This article covers a lot of known ground for Service Engineers but it may be interesting for new hires or people that are interested in Aviation or Aviation professionals not directly involved in Aircraft Maintenance.
The article pertains predominantly to Large Aircraft (Part 25 design standards) that are operated commercially.
References for this article downloadable below;
MSG-3 (obtainable at a cost from https://publications.airlines.org/CommerceProductDetail.aspx?Product=328 )
EASA CS 25.1309 Systems Safety Assessment design standards
EASA CS 25.571 Fatigue and damage tolerance assessment design standards
Appendix H on CS 25.571
EASA M.A. 302 Maintenance program development (CAMO)
Appendix I to M.A. 203
CM MRB-001 EASA Certification Memorandum on MRB development
FAA Advisory Circular AC 25-19A Certification Maintenance Requirements (CMR)
FAA Advisory Circular AC 25-571D Fatigue and Damage Tolerance (guidance for compliance)
Advisory Circular AC 120-17B Reliability Programs
Advisory Circular AC 121-22C MRB Process and overview (very informative!)
History of MSG (Maintenance Steering Group)
The first MSG process was set up during the age of the first commercial jets when aircraft started to get used much more heavily than previous designs. The Air Transport volume increased during that time and the first MSG developed a standardised process to determine the content of maintenance to be recommended for each aircraft type.
MSG-1
This process was used in the development of the Boeing 747 and objective was to prevent accidents as a result of technical failures
MSG-2
Published by the Air Transport Association (ATA) was used during the development of the Tri Jets Lockheed L-1011 TriStar and the McDonell Douglas DC-10
MSG-3 was further developed (still published by ATA) and revised regularly. In essence it consist of logic diagrams, classifying elements of aircraft systems and structure and determine the effects on safety and reliability. Some of the logic diagrams will be shown later.
The MSG-3 focuses on four main area's
Systems and power plants
Structures
Zonal
Lightning and High Intensity Radiated Field resilience (L/HIRF)
The MSG-3 process starts with the design of the aircraft and analyses are carried out by the manufacturer (Type Certificate Holder) for current production aircraft and in some cases for out of Production Aircraft by Type Certificate holders other than the manufacturer. Example of the latter are; Fokker Services for Fokker Aircraft, Viking for DeHavilland Canada Aircraft, and Deutsche Aircraft GmbH for Dornier 328 Series.
The goal is to identify maintenance tasks that are effective and efficient and enable the aircraft to be operated with a satisfactory level of safety and reliability.
Current Part 25 (Large Aircraft) Design Standards
The current Part 25 Design Standards contain required levels of safety related to maintenance; notably:
25.571 Damage Tolerance and Fatigue Evaluation (part quoted below)
"(a) General. An evaluation of the strength, detail design, and fabrication must show that catastrophic failure due to fatigue, corrosion, or accidental damage, will be avoided throughout the operational life of the aeroplane. This evaluation must be conducted in accordance with the provisions of sub-paragraphs (b) and (e) of this paragraph, except as specified in sub-paragraph (c) of this paragraph, for each part of the structure which could contribute to a catastrophic failure (such as wing, empennage, control surfaces and their systems, the fuselage, engine mounting, landing gear, and their related primary attachments). (See AMC 25.571 (a), (b) and (e).) For turbine engine powered aeroplanes, those parts which could contribute to a catastrophic failure must also be evaluated under sub-paragraph (d) of this paragraph. In addition, the following apply:
(1) Each evaluation required by this paragraph must include –
(i) The typical loading spectra, temperatures, and humidities expected in service;
(ii) The identification of principal structural elements and detail design points, the failure of which could cause catastrophic failure of the aeroplane; and
(iii) An analysis, supported by test evidence, of the principal structural
elements and detail design points identified in sub-paragraph (a) (1) (ii) of this paragraph.
(2) The service history of aeroplanes of similar structural design, taking due account of differences in operating conditions and procedures, may be used in the evaluations required by this paragraph.
(3) Based on the evaluations required by this paragraph, inspections or other
procedures must be established as necessary to prevent catastrophic failure, and must be included in the Airworthiness Limitations Section of the Instructions for Continued Airworthiness required by CS 25.1529.
(b) Damage-tolerance (fail-safe) evaluation. The evaluation must include a determination of the probable locations and modes of damage due to fatigue, corrosion, or accidental damage. The determination must be by analysis supported by test evidence and (if available)
service experience. Damage at multiple sites due to prior fatigue exposure must be included where the design is such that this type of damage can be expected to occur. The
evaluation must incorporate repeated load and static analyses supported by test evidence. The extent of damage for residual strength evaluation at any time within the operational life
must be consistent with the initial detectability and subsequent growth under repeated loads.
The residual strength evaluation must show that the remaining structure is able to withstand loads (considered as static ultimate loads) corresponding to the following conditions:
(1) The limit symmetrical manoeuvring conditions specified in CS
25.337 up to VC and in CS 25.345.
(2) The limit gust conditions specified
(2) The limit gust conditions specified in CS 25.341 at the specified speeds up to VC and in CS 25.345.
(3) The limit rolling conditions specified in CS 25.349 and the limit unsymmetrical conditions specified in CS 25.367 and CS 25.427(a) through (c), at speeds up to VC.
(4) The limit yaw manoeuvring conditions specified in CS 25.351 at the specified speeds up to VC.
(5) For pressurised cabins, the following conditions
(i) The normal operating differential pressure combined with the expected external aerodynamic pressures applied simultaneously with the flight loading conditions specified in sub-paragraphs (b)(1) to (b)(4) of this paragraph if they have a significant
effect.
(ii) The maximum value of normal operating differential pressure (including the expected external aerodynamic pressures during 1 g level flight) multiplied by a factor of 1·15 omitting other loads.
(6) For landing gear and directlyaffected airframe structure, the limit ground loading conditions specified in CS 25.473, CS 25.491 and CS 25.493."
25.1309 (Equipment, systems and Installations) which part text is quoted below:
"(a) The aeroplane equipment and systems must be designed and installed so that:
(1) Those required for type certification or by operating rules, or whose
improper functioning would reduce safety, perform as intended under the aeroplane
operating and environmental conditions.
(2) Other equipment and systems are not a source of danger in themselves and do
not adversely affect the proper functioning of those covered by sub-paragraph (a)(1) of
this paragraph.
(b) The aeroplane systems and associated components, considered separately and in
relation to other systems, must be designed so that -
(1) Any catastrophic failure condition
(i) is extremely improbable; and
(ii) does not result from a single failure; and
(2) Any hazardous failure condition is extremely remote; and
(3) Any major failure condition is remote.
(c) Information concerning unsafe system operating conditions must be provided to the crew to enable them to take appropriate corrective action. A warning indication must be provided if immediate corrective action is required. Systems and controls, including indications and annunciations must be designed to minimise crew errors, which could create additional hazards.
(d) Electrical wiring interconnection systems must be assessed in accordance with the requirements of CS 25.1709"
CS 25.1709 Electrical Wiring Interconnect Systems (EWIS)
"EWIS must be designed and installed so that:
(a) Each catastrophic failure condition
(1) is extremely improbable; and
(2) does not result from a single failure;
and
(b) Each hazardous failure condition is extremely remote."
CS 25.1529 Instructions for Continued Airworthiness
"Instructions for Continued Airworthiness in accordance with Appendix H must be prepared."
Appendix H states basically that a for a type certificate to be granted, maintenance manuals, An Airworthiness Limitation Document and an EWIS document must be published.
Note that catastrophic failures can not be a result of a single system failure
Birth of an Initial Maintenance Program
For a Maintenance program to get approved, a lot of preparation has to be conducted by the Type Certificate Holder (TCH) which eventually produces a Mandatory Document, called the MRB Report (MRBR), this document is prepared by internal working Groups with detailed knowledge of the design and the elements of focus of MSG-3;
Systems and power plants
Structures
Zonal
Lightning and High Intensity Radiated Field resilience (L/HIRF)
These subsystems will have to be analysed and evaluated in accordance with MSG-3 logic, a couple of examples will be shown below.
The output of the working groups will have to pass through the Industry Steering Committee (ISC) in which delegated from (future) operators, TCH, suppliers of components and authorities participate.
After review and evaluation and modification by the ISC, the output in a Proposed Maintenance Program.
This then is passed through the Maintenance Review Board, in which the document is submitted for approval by the certifying agencies. For EASA, Certification Memorandum (CM) MRB-001 documents the policy by which EASA certifies the MRBR. FAA published AC 121-22B for that purpose.
It is noted that established modern aircraft and powerplant manufacturers publish a slew of additional documents which I will not elaborate on. Examples:
Airbus ALS documents (Airworthiness Limitation Section)
MPD (Maintenance Planning Document) Serves as basis for Operators Maintenance Programs
Boeing Landing Gear Interchangeability Drawings
Once the MRBR has been certified, this forms a basis for Operators to develop their own Maintenance Programs.
Every Operator must have their Maintenance Program Approved by their oversight Authority. Maintenance Programs are always live documents and have to be reviewed periodically. Maintenance Programs can only be effective in combination with a Reliability Program. Ref AC 120-17B and MA302.
Factors that will shape Operators Approved Maintenance Programs differently from the MRBR;
Level of operational reliability
Environment (corrosive, moist, dry dusty, runway shape)
Configuration of engines, avionics, interior, added systems
Modification Standard like embodied Service Bulletins (SB) and Supplemental Type Certificates (STC)
Embodied Structural Repairs
Below simplified graphic for the process
MSG-3 Processes
Just like many documents, MSG-3 is subject to reviews and is currently on a 3 year Revision Cycle.
There are different analyses methods for the 4 subsystems in MSG-3 (listed below).
Systems and power plants
Structures
Zonal
Lightning and High Intensity Radiated Field resilience (L/HIRF)
The goal of MSG-3 is to produce a set of maintenance tasks that are effective and efficient and enable the aircraft to be operated at a satisfactory level of safety and reliability
There are several levels of analysis; below the flow diagram for systems and power plants;
Level one make the distinction of evident or hidden functional failure
A hidden functional failure can be a malfunction of a backup or protection system that under normal circumstances is not operational, such as alternate landing gear and flap systems, escape systems. The most prominent example was the 737MAX MCAS system
Level two categorises failures into five categories with each its own criteria for task selection
Evident safety effect
Evident Operational Effect
Evident Economic Effect
Hidden Safety Effect
Hidden non safety effect
Below a graphic depiction
Below the task selection matrix which is used to determine the effect on;
Safety
Operational Effect
Economic Effect
Below th graphic evaluation of CMR's
Comprehensive information about CMR's are in AC 25-19 latest revision level (currently A)
CMR's are tasks that result from System Safety Analyses during activities stipulated by CS 25.1309 as part of type design. They are tasks without which the required level of safety can not be obtained and have no bearing on reliability or economy
Graphics taken from AC 25-19A
