Keywords

The Cycles of Maintenance

Existing regulations require that maintenance for aircraft should be performed periodically according to the schedule defined using manufacturer data. Maintenance periods are accompanied by intermediate checks based on the actual load and annual checks [14]. Unfortunately, as outlined by [58], only a small proportion of world aircraft fleet are maintained according to this schedule.

The lack of an effective policing of maintenance and safety requirements in aviation is a major contributory factor for poor safety and thus provides little benefit for aviation [9, 10]. When safety checks are mandatory and performed by an independent body a certificate for permitted vehicle use is issued. Regretfully, the coverage of checking is highly unlikely to be considered as complete [11], making risk of aircraft use substantial and unavoidable.

Even properly maintained aircraft on the ground does not guarantee reliability and safety of an aircraft during flight. Until now neither control nor flight safety management system has taken into account an information about faults that the aircraft may already have; does not prove or monitor quality of maintenance, does use in real time structural models of aircraft and does check deviations that are developing. This creates a situation where the decision to use the aircraft for the next flight is taken almost voluntarily, based more or less on trust. Note that the quality of certification depends heavily on human factors (existing qualification, training, integrity etc.). The “Observer” publication (21st Aug 2005: “Airline pilots ‘lack basic skills’”) revealed that the risks associated with poor training are real concern in the CA segment). In turn, recent accidents: June 2009 (A330 AirFrance), November 2010 A380, Boeing 747 (Quantas), 2012 complete mishap with A380 wings show that neither design of aircraft nor their control systems are satisfactory reliable.

Two idealistic approaches that might improve maintenance and aviation safety have been pursued so far: (a) changing human nature by special training and retraining (i.e. unfounded optimism) or, (b) changing the world (i.e. improving the quality of maintenance and upgrading landing strips to airfields with proper maintenance facilities), making maintenance obligatory—neither is realistic nor feasible.

What is possible? An answer is in a designing a CPS system that is able to perform high quality analysis of aircraft conditions using accumulated and current flight (or mission) data from aircraft devices and knowledge of aircraft structure. Existing and new information technologies might be extremely helpful to implement this goal by making device and software for this kind of monitor. The results of this real time monitoring of conditions, when necessary, could supply relevant information about the current state of an aircraft for flight crew on board and operators, maintenance team, insurers and designers on ground. This allows correct decisions and “prescribing” procedures for aircraft maintenance. Above all, this analysis can run continuously on board and request recovery or servicing when necessary during and after flight.

The concept of preventive maintenance [10] has been known amongst aviation academics for a long time, but was never actually implemented [7]; two accidents with Rolls Royce engines with two days of 4th and 5th of November 2010 manifest the lack of knowledge and ability to apply them to keep required level of reliability for aircraft engines. To some extent preventive maintenance is progressing in the automotive sector, mostly for aggregation of information of wear of parts and the amount of vehicle use [6], but, again, volume of recalled cars due to poor reliability for Toyota, Mercedes and other brands exceeds hundreds of thousands every year, manifesting that existing concepts of preventive maintenance and quality of design are not sufficient or efficient.

The approach proposed here is called principle of active condition control (PACC), concept of active system safety was registered 20/09/2010 by European OHIM, No 008895674 and patented [14]. At the same time, no matter how good principle was introduced without implementation it has largely rhetoric value. To be implemented PACC must include model of aircraft feasible for real-time application, special on-board hardware and system software. This includes continuous, detailed dependency capture and analysis during development cycle, combined with PACC aircraft model, and combined with real-time analytic focused aggregation and processing of real-time aircraft data. Note that a pilot can’t be involved in handling critical conditions—processes and complexity of control systems as well as aircraft designs do not leave a room for manoeuvre: humans become a weakest link and can’t be considered as an element of active conditional control approach. This system has to monitor aircraft (or vehicle) conditions, call it active condition control monitor (ACCM). To have any credibility, ACCM itself must be ultra reliable in three ways:

  1. 1.

    Always be available, even though the aircraft itself may not be serviced to schedule.

  2. 2.

    Always offer safe and relevant actionable advice based on the current conditions, using previous flight data, current flight data and trustworthy analysis.

  3. 3.

    Present an action plan to conserve or improve conditions by avoiding risk, which is credible in its own right and transparent and clear to the operators, crew and other relevant institutions.

There are some challenges regarding determination of conditions of aircraft during flight: the amount of flight data available is approaching hundreds of megabytes, the complexity of fault free models of aircraft is growing, whilst while modelling of deterioration of aircraft conditions is an order of magnitude more complex.

But PACC has no palliatives: it only has abilities to determine a vehicle conditions and to react timely on their deterioration lowering the risk of use.

Secondly, the reliability of the existing parts of the aircraft will not be improved in the foreseeable future; in fact, they will gradually degrade due to aircraft aging and exploitation. In turn, complexity of modern aircraft complicates an overall reliability improvement.

Thirdly, the reliability of any safety and reliability control system must itself be extremely high (“who watches the watchers?”) and faults possible in it should be isolated in terms of impact on aircraft operation. This kind of systems has to function over the whole life cycle of aircraft, without maintenance (“zero maintenance” approach was proposed by author of this paper in 2007 [15]).

So far, ‘common sense’ suggests an improvement of reliability and safety level using the aircraft’s actual use and then advising on reliability and safety of its future use. This introduces the need of the continuous and instantaneous assessment of the aircraft reliability. Thus, to implement active conditional monitoring one has to use current and accumulated flight data and create a model of aircraft, capable of assessing point availability in real time. Additionally, to produce a quality real-time result a CPS system framework must be instituted to reliably handle the vast information ingest and data interchange. Simultaneously, the framework must analytically process fast enough to provide a productive instantaneous assessment of the situation and thus an actionable predictive human usable result. Using this might improve mission reliability, i.e. the probability of successful completion of the flight. Above all, it is necessary to predict potential risks/faults and anticipate corrective or preventative action to improve/maintain safety of operation and its successful completion.

Information Content Management and Active Conditional Control

Modelling dependencies of vast arrays of components within an aircraft for PACC is arduous and complex. Here we discuss how PACC can be applied to existing designs and discuss the added benefits of planning for PACC from the beginning of a new design cycle to achieve optimal performance. Hence, how much knowledge is enough knowledge? What threshold of knowledge must be achieved about a system or a set of its components to make an informed PACC decision? How coupled or decoupled is the existing design? These are questions which have discrete answers when discussed within discrete contexts. For example, a system might have a functional requirement to include an oil pump. The pump will be rated as viable to a certain amount of use/miles/flight hours etc. and hence, due to the imperfect nature of reality, has a set of design parameters which provide information about a range of usage as opposed to an exact time. The oil pump is also a core sub-component of a larger system which has its own range(s) and set of independence and inter dependencies. Historically, Complexity Theory [16] provides solutions to minimizing information content and understanding design ranges, functional requirements, dependencies, design parameters, & constraints, as well as, the coupling and decoupling within a design. PACC takes advantage of complexity theory by maximizing effectiveness thru minimizing the amount of information content, as shown in Fig. 15.1, necessary to understand a situational range and to solve the right problem. If PACC planning is performed early during the beginning of a design cycle, an optimized model is produced a priori, and hence PACC has a more accurate model as initial input. This minimizes the time and analysis required to implement PACC for a given design.

Fig. 15.1
figure 1

Information axiom minimizing information content [17]

Full size image

Preventive Maintenance Versus Active Conditional Control

Current monitoring and maintenance systems do not provide in-depth knowledge of aircraft conditions; they suffer from latent (hidden) faults and therefore do not prevent or reduce the degradation of safety. In principle, any conditional monitoring system is implementing generalised algorithm of fault tolerance (GAFT) as introduced in [12], (see Fig. 15.1). In such systems, steps A, B, D, and E in Fig. 15.2 are not implemented in real time of mission. It is clear though that real time implementation of GAFT is essential for the purpose of active condition control. PACC implementation includes a use of several types [12] of redundancies deliberately introduced in the system for implementation of steps of the algorithm Fig. 15.2. However, the choice of redundancy limits the design process when new features of an object are pursued.

Fig. 15.2
figure 2

The algorithm to implement PACC

Full size image

The obvious question is: how active conditional control affects reliability and scheme of maintenance of an object? A simple answer is identification of condition or state and actions to tolerate/reduce consequences makes possible to avoid risky developments and, therefore, reduce harm and increase safety. An analysis of the potential for reliability gain from PACC implementation is the goal of this work.

The primary functions of ACCM are the evaluation of conditions and when necessary execution of preventive maintenance. Maintenance here is considered in a broad sense including PACC implementation of maintenance-on-demand during and after flight as well as an increase of quality of periodic maintenance.

An aircraft is an object, with cyclic operation that in principle includes preventive maintenance procedures. In practice it is hardly the case. The approach to periodic maintenance of aircraft is based on assumptions (which are sometimes quite naive and over-optimistic) about the guaranteed high quality of maintenance. Even when this periodic maintenance does take place the resulting state of an aircraft is very difficult to analyse. Additionally, flight information, estimation of condition of aircraft, its main structural elements as a system does not correspond to before, during, and after flights periods.

Preventive maintenance for aircraft, as well as for other complex technological objects with safety–critical functionality, was introduced in the early 1960s [10]. A simple Google search yields 1.3 million references for preventive maintenance. Aviation-related preventive maintenance is discussed at least 96 K references. At the same time, theory of preventive maintenance is mentioned in less than 100 references.

A possible reason for this gap difference is in the fuzziness of the meaning of “preventive maintenance” and the justification of its proper application. Usually those who use the term consider “preventive maintenance” from the position of business school courses for managers of airports and aircraft service centres. The real meaning of the theory of preventive maintenance unfortunately is not widely understood or well explained.

To the best knowledge of the author, Prof. A.Birolini [3] developed the most comprehensive analysis of preventive maintenance with rigorous check of required assumptions. An objective of this work is to apply this approach in the aviation domain, assuming real-time checking of the aircraft condition and ability of prediction of conditions deterioration.

The preventive maintenance might increase confidence about the aircraft’s current state. To achieve this one requires the development of an aircraft model as well as model for estimating an impact of fault on the system. One has to take into account an estimation of efficiency of this implementation.

Challenges in the area of preventive maintenance are:

  • Dependence of the periods of preventive maintenance on parameters and data.

  • Role of checking and testing coverage on quality parameters.

  • Development of generalised model including these two factors.

The last bullet point deals with efficiency of processing of flight data and evaluation of system condition pre, during, and post mission. Then preventive maintenance development is based upon:

  • Introducing of PACC.

  • Development of a model for preventive maintenance based on conditional probability.

  • Reasoning and inference about assumptions of preventive maintenance.

  • Analysis of main factors that influence on the period of preventive maintenance.

  • Evaluation of an impact that PACC has on the policies of preventive maintenance.

Some criteria for judging PACC success are:

  • How big is a gain of PACC in comparison with classic preventive maintenance?

  • Can PACC allow varying periods of maintenance as a function of a condition of an aircraft proven/evaluated/estimated during flight, using flight data processing?

  • Can PACC’s real-time ingest and analysis, provide finer grained fidelity to in-flight system health inferenceing and to post flight cause-effect analysis?

  • What level of mission reliability can realistically be achieved?

It is certain that full coverage of all possible faults of the complex systems cannot be achieved in practice. It is also certain that 100 % level of confidence of estimations of aircraft conditions cannot be guaranteed. So, how far can we go here? Can we provide clear and substantial coverage of faults and define trends especially the most dangerous ones that lead to accidents? How does a PACC implementation define or change the period of preventive maintenance? Can PACC support required maintenance by location of possible faults, and does it reduce the overall inspection time? It is at least intuitively clear that implementation of PACC increase flight safety and aircraft reliability. However, justification of the gain might be required to achieve economic efficiency of a PACC implementation.

PACC, Conditional and Preventive Maintenance

Preventive maintenance estimations deal with processes of system degradation due to wear and tear, i.e. due to ageing of materials and the effects of utilisation. Purpose of conditional maintenance is to detect hidden faults and to anticipate latent faults to avoid their occurrence in a timely way and thus avoid actual fault impact on the system. The so-called latency of the fault is a phenomenon of the possible trend of a parameter, which is related to a fault (or faults). Latency also might have another reason, caused by erroneous decoding of a fault. This happens when the aircraft or vehicle is used in limited modes of flight and/or recorded parameters and variables are not representative, etc.

Let us consider an aircraft as a repairable structure with periodic maintenance at TPM, 2TPM,…; at t = 0 consider the aircraft as new. Initially we analyse the aircraft reliability assuming that the elapsed time of periodic maintenance is negligible in comparison with the time of aircraft operation—(quite a realistic assumption as ~300 flight hours correspond to ~0.5 h of maintenance in commercial aviation, further (CA).

Further research might introduce a non-negligible period of maintenance (PM). There are other factors that influence reliability: repair time, incomplete coverage of testing and quality of maintenance. It might be interesting to investigate more advanced features and assumptions derived for PACC implementation for an aircraft implementation such as sensitivity to coverage of testing, reduction of maintenance time due to real time (RT) processing of flight data and growth of maintenance quality. Recent papers [12, 13] cover the role of malfunctions in reliability of the system and initiates research in this direction. Other promising research areas in reliability modelling are:

  • The impact of the volume of data on quality of evaluation of vehicle condition.

  • Time of processing of flight (current) data.

  • Reliability vesus models available (“are the structure models available good enough?”).

  • The impact of flight data on safety (“how much we need to know to be safe?”).

In data dependencies further areas of required research are:

  • The relationship between accumulated and current flight data to define condition.

  • Data integrity in the long term (distillation of flight data trends).

  • The efficiency of data access for evaluation of conditions according to PACC.

Organizationally, a better policy of maintenance can be developed if the fundamental model includes in its implementation plan, the introduction of support for unavoidability of maintenance procedures and spreading the cost of maintenance. Both features should be considered for maintenance policies with and without PACC implementation. This research is also might be helpful in convincing insurance companies to revisit current policies existing at the aircraft and similar markets.

Conditional Maintenance

Let us assume that maintenance takes negligible time, relative to the operational life of the aircraft. Four options are possible here:

  1. 1.

    PM is not performed and the aircraft is considered as good as new.

  2. 2.

    PM is not performed and the aircraft is considered as non-suitable for further flights (e.g. because some resource necessary for flight is exhausted).

  3. 3.

    As a result of testing procedures the aircraft is considered not to be flight worthy (due to insufficient test completeness or test trustworthiness) and PM is not performed.

  4. 4.

    The aircraft is considered to be potentially not flight worthy and PM is performed instead of a full-scale repair.

The fourth assumption is now explored. Ideal maintenance assumes that at times 0, TPM, 2TPM,… the system (aircraft) is ‘as good as new’. The reliability function for the aircraft without preventive maintenance is:

$$ {\text{R}}\left( {\text{t}} \right) = 1- {\text{F}}\left( {\text{t}} \right) \;{\text{for}}\; {\text{t}} > 0,{\text{ R}}\left( 0 \right) = { 1} $$
(15.1)

where F(t) is the distribution function of the failure-free operating time of a single item structure and, for simplicity, it is assumed that it is represented by the exponential distribution F(t) = 1−e−λt in the period t, and λ is constant. Introducing conditional maintenance changes the form of the reliability function for the aircraft as follows:

$$ R_{PM} \left( t \right) \, = \, R^{n} \left( {T_{PM} } \right)R\left( {t - nT_{PM} } \right)\quad {\text{for}}\;{\text{nT}}_{\text{PM}} < {\text{ t }} \le \, \left( {{\text{n}} + 1} \right){\text{T}}_{\text{PM}} \;{\text{and}} \;{\text{n}} = 0, 1, 2, \ldots $$
(15.2)

R(t) and RPM(t) give the probability for no failures (faults) in the period (0, t), without and with ideal maintenance.

If an aircraft is considered as a system without maintenance and repair then its reliability in its simplest form (assuming a constant failure rate λ) can be presented by the reliability function given by (15.3):

$$ R(t) = e^{{ - \lambda {\text{t}}}} $$
(15.3)

R(t) per Eq. (15.3) is depicted in Fig. 15.3, with λ = 0.3 and time parameter t = [0…10]. Figure 15.2 solid line is R(t), dashed line is threshold R o . Threshold 0.2 was chosen very low to increase visibility. The dot-and-dash line marks the point where R o is reached the system condition when aircraft or system should be put out of service.

Fig. 15.3
figure 3

Reliability function R(t) for the case of constant failure rate λ

Full size image

The threshold R o (straight line) represents the minimum level of system reliability required to continue safe operation. For this example, R o  = 0.2 (chosen particularly low to increase visibility), the reliability approaches the threshold R o at time 5.4. Aircraft in modern management schemes should be serviced when aircraft condition reaches a certain level. This approach is known as conditional maintenance. Usually evaluation of conditions of aircraft after maintenance is overoptimistic and assumes, in particular, that maintenance fixes all possible faults in the aircraft. This makes it possible to set maintenance procedures periodically, at times when the model shows that reliability is reaching the point when maintenance is necessary and considering an aircraft as good as new after maintenance.

Note that assumptions of ideal conditional maintenance and threshold level of reliability allowed are combined to define the size of intervals between maintenance activities. Existing practice tends to set maintenance intervals to be equal. Formally, the reliability function R PM (t) with ideal conditional maintenance is based on the following assumptions:

Assumption 1

100 % coverage i.e. maintenance restores the system completely

Assumption 2

The interval between two successive maintenances is constant: T PM

Assumption 3

Maintenance is produced instantly and does not delay the usage schedule

In such a situation, it is possible to consider a mission reliability MR(t) as reliability function between two successive periodic maintenance actions, i.e. with t starting by 0 at each maintenance phase. For the case of constant failure rate λ this leads to (see Fig. 15.3).

$$ MR(t) = e^{{ - \lambda (t - nT_{PM} )}} ,\quad {\text{for}}\; {\text{nT}}_{\text{PM}} < {\text{t}} \le \left( {{\text{n}} + 1} \right){\text{T}}_{\text{PM}} ,{\text{ n}} = 0, 1, 2, \ldots $$
(15.4)

It is also possible to consider MRn(t) and assign the mission reliability to the corresponding mission. As stated above, it is assumed that periodic ideal conditional maintenance restores the system to the state ‘as good as new’. The approach is well known in aviation and other safety critical industries as it enables reliability theory to be applied for estimation of conditions of the system over life cycle of operation. Note here that this kind of reliability models is quite optimistic and can, at best, be used as a guide: firstly intervals between maintenance inspections are rarely equal because aircraft are now used heavily e.g. in chain flights, with interval between flights less than 1.5 h; secondly, commercial aviation suffers from sporadic and far from perfect maintenance; thirdly as shown in [1] and above, the quality of regular maintenance across all segments of aviation is far from ideal. The main causes for this are a) the maintenance personnel, and b) lack of objective models to define conditions of aircraft. Additionally, latent aircraft faults often exist quite a long time: from some minutes up to several years see for example recent case with A380 multiple wing defects). Therefore, more realistic assumptions are required for estimation of mission reliability.

Figure 15.4 presents a mission reliability function with ideal periodic maintenance, where the solid curve is the mission reliability function, the dashed bottom line is the acceptability threshold, and the dot-and-dash line indicates the perfectly reliable state of the system, i.e., 100 % reliable. It is assumed full coverage of ideal maintenance that returns the system to the state ‘as good as new’, and maintenance periods are: TPM, 2TPM,…,nTPM.

Fig. 15.4
figure 4

Mission reliability with ideal preventive maintenance

Full size image

Conditional Maintenance with Incomplete Coverage

Regretfully, the optimism of existing declarations about the quality of maintenance and complete coverage of the system faults has short lived: in November 2010 alone aircraft accidents with A380 and Boeing 747 and A380 2012 multiple wings mishaps show that coverage is far from required level. Denote coverage as α, α < 1. The mission reliability function assumptions are formally presented below for the case of maintenance with incomplete coverage:

Assumption 1

Coverage is not 100 %. Coverage percentage is 100 α%, where 0 < α < 1, and is assumed to be constant over all maintenance actions

Assumption 2

Maintenance is instantaneous and doesn’t delay aircraft schedule

Assumption 3

A threshold MR 0 of acceptable mission reliability is given (fixed)

Assumption 4

T PM is a function of several variables, including α, λ and MR 0

Mission reliability is then calculated according to:

$$ MR(t) = \alpha^{\kappa } e^{{ - \lambda \left( {t - \sum\limits_{i = 0}^{n} {T_{PM} (i)} } \right)}} \quad {\text{for}}\;\sum\limits_{i = 0}^{n} {T_{PM(i)} < t \le } \sum\limits_{i = 0}^{n + 1} {T_{PM(i)} ,T_{PM(0)} = 0} \;{\text{n}} = 0, 1, 2\ldots $$
(15.5)

The resulting mission reliability curve for this case is presented in Fig. 15.5. Equation (15.5) is in particular true for α ≈ 1. Note that system is as good as new after the n-th PM and that as well a n restart by 0 at each corrective maintenance yielding system as good as new. It is now assumed that maintenance takes place when the system (an aircraft) reaches the threshold reliability i.e. when:

$$ MR\left( t \right) = MR_{0} $$
(15.5a)
Fig. 15.5
figure 5

Conditional periodic maintenance with incomplete coverage

Full size image

This case has some theoretical interest, as it might be useful to analyse the role of all the variables that define behaviour of period of maintenance T PM .

Calculating T PM (i), for i = 1,2,…,n, and taking into account the role of the other variables such as MR 0, α and λ; then T PM (i) is given as:

$$ T_{PM} (i) = \frac{1}{\lambda }\ln \frac{{\alpha^{i - 1} }}{{MR_{0} }},\quad {\text{i }} = { 1}, 2, \ldots $$
(15.6)

This model is more realistic, enabling to schedule maintenance when the system (aircraft) reaches the threshold of acceptable mission reliability. Observe here that the interval between successive maintenance inspections T PM (i) is shrinking significantly along life cycle of aircraft operation. The relative decrease can be evaluated by the rate of decrease of ΔT PM (i):

$$ \Updelta T_{PM(i)} = \frac{{T_{PM(i)} - T_{PM(i + 1)} }}{{T_{PM(i + 1)} }} $$
(15.6a)

or, by the function of the interval index:

$$ \Updelta T_{PM} = \frac{{T_{PM(i)} - T_{PM(i + 1)} }}{i} $$
(15.6b)

Figure 15.5 presents the function of mission reliability for the case of periodic maintenance with incomplete coverage. The solid curve is the mission reliability curve, the dashed line is the threshold, and the dot-and-dash line indicates the perfect reliable state of system, i.e. as if 100 % reliable. It is assumed that while the threshold is reached, maintenance is carried out. But for this example, because of incomplete coverage, the mission reliability of the system cannot return to 100 % after maintenance, and the amplitude of recovery of conditions after iterations of maintenance gradually degrades over time.

The actual condition of aircraft varies between thresholds MR o and MR(t) between two successive maintenances. When mission reliability approaches MR o it should be grounded in the interests of safety. Maintenance period shown with picks defined by TPM, 2TPM, 3TPM,… etc.

Maintenance with Implementation of PACC

PACC introduces a new CPS process in aircraft management: on-line checking of the aircraft’s condition. On-line checking is a process of real-time (during the flight) checking of the aircraft’s main elements, including hardware (in general), electronics and pilot. The aim of checking is detection of degradation or change in behaviour and, when possible, recovery of the suspected element or subsystem, conserving the system’s reliability and safety. When recovery is not possible the preventive nature of PACC aims to reduce the level of danger, risk etc.—aiming for graceful degradation of an object or service quality to the object’s users.

The Process of Checking and the Process of Maintenance are independent in principle; thus they can be considered as concurrent processes as well as sequential ones. The checking or maintenance activities can be started when required, when possible or just when convenient. The main idea here is to carry out checking well in advance when mission reliability MR(t) is higher than threshold reliability MR 0 , making degradation of the aircraft conditions during flight less probable.

When applied together the processes of checking and conditional maintenance may increase the reliability of the system. The gradient of this change is a function of the quality of checking (coverage) and the quality of maintenance.

For consistency of analysis of the impact of PACC implementation we introduce following conditions:

  • A constant failure rate.

  • Maintenance is not ideal and coverage is less than 100 %.

  • Minimum acceptable reliability threshold is introduced as before.

Some other assumptions relate to the checking process. Formally, the mission reliability function for preventive maintenance with an introduced online checking process is based on the following assumptions:

Assumption 1

Coverage of maintenance is not ideal. Coverage of maintenance is αM100 %, where 0 < αM < 1, and αM is assumed as a constant

Assumption 2

Threshold MR 0 exists for MR (t)

Assumption 3

Online checking process is introduced. The period for checking is T PC and T PC is a constant

Assumption 4

The system can dynamically scale. Thousands of checks may have to occur within different time intervals. The resource processing pool is tuned via scalable processes to keep T PC a constant per each required check

Assumption 5

After each online checking, the confidence about the system’s conditions is increased, therefore MR(t) is also increased, and this confidence is αC100 %, while 0 < αC < 1 and αC is a constant

Assumption 6

The period between two successive maintenance inspections is T PM (i). T PM (i) is a variable, actually a function of i, R 0, αC, αM, λ and T PC

The mission reliability function (rigorously speaking conditional probability of absence a failure in the previous checking period as it is clarified below) for an aircraft is then calculated according to:

$$ MR(t) = MR_{i} \alpha_{c}^{n} e^{{ - \lambda \left( {t - nT_{PC} } \right)}} ,\quad {\text{for}}\; {\text{n}}\;{\text{T}}_{\text{PC}} < {\text{t}} \le \left( {{\text{n}} + 1} \right){\text{T}}_{\text{PC}} ,\;{\text{n}} = 0, 1, 2, \ldots $$
(15.7)

.

For MR(t) in Eq. (15.7) n stands for the n-th on-line checking period. For a new system, MR0 = 1. MRi follows from Eq. (15.5) as

$$ MR_{i} = \alpha_{M}^{i} ,\quad {\text{i}} = 0, 1, 2 $$
(15.7a)

where i corresponds to the ith maintenance period, MRi denotes the initial value of mission reliability at the beginning of a maintenance period, \( MR_{i} \alpha_{c}^{n} \) denotes the initial value at the beginning of an online-checking period respectively. Note that n in Eq. (15.7) start at 0 at each maintenance period;

When the mission reliability of an aircraft reaches the threshold MR o it should be grounded awaiting for preventive maintenance, so:

$$ MR_{i} \le MR_{0} $$
(15.7b)

.

From a practical point of view, the online checking period should be constant, as per Assumption 3 above, and the checking procedure should start at the beginning of the following period. Suppose initially that checking takes no time, and maintenance will be carried out instantly. Even if time delay due to the checking process has to be considered, we still assume that the maintenance is carried out only at the end of the following online-checking period. Let index n be the serial number of an online-checking period, and index i be the serial number of a maintenance period. The online-checking period T PC and the maintenance period T PM(i) relates as:

  • The online-checking period T PC is a constant, the maintenance period T PM(i) is a variable.

  • T PM(i) contains a certain number of T PC.

.

With these assumptions mission reliability per Eq. (15.7) is shown on Fig. 15.5.

Figure 15.6 is an example of a mission reliability function under conditional maintenance with on-line checking, where the solid curve is the mission reliability curve, the dashed line is the threshold, and the dot-and-dash line indicates the perfect reliable state of system, i.e., 100 % reliable. As shown on Fig. 15.6, once an on-line checking period arrives, the latest system states are measured and analysed.

Fig. 15.6
figure 6

Preventive maintenance with on-line checking

Full size image

After each online-checking process the latest system states are available and, therefore, the awareness and confidence about the system both recover a little bit (subject to no faults being detected), so does the mission reliability curve. When the mission reliability reaches the threshold, maintenance is carried out just as with preventive maintenance in Fig. 15.5. The rate of mission reliability degradation is a topic for further investigation, searching for the ways to slow down a system degradation using ICT technologies.

When no maintenance is scheduled for a long time (the actual situation in commercial and general aviation) the mission reliability of an aircraft will reach the threshold MR o . The rate of mission reliability with on-line checking in fact decreases slightly faster, due to added unreliability of checking system itself. Checking with subsequent maintenance, on the contrary, increases mission reliability. The gap of confidence between a point in time before checking and after the checking will from now on be referred as a corridor of mission reliability.

The Mission Reliability Corridor: Introduction and Definitions

The basic model of a mission reliability corridor δ is defined using practical assumptions and a set of scenarios as in the previous sections.

Suppose no serious system faults occur, and then the mission reliability corridor is defined as the safe operational area where the curve is normally expected to stay under the online-checking scheme. The corridor defines the value that mission reliability curve could reach in each on-line checking period, and, therefore, corridor effectively helps to decide when to carry out maintenance in order to avoid violating the given threshold. On the other hand, the ‘width’ of the mission reliability corridor will help to define the requirements for software and hardware of the system that perform conditional control. Prediction or estimating of system condition depends on volume of data, complexity of a model used and performance of hardware, all integrated into allowable or not time delays. The corridor is plotted in Figs. 15.7, 15.8, 15.9, 15.10, and 15.11 and represented as dotted lines.

Fig. 15.7
figure 7

Mission reliability corridor as a function of number of iterations

Full size image
Fig. 15.8
figure 8

Mission reliability corridor as a function of time

Full size image
Fig. 15.9
figure 9

On-line checking performance requirement—β gap

Full size image
Fig. 15.10
figure 10

Mission reliability with calculation after the checking period

Full size image
Fig. 15.11
figure 11

Mission reliability with checking for reaching boundary

Full size image

Definition 1

In each online checking period, the width of the corridor δ is a constant and time independent. During the n-th online checking process a mission reliability corridor δ(n) is a function of n with width and given as:

$$ \delta (n) = MR(nT_{PC} ) - MR((n + 1)T_{PC} ) $$
(15.8)

Clearly the corridor under this definition becomes too conservative at the end of each online checking period; the cause is that the amplitude of coverage by on-line checking shrinks as time goes on, as illustrated in Fig. 15.7.

In other words, the upper boundary δU(n) and the lower boundary δL(n) of the mission reliability corridor in Fig. 15.7 are given respectively given as:

$$ \delta_{U} (n) = MR(nT_{PC} ) $$
(15.8a)
$$ \delta_{L} (n) = MR\left( {(n + 1)T_{PC} } \right) $$
(15.8b)

In Figs. 15.7, 15.8, 15.9, 15.10, and 15.11, the solid plot line is the mission reliability curve, the dashed line is the threshold level, and the dot-and-dash line is the initial reliability level. The dotted lines around mission reliability curve show the corridor, and the vertical dotted lines indicate online-checking periods.

Definition 2

A time-varying corridor with the width δ varies over time within each online checking period. For the n-th online checking process δ(t) is given as:

$$ \delta (t) = MR\left( {nT_{PC} } \right)\alpha_{C}^{{\left( {t - nT_{PC} } \right)/T_{PC} }} \left( {1 - e^{{ - \lambda T_{PC} }} } \right),\quad nT_{PC} \le t < \left( {n + 1} \right)T_{PC} $$
(15.9)

Actually, \( MR\left( {nT_{PC} } \right)\alpha_{C}^{{\left( {t - nT_{PC} } \right)/T_{PC} }} \) in Eq. (15.9) defines the upper limit of the corridor at time t. Assume a hypothetic system with mission reliability of the same value at the upper limit of the corridor at time t, then \( MR\left( {nT_{PC} } \right)\alpha_{C}^{{\left( {t - nT_{PC} } \right)/T_{PC} }} \left( {1 - e^{{ - \lambda T_{PC} }} } \right) \) is the mission reliability after an online checking period T PC . The width of the corridor δ at time t, δ(t) equals the difference between the upper limit of the corridor at time t and the reliability of a system at time t + T PC . It is evident that the width of corridor varies over time.

The corresponding corridor of the reliability curve is illustrated in Fig. 15.8. Note that it shrinks with the amplitude of coverage by on-line checking.The width of the reliability corridor in Fig. 15.8 is given as follows:

$$ \delta (t) = R\left( {nT_{PC} } \right)\alpha_{C}^{{\left( {t - nT_{PC} } \right)/T_{PC} }} \left( {1 - e^{{ - \lambda T_{PC} }} } \right),\quad nT_{PC} \le t < \left( {n + 1} \right)T_{PC} . $$
(15.9a)

In other words, the upper boundary δU(n) and the lower boundary δL(n) of the mission reliability corridor in Fig. 15.8 are given respectively as:

$$ \delta_{U} (t) = R\left( {nT_{PC} } \right)\alpha_{C}^{{\left( {t - nT_{PC} } \right)/T_{PC} }} ,\quad nT_{PC} \le t < \left( {n + 1} \right)T_{PC} $$
(15.9b)
$$ \delta_{L} (t) = R\left( {nT_{PC} } \right)\alpha_{C}^{{\left( {t - nT_{PC} } \right)/T_{PC} }} \;e^{{ - \lambda T_{PC} }} ,\quad nT_{PC} \le t < \left( {n + 1} \right)T_{PC} $$
(15.9c)

Clearly, this corridor is much less conservative than introduced by Definition 1.

Defining the Frequency of the On-line Checking Process

Assumption 1

Online checking process starts at the beginning of each period of use.

Figure 15.9 illustrates impact of time required for real time data processing on mission reliability, where the dotted lines are used to indicate each on-line checking period, which in this case is set as 2-time-units long. Because the measurement and analysis of the latest system states can not be completed immediately at the beginning of each on-line checking period, the awareness and confidence about the system are not improved until these data are available, and therefore there is a delay β on the coverage of the mission reliability curve in each online checking period. So β is the time required for data processing, which may vary, and has an upper bound β max , i.e., β  β max . The worst case should be:

$$ \beta_{max} = {\text{T}}_{\text{PC}} $$
(15.10)

The question is, what is the influence of a data processing delay on the definition of the corridor, i.e. the impact of \( \beta_{max} \) on δ(t), assuming the second definition of a corridor is adopted? When \( \beta_{max} n \) is taken into account, δ(t) should be calculated by:

$$ \delta (t) = MR\left( {nT_{PC} } \right)\alpha_{C}^{{\left( {t - nT_{PC} } \right)/2T_{PC} }} \;\left( {1 - e^{{ - 2\lambda T_{PC} }} } \right),\quad nT_{PC} \le t < \left( {n + 1} \right)T_{PC} $$
(15.11)

Compared with “T PC ” in Eq. (15.9), “2T PC ” in Eq. (15.11) embodies the maximum delay due to online data processing, in the case that β max is almost out of synchronization with TPC in its period.

Avoiding R 0 Being Violated in the Corridor When Delay Occurs

Implementation of principle of active conditional control requires that mission reliability should not fall below the threshold R0 even in when β max is taken into account. This could be achieved in one of three methods:

Method 1. Within each online checking process, when data processing is finished, check whether the mission reliability is below the threshold R 0. In this case, due to the delay caused by data processing, the threshold could be violated. Figure 15.10 shows that when online checking is carried out at time 30 the mission reliability is above the threshold but then goes below the threshold when the online checking process is finished at time 32.

Method 2. In each online checking process, check whether the bottom line of the corridor is below the threshold R 0, i.e.:

$$ MR_{I} \alpha_{C}^{{\left( {n - n_{AM} } \right)}} \alpha_{C}^{{rem\left( {t,T_{PC} } \right)}} - \delta (t) \le R_{0} $$
(15.11b)

where the first term of the relation defines the top of the corridor, and “rem” signifies the remainder after dividing t by TPC. The result of applying this method is illustrated in Fig. 15.11. The maximum delay, i.e. T PC , is taken into account when defining the width of corridor in (Eq. 15.11) so that the mission reliability is always within a corridor even when there is data processing delay. Consequently, the mission reliability in Fig. 15.11 never reaches the lower threshold because maintenance is carried out in time before the bottom of corridor touches the threshold.

Method 3. Define a buffer zone, i.e. [MR 0, R B ] then in each online checking process, check whether the mission reliability is within the buffer zone, i.e.,

$$ MR\left( {\left( {n + 1} \right)T_{PC} } \right) \leq MR_{0} + \, MR_{B} $$
(15.11c)

The result of introducing a buffer zone is illustrated in Fig. 15.12, where the buffer zone is represented as the area between the dashed line and the dot-and-dash line. Due to the delay caused by online data processing there is a possibility that the reliability will ‘enter’ the buffer zone. Once this happens, maintenance must be carried out in order to avoid the reliability going further below the threshold.

Fig. 15.12
figure 12

Mission reliability with checking within a buffer zone

Full size image

Maintenance Versus PACC

Previous sections show that preventive maintenance with PACC is more efficient than known conditional or preventive maintenance approaches. The quantitative analysis might help to see how much. Comparisons might be performed using time between two successive maintenance sessions, the lifespan of the system under a certain maintenance strategy, and how many times maintenance is carried out during the life time of system. But here we propose an integration of mission reliability over a given time period, i.e. the volume of the area encircled by the mission reliability curve and the reference axes. A main reason for this index is to compare schemes of conditional control and preventive maintenance as introduced above.

The integration values of mission reliability under conditional maintenance and preventive maintenance with PACC are calculated by Eqs. (15.12), (15.13) respectively:

$$ V_{CM} \left( {T_{1} } \right) = \int\limits_{0}^{{T_{1} }} {MR_{CM} (t)dt} , $$
(15.12)
$$ V_{PM} \left( {T_{2} } \right) = \int\limits_{0}^{{T_{2} }} {MR_{PM} (t)dt} , $$
(15.13)

where MR CM (T) and MR PM (T) are given by Eqs. (15.3) and (15.5).

Then efficiency of the preventive maintenance with PACC over conditional maintenance can be assessed as:

$$ y\left( {T_{1} ,T_{2} } \right) = \frac{{V_{PM} \left( {T_{2} } \right) - V_{CM} \left( {T_{1} } \right)}}{{V_{CM} \left( T_{1} \right)}} $$
(15.14)

Let us assume T 1 = T 2. This means we compare the mission reliability of system with preventive maintenance with PACC with the one with conditional maintenance in a same period of time. Figure 15.13 gives an example of such a comparison, where T 1 = T 2 = 40.

Fig. 15.13
figure 13

Efficiency of conditional and preventive maintenance with PACC

Full size image

For Eqs. (15.12) and (15.13): V CM (40) = 15.5961, V PM (40) = 18.5084 and Y(40) = 0.1867.

V PM (40) > V CM (40) means that in the specified 40 unit time period the system under preventive maintenance with PACC has a higher reliability, in other words, the efficiency of preventive maintenance using PACC is about 20 % better compared with conditional maintenance. Accordingly Fig. 15.13 preventive maintenance with PACC could increase period between two sequential maintenance sessions, therefore overall cost of maintenance for a vehicle reduces.

Let T 1 and T 2 be the lifespan of the system under preventive maintenance with PACC and conditional maintenance, respectively. Then the value of y in Eq. (15.14) can be used to assess how much extra reliability the adoption of preventive maintenance has created relative to a conditional maintenance scheme.

Comparison of the left and right boxes of Fig. 15.14 shows that the conditional maintenance system will no longer be able to recover after point 44.6 in time, while under the preventive maintenance with PACC, the critical time is 129.1. One can then easily deduce from Eqs. (15.12) and (15.13) that:

$$ V_{CM} \left( { 4 4. 6} \right) = 1 6. 6 70 7, \;V_{PM} \left( { 1 2 9. 1} \right) = 50. 2 6 70 $$

and

$$ \left( {V_{PM} \left( { 1 2 9. 1} \right) \, - V_{CM} \left( { 4 4. 6} \right)} \right)/V_{CM} \left( { 4 4. 6} \right) \, = { 2}.0 1 5 3 $$
Fig. 15.14
figure 14

Comparison of efficiency of conditional and preventative maintenance with PACC

Full size image

Thus, the efficiency of preventive maintenance is improved by over 200 % compared with conditional maintenance. Figure 15.14 shows the result in a more intuitive way.

The indexes defined in Eqs. (15.12), (15.13) and (15.14) can be extended to compare preventative maintenance with the classical reliability function. It is worth to compare them at first within the same time period, as illustrated in Fig. 15.14:

$$ \begin{aligned} {\text{V}}_{\text{CRF}} \left( { 40} \right) = & 3. 3 3 3 6,{\text{V}}_{\text{PM}} \left( { 40} \right) = 1 8. 50 8 4,\;{\text{and}} \\ & \left( {{\text{V}}_{\text{PM}} \left( { 40} \right) \, - {\text{ V}}_{\text{CRF}} \left( { 40} \right)} \right)/{\text{V}}_{\text{CRF}} \left( { 40} \right) \, = { 4}. 5 5 2 1\\ \end{aligned} $$

Let us estimate gain in mission reliability for the systems with implemented active conditional control against the standard system for the whole period of functioning. The classical mission reliability function reaches the threshold at the time 5.4 (Figs. 15.15 and 15.16). When preventive maintenance with PACC is applied the mission reliability declines to lower bound much slower—after the time 129.1, and then one has:

$$ \begin{aligned} {\text{V}}_{\text{CRF}} \left( { 5. 4} \right) \, &= 2. 6 7 3 9,\\ {\text{ V}}_{\text{PM}} \left( { 1 2 9. 1} \right) &= 50. 2 6 70\;{\text{and}}\, \left( {{\text{V}}_{\text{PM}} \left( { 1 2 9. 1} \right) \, - {\text{ V}}_{\text{CRF}} \left( { 5. 4} \right)} \right)/{\text{ V}}_{\text{CRF}} \left( { 1 2 9. 1} \right) \, = { 17}. 7 9 9 1\\ \end{aligned} $$
Fig. 15.15
figure 15

Comparison of the CLASSIC reliability function and preventative maintenance with PACC

Full size image
Fig. 15.16
figure 16

Classical reliability function versus preventative maintenance

Full size image

Figure 15.16 illustrates the significant advantage in mission reliability when preventive maintenance with PACC is applied in comparison with the system described by classic mission reliability.

Conclusions

  • The Principle of Active Conditional Control has been analysed in terms of the mission reliability gain for aircraft maintenance. The Classical, Conditional and Preventative approaches to maintenance have been compared quantitatively.

  • Principle of Active Conditional Control assumes continuous application of knowledge of aircraft structure and results of flight data aiming to improve safety and mission reliability of aircraft, the quality of maintenance and reducing the cost.

  • Implementation of this principle enables the monitoring of reliability in real time of aircraft application and offers 20–25 % growth of mission reliability.

  • Mapping between flight information and aircraft safety or mission reliability, the role and structure of information as well model of aircraft and impact of flight conditions are subject of a special integrated research.

  • To benefit from proposed approach an aircraft (as well as any other safety critical real-time system) should be designed introducing principle of active conditional control from the conceptual draft of a system, benefitting from knowledge about dependencies between aircraft elements and subsystems.

  • Aviation is the most complex area for the application of technological advances: complex and long working periods, an extremely wide range of operation conditions, multi-disciplinary skills needed from personnel involved. Therefore the Principle of Active Conditional Control and its implementation must become the subject of future multidimensional research to improve aviation safety and efficiency.