Excerpt from Introduction to Fault Tree Analysis for System Safety
by Dr. John B. Peller (a lecture given at the University of Southern California Aircraft Safety School, 1962)

"There exists a subtle, but important distinction between system safety and reliability, and the reader is urged to fully understand this distinction. Basically, the two disciplines answer two different questions about two different things. Reliability answers the question "how often does something fail?" whereas system safety answers the question, "what happens when something does fail?" Reliability is usually more directly concerned with individual parts, although it is obviously also concerned with the total system failure rate. System safety is directly concerned with the integrity of the system as a whole.

The distinction of "how often" versus "what happens" is the reason for the status of system safety as an independent discipline (i.e., independent from system reliability). It is well known that a reliable system is not necessarily a safe system!"



Safety and Reliability Concepts in Aircraft Design
by Robert E. Follensbee (previously in the FAA Los Angeles Aircraft Certification Office).

Safety is not reliability. As applied to civil aircraft designed to FAR 25 standards, they are related but distinctly different concepts with different objectives. In the briefest sense:

An aircraft design can be safe but unreliable; it can be reliable but unsafe; and it can be safe and at the same time reliable. Safety and reliability are essentially related, independent design parameters that tend to complement or oppose each other but one cannot be substituted for the other.

The type certification process finds an aircraft design to be in compliance only with safety standards; it does not and cannot establish the reliability level of the design. FAR 25 does not require a reliability finding. FAR 25.1309 does not contain the word "reliability."

[Note from Prof. Leveson: Look at the FAA standard for software development, DO-178B. Would you call this a safety standard or a reliability standard? To me it appears to be a reliability standard. Do you agree or disagree?]



Six Recent Accidents/Incidents where the Probability of Occurrence Calculates to Less than 10^-9
by Robert E. Follensbee, 1993.

Five recent large transport accidents and one near accident illustrate and emphasize the total unsuitability of numerical probability analysis as a viable transport design safety methodology. In all cases, a probability of failure was calculated to be 10^-9 or less using the accepted techniques of the industry; moreover, these calculated probabilities are typical of those often accepted by FAA as evidence of a safe design. In several cases, the need for specific compliance to fail safe standards was judged not necessary based upon these probability calculations.

The six severe failure cases are presented below with a brief explanation of the failure and the consequences:

  1. MD-11, AAL fuel dump incident of June 1992 where the failure of a No. 2 engine and its electrical bus-tie transfer relay disabled all remaining fuel tank automatic fuel dump float-operated shutoff switches. Fuel dumping continued without shutoff past the low-level shutoff quantity and nearly depleted the two remaining engines' main tanks of fuel. The calculated probability of this occurring using conventional numerical probability methodology is less than 10^-9.

  2. MD-80, SAS accident from ice ingestion in both engines during takeoff, December 1991. The ground crew failed to detect upper wing ice after inspecting the aircraft for ice; also, a de-icing procedure failed to eliminate ice on the upper wing. During takeoff, ice dislodged and caused surge in both engines. In response to an engine thrust reduction, the autothrottle system unclamped and advanced the throttles in both engines causing a steady state surge condition that mechanically failed both engine compressors. The pilot did not disconnect the autothrottles after engine surge as required by the SAS flight crew procedures. The calculated probability of these events occurring in this sequence is less than 10^-9.

  3. 767, Lauda accident, June 1991, following uncommanded in-flight reversal of the No. 1 engine reverser. While climbing through 25,000 ft., a reverser malfunction warning light illuminated indicating an open isolation valve in the No. 1 engine reverser hydraulic system. AFM flight crew procedures advised the crew to continue the flight and do maintenance checks at the next flight stop. The calculated probability of unwanted reversal from system failures as occurred in this accident had been determined to be less than 10^-12.

  4. DC-8 main gear wheel burst accident, Charter Airline, Jeddah Arabia, July 1991, where the wing fuel tank was penetrated by gear wheel fragments during takeoff and uncontrollable in-flight fire resulted. Prior to this accident, the manufacturer had submitted numerical probability calculations showing that the probability of catastrophic fuel-fed fires occurring in flight from main landing gear wheel or tire bursts was 10^-9 or less.

  5. DC-10, UAL accident from total loss of hydraulic power, Sioux City, Iowa, August 1989. A No. 2 engine fan disc fatigue failure during cruise at 37,000 ft. discharged high energy shrapnel over the horizontal tail surfaces and caused the severing of all three hydraulic system lines and the subsequent loss of fluid. Flight controls were totally disabled and the aircraft made a crash landing using engine thrust as the sole means of control. The manufacturer, during certification of the DC-10, submitted a numerical probability calculation showing the chances of total loss of hydraulic fluid from engine rotor burst was 10^-9 or less.

  6. 747, UAL accident from explosive decompression following failure of forward cargo door, February 1989. During climb at 23,000 ft., the cargo door suddenly opened and resulted in explosive decompression and the loss of nine passengers. Design deficiencies in the door locking system and the electrical actuation system were cited by NTSB as causes of the door failure. Numerical probability calculations using accepted and conventional techniques show the probability of these failure causes to be less than 10^-9.
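The following is an added illustration, not part of Follensbee's text, of the arithmetic behind the cases above: an AND gate over redundant systems evaluated under an independence assumption drops below the 10^-9 figure quoted, while a single shared event of the Sioux City kind (one rotor burst severing all three hydraulic lines) dominates the real top-event probability. All failure rates used are constructed, hypothetical numbers, not figures from any certification.

```python
"""Added example: AND-gate fault tree with and without a common-cause event.

Not from the lecture; the per-hour rates below are constructed for
illustration only and do not describe any real aircraft or certification.
"""
from typing import Sequence

# Per-flight-hour figure the text says was accepted as evidence of a safe design.
CATASTROPHIC_LIMIT = 1e-9


def independent_and(probs: Sequence[float]) -> float:
    """Top-event probability of an AND gate when every input fails independently.

    This is the conventional calculation: P(all fail) = product of the inputs.
    """
    result = 1.0
    for p in probs:
        result *= p
    return result


def and_with_common_cause(probs: Sequence[float], p_common: float) -> float:
    """AND gate where one shared event defeats every redundant input at once.

    Simple beta-factor style model: the top event occurs if the common-cause
    event occurs, or if it does not and all inputs fail independently. Assumes
    the common-cause event is itself independent of the individual failures.
    """
    return p_common + (1.0 - p_common) * independent_and(probs)


def accepted_as_safe(p_top: float) -> bool:
    """Would this top-event probability pass the 10^-9 screen described?"""
    return p_top < CATASTROPHIC_LIMIT


def underestimate_factor(probs: Sequence[float], p_common: float) -> float:
    """How many times the independence assumption understates the risk."""
    return and_with_common_cause(probs, p_common) / independent_and(probs)


if __name__ == "__main__":
    # Constructed: three redundant hydraulic systems, plus one shared hazard
    # (a rotor burst severing all lines) that removes the redundancy entirely.
    hydraulic = [1e-4, 1e-4, 1e-4]
    rotor_burst_severing_all = 1e-7
    print("independent:", independent_and(hydraulic))
    print("with common cause:", and_with_common_cause(hydraulic, rotor_burst_severing_all))
    print("understated by factor:", underestimate_factor(hydraulic, rotor_burst_severing_all))
```

The independent figure (10^-12) clears the screen comfortably; the common-cause figure (about 10^-7) fails it by two orders of magnitude, and the ratio shows the independence assumption understating the risk by roughly 10^5.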