SPS Case Study
A self protection system, such as the Chaff & Flare Dispensing System (CFDS) in the photograph on the cover of this book, presents interesting system safety challenges, and is a suitable case study for the themes discussed in the book.    

Consider the failure mode: "Loss of CFDS function":

Civil Regulatory Authorities would typically require (see Chapter 5) the application of FAR25.1309 (in the USA) or CS25.1309 (in Europe) when evaluating system safety.

AMC 25.1309 provides the following failure severity categories:

No Safety Effect: Failure Conditions that may not have an effect on safety, operational capability or crew workload.

Minor: At most a nuisance. Slight reduction in safety margins. Slight increase in crew workload. Some inconvenience to occupants. May require operating limitations or emergency procedures.

Major: Significant reduction in safety margins or functional capabilities. Significant increase in crew workload impairing crew efficiency. Some discomfort to occupants. Requires operating limitations or emergency procedures.

Hazardous: Large reduction in safety margins or functional capabilities. Higher workload or physical distress. Adverse effects upon occupants.

Catastrophic: All conditions which prevent continuous safe flight and landing.


So, what is the severity of the failure condition "Loss of CFDS function"?

  • Well, some might argue that the "Loss of CFDS Function" does not affect airworthiness (i.e. the ability of the aircraft to continue safe flight and landing) and is thus a "MINOR" or "NO SAFETY EFFECT" failure condition.
  • Others, such as the flight crew, would argue that the CFDS is there to protect them against missiles and that its loss should be a "CATASTROPHIC" failure condition. This assumes that the CFDS is actually effective against the threat:
    • e.g. many RPGs are simple "dumb" missiles with no guidance system.
    • e.g. many SPSs are tested against simulated threats, as there are few volunteers to actually test the real thing.
  • Others might argue that the failure condition causes a "Large reduction in safety margins or functional capabilities" and should thus be HAZARDOUS.

The severity classification results in a safety objective for the system (see table below), so close agreement with the regulatory authority will be required in this process.

Severity              Allowable Probability
No Safety Effect      (none)
Minor                 Reasonably Probable
Major                 Remote
Hazardous             Extremely Remote
Catastrophic          Extremely Improbable




Consider the failure mode: "Loss of CFDS function":

Military Regulatory Authorities would typically require (see Chapter 4) the application of DEF STAN 00-56 (in the UK) or MIL-STD-882 (in the USA) when evaluating system safety.

DEF STAN 00-56 provides the following accident severity categories:

Negligible: At most a single minor injury or minor occupational illness.

Marginal: A single severe injury or occupational illness; and/or multiple minor injuries or minor occupational illnesses.

Critical: A single death; and/or multiple severe injuries or severe occupational illnesses.

Catastrophic: Multiple deaths.


Def Stan 00-56 Issue 2 (Part 1 Para 7.3.2.c) states that "some systems have a defensive role whereby inaction under hostile circumstances may constitute a hazard. Safety targets for such systems shall address the requirements to reduce, to a tolerable level, the risk resulting from inaction under hostile circumstances".

So, "Loss of CFDS function" could result in the aircraft being shot down, which is obviously a "CATASTROPHIC" accident.

We now need to determine the probability of the accident occurring and classify it according to the following table:

Accident Probability   Qualitative Probability                                             Quantitative Probability
                       (during operational life considering all instances of the system)   (per Operating Hour)
Frequent               Likely to be continually experienced                                < 1E-2
Probable               Likely to occur often                                               < 1E-4
Occasional             Likely to occur several times                                       < 1E-6
Remote                 Likely to occur some time                                           < 1E-8
Improbable             Unlikely, but may exceptionally occur                               < 1E-10
Incredible             Extremely unlikely that the event will occur at all, given the      < 1E-12
                       assumptions recorded about the domain of the system


The accident probability is obtained by considering all the events in the accident sequence. A simple accident sequence is illustrated below, where the probability of the accident is dependent on the probability of a projectile firing and the probability of CFDS failure,

i.e. P_projectile x P_CFDS = P_accident

The designer might be able to predict P_CFDS, but has no control over P_projectile. The operator needs to provide P_projectile (and Def Stan 00-56 Issue 2 (Part 1 Para 7.3.2.c) states that the threat condition can be assumed to be 1).

Once P_accident is calculated, the Risk can be determined via the following typical matrix:

Probability \ Severity   Catastrophic   Critical   Marginal   Negligible
Frequent                 A              A          A          B
Probable                 A              A          B          C
Occasional               A              B          C          C
Remote                   B              C          C          D
Improbable               C              C          D          D
Incredible               C              D          D          D


  • Class A: These risks are deemed as being intolerable and shall be removed by the use of safety features.
  • Class B: These risks are considered as being undesirable, and shall only be accepted when risk reduction is impracticable.
  • Class C: These risks are deemed as being tolerable with the endorsement of the Project Safety Review Committee. May need to show that risk is ALARP (see para 4).
  • Class D: These risks are accepted as being tolerable with the endorsement of normal project reviews. No further action needed.

Note, however, that the accident sequence above is far too simplistic as it assumes that a functioning CFDS will prevent all Projectiles from causing an accident. See the following development of this accident sequence, which might result in a higher priority required for another type of protective system (e.g. Explosion Suppressant Foam in the fuel tanks) to keep the risk of this type of accident tolerable:
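The Def Stan 00-56 procedure described above (accident sequence, qualitative probability band, risk matrix, risk class) can be carried through end to end in a few lines. The following Python is an added worked example, not part of the original case study: the bands, matrix and class meanings are the ones quoted in the text; the CFDS failure rates and the effectiveness figure in the demonstration are constructed, and the rule that a probability at or above the top tabulated figure counts as Frequent is an assumption (the table gives no higher band). The optional effectiveness parameter models the developed accident sequence, in which a functioning CFDS does not defeat every projectile.

```python
"""Def Stan 00-56 style risk classification for "Loss of CFDS function".

Added worked example, not taken from the original case study. The probability
bands, the risk matrix and the class meanings are those quoted in the text; the
failure-rate and effectiveness figures used in the demonstration are constructed.
"""

# Qualitative accident-probability bands (per operating hour), in ascending order
# of the quantitative figure tabulated in the text. A probability falls into the
# first band whose figure it is below; anything at or above the top figure is
# treated here as Frequent (an assumption, since the table gives no higher band).
PROBABILITY_BANDS = [
    ("Incredible", 1e-12),
    ("Improbable", 1e-10),
    ("Remote", 1e-8),
    ("Occasional", 1e-6),
    ("Probable", 1e-4),
    ("Frequent", 1e-2),
]

SEVERITIES = ("Catastrophic", "Critical", "Marginal", "Negligible")

# Risk class matrix from the text: rows are accident probability, columns follow SEVERITIES.
RISK_MATRIX = {
    "Frequent":   ("A", "A", "A", "B"),
    "Probable":   ("A", "A", "B", "C"),
    "Occasional": ("A", "B", "C", "C"),
    "Remote":     ("B", "C", "C", "D"),
    "Improbable": ("C", "C", "D", "D"),
    "Incredible": ("C", "D", "D", "D"),
}

CLASS_MEANING = {
    "A": "intolerable: shall be removed by the use of safety features",
    "B": "undesirable: accepted only when risk reduction is impracticable",
    "C": "tolerable with Project Safety Review Committee endorsement (may need ALARP argument)",
    "D": "tolerable with normal project reviews; no further action needed",
}


def classify_probability(p_accident):
    """Map a per-operating-hour accident probability to its qualitative band."""
    for category, figure in PROBABILITY_BANDS:
        if p_accident < figure:
            return category
    return "Frequent"  # at or above the top tabulated figure (assumption, see above)


def risk_class(p_accident, severity):
    """Look up the risk class for an accident probability and an accident severity."""
    column = SEVERITIES.index(severity)
    return RISK_MATRIX[classify_probability(p_accident)][column]


def accident_probability(p_projectile, p_cfds_fail, cfds_effectiveness=1.0):
    """Accident probability for the CFDS accident sequence.

    With cfds_effectiveness=1.0 this is the simple sequence in the text,
    P_projectile x P_CFDS = P_accident: a working CFDS defeats every projectile.
    A lower effectiveness models the developed sequence, where a working CFDS
    still lets a fraction (1 - effectiveness) of projectiles through.
    """
    p_gets_through = p_cfds_fail + (1.0 - p_cfds_fail) * (1.0 - cfds_effectiveness)
    return p_projectile * p_gets_through


def assess_loss_of_cfds(p_cfds_fail, cfds_effectiveness=1.0, p_projectile=1.0):
    """Assess "Loss of CFDS function" as a Catastrophic accident.

    p_projectile defaults to 1, following the Def Stan 00-56 Issue 2 provision
    quoted in the text that the threat condition can be assumed to be 1.
    """
    p_accident = accident_probability(p_projectile, p_cfds_fail, cfds_effectiveness)
    band = classify_probability(p_accident)
    cls = risk_class(p_accident, "Catastrophic")
    return {"p_accident": p_accident, "probability": band,
            "risk_class": cls, "meaning": CLASS_MEANING[cls]}


if __name__ == "__main__":
    # Constructed cases: a CFDS failing 1e-7 and 1e-9 per operating hour that defeats
    # every projectile, then the 1e-7 CFDS assumed to defeat only 90% of them.
    for p_fail, effectiveness in ((1e-7, 1.0), (1e-9, 1.0), (1e-7, 0.9)):
        result = assess_loss_of_cfds(p_fail, effectiveness)
        print(f"P_CFDS={p_fail:.0e} effectiveness={effectiveness:.2f}: "
              f"P_accident={result['p_accident']:.2e} -> {result['probability']} "
              f"-> Class {result['risk_class']} ({result['meaning']})")
```

Two things fall out of running it. First, with the threat condition taken as 1, a CFDS failure rate of 1e-7 per hour still lands a Catastrophic accident in Class A, and only a 1e-9 rate brings it down to Class B, so the designer's failure rate alone carries the whole burden. Second, as soon as the CFDS is credited with less than total effectiveness, the accident probability is dominated by the projectiles a working CFDS lets through and the class is Frequent/A regardless of how reliable the dispenser is, which is why the text points to a different protective measure to make this accident type tolerable.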




Consider the failure mode: "SPS functions when not required".

This failure mode could present the following hazardous conditions:

  • During formation flying (and/or air-to-air refueling) unexpected CFDS dispensing by the lead aircraft might present all sorts of hazards to other aircraft.
  • The aircraft might be in an emergency condition in a threat environment, which may require dumping of fuel. The pilots are faced with two choices:
    1. Retain the self-protection system, but risk possible fuel ignition if dispensing occurs.
    2. Disable the self-protection system in a high threat environment.
  • Uncommanded (or uncontrolled) functioning of a DIRCM (Directional Infra Red Countermeasure) system might result in severe retina (eye) damage to a third party (e.g. other pilots, ground crew, civilian personnel).