<div dir="ltr">Mike,<div><br></div><div>I agree with you concerning FTA.</div><div><br></div><div>SAE ARP4754B/EUROCAE ED-79B section 4.1.2 states, "There is no direct correlation between Functional Development Assurance Level and numerical probabilities", while section 5.2.3 states, "The assigned development assurance level does not imply particular random hardware failure probabilities". The probabilities in fault trees are random hardware failure probabilities, design errors are mitigated using development assurance instead. Section 4.1.2 goes on to state, "The safety objectives associated with Failure Condition Classifications can be satisfied by both the designated function development assurance rigor and by numerical analysis methods (as needed). These two separate methods, in general, are not related and complement each other".</div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div style="color:rgb(34,34,34)"><a name="SignatureSanitizer_m_-5798674576462993830_SignatureSanitizer_SafeHtmlFilter_UNIQUE_ID_SafeHtmlFilter__MailAutoSig"><span style="font-size:10pt;font-family:Arial,sans-serif">Yours,</span></a><br></div><div style="color:rgb(34,34,34)"><div dir="ltr"><div dir="ltr"><p><span style="font-family:Arial,sans-serif;font-size:10pt">Dewi Daniels | Director | Software Safety Limited</span><br></p><p><span lang="FR" style="font-size:10pt;font-family:Arial,sans-serif">Telephone +44 7968 837742 | Email <a href="mailto:dewi.daniels@software-safety.com" target="_blank">dewi.daniels@software-safety.com</a></span></p><p><font face="Arial, sans-serif">Software Safety Limited is a company registered in England and Wales. Company number: </font><font face="Arial, sans-serif">9390590</font><font face="Arial, sans-serif">. Registered office: Fairfield, 30F Bratton Road, West Ashton, Trowbridge</font><span style="font-family:Arial,sans-serif">, United Kingdom </span><span style="font-family:Arial,sans-serif">BA14 6AZ</span></p></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 22 Aug 2024 at 09:43, M Ellims <<a href="mailto:mike@ellims.xyz">mike@ellims.xyz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I'm not an expert, but I have been over this a couple of times with representatives from the FAA.<br>
<br>
So here goes, for what it's worth.<br>
<br>
The first thing to note is that the figure given is for electronic/electrical hardware and excludes software.<br>
<br>
Guidance from the FAA is the software included in any FTA analysis should be assigned a failure rate of zero. The rational being that software failure rates are in general cannot be reliably estimated and thus the dependence/reliance on DO178.<br>
<br>
The failure rate applies to a single aircraft of a single type, and as pointed out is the sum of all possible failures in a system. The first step is to apportion failure rates to critical systems e.g. engines, flight control etc. which is dependent on things such as number of engines and how many have to operate to either get the hull off the ground or keep it in the air.<br>
<br>
One of the interesting features is that some of the 3-way voting is very straight forward on larger aircraft - for example on control surfaces 3 actuators are used such that any two can overpower the third. i.e. 3-way voting via brute force.<br>
<br>
<br>
<br>
-----Original Message-----<br>
From: systemsafety [mailto:<a href="mailto:systemsafety-bounces@lists.techfak.uni-bielefeld.de" target="_blank">systemsafety-bounces@lists.techfak.uni-bielefeld.de</a>] On Behalf Of Phil Koopman<br>
Sent: 22 August 2024 00:59<br>
To: <a href="mailto:systemsafety@lists.techfak.uni-bielefeld.de" target="_blank">systemsafety@lists.techfak.uni-bielefeld.de</a><br>
Subject: Re: [SystemSafety] Difference between software reliability and astrology<br>
<br>
I was waiting for an aviation expert to jump in on this, but haven't <br>
seen it, so I will contribute some thoughts.<br>
<br>
The interpretation of 1e-9 / hr for aviation is a bit subtle.<br>
<br>
Indeed this number comes from FAA AC 25.1309-1A<br>
<a href="https://www.faa.gov/regulations_policies/advisory_circulars/index.cfm/go/document.information/documentID/22680" rel="noreferrer" target="_blank">https://www.faa.gov/regulations_policies/advisory_circulars/index.cfm/go/document.information/documentID/22680</a><br>
<br>
Page 7: "Catastrophic failures conditions must be Extremely Improbable"<br>
<br>
Page 15: "Extremely Improbable failure conditions are those having a <br>
probability on the order of 1 x 10-9 or less" (1e-9)<br>
<br>
Page 14: In the context of Qualitative Probability Terms: "Extremely <br>
Improbable failure conditions are those so unlikely that they are not <br>
anticipated to occur during the entire operational life of all airplanes <br>
of one type."<br>
<br>
So my takeaway is that 1e-9 applies to all aircraft OF ONE TYPE and not <br>
all aircraft in the fleet. Keep in mind this was written in 1988 when <br>
the skies were a lot less crowded. So someone did some back of envelope <br>
math on flight hours per day, number of aircraft of a popular type, and <br>
airframe lifetime and came up with this number.<br>
<br>
Also note that this is for a "failure condition" and is not the <br>
acceptable failure level for the aircraft. I believe there is an <br>
assumption that perhaps 10 different failure conditions might all be <br>
possible, making the aircraft loss rate an order of magnitude worse per <br>
hour (but I might not be remembering the number 10 correctly -- I don't <br>
know if it is really written down anywhere).<br>
<br>
With modern aircraft there might be a lot more of any one type of <br>
aircraft, and they might fly more hours + more years. And there might be <br>
a lot more pieces of kit that can fail catastrophically. So this amounts <br>
to a legacy number that is not necessarily closely tied to current <br>
systems. It might easily be a factor of 10-100 too permissive if the <br>
objective is to never have a failure on any aircraft of one type.<br>
<br>
That having been said, at some point the number becomes so low that it <br>
is likely failure conditions not anticipated in design become the long <br>
pole in the tent. If I remember correctly Concorde was designed to <br>
1e-10/hr and that is pretty much how things turned out.<br>
<br>
Nonetheless when combined with improved safety management system <br>
approaches the industry seems to have been doing pretty well when they <br>
don't game the safety system.<br>
<br>
Yes, the numbers for self-driving cars are challenging because of number <br>
of vehicles and hours. However on average a catastrophic mishap involves <br>
1-2 people rather than 100-200. So that becomes an complex discussion. <br>
I'll note that ISO 26262 characterizes things as improbable if they are <br>
unlikely to happen to any single vehicle -- not the fleet of vehicles.<br>
<br>
The numbers for autonomous air taxis (1-2 person electric passenger air <br>
vehicles) are different, and my understanding is that they are <br>
controversial (some proposed numbers are more like cars than heavy jets).<br>
<br>
If any aviation experts can improve this description I welcome it, <br>
because this topic comes up surprisingly frequently in various <br>
discussions I have. And while I've done a bit of work in aviation, I <br>
spent most of my time on automotive.<br>
<br>
-- Phil Koopman<br>
<br>
<br>
<br>
<br>
<br>
<br>
On 8/21/2024 7:26 PM, Derek M Jones wrote:<br>
> Steve,<br>
><br>
> Thanks for the numbers update.<br>
><br>
>> 5 hours per day is way too low. Airplanes are very expensive, <br>
>> airlines are low profit margin businesses (which is why they are so <br>
>> interested in other, more highly profitable side business like credit <br>
>> cards), and airplanes only earn revenue when they are in the air.<br>
><br>
> I was not sure whether there was a long tail of less<br>
> frequently used aircraft.<br>
><br>
>> So if you double or triple your numbers below to account for 10-15 <br>
>> flight hours per day instead of the 5 you used, you get:<br>
>><br>
>> — 1 X 10^-5 equates to 2.5 to 3.75 Abnormal procedures per day<br>
>><br>
>> — 1 X 10^-7 equates to one Emergency procedure or Airplane damage <br>
>> every 30 to 45 days<br>
>><br>
>> — 1 X 10^-9 equates to one Catastrophic Accident every 6 to 10 years<br>
><br>
> To me 6-10 years is not Extremely improbable.<br>
> Perhaps the reliability figures were chosen when there were an order<br>
> of magnitude fewer aircraft.<br>
><br>
> Multiplying these values by lots of orders of magnitude implies<br>
> that self-driving car incidents are going to be routine.<br>
><br>
<br>
-- <br>
Phil Koopman m: 412-260-5955 <<a href="mailto:phil.koopman@hushmail.com" target="_blank">phil.koopman@hushmail.com</a>><br>
<br>
_______________________________________________<br>
The System Safety Mailing List<br>
<a href="mailto:systemsafety@TechFak.Uni-Bielefeld.DE" target="_blank">systemsafety@TechFak.Uni-Bielefeld.DE</a><br>
Manage your subscription: <a href="https://lists.techfak.uni-bielefeld.de/mailman/listinfo/systemsafety" rel="noreferrer" target="_blank">https://lists.techfak.uni-bielefeld.de/mailman/listinfo/systemsafety</a><br>
<br>
_______________________________________________<br>
The System Safety Mailing List<br>
<a href="mailto:systemsafety@TechFak.Uni-Bielefeld.DE" target="_blank">systemsafety@TechFak.Uni-Bielefeld.DE</a><br>
Manage your subscription: <a href="https://lists.techfak.uni-bielefeld.de/mailman/listinfo/systemsafety" rel="noreferrer" target="_blank">https://lists.techfak.uni-bielefeld.de/mailman/listinfo/systemsafety</a></blockquote></div>