
Interfaces through PP&C Interfaces through PP&C
Maintenance Programs (MP) Workshops
Provide assistance for component Work Provides adequate in-service data (findings, shop
Scoping reports, etc.) that is analyzable by the Reliability
Program function in order to identify adverse
trends
Supply chain and material support
Maintenance Programs (MP) Inventory Control and Procurement
Provide List of new material, equipment, and Adjust the provisioning of material, equipment,
tools and tools derived from the AMP revision
Maintenance Programs (MP) Stores
Assist with component storage requirements Request assistance on component storage
requirements
Maintenance Programs (MP) Component repairs
Coordinate changes to rotatable component Request assistance on component repairs and
requirements Work Scopes
Maintenance Programs (MP) Warranty and Insurance
Provide assistance with warranty or Request assistance on warranty or insurance
insurance issues issues
Oversight functions
Maintenance Programs (MP) Compliance Monitoring (CM)/Quality (QA)
Provide assistance during AMP audits Surveil that the AMP complies with the
applicable regulations and the policies and
standards of the organization
Maintenance Programs (MP) Aircraft Review Certificate (ARC) (EASA)
Provide AMP status, demonstrating Ensures compliance with the AMP
compliance, and assist during the ARC
process
Maintenance Programs (MP) Safety Management
MP, as part of the organization, is under the Ensure the safety standards derived from the MP
Safety Management System (SMS)
Training
Maintenance Programs (MP) Training
Propose MP training Provide training to MP staff
256 21 Interface of the Maintenance Program with Other Functions

any error or omission. In the same way, the implementation of specific projects into
the AMP, such as an Evolution/Optimization exercise, should also be appropriately
defined through the corresponding procedures.

21.1 Service Level Agreements (SLA)

A Service Level Agreement (SLA) is an accord between two or more stakeholders

to deliver the output of a process under stipulated specifications and times.
In order to comply with the requirements established by each Engineering and
Maintenance function, the internal SLAs provide the right tool to compromise
deliverables. It is usual that SLAs are integrated within the organization procedures.
In regard to the Maintenance Programs function, these are some SLAs examples
that may be agreed:
• Technical Publications (TP) to release the source documents of the AMP within
a timeframe (days) after their publication in the manufacturer website and in a
specific format and under a defined process or IT tool.
• Maintenance Programs (MP) to submit the AMP to Technical Publications within
a timeframe (days) after its approval in a specific format and under a defined
process or IT tool.
• Technical Records (TR) to record the reliability data in a specific format and under
a defined process or IT tool.
• Technical Services (TS) to provide the analysis of AD, SB, SL, modifica-
tions/repairs within a timeframe (days) after they are issued in a specific format
and under a defined process or IT tool.
• Reliability to provide a corrective actions list affecting the AMP on periodic basis
(monthly), in a specific format and under a defined process or IT tool.
• IT Systems to notify in advance within a defined timeframe (weeks) of any
scheduled IT maintenance action.
• Maintenance Programs to solve a Permitted Variation/Exceptional Short-term
Extension within a timeframe (hours) after request.
• Maintenance Programs to submit new tasks to Production Planning and Control
and Inventory Control within a timeframe (weeks) before AMP approval in a
specific format and under a defined process or IT tool.
There are plenty of processes within the Engineering and Maintenance organiza-
tion that should be defined under specific agreed terms for the correct functioning of
the organization.
Chapter 22
Impact of the AMP Revision
on the Organization

The impact of an AMP revision on the Engineering and Maintenance organization

should be assessed as part of the development of such revision. Certain changes that
may modify certain resources requirements (e.g., for qualified staff, material, tools,
equipment, or facilities) should be taken into consideration and analyzed before an
AMP is submitted for approval. Coordination with the Maintenance functions is
essential to avoid any possible future disruption.
While the escalation or deletion of AMP tasks is looked for and welcomed by
the whole organization, new or de-escalated task may cause an impact that should
be acceptable by the affected functions; e.g., Line Maintenance should have or be
provided to have the capability and resources to perform Base/Heavy Maintenance
de-escalated tasks.
Large AMP changes, usually undertaken during major revisions, may require
some sort of resources adaptation by the maintenance functions in order to be accept-
able, e.g., the Capacity Planning may be affected (additional resources or transfer of
resources between Line and Base Maintenance, or vice versa), Material Planning,
etc.
The elements of an AMP task that should be taken into consideration for the
impact assessment are:
• Maintenance Check: in which Maintenance Check is or is intended to allocate the
AMP task and Bridge Program requirements.
• Maintenance Environment: which environment is required to accomplish the task,
Line or Base/Heavy.
• Critical Maintenance Tasks (CMT)/Identical Tasks or Required Inspection Items
(RII).
• Man-hours and Skills: the workload and skills required to accomplish the task.
• Materials, equipment, and tools.
• Facilities: availability of facilities.
• Maintenance documentation: new maintenance documentation may require
further assessment by PP&C.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 257
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_22
258 22 Impact of the AMP Revision on the Organization

• Phase-out conditions: special attention should be given to the End Of Lease (EOL)
contracts. For example, the efforts of the implementation of an Escalation or
Evolution/Optimization exercise may not make sense when there is no opportunity
to take benefit before the aircraft phase-out.
The Maintenance organization usually has the processes in place to absorb small
changes derived from the AMP revision, e.g., Capacity and Material Planning proce-
dures, the Reliability Program, etc.; however, it is recommendable to address the
requirements of new AMP tasks to the affected functions for their assessment, e.g.,
• List of new AMP tasks to PP&C, including tasks requiring specialized techniques
and skills, e.g., NDT tasks.
• List of new material, equipment, and tools to Inventory Control.
• List of intended deleted and escalated tasks that may adversely affect the reliability
to the Reliability function.
Big AMP changes, such as Maintenance Check interval revision due to MRBR
revision or an Evolution/Optimization exercise, should be presented to the affected
functions in advance of the approval for a comprehensive assessment.
Appendix A provides guidelines to compute the cost of an AMP revision. It may
be interesting for budgeting functions.
 Part V
Safety Management

In the early days of aviation, the still not developed regulatory systems and the
emerging basic technology was not sufficient to avoid the increasing aircraft acci-
dents. Basically, the investigations of such accidents were the principal means of
prevention; technological improvements and an increased regulatory activity led the
aviation industry to be the more regulated but also the safest mode of transportation
since the 1950s.
The understanding of aviation safety was based on regulatory compliance and
oversight, but the complexity of the operations did not provide enough guidance to
cover all the possible scenarios. As we have seen in the “Lessons Learned” boxes
throughout the Part II of the book, the recommendations of the aircraft accident
investigation bodies have modeled the today‘s aviation regulations: protection of
hazards derived from technical factors such as EWIS, lighting, high intensity radi-
ated fields, ignition sources, fuel tank flammability, accidental and fatigue damages,
environment, aircraft separation, and aircraft extended diversion times.
If the evident cause of an accident was not technological failure, the “safety rules
breakers” took all attention. The safety concerns derived from those investigations
were addressed at the specific, but the understanding of hazards was not comprehen-
sive, e.g., if an aircraft was not able to reach an alternative aerodrome after an engine
failure, diversion times were established for two–engine aircraft and full stop.
By the 1970s, after major technological advancements, the technical factors took
a secondary role and human factors became the focus of safety. The industry efforts
concentrated on the intent of minimizing the effects of individual human errors that
needed to be under control.
In the 1990s, a new philosophy arose from a better understanding of hazards:
individuals do not work on their own but in the context of an organization. Since
then, safety is regulatorily viewed from a systemic point of view that encompasses
technical, human, and organizational factors.
In addition to mandatory reporting of certain occurrences, voluntary reporting
systems arose at all levels, allowing that the identification of hazards and their
reporting would become everybody’s responsibility.
260 Part V: Safety Management

After the tragic events on September 11, 2001, in which four coordinated terrorist
attacks carried out by an extremist group ended with four passenger aircraft hijacked
and crashed into the World Trade Center towers in New York city, the Pentagon and
a field in Pennsylvania, the focus jumped into the security aspects of the entire air
transport system. Regulations evolved to mitigate the effects of security on safety.
While new threats arise, specially in the cybersecurity areas due to increased
digitalized systems and aircraft on-board electronic networks, the requirements also
mature to ensure that cyber risks are taken into account during the design of the
aircraft and its operation.
The requirement for Aviation Security Management Systems, including the
management of information, is requiring urgent attention, and the main regulators
are working against the clock to achieve an structured approach that minimizes the
effects of security risks.
This chapter focus in the already matured requirements, introduces the Human
and Organizational factors as sources of errors, some of the models and tools for the
analysis and understanding of the interactions of such factors with other components
of the aviation system (SHELL, PEAR, Dirty Dozen and Reason’s models), and
the safety strategy cascaded down from the ICAO Annex 19 – Safety Management
SARPs (State Safety Programs (SSP) and Safety Management Systems (SMS)).
For further details about one of the main elements of the safety risk manage-
ment component of the SSP, the Aircraft Accident Investigation process, refer to
Appendix II.
Chapter 23
Hazards and Safety Risks

The core processes of safety management are hazard identification and safety risk
management. Both concepts can be confused if not properly defined.
Hazard is the condition with the potential to cause injuries to people, damage
to equipment or structures, loss of material, or reduction of ability to perform a
prescribed function.
Hazards can be classified into two types:
• Latent conditions are present on the system but are not perceived as harmful,
e.g., operation over safety, poor communication, or poor management decisions.
• Active failures: actions or inactions with an immediate adverse effect, e.g., errors,
deviations from the described procedures or violations.
Hazards can be reactively identified after an accident or incident happens, or
through proactive and predictive processes to identify hazards before a safety event
occurs, e.g., flight data analysis, voluntary reporting systems, safety surveys, audits,
trend monitoring, etc.
The Accident Triangle theory, usually associated with an iceberg (Fig. 23.1),
shows the relation between accidents, serious incidents, minor incidents, and latent
conditions. The theory proposes that if the number of latent conditions is reduced,
there will be a corresponding fall on the number of accidents.
The Guidance on Hazard Identification1 document, developed by the Euro-
pean Commercial Aviation Safety Team (ECAST), details the hazard concept
within a safety risk management framework and identifies a number of tools and
techniques for its identification: brainstorming, Hazard and Operability Studies
(HAZOPS), Checklists, Failure Modes and Effect Analysis (FMEA), Structured
What-If (SWIFT), Dynamic Models and Future Hazards Identification through the
FAST method.

1Guidance on Hazards Identification. ECAST—Safety Management System and Safety Culture

Working Group (SMS WG), March 2009.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 261
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_23
262 23 Hazards and Safety Risks

Fig. 23.1 Illustration of the

Accident Triangle theory
Accidents
1-5

Serious incidents
30-100
Minor incidents
100-1000

Latent conditions
1000-4000

A Safety Risk is the probability and severity of the consequences or outcomes of

a hazard.
It is usual that the Safety Management Systems jump from identifying hazards
directly to mitigation and bypass the evaluation of the safety risks of the consequences
of hazards. However, Safety Risk Management becomes necessary for assigning
priorities effectively and allocates resources between all assessed safety risks.
The assessment of the risks associated with the hazards and the implementation
of mitigation measures to reduce the risks to an acceptable level is represented in
the Bow-Tie diagram (Fig. 23.2). The Bow-Tie methodology consists of the risk
scenarios around a certain hazard and the ways in which the organization stops
those scenarios from happening. It is a multipurpose tool that is used to analyze risk
scenarios, show their potential costs, manage safety accidents/incidents, or perform
Root Cause Analysis (RCA). The method is further detailed in the Root Cause
Analysis methods in the Sect. 28.1.3.
Safety Risk Management requires to assess if the safety risks are acceptable or
not and if the safety risks can be mitigated or not. It is usually determined through
a defined Safety Risk Assessment Matrix (Fig. 23.3) that is used to assign a Risk
Index based on the severity of the risk (e.g., catastrophic, hazardous, major, minor,
or negligible) and its probability (e.g., from extremely improbable to frequent).
When the mitigation actions may reduce the safety risk to an acceptable level,
a Return on Investment (ROI) or Cost–Benefit Analysis (CBA) of the mitigation
23 Hazards and Safety Risks 263

Fig. 23.2 Bow-Tie diagram

Fig. 23.3 Safety Risk Assessment and Safety Risk Tolerability Matrixes

becomes necessary. If a safety risk is unacceptable or the mitigations means are not
cost-effective, the operation must be canceled.
The Modification Embodiment Policy presented in Sect. 8.4 represents a good
example when the safety risks are derived from technological factors; a DAH iden-
tifies hazards that may affect the airworthiness of the aircraft and propose solutions;
then the operator assesses the associated safety risks, including a Return On Invest-
ment (ROI) or Cost–Benefit Analysis (CBA) to justify the decision to embody or not
to embody the proposed solution.
Chapter 24
Human Factors

Detailing the introduction of this part, in the early days of aviation, about 80% of the
accidents were caused by technical factors and about 20% by human factors. The
Human Factors took special relevance during the 1970s when the aviation industry
realized that human errors were underlying most of the aircraft accident and incident
rather than technical failures.
During that decade, the SHELL model was developed as a simple conceptual
tool for the analysis of the interactions of the human with other components and
features of the aviation system: Software, Hardware, Environment, and Liveware.
On December 28, 1978, the flight crew of the United Airlines Flight 173 became
so absorbed with the diagnosis of the landing gear failure that aborted the landing
procedure but failed to monitor their fuel state, ending with the aircraft crashed. The
accident triggered the requirement for the Crew Resource Management (CRM)
training for flight crew and other personnel essential to flight safety.
The error percentage terms (80% technical, 20% human factors) were inter-
changed progressively until the 1990s: the advanced reliability of the aircraft and its
components reduced the percentage term of accidents attributed to technical factors
to 20%, but the increased complexity of aircraft systems and organizations raised
human factors to 80%.
As the CRM emerged from a tragic event, the same happened with the Aloha
Airlines Flight 243 that led to the requirement for a Maintenance Resource Manage-
ment (MRM) training. MRM initially supposed an adaptation of the CRM to the
aircraft maintenance.
On March 10, 1989, the Air Ontario Flight 13631 was not able to attain sufficient
altitude to clear the trees beyond the end of the runway, due to the heavy ice and snow
accumulated on the wings. The APU had been inoperative and one engine had been
running to provide the aircraft with electrical power while on ground, not allowing

1 Final Report—Commission of Inquiry into the Air Ontario Crash at Dryden, Ontario. Commis-
sioner Virgil P. Moshansky by order in Council, 1992.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 265
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_24
266 24 Human Factors

to perform the de-icing procedures. The aircraft crashed and turned into fire, killing
24 of its 69 occupants.
In 1993, Gordon Dupont, an experienced Aircraft Maintenance Engineer and
Aircraft Accident Investigator, while working for Transport Canada, developed a
Human Factors training program for maintenance derived from the recommendations
of the Moshansky report (investigation of the Air Ontario Flight 1363 accident). To
follow up on the training program, Dupont developed a set of Dirty Dozen Safety
posters. During his years of experience, he had realized that every accident he had
investigated seemed to have the same preconditions in common.2
During the 1990s, the FAA developed the PEAR model (People, Environment,
Actions, Resources) with human factors on aircraft maintenance in mind. Although
the content is basically the same, the PEAR modeled the human factors with less
abstract terms than the SHELL model.
The Reason’s model (Swiss Cheese model) for accident causation would also
appear at the beginning of the 1990s to relate Human Factors and organizational
factors, supervision, preconditions, and specific acts. It is covered in Chap. 25
Organizational Factors.

Lesson Learned—Human Factors

The three shocking cases presented below expose common human factors that
ended or may have ended in severe consequences.
Continental Express Flight 2574 (Eagle Lake)—In-flight Breakup
On 11 September 1991, the Continental Express Flight 2574 operated with
an Embraer EMB120 between Laredo and Houston, Texas, broke up during
descent over the Eagle Lake area, and crashed, killing all the 14 occupants.
The leading edge of the left horizontal stabilizer separated from the airframe
leading to an aerodynamic stall; nose-down pitching the left wing failed and
released fuel, cause of fire, and the right wing tip detached from the aircraft. The
horizontal stabilizer and left engine separated and the aircraft was uncontrolled
until the impact.
The investigation carried out by the NTSB3 revealed that the 47 screw
fasteners that would have attached the upper surface of the leading edge
assembly for the left side of the horizontal stabilizer were missing.
The night before the accident, it was scheduled the replacement of the
leading edge deice boots of the left and right horizontal stabilizer. Normally, the

2 Meeting 11: Human Error in Aviation Maintenance. The Dirty Dozen Errors in Maintenance (pg.
45–49, Gordon Dupont). FAA Office of Aviation Medicine, 1997.
3 Aircraft Accident Report—Continental Express Flight 2574 In-Flight Structural Breakup, EMB-

120RT, N33701. NTSB. 21 July 1992.

24 Human Factors 267

old boots are stripped from the leading edge, the deice lines disconnected, the
leading edge removed, a new boot bonded on, and the leading edge reinstalled.
During the evening shift, two mechanics removed most of the right leading
edge bottom screws while the inspector removed the attaching screws from the
top of both the right and the left leading edges.
The corresponding entry was made in the turnover sheet but the incoming
midnight shift inspector reviewed the sheet before it was made. The midnight
shift removed the right leading edge, bonded a new boot, and reinstalled it.
The removal of the left leading edge was deferred to be made on another night,
and the midnight shift did not notice that the work on the left side had already
been started.
Between other conclusions, the NTSB pointed that the work on the hori-
zontal stabilizer leading edge had not been identified as an RII and recom-
mended the FAA to review the regulations, policies, and practices related to
RII.
On 9 December 1992, 15 months after the accident, another Continental
Express EMB120 was involved in an incident; after takeoff, the crew noticed a
vibration through the airframe and control column and returned to the departure
airport. The investigation revealed that 14 screws were missing from the left
upper aileron vane, result of being partially removed during maintenance and
the failure of the quality control inspector to detect it.
British Airways Flight 5390—the Miracle of the Captain Sucked out of
the Cockpit
On 10 June 1990, the BAC One-Eleven aircraft operated as British Airways
Flight 5390 between Birmingham, UK, and Malaga, Spain, suffered and explo-
sive decompression. At 17,300 feet, the left windscreen of the cockpit was
blown out and the pilot in command was partially sucked out of his wind-
screen. His legs were caught on the flight controls; the cabin crew restrained
him while his torso remained outside of the aircraft during the 20 min of emer-
gency descent carried out by the copilot. Apart from the fractures, the frostbite,
and the shock of the pilot in command, no other serious injuries occurred.
268 24 Human Factors

Fig. 24.1 British Airways Flight 5390 windscreen. Photo via Solo Syndication

The investigation led by the UK Air Accident Investigation Branch

(AAIB)4 determined that the main cause of the accident was the replacement of
the left windscreen prior to the flight, in which 84 out of a total of 90 securing
bolts were of smaller than the specified diameter.
The left windscreen had been changed during the night shift of the previous
day due to noted cruise darkening and bubbling. The shift maintenance
manager, with 33 years of experience, removed the windscreen and decided to
replace the bolts that presented signs of corrosion or that had been damaged
during removal.
The shift manager took one of the bolts and went to the stores to identify
it, by comparison, omitting the identification through the Illustrated Part Cata-
logue (IPC). He identified P/N A211-7D while the windscreen should have
been fitted using A211-8D. Because of their small size, the bolts did not have
identification, and when he noticed that there were not enough A211-7D bolts,
he picked A211-8C bolts that were visually equal. The shift manager required
glasses for close work as he had difficulties reading small prints or figures,
especially at night, but he did not use it while performing the windscreen
replacement.
He fitted the windscreen using 84 of the A211-8C bolts, that were smaller
in diameter, and 6 of the A211-7D bolts, that were of the same diameter but
shorter.

4Aircraft Accident Report 1/92 on the Accident to BAC One-Eleven, G-BJRT over Didcot,
Oxfordshire. Air Accidents Investigation Branch (AAIB), February 1992.
24 Human Factors 269

Additionally, the windscreen replacement was not identified as requiring a

duplicate inspection to cover possible safety–critical situations caused by
servicing errors.
The AAIB pointed the eroded potential of the shift manager to achieve
quality in the windscreen fitting process as one of the causal factors of the
accident: inadequate care, poor trade practices, failure to adhere to company
standards, and use of unsuitable equipment.
Continental Airlines Flight 1515—a Mechanic Ingested by an Engine
On 16 January 2006, the Continental Airlines Boeing 737 operated as Flight
1515, while waiting for a leak check detected by the flight crew at El Paso
International Airport, Texas, a mechanic stepped into the inlet hazard zone and
was ingested by the engine and shredded.
The NTSB investigation revealed the failure of the mechanic to maintain
proper clearance with the engine intake during a jet engine run, and the failure of
contracted maintenance personnel to follow written procedures and directives
of the airline’s maintenance manual.

Fig. 24.2 CFM56-3 Engine on a Continental Airlines B737-524. Photo by Ken Iwelumo

The flight crew had discovered an oil leak on the right engine during the
preflight inspection and the airline station staff called contract maintenance
to investigate it. Three mechanics from the contract maintenance attended the
call and started the job without the specific procedures and authorizations that
were required under the airline’s procedures, despite the airline’s controller
attempted to contact them for such subject.
270 24 Human Factors

The mechanics opened both sides of the engine fan cowls and requested the
captain for an engine run to check for the source of the leak. One mechanic
positioned on the inboard side of the engine, other on the outboard side and
the third mechanic clear of the engine because it was part of his On the Job
Training.
A small leak was appreciated and one of the two mechanics around the
engine requested the captain to run the engine at 70% power to conduct further
checks that were initiated after verifying with the mechanic that the area was
clear.
The mechanic on the outboard side of the engine stood up, stepped into the
inlet hazard zone and the engine ingestion happened. The captain immediately
stopped the engine run.
The mechanic that was fatally injured had worked for the contract main-
tenance for more than 10 years, had been certified for 40 years and received
maintenance training from the airline, except specific training regarding ground
engine runs and associated hazards.
The other mechanic stated that maintenance instructions were not needed
for the engine run because engine oil leaks were a common occurrence and
because of his past experience as a mechanic.

24.1 Human Factors Modeling

Human performance modeling serves to investigate and analyze Human Factors by

targeting training and prevention efforts. The objective of the models is to understand
the underlying causal factors that lead to an accident/incident.5

24.1.1 The Shell Model

The SHELL model helps to visualize the interrelationships amongst the human
(Liveware) with the rest of components and features of the aviation system (Soft-
ware, Hardware, Environment, and Liveware). It does not cover interfaces outside
Human Factors (hardware–hardware, hardware–environment, software–hardware,
software–environment, etc.).
The humans (Liveware) are at the center of the model. Because the human perfor-
mance is variable, some factors that affect the individual performance makes rough
the edge of the block: physical factors (strength, vision, hearing, etc.), physiological

5Aviation Maintenance Technician Handbook—General (Chapter 14 Human Factors). FAA, Flight

Standards Service. 2018.
24.1 Human Factors Modeling 271

Fig. 24.3 SHELL model

(oxygen availability, health, stress, fatigue, drugs, etc.), psychological (adequacy

of training, experience, workload, etc.), and psycho-social factors (interpersonal
conflicts, personal problems, etc.).
Interfaces of the Liveware with the other aviation system components
Liveware–Hardware (L–H). It is the interface of the human with technology, e.g.,
design of seats to fit the sitting characteristics of the human body or displays to match
the sensory and information processing characteristics of the user. The human tends
to adapt to L–H mismatches, which can mask deficiencies that only become evident
after an occurrence.
The rough edge between both components is minimized with ergonomics, a
process to design or arrange workplaces to fit the people who use them.
In the cockpit, ergonomics is applied since the design phase. For example, CS/FAR
25 requires that “each pilot compartment must be arranged to give the pilots a
sufficiently extensive, clear, and undistorted view, to enable them to safely perform
any manoeuvres….”
Liveware–Software (L–S). It is the relationship between the human and the
supporting systems found in the workplace, e.g., regulations, manuals, procedures,
computer software, etc.
The edge between both components is minimized by a user-friendly design of
documentation and software: simple and standardized vocabulary, phraseology and
formats, accuracy, and clarity.
As an example, EASA Part-M and Part-145, in order to minimize the errors that
could be made by technicians, require that “maintenance tasks are transcribed onto
the work cards or worksheets and subdivided into clear stages to ensure a record of the
accomplishment of the maintenance task, differentiating, when relevant, disassembly,
accomplishment of task, reassembly and testing.”
Rules to develop regulations, manuals, procedures, etc., are specified in the
aviation regulations at all levels.
272 24 Human Factors

Liveware–Liveware (L–L). The interface between humans plays a role in deter-

mining their performance: flight crew, air traffic controllers, maintenance engineers,
etc.
The advent of Crew Resource Management (CRM) and its extension to main-
tenance, Maintenance Resource Management (MRM), focus on the interactions
amongst humans at different levels of the aviation system. Relationships between
staff and management, corporate culture, operating pressures, and other factors that
can significantly affect human performance are within the scope of L–L.
Liveware–Environment (L–E). Relations between the human and internal/external
environments. Internal environment refers to physical considerations such as light,
temperature, noise, vibration or air quality, and external environment refers to things
such as weather or turbulences.
The adequate physical facilities can be highly influenced by the local financial
situation and the effectiveness of the regulations, which may create pressures to
take shortcuts, inadequate infrastructure, and may also compromise the quality of
decision-making.
Both EASA and the FAA incorporate rules to minimize the L–E edges, e.g., EASA
Part-M requires that “any person or organization performing maintenance shall
ensure that proper facilities are used in case of inclement weather or lengthy main-
tenance” or FAA Part-145 requires that “each certificated repair station provides
ventilation, lighting, and control of temperature, humidity, and other climatic condi-
tions sufficient to ensure personnel perform maintenance, preventive maintenance,
or alterations to the standards required.”
The SHELL model is considered in the ICAO framework and in the Acci-
dent/Incident Data Reporting (ADREP) taxonomy, the current international standard
for aviation accident/incident databases, and consequently in the European Coordi-
nation Centre for Accident and Incident Reporting Systems (ECCAIRS) database
(see Sect. 26.3 for further details).

24.1.2 The Pear Model

The PEAR model was developed by the FAA to recall the four considerations for
assessing and mitigating Human Factors in aviation maintenance: People, Environ-
ment, Actions, and Resources. The PEAR modeled the human factors with less
abstract terms than the SHELL model, although the content was basically the same.
The model is used by the FAA and other Civil Aviation Authorities for their
Maintenance Human Factors training.
Components of the PEAR model
People who do the job. The same factors related to the Liveware component of the
SHELL model are considered in the PEAR: physical, physiological, psychological,
and psycho-social factors.
24.1 Human Factors Modeling 273

Environment in which they work. The environments considered are the physical
(weather, location inside/outside, workspace, shift, lighting, sound level, safety) and
the organizational (staff, supervision, labor-management relation, pressures, crew
structure, size of the company, profitability, morale, corporate culture).
Actions they perform to complete tasks: steps to perform tasks, sequence of
activity, number of people involved, communication requirements, information
control requirements, certification requirements, knowledge requirements, skill
requirements, inspection requirements, etc.
Resources necessary to complete the job. A resource is anything the person
performing the task needs to get the job done: procedures/workcards, technical
manuals, other people, test equipment, tools, computer/software, paperwork/sign-
offs, ground handling equipment, work stands and lifts, fixtures, materials, task
lighting, training, quality systems, etc.

24.2 The Dirty Dozen

The Dirty Dozen is the twelve most common human errors conditions or precon-
ditions that can act as precursors to accidents or incidents: Lack of communication,
Complacency, Lack of Knowledge, Distraction, Lack of Teamwork, Fatigue, Lack
of resources, Pressure, Lack of Assertiveness, Stress, Lack of Awareness and Norms.
The Dirty Dozen has become a cornerstone of Human Factors to introduce human
error accident precursors and is widely used in training. However, for a more compre-
hensive list of human error accident precursors, it is necessary to attend more detailed
guidance, e.g., ICAO Circular 240 Investigation of Human Factors in Accidents and
Incidents, or more specialized guidance, e.g., ICAO Human Factors Guidelines for
Aircraft Maintenance Manual (Doc 9824).
Numerous modifications and customizations to the Dirty Dozen list have been
produced by the aviation industry; for example, Hawker Pacific Aerospace (HPA)
expanded the Dirty Dozen to the “Filthy Fifteen” in its Human Factors training to
incorporate three more human performance issues: Not Admitting Limitations, Lack
of Operational Integrity, and Lack of Professionalism.
I introduce here my Dirty Dozen Number Zero: Optimism Bias. Optimism Bias
refers to the mistaken belief that oneself is less exposed to commit an error or that
the consequences of a personal error would not be catastrophic. It is like: It will not
happen to me! People tend to think that unlikely events, such as an aircraft accident,
cannot be derived from their actions or inactions. Optimism Bias acts together with
each element of the Dirty Dozen and is likely the most difficult to reduce or eliminate,
although experts show that experiencing certain events can reduce it.
Since the Dupont’s Dirty Dozen posters, conceived originally for aircraft main-
tenance, the list has found its way to introduce human errors into all areas of the
aviation industry: flight crew, air traffic controllers, etc.
274 24 Human Factors

The following paragraphs introduce the Dirty Dozen, referring to some of the
accidents/incidents detailed in the “Lessons Learned” boxes detailed throughout the
book.
Dirty Dozen List:
1. Lack of Communication
2. Complacency
3. Lack of Knowledge
4. Distraction
5. Lack of Teamwork
6. Fatigue
7. Lack of Resources
8. Pressure
9. Lack of Assertiveness
10. Stress
11. Lack of Awareness
12. Norms.
Accidents/incidents do not occur from a single cause and so happens with their
precursors; the Dirty Dozen components are interrelated and accidents/incidents
usually involve several conditions. Additionally, the Dirty Dozen is better understood
in the context of the organization; for a comprehensive assessment of the overall
situation, human factors must be assessed together with technical and organizational
factors.

24.2.1 Lack of Communication

Failure to transmit, receive, or provide enough information to complete a task is a

key human factor. With verbal communication, usually what others remember is the
first and the last part of what it is said. It is estimated that only about 30% of a verbal
message is received and understood.
The aviation industry is multicultural, and special attention must be given not to
misunderstand or misinterpret messages.
The typical scenario where communication is critical and can cause issues is
during shift change at maintenance. A job that has been partially accomplished is
transferred from the technician finishing his duties to the technician starting his duty.
The regulations already reflect the importance of adequate communication
between outgoing and incoming staff and require a formalized process for exchanging
information between outgoing and incoming persons, a planned shift overlap, and a
place for such exchanges. It is required that communication is effective at the handing
over of the task: The outgoing person must be able to understand and communicate
the important and critical elements of the job, and the incoming person must be able
to understand and assimilate the information provided.
24.2 The Dirty Dozen 275

Continental Express Flight 2574 represents a good example of a maintenance

system with established handover procedures, but in which the communication failed;
the evening shift supervisor failed to effectively pass the information of the job
already performed to the midnight shift supervisor.
Communication occurs at all levels: between organizations (continuing airwor-
thiness, maintenance, design organizations, manufacturers, vendors, etc.), within
functions of the operator, and between staff within the same function.
Safety Nets:
• Never assume anything.
• For critical tasks, consider using more than one form of communication.
• Use logbooks, worksheets, etc., to communicate and remove doubt.
• Discuss work to be done or what has been completed.

24.2.2 Complacency

Complacency is the overconfidence, usually gained over time, from repeated expe-
rience performing a task. Although the term is usually used for auto-complacency,
when the overconfidence comes from personal experience, complacency may also
refer to overconfidence in a system, especially with automated systems (the company
procedures, the maintenance system, the maintenance software, etc.).
Complacency leads to take shortcuts, skip steps, or not follow procedures or
instructions.
British Airways Flight 5390 represents a useful complacency example in which
the shift manager was confident to install the windscreen with the bolts he believed
were those to be used, without the need of a crosscheck with the IPC.
Likely, the most relevant accident in which complacency was present is the Aloha
Convertible Flight 243 detailed in Chap. 7. An AD was requesting the inspection
of some lap joints, excluding those involved in the accident, and an eddy current
inspection of the entire panel where cracks were found, what would have revealed
the effects of Widespread Fatigue Damage in the area. The inspectors, with 22 and
33 years of experience, had visually detected cracks and accomplished two repairs,
but there was not documented eddy current inspection. Additionally, the investigation
revealed that a visual examination between both repairs would have detected evident
fatigue cracks emanating from the fastener holes. Despite the cracks and the repairs,
the inspectors also failed to assess further the SB related to the AD that recommended
the inspection of other lap joints in addition to those required by the AD, and that
included those lap joints which cracking caused the accident.
Although a person can be motivated to do a critical task very well, when it has to be
repeatedly performed, factors as boredom or task length can influence performance
reliability.
276 24 Human Factors

Safety Nets:
• Expect to find errors.
• Use Checklists.
• Train yourself to expect to find a fault.
• NEVER sign for anything you didn’t do.

24.2.3 Lack of Knowledge

Shortage of experience, training, information, or ability to successfully perform a

task is a potential hazard when no safety nets are provided.
The requirement for qualifications, relevant experience, and training is recognized
in the aviation regulations, as well as continuous training that is essential to keep up
to date with changing regulatory requirements, technology, systems, processes, and
procedures.
The most recent catastrophic examples in which Lack of Knowledge was involved
are the Boeing 737 MAX Lion Air Flight 610 and Ethiopian Airlines Flight 302,
detailed in Sect. 4.1.3, where the pilots did not know about the functionalities of the
new MCAS software that was designed to push the aircraft nose down under certain
flight conditions.
Safety Nets:
• Use current manuals.
• Ask when you don’t know.
• Participate in training.

24.2.4 Distraction

Anything that draws the attention away from the task at hand is a distraction: external
sources of distractions such as noises, immediate request for assistance or advice,
conversations, phone calls, messages, etc., but also internal sources of distractions
that may be derived from stress or fatigue.
Distractions are the cause for a big portion of all maintenance errors due to
forgetting things, including what has or has not been done.
In the emergency of the Air Canada Flight 143 known as Gimli Glider, related
in Sect. 9.1.4, the technician attempted a self-test of the fuel indication system by
resetting a circuit breaker but was distracted by the arrival of the fueller and forgot
to pull the circuit breaker again, so it remained activated. The distraction of the
technician was a contributor factor to the event that led the aircraft to run out of fuel
in flight.
24.2 The Dirty Dozen 277

Safety Nets:
• Use checklists.
• Mark the uncomplete work.
• Go back three steps when restarting the work.

24.2.5 Lack of Teamwork

Lack of Teamwork is characterized by the failure to work together to complete a

shared goal. Often tied with Lack of Communication or Assertiveness and with
unclear roles and responsibilities, Lack of Teamwork leads the individuals to work
by themselves and not to communicate with the rest of the team.
During the investigation of the Air France Flight 447 accident, detailed in
Sect. 9.3.3, the recording of the CVR suggested that while the pilot in command
was resting, failing to follow the crew resource management procedures, the two
copilots in charge of the aircraft were left with the uncertainty of who was in charge,
contributing factor to the catastrophic aircraft aerodynamic stall.
Teamwork is not only a matter of the individual attitude but should also be built
from effective management and leadership positions that are able to identify, promote,
and use the full potential of each person within the team.
The greatest detractor of Teamwork is negative politics that may shadow the
importance of a shared goal and make different teams or people within the same
team to work in different directions, typical of large organizations.
Safety Nets:
• Discuss what, who and how a task should be done.
• Make sure everyone understands and agrees.

24.2.6 Fatigue

Physical or mental exhaustion can threaten work performance. Fatigue is usually

derived from long periods of work or short periods of rest but can arise as a
manifestation of stress or lack of motivation.
In 2008, both pilots of the Bombardier CL-600 operated as Go! Flight 1002,
in a short flight between Hawaiian Islands, felt asleep. Despite the attempts of the
controllers trying to contact the flight crew, the aircraft passed over its destination
airport and continued for about 26 nautical miles until the captain woke up and
returned to the destination without further consequences for the flight. Both pilots
had fallen asleep during the midmorning hours, a time associated with wakefulness
and rising alertness; they were fatigued.
278 24 Human Factors

The Go! Flight is not an isolated case; a survey of the British Airline Pilot’s
Association (BALPA) showed that 43% had involuntarily fallen asleep in the cockpit,
and of those, 31% said that when they woke up the other pilot was also asleep.
Flight Crew and Maintenance staff are more prone to suffer fatigue due to irregular
duty times (nightshifts, rotating shifts, etc.) that may end with poor sleep.
Although aviation regulations are strict in regards to working times and rosters, at
the end is a personal responsibility to plan and make use of the rest periods provided
to minimize fatigue.
Safety Nets:
• Watch for symptoms of fatigue in yourself and others.
• Plan to avoid complex tasks at the bottom of your circadian rhythm.
• Sleep and exercise regularly.
• Ask others to check your work.

24.2.7 Lack of Resources

Lack or bad quality of qualified people, equipment, documentation, data, time, parts,
etc., can interfere with the ability to complete a task adequately.
When Lack of Resources is accompanied by Pressure to complete a task, it
becomes a time bomb. See the Air Transat Flight 236 example in the following
paragraphs.
Safety Nets:
• Order parts before they are required.
• Have a plan for pooling or loaning parts.
• Maintain a standard and, if in doubt, ground the aircraft.

24.2.8 Pressure

Real or perceived forces demanding high-level job performance may become a hazard
when they interfere to complete a task correctly. Pressure can come directly from
clients, the organization, a manager, the team, etc., due to the established resources
and deadlines. But Pressure can also be self-induced when ones take additional work
that cannot be handled.
Assertiveness is likely the most effective safety net to minimize pressure; a “No!”
in time may help not to compromise safety standards.
In the Air Transat Flight 236 incident related in Sect. 10.4, in which the aircraft
ran out of fuel in the middle of the Atlantic Ocean due to a fuel leak, there was
a component of time pressure to complete the work in time for a scheduled flight
and to clear the hangar for an upcoming event. Pressure also played a role when the
24.2 The Dirty Dozen 279

technician was not able to access the SB (resource) due to network issues and he
relied on MCC advice without consulting the document.
Safety Nets:
• Be sure the pressure isn’t self-induced.
• Communicate concerns, be assertive.
• Ask for extra help.
• Put safety first and learn just to say No.

24.2.9 Lack of Assertiveness

Lack of Assertiveness is the failure to speak up or document concerns about instruc-

tions, orders, or the actions of others: failing to speak when things do not seem right.
The opposite side is the aggressive behavior, which can be as harmful as the Lack of
Assertiveness.
In a positive way, Assertiveness is the ability to express your thoughts, opinions,
and needs in a productive manner. It is related to other Dirty Dozens, especially Lack
of Communication and Lack of Teamwork.
Management positions must be familiar with the behavior styles of the team they
supervise so they can use their best skills.
The British Airways Flight 5390 represents an example of Lack of Assertiveness
from the Stores Supervisor side. He had been in the job for about 16 years and
realized that the shift manager had wrongly identified the Part Number of the bolt as
A211-7D, so he informed him that the correct part number to install the windscreen
was A211-8D but did not press the point, ending with a pilot partially blown out of
an aircraft.
Safety Nets:
• Express concerns but offer positive solutions.
• Resolve one issue before addressing another.
• If it’s not critical, record it in the journey logbook and only sign for what is
serviceable.
• Refuse to compromise your standards.

24.2.10 Stress

Stress is a physical, chemical, or emotional factor that causes physical or mental

tension. There are two main types of stress: acute stress that relates to events and
pressures of the present such as emergency or time pressures, and chronic stress that
is built when a pressure situation is present during a longer period of time, leading
to anxiety or other symptoms of stress.
280 24 Human Factors

In the Aeroperu Flight 603 related in Sect. 9.3.1, the pilot in command hesitated
in taking decisions due to the acute stress of the moment and the excessive number
of alarms that contributed to the confusion and chaos. In the end, they did not know
what to pay attention to, and basically, they did not focus on the repetitive GPWS
alarms, neglecting the flight.
Certain level of stress can be helpful and motivating to get the things done. Actu-
ally, lack of this certain level of stress can lead to lack of motivation and then to other
Dirty Dozens such as Complacency or Lack of Awareness.
Safety Nets:
• Be aware of how stress can affect your work.
• Take a rational approach to problem-solving.
• Take time off or at least have a short break.
• Discuss the problem with someone who can help.
• Ask members of your team to monitor your work.
• Exercise your body.

24.2.11 Lack of Awareness

Lack of Awareness leads to failure to be alert and observative in the surroundings,

failure to recognize a situation in time or space, understand what it is, and predict
the possible results. It is usually combined with auto-complacency and often occurs
to very experienced staff who fail to think about the possible consequences of the
work they are doing.
The most tremendous example of a catastrophic end due to Lack of Awareness
is probably the case of Continental Airlines Flight 1515, in which a mechanic was
ingested during the engine run.
It is usual to find Lack of Awareness of other human factors, and other
human factors leading to Lack of Awareness, e.g., stress, fatigue, pressure, lack
of knowledge, or lack of teamwork.
Safety Nets:
• Check to see if your work will conflict with an existing modification or repair.
• Fully understand the procedures needed to complete a task.
• Think of what may occur in the event of an accident.
• Ask others if they can see any problem with the work done.

24.2.12 Norms

Following unwritten rules or behaviors which deviate from the required rules, proce-
dures and instructions may suppose potential threads, including unwritten rules or
procedures that are expected due to Pressure. Norms are usually tolerated by most of
24.2 The Dirty Dozen 281

the team, and they are not always bad: Negative norms can detract from established
safety standards and must be corrected, but positive norms should be captured as
appropriate, e.g., in a procedure.
In Sect. 15.3, the Eastern Airlines Flight 855, in which the omission of the O-rings
of the master chip detectors during their installation led to the loss of all the three
engines, shows signs of the negative effects of Norms. The mechanics decided to
skip the procedure; because they did not find any detector in the cabinet, they picked
them up from the stock room complacent that, as always, they would have installed
the O-rings. Because of the time pressure, they also skipped the step of the Task
Cards that called for the placement of new O-rings.
In the British Airways Flight 5390, for the shift manager was normal not to
follow the established procedure that required to check the IPC and identify the
appropriate Part Number, and selected the bolts by visual comparison, leading to the
decompression that blew out the windscreen and sucked out the pilot in command.
Resistance to change and lengthy processes to change things are direct contributors
to the negative effects of Norms. The system to manage processes, procedures, and
work instructions should be alive and allow to design and test changes, so they can
be reviewed and amended as appropriate as part of the continuous improvement of
safety and quality standards.
Safety Nets:
• Always work as per the instructions or have the instructions changed.
• Be aware that “norms” don’t make it right.
• Identify and eliminate negative norms.
• Follow good safety procedures.
• Identify and eliminate negative norms.
Chapter 25
Organizational Factors

The models presented in the previous chapter focus on human performance and are
useful to understand the underlying human factors that lead to an accident/incident,
but the individuals do not operate in a vacuum; they do it in the context of an
organization. In order to analyze the causes of an accident/incident, it is necessary
to encompass technical, human, and organizational factors.
Developed at the beginning of the 90s, the Reason’s model (Swiss Cheese model)
illustrates how an accident occurs in an organization, focusing on both organization
hierarchy and human error. The barriers established within an organization prevent
the adverse events of organizational influences, unsafe supervision, preconditions
for unsafe acts, and unsafe acts.
The Human Factors Analysis and Classification (HFACS) framework was devel-
oped at the beginning of the 2000s based on the Reason’s model. HFACS uses the
same levels than the Reason’s model but develops causal categories to identify the
active and latent failures that occur.

25.1 The Reason’s Model (Swiss Cheese Model)

The Reason’s model postulates that accidents require that a number of enabling
factors come together, each one necessary but in itself not sufficient to breach the
system defenses.
Equipment failures or operational errors are never the cause of breaches in safety
defenses, but rather the triggers. The safety system defenses are broken when active
failures and latent conditions are present.
Active failures are actions, or inactions, with an immediate adverse effect: errors,
deviations from prescribed procedures and practices, violations, etc.
The latent conditions are those that are present on the system before a failure
occurs and that may be not recognized as harmful because they are not perceived as

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 283
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_25
284 25 Organizational Factors

failures in the first place: operation over safety, poor communication, poor manage-
ment decisions, etc. These latent conditions may remain dormant for a long time and
usually become evident once the fence has been broken.
Most of the latent conditions start with the decision-makers: time, budgets,
politics, etc., that can lead to inadequate training, skills or operating procedures,
scheduling conflicts, neglect of workplace precautions, etc. Decisions made by the
organization managers and regulatory authorities are often the consequence of inade-
quate resources, which can lead to accidents. Avoiding the initial cost of strengthening
the safety system can facilitate the pathway to the organizational accident.
The hypothesis of Reason is that most of the accidents can be traced to four levels
of failure:
• Organizational Influences, e.g., undue time pressures, poor procedures, lack of
training, or lack of safety culture.
• Unsafe Supervision, e.g., poor surveillance, failure to correct deficiencies.
• Preconditions for Unsafe Acts, e.g., fatigue, poor environmental conditions.
• Unsafe Acts, e.g., forgetting a checklist item, installing a wrong part, failing to
detect a structural crack.
In the Reason’s model, the safety system defenses are built to protect against fluc-
tuations in human performance or decision making, represented as slices of cheese:
technology, training, regulations, etc. The holes on the cheese slices represent latent
conditions that vary in size, position, and time in all slices. When the holes in all
the system momentarily align, they allow an opportunity for “a trajectory of acci-
dent opportunity” in which an active failure can pass all the defenses leading to an
accident.
The Human Factors Analysis and Classification System (HFACS) further
develops the Reason’s model and establishes causal categories to identify the active
and latent failures. In theory, at least one failure occurs at each level leading to an
adverse event. If at any time the failure at one level is corrected, the accident/incident
will be prevented. Table 25.1 shows the HFACS framework.

Fig. 25.1 Swiss Cheese Model (concept of accident causation)

25.2 Case Study: Overdue Airworthiness Directive 285

Table 25.1 HFACS framework

Levels of Failure HFACS Causal Categories
Organizational Influences Operational Culture
Operational Process
Resource Management
Supervisory Factors Inadequate Supervision
Planned Inappropriate Operations
Failed to Correct Known Problem
Supervisory Violations
Preconditions for Unsafe Acts Situational Factors Physical Environment
Tools/Technology
Condition of Operators Mental States
Physiological States
Physical/mental Limitations
Personnel Factors Communication, Coordination and
Planning
Fitness for duty
Unsafe Acts Errors Decision Errors
Skill-Based Errors
Perceptual Errors
Violations Routine Violations
Exceptional Violations

25.2 Case Study: Overdue Airworthiness Directive

The following example details the human and organizational factors found after
failing to comply with an Airworthiness Directive, analyzed from the Dirty Dozen
and HFACS perspectives.
A TCH publishes a Service Bulletin that is assessed and implemented on attri-
tion basis without limitation by the Technical Services function of an Engineering
and Maintenance organization. During the same time, the TCH publishes the ALS
Damage Tolerance document with a new section for “WFD-Related mandatory modi-
fications” that require the embodiment of the SB with a specified hard due date. The
experienced Maintenance Programs engineer expects that the SB will be covered by
an AD and, therefore, will be managed by the Technical Services function, so does
not perform any action. A second engineer that crosschecks the implementation of
the ALS document and the supervisor that samples the process do not highlight any
omission.
Months later, the authority publishes an AD mandating the incorporation of the
ALS document into the AMP, action that has already been accomplished except for
the new ALS section. About three years later, the TCH removes the WFD-Related
286 25 Organizational Factors

mandatory modifications section from the ALS, and a few months later the authority
publishes a new AD to clarify that the modifications mandated under the ALS are
still required as per AD (without grace period concession). The modification results
are overdue for a number of aircraft of the operator’s fleet, that end grounded until
the authority grants an AD extension for the subject aircraft.
Dirty Dozen
The requirement to embody a mandatory modification through the ALS docu-
mentation is an unusual procedure; typically, it is mandated through an Airwor-
thiness Directive. Despite the responsibility of the TCH and the authority, there
are several enabling human factors within the operator that lead to the occur-
rence. The Maintenance Programs engineer fails to properly assess the AMP source
documentation.
The apparent preconditions identified in the case are:
• Complacency: the engineer trusts the company procedures that apparently assigns
the analysis of modifications to the Technical Services function.
• Lack of Assertiveness: the engineer fails to raise concerns about an unusual
procedure.
• Lack of Awareness: the engineer fails to recognize the possible results of his
inaction.
• Lack of teamwork: the engineer fails to work together with the Technical Services
team to assess the overall ALS document.
• Norms: the engineer deviates from the procedures implementing the ALS
document partially.
Other Dirty Dozen conditions that may be present at the time of the ALS docu-
mentation evaluation may be less obvious. Lack of knowledge, distraction, fatigue,
lack of resources, pressure, or stress may have led the engineer to completely omit
the “WFD-Related mandatory modifications” section.
Human Factors Analysis and Classification System (HFACS)
The HFACS comprises the human conditions listed in the previous paragraphs, but
also the organizational factors that lead the engineer to omit the new ALS section.
The deviation from the established procedures ends with the partial implemen-
tation of the ALS document, an Unsafe Act classified as Decision Error under the
HFACS framework. The choice to omit the new section is conscious, likely caused
by the misinterpretation of the document and the established procedures. It can be
extrapolated from the Dirty Dozen “Norms.”
The Preconditions for the Unsafe Act include all the other Dirty Dozen identified
(complacency and lack of assertiveness, awareness, and teamwork). It is classified
under the personnel factors Communication, Coordination and Planning. As it
is detailed in Chap. 21, the Maintenance Program function interacts with most of
the other functions of the organization; any deficiencies found in such interactions
should be appropriately addressed.
25.2 Case Study: Overdue Airworthiness Directive 287

Although a second engineer follows the exiting procedure to crosscheck the imple-
mentation of the ALS document, and the supervisor also samples it, apparently it
does not function as expected, and both also omit the new ALS section. The aspects
of the deficient oversight function are classified as Inadequate Supervision.
In the last instance, a procedure to review source documents that lacks closer
coordination between departments and does not consider unusual situations makes
the rest. The influence of the organization falls within the Operational Process
category.
If one of the causal categories would be eliminated on time, the AD overdue
situation would have been prevented.
Chapter 26
Safety Programs

ICAO Annex 19—Safety Management defines safety as “the state in which risks
associated with aviation activities, related to, or in direct support of the operation
of aircraft, are reduced and controlled to an acceptable level.”
The safety strategy set by ICAO is substantiated on two complementary elements:
the State Safety Programs (SSP), for states, and the Safety Management Systems
(SMS), for organizations.
The regulatory and oversight functions of a state do not require an SMS but an
SSP, except in circumstances where the state is also a service provider (Air Traffic
Service, Aeronautical Information Services, meteorological services, etc.).
The European equivalent of the SSP is the European Aviation Safety
Programme (EASP) that aids the member states in developing their own SSPs.
The EASP sets the strategy and integrates the ICAO requirements into the EASA
regulation.
The FAA, as both regulatory and product/service provider organization, chose to
implement both SSP and SMS in order to ensure the interoperability amongst all the
safety management functions across FAA organizations. Therefore, the overall FAA
Safety Management System (SMS) comprises both frameworks: SSP and SMS.
An SMS should be proportional to the scope and size of the organization.

26.1 Safety Management Principles

Both SSP and SMS elements of the Safety Strategy set by ICAO are supported by
the same basic principles (pillars) of Safety Management, at state and organizational
levels, respectively: Safety Policy, Safety Risk Management, Safety Assurance, and
Safety Promotion.
The Safety Policy and objectives reflect the commitment toward safety:
responsibilities, accountabilities, organizational structure, safety rules frameworks,

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 289
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_26
290 26 Safety Programs

processes, SSP/SMS documentation, and the establishment of a Safety Reporting

System (SRS).
Safety Risk Management refers to the identification of hazards based on both
reactive and proactive methods, and the assessment, control, and mitigation of risks.
The State Safety Risk Management element of an SSP must ensure the imple-
mentation of SMS for service providers.
Reactive methods are occurrence/incident/accident investigations and mandatory
safety reporting; proactive methods are inspections, audits, surveys, studies, reviews,
voluntary safety reporting, etc.
The responsibility of the states to establish a process for Incidents/Accidents
Investigation in accordance with ICAO Annex 13 is introduced in the Appendix B
of this book.
Safety Assurance refers to the surveillance, monitoring, and measurement of the
safety performance, the management of changes that may affect the level of safety,
and the continuous improvement of the SSP/SMS.
Safety Promotion is the element that refers to the responsibilities of states and
service providers to promote safety awareness, sharing safety information, and devel-
oping a positive safety culture. The main tools for Safety Promotion are safety training
programs and an appropriate safety communication policy.

26.2 SMS: EASA and FAA Approaches

The regulatory approach between EASA and the FAA differs in regards the scope of
the organization for which is required the implementation of an SMS; while EASA
is integrating the SMS elements within the approval of each type of organization, the
FAA only requires an SMS to the Part-121 operators but implements an SMS within
the FAA organization itself that acts as the SSP.
EASA is gradually embodying the SMS requirements into its regulations: since
2012 the safety management principles are reflected in the Air Operations, Air Crew,
Aerodromes, ATM/ANS, and so on, with the latest incorporation into the CAMO
organization requirements in 2019 and into the Part-145 Maintenance organizations
in 2021. Certain elements of the SMS, such as the occurrence reporting system, are
already incorporated into the Part-21 Design and Production organizations, for which
the requirement for an SMS is already presented in the form of a Notice of Proposal
Amendment (NPA) and should be incorporated into the Implementing Rules soon.
On the other side, since 2010, the FAA requires the implementation of SMS
(based on 14 CFR Part 5) to the Part-121 Air Carriers. The SMS development for
operators approved under a non-Part-121, MROs, training organizations, and other
service providers is encouraged under voluntary basis. The deviation from the ICAO
standards is appropriately published by the FAA.
26.3 Safety Reporting Systems and Exchange of Information 291

26.3 Safety Reporting Systems and Exchange

of Information

ICAO Annex 19 requires that the states and service providers establish Safety Data
Collection and Processing Systems (SDCPS) to capture, store, aggregate, and
enable the analysis of safety data and safety information. The SDCPS are set at
both state and organization level, each of which content:
• Records from incident/accident investigations,
• Safety Reporting Systems (Mandatory/Voluntary), and
• Other sources of information, e.g., schemes for exchange of information.
Apart from the rules to report accidents and serious incident to the appropriate
accident investigation authorities, the requirement for Safety Reporting Systems is
essential in hazard identification.
The safety data is protected and should not be used for disciplinary, civil, admin-
istrative, or criminal actions against persons or organizations but only for purposes
of maintaining or improving safety. Therefore, if the objective is an effective safety
reporting, both types of reporting, mandatory, and voluntary should not lead to blame
or punishment. However, principles of exception apply when the competent authority
determines that the occurrence is caused by any act or omission considered as a gross
negligence, willful misconduct, or criminal activity, for the proper administration of
justice, or when the release of the safety information is necessary for maintaining or
improving safety.

26.3.1 Types of Safety Reporting Systems

Mandatory Reporting Systems require people and service providers to report

certain types of events and hazards to the competent authority. These events and
hazards endanger, or if not corrected, would endanger, the aircraft, its occupants, or
any other person.
For example, non-compliance or significant errors in compliance with the Aircraft
Maintenance Program must be reported. Specific approvals or programs may have
specific reporting requirements for associated failures or malfunctions, e.g., for
EDTO (ETOPS), APU shut down or failure when the APU is required to be available
by operational requirements, or loss of one hydraulic system.
In addition to the mandatory reporting systems, a Voluntary Reporting System
is required to collect and analyze information on observed deficiencies that are not
required to be mandatorily reported but that are perceived as hazards. The information
is disidentified to ensure the confidentiality of the reporting person/organization.
292 26 Safety Programs

EASA Safety Reporting Systems

In an EASA environment, the rules and guidance to establish the Safety Reporting
Systems (mandatory and voluntary) for the states and organizations are detailed in
the (EU) No 376/2014 on the reporting, analysis and follow-up of occurrences in
civil aviation (implemented in CAMO.A.160 for continuing airworthiness manage-
ment organizations) and AMC 20–8 Occurrence Reporting. Implementing Regulation
(EU) 2015/1018 lists down the occurrences that are mandatory to be reported. The
rules establish a maximum reporting period of 72 h since becoming aware of the
occurrence, although it should be immediate when significant hazards happen.
The European Union Safety Reporting Portal provides common reporting forms
for individuals and organizations to submit the safety reports to their competent
authority.
In addition to the State Safety Reporting Systems required for the member states,
EASA makes provision for a higher level reporting system: the Confidential Safety
Reporting. The Confidential Safety Reporting enables individuals to report alleged
malpractices and irregularities voluntarily. It does not replace the normal mandatory
and voluntary occurrence reporting lines established by organizations and member
states but allows to report any suspected, presumed, or alleged violation of the legal
framework of the European Union for civil aviation safety.
FAA Safety Reporting Systems
The FAA Service Difficulty Reporting System (SDRS) is the mandatory system
for operators and maintenance organizations concerning failures, malfunctions, and
defects of the aircraft and its components. SDRs rules, including the occurrences to
be reported, are detailed in 14 CFR 121.703, 135.415, and 145.221. A maximum
reporting period of 96 h since the discovery of the failure, malfunction, or defect is
established for the aforementioned certificate holders.
The Aviation Safety Reporting System (ASRS), designed and operated by the
National Aeronautics and Space Administration (NASA), is the voluntary avia-
tion occurrence reporting system that serves the FAA in safety researching. The
description of the program is detailed in AC 00-46E Aviation Safety Reporting
Program.
ICAO Safety Reporting System
At international level, in accordance with ICAO Annex 13 Aircraft Accident and Inci-
dent Investigation, after an accident of aircraft above 2250 kg and incident to large
aircraft (over 5700 kg), the state conducting the investigation must report the Acci-
dent Preliminary Report or the Incident Data Report, as corresponds, to ICAO. The
ICAO reporting system, known as Accident/Incident Data Reporting (ADREP),
constitutes a databank of worldwide occurrences.
Based on this data, ICAO issues a series of periodic summary reports providing
statistics and an up-to-date picture of significant occurrences on a worldwide basis.
26.3 Safety Reporting Systems and Exchange of Information 293

Safety Reporting Between Organizations

It is recommendable that approved organizations establish reporting systems to
address data related to unsafe or unairworthy conditions, although the form and times
are left to the individual organizations to determine. The importance is focused on
an appropriate exchange of information relating to occurrences between:
• Operator/Maintenance and Production organizations to Design organizations,
• Maintenance organizations to Operator, and
• Production to Production organizations.

26.3.2 Safety Information Exchange

The following two programs are used to support organizations, at the European and
U.S. levels, respectively, for the collection and exchange of their aviation safety
information.
The European Coordination Centre for Accident and Incident Reporting
Systems (ECCAIRS) acts as the network of European Civil Aviation Authorities
and Safety Investigation Authorities to collect and analyze safety information. The
ECCAIRS reporting system is held in two central databases: the European Central
Repositories for Occurrences (ECR-ECCAIRS) and the European Central Repository
for Safety Recommendations (ECR-SRIS).
In the U.S., the Aviation Safety Information Analysis and Sharing Program
(ASIAS) is the most extensive program in safety data exchange, connecting a
wide variety of data sources across government and industry: ASRS, SDR, Acci-
dent/Incident Database System (AIDS), NTSB accident database and others (flight
operational quality assurance, meteorological aviation reports, mandatory occurrence
reports, near mid-air collisions, traffic flow management system, etc.).

26.3.3 Safety Data Format

The ADREP taxonomy, used in the ADREP system, is a set of definitions and
descriptions used during the gathering and reporting of accident/incident data to
ICAO: aircraft categories, entities and attributes, aviation operation, descriptive
factors, events, events phases, occurrence category, occurrence classes, organiza-
tions/persons, etc. ICAO encourages the states to use an ADREP compatible system
(same coded predetermined format).
On the other side, the ECCAIRS software (a product derived from the evolution
of the ECCAIRS system, initially developed to assist national and European trans-
port authorities) has become a widely used platform for safety reporting. ECCAIRS
software is used by ICAO to operate its own ADREP system and is also chosen by
several non-European states to take advantage of the common classification.
294 26 Safety Programs

For standardization purposes, organizations usually use reporting forms based

on the format of the corresponding Safety Reporting Systems implemented by their
national authorities. EASA actually requires that the organizations reporting systems
are compatible with the ADREP taxonomy and the ECCAIRS software.
Softwares such as Q-Pulse or SMS Pro assist organizations in managing their
Safety and Quality management systems with support for ADREP/ECCAIRS
reporting.

26.4 Safety Culture

The concept of Safety Culture involves the values and attitudes regarding safety
issues, shared by every member of every level of an organization. It refers to the
extent to which every individual and every group of the organization is aware of the
hazards and safety risks induced by his/her/its activities, is behaving to preserve and
enhance safety, is willing to communicate safety issues, and consistently evaluates
safety-related behaviors.
Safety Culture is the vital condition for an effective SMS but is at the same time the
element in which many organizations still fail. Safety culture within an organization
cannot succeed if the local culture or the safety culture of the authority are not the
same. For example, in non-democratic cultures, there is an acceptance of unequal
status and deferences to managers and likely fear for safety reporting, which acts as
an uncrossable barrier toward Safety Culture.
Safety Culture does not mean that a Safety Policy is established, an SMS is in
place, SMS and Human Factors training is given, or “Safety” posters are hanging on
every wall of the organization; effective Safety reporting must be encouraged.
The European Commercial Aviation Safety Team (ECAST) proposes a Safety
Culture framework based on the following six dimensions or characteristics:
• Commitment: extent to which every level of the organization has a positive
attitude toward safety and recognizes its importance. It cascades down from the
organization’s safety policy and should be encouraged by the management with
appropriate means and motivation. SAFETY FIRST!
• Behavior: extent to which every level of the organization behaves such as to
maintain and improve the level of safety. The expected behaviors of how people
would behave if nobody would be watching should be analyzed against organi-
zation–employee mutual expectations, job satisfaction, and adequate equipment.
• Awareness: extent to which employees and management are aware of safety risks.
• Adaptability: extent to which employees and management are willing to learn
from past experiences and are able to change to enhance the level of safety.
• Information: extent to which information is distributed to the right people, e.g.,
proper communication or effective safety reporting.
• Justness: extent to which safe behavior and reporting of safety issues are
encouraged or even rewarded, and unsafe behaviors are discouraged.
26.4 Safety Culture 295

Both the competent authority and the organization should promote a non-punitive
environment facilitating the reporting of occurrences and thereby advancing the
principle of “Just Culture.”
However, while safety reporting should be non-punishing and reporters and
sources of safety information should be protected (actually it is a key of effective
safety reporting), it should not interfere with the responsibilities of the competent
authorities. The authorities are in charge to educate and promote training or supervi-
sion when safety deficiencies are detected and should take actions against those who
constantly and deliberately operate outside the regulations.
Just Culture should neither interfere with the administrative and penal laws estab-
lished by each state; the fact that an organization has not only safety but legal
responsibility is usually omitted during SMS training.
EASA, in the Article 84 Fines and Periodic Penalty Payments of the Basic Regula-
tion, details the fines and periodic penalty payments whenever the rules are infringed.
It allows a supplementary tool, in addition to the withdrawal of certificates. For
example, when it is found that the certificate holder has intentionally or negligently
breached the rules, it may be imposed a fine of up to 4% of the annual income or
turnover of the preceding business year.
The FAA details the civil penalties in the Investigative and Enforcement Proce-
dures in 14 CFR Part 13, with references to the corresponding chapters of the
49 CFR—Transportation. For example, the FAA has the authority to issue orders
assessing a penalty of up to $400,000 for other than small business concerns.
 Part VI
Quality Improvement Tools and Methods

The effectiveness of the Safety Management Systems (SMS) detailed in the

previous chapter cannot be understood without applying quality management prin-
ciples. SMS and Quality Management Systems (QMS) have developed a strong
relationship, where improvements to the quality processes are required to satisfy the
safety requirements.
Both management systems are originated from similar management processes
(findings/occurrences, root cause analysis, corrective action and follow up) and there-
fore share many commonalities: both have to be planned and managed, depend on
measurement and monitoring, involve every function, process, and person with the
organization, and push for continuous improvement.
Although both also have common methods and techniques, the objective of each
system is different. The objective of an SMS focuses on aviation safety through
investigation of events and identification of hazards, and the objective of a QMS is
customer satisfaction through compliance and continuous improvement.
SMS and QMS are complementary and must work closely together to achieve the
overall safety goals.
Whether the quality assurance function is under a compliance monitoring
program, as the minimum required by EASA, or under a QMS, the identification
of under-performing processes and the improvement of the organization’s processes
to reduce risks are required under any ICAO environment.
This chapter outlines several effective continuous improvement tools and method-
ologies designed to streamline safety and quality processes. The tools and method-
ologies can be used in different ways; for example, while an audit is traditionally
considered a compliance monitoring tool, it can be used and prepared in advance as
a powerful method for continuous improvement. Not preparing for an audit can be a
missed chance, and not collaborating for an effective audit can be a second missed
chance.
The tools and methodologies selected in the following chapters have been proven
to be useful in the aircraft maintenance program area but are only part of a larger
continuous improvement toolbox with plenty of other instruments available; the key
is to recognize deficiencies and look for the most appropriate solution when needed.
Chapter 27
Audits

ISO 19011:2018 defines an audit as “the systematic, independent and documented

process for obtaining objective evidence and evaluating it objectively to determine
the extent to which the audit criteria are fulfilled.”
The objective evidence consists of data supporting the existence or verity of some-
thing: records, observation, measurement, test, etc. The audit criteria is the set of
requirements (legal requirements, contractual obligations, policies, procedures, work
instructions, etc.) used as a reference against which objective evidence is compared.
Audits are traditionally recognized as compliance monitoring tools and occa-
sionally can be found threatening because inevitably their function is to highlight
non-compliance, deficiencies, or areas that can be improved, and those are always
under the responsibility of managers and supervisors that could feel underestimated
their expertise and efforts. On the contrary to these feelings, audits are based on
evidence and can become the most valuable ally improvement tool if the organi-
zation or function being audited knows how to turn the findings, observations, and
recommendations into opportunities to analyze gaps and hazards and enhance its
processes.
This chapter introduces the most common requirements and standards to which
an operator can be audited: the Aviation Regulations (EASA/FAA), the IATA
Operational Safety Audit (IOSA), and the ISO 9001:2018 standards.
Following the introduction to the most common audit requirements and stan-
dards, a few paragraphs follow to suggest certain preliminary exercises that can be
performed by the audited organization’s function to make the audit more effective
and get the full benefit from it.

27.1 Regulations and Standards

In addition to the mandatory audit requirements that allow an operator or service

provider to be certified/authorized to perform certain types of activities and operations
and keep that certification/authorization to develop its functions, there exist a few
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 299
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_27
300 27 Audits

other internationally recognized standards to which the organization can adhere and
that, in addition to ensure regulatory compliance, can offer several advantages, e.g.,
standardization of the audit process, elimination of redundancy of audit activities, or
deeper focus on the performance of the management systems.
The auditing component for the three requirements/standards described hereunder
(EASA/FAA, IATA, and ISO 9001) can be classified attending to the entity that
conducts the audit:
• Internal (First-party): self-assessment conducted by the organization.
• External:
– Second-party: conducted by parties having an interest in the organization,
e.g., customers.
– Third-party: conducted by independent auditing organizations, such as those
providing certification/registration conformity or governmental agencies, e.g.,
EASA, FAA, Civil Aviation Authorities, or organizations accredited by IATA
or ISO.
Internal Audits are one of the most important elements of the management
systems; they are not optional but required to maintain the certification/authorization
under consideration. An effective internal auditing process is a key factor toward
successful external audits.
It is not necessary that the organization carries out internal audits for each
requirement/standard; an internal audit program can integrate all of them (regu-
lation, IOSA, ISO 9001:2015, lean audits, etc.) where the intent of each individual
requirement/standard is appropriately covered by the program.

27.1.1 Regulatory Audit

Under the ICAO SARPs, the States are required to have a safety oversight system
that observes and assesses the compliance of the aircraft operator and the service
providers with the applicable regulations, procedures, and recommended practices
and standards. This is achieved through different means, including Regulatory
Audits conducted by the regulatory/competent authority and the requirement for
the organizations to establish a self-auditing and inspection program, including
contractors and subcontractors auditing.
ICAO allows variations in the manner in which compliance with the regulations
can be demonstrated to satisfy the regulation: prescriptive-based and performance-
based compliance.
Prescriptive-based Compliance is the conventional means of achieving target
levels of safety performance based on pre-established, non-variable standards, or
limitations. An operator following this approach generally bases its systems in
manuals and SOPs that meet the regulatory requirements, instead of systems and
processes, and shows compliance when required.
27.1 Regulations and Standards 301

Performance-based Compliance involves target levels of safety performance of

systems and/or processes that allow the implementation of variations to the prescrip-
tive regulations. It is facilitated by the analysis of operational data to generate
evidence.
Both EASA and the FAA allow to adjust the audit cycles based on a risk-
based methodology. For example, EASA establishes an oversight planning cycle
of 24 months when the operator demonstrates prescriptive-based compliance. The
cycle can be extended to 36 months if the organization also demonstrates an effec-
tive identification of aviation safety hazards and management of associated risks that
have full control over all changes, no level 1 findings have been issued during the
previous audit, and all corrective actions have been implemented within the rules.
The cycle can be further extended to 48 months when the operator demonstrates
overall Performance-based Compliance, with the aforementioned conditions plus
an effective continuous reporting system on the safety performance and regulatory
compliance.
In the EASA system, the types of audit findings are classified into two levels:
• Finding level 1: significant finding that can lead to revoke, limit, or suspend the
organization approval/authorization until the corrective actions have been taken,
e.g.,
– failure to give access to the facilities of the organization to the competent
authority,
– obtaining/maintaining the validity of the certificate/authorization by falsifica-
tion of submitted documentary evidence,
– evidence of malpractice or fraudulent use of the certificate/authorization, or
– lack of an accountable manager.
• Finding Level 2: non-compliance with the regulations, organization’s procedures
and manuals, or terms of the certification/authorization which could lower safety
or hazard flight safety. There is a corrective action period granted by the authority.
• Finding Level 3 (Observation): item where it has been identified, by objective
evidence, to contain potential problems that could lead to a non-compliance.
In the FAA Internal Evaluation Programs, the audit findings are classified under
five categories:
• Non-compliance with regulations (NCP),
• Non-conformance with documented procedures (NCF),
• Safety-related concern (SRC), currently in compliance and conformance, but the
problem may have safety implications,
• Quality-related concern (QRC), currently in compliance and conformance, but
the problem indicates a weakness in the quality system, and
• Observation (OBS).
The Safety and Just Culture principles detailed in Sect. 26.4 also apply to the
audit findings. Inadvertent errors should not lead to disciplinary actions.
When an organization demonstrates compliance with industry standards that are
compatible with the regulations and the oversight planning cycle, e.g., through IOSA
302 27 Audits

certification, the authority may adapt the oversight program to avoid duplication of
specific audit items.

27.1.2 IATA Operational Safety Audit (IOSA)

The IATA Operational Safety Audit (IOSA) is an evaluation system developed by

the International Air Transport Association (IATA) to assess the operational manage-
ment and control systems of an airline. The IOSA Audits are carried out by Audit
Organizations accredited and overseen by IATA.
IOSA provides a structured audit methodology and standard checklists that reflect
the updated regulatory requirements (cascaded down from ICAO Annexes) and best
practices across the industry.
One of the main objectives of IOSA is to eliminate audit redundancy by recogni-
tion of the standard in the safety oversight programs of the regulators. A standard-
ized audit system facilitates the exchange of audit information and reduces resource
requirements and costs.
IOSA targets the organization’s Management System to assess if the internal
auditing system ensures:
• Compliance with applicable regulations and standards,
• Satisfies stated maintenance operations needs,
• Identifies undesirable conditions and areas requiring improvement,
• Identifies hazards in maintenance operations, and
• Assess the effectiveness of safety risk controls.
Under an ICAO environment, typically, the first two points, related to compliance,
are covered by the Quality Management System requirements, and the last three,
related to the continuous improvement of the operational safety performance, by the
Safety Management System.
The IOSA Standards Manual (ISM) provides the IOSA Standards and Recom-
mended Practices (ISARPs), associated guidance material, and other supporting
information necessary for the auditor to conduct the audit and for the operator to
prepare for it.1,2
The ISM provisions are structured in the following operational categories:
• Section 1—Organization and Management System (ORG)
• Section 2—Flight Operations (FLT)
• Section 3—Operational Control and Flight Dispatch (DSP)
• Section 4—Aircraft Engineering and Maintenance (MNT)
• Section 5—Cabin Operations (CAB)
• Section 6—Ground Handling Operations (GRH)
• Section 7—Cargo Operations (CGO)
• Section 8—Security Management (SEC).

1IOSA Standards Manual. IATA. Edition 14 Revision 1—2021.

2IOSA Audit Handbook, Procedures and Guidance (Audit Organizations and Airlines). IATA.
Edition 11—2021.
27.1 Regulations and Standards 303

The Aircraft Maintenance Program ISARPs can be found in section 4—Aircraft

Engineering and Maintenance (MNT).

27.1.3 ISO 9001:2015 Quality Management Systems

ISO 9001 is an international standard that specifies the requirements for a Quality
Management System (QMS) for any type of organization, independently of the
size, products, or service that provides, e.g., operators, suppliers, or agencies.
The ICAO Universal Safety Oversight Programme (USOAP), the EASA Inte-
grated Management System, and the FAA Safety Office are ISO 9001:2015
certified.
The ISO standard allows the organization or part of the organization to demon-
strate its ability to consistently provide products/services that meet customer and
applicable regulatory requirements.
ISO 9001:2015, the current version, bases the success of an organization on
its competence to meet customer satisfaction. To achieve this, ISO 9001:2015 is
established under three pillars:
• Risk-based thinking: It is a systematic approach to risk where they are evaluated
while establishing or revising processes and/or controls, rather than seeing risk
as an isolated component. The definition of risk is expanded in ISO to “the effect
of uncertainty on objectives,” what it is described as a potential deviation from
an expected outcome (the unknown, positive or negative). Risk-based thinking
makes the preventive action part of the day-to-day routine.
• Process Approach: It is the way to organize and manage the process activities
as a system to create value, rather than managing the resources vertically or
independently (departments, staff, products, etc.). It allows eliminating the issues
that occur frequently at the boundaries of the functional departments and achieves
the results more efficiently.
• PDCA Cycle (Plan-Do-Check-Act). It is the operating principle of ISO
9001:20,015 for continuous improvement (see Sect. 29.1.2.1 for further details).
The three concepts are an integral part of the ISO 9001:2015 standard. Risk-based
thinking is used throughout the process approach to identify risks, define process
changes and/or controls to prevent undesired results; PDCA operates as the cycle of
continuous improvement of the processes, with risk-based thinking at each stage.
ISO 9001:2015 and the EASA/FAA QMS regulatory requirements are comple-
mentary. EASA/FAA QMS primarily focuses on compliance and documentation,
and it defines roles and responsibilities of the nominated persons to manage specific
areas (Quality and Safety). On the other side, ISO 9001:2015 focuses on processes
and performance to identify risks and opportunities, without the need of nominated
persons but leadership positions, and resting importance to the documentation.
304 27 Audits

27.2 Preparing for an Audit

“By failing to prepare, you are preparing to fail,” unattributed.

Out of the competences and responsibilities of the Quality function and/or auditor
that will guide the audit, it is highly recommendable that the Maintenance Program
function prepares in advance in order to be confident with the AMP processes, identify
opportunities for improvement in advance, and contribute to its effectiveness.
Preparing for an audit can ensure that the documentation meets the requirements
and standards and that the processes and procedures are correctly followed.
One of the keys for a successful audit is that the auditee is familiar with the
requirements and standards, knowing the elements that need to comply with.
The team should be aware of its role in the organization and how they contribute
to meet the quality and safety objectives. They should be able to answer the auditor’s
questions by referring to updated policy, process maps, procedures, work instructions,
etc. Everybody in the team should be on the same page.
If any process or activity performed is not appropriately documented or followed,
process maps, procedures, or work instructions, as appropriate, may require to be
developed or revised.
Another key point is the organization of the documentation: knowing where to
find documents and records and generate the reports that may be requested by the
auditor. It is the right time for the team to use the 6S method to put everything in
place (see Sect. 29.2.3).
The next step is to ensure that the function’s processes meet the audit criteria.
Likely, there is some checklist, or the Quality function can provide supporting docu-
mentation, that can be used to cross-refer the requirements and standards to the
manuals, processes, procedures, work instructions, etc. It is also time to review the
results of past audits to ensure that the corrective actions are implemented and are
effective.
Preparing a correlation of compliance statements will provide confidence in the
system and will also allow to demonstrate compliance straight away, making the
audit more efficient.
Once the scope, date, and place of the audit are known, a short presentation
(5 min) can be developed to introduce the current high-level view of the audit scope
processes, latest changes and achievements, and how the findings and observation
from the last audit have been resolved. The presentation should focus on the audit
scope and should not try to deviate the attention of the auditor to different subjects,
but be used to clarify the understanding about the organization and its processes.
During the audit, being honest and professional with the auditor is essential so
the auditor can uncover non-compliance and deficiencies that will be used as inputs
for continuous improvement.
Chapter 28
Problem Solving

From time to time, some element of the organization fails or may fail to perform as
expected, e.g., staff, processes, procedures, components, equipment, etc. Problem
Solving is the act of defining those issues, analyze the root causes, and select and
implement solutions.
When the issues are known, e.g., a non-compliance or an incident or accident, the
approach is known as Reactive Problem Solving and aims to find and eliminate the
root causes of the occurrence.
There are a number of tools used for Reactive Problem Solving: the A3 Method
and the Maintenance Error Decision Aid (MEDA) are used as overall methodologies
for problem solving and continuous improvement and are at the same time a useful
source of data. Certain methods, such as the Five Why and the Cause and Effect
Analysis are used as Root Cause Analysis (RCA) tools to identify those latent
issues.
Reactive methods are used after an event occurs in order to find out why it occurred.
But Reactive Problem Solving can be minimized by taking a proactive approach.
Proactive Problem Solving aims to anticipate risks and potential issues by using a
variety of tools, e.g., the Bow-Tie Diagram or the Failure Mode and Effects Analysis
(FMEA). Proactive methods are usually not spontaneous but triggered by some type
of occurrence, normally when a high-risk scenario is detected. Certain elements of
these methods are valid to be used during an RCA and will look not only into the
root causes of the known issue but into the possible scenarios around a hazard.
Becoming proactive requires changes to the existing processes, greater collabo-
ration between the functions of the organization, and more resources, so a high level
of commitment from the management is necessary.
Basic tools such as process flowcharts can be used in assistance with the above-
mentioned tools and methodologies (see Sect. 29.2.1).
There are many other tools and methodologies for Problem Solving that may be
found useful; the key is to research and adapt those instruments to the needs.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 305
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_28
306 28 Problem Solving

28.1 Root Cause Analysis

Root Cause Analysis (RCA) looks for the underlying causes of deficiencies and
occurrences. These are the Latent Conditions, a type of Hazard introduced in
Chap. 23, that are those present on the system that are not perceived as harmful.
RCA is used to correct deficiencies and occurrences at the three sides of the
Triangle of Airworthiness:
• Reliability, when deviations from the performance standards are highlighted and
there is a need to find the causes of such deviations,
• Safety, when it is necessary to identify the gaps in the safety defenses in order to
prevent future occurrences,
• Quality, when non-compliance with the regulations or standards are identified
and it is necessary to revise the current processes to avoid re-occurrence.
In all the three domains, it is usual to confuse the symptoms (Active Failures) with
the underlying causes. The symptoms are the evidences of the underlying causes
and should be immediately addressed with immediate corrective actions, e.g., the
immediate corrective action for a non-compliance with an Airworthiness Directive
usually grounds the affected aircraft, but the underlying cause may be the lack of
training that leads to lack of knowledge of employees, a wrong AD setup and, in the
last instance, to the non-compliance situation.
RCA includes a number of reactive methods performed after evidence (e.g., when a
control limit is reached or after an occurrence) and others to anticipate such situations.
This chapter introduces four of the plenty of available RCA tools:
• Five Why Analysis,
• Cause and Effect Diagram,
• Bow-Tie Diagram, and
• Failure Mode and Effects Analysis (FMEA).
The use of the different tools depends on what we are looking for; while the Five
Why Analysis can assist on quick identification of root causes, the Cause and Effect
Diagram serves as a visual tool to order them in accordance with causal categories.
Bow-Tie and FMEA are proactive methods that focus on how and when a system
could fail and can be triggered by the occurrence for which any of the other RCA is
being performed.
Other simple RCA tools not further detailed in this book but that may be found
useful are:
• the Affinity Diagram, used to organize a large number of ideas into natural rela-
tionships (contributing causes identification and classification), especially during
a brainstorming session.
• the Causal Factor Tree Analysis, useful to display all the actions and conditions
that lead to the occurrence in a logical tree-structured hierarchy.
28.1 Root Cause Analysis 307

• the Pareto Chart, useful to display data and facilitate the decision-making
process. It allows weighting the contributing factors, based on historical data,
and assists in determining which causes should be addressed first.
An RCA method by itself does not eliminate or mitigate the underlying causes
but it is an input to the assessment of the preventive or corrective action.
Both the occurrence investigation and the corrective actions must be cost-
beneficial; when the analysis is not deep enough, the latent conditions may not
be adequately identified, and when the analysis is too exhaustive, the use of certain
resources such as manpower would be missed from the day-to-day tasks what can
lead to new occurrences. Therefore, in order to determine and assign the resources
required in a reasonable manner, the analysis depth level should be pre-assessed.
During the course of the analysis, it is possible to adjust resources based on changing
needs.
As introduced in previous chapters, a Cost–Benefit Analysis (CBA) may be
required to determine if the mitigation actions are cost-effective.
The RCA tools are limited by human performance; some of these constraints are:
• Confirmation Bias: tendency to search and interpret information in the way that
supports one’s hypothesis.
• Stop the analysis at the symptoms instead of going to deeper level root causes.
• Following only one causal chain.
• The investigation is limited to the knowledge of the practitioners, which can lead
to miss the identification of causes that actually they do not know.
All these limitations can lead to inadequate identification of root causes and trigger
future re-occurrences. To overcome these conditions, it is necessary:
• To allocate enough resources to allow following different causal chains and
analyze deep root causes levels,
• For complex issues, build a diversified team rather than a single person performing
the RCA. Taking into consideration that most of the occurrences are associated
with human factors, an HF expert should be incorporated into the team as far as
practicable. It is necessary not only to count with a panel of experts on the subject
but to incorporate staff that is not directly involved in the process that caused the
occurrence in order to reduce the confirmation bias element of the analysis.

28.1.1 Five Why Analysis

The first of the RCA tools presented was developed by Sakichi Toyoda, the founder of
Toyota Industries, back in the 1930s. It is nowadays used across all types of industries
as one of the most recognized simple problem-solving methods.
The Five Why Analysis is used to determine the root causes of a problem by
asking the question “Why?” multiple times in succession until they are found.
For example:
308 28 Problem Solving

• Why…did the Airworthiness Directive was overdue? Because…the wrong task

setup in the maintenance software.
• Why…was the task setup in the maintenance software wrong? Because…the
employee developing it did not know the maintenance software functionalities.
• Why…did not the employee know the maintenance software functionalities?
Because…he had no training on the software.
• Why…the employee had no training on the software? Because…it is not part of
the operator’s policy to provide maintenance software training.
• Why…is not the operator’s policy to provide maintenance software training?
Because…the regulations do not require maintenance software training.
One of the keys to succeed with a Five Why Analysis is the formulation of the
questions and the answers, which must be as simple and precise as possible.
The root causes may be found with more or less than five questions depending on
the complexity of the issue. The individual or team conducting the analysis should
determine when the real causes of the problem are found; indications of a completed
analysis are when the elimination of the causes found would prevent the occur-
rence from happening again or when the elimination of such causes is not under the
organization authority.
In the case of safety occurrences, where deficient regulations or standards may be
amongst the root causes, it should be notified to the competent authority, as appro-
priate, who will be in charge of further analysis. In the case example, another Why
question, e.g., “Why the regulations do not require maintenance software training?”
would lead to an area that is outside of the organization competences.
Because there are several root causes associated with an occurrence, the Five
Why Analysis usually takes multiple directions. In the example above, just from the
second question, it is possible to deviate to a few other causes; e.g., the task setup was
wrong because there was no setup verification procedure, or because the employee
was under stress, and so on; or from the third question, deficiencies in the employee
induction process, in the written procedures, in the software ergonomics, etc., may
be detected.

28.1.2 Cause and Effect Diagram (Fishbone Diagram)

The Cause and Effect Diagram, also known as Ishikawa Diagram or Fishbone
Diagram, is a visual RCA tool that allows to see all the causes at once and identify
if the same root cause is found in more than one causal chain.
The use of the Cause and Effect Diagram is appropriate for complex issues where
brainstorming is required, and usually, it serves as the means to apply the Five Why
Analysis.
The Box at the head of the fish reflects the statement of the issue, the spines
or main branches are the different causal categories, and each branch has different
28.1 Root Cause Analysis 309

sub-branches for further categorization and boxes to specify root causes. More sub-
branches indicate more level of detail of the analysis.
The main branches depend on the specific case of study; a common model can be
used to help to structure the diagram, e.g.,
• The 8M model: Man, Machine, Material, Method, Measurement, Mission,
Management, and Maintenance.
• The 4S model: Surroundings, Suppliers, Systems, and Skills.
When the search includes or is focused on Human Factors, the use of the Human
Factors models introduced in Chap. 24 may be useful to preformat the diagram, e.g.,
SHELL, PEAR, Dirty Dozen.
For the case presented in the Five Why paragraphs, an overdue Airworthiness
Directive, it is possible to choose the main branches based on the evidences of
the data collected, e.g., deficiencies in the Equipment, Process, People, Quality,
Environment, and Management could have contributed to the occurrence; those are
the main branches of our Cause and Effect Diagram (Fig. 28.1).
The diagram allows to visualize all the root causes at the same time, but there is an
inconvenience: the Cause and Effect Diagram does not identify the interrelationships
between root causes; e.g., the deficiencies on the quality audits may be related to

Fig. 28.1 Cause and Effect Diagram example

310 28 Problem Solving

deficiencies in the AD setup procedure, the setup validation or the employee readi-
ness; or the lack of awareness about certain maintenance software malfunctions may
have led to a deficient validation process.
When it becomes necessary to focus on causal chains, usually when assessing
high-risk scenarios, the Cause and Effect Diagram may be not sufficient, and other
methods, such as the Bow-Tie Diagram, are more appropriate.

28.1.3 Bow-Tie Diagram

The Bow-Tie Diagram is not only an RCA tool but a risk assessment method. In
comparison with the Five Why and the Cause and Effect Diagram, it allows to show
the flow of events from the root causes to the hazardous condition, and from the
hazardous condition to the potential outcomes1 (See an introduction to Bow-Tie
Diagram in Chap. 23).
Basically, the Bow-Tie Diagram consists of (all) the possible risk scenarios around
a certain hazard and the means that the organization establishes to stop those scenarios
from happening.
While the overall Bow-Tie method is more appropriate for proactive hazards and
risk analysis, the use of the left side of the diagram (from the root causes to the
hazardous condition, analogous to a Fault Tree Analysis + Causal Factors Analysis)
is appropriate to perform an RCA.
The right side of the Bow-Tie Diagram (analogous to an Event Tree Analysis)
serves to assess the consequences of a single initiating event and their probabilities,
and it is useful for safety risks assessment.
The guidelines to draw the Bow-Tie Diagram are summarized in the following
steps:
• Identification of Hazards
• Identification of Top Events (uncontrolled Hazards)
• Identification of Threads
• Identification of Consequences
• Identification of Control Methods. The control methods at the left side of the
diagram are the proactive methods used to prevent the top event from happening;
the control methods at the right side prevent the hazard from becoming in
unwanted consequences.
The selection of the Top Event is critical to develop a Bow-Tie diagram but,
at the same time, is completely subjective. For example, an Overdue AD can be a
consequence for an organization but can be a Top Event for a structural failure.

1 BowTie Methodology Manual. BowTieXP. Revision 15, 2015.

28.1 Root Cause Analysis 311

28.1.4 Failure Mode and Effects Analysis (FMEA)

The Failure Mode and Effects Analysis (FMEA) is a structured approach to

discover potential failures (failure modes) that may exist in a design, including the
design of an aircraft, system, component, modification, process, etc., and assess the
consequences of those failures at different levels.
The FMEA requires to review as many elements of the design as possible, e.g.,
systems, subsystems, and components in an aircraft, or steps in a process.
When the FMEA is focused on a process, it is known as Process FMEA
(PFMEA), and the hazards to be identified are derived from Human Factors, the
methods, the equipment, the measurement systems, and the process performance.
The FMEA principles are the base of the MSG-3 analysis used through a top-
down approach: from the aircraft, systems, and subsystems to the components. (see
Sect. 6.1).
The FMEA is also used as a qualitative tool for System Safety Analysis (SSA) to
determine the effect of a failure (see Sect. 6.2.1.1), or as an analytical technique to
perform Reliability RCAs.
The criteria used by the FMEA include:
• Failure cause and frequency,
• Severity or impact of the failure, in the MSG-3 categorized as “safety” and
“economic.”
• Detection (likelihood of failure detection), in the MSG-3 categorized as “evident
to” or “hidden from” the operating crew.
The FMEA is captured in a worksheet usually difficult to understand, reason why
a set of Bow-Tie Diagrams can be used to visualize the results while the worksheet
provides more detailed information about the causal chains and the failure modes.
Example: MSG-3 Life Vest Function
The following example summarizes the FMEA/MSG-3 process for one of the
functions of a Life Vest:
• Function (the normal characteristic actions of the item): To inflate the life vest
automatically by pulling the handle.
• Functional Failure (How the item fails to perform its function): Failed to
inflate the life vest automatically.
• Failure Effect (What is the result of the functional failure): Life Vest cannot
be inflated automatically. Manual inflation is still available.
• Failure Cause (Why the Functional Failure occurs? Gas cylinder activation
mechanism failed.
• Is the occurrence of a functional failure evident to the operating crew? No,
the failure is not detectable by operating crew during normal duties because the
life vest is only used in case of emergency.
• Does the combination of a hidden functional failure and one additional failure
of a system-related or back-up function have an adverse effect on operating
312 28 Problem Solving

safety? Yes, the failure in combination with an emergency situation does not have
an adverse effect on operating safety because the life vest can be inflated manually,
but the item is considered emergency equipment.
Based on the analysis, the function is associated with the FEC 8 Hidden Safety
category, and an appropriate task must be selected to avoid the safety effect of failure,
e.g., an Operational check of the gas cylinder mechanism.

28.2 Reactive Problem-Solving Methodologies

The two Reactive Problem-Solving methods presented hereunder can be used as

described or customized to the necessities of any organization or function.
The A3 method is a comprehensive tool based on the PDCA Cycle that allows
visualizing which is the current state of the processes related to an occurrence, which
are the causal factors for the occurrence to happen, which are the goals established
to prevent those causal factors, the corrective actions, and the follow-up process. See
Sect. 29.1.2.1 for further details about the PDCA Cycle.
On the other hand, the Maintenance Error Decision Aid (MEDA) provides a
predefined tool specially designed for errors on aircraft maintenance with a user-
friendly format.
When comparing both methods, A3 represents a continuous improvement method
while the MEDA miss some elements that may be essential for a comprehensive
investigation, e.g., the goals to be achieved or the state of the current process that
may facilitate the work.

28.2.1 A3 Method

The A3 Problem Solving is a structured method that consists of a systematic

approach that mirrors the Plan-Do-Check-Act (PDCA) Cycle.
The A3 lean methodology was first used by Toyota during the 1960s and gained
great popularity amongst the manufacturing industry. The A3 is demonstrated to be
a simple, concise, and effective tool that can be used across other types of industries.
The tool to apply the methodology is the A3 Report, which originally used an ISO
A3 size paper that gives the name to the method. Because there is not an established
set format, the report should be customized to the needs of the organization and
standardized, maintaining the PDCA principles.
The following main sections of the A3 process are proposed:
Plan
• Background. Identification and brief description of the problem: What, When,
Where, Who, Why, How, and How many/How often.
28.2 Reactive Problem-Solving Methodologies 313

• Immediate Corrective Actions. Measures to solve the current negative effects of

the issue. The immediate actions usually do not prevent the issue from occurring
again.
• Current situation. Summary of the context in which the issue has happened. It
may include an overview of the processes, e.g., a process flowchart, procedures,
and any other information that aids to understand how things are done at the
present.
• Goals. Definition of the desired state. Because a deeper understanding of the issue
is gained while advancing with the report, the goals are usually reformulated.
• Root Cause Analysis (RCA). Analysis of the underlying causes of the issue. This
is the most critical step as the right causes should be clearly identified; otherwise,
we may be proposing solutions to a wrong problem. See Sect. 28.1 for RCA tools.
• Corrective Actions/Countermeasures. Once the root causes are defined and
understood, the countermeasures are the proposals of potential solutions that aid
to reach the Goals. A Return on Investment (ROI) or Cost–Benefit Analysis (CBA)
may be required at this step to measure all the potential costs and benefits from
each solution, so the most appropriate is selected.
Do
• Action Plan. The plan includes the steps, actions, responsibilities, and timelines
to implement the Countermeasures. Beta testing can be introduced in the Action
Plan to assess the results of the Countermeasures at small scale and verify if the
desired results are obtained.
Check
• Monitoring and Validation. Confirmation of the desired effects of the Coun-
termeasures. If the Goals are not achieved with the proposed Action Plan, it is
required to draw a new plan that may require to assess some parts or the overall
project again.
Act
• Follow-up. Update and standardization of processes, procedures, work instruc-
tions, etc., to finalize the full implementation of the solution.
• Distribution. Communication of at least a summary of the A3 report to the
affected or interested parties across the organization that may benefit from the
report knowledge.
Two valuable stages not considered by A3 but defined in a similar method, the 8
Disciplines (8D) methodology used by Ford, are:
• A preliminary stage for the Emergency response actions, and
• An end-stage to congratulate and recognize the collective efforts of the team.
314 28 Problem Solving

28.2.2 Maintenance Error Decision Aid (MEDA)

The Maintenance Error Decision Aid (MEDA)2 is a structured process developed

by Boeing in the early 1990s to investigate events caused by maintenance technicians
and/or inspectors’ performance.
The MEDA event investigation is basically an interview with the person whose
performance lead to the event with the objective to find out what errors (uninten-
tional) or violations (intentional, e.g., deviation from regulations, company policies,
process or procedures) occurred and which are the contributing factors for those
errors/violations to happen.
The model used by the MEDA philosophy is analogous to the HFACS framework
introduced in Sect. 25.1: a maintenance technician or inspector works within an
immediate environment under supervision within an organization, and a failure at
any of these levels can contribute to an event.
The fundamental philosophy behind MEDA is:
• A maintenance-related event can be caused by an error, by a violation, or by an
error/violation combination.
• Maintenance errors are not made on purpose.
• Maintenance errors are caused by a series of contributing factors.
• Violations, while intentional, are also caused by contributing factors. and
• Most of these error or violation contributing factors are under the control of
management, and, therefore, can be improved so that they do not contribute to
future, similar events.
The main pillars of the MEDA philosophy are the MEDA Results Form and the
MEDA Interview with the technician and/or inspector.
The MEDA Results Form
The MEDA Results Form used to apply the methodology is a predefined four-page
format structured in six sections.
• Section I—General Information. When, where, and to what the incident
occurred: airline, station, aircraft and engine type, aircraft designator, ATA, zone,
references to similar events, interviewer information, date and time of the event,
date of investigation, shift during which the event occurred, type of maintenance,
implementation of corrective actions dates, etc.
• Section II—Event. Selection of the Event category: Operations Process Event
(Delay, Cancelation, Return to Gate, In-Flight Shut Down, Air Turn-back, Diver-
sion, Smoke/fumes/odor event, Others), Aircraft Damage Event, Personal Injury
Event, Rework (didn’t pass ops check/inspection), Airworthiness Control, Found
during Maintenance, Found during Flight, or Other Events.
• Section III—Maintenance System Failure. Whether caused by an error or a
violation, the maintenance system failure (the Active Failure) leads directly to the

2 Maintenance Error Decision Aid (MEDA) User’s Guide. Boeing. September 2013.
28.2 Reactive Problem-Solving Methodologies 315

event. There are eight major system failures listed in the form and a ninth box
provision for other failures:
– Installation failure,
– Servicing failure,
– Repair failure,
– Fault isolation, test, or inspection failure,
– Foreign object damage/debris,
– Airplane or equipment damage,
– Personal injury,
– Maintenance control failure,
– Others.
• Section IV—Chronological Summary of the Event. Summary of the Event in
chronological order and contributing factors found during the interview.
• Section V—Summary of Recommendations. It is recommended to summarize
each recommendation associated with the identified contributing factors. The
strategies proposed from preventing system failures are:
– Error reduction/Error elimination: try to improve task reliability by eliminating
or reducing the adverse conditions that have increased the risk of maintenance
error.
– Error capturing: tasks performed specifically to catch an error made during a
maintenance task, e.g., Independent Inspection or Re-inspection, operational
or functional test, or verification steps.
– Error tolerance: allows a system to remain functional even after maintenance
error, e.g., staggering dual maintenance into different maintenance visits or
being performed by different technicians.
– Audit Programs: audits do not address specific contributing factors but may
identify systemic conditions that may contribute to error.
• Section VI—Contributing Factors Checklist. The last part of the report aids
to identify the contributing factors with the following categorization. Once the
category is selected, a description of how each factor contributed to the system
failure follows.
– Information,
– Ground support equipment, tools, and safety equipment,
– Aircraft design, configuration, parts, equipment, and consumables,
– Job or task,
– Knowledge and skills,
– Individual factors,
– Environment and facilities,
– Organizational factors,
– Leadership and supervision,
– Communication.
316 28 Problem Solving

The MEDA Interview

The Interview is the most important part of the investigation as it allows to identify
the contributing factors to the error or violation.
The use of Cognitive Interviewing principles is recommended to increase the
amount of information that can be recalled. These principles are summarized in the
following stages:
• Develop and maintain good rapport.
• Encourage the interviewee to be actively involved.
• Help the interviewee concentrate.
• Use open, simple, and unbiased questions.
• Listen actively.
• Use a communication style to suit the interviewee.
• Work as a team with other interviewers.
It is recommended that the interview team is formed by no more than two people
trained on MEDA; when only one person is doing the interview, it results less
threatening to the technician.
Chapter 29
Continuous Improvement Methodologies
and Tools

The previous chapter introduced some Proactive Solving tools as continuous

improvement methods when potential safety-related issues are detected, usually
triggered by an occurrence when a high-risk scenario is identified.
Additionally to the safety enhancement, there are several methodolo-
gies/philosophies than can be used for the continuous improvement of the orga-
nization’s processes to make them more effective and efficient.
Effective processes are those that achieve their purpose, producing the intended
or expected result; efficient processes are those that perform with the least waste of
resources (budget, staff, time, material, effort, etc.).
This chapter introduces four methodologies that have been proved to be valuable
across different types of industries:
• Lean focuses on minimizing waste (fewer resources).
• Kaizen improves all aspects of the organization through processes standardiza-
tion, increasing efficiency and eliminating waste.
• Six Sigma focuses on improving the quality of the final product or service by
finding and eliminating causes of defects.
• Agile encourages teamwork and self-organization to achieve quick response to
changes.
These methodologies are not selective and under certain criteria can be integrated,
e.g., giving way to Lean Kaizen, Lean Six Sigma, or Lean Agile. Actually, despite
the differences in the approach of each method, on many occasions, they make use
of the same continuous improvement tools. This is the reason why the first part of
this chapter introduces the methodologies and the second part describes some of the
tools.
Although these methodologies are suitable to be adopted within a function of the
organization, the noticeable benefit is amassed when applied to its entire structure,
when everyone is engaged in the continuous improvement culture, from managers
to non-managerial employees.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 317
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_29
318 29 Continuous Improvement Methodologies and Tools

The use of continuous improvement methodologies can direct the organization

to the Process Excellence, making all its activities more effective and efficient. It
is the first step toward Operational Excellence, a broader concept that does not
only encompass the continuous improvement of processes but the integration of
these methodologies and other improvement tools (project management, innovation,
etc.) within the Management Systems of the organization: safety culture, continuous
improvement culture, people, resources, etc. to function optimally together through
streamlined processes.

29.1 Continuous Improvement Methodologies

29.1.1 Lean

The core of the Lean methodology is reducing waste and adding value in every
process. Its origin goes back to the 1940s when Toyota established the foundations
of Lean manufacturing, aiming to eliminate activities that did not add value to the
end product and that resulted in significant productivity and efficiency improvements.
The “Lean” term and its five principles would be coined years later during the 1990s.
The notable impact of Lean thinking not only changed the manufacturing industry
but it has spread and succeed across many others.

29.1.1.1 Lean Principles

The Lean methodology provides with a five-step cycle approach for guidance to
implement the Lean measures:
• Identify Value: how the product or service meets the customer values. It requires
to design the processes to meet the customer needs and remove the features that
do not add value. In order to know what are the customer needs, it is necessary to
engage with them through interviews, surveys, or data analytics, e.g., analysis of
complaints, discrepancies, etc.
• The Value Stream: the life cycle of a product or service. It requires to identify all
steps in the process and eliminate those that do not add value. The Value Stream
Mapping (VSM) is indicated as the right tool to analyze the current state of the
processes for identification and segregation of value-added from non-value-added
steps.
• Create Flow: the sequence of steps necessary to create a product or service. It
requires to make the value-added steps to occur in an efficient manner (flow).
• Establish Pull: production based on the demand. It requires creating pull between
all steps in the process, if continuous flow is possible.
• Seek Perfection: continuous improvement. The four previous steps are only the
beginning of the Lean cycle, but in order to keep eliminating waste is necessary
29.1 Continuous Improvement Methodologies 319

that the company culture aims to continuously optimize the processes. Kaizen
is likely the most appropriate methodology to create a continuous improvement
culture at all levels in an organization.
The Lean principles can be integrated within the PDCA and the DMAIC Cycles
detailed in the following paragraphs.

29.1.1.2 Types of Waste: The 3M Lean Model

The Lean methodology focuses on eliminating activities that consume resources but
do not bring any added value (waste). The 3M Model is used to explain the three
types of waste (in Japanese terms): MUDA, MURA, and MURI.
MUDA is the Japanese word for waste, and it refers to non-added value activities.
Some non-added value practices, e.g., audits, are considered as non-value practices
but are still necessary to ensure the quality of the product or service; these are clas-
sified as MUDA Type I. All the other non-value activities that are strictly considered
as not necessary are classified as MUDA Type II.
Attending to the reason of the waste, the MUDA is classified into eight categories
under the TIM WOODS acronym. It is used as a framework to define the types of
waste that can be found in a process:
• Transport: movement of people, products, and information from one place to
another that could endanger their integrity, e.g., transferring information from a
system to a spreadsheet.
• Inventory: cost associated with parts and documentation not on Just in Time
(JIT). JIT refers to the workflow method to produce only the amount of goods
that are needed to meet the demand.
• Motion: unnecessary movement of tools, equipment, or people, e.g., moving
between locations for material or a meeting.
• Waiting: wasted time waiting for parts, equipment, tools, information, instruc-
tions, etc.
• Overproduction: producing more than the next process needs causing excessive
inventory or work waiting for further processing.
• Overprocessing: excessive standards not required by the customer, e.g., unneces-
sary information or unnecessary people in an email or meeting.
• Defects: failure of a product or process to meet the specifications, requiring rework
or scrap.
• Skills: underutilized staff capabilities, task delegation, or knowledge transfer.
The MURA waste is translated as unevenness, non-uniformity, irregularity.
MURA refers to the varying workload that is usually associated with the customer
demands, and that ends with bottlenecks when the demand is high and with human
resources waste when it is low.
To eradicate the MURA is necessary to make use of JIT strategies and integrate
appropriate reporting systems; the lean tools that can assist in producing the right
320 29 Continuous Improvement Methodologies and Tools

work and the right amount of work at the right time are based on pull strategies such
as Kanban (see 29.2.4).
The MURI waste is the overburden, strain, or unreasonable work, usually result
of the MURA waste: working in a process without training, unclear instructions, lack
of proper tools and equipment, unreliable processes, poor communication, etc.
The effects of MURI are directly related to inefficiency but also to any type of
Human Factors: pressure, stress, lack of awareness, etc. Tools such as 5S, Poka-Yoke,
or automation can help to kill the MURI evil.
MURA and MURI are not waste as such but considered as the catalyst of MUDA.
The MUDA TIM WOODS categories are symptoms of failure to handle MURA and
MURI. In rough outlines, by eliminating MURA and predicting the process flow, the
deficiencies of MURI within the process are highlighted and, therefore, can also be
eliminated, turning into the elimination of the MUDA.

29.1.2 Kaizen

Kaizen is a Japanese word meaning “Change for Better (Improvement).” The Kaizen
philosophy aims to create a culture where all employees are engaged on the contin-
uous improvement of the processes of the organization. As Lean, the origins of
Kaizen are usually traced back to Toyota.
The Kaizen philosophy is supported by the PDCA Cycle based on the thinking
that small and incremental changes, which are easy to implement, can bring large
positive improvements.
Kaizen has a dual nature:
• As a philosophy, building the continuous improvement culture, and
• As an action plan, through Kaizen Events, to address specific areas of improve-
ment within the organization.
A Continuous Action Plan of Kaizen Events throughout the entire organization is
the base to achieve the success of the Kaizen philosophy.
Kaizen empowers the voice of the employee, those doing the job, through sugges-
tions schemes. These are the means to encourage the employee to detect deficiencies
and areas of waste and propose solutions, e.g., through Kaizen suggestion boxes or
rewards to suggestions.

29.1.2.1 The PDCA Cycle

The PDCA Cycle (Plan-Do-Check-Act), also known as Deming Cycle, is an iter-

ative four-step model to support problem solving, continuous improvement, and
managing process changes.
The framework has been utilized by different standards and methodologies,
amongst them ISO 9001, Lean, and Kaizen.
29.1 Continuous Improvement Methodologies 321

The model is structured into the following steps:

• Plan: identify the problem or opportunity to change, collect relevant data,
understand the root cause, and establish objectives and solutions.
• Do: test the solutions at small scale and collect data. The solutions applied at small
scales allow minimal operational disruption, and they can be later incrementally
implemented at larger scales.
• Check: analyze the data gathered during the Do phase for effectiveness and decide
if the solution is appropriate, requires adjustment, or is not effective.
• Act/Adjust: if the solution does not work, the cycle needs to be repeated again
with a different plan or adjustments to the plan; if the implementation of the
solution is successful, the learned lesson can be standardized and implemented
into wider changes. In any case, the Act phase becomes the base for the next
PDCA iteration.
Simple tools such as the Five Why Analysis or the Cause and Effect Diagram
(Ishikawa) are appropriate during the Plan and Check phases.
The PDCA Cycle does not look for perfection in just one iteration, but just what it
can be practically achieved. Trying to reach the excellence in just a movement may
lead to the Analysis Paralysis with no solution implemented. Excellence is expected
from small but continuous improvements.

Fig. 29.1 PDCA cycle

322 29 Continuous Improvement Methodologies and Tools

29.1.3 Six Sigma

Six Sigma is a methodology that provides a set of tools and techniques designed to
seek a solution to any variation or defect that is present in a process.
The conventional strategy assumed that if the products or services were of good
quality, then the performance standards were correct, but the efforts were largely
overlooked and unquantified.
The first objectives of Six Sigma were drafted by Motorola during the 1980s and
initially focused on statistical methods that targeted a process mean (average) of six
Standard Deviations away from the closest specification limit, translated to a target
of 3.4 defects per million operations.
Six Sigma follows its own cyclic methodology known as the DMAIC Process.

29.1.3.1 The DMAIC Process

The DMAIC Process (Define-Measure-Analyze-Improve-Control) is a framework

for improvement, analog to the PDCA Cycle, structured in five stages:
• Define the business opportunity and establish the goals,
• Measure the process current state and collect relevant data,
• Analyze the data and determine the Root Causes for the defect under considera-
tion,
• Improve the current process creating a future state process that reduces/eliminates
waste and variation, and
• Control the future state process to sustain the results.
The DMAIC Process is repeated until the desired results are achieved.
The phases of DMAIC and PDCA are comparable, where the Plan phase of the
PDCA is the Define-Measure-Analyze phases of the DMAIC.

29.1.4 Agile

The Agile methodology is an iterative approach to project management in which

the work is delivered in small portions at each delivery cycle, which provides the
opportunity to gather feedback, respond to changes quickly, and redefine the project
in accordance with the needs.
Agile empowers self-organized cross-functional teams, groups of individuals with
different functional expertise working toward the same goal.
Agile was initially thought for software development but has crossed the
barriers and demonstrated its benefits in many other industries with highly dynamic
environments, especially when handling innovation or creative projects.
29.1 Continuous Improvement Methodologies 323

The Agile iterative model is based on the PDCA Cycle (Iteration Planning, Itera-
tion Execution, Iteration Review, and Iteration Retrospective), where each iteration
has a defined fixed time. Shorter iterations allow more frequent opportunities to
measure the progress and use feedback.

29.2 Continuous Improvement Tools

29.2.1 Process Mapping

A Business Process is the sequence and interactions of the activities necessary to

produce a product or service: the flow of work.
The main purpose of process mapping is to gain understanding on how the process
works (current state of the process) or how a new or adjusted process would work
(future state).
Process Maps are very versatile and serve not only to document processes but can
be used for several other purposes such as process analysis, process improvement or
redesign, simulation, measurement, training, retention of knowledge, etc.
A Process Map can be drawn for any set of activities where there are inputs and
outputs; the full benefit comes when the Business Process Map covers the entire
organization processes and interactions as it is possible to establish if it is aligned
with its policies. A Process Map facilitates the visualization of how a process impacts
other processes or the end product or service; it is especially useful to assess process
links (when the output of a process is the input of a different process) that are usually
the most critical elements of the organization, where latent conditions and risks
are more present, e.g., due to lack of communication or lack of teamwork between
process owners.
Types of Process Maps
There are several types of Process Maps depending on the level of detail required
and the purpose for which the map is required. The three following types are a
representative example of the process mapping tools that can be used for continuous
improvement:
• SIPOC: high-level Process Map that summarizes a process from the beginning to
the end focusing on the essentials; it does not include much details. SIPOC stands
for Suppliers, Inputs, Process, Outputs, and Customers. The SIPOC focuses on the
inputs and outputs of the process (material, products, services, or information),
rather than on the individual activities.
A modified SIPOC, the SIPOC-R, includes the Process Requirements. These
are the details about the regulations, specifications, and/or acceptance criteria
needed from the process output.
324 29 Continuous Improvement Methodologies and Tools

SIPOC/SIPOC-R is the first step to understand a process and is a useful intro-

duction to the process during Kaizen Events, the Plan phase of the PDCA Cycle,
or the Define phase of DMAIC.
• Swimlane Map (Cross-functional Map): flow chart that sequences the activities
of processes and subprocesses and separates the responsibilities into lanes. It can
be drawn at high level with information of the major process steps, stakeholders
and their interfaces, or with greater detail of the activities within the process. This
type of map is typically used to document Business Processes (in lieu of the SOP
system), and as the other types, used for continuous improvement: identification
of waste, bottlenecks, weaknesses, etc.
The Business Process Model and Notation (BPMN) is a standard used for
Business Process Mapping suitable for Swimlane Map drawing that provides a
graphical notation easy to understand and interpret: events, activities, gateways,
and connections.
• Value Stream Map (VSM): displays the critical steps of a process quantifying
and detailing the resources required (e.g., material, information, time) at each
stage for the process to flow.
VSMs are used to understand which are the value-added activities and the
non-value-added activities within the process, with the objective of eliminating
waste.

Business Process Map versus Standard Operating Procedures (SOP)

A Standard Operating Procedure (SOP) is a written instruction on how a
process works. The SOP details the high-level steps of the process being described
(the activities necessary to complete the process) and assigns ownership and
responsibilities.
The specifications about how to carry out the procedure or any of its activities are
given in a more detailed document that describes the step-by-step activities (including
equipment, tools, and methods): the Work Instruction (WI).
SOPs have been used traditionally to systemize and document business processes
and to show compliance with the regulations and the organization’s policies; however,
SOPs present a series of disadvantages in comparison with Business Process
Mapping.
The development, maintenance, and organization of SOPs are time consuming,
require a high volume of documentation, the workflow may be difficult to interpret,
and rarely they can be used as improvement tools.
On the other hand, Business Process Maps present several advantages in regards
the conventional SOPs at the time of documenting processes: they can be built in
considerably less time, are easier to organize and maintain, are more visual, the
workflow is aligned and are easier to understand, and represent a basic tool for
process improvement.
Business Process Mapping is a preferred method to document processes. Nowa-
days, the Business Process Map software or platforms that may be developed by any
organization already incorporate provisions to provide further details for each activity
29.2 Continuous Improvement Tools 325

if the process map is not clear enough. These explanations should be minimized just
for purposes of easing the understanding of the process.
Additionally, these software/platforms usually allow to link Work Instructions,
Forms, Check Sheets, Standards, etc. when more detailed information to perform an
activity or support documentation is required.

29.2.2 The Re Method: Eliminating Overprocessing Waste

The Re method is one of the most simple and straight tools that can be used to reduce
overprocessing waste (one of the waste types of the TIM WOODS model).
“Re-” is a Latin prefix that indicates repetition (again), e.g., repeat, reinspect,
re-do, rework, reevaluate, reprogram, recollect, etc.
The method consists in identifying all steps of the process that indicate activity
duplication. It is not limited to activities starting with Re- but to words such as check,
verify or ensure.
The identification of duplicate activities is relatively easy when the Business
Process Map is already developed.
As seen in the previous paragraphs, there are two types of MUDA waste. The Re
method consists of identifying which activities are MUDA Type I (non-value added
but necessary) and which are Type II (not necessary). MUDA Type II activities can
be eliminated from the process straight away as soon as detected.
MUDA Type I usually includes activities aimed to ensure that we are operating out
of the Risks area of the Triangle of Airworthiness; it requires a touch of engineering
judgment to analyze if the activity is reasonable, e.g., whereas it makes sense that a
second person verifies the triggers and applicability of an Engineering Order related
to an Airworthiness Directive, verifying that there are no spelling errors in all the
document by a second person may be a waste of time.

29.2.3 6S Method

The 6S method, also known as 5S + Safety, is used to organize and improve the
working environment for effectiveness and efficiency.
A preliminary step for applying the 6S method is to know the work process, so it
may be a good idea to go for the 6S after a Business Process Mapping exercise.
The 6S is divided into five stages, derived from Japanese words, and a sixth stage,
Safety, that is to be applied during those five steps:
• Seiri (Sort): identify and remove/archive all the items in the workplace that are
not needed to perform the work. It facilitates the search of the required items,
reducing time and distractions, and also eliminate obstacles (hazards). Items not
only refer to physical workspace things (equipment, tools, materials) but also to
326 29 Continuous Improvement Methodologies and Tools

the virtual workspace (files, folders, emails, SOPs, WIs, Business Process Maps,
non-interfaced databases storing the same information, etc.).
• Seiton (Straighten/Set): organize all the remaining items based on their function
using ergonomic principles to make them available when required. Each item
should have an assigned location and clear identification (equipment labels, files
or folders appropriately named, etc.). Seiton eases the search of the items, spot
when the items are not returned, reduces movement waste, and facilitates process
flow.
• Seiso (Shine): clean and maintain the workplace pleasing on a regular basis. It
allows to identify more items that are not needed and that were omitted during
the Seiri phase, or better ways of organizing the items that were not taking into
consideration during the Seiton phase.
• Seiketsu (Standardize): establish new norms and procedures based on the previous
stages and monitor adherence.
• Shitsuke (Sustain): apply the developed norms and procedures until they become
habitual, part of the workplace culture. It may require training sessions, regular
audits, checklists, etc.
• Safety: apply the safety principles during all the above stages to identify and
eliminate hazards. If needed, use a risk assessment method, e.g., Safety Risk
Assessment Matrix (see Chap. 23).
The implementation of Visual Management principles during the Seiton
stage (Straighten), using instinctive visual means to communicate key information
(standards, warnings, etc.), makes the workplace speaks and improves safety.
The 6S method works in any area of an organization and contributes not only to
eliminate waste but to enhance the culture of safety.

29.2.4 Scrumban: Scrum and Kanban

Following the Visual Management tools, Scrumban is a Lean/Agile methodology

result of combining the Scrum and Kanban methods as an approach to workflow
management.
Kanban, a Japanese word translated as “billboard,” was originally a Lean manu-
facturing tool used as a visual scheduling system that was designed to improve
Just In Time (JIT) by eliminating bottlenecks and producing only the amount of
products/services that were needed to meet the demand. The main tool was the
Kanban board that made visible the status of each task within the process to the team
(requested, in progress and done), in which the in-progress status tasks were limited
in order to ensure an optimal pace of work without exceeding work capacity.
On the other side, Scrum is an Agile tool, initially conceived for software devel-
opment to facilitate the iterative Agile philosophy for complex products: breaking
29.2 Continuous Improvement Tools 327

the work into smaller goals that can be completed within each delivery cycle (itera-
tion, also called sprint). Scrum defines specific roles (scrum master, product owner,
scrum team) under relatively strict rules.
The hybrid methodology leverages Scrum for agility and Kanban for continuous
improvement, eliminating the rigidity and the specific roles of the Scrum method
and maintaining the iterative approach, while Kanban provides the workflow visual
tool, allowing an overall flexible method.
As it happens with most of the continuous improvement tools, Scrumban requires
to know well the business processes, and it is necessary to refer again to the
importance of Business Process Mapping as a preliminary activity to any other
improvement task.
The Kanban methodology itself, and consequently Scrumban, has evolved from
Kanban boards to more sophisticated ways: emails, sensors, electronic dashboards,
etc.
Virtual solutions to manage the workflow and backlog with board automation are
commonplace through a variety of software, e.g., Agilo for Trac (open source) or
JIRA, or aviation specialized software such as Ground Star.
These software applications allow the use of the Scrum, Kanban, and Scrumban
principles and can provide a platform to illustrate the status of each activity, discuss
on tasks, time tracking, issue of automatic reports, quality control, etc.
Workflow visualization allows the stakeholders to analyze metrics and adjust
priorities (data-driven decision making). The acquisition of data may require that the
(Scrumban) software is interfaced with other management software or databases.
The Scrumban methodology is applicable to most of the aircraft mainte-
nance business areas, resulting especially interesting to optimize the staff capacity
management.
The use of Scrumban shows plenty of benefits, amongst them: allows real-time
process tracking, optimizes the process workflow, serves as a repository of infor-
mation, and is a useful tool to eliminate many of the TIM WOODS wastes, e.g.,
minimizing meetings, progress reports, interruptions, etc.

29.2.5 Poka-Yoke

Mistake-Proofing, from the Japanese words Poka-Yoke, is any element of the

process that is designed with the purpose of preventing human errors.
For example, when an assembly requires the use of four screws for installation,
the screws can be yellow coated and packaged in batches of four, so missing bolts
from the package and from the installation are easily detectable. Or a maintenance
software that pops-up a warning when a Maintenance Requirement is set up without
applicability or threshold/interval triggers for the attention of the staff.
The ergonomics approach followed during the aircraft design as per CS/FAR 25
is another example of the Poka-Yoke application.
328 29 Continuous Improvement Methodologies and Tools

Theoretically, a full mistake-proof element (an element with zero error/mistake

tolerance) would eliminate the necessity of the 100% quality control practices.
The Poka-Yoke process exercise can be adapted from the following steps:
• Review each step of the Process Map and identify where human errors are likely
to happen.
• Find the root causes for each potential error.
• Design a solution that prevents the error from occurring or that detect the mistakes
as they occur.
• If there is no solution that makes impossible the error to happen:
– Design a solution that minimizes the risks to an acceptable level, and/or
– Establish a quality control method/element, e.g., an independent inspection.
Poka-Yoke not only minimizes the probability of human errors but can signifi-
cantly reduce all types of waste.

29.2.6 Gemba Walk

Gemba is the Japanese word for “the real place,” meaning the place where the value
is created, where the real work occurs.
The Gemba Walk is one of the main Lean tools used for continuous improvement
by managers and supervisors, that may be submerged into data, reports, meetings,
etc. and lose the sight of what is really going on.
Gemba allows them to connect or reconnect with the processes with regular walks
to observe how the process activities are carried out and talks with the staff that does
the job.
Each Gemba Walk focuses on a specific area, e.g., safety, efficiency, effectivity, or
some of the TIM WOOD wastes, in line with the Kaizen philosophy: great changes
start by small but steady improvements.
The manager/supervisor should prepare specific questions and a Gemba Checklist
if appropriate.
Gemba is useful to listen the concerns of the employees about specific activities,
ask questions, where the Five Why method can serve of assistance (see Sect. 28.1.1),
gather information, detect areas of waste, and note opportunities for improvement.
The Gemba knight-errant should possess at least some basic knowledge of Lean
principles and tools to be able to identify these areas of waste and opportunities.
Gemba should not fall into punitive actions but into a positive environment where
the staff is willing to share information; Gemba is neither an instant recommendation
process, just a data collection process.
After the Gemba Walk, when all the data and ideas are analyzed and organized,
they should be communicated to the concerned team.
Kaizen Event(s) may be called to focus the efforts on specific projects for
improvement on the weak areas detected during the Gemba Walk.
29.2 Continuous Improvement Tools 329

29.2.7 Kaizen Events

A Kaizen Event is a workshop whose objective is to improve a business area or

process. It can be part of the schedule of the Kaizen Continuous Action Plan or
triggered by a Gemba Walk or an occurrence where weaknesses or waste have been
revealed.
The duration of a Kaizen Event depends on the complexity of the subject process
and the scope of the event, usually lasting from a few hours up to a week.
Before the event, it is necessary to identify the area/process of improvement and
define specifically the scope and goals of the event.
In order to provide an overall perspective of the process and on potential changes,
the Kaizen Event team should be diversified. It is usually formed by 6 to 10 people,
including:
• a facilitator with knowledge and experience in continuous improvement method-
ologies and tools,
• staff directly involved in the process (about 50% of the team),
• experts on the process,
• staff that provide input to the process, if considered advantageous,
• staff that receive output from the process, and
• third-party/observer not directly involved in the process.
The participation of the management is usually limited so the solutions offered
by the Kaizen Event team are not restricted by their influence. Although they usually
have their role at the time of deciding about the implementation of the solutions
proposed during the event, especially if there are costs involved, the role of the team
to take decisions should be empowered.
The Kaizen Event can be defined in the following steps:
• explanation of the event, background, scope, and objectives
• introduction to the types of waste, continuous improvement methodologies in use
and training on the tools relevant to the event.
• Brainstorming.
– Draw the Process Map current state, if not available, and gather data about how
things are performed at present.
– Analyze the process. Make use of the Lean tools to identify wastes, deficiencies,
and areas of improvement: Value Stream Mapping, Five Why Analysis, Cause
and Effect Diagram, Bow-Tie Diagram, FMEA, etc.
– Achieve a consensus and provide solutions/draw the Process Map future state.
– Document the new standard.
– Propose an implementation plan to offer minimum operational disruption.
• Write the Kaizen Event Report summarizing the current and future states of the
process and the results of the brainstorming sessions. Also, include any other
solutions that were proposed but did not reach agreement, they may be valuable
in future.
330 29 Continuous Improvement Methodologies and Tools

Following the PDCA Cycle, once the implementation of a new solution is

approved, test it, gather data to analyze its effectiveness, and, if successful,
standardize the work and make a wider/total implementation.
In addition to all the obvious benefits of the Kaizen Events (waste reduction,
process optimization, and safety improvement), these events are a good opportunity
to engage the staff, improve teamwork, and ensure their commitment to continuous
improvement.
Chapter 30
Decision Making

Applying Problem-Solving methodologies, Continuous Improvement strategies,

Innovation projects, and especially during the day-to-day tasks requires taking
informed decisions.
There are plenty of methods that can help to make the right decision, e.g., Brain-
storming, Multivoting, Pro/con technique, Trial and Error, Decision tree, Decision
matrix, the Affinity Diagrams, the Game theory, SWOT Analysis, Pareto Chart, etc.
Incorporating data and analytics into the decision-making process (data-driven
decision making) can provide the organization with consistent and confident
solutions.
An effective Decision-Making process usually requires following a number of
steps: gather relevant information, identify alternatives, weight the pros and cons of
the different options, choose amongst the different alternatives, and taking (the most
appropriate) action.
This chapter introduces two techniques that can benefit the organization in these
regards: Business Intelligence (BI) and the Cost–Benefit Analysis (CBA).

30.1 Business Intelligence (BI)

Business Intelligence (BI) refers to the technology and processes that enable an
organization to analyze data in order to support the decision making process, e.g.,
tools that present data and provide Key Performance Indicators (KPI) in the form of
dashboards, summaries, reports, graphs, charts, queries, etc.
Business Intelligence includes all those systems that transform data into patterns
and trends in a visual context to be easily interpreted. BI allows to integrate data
from multiple data sources for their efficient access, with numerous platforms and
software solutions available on the market to provide unified data visualization.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 331
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_30
332 30 Decision Making

While BI used to be based on past Small Data that was manageable by the human
being, the current technologies and the explosion of available data, including real-
time data, are changing the ways in which the information is processed and analyzed.
As far as the data volume grows, it becomes more important to make use of
technology to extract meaningful information that helps us to make decisions.
Key Performance Indicators (KPI)
Business Metrics are the measures used to track, monitor, and assess the performance
or progress of the organization’s processes. Successful BI requires to avoid irrele-
vant or unnecessary figures and select only the right metrics, the Key Performance
Indicators (KPIs), that show in numbers (measure and target) what is important to
achieve goals and objectives for a particular audience.
The selection of KPIs is likely the most challenging task at the time of developing
a BI system; a widely recommended rule is that KPIs follow the SMART criteria:
• Specific: description of the KPI, what exactly measures.
• Measurable: measure that allows to monitor the progress.
• Achievable: KPI should be realistic, given the available resources.
• Relevant: important to the organization’s function goals and objectives.
• Timely: the measure is for a specified time frame.
The most relevant KPI areas to the Maintenance Program function are those
attributed to the Triangle of Airworthiness:
• Safety: Safety Performance Indicators (SPI) are used to monitor and assess
the safety performance, e.g., number of mandatory/voluntary reports received,
number of accidents or incidents, number of new hazards identified through the
Reporting System, % of the overall budget for new risk control, number of safety
communications published, etc.1
• Reliability: the metrics and alert levels defined in the Sect. 17.2.2.1 of this book act
as KPIs to measure the effectiveness of the AMP and the operational performance.
Measuring scheduled versus unscheduled maintenance can also be a useful KPI
to assess reliability performance.
• Quality: quality KPIs serve to assess the success of the QMS or Compliance
Monitoring function, e.g., average findings per audit, number of significant find-
ings versus total number of findings, number of repeat findings within the last
audit planning cycle, average lead time for completing corrective actions, number
of changes to SOPs, etc.
Other metrics that are usually relevant to most of the functions of any organization
are related to efficiency and productivity.

1 Measuring Safety Performance Guidelines for Service Providers. Safety Management Interna-
tional Collaboration Group (SM ICG). 16 July 2013.
30.2 Cost–Benefit Analysis 333

30.2 Cost–Benefit Analysis

The need for a Cost–Benefit Analysis has been constantly repeated throughout
the book: in the Modification Embodiment Policy (Sect. 8.4), in the AMP Evolu-
tion/Optimization (Sect. 12.1) or when adopting Safety Mitigation actions (Chap. 23).
The Cost–Benefit Analysis is an economic evaluation used to weight the costs
involved in doing something to the advantage or profit that it may bring.
While the Decision-Making process related to Safety issues or initiatives (apart
from mandatory Airworthiness Requirements) often do not require an economic
justification and there are no ifs or buts, it is true that sometimes an organization may
choose not to consider an option because it does actually not know the numbers.
A Cost–Benefit Analysis is an appropriate method to explain why a decision
is made: the CBA provides objectivity because it is based on numbers and it
demonstrates that the initiative has been matured.
The guidelines to perform a CBA can be summarized in the following steps:
• Establish a framework for the CBA defining the goals and metrics that will be
used to measure and compare benefits and costs.
• Identify and categorize projected costs and assign financial values:
– Direct costs: expenses directly related to the implementation of the decision,
e.g., an SB kit, a modification package, an upgraded component, manpower,
software licenses, etc.,
– Indirect costs: overhead expenses, usually fixed, that apply to more than one
business activity, e.g., rent, utilities, electricity,
– Downtime cost: loss of revenue derived from ceasing an activity, e.g.,
grounding an aircraft for a modification,
– Intangible costs: unquantifiable or difficult to quantify costs generally of nega-
tive nature, e.g., operational interruption, reduced productivity, satisfaction,
morale, or reputation,
– Opportunity costs: lost benefits or opportunities of choosing one alternative
over another (the cost of not choosing the best alternative).
• Identify and categorize the expected benefits and assign financial values. The
benefits are quantified in analogous way than the costs (direct, indirect, intangible,
and competitive benefits).
• Assign financial values to costs and benefits (Euros, Dollars, etc. in the same
currency).
• Compute the total value of costs, the total value of benefits, and compare.
• Project the timeframe required for benefits to repay costs: Return on Investment
(ROI). When the decision involves long timeframes, it is necessary to adjust the
cost/benefit forecast to take into account variables such as the inflation or the
discount rate to accurate the analysis.
• Analyze the results:
334 30 Decision Making

– If the total costs outnumber the total benefits, the proposal should be
reconsidered to identify potential cost reductions or in favor of an alternative.
– If the total benefits outnumber the total costs, a final recommendation can be
issued.
• Verify that the proposed solution reaches the goals established in the first step.
• Initiate a Business Case capturing the CBA and other analyses reasoning the
recommendation (gap analysis, risk assessment, etc.).
In addition of considering different alternatives, a With/Without Analysis may
be useful in cases when it is necessary to assess the impact of the decision in order
to estimate not only what the situation would be with an option but what would be
without the initiative.
While performing a CBA, there are several uncertainties that can influence the
results, distorting the analysis, but that must be assumed, e.g., some costs/benefits
cannot be translated to a monetary value or the value of intangibles is subject to
interpretation.
CBA is a useful tool to choose the option that will generate the higher value and
to justify if an initiative is worthwhile.
Chapter 31
Innovation

Following the idea of Operational Excellence introduced in the previous chapters,

Innovation is likely one of the fundamental pillars through which an organization
introduces new solutions to improve the business, its processes, and finally, the output
of those processes: the product or service.
Although innovation is usually related to invention, it actually refers to the intro-
duction of new concepts, methodologies, products/services, or processes as methods
of improvement that may be already outside in the market maybe to be adopted and
adapted from a different sector.
Innovation changes how the work is accomplished in order to create value: safer
processes or products/services, increased efficiency, reduced costs, etc.
In the framework of the so-called Fourth Industrial Revolution, the available
new technologies are leading to higher levels of automation, digitalization, and secure
data exchange, with the potential for Artificial Intelligence.
One of the main enablers for the revolution in aviation is being the Paperless
Aircraft Operations (digital publications, AMP source documents XML updates,
electronic records, electronic logbooks, electronic signatures, RFID, audit trails,
encryption of data, connectivity, etc.) that allows to align the industry data standards
and improve compliance, efficiencies, and cost reductions.1
Real-time predictive maintenance is becoming a reality and the transition to
prescriptive maintenance is already possible by using Big Data Analytics and
Machine Learning, where data sharing enters the equation to lead the aviation
industry to more efficient and safer scenarios.
These new technologies present numerous opportunities but also challenges
such as Data Security what is pushing cybersecurty to evolve as a manage-
ment system. Data protection technologies such as Blockchain will likely have a
predominant role in the near future.
This chapter introduces some of the innovative technologies that are changing the
aircraft maintenance and its work environment.

1 Guidance Material for the implementation of Paperless Aircraft Operations in Technical

Operations. IATA. Release 1-November 2017.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 335
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6_31
336 31 Innovation

31.1 Automation

Automation refers to any technology that can perform a process or activity with
minimum human intervention, from Robotic Process Automation (RPA) software
applications that facilitates business processes repetitive tasks to automated devices
that ease aircraft inspections.
Although automated systems can incorporate certain degree of autonomy,
meaning that they can use Artificial Intelligence/Machine Learning to make deci-
sions when the conditions change, as will be shown in the next section of this chapter,
both terms should not be confused.

31.1.1 Robotic Process Automation (RPA)

Robotic Process Automation (RPA) makes use of a software (bot or virtual work-
force) to develop a business process by watching how the user performs that task
and replicating the activity. As the human, once the bot is configured, it can handle
actions between multiple systems and applications: copy-paste, update information,
data entry and migration, data validation and correction, preparation of periodic
reports, generation of emails, archiving, and a long etcetera.
RPA is used to automate repetitive, prone to error or time-consuming processes
with low rates of exceptions that involve the management of digital data. RPA bots are
relatively easy and quick to configure, and the benefits are almost instant: improves
efficiency and effectiveness, reduces manpower and costs, and avoids human errors,
allowing the human to focus on the process exceptions or other areas of the business
such as critical tasks or process improvement.
The bots capabilities translated to the AMP process may be enormous, e.g., a bot
can compare the requirements of a new source document with the approved AMP and
highlight the differences, can revise if there is any reliability action related to those
revised tasks, migrate an AMP revision into the maintenance software, generate
Task Cards, Engineering Orders, preloading of parts, generation of Work Orders,
preparation of Reliability reports, etc.
RPA is not exempt from risks; the candidate process for RPA should be accom-
panied by a risk assessment, be properly designed, deployed and monitored to avoid
disruptions, and include a Recovery Plan in case of failure.
Because RPA relies much on the analysis of documentation, before selecting
RPA candidate processes, it is essential to assess if such documentation is of enough
quality not to require human intervention. It can limit the use of TCH or other third
party documents that may require a quality control method before their use in an
RPA process.
31.1 Automation 337

31.1.2 Radio-Frequency Identification (RFID)

Radio-Frequency Identification (RFID) is a wireless tracking system used to

exchange data between an RFID transponder (smart label technology similar to a
bar code) and an RFID writer/reader device. RFID provides the possibility to tag
dedicated information to individual items (asset tracking); when the reader interro-
gates the transponder(s), the smart label(s) transmits the data written in its memory.
RFID can be passive, using the energy of the radio wave, or active, battery-powered.
RFID has a wide potential in varied types of industries. In aviation, RFID has found
its way through different applications, e.g., the cargo/baggage monitoring system,
supply chain management, and as alternative means to traditional maintenance
methods such as visual inspections for data.2
The use of RFID used with the aircraft Emergency Equipment can confirm that
the assets are present and not expired just by walking through the aircraft cabin with
an RFID scanner. It is important to bear in mind that RFID does not capture the
condition of the Emergency Equipment items, a requirement of the Preflight Check
that is in force and that does not allow taking full advantage of this technology in
this regard. However, RFID can reduce inspection times and optimize the item’s
lifecycles.
RFID can facilitate the management of Components and Parts by identification
(Part Number, Serial Number, manufacturing date) and store of the maintenance
history directly in the tag (life limit, overhaul, modifications, repairs, previous corro-
sion treatments, etc.). RFID eases the traceability of the component and the exchange
of critical information between multiple parties (operator, repair shop, suppliers, etc.),
improving the supply chain.
RFID can reduce inspection times and costs and ease the access to information,
but it shows certain limitations; RFID can degrade and therefore have an expiration
date, requiring to establish a method for tracking their replacement.
When RFID technology is used as alternative means of compliance to tradi-
tional maintenance methods, the RFID limitations must be considered during the
development of the AMP.

31.1.3 Maintenance Automation

Developing technologies such as Structural Health Monitoring (SHM) (intro-

duced in Sect. 17.2.2.3) can determine the structural integrity of the aircraft through
dedicated sensors: damages, location, characteristics, and need for repair. SHM can
be Automated (A-SHM) and integrated within the AHM for real-time monitoring of
the structure and additionally is already considered in the MSG-3 methodology as a

2Guidance on Introducing Radio-Frequency Identification (RFID) into Airline Maintenance

Operations. IATA. May 2013.
338 31 Innovation

valid method for Schedule maintenance (S-SHM) by reading out the SHM device at
specific intervals.
A-SHM allows unscheduled maintenance to become scheduled, where damages
can be monitored and repairs can be planned at the next suitable maintenance visit.
Additionally, SHM allows to overcome accessibility problems, eliminates the
potential to damage the structure during disassembly, and minimizes human factors
hazards.
The aviation industry is starting to make use of other automated and semi-
automated technologies to ease and speed external aircraft inspections. Unmanned
Aerial Vehicles (UAV), drones, can be used to perform visual checks through cameras
and localize and measure visual damages on the aircraft surface with laser sensors,
but also to detect other areas of interest (oil leaks, regulatory markings condition,
etc.). The UAV path can be predefined, without the need of remote piloting, capturing
all the images necessary to generate an inspection report that can be then assessed.
For example, a regular external inspection of an A330 takes about two hours; the use
of a drone can reduce it to less than 15 min.
Definitely, UAVs provide a more accurate, effective, and efficient inspection
method. For the time being, its use is limited inside hangars and not allowed on
or near airports.
Whereas UAVs are optimized for the upper part of the aircraft fuselage, similar
inspection technologies are developed for Mobile Robots to inspect the lower part
of the fuselage.
Crawling/climbing robots with advanced suction systems are already in the
market to adhere to the aircraft surfaces and record and transmit images and for
ultrasound and thermographic testing that can be used to detect damages and record
the structural condition of the aircraft.
More solutions are being developed to facilitate the inspection and repair of engine
parts of difficult access, which may remove the need to take the engine off the
aircraft to perform maintenance. For example, Rolls Royce is researching a remote-
controlled boreblending machine that could be installed in the engine while the
specialist performs the maintenance tasks or repair remotely. A network of fiber
periscopes cameras embedded with the engine, snake robots to conduct inspections
and repairs, or microwalking cameras that can be used to do visual inspections are
technologies expected to be widely used in the near future.
These new automation technologies are faster, reduce turnaround and grounding
times and not only overcome certain human limitations but provide opportunity to
avoid human errors.
31.2 Toward Predictive and Prescriptive Aircraft Maintenance 339

31.2 Toward Predictive and Prescriptive Aircraft

Maintenance

The use of maintenance data, that has always been there available, together with
all the data that aircraft systems and components are able to generate nowadays,
including real-time data, has evolved in such a way during the last years that
Data Science and Analysis, Machine Learning and Artificial Intelligence have
become the focus for changing the aircraft maintenance concept from descriptive
to predictive/prescriptive.
The traditional Trend Monitoring programs enabled to analyze past data in order to
identify out of limit conditions and deterioration trends; kind of business intelligence
precursor to artificial intelligence.
A step forward, Data Science and Analysis have allowed to make use of existing
and emerging technologies to obtain deeper insights and information not only from
past but from real-time data; statistical models allow to discover trends and patterns
to predict future behaviors of systems and components.
The modern Aircraft Health Monitoring (AHM) systems, introduced in
Sect. 17.2.2.3, can make use of integrated sensors in systems and components that
are used to acquire more data.
Older generation of aircraft can be upgraded with hardware and software for the
installation of sensors that capture more data and that allows its automatic transmis-
sion. For example, the new solution co-developed by Airbus and Rockwell Collins,
FOMAX, allows to capture and transmit expanded volumes of recorded aircraft data
(from 400 parameters to roughly 24,000 on an A320).
Other developments, such as Airbus Skywise Health Monitoring (part of the
Skywise aviation data platform), Boeing AHM (part of the Boeing AnalytX powered
products), IKON by Embraer, Smart Link by Bombardier, etc. provide the airlines
with a range of predictive analytical tools and services to identify in real-time condi-
tions and generate alarms before they turn into faults, and prescriptive analytics,
providing decision support. These tools enable real-time fix and proactive main-
tenance management that result in reduced disruptions and increased reliability
levels.
The use of real-time data from the AHM systems with the historical mainte-
nance data under statistic and algorithm models has allowed the development of
sophisticated platforms and tools that represent authentic machine learning tools.
Some airlines have created their own solutions. For example, Agnos, the Big Data
solution developed by AFI KLM E&M, analyses in-flight data that is transformed to
alerts about defective components. The algorithms are continuously improved based
on the data provided by the aircraft and shop feedback. Another example is Aviatar,
the modular platform developed by Lufthansa that allows to centralize all the fleet’s
data on one platform and uses real-time analytics to predict faults.
Other platforms developed by manufacturers allow to store, access, and manage
the operator’s own data but also to analyze manufacturer data and global data (or data
from operators participating on specific programs), e.g., Airbus Skywise, Boeing
340 31 Innovation

AnalytX or GE Predix. The operator’s data sharing, agreed to be anonymized,

allows to develop more accurate models and algorithms so the systems automatically
and increasingly learn and improve from experience, boosting the fleet operational
reliability.
Not only manufacturers have realized about the importance of data sharing;
Lufthansa Technik launched the Aviation DataHub platform for the use of the entire
aviation industry. Airlines can benefit from deciding with who want to share their
data.
Aviation industry has already introduced the technology that exhibits behaviors
such as learning, problem solving, and decision making through data experience; this
is Artificial Intelligence able to take or support decisions and provide solutions before
problems happen and turn unscheduled maintenance into scheduled maintenance. It
provides such a great benefit in regards to operational reliability and availability.
The benefits of using these predictive and prescriptive tools definitely can make
the Aircraft Maintenance Program more efficient, with less restrictions derived from
the Reliability Program that can rely on these new approaches.
Already proposed and under IMRBPB discussion, the next AMP evolution will
come hand in hand with the MSG-3 methodology using the certified AHM capabil-
ities as alternative procedures to the scheduled tasks. But for the time being…we
have to wait for the proposal to be matured.

31.3 Blockchain

Blockchain is the technology that allows to store and share information in blocks in a
secure, decentralized, and incorruptible way. Each block is like a page in a logbook,
including the data being recorded, the data of the transaction (date, time, digital
signature, etc.) and a unique code called “hash” that references such block to the
previous block in the chain. The data stored on the blockchain is visible to everyone
that is part of the blockchain network. If the data of a block want to be altered or
a new block to be inserted between existing blocks, all the following blocks would
need to be edited too and it would require the consensus of the network, enabling
transparent transactions.
Blockchain is of particular interest for organizations that use the same data. For
aircraft operators and maintenance service providers, some of the ongoing research
projects focus on the following areas3 :
• Certification and Digital Signatures: blockchain can facilitate the use of certi-
fication and digital signatures to transfer regulated documents between interested
parties electronically, e.g., Operator Certificate, organization approval, CofA,
ARC, CRS, Task Cards, EASA Form 1, FAA 8110-3, staff licensing, etc.

3Blockchain in Aviation, Exploring the Fundamentals, Use Cases, and Industry Initiatives. IATA.
White Paper—October 2018.
31.3 Blockchain 341

• Aircraft Maintenance Records: blockchain can replace paperwork and

databases by creating immutable records of the maintenance performed on each
aircraft and component.
All the information pertaining to an aircraft or component lifecycle can be stored
consistently across different organizations and in real time: authorities, lessors, manu-
facturers, operators, maintenance service providers, etc. Blockchain would ensure
that parts are legitimate and has the potential to reduce the efforts to identify and
mitigate Suspected Unapproved Parts (SUP). See Sect. 10.1.3 for further information
about SUP.
The potential of Blockchain and its combination with the innovative technologies
detailed in the previous paragraphs is still being discovered.
For example, Blockchain can provide a framework to securely record the RPA
transactions, and RPA can be used to feed Big Data into the Blockchain.
RFID creates components with unique identification and history, and it could
also be configured to flow data into the Blockchain automatically without the need
for manual entries, automating and protecting the collection of data. The same thing
could happen with the integrated sensors of systems, structures, and components of
the Aircraft and Structural Health Monitoring systems that are used to acquire
data, decentralizing it.
While the Blockchain provides secure access to the Big Data generated by the
operation of the aircraft, Artificial Intelligence is the engine that enables analytics
and decision making from such information. Blockchain could provide transparency
to the conclusions and decisions made by AI, with the potential to record the AI
decision-making process.
The way to Blockchain to be used in the aviation industry is full of chal-
lenges and opportunities, with numerous research projects and tests running. In
the near future, Blockchain could be integrated within the organization’s manage-
ment systems and processes for secure and decentralized communications, enabling
trusting transactions.
Appendix A
Introduction to Aircraft Maintenance
Program Costs

This appendix introduces the costs of implementing or revising an Aircraft Main-

tenance Program that may be useful for budgeting or operating cost prediction
purposes.
Deduced from the U.S. DOT Form 41, widely used in airline analysis and financial
research, the total airline operating costs can be broken down into1 :
• Flight Direct Operating Costs (DOCs): cost related to flying operations,
including pilots, fuel, maintenance, and aircraft ownership,
• Ground Operating Costs: servicing of passengers and aircraft, including landing
fees and reservations/sales charges,
• System Operating Costs: marketing, administrative and general overhead items,
including in-flight services and ground equipment ownership.
The Direct Maintenance Costs (DMCs), good part of the DOC, is defined in
the ATA Common Support Data Dictionary (CSDD)2 as the maintenance labor and
material costs directly expended in performing maintenance on an item or aircraft.
The Indirect Maintenance Cost (IMC), also known as maintenance burden or over-
heads, are those expenditures that contribute to the overall maintenance operations
(e.g., line station servicing, administration, record keeping, supervision, tooling,
test equipment, facilities, etc.). DMC can be categorized attending to the nature of
maintenance: Schedule maintenance and Unscheduled maintenance.
Within the Schedule maintenance category, the three main elements generating
direct costs are:
• the Aircraft Maintenance Program (AMP), including the Reliability Program,
• Airworthiness Directives (ADs), and
• the Embodiment Policy for non-mandatory recommendations (e.g., SB, SL, etc.).

1 Airline Operating Costs and Productivity. Economic Development. ICAO. Tehran, 20–23 February
2017.
2 Common Support Data Dictionary (CSDD). A4A. Revision 2017.1.

© The Editor(s) (if applicable) and The Author(s), under exclusive license 343
to Springer Nature Switzerland AG 2022
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6
344 Appendix A: Introduction to Aircraft Maintenance Program Costs

In regards to the Unschedule maintenance, the direct costs come from:

• findings during Scheduled maintenance, and
• faults/defects during aircraft operation, including damage and repairs.
The increased costs of appropriate Aircraft Maintenance and Reliability Programs
and Embodiment policies are usually well compensated not only by the decrease of
the unschedule maintenance and its associated costs but by the reduction of down-
time and interruption costs. Downtime costs are considered as contributors to the
airline costs when the aircraft is expected to be in operation but due to “unforeseen
circumstances “ is not, e.g., due to unscheduled maintenance (derived from a deficient
AMP, likely related to a deficient Reliability Program, or an unexpected damage) or
due to supply chain shortcomings. The Downtime and the costs associated also have
much to do with the resources assigned to the maintenance function, e.g., sufficient
and appropriate documentation, qualified manpower, material, equipment/tools, and
facilities contribute to minimize the downtimes.

A.1 Direct Maintenance Cost

The greater contributors to the DMC are the requirements to detect and correct the
aging effects and the maintenance of major components.
Both of the DMC categories (scheduled and non-scheduled maintenance) are
directly influenced by the effects of aging aircraft and the consequent require-
ments (see Chaps. 6 and 7): the programs derived from the Damage Tolerance and
Fatigue Evaluation of the structure (Airworthiness Limitations, Continuing Struc-
tural Integrity Programs), the Enhanced Zonal Analysis Procedures (EZAP) to detect
EWIS contamination/degradation, or the Corrosion Prevention and Control Programs
(CPCP).
The AMP source documents establish more frequent inspections as the aircraft
gets older that result in more frequent findings and increased non-routine mainte-
nance.
The structural inspections and modifications required to comply with the
Widespread Fatigue Damage regulations, in order to operate the aircraft until its
Limit Of Validity (LOV), represent significant costs associated with in-depth mainte-
nance, the need for additional manpower (including more specialized non-destructive
inspectors) and special tools/equipment, and the rectification of defects (cracks,
corrosion, etc.), that result in longer grounding times and increased costs.
In accordance with IATA Maintenance Cost for Aging Aircraft (2018) publication,
50% of the total maintenance cost of an aircraft is “eaten” by the engines scheduled
maintenance. Additionally, the schedule maintenance of other major components,
such as the landing gear overhaul, also contribute significantly to the maintenance
costs.
Appendix A: Introduction to Aircraft Maintenance Program Costs 345

Fig. A1 Illustrative DMC Aging curves per maintenance category (IATA Maintenance Cost for
Aging Aircraft (2018))

A.2 The Cost of an Aircraft Maintenance Program

The calculation of the costs/savings associated with the implementation or revision

of an AMP may be found useful at the time of budgeting, predicting future operating
costs, or when compared with the ongoing costs, for detecting inconsistencies or
areas where a closer look is needed.
The AMP cost baseline method presented takes into consideration the AMP DMC
and certain AMP IMC derived from the implementation/revision of the AMP, such
as documentation and tools/equipment; however, other contributing factors, such
as changes in the manpower required (other than certifying and support staff but
administrative) or specific training that may be needed to ensure that sufficient level of
expertise is provided (other than mandatory training and certifications, but additional
training to cover new situations such as new aircraft configuration or new IT solutions)
are disregarded.
346 Appendix A: Introduction to Aircraft Maintenance Program Costs

Therefore, the presented AMP cost baseline method considers the following
factors:
• Documentation costs: new or revised customized documentation derived from
the specificity of the operation (supplements) or dedicated exercises such as
Evolution/Optimization dossiers,
• Manpower: changes to the workload,
• Outsourced maintenance: new or revised agreements with manufacturers and
MROs,
• Material: changes to the material needs,
• Equipment/tool: changes to the required equipment/tool.
To benefit from applying the AMP cost baseline method, it becomes essential to
calculate the overall AMP costs at a certain point in time (it can be since the initial
AMP or afterward during any AMP revision) and adjust the costs parameters period-
ically (recommended at yearly basis during the budgeting exercise). The adjustments
include:
• Accumulation of AMP revisions costs since the last adjustment,
• labor and production indexes update,
• labor rates update, and
• outsourced maintenance parameters update.

A.2.1 Use of Cost Indexes

The calculation of costs derived from the AMP implementation/revision is usually

accurate for the incoming or ongoing budget cycle, but the price changes in future
cycles may distort the cost forecast/projections. In order to accurate the cost in the
future, it is necessary the use of Cost Indexes.
The Cost Indexes used by each operator depend on the state in which the aircraft
is maintained and the sources from which the material and equipment/tools are
purchased. It is possible to use the cost indexes published by certain agencies on
assistance for forecasting the AMP costs. For example, in Europe, the statistical office
of the European Union (Eurostat) publishes the following indexes for all European
Union member states:
• Labor Cost Index (LCI): shows the evolution of the cost for employing labor force
on an hourly basis.
• Producer Price Index (PPI): measures the changes in the trading price of products
and services.
• Industrial Import Price Index (IMPR): measures price developments of imported
items.
In the USA, equivalent indexes are published by the Bureau of Labor Statistics
(Employment Cost Index, Producer Price Index, and Import Price Index).
Appendix A: Introduction to Aircraft Maintenance Program Costs 347

A.2.2 Task Unitary Cost Measurement

The cost of performing a maintenance task once for a unique aircraft is defined by the
Task Unitary Cost. The TUC is the summation of the Manpower cost, the Material
cost, and the Outsourced costs:

TUC = CMP + C M + COUT

The Manpower Cost is given by the type of skilled staff (support, certifying,
specialist), the corresponding labor rates, and the Average Man-Hours (MH). In
Sect. 5.2, it is explained that the skills and man-hours detailed in the MPD are
adjusted by the operator to its particular efficiency.
The Manpower cost factor of the TCU (CMP ) is represented by the following
formula:

CMP = MHSupport staff · CSupport + MHCertifying staff · CCertifying

+ MHSpecialist staff · CSpecialist ,

being CSupport , CCertifying and CSpecialist the corresponding MH rates for each skill.
The Material Cost is given by the components, standard parts, and raw mate-
rial that are required or estimated to be required during the accomplishment of the
maintenance task.

C M = CComponents + CStandard Parts + CRaw material

On the other side, when part or the overall performance of the maintenance task
is outsourced, it must be weighed in the cost calculations based on the details of the
agreements. More or less complex, it is possible to determine the unitary Outsourced
Cost (COUT ).

A.2.3 Task Cost/Saving Calculations

In order to calculate the cost of performing the maintenance task for the overall fleet,
it is necessary to consider two types of costs:
• One-time costs (C Initial ): assumed only once, usually known in advance of the
task implementation, e.g., documentation, equipment/tools.
• Recurrent costs: assumed repeatedly every time the task is performed. Recurrent
costs are those detailed in the previous paragraphs for the Task Unitary Cost:
manpower, material, and outsourced services.
348 Appendix A: Introduction to Aircraft Maintenance Program Costs

Total Number of Tasks Performed Per Fleet Per Year

Based on the maintenance experience (for existing tasks), the maintenance plan,
and the interval of the task, it is possible to determine the number of times that the
maintenance task has to or would have to be performed each year. If such level of
detail is not required or the approach is not feasible, it is possible to approximate the
calculations based on average terms.
The average number of times that a task is accomplished per year in the operator’s
fleet take into consideration the number of aircraft for which the maintenance task is
applicable (N) and the interval of the task expressed in months (I), converted from
FH or FC interval parameters using the fleet utilization, as applicable. Therefore, the
average accomplishment times of the task per fleet per year is given by:

N
TTotal per year = · 12 months
I
For easier understanding, the average TTotal per year is use during the next calcula-
tions.
Maintenance Task Cost Per Fleet Per Year
The increase/decrease of man-hours per fleet per year takes into consideration the
Total number of tasks performed during that period (TTotal per year ) and the Task Unitary
Cost (TUC) increase/decrease:

CostTotal per year = TTotal per year · TCU

= TTotal per year · (CMP + C M + COUT )

where:
• CMP = MHSupport staff · CSupport + MHCertifying staff · CCertifying +
MHSpecialist staff · CSpecialist ,
• C M = CComponents + CStandard Parts + CRaw material
• COUT is based on the weighted cost calculations based on the outsourced
agreements.
The CostTotal per year formula represents:
• the cost of implementing a new task, excluding the one-time implementing cost
(CInitial ), where the  is negative,
• the savings of deleting an existing task, where the  is positive,
• the delta of the costs/savings derived from the task revision (escalation, deescala-
tion, changes in the Man-Hours or Material needs, and changes in the outsourced
services agreements), where the  sign depends on the balance of the factors
analyzed.
Note: special attention must be paid to the symbols ± used in the TCUTotal per year
formula. Cost (−) and savings (+) must be appropriately defined.
Appendix A: Introduction to Aircraft Maintenance Program Costs 349

Accumulated Costs/Savings
The following formula serves to accumulate the costs/savings derived from a task
implementation/change at a specific point in time (i):


i
Costi = CInitial + CostTotal per year(indexed) ,
i0

where i = 1, 2, 3, 4… is the year in which the accumulated cost wants to be calculated,

and the total cost per year per fleet taking into consideration the indexes given in
(A2.1) are provided by the following summation:


i 
i
CostTotal per year (indexed) = TTotal per year · TCU(indexed)
i0 i0


i
= TTotal per year · (CMP + C M + COUT )(indexed)
i0


i
= TTotal per year · CMP · LCIi−1
i0


i
+ TTotal per year · C M · index(1)i−1
i0


i
+ TTotal per year · COUT · index(2)i−1
i0

While for labor costs it is clear that the index to be used is the Labor Cost Index
(LCI), for material and outsourced costs the index to be applied depends on the
producer (industrial or service) and the importation; in the above formula is just
indicated as “index()” for the operator analysis.
The following graphic shows the expected cost pattern derived from the
cost/saving analysis performed considering the application of indexes and the use of
the average total number of tasks performed per fleet per year (TTotal per year ). While
the graphics would keep a linear tendency if the indexes are not applied, it becomes
polynomial when they are applied (Fig. A2).
In the case that the total number of tasks performed per fleet per year is accurately
defined (without the use of averages terms), certain irregularities in the polynomial
curves appear, but the tendency remains.
350 Appendix A: Introduction to Aircraft Maintenance Program Costs

Cost ($)
9000.00
8000.00
7000.00
6000.00
5000.00
4000.00
3000.00
2000.00
1000.00
0.00

Time (YE)

Fig. A2 Example of Task Cost accumulation during successive years

Appendix B
Introduction to Aircraft Accident Investigation

The investigation of aircraft accidents and events and the safety studies initiatives
performed worldwide since the first days of aviation have allowed to find out
the most probable causes of such occurrences, identifying safety deficiencies and
implementing actions to avoid re-occurrences.
The results of such investigations have been the most important method of acci-
dent prevention and the main source to model the aviation regulations toward safer
aviation.
Recapitulating some of the aircraft accident investigations that changed the aircraft
design and maintenance rules: the Aloha Flight 243 investigation brought the atten-
tion about the consequences of the aging process of the aircraft resulting in the
current regulations and means to avoid Widespread Fatigue Damage (WFD); the
existing requirements for Electrical Wiring Interconnection Systems (EWIS) are the
result of the investigation of the Swissair Flight 111 and the TWA Flight 800,
that highlighted the deficiencies in the certification and Continuing Airworthiness
requirements of Electrical Wiring Interconnection Systems (EWIS); a battery of
recommendations for fuel tank design and maintenance was also the result of the
TWA 800 investigation.
The “Lessons Learned” boxes included throughout the chapters of this book
exhibit the main aircraft accidents that have modeled the current airworthiness regula-
tions and others that are considered of relevant interest for understanding the proposed
subjects, but there is still an open question: what is the process since an aircraft
accident happens until the recommendations are issued?
The alarm of an aircraft accident is usually triggered by the Air Traffic Services
when it is determined the aircraft has crashed or disappeared from its control, by
the Airport Authorities when an accident occurs on or adjacent to an airport, or by
the Search And Rescue (SAR) services when a distress signal is received and it is
confirmed by the ATS.
Immediately after the alarm is on, a full investigation machinery to understand
the causes of the aircraft accident is initiated.

© The Editor(s) (if applicable) and The Author(s), under exclusive license 351
to Springer Nature Switzerland AG 2022
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6
352 Appendix B: Introduction to Aircraft Accident Investigation

This Appendix introduces the civil aircraft accident investigation process,

including the Maintenance Investigation.

B.1 Investigation Responsibilities

The accident investigation authority should be able to withstand political or other

interferences or pressures and must be strictly objective and impartial. ICAO requires
that the States set up their accident investigation authorities independently from the
civil aviation authorities and any other party whose interests could conflict with the
task entrusted to the investigation body.3
Imagine that an Aircraft Accident Investigation Authority would depend directly
on the Civil Aviation Authority and that its boards of directors would count with the
CEO and chairperson of the most profitable national carrier. This situation would
unleash rumors about the independence of the investigations and the possible interest
of private hands over air safety.
After an accident or serious incident, usually, the State of Occurrence notifies the
States of Registration, Operator, Design, Manufacture, and ICAO, this last one when
the aircraft is over 2250 kg.
The State of Occurrence is responsible for instituting and conducting the inves-
tigation but, if it is found more practical, it may be delegated whole or partially to
another State (e.g., State of Registration or State of the Operator) or a regional acci-
dent and incident investigation organization. In any case, the State of Occurrence
must provide every means to facilitate the investigation.
When the accident occurs out of the territory of any State, the responsibility to
institute and conduct the investigation lies on the State of Registration.
The Investigator in Charge (IIC) is appointed by the State conducting the investi-
gation. He must have unrestricted control over the wreckage and all relevant material,
including the Flight Recorders and ATS records.
The States of the Registration, Operator, Design, and Manufacture have the right
to appoint an accredited representative and one or more advisers to participate in
the investigation. EASA or the FAA would act on behalf of the State whenever it
is related to the design approval. Other States can provide information, facilities, or
experts to the State conducting the investigation.
The Safety Board “Go Team,” formed by the State conducting the investigation
or the delegated organization, is responsible to the Investigator In Charge (IIC) and
initiates the process in the accident scene as quickly as possible. It is composed of
a panel of specialists in different aviation areas with clearly defined responsibilities,
e.g., Wreckage, Operations, Weather, Air Traffic Services, Structures, Powerplant,
Systems, Maintenance, Human Factors, and Survival Factors.

3 Annex 13 Aircraft Accident and Incident Investigation. ICAO. Eleventh Edition—July 2016.
Appendix B: Introduction to Aircraft Accident Investigation 353

The responsible for each area of expertise heads a working group that is staffed
with representatives of the operator, airframe and engine design and manufacturers,
design certifying authority, pilot and flight attendant unions, etc.
Some of the working groups remain at the accident scene, usually from few days to
several weeks, to collect data and evidences as long as necessary and then move onto
other facilities to continue the investigation, e.g., Powerplant to an engine teardown
at a manufacturer or overhaul facilities and Systems to an instrument manufacturer’s
plant.
Other teams, such as the Flight Data Recorder and Cockpit Voice Recorder groups,
may be not attending the accident scene but being placed on an investigation authority
center. When the State conducting the investigation has not facilities for the readout
of the recorders, it can make use of the facilities made available by other States.
The State conducting the investigation should not make the investigation records
available for other purposes than the investigation unless it is considered beneficial
for such investigation or any future investigations. The investigation records include
the recording or transcription of the Cockpit Voice Recorder (CVR), communication
between persons involved in the operation of the aircraft, recording and transcrip-
tions from the Air Traffic Control units, medical/private information of the persons
involved in the accident, and communication between people involved in the opera-
tion of the aircraft. The records are only included in the Final Report when pertinent
to the analysis of the accident.
Judicial investigations are often initiated when there is a need to assign liabili-
ties and compensate victims. Both Safety and Judicial investigations are required to
be separate. The Safety investigation should cooperate with the Judicial investiga-
tion, but some of the records obtained, such as cockpit voice or image recording, are
normally used for the Safety investigation but not available for the Judicial investiga-
tors to avoid its use for other purposes. An exception is when the Inspector in Charge
detects an act of unlawful interference; in such case, he should inform the Judicial
Authorities and the recording may be put at their disposal. The State conducting the
investigation must coordinate both authorities and mediate if a conflict exists.
The most important mandate of the Safety Board is to address safety deficiencies
immediately, including deficiencies that are not directly related to the cause of the
accident, and issue Safety Recommendations.
Usually, preliminary or interim reports with factual information and Safety
Recommendations are issued during the course of the investigation to provide safety
information to the industry and address immediate safety concerns.
A final report is issued at the end of the investigation concluding with the
identification of the findings, causes, and contributing factors to the accident.
The final report must be reported to ICAO through the ADREP system (see
Sect. 26.3.1).
The detailed responsibilities and obligations standards for Aircraft Accident and
Incident Investigations are detailed in ICAO Annex 13.
354 Appendix B: Introduction to Aircraft Accident Investigation

EASA and FAA Roles

When an investigation takes place in any of the European Union states, the role
of EASA is to follow the investigation carried out by the corresponding accident
investigation authority, provide technical advice whenever is needed, and process
the Safety Recommendations addressed to the Agency, but EASA is not an accident
investigation body. Some examples of investigation authorities across Europe are
the Bureau of Enquiry and Analysis for Civil Aviation Safety (BEA) in France,
the Commission for the Investigation of Accidents and Incidents for Civil Avia-
tion (CIAIAC) in Spain, and the German Federal Bureau of Aircraft Accidents
Investigation (BFU).
Similarly, the competences of the FAA when an accident occurs in the U.S. terri-
tory are to provide advice, support, and address Safety Recommendations from
the National Transportation Safety Board (NSTB), the investigation authority
dependent on the U.S. Department of Transportation.
The NTSB was formed in 1967 as successor of the Civil Aeronautics Board (CAB)
that had been in charge of the accident investigations since the 1940s. The NTSB
is multimodal and does not only investigate accidents and incidents involving civil
aircraft but also other transportation modes such as marine and rail. Up to 2017, the
NTSB had investigated more than 149,000 aviation accidents and issued more than
15,000 Safety Recommendations to more than 2400 recipients.

B.2 The Investigation Areas

The Wreckage Investigation documents the airframe wreckage and the accident
scene, including calculation of impact angles to help to determine the aircraft’s pre-
impact course and attitude. The initial assessment determines the presence of flight
control surfaces (wings, vertical and horizontal stabilizers, flaps, spoilers) and major
structural parts (engines, propellers, blades), and follows with the identification of
every part of the wreckage. During the investigation, the distribution of the wreckage
is plotted to establish the path of the aircraft and the first impact location. Ground
marks, scars upon trees, shrubs, rocks, poles, power lines, and buildings are also
examined to understand the impact.
The reconstruction of the wreckage, assembling the parts back to their relative
position before failure, is not necessary but can be the key for determining the causes
of certain types of accidents such as in-flight structural breakup, collisions, fires, or
explosions. The reconstruction of the TWA 800 explosion, detailed in Sect. 6.2.1.4,
was one of the most comprehensive and expensive reconstructions ever attempted,
where approximately, 96% of the wreckage was recovered from the Atlantic Ocean.
The Operations Investigation studies the history of the flight and the activity
of the flight crew, and may also examine the role of flight operations, dispatch or
other personnel involved directly with the operation of the aircraft. Some of the
major areas involved are the crew qualifications and experience, duties, rest periods,
Appendix B: Introduction to Aircraft Accident Investigation 355

activity before, during and after the accident, flight planning, weight and balance,
final flight path and sequence of the flight.
The flight is reconstructed from the data collected, where the Flight Recorders
and radar records play a significant role, and the contribution of the other groups of
the investigation.
The Weather Investigation gathers all the pertinent weather data. A special-
ized group is needed if the meteorological conditions are considered an important
contributing factor to the accident; otherwise, a report from a specialist meteorologist
may be sufficient.
The investigation collects forecast and observed meteorological conditions with
special consideration for hazardous phenomena that may be not so apparent such as
cyclones, severe turbulences, freezing rain, or volcanic ash.
The Air Traffic Services (ATS) Investigation addresses the aeronautical and
operational information from service providers, including the acquisition of ATC
radar data and transcripts of the controller-pilot radio transmissions. The objective is
to reconstruct the occurrence from the planning stage through the various functions
exercised by the service providers, e.g., ground control, aerodrome control, area
control, and approach control.
The Structures Investigation is aimed to determine the causes attributed to mate-
rial failures, with special considerations for major component failures due to inade-
quate design strength, excessive loads, or deterioration due to fatigue or corrosion.
The investigation must discern which structural parts failed in-flight and which failed
on the impact.
The Powerplant Investigation usually includes engines, propellers, thrust
reversers, mountings, cowlings, and fuel and oil systems. Powerplant failure is often
a causal factor of aircraft accidents and it is important to determine if it was involved
in the subject occurrence. The data collected should enable to assess if the engine
was separated in-flight, if it was producing power at impact and the type of engine
failure (e.g., rotor disk fracture, operational ingestion of debris birds, ice or volcanic
ash, failure of the reverser system or the nacelle, etc.).
The Systems Investigation studies the aircraft components related to the aircraft
systems such as hydraulic, electrical (including EWIS), pneumatic and oxygen
systems, the instruments, and elements of the flight control systems. One of the
main tasks is to document the flight configuration of the aircraft at the event time,
including positions of switches and controls in the cockpit taking into consideration
that it may have been altered during the impact or the evacuation procedures.
The Maintenance Investigation focuses on the adequacy of the maintenance
performed, the capability of the maintenance management, and the human factors in
maintenance.
The Human Factors Investigation assesses the human performance and all the
factors that may have caused or contributed to the accident (fatigue, medication,
alcohol, drugs, medical histories, training, workload, equipment design, and work
environment).
It is required a high degree of coordination of the Human Factors investigation
group with the Operations, Air Traffic Services, and Maintenance investigations.
356 Appendix B: Introduction to Aircraft Accident Investigation

The Human and Organizational models detailed in Chaps. 24 and 25 (SHELL,

PEAR, Reason’s model), and other models or techniques such as the Failure Mode
and Effects Analysis (FMEA), aid the investigator in analyzing the data gathered in
order to determine the contributing factors.
The Survival Factors Investigation documents and analyses information
regarding several areas: search and rescue, evacuation and survival, aircraft interior
configuration, impact and occupants’ dynamics and crash injury, and survivability
aspects.
Documenting the aircraft and surrounding site is essential in order to establish how
and why injuries and fatalities occurred: condition and location of the elements of
cockpit, passenger cabin, exits, evacuation devices, emergency equipment, restraint
systems, stowage compartments, cabin baggage, cargo, communication systems,
galleys, etc.
The CREEP methodology is a systematic approach used by some aircraft accident
investigators to assess the different factors that influence the occupant’s survivability
during a crash. The CREEP crashworthiness acronym stands for the following factors:
• Container: the aircraft structure should not disintegrate, deform until it crushes
the occupants or allows external objects to penetrate the cabin.
• Restraints: components such as belts, attachments, and connectors should be able
to prevent injuries at the force levels expected during a crash.
• Energy Absorption: the effects of the acceleration forces experienced by the occu-
pants are amplified or attenuated depending on the design of the structure and the
seats.
• Environment: the cockpit, cabin, and cargo spaces should be delethalized; it means
that the potentially injurious objects should be properly secured.
• Post-crash factors: if the occupants survive the crash, they should be able to exit
the aircraft and reach emergency assistance. The most critical aspects are the
ability of the occupants to unbuckle themselves from the restraint systems and
reach emergency exits, and the post-crash fire effects (heat, smoke, and toxic
fumes).
The investigators inspect all the CREEP factors to determine elements that may
have prevented the occupants from being injured.

B.2.1 The Maintenance Investigation

The Maintenance Group is responsible for reviewing the maintenance history of

the aircraft, the actions of the maintenance organization and its staff, and the Aircraft
Maintenance Program under which it was maintained. The goal is to determine if the
aircraft has been maintained in accordance with the applicable airworthiness regula-
tions, including the suitability of such regulations, identify maintenance information
that may suggest particular lines of investigation, and if any maintenance action could
be a contributing or root cause of the accident.
Appendix B: Introduction to Aircraft Accident Investigation 357

The maintenance investigation focuses on the adequacy of the maintenance

performed, the maintenance management capability, and the human factors on
maintenance.
Immediately after accident notification, the Maintenance Group chairperson or
the Investigator in Charge (IIC) notifies the owner/operator of the aircraft that all
the maintenance records pertaining to such aircraft are impounded. These must be
retained and made available when requested by the group.
Usually, before reviewing any specific documentation of the maintenance
performed on the aircraft, the Maintenance Group is briefed about the operator
policies and procedures in the context of the applicable operating regulations.
The operator and maintenance organization manuals, including contracted main-
tenance, are of much relevance for the Maintenance Group because they contain
the maintenance policies and procedures and allow to understand the organization
of the departments, duties, responsibilities and individual group functions such as
the Maintenance Program, stores control, technical Records administration, Crit-
ical Maintenance Task/Required Inspection Items management, etc. that can help to
determine if any of these may have contributed to the accident.
The Continuing Airworthiness Management Exposition (CAME) and the Main-
tenance Organization Exposition (MOE) in an EASA environment or the Air Carrier
Maintenance Manual and the Repair Station Manual required as per the FAA rules,
will be likely the first documents the Maintenance Group are interested in.
The main areas to be examined by the Maintenance Group include:
• the operating history of the aircraft, engines, propellers, and components, and
• the aircraft records to determine compliance with all the applicable Airworthiness
Directives (AD) and the approved Aircraft Maintenance Program (AMP), that
major modifications and repairs are performed in accordance with approved data,
and that any discrepancies or omissions associated with the aircraft have been
properly corrected.
One of the most important tasks of the Maintenance Group is to review the
approved Aircraft Maintenance Program with the objective of assessing its
adequacy and effectiveness. The study of the relevant records will highlight improper
or inadequate maintenance, servicing, or inspection.
The relevant records that may be requested by the Maintenance Group for review
include, but are not limited to:
• Aircraft Technical Logs,
• Aircraft maintenance history,
• Routine and non-routine task cards,
• Applicable Airworthiness Directives (AD),
• Airworthiness Limitations (ALS) and Certification Maintenance Requirements
(CMR),
• Modifications and Repairs records for the aircraft, engines, propellers, and
components,
• List of SB and SL issued by manufacturers,
358 Appendix B: Introduction to Aircraft Accident Investigation

• Engine change log,

• Engine Condition Monitoring Data,
• Engine and airframe vibration monitoring data,
• MEL and CDL items currently being carried on the accident aircraft,
• Report of In-flight shutdowns,
• List of cancelations/diversions/deviations,
• Occurrences history: overweight landings, bird strikes, lightning strikes, damage
reports, etc.,
• Service Difficulty Reports (SDR),
• Relevant incidents for the accident aircraft or others of the same model,
• Weight and Balance records.
The data collected is assessed to determine the effectiveness of the maintenance
performed and the adequacy and relevance to the issues associated with the accident.
If any system or component becomes suspect through the records review, the Main-
tenance Group will alert the investigative team. In the same way, the data collected by
other groups may indicate lines of investigation for the Maintenance Group, e.g., if
a landing gear life-limited part is found relatively distant from the rest of the landing
gear wreckage area, it may indicate the part failure, and therefore, the Maintenance
Group should investigate the landing gear records with more detail.
As a consequence of the maintenance records review, the oversight agencies may
also be evaluated to determine if their actions/inactions may have contributed to the
accident sequence.
Maintenance Error
When a Maintenance error is suspected, the Maintenance Group must deeply
investigate all the factors that may have contributed to the final error.
Chapters 23 and 24 provide a deeper understanding of Human and Organizational
Factors. The following lines recapitulate some important elements that are considered
on the maintenance part of the aircraft accident investigation.
The source of the data that a technician uses to carry out a job may be a
contributing factor if it was not understandable or difficult to understand, not complete
or conflicting with other documents, but also if it was not available or it was directly
ignored. The current publications released by the operator and manufacturers, as of
the date of the accident, can be requested by the Maintenance Group to determine
any deviations; it can include the Aircraft Maintenance Manual (AMM), the Illus-
trated Part Catalogue (IPC), the Structural Repair Manual (SRM), Troubleshooting
manuals, Overhaul Manuals, Component Maintenance Manual (CMM), Service
publications (Service Bulletins, Operator Letters, Maintenance Tips), etc.
If the parts necessary to perform a task are incorrectly labeled, it can lead to
improper installation or incorrect modification/repair. If they are not available, the
technician may end using substitute parts or even omitting the part.
In the same way, if tools/equipment are not available or are not accessible, the
maintenance technician may use others that are not suitable to perform the task; if
they are not safe, the technician may be distracted due to concerns for staff safety;
Appendix B: Introduction to Aircraft Accident Investigation 359

if they are not properly calibrated or there are no instructions for use, it may have
provided wrong measures; etc.
The Maintenance Group should consider aspects of the aircraft design and
configuration that may have contributed to the suspected maintenance errors, e.g.,
complex, difficult or extensive procedures, difficult or uncomfortable access areas,
multiple similar connections on the same component or components easily installed
with wrong orientation.
A poorly developed maintenance Task Card could also contribute to maintenance
error: repetitive and monotonous actions, complex/confusing/changed procedures,
complacency, or directly accomplishing the task differently may induce errors.
EASA Regulation Codes

• Basic Regulation:
– Regulation (EU) 2018/1139 Basic Regulation. December 2019.
• Initial Airworthiness:
– Regulation (EU) No 748/2012 Easy Access Rules for Airworthiness and Envi-
ronmental Certification (Part-21) (up to Regulation (EU) 2019/897 and ED
Decision 2019/018/R). December 2019.
– Regulation (EU) No 2015/640 Easy Access Rules for Additional Airworthiness
Specifications (Part-26) (up to Regulation (EU) No 2015/640 and ED Decision
2015/013/R). January 2018.
– CS-25 Easy Access Rules for Large Aeroplanes (up to ED Decision
2018/005/R—Amendment 21). November 2018.
– CS-E Easy Access Rules for Engines (up to ED Decision 2018/014/R—
Amendment 5). February 2020.
– CS-P Easy Access Rules for Propellers (up to ED Decision 2006/09/R—
Amendment 1). November 2018.
– CS-APU Easy Access Rules for Auxiliary Power Units (ED Decision
2003/5/RM—Initial issue). February 2018.
– CS-ETSO Easy Access Rules for European Technical Standard Orders (up to
ED Decision 2018/008/R—Amendment 14). November 2018.
– CS-AWO Easy Access Rules for All Weather Operations (ED Decision
2003/6/RM—Initial issue). February 2018.
– AMC-20 Easy Access Rules for Acceptable Means of Compliance for Airwor-
thiness of Products, Parts and Appliances (up to ED Decision 2019/011/R—
Amendment 17). February 2020.
• Continuing Airworthiness:
– Regulation (EU) No 1321/2014 Easy Access Rules for Continuing Airwor-
thiness (Part-M, Part-145, Part-66, Part-147, Part-T, Part-ML, Part-CAMO,

© The Editor(s) (if applicable) and The Author(s), under exclusive license 361
to Springer Nature Switzerland AG 2022
D. Lapesa Barrera, Aircraft Maintenance Programs, Springer Series
in Reliability Engineering, https://doi.org/10.1007/978-3-030-90263-6
362 EASA Regulation Codes

Part-CAO) (up to Regulation (EU) 2020/270 and ED Decision 2020/002/R).

June 2020.
• Air Operations:
– Regulation (EU) No 965/2012 Easy Access Rules for Air Operations (up to
Regulation (EU) 2019/1387 and ED Decision 2019/019/R). October 2019.