Airplane Rule

From the JargonFile (aka TheJargonLexicon?) 4.1.4:

airplane rule
n. Complexity increases the possibility of failure; a twin-engine airplane has twice as many engine problems as a single-engine airplane." By analogy, in both software and electronics, the rule that simplicity increases robustness. It is correspondingly argued that the right way to build reliable systems is to put all your eggs in one basket, after making sure that you've built a really good basket. See also KissPrinciple, elegant.

Actually, doubling the engines gets you more than twice the complexity. The airplane gets heavier so you require more fuel to keep it aloft. Which makes it heavier, so you need more horsepower and more fuel... you get the idea.

[Those things (fuel, etc) scale with the doubling of engines, but adding two engines you now have to worry about resonance on the single fuselage though which you never had to worry about before.]
There's a probability angle here. A lot of people writing on this page assume that engine failures are not correlated, which probably isn't true. Suppose an engine has a 50% probability of failing. On a single engine plane, there's a 50% chance that the single engine will fail in-flight. Now, for a twin engine plane, we'd expect that each engine has a 50% chance of failing, so there's only a 25% chance that both engines will fail during the flight.

Except the real odds of both engines failing are much higher, because both engines are on the same airplane, which is a strong correlation. Any environmental or systems factors that could cause one engine to fail are likely to affect the other engine equally. Suppose, for instance, the plane flies through a squadron of migrating geese and both engines are jammed up with goose feathers. If 20% of single engine failures are caused by goose-feather jammings or other environmental factors, the probability of both engines failing rises from 25% to 30% (is that the right answer?), because the failures are correlated.

Yep. In this kind of analysis, correlations should be looked at first, not last. However, some things that appear to be correlations can be treated separately. For instance, typically the age of the two engines is strongly correlated, so failure due to age-related issues will be correlated. But often you can just look at the age-adjusted expectancy of failures for each engine separately, because the failure of one for age-related reasons does not actually cause a failure of the other.

The issue with the geese is different, because then you have the same direct cause of failure for both engines.

The airplane rule is not about catastrophic failure, i.e. both engines malfunction. It is about maintenance cost. And two engines will double your cost for spare parts.

That depends on the failure rates. The need for replacements for planned maintenance will double, but the inventory to cover for some rarer failures will not double, as the stock need not be double. The real doubling would be if there were to be two engines of different type.
Getting bigger doesn't directly equate with complexity.

What does happen though is that not only do you need a unified control system for the two engines, but you also need the flexibility to drive them independently (in case one fails). Also, the fuel system must now allow feeding to two distinct sources, without simply segregating into two copies of the simpler version ... wouldn't do to run out of fuel in the left wing just because you can't get the fuel in the right wing across (whose engine you've cut).

Also, you'll add more stuff to it to support the extra things it can now do. It's better suited to IFR and overwater flights than a single-engine plane, so you'll add more navigation instruments to support those capabilities. It can now fly higher, so you may pressurize it. It will go faster, so you will probably give it retractable gear. All of this adds weight and complexity. Be sure to add lots more stuff to the cockpit for the pilot to manage all this stuff. Oh, and the wing loading is going to go up--it won't be capable of going as slow as a single-engine plane. That means that human errors will get you into trouble faster.

I heard that a recent study found that civilian pilots have many more accidents in twin-engine planes than in single-engine planes. If true, it makes sense, because the engines are now much more reliable than a pilot who is dealing with too much complexity.

It has been said that for the inexperienced pilot, in the case of an engine failure, the second engine is there to get you to the site of the crash.
A pilot must be trained and current with engine-out procedures in this type of aircraft. The stopped engine will cause a great deal of drag until the prop on that side is feathered. Once the prop is feathered, there will still be an asymmetric thrust and lift which must be accounted for with rudder and aileron. All this has to be done very quickly. It has also been found that most engine failures occur shortly after takeoff (i.e. close to the ground). Some of these problems are addressed in the design of the Cessna Skymaster, which has a fore-and-aft tractor and pusher configuration. --TimVoght
Example problem: The 1989 Kegworth air disaster, where a 2-engined airliner lost one engine on the landing approach, but the crew turned off the wrong engine (for various complicated and interesting reasons) and the plane hit the M1 motorway. -- AndrewMcGuinness
Don't forget that adding the second engine serves a purpose though. Although it is about twice as likely for a twin-engine plane to have an engine problem than a single-engine plane, a twin is thousands of times less likely to lose all its engines than is a single engine plane. --StefanVorkoetter

Really "thousands of times"? I know little about aviation, but it seems like faults that would take out both engines (electrical failure? contaminated fuel?) would happen at least once per thousand engine failures.

Good point about the kinds of failures that would take out both engines, but ... I was referring to failures of the engines inherent in the engines themselves (e.g. broken crankshaft). A fuel problem (or running out of fuel) will clearly take out both engines, and having more engines won't help. In most aircraft, an electrical system failure won't take out any engines at all; the electrical system is only used to run the starter motor. --StefanVorkoetter

There isn't a medical application out there at Class II or above that uses exactly one processor to run it. Why? Because one Master and one Safety can backcheck each other and make sure that a single point of failure won't cause a patient to die. I worked on one Class III apheresis machine that had 14 processors in it, and each one was needed.

This is off-topic but I'd love to know what Class II and Class III mean in this context. MedicalApplicationClasses? -- StevenNewton

[Class I is a device for which the controls are sufficient to provide reasonable assurance of the safety and effectiveness of the device.

Class II is a device used to support or sustain human life and requires "special controls" to assure the safe and effective operation of the instrument.

Class III is the most stringent regulatory category for medical devices. Class III devices are usually those that support or sustain human life, are of substantial importance in preventing impairment of human health, or which present a potential, unreasonable risk of illness or injury.

You can learn more by going to the FDA site and looking at the provisions of the Food, Drug, and Cosmetic Act. Medical device classification is covered under Section 501 [].]

Simpler is not always better. It smacks of DesertIslandFallacy. Tell me that having 14 processors doesn't make some aspect of it simpler. Ideally, one _never_ adds complexity for complexity's sake. Most likely it simplifies some aspect of fault-tolerance; it's a lot easier to deal with one failing processor among several than one failing transistor among several in a single processor. Simplification of the proof/demonstration of tolerance is still simplification. --WilliamUnderwood

This is reaching back a half dozen years or so, and some of the details have faded. The apheresis machine had six pumps that all operated independently. Each of the six axes had a board with two processors; a primary and a safety. One CPU was for external communications and wasn't critical to the instrument's safe operation. The last processor did all the UI and instrument management stuff, I think, but I don't remember.

This is where the details really begin to break up. As I recall, each of the six axes had a primary CPU that was on the board most closely related to the axis. However, the safety CPU was on a different board, randomly assigned at power up or procedure start or something. The idea was that a complete CPU board failure wouldn't freeze up an axis. The safety processor would take over (from afar) and finish the procedure. This was kinda important when you had as much as a liter and a half of the patient's blood hanging around in tubes, pumps, bags, centrifuge, and various other plumbing.

So, the use of all those 14 processors was important. This was not a case of doing something in a complex way because the simple solution was too hard.
Multiple engines are also needed for redundancy. In case of one failing, there is another to take place of the failing or non-functioning engine. Both in the military and in commercial aviation, by having properly-trained pilots this redundancy outweighs the statistical complexity.

Speaking of pilots, airliners have a pilot and a co-pilot, and to prevent a single point of failure they aren't allowed to have the same in-flight meal.
I think accounting goes against this -- after all, its heart is DoubleEntryBookkeeping. This system involves making at least two entries for every transaction: a debit in one account, and a corresponding credit in another account. The sum of all debits should always equal the sum of all credits, providing a simple way to check for errors. But... by the rule stated at the beginning of this page, double entry actually increases the likehood of errors, doesn't it?

Yes, it should approximately double the overall likelihood of an error occurring, but it greatly decreases the probability of having an error without knowing that it exists.
CategoryHardware, CategoryJargon, CategoryRealTime, CategorySimplification, CategorySolutions, CategoryStory

EditText of this page (last edited June 4, 2013) or FindPage with title or text search