PPRuNe Forums - View Single Post - Nimrod crash in Afghanistan Tech/Info/Discussion (NOT condolences)
Old 24th Jun 2008, 18:56
#1115
Mad (Flt) Scientist
 
Join Date: Sep 2002
Location: La Belle Province
Posts: 2,179
Originally Posted by JFZ90
1. As you say, the civil rules have no latitude for ALARP per se, and only work to absolute safety target. But, it raises the supplementary question - what do you conclude from the AD, either:

a) an airbus with white clips doesn't meet the 10-7 hull loss safety targets, or
b) an airbus with white clips meets the 10-7 target anyway, but they are doing it to reduce the risk lower still

If a), then by rights it shouldn't be certified.
If b), then to be flippant why are they bothering as it already meets the targets?

Can you find out which it is?
b) seems more likely to me, and it has the hallmarks of an ALARP based judgement by the CAA as to whether to enforce it on airlines.
SFAR88, which is the US additional rules relating to risks of fuel tank explosions, is a very special case for continuing airworthiness. The risk criteria used in determining actions taken to comply with SFAR88 are very much more stringent than for almost any other hazard type - in effect, the FAA said "no more exploding fuel tanks". The 'classical' 10e-9 etc probability criteria have been abandoned for that specific case. The likelihood is that most, if not all, fuel systems met the standard 25.1309 requirements for hazards before the SFAR came out.

However, as a general comment, the rules of 25.1309 (and equivalent regs in other jurisdictions) apply as an absolute only at the instant of type certification. If an issue is found in-service, you are generally permitted to accept an increased risk during the rectification period - and JAR.39 and the associated ACJ 39.3(b)(4) give a mathematical means to arrive at the level of risk which can be accepted for any given period of time - basically, the more you breach the 25.1309 requirements, the less time you have to get things fixed. Once you get a couple of orders of magnitude worse than the requirement, you usually end up being grounded, or taking other action to entirely eliminate the risk (operational restrictions, for example).

The following is taken from the ACJ:

3.8 Thus a 'reaction table' can be created as indicated in Table 1 (the last two columns assuming a typical aircraft design life of 60,000 hours and an annual utilisation of 3000 hours per annum) showing the flying or calendar time within which a defect must be corrected if the suggested targets are to be met.

Table 1

Column 1: Estimated catastrophe rate to aircraft due to the defect under consideration (per a/c hour)
Column 2: Necessary reaction time for each aircraft at risk (hours)
Column 3: On a calendar basis

Column 1     Column 2   Column 3
4 x 10e-8    3750       15 months
5 x 10e-8    3000       12 months
1 x 10e-7    1500       6 months
2 x 10e-7    750        3 months
5 x 10e-7    300        6 weeks
1 x 10e-6    150        3 weeks
1 x 10e-5    15         Return to base

Apologies for the poor formatting.
Therefore an AD with a 2 year compliance period implies that the probability of a catastrophic hazard arising from the item being addressed in the AD is about 2.5*10e-8.