‘You take a chance getting up in the morning, crossing the street, or sticking your face in a fan.’
Title quote credit: The Naked Gun: From the Files of Police Squad! Director: David Zucker. Performer: Leslie Nielsen. Paramount Pictures. 1988.
Understanding the risk posed by the interaction of functionally unrelated systems; are we, as those responsible for deriving preventive maintenance for aircraft, missing the point?
The Ministry of Defence of the United Kingdom (UK MoD) have recently undertaken a programme of ageing aircraft audits (AAA) as a means of ensuring the continuing airworthiness of its ageing fleet. Though not stipulated as a requirement of an AAA, many platforms have also conducted a zonal hazard analysis (ZHA).
ZHA is used to understand the hazards and safety concerns which result from undesirable system to system interactions, based on a zones system composition. ZHA complements many of the systems analysis approaches, which examine only the functions of systems, by considering functionally unrelated systems that are located in close proximity and the manner in which they could interact.
Experience from those ZHA/AAA activities have led to the publishing of the ageing aircraft platform working group (AAPWG) Paper 011 which can be found, in the public domain, following this link. The paper introduces guidance for the completion of ZHA on in-service platforms and goes on to discuss the possibility of significant overlap between the ZHA activity and the maintenance derivation activity – ostensibly, reliability centred maintenance (RCM).
As an RCM practitioner this caught my interest and spurred a look into the processes used across multiple standards and guidelines. The themes, or shortcomings, appear universal and I’ll discuss them a little further..
Enhanced zonal analysis procedures (EZAP) have been introduced into a number of RCM-based methodologies for aircraft and they attempt, at least in part, to mitigate the interaction between systems. In looking into this, two recurring themes strike home:
- There is a clear focus on the condition electrical wiring interconnecting systems (EWIS)
- There is no mechanism for design challenge
The focus on EWIS and its condition is an attempt to prevent its interaction with a combustible material and, therefore, mitigate the risk of fire/explosion. In many cases, including that of ATA MSG-3, JAP(D)100C-22 and ASD S4000P, if you follow the algorithms, the presence of combustible materials is bypassed if there is no EWIS in the area but what about other ignition sources?
What about other risks? – Is fire/explosion the only event that could happen when systems interact in an area?
No…
…we should, as a minimum, consider control restriction or loss of structural integrity as plausible events or outcomes.
This topic seems to ask far more questions than it answers but, perhaps the most poignant, are we doing enough to avoid a tragedy, such as the loss of the Nimrod XV230, today? The cause of the loss of the aircraft was not confirmed but deemed likely to have occurred due to the interaction between two systems, namely fuel and hot air. That misunderstood interaction was exacerbated by a number of wider issues including, among other things, culture.
XV230 Nimrod which was lost over Afghanistan 2 September 2006, with the loss of all 14 crew on board, likely as the result of interaction between fuel and hot air systems. (Image credit: RAF Hawker Siddeley Nimrod XV230 at the 2005 Waddington Air Show. Author: Oren Rozen, 02 July 2005 (link))
Are our maintenance derivation processes so narrow now that they don’t allow us to consider the possibility of other interactions and does that, as part of a wider culture, transfer down to our maintainers who will be directed to look at the condition of EWIS but not necessarily trained or encouraged to identify other potential problems?
Yes…
…AAPWG Paper 011, details a number of examples including fuel unions directly above hot surfaces, panels fouling flight control inputs and grease accumulating in an oxygen bay. These interactions were found during optional ZHA activities and not as a result of any regularly scheduled or mandated preventive maintenance review.
There is an argument, of course, that these things should be mitigated by good design or good practice but experience gained from the AAAs indicates otherwise. The EZAPs are out of kilter with the rest of the RCM process and should, without doubt, include the ability to challenge the design.
Go back to the EZAP algorithms that you employ and then ask yourself the question…are we carrying risks, from unintended interactions, that we haven’t considered?