Continuing airworthiness means ensuring that an aircraft is constantly maintained in an airworthy state, in accordance with its type design, throughout its operational life (Janic, 2000). Effectively identifying, analyzing and assessing occurrence risk during operation and maintenance is essential to maintaining continuing airworthiness. It is also a main concern for both aircraft designers and airworthiness authorities (Bahr, 1997). The Boeing Company and Airbus Company have both already built risk assessment methods appropriate for their airplanes in operation. Failure occurrences or conditions are collected, analyzed and evaluated to determine the risk level of the airplane or the entire fleet. Appropriate corrective actions are then defined and customers are informed so that they complete these actions, guaranteeing the safety level of the civil airplanes (Wei and Chen, 2011).
In this study, a risk assessment method suitable for airplanes made in China has been developed. The classifications of the risk types, hazard levels and probability levels have been given. The appropriate corrective actions and the maximum compliance time have been determined. Using the present risk assessment method, the wing fuel tank overpressure damage event has been analyzed. The risk level, corrective actions and the maximum compliance time have been determined.
RISK ASSESSMENT METHOD
Types of risk: During the operation of civil airplanes, the risks can be largely distinguished into five categories, as follows:
• Risks associated with aircraft systems that can be directly analyzed with AC 25.1309 tools (FAA, 1988)
• Risks associated with the potential of failure of structural elements due to insufficient strength
• Risks associated with non-compliance with specific certification requirements on aircraft characteristics, for instance performance or flight handling. These risks are almost always the result of failure modes in either structure or systems and can therefore be handled as discussed above for categories 1 or 2, as applicable
• Risks associated with systems subject to specific FAR/CS 25 (FAR, 2011; EASA, 2008) requirements exceeding or at least as stringent as FAR/CS 25.1309 (FAR, 2011; EASA, 2008). In these situations, simply replace the limits of AC 25.1309 (FAA, 1988) with the applicable specific requirement
• Risks associated with systems required for emergency situations (i.e., evacuation, fire). In these cases, the hazard needs correction to a certain extent irrespective of its probability of occurrence. "To a certain extent" because the usual approach is to compare the actual probability of occurrence with the accepted industry average failure probability; for example, it is known that evacuation slides cannot be packed with a deployment reliability much higher than 99%, so a 1 in 100 probability of failure is considered acceptable
Hazard classification: The first step in risk assessment is the classification of the hazard as shown in Table 1, derived from AC 25.1309 (FAA, 1988). The hazard is in some cases self-evident from the actual event (the reportable occurrence).
Table 1: Classification of the hazard level
In the case of a crack found during a walk-around inspection, there has been no actual unsafe condition as yet. The question then needs to be answered: what if this crack had not been found by a very attentive flight crew member? How far was this crack from the critical crack length in the fatigue and damage tolerance analysis report? Could it just as well have escaped attention until reaching the critical crack length? And what would be the effect on the aircraft of the failure of this structural member once the crack has reached its critical length? In other cases, the reportable occurrence may have involved an actual unsafe condition (for instance: major). However, a more severe sequence of events (for instance: hazardous) could quite as well have occurred in slightly different circumstances (for example, a less alert flight crew or different weather conditions). In that case, either both hazard levels need to be carried through the risk assessment or the most severe hazard classification shall be taken as the basis for the further assessment.
Probability level: Determination of the probability level is the next step in risk assessment. The probability level is either primarily based on observation of specific occurrences or on component failure mode probabilities derived from design analysis reports or on a combination of both.
When the failure, malfunction or defect has actually been observed, the first order estimate of the probability of occurrence is simply the number of observed occurrences divided by the number of Flight Cycles (FC) or Flight Hours (FH). However, with very low numbers of observations (which is mostly the case after the first and as yet only occurrence of a certain failure mode), it can only provide a first order of magnitude estimate. Nevertheless, without any further information being available, statistically speaking with one event, it must be assumed that the probability of occurrence is certainly not better than the inverse of the total accumulated number of FC/FH. And if a statistical confidence level of, say, 80% is applied, the Poisson distribution model shows that the probability of occurrence with one event cannot be assumed better than three times the inverse of the total accumulated number of FC/FH.
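The factor of three quoted above can be reproduced numerically. The following is an added example, not part of the original study: it solves the Poisson relation for the one-sided upper bound and also covers the zero-event case. The function names and the 250,000 FH exposure are assumptions made for illustration.

```python
import math

def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam)."""
    term = math.exp(-lam)
    total = term
    for i in range(1, k + 1):
        term *= lam / i
        total += term
    return total

def upper_bound_events(k, confidence):
    """One-sided upper bound on the expected event count after k observed events.

    Solves P(X <= k | lam) = 1 - confidence for lam by bisection.
    """
    if k < 0 or not 0.0 < confidence < 1.0:
        raise ValueError("need k >= 0 and 0 < confidence < 1")
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(k, hi) > target:  # grow the bracket until it holds the root
        hi *= 2.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if poisson_cdf(k, mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

def occurrence_rate(events, exposure, confidence=None):
    """Probability of occurrence per FH or FC.

    Without a confidence level this is the first order estimate (events / exposure);
    with one it is the Poisson upper bound divided by the exposure.
    """
    if exposure <= 0:
        raise ValueError("exposure (accumulated FH/FC) must be positive")
    if confidence is None:
        return events / exposure
    return upper_bound_events(events, confidence) / exposure

if __name__ == "__main__":
    exposure = 250_000  # constructed value: total accumulated fleet FH
    point = occurrence_rate(1, exposure)
    bound = occurrence_rate(1, exposure, confidence=0.80)
    print(f"first order estimate : {point:.2e} per FH")
    print(f"80% upper bound      : {bound:.2e} per FH ({bound / point:.2f} x)")
    # Zero observed events still give a non-zero bound on the rate.
    print(f"80% bound, no events : {occurrence_rate(0, exposure, 0.80):.2e} per FH")
```
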
It is always wise to try to bring in expert knowledge: what is the type of the failure mode? Is fatigue cracking or another type of aging phenomenon involved? Is there evidence of a production batch related problem or of a problem that is specific to one operator or to certain operational circumstances (for instance cold weather)? The answers to these kinds of questions may help to improve the confidence levels in the statistics and/or to reduce the probability estimate. However, be aware that it may also work the other way around. For instance, when the problem has been traced back to a batch that only affects 10% of the fleet, you know that 90% of the fleet is safe but, on the other hand, in the 10% of the fleet at risk the risk has increased tenfold. If you do not know the distribution of the batch in the fleet, that is not an issue, but if you do know it, you have to base your further assessment and actions on this 10% of the fleet with the higher risk.
In that case the assessment is already partially based on assumptions with respect to component failure mode probabilities. Calculation of a probability of occurrence during design is based on SSA techniques like Fault Tree Analysis (FTA) to find all possible single failure modes and combinations thereof that can lead to the specific occurrence (top event) that is analyzed (SAE International, 1996a, b). In risk assessment on reportable occurrences, it is very useful to see where the in-service event fits in the FTA: is it a top event, or may there easily be a next higher (and more severe) top event? What are the relevant combinations in which the in-service event is an element? This makes it possible not only to establish the real hazard that must be assessed but also to estimate the probability of that hazard. Useful tools in cases where only very limited data is available are the Weibull distribution and the basic principles of Bayesian statistics (SAE International, 1996a, b).
Level of exceedance: After the hazard level and the probability level of occurrence have been determined, the level of exceedance could be determined based on Table 1. If the hazard and probability fit within the 25.1309 limits, no action is required from safety perspective. However, note that until a new aircraft type has accumulated 1E7 FC in service, the first rough estimate (without application of any confidence level) of the probability of occurrence is above the E-7 limit. Thus for several years of operation after the in-service introduction, every occurrence with a hazardous effect in principle exceeds the 25.1309 limit. When the event as such is found not to be an exceedance of the 25.1309 limits, it is advisable to assure that sufficient consideration has been given in the hazard classification to relevant combinations with potential aggravating factors (technical, human, environment).
Appropriate action: When an exceedance of the 25.1309 limits has been found, the appropriate corrective action should be taken, i.e., the fleet measures including: (1) Grounding, (2) Limitation, (3) Inspection and (4) Modification:
• The grounding is the most dramatic of all possible fleet measures. It is important to try to avoid grounding at all times by quick and effective limitations and/or inspections. Thus this will only be required when such actions are not possible or effective and the risk assessment leaves no other choice
• One level less far-reaching is to issue a (temporary) limitation. This allows continued operation of the fleet while the design remains (as yet) as is. Limitations shall be neatly tailored to be effective on one side and not to hamper the operation more than strictly necessary on the other side. In the case of temporary limitations, the question of the exit strategy is again of importance, especially when the limitations have large consequences on the economics of the operation
• The next level consists of (temporary) inspection(s), one-time or repetitive. Inspections also allow continued operation of the unchanged design. However, unless very simple, inspections take more time to develop. They shall be neatly tailored to be effective on one side and not to hamper the operation more than strictly necessary on the other side
• The preferred final solutions (certainly in the start-up phase) are modification(s). Modifications shall be aimed to eliminate the root cause(s) of the unsafe condition. They will however take the most time (and money) to develop and will take more time for the airlines to comply. Effective modifications will terminate any limitation and inspections
To determine the time allowed to eliminate a risk exceedance, the total 25.1309 risk (1E-7, 1E-5) is split into 3/4 for the basic design and 1/4 for the rectification campaign. In addition, it is assumed that a total of 10 rectification campaigns might occur during the life of an average individual aircraft (EASA, 2012) and that the average total aircraft life is 60000 FH/FC. With these assumptions, the maximum compliance time is calculated as follows:
Maximum compliance time × Probability of occurrence = a fixed figure for each severity category
For the catastrophic category:
Compliance time × Probability = 0.25 × 1E-7 × 60000/10 = 1.5E-4
For the hazardous category:
Compliance time × Probability = 0.25 × 1E-5 × 60000/10 = 1.5E-2
In addition, the individual aircraft probability of catastrophic accident shall not exceed 2E-6. If a probability of occurrence would be allowed above 2E-6, the specific risk would begin to contribute to a greater likelihood of catastrophe than that from all other causes including non-airworthiness causes, put together. The fleet catastrophic accident risk shall not exceed 0.1. This reduces the calculation result for large fleets:
Fleet size × Compliance time × Probability < 0.1
Fleet size < 0.1/1.5E-4 = 667 aircraft
As long as the fleet size of a specific aircraft type does not exceed 667 aircraft, this restriction is not relevant.
During the scheduled midlife X-ray inspections of the engine mounting frames, welding defects were discovered purely by chance. In two forward frames and one aft frame, defects were found in a total of 4 weld locations. The defects originated during manufacture of the engine mounting frames, where the tubes were welded to the end fittings. The correct position of the weld is exactly on the border line between tube and fitting. However, unintentional sideways movement of the electric arc had resulted in some welds running beside the border line for a part of the tube circumference. Where a weld runs beside the border line, there is no connection between tube and end fitting for that part of the tube circumference, as shown in Fig. 1. Examples of a welding defect viewed from the inside and the corresponding X-ray image are shown in Fig. 2. The largest defect found had a length of 50 mm in the circumferential direction.
Type of risk: As in the engine mounting frame corrosion case, this is the risk associated with the potential of failure of structural elements due to insufficient strength.
Hazard classification: Both the potential for engine separation and the consequence of engine separation need to be considered.
The defects have been found on 4 welding locations and 3 frames of 2 aircraft (2 forward and one aft frame). The severity of the defects can be summarized as follows:
• 50 mm long, completely through the thickness, with fatigue striations at the tips of about 1 mm at maximum
• 12, 10 and 27 mm long, approximately 1 mm deep, no fatigue striations
• 6 and 8 mm long, completely through the thickness, no fatigue striations
• Mismatch (gap) between inner side of tube and fitting over about 1/6 of the circumference, no fatigue striations
Fig. 1: Schematic of engine mounting frames welding defects
Fig. 2: Example of welding defect, (a) Viewed from the inside and (b) Corresponding X-ray image
The defects were missed during production inspections as well as during the fatigue and damage tolerance inspections and were only found during the midlife X-ray corrosion inspections. The mounting frames with the four defects found would still have been able to sustain the limit loads.
The analysis above leads to the following summary: the hazard of the reduction in structural strength cannot be established with confidence because of the many factors that determine the remaining load capability (number, positions and lengths of defects per engine installation).
Consequence of engine separation: although there is no experience, this is again conservatively assumed to be catastrophic (large asymmetry in weight and propulsion, possibly heavy damage to the wing, possibly fire).
Probability level and level of exceedance: About 30% of the frames had undergone midlife inspections. These X-ray inspections do not warrant detection of weld defects. On the basis of the above information, it is considered sufficiently conservative to assume that 10 aircraft may presently be in the fleet with multiple defects on one engine installation to such an extent that they would not be able to withstand limit load, and that with a 10% probability this would even lead to engine separation.
The probability of a catastrophe P is then:
P = Limit load occurrence rate × 10/affected fleet × 1/10 = 1E-5 × 10/200 × 1/10 = 5E-8
In view of the hazard classification catastrophic in Table 1, the probability of occurrence is a factor of 50 too high.
Appropriate action: The welding defects must be eliminated from the fleet and from spare frames. The defects can only be found by a tailor-made and complicated X-ray inspection method. Accomplishing this on every weld of all engine mounting frames would obviously lead to an enormous amount of work. Therefore, the work is minimized by first identifying the engine mounting frames with non-straight welds. Only these welds need X-ray inspections.
The maximum compliance time is calculated as:
5E-8 × Y = 1.5E-4
Y = 1.5E-4/5E-8 = 3,000 FH/FC
In addition, the probability of catastrophe of 5E-8 is <2E-6. The fleet is <667 aircraft.
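The compliance time rules above can be combined into one calculation that also reports which constraint governs. This is an added example, not part of the original study. The function names are hypothetical, and two points are assumptions of this sketch: a probability above 2E-6 is treated as allowing no compliance period, and the fleet cap is applied to the catastrophic category only.

```python
TOTAL_RISK = {"catastrophic": 1e-7, "hazardous": 1e-5}  # total 25.1309 risk per category
CAMPAIGN_SHARE = 0.25      # 1/4 of the total risk goes to a rectification campaign
AIRCRAFT_LIFE = 60000      # average total aircraft life, FH/FC
CAMPAIGNS_PER_LIFE = 10    # rectification campaigns in one aircraft life
INDIVIDUAL_CAP = 2e-6      # individual aircraft probability of catastrophic accident
FLEET_CAP = 0.1            # fleet catastrophic accident risk

def campaign_budget(category):
    """Fixed figure: compliance time x probability allowed for one campaign."""
    return CAMPAIGN_SHARE * TOTAL_RISK[category] * AIRCRAFT_LIFE / CAMPAIGNS_PER_LIFE

def case_probability(limit_load_rate, affected, fleet_size, p_separation):
    """P = limit load occurrence rate x affected/fleet x probability of separation."""
    return limit_load_rate * affected / fleet_size * p_separation

def max_compliance_time(category, probability, fleet_size):
    """Return (maximum compliance time in FH/FC, name of the governing constraint)."""
    if probability <= 0 or fleet_size <= 0:
        raise ValueError("probability and fleet size must be positive")
    by_budget = campaign_budget(category) / probability
    if category != "catastrophic":
        return by_budget, "campaign budget"
    if probability > INDIVIDUAL_CAP:
        # Assumption of this example: no compliance period is acceptable above the cap.
        return 0.0, "individual aircraft cap"
    by_fleet = FLEET_CAP / (fleet_size * probability)
    if by_fleet < by_budget:
        return by_fleet, "fleet cap"
    return by_budget, "campaign budget"

if __name__ == "__main__":
    # Values from the engine mounting frame case in the text.
    p = case_probability(1e-5, affected=10, fleet_size=200, p_separation=0.1)
    t, reason = max_compliance_time("catastrophic", p, fleet_size=200)
    print(f"P = {p:.1e}, compliance time = {t:.0f} FH/FC, governed by {reason}")
    # Constructed variation: the same probability in a fleet of 1000 aircraft.
    t, reason = max_compliance_time("catastrophic", p, fleet_size=1000)
    print(f"fleet of 1000: compliance time = {t:.0f} FH/FC, governed by {reason}")
```
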
The risk assessment method for civil airplanes during continued airworthiness has been developed in the present analysis. The risk types of the event have been classified into five cases, i.e., (1) Risks associated with aircraft systems, (2) Risks associated with the potential of failure of structural elements due to insufficient strength, (3) Risks associated with non-compliance with specific certification requirements on aircraft characteristics, (4) Risks associated with systems subject to specific FAR/CS 25 requirements exceeding or at least as stringent as FAR/CS 25.1309 and (5) Risks associated with systems required for emergency situations. Based on the effect on the aeroplane, occupants and flight crew, the hazard levels of the event are classified into five levels, i.e., catastrophic, hazardous, major, minor and no safety effect. The acceptable qualitative and quantitative levels for each hazard level have been determined. After determining the hazard level, the probability level and the level of exceedance, the appropriate corrective actions can be obtained to reduce the risk level. The risk of engine mounting frames welding defects has been evaluated in the present analysis. The risk type, hazard level, probability level and risk level of the event have been determined using the risk assessment method. The appropriate corrective actions have been given and the maximum compliance time has been calculated to reduce the risk level.
This study is sponsored by the jointly funded projects of the National Nature Science Foundation of China and the Civil Aviation Administration of China (Grant No. 60572171, 60979019, 60939003 and U1333119), the Basic Research Project of Shanghai Branch of Chinese Aeronautical Establishment, Science and Technology Project of Civil Aviation Administration of China (Grant No. MHRD201123).