
CAP 693


CAA AAD 001-05-99











Means of Compliance

Compliance by Method A

Compliance by Method B


Additional Guidance for compliance by Method A





The Civil Aviation Authority has issued AAD 001-05-99, which became effective on
7 June 1999. The AAD makes the installation and use of health monitoring systems
(HMS) mandatory for United Kingdom registered helicopters issued with a Certificate
of Airworthiness in the Transport Category (Passenger), which have a maximum
approved seating configuration of more than 9 passengers. However, this Directive is
not applicable to helicopters certificated to BCAR 29 or JAR-29.
This CAP provides operators with the basis for an acceptable means of compliance
with the Directive.
Figure 1 shows the operator options and timescales for compliance with this AAD.

[Figure 1: "CAA Health Monitoring" flow chart. Not applicable to: type approvals to BCAR 29 or JAR-29 (design assessment). Applicable to: Certificate of Airworthiness in the Transport Category (Passenger) with seating configuration of more than nine. Decision box: "Is an approved system currently fitted?" Outcome boxes cover complying with procedures and practices, complying by fitting an approved system, and certificating and fitting a new system. Compliance periods shown: 1 year, 2 years, 2 years.]


AAD 001-05-99 when referring to HMS or HUMS means a system utilising on
board equipment for monitoring the health of helicopter rotor and rotor drive system
components. Helicopters affected by this AAD will need to demonstrate an effective
vibration health monitoring capability. Consequently much of this CAP relates
specifically to vibration monitoring systems. However, it is accepted that many
methods of health monitoring, such as transmission magnetic plugs, chip detectors, oil
analysis, will already be adequately controlled by the helicopter constructor's
maintenance instructions. The monitoring techniques to be considered are:
Vibration Monitoring System (VMS) which should monitor:

Engine to main gearbox input drive shafts
Main gearbox shafts, gears and bearings
Accessory gears, shafts and bearings
Tail rotor drive shafts and hanger bearings
Intermediate and tail gearbox gears, shafts and bearings
Oil cooler drive
Main and tail rotor track and balance

Plus existing established techniques:

Physical Displacement (Rotor blade and tracking is a practical
Debris generation via real time analysis in fluid streams (Oil and
exhaust gases)
Magnetic Plugs
Spectrographic Oil Analysis

Absence of any of the above techniques will need to be justified.

It is acknowledged that existing health and vibration monitoring systems are complex,
and that there may be many different methods to monitor a particular failure mode.
For this reason this CAP is not prescriptive with respect to items such as the position
of accelerometers, algorithms and threshold settings. The object of this CAP is to
describe the level of monitoring required and give advice on ensuring that the
monitoring is effective and reliable.

The purpose of this CAP is to provide guidance to industry on what the CAA consider
to be an acceptable means of compliance with the subject AAD.
The AAD has been raised in response to numerous AAIB rotorcraft accident/incident
reports which have highlighted the positive role that vibration monitoring systems
could play in reducing the accident rate in the helicopter community.
The benefits of vibration monitoring in the UK have so far been limited to North Sea
operations of Transport Category (Passenger) helicopters, where the operators have
fitted these systems in recognition of the benefits together with their desire to satisfy
their customers' safety objectives.
The CAA has been proactive in promoting the positive aspects of health monitoring
and has adopted requirements for the certification of large helicopters which include a
rotor and transmission design assessment, in which health monitoring is an acceptable
compensating provision. The decision to mandate the installation and use of health
monitoring systems has been taken in response to the recent AAIB recommendations
relating to incidents and accidents.

In the early 1980s in response to a growing unease with the safety record of large civil
transport helicopters, the Chairman of the CAA requested that the Airworthiness
Requirements Board (ARB) establish a panel to review existing helicopter
airworthiness requirements. This panel, the Helicopter Airworthiness Review Panel
(HARP), reported in 1984 and confirmed that the fatal airworthiness accident rate for
large twin engine helicopters was significantly higher than for comparable aeroplanes.
From their review of failures, HARP recognised that the helicopter is different. So
much of its critical mechanism, the rotors and rotor drive system, involved single load
paths without duplication or redundancy. They identified a fundamental difference
between the helicopter and fixed wing aircraft, the inability to guard against a failure
by duplication.
However, experience showed that although this machinery employed safe life rather
than fail safe design, often defect propagation would occur for a period of time before
failure occurred. This, coupled with the recognition that there had been important
developments in health monitoring system (HMS) technology, encouraged the
members of HARP to recommend the philosophy that where full redundancy has not
been possible by design then warning of likely failure in a suitable time scale could
provide an acceptable level of safety.
The types in today's UK fleet are likely to remain in service for the foreseeable future.
Therefore, all the really significant improvements to the airworthiness codes that the
CAA/JAA has introduced over the past few years are effective for new helicopters,
but are currently of no benefit to the existing fleet. Therefore, there is a need to
improve the airworthiness of the current fleet.

Operational trials of health monitoring systems were carried out between 1987 and
1991 over the North Sea. These trials demonstrated the technical feasibility of first
generation HMS, including vibration monitoring, in what must be considered as a
very testing environment. Today all large UK registered helicopters employed in
North Sea operations have HMS fitted, as a customer requirement, rather than a
mandatory requirement, except for the S61, where a CAA mandatory AAD
necessitates HMS for a specific component.
The CAA has recognised that helicopter rotor and transmission systems are
susceptible to potentially hazardous and catastrophic failure effects, due to the very
nature of their design (single load path) and has for many years realised the benefit of
the installation of HMS as a compensating provision, for new certifications.
The CAA has sponsored, along with the UK government, a comprehensive safety
research programme which culminated in successful operational trials of HMS
equipment on four North Sea oil/gas support helicopters. The Authority has also
managed extensive research programmes exploring the technical feasibility of HMS,
including in-service trials and seeded fault tests.
It is considered that the first generation HMS, which added comprehensive vibration
monitoring to existing health monitoring techniques, has already demonstrated the
ability to identify potentially hazardous and catastrophic failure modes, and has
already reduced fatal accident statistics.
First generation HMS (including vibration monitoring) has been shown to be both
technically feasible and economically justifiable for existing operational helicopters.
The CAA believes that it is technically feasible to extend the benefits from HMS to
helicopters currently in service (helicopters issued with a Certificate of Airworthiness
in the Transport Category (Passenger), which have a maximum approved seating
configuration of more than 9 passengers).
Several HMS systems are available for most types of medium and large helicopter.
The systems employed by operators have generally been designed for retrofit into
existing helicopters. The recent UK CAA requirement for CVFDR systems to be
installed on helicopters above 2730 kg has allowed system designers to incorporate
Health Monitoring Functions along with the mandatory CVFDR functions. This
combining of systems has reduced the overall design, implementation and weight
burden of two separate systems. It follows that many UK operators complying with
CVFDR requirement now operate their helicopters with health monitoring including
vibration monitoring.



Demonstration of Compliance
The following two methods are acceptable for showing compliance with this AAD.
These are:
Method A:

By utilising a health monitoring system which is already approved.

Note: A list of AAN numbers defining currently approved health
monitoring systems for different helicopter types is contained within
the AAD.

Method B:


By obtaining CAA approval for an alternative health monitoring


Continuation of Compliance
Once compliance has been demonstrated the CAA will monitor compliance with this
AAD by continued surveillance visits and direct input where the means of compliance
has been predicated upon CAA involvement. It is anticipated that the degree of direct
(day to day) CAA involvement will be minimal and will take the form of an audit
function based upon satisfactory demonstration of capability. The CAA will therefore
seek a management structure with appropriate safeguards and controls that will ensure
that all changes and decisions are made by appropriately trained and authorised
personnel of the operator. This will include, where applicable, sub-contractors
involved in maintenance of the helicopter as part of the overall quality function.
Compliance with this Directive will affect maintenance activity and therefore will be
audited under JAR-145 procedures.

As detailed in section 1 of this CAP, the CAA AAD applies to helicopters issued with
a Certificate of Airworthiness in the Transport Category (Passenger), which have a
maximum approved seating configuration of more than 9 passengers.
Compliance with Method A utilises HMS which are currently approved by the CAA.
This can be applied to helicopters already fitted with such systems (North Sea
operation) and also helicopters of the same types which are not yet fitted with HMS.
Existing operators with approved systems will need to address all the aspects of this
section; however, this is unlikely to require additional testing or design assessment. It
is considered that such systems / operator combinations have a proven capability with
respect to an acceptable standard of transmission fault detection such that a degree of
credit can be granted for their compliance with this AAD. As such the period for
compliance has been set at 1 year from the effective date of the AAD.

Operators of helicopters not already fitted with a HMS, who elect to comply by
installing an existing CAA approved system will need to demonstrate to the
satisfaction of the Authority that their fitment and use of the system offers an
equivalent level of safety to that currently afforded by existing operators of the
system. Operators may also elect to incorporate, as much as possible, the controls and
procedures available from the vendor in order to facilitate demonstration of
compliance. As such the period for compliance has been set at 2 years from the
effective date of the AAD.
In assessing compliance with this AAD the CAA are seeking procedures and practices
associated with a well managed health monitoring system.
It is anticipated that the procedures and practices highlighted in this section may well
mirror that of some existing operators and therefore the degree of adjustment may be
minimal. In showing compliance the CAA expects existing operators of approved
systems to utilise, as much as possible, their existing procedures and working

Exposition / Handbook - Method A

In order to show compliance with AAD 001-05-99 each affected operator will need to submit
the following information with respect to the HM systems and procedures in place
within their organisation. This may be submitted in the form of a stand alone
document / handbook. Alternatively a cross reference to the relevant company
procedures may be provided. This documentation will need to be accepted by the
CAA during finding of compliance as a record of the operator's methods of satisfying
the CAA AAD.
Below are the subjects which need to be addressed.

6.1.1 Duties and responsibilities of HMS personnel

This section should clearly define those personnel (management and technical) involved
in all aspects of the health monitoring activity, giving a description of each of their
roles and responsibilities. The scope of authority for decisions based on health
monitoring information and data is extremely important and therefore should be
clearly defined and understood. A flow chart detailing the process and personnel
involvement in clearing the helicopter for flight may be useful.

6.1.2 Organisational chart
This should show the position of the personnel detailed in 6.1.1 above, within the


6.1.3 General vibration monitoring process procedures

General procedures covering, as a minimum, frequency, content and method of
downloading data, troubleshooting, maintenance instructions associated with alerts,
correlating alerts with their cause, review in the event of a persistent alarm,
maintenance of HMS, interface with HMS supplier, interface with CAA, review and
control of excessive false alarm rates, data storage etc.
It may also be necessary to define particular helicopter operating conditions that need to
be established prior to acquiring data.

6.1.4 HMS facilities
This section should identify the ground based HMS equipment and its location on site
with respect to flight crew and maintenance personnel accessibility.


6.1.5 Helicopters affected
This should list all the helicopters affected by the AAD detailing the helicopter type,
registration and HUM system configuration. Also the standard of accelerometer
supports, position and type should be controlled.

6.1.6 Procedures for changing HMS equipment, software or maintenance practices

The procedures detailed in the handbook / cross reference list will control HMS related
activity within the company. As this documentation will be accepted by the CAA as
showing the means of compliance with the AAD, any changes affecting the handbook
must also be agreed by the CAA. A procedure for controlling these changes must be
put in place.

6.1.7 Supervision of subcontractors involved in HMS activity

Where any part of the health monitoring process is subcontracted to another
organisation, the operator will be responsible for ensuring that all subcontract activity
is in compliance with the appropriate procedures.


6.1.8 Threshold setting and adjustment

Current HMSs generate indicator values from vibration recordings taken from different
positions on the rotor drive system. These indicators will show different pre-failure
conditions such as gear tooth damage, shaft imbalance, shaft misalignment etc. Each
indicator will have one or more threshold settings which, when exceeded by the
indicator value will alert the maintenance staff to investigate the problem.
All thresholds must be defined whether in the form of absolute signal values, number of
standard deviations above the mean fleet value, or other means. Any change to these
values should be agreed by the HMS system supplier and recorded along with the
reason and justification for the change. All changes will be reviewed periodically by
CAA.
Some indicators may require trend monitoring, such as the AS332 input drive shaft,
resulting from an AD or other source. These trends must also be defined. Again any
change to these values should be agreed by the HMS system supplier and be recorded
along with the reason and justification for change. All changes will be reviewed
periodically by CAA.

Where the constructor is prepared to offer advice regarding the setting of thresholds, this
information should be adopted.
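
The threshold handling described in this section can be sketched as follows. This is an added illustration, not code from the CAP or from any approved HMS: the indicator names, sample values, class names and the least-squares trend definition are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import mean, stdev


@dataclass(frozen=True)
class Threshold:
    """A threshold in one of the two forms named in the text."""
    indicator: str
    kind: str     # "absolute" or "fleet_sigma"
    value: float  # signal value, or number of standard deviations

    def limit(self, fleet_values):
        """Return the indicator value above which an alert is raised."""
        if self.kind == "absolute":
            return self.value
        if self.kind == "fleet_sigma":
            if len(fleet_values) < 2:
                raise ValueError("fleet statistics need at least two values")
            return mean(fleet_values) + self.value * stdev(fleet_values)
        raise ValueError(f"unknown threshold kind: {self.kind!r}")


@dataclass(frozen=True)
class ChangeRecord:
    changed_on: date
    old: Threshold
    new: Threshold
    reason: str
    justification: str


@dataclass
class ThresholdRegister:
    thresholds: dict = field(default_factory=dict)
    history: list = field(default_factory=list)  # kept for periodic review

    def define(self, threshold):
        self.thresholds[threshold.indicator] = threshold

    def change(self, new, reason, justification, supplier_agreed, changed_on):
        """Apply a change only if agreed by the supplier and fully recorded."""
        if new.indicator not in self.thresholds:
            raise KeyError(f"{new.indicator} has no threshold to change")
        if not supplier_agreed:
            raise PermissionError("change not agreed by the HMS supplier")
        if not reason.strip() or not justification.strip():
            raise ValueError("reason and justification must both be recorded")
        old = self.thresholds[new.indicator]
        self.history.append(ChangeRecord(changed_on, old, new, reason, justification))
        self.thresholds[new.indicator] = new

    def alerts(self, readings, fleet):
        """Return the indicators whose value exceeds their threshold."""
        raised = []
        for name, value in readings.items():
            if name not in self.thresholds:
                # All thresholds must be defined: an unlisted indicator is an error.
                raise KeyError(f"no threshold defined for {name}")
            if value > self.thresholds[name].limit(fleet.get(name, [])):
                raised.append(name)
        return sorted(raised)


def rising_trend(samples, min_slope):
    """Assumed trend definition: least-squares slope per acquisition >= min_slope."""
    n = len(samples)
    if n < 3:
        return False  # too few points to call a trend
    x_bar, y_bar = (n - 1) / 2, mean(samples)
    num = sum((i - x_bar) * (y - y_bar) for i, y in enumerate(samples))
    den = sum((i - x_bar) ** 2 for i in range(n))
    return num / den >= min_slope


# Constructed sample data (not from any real helicopter or HMS).
FLEET = {"gear_tooth_indicator": [1.0, 1.2, 0.9, 1.1, 1.0]}
READINGS = {"gear_tooth_indicator": 1.5, "shaft_imbalance": 0.5}


def build_register():
    reg = ThresholdRegister()
    reg.define(Threshold("gear_tooth_indicator", "fleet_sigma", 3.0))
    reg.define(Threshold("shaft_imbalance", "absolute", 0.8))
    return reg


if __name__ == "__main__":
    reg = build_register()
    print("alerts:", reg.alerts(READINGS, FLEET))
    reg.change(Threshold("gear_tooth_indicator", "fleet_sigma", 5.0),
               reason="constructed example", justification="constructed example",
               supplier_agreed=True, changed_on=date(2000, 1, 1))  # constructed date
    print("alerts after change:", reg.alerts(READINGS, FLEET))
    print("rising trend:", rising_trend([0.30, 0.32, 0.35, 0.39, 0.44], 0.02))
```

The register refuses any change that lacks supplier agreement or a recorded reason and justification, and its `history` list is the record a periodic review would read.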

6.1.9 Minimum Equipment List

The maximum allowable unserviceable period of any items of HMS equipment will
need to be agreed with the Authority and defined in the Minimum Equipment List.
The factors to be considered in establishing acceptable periods for HMS equipment
unserviceability will be:

Propagation rate of the failure mode being monitored
Other means of monitoring the same failure mode
Service history of similar failures on the helicopter type
Any mitigating actions, such as checking previous HMS data to establish the
indicator level and look for rising trends

The Master Minimum Equipment List for each affected type will be amended
6.1.10 Training
Training must cover all personnel involved in HMS activity to ensure that the
competencies necessary to ensure effective use of the systems can be achieved and
maintained. CAA will periodically review training records, initially in order to accept
compliance with the AAD and later during routine operation and maintenance
approval audits.
6.1.11 Event Reporting
Any cases of successful VHM alerts, or defective components found where VHM failed
to alert, should be notified to CAA. This will continue until system reliability has been
confirmed and will not replace the need to submit an MOR where this is applicable.
6.1.12 Quality System

Describe links with company quality system

Audit plan
Remedial action
Audit training

More detailed guidance on some of the above subjects can be found in Appendix A.

In demonstrating compliance using this method the applicant will also need to address
the requirements of method A, (i.e. paragraphs 6.1.1 to 6.1.12 above and the guidance
material of Appendix A). It is considered that normal means of compliance with this
CAA AAD will be method A as it presents less of a cost burden to the operator. This
section does not therefore repeat the method A requirement details.

Compliance by method A is predicated upon existing CAA approved health and
vibration monitoring systems. These systems have already been assessed with respect
to failure modes, which in most cases were assessed without the input of the
constructors. The analysis of these failure modes and the positioning of sensors was
however part of an extensive study over many years involving the CAA and the
equipment providers. The algorithms and thresholds were established on the basis of
analysis, component testing and a period of helicopter validation testing.
In complying with method B the operator would be expected to base their application
on the current JAA requirements which cover the aspects of health monitoring. The
applicable requirements and their relevant advisory material can be found in:
JAR 29.547(b) Main And Tail Rotor Structure;
JAR 29.917(b) Rotor Drive System; and
JAR 29.1309 Equipment, systems and installations.
The above requirements necessitate that a design assessment including top down as
well as bottom up (FMECA) techniques be carried out in order to determine all the
rotor and rotor drive system components for which functional failure would prevent
continued safe flight or safe landing of the helicopter. Once these components are
identified any health monitoring provisions which are considered to be both
technically feasible and economically justified must be identified and used to form a
health monitoring specification.
The helicopter health monitoring system must then be designed, manufactured and
demonstrated against this specification. Currently draft JAR / FAR advisory material
is contained in NPA 29-18 which details the considerations necessary in order to
claim safety credit for a health monitoring system.
The CAA accepts that this task will be more difficult without the input of the
constructor. Where this input cannot be obtained the CAA will take this into
consideration in the demonstration of absolute proof against certain failure modes.
It should be made clear that the purpose of the design assessment is to establish the
failure modes, for which the likelihood of occurrence must be minimised. The CAA
consider that, for conventional design helicopters (i.e. those which rely heavily upon
single load path critical parts), in order to achieve the minimise objective above,
vibration monitoring would be necessary.
Approval of a new system design, as required for compliance by Method B, will
require detailed discussion with the CAA in order to establish a satisfactory
methodology for performing the design assessment, agree the basis of approval of the
system hardware and software and demonstrate monitoring technique performance.



Management procedures within the organization should be established to include ground
station hardware and software support procedures, backup, archiving and retrieval of data. At
bases where operators fly large numbers of helicopters, expanded ground station capability
may be required to allow more than one user to access health and vibration monitoring data at
any one time.

Training - Initial and Continuing

With the introduction of health and vibration monitoring the appropriate staffing levels and
skills are necessary. Some of these skills such as aircraft system maintenance can be handled
by existing staff with additional training. However, organizations unfamiliar with advanced
health and vibration monitoring techniques or large computer based systems may require the
employment of appropriate personnel.
Experience with health and vibration monitoring to date has indicated that training is needed
to make full use of the system. This can range from basics such as computer familiarity and
keyboard skills to detailed training in the vibration algorithms and their significance. Such
training is necessary as an ongoing task to maintain skills, implement improvements in the
use of existing health and vibration monitoring capabilities, or implement added capabilities.
By improving the ability of the system to analyse the data acquired and improving the interface
with the system, the operator can reduce the training required to use the monitoring system.
Integration of the monitoring system and its outputs with the maintenance and logistic support
systems will also require training of the personnel involved to make full use of such
The introduction of health and vibration monitoring to an operator's fleet will demand new
skills of that operator, in particular from the maintenance personnel who in most operations
will be the principal interface point. These new skills should be identified and appropriate
training carried out. In some organizations a cell of specialists is already in existence for
condition and vibration monitoring.
The helicopter constructor (if possible) and equipment supplier should work with the intended
user to carry out a study of the available manpower and the abilities present in the personnel
who will be tasked with carrying out health and vibration monitoring functions in the
organization, with a view to identifying areas where additional training is likely to be
required. Assessment of this training and the availability of a training plan and records will
form part of the CAA's assessment for compliance with this AAD.


Computer Skills Training

Both existing and intended potential health and vibration monitoring users have reported that
personal computer (PC) operation is an area where basic skills are likely to be lacking. In
many cases this may be the first use of computers as such by flight line personnel. While
stores stock and technical records computers have been in use in this environment for some
time, the interfaces tend to be simpler and less intimidating to non-computer people.
Many experienced line technicians have limited PC skills. Conversely skilled PC users tend
to have less hands-on helicopter experience. Condition monitoring specialists may already
have useful PC and data analysis/handling skills which will be a sound basis for advanced
training. Any computer skills training may well need to be structured at two levels: basic,
covering routine operations needed to transfer and assess data at line level, and advanced,
covering additional tasks such as software and operating system installation, text editor usage,
disk management, and communications/networking operations. Operators without previous
experience in house may need to bring in specialist advice in these areas.
One operator has reported that computer training specifically avoiding use of jargon has been
effective in gaining acceptance of HMS and PCs as an engineering tool rather than a
specialist function. Another operator has assisted staff in the purchase of PCs for home use.
The resultant increase in computer literacy and awareness was considered to be a good
training investment. Targeting and winning over engineers is seen as essential in successful
health and vibration monitoring implementation.
Data Interpretation Training
Health and vibration monitoring data may require interpretation by the operator, as systems
currently available tend to present much processed gearbox data in the form of esoteric defect
indicators derived from gear vibration. The principles behind the indicator extraction and the
significance of the indicators themselves will have to be taught to line operators who may be
required to make go / no-go decisions on the basis of data produced by a system where there
is an element of manual interpretation. The depth of training should obviously reflect the
extent of exposure and decisions expected of the individual.
Case studies will be required to assist training in diagnostics and prognostics. Threshold
setting is a potentially controversial area. If the intention is to devolve authority to change
thresholds, thorough training in data interpretation and the principles applied to establishing
thresholds must be provided. This process and the associated controls will form part of the
AAD compliance documentation submitted.
Awareness Training
Higher levels of engineering management, commercial departments, and pilots should have
an understanding of how health and vibration monitoring operates and how the organisation
uses it. While these people may not be exposed regularly or be required to carry out data
interpretation they should have a basic knowledge of the system functions, capabilities and
limitations. They should also be informed of any administrative or organizational changes
which may be required for its use.


The operator will have to arrange maintenance training classes for his personnel in the use
and intended applications. The training will prepare the operator's personnel to perform 1st
(field), and 2nd (routine) level maintenance to the level of scheduled and unscheduled
maintenance based on HMS advisory messages.
Training classes will have to cover the use of health and vibration monitoring data to schedule
inspection, cleaning, replacement/repair, and for performing adjustments, operational checks,
and troubleshooting of the system and monitored components.
Two different philosophies have been reported regarding the approach to training. One is to
instigate a formal classroom based course lasting several days, while the other is to carry out a
series of less formal one day teach-ins, on a one-to-one basis.
The classroom based training offers the potential of training to a deeper level of knowledge
but can be lacking in practical content unless very carefully structured. This approach may not
suit an operator who chooses to introduce system functions gradually, as training may well be
forgotten before the opportunity to apply it is available. One day teach-ins have the advantage
that training content will always be up to date and can be readily re-structured. If presented
one-on-one, this training will also be able to focus on an individual's particular needs. This
could, however, become a burden as it may not make the most efficient use of an instructors
External courses run by equipment suppliers have been used by most system operators.
Where the operator is not the equipment supplier, this has so far been the approach to training
in data interpretation by the operator. Equipment suppliers' courses have been reported, in
general, as being too deep and too expensive for large numbers of line personnel. The
approach has generally been to send monitoring specialists and supervisors on such courses
and use them to train line personnel in house.


Most operators using existing health and vibration monitoring, to date, have had a significant
input into the installation design and in many cases have performed the installations in house.
This experience has been invaluable in terms of building knowledge of the system and
evolving fault diagnostic procedures.
There may well be new or unfamiliar hardware in the HMS installation, e.g. the
accelerometers, microdot connectors, and miniature co-axial cables used in the early
production systems. These items require specialist handling and termination techniques which
must be incorporated into initial technician training. Sensors themselves also present some
new considerations with respect to testing and trouble shooting.
From the helicopter operator's point of view current HMS are complex systems. They
interface with many other helicopter systems and are not self-contained in the way many other
avionic systems such as Flight Management System (FMS) or Electronic Flight
Instrumentation System (EFIS) can be. Successful trouble shooting may require a knowledge
of the architecture of the system and software processes in use.
Suggested topics for a users course are:

(i) Cockpit Voice / Flight Data Recorder (CVFDR) system, associated components,
Built In Test Equipment (BITE) indications, mandatory parameters, and data
acquisition. Legal implications of data use (pilot confidentiality, etc), defect
investigation, and rectification.

(ii) Health and vibration monitoring sensors, interface/relationship to CVFDR,
displays, and BITE indications. Gearbox / transmission monitoring principles
and responses to indications. System troubleshooting and rectification.

(iii) Rotor monitoring, diagnostics, and adjustments.

(iv) Transmission trend and vibration monitoring.

(v) Data transfer operations, ground station use including navigation through
displays, and airborne system configuration if applicable.

Personnel attending such courses will require background experience and knowledge of
helicopter maintenance. There is some overlap of trade boundaries in the course requirements
which will have to be considered and addressed by the course provider with respect to
licensing and approval regulations applicable to individuals.
Continuation Training
HMS, although not new, is still a dynamic technology and as a consequence is changing
rapidly. Continuation training is necessary as changes are implemented. Operators and
equipment suppliers should hold regular reviews on the subject of such changes and revise
training programmes to incorporate the effects of significant changes.
Threshold Changes
The refinement of the HMS limits will be an ongoing process accompanying the validation
effort. Refining the limits requires an understanding of the relationship between the values of
the various parameters or algorithms and the increase in the severity of the fault detected. In
some cases some improvement in limits can be fairly easily made. Several instances of
removal of a component for an indicated fault, followed by inspection of the component
which shows either no fault or a level of damage insufficient to warrant removal of the
component from service, would serve to indicate that some increase in the corresponding
limit can be made. In general, however, one needs to have a history for the particular
component to develop the relationship between the severity of the fault and the health and
vibration monitoring indication or indications. In the cases of the existing approved systems
this was developed for gearboxes by several research programmes sponsored by the CAA.
The procedures and controls for these limits and any proposed changes will need to be agreed
with the CAA and should be based upon past experience coupled with sound engineering

Correlation of HMS data

Correlation of health and vibration monitoring data with component tear down reports is an
important part of the process of validating the vibration algorithms and limits. This requires
co-operation between the operator and the constructor (where possible, or equipment
providers) or any other organization that overhauls / inspects the gearboxes or other
The operator needs to obtain as much information as possible to relate the severity of the
component damage to the health and vibration monitoring indications. This knowledge will
permit better setting of criteria for defining fault indication levels which require action.
Agreements between the operators and the constructors (where possible, or equipment
providers) may be negotiated where information beyond that usually provided to the operator
is requested.
Flight Data Recorders
Operators who use Flight Data Recorder sensors to gather parameters for HMS analysis are
required to ensure that the data gathering systems related to those parameters are always
Many operators who have begun to work towards JAR-OPS compliance will be aware of the
5% rule in JAR-OPS which states that operators are allowed to have up to 5% of the
parameters they are required to record inoperative before a data recorder is declared
unserviceable. HMS operators should note that the 5% will not apply to any HMS parameters.
The operability of all such parameters is mandatory unless agreed with the CAA under
MMEL provision.
Laptop Computers
Careful attention should be given to any commercially available laptop computer which may
be required to be connected to the airborne health and vibration monitoring system and
operated when the helicopter is flying. Unlike avionics equipment these laptops are not
subject to the same rigorous Electro-Magnetic Interference (EMI) tests and there have been
cases of laptops interfering with helicopter systems whilst in use.
System and Data Considerations

Who Is Going To Use The System?

There are two aspects to this, firstly, which departments should have access to the system and,
secondly, what level of expertise do they have in using the system?
The question of who should have access to the system is very important, especially if the
outputs of the system are important to the analysis processes. Systems whose output is
important have to be sufficiently protected to prevent data corruption or loss. This implies
that the only people who should have access to it are those who are going to be doing or
analysing the processing related to that system. Even if the possibility of malicious sabotage
is discounted, if other departments such as sales or even other engineering departments, are
allowed to have access to the system (even indirectly via a network) there is the possibility
that system data could be accidentally lost or corrupted. There are other aspects to protecting
health and vibration monitoring analysis systems from accidental or deliberate damage and
these are discussed later in this CAP.
The level of expertise of the intended users is just as important as the restricted use of the
system. Health and vibration monitoring analysis is detailed and complex and if the analysis
team is presented with a tool they are unfamiliar with, their job can only become harder.
If a completely new system is being selected the associated training needs of the staff must be
considered and provided before the tool is put into use, particularly if there is any level of
importance associated with its output.
Equally, if a modification is being made to the system, the effect on how the system is used
must be carefully considered. Human factors research indicates that, when a system is
modified in such a way that it appears to be largely unchanged, errors start to occur because
system operators incorrectly assume that it will perform in exactly the same way as the
previous version. This misjudgement can, and does, lead to serious errors. If the system in
question is calculating or analysing something that has an airworthiness impact on the
helicopter, this should be carefully considered.

How Can Data Be Protected?

Several steps can be taken to protect data from corruption or loss and some of these, such as
careful scrutiny of the gathering, storage and transfer systems have already been discussed but
there are other steps that can be taken.
Firstly, once the required function of a system has been determined, all software other than
that needed for the required functionality should be removed from the machine it is running
on. This will ensure that there is no way any other software programs can accidentally corrupt
it. The system should also be isolated wherever possible, i.e. not connected to networks,
adjacent systems or the internet as this will help to protect it from misuse and viruses. It will
also help to protect it from the accidental corruption that can occur when interlinked networks
A set of procedures related to the access and use of the system and its related data should also
be created to prevent accidental misuse. These procedures should also cover any applicable
security aspects of data protection such as the application of disk drive and store room locks
and a list of who has keys to them. The procedures should be reviewed on a regular basis to
ensure their continued applicability.
Finally a set of verification and validation procedures should be put in place to ensure that
any accidental or deliberate corruption of data can be spotted in time to compensate for it.
These procedures should also deal with the issue of what to do if corrupted data is found and
how and if it can be of continued use. Some systems that monitor component usage deal with
corrupted data by taking a deliberately pessimistic view of the analysed flight and assigning
figures that represent severe use and wear for that flight; this is one possible way to deal with
corrupted or missing data.
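As an added illustration (not part of CAP 693 and not any HMS supplier's code), the Python below shows one way to implement the verification step and the pessimistic fallback described above: each downloaded flight record carries an HMAC-SHA256 tag, and any flight whose record is missing, altered or implausible is charged at a severe-usage rate and listed for follow-up. The key, the rate, the record fields and the cross-check against an independently kept tech log are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed values for illustration; none of them come from CAP 693.
KEY = b"constructed-demo-key"   # assumption: held only by the analysis team
SEVERE_RATE = 10.0              # assumption: worst-case usage units per flight hour


def _canonical(record):
    """Serialise a record deterministically so the tag is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=KEY):
    """Attach an HMAC-SHA256 tag when the record is downloaded from the aircraft."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed, key=KEY):
    """Return True only if the stored record still matches the tag made at sealing."""
    if not isinstance(sealed, dict) or not isinstance(sealed.get("record"), dict):
        return False
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), str(sealed.get("tag", "")).encode())


def accumulate_usage(tech_log, store, key=KEY):
    """Total usage for every flight in the tech log, pessimistic where data is bad.

    tech_log: {flight_id: hours}, kept independently of the HMS data.
    store:    {flight_id: sealed record} as held on the ground station.
    Returns (total_usage, flight_ids_charged_at_the_severe_rate).
    """
    total, quarantined = 0.0, []
    for flight_id, hours in sorted(tech_log.items()):
        sealed = store.get(flight_id)
        ceiling = SEVERE_RATE * hours
        usage = None
        # The record must verify and must belong to this flight (no copied records).
        if verify(sealed, key) and sealed["record"].get("flight") == flight_id:
            usage = sealed["record"].get("usage")
        if isinstance(usage, (int, float)) and 0 <= usage <= ceiling:
            total += usage
        else:
            total += ceiling          # deliberately pessimistic figure
            quarantined.append(flight_id)
    return total, quarantined
```

Driving the loop from the tech log rather than from the stored files is what lets a deleted record be noticed at all; the quarantine list is the input to the "what to do if corrupted data is found" procedure.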
