Department of Transport and Regional Development

Bureau of Air Safety Investigation

Human factors in airline maintenance:

A study of incident reports

Released by the Secretary of the Department of Transport and Regional Development

under the provisions of Section 19CU of part 2A of the Air Navigation Act (1920).
 When the Bureau makes recommendations as a result of its
investigations or research, safety, (in accordance with its
charter), is its primary consideration. However, the Bureau
fully recognises that the implementation of recommendations
arising from its investigations will in some cases incur a cost
to the industry.
Readers should note that the information in BASI reports is
provided to promote aviation safety: in no case is it intended
to imply blame or liability.

ISBN 0 642 25639 X June 1997

This report was produced by the Bureau of Air Safety Investigation (BASI), PO Box 967, Civic Square ACT 2608.
Readers are advised that the Bureau investigates for the sole purpose of enhancing aviation safety. Consequently,
Bureau reports are confined to matters of safety significance and may be misleading if used for any other purpose.
As BASI believes that safety information is of greatest value if it is passed on for the use of others, readers are
encouraged to copy or reprint for further distribution, acknowledging BASI as the source.
Contents
Page
Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Aims . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Analysis of incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Safety actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Appendixes
1. Maintenance incidents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2. Human factors in maintenance coding sheet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3. Reliability of coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4. Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
5. Maintenance incident events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

iii
 Abbreviations
AME Aircraft Maintenance Engineer
ATA Air Transport Association
CAA Civil Aviation Authority
CFIT Controlled Flight Into Terrain
CRM Crew Resource Management
ETOPS Extended Range Twin-engine Operations
FAA Federal Aviation Administration
ICAO International Civil Aviation Organisation
LAME Licensed Aircraft Maintenance Engineer
MEDA Maintenance Error Decision Aid
OH&S Occupational Health and Safety
SHEL Software Hardware Environment Liveware
TCAS Traffic Alert and Collision Avoidance System

iv
Summary
Maintenance incidents contribute to a significant proportion of worldwide commercial jet
accidents, yet until recently, little was known of the nature of maintenance incidents and the
factors which promote them.
In face-to-face interviews, maintenance technicians were asked to report examples of maintenance
incidents which they had experienced first-hand. Eighty-six incident reports were recorded.
Human factors were involved in most of the reported incidents, with workers on duty between
the hours of 0200 and 0400 having a greater chance of having an incident than workers on duty
at other times of the 24-hour clock. The frequency of incidents increased as the shift progressed
up to the second-last hour, after which the frequency of incidents diminished.
For those incidents which had the potential to affect the airworthiness of an aircraft, difficulties
with procedures emerged as the most significant factor. This included misunderstandings and
ignorance of procedures.
For those incidents which had the potential to affect the health and safety of workers, difficulties
with tools and equipment emerged as the most frequent factor.
The majority of the human errors involved in incidents were rule-based mistakes, many relat-
ed to mistaken assumptions. Absent-minded slips and lapses were involved in approximately
one-third of the incidents.
The final section of the report contains suggested safety actions, intended firstly to reduce the
frequency of human error and maintenance incidents and secondly, to reduce the conse-
quences of any such errors which do occur.

v
Introduction

The cost of maintenance failures

Air safety statistics have tended to understate the significance of maintenance as a contributing
factor in accidents. Figures for the worldwide commercial jet transport industry for example,
show maintenance as the ‘primary cause factor’ in only 5.9% of hull loss accidents, compared
with flight crew actions implicated as a ‘primary cause factor’ in greater than 70% of accidents
(Boeing 1996). Yet when safety issues are presented alongside the fatalities which have resulted
from them on worldwide airline operations for the period 1982–1991, maintenance and
inspection emerges as the no. 2 safety issue after controlled flight into terrain (Russell 1994)
(see Figure 1).

Figure 1 Safety issues versus onboard fatalities: worldwide jet fleet 1982–1991

Safety issue
Controlled flight into terrain (CFIT) 2169
Maintenance and inspection 1481
Loss of control 1387
Air Traffic Control 1000
Approach and landing without CFIT 910
Post-crash smoke or fire 644
In-flight smoke/fire 610
Ground de-icing/anti-icing 384
Windshear 381
Uncontained engine failure 199
Out of configuration takeoff 188
Airport ground operations 136
0 500 1000 1500 2000 2500
Onboard fatalities
Source: Boeing

Maintenance incidents are not merely costly in terms of life and property, but can also impose
significant costs when flights are delayed or cancelled. In 1989 maintenance constituted 11.8%
of US airline operating costs or more than US$8 billion per year (Shepherd 1992). The annual
cost to the Australian airline industry is likely to be in the order of several hundred million dol-
lars per year. Gregory (cited in Marx & Graeber 1994), estimated that each delayed aircraft costs
an airline on average US$10,000 per hour, while each flight cancellation can be expected to cost
approximately US$50,000. When these costs are considered, it is apparent that airlines stand to
gain significant benefits by even a small reduction in the frequency of maintenance-induced
delays, particularly those which occur closest to scheduled departure times, during line main-
tenance or when an aircraft is being prepared for departure.

Existing data on maintenance failures

Despite the importance of maintenance quality, there is a lack of empirical research on the
nature of maintenance incidents and the human factors which contribute to them. The UK
CAA produced a list (Civil Aviation Authority (UK) 1992) of the most frequent maintenance
incidents in aircraft over 5,700 kg. Most of these incidents did not lead to accidents. The top
eight problems were as follows:
1. incorrect installation of components;
2. the fitting of wrong parts;
3. electrical wiring discrepancies (including cross-connections);
4. loose objects (e.g. tools) left in the aircraft;
1
 5. inadequate lubrication;
6. cowlings, access panels and fairings not secured;
7. fuel/oil caps and refuel panels not secured; and
8. landing gear ground lock pins not removed before departure.
In 1993, Boeing researchers analysed 122 maintenance occurrences involving human factors
and concluded that the main categories of maintenance ‘error’ were:
1. omissions (56%);
2. incorrect installations (30%);
3. wrong parts (8%); and
4. other (6%) (International Civil Aviation Organisation 1995).
In recent years, human factors issues in maintenance have begun to be examined by human
factors researchers. Much of the recent research has been sponsored by the US Federal Aviation
Administration (FAA) Office of Aviation Medicine. Research has been directed at a wide vari-
ety of issues including the organisational structure of maintenance organisations (Taylor
1990), visual inspection issues (Drury & Gramopadhye 1990; Latorella & Drury 1992),
advanced technology as an aid to maintenance training (Johnson 1990), employment of
women and minorities in military aviation maintenance (Eitelberg 1991), illumination in
maintenance workplaces (Reynolds and others 1992), the design of work control cards (Patel,
Prabhu & Drury 1992), future availability of aircraft maintenance personnel (Shepherd &
Parker 1991), and the introduction of crew resource management to maintenance training
(Taggart 1990; Stelly & Taylor 1992)
While the research outlined above has undoubtedly contributed to airline safety, to date,
researchers have focused on highly specific maintenance issues and there has been few broad
examinations of aircraft maintenance incidents.
Such an examination could be achieved by examining the errors which occur when airline air-
craft are being maintained. In essence, there is a need for a system to categorise and describe
maintenance errors. The information obtained would be central to the design of system
improvements.

Human error
Most accidents to complex industrial systems such as powerplants or transport systems feature
some involvement of human error. The terms ‘error’ and ‘human error’ are widely used in the
safety field and do not imply that operators are blamed for workplace incidents. Nevertheless,
concluding that human error was involved in an accident or incident does not generally help
to prevent such occurrences from happening again. In order to more fully understand why the
event occurred, it is necessary to describe in some detail the type of error the person made, and
if possible, to identify some of the reasons or factors which led to the error. Different types of
errors may require different preventative strategies.
One of the most basic description systems for human error is to categorise errors as those of
omission, commission or substitution, based on the work of Swain (Miller & Swain 1987). An
error of omission occurs when a person fails to perform a step in a task which should have been
performed; an error of commission occurs when a person performs an action which should not
have been performed. A related type of error is substitution, where an undesired action is per-
formed in place of the desired action. A fourth category of mis-timed actions can also be
included. This simple system of describing errors has the advantage of being relatively straight-
forward, but unfortunately does not describe the error in detail and does not give much insight
into why the person made the error.
A more detailed system of describing errors which gives insight into why the person made the
error was developed by Rasmussen, partly as a result of his examination of the errors of nuclear
powerplant operators. Rasmussen proposed that performance can be categorised according to
the level of cognitive control which the person is expending on the task at the time of the error.

2
His skill-rule-knowledge framework (1983) has become a widely accepted model of human
error. Using this framework, the activities of a maintenance engineer can be divided into three
types of actions: knowledge-based behaviour, rule-based behaviour and skill-based behaviour.

1. Skill-based behaviour
Skill-based behaviour is unconscious, rapid, does not seem to take conscious mental effort and
most importantly, is automatic. Many skilled routine actions such as opening and closing pan-
els can be performed automatically. Skilled workers possess an extensive repertoire of skill rou-
tines which can be initiated consciously and then left to run their course. Any maintenance task
which is performed frequently is likely to involve skill routines. One of the most common skill
errors is ‘environmental capture’ or habit intrusion. This occurs when a well learnt routine
action is performed in familiar surroundings, despite an original intention to perform anoth-
er action. A person who is distracted may carry out a well learnt action without modifying it
to new or unusual circumstances. A frequent error of this type is filling in a cheque in January
and writing in the previous year.
Another common skill error is the ‘omission following an interruption’. If a well-practised rou-
tine is interrupted, it may never be completed, or may be picked up again at the wrong stage.
One of the most dangerous manifestations of this in aviation is the interrupted checklist.
Omissions following interruption have particular relevance to aircraft maintenance.
Skill-based performance calls on very little mental effort and generally results in few errors. The
automatic nature of skill frees workers to think about other things, but the cost of this is that
they are less likely to monitor what they are doing. As a result, absent minded slips and lapses
are a particular risk. It is very difficult to modify an automatic skill once it has been learnt.
However, this is not to say that checks cannot be built into work performance.
A further difficulty with skill-based performance is that skilled operators are generally unaware
of the automatic procedures they are following and may be unable to explain to another per-
son how the task is performed.

2. Rule-based behaviour
People use rules or plans constantly in everyday life, without necessarily being aware of them.
These rules are often procedures which have been learnt through trial and error and are then
applied to situations as an aid to decision making in an ‘if...then...’ manner, for example, ‘If the
dipstick indicates that the engine oil is low, then top up the oil’. Although it is often a conscious
process, it does not require the person to go back to first principles in the way that knowledge-
based behaviour does. Aircraft mechanics constantly apply rules or expertise which enable
them to deal effectively with familiar or common situations. Many of these rules are formally
laid-down procedures; however, just as important are the unwritten work practices which are
applied to particular situations. Rule-based errors may occur when a person applies an inade-
quate rule to a situation or misapplies a good rule.

3. Knowledge-based behaviour
Knowledge-based behaviour is required when there is no pre-packaged solution to a situation.
Knowledge-based behaviour tends to be slower than other forms of behaviour and is very
demanding of mental resources, but is necessary when a person is faced with an unfamiliar
problem. Knowledge-based errors are errors of decision making, and may reflect a lack of
information on the task.
The skill-rule-knowledge distinction helps to explain why errors occur and to predict the types
of errors that will occur under various circumstances. Errors at the skill-based level are com-
monly referred to as slips and lapses, while errors at the rule-based and knowledge-based levels
are commonly referred to as mistakes. Many of the same basic error types have been observed
in a wide range of industrial settings, supporting the view that human errors are not usually
random deviations from normal performance, but rather follow systematic patterns and hence
can be partly predicted and prevented.

3
 The Reason model of accident causation
In addition to the immediate unsafe acts or errors committed by operators, investigations typ-
ically reveal that longstanding systemic failures have had a role in causing, permitting or exac-
erbating accidents and incidents. Therefore it is important to consider not just the immediate
circumstances of maintenance incidents, but also the underlying or systemic failures which
make such incidents possible.
The model of system breakdown proposed by James Reason, illustrated in Figure 2, has become
a standard framework for analysing accidents in industrial and transport settings (see Reason
1990, 1991). The model has been advocated for accident investigation purposes by ICAO
(International Civil Aviation Organisation 1993), has been used in the analysis of anaesthetic
accidents (Runciman and others 1993) and has been applied by its originator to the analysis of
accidents in various settings, including nuclear power plants, chemical plants and transport
applications . While the Reason framework was initially proposed to account for accidents, it
can also be applied to less catastrophic occurrences.

Figure 2 The Reason model

Defences

Organisational Local Unsafe ACCIDENTS

deficiencies factors acts

Reason recognises that human behaviour is the greatest contributor to system failure. He con-
siders that system breakdowns result from combinations of active failures and latent failures,
sometimes in conjunction with unusual environmental forces. Active failures are the events
which immediately precede the breakdown. Unsafe acts such as errors or violations are the
most commonly identified active failures.
In Reason’s terminology, latent failures are the longstanding system problems which create the
circumstances in which active failures occur, and have the potential to make the consequences
of active failures especially serious. Latent failures include inadequate defence systems and con-
ditions which promote unsafe acts in the workplace. Latent failures often have their origin in
management and may be put in place well before the breakdown occurs. Using a medical anal-
ogy, Reason has given the label ‘resident pathogens’ to longstanding system failures.

The SHEL model

The SHEL model is a human factors analysis framework originally proposed in the 1970s by
Edwards and now formally recommended by ICAO (International Civil Aviation Organisation
1992). The letters in the acronym SHEL represent Software, Hardware, Environment and
Liveware (see Figure 3).

Figure 3 The SHEL model

4
In contrast to the Reason model, the SHEL model is most useful in considering human factors
at the ‘sharp end’, that is, the performance of individual operators. The SHEL model and the
Reason model complement each other and can be used jointly.
The SHEL model enables human factors issues to be divided into four broad areas. The first is
the interaction between people (‘liveware’) and software such as procedures, documentation
and manuals. The second element of the model is the interaction between people and hard-
ware, such as tools and equipment. The third element of the model represents the interaction
between people and the environment. The last element of the model represents the interactions
between people in the system, and includes issues such as communication, teamwork and
group interactions.
The SHEL model provides a simple but powerful framework in which most individual human
factors problems can be described. The SHEL model provides a useful guide to assist in the
investigation of maintenance incidents as it acts as a prompt to ensure that all relevant factors
have been identified.

5
 Aims
This study was conducted with the aim of achieving a better understanding of maintenance
incidents, including the role of human error and the underlying factors which lead to such inci-
dents; identifying areas where safety improvements can be made; and making recommenda-
tions to achieve improvements.

6
Method
Maintenance technicians were asked to provide examples of incidents, following a structured
questionnaire based on the critical-incidents technique pioneered by Fitts and Jones (1947) in
their study of pilot error and further developed by Flanagan (1954). The critical-incident tech-
nique is a key human factors method which has been used for many years in the aviation indus-
try, and has also been applied in medicine and the nuclear power industry. The technique
involves gathering first-hand accounts by operators of critical incidents, accidents, mistakes
and near accidents which have occurred in the performance of job tasks. The technique is par-
ticularly useful where a system has been in operation for some time and where operational dif-
ficulties have been experienced but where the nature of the difficulties is not well understood.
A copy of the questionnaire can be found at appendix 1.
During interviews held in 1994 and 1995, maintenance technicians were asked to report inci-
dents which had occurred in the previous 12 months in which they had a first-hand involve-
ment, either as a participant or as an observer. All participants in this study were involved in
the maintenance of aircraft with a certified maximum seating capacity greater than 38 seats
and/or a maximum payload exceeding 4,200 kg. Although the primary focus of BASI is on
incidents which could affect the safety of public transport operations, incidents which could
have affected the safety of workers were also collected. Both types of incidents can arise from
underlying deficiencies in maintenance organisations.
Safety incidents frequently involve a sequence of events, so the incidents were broken down
into event sequences using a system developed by Williamson and Feyer (1990) at the National
Institute of Occupational Health and Safety. The coding system used to analyse incidents can
be found at appendix 2. This system was originally developed to examine fatal workplace acci-
dents. As well as considering each incident as a sequence of events, each event was categorised
according to whether it involved the actions of a person, a failure of equipment or an environ-
mental event such as wind or rain. The contributory actions of people in the incident sequence
were categorised according to Swain’s omission, commission, substitution categories of human
error and the SRK framework of Rasmussen (1983). Each event was considered as a separate
‘sub-incident’ and was assigned contributing factors where appropriate. A sample of the inci-
dents was coded independently by two coders to evaluate the reliability of the coding system.
The results of this evaluation can be found at appendix 3. Definitions of terms used during cod-
ing can be found at appendix 4.

7
 Results

General
Of the 86 incident reports collected, 46 were classified as airworthiness occurrences, as they had
the potential to affect the operation of an aircraft, and 49 were classified as occupational health
and safety (OH&S) occurrences as they related to the health and safety of maintenance per-
sonnel. Nine incidents fell into both categories, in that they related to both airworthiness and
worker safety. A significant number of incidents (54%) had not been reported through official
channels. Error types were categorised with a system developed from Boeing’s Maintenance
Error Decision Aid (MEDA) system (Boeing 1994). A brief summary of the incident events can
be found at appendix 5. Note that an incident may have involved more than one type of error
(see Table 1).
The most frequently reported type of error was system operated in unsafe condition. This
included incidents where aircraft systems such as flaps or thrust reversers were operated dur-
ing maintenance when obstructions or workers were in the vicinity. In some cases aircraft sys-
tems were operated while the system was partly disassembled. The following incident is an
example of a system operated in an unsafe condition:

Table 1
Frequency of Maintenance Error Types
Type of Error
System operated in unsafe condition 16
Towing event 10
System not made safe 10
Equipment failure 10
Degradation not found 6
Falls and spontaneous actions 6
Incomplete installation 5
Work not documented 5
Person entered dangerous area 5
Person contacted hazard 4
System not reactivated/deactivated 4
Did not obtain or use appropriate equip. 4
Unserviceable equipment used 4
Verbal warning not given 3
Vehicle driving (not towing) 2
Pin or tie left in place 2
Warning sign or tag not used 2
Not properly tested 2
Safety lock or warning removed 2
Vehicle/equipment contacted aircraft 2
Material left in aircraft/engine 1
Access panel not closed 1
Contamination of open system 1
Equipment not installed 1
Panel installed incorrectly 1
Required servicing not performed 1
Unable to access part in stores 1
Wrong equipment/part installed 1
Wrong fluid type 1
Wrong orientation 1
Unable to be coded 6

8
 On a night shift at about 2.30 a.m., the crew were performing a rigging check on the
leading edge slats after gearboxes had been changed. At the end of this work, one
torque tube was left disconnected from a gearbox. The crew went for a break and after
they returned they extended the slats on hydraulics as a check of their work. One sec-
tion of the slats did not move, because of the unconnected torque tube. As a result part
of the leading edge was torn off. The crew would normally have checked their work
before extending the slats, but this check had been omitted because of the interrup-
tion caused by the break. The reporter considered that in hindsight, it would have been
more sensible to have extended the slats electrically as they would have moved more
slowly. In addition, had docking been available, they could have walked along the
length of the wing to check the connections.
The second most frequently reported error reflects the potential for damage to aircraft as they
are manoeuvred by maintenance personnel in areas where space is restricted. The following is
an example of such an incident:
As a large multi-engine aircraft was being pushed out of a hangar on a dark night, the
left winglet hit the left stabiliser of a twin-engine aircraft. An engineer stationed under
the wing saw that the collision was about to occur and made torch signals to alert the
licensed engineer stationed near the nose of the aircraft, who could have given the tug
driver a signal to stop the tug. However, the licensed engineer did not see the torch
signals in time to prevent the collision. The twin-engine aircraft had to be re-scheduled
while the damage was repaired. The reporter stated that he was not aware of any stan-
dard procedures for stopping aircraft with torch signals. The reporter considered that
fatigue was a factor in this occurrence.
The third most frequent error, system not made safe, refers to situations where an aircraft sys-
tem was not disabled or locked out appropriately before work commenced. Included are
instances where electrical power was left on while electrical work was carried out and instances
where hydraulically activated systems were not isolated from hydraulic power.
Equipment failure refers to situations where an item of maintenance equipment or an aircraft
component failed and this was not a result of maintenance actions. On some occasions, an
equipment failure combined with a human error to create the incident; for example, there were
two occasions where workers’ unsafe behaviour brought them into contact with faulty electri-
cal equipment, resulting in non-fatal electric shocks.

Incident outcome
Incidents were coded using the coding sheet reproduced in appendix 2. The end results of the
incidents are summarised in Figure 4.
Figure 4 Outcome of maintenance incidents.

Number of incidents
0 5 10 15 20 25 30 35

Potential hazard

Exposure to hazard

Damage to aircraft

Correction of problem

Potential damage to aircraft

Aircraft signed off with

unrectified problem

Delayed aircraft

Aircraft signed off with problem

arising from maintenance action

9
 Incidents which related to the safety of workers (OH&S incidents) were classified according to
whether they resulted in death of a worker, exposure of the worker to a hazard or potential
exposure of the worker to a hazard. None of the reported incidents resulted in death. Incidents
with airworthiness implications were classified according to whether they resulted in damage
to an aircraft, potential damage to an aircraft, an aircraft signed off with an unrectified prob-
lem, a delayed aircraft, an aircraft signed off with a problem which resulted from maintenance
action, or the detection and correction of a problem.
Note that nine incidents involved both an airworthiness element and an OH&S risk. In Figure 4,
these incidents have been counted separately under both the appropriate airworthiness and
OH&S category. As can be seen, the most frequently reported incident outcome was potential
hazard, where there was a risk that a worker could have been exposed to a hazard such as
hydraulically activated aircraft components or dangerous working surfaces. Exposure to hazard
refers to situations where the final outcome of the incident was that a worker came into contact
with a hazard, whether or not they had any control over the situation. Two examples of this inci-
dent type are a worker who was doused in fuel and a worker who received a cut hand when he
came into contact with windmilling engine fan blades. Correction of problem refers to situations
where a maintenance error was made but then recognised and corrected before the work was
signed off. For example, a part was installed upside down, but then removed and reinstalled cor-
rectly by the same workers. Potential damage to aircraft includes situations where an aircraft sys-
tem was not disabled before maintenance work was carried out and where the system would
have been damaged if it had been activated during maintenance.

Reporting of incidents
Most incidents which had an airworthiness element had been officially reported within the
company; however, only a minority of the incidents with OH&S implications had been offi-
cially reported (see Figure 5). In considering the unreported airworthiness incidents, it should
be noted that it would not normally have been necessary to report an incident which resulted
in only potential damage to an aircraft or where a mistake was rectified.

Figure 5 Previous reports submitted

35

30
Number of incidents

25

20

15

10

0
Reported Not Information
previously reported not available
previously

Airworthiness OH&S

Previous occurrence of similar incidents

The results summarised in Figure 6 emphasise the recurring nature of many incidents. In most
cases the reporter considered that the type of incident had happened before, and in nearly all
cases, reporters said the incident could happen again.

10
Figure 6 Previous occurrence of similar incidents
25

20

Number of incidents
15

10

0
Has happened Has not Information
before happened before not available

Airworthiness OH&S

Area of aircraft involved

The area of the aircraft which was involved or was being worked on when the incident occurred
was coded using standard Air Transport Association (ATA) descriptions. As Figure 7 indicates,
engines, flight controls and thrust reversers featured most frequently in the reported incidents.
Engines were involved in the largest number of OH&S incidents, but also featured significant-
ly in airworthiness incidents. The number of airworthiness incidents involving thrust reversers
and flight controls (particularly flaps), largely reflects the potential to damage these systems by
deploying, stowing or retracting them while maintenance is in progress. The airworthiness
incidents involving wings generally occurred while aircraft were being manoeuvred in confined
spaces.

Time of incident
The times of day at which incidents occurred is summarised in Figure 8. There were two peaks,
one in the late morning after 1000 hours, the other in the mid-evening between 1800 and 2000.
Care should be exercised in interpreting these figures as they may reflect the hours at which
most maintenance work is carried out and may not necessarily indicate a higher rate of inci-
dents in a particular time period.
As there were no discernible differences between the time at which OH&S and airworthiness
incidents occurred, and because of the relatively small number of incidents in each 2-hour time
period, information relating to the time of occurrence is not broken down by incident type.
At the time that the study was conducted, the day shift commenced at 0600 and concluded at
1400, the afternoon shift commenced at 1400 and concluded at 2200, and the night shift com-
menced at 2200 and concluded at 0600. There were approximately three times as many work-
ers present during morning and day shifts as during night shifts. Hence, if the frequency of
incidents reflected only the number of workers present and not the time of day, it would be
expected that there would be three times as many incidents during morning and day shifts as
during night shifts.
Figure 9 presents the relative number of incidents at each time of day when the variation in the
number of workers present has been taken into account by dividing the incidents which
occurred during morning and day shifts by a factor of three.
In essence, this figure presents the relative frequency of incidents which could be expected if the
same number of workers were present at all times throughout the day. A cyclic pattern of inci-
dents can be seen, corresponding to the three shift patterns described above. However, the
greatest relative frequency of incidents occurred on the night shift between the hours of 0200
and 0400.
11
 Figure 7 Area of aircraft involved in the incident
Area of aircraft
Engine

Flight controls

Thrust reversers

Wings

Landing gear

Galley

Fuselage

Hydraulics Airworthiness
incidents
Fuel
OH&S incidents
Engine oil

Doors
Stabiliser
Radar

Pneumatics
Igniters

General exhaust area

Fuel pumps
Engine strut
Engine air

Electrical power

APU

Air-conditioning

0 2 4 6 8 10 12 14

Number of incidents

Figure 8 Time of incident

10

8
Number of incidents

0
0
0
0
0

0
0
0
0
0

0
00

0
60
20
80
40

20
80
40
00
60

40
00
02

-1
-1
-0
-0

-2
-1
-1
-1
-0

-2
-2
-

01
01
01
01

01
01
01
01
01

01
00

01
14
10
06
02

20
16
12
08
04

22
00

18

Time of day

12
Figure 9 Relative frequency of incident corrected for number of workers present

4.0

Number of incidents normalised

3.5

for workers on shift

3.0

2.5

2.0

1.5

1.0

0.5

0.0

0
0
0

0
0
0
0
0

0
0
0

20

60
80
40

20
80
40
00
60

40
00
20

-1

-1
-0
-0

-2
-1
-1
-1
-0

-2
-2
-0

01

01
01
01

01
01
01
01
01

01
01
00

10

14
06
02

20
16
12
08
04

22
18
00

Time of day

Time into shift

All the incidents were reported by workers on 8-hour shift patterns. As can be seen from
Figure 10, there was a tendency for incidents to become more frequent as the shift progressed.
An exception to this was that relatively few incidents were reported to have occurred in the last
hour of the shift. This may indicate that the last minutes of the shift are used to perform clean-
up and ‘housekeeping’ tasks which are less likely to lead to incidents.

Figure 10 Timing of incidents within 8-hour shift pattern

15

12
Number of incidents

0
1 2 3 4 5 6 7 8

Hours into shift

Incident involvement
An incident may have involved more than one event. For example, a worker may have made an
error during the installation of a component and a second worker may then have failed to
detect the error during a check. Each event in the incident sequence was classified according to
whether it involved the actions of a person, a failure of equipment or an event in the environ-
ment (such as a gust of wind).

13
 Eighty-seven per cent of the incident events involved the actions of people. Equipment failures
accounted for 12% of events, while environmental events represented less than 1% of the total
events (see Figure 11).

Figure 11 Incident involvement

100
90
80

70
% of events

60

50
40

30
20

10
0
People Equipment Environment

Event type

Human errors
Errors were categorised with Swain’s error classification system, described earlier.
Omissions constituted the greatest proportion of human errors in the incidents (see Figure 12).
Commissions constituted the second-most frequent type of error.

Figure 12 Human errors

Mis-timed actions
3%
Substitutions
12%

Omissions
48%

Commissions
37%

14
Analysis of Incidents
In the following section, the incidents are analysed using models of human error and accident
causation. Maintenance errors are first analysed with the skill-rule-knowledge framework
developed by Rasmussen. The Reason model is then applied to the incidents, first by examin-
ing the local factors which contributed to the incidents and then by considering the wider
organisational factors which were involved in incidents. This section concludes with a qualita-
tive analysis guided by the SHEL model described in the introduction of this report.

Results in terms of the skill-rule-knowledge model of human error

The errors made by technicians were divided into skill-rule-knowledge categories, see
Figure 13. Some errors could not be categorised with complete certainty, but were assigned to
a category on the basis of probability. Some reports identified risky behaviour or conscious rule
violations. For the purposes of this study, no distinction was made between violations and
errors and such behaviours were coded as errors.
Figure 13 Human error types (skill-rule-knowledge)

Unclassifiable
10%
Probably knowledge Probably skill
4% 23%

Skill
11%
Rule
34%

Probably rule
18%

Knowledge-based errors were relatively rare and only 4% of errors were classified as ‘probably’
knowledge-based errors. Thirty-four per cent of the errors were skill-based. There was a degree
of uncertainty in classifying these errors, and most of these errors could only be classified as
skill-based errors with less than complete certainty. An example of a skill-based error follows.
A technician working under the fan cowl of an engine left a large spanner wedged
between tubing. After the aircraft had departed, the technician realised that the span-
ner was missing but did not take steps to alert the airline. The technician retrieved his
spanner when the aircraft returned.
The initial error in this case was a skill-based lapse, related to an inadvisable work practice
(resting tools on convenient parts of aircraft). The technician’s subsequent response to this
lapse can be seen as a rule-based mistake.
In 52% of cases, the action took the form of a rule-based error. For example:
An ignition check was being performed on a GE CF6 engine using a test box. Both
ignition plugs were disconnected and one igniter at a time was plugged into the box
where it was fired. The wrong cannon plug at the low tension end had been discon-
nected, with the result that the igniter which had been left hanging free in the air was
still connected. During the igniter check, the loose igniter fired and sparked across to
the engine. The person who disconnected the cannon plug had thought (wrongly) that
15
 the upper ignition box connected to upper ignition. But in fact in the CF6 engine, the
top ignition box provides power to the bottom ignition and vice versa. The reporter
conceded that it had been a bad maintenance practice to leave both leads out at the
same time.
The person involved made a rule-based mistake by assuming that disconnecting the top can-
non plug would deactivate the top igniter.

Local factors in terms of the Reason model

Local factors were assigned to each event in the incident sequence on the basis of the informa-
tion provided by the reporter. A local factor is a situation which existed in the local work area
and which had a deleterious effect on the work of people at the time of the incident. Some local
factors may have only occurred at the immediate time and place of the incident, while others
may be more widespread within the organisation.
Each event could be assigned multiple factors. It was apparent that the local factors assigned to
OH&S incidents were significantly different to those associated with airworthiness occur-
rences. For this reason, the local factors for OH&S and airworthiness incidents are presented
separately.

Local factors in OH&S incidents

The most frequent local factors in OH&S events are presented in Figure 14. The factor tools and
equipment refers to difficulties such as broken stands and faulty electrical equipment. Examples
of environment factors are weather, darkness and slippery work surfaces. Convenience was
coded as a factor in incidents where a worker was motivated by a desire to reduce inconve-
nience. Examples are not using uncomfortable safety equipment or not obtaining the correct
equipment for a small task when the equipment is not readily at hand.
Figure 14 Most frequent local factors in OH&S events
Factor
Tools and equipment
Perceived pressure or haste
Environment
Convenience
Knowledge, skills, experience
Communications
Procedures
Control and supervision of work
Distraction
Space restrictions
Design of system or component
Documentation
Fatigue
Automated systems

0 3 6 9 12 15

Number of events

Local factors in airworthiness incidents

The most frequently assigned factors in airworthiness incidents are presented in Figure 15. The
factor procedures reflected several difficulties with procedures, including uncertainty about cor-
rect procedures, and differences in interpretation between crews. Communication breakdowns
most frequently occurred between crews or shifts. Control and supervision issues typically
emerged with the work of apprentices, and most occasions where the factor ‘knowledge, skills &
experience’ was listed related to the work performance of apprentices. Space restrictions in gen-
eral related to difficulties moving aircraft in confined areas.

16
Figure 15 Most frequent local factors in airworthiness events
Factor

Procedures
Communications
Control and supervision of work
Preceived pressure or haste
Knowledge, skills, experience
Tools and equipment
Space restrictions
Aircraft design
Documentation
Shift change
Fatigue
Distraction
Environment

0 2 4 6 8 10 12 14 16 18 20

Number of events

Some factors were reported less frequently than anticipated. For example, fatigue was not one
of the more frequent factors. When it was reported, the fatigue had sometimes been induced
by social life outside work rather than the work itself. Anecdotal evidence suggests that task
interruption is a significant challenge to work quality, yet this factor was mentioned in only a
few cases.

Organisational factors in terms of the Reason model

Organisational factors were coded for each incident, using the coding sheet presented at appen-
dix 2. An evaluation of the reliability of coding for organisational factors indicated that the reli-
ability of coding between the two coders was low (see appendix 3).
Figure 16 presents organisational factors in terms of the Reason model. Given the low reliabil-
ity of the coding system, the information on organisational factors should be viewed as opin-
ion rather than as factual information. As can be seen, organisational factors were identified
more frequently in airworthiness incidents than in OH&S incidents.
Figure 16 Organisational factors
Organisational factor
Control of procedures

Equipment maintenance

System defences
Design issues

Materials

Goal conflict Airworthiness

Management oversight
OH&S
Communications

Norm/procedure conflict
Training

0 5 10 15 20

Number of events

17
 Control of procedures emerged as the most frequent organisational factor. A local difficulty with
the application of procedures may reflect a wider organisational problem in the development
and dissemination of procedures. Hence, procedures feature as both local and organisational
factors. These results suggest that management may need to take a more active role in standar-
dising and documenting procedures, and in ensuring that procedures are followed.
Equipment maintenance emerged as an organisational level factor relevant to both OH&S and
airworthiness incidents. This is closely related to the incidence of equipment deficiencies as a
local factor, in that the presence of broken or faulty equipment (such as stands and lighting) on
the hangar floor may reflect a wider organisational problem in the maintenance of equipment.
System defences generally refers to procedures such as engine runs and dual inspections intend-
ed to ensure that maintenance has been carried out correctly. On some occasions where this
factor was identified, incorrect maintenance was not detected and corrected before the aircraft
was released from maintenance.

Results in terms of the SHEL model

In the following section, incidents are analysed according to the SHEL model. In contrast to the
previous sections of this report, this does not involve an analysis of the frequency of various
factors. However, the SHEL model provides a simple framework within which to review and
discuss some of the common features of the incidents.
The procedural issues identified in this study fall into the ‘software’ element of the SHEL
model.

Software (procedures, training and defences)

Variations in procedures
There were cases in which disagreements had arisen concerning the correct procedures to be
followed. This may indicate a problem with initial or recurrent training. For example:
A servicing crew had commenced an A-check on a twin-engine jet aircraft. There was
a requirement to lock out the thrust reverser on a GE CF6 engine, although there was
no work to be done on the thrust reverse system. The crew elected to use a lockout
plate to de-activate the reverser; however, there was no requirement to write up the de-
activation in the defect log, and hence no log entry was made. After a shift change, a
second crew completed the A-check. The task card called for system re-activation;
however, because no work had been done on the reverser system, the crew did not
expect that reverse thrust would have been de-activated and did not check the status
of the lockout plate. The aircraft was dispatched with an inoperative and undocument-
ed reverse thrust system.
This incident was considered to involve two events. First, the thrust reverser was locked out
using the lockout plate: an unusual but permitted work practice. Although this action was a
departure from normal work practice, it was not an error. Second, the crew responsible for sys-
tem reactivation did not check the status of the reverser lockout plate, as they assumed that the
thrust reverser had not been locked out, which represents a rule-based error.
The following factors were relevant to this incident: Methods of thrust reverser deactivation
were not standardised across crews and some crews did not lock out reversers if they were not
working on or near that system. There was no requirement to write up the de-activation in the
defect log. The relevant task card did not specify that reverse thrust should be reactivated but
instead referred to ‘system re-activation’. The lockout system on the aircraft uses a small metal
plate situated inside the thrust reverser cowl. Once the cowl is closed, there is no indication that
the lockout plate is in place. Other aircraft operated by this airline use a pin and streamer sys-
tem which provides a more noticeable indication of system lockout. There was no requirement
for a reverser functional check before dispatch.
A second example of a variation in understanding of procedures also involved a large twin-
engine jet transport aircraft.

18
 One maintenance crew was working on the left engine of the aircraft. Another crew
working on the right engine had locked out the leading edge flaps, and had reverser
cowls open but had not locked out reversers. If the reversers had been activated, it
would have severely damaged the reverser halves. The crew working on the left-hand
engine believed that procedures required the reversers to be locked out and docu-
mented. A disagreement ensued between members of the two crews about whether it
was necessary to lock out the reversers.
In another case, a crew reported that they performed additional functional checks on aircraft
systems, not called for in procedures, as they believed that the procedures were inadequate.
While the additional checks may be beneficial, they result in a variation in procedures across
crews.
Some small tasks, such as activating hydraulics or moving flight controls appear to be per-
formed according to the individual work habits and common sense of the engineer rather than
in accord with formal procedures or guidelines. This informal aspect of task performance
increases the chance that steps will be omitted, that systems will be activated in unsafe condi-
tions, or that tools or other devices will be left inside aircraft. A greater use of formal checklists
or procedures could help to avoid some of the incidents which were related to lapses or incor-
rect assumptions about system status. It should also be possible to periodically review the work
practices of individuals and crews and ensure that divergent work practices do not develop and
that procedures are understood.

Aircraft towing procedures

The methods used to ensure that aircraft do not contact obstructions during towing in con-
fined spaces are in need of revision. At present, in most circumstances, engineers walking under
the wings of a towed aircraft give ‘thumbs up’ signals to an engineer walking near the nose of
the aircraft. This engineer typically has an interphone connection to the engineer riding in the
cockpit, but cannot talk to the tug driver. Communication with the tug driver is generally via
hand signals, or in an emergency, via a stop or caution button located on the outside of the tug.
If the tug is moving forward, the driver is unlikely to be looking directly at the engineer walk-
ing near the nose and is less likely to see signals from the engineer.
Dell and Ojczjk (1996) reviewed 47 aircraft pushback accidents which had occurred worldwide
between 1964 and 1993. They concluded that changes to the pushback methods are required to
reduce the rate of injury to personnel.

Training
There was a view among some interviewees that recurrent training was lacking. This included
refresher training and training in some new systems. It was reported that some personnel had
serviced systems such as the Traffic Alert and Collision Avoidance System (TCAS) without
appropriate training.
There were also indications that the training system does not always receive adequate feedback
on the problems which occur on the hangar floor. For example, some recurring problems could
be addressed by changes to the training system.

Defences
Authorities on human factors in aviation such as Hawkins (1993) recommend a ‘two-pronged’
approach to human error. First, errors should be minimised. Second, the consequences of those
errors which nevertheless occur should be reduced. Defences are part of this second approach
to error. Defences can be built into the system to catch errors before they have the opportuni-
ty to cause serious consequences.
Examples of defences in maintenance are functional checks, dual certification and visual
inspection of systems. Several incidents indicated that defence ‘safety nets’ were failing to catch
maintenance errors which had occurred in earlier maintenance procedures. The following inci-
dent involved a defence which failed to identify a maintenance error.

19
 A fuel filter was being re-fitted to a GE CF6 engine after a fuel pump had been
changed. Six studs held the filter on, with two in an inaccessible position. It was not
possible to see the nuts on two of the studs without a mirror. These two nuts were left
off, but the other four had been installed correctly. Two workers were performing the
task, an apprentice and a licensed aircraft maintenance engineer (LAME). They knew
there were six nuts to install, but thought they had fitted them all. There were many
loose parts around. A leak check at idle power didn’t reveal any leaks. When the air-
craft took off, the pilot was advised by air traffic control that there was vapour stream-
ing from the engine. The aircraft continued to its destination, and on landing, the pilot
was again informed of vapour by the tower. A power run was carried out at the desti-
nation and the problem was identified. It was subsequently determined that more than
20 such incidents had occurred worldwide at various airlines.
In this case the defence, a leak check, failed to disclose a problem which subsequently became
evident at takeoff. This was not the only occasion in which an idle power run or engine spin
failed to show up a problem.

People issues (‘liveware’)

The following issues relate to the L-L element of the SHEL model, namely, the interactions
between people.

Shift handover
Overseas accident experience has indicated that inadequate shift handover can be a significant
problem for maintenance organisations. However, shift handovers were attributed as a factor
in fewer than 10% of the current airworthiness incidents. No information is available on the
proportion of jobs which require more than one shift to complete. If such information were
available, it would be possible to express shift handover problems as a proportion of all shift
handovers.
The following relatively minor incident was related to a shift change:
During a routine engine change during night shift, a strut inspection was performed
after engine removal and it was noticed that there was a crack in the pre-cooler. The
fault was marked on the pre-cooler and was documented. A new pre-cooler was
ordered and was delivered and put under the engine before the night shift went home.
The day shift arrived and in their eagerness to get the job done, installed the new
engine without changing the pre-cooler. This was partly understandable as the work
schedule did not include the pre-cooler and the crew did not browse through the doc-
umentation sheets before starting work.

Communication
Sometimes the dissemination of information within maintenance organisations is inadequate.
For example, at times a new task such as a modification led to mistakes when a crew was tasked
with performing the work for the first time. Other crews which had previously performed the
task had also made the same mistakes, yet the lessons had not been communicated to all appro-
priate personnel.
Communication between technicians with differing trade backgrounds can also be a problem.
This was evidenced by several incidents which involved misunderstandings between specialist
technicians such as personnel with electrical qualifications and those with engine and airframe
licences.

Crew resource management (CRM)

Accident investigations and research have determined that a lack of flight crew coordination
can pose a serious threat to the safety of airline operations. However, research has also indicat-
ed that improvements in crew performance can be achieved through training which focuses on
important, but sometimes overlooked, non-technical skills. In recognition of this, most major
airlines now provide flight crew with training in non-technical skills such as delegation of tasks,
communication, management and leadership (Wiener, Kanki & Helmreich 1993).
20
There is an increasing recognition that non-technical skills such as communication and
assertiveness are as important within maintenance operations as they are for flight crew (for
example, Taggert 1990).
Maintenance organisations tend to be strongly hierarchical, with a strict order of status from
apprentices through tradesmen, licensed aircraft engineers, leading hands, supervisors and
management. For example, those lower in the hierarchy are expected to show deference to
those above and are more likely to be asked to perform menial or dirty tasks. While this system
has its benefits, it also has the potential to diminish team performance. Some potential prob-
lems are junior staff being unaware of the ‘big picture’ of why a task is being performed, and
junior staff being reluctant to express disagreement with senior staff. The following incidents
illustrate this problem:
The aircraft was at the terminal and had to be towed to the run bay. An engineer was
working in the engine on the variable inlet guide vanes. The APU was started to pro-
vide hydraulic power (but no air was supplied to the engine). The acting leading hand
suggested that to save time, the engineer should continue working in the engine as the
aircraft was towed to the run bay. The engineer remained in the engine as the aircraft
was towed. There was some disagreement in the crew about whether this was a good
idea. About 10 minutes was saved.
The crew had the task of ‘panelling up’ an aircraft after work had been carried out by
another crew on an engine. The aircraft was scheduled to depart shortly but was
delayed in getting to the run bay due to a problem with the delivery of catering sup-
plies. During the engine run, an oil leak was detected. Oil lines were checked to try and
locate the leak. As this was being done, the tug arrived to take the aircraft to the ter-
minal for departure. Time was limited and after tightening some oil lines, a dry spin was
performed. No leak was detected during the spin. Some crew members considered
that an additional engine run should have been performed but did not forcefully
express this view to more senior personnel. The engine was subsequently shut down
in flight due to oil loss from loose oil lines.
The concept of cockpit authority gradient has been applied to explain why flight crew perfor-
mance is sometimes poor when there is a steep difference in authority between senior and
junior crew (Hawkins 1993). The above incidents appear to illustrate a similar difficulty with-
in maintenance. However, just as a steep authority gradient can reduce performance, so too can
an excessively flat gradient or a laissez-faire approach prove to be a hazard, as the following
incident illustrates.
The crew had just finished installing an upper deck escape slide (a job which takes
about 4 man-hours). During the job, the crew were noisily fooling around, people were
talking to the LAME in charge, and there were many disturbances; however, the LAME
did not want to get the other workers to be quiet as it would have made him look fool-
ish. At the end of the job there is a test to make sure that the door goes from auto to
manual smoothly. The door was accidentally left in ‘automatic’, and when the door was
operated at the end of the job, the slide partly fired. Although the slide did not inflate,
it hit docking. The LAME realised that they had not been taking the job seriously
enough.
CRM for flight crew generally entails coordinating the work of people within a single crew.
Maintenance personnel face the additional challenge of coordinating the work of multiple
crews, particularly when a task extends for longer than one shift or more than one crew is
working on an aircraft simultaneously.
A significant number of incidents collected in this study reflected the difficulties of more than
one crew working on an aircraft at the same time. The following example illustrates this:
A crew was working on the centre hydraulic system in the wheel well of a twin-engine air-
craft. Some hydraulic lines (which operate at 3,000 lb/in 2) were disconnected. A member of
another crew was in the cockpit changing a light bulb on an overhead panel switch for the
centre hydraulic system. Although the switch was believed to have been tagged to prevent
activation, the worker pushed in the switch and the hydraulic system activated. The engi-
neers in the wheel well evacuated the area when they heard the hydraulic system activate.
21
 Not all the information collected indicated poor CRM performance. Most crews obviously per-
form their work in a coordinated and efficient manner and some positive CRM practices were
noted. For example, some leading hands encourage all crewmembers to browse through the
task documentation at the start of the shift.

Equipment issues—hardware
The hardware element of the SHEL model refers to the physical equipment used in the job.
Several issues emerged concerning this aspect of the work of maintenance engineers, particu-
larly in incidents with OH&S implications.

Equipment maintenance
Problems with the maintenance of hangar equipment such as stands, lighting system and vehi-
cles featured frequently in incident reports. In some cases, equipment which had been identi-
fied as unserviceable was still available for use. For example:
While changing the logo light in the tail of an aircraft, the lift truck, which had been
extended over the tail (horizontal stabiliser), slowly dropped onto the stabiliser. The truck
had been snagged as unserviceable due to a hydraulic leak, but had still been issued
to the workers. When the truck platform was retracted, the main supports gouged into
the leading edge of the stabiliser. The worker reported that he had learnt from this expe-
rience to avoid, where possible, putting ground equipment over an aircraft.
Although some equipment has been in service for many years, several reporters specifically
mentioned that some older equipment, particularly old stands and mobile stairs, were still use-
ful for many maintenance tasks.

Warning and lockout devices

Several incidents involved various lockout devices, ties or pins being left in place. This finding
is consistent with the UK statistics referred to in the introduction which indicated that the fail-
ure to remove ground lock pins was a significant error in maintenance. This may reflect diffi-
culties with the control and storage of this equipment. For example, such devices are not always
stored in a manner which would make it obvious when a device has been unintentionally left
in place. Storage of these devices in slots or boxes would make it easier to detect when one has
gone astray.
A crew was required to do a functional check after rigging work had been performed
on the flight controls of an aircraft by another crew. During the check to make sure all
rigging pins were removed from the control runs inside the aircraft, it was found that
one rigging pin was still in place (in the tail of the aircraft). Pins are issued with long red
plastic streamers attached, but there was no streamer on this pin. The controls of the
aircraft could have been damaged had they been moved with the pin in place. When
asked why he thought the incident happened, the reporter mentioned that some rig-
ging pins are stored in a box (which makes it easy to keep track of how many have
been collected), but these ones might not have been stored in this way. He thought the
other crew had forgotten about the pin and he said it was not easy to see if all pins had
been collected.

Design issues
There were several incidents where an error made by engineers was related to the design of air-
craft or engines. For example, several incidents were reported in which thrust reversers were
left locked out on twin-engine aircraft (an example of such an incident has been reported ear-
lier). All of these incidents involved aircraft equipped with GE CF6 engines: none occurred on
Pratt and Whitney engines. These incidents appear to be directly related to the design of the
lockout system. Other incidents involving the incorrect or incomplete assembly of components
appear to reflect designs which increase the potential for error. The example of an incomplete
installation of a fuel filter referred to earlier illustrates this problem.

22
It would appear that ergonomic maintenance considerations are sometimes overlooked when
aircraft and systems are being designed. Better feedback to manufacturers on the errors which
occur during the maintenance of their products may help to reduce design-related mainte-
nance errors.

23
 Discussion
The data collected in this project has provided some useful insights into the nature of mainte-
nance incidents.
Most types of incidents were repetitive. The recurring nature of such incidents means that they
are to some extent predictable, and hence measures can be taken to prevent them.
Many incidents involved flight controls, engines, and thrust reverser systems.
Human error featured in most incidents, with omissions being the most frequent type of error.
The skill-rule-knowledge framework proved to be an adequate classification system for main-
tenance errors, although in some cases, the framework was difficult to apply. Errors due to
inadequate knowledge were rare and were usually committed by trainee technicians. Skill-
based errors occurred in approximately 34% of the incidents. However, the majority (52%) of
the errors took the form of rule-based mistakes. Many of these errors took the form of mistak-
en assumptions, particularly where workers wrongly assumed that an aircraft system was in a
particular configuration.
Williamson and Feyer (1990), in examining the errors which preceded a sample of 1,020 work-
related fatalities, found that just over 50% of errors were skill-based, while fewer than 14% were
rule-based mistakes and fewer than 14% were knowledge-based mistakes. In contrast, the cur-
rent study, while based on a significantly smaller number of incidents, would appear to indi-
cate that formal and informal rules play a significant part in guiding the actions of maintenance
technicians and that these rules provide a significant source of errors.
A common rule-based error was the activation of an aircraft system (such as hydraulics), with-
out first checking the status of cockpit controls. Remedial action for such errors could include
ensuring that technicians acquire appropriate situational awareness before activating systems,
possibly by the use of checklists to guide performance of routine actions.
The type of error which can be expected on a given task appears to be closely related to the fre-
quency with which that task is performed. By definition, rule-based or knowledge-based mis-
takes can be expected to be particularly prevalent when the task is unusual, but to become less
common on tasks which are performed frequently. Skill-based slips and lapses, on the other
hand, are relatively uncommon on unusual tasks but may become problematic on tasks which
are performed routinely.
For example, frequently performed tasks such as routine boroscope inspections have the poten-
tial to produce skill-based errors because of the familiarity of the work and the potential for
absent-minded task performance. An important consequence of the relationship illustrated in
Figure 17 is that by categorising tasks according to the frequency of their performance, main-
Figure 17 Task frequency and the prevelance of error

Mistakes Slips and lapses

Prevalence of error

Unusual task Routine task

Frequency of task performance

24
tenance managers will be better placed to anticipate errors and introduce appropriate counter-
measures. A further implication of this relationship is that for individual workers, there may be
an optimum level of task familiarity lying somewhere between the extremes of highly unusual
and highly routine tasks.
Several patterns emerged in the timing of incidents. In general, the frequency of incidents grad-
ually increased as the shift progressed, with a peak of incidents in the second-last hour of the
shift. The last hour of the shift, however, was the time when the least number of incidents
occurred. This may reflect a change in the work being carried out, as workers clean up work
areas and prepare to finish work for the day.
Research on the timing of workplace and transport accidents indicates that the early hours of
the morning and early afternoon are times at which accidents are particularly likely to occur.
For example, Williamson and Feyer (1995) found that when the number of people at work
throughout the 24 hours of the day is taken into account, fatal workplace accidents in Australia
are more likely to occur at night than during the day. The results of this study are consistent
with those findings, and indicate that the rate of incidents per worker is greatest in the period
between 0200 and 0400.
The local factors underlying airworthiness incidents were generally different to those underly-
ing OH&S incidents. For airworthiness incidents, procedures, control and supervision and
communications emerged as the most significant factors. For OH&S incidents, tools and
equipment, perceived pressure or haste, and the physical environment were the three most fre-
quent local factors.
Attributing local factors was relatively straightforward in most cases. However, organisational
factors could not be identified with a high level of reliability using the coding sheet presented
in the appendix.
Much of this document to this point has been concerned with the factors which lead to errors.
However, it is important to recognise that errors can also be addressed in at least two other
ways.
First, some errors occur while preventative maintenance or inspection tasks are being per-
formed. It is possible that in some cases, the risk of a system failure caused by a maintenance
error will be greater than the risk of a failure if the system is left undisturbed. A well known
example which illustrates this problem occurred in North America when an L1011 lost oil from
all three engines when magnetic chip detectors were fitted without O-rings. The benefits of the
inspection program would certainly have been outweighed by the risk of such an error occur-
ring (National Transportation Safety Board 1984).
In planning maintenance tasks, it may be necessary to factor in the probability of a human
error occurring during the task. For example, an inspection task which requires the frequent
opening and closing of access covers is likely to produce occasional skill-based lapses where
access covers will be left unsecured. Where the maintenance is designed to achieve financial
rather than safety benefits, such as extending the service life of a system, there may be occasions
where it would be preferable to leave a system undisturbed in order to avoid the possibility of
a maintenance error.
The second approach to human error is to acknowledge that errors will occur from time to
time and to design procedures and systems which can tolerate such errors. Avoiding the simul-
taneous performance of the same task on similar systems is an example of such an approach.
For example, on 25 February 1995, a European-operated 737-400 was forced to divert shortly
after departure following a loss of oil quantity and pressure on both engines. Both of the air-
craft’s engines had been subject to boroscope inspections during the night prior to the incident
flight. High-pressure rotor drive covers had been left unsecured on each engine and, as a result,
nearly all the oil had been lost from each engine during the brief flight (Air Accidents
Investigation Branch 1996).
Where extended range twin-engine operations (ETOPS) are being conducted, the performance
of identical maintenance actions on multiple elements of critical systems is avoided wherever
possible. Engines, fuel systems, fire suppression systems and electrical power are examples of

25
 ETOPS critical systems on aircraft such as the B767 and B737. Boeing lists several approaches
designed to minimise the impact of human error in maintenance of ETOPS aircraft. These
include performing maintenance actions on different legs of a flight, having two identical tasks
performed by different mechanics, adding inspections to detect errors, and carrying out tests
to verify that maintenance has not introduced a problem (Boeing 1994a). However, these pre-
cautions to minimise the impact of human error are not generally applied to aircraft with more
than two engines, or to twin-engine aircraft which are not being maintained in accordance with
an ETOPS maintenance program.
The extension of ETOPS philosophies to non-ETOPS aircraft would help to contain mainte-
nance induced problems. For example, staggered maintenance may reduce the risks associated
with simultaneous maintenance of similar systems.

26
Conclusion
It should be noted that this study is based on a limited sample of maintenance incidents that
may not be representative of all possible maintenance incidents. Hence, the issues raised in this
report will not necessarily apply to all maintenance operations. Furthermore, much of the
information in this report is derived from the knowledge and experience of maintenance engi-
neers themselves and the results will to some extent reflect their perceptions. Nevertheless, a
picture has emerged of the types of incidents which occur during maintenance work and the
factors which lead to these problems. The airworthiness incidents examined in this report indi-
cate that procedures, equipment, communications and control, and supervision of work may
be worthwhile areas for attention.

27
 Safety Actions
The following suggested safety actions are presented as a result of this study. Organisations will
need to assess the extent to which these suggested safety actions are appropriate for their own
operations.

1. Procedures
1.1 Maintenance organisations should periodically review documented maintenance proce-
dures to ensure that they are accessible, consistent and realistic.
1.2 Maintenance organisations should periodically examine work practices to ensure that
they have not evolved to the extent that they differ significantly from formal procedures.
Narrowing the gap between work practices and formal procedures may require modifi-
cations to procedures as well as to work practices.
1.3 Maintenance organisations should, where possible, ensure that standardised work prac-
tices are adhered to across their maintenance operations.
1.4 Maintenance organisations should evaluate the ability of checklists, whether performed
from memory or from paper, to assist the performance of maintenance personnel in rou-
tine situations such as activating hydraulics, moving flight surfaces or preparing an air-
craft for towing.

2. Managing the risk of human error

2.1 Maintenance managers should reconsider the need to disturb normally functioning air-
craft systems to conduct non-essential periodic maintenance checks or inspections, as
each disturbance to a system carries with it the risk of a maintenance error.
2.2 Maintenance organisations should formally review the adequacy of defences, such as
engine runs, designed to detect maintenance errors. Such a review could commence with
a listing of hazards followed by the listing of existing defences designed to address these
hazards. The aim of such a review would be to identify absent or inadequate defences.
2.3 Where possible, the simultaneous performance of the same maintenance task on similar
redundant systems should be avoided, whether or not the aircraft is an ETOPS aircraft.

3. Communication
3.1 Maintenance organisations should ensure that adequate systems are in place to dissemi-
nate important information to all maintenance personnel, particularly where procedures
have changed or where an error has occurred repeatedly on a task.

4. Tools and equipment

4.1 Maintenance organisations should review the systems by which equipment such as light-
ing systems and stands are maintained to ensure that unserviceable equipment is
removed from service and repaired rapidly.
4.2 Lockout devices should be stored in such a way that it is immediately apparent when they
have been inadvertently been left in place. For example, storage of gear-lock pins in a slot-
ted box would be preferable to loose storage in plastic bags.

5. Shift handover
5.1 Maintenance organisations should review the adequacy of shift handover practices, with
particular attention to documentation and communication, to ensure that incomplete
tasks are seamlessly transferred across shifts.

28
6. Supervision
6.1 Maintenance organisations should recognise that supervision and management oversight
may need to be increased, particularly in the last few hours of each shift, as errors become
more likely.

7. Towing aircraft
7.1 The procedures and equipment used to tow aircraft to and from maintenance facilities
should be reviewed. Particular attention should be paid to the possible need for a direct
verbal communication link between engineering personnel and tug drivers, to reduce the
current heavy reliance on hand signals. The procedures used to maintain safe clearance
between towed aircraft and obstructions in confined spaces should also receive attention.

8. Design issues
8.1 Manufacturers should give greater consideration to maintenance ergonomic issues when
designing systems and should actively seek information on the errors which occur when
systems are being maintained.

9. Training
9.1 Maintenance organisations should consider introducing crew resource management
training for maintenance engineers and other personnel (such as tug drivers) who inter-
act with maintenance personnel.
9.2 Regular refresher training should be offered to maintenance engineers with particular
emphasis on company procedures. Such training could help to reduce the frequency of
incidents related to misunderstandings of company procedures.

10. Feedback on maintenance incidents

10.1 Maintenance organisations should ensure that engineering training schools receive regu-
lar feedback on recurring maintenance incidents in order to target corrective programs
at these problems.
10.2 Managers of maintenance organisations should ensure that they receive regular, struc-
tured feedback on maintenance incidents, with particular emphasis on the underlying
conditions or latent failures which promote such incidents.

29
 Appendix 1
Maintenance Incidents
I am studying incidents in aircraft maintenance. By maintenance incident, I mean any situa-
tion in which something happened which could have prevented the aircraft from operating
normally or could have put the safety of anyone (including maintenance workers) at risk. I am
interested in any occasion when a problem happened in maintenance, including the big prob-
lems and the small mistakes and including the times when a problem occurred but was cor-
rected before the aircraft was signed back to the line.
I know that most of the time, maintenance is uneventful, but by gathering information about
the occasions when things go wrong, I hope to learn about the entire maintenance system.
A. First, I would like you to describe an incident that put at risk your safety, or the safety of
one of your workmates. I am only interested in incidents that happened in the last 12
months or so, that you actually saw happen, either to you or to someone else. Your iden-
tity will remain confidential and if you want, the information you give me will also
remain confidential. I am interested in the incident itself, and what it tells us about the
maintenance system. I am not interested in individuals and I am not interested in blam-
ing people for things that have happened.

1. How long ago did it happen?

2. Is this the first time that this has happened?

3. Was it officially reported? Was corrective action recorded?

4. Could it happen again?

5. What time was it?

6. How long into the shift was it?

7. Did it involve another shift/another crew?

30
8. Was it a routine task?

–was the person distracted?

–would their actions have been correct in other circumstances?

9. Did the incident occur while a problem was being dealt with?

–was there a standard set of rules to deal with this problem?

10. What type of work was being performed at the time?

11. What part of the aircraft was being worked on?

12. Why do you think the incident happened?

–People

–Equipment

–Environment

–Task

13. Would you object if I included this incident in a report for Unions and Management?

B. Now can you tell me about a maintenance incident that could have prevented an aircraft
from operating normally. Again, I am interested in incidents which occurred in the last
12 months or so, that you actually saw happen, either to you or to someone else.

1. How long ago did it happen?

2. Is this the first time that this has happened?

31
 3. Was it officially reported? Was corrective action recorded?
4. Could it happen again?
5. What time was it?
6. How long into the shift was it?
7. Did it involve another shift/another crew?
8. Was it a routine task?
–was the person distracted?
–would their actions have been correct in other circumstances?
9. Did the incident occur while a problem was being dealt with?
–was there a standard set of rules to deal with this problem?
10. What type of work was being performed at the time?
11. What part of the aircraft was being worked on?
12. Why do you think the incident happened?
–People
–Equipment
–Environment
–Task
13. Would you object if I included this incident in a report for Unions and Management?

32
Appendix 2
Human factors in maintenance coding sheet
1. Case number___ Coder___ Reporter___ Aircraft type______

2. Type of Incident

(a) OH&S incident resulting in__:

(A1) death
(A2) exposure to hazard
(A3) potential hazard
(A4) not OH&S incident

(b) Maintenance incident resulting in__:

(B1) actual damage to aircraft
(B2) aircraft signed off with unrectified irregularity
(B3) aircraft signed off with irregularity resulting from maintenance action
(B4) potential damage to aircraft
(B5) delayed aircraft
(B6) correction of problem
(B7) no maintenance problem

3. Events in sequence ___

(3.1) Description of event 1

(16.2) Description of event 2

(16.3) Description of event 3

33
 (16.4) Description of event 4

4. How long ago did it happen? ___ Weeks

5. Is this the first time that this has happened? Y N DK
6. Was it officially reported? Y N DK
7. Was corrective action recorded Y N DK
8. Could it happen again? YES NO MAYBE
9. What time was it? ___ Hours
10. How long into the shift was it? ___ Hours
11. Did it involve another shift/another crew? YN
12. What type of work was being performed at the time?

13. What part of the aircraft was involved? (ATA Chapter) _________

14. Would the reporter object if this incident was made public? YN

15. EVENT 1

(15.1) Type of event

(A1) Behavioural event
(B1) Environmental event
(C1) Equipment related event

(15.2) If event was behavioural;

(Circle one of ‘Yes’ or ‘Probably’ for each question)

(15.2.1) Is this the way the job is normally done?

(A) Yes
(B) Probably
(C) Probably not
(D) No
(E) Don’t Know

(15.2.2) Was action

(A) Consistent with good safety practices? Yes Probably
(B) Inconsistent with good safety practices? Yes Probably
(C) Not known whether consistent or inconsistent Yes
34
(15.2.3)
What was the highest level of cognitive control called for?
(A) Skill-based behaviour Yes Probably
(B) Rule-based behaviour Yes Probably
(C) Knowledge-based behaviour Yes Probably
(D) Unclassifiable Yes

(15.2.5)
If behaviour was abnormal and/or rule breaking, was action:
(A) Omission Yes Probably
(B) Commission Yes Probably
(C) Substitution Yes Probably
(D) Mis-timed action Yes Probably
(E) Unclassifiable in above categories Yes

16.1 Local factors relating to event 1

1 PHYSICAL FACTORS
1A Anthropometric characteristics
1B Sensory limitations
1C Fatigue
1D Drugs (including alcohol)

2 COGNITIVE FACTORS
2A Distraction from task
2B Memory
2C Workload
2D Knowledge, skills and experience
2E Perceived pressure or haste
2F Convenience

3 BETWEEN PEOPLE
3A Planning within crew
3B Visual signals or visibility of other workers
3C Communication
3D Control and supervision of work

4 TASK ASPECTS
4A Shift change
4B Procedures
4C Documentation
4D Task order within work package

35
 4E Interruption
4F Conflict between norms and formal procedures
4G Job scheduling
4H End of shift
5H Overtime

5 PHYSICAL OBJECTS
5A Inadequate tools and equipment
5B Space restrictions
5C Illumination
5D Design of aircraft component or system
5E Automated systems

6 PHYSICAL ENVIRONMENT
Includes:
(Temperature extreme, glare, noise, air quality, weather, darkness, heights, working surface or
ground surface)
16.2 Organisational factors relating to event 1
(A) Incompatible goals
(B) Inappropriate structure
(C) Poor communications
(D) Poor planning
(E) Management oversight, control and monitoring
(F) Design failures
(G) Inadequate system defences
(H) Unsuitable materials
(I) Control of procedures
(J) Poor training
(K) Inadequate maintenance of equipment
(L) Inadequate regulation
(M) Conflict between norms and formal procedures

36
Appendix 3
Reliability of coding
For event types and skill rule knowledge error types, the reliability of coding was assessed by
calculating values of Cohen’s kappa (Breakwell, Hammond & Fife-Schaw 1995). Cohen’s kappa
ranges between 0 and 1 and represents the proportion of agreement corrected for chance. Fleiss
(1981) describes values of Cohen’s kappa greater than 0.75 as ‘excellent’, and values between 0.6
and 0.75 as ‘good’ (reported in O’Hare and others 1994).
Forty incidents were coded by a second coder, in addition to the coding conducted by the pri-
mary coder. The forty incidents contained a total of 63 incident events.

Breakdown into event types

Events were broken down into event types following the method developed by Williamson and
Feyer (1990). Events could be either behavioural, equipment-related or environmental. For the
first events in the incident sequences, a 100% level of agreement was obtained. Lower levels of
agreement were obtained on second, third and fourth events. The value of Cohen’s kappa for
these subsequent events was 0.71.
An overall value of Cohen’s kappa for all events was not calculated as the number of coding
choices was different when coding first events than when coding subsequent events. There were
three potential choices for first events, behavioural, equipment related or environmental, and
four potential choices for subsequent events (as above but with the additional possibility of no
event).

Skill-rule-knowledge error types

A value of Cohen’s kappa was calculated for the skill-rule-knowledge categorisation system for
those cases where both coders agreed that a behavioural event had occurred. For the purposes
of calculating Cohen’s kappa, ‘probably’ codings were combined with ‘yes’ codings to achieve
an overall assignment to skill-rule-knowledge categories. The value of Cohen’s kappa was 0.72.

Incident factors
Local factors
For the purposes of calculating the reliability of factor codings, local factors were aggregated
into the broad category headings as seen on the coding sheet elsewhere in the appendix. Local
factors assigned to events by the primary coder were also identified by the second coder on 65%
of occasions.

Organisational factors
The reliability of organisational factors was significantly less than that for local factors, and
only 33% of organisational factors identified by the primary coder were identified by the sec-
ond coder.

37
 Appendix 4
Definitions
Communications. Information which is essential for the safe functioning of the organisation
does not reach the necessary recipients. Includes communication from the shop floor upwards
and from management downwards.
Commission. An error which occurs when an operator performs a task incorrectly or performs
a task which is not appropriate to the circumstances.
Conflict between norms and formal procedures. Actual work practices do not reflect formal
procedures. In some cases this may because formal procedures are cumbersome or difficult to
comply with.
Control of procedures. Important safety, working or operational regulations and procedures
are not clear, difficult to follow, incorrect, incomplete or inaccessible.
Design failures. Relates to the design of tools, equipment, work environments and procedures.
Inadequate design may promote errors or violations or may produce situations where non-
standard performance results in negative and irreversible consequences.
Environmental events. Relates to elements of the physical environment in which the task was
being performed which cannot be changed or compensated for. Weather-related phenomena
are examples of environmental events.
Equipment-related events. Concerns breakages or malfunctions of equipment, tools and
machinery, including aircraft components.
Event. An occurrence, action or closely related series of actions which occurred at a particular
place and time. Where the actions are behavioural, and a series of actions were performed by
different people, separate events are required for each person.
Inadequate maintenance of equipment. Deficient management of maintenance of tools and
equipment, including lack of preventative maintenance, poor maintenance scheduling and
excessive delays in repairing equipment.
Inadequate regulation. Inadequate surveillance by government bodies or their delegated
authorities. Absence of appropriate laws to regulate dangerous operations.
Inadequate system defences. An absence or inadequacy of ‘safety nets’ in the system. Such
defences can serve to detect or prevent unsafe job performance, or minimise the consequences
of such performance. Includes cases where existing defences are circumvented.
Inappropriate structure. Relates to the structure of the organisation. For example, manage-
ment responsibilities may be blurred or poorly defined.
Incident. A situation in which events occurred which could have prevented an aircraft from
operating normally or could have put the safety of any person (including maintenance work-
ers) at risk.
Incompatible goals. Organisations are generally pursuing several goals at the one time, for
example safety and production. This factor should be coded in cases where the incident events
reflect a poorly resolved goal conflict.
Knowledge-based errors. Occur when a person is required to solve an unfamiliar problem for
which no procedures exist. Knowledge-based errors are typically related to an inappropriate
mental model of the system or a lack of resources for dealing with a complex problem. Rule-
based errors and knowledge-based errors are commonly referred to as mistakes.
Management oversight, control and monitoring. Relates to the way management monitors
the performance of planned work and ensures that work is completed in accord with guide-
lines.
Planning. Where management planning and scheduling of activities has not adequately taken
safety considerations into account.

38
Poor training. Indicated by deficiencies in the knowledge or skills of employees.
Rule-based errors. Occur in familiar situations where, in the process of dealing with a situa-
tion, the worker either applies a bad rule or misapplies a good rule. A typical case is the appli-
cation of a general procedure to a specific situation which calls for a modified version of the
procedure .
Rule-based errors and knowledge-based errors are commonly referred to as mistakes.
Skill-based errors. Occur in rapid automatic mode where the person has invested a minimum
of mental resources to the task at hand. Such errors occur in familiar situations involving
highly practiced automatic routines which may have developed after extensive training and
experience.
Two particular types of skill-based errors are slips and lapses. Slips are errors in which an oper-
ator intends to perform a correct action but accidentally performs another well-learnt action
or action sequence. A lapse is a failure to carry out an intended action. An example is the omis-
sion of a step in a procedure following an interruption.
Substitution. An error in which an operator performs an action in place of the desired action.
Substitution can be considered to be a special type of commission error.
Unsuitable materials. To be coded where the event is related to the provision of unsuitable
tools and equipment or other work materials.

39
 Appendix 5
Maintenance incident events
Note: This listing of incident events excludes six incidents where the reporter asked that the inci-
dent remain confidential.

Event description
—Thrust reversers locked out during A check, not documented.
—Thrust reversers not reactivated.
—Worker knowingly used unserviceable stand.
—Acting leading hand suggested that worker remain in engine during towing.
—Worker remained in engine as the aircraft was towed.
—During work on leading edge slats one torque tube not connected.
—Slats extended with one torque tube not connected.
—Stair locking mechanism failed.
—Worker on stairs reacted inappropriately to situation by holding onto engine while still
standing on stairs.
—Worker did not take wind into account when depressurising reservoir.
—Wind blew hydraulic fluid into eyes.
—Rigging pin used without attached streamer.
—Rigging pin left in flight controls (found before work signed off).
—Circuit breaker pulled without being tagged before engine spin.
—Worker pushed circuit breaker in to its normal position and fuel spilled.
—Thrust reversers locked out when not strictly necessary.
—Thrust reversers not reactivated before aircraft dispatch.
—Crew ran engines causing blast to affect other workers.
—Tug driver delayed stopping once signal to stop had been given.
—Tug driver delayed stopping once signal given.
—Stairs rolled back as locking system failed to hold.
—Workers on stairs reacted inappropriately by holding onto aircraft while still standing on
stairs.
—Tradesperson pressed hydraulic switch button while it was tagged as not to be used.
—During a fuel pump change a fuel line was not reconnected properly.
—Lead hand did not check that everyone was clear before calling for a wet spin of engine.
—During inspection of the engine serious damage to part of a fan air valve was missed. (dis-
covered later).
—Incoming shift reinstalled engine without changing pre cooler as documented.
—Igniter circuit breakers not pulled before conducting a wet spin.
—LAME reacted incorrectly to engine start by shutting off fuel and starter, instead of just fuel.
—Driver misjudged tow, aircraft scraped docking.
—Thrust reversers inspected with power running without them being locked in place.
—Incorrectly installed panel on twin-engine aircraft.

40
—Flap lever had been moved up while flaps were in down position with power off.
—Hydraulics had been started without first ensuring that flaps and flap lever were consistent.
—Crew not looking, towed aircraft hit a tree.
—Engine jammed as it was being hoisted.
—Person put fingers between engine and mounts.
—Crew failed to notice that rod end was incorrectly adjusted.
—Previous crew had left aircraft with flap lever inconsistent with flap position and
hydraulics off.
—Worker in cockpit started hydraulics without first confirming that flap lever and flap posi-
tion were consistent.
—Mechanical crew told electrical crew that it was OK to run flaps with panel incompletely fit-
ted, flaps damaged.
—Foot slipped while working on engine.
—Worker did not pull circuit breakers before starting electrical work.
—Tool crib permitted truck to be used which had been snagged US.
—Truck settled on hydraulics while positioned over horizontal stabiliser.
—Platform retracted, scraped aircraft.
—Worker slipped on wet surface.
—Worker attempted to perform task without appropriate equipment.
—Person drove vehicle near engine that was about to be started.
—AME left parked tug with engine running.
—Tug transmission slipped into reverse, collided with engine cowl of 737.
—Cleaner drove vehicle into unsafe area.
—LAME on interphone did not see warning signal of wingman, continued tow until collision.
—Two nuts left off fuel pump filter.
—System did not leak under a leak check.
—Jet blast from B747 affects hangars.
—Worker failed to torque 2 nuts on GE CF6 fuel system.
—Technicians started pneumatics without first warning other workers working on the aircraft.
—Electrical crew failed to lock out reversers when thrust reverse cowls open.
—Workers seen riding on the tray of a utility vehicle, in contravention of safety guidelines.
—Crew failed to re-activate thrust reverse during system re-activation.
—Worker positioned in dangerous location without adequate handholds, resulted in fall.
—Aircraft wingtip struck a tree while being towed.
—No warning PA was made before aircraft was towed, worker was up ladder in cabin at time.
—Crew members sheltered from rain as aircraft pushed back from terminal, insufficient peo-
ple to check clearance.
—Tug driver could not follow line due to poor visibility, aircraft struck parked aircraft.
—Upper deck door was left on automatic after test.
—Door opened automatically, slide deployed.
—Failed to find and correct aircraft fault.

41
 —Valve stuck open directing fuel to an area which could have been occupied by a worker.
—Worker did not pull out circuit breaker before working on electrical system, resulted in elec-
tric shock.
—Stand was not moved out of the way before aircraft was towed out of hanger.
—Crew failed to notice that the aircraft was too close to the stand, in time to prevent contact.
—No warning sign used when radar switched on with people in vicinity.
—All four reverse thrust blocker doors were activated while people were working on the air-
craft.
—Wrong valve fitted to aircraft pneumatic system.
—Valve broke—distributing metal fragments in pneumatic system, damaging heat exchangers.
—AME left spanner under engine cowl.
—After aircraft departed, suspected where spanner was, but did not notify company.
—Before compressor wash, blanked off wrong sense line.
—Washed compressor with wrong lines blanked off.
—LAME started APU even though it was tagged for safety reasons.
—Towing cable attached to blast fence badly worn.
—Worker did not ensure that a fire extinguisher was available while conducting work with the
fire system inoperative.
—After adding oil to RB211, LAME replaced oil cap but did not push locking flap down.
—One igniter was left disconnected while other was being checked.
—Wrong igniter was fired, sparked across to engine.
—Worker started working in slippery dangerous area without first taking precautions to reduce
the risk.
—Worker slipped and cut hand on rotating turbine blade.
—Unable to find part (static invertor) in computerised parts inventory system.
—Part was ‘robbed’ from another aircraft.
—Details of ‘robbed’ part were passed to an apprentice instead of being documented in log.
—Apprentice did not act on the information.
—AME accidentally put engine oil into hydraulic system of B747.
—Water heating system (hot cup) failed due to short circuit.
—LAME tested system by placing hand into ‘live’ water, received shock.
—Fault not found on walkaround.
—Earth pin on power lead broken.
—Worker attempted to plug two live leads together.
—Door power assist system malfunctioned when door opened.
—Aircraft signed out of hangar with inoperative spoilers, reason not established.
—Reporter forgot to lower wheels of towbar before tug drove away, towbar dropped on foot.
—Ladder slipped on stand while worker was trying to reach radome.
—Technicians climbed from stand onto an engine.

42
References
Air Accidents Investigation Branch 1996, Report on the Incident to a Boeing 737–400, G-OBMM
near Daventry on 25 February 1995, Aircraft Accident Report 3/96, HMSO, London.
Boeing 1994, Maintenance Error Decision Aid, Boeing Commercial Airplane Group, Seattle.
Boeing 1994a, ETOPS Guide, Maintenance Program Guidelines, Revision A, Boeing Commercial
Airplane Group, Seattle.
Boeing 1996, Statistical Summary of Commercial Jet Aircraft Accidents, Worldwide Operations
1959–1995, Boeing Commercial Airplane Group, Seattle.
Breakwell, G. M., Hammond, S., & Fife-Schaw, C. (eds) 1995, Research Methods in Psychology,
Sage, London.
Civil Aviation Authority (UK), Flight Safety Occurrence Digest 92/D/12.
Dell, G. P., & Ojczjk, U. L. 1996, ‘Aircraft pushback accidents: The myth of carelessness and
common sense dispelled’, Safety in Australia, Mar.
Drury, C. G., & Gramopadhye, A. K. 1990, ‘Training for visual inspection’, in Proceedings of
Third Federal Aviation Administration Meeting on Human Factors Issues in Aircraft Maintenance
and Inspection, Atlantic City, New Jersey, pp. 149–164.
Eitelberg, M. 1991, ‘Increased use of women and minorities in military aviation maintenance’,
in Proceedings of the Fourth Federal Aviation Administration Meeting on Human Factors Issues in
Maintenance and Inspection, Alexandria, Virginia, pp.154–178.
Fitts, P. M., & Jones, R. H. 1947, ‘Analysis of factors contributing to 460 “pilot error” experi-
ences in operating aircraft controls’, in Selected Papers on Human Factors in the Design and Use
of Control Systems, ed. H. W. Sinaiki, Dover, New York.
Flanagan, J. C. 1954, ‘The critical incident technique’, Psychological Bulletin, vol. 51, no. 28,
pp 327–358.
Hawkins, F. 1993, Human Factors in Flight, Ashgate, Aldershot.
International Civil Aviation Organisation 1995, Human Factors in Aircraft Maintenance and
Inspection, Circular 253-AN/151, ICAO, Montreal.
International Civil Aviation Organisation 1993, Human Factors, Management and
Organisation, ICAO Circular 247-AN/148, ICAO, Montreal.
International Civil Aviation Organisation 1992, Ergonomics, ICAO Circular 238-AN/143,
ICAO, Montreal.
Latorella, K. A., & Drury, C.G. 1992, ‘A framework for human reliability in aircraft inspection’,
in Proceedings of the Seventh Federal Aviation Administration Meeting on Human Factors Issues
in Aircraft Maintenance and Inspection, Atlanta, Georgia, pp. 71–81.
Marx, D. A., & Graeber, R. C. 1994, ‘Human error in aircraft maintenance’, in Aviation
Psychology in Practice, Avebury Technical, Aldershot.
Miller, D. P., & Swain, A. D. 1987, ‘Human error and human reliability’, in Handbook of Human
Factors, ed. G. Salvendy, John Wiley & Sons, New York.
National Transportation Safety Board 1984, Eastern Airlines, Lockheed L1011, Aircraft Accident
Report 84/04, NTSB, Washington.

43
 O’Hare, D., Wiggens, M., Batt, R., & Morrison, D. 1994, ‘Cognitive failure analysis for aircraft
accident investigation’, Ergonomics, vol. 37, no. 11, pp. 1,855–1,869.
Patel, S., Prabhu, P., & Drury, C. G. 1992, ‘Design of work control cards’, in Proceedings of the
Seventh Federal Aviation Administration Meeting on Human Factors Issues in Aircraft
Maintenance and Inspection, Atlanta, Georgia, pp. 162–172.
Rasmussen, J. 1983, ‘Skills rules and knowledge: Signals, signs and symbols, and other distinc-
tions in human performance models’, IEEE Transactions on Systems, Man and Cybernetics, vol.
SMC-13, no. 3, pp. 257–266.
Reason, J. 1990, Human Error, Cambridge University Press, Cambridge.
Reason, J. 1991, Identifying the latent causes of aircraft accidents before and after the event,
paper presented to the 22nd Annual Seminar of the International Society of Air Safety
Investigators, Canberra, 4–7 Nov.
Runciman, W. B., Sellen, A., Webb, R. K., Williamson, J. A., Currie, M., Morgan, C., & Russell,
W. J. 1993, ‘Errors, incidents and accidents in anaesthetic practice’, Anaesthesia and Intensive
Care, vol. 21, no. 5, pp. 506–519.
Russell, P. D. 1994, ‘Management strategies for accident prevention, Air Asia, vol. 6, pp. 31–41.
Shepherd, W. T. 1991, The FAA human factors program in aircraft maintenance and inspec-
tion, paper presented to Fifth Federal Aviation Administration Meeting on Human Factors Issues
in Aircraft Maintenance and Inspection, Atlanta, 19–20 June.
Shepherd, W. T., & Parker, J. F. 1991, ‘Future availability of aircraft maintenance personnel’, in
Proceedings of the Human Factors Society 35th Annual Meeting, Human Factors and Ergonomics
Society, Santa Monica, pp. 33–36.
Stelly, J,. & Taylor, J. 1992, ‘Crew coordination concepts for maintenance teams’, in Proceedings
of the Seventh Federal Aviation Administration Meeting on Human Factors Issues in Aircraft
Maintenance and Inspection, Atlanta, Georgia, pp. 173–206.
Taggert, W. R. 1990, ‘Introducing CRM into maintenance training’, in Proceedings of Third
Federal Aviation Administration Meeting on Human Factors Issues in Aircraft Maintenance and
Inspection, Atlantic City, New Jersey, pp. 93–110.
Taylor, J. C. 1990, ‘Organisational context in aviation maintenance: Some preliminary findings
and training implications’, in Proceedings of Third Federal Aviation Administration Meeting on
Human Factors Issues in Aircraft Maintenance and Inspection, Atlantic City, New Jersey,
pp 163–176.
Wiener, E. L., Kanki, B. G., & Helmreich, R. L. 1993, Cockpit Resource Management, Academic
Press, London.
Williamson, A., & Feyer, A. 1990, ‘Behavioural epidemiology as a tool for accident research’,
Journal of Occupational Accidents, vol. 12, pp. 207–222.
Williamson, A., & Feyer, A. 1995, ‘Causes of accidents and the time of day’, Work and Stress,
vol. 9, no. 2/3, pp. 158–164.

44