Scribd
Upload
145 views120 pages

EDTO Module 4 - Type - Design - and - Reliability - Assessment

Uploaded by

MEDDEB HSAN
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
145 views120 pages

EDTO Module 4 - Type - Design - and - Reliability - Assessment

Uploaded by

MEDDEB HSAN
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 120

Module 4

Type Design & Reliability Considerations

ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations


Course Structure

Module 1 Module 2 Module 3


Course Introduction EDTO Foundation Approval Process

Module 4 Module 5 Module 6


Type Design & Reliability Flight Operations Maintenance
Considerations Considerations Considerations
Module 8
Module 7 Module 9
Implementing EDTO
Continued Surveillance Assessment
Regulations

Module 10 – Wrap Up
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 2
Objectives

At the end of this module, participants will be


familiar with the affected areas of Type Design
and Reliability, supporting the demonstration of
the EDTO capability of the aeroplane as well as
the aspects of continued validity of the EDTO
certification .

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 3
EDTOM References
Doc 10085: Extended Diversion Time Operations (EDTO) Manual

Chapter 1: Policy and general information


1.5 Continuity of EDTO certification — aeroplanes with two turbine engines
(not applicable to aeroplanes with more than two engines)

Chapter 2: Aircraft airworthiness considerations for EDTO


2.1 Background
2.2 Airworthiness considerations for aeroplanes with two turbine engines
2.3 Airworthiness considerations for aeroplanes with more than two turbine
engines

05/11/2019 (v-01) ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 4
Module 4 - Outline

Part I Aircraft airworthiness considerations for EDTO

Part II Type Design Assessment

Part III Reliability & Maturity Assessment

Part IV Continued validity of EDTO certification

Part V EDTO Documentation (CMP, AFM, …)

Part VI Summary

Part VII Practical Exercise


05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 5
Aircraft airworthiness considerations for EDTO
Applicability to aeroplanes with 2 or more engines

Annex 6, Part 1 (4.7.2.3):

4.7.2.3 When approving the appropriate maximum diversion time


for an operator of a particular aeroplane type engaged in extended
diversion time operations, the State of the Operator shall
ensure that:

a) for all aeroplanes: the most limiting EDTO significant system time limitation, if any,
indicated in the aeroplane flight manual (directly or by reference) and relevant to that
particular operation is not exceeded; and

b) for aeroplanes with two turbine engines: the aeroplane is EDTO certified.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 6
Aircraft airworthiness considerations for EDTO
Applicability to twins

Annex 6, Part 1 (4.7.2.6):

4.7.2.6 The State of the Operator shall, when approving maximum


diversion times for aeroplanes with two turbine engines,
ensure that the following are taken into account in providing the
overall level of safety intended by the provisions of Annex 8:

a) reliability of the propulsion system;

b) airworthiness certification for EDTO of the aeroplane type; and

c) EDTO maintenance programme.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 7
Aircraft airworthiness considerations for EDTO
Applicability to twins

Additional guidance from EDTO Manual (extracts)


Aeroplanes with 2 engines

2.2.1.1 The EDTO certification of the aircraft is granted by the State of Design of the aircraft manufacturer. This EDTO
certification may also be called EDTO type design and reliability approval of the aircraft.

2.2.1.3 The EDTO certification is always granted to a given aeroplane/engine combination (AEC). It is not granted
indefinitely and is subject to continued surveillance by the State of Design of the in-service reliability of the worldwide
fleet of the concerned aeroplane/engine combination.

2.2.1.6 The certified EDTO capability of the aeroplane is reflected in the Type Certificate Data Sheet (TCDS), the
aircraft flight manual (AFM) or AFM EDTO supplement, as applicable, and the EDTO CMP document.

2.2.1.7 The EDTO certification of the aircraft granted by the State of Design should then be validated or accepted by
the State of Registry and, if different, the State of the Operator prior to the intended start of EDTO operations by the operator.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 8
Aircraft airworthiness considerations for EDTO
Applicability to aeroplanes with more than 2 engines

Additional guidance from EDTO Manual (extracts)


Aeroplanes with more than 2 engines

2.1.5 The airworthiness considerations for aeroplanes with more than two turbine engines were
discussed during the development of the EDTO criteria. In this context, a review was performed of the
reliability of operations on extended diversion time routes with aeroplanes with more than two engines, and it
was concluded that both the basic type certification standards and maintenance programme provided the
required level of safety for EDTO and remained suitable for EDTO operations.

2.1.5.1 Accordingly, the EDTO Standards do not introduce additional maintenance


requirements or any additional certification requirements for aeroplanes with more
than two engines. This means that for EDTO with Tris/Quads, there is no need for a review; both remain
acceptable for EDTO operations.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 9
Aircraft airworthiness considerations for EDTO
Applicability to aeroplanes with 2 engines

Annex 8, Part III: Operating limitations and information


Chapter 9.2.7 in Part IIIA or Chapter 7.2.8 in Part IIIB*
*Note:
Part IIIA applies to Aeroplanes over 5 700 kg for which application for certification was submitted between June 1960 and March 2004
Part IIIA applies to Aeroplanes over 5 700 kg for which application for certification was submitted on or after 2 March 2004

Flying time limitation after system or engine failure

The systems limitations shall include the maximum flying time for which system
reliability has been established in relation to the approval of operations by
aeroplanes with two turbine engines beyond the threshold time
established in accordance with 4.7 of Annex 6, Part I.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 10
Aircraft airworthiness considerations for EDTO
Twins vs Aeroplanes with more than 2 engines

Additional guidance from Airworthiness Manual Doc 9760 (extracts)


Chapter 5 – Airworthiness Requirements for EDTO

5.1.3 […] Chapter 5.2 of this manual contains the airworthiness considerations for aeroplanes with
more than two turbine engines, and the subsequent chapters contain guidance on the
continuing airworthiness and airworthiness approval for aeroplanes with two turbine engines.

5.2 Airworthiness Considerations for aeroplanes with more than 2 engines

5.2.1 The most limiting EDTO significant system time limitation, if any, must be indicated in the aircraft flight
manual (directly or by reference) and relevant to that particular operation.

5.2.2 There are no additional EDTO airworthiness certification, maintenance procedures or maintenance
programme requirements for aeroplanes with more than two engines.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 11
Aircraft airworthiness considerations for EDTO
Summary
Annex 6, Part 1 Doc 10085 Annex 8, Part IIIA Doc 9760
Section 4.7.2 EDTO Manual Section 9.2.7 A/W Manual

§ 4.7.2.3 § 2.2.2 § 9.2.7 / 7.2.8 § 5.6


EDTO certification Systems performance
Elements of the EDTO Flying time limitations and reliability
Twins is required certification are established assessment

§ 2.3.1 § 5.2.1
§ 4.7.2.3 Identification of Time Identification of Time
EDTO certification capability of most capability of most
Aeroplanes with more is NOT required limiting limiting
than 2 engines relevant EDTO relevant EDTO
significant system significant system

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 12
EDTO Significant Systems
Definition & concept

Both Aeroplane Manufacturers and Operators have to develop an


EDTO Significant Systems List

A system is identified as “EDTO Significant” when it has a unique influence for


EDTO, i.e. it specifically participates to the EDTO philosophy : "Preclude and
Protect the diversion“.

Accordingly, a EDTO Significant System is either:


‒ A system whose functional failure or degradation could adversely affect the safety
particular to an EDTO flight, or
‒ A system whose continued functioning is specifically important to the safe flight
and landing of an aeroplane during an EDTO diversion (for the contemplated
maximum diversion time)

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 13
Review Questions

Question 4.1 :
Which of the following systems is an EDTO Significant System?
– Landing Gear
– Thrust Reverser
– Flight Controls
– Toilets
– Ram Air Turbine

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 14
EDTO Significant Systems
Creation and utilization

Review by the System Safety Analyses


Manufacturer Identification of failure cases requiring functions Review by the
and systems to be available for EDTO Operator
and/or
EDTO Type Design Requirements
List of functions or systems required
as per the applicable EDTO regulations
(established by the Manufacturer)
and/or
EDTO Type Design Assessment
List of functions or systems supporting EDTO
Operations as per applicable definition of (may be identical to the one
EDTO significant Systems provided by the Manufacturer)

The list of EDTO Significant Systems is used by EDTO operators for:


‒ Reliability monitoring and tracking program, and for reporting of EDTO relevant events
‒ Maintenance (verification program, Dual Maintenance restrictions, elements of training program which has to bring
special attention for qualified maintenance personnel)
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 15
EDTO Significant Systems
Group 1 and Group 2

EDTO Significant Systems may be divided in two Groups


• EDTO Significant Systems Group 1 and Group 2
‒ Note: this classification is mainly relevant for Manufacturers and of limited value to the Operator. Indeed Group 1
and Group 2 systems must be equally considered by the Operator except for the selection of EDTO related tasks
in the frame of maintenance staff EDTO qualification (see Module 6).

• The identification of Group 1 Significant Systems is done through the assessment of the
consequence of an engine failure. Accordingly, Group 1 EDTO Significant Systems are:
‒ Systems related to number of engines and that drive the systems redundancy (e.g. engines, fuel feed, electrical
system, bleed system…)
‒ Systems that may affect the proper functioning of the engines
‒ Could result in an in-flight shutdown or loss of thrust and consequently to diversion
‒ Systems that contribute to the safety of EDTO flight, as well as to the safety of a maximum length diversion and
landing at an alternate airport

• The Group 1 systems participate to both the “preclude” and “protect” concepts

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 16
EDTO Significant Systems
Group 1 and Group 2

EDTO Significant Systems may be divided in two Groups


• The Group 2 EDTO Significant Systems are:
‒ Systems not related to number of engines and therefore equally important for an
aeroplane engaged in EDTO operation regardless of the number of engines e.g. autopilot,
navigation system, communication systems…
‒ Among those, there are also the Time Limited Systems that may size the maximum diversion
time, such as the cargo fire suppression system, or the oxygen on freighter aircraft.

• The failure of Group 2 EDTO Significant Systems would reduce the capability of the aeroplane or the
ability of the crew to cope with a maximum length diversion and landing at an alternate airport
‒ As such they participate mainly to the “protect” concept as they alleviate the crew workload during
a maximum length diversion

• Therefore Group 2 systems are typically common to both twins and aeroplane with more than 2 engines

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 17
Module 4 - Outline

Part I Aircraft airworthiness considerations for EDTO

Part II Type Design Assessment

Part III Reliability & Maturity Assessment

Part IV Continued validity of EDTO certification

Part V EDTO Documentation (CMP, AFM, …)

Part VI Summary

Part VII Practical Exercise


05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 18
EDTO Approval Elements
To operate beyond EDTO Threshold, two conditions must be met:
EDTO Type Design (AEC) Evaluation
EDTO Operational Evaluation
(Certification required for Twins only)

Applicant: Applicant:
MANUFACTURER OPERATOR

Annex 8 + EDTO Manual CS 25 + AMC 20-6 FAR 25/33 + AC25xx (TBC) Annex 6 + EDTO Manual AIR OPS + AMC 20-6 FAR121/135 +AC120-42B

Prime Certification Authority


+
National Aviation Authority
Validation Authorities
NAA Rules

EDTO Type Design Evaluation must be completed before granting of operational approval of Operator for EDTO
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 19
EDTO Type Design and Reliability Assessment
Aeroplanes with more than 2 engines

• An assessment of the aeroplane and engine design should be performed to identify


relevant EDTO Significant Time Limited Systems, if any, and to confirm the capability of
the most limiting one :
– In most cases, it is the capability of the Cargo Fire Suppression system which defines this
limitation for EDTO

– The capability of this most limiting EDTO Significant Time Limited System must be considered
at dispatch for the purpose of identification and selection of en-route alternates (verification of
weather)

• This assessment should be performed by the manufacturer


– Corresponding time limitation should be provided in relevant aeroplane documentation
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 20
EDTO Type Design and Reliability Assessment
Aeroplanes with more than 2 engines

• No dedicated certification for EDTO is required


– The systems configuration and the maintenance standards defined through the basic type
certification of an aeroplane with more than two engines are considered as adequate for EDTO
operations.
– Note: a given State may require an EDTO certification provided related design and reliability
criteria have been defined (engine reliability objective is usually not considered)

• There are also no additional maintenance requirements for EDTO.


– Basic maintenance program remains valid to support EDTO

• The EDTO certification requirements detailed in the following slides are therefore
applicable to Twin engine aircraft only.
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 21
EDTO Type Design and Reliability Approval
Aeroplanes with 2 engines

• It is the responsibility of the aircraft manufacturer to obtain the EDTO certification


of the aeroplane.
– The EDTO certification is always granted to a given aeroplane/engine combination
– It is subject to a continued surveillance of the in-service reliability

• It is a prerequisite to the start of the EDTO operations (EDTO operational approval).

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 22
EDTO Type Design and Reliability Approval
Aeroplanes with 2 engines

• The Authority in charge of this approval is the Primary Certifying Authority of the
manufacturer (State of Design), e.g. EASA for Airbus or FAA for Boeing.

• The EDTO certification of an aircraft is an assessment of the compliance of the


candidate aeroplane/engine combination (AEC) with all the design provisions and
reliability objectives of the applicable EDTO criteria (e.g.: EASA AMC 20-6, FAA Part
25.1535, ...).
– These design and reliability requirements are further detailed in the following slides

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 23
EDTO Type Design and Reliability Approval
Aeroplanes with 2 engines

Methods for EDTO Certification:


Increasing

2
in-service
In-service experience experience
> 100 000 EH (EASA)
Review of in-service data > 250 000 EH (FAA)
Flight tests for ESS failures (incl. OEI diversions)
100,000 EH

1 2 Combined service experience and Early EDTO


> 15 000 EH (FAA)
Review of in-service data
Flight tests for ESS failures (incl. OEI diversions)
3000 cycles tests (APU + Engine)
15,000 EH

1 Early EDTO
Flight tests for ESS failures (incl. OEI diversions) No prior in-service
experience
3000 cycles tests (APU + Engine)
Flight + Bench Tests for maturity purpose
Lessons learnt activity
Early EDTO reporting and tracking EIS

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 24
EDTO Type Design and Reliability Approval
Early EDTO Certification elements

The 5 Main Elements of Early-EDTO Ensure EDTO Capability at Service Entry:

1 Design for EDTO

EDTO

Early-EDTO Type Design


Certification Process
philosophy 2 Relevant Experience (Lessons Learned)

PRECLUDE 3 Maintenance & Operations Procedures Validation


Avoid the diversion

PROTECT 4 EDTO Testing (Ground & Flight tests)


Ensure that the diversion is safe

5 Problem Tracking and Resolution

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 25
EDTO Type Design and Reliability Approval
Deliverables / documentation
Aeroplane Manufacturer Engine Manufacturer
Design Reliability & Maturity
assessment assessment
(continuing)
Certification Documents Service Data Service Data

Type Design Authority Type Design Authority


Specialists Reliability Tracking Board (Continuing Process) and
other world Authorities

Design Compliance Findings Assessment Report


Reliability Findings
Type Design Authority
National Aviation
Project Manager
Authorities

ASR
Validation Statement
MPD
FCOM
CMP

MMEL

TCDS

MRB
IPC
AFM

CMP MMEL AFM FCOM IPC MPD TCDS MRB

For EDTO, the A/C must be configured, maintained & operated according to the CMP
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 26
EDTO Type Design and Reliability Approval
Deliverables / documentation
Aeroplane Manufacturer Engine Manufacturer
Design Reliability & Maturity
1
1 2
assessment assessment
(continuing)
Design assessment is
Certification Documents Service Data Service Data detailed in following slides
Type Design Authority
Specialists Reliability Tracking Board (Continuing Process)

2
Reliability & Maturity
Design Compliance Findings assessment is detailed in
Reliability Findings
Type Design Authority following section of this module
Project Manager

• Both the Design and the Reliability & Maturity assessments are performed in parallel for
the initial EDTO certification of the candidate Aeroplane/Engine Combination (AEC).
– The Design assessment is performed once whereas the Reliability & Maturity assessment is a continuing process.
– The Design assessment is also performed in case of Change to Type Design in case of potential impact on the
already certified EDTO configuration.
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 27
EDTO Type Design and Reliability Approval
EDTO Design Requirements
To obtain an EDTO certification of the candidate AEC, the Manufacturer must show :
Adequate Adequate cockpit &
Adequate APU design (start communication cabin environment
capability within the overall systems Acceptable Crew
Workload
flight envelope) (under failure conditions)

Fuel availability

Safe flight and landing


in EDTO icing
conditions Single engine operation :
adequate system
redundancy
Adequate Propulsion Electrical power source
System Design & Adequate Cargo Fire
redundancy & capability
Reliability Suppression System

Demonstration and analyses must consider failure conditions for the maximum diversion time/distance
Each particular assessment is detailed in the following slides
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 28
EDTO Type Design and Reliability Approval
EDTO Design Requirements
To obtain an EDTO certification of the candidate AEC, the Manufacturer must show :
Adequate Adequate cockpit &
Adequate APU design (start communication cabin environment
capability within the overall systems Acceptable Crew
Workload
flight envelope) (under failure conditions)

Fuel availability

Safe flight and landing


in EDTO icing
conditions Single engine operation :
adequate system
redundancy
Adequate Propulsion Electrical power source
System Design & Adequate Cargo Fire
redundancy & capability
Reliability Suppression System

Demonstration and analyses must consider failure conditions for the maximum diversion time/distance

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 29
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Safety Analyses

Safety analyses (FHA and SSA) are reviewed to consider the EDTO mission times:
‒ Contemplated Maximum Diversion Time
‒ Mean Flight Time (which is expected to be more than the non-EDTO mean flight time)

The criteria for assessing the safety risk severity vs probability is the same as for basic Type Design
assessment :
‒ Same classification of failure severity vs expected/targeted probability
Probability Probable Remote Extremely remote Extremely
Improbable
(per FH) 1 x 10-5 1 x 10-7 1 x 10-9

Severity Minor Major Hazardous Catastrophic

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 30
Review Questions

Question 4.2 :
Is it correct to say that the increased length of the EDTO diversion always
increases the severity of a given system failure ?

– Yes

– No

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 31
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Safety Analyses

The Maximum Diversion Time (and distance, if relevant) considered in the Safety Analyses are usually
sizing the Time limitation of the EDTO Significant Most Time Limited System (Other than Cargo Fire
Suppression System).
‒ Corresponding value(s) must be published in the EDTO limitations section of the Flight Manual
‒ These limitations mays also be repeated in the EDTO CMP document

Example of WP-911 AFM EDTO supplement for EDTO>180 min capability:

Aeroplane Flight Manual


EDTO Beyond 180 Minutes - Time Limited System Capability
The time capability of the cargo fire suppression system is 225 minutes
The time capability of all other EDTO significant systems is at least 290 minutes

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 32
EDTO Type Design and Reliability Approval
EDTO Design Requirements
To obtain an EDTO certification of the candidate AEC, the Manufacturer must show :

Single engine operation :


adequate system
redundancy

Demonstration and analyses must consider failure conditions for the maximum diversion time/distance

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 33
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Adequate System Redundancy

In case of engine failure, the remaining electrical, hydraulic and pneumatic power (as
applicable) must be sufficient for safe flight and landing.
‒ Examples of power sources redundancies:

Systems Normal One engine shutdown

3 systems 2 systems
Hydraulic
1 RAT backup 1 RAT backup
4 generators 3 generators
- 2 engines - 1 engine
Electrical
- 1 APU - 1 APU
- 1 Emergency Gen - 1 Emergency Gen
3 air bleed sources 2 air bleed sources
Pneumatic - 2 engines - 1 engine
- 1 APU - 1 APU

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 34
EDTO Type Design and Reliability Approval
EDTO Design Requirements
To obtain an EDTO certification of the candidate AEC, the Manufacturer must show :

Acceptable Crew
Workload
(under failure conditions)

Demonstration and analyses must consider failure conditions for the maximum diversion time/distance

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 35
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Crew Workload and Passenger Physiological needs

For failure conditions not shown to be extremely improbable and for the maximum diversion
time/distance, the Manufacturer must demonstrate that :
‒ The crew workload remains acceptable
‒ The Crew and Passenger physiological needs are adequately fulfilled (see also cabin environment)

• Flight tests are performed to validate acceptable flight crew workload and adequacy of
procedures, and to confirm that no more than average piloting skills or crew co-ordination is required
‒ e.g. One-Engine-Inoperative test flights combined with various system failure simulations are performed
‒ Diversions conducted in emergency electrical configuration,
‒ Emergency descent and diversion at FL 100,
‒ Failure of autopilot, autothrust, etc…

• Availability of toilets and cabin lights is assessed (for failure cases not extremely improbable).
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 36
EDTO Type Design and Reliability Approval
EDTO Design Requirements
To obtain an EDTO certification of the candidate AEC, the Manufacturer must show :
Adequate cockpit &
cabin environment

Demonstration and analyses must consider failure conditions for the maximum diversion time/distance

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 37
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Air Conditioning (ATA 21)

Adequate cockpit and cabin environment must be preserved following all combinations of
propulsion and electrical system failures which are not shown to be extremely improbable (e.g. in
emergency electrical configuration)

On modern EDTO aircraft, pressurization and equipment cooling can typically be ensured with air
from one engine air-bleed system only or the APU air-bleed system (up to a given altitude or FL).

Excess temperature in avionics compartment must be extremely improbable


‒ Degraded avionics cooling configuration considered (unless shown to be extremely improbable)

Body Core Temperature analyses performed to assess impact of loss of cabin temperature control.
‒ Assessment performed for both hot and cold conditions
‒ Conservative assumptions considered for outside air temperature and cabin occupancy (i.e. low for cold
temperature, high for hot temperature)
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 38
EDTO Type Design and Reliability Approval
EDTO Design Requirements
To obtain an EDTO certification of the candidate AEC, the Manufacturer must show :
Adequate
communication
systems

Demonstration and analyses must consider failure conditions for the maximum diversion time/distance

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 39
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Adequate Communication Systems (ATA 23)

One voice based communication system is required for all EDTO operations up to 180 min DT.

Satellite-based Voice Communication system required for EDTO beyond 180 minutes operations
‒ In areas where SATCOM is not available (Polar regions) or does not allow voice communication, a backup voice
system is required (HF)
Flight Traffic Satellite Satellite-based Voice
Communication system
HF/VHF Radio
Communications
must be operative
(VOICE)
Satellite
Communication
for EDTO beyond 180 min
(VOICE/DATA)

HF/VHF Radio
Communications
(VOICE/DATA)

Airlines Operations Airport

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 40
EDTO Type Design and Reliability Approval
EDTO Design Requirements
To obtain an EDTO certification of the candidate AEC, the Manufacturer must show :

Electrical power source


redundancy & capability

Demonstration and analyses must consider failure conditions for the maximum diversion time/distance

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 41
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Electrical Power sources (ATA 24)


The aeroplane must be fitted with at least three independent and reliable generators

‒ Each generator must be capable of supplying enough services to ensure continued safe flight and
landing under adverse operating conditions

Additional requirement EDTO > 180 min: a 4th generator is required unless the loss of the 3 independent
sources is showed to be extremely improbable (EASA requirement)

‒ Note: FAA has a prescriptive requirement for a 4th generator which shall power one cross-feed valve
and one fuel boost pump in each tank
IDG1

EDTO aeroplane are fitted with at least APU Gen


3 independent electrical generators
IDG2

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 42
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Electrical Power sources - Backup Electrical Power


Additional back-up electrical power sources are considered in the EDTO assessment if they provide all
electrical loads for a safe EDTO diversion and landing

‒ This additional redundancy allows EDTO dispatch with main gen inoperative (e.g. IDG)

Full-up Airplane Backup Generator Only

Example: Dispatch with Generator or APU/APU Gen Inop


Lose an Engine
Lose another Generator or APU/APU Generator
Backup Gen Powers all EDTO Loads

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 43
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Examples of Electrical Power architectures for EDTO

WP-911 WP-911SP+ WP-Millennium


APU Gen APU Gen Back-up Gen 2 x APU Gens

1 x IDG 1 x IDG 1 x IDG 1 x IDG 2x VFGs 2x VFGs

All 3 generators are APU GEN or one IDG may be inop 2 GENs (APU or VFG) may be inop
required for EDTO for EDTO up to 180 min for EDTO up to 180 min

Additional back-up generator must be All 4 generators are APU GEN or one VFG may be inop for
installed for EDTO>180 min required for EDTO>180 min EDTO>180 min

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 44
Review Questions

Question 4.3 : VFG 1A

VFG 1B

VFG 2A

VFG 2B

The above aeroplane is fitted with 4 electrical generators (2 on each engine). Is it


correct to say that this configuration complies with the EDTO requirement to have at
least 3 independent generators?
– Yes
– No
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 45
EDTO Type Design and Reliability Approval
EDTO Design Requirements
To obtain an EDTO certification of the candidate AEC, the Manufacturer must show :

Adequate Cargo Fire


Suppression System

Demonstration and analyses must consider failure conditions for the maximum diversion time/distance

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 46
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Cargo Fire Suppression System (ATA 26)

EDTO regulations require the cargo fire suppression system to cover the maximum approved
diversion time plus an additional 15 minutes allowance for approach and landing, e.g.:
‒ For 120 min EDTO 135 min minimum protection time needed
‒ For 180 min EDTO 195 min minimum protection time needed

Cargo smoke detection and control of ventilation/heating (Isolation valves) must be available on
each single electrical power source considered for EDTO assessment (see ATA 24)

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 47
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Cargo Fire Suppression System (ATA 26)


Cargo holds fire protection times are demonstrated by flight tests and/or analyses
‒ Same requirement of fire extinguishing agent concentrations level as for basic Type Certification
‒ Most “Class C” systems are made of fire extinguishing bottle, with the first bottle providing a high rate
flow of extinguishing agent, and the other bottles(s) being flow metered.

Bottle 1 Bottle 2
(high discharge rate) (flow-metered
1 2 discharge rate)

Example of typical
Cargo Fire Protection System
FWD Cargo Hold AFT Cargo Hold

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 48
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Cargo Fire Suppression System (ATA 26) – Impact on AFM

The Cargo Fire Suppression Time demonstrated in Flight Test (or analyses) is the time limitation that must
be identified in the aeroplane documentation
‒ Corresponding value must be published in the EDTO limitations section of the Flight Manual
‒ These limitations mays also be repeated in the EDTO CMP document

Example of WP-911 AFM EDTO supplement for EDTO>180 min capability:


Aeroplane Flight Manual
EDTO Beyond 180 Minutes - Time Limited System Capability
The time capability of the cargo fire suppression system is 225 minutes
The time capability of all other EDTO significant systems is at least 290 minutes

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 49
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Example of Cargo Fire Suppression Times & configurations


Bottle 1
(high discharge rate)

WP-911SP+ Bottle 2
(low discharge rate)

Bottle 3 - optional
(low discharge rate)

Basic 180 min EDTO EDTO>180 min EDTO>180 min


Option 1 Option 2
Bottle 1 1800 cu.in. 1800 cu.in. 1800 cu.in. 1800 cu.in.

Bottle 2 1100 cu.in. 1800 cu.in. 2200 cu.in. 1800 cu.in.

Bottle 3 - - - 1100 cu.in.

Suppression time 135 min 195 min 225 min 310 min

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 50
EDTO Type Design and Reliability Approval
EDTO Design Requirements
To obtain an EDTO certification of the candidate AEC, the Manufacturer must show :

Fuel availability

Demonstration and analyses must consider failure conditions for the maximum diversion time/distance

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 51
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Fuel System (ATA 28) – Fuel cross feed & engine operation

Fuel cross feed to operative engine during single engine operation (twin engine aircraft) must be protected
against single malfunctions:
‒ The normal procedure for fuel cross-feed is by opening the fuel cross-feed valve
‒ Cross feed function must remain available in single electrical power source configuration

Engine operation: Effect of turbulence and negative “G” must be evaluated if:
‒ fuel boost pumps are not powered (e.g. limitation in emergency electrical configuration)
‒ the loss of all fuel boost pumps is not showed to be extremely improbable

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 52
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Example of Fuel X-Feed configurations

Single X-Feed valve Two X-Feed valves


Dual actuator In parallel

Preflight check of the fuel


Preflight check of the fuel
X-feed valve is required.
X-feed valve is NOT required.
Note: per FAA policy,
Note: the valves must be
check of the X-Feed valve must
checked as per applicable
be performed at end of cruise
maintenance task interval.
(instead of preflight)

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 53
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Fuel System (ATA 28) – Low Fuel Alert

An alert must be displayed to the Flight Crew when the quantity of fuel available to the engines falls below
the level required to fly to the destination.
‒ The alert must be given when there is enough fuel remaining to safely complete a diversion.

Low Fuel Alert for EDTO is typically made of :


‒ Fuel System Alerts (e.g. FU/FOB DISAGREE) on the system warning
Detection of important fuel display (e.g. ECAM, EICAS)
leaks due to system failure(s)
‒ Fuel Leak Detection downstream the Fuel Flowmeter - FADEC based
alert, comparison between the 2 engines fuel flows and fuel used
Detection of small leaks, flight
plan anomalies, unexpected
adverse operating conditions ‒ FMS “DEST EFOB BELOW MIN” alert

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 54
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Example of FMS generated low fuel alert

MIN DEST FOB = ALTN + FINAL

EXTRA = DEST EFOB – (ALTN + FINAL)

If DEST EFOB becomes lower than MIN DEST FOB :

 DEST EFOB turns amber; and


 DEST EFOB BELOW MIN is generated by FMS

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 55
EDTO Type Design and Reliability Approval
EDTO Design Requirements
To obtain an EDTO certification of the candidate AEC, the Manufacturer must show :

Safe flight and landing


in EDTO icing
conditions

Demonstration and analyses must consider failure conditions for the maximum diversion time/distance

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 56
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Ice and Rain Protection (ATA 30)

EDTO regulations require analyses to be performed to assess the aircraft capacity to fly for prolonged
exposure duration in icing conditions
‒ For failure cases not extremely improbable leading to fly at altitudes were icing conditions can be met (e.g. engine failure,
depressurization)

EDTO ice shapes are computed for the 3 following EDTO diversion scenarios (considering contemplated
maximum diversion time and/or distance) :
‒ OEI FL and max OEI speed (VMO target)
‒ AEO at FL100 and LRC speed
‒ OEI at FL100 and max OEI speed (VMO target)

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 57
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Ice and Rain Protection (ATA 30)

Impact of the accretion (ice shapes) on handling qualities and performance are assessed.
‒ Fuel penalty resulting from EDTO ice shapes and accretion are then included in relevant aeroplane’s operational
documentation for flight operations engineers/dispatchers
‒ Those penalties have to be taken into account during fuel planning, for computation of fuel reserves for EDTO

The anti-ice system control must remain available on single electrical power source
(i.e. those considered for the EDTO assessment – see ATA 24) :
‒ Engine air-intake anti-ice
‒ Wing anti-ice
‒ At least one alpha probe anti-ice
‒ At least one pitot probe de-ice

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 58
EDTO Type Design and Reliability Approval
EDTO Design Requirements
To obtain an EDTO certification of the candidate AEC, the Manufacturer must show :

Adequate APU design (start


capability within the overall
flight envelope)

Demonstration and analyses must consider failure conditions for the maximum diversion time/distance

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 59
Review Questions

Question 4.4 :
Is it correct to say that any aeroplane designed for EDTO must be fitted with
an APU ?

– Yes

– No

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 60
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Auxiliary Power Unit (ATA 49)

APU may provide electrical or bleed power and may therefore be one of the required sources for EDTO.

APU installation should meet normal certification requirements :


‒ APU does not need to be certified as essential even if considered as one power source for EDTO

APU should meet additional EDTO requirements to demonstrate its intended function (e.g. third
electrical generator for EDTO) :
‒ In-flight start capability : 95%
‒ Run reliability : failure rate less than 1x10-3 per APU operating hour (MTBF > 1,000 H)
‒ Compliance with above reliability objectives must be demonstrated through service experience or as
part of Early EDTO program in case of EDTO certification with reduced service experience

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 61
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Auxiliary Power Unit (ATA 49) – High altitude start capability

APU must be able to be started up to the maximum operating altitude, in cold soak conditions
‒ If the in-flight start capability of the APU has not been demonstrated, the APU must be started and kept
running throughout the EDTO sector of the flight

ALTITUDE (ft)

41,100
(for WP-911SP+)

APU START LIMIT WITH NORMAL


AEROPLANE POWER SUPPLY
and
APU OPERATION LIMIT for ELEC POWER* *Note : the ceiling for APU bleed output
is normally lower (typically around FL220)
This is acceptable for EDTO.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 62
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Auxiliary Power Unit (ATA 49) – High altitude start demonstration

Accordingly an APU In Flight Start demonstration has to be performed by the Manufacturer


‒ Statistical demonstration of the APU capability to start at any altitude up to the maximum aircraft
operating altitude, in cold soak conditions.
‒ Number of starts should provide a representative sample to meet regulatory start success rate of 95%.
Typical number of in-flight starts is between 60 to 300 starts.
‒ A successful start is typically when the APU starts within 3 attempts
‒ Cold soak should demonstrate stabilized APU parameters, in particular lowest temperatures for
the APU, fuel and oil. Typical duration of the cold soak is 2 to 4 hours in cruise before APU in flight
start attempt.

This APU In Flight Start capability has to be monitored by the EDTO operators (see Module 6)

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 63
EDTO Type Design and Reliability Approval
EDTO Design Requirements
To obtain an EDTO certification of the candidate AEC, the Manufacturer must show :

Adequate Propulsion
System Design &
Reliability

Demonstration and analyses must consider failure conditions for the maximum diversion time/distance

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 64
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Powerplant (ATA 71 to ATA 80)

There is no EDTO specific design criteria on the powerplant, except:


‒ EDTO engines must be fitted with an oil tank filler cap

‒ Failures (contained or not) of propulsion system should not adversely affect remaining system or
equipment :
• Propulsion System Safety analyses (including Uncontained Engine Rotor Failure analyses) consider
average EDTO mission time and contemplated maximum diversion time
• Sustained Engine Imbalance (SEI) analyses are normally performed with a maximum diversion time of 180 min.
• Demonstration of continued engine rotation in windmilling configuration without oil for contemplated
maximum diversion time

‒ Sizing of oil tank should consider longest duration flight dispatched with both engine recorded
at maximum allowed oil consumption, with engine failure and remaining engine at MCT thrust
for a maximum duration diversion.
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 65
EDTO Type Design and Reliability Approval
EDTO Design Requirements

Powerplant (ATA 71 to ATA 80)

Engines must meet EDTO reliability objectives (IFSD target rate) :


‒ Compliance with these reliability objectives must be demonstrated through in service experience and
Early EDTO demonstration in case of EDTO certification with reduced service experience – See next
section of this module.

‒ This requirement may lead to design change mandatory for EDTO

An Engine Condition Monitoring program must be available


‒ The procedures and tools for engine condition monitoring have to be validated and included in
relevant maintenance instructions (aircraft and/or engine documentation)

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 66
Module 4 - Outline

Part I Aircraft airworthiness considerations for EDTO

Part II Type Design Assessment

Part III Reliability & Maturity Assessment

Part IV Continued validity of EDTO certification

Part V EDTO Documentation (CMP, AFM, …)

Part VI Summary

Part VII Practical Exercise


05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 67
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Initial reliability & maturity demonstration


To obtain an EDTO certification, a demonstration of the initial reliability and maturity must be performed
through either :

• The In-service experience method when the world fleet of candidate aircraft has the required
minimum amount of service experience (as discussed in Part II of this module).
‒ The reliability and maturity demonstration is based on available in-service data

• The Early EDTO program method when the candidate aircraft has no or reduced in-service
experience (as discussed in Part II of this module).
‒ The reliability and maturity demonstration is done through a dedicated Early EDTO program:
 Dedicated tests (e.g. engine 3,000cy test, aircraft flight tests, …)
 Operations and reliability validation flights
 Lessons Learned analyses More info on
 Events tracking and reporting NEXT
slides!
‒ A typical Early EDTO Program is detailed in the following slides
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 68
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Typical Early EDTO Program


The Early EDTO certification of the WP-Millennium required specific maturity and reliability demonstrations:

• Design Goals (e.g. Cargo Fire Suppression) and consideration of EDTO Certification Basis

• Contemplated 350 min maximum diversion time (OEI) capability

• Specific ground testing and EDTO airplane demonstration (flight testing)

• Validation of Maintenance Tasks and Operational Procedures

• Events Reporting and Tracking

• Consideration of relevant experience and maturity demonstration for EDTO Significant


Systems

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 69
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Typical Early EDTO Program – Specific ground testing


The propulsion system (engine and aeroplane accessories) completed 3000 simulated flight cycles:

• Electrical generator and hydraulic systems fully loaded

• Engine intentionally imbalanced to validate engine accessories durability

• Operational thrust reverser

• 3 x maximum diversion time cycles (350 min +15 min)

• Full post test tear down and inspection

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 70
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Typical Early EDTO Program – Specific ground testing


The APU also completed 3000 simulated flight cycles:

• Electrical generators fully loaded and Post test tear down and inspection

Design for in-flight start reliability


• 200 simulated in-flight altitude starts including cold soak
• Collected APU in-flight start data during flight test program
• Cold weather demonstration

APU maintenance task validations


• 3 airlines and 122 tasks validated

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 71
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Typical Early EDTO Program – Specific ground testing

EDTO Operators
Demonstrated APU in-flight start APU in-flight start
Monitoring Program
WonderPlanes
capability higher than 95%
In-Service In-flight
APU starts due to
Non-normal events

Production
Flight Tests
(Loaded Gen)

WonderPlanes EDTO
Testing and Function
& Reliability testing
(Loaded Gen)

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 72
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Typical Early EDTO Program – Demonstration flight tests


• Multiple 365 minute engine-out diversion demonstrations
‒ MCT (2 repeated on same engine)
‒ Decompression at 10,000 ft
‒ Drift down profile

• Multiple degraded system diversion scenarios (365 minutes) Cruise


altitude
OEI FL

• Multiple cycles from humid environment to cold soak at altitude


OEI OEI
350 min 15 min
• Maximum duration flight demonstration

• Use of in-service manuals and procedures Cruise


altitude

FL100
• Post test inspection
OEI OEI
350 min 15 min

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 73
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Typical Early EDTO Program – Demonstration flight tests


MegaThrust MegaThrust MT2050
Scenarios/Other Totals
MT2050 Package +
Number of Aeroplanes 3 2 5
Flights 29 2 31
Flight hours 217 14 231*
Humidity cycles 10  10
Engine-out conditions 8 2 10
(365 minutes)

Degraded electrical (365 min) 6 2 8


Single VFG 2  2
APU only 1  1
Degraded Avionics & Cabin
ventilation (365 min) 6  6
Max EDTO mission 20:19  
Diversion airports 3  3
Post-test inspections Yes Yes  * 3,100 total WP-MIL flight test hours thru today

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 74
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Typical Early EDTO Program – Maintenance & Operational Task Validations

• All EDTO significant system maintenance & operational tasks validated as part of Early EDTO certification

• Airplane and engine tasks validated by several means:


‒ Desk top validation / Lab test and ground tests / Flight tests

• EDTO Propulsion & APU 3000-cycle tests


‒ Normal scheduled maintenance that would be expected to occur during 3000 cycles

• WonderPlanes WP-Millennium aeroplane demonstration Flight Test


‒ Test airplanes operated and maintained using recommended procedures

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 75
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Typical Early EDTO Program – Maintenance & Operational Task Validations

Quick Reference Handbook


Examples of Operational Procedures validated:
Fuel System
 Fuel Leak
 Fuel Press Eng L, R
 Fuel Pump Center L, R
 Fuel Pump L, Aft, Fwd
 Fuel Pump L, Aft, Fwd
 Fuel Qty Low
 Fuel Temp High
 Fuel Temp Low All WP-Millennium Flight Operations Procedures
 Fuel Valve APU Affecting EDTO Significant Systems

Validate Procedures
• Analysis
• Engineering Cab
• Flight Test
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 76
EDTO Type Design and Reliability Approval
Deliverables / documentation
Aeroplane Manufacturer Engine Manufacturer
Design Reliability & Maturity
1
1 2
assessment assessment
(continuing)
Design assessment is
Certification Documents Service Data Service Data detailed previous section of
Type Design Authority this module
Specialists Reliability Tracking Board (Continuing Process)

2
Reliability & Maturity
Design Compliance Findings assessment is detailed in
Reliability Findings
Type Design Authority following slides
Project Manager

• Both the Design and the Reliability & Maturity assessments are performed in parallel for
the initial EDTO certification of the candidate Aeroplane/Engine Combination (AEC).
– The Design assessment is performed once whereas the Reliability & Maturity assessment is a continuing process.
– The Design assessment is also performed in case of Change to Type Design in case of potential impact on the
already certified EDTO configuration.
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 77
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

EDTO Reliability reviews (Reliability Tracking Board)

In addition to the EDTO Type Design assessment, a reliability review has to be


performed in the frame of EDTO certification of the candidate aeroplane
‒ Perform review of the in-service experience of the candidate aeroplane-engine combination

‒ Should be conducted prior to first EDTO Type Design & Reliability approval
and on a continuing basis thereafter (see next section of this module)

For initial certification, this first reliability review covers the experience accumulated
since :
‒ the Type certification (In service EDTO certification); and/or

‒ during the maturity and reliability demonstration (Early EDTO certification).

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 78
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

EDTO Reliability reviews – In service event filtering


In-service
Event involving EDTO-significant ATA chapter / system
occurence
NO YES
NO EDTO-significant function / sub-system / component

NO
YES
Event consequences potentially more important for EDTO

NO YES
Non EDTO related
Corrective actions already taken in the scope of
event
Continued Airworthiness are adequate for EDTO
YES
NO
No further action restricted to EDTO only Specific corrective action needed for EDTO

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 79
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

EDTO Reliability Requirements – IFSD rate monitoring

The IFSD target rate are defined to ensure that dual engine failure for independent
causes remains extremely improbable.
Accordingly, the IFSD target rate are usually set as follows:
EDTO up to 120 min up to 180 min Beyond 180 min

IFSD Target Rate


0.050 0.020 0.010
per 1,000 Engine Hours

The IFSD rate is normally computed:


‒ For a given fleet of aeroplane/engine combination e.g. WP-911SP+ models fitted with Greenpush
RG3350-SP series of engines
‒ On a 12 month rolling basis.
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 80
Review Questions

Question 4.5 :
The IFSD target rate are defined to ensure that dual engine failure remains extremely
improbable. Considering that P1 is the probability of failure of the 1st engine and P2
the probability of failure of the 2nd engine, the probability of the loss of both engines
on a twin engine aircraft may be simplified as :

– P1 x Flight Time x P2 x Diversion Time

– 2 x P1 x (Flight Time - Diversion Time) x P2 x Diversion Time

– 2 x P1 x Flight Time x P2 x Diversion Time

– P1 x P2 x (Flight Time)2
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 81
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

EDTO Reliability Requirements - Determination of IFSD target rates

 The next slides provide an overview of the various risk models and concepts developed by ICAO since
1953, and further elaborated since the inception of ETOPS in 1984 (up to the introduction of
ETOPS/EDTO >180 min by FAA and EASA from 2007 onwards)
 Terms used :
– Pf – Safety objective (probability) for Total Loss of thrust from independent causes
– P – IFSD target rate (to comply with relevant safety objective Pf)
– P1 or Cr – Probability of failure of the 1st engine
– P2 or Mr – Probability of failure of the 2nd engine
– T – Flight time
– D – Maximum diversion time
 Recall: the probability of the loss of both engines on a twin engine aircraft may be simplified as follows:
Pf = 2 x P1 x exposure time for 1st engine failure x P2 x exposure time for 2nd engine failure
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 82
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Determination of IFSD target rates – ICAO 1953

 Summarized Risk model formula for a two-engine aeroplane is:


Pf = 2 x P1 x T x P2 x D/2
 Assumptions
– Safety objective for Total Loss of thrust from independent causes :
Pf = 10E-08
– Probability of failure is the same for 1st and 2nd engine and corresponds to average failure rate (P):
P1 = P2 = P
– Average exposure time of a single engine diversion is half of the maximum diversion time (D)
– Full mission time (T) is considered

 Hence the IFSD target rate :


P= 10E-08 / (T x D)

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 83
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Determination of IFSD target rates – ICAO 1984


 Summarized Risk model formula for a two-engine aeroplane is:
Pf (T) = 10E-08 x(0.4T+0.6) = 2 x P1 x T x P2 x D
 Assumptions
– Safety objective for Total Loss of thrust from independent causes is sized as a function of the mission
time (T), and is set at 10E-08 for a flight of 1FH, as in 1953 formula:
Pf = 10E-08 x(0.4T+0.6)
– Probability of failure of 1st engine (P1) is half of average failure rate (P), and probability of failure of
2nd engine is equal to average rate :
P1=½ x P P2=2xP1= P
– Full mission time (T) is considered, and exposure time of a single engine diversion is the max
diversion time (D)

 Hence the IFSD target rate :


P= 10E-08 / (T x D)
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 84
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Determination of IFSD target rates – FAA 1984/2007*


*new FAA ETOPS rule

 The risk model is based upon “the known service records of an established large fleet of twin-engine civil transport-turbo fan
powered airplane”.
Concept of “base fleet”
 Assumptions
– Safety objective for Probability of engine failure is assumed to be the one achieved by the “base fleet” over a 10-year
period:
Average inflight shutdown rate (P) of approximately 0.020/1000 EH
– This figure is considered conservative vs the rates determined with ICAO 1984 equation, considering a flight of 7 FH:
• 0.049/1,000 for 2 hour diversion time
• 0.040/1,000 for 3 hour diversion time

 Hence the retained target IFSD rates :


P = 0.050 / 1,000 EH for diversion times up to 120 min
P = 0.020 / 1,000 EH for diversion times up to 180 min
P = 0.010 / 1,000 EH for diversion times beyond 180 min*
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 85
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Determination of IFSD target rates – EASA 2010 (up to 180 min)


 Summarized Risk model formula for a two-engine aeroplane is:
Pf = 2 x P1 x T x P2 x D
 Assumptions for EDTO (ETOPS) up to 180 min
– Safety objective for Total Loss of thrust from independent causes is sized as a function of the mission
time (T) as in ICAO 1984 equation, but set to a slightly more conservative 3x10E-09 for a flight of 1FH
Pf (T) = 3x10E-09 x(0.4T+0.6)
– Probability of failure of 1st (P1) and 2nd (P2) engine is derived from average failure rate (P) :
P1=½ x P P2=2xP1= P
– Full mission time (T) is considered, and exposure time of a single engine diversion is the max
diversion time (D)

 Hence the IFSD target rate :


P= 3x10E-09 x(0.4T+0.6) / (T x D)

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 86
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Determination of IFSD target rates – EASA 2010 (beyond 180 min)


 Summarized Risk model formula for a two-engine aeroplane is:
Pf = 2 x Cr x (T-D) x Mr x D
 Assumptions for EDTO (ETOPS) beyond 180 min
– Safety objective for Total Loss of thrust from independent causes is set to 10E-09 for a flight of 1FH :
Pf (T) = 1x10E-09 x T
– Probability of failure of 1st engine (Cr: Cruise rate) and of 2nd engine (Mr: MCT rate) is respectively half
or equal to 2 x the average failure rate (P) :
Cr=½ x P Mr=2 x P
– For the 1st engine failure, the exposure time is Full mission time (T) minus the max diversion time (D)
– Exposure time of a single engine diversion is the max diversion time (D)

 Hence the IFSD target rate :


P= 10E-09 x T / 2 x (T-D) x D
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 87
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

Determination of IFSD target rates – Resulting target rates

Diversion Flight Time


ICAO 1953 ICAO 1984 FAA EASA
Time (FH) (FH)

2 7 (0.027) 0.049 0.050 0.027

3 7 (0.022) 0.040 0.020 0.022

10 20 (0.007) (0.021) 0.010 0.010

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 88
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

EDTO Reliability Requirements – Example of IFSD rate curves


0.020

0.018

0.016

0.014

0.012

0.010
0.010

0.008 Manufacturer : Bigfan


Engine Family : Nexus-6
0.006
Manufacturer : Thunderbird
0.004
Engine Family : T2
0.002
Manufacturer : Greenpush
Engine Family : RG3350-89

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations
EDTO Type Design and Reliability Approval
EDTO Reliability & Maturity Requirements

EDTO Reliability Requirements – IFSD definition

The In-flight shutdown (IFSD) is when an engine ceases to function in flight and is
shutdown, whether self induced, flight crew initiated or caused by an external influence, for
example (list is not exhaustive) :
‒ flameout, internal failure, foreign object ingestion, icing,
‒ flight crew initiated shutdown e.g. when unable to obtain or control desired thrust or power, cycling
of the start control (even if the engine operates normally for the remainder of the flight).

The IFSD definition usually excludes the airborne cessation of the functioning of an engine
when immediately followed by an automatic engine relight and when an engine does not
achieve desired thrust or power but is not shutdown.
‒ These events as well as engine failures occurring before take-off decision speed or after touch-
down, although not counted as IFSD, are reviewed in the frame of continued airworthiness
for EDTO.
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 90
Module 4 - Outline

Part I Aircraft airworthiness considerations for EDTO

Part II Type Design Assessment

Part III Reliability & Maturity Assessment

Part IV Continued validity of EDTO certification

Part V EDTO Documentation (CMP, AFM, …)

Part VI Summary

Part VII Practical Exercise


05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 91
Continued validity of EDTO certification
Aeroplane with 2 engines

Section 1.5: Continuity of EDTO Certification EDTOM


(Two Engine Aeroplanes)

“The EDTO certification is not granted permanently. It is


submitted to a continued surveillance by the State of Design of
the in-service reliability of the worldwide fleet of the concerned
aircraft model/type.

The certified EDTO capability of the aircraft may therefore be


reduced, suspended or even revoked if no solution exists to a
major problem…”

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 92
EDTO Type Design and Reliability Approval
Continued validity of EDTO certification

EDTO Reliability reviews (Reliability Tracking Board)

Once granted, the EDTO certification must be maintained.

EDTO Continued Airworthiness activities typically consist in reviewing the reliability of the
aeroplane EDTO Significant Systems, APU and Engines

‒ These reviews may be performed during dedicated meetings of the


so-called EDTO Reliability Tracking Board

‒ Reliability review meetings are held on a regular basis


(typically every 3 to 6 months in the early service life of the
aeroplane, and every 1 to 2 years for mature product)

‒ Statistical reliability indicators are also reported regularly.


05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 93
EDTO Type Design and Reliability Approval
Continued validity of EDTO certification

EDTO Reliability Requirements

The continued monitoring on in-service data aims at ensuring that:


‒ Aeroplane systems failure rates (Mean Time Between Failure - MTBF) do not exceed the rates
considered in the safety analysis.

‒ Engines meet EDTO reliability objectives (IFSD target rate)

Compliance with these reliability objectives must be demonstrated through Early EDTO
demonstration in case of EDTO at EIS, and in any case through in service experience.
‒ Corrective action may be mandated to restore adequate reliability levels

‒ EDTO certification may be reduced or suspended if reliability objectives are not met and no
corrective action is available

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 94
EDTO Type Design and Reliability Approval
Continued validity of EDTO certification

Implementation of corrective actions


Corrective action(s) may be mandated to restore adequate reliability levels
‒ e.g. worldwide fleet IFSD rate should be maintained at or below applicable target rate.

It shall be noted that exceedance of applicable reliability targets may not lead to systematic
mandatory corrective action. The decision to mandate (or not) a corrective action may also
consider the following elements:
‒ Identification of the root cause
‒ Affected fleet (all or subset only) and operational specificities (e.g. weather, type of fuel, …)
‒ etc…

Conversely, corrective actions may also be mandated even if prescribed worldwide reliability
targets are met e.g. to address an issue impacting a sub-fleet of aeroplanes.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 95
EDTO Type Design and Reliability Approval
Continued validity of EDTO certification

Implementation of corrective actions

A corrective action may be :


‒ Upgraded / new design
‒ Additional maintenance tasks or existing tasks with reduced interval
‒ Revised/new Flight Crew procedures
‒ More stringent EDTO MMEL dispatch allowance

EDTO standards are not frozen


and may potentially be impacted / revised

Such corrective action may be mandated by the State of Design through either a
revision of the EDTO CMP document or a dedicated Airworthiness Directive (AD)
‒ Continued compliance of the EDTO operators with applicable revision of the EDTO CMP
Document or “EDTO” AD is mandatory for continued EDTO operations.
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 96
Module 4 - Outline

Part I Aircraft airworthiness considerations for EDTO

Part II Type Design Assessment

Part III Reliability & Maturity Assessment

Part IV Continued validity of EDTO certification

Part V EDTO Documentation (CMP, AFM, …)

Part VI Summary

Part VII Practical Exercise


05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 97
EDTO Documentation
Aeroplanes with 2 or more engines

EDTO Standards and Limitations in the Aeroplane’s documentation.


• Two engines aeroplanes
– As the aeroplane must be certified for EDTO Certification, the EDTO Standards and
Limitations are identified in approved EDTO CMP Document and EDTO Supplement of the
AFM.
– The MMEL and Maintenance Review Board report (MRBR) may also include EDTO related
information, as these documents are reviewed as part of the EDTO certification exercise

• Aeroplanes with more than two engines


– EDTO certification and EDTO maintenance program requirements are not applicable.
Accordingly, it is considered that the aeroplane design and maintenance program defined
as part of the basic Type Certification exercise are adequately supporting EDTO operations
– Capability of the EDTO Significant Time Limited System(s) is identified in relevant
documentation (e.g. FCOM)
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 98
EDTO Documentation
Aeroplanes with more than 2 engines

EDTO Standards and Limitations in the Aeroplane’s documentation.

• Unless otherwise stated in the documentation or tools supporting the


operations of the aeroplane, there are no specific configuration, maintenance,
crew procedures or dispatch standards for EDTO.
– Note: some States have implemented criteria for EDTO certification of aeroplanes with more
than 2 engines. In this case, the Standards and Limitations for EDTO may be found in
dedicated EDTO CMP document and EDTO supplement of the AFM.

• The maximum diversion time capability of the aeroplane is sized by the


capability of the relevant EDTO Significant Time Limited System

• This information should be reflected in the applicable documentation (e.g.


FCOM), as indicated by the Manufacturer of the aeroplane.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 99
EDTO Documentation
Two engines aeroplanes

EDTO Standards and Limitations in the Aeroplane’s documentation.

• The Standards for EDTO are listed in the applicable issue of the
EDTO CMP Document

• The limitations for EDTO, and in particular the capability of the EDTO
Significant Time Limited Systems, are identified in the approved
EDTO supplement of the AFM

• The dispatch restrictions specific to EDTO are listed in the MMEL

• Additional data relevant to EDTO operations may be found in other


documents or tools supporting the operation of the aeroplane, such
More info on
as the MRB Report, IPC, FCOM, etc... NEXT
slides!

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 100
EDTO Documentation
EDTO CMP Document

The EDTO CMP Document defines:


‒ The configuration standards of the airframe, the engines
and the APU for EDTO
‒ The maintenance tasks specific to EDTO (also found in
the MRBR)
‒ The flight crew procedures specific to EDTO (also found in
the AFM and FCOM)
‒ The dispatch limitations specific to EDTO (also found in
the MMEL)

For EDTO, the aircraft must be configured, maintained and operated according to the
applicable CMP Document
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 101
EDTO Documentation
EDTO CMP Document
For Entry into Service: For Aircraft in-service:
 Flight Test Results  Reliability trends
 Simulation  Events
 System Safety Assessment  Modifications
 Lessons Learned  Other aeroplane related events

CMP

FCOM
MMEL
IPC

AFM
IPC MMEL - AFM - FCOM

• EDTO Maintenance Practices on EDTO Significant


AMM
Systems (e.g. Dual Maintenance limitations)
MPD

JIC
• Non-aeroplane specific maintenance requirements
(e.g. oil Consumption monitoring) MPD - AMM - JIC*
*JIC : Job Instruction Card

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 102
EDTO Documentation
EDTO CMP Document

The EDTO limitations may also be identified in the CMP:

These limitations are sizing the maximum diversion


time / distance for the concerned aeroplane family.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 103
EDTO Documentation
EDTO CMP Document

Example of EDTO CMP Document page


layout:
‒ The CMP standards may typically split by ATA
chapter, e.g. ATA 21 standards in this example.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 104
EDTO Documentation
EDTO CMP Document

Example of EDTO CMP Document page


layout:
‒ The CMP standards are split as follows:
1. Configuration
2. Maintenance
3. Procedures
4. Dispatch

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 105
EDTO Documentation
EDTO CMP Document

Example of EDTO CMP Document page


layout:
‒ Each CMP item contains the following information:
 Diversion Time Range applicability
 Compliance Schedule (mostly for Configuration
and Maintenance items)
 Description of the items
 Compliance Solution(s)
Example on
NEXT
slides!

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 106
EDTO Documentation
EDTO CMP Document

Example of EDTO CMP Document page


layout:
‒ Example of a configuration item with a limit date
for embodiment

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 107
EDTO Documentation
EDTO CMP Document

Example of EDTO CMP Document page


layout:
‒ Example of a maintenance item with a not to
exceed interval in Flight Hours.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 108
EDTO Documentation
EDTO CMP Document

Example of EDTO CMP Document page


layout:
‒ Example of a Flight Crew procedure item .

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 109
EDTO Documentation
EDTO CMP Document

Example of EDTO CMP Document page


layout:
‒ Example of a Dispatch item referring to MMEL for
resolution, applicable to EDTO beyond 180 min only
(see description text).

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 110
EDTO Documentation
EDTO Parts List

Purpose of the EDTO Parts List

The EDTO CMP document defines the required EDTO configuration of the aeroplane in
terms of Modifications or Service Bulletin references
Corresponding Part Numbers (P/N) are usually not listed. Hence the EDTO Parts
List assists the operator in identifying the P/N's, which are either:
 NOT approved for EDTO i.e. P/N's not to be fitted on EDTO aircraft; and
 The minimum standards of P/N’s required for proper EDTO configuration

The Parts List is not an approved document : in case of any doubt, the EDTO CMP document
should be used as the reference for ascertaining the required EDTO configuration.

Note : Except otherwise stated, any P/N above the minimum standard P/N is considered
approved for EDTO.
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 111
EDTO Documentation
EDTO Parts List

From the EDTO CMP Document to the Parts List and IPC
For each item: list of MOD/ SB/ VSB
1 - Configuration items
2 - Maintenance items

CMP Pre-MOD P/N Post-MOD P/N

IPC
IPC

Illustrated
Parts Catalog

Parts Parts
NOT APPROVED Parts
NOT APPROVED
APPROVED
Parts List

EDTO
for EDTO for EDTO (mandatory)
Part List after specified end date
for EDTO

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 112
Review Questions

Question 4.6 :
Is it correct to say that any system listed in the EDTO Significant System list
can also be found in the EDTO Parts List ?

– Yes

– No

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 113
EDTO Documentation
AFM EDTO Supplement

Approved AFM EDTO supplement


The approved EDTO Supplement within Appendices &
Supplements section of the AFM, is approved as part of the EDTO
certification and applies to EDTO operated aeroplanes.

This finding does not constitute approval to conduct EDTO

Note that the EDTO supplement is usually for a given EDTO


capability of the aeroplane, e.g.:
- 180 min EDTO
- Beyond 180 min capability

Even if certified for a higher diversion time, the aeroplane cannot be


operated beyond the EDTO limitations specified in its AFM.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 114
EDTO Documentation
AFM EDTO Supplement

Approved AFM EDTO supplement

It confirms whether procedures listed in AFM Emergency


Procedures & Abnormal Procedures remain applicable for
EDTO (it is usually the case).

It identifies the additional diversion cases for EDTO, if any


(e.g. in case of one remaining main generator).

It provides reference to applicable performance data within


FCOM and/or performance programs.
.

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 115
EDTO Documentation
EDTO MMEL

EDTO dispatch restrictions in MMEL

The dispatch restrictions specific to EDTO are


identified in the MMEL as part of the EDTO
certification activities :

The EDTO Operator’s MEL must include the MMEL


restrictions for EDTO operations
‒ As for non-EDTO, the “EDTO MEL” cannot be less
restrictive than the “EDTO MMEL”

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 116
Module 4 - Outline

Part I Aircraft airworthiness considerations for EDTO

Part II Type Design Assessment

Part III Reliability & Maturity Assessment

Part IV Continued validity of EDTO certification

Part V EDTO Documentation (CMP, AFM, …)

Part VI Summary

Part VII Practical Exercise


05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 117
Module 4 : EDTO Type Design & Reliability Considerations
Summary

Before it can be operated on EDTO, the aeroplane must be :


 Certified for EDTO if it is a twin engine aeroplane
‒ The EDTO certification of twins is a two-step process: 1-Type Design Review and 2-EDTO Reliability Review
‒ This EDTO certification of twins is granted by the State of Design, and supported by the approval of an EDTO CMP
Document and of an EDTO supplement to the AFM which are listing the EDTO standards and limitations.
‒ Once granted, EDTO certification of twins are maintained through EDTO Continued Airworthiness activities
(Review of in-service events and of engines’ IFSD rates)
 Assessed for EDTO if it is an aeroplane with more than two engines
‒ The aeroplane design and maintenance program defined as part of the basic Type Certification exercise are adequately
supporting EDTO operations
‒ Capability of the EDTO Significant Time Limited System(s) is identified in relevant documentation (e.g. FCOM)

Assessment or Certification activities of EDTO capability of the aeroplane and identification of


applicable time capability of concerned EDTO Significant System(s) are led by the
Manufacturer of the Aeroplane.
05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 118
Module 4 - Outline

Part I Aircraft airworthiness considerations for EDTO

Part II Type Design Assessment

Part III Reliability & Maturity Assessment

Part IV Continued validity of EDTO certification

Part V EDTO Documentation (CMP, AFM, …)

Part VI Summary

Part VII Practical Exercise


05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 119
Questions?

EDTO Workshop
End of Module 4 – Type Design & Reliability
Considerations

05/11/2019 ICAO EDTO Workshop – Module 4 : Type Design & Reliability Considerations 120

You might also like