Nowlan RCM Book


Unclassified

REPORT DOCUMENTATION PAGE

MDA 903-75-C-0349

December 29, 1978

476

Office of Assistant Secretary of Defense
(Manpower, Reserve Affairs and Logistics)
Washington, DC 20301

United Airlines
San Francisco International Airport
San Francisco, Ca 94128

F. Stanley Nowlan
Howard F. Heap

TYPE OF REPORT & PERIOD COVERED: Final

Reliability-Centered Maintenance


Approved for public release; distribution unlimited. Copies may be obtained from the National Technical Information Service or the Defense Documentation Center.


This work was performed by United Airlines under the sponsorship of the Office of Assistant Secretary of Defense (Manpower, Reserve Affairs and Logistics).

Actuarial analysis, Aircraft maintenance, Cost effectiveness, Decision theory, Evaluation, Failure effects, Flight safety, Logistics, Maintenance program, Mechanical safety, Preventive maintenance, Product improvement, Reliability, Scheduled maintenance, System effectiveness

This book explains basic concepts, principles, definitions, and applications of a logical discipline for development of efficient scheduled (preventive) maintenance programs for complex equipment, and the on-going management of such programs. Such programs are called reliability-centered maintenance (RCM) programs because they are centered on achieving the inherent safety and reliability capabilities of equipment at a minimum cost. A U.S. Department of Defense objective in sponsoring preparation of this document was that it serve as a guide for application to a wide range of different types of military equipment.

There are essentially only four types of tasks in a scheduled maintenance program. Mechanics can be asked to:
- Inspect an item to detect a potential failure
- Rework an item before a maximum permissible age is exceeded
- Discard an item before a maximum permissible age is exceeded
- Inspect an item to find failures that have already occurred but were not evident to the equipment operating crew

A central problem addressed in this book is how to determine which types of scheduled maintenance tasks, if any, should be applied to an item and how frequently assigned tasks should be accomplished. The use of a decision diagram as an aid in this analysis is illustrated. The net result is a structured, systematic blend of experience, judgment, and operational data/information to identify and analyze which type of maintenance task is both applicable and effective for each significant item as it relates to a particular type of equipment. A concluding chapter emphasizes the key importance of having a mutually supportive partnership between the personnel responsible for equipment design and the personnel responsible for equipment maintenance if maximum RCM results are to be achieved.

Appendices are included as follows:
- Procedures for auditing the development and implementation of an RCM program
- A historical review of equipment maintenance evolution
- Techniques of performing actuarial analyses
- An annotated bibliography

REPRODUCED BY NATIONAL TECHNICAL INFORMATION SERVICE, U.S. DEPARTMENT OF COMMERCE, SPRINGFIELD, VA. 22161

RELIABILITY-CENTERED MAINTENANCE

F. STANLEY NOWLAN
HOWARD F. HEAP

Produced by Dolby Access Press
Designer Nancy Clark, illustrators David A. Strassman and Evanell Towne, compositor Jonathan D. Peck, printer Braun-Brumfield, Inc.

preface

THIS VOLUME provides the first full discussion of reliability-centered maintenance as a logical discipline for the development of scheduled-maintenance programs. The objective of such programs is to realize the inherent reliability capabilities of the equipment for which they are designed, and to do so at minimum cost. Each scheduled-maintenance task in an RCM program is generated for an identifiable and explicit reason. The consequences of each failure possibility are evaluated, and the failures are then classified according to the severity of their consequences. Then for all significant items - those whose failure involves operating safety or has major economic consequences - proposed tasks are evaluated according to specific criteria of applicability and effectiveness. The resulting scheduled-maintenance program thus includes all the tasks necessary to protect safety and operating reliability, and only the tasks that will accomplish this objective.

Up to this point the only document describing the use of decision diagrams for developing maintenance programs has been MSG-2, the predecessor of RCM analysis. MSG-2 was concerned primarily with the development of prior-to-service programs and did not cover the use of operating information to modify the maintenance program after the equipment enters service or the role of product improvement in equipment development. The chief focus was on the identification of a set of tasks that would eliminate the cost of unnecessary maintenance without compromising safety or operating capability. There was no mention of the problem of establishing task intervals, of consolidating the tasks into work packages, or of making decisions where the necessary information is unavailable. The treatment of structure programs was sketchy, and zonal and other general inspection programs were not discussed at all.


The difficulty that many people experienced in attempting to apply the concepts of MSG-2 indicated the need for changes and additions simply to clarify many of the points. It was also abundantly clear, however, that the scope of the material should be expanded to cover the topics that had not been discussed in that document. This volume includes a major expansion of the discussion on the problem of identifying functionally and structurally significant items. The RCM decision diagram itself is quite different from the one used for MSG-2. Instead of beginning with the evaluation of proposed maintenance tasks, the decision logic begins with the factor that determines the maintenance requirements of each item - the consequences of a functional failure - and then an evaluation of the failure modes that cause it. This new diagram also recognizes the four basic maintenance tasks that mechanics can perform (instead of three maintenance processes), thereby clarifying the treatment of items with hidden functions. The role of a hidden-function failure in a sequence of multiple independent failures is stressed, and it is also shown that the consequences of a possible multiple failure are explicitly recognized in the definition of the consequences of the first failure.

Another important aspect of the RCM decision logic is that it includes a default strategy for making initial maintenance decisions in the absence of full information. There is a full discussion of the problem of assigning task intervals, particularly those for first and repeat on-condition inspections. The role of age exploration and the use of information derived from operating experience, both to modify the initial maintenance program and to initiate product improvement, is discussed at length. The content of scheduled-maintenance programs developed by experienced practitioners of MSG-2 techniques may be quite similar to the programs resulting from RCM analysis, but the RCM approach is more rigorous, and there should be much more confidence in its outcome. The RCM technique can also be learned more quickly and is more readily applicable to complex equipment other than transport aircraft.

Part One of this volume presents a full explanation of the theory and principles of reliability-centered maintenance, including a discussion of the failure process, the criteria for each of the four basic tasks, the use of the decision logic to develop an initial program, and the age-exploration activities that result in a continuing evolution of this program after the equipment enters service. Part Two describes the application of these principles to the analysis of typical items in the systems, powerplant, and structure division of an airplane; the considerations in packaging the RCM tasks, along with other scheduled tasks, for actual implementation; and the information systems necessary for management of the ongoing maintenance program. The concluding chapter discusses the relationship of scheduled maintenance to operating safety, the design-maintenance partnership, and the application of RCM analysis both to in-service fleets and to other types of complex equipment.

The text is followed by four appendices. Appendix A outlines the principles of auditing a program-development project and discusses some of the common problems that arise during analysis. This material provides an excellent check list for the analyst as well as the auditor and should be especially useful as a teaching aid for those conducting training groups in RCM methods. Appendix B is a historical review of the changes in maintenance thinking in the airline industry. Appendix C is a discussion of the engineering procedures and techniques used in actuarial analysis of reliability data. Appendix D, written by Dr. James L. Dolby, is a discussion of the literature in reliability theory, information science, decision analysis, and other areas related to RCM analysis and provides an annotated guide to this literature as well as to the specific literature on reliability-centered maintenance. Dr. Howard L. Resnikoff has written an accompanying mathematical treatment of the subject, titled Mathematical Aspects of Reliability-Centered Maintenance.

A book of this nature is the result of many efforts, only a few of which can be acknowledged here. First of all, we wish to express our gratitude to the late W. C. Mentzer, who directed the pioneering studies of maintenance policy at United Airlines, and to the Federal Aviation Administration for creating the environment in which this work was developed over the last twenty years. We also thank Charles S. Smith and Joseph C. Saia of the Department of Defense, who defined the content of the present text and counseled us throughout its preparation. James L. Dolby of San Jose State University, in addition to preparing the bibliography, contributed his expertise to the text. In particular, he helped to develop the concept of partitioning to identify significant items and the concept of default answers as part of the decision logic, as well as advising us on the actuarial appendix. Nancy Clark edited our efforts and organized them for clear exposition. Her logical thought processes resulted in numerous major improvements throughout and made possible the successful translation of our manuscript to textbook form.

Much help on specific areas of the text has come from friends and coworkers in the industry. We especially wish to thank Mel Stone of Douglas Aircraft for his extensive help with the structure chapter, John F. McDonald of the Flying Tiger Line for his comments on the theoretical chapters, and John F. Pirtle of General Electric for his comments on the powerplant chapter. Of the many others whose contributions influenced the text in some important respect, we give particular thanks to Thomas M. Edwards of United Airlines, Thomas D. Matteson of United Airlines, Ernest Boyer of the Federal Aviation Administration, Captain L. Ebbert of the U.S. Navy, Edward L. Thomas of the Air Transport Association, and Robert Card of the University of Missouri.

We are also grateful to the many people at United Airlines who provided us with specific help and assistance. The manuscript itself would not have materialized without the efforts of Marie Tilson, who cheerfully typed and retyped the material through many drafts. We also thank Claudia Tracy, whose artwork made the draft manuscript more readable, and J. Douglas Burch, whose efforts throughout the project helped bring it to completion. Finally, we would like to thank the management of United Airlines for its patience and our wives for their encouragement over the many long months of authorship and publication.

F. Stanley Nowlan
Howard F. Heap

contents

PREFACE
A MAINTENANCE PHILOSOPHY

CHAPTER ONE rcm: a maintenance discipline
1.1 THE EVOLUTION OF RCM ANALYSIS
1.2 THE BASIS OF RCM DECISION LOGIC
1.3 RELIABILITY PROBLEMS IN COMPLEX EQUIPMENT
1.4 AN OVERVIEW OF MAINTENANCE ACTIVITY

PART ONE THEORY AND PRINCIPLES

CHAPTER TWO the nature of failure
2.1 THE DEFINITION OF FAILURE
2.2 THE DETECTION OF FAILURES
2.3 THE CONSEQUENCES OF FAILURE
2.4 MULTIPLE FAILURES
2.5 THE FAILURE PROCESS
2.6 FAILURE IN COMPLEX ITEMS
2.7 QUANTITATIVE DESCRIPTIONS OF FAILURE
2.8 AGE-RELIABILITY CHARACTERISTICS

CHAPTER THREE the four basic maintenance tasks
3.1 SCHEDULED ON-CONDITION TASKS
3.2 SCHEDULED REWORK TASKS
3.3 SCHEDULED DISCARD TASKS
3.4 SCHEDULED FAILURE-FINDING TASKS
3.5 CHARACTERISTICS OF THE BASIC TASKS
3.6 THE DIMENSIONS OF A SCHEDULED-MAINTENANCE PROGRAM
3.7 PRODUCT IMPROVEMENT AS PREVENTIVE MAINTENANCE

CHAPTER FOUR developing the initial program
4.1 THE NATURE OF SIGNIFICANT ITEMS
4.2 THE RCM DECISION PROCESS
4.3 USE OF THE RCM DECISION DIAGRAM
4.4 DETERMINING COST EFFECTIVENESS
4.5 AGE EXPLORATION
4.6 PACKAGING THE MAINTENANCE TASKS

CHAPTER FIVE evolution of the rcm program
5.1 THE USES OF OPERATING DATA
5.2 REACTING TO SERIOUS FAILURES
5.3 REFINING THE MAINTENANCE PROGRAM
5.4 REVISIONS IN MAINTENANCE REQUIREMENTS
5.5 THE PRODUCT-IMPROVEMENT PROCESS
5.6 RCM PROGRAMS FOR IN-SERVICE EQUIPMENT

PART TWO APPLICATIONS

CHAPTER SIX applying rcm theory to aircraft
6.1 A SUMMARY OF RCM PRINCIPLES
6.2 ORGANIZATION OF THE PROGRAM-DEVELOPMENT T
6.3 BEGINNING THE DECISION PROCESS
6.4 THE INFORMATION FLOW IN DECISION MAKING

CHAPTER SEVEN rcm analysis of systems
7.1 CHARACTERISTICS OF SYSTEMS ITEMS
7.2 ASSEMBLING THE REQUIRED INFORMATION
7.3 ANALYSIS OF TYPICAL SYSTEMS ITEMS
7.4 ESTABLISHING TASK INTERVALS

CHAPTER EIGHT rcm analysis of powerplants
8.1 CHARACTERISTICS OF POWERPLANT ITEMS
8.2 ASSEMBLING THE REQUIRED INFORMATION
8.3 FAILURES OF THE BASIC ENGINE FUNCTION
8.4 FAILURES OF SECONDARY ENGINE FUNCTIONS
8.5 THE ROLE OF AGE EXPLORATION

CHAPTER NINE rcm analysis of structures
9.1 CHARACTERISTICS OF STRUCTURAL ITEMS
9.2 THE STRUCTURAL INSPECTION PLAN
9.3 ASSEMBLING THE REQUIRED INFORMATION
9.4 RCM ANALYSIS OF STRUCTURAL ITEMS
9.5 ESTABLISHING INITIAL INSPECTION INTERVALS
9.6 STRUCTURAL AGE EXPLORATION

CHAPTER TEN completing the maintenance program
10.1 OTHER SCHEDULED-MAINTENANCE TASKS
10.2 PACKAGING THE MAINTENANCE WORKLOAD

CHAPTER ELEVEN the use of operating information
11.1 TYPICAL INFORMATION SYSTEMS
11.2 TYPICAL TYPES OF ROUTINE ANALYSIS
11.3 MODIFYING THE MAINTENANCE PROGRAM
11.4 INTERVALS: AN INFORMATION PROGRAM
11.5 RESOLVING DIFFERENCES OF OPINION
11.6 PURGING THE PROGRAM

CHAPTER TWELVE the role of scheduled maintenance
12.1 SAFETY, RELIABILITY, AND SCHEDULED MAINTENANCE
12.2 AIR-TRANSPORT SAFETY LEVELS
12.3 THE DESIGN-MAINTENANCE PARTNERSHIP
12.4 RCM PROGRAMS FOR IN-SERVICE FLEETS
12.5 EXPANSION OF RCM APPLICATIONS

PART THREE APPENDICES

APPENDIX A auditing rcm program development
A.1 AUDITING THE PROGRAM-DEVELOPMENT PROJECT
A.2 AUDITING THE DECISION PROCESS
A.3 AUDITING ANALYSIS OF THE EQUIPMENT
A.4 AUDITING THE ONGOING PROGRAM
A.5 AUDITING NEW PROGRAMS FOR IN-SERVICE FLEETS

APPENDIX B the history of rcm programs
B.1 THE HARD-TIME PARADOX
B.2 CHANGING PERCEPTIONS OF THE HARD-TIME POLICY
B.3 THE INTRODUCTION OF ON-CONDITION MAINTENANCE
B.4 THE AIR TRANSPORT ASSOCIATION MSG-1 AND MSG-2 PROGRAMS
B.5 THE RELATIONSHIP OF SCHEDULED MAINTENANCE TO OPERATING SAFETY

APPENDIX C actuarial analysis
C.1 ANALYSIS OF LIFE-TEST DATA
C.2 ANALYSIS OF DATA FROM A DEFINED CALENDAR PERIOD
C.3 THE SMOOTHING PROBLEM
C.4 ANALYSIS OF A MIXED POPULATION
C.5 USEFUL PROBABILITY DISTRIBUTIONS
C.6 A SPECIAL USE OF THE EXPONENTIAL DISTRIBUTION

APPENDIX D bibliography
D.1 HISTORICAL DEVELOPMENT
D.2 RELIABILITY THEORY AND ANALYSIS
D.3 INFORMATION SCIENCE AND DECISION ANALYSIS
D.4 MAINTENANCE THEORY AND PHILOSOPHY
D.5 MAINTENANCE APPLICATIONS
D.6 A GUIDE TO OTHER SOURCES

GLOSSARY
INDEX

a maintenance philosophy

An operator's maintenance program has four objectives:
- To ensure realization of the inherent safety and reliability levels of the equipment
- To restore safety and reliability to their inherent levels when deterioration has occurred
- To obtain the information necessary for design improvement of those items whose inherent reliability proves inadequate
- To accomplish these goals at a minimum total cost, including maintenance costs and the costs of residual failures

Reliability-centered maintenance is based on the following precepts:
- A failure is an unsatisfactory condition. There are two types of failures: functional failures, usually reported by operating crews, and potential failures, usually discovered by maintenance crews.
- The consequences of a functional failure determine the priority of maintenance effort. These consequences fall into four categories:
  - Safety consequences, involving possible loss of the equipment and its occupants
  - Operational consequences, which involve an indirect economic loss as well as the direct cost of repair
  - Nonoperational consequences, which involve only the direct cost of repair
  - Hidden-failure consequences, which involve exposure to a possible multiple failure as a result of the undetected failure of a hidden function
- Scheduled maintenance is required for any item whose loss of function or mode of failure could have safety consequences. If preventive tasks cannot reduce the risk of such failures to an acceptable level, the item must be redesigned to alter its failure consequences.
- Scheduled maintenance is required for any item whose functional failure will not be evident to the operating crew, and therefore reported for corrective action.
- In all other cases the consequences of failure are economic, and maintenance tasks directed at preventing such failures must be justified on economic grounds.
- All failure consequences, including economic consequences, are established by the design characteristics of the equipment and can be altered only by basic changes in the design:
  - Safety consequences can in nearly all cases be reduced to economic consequences by the use of redundancy.
  - Hidden functions can usually be made evident by instrumentation or other design features.
  - The feasibility and cost effectiveness of scheduled maintenance depend on the inspectability of the item, and the cost of corrective maintenance depends on its failure modes and inherent reliability.
- The inherent reliability of the equipment is the level of reliability achieved with an effective maintenance program. This level is established by the design of each item and the manufacturing processes that produced it. Scheduled maintenance can ensure that the inherent reliability of each item is achieved, but no form of maintenance can yield a level of reliability beyond that inherent in the design.

A reliability-centered maintenance program includes only those tasks which satisfy the criteria for both applicability and effectiveness. The applicability of a task is determined by the characteristics of the item, and its effectiveness is defined in terms of the consequences the task is designed to prevent.
- There are four basic types of tasks that mechanics can perform, each of which is applicable under a unique set of conditions. The first three tasks are directed at preventing functional failures of the items to which they are assigned and the fourth is directed at preventing a multiple failure involving that item:
  - On-condition inspections of an item to find and correct any potential failures
  - Rework (overhaul) of an item at or before some specified age limit
  - Discard of an item (or one of its parts) at or before some specified life limit
  - Failure-finding inspections of a hidden-function item to find and correct functional failures that have already occurred but were not evident to the operating crew
- A simple item, one that is subject to only one or a very few failure modes, frequently shows a decrease in reliability with increasing operating age. An age limit may be useful in reducing the overall failure rate of such items, and safe-life limits imposed on a single part play a crucial role in controlling critical failures.
- A complex item, one whose functional failure may result from many different failure modes, shows little or no decrease in overall reliability with increasing age unless there is a dominant failure mode. Age limits imposed on complex components and systems (including the equipment itself) therefore have little or no effect on their overall failure rates.

The RCM decision diagram provides a logical tool for determining which scheduled tasks are either necessary or desirable to protect the safety and operating capability of the equipment.
- The resulting set of RCM tasks is based on the following considerations:
  - The consequences of each type of functional failure
  - The visibility of a functional failure to the operating crew (evidence that a failure has occurred)
  - The visibility of reduced resistance to failure (evidence that a failure is imminent)
  - The age-reliability characteristics of each item
  - The economic tradeoff between the cost of scheduled maintenance and the benefits to be derived from it
- A multiple failure, resulting from a sequence of independent failures, may have consequences that would not be caused by any one of the individual failures alone. These consequences are taken into account in the definition of the failure consequences for the first failure.
- A default strategy governs decision making in the absence of full information or agreement. This strategy provides for conservative initial decisions, to be revised on the basis of information derived from operating experience.

A scheduled-maintenance program must be dynamic. Any prior-to-service program is based on limited information, and the operating organization must be prepared to collect and respond to real data throughout the operating life of the equipment.
- Management of the ongoing maintenance program requires an organized information system for surveillance and analysis of the performance of each item under actual operating conditions. This information is needed for two purposes:
  - To determine the refinements and modifications to be made in the initial maintenance program (including the adjustment of task intervals)
  - To determine the needs for product improvement
- The information derived from operating experience has the following hierarchy of importance:
  - Failures that could affect operating safety
  - Failures that have operational consequences
  - The failure modes of units removed as a result of failures
  - The general condition of unfailed parts in units that have failed
  - The general condition of serviceable units inspected as samples
- At the time an initial program is developed information is available to determine the tasks necessary to protect safety and operating capability. However, the information required to determine optimum task intervals and the applicability of age limits can be obtained only from age exploration after the equipment enters service.
- With any new equipment there is always the possibility of unanticipated failure modes. The first occurrence of any serious unanticipated failure immediately sets in motion the following product-improvement cycle:
  - An on-condition task is developed to prevent recurrences while the item is being redesigned.
  - The operating fleet is modified to incorporate the redesigned part.
  - After the modification has proved successful, the special task is eliminated from the maintenance program.
- Product improvement, based on identification of the actual reliability characteristics of each item through age exploration, is part of the normal development cycle of all complex equipment.

RELIABILITY-CENTERED MAINTENANCE

CHAPTER ONE

reliability-centered maintenance

INTRODUCTION

THE TERM reliability-centered maintenance refers to a scheduled-maintenance program designed to realize the inherent reliability capabilities of equipment. For years maintenance was a craft learned through experience and rarely examined analytically. As new performance requirements led to increasingly complex equipment, however, maintenance costs grew accordingly. By the late 1950s the volume of these costs in the airline industry had reached a level that warranted a new look at the entire concept of preventive maintenance. By that time studies of actual operating data had also begun to contradict certain basic assumptions of traditional maintenance practice.

One of the underlying assumptions of maintenance theory has always been that there is a fundamental cause-and-effect relationship between scheduled maintenance and operating reliability. This assumption was based on the intuitive belief that because mechanical parts wear out, the reliability of any equipment is directly related to operating age. It therefore followed that the more frequently equipment was overhauled, the better protected it was against the likelihood of failure. The only problem was in determining what age limit was necessary to assure reliable operation.

In the case of aircraft it was also commonly assumed that all reliability problems were directly related to operating safety. Over the years, however, it was found that many types of failures could not be prevented no matter how intensive the maintenance activities. Moreover, in a field subject to rapidly expanding technology it was becoming increasingly difficult to eliminate uncertainty. Equipment designers were able to cope with this problem, not by preventing failures, but by preventing such failures from affecting safety. In most aircraft all essential functions are protected by redundancy features which ensure that, in the event of a failure, the necessary function will still be available from some other source. Although fail-safe and "failure-tolerant" design practices have not entirely eliminated the relationship between safety and reliability, they have dissociated the two issues sufficiently that their implications for maintenance have become quite different.

A major question still remained, however, concerning the relationship between scheduled maintenance and reliability. Despite the time-honored belief that reliability was directly related to the intervals between scheduled overhauls, searching studies based on actuarial analysis of failure data suggested that the traditional hard-time policies were, apart from their expense, ineffective in controlling failure rates. This was not because the intervals were not short enough, and surely not because the teardown inspections were not sufficiently thorough. Rather, it was because, contrary to expectations, for many items the likelihood of failure did not in fact increase with increasing operating age. Consequently a maintenance policy based exclusively on some maximum operating age would, no matter what the age limit, have little or no effect on the failure rate.

At the same time the FAA, which is responsible for regulating airline maintenance practices, was frustrated by experiences showing that it was not possible for airlines to control the failure rate of certain types of engines by any feasible changes in scheduled-overhaul policy. As a result, in 1960 a task force was formed, consisting of representatives from both the FAA and the airlines, to investigate the capabilities of scheduled maintenance. The work of this group led to an FAA/Industry Reliability Program, issued in November 1961. The introduction to that program stated:*

The development of this program is towards the control of reliability through an analysis of the factors that affect reliability and provide a system of actions to improve low reliability levels when they exist. ... In the past, a great deal of emphasis has been placed on the control of overhaul periods to provide a satisfactory level of reliability. After careful study, the Committee is convinced that reliability and overhaul time control are not necessarily directly associated topics; therefore, these subjects are dealt with separately. Because the propulsion system has been the area of greatest concern in the recent past, and due to powerplant data being more readily available for study, programs are being developed for the propulsion system first as only one system at a time can be successfully worked out.

This approach was a direct challenge to the traditional concept that the length of the interval between successive overhauls of an item was an important factor in its failure rate. The task force developed a propulsion-system reliability program, and each airline involved in the task force was then authorized to develop and implement reliability programs in the area of maintenance in which it was most interested. During this process a great deal was learned about the conditions that must obtain for scheduled maintenance to be effective.† It was also found that in many cases there was no effective form of scheduled maintenance.

1.1 THE EVOLUTION OF RCM ANALYSIS

At United Airlines an effort was made to coordinate what had been learned from these various activities and define a generally applicable approach to the design of maintenance programs. A rudimentary decision-diagram technique was devised in 1965 and was refined over the next few years.‡

*FAA/Industry Reliability Program, Federal Aviation Agency, November 7, 1961, p. 1.
†Handbook for Maintenance Control by Reliability Methods, FAA Advisory Circular 120-17, December 31, 1964.
‡H. N. Taylor and F. S. Nowlan, Turbine Engine Reliability Program, FAA Maintenance Symposium on Continued Reliability of Transport-type Aircraft Propulsion Systems, Washington, D.C., November 17-18, 1965. T. D. Matteson and F. S. Nowlan, Current Trends in Airline Maintenance Programs, AIAA Commercial Aircraft Design and Operations Meeting, Los Angeles, June 12-14, 1967. F. S. Nowlan, The Use of Decision Diagrams for Logical Analysis of Maintenance Programs, United Airlines internal document, August 2, 1967.

This technique was eventually embodied in a document published under the title Handbook: Maintenance Evaluation and Program Development, generally known as MSG-1.* MSG-1 was used by special teams of industry and FAA personnel to develop the initial program issued by the FAA Maintenance Review Board for the Boeing 747. As described by the FAA, these teams†

. . . sorted out the potential maintenance tasks and then evaluated them to determine which must be done for operating safety or essential hidden function protection. The remaining potential tasks were evaluated to determine whether they were economically useful. These procedures provide a systematic review of the aircraft design so that, in the absence of real experience, the best [maintenance] process can be utilized for each component and system.

The Boeing 747 maintenance program so developed was the first attempt to apply reliability-centered maintenance concepts. This program has been successful.

Subsequent improvements in the decision-diagram approach led in 1970 to a second document, MSG-2: Airline/Manufacturer Maintenance Program Planning Document, which was used to develop the scheduled-maintenance programs for the Lockheed 1011 and the Douglas DC-10.‡ These programs have been successful. MSG-2 has also been applied to tactical military aircraft such as the McDonnell F4J and the Lockheed P-3, and a similar document prepared in Europe was the basis of the initial scheduled-maintenance programs for such recent aircraft as the Airbus Industrie A-300 and the Concorde.

The objective of the techniques outlined by MSG-1 and MSG-2 was to develop a scheduled-maintenance program that assured the maximum safety and reliability of which the equipment was capable and would meet this requirement at the lowest cost. As an example of the economic benefits achieved with this type of program, under traditional maintenance policies the initial program for the Douglas DC-8 included scheduled overhaul for 339 items, whereas the initial program for the DC-10, based on MSG-2, assigned only seven items to overhaul. One of the items no longer subject to an overhaul limit in the later program was the turbine engine. Elimination of this scheduled task not only led to major reductions in labor and materials costs, but also reduced the spare-engine inventory required to cover shop activities by more than 50 percent. Since engines for larger airplanes now cost upwards of $1 million each, this is a respectable saving.

*747 Maintenance Steering Group, Handbook: Maintenance Evaluation and Program Development (MSG-1), Air Transport Association, July 10, 1968.
†Federal Aviation Administration Certification Procedures, May 19, 1972, par. 3036.
‡Airline/Manufacturer Maintenance Program Planning Document: MSG-2, Air Transport Association, R & M Subcommittee, March 25, 1970.

As another example, under the initial program developed for the Boeing 747 it took United Airlines only 66,000 manhours on major structural inspections to reach an inspection interval of 20,000 hours. In contrast, traditional maintenance policies led to an expenditure of over 4 million manhours before the same interval was attained for structural inspections on the smaller and less complex Douglas DC-8. Cost reductions on this scale are of obvious importance to any organization responsible for maintaining large fleets of complex equipment. More important, they are achieved with no decrease in the reliability of the equipment; in fact, a clearer understanding of the failure process has actually improved operating reliability by making it easier to pinpoint signs of an imminent failure.

The specific developments that led to RCM concepts as a fundamental approach to maintenance planning are described in detail in Appendix B. Although MSG-1 and MSG-2 were short working papers, intended for use by a small number of people with extensive backgrounds in aircraft maintenance, further clarification of the basic principles has resulted in a logical discipline that applies to maintenance programs for any complex equipment.

1.2 THE BASIS OF RCM DECISION LOGIC

the nature of failure; identification of significant items; evaluation of failure consequences; selection of applicable and effective tasks; the role of age exploration

The principles of reliability-centered maintenance stem from a rigorous examination of certain questions that are often taken for granted:

• How does a failure occur?
• What are its consequences?
• What good can preventive maintenance do?

One of the chief drawbacks of the old hard-time approach to scheduled maintenance is that the resulting teardown inspections provided no real basis for determining when serviceable parts were likely to fail; that is, there was no objective means of identifying reduced resistance to failure. More than any other single factor, recognition of the specific need to identify potential-failure conditions has been responsible for the change from scheduled overhauls to on-condition inspections for signs of imminent failure.

Unfortunately, not all items can be protected by this type of maintenance task. In some cases the failure mechanism is imperfectly understood, in others it is random, and in yet others the cost of such inspections exceeds the benefits they might provide. In fact, preventive maintenance is not possible for many items of modern complex equipment. Nor, in all cases, is it necessary. Failures which could jeopardize the safety of the equipment or its occupants must be prevented. Under modern design practices, however, very few items fall into this category, either because an essential function is provided by more than one source or because operating safety is protected in some other way. Similarly, hidden functions must be protected by scheduled maintenance, both to ensure their availability and to prevent exposure to the risk of a multiple failure.

In all other cases the consequences of failure are economic, and the value of preventive maintenance must be measured in economic terms. In some cases these consequences are major, especially if a failure affects the operational capability of the equipment. Whenever equipment must be removed from service to correct a failure, the cost of failure includes that loss of service. Thus if the intended use of the equipment is of significant value, the delay or abandonment of that use will constitute a significant loss, a fact that must be taken into account in evaluating the benefit of preventive maintenance. Other failures will incur only the cost of correction or repair, and such failures may well be tolerable, in the sense that it is less expensive to correct them as they occur than to invest in the cost of preventing them.

In short, the driving element in all maintenance decisions is not
the failure of a given item, but the consequences of that failure for the
equipment as a whole. Within this context it is possible to develop an
efficient scheduled-maintenance program, subject to the constraints of
satisfying safety requirements and meeting operational-performance
goals. However, the solution of such an optimization problem requires
certain specific information which is nearly always unavailable at the
time an initial program must be developed. Hence we also need a basic
strategy for decision making which provides for optimum maintenance
decisions, given the information available at the time. The process of
developing an initial RCM program therefore consists of the following
steps:

• Partitioning the equipment into object categories to identify those items that require intensive study
• Identifying significant items, those whose failure would have safety or major economic consequences for the equipment as a whole, and all hidden functions, which require scheduled maintenance regardless of their significance
• Evaluating the maintenance requirements for each significant item and hidden function in terms of the failure consequences and selecting only those tasks which will satisfy these requirements
• Identifying items for which no applicable and effective task can be found and either recommending design changes if safety is involved or assigning no scheduled-maintenance tasks to these items until further information becomes available
• Selecting conservative initial intervals for each of the included tasks and grouping the tasks in maintenance packages for application
• Establishing an age-exploration program to provide the factual information necessary to revise initial decisions

The first of these steps is intended, as a purely practical matter, to reduce the problem of analysis to manageable size and to focus it according to areas of engineering expertise. The next three steps are the crux of RCM analysis. They involve a specific sequence of decision questions, worded to indicate the information required for a yes/no answer in each case. Where this information is not available, a default answer specifies the action that will best protect the equipment until there is a basis for some other decision. This decision-diagram technique, described in full in Chapter 4, not only provides an orderly basis for making decisions with limited information, but also results in a clear audit trail for later review.

In the airline industry all scheduled-maintenance programs are, of course, subject to FAA review and approval. The initial program for each new type of equipment is promulgated by the FAA Maintenance Review Board. This document, developed in conference with the equipment manufacturers and the purchasing airlines, forms the basis of the initial program submitted by each airline for FAA approval. Organizations operating other equipment in the civilian and military spheres may define their initial maintenance programs differently, but some comparable review procedure is usually involved.

Because any initial scheduled-maintenance program must be developed and implemented in advance of actual operational data, an important element of RCM programs is age exploration, a procedure for systematic gathering of the information necessary to determine the applicability of some maintenance tasks and evaluate the effectiveness of others. As this information accumulates, the same decision diagram provides a means of revising and refining the initial program. Much of this information is already available, of course, for equipment that has been in service for some time. Although the specific data needed may have to be retrieved from several different information systems, and the remaining useful life of the equipment will be a factor in certain decisions, RCM analysis under these circumstances will result in fewer default decisions, and hence a near-optimum program at the outset. Such programs usually include a larger number of on-condition inspections than the programs arrived at under older policies, and fewer of the scheduled rework tasks which had been included simply because there was no evidence that they should not be done.

An effective scheduled-maintenance program will realize all the reliability of which the equipment is capable. However, no form of preventive maintenance can alter characteristics that are inherent in the design. The residual failures that occur after all applicable and effective preventive tasks have been implemented reflect the inherent capability of the equipment, and if the resulting level of reliability is inadequate, the only recourse is engineering redesign. This effort may be directed at a single component to correct for a dominant failure mode or it may be directed at some characteristic that will make a particular preventive technique feasible. Product improvement of this kind takes place routinely during the early years of operation of any complex equipment. Thus, although reliability-centered maintenance is concerned in the short run with tasks based on the actual reliability characteristics of the equipment, it is also concerned with improvements that will ultimately increase delivered reliability.

1.3 RELIABILITY PROBLEMS IN COMPLEX EQUIPMENT

failure possibilities in complex equipment; performance requirements and reliability; the role of design in reducing failure consequences

Failures are inevitable in any complex equipment, although their consequences can be controlled by careful design and effective maintenance. The reason for this failure incidence is apparent if we consider some basic differences between simple and complex equipment. Simple equipment is asked to perform very few different functions. Such equipment therefore consists of only a few systems and assemblies, and these in turn may be so simple that some are exposed to only one possible failure mode. In most cases this simplicity extends to the structural elements as well, and both the structure and the various items on the equipment are relatively accessible for inspection.

As a result, simple equipment has certain distinct failure characteristics. Because it is exposed to relatively few failure possibilities, its overall reliability tends to be higher. For the same reason, these failures tend to be age-related; each type of failure tends to concentrate around some average age, and since only a few types of failure are involved, they govern the average age at failure. However, in the absence of redundancy and other protective features, such failures may have fairly serious consequences. Thus simple equipment is often protected by "overdesign"; components are heavier and bulkier than necessary, and familiar materials and processes are used to avoid the uncertainty associated with more complex high-performance equipment.

All in all, the traditional idea that failures are directly related to safety and that their likelihood varies directly with age is often true for simple equipment. In any case, it is fairly easy to make an exhaustive study of such equipment to determine its scheduled-maintenance requirements.

The situation is quite different with the complex equipment in use today. The general-aviation aircraft of the 1930s usually had a simple reciprocating engine, a fixed-pitch propeller, fixed landing gear, and no wing flaps. The modern airplane may have several turboprop or turbojet powerplants, retractable landing gear, movable high-lift devices, an airframe anti-icing system, pressure- and temperature-control systems for the cabin, extensive communications and navigation equipment, complex cockpit instrumentation, and complex ancillary systems to support all these additional items. This increased complexity has greatly expanded the safe operational capability of the aircraft. The simple airplane of the 1930s was limited to trips of a few hundred miles under reasonably favorable weather conditions. The higher performance capability demanded of modern equipment, however, has greatly increased not only the number of items that can fail, but the types of failure that can occur.

Each new design of any high-performance equipment is essentially an attempt to make earlier designs technologically obsolete, with the usual measure of improvement being potential operating capability (including operating costs). In other words, this is the operating capability expected in the absence of any failures that might change the circumstances. The basis for evaluating new aircraft designs usually includes performance factors such as the following:

• The maximum payload (military or commercial) that can be carried over a given distance
• The maximum distance over which a given payload can be carried
• The minimum size of the vehicle that can carry a given payload over a given distance
• The highest speed that can be attained under defined payload/range conditions
• Special capabilities, such as the ability to traverse rough terrain, operate from short runways, or withstand punishment

In some cases these factors are weighed against the anticipated direct operating costs (including maintenance costs) associated with attaining such capabilities, since a major objective may be to achieve the minimum cost per unit of payload transported. In other cases performance takes precedence over cost. This is true not only of military equipment, but of certain types of civilian equipment, where there is an adequate market for specialized capability despite its cost.

Another aspect of performance demands, of course, is the trend toward increasing automation. Examples are everywhere: automatic flight-control systems in aircraft, including automatic approach and landing equipment; automatic transmissions in automobiles; automated traffic-control systems for rapid-transit trains; and automatic aperture-setting devices in cameras.

The design of complex equipment, therefore, is always a tradeoff between achieving the required performance capability and acceptable reliability. This tradeoff entails an intentional compromise between the lightness and compactness required for high performance and the weight and bulk required for durability. Thus it is neither economically nor technologically feasible to produce complex equipment that can sustain trouble-free operation for an indefinite period of time. Although the reliability of certain items that perform single functions may be improving, the number of such items has been vastly multiplied. It is therefore inevitable that failures will occur, that is, that certain parts of the equipment will lose the capability of performing their specified functions.

Our concern is not with the number of these failures, but with the consequences of a given failure for the equipment as a whole. Will the loss of a particular function endanger the equipment or its occupants? If not, is it necessary to abort the mission or take the equipment out of service until repairs can be made? Or can unrestricted operation continue and the repair be deferred to a convenient time and place? The ability to defer failure consequences depends largely on the design of the equipment. One strategy is the use of redundancy and fail-safe construction. Another strategy is failure substitution, the use of a minor failure to preempt a major one, as in the use of fuses and circuit breakers. This latter concept extends to maintenance activities in which potential failures are used to preempt functional failures. Thus the design may include various instrumentation to give some warning of an impending failure or other features which facilitate inspection for possible deterioration. All these features actually increase the number of failure possibilities in the sense that they add more items that could fail. However, they greatly reduce the consequences of any single failure.

1.4 AN OVERVIEW OF MAINTENANCE ACTIVITY

corrective and scheduled maintenance; scheduled-maintenance program; maintenance stations; line maintenance and shop maintenance

The activities of a maintenance organization include both the scheduled work that is performed to avoid failures and the corrective work that is performed after failures have occurred. Our present concern is with preventive maintenance, the program of scheduled tasks necessary to ensure safe and reliable operation of the equipment. The complete collection of these tasks, together with their assigned intervals, is termed the scheduled-maintenance program. This program includes only the tasks that are scheduled in advance: servicing and lubrication, inspection, and scheduled removal and replacement of items on the equipment. Exhibit 1.1 lists some typical tasks in such a program.

EXHIBIT 1.1 Typical scheduled-maintenance tasks for various items on aircraft. Some scheduled tasks are performed on the aircraft at line-maintenance stations and others are performed at the major maintenance base, either as part of a larger maintenance package or as part of the shop procedure whenever a failed unit is sent to the maintenance base for repair.

| nature of item | scheduled-maintenance task | task interval |
|---|---|---|
| SYSTEMS ITEMS | | |
| Fuel-pump assembly (Douglas A4) | On-condition (on aircraft): Inspect filter for contamination | 60 operating hours |
| | On-condition (on aircraft): Inspect drive shaft for spline wear | 1,000 operating hours |
| Brake assembly, main landing gear (Douglas DC-10) | On-condition (on aircraft): Inspect brake wear indicators | During overnight stops and walkaround checks |
| | On-condition (in shop): Test automatic brake adjuster | Whenever brake assembly is in shop |
| POWERPLANT ITEMS | | |
| Compressor rear frame (General Electric CF6-6) | On-condition (on aircraft): Inspect front flange for cracks emanating from bolt holes | 500 flight cycles or phase check (134 days), whichever is first |
| Nozzle guide vanes (Pratt & Whitney JT8D-7) | On-condition (on aircraft): Perform borescope inspection for burning, cracking, or bowing of guide vanes | 1,000 operating hours |
| Tenth-stage compressor blades (Pratt & Whitney JT4) | Scheduled rework: Shot-peen blade dovetail and apply antigalling compound | 6,000 operating hours |
| Stage 3 turbine disk (Pratt & Whitney JT8D) | Scheduled discard: Replace turbine disk with new part | 15,000 flight cycles or 30,000 operating hours, whichever is first |
| STRUCTURAL ITEMS | | |
| Rear spar at bulkhead intersection (Douglas DC-10) | On-condition (on aircraft): Inspect specified intersections in zones 531, 631, 141, 142 for cracks and corrosion | Primary strength-indicator areas 5,000 operating hours, internal fuel-tank areas 20,000 hours |
| Shock strut, main landing gear (Boeing 737) | On-condition (in shop): Strip cadmium plate and inspect for cracks and corrosion | 19,500 operating hours |

In order to accomplish the anticipated corrective and scheduled maintenance, an operating organization must establish an overall support plan which includes the designation of maintenance stations, staffing with trained mechanics, provision of specialized testing equipment and parts inventories, and so on. The overall maintenance plan of an airline is typical of that for any transportation system in which each piece of equipment operates through many stations but has no unique home station.

A large proportion of the failures that occur during operation are
first observed and reported by the operating crew. Some of these must
be corrected after the next landing, and a few are serious enough to
require a change in flight plan. The correction of many other failures,
however, can be deferred to a convenient time and location. Those line
stations with a high exposure to the need for immediate corrective work
are designated as maintenance stations and are equipped with trained
mechanics, spare-parts inventory, and the facilities necessary to carry
out such repairs. United Airlines serves 91 airline stations with 19 such
maintenance stations.

The decision to designate a particular station as a maintenance station depends chiefly on the amount of traffic at that station and the reliability of the aircraft involved. A station at which the greatest volume of repairs is expected is the logical first choice. However, other considerations may be the frequency with which the operating schedule provides overnight layovers, the relative ease of routing other aircraft to that station, the availability of mechanics and parts to support other types of aircraft, the planned volume of scheduled-maintenance work, and so on.

Line-maintenance stations themselves vary in size and complexity. The facilities needed for immediate corrective work establish the minimum resources at any given maintenance station, but operating organizations generally consolidate the bulk of the deferrable work at a few of these stations for greater economy. To simplify the control of scheduled maintenance, individual tasks are grouped into a fairly small number of maintenance packages for execution. Like deferrable corrective work, these scheduled-maintenance packages can be assigned to any convenient maintenance station. Thus the more involved work is generally assigned to those line stations already equipped with the staff and inventories for extensive corrective work.

Not all scheduled-maintenance tasks can be carried out at line stations. Major structural inspections, scheduled rework, and inspections which entail extensive disassembly are best handled at a major maintenance base equipped with shop facilities. The major base also repairs failed units that are removed from aircraft at the line stations. Few such maintenance bases are needed, and reliability considerations generally determine their size and manpower requirements, rather than their location. Many large airlines operate efficiently with only one maintenance base. The work performed at a maintenance base is generally termed shop maintenance to differentiate it from line maintenance, which consists primarily of replacing failed units rather than repairing them.

The entire process by which a detailed support plan is developed is beyond the scope of this volume. Suffice it to say that a detailed plan is necessary in order to implement a scheduled-maintenance program. Our concern here is with the development of such a program, or rather, with the principles underlying its development. In the following chapters we will examine the nature of failures, the basis on which their consequences are evaluated, and the specific criteria that determine the applicability and effectiveness of a given type of preventive task. With this framework established, we will consider the decision logic that results in a scheduled-maintenance program based on the actual reliability characteristics of the equipment. This reliability-centered approach ensures that the inherent safety and operating capability of the equipment will be realized at the minimum cost, given the information available at any time.

The chapters in Part Two illustrate the application of RCM decision logic to specific hardware examples and discuss some of the information processes involved in the continuing evolution of the maintenance program after the equipment enters service. All these illustrations are drawn from commercial-aircraft applications. However, it should be clear from the discussion in Part One that the basic principles of RCM programs extend not just to other operating contexts, but to maintenance programs for any complex equipment.

CHAPTER TWO

PARTS of any mechanical equipment are subject to wear, corrosion, and fatigue which inevitably result in some deviation from the conditions that existed when the equipment was new. Ultimately the deviation will become great enough that the equipment, or some item on it, no longer meets the required performance standards; that is, it fails. The role of scheduled maintenance is to cope with the failure process. For years, however, the chief focus has been on anticipating the age at which things were likely to fail, rather than on how they fail and the consequences of such failures. As a result, there has been insufficient attention to the failure process itself, and even less attention to the question of precisely what constitutes a failure.

One reason for this lack of attention has been the common assumption that all equipment "wears out" and inevitably becomes less reliable with increasing operating age. This assumption led to the conclusion that the overall failure rate of an item will always be reduced by an age limit which precludes operation at ages where the likelihood of failure is greater. In accordance with this hard-time policy, all units were taken out of service when they reached a specified age and were sent to the major maintenance base for complete disassembly and overhaul, a procedure intended to restore each part to its original condition.

It is now known that the reliability of most complex items does not vary directly with operating age, at least not in such a way as to make hard-time overhaul a useful concept. Procedures directed at obtaining some precise evidence that a failure is imminent are frequently a far superior weapon against failure. However, to understand the specific nature of such procedures as they pertain to an RCM program, it is necessary to take a closer look at the entire concept of failure. Without a precise definition of what condition represents a failure, there is no way either to assess its consequences or to define the physical evidence for which to inspect. The term failure must, in fact, be given a far more explicit meaning than "an inability to function" in order to clarify the basis of reliability-centered maintenance.

In this chapter we will examine the problem of defining failures and some of the implications this has for the analysis of failure data. We will also see how failure consequences are evaluated, both in terms of single failures and in terms of multiple failures. Finally, we will discuss the process of failure itself and see why complex items, unlike simple items, do not necessarily wear out.

2.1 THE DEFINITION OF FAILURE

failure; functional failure; potential failure

Each of us has some intuitive notion of what constitutes a failure. We would all agree that an automobile engine, a fuel pump, or a tire has failed if it ceases to perform its intended function. But there are times when an item does continue to function, although not at its expected level. An automobile engine may run powerfully and smoothly, but its oil consumption is high; a fuel pump may pump fuel, but sluggishly; a tire may hold air and support the car, but its bald tread indicates that it will do neither much longer.

Have these items failed? If not, how bad must their condition become before we would say a failure has occurred? Moreover, if any of these conditions is corrected, the time required for unanticipated repairs might force a change in other plans, such as the delay or cancellation of a trip. In this event could it still be argued that no failure had occurred?

To cover all these eventualities we can define a failure in broad terms as follows:

A failure is an unsatisfactory condition.

In other words, a failure is any identifiable deviation from the original condition which is unsatisfactory to a particular user. The determination that a condition is unsatisfactory, however, depends on the consequences of failure in a given operating context. For example, high oil consumption in an aircraft engine may pose no problem on short- or medium-range flights, whereas on long-range flights the same rate of consumption would exhaust the oil supply. Similarly, engine-instrument malfunctions that would not disrupt operations on multiengine equipment would be clearly unsatisfactory on a single-engine plane, and performance that is acceptable in a land-based environment might not be good enough for carrier operation.

In short, the exact dividing line between satisfactory and unsatisfactory conditions will depend not only on the function of the item in question, but on the nature of the equipment in which it is installed and the operating context in which that equipment is used. The determination will therefore vary from one operating organization to another. Within a given organization, however, it is essential that the boundaries between satisfactory and unsatisfactory conditions be defined for each item in clear and unmistakable terms.

FUNCTIONAL FAILURE

The judgment that a condition is unsatisfactory implies that there must be some condition or performance standard on which this judgment can be based. As we have seen, however, an unsatisfactory condition can range from the complete inability of an item to perform its intended function to some physical evidence that it will soon be unable to do so. For maintenance purposes, therefore, we must classify failures further as either functional failures or potential failures:
A functional failure is the inability of an item (or the equipment containing it) to meet a specified performance standard.


A complete loss of function is clearly a functional failure. Note, however, that a functional failure also includes the inability of an item to function at the level of performance that has been specified as satisfactory. This definition thus provides us with an identifiable and measurable condition, a basis for identifying functional failures.

To define a functional failure for any item we must, of course, have a clear understanding of its functions. This is not a trivial consideration. For example, if we say that the function of the braking system on an airplane is to stop the plane, then only one functional failure is possible: inability to stop the plane. However, this system also has the functions of providing modulated stopping capability, providing differential braking for maneuvering on the ground, providing antiskid capability, and so on. With this expanded definition it becomes clear that the braking system is in fact subject to a number of different functional failures. It is extremely important to determine all the functions of an item that are significant in a given operating context, since it is only in these terms that its functional failures can be defined.
POTENTIAL FAILURE

Once a particular functional failure has been defined, some physical condition can often be identified which indicates that this failure is imminent. Under these circumstances it may be possible to remove the item from service before the point of functional failure. When such conditions can be identified, they are defined as potential failures:
A potential failure is an identifiable physical condition which indicates a functional failure is imminent.

The fact that potential failures can be identified is an important aspect of modern maintenance theory, because it permits maximum use of each item without the consequences associated with a functional failure. Units are removed or repaired at the potential-failure stage, so that potential failures preempt functional failures.
For some items the identifiable condition that indicates imminent failure is directly related to the performance criterion that defines the functional failure. For example, one of the functions of a tire tread is to provide a renewable surface that protects the carcass of the tire so that it can be retreaded. This function is not the most obvious one, and it might well be overlooked in a listing of tire functions; nevertheless, it is important from an economic standpoint. Repeated use of the tire wears away the tread, and if wear continues to the point at which the carcass cannot be retreaded, a functional failure has occurred. To prevent this particular functional failure, we must therefore define the potential failure as some wear level that does not endanger the carcass.
The ability to identify either a functional or a potential failure thus depends on three factors:
- Clear definitions of the functions of an item as they relate to the equipment or operating context in which the item is to be used
- A clear definition of the conditions that constitute a functional failure in each case
- A clear definition of the conditions that indicate the imminence of this failure

In other words, we must not only define the failure; we must also specify the precise evidence by which it can be recognized.

2.2 THE DETECTION OF FAILURES
the role of the operating crew
evident and hidden functions
verification of failures
interpreting failure data

Both functional failures and potential failures can be defined in terms of identifiable conditions for a given operating context. In evaluating failure data, however, it is important to take into account the different frames of reference of several sets of failure observers: the operating crew, the line mechanic, the shop mechanic, and even passengers. Understanding how and when the observer sees a failure and how he interprets it is crucial both to operating reliability and to effective preventive maintenance.
The detection and reporting of failures depends on two principal elements:
- The observer must be in a position to detect the failure. This "right" position may be a physical location, a particular moment in time, or access to the inspection equipment that can reveal the condition.
- The observer must have standards that enable him to recognize the condition he sees as a failure, either functional or potential.

THE ROLE OF THE OPERATING CREW


Members of the operating crew are the only people in a position to observe the dynamic operation of the equipment in its normal environment. Whereas an airplane in a maintenance facility is in a static environment, during flight its systems are activated and the whole machine is subjected to airloads and to both low atmospheric pressure and low outside temperatures. As a result, the operating crew will be the first to observe many functional failures. Such failures are often detected at the time a crew member calls on a function and finds that it is impaired.
In most complex equipment the crew's ability to observe failures is further enhanced by extensive instrumentation, warning lights, or other monitoring devices. In some cases these indicators make failures evident at the moment they occur, when otherwise they might go undetected until the function was needed. Such early warning provides more time for changes in operating strategy to offset the consequences of the failure. For example, certain engine malfunctions may require the shutdown of one engine and perhaps the selection of an alternate landing field, or an auxiliary hydraulic pump may have to be turned on after one of the main ones fails. Even when the flight can be continued without incident, the crew is required to record the failure as accurately as possible in the flight log so the condition can be corrected at the earliest opportunity.
This instrumentation also permits the crew to determine whether items that are still operative are functioning as well as they should. In some cases reduced performance is an indication of an imminent failure, and these conditions would also be examined later to see whether a potential failure exists.
Not surprisingly, the operating crew plays a major role in detecting failure conditions. This is illustrated by a study of the support costs on a fleet of Boeing 747's over the first ten months of 1975 (a total of 51,400 operating hours). In this case 66.1 percent of all failure reports while the plane was away from the maintenance base originated with the operating crew, and these failures accounted for 61.5 percent of the total manhours for corrective line maintenance. The other 33.9 percent of the reported failures included potential failures detected by line mechanics, along with other failures not normally evident to the operating crew.
HIDDEN-FUNCTION ITEMS

Although most functional failures are first detected by the operating crew, many items are subject to failures that the crew is not in a position to observe. The crew duties often include special checks of certain hidden-function items, but most such failures must be found by inspections or tests performed by maintenance personnel. To ensure that we will know when a failure has occurred, we must know that the observer is in a position to detect it. Hence for maintenance purposes a basic distinction is made between evident and hidden functions from the vantage point of the operating crew:
An evident function is one whose failure will be evident to the operating crew during the performance of normal duties.
A hidden function is one whose failure will not be evident to the operating crew during the performance of normal duties.

An item may have several functions, any one of which can fail. If the
loss of one of these functions would not be evident, the item must be
classified from the maintenance standpoint as a hidden-function item.

Hidden functions may be of two kinds:
- A function that is normally active but gives no indication to the operating crew if it ceases
- A function that is normally inactive, so that the crew cannot know whether it will be available when it is needed (usually the demand follows some other failure)

The fire-detection system in an aircraft powerplant falls into the first category. This system is active whenever the engine is in use, but its sensing function is hidden unless it detects a fire; thus if it fails in some way, its failure is similarly hidden. The fire-extinguishing system that backs up this unit has the second kind of hidden function. It is not activated unless a fire is detected, and only when it is called upon to operate does the crew find out whether it works.
In addition to inspecting for potential failures, maintenance personnel also inspect most hidden-function items for functional failures. Thus the operating crew and the maintenance crew complement one another as failure observers.
VERIFICATION OF FAILURES

Operating crews occasionally report conditions which appear unsatisfactory to them, but which are actually satisfactory according to the
defined standards for condition and performance. This is a basic principle of prevention. The operating crew cannot always know when a
particular deviation represents a potential failure, and in the interests
of safety the crew is required to report anything questionable. In most
airlines the operating crew can communicate directly with a central
group of maintenance specialists, or controllers, about any unusual conditions observed during flight. The controllers can determine the consequences of the condition described to them and advise the crew
whether to land as soon as possible or continue the flight, with or without operating restrictions. The controllers are also in a position to determine whether the condition should be corrected before the plane is
dispatched again. This advice is particularly important when a plane is
operating into a station which is not a maintenance station.
Once the plane is available for maintenance inspection, the maintenance crew is in a better position to diagnose the problem and determine whether a failure condition actually does exist. Thus the suspect item may be replaced or repaired or marked "OK for continued operation." The fact that failure observers have different frames of reference for interpreting the conditions they see often makes it difficult to evaluate failure reports. For example, a broken seat recliner is recognizable to any observer as a failure. Frequently a passenger will notice the condition first and complain about it to the flight attendant. The line
mechanic at the next maintenance station will take corrective action,
usually by replacing the mechanism and sending the failed unit to the
maintenance base, where the shop mechanic will record the failure and
make the repair. In this case all four types of observer would have no
difficulty recognizing the failure.
The situation is somewhat different with an in-flight engine shutdown as a result of erratic instrument readings. Although the passengers would not be aware that a failure had occurred, the operating crew
would report an engine failure. However, the line mechanic might discover that the failure was in the cockpit instruments, not the engine. He
would then replace the faulty instrument and report an instrument failure. Thus the crew members are the only ones in a position to observe
the failure, but they are not in a position to interpret it. Under other
circumstances the situation may be reversed. For example, on certain
engines actual separation of the turbine blades - a functional failure - is preceded by a perceptible looseness of one or more blades in their
mounts. If the blades separate, both the operating crew and the passengers may become abruptly aware of the functional failure, but since
the engine functions normally with loose blades, neither crew nor
passengers have any reason to suspect a potential failure. In this case
the crew members might be able to interpret the condition as a potential failure, but they are not in a position to observe it.
The line mechanic who inspects the engine as part of scheduled
maintenance will check for loose blades by slowly rotating the turbine
assembly and feeling the blades with a probe (typically a length of stiff
rubber or plastic tubing). If he finds any loose blades, he will report a
failure and remove the engine. The mechanics in the engine-repair shop
are in an even better position for detailed observation, since they must
go inside the engine case to get at the faulty blades. (On occasion they
may be the first to observe loose blades in an engine removed for other
reasons.) If they confirm the line mechanic's diagnosis, they will report
the failure as verified.
Of course, the situation is not always this clear cut. Often there are no precise troubleshooting methods to determine exactly which component or part is responsible for a reported malfunction. Under these circumstances the line mechanic will remove several items, any one of which might have caused the problem. This practice is sometimes referred to as "shotgun" troubleshooting. Many of these suspect items will show normal performance characteristics when they are tested at the maintenance base. Thus, although they are reported as failures at the time they are removed from the equipment, from the shop mechanic's frame of reference they are unverified failures. By the same token, differences between the testing environment and the field environment will sometimes result in unverified failures for items that are actually suffering functional failures in the field.
Units removed from equipment either as potential failures or because of malfunctions are termed premature removals. This term came
into use when most equipment items had a fixed operating-age limit.
A unit removed when it reached this limit was "time-expired," whereas
one removed because it had failed (or was suspected of having failed)
before this age limit was a "premature" removal.
INTERPRETING FAILURE DATA


The problem of interpreting failure data is further complicated by differences in reporting policy from one organization to another. For example, one airline might classify an engine removed because of loose turbine blades as a failure (this classification would be consistent with our definition of a potential failure). This removal and all others like it would then be counted as failures in all failure data. Another airline might classify such removals as "precautionary," or even as "scheduled" (having discovered a potential failure, they would then schedule the unit for removal at the earliest opportunity). In both these cases the removals would not be reported as failures.
Similar differences arise as a result of varying performance requirements. The inability of an item to meet some specified performance requirement is considered a functional failure. Thus functional failures (and also potential failures) are created or eliminated by differences in the specified limits; even in the same piece of equipment, what is a failure to one organization will not necessarily be a failure to another. These differences exist not only from one organization to another, but within a single organization over a long calendar period. Procedures change, or failure definitions are revised, and any of these changes will result in a change in the reported failure rate.
Another factor that must be taken into account is the difference in orientation between manufacturers and users. On one hand, the operating organization tends to view a failure for any reason as undesirable and expects the manufacturer to improve the product to eliminate all such occurrences. On the other hand, the manufacturer considers it his responsibility to deliver a product capable of performing at the warranted reliability level (if there is one) under the specific stress conditions for which it was designed. If it later develops that the equipment must frequently be operated beyond these conditions, he will not want to assume responsibility for any failures that may have been caused or accelerated by such operation. Thus manufacturers tend to "censor" the failure histories of operating organizations in light of their individual operating practices. The result is that equipment users, with some confusion among them, talk about what they actually saw, while the manufacturer talks about what they should have seen.

2.3 THE CONSEQUENCES OF FAILURE
safety consequences
operational consequences
nonoperational

While failure analysis may have some small intrinsic interest of its own, the reason for our concern with failure is its consequences. These may range from the modest cost of replacing a failed component to the possible destruction of a piece of equipment and the loss of lives. Thus all reliability-centered maintenance, including the need for redesign, is dictated, not by the frequency of a particular failure, but by the nature of its consequences. Any preventive-maintenance program is therefore based on the following precept:

The consequences of a failure determine the priority of the maintenance activities or design improvement required to prevent its occurrence.

The more complex any piece of equipment is, the more ways there are in which it can fail. All failure consequences, however, can be grouped in the following four categories:
- Safety consequences, involving possible loss of the equipment and its occupants
- Operational consequences, which involve an indirect economic loss as well as the direct cost of repair
- Nonoperational consequences, which involve only the direct cost of repair
- Hidden-failure consequences, which have no direct impact, but increase the likelihood of a multiple failure

SAFETY CONSEQUENCES

The first consideration in evaluating any failure possibility is safety:

Does the failure cause a loss of function or secondary damage that could have a direct adverse effect on operating safety?

Suppose the failure in question is the separation of a number of turbine blades on an aircraft engine, causing the engine to vibrate heavily and lose much of its thrust. This functional failure could certainly affect the safety of a single-engine aircraft and its occupants, since the loss of thrust will force an immediate landing regardless of the terrain below. Furthermore, if the engine is one whose case cannot contain ejected blades, the blades may be thrown through the engine case and cause unpredictable, and perhaps serious, damage to the plane itself. There is also danger from hot gases escaping from the torn engine case. In a multiengine plane the loss of thrust would have no direct effect on safety, since the aircraft can maintain altitude and complete its flight with one engine inoperative. Hence the loss of function is not in itself cause for alarm. However, both plane and passengers will still be endangered by the possible secondary damage caused by the ejected blades. In this case, therefore, the secondary effects are sufficient reason to classify the failure as critical.
A critical failure is any failure that could have a direct effect on
safety. Note, however, that the term direct implies certain limitations.
The impact of the failure must be immediate if it is to be considered
direct; that is, the adverse effect must be one that will be felt before
planned completion of the flight. In addition, these consequences must
result from a single failure, not from some combination of this failure
with one that has not yet occurred. An important fact follows from this:

All critical failures will be evident to the operating crew. If a failure has no evident results, it cannot, by definition, have a direct effect on safety.

It may be necessary to remove a plane from service to correct certain failures before continuing operation, and in some cases it may even be advisable to discontinue the flight. However, as long as the failure itself has no immediate safety consequences, the need for these precautionary measures does not justify classifying this failure as critical.
Not every critical failure results in an accident; some such failures, in fact, have occurred fairly often with no serious consequences. However, the issue is not whether such consequences are inevitable, but whether they are possible. For example, the secondary effects associated with ejected turbine blades are unpredictable. Usually they do not injure passengers or damage a vital part of the plane, but they can. Therefore this failure is classified as critical. Similarly, any failure that causes an engine fire is critical. Despite the existence of fire-extinguishing systems, there is no guarantee that a fire can be controlled and extinguished. Safety consequences are always assessed at the most conservative level, and in the absence of proof that a failure cannot affect safety, it is classified by default as critical.
In the event of any critical failure, every attempt is made to prevent a recurrence. Often redesign of one or more vulnerable items is necessary. However, the design and manufacture of new parts and their subsequent incorporation in in-service equipment takes months, and sometimes years. Hence some other action is needed in the meantime. In the case of turbine-blade failure an identifiable physical condition - loose blades - has been found to occur well in advance of actual separation of the blades. Thus regular inspection for this condition as part of scheduled maintenance makes it possible to remove engines at the potential-failure stage, thereby forestalling all critical functional failures. Note that this preventive-maintenance task does not prevent failures; rather, by substituting a potential failure for a functional failure, it precludes the consequences of a functional failure.
OPERATIONAL CONSEQUENCES

Once safety consequences have been ruled out, a second set of consequences must be considered:

Does the failure have a direct adverse effect on operational capability?

Whenever the need to correct a failure disrupts planned operations, the failure has operational consequences. Thus operational consequences include the need to abort an operation after a failure occurs, the delay or cancellation of other operations to make unanticipated repairs, or the need for operating restrictions until repairs can be made. (A critical failure can, of course, be viewed as a special case of a failure with operational consequences.) In this case the consequences are economic: they represent the imputed cost of lost operational capability.
A failure that requires immediate correction does not necessarily have operational consequences. For example, if a failed item on an aircraft can be replaced or repaired during the normal transit time at a line station, then it causes no delay or cancellation of subsequent flights, and the only economic consequence is the cost of corrective maintenance. In contrast, the plane may be operational, but its reduced capability will result in such costs as high fuel consumption. The definition of operational consequences will therefore vary from one operating context to another. In all cases, however, the total cost of an operational failure includes the economic loss resulting from the failure as well as the cost of repairing it. If a failure has no operational consequences, the cost of corrective maintenance is still incurred, but this is the only cost.
If a potential failure such as loose turbine blades were discovered while the plane was in service, the time required to remove this engine and install a new one would involve operational consequences. However, inspections for this potential failure can be performed while the plane is out of service for scheduled maintenance. In this case there is ample time to remove and replace any failed engines (potential failures) without disrupting planned operations.

NONOPERATIONAL CONSEQUENCES

There are many kinds of functional failures that have no direct adverse effect on operational capability. One common example is the failure of a navigation unit in a plane equipped with a highly redundant navigation system. Since other units ensure availability of the required function, the only consequence in this case is that the failed unit must be replaced at some convenient time. Thus the costs generated by such a failure are limited to the cost of corrective maintenance.
As we have seen, potential failures also fall in this category. The purpose of defining a potential failure that can be used to preempt a functional failure is to reduce the failure consequences in as many cases as possible to the level of direct cost of replacement and repair.

HIDDEN-FAILURE CONSEQUENCES

Another important class of failures that have no immediate consequences consists of failures of hidden-function items. By definition, hidden failures can have no direct adverse effects (if they did, the failure would not be hidden). However, the ultimate consequences can be major if a hidden failure is not detected and corrected. Certain elevator-control systems, for example, are designed with concentric inner and outer shafts so that the failure of one shaft will not result in any loss of elevator control. If the second shaft were to fail after an undetected failure of the first one, the result would be a critical failure. In other words, the consequence of any hidden-function failure is increased exposure to the consequences of a multiple failure.

2.4 MULTIPLE FAILURES
probability of a multiple failure
evaluation of multiple-failure consequences

Failure consequences are often assessed in terms of a sequence of independent events leading to a multiple failure, since several successive failures may result in consequences that no one of the failures would produce individually. The probability of a multiple failure is simple to calculate. Suppose items A and B in Exhibit 2.1 both have a probability of 0.99 of surviving a given two-hour flight (this would correspond to one failure per 100 flights, which is in fact a very high failure rate). If items A and B are both functioning at takeoff time, there are only four possible outcomes:
Item A survives and item B survives: P = 0.99 × 0.99 = 0.9801
Item A survives and item B fails: P = 0.99 × 0.01 = 0.0099
Item A fails and item B survives: P = 0.01 × 0.99 = 0.0099
Item A fails and item B fails: P = 0.01 × 0.01 = 0.0001

In other words, the probability that A and B will both fail during the same flight is only 0.0001, or an average of once in 10,000 flights. If we were considering a multiple failure of three items, the average occurrence, even with the high failure rate we have assumed here, would be once every million flights.

EXHIBIT 2.1 Tree diagram showing the probability of a multiple failure of two items during the same flight when both items are serviceable at takeoff.

Note the difference, however, if item A is in a failed state when the flight begins. The probability that B will fail is .01; thus the probability of a multiple failure of A and B depends only on the probability of the second failure: .01, or an average of one occurrence every 100 flights. This becomes a matter of concern if the combination has critical consequences. Because of the increased probability of a multiple failure, hidden-function items are placed in a special category, and all such items that are not subject to other maintenance tasks are scheduled for failure-finding tasks. Although this type of task is intended to discover, rather than to prevent, hidden failures, it can be viewed as preventive maintenance because one of its objectives is to reduce exposure to a possible multiple failure.
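
The calculation above, as an added example in Python that is not part of the original report: it enumerates the outcome tree of Exhibit 2.1 for any number of items and repeats the calculation with item A already failed at takeoff. It also goes beyond the text by tracking exposure between failure-finding checks; the function names, and the assumption that each check restores the hidden item to a serviceable state, belong to this example only.

```python
from itertools import product
from math import prod


def outcome_tree(survival):
    """Enumerate every survive/fail outcome for items serviceable at takeoff.

    survival maps item name -> probability of surviving one flight.
    Returns {tuple of failed item names: probability of that outcome}.
    Failures are treated as independent events, as in the text.
    """
    names = sorted(survival)
    tree = {}
    for states in product((True, False), repeat=len(names)):
        p = prod(survival[n] if ok else 1.0 - survival[n]
                 for n, ok in zip(names, states))
        failed = tuple(n for n, ok in zip(names, states) if not ok)
        tree[failed] = p
    return tree


def multiple_failure_probability(survival, failed_at_takeoff=()):
    """Probability that every listed item is failed by the end of the flight.

    Items named in failed_at_takeoff are already in an undetected failed
    state, so only the remaining items still have to fail.
    """
    return prod(1.0 - p for name, p in survival.items()
                if name not in failed_at_takeoff)


def exposure_on_flight(s_hidden, s_evident, flights_since_check):
    """Multiple-failure probability on one flight of a check interval.

    Assumption of this example: the hidden-function item was verified
    serviceable at the last failure-finding check and nobody can observe
    its failure until the next one. It is failed by the end of flight k
    (k = 0 is the first flight after the check) with probability
    1 - s_hidden ** (k + 1).
    """
    p_hidden_failed = 1.0 - s_hidden ** (flights_since_check + 1)
    return p_hidden_failed * (1.0 - s_evident)


def mean_exposure(s_hidden, s_evident, check_interval):
    """Average per-flight exposure when checks are check_interval flights apart."""
    total = sum(exposure_on_flight(s_hidden, s_evident, k)
                for k in range(check_interval))
    return total / check_interval


if __name__ == "__main__":
    items = {"A": 0.99, "B": 0.99}  # survival probabilities from the text
    for failed, p in outcome_tree(items).items():
        print(f"failed={failed or '-'}  P={p:.4f}")
    print("A failed at takeoff:",
          multiple_failure_probability(items, failed_at_takeoff=("A",)))
    for interval in (1, 10, 100):  # constructed check intervals, in flights
        print(interval, round(mean_exposure(0.99, 0.99, interval), 6))
```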
To illustrate how the consequences of a multiple failure might be evaluated, consider a sequence of failures all of which are evident. If the first failure has safety consequences, there is no need to assess the consequences of a second failure. This first critical failure is the sole concern, and every effort is made to prevent its occurrence. When the first loss of function is not critical, then the consequences of a second loss of function must be investigated. If the combined effect of both failures would jeopardize safety, then this multiple failure must be prevented by correcting the first failure as soon as possible. This may entail an unscheduled landing and will at least require taking the equipment out of service until the condition has been repaired. In this case, therefore, the first failure has operational consequences.

EXHIBIT 2.2 The consequences of a single failure as determined by the consequences of a possible multiple failure. A failure that does not in itself affect operating capability acquires operational consequences if a subsequent multiple failure would be critical.
Notes recoverable from the figure:
- A second failure would be critical; the first failure must be corrected before further dispatch and therefore has operational consequences.
- A third failure would be critical; the second failure must be corrected before further dispatch, but correction of the first failure can be deferred to a convenient time and location.
- A fourth failure would be critical; the third failure must be corrected before further dispatch, but correction of both the first and second failures can be deferred.
Consequence labels in the figure: Nonoperational, Nonoperational, Operational, Critical.
Note in Exhibit 2.2 that multiple-failure consequences need be assessed only in terms of two successive failure events. If a third loss of function would be critical, the second failure has operational consequences. However, the first failure in such a sequence can be deferred to a convenient time and place; thus it has no operational consequences.
Hidden-function failures are assessed on the same basis. If the first failure under consideration is a hidden one, scheduled maintenance is necessary to protect against a multiple failure. The intensity of this maintenance, however, is dictated by the consequences of the possible multiple failure. If the combination of this failure with a second failure would be critical, every effort is made to ensure that the hidden function will be available.
What we are doing, in effect, is treating any single failure as the first in a succession of events that could lead to a critical multiple failure. It is this method of assessing failure consequences that permits us to base a maintenance program on the consequences of single failures.

2.5 THE FAILURE PROCESS
failure in simple items
a model of the failure process
the age at failure

FAILURE IN SIMPLE ITEMS

One reason for identifying unsatisfactory conditions at the potential-failure stage is to prevent the more serious consequences of a functional failure. Another reason, however, is that the removal of individual units on the basis of their condition makes it possible to realize most of the useful life of each unit. To see how this procedure works, consider a simple item such as the airplane tire in Exhibit 2.3. Although a tire has other functions, here we are concerned with its retread capability. Hence we have defined a functional failure as the point at which the carcass plies are exposed so that the carcass is no longer suitable for retreading. The remaining tread is thus the tire's resistance to failure at any given moment. The stresses to which the tire is subjected during each landing reduce this resistance by some predictable amount, and the number of landings is a measure of the total exposure to stress. With increasing exposure in service, the failure resistance is gradually reduced until eventually there is a functional failure: visible plies.

EXHIBIT 2.3 Tire tread wear as an illustration of the failure process in a simple item. The potential-failure condition is defined in this case as the tread depth at point A. At point B, when the tire is smooth, it can still be removed as a potential failure, but if wear continues to point C the carcass will no longer be suitable for retreading, and the loss of this function will constitute a functional failure.

Exposure (number of landings)

EXHIBIT 2.4 The use of potential failures to prevent functional failures. When tread depth reaches the potential-failure stage, the tire is removed and retreaded (recapped). This process restores the original tread, and hence the original failure resistance, so that the tire never reaches the functional-failure stage.

Because the reduction in failure resistance is visible and easily
measured, it is usual maintenance practice to define a potential failure
as some wear level just short of this failure point. The tires are inspected
periodically, usually when the aircraft is out of service, and any tire
worn beyond the specified level is replaced. To allow for periodic
inspections, the condition we choose as the potential-failure stage
must not be too close to the functional-failure condition; that is, there
must be a reasonable interval in which to detect the potential failure
and take action. Conversely, setting the potential-failure limit too high
would mean replacing tires that still had substantial useful life.
Once the optimum potential-failure level has been defined, inspections can be scheduled at intervals based on the expected amount of
tread wear over a given number of landings. Exhibit 2.4 shows a smooth
tread noticed at inspection 5. At this point the tire is replaced, and if
its carcass is sound, it will be retreaded. Retreading restores the original
tread, and hence the original resistance to failure, and a new service
cycle begins.
Failure resistance, as we are using the concept here, is somewhat
analogous to the structural engineering practice of determining the
stresses imposed by an applied load and then adding a safety factor to
determine the design strength of a structural member. The difference
between the applied load and the design strength is then the resistance
to failure. The same principle extends to servicing and lubrication
requirements, for example, where a specified oil quantity or lubrication
film represents a resistance to functional failure. Similarly, loose turbine
blades are taken as a marked reduction in failure resistance. There is a
subtle difference, however, between this latter situation and the tire
example. In the case of the tire the decline in failure resistance is visible
and the approximate unit of stress (average tread wear per landing) is
known. In the case of turbine blades the unit of stress is unknown and
the decline in failure resistance is not apparent until the resistance has
become quite low.

A MODEL OF THE FAILURE PROCESS

So far we have discussed a reduction in failure resistance that is evidenced by some visible condition. The more general failure process
involves a direct interaction between stress and resistance, as shown
in Exhibit 2.5. The measure of exposure may be calendar time, total
operating hours, or number of flight or landing cycles, depending on
the item. Because the measurable events occur over time, it is common
to refer to total exposure as the age of an item. Possible measures for the
stress scale are even more varied. Stresses may include temperature and
atmospheric conditions, vibration, abrasion, peak loads, or some combination of these factors. It is often impossible to separate all the stress
factors that may affect an item; hence exposure to stress is usually generalized to include all the stresses to which the item is subjected in a
given operating context.
The primary age measure for most aircraft equipment is operating
hours, usually "off-to-on" (takeoff to landing) flying hours. Some failure
modes, however, are related to the number of ground-air-ground stress
cycles, and in these cases age is measured as number of landings or
flight cycles. Flight cycles are important, for example, in determining
the number of stress cycles experienced by the aircraft structure and
landing gear during landing. They are also of concern for powerplants.
Engines undergo much more stress during takeoff and climb than during cruise, and an engine that experiences more takeoffs in the same
number of operating hours will deteriorate more rapidly.


EXHIBIT 2.5 Generalized model of the failure process. Resistance
to failure is assumed to decline steadily with exposure to stress,
measured over time as operating age, flight cycles, and so on.
A functional failure occurs when the amount of stress exceeds the
remaining failure resistance. In reality both stress and resistance
can fluctuate, so that there is no way to predict the exact age at
which the failure point will be reached.


For this reason all aircraft equipment is monitored in terms of both
operating hours and flight cycles, usually on the basis of total flying
time and total flight cycles for the entire aircraft. Thus if an engine is
installed in a plane that has accumulated 1,000 operating hours and is
removed at 1,543 hours, the engine has aged 543 hours since installation. If that engine was 300 hours old when it was installed, its age at
removal is 843 hours.
Some military aircraft are equipped with acceleration recorders
which also monitor the number of times the structure is stressed beyond
a certain number of G's during operation. The loads can be counted and
converted to an equivalent number of flight hours at the plane's designed operating profile. Like operating hours or flight cycles, these
"spectrum hours" provide a basis for estimating the reduction in resistance to a particular failure mode.
A functional failure occurs when the stress and resistance curves
intersect - that is, when the stress exceeds the remaining resistance
to failure. Either of these curves may take a variety of different shapes,
and the point at which they intersect will vary accordingly (see Exhibit
2.6). Until they do intersect, however, no functional failure occurs. In
practice this failure model can be applied only to simple items - those
subject to only one or a very few failure modes - and to individual
failure modes in complex items. The reason for such a limitation becomes apparent if we consider some of the variables in just a single
failure mode.

THE AGE AT FAILURE

Our examples thus far imply that any given component, such as a
tire, has a well-defined initial resistance to failure and that the rate of
decline in this resistance is more or less known and predictable. It follows
that the time of failure should be predictable. In reality, however, even
nominally identical parts will vary both in their initial failure resistance
and in the rate at which this resistance declines with age. Suppose we
have two nominally identical units of a simple item, or perhaps two
identical parts in a complex item. To simplify matters further, let us say
they are exposed to only one type of stress and are subject to only one
type of failure. On this basis we might expect their failure resistance to
decline at the same rate and therefore expect both units to fail at approximately the same age. However, all manufactured components are
produced to specified tolerance limits, which results in a variation in
initial resistance. These variations are insignificant from a performance
standpoint, but the result is that the two units will begin their service
lives with slightly different capacities to resist stress, and these capacities may decline at somewhat different rates.

EXHIBIT 2.6 Variability of stress, failure resistance, and the age
at failure. In example A the resistance remains constant over time,
but a sudden peak in stress causes failure to occur. In B the stress
and resistance curves do not intersect, but the peak in stress has
permanently lowered the remaining failure resistance. In C the
reduction in failure resistance caused by the peak stress is temporary.
In D the peak stress has accelerated the rate at which the remaining
resistance will decline with age.

Exposure (age)

EXHIBIT 2.7 The difference in failure age of two nominally identical
parts subjected to similar stress patterns. The two units begin their
service lives with comparable initial resistance to failure, but unit B
is exposed to greater stress peaks and reacts to them consistently.
Unit A behaves less accountably; its resistance is unaffected by stress
peaks at 640 and 1,120 hours but declines rapidly between 1,200 and
1,300 hours. As a result, one unit fails at 850 hours and the other at
1,300 hours.

Stress also varies from moment to moment during operation, sometimes quite abruptly. For example, the different loads exerted on an
aircraft structure by atmospheric turbulence can vary markedly even
in the course of a short flight. Moreover, the effect of these stresses will
be further influenced by the condition of the item at the particular
moment it is stressed. As a result, each component will encounter a different stress pattern even if both are operating as part of the same system. Although the variations in either stress or resistance may be slight,
their interaction can make a substantial difference in the length of time
a given component will operate before failing. Units A and B in Exhibit
2.7 are alike in their initial resistance, and the stress placed on
each does not vary much from the constant stress assumed in the generalized model. However, the time of failure is the point at which the
stress and resistance curves intersect; thus unit B failed at an age of
850 hours, whereas unit A survived until 1,300 hours.


Despite the variation in the failure ages of individual units, if a
large number of nominally identical units are considered, their failures
will tend to concentrate about some average age. For purposes of reliability analysis, however, it is necessary to employ statistical techniques
that describe the variation about this average age.
It is also important to recognize that the actual age at failure depends on the stress the unit experiences. The wing-to-fuselage joints
of an aircraft will stand up to normal air turbulence for a very long time,
but perhaps not to the loads encountered during a tornado. The fan
blades of a turbine engine can withstand thousands of hours of normal
stress, but they may not be able to tolerate the ingestion of a single
goose. In nearly all cases random stress peaks markedly above the average level will lower the failure resistance. This reduction may be permanent, as when damage to several structural members lowers the failure
resistance of a wing, or resistance may be affected only at the time the
stress exceeds a certain level. In some cases resistance may change with
each variation in stress, as with metal fatigue. From the standpoint of
preventive maintenance, however, the important factor is not a prediction of when an item is likely to fail, but whether or not the reduction in
failure resistance can be identified by some physical evidence that
permits us to recognize an imminent failure.
Many functional failures are evident at the time they occur, and in
these cases the exact age at failure is known. Unless a failure is evident to the operating crew, however, it is impossible to determine precisely when it occurred. A potential failure detected by mechanics is
known only to have occurred some time between the last inspection
and the inspection at which it is observed. Similarly, although there is
some exact age at which a hidden function fails, the only age we can
pinpoint is the time at which the failure is discovered. For this reason
the age at failure is defined, by convention, as the age at which a failure
is observed and reported.

2.6 FAILURE IN COMPLEX ITEMS

failure modes
dominant failure modes
failure age of a complex item

A complex item is one that is subject to many different failure modes. As
a result, the failure processes may involve a dozen different stress and
resistance considerations, and a correspondingly tangled graphic representation. However, each of these considerations pertains to a single
failure mode - some particular type or manner of failure. For instance, a
bearing in a generator may wear; this causes the unit to vibrate, and
ultimately the bearing will seize. At this point the generator will suffer
a functional failure, since it can no longer rotate and produce electric
power. Generators can also fail for other reasons, but the failure mode
in this case is bearing seizure.
Of course, the bearing itself is also subject to more than one failure
mode. It may wear as a result of abrasion or crack as a result of excessive
heat. From the standpoint of the generator both conditions lead to the
same failure, bearing seizure. However, the maintenance analyst must
know the physical circumstances leading to a particular failure in order
to define an identifiable potential-failure condition. The manufacturer
also needs to know that the bearing is prone to failure and that a modification is needed to improve the reliability of the generator. Such a
design modification is obviously desirable if one particular failure mode
is responsible for a significant proportion of all the failures of the item.
Such failure modes are called dominant failure modes.
As with failures in simple items, the failure ages for a single failure
mode tend to concentrate about an average age for that mode. However,
the average ages for all the different modes will be distributed along
the exposure axis. Consequently, unless there is a dominant failure
mode, the overall failure ages in complex items are usually widely dispersed and are unrelated to a specific operating age. This is a unique
characteristic of complex items. A typical example is illustrated in Exhibit 2.8. In a sample of 50 newly installed Pratt & Whitney JT8D-7
engines, 29 survived beyond 2,000 operating hours. The disparate failure ages of the 21 units that failed, however, do not show any concentration about the average failure age of 861 hours.

EXHIBIT 2.8 Experience with 50 newly installed Pratt & Whitney
JT8D-7 engines over the first 2,000 operating hours. The 21 units that
failed before 2,000 hours flew a total of 18,076 hours, so the total
operating time for all 50 engines was 18,076 hours plus 58,000 hours
for the surviving engines, or 76,076 hours. The mean time between
failures was therefore 76,076/21, or 3,622 hours. The average age
of the failed engines, however, was only 861 hours. (United Airlines)

Operating age at failure (hundreds of hours)

Nevertheless, even in complex items, no matter how numerous the
failure modes may be, the basic failure process reduces to the same
factor - the interaction between stress and resistance to failure. Whether
failures involve reduced resistance, random stress peaks, or any combination of the two, it is this interaction that brings an item to the failure
point. This aspect of the failure process was summed up in a 1960
United Airlines report:*

The airplane as a whole, its basic structure, its systems, and the
various items in it are operated in an environment which causes
stresses to be imposed upon them. The magnitudes, the durations
and the frequencies with which specific stresses are imposed are
all very variable. In many cases, the real spectrum of environmentally produced stresses is not known. The ability to withstand
stress is also variable. It differs from piece to piece of new nominally identical equipment due to material differences, variations
in the manufacturing processes, etc. The ability to withstand stress
may also vary with the age of a piece of equipment.
It is implied that an instance of environmental stress that exceeds the failure resistance of an item at a particular time constitutes failure of that item at that time.

2.7 QUANTITATIVE DESCRIPTIONS OF FAILURE

failure rate
mean time between failures
probability of survival
probability density of failure
conditional probability of failure

Any unanticipated critical failure prompts an immediate response to
prevent repetitions. In other cases, however, it is necessary to know
how frequently an item is likely to fail in order to plan for reliable
operation. There are several common reliability indexes based on the
failure history of an item. Methods for deriving certain of these measures
are discussed in detail in Appendix C, but it is helpful at this point to
know what each measure actually represents.

*F. S. Nowlan, A Comparison of the Potential Effectiveness of Numerical Regulatory
Codes in the Fields of Overhaul Periodicity, Airplane Strength, and Airplane Performance, United Airlines Report POA-32, April 14, 1960. These remarks paraphrase a report
prepared by D. J. Davis of the Rand Corporation in 1950, which offered intensive analysis of
failure data. For an excellent detailed discussion of the physical processes present in the
failure mechanism, see Robert P. Haviland, Reliability and Long Life Design, Van Nostrand
Company, Inc., New York, 1964.

FAILURE RATE

The failure rate is the total number of failures divided by some measure
of operational exposure. In most cases the failure rate is expressed as
failures per 1,000 operating hours. Thus if six failures have occurred
over a period of 9,000 hours, the failure rate is ordinarily expressed as
0.667. Because measures other than operating hours are also used (flight
cycles, calendar time, etc.), it is important to know the units of measure
in comparing failure-rate data.
The failure rate is an especially valuable index for new equipment,
since it shows whether the failure experience of an item is representative of the state of the art. It is also useful in assessing the economic
desirability of product improvement. Early product-improvement decisions are based on the performance of units that have been exposed to
fairly short individual periods of time in service, and this performance
is adequately measured by the failure rate.

MEAN TIME BETWEEN FAILURES

The mean time between failures, another widely used reliability index,
is the reciprocal of the failure rate. Thus with six failures in 9,000 operating hours, the mean time between failures would be 9,000/6, or 1,500
hours. This measure has the same uses as the failure rate. Note that the
mean time between failures is not necessarily the same as the average
age at failure. In Exhibit 2.8, for example, the average age of the failed
engines was 861 hours, whereas the mean time between failures was
3,622 hours.*

PROBABILITY OF SURVIVAL

With more extended operating experience it becomes possible to determine the age-reliability characteristics of the item under study - the
relationship between its operating age and its probability of failure. At
this stage we can plot a survival curve, showing the probability of survival without failure as a function of operating age. This curve relates
directly to the generally accepted definition of reliability:
Reliability is the probability that an item will survive to a specified operating age, under specified operating conditions, without failure.

For this reason the survival curve is commonly referred to as the reliability function.

*For a further discussion of this distinction, see Appendix C.

Operating age since last shop visit (flight hours)

EXHIBIT 2.9 Survival curve for the Pratt & Whitney JT8D-7 engine
of the Boeing 737, based on 58,432 total operating hours from May 1
to July 31, 1974. The average life is computed by partitioning along
the vertical axis to form small incremental areas whose sum
approximates the area under the curve. With an age limit of 1,000
hours, only the shaded area enters into this computation, since no
engines can contribute to the survival curve beyond this limit,
despite the fact that they would have survived had they been left in
service. (United Airlines)

Exhibit 2.9 shows a typical survival curve for an aircraft turbine
engine. The curve represents the percentage of installed engines that
survived to the time shown on the horizontal axis, and this is usually
our best estimate of the probability that any individual engine will
survive to that time without failure.
A survival curve is more useful than a simple statement of the
failure rate, since it can be used to predict the percentage of units that
will survive to some given age. If the engines in Exhibit 2.9 were scheduled for removal at 1,000 hours, for example, 69 percent of them would
survive to that age limit, whereas 31 percent could be expected to fail
before then. The area under the survival curve can also be used to measure the average life of the item under consideration. If the probability
scale is divided into small increments, each of which is projected to
intersect the curve, the contribution of each of these incremental areas
can be calculated and added to determine the average life. Thus, the triangle at the top is the contribution of the first 10 percent of the units that
fail (90 percent survive beyond this age):

[(age at P = 1) + (age at P = .90)] × .10/2

The next incremental area represents the contribution to the average life
of the next 10 percent of the units that fail:

[(age at P = .90) + (age at P = .80)] × .10/2

and so on. Completion of this computation for the entire area under the
curve would show that, with no age limit, the average life expected for
each engine in service would be 1,811 hours.
Note, however, that an age limit of 1,000 hours removes all the surviving units from service at that age. In this case, therefore, the area
under the curve represents only the area up to that age limit. The probability of survival to 1,000 hours is .692, so the contribution of any surviving unit to the average life is only 1,000 hours × .692 = 692 hours.
This contribution, added to the incremental contributions above it for
the units that failed, yields an average realized life of 838 hours for failed
and unfailed engines. Any engines that would have survived to ages
higher than 1,000 hours, and thus have added to the average life, do not
count. The average lives that would be realized with other age limits
in this case are as follows:

age limit        average realized life
1,000 hours      838 hours
2,000 hours      1,393 hours
3,000 hours      1,685 hours
No limit         1,811 hours

PROBABILITY DENSITY OF FAILURE


The probability that an engine in Exhibit 2.9 will survive to 1,000 hours
is .692, and the probability that it will survive to 1,200 hours is .639. The
difference between these probabilities, .053, is the probability of a failure during this 200-hour interval. In other words, an average of 5.3 out
of every 100 engines that enter service can be expected to fail during
this particular interval. Similarly, an average of 5.0 engines can be expected
to fail during the interval from 1,200 to 1,400 hours. This measure
is called the probability density of failure.
Exhibit 2.10 shows the probability densities for each 200-hour
age interval, plotted from the probabilities of survival at each age. A
decreasing percentage of the engines will fail in each successive age
interval because a decreasing percentage of engines survives to enter
that interval.

EXHIBIT 2.10 Probability density of failure for the Pratt & Whitney
JT8D-7 engine of the Boeing 737. Density values are plotted at the
midpoint of each 200-hour interval and represent the probability that
a failure will occur during this interval. (United Airlines)

CONDITIONAL PROBABILITY OF FAILURE

The most useful measure of the age-reliability relationship is the probability that an item entering a given age interval will fail during that
interval. This measure is usually called the conditional probability of
failure - the probability of failure, given the condition that the item
enters that age interval. Sometimes it is also referred to as the hazard
rate or the local failure rate.* The conditional probability is related
to both the probability of survival and the probability density. For
example, an engine beginning at zero time has a probability of .692 of
reaching the age of 1,000 hours; once it has reached this age, the probability density of failure in the next 200-hour interval is .053. Each
engine that survives to 1,000 hours therefore has a conditional probability of failure between 1,000 and 1,200 hours of .053/.692, or .077. The
complete conditional-probability curve for this engine is shown in
Exhibit 2.11.

*In some literature these terms are defined in a narrower sense to mean the value obtained
by computing the limit of the ratio as the age interval goes to zero.

EXHIBIT 2.11 Conditional probability of failure for the Pratt &
Whitney JT8D-7 engine of the Boeing 737. Probability values are
plotted at the midpoint of each 200-hour interval and represent the
average probability that an engine that survives to enter the interval
will fail during this interval. (United Airlines)

If the conditional probability of failure increases with age, we say
that the item shows wearout characteristics and immediately wonder if
an age limit would be effective in reducing the overall failure rate. (Note
that the term wearout in this context describes the adverse effect of age
on reliability; it does not necessarily imply any evident physical change
in individual units.) With an age limit of 1,000 hours the average realized life of the engine in question is 838 hours. The probability that an
engine will survive to this age is .692, so the failure rate with this limit
would be the probability of failure (.308) divided by the average life,
or a rate of 0.37 failures per 1,000 hours.
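
The indexes defined in this section, together with the mean-time-between-failures figure from Exhibit 2.8, worked through in Python as an added example that is not part of the original text. The survival values at 1,000 and 1,200 hours are the ones quoted above; the values at 200 to 800 hours are constructed so that the table reproduces the 838-hour average realized life, and all function names are hypothetical.

```python
"""Reliability indexes of Section 2.7 computed from a survival table."""

# Probability of survival by operating age (hours since last shop visit).
# The 1,000-hour (.692) and 1,200-hour (.639) points are quoted in the text.
# The 200- to 800-hour points are CONSTRUCTED for this example (chosen to
# reproduce the text's 838-hour realized life and .075 conditional
# probability); they are not read from Exhibit 2.9.
SURVIVAL = {0: 1.000, 200: 0.930, 400: 0.865, 600: 0.801,
            800: 0.748, 1000: 0.692, 1200: 0.639}


def probability_density(curve, start, end):
    """Probability that a unit entering service fails between start and end."""
    return curve[start] - curve[end]


def conditional_probability(curve, start, end):
    """Probability of failure in the interval, given survival to its start."""
    if curve[start] <= 0:
        raise ValueError("no units survive to the start of the interval")
    return probability_density(curve, start, end) / curve[start]


def average_realized_life(curve, age_limit):
    """Area under the survival curve from age 0 to the age limit.

    The text partitions the area along the probability axis; summing
    trapezoids along the age axis measures the same area. Units that reach
    the limit are removed there, so nothing beyond it is counted.
    """
    ages = sorted(a for a in curve if a <= age_limit)
    if not ages or ages[0] != 0 or ages[-1] != age_limit:
        raise ValueError("table must start at age 0 and include the age limit")
    return sum((curve[a] + curve[b]) / 2 * (b - a)
               for a, b in zip(ages, ages[1:]))


def failure_rate_per_1000(curve, age_limit):
    """Failures per 1,000 hours when every survivor is removed at the limit."""
    p_fail = 1 - curve[age_limit]
    return 1000 * p_fail / average_realized_life(curve, age_limit)


def fleet_indexes(failed_hours_total, failed, survivors, window_hours):
    """Return (mean time between failures, average age at failure).

    Survivors contribute the full observation window to total operating
    time, which is why the two figures differ so widely in Exhibit 2.8.
    """
    if failed == 0:
        raise ValueError("no failures observed; both indexes are undefined")
    total_hours = failed_hours_total + survivors * window_hours
    return total_hours / failed, failed_hours_total / failed


if __name__ == "__main__":
    print("density 1,000-1,200 h:",
          round(probability_density(SURVIVAL, 1000, 1200), 3))
    print("conditional 1,000-1,200 h:",
          round(conditional_probability(SURVIVAL, 1000, 1200), 3))
    print("realized life, 1,000 h limit:",
          round(average_realized_life(SURVIVAL, 1000)))
    print("failure rate, 1,000 h limit:",
          round(failure_rate_per_1000(SURVIVAL, 1000), 2))
    print("Exhibit 2.8 MTBF and average failure age:",
          fleet_indexes(18076, 21, 29, 2000))
```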
Exhibit 2.12 shows this failure rate plotted as a function of various
age limits. If the age limit is raised from 1,000 hours to 2,000 hours, the
overall failure rate is 0.42, an increase of only 13.5 percent due to the
second thousand hours of operation. However, the conditional probability of failure in the 200-hour interval just before each of these age
limits goes up from .075 to .114, an increase of 52 percent. The rate of
increase in the failure rate falls off with age because it depends on the
conditional probability for each interval weighted by the probability of
survival to that interval-and there is a continual reduction in the survival probability.
What this means is that the effectiveness of an age limit in controlling failure rates depends not only on large increases in conditional
probability at higher ages, but also on a high probability of survival to
those ages. It follows that the desirability of an age limit on any item
cannot be investigated until there are sufficient operating data to construct survival and conditional-probability curves.

Operating age limit since last shop visit (flight hours)

EXHIBIT 2.12 Relationship between the failure rate and various age
limits for the Pratt & Whitney JT8D-7 engine of the Boeing 737.
(United Airlines)

2.8 AGE-RELIABILITY CHARACTERISTICS

the bathtub curve
age-reliability relationships of complex items
the "life" of a complex item

At one time it was believed that all equipment would show wearout
characteristics, and during the years when equipment overhaul times
were being rapidly extended, United Airlines developed numerous
conditional-probability curves for aircraft components to ensure that
the higher overhaul times were not reducing overall reliability. It was
found that the conditional-probability curves fell into the six basic
patterns shown in Exhibit 2.13. Pattern A is often referred to in reliability
literature as the bathtub curve. This type of curve has three identifiable
regions:

- An infant-mortality region, the period immediately after manufacture or overhaul in which there is a relatively high probability of
  failure
- A region of constant and relatively low failure probability
- A wearout region, in which the probability of failure begins to increase rapidly with age

If the failure pattern of an item does in fact fit this curve, we are
justified in concluding that the overall failure rate will be reduced if
some action is taken just before this item enters the wearout zone. In
these cases allowing the item to age well into the wearout region would
cause an appreciable increase in the failure rate. Note, however, that
such action will not have much effect on the overall rate unless there is
a high probability that the item will survive to the age at which wearout
appears.

Exhibit 2.13 (panel text):

11% might benefit from a limit on operating age

- The bathtub curve: infant mortality, followed first by a constant or
  gradually increasing failure probability and then by a pronounced
  "wearout" region. An age limit may be desirable, provided a large
  number of units survive to the age at which wearout begins.
- Constant or gradually increasing failure probability, followed by a
  pronounced wearout region. Once again, an age limit may be desirable
  (this curve is characteristic of aircraft reciprocating engines).
- Gradually increasing failure probability, but with no identifiable
  wearout age. It is usually not desirable to impose an age limit in such
  cases (this curve is characteristic of aircraft turbine engines).

89% cannot benefit from a limit on operating age

- Low failure probability when the item is new or just out of the shop,
  followed by a quick increase to a constant level.
- Constant probability of failure at all ages (exponential survival
  distribution).
- Infant mortality, followed by a constant or very slowly increasing
  failure probability (particularly applicable to electronic equipment).

The presence of a well-defined wearout region is far from universal; indeed, of the six curves in Exhibit 2.13, only A and B show
wearout characteristics. It happens, however, that these two curves are
associated with a great many single-celled or simple items- in the case
of aircraft, such items as tires, reciprocating-engine cylinders, brake
pads, turbine-engine compressor blades, and all parts of the airplane
structure.
The relative frequency of each type of conditional-probability curve
proved especially interesting. Some 89 percent of the items analyzed
had no wearout zone; therefore their performance could not be improved by the imposition of an age limit. In fact, after a certain age the
conditional probability of failure continued on at a constant rate (curves
D, E, and F). Another 5 percent had no well-defined wearout zone
(curve C) but did become steadily more likely to fail as age increased.
For a very few of these items an age limit might prove useful, provided
that it was cost-effective.
Only 6 percent of the items studied showed pronounced wearout
characteristics (curves A and B). Although an age limit would be applicable to these items, as we have seen, its effectiveness depends on a
high probability that the item will survive to that age. However, the
conditional-probability curves make it possible to identify those items
that might benefit from such a limit, and the question of effectiveness
can then be investigated. Although it is often assumed that the bathtub
curve is representative of most items, note that just 4 percent of the
items fell into this pattern (curve A). Moreover, most complex items had
conditional-probability curves represented by curves C to F - that is,
they showed no concentration of failures directly related to operating
age.
The basic difference between the failure patterns of complex and
simple items has important implications for maintenance. Usually the
conditional-probability curve for a complex item will show some infant
mortality; often the probability of failure right after installation is fairly
high. Usually, also, the conditional-probability curve shows no marked
point of increase with increasing age; the failure probability may
increase gradually or remain constant, but there is no age that can be
identified as the beginning of a wearout zone. For this reason, unless
there is a dominant failure mode, an age limit does little or nothing to
improve the overall reliability of a complex item. In fact, in many cases
scheduled overhaul actually increases the overall failure rate by
introducing a high infant-mortality rate in an otherwise stable system.
In contrast, single-celled and simple items frequently do show a
direct relationship between reliability and increasing age. This is
particularly true of parts subject to metal fatigue or mechanical wear and
items designed as consumables. In this case an age limit based on some
maximum operating age or number of stress cycles may be highly
effective in improving the overall reliability of a complex item. Such
limits in fact play a major role in controlling critical-failure modes, since
they can be imposed on the part or component in which a given type of
failure originates.
It is apparent from our discussion thus far that most statements
about the "life" of equipment tell us little about its age-reliability
characteristics. For example, the statement that an aircraft engine has a life
of 2,000 operating hours might mean any of the following:


No engines fail before reaching 2,000 hours.

No critical engine failures occur before 2,000 hours.

Half the engines fail before 2,000 hours.

The average age of failed engines is 2,000 hours.

The conditional probability of failure is constant below 2,000 hours.

Some part in the engine has a life limit of 2,000 hours.

The definition of reliability is the probability that an item will survive
a given operating period, under specified operating conditions, without
failure. In discussions of reliability, therefore, it is insufficient to state
an operating period alone as the "life" of an item. This statement has
no meaning unless a probability of survival is associated with it.
It should also be apparent by now why the failure rate plays a
relatively unimportant role in maintenance programs: it is too simple a
measure. Although the frequency of failures is useful in making cost
decisions and in establishing appropriate intervals for maintenance
tasks, it tells us nothing about what tasks are appropriate or the
consequences that dictate their objective. The effectiveness of a particular
maintenance solution can be evaluated only in terms of the safety or
economic consequences it is intended to prevent. By the same token, a
maintenance task must be applicable to the item in question in order
to have any effect at all. Hence we must now consider the possible forms
of preventive maintenance and see how an understanding of the failure
process and the age-reliability characteristics of an item permit us to
generate maintenance tasks on the basis of explicit criteria.

CHAPTER THREE

the four basic maintenance tasks

RCM programs consist of specific tasks selected on the basis of the
actual reliability characteristics of the equipment they are designed to
protect. All these tasks can be described in terms of four basic forms of
preventive maintenance, each of which is applicable under a unique
set of circumstances:

Scheduled inspection of an item at regular intervals to find any potential failures

Scheduled rework of an item at or before some specified age limit

Scheduled discard of an item (or one of its parts) at or before some specified life limit

Scheduled inspection of a hidden-function item to find any functional failures

The first three types of tasks are directed at preventing single failures
and the fourth at preventing multiple failures. Inspection tasks can
usually be performed without removing the item from its installed position, whereas rework and discard tasks generally require that the item
be removed from the equipment and sent to a major maintenance base.
The development of a scheduled-maintenance program consists of
determining which of these four tasks, if any, are both applicable and
effective for a given item. Applicability depends on the failure
characteristics of the item. Thus an inspection for potential failures can be
applicable only if the item has characteristics that make it possible to
define a potential-failure condition. Similarly, an age-limit task will be
applicable only if the failures at which the task is directed are related to
age. Effectiveness is a measure of the results of the task; the task
objective, however, depends on the failure consequences involved. A
proposed task might appear useful if it promises to reduce the overall
failure rate, but it could not be considered effective if the purpose in
applying it was to avoid functional failures altogether.
For inspection tasks the distinction between applicability and
effectiveness is usually obvious: the item either does or does not have
characteristics that make such a task applicable. For age-limit tasks,
however, the distinction is sometimes blurred by the intuitive belief
that the task is always applicable and therefore must also be effective.
In reality imposing an age limit on an item does not in itself guarantee
that its failure rate will be reduced. The issue in this case is not whether
the task can be done, but whether doing it will in fact improve reliability.

3.1 SCHEDULED ON-CONDITION TASKS


Scheduled inspections to detect potential failures are commonly termed
on-condition tasks, since they call for the removal or repair of individual
units of an item "on the condition" that they do not meet the required
standard. Such tasks are directed at specific failure modes and are based
on the feasibility of defining some identifiable physical evidence of a
reduced resistance to the type of failure in question. Each unit is
inspected at regular intervals and remains in service until its failure
resistance falls below a defined level - that is, until a potential failure is
discovered. Since on-condition tasks discriminate between units that
require corrective maintenance to forestall a functional failure and those
units that will probably survive to the next inspection, they permit all
units of the item to realize most of their useful lives.

detection of potential failures
applicability criteria

This type of task is applicable to tires, brakes, many parts of an
aircraft powerplant, and much of its structure. Many routine servicing
tasks, such as checking oil quantity and tire pressure, are on-condition
tasks. The applicability of an on-condition task depends to some extent
on both maintenance technology and the design of the equipment. For
example, borescope and radioisotope techniques have been developed
for inspecting turbine engines, but these techniques are of value chiefly
because the engines have been designed to facilitate their use.
If on-condition tasks were universally applicable, all failure
possibilities could be dealt with in this way. Unfortunately there are many
types of failures in which the failure mode is not clearly understood or
is unpredictable or gives insufficient warning for preventive measures
to be effective. There are three criteria that must be met for an
on-condition task to be applicable:

It must be possible to detect reduced failure resistance for a specific failure mode.

It must be possible to define a potential-failure condition that can be detected by an explicit task.

There must be a reasonably consistent age interval between the time of potential failure and the time of functional failure.

As an example, suppose a visible crack is used as a measure of
metal fatigue, as shown in Exhibit 3.1. Such an item is most failure
resistant when it is new (point A). The resistance drops steadily with
increasing age and is already somewhat reduced by the time a crack
appears (point B). Thereafter it is possible to monitor the growth of the
crack and define a potential-failure point C far enough in advance to
permit removal of the item before a functional failure occurs (point D).
Once a crack has appeared, the failure resistance drops more rapidly;
hence the rate of crack growth in this item must be known in order to
establish an inspection interval ΔT that will effectively control this
failure mode.
The data for the entire population of this item would define a range
of failure ages rather than one specific age. Hence both the defined
potential failure and the frequency of inspections depend on the
objective of the task. If a functional failure would have safety consequences,
then the objective is to prevent all such failures. In this case an
on-condition task may be applicable, but it would be considered effective
only if it minimized the likelihood of a critical failure. If the failure does
not involve safety, then effectiveness is measured in economic terms -
that is, the task is effective only if it is cost-effective. In the case of
operational consequences this means that the cost of finding and correcting
potential failures must be less than the combined cost of the operational
consequences plus the cost of repairing the failed units. It follows from
this that when an on-condition task is effective in reducing the failure
rate, and hence the frequency of operational consequences, it is usually
also cost-effective, since the cost of inspection is relatively low.

EXHIBIT 3.1 Determining the interval for on-condition inspection
of an item subject to metal fatigue. Once the rate of decline in failure
resistance has been determined, an inspection interval ΔT is established
that provides ample opportunity to detect a potential failure before a
functional failure can occur.

Exhibit 3.2 shows some typical on-condition tasks for an aircraft.
The first example concerns a specific failure mode of an aircraft engine
that has a set of 24 tie bolts between the fourth and fifth stages of its
turbine to hold an air seal in position (and a similar set of tie bolts
between the fifth and sixth stages). Failure of this set of tie bolts would
result in a loose air seal and cause major damage to the engine. Lowered
resistance to failure is evidenced by the failure of one or more individual
bolts. (Note that although this would be a functional failure of the tie
bolts, it is a potential failure from the standpoint of the engine.)
The second example concerns the nozzle guide vanes of the same
engine. These vanes are subject to burning by the hot exhaust gases of
the engine, and also to erosion by hard carbon particles from the
combustor. The required borescope inspection is a visual inspection to
determine how much damage has occurred on the airfoil and inner
platform of the vane. The definition of potential-failure conditions in this
case is quite complex; in practice the interval between inspections is
reduced as the condition deteriorates, until a point is reached at which
the engine must be removed from service.

1 LOW-PRESSURE TURBINE SECTION

Check for failed airseal tie bolts.

Note: Airseal tie bolts between fourth- and fifth-stage and sixth-stage
rotors (last three stages) are failing. These broken bolts are
trapped in the airseal between the rotors and cause a rattling sound
as they roll when the turbine is slowly rotated.

A Have fan rotated 180 degrees very slowly. Repeat 180-degree
rotation as often as necessary.

B Listen at tailcone for rattling sound caused by broken bolts
rolling around (do not confuse with clanking sound of blades).
Attempt to determine number of broken bolts by counting rattles.

C Failed-bolt limits.
Three or fewer broken bolts: engine may remain in service.
Four or more broken bolts: engine must be borescoped within
75 hours.

D Supply the following information:
(1) Plane number ___ Engine position ___ Engine time since last shop visit ___
(2) Number of broken bolts estimated from "listening" check ___

E Send DIS*P5106 message giving above information.

2 FIRST-STAGE NOZZLE GUIDE VANES

Borescope inspection (Boeing 747 JT9D powerplant).

A Perform initial borescope inspection of first-stage nozzle
guide vanes at 600 hours. Perform repeat inspections at
600, 200, 75, or 30 hours, depending on conditions found.

B Distress limits as given in MMIOV 72-00-99:
(1) Trailing-edge cracks: maximum of 5 cracks per vane extending
to window (slot) leading edge. If distress exceeds this limit,
remove engine; otherwise, repeat inspection in 600 hours.
(2) Trailing-edge erosion: If burning-surface burn-through does
not exceed 1/2 by 1/2 inch, repeat inspection in 600 hours; if
burn-through does not exceed 3/4 by 3/4 inch, repeat inspection
in 200 hours; if burn-through does not exceed 1 by 1 inch,
repeat inspection in 75 hours. If surface burn-through is up
to 5/8 inch from leading edge, repeat inspection in 30 hours.
Note: 30-hour limit is a maximum fly-back limit, to be used
one time only.

3 FIRE-DETECTOR INSTALLATIONS

Intensified inspection of installations, leads, and connections.

A Check for minimum clearance of 1/16 inch between sensing
elements and engine, as well as between various engine
components. Provide necessary clearance.

B Check for any signs of wear.

C Wear limits:
Acceptable: Flat spots not exceeding 0.035 inch in width;
any length acceptable.
Not acceptable: Flat spots exceeding 0.035 inch in width or worn
spot exposing inner conductor or composition material between
inner conductor and outer sensing-element shell.
Note: Nominal diameter is 0.070 inch.

4 BRAKE ASSEMBLY, MAIN LANDING GEAR

Check brake-lining wear at each assembly, using small scale.

A Set parking brakes.

B Measure wear-indicator pin extension at both indicator pins.

C Wear limits:
If either pin is less than 0.25 inch in length, replace brake
assembly.
Note: Replacement may be deferred, with approval from
SFOLM, provided wear-indicator pin measures longer than
13/64 inch. If wear-indicator pin length is 13/64 inch or less,
immediate replacement is required.

5 PNEUMATIC DRIVE UNITS, LEADING-EDGE FLAP

Check oil level and service as required.

Note: Drive units are numbered from outboard to inboard, 1 to 4,
left and right wing.

A Check oil level in proper sight glass. If oil level is visible in
sight glass, no service is required.

B If oil is not visible, slowly add oil (OIL2380) through fill port
until sight glass is filled. Use 53769 oil dispenser.

C Allow excess oil to drain out before installing fill plug.


In the third example the potential failure may be either lack of
adequate clearance or visible wear on fire-detector sensing elements
and leads. The fourth and fifth examples involve less judgment in the
inspection process. Exact limits are given for the brake wear-indicator
pin in the first case and oil level in the pneumatic unit in the second
case. Both require a clearcut response on the part of the inspecting
mechanic.
Whenever an on-condition task is applicable, it is the most
desirable type of preventive maintenance. Not only does it avoid the
premature removal of units that are still in satisfactory condition, but the
cost of correcting potential failures is often far less than the cost of
correcting functional failures, especially those that cause extensive
secondary damage. For this reason on-condition inspection tasks are steadily
replacing older practices for the maintenance of airline equipment.

3.2 SCHEDULED REWORK TASKS

applicability criteria
effectiveness criteria
effect of an age limit on
maintenance workload


Many single-celled and simple items display wearout characteristics -
that is, the probability of their failure becomes significantly greater
after a certain operating age. When an item does have an identifiable
wearout age, its overall failure rate can sometimes be reduced by
imposing a hard-time limit on all units to prevent operation at the ages
of higher failure frequency. If the item is such that its original failure
resistance can be restored by rework or remanufacture, the necessary
rework task may be scheduled at appropriate intervals.* For example,
the airplane tire in Exhibit 2.4 could have been scheduled for rework
after a specified number of landings, since retreading restores the
original failure resistance. However, this would have resulted in the
retreading of all tires at the specified age limit, whether they needed it
or not, and would not have prevented functional failures in those tires
that failed earlier than anticipated.
Where no potential-failure condition can be defined, on-condition
inspection of individual units is not feasible. In such cases a rework
task may be applicable, either for a simple item or to control a specific
failure mode in a complex item. Although the age limit will be wasteful
for some units and ineffective for others, the net effect on the entire
population of that item will be favorable. This is not the case, however,
for complete rework of a complex item. As we saw in Chapter 2, failures
in complex items are the result of many different failure modes, each of
which may occur at a different average age. Consequently the overall
failure rate of such items remains relatively constant; in some cases
reliability decreases gradually with age, but there is no particular age
that can be identified as a wearout zone. Thus, unless there is a
dominant failure mode which is eliminated in the course of rework, complete
rework of a complex item will have little or no effect on the overall
failure rate.

*The term overhaul has the connotation that the unit is completely
disassembled and remanufactured part by part to restore it as nearly as
possible to a "like-new" physical condition. Rework refers to a set of
maintenance operations considered sufficient to restore the unit's original
resistance to failure. Thus rework for specific items may range
from replacement of a single part to complete remanufacture.

A rework task can be considered applicable to an item only if the
following criteria are met:

There must be an identifiable age at which the item shows a rapid increase in the conditional probability of failure.

A large proportion of the units must survive to that age.

It must be possible to restore the original failure resistance of the item by reworking it.

Because the information required to develop survival and
conditional-probability curves for an item is not available when equipment first
goes into service, scheduled rework tasks rarely appear in a
prior-to-service maintenance program (only seven components were assigned to
scheduled rework in the initial program developed for the Douglas
DC-10). Often, however, those items subject to very expensive failures
are put into an age-exploration program to find out as soon as possible
whether they would benefit from scheduled rework.
Even when scheduled rework is applicable to an item, very often it
does not meet the conditions for effectiveness. A reduction in the number of expected failures, for example, would not be sufficient in the case
of safety consequences, and in the case of economic consequences the
task must be cost-effective. Moreover, since an age limit lowers the
average realized age of an item, it always increases the total number of
units sent to the shop for rework.
As an example, consider the effect scheduled rework would have
on the turbine engine discussed in Section 2.7. With no age limit, the
failure rate of these engines is 0.552 failures per 1,000 hours. Thus over
an operating period of 1 million hours an average of 552.2 failed units
(1,000,000/1,811) are sent to the shop for repair (see Exhibit 3.3). A
rework age limit of 2,000 hours will reduce the failure rate to 0.416;
however, it will also reduce the average realized age from 1,811 hours to
1,393 hours. Since 42 percent of the units survive to 2,000 hours, over
the same operating period an average of 717.9 units would be sent to the
shop - the 416.3 units that failed plus the additional 301.6 scheduled
removals. In other words, there would be about 135 fewer failures, but
166 more engines that required rework. On this basis scheduled rework
at 2,000-hour intervals would not be cost-effective unless the rework
cost for scheduled removals were substantially lower than the cost of
repairing failures (in this case the rework cost would have to be less
than 135.9/301.6, or 45.1 percent, of the repair cost).

[EXHIBIT 3.3, table. Columns: age limit (hours); failure rate (per 1,000
hours); percentage of units surviving to age limit; average realized
engine age (hours). Rows: 1,000; 2,000; 3,000; None. Legible failure
rates: 0.4163 at 2,000 hours and 0.5522 with no age limit.]

Of course, the direct cost of rework is not the only economic factor
to be taken into account. If the failure is one that has operational consequences, the reduction in the number of failures may more than offset
the additional cost of rework. Determining the economic desirability of
a proposed rework age limit will be discussed in greater detail in the
next chapter. In general, however, the effect of at least four possible
rework intervals must be analyzed before an optimum limit can be
determined - if indeed one does exist. In most cases a rework task will
not prove cost-effective unless the item has an unusually expensive
failure mode or the cost of a functional failure includes economic losses
other than the direct cost of repair.
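
The workload arithmetic of the turbine-engine example, written out as an added example (not from the book) and extended to derive the same quantities from a survival curve for several candidate age limits. The class and function names and the two survival curves are assumptions made for illustration; the 1,811-hour, 1,393-hour and 0.4163 figures are the ones quoted in the text.

```python
import math
from dataclasses import dataclass

HOURS = 1_000_000  # operating period used in the text's example


@dataclass(frozen=True)
class AgeLimitPolicy:
    """One row of an age-limit comparison (field names are this example's own)."""
    failure_rate_per_1000h: float
    mean_realized_age: float  # average hours a unit runs before it is removed

    @classmethod
    def no_limit(cls, mean_age_at_failure):
        # With no age limit every removal is a failure, so rate = 1 / mean age.
        return cls(1000.0 / mean_age_at_failure, mean_age_at_failure)

    @property
    def removals(self):
        """Units reaching the shop per HOURS of operation, failed or scheduled."""
        return HOURS / self.mean_realized_age

    @property
    def failures(self):
        return self.failure_rate_per_1000h * HOURS / 1000.0

    @property
    def scheduled_removals(self):
        return max(0.0, self.removals - self.failures)

    @property
    def survival_to_limit(self):
        return self.scheduled_removals / self.removals


def breakeven_rework_cost_ratio(baseline, limited):
    """Highest rework cost, as a fraction of failure-repair cost, at which the
    age limit still pays for itself on direct shop cost alone."""
    avoided = baseline.failures - limited.failures
    if avoided <= 0 or limited.scheduled_removals == 0:
        return 0.0  # the limit prevents no failures, so it can never pay
    return avoided / limited.scheduled_removals


def policy_from_survival_curve(survival, age_limit, steps=2000):
    """Derive a policy from a survival function S(t) by trapezoidal integration.

    Mean realized age is the area under S(t) from 0 to the limit; the failure
    rate is the fraction failing before the limit divided by that area.
    """
    dt = age_limit / steps
    area = sum((survival(i * dt) + survival((i + 1) * dt)) / 2.0 * dt
               for i in range(steps))
    return AgeLimitPolicy(1000.0 * (1.0 - survival(age_limit)) / area, area)


# Figures quoted in the text for the turbine engine.
NO_LIMIT = AgeLimitPolicy.no_limit(1811.0)
LIMIT_2000 = AgeLimitPolicy(0.4163, 1393.0)


# Constructed survival curves (assumptions, not data from the book).
def exponential(t):
    """Constant conditional probability of failure, 2,000-hour mean."""
    return math.exp(-t / 2000.0)


def wearout(t):
    """Weibull with shape 3: failures concentrate at higher ages."""
    return math.exp(-((t / 2000.0) ** 3))


if __name__ == "__main__":
    print(f"2,000-h limit: {LIMIT_2000.removals:.1f} removals, "
          f"{LIMIT_2000.failures:.1f} failures, "
          f"{LIMIT_2000.scheduled_removals:.1f} scheduled")
    ratio = breakeven_rework_cost_ratio(NO_LIMIT, LIMIT_2000)
    print(f"break-even rework cost: {ratio:.1%} of repair cost")
    for name, curve in (("exponential", exponential), ("wearout", wearout)):
        for limit in (1000, 2000, 3000, 4000):
            p = policy_from_survival_curve(curve, limit)
            print(f"{name:12s} limit {limit:5d} h: "
                  f"{p.failure_rate_per_1000h:.4f} failures/1,000 h, "
                  f"{p.removals:.0f} removals")
```

On the exponential curve every age limit leaves the failure rate unchanged and only adds scheduled removals, which is the behavior the chapter attributes to items with no wearout zone.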

3.3 SCHEDULED DISCARD TASKS


The scheduled rework of items at a specified age limit is one type of
hard-time task; the other is scheduled discard of items or certain of their
parts at some specified operating age. Such tasks are frequently termed
life-limit tasks. Life limits may be established to avoid critical failures,
in which case they are called safe-life limits, or they may be established
because they are cost-effective in preventing noncritical failures, in
which case they are called economic-life limits.
SAFE-LIFE LIMITS


A safe-life limit is imposed on an item only when safety is involved and
there is no observable condition that can be defined as a potential
failure. In this case the item is removed at or before the specified maximum
age and is either discarded or disassembled for discard of a time-expired
part. This practice is most useful for simple items or individual parts of
complex items, such as pyrotechnic devices in ejection seats, which have
a limited shelf life, and turbine-engine disks or nonredundant structural
members, which are subject to metal fatigue.
The safe-life limit itself is usually established by the equipment
manufacturer on the basis of developmental testing. A component
whose failure would be critical is designed to begin with to have a very
long life. It is then tested in a simulated operating environment to
determine what average life has actually been achieved, and a conservatively
safe fraction of this average life is used as the safe-life limit.
Safe-life items are nearly always single-celled parts, and their ages
at failure are grouped fairly closely about the average. However, the
correlation between a test environment and the actual operating
environment is never perfect. Moreover, because testing a long-lived part to
failure is both time-consuming and expensive, the volume of test data
is often too small to permit us to draw a survival curve with much
confidence. For this reason safe-life limits are usually established by dividing
the average failure age by a large arbitrary factor - sometimes a factor
as large as 3 or 4. The implication is that the conditional probability of
failure at this limit is essentially zero; that is, a safe-life limit is based on
a 100 percent probability of survival to that age. The difference between
a safe-life limit and the average age at failure is illustrated in Exhibit 3.4.
A safe-life discard task is applicable only under the following
circumstances:

The item must be subject to a critical failure.

Test data must show that no failures are expected to occur below
the specified life limit.


EXHIBIT 3.4 Comparison of the average age at failure (average life)
determined from operating data and a safe-life limit determined on the
basis of test data.

Since the function of a safe-life limit is to avoid the occurrence of
a critical failure, the resulting discard task is effective only if it
accomplishes this objective. Thus the only information for assessing
effectiveness in this case will be the manufacturer's test data. Sometimes these
tests have not been completed at the time the initial program is
developed, but until a limit can be established, the available test data must
show that the anticipated in-service aging of the item will be safe. An
operating organization rarely has the facilities for further simulation
testing that might justify increasing a safe-life limit, nor is there usually
a reasonable basis for reducing it, unless failures occur.
ECONOMIC-LIFE LIMITS


In some instances extensive operating experience may indicate that
scheduled discard of an item is desirable on purely economic grounds.
An economic-life limit, however, is established in the same manner as
an age limit for scheduled rework; that is, it is based on the actual
age-reliability relationship of the item, rather than on some fraction of
the average age at failure. Whereas the objective of a safe-life limit is
to avoid accumulating any failure data, the only justification for an
economic-life limit is cost effectiveness. Thus the failure rate must be
known in order to predict how the total number of scheduled removals
at various age limits would affect the cost-benefit ratio.
In general, an economic-life task requires the following three
conditions:

The item must be subject to a failure that has major economic (but
not safety) consequences.

There must be an identifiable age at which the item shows a rapid
increase in the conditional probability of failure.

A large proportion of the units must survive to that age.

Although an item that meets the first criterion may be put into an
age-exploration program to find out if a life limit is applicable, there are
rarely sufficient grounds for including this type of discard task in an
initial scheduled-maintenance program.

3.4 SCHEDULED FAILURE-FINDING TASKS


Whenever an item is subject to a functional failure that would not be
evident to the operating crew, a scheduled task is necessary to protect
the availability of that function. Although hidden-function failures,
by definition, have no immediate consequences, failures that are
undetected increase the exposure to a possible multiple failure. Hence,
if no other type of maintenance task is applicable and effective,
hidden-function items are assigned failure-finding tasks, scheduled inspections
for hidden failures. Although such tasks are intended to locate
functional failures rather than potential failures, they can be viewed as a
type of on-condition maintenance, since the failure of a hidden-function
item can also be viewed as a potential multiple failure. The chief
difference is in the level of item considered; a functional failure of one item
may be only a potential failure for the equipment as a whole.
Most items supported by failure-finding inspections remain in
service until a functional failure is discovered. Some items, however,
have several functions, of which only one or a few are hidden. Such
items will be removed from service to correct evident failures, and if
the removal rate is sufficient to ensure adequate availability of the
hidden function, the shop specifications may include a failure-finding
inspection at that time. Other items may not require scheduled
failure-finding tasks because the operating crew is required to check them
periodically. Many hidden functions, especially in systems, are made
evident by the addition of instrumentation, so that a separate
inspection for hidden failures is unnecessary.

applicability criteria

A scheduled failure-finding task is applicable to an item under the
following two conditions. Note that the second criterion is in fact a
default condition:

The item must be subject to a functional failure that is not evident
to the operating crew during the performance of normal duties.

The item must be one for which no other type of task is applicable
and effective.

The objective of a failure-finding task is to ensure adequate availability
of a hidden function. The level of availability that is needed, however,
depends on the nature of the function and the consequences of a
possible multiple failure. Some hidden functions, such as the fire-warning
system in an aircraft powerplant, are sufficiently important that they
are tested before every flight.
Appropriate intervals for failure-finding tasks cannot be
determined as exactly as those for other types of tasks. In the case of
emergency equipment hidden-function items which are replaced at specified
intervals, such as pyrotechnic devices, are tested prior to rework or
discard to see if they would have functioned had they been needed.
The test results at any given interval provide a basis for increasing or
decreasing the interval. In other cases the expected availability of a
hidden function can be approximated by assuming that the age-reliability
relationship is exponential,* assigning a conservatively high failure
rate, and then determining the probability of survival across a given
inspection interval.
As an example, suppose some hidden function has an anticipated
failure rate of 0.5 per 1,000 hours. The mean time between failures is
then 2,000 hours. If the proposed inspection interval is 500 hours, a
unit that is serviceable at one inspection will have aged 500 hours by
the next inspection. The probability that it will survive this 500-hour
interval (one-fourth of the mean time between failures) is .78 on an
exponential curve (Exhibit 3.5). The average availability would thus be

or a probability of .89 that the item will function if it is needed. If this
degree of reliability is inadequate, the inspection interval must be
reduced. Failure-finding tasks are always effective if the inspection
interval is short enough.
*If the conditional probability of failure is nonincreasing, this is a conservative assumption.

EXHIBIT 3.5 Establishing the interval for a failure-finding inspection.
The age-reliability relationship of an item is assumed, in the absence
of information, to be exponential over operating age. Thus at an
inspection interval equal to one-fourth of the mean time between
failures, the probability that the item will survive that interval is .78.
This is true of the interval between any two inspections, regardless
of the age of the item. On the basis of this inspection interval, the
average availability of the unit would be 89 percent. An interval that
represented a smaller fraction of the expected mean time between
failures would yield higher average availability.
[Graph not reproduced. Horizontal axis: ratio of interval to mean time between failures.]

To be considered effective a failure-finding task must ensure the
required level of availability. However, this task must also be cost-effective
with respect to the three other types of maintenance tasks - that
is, it must be the least expensive means of ensuring the necessary level
of availability. When a possible multiple failure is not related to safety,
an availability goal of 95 percent is often used. Alternatively, the economic consequences of the multiple failure can be balanced against the
costs of inspection to determine the most cost-effective interval and
availability level.
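The availability arithmetic described above, worked as an added Python example (not from the book; the function names are illustrative). It assumes that the .89 figure is the straight-line average of availability just after an inspection (1.0) and just before the next (.78), compares that with the exact time average of the exponential curve, and solves for the longest interval that meets the 95 percent goal.

```python
"""Availability of a hidden function under periodic failure-finding inspection.

Uses the exponential age-reliability assumption described in the text.
All function names are illustrative and do not come from the book.
"""
import math


def mtbf_from_rate(failures, per_hours):
    """Mean time between failures for a rate such as 0.5 per 1,000 hours."""
    if failures <= 0 or per_hours <= 0:
        raise ValueError("failure rate must be positive")
    return per_hours / failures


def survival_probability(interval, mtbf):
    """Probability that a unit serviceable at one inspection survives to the next."""
    if mtbf <= 0 or interval < 0:
        raise ValueError("need mtbf > 0 and interval >= 0")
    return math.exp(-interval / mtbf)


def availability_endpoint_average(interval, mtbf):
    """Mean of availability just after inspection (1.0) and just before the next.

    Assumption: this straight-line average is used because it reproduces the
    .89 quoted in the text for a 500-hour interval and a 2,000-hour MTBF.
    """
    return (1.0 + survival_probability(interval, mtbf)) / 2.0


def availability_time_average(interval, mtbf):
    """Exact mean of exp(-t/mtbf) over one inspection interval."""
    if mtbf <= 0 or interval < 0:
        raise ValueError("need mtbf > 0 and interval >= 0")
    x = interval / mtbf
    if x == 0:
        return 1.0
    return -math.expm1(-x) / x  # (1 - e^-x) / x without cancellation error


def longest_interval_for_goal(goal, mtbf, availability=availability_time_average):
    """Longest inspection interval whose average availability still meets goal."""
    if not 0.5 < goal < 1.0:
        raise ValueError("goal must lie strictly between 0.5 and 1.0")
    lo, hi = 0.0, float(mtbf)
    for _ in range(64):  # widen the bracket until the goal is missed at hi
        if availability(hi, mtbf) < goal:
            break
        hi *= 2.0
    else:
        raise ValueError("goal cannot be bracketed")
    for _ in range(200):  # bisection: availability falls as the interval grows
        mid = (lo + hi) / 2.0
        if availability(mid, mtbf) >= goal:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    mtbf = mtbf_from_rate(0.5, 1000)  # the text's example: 2,000 hours
    print("MTBF (hours):", mtbf)
    print("survival over 500 h:", round(survival_probability(500, mtbf), 2))
    print("endpoint-average availability:",
          round(availability_endpoint_average(500, mtbf), 2))
    print("exact time-average availability:",
          round(availability_time_average(500, mtbf), 3))
    for name, fn in (("endpoint average", availability_endpoint_average),
                     ("exact time average", availability_time_average)):
        hours = longest_interval_for_goal(0.95, mtbf, fn)
        print(f"longest interval for 95 percent ({name}): {hours:.0f} h")
```

The straight-line average slightly overstates availability compared with the exact time average, so an interval sized against the exact value is the more conservative of the two.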
Exhibit 3.6 shows some typical failure-finding tasks for a commercial aircraft. In each case the scheduled task is designed to identify a
functional failure. In the second example the failure might or might not
be evident to the operating crew, depending on whether a complaint
was received from a passenger.


EXHIBIT 3.6 Examples of failure-finding inspection tasks.

SMOKE GOGGLES

Replace missing or damaged goggles (not repairable) as required by the following conditions:

A Plastic-foam face seal not adhering to goggle rim
B Lens not retained within goggle groove
C Dirt or scratches on lens
D Any other detrimental condition

READING LIGHTS, PASSENGER-SERVICE SYSTEM

Test lights in zones A to E.

A At positions 1, 2, 3, and 4 on right attendant's panel, position switches as follows:
  PES-OFF, PSS-OFF, CH OFF, ATTND CALL-TEST (to illuminate blue)
B For zone being checked, rotate reading-light switch to ON position:
  (1) All reading lights in that zone should illuminate.
  (2) Master call light should not blink.
C Rotate reading-light switch to OFF position:
  (1) All reading lights in that zone should not be illuminated.
  (2) Master call light should not blink.
D Rotate reading-light switch to SEAT position:
  All reading lights in that zone should return to individual seat CTL selector.

A Turn on beacon, navigation, and wing-illumination lights, and at night turn on logo lights.
B Walk around exterior of aircraft and check lights.
C Turn off lights.


3.5 CHARACTERISTICS OF THE BASIC TASKS


The four types of scheduled-maintenance tasks employed in an RCM
program differ both in terminology and in concept from traditional approaches to scheduled maintenance. In the airline industry, for example,
it is customary to refer to three "primary maintenance processes": on-condition,
hard time, and condition monitoring. All scheduled tasks are
considered to be either on-condition or hard-time. On-condition tasks
are defined by FAA regulations as:


. . . restricted to components on which a determination of continued airworthiness may be made by visual inspection, measurement, tests, or other means without a teardown inspection or
overhaul. These "On-Condition" checks are to be performed within
the time limitations prescribed for the inspection or check.
Although the term hard time is not specifically defined, it is implied
by a number of FAA requirements. Airline maintenance specifications
must include "time limitations, or standards for determining time limitations, for overhauls, inspections and checks of airframes, engines,
propellers, appliances, and emergency equipment," and the basic principle for establishing these time limitations is:

. . . that the inspections, checks, maintenance or overhaul be performed at times well within the expected or proven service life of
each component of the aircraft.
EXHIBIT 3.7 Comparison of RCM task terminology and current regulatory usage.

RCM terminology                          Current regulatory usage

Inspection tasks:
  On-condition tasks (to detect          On-condition process
  potential failures)
  Failure-finding tasks (to detect       Condition-monitoring process
  hidden function failures)              (inspection of hidden-function

Removal tasks:                           Hard-time process:
  Scheduled rework                         Scheduled overhaul
  Scheduled discard                        Life limit

Servicing tasks                          Servicing

No scheduled maintenance                 Condition-monitoring process
                                         (no scheduled tasks)


The process termed condition monitoring is one that is characterized
by the absence of preventive-maintenance tasks. An item is said to be
maintained by condition monitoring if it is permitted to remain in service without preventive maintenance until a functional failure occurs.
However, since condition monitoring is oriented to after-the-fact detection of failures, this designation may refer in some instances to failure-finding
tasks assigned to hidden-function items and in other instances
to items assigned to no scheduled maintenance.
Despite the overlap in terminology, there are certain fundamental
differences in concept between the tasks performed under traditional
maintenance policies and the explicit task definitions required by an
RCM program. The hard-time approach was based on the assumption
that complex items do have an "expected or proven service life" - that
is, that their overall reliability invariably decreases with age. On this
premise overhaul specifications usually required that all units which
had survived to the specified time limit be disassembled down to their
smallest constituent parts and inspected in detail for signs of deterioration. Technical experts examined each part and formed opinions about
whether a given component could have continued to operate satisfactorily to a projected new overhaul interval; in other words, they made
judgments about the age at which the item was likely to fail.
These teardown inspections might at first appear to qualify as on-condition
inspections. However, such inspections were rarely focused
on the specific conditions required by an on-condition task. Unfortunately it is usually beyond human capability to look at a used part
and determine what its likelihood of failure will be at some later age.
As a result, the initial overhaul intervals for new equipment were short
and were extended only by very small increments. At one point, in fact,
the FAA limited extensions of the interval for engine overhauls to a
maximum of 100 hours and required a period of at least three months
between successive extensions.
Note that the traditional type of scheduled overhaul also fails to
satisfy the criteria for a rework task. Shop specifications calling for the
part-by-part remanufacture of complex items to restore them to "like-new"
condition were intended to avoid operation in the age period at
which failures were expected to be more likely. As we have seen, however, this expectation does not hold for most complex items. Consequently
we cannot expect periodic overhaul at any operating age to
make a noticeable difference in their reliability. Furthermore, even
when a complex item does meet the applicability criteria for a rework
task, it is difficult to satisfy the conditions for effectiveness. For this
reason complete rework of items such as turbine engines is now relatively rare, and many organizations have abandoned rework of other
rotating machinery, which was once considered a prime candidate for
scheduled overhaul.

THE BASIS OF TASK PREFERENCE

The applicability of any maintenance task depends on the failure characteristics of the item. However, the characteristics of the tasks themselves suggest a strong order of preference on the basis of their overall
effectiveness as preventive measures. The first choice is always an on-condition
inspection, particularly if it can be performed without removing the item from the equipment. This type of preventive maintenance
has a number of advantages. Because on-condition tasks identify individual units at the potential-failure stage, they are particularly effective
in preventing specific modes of failure. Hence they reduce the likelihood both of critical failures and of the operational consequences that
would otherwise result from that failure mode. For the same reason,
they also reduce the average cost of repair by avoiding the expensive
secondary damage that might be caused by a functional failure.
The fact that on-condition tasks identify individual units at the
point of potential failure means that each unit realizes almost all of its
useful life. Since the number of removals for potential failures is only
slightly larger than the number that would result from functional failures, both the repair costs and the number of spare units necessary to
support the repair process are kept to a minimum. The scheduling of
on-condition inspections at a time when the equipment is out of service
concentrates the discovery of potential failures at the maintenance stations that perform the inspections. This fact, together with the lower
probability of functional failures, further reduces the inventory of spare
units that would otherwise have to be kept available at each line station.
If no applicable and effective on-condition task can be found, the
next choice is a scheduled rework task. Scheduled rework of single parts
or components leads to a marked reduction in the overall failure rate of
items that have a dominant failure mode (the failures resulting from
this mode would be concentrated about an average age). This type of
task may be cost-effective if the failures have major economic consequences. As with on-condition inspections, the scheduled removals
can be concentrated at a few maintenance stations, thus reducing the
exposure of all line stations to the need to remove units after they have
failed. A rework age limit usually includes no restriction on the remanufacture and reuse of time-expired units; hence material costs are lower
than they would be if the entire unit had to be discarded.
Any scheduled rework task, however, has certain disadvantages.
Because the age limit applies to all units of an item, many serviceable
units will be removed that would otherwise have survived to higher
ages. Moreover, as we saw in Section 3.2, the total number of removals
will consist of failed units plus scheduled removals. Hence the total
workload for this task is substantially greater than it would be with on-condition
inspection, and a correspondingly larger number of spare
units is needed to support the shop process.

Scheduled discard is economically the least desirable of the three
directly preventive tasks, although it does have a few desirable features.
A safe-life limit on simple components can prevent critical failures
caused by certain failure modes. Similarly, an economic-life limit can
reduce the frequency of functional failures that have major economic
consequences. However, a discard task is in itself quite costly. The average life realized by an item subject to a safe-life limit is only a fraction
of its potentially useful life, and the average life of an item subject to
an economic-life limit is much less than the useful life of many individual
units. In addition, a discard task involves the cost of replacement; new items or parts must be purchased to replace the time-expired
units, since a life limit usually does not permit remanufacture and reuse.
Hidden-function failures have no immediate consequences; hence
our interest is in the least expensive means of ensuring the necessary
level of availability for the item. When none of the other three tasks
is applicable, the default action for hidden-function items is a failure-finding
task. Otherwise, the choice of task is determined by cost
effectiveness.

EXHIBIT 3.8 Comparison of various characteristics of the four basic
scheduled-maintenance tasks.

Applicability criteria
  On-condition task: Reduced resistance to failure must be detectable; rate of reduction in
    failure resistance must be predictable.
  Scheduled rework task: Conditional probability of failure must increase at an identifiable
    age; a large proportion of the units must survive to that age.
  Scheduled discard task: For safe-life items conditional probability of failure must be zero
    below life limit; for economic-life items conditional probability of failure must increase
    at an identifiable age and a large proportion of units must survive to that age.
  Failure-finding task: The occurrence of a functional failure must not be evident to the
    operating crew.

Effectiveness criteria
  On-condition task: For critical failures the task must reduce the risk of failure to an
    acceptable level; in all other cases the task must be cost-effective.
  Scheduled rework task: For critical failures the task must reduce the risk of failure to an
    acceptable level (a rework task alone is unlikely to meet this requirement); in all other
    cases the task must be cost-effective.
  Scheduled discard task: A safe-life limit must reduce the risk of failure to an acceptable
    level; an economic-life limit must be cost-effective.
  Failure-finding task: The task must result in the level of availability necessary to reduce
    the risk of a multiple failure to an acceptable level.

Usual availability of required information
  On-condition task: Applicability prior to service; effectiveness after age exploration.
  Scheduled rework task: Applicability after age exploration; effectiveness after age
    exploration.
  Scheduled discard task: Safe-life applicability and effectiveness prior to service;
    economic-life applicability and effectiveness after age exploration.
  Failure-finding task: Applicability prior to service; effectiveness after age exploration.

Effect on occurrence of functional failures
  On-condition task: Failures due to specific failure mode eliminated or greatly reduced in
    frequency.
  Scheduled rework task: Frequency of failures somewhat less than with no scheduled
    maintenance.
  Scheduled discard task: Failures due to specific failure mode eliminated (safe-life limit)
    or reduced in frequency (economic-life limit).
  Failure-finding task: No effect on item inspected, but frequency of multiple failures
    greatly reduced.

Distribution of removals
  On-condition task: Removals for potential failures concentrated at few stations where
    inspections are performed; removals for functional failures at any station.
  Scheduled rework task: Scheduled removals concentrated at a very few stations; removals for
    functional failures at any station.
  Scheduled discard task: Scheduled removals concentrated at a very few stations; removals
    for functional failures (economic-life limit) at any station.
  Failure-finding task: Removals concentrated at stations where inspections are performed;
    no removals at other stations.

Effect on shop volume
  On-condition task: Slightly greater than with no scheduled maintenance.
  Scheduled rework task: Much greater than with on-condition or no scheduled maintenance.
  Scheduled discard task: Not applicable.
  Failure-finding task: Minimal.

ITEMS THAT CANNOT BENEFIT FROM SCHEDULED MAINTENANCE

In the process of evaluating proposed maintenance tasks for an item
there will be a number of instances in which no applicable task can be
found - that is, items for which there is no evidence that a particular
task will improve reliability. There will be far more instances, however,
in which an applicable task does not satisfy the conditions for effectiveness. This may be because the failure has such minor consequences that
the task is not cost-effective or because it has such major consequences
that the task does not reduce the risk of failure to the required level. If
safety consequences are involved, the objective of any task is to minimize the probability of a failure, and in this case all applicable tasks are
assigned as preventive maintenance. Since most essential functions in
well-designed equipment are protected by redundancy, the safety hazard is usually the possible secondary damage. However, the number of
failure modes in which this is a factor is relatively small.
When an item cannot benefit from scheduled maintenance, in some
cases product improvement may be necessary before the equipment
goes into service. More often the chore of determining what preventive
maintenance might accomplish for each item helps to clarify specific
modifications that would improve reliability in subsequent designs.
Where safety consequences are not involved, any applicable task
must be cost-effective, and this condition is usually difficult to satisfy
unless the failure has operational consequences. Once again, the design
often employs redundancy to limit the number of items subject to such
failures. As a result, there are tens of thousands of items on complex
equipment for which scheduled maintenance provides no advantage.
Since such items cannot benefit from preventive maintenance, they are
left in operation until a functional failure occurs. This strategy permits
each unit to realize its maximum useful life.
Items that cannot benefit from scheduled maintenance are characterized by two properties:

Such items have no hidden functions; hence a failure is evident to
the operating crew and will therefore be reported and corrected.

The failure is one that has no direct adverse effect on operating
safety.


A further characteristic of such items is that many of them are complex.
One reason for this is that when there is no evidence that a proposed
task will actually improve the reliability of a complex item, there is
always the possibility that it will introduce new problems, either by
upsetting a stable state or, in some cases, by introducing workmanship
problems. Thus where a complex system cannot be protected by on-condition
inspections, from a purely practical standpoint the default
action would be no scheduled maintenance. This is usually the case,
for example, with electrical and electronic systems.

3.6 THE DIMENSIONS OF A SCHEDULED-MAINTENANCE PROGRAM


THE ROLE OF THE BASIC TASKS


The maintenance activities required to support any type of complex
equipment include routine servicing, periodic inspections, and the performance of any corrective maintenance necessary when a condition is
found to be unsatisfactory. Scheduled tasks are selected, however, on
the basis of the ways in which a particular item can fail. In considering
all the known or anticipated failure modes of each item we find that
many major components cannot benefit from any type of preventive
maintenance, some will require a single task, and others will require
several different tasks. The maintenance tasks assigned to a complex
item such as an aircraft turbine engine, for example, are quite numerous. Following are just a few of the inspection tasks performed while
the engine is installed:

Oil-screen inspection to detect metal particles

Borescope inspection of the combustor to detect signs of metal fatigue

"Sniff test" of the fuel manifold to detect fuel odors

"Broomstick check" to detect loose turbine blades

Inspection of the fan blades and front compressor blades for possible damage

Inspection for rattling noise to detect broken tie bolts

Radioisotope inspection of nozzle guide vanes for deformation

Spectrographic oil analysis to detect metallic indications of wear

Recognition of the criteria for applicability of scheduled rework
has led to a great reduction in the number of items removed and sent
to the shop for routine overhaul. Items are still removed from equipment and sent to the maintenance base, however, either because they
have failed or because they contain parts that require scheduled rework
or discard. In this case it is necessary to decide the extent of the work to
be done before these items are returned to service. Within the frame of
reference dictated by the applicability of rework tasks, there are only
four circumstances under which rework would be specified:

Single parts may require rework as the result of an inspection for
potential failures that can be performed only when an item is disassembled in the shop. This applies to certain types of turbine
blades.

Single parts may require rework because their failure characteristics show that they will benefit from an age limit. This is the case
with some fuel manifolds.

Single parts may have to be discarded because they have reached
a specified life limit. This applies to the safe-life limits imposed on
most compressor and turbine disks.

Single parts may have to be reworked or discarded because shop
inspection discloses a functional failure that was not observable
when the item was installed on the equipment.

The amount of work specified as part of shop maintenance depends, of course, on the nature of the item. With some the direct cause
of a failure is corrected, and if the component can then meet its performance standards, it is returned to service. This practice is sometimes
referred to as conditional overhaul. Other items, such as turbine engines,
may have a great deal of additional work done on them while they are
out of service. The work performed, however, is very much less than
that done under hard-time overhaul policies. As a result, the RCM
approach to rework tasks has substantially decreased engine maintenance costs, not only by reducing the volume of units flowing through
the maintenance base, but also by reducing the amount of work required when they are there.
The propulsion system is not the only complex item on an aircraft;
however, it is a system closely associated with operating safety, and the
largest part of the maintenance costs for any aircraft stem from scheduled or unscheduled work on engines. Because of this, on-condition
inspections play a major role in powerplant maintenance programs, and
scheduled removals, when they are necessary, are set at the maximum
interval that will allow satisfactory operation.
SERVICING AND LUBRICATION

Complex equipment requires numerous scheduled servicing and lubrication tasks to maintain satisfactory operation. There is usually no
question about which tasks are required and whether they are applicable and effective. However, it is interesting to review this aspect of
maintenance in light of our discussion thus far.
Lubrication, for example, really constitutes scheduled discard of a
single-celled item (the old lubrication film). This task is applicable because the film does deteriorate with operating age and show wearout
characteristics. Usually the condition of the film cannot be determined;
hence conservatively short intervals are assigned for its replacement with
new lubricant. Such tasks are also cost-effective. An item is lubricated
whether it needs lubrication or not because the cost is minuscule in
comparison to the costs that would result from inadequate lubrication.
In fact, the cost of this task is too low to justify studies to determine the
most economical task interval. As a result, lubrication is rarely isolated
for in-depth analysis in developing a maintenance program.
Whereas lubrication constitutes a discard task, the servicing tasks - checking tire pressures or fluid levels in oil and hydraulic systems - are
on-condition tasks. In this case potential failures are represented by
pressure or fluid levels below the replenishment level, and this condition is corrected
in each unit as necessary.
ZONAL INSPECTIONS AND WALKAROUND CHECKS

In contrast to servicing and lubrication tasks, zonal inspections and
walkaround checks of aircraft structures do not fall within the realm of
RCM task definition. Walkaround checks are intended to spot accidental
damage and fluid leaks and hence might be viewed as combination
on-condition and failure-finding inspections. In fact, they do include a
few specific on-condition tasks, such as a check of brake wear indicators.
However, damage can occur at any time and is unrelated to any
definable level of failure resistance. As a result, there is no basis for
defining an explicit potential-failure stage or a predictable interval
between a potential failure and a functional failure. Similarly, a check
for leaks is not based on the failure characteristics of a particular item,
but rather is intended to spot any unforeseen exceptions in failure
behavior.
Zonal inspections are even less specific. They are not directed at
any particular failure mode, but are merely a survey of the general
conditions within a given zone, or area, of the equipment. Zonal inspections
include a check of all the system assemblies and connecting lines
in each zone for security (loose parts), obvious signs of damage or leaks,
and normal wear and tear as a result of other maintenance activities. In
the powerplant this inspection includes looking into the engine tailpipe
and inlet, opening the cowling and examining all the engine-mounted
accessories, and so on. Such inspections play an important role in structural
maintenance, since they also include a general inspection of the
internal structural areas that can be seen with all installations in place.
Thus they complement, but are not a substitute for, the program of
detailed inspections developed for structurally significant items.
Although zonal-installation inspections do not meet the applicability
criteria for any of the four basic tasks, their cost is such a small part
of the total cost of scheduled maintenance that they are economically
justified if they result in the discovery of even a few potential failures.
For this reason any RCM program is supplemented by a separate
program of scheduled zonal inspections.

EXHIBIT 3.9 [Table values not recoverable. Columns: location of work performed;
scheduled work; corrective work (flight-crew reports, mechanic findings); total
manhours per flight hour. Rows: below A-check level; phase check (combination of
B and C checks); D check (heavy structural inspection); off the airplane, at main
maintenance base: repair of failed engines, repair of other failed items.]

2 Workload at checks was prorated, with one-half assigned to scheduled
inspections and servicing and one-half assigned to corrective work.
3 A-check figures were adjusted to include only scheduled-maintenance work
and the corrective work it generated. Corrective work resulting from flight-crew reports is aggregated
with other below-A-check work.
4 The D-check figure is not typical. During the reporting period there were two
sample D checks for age-exploration purposes. A longer reporting period would
lead to a smaller D-check number.
5 The corrective engine work was prorated, with one-quarter assigned to pilot
reports and the remainder assigned to mechanic findings.

THE TOTAL MAINTENANCE WORKLOAD

The total maintenance workload required to support complex equipment consists of all the work performed as scheduled maintenance, plus
the corrective-maintenance work required to repair failed units. Exhibit
3.9 illustrates the ratio of these two aspects of maintenance for an aircraft supported by a scheduled-maintenance program that is essentially
the same as an RCM program. The scheduled tasks comprised somewhat less than 10 percent of the total manhours spent on maintenance,
yet these tasks ensured realization of all the reliability of which the
equipment was capable. Additional scheduled work would have increased costs, but it would not have improved reliability.
Approximately 75 percent of the corrective work was done at the
major maintenance base as a result of the line-maintenance practice of
replacing failed units with serviceable ones. About half the corrective
work was done on engines. The only way the corrective workload can
be reduced is by design changes that improve the inherent reliability of
the items that are failing. Such changes are usually directed at dominant
failure modes in items whose failure has safety or major economic consequences. In this case the engine failures do have serious economic
consequences, and this engine is still undergoing intensive development.
The absolute size of the scheduled workload for this aircraft will
not change very much from its 1975 value, but the corrective workload
will decrease substantially as product improvement overcomes those
problems which require high manhour expenditures. Consequently the
relative proportions of the workload components may change in the
next several years. At some time in the future both components may
increase again as a result of conditions that do not occur until much
later ages.

3.7 PRODUCT IMPROVEMENT AS
PREVENTIVE MAINTENANCE
Over the years aircraft manufacturers have incorporated a number of
design features that have increased the inherent capability of the equipment
for reliable operation. In most cases these practices are intended
not to prevent failure, but to reduce its consequences to the cost of corrective
maintenance. Thus most systems items are designed with a high
degree of redundancy to ensure that if one unit fails, the necessary
function will still be available. On the same principle, structures are
designed with multiple load paths so that they are damage-tolerant.
Protective devices may also consist of entirely separate components, as
in the case of emergency equipment - fire extinguishers, automatically
released oxygen equipment in passenger aircraft, and ejection seats in
single-engine military aircraft.

Another common practice is failure substitution. This may be the
substitution of a minor functional failure to preempt a major one, as in
the use of automatic shutoff devices. Or it may be a feature included to
permit easy identification of a potential failure; for example, the outer
skin of an aircraft may be designed to crack before the structural member beneath it fails, so that there is evidence of an imminent failure that
can be detected by visual inspection. Inspection features such as borescope ports in engines also facilitate the detection of potential failures
that would otherwise be difficult to check for.
All these features are important from the standpoint of preventive
maintenance, since they determine both the feasibility of certain tasks
and the failure consequences by which task effectiveness is measured.
On a short-term basis, however, any scheduled-maintenance program
must be built around the reliability characteristics of the equipment as
it exists. In the case of new equipment, therefore, it is important to bear
in mind a basic conflict between certain design goals and reliability
goals. This problem is nowhere more apparent than in modern aircraft,
where the requirement for lightness and compactness is in direct opposition to the strength and bulk that is necessary for failure resistance.
A further difficulty is posed by the rush to new technology, since this
means that the designer is often working with new components and
even new materials whose reliability has not been proved by experience.
There are several pitfalls here. Designing for lightness, for example,
correspondingly reduces the initial margin between resistance and
stress. Even with familiar materials, the actual strength of a material
may be less than its nominal strength, or the rate at which its failure
resistance declines may be greater than expected. With unfamiliar materials and processes the likelihood is increased in both these areas. The
design goal of compactness may lead to the same results and to other
problems as well. In a more compact area an item that functioned well
in a different environment may be exposed to higher temperatures or
to vibration from neighboring components. Such items are also likely
to be more difficult to reach for inspection or replacement.
Where reliability problems are inherent in the design itself, there
are three ways of coping with the failure process:


Increasing the initial resistance to failure

Reducing the rate at which failure resistance decreases

Reducing the stress to which the item is exposed

All three of these effects are shown in Exhibit 3.10.


EXHIBIT 3.10 Methods of coping with the failure process. An item
may be redesigned to increase its initial failure resistance, to reduce
the rate at which failure resistance decays, or both. At the same
time, various strategies may be employed to reduce the stress to which
the item is exposed. Any or all of these procedures will improve
reliability by moving the point of functional failure farther into the
future, and thus increasing the mean time between failures.

Reliability improvement in each of these areas can take any number
of forms. In some instances the solution may be a modification in operating procedures. For example, the use of more reverse thrust and less
braking to slow an airplane after it has landed will reduce the stress on
the brakes (although it increases the cumulative stress on the reverser).
Since this procedure will also increase the life of the tires, it has several
implications for maintenance. In general, however, when unsatisfactory reliability characteristics result in exposure to critical failures or
excessive operational or maintenance costs, the only effective form of
prevention is redesign - either to alleviate the problem or to mitigate
its consequences.
When a critical-failure mode is involved, and no form of scheduled
maintenance can be found that will effectively control it, product improvement is mandatory. Otherwise the desirability of redesign depends on an assessment of the costs involved on both sides. Since this
information is ordinarily not available until after the equipment has
been in service for some time, items that may ultimately be redesigned
on the basis of actual operating costs are often assigned to no scheduled
maintenance in a prior-to-service program.

CHAPTER FOUR

developing the initial program

An initial scheduled-maintenance program must be developed for new
equipment long before it enters service. While it might be possible to
obtain a small mountain of test data on every part, assembly, and subsystem, the information about their actual reliability comes only from
operating experience. Thus the problem in basing a maintenance program on reliability characteristics might appear to be a lack of the very
information that is needed. In reality the problem is not the lack of
information; rather, it is knowing what information is necessary in
order to make decisions.
The RCM solution to this problem is a structured decision process
based, not on an attempt to estimate the reliability of each part, but on
the consequences of functional failures for the equipment itself. The
decision process thus proceeds from the top down, first to identify those
items whose failure is significant at the equipment level and then to
determine what scheduled maintenance can do for each of these items.
At each step of the analysis the decision is governed by the nature of
the failure consequences. This focus establishes the priority of maintenance activity and also permits us to define the effectiveness of proposed maintenance tasks in terms of the results they must accomplish.
Once this determination has been made, we are in a position to examine
each of the four possible forms of preventive maintenance to see which
tasks, if any, are both applicable and effective for the item under
consideration.
The process of evaluating failure consequences and maintenance
tasks is facilitated by a decision-diagram technique which employs an
ordered set of priorities - in the case of both failure consequences and
task selection - with the questions at each level worded to define the
information required for that decision. In many cases the answer will
be obvious from engineering expertise, the manufacturer's test data,
and previous experience with similar items. However, in developing
a prior-to-service maintenance program a strategy is required for
decision making when the appropriate information is not available.
Thus the decision logic also provides for default answers to meet this
situation. For an item subject to critical failures, the default path leads
ultimately to redesign. Where the consequences of failure are economic,
the default decision may be to do nothing (no scheduled maintenance)
until operating experience provides the information to justify some
other choice.
The result of RCM analysis is a scheduled-maintenance program
that includes all scheduled tasks necessary to ensure safety and operating economy, but only those tasks that will do so. Where there is no
basis for determining whether a particular task will prove applicable
and effective, the default strategy provides the most conservative answer, and as the maintenance program evolves, these initial decisions
are systematically modified on the basis of actual operating data. This
process continues throughout the service life of the equipment, so that
the decision structure provides for an optimal program in terms of the
information available at any time. In this chapter we will examine the
decision process as it relates to commercial aircraft. However, the decision logic itself is general and applies to any complex equipment that
requires a maintenance support program designed to realize maximum
operating reliability at the lowest cost.

4.1 THE NATURE OF SIGNIFICANT ITEMS


identifying significant items
structurally significant items
functionally significant items

A transport plane consists of a vast number of parts and components,
all of which have specific functions. All these items can be expected to
fail at one time or another, but some of the failures have more serious
consequences than others. Certain kinds of failures are a threat to safety,
and others have a direct effect on operating capability. However, there
are tens of thousands of items whose failure has no immediate impact
on the equipment as a whole. The failures are simply corrected soon
after they occur, and the only consequence is the cost of repair. These
items have no significance from the standpoint of preventive maintenance in the sense that their consequences are tolerable. It is less
expensive to leave them in service until they fail than it would be to
prevent the failures. Thus the initial decision for these tens of thousands of items is no scheduled maintenance.
The information on which to base this decision ordinarily comes
from the manufacturer, who has had to face the problem of failures
during the design and development of the equipment. In order to
qualify the aircraft for airworthiness, the manufacturer will have conducted a failure modes and effects analysis (FMEA) for all the major
assemblies, subsystems, and systems to demonstrate how the equipment will perform when various items fail. In addition, the purchasing
airlines will have knowledge of operating experience with similar items
in the past, as well as knowledge of the failure consequences in the
particular operating context in which the equipment is to be used.
The failures that are of concern are those which have serious consequences. Thus an RCM program directs tasks at a relatively small
number of items - those systems, subsystems, and assemblies whose
functional failure would be significant at the equipment level, either
immediately or downstream in the event of a hidden failure.

IDENTIFYING SIGNIFICANT ITEMS

The first step in the development of a scheduled-maintenance program
is a quick, approximate, but conservative identification of a set of
significant items:

A significant item is one whose failure could affect operating safety or
have major economic consequences.

The definition of "major economic consequences" will vary from one
operating organization to another, but in most cases it includes any
functional failure that has a direct effect on operational capability or
involves a failure mode with unusually high repair costs.
So far we have used the term item in a very general sense to refer to
some component of the equipment. An item can, in fact, be of any size;
the entire aircraft might be viewed as an item, as might any one of its
parts. However, the larger and more complex the item, the more unwieldy the set of failure possibilities that must be taken into account.
To reduce the problem of analysis to manageable size, it is customary to
partition the equipment into three major divisions - systems, powerplant, and structure - each of which involves different areas of engineering expertise. Each division is then partitioned in descending order of
complexity, with successively fewer failure possibilities at each level.
The chore now is to sort through the functions and failure possibilities of the various components and eliminate all the obviously nonsignificant items. To ensure that borderline cases and items for which
information is lacking will always receive further study, any items
eliminated at this stage must be demonstrated to be nonsignificant.
Items may be classified as nonsignificant because their functions are
unrelated to operating capability or because they are replicated, so that
a functional failure would not affect operating capability. Many items
can be eliminated because their failures can be repaired quickly and
therefore involve no operational consequences. Other items may be
ruled out later because they are not candidates for on-condition or safe-life tasks and hence cannot benefit from scheduled maintenance (there
is usually no information on the applicability of rework tasks at this
time). At this stage, however, all the items that might benefit from
scheduled maintenance must be listed for further study.
During the process of classifying items as significant or nonsignificant certain items will be identified that have hidden functions. All
these items will require scheduled maintenance regardless of their
significance. Although the loss of a hidden function has no direct effect
on safety or operating capability, an undetected failure exposes the
equipment to the risk of a multiple failure which might have serious
consequences. Hence hidden-function items are subjected to the same
intensive analysis as significant items.
Note that all items will in fact be included by this procedure, since
the partitioning process itself has the following properties:

Any item containing a significant item is itself significant.

Any nonsignificant item is contained in a higher-level significant item.

Any lower-level item contained in a nonsignificant item is itself nonsignificant.

EXHIBIT 4.1 Partitioning an aircraft for preliminary identification of
significant items. The equipment is first partitioned to show all items
in descending order of complexity. Those items whose failure clearly
has no significant consequences at the equipment level are then pruned
from the tree, leaving the set of items on which maintenance studies
must be conducted. Each significant item will include as failure
modes all the failure possibilities it contains.

The objective, however, is to find the most convenient level of each
system or assembly to classify as significant. The level must be low
enough to ensure that no important failure possibilities are overlooked,
but high enough for the loss of function to have an impact on the equipment itself, since the consequences of a functional failure are significant
only at the equipment level - that is, for the aircraft as a whole.
Once the optimum level of item has been selected for study in each
case, we can prune the "tree" back to a set of several hundred potentially significant items with the assurance that any failure possibilities
they include at lower levels will be taken into account as failure modes.
As an example, consider the engine described in Section 3.1, in which
failure of one or more individual tie bolts in a set of 24 was defined as
a potential failure. Although this might be viewed as a functional failure of the tie bolt, the failure of a single bolt does not affect engine
performance enough to be evident to the operating crew; consequently
the tie bolt is not a significant item. It does, however, have a hidden
function, and if enough tie bolts failed, the resulting multiple failure
would indeed become evident. The inspection task selected to avoid
such a multiple failure would still be the one described in Exhibit 3.2 - a check for broken tie bolts. However, viewed from the engine level this
is an on-condition task, whereas at the parts level it would be considered
a failure-finding task.
In other words, the level of item selected as significant is important
only as a frame of reference. Whether we look up at a multiple failure or
down at a failure mode, an analysis of all the failure possibilities will
ultimately lead to exactly the same preventive task. The chief advantage
of the partitioning process is that it allows us to focus intensive study
on just a few hundred items instead of many thousands. In an aircraft
these items will include some of the parts and assemblies, some subsystems, each of the systems, and each of the major divisions themselves.
The parts selected as significant are usually those in which a critical
failure mode originates. The structure division represents a special
case, since the significant items are specific regions that require scheduled maintenance, rather than whole structural assemblies.

STRUCTURALLY SIGNIFICANT ITEMS

The significant items in each of the major divisions of an aircraft have
certain common characteristics which relate to their maintenance requirements. For example, the aircraft structure is a relatively static
assemblage of single-celled elements, and except for items such as
control surfaces, landing gear, or doors, the only structural movement is
deflection under applied loads. However, the structure is subjected to
a great many such loads in the course of its operating life. As we saw in
Chapter 2, single-celled parts of a mechanism frequently exhibit wearout characteristics. This is true of metallic structural elements, which
are subject to metal fatigue - that is, to a reduction in failure resistance
with increasing age.
Another physical process that can lead to the age-related failure of
structural elements is corrosion, although the effects of corrosion are
much less predictable than those of fatigue. Even minor pitting seriously reduces both static strength and fatigue life, since the loss of load-carrying material correspondingly increases the stress on the rest of the
element. Accidental damage has a similar effect in preventing structural
components from realizing their inherent fatigue resistance. Thus,
although the aircraft structure is designed for a very long fatigue life, it
is subject not only to age-related failure in general, but to physical processes that compound the decline in failure resistance with age.
The failure of a major structural assembly which causes the loss of
some basic structural function - such as enabling aerodynamic lifting
forces to balance the weight of the airplane or providing flight-control
surfaces for maneuvering capability - clearly has safety consequences.
Moreover, any failures short of a critical failure - failures that do not
result in a loss of function to the aircraft - will usually not be evident to
the operating crew. The primary consideration in identifying significant
structural members, therefore, is the effect that failure of a member has
on the residual strength of the remaining assembly, although consideration is also given to susceptibility to corrosion and accidental damage.
The generic term structurally significant item (SSI) is used to denote
each specific structural region that requires scheduled maintenance to
guard against the fracture of a significant member. This region may be
defined as a site that includes a number of structural elements, it may
be defined as the significant member itself, or it may be a particular region on the member that is the best indicator of its condition. Often such
items are the points at which different structural elements are joined;
for example, the wing-to-fuselage joint is always listed as a structurally
significant item. Most aircraft structure is maintained by on-condition
inspections of the regions identified as structurally significant items.
These inspections are designed to identify and repair corrosion, fatigue,
and other damage at the earliest possible stage, since the replacement of
a failed structural element is both difficult and expensive.

FUNCTIONALLY SIGNIFICANT ITEMS

Unlike structural items, most systems are equipped with instrumentation to monitor the performance both of the system as a whole and of
individual assemblies within it. As a result, the occurrence of any functional failure in a system is usually evident to the operating crew. Moreover, most systems are designed to be highly redundant, so that the
failure of one unit often has no effect on operational capability. Unless
a second unit fails, the aircraft is dispatched as usual, and corrective
maintenance is simply deferred to a convenient time and location. Thus,
although the system as a whole is a functionally significant item (FSI), the
units that comprise it would be classified as nonsignificant, since their
individual failures have no consequences at the equipment level.
Systems items differ in two other ways from structural items. Most
systems components are themselves multicelled, or complex; hence
their overall reliability shows little or no deterioration with age. Certain
metal parts in mechanical systems are subject to fatigue and corrosion,
but these are rarely responsible for a dominant failure mode. To meet
space and weight requirements, systems components are usually designed with a narrow margin between initial failure resistance and
stress. Since they are therefore subject to more frequent failure, the
system is usually also designed to facilitate the replacement of failed
units. A further distinction between systems and structural items is
that certain systems items, such as electrical and electronic components,
are characteristically unable to benefit from scheduled maintenance.
Although the powerplant is itself a system, it warrants a category
of its own because of its complexity, its high cost, and the critical nature
of some of its failure modes. The shutdown of one engine in a multiengine aircraft has operational, but not safety, consequences. However,
the failure of turbine or compressor disks - or any other failures that
generate projectiles, cause fires, or leave the engine so that it cannot be
shut down - can clearly affect safety. These failure modes are always
given careful attention in a maintenance program.
The powerplant can be viewed as a functionally significant item in
itself, but the failure characteristics of each of its modules, or major
subassemblies, are often quite different from those of the engine as a
whole. For example, the collective probabilities of all powerplant failures have little relation to operating age, whereas single important
parts may be subject to directly age-related failures. Thus scheduled-maintenance tasks in the powerplant program may include safe-life
limits for some items and scheduled rework for others. In as many
instances as possible, however, on-condition inspections are employed,
both to avoid the consequences of functional failures and to reduce the
costs associated with scheduled removals. The powerplant is unique
from a maintenance standpoint in that it is designed to permit extensive inspection capability on the aircraft, it can be replaced in a fairly
short time (although unscheduled replacements have operational consequences), and it is subject to extensive shop inspections as well.
In the case of new engines there may be some failure modes that
cannot be effectively controlled except by redesign. The occurrence of
an unanticipated type of failure in any engine prompts an immediate
response on the part of maintenance. The failure consequences are
quickly assessed and the engine is examined to determine the cause of
the failure. Next, some method is usually devised for inspecting the rest
of the engines in service (or the suspect group of engines) for early signs
of the same kind of failure. These inspections forestall further failures
while the part is being redesigned. The alternative, if the failure is critical and no preventive task can be found, is grounding the fleet until the
problem can be solved.
Because items within the powerplant are exposed to many different
forms of deterioration, including all those that affect the structure and
the various systems, they have no common failure characteristic. Unlike
systems items, however, all engine failures have operational consequences and some failure modes have safety consequences. For this
reason significant items in the powerplant are identified primarily on
the basis of their failure effects. The very complexity of the powerplant
results in one further characteristic. Engines are subject to so many
failure possibilities that operating data accumulate rapidly, especially
with use on multiengine commercial aircraft. This rapid feedback, along
with the high cost of corrective maintenance on engines, favors the
initial selection of intensive on-condition inspections for powerplant
items, since the applicability of age-limit tasks can be investigated
before the point at which age-related failures would have any major
economic impact.

4.2 THE RCM DECISION PROCESS

evaluation of failure
evaluation of proposed tasks

The partitioning procedure gives us a conservative first approximation
of the items that might benefit from scheduled maintenance. Each of
these items must now be examined in detail to determine whether its
failure consequences actually qualify it as significant - and if so, whether
the item can in fact benefit from scheduled maintenance. Even when
the significance of an item is confirmed, there may be no form of preventive maintenance that is applicable and effective. Such items cannot
be eliminated from consideration, however, without a full analysis.

EVALUATION OF FAILURE CONSEQUENCES

The consequences of a functional failure depend on both the nature of
the function and the nature of the failure. Hence it is necessary to begin
the analysis with an accurate list of all the functions demanded of an
item and a clear definition of the conditions that constitute a functional
failure in each case. It is also necessary to know the failure modes involved in order to determine the possible effects of each failure. Once
this information has been assembled for every item to be examined, we
are in a position to evaluate the actual consequences of failure.
As a result of the partitioning process certain items will have been
identified that have hidden functions - that is, their failure will not
necessarily be evident to the operating crew. The first matter to be
ascertained in all cases, however, is whether we will know when a
failure has occurred. The following question is necessary, therefore, to
ensure that all hidden functions are accounted for:

Is the occurrence of a failure evident to the operating crew during
performance of normal duties?

This question must be asked, not for each item, but for each function of
the item. The loss of an item's basic function may be evident, but in
many cases the item will have secondary or other characteristic functions
whose failure will not be evident to the operating crew.
Recall from our discussion in Chapter 2 that any functional failure
which has a direct effect on operational capability - including critical
failures - will always be evident to the operating crew. If the effects of a
failure are not observable, the loss of function has no immediate impact.
But by the same token, there is no assurance that the failure will be
reported and corrected. Thus if the answer to this first question is no
for any function, scheduled maintenance is required for that item. The
purpose of the task is not necessarily to prevent failures of the hidden
function, but to prevent exposure of the equipment to a multiple failure
involving that item.
In the case of a failure that is evident to the operating crew, the
consequences might be immediate; we therefore need to know how
serious they are likely to be:

Does the failure cause a loss of function or secondary damage that
could have a direct adverse effect on operating safety?

This question must be asked for each functional failure and for each
failure mode. Modern design practices ensure that transport aircraft are
exposed to very few critical losses of function. However, certain failure
modes, especially in engines, do cause secondary damage that poses a
safety hazard. Therefore a yes answer to either aspect of this question
means that preventive maintenance is mandatory and can be considered
effective only if it prevents all occurrences of this type of failure.

EXHIBIT 4.2 Decision diagram to identify significant items and
hidden functions on the basis of failure consequences. Failures
that affect safety or operating capability have an immediate impact,
since the aircraft cannot be dispatched until they have been corrected.
The impact of nonoperational failures and hidden failures is delayed
in the sense that correction can be deferred to a convenient time and
location.
[Diagram: three questions (Is the occurrence of a failure evident to the operating crew during performance of normal duties? Does the failure cause a loss of function or secondary damage that could have a direct adverse effect on operating safety? Does the failure have a direct adverse effect on operational capability?) lead to four outcomes: safety consequences and operational consequences (economic), with immediate impact; nonoperational consequences (economic) and hidden-failure consequences, with delayed impact.]

If the answer to the safety question is no, our next concern is with
economic consequences:

Does the failure have a direct adverse effect on operational capability?

The consequences in this case include an immediate interruption of
operations, reduced capability if the airplane continues in service, or
the delay or cancellation of subsequent flights to make unscheduled repairs - all of which involve an economic loss beyond the cost of the
repairs. In this case, although scheduled maintenance is not required
for safety reasons, it may be desirable on economic grounds. Thus if
the answer to this question is yes, any applicable preventive tasks must
be investigated for cost effectiveness.
If the failure has no direct effect on operational capability, the economic consequences include only the cost of repair. However, certain
functional failures may be far more expensive to repair than to prevent,
especially in the case of a failure mode that causes extensive damage to
surrounding items. Although scheduled maintenance is more likely to
prove cost-effective when operational capability is a factor, there are
certain failure modes for which it is often desirable to investigate the
economic benefits of a preventive task.
The relationship of these three questions and the decision outcomes
in each case are illustrated in Exhibit 4.2. This simple decision-diagram
approach provides us with the following basic information about each
failure possibility:

We know whether the failure will be evident, and therefore reported for correction.

We know whether its consequences include a possible safety hazard for the equipment or its occupants.

We know whether its consequences have a direct effect on operational capability.

We know the objective of preventive maintenance in each case, and
hence the criterion for evaluating task effectiveness.

With this information we are now in a position to evaluate the maintenance possibilities for each item.
EVALUATING THE PROPOaED MAINTENANCE TASKS

The next ynase of RCM analysis involves a systematic study of each


failure mode to determine whether one of the four basic maintenance
tasks will satisfy both the criteria for applicability and the specific conditions for effectiveness. Since there is a clear order of preference for
the first three preventive tasks, we can again use a decision-diagram
approach, as shown in Exhibit 4.3.
Thc first task to be considered for each anticipated failure mode of
the item being studied is an on-condition inspection:
Is an on-condition task to detect potential failures both applicable and
effective?
SECTION 4 . 2

89

If the answer is yes, an on-condition inspection task is put into the program for that failure mode. If we obtain yes answers for all the failure
modes of an item, the analysis of that item is complete.
The applicability of an on-condition task can be determined by
engineering specialists who are familiar with the design characteristics
of the item, the materials used in it, and the inspection technology
available. Thus this information will be on hand before the equipment
goes into service. At the time an initial maintenance program is developed, however, there may not be enough information to determine
whether the task will be effective. In this case we assume that it will be
effective and establish the initial inspection intervals according to the
U(HIBm 4.3 1)ecision diagram to evaluate proposed scheduledni,iintcn,ince tasks. If nonc of the thrcc directly preventive tasks nieets
the criteria for applicability and effectiveness, an item whose failures
arc evident cannot he considered to benefit from scheduled maintenance.
If the item has a nidden function, the default action is a scheduled
f,lilurc-finding task.

Is an on-condition task to detect


potential failures both applicable
and effective?

On-condition
task

Is a rework task to reduce the


failure rate both applicable and
effective?

Yw

Rework
task

no

Is a discard task to avoid failurea


or reduce the failure rate both
applicable and effective?
A

no

Discard
ta~k

No scheduled
maintenance

seriousness of the failure consequences. Any applicable inspection task


can be made effective in terms of failure prevention if the intervals are
short enough, and if operzting experience later shows that it is not costeffective, the task will be deleted from the program at the next review.
If an on-condition task is not applicable for certain failure modes,
the next choice is a scheduled rework task:
Is a rework task to reduce the failure rate both applicable and effective?

In this case the question of applicability as well as effectiveness requires
an analysis of operating data. Thus, unless the age-reliability characteristics of the item are known from prior experience with a similar
item exposed to a similar operating environment, the assumption in an
initial program is that an item will not benefit from scheduled rework.
In the absence of information, the answer to this question is no, and
we wait for the necessary information to become available after the
equipment goes into service.
A no answer to the rework question brings us to the question of a
scheduled discard task:
Is a discard task to avoid failures or reduce the failure rate both applicable
and effective?

In an initial maintenance program the only items scheduled for discard
will be those for which the manufacturer has specified safe-life limits.
The tasks associated with those items are put into the program, but in
nearly all other cases the answer at this stage will be no.

4.3 USE OF THE RCM DECISION DIAGRAM

the full RCM decision diagram
use of the four consequence branches
the role of the default strategy

The small decision diagram in Exhibit 4.3 provides the essential mechanism for deciding which, if any, of the preventive-maintenance tasks
are both applicable and effective for a particular item. To use this diagram, however, it is necessary to know the failure consequences that
determine effectiveness in each case and also dictate the default action
to be taken at each decision level.

THE COMBINED DECISION DIAGRAM

Exhibit 4.4, which brings together the decision questions in Exhibits 4.2
and 4.3, can be used to develop an RCM program either for new equipment or for equipment which is already in service. As we will see in
Chapter 5, it can also be used to modify the initial program as new
information becomes available. The chapters in Part Two discuss the
application of RCM analysis to each of the three major divisions of the
aircraft: systems, powerplant, and structures. For the time being, however, let us see how the failure consequences influence the process of
task selection.

EXHIBIT 4.4 The RCM decision diagram. These questions must be
asked for each type of functional failure listed for the item. The first
three questions determine the consequences of that failure, and hence
the objective of preventive tasks. (F. S. Nowlan and H. F. Heap)
[Diagram. Three questions determine the consequence branch:
1 Is the occurrence of a failure evident to the operating crew during performance of normal duties?
2 Does the failure cause a loss of function or secondary damage that could have a direct adverse effect on operating safety?
3 Does the failure have a direct adverse effect on operational capability?
Each branch then asks in turn whether an on-condition task (OC), a rework task (RW), and a discard task (LL) is both applicable and effective. Final action when no preventive task is available depends on failure consequences.
SAFETY CONSEQUENCES (questions 4 to 6): Scheduled maintenance is required to reduce the risk of failure to an acceptable level. Remaining outcomes: combination of tasks (COMB); redesign required.
OPERATIONAL CONSEQUENCES (ECONOMIC) (questions 8 to 10): Scheduled maintenance is desirable if its cost is less than the combined costs of operational consequences and repair of those failures it prevents. Remaining outcomes: no scheduled maintenance (NSM); redesign may be desirable.
NONOPERATIONAL CONSEQUENCES (ECONOMIC) (questions 11 to 13): Scheduled maintenance is desirable if its cost is less than the cost of repair of those failures it prevents. Remaining outcomes: no scheduled maintenance (NSM); redesign may be desirable.
HIDDEN-FAILURE CONSEQUENCES (questions 14 to 16): Scheduled maintenance is required to ensure the level of availability necessary to avoid exposure to a multiple failure. Remaining outcomes: failure-finding task (FF); redesign may be desirable.]

Consider an item which is subject to a critical failure. The answer
to question 1 is yes, since any failure that has a direct adverse effect on
operating safety will be evident to the operating crew. (This answer
refers, of course, only to a loss of the particular function under consideration.) The answer to question 2 is also yes, since the failure has been
stated as critical. All subsequent questions about this failure possibility
therefore fall in the safety branch of the diagram. This has two important
implications for scheduled maintenance:

Scheduled maintenance is required if an applicable preventive task can be found.

A task can be considered effective only if it reduces the risk of critical failure to an acceptable level.

In the case of transport aircraft the risk must be at a level of extreme
improbability to be acceptable, but in the general case an acceptable
level does exist. For example, single-engine aircraft are utilized for
various civilian and military applications.
Each failure mode that might result in this failure is now examined
to determine which of the proposed preventive tasks will accomplish
the necessary objective. If an on-condition task is applicable for some
failure mode, it can usually be made effective by assigning conservatively short inspection intervals (a yes answer to question 4). If there
are failure modes for which on-condition inspection is not applicable,
the question of scheduled rework is considered. However, in an initial
program the failure data necessary to determine the applicability of
such a task are rarely available, and no operating organization can
afford the number of critical failures required to provide this information. Thus in the case of a critical-failure mode the answer to question 5
is no.
This brings us to the question of scheduled discard of the item or
part in which the critical failure originates - that is, to a safe-life limit.
In determining initial program requirements engineering advice may
indicate that such a task is applicable. Its effectiveness cannot be evaluated, however, unless a safe-life limit has been established by developmental testing under simulated operating conditions. If a safe-life limit
has been established, scheduled discard at this limit is required; if a
life limit has not been established for this item, the answer to question
6 is no.

When some failure mode cannot be adequately controlled by any
one of the preceding tasks, we have one further recourse:
Is a combination of preventive tasks both applicable and effective?

There are occasional circumstances in which a combination of two or
more preventive tasks will reduce the risk of critical failure to an acceptable level. In a single-engine aircraft, for example, any and all applicable
tasks might be employed to reduce the likelihood of engine failure
to the lowest level possible. In most instances, however, this is a stopgap measure, pending redesign of the vulnerable part. If no combination of tasks can be found that will effectively avoid critical failures in
the interim, it may be necessary to restrict operation of the equipment
or even to remove it from service.
To return to the top of the decision diagram, suppose the failure of
an item has no safety consequences (a no answer to question 2), but it
does have operational consequences (a yes answer to question 3). In
this event we are concerned only with the economic consequences of a
functional failure:

Scheduled maintenance is desirable if its cost is less than the combined costs of operational consequences and repair for those failures it prevents.

A task can be considered effective only if it is cost-effective.

In scheduled airlines operational consequences can usually be measured
in terms of the inability to deliver service to passengers in a timely
fashion. In other operating contexts the cost of lost operational capability might be measured differently. However, a cost can always be
imputed to any operational failure in terms of the opportunity cost of
being unable to use the equipment as planned.
To determine whether a proposed maintenance task is economically desirable, it is necessary to know the imputed cost assigned to the
expected operational consequences. In initial programs this will usually
be an arbitrary figure based on the benefits anticipated at the time the
equipment was purchased. In addition, it is necessary to have some
idea of the likelihood of failure, the cost of the proposed task, and the
cost of corrective maintenance if the item is allowed to fail. Generally, if
the expected failure rate is low and the operational consequences are
not excessive, the decision will be to use no scheduled maintenance. As
the total cost of failure increases, preventive maintenance becomes more
attractive. In most cases it is possible to make a decision without a
formal economic-tradeoff study. (Later in the chapter we will examine
a procedure for determining whether an economic-tradeoff study is
likely to be worthwhile.)
Where no applicable and cost-effective maintenance task can be
found, we must either accept the operational consequences (no scheduled maintenance) or redesign the item to reduce the frequency of
failures. This decision ordinarily depends on the seriousness of the
operational consequences. If they represent a major economic loss, the
default decision is redesign.
If the failure of an item has no operational consequences, the question of task effectiveness is evaluated in direct economic terms:

Scheduled maintenance is desirable if its cost is less than the cost of repair for those failures it prevents.

A task can be considered effective only if it is cost-effective.

Task effectiveness in this case is a simple tradeoff between the cost of
prevention and the cost of cure. If both costs are of the same order of
magnitude, the decision goes to no scheduled maintenance. The reason
for this is that any preventive-maintenance task may disturb the steady-state conditions of the mechanism, and this risk should not be introduced without good cause. Thus a preventive task will be scheduled
only where the cost of correcting failed items far outweighs the cost of
preventing failures.
Note that many of the items designated for no scheduled maintenance through this decision process might well have been identified
at the outset as those which cannot benefit from scheduled maintenance.
This branch of the decision diagram, however, permits us to evaluate
borderline items which might have benefited from a scheduled task if
an applicable one could be found.
In the case of hidden-function items task effectiveness involves
two criteria:

Scheduled maintenance is required to avoid exposure to a possible multiple failure.

A task can be considered effective only if it ensures adequate availability of the hidden function.

Some hidden functions are sufficiently important that their availability
is protected by periodic checks by the operating crew - that is, they are
made evident by defining the normal duties of the crew to cover them.
In all other cases, however, scheduled inspections are necessary. Since
hidden failures can have no direct effect on safety or operational capability, we can allow such items to fail, but we cannot afford the possible
consequences of undetected failures. Thus, in the absence of any directly
preventive task that is applicable and effective, a specific failure-finding
task must always be assigned.


THE ROLE OF THE DEFAULT STRATEGY

The information to be channeled into RCM decisions requires analysis
under two different sets of conditions. One is the development of an
initial maintenance program on the basis of limited information. The
other is modification of these initial requirements as information
becomes available from operating experience. As information accumulates, it becomes increasingly easier to make robust decisions. In developing a prior-to-service program, however, there are many areas in
which there is insufficient information for a clearcut yes-or-no answer
or the study group is unable to reach a consensus. To provide for decision making under these circumstances it is necessary to have a backup
default strategy which dictates the course of action in such cases.
The default strategy summarized in Exhibit 4.5 shows for each of
the decision questions which answer must be chosen in case of uncertainty. In each case the default answer is based on protection of the
equipment against serious consequences. For example, in the process
of identifying significant items, if it can be demonstrated that the failure
of an item has no effect on safety or operating capability, the item can
be classified as nonsignificant and does not warrant further study to
see if it can benefit from scheduled maintenance. If there is any doubt,
however, it must be classified as significant and cannot be dismissed
without further analysis. Similarly, if it is not certain that a loss of function will be evident to the operating crew, it is treated as hidden unless
a failure mode involves critical secondary damage.
This default approach can conceivably lead to more preventive
maintenance than is necessary. Some tasks will be included as protection against hazards that do not exist, and others may be scheduled far
too frequently. The means of eliminating such excessive costs is provided by the age-exploration studies which begin as soon as the equipment goes into service. Through this process the information needed to
refine the initial program (and make major revisions where necessary)
is gathered systematically for evaluation. We will examine the techniques of age exploration and the nature of the information it provides
in the next chapter.
Since an analysis of age-reliability characteristics requires failure
data that will not become available until some time after the equipment
has been in service, the default strategy will result in a no answer to
nearly all questions concerning the applicability and effectiveness of
scheduled rework and discard tasks. Consequently, any initial RCM
program will consist essentially of on-condition tasks, a few safe-life
discard tasks, and failure-finding tasks for hidden-function items, in
addition to the usual servicing and lubrication tasks. Scheduled rework
or economic-life discard tasks may be added at some later stage, after
their applicability and effectiveness can be evaluated, but they rarely
appear in an initial program.
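
The branch logic of the combined decision diagram, together with the default answers used in case of uncertainty, can be written out as follows. This is an added Python example, not part of the original book; the names `Answers` and `decide`, the use of `None` for an uncertain answer, and the default of no for the combination-of-tasks question are assumptions made here.

```python
from dataclasses import dataclass
from typing import Optional

# Default answers used when a question cannot be answered (value None).
# They follow the default strategy described above: protect the equipment.
DEFAULTS = {
    "evident": False,        # treat the function as hidden
    "safety": True,          # classify consequences as critical
    "operational": True,     # classify consequences as operational
    "oc_applicable": True,   # include the on-condition task
    "oc_effective": True,    # short intervals make it effective
    "rw_applicable": False,  # no rework without real and applicable data
    "rw_effective": False,
    "ll_applicable": False,  # no discard, except safe-life items
    "ll_effective": False,
    "combination": False,    # assumption: the text gives no default here
}


@dataclass
class Answers:
    """Answers for one functional failure; None means 'uncertain'."""
    evident: Optional[bool] = None
    safety: Optional[bool] = None
    operational: Optional[bool] = None
    oc_applicable: Optional[bool] = None
    oc_effective: Optional[bool] = None
    rw_applicable: Optional[bool] = None
    rw_effective: Optional[bool] = None
    ll_applicable: Optional[bool] = None
    ll_effective: Optional[bool] = None
    combination: Optional[bool] = None
    critical_secondary_damage: bool = False  # exception to the 'hidden' default
    safe_life_limit: bool = False            # exception to the discard default


def decide(a: Answers) -> tuple[str, str, list[str]]:
    """Return (consequence branch, outcome code, questions answered by default)."""
    used: list[str] = []

    def ask(name: str) -> bool:
        value = getattr(a, name)
        if value is not None:
            return value
        used.append(name)  # remember it: a candidate for age exploration
        if name == "evident" and a.critical_secondary_damage:
            return True
        if name.startswith("ll_") and a.safe_life_limit:
            return True
        return DEFAULTS[name]

    # Questions 1 to 3 select the consequence branch.
    if not ask("evident"):
        branch = "hidden"
    elif ask("safety"):
        branch = "safety"
    elif ask("operational"):
        branch = "operational"
    else:
        branch = "nonoperational"

    # Every branch tries on-condition, then rework, then discard.
    for prefix, code in (("oc", "OC"), ("rw", "RW"), ("ll", "LL")):
        if ask(prefix + "_applicable") and ask(prefix + "_effective"):
            return branch, code, used

    # No single preventive task: the final action depends on the branch.
    if branch == "safety":
        return branch, ("COMB" if ask("combination") else "REDESIGN"), used
    if branch == "hidden":
        return branch, "FF", used
    return branch, "NSM", used


if __name__ == "__main__":
    # A critical failure with no applicable on-condition task and no safe-life limit.
    print(decide(Answers(evident=True, safety=True, oc_applicable=False)))
```

The third element of the result lists the questions that were settled by default, which are the ones to revisit once operating data become available.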

EXHIBIT 4.5 The default answer to be used in developing an initial scheduled-maintenance program in the absence of data from actual operating experience.

| decision question | default answer to be used in case of uncertainty | stage at which question can be answered | possible adverse consequences of default decision | default consequences eliminated with subsequent operating information |
|---|---|---|---|---|
| IDENTIFICATION OF SIGNIFICANT ITEMS | | | | |
| Is the item clearly nonsignificant? | No: classify item as significant. | | | |
| EVALUATION OF FAILURE CONSEQUENCES | | | | |
| Is the occurrence of a failure evident to the operating crew during performance of normal duties? | No (except for critical secondary damage): classify function as hidden. | | Unnecessary inspections that are not cost-effective | |
| Does the failure cause a loss of function or secondary damage that could have a direct adverse effect on operating safety? | Yes: classify consequences as critical. | | Unnecessary redesign or scheduled maintenance that is not cost-effective | No for redesign; yes for scheduled maintenance |
| Does the failure have a direct adverse effect on operational capability? | Yes: classify consequences as operational. | | Scheduled maintenance that is not cost-effective | Yes |
| EVALUATION OF PROPOSED TASKS | | | | |
| Is an on-condition task to detect potential failures applicable? | Yes: include on-condition task in program. | | Scheduled maintenance that is not cost-effective | Yes |
| If an on-condition task is applicable, is it effective? | Yes: assign inspection intervals short enough to make task effective. | | Scheduled maintenance that is not cost-effective | Yes |
| Is a rework task to reduce the failure rate applicable? | No (unless there are real and applicable data): assign item to no scheduled maintenance. | | Delay in exploiting opportunity to reduce costs | Yes |
| If a rework task is applicable, is it effective? | No (unless there are real and applicable data): assign item to no scheduled maintenance. | | Unnecessary redesign (safety) or delay in exploiting opportunity to reduce costs | No for redesign; yes for scheduled maintenance |
| Is a discard task to avoid failures or reduce the failure rate applicable? | No (except for safe-life items): assign item to no scheduled maintenance. | initial program (with default): safe life only; ongoing program (operating data): economic life | Delay in exploiting opportunity to reduce costs | Yes |
| If a discard task is applicable, is it effective? | No (except for safe-life items): assign item to no scheduled maintenance. | initial program (with default): safe life only; ongoing program (operating data): economic life | Delay in exploiting opportunity to reduce costs | Yes |

4.4 DETERMINING COST EFFECTIVENESS

criteria for cost effectiveness
finding a cost-effective interval
the impact of inherent reliability characteristics

Since a moderate amount of information gathering is necessary for calculations of cost effectiveness, it is helpful to know whether the effort is
likely to be fruitful. The decision-diagram approach is also useful in this
area. Exhibit 4.6 illustrates one method for deciding whether a detailed
assessment of an applicable task might be worthwhile.
Up to this point we have not been concerned about failure rate,
since it is not a primary measure of consequences. In the case of critical
failures it has no bearing; in fact, the sole objective is to avoid any failures on which to base a rate. Where the consequences are economic,
however, the total cost depends on the frequency with which these
consequences are likely to occur. The first question in evaluating the
cost effectiveness of prevention, therefore, concerns the frequency of
functional failures:
Is the functional-failure rate high?

Since it is seldom worthwhile to deal with rare types of noncritical failures, this question rules out items that fail so seldom that the cost of
scheduled maintenance would probably be greater than the benefits
to be derived from it. The term high, of course, is open to interpretation.
In airline practice a failure rate greater than 1 per 1,000 hours of flight
time is usually considered high, whereas a rate of less than 3.1 per 1,000
hours is usually not considered important. This question is often easier
to answer if the failure rate is described in terms of the number of failures per month.
If the failure rate is judged to be high, the next concern is the cost
involved. Operational consequences are usually the major cost associated with a high failure rate:
Does the failure involve operational consequences?


Any failure that prevents continued dispatch of the equipment involves
operational consequences. However, the extent of the economic loss
depends largely on the intended use of the equipment. In a military context, for example, a much higher cost might be imputed to dispatch of
an airplane with restrictions on its operating performance than would
be the case in a commercial-airline context. If the failure does have
operational consequences, the total cost of failure includes the combined
cost of these consequences and the cost of repair.
Even when operational consequences are not involved, it may be
advantageous to forestall a particularly expensive failure mode:
Does any failure mode cause unusually high repair or operating costs?

This question must be investigated separately, since such failure modes
will usually be responsible for only a small fraction of the total number
of failures.
EXHIBIT 4.6 Decision diagram for evaluating the probable cost
effectiveness of a proposed task when scheduled maintenance is not
required to protect operating safety or the availability of hidden
functions. The purpose of the decision technique is to reduce the
number of formal economic-tradeoff studies that must be
performed.
[Diagram questions: Is the functional-failure rate high? Does the failure involve operational consequences? Does any failure mode cause unusually high repair or operating costs? Do real and applicable data show the desirability of the proposed task? Does an economic-tradeoff study justify the task? Outcomes: Task is cost-effective; Task is not cost-effective.]


A yes answer to either of the preceding two questions means that
we need further information:
Do real and applicable data show the desirability of the proposed task?

It is possible to arrive at a yes answer to this question if there is substantial evidence that this task was cost-effective in the past for this or
a similar item. If so, the task can be scheduled without a formal study.
EXHIBIT 4.7 A pro forma for analyzing the support costs associated
with scheduled removals for rework. At least four proposed rework
intervals must be examined to determine whether a cost-effective
interval does exist.

item
annual volume of operation
proposed interval

Number of failures per year (1)
Average base cost of repairing a failed unit (2)
Annual base cost of repairing failed units
Number of failures that have operational consequences (3)
Average cost of operational consequences after failure
Annual cost of operational consequences
Number of scheduled removals per year
Average base cost for a time-expired unit (2)
Annual base cost for time-expired units
Number of spare units required to support workload
Cost of unit
Annual cost of spare units required

Total annual support costs (4)

1 It may be desirable to study a specific expensive failure mode separately.
2 Includes cost of removing and installing unit at line station and of
transporting it to and from the maintenance base.
3 The number of failures that have operational consequences may be different
from the total number of failures, since not every failure will have such
consequences.
4 If the change in volume of work at the maintenance base results in a change
in facility requirements, the annual cost of such changes should be included
in the support costs.


Otherwise the question of economic tradeoff must be evaluated for
each of the applicable maintenance tasks:
Does an economic-tradeoff study justify the task?

An economic-tradeoff study involves several steps:

An estimate of the incremental effect of the task on the failure rate of the item for several different task intervals

A translation of the reduced failure rate into cost reductions

An estimate of the cost of performing the proposed task for each of the intervals considered

Determination of the interval, if one exists, at which the cost-benefit ratio is the most favorable

Exhibit 4.7 shows a pro forma for evaluating the cost effectiveness of a
scheduled rework task. As we saw in Chapter 3, the cost factors for on-condition tasks and scheduled rework tasks are quite different. Scheduled removals increase both the total shop volume and the number of
spare units required to replace the units that are undergoing rework.
Consequently, unless the frequency of a very expensive failure is materially reduced by an age limit, the total cost of this task will usually
outweigh its economic benefits.
In contrast, the total number of potential failures removed as a
result of on-condition inspections is not appreciably greater than it
would be if each unit were allowed to fail. Moreover, the cost of repairing potential failures is usually less than the cost of repair after a functional failure. As a result, on-condition inspection tasks, when they are
applicable, are relatively easy to justify.
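
The screening questions of this section and the rework pro forma can be carried through on numbers. This is an added Python example, not part of the original book; every figure in it is constructed for illustration, and the field `spare_per_year` (a yearly charge per spare unit) is an assumption, since the pro forma does not say how the cost of a unit is converted to an annual cost.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


def screen(rate_high: bool, operational: bool, costly_mode: bool,
           data_support: Optional[bool]) -> str:
    """Screening questions asked before a formal economic-tradeoff study."""
    if not rate_high:
        return "not cost-effective"      # rare noncritical failures are ruled out
    if not (operational or costly_mode):
        return "not cost-effective"      # neither question calls for more information
    if data_support:
        return "cost-effective"          # real and applicable data justify the task
    return "tradeoff study"              # evaluate the pro forma per interval


@dataclass(frozen=True)
class ProForma:
    """Yearly quantities for one proposed rework interval (None = no rework)."""
    interval_hours: Optional[int]
    failures: int        # number of failures per year
    op_failures: int     # failures that have operational consequences
    removals: int        # scheduled removals per year
    spares: int          # spare units required to support workload


@dataclass(frozen=True)
class Costs:
    repair: int          # average base cost of repairing a failed unit
    op_consequence: int  # average cost of operational consequences after failure
    rework: int          # average base cost for a time-expired unit
    spare_per_year: int  # assumption: annual charge per spare unit


def total_support_cost(p: ProForma, c: Costs) -> int:
    """Total annual support cost: the bottom line of the pro forma."""
    return (p.failures * c.repair + p.op_failures * c.op_consequence
            + p.removals * c.rework + p.spares * c.spare_per_year)


def best_interval(baseline: ProForma, candidates: Sequence[ProForma],
                  c: Costs) -> Optional[int]:
    """Cheapest interval if it beats no scheduled rework, otherwise None."""
    if len(candidates) < 4:
        raise ValueError("at least four proposed intervals must be examined")
    best = min(candidates, key=lambda p: total_support_cost(p, c))
    if total_support_cost(best, c) < total_support_cost(baseline, c):
        return best.interval_hours
    return None


# Constructed sample data: shorter intervals cut failures but add removals and spares.
BASELINE = ProForma(None, failures=40, op_failures=10, removals=0, spares=3)
CANDIDATES = [
    ProForma(8000, failures=38, op_failures=9, removals=8, spares=3),
    ProForma(6000, failures=35, op_failures=8, removals=12, spares=4),
    ProForma(4000, failures=30, op_failures=7, removals=25, spares=5),
    ProForma(2000, failures=22, op_failures=5, removals=60, spares=7),
]
ORDINARY = Costs(repair=2000, op_consequence=5000, rework=1500, spare_per_year=5000)
EXPENSIVE = Costs(repair=2000, op_consequence=50000, rework=1500, spare_per_year=5000)

if __name__ == "__main__":
    print(screen(True, True, False, None))
    print(best_interval(BASELINE, CANDIDATES, ORDINARY))   # no interval pays off
    print(best_interval(BASELINE, CANDIDATES, EXPENSIVE))  # expensive failures do
```

With the ordinary cost figures every proposed interval costs more than no scheduled rework; only when each operational failure is made very expensive does an age limit pay for its added removals and spares.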
The important role of cost effectiveness in RCM decision making
helps to clarify the nature of inherent reliability characteristics. The
inherent reliability of an item is not the length of time it will survive
with no failures; rather, it is the level of reliability the item will exhibit
when it is protected by preventive maintenance and adequate servicing
and lubrication. The degree of reliability that can be achieved, however,
depends on certain characteristics that are a direct result of the design
details of the equipment and the manufacturing processes that produced it. These characteristics determine both the need for preventive
maintenance and the effectiveness with which it can be provided. Thus
from a maintenance standpoint inherent reliability characteristics are
decision factors such as those listed in Exhibit 4.8. Note that the answer
to each of the questions in Exhibit 4.4 requires a knowledge of at least
one of these characteristics.

EXHIBIT 4.8 Examples of inherent reliability characteristics and their
impact on decision making. Each decision question in Exhibit 4.4
requires a knowledge of at least one of these characteristics. In the
absence of this knowledge, a default answer must be employed in
developing an initial scheduled-maintenance program.
[Table; legible rows: Need for safe-life limits to prevent critical failures: determines applicability and interval of safe-life discard tasks. Need for servicing and lubrication: determines applicability and interval of servicing and lubrication tasks.]


The test of cost effectiveness means that an RCM program will not
include some tasks that might reduce the likelihood of noncritical failures. However, when a failure has economic consequences the inclusion
of a task that is not cost-effective would merely transfer these consequences from one cost category to another; it would not reduce them.
Thus the cost factors on both sides must be considered inherent reliability characteristics, since they dictate the level of reliability that is
feasible for an existing design. Within this framework, RCM analysis
ensures all the operating reliability of which the equipment is capable.
Moreover, it results in a selection of only those tasks which will accomplish this objective; hence it also provides the required maintenance
protection at minimum cost.
Certain of the inherent reliability characteristics of new equipment
are unknown at the time a prior-to-service maintenance program is
developed. Consequently the initial program is somewhat more expensive than later refinements of it will be (although it is still a minimum-cost program in terms of the information available at the time). This
situation is inevitable because of the default decisions necessary to
protect the equipment in the absence of full information. It is not too
serious a matter, however, because of the relatively slow rate at which
fleets of new equipment grow. For example, the Boeing 727 fleet shown
in Exhibit 4.9 took six years to reach its maximum size of 150 aircraft.
Although the full fleet finally flew more than 400,000 total hours a year,
the 20 planes in service by the end of the first year had flown a total of
only 34,300 hours. Thus the maintenance costs stemming from these
initial default decisions have little overall economic impact and will be
materially reduced with the information available by the time the fleet
reaches full size.
EXHIBIT 4.9 Examples of fleet growth in a commercial airline. Each
purchasing airline has a maximum rate at which it can accept new
airplanes, determined by training and staffing requirements. The rate
at which new equipment can enter service is highest for large airlines.
(United Airlines)

4.5 AGE EXPLORATION

determination of potential-failure age
opportunity sampling

One of the most important aspects of an initial RCM program is age
exploration to determine the applicability of certain tasks and the most
effective intervals for others. In the case of aircraft this process starts
with the manufacturer's certification test flights, during which some of
the most frequent types of failures will be identified. If some of these
failures have major consequences, product improvement will be initiated before any equipment is delivered to the purchaser. The information obtained during the certification period, however, identifies only
those items that have failed - presumably those with a high probability
of failure. The entire certification program for a new commercial transport plane requires a total of only 1,500 to 2,000 flight hours accumulated on the five or six planes assigned to the program. The flying time
for any one test plane is usually no more than 400 or 500 hours. In contrast, once a plane is put into service, it may fly 300 or more hours a
month. At this point we can begin to acquire information on the additional reliability characteristics of the equipment.
As we saw in Section 3.1, the applicability of an on-condition task
depends on the ability to measure reduced failure resistance. Its effectiveness, however, depends on the interval between inspections. The
same holds true for failure-finding tasks assigned to hidden-function
items. For this reason all such tasks are assigned conservatively short
intervals in an initial program, and all items whose failure could have
safety or major economic consequences are carefully monitored by frequent sample inspections to determine the exact effect of operating age
on their condition. The simple metal part illustrated in Exhibit 3.1, for
example, would initially be monitored at the intervals shown in Exhibit 4.10 to determine the exact point to be defined as a potential failure, the age at which inspections should start, and the most effective
interval between inspections.
Because on-condition inspections play a large role in the maintenance programs for turbine engines, some interesting practices have
evolved to reduce the cost of obtaining this information. When an
initial program is being developed, experience with earlier types of
engines will suggest many parts that might benefit from on-condition
tasks, as well as some that might benefit from scheduled rework. Consequently the sample inspections required for age exploration make up
a large part of the initial maintenance program for any powerplant.
Some of these inspections can be performed while the engine is
installed, but others can be performed only at a major maintenance base
after a certain amount of disassembly of the engine. The "on-the-wing"
inspections are handled by an initial requirement for early inspection
of the item on all engines. However, if inspection of the first few engines
to reach this limit discloses no unsatisfactory conditions, the limit for
the remaining engines is extended. Thus very few engines are actually
inspected at any fixed time limit until the point at which it becomes
desirable to stop extending the limit.

EXHIBIT 4.10 Initial sampling intervals assigned in an age-exploration program to determine the rate at which failure resistance
declines. Reduced resistance is not detectable until a visible crack
appears; thereafter the rate of crack propagation is monitored to
determine the exact point to be defined as a potential failure, the
point at which it is necessary to begin on-condition inspections, and
the most effective inspection interval to ensure that all failing units
will be identified at the potential-failure stage.
[Figure labels: Sample-inspection intervals; Functional failure.]

For those parts that require engine disassembly for inspection,
the practice is to define an age limit at which inspection information is considered to be of value. The initial operating age of a part
might be limited, for example, to 1,500 hours without inspection, and
the threshold age for valid sampling information might be set at 500
hours. This was done for the General Electric CF6-6 engine in the Douglas DC-10. In that case the FAA required inspection of two sets of parts
(equivalent to two engines) to justify an increase in the 1,500-hour limit.
The initial maintenance program stated that sampling information could
be obtained either from one part aged 500 to 1,000 hours and a second
part aged 1,000 to 1,500 hours, or else from two parts that were both


aged 1,000 to 1,500 hours. The two sets of part-inspection reports could
be based on the inspection of parts in any number of engines.
The reason for this flexibility in scheduling is to take advantage of
opportunity samples, samples taken from engines that have failed and
have been sent back to the main base for repair. Any undamaged parts
from these engines can be used to meet the sampling requirements.
This procedure makes it unnecessary to schedule engine removals for
disassembly solely for the purpose of inspecting parts. Such forced
removals are necessary only when the required volume of sampling
cannot be obtained from opportunity samples. Because new types of
engines usually have high failure rates that create abundant opportunity samples, it is possible to make a careful evaluation of the condition of each part before any engines on the aircraft actually age to the
initial maximum limit.
On-condition inspections also play the primary role in the maintenance programs for structures. However, unlike powerplants, structure
does not provide opportunity samples. The structure is designed as an
integral unit, and corrective maintenance on any structural item removes
the entire airplane from service. Moreover, because the failure of any
major structural assembly is critical, all parts of the structure are
designed to survive to very high ages. In the case of structure, therefore,
the inspection program itself is the only vehicle for age exploration, and
the inspection samples consist of individual airplanes, rather than
samples of parts from different airplanes. The initial inspection interval
for each structurally significant item is set at only a fraction of the age
at which evidence of deterioration is expected to appear, not only to
find and correct any conditions that may reduce the anticipated design
life, but also to identify the age at which reduced failure resistance first
becomes evident.
Whereas powerplant items are continually interchanged and replaced as part of the normal repair cycle, structural members are repaired,
but are rarely replaced with new parts. Consequently the age of most
parts of a given structure is the same as the total age of the airplane. This
makes it possible to concentrate age-exploration activities on the highest
total-time airplanes. The first few airplanes to reach the initial limit
established for major structural inspections are designated as inspection
samples. All inspection findings for these airplanes are carefully documented, so that any changes in their condition with age can be identified
before younger airplanes reach this age. If there are no signs of deterioration, the starting intervals in the initial program will usually be
increased for the remaining airplanes in the fleet.
Age exploration of systems items is conducted on still another basis.
Systems items are generally characterized by low reliability; hence they
provide abundant opportunity samples. However, because systems failures are rarely critical and so many systems items cannot benefit from
scheduled maintenance, extensive inspection of opportunity samples is
usually not justified by the value of the information obtained. In this
case the frequency of failures is likely to have greater economic impact
than the consequences of individual failures. Thus for systems items
age exploration is based primarily on the monitoring and analysis of
failure data to determine the cost effectiveness of proposed tasks.
In the following chapter we will examine the many other aspects of
the age-exploration process.

4.6 PACKAGING THE MAINTENANCE TASKS


Once each maintenance task in the prior-to-service program has been
assigned an appropriate initial interval, either for the purpose of age
exploration or on the basis of conservative judgment, the RCM tasks
are combined with other scheduled tasks - the servicing and lubrication tasks specified by the manufacturer and the scheduled zonal-installation inspections. All the tasks with similar intervals are then
grouped into a number of maintenance packages, each with its own interval. The principle is the same as that spelled out in new-car warranties,
which specify a certain group of servicing and inspection tasks to be
performed every 1,000 miles, another to be performed every 5,000 miles,
and so on. For commercial aircraft these intervals range from between-flight checks at every station to major inspections at eight- to ten-year
intervals at a maintenance base.
This grouping results in slightly more frequent performance of
some tasks than is strictly necessary, but the additional cost is justified
by the increase in maintenance efficiency. Those tasks that are most
expensive, both in actual cost and in terms of down time for out-of-service equipment, tend to shape the overall package. Thus if one task
must be performed every 1,000 miles and another can be done easily
at the same time, they will both be scheduled for that interval. If the
second task is required, say, every 2,500 miles, it will be scheduled
every other time the first task is done, and so on.
Airlines frequently give each of the major scheduled-maintenance
packages an alphabetic designation; hence they are commonly known
as letter checks. An A check might be performed every 125 hours of
flight time, a B check every 900 hours, and so on. Exhibit 4.11 shows the
sequence of letter checks as they would occur for an airplane over an
operating period of 3,600 hours. The content of a given letter check will
not necessarily be the same every time it is performed, since some tasks
will come up only at every second or third occurrence of that check.
However, the fact that the more extensive packages occur at longer
intervals means that as the level of work increases, fewer stations need
to be equipped to handle it.


EXHIBIT 4.11 A sample schedule of maintenance packages. Each
work package includes all the scheduled tasks to be performed at that
interval. The A check includes all tasks scheduled at 125-hour
intervals; the B check consists of all tasks scheduled at 900-hour
intervals, as well as the A check that would otherwise be performed at
that interval; and the C check, scheduled for 3,600-hour intervals,
includes all the tasks scheduled for that interval, along with both the
A and B checks that would ordinarily take place at that time. The A
checks are performed at any of several line-maintenance stations.
Planes are routed to a few large maintenance stations for B checks,
and C checks are performed at the maintenance base.
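
The packaging rule of this section and the letter-check sequence of Exhibit 4.11 can be worked through in a short program. The Python sketch below is an added example, not part of the original text: the task names and their required intervals are constructed, and restarting the 125-hour A-check clock after each B or C check is an assumption made here because 900 is not a multiple of 125.

```python
# Package intervals in flight hours, from the text: A = 125, B = 900, C = 3,600.
PACKAGES = {"A": 125, "B": 900, "C": 3600}
ORDER = ["A", "B", "C"]  # lowest to highest level

# Constructed sample tasks: name -> longest acceptable interval (flight hours).
SAMPLE_TASKS = {
    "tire wear check": 125,
    "filter inspection": 300,
    "actuator lubrication": 1000,
    "duct inspection": 2000,
    "bulkhead inspection": 3600,
}


def assign_task(required_hours):
    """Return (letter, every_nth, effective_hours) for one task.

    The task goes into the package, at every nth occurrence, that gives the
    longest effective interval not exceeding what the task requires.
    """
    best = None
    for i, letter in enumerate(ORDER):
        base = PACKAGES[letter]
        every_nth = required_hours // base
        if every_nth < 1:
            break  # this package and all higher ones come round too rarely
        if i + 1 < len(ORDER):
            # Past this multiple the task would ride with the next package up.
            every_nth = min(every_nth, (PACKAGES[ORDER[i + 1]] - 1) // base)
        candidate = (letter, every_nth, base * every_nth)
        if best is None or candidate[2] >= best[2]:
            best = candidate
    if best is None:
        raise ValueError("required interval is shorter than the A check")
    return best


def check_sequence(horizon_hours):
    """List (flight_hours, letter) for every check up to the horizon.

    B and C checks fall on multiples of their own intervals. An A check is
    due 125 hours after the previous check of any level (assumption).
    """
    events, last = [], 0
    while True:
        due_a = last + PACKAGES["A"]
        due_b = (last // PACKAGES["B"] + 1) * PACKAGES["B"]
        hours = min(due_a, due_b)
        if hours > horizon_hours:
            return events
        if hours % PACKAGES["C"] == 0:
            letter = "C"
        elif hours % PACKAGES["B"] == 0:
            letter = "B"
        else:
            letter = "A"
        events.append((hours, letter))
        last = hours


def work_plan(tasks, horizon_hours):
    """Return [(flight_hours, letter, [task names due])] for each check.

    A higher check counts as an occurrence of every lower check, so a task
    assigned to every second A check is also picked up at a B or C check.
    """
    assignments = {name: assign_task(hours) for name, hours in tasks.items()}
    counters = {letter: 0 for letter in ORDER}
    plan = []
    for hours, letter in check_sequence(horizon_hours):
        due = []
        for lower in ORDER[: ORDER.index(letter) + 1]:
            counters[lower] += 1
            for name, (package, every_nth, _) in assignments.items():
                if package == lower and counters[lower] % every_nth == 0:
                    due.append(name)
        plan.append((hours, letter, sorted(due)))
    return plan


if __name__ == "__main__":
    for name, hours in SAMPLE_TASKS.items():
        letter, every_nth, effective = assign_task(hours)
        print(f"{name}: required {hours} h -> {letter}{every_nth} ({effective} h)")
    for hours, letter, due in work_plan(SAMPLE_TASKS, 3600):
        if letter != "A":
            print(hours, letter, due)
```

Every sample task ends up performed at least as often as it requires, which is the "slightly more frequent performance" the text accepts in exchange for packaging efficiency.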


In addition to the letter checks, which package the expensive or
time-consuming tasks, there are a number of smaller service packages.
For example, a #1 service check might include those tasks scheduled
for every stop at a line maintenance station, and a #2 service check
might be scheduled for every stopover of more than five hours (unless
a higher-level package is being performed), and so on.
The entire scheduled-maintenance program, packaged for actual
implementation, must be completed and approved before any new aircraft can enter service. Up to this point RCM analysis has provided us
with a set of tasks based on those reliability characteristics that can be
determined from a knowledge of the equipment and the operating context. Once the equipment enters service a whole new set of information
will come to light, and from this point on the maintenance program will
evolve on the basis of data from actual operating experience. This
process will continue throughout the service life of the equipment, so
that at every stage maintenance decisions are based, not on an estimate
of what the reliability is likely to be, but on the specific reliability characteristics that can be determined at that time.

evolution of the RCM program

IN THE preceding chapters we have examined the framework of RCM
analysis and the decision process that leads to the selection of tasks for
an initial maintenance program. After the equipment enters service
information becomes available about its actual interaction with the
operating environment. This information almost certainly contains
some surprises - unanticipated types of failures, unexpected failure
consequences, unusually high failure rates, or even an absence of anticipated failures. Because the volume of operation is small at first, information is gained at that time about the failures that are likely to occur
soonest and with the greatest frequency. As operating time accumulates, the less frequent types of failures are discovered, as well as those
that tend to occur at higher operating ages. All this information is used
for continuing evolution of the ongoing maintenance program.
Any complex equipment is a failure generator, and failure events
will occur throughout its whole operating life. The response to these
events depends on the failure consequences. If an unanticipated failure
has serious implications for safety, the first occurrence sets in motion
an immediate cycle of maintenance and design changes. In other cases
waiting until several failures have occurred allows a better assessment
of their frequency to determine the economic benefits of preventive
tasks, or possibly redesign. Very often waiting until enough failures
have occurred to permit an evaluation of age-reliability relationships
provides the information necessary to modify the initial maintenance
decisions.
Evolution of the scheduled-maintenance program does not consist
solely of reactions to unanticipated failures. The information that becomes available - including the absence of failures - is also used for
systematic evaluation of all tasks in the initial program. On the basis of
actual data, the initial conservative intervals for on-condition inspections can be adjusted and the applicability of scheduled rework and
economic-life tasks can be investigated. Actual operations will frequently confirm the a priori assessments of failure consequences, but
occasionally the consequences will be found to be more serious or less
serious than anticipated, or a failure thought to be evident to the operating crew is not, and vice versa. The process by which all this information is obtained is called age exploration, both because the amount of
information is a direct function of the age of the equipment in service
and because some of this information relates to the ages of the items
themselves.

5.1 THE USES OF OPERATING DATA


It is important to recognize, both in planning a prior-to-service program and at the age-exploration stage, that a fleet of equipment does
not materialize overnight. In commercial aviation new planes are
delivered to an airline at a rate of one to four a month, and as we saw
in Exhibit 4.9, the number of aircraft in service and the associated
volume of operations builds up slowly. This allows us to concentrate
first on the most frequent failures (since those that occur early will
continue to occur early after either delivery or repair) or on those
failures with the most serious consequences. As the volume of operations increases, the less frequent failures come to light and can be
dealt with later. In a military environment, where operating experience
does not accumulate as rapidly, this latter information may be obtained
by deliberate heavy use of the first few pieces of equipment - the fleet-leader concept - although the small size of the sample data presents a
serious drawback.


The reliability information obtained from actual operating experience is quite varied. Although the failure rate plays a role early in operation in pinpointing design problems and evaluating task effectiveness,
an age-exploration program is organized to provide the following kinds
of information:

The types of failures the equipment is actually exposed to, as well
as their frequencies

The consequences of each failure, ranging from direct safety hazards through serious operational consequences, high repair costs,
long out-of-service times for repair, to a deferred need to correct
inexpensive functional failures

Confirmation that functional failures classified as evident to the
operating crew are in fact evident during normal performance of
duties

Identification of the circumstances of failure to determine whether
the failure occurred during normal operation or was due to some
external factor, such as bird strike

EXHIBIT 5.1 Summary of the uses of new information in the
continuing evolution of the scheduled-maintenance program. After
the equipment enters service age exploration and the evaluation of
actual operating data continue throughout its entire service life.

refinements of initial maintenance program

proposed age-limit tasks:
  Determine age-reliability relationship to confirm that conditional
  probability of failure increases with age.
  If failures are age-related, determine whether a cost-effective
  age limit exists.
  If a cost-effective interval can be found, add task to program.

items assigned to no scheduled maintenance:
  Monitor and evaluate operational data to see whether some
  applicable and effective task can be developed.

inspection tasks:
  Confirm that reduction in failure resistance is visible.
  Determine rate of reduction in failure resistance.
  Confirm or modify defined potential-failure condition.
  Adjust inspection interval and age for first inspection, if applicable.

Confirmation that on-condition inspections are really measuring
the reduction in resistance to a particular failure mode

The actual rates of reduction in failure resistance, to determine
optimum inspection intervals

The mechanism involved in certain failure modes, to identify new
forms of on-condition inspection and parts that require design
improvement

Identification of tasks assigned as default actions in the initial
program which do not prove applicable and effective

Identification of maintenance packages that are generating few
trouble reports

Identification of items that are not generating trouble reports

The ages at which failures occur, so that the applicability of scheduled rework and discard tasks can be determined by actuarial
analysis

Exhibit 5.1 summarizes the uses of all this information in refining and
revising the initial maintenance program. The refinements are useful,
but their overall economic impact is usually quite small. The major
revisions are associated with unanticipated failures, design modifications, and the exploitation of new inspection technology; in this area
far greater economies are realized.

EXHIBIT 5.1 (continued)

major revisions to initial maintenance program

unanticipated failure modes or consequences:
  Develop on-condition tasks to prevent critical failures and to prevent or
  reduce frequency of expensive failures at low ages.
  Develop design changes necessary for permanent correction of problems.
  Develop failure-finding tasks for hidden functions not identified in
  initial program.
  Develop on-condition or other tasks to control critical or expensive failures at
  high ages, where product improvement may not be economically justified.

results of technological change, new or redesigned item:
  Conduct RCM analysis of item when it first enters service.
  Refine maintenance requirements through age exploration.

results of technological change, changes in inspection technology:
  Evaluate applicability and effectiveness of new on-condition techniques.

5.2 REACTING TO SERIOUS FAILURES

After new equipment enters service it may experience unanticipated


types of failures and failure consequences. The most serious of these
are usually in the powerplant and the basic structure. Although such
failures can occur at any point in the life of the equipment, they are
most likely to occur early in operation. The first failure may have such
serious implications for operating safety or economics that all operating
organizations and the manufacturer react immediately. Thus there is a
structured pattern of events associated with unanticipated failures
which results in a characteristic cycle of reliability improvement.
Suppose the unforeseen failure is a critical engine failure. As an
immediate step, engineering investigations are undertaken to determine whether some on-condition inspection or other preventive task
will be effective. This preventive measure may result in a substantial
increase in maintenance costs. With a new engine a large number of
engine removals, dictated either by the discovery of potential failures
or by scheduled removal of all units, will also make it difficult to provide replacement engines. The next step is action to redesign the parts
in which the failure mode originates. When the new parts are available,
all the engines in service must then be modified to incorporate the
change. Not all design changes are successful, and it may take several
attempts over a period of two or three years to correct the problem.
Once the problem has been eliminated, the scheduled-maintenance tasks
instituted to control this type of failure are no longer necessary and can
be discontinued.
Exhibit 5.2 illustrates this cycle. A year after this engine entered
service two critical failures occurred during a three-month period. Both
failures were found to be caused by notch wear in the third-stage turbine blades. Since this failure mode was also found to be detectable at
the potential-failure stage, a line-maintenance on-condition inspection
was specified to check for loose turbine blades. Frequent inspection
intervals resulted in a large number of engine removals for this condition, but removal of these potential failures prevented any further
functional failures. The turbine blade was redesigned, and halfway
through the following year modification of the existing engines was
started to incorporate the new "low-swirl" blades. The on-condition
inspections were continued, but as more and more modified engines

EXHIBIT 5.2 The pattern of events associated with an unanticipated
critical failure mode in the Pratt & Whitney JT4 engine. The data
represent all engine removals for this failure mode, the first two as
functional failures and the rest as potential failures found by an
on-condition task developed after the first failure events. These
premature removals prevented all further functional failures, and as
modified engines entered service, the number of potential failures
also decreased. When no further potential failures were found,
the on-condition task was deleted from the program.
(United Airlines)
(Figure annotation: installation of low-swirl blades.)

entered service, the number of premature removals (potential failures)
dropped. Finally, about three years after the first two failures, the on-condition inspections were discontinued.
In new equipment the scheduled-maintenance tasks generated in
response to early critical failures are nearly always on-condition inspections. Age-limit tasks are not likely to be feasible, since there are no
data for actuarial analysis, and in the case of early failures, taking some
fraction of the age at failure as a safe-life limit could easily be ineffective. Moreover, a short safe-life limit might effectively preclude
continued operation of the equipment, since it would be difficult to
provide the labor and spare parts needed for such intensive maintenance. The definition of an applicable on-condition task, however, may
require great ingenuity. The failure mode must be determined, and a
specific part that shows physical evidence of reduced failure resistance
must be identified. Then some means of inspecting the part while it is
still installed must be devised.
Under these circumstances both the potential-failure point and the
inspection interval will be established on a very conservative basis. As
soon as the on-condition task is implemented, all the equipment in


service is inspected. This first inspection of the fleet often leads to a


large number of removals for the newly defined potential failure. The
rate of removal after this first inspection will be much lower, of course.
It may be low enough to justify increasing the initial conservative inspection interval, but the inspections themselves will be continued
until experience has demonstrated that the problem no longer exists.
The cycle for early structural difficulties is similar. Once again, it is
necessary to determine the failure mode and devise an on-condition
inspection for potential failures. In this case the inspections may be
scheduled as often as once every flight cycle or at intervals as long as
2,000 or 3,000 flight cycles. Again, even though the incidence of potential failures turns out to be relatively low after the first fleet inspection,
the task itself is continued until the design can be modified.
Serious unanticipated failures do not necessarily occur early in the
life of new equipment. At later ages, however, such failures may not
lead to design changes. The first response is still the same - the development of new scheduled-maintenance tasks. At this stage the imposition
of safe-life limits may be both technically and economically feasible.
On-condition tasks may also be applicable, but the inspections can be
scheduled to begin at a relatively high age and may have longer intervals. Unless the failure mode is strongly related to age, in which case a
life-limit task may be more appropriate, the number of potential failures found by on-condition inspections will be far lower than in relatively new equipment. Depending on the age of the equipment, the
cost of redesign may not be warranted, since economic justification
depends on the remaining technologically useful life of the equipment.
One further way of coping with failure is to restrict operating procedures to put less stress on a vulnerable component until it can be
redesigned. Sometimes the opposite strategy is also useful. When no
specific potential-failure condition can be identified, it may be possible
to preempt a serious failure by inducing it under other circumstances.
In one such case failures of a compressor disk on a tail-mounted turbine
engine were occurring at very low ages, and no on-condition inspections were feasible. It was possible to keep the plane in service, however, by requiring the pilot to brake at the end of the runway and apply
takeoff thrust with the aircraft stationary. The peak stress on the disk
occurred when takeoff thrust was first applied and decreased as the disk
warmed up. Thus if the disk did not fail during warmup, it was unlikely
to do so during flight. This strategy resulted in several expensive failures, but they were not critical on the ground, whereas the secondary
effects of disk failure would have been critical in flight.
A new piece of complex equipment often experiences a high failure
rate. Often, too, the majority of these failures result from a small number
of failure modes. In the case of aircraft engines the conditional probabilities of such dominant failure modes will frequently increase rapidly
with operating age. Exhibit 5.3 shows the results of successive analyses
of an engine that entered service in 1964. At that time its initial reliability was poor, the conditional probability of failure was high, and
this probability increased rapidly with age. However, the increase was
linear and showed no identifiable wearout zone. Within a few months
the reliability of this engine was substantially improved by design
modifications directed at the dominant failure modes. The initial high
failure rate brought the unmodified engines into the shop very frequently, which facilitated fairly rapid incorporation of the modified
parts. Consequently the conditional probability of failure continued
to drop, and ultimately the reliability of this engine showed no relationship to operating age.
Once the early dominant failure modes in an engine are disposed
of, it becomes increasingly difficult to make further improvements.
Because of its complexity, the engine will always be subject to many
different failure modes, and some may even be dominant. However,
the failure probability associated with any given mode is too low to
justify further development of the engine. The difference between an
item's initial and mature failure rate is its improvable failure rate - the
EXHIBIT 5.3 Results of successive age-reliability analyses of the
Pratt & Whitney JT8D engine of the Boeing 727. As engineering
improvements gradually overcame dominant failure modes, the
conditional-probability curve continued to flatten until it eventually
showed no relationship of engine reliability to operating age.
(United Airlines)
(Figure: curves for successive analysis periods, beginning with October-December 1964 and January-February 1966; horizontal axis: operating age since last shop visit, in flight hours.)

EXHIBIT 5.4 Comparison of actual failure rates of the Pratt &
Whitney JT8D engine with a forecast made in December 1965. During
initial operation the failure rate based on small samples will show
large variations in different calendar periods. However, since reliability
improvement is characteristically exponential, it is possible to predict
the expected reduction in failure rate over a longer calendar period.
The temporary variation from the forecast level in this case was the
result of a new dominant failure mode which took several years to
resolve by redesign. (United Airlines)


portion that will be eliminated by product improvement. If a particular


engine has a failure rate of 2 per 1,000 hours when it first enters service
and we anticipate that its failure rate will ultimately drop to 0.3, then
the improvable failure rate is 1.7.
In many cases the improvable failure rate declines exponentially
over calendar time - that is, the percentage of reduction remains constant, although the amount of reduction becomes smaller as the failure
rate is reduced. This percentage has been as much as 40 percent a year
for engines in a commercial-airline environment. Such a high degree of
improvement is possible only when a large number of engines are in
service to generate the failure data required both to direct product
improvement and to lower its unit cost. The fact that improvement is
characteristically exponential enables us to plot reliability growth in
new equipment with a fair degree of success. Exhibit 5.4 shows a comparison of actual failure experience with a forecast that was made in

1965. The forecast was reasonably good until 1968, when a new failure
mode became dominant. This problem took nearly three years to resolve, after which the failure rate dropped back to the forecast level.
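
The exponential decline of the improvable failure rate can be turned into a forecast, fitted to observed rates, and used to flag periods that depart from the forecast, as happened in Exhibit 5.4. The Python sketch below is an added example, not part of the original text: it uses the figures quoted above (2 failures per 1,000 hours initially, 0.3 at maturity, 40 percent reduction a year), while the yearly observations and the 25 percent tolerance are constructed and are not the Exhibit 5.4 data.

```python
import math

# Constructed (year, failures per 1,000 hours) observations, with a temporary
# rise in years 3 and 4 standing in for a new dominant failure mode.
CONSTRUCTED_OBSERVATIONS = [
    (0, 2.00), (1, 1.35), (2, 0.90), (3, 1.10), (4, 0.95), (5, 0.45),
]


def forecast_rate(initial, mature, annual_reduction, years):
    """Failure rate after `years`: mature rate plus the decaying improvable part."""
    improvable = initial - mature
    return mature + improvable * (1.0 - annual_reduction) ** years


def years_to_reach(initial, mature, annual_reduction, target):
    """Calendar years until the forecast rate falls to `target`."""
    if not mature < target <= initial:
        raise ValueError("target must lie between the mature and initial rates")
    ratio = (target - mature) / (initial - mature)
    return math.log(ratio) / math.log(1.0 - annual_reduction)


def fit_annual_reduction(observations, mature):
    """Estimate (annual_reduction, initial_rate) from (year, rate) pairs.

    Least-squares line through ln(rate - mature) against calendar time;
    observations at or below the mature rate carry no information and are
    skipped.
    """
    points = [(t, math.log(r - mature)) for t, r in observations if r > mature]
    if len(points) < 2:
        raise ValueError("need at least two observations above the mature rate")
    n = len(points)
    mean_t = sum(t for t, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in points)
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in points)
    slope = sxy / sxx
    intercept = mean_y - slope * mean_t
    return 1.0 - math.exp(slope), mature + math.exp(intercept)


def periods_off_forecast(observations, initial, mature, annual_reduction,
                         tolerance=0.25):
    """Years in which the observed rate exceeds the forecast by > tolerance."""
    return [
        t for t, rate in observations
        if rate > forecast_rate(initial, mature, annual_reduction, t)
        * (1.0 + tolerance)
    ]


if __name__ == "__main__":
    for year in range(6):
        print(year, round(forecast_rate(2.0, 0.3, 0.4, year), 3))
    print("years to reach 0.5:", round(years_to_reach(2.0, 0.3, 0.4, 0.5), 2))
    print("off forecast:",
          periods_off_forecast(CONSTRUCTED_OBSERVATIONS, 2.0, 0.3, 0.4))
```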

5.3 REFINING THE MAINTENANCE PROGRAM


The maintenance tasks added in response to unanticipated failures are
only one aspect of the age-exploration process. At the time the initial
program is developed certain reliability characteristics are unknown.
For example, the ability to measure reduced failure resistance can be
determined, but there is no information on the actual rate of reduction
as various items age in service. Similarly, the information necessary to
evaluate cost effectiveness and age-reliability relationships becomes
available only after the equipment has been in service for some time.
Once the maintenance program goes into effect, the results of the scheduled tasks provide the basis for adjusting the initial conservative task
intervals, and as further operating data become available the default
decisions made in the absence of information are gradually eliminated
from the program.

ADJUSTING TASK INTERVALS

As part of the initial program many items are scheduled for frequent
sample inspections to monitor their condition and performance, and
other tasks are assigned conservatively short initial intervals. All these
tasks are then packaged for implementation. If the first few units to
reach this check limit show no unsatisfactory conditions, it is safe to
assume that the task interval for the remaining units can be extended.
Any equipment that has aged to the present check limit is designated a
time-extension sample.
In many cases, as we saw in Chapter 4, the required number of
samples is provided by opportunity samples, units that are available
for inspection because they have failed for some reason related to only
one failure mode. In the case of engines, for example, the availability of
samples of a particular part depends on the number of shop visits occasioned by failures in the section of the engine containing that part.
Since a new type of engine is far more likely to experience failures of
components in the hot section than in the cold section, the engine data
in Exhibit 5.5 show far more opportunity samples for the exit guide-vane assembly than for the compressor assembly. In both cases, however, opportunity sampling provided a means of inspecting these parts
as they aged in service. Since there was no great difference between the
age of the highest-time installed part and the age of the highest-time
sample inspected, it was possible to extend the check limits for both

EXHIBIT 5.5 Effectiveness of opportunity sampling of the Pratt &
Whitney JT8D engine. Opportunity samples of the exit guide-vane
assembly (black) were more abundant than samples of the high-compressor assembly (red), but at every age the highest-time installed
unit was only slightly older than the highest-time inspected sample.
Thus any unsatisfactory condition detected in the sample would be
found before the remaining installed units had reached this age.
(United Airlines)


items until the age at which the sample units began to show signs of
deterioration.
Task intervals for systems and structural items are ordinarily increased by increasing the interval of the letter-check package in which
they have been included. However, if the inspection reports indicate
that the interval for some particular task in this package should not be
extended, the task must be moved to another package. A task originally
assigned to the C-check package, for instance, might be reassigned to
the package designated for every second B check. Conversely, there will
be tasks whose original intervals now appear far too conservative. In
this case the task interval might be increased, say, from C2 to C4 at the
same time that the C-check interval itself is being revised upward. The
same result can be achieved, of course, by leaving the intervals of all
packages fixed and moving all tasks from one package to another.
The management of maintenance packages requires careful planning. First, a schedule is needed for conducting the analysis necessary
to support each interval extension. This schedule must allow time for
the first few units that have entered service to age to the existing check
limit, and also time for the analysis necessary to assess the desirability
of extending the limit. The results of all inspections and corrective work
performed on these sample units must be carefully analyzed so that the
tasks for which intervals should not be extended can be moved to more
compatible packages. Tasks producing marginal results may stay with
the original package, but they should be noted for future attention. A
hard-time directory is usually maintained to identify tasks for which a
maximum interval appears likely. These tasks require closer study than
the others, and maintenance planning is facilitated by advance knowledge that they may be moved to a different package in the near future.
USES OF ACTUARIAL ANALYSIS IN AGE EXPLORATION

Whereas serious unanticipated failures prompt an immediate response,
action on infrequent failures or those with no major consequences is
usually delayed until enough information has been gathered to make a
full assessment of possible maintenance remedies. This is particularly
true with regard to rework tasks, since these tasks are applicable only
if the conditional-probability curve shows that an item has an identifiable wearout zone. Such curves are the result of an actuarial analysis in
which the number of failures during various age intervals is measured
in terms of the total exposure of the item (total operating time for all
units) and the probability of survival to that age interval.
An actuarial analysis does not require hundreds of failure events.
A survival curve can be constructed from the data on 20 functional failures, and if necessary, from a sample of 10. However, since it takes
several thousand operating hours to accumulate this many occurrences
of a given type of failure, there is sometimes concern about a surge of
failures as a result of wearout after a certain age. If all the units in service
were the same age this might be the case, but because of the slow
buildup of a fleet of airplanes, the ages of the units in service are widely
distributed. If the item is very reliable at lower ages, and the first failure
does not occur until some time after the fleet has reached full strength,
the age distribution of the in-service units at that time will be the same
as that of the planes in the fleet. This means that there may be a difference of five years or more between the ages of the oldest unit and the
newest one. If the item is not that reliable, there will be even fewer
high-time units, since many of the units on the older airplanes will be
replacements for units that have already failed.
It is this distribution in the ages of in-service units of an item that
makes it feasible to use actuarial analysis as a tool for age exploration.
If it is found that there is a sharp increase in the likelihood of failure at
higher ages, there is ample time to take preventive steps, since very few
units are actually approaching the "cliff" when it is discovered. It follows that attention is concentrated on the failure behavior of the oldest
units, so that in the event that there is a wearout zone, a rework task
can be added to the maintenance program long before the other units
reach this age.
Exhibit 5.6 shows the results of an actuarial analysis conducted to
determine whether complete rework of a turbine engine would be an
applicable task. The upper curve shows the total conditional probability
for all units removed and sent to the shop for corrective work, and the
lower curve shows the conditional probability of functional failures as
reported by the operating crew. The distance between these two curves
at any age represents the conditional probability of potential failures
detected by on-condition inspections. It is functional failures that have
safety or operational consequences, and the conditional probability of
such failures in this case is constant. Since functional failures are independent of the time since engine installation (last shop visit), operating
age is not a factor in the failure rate, and a rework task is therefore not
applicable.
The conditional-probability curve that includes potential failures
does show an increase with increasing age. However, we do not want to
reduce the incidence of potential failures except by redesign, since these
inspections for potential failures are clearly effective in reducing the
number of functional failures. As it is, each engine can remain in operation until a potential failure is detected, and under these conditions
there is no increase in the functional-failure rate with age. Thus the
on-condition task itself prevents a wearout zone for functional failures
and at the same time permits each engine to realize almost all of its
useful life.

EXHIBIT 5.6 Conditional-probability curves for the General Electric
CF6-6 engine of the Douglas DC-10. The upper curve shows the total
number of premature removals for both functional and potential
failures, and the lower curve shows the number of these units removed
as functional failures. Although the rate of potential failures increases
with operating age, as a result of effective on-condition inspections
the functional-failure rate is kept in check and shows no increase with
age. (United Airlines)
[Figure: horizontal axis, operating age since last shop visit (flight hours)]

EXHIBIT 5.7 Partitioning of a conditional-probability curve to show
the number of unverified failures and the number of verified failures
resulting from each of three failure modes. Note that the only high
infant mortality occurs from failure mode A; this results in an
upturn of the curves above it in a layered representation.
[Figure labels: infant mortality, failure mode A, failure mode B]

The relationship of verified and unverified failures can be examined in the same way to determine the effectiveness of troubleshooting
methods. This information is of value to those concerned with stocking
and allocating replacement units and spare parts, but it is also important in identifying the actual characteristics of verified failures, so that
the failure mode can be pinpointed more exactly and a more accurate
potential-failure condition can be defined.
Exhibit 5.7 shows the various age-reliability relationships that can
be developed for an item subject to several different failure modes. The
upper curve shows the conditional probability for all reported failures,
and the curve below it shows the conditional probability of verified
failures. The distance between these two curves represents the probability of unscheduled removals of units that are actually serviceable.
Thus the first curve represents the apparent reliability of the item and
the second curve represents its actual reliability.
To determine how we might improve the reliability of this item we
must examine the contribution of each failure mode to the total of verified failures. For example, failure modes A and B show no increase with
increasing age; hence any attempt to reduce the adverse age relationship must be directed at failure mode C. There is also a fairly high conditional probability of failure immediately after a shop visit as a result
of high infant mortality from failure mode A. The high incidence of
early failures from this failure mode could be due to a problem in shop
procedures. If so, the difficulty might be overcome by changing shop
specifications either to improve quality control or to break in a repaired
unit before it is returned to service. In the case of aircraft engines, for
example, shop procedures in commercial airlines include a test-cell run
at the end of the shop process, during which some engines are rejected
and sent back for further work. These test-cell rejects do not appear in
the failure count, since this count begins only after the engine is installed on the aircraft.
An actuarial analysis such as that in Exhibit 5.7 can direct improvements toward a great many different areas by indicating which factors
are actually involved in the failure behavior of the item. An analysis of
the Boeing 727 generator, for example, showed that the conditional
probability of generator failure did not increase with age until bearing
failures started at an age of 2,000 hours. This failure mode usually results
in destruction of the generator. Since a new generator costs about $2,500,
as opposed to $50 for a bearing replacement, a generator rework task
during which the bearing was discarded was both applicable and cost-effective at 4,000-hour intervals.
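
The actuarial calculation described in this section, carried through on a small data set, as an added example that is not from the original text: the conditional probability of failure in each age interval is estimated as failures per hour of exposure scaled to one interval, and is partitioned by failure mode as in Exhibit 5.7. The sample fleet, the 1,000-hour interval width, and the factor-of-two rule in `age_pattern` are assumptions made for the illustration.

```python
import math
from collections import defaultdict

# Constructed sample, not data from the book. Each row is
# (age in hours since last shop visit, outcome, number of units).
# outcome None = unit still installed at that age; "A"/"B"/"C" = verified
# failure mode. Ages sit on interval midpoints so the arithmetic is easy
# to check by hand.
SAMPLE = [
    (500, "A", 7), (500, "B", 7), (500, None, 6),
    (1500, "B", 5), (1500, None, 15),
    (2500, "B", 3), (2500, None, 17),
    (3500, "B", 1), (3500, "C", 3), (3500, None, 16),
]


def actuarial_table(records, width=1000):
    """One row per age interval: exposure hours, conditional probability of
    failure (per mode and total), and probability of surviving to the start
    of the interval."""
    for age, _, count in records:
        if age <= 0 or count <= 0:
            raise ValueError("age and count must be positive")
    n = math.ceil(max(age for age, _, _ in records) / width)
    exposure = [0.0] * n
    failed = [defaultdict(int) for _ in range(n)]
    for age, outcome, count in records:
        for k in range(n):
            # Hours each unit operated inside interval k before it failed
            # or before the data cutoff.
            exposure[k] += count * min(max(age - k * width, 0), width)
        if outcome is not None:
            # A failure at exactly k*width is counted in the interval it ends.
            failed[math.ceil(age / width) - 1][outcome] += count

    modes = sorted({o for _, o, _ in records if o is not None})
    rows, survival = [], 1.0
    for k in range(n):
        # Failures per exposure hour, scaled to a full interval. The
        # approximation is only meaningful while the result is well below 1.
        q = {m: min(failed[k][m] * width / exposure[k], 1.0) for m in modes}
        q_total = min(sum(q.values()), 1.0)
        rows.append({
            "start": k * width,
            "exposure_hours": exposure[k],
            "q": q,
            "q_total": q_total,
            "survival_to_start": survival,
        })
        survival *= 1.0 - q_total
    return rows


def curve(rows, mode=None):
    """Conditional-probability curve for one failure mode, or for all
    verified failures when mode is None."""
    return [r["q_total"] if mode is None else r["q"][mode] for r in rows]


def age_pattern(q, factor=2.0):
    """Rule of thumb assumed for this example: infant mortality if the first
    interval exceeds `factor` times the mean of the later ones, wearout if
    the last interval exceeds `factor` times the mean of the earlier ones."""
    if len(q) < 2:
        raise ValueError("need at least two age intervals")
    later, earlier = q[1:], q[:-1]
    return {
        "infant_mortality": q[0] > 0 and q[0] > factor * sum(later) / len(later),
        "wearout": q[-1] > 0 and q[-1] > factor * sum(earlier) / len(earlier),
    }


if __name__ == "__main__":
    table = actuarial_table(SAMPLE)
    for r in table:
        per_mode = "  ".join(f"{m}={p:.3f}" for m, p in r["q"].items())
        print(f"{r['start']:>5} h  exposure={r['exposure_hours']:>7.0f} h  "
              f"q={r['q_total']:.3f}  ({per_mode})  "
              f"survival to start={r['survival_to_start']:.3f}")
    for m in (None, "A", "B", "C"):
        print(m or "all", age_pattern(curve(table, m)))
```

On this sample the total curve shows wearout in the oldest interval, and the per-mode curves attribute it to mode C alone, with mode B flat and mode A confined to the first interval after the shop visit.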

5.4 REVISIONS IN MAINTENANCE REQUIREMENTS

new diagnostic techniques
design changes

The maintenance tasks instituted in response to serious unanticipated
failures are usually interim measures, intended to control the problem
until it can be resolved by redesign. Two kinds of technological change,
however, may lead to revision of the requirements for scheduled maintenance: the development of new diagnostic techniques and modification of the present equipment.
NEW DIAGNOSTIC TECHNIQUES
Most on-condition inspections are diagnostic techniques, since they
measure resistance to failure to identify specific problems. The earliest
and simplest technique used for aircraft was visual examination, perhaps aided by a magnifying glass. This visual inspection was extended
by development of the borescope. Numerous other techniques have
been developed for detecting cracks in metallic items, such as eddy-current, magnaflux, and zyglo inspections. Radiography is also widely
employed, not only for detecting cracks, but also to check clearances and
changes in configuration without the need to disassemble the item.
A useful diagnostic technique must be able to detect some specific
condition that can confidently be defined as a potential failure. It should
be sufficiently accurate to identify all units that have reached this condition without including a large number of units for which failure is
remote. In other words, such techniques must provide a high power of
discrimination. The demand for such discrimination depends in part
on the consequences of failure. A technique with low resolving power
might be of value for single-engine aircraft if it prevented even a small
number of engine failures, despite the fact that it caused numerous
unjustified removals. For a multiengine aircraft the same technique
would be unnecessary as a safety precaution and undesirable in economic terms.
Certain diagnostic techniques appear to have great potential but
will require further development before they can be universally adopted.
For example, spectrographic analysis is sometimes used to detect wear in
metal parts by measuring the concentration of metallic elements in
lubricating oil. In many cases, however, it has been difficult to define a
failure condition related to the metal concentrations. Parts have failed
without the expected warning, and warnings have not necessarily been
associated with imminent failure. Even a change in the brand of oil may
necessitate new criteria for interpreting the analysis. Nevertheless, if
the failure is one with major consequences, even a low incidence of
successful interpretations (and prevented failures) may offset the cost
of the inspections that produced no useful information.
Another recent technique is the use of computerized airborne integrated data systems (AIDS), which measure and record the performance
characteristics of many items for later study. Some of these characteristics, especially in powerplants, are also monitored by the normal flight
instrumentation, but the data are not automatically recorded and integrated with other data. This procedure opens up the possibility of
correlating performance trends with the likelihood of failures, or "establishing a signature" for the failure mode. By revealing a previously overlooked indication of reduced resistance to failure, AIDS may make it
possible to prevent certain functional failures by on-condition maintenance. The new data systems have in fact assisted in troubleshooting,
and they have indicated engine conditions that increase the stress on
certain internal parts. However, their success in performing a true (and
continuous) on-condition surveillance has so far been limited. Once
again, this system may be worthwhile for some organizations if analysis
convinces them that the value of its contribution outweighs its costs.


As we have seen, scheduled rework tasks have limited applicability, and discard tasks apply only under rather special circumstances.
Major improvements in maintenance effectiveness depend, therefore,
on expanded use of diagnostic techniques. The search for additional
techniques continues, and the economic desirability of such new developments must be reevaluated from time to time.
DESIGN CHANGES

The product-improvement process is also a factor in changing maintenance requirements, since design modifications may change the reliability characteristics of items either intentionally or otherwise. Hidden
functions may be added or removed, critical-failure modes may be
added or removed, dominant failure modes and/or age-reliability characteristics may be altered, and redesign may change the applicability of
on-condition tasks.
Whenever an item is substantially modified, its maintenance requirements must be reviewed. It may also be necessary to repeat the
age-exploration process for such items, both to find out whether the
modifications have achieved their intended purpose and to determine
how these modifications affect existing maintenance requirements for
the item. Finally, entirely new items are added to most equipment during its service life. Initial requirements must be developed for each of
these items, to be modified as necessary when operating data on them
become available.

5.5 THE PRODUCT-IMPROVEMENT PROCESS

determining the need for product improvement
determining the desirability of improvement
information requirements
the role of product improvement in equipment

In the course of evaluating the maintenance requirements of complex
equipment many items will be found that cannot benefit from scheduled maintenance, either because there is no applicable preventive task
or because the available forms of prevention cannot provide the level of
reliability necessary. Because of the inherent conflict between performance requirements and reliability requirements, the reliability problems identified and corrected during early operations are really a part
of the normal development cycle of high-performance equipment.
The degree of reliability that can be achieved by preventive maintenance is limited by the equipment itself. Thus a product may be
deemed unsatisfactory for any of the following reasons:

Exposure to critical failures

Exposure to failures that unduly reduce operational capability

Unduly high maintenance costs

A demonstrated need to make a hidden function visible

Failures may result from the stress and wear associated with the normal
operation of the item, or they may be caused by external factors such
as lightning strikes, bird ingestion, corrosive environments, and so on.
Product improvement to increase resistance to these external factors
may be just as necessary as modifications to withstand the effects of
the normal operating environment.
DETERMINING THE NEED FOR PRODUCT IMPROVEMENT

Product improvement directed toward better reliability may take a
number of forms. An item may be modified to prevent critical failures,
to eliminate a particularly expensive failure mode, or to reduce its overall failure rate. The equipment, or an item on it, may be modified to
facilitate replacement of a failed unit, to make a hidden function visible,
to incorporate features that make on-condition inspections feasible, or
to add redundant features which alter the consequences of failure.
Product improvement is expensive. It involves the cost of redesign
and the manufacture of new parts or whole new items. The operating
organization also incurs the direct cost of modifying the existing equipment and perhaps the indirect cost of taking it out of service while such
modifications are being incorporated. Further risks are always introduced when the design of high-performance equipment is changed,
and there is no assurance that the first attempt at improvement will
eliminate or even alleviate the problem at which improvement is
directed. For this reason it is important to distinguish between situations in which product improvement is necessary and those in which
it is desirable.
The decision diagram in Exhibit 5.8 is helpful in evaluating the
necessity or desirability of initiating design changes. In this case the
answers to the decision questions are all based on operating experience. As always, the first consideration is safety:
Does the failure cause a loss of function or secondary damage that could
have a direct adverse effect on operating safety?

If the answer to this question is yes, the next concern is whether such
failures can be controlled at the maintenance level:
Are present preventive measures effectively avoiding such failures?

If the answer is no, then the safety hazard has not been resolved. In this
case the only recourse is to remove the equipment from service until
the problem can be solved by redesign. Clearly, product improvement
is required.

EXHIBIT 5.8 Decision diagram to determine whether product
improvement is required or merely desirable if it is cost-effective.
Unless product improvement is required for safety reasons, its cost
effectiveness must be assessed (see Exhibit 5.9) to determine whether
the improvement is in fact economically desirable.

1. Does the failure cause a loss of function or secondary damage that could have a direct adverse effect on operating safety? (yes: go to 2; no: go to 3)
2. Are present preventive measures effectively avoiding such failures? (yes: go to 3; no: Improvement is required)
3. Is product improvement cost-effective? (yes: Improvement is desirable; no: Improvement is not justified)

If the present preventive measures are effectively controlling critical failures, then product improvement is not necessary for safety reasons. However, the problem may seriously restrict operating capability
or result in unduly expensive maintenance requirements. It is therefore
necessary to investigate the possibility of reducing these costs:
Is product improvement cost-effective?

Here we are concerned solely with economics. As long as the safety
hazard has been removed, the only issue now is the cost of the preventive measures employed. By the same token, if the answer to the first
question was no (that is, the failure has no direct effect on safety), it
may still have costly operational consequences. Thus a no answer to the
safety question brings us directly to the question of cost effectiveness.
DETERMINING THE DESIRABILITY OF PRODUCT IMPROVEMENT

There is no hard-and-fast rule for determining when product improvement will be cost-effective. The major variables can be identified, but
the monetary values assigned in each case depend not only on direct
maintenance costs, but on a variety of other shop and operating costs,
as well as on the plans for continuing use of the equipment. All these
factors must be weighed against the costs of product improvement.
An operating organization is always faced with a larger number of
apparently cost-effective improvement projects than are physically or
economically feasible. The decision diagram in Exhibit 5.9 is helpful in
ranking such projects and determining whether a proposed improvement is likely to produce discernible results within a reasonable length
of time.
The first question in this case concerns the anticipated further use
of the equipment:
Is the remaining technologically useful life of the equipment high?

Any equipment, no matter how reliable, will eventually be outmoded
by new developments. Product improvement is not likely to result in
major savings when the equipment is near the end of its technologically useful life, whereas the elimination of excess costs over a span of
eight or ten years of continued service might represent a substantial
saving.
Some organizations require for budget approval that the costs of
product improvement be self-liquidating over a short period, say, two
years. This is equivalent to setting the operational horizon of the equipment at two years. Such a policy reduces the number of projects initiated on the basis of projected cost benefits and ensures that only those
projects with relatively high payback are approved. Thus if the answer
to this first question is no, we can usually conclude that product improvement is not justified. If the economic consequences of failure are
very large, it may be more economical to retire the equipment early
than to attempt to modify it.
The case for product improvement is obviously strengthened if an
item that will remain in service for some time is also experiencing frequent failures:
Is the functional-failure rate high?

EXHIBIT 5.9 Decision diagram to assess the probable cost
effectiveness of product improvement. If a particular
improvement appears to be economically desirable, it must
be supported by a formal economic-tradeoff study.

1. Is the remaining technologically useful life of the equipment high? (yes: go to 2; no: Improvement is not justified)
2. Is the functional-failure rate high? (yes: go to 3; no: go to 4)
3. Does the failure involve major operational consequences? (yes: go to 5; no: go to 4)
4. Is the cost of scheduled and/or corrective maintenance high? (yes: go to 5; no: Improvement is not justified)
5. Are there specific costs which might be eliminated by product improvement? (yes: go to 6; no: Improvement is not justified)
6. Is there a high probability, with existing technology, that an attempt at product improvement will be successful? (yes: go to 7; no: Improvement is not justified)
7. Does an economic-tradeoff study show an expected cost benefit? (yes: Improvement is desirable; no: Improvement is not justified)

If the answer to this question is yes, we must consider the economic
consequences of failure:
Does the failure involve major operational consequences?

Even when the failures have no operational consequences, there is
another economic factor to be taken into account:
Is the cost of scheduled and/or corrective maintenance high?

Note that this last question may be reached by more than one path.
With a no answer to the failure-rate question, scheduled maintenance
may be effectively preventing functional failures, but only at great cost.
With a no answer to the question of operational consequences, functional failures may not be affecting operating capability, but the failure
mode may be one that results in exceedingly high repair costs. Thus a
yes answer to either of the two preceding questions brings us to the
question of product improvement:
Are there specific costs which might be eliminated by product
improvement?

This question concerns both the imputed costs of reduced operational
capability and the more tangible costs associated with maintenance
activities. Unless these costs are related to a specific design characteristic, however, it is unlikely that the problem will be eliminated by
product improvement. Hence a no answer to this question means the
economic consequences of this failure will probably have to be borne.
If the problem can be pinned down to a specific cost element, then
the economic potential of product improvement is high. But is this
effort likely to produce the desired results?
Is there a high probability, with existing technology, that an attempt
at product improvement will be successful?

Although a particular improvement might be very desirable economically, it may not be feasible. An improvement directed at one failure
mode may unmask another failure mode, requiring several attempts
before the problem is solved. If informed technical opinion indicates
that the probability of success is low, the proposed improvement is
unlikely to be economically worthwhile.
If the improvement under consideration has survived the screening
process thus far, it warrants a formal economic-tradeoff study:
Does an economic-tradeoff study show an expected cost benefit?

The tradeoff study must compare the expected reduction in costs during
the remaining useful life of the equipment with the costs of obtaining
and incorporating the improved item. The expected benefit is then the
projected saving if the first attempt at improvement is successful, multiplied by the probability of success at the first try. Alternatively, it might
be considered that the improvement will always be successful, but only
a portion of the potential savings will be realized.
There are some situations in which it may be necessary to proceed
with an improvement even though it does not result in an actual cost
benefit. In this case it is possible to work back through the set of decision questions and determine the values that would have to be ascribed
for the project to break even. Also, improvements in the form of increased redundancy can often be justified when redesign of the offending item is not. This type of justification is not necessary, of course,
when the in-service reliability characteristics of an item are specified
by contractual warranties or when there is a need for improvement for
reasons other than cost.
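
The screening in Exhibits 5.8 and 5.9 and the expected-benefit calculation, applied to a handful of candidate projects, as an added example that is not from the original text. The proposals, the dollar figures, and the thresholds standing in for "high" (`min_life_years`, `min_p_success`) are assumptions; `horizon_years` models the self-liquidation period discussed above.

```python
import math
from dataclasses import dataclass


@dataclass
class Proposal:
    name: str
    safety_effect: bool = False          # direct adverse effect on safety
    prevention_effective: bool = True    # present measures avoid such failures
    remaining_life_years: float = 8.0    # remaining technologically useful life
    failure_rate_high: bool = False
    major_operational_consequences: bool = False
    maintenance_cost_high: bool = False
    specific_cost_identified: bool = False
    p_success: float = 0.0               # probability the first attempt succeeds
    annual_saving: float = 0.0           # cost eliminated per year if it succeeds
    improvement_cost: float = 0.0        # redesign, new parts, retrofit, downtime


def expected_net_benefit(p, horizon_years):
    """Projected saving over the years counted, times the probability of
    success at the first try, less the cost of the improvement."""
    years = min(p.remaining_life_years, horizon_years)
    return p.p_success * p.annual_saving * years - p.improvement_cost


def breakeven_p_success(p, horizon_years):
    """Probability of success needed to break even; a value above 1.0 means
    the project cannot break even on cost alone."""
    saving = p.annual_saving * min(p.remaining_life_years, horizon_years)
    return p.improvement_cost / saving if saving > 0 else math.inf


def evaluate(p, horizon_years=10.0, min_life_years=3.0, min_p_success=0.5):
    """Walk Exhibit 5.8, then Exhibit 5.9. Returns (verdict, reason)."""
    if p.safety_effect and not p.prevention_effective:
        return "required", "safety hazard not controlled by maintenance"
    if p.remaining_life_years < min_life_years:
        return "not justified", "remaining useful life is short"
    if not (p.failure_rate_high and p.major_operational_consequences):
        # Either "no" answer leads to the maintenance-cost question.
        if not p.maintenance_cost_high:
            return "not justified", "no major operational or maintenance cost"
    if not p.specific_cost_identified:
        return "not justified", "cost not tied to a specific design characteristic"
    if p.p_success < min_p_success:
        return "not justified", "low probability of success"
    if expected_net_benefit(p, horizon_years) <= 0:
        return "not justified", "tradeoff study shows no expected benefit"
    return "desirable", "expected cost benefit"


def rank(proposals, horizon_years=10.0):
    """Required improvements first, then desirable ones by expected net
    benefit; proposals that are not justified are dropped."""
    scored = []
    for p in proposals:
        verdict, _ = evaluate(p, horizon_years=horizon_years)
        if verdict == "required":
            scored.append((0, 0.0, p.name))
        elif verdict == "desirable":
            scored.append((1, -expected_net_benefit(p, horizon_years), p.name))
    return [name for _, _, name in sorted(scored)]


# Constructed proposals (names and figures are hypothetical).
PROPOSALS = [
    Proposal("fuel pump seal", failure_rate_high=True,
             major_operational_consequences=True, specific_cost_identified=True,
             p_success=0.8, annual_saving=50_000, improvement_cost=120_000),
    Proposal("generator bearing", remaining_life_years=6,
             maintenance_cost_high=True, specific_cost_identified=True,
             p_success=0.9, annual_saving=20_000, improvement_cost=60_000),
    Proposal("reading light", failure_rate_high=True),
    Proposal("old-fleet valve", remaining_life_years=1, failure_rate_high=True,
             major_operational_consequences=True, specific_cost_identified=True,
             p_success=0.9, annual_saving=40_000, improvement_cost=30_000),
    Proposal("flap actuator", safety_effect=True, prevention_effective=False),
    Proposal("bleed valve", remaining_life_years=5, failure_rate_high=True,
             major_operational_consequences=True, specific_cost_identified=True,
             p_success=0.6, annual_saving=10_000, improvement_cost=50_000),
]

if __name__ == "__main__":
    for horizon in (10.0, 2.0):
        print(f"horizon {horizon:g} years:", rank(PROPOSALS, horizon_years=horizon))
    for p in PROPOSALS:
        print(p.name, evaluate(p), round(breakeven_p_success(p, 10.0), 2))
```

With the two-year horizon only the safety-driven item survives, which is the narrowing effect of a short self-liquidation period.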
INFORMATION REQUIREMENTS

No manufacturer has unlimited resources for product improvement. He
needs to know which modifications to his product are necessary and
which are sufficiently desirable for him to risk the cost of developing
them. This information must come from the operating organizations,
who are in the best position to determine the consequences and costs
of various types of failures, measure their frequency, and define the
specific conditions that they consider unsatisfactory.
Opinions will differ from one organization to another about the
desirability of specific improvements, both because of differences in
failure experience and because of differing definitions of a failure. A
failure with safety consequences in one operating context may have
only operational consequences in another, and operational consequences that are major for one organization may not be significant for
another. Similarly, the costs of scheduled and corrective maintenance
will vary and will also have different economic impacts, depending on
the resources of each organization. Nevertheless, the manufacturer
must assess the aggregate experience of the various users and decide
which improvements will be of greatest value to the entire group.
With any new type of equipment, therefore, the operating organization must start with the following assumptions:

Certain items on the equipment will need improvement.

Requests for improvement must be supported by reliability and cost data.

Specific information on the failure mode must be provided as a basis for redesign.
Critical failures must be reported by a safety-alert system so that
all operating organizations can take immediate action against identified
safety hazards. Failures with other operational consequences are reported
at short intervals so that the cost effectiveness of product improvement
can be assessed as soon as possible. The airline industry imputes high
costs to delayed or cancelled flights, and these events are usually reported on a daily basis. In military applications it is important that
operating data, especially peacetime exercise data, be examined carefully for its implications for operational readiness.
For items whose failure has no operational consequences, the only
justification for product improvement is a substantial reduction in
support costs. Many of these items will be ones for which there is no
applicable and effective form of preventive maintenance. In this case
statistical reliability reports at monthly or quarterly intervals are sufficient to permit an assessment of the desirability of product improvement. The economic benefits of redesign will usually not be as great
under these circumstances. In general, the information requirements
for product improvement are similar to those for management of the
ongoing maintenance program. In one case the information is used to
determine necessary or desirable design modifications and in the other
it is used to determine necessary or desirable modifications in the
maintenance program.

THE ROLE OF PRODUCT IMPROVEMENT IN EQUIPMENT DEVELOPMENT

The role of the product-improvement process in the development of
new equipment is exemplified by the history of a fleet of Boeing 747's.
The first planes in this fleet went into operation in 1970 and the last four
planes were delivered in 1973. By April 1976 the airline had issued a
total of 1,781 change-order authorizations. Of this total, 85 of the design
changes were required by regulatory agencies, 801 were the result of
altered mission requirements by the airline, and 895 were required by
unsatisfactory reliability characteristics. The cumulative number of
these change orders over the first six years of operation is shown in
Exhibit 5.10. Most of the change orders to meet regulatory requirements
were issued in compliance with FAA airworthiness directives. Such
directives mandate specific design changes or maintenance requirements to prevent critical failures. The cumulative number of the 41
directives issued (some entailed more than one change) is shown by the
second curve in Exhibit 5.10.

EXHIBIT 5.10 History of change-order authorizations for design
improvements in the Boeing 747 (top) and history of FAA
airworthiness directives issued over the same time period (bottom).
(United Airlines)


The 895 design changes required to improve reliability characteristics did not include those associated with critical failures. They consisted of the following types of product improvement:

Those desirable to prevent or reduce the frequency of conditions causing delays, cancellations, or substitutions (495)

Those desirable to improve structural fatigue life and reduce the need for frequent inspection and repairs (184)

Those desirable to prevent or reduce the frequency of conditions considered to compromise ground or flight safety (214)

All these changes were based on information gathered from actual
operations after the equipment went into service. Such information is
an essential part of the development cycle in all complex equipment.

5 6 RCM PROGRAMS FOR


IN-SERVICE EQUIPMENT
The decision process outlined iii Chapter 4 was discussed in terms of
new equipment. However, this procedure also exiends to the development of ar. RCM program for equipme?t that is already in service and
is being supported by a scheduled-maintenance program developed on
some other basis. In this case there will be much less need for default
answers, since considerable information from operating experience is
already available. For example, there will be at least some information
about the total failure rate of each item, the actual economic consequences of various kinds of failures, what failure modes lead to loss of
function, which cause major secondary damage, and which are dominant. Many hidden functions will have been identified, and there may
be information on the age-reliability characteristics of many items.
Preparation for the program will still require a review of the design
characteristics of the equipment to define a set of significant functions
and functional failures. The usual result will be that items currently
treated individually can be grouped as a system or subsystem to be
considered as one significant item in the new program. A set of proposed maintenance tasks will have to be established which includes all
those existing tasks that satisfy the applicability criteria; additional
tasks may then be introduced if they also meet these requirements. The
tasks would then be analyzed for effectiveness in terms of failure consequences, as with a prior-to-service program.
The new RCM program should be developed with minimal reference to the existing program, and the two programs should not be compared until the proposal for the new one is complete. This is essential
to avoid the influence of past biases and to allow for free exercise of the
decision structure. When a comparison is finally made, the new RCM
program will generally have the following features:
• Many systems and subsystems will be classified as significant items.
• There will be a smaller number of equipment items for which unique scheduled-maintenance tasks are specified.
• Most systems items will no longer be subject to scheduled rework.
• Turbine engines and other complex items will be subject to a few specific rework or discard tasks, rather than intensive scheduled overhaul.
• There will be age-exploration sampling of certain identified parts of the powerplant, which is continued until the parts reach very high ages.
• There will be increased use of on-condition tasks.
• There will be some new tasks that are justified by critical-failure modes, operational consequences, or hidden functions.
• The intervals of higher-level maintenance packages will be greatly increased, whereas intervals of lower-level packages, which consist primarily of servicing tasks and deferrable corrective work, will remain about the same.
• The overall scheduled-maintenance workload will be reduced.

If the existing program assigns a large number of items to scheduled rework, there may be some concern that eliminating these tasks
will result in a substantial increase in the failure rate. This question can
be resolved by conducting actuarial analyses of the failure data for these
items under the new program, to confirm that the change in maintenance policy has not adversely affected their overall reliability. If these
analyses show that rework tasks are both applicable and effective for
some items, they can be reinstated.
The new RCM program will not be as labor-intensive as the program it replaces, and this fact will have to be taken into account in
adjusting staff requirements at maintenance facilities. It may be necessary to estimate the volume of work that has been eliminated in each
maintenance package and make these adjustments when the new program is first implemented. Otherwise the anticipated reductions in
manhours and elapsed time for scheduled maintenance will often not
be realized.


PART TWO

applications

applying rcm theory to aircraft

THE REASONING behind RCM programs was described in detail in Part
One. In the following chapters we will examine specific applications of
these principles to actual equipment hardware. Although the examples
discussed are drawn from commercial transport aircraft, they provide
practical guidelines that easily extend to other operating contexts and
to the development of scheduled-maintenance programs for other types
of complex equipment. The principal distinction in the case of aircraft
has to do with design practices that are common to the aircraft industry.
In the case of commercial aircraft continuous evolution of the design
requirements promulgated by airworthiness authorities and the feedback of hardware information to equipment designers by operating
organizations have led to increasing capability of the equipment for
safe and reliable operation. Thus most modern aircraft enter service
with design features for certain items that allow easy identification of
potential failures. Similarly, various parts of the airplane are designed
for easy access when inspection is necessary or for easy removal and
replacement of vulnerable items. A host of instruments and other indicators provide for monitoring of systems operation, and in nearly all
cases essential functions are protected by some form of redundancy or
by backup devices that reduce the consequences of failure to a less
serious level.
Complex equipment that has not benefited from such design practices will have different - and less favorable - reliability characteristics,
and therefore less capability for reliable operation. Since preventive
maintenance is limited by the inherent characteristics of the equipment, in many cases RCM analysis can do little more than recommend
the design changes that would make effective maintenance feasible.
The principles of reliability-centered maintenance still apply, and the
decision questions are the same. The answers to these questions, however, must reflect the design characteristics of the equipment itself and
hence will be different for equipment designed to other standards.
In this chapter we will briefly review certain aspects of RCM
analysis, examine the procedures for setting up a study team to develop
a prior-to-service program, and consider some of the factors involved
in monitoring the RCM program as it evolves after the equipment
enters service.

6.1 A SUMMARY OF RCM PRINCIPLES
The complexity of modern equipment makes it impossible to predict
with any degree of accuracy when each part or each assembly is likely to
fail. For this reason it is generally more productive to focus on those
reliability characteristics that can be determined from the available
information than to attempt to estimate failure behavior that will not
be known until the equipment enters service. In developing an initial
program, therefore, only a modest attempt is made to anticipate the
operating reliability of every item. Instead, the governing factor in
RCM analysis is the impact of a functional failure at the equipment
level, and tasks are directed at a fairly small number of significant items - those whose failure might have safety or major economic consequences.
These items, along with all hidden-function items, are subjected to
intensive study, first to classify them according to their failure consequences and then to determine whether there is some form of maintenance protection against these consequences.


The first step in this process is to organize the problem by partitioning the equipment into object categories according to areas of engineering expertise. Within each of these areas the equipment is further
partitioned in decreasing order of complexity to identify significant
items (those whose failure may have serious consequences for the
equipment as a whole), items with hidden functions (those whose
failure will not be evident and might therefore go undetected), and nonsignificant items (those whose failure has no impact on operating capability). As this last group encompasses many thousands of items on an
aircraft, this procedure focuses the problem of analysis on those items
whose functions must be protected to ensure safe and reliable operation.
The next step is a detailed analysis of the failure consequences in
each case. Each function of the item under consideration is examined
to determine whether its failure will be evident to the operating crew;
if not, a scheduled-maintenance task is required to find and correct
hidden failures. Each failure mode of the item is then examined to
determine whether it has safety or other serious consequences. If
safety is involved, scheduled maintenance is required to avoid the risk
of a critical failure. If there is no direct threat to safety, but a second
failure in a chain of events would have safety consequences, then the
first failure must be corrected at once and therefore has operational
consequences. In this case the consequences are economic, but they
include the cost of lost operating capability as well as the cost of repair.
Thus scheduled maintenance may be desirable on economic grounds,
provided that its cost is less than the combined costs of failure. The
consequences of a nonoperational failure are also economic, but they
involve only the direct cost of repair.
This classification by failure consequences also establishes the
framework for evaluating proposed maintenance tasks. In the case of
critical failures - those with direct safety consequences - a task is considered effective only if it reduces the likelihood of a functional failure
to an acceptable level of risk. Although hidden failures, by definition,
have no direct impact on safety or operating capability, the criterion in
this case is also risk; a task qualifies as effective only if it ensures adequate protection against the risk of a multiple failure. In the case of both
operational and nonoperational failures task effectiveness is measured
in economic terms. Thus a task may be applicable if it reduces the failure
rate (and hence the frequency of the economic consequences), but it
must also be cost-effective - that is, the total cost of scheduled maintenance must be less than the cost of the failures it prevents.
Whereas the criterion for task effectiveness depends on the failure
consequences the task is intended to prevent, the applicability of each
form of preventive maintenance depends on the failure characteristics
of the item itself. For an on-condition task to be applicable there must be
a definable potential-failure condition and a reasonably predictable age
interval between the point of potential failure and the point of functional failure. For a scheduled rework task to be applicable the reliability
of the item must in fact be related to operating age; the age-reliability
relationship must show an increase in the conditional probability of
failure at some identifiable age (wearout) and most units of the item
must survive to that age. The applicability of discard tasks also depends
on the age-reliability relationship, except that for safe-life items the life
limit is set at some fraction of the average age at failure. Failure-finding
tasks are applicable to all hidden-function items not covered by other
tasks.

EXHIBIT 6.1 Schematic representation of the RCM decision structure.
The numbers represent the decision questions stated in full in Exhibit
4.1, and the abbreviations represent the task assigned or other action
taken as an outcome of each decision question.

The process of developing an RCM program consists of determining which of these scheduled tasks, if any, are both applicable and
effective for a given item. The fact that failure consequences govern the
entire decision process makes it possible to use a structured decision-diagram approach, both to establish maintenance requirements and to
evaluate proposed tasks. The binary form of a decision diagram allows
a clear focus of engineering judgment on each issue. It also provides the
basic structure for a default strategy - the course of action to be taken if
there is insufficient information to answer the question or if the study
group is unable to reach a consensus. Thus if there is any uncertainty
about whether a particular failure might have safety consequences, the
default answer will be yes; similarly, if there is no basis for determining
whether a proposed task will prove applicable, the answer, at least in an
initial maintenance program, will be yes for on-condition tasks and no
for rework tasks.
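The classification by failure consequences, the two effectiveness criteria, and the default answers described above can be written as a short decision routine. This is an added example, not code from the book: the class, field and function names and the sample costs are constructed, and sending a safety failure with no effective task to redesign is an assumption about the full diagram in Exhibit 4.1.

```python
from dataclasses import dataclass
from typing import List, Optional

# Default answers the text gives for an initial program (None = no information).
SAFETY_DEFAULT = True
APPLICABILITY_DEFAULT = {"on-condition": True, "rework": False}


@dataclass
class Proposal:
    kind: str                            # "on-condition", "rework" or "discard"
    applicable: Optional[bool] = None    # None: no basis for determining
    risk_acceptable: bool = False        # criterion for safety and hidden classes
    task_cost: float = 0.0               # total cost of the scheduled task
    failure_cost_prevented: float = 0.0  # cost of the failures it prevents


def classify(evident: bool, safety: Optional[bool], operational: bool) -> str:
    """Failure-consequence class for one failure mode."""
    if not evident:
        return "hidden"
    if safety is None:                   # uncertainty about safety: answer yes
        safety = SAFETY_DEFAULT
    if safety:
        return "safety"
    return "operational" if operational else "nonoperational"


def is_applicable(p: Proposal) -> bool:
    if p.applicable is not None:
        return p.applicable
    if p.kind not in APPLICABILITY_DEFAULT:
        # The text states defaults only for on-condition and rework tasks.
        raise ValueError(f"no default stated for {p.kind!r}; an answer is required")
    return APPLICABILITY_DEFAULT[p.kind]


def is_effective(p: Proposal, consequence: str) -> bool:
    if consequence in ("safety", "hidden"):
        return p.risk_acceptable         # risk criterion
    return p.task_cost < p.failure_cost_prevented  # economic criterion


def decide(consequence: str, proposals: List[Proposal]) -> List[str]:
    """Keep only tasks that are both applicable and effective."""
    selected = [p.kind for p in proposals
                if is_applicable(p) and is_effective(p, consequence)]
    if selected:
        return selected
    if consequence == "hidden":
        return ["failure-finding"]       # applies to hidden items not otherwise covered
    if consequence == "safety":
        return ["redesign"]              # assumption, see lead-in
    return ["no scheduled maintenance"]


if __name__ == "__main__":
    # Constructed failure mode: evident, safety impact unknown.
    cls = classify(evident=True, safety=None, operational=True)
    print(cls, decide(cls, [Proposal("on-condition", None, risk_acceptable=True)]))
    # Constructed economic case: rework has no applicability data, so it drops out.
    print(decide("operational", [
        Proposal("rework", None, task_cost=10, failure_cost_prevented=100),
        Proposal("on-condition", None, task_cost=40, failure_cost_prevented=100),
    ]))
```
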
It is important to realize that the decision structure itself is specifically designed for the need to make decisions even with minimal information. For example, if the default strategy demands redesign and this
is not feasible in the given timetable, then one alternative is to seek out
more information in order to resolve the problem. However, this is the
exception rather than the rule. In most cases the default path leads to no
scheduled maintenance, and the correction, if any, comes naturally as
real and applicable data come into being as a result of actual use of the
equipment in service.
The decision logic also plays the important role of specifying its
own information requirements. The first three questions assure us that
all failures will be detected and that any failures that might affect safety
or operating capability will receive first priority. The remaining steps
provide for the selection of all applicable and effective tasks, but only
those tasks that meet these criteria are included. Again, real data from
operating experience will provide the basis for adjusting default decisions made in the absence of information. Thus a prior-to-service
program consists primarily of on-condition and sample inspections,
failure-finding inspections for hidden-function items, and a few safe-life discard tasks. As information is gathered to evaluate age-reliability
relationships and actual operating costs, rework and discard tasks are
gradually added to the program where they are justified.
The net result of this careful bounding of the decision process is a
scheduled-maintenance program which is based at every stage on the
known reliability characteristics of the equipment in the operating context in which it is used. In short, reliability-centered maintenance is a
well-tested answer to the paradox of modern aircraft maintenance - the
problem of how to maintain the equipment in a safe and economical
fashion until we have accumulated enough information to know how
to do it.

6.2 ORGANIZATION OF THE PROGRAM-DEVELOPMENT TEAM
In the airline industry the FAA convenes a maintenance review board
(MRB) for each new type of airplane. This board is responsible for
preparing and issuing a document that defines the initial scheduled-maintenance program for the new equipment. Although the initial program of each airline using the equipment is based on this document,
the airlines very quickly begin to obtain approval for revisions on the
basis of their individual experiences and operating requirements.
Consequently the programs that ultimately come into effect may be quite
different for users of the same equipment.
It is usual practice for the MRB to develop this document as a joint
venture involving the aircraft and engine manufacturers, the purchasing
airlines, and members of the FAA. The industry group - the manufacturers and the airlines - ordinarily develop a complete program and
submit it to the MRB as a proposal; the MRB then incorporates any necessary changes before final approval and release. On one hand, this
procedure cannot be started until the design characteristics of the
equipment are well established; on the other hand, the initial program
must be completed and approved before the new plane can enter service. Thus there are certain time constraints involved.
While the initial maintenance program is being developed, other
FAA personnel, manufacturing and airline engineers, and pilots of the
purchasing airlines compile a minimum-equipment list (MEL) and a configuration-deviation list (CDL). These two lists give explicit recognition
to the fact that the aircraft can be operated safely in a condition that is
less than its original state. In fact, these lists help to define operational
consequences, since they define the failures that must be corrected
before further operation. The minimum-equipment list specifies the
items that must be serviceable at the time a plane is dispatched and in
some cases includes mandatory operating limitations if certain items
are inoperative. The configuration-deviation list is concerned primarily
with the external envelope of the aircraft and identifies certain parts,
such as cover plates and small pieces of fairing, that are allowed to be
missing.
The first draft of the RCM program is generally developed by an
industry task force specially appointed for that purpose. Although there
are no hard-and-fast rules about organization, the approach on airline programs has been a steering committee supported by a number
of working groups. The steering committee consists of about ten manufacturer and airline representatives and is responsible for managing all
aspects of the program development; this committee also serves as the
interface with the manufacturer and the various regulatory agencies.
The first chore of the steering committee is to appoint working groups
of eight to ten members to conduct the detailed study of the aircraft
structure, powerplant, and systems. Seven such working groups were
employed, for example, to develop the maintenance program for the
Douglas DC-10. The steering committee sets the ground rules for each
working group and selects a group chairman. Ordinarily a steering-committee member also sits in on each working-group meeting to
audit progress and resolve problems.*
One other responsibility of the steering committee is to arrange
for training. All members of the task force are given a one-week course
to familiarize them with the features of the new equipment. Members
of the working groups, however, require additional training in RCM
analysis (usually by the steering committee) and much more detailed
training on the particular aspect of the equipment they are to analyze.
The training in RCM procedures assures that all participants have a
uniform understanding of the basic task criteria and the definitions of
such key terms as significant item, function, functional failure, failure
mode, failure consequences, and cost effectiveness. Working-group members must also be familiar with the decision logic used to sort and select
tasks and with the default strategy to be employed when there is no
information or the group is unable to reach a consensus.
The members of the task force should represent the best engineering and maintenance talent available. Ideally, the steering committee
should be headed by someone who has had previous experience with
similar efforts and is completely familiar with RCM techniques (or
employs someone who is familiar with them). All members of that
committee should be generalists, rather than specialists. Their duties
require experience in management and analysis, whereas the working-group members need actual hardware experience. Thus the steering
committee is often composed of reliability, engineering, and quality-assurance managers, whereas the working groups consist of working
engineers.
The working groups are responsible for identifying and listing the
significant and hidden-function items and evaluating the proposed
scheduled tasks. Usually they will be able to start with preliminary
worksheets prepared by the manufacturers. These worksheets are
studied in detail, and in some cases the working group may examine
an aircraft that is being assembled to confirm certain points. Each group
recommends additions and/or deletions of significant items, essential
functions, failure modes, and anticipated failure consequences and
selects appropriate scheduled tasks and task intervals for the portion of
the equipment on which it is working. The results are then summarized
in a way that allows the steering committee to evaluate the analysis and
incorporate the scheduled tasks in the program.

*The role of the auditor in a program-development project is discussed in detail in Appendix A. This discussion also covers some of the common problems that arise during analysis
and provides a useful review for those who may be working with RCM procedures for the
first time.

6.3 BEGINNING THE DECISION PROCESS
A new aircraft is never totally new. Rather, it is the product of an era,
although its design usually includes some recent technological developments to improve performance capabilities and reduce maintenance
costs. The program-development team thus begins with a large body of
knowledge gained from experience with other aircraft. In addition to
this general context of expertise, there are specific test data on the vital
portions of the aircraft. These are the manufacturer's tests, conducted
during design and development of the equipment to establish the integrity of the structure, the reliability and performance characteristics
of the powerplant, and other factors necessary to ensure that the various
systems and components will in fact perform as intended. Finally, the
new equipment will come to the RCM team with a list of manufacturer's
recommendations for scheduled lubrication and servicing, and often
more extensive maintenance suggestions as well.
In evaluating and selecting the scheduled-maintenance tasks for
this new equipment, the analysis team will therefore have a fairly good
idea from the outset of which functions, failures, and tasks are going to
demand consideration. The first step in the procedure is to partition
the aircraft into its major divisions so that these can be assigned to the
various working groups. Usually one working group is established to
study the structure, another to study the powerplant, and several more
to study the various systems.
The systems division includes the various sets of items other than
the engine which perform specific functions - the environmental-control system, the communications system, the hydraulic system. It
also includes the items that connect the assemblies; for example, the
hydraulic system includes the lines that connect the actuators to the
pump. The powerplant includes only the basic engine. It does not include the ignition system or engine-driven accessories, such as the fuel
control and the constant-speed drive, all of which are part of systems.
Nor does it include the engine cowling and supports, which are part of
the structure. Structure includes all of the airframe structure, as well as
the movable flight-control surfaces, hinges, hinge bearings, and landing
gear. However, the actuators, cables, gearboxes, and hydraulic components associated with these items are treated as part of the systems
division.
Each working group partitions the portion of the equipment for
which it is responsible in descending levels of complexity to identify
nonsignificant items on the one hand and significant and hidden-function items on the other. To help organize this process the items are
usually characterized in some kind of order. For example, the engine is
ordinarily partitioned according to the order in which it is assembled - by module, stage, and part - whereas the structure is partitioned according to geographic zones. Exhibit 6.2 shows some typical items included
under each of the major divisions, as well as typical items covered
by zonal-installation inspections. Although these general inspections
are not established on the basis of RCM analysis, the tasks themselves,
along with the necessary servicing and lubrication tasks, are included
in the final list of scheduled tasks for packaging in the maintenance
program.

EXHIBIT 6.2 Typical hardware items in each of the three major
divisions of an aircraft. The level of item selected as significant in
each case will depend on the consequences of a functional failure for
the aircraft as a whole. These items will be subjected to intensive
RCM analysis to determine how they might benefit from scheduled
maintenance. The resulting program of RCM tasks is supplemented
by a separate program of zonal inspections, which consists of scheduled
general inspections of all the items and installations within the
specified zone.

systems
  Flight-control system: actuators, gearboxes, cables, linkages, control valves
  Electric-power system: generators, relays, constant-speed drives, bus-control unit
  Air-conditioning system: packs, valves, sensors
  Ignition system: igniter, power supply

powerplant
  Compressor section: stators, spacers, tie rods, blades, air seals, compressor hubs, disks
  Combustion section: scavenge pumps, exit guide vanes, diffuser case, inner case, bearing assembly, bearing carbon seal, stator support, combustion chambers, rear support, outlet ducts, nozzle guide vanes

structure
  Wing and empennage: spars, skins, control surfaces, slats and flaps, hinges
  Landing gear: shock struts, pistons
  Fuselage: circumferentials, longerons, skins, bulkheads

zonal installations
  Wing zones: hydraulic lines, fuel lines
  Wheelwell: switches, hydraulic lines, wiring
  Fuselage zones: oxygen cylinders, assembly housings, water lines

This first sorting process to identify significant items is largely a
matter of experience and judgment. Some items will be classified as
significant because they have always been significant in the past; others
may be included because there is some uncertainty about their impact
on the system as a whole. In selecting the appropriate level of item for
intensive study, two types of error are possible: partitioning too far
down and unnecessarily increasing the workload, or else not partitioning down far enough and thus overlooking some failure mode that may
later prove significant. The first inclination is to minimize this latter
possibility in the interests of safety. However, with limited time and
resources it is equally important to pick some cutoff point that will not
dilute the effort needed for truly significant items. The optimum cutoff
point for each item thus lies in a fairly narrow range.
The partitioning process organizes the problem, but it is also necessary to organize the information required to solve it. In addition to
the manufacturer's designation of the item, a brief description is needed
that indicates the basic function of the item and its location in the
equipment. It is also necessary to make a complete and accurate list of
all the other intended or characteristic functions of the item in order to
define the functional failures to which it is subject. A functional failure
is any condition that prevents the item from meeting its specified performance requirements; hence the evidence by which this condition
can be recognized must be specified as well. A functional failure may
have several failure modes, and the most likely ones must be identified.
For example, the list of functional failures for the main oil pump on a
jet engine might include high pressure, low pressure, no pressure, contaminated oil, and leaks. However, the condition of no pressure may
be caused by drive-gear failure, shaft failure, or a broken oil line.
To evaluate the consequences of each type of failure it is necessary
to identify both the effects of a loss of function and the effects of any
secondary damage resulting from a particular failure mode. For example,
the loss of function for a generator might be described as no output; if
the cause is bearing failure, however, the probable secondary damage
is complete destruction of the generator, which is very expensive. Another important factor in evaluating failure consequences is the design
of the equipment itself. All redundancies, protective devices, and monitoring equipment must be listed, since these have a direct bearing on
the seriousness of any single failure. If an essential function is available
from more than one source, then a failure that might otherwise have a
direct effect on safety or operating capability may have no significant
consequences. Similarly, failure annunciators and other instrumentation mean that failures that would otherwise be hidden are in fact evident to the operating crew.
All these data elements are assembled for each item before the
analysis begins. To keep track of the necessary information it is helpful
to summarize the data for each item on a descriptive worksheet like
that shown in Exhibit 6.3. The analysis itself consists of a systematic
examination of each failure possiuility and an evaluation of proposed
maintenance tasks. Tasks are proposed by both the manufacturing
EXHIBIT 6 - 3 ltem information worksheet. The data elements that
pertain to each item are assembled and recorded on a descriptive
worksheet before the analysis is begun. For convenience in
documenting the decision process, it is helpful to use reference
numbers and letters for the various functions, functional failures, and
failure niodes of each item.

mm r N # H M A m WOIYIIlUT

type of aircraft

item number
ltem nune
vendor part/model no.

reliability dab
premature-removal rate (per &OW unit houm)
failure rate (per &OW unit houn)
source of data
functions

150 APPLICATIONS

members of the program-development team and by the members of 'he


operating organization. The manufacturer has more specific knowledge
of the equipment, its intended design features, and !he development
and testing procedures that were employed. The operating organization
has the more intimate knowledge of how the equipment will be used,
what sorts of maintenance tasks are feasible, and which ones have
proved most effective in the recent. past.
To ensure that the entire decision process is documented, the answer to each question in the decision diagram must be recorded. One
convenient form is shown in Exhibit 6.4; the numbers across the top

no. per ahrafi

pmp-d

by

date

8y8tm

reviewed by

date

appmved by

date

zone(d
-

redundancies md protective featurn (indude inrtnunentation)

bdt-in t a t equipment (describe)


Can a i m f t be dirpatched with item
inoperative? Ifso, lirt any limitationr
which murt be observed.

classification of item (check)


significant
hiddell function

failure modes

faiiure eff&

m p o n m to dwitlon-dirppm quntionr

ref.

conmquencca

trrk wlectioa

EXHIBIT 6.4 Decision workshret for systems .and powerplant items.


For each htnction (F), functional failure (Ft.'),and failure mode (FM),
the answer: to the questions in the decision dihgranr are recorded
to show the reasoning leading Lo the selection of a particular task. In
the case ~f structural items the principal decision problem concerns
the serecti~n of task intervals; hence the worksheet form used for
stnictures i s somewhat different.

represent the decision questions, and the trail of answers shows the
logic by which a particular decision was reached. Depending on the
n a t u r ~of the item, its failure characteristics, and the failure consequences that govern the evaluation, the outcome may be one or more
scheduled tasks, redesign, or no scheduled maintenance. In each case,
however, the reason for the decision will be clearly identiiiable, both for
auditing during analysis and for later review.
The study up to this point represents a substantial effort. The analysis for the Douglas DC-10, which was based on similar principles, led to a set of reports approximately 10 inches high and represented about 10 man years of effort over an 18-month period. Nevertheless, given the complexity of modern aircraft, this effort is still modest in comparison to what might be envisioned if the several bounds on the process were relaxed. These bounds are established by the decision questions themselves, by the default strategy that provides for decision making with minimal information, and also by the auditing process that goes on both during analysis and afterward.


6.4 THE INFORMATION FLOW IN DECISION MAKING

the uses of operating data
evolution of the maintenance program
managing the program

The flow of information in RCM decision making is a circular process that begins with the initial selection of items for intensive analysis and continues throughout the life of the equipment. The very selection of significant items requires not only substantial factual data, but considerable experience and judgment as inputs to a prior-to-service analysis. The outputs are a list of all the applicable and effective tasks to be included in the scheduled-maintenance program. These tasks are then assigned intervals and packaged for implementation, and from this point on the information from actual operating experience becomes the input data.
In most cases the transition from prior-to-service study to actual maintenance on in-service equipment takes place gradually. The first few planes delivered and put into service are inspected at relatively frequent intervals. This "excessive" maintenance is not expensive, since only a few planes are involved, and it serves both to work out the shortcomings in the maintenance program and to provide training opportunities for the personnel who will eventually handle the entire fleet.
During early operation the condition and performance of the aircraft are continually monitored through what the FAA terms an analysis and surveillance program. The maintenance department is prepared for unanticipated kinds of failures and is ready to react immediately to any critical events. Other failure experiences are reported systematically, and this information is used to review and revise the scheduled tasks and to provide the cost data necessary to initiate product improvement. The maintenance crew will also be able to confirm the reliability of many items; that is, they will see a great deal of nonfailure, which is also reflected in the program as it evolves. For example, the inspection intervals for items that are performing satisfactorily will be extended, thus reducing the workload per plane at about the same rate that new planes are entering service.

EXHIBIT 6.5 The process of information flow and decision making in the development and evolution of an RCM program.

[Flow diagram; surviving labels: design characteristics of equipment; operator's performance requirements; evaluation of failure consequences (hidden function, operational, nonoperational); evaluation of proposed tasks (scheduled inspections: on-condition, failure finding; scheduled removals: rework, discard; other scheduled; redesign; no scheduled maintenance); packaging of selected tasks and intervals into program of scheduled inspections/checks; implementation of scheduled tasks; observation of equipment condition and performance; age exploration; failure consequences, failure rates, maintenance costs, actuarial analysis, correction reports, inspection findings; adjustment of task intervals.]
By the time the fleet has reached full size - about five years after the first planes enter service - the thrust of maintenance analysis turns to a more careful study of the items that may eventually show wearout characteristics and would therefore benefit from periodic rework or discard. As the potential-failure ages of longer-lived items are identified, some of these items may also be modified through redesign to increase their longevity, and there will be corresponding changes in their maintenance requirements, necessitating a further round of analysis and age exploration to determine their new reliability characteristics. Periodically the entire maintenance program is subjected to "purging," both to eliminate tasks that have crept in to take care of problems that have since been resolved and to omit borderline tasks that have not proved to be worthwhile.
As a result of continuous maintenance and product improvement, the aircraft also evolves throughout its operating life. Most commercial aircraft remain in operation for at least twenty years. At the end of this time, although the overall structure of any given plane will be essentially the structure it started with, the rest of the aircraft will have been substantially replaced or modified, and most of the replaceable parts will have been changed many times. Thus the aircraft is not in fact twenty years old; only the basic structure is. This constant cycle of preventive and corrective maintenance ensures that an aircraft does not wear out with age. Instead, it remains in service until newer designs render it technologically obsolete.
To realize the inherent reliability of any aircraft it is necessary to keep track of its state, both individually and collectively, from the time the equipment enters service until the time it is finally retired. The information about failed items, potential failures, and the corresponding replacement of parts or components in each aircraft must be recorded and assembled in a form that allows for analysis of the performance of the aircraft as a whole, as well as the performance of individual items. At the earliest stages these information requirements concern only individual failures and failure modes. Soon after, it becomes necessary to keep track of the accumulated operating time of the fleet in order to establish failure rates, and when they are sufficiently low, reduce inspection frequencies. It is sometimes helpful during the middle years of operation to make extensive studies of individual item histories (including actuarial analyses).
Given the hundreds of thousands of parts on a modern aircraft, these information requirements call for careful judgment. The notion that someone must be able to determine at any point how long the light bulb over seat 3F has been in operation would lead to staggering information costs. Just as it is crucial at the beginning to size the problem of analysis, so it is crucial to size the reporting system so that the information necessary to manage the ongoing maintenance program is not buried by an information overload. The various types of reporting systems and the specific kinds of information they provide are discussed in Chapter 11.
Whatever the equipment, as the maintenance program evolves each iteration of the decision process must be documented and audited by independent observers if the results are to be relied upon. This documentation is just as important for subsequent modifications of the initial program as it was in developing the initial program. The structure of the decision logic provides such documentation, since the list of yes/no answers to specific questions leaves a clear audit trail that can be checked both during and after the decision process. This audit trail, together with the information on which the initial decisions were made and modified during subsequent operation of the equipment, provides the starting point for the next round of design evolution. Given the transitory nature of the workforce in both government and commercial situations and the relatively long service life of complex equipment, this maintenance-system "memory" is a necessary factor in long-term technological improvement.

CHAPTER SEVEN

rcm analysis of systems

The systems division includes all the systems required for operating the airplane except the powerplant itself. Most systems are composed of numerous separate assemblies, or components, linked by electrical or hydraulic lines or other connecting devices. Even in a new type of aircraft few of the systems components will be entirely new; most will have been used in previous designs. As a result, the reliability characteristics of many systems items are fairly well known and data are often available on the applicability and effectiveness of specific maintenance tasks. Maintenance experience has also shown that certain classes of items, such as electronic components, have the generic characteristic of being unable to benefit from scheduled maintenance.
A great many systems items do not require scheduled maintenance. While a number of systems do have hidden functions that must be protected by scheduled tasks, most aircraft systems have been designed to preclude critical failures and many have been designed to ensure that the aircraft will remain fully operational after the occurrence of a failure. An item whose failure is evident to the operating crew and has no safety or operational consequences would be classified as nonsignificant and assigned in an initial program to no scheduled maintenance. The system itself would be designated as significant, since its overall function is essential to the aircraft. In many cases, however, the units that actually perform this function are nonsignificant items, since a failure of any one of them has no consequences other than the cost of repair.
In general, the outcome of RCM analysis depends more on the design characteristics of the system than on the nature of the item. Nevertheless, certain results are typical for various classes of items. Mechanical items such as fuel pumps, gearboxes, and brake assemblies will often receive on-condition tasks, and on rare occasions a rework task, although frequently the assignment is to no scheduled maintenance. Hydraulic items are generally assigned on-condition tasks in which a gross-flow check of the entire system is followed by isolation checks to pinpoint the source of internal leaks. Electrical and electronic items, unless they have hidden functions that require failure-finding tasks, will nearly always be assigned to no scheduled maintenance.

7.1 CHARACTERISTICS OF SYSTEMS ITEMS

design characteristics
maintenance characteristics

Each type of system has a unique function in an aircraft - flight control, environmental control, fuel supply, high-frequency communication, and so on. Nevertheless, systems as a group have certain common characteristics that affect their maintenance requirements. Most systems are equipped with instrumentation which allows the operating crew to monitor the performance both of the system as a whole and of many of its individual components. Thus as a general rule functional failures are evident to the crew. Also, such failures seldom affect operating safety. As a result of careful design, even unanticipated failure modes are unlikely to have safety consequences. The chief reason for this is the high degree of redundancy employed in systems design. All essential functions are available to the aircraft from more than one source, so that the system is fail-safe.
It is usual, in fact, for systems to include enough redundancy to permit completion of a day's flying after a failure has occurred. Under these circumstances the airplane can be dispatched with one unit inoperative, and unless a second unit fails there is no need to interrupt scheduled operations for corrective maintenance. Thus, despite the frequency of systems failures, the majority of these failures have no operational consequences. Correction of the failure is simply deferred to a convenient time and location. In addition to the protection afforded by redundancy, some of the more exotic devices, such as the autoland system, employ a newer technique called fail-operational. In this case not only the aircraft, but the system itself remains fully operational after the occurrence of a failure.

EXHIBIT 7.1 The most common outcomes of RCM analysis in the systems division. Few systems failures fall in the safety branch; several, however, may fall in the hidden-function branch. The principal objective of analysis is to ensure that these exceptions are accurately identified.

Even though systems in commercial aircraft are designed to reduce failure consequences to the nonoperational level, once the equipment enters service the performance of all items, including those assigned to no scheduled maintenance, is carefully monitored during the early stages of operation. To meet the space and weight requirements of high-performance aircraft, systems components are generally designed with a low initial margin of failure resistance; hence their overall reliability tends to be low. To offset this problem components are usually designed for easy replacement in the field. Even so, the poor reliability of certain items may result in unacceptable repair or support costs, and the need to improve systems items by redesign is quite common in new aircraft.
Another characteristic of systems is that the assemblies that comprise them are themselves multicelled and subject to numerous failure modes - that is, they are complex items. Since the overall reliability of a complex item generally shows little or no relationship to operating age, scheduled rework is rarely applicable to systems components (see Section 3.2). Rework or discard tasks may be applicable, however, to relatively simple parts such as connecting lines or to items subject to mechanical wear or metal fatigue. Some assemblies may also include safe-life parts, such as the actuator endcaps in certain flight-control systems, for which redundancy is not feasible.
In terms of RCM analysis, then, systems items are characterized by evident failures which fall primarily in the economic branches of the decision diagram, where scheduled maintenance is desirable only if it is cost-effective (see Exhibit 7.1). For this reason, and because most failures are unrelated to operating age, the most frequent outcome of analysis is either an on-condition task or no scheduled maintenance. However, the exceptions to this general pattern may fall in any branch and lead to almost any of the possible outcomes. The principal focus in developing a prior-to-service program for systems is on proper identification of these exceptions.

7.2 ASSEMBLING THE REQUIRED INFORMATION

initial information requirements
the information worksheet

The analysis of a system, subsystem, or assembly requires a knowledge both of the system itself and of the relationship of the system to the aircraft as a whole. To evaluate the consequences of a functional failure it is necessary to visualize the various failure possibilities in terms of the basic function of the entire system, rather than from the standpoint of its component units. For this reason particular attention must be paid to redundancies and other fail-safe features, since the amount of replication of a given function will determine the seriousness of the failure consequences. A failure in a nonredundant system might represent a critical loss of function for the aircraft, whereas the same failure in a highly redundant system may not even affect operational capability.

EXHIBIT 7.2 The data elements needed for analysis of systems items.

IDENTIFICATION OF ITEM
  Type of aircraft
  Quantity per aircraft
  System designation
  Location(s)
  Item name
  Manufacturer's part number

ITEM INFORMATION
  Item description (general function and major assemblies)
  Redundancies and protective features (including instrumentation)
  Built-in test equipment

AVAILABLE RELIABILITY DATA
  Anticipated premature-removal rate
  Anticipated verified failure rate
  Source of data (test data or operating experience)

OPERATING RESTRICTIONS
  Can aircraft be dispatched with item inoperative? (from MEL)
  If so, do any limiting conditions apply?

RCM INPUT
  Item functions
  Functional failures (as defined for each function)
  Most probable failure modes
  Predictable failure effects (for each failure mode)
  Evidence of functional failure
  Effects of loss of function on operating capability
  Effects of failure beyond loss of function (including ultimate effects of possible secondary damage)
  Nature of failure consequences
  Evidence of reduced failure resistance that can be used to define potential-failure conditions
  Experience with other equipment on which the same or similar item has been used

Another design feature that affects the evaluation of failure consequences is the instrumentation or built-in test equipment for the system. This instrumentation is a major factor in determining whether functional failures will be evident or hidden from the operating crew. It is also necessary to know enough about the duties of the operating crew to judge whether functional failure will be evident during routine activities, either through use of the function or as a result of standard crew checks of certain hidden-function items.
In the airline industry the minimum-equipment list and the configuration-deviation list, issued by the FAA, specify whether or not an aircraft can be dispatched with a given item inoperative. These lists help to determine whether a failure has operational consequences. They are not the sole determinant; a failure that can be corrected quickly may cause no delay in flight schedules, and highly unreliable items may involve occasional operational consequences as the result of a multiple failure. However, any regulations that define acceptable flight configuration are an important part of the initial information requirements.
Exhibit 7.2 lists the data elements that must be collected and organized for each item to be studied. In the case of new aircraft much of this information is supplied by the manufacturer in the various maintenance manuals and stores catalogs furnished with the equipment. For the wide-body Douglas DC-10, for example, the working groups were provided with worksheets, instruction manuals, and schematic diagrams showing nearly all the data available. Usually 200 to 300 of the most important systems, subsystems, and assemblies will be classified either as functionally significant items or as items with hidden functions. If there is any doubt about whether an item is significant or has a hidden function, it is always classified on this basis initially and included in the list of items to receive further study.
Once the data elements for each item have been assembled, they are summarized on descriptive worksheets for convenient reference during analysis. Note in Exhibit 7.3 that the item description indicates the general function of the item, the level of item being considered, and the major assemblies and components it includes. The failure of any one of these components would represent a failure mode for the item itself. In listing the functions of the item it is important to describe both its basic function and each of its secondary functions clearly and accurately, since each of these functions must be analyzed separately. The functional failures should be worded to define the condition that constitutes a failure. Generally this is the condition or state that exists after a failure has occurred.
Failure effects refers to all the immediate results of the failure. For example, one effect of a locked wheel in a brake assembly is a tire blowout, with possible secondary damage to the airplane structure; another

EXHIBIT 7.3 An information worksheet for the air-conditioning pack in the Douglas DC-10.

SYSTEM INFORMATION WORKSHEET

type of aircraft: Douglas DC-10-10
item number:
item name: Air-conditioning pack
vendor part/model no.: Airesearch 9273734
no. per aircraft: 3
system: Air conditioning
zone(s): 110
prepared by: F. S. Nowlan    date: 3/6/78
reviewed by: J. E. Kuhl    date: 3/6/78
approved by:    date:

item description
  Pack delivers temperature-controlled air to conditioned-air distribution ducts of airplane. Major assemblies are heat exchanger, air-cycle machine, anti-ice valve, water separator, and bulkhead check valve.

reliability data
  premature-removal rate (per 1,000 unit hours):
  failure rate (per 1,000 unit hours):
  source of data:

redundancies and protective features (include instrumentation)
  The three packs are completely independent. Each pack has a check valve to prevent loss of cabin pressure in case of duct failure in unpressurized nose-wheel compartment. Flow to each pack is modulated by a flow-control valve which provides automatic overtemperature protection backed by an overtemperature tripoff. Full cockpit instrumentation for each pack includes indicators for pack flow, turbine inlet temperature, pack-temperature valve position, and pack discharge temperature.

built-in test equipment (describe): None

Can aircraft be dispatched with item inoperative? If so, list any limitations which must be observed.
  Yes. No operating restrictions with one pack inoperative

classification of item (check)
  significant  X
  hidden function

functions, functional failures, failure modes, and failure effects

1 To supply air to conditioned-air distribution ducts at the temperature called for by pack temperature controller
  A Conditioned air is not supplied at called-for temperature
    1 Air-cycle machine seized
      Reduced pack flow, anomalous readings on pack-flow indicator and other instruments
    2 Blocked ram-air passages in heat exchanger
      High turbine-inlet temperature and partial closure of flow-control valve by overtemperature protection, with resulting reduction in pack air flow
    3 Failure of anti-ice valve
      If valve fails in open position, increase in pack discharge temperature; if valve fails in closed position, reduced pack air flow
    4 Failure of water separator
      Condensation (water drops, fog, or ice crystals) in cabin

2 To prevent loss of cabin pressure by backflow if duct fails in unpressurized nose-wheel compartment
  A No protection against backflow
    1 Failure of bulkhead check valve
      None (hidden function); if duct or connectors fail in pack bay, loss of cabin pressure by backflow, and airplane must descend to lower altitude

effect is noise and vibration, which will be apparent to the operating crew. The description of failure effects should always include any physical evidence by which the occurrence of a failure can be recognized. Very often this evidence is an instrument indication or a warning light that informs the pilot of a malfunction. In some cases the failure effects also include specific operating restrictions, such as the need to descend to a lower altitude. The failure effects must be described for each type of functional failure, since they help to determine the consequences of that failure for the equipment and its occupants.
All this information is examined, and the item is given a conservative initial classification of significant or nonsignificant on the basis of its failure consequences. Items in either category may have hidden functions; these must be identified whether the item is significant or not. Thus some items may have two classifications. An item classified as significant during the initial partitioning process may later be assigned to no scheduled maintenance, either because its failure consequences do not in fact qualify it as significant or because no maintenance task can be found that will improve its reliability. At this stage, however, any borderline items would be included for analysis.

7.3 ANALYSIS OF TYPICAL SYSTEMS ITEMS

DC-10 air-conditioning pack
nonredundant fuel pump
DC-10 brake assembly
Boeing 747 high-frequency communications subsystem
other typical systems items

ANALYSIS OF AN AIR-CONDITIONING PACK

The air-conditioning pack described in Exhibit 7.3 is the cooling portion of the Douglas DC-10 air-conditioning system. This subsystem was classified as significant during the first review of the DC-10 systems because of its size, complexity, and cost. There are three independent installations of this item, located in the unpressurized nose-wheel side compartment of the airplane (see Exhibit 7.4). Hot high-pressure air, which has been bled from the compressor section of the engine, enters the pack through a flow-control valve and is cooled and dehumidified by a heat exchanger and the turbine of an air-cycle refrigeration machine. The cooled air is then directed through a distribution duct to a manifold in the pressurized area of the airplane, where it is mixed with hot trim air and distributed to the various compartments. The performance of each pack is controlled by a pack temperature controller. Each pack is also monitored by cockpit instrumentation and can be controlled manually if there is trouble with the automatic control system. The pack itself consists of the heat exchanger, the air-cycle machine (which has air bearings), an anti-ice valve, a water separator, and a check valve at the pressure bulkhead to prevent backflow and cabin depressurization if there is a duct failure in the unpressurized area.

EXHIBIT 7.4 The air-conditioning pack in the Douglas DC-10. The location of the three packs in the nose-wheel compartment is indicated at the upper right. (Based on Airesearch maintenance materials)

[Diagram; surviving labels: anti-ice valve, from engine, valve, heat exchanger, ram-air inlet.]

The duct is treated as part of the distribution system; similarly the flow-control valve through which air enters the pack is part of the pneumatic system. The pack temperature controller is part of a complex temperature-control system and is also not analyzed as part of the air-conditioning pack.
Two functions have been listed for the air-conditioning pack. Its basic function is to supply air to the distribution duct at the temperature called for by the pack controller. This function is considered first:

1 Is the occurrence of a failure evident to the operating crew during performance of normal duties?

Any one of the failure modes listed will result in changes in the pack's performance, and these anomalies will be reflected by the cockpit instruments. Hence the functional failure in this case can be classified as evident.
The loss of function in itself does not affect operating safety; however, each of the failure modes must be examined for possible secondary damage:

2 Does the failure cause a loss of function or secondary damage that could have a direct adverse effect on operating safety?

Engineering study of the design of this item shows that none of the failure modes causes any damage to surrounding items, so the answer to this question is no.
The next question concerns operational consequences:

3 Does the failure have a direct adverse effect on operational capability?

Because the packs are fully replicated, the aircraft can be dispatched with no operating restrictions when any one pack is inoperative. Therefore there is no immediate need for corrective maintenance. In fact, the aircraft can be dispatched even if two units are inoperative, although in this event operation would be restricted to altitudes of less than 25,000 feet.
On this basis we would reclassify the air-conditioning pack as a functionally nonsignificant item. Failure of any one of the three packs to perform its basic function will be evident, and therefore reported and corrected. A single failure has no effect on safety or operational capability, and since replacement of the failed unit can be deferred, there are no economic consequences other than the direct cost of corrective maintenance. Under these circumstances scheduled maintenance is unlikely to be cost-effective, and the costs cannot be assessed in any event until after the equipment enters service. Thus in developing a prior-to-service program there is no need to make an intensive search for scheduled tasks that might prevent this type of failure.
When we examine the second function of the air-conditioning pack, however, we find an element that does require scheduled maintenance. The bulkhead check valve, which prevents backflow in case of a duct failure, is of lightweight construction and flutters back and forth during normal operation. Eventually mechanical wear will cause the flapper to disengage from its hinge mount, and if the duct in the unpressurized nose-wheel compartment should rupture, the valve will not seal the entrance to the pressurized cabin.
To analyze this second type of failure we start again with the first question in the decision diagram:

1 Is the occurrence of a failure evident to the operating crew during performance of normal duties?

The crew will have no way of knowing whether the check valve has failed unless there is also a duct failure. Thus the valve has a hidden function, and scheduled maintenance is required to avoid the risk of a multiple failure -- failure of the check valve, followed at some later time by failure of the duct. Although the first failure would have no operational consequences, this multiple failure would necessitate descent to a lower altitude, and the airplane could not be dispatched after landing until repairs were made.
With a no answer to question 1 proposed tasks for the check valve fall in the hidden-function branch of the decision diagram:

14 Is an on-condition task to detect potential failures both applicable and effective?

Engineering advice is that the duct can be disconnected and the valve checked for signs of wear. Hence an on-condition task is applicable. To be effective the inspections must be scheduled at short enough intervals to ensure adequate availability of the hidden function. On the basis of experience with other fleets, an initial interval of 10,000 hours is specified, and the analysis of this function is complete.
In this case inspecting the valve for wear costs no more than inspecting for failed valves and is preferable because of the economic consequences of a possible multiple failure. If multiple failure had no operational consequences, scheduled inspections would still be necessary to protect the hidden function; however, they would probably have been scheduled at longer intervals as a failure-finding task.

EXHIBIT 7.5 A worksheet showing the results of RCM analysis of the air-conditioning pack in the Douglas DC-10. The references in the first column are to the functions, functional failures, and failure modes listed in Exhibit 7.3.

[Worksheet entry for the bulkhead check valve: Disconnect duct to manifold and examine check valve for wear. Not to exceed 10,000 hours.]

Exhibit 7.5 shows the results of the preceding analysis, including the response to each question in the decision diagram. Note that the basis for each answer to the first three questions is directly traceable to the information recorded on the descriptive worksheet in Exhibit 7.3.
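
The decision trail for the two functions of the air-conditioning pack, written out as an added Python example that is not part of the original text: it records the yes/no answers to questions 1 to 3 and 14 as quoted above and re-derives the branch from the recorded answers, which is the check an independent auditor would make. The record layout, the function names, and the inconsistent sample record are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Decision questions 1-3 and 14, worded as they are quoted in the text.
QUESTIONS = {
    1: "Is the occurrence of a failure evident to the operating crew "
       "during performance of normal duties?",
    2: "Does the failure cause a loss of function or secondary damage that "
       "could have a direct adverse effect on operating safety?",
    3: "Does the failure have a direct adverse effect on operational "
       "capability?",
    14: "Is an on-condition task to detect potential failures both "
        "applicable and effective?",
}

@dataclass
class Analysis:
    ref: str                                   # function / functional failure / failure mode
    trail: list = field(default_factory=list)  # ordered (question number, "Y" or "N")
    branch: str = ""
    task: str = "not yet selected"

def _record(analysis, number, yes):
    """Append one answer to the audit trail and hand the answer back."""
    analysis.trail.append((number, "Y" if yes else "N"))
    return yes

def classify(ref, evident, safety=False, operational=False):
    """Ask questions 1-3 in order; stop at the first answer that fixes the branch."""
    a = Analysis(ref)
    if not _record(a, 1, evident):
        a.branch = "hidden function"
    elif _record(a, 2, safety):
        a.branch = "safety"
    elif _record(a, 3, operational):
        a.branch = "operational (economic)"
    else:
        a.branch = "nonoperational (economic)"
    return a

def select_hidden_function_task(a, on_condition_ok, task, interval_hours):
    """Question 14, which the text places in the hidden-function branch."""
    if a.branch != "hidden function":
        raise ValueError("question 14 is asked only in the hidden-function branch")
    if _record(a, 14, on_condition_ok):
        a.task = f"on-condition: {task}; not to exceed {interval_hours:,} hours"
    return a

def branch_from_trail(trail):
    """Re-derive the branch from the recorded answers alone."""
    answers = dict(trail)
    if answers.get(1) == "N":
        return "hidden function"
    if answers.get(2) == "Y":
        return "safety"
    if answers.get(3) == "Y":
        return "operational (economic)"
    if answers.get(3) == "N":
        return "nonoperational (economic)"
    return "incomplete"

def audit(a):
    """Return the inconsistencies an independent reviewer would flag."""
    answers = dict(a.trail)
    problems = []
    if 1 not in answers:
        problems.append("question 1 was never answered")
    if answers.get(1) == "N" and (2 in answers or 3 in answers):
        problems.append("questions 2-3 answered for a hidden failure")
    if answers.get(2) == "Y" and 3 in answers:
        problems.append("question 3 answered after a yes to question 2")
    if 14 in answers and answers.get(1) != "N":
        problems.append("question 14 answered outside the hidden-function branch")
    derived = branch_from_trail(a.trail)
    if derived != a.branch:
        problems.append(f"recorded branch {a.branch!r}, answers give {derived!r}")
    return problems

# Function 1 of the pack: evident, no safety or operational consequences.
PACK_BASIC = classify("1 A", evident=True, safety=False, operational=False)
PACK_BASIC.task = "no scheduled maintenance (prior-to-service program)"

# Function 2: the bulkhead check valve, a hidden function.
PACK_CHECK_VALVE = select_hidden_function_task(
    classify("2 A 1", evident=False),
    on_condition_ok=True,
    task="disconnect duct and check valve for signs of wear",
    interval_hours=10_000,
)

# Constructed record whose stated branch contradicts its own answers.
INCONSISTENT = Analysis("2 A 1", [(1, "Y"), (2, "N"), (3, "N"), (14, "Y")],
                        branch="hidden function")

if __name__ == "__main__":
    for record in (PACK_BASIC, PACK_CHECK_VALVE, INCONSISTENT):
        print(record.ref, record.trail, record.branch, "|", record.task)
        for problem in audit(record):
            print("   audit:", problem)
```
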
ANALYSIS OF A NONREDUNDANT FUEL PUMP

The fuel-pump assembly described in Exhibit 7.6 was classified as a significant item because the aircraft in which it is installed is a single-engine attack plane. This means that a complete loss of function will bring the airplane out of the sky. As indicated on the worksheet, the fuel pump is subject to four types of functional failures. The first of these is loss of fuel flow (and pressure), and the associated failure mode is stripped splines on the main drive shaft.

1 Is the occurrence of a failure evident to the operating crew during performance of normal duties?

Loss of fuel flow results in fuel starvation of the engine and an immediate and complete loss of thrust (flameout). The pilot will sense this loss of thrust by a reduction in engine noise and deceleration of the aircraft, but it will also be evidenced by many instruments - the fuel-pressure indicator, the fuel-flow indicator, the engine tachometer, the airspeed indicator, and the altimeter. The answer to question 1 is therefore yes.
Since the failure is evident, the next concern is with its direct consequences:

2 Does the failure cause a loss of function or secondary damage that could have a direct adverse effect on operating safety?

In the event of a flameout, the pilot must either eject or make the best power-off landing he can, regardless of the landing conditions. In this case the loss of function itself has safety consequences, so it is unnecessary to consider whether either of the failure modes causes hazardous

EXHIBIT 7.6 An information worksheet for the fuel pump in the Douglas A-4, a single-engine attack airplane.

SYSTEM INFORMATION WORKSHEET
type of aircraft: Douglas A-4
item number:
item name: Fuel pump
vendor part/model no.:
system: Fuel supply
zone(s):
no. per aircraft:
page    of
prepared by: F. S. Nowlan    date: 3/6/78
reviewed by: T. M. Edwards    date: 3/6/78
approved by:    date:

item description: Multistage engine fuel pump driven through splined shaft by engine-accessory gearbox. Delivers high-pressure fuel to fuel control and provides fuel-control governor with engine-speed information. Includes a fuel filter and filter bypass.

reliability data
premature-removal rate (per 1,000 unit hours):
failure rate (per 1,000 unit hours):
source of data:

redundancies and protective features (include instrumentation): Fuel flow and fuel pressure are instrumented. Warning light indicates when fuel filter is bypassed, manual fuel-heat control can be used to clear filter of ice particles. Fuel-control unit includes fuel bypass with a constant-flow restrictor that automatically provides sufficient fuel for 80 percent N, engine speed if speed signal is lost.

built-in test equipment (describe): None

Can aircraft be dispatched with item inoperative? If so, list any limitations which must be observed. No

classification of item (check): significant; hidden function; nonsignificant

functions, functional failures, failure modes, and failure effects

1 To pump fuel to engine through fuel-control unit
  A No fuel flow (and pressure)
    1 Stripped splines on main drive shaft
      failure effects: Instruments show no fuel flow and pressure; engine flameout, requiring forced no-power landing

2 To contain fuel, without external leakage
  A External fuel leaks
    1 Worn or damaged main-shaft seals
      failure effects: Small loss of fuel through overboard drains

3 To filter fuel
  A Unable to filter fuel
    1 Filter clogged by ice or debris from wear
      failure effects: Warning light shows filter bypass, possible delivery of contaminated fuel to fuel control and engine; if fuel heater does not correct for ice particles (warning light goes out), airplane must land at nearest airport

4 To provide engine-speed signal to fuel control
  A Loss of engine-speed signal
    1 Stripped splines on fuel-control-governor drive shaft
      failure effects: Fuel control automatically provides fuel for 80 percent N, engine speed, no engine control except manual shutdown; landing hazardous

EXHIBIT 7.7 Schematic diagram of the fuel-pump assembly in the Douglas A-4. The fuel-pump main drive shaft is powered by the airplane engine. (Diagram labels: fuel inlet, fuel-control-governor drive shaft, discharge (to fuel control), impeller drive gears, filter, discharge pressure-relief valve, drive-shaft seals, fuel-pump main drive shaft.)

secondary damage. The yes answer to this question brings us to the safety branch of the decision diagram, where all applicable scheduled-maintenance tasks are required but are considered effective only if they reduce the risk of this failure to an acceptable level.
We must now evaluate possible preventive tasks directed at the failure mode, stripped drive-shaft splines:

4 Is an on-condition task to detect potential failures both applicable and effective?


Periodic inspection of the drive shaft for spline wear will result in the removal of units from service at the potential-failure stage; hence an on-condition task is applicable. If this task reduced the risk of a functional failure to an acceptable level, it would also be considered effective, and the answer to the question would be yes. In an initial program, however, the chief source of information concerning the effectiveness of an on-condition task is prior experience with a similar item. In this case such information is not available, and even though we know the task will be applicable, we have no means of determining that it will provide the degree of protection required. Under these circumstances we would be reluctant to consider this task as meeting the effectiveness criterion, and the answer to the on-condition question must therefore be no.
Since an effective on-condition task has not been identified, we must investigate other types of tasks:

5 Is a rework task to reduce the failure rate both applicable and
effective?

The fuel pump is a complex item, so we would not expect scheduled rework to make a difference in its overall reliability. Such a task might be applicable, however, for a specific failure mode involving a simple part, such as stripped drive-shaft splines. In this case scheduled rework would probably entail removing the pump from the aircraft and sending it to the maintenance base for machine work to restore the splines to "like-new" condition. If analysis of the other failure possibilities identified additional parts that could benefit from rework, there might be quite extensive rework activity while the pump was at the base.
Scheduled rework might lead to an appreciable reduction in fuel-pump failures if the failure modes for which rework tasks were applicable represented a large proportion of the failure possibilities for this item. However, this is an unusual situation for a complex item. Moreover, the information necessary to assess the value of a rework task is not available at the time an initial program is developed. At this stage, therefore, we cannot conclude that scheduled rework would provide any guarantee of operating safety and would have to answer this question no.
A no answer to the rework question means that we must move on to the question of a discard task:

Is a discard task to avoid failures or reduce the failure rate both applicable and effective?

During the development of an initial program the answer to this question must be no unless the pump manufacturer has specified a safe-life limit for the drive shaft.
Since no single task has been identified thus far which will protect against loss of the basic fuel-pump function, there is one further recourse:

7 Is a combination of preventive tasks both applicable and effective?

The answer must again be no, since the only task that might possibly be of benefit is an on-condition inspection of the drive shaft. The outcome of the analysis, therefore, is that scheduled maintenance cannot prevent pump failures, and to avoid critical failures the design must

EXHIBIT 7.8 A worksheet showing the results of RCM analysis of the fuel pump in the Douglas A-4. The references in the first column are to the functions, functional failures, and failure modes listed in Exhibit 7.6.

SYSTEM DECISION WORKSHEET
type of aircraft: Douglas A-4
item name: Fuel pump
columns: ref.; responses to decision-diagram questions (consequences, task selection)

Y Y
N N N N

If airplane must enter service before design is modified, the following responses would be appropriate, although there is no assurance that scheduled tasks will meet effectiveness criterion.

Y Y - Y
N N N N
----
N N N

be changed, in this case to provide redundant pumping capabilities in the fuel-supply system.
What can be done if the aircraft must enter service before the design can be modified? An on-condition inspection of the drive shaft for spline wear can be assigned because such a task is usually effective for a single mechanical part. We do not know whether it will prove effective in this case. A rework task would probably not be scheduled to remachine the splines; instead the shaft would be replaced if the splines were in bad condition. All such tasks, however, would entail scheduled removals, because the fuel pump must be disassembled to gain access to the shaft. The initial intervals would be very conservative, and we

page    of
item number:
prepared by: F. S. Nowlan
reviewed by: T. M. Edwards

proposed task: None. Redesign is necessary to provide sufficient redundancy for operating safety.

proposed task: Inspect main fuel-pump drive shaft for spline wear
  initial interval: Not to exceed 1,000 hours

proposed task: Inspect for external leaks (failure finding)
  initial interval: During walkaround checks and overnight stops

proposed task: Inspect filter for contamination
  initial interval: Not to exceed 60 hours

proposed task: Outcome as for failure of main drive shaft, 1 A 1

would still have to recognize that operating experience may show that these measures are not reducing the hazard to an acceptable level.
In addition to loss of fuel flow as a result of mechanical failure, the pump is also subject to external leaks. While a leak serious enough to affect fuel pressure would be evident to the operating crew, the fact that a leak has formed will not be evident from the cockpit instrumentation. The answer to the first decision question is therefore no, which takes us to the hidden-function branch of the diagram. As indicated by the answers recorded in Exhibit 7.8, there are no applicable and effective on-condition, rework, or discard tasks in this case. Therefore we arrive at the default alternative and must schedule a failure-finding task, an inspection during walkaround checks and overnight stops for any leaks that exceed a specified value.
The third type of functional failure results from clogging of the fuel filter. A warning light informs the pilot when this condition exists, so the failure is classified as evident. It does not present any safety problems, but it does have operational consequences, since a single-engine plane must land at the nearest airport and cannot be dispatched until this condition has been corrected. An on-condition inspection of the fuel filter for contamination is applicable. In this case the failure consequences are economic; hence the criterion of task effectiveness is cost. The cost of performing this task is so low that it would be judged as cost-effective in an initial program. As a result of experience with other fuel pumps, an initial interval of 60 hours is set for this check.
The fourth type of failure is inability to provide engine-speed information to the fuel-control assembly, caused by failure of the governor drive shaft (see Exhibit 7.7). Since the analysis of this failure is similar to that for failure of the main drive shaft, the details are not repeated in Exhibit 7.8. If tasks were scheduled, they would be performed at the same time as those for the main drive shaft.

ANALYSIS OF A LANDING-GEAR BRAKE ASSEMBLY

The brake assembly for the main landing gear of the Douglas DC-10 is classified as significant because the primary function of the braking system is to provide stopping capability after landing or during other ground operation. Since a complete loss of this function would clearly have safety consequences, it is necessary to consider how the brake assembly contributes to the overall system function. The full braking capacity is rarely used, and its effect is masked by concurrent use of reverse thrust from the engine. As a result, the pilot is not likely to notice the reduction in stopping capability caused by a failure in one brake assembly of a multiwheeled landing gear. This item therefore has hidden functions as well. Had there been a difference of opinion about the crew's ability to detect this condition, the default strategy would also have required that these functions be classified as hidden.

EXHIBIT 7.9 The brake assembly on each wheel of the main landing gear of the Douglas DC-10. (Based on Goodyear maintenance materials) (Diagram labels: pressure plate, backing plate of torque tube.)

EXHIBIT 7.10 An information worksheet for the main-landing-gear brake assembly of the Douglas DC-10.

SYSTEM INFORMATION WORKSHEET
type of aircraft: Douglas DC-10-10
item number:
item name: Brake assembly, main landing gear
vendor part/model no.: Goodyear 5OOmS
system: Landing gear
no. per aircraft: 8
page    of
prepared by: F. S. Nowlan    date: 3/6/78
reviewed by: T. M. Edwards    date: 3/6/78

item description: Multiple-plate disk brake (seven rotors and six stators) powered by eight hydraulic-driven pistons. Pressure line to this assembly is included for purposes of analysis.

reliability data
premature-removal rate (per 1,000 unit hours): 1 per [...] landings
failure rate (per 1,000 unit hours):
source of data: Similar equipment

redundancies and protective features (include instrumentation): One brake assembly in each wheel (four) of each main-landing-gear truck. Separate hydraulic systems power half the pistons in each brake; loss of brake fluid due to failed pressure line to wheel prevented by fluid quantity limiters in each hydraulic system. Engine thrust reverser provides another source of stopping capability. Wheelwell is designed to prevent critical secondary damage by debris from tire failure.

built-in test equipment (describe): Visual wear indicators

Can aircraft be dispatched with item inoperative? If so, list any limitations which must be observed. Yes. If one brake assembly inoperative, gross takeoff and landing weights must be reduced.

classification of item (check): significant; hidden function

functions, functional failures, failure modes, and failure effects

1 To provide stopping capability on command during ground operation
  A No braking action
    1 Brake wear to point of seizure
      failure effects: Wheel skid, causing tire blowout; audible noise and vibration, possible extensive secondary damage to systems within wheelwell; requires correction before dispatch
  B Reduced braking action
    1 Broken pressure line
      failure effects: No braking action from half the actuating pistons in one assembly, causing reduced braking capability and slightly increased minimum stopping distance

2 To release brakes
  A Dragging brake
    1 Malfunction of adjuster assembly
      failure effects: Increased wear of pad and disk; overheating of brake and tire may cause tire fuse plugs to blow, with landing on flat tire and secondary damage from the failure; requires correction before dispatch

3 To contain hydraulic fluid
  A External hydraulic leaks
    1 Damaged or distorted piston seals
      failure effects: Slow loss of hydraulic fluid from one system

A review of the design characteristics of the DC-10 shows that each truck on the main landing gear has four wheels, and each wheel has a multiple-disk brake assembly consisting of seven rotors and six stators (see Exhibit 7.9). The brakes are powered by eight pistons, four of which are driven by one hydraulic system and four by another. Without this extensive replication, especially of the wheels on each truck, reduced stopping capability in one brake assembly might be a critical failure. In this case the failure results only in slightly increased stopping distances. One of the failure effects, however, is a possible tire blowout, with secondary damage caused by rubber thrown from the damaged tire. Brake assemblies can be replaced in the field, but the time required will cause delays. The aircraft can also be dispatched with one assembly inoperative, but only at a great penalty in operating weight. Thus any observed failure of a brake assembly has operational consequences.
Note that in this case the primary function of the brake assembly is subject to two failure possibilities, no braking action and reduced braking action. Each of these functional failures must be considered separately. The first type of failure is no braking action, caused by brake wear:

1 Is the occurrence of a failure evident to the operating crew during
performance of normal duties?

If the brake pads are allowed to wear beyond a certain point, they come loose from the rotor and jam between the rotors and stators, causing the brake to seize. The wheel will therefore not rotate on landing, and the tire will skid and blow out, throwing pieces around the wheelwell. The resulting noise and vibration would be evident to the flight crew; thus the answer to this question is yes.
With a yes answer to question 1 we must now consider the possible consequences of this failure:

Does the failure cause a loss of function or secondary damage that could have a direct adverse effect on operating safety?


The loss of braking function for one of the eight wheels is not in itself critical, so the answer to the first part of this question is no. The answer to the second part is also no, because this failure has been taken into account in the design of the wheelwell, so that secondary damage from occasional tire failures will not be critical.
Although a scheduled task is not required for safety reasons, the secondary damage does have serious operational consequences:

Does the failure have a direct adverse effect on operational capability?

In addition to the time required to exchange the brake assembly, this particular type of failure can result in extensive damage to hydraulic lines, flight-control surfaces, and other fail-safe systems. Thus the secondary damage alone may prevent the airplane from being dispatched. Such a failure therefore has serious economic consequences, and we must consider the possible preventive tasks.
The first choice is an on-condition task directed at detecting brake wear:

Is an on-condition task to detect potential failures both applicable
and effective?

This brake assembly is equipped with wear indicators that show when the pad and disk stack have reached a wear level that calls for replacement. Since the wear indicators make it possible to define a potential-failure condition, an on-condition task is applicable; it will also be effective as long as the inspection interval is short enough to ensure sufficient remaining pad to keep the brake from locking.
In an initial program inspection of the wear indicators might be assigned for every overnight layover at a maintenance station, since this would be a convenient time to change brake assemblies if a potential failure is found. The brake assembly will ordinarily be removed if the wear indicator shows that fewer than 30 more landings are possible. The wear indicators will also be checked at every preflight walkaround, but the wear criterion will be less stringent. The objective is for the overnight mechanics to be the first to identify the need for a brake change, to reduce the number of delays incurred by the discovery of potential failures in the field.
The second type of functional failure, reduced braking action, is caused by a broken pressure line, the line from the fluid quantity limiter to the brake assembly itself. (These lines are treated as part of the brake assembly because the limiters and lines are independent for each system to each wheel.) Analysis of this failure possibility takes us again to the first question in the decision diagram:

1 Is the occurrence of a failure evident to the operating crew during performance of normal duties?


A broken pressure line will result in a loss of function for only half the actuating pistons in the affected assembly, as the limiter stops the flow of hydraulic fluid when the line breaks. Thus the other four pistons in the assembly will still provide normal braking action. There is sufficient braking margin that the slight reduction in braking capability would not come to the attention of the operating crew; that is, the failure would not be evident.
A no answer to the first question means that a scheduled task is required to ensure that the failure will be found and corrected, and further analysis falls in the hidden-function branch of the decision diagram. In this case either one of the directly preventive tasks or a failure-finding task must be assigned to avoid the risk of a multiple failure. The choice depends on technical feasibility and relative cost.

14 Is an on-condition task to detect potential failures both applicable
and effective?


EXHIBIT 7.11 A worksheet showing the results of RCM analysis of the Douglas DC-10 brake assembly. References in the first column are to the functions, functional failures, and failure modes listed in Exhibit 7.10.

SYSTEM DECISION WORKSHEET
type of aircraft: Douglas DC-10-10
item name: Brake assembly, main landing gear
columns: ref.; responses to decision-diagram questions (consequences, task selection)


On-condition inspections are not applicable for this failure mode because we cannot define a condition that will preclude functional failures. This brings us to the question of a rework task:

15 Is a rework task to reduce the failure rate both applicable and effective?

At the time the initial program is developed there is no information to indicate that a rework task is applicable and will be cost-effective; hence the answer to this question is no.

16 Is a discard task to avoid failures or reduce the failure rate both applicable and effective?

Once again, there is no information to support the applicability of an economic-life limit, so the answer in an initial program is no. A failure-finding task is therefore required, an inspection during preflight walkarounds and overnight layovers to check for broken lines.

page    of
item number:

proposed task: Inspect brake wear indicators
  initial interval: During walkaround checks and overnight stops

proposed task: Inspect for broken lines (failure finding)
  initial interval: During walkaround checks and overnight stops

proposed task: Test automatic brake adjuster
  initial interval: Whenever brake assembly is in shop

proposed task: Inspect for external leaks (failure finding)
  initial interval: During walkaround checks and overnight stops

In addition to its primary function of providing stopping capability, the brake assembly has two further functions. It must be capable of releasing the brake, so that it does not drag, and it must contain the hydraulic fluid. Brake drag is caused by a malfunctioning automatic brake adjuster, and this subassembly is not visible unless the brake assembly is removed and disassembled. In most cases the only effect of this failure is increased brake wear, which will show up on the brake wear indicator. Thus the brake assembly will eventually be removed for repair as a result of the on-condition task already scheduled, and the automatic adjuster can then be checked and adjusted as necessary while the assembly is in the shop. In a few cases the failure effects may include overheating of the brake assembly, pulling of the brake on one side, a blowout of the tire-pressure plug, and possibly a landing on a flat tire; in short, the same ultimate effects as those caused by a locked brake. In this event the failure would be evident to the operating crew; however, the same additional task would apply in either case: a shop specification to inspect the automatic brake adjuster on all brake assemblies that come in for repair.
The last type of failure, hydraulic leaks caused by damaged or distorted seals, results in a slow loss of fluid from the hydraulic system. Like the broken pressure line, this failure possibility falls in the hidden-function branch. If some leakage were permitted, so that a slight leak could be defined as a potential failure, an on-condition task would be applicable. In this case, however, any leak is defined as a functional failure. Rework and discard tasks are not applicable for this failure mode, so the only choice, by default, is a failure-finding task, an inspection during preflight walkarounds and overnight layovers for external leaks.
The results of this analysis are summarized in Exhibit 7.11. Note that we have discussed four types of functional failures, all of which could ultimately affect the stopping capability of the airplane. If we had treated reduced stopping capability as a single functional failure, we would have considered exactly the same failure modes and identified exactly the same inspection tasks for inclusion in the program.

ANALYSIS OF A HIGH-FREQUENCY COMMUNICATIONS SUBSYSTEM

The information worksheet in Exhibit 7.12 describes the high-frequency communications system used for voice communications on Boeing 747 aircraft operated on long overwater flights. This system consists of two identical subsystems which are completely independent of each other, right down to the antennas and the source of electrical power from the airplane's power-supply system. Thus either subsystem provides the full system function. Additional sources of voice communication are provided by a separate very-high-frequency system. Each of the subsystems consists of numerous assemblies and components, all of which have specific functions. However, failure of any one of these components results in only three types of failure in terms of communications: inability to transmit, inability to receive, or inability to select the desired channel (frequency).

1 Is the occurrence of a failure evident to the operating crew during performance of normal duties?

The failure effects described in Exhibit 7.12 show that any of these three
basic types of failure will immediately be evident to the operating crew.
Hence the answer to the first decision question is yes.

Does the failure cause a loss of function or secondary damage that could have a direct adverse effect on operating safety?

Because of system redundancy, none of the failures will result in a loss of the system function and will therefore not affect operating safety, so the answer to this question is no.
This brings us to the question of operational consequences:
Does the failure have a direct adverse effect on operational
capability?

Most of the major assemblies in this item are plug-in/plug-out units and can be changed very quickly after a failure has occurred. The time required to replace a failed unit may result in no delay if the failure is reported at a maintenance station, but it will cause a delay if the failure report is received at a nonmaintenance station. Since both subsystems must be operative before the plane can be dispatched, a failure is considered to have operational consequences. This means that the item must be classified as significant.
At this point we would ordinarily examine each failure mode to find preventive tasks that are both applicable and cost-effective. However, past experience with this type of system has shown that, although each major assembly is subject to many failure modes, current technology provides no means of detecting reduced failure resistance. There are therefore no applicable forms of on-condition inspection. We would not expect scheduled rework to reduce the failure rate in a complex item, and in fact it does not. By the same token, discard tasks are not

EXHIBIT 7.12 An information worksheet for the high-frequency communications subsystem in the Boeing 747.

SYSTEM INFORMATION WORKSHEET
type of aircraft: Boeing 747
item number:
item name: High-frequency communications subsystem
vendor part/model no.: All models
system: Communications
zone(s):
no. per aircraft:
page    of
prepared by: F. S. Nowlan    date: 5/6/70
reviewed by: E. S. Wagner    date: 3/6/78
approved by:    date:

item description: Communications subsystem consisting of receiver, transmitter, power modulator, frequency-selector panel, antenna coupler, accessory unit, lightning arrester, and boom antenna.

reliability data
premature-removal rate (per 1,000 unit hours):
failure rate (per 1,000 unit hours):
source of data:

redundancies and protective features (include instrumentation): The system consists of two identical independent subsystems which can be used simultaneously for transmitting or receiving on any frequency. Backup systems include a very-high-frequency system for relay of messages and SELCAL (selective calling), which allows ground stations to ring bell in cockpit to notify crew of call.

built-in test equipment (describe): Fault-annunciator panel on accessory unit

Can aircraft be dispatched with item inoperative? If so, list any limitations which must be observed.

classification of item (check): significant; hidden function; nonsignificant

functions, functional failures, failure modes, and failure effects

1 To transmit voice signals
  A No output
    1 Many
      failure effects: No voice amplification, no response to transmission; loss of backup-frequency transmitting capability

2 To receive voice signals
  A No reception
    1 Many
      failure effects: No background noise from receiver, no messages heard; loss of backup-frequency monitoring capability

3 To select desired channel
  A Failure to tune to selected channel
    1 Failure of frequency selector
      failure effects: No response to transmission on expected frequencies; possible loss of backup-frequency monitoring capability

EXHIBIT 7.13 A worksheet showing the results of RCM analysis of the Boeing 747 high-frequency communications subsystem. The references are to the functions, functional failures, and failure modes listed in Exhibit 7.12.

SYSTEM DECISION WORKSHEET
type of aircraft: Boeing 747
item name: High-frequency communications subsystem
columns: ref. (FF, FM); responses to decision-diagram questions (consequences, task selection)

----
N N N

N Y
----
N N N

N Y
----
N N N

applicable. We must therefore conclude that this system cannot benefit from scheduled maintenance. If operating experience shows that its reliability is inadequate, especially as the result of a dominant failure mode, design changes directed at the faulty component will be the only way of overcoming the problem. The results of this analysis are shown in Exhibit 7.13.
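
The question order followed in the fuel-pump, brake-assembly and communications analyses above can be written as a short routine. The Python below is an added example, not part of the original report: it encodes only the questions and default outcomes stated in this section and replays the section's own cases. The class, field and function names, and the handling of a failure that is evident but has neither safety nor operational consequences, are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Failure:
    name: str
    evident: bool               # evident to the operating crew during normal duties?
    safety: bool = False        # direct adverse effect on operating safety?
    operational: bool = False   # direct adverse effect on operational capability?
    on_condition: bool = False  # each task flag means "applicable AND effective"
    rework: bool = False
    discard: bool = False
    combination: bool = False   # asked only in the safety branch


def decide(f):
    """Return (branch, outcome, trace) for one failure possibility."""
    trace = [("evident to crew", f.evident)]
    if not f.evident:
        branch = "hidden function"
    else:
        trace.append(("affects operating safety", f.safety))
        if f.safety:
            branch = "safety"
        else:
            trace.append(("affects operational capability", f.operational))
            # Assumption: the "nonoperational" case is not walked through here.
            branch = "operational" if f.operational else "nonoperational"

    tasks = [("on-condition", f.on_condition),
             ("rework", f.rework),
             ("discard", f.discard)]
    if branch == "safety":
        tasks.append(("combination of tasks", f.combination))
    for task, ok in tasks:
        trace.append((task + " applicable and effective", ok))
        if ok:
            return branch, task, trace

    # Defaults as stated in the text: redesign when safety is involved,
    # failure finding for hidden functions, otherwise nothing is scheduled.
    default = {"safety": "redesign",
               "hidden function": "failure-finding"}.get(
                   branch, "no scheduled maintenance")
    return branch, default, trace


def answers(trace):
    """Render a trace as the Y/N string recorded on a decision worksheet."""
    return " ".join("Y" if ok else "N" for _, ok in trace)


# Inputs taken from the analyses in this section (initial-program answers).
CASES = [
    Failure("A-4 fuel pump: stripped main-shaft splines", evident=True, safety=True),
    Failure("A-4 fuel pump: external leaks", evident=False),
    Failure("A-4 fuel pump: clogged filter", evident=True,
            operational=True, on_condition=True),
    Failure("DC-10 brake: wear to point of seizure", evident=True,
            operational=True, on_condition=True),
    Failure("DC-10 brake: broken pressure line", evident=False),
    Failure("747 HF subsystem: no output", evident=True, operational=True),
    Failure("Ejection-seat pyrotechnic device", evident=False, discard=True),
]


def run_cases():
    return {f.name: decide(f)[:2] for f in CASES}


if __name__ == "__main__":
    for f in CASES:
        branch, outcome, trace = decide(f)
        print(f"{f.name:45} {answers(trace):12} {branch:16} {outcome}")
```
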
ANALYSIS OF OTHER TYPICAL SYSTEMS ITEMS


The failure of a hidden function cannot, by definition, have a direct effect on operating safety. In some cases, however, the consequences of a multiple failure involving the loss of this function can be critical. This situation is characteristic of emergency equipment, where the demand for a hidden function arises as the result of some other failure. Two examples are the powerplant fire-warning system and ejection-seat pyrotechnic devices. All such items must be protected by some scheduled task to ensure that the hidden function will be available if it is needed.
The powerplant fire-warning system is active whenever an airplane is in use, but its function is hidden unless it senses a fire. Although some warning systems include fault indicators, certain failure modes can result in a loss of function that is not shown by the indicators; consequently this system is always classified as a hidden-function item. However, the required failure-finding task is not necessarily performed

page    of
item number:
prepared by: F. S. Nowlan
reviewed by: E. S. Wagner

proposed task: None. There are no applicable and effective scheduled-maintenance tasks for this system.

by the maintenance crew. In this case it is specified as part of the duties


of the operating crew. The crew tests the system before each flight by
means of a built-in self-test circuit.
The pyrotechnic device in an ejection seat is also a hidden-function
item that requires a high degree of availability. Pyrotechnic materials
deteriorate with age whether they are installed or not, so a discard task
is applicable to this item. In an initial program the task interval is set
either conservatively low or at a life limit based an previous experience
with the same item in other aircraft. All units are tested when they are
removed from service to see whether they would have worked, and the
interval is adjusted as necessary on the basis of the test results. The
cool-gas generator for the inflatable evacuation chute of passenger aircraft is accorded the same treatment.
Although systems items in commercial transport airplanes rarely
fall in the safety branch of the decision diagram, not all systenls components can be protected by redundancy. One example is the hydraulic
landing-gear actuator, which powers the mechanism that raises and
lowers the landing gear. If the actuator fails to retract the gear, the airplane must return to the point of takeoff. If it fails to extend the gear, the
gear can still be extended by a free-fall feature. In either case the loss of
function does not affect safety, but one of the failure modes does cause
secondary damage.
One failure mode for these actuators involves cracking or separation of the endcap as a result of fatigue, perhaps accelerated by pitting
corrosion. This type of failure may cause secondary damage to the aircraft structure, but only in the unlikely event of certain multiple failures.
The structural damage in this case does not affect safety, but it does have
major operational consequences, since any structural repairs take the
entire aircraft out of service. Pitting corrosion, which will greatly shorten
the fatigue life of the endcap, is visible when the actuator is disassembled
in the shop. An on-condition inspection for corrosion is therefore applicable and would be scheduled as part of any shop visit of the landing-gear actuator. However, the primary failure process is fatigue, and it is
not feasible to inspect the endcap often enough to detect fatigue cracks
at the potential-failure stage. Scheduled rework is not applicable for this
failure mode. A discard task would take care of the fatigue problem, but
this particular cap was designed for a fatigue life greater than the expected service life of the airplane; hence a life limit was considered
unnecessary.

7.4 ESTABLISHING TASK INTERVALS


initial intervals
the role of age exploration

At the time an initial maintenance program is developed there is usually
enough information to determine the applicability of on-condition and
failure-finding tasks. However, the information needed to determine
optimum inspection intervals is ordinarily not available until after the
equipment enters service. In many cases previous experience with the
same or a similar item serves as a guide, but in the absence of actual
operating data it is necessary to set conservatively short intervals for all
tasks and increase them on the basis of age exploration. Thus on a new
aircraft the tires and brake wear indicators are ordinarily checked once a
day to determine the rate of reduction in failure resistance under actual
operating conditions. Once this has been established, precise limits can
be defined for potential failures and the inspection intervals can be
adjusted as necessary.
Scheduled rework tasks have proved to be ineffective for complex
items in systems, and in any case, the information required to determine
their applicability is rarely available until sufficient operating experience has accumulated for an actuarial analysis. Occasionally prior experience or concern about the economic impact of failures leads to the
specification of rework tasks in an initial program. Seven items were
specified for rework in the Douglas DC-10 program and eight in the
Boeing 747 program. The DC-10 generator control unit was scheduled
for rework at an initial interval of 3,000 hours, the DC-10 high-pressure
bleed-control valve at an interval of 8,000 hours, and the Boeing 747
generator at an interval of 5,000 hours.

The intervals for safe-life items are known at the outset, since these
are established by the manufacturer. Economic-life discard tasks for
simple items such as hydraulic lines may be anticipated in an initial
program, but they are rarely included at this stage. Like rework tasks,
there is no basis for establishing a cost-effective interval until the equipment begins to age in service. The role of age exploration, especially in
monitoring the performance of the many systems assigned to no scheduled maintenance, is discussed in detail in Chapter 11.

CHAPTER EIGHT

The powerplant division of an airplane includes only the basic engine.
Engines are complex, however, and are subject to numerous forms of
failure, most of which are expensive and some of which are critical. Moreover, nearly all powerplant failures have operational consequences,
since it is usually necessary to remove an engine and install a replacement after a failure has occurred. Thus the cost of failure includes both
operational consequences and the support cost of very expensive replacement
units, in addition to the high cost of corrective maintenance.
For all these reasons there is a particularly strong incentive to find
applicable and effective preventive tasks.
The powerplant is accompanied by a number of engine-driven
accessories, such as the fuel pump and the fuel-control system. On
some types of engines the thrust reverser is also an accessory, rather
than an integral part of the engine. These accessories, as well as their
connecting links to the engine, are treated as part of the systems division. However, some of the failure possibilities to which they are exposed will influence the functioning of the engine itself; a fuel-pump
failure, for example, may cause an engine flameout. It is therefore important for the study group working on the powerplant program to
review the analyses of the essential engine accessories.
Because of its complexity a turbine engine is subject to a great
many types of failures, most of which never reach the functional-failure stage. While potential failures may result in age-related removals, particularly if there are dominant failure modes, the residual failure rate, those failures seen by the operating crew, remains relatively
constant at all ages because of the large number of failure modes involved. This fact has several implications for a scheduled-maintenance
program. First of all, because those functional failures that cannot be
prevented by on-condition tasks occur at widely disparate ages, scheduled overhaul of the entire engine at some particular age will do little
or nothing to improve its reliability. However, engine removals for
both potential and functional failures result in a continual flow of engines to the shop throughout their operating lives, thus providing the
opportunity for a more effective form of protection through on-condition
tasks scheduled as part of the repair process. New engines in particular
supply an abundance of such opportunity samples, and the assignment
of internal engine parts to inspections for intensive age exploration is
an important part of the initial powerplant program.

8.1 CHARACTERISTICS OF POWERPLANT ITEMS

the basic engine function
design characteristics
maintenance characteristics

The operating gross weights of transport aircraft are not only restricted
by structural considerations; they are also restricted flight by flight to
ensure that a multiengine airplane will have a specified performance
capability, measured as available rate of climb, after a complete loss of
thrust from one engine (in some cases two engines). Hence the airplane
is capable of safe operation with one engine inoperative as long as the
remaining engines meet specified performance requirements. For this
reason the basic function of an aircraft engine is defined as the capability of providing a specified amount of thrust, without vibration and
at acceptable levels of other operating parameters. If an engine cannot
perform this function, a functional failure has occurred. This failure may
range from a complete loss of thrust (an engine shutdown) to insufficient thrust, caused, for example, by high exhaust-gas temperatures. In
aircraft other than civilian transport airplanes the basic function of the
engine can still be stated in terms of specified thrust, but the consequences of a functional failure might be quite different. In a single-engine aircraft, for instance, a significant loss of thrust would have a
direct effect on operating safety, since there is only one source of power.
Cockpit instruments enable the operating crew to monitor most
aspects of engine performance, such as compressor rotation speed,
exhaust-gas temperature, fuel flow, oil pressure, oil-inlet temperature,
and the engine pressure ratio. The engine pressure ratio is correlated
with engine thrust, and power is set by advancing the throttle until a
desired pressure ratio is reached. Ordinarily power will be obtained at
an exhaust-gas temperature well below the maximum limit. However,
when there is deterioration that reduces combustion efficiency or the
efficiency of gas flow through the engine, more throttle movement, and
hence more fuel consumption, is needed to obtain the same power.
Consequently the exhaust-gas temperature is increased, and the engine
may become temperature-limited even though no parts within it have
failed. An engine failure of this kind always has operational consequences because, although a multiengine airplane can safely complete
its flight with one engine inoperative, it cannot be dispatched in this
condition.
In addition to failures resulting from inefficient engine performance, an aircraft engine is subject to numerous other failure modes,
some of which cause secondary damage that presents a safety hazard.
For both these reasons the engine as a whole must be classified as a
significant item; a functional failure may have safety consequences and
always has major economic consequences. If the engine is partitioned
into smaller items, by module or by stage, many of its components will
also be classified as significant items.
As an example, consider the Pratt & Whitney JT8D engine, which is
in use on such aircraft as the Boeing 737, the Douglas DC-9, and the
Boeing 727. This turbine engine has five general sections, as illustrated
in Exhibit 8.1. The compressor section consists of two axial-flow compressors, a front low-pressure compressor with six stages and a rear
high-pressure compressor with seven stages. Each compressor is built
up from individual disks for each stage. These disks rotate, and small
blades attached to their peripheries compress the air as it flows by
them. Air from the inlet section of the engine flows into the front compressor. The first two stages of this compressor are fan stages, and some
of the air that flows through them bypasses the other compressor stages;
the rest moves on to higher stages, with its pressure increased at each
successive stage. The compressed air then enters the nine-can (can-annular) combustion chamber. Fuel is added to the air, the mixture
is burned, and the expanding gases flow through a four-stage turbine
and finally pick up speed as they are expanded out of the exhaust nozzle,
thereby creating thrust.

EXHIBIT 8.1 Schematic diagram of the Pratt & Whitney JT8D turbine
engine. The thrust reverser is not shown. (Based on Pratt & Whitney
training materials)
[Figure labels: first and second fan stages; secondary air flow; primary air flow; low-pressure and high-pressure compressors; compressor disk/blade assembly; first-stage nozzle guide vanes; first-stage turbine blades; turbine disk/blade assembly; exhaust nozzle.]

Each stage of the turbine is a disk with blades on its periphery, somewhat like the compressor stages. The forward stage of the turbine drives
the high-pressure compressor and the other three stages drive the low-pressure compressor by means of concentric rotor shafts. Power is taken
from the outer shaft by bevel gears and directed down a towershaft to
the main accessory case. Each accessory attached to this case is driven
by a spline-pinion connection to the main gear. Plenum rings and ports
built into the engine case bleed off air from the sixth, eighth, and thirteenth stages of the compressor and direct it into ducting; this high-pressure air supplies the pneumatic system for cabin pressurization, air
conditioning, anti-icing, thrust-reverser actuation, and engine cross-starting capability.
The thrust reverser is an accessory on the JT8D engine and would
ordinarily be analyzed as a systems item. However, in some installations it is attached in such a way that it is removed along with the basic
engine, and on other types of engines it is often part of the basic engine.
For convenience, therefore, we will consider it as a powerplant item in
this case. The thrust reverser is mounted behind the exhaust nozzle.
It is of the mechanical-blockage type and moves two clamshell-shaped
deflectors into the exhaust stream on the pilot's command. The deflected
exhaust is then redirected forward by a panel of cascade vanes mounted
on each side of the engine. The reverser is actuated pneumatically by a
system of controls, valves, actuators, linkages, and plumbing.
When the engine is partitioned into modules (systems), sections
(subsystems), and stages (assemblies), some modules will be found to
contain very few parts that are not significant. In a compressor, for
example, the disks, hubs, and shafts are all significant items. Failures
of most of the rotating parts and parts exposed to the gas path will be
evident to the operating crew from the cockpit instruments; they will
therefore have operational consequences. Failures of nonrotating, non-gas-path parts, many of which form plenums (containing gases under
pressure) or reservoirs (containing operating fluids such as oil) may not
be evident and will require scheduled inspections for this reason. In
short, there are very few parts of an engine that do not require some
form of scheduled maintenance.
Because of the great number of failure modes to which an aircraft
engine is exposed, RCM analysis of powerplant items may fall in any
of the four branches of the decision diagram. Many engine parts are
subject to failures with critical secondary damage and will therefore be
assigned safe-life discard tasks. In an initial powerplant program, however, the most frequent outcome in any consequence category is an on-condition task, with intensive inspection of certain items as part of the
age-exploration plan. One reason for this is that corrective maintenance
on engines is responsible for more than half the support cost for any
airplane, and even when fractured parts do not cause hazardous damage, they may cause damage that is very expensive to repair. Another
reason, of course, is to avoid the safety and operational consequences
of a functional failure.
On-condition inspections of powerplant items are performed at
two levels, depending on the accessibility of the item. Many items can
be inspected visually or by borescope and radiography techniques
while the engine is on the aircraft. Most internal engine parts cannot
be inspected without a certain amount of disassembly. These parts are
therefore assigned on-condition inspections in the shop when the engine is being disassembled for repair. When the combustion-chamber
retaining lug is removed, for example, a plug gage is fitted into the lug.
If the fit meets specifications the combustion chamber can be reinstalled as is; otherwise it is routed to repair.
Whereas on-condition inspections on installed engines are performed at fixed intervals, the shop inspections of internal engine items
are scheduled on the basis of opportunity samples, sometimes with a
maximum age interval as a precaution. Opportunity samples take advantage of the fact that with large fleets of multiengine airplanes there
will be a sufficient flow of engines through the shop to provide continuing exposure of all the major parts. During the first few years of
operation, when the fleet is small, the failure rate is usually also at its
highest, which automatically brings a larger number of engines to the
shop. These frequent shop visits not only provide information on the
items that have failed, but also permit easy inspection of all the parts
that must be removed to gain access to the failed item. Thus, in addition
to the on-condition tasks that are known to be applicable, in an initial
program many internal engine parts are assigned such inspections for
the purpose of age exploration. Although some of these inspections may
prove to have no real on-condition capability, they will be the only
source of information on items that are not experiencing failures.

8.2 ASSEMBLING THE REQUIRED INFORMATION

initial information requirements
the information worksheet

The analysis of significant items in an aircraft powerplant requires a
broad knowledge of current maintenance practices, as well as a detailed
understanding of the specific engine under consideration. The members of the powerplant working group will know from previous experience the areas of the engine that tend to be the most troublesome in new
designs. They will also be familiar with the various forms of on-condition
inspection and the uses of opportunity sampling in conducting age
exploration. In addition to this background information, the engine
manufacturer provides specific information about any new engine by
reviewing the design characteristics of the production model with the
entire working group. During this process similarities to and differences
from in-service types of engines become apparent. The review also pinpoints areas in which new, or relatively new, technology has been
incorporated in the design, either to reduce the weight of the engine or
to increase its performance capabilities.
New aircraft engines are designed and developed over a period of
years preceding certification of the aircraft in which they are installed.
Extensive testing is conducted at each stage of development to ensure
that a reliable product is being developed. Many different prototype
engines are usually used during the certification test flights of the airplane itself, and experience with these engines gives the manufacturer
an opportunity to identify and resolve any problems that come to light.
In addition, once the engine design is stabilized, several engines are
tested in endurance runs, either as part of the engine certification program or as an adjunct to it. Unfortunately this early experience may not
be of great use during the development of an initial maintenance program, because the engine will usually have been modified to correct
any known problems before the production engines are delivered. The
development of an effective powerplant maintenance program thus
depends heavily on the knowledge and experience of the working
group.

EXHIBIT 8.2 The data elements needed for analysis of powerplant
items.

IDENTIFICATION OF ITEM
Type of aircraft
Quantity per engine
Type of engine
Location (section/module)
Item name
Manufacturer's part and model number

ITEM INFORMATION
Item description (general function and major parts)
Redundancies and protective features (including instrumentation)
Built-in test equipment

AVAILABLE RELIABILITY DATA
Anticipated premature-removal rate
Anticipated verified failure rate
Source of data (test data or operating experience)

RCM INPUT
Item functions
Functional failures (as defined for each function)
Most probable failure modes
Predictable failure effects (for each failure mode)
Evidence of functional failure
Effects of loss of function on operating capability
Effects of failure beyond loss of function (including
ultimate effects of possible secondary damage)
Nature of failure consequences
Evidence of reduced failure resistance that can be used to
define potential-failure conditions
Experience with other engines containing the same or
similar item

Exhibit 8.2 lists the data elements that must be assembled before
analysis begins. Much of this information comes from detailed review
of the production model, supplemented by the manufacturer's instruction manuals and test data. The data elements for each item to be analyzed are recorded on an information worksheet like that used for
systems items. In the case of powerplant items the manufacturer's
identification is usually functionally descriptive in itself. However, the
item description should include all major components and should reflect
the level of item being considered (see Exhibit 8.3). Where the item is
a module or stage, the description should list all the major assemblies it
contains.
As with systems items, it is important to list all redundancies and
protective features. Bypasses and pressure-relief systems, as well as the
extent of the cockpit instrumentation, are all factors in evaluating the
consequences of a functional failure. If the engine case is designed to
contain fractured parts, this information should be included, since it
means that the secondary damage resulting from certain failures will
not have safety consequences (although it may have major economic
consequences). Ordinarily an aircraft cannot be dispatched with any
major engine item inoperative (this information comes from the minimum-equipment list and pertains primarily to systems items). However, a yes answer for an individual part may mean that this item can
be classified as nonsignificant, since a functional failure will have no
operational consequences.
In listing the functions of an item it is important to describe both
its basic function and all secondary or characteristic functions. Each
function described should relate in some way to one of the overall
engine functions. For example, the basic function of the nozzle guide
vanes is to redirect the exhaust gases onto the first-stage turbine blades;
a second function is to create the proper nozzle area for efficient engine
operation. The functional failures are the inability to perform these
functions; note that in some cases there is more than one failure possibility for a given function. The failure modes are the specific ways each
type of functional failure can occur. In addition to the failure modes
listed for the nozzle guide vanes, rotating parts such as blades and
disks are subject to fatigue. Combustion chambers may crack or burn
through, or their locating pins may wear. Unless the failure modes are
clearly identified, there is no way to determine what preventive tasks
might be applicable.
The failure effects identify the immediate results of the failure. These
effects include any secondary damage caused by the failure, as well as
the impact of the loss of function both on the engine and on the aircraft.
The description should also specify any physical evidence by which the
occurrence of the failure can be recognized by the operating crew. In
the case of most engine failures this is an instrument indication, often
the exhaust-gas temperature reading. The failure effects must be described for each failure possibility, since they help to determine the
consequences of that failure, and hence the priority of maintenance
requirements.

EXHIBIT 8.3 An information worksheet for the first-stage nozzle
guide vanes of the Pratt & Whitney JT3D powerplant.

POWERPLANT INFORMATION WORKSHEET
type of aircraft: Douglas DC-9
type of engine: Pratt & Whitney JT3D
item number:
item name: First-stage nozzle guide-vane assembly
vendor part/model no.: 5367JliJT3D
no. per engine: 63
section: Turbine
module:
page _ of _
prepared by: T. M. Edwards, date 6/26/78
reviewed by: T. N. Mix, date 6/26/78
approved by: , date

item description:
The 63 nozzle guide vanes form a set of airfoils
located in the gas path immediately downstream of
the combustion-chamber outlet duct. They accelerate
and direct hot gases onto the first-stage turbine blades
at the proper angle for aerodynamic efficiency.

reliability data:
premature-removal rate (per 1,000 unit hours)
failure rate (per 1,000 unit hours)
source of data

redundancies and protective features (include instrumentation):
Vanes are made of small-grain alloy to resist heat deformation and
receive protective coating to resist heat damage and erosion. Vanes
are bolted in place to prevent fractured parts from slipping into
airstream.
Note: Multiple guide vanes provide no functional redundancy.

built-in test equipment (describe): None

Can aircraft be dispatched with item inoperative? If so, list any
limitations which must be observed.

classification of item (check): significant / hidden function / nonsignificant

functions:
1 To redirect gases at the proper velocity and angle

functional failures:
A Vanes form improper angle and nozzle area

failure modes and failure effects:
1 Bowing of nozzle guide vanes from heat deformation
failure effects: Progressive loss in engine efficiency, increased fuel
consumption and exhaust-gas temperature, and possible
high-power stall resulting in engine shutdown; if vanes
bow back into turbine-blade path, contact with rotating
blades resulting in fracture and critical secondary
damage from blade failure

2 Erosion of nozzle guide vanes from direct exposure to exhaust-gas
particles
failure effects: Progressive loss in engine efficiency, leading to possible
engine shutdown as for 1A 1 (no contact with turbine
blades)

As an example, one of the failure modes listed in Exhibit 8.3 for the
JT3D engine is bowing of the turbine nozzle guide vanes as a result of
prolonged exposure to high temperatures. The effects in this case are
progressive. Slight bowing will change the entry direction of the gases,
reducing the efficiency of turbine-blade action and causing the exhaust-gas temperature to rise for a given thrust setting. If the temperature is
already high because of other deterioration in the engine, the permissible temperature will be exceeded, and the pilot will report a functional
failure. However, the exhaust-gas temperature measures the overall
efficiency of the engine, and if the limit temperature is not reached,
bowing may continue to a point at which the stationary vanes come
into contact with the rotating turbine blades. Either the blades or the
vanes will fracture, and if the engine case cannot contain the fractured
parts, the ultimate effect of bowed guide vanes in this engine design is
critical secondary damage. The failure must therefore be classified as
having safety consequences.
All the relevant information is examined for each engine item, and
the item is then classified as significant or nonsignificant on the basis
of its failure consequences. Items in either category may have one or
more hidden functions; thus an item may be identified in this initial
partitioning process as nonsignificant, but also as having a hidden
function. Since all hidden functions must be protected by scheduled
maintenance to ensure that failures will be found and corrected, both
significant items and hidden-function items must be subjected to full
RCM analysis.
The objective of the partitioning process outlined in Chapter 4 is
to select the most convenient level of item for analysis. Most powerplant
analyses can be conducted conveniently at the module or section level.
In this case the failure of any significant item included in the module or
section under consideration would constitute a failure mode. For example, if the item selected for study were the turbine section, one of the
failure modes would be failure of the first-stage turbine nozzle guide
vanes. However, the powerplant itself can also be viewed as an item.
While this is only one of several possible approaches, it has certain advantages in sorting the vast number of failure possibilities that must be
considered into an organized pattern on the basis of their consequences.
In the examples that follow, therefore, we will consider the entire engine
as a significant item.

8.3 FAILURES OF THE BASIC ENGINE FUNCTION


The Pratt & Whitney JT8D engine used on the three-engine Boeing 727
is described by the information worksheet in Exhibit 8.4. Although this
engine might be analyzed at the module or section level, at the engine
level its functions can be defined as follows:

To provide specified amounts of thrust without exceeding the acceptable levels of the engine operating parameters

To drive engine-mounted accessories, such as the fuel pump, oil
pump, fuel-control unit, hydraulic pump, and constant-speed drive
generator

To provide high-pressure air to the pneumatic system for use by
subsystems

To provide reverse thrust to assist in braking the airplane (assumed
as a function of this engine design)

At this point let us consider the first type of engine failure, a failure to
provide specified thrust (including complete loss of thrust, or an engine
shutdown):
1 Is the occurrence of a failure evident to the operating crew during
normal performance of duties?

Any reduction in engine thrust will be evident, because the engine
pressure ratio and other instrument readings are closely monitored by
the operating crew. When the airplane is in flight, changes in engine
output may also be signaled by throttle vibration or audible thumps.
Hence the answer to this question is yes.
The next step in RCM analysis would ordinarily be to examine each
of the failure modes that might lead to this functional failure. In identifying the probable failure modes, however, it will be found that some
involve the fracture of a part that can cause critical secondary damage,
whereas others involve a fracture without such damage, and still others
involve general deterioration with no fractured parts. For convenience,
then, we can group all significant assemblies and parts into these three
classes and analyze each class of failure modes separately.
'ACNILS WITH C r n c A L SECONDARY DAMAGE

-urnpressor disks, turbine disks, and turbine blades are typical of the
powerplant items whose fracture can cause critical secondary damage.
It is apparent from the failure effects described in Exhibit 8.4 that all

fractures with critical


secondary damage
fractures with no critical
secondary damage
failures caused by deterioration

EXHIBIT 8.4 An information worksheet for analysis of the Pratt &


Whitney JT8D-7 powerplant of the Boeing 727.

r O W U T U M INFO-ON

WOIlOHKT type of aircraft


type of engine

B O c h 727
Rrlt & Whitney JT8D-7

item number
item name

Ropuldon powerplant

vendor partlmodel no.

JT8D-7

item de~ription

Axlzl-flow front-hubofan engine with r thirteenstage split compressor (two spools), r nine-cur
(can-annular)combnetion chamber, and a split fourstage turbine.

mliability data
premature-removal rate (per 1,000 unit hours)
failure rate (per 1,000 unit hours)
source of data
functions

1 To provide specified mounbs

of W e t without exceeding the


acceptable values of engine
operating parameters

functional failurcr

A Engine docs not provide


specified b a t ~hduding
CUM of no thrust)

page

no. per aimraft 3

prepared by T.

section

reviewed hy

module

approved by

M. Edwuds

F. S. Nowlut

of

d-\r 2/14/70
cr.o

2/14/78

date

redundiurcia and protective features (include instrumentation)

The airplane har three engines; operating weight is contmll~dfor


all f l a b so that airworthiness reauimments c m be met with one enainr
inopeia~ve.Full inshumentaHon df all engtnt operaHng parametere;
each engine protected by fire-warning and fire-extinguishing system.

built-in teat equipment (describe) None

Can aimraft be dispatched with item


inoperative? If so, list my limitations
which must be obeewed.
hidden function

failure modes and failure effects

1 Failure of parts whose fracture can cause critical secondary damage:
  a Failure of compressor or turbine disks
  failure effects: Immediate loss of thrust or flameout, confirmed by
  instrument readings; possible critical secondary damage if
  engine case does not contain fractured parts; pilot will abort
  takeoff if prior to takeoff-refusal speed, otherwise will land
  at nearest suitable airport; engine change required

2 Failure of parts whose fracture does not cause critical secondary damage:
  Towershaft bearing or gear failure
  failure effects: Immediate loss of thrust or flameout, confirmed by
  instrument readings; operational effects as for 1 A 3; engine
  change required

3 Failure resulting from general deterioration without the fracture of parts:
  Deterioration of combustion chambers, nozzle guide vanes,
  compressor blades, etc.
  failure effects: Progressive loss of engine efficiency as shown by
  instrument readings; if desired thrust cannot be obtained
  without exceeding maximum exhaust-gas temperature,
  pilot will abort takeoff if prior to takeoff-refusal speed;
  if airborne may continue flight at reduced power or shut
  down engine and land at nearest suitable airport; engine
  change may be required

such failures will immediately be evident to the operating crew. As for
any failure of the basic engine function, therefore, the answer to the first
decision-diagram question is yes.
The next step in the decision process is to determine the precise
nature of the failure consequences:
2 Does the failure cause a loss of function or secondary damage that
could have a direct adverse effect on operating safety?

Although the loss of thrust has no safety consequences, all items
whose failure involves secondary damage fall in the safety branch of
the decision diagram (see Exhibit 8.5).
Disks, for example, are subject to low-cycle fatigue failures, and when
they fracture, any fragments that cannot be contained by the engine
case can damage the nacelle, wing, or fuselage. Even if these projectiles
do not damage the aircraft structure, there is the hazard of hot gases
escaping through the torn engine case. Ejected turbine blades present
the same hazards. Turbine-blade failures have sometimes occurred with
no observable effect on thrust and no other evidence of failure (in this
case failure-finding inspections are necessary). However, they have also
been known to be ejected and cause critical secondary damage. There
is no way of knowing whether this problem has been overcome in the
present design, so in the interests of conservatism the blades have been
included in this class of items.
The next step is to evaluate proposed scheduled-maintenance tasks.
A yes answer to the safety question means that no task can be considered effective unless it reduces risk of a functional failure to an acceptable level. From this point on, however, we must examine each failure
mode separately, because the applicability of a particular task will
depend on the failure characteristics of the part. Our next question
therefore concerns a possible maintenance task for the disk:
4 Is an on-condition task to detect potential failures both applicable
and effective?

A low-cycle fatigue failure begins as a slip along crystallographic planes
in the metal, which progresses under repeated load applications until a
small crack eventually becomes visible. After this point, however, the
crack propagates very rapidly to the point of fracture. Most of the disks
are also inaccessible in the installed engine; thus even if it were possible
to define the crack as a potential-failure condition, the engine would
have to be removed and disassembled more frequently than is feasible.
An on-condition task is therefore not applicable to the disk.

EXHIBIT 8.5 The branch of the decision diagram used for analysis of
engine failures involving critical secondary damage.

A no answer to the on-condition question means we must look for
other tasks:
5 Is a rework task to avoid failures or reduce the failure rate both
applicable and effective?

The conditional probability of disk failure does increase at an identifiable operating age. However, a rework task must restore the item's
original resistance to failure. For a part subject to metal fatigue no rework
method has been found that will eliminate the material's "memory" of
repeated loads, so the answer to the rework question is no.
Is a discard task to avoid failures or reduce the failure rate both
applicable and effective?

Because on-condition inspections are not applicable, the manufacturer
has established a safe-life limit for the disk in each stage of the compressor and the turbine. One engine manufacturer uses a computer
model, based on material strength tests and stress calculations, that
simulates the in-service aging of the disk. This model has been validated
by the results of developmental spin testing of many different disks
used in various engine designs. The safe-life limit determined by this
technique is the operating age at which one disk per 1,000 will develop
a crack of 1/32 inch. The disks are designed to have safe lives ranging
from 10,000 to 20,000 hours, and these are the intervals that will be used
for the discard tasks.
The answer to the discard question is yes, and the analysis of this
failure mode is complete. Each type of disk is assigned a discard task
scheduled for the safe-life limit established for that disk. In this case
an on-condition task might also be assigned: an inspection for any
damage that might prevent attainment of the safe-life age, to be performed whenever the disks are accessible during the normal course of
repair work on the engine.
The failure process in turbine blades is somewhat different from
that in disks. The blades are in a hot-gas stream that exerts aerodynamic
forces on them. The forces pulsate as the blades pass by the stationary
guide vanes, with the result that the blades are also subject to fatigue
failure. The propagation of fatigue cracks in blades, however, is much
slower than it is in disks. In addition, the blades are subject to creep and
oxidation caused by the high temperature of the gases and to erosion
from solid particles in the gas. In this case on-condition inspection is
more promising:
Is an on-condition task to detect potential failures both applicable
and effective?


Potential failures can be defined for such conditions as oxidation, erosion, blade-root wear, and fatigue cracks; therefore an on-condition task
is applicable. It will also be effective, since the blades can be inspected
at short enough intervals to ensure that potential failures will preempt
functional failures. Thus the answer is yes, and analysis of this failure
mode is complete.

On-condition tasks for the blades would probably be specified at
two levels: on the aircraft and in the shop. For example, a borescope
inspection of all turbine blades on installed engines might be assigned
at an initial interval of 150 operating hours, with a "broomstick" check
of the fourth-stage turbine blades for looseness scheduled at intervals
of 300 to 400 hours. In addition, as part of the opportunity-sampling
program, an inspection of the blades for creep, heat deterioration, cracks,
and wear at the roots would probably be scheduled for every shop visit
of the engine, with a threshold age of 500 hours.
Note that on some engines the first-stage turbine nozzle guide
vanes would also fall into the class of items whose failure can cause
critical secondary damage. The nozzle guide vanes on the JT3D engine,
described in Exhibit 8.3, would therefore be analyzed through the safety
branch of the decision diagram. This engine has a hollow shaft through
which an isotope pill can be inserted to expose radiographic film placed
on the engine case at the outer ends of the vanes. The exposed film
shows the amount of bowing that has occurred, and also the remaining
clearance between the vanes and the adjacent turbine blades. Thus an
on-condition task is applicable, and it would be scheduled at intervals
short enough to prevent all critical failures.
In the engine under consideration here the same task would apply.
However, the JT8D engine has been designed so that bowing of the
nozzle guide vanes will cause the exhaust-gas temperature to reach the
limit before the vanes reach a state in which they can intersect the turbine plane. Thus the ultimate effect of this failure mode in the JT8D
engine is a functional failure caused by engine inefficiency, rather than
a failure with critical secondary damage.
FRACTURES WITH NO CRITICAL SECONDARY DAMAGE

The second class of powerplant items is subject to fractures that do not
cause critical secondary damage (although the secondary damage is
often expensive). Typical items in this class are the towershaft bearing
and the towershaft gears. Failure of either of these items will result in
inability to drive the engine-mounted accessories, including the fuel
pump, and the engine will flame out. We know, therefore, that the failure will be evident to the operating crew. Since a loss of thrust is not
critical and this class of failure modes has no critical secondary effects,
we also know that there are no safety consequences.
A no answer to the safety question brings us to the question of operational consequences:
Does the failure have a direct adverse effect on operational
capability?

EXHIBIT 8.6 The branch of the decision diagram used for analysis of
engine failures that do not involve critical secondary damage.

The answer to this question is yes, because any failure of the basic
engine function has operational consequences. Since these consequences are economic, scheduled maintenance is desirable if it is cost-effective. Hence we must examine all applicable tasks on this basis (see
Exhibit 8.6).
Bearing and gear failures are caused by fatigue, perhaps accelerated
by inadequate or contaminated lubrication. The failure process begins
with spalling and fine cracks on the bearings and wear and fine cracks
in the gears. Eventually fragments of metal are chipped from the working
surfaces, and when the integrity of the hard surface has been lost, complete disintegration proceeds rapidly.
Is an on-condition task to detect potential failures both applicable
and effective?

In some cases fragments of shed metal can be detected by inspection
of magnetic plugs and oil screens, and the existence of these metal particles can be defined as a potential failure. While such inspections are
applicable, they miss a large number of potential failures. They are cost-effective, however, because the discovery of even one potential failure
more than offsets the cost of years of such inspections. Thus the answer
is yes for these tasks, and they would be included in the program.
The real control of gear and bearing failures comes from on-condition inspections performed when the engine is in the shop. Visual
inspection of the balls, rollers, races, and gear teeth for cracking, wear,
or deformation, using 10- to 30-power magnification, has been found
to identify most potential failures. The bearings and gears are put in
the opportunity-sampling program to establish the optimum interval
for shop inspections, and the analysis of these items is complete.
FAILURES CAUSED BY DETERIORATION

Whereas fractured parts can cause extensive secondary damage, with
or without safety consequences, a large number of engine failures are
the result of deterioration that does not involve the fracture of any part.
When some part of the engine is not functioning efficiently, more and
more throttle is required to attain the desired thrust. This increases the
fuel flow, and thus the exhaust-gas temperature, which may further
accelerate deterioration of the parts involved. Eventually one of the
engine operating parameters, usually the exhaust-gas temperature, will
be exceeded before the desired thrust is reached, and a functional failure of the engine has occurred. Items involved in this class of failure
modes are the airseals, compressor blades, combustion chambers, and
in this engine the turbine nozzle guide vanes.
The reduction in engine power is evident to the operating crew
and has no safety consequences. Such failures will still have operational consequences, however, because the engine may be replaced
after the airplane lands. Hence analysis of the items in this category also
falls in the operational-consequences branch of the decision diagram,
where scheduled maintenance is desirable if it is cost-effective.
Compressor blades are exposed to erosion and airseals to wear,
causing losses in aerodynamic efficiency. Since the burner cans and the
turbine nozzle guide vanes are in the gas path, they are also subject to

EXHIBIT 8.7 A worksheet showing the results of analysis for the
primary engine function of the Pratt & Whitney JT8D-7 powerplant.
The references in the first column are to the failure modes listed for
the primary engine function in Exhibit 8.4.

POWERPLANT DECISION WORKSHEET

type of aircraft: Boeing 727
type of engine: Pratt & Whitney JT8D-7
item name: Propulsion powerplant
item number:
page 1 of
prepared by: T. M. Edwards
reviewed by: F. S. Nowlan

Remove and discard all compressor and turbine disks at life limit
  initial interval: Manufacturer's safe-life limit for each type of disk

Borescope inspection of all turbine blades
  initial interval: 50 flight cycles or 150 hours, whichever is first

Broomstick check of fourth-stage turbine blades for looseness
  initial interval: 300 to 400 hours

Inspect all turbine blades for wear, creep, and cracking
  initial interval: During engine shop visit; use opportunity sampling to establish
  best frequency, initial threshold 500 hours

Check magnetic plugs and screens for metallic particles
  initial interval: 300 to 400 hours

Inspect all towershaft and drive-train elements for wear, deformation, and cracking
  initial interval: During engine shop visit; use opportunity sampling to establish
  best frequency, initial threshold 500 hours

Borescope inspection of combustion chambers, nozzle guide vanes,
liners, supports, and seals visible through hot-section access ports
  initial interval: 50 flight cycles or 150 hours, whichever is first

Borescope inspection of seventh- to thirteenth-stage compressor blades,
stators, spacers, and seals visible through compressor access ports
  initial interval: 150 flight cycles or 450 hours, whichever is first

Inspect all rotating parts, gas-path parts, hot-section parts, and main
bearings for wear, deformation, and cracking
  initial interval: During disassembly for engine repair; use opportunity sampling
  to establish best frequency, initial threshold 500 hours

heat deformation. All these deterioration processes occur slowly and at
a relatively constant rate, a situation which favors on-condition inspections:

8 Is an on-condition task to detect potential failures both applicable
and effective?

The answer is yes for most of these items, such as compressor blades,
combustion chambers, and nozzle guide vanes. Their condition can be
ascertained by borescope or radioisotope inspections while the engine
is still installed, and the rate of deterioration is slow enough to identify
at the potential-failure stage.
Since the hot section usually suffers the most rapid deterioration
in a new engine, borescope inspections might be scheduled for the
combustion-chamber outlets, nozzle guide vanes, and surrounding
liners, supports, and seals at an initial interval of 50 flight cycles or 150
operating hours, whichever comes first.* Next to the hot section, the
high-pressure compressor has the highest rate of deterioration. Thus
borescope inspections of the seventh- to thirteenth-stage compressor
blades might be scheduled for an initial interval of 150 to 200 flight
cycles or 450 to 600 operating hours.
In addition to these scheduled inspections on installed engines,
most of the rotating parts, gas-path parts, hot-section parts, and bearings would be assigned to shop inspection of opportunity samples,
with an initial age threshold of perhaps 500 hours. During these inspections the dimensions and condition of each part are compared with the
"acceptable for service" limits established by the manufacturer. Parts
that have deteriorated beyond these limits are repaired or replaced and
parts within the limits are returned to service.
Note that taking the engine out of service because the exhaust-gas
temperature exceeds a defined limit is in itself a form of on-condition
action, since this limit is established to prevent expensive damage to
the combustors, turbine blades, vanes, and liners. One might wonder,
therefore, why additional on-condition tasks are directed at these items.
The reason is that increased exhaust-gas temperature measures the total
efficiency of all gas-path parts. Thus the temperature might be within
the limit if most parts were in good condition, even if one part (say,
the nozzle guide vanes) had deteriorated beyond the point of economical repair. In the interests of economy, then, it is better to inspect the
nozzle guide vanes and judge them by their individual condition than
to wait for the temperature to reach the limit. This concept becomes
increasingly important for in-service engines, which are composed of
parts of diverse ages as a result of the normal repair cycle.


*These low initial intervals represent the practices followed in the mid-1960s.

It is also important to bear in mind that this analysis is based on a
redundant engine installation. The engine is one of three in a multiengine airplane. If this engine were installed in a single-engine aircraft, analysis of the same items would lead to completely different
results, because in this case a loss of function might in itself constitute
a critical failure. The analysis of all failure modes involving a major loss
of thrust would therefore fall in the safety branch, where any applicable
tasks would be scheduled regardless of cost effectiveness. The criteria
for task applicability would remain the same, however; thus scheduled
rework would still be applicable only for those engine parts whose
conditional-probability curves show both an identifiable wearout age
and a high probability of reaching that age without failure. Since an
item subject to numerous failure modes rarely satisfies these conditions
(see Section 2.8), scheduled rework of the entire engine would be unlikely to make a significant difference in its operating safety.
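
The branch selection and task order used in this section's analysis, written out as an added Python example (it is not part of the original text). The class, function and constant names are assumptions of the example; the yes/no answers are the ones given above for the three-engine installation, and `single_engine` models the case where a major loss of thrust is itself critical.

```python
"""Walk the part of the decision diagram used in this section (added example)."""
from dataclasses import dataclass, replace

RISK = "must reduce risk of failure to an acceptable level"
COST = "must be cost-effective"


@dataclass(frozen=True)
class FailureMode:
    name: str
    evident: bool                    # Q1: evident to the operating crew?
    critical_secondary_damage: bool  # fracture can damage the aircraft
    loss_of_function_critical: bool  # False while the other engines cover the loss
    operational: bool                # Q3: direct effect on operational capability?
    on_condition: bool               # task applicable and effective?
    rework: bool
    discard: bool


def branch(fm):
    """Return the consequence branch the failure mode falls in."""
    if not fm.evident:
        return "hidden function"     # branch not walked through in this section
    if fm.critical_secondary_damage or fm.loss_of_function_critical:
        return "safety"              # Q2 answered yes
    return "operational" if fm.operational else "nonoperational"


def select_task(fm):
    """Return (branch, effectiveness criterion, first task answered yes)."""
    b = branch(fm)
    criterion = {"safety": RISK, "operational": COST, "nonoperational": COST}.get(b)
    for task, ok in (("on-condition", fm.on_condition),
                     ("rework", fm.rework),
                     ("discard", fm.discard)):
        if ok:
            return b, criterion, task
    return b, criterion, None        # later diagram questions are outside this example


def single_engine(fm):
    """Same item, same task applicability, but no engine redundancy."""
    return replace(fm, loss_of_function_critical=True)


# Answers from the analysis above. Questions after the first "yes" are
# never asked, so the False values there are placeholders.
DISK = FailureMode("compressor/turbine disk fracture", True, True, False, True,
                   on_condition=False, rework=False, discard=True)
BLADE = FailureMode("turbine blade fracture", True, True, False, True,
                    on_condition=True, rework=False, discard=False)
TOWERSHAFT = FailureMode("towershaft bearing or gear failure", True, False, False, True,
                         on_condition=True, rework=False, discard=False)
DETERIORATION = FailureMode("gas-path deterioration", True, False, False, True,
                            on_condition=True, rework=False, discard=False)

if __name__ == "__main__":
    for fm in (DISK, BLADE, TOWERSHAFT, DETERIORATION, single_engine(TOWERSHAFT)):
        print(fm.name, "->", select_task(fm))
```

Moving the towershaft failure to a single-engine aircraft changes the branch and the effectiveness criterion but not the task, which matches the statement that the criteria for task applicability remain the same.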

8.4 FAILURES OF SECONDARY ENGINE FUNCTIONS

failure to drive accessories
failure to supply pneumatic pressure
failure to provide reverse thrust

In addition to the basic engine function of providing specified thrust,
three secondary functions have been listed for the Pratt & Whitney
JT8D engine under consideration. These functions and their associated
functional failures and failure modes are listed on the continuation
worksheet shown in Exhibit 8.8. One of these functions, to drive the
engine-mounted accessories, has two failure possibilities: inability to
drive any of the accessories and the inability to drive a particular accessory. The failure modes that cause a total inability to drive any of the
accessories are associated with bearing and gear failures in the towershaft drive train, discussed in the preceding section. The inability to
drive individual accessories could be defined as a separate functional
failure for each accessory. From the standpoint of the engine, however, we can consider this case as a single functional failure with several
failure modes.
The first question, as before, is whether failure of the engine to
drive some one of the accessories will be evident:

1 Is the occurrence of a failure evident to the operating crew during
performance of normal duties?

The performance of each engine accessory is monitored by means of
cockpit instrumentation, and a malfunction of any accessory would be
evident from the instrument readings (see Exhibit 8.8). Thus the answer
to this question is yes for all failure modes.


EXHIBIT 8.8 Continuation information worksheet for the secondary
functions of the Pratt & Whitney JT8D-7 powerplant.

CONTINUATION INFORMATION WORKSHEET

type of aircraft: Boeing 727
type of engine: Pratt & Whitney JT8D-7
item number:
item name: Propulsion powerplant
vendor part/model no.: JT8D-7
no. per aircraft: 3
section
module
prepared by: T. M. Edwards    date: 2/14/78
reviewed by: F. S. Nowlan     date: 2/14/78
approved by:                  date:

functions, functional failures, failure modes, and failure effects

2 To drive the engine-mounted accessories

  A Inability to drive any engine accessory
    1 Failure of main-gearbox drive
      failure effects: Instruments show no output from any accessory; engine
      flameout; pilot will abort takeoff if prior to takeoff-refusal
      speed, otherwise will land at nearest suitable airport; engine
      change required

  B Inability to drive one of the engine accessories
    1 Failure of constant-speed-drive generator splines
      failure effects: Instruments show no output from one generator; crew will
      disconnect generator from constant-speed drive as a
      precaution; aircraft can be dispatched with one generator
      inoperative
    2 Failure of hydraulic-pump drive splines
      failure effects: Instruments show no pressure from one pump; crew will
      disconnect pump for completion of flight; gearbox or engine
      change required at destination
    3 Failure of fuel-pump drive splines or bearings
      failure effects: Instruments show no output from fuel pump; engine flameout,
      with operational effects as for 2 A 2; gearbox or engine
      change required
    4 Failure of oil-pump drive bearings
      failure effects: Instruments show loss of oil pressure, requiring engine
      shutdown; operational effects as for 2 A 1; engine change
      required

3 To provide high-pressure air to the pneumatic system

  A Does not provide sufficient bleed air (pneumatic pressure)
    1 Burst saddle duct
      failure effects: Loss of some pneumatic pressure, instruments show increased
      fuel flow, exhaust-gas temperature, and engine speed; heat
      damage to insulation and hoses, with probable fire warning
      resulting in engine shutdown; operational effects as for 2 A 1;
      engine change required

4 To provide reverse thrust for braking assistance

  A Inability to provide reverse thrust
    1 Burst pneumatic-actuator supply duct
      failure effects: Instruments show thrust reverser inoperative, loss of
      braking assistance from one engine; may require correction
      before further dispatch

  B Thrust reverser jammed during reverse-thrust sequence
    1 Binding due to wear of mechanical components
      failure effects: Instruments show thrust reverser active; correction required
      before further dispatch

This brings us to the question of possible safety consequences:

2 Does the failure cause a loss of function or secondary damage
that could have a direct adverse effect on operating safety?

Failure of certain of the accessory drives, such as those for the fuel pump
and the oil pump, can lead to complete loss of thrust from the engine,
but an engine shutdown does not in itself affect safety. Recent engines,
including this one, have also been designed so that accessory-drive parts
do not penetrate the case. There is therefore no exposure to critical
secondary damage from these failures, and the answer to this question
is no.

3 Does the failure have a direct adverse effect on operational
capability?

The airplane usually cannot be dispatched when one of the engine-driven accessories is inoperative (this information would appear on
the information worksheets for the pertinent systems items). If the problem is caused by a failure of the internal accessory drive, however,
it is necessary to repair or replace the engine before further dispatch.
Thus any failure of the accessory drive train has operational consequences, and scheduled maintenance is desirable if it is cost-effective.
To evaluate proposed tasks we must consider the failure process:

8 Is an on-condition task to detect potential failures both applicable
and effective?


Spline wear in each of the accessory drive trains is a major source of
trouble, and we know that on-condition inspections to measure spline
wear are applicable. Hence the answer to this question is yes. The
accessory drive shafts, gear, and bearings are assigned to the shop
opportunity-sampling program to determine the most effective inspection interval; in addition, the splines in the accessory gear box are scheduled for inspection on the aircraft whenever an accessory is changed.
The third function of the engine is to provide high-pressure air
for the pneumatic system, and one failure mode is a burst bleed-air
duct. In a powerplant analysis we would be concerned with the ducting that is part of the quick-engine-change assembly; this includes
the sixth-, eighth-, and thirteenth-stage saddle ducts. Downstream ducting is analyzed either as part of the pneumatic system or as part of the
system it serves. A burst saddle duct in any of these stages will be evident to the operating crew. Cockpit instrumentation shows the pressure
in the duct to the cabin air-conditioning system, but hot air from the
duct will also trigger a fire warning, and the free escape of bleed air will
affect engine performance.
Because of the fire-warning system, this type of failure is not
critical. Although hot thirteenth-stage bleed air may burn wiring insulation and char hoses, the most serious effect is the need to shut down
an engine after a fire warning. Such a failure does have operational
consequences, however, since the airplane cannot be dispatched until
the burst duct is repaired. Thus once again we are concerned only with
the cost effectiveness of proposed maintenance tasks.
Examination of the failure process shows that stresses in the duct
lead to the development of fine cracks, which can be detected by on-condition inspections. Experience with earlier equipment has shown
that such inspections will not identify all potential failures. However,
this task can be performed on installed engines and can be scheduled
for short intervals. An on-condition task is therefore both applicable
and cost-effective, and our analysis of this type of failure is complete.
The fourth function of the engine is to provide reverse thrust to
assist in braking the airplane, and this function is also subject to two
failure possibilities: either the reverser will not operate at all or it jams
during the reversing sequence. The only predictable mode for the first
type of failure is bursting of the pneumatic supply duct to the actuator,
whereas the second type of failure can be caused by wear in many
different parts of the mechanical linkages. The cockpit instruments
include a light that indicates when the reverser has left its stowed position and is in transit to the reverse-thrust position. Inability of the
reverser to operate is therefore evident.
No credit is given to availability of reverse thrust in determining
the runway lengths required for landing and takeoff, and it is permissible to dispatch an airplane with one reverser inoperative. Thus the
failure of a reverser is not considered to have safety consequences.
The reverser does have great value in certain situations, however, such
as the need to avoid other aircraft on the runway or when braking
action is reduced by water or snow. For certain destination conditions
the operating crew may request that all reversers be operative at takeoff. A reverser failure is therefore classified as having operational consequences, although these consequences will not be involved under
all circumstances. Inspection of the pneumatic supply ducts would be
scheduled for the same work package as inspection of the engine pneumatic ducts, as shown in Exhibit 8.9.
The second type of failure, jamming of the reverser in the reverse-thrust position, is also evident, since there is a cockpit warning light

EXHIBIT 8.9 A worksheet showing the results of analysis for the
secondary engine functions of the Pratt & Whitney JT8D-7
powerplant. The references in the first column are to the functions,
functional failures, and failure modes listed in Exhibit 8.8.

item name: Propulsion powerplant
item number:
page 2 of 2
prepared by: T. M. Edwards
reviewed by: F. S. Nowlan

proposed task
  initial interval

Same tasks as 1 A 2 for towershaft drive-train elements

Inspect all drive shafts for spline wear
  initial interval: Whenever accessory unit is changed or is accessible during
  engine shop visit

Inspect all accessory drive-train elements for wear and cracking
  initial interval: During engine shop visit; use opportunity sampling to establish
  best frequency, initial threshold 500 hours

Inspect all engine pneumatic ducts for heat distress, cracking, and leaks
  initial interval: 100 to 200 hours

Inspect thrust-reverser pneumatic ducts for heat distress, cracking, and leaks
  initial interval: 100 to 200 hours

Inspect thrust-reverser linkages, tracks, and actuator mechanism
for wear or binding
  initial interval: 100 to 200 hours

that indicates when the reverser is in this position. In this case the
failure clearly has operational consequences. Wear and binding in the
thrust-reverser mechanism are signs of reduced resistance to failure.
On-condition inspection is therefore applicable, and the various linkages, actuators, and tracks would be scheduled for inspection at the
same time as the supply ducts.

8.5 THE ROLE OF AGE EXPLORATION

sample-inspection requirements
the opportunity-sampling program
age exploration and product improvement


The preceding analysis covers only a few of the tasks that would be
included in an initial powerplant program. It is apparent from these
examples, however, that when the engine itself is treated as a significant item, the parts that cause it to fail will generally be assigned only
two types of tasks. Some parts whose failure could cause critical secondary damage will be assigned safe-life discard tasks, but most parts are
assigned on-condition tasks, often as part of an opportunity-sampling
age-exploration program.
The reason no failure-finding tasks were assigned has to do with
the level of the analysis. The fracture of a single compressor blade or
guide vane does not cause a perceptible reduction in engine thrust
and since it also may not result in any secondary damage, the failure of
individual blades and vanes may not be evident to the operating crew.
Viewed from the parts level, each of these failures would be classified as
a hidden functional failure. Similarly, at the assembly level erosion of
these parts beyond the acceptable limits would be defined as a hidden
failure, since this condition would not necessarily be apparent from the
overall exhaust-gas temperature. At the engine level, however, these
conditions become potential failures for the engine itself, and in both
cases on-condition tasks have been specified. The periodic inspections
assigned to the compressor blades and the nozzle guide vanes would
reveal any fractured elements as well as other forms of deterioration.
Note that the initial program also contains no rework tasks for
individual items. This is partly because there is no information at this
stage to support their applicability and partly because on-condition
tasks are applicable to so many engine parts. After the equipment enters
service the abundance of opportunity samples results in a very rapid
accumulation of operating data on engines. Thus the applicability and
cost-effectiveness of rework for specific items can be established by the
time the first few airplanes in the fleet reach a proposed rework age.
Even when age exploration does show that certain items would benefit
from scheduled rework, however, the intervals at which such tasks are
cost-effective may vary widely for different items. Since there are no
rework tasks that can be consolidated into a single work package to be
performed at some specified operating age, complete rework (scheduled
overhaul) of the entire engine is unlikely to be justified at any point
in its operating life, let alone in an initial program.
An age-exploration program is required for all new aircraft engines.
In most cases the requirement calls for the inspection of sets of parts
equivalent to two or three complete engines before any installed engine
exceeds a specified operating age, say, 1,500 hours. The use of opportunity samples from engines that have aged to a specified lower limit, perhaps 500 or 1,000 hours, is permitted to satisfy this requirement. If
there are not enough premature removals to provide the required samples, it may be necessary to remove and disassemble engines that have
reached the 1,500-hour limit for the sole purpose of inspecting their
parts. After the condition of the parts is evaluated, the upper limit for
complete sets of parts may be extended, say, to 3,000 hours.
The requirement for whole-engine sampling is usually dropped
after two such inspections, but there will be continuing age exploration
for certain selected items. The sampling in this case may also be based
on two threshold limits for each item. The inspection information is
useful in assessing the effects of age only if the item has aged to the
lower limit. With this type of program any units of the item that have
aged to the upper threshold must be inspected even if additional
disassembly of the engine is necessary to reach them. Such units are termed
forced samples, in contrast to the opportunity samples of parts available
for inspection during the normal course of disassembly. Both threshold
limits are ordinarily extended after two or three samples of an item have
been inspected and found to be in satisfactory condition.
A newer and more economical variation of this procedure is an
age-exploration plan based entirely on opportunity sampling. This
concept involves a lower threshold limit and a sample size of one unit. The
first opportunity sample whose age exceeds an initial lower limit is
inspected, and if the inspection findings are satisfactory, the age of this
sample unit becomes the new threshold limit. As a result, documented
sample information increases steadily in small age increments, with the
age of the oldest inspection sample roughly parallel at all times to the
age of the oldest installed engine (see Exhibit 5.9 in Chapter 5). It is
preferable in this type of program that the inspection samples not be
reworked before they are reinstalled unless their condition is judged
unacceptable for continued service. In this way the time since rework
is not zeroed out, and it is possible for sampling to proceed rapidly to
units of higher ages.
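The two sampling schemes described above, as an added example that is not part of the original text: classify_sample applies the two-threshold rule (opportunity versus forced samples), and run_opportunity_plan steps a small fleet through the opportunity-only plan to show how reworking inspected samples slows the advance of the threshold. The three-unit fleet, the hours flown per step, the round-robin shop arrivals and the deterioration age are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


def classify_sample(age, lower, upper, exposed):
    """Two-threshold scheme for one unit of an item.

    exposed: True if normal disassembly already makes the unit available.
    """
    if age >= upper:
        # Units at the upper threshold must be inspected, even if extra
        # disassembly is needed to reach them (a forced sample).
        return "opportunity" if exposed else "forced"
    if age >= lower and exposed:
        return "opportunity"
    # Below the lower limit the findings say nothing about age effects.
    return "not sampled"


@dataclass
class PlanResult:
    threshold: float                                # current sampling threshold
    inspected: list = field(default_factory=list)   # (step, unit, age, ok)
    first_deterioration_age: Optional[float] = None


def run_opportunity_plan(start_ages, hours_per_step, steps, initial_limit,
                         deterioration_age, rework_samples):
    """Opportunity-only plan with a sample size of one unit.

    Assumptions (constructed): every unit flies hours_per_step per step,
    one unit per step reaches the shop in round-robin order, and a unit is
    found satisfactory as long as its age is below deterioration_age.
    """
    ages = dict(start_ages)          # time since rework, per unit
    order = list(ages)
    result = PlanResult(threshold=initial_limit)
    for step in range(1, steps + 1):
        for unit in ages:
            ages[unit] += hours_per_step
        unit = order[(step - 1) % len(order)]   # this step's shop arrival
        age = ages[unit]
        if age <= result.threshold:
            continue                 # no new age information, not inspected
        ok = age < deterioration_age
        result.inspected.append((step, unit, age, ok))
        if ok:
            result.threshold = age   # the sample's age becomes the new limit
        elif result.first_deterioration_age is None:
            # Assumption: the threshold is held once deterioration is found.
            result.first_deterioration_age = age
        if rework_samples or not ok:
            ages[unit] = 0           # rework zeroes the time since rework
    return result


if __name__ == "__main__":
    fleet = {"A": 0, "B": 0, "C": 0}  # constructed fleet, all units new
    for rework in (False, True):
        r = run_opportunity_plan(fleet, 300, 12, 500, 10_000, rework)
        print("rework samples:", rework,
              "| inspections:", len(r.inspected),
              "| threshold reached:", r.threshold)
    print(classify_sample(1600, 1000, 1500, exposed=False))
```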
At some age the condition of the units inspected will show enough
deterioration to identify the appropriate intervals for first and repeat
inspections of all units of the item. In this case the condition defined as
a potential failure would be based on an inspection interval roughly
equal to the interval between successive shop visits of the engine (the
mean time between removals). As an alternative, the sampling threshold
may be held at a fixed age limit to accumulate more information on the
condition of parts at that particular age. If this additional information
shows that a large proportion of the units are reaching the
potential-failure point at a fairly well-defined age, a rework task might be
assigned to that item - or, depending on the ratio of rework cost to
replacement cost, a discard task might be specified for a slightly higher
age.

[Exhibit 8.10 plot: curves for successive analysis periods, including August-October 1964 and October-December 1964; horizontal axis: operating age since last shop visit (flight hours)]

EXHIBIT 8.10 The results of successive age-reliability analyses of
the Pratt & Whitney JT8D-7 engine after it entered service.
(United Airlines)

Exhibit 8.10 shows the results of successive age-reliability analyses
conducted as part of the age-exploration activities after the Pratt &
Whitney JT8D engine entered service. Each curve represents all
premature removals, both those resulting from on-condition inspections
and those resulting from crew-reported malfunctions. While the first
few curves show a very high conditional probability of failure, complete
engine overhauls at an age low enough to affect the premature-removal
rate would have grounded the fleet (engine overhauls take about 45
days). If the data had been partitioned to show the respective
contributions of potential and functional failures to the total premature removals,
it would also be apparent that the potential failures were much more
age-related than the functional failures. In other words, on-condition
inspections were effectively removing faulty units from service at a
much earlier stage than would have been feasible with any rework age
limit.

In this case actuarial analysis of the premature-removal data
identified the dominant failure modes, which were in the hot section of the
engine, and redesign of the parts most susceptible to rapid heat
deterioration resulted in the ultimate reliability shown by the final curves.
Apart from the fact that complete engine overhauls would have
represented a needless expenditure on the other sections of the engine, which
were in excellent condition, they would have impeded improvement of
the engine itself. If all parts of the engine had been zero-timed at fixed
intervals, there would have been no means of determining the actual
potential-failure ages of individual items and improving the inherent
reliability of the engine accordingly. In the powerplant division age
exploration in fact plays a dual role. On one hand, it provides a means
of determining the actual maintenance requirements of each engine
item, and on the other, it provides the information necessary to improve
the overall safety and operating reliability of the engine. This latter role
is an integral part of the development process for any new engine.

CHAPTER NINE

RCM analysis of structures

THE STRUCTURE division consists of all the load-carrying elements of the
airplane. These include not only the basic airframe - the fuselage, wings,
and tail assembly - but a variety of other assemblies and components
that are subjected to loads:

The landing gear (except brakes, tires, and retraction mechanisms)

Movable flight-control surfaces and high-lift devices (except their associated actuators and gearboxes)

Integral fuel tanks

Powerplant pylons, supports, and cowlings

The aircraft skin

Doors, hatches, windshields, and cabin windows

Internal partitions, decks, and braces

Connecting elements such as brackets and clips

Airplane structures are subject to many types of loads during operation -
gust loads, maneuvering loads, landing loads. The magnitude and
frequency of these loads depend on the nature of the operating
environment, although in general low loads will occur frequently and peak loads
will be encountered very infrequently. The structure must therefore be
designed in terms of all its load spectra and must be so strong that it is
extremely unlikely to encounter any load it cannot withstand during
its intended type of operation. The role of scheduled maintenance is
to find and correct any deterioration that would impair this
load-carrying capability.
Unlike systems and powerplant items, few failures short of a critical
failure will be evident to the operating crew. The ultimate effects of
most functional failures, however, have a direct impact on safety; hence
RCM analysis of all structurally significant items falls in the safety
branch of the decision diagram. In this case there are only two task
outcomes: on-condition inspections for all items, with the addition of a
discard task for safe-life elements. The focus in developing a structure
program, therefore, is not on a search for applicable and effective tasks.
Rather, it is on determining an appropriate inspection interval for each
item. All parts of the structure are exposed to the age-related processes
of fatigue and corrosion, but these processes interact and are not entirely
predictable. Thus even for an airplane that embodies well-known
materials, design practices, and production processes, the intervals assigned
in an initial program are only a small fraction of the age at which any
evidence of deterioration is anticipated. In fact, the inspection plan
itself merely delineates the start of structural age-exploration activities.

9.1 CHARACTERISTICS OF STRUCTURAL ITEMS

The structure of an airplane consists of numerous individual assemblies.
As an integral unit, however, it performs a variety of functions, a few of
which can be defined as follows:

To enable aerodynamic lifting forces to balance the weight of the airplane

To provide mounts for the powerplants that produce the thrust necessary to balance aerodynamic drag

To provide movable flight-control surfaces for maneuvering the airplane

To provide the means (landing gear) for making a transition from air to ground operation

To provide volumes for carrying fuel

To provide space and mounting points for the various systems required for operating capability

To provide space with a suitable environment (often pressurized) for the operating crew and the payload to be carried

Loads are imposed on the structure during the performance of these
functions, and if any major assembly cannot withstand them, the
structure experiences a functional failure. Thus the basic function of
individual assemblies or structural members is to withstand the loads
imposed on them without collapsing or fracturing.
Many of the functions listed above are of such a nature that a
functional failure would have an immediate effect on operating safety;
hence the design practices followed for the structure ensure that failures
are extremely unlikely. Whereas other parts of the aircraft are designed
to facilitate reports of functional failures by the operating crew, the
crew will rarely be in a position to report structural failures (although
there are occasional crew reports of failed landing gear and high-lift
devices).
It is also very difficult and expensive to replace parts of the
structure. Systems and powerplant items are continually changed
throughout the operating life of the aircraft; hence on any in-service airplane
these items are likely to be of widely varying ages. In contrast, structural
elements are repaired, often by the use of doublers, and they are also
modified, but they are rarely replaced. Consequently, except for those
parts added as repairs or modifications, nearly all parts of the structure
on any given airplane will be of the same age. Since all structural
elements are subject to a primary failure process that is directly related to
total age, the structure as a whole is designed to a goal of failure ages
far longer than the expected operating life of the airplane.
DESIGN STRENGTH

Airplane structures are designed to withstand many different kinds of
loads, such as those caused by air turbulence, flight maneuvers,
landings, and takeoffs. For commercial transport airplanes manufactured
in the United States, each of these load requirements is defined by FAA
airworthiness regulations. For aircraft operating in other contexts, load
requirements are specified either by the appropriate airworthiness
authority in the case of civil aviation or by the purchasing organization
in the case of military aviation. Individual design-load requirements
are stringent enough to ensure that a more severe load situation would
be extremely improbable in the operating environment for which the
airplane is designed. For example, one of the load requirements for
structures in the commercial-transport category is defined as follows:*
25.341 Gust Loads
a The airplane is assumed to be subjected to symmetrical vertical
  gusts in level flight. The resulting limit load factors must
  correspond to the conditions determined as follows:
  1 Positive (up) and negative (down) rough air gusts of 66 fps
    at V_B [the design speed for maximum gust intensity] must
    be considered at altitudes between sea level and 20,000 feet.
    The gust velocity may be reduced linearly from 66 fps at
    20,000 feet to 38 fps at 50,000 feet.
  2 Positive and negative gusts of 50 fps at V_C [the design
    cruising speed] must be considered at altitudes between sea level
    and 20,000 feet. The gust velocity may be reduced linearly
    from 50 fps at 20,000 feet to 25 fps at 50,000 feet.
  3 Positive and negative gusts of 25 fps at V_D [the design dive
    speed] must be considered at altitudes between sea level
    and 20,000 feet. The gust velocity may be reduced linearly
    from 25 fps at 20,000 feet to 12.5 fps at 50,000 feet.

During the development and certification of any new aircraft the
manufacturer conducts numerous tests to confirm that each structural
assembly can withstand the specified design loads without damage or
permanent deformation. Design loads with this objective are called limit
loads. There are also requirements that the structure be able to
withstand at least 150 percent of the limit load without collapsing
(experiencing a functional failure). When design loads are factored upward
in this way they are called ultimate loads. The present airworthiness
requirements for design strength have been effective in protecting
against functional failures as long as the specified load-carrying
capabilities of the structure are preserved.
After the airplane enters service the operating organization is
responsible both for preserving the design strength of the structure and
also for ensuring that the operating gross weight of the airplane does
not exceed the maximum weight at which the structure can satisfy the
various load requirements.
*Federal Aviation Regulations, Airworthiness Standards: Transport Category Airplanes,
sec. 25.341, effective February 1, 1965.

THE FATIGUE PROCESS

All the loads to which an aircraft structure is subjected are repeated
many times throughout the course of its operating life. Although any
single load application may be only a fraction of the load-carrying
capability of the element, the stress imposed by each one reduces the
remaining margin of failure resistance. Eventually, as a result of these
cumulative reductions, a small crack will appear in the metal. Until the
crack reaches the stage at which it is visible, there is little change in
the strength of the affected element. Thereafter, as internal stresses
cause the crack to propagate, the strength of the element is reduced at an
ever-increasing rate.
The fatigue process thus has two aspects. Because the effects of
repeated loads are cumulative, as the operating age increases, the age
interval before a crack will appear decreases - that is, there is a
reduction in the remaining time before crack initiation, the appearance of a
visible crack. The operating age at which a fatigue crack first appears in
a structural item is termed the fatigue life of the item.* The second aspect
is the reduction in the strength, or load-resisting capability, of the item
associated with crack propagation. Both fatigue life and the rate of crack
propagation vary not only with the material from which the item is
made, but also with its size and shape and the manufacturing process
by which it was produced. For this reason fatigue tests must be
conducted on actual structural elements and assemblies to determine their
individual fatigue characteristics.

[Exhibit 9.1 plot: labels include design limit load; horizontal axis: applied load (cycles)]

EXHIBIT 9.1 Model of the effect of fatigue on the strength of a
single structural element exposed to cyclic loads.

*The term fatigue life is also used to denote the age at which a fracture occurs as a result
of fatigue. In this discussion fatigue life always means the time to crack initiation.

The fatigue process in a single structural element is illustrated in
Exhibit 9.1. When the structure is new the element can withstand an
ultimate load, or 150 percent of its design limit load. As the element ages
in service its failure resistance (time to crack initiation) decreases with
repeated load applications until a fatigue crack appears. Up to this point
its load-resisting capability is relatively unchanged. Now, however,
the crack will propagate, and the strength of the element will decrease
accordingly. At some point the crack will reach a length at which the
element can no longer withstand the limit load; it then becomes a critical
crack. If this element is subjected to the limit load it will fracture
immediately, but even when the continued loads are much lower than the
limit load, the rate of crack growth will become so rapid that a fracture
cannot be prevented by scheduled maintenance.
If the item that fractures is a monolithic element and is not part of
a redundant assembly, this functional failure is usually critical. If the
item is one element of a multiple-load-path assembly, the fracture
reduces the load-carrying capability of the assembly but does not result
in a complete loss of function. The resulting redistribution of the load
to the remaining elements does, however, accelerate the fatigue process
in those elements. This situation is illustrated in Exhibit 9.2. The
cracking or fracture of the first element reduces the residual strength of the
assembly. After this the load-carrying capability will remain relatively
constant until a crack initiates in a second element, which results in a
transition to a still lower residual strength. The amount of reduction in
each case will depend on the contribution of each element to the total
strength of the assembly.

EXHIBIT 9.2 Model of the effect of fatigue on the strength of a
multiple-load-path (redundant) structural assembly exposed to
cyclic loads.

The difference between these two situations has led to two basic
structural-design practices to prevent critical failures. The older, and
perhaps better-known, practice is safe-life design, which applies to
structural elements with little or no redundancy. A newer practice is
damage-tolerant (fail-safe) design. This term refers not only to redundant
fail-safe structure, but also to monolithic portions of the structure
characterized by easily detected cracks with slow propagation rates. A
structural assembly is said to be damage-tolerant if after the complete
fracture of any one element it can still withstand the damage-tolerant loads
specified by the appropriate airworthiness authority. A monolithic item
is considered damage-tolerant if the rate of crack propagation is slow
enough for at least two inspections to be feasible during the interval
from crack initiation to a crack of critical length.
Suppose, for example, that the specified damage-tolerant load is
the design limit load treated as an ultimate load. This means that in its
intact condition a structural assembly must be capable of withstanding
the limit load without permanent deformation, whereas after the failure
of one of its elements it must be able to withstand the same load
without a functional failure. This specification is similar to the requirement
that the engines on a transport airplane provide sufficient residual thrust
for safe operation after a complete loss of thrust from one engine (or,
in certain situations, from two engines). The residual strength after a
single element fails is lower than desired for continuous operation.
However, it is still so high that the airplane is unlikely to encounter
dangerous loads during the time that will pass before the failed element
is discovered and repaired. The concept of damage-tolerant design
depends, of course, on an adequate inspection program.
It is rare for the failure of a single element to reduce residual strength
to the damage-tolerant level. In fact, depending on the degree of redundancy (number of load paths), the failure of some structural elements
has little effect on the assembly. Moreover, the design strength of most
elements is determined by the single highest load requirement, such
as that for landing loads, and their contribution to the strength of the
assembly may be less under other loading conditions. The appearance
of a fatigue crack in an element can therefore be defined as a potential-failure condition, and since even the fracture of a single element is not
critical, on-condition inspections will be effective at intervals short
enough to ensure that not more than one element will fracture.
Most modern aircraft employ damage-tolerant design principles as
widely as possible, but there are some parts of the structure, such as the
landing gear, for which the criteria for damage tolerance cannot be met.
Consequently it is necessary to impose safe-life limits on these
elements. Since fatigue is directly related to total operating age, the limit
is based on tests conducted to simulate operating loads in order to
determine the fatigue life (time to crack initiation) for each element. Although
a safe-life discard task based on such fatigue tests is applicable, it
cannot be considered effective in the case of structural elements because
they are exposed to other deterioration processes that may prevent the
safe-life limit from being achieved. Hence any safe-life structural items
must be supported by a combination of tasks - on-condition inspections
for corrosion and accidental damage and a safe-life discard task to ensure
that the item is removed from service before a fatigue failure can occur.
The replacement of safe-life items and the repair of fatigue damage
in other structural elements is both time-consuming and very
expensive. Thus for economic reasons as well as safety reasons, the structure
of an aircraft is designed for high safe-life limits, and also for a long
fatigue life. The design goal for the Douglas DC-10, for example, was
a mean fatigue life (to crack initiation) of 120,000 hours for the structure
as a whole, with the expectation that any individual airplane would be
free of any fatigue problems up to 60,000 hours.
FACTORS THAT AFFECT FATIGUE LIFE

The primary deterioration process in structure is fatigue. However, the
integrity of the structure is also threatened by manufacturing
imperfections, accidental damage, overloads during operation, and corrosion.
All these factors can have a direct effect on structural strength and can
also accelerate the fatigue process itself. The age at which fatigue cracks
first appear in a given structural item may therefore vary widely from
one airplane to another, and structural inspections must begin long
before the age at which fatigue-test data indicate that a fatigue crack can
be expected.
One well-recognized manufacturing problem is assembly-induced
preload, a condition caused by design, fabrication, or assembly errors.
Exhibit 9.3 shows an example of a preload condition in an angle splice.
In this case a missing chamfer allows the edge of the angle to gouge
into the radius of the chord piece. When the horizontal joint is drilled
and bolted without proper shimming, a further effect is deformation
of the pieces. The result is either radial cracking at the joint or a splice
with such high imposed loads that it is highly susceptible to any small
additional loads. In either case the residual strength of the assembly
containing this chord and splice will deteriorate in a fraction of its
intended design life. Fortunately the existence of a preload condition is
usually detected early in the age-exploration process, but its discovery
necessitates immediate inspection of the entire fleet to locate all
defective units.

[Exhibit 9.3 drawing labels: bulkhead chord, proper chamfer, missing chamfer, deformation due to preload]

EXHIBIT 9.3 Example of a preload condition. Although the discovery
of this condition on one airplane prompted an immediate inspection
of the entire fleet, only a few cases of preload were actually found.

In addition to localized problems, all parts of the structure are
exposed to corrosion, the deterioration and ultimate destruction of a
metal by its environment. There are many different forms of corrosion,
ranging from simple oxidation to electrolytic reactions. Like fatigue,
corrosion is age-related. It is not nearly so predictable, however, since
metals corrode at rates that depend on a complex of environmental
conditions and maintenance practices. Corrosion damage has a
particularly adverse effect on structural strength. Unless it is detected at an
early stage, the localized loss of material will reduce the load-carrying
capability of the portion of the structure affected, and the resulting
increase in stress levels will accelerate the fatigue process in the
remaining metal.
Most types of corrosion are observable as surface deterioration
which results in a measurable reduction in the cross section of the
element. Stress corrosion, however, is more difficult to detect. This form
of corrosion is caused by the combined effects of environment and
sustained or cyclic tensile stress, and it can lead to the spontaneous
collapse of the metal with no macroscopic signs of impending failure.
Stress corrosion develops as fine intercrystalline or transcrystalline
cracks in the metal itself. Since there may be no external evidence of
deterioration, we must rely on such nondestructive techniques as
eddy-current inspection to detect this condition. In a moist environment
stress-corrosion cracking can occur under stresses much lower than
the yield stress of the material. The problem is most common in
high-strength aluminum alloys that have been strengthened by heat-treating.
It can be caused by improper heat treatment, a poor choice of materials
for a particular set of conditions, or the lack of adequate protective
coatings. In some cases it may also be caused by the sustained stress
created by preload conditions.
Generally the areas that are exposed to dirt, moisture, and heat are
the most susceptible to corrosion, and properly applied and maintained
protective coatings are necessary to prevent deterioration. Particularly
short inspection intervals are required in such corrosion-prone areas
as fuselage bilges, the areas under lavatories and galleys, and cargo
pits to check for incipient corrosion and restore any deteriorated
protective coatings.

STRUCTURALLY SIGNIFICANT ITEMS

Nearly all parts of an airplane structure are inspected at one time or
another, both to preserve the design strength of the structure and
because deterioration detected in its early stages is relatively inexpensive
to repair. Because of the cost and difficulty of replacing failed
structural members, most such items might be viewed as significant on the
basis of economic consequences. However, the primary consideration
in determining structural significance is the effect that failure of an
element has on the residual strength of the remaining assembly and on
the functional capability of the overall structure. Thus safe-life elements
and damage-tolerant monolithic elements are classified as significant
because their failure would lead to a complete loss of function of a major
assembly either immediately or in the near future. Many elements of a
damage-tolerant assembly will also be classified as significant,
depending on their contribution to the strength of the assembly and the
significance of the assembly to the overall structure.
The generic term structurally significant item (SSI) is used to denote
each specific structural region that requires scheduled maintenance as
part of an RCM program to guard against the fracture of significant
elements. Such an item may be defined as a site which includes several
elements, it may be defined as the significant element itself, or it may
be defined in terms of specific regions on the element which are the
best indicators of its condition. In this sense a structurally significant
item is selected in much the same way as a functionally significant item,
which may be a system, a subsystem, an assembly, or a significant part
in an assembly.
During the selection of structurally significant items consideration
is also given to the susceptibility of various parts of the structure to
corrosion and accidental damage. Thus the relative ranking of
significant items takes into account not only the effect of the item's failure, but
also how soon a particular item is likely to cause problems.
Consequently, although significant items are often defined in terms of specific
stress points, such as the joint between two structural members, an
entire area that is exposed to moisture, and hence to corrosion problems,
may also be classified as significant. In this case specific stress points
within the area might be designated as separate items on the basis of
fatigue factors. Sometimes different surfaces of the same structural
element are designated as separate items, especially if different access
routes are required to perform the inspections.
In the development of a prior-to-service program the manufacturer
provides the initial designation of structurally significant items, since
at that time he is the only one in a position to identify safe-life and
damage-tolerant monolithic items, the effect of a failed element on the
strength of damage-tolerant assemblies, and the expected fatigue life
and crack-propagation characteristics of each structural element.
Although the numbering schemes differ from one manufacturer to another,
significant items are usually identified on the basis of a
three-dimensional reference system that shows their exact physical location by
section or station or within a designated zone.
All structurally significant items are subjected to detailed inspections.
Many of these inspections are visual, but they must be performed at
close range and require special attention to small areas, such as a check
for corrosion in bolt holes. Others may entail the use of special
equipment, such as x-ray or eddy-current devices. In addition to these detailed
inspections, many items also receive frequent general inspections, visual
checks for any obvious problems, which require no tools or disassembly
other than the opening of quick-access doors. These latter inspections
are performed as part of the preflight walkaround checks, the zonal
program, and general external inspections, which include nonsignificant
portions of the structure as well. Thus, although the RCM structural
program includes only those items designated as structurally
significant, every aspect of the structure is examined at one time or another to
ensure that any signs of fatigue, corrosion, or accidental damage will
be detected in their early stages.

9.2 THE STRUCTURAL INSPECTION PLAN

The structure of an airplane is exposed to random damage from contact
with loading or other ground equipment and from foreign objects such
as stones or ice on runways and bird strikes during flight. It is also
subject to occasional severe loads during operation as a result of air
turbulence or hard landings. However, the chief causes of deterioration
(a reduction in failure resistance) are fatigue and corrosion, both of
which are age-related. Fatigue is related to the total operating age of the
structure, and corrosion is a function of the time since corrosion damage
was last repaired and anticorrosion treatments were renewed. The
objective of the structural inspection plan is to find and correct any
deterioration of those items of greatest significance to the structural integrity
of the airplane, and to collect information on the aging characteristics of
less significant items by inspections of a sample of the fleet. The sampling
information may, of course, lead to inspection of certain items on every
airplane as evidence of these characteristics begins to appear.
Because deterioration in its early stages is relatively inexpensive
to repair, it is cost-effective to inspect many structural items far more
frequently than would be required solely to protect the airworthiness
of the airplane. General inspections of the external structure, for
example, are scheduled very frequently because they can be performed
quickly and easily. External structural items are those portions of the
structure that can be seen without removing any covering items or
opening any access doors. These general inspections will detect not
only accidental damage, but also any external signs of internal
deterioration, such as discoloration, popped rivets, buckled skin, and fuel
leaks. This external evidence is often a specific design feature in
damage-tolerant structure, and the ease of external inspections makes it practical
and safe to lengthen the inspection intervals for the internal items
themselves.
Any part of the structure that is not visible externally is termed an
internal structural item. Internal items are more difficult to inspect. Some
require only the opening of quick-access doors, but others require the
removal of floorboards, linings, and insulation or the disassembly of
other parts of the structure or of the aircraft systems. Internal significant
items, like external ones, receive detailed inspections. However, whereas
external inspections are performed on every airplane, some internal
inspections are performed on only a portion of the fleet. In the powerplant division age exploration of internal engine items is based on a
continual flow of engines through the repair shop, but structure does
not provide such opportunity samples (portions removed and sent to
the shop while the airplane remains in service). Thus the inspection program itself is the only vehicle for age exploration. The intervals assigned
in an initial program therefore represent only a fraction of the ages at
which any signs of deterioration are expected and, in effect, merely define the start of age exploration for each item.
The current practice in developing an initial structure program is
based on a rating scheme that makes full use of the designer's information and the manufacturer's test data for the various structural elements. The first consideration is whether the portion of the structure
in question is a structurally significant item. If so, it will be assigned
a detailed inspection task, but the frequency of inspection will depend
on further considerations. If the item is on the underside of the airplane,
which is particularly susceptible to accidental damage, it will be inspected more often than one on the upper surface. The inspection intervals for damage-tolerant items will be longer in general than those for
safe-life elements. In this case, however, the interval for internal items
will depend on whether a damage-tolerant assembly has been designed
to provide external evidence of internal damage. The general relationship of these considerations is diagrammed in Exhibit 9.4.
The starting point for the development of a structure program is a
list of structurally significant items. Not all these items will be of the
same significance. The failure of some redundant elements, for example,
will cause a much greater reduction in residual strength than the failure
of others. Moreover, the test data on fatigue life, as well as differences
in susceptibility to corrosion and accidental damage, will usually indicate that inspection of all items need not start at the same operating age.
To determine an appropriate interval for each item, therefore, it is
necessary to assess the following design characteristics:

- The effect of failure of the item on residual strength
- The anticipated crack-free life (fatigue life) of the item
- The crack-propagation characteristics of the item
- Susceptibility of the item to corrosion
- Susceptibility of the item to accidental damage

These five factors are used to develop inspection ratings for each item,
and the ratings are then transformed into a class number that identifies
the appropriate relative interval.

EXHIBIT 9.4 A plan for inspection of the complete structure.

Is this portion of the structure a structurally significant item?
  No: NONSIGNIFICANT STRUCTURAL ITEM. Receives general inspection as part of other inspection programs.
  Yes: STRUCTURALLY SIGNIFICANT ITEM. Receives detailed inspection under RCM structural inspection program.
Is the assembly damage-tolerant?
  Damage-tolerant item. Rate for the following factors: effect of failure on residual strength, fatigue life, crack-propagation rate, susceptibility to corrosion, susceptibility to accidental damage. Convert ratings to class number.
  Safe-life item. Rate for the following factors: susceptibility to corrosion, susceptibility to accidental damage. Convert ratings to class number.
To illustrate, suppose the item is an internal structural element in
a damage-tolerant assembly. The first step is to rate each of the five
factors independently on a scale of 1 to 4, as outlined in Exhibit 9.5.
This scale keeps the number of choices small, but also avoids a middle
value, which would tend to be overused. Note that the ratings for fatigue life and crack propagation for an internal item may be increased
by 1 if there is external evidence of the item's failure. This does not
apply to corrosion ratings, however, since the objective is to inspect
often enough to prevent corrosion damage from reaching the stage at
which it would be evident externally. Nor does it apply to accidental
damage. Thus this particular internal item might be rated as having
very little effect on the residual strength of the assembly (4), moderate
fatigue life (2 + 1 = 3), rapid crack growth (1 + 1 = 2), moderate susceptibility to corrosion (2), and very little exposure to accidental damage (4).
The procedure for safe-life items is similar, except that these items
are rated for only two factors: corrosion and exposure to accidental
damage. A functional failure (fracture of the item) would reduce the
residual strength to zero, and crack propagation is not a consideration
because a safe-life item cannot be allowed to reach the point of crack
initiation. If it were feasible to define a crack as a potential failure and
depend solely on on-condition inspections to ensure removal of the
item before the crack reached critical length, the item would have been
classified as damage-tolerant instead of safe-life.

EXHIBIT 9.5 Rating scales for the five factors that determine
structural inspection intervals. Each structurally significant item is
ranked on a scale of 1 to 4 for each of the factors that apply. The
lowest of these rankings represents the class number assigned to
that item.

rating  reduction in        fatigue     crack          susceptibility  susceptibility to
        residual strength   life*       propagation*   to corrosion    accidental damage
1       Large               Short       Rapid          High            High
2       Moderate            Moderate    Moderate       Moderate        Moderate
3       Small               Long        Slow           Low             Low
4       Very small          Very long   Very slow      Very low        Very low
While the ratings are clearly a matter of judgment, they make the
best possible use of the information that is available at the time. For
example, in assessing the reduction in residual strength caused by the
fracture of a single element, consideration must be given not only to
the role of the element in relation to the load-carrying capability of the
assembly, but also to the role of the assembly itself in relation to the
overall structure. From the standpoint of the assembly, one determining
factor is the number of elements at the same site that can fail before
damage-tolerant capability is lost. The reduction is rated as major if
the failure of a second element would leave the assembly incapable of
supporting the damage-tolerant load; it would be rated as moderate if
the failure of two elements could be tolerated, and if the loads originally
carried by the two elements were of the same order of magnitude. Alternatively, the ratings can be based on the percentage of loss in residual
strength caused by the fracture of structural elements. For example, if
the failure of two elements can be tolerated, a rating of 2 would be used
if these failures reduce the margin between the ultimate and damage-tolerant strength by 75 percent; a reduction of 50 percent would be rated
as 3, and a reduction of 25 percent would warrant a rating of 4.
In assessing fatigue life and crack-propagation characteristics the
working group would consider whether or not the item had undergone
fatigue and crack-propagation tests (if not, all the ratings would be
lower), whether the loads applied to the test items are representative
of the expected operating loads, and the results of the test in relation to
the fatigue-life goal for the airplane. In making corrosion ratings they
would consider previous experience with the anticorrosion treatments
used in manufacture, the type of environment in which the equipment
will be operated, and any specific problems related to the location of
the item in the equipment. Operation in a hot, humid environment close
to salt water, for example, would affect corrosion ratings for the entire
structure. In commercial aircraft those structural items adjacent to the
cargo pits, galleys, hot-air ducts, and lavatories are particularly susceptible to corrosion. Susceptibility to corrosion is difficult to rate,
since corrosion is a function of the operating environment, and for some
types of equipment evidence of corrosion might be acceptable at much
lower ages than it is for transport aircraft. Similarly, the susceptibility
of an item to accidental damage will range from high for external items
exposed to foreign objects on runways to low for internal areas subject
to little traffic from maintenance personnel.
One way of rating the fatigue life and crack-propagation characteristics of an item is in terms of the fatigue-life design goal for the
structure as a whole. The design goal for the Douglas DC-10, for example, was an average fatigue life of 120,000 hours to crack initiation (about
40 years of airline service, or two operating lifetimes). An individual
item with an expected fatigue life of less than 120,000 hours would be
rated 1 for fatigue life, an item with an expected fatigue life of 120,000
to 180,000 hours would be rated 2, and so on. The ratings for crack propagation would be based similarly on a ratio of the crack-propagation
interval for the item to the overall fatigue-life design goal. Thus an item
with an interval of less than 15,000 hours from the time of crack initiation to critical crack length (or in the case of a redundant element, to
fracture of the element) would receive a rating of 1 for this factor.
Corrosion ratings can be developed in the same way, by comparing
the age at which corrosion is first expected to become evident with the
fatigue-life design goal. The ratings for susceptibility to accidental
damage cannot be expressed in terms of a reference age, but they are
based on the item's resistance to damage, as well as the type and frequency of damage to which it is exposed.

EXHIBIT 9.6 Factors used to develop ratings for damage-tolerant structurally significant items. In each case the item is
rated for the effect of a single failure on the residual strength
of the assembly. The fatigue life of each item represents the
time to crack initiation in relation to the fatigue-life design
goal for the structure as a whole.

reduction in residual strength
  no. of elements that can fail without reducing
  strength below damage-tolerant level             rating
  One                                              1
  Two or more                                      2
  Two or more                                      3
  Two or more                                      4

fatigue life of element
  ratio to fatigue-life design goal                rating
  Less than 1                                      1
  1-1½                                             2
  1½-2                                             3
  More than 2                                      4

crack-propagation rate
  ratio of interval to fatigue-life design goal    rating
  1/8                                              1
  1/4                                              2
  3/8                                              3
  1/2                                              4

susceptibility to corrosion
  ratio of corrosion-free age to
  fatigue-life design goal                         rating
  1/8                                              1
  1/4                                              2
  3/8                                              3
  1/2                                              4

susceptibility to accidental damage
  exposure as a result of location                 rating
  High                                             1
  Moderate                                         2
  Low                                              3
  Very low                                         4
Once the item under consideration has been rated for each of the
factors that apply, the lowest rating for any individual factor is assigned
as the class number for that item.* The damage-tolerant item described
above has ratings of 4, 3, 2, 2, and 4; hence its class number is 2. A safe-life item rated 4 for corrosion and 1 for susceptibility to accidental
damage would have a class number of 1. The class number is the basis
for the relative length of the initial inspection interval. The lower the
rating, the lower the class number, and therefore the shorter the inspection interval.

*The lowest number must be used because there is no basis for tradeoffs between any of
the individual rating factors.

For damage-tolerant items the design goal can also serve as a reference for converting class numbers to inspection intervals. The interval
must be one that provides for at least two inspections during the crack-propagation interval; if the first inspection does not disclose a potential failure, the second one will. In addition, there should be 20 to 30
inspections before the expected appearance of a fatigue crack on the
most significant items, although there may be as few as five for those
of least significance. Such inspections not only protect the structure
from the effects of incipient corrosion and accidental damage, but also
make it possible to confirm that the design fatigue life has in fact been
achieved.
There is no hard-and-fast rule for establishing initial inspection
intervals, because the rating process itself must be based on cautious
informed professional judgment. The scale outlined in Exhibit 9.7 does,
however, reflect current practice for commercial swept-wing jet transport
aircraft. This scale applies only to structural items that meet damage-tolerant design criteria. Safe-life items must also be inspected to find
and correct any deterioration that could prevent attainment of the safe-life limit. The ratings for corrosion and susceptibility to accidental
damage will provide rankings for the relative intensity of such inspections, but there is no accepted basis for converting the resulting class
numbers to actual intervals. This is because of the wide variations both
in susceptibility to such damage and in the value judgments applied
to ratings in individual operating contexts. Consequently the initial
intervals for safe-life elements are generally set at conservative values
which reflect their relative class numbers and are extended, if possible,
on the basis of the findings from these inspections after the equipment
enters service.

EXHIBIT 9.7 A suggested scale for converting class numbers to
relative inspection intervals for significant items in damage-tolerant
structure. In this case the initial interval is expressed as a fraction of
the fatigue-life design goal for entire structure. A similar scale cannot
be used for safe-life elements because the only two factors rated
(susceptibility to corrosion and accidental damage) vary with the item
and the intended use of the equipment.

class number assigned to item    initial inspection interval as a
as a result of ratings           fraction of fatigue-life design goal
1                                1/24
2                                1/12
3                                1/8
4                                1/6

notes
1 An internal item whose class number has been increased as a result of external
  detectability will have an associated external SSI with the class number of the
  internal item without this increase.
2 Class 1 and class 2 items may be considered for increased initial intervals on
  later aircraft after a sufficient number of inspections on the original fleet have
  shown no signs of deterioration.
3 Class 3 and class 4 items may be considered as candidates for total-time
  fleet-leader sampling after pertinent operating information becomes available.
At this point let us examine some of the implications of Exhibits
9.6 and 9.7 and see how the starting and repeat intervals for structural
items relate to the fatigue characteristics of the item. Consider a case
in which the class number of an item results from its crack-propagation
rating. The relationships would be as follows:

class number    ratio of crack-growth       ratio of inspection
                interval to fatigue-life    interval to fatigue-life
                design goal                 design goal
1               1/8                         1/24
2               1/4                         1/12
3               3/8                         1/8
4               1/2                         1/6

In each case the inspection interval ensures three inspections between the time of crack initiation and time at which the crack will reach
critical length. The intervals are therefore quite satisfactory for use as
repeat intervals to detect potential failures before the item actually fractures. However, these intervals are also used in the initial program to
define the ages at which inspections must be performed to begin the
age-exploration process. The same interval will be used for the first,
second, and subsequent inspections of the item until there is sufficient
information to support a change. Such information will usually show an
absence of deterioration at lower ages, and it will then be possible to
start inspections on later-delivery airplanes at a higher age, that is, to
eliminate the first few inspections in the sequence.
Now suppose that the item in question has a class number of 1,
and that the ratings for residual strength and crack propagation are both
1. The inspection interval of 1/24 of the fatigue-life design goal is sufficiently conservative to protect a very significant item in damage-tolerant structure. If both ratings are 2, the inspection interval will be
increased to 1/12 of the design goal. However, if the item has been rated
1 for residual strength and 2 for crack propagation, the class number is 1
and the inspection interval remains at 1/24 of the fatigue-life design
goal, a somewhat illogical but subjectively attractive increase in conservatism, both for protection of the item and for the intensity of age
exploration.
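The rating procedure described above, worked through as an added Python example that is not part of the original text: it applies the external-evidence credit, takes the lowest rating as the class number, and converts that class number to an initial interval using the fractions tabulated above. All function and factor names are hypothetical, and the cap of 4 on an adjusted rating is an assumption; the 120,000-hour goal is the DC-10 figure quoted in the text, applied here to the text's illustrative item.

```python
from fractions import Fraction

# Exhibit 9.7 scale as tabulated in the text: class number -> initial inspection
# interval as a fraction of the fatigue-life design goal (damage-tolerant items).
INTERVAL_FRACTION = {1: Fraction(1, 24), 2: Fraction(1, 12),
                     3: Fraction(1, 8), 4: Fraction(1, 6)}
# Crack-growth interval as a fraction of the design goal for each
# crack-propagation rating (Exhibit 9.6).
CRACK_GROWTH_FRACTION = {1: Fraction(1, 8), 2: Fraction(1, 4),
                         3: Fraction(3, 8), 4: Fraction(1, 2)}

# Hypothetical factor names, listed in worksheet order.
DAMAGE_TOLERANT_FACTORS = ("residual_strength", "fatigue_life", "crack_growth",
                           "corrosion", "accidental_damage")
SAFE_LIFE_FACTORS = ("corrosion", "accidental_damage")
# Only these ratings may be raised by 1 when an internal item's failure
# produces external evidence; corrosion and accidental damage never are.
EXTERNALLY_ADJUSTABLE = ("fatigue_life", "crack_growth")


def fatigue_life_rating(expected_life_hours, design_goal_hours):
    """Rate fatigue life from its ratio to the design goal (Exhibit 9.6)."""
    ratio = Fraction(expected_life_hours, design_goal_hours)
    if ratio < 1:
        return 1
    if ratio <= Fraction(3, 2):  # the text rates 120,000 to 180,000 hours as 2
        return 2
    if ratio <= 2:
        return 3
    return 4


def adjusted_ratings(ratings, damage_tolerant, internal=False,
                     external_evidence=False):
    """Validate the 1-to-4 ratings and apply the external-evidence credit."""
    required = DAMAGE_TOLERANT_FACTORS if damage_tolerant else SAFE_LIFE_FACTORS
    if set(ratings) != set(required):
        raise ValueError(f"expected ratings for exactly: {required}")
    if any(r not in (1, 2, 3, 4) for r in ratings.values()):
        raise ValueError("each rating must be 1, 2, 3, or 4")
    result = {name: ratings[name] for name in required}
    if damage_tolerant and internal and external_evidence:
        for name in EXTERNALLY_ADJUSTABLE:
            # Assumption: the credit cannot push a rating past the top of the scale.
            result[name] = min(4, result[name] + 1)
    return result


def class_number(adjusted):
    """The lowest rating controls; no tradeoff between factors is allowed."""
    return min(adjusted.values())


def controlling_factors(adjusted):
    """Factors whose rating equals the class number, in worksheet order."""
    lowest = class_number(adjusted)
    return [name for name, rating in adjusted.items() if rating == lowest]


def initial_interval_hours(cls, design_goal_hours, damage_tolerant=True):
    """Initial (and repeat) interval in hours; None for safe-life items,
    for which the text gives no accepted conversion."""
    if not damage_tolerant:
        return None
    return INTERVAL_FRACTION[cls] * design_goal_hours


def inspections_during_crack_growth(crack_rating):
    """Inspections falling between crack initiation and critical length when
    the crack-propagation rating is the one that sets the class number."""
    return CRACK_GROWTH_FRACTION[crack_rating] / INTERVAL_FRACTION[crack_rating]


if __name__ == "__main__":
    goal = 120_000  # DC-10 fatigue-life design goal quoted in the text
    item = adjusted_ratings(
        {"residual_strength": 4, "fatigue_life": 2, "crack_growth": 1,
         "corrosion": 2, "accidental_damage": 4},
        damage_tolerant=True, internal=True, external_evidence=True)
    cls = class_number(item)
    print(item, cls, controlling_factors(item),
          initial_interval_hours(cls, goal))
```

With a residual-strength rating of 1 and a crack-propagation rating of 2, the same functions return class 1 and the 1/24 interval, which is the added conservatism the preceding paragraph points out.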
Low ratings for fatigue life and exposure to corrosion or accidental
damage can lead in the same way to increased conservatism. Although
the intervals in Exhibit 9.7 are generally conservative, items with fairly
rapid crack-propagation characteristics may be far off the scale and may
require special treatment. This is frequently the case with serious unanticipated failures which occur after the airplane enters service, but then
real information is available for use in establishing the appropriate
intervals for first and repeat inspections.
While the question of when each item should first be inspected is
always believed to be of intrinsic importance in developing an initial
inspection program, it is an interesting paradox that the methods actually used to determine initial intervals can be explained only in terms
of repeat intervals, with in-service age exploration to establish which
multiple of these intervals should be used as the starting interval on
later-delivery airplanes. There has been a gradual extension of initial
inspection intervals as a result of satisfactory experience with in-service
aircraft, and further experience may well support substantially longer
initial intervals for designs incorporating familiar technology.
It is important to remember that the intervals suggested in Exhibit
9.7 are based on vast experience with various types of airplanes that
have employed similar materials, design practices, and manufacturing
processes. They can therefore be applied with confidence to new types
of airplanes that represent an extrapolation of this experience. However,
if the aircraft designer is less experienced in this field, or if new types
of materials or new manufacturing or bonding processes are employed,
or if the equipment is to be operated in an unfamiliar environment
(such as supersonic transport), the initial intervals must be far more
conservative and the age-exploration activity more intensive. It goes
without saying that the effectiveness of an inspection program depends
on the proper identification of structurally significant items. It is essential, therefore, that all operating organizations report serious structural
deterioration at any age to central coordinating agencies, usually the
manufacturer and the regulatory agencies, who will evaluate them and
define new significant items, adjust inspection intervals, call for special inspections, or even require that modifications be made to the
structure.

9.3 ASSEMBLING THE REQUIRED INFORMATION

initial information requirements
the information worksheet

Most of the information required to develop an initial structural program must be supplied by the manufacturer. In addition to the test
data used to establish fatigue life and the effect of a failure on residual
strength, the working group must know the flight profile assumed as
the basis for fatigue-life design goals and the structural design philosophy that was followed. To determine appropriate inspection intervals,
they must also know whether the design characteristics include external
evidence of internal failures, what the accessibility of each item will be,
the physical properties of each of the materials used, and the corrosion-prevention procedures and types of paint systems used.
All this information is provided during the design reviews conducted by the manufacturer. As an example, the following design goals
were discussed with the entire working group during early presentations on the Douglas DC-10:

- The residual strength after the failure of any single structural item
  must be great enough to withstand the applied limit load considered as an ultimate load (the criterion for damage-tolerant
  structure).
- A part containing discontinuities must have a fatigue life equal to
  or greater than the same part without discontinuities.
- Joints must be stronger than their surrounding elements.
- The design goal for the airplane is a mean fatigue life of 120,000
  flight hours, with a reasonable probability that any single airplane
  will be crack-free to 60,000 hours (approximately 20 years).
- Every effort must be made to ensure that areas most subject to
  fatigue damage are easy to inspect by detailed inspections in small
  localized areas.
- The outer-skin cracks which are evidence of fractures in adjacent
  internal elements must be detectable before they reach critical
  length.

Proper evaluation of this information, however, depends heavily
on the experience and professional judgment that the working-group
members bring to the decision process. From experience with other
recent designs, they will know the areas of the structure in which fatigue cracks are most likely to appear, the parts of the airplane subjected
to the harshest environmental conditions (trapped water, condensation,
spillage, damage from cargo), the durability and effectiveness of protective coatings in actual use, and the reaction of various structural
materials under loads and environmental conditions similar to those
to which the new aircraft will be subjected.
The data elements that must be assembled for each structural item
to be analyzed are similar to those required for systems and powerplant
items. Because the primary decision problem concerns the assignment
of appropriate inspection intervals, however, the information is recorded in a slightly different form (see Exhibit 9.8). In addition to the
item name and number, which are usually based on the manufacturer's
identification of parts for design reference, a brief description is needed
to pinpoint the exact location of the item. The zone numbers are also
included, since they are useful when the tasks are assembled into work
packages. If an item appears on both sides of the aircraft, both zone
numbers should be included. Similarly, if it is a skin panel or some
other large area, all zone designators should be included.
It is important to specify the materials from which the item is manufactured, since prior experience with various materials will have great
bearing on the evaluation of their properties. The results of fatigue and
static-load tests of the complete airplane or its major assemblies are
usually not available at the time an initial program is developed, since
the tests on most items will still be in progress. However, there are often
test data on smaller assemblies, and in some cases relevant data may be
available for a similar portion of the structure on in-service aircraft.
Where tests on safe-life items are still in progress, the test data which
are available must show a zero conditional probability of failure at the
safe-life limit indicated.
In the case of all structural analyses it is necessary to indicate
whether the item is a safe-life element or meets the criteria for damage-tolerant design. The worksheet should also show whether the item is an
internal one or is visible externally. As with systems and powerplant
items, the design redundancies that make an item damage-tolerant and
the external detectability of internal problems help to determine the
specific area (or areas) of the structure defined as structurally significant, as well as the ratings which establish the intensity of inspection
required. The ratings themselves are recorded on the worksheet, along
with the class number assigned to the item as a result of the controlling
rating factor. Where individual ratings have been increased because of
external detectability or decreased because of the absence of test data,
these adjustment factors should be noted. The information on related
structurally significant items is especially useful in evaluating later
adjustments of the initial intervals as a result of age exploration.
Whereas the information worksheets for systems and powerplant
items included a detailed list of functions, functional failures, failure
modes, and failure effects, this information is rarely needed on structures worksheets. (The reason for this will be explained in the next section.) Instead, the rest of the worksheet covers the nature of the proposed inspection tasks. Where both general and detailed inspections
are required for the same item, each task is listed separately, with its
appropriate interval. If the item is one that is likely to control the work
package in which it is included, the initial interval should be stated in
actual operating hours, spectrum hours, or flight cycles. Where a wide
range of intervals can be assigned, it may be necessary only to state the
letter-check package in which the task is to be included (see Section 4.6).
In assigning initial inspection intervals it is important to bear in
mind that the structural inspection program will provide the framework
for all the major scheduled-maintenance packages. Thus tasks must be
considered not only in terms of their frequency, but also in terms of the
length of time the aircraft will have to be out of service while they are
performed. Inspections directed at those portions of the structure that
are both easily accessible and the most susceptible to corrosion or accidental damage are called out in the more frequent lower-level packages,
from the walkaround check on up. While the intervals must be short
enough both to protect the equipment and to find damage at a stage
when it is still inexpensive to repair, when damage is found, the repair
itself may be scheduled for a later time.
The more extensive inspections (those that will take the airplane
out of service for more than twenty-four hours) are usually consolidated in a work package performed at much longer intervals. Many of
the internal inspections can be performed only at the major maintenance base, where the airplane can be disassembled as necessary to
check parts of the structure for evidence of fatigue as well as corrosion
damage. This comprehensive inspection, or "airplane overhaul," is
usually referred to as a D check and includes all, or nearly all, the inspection tasks in the program. Depending on the complexity of the structure
and the size of the maintenance crew, it may take the airplane out of
service for a week to several months.
The first of these complete inspections is a very important part of
the age-exploration program, since it includes many inspections that
are being performed for the first time. The first airplane that ages to the
initial interval becomes the inspection sample; the findings for each
item are carefully evaluated, tasks and intervals for individual items
are adjusted as necessary, and the conservative initial interval for the
D-check package is extended. Consequently, although external inspections are performed on every airplane, most internal items will be
inspected at the initial interval only on the first one or first few airplanes to reach this age limit. They will, however, be inspected at successively higher ages as the equipment ages in service, often on a fleet-leader sampling basis.

EXHIBIT 9.8 A worksheet for recording the relevant information,
ratings, and task outcomes for structurally significant items.

STRUCTURES WORKSHEET
  type of aircraft
  item number; no. per aircraft
  item name; major area
  vendor part/model no.; zone(s)
  description/location details
  material (include manufacturer's trade name)
  fatigue-test data: expected fatigue life (hours); crack propagation (hours); established safe life
  design conversion ratio: operating hours/flight cycle
  ratings: residual strength; fatigue life; crack growth; corrosion; accidental damage
  class no.; controlling factor
  adjustment factors
  design criterion (check): damage-tolerant element; safe-life element
  inspection access (check): internal; external
  redundancy and external detectability
  Is element inspected via a related SSI? If so, list SSI no.
  classification of item (check): nonsignificant
  proposed task; initial interval
9.4 RCM ANALYSIS OF STRUCTURAL ITEMS

analysis of damage-tolerant elements
analysis of safe-life elements

As we saw in Chapters 7 and 8, RCM analysis of systems and powerplant items may fall in any branch of the decision diagram. In contrast,
all structurally significant items fall in the safety branch and the evaluation of proposed tasks can have only one of two possible outcomes
(see Exhibit 9.9). This is true no matter which of the structural functions
we consider. As an example, one function of the aircraft structure is to
permit lifting forces to balance the weight of the airplane. Although
most of the lift is provided by the wing, its center of lift does not necessarily coincide with the airplane's center of gravity, and the horizontal
stabilizer must provide a balancing load that brings the vertical forces
into equilibrium. The portions of the structure associated with this
function, therefore, are the wing, the fuselage, and the horizontal tail.
The first question is whether a loss of the balancing function will
be evident:
1 Is the occurrence of a failure evident to the operating crew during
performance of normal duties?

The answer is yes, of course, since a loss of this function as the result
of a structural failure would be all too evident, not only to the crew, but
to any other occupants of the airplane as well.
Next we would ordinarily examine the various failure modes that
could cause such a failure. In the case of structural items, however,
the failure modes all involve the fracture of a load-carrying member.
Thus the following question relates to any of the failure possibilities:
2 Does the failure cause a loss of function or secondary damage that
could have a direct adverse effect on operating safety?
The fracture of a structural item may well cause critical secondary
damage, but in this case the loss of function alone is sufficient to classify the
failure as critical. The answer to this question is therefore yes regardless of the failure mode involved, and further analysis falls in the safety
branch of the decision diagram. This means that scheduled maintenance is required and that a task will be considered effective only if it
reduces the risk of a functional failure to an acceptable level; in other
words, it must result in substantial preservation of the load-carrying
capability of the item.

EXHIBIT 9.9 The branch of the decision diagram used for RCM
analysis of all functions of the aircraft structure. The only possible task
outcomes for structurally significant items are on-condition inspection
for elements of damage-tolerant structure and a combination of
on-condition and discard tasks for safe-life elements.
The first type of task we would consider is an on-condition inspection:
4 Is an on-condition task to detect potential failures both applicable
and effective?
For items designed to damage-tolerance criteria the answer to this
question is yes. The existence of a crack in a structural element can be
defined as a potential failure, and in an assembly with redundant load
paths even the fracture of one element will not reduce residual strength
below the safety level. Hence an on-condition task is applicable, and
if it is performed at short enough intervals to ensure that a second element does not fracture (or in the case of a monolithic member, that the
crack does not propagate to critical length), the task is also effective.
RCM analysis of a damage-tolerant element is therefore complete once
this question has been answered, and all that remains is to assign appropriate inspection intervals for each of the significant items.
For safe-life items the answer to question 4 is no. Although the
initiation of a fatigue crack can still be defined as a potential failure,
unless its propagation characteristics meet damage-tolerant load requirements, we cannot rely on on-condition inspections to prevent
fatigue failures. Such inspections are applicable to detect corrosion and
accidental damage, which can greatly shorten fatigue life, but since they
will not prevent all functional failures, we must look for other tasks:

5 Is a rework task to reduce the failure rate both applicable and
effective?

Although the fatigue process is directly related to operating age, there
is no form of remanufacture that will erase the cumulative effect of the
loads the material has experienced up to that point (restore the original
resistance to failure). A rework task can therefore have no effect on the
time at which fatigue failures might occur. Since this task is not applicable, the answer to the rework question is no, and we must consider the
next possibility, a safe-life discard task.

6 Is a discard task to avoid failures or reduce the failure rate both
applicable and effective?

A safe-life limit is based on the fatigue life of the item, as established
during developmental testing. However, since corrosion and damage
can affect that life, these factors may prevent a structural element from
reaching the safe-life age established on the basis of testing in a less
hostile environment. Consequently we cannot conclude that a safe-life
discard task alone will satisfy the criterion for effectiveness in preventing critical failures, and the answer to this question is no.
A no answer to question 6 brings us to the final question in the
safety branch:

7 Is a combination of preventive tasks both applicable and effective?

Both on-condition and discard tasks are applicable, and a combination
of the two meets the effectiveness requirements. The on-condition
inspections ensure that the item will reach its safe-life limit, and the
discard task ensures that it will be removed from service before a fatigue
failure occurs.
The results of this analysis are shown on the decision worksheet
in Exhibit 9.10. Note that an analysis of any one of the functions listed
in Section 9.1 would follow the same path and lead to the same outcomes: on-condition inspections for damage-tolerant items and on-condition
inspections plus discard at the safe-life limit for safe-life
items. If the elements of a damage-tolerant assembly were analyzed
individually, the fracture of a single element would be viewed at the
assembly level as a hidden failure. The task itself, however, would be
exactly the same: an inspection for cracks and corrosion scheduled at
intervals short enough to avoid the risk of a multiple failure of such
elements.
Once again, particular care must be given to the definition of functions and functional failures. For example, one of the functions of the
structure is to provide movable flight-control surfaces for maneuvering
the airplane. However, if the ailerons on each wing are duplicated, a
failure of one of the two ailerons will not result in a loss of that function.
Rather, from the standpoint of maneuvering capability, it will result in
a potential failure. In this sense the failure of a single aileron is analogous
to the fracture of a single element in a damage-tolerant assembly, and
the maintenance task to prevent a loss of aileron function to the aircraft
is an on-condition inspection scheduled at intervals short enough to
prevent the failure of more than one aileron.

EXHIBIT 9.10 The results of RCM analysis for structurally significant
items. All functions of the aircraft structure depend on the ability of
significant elements to withstand applied loads, and all failure modes
lead ultimately to a fatigue failure resulting in the loss of this
load-carrying capability. Thus the answers to the decision-diagram
questions will be the same for any damage-tolerant item and for any
safe-life item, regardless of the particular item under consideration.

Y Y
N N N Y
On-condition inspection for cracks, corrosion, and accidental damage: as determined by class number of item
Discard at safe-life limit: as determined by safe-life limit for item

9.5 ESTABLISHING INITIAL INSPECTION INTERVALS

damage-tolerant items
safe-life items

The Douglas DC-10 is basically a damage-tolerant aircraft, the only
safe-life items being the nonredundant parts of the landing gear. During
the very early development of this design typical structural components
were fatigue-tested, either individually or in assemblies or sections,
to determine their contribution to the design goal of an average crack-free
fatigue life of 120,000 hours, with 60,000 hours of crack-free operation for any individual airplane. Although a fatigue test on the entire
structure was conducted to the full 120,000 hours, and inspections were
to be concentrated on this article as the test progressed, the final results
were not available at the time the initial program for the DC-10 was
developed. The following examples have been updated to reflect both
the results of the fatigue test and the additional parameters used in RCM
analysis.* However, the recommended intervals resulting from this
analysis are similar to (although not identical with) those in the original
prior-to-service program.

*The structural program for the DC-10, developed just before this aircraft was certified,
was based on MSG-2 principles, which involved a similar comprehensive analysis. For
a detailed discussion of the considerations behind the original program
see M. E. Stone and H. F. Heap, Developing the DC-10 Structural Inspection Program, Seventh Annual
FAA International Aviation Maintenance Symposium, Oklahoma City, Oklahoma, December
7-9, 1971, and M. E. Stone, Airworthiness Philosophy Developed from Full-scale Testing,
Biannual Meeting of the International Committee on Aeronautical Fatigue, London, July
23-25, 1973.

DAMAGE-TOLERANT STRUCTURAL ITEMS

The wing-to-fuselage attach tee, together with the structural area around
it, is one of the damage-tolerant structurally significant items on the
Douglas DC-10. This portion of the structure, identified as SSI 105, is
located on the top surface of the wing and consists of the titanium-alloy
tee at wing station XW 118.2 and the aluminum-alloy fuselage and upper
wing skin within 12 inches of it. The tee, which is in three separate
sections, extends from the front to the rear spar and forms part of the
mating joint between the wing and the fuselage. It also forms part of
the pressure vessel; thus it is subjected to pressurization loads as well
as to flight loads. This structural item cannot be seen externally. The
outer portion is under the wing-to-fuselage fairing and the inner portion
is under the cabin flooring.
Exhibit 9.11 shows all the pertinent information for this significant
item, a record of the ratings, and the resulting inspection interval.
The rating for residual strength in this case is 4 because the tee plays
a relatively minor role in transferring wing loads to the fuselage, and
even the failure of two of the three sections of the tee results in only a
small reduction in the load-carrying capability of the basic structure.
The attach tee is made of an alloy that has excellent fatigue and corrosion resistance, and this part of the structure is expected to survive to
more than twice the 120,000-hour design goal; hence the fatigue-life
rating is 4. The crack-propagation interval is more than half the design
goal, so this rating is also 4. The area is well protected and well drained,
and these properties, in addition to the high corrosion resistance of the
material itself, warrant a corrosion rating of 4. This is an internal
structural item (either the inner flooring or the outer fairing must be
removed for inspection), and since it is exposed to little mechanic traffic, the accidental-damage rating is also 4. The result of these ratings
is a class number of 4. From the rating scale outlined in Exhibit 9.7
we see that this class number represents an initial inspection interval
of 1/6 of the fatigue-life design goal, or 20,000 hours.

EXHIBIT 9.11 Worksheet for analysis of the wing-to-fuselage attach
tee on the Douglas DC-10.

type of aircraft: Douglas DC-10-10
item number: 105
no. per aircraft: 2
item name: Wing-to-fuselage attach "tee"
major area: Outer wing skin panel
vendor part/model no.: 573.01.105/DC-10-10
zone(s): 26415, 16112, 254/5, 2745
description/location details: Attach tee is located under upper wing-root fairing and runs along upper chord from front to rear spar at wing station XW 118.2; SSI includes attach tee and skin 12 in. all sides of tee (both faces), accessible through doors 527FB, 627FB, 527GB, and 627GB.
material (include manufacturer's trade name): Titanium alloy 6AL-4V (Douglas specification 1680)
fatigue-test data
  expected fatigue life: 240,000 hours
  crack propagation: 60,000 hours
  design conversion ratio: 1.5 operating hours/flight cycle
ratings: residual strength, fatigue life, crack growth, corrosion, accidental damage, class no., controlling factor
prepared by: H. F. Heap   date: 5/12/78
reviewed by: F. S. Nowlan   date: 5/12/78
approved by:   date:
design criterion (check): X damage-tolerant element; safe-life element
inspection access (check): X internal; external
redundancy and external detectability: Three pieces to prevent cracks from growing to entire length of tee; no external detectability.
Is element inspected via a related SSI? If so, list SSI no.:
classification of item (check): X significant; nonsignificant
inspection (int./ext.): Internal
proposed task: Detailed visual inspection for corrosion and cracking
initial interval: Not to exceed 20,000 hours (D check)

EXHIBIT 9.12 A portion of the Douglas DC-10 outer wing, showing
the outer face of the wing-to-fuselage attach tee (SSI 105). This view
is from the left-hand wing, looking inboard at the fuselage
(outer fairing removed). (Douglas Aircraft)
Another significant structural element on the Douglas DC-10 is the
wing rear spar, which is one of the main load-carrying members of the
airplane. A failure of the aluminum-alloy lower cap of that spar would
cause a large reduction in the residual strength of the wing, although it
would still be able to carry the damage-tolerant load in the absence of
failures of any other significant elements at the same site. The spar also
forms the rear wall of the integral fuel tanks, and since the front tang
of the spar cap is therefore difficult to inspect, it was designed for a lower
stress level than the rear tang and will thus have a longer fatigue life.
This means that inspection of the rear tang will provide the first evidence
of fatigue in the spar cap, particularly if inspections are concentrated on
regions of structural discontinuities, such as splices (the spar is made in
four sections which are spliced together).
The area identified as SSI 079 in Exhibit 9.13 is the rear tang of the
lower spar cap at a point where the spar is spliced and also changes
direction. This point lies behind the wing-engine pylon and is in front
of the aileron attach fitting. The spar cap and splice require internal
inspection and are accessible through two doors in the lower wing skin
behind the wing tank on each side of the aircraft. Internal problems are
expected to show such external signs as fuel leaks, cracked skin, or
popped rivets long before any extensive deterioration of the underlying
structure occurs.
The information for this item is summarized on the worksheet in
Exhibit 9.14. In this case a failure will have a large effect on residual
strength. The rating for residual strength is therefore 1. The splice has
an anticipated fatigue life 1½ times the 120,000-hour design goal, and
the crack-propagation interval is 1/8 of this time. Ordinarily this would
mean a fatigue-life rating of 2 and a crack-propagation rating of 1. However, because of the excellent external indicators of deterioration, both
ratings have been increased by 1. The corrosion rating is 2 because of
the location of this item; it is exposed to dirt and moisture condensation.
The rating for susceptibility to accidental damage is 4 because the item
is internal and is exposed to very little mechanic traffic.

EXHIBIT 9.13 A portion of the Douglas DC-10 wing rear spar,
showing the lower spar cap and splice (SSI 079). This view is from
aft of the left-hand wing, looking forward at the outer-wing rear spar
and trailing-edge beam. (Douglas Aircraft)
(Figure labels: trailing-edge beam; Station XORS385; rear spar.)

EXHIBIT 9.14 Worksheet for analysis of the lower spar cap and splice
on the wing rear spar of the Douglas DC-10.

item number: 079
no. per aircraft: 2
item name: Lower spar cap and splice
major area: Wing
vendor part/model no.: 571.01.079/DC-10-10
zone(s): 541, 641
description/location details: Cap and splice are located on aft lower face of wing rear spar at w k r to 480; SSI includes aft face of cap and splice, WHB, M F B, and 641FlI.
material (include manufacturer's trade name): Aluminum alloy 7075-T651
fatigue-test data
  expected fatigue life: 180,000 hours
  crack propagation: 15,000 hours
  established safe life:
  design conversion ratio: 1.5 operating hours/flight cycle
ratings: residual strength, fatigue life, crack growth, corrosion, accidental damage, class no., controlling factor
adjustment factors: *Increased by 1 for external detectability
prepared by: H. F. Heap   date: 5/12/78
reviewed by: F. S. Nowlan   date: 5/12/78
approved by:   date:
design criterion (check): X damage-tolerant element; safe-life element
inspection access (check): X internal; external
redundancy and external detectability: Designed for rear tang of spar cap to show first evidence of fatigue; deterioration visible externally (fuel leaks, cracked skin, popped rivets, discoloration).
Is element inspected via a related SSI? If so, list SSI no.: Yes. SSI 077 (forward face), SSI 079 (external area)
classification of item (check): X significant; nonsignificant
inspection (int./ext.): Internal
proposed task: Detailed visual inspection for corrosion and cracking
initial interval: Not to exceed 5,000 hours

The controlling factor is the residual-strength rating. The class
number is therefore 1, and this item is scheduled for inspection at 1/24
of the overall fatigue life, or an interval of 5,000 hours. This is a starting
interval for the initial program, and it may be extended for later-delivery
airplanes on the basis of the inspection findings after the first airplanes
have gone into service. In addition to this internal inspection, the external area expected to show evidence of internal problems will also be
designated a significant item, and this external area will be inspected
at least as frequently.
The front tang of the spar cap, identified as SSI 077, is not expected
to be the first indicator of fatigue damage. It must be inspected for
corrosion, however, because it is in the fuel tank and is thus exposed
to a different environment from the rear tang. Since the forward face of
the spar is an interior surface of the fuel tank, it is necessary to drain and
purge the tank in order to inspect it. The worksheet in Exhibit 9.15
shows no ratings for residual strength, fatigue life, or crack propagation
because these factors are covered for the spar cap by SSI 079. Susceptibility to corrosion is rated as very low, 4, because the tank itself is completely sealed and is protected from microbial action by inhibitors.
The accidental-damage rating is also 4, because this face of the spar is
exposed to even less possibility for damage than the opposite face.
The class number in this case is the lower of the two rating factors,
or 4. Thus this item will be inspected initially at 1/6 of the fatigue-life
design goal, or an interval of 20,000 hours. With a class number of 4, it
will also be eligible for reduced inspection in the ongoing program if
the results of early sampling confirm that the area is not prone to deterioration. This is an example of a situation in which two structurally
significant items have been designated to identify specific regions of a
single element that should be inspected to cater to different factors and
environments. There are many additional such designations along the
full length of the rear spar. The designer plays an important role in such
cases in making the primary indicators of deterioration occur in easily
inspectable areas.

EXHIBIT 9.15 Worksheet for analysis of the lower spar cap and
splice (forward face) on the wing rear spar of the Douglas DC-10.

item number: 077
no. per aircraft: 2
item name: Lower spar cap and splice
major area: Wing
vendor part/model no.: 571.01.077/DC-10-10
zone(s): 599,
description/location details: Cap and splice are located on forward face of wing rear spar at outer rear spar stations X,gn to 480; SSI includes forward face of cap and splice, accessible through doors 533AT and 633AT.
material (include manufacturer's trade name): Aluminum alloy -Ta1
fatigue-test data
  expected fatigue life: hours
  crack propagation: hours
  established safe life:
  design conversion ratio: 1.5 operating hours/flight cycle
ratings: residual strength, fatigue life, crack growth, corrosion, accidental damage, class no., controlling factor
adjustment factors: Ratings for residual strength, fatigue life, and crack growth not applicable, covered by SSI 079
prepared by:   date:
reviewed by:   date:
design criterion (check): X damage-tolerant element; safe-life element
inspection access (check): X internal; external
redundancy and external detectability: As for SSI 079
Is element inspected via a related SSI? If so, list SSI no.: Yes. SSI 079 (aft face), SSI 077 (external area)
classification of item (check): significant
inspection (int./ext.): Internal
proposed task: Detailed visual inspection for corrosion and cracking
initial interval: Not to exceed 20,000 hours (D check)

EXHIBIT 9.16 A portion of the Douglas DC-10 wing rear spar,
showing the forward face of the lower spar cap and splice (SSI 077).
This view is from forward of the left-hand wing, looking aft at the
rear spar of the outer wing box (upper panel removed for clarity).
(Douglas Aircraft)
(Figure labels: upper cap and splice; spar at bulkhead intersection; lower cap and splice.)
SAFE-LIFE STRUCTURAL ITEMS

The shock-strut outer cylinder on the main landing gear of the Douglas
DC-10 is one of the few safe-life structural items on this aircraft. The
following analysis of this item shows the treatment of a safe-life item
in an airline context. However, there is no universal approach to setting
inspection intervals for safe-life items, and each case must be considered
separately. This particular item is of interest because there are two
different models, and the outer cylinder on each model has a different
safe-life limit. Exhibits 9.17 and 9.18 are worksheets for the two models.
Since this is a safe-life item, it must be removed from service before
a fatigue crack is expected to occur; hence it is not rated for residual
strength, fatigue life, or crack-propagation characteristics. Both models
are of the same material. However, the manufacturer's fatigue tests
showed that model ARC 7002-501 had a safe-life limit of 23,200 landings,
or 34,800 flight hours, whereas tests on a redesigned model, ARC 7002-505,
resulted in a safe-life limit of 46,800 landings, or 70,200 flight hours.
The safe-life limits are effective only if nothing prevents the item from
reaching them, and in the case of structural items there are two factors
that introduce this possibility: corrosion and accidental damage. Both
factors reduce the expected fatigue life from that for an undamaged part,
and both apply equally to the two models of the shock-strut outer
cylinder.
Experience has shown that landing-gear cylinders of this type are
subject to two corrosion problems. First, the outer cylinder is susceptible to corrosion from moisture that enters the joints at which other
components are attached; second, high-strength steels such as 4330 MOD
are subject to stress corrosion in some of the same areas. Both models
are therefore given a corrosion rating of 1, which results in a class number of 1.
The onset of corrosion is more predictable in a well-developed
design than in a new one, and previous operation of a similar design
in a similar environment has shown that severe corrosion is likely to
develop by 15,000 to 20,000 hours (five to seven years of operation). It
can be detected only by inspection of the internal joints after shop
disassembly; hence this inspection will be performed only in conjunction with scheduled inspections of the landing-gear assembly. This
corrosion inspection is one of the controlling factors in establishing the
shop-inspection interval. It is customary to start such inspections at a
conservative interval and increase the interval at a rate determined by
experience and the condition of the first units inspected. The initial
requirement is therefore established as inspection of one sample between 6,000 and 9,000 hours and one sample between 12,000 and 15,000
hours to establish the ongoing interval. During the shop visits for these
inspections any damage to the structural parts of the assembly is
repaired as necessary and the systems parts of the assembly are usually
reworked. Thus the combined process is often referred to as landing-gear rework.

EXHIBIT 9.17 Worksheet for analysis of the outer cylinder of the
shock-strut assembly, model ARC 7002-501, on the Douglas DC-10.

STRUCTURAL WORKSHEET
type of aircraft: Douglas DC-10-10
item number: 101
no. per aircraft:
item name: Shock-strut outer cylinder
major area: Main landing gear
vendor part/model no.: P.N. ARC 7002-501
zone(s): 144, 145
description/location details: Shock-strut assembly is located on main landing gear; SSI consists of outer cylinder (both faces).
material (include manufacturer's trade name): Steel alloy 4330 MOD (Douglas TRICENT 300 M)
fatigue-test data
  expected fatigue life: hours
  crack propagation: hours
  established safe life: 23,200 landings, 34,800 operating hours
  design conversion ratio: 1.5 operating hours/flight cycle
ratings: residual strength, fatigue life, crack growth, corrosion, accidental damage, class no.
controlling factor: Corrosion
adjustment factors:
prepared by: H. F. Heap   date: 5/12/78
reviewed by: F. S. Nowlan   date: 5/12/78
approved by:   date:
design criterion (check): damage-tolerant element; safe-life element
inspection access (check): internal; external
redundancy and external detectability: No redundancies; only one cylinder each landing gear, left and right wings. No external detectability of internal corrosion.
Is element inspected via a related SSI? If so, list SSI no.: No
classification of item (check): significant; nonsignificant
inspection (int./ext.), proposed task, and initial interval:
  Internal: Magnetic-particle inspection for cracking and detailed visual inspection for corrosion. Sample at 6,000 to 9,000 hours and at 12,000 to 15,000 hours to establish best interval
  External: General inspection of outer surface. During preflight walkarounds and at A checks
  Detailed visual inspection for corrosion and cracking. Not to exceed 1,000 hours (C check)
  Remove and discard at life limit. 34,800 hours

EXHIBIT 9.18 Worksheet for analysis of the outer cylinder of the
shock-strut assembly, model ARC 7002-505, on the Douglas DC-10.

STRUCTURAL WORKSHEET
type of aircraft: Douglas DC-10-10
item number: 101
no. per aircraft: 2
item name: Shock-strut outer cylinder
major area: Main landing gear
vendor part/model no.: P.N. ARC 7002-505
zone(s): 144, 145
description/location details: Shock-strut assembly is located on main landing gear; SSI consists of outer cylinder (both faces).
material (include manufacturer's trade name): Steel alloy 4330 MOD (Douglas TRICENT 300 M)
fatigue-test data
  expected fatigue life: hours
  crack propagation: hours
  established safe life: 46,800 landings, 70,200 operating hours
  design conversion ratio: 1.5 operating hours/flight cycle
ratings: residual strength, fatigue life, crack growth, corrosion, accidental damage, class no.
controlling factor: Corrosion
adjustment factors:
prepared by: H. F. Heap   date: 5/12/78
reviewed by: F. S. Nowlan   date: 5/12/78
design criterion (check): damage-tolerant element; X safe-life element
inspection access (check): X internal; X external
redundancy and external detectability: No redundancies; only one cylinder each landing gear, left and right wings. No external detectability of internal corrosion.
Is element inspected via a related SSI? If so, list SSI no.: No
classification of item (check): X significant; nonsignificant
inspection (int./ext.), proposed task, and initial interval:
  Internal: Magnetic-particle inspection for cracking and detailed visual inspection for corrosion. Sample at 6,000 to 9,000 hours and at 12,000 to 15,000 hours to establish best interval
  External: General inspection of outer surface. During preflight walkarounds and at A checks
  Detailed visual inspection for corrosion and cracking. Not to exceed 1,000 hours (C check)
  Remove and discard at life limit. 70,200 hours

EXHIBIT 9.19 The shock-strut assembly on the main landing gear of
the Douglas DC-10. The outer cylinder is a structurally significant
item; the rest of the assembly is treated as a systems item. (Based on
Douglas DC-10 maintenance materials)
In addition to the corrosion rating, both models of the shock-strut
cylinder are rated for susceptibility to accidental damage. The cylinder
is exposed to relatively infrequent damage from rocks and other debris
thrown up by the wheels. The material is also hard enough to resist
most such damage. Its susceptibility is therefore very low, and the
rating is 4 in both cases. However, because the damage is random and
cannot be predicted, a general check of the outer cylinder, along with
the other landing-gear parts, is included in the walkaround inspections
and the A check, with a detailed inspection of the outer cylinder scheduled
at the C-check interval. The same inspection program applies to
both models, since they have the same susceptibility to corrosion and
accidental damage. The only difference is in the interval for the safe-life
discard task; this task is scheduled at the safe-life limit for each
model.
Note that the outer cylinder has been treated in this case as a single
structurally significant item. It could also have been designated as two
items, with the interval for the internal surface controlled by the corrosion rating and that for the external surface controlled by a single
rating for accidental damage. This treatment would, of course, have
resulted in the same set of tasks and intervals.
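
The rating arithmetic behind the worksheets for SSI 105, 079, 077 and the shock-strut outer cylinder, as an added Python example that is not part of the original text: the class number is the lowest adjusted rating, the initial interval for a damage-tolerant item is the stated fraction of the 120,000-hour design goal, and a safe-life limit in landings converts to hours at 1.5 hours per flight cycle. The names are hypothetical, the cap of 4 on an adjusted rating is an assumption, and only the class 1 and class 4 fractions quoted in the text are encoded (the rest of the Exhibit 9.7 scale is not reproduced here).

```python
from dataclasses import dataclass, field
from fractions import Fraction

DESIGN_GOAL_HOURS = 120_000               # fatigue-life design goal quoted in the text
HOURS_PER_FLIGHT_CYCLE = Fraction(3, 2)   # design conversion ratio on each worksheet

# Only the two points of the Exhibit 9.7 scale that the text states.
INTERVAL_FRACTION = {1: Fraction(1, 24), 4: Fraction(1, 6)}

FACTORS = ("residual strength", "fatigue life", "crack growth",
           "corrosion", "accidental damage")


@dataclass
class Worksheet:
    """Ratings for one structurally significant item (hypothetical container)."""
    ssi: str
    ratings: dict                                     # factor -> 1..4; unrated factors omitted
    adjustments: dict = field(default_factory=dict)   # factor -> increment

    def adjusted_ratings(self):
        unknown = (set(self.ratings) | set(self.adjustments)) - set(FACTORS)
        if unknown:
            raise ValueError(f"unknown rating factor(s): {sorted(unknown)}")
        adjusted = {}
        for factor, rating in self.ratings.items():
            if rating not in (1, 2, 3, 4):
                raise ValueError(f"{factor}: rating must be 1 to 4, got {rating!r}")
            # Assumption: an adjusted rating cannot exceed the top of the scale.
            adjusted[factor] = min(4, rating + self.adjustments.get(factor, 0))
        return adjusted

    def class_number(self):
        """Return (class number, controlling factors): the lowest adjusted rating."""
        adjusted = self.adjusted_ratings()
        if not adjusted:
            raise ValueError(f"SSI {self.ssi}: no factor is rated")
        lowest = min(adjusted.values())
        return lowest, [f for f in FACTORS if adjusted.get(f) == lowest]


def initial_interval_hours(class_number):
    """Initial inspection interval, in hours, for a damage-tolerant item."""
    if class_number not in INTERVAL_FRACTION:
        raise ValueError(f"class {class_number}: fraction not stated in the text")
    return int(INTERVAL_FRACTION[class_number] * DESIGN_GOAL_HOURS)


def safe_life_hours(landings):
    """Convert a safe-life limit in landings to operating hours (rounded down)."""
    if landings < 0:
        raise ValueError("landings must be non-negative")
    return int(landings * HOURS_PER_FLIGHT_CYCLE)


# Ratings as given in the text for each item.
SSI_105 = Worksheet("105", dict.fromkeys(FACTORS, 4))
SSI_079 = Worksheet(
    "079",
    {"residual strength": 1, "fatigue life": 2, "crack growth": 1,
     "corrosion": 2, "accidental damage": 4},
    # Both ratings increased by 1 for the external indicators of deterioration.
    adjustments={"fatigue life": 1, "crack growth": 1},
)
SSI_077 = Worksheet("077", {"corrosion": 4, "accidental damage": 4})
CYLINDER = Worksheet("101", {"corrosion": 1, "accidental damage": 4})

if __name__ == "__main__":
    for sheet in (SSI_105, SSI_079, SSI_077):
        cls, controlling = sheet.class_number()
        print(f"SSI {sheet.ssi}: class {cls}, controlled by {', '.join(controlling)}, "
              f"initial interval {initial_interval_hours(cls):,} hours")
    cls, controlling = CYLINDER.class_number()
    print(f"SSI {CYLINDER.ssi}: class {cls}, controlled by {controlling[0]}; "
          f"discard at {safe_life_hours(23_200):,} or {safe_life_hours(46_800):,} hours")
```
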

9.6 STRUCTURAL AGE EXPLORATION

the role of the inspection plan
the fleet-leader concept

In the systems and powerplant divisions the consequences of many
functional failures are economic and do not involve safety. Thus little
attempt is made to predict those reliability characteristics that cannot
be determined until after the equipment enters service. Instead, the
default strategy is employed, and additional tasks are incorporated in
the scheduled-maintenance program only after there is sufficient operating information to assess their economic desirability. In the analysis
of structural items, however, the determination of inspection intervals
for damage-tolerant structure is based on an assessment of the effect of
failures on residual strength, the relationship of fatigue-test results for
individual items to the design goal for the overall structure, crack-propagation
characteristics, and the anticipated rate of corrosion. All
these assessments involve some degree of prediction. The results are
therefore treated very conservatively, not only because they are extrapolations from test data, but also because manufacturing variations,
differences in operating environments, and different loading histories
may lead to wide variations in fatigue life from one airplane to another.
In all cases there will be differences between the manufacturer's
test environment and the environment in which a given fleet of airplanes is actually operated. If different airplanes in the fleet are to be
assigned quite different types of missions or will be operating in different types of environments, it may be advisable to develop a separate
set of inspection intervals for each kind of operation and implement
these tailored programs from the outset. Any initial structure program,
however, merely specifies the start of age exploration for each item to
determine its actual fatigue characteristics. The program includes all
the inspection tasks necessary to protect the structure, but it is the results
of these inspections after the equipment enters service that will determine the intervals to be used during continuing operation.

EXHIBIT 9.20 The number of heavy structural inspections
(overhauls) required to reach the same maximum interval under
different maintenance policies. The figures shown for the Douglas
DC-8 indicate the total number of overhauls performed up to the time
of an interval extension. The very conservative initial interval for this
airplane was extended slowly until a change in maintenance concepts
occurred. The initial interval for the Boeing 747 was established after
this change in concept, and only three heavy inspections were
required to reach a 20,000-hour interval. (United Airlines)
(Axis label: total number of airplanes overhauled.)
Until fairly recently structural inspection programs did not take
into account the explicit role of the inspections themselves in the age-exploration
process. The heavy structural inspections, the work package
that includes all the inspection tasks in the program, were often the
major part of what was called an "airplane overhaul," an unfortunate
term, since it implies that something can be done to restore the structure to like-new condition. Although the repair of damage found during
such inspections will restore the original load-carrying capability, there
is no form of remanufacture that will zero-time the effects of fatigue.
The so-called overhaul, therefore, could have no effect on the operating
age at which fatigue cracks might appear.
Under older policies a fairly large proportion of the fleet was given
a full structural inspection at a low age (1,500 hours in the case of the
Douglas DC-8), the inspection findings were assessed, and the procedure was then repeated at a slightly longer interval. At all times, however, the emphasis was on the time since the last inspection, not on the
total operating age of the airplane. As a result, 117 such inspections
were performed on one fleet of Douglas DC-8's before the overhaul
interval was extended beyond 5,000 hours, and of the 32 overhauls
performed at the 5,000-hour limit, 9 represented the fourth overhaul
and 16 the third overhaul for individual airplanes (see Exhibit 9.20).
The density of inspections performed under this policy varied
from item to item; some items were inspected at every overhaul, some
'at every second cverhaul, and so on. This procedure was explicit recognition of the fact that some items were more significant than others and
that the exposure to deterioration varied from item to item. The concept of sampling is still employed in the age explora,tion ol internal
structural items with a high class number. This and other aspects of
structural age exploration are discussed in detail in Chapter 11.
Since the airplanes in any given fleet will have entered service over
a period of years, the difference in operating age between the oldest and
the youngest airplane may be as much as 30,000 hours. As it became
clear that the oldest members of the fleet were more likely to provide
new information about fatigue damage, inspection emphasis shifted
to what is often termed the fleet-leader concept, concentration of heavy
structural inspections of the airplanes with the highest total time. This
approach not only provides the same amount of information in the
shortest calendar time, but identifies the age at which fatigue damage
is likely to appear before the younger aircraft reach this age limit.
Thus it is possible to perform fleetwide inspections for damage while
it is still in its early stages and also to develop design modifications
that will extend the fatigue life of the structural areas involved. The
result of this change in concept was much more rapid extension of
overhaul intervals and fewer such overhauls performed on aircraft too
young to provide the necessary information.
As the structure ages in service the intervals for many individual
items will be adjusted to ensure that deterioration is found as early as
possible, and some items that are unacceptably short-lived may have
to be modified to increase their fatigue lives. In general, however, the
state of the art is now such that the designer can often establish quite
meaningful predictions of fatigue life, and as these predictions have
been borne out by experience, there has been a tendency to begin age
exploration at increasingly higher ages with each new design.

CHAPTER TEN

THUS FAR we have been concerned with scheduled-maintenance tasks
generated by explicit consideration of failure consequences and the
inherent reliability characteristics of each item. These tasks comprise
the major portion of the total scheduled-maintenance program, but not
all of it. The set of tasks identified by RCM analysis is supplemented by
certain other scheduled tasks which are both so easy to perform and
so obviously cost-effective that they require no major analytic effort.
Five common categories of such additional tasks are zonal-installation
inspections, preflight walkaround inspections, general inspections of
external structure, routine servicing and lubrication, and regular testing
of functions that are used only intermittently by the operating crew.
Zonal inspections, preflight walkarounds, and general inspections
of external structure are not directed at any specific item and hence cannot in themselves be considered RCM tasks. However, they often serve
as a vehicle for specific on-condition or failure-finding tasks. Servicing
and lubrication tasks do in fact fit RCM decision logic, but their benefits are so obvious that the cost of analysis is not worthwhile. In contrast, the testing of infrequently used functions merely takes advantage
of the scheduled-maintenance program to supplement the failure-reporting duties of the operating crew.
Once all the scheduled tasks have been assembled, we must turn
our attention to the problem the maintenance organization faces in
scheduling and controlling the accomplishment of the work. It is possible, of course, to schedule each of the hundreds of different tasks at
the optimum interval for each item. It may even be desirable to do so
if the fleet is very small and the opportunities for scheduled maintenance are very frequent. In most cases, however, it is necessary to group
the tasks into a fairly small number of work packages so that they can
be consolidated at a few maintenance stations and do not interfere with
scheduled use of the equipment. Although this procedure results in
shorter intervals than necessary for a great many individual tasks, the
additional cost is more than offset by the overall increase in efficiency.
There is no single optimum way of packaging tasks, since the overall
cost of the maintenance process depends on such factors as organizational structure, maintenance resources and facilities, and operating
requirements.
This chapter discusses the additional work, beyond RCM analysis,
that is required to complete an initial scheduled-maintenance program.

10.1 OTHER SCHEDULED-MAINTENANCE TASKS

zonal-installation inspections
walkaround inspections
general external inspections
servicing and lubrication tasks
testing of rarely used functions
event-oriented inspections

ZONAL-INSTALLATION INSPECTIONS

Zonal inspections are based on the three-dimensional reference system
required to identify the physical location of any item on an airplane.
The entire airplane is considered to be partitioned into discrete spaces,
or zones, usually bounded by physical features such as floors, bulkheads, and outer skins. The specific zones in each type of airplane are
designated by the manufacturer, usually at the design stage, and are
then carried through to all reference material on maintenance for that
particular design. Exhibit 10.1 shows the zonal reference system used
for the McDonnell F4J and Exhibit 10.2 shows a portion of the Boeing
747 zonal system.
The various assemblies and connecting lines (wiring, hoses, ducting, attach fittings) of the aircraft systems that are in each zone are referred to as zonal installations.
In some cases, such as the cockpit area, the
whole zone is readily accessible. More often, however, a zone must be
entered by some access door in the outer surface so that mechanics can
inspect, repair, or replace the various installations. Consequently zonal
installations are subject not only to the normal wear and tear of use, but
also to accidental damage from the traffic of mechanics and other personnel in the zones. In the interests of prudence, therefore, a separate
zonal inspection program is needed to complement the program of
RCM tasks.

EXHIBIT 10.1 The zone numbering system for the McDonnell F4J.
(McDonnell Aircraft maintenance materials)

Major zones
Radome and radar compartment
Forward fuselage
Upper right wing
Aft fuselage and empennage
Upper left wing
Left intake duct and cavity
Center fuselage
Forward cockpit
Aft cockpit
Left engine
Right engine

Major zones
Nose landing gear
Right intake duct and cavity
Right main landing gear
Lower right wing
Aft fuselage and empennage
Lower left wing
Left main landing gear
Left intake duct and cavity
Center fuselage

EXHIBIT 10.2 The zone numbering system for the Boeing 747.
(Boeing Aircraft maintenance materials)

Major zone locations
Major zone 100    Lower half of fuselage
Major zone 200    Upper half of fuselage
Major zone 400    Power plants and struts
Landing gear and landing gear door

Major zone 200, upper half of fuselage
220    Control cabin and staterooms, sta 220 to sta 720
221    Control cabin, left hand
222    Control cabin, right hand
223    Compartment aft of control cabin, left hand
224    Compartment aft of control cabin, right hand
225    Staterooms, left hand
226    Staterooms, right hand
Although zonal inspections are directed primarily at the installations in each zone, they also include general inspections of those portions of the internal structure that can be seen with the installations in
place. These inspections are relatively nonspecific checks on the security of installed items - to detect loose or missing parts or parts that may
rub against each other - checks for any accidental damage, and a quick
survey for obvious leaks. In some cases the number and location of the
access doors govern the amount of a zone that is inspected. These
inspections do not qualify as on-condition tasks, since they are not
directed at a specific failure mode, except where leaks have been defined as a failure condition for a given item. However, they are very
inexpensive to perform and provide an opportunity to spot early signs
of problems developing in the systems. Thus they are cost-effective if
they result in even a small reduction in repair costs or identify a potential failure at a time that avoids operational consequences.
In current practice the intervals assigned to zonal inspections are
judgmental, although they are based on a general consideration, zone
by zone, of susceptibility and failure consequences. In this case susceptibility refers to the overall vulnerability of the installations within a
zone to damage, loss of security, and leaks (which we can construe as
the probability of failure for the zone), and failure consequences refers
to the ultimate effect of not detecting and correcting the conditions that
could be discovered by a zonal inspection. These effects include the
consequences of a functional failure (even the absence of emergency
equipment in the event of an emergency), a more advanced potential-failure stage, or a multiple failure that might have been avoided by the
inspection.
The interval for some zones may be very short. The cockpit of an
airplane, for example, contains many items of emergency equipment,
and since it is subject to heavy traffic by members of the operating
crew, the cabin crew, and the maintenance crew, these items are all
susceptible to damage. The consequences of not having this equipment
in position and serviceable if it is needed are also very serious. These
considerations lead to intervals as short as 20 hours and never longer
than 200 hours (the usual A-check interval) for zonal inspections of
this area. These inspections are often complemented by additional
inspections that are part of the crew duties. At the other end of the scale,
zones that contain no system installations are inspected at D-check
intervals (20,000 hours or more). These inspections are for the sole purpose of looking at the nonsignificant portions of the internal structure
within these zones.

While the intervals for zonal inspections are based on general
assessments, rather than a comprehensive analysis of specific data, it
is sometimes helpful to rate each zone for susceptibility and consequences and then assign class numbers, much like the rating scheme
used to establish intervals for structurally significant items (see Section
9.2). The considerations in rating a zone for susceptibility to trouble
would include:

- The number and complexity of installed items in the zone

- The susceptibility of individual items to deterioration of one kind
  or another (damage due to corrosion, heat, or vibration, for example, will usually depend on the location of the zone)

- The traffic in the zone that might cause damage, including the
  relative frequency of access for on-condition tasks and the replacement or repair of failed items

As with structural items, a scale of 1 to 4 is used to rate susceptibility and consequences separately for the zone in question:

Susceptibility    Consequences
High              Serious
Moderate          Moderate
Low               Minor
None              None

In this case none means that there are no system installations in the
zone. Such zones are still given a rating, however, since the zonal
inspection program is the vehicle that ensures general inspections of
nonsignificant internal structural items. (Structurally significant items
are covered by the basic structure program, as described in Chapter 9.)
The ratings for both factors are, of necessity, a matter of experience and
judgment. Although consequences are taken into account, the evaluation is a very broad one and is not based on detailed examination of the
reliability characteristics of each item, as is the case in developing a set
of RCM tasks.
The lower of the two ratings is the class number for the zone and
determines the relative frequency of zonal inspections: the lower the
class number, the shorter the inspection interval for that zone. The
intervals themselves depend on further subjective considerations of design characteristics, operating environment, and the flight hours logged
during a given operating period.
The zonal inspection program is usually developed by a separate
working group, and the results must be integrated with the scheduled
tasks developed by the systems and structure groups to eliminate gaps
and overlaps between the two programs.

EXHIBIT 10.3 Diagram for a walkaround check on the Douglas
DC-10, performed before or after each flight. (Douglas Aircraft
maintenance materials)

Check for signs of damage on
1 Nose to wing root
3 Wing trailing edge and wheelwells
4 Aft fuselage
5 Empennage

WALKAROUND INSPECTIONS

Walkaround inspections are general visual inspections performed at
the ground level to detect any obvious external damage. This may be
accidental damage caused by contact with other aircraft, ground equipment, buildings, or debris thrown up from the runway, or it may be
loose fittings or leaks from the various fluid lines. These checks are
performed by the maintenance crew before each departure from a maintenance station and often incorporate simple on-condition tasks, such
as a check of the brake wear indicators and specific checks of the structural areas expected to show external evidence of internal structural
damage. There may also be independent preflight inspections by a
member of the operating crew. In some military operations walkaround
checks are performed both before and after each flight.
Walkaround inspections not only detect failures with minor consequences, but often provide the first indication of an impending engine or structural failure. A simple diagram like that in Exhibit 10.3 is
usually included in the maintenance manual to identify the portions of
the airplane where damage is most likely to be found.

GENERAL EXTERNAL INSPECTIONS

General inspections of the external structure are similar to the inspections performed during walkarounds, except that they include those
portions of the structure that cannot be seen from the ground. Inspection of the vertical tail and the upper surfaces of the wings and fuselage
requires the use of scaffolding that is part of the hangar dock. Consequently these inspections are performed at intervals corresponding to
those of work packages that require hangar facilities.

SERVICING AND LUBRICATION TASKS

The scheduled-maintenance program also includes the periodic servicing and lubrication tasks assigned to various items on the airplane. Servicing includes such tasks as checking fluid reservoirs and pressures
and replenishing or adjusting them as necessary, replacing filters,
adding nitrogen to tires and landing-gear struts, and so on. Each of
these tasks could be generated by RCM analysis (see Section 3.5), and
sometimes they are. More often, however, the tasks are simply scheduled
as recommended by the aircraft, powerplant, or system manufacturer,
since their cost is so low in relation to the obvious benefits that deeper
analysis is not warranted.
All servicing and lubrication tasks tend to involve the replacement of consumables, where it is expected that the need will be time-related. Although such tasks are usually assigned conservatively short
intervals, the tasks themselves are so inexpensive that effort is rarely
spent on age exploration to find the most economical interval.

TESTING OF RARELY USED FUNCTIONS

Much of the scheduled-maintenance program hinges on the fact that
the operating crew will detect and report all evident functional failures.
In some situations, however, an evident function may be utilized infrequently or not used at all during certain deployment of the aircraft. Such
functions are not hidden in the strict sense of the word, since a failure
would be evident during the normal performance of crew duties. Rather,
they are hidden only when they are not being used. Under these circumstances the scheduled-maintenance program is a convenient vehicle for periodic tests to ensure their continued availability.
This continued availability is especially important for multiple-role equipment subject to sudden changes in operational use. One
obvious example is an airplane all of whose scheduled flights fall in the
daylight hours. In this case it is necessary to include tests of the landing
lights, cockpit lights, and other items used for nighttime operation in
the maintenance program, since actual use of these functions by the
operating crew will not constitute an adequate failure-reporting system.
The inverse of this situation - the extension of crew duties to cover
tests of certain hidden-function items - usually applies in any operating
context; hence it is taken into account during RCM analysis (tests by the
operating crew make the failure evident). However, the need for inspection tasks to cover rarely used functions depends on the actual use of
the equipment, and such tasks must ordinarily be added to the program
on an individual basis by each operating organization. Where the airplanes in a fleet are used under different sets of operating conditions,
these tasks may be required for some members of the fleet, but not for
others.

EVENT-ORIENTED INSPECTIONS

There are special inspections that are not scheduled in the ordinary
sense but must be performed after the occurrence of certain unusual
events. Typical examples are hard-landing and rough-air inspections
of the structure and overtemperature and overspeed inspections of
engines. These are all on-condition inspections of the specific significant items which are most likely to be damaged by the unusually
severe loading conditions.

10.2 PACKAGING THE MAINTENANCE WORKLOAD

letter-check intervals
maintenance-package contents

All the task intervals we have discussed so far have been based on the
individual requirements of each item under consideration. The control
of these individual tasks is greatly simplified by grouping the tasks into
work packages that can be applied to the entire aircraft, to an installed
engine, or to a removable assembly. In many cases the study groups
developing each segment of the program will have anticipated the packaging procedure; thus individual tasks may be specified for an interval that corresponds to the preflight walkaround or to the A-check or
D-check interval. In some cases a maximum interval is specified in
hours or flight cycles as well, and the grouping of tasks must ensure that
each task will be performed at some time within this limit.
Generally speaking, the tasks that have the shortest intervals are
servicing tasks and simple inspections such as the walkaround checks,
which do not require specialized training, equipment, or facilities.
Thus the smaller maintenance packages are generally called service
checks. A #1 service check may be a group of tasks that can be performed at every stop at a maintenance station, and a heavier #2 service
check, amounting to 2 or 3 manhours of scheduled work, may be performed during every long layover if the airplane has flown more than
20 hours since the preceding #2 service. The major work packages,
called letter checks, are performed at successively longer intervals (see
Exhibit 4.11 in Chapter 4). Each letter check incorporates all the work
covered by the preceding checks, plus the tasks assigned at that letter-check interval. Thus each one requires an increasing amount of manpower, technical skills, and specialized equipment.

Although the intervals for letter-check packages are customarily
expressed in terms of operating hours, some organizations may prefer
to convert them to calendar time based on average daily use of the
equipment. Packages would then be designed to include tasks to be
performed once a day, once a week, once a month, and so on. Similarly,
the operator of a small fleet - say, two airplanes - may not want to be
faced with a very heavy intermittent workload of two C checks a year,
each requiring an expenditure of perhaps 2,000 manhours. He may
prefer instead to distribute the C-check tasks among the more frequent
checks, with a different group of C-check tasks performed at every A
and B check. It is also possible to work out nightly packages with equalized work content by distributing the A and B packages as well. In this
case, although the workload will be relatively constant, the actual tasks
to be performed will vary greatly from night to night, making control
of their accomplishment more difficult.
Even when the letter-check packages are not broken up in this way,
their content will not necessarily be the same each time they are performed. For example, a task that has a long interval but is not time-consuming may be assigned to one of the more frequent letter checks
but scheduled only for every second or every fourth such check. Conversely, a group of tasks that are especially time-consuming may be
distributed among successive letter checks of the same designation, or
there may be items that are monitored independently and scheduled
for the time of the nearest check regardless of its designation. Consequently the actual tasks performed will often differ greatly for the same
letter check from one visit of the airplane to the next.
Usually the objective in packaging is to consolidate the work into
as few check intervals as possible without unduly compromising the
desired task intervals. Some maintenance organizations attempt to
make the interval for each higher check a multiple of the lower checks.
This has the advantage of simplicity, but the necessity of maintaining
the geometric relationship penalizes workload scheduling. One method
of relating each check to the next higher check is illustrated in Exhibit
10.4. In this case the intervals are arranged to overlap as follows:

- The #2 service check includes a #1 service check and therefore
  zero-times the #1 check.

- The A check includes a #2 service check and zero-times it.

- The B check includes the next A check due and zero-times all the
  A-check tasks performed.

- The C check includes the next B check due and zero-times all the
  B-check tasks performed.

- The D check includes the next C check due and zero-times all the
  C-check tasks performed.

EXHIBIT 10.4 One method of relating letter-check intervals.
Note that the time scale is different for each line, and each check is
scheduled to include the lower-level work package due at that
interval. The C check is a special case; the tasks scheduled for this
interval are split into four different phase-check packages, to be
performed at successive B checks. Thus the equivalent of the first C
check has been completed by the B4 check, and so on. The D check,
scheduled at 20,000 hours, zero-times all phase-check tasks
performed through the B,, check, but not those tasks scheduled
for the D,, check.

[Figure: five timelines, each on its own flight-hours scale: #1/#2 check; #2/A check; A/B check; B/C check (C check accomplished as phase checks); B/C check and D check.]

Alternatively, the C check might be divided into four smaller packages, with one of these packages assigned to each B check. The check
that combines B- and C-check tasks is often called a phase check. Whereas
a full C check would take the airplane out of service for 24 hours, it
may be possible to accomplish a phase check in an elapsed time of 10
or 12 hours. When the C-check tasks are distributed in this way, the
D-check includes the next phase check and zero-times the tasks in that
phase check.
The first step in assembling the tasks for each letter-check package
is to establish the desired letter-check intervals. In an initial program
these intervals, like the task intervals themselves, are highly conservative. The next step is to adjust the intervals for individual tasks to correspond to the closest letter-check interval. Whenever possible, poor
fits should be accommodated by adjusting the task interval upward;
otherwise the task must be scheduled at the next lower check or
multiple of that check. As an example, the initial interval assigned to a
corrosion-control task for the internal fuselage lower skin of the Boeing
747 was 9,000 hours. The inspection is essential to protect the bilge areas
of the plane from corrosion, but this interval would have necessitated a
separate visit to the maintenance base for a single task. Since the interval represented a conservative value in the first place, some flexibility
was considered allowable, and it was decided that the interval could
safely be extended to 11,000 hours, which coincided with a group of
tasks scheduled for a midperiod visit at half the D-check interval.
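The fitting step described above can be written out as a short routine. This is an added example, not code from the book or from United Airlines: it uses the Boeing 747 check limits listed in Exhibit 10.5, and it assumes that a task may be packaged at up to every fifth occurrence of a check and that each task carries an explicit ceiling on how far its interval may be extended (`Slot`, `package_task`, `build_packages` and the sample task names are illustrative).

```python
from dataclasses import dataclass

# Check limits in flight hours as listed for the Boeing 747 in Exhibit 10.5.
CHECK_LIMITS = {"A": 125, "B": 900, "C": 3600, "D": 25000}

# Assumption: a task may ride on every k-th occurrence of a check, k = 1..5
# (the exhibit shows packages such as "every second B check").
MAX_MULTIPLE = 5


@dataclass(frozen=True)
class Slot:
    check: str   # letter of the check the task rides on
    every: int   # performed at every n-th occurrence of that check
    hours: int   # resulting task interval in flight hours


def candidate_slots(limits=CHECK_LIMITS, max_multiple=MAX_MULTIPLE):
    """All (check, multiple) combinations, shortest interval first."""
    slots = [Slot(name, k, k * hours)
             for name, hours in limits.items()
             for k in range(1, max_multiple + 1)]
    return sorted(slots, key=lambda s: (s.hours, s.every))


def package_task(desired, max_allowed, slots=None):
    """Fit one task interval to a check slot.

    desired     -- interval the analysis assigned to the task (flight hours)
    max_allowed -- longest interval judged acceptable for the task
    Returns (slot, adjustment); adjustment is "exact", "extended" or "shortened".
    """
    if max_allowed < desired:
        raise ValueError("max_allowed must be >= desired")
    slots = candidate_slots() if slots is None else slots

    # Preferred: move the interval upward to the closest slot within tolerance.
    upward = [s for s in slots if desired <= s.hours <= max_allowed]
    if upward:
        best = min(upward, key=lambda s: (s.hours, s.every))
        return best, "exact" if best.hours == desired else "extended"

    # Otherwise: fall back to the next lower check or multiple of a check.
    lower = [s for s in slots if s.hours < desired]
    if not lower:
        raise ValueError("no check is frequent enough for this task")
    best = max(lower, key=lambda s: (s.hours, -s.every))
    return best, "shortened"


def build_packages(tasks):
    """Group tasks {name: (desired, max_allowed)} by the slot they were fitted to."""
    packages = {}
    for name, (desired, max_allowed) in tasks.items():
        slot, adjustment = package_task(desired, max_allowed)
        packages.setdefault((slot.check, slot.every), []).append(
            (name, slot.hours, adjustment))
    return packages


# Constructed sample: the first task uses the 9,000-hour interval and the
# 11,000-hour figure from the text as its ceiling; the other names and
# numbers are invented for illustration.
SAMPLE_TASKS = {
    "lower-skin corrosion inspection": (9000, 11000),
    "same task, no extension allowed": (9000, 9000),
    "hypothetical lubrication task": (800, 1000),
    "hypothetical filter check": (125, 125),
}

if __name__ == "__main__":
    for (check, every), items in sorted(build_packages(SAMPLE_TASKS).items()):
        for name, hours, adjustment in items:
            print(f"{check} check x{every} ({hours} h): {name} [{adjustment}]")
```

Under these assumptions the 9,000-hour task rides on every third C check (10,800 hours) when extension is allowed and drops to every second C check (7,200 hours) when it is not; the operator's actual choice described in the text was a judgment about a midperiod visit, which a mechanical rule like this only approximates.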
Exhibit 10.5 shows a partial list of the scheduled tasks included in
each letter check for the Boeing 747. Note that this program employed
phase checks in place of a C-check work package. When phase checks
are used there is no real C check, in the sense of a group of tasks all of
which are to be performed at the same time. It is helpful to refer to a
phantom C check, however, to develop the content of the phase-check
packages, and the tasks of the phantom C check have the desired interval if they are performed at every fourth phase check.
Exhibit 10.6 shows sample tasks from a somewhat different packaging scheme for the McDonnell F4J. This program was designed for a
military context, but it includes several of the packaging features found
in its commercial counterpart. For example, the work package designated
as the maintenance check is actually spread out over six lower-level
phase checks, much like the series of phase checks performed at the
B-check interval on the Boeing 747.
Both the task intervals and the package intervals in an initial program are subject to age exploration. Usually the intervals for individual
tasks are increased by extending the package intervals, as discussed in
Section 4.6. When a maximum interval is identified for a specific task,
the task will either be assigned to a different letter-check package or,
if it is a task that controls the rest of the package, the check interval will
be frozen.

EXHIBIT 10.5 I'.irti.~l I ~ ~ . I ~ I I ~ ~ I I . I I Icc. c~-~~ ~~ t. for


r~~c i~l if~t ist~* ~.111d
base in~inten,1n\cr,t\ the Horilig 747. (United .\i~.li~les)

LINE MF'NTFNANCE

BASE M A l m A N C E

# I SLRWCE After each completed flight, average 4


flight hours

ICHECK Limit 900 flijtht hours

Review flight lop


Perfonn walkamund check
#2 SERV!;E

Every 20 flight h o u n

Perfonn #1 service
Check tires and brake wear indicators
Check constant-speed-drive oil quarriity
Check engine oil auandh
Check exterior lights
Clear deferred flight-log items

A CHECK At overnight layover, limit 125 flight hours

Perform #2 service
Clreck essential and standby power
Check battery, auxiliary power unit
Check cool-gas generator freon level
Check portable fire extinguisher
Check hydraulic-syetem differential-pressure
indicator
Perform general visual inspection of landing gear
Inspect !andinggear shock ~tntts
Check huck-beam bumper padu, main
landing gear
Inspect cockpit zone

Perform next A check due


Check hydraulic-supply fire-shutoff valve
Lubricate main cargo door
Check hydraulic accumulator
Lubricate flap-transmission univenal joint
Lubricate midflap carriage roller
Inspect wing fixed trailing-edge upper panel
Inspect wing trailing-edge flap track
Inspect engine second-stage compnssor b!ades
Test engine and fuel-control trim
Check and service engine main oil screen
BZ check (every second B chcck)

Check magnetic plug, engine main 3 and 4 bearings


Inspect fire-extinguisher pylon support
Inspect body station 2360 pressure bulkhead, aft
side, for corrosion
Check and aervict?magnetic plug, auxiliary
power unit
Test and service battery and charger, inertial
navigation systein
153 check

(every third li check)

Insp~ctcrank, latch, and t o q u e tube, main cntry


dcmr (limit 3,ZW flight hours)

A5 chcck (every fifth A check)

C CNECK Performed as phr- . checks over four successive


B checks, limit 3,600 flight hours

Lubricate landing gear

Perform next B check due

Intensive inspection of outboard leading-ease flap


actuators, attach-fitting links, and bellcranks
Check operation of constanl-speed-drive
underspeed switch and freqeency drift
At 500 flight hours; performed
over six phase checks, or 480 flight hours

MAINTENANCE CHECK

External visual inspection of critical zones


!nternal visual inspection of critical zones
Check hydraulic-system filters; replace as necessary
Service hydraulic system
Inspect control cables for chafing, integrity, and
rigging
Inspect control-system mechanism; clean and
lubricate JS required
Replace air filters on electronic cooling-air system
Test operation of bell-mouth seal system
Test operation of IFR emergency-extend system
Check nose-landing-gear centering system
(strut extended)
Intensive inspection of nose-landing-gear extend
system
Lubricate nose-landing-gear bearing, doors, and
uplocks
Intensive inspection of critical structural items
Lu:lricate tiight controls
In~pectand test operation of boundary-layercontrol valves and systems
Check operation of seal trim system
Intensive inspection of stabilizer actuator, rod, and
actuator fitting
Test operation of canopy jettison system
At 300 days (ranges from 200 to 600 f l i ~ h hours)
t

Remove ejection seat for limited functional test;


check and service (corrosion protection) as
required
DWOT VISIT

Limit 960 flight hours or 42 months

Inspect and samplt- structural items

Remove ejection seat and perform general visual


inspection of cockpit
Repaint aircraft
Inspect control cables
Remove landin8 gear
Replace flight-control bearing
Check component hidden functions
SPECIAL CONLKTlONS

Engine removal, scheduled at 600 fiight hours or


on-condition

Check boundary-layer-control bleed-air check valve


Intensive inspection of engine mounts
Perfonn visual check of engine firewall
Before carrier duty

Check canopy-actuator shear-pin gap


Check operation of canopy emergency jettison
After 75 arrested landings

Perform magnetic-particle inspection of axlelbrakrflange fillets, main landing gear

CHAPTER ELEVEN

AGE EXPLORATION, the process of determining the reliability
characteristics of the equipment under actual operating conditions, begins the
day a new airplane enters service. This process includes monitoring the
condition and performance of each item, analyzing failure data to identify
problems and their consequences, evaluating inspection findings
to adjust task intervals, and determining age-reliability relationships
for various items. Since the decision process that led to the initial
scheduled-maintenance program was based on prior-to-service information,
the program will reflect a number of default decisions. As operating
experience begins to produce real data on each item, the same
decision logic can now be used to respond to unanticipated failures,
assess the desirability of additional tasks, and eliminate the cost of
unnecessary and overintensive maintenance resulting from the use of
default answers.
In the preceding chapters we considered certain aspects of age
exploration as they relate to task intervals and the intensive study of
individual items in the systems, powerplant, and structures divisions.
In a broad sense, however, age exploration encompasses all reliability
information on the aircraft as it ages in service. Thus the heart of an
ongoing maintenance program is the collection and analysis of this
information, either by the engineering organization or by a separate
group.

Change oil, constant-speed drive unit
Replace aircraft battery and auxiliary-power
battery and test thermoswitch
Check external-power receptacles
Inspect cockpit equipment and installations
Check oil quantity and service horizontal-stabilizer-control drive unit
Inspect wing trailing-edge sections
Perform separate operational check of each
flight-control hydraulic system
Treat wheelwell cables, main landing gear, for
corrosion protection (limit 4,000 flight hours)
Inspect floor, main cabin and upper deck
Inspect engine pylons
Inspect rudder-stabilizer hinge-support fitting
Inspect cabin interior

C2 check (every second C check or every eighth B check)

Inspect access door, electronic and air-conditioning
bay
Lubricate torque tube and sprocket, main entry
door
Test heat-override valve, aft cargo compartment
Test electronic-equipment airflow detector
Test autothrottle limit
Lubricate flight-control-surface hinges
Lubricate trailing-edge flap track
Inspect fillet-fairing support structure for corrosion
Inspect lower rudder, upper closing rib

C4 check (every fourth C check)

Inspect tail-cone intercostals

C5 check (every fifth C check)

Clean electronic racks
Service alternate drive motor, wing trailing-edge
flap

Cx check (at nearest C check)

Inspect internal fuselage lower skin for corrosion
and apply LPS oil (12,000 hours start, repeat at
9,000 hours ± 2,000 hours)

D CHECK

Limit 25,000 flight hours

Perform next phase check due
Inspect and sample structural items
Refurbish cabin
Repaint aircraft
Inspect rudder and elevator cables
Test aileron and aileron-trim system (also test all
other flight-control systems)
Test fire-extinguishing system
Inspect all ac power wiring
Check flight-compartment access doors
Inspect cables, fuselage pressurized areas
Inspect spare-engine aft support fitting for
corrosion
Replace and rework landing-gear parts, oxygen
regulators, and other specified items

TURNAROUND Average every 2 flight hours

Clear pilot squawk sheet
Perform walkaround check for damage
Intensive inspection of torque-arm assembly,
nose landing gear
Check fluid quantity, hydraulic reservoirs, and
service as required
Check operation of boundary-layer-control
airflow at one-half and full flaps
Check pressure gage, emergency oxygen
supply

DAILY Every day aircraft is on operational status

Service liquid-oxygen converter (pilot/radar
operator oxygen supply)
Check pressure gages, pneumatic-system
emergency bottles
Check tire condition, nose landing gear
Check struts, nose landing gear and main
landing gear, service as required
Check brake condition, main landing gear
Check pressure gages, hydraulic-system
accumulator
Check visual indicators, personnel emergency
equipment
Check boundary-layer-control bellows and
outer-wing connectors
General visual inspection of lower inboard and
outboard wing surface
General visual inspection of wingfold area
Check engine oil quantity

SPECIAL At 7 days when aircraft is on operational status

Check chemical dryers
Clean water drain holes, lower forward fuselage
Inspect drag chute for damage (if deployed in
last 7 days)
Service constant-speed drive and check for
leaks

At 14 days when aircraft is on operational status

Lubricate aileron, spoiler, flap hinges, speed-brake
hinges, landing gear, and gear doors

At .W flight hours; when due, combine with lower check

Check operation of transducer probe heater
Check angle-of-attack sensor and signal quality to
air-data computer
Check operation of accelerometer

At 75 days when aircraft is on operational status

Intensive inspection of wing rear spar
Intensive inspection of lower torque-box skin
Intensive inspection of aileron-actuator access door
Intensive inspection of canopy sill (underside)
for corrosion
Intensive inspection of upper longeron

PHASE CHECK At 80 flight hours; six checks per 500-hour cycle

Lubricate doors, uplocks, ring, and torque collar,
main landing gear
Lubricate wingfold mechanisms
Lubricate ejection-seat components
Inspect spoiler and aileron control-cylinder rods,
bolts, and nuts
Inspect wing upper and lower skin
Inspect arresting hook
Check operation of refueling shutoff valves

At 160 flight hours (every second phase check)

Intensive inspection of trunnion fitting, nose
landing gear
Intensive inspection of aileron lower-closure skin
Check operation of emergency UHF transmitter/
receiver
Lubricate landing-gear control handle

At 240 flight hours (every third phase check)

Check operation of landing-gear emergency
extension system

types of information systems
the uses of operating information

Although intensive age exploration of individual items plays a direct
role in assessing their maintenance requirements, this is only one of
many sources of reliability information. In the case of airplanes it is
also not the information of most immediate concern. In order to respond
to unanticipated problems, an operating organization must have some
means of identifying those that require first priority. On this basis the
airline industry ranks the various types of reliability data according to
the priority of failure consequences and is generally concerned with
information in the following order:

▶ Failures that could have a direct effect on safety

▶ Failures that have a direct effect on operational capability, either
  by interrupting the flight or by restricting its continuation

▶ The failure modes of units removed as a result of functional failures

▶ The causes of potential failures found as a result of on-condition
  inspections

▶ The general condition of unfailed parts in units that have failed

▶ The general condition of parts in units removed specifically for
  sampling purposes


This order of importance is consistent with the priorities underlying
the RCM distinctions between necessary and economically desirable
scheduled-maintenance tasks.
The data needed to manage the ongoing maintenance program
must usually be extracted from a number of information systems, some
of which were established for purposes quite different from that of
supplying data to maintenance analysis. As a result, it is sometimes a
laborious process to assemble all the information elements needed for
maintenance decisions. Most information systems can be classified
according to three basic characteristics:

▶ Event-oriented systems collect and record data whenever an undesirable
  event occurs. Such systems range from a plan for immediate
  telephone communications between designated executives in the
  event of any failure that involves safety considerations to a system
  for recording unsatisfactory conditions found during scheduled
  inspections.

▶ Monitoring systems summarize data about some aspect of the operation
  during a specified calendar period. The data are extracted
  from event-oriented systems and are summarized in reports such
  as the monthly premature-removal report, the monthly
  delay-and-cancellation report, and so on. These reports are prepared
  regardless of the occurrence of any reportable events; thus they give
  positive information about the absence of problems as well as
  information on any problems that have occurred.

▶ Analysis systems not only collect, summarize, and report data, but
  also give the results of some special analysis of the information.
  This might be an actuarial analysis, a determination of the 20 items
  with the highest premature-removal rates, or some other specific
  analysis.

One of the most important information systems is the airplane
flight log. The primary purpose of this log is to record the operating and
maintenance history of each airplane. Such information as the flight
number, the names of the crew members, fuel on board at takeoff, oil
on board at takeoff, takeoff time, landing time, and observed engine
performance parameters and vibration levels are always recorded. In
addition, any instances of unsatisfactory conditions observed during
the flight are entered on the log sheet to alert the maintenance
organization to the need for corrective maintenance (see Exhibit 11.1). The
maintenance crew also uses the log to record the repairs made as a result
of these reports, to record the performance of scheduled tasks, and by
signing a maintenance release, to certify the airplane's airworthiness.
Copies of recent log sheets are kept in the airplane for review by the
operating crew, and the older sheets are sent to a permanent central file.

EXHIBIT 11.1 Log sheet from an airplane flight log. The flight log
shows any unsatisfactory conditions reported by the operating crew,
as well as the corrective action taken by the maintenance crew.
(United Airlines)


Another event-oriented system is the aircraft maintenance information
system, which keeps track of all the scheduled-maintenance tasks
performed at each line station and the manhours required for each one,
as well as the time spent on corrective work as a result of crew-reported
failures or conditions discovered during performance of the scheduled
tasks. Some of the larger airlines have computerized this system and
enter the log-book failure reports into it as additional data. This allows
a maintenance station to determine what deferred repairs are going to
be necessary for an arriving airplane. However, this real-time on-line
system is still in the early stages of development.
The daily operations report is both a monitoring and an event-oriented
system. Among other things, it provides a brief narrative
description of any unusual flight incident, flight interruption, delayed
departure, or cancelled flight that has occurred during the preceding
24-hour period.
Data associated with premature removals are reported by means of
identification and routing tags, another event-oriented system. A tag
attached to the unit that is removed records the removal information
and information on the replacement unit and then routes the removed
unit back to a maintenance base (see Exhibit 11.2). The tag stays with
the unit throughout the repair process and is then filed for future
reference. When a major assembly, such as an engine or a landing gear,
reaches the shop for rework, additional tags are generated for any
subassembly that is removed and routed to another shop.
Some of the event-oriented systems are complemented by monitoring
systems. For example, data are extracted periodically from the
identification and routing tags to show the premature-removal rates
of significant items. Similarly, data extracted from the daily operations
report for the monthly summary of delays and cancellations identify
the associated failures on a periodic basis.
There are additional information systems designed to ensure that
there will be a record of all adverse findings during every inspection
performed, as well as a record of any corrective work done as a result
of such findings. While this information is available on all items subject
to scheduled tasks, the data may be difficult to retrieve. For this reason
it is common practice to designate certain units as time-extension samples
when an increase in task intervals is being considered and to pay
particular attention to data gathering for these samples.
In many cases it is relatively easy to review the data and decide
whether a change in the scheduled-maintenance program would be
desirable. If it takes a long time to repair a certain type of failure, and
scheduled flights must therefore be cancelled, the economic justification
for a preventive task is apparent - particularly if the failure is one
that occurs frequently. And if no preventive tasks are applicable to
an item, there is no point in adding them, regardless of the operational
consequences of the failures (there may, of course, be a point in
redesigning the item). Sometimes, however, when a functional failure might
or might not have operational consequences, depending on the
circumstances, it may be necessary to retrieve information from a number of
different sources to gain a clear picture of the problem.

EXHIBIT 11.2 An identification and routing tag showing the unit
removed from the airplane, the reason for removal, verification of the
problem, and disposition of the unit. (United Airlines)

EXHIBIT 11.3 Premature-removal "top-twenty" report. This
information, extracted from the monthly premature-removal report,
lists data on the 20 items with the highest premature-removal rates.
Note that this report also shows the number of premature removals
that were verified as functional failures. (United Airlines)

TOP TWENTY PREMATURE REMOVALS

type of aircraft: Boeing 727        period: April-June 1978

rank  maintenance  name                                   no. of     premature-removal  no. of    percent of
      records no.                                         premature  rate (per 1,000    verified  verified
                                                          removals   unit hours)        failures  failures
 1    21392        Control, cabin pressure                    56        3.28              18*        32
 2    43132        Indicator, WX radar                       189        1.85              66*        35
 3    42210        Receiver, VHF navigation                   71        1.68               5*         7
 4    25342        Dispenser, coffee maker                   368        1.59             171*        46
 5    43122        Accessory unit, WX radar                  161        1.58              14*         9
 6    43112        Transmitter/receiver, WX radar            151        1.48              73         48
 7    41701        Indicator, standby attitude (SAI)          13        1.28               4         31
 8    23711        Recorder, cockpit voice                   124        1.22              82         66
 9    41134        Computer, air data                         31        1.14              21         68
10    42252        Receiver, VHF nav/glidescope               22        1.08              10         45
11    31212        Recorder, flight data                     104        1.02              40         38
12    33496        Light, anticollision                       10         .98               5*        50
      33495        - Included with 33496
13    2?113        Channel-pitch control                      26         .96               6         23
14    43511        Transmitter/receiver, radio altimeter      95         .93              23         24
15    23311        Amplifier, public address                  66         .88              12*        18
15    23501        Accessory unit, audio                      15         .88               1*         7
      22305        Controller, pedestal                       64         .86              23*        36
17    41294        Battery box, SAI system                    87         .85              46*        53
18    :l55         Altimeter, electric                        17         .84               3*        18
19    21329        Controller, cabin pressure auto            61         .82              19*        31
20    41193        Computer, air data                         59         .79              16*        27

*Shop data incomplete.

Suppose, for example, that the daily operations report, or perhaps
the monthly summary of delays and cancellations, indicates that failures
of a particular system item are causing a fairly large percentage of
delayed departures. Under these circumstances the maintenance
organization would investigate to see whether these consequences can be
alleviated. The first step is to review the delay-and-cancellation
summaries for the past several months to obtain a broader-based statistic
on the delays. It is then necessary to go back to the daily operations
report to find out the actual length of the delay and the assembly or
assemblies involved in most of the failures.
Once the dimensions of the delay problem have been established,
the next step is to determine whether failures are evident to the
operating crew, and if so, what is being reported in the flight log as evidence
of failure. It is always possible that the definitions of satisfactory
performance are so demanding that the cost is greater than the benefits.
The log sheets may also supply some information on the assemblies
that are failing, but the best source of this information is the aircraft
maintenance information system. This system will show whether
corrective maintenance involves replacing failed units, and if so, the
frequency of replacement and the line-station cost of the work. The
frequency of repairs may be much higher than the frequency of operational
delays; for example, failures on airplanes inbound to overnight layovers
would have no operational consequences.
If the failures do involve the removal of units, the monthly
premature-removal report will provide an overview of the frequency of
premature removals. This report also shows the proportion of premature
removals that are verified failures (see Exhibit 11.3). If there
are numerous unverified failures, better troubleshooting methods are
needed. A check of the present methods requires reference to the
identification and routing tag system, shop records, and engineering records.
A quick analysis of these records will also show whether one or more
dominant failure modes account for a large proportion of the failures.
In either case the shop cost records must be examined to determine the
material and labor costs incurred in repairing failed units.
With this information, together with a figure for the imputed cost
of delays, it is now possible to return to the RCM decision diagram to
examine possible cost-effective tasks. If none can be found, or even if
there are applicable and effective tasks, the desirability of design
changes to improve the inherent reliability of the item should also be
investigated. One supplementary bit of information will help
substantiate the cost effectiveness of a design change - the reduction in spare
replacement units that would result from a lower premature-removal
rate. This information requires a special analysis by the
inventory-planning organization.


A complete analysis of this type has required reference to eight
different information systems (see Exhibit 11.4). In time the use of
integrated data bases will make it easier to assemble the relevant data.
Fortunately, however, not all maintenance decisions require this
complete a study. Indeed, the need for a formal study can often be
determined fairly simply by means of the decision diagram discussed in
Section 4.4.
EXHIBIT 11.4 An example of the information systems that might be
consulted to determine the desirability of introducing a change in the
scheduled-maintenance program.

information needed                             source of data

Identification of system whose                 Daily operations report or monthly
failures may be causing operational            summary of delays and
delays                                         cancellations

Frequency of delay                             Monthly summary of delays
                                               and cancellations

Length of delays                               Daily operations report

                                               Flight-log sheets

Identification of assembly or part             Daily operations report and
causing a large proportion of                  aircraft maintenance information
system failures                                system

Determination of whether repair at             Aircraft maintenance information
line station requires replacement              system
(premature removal) of unit

Frequency of unit replacement                  Aircraft maintenance information
                                               system and monthly
                                               premature-removal report

Cost of corrective maintenance                 Aircraft maintenance information
(labor) at line station                        system

Cost of corrective maintenance                 Shop cost
(labor and materials) at
maintenance base

Identification of failure modes and            Shop records, identification and
failure-mode dominance                         routing tags, special analysis

Desirability of modifying                      RCM analysis
scheduled-maintenance program

Effect of failure rate on spare-unit           Inventory-planning system
requirements

Desirability of design change                  Special analysis
(product improvement)

11.2 TYPICAL TYPES OF ROUTINE ANALYSIS

flight-log monitoring
chronic maintenance problems
analysis of premature-removal
actuarial
effect of an overhaul limit
on age exploration

Many analyses are performed routinely as a part of age exploration.
The engine data recorded in the flight log, for example, are fed into a
computer after each flight and are analyzed on a daily basis. This
computer analysis reduces the observed data to "standard-day" reference
conditions, compares the performance of each engine with that of other
engines on each airplane for a specific flight, and compares each engine
with its prior history. The observed data are weighted so that small
changes in recent information receive more attention than small changes
between recent and older performance, and statistical-significance
tests are used to identify engines whose performance parameters
require further investigation.
This program of flight-log monitoring is useful in detecting minor
variations and trends that would not be apparent to the operating crew.
The process cannot pinpoint the exact cause of the variation, and the
readings can be affected by instrument changes, since each instrument
has different calibration errors. However, flight-log monitoring does
prompt investigations that may lead to engine removals (usually less
than 5 percent of the total premature-removal rate), and on this basis it
might be considered a form of on-condition inspection.
Two other data elements that are monitored by trend analysis are
in-flight engine shutdowns and premature removals. Exhibit 11.5 shows
a typical report generated by a shutdown event and a summary report
of all shutdowns for that type of engine during a given month. Exhibit
11.6 shows long-term trends in shutdown and premature-removal rates
for the same engine. Premature-removal rates are summarized monthly
for all significant items, usually with a supplementary report like that
in Exhibit 11.3, listing the items with the highest removal rates. These
summaries do not identify the failure consequences, but they do show
which items are the least reliable.

EXHIBIT 11.5 Left, a typical in-flight shutdown report showing the
details for that event, and right, a monthly summary of the in-flight
shutdowns for that type of engine. (United Airlines)

EXHIBIT 11.6 Shutdown and premature-removal rates plotted over an
18-month period for the Pratt & Whitney JT3D-3 engine on the
Douglas DC-8. (United Airlines)
[Graph: horizontal axis is calendar time (months)]

Premature-removal data are used not only for actuarial analysis,
but also to help identify chronic maintenance problems, failures that
are deep in a system and are not corrected by replacing the items that
seem to be causing the problem. Removal data are fed into a computer
that retains a certain amount of recent history, usually covering a period
of about a month. New data are compared with the stored history and
an alert is given if an item has more than the expected number of
removals during the period covered. This alert report identifies the
airplanes that have had repeated removals and also notifies the
maintenance organization that special troubleshooting effort is needed to
locate the source of the problem. Other systems for identifying
airplanes with chronic problems use the flight log as a data base. All such
reports are intended to aid in troubleshooting on airplanes with
especially complex systems, but as the use of built-in test equipment (BITE)
becomes more common, they may become unnecessary.
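The two computations described above, the monthly premature-removal ranking of Exhibit 11.3 and the alert for items with more removals than the stored history predicts, can be sketched as follows. This is an added example, not part of the original text or of any United Airlines system; the record numbers, plane numbers, unit hours, history rates and the two-removal repeat threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Removal:
    record_no: str            # maintenance records number of the removed item
    plane_no: str             # airplane the unit was removed from
    verified: Optional[bool]  # shop finding; None means shop data incomplete


def removal_report(removals, unit_hours, top_n=20):
    """Rank items by premature-removal rate per 1,000 unit hours."""
    by_item = defaultdict(list)
    for r in removals:
        by_item[r.record_no].append(r)
    rows = []
    for record_no, events in by_item.items():
        verified = sum(1 for e in events if e.verified is True)
        rows.append({
            "record_no": record_no,
            "removals": len(events),
            "rate": round(1000.0 * len(events) / unit_hours[record_no], 2),
            "verified": verified,
            # Same ratio as Exhibit 11.3: 18 verified of 56 removals is 32 percent.
            "pct_verified": round(100.0 * verified / len(events)),
            "shop_data_incomplete": any(e.verified is None for e in events),
        })
    rows.sort(key=lambda row: (-row["rate"], row["record_no"]))
    rows = rows[:top_n]
    for rank, row in enumerate(rows, start=1):
        row["rank"] = rank
    return rows


def chronic_alerts(removals, unit_hours, history_rate, repeat_threshold=2):
    """Flag items with more removals than the stored history predicts.

    history_rate holds removals per 1,000 unit hours from the retained
    history. The repeat threshold is an assumption of this example.
    """
    counts = Counter(r.record_no for r in removals)
    per_plane = Counter((r.record_no, r.plane_no) for r in removals)
    alerts = {}
    for record_no, observed in counts.items():
        expected = history_rate[record_no] * unit_hours[record_no] / 1000.0
        if observed > expected:
            planes = sorted(plane for (rec, plane), n in per_plane.items()
                            if rec == record_no and n >= repeat_threshold)
            alerts[record_no] = {
                "observed": observed,
                "expected": round(expected, 1),
                "repeat_planes": planes,  # airplanes needing troubleshooting
            }
    return alerts


# Constructed sample data for one reporting period (not from the report).
SAMPLE_UNIT_HOURS = {"A100": 20000, "B200": 50000, "C300": 50000}
SAMPLE_HISTORY_RATE = {"A100": 0.20, "B200": 0.10, "C300": 0.15}
SAMPLE_REMOVALS = [Removal(*spec) for spec in [
    ("A100", "N1", True), ("A100", "N1", False), ("A100", "N1", False),
    ("A100", "N2", True), ("A100", "N3", False), ("A100", "N4", False),
    ("A100", "N5", None), ("A100", "N5", False),
    ("B200", "N1", True), ("B200", "N2", True),
    ("B200", "N3", True), ("B200", "N4", True),
    ("C300", "N2", True), ("C300", "N2", False), ("C300", "N6", True),
    ("C300", "N7", False), ("C300", "N8", True),
]]

if __name__ == "__main__":
    for row in removal_report(SAMPLE_REMOVALS, SAMPLE_UNIT_HOURS):
        print(row)
    print(chronic_alerts(SAMPLE_REMOVALS, SAMPLE_UNIT_HOURS,
                         SAMPLE_HISTORY_RATE))
```

In the sample, item A100 has a low percentage of verified failures together with repeated removals on two airplanes, the pattern the text associates with a need for better troubleshooting.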
From time to time it is desirable to explore the age-reliability
relationship for a particular item to determine whether a scheduled rework
task is applicable. In this case the premature-removal data are
supplemented by other data for the several different analyses that might be
made.* Exhibit 11.7 shows the history of a constant-speed-drive unit
on the Boeing 727 over one calendar quarter. Note that this report
identifies the types of functional failures, as well as the failure modes. Exhibit
11.8 shows the results of an actuarial analysis of this history, and the
curves in Exhibit 11.9 show a summary analysis of data over a period of
several years. The constant-speed drive shows no evidence of a wearout
age, indicating that removal of this item for rework at some arbitrary
operating age will have little effect on its reliability.
*For a detailed discussion of the actuarial techniques employed in these analyses, see
Appendix C.
EXHIBIT 11.7 A history of operating experience over one calendar
quarter with the constant-speed drive on the Boeing 727. The unit
TSO refers to operating age since last shop visit. (United Airlines)

EXHIBIT 11.8 The results of actuarial analysis of the operating
history shown in Exhibit 11.7. Of the total premature removals, some
units were repaired and returned to service and others required
sufficiently extensive work to zero-time their operating ages.
(United Airlines)
[Graphs: horizontal axis is operating age since last overhaul (flight hours)]

At the time the curves in Exhibits 11.8 and 11.9 were developed this
constant-speed drive was subject to an overhaul age limit, although it
was being rapidly extended as a result of actuarial analysis and the
findings from teardown inspections of time-expired units. Evidence
of deterioration will usually be found in serviceable units that are
removed at some specified age limit, but it is generally beyond human
capability to estimate from this early evidence the rate at which the
deterioration will progress. Consequently teardown inspections of
time-expired units rarely provide the information in which we are most
interested. The condition of parts in failed units, however, provides
information on the general deterioration of these units, as well as on
the specific failure modes to which they are subject. Moreover, since
failed units are available for inspection at far more frequent intervals
than would be necessary (or feasible) for a rework age limit, this
information accumulates continuously without the need to remove units
from service at fixed intervals. Exhibit 11.10 shows how high-time
inspection samples become available for age exploration with and
without the imposition of a rework age limit.

EXHIBIT 11.9 The results of actuarial analysis of operating experience
over a five-year period for the constant-speed drive of the Boeing
727. (United Airlines)
[Graph: horizontal axis is calendar time, 1972 to 1977]

Of course, the real criterion of applicability for scheduled rework
is the existence of a well-defined wearout region in the
conditional-probability curve. Thus unless enough failures have occurred to provide
the necessary data for a conditional-probability curve, there is no basis
on which a rework task can be scheduled - nor is there any basis for
determining whether it would be cost-effective even if it proved to be
applicable.
Whereas age exploration to support scheduled rework tasks relies
on statistical analysis, the analyses directed at extension of the initial
intervals in an RCM program are based on the results of the tasks
themselves. Most of the tasks in an initial program are on-condition
inspections, and when they are grouped into the various letter-check
packages, it is with the expectation that the inspection findings on a small
number of airplanes (time-extension samples) will support major
extensions of these work-package intervals. During the period in which
intervals are being extended, engineers and analysts participate in the
inspections of the units designated as time-extension samples and
make their own notes to supplement the information that will become
available from other information systems.

age exploration of systems
age exploration of powerplants
age exploration of structures

The nature of the items in the systems, powerplant, and structures
divisions leads to different patterns in their maintenance requirements,
and hence in the decision paths used to arrive at an initial set of
scheduled tasks. For the same reason, age-exploration activities in each of
the three major divisions tend to focus on different sources of reliability
information. In some cases the study of individual items involves no
specified age limits; in other cases it involves limits that are moved
freely and rapidly on the basis of inspection findings. The essential
factor in all cases is not the existence of an age limit, but knowing the
age of each unit of the item examined.

EXHIBIT 11.10 The effect of an overhaul limit on age exploration.
With a hard-time limit, units that fail shortly before they are due for
scheduled removal are overhauled prematurely. This procedure
zero-times many units, thus reducing the number that survive to the end
of the interval and can be used as inspection samples to support
extension of the current limit. With no fixed removal limit, the
economic reasons for premature overhaul no longer exist, and
inspection of the oldest opportunity samples provided by failures
results in samples at increasing ages instead of a number of samples
all of the same age.
[Graphs: horizontal axis of each panel is calendar time]
AGE EXPLORATION OF SYSTEMS

The systems division consists of a large number of readily replaceable
complex items and their relatively simple fixed connecting lines. Usually
an initial systems program includes few scheduled-maintenance tasks
other than servicing and failure-finding inspections, and there are rarely
defined age-exploration requirements, as in the powerplant and
structure programs. The cost of corrective maintenance is fairly low for most
systems items, and when operating data do indicate that additional
preventive tasks are justified, it is generally because of an unexpectedly
high failure rate that involves operational consequences. In some cases
the failure rate may be high enough to warrant the replacement of
certain components with more reliable ones.
One aspect of operational consequences not discussed thus far is
passenger reaction to failures that would not otherwise affect the
operating capability of the airplane. A case in point is the problem that
developed with toilets on the Boeing 747. The airplane is equipped with
eleven lavatories; hence the system is protected by redundancy. The
toilet units are of the recirculating type, in which the flushing water is
pumped through filters, deodorized, and eventually pumped back to
the unit for reuse. One failure mode is a plugged line or flushing ring,
so that the toilet can no longer be flushed. When this occurs the lavatory
is closed, and the failure is recorded in the flight log for repair when
the airplane reaches its destination. However, with one or more
lavatories closed, a long line forms at the operable units, and passengers
often find the wait uncomfortable. Moreover, one of the failure effects
that was overlooked was the fact that the deodorizing action is
ineffective on an inoperable toilet.
When passenger reaction indicated an extensive problem,
especially during the summer, when each trip has more passengers and
more trips are full, the failure was treated as one that had serious
operational consequences. In this case an on-condition task was added to the
program. A partially plugged line or ring is evidenced by incomplete
flow from the ring. Thus it was possible to check the amount of the bowl
wetted during the flushing operation and treat units with incompletely
wetted bowls as potential failures (see Exhibit 11.11). This task was
scheduled, of course, to coincide with inspections for other problems.
Since the reliability of systems items on the whole tends to be low,
the principal age-exploration tool in the systems division is actuarial
analysis of failure data. Ordinarily the conditional probability of failure
for a complex item is not expected to vary much with operating age.
However, a newly designed system will sometimes show a dominant

[Card header fields: plane no., skill, crew, COA no., zone, phase, job no., cost class no.]

09 Clear flush-ring fluid outlet in bowl of residue and check flushing action.
Caution: Do not operate toilet flush pump if waste tank is empty.
A With a long-handled brush and system flushing fluid, remove all residue from the flush-ring fluid outlets in bowl of toilets listed:
  1 Lav U1
  2 Lav B
  3 Lav C
B Check toilet flushing action of each toilet listed below, as follows:
  1 Push flush button and allow completion of one full cycle; wait 30 seconds (minimum) before test cycle.
  2 Push button for test cycle. The cycle should start immediately and continue for 12 plus or minus 3 seconds. There must be a vigorous flushing action in the bowl and the inside of the bowl shall be completely wetted. Make a writeup to correct inadequate flush action.

EXHIBIT 11.11 The job instruction card for a task added to the
Boeing 747 maintenance program to prevent operational consequences.
(United Airlines)

failure mode that is both age-related and expensive enough to make an
age-limit task desirable. Exhibit 11.12 shows a conditional-probability
curve derived from operating experience with the engine-driven generator of the Boeing 727. There is little change in the failure rate until
about 2,000 hours, when the bearing starts to fail; thereafter the conditional probability of failure increases with age as this failure mode
becomes more dominant. The survival curve in Exhibit 11.12 shows the
probability that a generator will not suffer a bearing failure.

[Figure: conditional-probability and survival curves, each plotted against operating age since last bearing replacement (flight hours)]

EXHIBIT 11.12 The results of actuarial analysis of operating
experience with the engine-driven generator of the Boeing 727. The
data represent a total of 1,3111,269 unit hours from January 1, 1970 to
January 31, 1971. (United Airlines)

Bearing failures cause such extensive damage to a generator that
the entire generator must be scrapped and replaced with a new one,
at a cost of about $2,500. The bearing itself costs only $50. In this case a
cost analysis showed that it would be desirable to assign an economic-life
discard task to the bearing at an interval of 4,000 hours. Such a task
could also be viewed as a scheduled rework task for the generator, with
the rework specification including discard and replacement of the
bearing.
The generator and bus-tie relay on the Douglas DC-8 was assigned
a scheduled rework task for a different reason. The relay is a complex
mechanical item in the first type of aircraft to have three-phase 400-cycle
ac power systems. Its basic functions are to convey the power from each
generator to its own load bus and to convey ground power to the individual load buses. A failure of either of these functions will be reported
by the operating crew and will result in removal of the faulty relay for
repair. The relay also has a number of secondary functions, some of
which are hidden. However, the maintenance program for this aircraft
predated the use of RCM techniques, and at that time no recognition
was given to hidden functions.
When older units began coming into the shop for repair, many of
the hidden functions were found to be in a failed state; in addition, many
of the parts were so worn that the units could no longer be repaired. On
this basis the relay was assigned a rework task: scheduled removal at a
maximum age limit of 14,000 hours for shop disassembly to the extent
necessary for repair. This task was intended primarily to protect the
important hidden functions, but the saving in repairable units in this
case more than offset the expense of scheduled removals.
Although unanticipated failures in the systems division rarely involve safety, some failures do have serious enough consequences to be
treated as if they were critical. One such case was a failure of the landing-gear actuator endcap on the Douglas DC-10, discussed in Section 7.3.
The endcap was designed to have a fatigue life longer than the expected
service life of the airplane, and since corrosion was not expected to be
a problem with this item, the only task assigned in the initial program
was an on-condition inspection of the cap whenever the actuator was in
the shop for repair. A check for internal hydraulic leaks had also been
discussed, but it was considered unnecessary for this type of actuator.
Unfortunately this actuator is not removed as part of the landing gear,
and it has a very low failure rate. Consequently no opportunity inspections had been performed.
The endcap actually experienced two failures in the industry, each
with different airlines. These failures originated in the exposed internal
portion of the endcap, where an O-ring is used to seal in the hydraulic
fluid. The original design and assembly techniques had allowed moisture to accumulate between the cap and body of the actuator on the air
side of the O-ring, causing pitting corrosion. When the endcap separates
from the actuator, all the hydraulic fluid is lost from the number 3
hydraulic system, and the landing gear cannot be retracted. If this failure
occurred during flight, the gear in the failed position would rest on the
doors, and when the pilot extended the landing gear, all three gears
would simply free-fall to the down and locked position. However, if the
gear doors were also to fail, the failed gear would free-fall through the
opening, and in the extreme case at high speed, the door could separate
and fall to the ground. This multiple failure would be considered critical.
While neither of the two endcap failures in themselves were classified as critical, the action taken was similar to that for an unanticipated
critical failure. First, a safe-life limit was established for the endcap and
a modified part with greater fatigue life was designed. This modified
cap is being installed at or before the existing caps reach the present
life limit. Second, all actuators are being removed and sent to the shop
for upgrading as fast as they can be handled. Each actuator is disassembled, the endcap is replaced with the new part, corrosion on other
parts of the actuator is removed, and improved corrosion-protection
materials are applied on reassembly. This procedure consists of applying
fluid-resistant primer to the threads of both the endcap and the barrel,
renewing the cadmium plating and painting, assembling the actuator
with grease on all threads, and applying corrosion-inhibiting sealant
on the last thread at all threaded joints. When all the shorter-life parts
are removed from service and all the actuators have been assembled
with this new procedure, it is expected that the problem will be resolved.
Failure data are also the basis for adjusting task intervals for hidden
functions in systems items. Many of the failure-finding tasks are based
on opportunity samples, tests or inspections of hidden functions on
units sent to the shop for other repairs. The results of these inspections
are recorded and analyzed to find the inspection interval that will provide the required level of availability at the lowest inspection cost.
The units tested in the shop are considered to be a random sampling of
the units in the operating fleet. Thus the percentage of failures found
in the shop tests can be taken as the percentage of failures that would be
found throughout the fleet. Failure-finding inspections of items installed on the airplane are performed at scheduled intervals. In this case
the percentage of failures found will represent approximately twice
the percentage expected in the entire fleet, because the inspection
occurs at the end of the assigned interval, rather than at random times
since the preceding inspection.
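The factor of two described above, and the search for the longest interval that still gives a required availability, can be worked through numerically. This is an added example, not code from the book or from United Airlines; it assumes hidden failures occur at a constant rate and that shop samples arrive at a uniformly random point in the current check interval, and all function names and sample numbers are constructed for illustration.

```python
"""Failure-finding inspections: share of hidden failures found, and the
interval that meets a required availability.

Assumption of this example (not a formula given in the book): hidden
failures occur at a constant rate, so the time to failure since the last
check is exponential with mean `mtbf_hours`.
"""
import math
import random


def found_at_interval_end(interval_hours, mtbf_hours):
    """Expected share of units found failed when each unit is checked at the
    end of its assigned interval (scheduled check on the airplane)."""
    return -math.expm1(-interval_hours / mtbf_hours)


def found_at_random_time(interval_hours, mtbf_hours):
    """Expected share found failed when units are checked at a random point
    in the interval (opportunity sample in the shop). This equals the average
    share of the fleet whose hidden function is failed at any moment."""
    x = interval_hours / mtbf_hours
    return 1.0 - (-math.expm1(-x)) / x


def _solve_ratio(target_share):
    """Bisection for x = interval / mtbf such that the fleet-average failed
    share equals target_share (the share rises steadily with x)."""
    if not 0.0 < target_share < 0.9:
        raise ValueError("failed share must be between 0 and 0.9")
    lo, hi = 1e-9, 50.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if 1.0 - (-math.expm1(-mid)) / mid < target_share:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def mtbf_from_shop_sample(failed, tested, interval_hours):
    """Estimate mean time between hidden failures from opportunity samples:
    `failed` of `tested` units were found failed while the item was on a
    check interval of `interval_hours`."""
    return interval_hours / _solve_ratio(failed / tested)


def longest_interval(required_availability, mtbf_hours):
    """Longest check interval (fewest inspections) whose fleet-average
    availability of the hidden function still meets the requirement."""
    return mtbf_hours * _solve_ratio(1.0 - required_availability)


def simulate(interval_hours, mtbf_hours, units=100_000, seed=1):
    """Monte Carlo cross-check of the two closed-form shares."""
    rng = random.Random(seed)
    end_hits = shop_hits = 0
    for _ in range(units):
        life = rng.expovariate(1.0 / mtbf_hours)  # hours until hidden failure
        if life < interval_hours:
            end_hits += 1                          # found at scheduled check
        if life < rng.uniform(0.0, interval_hours):
            shop_hits += 1                         # found at a random shop visit
    return end_hits / units, shop_hits / units


if __name__ == "__main__":
    # Constructed sample: 12 of 480 shop-tested units had the hidden function
    # failed while the item was on a 500-hour check interval.
    mtbf = mtbf_from_shop_sample(12, 480, 500.0)
    print(f"estimated MTBF: {mtbf:,.0f} h")
    print(f"share found at end-of-interval checks: "
          f"{found_at_interval_end(500.0, mtbf):.3%}")
    print(f"share found in shop samples:           "
          f"{found_at_random_time(500.0, mtbf):.3%}")
    print(f"longest interval for 99% availability: "
          f"{longest_interval(0.99, mtbf):,.0f} h")
```

The ratio of the two shares approaches 2 as the interval becomes short relative to the mean time between failures, which is why the text says "approximately twice".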
AGE EXPLORATION OF POWERPLANT ITEMS


Age exploration is an integral part of any initial powerplant program.
A completely new type of engine, often incorporating new technology,
is usually quite unreliable when it first enters service. During the first
few years of operation premature-removal rates are commonly as high
as 2 per 1,000 engine hours. This high removal rate makes it possible
for the engine repair shop to obtain information not only on the parts
involved in the failure, but on the condition of other parts of the engine
as well.
Most new aircraft engines experience unanticipated failures, some
of which are serious. The first occurrence of any serious engine failure
immediately sets in motion the developmental cycle described in Section 5.2. The cause of the failure is identified, and an on-condition task
is devised to control functional failures until the problem can be resolved

[Figure: plotted by calendar quarters, 1971 through 1973]

EXHIBIT 11.13 History of the C-sump problem in the General Electric
CF6-6 engine on the Douglas DC-10. The on-condition task instituted
to control this problem had to be reduced to 30-cycle intervals in order
to prevent all functional failures. The precise cause of this failure
was never pinpointed; however, both the inspection task and the
redesigned part covered both possibilities. Once modification
of all in-service engines was complete no further potential
failures were found, and the inspection requirement was
eventually eliminated.

at the design level. Modified parts are then incorporated in the operating fleet, and when continued inspections have shown that the modification is successful, the special task requirements are terminated.
The General Electric CF-6 engine on the Douglas DC-10 experienced
several such unanticipated failures during early operation. The low-pressure turbine sections separated from the engine, and these separated rear sections fell off the airplane. Investigation determined that
these failures were probably a result of oil fires in the engine case,
caused by seepage due to a pressure imbalance in the oil scavenging
system. However, there was also a possibility that there had been a
structural failure of the C sump, which supports two of the bearings.
Thus on-condition borescope inspections of the C sump were scheduled to search for either cracks in the C sump or oil on its external
surface. The initial interval for this inspection was 125 flight cycles,
but the interval was lowered to 30 cycles after another functional failure occurred (see Exhibit 11.13). Inspections were continued at this
short interval until the engines were modified.

EXHIBIT 11.14 A portion of the opportunity-sampling program
for age exploration of the Pratt & Whitney JT8D-7 engine.
(United Airlines)

[Table columns: section and part name; inspection limit; inspection threshold. Limit and threshold entries as extracted, row alignment lost: Available; Available; Available; Y,5W; Available; 8,600; Available; 21,MM-24,000]

COLD SECTION

No. 2 bearing assembly
    Engine Manual, 72-09-5?
Intermediate case (Cadillac)
    Engine Manual, 72-34 r
Intermediate case (non-Cadillac)
    Engine Manual, 72-34-1
13th-stage bleed MFD
    Engine Manual, 72-72-0
    Heavy maintenance, 72-72-0
8th-stage bleed MFD
    Engine Manual, 72-12-0
    Heavy maintenance, 72-72-0
No. 4½ carbon seal, X728981-600 assemblies only
    Engine Manual, 72-09-13
    Engine Manual, 72-09-10
    Engine Manual, 72-09-20
    Heavy maintenance, 72-53
No. 4½ carbon seal, other part no. assemblies
    Engine Manual, 72-09-13
    Engine Manual, 72-09-10
    Engine Manual, 72-09-20
    Heavy maintenance, 72-53
No. 6 carbon seal
    Engine Manual, 72-09-13
    Engine Manual, 72-09-10
    Engine Manual, 72-09-20
    Heavy maintenance, 72-53
Accessory bearings, front accessory drive
    Engine Manual, 72-09-50
Accessory bearings, gearbox-drive towershaft
    Engine Manual, 72-09-50

Over the course of six or seven years, as failure information is
used to improve the engine, the total premature-removal rate (for both
potential and functional failures) usually drops to 0.3 or less per 1,000
engine hours. There are many noncritical parts in the engine which
are quite reliable, however, and which may not fail at all until much
higher operating ages. The question is whether a rework or discard
age limit will prevent these failures from occurring. Until some unsatisfactory condition appears, there is no information from which to determine an age-reliability relationship. In this case all we can do is
inspect unfailed parts at successive ages until some signs of deterioration appear. While such inspections do not always have on-condition
capability, they are the only source of information on parts that are
performing satisfactorily.
As opportunity samples provide documented information on parts
at increasingly higher ages, the maintenance organization gradually
compiles a list of significant parts, their failure modes if they have
failed, and the age at which full inspection should be started for each
item. This list identifies the part, refers to the section of the maintenance manual in which the task itself is defined, and states the threshold age limits at which the task is to be performed. The schedule shown
in Exhibit 11.14 uses two threshold limits for each engine item. Any
part that falls within these age limits is treated as an opportunity sample if it becomes available for inspection while an engine is being
disassembled for repair. If any engine has a part that has aged beyond
the upper limit, that part must be inspected even if further disassembly
is required for this purpose alone. In either case, the inspection sample
is measured against appropriate standards, and its condition is documented on a special sampling form.
The sampling requirements usually specify that the threshold
limits for each item may be increased after two inspection samples have
been examined and found to be in satisfactory condition, although
engineers will often want to inspect far more than two samples before
authorizing extension of the limits. To ensure that most of the samples
will be opportunity samples, the two threshold limits are set as much as
3,000 hours apart while the inspection intervals are still being extended.
Consequently, when a maximum interval is identified, this "opportunity sampling" will already have removed a great many units before they
reached the upper limit, leaving very few age-limited units in the
fleet. This type of age-exploration program has been quite successful
in extending limits without the need for engine removals solely to
inspect parts.
If the item is one that has experienced functional failures, and an
actuarial analysis has established that a rework or discard task will
improve its reliability, the task is added to the program and the item is
removed from the sampling schedule. In the event of a serious unanticipated failure of a high-time part, the age status of that item will be
reviewed in the entire fleet, and the engines with high-time parts will
be inspected on the wing if this is possible; otherwise such engines
will be removed and sent to the shop for disassembly.
As a result of the continual process of repair and replacement of
failed parts and the incorporation of design modifications, the parts
of any engine that has been in service for some time will be of widely
disparate ages. The overall age identified with an engine is the age of
its nameplate. The nameplate is useful in referring to individual engines, but any engine in an operating fleet may consist of parts older
or younger than its nameplate. For this reason it is necessary to keep
track not just of the age of each engine, but of the ages of all the parts
from which it is assembled.
AGE EXPLORATION OF STRUCTURAL ITEMS

Whereas systems and powerplant items are designed to be interchangeable, there is no simple way of replacing most structural elements.
Repairs and even detailed inspection of internal parts of the structure
involve taking the entire airplane out of service, sometimes for an
extended period. For this reason structural items are designed to survive to much higher ages than systems or powerplant components.
Nevertheless, initial intervals in the structural inspection plan are only

EXHIBIT 11.15 A record of structural-inspection findings and
corrective maintenance as reported during a number 2 A check.
Omitted details include labor time, signoffs by the mechanic and
the inspector, and reference file numbers. (United Airlines)

a fraction of this design life goal, both because of the consequences of
a structural failure and because of the factors that can affect the design
fatigue life in individual airplanes. These include variations in the
manufacturing process, overloads encountered by individual airplanes,
loading spectra that differ from the standards employed by the designer,
environmental conditions causing corrosion, and accidental damage
from foreign objects.
In the structure division the inspection program itself is the vehicle
for age exploration. Thus the initial intervals are intended not only to
find and correct any deterioration that may have occurred, but also to
identify the age at which deterioration first becomes evident for each
structural item. Exhibit 11.15 shows the form in which the findings of
an A-check task are recorded, along with a record of any corrective
action taken. The inspection findings and work performed at line stations are usually monitored by engineers, who log all the relevant findings on those airplanes designated as inspection samples in the form
shown in Exhibit 11.16. With this information there is a good basis in
the ongoing program for revising the age at which inspections of structurally significant items should begin in later-delivery airplanes.
In general the interval to the first inspection in the initial program
is the same as the interval for repeat inspections, and successive inspections are performed on each airplane as it ages to identify the age
at which deterioration first becomes evident. This procedure provides
adequate information if the interval is short in relation to the fatigue-life design goal. Inspection of an item at intervals of 5,000 hours, for
example, will result in documentation of its condition at total ages of
5,000 hours, 10,000 hours, 15,000 hours, and so on. However, if an item
is assigned an initial interval of 20,000 hours, subsequent inspections at
total ages of 40,000 and 60,000 hours would leave great gaps in the flow
of age-condition information. It is therefore necessary to schedule
inspections of several airplanes at intermediate ages to ensure that the
age at which any deterioration begins can be identified within a close
enough range for the information to be useful. The items that are
assigned such long intervals, of course, are those which not only have
very little effect on residual strength, but also have a very low susceptibility to corrosion and other damage.
Because it takes several years for a fleet of airplanes to build up, it
is always hoped that the conservative start-of-inspection intervals in
the initial program will apply only to the first few airplanes to reach
these ages, and that inspection findings will support an increase in the
ages at which the first inspections are performed on subsequent airplanes entering the fleet. This increase is usually accomplished by
"forgiving" the first few inspections in the sequence, rather than by
changing the interval. The information obtained from the inspections

1 On 9/2/71 at 281 hours
    Indications of material flowing out of center waste pump in aft waste tank
    103 rivets popped or loose, RH side of aft pylon fin; % rivets loose, LH side of aft pylon fin

2 On 9/28/71 at 571 hours
    No significant defects recorded

3 On 11/3/71 at 881 hours
    No significant defects recorded

4 On 12/12/71 at 1,166 hours
    No significant defects recorded

5 On 1/24/72 at 1,475 hours
    A couple of writeups that could indicate a chronic condition. Numerous loose rivets on left & right wing tips; also loose rivets on no. 2 engine top aft fairing.

    Repair fuselage damage under captain's window, left side of fuselage; scrape 4 ft long. Removed rivets, bumped out skin to contour, installed 2024T3 tapered shim between skin & frame, reinstalled rivets. To be inspected, sta 330 frame, in approx. 3,000 hr.
    Lower LH leading-edge skin cracked. Installed patches, replaced door.
    Leading-edge doors found loose even though they had previously been taped; one door had broken through tape, was hanging down approx. 3/4 in.
    Aft, center, & fwd cargo door hinges rusted. Cleaned and sprayed with oil.

EXHIBIT 11.16 An example of the inspection findings recorded
for a designated inspection sample of the Douglas DC-10 airplane.
(United Airlines)

is supplemented by data from the manufacturer's continuing fatigue
tests, as well as by inspection information from other operating organizations. Once the first evidence of deterioration does appear, this new
information may indicate that adjustment of the repeat interval itself
would be desirable. When early deterioration appears in a structural
item, low start-of-inspection and repeat intervals must be defined and
maintained until design changes have been incorporated that avoid the
need for such early and frequent inspections.

    Evidence of working rivets above LH overwing entry door at splices, sllZS6 9 '1306 and lon@m3 Y. No action taken.
    M) rivets loose & popped at vert. stabilizer fin above aft engine hot section. Replaced rivets.
    No. 6 axle sleeve has migrated and rotated. Shop repaired.
    Bracket cracked on no. 1 pylon cap m. Replaced bracket.
    Right inboard spoiler upper skin cracked. Replaced spoiler.
    Typical and chronic loose leading-edge plates, popped rivets on wing-tip structure.

    ...

    Possible corrosion source: drain in service center leaks to FPR. Blew out all drain lines, unable to find source of leak.
    Chronic right & left wing leading-edge plates cracked, latches I-, etc.
    Firewall cracked, no. 2 engine, PIT bulkhead fitting loose and bolt missing just aft of aft engine mount. Stop-drilled cracks, installed doubler under bulkhead fitting.

9 On 8/7/72 at 2,968 hours
    Rib flanges cracked and rivets sheared at fwd end of tail fin above aft end of no. 2 engine. 2d, 3d, 4th, & 5th from top on left side and 5th, 6th & 7th on right side, interior. OK to continue to special route for COA.
    Lower leading-edge plate cracked, loose, etc. (typical).
    Lower leading-edge skin area just fwd of center accessory compartment has water. Sucked out water (recorded as possible corrosion source).
    LH no. 2 lead-edge slat retract cable frayed beyond limits (center track at wing leading edge). Replaced cable. Caused by contact.

    ...

In short, the initial structural inspection program defines the starting points for an age-exploration program that will continue throughout
the operating life of the airplane. At first all significant items are
inspected on all airplanes, and as information is obtained, the starting
intervals assigned in the prior-to-service program are lengthened, if
possible, to reduce the inspection workload on the later-delivery airplanes. The major structural inspections, or D checks, usually entail
inspection of all significant items and most nonsignificant ones, and
this may be the only work package that requires inspection of class 4
significant items.
The first D checks are performed on the highest total-time airplanes
of the fleet, the fleet leaders, which are the first airplanes to reach the
end of the starting interval. While the starting interval for this work
package is being extended, the number of major structural inspections
in any one fleet is relatively small. Once a maximum limit is reached,
however, the volume of major inspections increases markedly as individual airplanes age to this fixed limit. At this point it becomes necessary to examine possibilities for reducing maintenance costs which do
not involve interval extension. It is common in the airline industry to
divide the ongoing inspection program into two parts: a 100 percent
program, which consists of those tasks to be performed on every airplane, and a sampling program, consisting of tasks to be performed only
on a specified portion of the fleet.
The two parts of the ongoing inspection program take into account
the wide range in the importance of individual structurally significant
items which is exemplified by the rating process. Class 1 and class 2
items are identified by a joint consideration of the effect of their failure
on residual strength and their susceptibility to deterioration. If either of
these factors is large, that item must remain in the 100 percent program
to minimize the likelihood of a functional failure. The 100 percent program thus ensures the integrity of those structural elements which are
essential to the safety of the airplane.
The concept of damage-tolerant design depends on the existence of
this 100 percent inspection plan to reveal any failed structural member
before the failure of a second member can cause an unacceptable reduction in residual strength. In practice the inspection intervals for such
elements are intended to detect cracks and corrosion at a sufficiently
early stage to prevent the first member from failing. This early detection
of damage also lowers the cost of repairs; however, we do not differentiate between structural integrity and economic considerations in the
100 percent program.
In contrast, the failure of a class 3 or class 4 item, by definition, has
only a small effect on residual strength, and such items also have little
susceptibility to deterioration. Consequently we can permit economic
considerations to play a large role in their scheduled-maintenance
requirements. Detection of deterioration in its early stages will reduce
the cost of repairs, but this saving must be balanced against the cost of
the inspections necessary to find the first evidence of deterioration in
every airplane. A sampling plan is therefore used to determine the age
characteristics of the fleet, with full knowledge that individual uninspected airplanes may require expensive repairs by the time the sample
inspections identify a problem area. Since the issue in this case is not
structural integrity, but the relative cost of repairs, the risk of occasional
high repair costs is acceptable if the result is a marked reduction in
inspection costs. This exposure would not be acceptable, of course, for
class 1 and class 2 items, where a failure would have a marked effect on
residual strength.
A relatively small number of sample inspections may be adequate
for economic purposes. For example, suppose an item has a relatively
short average fatigue life of 60,000 hours. In a sample of 10 airplanes all
of the same total age, the probability of discovering this defect by 50,000
hours is .63, and the same defect would be expected to appear at this
age in 10 percent of the uninspected airplanes.* In practice, however,
the sample inspections are performed on highest-age airplanes, and
when the defect is discovered, its incidence in the lower-age airplanes in the rest of the fleet will be much less than 10 percent. In bygone
years, when a large number of airplanes were to be inspected at a fixed
major-inspection interval, it was common practice to inspect items of
relatively low significance on a fraction of the fleet, say, every fifth
airplane, and this practice was referred to as fractional sampling.
Once the sampling inspections have identified the age at which an
item begins to show signs of deterioration, some action must be taken.
This may be an increase in the number of aircraft sampled, perhaps to
100 percent, or it may be treatment or modification of the affected area
to forestall deterioration in other airplanes. For example, doublers may
be installed on all airplanes, or protective coatings may be applied to
prevent corrosion. As the fleet ages, more and more of the sampling
inspections will revert to 100 percent inspections unless such basic
preventive measures are taken.
As the operating fleet of a specific type of airplane ages in service,
from time to time it is necessary to conduct a thorough review of the
structural maintenance program in light of the information obtained
from operating experience and later manufacturer's tests. In 1976 Douglas Aircraft conducted such a review for the DC-8, and special inspections for 27 items were added to the program for airplanes with ages
greater than 50,000 hours. Similar reviews of its structural designs are
being conducted by Boeing. The British Civil Aviation Authority now
requires a Structural Integrity Audit and Inspection Document:†

5 Structural Integrity Audit and Inspection Document
5.1 The Constructor's Role For each aeroplane type to which this
Notice is applicable the necessary work is that the constructor
should carry out a 'structural integrity audit' in which each
area of the structure for which fail-safe characteristics are
critical is considered, and the acceptable extent, rate of
growth, and detectability of damage is assessed, together
with the probability of damage being present in associated
areas. Based on this Audit, an Inspection Document should
be drawn up and made available to operators.
5.1.1 The Inspection Document should include:
(a) A statement of (or reference to) all the inspections (and
replacements, repairs or modifications) considered by the
constructor to be necessary to ensure that a safe level of
structural strength will be maintained.
(b) For each location, the thresholds (time/flights, to first
inspection) frequencies and type and method of inspections
required and the extent of damage which it is aimed to be
able to find.
(c) Reference to the types of operations for which it is considered valid. Note: Its validity may, of course, be varied by
reissue from time to time.
5.1.2 The Inspection Document would have to be prepared on the
basis of a Structural Integrity Audit (or other process providing similar results) generally acceptable to the Authority,
but would not require approval in detail. Guidance on the
method of carrying out a Structural Integrity Audit and as to
what should be included in the Inspection Document is
given in CAA Information Leaflet, Continuing Integrity of
Transport Aeroplanes.

*M. E. Stone and H. F. Heap, Developing the DC-10 Structural Inspection Program, Seventh
Annual FAA International Maintenance Symposium, Oklahoma City, Okla., December 7-9,
1971.

†Continuing Structural Integrity of Transport Aeroplanes, Civil Aviation Authority, Airworthiness Notice 89, August 23, 1978.

While the manufacturer is formally responsible for conducting these
structural reviews, their value depends on adequate information from
operating organizations.
Quite apart from problems associated with higher ages, there is
always the possibility of an unanticipated failure of a structural item at
more modest ages, just as there is for systems and powerplant items.
One such example was the cracking of the Boeing 747 floor beams as a
result of cyclic loading from cabin pressurization. This problem was
first discovered when increased floor flexibility and loose seats were
reported in an airplane that had accumulated approximately 8,400
pressurization cycles. The discovery led to a Boeing service bulletin,
followed within a week by a U.S. Department of Transportation airworthiness directive, detailing an on-condition inspection program for
the floor beams and specifying a modification of the structure to
eliminate the problem.* The airworthiness directive required that all
airplanes with more than 6,000 landings be inspected within the next
100 landings and that the inspections be repeated within the next 1,200
landings if no cracks were found. If not more than one beam was found
to be cracked, and if the crack in the beam web was less than 3 inches
long, the crack would be stop-drilled and inspected for evidence of
further progression within the next 50 landings, subject to the provision
that the crack be permanently repaired within 1,2?0 landings. If a crack
more than 3 inches long was found, repair was required before further
flight.

*Boeing Service Bulletin 747-53-2176, February 10, 1978, and U.S. Department of Transportation Airworthiness Directive 78-04-04, February 16, 1978.

Note that this directive embodies the concept of a long initial interval followed by short repeat intervals. In this case both of the intervals are firmly established by information derived from actual operating
experience. The continuing age exploration of damage-tolerant structure will lead to the same results. Once the age at which fatigue damage
becomes evident has been identified for each item, there will either
be short inspection intervals starting at this age or else a design modification that extends the fatigue life of the item and makes the inspection task unnecessary.
The decision to modify an airplane structure depends on its remaining technologically useful life. When the airplane is likely to be
outdated soon by new designs, it is usually difficult to justify structural modifications on economic grounds, and it may be necessary to
perform frequent inspections of items that have been identified as
approaching their fatigue lives. In this case there is an increasing likelihood that the detection of a fatigue crack will also take the airplane
out of service for repair, and if the cost of repair cannot be justified, it
may be necessary to retire the airplane. Whenever an active modification policy is not followed, the frequency of repair and the number
of out-of-service incidents will be a direct function of the increasing
age of the airplane.
It is frequently considered axiomatic that all structural inspections
must be intensified when an airplane reaches higher ages. However,
this has not necessarily been the experience with transport aircraft
because of the policy of modifying items as soon as they are identified
as nearing their fatigue lives. Consequently in decisions concerning
fleet retirement the cost of maintaining structural integrity has been
secondary to such factors as fuel consumption, speed, passenger acceptance, and payload/range capability.
When a safe-life structural item reaches its defined life limit there
is usually no alternative to replacing it with a new one. Thus an airplane
designed to safe-life structural criteria must have greater economic
viability than one designed as damage-tolerant structure in order to
justify the more expensive procedures that are required for continued
operation.

11.4 INTERVALS: AN INFORMATION PROBLEM

the role of age exploration
the dynamics of product improvement

The difficulty of establishing "correct" intervals for maintenance tasks
is essentially an information problem, and one that continues throughout the operating life of the equipment. With the techniques of RCM
analysis it is fairly simple to decide what tasks to include in a scheduled-maintenance program, but the decision logic does not cover the
intervals at which these tasks are to be performed. Since rework and
economic-life tasks are developed on the basis of age exploration, the
intervals for these tasks cannot be determined until operating information becomes available. Safe-life intervals, which are based on the
manufacturer's test data, are set prior to service with the expectation
that operating information will never become available. The most effective preventive tool in a maintenance program, however, is on-condition
inspections, and in this case there is just not enough information to
set fixed intervals, even after airplanes are in service and age exploration is under way.
At the time an initial program is developed the available information is usually limited to prior experience with similar items, familiarity with the manufacturer's design practices, and the results of the
developmental and fatigue tests for the new airplane. With this information it is possible to arrive at a rough estimate of the ages at which
signs of deterioration can be expected to appear. However, the initial
intervals are then set at only a fraction of these ages. Indeed, the fraction
may be a very small one, to force intensive age exploration, if the
manufacturer is relatively inexperienced, if the design contains new
materials or processes, or if the airplane is to be operated in an unfamiliar environment. While there is some economic penalty in the use
of such short intervals, the overall impact is small because the intent
is to increase the intervals on the basis of actual operating data as the
new fleet grows in size.
The basic concept underlying on-condition inspections is that the
interval to the first inspection should be long enough for some physical evidence of deterioration to be seen, and the interval for repeat
inspections should be short enough to ensure that any unit that has
reached the potential-failure stage will be removed from service before
a functional failure can occur. In theory, then, it seems that the problem
should merely be one of using age exploration to determine the appropriate intervals for first inspection and repeat inspections of each item,
and that once this is done the intervals can be fixed. However, matters
are not quite that simple.
In most cases, particularly if the remaining service life of the airplane is high, once the potential-failure ages of significant items have
been identified, they will be judged undesirably low. Items will therefore be modified to increase their longevity, and there must be another
age-exploration cycle to determine the intervals appropriate to the
improved item. Consequently any set of initial and repeat intervals may
apply only from the time the original information becomes available
until the time the modified item goes into service. While the dynamics
of this process add to the age-exploration requirements, they also reduce the growth in the maintenance workload associated with short
repeat intervals for more items as the airplane grows older.

11.5 RESOLVING DIFFERENCES OF OPINION

It is inevitable that there will be differences of opinion concerning the
interpretation of operating information and the revisions that should
be made to the scheduled-maintenance program. In most cases these
differences can be resolved by reference to the principles underlying
the development of an RCM program.
One common situation is that of an item initially assigned to no
scheduled maintenance which has experienced a high in-service failure
rate. Although the failure is one that has no safety consequences, the
engineer may assume that all mechanical items have a wearout age and
that the high failure rate is in itself evidence of wearout. On this basis
he might propose that the item be assigned a scheduled rework task
to improve its reliability. The data required for an actuarial analysis
are available in this case, since the failure rate is high; hence we can
gain a fair picture of the item's age-reliability characteristics. If the conditional-probability curve does show an increase with age, then the
failure rate that would result from the imposition of any given age limit
can be computed as described in Chapter 3.
So far there is no difference of opinion. However, scheduled removals will certainly increase the shop workload. The cost of the increased workload must therefore be compared with the saving that
would result from a reduction in the failure rate. If these added costs
outweigh the benefits, the task may be applicable, but it is not cost-effective. Even when the proposed task appears to be cost-effective,
there may be other difficulties. Very often the items that show high
failure rates in service were not expected to do so. Thus the spare-unit
inventory is already inadequate as a result of these unexpected failures, and the same is true of the parts and tools needed for repairs.
Consequently a rework task, although economically desirable on other
grounds, may be impractical, since adding scheduled removals to the
current workload would increase an already serious logistics problem.*
*For a further discussion of this point see Section C.5 in Appendix C.

benefits of a rework task


the need for a safe-life limit


There is usually no difficulty in reaching an agreement if it turns
out that it is not practical to implement a scheduled rework task. Suppose, however, that the conditional-probability curve shows that a rework task is not applicable to the item in question. In this case the
difference of opinion may be more difficult to resolve. The engineer
may want to know why the actuarial curves do not support his intuitive belief that a high failure rate is synonymous with wearout, and an
analyst working with statistical data is often not equipped to explain
why a particular item does not show wearout characteristics. The situation may be further complicated when teardown inspections show the
surviving units to be in poor physical condition. There have been many
instances in which highly qualified inspection teams have judged the
parts of time-expired samples to be in such poor condition that they
could not have survived to a proposed higher age limit. Nevertheless,
when these items were allowed to continue in service with no age
limit, subsequent analysis of their operating histories showed no actual
increase in their failure rates. Under these circumstances the discrepancy
is between two sets of physical facts, and while the difference of opinion
may not be resolved, an understanding of the principles discussed in
Chapters 2 and 3 will at least provide the basis for arriving at a decision.
Occasionally the problem is one that requires reference to the
decision logic itself. The following situation is more complex, and
fortunately far less common. The initial maintenance program for the
Douglas DC-8 called for lubrication of the flight-control elevator bearings at every D check. At this time half the bearings were to be removed
and inspected; those in good condition were then reinstalled and the
others were scrapped. This task specification had remained in the
program without change for many years. During that time there had
been major extensions of the D-check interval, and the interval for
newer planes entering the fleet had reached 17,000 hours. When these
later planes aged to the D-check interval, however, the inspections
showed that many of the bearings were badly corroded. The inner
race was difficult or impossible to turn by hand, and when it could be
turned, some of the bearings felt rough. Obviously the interval between
lubrications had become too long, and it was reduced accordingly to
the C-check interval. But the problem was what to do about the high-time bearings in the rest of the operating fleet. One group insisted that
the situation was critical and that all high-time bearings would have to
be removed from service immediately; this was tantamount to imposing
a safe-life limit on the bearings. Another group felt that such drastic
action was not warranted.
For a clearer picture of the problem let us consider the bearing itself as a significant item. This item is a roller bearing housed in a fitting
attached to the stabilizer. A hinge bolt on the elevator passes through
the bearing to form a control-surface hinge. The function of the bearing
is to reduce friction and wear (and consequent free play) in the rotating
joint. Only two types of failure are important: wear or mechanical damage, resulting in looseness or free play in the bearing, and unacceptable
operating friction, leading to seizure of the inner and outer bearing
races. This latter failure mode is the one of concern.
The designer's description of the control system for this aircraft
states in part:*
Flight control surface hinges and pilot control system rotating joints
were designed to be tolerant of inevitable deterioration and/or
possible failure of bearings. Possible seizure of a bearing's inner
and outer races is compensated for by assuring that the bearing's
function is transferred to the rotating joint's pin or shaft. Friction
would increase considerably in this event, but would
in th *
not I>: , . relative motion between components. Control surface
moments about the hinge line are so great that bearing seizure cannot impede surface travel. Control surface hinges and other rotating
joints that would be adversely affected by bearing free play are
redundant such that deterioration or failure of the bearing in this
mode will not create intolerable levels of looseness or structural
loading of the connection and will not, therefore, affect the airworthiness of the airplane.

If we apply the decision logic to these characteristics, we see immediately that a loss of function in this bearing will not be evident to
the operating crew. When flight tests were conducted on equipment
with high-time bearings, the handling characteristics of the airplane
were normal even though subsequent inspections showed that the
bearings were seriously deteriorated. However, while a bearing failure
has no direct effect on safety, its function is hidden. Therefore a scheduled task for the bearing is required to avoid the risk of a multiple
failure. The first possibility in the hidden-function sequence is an on-condition task, and we find that there is already such a task in the
program. Combined with more frequent lubrication, the scheduled
inspection of the bearings for wear should ensure adequate availability
(although the interval for this task might require adjustment as well).
The conclusion in this case was that the situation was not critical
and there was no need to impose a safe-life limit on the bearing. However, those airplanes with high-time bearings that might already have
been affected by inadequate lubrication were scheduled for bearing
inspection prior to 20,000 hours as a failure-finding task.
*R. V. Frankel, Douglas Aircraft Company, letter to R. M. Casterline, United Airlines,
September 25, 1974.

11.6 PURGING THE PROGRAM

conducting the review
typical findings

One of the most important activities in the management of an ongoing
maintenance program is periodic purging of the entire program, an
organized review of all scheduled tasks to identify those that are no
longer worth continuing. Often the conditions that originally supported
the inclusion of a specific task will have changed, and the task can now
be deleted from the program. Moreover, in a maintenance organization
concerned with complex equipment many different groups will be
responsible for adding tasks to the program, and the additions are
often made without enough attention to the totality of scheduled tasks.
For this reason it is necessary to conduct a formal review every three
to five years to purge the program of all tasks that have become superfluous. The results can be impressive. In such a review of the Boeing 747
program after the airplane had been in service for six years, so many
tasks were eliminated from the phase-check package (a combination
of B and C checks) that the manhours required to accomplish the scheduled work in this package were reduced by 21 percent.
The review should be conducted by a special team, with representatives from each of the organizational groups concerned with the
maintenance program. The people selected must be knowledgeable and
objective and fully prepared to challenge the continued requirement
for any scheduled task. Once the group has been assembled, it will
ordinarily be responsible for developing review standards and procedures, collecting and summarizing data, and assembling review packages consisting of task job cards, a sample of typical inspection findings, and a list of the review procedures. The review packages are
then processed through the various departments involved, including
production (maintenance shops), production planning, reliability analysis, and engineering, after which they are returned to the review team
for resolution of any disagreements. The review team then obtains approval for the changes and repackages the tasks for implementation.
Certain findings are typical in such a review:

Scheduled tasks that do not meet the criteria for applicability and
effectiveness; these can be deleted from the program.

Tasks that originally met these criteria but are no longer effective
because of subsequent modifications to the equipment; these can
be deleted from the program.

The absence of tasks that do meet the criteria; these can be added.

Tasks that are duplicated; the duplication can be eliminated.

Task intervals that are either too long or too short; these intervals
can be adjusted.

Job cards that either do not clearly define the requirements of the
task and the procedures to be followed or do not reflect the intent
of the engineering department; these can be revised.

The final result of the review will be a more effective program, as well as
a less costly one.

CHAPTER TWELVE

the role of scheduled maintenance

THIS CHAPTER is a reprise. It brings together the concepts discussed in
preceding chapters to expand in several areas on the role of scheduled
maintenance. One of these areas is the relationship of safety, reliability,
and scheduled maintenance as it pertains to the modern air-transport
industry. In particular, we will examine the current safety level of transport airplanes, the manner in which this basic safety level is affected by
various types of functional failures, and the proposed requirement that
the likelihood of certain failures not exceed one in a billion flights. We
will also consider the design-maintenance partnership and the type of
relationship necessary both to realize the inherent safety and reliability
of the equipment and to identify the specific design modifications that
will improve it.
In the preceding chapters we have discussed the development and
evolution of RCM programs for new equipment. Because operating data
are already available for in-service fleets, it is a simple matter to extend
RCM analysis to the many types of airplanes that are currently being
supported by maintenance programs developed along other lines. However, the same principles extend to any complex equipment that requires
a maintenance support program. Although older designs may have more
limited capability for on-condition inspections to protect functional
reliability, RCM analysis will pinpoint their specific maintenance requirements, and thus permit the elimination of costly tasks which are
not applicable and effective.

12.1 SAFETY, RELIABILITY, AND SCHEDULED MAINTENANCE

the effect of systems failures
the effect of powerplant failures
the effect of structural failures

As we have seen throughout this volume, the failure process is a phenomenon that cannot be avoided by any form of preventive maintenance.
However, by focusing on this process in each item whose function is
essential to the aircraft, RCM programs ensure that the maximum capabilities of preventive maintenance are used to prevent those functional
failures which impair safety or operating capability. The nature and
extent of the impairment - the consequences of a particular failure - as
well as the feasibility of protecting against it, depend on the design of
the equipment itself. It is possible to design equipment in such a way
that individual failures do not affect operating safety, or else with specific provisions for controlling such failures by scheduled maintenance.
These design characteristics determine the inherent safety level of the
equipment.
There is no really satisfactory analytic determination of the inherent safety level associated with current airworthiness requirements for
transport airplanes. There have been instances in which modern swept-wing jet aircraft have not had the structural or performance capability to
survive the conditions they encountered even when their structures
were intact and all engines were functioning normally. The number of
these accidents is too small to provide meaningful statistics, but in
rough terms we might say the safety level of modern transport aircraft
whose capabilities have not been reduced by any functional failures is
somewhere on the order of
or 1 accident per 10 million flights.
Let us therefore examine the way in which safety levels are reduced by
functional failures and the role of scheduled maintenance in preventing
this reduction.
SYSTEMS FAILURES

A complete loss of certain system functions would have critical consequences for the aircraft; for example, a loss of all electrical power in
weather that requires instrument procedures would clearly jeopardize
the equipment and its occupants. Other system functions, such as
pressurization and air conditioning, are more forgiving; pilots can compensate for the loss by changing the conduct of the flight and, if
necessary, by making an unscheduled landing. In this case the loss of
function affects operational capability, but it is not critical. There are
many other functions whose loss has only minor operational consequences or none at all. However, the designer of an aircraft system can
always ensure that the complete loss of a particular function will be
extremely unlikely simply by replicating the items that provide that
function.
The availability of a system function is usually a go/no-go situation;
either the function is available to the airplane or it is not. When the
source of a function is duplicated the probability of its becoming unavailable during a given flight is very small. If a failure of one source
does occur, the function is still available. Thus, although there may be
many flights during which one source of the function fails, the risk level
associated with any flight is the probability of a joint event - a failure of
one source, followed during the same flight by an independent failure
of the remaining source. After the first failure, however, the overall
exposure per flight hour during the remainder of the flight becomes
considerably higher (see Section 2.4). Consequently the actual risk level
may vary not only during the course of the flight, depending on the
occurrence or nonoccurrence of a first failure, but also from one flight
to another, depending on the duration of the flight. The risk level also
varies, of course, with the inherent reliability of the item and the degree
to which the function in question is essential to the aircraft.
This situation is illustrated in Exhibit 12.1. In a system with two
independent sources, point A represents normal performance when all
the items associated with both sources are serviceable. Functional
performance at the airplane level will still be normal after a failure of
one of these sources, but the risk per flight hour of a complete loss of
function is now much higher during the remainder of the flight. Except
for servicing and lubrication, scheduled maintenance usually can do
very little to reduce the failure frequencies of individual complex items
in the systems division. Failure-finding tasks will ensure the repair of
items that have already failed, but if the failure rate proves unacceptably
high, the only way to improve the reliability of such items is by design
changes. The information derived from operating experience will indicate very clearly the areas in which such action is needed.

EXHIBIT 12.1 The effect on operating safety of functional failures in
the systems division.
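
Added example (not from the book): the joint-event risk described above for a function with two independent sources, worked numerically. The constant failure rate per source and the flight lengths are constructed assumptions chosen only to show how the risk moves with flight duration and after a first failure.

```python
import math

# Constructed values for illustration only; they are not taken from the book.
FAILURE_RATE_PER_HOUR = 1.0e-3          # assumed constant failure rate of each source
FLIGHT_LENGTHS_HOURS = (1.0, 5.0, 10.0)  # assumed flight durations


def p_source_fails(rate, hours):
    """Probability that one source fails within `hours` at a constant rate."""
    # 1 - exp(-rate * hours), written with expm1 to stay accurate for small values
    return -math.expm1(-rate * hours)


def p_complete_loss(rate, flight_hours):
    """Probability that both independent sources fail during one flight
    that departs with both sources serviceable (point A at departure)."""
    return p_source_fails(rate, flight_hours) ** 2


def p_complete_loss_by_sequence(rate, flight_hours, steps=20000):
    """The same probability built up as the joint event in the text:
    a first failure at time t, followed before landing by an independent
    failure of the remaining source. Midpoint-rule integration over t."""
    dt = flight_hours / steps
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * dt
        # density of the first failure among two sources at time t
        first_failure_density = 2.0 * rate * math.exp(-2.0 * rate * t)
        # chance the surviving source also fails in the time left
        second_fails = p_source_fails(rate, flight_hours - t)
        total += first_failure_density * second_fails * dt
    return total


def p_loss_after_first_failure(rate, remaining_hours):
    """Risk for the remainder of the flight once one source has failed (point B)."""
    return p_source_fails(rate, remaining_hours)


def risk_table(rate=FAILURE_RATE_PER_HOUR, flight_lengths=FLIGHT_LENGTHS_HOURS):
    """One row per flight length: whole-flight risk from point A, and the
    risk when the first failure happens at the midpoint of the flight."""
    rows = []
    for hours in flight_lengths:
        whole = p_complete_loss(rate, hours)
        remaining = hours / 2.0
        after = p_loss_after_first_failure(rate, remaining)
        rows.append({
            "flight_hours": hours,
            "p_complete_loss": whole,
            "per_hour_intact": whole / hours,
            "p_loss_after_first_failure": after,
            "per_hour_after_first_failure": after / remaining,
        })
    return rows


if __name__ == "__main__":
    for row in risk_table():
        print("{flight_hours:5.1f} h  whole flight {p_complete_loss:.3e}  "
              "per hour intact {per_hour_intact:.3e}  "
              "per hour after first failure "
              "{per_hour_after_first_failure:.3e}".format(**row))
```

With these assumed figures a tenfold longer flight carries roughly a hundredfold higher chance of losing both sources, and the exposure per hour after a first failure is about a hundred times the average exposure per hour of a ten-hour flight that starts with both sources serviceable.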
POWERPLANT FAILURES

A complete loss of all propulsive power in an aircraft is always critical.
Once again, however, the likelihood of such a loss is made extremely
remote by replication of the basic engine function on multiengine transport airplanes. In some cases this protection is also supported by certain
operating restrictions. For example, the length of overwater flights for
twin-engine airplanes in commercial service is restricted to ensure that
the airplane will not have to fly more than one hour if an engine becomes inoperative. Similarly, transport aircraft operating on transoceanic flights are restricted in weight to ensure that with two engines
inoperative the remaining engines will still provide the specified rate
of climb.
Although the design goal is assurance of adequate power to overcome any conditions that the airplane may encounter, there is still the
remote possibility of extreme turbulence or wind shear that it cannot survive even with all engines operative. When one or more engines are inoperative, even though the remaining engines provide the required
minimum thrust, the airplane's performance capabilities are reduced.
Thus there is an increased risk during the remainder of the flight that
it will encounter conditions that cannot be handled. This risk may vary
during the course of a flight, since it is higher after an engine shutdown
than it is when all engines can develop full power. The safety level may
also vary from flight to flight, since airplanes fly at different weights
below the maximum permissible ones, and airport conditions, en route
terrain, and atmospheric conditions all vary from one flight to another.
The general effect of an in-flight engine shutdown on the level of
operating risk is illustrated in Exhibit 12.2. The performance capability
of the airplane, and hence the risk level, can be measured in terms of
available rate of climb. The risk is lowest when all the engines can generate full power and increases as the airplane has less reserve power to
draw upon. Unlike most systems functions, however, the situation is
not limited to the two cases defined by points A and B. Since an engine
failure is defined as the inability to develop a specified amount of
thrust, there are many functional failures in which power is reduced,
but not entirely lost. Thus the risk level may fall at various points between A and B.
In multiengine aircraft the primary control in maintaining a safe
level of available performance is flight-by-flight control of the operating weight of the airplane. Whenever the actual operating weight
is less than the maximum performance-limited weight, the available
rate of climb is increased accordingly. The effect of this weight reduction
on the risk level is shown in Exhibit 12.2. Scheduled maintenance does
play a secondary role, however, since it reduces the frequency of engine
failures, and hence the frequency with which the risk level approaches
point B. In the case of single-engine aircraft, of course, scheduled maintenance is the primary control, since there is only one source of power
regardless of the operating weight.

EXHIBIT 12.2 The effect on operating safety of functional failures in
the powerplant division. (Figure labels: effect of reduced operating
weight; axis: available rate of climb, percent.)
Scheduled maintenance can accomplish much more for engines than
it can for some of the systems items. Because modern aircraft engines
are designed to facilitate the use of advanced inspection technology,
many parts of the engine can be inspected without removing them from
the airplane. Thus on-condition tasks can be employed to protect individual engines against many types of functional failures, and safe-life
tasks usually prevent the few types of failures that can cause critical
secondary damage. While the inherent level of risk depends on the
degree of engine replication and the design features of individual engines, the overall effect of scheduled maintenance for a multiengine
airplane is, in fact, equivalent to the effect that could be achieved by a
reduction in operating weight.
STRUCTURAL FAILURES

The consequences of a structural failure depend on the design characteristics of the structure, but the functional failure of any major assembly
is usually critical. With the exception of the landing gear, it is rarely
possible to replicate major structural assemblies; hence scheduled
maintenance is the only technique available to control the likelihood of
functional failures. Although it usually includes some safe-life tasks, the
maintenance program consists for the most part of on-condition inspections directed at specific structural sites. It is possible to rely on on-condition tasks, not only because they are applicable in all cases, but also
because most modern aircraft structures are designed to be damage-tolerant - that is, they are designed to ensure that the residual strength
of a structural assembly meets specified standards after the fracture of
an individual element. Although the objective of the inspections is to
prevent the fracture of single elements, the practice of damage-tolerant
design ensures that a structural assembly will still be capable of withstanding the defined damage-tolerant load in the event that a fracture
does occur.
As in the case of the powerplant, there is always the remote possibility that an aircraft structure will encounter loading conditions it
cannot withstand even though there has been no reduction of its
original strength. Again, the risk level can also vary during a single
flight and from one flight to another. If a structural element fractures
in the course of a flight, the residual strength will be slightly lower
during the remainder of the flight. Similarly, since the fractured element
may not be discovered and repaired until the next inspection, the risk
level can vary from flight to flight, depending on whether a fracture has
occurred and the effect on residual strength of the particular element
that fractures. In addition, the operating weights of individual airplanes
may be much less than the required structural limits, and there is a wide
variation - sometimes from one moment to the next - in atmospheric
conditions.

EXHIBIT 12.3 The effect on operating safety of functional failures in
the structure division. (Figure labels: effect of reduced operating
weight.)
Exhibit 12.3 illustrates the general effect that functional failures
(fractures) of individual structural elements have on the risk level associated with damage-tolerant assemblies. The assembly itself will suffer
a critical loss of function if it cannot withstand any load to which the
airplane is exposed. The risk of such an event is lowest when the structure is intact, at point A. The operating weight of the airplane is restricted
to ensure that the structure can withstand certain defined loading conditions in its undamaged state; it must also be able to withstand the
defined damage-tolerant load at the same weight. After a failure occurs,
the risk level increases to point B and remains at this level until the
damage is found and corrected. As in the powerplant division, however,
the actual operating risk can assume any value between A and B, and the
risk under any specific set of conditions is reduced when the operating
weight is less than the maximum permissible structural weight.
The primary control of the safety level for structures, then, is provided by damage-tolerant design practices and the control of operating
weights. The role of scheduled maintenance in this case is to prevent
the fracture of individual elements by detecting fatigue cracks in these
elements soon after they occur. When the program is effective, the
operating risk rarely rises above the level represented by point A. Once
again, the overall effect of scheduled maintenance is equivalent to the
effect that would be achieved by a reduction in operating weight.

12.2 AIR-TRANSPORT SAFETY LEVELS

THE PROBLEM OF RISK EVALUATION

As we have seen, there is a remote but undetermined risk level
associated with an airplane before its resistance to failure is reduced by any of
the forms of impairment to which it is exposed. This inherent level is
increased by functional failures, but the amount of increase depends on
such design features as the replication of essential functions and the
use of multiple load paths in damage-tolerant structures. Scheduled
maintenance merely reduces the frequency with which functional
failures occur, and hence the frequency with which the basic risk levels
are exceeded. Unfortunately, however, we have no precise means of
assessing either the inherent level of risk or the increased risks that do
result from failures.
At first glance the assessment of risks in the systems division might
seem to be a simple matter of computing flight hours and the failure
rates of individual items. The problem is not this straightforward,
however, because the results of these considerations must be modified by a
probability distribution representing the degree to which each function
is essential for the safety of any individual flight. Another important
variable, and one that is least amenable to analytic treatment, is the
ability of the pilot to respond to and compensate for many types of systems failures.
Risk evaluation in the powerplant and structure divisions is even
more difficult. Airplane performance and structural-strength
requirements have slowly increased over the years as a result of the few
accidents that have occurred, until they have become stringent enough to
produce the current safety record. Thus both performance and strength
requirements are based on empirical data associated with the rare-events
end of a probability distribution describing the conditions that airplanes
must be able to withstand. The problem of assessing the basic risk level
for any individual airplane is further complicated by operating weights
which are usually much less than the airworthiness limits and flight
procedures which may differ markedly from those assumed for airworthiness purposes. Consequently, even if the effect of each reduction
in failure resistance could be evaluated satisfactorily, we have no means
of determining the actual level from which the increase should be
measured.

EXHIBIT 12.4 Fatal accident rates for all United States air carriers
over an eleven-year period. The lower curve represents the accidents that
involved a mechanical failure. (Based on National Transport Safety
Board statistics, 1965-1975)


Although accident statistics do not provide enough data to establish
meaningful safety levels, a review of the National Transportation
Safety Board statistics for the eleven-year period of 1965-1975 shows
the general trends plotted in Exhibit 12.4. The data represent all fatal
accidents on domestic and international operations of United States air
carriers (excluding training, ferry, and military flights) over a period
representing approximately 54 million flights. During these eleven
years there was a total of 523 accidents from all causes, both fatal and
nonfatal, and of the 73 fatal accidents, 11 were either caused by or involved a mechanical failure and 54 were landing accidents.
The causes of these 11 accidents were classified as shown in Exhibit
12.5 to identify the ones that scheduled maintenance might have been
able to prevent. Even with the benefit of hindsight, it is unlikely that
additional or more effectively performed maintenance could have
reduced the rate by more than half. The residual accident rate, which
includes some failures of apparently sound structure in extreme
turbulence, appears to be 1 per 10 million flights. Scheduled maintenance
probably never will be prescient enough to prevent the first occurrence
of certain completely unanticipated types of failure, even though
recurrences can be prevented. Thus it will be very difficult to reduce the rate
of such accidents to less than 1 in 10 million flights.

THE DILEMMA OF EXTREME IMPROBABILITY

The current airworthiness regulations for transport airplanes cover many
aspects of aircraft design: structural strength, powerplant
characteristics, airplane performance characteristics, flight-handling qualities,
and systems characteristics. These regulations are directed not only at
reducing the likelihood of various types of failure, but also at mitigating
the consequences of those failures that will inevitably occur. Thus
there are detailed requirements for damage-tolerant structure and for
the residual performance capabilities of the airplane after one (or more
than one) engine has lost power. In addition, there are many
requirements to ensure that the operating crew will be capable of handling the
airplane safely after a failure has occurred. These airworthiness
regulations have resulted in a commendable safety record for transport
aircraft.

EXHIBIT 12.5 Classification of fatal air-carrier accidents involving
mechanical failures.
[Table columns: cause of accident; no. of accidents; preventable by
scheduled maintenance]

The regulations include a certification process to verify that the
design requirements have in fact been met, and it then becomes the
responsibility of the operating organization to maintain the equipment
in such a way that the design characteristics are preserved. The operator
must also ensure that the flight crews are trained in the procedures
necessary to cope with various types of failures. A unique problem is
now being encountered, however, with certain systems whose functions
cannot be duplicated by the human flight crew. This situation introduces
the possibility that at some time a relatively unlikely
sequence of failures, some of them perhaps hidden, might result in the loss of one or
more functions that are essential to operating safety.
The design objective, of course, is to ensure that such critical
failures are extremely improbable, and the FAA has suggested that extremely
improbable be defined as an expected failure rate of no more than 1 per
billion flights (or operating hours, as applicable). Even when an analysis
based on assumed failure rates does indicate that the requirement will
be met, the validity of the assumed rate cannot be determined in the
limited amount of flying done during the certification tests. A further
proposal, therefore, is that the maintenance intervals be reduced if
actual failure rates are higher than those assumed for the calculations. A
reliability-stress analysis based on assumed failure rates may be quite
involved even for a simple system. For example, the Boeing 727
automatic-takeoff thrust control is a nonredundant system whose failure can be
caused by the failure of any one of approximately 100 different items,
some of which have hidden functions. The item considered to be the
least reliable in this system was a fuel-control unit that had an estimated
mean time between failures of 167,000 hours. To meet the
extreme-improbability requirement, however, the availability of this unit would
have to be protected by a failure-finding interval of only 125 hours.*
The question, of course, is whether such intensive maintenance
to meet this probability requirement is necessary or can possibly achieve
the desired result. One in a billion, or 10^-9, is a very, very small number.
There probably have not been a billion airplane flights since the Wright
brothers took to the air. To put it another way, a billion flights
represents 200 years of operation at the current activity level of the United
States air carrier industry. A risk level of 10^-9 is 1 percent of the current
residual accident rate that cannot be reduced by scheduled maintenance,
and it is one-fifth of 1 percent of the current landing-accident rate. On
this basis the proposed requirement seems unrealistic. In fact, it may
even be counterproductive, since it is likely to prevent the development
of systems that would improve safety even though they cannot satisfy
the extreme-probability criterion. The real issue, however, is whether
it is possible to develop an analytic model for evaluating new systems
that is in itself accurate to anything approaching this order of magnitude.
Under the circumstances, although reliability-stress analysis is a
valuable tool for comparing alternative design approaches, its
application to actual operating and maintenance requirements would be
difficult to justify. Further work is clearly necessary to develop a more
viable approach to the problem.

*For a discussion of this analysis see J. J. Treacy, Use of Probability Analysis in Aircraft
Certification and Its Effects on Maintenance and Equipment Maintenance, AIAA Aircraft
Systems and Technology Meeting, Seattle, Wash., August 22-24, 1977.

12.3 THE DESIGN-MAINTENANCE PARTNERSHIP


The interrelationship between design and maintenance is perhaps most
apparent in the case of aircraft. On one hand, the design of the equipment determines its inherent reliability characteristics, including the
consequences of functional failures; on the other hand, scheduled maintenance attempts to preserve all the safety and operating reliability of
which the equipment is capable. Realization of this goal, however,
requires a joint effort which has not always been recognized. Designers
have not always understood the capabilities of scheduled maintenance
and the practical limits on these capabilities. By the same token, maintenance organizations have not always had a clear grasp of the design
goals for the equipment they maintain. The need for a cooperative
effort has always existed, but the comprehensive analysis required by
RCM techniques makes this need far more apparent.
During the development of a prior-to-service program the
identification of significant items and hidden functions depends on the
designer's information on failure effects as well as the operator's
knowledge of their consequences. At this stage the information on anticipated
failure modes and their associated mechanisms must also come from
the designer. While the maintenance members of the study group will
be able to draw on prior experience with similar materials, design
practices, and manufacturing techniques, this information should be
complemented by the designer's advice concerning the ages at which
various forms of deterioration are likely to become evident.
At a more fundamental level, it is important for the designer to
bear in mind some of the practical aspects of scheduled maintenance.
In general, on-condition inspections are the most effective weapon
against functional failures. However, it must be possible to use them,
preferably without removing items from their installed positions on the
airplane. Thus the designer must not only help to identify the items
for which such inspections are applicable, but must also make sure
that there is some means of access to the area to be inspected. An equally
important factor is the use of materials and design features such as
damage tolerance which result in a relatively slow deterioration of
items intended for on-condition inspections.

EXHIBIT 12.6 The design-maintenance partnership.
[Flow diagram in two phases, "Prior to service" and "In service".
Designer's information: failure consequences, failure modes,
age-reliability characteristics (including failure frequency), safe-life
limits, significant items, hidden functions, product improvements.
Prior-to-service steps: identify significant items, identify hidden
functions, identify safe-life items, select applicable and effective
tasks, establish task intervals, develop work packages, initial
maintenance program. In-service steps: measure failure frequencies,
measure failure consequences, measure age-reliability relationships,
add or delete scheduled tasks, adjust task intervals, improve
maintenance program, modify hardware, react to unanticipated failures.
Information flows: information on tests and experience of other
operators; information on operating experience and request for design
changes.]

Once the new airplane goes into service, there will be continuous
refinement and improvement of the basic maintenance program as a
result of age exploration. There will also be unanticipated failures,
some of which require immediate action. In these cases the designer's
help is crucial in developing new interim scheduled tasks that will
control the problem until design changes can be developed and
incorporated in the operating fleet. Both the design and maintenance
organizations must work together to identify the failure mechanism,
because this information is needed for product improvement as well
as to develop the interim tasks. The product-improvement process and
its role in the development of all complex equipment was discussed in
detail in Section 5.5. However, it entails a two-way flow of information:
the operating organization must identify the need for an improvement,
and the manufacturer must advise the operator of the results of his
continuing test programs and the experiences that other users of the
equipment have encountered. The development of airplanes that can be
more effectively maintained and achieve still higher levels of reliability
and safety depends on a continuing close partnership, with both design
and maintenance organizations familiar with and sympathetic to each
other's problems and goals.

12.4 RCM PROGRAMS FOR IN-SERVICE FLEETS


Aircraft have long service lives, and many of the airplanes now in
service are supported by maintenance programs developed on bases
quite different from RCM methods. For the most part these maintenance
programs have evolved to the point of providing adequate protection
of safety and operating capability. It is natural to wonder, however,
about the extent to which an RCM program would reduce maintenance
costs and even improve the reliability of in-service fleets. In nearly all
cases there will be some benefits, although the size of the benefits
will depend on the nature of the existing program. For an airline fleet
maintained by a program based on MSG-2 principles the gains may be
minimal, whereas a fleet supported by a traditional program will show
major savings. The gains will be somewhat attenuated, however, by
the fact that aircraft designed under earlier design philosophies may
have fewer items capable of on-condition inspections and more with
hidden functions.
The areas in which RCM analysis is likely to provide the greatest
economic benefits are in the elimination of tasks that are inapplicable,
particularly scheduled rework (hard-time overhaul) of powerplants and
systems items, increases in task intervals, and a reduction in the number
of items assigned to scheduled-maintenance tasks. Even where all
present tasks do meet the applicability criteria, the analysis will frequently eliminate a large number of unnecessary or overlapping tasks,
thereby providing further economic gains. To ensure that these gains
are realized it is important to reduce the size of the workforce to
correspond to the reduction in the maintenance workload.
When there is already an existing program it is sometimes tempting
to modify it by subjecting the present tasks piecemeal to RCM decision
logic. This practice is not recommended, since there is always a tendency to perpetuate some of the tasks that are not really justified.
Moreover, this approach will certainly overlook the need for new tasks.
The best procedure is to put the old program aside and conduct a pure
RCM analysis for the fleet. After the RCM program has been completed
it should be compared with the old program and corrected for any clear
omissions, and the differences should be evaluated to determine the
benefits the new program will provide.
It is usually most efficient to set up a special task force to conduct
the RCM analysis. The members of this team should be engineers,
reliability analysts, and possibly production or production-planning
personnel who are familiar with the type of airplane involved. The
analysis begins with the identification of the items to be considered
and the development of worksheets to record the data elements and the
decision process. Individual members of the task force are then assigned
to collect the data and complete the worksheets for each item. After each
member has completed the analysis of two or three items, the results
should be reviewed by the whole group. This review is necessary to
ensure a common understanding of the decision logic and to improve
the definitions of functions and failure modes being used. Usually the
review will turn up a number of functions and failure modes that have
been overlooked.
Work should proceed quickly after this first review, with different
members of the task force assigned to the various systems, the powerplant, and the structure. Substantial operating history for an in-service
fleet should provide more than enough data on reliability characteristics
and cost factors to make default answers unnecessary for any of the
proposed tasks. When each major portion of the analysis has been
finished, it is reviewed, any necessary adjustments are made, and all
the scheduled tasks are then consolidated into work packages.
An alternative approach is to have the analysis done by the engineers who are normally responsible for the maintenance standards for
the various items on the airplane. While this method has the advantage
of utilizing the person with the most technical knowledge to analyze
each item, it has the drawback of involving a larger number of people,
with a consequent increase in the work of training and coordination.

SYSTEMS PROGRAMS

The analysis of systems items for an in-service fleet is similar to that
for the initial program of a new type of airplane. The chief difference
is that in this case real data are available on reliability characteristics,
failure consequences, and costs. Although rework tasks are seldom
applicable to systems items, the information is on hand to determine
whether such tasks do meet the applicability criteria, and if so, whether
they are cost-effective. In fact, except for hidden functions and the
rare situation that involves safety consequences, all types of tasks must
meet the condition of cost effectiveness. The same information also
makes it possible to establish optimum task intervals at this stage.
The airlines have applied MSG-2 techniques, the predecessor of
reliability-centered maintenance, to the systems of many types of
in-service fleets with somewhat mixed results. The investigation of such
techniques on the Boeing 727 and 737 and the Douglas DC-8 was part
of the process that led to MSG-1 and MSG-2, and ultimately to RCM
analysis. Consequently, by the time MSG-2 programs were developed
for these aircraft it was found that the anticipated program revisions
for many items had already been accomplished in a rather piecemeal
fashion. Even so, the formal reviews led to significant reductions in
the number of scheduled rework tasks.

EXHIBIT 12.7 Summary of the changes in the Boeing 727 systems
program as a result of MSG-2 review. (United Airlines)

Exhibit 12.7 shows the results of an MSG-2 review of the systems
program for an in-service fleet of Boeing 727's. The differences are not
as dramatic as they would have been if the existing program had not
been undergoing continuous change in this direction as MSG-2 evolved.
Another factor is that many of the rework tasks left in the program
were for highly reliable items that had been assigned very long intervals, such as the major structural inspection interval. These rework
tasks were included not because they met the criteria for applicability
and effectiveness, but simply to provide a means for occasional inspection in the shop. In RCM terminology these tasks would simply be shop
on-condition inspections, although the requirement might be met instead by shop inspection of the older opportunity samples.
As noted in Section 3.5, there are some other differences between
RCM and MSG-2 terminology for the basic types of tasks. The category
now called no scheduled maintenance was termed condition monitoring
under MSG-2. MSG-2 also provided no explicit definition of
failure-finding tasks; hence some of these tasks are included in the on-condition
category and others are included under condition monitoring.

POWERPLANT PROGRAMS

If the existing maintenance program for a turbine engine includes scheduled rework either for the whole engine or for its hot section, RCM
analysis will probably result in major reductions in the maintenance
workload. The review will be far less productive if the present program
is already based on the results of opportunity sampling and age
exploration. The economic benefits may also be somewhat limited in the
case of a single-engine airplane. Although complete overhaul will do
no more to improve reliability than it would if the engine were installed
on a multiengine airplane, there is a natural tendency to specify all
possible tasks on the grounds of safety. (Unlike turbine engines, many
types of piston engines do have age-related wearout characteristics
and thus are more likely to benefit from complete rework.) However,
the safety branch of the decision diagram will also lead to the inclusion
of any task that is even partially effective in reducing the frequency of
loss of thrust; hence a larger number of rework tasks directed at specific
failure modes will probably be included on this basis.
The major benefit in applying RCM decision logic to in-service
powerplants is that it facilitates the identification of significant items,
so that a natural aging process can be established which minimizes
the need for scheduled removals or disassemblies. It is possible that the
existing opportunity-sampling program is adequate for age-exploration
purposes, but if there is any doubt, a new list of significant items can
be developed and compared with the present list. If the lists are the
same, there may be no need for further RCM analysis. If there are
only slight differences, it may still be possible to adjust the sampling
requirements instead of undertaking a complete analysis. Otherwise
an analysis should be completed for a sample of ten or so random
significant items to judge whether further effort will be productive.
The existing maintenance program for the General Electric J-79
engine on the McDonnell F4J was reviewed in 1975 by MSG-2
techniques. The review did not result in a program that was completely
structured by RCM logic, but major cost reductions were achieved
nevertheless by program revisions which greatly reduced the amount
of ineffective scheduled maintenance that was being performed. The
engine overhaul interval was doubled, from 1,200 hours to 2,400 hours,
with a special inspection introduced at 1,200 hours, and a number of
tasks were eliminated from the hot-section inspection performed every
600 hours.
STRUCTURE PROGRAMS

The chief benefit in the review of an existing structure program is
likely to be a more effective application of maintenance resources.
For example, an analysis of the McDonnell F4J structure identified 161
items as structurally significant, in contrast to only 97 in the original
program. Of these 161 items, 141 were scheduled for detailed
inspections, whereas the prior program called for detailed inspection of only
66 items. Some of the additional items were designated as significant
to focus inspections on specific parts of the structure in which failures
would be critical, and others were so designated to ensure the discovery
of early deterioration for economic reasons. It is difficult to assess the
economic impact of these program changes because there were many
adjustments of inspection intervals, a recommendation for a more
dynamic age-exploration program to reduce future costs, and a major
refinement of the zonal inspection program.

12.5 EXPANSION OF RCM APPLICATIONS


The widespread and successful application of RCM principles in the
air-transport industry has important implications for many types of
complex equipment other than aircraft. Rapid-transit systems, fleets
of ships and buses, and even machinery used in complex
manufacturing processes all require scheduled-maintenance programs that will
ensure safe and reliable operation. Many of the current problems
indicate that the relationship between design and maintenance is not clearly
understood. In many instances, however, the operating organizations
themselves have not considered the real capabilities and limitations of
scheduled maintenance and have been frustrated by their inability to
solve the operating problems that are caused by failures.
In most cases the equipment will not be designed to the same
standards as those applied to commercial aircraft. There is usually far
less use of redundancy to protect essential functions, with the result
that any one of a multitude of minor failures can render the equipment
incapable of operation. There is also less instrumentation, so that a
greater number of items are subject to hidden failures, and therefore
to the risk of a multiple failure. Parts that require inspection are often
not accessible or have not been designed to facilitate the detection of
potential failures. Under these circumstances RCM analysis will not
produce a magic solution to all reliability problems. However, it will
identify the maintenance tasks and product improvements that would
alleviate such problems. Meanwhile, it will result in a program that
ensures all the reliability of which the equipment is capable and includes
only the tasks that will accomplish this goal.
In general, any maintenance support program based on RCM
principles has the following objectives:

To ensure realization of the inherent safety and reliability levels
of the equipment

To restore the equipment to these inherent levels when
deterioration occurs

To obtain the information necessary for design improvement of
those items whose inherent reliability proves to be inadequate

To accomplish these goals at a minimum total cost, including
maintenance costs, support costs, and the economic consequences
of operational failures

One obstacle to all these objectives is the tendency to rely on traditional
concepts of scheduled maintenance, especially the belief that scheduled
overhauls are a universally effective weapon against failures. Thus an
organization must recognize and accept the following facts before it is
prepared to implement a detailed RCM program for its equipment:

The design features of the equipment establish the consequences
of any functional failure, as well as the cost of preventing it.

Redundancy is a powerful design tool for preventing complete
losses of function to the equipment.

Scheduled maintenance can prevent or reduce the frequency of
complete losses of function (functional failures), but it cannot
alter their consequences.

Scheduled maintenance can ensure that the inherent reliability of
each item is realized, but it cannot alter the characteristics of the
item.

There is no "right time" for scheduled overhauls that will solve
reliability problems in complex equipment.

On-condition inspections, which make it possible to preempt
functional failures by potential failures, are the most effective tool
of scheduled maintenance.

A scheduled-maintenance program must be dynamic; any
prior-to-service program is based on limited information, and the
operating organization must be prepared to collect and respond to real
data throughout the service life of the equipment.

Product improvement is a normal part of the development cycle
for all new equipment.

Until an operating organization is comfortable with these facts
it may be difficult to proceed confidently with the results of RCM
analysis. There is often concern because hard-time tasks play such a
minor role and so many complex items have no scheduled-maintenance
requirements. In this case an organization may wish to reinforce its
confidence in the new approach by conducting studies similar to those
discussed in Appendix B. The new RCM program will always result in
substantial savings, chiefly through the elimination of unnecessary and
unproductive maintenance effort. More important, however, by directing
both scheduled tasks and intensive age-exploration activities at those
items which are truly significant at the equipment level, such a program
will ultimately result in equipment that provides a degree of reliability
consistent with the state of the art and the capabilities of maintenance
technology.

PART THREE

APPENDIX A

An RCM analysis is conducted by experienced maintenance people, and
their professional expertise is one of their most valuable assets. This
specialized experience has a corresponding penalty, in that it tends to
create certain biases which make objective judgment difficult. The
decision-making process therefore requires an independent review by
someone who is not directly involved in the analysis: an auditor, who
can test the logic of the decision against the prescribed criteria and
procedures and check for any flaws in the reasoning. Although the
auditor's own judgments may not be completely free of bias or error,
the fact that he is independent of the detailed analysis provides him
with a different perspective. Thus the audit serves as a practical tool
for identifying some of the common errors in the use of the decision
logic, and frequently some of the more subtle errors as well.
In the air-transport industry the auditing function is performed by
members of the steering committee, which also has overall responsibility
for the program-development project (see Section 6.2). Thus the auditors
assigned to individual working groups will be aware of the scope of the
project, the overlap of work among the various groups, and the specific
level of effort needed to coordinate their activities. Because the
problems and focus of the analysis will differ from one group to another, it is
difficult to offer any universal guidelines. However, working groups
tend to stray from the objective of developing a set of applicable and
effective scheduled tasks, and it is important for the auditor to be able
to detect this and help keep the project on the track.
In many organizational contexts the work of the steering committee
and the overall management of the project are themselves subject to
audit, to ensure that the work will proceed efficiently and will result in
the intended product. Once the program has been developed and
packaged for implementation, a group within the operating organization
will be responsible for collecting and analyzing the reliability data
needed to assess its effectiveness and evaluate the desirability of new
tasks. The auditing functions in these two areas often require a different
set of skills and experience from those needed to review the detailed
analysis of the equipment. In all cases, however, both the auditor and
the program-development team will require a clear understanding of
the basic concepts outlined in this volume.

A.1 AUDITING THE PROGRAM-DEVELOPMENT PROJECT

The first draft of an RCM program is generally prepared by a special
task force consisting of a steering committee and several working groups.
The project may be organized and managed in several ways, and the
auditor's first concern is whether the organization, staffing, and working
procedures are adequate to carry out the project.
SCOPE OF THE PROJECT
To ensure that the finished maintenance program will be accurate and
complete, both the auditor and all participants in the project must have
a clear understanding of its exact scope. In some cases the project will
encompass certain portions of the equipment, rather than the entire
aircraft. In either case it is important to know whether the program is
to cover all levels of maintenance, from servicing tasks and walkaround
checks to the major-inspection level. It is difficult to design a complete
maintenance program for only a few of the levels of maintenance, even
if the program is for just one portion of the equipment. If the project
does include only portions of the aircraft, there must also be clear
provisions for handling items that interface with the portions that are not
included. Otherwise the resulting confusion will lead almost inevitably
to gaps and overlaps in the total program. The auditor should make sure
he understands the scope of the project and should check periodically
to see that it is not expanding beyond its intended bounds.
DEFINITION OF THE FINAL PRODUCT

The completed scheduled-maintenance program consists of all the
scheduled tasks and their intervals, but the exact form of this program
must also be specified. Both the auditor and the program-development
team must know whether the final product is to be simply a list of the
RCM tasks and intervals, with a brief description for the use of production planners, or whether it is to consist of a complete set of work
packages, like the letter-check packages assembled in airline practice. In
either case, the definition of the final product should specify the level
of task detail and the amount of descriptive material to be included.
Will the procedures writers be able to translate the results of the analysis
into job instructions that accurately reflect the purpose of each task? For
whom is the final report intended? Are detailed explanatory writeups
of the program needed as part of the package? The final product will
have to be checked against these requirements before it is submitted,
and a clear understanding of them at the outset will facilitate the work
of the analyst and auditor alike.
TIMETABLE FOR THE PROJECT

The timetable developed for completion of various aspects of the project
is also subject to audit. Is it realistic in terms of the amount of work to
be accomplished, the number of analysts assigned, and their previous
experience with RCM analysis? Are the milestones at logical points for
adequate control of the schedule - or perhaps overspecified, so that
crucial target dates are likely to suffer? Do they take into account the
fact that analysis of the first few items will proceed much more slowly
as part of the learning process? It is apparent from these questions that
the timetable must be reasonably tight, but also flexible and realistic.
The auditor must accomplish his own work within this timetable. In
most cases progress reviews will be conducted when the overall plan
is drafted, when the program-development team has been organized
and trained, when each working group has agreed on a list of significant
items and analysis of the first few items has been completed, when each
major portion of the program has been completed, and when the final
product has been assembled and is ready for approval. Additional audits
will be needed between these check points to review progress and
clear up any questions or misconceptions in the analysis itself. Where
subsequent work depends on the results of the auditor's review, is the
review timed to ensure that it will not impede other aspects of the
analyst's work?
THE PROGRAM-DEVELOPMENT TEAM

In addition to those factors that relate to the project itself, the auditor
must also consider the organization of the program-development team
and the skills of the people who comprise it. Whereas the analysts will
be working engineers with extensive hardware experience, the task
force should be headed by someone with managerial experience, and
preferably someone who has had experience on similar projects. Is the
manager himself knowledgeable about RCM principles, or is he assisted
by someone who is? Is he in an organizational position that will facilitate completion and implementation of the project? To what extent is
the project supported by top management?
The adequacy of the staffing, the working arrangements among the
team members, and the availability of outside resources all require
careful study. Are there enough people to do the work in the time
allotted-and not too many to work closely as a team? Are the analysts
in each working group experts in the portion of the equipment they will
be analyzing? Are all engineering and reliability disciplines represented
or available for consultation? How is the task force organized? Does
the organization provide for direct interaction among members of the
group, or are there organizational obstacles that may impede communication? Is each analyst responsible for a complete analysis, or are various
aspects of the job (researching information, completing worksheets, etc.)
assigned in a way that makes work difficult to integrate? What arrangements have been made for the analyst to obtain help from outside
resources or more details about the operation and construction of the
equipment? Is the designer available to answer questions about specific
failure modes and effects? Is there someone available to each working
group who has an extensive knowledge of RCM techniques? The auditor
should not only check the availability of these resources, but also determine how frequently they are being used.
STANDARDS AND PROCEDURES

One important function of the steering committee (or manager of the
task force) is to arrange for training of all participants. This includes
general familiarization with the design features of the new equipment,
as well as training in RCM procedures and the standards to be used for
this particular project. If this is a large project, some members will
require more training than others. Has each member of the task force
received adequate training in RCM methods, and is the RCM text available for easy reference? Other standards that apply to the project should
also be available in written form. Does each analyst have a copy of the
cost-tradeoff models to be used, including the costs imputed by this
organization to various types of operational failures? What failure rates
or repair expenses are considered high enough to qualify an item for
analysis? All written standards and procedures should be checked carefully for any ambiguity or lack of clarity. They should also be checked
for any fundamental conflicts with basic RCM concepts.
Each working group will require additional detailed training on the
portion of the equipment to be analyzed. Have all analysts been furnished with written materials, schematics, and full descriptions of the
hardware and its relationship to other aspects of the airplane? Are
reliability data available for similar items, either from developmental
testing or from service experience? Is there access to an actual production
model of the equipment if further questions arise?

A.2 AUDITING THE DECISION PROCESS

THE SELECTION OF ITEMS FOR ANALYSIS

Once the program-development team has been assembled, organized,
and trained, the focus of auditing shifts to the analysis process itself.
Ordinarily this phase of auditing is carried out by a member of the
steering committee, but the chief prerequisite is a clear understanding
of RCM principles. As a preliminary step the working group will screen
out all obviously nonsignificant items and complete descriptive worksheets for those items selected for analysis. Thus the first problem may
be in arriving at a common definition of significant item. There is often
a tendency to identify items as significant on the basis of their cost
and complexity, rather than on the basis of their failure consequences.
It is important that all members of the group understand that failure
consequences refers to the direct impact of a particular loss of function
on the safety and operating capability of the equipment, not to the
number of failure possibilities for the item or the effect of these failures
on the item itself.
Another area that may require clarification is the definition of
operational consequences. If the minimum-equipment list or other
regulations stipulate that the equipment cannot be dispatched with
an item inoperative, the item is always classified initially as one whose
failure will have operational consequences. However, the actual economic impact will vary from one operating context to another and
even from organization to organization, depending on scheduled use
of the equipment, maintenance facilities, the ease of replacing failed
units, and a variety of other considerations. For this reason it is necessary
to have a clear definition of the circumstances that constitute operational
consequences and the relative costs imputed to those consequences
by the organization for which the program is being prepared. Without
this information there is no clear basis for determining whether a given
type of failure would have major economic consequences for this particular organization.
REVIEWING THE INFORMATION WORKSHEETS

Several problems may come to light when the completed worksheet
forms are examined. One of these is the design of the worksheets themselves. Each organization will have its own preferences about forms,
but the worksheets must cover all the points to be considered in the
analysis. Whenever worksheets are redesigned there is always the
danger of overlooking some of the basic elements or introducing "improvements" that reflect misconceptions. In general the forms should
be as simple as possible and still provide an adequate record of the
decision process. The chief criterion is that each task be completely
traceable. At any time, either during or after analysis, it must be possible to start with any function and trace through to the task assigned
to protect it or to backtrack from a given task to examine the reasoning
that led to it. Obvious omissions can often be spotted from an examination of the blank forms, but more subtle difficulties may not come to
light until the first few worksheets are completed.
Another problem - and perhaps the single most important error for
the auditor to detect - is improper definition of the functions of an
item. Is the basic function stated precisely for the level of item in
question? Does it relate directly to some higher-level function that is
essential to operating capability? If not, there may be some confusion
about the level of item under discussion. Have all secondary or characteristic functions been listed, and is each in fact a separate function
from the standpoint of the operating crew or the system as a whole? Does
the list include all hidden functions (again, stated in terms of the system
as a whole)? If there are failure possibilities with no related function,
this is a clue that the functions themselves require further thought.
For example, the basic function of a fuel pump is to pump fuel; however,
if this item is also subject to leaks, one additional function must be to
contain the fuel (be free of leaks).
It is important to bear in mind that the level of item being analyzed
will affect the way the functions are described. At the parts level each
part has a function with respect to the assembly in which it is contained,
but a description of these functions leads to an analysis of failures
only from the standpoint of the assembly, not from the standpoint of the
system or the aircraft as a whole. At too high a level the number of
functions and failure possibilities may be too great for efficient analysis.
One test is to select a few items and try combining them or dividing
them further to see whether this changes the list of functions. If so,
select the level that makes the analysis most efficient but still includes
all the functions that can clearly be visualized from the aircraft level.
The statement of functional failures should be examined carefully
for any confusion between functional failures and failure modes. This
statement must describe the condition defined as a functional failure
(a loss of the stated function), not the manner in which this failure
occurs. There is often a tendency to describe a failure such as external
leaks as "leaking oil seal," with the result that other failure modes that
lead to external leaks may be overlooked, or else erroneously attributed
to some other function. This problem is often a source of the difficulty
in defining the item's functions. The statement describing the loss of a
hidden function requires particular care to ensure that it does not refer
to a multiple failure. For example, if the function of a check valve is to
prevent backflow in case of a duct failure, the functional failure in this
case is not backflow, but no protection against backflow. Errors in this
area can be quite subtle and difficult to spot, but they frequently lead
to confusion about the failure consequences.
The identification of failure modes is another problem area. Do the
worksheets list failure modes that have never actually occurred? Are
the failure modes reasonable in light of experience with similar equipment? Have any important failure modes been overlooked? In this area
the auditor will have to rely on his own general engineering background
to identify points on which further consultation with the designer or
other specialists is advisable. One problem to watch for is superficiality - failure modes that are not the basic cause of the failure. Another is
the tendency to list all possible failure modes, regardless of their likelihood. This results in a great deal of unnecessary analysis and the
possible inclusion of unnecessary tasks in the initial program.
Just as failure modes may slide back into the description of functional failures, they also tend to slide into the description of failure
effects. Thus one point to watch for is a description of failure effects
that relate to the cause of the failure, rather than to its immediate results.
Again, the failure mode "leaking oil seal" will sometimes be stated as a
failure effect (perhaps with "oil-seal failure" given as the failure mode).
This is a subtle error, but it obscures the effect of the functional failure
in question on the equipment and its occupants.
The description of failure effects must include all the information
necessary to support the analyst's evaluation of the failure consequences.
Does the statement include the physical evidence by which the operating
crew will recognize that a failure has occurred - or if there is none (a
hidden failure), is this fact mentioned? Are the effects of secondary
damage stated, as well as the effects of a loss of function, and is it clear
from the description whether or not the secondary damage is critical?
Is the description stated in terms of the ultimate effects of the failure
with no preventive maintenance? In the case of hidden functions the
ultimate effects will usually represent the combined effects of a possible
multiple failure. This information helps to establish the intensity of
maintenance required to protect the hidden function; however, it must
be clear from the description that these effects are not the immediate
result of the single failure under consideration.
The failure effects should be examined to ensure that they do not
represent overreaction by inexperienced analysts. At the other extreme,
there is a possibility that serious effects may have been overlooked
where the equipment cannot be shown to be damage-tolerant for certain
types of failures. In either case the effects stated - including secondary
damage - must be a direct result of the single failure in question, and
not effects that will occur only in conjunction with some other failure
or as a result of possible pilot error. As with hidden-function items,
protection against multiple failures is provided for in the decision
logic by independent analysis of each single failure possibility.
CLASSIFICATION OF FAILURE CONSEQUENCES

The first three questions in the decision logic identify the consequences
of each type of failure, and hence the branch of the decision diagram
in which proposed tasks are to be evaluated. The answers to these
questions therefore warrant special attention during auditing to ensure
that the tasks have been measured against the correct effectiveness
criterion. The basis for each answer should be clearly traceable to the
information recorded on the descriptive worksheet.
There are several common problems in identifying hidden functions.
The first matter to be ascertained concerns the use of the decision
diagram itself. Has the evident-failure question been asked, not for
the item, but for each of its functions? If not, the answer may be true
only for the basic function, and other functions will be analyzed
according to the wrong criteria. And if the basic function of the item
happens to be evident, hidden functions that require scheduled tasks
may be overlooked. Another common error is the tendency to overlook
cockpit instrumentation as a means of notifying the operating crew of
malfunctions that would otherwise not be evident. An error that is more
difficult to spot is the identification of a replicated function in an active
system as evident when a failure would in fact not become evident until
both units failed.
Have the hidden functions of emergency items, such as ejection-seat pyrotechnics and stored oxygen, been overlooked? Hidden-function
items with built-in test equipment may be improperly identified as
having evident functions because failure-finding tasks are performed
by the operating crew. Similarly, items whose loss of function is evident
during normal use may be mistakenly classified as hidden-function
items simply because they are not used during every flight. (In this
case the failure-reporting system may have to be supplemented by
maintenance checks to ensure continued availability, but the analysis
of this function does not fall in the hidden-function branch.)
Answers to the safety questions may reflect some misconceptions
about the definition of a critical failure. Has a failure been identified
as critical (or for that matter, as evident) on the basis of multiple-failure consequences, rather than the consequences of a single failure?
Has it been identified as critical because it requires immediate corrective
maintenance-that is, it has operational (but not safety) consequences?
Has the analyst taken into account redundancy and fail-safe protection
that prevent a functional failure from being critical? One problem that
requires special attention is the failure to identify secondary damage
as critical when the aircraft cannot be shown to be damage-tolerant in
this respect.
Answers to the operational-consequences question should be
checked for any inconsistencies with the minimum-equipment list
(MEL) and the configuration-deviation list (CDL). The auditor should
watch for tendencies to interpret failures that are expensive to repair
as having operational consequences, or to ascribe operational consequences to failures that inconvenience the operating crew but do not
limit the operating capability of the equipment in any way. In some
cases operating restrictions associated with continued operation after
the occurrence of a failure may be overlooked as operational consequences. If they have also been overlooked in the statement of failure
effects, they should be added to the information worksheet.
A no answer to question 3 means that the failure in question has
only nonoperational consequences, and that function need not be protected by scheduled tasks in an initial program. If the item is subject
to a particularly expensive failure mode, it will ordinarily be assigned
to intensive age exploration to determine whether scheduled maintenance will be cost-effective. At this stage, however, any task analysis
that falls in the third branch of the decision diagram is subject to challenge by the auditor and must be supported by a cost-tradeoff study
based on operating data for the same or a similar item.
All answers to the first three decision questions should be examined
in detail, at least for the first few items completed by each analyst.
Even experienced analysts will have to refer to the RCM procedures to
refresh their memories on certain points, and the auditor's review of
this aspect of the decision logic is essential not only to correct errors,
but to ensure that the analyst fully understands the nature of the
questions. Misconceptions in this area are often evidenced by attempts
to revise the decision diagram to overcome some apparent shortcoming.
So far such revisions have proved to stem from an incomplete understanding of RCM concepts, rather than from deficiencies in the diagram.
The auditor should therefore be alert to this tendency and make sure
that the decision diagram has not been altered.

TASK SELECTION: APPLICABILITY CRITERIA

The answers to the remaining decision-diagram questions represent
the evaluation of proposed tasks. The most important point for the
auditor to determine here is that the analyst understands the relative
resolving power of the four basic types of task and the specific conditions under which each type of task is applicable. One frequent error in
evaluating an on-condition task is the failure to recognize all the applicability criteria. If the task is merely an inspection of the general
condition of the item and is not directed at a specific failure mode, it
does not constitute an on-condition task. The failure mode must also be
one for which it is possible to define a potential-failure stage, with an
adequate and fairly predictable interval for inspection. Another error is
extending the task to include the detection of functional failures (as
defined for the level of item being analyzed); the objective of an on-condition task is to remove units from service before the functional-failure point.
It is important to evaluate proposed on-condition tasks in terms of
their technical feasibility. The failure mode may be one for which on-condition inspection is applicable, but is the item accessible for inspection? Is the task one that is feasible within the maintenance framework
of the organization? Working groups often suggest inspection techniques that are still in the developmental state or recommend methods
that are feasible in theory but have not been tested. In the case of
critical failure modes this may be necessary, but it is equally likely that
redesign would eliminate the need for the task, and both alternatives
should be investigated. Does each inspection task include the specific
evidence the mechanic is to look for? If not, the procedure writers may
have difficulty converting the task to the proper job instruction, especially when the task is a visual inspection.
If a rework task has been specified, have the age-reliability characteristics of the item been established by actuarial analysis? Does the
conditional-probability curve show wearout characteristics at an identifiable age and a high probability of survival to that age? Is the failure
mode one for which rework will in fact restore the original resistance to
failure? The auditor should be prepared to question assumptions that
the item under study will prove to have the same reliability characteristics as a similar item that was shown to benefit from scheduled rework.
If there is reason to believe that scheduled removals for rework will be
of value, is there a cost-effective interval for this task? Has the item
been assigned to age exploration to obtain the necessary information?
The only discard tasks that should appear in an initial program are
for items that have been assigned life limits by the manufacturer. However, there is sometimes confusion about the difference between safe-life
limits and other age limits. Does the safe-life limit represent a zero
conditional probability of failure up to that age? Is the limit supported
by manufacturer's test data? If the task interval instead represents the
average age at failure, it is incorrect. Safe-life tasks are applicable only
to items subject to critical failures; hence they should appear only in
the safety branch of the decision diagram. The life limits assigned to
hidden-function emergency items - which are not in themselves subject
to critical failures - are adjusted on the basis of failure-finding tests and
in the strict sense are not safe-life limits. The auditor should question
any safe-life discard tasks that are not supported by on-condition inspections (where possible) to ensure that the safe-life age will be
achieved.
There are several pitfalls to watch for in auditing failure-finding
tasks. One is the failure to recognize that these tasks are the result of
default - that is, they are the outcome of all no answers in the hidden-function branch of the decision diagram. Another problem is failure
to recognize that these tasks are limited to the detection of functional
failures, not potential failures. The intervals for such tasks should be
examined for mistaken assumptions concerning the required level of
availability. Does the level of availability properly reflect the consequences of a possible multiple failure? Has the analyst overlooked the
fact that the interval is based only on the required availability of the
hidden function itself? Have failure-finding tasks covered by routine
crew checks been accounted for on the decision worksheets?

TASK SELECTION: EFFECTIVENESS CRITERIA

It is important to remember that the applicability criteria for tasks pertain only to the type of task and are true for that task regardless of the
nature of the failure consequences. The effectiveness criteria, however,
depend on the objective of the task - the category of failure consequences
it is intended to prevent - regardless of the nature of the task. Thus
the expected resolving power of a particular task can be measured only
in terms of the effectiveness criterion for the branch of the decision
diagram in which the failure is being analyzed.
Some practical problems often come up in interpreting the effectiveness criterion for the safety branch. Do the tasks and intervals selected
have a reasonable chance of preventing all critical failures? If not, what
is the basis for judging that the remaining risk level is acceptable? It is
important in this connection to bear in mind the resolving power of the
different types of tasks. On-condition tasks provide control of individual
units and therefore have a good chance of preventing all functional failures if the inspection interval is short enough; in contrast, age-limit tasks
(scheduled removals) merely control the overall failure rate for the item.
The auditor should therefore question the decision outcome of scheduled
rework in the safety branch, because a reduction in the failure rate is
unlikely to reduce the risk of failure to an acceptable level. What is the
policy or procedure for items for which no applicable and effective
tasks can be found? Is there an established procedure for referring them
back for redesign? Is there provision for a review with the designer prior
to any such referrals?
For tasks in the operational-consequences branch the only criterion
for effectiveness is cost effectiveness. Does the analysis show the basis
for determining that the task will be cost-effective? What costs are
imputed to the operational consequences, and what is the source of
these costs? Is the number of operational interruptions shown in the
analysis realistic? Is the expected reduction in this number as a result
of the proposed task based on real data, or at least real data for a similar
item?
Cost effectiveness is far more difficult to justify in the nonoperational-consequences branch. If a task has been assigned, what is the
basis for the cost-tradeoff analysis? Does the analysis erroneously
attribute imputed costs of operational interruptions to these failures? If it
includes any savings beyond the cost of correcting the failure and its
resulting secondary damage, the cost analysis is incorrect.
In the hidden-function branch a proposed task must ensure the
level of availability necessary to reduce the risk of a multiple failure
to an acceptable level. Is there a policy concerning this risk level that
can be used to interpret adequate availability? Does the policy differentiate between items on the basis of the consequences of the
multiple failure?


USE OF THE DEFAULT STRATEGY

In any initial program the decision paths will reflect default answers.
Thus the analyst's use of the default strategy should also be audited.
Have failures which may or may not be evident to the operating crew
always been classified as hidden? Where it cannot be demonstrated that
any anticipated secondary damage will not be critical, has the failure
been assigned to the safety branch? Have any opportunities been overlooked to assign on-condition inspections that may be partially effective
in preempting functional failures? Have all items for which the necessary
information was unavailable been assigned to age exploration? In
checking the analyst's understanding of the default strategy, the auditor
may encounter some instances of overuse. Have default answers been
used when real and applicable data for the item are in fact available as
the basis for a firm decision?
GENERAL USE OF THE DECISION LOGIC
After examining individual aspects of the decision logic, the auditor
must review the results of the analysis in larger perspective. Has every
task been assigned through direct application of the decision logic? One
major problem is the tendency to select a familiar maintenance task and
then work back through the decision logic to justify it. This handicaps
the analysis in two ways: on one hand, more of the tasks tend to stay
justified, and on the other, the possibilities of new tasks are not explored. Some analysts may have a strong preference for rework tasks
and will specify them whether they are applicable or not. Others will
favor on-condition inspections under any and all circumstances.
The auditor should look for signs of individual bias during the
progress-review meetings, and by actually counting the numbers of each
type of task selected by the various analysts. If there are more than a
dozen rework tasks for the entire systems division of a new type of
airplane, the results of the analysis should be questioned. It is also
important to check the disposition of items that have no scheduled
tasks. Is the number disproportionately high or low? Have items whose
failures have neither safety nor operational consequences been reclassified as nonsignificant?
The worksheets and all supporting information should be assembled for each item, usually with a cover sheet summarizing all the tasks
and intervals. After this material has been audited for accuracy and
completeness, and revised or corrected as necessary, the auditor should
sign or initial the list of tasks as final approval.

A.3 AUDITING ANALYSIS OF THE EQUIPMENT

The auditing principles discussed thus far apply to all divisions of the
equipment. However, each of the major divisions - systems, powerplant,
and structure - has certain features that pose specific problems during
analysis.
ANALYSIS OF SYSTEMS ITEMS

The chief difficulty in analyzing systems items is confusion about the
[...] and the functions of the specific item under consideration. Does
the list of significant items consist of systems and subsystems, perhaps
with a few of the more important complex assemblies? If more than 500
systems items have been classified as significant at the aircraft level,
the list is probably too long, and if there are fewer than 200, it may be
too short. If any subsystem includes more than half a dozen functionally
significant items, their classification should be reexamined.

Another problem is finding the dividing line between one system
and another. Have the working groups agreed on the list of significant
items and the specific hardware each analysis will cover? Does the procedure allow for later revisions as each group gets into the details?
Working groups will occasionally overlook a significant item or a
hidden function. The auditor should check for this by scanning the list of
items classified as nonsignificant and questioning any that are doubtful.

Several questions will come up in examining the list of functions
for each item. Is the basic function correctly stated for the system level
represented by the worksheet? (Is the system level clearly indicated on
the worksheet?) How does the analyst know that all the functions have
been listed? Does each functional failure have at least one failure mode,
and are the failure modes all real and possible? Do the failure effects
reflect the complete impact of each type of failure on the rest of the
equipment? It pays to play "what if" with the analyst for a sample of
failure possibilities to determine whether he has analyzed the item in
sufficient depth.
In auditing the tasks assigned to the item the auditor should check
to see that on-condition inspections are generally limited to installed
items. There is a tendency to specify shop inspections for systems items
simply because they will be in the shop often, which may unnecessarily
increase the workload. Any rework tasks must be substantiated by
actuarial analysis. Does this analysis show that scheduled rework will
in fact improve the reliability of the item? Rework is not cost-effective
for many systems items even when their failures are age-related. If a
rework task is applicable, has a cost-effective interval been found?

Are discard tasks specified only for the few systems items to which
the manufacturer has assigned life limits? Are safe-life limits supported,
where possible, by shop inspections of opportunity samples
for corrosion or other damage? Do failure-finding tasks scheduled for installed
systems items duplicate either shop inspections or routine crew checks?
Where such tasks are added to crew duties, what consideration has been
given to the present workload of the operating crew? What provisions
have been made for evident functions that the analyst knows will not be
used regularly in the intended operating context?
ANALYSIS OF POWERPLANT ITEMS

In auditing a powerplant program it is important to know exactly what
the powerplant includes. In some cases the analysis covers only the
basic engine; in others it includes all the quick-engine-change parts.
If this has not been determined, some key items may escape analysis.
Certain problems will be a matter of coordination. Was the systems
analysis of essential engine accessories far enough along to be taken
into account by the powerplant analysts? Did they have access to the
structural analyses of the engine mounts and cowling? How do the failure possibilities for these items affect the basic engine?

The engine itself is subject to a number of failure modes that involve
secondary damage. Whether or not this damage is critical, however,
depends on both the model of engine and the type of airplane. Does
the working group have a complete understanding of the specific design characteristics of this engine? The failure effects require particularly
careful auditing. Has the analyst considered the ultimate effects in the
absence of any preventive maintenance, or does the description presuppose that progressive failure modes will be halted before they reach
the critical stage? Will a failure mode that would otherwise be critical
in fact be preempted by a noncritical loss of function? Where the failure
evidence depends on cockpit instrumentation, what instrument indications are evidence of this particular type of failure?

Unless the engine is installed in a single-engine plane, an engine
failure that does not involve critical secondary damage does not have
safety consequences. Have evident failures been properly placed in the
operational-consequences branch of the decision diagram?
Safe-life items must be covered by discard tasks, but most of the
tasks in an initial powerplant program will be on-condition inspections.
Have these inspections been assigned to installed engines whenever
possible, to avoid the need for engine removals? Are they limited to
known problem areas, with the remaining on-aircraft inspection capability reserved for troubleshooting and later scheduled tasks if necessary?
The intervals for inspections on installed engines should be specified in
operating hours or flight cycles, whereas shop inspections of internal
engine items should be scheduled to take advantage of opportunity
samples. Have any shop inspections been specified in a way that will
require scheduled removals or unnecessary disassembly to reach a single
part?
The entire age-exploration program for the powerplant should be
reviewed. Does it include procedures for increasing task intervals on
the basis of inspection findings? Does it provide for inspection of the
oldest parts available on an opportunity basis, without special disassembly for age-exploration purposes? Does it include threshold limits,
or a similar plan, to allow the removal of most units from service at or
before the upper limit without special engine removals? If any of these
features are missing, that aspect of the age-exploration plan should be
questioned.
ANALYSIS OF THE STRUCTURE

Auditing of the structure program consists of a review of the ratings
and class numbers used to establish the initial inspection interval for
each structurally significant item. Both the auditor and the analysts must
have a clear understanding of the difference between damage-tolerant
and safe-life structure, the rating factors that apply in each case, the basis
for rating each factor, and the basis for converting the final class number
into an inspection interval. Some members of the working group may
have more difficulty than others in grasping the distinction between
resistance to failure and residual strength. Are all members of the
working group using the same definition of fatigue life, and are the
manufacturer's data expressed in these terms? Was the conversion of
test data into safe-life limits based on an adequate scatter factor?

The definition of a structurally significant item is one of the most
important aspects of the analysis. Is the basis for this definition clearly
understood by the working group? Are the significant items generally
confined to primary structure, or is needless effort being devoted to
evaluation of much of the secondary structure as well? Has adequate
consideration been given to the possibility of multiple failures at the
same site? If the designations are correct, most of the significant items
will represent small localized areas, rather than whole structural members; otherwise each item will require much more inspection time in the
continuing program. Has the manufacturer's engineering department
participated in the identification of significant items? No one else is in
a position to identify the structural elements most susceptible to fatigue
failure and the effect of such failures on the strength of the assembly.
If the structure includes any new material or manufacturing processes or is to be operated under any new conditions, the inspection
intervals will be far more conservative. Even with familiar materials and
conditions, however, the test data must be data for this production
model. Is a fatigue test being conducted for the whole structure, and
will preliminary results be available in time for use in developing the
initial program? Will inspection findings and any failure data from the
flight-test program be available? The fatigue data should be examined
to determine whether the flight-load profile is realistic. The usual test
method is flight cycles; is the conversion to operating hours realistic for
the intended operating environment?
While structural strength and fatigue life are the manufacturer's
responsibility, the operating organization is concerned in these matters
as well. The working-group members must therefore have enough
information about the design and the test results to be able to evaluate
and question the manufacturer's maintenance recommendations. One
point the auditor should check at an early stage is whether there is
adequate interaction between the manufacturer's and the operator's
representatives to provide for full participation by all members. Before
work begins there must be general agreement on the basis for the
selection of significant items and the basis on which each factor will
be rated. A sample of structurally significant items and their ratings
should be audited to make sure they correspond to this agreement
before significant items are selected for the whole structure. Do the
ratings give proper recognition to areas prone to corrosion as a result
of their location? Has external detectability been properly considered?
What was the basis for converting class numbers to intervals? Are the
intervals similar to those in current use for other aircraft?
The number of structurally significant items on an airplane will
depend on the size of the airplane, the size of the area designated as
significant, and in some cases on the number of ways it can be accessed.
Has the exact location of each significant item been clearly designated?

Have photographs been provided which show the designated items? The
working group should verify the entire list of significant items by inspection of an airplane in its fully assembled configuration. Some items
assigned visual inspection may in fact be hidden beneath other structural elements or behind installations. In this case x-ray inspection
may have to be specified, or some other approach to the area may have
to be employed for this significant item. The tasks themselves should
be audited to ensure that the inspection plan as a whole does not include
unnecessarily expensive or sophisticated techniques. Is x-ray inspection,
for example, limited to areas in which it is known to be useful, or are
all items covered in the hope that it will prove useful?
The basic inspection plan covers only structurally significant items.
However, it will be supplemented by general inspections of nonsignificant structure as part of the zonal program, preflight walkaround
inspections, and general inspections of the external structure. The
structure program should therefore be reviewed in connection with
these other programs, both for any obvious conflicts and to ensure
that all nonsignificant portions of the structure have been accounted
for. Has external structure that is not visible from the ground been taken
into account? Do the inspections assigned to structural elements in
systems and powerplant items take into account the other inspection
requirements of these items?
NON-RCM PROGRAM ELEMENTS

The zonal inspection program should be audited to ensure that all
zones in the airplane are included. If a rating scheme has been used to
establish relative inspection intervals, is it consistent with RCM principles? Do the relative intervals for each zone correspond to the rating
scheme? How do these intervals correspond to those for detailed inspection of internal structurally significant items? If there are conflicts,
can the zonal inspection intervals be adjusted? Zonal inspections are
general visual inspections; do the tasks clearly describe the elements
in the zone to be inspected?
The servicing and lubrication tasks should be audited for completeness, and any deviations from the manufacturer's recommendations
should be substantiated. The specifications for walkaround and other
damage inspections should be audited to make sure that all the important areas are clearly indicated, especially those most likely to incur
damage from ground operation and from mechanic traffic itself.
THE COMPLETED PROGRAM

After each working group has completed its analysis and the results
have been audited separately, additional questions may arise when the
program is examined as a whole. Some apply to the accuracy and completeness of the worksheets when they are summarized for each major
portion of the airplane; others apply to packaging questions that arise
when all the tasks are grouped for implementation.
Do the tasks for each portion of the airplane cover all levels of maintenance? Have all of them been transcribed accurately? Do they still
make sense when they are viewed together? One problem that may
come up at this stage is a discrepancy in the level of task detail and
amount of explanatory material for different items. All the tasks should
be reviewed to see that they meet the original definition of the final
product. Are there any gaps or overlaps? If the final product is simply a
list of the tasks and their intervals, have those intervals that are flexible
been indicated, to facilitate packaging decisions?
Packaging presents special auditing problems, since the standards
to be applied depend on the organization, its routing practices, the
fleet size, the number and location of maintenance facilities, and a
variety of other factors. Have these been taken into account? Are
the most frequent tasks the kind that can be accomplished at small
stations with limited staff and facilities? Auditing the packaging of the
tasks is primarily a matter of determining whether the tasks have been
scheduled as efficiently as possible for a given set of circumstances.
The impact of the maintenance program on the intended use of
the equipment should not be overlooked in the audit. Will the proposed
maintenance schedule permit each aircraft to carry out the longest series
of scheduled flights without interruption? If not, can either the operating
schedule or the maintenance schedule be revised? Does the program
allow for all the operating environments that will be encountered, including a possible change from one set of operating conditions to another
for the same aircraft? Does it provide for RCM analysis of any new
systems or tasks that may be added as a result of age exploration?

A.4 AUDITING THE ONGOING PROGRAM

Once the initial RCM program has been completed and packaged for
implementation, a group within the organization will also be needed
to monitor failure data and the results of age exploration and revise the
prior-to-service program accordingly. The plans for these activities and
overall management of the ongoing program are also subject to auditing.
Certain information systems must be established before the aircraft
goes into service:

- A system for reporting failures, their frequency, and their consequences
- An age-exploration system for continual evaluation of age-condition information, with procedures for extending task intervals as rapidly as the data permit
- A system for controlling the addition of new scheduled tasks to ensure that they meet RCM criteria before they are accepted
- A system for periodic reevaluation of all tasks in the program to eliminate those which are no longer needed
- A system for reviewing the content of the task packages as the size of the fleet grows
- A system for evaluating unanticipated problems and determining the appropriate action

Are the present information systems adequate to meet all these requirements? Are they adequate for the size and age of the fleet? How familiar
are the key personnel with basic RCM concepts, and how are differences
of opinion resolved?
Auditing an ongoing maintenance program may require different
skills and experience from those needed to audit program development.
The auditor's questions during program development are chiefly at the
procedural level. At this stage, however, the auditor may often find
himself in an adversary situation, where much of his work is with
people having differing viewpoints about what should or should not
be done. Thus he will have to be both inquisitive and objective to
discern the overall pattern of reliability information from various
sources and interpret its impact on the maintenance program.

A.5 AUDITING NEW PROGRAMS FOR IN-SERVICE FLEETS

The auditing principles in Sections A.2 and A.3 also apply to new RCM
programs for in-service aircraft, but there are some additional factors
to bear in mind. Older aircraft may not be as sophisticated or complex
as those currently being developed, and there are often fewer fail-safe
or damage-tolerant features. Consequently both the pattern of analysis
and the resulting tasks may differ somewhat from those for a new airplane. Another reason for the difference, however, is that much of the
age-exploration information is already available; thus the tasks that
would ordinarily be added later to a prior-to-service program will appear
from the outset in a new program for in-service equipment.

It is especially important for the auditor to determine that the new
RCM program is not being developed by an analysis of the existing
tasks, but represents a completely independent analysis of the equipment. The set of tasks resulting from this analysis should then be
compared with the existing program to determine the differences. At
this time the current tasks that were not included in the new program
should be reviewed, but only to ensure that nothing has been missed.

In developing a program for a new type of airplane reliability data
on similar items, even when it is available, may or may not apply to the
item under study. In this case, however, the necessary information is
available from actual operating experience. Thus one of the major differences in auditing the analysis itself is to determine that the data
were in fact used and were used correctly. The auditor should make sure
that rework tasks, for example, have not been selected without an actuarial analysis of the data on this item. A sample of the actuarial analyses
themselves should be reviewed to see that they conform to the general
methods outlined in Appendix C.
The number of tasks in the program will ordinarily be somewhat
greater for an in-service airplane, and in many cases there will be quite
a few rework tasks for systems items. These should be reviewed thoroughly to make sure they are necessary; however, an older airplane may
require more rework tasks than a new one for several reasons. First,
the results of age exploration will show that a few rework tasks are
economically desirable and should be included in the program. Second,
the older designs may actually have more assemblies that show a wearout pattern. There may also be a larger number of scheduled tasks for
hidden functions because of older design practices, and the number of
on-condition tasks may be slightly higher because ways of exploiting
these relatively inexpensive inspections will have been found for a
number of items.
In comparing the completed RCM program with the existing program the auditor will have to take differences in terminology into
account. Many older programs call some tasks on-condition that do not
meet the criteria for this type of task. They may be inspections of the
general condition of the item, or they may be inspections to find functional failures rather than potential failures. Similarly, the designation
condition monitoring will actually include failure-finding tasks for some
items. In case of doubt the auditor (or the analyst) may have to refer to
the job-instruction card for the present task to determine its actual
nature.
As with any program-development project, the results should be
reviewed to ensure that they are in accord with the definition of the
final product. In the case of a program for in-service equipment the
final product may consist only of the new RCM program, or it may
include a full cost comparison of the two programs and perhaps a list
of recommendations.

APPENDIX B

THE HISTORY OF RCM PROGRAMS

MAINTENANCE THEORY in the aircraft industry began with certain traditional ideas. One was the assumption that there is a one-to-one relationship between scheduled maintenance and operating reliability;
hence the more scheduled maintenance, the more reliable the equipment would be. Since it was further assumed that reliability is always
related to operating safety, these ideas led to the belief that each item
had a "right" overhaul time which could be discovered but must not
be exceeded in the meantime.

Over the years equipment designers have been able to eliminate
the possibility of most critical failures, and although the two issues
cannot be entirely dissociated, modern aircraft design practices have
greatly weakened the relationship between safety and reliability. While
safety is the first consideration that leads to failure-tolerant or damage-tolerant design, redundancy in commercial aircraft usually extends beyond this point to enable an airplane to continue scheduled operations
despite one or more functional failures. In fact, dispatch reliability is
now a competitive design feature. As a result of these design practices,
equipment designers have, in effect, ensured that operating safety has
the least possible dependence on scheduled maintenance although this
dependence still exists for a small number of failure modes.

The gradual recognition that safety and reliability were no longer
synonymous in the case of aircraft led to a general questioning of traditional maintenance practices on economic grounds. These questions
were given impetus by the fact that certain types of failures were not
being prevented even by the most intensive application of these practices. Consequently a number of studies were conducted in the late
1950s to identify the actual relationship between overhaul times and
reliability. The results necessitated a rejection of the simple belief that
every item had a right overhaul time, and the focus changed to the
development of alternative approaches, which eventually culminated
in the present form of RCM analysis as a basis for determining maintenance requirements. This appendix describes the more important programs that were implemented during this evolutionary period, along
with some of the studies that led to the abandonment of traditional
hard-time policies in the commercial-aircraft industry.

B.1 THE HARD-TIME PARADOX

The Federal Aviation Regulations governing the maintenance and operation of commercial aircraft still embody the traditional concept that
the length of time between successive overhauls is an important factor
in operating safety. The Federal Aviation Act of 1958 empowered the
Secretary of Transportation to prescribe and revise from time to time
"reasonable rules and regulations governing, in the interest of safety,
. . . the periods for, and the manner in which, . . . inspection, servicing,
and overhauls shall be made." This wording is still in effect.* More
specifically, Federal Aviation Regulation 121.25, revised in 1973, requires
that all commercial air carriers formally institute "time limitations, or
standards for determining time limitations, for overhauls, inspections,
and checks of airframes, engines, propellers, appliances and emergency
equipment."

*Title VI, Safety Regulation of Civil Aeronautics, Aeronautical Statutes, sec. 691(a)(3).

Besides the regulations proper, the FAA also provides guidelines
in the form of advisory circulars, intended to facilitate application of the
regulations. According to Advisory Circular 121-1A, issued in June 1978,
"for those aircraft not listed in AC 121-1A or an MRB document, the
basic principle followed by the Administrator will be that the inspections, checks, maintenance, or overhaul be performed at times well
within the expected or proven service life of each component of the
aircraft."* The interesting point about these regulations and guidelines
is that they are still the official form, even though most airlines today
receive full approval of maintenance programs that have little to do
with the traditional frame of reference implied by the rules.
Under these circumstances, however, it is not surprising that the
initial scheduled-maintenance program for the Douglas DC-8, authorized in 1959 by the FAA Maintenance Review Board, established hard-time overhauls for 339 items, in addition to scheduled overhauls for the
engine and for the airplane as a whole. The objective of the program-development team was to establish overhaul times which were "well
within the expected or proven service life of each component of the
aircraft." It is interesting to examine the human capability of achieving
this objective as it was interpreted then.
Exhibit B.l shows the actual failure rates, plotted as a function of
the initial overhaul times, for the 55 items on the DC-8 which experienced the highest numbers of premature removals. The data are separated to differentiate between electronic and nonelectronic items, but
in either case there was evidently little success in associating an initial
interval with the failure rate that would be experienced, and hence
ensuring that overhaul occurred within the service life of the item. The
curve shows, for any given failure rate, the age at which only 10 percent
of the units would survive if the age-reliability relationship were exponential.
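
The curve described above follows directly from the exponential assumption. The derivation below is an added illustration, not part of the original text; it assumes the failure rate $\lambda$ is expressed per 1,000 operating hours and the age $t$ in hours (the units are an assumption, since the exhibit's axes are not reproduced here).

$$R(t) = e^{-\lambda t/1000}, \qquad R(t_{10}) = 0.10 \;\Longrightarrow\; t_{10} = \frac{1000\,\ln 10}{\lambda} \approx \frac{2303}{\lambda}\ \text{hours}$$

Under these assumptions an item with $\lambda = 1$ per 1,000 hours reaches 10 percent survival at about 2,303 hours, and one with $\lambda = 0.5$ at about 4,605 hours. Any item whose point lies above the curve, that is, with $\lambda > 2303/T$ for its assigned overhaul limit $T$, would see fewer than 10 percent of its units survive to that limit if its age-reliability relationship were exponential.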
Because of the difficulty in predicting the expected right overhaul
time for each item, overhaul intervals on a new type of airplane were set
at relatively low ages and were increased only with great caution. The
FAA required at least three months between successive increases, but
most airlines in fact permitted much longer periods of time to elapse.
And when intervals were extended, the amount of increase was very
small. The FAA also limited any increase in powerplant overhaul times,
for example, to no more than 100 hours over the previous limit. The
basis for extending the overhaul limits was a complete teardown inspection of a number of serviceable items that had reached the current age
limit and an evaluation of the condition of each part to judge whether
it could have continued to operate to the proposed new age limit.

*Standard Operations Specifications: Aircraft Maintenance Handbook, FAA Advisory Circular 121-1A, June 1978.

EXHIBIT B.1 Premature-removal rates of systems items on the
Douglas DC-8, plotted against the overhaul limit assigned to each
item in the initial maintenance program. The data points in color are
for electronic items and those in black are for nonelectronic items.
The curve represents the failure rate at which 10 percent of the units
(both electronic and nonelectronic) would survive to a given age limit.
(United Airlines)

While this procedure might at first seem similar to an on-condition
process, note that in most cases there was no means of meeting the
criteria of applicability for an on-condition inspection:

- It must be possible to detect reduced failure resistance for a specific failure mode.
- It must be possible to define a potential-failure condition that can be detected by an explicit task.
- There must be a reasonably consistent age interval between the time of potential failure and the time of functional failure.

Since the teardown-inspection findings provided no objective basis for
extending overhaul intervals, the continued viability of the item was
tested by monitoring the failure rates and failure modes at the new limit
to ensure that the extension had not adversely affected reliability, and
then the cycle was repeated. The assumption was that this process of
incremental time extensions would ultimately identify the correct overhaul age.

EXHIBIT B.2 Age-reliability analyses of two types of reciprocating
aircraft engines which illustrate the difficulty in interpreting
teardown-inspection findings. Inspection reports were favorable for
the Wright R-3350 and unfavorable for the Pratt & Whitney R-2800.
The red portion of the curves represents analyses performed in the
spring of 1959, and the black portion represents subsequent analyses
performed in 1963. (United Airlines)

This procedure alsa led to some perplexing situations. In the spring
of 1959 extension of the overhaul limit for two different types of reciprocating aircraft engines was under consideration. One engine, the Wright
R-3350 TC 18, had a high enough failure ratc that very few engines survived to the current ovt.rhc~ullimit of 1,300 hours; consequently it was
difficult to obtain time-expired sample engines for the teardown inspections. Nevertheless, the opirrion of the inspection team was that the
parts of those engines that had surviveci to the limit were in very good
condition, and' that these particular engines could have continued in
operation to much higher ages without experiencing failures. O n this
basis the team recommended that the overhaul limit be extended. It was
apparent, I~owcver,that the time extension would be of little economic
benefit, since even fewer engines would survive to the new limit.
The other engine, the Pratt & Whitney R-2800 CA 15, had a low failure r.~te.Hence a large n u n h e r of engines had survived to the current
overh.?ul timc of 1, 30 hours, and i t was relatively easy to obtain timeexpired s,lmple engines for the teardown inspections. In this case, however, the same inspection team judged many of the parts to be in poor

enough condition that the sample engines could not have operated to
the proposed new overhaul limit without experiencing failures. The
inspection team thereforc recommended a g a i n ~ textending the limit
for this engine. The time extension would have high econolnic value,
t~o~vever,
if the opinion concerning increased likelihood of failure
proved incorrect, since so many engines were surviving to the current
limit.
Actuarial analyses were performed to determine the age-reliability
characteristics of both types of engines; the results of these analyses are
shown by the red portion of the curves in Exhibit B.2. Note that the
opinions expressed by the inspection team are equivalent to a contention (1) that the conditional probability of failure for the first engine will
show a marked decrease at ages greater than the current limit, and (2)
that the conditional probability of failure for the second engine will show
an abrupt increase at ages greater than the current limit. The reliability
analysts argued that abrupt changes in age-reliability characteristics
were unlikely to occur, and the overhaul times of both engines were
extended.
The black portion of the curves in Exhibit B.2 shows the results
of analyses made in March 1963, after the overhaul times of both engines
had been extended well beyond those that existed when the conflict
between the inspection findings and the actuarial findings first became
apparent. The overhaul time of the Pratt & Whitney R-2800 was ultimately extended to 3,300 hours, with substantial economic benefits,
despite adverse inspection reports at each step. Since the inspection
team consisted of skilled people familiar both with the items in question and with airline maintenance processes, this contradiction of their
findings by actuarial analysis has continued to be a paradox.
The FAA's last determined effort to control operating reliability by
adjustment of hard-time overhaul limits was in August 1960, when it
issued the Turbine Engine Time Control Program. In this case the basis
for adjustment of overhaul limits was the in-flight engine-shutdown
rate experienced by the operating airline, rather than the recommendation of an inspection team. The adjustment of overhaul intervals was
related to the shutdown rate for the preceding three-month period as
follows:
Shutdown rate                  Overhaul-time
(per 1,000 engine hours)       adjustment

Greater than 0.30              100-hour reduction
0.15-0.20                      No adjustment
0.10-0.15                      100-hour extension
Less than 0.10                 200-hour extension

This program elicited strong negative reaction from the airlines, since
the basis for adjustment was highly sensitive to variations in the shutdown rate caused by sampling effects and did not provide for engine
shutdowns due to the failures of accessories which were not part of the
basic engine. The program was short-lived.
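The sensitivity to sampling effects can be made concrete. The following is an added example, not part of the original report: it assumes that shutdowns in a three-month period follow a Poisson distribution (an assumption of this example) and computes how often a fleet with a fixed underlying shutdown rate would land in each band of the table above. The fleet sizes, the treatment of boundary values, and the function names are constructed for illustration.

```python
import math

# Bands exactly as printed in the table above (shutdowns per 1,000 engine
# hours over the preceding three months). The page lists no band between
# 0.20 and 0.30, so that range is reported as "not listed", not guessed.
# Which band owns a boundary value (0.10, 0.15) is an assumption.
def adjustment(rate):
    if rate > 0.30:
        return "100-hour reduction"
    if rate > 0.20:
        return "not listed"
    if rate >= 0.15:
        return "no adjustment"
    if rate >= 0.10:
        return "100-hour extension"
    return "200-hour extension"


def poisson_pmf(k, mu):
    # Computed in log space so that large fleets (large mu) do not overflow.
    return math.exp(-mu + k * math.log(mu) - math.lgamma(k + 1))


def band_probabilities(true_rate, engine_hours):
    """Probability of each adjustment for a fixed underlying shutdown rate.

    Assumption: the number of shutdowns in the period is Poisson with
    mean true_rate * engine_hours / 1000.
    """
    thousands = engine_hours / 1000.0
    mu = true_rate * thousands
    if mu == 0:
        return {adjustment(0.0): 1.0}
    k_max = int(mu + 12 * math.sqrt(mu) + 30)  # tail beyond this is negligible
    probs = {}
    for k in range(k_max + 1):
        band = adjustment(k / thousands)       # rate the airline would report
        probs[band] = probs.get(band, 0.0) + poisson_pmf(k, mu)
    return probs


if __name__ == "__main__":
    # Constructed fleets: the same true rate (0.12 per 1,000 engine hours),
    # three different amounts of engine hours flown in the three months.
    for hours in (20_000, 200_000, 2_000_000):
        result = band_probabilities(0.12, hours)
        print(hours, {band: round(p, 3) for band, p in result.items()})
```

With 20,000 engine hours in the period, an engine whose underlying rate sits inside the 0.10-0.15 band is reported in that band only about a quarter of the time; every other outcome comes from chance variation in a handful of events.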

B 2

CHANGING PERCEPTIONS OF
THE HARD-TIME POLICY

By the late 1950s sufficient operating data had accumulated for intensive
studies of the effectiveness of prevailing scheduled-maintenance methods. These studies brought several important facts to light:
• It was beyond human capability to set an initial overhaul time that
  would be well within the proven service life of an item.

• When the likelihood of failure did increase with age, the reports
  from teardown inspections often conflicted with the results of actuarial analysis. The teardown inspections were apparently unable to
  identify failure resistance in a discriminating manner.

• There were many items for which the likelihood of failure did not
  increase with operating age, and hard-time limits had no effect on
  reliability in these cases.

A better method of determining scheduled-maintenance requirements
was clearly needed.
During the same period the FAA and the airlines were expressing
continuing concern about the high failure rate of the Wright R-3350
engine and the fact that various changes in maintenance policy had
resulted in no significant improvement in its reliability. This situation,
and the general need for an improved overhaul-time policy for aircraft
turbine engines, led to the formation in 1960 of a task force, with representatives from both the FAA and the Air Transport Association. This
team was charged with the responsibility of obtaining a better understanding of the relationship between overhaul policy and operating
reliability.
The result of this study was the FAA/Industry Reliability Program,
issued in November 1961. The introduction to this publication stated the
objective of the program as follows:*

The development of this program is toward the control of reliability
through an analysis of the factors that affect reliability and provide a system of actions to improve low reliability levels when they
exist. In the past, a great deal of emphasis has been placed on
the control of overhaul periods to provide a satisfactory level of
reliability. After careful study, the Committee is convinced that
reliability and overhaul time control are not necessarily directly
associated topics; therefore, these subjects are dealt with separately.
Because the propulsion system has been the area of greatest concern in the recent past, and due to powerplant data being more
readily available for study, programs are being developed for the
propulsion system first, as only one system at a time can be successfully worked out.

*FAA/Industry Reliability Program, Federal Aviation Agency, November 7, 1961, p. 1.

EXHIBIT B.3 The effect of changing overhaul policies on the rate of
interval extension for the Pratt & Whitney JT4 engine. The Propulsion
System Reliability Program, authorized in November 1961, represented
the first significant change in the emphasis on overhaul intervals,
although it still presupposed a relationship between scheduled
overhaul and reliability. (United Airlines)

The publication authorized a trial period for a new Propulsion System Reliability Program which established a shutdown-alert rate for
each type of engine. If an airline experienced a shutdown rate that
exceeded the alert value, an investigation was required to determine the
reasons, and action appropriate to the results of the investigation was
to be taken. There was no requirement, however, that overhaul times
be either reduced or not extended further, unless the investigation indicated this action as a remedy. Teardown inspections were also restored
as the basis for extending overhaul times. The number of time-extension
samples was a function of fleet size and ranged from a sample of 1 for
a fleet of four or fewer operating units to a sample of 6 for 101 or more
operating units. The requirement of a minimum calendar period between successive extensions was eliminated. This last change greatly
increased the rate of overhaul-time extension (see Exhibit B.3) and lowered maintenance costs by reducing the number of engines in the overhaul process.
It had already been recognized that each type of engine had a group
of short-lived parts that could not survive through the entire scheduled-overhaul interval. The trial program therefore provided for monitoring
of some of these parts by on-condition inspections, with replacement
of deteriorated parts as necessary. The other short-lived parts were to
be replaced at a scheduled "engine heavy maintenance" (hot-section)
visit. The limit on the heavy-maintenance interval was imposed by the
shortest-lived part that depended on this shop visit for maintenance
action. The limit was increased as improved parts were developed.
Again, each increase was based on the condition of a sample of time-expired engines. The requirement for scheduled engine heavy maintenance was abandoned altogether in 1972 in favor of scheduled rework
or discard tasks where applicable and effective for specified individual
engine parts.
The trial Propulsion System Reliability Program, which later became a permanent program, represented a significant weakening of the
traditional emphasis on hard-time overhauls as a major factor in engine
reliability. This program was legally enabled by the clause in the regulations covering "time limitations or standards for determining time
limitations", the same clause that had been used earlier to promulgate
the short-lived Turbine Engine Time Control Program. At the time
the Propulsion System Reliability Program was instituted it was still
assumed that a "right" overhaul time would ultimately be identified
for each type of engine.
After work on the powerplant program was finished there was no
agreement among the industry members of the task force concerning
the type of item that should be investigated next. Consequently the FAA
permitted each of the airlines represented on the task force to develop
and implement test programs for those items in which it was most interested. United Airlines chose to develop a Component Reliability Program for complex mechanical items which had previously been assumed
to be among the best candidates for hard-time overhaul. This program
was initiated in February 1963 and was at first applied to six items: the
cabin compressor, the constant-speed drive, and freon compressor on
the Douglas DC-8 and similar items on the Boeing 720.
The components program also presupposed that each item had an
optimum overhaul time, and the objective was simply to identify this
limit in the shortest possible calendar time with a minimum cost for
interim scheduled overhauls. The test program was designed to demonstrate that reliability could be controlled in the absence of fixed overhaul times while the final right time was being sought. On this basis
particular attention was paid to the following factors:

• The age-reliability characteristics of the items as determined by
  actuarial analysis

• New and undesirable failure modes that might appear at higher
  ages

• The total support cost for the item

• The results of a limited teardown inspection of a small number of
  high-time units

There were no overhaul limits as such, and other units were permitted to
continue aging in service while the sample units were being inspected.
As a result, inspection data accumulated rapidly and continually for successive age intervals. Moreover, despite the continuous increases in the
age of sample overhauls, as illustrated in Exhibit B.4, there was no reduction in the reliability of the components under this program.

EXHIBIT B.4 Experience with three systems items on the Douglas
DC-8 under the Component Reliability Program and later programs.
Premature-removal rates are per 1,000 operating hours.
(United Airlines) (Panels: DC-8 cabin compressor; DC-8 constant-speed drive.)

The experience with the trial programs conducted by the various
airlines prompted the FAA to issue Advisory Circular 120-17, a Handbook
for Maintenance Control by Reliability Methods, in December 1964. The
purpose of this document was stated as follows:*

This handbook provides information and guidance material which
may be used to design or develop maintenance reliability programs
which include a standard for determining time limitations. . . It
is, in addition, a method to realistically and responsively relate
operating experience to the controls established.

With reference to the test programs, the circular went on to say:

The purpose of these studies is to acquire, through practical application, information that could be used to amend and refine our
present system of monitoring operator's maintenance quality and
yet permit the operator maximum flexibility in establishing its
own maintenance controls within the bounds of generally accepted
maintenance philosophies.

*Handbook for Maintenance Control by Reliability Methods, FAA Advisory Circular 120-17,
December 31, 1964.

United Airlines moved quickly to qualify reliability programs for
various types of items, because the reduced scheduled-maintenance
workload under the test programs had not resulted in any reduction in
reliability. The residual maintenance workload was still large enough,
however, to warrant further attention. In January 1965 United qualified
its Turbine Engine Reliability Program under the terms of Advisory Circular 120-17. This program was similar to the Component Reliability
Program, but there was a less demanding sample-overhaul requirement
of one engine per 10,000 hours of operating experience. This requirement
was changed from time to time in the next few years until, in 1968, the
requirement for sample overhauls was eliminated entirely. The history
of the increase in the sample-overhaul time limit shown in Exhibit B.5
is typical of the pattern for turbine engines during that period.
In addition to the requirement for sample overhauls as a basis for
extending the engine overhaul limit, the turbine-engine program included a scheduled shop visit for engine heavy maintenance, with time
extensions for this interval accomplished by a process similar to that
specified in the Propulsion System Reliability Program. There were also
scheduled tasks to replace specific time-limited parts whose failure could
have a direct adverse effect on operating safety. The need for these
scheduled discard tasks has continued regardless of other changes in
maintenance theory.
The Turbine Engine Reliability Program, with revisions, continued
in successful operation until 1972, when it was replaced with United
Airlines' current program, called Logical Information Based on Reliability Analysis (LIBRA), which embodies decision logic. A permanent
and expanded Component Reliability Program also continued in operation, with only minor changes, until the current program was established
in 1972. By 1969 there were 20 items under this components program. Not
all of them are still in service, but the ages of most of the items that are
in service are still being permitted to increase. The rate of increase is now
quite small, since few units survive to the maximum ages that have
been experienced without the need for repair work which is sufficiently
extensive to zero-time the unit. The operating experience illustrated in
Exhibit B.4 is typical of the pattern for such items.

EXHIBIT B.5 The history of sample-overhaul requirements for the
Pratt & Whitney JT4 engine under successive test programs. The
Turbine Engine Reliability Program, authorized in January 1965,
continued successfully without the sample-overhaul requirement until
it was replaced in 1972 by current reliability-centered programs.
(United Airlines) (Legend: CAR, Civil Aviation Regulations; PSRP, Propulsion System
Reliability Program; TERP, Turbine Engine Reliability Program. Annotation:
requirement eliminated.)

In June 1965 United Airlines obtained approval to implement a permanent Reliability Controlled Overhaul Program (RCOH). This program
in fact dated back to April 1958, but its use had been restricted to a small
number of items. Items covered by this program were not subject to any
overhaul time limits at all; consequently there were no sample-overhaul
requirements. An item qualified for the program if actuarial analysis
demonstrated that the conditional probability of failure did not increase
with increased time since the last shop visit. In other words, the item
had to show an age-reliability relationship represented by curve D, E,
or F in Exhibit 2.13, indicating that it could not benefit from scheduled
overhaul. The program did require that an alert failure rate, based on
past operating history, be established for each item and that a fact-finding investigation be conducted whenever the failure rate exceeded
the specified value. It was found, however, that most excursions above
the alert rate were associated with sampling effects, and not with
changes in age-reliability characteristics. By 1969 this program covered
277 items from various types of airplanes. These items included many
mechanical and electromechanical assemblies, although most were electronic components. This program also continued in successful operation
until it was replaced in 1972 by the current program.
During the course of both the Turbine Engine Reliability Program
and the Component Reliability Program there was a rapid escalation of
overhaul age limits and a continuing reduction in the number of sample
overhauls required at each limit. Wherever there might have been a
slight increase in the failure rate as units reached higher ages, its effects
were more than offset by the results of product-improvement activity.
In the process numerous age-reliability relationships were defined. They
showed no pronounced wearout characteristics for the components, and
much of the wearout evident in the premature-removal rates for engines
was the result of on-condition inspections, not of functional failures.
Finally in 1972 the practice of a scheduled complete disassembly for
inspection, followed by an overhaul, was discontinued entirely in both
programs. The Reliability Controlled Overhaul Program had never required sample overhauls and relied instead on the results of actuarial
analysis. Note that all these programs were based on information that
had to be derived from operating experience.

B 3

THE INTRODUCTION OF
ON-CONDITION MAINTENANCE

The testing of new concepts in the early 1960s was not limited to a search
for the best way to identify optimum overhaul limits. In 1962 the overhaul concept itself was challenged. Traditional overhauls entailed complete disassembly and remanufacture, and a shop visit which entailed
less work than this was classified as a repair and was not considered to
zero-time the operating age of the unit. Serviceable units returned to the
supply organization after such a repair were classified as "part-time
spares" to indicate that after they were installed, they could not remain
on the airplane for a full overhaul interval.
To reduce the need for these early scheduled removals, a new concept of "conditional overhaul" was tested on several items. A conditional overhaul consisted of:
• Correction of the immediate cause of failure

• Such additional work, if any, as required to enable the unit to meet
  the functional performance specifications for the item

• Certain specified inspection and/or rework of known points of wear
  or deterioration

The operating performance of the units that received conditional overhauls was carefully monitored, and actuarial analyses of these units were
compared with analyses of units that received the traditional complete
overhauls to determine whether there were any undesirable differences
in age-reliability characteristics. The only notable difference was that
the units that had received conditional overhauls showed less infant
mortality. Application of the conditional-overhaul concept grew, and by
1965 most of the items that were subject to overhaul limits were receiving conditional overhauls, and a conditional overhaul was considered
to zero-time the unit. This approach resulted in a marked reduction in
shop maintenance costs with no adverse effect on reliability.
Another new concept introduced during this period was United
Airlines' Test and Replace as Necessary Program (TARAN), which was
approved in January 1964 for the Boeing 720 hydraulic system. Up to
this point many items in the hydraulic system had individual overhaul
limits, frequently timed to coincide with the overhaul age for the airplane itself. This program depended instead on on-condition tasks. It
consisted of a schedule of tests to be performed prior to this major airplane overhaul to determine whether there were internal leaks, an
indication of reduced failure resistance, in the hydraulic subsystems
and assemblies. Only those units that failed the tests were removed and
routed to the shop for overhaul (repair). By 1969 United Airlines had
qualified 209 items on various types of airplanes under this on-condition
program.
Several facts had become apparent as a result of all these new
programs:
• The reliability programs that had been developed and implemented
  to "realistically and responsively relate operating experience to the
  maintenance controls established" had demonstrated that hard-time overhaul actions were of no benefit whatsoever in controlling
  the reliability of most items, that is, most items had no "right"
  overhaul time.

• Actuarial analysis provided a means of determining the age-reliability characteristics of flight equipment and controlling operating reliability in the absence of fixed overhaul limits.

• Conditional overhauls were at least as effective for most items as
  the overhauls carried out under traditional concepts.

• Reliability programs achieved a major portion of the economic
  gains that could be realized by elimination of those scheduled-maintenance tasks that were ineffective.

• Administration of a large number of individual reliability programs was a burdensome procedure.

It was clearly time for something more than a piecemeal approach.
It was now necessary to consolidate the existing knowledge and develop
a technique by which:

• An effective scheduled-maintenance program could be designed
  before a new type of airplane entered service

• This program could be modified after the airplane was in service
  and reliability information from actual operating data was available

The first attempt at a decision-diagram approach to the development of
scheduled-maintenance programs was made in 1965, and by 1967 a
workable technique had been developed and described in professional
papers.*

*H. N. Taylor and F. S. Nowlan, Turbine Engine Reliability Program, FAA Maintenance
Symposium on Continued Reliability of Transport-type Aircraft Propulsion Systems,
Washington, D.C., November 17-18, 1965. T. D. Matteson and F. S. Nowlan, Current
Trends in Airline Maintenance Programs, AIAA Commercial Aircraft Design and Operations Meeting, Los Angeles, June 12-14, 1967. F. S. Nowlan, The Use of Decision Diagrams
for Logical Analysis of Maintenance Programs, United Airlines internal document, August
2, 1967.

Also in 1967, the initial program for the new Boeing 737 incorporated
a procedure called System and Component Operating Performance
Evaluation (SCOPE).* This procedure was applicable to classes of items
which had been found historically to have no marked age-reliability
relationships. The program provided for a two-year period free of any
overhaul limits. During this period the performance of each item was to
be monitored, and from then on its performance was to be compared
with standards based on the item's operation during those two years.
An item that did not meet the standard of its previous performance,
one whose failure rate might be increasing with age, was then to be
investigated, and action was to be taken, if feasible, to improve its reliability. The investigation might include actuarial analyses for specific
items that failed to meet the performance standards if an operating airline chose to conduct such studies. However, no actuarial studies were
required to qualify an item for exclusion from overhaul limits in an
initial program.
This program represented the first recognition in an initial program
that certain items do not benefit from scheduled maintenance (later such
items would be said to be supported by condition monitoring). The
program covered 49 items that would have been assigned hard-time
overhaul limits under previous maintenance approaches.

*Federal Aviation Administration Maintenance Review Board Report, app. A, Boeing 737
Maintenance Program, October 1967.

B 4

THE AIR TRANSPORT ASSOCIATION
MSG-1 AND MSG-2 PROGRAMS

By 1968, when the initial scheduled-maintenance program for the new
Boeing 747 was developed, there had been further developments. There
was general recognition of three primary maintenance processes: hard-time overhaul, an on-condition process, and a condition-monitoring
process. The conditions that must be met for each of these processes
to be applicable had been clearly defined, and there was a workable
decision diagram that could be used to develop a scheduled-maintenance
program that encompassed these three primary processes.
The FAA had indicated an interest in working with the airline customers of the Boeing 747 to apply a newer and more modern technique to
the development of the initial maintenance program for this airplane.
Accordingly, a group of the airline representatives on the 747 Maintenance Steering Group drafted MSG-1, Handbook: Maintenance Evaluation
and Program Development. This document, issued in July 1968, was used
by special teams of industry and FAA personnel to develop the new
Boeing 747 program. As described by the FAA in a later publication,
these teams*

. . . sorted out the potential maintenance tasks and then evaluated
them to determine which must be done for operating safety or
essential hidden function protection. The remaining potential tasks
were evaluated to determine whether they are economically useful.
These procedures provide a systematic review of the aircraft design
so that, in the absence of real experience, the best [maintenance]
process can be utilized for each component or system.
The Boeing 747 maintenance program was the first attempt to apply RCM
concepts.
Actual work with MSG-1 identified many areas in which the document could be improved, and in March 1970 the Air Transport Association issued MSG-2: Airline/Manufacturer Maintenance Program Planning
Document. This document, which included further refinement of the
decision-diagram approach, was used to develop the initial maintenance programs for the Lockheed 1011 and the Douglas DC-10. A similar
document, entitled European Maintenance System Guide, was prepared
in Europe and served as the basis for development of the initial programs for the Airbus Industrie A-300 and the Concorde. The impact of
MSG-1 and MSG-2 on the resulting programs is apparent from the number of items assigned scheduled removal tasks: eight on the Boeing
747 and seven on the Douglas DC-10, in contrast to 339 in the earlier
program for the Douglas DC-8.
In 1972 MSG-2 was used to develop reliability programs for all the
older fleets of airplanes operated by United Airlines. These individual
programs were implemented by the single program LIBRA, which
replaced all the earlier reliability programs that had been developed on
a piecemeal basis for these aircraft. However, MSG-2 focused primarily
on the tasks that should be included in an initial program and provided
little guidance on other aspects of the decision-making process, such
as the identification of significant items and the use of operating data
in modifying the initial program. The next step, therefore, was further
refinement of the decision-diagram technique to clarify the role of
failure consequences in establishing maintenance requirements, the
role of hidden-function failures in a sequence of multiple failures, and
the concept of default answers to be used as the basis for decisions in
the absence of the necessary information. The result was the technique
of RCM analysis described in this volume.
*Federal Aviation Administration Certification Procedures, Federal Aviation Administration,
May 19, 1972, par. 3036.

B 5

THE RELATIONSHIP OF SCHEDULED
MAINTENANCE TO OPERATING SAFETY

The traditional view of scheduled maintenance was that it must, of
necessity, increase operating safety, and therefore the more intensive
the maintenance, the safer an aircraft would be. It is quite possible, of
course, for the loss of an essential function or the secondary damage
caused by certain failure modes to have a direct effect on safety. Whether
this is the situation in specific cases, however, depends on the design
characteristics of both the item and the equipment in which it is
installed.
Since complex high-performance equipment is by nature subject to
failures, a major safety consideration is to ensure that it will be failure-tolerant (damage-tolerant). While the basic forms of preventive maintenance can very often prevent failures caused by specific failure modes,
they are not as successful in reducing the overall failure rate of complex
items subject to many different types of failure. Fortunately most critical
failures can be prevented at the design stage by the use of redundancy
to protect against the complete loss of an essential function. Where a
specific failure mode can cause critical secondary damage, and this
possibility cannot be eliminated by modifying the design, there are two
preventive tasks that can be used to ensure safety: on-condition inspections, where they are applicable and effective, and discard of the part in
question at a predetermined safe-life limit. In both cases these tasks are
directed at the individual part in which the critical failure mode originates. Thus scheduled maintenance can ensure realization of the inherent
safety levels of the equipment, but it cannot compensate for deficiencies
in those levels.
The process of RCM analysis consists of a detailed study of the
design characteristics of the equipment to determine the items whose
loss of function would have significant consequences at the equipment
level, as well as the specific failure modes most likely to lead to that loss
of function. This study identifies the failures and failure modes that are
critical, those which could have a direct effect on operating safety. It
also identifies those failures which will be hidden and therefore represent a loss of protection that might at some later time affect operating
safety. We then examine the various forms of preventive maintenance
at our disposal to determine which scheduled tasks are essential and
must be included in the program to prevent critical failures. This examination also tells us which tasks are likely to accomplish this objective,
that is, what tasks can prevent all failures and what tasks can merely
reduce the failure frequency.
Modern transport aircraft are subject to very few critical failure
modes because the design requirements of the FAA, as well as the
specifications of operating organizations and manufacturers, have been
adjusted repeatedly over the years to overcome safety problems inherent
in the design as soon as they became apparent. In the process, however,
equipment has become more complex, and therefore subject to a greater
number of failures that do not affect safety. Current thinking on the
relationship between safety and scheduled maintenance can thus be
summarized as follows:
• Failures are inevitable in complex equipment and can never be
  entirely prevented by scheduled maintenance.

• Reliability can usually be dissociated from safety by the design
  features of the equipment.

• A failure is critical only if loss of the function in question has a
  direct adverse effect on operating safety or if the failure mode that
  causes a loss of function also causes critical secondary damage. Because of this second condition, an item can have a critical failure
  mode even when the loss of its function is not critical.

• It is possible to design equipment so that very few of its failures
  or failure modes will be critical.

• In the few cases in which critical failure modes cannot be overcome
  by design, on-condition tasks and safe-life discard tasks can make
  the likelihood of a critical failure extremely remote.

• Scheduled overhaul has little or no effect on the reliability of complex items. Rework tasks directed at specific failure modes can
  reduce the frequency of failures resulting from those failure modes,
  but the residual failure rate will still represent an unacceptable
  risk. Consequently scheduled rework is not effective protection
  against critical failures.

• The technique of RCM analysis explicitly identifies those scheduled
  tasks which are essential either to prevent critical failures or to
  protect against the possible consequences of a hidden failure.

• Scheduled-maintenance tasks that do not relate to critical failures
  have no impact on operating safety. They do have an impact on
  operating costs, and their effectiveness must therefore be evaluated
  entirely in economic terms.

APPENDIX C

actuarial analysis
THE APPLICABILITY criteria for both scheduled rework tasks and economic-life tasks include two conditions which require the use of conditional-probability and survival curves derived from operating data:

• There must be an identifiable age at which the item shows a rapid
  increase in the conditional probability of failure.

• A large proportion of the units must survive to that age.

60th condition>, of course, relate to the question of what good an age


limit might do. In this appendix we will consider the problems and
methods involved in determining whcther the failure behavior of an item
satisfies these conditions. Although much of the cvmputation is amenable to computer applications, the discussion here is confined to manua:
methods, both to illustrate the computational details and to indicate the
areas in which certain graphical procedures have distinct advantages
over most available computer methods.
TFle development of an age-reliability relationsl-.ip, as expressed by
a cunle representing the conditional probability of failure, requires a
considerable amount of datd. When the failure is one that has serious
consequences, this body of data will not exist,since preventive measures
must, of necessity, be taken after the first or the first few failures. T h ~ s
actuarial analysis cannot be used to establish the age limits of greatest
concern - those necessary to protect operating safety. In these cases we
must rely instead on safe-life limits established 9n the basis of the
manufacturer's test data. Fortunately safe-life iten~sarc single parts, and
the ages at failure are grouped fairly closely about the average. However, the test data for long-lived parts are so scanty that we usually cannot associate them with any of the well-developed probability distributions. Thus a safe-life limit is established by dividing the test results by
some conservatively large arbitrary factor, rather than by the tools of
actuarial analysis.

The same limitation applies to failures that have serious operational
consequences. The first occurrence of such a failure frequently requires
an immediate decision about protective action, without waiting for the
additional data necessary for an actuarial analysis. At the other end of
the scale, there will usually be a large body of data available for those
items whose failure has only minor consequences. Thus there is ample
material for an actuarial analysis to determine whether an age limit
would be applicable, but far less likelihood that it will meet the conditions for cost effectiveness. The chief use of actuarial analysis is for
studying reliability problems in the middle range - those failures which,
taken singly, have no overwhelming consequences, but whose cumulative effect can be an important cost consideration.

C.1 ANALYSIS OF LIFE-TEST DATA

Actuarial analysis is simplest when it is based on data obtained from a
life test. In a life test a group of units of a given item begin operation
simultaneously under identical operating conditions. Each unit is then
permitted to operate until it either fails or reaches the age set as the termination age for the test. A life-test analysis conducted on a set of 50
newly installed engines will illustrate both the utility and the limitations
of this approach. The test period in this case was 2,000 operating hours,
and of the 50 units that started, 29 survived to the test-termination age,
accumulating a total of 58,000 hours of operating experience. At various
times during the test period, 21 units failed, and these failed units
accumulated 18,076 hours of operating experience. The ages at failure
are listed in Exhibit C.1 in order of increasing age at failure. It is important to note that each of the 50 engines had an opportunity to survive
to 2,000 hours. Some did survive, whereas others failed at ages less than
2,000 hours.

Exhibit C.1 also shows the proportion of units surviving after each
engine failure. The first engine failed at an age of 4 hours. The other 49
survived beyond that age. Thus 49/50, or 0.98, of the engines survived
to an age greater than 4 hours. Similarly, 48/50, or 0.96, of the engines
survived to an age greater than 33 hours. When the proportions surviving after the age of each failure are plotted on a graph, as shown in
Exhibit C.2, a smooth curve drawn through the points provides a smooth
estimate of the proportion that would survive - the probability of
survival - at any interim age. This smooth curve can also be used to
estimate the probability of survival in the population of engines from
which the sample of 50 was selected.
While this freehand process is likely to result in slight differences
in the smooth curves drawn by different analysts, the curve is always
constrained by the fact that the proportion surviving (and hence the
probability of survival) cannot increase, so that by definition the first
derivative must be negative. This condition is generally sufficient to
force a high degree of conformity, at least in the curves drawn by
experienced analysts.

EXHIBIT C.1 Life-test experience to 2,000 hours with 50 newly
installed Pratt & Whitney JT8D-7 engines. (United Airlines)

number of units in test                      50
number of units surviving to 2,000 hours     29
number of units failed before 2,000 hours    21

failure age of units that failed (hours), in order of increasing age:
4, 33, 112, 154, 309, 337, 359, 403, 694, 724, 736,
792, 827, 866, 136, 10638, 1,657, 1,664, [illegible], 1,818
total = 18,076

proportion surviving beyond failure age, in the same order:
0.98, 0.96, 0.94, 0.92, 0.90, 0.88, 0.86, 0.84, 0.82, 0.80, 0.78,
0.76, 0.74, 0.72, 0.70, 0.68, 0.66, 0.64, 0.62, 0.60, 0.58

Operating experience of 29 surviving units = 58,000 hours
Operating experience of 21 failed units = 18,076 hours
Total operating experience all units = 76,076 hours
Failure rate = 21/76,076 = 0.276 per 1,000 hours
Mean time between failures = 76,076/21 = 3,623 hours
Average age at failure = 18,076/21 = 861 hours
In looking at life-test data there is sometimes a temptation to concentrate on the ages of the units that failed, instead of balancing the
failure experience against the survival experience. For example, the
test data in Exhibit C.l show a mean time between failures of 3,623
operating hours, although the average age of the failed engines was
only 861 hours. This large difference results from the test-termination
age of 2,000 hours. If the test had run instead to a termination age of
3,000 hours, additional failures would have occurred at ages greater
than 2,000 hours, making the average age at failure much higher; in
contrast, the mean time between failures would not be much different.
If the life test were permitted to continue until all 50 of the units failed,
the average age at failure and the mean time between failures would,
of course, be the same.
Caution must be exercised in using life-test failure rates as estimates of what might happen in the future. If maintenance practice
required the replacement of all engines with new ones at the end of
2,000 hours, and if the units in the life test represented a random sample
of the process that would supply the replacement units, then the failure
rate of 0.276 per 1,000 operating hours would be an accurate prediction
for the engine in Exhibit C.1. However, it is far more likely that expensive complex items will receive extensive corrective maintenance, and
a repaired unit may or may not exhibit precisely the same failure rate
as a new one. Moreover, as dominant failure modes are identified and
corrected, the overall failure rate would be expected to drop. There would
also be little point in removing the units that survived the life test from
service unless there were strong evidence that removal at that age
would result in some overall gain, such as a lower failure rate. Thus the
failure rate for a life test tells us little more than the simple fact that there
were x failures for the number of hours of experience covered by the test.
The life-test approach has certain disadvantages in an operational
setting. Usually it is not possible to select the test units as a random
sample of the population, since the objective of the test is to obtain
information as soon as possible. This means that the study will ordinarily be based on the first units to enter service. Also, it cannot be
terminated until each of the selected units has reached the specified
age - that is, until the last unit installed has reached the test-termination
age. The analysis can be advanced, of course, either by reducing the
number of units in the study or by reducing the length of the test
period. Reducing the number of units covered increases the likelihood
of being misled by sampling effects. Reducing the termination age
for the test results in disregarding part of the available information -
the actual experience at ages greater than the test-termination age.
EXHIBIT C.3 An example of the information excluded by life-test
data. Although information is available on unit 4, which replaced
failed unit 2, this unit will not have aged to 2,000 hours by the
termination age, and hence cannot be taken into account.
[Figure: units 1, 2 and 3 plotted against operating age, with the termination age marked.]

Exhibit C.3 illustrates another reason that certain available information cannot be used if operating data are used to simulate a life
test. Suppose units 1 and 3 survive to the test-termination age, and
unit 2 fails. In actual operations this failed unit will be replaced by
unit 4, which will age in service but will not have reached 2,000 hours
by the time units 1 and 3 reach the termination age. Thus, although the
experience of unit 4 is available, it cannot be considered in a life-test
format. The fact that this type of analysis does not permit us to use all
the available information is sufficient reason in itself to consider other
methods of analysis that do not have this shortcoming.
Life-test analysis has one further shortcoming from the standpoint
of an operating organization. If there are reliability problems, the operator will initiate product-improvement programs and is interested in
determining as quickly as possible whether such programs are successful. This interest may be as great as the interest in age-reliability relationships as such. For this reason procedures for analysis have been
developed which use operating data derived from experience over a
relatively short calendar period.

C.2 ANALYSIS OF DATA FROM A DEFINED CALENDAR PERIOD

The first step in analyzing operating data over a defined calendar period
is to define the length of the period. The choice of an appropriate study
period is always a compromise between two factors. On the one hand,
a short period is desirable to expedite decision making and to minimize
the effects of changes in the character of the units and the external
environment. On the other hand, a short period limits the amount of
operating experience and failure data that can be considered. The relative magnitude of sampling effects is a function of the number of failures
and increases as the number of failures decreases. Experience suggests
that the calendar period selected for any item should be long enough to
include at least 20 failure events.
Once the period has been defined, the following data must be
obtained:

The age and identity of each unit of an item that was in operation at
the beginning of the calendar period

The age and identity of each unit of an item that was still in operation at the end of the calendar period

The age and identity of each unit that was removed from operation
during the calendar period and the reason for removal (failure of
this unit or removal for some other reason)

The age and identity of each replacement unit that was installed
during the calendar period

Notice the emphasis on unit identification. Reliability analysis is
greatly facilitated by giving each unit a unique serial number. Exhibit
C.4 describes the operating history of seven such units over a three-month calendar period. The same information is displayed in Exhibit
C.5. Each horizontal line in the first graph represents a unit's operating
position on a piece of equipment. If the history for all units were plotted,
an installation would follow the removal of unit 5810 on May 4. Similarly,
a removal would precede the installation of unit 5880 on May 27 -
unless that line represented equipment that first entered service on
that date. Lack of continuity on any line is an indication that unit life
histories are missing. The second graph shows the relationship between
events and the operating ages of the units.
Briefly, then, what happens during a fixed calendar period is this:
A certain number of units, of varying ages, enter the study period in
service; these units build up time, with some continuing in operation
over the entire period and others being withdrawn from service, either
because they have failed or for some other reason. New units enter
service to replace the ones that have been removed, and these new
units also accumulate operating experience during that time; some of
these may also be removed before the end of the calendar period and
replaced, in turn, by other new units. From this picture we want to
determine what proportion of the units failed prior to a given age and
what proportion survived.

EXHIBIT C.4 Operating history of seven units from May 1 to July 31,
1974. (United Airlines)

serial                         age,                 reason              age,
number   date on     age on    5/1/74   date off    off       age off   7/31/74

5072     4/23/74                  34                                      522
5810     12/17/72              2,441    5/4/74      NF*       2,447
5974     8/19/73               1,251                                    1,707
5880     5/27/74     0                                                    154
6031     7/7/74      0                                                    127
5827     3/18/74                 167                                      607
61326    12/15/73                639    6/29/74     F†        [illegible]

*Removal for reasons not associated with a failure.
†Removal because of a failure.

EXHIBIT C.5 Operating history of the seven units in Exhibit C.4
shown as a function of calendar time (top) and as a function of
operating age (bottom). (United Airlines)
[Figure: top panel plotted against calendar months (May, June, July), with the removal of unit 5810 at 2,447 hours marked; bottom panel plotted against operating age (hours), with removal and failure events marked.]
The first step in an actuarial analysis is to break the total lifetime
of the oldest unit down into age intervals. These may be age cells of
any length, but a reasonable rule of thumb is to have fewer age intervals
than there are failures (otherwise many of the intervals will have zero
failures). In the situation described in Exhibit C.6, for example, the
oldest engine in the study was less than 5,400 hours old, and there were
30 verified failures during the three-month study period; hence we can
use 200-hour age intervals. The total age range can then be viewed as a
series of discrete intervals - 0-200 hours, 201-400 hours, 401-600 hours,
and so on - and the aging process consists of a series of trials to traverse
each successive interval. Thus the first trial for a newly installed unit is
to traverse the 0-200-hour interval. If the unit fails prior to 200 hours,
the trial is unsuccessful. If the unit survives this interval, its next trial
is to traverse the 201-400-hour interval. There are only two possible
outcomes for any trial: a successful traverse or a failure.
The ratio of failures during an interval to the number of trials at that
interval is the conditional probability of failure during that age interval -
that is, it is the probability of failure, given the condition that a unit
enters that interval. The ratio of successful traverses across an interval
to the number of trials at that interval is the conditional probability of
survival across that age interval.
A trial is counted as a whole trial under three circumstances:

A unit enters an interval and makes a successful traverse.

A unit enters an interval and fails in that interval.

A unit starts in an interval and fails in that interval.

A trial is counted as a fractional trial when:

A unit enters an interval and is removed during that interval without failure.

A unit starts in an interval and either makes a successful traverse or
is removed during that interval without failure.

Each fractional trial is counted as half of a whole trial - which it is, on
the average.
Consider the 0-200-hour age interval. Some of the units that were
in that age interval on May 1 and some of the units that entered it after
May 1 failed. Others made a successful traverse and survived to enter
the next interval, 201-400 hours. The number that entered this next
interval is the number that were either in the 0-200-hour interval on
May 1 or entered it after that date, less the number of removals and the
number of units which were still in that interval on July 31. In other
words, referring to the column numbers in Exhibit C.6, the number of
units that leaves any age interval to enter the next higher age interval is
computed as

    col 2 + col 3 - col 4 - col 5

EXHIBIT C.6 Procedure followed in an actuarial analysis of operating
experience with the Pratt & Whitney JT8D-7 engine on the Boeing 737
from May 1 to July 31, 1974. (United Airlines)

Columns, in order: age interval; no. which entered interval; no. in
interval on May 1; no. in interval on July 31; total removed; no. failed;
cumulative failures; no. of trials; experience in interval; cumulative
experience.

Note that whenever a unit is removed, the replacement unit, which
has just come out of the shop, enters the 0-200-hour interval at an age
of 0 hours. There were 42 units removed from service during the study
period, 30 caused by failures and 12 for other reasons. This means that
42 units entered the 0-200-hour interval as new units. The number
entering each of the other intervals must be calculated from the equation
above.
Now we must calculate the trials associated with each age interval.
The number of traverses of the upper boundary of an interval is greater
than the number of successes during the calendar period, because those
units that were already in that interval on May 1 had, on the average,
each completed half a trial. The number of trials associated with the
successful traverses is therefore

    (col 2 + col 3 - col 4 - col 5) - col 3/2 = col 2 + col 3/2 - col 4 - col 5

Each engine failure counts as a full trial. The engine removals that
were not associated with failures and the units that were still in the
age interval on July 31 are counted as fractional trials. The total number
of trials associated with an age interval is

    col 2 + col 3/2 - col 4 - col 5 + col 6 + (col 5 - col 6)/2 + col 4/2
        = col 2 + col 3/2 - col 4/2 - col 5/2 + col 6/2

Each trial associated with a successful traverse represented 200
hours of operating experience. Each engine removal and each unit still
in the interval on July 31 therefore represents an average of 100 hours of
operating experience. Consequently the operating experience represented by an age interval is computed as

    200 x [(col 2 + col 3/2 - col 4 - col 5) + (col 4/2 + col 5/2)]
        = 200 x (col 2 + col 3/2 - col 4/2 - col 5/2)

The next step is calculation of the proportion of the trials that end
in successful traverses of each age interval and the proportion that result
in failure in each interval. The results of these calculations are shown in
Exhibit C.7. The proportion of units surviving or failing in a given age
interval are considered to be estimates of the respective probabilities.
The cumulative probability of survival to the end of any interval is the
product of the survival probabilities for all preceding intervals and the
probability of survival across the interval in question. Similarly, the
cumulative failure number for the end of any age interval is the sum
of the probabilities of failure in all preceding intervals and the probability of failure in this interval. The cumulative failure number is not a
probability. It can be considered to represent the average number of
failures which would occur if single trials were made to traverse the
selected interval and each of the earlier intervals.

EXHIBIT C.7 Survival characteristics of the Pratt & Whitney JT8D-7
engine on the Boeing 737 during the period May 1 to July 31, 1974.
(United Airlines)

age            no. of    no. of     proportion   cumulative    proportion   cumulative
interval       trials    failures   surviving    probability   failing      failure no.
(1)            (2)       (3)        (4)          (5)           (6)          (7)

0-200          43.5      4          0.908        0.908         0.092        0.092
201-400        40.0      3          0.925        0.840         0.075        0.167
401-600        36.5      1          0.973        0.817         0.027        0.194
601-800        35.0      4          0.886        0.724         0.114        0.308
801-1,000      25.0      2          0.920        0.666         0.080        0.388
1,001-1,200    17.0      1          0.941        0.627         0.059        0.447
1,201-1,400    14.0      0          1.000        0.627         0.000        0.447
1,401-1,600    14.0      0          1.000        0.627         0.000        0.447
1,601-1,800    15.5      3          0.806        0.505         0.194        0.641
1,801-2,000    12.0      3          0.750        0.379         0.250        0.891
2,001-2,200     8.0      1          0.875        0.332         0.125        1.016
2,201-2,400    10.0      1          0.900        0.298         0.100        1.116
2,401-2,600    12.0      2          0.833        0.249         0.167        1.283
2,601-2,800     8.0      1          0.875        0.217         0.125        1.408
2,801-3,000     4.0      0          1.000        0.217         0.000        1.408
3,001-3,200     3.0      1          0.667        0.145         0.333        1.741
3,201-3,400     2.5      1          0.600        0.087         0.400        2.141
3,401-3,600     2.0      1          0.500        0.044         0.500        2.641
3,601-3,800     1.5      0          1.000        0.044         0.000        2.641
3,801-4,000     1.5      0          1.000        0.044         0.000        2.641
4,001-4,200     0.5      0          1.000        0.044         0.000        2.641
4,201-4,400     0.0      --         --           --            --           --
4,401-4,600     0.0      --         --           --            --           --
4,601-4,800     0.0      --         --           --            --           --
4,801-5,000     0.5      0          1.000        0.044         0.000        2.641
5,001-5,200     1.0      1          0.000        0.000         1.000        3.641
5,201-5,400     0.0      --         0.000        0.000         0.000        3.641
The occurrence of a failure in any interval is a random event. Thus
it is possible to have a number of failures in one age interval, none in
the next, and a few again in the next. Our concern with the age-reliability
relationship is the possibility that the failure rate may increase significantly with age, and if it does, we may wish to evaluate the utility of an
age limit for the item in question. (Infant mortality is also a concern,
but this is a different and much simpler problem, since it occurs quickly,
if at all, and there is an abundance of data available for study.) Thus
local variations in the failure rate are of little interest. This implies that
we will have to smooth the data to reduce the effect of the random time
occurrences of the failures.
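
The column arithmetic described for Exhibit C.6 and the cumulative columns of Exhibit C.7 can be carried through as follows. This is an added example in Python, not part of the original text: all names are illustrative, the first-interval counts for columns 3 to 5 are constructed so that the result matches the 43.5 trials shown in Exhibit C.7, and the last three (trials, failures) pairs are constructed to exercise an empty interval and an interval in which every unit fails.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

INTERVAL_HOURS = 200  # width of each age interval used in the text


@dataclass
class IntervalCounts:
    """Counts for one age interval over the calendar period (Exhibit C.6 columns)."""
    entered: float      # col 2: units that entered the interval during the period
    in_at_start: float  # col 3: units already in the interval on the first day
    in_at_end: float    # col 4: units still in the interval on the last day
    removed: float      # col 5: all removals, failures included
    failed: float       # col 6: removals caused by failure


def units_leaving(c: IntervalCounts) -> float:
    """Units that go on to enter the next interval: col 2 + col 3 - col 4 - col 5."""
    return c.entered + c.in_at_start - c.in_at_end - c.removed


def successful_trials(c: IntervalCounts) -> float:
    """Units present at the start had, on average, already done half a trial."""
    return units_leaving(c) - c.in_at_start / 2


def trials(c: IntervalCounts) -> float:
    """Whole trials for traverses and failures, half trials for the rest."""
    if not 0 <= c.failed <= c.removed:
        raise ValueError("failures must lie between 0 and total removals")
    return (successful_trials(c) + c.failed
            + (c.removed - c.failed) / 2 + c.in_at_end / 2)


def experience_hours(c: IntervalCounts, width: int = INTERVAL_HOURS) -> float:
    """Full width per successful traverse, half width per removal or unit left."""
    return width * (successful_trials(c) + (c.removed + c.in_at_end) / 2)


@dataclass
class SurvivalRow:
    p_survive: Optional[float]  # col 4 of Exhibit C.7, None when there were no trials
    cum_survival: float         # col 5: running product of p_survive
    p_fail: Optional[float]     # col 6: failures / trials
    cum_failure_no: float       # col 7: running sum of p_fail (not a probability)


def survival_table(rows: Sequence[Tuple[float, float]]) -> List[SurvivalRow]:
    """Build the Exhibit C.7 columns from (trials, failures) per interval."""
    out: List[SurvivalRow] = []
    cum_surv, cum_fail = 1.0, 0.0
    for n_trials, n_failed in rows:
        if n_failed > n_trials:
            raise ValueError("an interval cannot have more failures than trials")
        if n_trials == 0:  # no experience: nothing to estimate, carry totals forward
            out.append(SurvivalRow(None, cum_surv, None, cum_fail))
            continue
        p_fail = n_failed / n_trials
        cum_surv *= 1.0 - p_fail  # drops to 0 for good once every unit fails
        cum_fail += p_fail        # stays additive, so later intervals still count
        out.append(SurvivalRow(1.0 - p_fail, cum_surv, p_fail, cum_fail))
    return out


# 0-200-hour interval: 42 new units entered and 4 failed (from the text);
# cols 3, 4 and 5 are constructed values chosen to reproduce 43.5 trials.
FIRST_INTERVAL = IntervalCounts(entered=42, in_at_start=9, in_at_end=6,
                                removed=4, failed=4)

# Trials for the first six intervals of Exhibit C.7, with the failure counts
# that the exhibit's proportion-failing column implies (for example 4/43.5 = 0.092).
C7_HEAD = [(43.5, 4), (40.0, 3), (36.5, 1), (35.0, 4), (25.0, 2), (17.0, 1)]

# Constructed tail: an empty interval, an interval where the only unit fails,
# and a later interval that still has experience.
CONSTRUCTED_TAIL = [(0.0, 0), (1.0, 1), (2.0, 1)]

if __name__ == "__main__":
    print("trials in first interval:", trials(FIRST_INTERVAL))
    for row in survival_table(C7_HEAD + CONSTRUCTED_TAIL):
        print(row)
```

The computed cumulative failure numbers can differ from the exhibit in the third decimal place because the exhibit adds proportions that were already rounded.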

C.3 THE SMOOTHING PROBLEM

The conditional probability of failure is simply the ratio of the number
of failures in a given age interval to the number of units that attempt
that interval. In an actuarial study this represents the proportion of the
units entering each age interval that fail during that interval, as shown
in column 6 of Exhibit C.7. The proportions vary from 0 to 1, and as
expected, this variation tends to increase as the number of units in the
interval decreases.
The data for the engine under study suggest a relatively high failure
rate at low ages (infant mortality), a lower rate at the middle ages, and
a higher rate at the higher ages. This last possibility is of particular
interest because of its implications for scheduled rework and economic-life-limit tasks. There are several ways of analyzing the data to try to
clarify the picture:

We can smooth the data through some standard smoothing procedure, such as a moving average or exponential smoothing.

We can increase the length of the age intervals, which would
increase the number of failures per interval, and thus reduce the
variability of the failure rate.

We can construct cumulative graphs of the data in any of several
ways and simply draw a smooth curve through the data points.

The first of these procedures will not be discussed here, since it
is well-covered by the literature. The second smoothing procedure -
increasing the age interval in such a way that each interval has approximately the same amount of unit experience - is somewhat more common. One such grouping, for example, yields the following results:

This grouping of the data suggests a linearly decreasing failure rate for
the first 1,600 hours, followed by a very sharp increase immediately after
this age. The intervals might also be adjusted as follows:

In this case the data suggest a more moderate initial decrease in failure
rate, followed by a more moderate increase starting at 1,200 hours (rather
than 1,600 hours). Other choices would lead to still other variations of
this sort. Age grouping is simple and the statistical interpretation is
straightforward. However, it is obvious from the examples above that
the interpretation is highly dependent on the grouping process.
The chief problem in representing failure data is to reduce the apparent variations so that different analysts will come to similar conclusions.
A common engineering procedure to accomplish this is to cumulate the
data and then graph the cumulative values. There are three methods in
general use, although all three have the limitation that they do not
explicitly take into account the varying amounts of unit experience in
different age intervals. For example, the engine data in Exhibit C.6 show
much more experience in the earlier age intervals than in the later ones -
and this will necessarily be the case whenever failed units are automatically replaced by units with zero age. Thus the trial count in Exhibit
C.7 ranges from 43.5 to 35 trials in the first four age intervals, whereas
in the later intervals the number of trials was as small as 4 or 2, or even 0.
This kind of variation in unit experience makes it more difficult to assess
the validity of the pattern suggested by a smooth curve.

One method of cumulating the data is to multiply the proportions
surviving successive age intervals to obtain the cumulative probability
of survival for each interval (column 5 in Exhibit C.7), draw a smooth
survival curve through the points (as shown in Exhibit C.2), and then
compute the conditional probability of failure for each interval from the
simple formula

    Conditional probability of failure in interval
        = (probability of entering interval - probability of surviving interval)
          / probability of entering interval

This procedure breaks down, of course, when we reach an interval in
which all the units fail (because the proportion surviving is zero). However, the likelihood that all the units in an interval will fail is small
unless the number of units in that interval is itself small. With the engine
described in Exhibits C.6 and C.7 this happens for the first time in the
5,001-5,200-hour interval, which contains only one unit. If, as sometimes happens, we had had failure data beyond this age interval, a
smoothing procedure that relies on multiplication would not have permitted us to use it.
Another method makes use of the cumulative failure number (column 7 in Exhibit C.7). This number, at the end of a given interval, is
the sum of the probabilities of failure in all preceding intervals and
the probability of failure in the interval in question. Remember that the
cumulative failure number is not itself a probability; it represents the
average number of failures that would occur if single trials were made
to traverse the selected interval and each of the earlier intervals. Exhibit
C.8 shows the cumulative failure numbers at the end of each age interval
plotted as a function of operating age, with a smooth curve drawn
through the points. The conditional probability of failure in an interval
is the difference between the cumulative failure numbers at the end and
the beginning of the interval. For example, from Exhibit C.8, the
smoothed cumulative failure number at the end of 1,000 hours is 0.395
and at the end of 800 hours it is 0.310. Thus the conditional probability
of failure in the 801-1,000-hour interval is .395 - .310 = .085, or at 900
hours (midinterval), .085/2 = .042 per 100 hours.

EXHIBIT C.8 The cumulative failure number for the Pratt & Whitney
JT8D-7 engine on the Boeing 737. (United Airlines)

[Figure axis label: cumulative unit experience (hours)]

EXHIBIT C.9 A simple method for determining the age-reliability
relationship of the Pratt & Whitney JT8D-7 engine. The slope of the
smooth curve at any operating age is a measure of the conditional
probability of failure at that age. (United Airlines)
This procedure differs from the previous one in terms of the quantity that is being smoothed. The precise difference cannot be pinned
down if the graphing is done manually, since there is no way to tell
with either method precisely how the experienced analyst is weighting
the two factors when he draws the smooth curve. The procedure is
primarily additive, however, so that there is no difficulty in treating
intervals in which all units fail.
A third method is to plot the cumulative number of failures by the
end of each interval against the cumulative experience by the end of
that interval. The values for both of these variables are listed in Exhibit
C.6, and the resulting plot is shown in Exhibit C.9. The slope of the
smooth curve at any age is the conditional probability of failure associated with that age. There is a temptation in this case to represent the
plotted points by three straight line segments - one from 0 to 200 hours,
another from 200 to 1,800 hours, and a third from 1,800 to 5,200 hours.
Such straight line segments would lead to the following conditional
probabilities of failure:

operating age (hours)    conditional probability of failure (per 100 hours)

0-200                    .048
200-1,800                .037
1,800-5,200              .100

This construction suggests abrupt changes in the conditional probability
of failure at 200 hours and again at 1,800 hours. While it is conceivable
that dominant failure modes might be dispersed about these average
ages, it is highly unlikely that there are actual discontinuities in the
conditional probability of failure.
The discontinuities can be avoided simply by drawing a smooth
curve instead of straight line segments through the plotted points (the
black curve in Exhibit C.9). Conditional probabilities can then be
obtained from the smooth curve by drawing tangents to it at various
operating ages. Typical results are as follows:

operating age (hours)    conditional probability of failure (per 100 hours)

0                        .050
200                      .042
400                      .038
600                      .036
...                      ...
1,600                    .049
...                      ...

The conditional-probability curve obtained by plotting the conditional
probability of failure as a function of operating age is shown in Exhibit C.10.
The average conditional probability of failure in the interval from
0 to 200 hours is .046 (at the midpoint of this interval); hence the probability that an engine will not survive to 200 hours is 2 x .046 = .092, and
the probability that it will survive is 1 - .092 = .908. Similarly, the probability that an engine which has survived to 200 hours will continue to
survive to 400 hours is 1 - (2 x .040) = .920. The probability that an
engine will survive both the 0-200 and the 201-400-hour age intervals
is the product of both these probabilities, or .908 x .920 = .835. A plot
of the survival curve for this extended example is also shown in Exhibit
C.10. Both the conditional-probability curve and the survival curve are
broken at ages above 2,600 hours as a warning that the levels of the
curves are not well-established beyond that age. (The choice of 2,600
hours as a caution point is arbitrary.)
EXHIBIT C.10 Conditional-probability and survival curves derived from the smooth curve in Exhibit C.9.

This third procedure for computing conditional and survival probabilities allows the analyst to assess the varying numbers of failures and trials, and hence to judge reasonably well what portion of the data is well-defined and what portion is more questionable. The smoothing that does occur, while still subject to the variations of freehand construction, will usually lead to nearly identical results for the same data. Exhibit C.11 shows conditional-probability curves obtained by all three methods, as an indication of the consistency of the curve that will result, regardless of the procedure followed. The histogram below this graph is a convenient way of displaying the experience on which the analysis was based. The vertical bars show the volume of operation in each age interval, and the number above each bar is the number of failures that occurred in that interval. A failure rate can be calculated for each age interval. These failure rates are shown as data points on the conditional-probability graph, but it would be difficult to fair a curve through them and define a trend. The actuarial procedures we have discussed overcome this difficulty.

EXHIBIT C.11 A comparison of conditional-probability curves derived by three different methods. The bar chart shows the distribution of operating experience on which all three analyses were based.

C.4 ANALYSIS OF A MIXED POPULATION


The data used in the preceding analyses pertain to an engine that is not subject to scheduled removals. Each engine remains in service until an unsatisfactory condition is detected, either by the maintenance crew or by the operating crew. At that time the engine is removed and sent to the shop for corrective maintenance. Since extensive work may be done on the engine while it is in the shop, this repair process is considered to zero-time the engine. Its operating age is thus measured as engine time since the last shop visit - that is, as the time since the last repair - and all engines are treated as members of a single population.

When an engine is subject to a limit on maximum permissible operating age, it is assumed that complete overhaul of a unit that was operating satisfactorily will also reestablish its age at zero. In the text discussion concerning the effects of an age limit (Section 2.7), it was further assumed that both repaired and reworked engines have the same age-reliability characteristics. This assumption is equivalent to saying that both are members of the same population. Suppose we want to test the validity of this assumption. In that case our analytic techniques must allow for the possibility that the two shop processes may result in different age-reliability characteristics. This can be done by treating the total population of engines as a mixed population.
At one time it was believed that overhaul of a turbine engine prior to a specified operating age played a major role in controlling reliability. On this basis a complete overhaul was the only process considered to zero-time the engine, and operating age was measured as the time since overhaul (TSO). Under this policy an engine removed prematurely for corrective maintenance was repaired and returned to service, but was considered to have experienced no change in its operating age. Two factors, however, might result in premature overhauls, that is, overhauls before the scheduled removal age:

The occurrence of a failure in the last 20 to 25 percent of the permissible operating age, in which case a complete overhaul during this shop visit would avoid the need for a scheduled removal soon after the repaired engine was reinstalled

A failure requiring such extensive repairs that it would be economically desirable to do the additional work needed for a complete overhaul, regardless of the age of the engine

Under these circumstances the results of an actuarial analysis of a mixed population would have to show survival curves, probability-density curves, and conditional-probability curves for three variables: failures, repairs, and overhauls.

The analysis of a mixed population requires very little change from the method discussed in Section C.3. It is necessary only to plot the cumulative number of repairs and the cumulative number of overhauls for each age interval as a function of the cumulative experience for that interval. Exhibit C.12 shows the results for a hypothetical analysis of a mixed population subject to an overhaul age limit of 2,500 hours. The conditional-probability curves show the probability of failure at all ages up to the 2,500-hour limit and the probability of premature overhaul of the units that fail. Below 2,000 hours most of the failed units are repaired and returned to service without overhaul; after 2,000 hours all failures become premature overhauls. The survival curves show that the probability of survival without overhaul decreases slowly up to 2,000 hours; thereafter it decreases at exactly the same rate as the probability of survival without failure. The probability of survival without repair is higher than the probability of survival without failure, since some failures will result in premature overhauls before 2,000 hours; after 2,000 hours the probability of survival without repair remains constant, since all failed units after that age are overhauled.

EXHIBIT C.12 Hypothetical results of an actuarial analysis of a mixed population subject to a scheduled rework task. (Horizontal axis: time since overhaul, flight hours.)
Actuarial analysis of a mixed population requires a number of detailed but simple changes in the format outlined in Exhibits C.6 and C.7. The following adjustments are necessary in Exhibit C.6:

Column 2, which shows the number of units entering an age interval, must take into account reinstallation of a repaired unit, as well as entry of a unit from the preceding interval.

The failure count in column 6 must be partitioned into the number of failed units that are repaired and the number of failed units that are overhauled.

The trial count in column 8 must be adjusted to account for the experience of repaired units that are reinstalled during the study period. The failure of a repaired unit during the interval in which it was installed counts as a whole trial; if the unit survives to leave this interval, this experience counts as a fractional trial.
Similar changes are necessary in the details of Exhibit C.7:

The failure number must be partitioned into failed units that are repaired and failed units that are overhauled.

The probabilities of survival, both for each interval and cumulative, must be partitioned into survival without overhaul, survival without repair, and survival without failure.

The calculations to determine the probability of failure in each interval must be repeated to obtain the probability of a repair in each interval.

A cumulative repair number, like the cumulative failure number, must be calculated for the end of each age interval. This number will be less than the cumulative failure number. The difference between these two numbers is the probability of an overhaul and the complement of the cumulative probability of survival without overhaul for the corresponding interval.
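
The partition described in this section, as an added example that is not part of the original text. The per-interval probabilities and overhaul shares are constructed, the function names are hypothetical, and cumulative survival is assumed to be the running product of per-interval survival, as in the .908 x .920 = .835 calculation earlier in this appendix.

```python
from itertools import accumulate
from operator import mul


def cumulative_survival(interval_probs):
    """Chain per-interval event probabilities into cumulative survival.

    Each entry is the probability that the event occurs in that interval,
    given that the unit entered the interval.
    """
    return list(accumulate((1.0 - p for p in interval_probs), mul))


# Constructed hypothetical data: 500-hour intervals up to a 2,500-hour limit.
INTERVAL_ENDS = [500, 1000, 1500, 2000, 2500]
# Conditional probability of failure in each interval.
P_FAILURE = [0.10, 0.10, 0.12, 0.15, 0.20]
# Share of failed units that are overhauled rather than repaired.
# After 2,000 hours every failure becomes a premature overhaul.
OVERHAUL_SHARE = [0.05, 0.05, 0.10, 0.20, 1.00]


def mixed_population_curves(p_failure, overhaul_share):
    """Partition failures into repairs and overhauls, then build the
    three cumulative survival curves named in the text."""
    p_overhaul = [p * s for p, s in zip(p_failure, overhaul_share)]
    p_repair = [p - o for p, o in zip(p_failure, p_overhaul)]
    return {
        "without_failure": cumulative_survival(p_failure),
        "without_repair": cumulative_survival(p_repair),
        "without_overhaul": cumulative_survival(p_overhaul),
    }


if __name__ == "__main__":
    curves = mixed_population_curves(P_FAILURE, OVERHAUL_SHARE)
    print("age   no failure  no repair  no overhaul")
    for i, age in enumerate(INTERVAL_ENDS):
        print(f"{age:5d}  {curves['without_failure'][i]:.3f}"
              f"       {curves['without_repair'][i]:.3f}"
              f"      {curves['without_overhaul'][i]:.3f}")
```

With these inputs the survival-without-repair curve is flat over the last interval, and the survival-without-overhaul curve falls over that interval by the same factor as the survival-without-failure curve, which is the behavior the text describes for ages beyond 2,000 hours.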

C.5 USEFUL PROBABILITY DISTRIBUTIONS


At certain stages of an actuarial analysis curves are faired through sets of data or calculated points, and subsequent calculations are then based on numerical values read from these curves. This curve-fitting technique is not mathematically precise, and one feels somewhat uncomfortable using extrapolations from such curves. In many cases it is possible to model age-reliability relationships by the mathematical functions which represent certain probability distributions. Special graph papers are available for some of the more common distributions which have the property that a survival curve appears on them as a straight line.

It is known that certain failure processes and the characteristics of certain items result in age-reliability relationships that can be approximated by specific probability distributions. Much information on the physical processes that produce this capability is available in the literature, and this knowledge is the best guide in evaluating the adequacy of a given probability distribution to represent the results of an actuarial analysis. Another more empirical guide is the shape of the conditional-probability or probability-density curve that resulted from the initial analysis. If there is reason to believe that the age-reliability characteristics of an item do follow a particular probability distribution, it is usually more accurate to fit a straight line through survival points on graph paper that is unique to that distribution than it is to draw a curve through the corresponding points plotted on cartesian coordinates.
Many probability distributions have been developed and can be used for reliability analyses. The three which have the widest application are the exponential distribution, the normal distribution, and the Weibull distribution. Exhibit C.13 shows the relationship of the conditional probability of failure, the probability density of failure, and the probability of survival for the exponential distribution. The conditional probability of failure associated with an exponential distribution is constant at all ages; that is, the probability of failure is the same at any age to which a given unit may survive. This is sometimes expressed by saying that an item with exponential characteristics has no memory. This conditional-probability relationship, described by curve E in Exhibit 2.13, is characteristic of complex items with no dominant failure modes, and also of electronic items, particularly at ages beyond the infant-mortality period.

The failure-density curve shows that the incidence of failures for items characterized by an exponential distribution is highest at low ages, starting at installation. This, of course, is because low ages represent the greatest amount of unit experience, and since the conditional probability of failure is constant, the more units there are in an age interval, the more failures there will be. The survival curve of the exponential distribution has a shape similar to that of the density curve. The exponential distribution is a single-parameter distribution. This parameter is the failure rate. It is a scaling parameter, since it determines the magnitude of the conditional probability of failure, the initial value and rate of decrease of the density curve, and the rate of decrease of the survival curve.
Exhibit C.14 shows the corresponding relationships for the normal distribution. The conditional probability of failure associated with a normal distribution is relatively small at low ages and increases monotonically with increasing age. This distribution is therefore a candidate for consideration when an item exhibits increasing signs of wearout after relatively low probabilities of failure at earlier ages. The failure-density curve for the normal distribution has a clearly defined maximum value. This occurs at the average age at failure if all units are permitted to continue in operation until they fail. Note that the density curve is symmetrically disposed about this average age. This is an important characteristic of a normal distribution. The survival curve passes through a probability of .50 at the average age at failure and has twofold symmetry with respect to this probability point.

EXHIBIT C.13 The relationship of conditional probability, probability density, and probability of survival for an exponential distribution with a mean time between failures of … (Horizontal axis: operating age, flight hours.)

EXHIBIT C.14 The relationship of conditional probability, probability density, and probability of survival for a normal distribution with a mean time between failures of 2,000 hours and a standard deviation in failure age of 500 hours. (Horizontal axis: operating age, flight hours.)

The statement that an item has a "life of x hours" is usually based on a supposition that it has age-reliability characteristics which can be represented by a normal distribution. In other words, such a statement assumes the following characteristics:

The probability of failure at low ages is very small.

The probability of failure increases as operating age increases.

There is an age at which the density of failure has a relatively well-defined maximum value.

The density of failure at lower or higher ages is symmetrically disposed about the maximum value.

The normal distribution frequently does represent the age-reliability characteristics of simple items (those subject to only one or a very few failure modes).
The normal distribution is a two-parameter distribution. One parameter is a location parameter; it defines the age at which the maximum failure density occurs. The other parameter is a scaling parameter and is determined by the degree of dispersion of the failure densities about the peak value. The scaling parameter thus establishes the curvature of the survival curve, the magnitudes of the conditional probabilities, and the magnitude of the maximum failure density and of other densities about the maximum value.

Exhibit C.15 shows the characteristics of a Weibull distribution. In this particular example the conditional-probability curve resembles that for the normal distribution, in that the conditional probability of failure increases monotonically with age. It is dissimilar, however, with respect to the conditional probability at low ages, which is shown as being relatively high. The Weibull distribution is a candidate for representing items that have a moderately high probability of failure at low ages and demonstrate monotonically increasing (or decreasing) failure probabilities thereafter.

This discussion takes considerable liberty with the Weibull distribution. The Weibull distribution is a very versatile one with wide applicability. It can in fact be used to represent items with high or low conditional probabilities at low ages, and age relationships in which the probability of failure either increases or decreases with increasing age. The exponential and normal distributions are both special cases of the Weibull distribution.

The Weibull distribution in Exhibit C.15 has a failure-density curve that is not too different from that for the normal distribution shown in Exhibit C.14. There is an age at which the density function has a well-defined maximum value. Unlike the normal distribution, however, the densities in a Weibull distribution are not necessarily symmetrically disposed about this peak value. They can be, but they usually are not. By the same token, the survival curve for a Weibull distribution does not necessarily pass through the .50 point at the age corresponding to the maximum failure density, nor does it have the symmetry of the normal curve.

EXHIBIT C.15 Relationship of conditional probability, probability density, and probability of survival for a Weibull distribution with a mean time between failures of 1,013 hours, scaling parameter 33.15, and shaping parameter 1.45. (Horizontal axis: operating age, flight hours.)
The Weibull distribution described here is a three-parameter distribution. One parameter is a location parameter which, in effect, defines a negative age at which the conditional probability of failure is zero. The other parameters are scaling and shape parameters.

Each of the probability distributions enables us to express the conditional probability of failure, the probability density of failure, and probability of survival without failure as a function of operating age and certain parameters. These parameters make it possible to develop a large family of different relationships for each type of probability distribution. In practical work we are ordinarily not concerned with enumerating the parameters that apply to a specific analysis or writing the equations that describe the age-reliability relationship. The purpose of an actuarial analysis is to determine whether the reliability of the item deteriorates with operating age, and if it does, to assess the desirability of imposing a limit on operating age. Thus any interest in probability distributions is entirely pragmatic and centers on the possibility of using the specialized graph papers for such distributions to simplify the task of fairing curves through the survival data. Experience has shown that none of these three probability distributions provide a satisfactory model for the results of turbine-engine analysis, and in that case representation still depends on subjective curve fitting by the analyst.

C.6 A SPECIAL USE OF THE EXPONENTIAL DISTRIBUTION

Spare units for each item are purchased and kept on hand to support new equipment when it enters service. The provisioning is based on an anticipated failure rate for each item. It is not uncommon, however, for an item on newly designed equipment to experience a failure rate much higher than was anticipated. This results in an unexpected increase in the shop workload, and also in depletion of the supply of serviceable spare units needed to support the equipment. This means that pieces of equipment may have to be removed from service because there are no replacement units of the unreliable item. A problem of this kind can persist for some time, since the process of proving that specific design changes do in fact improve reliability is a slow one. Moreover, not only does it take time to manufacture additional spare units, but there is also a reluctance to invest in additional units of a design that has proved unsatisfactory.

Invariably the question arises as to whether a limit on the maximum operating age of such an item is desirable to alleviate the spare-unit problem caused by a high failure rate. The exponential distribution can give useful information that permits a quick answer to this question. Exhibit C.16 shows the probability of survival of an item with exponential reliability characteristics, with the operating age expressed as a multiple of the mean time between failures. The exponential distribution represents a constant conditional probability of failure at all ages, as described by curve E in Exhibit 2.13. Obviously an item whose failure behavior corresponded to curve A, C, or F in this family of curves would have smaller survival probabilities at all ages than one with exponential characteristics. Items with the characteristics described by curve B have survival probabilities which are about the same as those for a class E item at low ages and deteriorate at high ages. The relatively few items whose conditional-probability curves correspond to curve D have survival probabilities which are actually somewhat better than exponential at higher ages. For the purposes of this question, however, it is reasonable to assume that the troublesome item can be represented by the exponential survival curve in Exhibit C.16.
Suppose this item has a failure rate of 1 per 1,000 hours. The mean time between failures is, of course, 1,000/1 = 1,000 hours. An age limit of 1,500 hours has been proposed for this item. If we extrapolate values from the exponential survival curve, we find that at an age limit which represents 1.5 times the mean time between failures, 22.3 percent of the units can be expected to survive to that limit and become scheduled removals:

ratio of age limit to             probability of survival
mean time between failures        to age limit

0.1                               .905
0.2                               .819
0.4                               .670
0.6                               .549
0.8                               .449
1.0                               .368
1.5                               .223
2.0                               .135
2.5                               .082
3.0                               .050
3.5                               .030
4.0                               .018
5.0                               .007
These scheduled removals will further increase the demand for spare units, and hence will aggravate the present inventory problem instead of alleviating it. Any additional operating life that can be realized by this 22.3 percent of the units represents a saving over the number of spare units that would be needed with an age limit.

EXHIBIT C.16 A nondimensional form of the exponential survival curve that can be used to determine the probability of survival to any multiple of the mean time between failures. (Horizontal axis: ratio of age to mean time between failures.)

If there are major economic consequences associated with the failures, and if the conditional probability of failure in fact increases rapidly after 1,500 hours, then an age limit may be desirable to reduce the failure rate regardless of the increase in the inventory problem. This, however, is a solution to a different problem from the one that has been posed. There are many situations in which the assumption of a simple exponential distribution serves as a useful tool in helping to define the actual problem.
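
The effect of the proposed age limit on spare-unit demand, worked through as an added example that is not part of the original text. It goes one step beyond the table above by converting the survival probability into removal rates; the function names are hypothetical, and the rate calculation assumes steady-state operation in which every removed unit is immediately replaced by a zero-timed unit.

```python
import math

# Ratios of age limit to mean time between failures, as tabulated in the text.
RATIOS = [0.1, 0.2, 0.4, 0.6, 0.8, 1.0, 1.5, 2.0, 2.5, 3.0, 3.5, 4.0, 5.0]


def survival_to_limit(age_limit, mtbf):
    """Probability that an item with exponential characteristics
    survives to the age limit without failure."""
    return math.exp(-age_limit / mtbf)


def survival_table(ratios=RATIOS):
    """Nondimensional survival table: (ratio, probability) pairs."""
    return [(r, round(survival_to_limit(r, 1.0), 3)) for r in ratios]


def age_limit_effect(age_limit, mtbf):
    """Removal rates per 1,000 operating hours with an age limit imposed.

    The mean hours in service per installation is the area under the
    survival curve from zero to the age limit, mtbf * (1 - survival).
    Under the steady-state assumption, total removals per hour are the
    reciprocal of that mean.
    """
    surv = survival_to_limit(age_limit, mtbf)
    mean_hours = mtbf * (1.0 - surv)
    total_per_1000 = 1000.0 / mean_hours
    return {
        "survive_to_limit": surv,
        "mean_hours_per_installation": mean_hours,
        # Failures are the installations that do not reach the limit.
        "failures_per_1000h": (1.0 - surv) * total_per_1000,
        # Scheduled removals are the installations that do reach it.
        "scheduled_removals_per_1000h": surv * total_per_1000,
        "total_removals_per_1000h": total_per_1000,
        "total_removals_per_1000h_no_limit": 1000.0 / mtbf,
    }


if __name__ == "__main__":
    for ratio, prob in survival_table():
        print(f"{ratio:4.1f}  {prob:.3f}")
    # The case in the text: 1 failure per 1,000 hours, 1,500-hour age limit.
    for name, value in age_limit_effect(1500.0, 1000.0).items():
        print(f"{name:36s} {value:10.4f}")
```

For the case in the text the failure rate stays at 1 per 1,000 hours, because an exponential item has no memory, while total removals rise to about 1.29 per 1,000 hours once the scheduled removals are added.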

APPENDIX D
JAMES L. DOLBY

This bibliographic essay has three main purposes:

To list the seminal documents in statistics, quality control, reliability theory, information science, and decision analysis that preceded the development of reliability-centered maintenance as a logical discipline

To provide access to the broader literature in each of these areas for those readers who would like to explore one or more of them in greater detail

To provide specific access to the literature of reliability-centered maintenance and directly related materials

The third task presents a problem not shared by the first two. If one follows the obvious path of searching the general literature using such apparently reasonable terms as reliability, prediction, decision analysis, etc., the yield in retrieved documents is large, but the relevance level is extremely small. For instance, there is a very substantial literature on reliability modeling and prediction which is presumably of significant benefit to the designers and manufacturers of complex equipment. Very little of this literature is useful to one charged with designing a prior-to-service maintenance program. The difference stems in part from the differing needs of the equipment designer and the maintenance-program designer. A reliability model can be sufficiently close to reality to allow the equipment designer to analyze the difference between two competing design alternatives without being sufficiently real to allow precise prediction of performance in the user's environment. The model may be useful to the designer without providing specific insight as to whether the deterioration which precedes failure is visible or not, let alone information on the cost of obtaining such visibility when it is possible.

Similarly, there is a significant amount of literature on actuarial analysis and the fitting of various forms of failure distributions to empirical data. However, the role of actuarial analysis in reliability-centered maintenance is sharply limited, on the one hand, by the fact that we cannot afford to allow critical failures to occur in sufficient numbers to make actuarial analysis meaningful, and on the other hand, by the fact that most failures that are allowable (in terms of their consequences) are best dealt with by replacement at failure. Even in the middle range, where actuarial analysis is useful (at least in the ongoing program, after sufficient operating history has built up), the more sophisticated approaches involving the use of distinguished probability distributions and fine points of estimation theory are frequently misleading because of the stubborn refusal of real data to behave properly at the tails of a distribution.

There is also a fairly substantial literature on the theory of maintained systems, much of which is devoted to the selection of "optimum inspection intervals." Such approaches are rarely general enough to take into account all the variables that matter, including such simple realities as the need to package tasks for reasonable efficiency, continually shifting operating requirements, the availability of maintenance facilities, and the utility of using opportunity samples. The problem is compounded by the general absence of hard data in the prior-to-service study and during the break-in period immediately after the equipment enters service, when the selection of intervals is of greatest concern. Highly sophisticated techniques that begin to become useful only as the equipment nears obsolescence are of limited utility.

As a result, most of the works cited are important primarily because they shed light on the background in which RCM concepts developed or because they provide some insight into the design process that precedes the development of the complex equipment. In a few cases works that have tried to carry the notion of optimization too far are singled out as a reminder of some of the pitfalls that await the innocent.

The references cited in this appendix were largely derived from an exhaustive literature search of machine-readable and print data bases conducted by Martha West and George Glushenok, who reduced several thousand citations to some 500 pertinent references. The search area encompassed such obvious general fields as engineering, electronics, operations research/management science, information and computer science, logistics, and statistics. In addition, certain selected publications, such as the Proceedings of the Annual Reliability and Maintainability Symposia, were searched cover to cover. F. S. Nowlan and C. S. Smith provided key documents from the aircraft/airline internal literature and the Department of Defense, as well as a number of useful comments on what to look for and what to ignore.

D.1 HISTORICAL DEVELOPMENT

The historical development of the study of reliability and maintenance can be broken into three main periods, albeit with a fair degree of overlap. In the 20 years preceding World War II there were several developments that laid the necessary base both in theory and in application. In the 1920s R. A. Fisher (1922) developed the essential structure of small-sample statistics and laid the basis for modern theories of estimation and the design of experiments. Neyman and Pearson (1928) laid the foundations for modern decision theory. Dodge and Romig produced the first sampling plans, which were published in book form later (1944), Fry (1928) and others showed how probabilistic analysis could be applied to the design of modern equipment, and Shewhart (1931) invented quality-control charts.

In the 1930s, even though industrial production was low because of the Depression, many of these techniques were tested in application, particularly in the telephone industry in this country and the chemical industry in Great Britain. Kolmogorov (1933) provided the first complete axiomatic description of probability theory, and work was begun on the problem of providing rigorous structure to the ideas that Fisher had pioneered.
The enormous expansion of industrial production in this country after December 1941 provided the opportunity and the need to implement modern quality-control techniques through the defense industry. The Statistical Techniques Group at Columbia University solidified the earlier work at Bell Laboratories in sampling plans, provided the first tables for estimating tolerance limits for design, and produced the first materials on decision theory. Most of this work became available in monographs published shortly after the war. E. L. Grant (1946) wrote a primer on statistical quality control, Abraham Wald (1947, 1950) provided two key texts on decision theory, and Eisenhart et al. (1947) summarized other statistical developments derived at Columbia.
The second period of development, which had its roots in World War II and in the theoretical developments in probability theory prior to that time, properly begins after the war. One stimulus was the publication by Altman and Goor (1946) of an application of actuarial methods to engine failures on the B-29; another was the extensive conversion of surplus wartime equipment, particularly to civil aviation. For the next 20 years the increasing use of complex equipment, first with aircraft and later with missiles, led to increasingly sophisticated designs and manufacturing practices involving the use of redundancy to reduce the consequences of failure and burn-in to reduce the incidence of infant mortality. Empirical studies of Davis (1950), Weibull (1951), Epstein (1953), and others provided the base on which to make increasingly sophisticated estimates of expected reliability.

In the later stages of these developments design attention turned to problems of maintainability, the concept of making it easier to detect failures (or potential failures) and to replace failed components at reasonable costs. As with the quality-control era, maturity is marked by the publication of a spate of books. Zelen (1963) edited the proceedings of a conference in Madison, Wisconsin, that covered a number of areas of interest. Goldman and Slattery (1964) wrote the first text explicitly devoted to the maintainability problem. Pieruschka (1963) summarized much of the associated statistical material. Barlow and Proschan (1965) gathered together the mathematics of reliability theory, and Jorgenson, McCall, and Radnor (1967) considered the problem of finding optimal maintenance policies.

The thread begun by Neyman and Pearson and followed so beautifully by Wald was also continued by Von Neumann and Morgenstern (1944) in their classic text on the theory of games. This work was in turn integrated into modern decision theory by Blackwell and Girshick (1954) and extended toward what we now call decision analysis by the French school, as reported in Masse (1962).
The third era, beginning in 1960 with the work at United Airlines, saw yet a new focus on the problem. Whereas the applications of the 1930s had concentrated on the problems of producing and acquiring appropriate quality, and the works that followed were concerned with reliability (the quality experienced over time in use) and its implications for design, attention now turned to the acquisition of appropriate information, frequently in a context in which it was easier to get too much, rather than too little.

While Nowlan, Matteson, and others at United Airlines were carefully studying the age-reliability characteristics of complex equipment to determine precisely what good, if any, preventive maintenance could do, Magee (1964a, 1964b) was exploring the possibilities of decision diagrams based on an evaluation of the consequences of decisions. In the statistical area, Tukey (1960) pointed out the distinctions between actions and conclusions and thereby laid the framework for modern data analysis. And on yet another front, information science began to evolve out of bibliometrics and information-retrieval studies.
Now, in turn, the monograph literature is ready to catch up with the developments already published in proceedings and journals. The National Academy of Sciences (National Research Council, 1976) has already published an extensive report on setting statistical priorities which shows the interrelationship between information science and statistics and pays particular attention to the problems of establishing the utility of data in contexts where there may be far too much for easy assimilation. Raiffa (1968), Schlaifer (1969), and others have routinized decision analysis to the point where it is being applied in an increasing number of areas.

The present text on reliability-centered maintenance carries the development one step further. By reversing the order of the questions on decision diagrams, so that consequences are evaluated first instead of last, and in gross rather than fine terms, Nowlan and Heap have shortened the path between decision making and data gathering in an important way. Their emphasis on the use of the decision diagram as an audit trail which links decision making to results is strongly reminiscent of Shewhart's (1931) reasoning in establishing quality-control charts and Demos' (1955) integration of such charts into a quality-control system. Finally, their integration of data in the ongoing process goes a long way toward formalizing the process of modifying decisions as hard information develops. As such, it bears a mild resemblance to the work of George Box (1957) on evolutionary operation, although the latter presupposed the opportunity to modify the variables in an ongoing process for gradual improvement of performance, whereas the reevaluation in this case is consequence-centered and connected only through that mechanism to performance.

D.2 RELIABILITY THEORY AND ANALYSIS


In their excellent summary of the historical background of the mathematical theory of reliability, Barlow and Proschan (1965) begin with the
pioneering work of Khintchine (1932), Weibull (1939), Palm (1943), and
others in the 1930s and 1940s. In this work it seems natural to start with
the key paper by Altman and Goor (1946) on the reliability of engines
used in the B-29 aircraft in World War II. Altman and Goor used actuarial methods of the life insurance industry and provided a detailed
example to illustrate this usage. Their primary interest was in the supply
problem, which required an estimate of the proportion of the engines
that would fail prior to their hard-time removal. Since they assumed
that there was an appropriate time to remove an engine from the aircraft, the only problem from their point of view was determining the
conditional probability of failure prior to this removal time. In addition to the actuarial analysis, they also noted that the frequency of
engine failures plotted as a log function of total flying time was approximately a straight line, which has implications for the underlying failure
distribution. Altman and Goor also compared the results for new engines
with those that had been removed, overhauled, and returned to the
field and noted that the overhauled engines had a significantly shorter
average life. There was no hint in their work, however, that this
should be used as a basis for extending the overhaul interval.
In 1950 D. J. Davis produced a report for the Rand Corporation
which was later published in modified form in the Journal of the
American Statistical Association (Davis, 1952). He considered both the
normal failure law and the exponential failure law and showed that
failures for a number of types of equipment, particularly electronic
components and other complex items, were better approximated by the
exponential failure distribution. Davis also inquired into the nature of
the failure mechanism as a means for understanding the appropriateness of the failure distribution and discussed (briefly) the problem of
finding optimal replacement policies.
A number of other papers appeared about the same time, notably
that by Weibull (1951) on the distribution that now bears his name and
that by Epstein and Sobel (1953) on the utility of the exponential distribution, particularly in the treatment of electronic equipment. The 1950s
also saw the beginnings of reliability study as a formal discipline, as
marked by a meeting in New York City in 1952 on applications of
reliability theory.
Other theoretical developments during this period included the
work of Moore and Shannon (1956) on the theoretical determination of
reliability in networks and a theoretical justification by Drenick (1960)
of the use of the exponential distribution for complex equipment with
no dominant failure modes. By this time the empirical and theoretical
developments in reliability had led to an increased interest in maintainability. This term has been used in several ways, but here it refers
to those aspects of design provided to facilitate maintenance by making
parts that are likely to fail easy to replace and/or easy to inspect. Much
of the design development in the 1950s, particularly that associated
with development of intercontinental ballistic missiles, had to do with
improved reliability through design, including the use of redundant
parts and the burn-in of parts with high rates of infant mortality. The
latter was investigated by ARINC (Aeronautical Radio, 1958) with respect
to electron tubes.

Barlow and Scheuer (1971) consider some of the problems of estimation from accelerated life tests. Included is a useful bibliography by
Winter et al. (1964) of 20 papers in this area. Ladany and Aharoni (1975)
discuss maintenance policy of aircraft according to multiple criteria.
This paper is worthy of note primarily because it is a recent work that
does not appear to make use of the developments that occurred between
1963 and 1975. As a result, the writers are not convinced of the utility
of exponential distributions in reliability analysis and take a somewhat
peculiar view of the field with regard to optimum checking procedures,
given an exponential distribution. Miller and Singpurwalla together
and singly produced a series of three papers on the theoretical aspects of
maintained systems (Miller, 1975, 1976; Miller and Singpurwalla, 1977).
Yet another aspect of the theoretical problem is the problem of computing the reliability of complex networks. This derives from the difficulty of determining how a piece of complex equipment will in fact
perform, given the reliability of its several components and the mathematical form of their interaction. Rosenthal (1977) summarizes this
problem nicely and includes useful references.
There is a fairly standard set of literature on the estimation problems involved in actuarial analysis, and while fine estimation is not
usually necessary, a paper by Rice and Rosenblatt (1976) covers the area
well for those who wish to make use of it. The actuarial techniques for
studying the utility of overhaul policies were well laid out by Altman
and Goor (1946) and are illustrated by Matteson (1966) with two different smoothing techniques. Another smoothing technique is suggested
by Barlow and Campo (1975). Their proposal is identical to the method
recommended in this text (Appendix C), except that each scale is
divided by its maximum value and the inverse function is plotted, so
that increasing failure rates plot as concave rather than convex curves.
The utility of plotting both axes on (0,1) is that it simplifies the comparison to standard failure laws (such as Weibull) through the use of overlays.
The reciprocal of the slope is proportional to (rather than equal to) the
conditional probability of failure. With appropriate assumptions, the
TTT plot, as it is called by Barlow and Campo, can also be used to find
the optimal overhaul interval by graphical means, as is shown by
Bergman (1977). Bergman also calls attention to an earlier work (Bergman, 1976) and to Ingram and Scheaffer (1976). For a more general discussion of smoothing methods and their advantages and disadvantages,
see Tukey (1977), particularly chap. 7.
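The scaled TTT construction described above, as an added example that is not taken from the book or from Barlow and Campo. It handles complete (uncensored) samples only; the function names, the constructed Weibull-quantile samples, and the use of area under the curve with a 0.05 tolerance as a stand-in for reading concavity off the plot are assumptions made for illustration.

```python
import math


def scaled_ttt(failure_times):
    """Scaled total-time-on-test points for a complete (uncensored) sample.

    Returns a list of (u_i, phi_i) with u_i = i/n (fraction of units failed)
    and phi_i = T_i / T_n, where T_i is the total operating time accumulated
    by all n units up to the i-th failure. Both axes therefore run on (0, 1).
    """
    times = sorted(failure_times)
    n = len(times)
    if n == 0 or times[0] < 0:
        raise ValueError("need at least one non-negative failure time")
    totals, running, previous = [], 0.0, 0.0
    for j, t in enumerate(times, start=1):
        # Between failure j-1 and failure j, n-j+1 units are still operating.
        running += (n - j + 1) * (t - previous)
        totals.append(running)
        previous = t
    if running == 0:
        raise ValueError("all failure times are zero")
    return [(i / n, total / running) for i, total in enumerate(totals, start=1)]


def area_under_curve(points):
    """Trapezoidal area under the scaled TTT curve, starting from (0, 0)."""
    area, prev_u, prev_phi = 0.0, 0.0, 0.0
    for u, phi in points:
        area += (u - prev_u) * (phi + prev_phi) / 2
        prev_u, prev_phi = u, phi
    return area


def failure_rate_trend(points, tolerance=0.05):
    """Crude reading of the plot (an assumption of this example).

    A curve bowed above the diagonal (area > 0.5) corresponds to the concave
    shape of an increasing failure rate; below the diagonal, a decreasing one;
    close to the diagonal, the exponential (constant-rate) case.
    """
    area = area_under_curve(points)
    if area > 0.5 + tolerance:
        return "increasing"
    if area < 0.5 - tolerance:
        return "decreasing"
    return "roughly constant"


def weibull_quantile_sample(shape, n=50):
    """Constructed sample: the (i - 0.5)/n quantiles of a unit-scale Weibull."""
    return [(-math.log(1 - (i - 0.5) / n)) ** (1 / shape) for i in range(1, n + 1)]


if __name__ == "__main__":
    for shape in (3.0, 1.0, 0.5):
        pts = scaled_ttt(weibull_quantile_sample(shape))
        print(f"shape={shape}: area={area_under_curve(pts):.3f} "
              f"-> failure rate {failure_rate_trend(pts)}")
```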
Other useful papers in the theoretical area include a summary of
current academic research by Barlow and Proschan (1976b), a discussion
of Bayesian zero-failure reliability-demonstration testing procedure
by Waller and Martz (1977), and papers by Martz and Lian (1977) and
Martz and Waterman (1977) on other aspects of this problem. Martz,
Campbell, and Davis (1977) consider the use of the Kalman filter in
estimating and forecasting failure-rate processes and provide an interesting and useful bibliography of work in this general area, including
some 27 papers.
As a final note on reliability theory, a paper by D. C. Bridges (1974)
on the application of reliability to the design of ship's machinery offers
a concise discussion of this field as of 1974. In addition to a brief summary of reliability theory and techniques generally associated, there is
an almost passing mention of data collection and failure modes and
effects analysis. The paper concludes with a discussion by several other
participants in the forum and a reply by the writer, and these comments
help to point out the essence of the problem as it relates to design.
Unfortunately this paper does not go the next step and consider the
problems of reliability-centered maintenance from the user's point of
view.

D.3 INFORMATION SCIENCE AND DECISION ANALYSIS

The fields of information science and decision analysis, with their substantial overlap, are well covered in an excellent bibliography by Lawrence (1976), titled The Value of Information in Decision Making. The
bibliography is an appendix to a National Academy of Sciences report
on setting statistical priorities and covers 184 items in a field Lawrence
defines as information science. It is broken down into several sections:
comparing information structures; user needs and parameters of
information-seeking and valuation behavior; managing information
systems; decision making under uncertainty, the expected value of information; the economics of lack of perfect information; information
and governmental policy; quantitative economic policy; the value of
economic forecasts; does the market overprovide or underprovide for
knowledge production; information theory, including statistics; and
applications to economics and psychology. A good many of the papers
cited are addressed to questions of how information affects policy.
While the emphasis is on application to governmental problems, the
papers in general are much broader. There is a heavy emphasis on
information in economic structures, and hence on the attempt to relate
information to costs of decisions.
There are several papers on the information problem in maintenance that are worthy of note. Hadden and Sepmeyer (1956) gave a
relatively short paper on the methodology for reliable failure reporting
from maintenance personnel which raised some useful questions on
consideration of the human factor. Shapero, Cooper, Rappaport, and
Schaffer (1960) considered the problem of data collection in weapon
systems test programs. Bell (1965) gave a talk on information needs for
effective maintenance management to the DOD Logistics Research Conference that is worth reading. During the same period there were several
studies of the data problem in the military, including one by Cohen,
Hixon, and Marks (1966) on maintenance-data collection and the Air
Force base-maintenance management system. More recently Dudley,
Chow, Van Vleck, and Pooch (1977) have discussed how to get more
mileage out of data.
The formal term decision theory today usually refers to the work
originally done by Abraham Wald (1947) in the late 1930s and early
1940s, in which he formulated the sequential decision problem as a
special case of sampling theory. A considerable volume of literature
derives from Wald's work.
The next stage historically is the development of the theory of
games, and the classic work on this is Von Neumann and Morgenstern
(1944). The first detailed application of this theory to business decisions
appears to be the work reported by Masse (1962). Shortly thereafter
Magee brought this concept to the attention of a broader community
through the publication of two articles in the Harvard Business Review
(Magee, 1964a, 1964b). A good deal of the literature following Magee has
to do with investment decision making, and the basic thrust of the use
of a decision tree for such purposes is that the tree is laid out first in
terms of the available decisions and next in terms of the various possible actions, including those not under the control of the decision maker.
Where it is reasonable to postulate a probability distribution for the
actions not under the control of the decision maker, this can be done;
the form of the tree then provides outcomes at each terminal in such a
way that their expected dollar values can be computed, given the appropriate information.
There is a fairly large literature showing applications of this approach, of which the following is but a sampling to indicate the breadth
of the activity: Flinn and Turban (1970) on decision-tree analysis for industrial research; Berger and Gerstenfeld (1971) on decision analysis
for increased highway safety; Chinn and Cuddy (1971) on project
decision and control; Gear, Gillespi, and Allen (1972) on the evaluation
of applied research projects; Swager (1972) on relevance trees for identifying policy options; Berger (1972) on implementing decision analysis
on digital computers; Feldman, Klein, and Honigfel (1972) on decision
trees for psychiatric diagnosis; Whitehouse (1974) on decision flow networks; Rubel (1975) on logic trees for reactor safety; and Wheelwright
(1975) on decision theory for corporate management of currency-exchange risks.
There are three standard texts in this area that should be noted:
Schlaifer (1969), Raiffa (1968), and Keeney and Raiffa (1976). Schlaifer's
book is a nonmathematical text for business students which goes into
the details of the decision problem extensively with a number of problems and references to standard Harvard case studies. Raiffa's treatment
is more sophisticated. Chapter 9, The Art of Implementation, and A
General Critique, provides a nice summary of the presentation which
goes beyond the step procedures and begins to evaluate how the
process is actually used in real problems, including messy real problems. Chapter 10 also provides a concise history of the subject, together
with useful observations about the interrelationship of statistics, information theory, and decision theory. In a very brief bibliography at the
end of the book Raiffa calls attention to Fellner (1965), which includes
an excellent annotated bibliography on 52 well-chosen texts.
In the preface to his book Raiffa (1968) lists the following steps for
analysis of a decision problem under uncertainty:
- List the viable options available to you for gathering information,
  for experimentation, and for action.
- List the events that may possibly occur.
- Arrange in chronological order the information you may acquire
  and the choices you may make as time goes on.
- Decide how well you like the consequences that result from the
  various courses of action open to you.
- Judge what the chances are that any particular uncertain event will
  occur.

It is interesting to compare this list of priorities with those on which
RCM decision analysis is based:
- Framing the questions to determine the consequences of failure
  in such a way as to define the information required to make the
  decision
- Framing the questions to select those maintenance tasks which are
  both applicable and effective
- Specifying the default action to be taken when information is
  lacking
- Extending the approach to the determination of when to make
  economic-tradeoff studies for cases that are both important and too
  close to call
- Providing for the subsequent action to be taken when in-service
  information begins to accumulate

The first application of the decision diagram to aircraft maintenance problems was developed by F. S. Nowlan (1965) at United Airlines. This internal document noted the importance of the mechanism of
failure, the need for information about inherent reliability characteristics, and the conditions necessary for scheduled overhaul to be effective. The simple decision diagram presented was not unlike the top
portion of the RCM decision diagram described in this text, in which
the fundamental questions have to do with (1) the evidence of failure
and (2) the consequences of failure. A condensed version of this report
was also included in a paper presented at an FAA maintenance symposium in November 1965 (Taylor and Nowlan, 1965).
These concepts were expanded on in a later paper by Matteson
and Nowlan (1967), and the decision diagram presented in this work
was the basis for MSG-1, Handbook: Maintenance Evaluation and Program
Development (747 Maintenance Steering Group, 1968). This document
led to further improvements, published as MSG-2, Airline/Manufacturer
Maintenance Program Planning Document (Air Transport Association,
1970). These developments were also reported on by Dougherty (1970),
Matteson (1972b), and Nowlan (1972). A European version of MSG-2,
European Maintenance Systems Guide (A-300 B Maintenance Steering
Committee, 1972), appeared only a few years later.
D.4 MAINTENANCE THEORY AND PHILOSOPHY


Design developments in the aircraft industry from 1930 to 1960 greatly
improved operating safety and resulted in more maintainable equipment. However, these two objectives also had the combined effect of
significantly increasing the complexity of equipment and reducing
the utility of hard-time limits. In a review paper published in 1968,
W. C. Mentzer observed that United Airlines began work under his
direction in 1960 on two basic questions: "Do we understand the fundamental principles which underlie the way we maintain our aircraft?"
and "Do we really know why we do what we do?" The incentive for a
thorough investigation into these questions was provided by the very
simple fact that maintenance of aircraft for typical airlines in the United
States at that time represented approximately 30 percent of total direct
and indirect operating costs. The general history of this development is
well summarized in Appendix B of this book.
John F. McDonald (1963) presented a detailed and highly readable
paper titled Reliability, a Random Discussion, in which he takes a
closer look at the overall problem of reliability, the difficulties of predicting performance in the field prior to actual experience, and the
utility of hard-time limits in actual operation. As a vehicle for carrying
his general discussion, he repeatedly cites quotations from Oliver Wendell Holmes' famous poem The Deacon's Masterpiece, or The Wonderful
"One-Hoss Shay," A Logical Story, including the key line that states "A
chaise breaks down, but doesn't wear out." The suggestion that Oliver
Wendell Holmes is the true father of modern maintenance theory would
perhaps not be well met in all circles, but the observation that "things
break down but do not wear out" is, of course, one of the keys to the
understanding of the maintenance process for complex items. J. J. Eden
(1963), in a paper titled Engine Overhaul Life, An Outdated Concept,
makes the point quite clearly from his experience with Trans-Canada.
The inherent difficulties in predicting reliability first suggested by
McDonald were reiterated in two papers presented at the 1965 Meeting
on Reliability and Maintainability in Los Angeles. The titles are enough
to indicate the difficulty: Finocchi (1965) wrote that Reliability Has
Failed to Meet Its Goals, and Crose (1965) titled his paper Reliability Can
Be Predicted? (A Negative Position). Matteson (1966) provided additional insight into the use of reliability analysis of in-service equipment
as a guide for reducing maintenance cost and spare-parts requirements.
Ashendorf (1967) added further ideas in this direction by noting the
"pitfalls in reliability predictions." In all these works, from McDonald
to Ashendorf, one senses the growing recognition that maintenance
must be able to cope with performance that falls short of design prediction. This implies the need to redesign and/or change mission
requirements to allow the user to get the maximum performance from
the equipment. Maintenance in turn must then be done in a context
which allows redesign as a possibility and also is prepared for surprise, particularly in the early years of use of the equipment. These
observations imply important economic consequences that must be
planned for in preparation for the use and maintenance of the equipment.
For many years primary maintenance consisted of hard-time inspection and overhaul tasks. This concept underwent rapid reevaluation in the early 1960s, as pointed out by K. E. Neland (1966) in a paper
presented at the Maintenance Symposium on Continued Reliability of
Transport-type Aircraft Structure in Washington, D.C. Neland, then chief
of the air-carrier maintenance branch of the Federal Aviation Agency,
presented a brief history of developments of maintenance policies and
procedures from the FAA point of view. In the first phase, he noted,
most aircraft prior to World War II were subject to the one-step overhaul
process. As a result of the rapid integration of surplus aircraft into
commercial fleets after World War II, the late 1940s and 1950s were
dominated by a set of phase inspections which provided the FAA,
among others, with much more detailed information about the rate of
deterioration of performance and safety features over a period of time.
This history of deterioration allowed the FAA to take a much kinder
view toward the philosophy of on-condition inspection, which became
increasingly important after 1960.

In June of 1967 Matteson and Nowlan (1967) presented a paper titled
Current Trends in Airline Maintenance Programs at the AIAA Commercial Aircraft Design and Operations Meeting in Los Angeles. In this
paper they gave a generalized definition of a failure and discussed the
mechanism by which failures occur. They then went on to develop a
decision diagram to facilitate logical analysis of the decisions required
during development of a scheduled-maintenance program. This discussion was essentially an update of Nowlan's earlier paper, and the decision diagram was considerably more detailed. It is this more detailed
decision diagram that provided the basis a year later for MSG-1, a working paper prepared by the Maintenance Steering Group for the Boeing
747 (1968). This document was approved by the 747 interairline maintainability conference on July 10, 1968.
The Boeing 747 was the first turbine-powered wide-body aircraft to
enter commercial aviation. The preparation of a maintenance program
prior to service involved even greater concern about safety, given the
large number of passengers this aircraft would be carrying. This exercise was the first application of the concept of reliability-centered maintenance. While the procedure is now somewhat better understood, the
basic questions that had to be faced are the same today as they were a
decade ago.
The work that led to the development of MSG-1 was not lost on the
manufacturers of aircraft or on the FAA. Several papers appearing at
about the same time made it quite clear that the relationship between
the manufacturer's responsibility for maintainability and the user's
responsibility for maintenance were closely interrelated. R. B. MacGregor (1968) spoke to this question directly at the Los Angeles Maintainability Association in September 1968. Matteson (1969) discussed
in-service safety and reliability and the role of maintenance at some
length. Nowlan (1969) reviewed the on-condition philosophies from a
planning and operational viewpoint. Matteson (1969b) discussed the
condition-monitoring path on the Boeing 747, and Adams (1969) provided further insight into the concept of increased safety through the
new maintenance concepts. These developments all had some influence
on the creation of the Airline/Manufacturer Maintenance Program
Planning Document, MSG-2 (Air Transport Association, 1970). This document,
which was prepared as the starting point for the wide-body Douglas
DC-10 and the Lockheed L-1011, represented a refinement of the MSG-1
procedures developed for the 747.
Also in 1970 the ATA Reliability and Maintainability Subcommittee,
consisting of half a dozen members from as many airlines, presented a
talk on reliability and maintainability from an airline standpoint
(Roberson, 19711). At about the same time I. E. Dougherty, Jr. (1970)
reviewed the development of the initial maintenance program for the
Boeing 747 from the viewpoint of the Department of Transportation.

Other papers followed in order over the next year or two. Those which
are of general interest include Schonewise (1971), Heap and Cockshott
(1973), Matteson (1971a, 1971b, 1972b), Mellon (1972), and Nowlan (1972,
1973).
At this time also several writers began to look more closely at the
relationship between nondestructive testing and full-scale testing as
potential information generators for maintenance decisions. See, for
instance, Matteson (1972a) and Stone (1973), and Dougherty (1974),
who reviewed FAA activities over the preceding 15 years and made
some suggestions as to where this activity was likely to go in the
future.
The development of practicing maintenance was very nicely summarized by John F. McDonald (1972) in a paper presented to the Seventh
Annual Convention of the Society of Logistics Engineers in August 1972.
This paper, in addition to summarizing the history for commercial airlines, draws interesting comparisons between what is done in the airlines and what is feasible in the military, with some strong suggestions
as to the utility of the techniques.
The obvious success of the principles embodied in Boeing 747 and
Douglas DC-10 maintenance programs was noted by the Department of
Defense, which, of course, has a substantial maintenance problem. A
review of the McDonnell F4J, an aircraft already in service, was done by
United Airlines (1974, 1975, 1977). Bell Helicopter Company published
a report on flight-control-system reliability and maintainability investigations for the Army (Zipperer, 1975). The National Security Industrial Association (1975) issued an ad hoc study on the impact of commercial-aircraft maintenance and logistic-support concepts on the flightcycle cost of air ASW weapons systems which provides some insight
into the economic questions of maintenance in military systems. The
Naval Air Systems Command (1975) also produced a management
manual, NAVAIR 00-25-400, which provided a maintenance-plan
analysis guide for in-service Naval aircraft, and Project Rand at about
the same time issued a study from the Air Force point of view (Cohen,
1974). Rolf Krahenbuhl (1976) discussed the problem of maintaining
transport aircraft at a meeting given at Oxford. The British Civil Aviation Authority (1976) produced a working draft on the safety assessment
of systems in September 1976.
Returning to developments in the military in this country, Elwell
and Roach (1976) reported on the scheduled-maintenance problems
for the F4J aircraft. The following year Saia (1977) provided a comprehensive evaluation of changes in the U.S. Navy aircraft maintenance
program and LaVallee (1977) prepared a Navy report on logistic support
analysis. Lockheed, California, began an extended inquiry into the
applicability of reliability-centered maintenance to Naval ships in 1977.
The first report, Availability Centered Maintenance Program Survey (1977a)
was subsequently augmented by scheduled-maintenance program-development procedures (1977b).


Each of the basic types of maintenance tasks poses its own special
problems with regard to the selection of optimal intervals, and in each
case the problem must be further specified to a particular piece of equipment before it is resolvable. On-condition inspection, for instance, can
be specified in terms of two intervals: the time to the first on-condition
inspection and the repeat intervals after the first inspection. A recent
article discussing this problem in structures (with some 23 references) is
Johnson, Heller, and Yang (1977). The problem was also discussed in the
broader context of an MSG-2 analysis of the Douglas DC-10 in Stone and
Heap (1971). For a nonairline example see Amett (1976). The possibility
of mixing random inspections with regularly scheduled inspections in
structure is considered in Eggwertz and Lindsjo (1976), Study of Inspection Intervals, which also contains a useful set of references.
The use of the exponential function for "random" failures as a
basis for choosing inspection intervals for hidden functions was considered at length in Kamins (1960). Two other Rand reports consider
"noisy" (imperfect) inspections (Eckles, 1967) and the problem of measuring time in military operations, where use per unit of calendar time
can vary widely from one unit to the next (Cohen, 1972). The latter
report also provides some insight into the problem of extending intervals in light of real operating experience.
Safe-life intervals provide an entirely different set of problems
because of the need to establish the intervals through test results. A
nice discussion of this is provided by Jensen (1965), who said:
It is not surprising that we have reached the conclusion that fatigue
tests are not a panacea or cure-all to which we can turn in establishing a "safe-life." The assignment of a "safe-life" based on
tests involves a great many assumptions. If these assumptions are
wrong, we have the unpalatable result of a catastrophic failure.
One of the assumptions in setting safe-life intervals is that it is possible
to accelerate a life test and determine from the accelerated test what can
be expected later in real time.
The deeper question of whether scheduled overhaul might actually
provide negative effects is discussed in two Navy documents of some
importance, a study by LaVallee (1974) on aircraft depot-level maintenance, and one by Capra (1975) on engine maintenance.
In the course of designing and bringing a piece of complex equipment to production, there is a considerable amount of activity aimed at
ensuring that the proper safety characteristics and overall system effectiveness measures are met. In a useful summary paper Crose (197111)
provides a breakdown of the basic areas of activity aimed at system
effectiveness: design review; development test analysis; failure analysis
and corrective action; failure modes and effects analysis (FMEA); fault-tree analysis; life testing; maintainability evaluation; parametric-variability analysis; prediction, apportionment, and assessment; producibility analysis; stress testing; and tradeoff studies.
There is now a very large literature on the various aspects of system effectiveness, much of it specific to particular types of equipment,
such as electronic components. The 1977 Proceedings of the Annual Reliability and Maintainability Symposium includes a representative set of
papers. Spoormaker (1977) discusses reliability prediction for airplane-type springs. Bertolino and Grefsrud (1977) consider the failure analysis
of digital systems using simulation. Hughes, Fischler, and Rauch (1977)
provide some idea of how to use pattern recognition in product assurance. Onodera, Miki, and Nukada (1977) discuss a variation of the failure modes and effects analysis, which they call :+I-FMECA, in making
a reliability assessment for heavy machinery. Bishop et al. (1977) go
over a number of aspects of reliability, availability, maintainability,
and logistics. Dennis (1977) considers prediction of mechanical reliability, nondestructive evaluation, and other present and future design
practices. Plouff (1977) provides some information on avionic reliability
experience for the AR-104 and the 7818.
These proceedings also have three rather interesting papers on reliability and maintainability experiments. McCall (1977) discusses the
statistical design of such experiments, Herd (1977) carries this a step
further, and Gottfried (1977) provides a brief discussion of the interpretation of statistically designed R & M tests.
Other work in this general area includes an evaluation by Barlow
and Proschan (1976~) of the techniques for analyzing multivariate
failure analysis and an article by Cooper and Davidson (1976) of the
parameter method for risk analysis. Callier, Chan, and Desoer (1976)
consider the input-output problem using decomposition techniques.
The use of input-output methods goes back to Leontief and has been
widely used in an attempt to analyze complex economic systems. However, these techniques have not been in great use for analysis of the
reliability of a maintained piece of complex equipment for reasons that
are clear from the present text.
Weiss and Butler (1965), in a paper entitled Applied Reliability
Analysis, give a brief summary of the basic problem from design to
application, the analytic and information difficulties therein, and the
typical methods used to cope with these difficulties. Another aspect of
the design problem, now called common-failure-mode analysis, appears
when a system designed to have redundant features to protect safety
and reliability has at the heart a common failure mode that can remove
the perfection provided by the redundancy. A summary discussion in
this area is given by Apostolakis (1976).

D.5 MAINTENANCE APPLICATIONS

The main applications of reliability-centered maintenance as described
in this text are to commercial and military aircraft, and the primary
documents that one should study to get a full feeling for the depth of
the application are the Maintenance Review Board documents for these
aircraft, notably the Boeing 747, the Douglas DC-10, and the Lockheed
L-1011. The simple act of leafing through page after page of summary
worksheets, which show how the decisions were made for each of the
significant items, provides a feeling of the reality of these procedures in
practice on important physical equipment.
However, these documents are not widely available, and they are,
of course, quite bulky, typically running to 12 inches or more of standard 8 1/2 x 11 paper. A much shorter, but still interesting, overview
of this process is provided by the Orion Service Digest (1976), which
summarizes the studies for the Lockheed P3 maintenance program.
Among other things, this document provides a good picture of the packaging problem, showing when the various tasks have to be done and how
they are grouped together. The reports by United Airlines (1974, 1975a,
1975b), which conducted the comparable study for the McDonnell F4J,
include a fairly short report on the analysis process, as well as a nice
breakdown of the zonal description and inspection requirements.
In 1975 the Institute for Defense Analyses prepared an extensive set
of reports titled Accomplishing Shipyard Work for the United States Navy
(Heinze, 1975; Morgan et al., 1975). These reports do not get to the problem of reliability-centered maintenance as currently conceived, but
rather provide extensive detail on the context in which a Navy shipyard
maintenance program must be implemented. The third volume of the
reports, by Heinze (1975), includes an extensive bibliography on the
subject.
Another picture of the problem from the Navy point of view was
developed by the Naval Underwater Systems Center at New London
(Howard and Lipsett, 1976) and published under the title Naval Sea
Systems Operational Availability Quantification and Enhancement. This
is a fairly extensive report that tries to provide the overall context of the
problem, not just the maintenance problem itself, and the inherent
difficulties in trying to establish system effectiveness measures, availability measures, and the like in the Naval situation.
At a more detailed level, the literature about maintenance of aircraft
can be broken into the three primary major divisions of the aircraft: structures, powerplants, and systems. The literature on systems is
largely devoted to the reliability of particular components. The literature on structures is generally easier to obtain because the structure
as an integrated entity is generally subject to the common problems of
corrosion and fatigue, and the signals of reduced resistance to failure
are primarily those obtained by inspecting for cracks and leaks.
One view of the problem addressed specifically to maintenance
problems of structures can be found in the Lockheed L-1011-385-1 maintenance program, submitted to the FAA as justification for this program.
Section 3 on structures is brief, but to the point, and provides useful
background. The Douglas DC-10 structural inspection program, also
developed by analysis techniques which were the immediate predecessor of RCM analysis, was described extensively in a report by Stone
and Heap (1971). This paper provides a history of structural analysis
and a general description of the techniques employed.
The literature on powerplant maintenance problems is quite extensive. Rummel and Smith (1973) conducted a detailed investigation of the
reliability and maintainability problems associated with Army aircraft
engines. This report is primarily devoted to a careful examination of
the ways that engines can fail and the causes for removals. It is pertinent
to note that in this study over 40 percent of the engine removals were
for unknown or convenience reasons. Over half the remaining engine
removals were accounted for by foreign-object damage, improper
maintenance, leakage, erosion, operator-induced problems, etc. The
report provides a useful perspective on the overall maintenance problem in the Army's use of such equipment.
Sattar and Hill (1975) discussed the problems of designing jet-engine rotors for long life. Edwards and Lew (1973) updated the Taylor
and Nowlan (1965) report on United Airlines' turbine-engine maintenance program, and Nowlan (1973) presented a further report on the
general background and development of this program.
The Center for Naval Analyses (Capra et al., 1975) did its own
survey of aircraft engine maintenance, which concluded that within
the current range of operations "engines wear in but do not wear out."
This, of course, led to a recommendation that policies which would
decrease the number of overhauls performed and increase the time
between overhauls appeared to be reasonable from a reliability and
safety standpoint. Historically, this report provided a major impetus
for the further study of reliability-centered maintenance in the Navy.
Boeing-Vertol also prepared a report on turbine-engine reliability
for the Eustis directorate of the U.S. Army (Rummel and Byrne, 1974).
This was a follow-up to the report by Rummel and Smith (1973) on Army
aircraft engines and includes a careful overall description of the problems of maintenance in the armed services. This report notes in particular that one of the primary problems is the problem of maintenance
damage:


Previous studies have shown that maintenance damage is a problem of similar magnitude in the three military services and is at
least 10 times that which had been experienced in the commercial
airlines service.

This difficulty is at least partially attributable to the higher turnover in
service personnel than is common in commercial airlines, which makes
an important difference in the overall picture of maintenance analysis
for the military. It becomes even more critical in military applications
to ensure that unnecessary maintenance is carefully eliminated from
the maintenance schedule because of the relatively high probability
that it will in fact worsen the condition of the equipment.
Two recent papers might also be mentioned, as they point the way
toward increased emphasis on life-cycle analysis and logistics, which
includes, of course, the cost of maintenance as part of the overall cost
of operations. Nelson (1977) discusses the life-cycle analysis of aircraft
turbine engines in summary form from the executive point of view.
Benet and Shipman (1977) discuss a logistics-planning simulation
model for Air Force spare-engine management.
Among the systems applications, Cole (1971) provides a useful look
at effective avionic maintenance. Another example of a system of critical
importance is the helicopter transmission; this system is not redundant,
and a transmission failure can have critical consequences for the helicopter. Dougherty and Blewitt (1973) published a thorough study of
the possible uses of on-condition maintenance for helicopter transmissions which provides insight into the nature of criticality analysis,
as well as the utility of on-condition maintenance as a maintenance
philosophy.
Another interesting set of papers on reliability theory was compiled
by Barlow, Fussell, and Singpurwalla (1975). This publication includes
papers by well-known writers on eight different topics: fault-tree methodology, computer analysis of fault trees and systems, mathematical
theory of reliability, theory of maintained systems, statistical theory of
reliability, network reliability, computer reliability, and reliability
and fault-tree applications. It is an excellent summary of the state of
the art in this area as of 1975.

D.6 A GUIDE TO OTHER SOURCES
The first major bibliography on reliability was prepared by Mendenhall (1958) and updated by Govindarajulu (1964). The most recent bibliography appears to be one by Osaki and Nakagawa (1976). In addition
to these special bibliographies, a number of books provide very useful
annotated bibliographies. Some of these already cited include Duncan
(1953) on quality control, Barlow and Proschan (1965) on the mathematical theory of reliability, and Lawrence (1976) on information science.
It should also be noted that most of the journal papers on the subject
are well-indexed in on-line data bases and printed indexes. Another
useful bibliography is one put together by the U.S. Air Force (1977),
which is broken down into several sections: equipment and systems
reliability in maintenance, reliability physics, solid-state applications,
and software reliability studies.
There are also several basic publications that group together papers
of direct interest on this multifaceted subject. The IEEE Transactions on
Reliability, now in its twenty-sixth volume, covers much of the reliability
theory and applications to electronic equipment. From 1954 to 1965 there
was a yearly National Symposium on Reliability and Quality Control,
renamed from 1966 to 1971 the Annual Symposium on Reliability. Concurrently from 1962 to 1971 there was a Reliability and Maintainability
Conference. In 1972 these two activities were merged as the Annual Reliability and Maintainability Symposium, which is still the current title.
As will have been noted from a casual inspection of the following reference list, a large number of the papers cited in this bibliography first
appeared in one of these annual proceedings.
Adams, H. W. (1969) Increased Safety through New Maintenance Concepts,
Fifth Annual Aviation Maintenance Symposium, Oklahoma City, Ok,
December 9-11, 1969 (Douglas 5698).
Aerojet Nuclear Systems (1970) Instructions for System Failure-mode, Effect, and
Criticality Analysis for the Nerva Engine, Aerojet Nuclear Systems Company,
Sacramento, Ca, July 1, 1970.
Aeronautical Radio, Inc. (1958) A Selection of Electron Tube Reliability Functions,
Aeronautical Radio, Inc., Reliability Research Department, Washington,
DC, 1958 (ARINC Publ. 10).
Air Transport Association (1970) Airline/Manufacturer Maintenance Program
Planning Document: MSG-2, Air Transport Association R&M Subcommittee,
Washington, DC, March 25, 1970.
Altman, Oscar L., and Charles G. Goor (1946) Actuarial Analysis of the
Operating Life of B-29 Aircraft Engines, J. Am. Statist. Assoc., 41:190-205.
Apostolakis, George E. (1976) Effect of a Certain Class of Potential Common
Mode Failures on the Reliability of Redundant Systems, Nucl. Eng. Des.,
36(1):123-133.
Arnett, L. M. (1976) Optimization of Inservice Inspection of Pressure Vessels,
Energy Research and Development Administration, Savannah River Laboratory, Aiken, SC, 1974-1976.
Ashendorf, George (1967) Pitfalls in Reliability Predictions, Ann. Reliability
Maintainability, 6:576-581.
Association of European Airlines (1976) European Maintenance Systems Guide
to Developing Initial Maintenance Programmes for Civil Air Transport:
EMSG-2, Association of European Airlines, M&R Subcommittee, March,
1976 (draft).


Barlow, R. E., and R. A. Campo (1975) Total Time on Test Processes and Applications to Failure Data Analysis, John Wiley & Sons, Inc. (SIAM Series),
New York, NY, 1975.
Barlow, R. E., J. B. Fussell, and N. D. Singpurwalla (1975) Reliability and
Fault Tree Analysis, Society for Industrial and Applied Mathematics,
Philadelphia, Pa, 1975.
Barlow, R. E., L. C. Hunter, and F. Proschan (1963) Optimum Checking Procedures, J. Soc. Ind. Appl. Math., 11(4):1078-1095.
Barlow, R. E., and Frank Proschan (1965) Mathematical Theory of Reliability,
John Wiley & Sons, Inc., New York, NY, 1965.
Barlow, R. E., and Frank Proschan (1976a) Techniques for Analyzing Multivariate Failure Data, University of California, Berkeley, Operations Research
Center, Berkeley, Ca, April 1976 (ORC 76-11).
Barlow, R. E., and Frank Proschan (1976b) Some Current Academic Research
in System Reliability Theory, IEEE Trans. Reliability, R-25(3):198-202.
Barlow, R. E., and Ernest M. Scheuer (1971) Estimation from Accelerated Life
Tests, Technometrics, 13(1):145-159.
Bell, C. F., Jr. (1961) Throw Away Maintenance Policies, Rand Abstracts,
Rand Corporation, Santa Monica, Ca, October 1961.
Bell, C. F., Jr. (1965) Information Needs for Effective Maintenance Management, Rand-DOD Logistics Research Conference, Maintenance and Repair
Concepts, Warrenton, Ca, May 26-28, 1965; Rand Corporation, Santa
Monica, Ca, August 1965 (Rand Rept. P-3180, AD 619 702).
Benet, Humberto J., and Charles H. Shipman (1977) Logistics Planning Simulation Model for USAF Spare Engine Management, Proc. Ann. Reliability
Maintainability Symp., 1977:500-505.
Berger, P. D., and A. Gerstenfeld (1971) Decision Analysis for Increased
Highway Safety, Sloan Management Rept., 1211-23.
Berger, Roger W. (1972) Implementing Decision Analysis on Digital Computers, Eng. Econ., 17(4):241-248.
Bergman, Bo (1976) Crossings in the Total Time on Test Plot, University of Lund,
Department of Mathematical Statistics, Lund, Sweden, 1976 (LUNFD61
NFMS-304311-21).
Bergman, Bo (1977) Some Graphical Methods for Maintenance Planning,
Proc. Ann. Reliability Maintainability Symp., 1977:467-471.
Bertolino, Luciano, and Leif E. Grefsrud (1977) Failure Analysis of Digital
Systems Using Simulation, Proc. Ann. Reliability Maintainability Symp.,
1977:432-441.
Bishop, Lawrence L., et al. (1977) Reliability, Availability, Maintainability/
Logistics (RAM/LOG), Proc. Ann. Reliability Maintainability Symp., 1977:
49-68.
Blackwell, D., and M. A. Girshick (1954) Theory of Games and Statistical Decisions, John Wiley & Sons, Inc., New York, NY, 1954.
Box, George (1957) Evolutionary Operation: A Method for Increasing Industrial Production, Appl. Statist., 6:81-101.
Bridges, D. C. (1974) Application of Reliability to the Design of Ships' Machinery, Trans. Inst. Marine Eng. (GB), ser. A, 86(6):109-122.

C-E-I-R (1965) Evaluation of Proposed OD 29394: Guide Manual for Reliability
Measurement Program, C-E-I-R, Inc., Los Altos, Ca, January 21, 1965 (contract NOSP 64031-C-FSM).
Callier, F. M., W. S. Chan, and C. A. Desoer (1976) Input-output Stability
Theory of Interconnected Systems Using Decomposition Techniques, IEEE
Trans. Circuits Syst. (USA), 23(12):714-729.
Capra, James R., et al. (1975) Aircraft Engine Maintenance Study, Institute of
Naval Studies, Center for Naval Analyses, Arlington, Va, November 21,
1975 (CNS 1060, contract N00014-76-C-0001).
Chinn, J. S., and W. A. Cuddy (1973) Project Decision and Control: A Case
History, Chem. Eng. Prog. (USA), 67(5):17-21.
Civil Aviation Authority (1976) The Safety Assessment of Systems: British Civil
Airworthiness Requirements, CAA Airworthiness Paper 670, September
1976.
Civil Aviation Authority (1978) Continuing Structural Integrity of Transport
Aeroplanes, CAA Airworthiness Notice 89, August 23, 1978.
Clarke, A. D. (1965) Methods of Structural Reliability Substantiation of CH-54A
Components Based on Laboratory Fatigue- and Flight-test Data (Preliminary),
United Aircraft, Sikorsky Aircraft Division, Stratford, Ct, November 25,
1965 (rept. SER. 65189), (contract NOW 63-0150f).
Cohen, I. K. (1972) Aircraft Planned Inspection Policies: A Briefing, Rand Corporation, Santa Monica, Ca, June 1972 (Rand Rept. R-1025-PR, AD 748 990).
Cohen, I. K., et al. (1974) Background Studies, Alternatives, and Framework for
Addressing Maintenance Posture Improvement, Working Note for U.S. Air
Force Project Rand, Rand Corporation, Santa Monica, Ca, October 1974
[WN(L)-8852-PR, app. WN(L)-885211-PR].
Cohen, I. K., O. M. Hixon, and Barbara G. Marks (1966) Maintenance Data
Collection and Workload Control Information Systems: A Case Study, Rand
Corporation, Santa Monica, Ca, November 1966 [Rand Rept. RM-4985-PR,
contract AF 49(638)-1700, AD 645 994].
Cole, Robert A. (1971) Effective Avionic Maintenance, Seventh Annual FAA
International Aviation Maintenance Symposium, Oklahoma City, Ok,
December 7-9, 1971.
Cooper, D. O., and L. E. Davidson (1976) Parameter Method for Risk Analysis,
Chem. Eng. Prog., 72(11):73-78.
Dallaire, E. E. (1969) Space Technology: Potential Payoff for CPI, Chem. Eng.,
76(18):119-124.
Davis, D. J. (1950) An Analysis of Some Failure Data, Rand Corporation, Santa
Monica, Ca, October 25, 1950 (Rand Rept. P-183); J. Am. Statist. Assoc.,
47(258):113-150 (1952).
Demos, ?.'. P. (1955) Master Control System in General Electric, Ind. Qual.
Control, 12(4):17-21.
Dennis, Norman G. (1977) PMR, NDE Design Practices: Present and Future,
Proc. Ann. Reliability Maintainability Symp., 1977:161-169.
Dodge, H. F., and H. G. Romig (1944) Sampling Inspection Tables: Single and
Double Sampling, John Wiley & Sons, Inc., New York, NY, 1944.


Donaldson, T. S. (1971) A Study of IRAN Effectiveness for the F-106, Rand Corporation, Santa Monica, Ca, August 1971 (Rand Rept. R-755-PR).
Dougherty, James E., Jr. (1970) Development of the Initial Maintenance Program for the Boeing 747, AIAA Second Aircraft Design and Operations
Meeting, Los Angeles, Ca, July 20-22, 1970 (AIAA 70-889).
Dougherty, James E., Jr. (1974) It's Time to Change, ATA Engineering and
Manufacturing Forum, Dallas, Tx, September 17-19, 1974.
Dougherty, J. J., III, and S. J. Blewitt (1973) Analysis of Criteria for On-condition
Maintenance for Helicopter Transmissions, Boeing, Vertol Division, Philadelphia, Pa, September 1973 (Boeing D210-10593-1, contract DAAJ02-72-C-0068,
USAAMRDL-TR-73-58, AD 773 024).
Dougherty, J. J., III, and K. G. Rummel (1972) Capability of CH-47C Forward,
Aft, and Combining Gear Boxes for "On-Condition" Operation, Boeing, Vertol
Division, Philadelphia, Pa, March 17, 1972 (code 77272, Boeing D210-10367-1).
Drenick, R. F. (1960) The Failure Law of Complex Equipment, J. Soc. Ind. Appl.
Math., 8(4):680-690.
Drezner, S. M., and R. L. Van Horn (1968) Design Considerations for a Computer-assisted Maintenance Planning and Control System, Rand Corporation, Santa
Monica, Ca, February 1968 (Rand Rept. RM-5255-PR, P-3765, AD 665 451).
Dudley, R. H., T. R. Chow, S. E. Van Vleck, and R. J. Pooche (1977) How to Get
More Mileage Out of Your Data, Proc. Ann. Reliability Maintainability Symp.,
1977:414-420.
Duncan, A. J. (1953) Quality Control and Industrial Statistics, Richard D. Irwin,
Inc., Homewood, Il, 1953.
Eckles, James E. (1967) Optimum Maintenance with Incomplete Information, Rand
Corporation, Santa Monica, Ca, August 1967 (Rand Rept. RM-5390-PR,
contract F44620-67-C-0045, AD 657 010).
Eden, J. J. (1963) Engine Overhaul Life: An Outdated Concept, ATA Annual
Maintenance and Engineering Conference, Washington, DC, October 31,
1963.
Edwards, Thomas M., Jr., and Hu Lew, Jr. (1973) The Development of a Turbine
Engine Maintenance Program from a New Reliability Model, SAE Air Transportation Meeting, Miami, Fl, April 24-26, 1973 (SAE 730374).
Eggwertz, Sigge, and Goran Lindsjo (1970) Study of Inspection Intervals for
Fail-safe Structures, Sixth ICAF Congress, Munich, Germany, September
13, 1968; Flygtekniska Försöksanstalten, Aeronautical Research Institute of
Sweden, Stockholm, Sweden, January 1970 (FFA 120).
Eisenhart, C., M. W. Hastay, and W. A. Wallis (1947) Techniques of Statistical
Analysis, McGraw-Hill Book Company, Inc., New York, NY, 1947.
Elwell, R., and C. D. Roach (1976) Scheduled Maintenance Policies for the F-4
Aircraft: Results of the Maintenance Posture Improvement Program, Rand Corporation, Santa Monica, Ca, June 1976 (Rand Rept. R-1942-PR).
Epstein, B., and M. Sobel (1953) Life Testing, J. Am. Statist. Assoc., 48(263):
486-502.
Feldman, S., D. F. Klein, and G. Honigfeld (1972) Reliability of a Decision Tree
Technique Applied to Psychiatric Diagnosis, Biometrics, 28(3):831.

Feller, William (1968) An Introduction to Probability Theory and Its Applications,
vol. 1, John Wiley & Sons, Inc., New York, NY, 1968.
Fellner, William (1965) Probability and Profit: A Study of Economic Behavior
along Bayesian Lines, Richard D. Irwin, Inc., Homewood, Il, 1965.
Finocchi, A. J. (1965) Reliability Has Failed to Meet Its Goals, Ann. Reliability
Maintainability, 4:111-117.
Fisher, R. A. (1922) On the Mathematical Foundations of Theoretical Statistics,
Phil. Trans. Roy. Soc. London, ser. A, 222:309-368.
Flinn, R. A., and E. Turban (1970) Decision Tree Analysis for Industrial Research, Res. Management, 13(1):27-34.
Fry, Thornton C. (1928) Probability and Its Engineering Uses, Van Nostrand
Company, New York, NY, 1928.
Gear, A. E., J. S. Gillespie, and J. M. Allen (1972) Applications of Decision Trees
to Evaluation of Applied Research Projects, J. Management Stud., 9(2):172-181.
Gironi, G., and P. Malberti (1976) Burn-in Program for Wearout Unaffected
Equipments, Microelectron. Reliability, 15(3):227-232.
Goldman, A. S., and T. B. Slattery (1964) Maintainability: A Major Element of
System Effectiveness, John Wiley & Sons, Inc., New York, NY, 1964.
Gottfried, Paul (1977) The Interpretation of Statistically Designed R & M Tests,
Proc. Ann. Reliability Maintainability Symp., 1977:203-205.
Govindarajulu, Z. (1964) Supplement to Mendenhall's Bibliography on Life
Testings and Related Materials, J. Am. Statist. Assoc., 59:1231-1291.
Grant, E. L. (1946) Statistical Quality Control, McGraw-Hill Book Company, Inc.,
New York, NY, 1946.
Grose, Vernon L. (1965) Reliability Can Be Predicted? (A Negative Position),
Ann. Reliability Maintainability, 4:119-129.
Grose, Vernon L. (1971a) Status of Failure (Hazard) Mode and Effect Analysis,
Fault Tree Analysis, and Prediction, Apportionment, and Assessment,
Ann. Reliability Maintainability, 10:415-423.
Grose, Vernon L. (1971b) System Effectiveness: Where Do We Stand Today?
Ann. Reliability Maintainability, 10:400-402.
Hadden, F. A., and L. W. Sepmeyer (1955) Techniques in Putting Failure Data
to Work for Management, IRE Trans. First Nat. Symp. Qual. Control Reliability Electron., 1955:93-109.
Hadden, F. A., and L. W. Sepmeyer (1956) Methodology for Reliable Failure
Reporting from Maintenance Personnel, IRE Trans. Eng. Management, EM3
(:):27-29.
Hausman, W. H., and M. Kamins (1964) Early Failures in Automobile Parts: A
Background Study in Reliability, Rand Corporation, Santa Monica, Ca, March
1961 (Rand Rept. RM-4002-PR).
Haviland, R. P. (1964) Engineering Reliability and Long Life Design, D. Van
Nostrand Company, Inc., Princeton, NJ, 1946.


S,itnp~!itlp,
1 itup. 11. I:.. L'. A. Asvitt, atid t 1. 1.. Storey (1qhh) :\ircrtitt ~t~'\lctilt't~
l~ispi>ctit\~i
Progr,~~iis,
l,t\t\ ill,ii~itt*~i,~:it-t\
:;v~i~pt)sik~t~i
OII L.o~ititiitt-d l;t>li.
,ibility o f 'I'r,~~~spart-tvlie
:\ircr,iit Structi~rv.\V,isliingtt~n.IIC NovcnJ\>cr
2-4, l')t>t>.
)\I> t\li,ilysis of L:c.c,nt)tiiit. ,11iti l<t)lid1I
I , I,, I
. . t t s t t I
bilitv l\!>p~.icti~c~
with tht* I3ocitig 747 itliiit~r,I C'u~itiitio~ihlt\~iitori~:::' I b p %
of hl,iintt>uanceI'rogr,i~ii, Nitit11 t \ ~ ~ n u , I:t\A
ll
Intt*rli,~tion.ilA\,i,iticui h,!,ii~itt\n,incc Sy~iipc~siutii.
I)t~ct~trrb~-r
11 - 13. lt)7.3.
I l c i ~ i ~ tht~nntltll
*,
?. (It'7.5) : \ t ~ t ~ o t t ~ ~ ~./S~/.I~I ~I t!~I ~t\\'tlri
~I ~~Iq~ !'t)t. t/tts ~111ttt~tI
St:lttbs
:\,ltl!/: l~~:d;t~dtit>
:, S!~$tt*ttts111tt1O\)t*rt~t~<~!ts
vid. 3 (l>~l>\it)g~.i}>\iv),
Ii>stityt~\
tor L)t>tclisc A t i , ~ l y s ~Cost
s,
Aii.~Iysis <;rottp. Arlili!:to~i. V,i, August 1ui.5
( \ > J ~ > 1'-II.V,
w
~.crutr,~ct
I)hl lC'15-73 <-0L1110, task $11.
I !..I,L~. L;. I<o11,11ti(It)::)
l'l,i~i~ii~is
St,itisli~-.it l ~ \ p t ~ r i ~ i i c ~l>t>sigtis
it,il
i l l I< k kt
. \ ~ ~ p l i c , i t i ~ ~l'r8l1.
t i s . ;\~ttt.K t ~ l ~ ~ t l ~: \ ~I I lI t~ tI !I ~~ I I ~ ~ I I I I ~ ~.Gwtt~y..
I I ~ ! I 1977:lt)S-202.
i~ { ~ I ' I ' I ~ ~ I ~ ~ I I I ~ !
i I<)\V.!> ti, l:ci\~,ir~i
I:,, ,111tiI I , ~ ; t * r rIyipst~tt(lL)ib\ .Yti<'tIi.5t'tl S!~~tt't!t~
,.\ t..I,; .I11I1tltt11 Ql~ttt~tt~It.~~tlt')t
111t11I't~l~~t~~t.c'tr~t')It.
\;,I\',II ll~itie'r\,'.~tt'rS \ . ~ t t l ~ l l ~
NC\V 1.011~io11.C't. I:cbru,i~.y 27. I ' ) h
Ccntt~r, Ntw. I.un~loliL.,~t>(>r,~tt)ry.
(Nl'SC7-l'l<-S2Il).

'

I l\\$I~t'% :\i~.\'~~i!t
(lt);tl\

I'IIIIII K t ' ~ ) t ~ ~l t' ~: t ~ ~ t t t t ~ :\II~I~!/.~~s


t * t i ~ ~ , <tit t \ t t s l.'/ti!111t~11
\II;IIII
I ' ~ I ' s . < I I ~ :\;I.
~ ' 1111tlI)t.!/ : \ ~ r5!/~tc't11~
t t l t 1'1' 1052 ~ . / ~ I s s
St~tjv I i \ ~ $ l ~ t -:\\rcr,itt
s
L'k\~iip,i~iv,
l:.,pcjt 511ppt)rt Syslt~~iis
l!t~~itltvri~~~
l ~ t ~ ~ x ~ tIi'i.,-t>
i l ~\ t~ ~. t )r~t r*ic.t
i
NOOl2.3- 70 ,L -001).
I 1 : 1 l < t I l \ k l i r t i ~ i\ I i s l ~ l it t I r
t I. I i i (
I llsi~i$
I'.itlt\r~i l<ct-r>s~iitioli
i l l I ' I . ~ ) L ~ \ I c I : \ S S L I ~ , I Ii'itlt..
~ L ~ ~:\~I!I.
~ . R~~litllltllcti.\lit:t~td11t~l9Iitt!/~ S ! / I ~ I /1977'
~ , : 101-- 107.
IIIS~AIII. L'. I<.. J I I L ~ I<. I. St.l~t>,iifttr(ltVt>) 0 1 1 L.t)~isistt>~~t
l ~ s t i ~ i i ~ l t i :\st>
~)~~
l<tlpl,icc~~i,cnt
11itt~rv.ils I i ~ t ~ l ~ t t t * ~1$:2l3-2I~),
~~~~trIt~s.
It~!ist*ti,I l,~rr\,1'. (lLl.>.5i l'lit> t<vc>li~tit>ti
ot S t t ~ ~ c . t ~ LiiI
~ r , i S,11t\
l
(.-t>~l,~i*!>ts,
l<olt>( ~ , i t tIC':\l:
.
5\*1i1pt,>ii11il
t ~ 1 1l:,~tisi~t>
l'rt)~,t~tii~rt~s.
I ~ I I I L * It>-- IS. lt)t>.5.
l < ~ l ~ ~ i sI< t >:\~ i :\ I Itdl1~1~
,11iti 1. N. ) % i 1 1(IL)77
~
!.'li$l~tl t ~ s p ~ ~ .L).it.~
t i ~ ,111tl
~~i
r
t
t
t i ~
I
\
I R / t 1 1 1 1 t t \ l ~ ~ ~ ~ t t t t I i l t t t 1977:
I.IP--I.'..[.
l t ~ r ~ k ~ t i s1).
t ~\\'.,
l \ . 1, 1. >lc~L~,lll.
,ltiti I<, l<,;tlllt)r (IL)bJ O/~tllll,l/
~ c ~ ~ ~ / l :*tit
t t ~ l't~/t,~,I/
l ~ l l
l<,l~iti-Alt~K.\Il~
& <'tit\i~>,i~iv.
lt\t,.. L'hi~.,i$o. 11, lL)t>;.
h.111ii1is A l i l t o ~(~l L ) ~ > O ) I'~~tt~tit~:tt~tt,<
i'!!tst'At>1tt
/~ltt,~i~al/S
!111 S!/.~ft'tt~>
5111~~t't't
t,)
R , t ~ t ~ I t ) ~I'~111~~1t~s.
tt
l<,i~i\iL . o r p t ~ r , ~ t iS,itlt.~
o ~ ~ ~Ato~iic,i.C'J, I \ I I ~ L , !5, l'~t>O(I<,~II.~
l < t y ~I<SI-~.TS,
.
:\I) :47 3S.I).
h.~l~iiii\\v.
:\~~.itt)lvI. ( I Y 3 ~ ~ t > t i ~ p ll)i,ig~it)stit~
ttt~r
\vitIl l*ilic~rt
111 l~'.~il-s,itt~lv.
1l.S. l',i!i~til .i.t+)2,QS\)( , ~ s s i s t l ~Ll.5,
~ t \ :\tt>1111t, l:tit>r!:v ~ ' t ~ ~ l l ~ i ~5tytk\tii~ssitu~~.
bt1r I<). lil:? (ltlt. <'I, c;\?P! I 1 00, 1'5 (-1, 2~35153..:40 172.5).
h.~r!: \\'. I' (lth+1) A I , ~ i ~ ~ t t * t i l<t~st*.~re.l~:
, ~ t i t ~ t ~ l'l!t- ht%ytc) iltitii~n,llsit- h t . ~ i ~ ~ t i v ~ . ~ ~ i c<'(>st>.
t.
1:11th: \ I ~ I ~ N:\vi.ltit)n
,I~
hl.ii~ilt\~ia~icc
S v ~ i i p t > s t i r Lt ~) l ~r h.l l i t \ ~ l l . t
< ' i t \ . . O h . 11t-t.l-t1iL>t~r
t ) - - I l . I')t>').
h
1
: I
I
t l t c i t s 01 I'rt~vt~titivthl.it~lIt~~l.~tic~t~
!I:~I.).IIII~.
,'
l'rtlbt Rt.5. t I A 1 14(3\:.;>~~--.i-l4,
1 Itat':,~It~*~s
:ti1 .\l~j/t~/p!t'
<'I*~~~t~tli+t.~:
h i ~ t ~ l l t12.iIt~li
~ v . I .. ,inti I lt>\v.ir.~i
1<,11tt1 ,IL)-(,)
I ' t t . I t ' t t . l l t . t s , ~ t i t l t ! \',,1:1t' I ' t ~ ~ ~ t l t ~
It11111
t ~ ! ) \\'11t'!.
~.
k SOII.. IIIC..Nt*\\' \ 111'lr. N\',
lL)7t*.
t t ' ~ t < ~ t t t ' .: S
~ I ~ / ~ S , I I St~
li~
i v~ ~ I I

is


Khintchine, A. Ya. (1932) Mathematisches über die Erwartung vor einem
öffentlichen Schalter, Matem. Sbornik, 1932.
Knudseti, G . E., ,ind J. K. Keating (197h) /!i'lic'o;~ti'r L7rirkbS!/st('r?t O~~-i.t)~triitic~~~
l V ~ ~ i t ~ t ~ ~ col)~~l)ilit!/
i t t ~ i ~ l . t , f LIti- I I/\H- I ), Bell Helicopter Compr-v, Fort Worth,
l'x, July 1 9 7 ~(Bell 299-939-003, contr,lct DAAjO2-74-C-00611, L24AMRDLTI<-75-52).
Kolmogorov, A. (1933) Grundbegriffe der Wahrscheinlichkeitsrechnung, Springer-Verlag, Berlin, Germany, 1933.
Konticli, I1ct..irli. (1976) The Aging Fleet: F.ict 01 F ~ b l e ?AI'A Engitieering ,111d
Maintensince t;oruni, October 12-14 14%.
Krahenbuhl, Rolf (1976) Maintaining Transport Aircraft, Aircraft Eng., 48(5):
4-8, 13.
Ladany, Shaul P., and Menachem Aharoni (1975) Maintenance Policy of Aircraft according to Multiple Criteria, Internat. J. Syst. Sci., 6(11):1093-1101.
Larsen, A. C., and R. E. Watson (1966) State of the Art in Design and Testing to
Ensure Continued Aircraft Structural Integrity, FAA Maintenance Symposium on Continued Reliability of Transport-type Aircraft Structure,
Washington, DC, November 2-4, 1966.
I'(*rit1iiicL)t.pdt l.i9~1isl
~ I ~ i i i t t ~Sttitiy,
~!~~~~i~~i~
L,ivc~llee,
Wil1iar.1 F. (1974) LISN i\iv~.ri~ff
I~rstituieo! N,~v,ilStuJics,Centcr iorN,iv.i! Ati,iI~ses,Arli1-gton,V.1,
Novr~iihey. 197.4 (CNSIO?;.
~rt
Zrritlt.. NLival Avilltioli
L.iv.illec, WiIli,inr F. (1077) I.c!qistic. S r r / ~ / ~ i:\irr~l!~sis
Integmtcd Support Center, P,ituzent liivcr, hlcl, jutic 15, 1977 (Nt\II.SC
I'R-3-17).
S/III~,I~
L.~v.illee, Willialli F., John Schifier, ,ind j.111ii.s C'.ipra ilL'75) .*\ir(.r~~tt
t.t~~iii(.
H i ~ ~ ~ i i r t ~ ~Intern,il
~ t t ~ t ~ ttiiemolundum,
s,
It?stitutc of N . I ~ , I5ti1dit.s
~
Center tor N.iv.il An;.lvses, Arlillgton, V'i, Mvlay 11, 1975 ( C Y A 715-75).
L,iwrcncc, David H. (197b) The V,iluc of Ir.for~nationin Decisiu~lMaking: .\
l3ihlio~r.ipliv St.tttng St,ltistic.il I'riorities, i r i S c t t i ~ t Strrtistic.rr1
,~
I'rr~~r'itit's:
f<(ye~rt
ot t/;v l)t~iit-/o ~ i.\lt*t/~otto/(~~~!!
ta'r St~it!sli~~~i/
l'riorit~i~s,
N.~tii>ti.ill<cscarcli C'ouncil, C'o~iiniitt~e
o n N,~lio!iplSt,itistic..;, W.~sliingtc)ri,DL, I1)7r.
Leontief, Wassily W., et al. (1953) Studies in the Structure of the American
Economy: Theoretical and Empirical Explorations in Input-output Analysis,
Harvard Economic Research Project, Oxford University Press, New York,
NY, 1953.
rittlit-r ~ ~ I I ~ ~Sltot4:
~ I ~ ~,.\I ISittt~~/iI'i~~~/
I
;\tiitI!/::~s of
LiL)ovc, C. (lc)75) I.lttt-/~t~t.ks
I ' ~ ~ ~ . Y .Stt.c-ss
I ~ I . ~ Iit1
~ tlrc 1.iit-to-!,\':rll S(*II/.
Syr,~cuscLi~i:.ersity, New York. NY,
Dccc~iihcr197.5 (contr.~ctF3Oh02-71-2-0312,Ii~Zl~C'-T:<-iS-3OS.
A13 A021 :!.53).
I I /~(I*I ~~ ~ ~ ~ I I[I~I L~~' ~i *~ e ~ l ~ ~ ~ ~ t t ~ t ~ t i t
l.ockliceii, C,iliiorni.i C O I ~ ~ ~(Ilj7711)
, I I I ~ S C + ~ I C I /! I ~
I'rc~~~t~t/iir.i~s,
,.01. 2 , Ship Supp(>rtIt1ipro\~ctiicntI'roj~\st.I.irchlit-cd, C,iliArrtli,i
C O I I I ~ . I I:~~ ~VI I ,~ L ~ . I I I (:,I,
A , 1~1ly1077.
i t ! / - i.\~l~~ ~ i ~ t t t ~ ~I1?ott~i~i't~
l.i~~hl~t-c~ii,
C,I! I i.8 r ~ L'ori~p.~tiy
i~,~
(11)771*) ,.I i ~ t i ~ I ~ ~ l ~ i11/ ti'ristt
,yrllitt .s'rr~~rtii.~,:l/.
Ship Support Impro\-emrnt I'roji>ct. I.ockhccd, C.rlitorlii,i
C o m ~ , i n v I3usb.i1rL.
,
C.I. I~rlv14. 1977.
lor l < t ~ ; ~i's
tl~
I >~!'S I . I lh,~.isiorts.
I~I~
l.e>y,isticsM,~lia);~~rnt~lll
Itistitutl- (19hk) C.t,itt,ri~~
C'le,irit~::liousc tor E'cder,rl Scientific ,itid'fecli~~ir,rl
Intl>rm,itio~),
Spri~~gfit~lii.
\,'a. M,IV lqhh (A11 48.1 603)

MacGregor, R. V. (1968) Maintainability/Maintenance Relationships, Los
Angeles Maintainability Association, September 17, 1968.
Magee, John F. (1964a) Decision Trees for Decision Making, Harvard Bus. Rev.,
42(4):126-138.
Magee, John F. (1964b) How to Use Decision Trees in Capital Investment, Harvard Bus. Rev., 42(5):79-96.
A-300 B Maintenance Steering Committee (1972) European Maintenance System
Guide to Developing Initial Maintenance Programmes for Civil Air Transport,
Association of European Airlines, July 1972.
747 Maintenance Steering Group (1968) Handbook: Maintenance Evaluation and
Program Development (MSG-1), Air Transport Association, Washington,
DC, July 10, 1968.
Marsh, Robert T. (1'27h) A\.ic>nics Eyuipnrent Reliaiiility: An Elusive Objecrive,
Dcftvrrst3M~trrti.p,~trtt*rtt
1.. 12:24-29.
Martz, ti. F., jr., K. C i ~ ~ i ~ p b ,itid
e l l . t I. T. Davis (1977) Estitiit~tinp,dnd Forecasting I.ailure-mte Processes bv hlcans of thc K,ilman Filter, in i'./tl. 73tt ory tifrti
.4l~plicetiotr~
of Rt*litrljilil!i, vol. I, pp. 165-1Q2, Aca~leniicPress, Inc., New
York, NY, l W .
l i t , I F , 1 , 1 1 M. G L i t (
7 Bdycs anti Empirical B'iyes Point and
Intervdl Estim,~tionof Rcli,ibility for tlir Weihull Model, in Tilt*Tlrt3c)ry~itrtl
r\;~plic'l~tiotts
of RL-lii~l~ility . \fol. 1, pp. 203-2.33 Academir Press, Itic.. New
Yorh, NY, !Q77.
Martz, 1-1. F., )r., and h.1. S. \Y,~tcrniati(1977)
!;~I!IL~S~II~I
i\,lo~ti*l
for /2~*t~~rfrti11111~
t h ~Ol1ti1trttl Tcst St?c3ssfor 11 Sirt,q!t, ?'tbst Llttit. Trx.is Technical Universi:?,
Department of 1ndu~:trial Engineering, Lubbock, Tx, March 31, 1977 ( N R
042-320, TR-LA-UK-77-hA4, cantract N0001.I-75-C-0632).
M.isse, Pierr13 (I9h2) ~ ~ p t i t t 1~~t1, t1~ ~ ~ s t L?t*l.isio~ts:
~ ~ t c t t t R111t~s
~ L W.4t.fitv1 ~ttttii-ritt~rioi
for C'lr~ic*~*
(tr.111~.Script'i Tc:-li~~ic,~,
In(-.). I'rentict:-tiall, Inc.. Etrgit.wclud
Cliffs, N), 19h2.
M,~ttesotr,T. D, i14hb) In-service lic~li'ibility An,ilvsis: A C!tidc for 1ieJ11ci11g
XZC~intc.ti,\t~cc.
Costs . l i d spares Kcyuirenic~its. A11t1i1,il 5ytnposiunr on
Reli,ihility, SJII Fr.~n~iscc.
C'i, Id~iu.ity27. 1Qhh.
M,ittc.son, T. U. (196411) 111-service S,ifcty .in11 Reliability and the Ride of
Maintr11,incc. i;,ites lii117ber Cump.itiv 1:ourtli Annu,il I'l,itrt Engineer's
Confercnr:~,Denver. C o , hl,iv 12-lh, 19hQ.
M,~ttt.srln.'I . D. (1QhQb) Conciitioti M ~ ~ i i t o r i t i011
~ : tht> 747. Etigi~~eeritig
.11ir1
M~intt~nancc.
Cotitt~:cnce. No\.ember 5 , IsbQ.
M'ittt~sou, 1' D. (197111) Air l'r,insport h.laititei~,i~i~c
Technology Netds $1Nc\v
licgiil.iti)r\ h.lo~lcl,AIAA Cn:~icreticeon Air Tra~~sport~itioti
anri Society.
Kcv Hiscavnc. FI. June 7-Ill, 1971.
M ~ t t r s o n 'T.
. I?. (lv7111) Condition Motiitori~~g.
I'he Right H'indle, Air Tr,i~ispc'rt A:;soriatioti FAhiNTSH H~icfing,Oclolrer 5-+, 1971.
Mattcsc~u.7'.U.(1971~'1 The K e l , ~ t i u ~ ~ sbt.twt.t.n
hip
M,iinten,incc arid Operdting
S,iftbtyin Air Tr,insporl,i:ion, Stlventh t\nnu.il FAA Inter~i~itii~nal
Aviation
M.iintet~,inccSvniposiuni, Oklalio~ir,~
City, c>L 3eccmber 7-11, 1971.
hl.~ttrso:i, 'r. D. (lC)71ri) NU'i's I'iesc. of tiit. i'ie, A f A Nondestructive T e s t i ~ ~ g
Subcotilmi\tcc hlceting, Uctivtr, Co, S c p t t ~ r n b 2!),
~ r 1972.

Matteson, T. D. (19726) The Design of Modem Air Tiansport Maintenance


Programs, Association Aeronautique et Aerospatiait? Pranqaise, Paris,
France, November 6, 197:.
(1767) Current Trends in Airline MainMatteson, T. D., and F. S. '
t~:iancePrograms, AIA
.~mmercialAircraft Design and Operation Meeting, Los Ah~geles,' .. ) :12-14, 1967 (AIAA 67-374).
McCall, Ches:er, H., ,r. (1977) Statistical Design of RIM Experiments, Proc.
Anrl. Rt>linbilit!! Maintn!,~nbilityS y m p . , 1977:194-197.
McCa!l, J. J. (1967) W h e n tu Stop Sartrpling: lrritiate I'rodrrct lrrrproverirer~t,Rand
Corporation, Santa Monica, Ca, Februxy 1967 [Rand memo. RM-3014-PR,
contract AF49(638)-700, AD 272 1381.
McDonald, John F. (1363) Reliability: A Randoin Discussion? Lockheed, California Company, Service Engineering Division, Burbank, Ca, October 1963.
McDonald, John F. (1972) A Discourse on Some C ~ m p a r i s o n sbetween Commercial and Military Aircrdtt Logistics, Sevent!) Annual Convention of the
SOLE, Long Beach, Ca, August 22, 1972.
Meilon, E. G. (1972) Coping with Mair, qancc romplexities: A Manufacturer's View, FAA Maintenance Sympo:. ~ r r .ilhoma City, Ok, Ngvember
28-30, 1972.
d
Topics,
Mendenhall, William (~358) A Bibliography of Life Testing ~ n Relat~tl
Biomrtrika. 45:521-543.
Mentzer, W. C. (1968) The Evoluticn of Airline Aircraft Maintenance, Annual
General Meeting, Aeronautical Soc~etyof India, Bangalore, India, May 3,
1965.
Miller, Douglas R. (1975) A Corttir!rrit!y Tlreorer~rnrtd Sonre C u ~ r i r f ~ r c ~ ~ :for
nt~~I~.s
tlrr Tlri~or!yof Mairrtair~~d
S~lstenrs,University of h:issouri, Department of
Statistics, Columbia, Mo, LJecemller 1975 (UMC 66, contract N00014-76C-0843).
Prncfsses R I I ~
Miller, Douglas R. (1976) Alrrrost Srrre Cotrrpnriso~rsoy Rrrr~~zl~nl
Poisso.; IJrorc9ssi~szc~iili Ap/~licntior~to R~linbilit!l T / I P ( , I ! /University
,
of
Missouri. Department of Statistics, Columbia, Mo, June 1976 (L'MC 63,
con tract N00014-76-C-0843).
M~iier,Dongla$ li., and Nozer D. Singpurwalla (1977) Fnillrrc. Rntc Estirnntiorr
l l s i r r ~Rn~~dorrrSit~notlrii~g,
University of Missouri, nepartmcnt of Statistics,
Columbia, Mo, Aprii 1977 (UMC 67, contract N00014-76-C-0843).
Mnor~,,E. F., and C . E. Shannon (1956) Reliable Circuits Using Less lieliablr
lZd.'.lys, I . I'rn~rk/iirI I I S ~ . , 262(1):191--208. 262(2):281-297.
h.4-rgan, John D., N,.r!.nan B. Davi.;, hiarvin :-I. Hahn, and William I. E. Shafer
,1975) .-lccorriylr.slriir~ySlrip!/ar~i;York fcir tirr U ~ t i t c dStales N a r y : Irrstit~rtiorrs,
Systenr.~nrrri Operatiorre, vol. 1 (basic report), lnstituie for Defense Analyses,
Cost Analysis Group, Arlington, Va, August 1975 (paper P-1132, contract
DhtlC15-73-C-0200. task 81).
Morpin, jcjhii D.. horrnan B. Davis, Marvin ti. Kahn, and William J. E. Shafer
(191'5) / I t ~ i ~ ~ ~ i i r \ ~S1ripyi:rd
l ; ~ / r i ~ Work
~ , ~ for !'/ISLli~itt,iiSf11ti-5i V ~ i z yi:~ r s t i t ~ r t ; , ~ t ~ ~ ,
S!/st~.rt~..
r r r ~ rOpc~ri~lrclrrs,
~
vol. 2 (appendixes), Insti:ute for Defcnsc Analyses,
Cost t\na:ysit. Croup, Arlington, Va, Allgust 1975 (paper P-1132, contract
VAHC15-73-C-U20i', task 81): for vo!. 1 see Heinze.

~i~l
Kc})ort of tlte
Natioti,il Kc*searcli C'oit~i~il
(1'176) S z l l i i ~S~t r ~ t i ~ l iPrioiili~~s:
I'r~rrt'lorr A.lc~tlro~lt~lr)~!/
for Slirlislic-cil I'rioritiius. N,itional Rrscdrch Council,
hsscnibly c ~ M.itlicni.itical
f
.ind I'hysical Scicnccs, Coniniittce on Nation.il
St,ilistic's, W,ishingtoti, DC, 1976.
Airc-ri~fl
N,ition,il Sccul.ity Industrial Association (lq75) 1tt1pi1t.lof co~i~ii~tlrl.ii~l
A~li~~rrtt*i~~r~i~.t*
i~iril1.0~qisti1.Sr~/)/iorIc o r ~ ~ ~ ( oil
y t s I~'II, l.ifc C!/I.II* ti/ Air /'SW
b V t ~ i r ~ ~ o u ~ ! / ~/ \ Il/ ~1101.
~ r i ~Sl~id!/.
s:
I.ocklit!eil, Califostii.i Cotnp,i~iy,Burb'ink.
C.1, N1nc1i1bcr 1, 1975.
~ - I i i ~ ~ Critr.rir~.S u l i i n ~ ~
Cospoi
Nccdliatii, lan1i.s 1:. (1'179) I ' ~ ~ i l s r ~ f c - ! S l i f ~Iirrt~r~fi~~.t
r.ition, lIup,lics Ilclicopters, C'uIvcr City, Ca, Jatiuary 1975 ( H H 71-141,
cl)titr,ict llAAj02-74-C-0005, USAAMIIUL-'fH-74-IOl, AD A006 13!).
Ncl,inei, K. E. (Iqhh) FAA Prcst-nt ,ind 1:itturc Pl~ilosopliyin Regulating Aircr,lit St~.~tcl~~s.il
h-laintcn,incc I'rogsanis, F A A M'ii~*tenanreSymposium ;>n
C'c)ntinucd 12cli.ibility ot' Ts,insport-type Aircraft S~ructure,W,tsliinqton,
i X , Novcn~bcr2-4, Iqi>h.
of /\ircr11/1 .l'~ir/iii~t*
Ej~sir~t~s,
Exccu tivv
Nelson, I I<, [ lL)77) Lifts-[yc-Itsz-\iri~l~/si~:
Surnr:i,i~)-.I'sojrct Air 1:ctscc licpt., M,iscli 1977 (R-1103/1-At;).
I\;~*lscm,1. K., 1'. Konosl:c- Dcy, ct al. (11174) .\ \Vzii/~c~r~-s!~st~.rrr
LiJ~~-c-!/rl~
Orjc~ri-it-i~,:
'/?~t.:\ ' I ) I:.i\~t*r.rt.r~t.c',
li.i~id Cospo~.,ition,Santa Monica, C.1, October
lv7-1 (IZ.i~idlicpi, ii- 14.52-1'12, cotilr,ic.t I:4.L4h?(!-:.J-c-OI)ll).
of Certain
Ncvniati. 1.. ,ind I:. 5 . i'carson (1<)28) 011tlic Use ,lnd Intcrprclatio~~
I'tst ('riterid lor l ' u r p o s ~ s01 St.itistic,il Inicrcti~.c,Hio~jrt-1rtk.1,
20(1): 17.5-240,
20(7):2h3--7U4.
I
('c)tiip,isiso~~
of the- I'otcntial Eficctivcric.ss oi NunieriI
i
, I S I
0 ,
c,il I<cgul.~~osy
('olics it1 tlic I;iclJs oi ~)vcsli.iul ~'rriodicity, Airpl.inc
~ t r c t ~ ~ .~lici
t l i , :\irpl.ltic I'~riortil.ill~~,
Uliitt*ci Ais!i:i~s intertidl docwnent,
Unitcd Aisli~ics,S.in I:sa~icisco.C.1, April 14, lc)id) (1'0A-37).
nit^ I . 5. I
) Some C'onlmcnts !'crttiininl; 10 tCquipnicnt licliabilitv 'ind
kt.111itc~t1.11ic~cI'cI!I~.v.
L,111tviit i i r l ~ t i i *111ti>r11,il
~
~itti.~t~iii,~it,
L l ~ i t t ~Airltnes,
~ii
S.in I:r.~ti~~isc.o.
C'a, luly 17. IL)h5.
L3i,igr,itiis tor l.op,ii-'11 t\ti,~Iysis01
Xo\\*l,iti, I 5. (l~)i>7)'llil~G w (>I llc~l.isit\~i
h,l,iirit~~n.~~icc
I'!.og:s,i~i?s.L'nitc-ei Airlincs ititcsn.il iiocumcnt. Cltiitcii Airli~ic*s.
5,111l~'r.itic.iscct,C.,i, t \ ~ i g ~ ?,
~ s tc)h7.
t
No\vl,i~i,I:. S. (Ik)(+)) I<c\,ic~v
cii "On ('c~ticlitioii" I'liilosopl~ic:: frct:ii ,I I'i,inning
,11i1i~>p~.v,~tio~i.il
\iie~\vt>tlitit:l',i3t, I'rc-writ, I:~ttt~rcl~'iit~-c;~!li
Mevting l ~ i
!\I:\'I':\
I'ro~iuction I'l,ititii~ig ,itid C'otitrol S ~ ~ h ~ ~ n i n ~H Li t~ t~ ~ .iI ~L ~, c ' ,
~ ' ~ t p ~ ~ I .Cktol?c>s
~ v i , i , ?-.t), lc)i~O.
Ih*cision Ili.i~r.lni Apl~~.o.icli
to "On Condition" )'liilosI I I I ~S. I
0\>111t?i, . \ l l t ' ~ i l l l /'I!,<., 44( ~ ) : . ~ ? - . ~ i .
I'~lsl.~itit~
linginr Maitite11,incr I'rok;raln alid Lhc
I
I . S ( I ) \t C'~trn*t~t
l:\pc~rit~tic.c*
,it-~Il,ogic. t t } ~ \ t i\\'Iit~~liI t I < I % , . I ~t\!W1<
~ L ~ , G,IS'rt!t'.:iti~~
Ct)~ifcrt*tic.v.111dI'sotiucts Slio\v, April %-I?. Ii)73 (t\ShlH N 73-'r' h1).
Xc>\v1,11i,I:. S . (lt178) l's~*vc~~itivlhl,~ititi~ti.i~ic~:
I7,lst, I'rcsc~it, i t ~ ~ cI::tt~irc,
i
,\I/\:\ C ' I B It~~ s i ~ ~c ~i t tiI\~irt ~'I 1,1t15\~t~rt,iIioti,
l'cclitiicdl l't*rs}witi\~cs,itid 1:iwet.,~,tb. 1.0s /\ng~-lcs.C'J, ,\ut:ttst 21 -24, Ie)7ti.
> fii 1~t~ii\t~ri8iit.t3
t111 L ) ~ ~ ~ ~ ~ i i ~ r ~ ~ 1
i 1,~i;yc~-sc.t~/~*
~ 1 1 1 ~ ~ 1l'rol~;
S,\ 1 . 0 (lLli2) / ' ~ I v I ' ~ ' ~ / I ~ I , < t11
/CIII.< ~',itlibr~c~~:cs.
~ : t ~ g ~ , i tl ;il cl \ ~~ ,Ii'-%, 1072.
,

4-18 APPENDICES

Onoder.1, h.itsitshigc, Mitioru Miki, dtid Keizo Nt1h~1~1.i


(1977) l < t ~ l i , ~ l > i l i t ~
Asscssnlcnt for I l ~ > . ~ vM.~clrino'y
y
by "IiI-I~MECA" M r t l ~ o d ,PI.oI.. AIIII.
Kt-/i~i/lilit!~
~ i ~ i ~ r t t t i i ~ r.SIIIIII~,,
t ~ / ~ ~1977:34(7-352.
/il~~
Orroir StBrzlrc,~.
Di,gtsat,vol 3 1, M,irrIi 197h.
Os'iki, S.. ,111ii Ndhdg.i\v.i (1q7t>) l%ibliogr.ipliy for Kcliability and ~\v,ril.ihtlity
of Stoch'lstic Systctiis, I C I : E 'I'rrltis. lit*lrrrl~ilit!l.25:784-257 (sic).
I',ilni, C. (1943) Ititctisitdtssi-li\v.lllh 1ngc.n it11 I:c.rnsprccl~\~t~rLl~I~r,
Cril.sstirr
7iv.lrrtic.s. 44:3- 180.
I'cttigrc!:~, James L.. ,111d Kohert M. McC:osii (11177) 1)111~1r~~sfit~
< ; I I ~ I / ~ I~ ~, r r ~ i t t t ~
C.ottriifiort ,A~ortitortti,~,
~ ~ ~ i ~ i OIIC,
s i t ~ rStr.~tt*gic
i
Air C ~ ~ t ~ ~ t i iOffittl
~ i t i ~ lAir
,
I:orcc U,l:>e, Nb, Ft*bra,~ry1977
I'icritsclik.i, l:ri:li ,1063) l1~.irr,~;1~!,-~/<~~/i~r/~ilrt!~.
l ' r ~ ~ t ~ t i ~ : ~ - lltic.,
. ! ~ ~ l<t~glcll,
w o o ~ C!iits,
i
NI, l W .
I'louif. M'illi,itii 1:. (11)77) Avionic licli.ll.ili1.1 I(.;pt.ricnl.~~:,\li-104 .lnd 7SII3,
/ ) r o t . . ,4trrr. /<t~liri/~i/Il!,
~ \ l i ~ i ~ t t t t i r i ~ ~ S!/III/).,
l ~ i / i / ~ / 1977:.!00- 2 12.
' i ~t l ,o r 1 (
I 1 h.t~rsil)tt,~\~rril!/sis:
Irrlro !riist~)r!/1.c.c.lrrr.t.s,jri ('lr,iic.t9::rrirrlcr.
Ilrrt.c8r.triirrt~i.
Addison-\l'c.sIvv I'ttblisl1ing C'onipat~y.I<t..idit~g,hl.1, I%X.
I i ~ t i c iL.orpor'itioti (lL)04) / ' / ~ i ~ t ~It <
t ~t i~l ~ ~ l ~ t t ~1111t ~11r /{r~tl$~r.
1 1 ~ ~ ~ 1I<,III~
1
Corpor,ltiot~,
S.lntci M m i i c ~ Ca,
, hugitst luh4 (K.ltld liept. r'-?i?!lSj.
Kicc, john, and h l i t r r , ~Koscnbl,itt
~
(ILVh) /'~tirrr~tIIotr
t i t tiit* 1ox !4ir:*riltir /.IIII,.IIOII 111id I/,::rr~.t/ / ~ I I I ~ L ~ ! I ~St,~tistit:,~l
~II,
1'itblis~ii11gSot-icnty, L'.il~~~tlt,~,
It11li.1,
1470: rcp~.inlcd irom .Sii8~/iir!rrr(Inlli,iti It)urn,tl 01' St,~tislil.s).6;t.r. r\, vol. .3P.
}?I. I, lk)7t?.
Ilirsot, , I , 1 I . I
) I<cli,~bility.lnd 4l.rint.lin.ibilit\~ trot11 ,In Airlint.
S t , i t ~ ~ l p ~N,~tiotidl
i ~ ~ t . Air 'l'r,it~sp~rt,~!ion
nleetitig, r\pril 31-23, lQ70 (SAli
71103h).
I < ~ S ~ I ~ ~.lr~iic*
I I , ~ I(li)77\
,
< * t i ~ i ) p ~ ~ t il t: i~~l~!c~Ii,~~~ility
;
iii (:c)r)!plt%\ ?!~-!\vtirks,
5/8.\1\11. : \ r f ) t / . ~\lrrt\r..32(21:.\S4--~\~)1.
l<ubt.l, I'.ittl (1975) I5ot1s.ii: Culliv~tilipt l ~ cI . o ~ i c'l'riv. lor lic.ictor S,itcty, I'r~ir.
:\!!!I. / < i + / ! ~ ~ l~ ~\ ~ ~
1 1 i1 ~
~ 1 l1 !
1 1~1 1 1 i 1 / ~ ; ~ S!/rtt/t,
rt!/
. 1975: I.:-- I7
litttiiti~cl, K. C;,, ,IIIL~
h4. l3yrtit\ (1V.I) ;\II,I/!I~I.~ 1.11~,t~)rs
.~\il,~~~I;rr~g
li~rI111rt~
1'11sirrt~lit-l;rrllli1.11. l h ~ ~ - i tCotiip.iti\t,
~g
\'rrtol l,)ivisio~i,l'litl~:cii~l~~lii.i,
l',i,
Novct11bcr 11,?4 (I{oc.itig 117 10-10812. 1 . ~.c;t1cl..icI I~:\X101-73-L'-00;1.
USr\r?h.IKI31.-'l'lZ 74-$7).
Iiumnirl, Kirk (;.. ,111ii I I 1, h4. Stliitli (1'17.:) III~'L.~/ISIIIIIIII
a11111 :\tllrl!/.~i.i ot
/<~~~ji~/li/:t!/
:IIII/ , \ I I ~ ~ I I I ~ I I I I'~o/I/~~JII..
IIII~/~~
: \~
, ~I /~ ~ ~ ~ ~i1111i1
I I I ~:\I.IIIII
~ ~ I / :\;r,.~a!'I /:11
s~itrts.~,
I3i~c~itig
C'c)tlip,~tly,\'tv:ol l;ivisio~i, l ' l i i l ~ ~ ~ l ~ ~Ii,i,
l ~ ~~\ttgttsI
l i i , ~ , ll)-.3
(ct~titr,tl.tl)r\t\lO2-7 I - C'-005.5, L~S:\t\h~ll<l>I.l'l< 73-2s. /\I) 772 t1.50).
(
I t\n I:v.~lu,iticiii o l ( 'li,1ngc5 i l l 1 1 1 ~ 3 Li.5. N,I\ v :\ir~.r.ltt
S k ii
s
h.l,~ititi~:l,itii~il'rtigr,it~~.
t11,15tt,r'5 t I 1 ~ v . i ~ :\iitc3ril..i~i
.
L J ~ i i v t ~ r ~\l',isliiti~loti.
ity,
I X . klt1r1.h 1')77,
t

, S i i i \ I
I. ' I i l l (
I I:l-sipi o i Icl l.'tlgitii* Hotors iclr I.ong
l . i l ~ t , Sr\I; Air 'f.r,itis~~orI,~ti,)t~
Mi,~~titi!;,I I.irt1'tirii. C'f, M.iy (i.-X, 1075 (St\I;

"
/

.?uhlr)).

SECTION Dl6

449

Saunders, Sam C. (1976) A Confrontntiott of Mntltemnticnl Models for Fatigue


Life with Actrrnl Srruice Data, Washington State University, Dcpartment of
Pt.~reand Applied Mathematics, Pullman, Wa, June 1976 (AFFDL-TR-76
47).
Schlaifer, Robert (1969) Atrnlysis of Decisiotis under Unccrtninty, McGraw-Hill
Book Company, New York, NY, 1969.
Schonewise, R. H. (197l) An Apyronch to tire Desi,yrr of an Ittspectiutr Progrrim
for Motirrrr jet Transport Aircrnft Strrrcturc, United Airlines, Maintenance
Operations, San i,rancisco, Ca, February 16, 1971; rev. June 29, 1971 (MOA
145).
Shapero, Albert, et al. (1960) Htrtnntr Etrgitreerirt,q Testitrg and Maljrrtictiott Dntn
Collcrtiort br Wenpot1 Systetir Test Progrnttrs, Air Research and Development
Command, Air Development Division, Wright-Patterson Air Fotce Base,
Oh, February 1960 (WADD-TR-60-36).
Scheffey, Michael B. (1976) The Amount of a Charitable Contributicn of
Property: A Decision-tree Approach, Accorrtttiny Rev., 51(3):642-643.
Shewart, W. A. (1931) Economic Corrtrol of Quality of Manufactured Proriuct,
Van Nostrand Company, New York, NY, 1931.
Smith, Dennis E., and Robert L. Gardner (1976) A Stnell-scnlr Itrvestigntiort
of Stfitistics for D~t~~rtrrittitr~
tIt2 N ~ o n l ~ of
c r Cltlsters it1 a Dtrtn Snse. Desmatics,
lnc., State College, Pa, September 1976 (NR 102-3).
Spoormaker, Jan L. (1977) Reliability Prediction of Hairpin-type Springs,
Proc. Arrrr. Relinbility Mnirrtninnbility Syrriy., 1977:142-147.
Stone, M. E. (1965) Fatigue and Fail-safe Design of a New Jet l'ransport Airplane, lCAF Symposium on Fatigue Design Procedures, Munich, Germany,
June 16-18, 1965 (Douglas 3342).
Stone, M. E. (1973) Ainvorthiness Philosophy Developed lrom Full-scale Tesling, ICAF Biannual Meeting, London, England, July 23-25, 1973 (Douglas
6099).
Stone, M. E. and H. F. Heap (1971) Developing the DC-10 Structural Inspc~tion
Program, Seventh Annual FAA International Aviation Maintenance Symposium, Oklahoma City, Ok, 9ecenrber 7-9, 1971.
Swagcr, William L. (1972) Strategic Planning 11: Policy Options, Tec~lrtrol.
For;astitr,q, 4(4):151-172.
Taylor, 13. N., and F. S. Nowlan (1965) Turbine Engine Reliability Program,
FAA Maintenance Sy~nposiumon Continued Reliability of Transport-type
Aircraft Propulsion Systems, Washington, DC, November 17-18, 1965.
Treacy, J. J. (1977) Use of Prob.~bilityAnalysis in Aircraft Certificatiol~and
Its Effects on Maintenance and Equipment Maintenance, AlAA Aircraft
Systems and Technology Meeting, Seattle, Wa, August 22-24, 1977.
Trustee, R. (1976) Hclicq~terDrive Systcttr Otr-cottd~tiotiMair~tr.trrlnrrCnpnbility,
United Technolngies Corporation, Sikorsky Aircraft Divisioti, Stratford,
Ct, July 1976 (contract DAAJ92-74-C-0045,USAAMRDL-TR-75-57).
Tukey, John W. (1977) Esplorntory Dlrtn Attrrl!/si~,Addison-Wesley Publishing
Company, Reading, Ma, 1977.
2:423-433.
Tukey, John W. (1960) Conclusions vs Decisions, Teclt~,~~tttrr'rics.

United Airlines (1974) F4/ Maintenance Program Analysis Procedures Martual,


United Airlines, F4J Task Seleciion Team, San Francisco, Ca, September 4,
1974; rev. Mat- 21, 1975 (contract N62269-74-C-0777).
United Airlines (19750) Proposed Packaging and Sequencing Concepts for the
Organization and lnternrediate Irllairrtenance Process Activity (F4/), Repox? to
Naval Air Systems Command, United Airlines, F4JTask Selection Team,
San Francisco, Ca, August 15, 1975 (contract N62269-74-C-0777).
United Airlines (19756) Organizational and lttternredinte Level Muintenance
Program Specification, N a v y Model F-41 Aircrirft: ririal Report, vol. I discussioc report, vol. 2 analysis sheets and MRC's, Un~tedAirlines Maintenance
Operations, F4j, San Francisco, Ca, November 20, 1975 (contract N6226974-C-0777, P-00002).
United Airlines (1977) Analytical Mahitetrnnce Pro,yram for Nnvnl Aircraft: An
Evnluntiorr and Commetttury, United Airlines, Sarr Francisco, Ca, October 31,
1977 (contract N62269-76-C-0168).
U.S. Department of the Air Force (1977) Latest Reliability and Maintainability
Reports, Rome Air Development Center, Rome, NY, February 1977.
U.S. Department of the Army (1977) Analysis Guidelines for Deterntirration of
tire Maintenntrce Plan Using the Principles of Rcliability Cnrtereil Marntennrice,
app. C, Guide to Logistic Support Analysis, U.S. Army Maintenance Management Center, Lexington Ky, August 1977 (DARCOM C1, AMCP75016).
U.S. Department of Defense (1973) Logistic support Artalysis Data Element Defittitiotts, Military Standard, Department of Defense, Washington, DC,
October 15, 1973 (MIL STD 1388-2).
U.S. Department of Defense (1974) Etlgitleeriny Mnnn,gentent. Military Standard,
Department of Defense, Washington, DC, May 1, 1974 [MIL STD 499A
(USAF)].
U.S. Department of the Navy (1975) Maintenance Plan Analysis Guide for Inservice Nnval Aircraft: Managemerrt Manual, Naval Air Systems Command,
Washington, DC, August 1, 1975 (NAVAIR-00-25-400).
1I.S. Department of the Navy (197611) Atrnlyticnl Maintnrnnce Prograttr Sclredtrled Mainfe~ti~)tce
Eti.girrei~rir;gAnalysis Procedures for the F-14/A-6 Series
Aircraft and the TF30 Ettgitre. Specification, Naval Air Rework Facility,
Norfolk, Va, February 1976 (NARF NORVA AE-327).
U.S. Department of the Navy (1976b) Llser's Guide: Logistic Strpport Atinlysis,
Ship Support Improvement Project PMS 306, Naval Sea Systems Command,
October 1976.
Von Neumann, I., and 0. Morg2nstel.n (1944) Tlrcory of Gnnres and Ecot~onric
EL*llitvior,Princeton University Press, Princeton, NJ,1944.
Wald, Abraham (1947) Srqrreritral A~inlysis,john Wiley 5t Sons, Inc., New York,
NY, 1947.
WalJ, Abraham (1950) Stntisticnl Decisiorr I.'utrctiotrs, John Wiley & Sons, Inc.,
NEWYork, NY, 1950.

Waller, R. A, and H. F. Martz (1977) A Bayesian Zero-failure ( B A Z E ) Reliability


Demonstration Testing Ptocedure for Components of Nuclear Reactor Safety
Systems, Los Alamos Scientific Laboratory, Los Alamos, NM, June 1977
(LA 6813-MS).
Weibull, W. (1939) A Statistical Theory of the Strength of Material, Ing.
Vetenskaps Akad. H ~ n d l . vol.
,
151.
Weibull, W. (1951) A Statistical Distribution Function of Wide Applicability,
/. Appl. Medrarr., 18:293-297.
Weiss, U. W., and D. h1. Butler (1965) Applied Reliability Analysis, Trans.
A S M E Sixth joint Control Conf., 1965:848-856.
Wheelwright, S. C. (1975) Applying Decision Theory to Improve Corporate
Management of Currency Exchange Risks, Calif. Management RL-v., 17(4):
41-49.
Whit-house, G. E. (1974) Network Flow Analysis, 111, Using Decision Flow
Networks, Ind. Erig. ( U S A ) , 6(7):18-25.
Winter, a. B., et al. (1964) Accelerated Life Testing of Guidance Components, pp.
64-235, North American Aviation, Autometics Division, Anaheim, Ca,
1964 (A1 TDR).
Zelcn, Marvin (ed.) (1963) Stntistical Ilrcory of Reliability, University of Wisconsin Press, Madison, Wi, 1963.
Zipperer, John, Gavin Jenney, and Jerry Bryant (1975) Flight Control System
Reliability arid Mairrliairiability l~ivestigations,Bell Helicopter Company, Fort
Worth, Tx, March 1975 contra^ ! DAAJ02-73-C-0026, USAAMRDL-TR-7457).

------..--.-..%...-

ii.

actuarial analysis Statistical analysis of failure data to determine the
age-reliability characteristics of an item.
age The measure of a unit's total exposure to stress, expressed as the
number of operating hours, flight cycles, or other stress units since new
or since the last shop visit.
age exploration The process of collecting and analyzing information
from in-service equipment to determine the reliability characteristics
of each item under actual operating conditions.
age at failure The age at which the failure of a specific unit of an item
is observed and reported (see average age at failure).
age-reliability characteristics The characteristics exhibited by the
conditional-probability curve which represents the relationship between the operating age of an item and its probability of failure (see
actuarial analysis, conditional probability of failure).
airworthiness directive A Federal Aviation Administration directive
that defines the scheduled maintenance tasks and intervals necessary
to prevent a specific type of critical failure. The directive is issued after
operating experience has shown that the equipment is exposed to such
a failure, and the specified maintenance must be continued until hardware modifications eliminate the need for it.
analysis and surveillance See age exploration.
analysis systems One of the various information systems employed
for monitoring the performance and reliability of equipment in operation.
applicability criteria The specific set of conditions that must characterize the failure behavior of an item for a given type of maintenance
task to be capable of improving its reliability (see effectiveness criterion).

GLOSSARY

auditing The systematic review of the RCM decision-making process
by an independent observer.
average age at failure The average of the failure ages of all failed units
of an item.
average availability The expected availability of a hidden function,
given a specified failure-finding task interval.
average realized life The expected life of an item, computed on the
basis of total removals and total exposure of all units of the item (see
survival curve).
bathtub curve A conditional-probability curve which represents the
age-reliability relationship of certain items, characterized by an infant-mortality region, a region of relatively constant reliability, and an
identifiable wearout region.
borescope inspection A maintenance technique that employs an optical
device (borescope) for performing visual inspections of internal parts
of an assembly, usually through ports provided for that purpose.
class number A number that is the lowest of the individual ratings
for a structurally significant item or a zone, used to determine the
relative length of inspection intervals (see structural ratings).
complex item An item whose functional failure can result from any
one of numerous failure modes (see simple item).
condition-monitoring process In current regulatory usage, a maintenance process characterized by the absence of scheduled-maintenance
tasks. Items (including those with hidden functions) remain in service
until a functional failure occurs, and their overall reliability is monitored
by analysis and surveillance programs (see no scheduled maintenance,
failure-finding task).
conditional overhaul A maintenance practice for returning the time-since-overhaul measure to zero, in which the content of the work varies
according to the condition of the unit when it arrives in the shop. This
can be as little as a postoverhaul performance test or as much as complete
disassembly and remanufacture.
conditional probability of failure The probability that an item will
fail during a particular age interval, given that it survives to enter that
interval (see probability density of failure).


consequences of failure The results of a given functional failure at the
equipment level and for the operating organization, classified in RCM
analysis as safety consequences, operational consequences, nonoperational consequences, and hidden-failure consequences.
corrective maintenance The replacement or repair of failed items (see
scheduled maintenance).
corrosion The gradual deterioration of a metal or alloy as a result of
chemical interaction with its environment.
cost effectiveness Referring to a favorable cost-benefit ratio; the criterion of task effectiveness in preventing any functional failure that has
economic, but not safety, consequences (see effectiveness criterion).
cost of failure For a failure that has operational consequences, the
combined cost of the operational consequences and the cost of corrective
maintenance; for a failure that has nonoperational consequences, the
direct cost of corrective maintenance.

cost-tradeoff study See economic-tradeoff study.
crack initiation The first appearance of a fatigue crack in an item
subject to repeated loads, usually based on visual inspection, but sometimes based on the use of nondestructive testing techniques.
crack-propagation characteristics The rate of crack growth, and the
resulting reduction in residual strength, from the time of crack initiation
to a crack of critical length.
critical crack length The length of a fatigue crack at which the residual
strength of the item is no longer sufficient to withstand the specified
damage-tolerant load.
critical failure A failure involving a loss of function or secondary
damage that could have a direct adverse effect on operating safety (see
safety consequences).
critical failure mode A failure mode whose ultimate effect can be a
critical failure.
D check See letter check, major structural inspection.
damage Physical deterioration of an item from any cause.
damage-tolerant structure Structure whose residual strength enables
it to withstand specified damage-tolerant loads after the failure of a
significant element (in some cases the failure of multiple elements).
decision diagram In RCM analysis, a graphic display of the decision
process, in which the answers to an ordered sequence of yes/no questions lead to an identification of the appropriate maintenance action for
an item.
default answer In a binary decision process, the answer to be chosen
in case of uncertainty; employed in the development of an initial
scheduled-maintenance program to arrive at a course of action in the
absence of complete information.
direct effect of failure The physical effects resulting from a single
failure which will be felt before the planned completion of the flight.
discard task The scheduled removal of all units of an item to discard
the item or one of its parts at a specified life limit; one of the four basic
tasks in an RCM program.
dominant failure mode A single failure mode that accounts for a
significant proportion of the failures of a complex item.
economic consequences The only consequences of a functional failure
which is evident to the operating crew and has no direct effect on
operating safety (see cost of failure, operational consequences, nonoperational consequences).
economic-life limit A life limit imposed on an item to reduce the frequency of age-related failures that have economic consequences (see
safe-life limit).
economic-tradeoff study A cost study to determine whether a proposed
course of action is cost-effective.
effectiveness criterion The criterion for judging whether a specific task
would be capable of reducing the failure rate to the required level for
the appropriate consequence branch of the decision diagram (see
applicability criteria).
engine flameout The cessation of the combustion process in a turbine
engine, resulting in a complete loss of function of that engine.
engine shutdown Controlled shutdown of an engine by the pilot as a
response to evidence of unsatisfactory conditions.
event-oriented inspection A special on-condition inspection following
the occurrence of a specific event that may have caused damage.
event-oriented system One of the various information systems employed in the aircraft industry for collecting data on specific failure
events.
evident function A function whose failure is evident to the operating
crew during the performance of normal duties.
exposure to stress See age.
external structural item Any portion of the structure that is visible
without the opening of quick-access panels or the removal of covering
items.

fail-operational system A system whose complete functional capability
remains available to the equipment without interruption when failures
occur within it.
fail-safe system A system whose function is replicated, so that the
function will still be available to the equipment after failure of one of
its sources.
failure An unsatisfactory condition; any identifiable deviation of the
condition or performance capability of an item from its new state that
is unsatisfactory to a particular operating organization (see functional
failure, potential failure).
failure data The reports of failure events, their causes, and their
consequences.
failure effects The immediate physical effects of a functional failure
on surrounding items and on the functional capability of the equipment,
the principal determinant of failure consequences (see direct effect of
failure).
failure evidence An identifiable physical condition by which the
occurrence of a functional failure or a potential failure can be recognized.
failure-finding task Scheduled inspections of a hidden-function item
to find functional failures that have already occurred but were not
evident to the operating crew; one of the four basic tasks in an RCM
program.
failure mode The specific manner of failure; the circumstances or
sequence of events which leads to a particular functional failure.
failure observer The person who is in a position to observe a failure,
recognize it as such, and report it for correction.
failure process The interaction of stress and resistance to failure over
time.
failure rate The ratio of the number of failures of an item during a
specified period to the total experience of all units in operation during
that period, usually expressed as failures per 1,000 operating hours.
failure substitution In maintenance, the use of a potential failure to
preempt a functional failure; in design, the use of an item whose failure
has minor consequences to preempt a failure that would have major
consequences.
fatigue Reduction in the failure resistance of a material over time as a
result of repeated or cyclic applied loads.

fatigue life Far ,In item subject to i<itigi~e,the t ~ t i l ltime to crack


initi.~tion(see c.rtt1.k i~titictticvt.cntc-k-pn)prt$cttio~tc~hrtritc~t~risti~~s).
fleet-lewder concept 'The cu~rcentr~~tion
of s.~n\pleinspections on the
pic-cs of cqiiipment which have the highest operatin8 ages to identifv
the first e\~iclt~nc'e
of changes in their conclitiotr with incre,~singage.
flight cycles A me,\sun. of expcrz;ureto the st~vsses,rsscwictted with the
conrii~ctof it~dividualflights, exprt\ssed 11s the number ot' ground-nir
cycles,
flight hours c\ measure oi irperdtins b\gc:t.ai~wssedds the ~runrtrerof
opeluting Iroirrs CIVIII t,\keoff to I<u\dinp,
flight log In comnrt.n.i,~l,~\~i,\tion,
the lrffici,~lrwonl of each tlight. the
prima~yco~nn~itniccrtion
link betwren the oper,rting crew ,\ndthe nuintt~t\,\llt't'e1\\\v,

forced sample An inspection sample obtained by special disassembly
solely for access to that item (see opportunity sample).
function The normal or characteristic actions of an item, sometimes
defined in terms of performance capabilities.
functional failure Failure of an item to perform its normal or characteristic actions within specified limits.
functionally significant item An item whose loss of function would
have significant consequences at the equipment level (see structurally
significant item).

hard-time process In current regulatory usage, scheduled removal of
all units of an item before some specified maximum permissible age
limit.
hidden-failure consequences The risk of a multiple failure as a result
of an undetected earlier failure of a hidden-function item; one of the
four consequence branches of the RCM decision diagram.
hidden function A function whose failure will not be evident to the
operating crew during the performance of normal duties.
hidden-function item Any item whose functions include a hidden
function.

improvable failure rate The difference between the failure rate of an
item on newly designed equipment and the expected failure rate after
product improvement to eliminate the dominant failure modes; this
reduction in the failure rate is generally exponential and can be
predicted from early failure data.

imputed cost The economic value assigned to operational consequences as an opportunity cost.
infant mortality The relatively high conditional probability of failure
during the period immediately after an item enters service.
inherent reliability level The level of reliability of an item or of equipment that is attainable with an effective scheduled-maintenance program.
inherent reliability characteristics The design characteristics of an
item that determine its inherent level of reliability, including the
characteristics that determine the feasibility and cost effectiveness of
scheduled maintenance.
inherent safety level The level of safety of an item or of equipment
that is associated with its inherent reliability level.
initial maintenance program The scheduled-maintenance tasks and
associated intervals developed for new equipment before it enters
service.
initial task intervals The task intervals assigned in a prior-to-service
maintenance program, subject to adjustment on the basis of findings
from actual operating experience.
inspection task A scheduled task requiring testing, measurement, or
visual inspection for explicit failure evidence by maintenance personnel (see on-condition task, failure-finding task).
internal structural item Any portion of the structure whose inspection
requires the opening of access doors or the removal of covering items.
item Any level of the equipment or its sets of parts (including the
equipment itself) isolated as an entity for study.
items that cannot benefit from scheduled maintenance Items for
which no maintenance tasks can be found that are both applicable and
effective.
letter check In the airline industry, the alphabetic designations given
to scheduled-maintenance packages.
life See conditional probability of failure, probability of survival.

life-limit task A scheduled discard task (see safe-life limit, economic-life
limit).
line maintenance Scheduled and corrective work performed by mechanics at a line station that has been designated as a maintenance station,
usually consisting of inspection tasks that can be performed on items
in their installed position and the replacement, rather than repair, of
failed units (see shop maintenance).
lubrication tasks Scheduled tasks to assure the existence of completeness of lubrication films; usually performed at intervals specified by
the manufacturer.
maintainability The ease with which scheduled or corrective maintenance can be performed on an item.
maintenance base The major maintenance facility of an operating
organization, staffed and equipped to perform shop maintenance and
heavy maintenance on the equipment itself (see shop maintenance).
maintenance package A group of maintenance tasks scheduled for
accomplishment at the same time.
Maintenance Review Board A designated group of FAA inspectors,
each with specialized skills, which is charged with the responsibility
of approving the initial maintenance program for a new commercial
transport aircraft.
maintenance station A line station staffed and equipped to perform
line maintenance (see line maintenance).
major structural inspection The maintenance visit that includes inspection of most structurally significant items, called the D check in the
airline industry.
mean time between failures The ratio of total operating experience
of all units of an item during a specified period to the number of failures
during that period; the reciprocal of the failure rate.
monitoring system One of the various information systems employed
in the aircraft industry, consisting of periodic summaries of the reliability data reported by event-oriented systems.
MSG-1 A working paper prepared by the 747 Maintenance Steering
Group, published in July 1968 under the title Handbook: Maintenance
Evaluation and Program Development (MSG-1); the first use of decision-diagram techniques to develop an initial scheduled-maintenance program.

MSG-2 A refinement of the decision-diagram procedures in MSG-1,
published in March 1970 under the title MSG-2: Airline/Manufacturer
Maintenance Program Planning Document; the immediate precursor of
RCM methods.
multiple failure A failure event consisting of the sequential occurrence
of two or more independent failures, which may have consequences
that would not be produced by any of the failures occurring separately
(see hidden-failure consequences).
no scheduled maintenance A maintenance term used to categorize
items that have been assigned no scheduled tasks, either because they
cannot benefit from scheduled maintenance or because the information
necessary to determine the applicability and effectiveness of a proposed
task must be derived from operating experience.
nonoperational consequences The economic consequences of a failure
that does not affect safety or operational capability, consisting of the
direct cost of corrective maintenance; one of the four consequence
branches of the RCM decision diagram.
nonsignificant item An item whose failure is evident to the operating
crew, has no direct effect on safety or on the operational capability of
the equipment, and involves no exceptionally expensive failure modes;
nonsignificant items that have no hidden functions are assigned to no
scheduled maintenance in an initial maintenance program.
on-condition process In current regulatory usage, scheduled inspections, tests, or measurements to determine whether an item is in, and
will remain in, a satisfactory condition until the next scheduled inspection, test, or measurement (see on-condition task).
on-condition task Scheduled inspections to detect potential failures;
one of the four basic tasks in an RCM program.
operating crew In the airline industry, the flight and cabin crew, the
primary source of reports of functional failures.
operating information Reliability information derived from actual
operating experience with the equipment after it enters service.
operational consequences The economic consequences of a failure
that interferes with the planned use of the equipment, consisting of the
imputed cost of the lost operational capability plus the cost of corrective
maintenance; one of the four consequence branches of the RCM decision
diagram.
opportunity sample An item available for inspection at the maintenance base during the normal disassembly of failed units for repair.
overhaul In current regulatory usage, the maintenance operations
which form the basis for returning the measure of time since overhaul
to zero, accomplished by the shop as specified in the overhaul manual
(see conditional overhaul, rework task).
partitioning process The process of dividing complex equipment into
convenient entities for analysis.

performance requirement The standard of performance for an item
defined as satisfactory by an operating organization.
phase check A maintenance package subdivided into sets of tasks to
be accomplished at successive occasions of a more frequent lower-level
check.
potential failure An identifiable physical condition which indicates
that a functional failure is imminent.
powerplant division One of the three major divisions of an aircraft,
consisting of the basic engine and in some cases including the thrust
reverser and other quick-engine-change parts.
preload An unintended sustained-load condition caused by design,
fabrication, or assembly errors.
premature removal Unscheduled removal of a unit because of a suspected or actual potential or functional failure.
preventive maintenance See scheduled maintenance.
prior-to-service program See initial maintenance program.
probability density of failure The probability that an item will fail
in a defined age interval; the difference between the probability of
survival to the start of the interval and the probability of survival to
the end of the interval (see conditional probability of failure).
probability of survival The probability that an item will survive to a
specified operating age, under specified operation conditions, without
failure (see survival curve).
product improvement Design modifications of an existing item to
improve its reliability, usually in response to information derived from
operating experience after the equipment enters service.
purging The periodic review of a scheduled-maintenance program to
eliminate tasks that are superfluous or no longer effective.
RCM analysis Use of the RCM decision diagram to analyze the
maintenance requirements of complex equipment according to the
consequences of each failure possibility and the inherent reliability
characteristics of each item.
RCM program A scheduled-maintenance program consisting of a set of
tasks each of which is generated by RCM analysis.
RCM task A scheduled-maintenance task which satisfies the specific
applicability criteria for that type of task (see on-condition task, rework
task, discard task, failure-finding task).
reduced resistance to failure Physical evidence of a deterioration in
the condition or performance of individual units of an item which can
be used to define a potential-failure condition for that item (see wearout
characteristics).
redundancy The design practice of replicating the sources of a function
so that the function remains available after the failure of one or more
items.
reliability See probability of survival.
reliability-centered maintenance A logical discipline for developing a
scheduled-maintenance program that will realize the inherent reliability levels of complex equipment at minimum cost (see RCM analysis).
reliability data All the failure data, inspection findings, and other
information derived from the actual service history of each item.
reliability function See survival curve.
reliability growth The improvement in the reliability of a new item
as a result of product improvement after the equipment enters service
(see improvable failure rate).
reliability index One of several quantitative descriptions of failure
data (see failure rate, probability density of failure, probability of survival,
conditional probability of failure).
residual failure rate The remaining failure rate of an item after all
applicable and effective scheduled-maintenance tasks are performed.
residual strength The remaining load-carrying capability of a damage-tolerant structural assembly after the failure of one of its elements
(see damage-tolerant structure).
resistance to failure The ability of an item to withstand the stresses
to which it is exposed over time (see reduced resistance
to failure).
rework task The scheduled removal of all units of an item to perform
whatever maintenance tasks are necessary to ensure that the item
meets its defined condition and performance standards; one of the four
basic tasks in an RCM program (see overhaul).
safe-life limit A life limit imposed on an item that is subject to a
critical failure, established as some fraction of the average age at which
the manufacturer's test data show that failures will occur.
safe-life structure Structure that it is not practical to design to damage-tolerant criteria; its reliability is protected by conservative safe-life
limits that remove elements from service before failures are expected.


safety consequences The consequences of a functional failure that
could have a direct adverse effect on the safety of the equipment and
its occupants; one of the four consequence branches of the RCM decision diagram.
scheduled maintenance Preventive-maintenance tasks scheduled to
be accomplished at specified intervals (see corrective maintenance).
scheduled removal Removal of a serviceable unit at some specified age
limit to perform a rework or a discard task (see premature removal).
secondary damage The immediate physical damage to other parts or
items that results from a specific failure mode.
servicing tasks Scheduled tasks to replenish fluid levels, pressures,
and consumable supplies.
shop maintenance Scheduled and corrective work performed by
mechanics at the maintenance base, usually consisting of inspection
tasks that require disassembly of the item, scheduled rework and discard
tasks, and the repair of failed units removed from the equipment at line
maintenance stations (see line maintenance).
significant item An item whose functional failures have safety or major
economic consequences (see functionally significant item, structurally
significant item).
simple item An item whose functional failure is caused by only one
or a very few failure modes (see complex item).
spectrum hours The current flight history of an aircraft structure
expressed in terms of the spectrum loading pattern used in the manufacturer's original fatigue tests.
stress The interaction of an item with its environment; the physical
processes that reduce resistance to failure.
stress corrosion Spontaneous collapse of metal with little or no macroscopic signs of impending failure, caused by the combined effects of
environment and tensile stress.
structure division One of the three major divisions of an aircraft,
consisting of the basic airframe and its load-carrying elements.
structural inspection plan The set of on-condition tasks and their
intervals assigned to structurally significant items.
structural ratings Individual ratings for each of the factors affecting
the failure resistance of a major structural assembly, used to determine
the class number that defines the relative length of maintenance intervals (see class number).
structurally significant item The specific site or region that is the best
indicator of the condition of a structural element whose failure would
result in either a material reduction in residual strength or the loss of a
basic structural function.
survival curve A graph of the probability of survival of an item as a
function of age, derived by actuarial analysis of its service history.
The area under the curve can be used to measure the average realized
age (expected life) of the item under consideration.
system A set of components and their connecting links that provide
some basic function at the equipment level.
systems division One of the three major divisions of an aircraft, consisting of all systems items except the powerplant.
task An explicit scheduled-maintenance activity performed by mechanics.
teardown inspection The complete disassembly of a serviceable item
that has survived to a specified age limit to examine the condition of
each of its parts as a basis for judging whether it would have survived
to a proposed higher age limit.
technologically useful life The length of time equipment is expected
to remain in service before technological changes in new designs render
it obsolete.
time-expired unit A serviceable unit that has reached an age limit
established for that item.
time-extension sample A unit designated for special analysis of inspection findings as the basis for extending task intervals.
time since last shop visit The operating age of a unit since its last shop
visit for repair or rework.
time since overhaul The operating age of a unit since its last overhaul; in current usage, time since last shop visit.
time since rework The operating age of a unit since it was last reworked.
unverified failures Units removed from the equipment because of
suspected malfunctions and subsequently determined by shop inspections and tests to be in an unfailed condition.


verified failures Units confirmed to have experienced a functional
failure.
walkaround inspection Scheduled general inspection by line mechanics of those portions of the equipment that are visible from the ground,
used as a vehicle for certain specific on-condition tasks.
wearout characteristics The characteristics of a conditional-probability
curve that indicate an increase in the conditional probability of failure of
an item with increasing operating age (see reduced resistance to failure).
wearout region The portion of the conditional-probability curve that
shows a marked increase in the conditional probability of failure
after an identifiable age.
zero-time To restore the operating age of a unit to zero by means of
inspection, rework, or repair.
zonal-installation inspections Scheduled general inspections of the
installed items in each geographic zone, including inspection of those
portions of the internal structure that can be seen with all installations
in place.


A check, 109-110, 285-286,316-319


Acceleration recorders, 34
Accident statistics, 338-339
Accidental damage, 114, 129, 238
effect on fatigue life, 84, 235
Accidental-damage ratings, structurally significant
items, 241-246
zonal installation, 281
Actuarial analysis, 39-48, 57-58, 123- 126, 390-415,
data from defined calendar period, 395-402
homogeneous population, 395-408
to justify rework tasks, 48, 325-326, 953
life-test data, 391-395
limitations of, 390-391
mixed population, 124-126, 408-411
smoothing problem, 402-408
useful probability distributions, 411-416
uses in age exploration, 123-126, 227
see also age-reliability relationship
Actuator endcap, flight-control system, 161
landing gear, 191-192, 311-312
Age, 33
measures of, 33-34
operating age, 304, 408-400
Age at failure, 35, 393
complex items, 38-39, 47
simple items, 35-37, 48, 60
see also average age at failure, probability of
survival
Age distribution of operating fleet, 105, 123

Age exploration, 106-108, 113, 114-115, 292,


actuarial analysis, 123-126
to adjust task intervals, 122, 192-193, 324-325
to determine applicability of rework tasks, 57,
224-225, 305-336, 309-31!, 325-316, 3b1

to identify needs for product improvement,
128-135

information requirements, 155, 233-297, 367-368


opportunity sampling, 108, 224, 225, 307, 314, 315
powerplant items, 106-107, 224-217,312-316
structural items, 107, 273, 275, 316-323
systems items, 107-108, 192-193, 308-312
Age-exploration cycle, 155-156, 325
Age grouping, 403
Age intervals, 398
Age limit, applicability of, 46-48, 56-61, 390-391
effect on age exploration, 225, 227, 307
effect on average realized life, 41-42, 57-58
effect on inventory problems, 325, 417-119
effect on failure rate, 44-45
see also discard tasks, rework tasks, scheduled
overhaul
Age-reliability relationship, 40-49
characteristics of complex items, 46-49
characteristics of simple items, 47-48, 3h
dominant failure modes, 48, 57, 118-119,
310, 319

probability of survival, 40-42


wearout characteristics, 43-44, 47
Age-reliability relationships, Boeing 727 constant-speed drive, 303-305


Boeing 727 generator, 310
General Electric CF6-6 engine, 124-125
patterns of, 46-48
Pratt & Whitney JT8D-7 engine, 44, 226
Pratt & Whitney R-2800 CA-15 engine, 374
Wright R-3350 TC-18 engine, 374
Air Transport Association, 5, 386-387
Airborne integrated data system (AIDS), 127
Airbus Industrie A-300, 5, 386
Air-conditioning pack, Douglas DC-10, 164-170
Aircraft maintenance information system, 290
Airplane overhaul, 249, 274
see also major structural inspections
Airworthiness, see safety levels
Airworthiness directives, Boeing 747, floor-beam
inspection, 322-323
history of, 135-136
Airworthiness requirements, powerplants, 195
structure, 230-231
systems, 339-340
Alert rate, chronic maintenance problems, 301
engine shutdown, 377
failure, 382
Alert system, safety, 135, 247
see also information systems
Analysis of failure data, 301-307
see also actuarial analysis
Analysis and surveillance program, FAA, 154
Applicability criteria for maintenance tasks, 49,
50-51, 68-69, 142,359-360
discard tasks, economic-life, 60-61
safe-life, 59-60
failure-finding tasks, 62-63
on-condition tasks, 51-57
rework tasks, 56-58
Applied loads, 36, 228, 230-231, 331
Auditing process, 152, 157, 350-369
analysis of equipment, "02-36"
decision process, 354-362
ongoing program, 367-368
packaging, 367
powerplant analysis, 3b3-364
program-development project, 351-354
programs for in-service aircraft, 368-369
structure analysis, 364-366
systems analysis, 362-363
Average age at failure, 38-39, 60, 14.3, 093, 412
Average fatigue life, 243, 320

Average realized life, 42- 44


Average stress level, 37
B check, 109-110, 285-287, 28R
Bathtub curve, 45, 47
see also conditional probability of failure
Bearing failure, accessory drive, Pratt & Whitney
JT8D-7, 207, 211-213
elevator, Douglas DC-8, 326-327
generator, Boeing 727, 126, 309-310
Bird strike, see accidental damage
Boeing 720, hydraulic system, 384
Boeing 727, automatic-takeoff thrust control, 340
constant-speed drive, 303-306
generator, 126, 309-310
MSG-2 review of systems program, 344-345
rate of fleet growth, 105
Boeing 737, hydraulic system, 385
powerplant, see Pratt & Whitney JT8D-7 engine
shock strut, main landing gear, 12
Boeing 747, airworthiness directives, 135-137
change-order authorizations, 135-137
failure reports by operating crew, 21
floor-beam failure, 322
high-frequency communications subsystem,
186-190
initial maintenance program, 5
maintenance manhours, 74-75
maintenance-package contents, 288-289
major structural inspections, 6, 274-275
overhaul (rework) items in initial program, 192
purging of maintenance program, 328
rate of fleet growth, 105
toilets, on-condition task for, 308-309
zone numbering system, 279
Borescope inspections, 52, 71, 76, 127, 196
Brake assembly, main landing gear, Douglas DC-10,
12, 178-186
Brake wear indicator, 179, 183
Broomstick check, 71
Built-in test equipment, 150, 163, 303
C check, 109-110, 285-287, 288-289
C-sump problem, General Electric CF6-6, 313
Cancellations, see operational consequences
Certification, new aircraft, 106, 231
new engines, 199
Change-order authorizations, Boeing 747,
135-137

Chronic maintenance problem, 301,303


Class number, structurally significant items, 244-295
zonal inspections, 280-281
see also structural inspection plan
Cockpit instrumentation, 34, 61, 127, 159, 163,
196, 357
Combustion chambers, 216
Communications system, high-frequency,
Boeing 747, 186-190
Complex equipment, maintenance-redesign cycle,
156,324-327
reliability problems in, 9-11, 388
role of product improvement in development,
75-77, 128-137
Complex items, 37
age-reliability characteristics, 47-48
average age at failure, 36-39
dominant failure modes, 38, 119
Component Reliability Program, 378
Compressor, assembly, 121
blades, 12,216
disks, 118
rear frame, 12
see also turbine blades
Concorde, 5, 386
Condition-monitoring process, 05-66,345
Conditional overhaul, 72,383
Conditional probability of failure, 43-44, 398
patterns of, 46-48
see also age-reliability relationship
Conditional-probability curve, 43
Configuration deviation list (CDL), 163,358
Consequences of failure, 25-31
delayed, 88-89
effectiveness criteria for tasks, 51, 8649,
91-96,360
evaluation of, 86-89,357-358
hidden-failure consequences, 28
impact on maintenance decisions, 7, 25, 104,
116-171, 293
as inherent reliability characteristic, 104,342, 388
multiple failures, 29-30
nonoperational consequences, 27-28
operational consequences, 27,85
role of design, 11, 75-76,85, 140-141,159-161,
230-237, 342,347, 388
safety consequences, 25-26
Constant-speed drive, Boeing 727, 303-306
Douglas DC-8, 378

Controller, see maintenance controller


Corrective maintenance, 11
cost of failure, 27,95-96
deferral of, 13, 22, 30, 88-89, 249
Corrosion, 236
effect on fatigue life, 84,236
environmental factors, 236, 237, 243,248
prevention, 236, 312
stress corrosion, 236
Corrosion ratings, structurally significant items,
243-241
Cost data, see economic-tradeoff study
Cost of default decisions, 98-99
Cost of failure, see economic consequences
Cost effectiveness, 52, 70,98-103, 130-134
of basic tasks, 67-60
as criterion of task effectiveness, 52,57-58, 61,
63,68-69,95-96, 102,363
determination for applicable task, 100-103
determination for product improvement,
130-134,323
impact of inherent reliability characteristics,
103-104
Cost-tradeoff analysis, see economic-tradeoff study
Crack, see fatigue crack
Crack initiation, 233
see also fatigue life
Crack-propagation characteristics, 106-107, 208,
232-233
Crack-propagation ratings, structurally significant
items, 241-246
Crew, see operating crew
Critical crack length, 233, 248, 323
Critical failures, 26
powerplant items, 85-86, 116-117, 194, 198,204,
205-211,313,358
product improvement, 128-137
structural items, 84,128-229,230, 252-257
systems items, 158, 161, 170-178
unanticipated, 115, 116-118, 135-136, 293
see also safety consequences
Cumulative failure number, 402-404
Cyclic loads, see applied loads
D check, 249, 252, 285-287, 289,319-320
Daily operations report, 296
Damage, see accidental damage, reduced
resistance to failure
Damage-tolerant (fail-safe) design, 234,320

Damage-tolerant strength, 233-234, 242, 335-336
Damage-tolerant structural items, 237, 239,
253-254, 256-257
see also structural inspection plan, structures
Data elements for analysis, see information
requirements
Decision-diagram approach, history of, 4-6, 784,
385-386
MSG-1, 4-5, ,785-386
MSG-2, 5, 386
Decision diagrams, cost effectiveness of product
improvement, 132
cost effectiveness of applicable task, 101
evaluation of failure consequences, 88
evaluation of proposed tasks, 90
RCM decision diagram, 92-93, 143, i60, 209,212, 2.53
structural inspection plan, 240
Decision making, in absence of information,
79, 97-99
bounding of problem, 78, 1.14, 152
RCM decision process, 86-99
see also RCM analysis
Decision worksheet, 151-153
Default decisions, 95-96, 97-99
cost of, 99, 105
failure-finding tasks, 62
role of default strategy, 97, 361
Deferred repairs, 13, 22, 30, 88-89, 249
Delays, see operational consequences
Delay and cancellation summary, 294, 2.19
Depot, see maintenance base
Design, damage-tolerant, 234
fail-operational, 160
fail-safe, 159
safe-life, #234
see also consequences of failure
Design changes, see product improvement, redesign
Design characteristics, complex equipment, 9-11,
75-76, 140-141, 161, 347
powerplant items, 7b, 196-199, 2n1
structural items, 75-76, 229, 230-277
systems items, 75-76, 159-161, 163
Design goals, performance capabilities, 10
structural, 235, 247-248
Design loads, .?30-211, 234
Design-maintenance partnership, 24, 135-136,
153-157, 341-342
Detailed inspections, structurally significant

items, 238
Detection of failures, 20-24
failure-finding tasks, 50, 61, 190-191
on-condition tasks, 50, 51-32
role of the operating crew, 20-22
verification of failures, 22-24, 125
see also evidence of failure
Deterioration, see reduced resistance to failure
Developmental testing, powerplant items, 190
safe-life limits, 59-60
structural items, 231, 248
see also test data
Diagnostic techniques, see inspection technology
Discard tasks, 50, 58-61, 359-360
applicability criteria, economic-life, 61, 98
safe-life, 59, 98, 359-360
characteristics of, 66, 68-6U
control of critical failures, 58-60, 68, 381, 388
cost effectiveness, 58, 61, 68-69, 911
task intervals, see safe-life limits
Dispatch reliability, 135, 370
see also operational consequences
Dominant failure modes, 38
applicability of age limit, 48, 57, .?,lo
effect of product improvement, :19, 227
Douglas A-4 fuel pump, 12, 170-178
Douglas DC-8, cabin compressor, 378
constant-speed drive, 378
elevator bearings, 326-327
freon compressor, 378
generator and bus-tie relay, 310
hydraulic pump, 378-379
major structural inspections, b, 276 -7-75
overhaul (rework) items in initial program, 5, 372
premature-removal rate of systems items, 373
Douglas DC-10, air-conditioning pack, 164-170
brake assembly, main landing gear, 178-186
fatigue-life design goal, 235
initial maintenance program, 5, 163, 246-248,
256-257
landing-gear actuator endcap, 311
overhaul (rework) items in initial program, ?, 192
powerplant, see General Electric CF6-6 engine
rate of fleet growth, 105
rear spar at bulkhead intersection, 12
shock-strut outer cylinder, 267-273
spar cap, wing rear spar, 260-267
walkaround inspection plan, 282
wing-to-fuselage attach tee, 258-260

definition as potential failure, 52, 210


212-213, 242
effect on structural strength, 232
inspection intervals, 52-53, 106-107, 243-247
propagation characteristics, 106-107, 208, 232-233
see also crack initiation, crack-propagation ratings
Fatigue damage, effect on structural strength,
232-233
repair of, 230, 274, 321, 323
see also external detectability
Fatigue life, 232
effect of corrosion, 84, 236
effect of preload condition, 235-236
Fatigue-life design goal, Douglas DC-10 structure,
235, 247-248
as reference for relative inspection intervals,
244-247
as reference for structural ratings, 243-244
Fatigue-life ratings, structurally significant items,
241-243
Fatigue-test data, see test data
Federal Aviation Administration, airworthiness
directives, 135-136, 322-323
analysis and surveillance program, 154
certification procedures, 199, 231
Maintenance Review Board, 8, 145,372
Fire-extinguishing system, 22
Fire-warning system, powerplant, 22, 190-191
Fleet-leader concept, li3, 275
Flight-control system, actuator endcap, 161
bearing failure, 326-327
Flight cycles, 33-34
Flight log, 294-295
Flight-log monitoring, 301
Forced removals, 108
Forced samples, 225
Fractional sampling, 321
Freon compressor, Douglas DC-8, 378
Fuel pump, Douglas A-4, 12, 170-178
Functional failures, 18-19
definition of, 31-32, 87, 149, 163, 201, 230, 356
effect of level of item, 53, 61, 224, 255
Functionally significant items, 85
see also significant items
Functions, evident and hidden, 21-22, 87
of item, 19, 31, 86-87, 161, 163, 201, 255, 355-357
of powerplant, 195, 205
rarely used, 283
redundant, 7.7, 158-160, 161-162, 195
of structure, 229-230, 252, 255


of systems, 159, 161, 163
General Electric CF6-6 engine, age-reliability
characteristics, 124-125
compressor rear frame, 12
C-sump problem, 313
initial inspection requirements, 106-107
General inspections, external structure, 240, 283
nonsignificant structural items, 240, 281, 282
structurally significant items, 238
walkaround inspections, 73, 282
zonal inspections, 73, 277-281
Generator and bus-tie relay, Douglas DC-8, 310
Generator, Boeing 727, 126, 309-310
Geriatric aircraft, 118, 131, 155-156, 321-323, 325
Gust loads, 231
Hard-time directory, 231
Hard-time maintenance process, 65, 385
Hard-time policy, 2-6, 371-382
changing perceptions of, 66, 376-382
current regulatory usage, 65, 371-372
hard-time paradox, 371-376
see also discard tasks, rework tasks, scheduled
overhaul
Hidden-failure consequences, 28-31, 87-89, 96
Hidden-function items, 21
identification of, 81, 87, 97, 356
Hidden functions, 21-22, 61-64,356
regular testing by operating crew, 61, 283-284
required level of availability, 30-31, 62-63,
1C9, 361
role in multiple failures, 28-31, 81
see also failure-finding tasks
High-frequency communications subsystem,
Boeing 747, 186-190
High-lift devices, 230
Identification and routing tag, 296-297
Improvable failure rate, 119- 120
Imputed cost of operational consequences, 7, 27,
95, 361
In-flight engine shutdown report, 301-302
In-service equipment, RCM programs for, 137-138,
143-347
Infant mortality, 45, 125-126
Information excluded by life-test data, 394-395
Information flow, 153-157

Information problem, prior-to-service decisions,


7-8, 78-79, 97-99, 144
task intervals, 324-325
teardown inspections, 6, 66, 305, 372-375
Information requirements, assessment of rework
tasks, 44-45, 57-58,91, 97-103, 359, 361,
363,390-391
management of ongoing program, 155, 293-297,
367-368
modification of initial program, 114-115, 293,
307-323
product improvement, 128-135
RCM analysis, 7-8,78-79, 86-99,144,146,149-151
powerplant items, 199-204
structural items, 247-252
systems items, 161-166
see also age exploration, RCM analysis
Information systems, 135, 293-300
Information worksheet, powerplant items, 149-151,
201-203
structural items, 248-251
systems items, 149-151, 163-165
Inherent reliability, 103
Inherent reliability characteristics, 75-76,
103-104, 114-115
Initial maintenance program, development of,
78-111, 147-152
auditing of program development, 350-369
completion of, 72-73, 109-110, 276-291
organization of program-development team,
145-147, 353
see also RCM analysis
Inspectability, 140, 341
Inspection, see failure-finding tasks, general
inspections, on-condition tasks
Inspection findings, as basis for interval extension,
107-108, 121-123, 225-226,306-307
structural, 316, 318-319
see also teardown inspections
Inspection samples, powerplant items, 108, 225, 315
structure, 108, 319-321
see also time-extension samples
Inspection technology, 126-128, 341-342
Inspection, structural, see structural inspection
plan
Instrumentation, see cockpit instrumentation
Internal engine items, 195, 198-199,225
Internal structural items, 239, 252, 320-321
external detectability, 241, 248, 249

Intervals, see age intervals, task intervals


Inventory problems, effect of rework task, 325,
417-419
Isotope inspection, 52, 71, 211
Item, 81
Item description, 149, 163, :'.31, 248
Items that cannot benefit from scheduled
maintenance, 70,85, 158-159, 161, 168, 176-177
see also nonsignificant items
Landing gear, actuator endcap, 191-192, 311-312
brake assembly, Douglas DC-10, 178-186
shock-strut outer cylinder, Douglas DC-10,
267-273
Letter checks, 109-110, 284-289
adjustment of intervals, 122-123
LIBRA (Logical Information of Reliability
Analysis), 382
Life of item, 48, 415
age at failure, 35-39, 47-48, 60, 393
average realized life, 42-44
conditional probability of failure, 43-44,
46-48,398
fatigue life, 232
probability of survival, 40-42
Life limit, see discard tasks, safe-life limits
Life tests, 391-395
Lightning strikes, see accidental damage
Limit loads, structural, 231
Line maintenance, 13-14
Load requirements, 230-234
Lockheed 1011, 386
Log sheet, airplane flight log, 294-295
Lubrication tasks, 72-73, 283
Magnetic-plug inspection, 213
Maintenance, see corrective maintenance,
scheduled maintenance
Maintenance activities, 11-14, 71-75
Maintenance base, 13
Maintenance controller, 22
Maintenance cycle, 155
Maintenance information system, 296
see also information systems
Maintenance packages, 108-110, 285-291
partial contents for Boeing 747, 288-289
partial contents for McDonnell F4J, 290-291
Maintenance philosophy, xvi-xx, 347-348
Maintenance plan, 11-14, 367

Maintenance processes, current regulatory usage,


65-66, 385
Maintenance program, see scheduled-maintenance
program
Maintenance-redesign cycle, 116-121, 312-313
Maintenance Review Board, 8, 145, 372
Maintenance station, 13
Maintenance tasks, see scheduled-maintenance
tasks
Maintenance technology, 126-128, 341-342
Major divisions of equipment, 81, 147-148
powerplant, 194
structure, 228-229
systems, 158
Major structural inspections, 249, 252
comparison of policies, 6, 274-275
role in age exploration, 274-275, 319-321
see also D check
Management of the ongoing program, 153-156,
293-299, 367-368
information systems, 293-299, 368
modifying the program, 121-128, 307-325
purging the program, 328-329
reacting to unanticipated failures, 116-121
resolving differences of opinion, 325-327
uses of operating information, 113-115
see also age exploration
McDonnell F4J, maintenance-package contents,
290-291
MSG-2 review of program, 346-347
zone numbering system, 378
Mean time between failures, 40, 340
Military applications, 34, 94, 113, 135, 170-178
see also Douglas A-4, McDonnell F4J
Minimum-equipment list (MEL), 163, 354, 358
analysis of, 408-411
Mixed population, actuarial
Model of failure process, 33-35
Monolithic elements, damage-tolerant, 234, 137
MSG-1, 5, 344,385-286
MSG-2, 5, 343-347, 386
Douglas DC-10 structure program, 257
review of Boeing 727 systems program,
344-345
review of McDonnell F4J program, 346-347
Multiengine aircraft, consequences of engine
failure, 195, 333-335
see also powerplants
Multiple failures, evaluation of consequences, 28,
29-31, 311

probability of, 28-29


role of hidden functions, 28-31, 81
Multiple-load-path structural assembly, see damage-tolerant structural items
National Transport Safety Board statistics, 338-339
No scheduled maintenance, 65, 166, 193
as default decision, 77, 79, 97-98, 114
nonsignificant items, 80, 96, 158-161
Nonoperational consequences, 27-28, 30,8849,
93, 142, 158-161,358
Non-RCM tasks, 72-73, 277-284, 366
event-oriented inspections, 284
general external inspections, 283
servicing and lubrication tasks, 72-73, 283
testing of rarely used functions, 283
walkaround checks, 73, 282
zonal inspections, 73, 277-281
Nonsignificant items, 81, 85, 97, 142, 148, 158
Normal distribution, 412-415
Nozzle guide vanes, Pratt & Whitney JT3D engine,
202-204
Pratt & Whitney JT8D-7 engine, 209
Oil-screen inspection, 71, 213
On-aircraft inspections, see on-condition tasks
On-condition maintenance process, 65, 345
introduction of, 383-385
On-condition tasks, 50-56
applicability criteria, 52, 66, 98
characteristics of, 65, 67, 68-69
control of critical failures, 116-117, 312-313, 388
effectiveness criteria, 52-53, 90-91, 98
inspection intervals, 52-53, 107, 192, 245-247,
324-325
on-aircraft inspections, 71, 198, 741
role in powerplant programs, 106, 198-199,
224,226
role in structure programs, 108, 229, 255
shop inspections, 198
see also powerplant structures
Operating age, see age
Operating crew, evident and hidden failures, 21,
61, 159, 163, 196, 357
failure-reporting system, 21, 22, 294-295
frame of reference, 22-23, 63
role as failure observers, 13, 20-22
testing of hidden-function items, 61, 312
Operating environment, effect on definition of

failure, 18
effect on definition of consequences, 27, 135
effect on task intervals, 236, 237, 243, 247
Operating information, uses of, 113-115, 292-329
Operating reliability, and design, 75-76, 103-104,
140-141
and safety, 2-3, 331-337, 340-341,370
see also operational consequences
Operating restrictions, coping with failures, 22,
76-77, 118, 166, 333
configuration-deviation list, 163, 358
control of gross operating weights, 195, 231
minimum-equipment list, 163,354,358
Operating safety, and design, 2-3, 11, 159-161,
201, 230-237,340-341, 388
relationship to scheduled maintenance, 2-3,
331-337, 370-371, 387-389
see also hidden-failure consequences, safety
consequences
Operating weight, responsibilities of operating
organization, 195, 231
effect on level of operating risk, 334-335,
336-397
Operational consequences, 27, 30-31, 85, 88-89,
308, 354, 358
determination of, 27, 149-150, 159-161, 163, 194,
196, 201, 211-212, 213
imputed cost of, 7, 27, 95, 135, 361
Operational performance goals, 10, 234
Operational readiness, 135, 170
Opportunity samples, 108, 224, 225, 307, 312,
314, 315
see also age exploration, powerplants
Overhaul, see rework tasks, scheduled overhaul
Packaging of maintenance tasks, 109-110,
284-291, 351-352, 367
structural inspection program, 249
Part-time spares, 385
Partitioning of equipment, identification of
significant items, 7, 81-83, 142, 149
major divisions of equipment, 81, 147-148
Partitioning of premature-removal data, 124-126,
408-411
see also actuarial analysis
100 percent program, structures, 320
Potential failure, 19
definition of, 19-20, 31-33, 53-55, 254
effect of level of item, 53, 61

preemption of functional failures, 11, 27, 76, 226


Powerplant division, 147-148, 191
Powerplants, age exploration of, 106-107, 224-227,
312-316
analysis of basic engine function, Pratt &
Whitney JT8D-7, 200-2217
failures caused by deterioration, 195-196,
213-247
fractures with critical secondary damage,
205-211
fractures with no critical secondary damage,
211-213
analysis of secondary engine functions, Pratt &
Whitney JT8D-7, 217-224
characteristics of powerplant items, 85-86,
195-196
first-stage nozzle guide vanes, Pratt & Whitney
JT3D, 202-204
functions of, 195, 205
information requirements, 199-204
role of scheduled maintenance, 331, 333-335
Pratt & Whitney JT3D engine, engine-shutdown
rate, 301-303
first-stage nozzle guide vanes, 202-204
premature-removal rate, 302
Pratt & Whitney JT4 engine, overhaul-interval
history, 381
Pratt & Whitney JT8D-7 engine, age-reliability
relationship, 42-45, 398-408
history of reliability improvement, 119, 226-227
opportunity-sampling program, 122, 314-315
prediction of reliability improvement, 120
RCM analysis of, 205-224
Pratt & Whitney R-2800 CA-15 engine, age-reliability relationship, 374-375
Precautionary removals, 24
Preload condition, 235-236
Premature removals, 24
actuarial analysis of, 39-48, 57-58, 123-126,
390-419
systems items, Douglas DC-8, 373
Premature-removal report, 298-299
see also information systems
Preventive maintenance, 11
product improvement as, 75-77
see also scheduled maintenance
Prior-to-service program, see initial maintenance
program
Probability, dilemma of extreme improbability,

339-341
of survival, 40-42
see also conditional probability of failure
Probability density of failure, 42-43, 413, 414, 416
Probability distributions, 411-419
exponential, 412-413
normal, 412-415
Weibull, 415
Product improvement, 73-77, 128-137
determining desirability of, 131-134, 323
determining need for, 129-131
information requirements, 134-135
maintenance-redesign cycle, 116-121, 312-313
role in equipment development, 135-137,343
Program-development team, 145-147, 353
Pyrotechnic devices, 59, 191
Radiography inspection, 52, 127
Random damage, see accidental damage
Rate of fleet growth, 105, 123
Rating scales, structurally significant items,
241-244
zonal installation, 281
RCM analysis, 6-Y,78-80,86-99,141-144,362-366
air-conditioning pack, Douglas DC-10, 164-170
brake assembly, main landing gear, Douglas
DC-10, 178-186
elevator bearings, flight-control system, Douglas
DC-8, 326-327
fuel pump, Douglas A-4, 170-178
high-frequency communications subsystem,
Boeing 747, 186-190
powerplant, Pratt & Whitney JT8D, 205-224
shock-strut outer cylinder, Douglas DC-10,
252-256, 267-273
spar cap, wing rear spar, Douglas DC-10,
252-256, 260-267
wing-to-fuselage attach tee, Douglas DC-10,
252-256,258-260
RCM decision diagram, 91-99, 358
evaluation of failure consequences, 86-89,
357-358
evaluation of proposed tasks, 89-91, 359-361
RCM programs, auditing of program development,
350-369
applications to commercial aircraft, 140-157
applications to other equipment, 80, 140-111,
341-342,347-348
development of initial program, 78-111, 147-152

history of, 4-6, 370-38?


for in-service fleets, 137-138, 343-346
management of, 153-156, 293-299, 367-368
organization of program-development team,
145-147, 353
purging the program, 328-329
Rear spar at bulkhead intersection,
Douglas DC-10, 12
Reciprocating engines, 10, 47,374-375
Redesign, as default action, 92-93, 95, 96, 128-131,
176-177
economic desirability, 131-135
see also product improvement
Reduced operating capability, see operational
consequences
Reduced resistance to failure, 32-37
ability to measure, 19-20, 51-53, 104
rate of reduction, 104, 106-107, 114-115
Redundancy, 5, 11, 75, 140, 149, 159-160, 161-162,
195, 201, 234, 249, 387
see also damage-tolerant structural items,
multiengine aircraft
Regulatory usage, 65-66,371-372,385
Reliability, 40
indexes of, 39-45
inherent reliability, 103
Reliability-centered maintenance, 1, 6-9, 141-144
a maintenance philosophy, xvi-xx
relationship to MSG-2, vii-viii, 5-6, 385-387
see also RCM analysis, RCM programs
Reliability characteristics, inherent, 75-77,
103-105, 114-115
Reliability controlled overhaul program
(RCOH), 382
Reliability data, ranking of, 293
Reliability problems in complex equipment,
9-11,388
Reliability programs, 376-387
Reliability-stress analysis, 382
Removals, see premature removals, scheduled
removals
Repair costs, see economic consequences
Residual strength, effect of fatigue, 232-233
Residual-strength ratings, damage-tolerant
structural elements, 233, 241-242, 321
Resistance to failure, 32-37, 51-53, 84-85, 161,
233, 364
see also fatigue life, reduced resistance to failure
Resolving differences of opinion, 325-329

dimensions of, 71-75


see also initial maintenance program,
RCM programs
Scheduled-maintenance requirements, see
consequences of failure
Scheduled-maintenance tasks, 50-69
discard tasks, 58-61
failure-finding tasks, 61-64
non-RCM tasks, 72-73,277-284, 366
on-condition tasks, 51-56
rework tasks, 56-57
role in maintenance program, 71-72
Scheduled-maintenance workload, 75
Scheduled overhaul, 16,4748,56,65,66,249-274
changing perceptions of overhaul policy, 376-382
current regulatory usage, 65,371-372
the hard-time paradox, 371-376
see also age limits, rework tasks
Scheduled removals, 24
see also discard tasks, rework tasks
Service checks, 110,255-286
Service life, see average fatigue life, technologically
useful life
Servicing tasks, 72-73, 283
Shock strut, main landing gear, Boeing 737, 12
outer cylinder, Douglas DC-10,267-273
Shop maintenance, 13-14, 71-72
Shop workload, effect of scheduled removals,
57-58
Shotgun troubleshooting, 23
Significant items, 80-86
functionally significant items, 85
identification of, 80-83
structurally significant items, 84, 237-238
Signature of failure mode, 127
Simple items, 34
age-reliability characteristics, 47-48
average age at failure, 37
failure process, 31-37
Single-celled item, see simple items
Single-engine aircraft, 94, 95, 127, 170-178, 217
Spar cap, wing rear spar, Douglas DC-10, 260-267
Spectrographic oil analysis, 71, 127
Spectrum hours, 249
SSI, see structurally significant items
Static load tests, see . . . .
Statistical reliability reports, 135
Statistical techniques, see actuarial analysis
Steering committee, 145-147, 351

Rework tasks, 50,56-58


applicability criteria, 4, 57, 66,71-72, 143,
224-225, 359, 363
characteristics of, 65,67,68-69
control of critical failures, 51, 66,360
default decision in initial program, 45,91,
97-99, 144, 361
effect on age exploration, 225
effect on failure rate, 44-45, 48
effect on inventory problems, 5, 67, 325, 417-419
effect on shop workload, 57-58
effectiveness criteria, 57-58, 100-103, 360, 363
task intervals, 58, 102, 193, 224-225, 359, 363
see also scheduled overhaul
Risk evaluation, problem of, 337-340
Safe-life design, 234
Safe-life discard tasks, see discard tasks
Safe-life items, powerplants, 72, 118, 198, 209-210
structure, 234-235, 237, ?40,242,244-245,
254-257,267-273
systems, 161, 311-312
Safe-life limits, 58-60, 2,q, 234-235, 248, 359-360
Safety, see operating safety, safety level
Safety-alert system, 135, 247
Safety consequences, 25-27, 87-89,91-95,358
see also critical failures
Safety levels, 331-341
dilemma of extreme improbability, 339-341
effect of powerplant failures, 333-335
effect of structural failures, 335-337
effect of systems failures, 332-333
problem of risk evaluation, 337-339
Sample inspections, to determine optimum
inspection intervals, 106-107
requirements for age exploration, 106-108,
224-225, 274-275,312,312-321
Sample overhauls, 377-381
Samples, forced, 225
opportunity, 108,224, 225, 307,312,314, 315
time-extension, 121, 296, 307, 378
Sampling, fractional, 321
Sampling program, internal engine items, 195,
198-199, 225
internal structural items, 320-321
Scheduled maintenance, items that cannot benefit
from, 70,85, 158-159, 161,168,176-177
role of, xvi-xx, 3, 331-341, 347-348, 387-388
Scheduled-maintenance program, 11


Stress, 32-39
Stress corrosion, 236
Stress cycles, 33
Structural inspection findings, 316-320
Structural inspection plan, 229, 238-247
nonsignificant structural items, 240, 280-281
100 percent program, 320
rating factors, 240-243
corrosion, 8n, 236,237, 241-244, 248
crack propagation, 232-233, 241-246
fatigue life, 84, 232, 235-236, 241-243
residual strength, 232-233, 241-242, 321
ratings for damage-tolerant items, 240-245
ratings for safe-life items, 240-241
relative inspection intervals, 244-247
role in age exploration, 229, 252, 273-275
sampling program, 320-321
Structural integrity audit and inspection document,
321-322
Structurally significant items, 84, 237-238, 240, 247
Structure division, 147, 272
Structures, age exploration of, 107, 273-275,
315-323
analysis of damage-tolerant items, 252-254,
256-257
spar cap, wing rear spar, Douglas DC-10,
260-267
wing-to-fuselage attach tee, Douglas DC-10,
258-260
analysis of safe-life items, 252-257
shock-strut outer cylinder, Douglas DC-10,
267-273
characteristics of structural items, 84, 229-238
external and internal items, 238-239
functions of basic structure, 229-230
information requirements, 247-252
role of scheduled maintenance, 228, 247, 331,
335-337
see also structural inspection plan
Structures worksheet, 248-251
Survival curve, 40-41
Boeing 727 generator, 309-310
calculation of average life, 41-42
Pratt & Whitney JT8D engine, 41, 407
Systems division, 147, 158
Systems, age exploration of, 107-108, 192-193,
308-312
actuator endcap, landing gear, 191-192, 311-312

analysis of systems items, 166-192


air-conditioning pack, Douglas DC-10,164-170
brake assembly, main landing gear, Douglas
DC-10, 178-186
elevator bearings, flight-control system, Douglas
DC-8, 326-327
fuel pump, Douglas A-4, 170-178
high-frequency communications subsystem,
Boeing 747, 186-190
other typical systems items, 190-192
characteristics of systems items, 85, 158-161
information requirements, 161-166
role of scheduled maintenance, 331, 332-333,
340-341
Systems worksheets, 149-153, 163-165, 170-171
TARAN (Test and Replace as Necessary)
program, 384
Task, job instruction card, 309
level of detail, 352, 359, 367
see also maintenance tasks
Task intervals, 192-193, 324-325
economic-life limits, 60-61
failure-finding inspections, 61, 62-63, 169,
191, 312, 361
on-condition inspections, 52-53, 107, 192,
245-247,317-321,324-325
rework tasks, 58, 100-103, 193,224-225,359,363
role of age exploration, 121-123, 192-193,
224-226,314-325
safe-life limits, 58-60, 117, 193, 210, 235, 255,
311- 312, 324, 326-327, 359-360
servicing and lubrication tasks, 72-73, 283
see also packaging of maintenance tasks
Teardown inspections, 6, 66, 305, 372-375
Technological change, 9-11,115,126-128
Technologically useful life, 10, 131, 156
see also geriatric aircraft
TERP (Turbine Engine Reliability Program),
381, 382
TETCP (Turbine Engine Time Control Program),
378, 381
Test data, 147, 199, 239
fatigue and crack-propagation tests, 232,
234-235, 239, 243, 248, 256-257, 273
safe-life items, 59, 234-235, 248
Test and Replace as Necessary program
(TARAN), 384
Threshold limits, 225, 226, 314, 364

Time-extension samples, 121, 296, 307, 378


Tires, blowout as secondary damage, 182
tread wear as potential failure, 31-33
Training of program-development team, 146,
353-354
Troubleshooting methods, 23
Turbine blades, 23, 26, 71
Turbine engine, see powerplants
Turbine Engine Reliability Program (TERP),
381, 382
Turbine Engine Time Control Program (TETCP),
378, 381
Ultimate load, 231
Unanticipated failures, 112, 115, 116-121, 135-136,
307-327
Undetected failures, see hidden-failure
consequences
Unscheduled removals, see premature removals
Unverified failures, 23

Verified failures, 22-24, 125-126, 299


Walkaround inspections, 73, 282
Wearout characteristics, 43-44, 47
Weibull distribution, 415
Working groups, see program-development
team
Worksheets, decision, 152-153
information, 150-151, 250-251
Wright Aeronautical R-3350 TC-18 engine,
age-reliability relationship, 374-375
x-ray inspections, 238
Zonal inspections, 73,277-281
rating factors, for inspection intervals, 280-281
Zone numbering systems, 248, 277
Boeing 747, 279
McDonnell F4J, 278

reliability-centered
maintenance

EXECUTIVE SUMMARY

This executive summary provides an introductory
overview of the book Reliability-Centered Maintenance.
The following discussion is greatly condensed and
is intended only as a brief orientation to the
general subject matter. Those interested in a more
comprehensive understanding of specific points are
referred to the book for a thorough and detailed
development of the topic.

In 1974 the Office of the Secretary of Defense, U.S. Department of
Defense, directed the military services to incorporate United States
commercial airline practices into maintenance programs for military
equipment. This directive has been reaffirmed each year. Thus far,
however, efforts to implement it have been hampered by the absence of
explanatory material. The brief working papers which served as the
basis for airline maintenance programs were originally written for a
small group of readers with extensive backgrounds in airline maintenance, engineering, and reliability analysis, and the detailed clarification necessary for those in other fields to understand airline practices
was found to be unavailable in the published literature. To provide this
information, the Department of Defense commissioned United Airlines
to prepare a textbook that fully explains a logical discipline, based on
tested and proven airline practices, which can be used to develop
effective scheduled-maintenance programs for complex equipment. The
resulting book is titled Reliability-Centered Maintenance, and it represents the present state of the art in the field of preventive maintenance.

THE TRADITIONAL APPROACH TO
PREVENTIVE MAINTENANCE

The traditional approach to scheduled-maintenance programs was based
on the concept that every item on a piece of complex equipment has a
"right age" at which complete overhaul is necessary to ensure safety
and operating reliability. Through the years, however, it was discovered
that many types of failures could not be prevented or effectively reduced
by such maintenance activities, no matter how intensively they were
performed. In response to this problem airplane designers began to
develop design features that mitigated failure consequences - that is,
they learned how to design airplanes that were "failure-tolerant."
Practices such as the replication of system functions, the use of multiple
engines, and the design of damage-tolerant structures greatly weakened
the relationship between safety and reliability, although this relationship has not been eliminated altogether.
Nevertheless, there was still a question concerning the relationship
of preventive maintenance to reliability. By the late 1950s the size of the
commercial airline fleet had grown to the point at which there were
ample data for study, and the cost of maintenance activities had become
sufficiently high to warrant a searching look at the actual results of
existing practices. At the same time the Federal Aviation Agency, which
was responsible for regulating airline maintenance practices, was frustrated by experiences showing that it was not possible to control the
failure rate of certain unreliable types of engines by any feasible changes
in either the content or frequency of scheduled overhauls. As a result, in
1960 a task force was formed, consisting of representatives from both
the FAA and the airlines, to investigate the capabilities of preventive
maintenance.
The work of this group led to the establishment of the FAA/Industry
Reliability Program, described in the introduction to the authorizing
document as follows:
The development of this program is towards the control of reliability
through an analysis of the factors that affect reliability and provide
a system of actions to improve low reliability levels when they exist.
In the past, a great deal of emphasis has been placed on the control
of overhaul periods to provide a satisfactory level of reliability. After
careful study, the Committee is convinced that reliability and overhaul time are not necessarily directly associated topics; therefore,
these subjects are dealt with separately.
This approach was a direct challenge to the traditional concept that
the length of time between successive overhauls of an item was an
important factor in controlling its failure rate. The task force developed
a propulsion-system reliability program, and each airline involved in
the task force was then authorized to develop and implement reliability
programs in the area of maintenance in which it was most interested.
During this process a great deal was learned about the conditions that
must exist for scheduled maintenance to be effective. Two discoveries
were especially surprising:

Scheduled overhaul has little effect on the overall reliability of a
complex item unless the item has a dominant failure mode.

There are many items for which there is no effective form of
scheduled maintenance.

THE HISTORY OF RCM ANALYSIS

The next step was an attempt to organize what had been learned from
the various reliability programs and develop a logical and generally
applicable approach to the design of preventive-maintenance programs.
A rudimentary decision-diagram technique was devised in 1965, and in
June 1967 a paper on its use was presented at the AIAA Commercial Aircraft Design and Operations Meeting. Subsequent refinements of this
technique were embodied in a handbook on maintenance evaluation
and program development, drafted by the maintenance steering group
formed to oversee development of the initial program for the new Boeing
747 airplane. This document, known as MSG-1, was used by special
teams of industry and FAA personnel to develop the first scheduled-maintenance program based on the principles of reliability-centered
maintenance. The Boeing 747 maintenance program has been successful.
Use of the decision-diagram technique led to further improvements,
which were incorporated two years later in a second document, MSG-2:
Airline/Manufacturer Maintenance Program Planning Document. MSG-2
was used to develop the scheduled-maintenance programs for the Lockheed 1011 and the Douglas DC-10 airplanes. These programs have also
been successful. MSG-2 has also been applied to tactical military aircraft;
the first applications were for aircraft such as the Lockheed S-3 and P-3
and the McDonnell F4J. A similar document prepared in Europe was
the basis for the initial programs for such recent aircraft as the Airbus
Industrie A-300 and the Concorde.
The objective of the techniques outlined in MSG-1 and MSG-2 was
to develop a scheduled-maintenance program that assured the maximum
safety and reliability of which the equipment was capable and also provided them at the lowest cost. As an example of the economic benefits
achieved with this approach, under traditional maintenance policies
the initial program for the Douglas DC-8 airplane required scheduled
overhaul for 339 items, in contrast to seven such items in the DC-10 program. One of the items no longer subject to overhaul limits in the later
programs was the turbine propulsion engine. Elimination of scheduled
overhauls for engines not only led to major reductions in labor and
materials costs, but also reduced the spare-engine inventory required to
cover shop maintenance by more than 50 percent. Since engines for larger
airplanes now cost more than $1 million each, this is a respectable saving.
As another example, under the MSG-1 program for the Boeing 747
United Airlines expended only 66,030 manhours on major structural
inspections before reaching a basic interval of 20,000 hours for the first
heavy inspections of this airplane. Under traditional maintenance policies it took an expenditure of more than 4 million manhours to arrive at
the same structural inspection interval for the smaller and less complex
Douglas DC-8. Cost reductions of this magnitude are of obvious importance to any organization responsible for maintaining large fleets of
complex equipment. More important:

Such cost reductions are achieved with no decrease in reliability.
On the contrary, a better understanding of the failure process in
complex equipment has actually improved reliability by making it
possible to direct preventive tasks at specific evidence of potential
failures.

Although the MSG-1 and MSG-2 documents revolutionized the
procedures followed in developing maintenance programs for transport
aircraft, their application to other types of equipment was limited by
their brevity and specialized focus. In addition, the formulation of certain
concepts was incomplete. For example, the decision logic began with
an evaluation of proposed tasks, rather than an evaluation of the failure
consequences that determine whether they are needed, and if so, their
actual purpose. The problem of establishing task intervals was not
addressed, the role of hidden-function failures was unclear, and the
treatment of structural maintenance was inadequate. There was also no
guidance on the use of operating information to refine or modify the
initial program after the equipment entered service or the information
systems needed for effective management of the ongoing program. All
these shortcomings, as well as the need to clarify many of the underlying
principles, led to analytic procedures of broader scope and crystallization of the logical discipline now known as reliability-centered maintenance.

BASIC CONCEPTS OF RELIABILITY-CENTERED MAINTENANCE

A reliability-centered maintenance (RCM) program consists of a set of
scheduled tasks generated on the basis of specific reliability characteristics of the equipment they are designed to protect. Complex equipment
is composed of a vast number of parts and assemblies. All these items
can be expected to fail at one time or another, but some of the failures
have more serious consequences than others. Certain kinds of failures
have a direct effect on operating safety, and others affect the operational
capability of the equipment. The consequences of a particular failure
depend on the design of the item and the equipment in which it is
installed. Although the environment in which the equipment is operated
is sometimes an additional factor, the impact of failures on the equipment, and hence their consequences for the operating organization, are
established primarily by the equipment designer. Failure consequences
are therefore a primary inherent reliability characteristic.
There are a great many items, of course, whose failure has no significance at the equipment level. These failures are tolerable, in the sense
that the cost of preventive maintenance would outweigh the benefits to
be derived from it. It is less expensive to leave these items in service
until they fail than it is to try to prevent the failures. Most such failures
are evident to the operating crew at the time they occur and are reported
to the maintenance crew for corrective action. Some items, however,
have functions whose failure will not be evident to the operating crew.
Although the loss of a hidden function has no direct consequences, any
uncorrected failure exposes the equipment to the consequences of a
possible multiple failure as a result of some later second failure. For
this reason items with hidden functions require special treatment in a
scheduled-maintenance program.
The first step in the development of a maintenance program is to
reduce the problem of analysis to manageable size by a quick, approximate,
but conservative identification of a set of significant items - those
items whose failure could affect operating safety or have major economic
consequences. The definition of major economic consequences will vary
from one operating organization to another, but in most cases it includes
any failure that impairs the operational capability of the equipment or
results in unusually high repair costs. At the same time all items with
hidden functions must be identified, since they will be subjected to
detailed analysis along with the significant items.
The analysis itself begins with an evaluation of the failure consequences
for each type of failure to which the item is exposed. The logic
used to organize this problem, shown in Exhibit 1, leads to four categories
of failure consequences:

Safety consequences, which involve possible danger to the equipment and its occupants

Operational consequences, which involve an indirect economic loss in addition to the cost of repair

Nonoperational consequences, which involve no economic loss other than the cost of repair

Hidden-failure consequences, which involve exposure of the equipment to a multiple failure as the result of a later failure of some other item

EXHIBIT 1 Decision diagram to identify significant items and
hidden functions on the basis of failure consequences. Failures
that affect safety or operating capability have an immediate impact,
since the equipment cannot be dispatched until they have been
corrected. The impact of nonoperational failures and hidden failures
is delayed in the sense that correction can be deferred to a convenient
time and location.

[Decision diagram. Questions, in order: Is the occurrence of a failure
evident to the operating crew during performance of normal duties? Does
the failure cause a loss of function or secondary damage that could have
a direct adverse effect on operating safety? Does the failure have a
direct adverse effect on operational capability? Outcomes: safety
consequences; operational consequences (economic); nonoperational
consequences (economic); hidden-failure consequences.]

If the failure is one that could have a direct effect on operating safety,
either through loss of an essential function or as a result of critical
secondary damage, all maintenance work that is likely to prevent such
failures is required, and if maintenance does not have the capability to
reduce the risk of failure to an acceptable level, the item must be
redesigned. If the failure is one that will not be evident to the operating crew,
and therefore reported and corrected, scheduled maintenance is also
required, to ensure adequate availability of the hidden function. In all
other cases the consequences of failure are economic, and the desirability
of preventive maintenance can be evaluated only in economic terms.
(One notable exception is the case of certain military equipment failures
that might additionally include consideration of a critical strategic or
tactical impact which may be difficult to quantify solely in economic
terms.) For failures that do not involve safety, then, the criterion of
maintenance effectiveness is cost effectiveness; the cost of preventive
tasks must be less than the cost of the failures they prevent.
SELECTION OF MAINTENANCE TASKS

There are only four basic types of preventive-maintenance tasks, each of
which is applicable under a specific set of conditions:

Inspection of an item at specified intervals to find and correct potential failures, thereby preempting functional failures

Rework (overhaul) of an item at or before some specified operating age to reduce the frequency of functional failures

Discard of an item or one of its parts at or before some specified life limit to avoid functional failures or reduce their frequency

Inspection of a hidden-function item at specified intervals to find and correct functional failures that have already occurred but were not evident to the operating crew

The first three types of tasks are directed at preventing single failures,
and the fourth is directed at preventing multiple failures. Inspection
tasks can generally be performed without removing the item from the
equipment, whereas rework and discard tasks generally require that the
item be removed and sent to a major maintenance base.
The development of an RCM program consists of determining which
of these four types of tasks, if any, are both applicable and effective for
a given item. Thus an inspection for potential failures can be applicable
only if the item has reliability characteristics that make it possible to
define a potential-failure condition. Similarly, an age-limit task can be
applicable only if the failures at which it is directed are related to
operating age. Effectiveness is a measure of the results of the task; the
criterion for these results, however, depends on the failure consequences
the task is designed to prevent. For example, a proposed task might
appear useful if it promises to reduce the overall failure rate, but it could
not be considered effective if the failures have safety consequences,
since the objective in this case is to prevent all occurrences of a functional
failure. The characteristics of the basic tasks, their relative resolving
power, and the specific applicability criteria for each one are described
in detail in the text Reliability-Centered Maintenance. All these factors
result in a clear order of task preference, making it possible to evaluate
proposed tasks by means of the decision logic shown in Exhibit 2.

EXHIBIT 2 Decision diagram to evaluate proposed scheduled-maintenance
tasks. If none of the three directly preventive tasks
meets the criteria for applicability and effectiveness, an item whose
failures are evident cannot be considered to benefit from scheduled
maintenance. If the item has a hidden function, the default action is a
scheduled failure-finding task.

[Decision diagram. Questions, in order: Is an on-condition task to detect
potential failures both applicable and effective? Is a rework task to
reduce the failure rate both applicable and effective? Is a discard task
to avoid failures or reduce the failure rate both applicable and
effective? Outcomes shown: rework task; discard task; no scheduled
maintenance.]
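
The consequence categories of Exhibit 1 and the task-preference logic of Exhibit 2, combined with the defaults stated in the text (redesign for safety, failure finding for hidden functions), can be traced on concrete items. The following Python is an added example, not taken from the book; the class and field names, the cost figures and the sample items are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

SAFETY, OPERATIONAL = "safety", "operational (economic)"
NONOPERATIONAL, HIDDEN = "nonoperational (economic)", "hidden-failure"
PREFERENCE = ("on-condition", "rework", "discard")  # order of task preference

@dataclass
class Task:                      # hypothetical record of one proposed task
    kind: str                    # one of PREFERENCE
    applicable: bool             # item's reliability characteristics permit it
    task_cost: float = 0.0       # constructed figure: cost of doing the task
    failure_cost_avoided: float = 0.0    # constructed figure: failures prevented
    meets_protection_goal: bool = False  # safety: risk acceptable; hidden: availability adequate

@dataclass
class FailureMode:               # hypothetical record of one failure mode
    name: str
    evident_to_crew: bool
    affects_safety: bool = False
    affects_operations: bool = False
    tasks: list = field(default_factory=list)

def classify(fm):
    # Exhibit 1: the three questions, asked in order.
    if not fm.evident_to_crew:
        return HIDDEN
    if fm.affects_safety:
        return SAFETY
    return OPERATIONAL if fm.affects_operations else NONOPERATIONAL

def effective(task, consequence):
    # The effectiveness criterion depends on the consequence being prevented.
    if consequence in (SAFETY, HIDDEN):
        return task.meets_protection_goal
    return task.task_cost < task.failure_cost_avoided  # cost effectiveness

def select_task(fm):
    # Exhibit 2: first task in preference order that is applicable and effective.
    consequence = classify(fm)
    by_kind = {t.kind: t for t in fm.tasks}
    for kind in PREFERENCE:
        task = by_kind.get(kind)
        if task and task.applicable and effective(task, consequence):
            return consequence, kind + " task"
    # Defaults when no directly preventive task qualifies.
    if consequence == SAFETY:
        return consequence, "redesign"
    if consequence == HIDDEN:
        return consequence, "failure-finding task"
    return consequence, "no scheduled maintenance"

# Constructed sample items (not from the book).
SAMPLES = [
    FailureMode("fuel pump bearing wear", True, affects_operations=True,
                tasks=[Task("on-condition", True, 40.0, 900.0)]),
    FailureMode("fire-warning loop open circuit", False,
                tasks=[Task("rework", False)]),
    FailureMode("cabin reading light", True,
                tasks=[Task("discard", True, 50.0, 10.0)]),
    FailureMode("turbine disk burst", True, affects_safety=True,
                tasks=[Task("on-condition", False),
                       Task("discard", True, meets_protection_goal=True)]),
]

if __name__ == "__main__":
    for fm in SAMPLES:
        print(fm.name, "->", select_task(fm))
```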

TASK INTERVALS: AN INFORMATION PROBLEM

With the techniques of RCM analysis it is fairly simple to decide what
tasks to include in a scheduled-maintenance program, but the decision
logic does not cover the intervals at which these tasks are to be performed.
Intervals for safe-life discard tasks are established by the manufacturer
on the basis of developmental testing and are usually not
expected to change. The applicability of other age-limit tasks must be
determined through age exploration after the equipment enters service;
hence their intervals can be based at that time on actual operating
information. The most effective tool in a scheduled-maintenance program,
however, is on-condition inspection for potential failures, and in this
case there is usually not enough information to set minimum-cost
intervals even after the equipment is in service and age exploration is
under way.
At the time an initial program is developed, the available information
is usually limited to prior experience with similar items, familiarity
with the manufacturer's design practices, and the results of developmental
and fatigue tests for the new equipment. With this information
it is possible to arrive at rough estimates of the ages at which deterioration
can be expected to become evident. However, the inspection intervals
in an initial program are then set at only a fraction of these ages.
The fraction may be quite a small one, to force intensive exploration
of aging characteristics, if the manufacturer is relatively inexperienced,
if new materials or manufacturing methods have been used, or if the
equipment is to be operated in an unfamiliar environment. While this
initial conservatism increases the cost of inspection on the first pieces of
equipment to enter service, the overall economic impact is small, since
the intent is to increase the intervals on the basis of the inspection
findings as the new fleet grows in size.
The principle of on-condition inspections is that the time to the
first inspection should be long enough for the first evidence of deterioration
to be visible, and the intervals for repeat inspections should be
short enough to ensure that any unit that has reached the potential-failure
stage will be removed from service before a functional failure
occurs. In theory, then, the problem of establishing optimum intervals
should merely be one of using age exploration to identify the actual rate
of deterioration and potential-failure age of each item. Often, however,
once this age is identified, it will be judged undesirably low and the
item will be redesigned to increase its longevity. Consequently the
"correct" inspection interval for any item may apply only from the time
its original reliability characteristics are determined until the time the
modified item goes into service. While the dynamics of this process add
new age-exploration requirements throughout the life of the equipment,
they also reduce the growth in the maintenance workload that is associated
with older equipment.
THE DESIGN-MAINTENANCE PARTNERSHIP

As a result of continuing interaction between design and maintenance
organizations, the future will see airplanes and other complex equipment
that can be more effectively maintained and achieve still higher
levels of safety and reliability. On one hand, the design organization
determines the inherent characteristics of the equipment, including the
consequences of functional failures and the feasibility and cost of
preventing them. On the other hand, the maintenance organization attempts
to realize all the safety and reliability of which the equipment is capable.
Achievement of this goal, however, requires a joint effort which has not
always been recognized. Designers have not always understood both
the capabilities and the limitations of scheduled maintenance; by the
same token, maintenance organizations have not always had a clear
grasp of the design goals for the equipment they maintain. The need for
a close partnership has always existed, but the comprehensive analysis
required by RCM techniques makes this need far more apparent.
During the development of a prior-to-service program the identification
of functionally and structurally significant items and hidden functions
depends on the designer's information on failure effects as well
as the operator's knowledge of their consequences. At this stage the
information on anticipated failure modes must also come from the designer.
In general, on-condition inspections are the principal maintenance
weapon against functional failures. However, it must be possible
to use them, preferably without removing items from the equipment.
Thus the designer must not only help to define the physical evidence
that makes such inspections applicable, but must also be sure there is
some access to the item to be inspected.
Once the equipment enters service there will be a continual flow
of information on the condition and performance of each item under
actual operating conditions. This information is needed not only to
refine and modify the maintenance program, but also to initiate product
improvement for those items whose reliability proves to be inadequate.
One of the basic functions of the operator's age-exploration program is
to provide the designer with the hardware information necessary for
product improvement. Certain items on newly designed equipment
frequently have a very high failure rate when they first enter service,
and this interaction between design and maintenance should be part of
the normal development cycle for all complex equipment.
The designer's help is of more immediate importance in dealing
with serious unanticipated failures. In this case the designer must help
the maintenance organization to devise interim maintenance tasks that
will control the problem until design changes have been developed and
incorporated in the operating fleet. The two organizations must work
together to identify the failure mechanism, because this information is
required for the development of interim tasks as well as for ultimate
solution of the problem by redesign.
Thus the key both to effective maintenance and to greater inherent
reliability is a continuing close partnership, with both design and
maintenance organizations familiar with and sympathetic to each
other's problems, goals, and capabilities.

EXPANSION OF RCM APPLICATIONS


The widespread and successful application of RCM principles in the
air-transport industry has important implications for many types of
complex equipment other than aircraft. Many of the current problems
with rapid-transit equipment, fleets of ships and ground vehicles, and
even machinery used in complex manufacturing processes indicate that
the relationship between design and maintenance is not clearly understood.
In many instances, however, operating organizations themselves
have not considered the real capabilities and limitations of scheduled
maintenance and have been frustrated by their inability to solve the
problems of safety and operational disruptions caused by failures. While
no form of preventive maintenance can overcome reliability problems
that are inherent in the design of the equipment, RCM analysis does
provide a means of identifying the specific maintenance tasks and
product improvements that will alleviate such problems.
In general, any maintenance support program based on RCM principles has the following objectives:

To ensure realization of the inherent safety and reliability levels of the equipment

To restore the equipment to these inherent levels when deterioration occurs

To obtain the information necessary for design improvement of those items whose inherent reliability proves inadequate

To accomplish these goals at a minimum total cost, including maintenance costs, support costs, and the economic consequences of operational failures

One obstacle to all these objectives is the tendency to rely on traditional
concepts of scheduled maintenance, especially the belief that scheduled
overhauls are universally applicable to complex equipment. Thus an
operating organization must recognize the following facts before it is
prepared to develop and implement a detailed RCM program for its
equipment:
The design features of the equipment establish the consequences of any functional failure, as well as the cost of preventing it.

Redundancy is a powerful design tool for reducing safety consequences to economic consequences by preventing a complete loss of function to the equipment.

Scheduled maintenance can prevent or reduce the frequency of functional failures of an item, but it cannot alter their consequences.

Scheduled maintenance can ensure that the inherent reliability of each item is realized, but it cannot alter the characteristics of the item.

There is no "right time" for scheduled overhauls that will solve reliability problems in complex equipment.

On-condition inspections, which make it possible to preempt functional failures by potential failures, are the most effective tool of preventive maintenance.

A scheduled-maintenance program must be dynamic; any prior-to-service program is based on limited information, and an operating organization must be prepared to collect and respond to real data throughout the service life of the equipment.

Product improvement is a normal part of the development cycle for all new equipment.

Once an operating organization is comfortable with these facts, it
is ready to proceed confidently with the detailed development of an
RCM program. The resulting program will include all the scheduled
tasks necessary or desirable to protect the equipment, and because it
includes only the tasks that will accomplish this goal, this program can
provide major economic benefits. More important, by directing both
scheduled tasks and intensive age exploration at those items which are
truly significant at the equipment level, the ultimate result will be
equipment with a degree of inherent reliability that is consistent with
the state of the art and the capabilities of maintenance technology.

CONCLUDING REMARKS

The book Reliability-Centered Maintenance is the first full discussion
of a decision-diagram technique that applies a straightforward logic
to the development of scheduled-maintenance programs for complex
equipment. The net result of this analytic tool is a structured, systematic
blend of experience, judgment, and specific information to determine
which maintenance tasks, if any, are both applicable and effective for
those items whose failure has significant consequences for the equipment
in which they are installed. Part One of the book explains the basic
concepts and principles underlying RCM theory, and Part Two illustrates
actual hardware analyses, with examples drawn from aircraft systems,
powerplants, and structures. The problem of packaging maintenance
tasks for implementation, the information systems needed for effective
management of the ongoing program, and the uses of operating data as
part of a continuing dynamic process are also addressed in detail.

REFERENCES

1 FAA/Industry Reliability Program, Federal Aviation Agency, November 7, 1961, p. 1.

2 T. D. Matteson and F. S. Nowlan, Current Trends in Airline Maintenance Programs, AIAA Commercial Aircraft Design and Operations Meeting, Los Angeles, Calif., June 12-14, 1967.

3 Handbook: Maintenance Evaluation and Program Development (MSG-1), 747 Maintenance Steering Group, Air Transport Association, Washington, D.C., July 10, 1968.

4 Airline/Manufacturer Maintenance Program Planning Document: MSG-2, Air Transport Association R & M Subcommittee, Washington, D.C., March 25, 1970.
