JAN.-FEB. 1970 SUPERSONIC AIR TRANSPORT

Table 8 Systems safety assessment of number of channels

| Data | System 1 (e.g., powered flight controls) | System 2 (e.g., INS) |
|---|---|---|
| MTBF | 5000 hr | 2000 hr |
| Single failure probability in 1 hr | $2 \cdot 10^{-4}$ | $5 \cdot 10^{-4}$ |
| Accident probability in the case of a total system failure | Approx. 1 | $10^{-5}$ |
| Accident probabilities: simplex system | $2 \cdot 10^{-4}$ | $5 \cdot 10^{-9}$ |
| Accident probabilities: duplex system | $4 \cdot 10^{-8}$ | $25 \cdot 10^{-13}$ |
| Accident probabilities: triplex system | $8 \cdot 10^{-12}$ | $125 \cdot 10^{-17}$ |
| Preferred system | Triplex system, $8 \cdot 10^{-12}$ | Duplex system, $2.5 \cdot 10^{-12}$ |

quarters. In other words, these people talk as if the solutions used on current aircraft were adequate to resolve the problems of the supersonic transport. I must caution you against that notion.

The CONCORDE project and the rules which were drawn up for certification of the aircraft were reviewed concurrently in order to achieve enhanced safety and reliability. From the outset we set ourselves a goal, which emerges clearly from Fig. 16.

This graph, which is drawn from an ITA publication, gives a very clear idea of jet aircraft loss probabilities and the way they evolve. In the case of subsonic jets, it has dropped from an initial 1 in 100,000 hr to 1 in 400,000 hr operation, a figure that has been maintained for several years. With the CONCORDE, the objective we set ourselves was one loss in 10 million hr. We shall not succeed from the very start, but we do hope to achieve a curve of the kind shown, equalling from the start at least the current rate for subsonic aircraft, and ultimately tending toward the target rate.

At this point, I would like to stress a fact which stands out in the figure, namely that absolute safety is a pipe dream. What is more, to reduce the hazards as much as possible on specific items is not the proper course either, for the means at our disposal are limited, so that efforts must be directed with discernment, where they are going to be most effective. For instance, many people consider that, for the price and weight allowed for rafts on transoceanic flights, the aircraft could be equipped with more effective altimeter or anti-collision warning systems, for example. In other words, there can be no question of concentrating on, for example, the most reliable power flying control units or the most reliable powerplant without bothering about the rest. The aim is to have the safest and most reliable complete airplane with the means at one's disposal. The development effort should therefore be directed to the less reliable systems, with special emphasis on those affecting flight safety.

[Fig. 15 Fatigue-creep interaction at 150°C. Axes: life of specimen (hours) against frequency (cycles/hour); regions: pure creep, fatigue-creep interaction, pure fatigue.]

How can this be done in practice? Well, given a set of circumstances, one must determine what snags could arise and what their probability and consequences are going to be. Relatively harmless consequences can be accepted with a fairly high frequency. Serious consequences must have a very low probability rating so as to remain consistent with a loss probability of less than 1 in 10 million hr. In practice it is difficult, and usually outright impossible, to evaluate probabilities of $10^{-8}$ with any accuracy. In point of fact, the double failure concept means that probabilities can be brought down to more manageable magnitudes: $10^{-3}$ or $10^{-4}$ per flight hour. Table 8 shows how.

Many systems have MTBFs of 1000-10,000 hr, and it is precisely these MTBFs which must be checked. Having done this and having approximately estimated the probability of a disastrous accident linked to a failure in the system being checked (e.g., 1 or $10^{-2}$ or $10^{-4}$), calculation will show whether the system must be duplicated or triplicated. Naturally the calculations in Table 8 are highly simplified. But the figure does nevertheless illustrate my point well, namely that, despite its relatively low MTBF, system 2 does not substantially improve safety unless something is done about system 1. Assuming only those two systems existed on the aircraft, the step to be taken would be to improve the MTBF of system 1.

In actual fact, since we cannot achieve better than $10^{-9}$ or $10^{-10}$ on many systems, it is quite illusory to seek values beyond $10^{-11}$ or $10^{-12}$ on other systems, and any efforts along such lines will necessarily prove of no avail. It would be tantamount to digging valleys instead of cropping the peaks in order to avoid colliding with mountains. Yet there are people who still dig valleys. In my view, the increasing number and complexity of on-board systems, especially on SSTs, precludes this luxury.

In the case of the CONCORDE, the tests as a whole were conducted along these lines: to obtain a degree of safety consistent with our goal. In the case of certification too, the

[Fig. 14 Center web of frame 66.]

[Fig. 16 Trend in jet aircraft losses. Horizontal axis: total number of flight hours (millions); target level marked at 1/10,000,000.]
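The Table 8 arithmetic and the "cropping the peaks" argument can be worked through in a few lines. This is an added example, not part of the original paper; the per-system target of 1e-11 and all function names are assumptions made here, and channel failures are treated as independent, as the table's simplified figures do.

```python
import math

# Added illustration. Independence of channel failures is assumed, as in
# Table 8; common-mode failures would make every redundant figure optimistic.

def hourly_failure_prob(mtbf_hr):
    """Single-channel failure probability in one flight hour (about 1/MTBF)."""
    return 1.0 / mtbf_hr

def accident_prob(mtbf_hr, p_accident_given_loss, channels):
    """P(every channel fails in the hour) * P(accident | total system failure)."""
    return hourly_failure_prob(mtbf_hr) ** channels * p_accident_given_loss

def channels_needed(mtbf_hr, p_accident_given_loss, target, max_channels=4):
    """Smallest number of channels whose accident probability meets the target."""
    for n in range(1, max_channels + 1):
        if accident_prob(mtbf_hr, p_accident_given_loss, n) <= target:
            return n
    return None  # redundancy alone cannot reach the target

# Table 8 inputs: (MTBF in hr, accident probability given total system failure)
SYSTEMS = {
    "system 1": (5000, 1.0),    # e.g., powered flight controls
    "system 2": (2000, 1e-5),   # e.g., INS
}
TARGET = 1e-11  # assumed per-system budget; Table 8 does not state one

def aircraft_total(levels):
    """Sum of per-system accident probabilities for the chosen channel counts."""
    return sum(accident_prob(*SYSTEMS[name], n) for name, n in levels.items())

if __name__ == "__main__":
    for name, (mtbf, p_acc) in SYSTEMS.items():
        row = [accident_prob(mtbf, p_acc, n) for n in (1, 2, 3)]
        print(name, ["%.3g" % v for v in row],
              "channels needed:", channels_needed(mtbf, p_acc, TARGET))
    # "Digging valleys": a third INS channel while system 1 stays duplex
    before = aircraft_total({"system 1": 2, "system 2": 2})
    valley = aircraft_total({"system 1": 2, "system 2": 3})
    peak = aircraft_total({"system 1": 3, "system 2": 2})
    print("valley gain: %.3g  peak gain: %.3g" % (before - valley, before - peak))
```

With system 1 left duplex, the total stays at about 4e-8 whatever is done to system 2; only the third channel on system 1 moves it.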