This has been brought over from FAA Approves Boeing 787 Battery System Changes because it fits with safety metrics.

Quoting zeke (Reply 133):
*From a pure maths point of view, the probability of a specific event is actually zero. The reason being the aircraft as a system is a continuous random variable with an infinite number of outcomes, thus it does not have discrete countable outcomes. We measure (i.e. continuous distribution) rather than count (i.e. discrete distribution) aircraft in service events and reliability. We can come up with a probability for a range of measurements on a continuous distribution, however not a singular value as we have an infinite number of outcomes.
*
In a similar fashion I have seen people "abuse" stats when talking about engine reliability, engines are also a continuous distribution, decreasing/increasing the number of engines on an aircraft does not actually decrease/increase the rate of engine failures for an airframe. We never know when an engine will fail, as a system it has an infinite number of outcomes. If we did know when one would fail, it would be changed before hand and thus the discrete event never realised. |

This also does not make much sense. If you had "four engines" on an airplane versus "one engine" on an airplane the probability of "any one of the 4 engines" failing is 4 times greater than it is for the one engine on the single engine airplane. Your last sentence - When discussing statistics you are never dealing with a single event. You are dealing with metrics derived from sufficient data points to do normal distribution, frequency analysis, probability distribution etc. The experts that develop the metrics for engine reliability likely have 3 inch thick binders on methodology, statistical modeling and have the data flowing in from a number of sources - airplanes in service, continious 24/7/365 testing data from

RR,

GE, etc.

* Quote:"To put this in the battery context, having two batteries in the aircraft does not double the chance of failure, as both batteries may go their entire service life with failing. When a battery will fail is unknown."*
This does not make any sense. Two batteries versus one battery doubles the probability that any "one of the two batteries" could fail before the single battery. Look at it this way, if you took a healthy person and you took 1,000 healthy people what would be the probability of that single person dying before "any one of " at random of the 1,000 people more or less? It would be less by 1/1,000. What would be the probability of that single person dying before a particular "one of " the 1,000 people? It would be even odds. Isn't that how insurance companies make money?

*Quote:"Pure maths seems illogical at times, however this containment fix is actually mathematically sound. It should not factor into ETOPS at all".*
You are right 'pure math' is too theoretical and doesn't appear to have any practical application here other than to cloud and fog the issues at hand. Since when do mathematicians design pressure vessels or give advice on something they know nothing about? The design involves engineers that are familiar, with thermodynamics (mechanical and chemical engineers) material engineering and structural engineering.

The purpose for posting this in the first place was to gain some small understanding in how these metrics for safety might work. I qualified myself that I'm not an expert in this field and was seeking help in furthering this along.

I must admit I didn't expect a long qualitative circular discussion with undefined phraseology, that neither I or 99.0% of the posters could understand. It also suprised me that someone with a math and supposed statistics background stayed away from numbers and the quantitative, which is after all the language of these sciences. If you are capable and are still interested please comment specifically on the issue and methodology described for the metrics of two engines out.

The question is how do you compute safety at the overall airplane level of 1: 10^7 (1:10 million) from combining the various levels or layers of redundancies? Sometimes things can be better clarified if you hang numbers on them, however there is always the danger of being wrong (I was never good at statistics), but others that know better can always jump in and correct.

Now lets assume (a) is the first level/ layer of redundancy and (b) is the second level of redundancy and the overall combination safety metric at the airplane level is (c) for catastrophic failure**. So ( a) x (b) = (c). We always know (c) = 1:10^7 (1:10 million hrs) and we always know either one of (a) or (b). Note**: Since origionally posting according to

AC 23.1309-1E - (3) Hazardous failure condition is 1:10^7 hrs (1:10 million) and (4) Catastrophic failure condition is 1:10^9 hrs (1: 1 billion) not sure which applies to two engines out but will use (3) for discussion purposes and for simplicity and methodology.

_____________________________________________________________________________________________

Two engines out - assume (a) = (b) for reliability of engines

--(a)---one engine out------------------------------1: 3200 hrs (approx) (by deduction)

--(b)---two engines out-----------------------------1: 3200 hrs (approx) (by deduction)

--(c)---Safety metric overall airplane level-----1: 10^7 hrs (1:10 million) (known) (assume Hazardous failure condition)

_____________________________________________________________________________________________

Assume the the number of hrs to failure metric for one engine is derived statistically by all means available and in this case has to be greater than 3,200 hrs to meet overall safety metric requirement at airplane level of 1: 10^7 hrs

This assumes engines are regularly inspected and maintained as per specifications.

____________________________________________________________________________________________

Definition of Hazardous Failure Conditions

- Extremely remote failure conditions. Those failures not anticipated to occur to each airplane during its total life, but may occur a few times when considering the total operational life of all airplanes of this type. (Note: This could easily involve over 3,000 aircraft over a period of 30 years)

- Failure conditions that would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to the extent there would be the following (a)-large reductions of safety margines of functional capabilities. (b)-physical stress and higher work load such that the flight crew can not be relied upon to perform their tasks accurately or completely or (c)-serious or fatal injury to an occupant other than the flight crew.