Keywords

1 Introduction

Within Structural Integrity Programs a large set of assumptions is required, particularly in the area of fatigue and damage tolerance (FDT). The certification requirements do not provide a final answer to what is the best approach to avoid catastrophic failures due to fatigue (Eastin 2003); therefore, the means of compliance are subject to interpretation until an agreement with the authorities has been found.

For the development of a new aircraft, for a major change to type design or for the development of a supplemental structural inspection document (SSID), interpretations are considered as risks to the success of the program. Particular attention to initial assumptions has to be given due to its contribution to program development risks and to the continued safe operation. Structural integrity programs related to small aircrafts such as Part 23 airplanes or Part 27 rotorcraft are more prone to these risks, because in many cases the design organizations are smaller and experience with previous similar products may be missing.

In this review paper a definition of risk is provided and the principle of assessing risks is shown on an example. The FDT evaluation process is outlined to point out steps where initial assumptions may have a large impact. Some process steps are discussed in more detail to show how the risks of assumptions may be categorized. In many cases a qualitative approach is sufficient, however, for some problems probabilistic concepts are more suitable (Tong 2001).

2 Risks

For the purpose of the discussion in this paper, the risks are described as:

  • Program Development Risks (PRORI) and

  • Continued Safe Operation Risks (CONRI).

PRORI affect the success of a program with the related financial impact. Return of invest and time to market are two of the key parameters. Although fatigue failures during the development contribute to the learning curve of the design organization engineers, premature failure in development test, certification test or in prototype aircraft are not desired. Fatigue failures always have an impact on program costs and also often to the production lead time with corresponding negative effects on return of invest and time to market. Return of invest is also a function of positive market perception of the product which is based on good performance data (e.g. minimized structural weight) and low operational costs (optimized inspection requirements).

CONRI describes the risks of structural failure on in-service aircraft components according to the following interpretation: risk is the probability of failure over a period of time vs. the severity of the failure effect. The risk of failure in engineering structures is never zero, but it has to be demonstrated by analysis supported by test, that it is being kept at an acceptable level during the entire design service life. Minimizing CONRI conflicts with the objective to minimize structural weight and operational costs.

In a typical risk assessment for systems (MIL-STD-882E 2012) four severity categories to describe a failure effect are introduced: Catastrophic, Critical, Marginal, and Negligible. The severity is placed against the probability levels as frequent, probable, occasional, remote, and improbable. Each resulting field in such a 4 × 5 matrix has a risk assessment code (RAC). The pre-defined RAC can be used to identify actions and their implementation time. These codes can be categorized into ranges where the “unacceptable” range require immediate corrective actions. “Undesirable” would be tracked for possible corrective actions. “Acceptable” might have a lower priority for corrective action or may not need any tracking actions. After successful corrective actions have been put in place, the RAC would eventually be considered as “eliminated”.

Basically in every daily engineering decision, this process is followed intuitively without explicit formulation of severity and probability. However, the more significant decisions are taken the more formal such a process should be followed. Although the above risk assessment process was developed for systems, it is suggested to apply it to structures during the entire product life cycle. The following approaches can be used to determine the RAC depending on the type of problem:

  • Qualitative approach based on engineering judgement.

  • Qualitative approach supported by deterministic analysis (e.g. existing fatigue analysis) and/or available test results.

  • Probabilistic approach to determine quantitative likelihood.

The simplest risk matrix is a 2 × 2 matrix according to Table 1, which is useful for first fast decisions and to keep record of the risk items over the entire program phase.

Table 1. Simplistic risk assessment.
Full size table

In system safety processes for general aviation airplane and rotorcraft (MIL-STD-882E 2012; ARP 5151 2013), the principle of risk management is nothing else than:

  1. 1.

    identifying,

  2. 2.

    assessing and

  3. 3.

    controlling risks.

Controlling risks means that it is attempted to move risk items to the lower right-hand corner by taking appropriate actions and keeping record of the changing RAC. Eventually risks are eliminated or accepted. Two extreme examples of corrective actions and the effect on the RAC are given:

  1. 1.

    A corrective action may involve only the application of a more refined risk matrix (e.g. 4 × 5 matrix instead of 2 × 2), where a previously “undesirable” RAC in the preliminary evaluation may be found to be “acceptable”.

  2. 2.

    Based on an occurrence report due to an in-service crack finding on an individual aircraft, a corrective action through a service bulletin may be required to mandate inspections (covered by an airworthiness directive) to collect fleet data. If a one-off case is confirmed, the risk code may be moved vertically to a lower field, or in the other case an upper field will result.

In the second example, a probabilistic evaluation technique may be needed to determine whether further actions are required. With every new relevant information (e.g. fleet data, change in usage assumptions, new FEM analysis, fatigue test results from tear down inspection, etc.) the risk assessment should be re-evaluated. This is the basis for actions to be defined as well as for the continued management of risks.

3 Spectrum Development and Damage Tolerance Evaluation

The major contributor to the risk of structural failure is fatigue (White 2006). A few selected steps in the development of a structural integrity program related to FDT is reviewed in the following. Although, the flow chart in Fig. 1 is not comprehensive, it indicates major steps of the spectrum development and damage tolerance evaluation in an aircraft structural integrity program.

Fig. 1.
figure 1

Spectrum development and damage tolerance evaluation process.

Full size image

Being an important part of a FDT evaluation but not shown in the flow chart of Fig. 1, many structural tests are being carried out from coupon level to full scale level and from development test to certification and qualification test. In addition flight strain surveys are considered as testing. Tests can be seen as means to control and mitigate PRORI and CONRI at different phases throughout the program. From the perspective of the development of a specific test plan however, a risk assessment is required for each individual test.

4 Component Design Criteria

The certification basis and related design philosophies for each component should be defined at the beginning of a program. There are several options to select in the world of Part 23 and Part 27 aircraft. For normal, utility and acrobatic category airplanes any of the three approaches may apply: Safe-Life, Fail-Safe, or Damage Tolerance. For commuter aircraft only damage tolerance can be selected, unless shown to be impractical. Within Part 27 there are differences. One option requires a replacement time evaluation, which can be considered as safe-life evaluation. Another option is fail-safe evaluation, however, in practice this refers to fracture mechanics based methods similar to a Part 23 damage tolerance evaluation (Eastin 2003). A third option identifies a combination of the latter options.

The interpretation of the requirements is a first assumption with associated risks. Basic decisions are taken related to the load path of primary structure: Single load path (SLP) vs. multiple load path (MLP). Whether a structure is SLP or MLP is not always obvious and may be subject to detailed failure analysis and residual strength evaluation. Also, a MLP structure is not necessarily a fail-safe structure. Although geometry and function may be the same for a MLP structure, safe-life or damage tolerance requirements may be applicable. Both requirements may be applicable at the same time, e.g. for interface structure of components with different design philosophies.

Qualification and certification costs depend on the selected design philosophies and are difficult to quantify. For PRORI a qualitative risk assessment approach is the only reasonable path to go. Special attention is required for outsourced component design and the related technical requirement documents as PRORI are much higher: after supplier selection and contractual agreements it is more difficult and costly to change requirements.

5 Scatter Factors

FDT Scatter Factors (SF) are associated to the component design criteria and not only to account for variations in loads, material properties and quality. Existing company methodologies may not be applicable to a new structural integrity program and SF have to be selected and re-discussed.

An example of a difficult situation to select an appropriate SF is the case of an actuator component that also acts as a structural load path member and that is considered as a principal structural element (PSE), in case a significant portion of ground or flight load is being transferred. The following conditions may exist:

  • System and structural requirements apply at the same time.

  • Endurance testing as well as fatigue testing with a certain number of specimen will be required.

  • Redundancy based on MLP or Fail-Safe design will be required from systems side.

  • Based on structural considerations damage tolerance is likely to be impractical and if fail-safe is not an option to choose (e.g. for commuter aircraft), then safe-life will be applicable.

  • Safe-Life analysis may be performed with a S-N approach or a strain-life approach.

  • Material data may be available from the literature only or by specific coupon test programs.

  • The secondary load path may be equally loaded or loaded by a fraction of the primary load path load.

  • Alternatively the secondary load path may be a “sleeping load path” that is only loaded in case of failure of the primary.

  • Failure of a load path may be annunciated or not, i.e. dormant failure condition may exist.

Now, what is the appropriate SF for analysis of the primary and secondary load path? How should the inspection threshold be determined? What are the “correct” fatigue test scatter factors under what fraction of total load for each load path and what is the amount of specimen to be tested to qualify such a supplier component? No authority guidance is available for such situations. In case there is no similarity to previous programs, then there is no other option than to go for an educated guess and tick the upper left box (unacceptable) of the PRORI 2 × 2 matrix. It is important to keep in mind that a conservative selection of SF may also lead to unacceptable PRORI (e.g. risk of qualification test failure with slip in delivery schedule).

One of the corrective actions may be to prioritize authority discussions on this topic and leave some flexibility in TRD for supplier contracts. The same risk management procedure should be applied to all other PSE. This may be helpful as a tool to keep track of future actions on program level (e.g. define priorities of agenda items with the authority) or on technical level (e.g. define tear down inspection location).

6 Usage and Mission

As part of the fatigue load spectrum, the usage assumptions and mission mix have a high effect on the FDT evaluation as it determines both the number of load occurrences and its magnitudes. Usage parameters are defined based on the anticipated aircraft usage of the customer (e.g. training aircraft, commuter aircraft, etc.). Mission parameters are defined for a particular usage (e.g. payload, trip fuel reserves, etc.). With a mission mix the severity of a spectrum can be adjusted.

To illustrate the large set of assumptions some parameters are listed for an example of a pressurized commuter aircraft. Note that performance data are also based on assumptions or estimates depending on the development stage of the aircraft.

  • Flight Duration and corresponding hour to landing ratio (usage assumption)

  • Flown Distance (usage assumption)

  • Zero Fuel Weight (cabin configuration and payload capabilities)

  • Trip Fuel (one or more legs, reserves, performance data)

  • Take-off Weight (number of passengers, cargo, fuel and zero fuel weight)

  • Center of Gravity Position (mission assumption)

  • Flight Phase Assumptions

    • Climb and Descent rates and speeds (performance data)

    • Cruise altitude (mission assumptions)

    • Cruise speed (performance data)

    • Differential pressure (pressurization system performance, altitude)

    • Holding pattern, altitude and speed (mission assumptions and performance)

    • Final approach (altitude, speed, descent-rate, flap setting,…)

  • Taxi phase (distance on ground, type of runway)

  • Landing phase (high speed and low speed regime)

From the above list, it is already evident that the set of assumptions and the parameters to be selected are very numerous; therefore, the combined effects or sensitivities cannot be captured in an intuitive manner or in a simplified analysis. In addition, for certain parameters fatigue damages may follow an opposite trend, depending on the aircraft component, due to different dominating load cases or even due to different design philosophies (landing gear safe-life component vs. damage tolerance based wing).

Despite these difficulties fatigue allowables have to be derived at early program phases for preliminary design. Therefore, the above assumptions have to be made based on experience, available marketing and performance data and best guess. It is important to “draw a line in the sand”, to set a clearly defined baseline for the preliminary fatigue design allowables and to start to manage the risks: the RAC is likely to be placed in the upper left area. More accurate usage and mission data are collected and as aircraft performance data starts to converge, the assumptions and corresponding allowables should be revised step-by-step to achieve a better RAC. Nevertheless, it will not be possible, according to the author’s opinion, to reach an acceptable RAC without employing probabilistic methods.

Probabilistic methods, such as Monte Carlo Sampling, are a suitable way to study the aging of a virtual aircraft fleet and assess, if the selected spectrum mix is a good representation of the fleet usage. To do so, suitable fatigue damage models (e.g. power law models) for every component and distributions of the usage parameters (climb rate and speed, cruise altitude and speed, payload, differential pressure, etc.) have to be developed. The probability density function and eventually the cumulative density function give indications about the quality (good representation of the fleet) of the selected mission mix and related assumptions. This is a helpful way to mitigate these risks prior to further validation programs of prototype flights, which may be at a late stage, long after the critical design review. Figure 2 shows a representation of the process to evaluate the fleet usage and mission.

Fig. 2.
figure 2

Usage and mission probabilistic analysis.

Full size image

7 Fatigue Spectrum

The fatigue spectrum development process requires to define discrete quasi-static load cases in order to load an internal-load model (e.g. Global FEM) and to derive local stress, strain or free-body load sequences. Normalized and processed load sequences are used as input for fatigue or crack-growth analyses. Important assumptions are:

  • Selection of adequate sources for load exceedance data (gust, maneuver, taxi), e.g. AC23-13A, ESDU69023, other

  • Discretization of exceedance data to derive occurrences: stepping assumptions and cut-off assumptions

  • Randomization process of Load Cases

  • Randomization of flight severities

  • Definition of repeating spectrum block size

  • Simulation and application of load cases (static or dynamic, time step definition, critical wave length, re-bouncing effects)

  • Internal Load Modelling to derive local load sequences

  • Selection of load sequence counting procedures

Above assumptions are more difficult to include in probabilistic models, except for the exceedance data, which are nothing else than distributions. However, for many Part 23 aircraft programs the AC23-13A or the ESDU69023 provide good results and that associated risks are acceptable. Also for the other points, the relative risks compared to the usage and mission assumption are small. An exception is the derivation of load cards, where careful considerations and non-probabilistic risk control is required.

8 Principal Structural Elements

All PSE have to undergo a FDT evaluation by means of analysis supported by test evidence. The list of PSE is established by judgment in a first step. The selection of analysis location can be based on the reduction of PSE, by identification of fatigue critical structure as a sub-set of PSE. Apart from stress level review, a qualitative selection can be done based on a design feature review (stress concentration and stiffness changes) and spotting the areas of load transfer. If available, test experience or in-service experience on similar products is helpful. The selection of analysis location includes risks, as not every spot can be covered due to limited resources, different time scales for production of components, etc. Not all PSE can be equally treated. Therefore, tracking of the risk for every PSE is needed based on a qualitative approach.

9 Internal Loads

Internal loads are derived from Global FEM models. To determine gross stresses at analysis locations, the evaluation of free-body loads is a standard and efficient procedure. However, risks are present, as not all effects may be captured in a realistic way, e.g. out-of plane bending, secondary bending, local load transfer. Alternatively, stresses from detailed FEM are extracted. The detailed FEM are used to de-risk, however, employing resources for time-consuming modelling, data processing, documentation and validation may reduce the resources for other important issues. Risks associated to this process have to be considered for each PSE based on a qualitative approach. This will support the decision process for the selection of locations for detailed FEM modelling.

10 Material Data

Nonproprietary material data are available in e.g. NASGRO where large sets of common da/dN and fracture toughness data are provided. The statistical data basis varies for the different alloys. Applied curve fits are not necessarily appropriate for every alloy and grain direction. Depending on the delta K range, the deviations of test points vs. curve fit can alter. Material changes may be required for several program reasons, resulting in situations, where no reliable data is available. Substitute material data may be employed as an alternative. Fracture toughness data have a large effect on the critical crack size; however, the sensitivity to the crack growth life is in many cases lower than for other parameters, such as threshold stress intensity. Nevertheless, various model parameters and assumptions do affect results and therefore risks, e.g. transition between plane strain and plane stress.

A qualitative risk assessment approach is suitable for tracking risks until more reliable data is available (coupon test program as corrective action), also probabilistic approach may be helpful (distribution function of material parameters are known or easy to determine using existing data from the literature).

Life improvement technologies enable to increase fatigue lives and in some cases crack growth lives. Life improvement can be achieved by interference fit, cold working, cold rolling, cold forming, shot peening, bead blasting, etc. Some of these techniques may be considered to reduce the RAC but not to take credit on the allowable. Nevertheless, for cold worked holes life improvement factors may be applicable not only to fatigue but to certain phases of crack growth. Alternatively, the life improvement may be considered by a smaller equivalent initial flaw size (EIFS) rather than by a factor on life or in best case with a numerical simulation of stress intensity factors.

11 Stress Intensity Factors

Stress Intensity Factor (SIF) solutions, respectively “Beta” libraries are available in tools like e.g. NASGRO or AFGROW. Surprisingly efficient analyses for many problems are possible with an idealized and simple single corner crack at hole standard solution. Often a continued flaw model (single edge thru crack) is used to simulate a second phase of growth. These two models and the corresponding beta values from AFGROW are illustrated in Fig. 3.

Fig. 3.
figure 3

Rogue Flaw (bottom) and Continued Flaw (top) with Beta values for the crack front in horizontal direction.

Full size image

Whereas the ligament phase provide reliable results at low analysis costs, the continued flaw model may overestimate the beta, so that short lives may result, as indicated by the steep increase and high values of beta, compared to the ligament phase. Over conservatism may add in to the PRORI. To reduce PRORI, the analyst may be tempted to increase the width of the plate model to reduce beta or to apply other beta corrections based on not validated procedures without the effect of reducing PRORI effectively. In fact, unknowns may be added. On the other hand, advanced modelling to derive accurate beta corrections are associated with relative high analysis costs and lead time. The bottom line is that PRORI is affected in case of conservative analysis (too high margins may indicate not optimized structure) and also in case of accurate analysis (costs, lead time, omitting other analysis locations). A careful assessment has to be done for a good trade-off. Simplistic analysis models may be the better choice than complex models as the qualitative risks can be better evaluated.

12 Crack Growth

Another set of initial assumptions and selections have to be made for the crack growth models. Several models are available, e.g. Paris, Walker, Forman, NASGRO, etc. If no company methodologies exist, then a selection based on available or familiar tools should not dramatically affect the corresponding risk codes. Specific models for crack closure phenomena and possibly crack retardation may be accounted for, where the effect on RAC is much higher.

13 Initial Crack Sizes and Inspections

The initial crack size is one of the most sensitive parameter in the Damage Tolerance analysis. For rogue flaw conditions the 0.05 in. is an established EIFS value and low risks are associated if this is selected. For quality flaw conditions the Air Force structures bulletin (EN-SB-08-002 2011) suggested to increase the widely used value of 0.005 per JSSG-2006 requirements to 0.01 in. These initial crack size values are used for deterministic crack growth analysis but are based on probabilistic characterization of initial quality. The quality is represented in terms of equivalent fatigue crack based methods (Rudd and Gray 1978; Yang and Manning 1980).

The initial crack size related to detectable crack length for in-service inspections should be based on probability of detection (POD) studies. Due to the sensitivity of the initial crack size a high risk code penalty would result on values determined by judgement. For inspection requirements being the basic result of the damage tolerance evaluation, risk considerations have to be taken when defining inspections for airworthiness limitation items. Probabilistic methods can be employed to mitigate risk and help to set inspections intervals.

14 Probabilistic Methods

For risk assessment, related to in-service issues of aging aircraft (i.e. CONRI), it is often necessary to evaluate a field event e.g. cracked structure to determine necessary fleet safety actions, such as inspections, modifications or when to retire a part or airframe. These evaluations require assessing variations in loading, material, geometry, and EIFS. The probabilistic damage tolerance analysis (PDTA) software enables regulators and original equipment manufacturer (OEM) engineers to conduct risk assessments of aircraft structural issues in support of safety decisions. A PDTA approach provides a mechanism, whereby inspection and maintenance operations can be included in the simulation, thus providing engineers with the capability to assess the benefits and safety risks of different maintenance actions. This approach can also be used to quantify PRORI due to initial assumptions, as outlined in the above chapters.

Probabilistic methods in the literature (Millwater et al. 2014; Ocampo et al. 2008) can consider material and usage variations to find the life distribution and usage sensitivity. Multiple inspection and repair scenarios versus no inspections to calculate the single-flight-probability-of-failure (SFPOF) can be considered. SFPOF is important in determining what courses of action provide adequate fleet and/or individual aircraft continued operational safety. Figure 4 shows a schematic of a probabilistic damage tolerance analysis and its components.

Fig. 4.
figure 4

Probabilistic framework.

Full size image

15 New Manufacturing Technologies

The FDT process has been discussed for conventional structural integrity programs. New technologies like Advanced Manufacturing (AM) are emerging and will eventually find the way into primary structural components. From risk assessment point of view however, nothing is changing: OEM introduce new technologies in a first step on structural components with low failure severity and loaded by not significant load, i.e. low probability of fatigue failure. The complexity is increased from criticality (significantly loaded structure), design (optimized structure) and qualification point of view on a step-by-step basis. Further steps follow, once sufficient process information, allowable data and service experience is gathered. This way, CONRI and PRORI remain always acceptable based on qualitative assessments.

Increased implementation time for the introduction of AM or other innovations is possible by accepting higher PRORI. In such a case adapting probabilistic concepts should be considered for more accurate quantification of the uncertainties (e.g. Initial Discontinuity State (IDS) due to manufacturing process) by inclusion into the structural analysis.

16 Conclusion

A risk assessment process related to initial assumptions and simplifications as part of the FDT evaluation has been discussed with respect to small aircraft structural integrity programs. A risk ranking can be established by qualitative judgment alone or supported by deterministic analysis or testing. However, at some occasions it is necessary to deploy probabilistic methodologies to better understand the risks.

Although, a risk matrix for a specific assumption may look trivial, it is of major importance to keep record of the risk codes and its evolution throughout the program. First, this will allow to find solutions fast under the premise to keep track of associated risks and second, the accumulation of various risk items can be visualized and actions can be taken before the cumulative value exceeds a critical level.

As discussed in this paper, it can be observed that the building block testing is an interpretation of risk mitigation. The type certification or the approval of a major change is just a point in time where the overall risk items must reach an acceptable level. As part of a continued airworthiness program the risks are further tracked. From this perspective, type certification is understood as a level of knowledge that justifies the risk level “acceptable”. The knowledge is growing with service experience and probabilistic methods may be used to improve the required risk assessments for fleet management.