For any aircraft fleet, it is neither economically nor operationally feasible to inspect every structural component after each flight. Therefore, it is crucial to establish optimized inspection procedures and intervals based on the risk that each component poses to the aircraft and its systems. This paper aims to present two risk assessment methodologies, Probabilistic Safe-Life and Probabilistic Damage Tolerance, outlining the key steps required for an effective risk evaluation. Case studies for each method will be provided to illustrate their practical applications.
Probabilistic Safe-Life only considers the fatigue cycles, the materials resistance to it and assumes that no cracks are present at the start of the study, the model does not take into consideration punctual damage events. The analysis is based on probabilistic models that should be chosen based on fleet data and assessed with a goodness of fit evaluation or general experience and distribution characteristics. The advantage of this method is that it can be performed when only the Time to Failure (TTF) and Time in Service (TIS) are known. In general, it is recommended to use the Weibull distribution as classically it best represents fatigue failures (Tridello et al., 2023), one also has to make sure that the corresponding R2 and p-values are acceptable. Other models can be used but the user has to be experienced and aware of the models’ limitations (Tuegel et al., 2018).
Probabilistic Damage tolerance assumes that cracks are already present and grow under specific loading cycles, aiming to model crack growth through statistical inputs, including loading, initial crack size and material properties. A case study will be presented demonstrating the methodology and how a maintenance interval may be optimized. Due to the sensitive nature of the structural parts within this paper, the source data cannot not be shared and was altered.
The following methodology chapter outlines the main procedure to follow. While it provides a comprehensive overview of the procedural framework, it does not delve into the details of each step but instead highlights the necessary actions to take.
The general risk assessment procedure, shown in Figure 1, can be divided into three phases:
Phase 1 – Data collection: Gather information on the structure being analyzed, ranging from analytical studies to in-service findings and failure data. A certain level of precision is required to ensure the results are reliable.
Phase 2 – Calculation and evaluation: Classify the structure under one of the two methods: Safe-Life or Damage Tolerance. In this phase, the corresponding distribution functions and hazard assessments are determined.
Phase 3 – Validation and implementation: Validate and apply the results from Phase 2. Risks are assessed at three levels: component, aircraft, and fleet. The findings are then implemented according to the platform-specific System Safety Program Plan (SSPP).
Risk assessment flowchart.
This phase may, if not already implemented, require the most effort since it needs a precise failure and part tracking system. Furthermore, a suitable metric to track the life of the structure is required. Such a metric is called a Life Usage Index (LUI), this index can be the amount of flight hours, number of landings etc. (a structure may have multiple LUIs). This system must ensure that each failure and fault is documented, analyzed (engineering or laboratory analysis) and that positive adequate corrective actions are taken to prevent recurrence (Departement of Defence, 1985).
The Safe-Life design philosophy applies only to the period before cracks or other damage appear, ensuring the structure maintains its ultimate load capability up to a predetermined Safe-Life limit. This approach considers only fatigue-induced damage throughout the aircraft’s lifespan and does not account for isolated damage events.
Safe-Life assessments are determined based on the availability of findings. If no findings are available, the first assessment relies on cumulative damage analysis and a spectrum of available flight data. If findings are available, the second assessment requires only a statistical analysis.
In the methodology outlined in Figure 2, each simulation “i” (e.g., Monte Carlo Sampling) selects a flight spectrum from the flight data recorder or the full-scale fatigue spectrum and a value for the damage model D (e.g. Miner’s Rule), which is frequently normally distributed with a known mean μ and standard deviation σ. If information from test data or experience is not available for the damage model, initial values of μ = 1.0 and σ = 0.1 are recommended.
No findings, probabilistic Safe-Life methodology.
Using miner’s damage accumulation rule, each load pair “j” from the flight load spectra is passed through the S-N curve to calculate the life Nfj. The current accumulated damage dC is then calculated. The damage for each load pair in the spectrum is computed and accumulated until the accumulated damage equals or exceeds the damage model value D. This process is repeated until enough simulations are generated to achieve statistical confidence in the mean value for Monte Carlo simulations. Once enough samples are generated, they undergo statistical processing, as explained below.
In a probabilistic Safe-Life methodology, existing findings, inspection data, cracking, and failures can be used to calibrate the model based on cumulative or individual failure rates.
An alternative approach involves calculating the underlying distribution function while considering both failures and suspensions. To ensure accuracy, it is essential to account for structures that have not yet failed, known as “suspensions,” recorded at a specific Time in Service (TIS). A more precise model is achieved with a larger dataset.
The Statistical Processing chapter outlines the steps required for this analysis, and the case study below provides further detail, it also exposes the Weibayes method used in the eventuality where there are very few failures.
Damage tolerance is the attribute of an aircraft structure that permits it to retain its required residual strength in the presence of damage for a period of unrepaired usage. This attribute enables the detection and repair of these cracks before they can lead to a structural failure.
In the case where inspection findings (Non-Destructive Inspection: NDI) are available, it is possible through statistical processing to model different crack growth scenarios. The processing uses, for example, 0.01 mm as the initial crack size for the various growth models. This analysis gives an indication of the time required for the length of the crack to become critical. NDI crack indications can be used as a starting point and then the cracks grown to a critical size and subsequently provide new crack distributions for the Weibull analysis. Naturally this method becomes more helpful the more findings there are.
An alternative approach, not necessarily requiring findings, is to consider using all relevant inputs for a risk analysis these include but are not limited to: Equivalent Initial Flaw Size (EIFS)/Equivalent Initial Discontinuity State (EIDS) distributions, load spectra, chemical and thermal environment, material properties, NDI probability of detection (POD) etc. Figure 3 shows the Probabilistic Damage Tolerance Analysis (PDTA) methodology.
Damage tolerance PDTA methodology.
The first (1), out of four inputs, is from fracture mechanics with two curves, crack growth analysis and residual strength calculation. The physical limitations of the studied material must be also known.
The second input (2) is the maximum load that that aircraft is submitted to. This must put into the form of an extreme value distribution (EVD) obtained either through real flight data or simulated.
The third input (3) is the EIFS/EIDS which assumes that on the first cycle the crack begins to grow. Tracking the cracks back to their starting point can give an indication on the initial “quality” of the material and how well it was manufactured. Using a lognormal fitting of the findings gives us then the distribution from which it is possible to calculate the part’s lifespan solely based on crack growth. Not considering the initiation time allows for a representation of the flaws observed in service as they propagate forward.
The fourth input (4) provides the simulation of repairs and inspections. It is important to include the Probability of Detection (POD) curve and the size of the repaired crack. This is used to model the impact of inspections and repairs. This curve depends on a few factors, notably the part geometry, material, inspection method, accessibility and inspector experience. For the simulations the crack size is adjusted by detecting and removing a percentage of large cracks which are then replaced with a weighted distribution of repaired cracks. These efforts reduce the overall risk and should be done at regular intervals or when the risk reaches a predetermined limit. The different probabilities of failure used in PDTA are clearly explained in the paper by Juan D. Ocampo (Ocampo et al., 2023).
This methodology leverages pre-existing deterministic crack growth (“a vs. N”) and residual strength (“σRS vs. N”) curves to predict probabilistic crack growth. The key advantage of this approach is the ability to “shift” and “scale” crack growth life and residual strength based on pre-existing damage tolerance analyses for various initial crack sizes and fracture toughness values. This eliminates the need to conduct a crack growth analysis for each unique realization of initial crack size or fracture toughness, significantly speeding up the process compared to repeated lifing analyses. However, the method is constrained to two random variables: initial crack size and fracture toughness.
In this analysis, the probabilistic model incorporates three random variables: the equivalent initial flaw size, the fracture toughness, and the extreme value load, which is independent of the crack growth analysis. For each realization of initial crack size and fracture toughness, the damage tolerance analysis is updated. The residual strength curve is employed to calculate the Probability of Failure (POF) for that specific realization. As described, POF represents the probability that the maximum load per flight will exceed the residual strength of the structure at a given flight number.
The crack growth analysis is then used to conduct the inspection simulation at a predetermined flight number or required risk level. Detected cracks are repaired, restoring the structure’s residual strength. After sufficient simulations, the expected value of all POF realizations is computed.
SMART|DT (Risk Assessment SMART|DT, 2023) is a risk assessment computer code developed with sponsorship from the Federal Aviation Administration (FAA). It can account for variabilities in material properties, crack growth parameters, usage, inspection probability of detection, and build quality. Additionally, it integrates with NASGRO and AFGROW, enabling crack growth simulations.
The code directly applies the methodology outlined in this section, allowing for the incorporation of additional random variables related to geometry and material properties.
Statistical processing was performed using an in-house tool. Each step is reproducible and does not rely on proprietary statistical analysis.
The first step is to determine the most appropriate model to represent the data set. At this stage, the following distribution functions are considered: Weibull, Lognormal, Normal, Exponential, Gumbel Max and Extreme Value Minimum (EV Minimum). A goodness-of-fit test is then performed using the Anderson-Darling test, and the corresponding p-value and R2 are calculated. The model with the highest score is selected, which is then extended and integrated with historical data to create a reliable dataset.
The process also requires several input parameters, including maximum flight hours, time of interest (ToI), number of items analyzed per aircraft, hazard severity (specific to each SSPP), fleet size, operational factor (indicating whether failures are potential, such as loss of redundant component that does not result in total failure, or a crack that propagates circumferentially rather than longitudinally), and total fleet flight hours.
The second step is to calculate the probability density function (PDF) and cumulative density function (CDF). The failure rate curve is then derived to evaluate the influence of different inspection intervals using the equation (1) below. The cumulated failure rate from each aircraft yields the risk for the fleet.
The WeiBayes model can only be used instead of the Weibull model if there are deficiencies in the data. These deficiencies could be too few or no failures, or an unknown aircraft age. It is recommended to use WeiBayes when less than four data points are available. The principle of the method is to estimate the two variables that describe the Weibull model, the shape/slope parameter (β) and the scale (η). β can be estimated from historical data or engineering knowledge of the physics of the failure. Once assumed it is possible to estimate η as described in equation (1) below (Abernethy et al., 1983).
The USAF Aircraft Structural Reliability and Risk Analysis Handbook Volume 1 (Tuegel et al., 2018), proposes the following characteristic Weibull shape parameters for aerospace metallic materials when no previous experience or information about the failure mode is known:
High strength steels (Ftu > 1379MPa (200ksi)): β = 2.0 to 2.5,
Titanium alloys: β = 2.5 to 3.0,
Low strength steels (Ftu < 1379 MPa (200 ksi)): β = 3.0 to 3.5,
Aluminum alloys: β = 3.5 to 4.5.
This step depends heavily on the SSPP in effect. This plan sets the failure rate limits as well as the criticality for the evaluated structure. The criticality depends on the design of the specific system and the platform in which it is built-in and is directly correlated with the function (primary, secondary etc.) of the considered part. The consequence of a functional failure of this component means that this function is no longer guaranteed. By iterating these failure conditions for all reasonable scenarios, the criticality and the corresponding effect at the aircraft level are determined.
The initial task is to validate the results provided by the analysis. This process involves comparing calculated risk values with empirical data gathered from operational environments. By assessing the consistency and accuracy of these metrics against real-world performance and failure incidents, analysts can ensure that the risk assessments are realistic and reliable. Any discrepancies identified during this comparison should be investigated and, if necessary, adjustments should be made to the models or assumptions. This iterative process helps in refining the risk assessment methodologies and enhances the confidence in the derived risk values. Before implementation three calculations at different levels can be made, the single point risk (part level) then the aircraft risk and finally the fleet risk.
After detecting cracks in the in-flight refueling bell cranks, inspections were scheduled at shorter intervals. Figure 4 shows the in-flight refueling bell crank, positioned at the center, serving as the link between the nozzle actuation mechanism and the door actuating mechanism. Since the failure of this component is not critical to the aircraft’s airworthiness, it is a strong candidate for inspection interval optimization.
In-Flight refueling bell crank.
The data available for this analysis are the actual FH for each aircraft at the inspection point. As data there are suspensions (non-failed components) and findings (failed components). However, the values used for this report are for demonstration purposes only and are not the actual flight hours of the fleet. The suspensions were marked at the actual FH of the aircraft, the findings however were marked at the amount of FH at the time of failure.
Table 1 shows an example of the input data for the analysis. Suspensions are important for understanding the global picture and to have more data points, resulting in a model that is less pessimistic.
Example of data for Safe-Life analysis (extract).
| Aircraft actual FH | Tail number | Suspension (FH) | Finding (FH) |
|---|---|---|---|
| 5954 | 1001 | 5954 | |
| 6001 | 1002 | 3783 | |
| 5189 | 1003 | 4088 | |
| 6198 | 1004 | 6198 |
Figure 5 shows the obtained Weibull distribution at the subcomponent level. From this distribution the fleet failure rate is calculated using the fleet size and the number of times the part is installed per aircraft. The distribution includes the suspension data which explains why the PDF curve is not centered around the failures highlighted by a red circle.
Safe-Life, Bell Crank Weibull distribution.
Figure 6 shows the fleet risk calculated for three different inspection intervals, short, medium and long. After reviewing the results of the analysis, it is noticeable that the difference between the short and long schedule is only marginal and does not exceed the risk limits established in the fleets SSPP. Thus, the increase of the inspection intervals from short to long while balancing operational efficiency and the required high safety standards is possible. Moreover, the conservative nature of the model provides an addition safety margin as the model does not account for the possible installation of a modified part with an increased fatigue life.
Fleet risk comparison with different inspection intervals.
During a wing replacement, an inspection of a former revealed a crack in one of the holes. When conducting this type of analysis, it is crucial to ensure the quality and precision of the input data. This example was created for illustrative purposes to demonstrate the feasibility of using probabilistic methods for risk management in the Swiss fleet.
For this case study, NDI inspection findings were available; however, the inspections POD was not available so a generic POD was used. The extracted crack growth can be seen in Figure 7 left and on the right is the calculated residual strength using classical fracture mechanics:
Crack growth analysis (left) and the residual strength calculation (right).
The aircraft load was extracted from an existing database of flight loads and onto that a stress multiplication factor was applied. The data was then fitted using a Gumbel Extreme Value Distribution in order to obtain a continuous data set. The obtained fit is shown in Figure 8 and is conservative for large loads (the end of the right tail of the distribution allows for higher loads than in real life) and under conservative for medium loads.
Max load per flight fitting - Gumbel [7.4187, 3.53].
The EIFS/EIDS distribution can be extracted from the nine fleet findings (flight hours and crack length were used) and from four Quantitative Fractography (QF) data sets. These extra data sets allow for a more comprehensive model. Figure 9 (left) shows the findings and QF data linearized and traced back to their initial size. The distributions shown in Figure 9 (right) were obtained using a lognormal fit. The final result displayed below was obtained using the combined distribution. By using the EIFS as initial crack size distribution and growing the crack size with the given crack growth model, the time to failure can be calculated.
Example of Crack grown to its initial size (left), EIFS/EIDS Distribution (right).
Using SMART|DT the result shown in Figure 10 was obtained. The red line represents the evolution of the Single Flight Probability of Failure (SPOF) without inspections. The goal was to find a suitable inspection interval with a life limit of 6’000 FH. The red line passes the probability of 10−7 (given acceptable risk level for catastrophic events, as defined by the SSPP) at around 4’400FH at which point the inspections start with an initial exploratory interval of 400FH. The blue line shows the evolution of the probability with inspections. At each inspection interval, a certain percentage of the cracks are found and repaired (the percentage is given by the selected POD). For these findings the crack size is set back to the initial crack size. Due to the repairs, the POF decreases after an inspection interval. As time passes, the inspections become less and less impactful.
SFPOF vs. FH, with inspections.
Given that the cracks grow faster the bigger they are, the interval of 400FH is not enough to keep the risk within an acceptable level. It is therefore recommended to start the inspection sooner in the life of the item or to reduce the inspection interval. The impact on the fleet availability and costs of both options need to be further evaluated within the SSPP. For this case study the aim is to avoid that the probability reaches and unacceptable level of safety (10-5). The probability limits and the color bands are dependent on the Hazard Severity and the Hazard Risk index which are obtained from the Hazard Risk Matrix. These are dependent of the current SSPP in effect.
This paper discusses a tailored workflow for risk evaluation, covering different structural design philosophies—Safe-Life and Damage Tolerance—while considering the available fleet data. The first approach, Safe-Life, relies heavily on statistical modeling, such as a Weibull distribution. It is crucial to distinguish between cases where fleet findings are available and those where data is not. When no data is available, a Weibayes analysis is recommended, whereas in cases with existing findings, a more reliable statistical approach can be applied.
For the Damage Tolerance approach, a statistical method is also recommended, particularly when specific data, such as crack growth rates, is unavailable. The most detailed analysis can be achieved using a probabilistic model. The proposed workflow serves as a guideline for translating these methods into real-world applications and can be tailored to the specific needs of a fleet.
The bell crank and the cracked former hole illustrate two examples of applying this workflow using available data—whether for improving inspection schedules or determining initial and recurring inspection intervals. With the establishment of this workflow and its associated tools, an efficient framework for risk management has been developed, which can be implemented within the SSPP.