Safety First

Best Maintenance Practices for Redundant Systems

OPERATIONS

Best Maintenance Practices for Redundant Systems

Performing similar maintenance tasks on redundant systems at the same time, or by the same person during a particular maintenance check, may lead to the repetition of a maintenance error. This creates a risk of simultaneous failure of the redundant systems when the aircraft is back into service.

This article provides best practices to reduce this risk and ensure that the benefits of redundancy of systems or components on the aircraft is not compromised.


CASE STUDY 1

Event Description

The loss of two hydraulic systems in flight

An A330 aircraft experienced the loss of two hydraulic systems in the cruise phase of a long-range flight. The initial HYD B RSVR LO LVL and HYD B SYS LO PR ECAM cautions were triggered, and the HYD B + Y SYS LO PR ECAM warning appeared approximately 30 minutes later. The flight crew applied the appropriate procedure and set the affected hydraulic pumps to OFF, causing the flight control system to revert to alternate law.

The flight crew diverted the aircraft and landed safely without further incident. The aircraft was kept on the ground for further inspection.

Event Analysis

The same leak in two hydraulic systems

After an initial inspection, the maintenance engineer discovered signs indicating a hydraulic leak that came from the High Pressure (HP) manifold on both the blue and yellow hydraulic systems. They decided to replace both HP manifolds and sent them to Airbus for further analysis.

The hydraulic fluid leak was confirmed as coming from the check valves installed in both the blue and yellow hydraulic system HP manifolds. O-rings reserved only for transportation and storage were found installed on both selectors. The Aircraft Maintenance Manual (AMM) requests the removal of these transportation and storage O-rings before the installation of the check valves on the aircraft. These O-rings are not for operational use as they are not designed to sustain hydraulic system pressure. These transportation O-rings were damaged and were confirmed as the origin of the hydraulic fluid leak.

(fig.1) Check valves of the blue and yellow HP manifolds with their respective O-rings

A maintenance error repeated on two hydraulic systems

Maintenance records showed that the check valves were replaced a few days prior to the event. The same maintenance personnel performed the task on both the blue and yellow manifolds at the same time. They erroneously left the transportation O-rings on both check valves.


CASE STUDY 2

Event Description

Engine fire after landing

An ENG 1 FIRE ECAM warning was triggered on an A320neo aircraft shortly after landing. The flight crew set the ENG MASTER lever to OFF, and pressed the ENG 1 FIRE pushbutton to discharge AGENT 1. The ECAM warning remained, so the flight crew discharged AGENT 2. The warning disappeared and the aircraft safely came to a stop at the gate without further incident.

Event Analysis

Evidence of fire

preliminary maintenance inspection confirmed evidence of fire found on the engine core at the 12 o’clock position. The operator decided to replace engine 1 for further investigation and repair.

Fuel leaking from a fuel nozzle

Further inspection revealed that the engine fire was caused by a fuel leak from a fuel nozzle B-nut that was not torqued to the correct value specified in the AMM. The B-nuts of the other fuel nozzles were also incorrectly torqued, but they showed no sign of leaks.

(fig.2) Example of a fuel nozzle and its B-nuts on an A320neo engine

A maintenance error on engine 1 repeated on engine 2

A check of engine 2 enabled the operator to discover that the fuel nozzle B-nuts were also incorrectly torqued as was the case for engine 1. The correct torque was then applied to all of the engine 2 nozzle B-nuts and there were no further discrepancies.

Maintenance records revealed that the aircraft had a maintenance check 16 days prior to the event. The fuel nozzles of both engines were replaced. The same maintenance personnel performed the nozzle replacement on both engine 1 and engine 2 and improperly torqued their B-nuts.


APPLYING BEST PRACTICES

Operators and approved maintenance organizations should identify when there is the risk of errors being repeated in identical maintenance tasks during a particular maintenance check. This will allow for application of the following best practices to prevent simultaneous failures in redundant systems.

Stagger the scheduling

When possible, avoid scheduling similar maintenance tasks on redundant systems at the same time. This reduces the risk of having a simultaneous failure of the redundant systems as a result of a repeated maintenance error.

Assign different people to redundant systems

If it is not possible to stagger the scheduling of similar maintenance tasks, then a different person or team should carry out the task on each redundant system or component. This reduces the probability of repeating a potential maintenance error made by the same person or team.

Additional inspection and cross-check

Identify the task as one that requires an additional inspection, cross-check, and dual signature verification that the task was completed correctly and in accordance with the maintenance procedures.

Test one system at a time

If a system test or engine run is necessary, the maintenance personnel should ensure that only one of the redundant systems or engines is tested at a time, unless the task provides other specific instructions. This reduces the risk of simultaneous failures or unexpected behavior of the systems/engines during the test.

Always follow the maintenance procedures

As a general rule, strictly adhering to the maintenance procedures reduces the risk of introducing human errors during maintenance tasks.

Regulatory requirements

ETOPS operations

For ETOPS operations, requirements and guidelines shall be applied. For example:

  • US 14 CFR Part 121 section 121.374, “Continuous airworthiness maintenance program (CAMP) for two-engine ETOPS – Limitations on dual maintenance.”
  • FAA AC 120-42, “MAINTENANCE REQUIREMENTS FOR TWO-ENGINE ETOPS AUTHORIZATION – Dual Maintenance” paragraph
  • EASA AMC 20-6 (AMJ 120-42/IL 20). “4. CONTINUING AIRWORTHINESS MANAGEMENT EXPOSITION” chapter.

EU and UK regulations

EU and UK regulations also request that operators establish procedures that prevent the risk of repeating errors on identical systems (independently of the type of operations):

  • EU Part-145: Item 145.A.48(c)(3) and its AMC1 145.A.48(c)(3) & GM1 145.A.48(c)(3)
  • UK CAA Part-145: Item 145.A.48(c) and its AMC 145.A.48(c) & GM 145.A.48(c)

Further information can be found in the following documents available on the Airbusworld/A220World portals:

  • OIT 999.0097/16 “BEST PRACTICES FOR SIMULTANEOUS MAINTENANCE ON REDUNDANT ITEMS”
  • OIT AI/SE 999.0044/99 “DUAL SYSTEM MAINTENANCE RECOMMENDATIONS”
  • The introduction section of the Aircraft Maintenance Manual (AMM) & A220 Aircraft Maintenance Publication (AMP) provides general recommendations related to the risk of human error during maintenance tasks.


Performing similar maintenance tasks on redundant systems at the same time, or by the same person during a particular maintenance check, may lead to the repetition of a maintenance error. This creates a risk of simultaneous failure of the redundant systems when the aircraft is back into service.

There are a range of safeguards or best practices that can be applied to prevent repetition of a maintenance error. These include staggered scheduling of the task, using different personnel to carry out the task, performing an additional cross-check inspection, and requiring a dual signature to verify that the task was correctly carried out and in accordance with the maintenance procedures. Where possible, and unless otherwise specified, carry out a test of one system or one engine run at a time.

In all cases, it is important to correctly apply the maintenance procedures.

Contributors:

Marco FAITA

Customer Support Programme

Jean Philippe JACQ

Product Safety Management

Arturo MARTINEZ GRACIDA

Human Factor in Maintenance

Cyril MONTOYA

Product Safety Enhancement Manager

Prosper PRÉAU

Continuing Airworthiness Expert

Airworthiness & Certification

With Thanks to Ian GOODWIN from Product Safety, Jean- Francois BOURCHANIN from Flight Controls Engineering Support, Denis DURAND from A320 Propulsion Systems