When Instructions for Continued Airworthiness have a Detrimental Effect on Reliability

It started with a highly valued customer approaching us with a request for QCM Design’s  certification services. During subsequent investigations, we found, as part of our transition to the Design Management System (DMS) in accordance with Part 21 (21.A.239), a potential design deficiency that had an impact on the continuity of function of the associated Category II (CAT II) system installed in the Citation XLS+.

The company published a reference to the Instructions for Continued Airworthiness (ICA) supplements ICA-560XL-34-000005, named Category II (CAT II) Landing Operation in the Aircraft Maintenance Manual (AMM). The inclusion of applicable references is mandatory for each individually approved operator’s maintenance programme.

How Current Regulations Came to Be

In this case, the referenced ICA supplement requires the operator of the aircraft to remove the installed Line Replaceable Units (LRUs) associated with CAT II landing and send it for bench testing to an authorized shop. This practice has been around since the “early days”, when CAT II and CAT III operations began. Back then, a printed circuit board (PCB) looked completely different to what it does today. The oscillators, required for receiving and decoding the signal, were built of adjustable coils and capacitors. Adjustments were done through tiny screws without (very) reliable locking mechanisms. In most cases, the screws were painted after adjustment, in others, there was a counter-nut/screw (bearing some other issues).

Now, assuming you are flying an aircraft in Category III (CAT III) conditions with minimal visibility, and you must rely entirely on the accuracy of the Instrument Landing System (ILS), you would want certainty that the instruments are accurate and that you touch down on the runway – not half a meter to the right or to the left of it! You also want to be sure that the height above ground at Decision Height is accurate – and that you still have more than enough time to decide to either land the aircraft or initiate a go-around. Needless to say, the equipment used during this phase of flight must be accurate, and therefore needs to be checked regularly.

Aircraft maintenance hangars from the 1970s until the early 2000s looked quite different than they do today. Most of them had numerous workshops as part of the maintenance facilities in direct vicinity – very often in the same building complex. Most of them also had a shop full of “nerds” (like me) playing around with electronics and gadgets – the “Avionics Workshop” full of fancy and very expensive equipment. When the yearly inspection of the CAT II/CAT III equipment became due, a professionally trained mechanic removed the “black box” from the aircraft and brought it to the Avionics Workshop for testing and adjustment. Back in those days, you did not need to connect your wrist to the aircraft ground, because there were no Electrostatic Sensitive Devices (ESD).

Avionics over time

And today? If we look at the system design of a PCB, you’ll find hardly any “mechanically adjustable components” – even trim-potentiometers, used for adjustment, tuning and calibration in circuits, are almost gone. The components are produced to a high accuracy which results in adjustments, in most cases, no longer being required. The design also accounts for temperature variation, and, if adjustment is necessary, then it is done through electronic means. Built-In Test Equipment (BITE) was not as common in the early days as it is now; If you had BITE back then, then it checked if the equipment was operational in principle, but the signals used were not as accurate back then as they are today.

Another item we should consider is that the most critical failures to occur are the dormant failures: failures that cannot be detected when they occur. If the flight crew is able to identify that the CAT II or CAT III system is not reliable enough, then they will not continue to fly the approach, will they? The issue with dormant failures is that the longer the system is exposed to the risk, the higher the chances are that such a failure occurs. A very common way to “reset” such a condition is to complete regular tests also addressing the “dormant” part of the system. With the “legacy” equipment and in the “legacy maintenance environment”, it was more than logic and best practice to regularly bench-check the equipment – it was a matter of life and death.

But is this still true today? What has changed since then?

Weighing the Costs and Benefits of Regulations

The systems we use now are significantly more reliable when it comes to accuracy. The integrated system design also includes checking functions, and the built-in tests are more accurate than they were in the past; dormant failures are less likely to be present.

This begs the question: What is the benefit and what is the trade-off when removing the equipment from the aircraft and sending it back for shop testing? Each removal and installation event bears some additional risks. The connectors will experience mechanical wear; the electronic components are vulnerable to ESD damage, and such damage may cause subsequent failure, some of which may be dormant. Although everyone in aviation is very well trained, and the shipment of LRUs is well defined, there is still a certain risk that the equipment is mechanically damaged. As you know, the absence of an occurrence is not the absence of risk!

I am not reviewing the complete turnaround cycle for the equipment shipped to the shop, which might be, due to efficiency, located on a different continent. We should keep in mind that with the changed infrastructure of the maintenance hangars today, it is simply not feasible to keep Avionic Shops alive in large numbers, which means that in most cases, the LRUs must be shipped over large distances for routine maintenance. However, the resulting shop reports often show that no action is required to adjust (or even repair) the LRUs.

More and more often the question arises, “why should we send such equipment for bench testing?”. But in the FAA rules you’ll still find the requirement for bench checking.

The wording is very, very similar to the wording of FAA AC 91.16, issued in 1967 and subsequently cancelled in 2015 by means of an FAA memorandum. However, the OPS rules also include the possibility to abstain from bench checking once it is identified that this is not required.

Taking Costs into Consideration

Finally, and this is where the DMS comes into place, we also had a look at other risks and reviewed this topic from a perspective other than technical aspects. For example, what are the costs of the bench check compared to the benefits?

Why did we consider this, you ask? If the system fails, the aircraft might be lost in the most critical and catastrophic condition.

There are two points of views: one is to use the money “saved” by not bench checking to ensure sufficient resources for the operation of the aircraft, as well as for “unplanned” events (damages etc.); the other one is from our OPS colleagues identifying the “unacceptable cost” in case of an occurrence. Is the risk of inducing a failure due to the removal, installation, and shipping of the component worse than the performance of the bench check?

Our Approach

For us, the answer was to maintain the regular testing of the equipment, but “on wing” and using adequate and accurate ground test equipment.

The instructions verify the complete system as it is installed in the aircraft and covers antennae and EWIS components as well. The tests used today are accurate enough to come to meaningful results and interpretations of the system health status. Some of the tests were already part of the aircraft design, others needed the Instructions for Continued Airworthiness (ICA) to be amended.

Because the ICA are part of the aircraft design, and based on the fact that a failure of the affected system might have at least a “hazardous” impact, this change was classified as “Major” and an application for a Supplemental Type Certificate (STC) at EASA was made, which was then approved in winter last year. While this was not the only possible solution for this issue, for a Design Organization like QCM Design, it was the most complete one.

Written by Syrus Lou, April 2024

Our Part-21J design organization, QCM Design, has extensive experience certifying this change – if you’d like a quote to replace your fire extinguishers (or to have any other design changes certified), please reach out to our team at design@part-21.ch.


QCM Design is an EASA Approved Part-21 DOA with over 10 years’ experience helping clients to achieve their creative and technical design goals, while ensuring that the highest safety regulations and industrial quality standards for their aircraft are met.

As well as assisting with the certification of minor and major changes to airplanes and helicopters, we offer tailor-made solutions for any desired design concept, including the installation of new avionics or electronics systems, cabin interiors, galleys, or various other equipment installations.

For more information about how we can assist you with any design changes, contact us at design@part-21.ch or visit https://www.qcm.ch/doa/