OPERATIONS
Best Maintenance Practices for Redundant Systems
Performing similar maintenance tasks on redundant systems at the same time, or by the same person during a particular maintenance check, may lead to the repetition of a maintenance error. This creates a risk of simultaneous failure of the redundant systems when the aircraft is back in service.
This article provides best practices to reduce this risk and ensure that the benefits of redundancy of systems or components on the aircraft are not compromised.
CASE STUDY 1
Event Description
The loss of two hydraulic systems in flight
An A330 aircraft experienced the loss of two hydraulic systems in the cruise phase of a long-range flight. The initial HYD B RSVR LO LVL and HYD B SYS LO PR ECAM cautions were triggered, and the HYD B + Y SYS LO PR ECAM warning appeared approximately 30 minutes later. The flight crew applied the appropriate procedure and set the affected hydraulic pumps to OFF, causing the flight control system to revert to alternate law.
The flight crew diverted the aircraft and landed safely without further incident. The aircraft was kept on the ground for further inspection.
Event Analysis
The same leak in two hydraulic systems
After an initial inspection, the maintenance engineer discovered signs indicating a hydraulic leak that came from the High Pressure (HP) manifold on both the blue and yellow hydraulic systems. They decided to replace both HP manifolds and sent them to Airbus for further analysis.
The hydraulic fluid leak was confirmed as coming from the check valves installed in both the blue and yellow hydraulic system HP manifolds. O-rings reserved only for transportation and storage were found installed on both selectors. The Aircraft Maintenance Manual (AMM) requests the removal of these transportation and storage O-rings before the installation of the check valves on the aircraft. These O-rings are not for operational use as they are not designed to sustain hydraulic system pressure. These transportation O-rings were damaged and were confirmed as the origin of the hydraulic fluid leak.
(fig.1) Check valves of the blue and yellow HP manifolds with their respective O-rings
A maintenance error repeated on two hydraulic systems
Maintenance records showed that the check valves were replaced a few days prior to the event. The same maintenance personnel performed the task on both the blue and yellow manifolds at the same time. They erroneously left the transportation O-rings on both check valves.
CASE STUDY 2
Event Description
Engine fire after landing
An ENG 1 FIRE ECAM warning was triggered on an A320neo aircraft shortly after landing. The flight crew set the ENG MASTER lever to OFF, and pressed the ENG 1 FIRE pushbutton to discharge AGENT 1. The ECAM warning remained, so the flight crew discharged AGENT 2. The warning disappeared and the aircraft safely came to a stop at the gate without further incident.
Event Analysis
Evidence of fire
A preliminary maintenance inspection confirmed evidence of fire on the engine core at the 12 o'clock position. The operator decided to replace engine 1 for further investigation and repair.
Fuel leaking from a fuel nozzle
Further inspection revealed that the engine fire was caused by a fuel leak from a fuel nozzle B-nut that was not torqued to the correct value specified in the AMM. The B-nuts of the other fuel nozzles were also incorrectly torqued, but they showed no sign of leaks.
(fig.2) Example of a fuel nozzle and its B-nuts on an A320neo engine
A maintenance error on engine 1 repeated on engine 2
A check of engine 2 revealed that its fuel nozzle B-nuts were also incorrectly torqued, as was the case for engine 1. The correct torque was then applied to all of the engine 2 nozzle B-nuts and there were no further discrepancies.
Maintenance records revealed that the aircraft had a maintenance check 16 days prior to the event. The fuel nozzles of both engines were replaced. The same maintenance personnel performed the nozzle replacement on both engine 1 and engine 2 and improperly torqued their B-nuts.
APPLYING BEST PRACTICES
Operators and approved maintenance organizations should identify when there is the risk of errors being repeated in identical maintenance tasks during a particular maintenance check. This will allow for application of the following best practices to prevent simultaneous failures in redundant systems.
Stagger the scheduling
When possible, avoid scheduling similar maintenance tasks on redundant systems at the same time. This reduces the risk of having a simultaneous failure of the redundant systems as a result of a repeated maintenance error.
Assign different people to redundant systems
If it is not possible to stagger the scheduling of similar maintenance tasks, then a different person or team should carry out the task on each redundant system or component. This reduces the probability of repeating a potential maintenance error made by the same person or team.
Additional inspection and cross-check
Identify the task as one that requires an additional inspection, a cross-check, and dual-signature verification that the task was completed correctly and in accordance with the maintenance procedures.
Test one system at a time
If a system test or engine run is necessary, the maintenance personnel should ensure that only one of the redundant systems or engines is tested at a time, unless the task provides other specific instructions. This reduces the risk of simultaneous failures or unexpected behavior of the systems/engines during the test.
Always follow the maintenance procedures
As a general rule, strictly adhering to the maintenance procedures reduces the risk of introducing human errors during maintenance tasks.
Regulatory requirements
ETOPS operations
For ETOPS operations, requirements and guidelines shall be applied. For example:
EU and UK regulations
EU and UK regulations also request that operators establish procedures that prevent the risk of repeating errors on identical systems (independently of the type of operations):
Further information can be found in the following documents available on the Airbusworld/A220World portals:
Performing similar maintenance tasks on redundant systems at the same time, or by the same person during a particular maintenance check, may lead to the repetition of a maintenance error. This creates a risk of simultaneous failure of the redundant systems when the aircraft is back in service.
There is a range of safeguards or best practices that can be applied to prevent repetition of a maintenance error. These include staggered scheduling of the task, using different personnel to carry out the task, performing an additional cross-check inspection, and requiring a dual signature to verify that the task was correctly carried out and in accordance with the maintenance procedures. Where possible, and unless otherwise specified, carry out a test of one system or one engine run at a time.
In all cases, it is important to correctly apply the maintenance procedures.
Contributors:
Marco FAITA
Customer Support Programme
Jean Philippe JACQ
Product Safety Management
Arturo MARTINEZ GRACIDA
Human Factor in Maintenance
Cyril MONTOYA
Product Safety Enhancement Manager
Prosper PRÉAU
Continuing Airworthiness Expert
Airworthiness & Certification
With thanks to Ian GOODWIN from Product Safety, Jean-Francois BOURCHANIN from Flight Controls Engineering Support, Denis DURAND from A320 Propulsion Systems