MsKos сказал(а):
Ученый, FW,
Насколько мне удалось разобраться в проблематике CMR, то это:
Работа по ТО, направленная на выявление/предупреждение скрытого (для летного экипажа) функционального отказа, который в сочетании с другим видом отказа или событием может оказать прямое влияние на безопасность полетов.
Это слишком простое объяснение
Таких отказов может быть много, а CMR все же ограниченное число - то есть не все такие отказы, а только те, у которых или последствия двойного отказа очень нехорошие (КС) или вероятность такого события ("двухотказного") достаточно высокая.
Вот (для обсуждения) текущая ноая редакция текста упомянутого проекта новой редакции Руководства по летной годности про CMR:
1.13 CERTIFICATION MAINTENANCE REQUIREMENTS
AND AIRWORTHINESS LIMITATIONS
1.13.1 Introduction
1.13.1.1 Annex 6, Part I, 11.3.1 states:
“A maintenance programme for each aeroplane as required by 8.3 shall contain the following information:
a) maintenance tasks and the intervals at which these are performed, taking into account the anticipated utilisation of the aeroplane;”
1.13.1.2 Annex 8, Part III, Chapter 10 places an obligation on States of Design to ensure that information is provided for use in developing procedures for maintaining the aeroplane in an airworthy condition. Paragraph 10.4 contains the following requirement:
“10.4 Maintenance information resulting from
the type design approval
Maintenance tasks and frequencies that have been specified as mandatory by the State of Design in approval of the type design shall be identified as such.”
1.13.1.3 Where the maintenance tasks developed as a result from a system safety analysis, they are usually known as certification maintenance requirements (CMRs). A CMR is a required periodic task, established during the design certification of the aircraft as an operating limitation of the Type Certificate. Notwithstanding the importance of the other airworthiness limitations, this chapter is primarily intended to provide an introduction to the concept of CMRs, their relevance to an aircraft maintenance programme and their importance as an integral part of the in-service validation of the type design.
1.13.1.4 It should be noted that some CMRs require the performance of certain flight crew procedures. Where included in a CMR, these procedures are mandatory and must be shown as such in the AFM or equivalent document. It is likely that future design developments will limit the use of CMR to maintenance tasks.
1.13.2 Background
1.13.2.1 For a number of years, aeroplane systems were evaluated to specific requirements, to the single fault criterion, or to the fail-safe design concept.
1.13.2.2 As later-generation aeroplanes evolved, more safety-critical functions were required to be performed which generally resulted in an increase in the complexity of the system designed to perform these functions. The potential hazards to the aeroplane and its occupants that could arise in the event of loss of one or more functions provided by a system, or the effect of that system’s malfunction, had to be considered, as did the interaction between systems performing different functions.
1.13.2.3 These developments led to the general principle that an inverse relationship should exist between the probability of loss of function(s) or malfunction(s) leading to a serious failure condition and the degree of hazard to the aeroplane and its occupants arising therefrom. Airworthiness codes were amended to recognize this principle, two examples being the introduction of paragraphs 25.1309 in the United States Federal Aviation Regulations, Part 25 and the European Joint Aviation Requirements, JAR 25. To satisfy these requirements, it is necessary to complete a safety analysis of all system and powerplant installations to determine the effect on the aircraft of a failure condition or malfunction.
1.13.2.4 In assessing the acceptability of a design it was recognised that rational probability values would have to be established and these were set on the following basis:
a) Historical evidence indicates that the risk of a serious accident due to operational and airframe-related causes is approximately one per million hours of flight. Of this, 10 per cent can be attributed to failure conditions caused by aeroplane system problems. On this basis, it was considered that serious accidents caused by systems should not be allowed a higher probability than this in new designs. It is therefore required that the probability of a serious accident from all such failure conditions should not be greater than one in ten million flight hours, i.e. a probability of less than 1 x 10-7.
b) To be satisfied that this target can be achieved, it is necessary to analyse numerically all the systems on the aeroplane. For this reason, it is arbitrarily assumed that there are about 100 potential failure conditions which would prevent continued safe flight and landing. The target risk of 1 x 10-7 was apportioned equally amongst these conditions, resulting in a risk allocation of not greater than 1 x 10-9 to each one. Thus, the upper risk for an individual failure condition which would prevent continued safe flight and landing is set at 1 x 10-9 for each hour of flight.
1.13.2.5 Various analytical techniques were developed to assist designers in completing the necessary safety analysis to satisfy the requirements:
a) Quantitative, by the application of mathematical methods. Such analysis is often used for hazardous or catastrophic failure conditions of systems that are complex, that have insufficient service experience to help substantiate their safety, or that have attributes that differ significantly from conventional systems.
b) Qualitative, by assessment in a subjective, non-numerical manner. Examples of typical types of qualitative analysis are:
1) a review of the integrity of the installation and the design, based on experienced judgement; and
2) a systematic review of each component failure and an evaluation of its effect on the systems of the aircraft. An advantage to this approach is the identification of potential hidden effects of these failures.
In most cases equipment failures are inevitable. All anticipated aircraft failure can be divided in two groups:
1) evident to the flight crew during performance of normal duties and
2) hidden (or latent) - means non-evident to the crew.
1.13.2.6 All hidden (or latent) failures need to be discovered and rectified in a timely manner. The methods for discovering hidden failures may include:
a) failure monitoring and warning systems;
b) scheduled maintenance tasks (operational or functional checks of the sub-systems or components); and
c) special kind of checks (CMRs).
Within evident failures any single hazardous failure principally shall be eliminated or – with limited design capabilities – the probability of such a failure shall be limited in accordance with the airworthiness requirements. Evident failures of redundant components generally have no safety effect and could be treated the same way as most hidden failures – restoration tasks their intervals should be established. These tasks have the same physical nature as maintenance tasks listed in the maintenance programme but they forms separate document – MMEL. Reason for the same nature of hidden and evident non-critical failures in the fault tolerant systems is their similar restoration policy. For a hidden failure restoration interval will be the interval of scheduled maintenance check with subsequent item repair. And for an evident such a failure (MMEL item) this interval will be the allowed time for the item to be unserviceable (supposed an item failure to become evident during a flight).
Type Certificate holder always have a choice considering redundant components' failures. Sometimes it is more effective to keep them hidden (not disturbing the crew and not spending on failure warning systems) with the maintenance tasks scheduled for this type of failures. In other cases on-board failure monitoring is preferable - then components' failures have to be covered by the MMEL (see summary in the Table below).
Airworthiness control policy (Таблица не воспроизводится)
Historically, the MRB was the only body responsible for the determination of necessary maintenance tasks to prevent functional system failures, to find out and to eliminate hidden (or latent) failures of redundant systems or components. These tasks being proposed by the industry steering committee (ISC) then form the initial maintenance programme (or the MRB report) for the aircraft type. This document is subject for the approval of the MRB. The MRB report previously was the sole base for continuing airworthiness of the aircraft type. Later, a requirement in the FAR/JAR 25.1309 concerning the “latent failures” has lead to the procedures for certification maintenance co-ordination committee (CMCC) activities in the area of defining the scheduled tasks for timely elimination of the latent failures. In fact, these are the same activities as those of the MRB, but there is an option for a special kind of flight crew or maintenance personnel tasks. These tasks cover the type design features that cannot be treated effectively by other means (design change, etc.).
1.13.3 Failure Monitoring and Warning Systems
Completion of a safety analysis, using the techniques described in 1.13.2.5, 1.13.2.6 may identify potential latent failures. In some cases such failures should be identified to the flight crew by failure monitoring and warning systems. However, it is axiomatic that these systems should be practical and reliable, i.e. within the state of the art; a reliable system is one which will not result in either excessive failures of a genuine warning or excessive or untimely false warnings, which can sometimes be more hazardous than lack of provision for, or failures of, genuine but infrequent warnings. If a practicable and reliable monitoring and warning system cannot be provided, other means must be provided to detect significant latent failures, as described in the following paragraph.
1.13.4 Implementation of Certification
Maintenance Requirements (CMRs)
1.13.4.1 To reduce or eliminate the hazardous conse-quences of undiscovered pre-existing failures, checks for such failures should be accomplished. These checks can be developed through the MRB process, system safety assessment or CCMC procedures and published as CMRs where it is necessary to identify significant latent failures. Some checks of this nature may be performed by flight crews; if this is the case, they will be incorporated as mandatory procedures in the flight manual. As previously mentioned, current design philosophy is to eliminate CMRs from flight crew procedures in future designs and to limit CMRs to maintenance tasks.
1.13.4.2 CMRs are developed using rational methods, such as quantitative analysis or service experience. The tasks are intended to be implemented concurrently with routine maintenance inspection tasks, i.e. tasks not associated with the design compliance process described in 3.1.2 above.
1.13.4.3 CMRs are produced by the organizations responsible for the type design and approved by the State of Design during the type certification process. CMRs are listed in the Type Certificate Data Sheet or equivalent document. In many cases, it is appropriate for the Type Certificate Data Sheet to make reference to another document where CMRs may be placed for convenience to the operator (Air Transport Association of America - ATA formatted maintenance manual, Chapter 5, appropriate section of the maintenance planning data document (MPD) or in a separate airworthiness limitations manual).
1.13.5 Incorporation of Airworthiness Limitations
and CMRs in Maintenance Programmes
1.13.5.1 From the previous text, it will be apparent that CMRs are an integral part of the validation of the type design and are essential to continuing airworthiness, even though the same conclusion may be made in respect of other types of airworthiness limitations. During the approval of maintenance programmes (1.13.1.1 refers), the State of Registry should ensure that CMRs and airworthiness limitations (including their associated intervals and tolerances as established by the State of Design) are included.
1.13.5.2 The State of Registry should not approve changes to airworthiness limitations without consulting with the State of Design. Some type designs may include approved procedures which allow the aircraft operator to vary airworthiness limitations task intervals (or limits); it is essential that any variation is completed in accordance with these procedures.
1.13.5.3Based on service experience, it is normal practice for operators to develop maintenance programmes in terms of variation of task content and escalation of inspection and check intervals. Airworthiness limitations are to be excluded from this escalation process. It is strongly recommended that States of Registry ensure that:
a) airworthiness limitations are clearly identified as such in the maintenance programme; and
b) procedures exist to prevent airworthiness limitations being varied in any way without the approval of, or in accordance with, a procedure developed by the State of Design.