PPRuNe Forums - View Single Post - When has the automation gone too far???
Old 10th May 2004 | 14:52
  #17 (permalink)  
Lu Zuckerman

Is it really that reliable?

They are stable, and their sensors provide 10e9 reliability, about the same as the control tubes on a 737.
10e9 reliability can only be achieved on paper and can never be demonstrated.

The basic reliability of an individual component in the electronic system (or any other type of system) is derived by selecting numbers taken from an Air Force database which are then manipulated by multiplying that number by other numbers that represent the environment that the unit will operate in. This assumed reliability is then manipulated by placing the individual units and multiplying the assumed reliabilities of the individual units in the string. If the unit contains built-in redundancy, there is a formula to calculate the reliability of the unit, but this number is based on the numbers in the Air Force database, which may or may not be truly representative of the parts that make up the actual component.

Once this number is derived it is cast in concrete, that is, until the manufacturer has to show reliability growth, and to do this he mainly selects better numbers from the database. In rare cases testing and development achieve this reliability growth, but as I said, it is rare.

The component and its numbers are then given to the airframe manufacturer, who will then calculate the reliability of the system to include the wires, connectors, terminal strips and everything that goes into the system. He uses numbers for the wires and the other components that are taken from another Air Force database that in almost every case are not representative of the actual elements in the system. In order to show the best reliability the airframe manufacturer will select the best numbers. If he has to show reliability growth and has used the best numbers available he is allowed to show growth by the use of engineering judgement, which is totally acceptable.

Once the system reliability has been calculated the airframe manufacturer will calculate the safety of the individual systems and then feed these calculations into a fault tree representative of the entire aircraft.

In calculating the safety of both the systems and the entire aircraft they manipulate the numbers which may not be representative by the use of Boolean algebra to calculate the overall safety.

The FAA stipulates that the death of a passenger or loss of the aircraft can occur no more frequently than 1 10e9. This is at the system level not the aircraft level. In almost every case the manufacturer can show that he can give even better numbers than required. I worked on one program where the airframe manufacturer showed his safety calculation was 1 10e18.

The key to this is the fact that the airframe manufacturer is not required to show the safety of the aircraft. If they took the collective systems and their individual safety numbers and multiplied them using the same Boolean algebra the overall safety of the aircraft would be about 1 10e7 which is slightly better than the safety demonstrated by the collective commercial aircraft fleets.

What I am about to say is representative of what went on in the past. In the specification for the Apache the Army required a total safety level of one hull loss with loss of crew every 34,000 hours of operation.

This had to be demonstrated or bettered on paper using the exact same calculation methods and numbers and the same databases used in the calculation of the safety of commercial aircraft. Eighteen months later the manufacturer had to show reliability growth. He did this by selecting better numbers and he had not changed the design.

In real life the figure 1 10e9 is a myth and only exists on paper and in the minds of the certification authorities.

By the way a control tube in a 737 would be calculated from the Air Force database using the following number 4.7237 10e6. This number is from some unknown source that is listed as ground mobile possibly a truck. This number must then be manipulated first to transpose it from ground mobile to aircraft. This number must then be further manipulated to show if it is located in a pressurized temperature controlled installation or in a wing where it is non pressurized and exposed to the ambient temperature environment. At the very best the reliability of a control tube would be 10e7 or by some stretch of the imagination 1 10e8.
In short, they have changed black into white and this is totally acceptable by the certification authorities and the US Military. The UK uses Def Stan. 00-41, which is taken directly from the US Military documents, so they do it the same way.

