jul-aug2012
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Flight Safety Australia<br />
Issue 87 July–August 2012<br />
41<br />
Under the federated model of system architecture, the various<br />
computers in an aircraft could be thought of as like member<br />
states of the European Union (or any other federation,<br />
Australia even). They worked for a common purpose, but<br />
each component was unique. There was a ‘black box’ for the<br />
autopilot, and a separate black box for the inertial navigation<br />
system, for example. They were able to cooperate closely<br />
in some tasks, but not as closely in others. To stretch<br />
the metaphor: they all used the euro, but their individual<br />
economies were very different.<br />
In contrast, integrated modular avionics, as used on the latest<br />
generation of transport aircraft, including the Airbus A380<br />
and Boeing 787 do away with discrete black boxes. They are<br />
replaced by racks of computer modules, which are, in the<br />
words of an Airbus presentation on the A380, ‘non systemspecific’.<br />
It’s like the way a laptop computer can do duty as<br />
a DVD player. As long as the right peripherals (sensors and<br />
actuators in an aircraft) are in place, a computer can turn<br />
its hand to whatever its software allows. Moreover, multiple<br />
systems applications can be executed on the same computer.<br />
The aircraft’s computers speak to each other on a high-speed<br />
multiplexed network.<br />
Integrated modular avionics bring obvious advantages of<br />
system redundancy and robustness. But they also bring new<br />
and subtle hazards in the way they differ from the old federal<br />
architecture.<br />
The Airbus presentation notes: ‘Resource sharing has a direct<br />
impact on the way to design and implement systems since<br />
it creates new dependencies between them, both from a<br />
technical and a process point of view.’<br />
‘With modern aircraft there are more functions, but not items,<br />
included in the MEL’, Nikolic says. ‘Each of these functions<br />
may be carried out by more than one system, some of which<br />
could be critical systems in the aircraft. You might have a<br />
function that is MEL-able, and to repair that function you need<br />
to replace a critical component. However, we have noticed a<br />
significant number of events that were not reported because<br />
the function was MEL-able.’<br />
One example illustrates the potential hazard. An operator flying<br />
a new technology aircraft reported through the SDR system<br />
that its engineers had removed the thrust control quadrant—<br />
the thrust levers and mounting—twice.<br />
A subsequent audit of the operator revealed 17 removals<br />
over 14 months. ‘We asked “why didn’t you report the other<br />
events?” and they said “they were all MEL-able—we didn’t<br />
have to report them”,’ Nikolic says.<br />
Further reading<br />
Jean-Bernard Itier, Airbus presentation on A380 integrated<br />
modular architecture. http://tinyurl.com/bpn6edq<br />
‘Two removals of the quadrant signified nothing much, but<br />
17 was an unambiguous trend. Here was a serious reliability<br />
issue with a major component—and we didn’t know about it.’<br />
‘We realised from this how the MEL could hide potential<br />
defects. Many of these could be precursors to a major event.<br />
If we are not aware of these failures we are not aware of the<br />
reduced reliability of a critical component and we can’t act. ‘<br />
In modern aircraft everything is connected, Nikolic explains.<br />
‘Unless you do a thorough investigation into the<br />
causes, you cannot establish whether any small<br />
functional failure is related, or not, to a potential<br />
major defect that must be reported.’<br />
Under the revised CAAP 51, the MEL provision not to report<br />
a defect does not exist, and it is up to the operator to do a full<br />
investigation and establish whether a defect is major, after<br />
considering the root cause. If the root cause points towards<br />
the major defect, an SDR must be submitted.<br />
The other reason for redrafting CAAP 51 was a significant<br />
number of questions coming from the industry about<br />
corrosion levels.<br />
‘The previous version did not have specific corrosion level<br />
definitions, or details of the corrosion level that required<br />
reporting to CASA,’ Nikolic says. ‘The new draft provides<br />
specific corrosion level definitions and also explains what<br />
corrosion levels need to be reported through the SDR system.’<br />
One result, Nikolic says, is that aircraft makers will be able to<br />
coordinate their internal corrosion reporting systems with the<br />
new CASA one. ‘If there is an issue in future with corrosion<br />
levels everyone will be on the same page. It reduces ambiguity<br />
in communication.’<br />
Two other significant details have been changed. The revised<br />
CAAP 51 says that when a service difficulty investigation<br />
takes more than two months to complete the submitter should<br />
provide follow-up interim reports every two months.<br />
‘In other words: you need to report every two months, even if<br />
it is only to say you are still working on it,’ Nikolic adds.<br />
And a short but significant sentence, added as item (w) to<br />
appendix A, encourages operators not only to submit major<br />
defects that match examples listed in appendix A, but also any<br />
other information they consider to be important.<br />
To sum up: aviation safety in the age of the Reason model<br />
multi-factor accident depends on information. What information<br />
is reported depends on the reporting system. That has been<br />
fixed—for now—but the game will continue to evolve.