SAE JA1011
Background
The intent of this document is to demonstrate that the RCM process provided in NAVAIR 00-25-
403 is compliant with SAE JA1011. It should be noted that several of the authors of SAE JA1011 were
NAVAIRSYSCOM employees at the time and were also authors of NAVAIR 00-25-403. It was their
intent to create a document that would allow the use of the NAVAIR 00-25-403 process in contract
solicitations via reference to a commercial standard. It should therefore be evident that the authors
would not have created a document that contradicted their own.
To illustrate the connection with NAVAIR 00-25-403, the following is quoted directly from SAE
JA1011 (page 1): “The criteria in this SAE Standard are based upon the RCM processes and concepts in
three RCM documents: (1) Nowlan and Heap’s 1978 book, Reliability-Centered Maintenance, (2) US Naval
Aviation’s MIL-STD-2173(AS) Reliability-Centered Maintenance Requirements of Naval Aircraft,
Weapons Systems and Support Equipment and its successor, US Naval Air Systems Command
Management Manual 00-25-403 Guidelines for the Naval Aviation Reliability-Centered Maintenance
Process, and (3) Reliability-Centered Maintenance (RCM II) by John Moubray. These documents are
widely-used RCM documents available.”
While the above statements illustrate that a general assumption could be made that the NAVAIR
00-25-403 process is compliant with SAE JA1011 based on association and intent, the remainder of this
document will demonstrate line by line and conclusively that this is the case. The final part of this
document will address some specific previously raised concerns about the NAVAIR 00-25-403 process
relative to SAE JA1011 compliance.
SAE JA1011 Requirements
The requirements for a process to be called RCM are provided in section 5 of SAE JA1011. The
requirements are summarized at the beginning of the section as follows:
“5. Reliability-Centered Maintenance (RCM) - Any RCM process shall ensure that all of the
seven questions are answered satisfactorily and are answered in the sequence shown as follows:
a. What are the functions and associated desired standards of performance of the asset in its
present operating context (functions)?
b. In what ways can it fail to fulfill its functions (functional failures)?
c. What causes each functional failure (failure modes)?
d. What happens when each failure occurs (failure effects)?
e. In what way does each failure matter (failure consequences)?
f. What should be done to predict or prevent each functional failure (proactive tasks and task
intervals)?
g. What should be done if a suitable proactive task cannot be found (default actions)?
To answer each of the previous questions “satisfactorily”, the following information shall be
gathered, and the following decisions shall be made. All information and decisions shall be
documented in a way which makes the information and the decisions fully available to and
acceptable to the owner of the asset.” (SAE JA1011, page 6)
The following illustration, from the training material for the NAVAIR 00-25-403 process, shows
that the basic steps and sequence outlined above are included in the NAVAIR 00-25-403 RCM process:
[Illustration: NAVAIR 00-25-403 RCM process. Surviving panel text:
IMPLEMENT RESULTS: 1. Package Maintenance Task; 2. Implement Onetime Tasks
SUSTAIN: 1. Emergent Issues; 2. Age Exploration; 3. Hardware Changes; 4. Trend/degrader analysis; 5. Document Reviews
Other labels: Maintenance Program; Data]
The remainder of section 5 of SAE JA1011 addresses specifics for each of these seven basic
questions. The table in the following pages contains the remaining text of SAE JA1011 section 5, and
provides, point by point, the NAVAIR 00-25-403 or training manual text of identical meaning.
5.1 Functions
SAE JA1011:
5.1.1 The operating context of the asset shall be defined.
NAVAIR 00-25-403 & Training Manual:
“The FMECA is a process used to identify and document the functions, functional failures, failure modes and failure effects of an item.

SAE JA1011:
5.1.2 All the functions of the asset/system shall be identified (all primary and secondary functions, including the functions of all protective devices).
5.1.3 All function statements shall contain a verb, an object, and a performance standard (quantified in every case where this can be done).
5.1.4 Performance standards incorporated in function statements shall be the level of performance desired by the owner or user of the asset/system in its operating context.
NAVAIR 00-25-403 & Training Manual:
“A function is the intended purpose of an item as described by a required standard of performance. It is not necessarily what the item is capable of doing, as shown in the example below. A complete function description should include any specific performance limits (upper and/or lower bounds).
Although most equipment is designed to perform a specific or single function, many systems may perform multiple functions or have secondary functions. Some functions are "demand" driven, such as an ejection seat, while others operate continuously. Care must be taken to ensure functions are not overlooked, and that the function statement is clear, including any operating context notations.” (NAVAIR 00-25-403, Section 3.2.1).
5.2 Functional failures
SAE JA1011:
5.2 Functional failures— All the failed states associated with each function shall be identified.
NAVAIR 00-25-403 & Training Manual:
“A functional failure is defined as the inability of an item to perform a specific function within the specified limits. A functional failure may not necessarily be a complete loss of the function. Proper functional failure descriptions are based on the function description. Functional failures will likely result in either reduced performance or total loss of the system. Separate functional failures should be listed where the effects of less than total loss of the function are different from total loss.” (NAVAIR 00-25-403, Section 3.2.2).
5.3 Failure modes
SAE JA1011:
5.3.1 All failure modes reasonably likely to cause each functional failure shall be identified.
NAVAIR 00-25-403 & Training Manual:
“A failure mode is a specific physical condition that can result in a functional failure. The failure mode statement should include a description of the failure mechanism (e.g., fatigue) whenever possible. Many failure modes could be listed, but only failure modes that are “reasonable” should be identified.” (NAVAIR 00-25-403, Section 3.2.4)

SAE JA1011:
5.3.5 Lists of failure modes should include any event or process that is likely to cause a functional failure, including deterioration, design defects, and human error whether caused by operators or maintainers (unless human error is being actively addressed by analytical processes apart from RCM).
NAVAIR 00-25-403 & Training Manual:
"A failure mode is a specific physical condition that can result in a functional failure. The failure mode statement should include a description of the failure mechanism (e.g., fatigue) whenever possible. Many failure modes could be listed, but only failure modes that are “reasonable” should be identified. The RCM program plan’s Ground Rules and Assumptions section will define “reasonable.” (NAVAIR 00-25-403, Section 3.2.4)
5.4 Failure Effects
SAE JA1011:
5.4.1 Failure effects shall describe what would happen if no specific task is done to anticipate, prevent, or detect the failure.
NAVAIR 00-25-403 & Training Manual:
"Failure effects should be described as if no PM task is in place to prevent or find the failure." (NAVAIR 00-25-403, Section 3.2.5)

SAE JA1011:
5.4.2 Failure effects shall include all the information needed to support the evaluation of the consequences of the failure, such as:
a. What evidence (if any) that the failure has occurred (in the case of hidden functions, what would happen if a multiple failure occurred)
b. What it does (if anything) to kill or injure someone, or to have an adverse effect on the environment
c. What it does (if anything) to have an adverse effect on production or operations
d. What physical damage (if any) is caused by the failure
e. What (if anything) must be done to restore the function of the system after the failure
NAVAIR 00-25-403 & Training Manual:
"Failure effect is described as the impact that a functional failure has on the item under analysis, the surrounding items, and the functional capability of the end item. A failure effect should be described in terms of physical damage, including both primary and secondary damage that may occur. It should also address the action required to mitigate the loss of the function during operation." (NAVAIR 00-25-403, Section 3.2.5)
5.5 Failure Consequence Categories
SAE JA1011:
5.5.1 The consequences of every failure mode shall be formally categorized as follows:
NAVAIR 00-25-403 & Training Manual:
See below:

SAE JA1011:
5.5.1.1 The consequence categorization process shall separate hidden failure modes from evident failure modes.
NAVAIR 00-25-403 & Training Manual:
"Failure consequence evaluation is a two-step process. First, functional failures are separated into two categories: those that are evident to the crew or operator and those that are not. For a functional failure to be classified as “evident,” it must be evident to the operator on its own. This means that no other failure or event needs to occur to make the functional failure evident." (NAVAIR 00-25-403, Section 3.4.1)

SAE JA1011:
5.5.1.2 The consequence categorization process shall clearly distinguish events (failure modes and multiple failures) that have safety and/or environmental consequences from those that only have economic consequences (operational and non-operational consequences).
NAVAIR 00-25-403 & Training Manual:
"The second step in evaluating failure consequences is to separate, within the hidden and evident categories, those failure modes that affect safety or environmental compliance from those that do not. Evident failures that have adverse impacts on safety or environmental compliance resulting from the loss of function (including any secondary damage that was caused by the occurrence of the failure mode) require action (on-condition task, hard time task, or other action) to avoid unacceptable consequences." (NAVAIR 00-25-403, Section 3.4.1)

SAE JA1011:
5.5.2 The assessment of failure consequences shall be carried out as if no specific task is currently being done to anticipate, prevent, or detect the failure.
NAVAIR 00-25-403 & Training Manual:
"Failure effects should be described as if no PM task is in place to prevent or find the failure." (NAVAIR 00-25-403, Section 3.2.5)
5.6 Failure Management Policy Selection
SAE JA1011:
5.6.1 The failure management selection process shall take account of the fact that the conditional probability of some failure modes will increase with age (or exposure to stress), that the conditional probability of others will not change with age, and the conditional probability of yet others will decrease with age.
NAVAIR 00-25-403 & Training Manual:
"Facts about overhauls:
- Many failure modes do not support overhaul philosophy- have no ‘right’ overhaul time.
- Lose considerable component life.
- Overhauls re-introduce infant mortality failures." (Fundamentals of RCM Analysis. page I.1.13. Copyright 2002, Information Spectrum, Inc. All Rights Reserved)
"RCM applies the most appropriate maintenance philosophy to each failure mode." (Fundamentals of RCM Analysis. page I.1.16. Copyright 2002, Information Spectrum, Inc. All Rights Reserved)

SAE JA1011:
5.6.2 All scheduled tasks shall be technically feasible and worth doing (applicable and effective), and the means by which this requirement will be satisfied are set out in 5.7.
5.6.3 If two or more proposed failure management policies are technically feasible and worth doing (applicable and effective), the policy that is most cost-effective shall be selected.
5.6.4 The selection of failure management policies shall be carried out as if no specific task is currently being done to anticipate, prevent or detect the failure.
NAVAIR 00-25-403 & Training Manual:
"The cost of each possible solution plays a significant part in determining which one is ultimately selected. Remember that at this point in the analysis each option has already been shown to reduce the consequences of failure to an acceptable level. A solution that contains any of these options will meet the program’s criteria. Since safety, environmental impact, and mission have already been dealt with at this point, considering cost is appropriate. The best solution at this point will be determined by the cost of executing that solution and the operational consequences that that solution will have on the program’s maintenance operations." (NAVAIR 00-25-403, Section 3.6.1)
5.7 Failure Management Policies— Scheduled Tasks
SAE JA1011:
5.7.1 All scheduled tasks shall comply with the following criteria:
NAVAIR 00-25-403 & Training Manual:
See below:

SAE JA1011:
5.7.1.1 In the case of an evident failure mode that has safety or environmental consequences, the task shall reduce the probability of the failure mode to a level that is tolerable to the owner or user of the asset.
NAVAIR 00-25-403 & Training Manual:
"NAVAIR 00-25-403 3.5.8 No PM
If safety/environmental compliance is not involved, not performing PM may be the most appropriate option of dealing with the functional failure. In this case, the item is allowed to remain in operation until it fails. When safety/environmental compliance is involved, however, the functional failure must be prevented. This is accomplished by either performing a PM task, or taking some other action that is warranted.”

SAE JA1011:
5.7.1.4 In the case of a hidden failure mode where the associated multiple failure does not have safety or environmental consequences, the direct and indirect costs of doing the task shall be less than the direct and indirect costs of the multiple failure plus the cost of repairing the hidden failure mode when measured over comparable periods of time.
NAVAIR 00-25-403 & Training Manual:
"For Hidden Economic/Operational consequence failure modes, the method used must ensure that the Failure Finding task is cost-effective. Again, the task interval can be determined in a number of ways. The method(s) adopted should be documented in the program’s RCM plan." (NAVAIR 00-25-403, Section 3.5.7.2)

SAE JA1011:
5.7.2.2 There shall exist an identifiable P-F interval (or failure development period).
NAVAIR 00-25-403 & Training Manual:
"To develop an On Condition task, the following questions must be addressed:
* What will be defined as Functional Failure?
* What will be defined as Potential Failure?
* What is the Potential Failure to Functional Failure (PF) interval; how consistent is it?
* Can a task interval be developed that reduces the probability of failure to an acceptable level?" (NAVAIR 00-25-403, Section 3.5.5.1)

SAE JA1011:
5.7.2.3 The task interval shall be less than the shortest likely P-F interval.
NAVAIR 00-25-403 & Training Manual:
"For failure modes that result in safety/environmental evident or hidden safety/environmental failure consequences, the shortest PF interval of the range should be selected." (NAVAIR 00-25-403, Section 3.5.5.4)

SAE JA1011:
5.7.2.4 It shall be physically possible to do the task at intervals less than the P-F interval.
NAVAIR 00-25-403 & Training Manual:
"If a lower limit for the PF interval cannot be determined, or if it is considered to be too short for one type of degradation indicator, the On Condition task might be salvaged by considering a different degradation indicator. If this approach fails, then another type of task should be considered. One method of conducting On-condition inspections at very short intervals is through on-board or imbedded PHM sensors and monitoring devices." (NAVAIR 00-25-403, Section 3.5.5.4)

SAE JA1011:
5.7.2.5 The shortest time between the discovery of a potential failure and the occurrence of the functional failure (the P-F interval minus the task interval) shall be long enough for predetermined action to be taken to avoid, eliminate, or minimize the consequences of the failure mode.
NAVAIR 00-25-403 & Training Manual:
"For failure modes with safety/environmental consequences, the goal is to develop a task interval that will reduce the probability of experiencing a functional failure to an acceptable level. For failure modes with hidden safety/environmental consequences, the goal is to develop a task interval that will reduce the probability of experiencing a multiple failure (or failure on demand for protective functions required upon the occurrence of a demand event) to an acceptable level." (NAVAIR 00-25-403, Section 3.5.5.5)
"For failures that result in non-safety/environmental consequences, the goal is to pursue the most cost-effective option. Appendix B provides some methods for determining task intervals; other methods may be applicable. The method(s) adopted for determining task intervals should be documented in the program’s RCM plan." (NAVAIR 00-25-403, Section 3.5.5.5)

SAE JA1011:
5.7.5.1 The basis upon which the task interval is selected shall take into account the need to reduce the probability of the multiple failure of the associated protected system to a level that is tolerable to the owner or user of the asset.
NAVAIR 00-25-403 & Training Manual:
"For a Failure Finding task to be acceptable for Hidden Safety/Environmental consequence failure modes, the probability of multiple failure (or failure on demand) with the Failure Finding task in place must be less than or equal to the acceptable probability of failure, Pacc established for functional failure of safety/environmental consequence failures. The probability of multiple failure (or failure on demand), Pmf, is the product of the probability of failure of the hidden function and the probability of failure of the function (or the probability of the occurrence of the event) that would make the hidden failure evident. As with the previously discussed tasks, there are various methods of ensuring that the Pmf ≤ Pacc. Appendix B provides some general methods for determining task intervals. The method(s) adopted for determining task intervals should be documented in the program’s RCM plan." (NAVAIR 00-25-403, Section 3.5.7.1)

SAE JA1011:
5.7.5.2 The task shall confirm that all components covered by the failure mode description are functional.
NAVAIR 00-25-403 & Training Manual:
"Since failure-finding tasks are directed at functional failures, it is often possible to determine one task that can protect multiple failure modes." (NAVAIR 00-25-403, Section 3.5.7)

SAE JA1011:
5.7.5.3 The failure-finding task and associated interval selection process should take into account any probability that the task itself might leave the hidden function in a failed state.
NAVAIR 00-25-403 & Training Manual:
"For a Failure Finding task to be acceptable for Hidden Safety/Environmental consequence failure modes, the probability of multiple failure (or failure on demand) with the Failure Finding task in place must be less than or equal to the acceptable probability of failure, Pacc established for functional failure of safety/environmental consequence failures. The probability of multiple failure (or failure on demand), Pmf, is the product of the probability of failure of the hidden function and the probability of failure of the function (or the probability of the occurrence of the event) that would make the hidden failure evident. As with the previously discussed tasks, there are various methods of ensuring that the Pmf ≤ Pacc. Appendix B provides some general methods for determining task intervals. The method(s) adopted for determining task intervals should be documented in the program’s RCM plan." (NAVAIR 00-25-403, Section 3.5.7.1)

SAE JA1011:
5.7.5.4 It shall be physically possible to do the task at the specified intervals.
SAE JA1011:
5.9.2 Therefore any RCM process shall provide for a periodic review of both the information used to support the decisions and the decisions themselves. The process used to conduct such a review shall ensure that all seven questions in Section 5 continue to be answered satisfactorily and in a manner consistent with the criteria set out in 5.1 through 5.8.
NAVAIR 00-25-403 & Training Manual:
"The basis for the decisions made during an RCM analysis change continuously as the program experiences growth and maturity, which is brought about by time, use, modifications, updates, etc. Because of this, review and refinement of the PM program must be an ongoing process. It requires an organized information system that provides a means to conduct surveillance of items under actual operating conditions. The information is collected for two purposes. First, it is used to determine what refinements and modifications need to be made to the initial PM program (including task interval adjustments). Secondly, it is used for collecting data to determine the need for taking some other action, such as product improvement or making operational changes. These two purposes are met by monitoring and adjusting existing maintenance tasks, developing emergent requirements, and periodically assessing RCM-generated maintenance requirements. Analysts use this new information to revise RCM analyses, which subsequently may reflect a need for changes to the PM program." (NAVAIR 00-25-403, Section 5.1)
"The objective of the sustainment process is to continually monitor and optimize the current PM program, delete unnecessary requirements, identify adverse failure trends, address new failure modes, and improve the overall efficiency and effectiveness of the RCM and PM programs. Sustainment efforts should be structured such that the results can be effectively used to support RCM analysis updates. The process of monitoring existing maintenance tasks entails reviewing the many sources of task effectiveness information and maintaining accurate and efficient analysis data. The types of efforts used in the RCM sustainment process include Top Degrader Analyses, Trend Analyses, PM Requirements Document Reviews, Task Packaging Reviews, Fleet Leader programs, Age Exploration (AE) tasks, and handling the day-to-day emergent issues." (NAVAIR 00-25-403, Section 5.2)
5.10 Mathematical and Statistical Formulae
Several specific concerns were raised previously regarding the compliance of NAVAIR 00-25-
403 with SAE JA1011. This section will attempt to address each of those issues individually:
Concern:
Operating context was not adequately addressed.
Response:
NAVAIR 00-25-403 addresses operating context throughout. Prior versions of the training materials
addressed operating context implicitly rather than directly. Training materials have since been updated
to more thoroughly address the issue of operating context.
Concern:
NAVAIR 00-25-403 process excludes human error from RCM analysis.
Response:
NAVAIR 00-25-403 does not specifically exclude human error issues. It does not address human error
directly because human error failures are addressed via other processes in NAVAIR such as quality
assurance and human factors analysis. Reference SAE JA1011 Paragraph 5.3.5: “Lists of failure modes
should include any event or process that is likely to cause a functional failure, including deterioration,
design defects, and human error whether caused by operators or maintainers (unless human error is
being actively addressed by analytical processes apart from RCM).”
Historically, some have improperly attempted to use PM to address human issues rather than attack them
at the source, for example by inspecting for improperly installed components rather than enforcing quality
assurance procedures. If a failure mode is caused by poor design, poor maintenance practices, etc. and
can be predicted, there is nothing in the process that says not to include these failure modes. The Other
Action category addresses maintenance process and design improvements as recommended failure
management approaches. Additionally, NAVAIR RCM training materials have been updated to ensure
human error failures are not overlooked.
Concern:
Significant function logic requires determination of failure consequences out of required order.
Response:
The significant function selection process is considered an “optional” step which does not in any way
affect the remainder of the analysis steps. In most cases of properly performed analysis the logic does
not preclude any functions from analysis; it is only used as a categorization tool. Additional response
from NAVAIR is provided below:
Concern:
NAVAIR 00-25-403 process does not require a description of the evidence (if any) that the failure has
occurred and does not require information about what must be done to restore function to the system.
Response:
The description of evidence is included in the failure detection portion of the FMECA in NAVAIR 00-
25-403. This meets the intent of JA1011 for "description of evidence". As for what is required to
restore functionality, JA1011 was not meant to require a complete description of the repair process or
corrective maintenance steps. Something like "extensive depot repair required" or "removal and
replacement required" is sufficient in most cases. Training has been updated to reflect this issue.
Summary
It has been the intent of the authors of NAVAIR 00-25-403 to comply with all requirements of SAE
JA1011. Where questions of compliance do occur, it is usually a matter of interpretation of one
document or the other. In any case, users of either document can make minor modifications or
clarifications to achieve a desired interpretation. NAVAIR 00-25-403 has always been intended to
be used as a guide subject to adjustment by individual users.
Note: Anteon Corporation, using information from the NAVAIR training program, and the NAVAIR
RCM Steering Committee, among other sources, prepared the above in July 2004.