From:         Pete Mellor <>
Date:         08 Nov 96 05:24:24 

Lou Scheffer <> wrote on 05 Nov 96 04:13:57:-

>  In the aviation world, safe enough is usually
> one failure in 10^9 hours (this was set so that there would be no expected
> failures in a popular type of airplane over the life of a fleet of them).

The maximum acceptable 10^-9 probability per hour of flight* of a
catastrophic** failure (one which "prevents continued safe flight and
landing") applies to an individual system on board.

The argument in support of this in the European regulations (JAR-25 and
its supporting documents) goes as follows:-

1. One crash per million hours of flight is "acceptable". (Current rate
   of fatal accidents is 2 per million departures, and the rate of
   hull losses is 1.5 per million departures.*** Given an average flight
   duration of 1.5 hours, you get a hull loss probability of around
   1 per million hours. In other words, the accident rate we have now
   is "acceptable".)

2. Around 10% of all accidents are caused by equipment failure. To keep
   the loss rate due to all causes within the acceptable range,
   probability of loss due to equipment failure must be kept below 10^-7.

3. There are around 100 safety-critical systems on board. (This is
   a conservative estimate. The A320 has around 70, for example.)
   If ANY ONE of these fails, a crash could occur. To keep the loss
   rate due to equipment failure within the acceptable range, the
   probability of failure of each individual safety-critical system
   must therefore be kept below 10^-9.

Interestingly enough, if you base the calculation on the average size
of fleet of a single type combined with the length of service life of
each example, with the objective of ensuring that a catastrophic failure
of a safety-critical system is "not expected to occur in the service
life of an entire fleet of a given type", then you get the same figure.

* Note: Not quite the same thing as "one failure in 10^9 hours".

** The targets are lower for less serious failures. In JAR, they are:-
   "Catastrophic" - 10^-9, "Hazardous" - 10^-7, "Major" - 10^-5,
   "Minor" - 10^-3.

*** From Boeing's Statistical Summary.

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422, Fax: +44 (171) 477-8585
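The three-step budget allocation in the post (acceptable loss rate, equipment share, split across the safety-critical systems) and the fleet-lifetime cross-check it mentions are easy to get backwards when the units change between per-departure and per-hour figures. The following Python is an added example, not part of Pete Mellor's post or of any JAR document: it takes the figures quoted in the post as inputs (2 fatal accidents and 1.5 hull losses per million departures, 1.5 hour average flight, about 10% of accidents equipment-caused, about 100 safety-critical systems) and generalises the arithmetic into functions so the same budget can be re-derived for other assumptions. The fleet size and service life used in the cross-check are constructed placeholders, since the post gives no figures for them.

```python
"""Risk-budget arithmetic behind the 10^-9 per-system target.

Added example, not part of the original post. Input figures are the ones
quoted in the post; the fleet size and per-aircraft service life used in
the fleet-lifetime cross-check are constructed assumptions.
"""

PER_MILLION = 1e-6

# JAR severity classes and their maximum per-flight-hour probabilities,
# as listed in the post's second footnote.
JAR_TARGETS = {
    "Catastrophic": 1e-9,
    "Hazardous": 1e-7,
    "Major": 1e-5,
    "Minor": 1e-3,
}


def per_hour_rate(rate_per_million_departures, avg_flight_hours):
    """Step 1: convert an accident rate per million departures into a
    rate per flight hour, given the average flight duration."""
    return rate_per_million_departures * PER_MILLION / avg_flight_hours


def per_system_target(acceptable_loss_rate, equipment_fraction, n_systems):
    """Steps 2 and 3: the share of the loss budget attributable to equipment
    failure, split evenly across the safety-critical systems.  Any single
    system failing can cause the loss, so the per-system rates add up."""
    equipment_budget = acceptable_loss_rate * equipment_fraction   # step 2
    return equipment_budget / n_systems                            # step 3


def loss_rate_from_systems(per_system_prob, n_systems, equipment_fraction):
    """Inverse check: the total loss rate implied by a per-system target,
    a count of systems and the fraction of losses equipment accounts for."""
    return per_system_prob * n_systems / equipment_fraction


def expected_fleet_failures(per_system_prob, fleet_size, service_hours_per_aircraft):
    """Fleet-lifetime view: expected catastrophic failures of ONE system
    across every aircraft of a type over its whole service life.  A value
    well below 1 is what 'not expected to occur in the service life of an
    entire fleet' means numerically."""
    return per_system_prob * fleet_size * service_hours_per_aircraft


def meets_target(per_hour_prob, severity):
    """True if a per-flight-hour probability is within the JAR target for
    the given severity class."""
    return per_hour_prob <= JAR_TARGETS[severity]


if __name__ == "__main__":
    hull_loss = per_hour_rate(1.5, 1.5)   # 1.5 per million departures -> ~1e-6 / h
    fatal = per_hour_rate(2.0, 1.5)       # 2 per million departures -> ~1.3e-6 / h
    target = per_system_target(1e-6, 0.10, 100)
    print(f"hull-loss rate {hull_loss:.2e}/h, fatal-accident rate {fatal:.2e}/h")
    print(f"per-system catastrophic target {target:.1e}/h "
          f"(meets JAR: {meets_target(target, 'Catastrophic')})")
    # Constructed fleet assumption: 1000 aircraft, 60 000 flight hours each.
    print(f"expected failures of one system over fleet life: "
          f"{expected_fleet_failures(target, 1000, 60_000):.3f}")
```

Changing `n_systems` or `equipment_fraction` shows how sensitive the 10^-9 figure is to the two estimates in steps 2 and 3: the per-system budget scales inversely with the number of systems, which is why the post calls 100 a conservative choice.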