THE PROVISION OF ACCEPTABLE

LEVELS OF SAFETY FOR OPERATIONS

WITH EXPOSURE TO ENGINE FAILURE
IN HELICOPTER COMMERCIAL AIR
TRANSPORT

A Discussion Paper by the

Royal Aeronautical Society www.aerosociety.com
 Royal Aeronautical Society - The Provision of Acceptable Levels of Safety for Operations with Exposure to Engine Failure...

THE PROVISION OF ACCEPTABLE

LEVELS OF SAFETY FOR OPERATIONS
WITH EXPOSURE TO ENGINE FAILURE
IN HELICOPTER COMMERCIAL AIR
TRANSPORT

RAeS ROTORCRAFT GROUP

Approved by the Chairman and the members of the

RAeS Rotorcraft Group Committee.

All comments may be addressed to:

RAeS Rotorcraft Group
Anika.Ved@aerosociety.com

About the Royal Aeronautical Society (RAeS)

The RAeS is the world’s only professional body dedicated
to the entire aerospace community. Established in 1866
to further the art, science and engineering of aeronautics,
the Society has been at the forefront of developments in
aerospace ever since. We seek to i) promote the highest pos-
sible standards in aerospace disciplines; ii) provide special-
ist information and act as a central forum for the exchange
of ideas; and iii) play a leading role in influencing opinion on
aerospace matters.

July 2016

Front cover: An Airbus Helicopters H130 foreground with a AS350B2 ROYAL AERONAUTICAL SOCIETY
Ecureuil behind. Airbus. No.4 Hamilton Place
London W1J 7BQ
United Kingdom
This Paper represents the views of the Rotorcraft Group of
the Royal Aeronautical Society. It has not been discussed T +44 (0)20 7670 4300
outside the Learned Society Board and, as such, it does not E raes@aerosociety.com
necessarily represent the views of the Society as a whole,
or any other Specialist Group or Committee. www.aerosociety.com
Royal Aeronautical Society copyright.
2 www.aerosociety.com
 The Provision of Acceptable Levels of Safety for Operations with Exposure to Engine Failure... - Royal Aeronautical Society
Airbus Helicopters H130. Airbus.
ABSTRACT
The Royal Aeronautical Society (RAeS) has an interest in
ensuring that, where matters of aviation safety are
discussed and decided, debate is open and informed. To
this end, the RAeS has representation on a number of ICAO
Panels and is active in its support of many Working Groups.
In offering an impartial opinion in debates, it seeks to employ
the knowledge that is present in its Specialist Group
Committees – of which the Rotorcraft Committee is one. The
content and conclusions of this paper are supported by the
RAeS Rotorcraft Committee.
The paper provides a history of the introduction of helicopter
Performance into ICAO Annex 6 Part III, its subsequent
adoption into the Code of Performance of European
regulations, and the conflicts that emerged. Resolution of
those conflicts resulted in the introduction of measured
exposure, by alleviation, into European regulations. The
principle of exposure was subsequently introduced to ICAO
Annex 6 Part III, Chapter 3, by replacing a number of
prescriptive requirements by objectives.
As further issues arose, during implementation of the
European regulation by member States, additional
alleviations, for operations over a hostile environment, were
added but without the establishment of specified levels of
safety that could be used in assessment. The paper discuss-
es a number of these activities, in the context of acceptable
levels of safety, and proposes a system of classification in
accordance with the principles of ICAO Annex 19 – Safety
Management, and associated ICAO Doc 9859 – Safety
Management Manual.
www.aerosociety.com
1. INTRODUCTION
The transport of passengers for remuneration or other
valuable consideration, is categorised as Commercial Air
Transport (CAT); it goes without saying that such operations
should be afforded the highest possible standard of aviation
safety.
By their very nature, helicopters used in CAT are highly
versatile and can be expected to operate in a wide range of
environments. Because of this versatility, it can be too easy
to disregard the associated risk of exposure to engine failure
on flights over a hostile environment1 and accept a lower
level of safety than would otherwise be expected (by
passengers and society).
When analysing aspects of any operation, not only should
the potential benefits and costs be quantified but acceptable
levels of safety must be established by assessing: the
likelihood of any event; the possible consequences; and, any
mitigating measures that must be applied. The operation of
CAT helicopters with extended exposure to engine failure
over a surface that does not provide the potential for a ‘safe
forced landing’2, and subsequent survival, is just such a
case; it requires transparent and effective management.
1
A hostile environment is one where: a safe forced landing cannot be accom-
plished; or, occupants cannot be protected from the elements; or, rescue is
not possible within anticipated survival time.
2
Safe forced landing. Unavoidable landing or ditching with a reasonable
expectancy of no injuries to persons in the aircraft or on the surface.
3
 Royal Aeronautical Society - The Provision of Acceptable Levels of Safety for Operations with Exposure to Engine Failure...
In recent years, when providing a Code of Performance in
compliance with ICAO Annex 63, States have expressed
difficulty with the employment and documentation of
effective measures to permit the continuation of operations
which, while considered essential, have not been able to
meet the benchmark standard for performance – i.e. the
provision of engine-failure tolerance4.
This paper discusses cases of exposure to a critical engine
failure in helicopters when operated over a hostile
environment and puts forward a proposed classification –
thus allowing them to be conducted to an acceptable level of
safety.
2. ACCEPTABLE LEVEL OF SAFETY5
(For a complete text of the original ICAO Annex 116
Attachment E, see Appendix A.)
Absolute safety is generally an unachievable and very
expensive goal. Therefore, the concept of acceptable safety
has been adopted in risk bearing industries, including
aviation. The term ‘acceptable risk’ describes an event with
a probability of occurrence and consequences acceptable to
the society, i.e. the society is willing to take or be
subjected to the risk that the event might bring. It is the role
of the safety regulatory authorities to translate the society
expectations and perceptions into a qualitative or
quantitative Target Level of Safety.
“The acceptable level of safety expresses the safety goals
of an oversight authority, an operator, or a services provider.
From the perspective of the relationship between oversight
authorities and operators/services providers, it provides
the minimum safety objective(s) acceptable to the oversight
authority to be achieved by the operators/services providers
while conducting their core business functions.” (ICAO Annex
11, Attachment E).
The acceptable level of safety performance to be achieved
shall be established by the State7.
In aviation, the acceptable level of safety is generally defined
in terms of the probability of an aircraft accident occurring.
It is defined individually for each operator/service provider
on the basis of the target level of safety set by the regulator.
An array of factors such as the complexity of operations,
the operational context, past safety performance, existing
safety regulatory framework, applicable safety standards,
etc. are taken into account. “Each agreed established level
of safety should be commensurate with the complexity of
individual operator/service providers’ operational contexts,
and the level to which safety deficiencies can be tolerated
and realistically addressed.” (ICAO Annex 11, Attachment
E).
The acceptable level of safety performance (ALoSP) is
defined as “The minimum level of safety performance of civil
aviation in a State, as defined in its State Safety Program,
3
The ICAO Annex which contains the Standards and Recommended Practices
for Helicopter Operations.
4
This includes the engine failure accountability of Performance Class 1 and
safe forced landing for Performance Classes 2 and 3.
5
The text of this Section is an extract of an article in ‘SKYbrary’ entitled
‘Acceptable Level of Safety’.
6
The ICAO Annex which contains the Standards and Recommended Practices
for Air Traffic Services.
7
Guidance on defining an acceptable level of safety performance is contained
in the Safety Management Manual (SMM) (Doc 9859).
4 www.aerosociety.com
or of a service provider, as defined in its Safety
Management System, expressed in terms of safety
performance targets and safety performance indicators.”8
Within the context of aviation, safety is “The state in which
the possibility of harm to persons or of property damage is
reduced to, and maintained at or below, an acceptable level
through a continuing process of hazard identification and
safety risk management.”
3. PROVISIONS OF ICAO ANNEX 6 PART III
Initially, Annex 6 Part III introduced provisions for helicopter
operations related to flight data recorders (FDR) and cockpit
voice recorders (CVR). Subsequent proposals for Standards
and Recommended Practices (SARPs) covering other aspects
of helicopter operations were developed with the assistance
of the Helicopter Operations (Heliops) Panel. These
provisions, incorporated in Amendment 1, were adopted by
the Council on 21 March 1990, becoming effective on 30
July 1990 and applicable on 15 November 1990.
3.1 The Performance Standard
In formulating Annex 6 Part III performance standards, the
Heliops Panel adopted principles of performance applicable
to Aeroplanes in Annex 6 Part I – i.e. engine failure
tolerance. This included, as one of the objectives of
Performance Classes (PC) 2 and 39, the requirement to
perform a safe forced landing should an engine fail at a
critical time.
3.2 Compliance with ICAO SARPs
The provision of ICAO SARPs for helicopter operations in
1990 might have had little effect on world-wide helicopter
operations without the advent of the Joint Aviation Authority
(JAA) and the need of harmonised operational regulation for
the 43 European Member States. JAR-OPS 3 was
produced subsequent to the introduction of the 2nd Edition
of ICAO Annex 6 in November 1990 (the first complete set
of operational SARPs for helicopters) and the first operational
regulation designed to be wholly compliant with the new,
complete, ICAO Annex 6 Part III.
By 1998, helicopter performance standards produced by
the Heliops Panel, were beginning to be regarded as ‘some-
what aspirational’ and an unrealistic projection of helicopter
development (although similarly forecast by the Federal
Aviation Authority (FAA) in Notice of Proposed Rulemaking
(NPRM) 80-2510). As JAR-OPS was the first attempt at
providing a regulation in compliance with ICAO, the JAA
States were the first to contend that projections made by
the Heliops Panel were unrealistic and that adjustments to
the performance standards were needed to reflect
assessments of risk exposure.
Using the concept of ‘defined’ exposure formulated by the
JAA11, risks were assessed, presented at Board level, and
8
ICAO. (2012). Doc 9859 Safety management manual (SMM).
9
There are three Performance Classes used for Commercial Air Transport:
Performance Classes 1 & 2 which address operations for larger twin-engine
helicopters with more than nine passenger seats and which are Certificated
in Category A; and Performance Class 3 which addresses single and twin-
engine helicopters with nine or less seats and which are Certificated either in
Category A or Category B (or equivalent).
10
A Notice of Proposed Rule Making issued by the US Federal Aviation
Administration.
11
See Appendix B for the Case History – The Introduction of Exposure to
JAR-OPS 3 and EASA Part CAT.
 The Provision of Acceptable Levels of Safety for Operations with Exposure to Engine Failure... - Royal Aeronautical Society
published for general comment. Following acceptance by the
members of the JAA, necessary changes were made to
JAR-OPS. ICAO was informed of the resulting differences
and a proposal submitted to the ICAO Air Navigation
Commission12 (ANC) to amend Annex 6 Part III accordingly.
In 2002, the ICAO Helicopter and Tiltrotor Study Group
(HTSG) was formed and tasked with that revision. The
changes made to Chapter 3 – Performance, were objective,
permitting each State to regulate required performance and
to set the ALoSP.
4. A SYSTEMATIC APPROACH TO EXPOSURE
As shown in Appendix B13, helicopters are used for a number
of passenger transport activities over hostile environments.
The number of passengers carried can be up to 19 in the
case of offshore operations to helidecks. While it may be
desirable to require engine failure accountability when such
numbers are exposed to engine failure, this is not possible
for reasons set out in Appendix B, Paragraph 1.1. In the case
of offshore operations over a hostile environment, passenger
transport is performed using twin-engine helicopters for
which only the landing and take-off phases are subject to
exposure. This exposure should be measured and limited.
However, there are other types of activities which, although
regarded as essential, are not conducted with twin-engine
helicopters. These activities vary from mountain operations,
where required performance is not possible in all existing
twin-engine helicopters, to those in which complex issues
of social and economic circumstances mitigate towards
single-engine helicopters. Operations involving ‘extenuating
circumstances’ must be carefully regarded when setting the
ALoSP.
There is also the ‘general’ case of the carriage of passengers
over an environment which varies between non-congested-
hostile14 and non-hostile15 and, where the numbers carried,
and therefore likely casualties in the case of engine failure,
are limited16. Unrestricted exposure should never be permit-
ted as it renders meaningless the ICAO principle of engine
failure tolerance in CAT. This type of activity could be made
acceptable by setting an ALoSP which limits exposure
without rendering it impractical.
All of these activities require reliable engines to set an
ALoSP. Achieving an appropriate level of reliability depends
upon using the type of system described in Appendix B,
Paragraph 1.1.2.
In order for any applicant to seek approval for, and a State to
assess, the tolerability of exposure in an activity, a
framework is needed to evaluate the necessity, benefits,
justification and ALoSP.
12
The body which considers and recommends Standards and Recommended
Practices.
13
The introduction of exposure into JAR-OPS 3 and EASA Part-CAT.
14
A non-congested hostile environment is a hostile environment which is free
of third party risk.
15
A non-hostile environment is one where: a safe forced landing can be
accomplished; and, occupants can be protected from the elements; and,
rescue is possible within anticipated survival time.
16
A more detailed discussion of this issue is contained in Paragraph 2.3 of
Appendix B.
www.aerosociety.com
4.1 Setting an Appropriate Level of Safety for Exposure in
a ‘Non-Congested Hostile Environment’17
ICAO Doc 9859 requires that risks of all aviation activities
be assessed according to a scale ranging from ‘acceptable’
to ‘intolerable’. Activities at either limit of this range require
no further assessment.
Activities between ‘acceptable’ and ‘intolerable’ are deemed
‘tolerable’, or may be deemed ‘tolerable’ if mitigation is
applied. For activities considered in this paper, tolerability
is likely to be partially dependent upon the reason(s) for
that activity. Whilst the risk may be justifiable and therefore
tolerable for one activity, for another it may be necessary to
reduce the risk to make it tolerable.
Because in similar activities the consequence cannot be
altered, risk can only be reduced by lowering the probability
of occurrence. In the case of exposure to an engine failure in
a hostile environment, this will be achieved by reducing the
time during which an activity is exposed.
The conduct and documentation of the risk assessment
should be in accordance with ICAO Doc 9859. This will
result in ‘safety risk assessment’ and ‘safety risk
tolerability’ matrices which will establish if additional
mitigation is required for an activity to be found acceptable,
or at least, more tolerable.
In the absence of numeric values for setting ALoSP in
accordance to ICAO Doc 9859, the ‘severity of the failure
condition effect’ contained in the Guidance Material for FAR
2918 (Figure AC 29.1309-2 in Appendix C) can be used to
establish the quantitative ‘probability of failure condition’ as
the ALoSP for the risk assessment19. This will permit a finer
granularity of solution than is possible in a five-level
qualitative assessment.
4.2 Exposure in Offshore Operations in a Hostile
Environment
For offshore operations, it is shown in Appendix B that the
boundary of ‘Extremely Improbable’ or 1 x 10–9 for the
17
A Non-Congested Hostile Environment is an environment which is hostile
but where there is no third party risk.
18
The Certification Code for Large (Transport) Helicopters used by the FAA,
EASA, TC and other major States. The guidance material (AC 29-2C) is used
by all States that apply the code.
19
The guidance matrix of AC 29.1309 is used in this paper because it
provides quantitative values. ICAO Doc 9859 and AC 29.1309 have
equivalent qualitative values even though the terminology is slightly different.
5
 Royal Aeronautical Society - The Provision of Acceptable Levels of Safety for Operations with Exposure to Engine Failure...
‘Catastrophic’ event with ‘Multiple Fatalities’ cannot be
achieved within operational constraints. However, it is
generally accepted that 5 x 10–8 for the event20 (an exposure
of nine seconds for a twin21) constitutes an ALoSP for this
type of operation. There is no reason why exposure should
always be present as the necessity for its use is limited to
those conditions where deck-edge clearance and fly-away
cannot be achieved for helideck environmental reasons.
Indeed, operations in PC2 ‘enhanced’ (PC2e) are aimed at
moving closer to PC1 levels of safety22.
From the foregoing, an ALoSP for ‘Exposure in Offshore
Operations in a Hostile Environment’ might be 5 x 10–8 –
i.e. tolerable.
4.3 Exposure in Onshore Operations – General
For onshore operations, it is suggested that the boundary
of ‘Extremely Remote’23 or a probability of 1 x 10–7 for the
‘Hazardous’ event with ‘Serious or fatal injury to a passenger’
be the ALoSP for consideration of alleviation to operate over
a ‘non-congested hostile environment’ (remembering that not
only the forced landing but the survival of occupants has to
be considered).
With a proven engine reliability figure between 1 x 10–5 and
1 x 10–6 per flying hour (reliability of most turbine engines
should be between those two values24), this would permit
Exposure of up to six minutes – sufficient for flight over a
mixed environment (non-congested-hostile and non-hostile)
but not sufficient for extended flight over a hostile
environment (such as mountains, extended forests, or arctic
deserts).
From the foregoing, an ALoSP for ‘Exposure in Onshore
Operations – General’ might be a probability of 1 x 10–7 for
the event – i.e. tolerable.
4.4 Exposure in Onshore Operations – with Extenuating
Circumstances
Where exposure is likely to exceed six minutes, it will not
be possible to meet the qualitative target of ‘Extremely
Remote’. Consequently, an economic argument should
not be the sole criterion for approval. The criteria for the
acceptance of extenuating circumstances should be clearly
expressed and should include the case where real hardship
and Comparative Risk25 is substantiated.
For operations with extenuating circumstances (outside
of Mountain Operations), it is suggested that a probability
of 1 x 10–6 for the event be the ALoSP. With reliability
within the boundaries enumerated above, this would permit
exposure of up to one hour26. (For one modern single the
failure rate has been shown to be 0.18 x 10–5; this would
permit exposure in excess of 30 minutes and, with a cruise
speed of 132kt, a range of about 65nm – probably more
than adequate for continuous flight over a non-congested
hostile environment.) An element of the approval might be
20
The figure represents the probability of an ‘event’ (hazardous or catastrophic)
that could occur during Exposure Time.
21
See Paragraph 1.1.1 of Appendix B.
22
When the wind vector does not prevent an unobstructed departure and/or
arrival sector.
23
The equivalent value in ICAO Doc 9859 is ‘Improbable’.
24
See Paragraph 1.1.2 of Appendix B.
25
Where the alternative means of transport is substantially less safe than that
of extended flight over a hostile environment in a single-engine helicopter.
26
This level of exposure is applicable when the reliability of the engine is
1 x 10–6.
6 www.aerosociety.com
the geographical boundaries (or functional boundaries in the
case of mountain operations) of the operation.
From the foregoing, an ALoSP for ‘Exposure in Onshore
Operations – with Extenuating Circumstances’ might be
a probability of 1 x 10–6 for the event – i.e. tolerable when
justified.
4.5 Exposure over a Congested Hostile Environment
A ‘congested hostile environment’ is defined in ICAO as a
hostile environment within a ‘congested area’. The derivation
of these two elements and how they are connected and
applied, is relevant to the understanding of helicopter
operations.
ICAO Annex 227 Chapter 3.1.2 (an ICAO Standard that is
implemented by States world-wide28) precludes flight:
“… over the congested areas of cities, towns or settlements
... except at such height as will permit, in the event of an
emergency arising, a landing to be made without undue
hazard to persons or property on the surface.”
ICAO Annex 6 Part III, defines a ‘congested area’ as:
Congested area. In relation to a city, town or settlement,
any area which is substantially used for
residential, commercial or recreational
purposes.
The definition of a congested area was produced essentially
for aeroplanes and is used in the provision of a ‘land clear’
clause. This definition is too broad for helicopters because
it precludes an otherwise safe operation over areas where
a helicopter autorotation and safe forced landing could be
conducted – for example the heli-lanes of London which are,
by definition, in a congested area.
In order to provide the necessary flexibility and permit
(safe) helicopter operations over this ‘assessed’29 non-
hostile environment, the definition of a ‘congested hostile
environment’ was introduced into Annex 6 Part III:
Congested hostile environment. A hostile environment
within a congested area.
This definition was intended to make clear that all parts of
a congested area in which a safe forced landing could not
be accomplished were hostile; and, conversely, those areas
within a congested area that could facilitate a forced landing
‘… without undue hazard to persons and property on the
surface’ were non-hostile.
Further clarification of this concept was provided in the
ICAO definition of a ‘non-hostile environment’ – specifically,
clause d) and the note:
Non-hostile environment. An environment in which:
a) a safe forced landing can be accomplished because the
surface and surrounding environment are adequate;
b) the helicopter occupants can be adequately protected
from the elements;
27
The Annex that addresses ‘Rules of the Air’.
28
Examples include: in Europe, SERA.3105 and CAT.POL.H.400(b); in the US,
FAR 91.119(a); in Canada, CAR 602.14(2)(a), 602.15(1) and 723.36(1)(g).
29
The matter of ‘assessed by whom’ is left moot at this point; there are two
possibilities: a static assessment (by the State); and a dynamic assessment
(by the pilot – taking into account the transit height). Clearly, a combination of
the two would provide maximum flexibility with a safe result.
 The Provision of Acceptable Levels of Safety for Operations with Exposure to Engine Failure... - Royal Aeronautical Society
c) search and rescue response/capability is provided
consistent with anticipated exposure; and
d) the assessed risk of endangering persons or property on
the ground is acceptable.
Note: Those parts of a congested area satisfying the above
requirements are considered non-hostile.
In the introduction it was stated that ‘when analysing
aspects of any operation, not only should the potential
benefits and costs be quantified but acceptable levels of
safety must be established…’.
Up to this point in the paper, the recipients of: the potential
benefits that accrue from operations with exposure over
a hostile environment outside of a congested area, are
the operator and passengers; and, the consequences of
a failure, the operator, crew and passengers. In a general
sense, all who are involved are (or should be) ‘knowing’
participants30.
With exposure over a congested hostile environment,
another element is present – the consequence to persons
and property on the ground (third parties). With ‘knowing’
participants, the risk/benefit equation will involve a process
of assessing whether the benefit justifies the risk31 – with
mathematical precision. For the third party there is no
benefit, only consequences.
In those States where ‘duty of care’32 provisions are
defined and used, the judgement that will follow any
hazardous or catastrophic event to third parties will take
into consideration whether the event was ‘reasonably
foreseeable’33. In view of the fact that this whole treatise is
about accepting and mitigating the risk of engine failure over
a hostile environment, it is difficult to reach a conclusion
other than such an event is reasonably foreseeable.
4.6 Exposure in a Congested Hostile Environment – in the
Public Interest
Section 4.5 was concerned entirely with consideration of
exposure in flight over a congested hostile environment
and the potential consequences for third parties; in this
section the discussion continues but consideration is given
to flights in the public interest34 e.g. Helicopter Emergency
Medical Service (HEMS), to and from a congested hostile
environment.
4.6.1 Flights to/from a ‘HEMS Operating Site’ (accident/
incident scene) in a Congested Area
In some States, rapid delivery of a trauma service to
inner city accident/incidents is undertaken by Helicopter
Emergency Medical Service (HEMS) operators35. As with
30
There is, of course, a necessity to ensure that when passengers carried on
flights where engine failure tolerance is not assured, they are advised and
understand the issues.
31
It will, or will not, have met the test of tolerability – as described in Section
4.1 above.
32
In tort law, a ‘duty of care’ is a legal obligation which is imposed on an
individual requiring adherence to a standard of reasonable care while
performing any acts that could foreseeably harm others. It is the first element
that must be established to proceed with an action in negligence.
33
Reasonable foreseeability is given a broad scope: to be foreseeable, a risk
does not have to be probable or likely to occur. That is a probability question
and is applied later. An unlikely risk can still be foreseeable. To be foreseeable,
the risk merely has not to be ‘far-fetched or fanciful’.
34
Although there could be a number of examples of ‘flight in the public interest’
in this section only Helicopter Emergency Medical Service (HEMS) is being
considered.
35
In European States, these are CAT operators with an additional HEMS
approval.
www.aerosociety.com
most HEMS missions, the potential ‘operating site’ is chosen
before departure and confirmed on arrival36. In view of
this, it is not always possible to operate with engine failure
tolerance – i.e. exposure is the norm.
It is rarely possible to establish, with any accuracy, the
size of the landing surface or the obstacle environment
of a ‘HEMS operating site’. Thus, precise determination of
the extent of exposure is not possible. However, there is a
reasonable expectation that, in most cases, exposure for
a twin-engine helicopter can be limited to nine seconds, or
confined to below 200ft.
Any safety risk assessment will have to weigh the likely
benefit of lives saved against the potential consequence to
third parties. If it is considered that the benefits outweigh
the consequences, it only remains to establish the ALoSP
for this type of activity. In view of third party involvement,
exposure should be limited by restricting it to the landing
and take-off phases only. An ALoSP of 5 x 10–8 for the event
appears to be justifiable.
4.6.2 Flights to/from a Public Interest Site (PIS – a hospital
in a congested hostile environment)
In Europe, and likely elsewhere, there are a number of
hospitals with heliports that do not meet the ICAO Annex 14
Standard. This was recognised during the implementation of
JAR-OPS 3 and is now described in ‘GM1 CAT.POL.H.225 –
Helicopter operations to/from a public interest site’:
“Problems with hospital sites
During implementation of JAR-OPS 3, it was established
that a number of States had encountered problems with
the impact of performance rules where helicopters were
operated for HEMS. Although States accept that progress
should be made towards operations where risks associated
with a critical power unit failure are eliminated, or limited by
the exposure time concept, a number of landing sites exist
which do not (or never can) allow operations to performance
class 1 or 2 requirements.
These sites are generally found in a congested hostile
environment:
- in the grounds of hospitals; or
- on hospital buildings;
The problem of hospital sites is mainly historical and, while
the Authority could insist that such sites not be used – or
used at such a low weight that critical power unit failure
performance is assured, it would seriously curtail a number
of existing operations.
Because such operations are performed in the public interest,
it was felt that the Authority should be able to exercise its
discretion so as to allow continued use of such sites provided
that it is satisfied that an adequate level of safety can be
maintained – notwithstanding that the site does not allow
operations to performance class 1 or 2 standards. However,
it is in the interest of continuing improvements in safety that
the alleviation of such operations be constrained to existing
sites, and for a limited period.”
Such sites allow a much more considered approach than
that for a ‘HEMS operating site’ because their dimensions
are known and the obstacle environment can be determined.
36
Using a defined procedure that enables the pilot to make, from the air, a
judgement on the suitability of the site.
7
 Royal Aeronautical Society - The Provision of Acceptable Levels of Safety for Operations with Exposure to Engine Failure...
Thus, the extent of exposure can be established and
appropriate mitigating strategies put into place.
As with operations to a ‘HEMS operating site’ any safety
risk assessment will have to weigh the likely benefit of
lives saved against the potential consequence to third
parties. Where the continuation of operations to such a
site is considered as essential, exposure should be limited
by restricting it to the landing and take-off phases only. An
ALoSP of 5 x 10–8 for the event appears to be justified.
5. CONCLUSIONS
The ICAO policy of engine failure tolerability provides a
sound principle on which States should base their Codes of
Performance. However, because of the necessity to operate
in hostile environments, there is a need for flexibility within
the code to permit this if conducted to an acceptable level of
safety.
Flexibility is already contained within Annex 6, Part III,
Chapter 3.1.2, and Attachment A, along with benchmark
requirements against which such flexibility may be employed
by the State. The enabling text, whilst setting out the
conditions against which exceptions to the benchmark
may be provided, does not contain the requirement for the
State to set an ALoSP. This should be addressed in the next
amendment of Annex 6 Part III. The actual level of safety
should not be part of the guidance because ‘acceptable risk’
describes an event with a probability of occurrence and
consequences acceptable to ‘the society’ – therefore, it must
be for the State to decide what is acceptable.
Without an ALoSP, there is no objective against which a
8 www.aerosociety.com
minimum standard can be set and compliance tested. This
lack of an objective puts the regulator in a difficult
position because of the resulting need for subjective
judgment in assessing any proposal. Such an omission
exposes the regulator to the risk of submitting to the
pressure of a solely commercial or political argument. There
is also a danger of allowing ‘extended’ exposure over hostile
areas where, following an engine failure, the probability
of death, in the forced landing or the subsequent survival
phase, becomes almost a certainty.
ICAO Doc 9859 provides the basis on which to conduct a
safety risk assessment. AC 29.1309 contains a mapping of
the ‘effect on occupants’ to ‘quantitative probabilities’ that
can improve the granularity of a solution. Together, they can
be used to set an ALoSP for any proposed alleviation from
engine failure tolerability.
All solutions will be dependent upon a common assessment
of power-plant reliability. EASA has a documented
system which includes a definition of sudden power-loss,
smoothing in a five-year statistical window, and annual
reporting. To ensure assessment is based upon up-to-date
reliability data, there is a need for Original Equipment
Manufacturers (OEMs) to make their annual reports, currently
available to European Authorities, more widely available.
The current EASA Code of Performance, which addresses
performance alleviations, does not contain explicit ALoSPs
(although, for offshore operations, the target was
established in the early work on exposure by the JAA and
is implicitly accepted worldwide). This omission should be
rectified by revisiting the relevant guidance and inserting
ALoSPs appropriate to the anticipated exposure,
consequence and circumstances.
 The Provision of Acceptable Levels of Safety for Operations with Exposure to Engine Failure... - Royal Aeronautical Society
Appendix A
ICAO Annex 11 – (Former) Attachment E,
Acceptable Level of Safety
1. INTRODUCTION
1.1 The introduction of the concept of acceptable level of
safety responds to the need to complement the prevailing
approach to the management of safety based upon
regulatory compliance, with a performance based approach
that aims for continuous improvement to the overall level of
safety.
1.2 Acceptable level of safety expresses the safety goals
of an oversight authority, an operator, or a services provider.
From the perspective of the relationship between oversight
authorities and operators/services providers, it provides
the minimum safety objective(s) acceptable to the oversight
authority to be achieved by the operators/services providers
while conducting their core business functions. It is a
reference against which the oversight authority can measure
safety performance.
1.3 Establishing acceptable level(s) of safety for the safety
programme does not replace legal, regulatory, or other
established requirements, nor does it relieve States from
their obligations regarding the Convention on International
Civil Aviation and its related provisions.
1.4 Establishing acceptable level(s) of safety for the safety
management system does not relieve operators/services
providers from their obligations under relevant national
regulations and the Convention on International Civil
Aviation.
2. SCOPE
2.1 Within each State, different acceptable levels of safety
may be established between the oversight authority and
individual operators/services providers.
2.2 Each agreed established level of safety should be
commensurate with the complexity of individual operator’s/
service provider’s operational contexts, and the level to
which safety deficiencies can be tolerated and realistically
addressed.
www.aerosociety.com
3. IMPLEMENTATION
3.1 The concept of acceptable level of safety is expressed
in terms of safety performance indicators and safety
performance targets, and implemented through safety
requirements.
3.2 The relationship between acceptable level of safety,
safety performance indicators, safety performance targets
and safety requirements is as follows: acceptable level
of safety is the overarching concept; safety performance
indicators are the measures or metrics to determine if the
acceptable level of safety has been achieved, safety
performance targets are the quantified objectives pertinent
to the acceptable level of safety, and safety requirements
are the tools or means required to achieve the safety
performance targets.
3.3 The safety performance indicators of an acceptable
level of safety should be uncomplicated and linked to major
components of a State safety programme, or an operator/
services provider safety management system (SMS). They
are generally expressed in numerical terms.
3.4 The safety performance targets of an acceptable level
of safety should be determined after weighing what is
desirable and what is realistic for individual operator/
services providers. Safety performance targets should
be measurable, acceptable to the parties involved, and
consistent with the acceptable level of safety.
3.5 The safety requirements to achieve the safety
performance targets of an acceptable level of safety should
be expressed in terms of operational procedures, technology
and systems, programmes, contingency arrangements and
so forth, to which measures of reliability, availability and/or
accuracy may be added.
3.6 An acceptable level of safety should be expressed by
several safety performance indicators and translated into
several safety performance targets, rather than by single
ones.
9
 Royal Aeronautical Society - The Provision of Acceptable Levels of Safety for Operations with Exposure to Engine Failure...
Appendix B
A Case History – The Introduction of
Exposure to JAR-OPS 3 and
EASA Part-CAT
1. EXPOSURE IN JAR-OPS 3
1.1 The Necessity for Exposure Established
When the first operator (Bristow Helicopters) attempted to
implement JAR-OPS 3 and was assessing the performance
requirement, it became apparent that offshore operations
did not fit into either PC 1 or 2. The operator could not, for
helideck environmental reasons, (always) apply Performance
Class 1; nor when in PC2, could they assure a safe forced
landing because of: the probability of a deck-edge strike; or,
if forced to ditch, safeguard the occupants. In addition, when
not applying a Category A procedure in light or moderate
wind conditions, they were in breach of the Height Velocity
(HV) Limitation (due to the height of the helideck above sea
level).
Alleviation from the safe forced landing requirement of PC2
was necessary for a short period on take-off or landing – i.e.
measured exposure.
1.1.1 Establishing the Acceptable Level of Safety – the
Quantitative Target
In the event of an engine failure without a safe forced landing
capability, it was clear that the consequences for the crew
and passengers could be catastrophic and result in multiple
fatalities or injury from the impact and/or ditching trauma.
For that reason, a probability that matched the consequence
was required. In the absence of a suitable scale for
operations, it had been the practice to use the ‘Table for
Failure Conditions Categories and Probability Definitions’
found in FAA Advisory Circular ‘Figure AC 29.1309-2’
(shown in Appendix C). In this table ‘Multiple Fatalities’ is
regarded as ‘Catastrophic’ with a quantitative probability of
≤ 1 x 10–9.
By modelling the manoeuvre, it was established that the
required Exposure (the time to reach Vstayup and avoid
ditching) was in the order of five to ten seconds.
(Simplistically) assuming an achievable engine/helicopter
type reliability of 1 x 10–5, the quantitative probability of
1 x 10–9 would, for a twin, have yielded Exposure of less
than a second – more than an order of magnitude less than
required:
TMAX = (100,000 . 3,600 . RA) / (n . PR)
Where:
TMAX = The maximum permitted exposure time (in seconds)
PR = Power unit failure rate per 100,000 engine hours
RA = Probability of power unit failure during the exposure
time
n = Number of engines
10
PR set to 1 x 10–9 produces the following TMAX:
TMAX = (105 . 3.6 . 103 . 10–9) / (2 . 1)
TMAX = (3.6 . 10–1) / (2) = 0.18 seconds
Because there was, effectively, no alternative to Exposure
under circumstances where continued operations were
critical, it was decided to work backwards and establish
what level of safety could meet an As Low As Reasonably
Practical (ALARP) target. The maximum length of exposure
was set at nine seconds which yielded a Target Level of
Safety of 5 x 10–8 – a challenging target but one that was
justified considering that more than nine passengers were
likely to be exposed:
TMAX set to 9 seconds produces the following RA:
RA = (TMAX . n . PR) / (105 . 3.6 . 103)
RA = (TMAX . 2 . 1) / (105 . 3.6 . 103)
RA = (9 . 2) / (3.6 . 108) = (9 . 2 . 10–8) / (3.6) = 5 x 10–8
The subsequent proposal to the JAA board contained a
full explanation of the problem, solution and Target Level
of Safety. This hypothesis was accepted by the board; the
proposal went to Notice of Proposed Amendment (NPA) and
was subsequently adopted into JAR-OPS 3.
1.1.2 Establishing Engine Reliability – the Minimum
Standard
As stated above, the assumed (target) level of engine
reliability was 1 x 10–5 – in ICAO terms, a ‘very reliable
engine’. However, when examining the existing failure rates
and taxonomy, it was not clear if this level of reliability could
be achieved.
The problem was twofold: engine failures were not required
to be reported under the ICAO Annex 13 provisions; and the
standard In-Flight Shutdown (IFSD) metric included
precautionary shutdowns (due to chip warnings etc.) that
greatly affected the rate.
Fortunately, the UK CAA had mandated, and had been
collecting, helicopter engine-failure data for a considerable
amount of time. After filtering this information to eliminate
other than ‘sudden in-service power loss’ events, it appeared
that the target reliability rate could be achieved but not for
all engine/helicopter types.
In order to provide a system more suited to the application
of limited exposure, a joint JAA operational/airworthiness
group produced a documented procedure for the initial and
periodic assessment of new and existing engine/helicopter
combinations which included yearly reporting. The procedure
was adopted into JAR-OPS 3 and subsequently transposed
to EASA Air Operations Regulation Part-CAT.
www.aerosociety.com
 The Provision of Acceptable Levels of Safety for Operations with Exposure to Engine Failure... - Royal Aeronautical Society
In addition to the assessment of reliability, measures were
put in place to improve the monitoring and maintenance of
engines that were to be used within the programme; this
included the implementation of a usage monitoring system
(UMS) - (FADEC with recording and downloading facilities
was later included within this designation).
2. EXTENDING EXPOSURE – HELICOPTER OPERATIONS
OVER A HOSTILE ENVIRONMENT LOCATED OUTSIDE
A CONGESTED AREA
Having acknowledged and addressed the complex issue of
permitting, but limiting, exposure in offshore operations, the
JAA was faced with two other types of operation that would
be curtailed unless the requirement for a safe forced landing
was alleviated:
Mountain Operations, where the existing generation of
multi-engined aircraft could not meet the requirement of
Performance Class 1 or 2 at high altitude; and
Operations in Remote Areas, where existing operations
were being conducted safely; and where alternative surface
transportation would not provide the same level of safety as
single-engined helicopters; and where, because of the low
density of population, economic circumstances would not
justify the replacement of single-engined by multi-engined
helicopters (as in the case of remote arctic settlements).
At the time that EASA became legally competent for the
safety of helicopter operations in Europe, this alleviation
was limited to the two types of operations described. The
alleviation was also confined to a ‘non-congested hostile
environment’ to ensure that there would be no ‘third party’
risk.
Because the alleviation was limited in its scope (both in use
and the number of passengers exposed – a maximum of six)
the JAA did not feel it would be beneficial to set a specific
Target Level of Safety, it therefore remained ‘unstated’ at
‘Remote’ or 1 x 10–5 – i.e. the required reliability for the
helicopter/engine combination
2.1 Mountainous Areas
Because operations in the mountains are not limited by the
type of flight (e.g. overflight), it was not thought beneficial
to set an arbitrary limit on the time a helicopter could be
exposed. This was not seen as an issue because any attempt
to limit the use of exposure in the mountains would have
been extremely complex, result in an artificial constraint and
have little safety benefit.
www.aerosociety.com
2.2. Remote Arctic Settlements
Unlike mountain operations, operation to remote arctic
settlements was a case where twin-engine helicopters could
meet the requirement but where the economics could not be
justified. Travelling on the surface, by land or water, in such
remote areas was also seen as posing a greater risk to
passenger safety than flight in a single-engine helicopter.
2.3 Other Areas
On transposition from JAR-OPS to EASA Air Operations
Regulation Part-CAT, the guidance which constrained avail-
ability of alleviation to the two types of use was ‘liberalised’
by adding a further clause ‘other areas of operation’ to the
guidance. The conditioning text for operational approval (the
list of factors to be considered) was based on that contained
in Attachment A of Annex 6 Part III with the addition of ‘(4)
safety target’.
Paraphrasing the guidance material; for an alleviation to
be considered for other areas of operation, the risk
assessment, conducted by the operator, had to have
consideration of the factors contained in the Acceptable
Means of Compliance (AMC). One of these elements was the
‘safety target’ (or acceptable level of safety). The Target Level
of Safety on which the Acceptable Level of Safety should
have been based was not set by EASA but was left to the
operator to decide.
Because the Target Level of Safety was left undefined there
was no primary objective on which the Acceptable Level of
Safety could be based and against which the Authority could
assess the application.
It was never the intention of the JAA to open this alleviation
to a purely ‘economic’ argument – i.e. single versus twin-
engine; from the EASA guidance “…where there is no
economic justification to replace single-engined helicopters
by multi-engined helicopters.” However, without the setting
of the Target Level of Safety, that appears to be precisely
what the liberalising clause has achieved. The end result
has been the undermining of the ‘underpinning’ element of
Performance Class 3 – that the ‘standard’ for passenger
carriage should be toleration of an engine failure.
Without setting a Target Level of Safety and/or limiting use
of the alleviation by geographic area, there is also a danger
of allowing ‘extended’ exposure over areas where,
following an engine failure, the probability of death, in the
forced landing or the subsequent survival phase, becomes
almost a certainty.
11
 Royal Aeronautical Society - The Provision of Acceptable Levels of Safety for Operations with Exposure to Engine Failure...

Appendix C
Failure Conditions Categories and
Probability Definitions

12 www.aerosociety.com