Jet engine borescope AI: how adversarial pixel injection suppresses TBC spallation and passes a hazardous engine through a Part 145 inspection — and why EASA AMC 20-16 does not close the gap

How AI-assisted borescope inspection works

The borescope inspection is the foundational diagnostic tool of jet engine maintenance: a flexible fibre-optic endoscope inserted through borescope ports in the engine nacelle to inspect the hot section without removing the engine from the wing. Under FAA 14 CFR Part 43 Appendix D and EASA Part 145, borescope inspections are mandated at specified cycle intervals — typically every 1,000–3,000 engine cycles for high-pressure turbine (HPT) stage inspection — and after specific events including bird strike, suspected FOD ingestion, and hard landing. Each inspection visit on a modern turbofan generates hundreds to thousands of rendered endoscope frames covering the HPT blades, combustor liner, high-pressure compressor (HPC) stages, and low-pressure turbine (LPT) blades.

AI-assisted borescope inspection systems — GE Aviation TrueCheck (LEAP-1A/1B and CFM56), Rolls-Royce IntelliEngine Health Management (Trent XWB, Trent 700, Trent 1000), Lufthansa Technik's AVIATAR MRO Platform, and Pratt & Whitney's EngineWise Borescope AI (PW1000G GTF) — use deep convolutional neural networks trained on annotated teardown datasets to classify each blade frame. The classification network outputs a defect severity class (serviceable / monitor-at-next-inspection / remove-now) with an internal confidence score, mapped against the OEM Engine Maintenance Manual (EMM) serviceable limits for each defect type. The disposition flag from the AI classification feeds the maintenance management system's Aircraft Maintenance Release (AMR) workflow, determining whether the engine returns to service.

The AI pipeline's input is a rendered borescope endoscope frame: a compressed JPEG or PNG image in which pixel intensities encode the visual scene inside the engine — blade surfaces, leading edges, trailing edges, and the TBC coating that is the HPT blade's primary temperature defence. It is this image input that the adversary targets.

What EASA AMC 20-16 actually requires — and the gap it leaves

EASA AMC 20-16 (Acceptable Means of Compliance for Use of Advanced Technology in Aircraft Maintenance, Issue 2, 2023) establishes the framework under which EASA Part 145 Approved Maintenance Organisations (AMOs) may use AI-assisted inspection tools. Its core safeguard is a human oversight mechanism: when the AI's internal confidence metric falls below a defined threshold, a qualified B1.1/B1.3 certifying engineer must review the image before the disposition flag is accepted into the maintenance record.

This is a sensible design for the failure modes that AMC 20-16 was written to address. A borescope AI system trained on an annotated dataset will produce low-confidence outputs when it encounters image conditions outside its training distribution — unusual lighting angles, borescope contamination on the lens, rare defect morphologies it has seen few examples of. Low confidence is the model's signal that it is uncertain. Human review catches the uncertain case. The certifying engineer's qualified judgment substitutes for the AI when the AI is unsure.

Adversarial pixel injection is a different class of problem. An adversarial perturbation is not a condition the AI is uncertain about. It is a condition the AI has been caused to be confidently wrong about. The adversary uses knowledge of the neural network's gradient — specifically, the gradient of the loss function with respect to the input pixels, computed by treating the network as a differentiable function — to craft a pixel pattern that shifts the model's output from the correct defect class to the 'serviceable' class while maximising the model's confidence in the wrong classification. The adversarial image is designed to produce the highest-confidence 'serviceable' output the model can generate, because a high-confidence wrong answer is exactly the answer that bypasses the AMC 20-16 human oversight trigger.

The certifying engineer never sees the image. The AI's confidence is high. AMC 20-16's oversight mechanism — correctly designed for the uncertainty-based failure mode — has no mechanism to intercept the adversarial case, because adversarial injection eliminates the uncertainty signal that the mechanism depends on.

TBC spallation: why it is the primary adversarial target

Thermal barrier coating (TBC) spallation is the progressive delamination of the ceramic TBC layer from the HPT blade's bond coat and metallic substrate. The TBC — typically yttria-stabilised zirconia (YSZ) at 100–200 micrometres thickness — holds the blade metal temperature to 950–1,000°C when the surrounding combustion gas reaches 1,600–1,800°C. When TBC spalls, exposed blade metal temperature rises by 100–200°C in the spalled area, initiating thermal fatigue cracking within 100–500 engine cycles. Left undetected through the scheduled inspection interval, TBC spallation that exceeds the EMM serviceable limit (>15 mm² on most OEM platforms) can progress to substrate cracking, blade root fatigue initiation, and ultimately blade separation — an uncontained engine failure event.

TBC spallation is the primary adversarial target because of how its detection works in the AI pipeline. Intact YSZ TBC has a distinctive visual signature in borescope frames: uniform white-to-cream matte surface with low specular reflectance, consistent texture across the blade airfoil. Spalled TBC exposes the metallic substrate — the nickel superalloy or bond coat — which appears as a dark metallic-grey or iridescent blue oxidation region under borescope illumination. The boundary between intact TBC and exposed metal is a sharp RGB colour transition: a structured gradient in colour space that the HPT AI uses as its principal feature for spallation area segmentation.

It is precisely this structured colour gradient that adversarial perturbation can suppress. A perturbation pattern that reduces the colour contrast at the spallation boundary — shifting the exposed metal pixels slightly toward the TBC colour distribution, smoothing the gradient that the classifier uses to segment the defect — can cause the AI to classify a spallation area of 18 mm² as a nominal surface variation below the 15 mm² serviceable limit, with high confidence. The perturbation requires pixel changes as small as ±12 DN (digital number) per channel — within the compression noise floor of a JPEG-compressed borescope transmission — making the modified image visually indistinguishable from a legitimate borescope frame with minor illumination variance.

Transverse cracks — the other high-severity HPT defect — produce sharp dark linear discontinuities across the blade airfoil. These are geometrically more constrained perturbation targets than the distributed colorimetric gradient of TBC spallation. Spallation suppression is computationally easier and the perturbation is more compressed-format-stable, which is why TBC spallation is the primary adversarial entry point into borescope AI pipelines.

The QF32 consequence profile, available as a software attack

Qantas Flight QF32 (4 November 2010) is the canonical reference for uncontained HPT failure consequences in modern commercial aviation. An A380's Rolls-Royce Trent 970 Number 2 engine experienced HPT intermediate-pressure turbine (IPT) disc fracture. The released disc segment penetrated the wing leading edge, severed four of five hydraulic circuits, damaged fuel lines, caused structural damage to wing ribs, and initiated 21 simultaneous aircraft system failures that occupied the flight crew — four experienced captains — for 1 hour 40 minutes before a successful overweight landing at Singapore Changi. The ATSB investigation (AO-2010-089) found the root cause was a non-conforming oil feed stub pipe bore that caused oil leakage, not a defect that the scheduled borescope program missed. But the consequence profile of the event — wing structural penetration, hydraulic system failure, flight control impairment from a single HPT component failure — defines the consequence envelope of an undetected HPT defect passing through the inspection program.

The analogy is not that adversarial borescope injection causes the specific QF32 failure mechanism. It is that adversarial borescope injection makes the QF32 consequence profile available as a software attack. The chain is: adversarial pixel injection suppresses TBC spallation classification → AI returns high-confidence 'serviceable' → AMC 20-16 oversight trigger does not activate → B1.1 certifying engineer issues AMR without manual blade review → engine returns to service with undetected HPT spallation → thermal fatigue crack initiates and propagates over subsequent 100–500 cycles → blade separation event at failure of the crack → uncontained engine failure with QF32-class projectile energy.

United Airlines Flight 232 (1989) provides the fatality profile when the uncontained failure geometry is less favourable: HPT disk fragmentation on the DC-10's tail-mounted engine severed all three hydraulic circuits, eliminating all conventional flight control authority, and 111 of 296 passengers were killed in the crash landing at Sioux City. The distinction between QF32 (no fatalities) and UA232 (111 fatalities) was aircraft geometry, flight crew skill, and the specific debris trajectory — not the presence or absence of an AI adversarial injection in the inspection pipeline upstream. Both events began with an undetected HPT-section failure.

This is the consequence model that calibrates the Glyphward threshold for borescope inspection AI at 40: the highest standard commercial consequence profile of a missed HPT defect detection is an uncontained engine failure event with hull-loss potential.

Three attack vectors targeting the borescope image boundary

Adversarial pixel injection on a borescope inspection AI pipeline can reach the image input through three operational pathways, each with different technical complexity:

1. Borescope video capture system compromise

Modern borescope inspection tools — the GE Mentor Visual iQ, Olympus IPLEX NX, and Karl Storz Endoscopy series used by EASA Part 145 MRO facilities — transmit rendered video frames from the endoscope tip to the inspection workstation over USB 3.0 or proprietary fibre-optic data buses. On workstations where the borescope inspection AI software (TrueCheck, AVIATAR MRO, EngineWise) ingests frames directly from the capture device driver stack, a compromise of the workstation's kernel-level device driver — a realistically achievable target for a supply chain attack on the proprietary capture driver package — allows frame injection at the OS layer before the AI application receives the frame. The AI application receives a manipulated image that looks, to its input validation, like a frame from the legitimate borescope device. This is the highest-complexity attack pathway but produces the cleanest manipulation: the adversarial frame is injected at the earliest possible stage, before any application-level frame integrity checking.

2. MRO platform data pipeline injection

Large MRO operators — Lufthansa Technik, Air France Industries KLM Engineering and Maintenance, ST Engineering — use enterprise MRO software platforms (AMOS, TRAX, Swiss AviationSoftware) that ingest borescope images from workstation-side capture tools, store them in a centralised image repository, and pass them to the AI classification service over an internal API. A man-in-the-middle attack on the internal API — between the image repository and the AI classification microservice — allows adversarial perturbation of the image payload in transit without modifying the borescope capture workstation or the AI model. This is the medium-complexity pathway: it requires a foothold on the MRO platform's internal network, but not a supply chain compromise of a specific device driver package. IEC 62443 Zone-and-Conduit architecture for OT/IT integration in MRO facilities is the relevant threat model boundary; many MRO IT environments have historically prioritised availability over segmentation.

3. Training data poisoning targeting TBC spallation samples

The AI model's vulnerability to adversarial perturbation is calibrated by its training data distribution. A training dataset poisoning attack — injecting a small proportion of adversarially mislabelled TBC spallation images into the training corpus (labelling borderline-serviceable images as clearly-serviceable to shift the decision boundary) — does not directly manipulate any inspection image but progressively shifts the model's spallation detection threshold upward over model retraining cycles. This is the lowest per-image attack complexity but requires access to the training data pipeline — either through the data annotation service, the data repository, or the model update delivery mechanism. The EASA AMC 20-16 Issue 2 validation data set requirement is the primary defence: it requires the AMO to maintain a held-out validation set against which each model update is tested before deployment. A poisoning attack that degrades TBC spallation recall on the validation set would, in theory, be detected at model update time. In practice, the validation set and training set are often generated from the same data collection pipeline, reducing the independence of the defence.

The structural pattern: EASA AMC 20-16 shares the same gap as CENELEC EN 50129

The AMC 20-16 adversarial ML gap is structurally identical to the one identified in railway signalling AI under CENELEC EN 50129: a safety certification framework designed for random and systematic failures, with a human oversight mechanism that activates on uncertain AI outputs, that is blind to adversarial injection because adversarial injection eliminates the uncertainty signal.

In CVSR railway AI: SIL 4 covers systematic and random failures. The fail-to-safe rule activates on uncertain output. Adversarial injection produces confident wrong output. The rule does not activate.

In borescope inspection AI: AMC 20-16 Issue 2 covers validation-distribution performance. Human oversight activates on low-confidence AI output. Adversarial injection produces high-confidence wrong output. The oversight trigger does not activate.

The common structure is that both frameworks were designed before adversarial ML existed as an attack surface, and both depend on the AI expressing uncertainty as the trigger for their safety net. The adversarial injection attack is specifically designed to defeat that assumption. It is the same structural pattern across aviation MRO borescope AI and critical infrastructure AI from ICS visual inspection to surgical robotics — a confidence-high wrong output that bypasses every oversight mechanism calibrated to the uncertainty signal.

CENELEC TC9X has adversarial ML on its EN 50129 revision agenda for 2028. EASA's AI Roadmap 2.0 (2023) identifies adversarial robustness as a gap in current EASA AI guidance and lists it for Artificial Intelligence Task Force (AITF) action, with AMC updates expected in the 2025–2027 window. No final AMC update addressing adversarial ML robustness for Part 145 borescope inspection AI has been published as of mid-2026. Deployed systems are running under the current AMC 20-16 Issue 2 framework now.

What a Glyphward pre-scan gate provides at threshold 40

The Glyphward adversarial detection API integrates into the borescope inspection AI pipeline at the rendered endoscope image ingestion boundary — before any defect classification step. For each borescope frame processed by the HPT blade crack/oxidation classifier, the TBC spallation detector, the combustor liner hot-spot classifier, or the life management AI image input, the frame is first submitted to Glyphward's endpoint. The scan returns a risk score (0–100) in 8–15ms on GPU-equipped inspection workstation hardware (Nvidia GeForce RTX 4090-class consumer GPU, or Nvidia A2-class enterprise GPU, both common in MRO borescope inspection workstations).

At or above the recommended threshold of 40:

• The borescope AI classification output for that frame is suppressed — not accepted into the disposition workflow.
• The frame is routed to the qualified B1.1/B1.3 certifying engineer for manual dimensional assessment — the same human inspection fallback that AMC 20-16 Issue 2 requires for low-confidence AI outputs, now applied to adversarial-flagged inputs.
• The event is logged with a timestamped Glyphward scan record: scan_id, risk score, engine serial, blade position, work order ID, and detected perturbation class.

The threshold of 40 — slightly higher than the 35 used for railway CVSR and surgical robotics — reflects the presence of the qualified human inspector review layer in the borescope pipeline and the higher absolute image count per inspection visit: an HPT borescope inspection of a LEAP-1B at 3,000 EFH produces 500–1,000 frames per engine. At threshold 35, the false positive rate on legitimate borescope frames — which exhibit wide variance in illumination, contamination, and blade geometry — would route an unacceptable proportion of clean frames to manual review, negating the efficiency benefit of AI-assisted inspection. Threshold 40 is calibrated to suppress adversarial injections while keeping the false positive burden on the certifying engineer within the operational parameters of a Part 145 borescope inspection visit.

The timestamped Glyphward scan log satisfies two EASA documentation requirements:

1. EASA Part 145.A.55 maintenance records: Each frame processed by the AI tool has a corresponding scan record demonstrating the tool operated within its validated scope (score below 40) or flagged an out-of-distribution input (score at or above 40) and routed to manual assessment. This is the per-frame traceability that AMC 20-16 Issue 2 Paragraph 3.4.2 requires for AI-assisted inspection tools.
2. AMC 20-16 Issue 2 operational monitoring: The aggregate scan log across inspection visits provides the performance monitoring record against the validated dataset distribution. A pattern of elevated Glyphward scores on specific engine serial numbers or MRO facility workstations is an early indicator of a data pipeline compromise or a training data poisoning attack, detectable before any individual misclassification causes an AMR error.

The free tier — 10 scans/day, no card required — provides enough capacity for a pilot integration on a single engine's HPT inspection, generating the first scan log for EASA documentation review. The Pro tier ($29/month, 100k scans/month) covers a full EASA Part 145 AMO's monthly borescope inspection volume for a mid-size fleet with margin for anomaly investigation.