
Vol. 45, No. 3 • May-June 2009
In the Spotlight
Redundancy for Safety


Safety is difficult to measure quantitatively. Traditionally, safety is measured by counting and keeping records of accidents and injury rates. But such measurements are "after the fact." While they do provide important information, "before the fact" measurements would encourage actions to prevent or at least mitigate the undesired event. Thanks to the relatively new science called "reliability," pertinent "before the fact" probability of success and/or failure measurements can be made.

Although safety and reliability are not the same, increasing reliability often (but not always) has the effect of increasing safety. A common example is the single-engine airplane. An engine failing during flight is a very unsafe situation and could be life threatening. As a private pilot, I find that this example stands out vividly in my mind. No engine, even the most reliable, has a 100 percent probability of success (PS) for, let's say, a three-hour flight. In other words, there is no 100 percent guarantee that an engine will run smoothly without failure during an entire three-hour interval. A major reason for multi-engine airplanes is the increase in safety. Twin-engine airplanes can and should be designed to fly on one engine in the event that the other engine fails. This capability adds not only reliability but, more importantly, safety. Similarly, any three- or four-engine airplane should be designed to fly with one or more engines failed. With this capability, multi-engine airplanes can be thought of as systems with engines as "active redundant" components.

Now some logical questions will arise from several groups, including airplane manufacturers, the FAA, NASA, safety engineers, reliability engineers, pilots, airplane passengers and others. For example, what is the amount of safety increase with the addition of one or more engines? Is a twin-engine airplane twice as safe as a single-engine airplane?

Objective
The objective of this paper is not to try to quantify safety, but to show what is involved in quantifying the probability of success of systems utilizing redundancy, which in many cases improves probability of success and ultimately results in increased safety. In other words, the paper shows how to calculate the reliability of systems that utilize "redundant" components in parallel and, at the same time, illustrates the effect (the increase in probability of success) of each additional redundant component. It should be noted that the reliability and failure rate of parallel configurations using components with unequal failure rates can certainly be calculated, as shown in Figure 1. However, this paper will concentrate only on configurations (systems) using redundant components of equal failure rate.

Definitions
In the world of reliability, two items are said to be in "parallel" if the system succeeds when both components are operating and also when only one of them is operating. The two diagrams in Figure 1 are reliability block diagrams, both showing components in parallel. Systems can be comprised of three or more components in parallel. In those cases, system success must be clearly defined in terms of the minimum number of components that must operate for system success. For example, a three-engine airplane may be designed to fly with two engines operating, thus allowing one engine to fail. On the other hand, a three-engine airplane may be designed to fly with only one engine operating, thus allowing two engines to fail.

Components in parallel are usually identical and, therefore, will have the same failure rate. However, this is not always the case. The configurations in Figure 1 both show two components in parallel. However, one shows a system with its component failure rates equal, and the other shows a system with unequal failure rates.



Figure 1 — A Reliability Block Diagram.

Definitions (continued)
"m of n": m or more functional items required for system success where 1 ≤ m ≤ n. In other words, at least m items are required to be functional (out of n) for system success.

Examples:
"3 of 3": Given a three-engine airplane, the airplane requires all three engines to fly. Note no failures allowed in this case.
"2 of 3": Given a three-engine airplane, the airplane requires two or more engines to fly. Note one failure allowed.
"1 of 3": Given a three-engine airplane, the airplane requires one or more engines to fly. Note two failures allowed.
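The "m of n" definition and the three-engine examples above can be turned into a small calculator. The following Python is an added example written for this page, not code from the article or the journal. It assumes (as a modelling choice the article does not state) that each component has a constant failure rate, so its probability of success over a mission of length t is R(t) = exp(-lambda * t), and that components fail independently. It also goes one step beyond the article's equal-failure-rate scope by handling unequal component reliabilities (the Figure 1 case), by enumerating the possible sets of working components, which is practical for the handful of engines on an aircraft. The failure rate and mission time used in the demonstration are constructed sample values, not data from the article.

```python
"""m-of-n reliability calculator: probability of success (PS) of a system
of n parallel components when at least m of them must operate.
Added example for this page; the exponential-life assumption and the sample
numbers are ours, not the article's."""
import math
from itertools import combinations
from typing import List, Sequence, Tuple


def component_reliability(failure_rate: float, mission_time: float) -> float:
    """PS of one component over the mission, assuming a constant failure
    rate (exponential life distribution): R(t) = exp(-lambda * t)."""
    if failure_rate < 0 or mission_time < 0:
        raise ValueError("failure rate and mission time must be non-negative")
    return math.exp(-failure_rate * mission_time)


def m_of_n_reliability(m: int, n: int, r: float) -> float:
    """PS of an m-of-n system of n identical, independent components,
    each with PS r. Sums the binomial probability that exactly k of the
    n components are working, for every k from m up to n."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0.0 <= r <= 1.0:
        raise ValueError("component reliability must be a probability")
    return sum(math.comb(n, k) * r ** k * (1 - r) ** (n - k)
               for k in range(m, n + 1))


def m_of_n_reliability_unequal(m: int, rs: Sequence[float]) -> float:
    """PS of an m-of-n system whose independent components have different
    reliabilities rs[0..n-1]. Enumerates every subset of components that
    could be the working set; fine for small n such as aircraft engines."""
    n = len(rs)
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= len(rs)")
    total = 0.0
    for k in range(m, n + 1):
        for working in combinations(range(n), k):
            prob = 1.0
            for i, r in enumerate(rs):
                prob *= r if i in working else (1.0 - r)
            total += prob
    return total


def engine_table(failure_rate: float, mission_time: float,
                 max_engines: int = 4) -> List[Tuple[int, float, float]]:
    """For 1..max_engines identical engines, return (n, PS, PF) where the
    airplane flies as long as at least one engine runs ("1 of n")."""
    r = component_reliability(failure_rate, mission_time)
    rows = []
    for n in range(1, max_engines + 1):
        ps = m_of_n_reliability(1, n, r)
        rows.append((n, ps, 1.0 - ps))
    return rows


if __name__ == "__main__":
    # Constructed sample values: 1 failure per 10,000 engine-hours, 3-hour flight.
    LAMBDA, T = 1e-4, 3.0
    r = component_reliability(LAMBDA, T)
    print(f"single engine PS over {T:g} h: {r:.6f}")
    print("three-engine airplane, article's three success definitions:")
    for m in (3, 2, 1):
        print(f"  {m} of 3: PS = {m_of_n_reliability(m, 3, r):.8f}")
    print("'1 of n' airplanes: probability of failure shrinks geometrically, "
          "so a twin is far more than 'twice as safe' on this measure:")
    for n, ps, pf in engine_table(LAMBDA, T):
        print(f"  {n} engine(s): PS = {ps:.10f}  PF = {pf:.3e}")
```

Note that adding an engine under "1 of n" multiplies the probability of failure by (1 - r), whereas a "3 of 3" design is less reliable than a single engine, since any one failure brings the system down; the two success definitions the article gives for a three-engine airplane sit on opposite sides of a single engine.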
