by ghostfish 4995 days ago
Two thoughts here. 1) You're working from an awfully small sample, especially for a component that is supposed to be of such a high reliability. Then again, look at the probabilistic assessment of Shuttle success vs. actual. 2) The Merlin 1C engine is only going to make a few more flights afaik. Starting some time in 2013 they'll be switching to Merlin 1D.

Indeed, predictions are extremely hard. Especially about the future.

At least I am explicit in the assumptions behind that model. They are:

1. A priori, all possible reliability numbers for a single engine are assumed equally likely. (This can be debated endlessly, but you need SOME prior for Bayesian analysis. If we had more data, then the prior would matter a lot less, but we don't so it does.)

2. Failure of engines is independent.

3. The rocket actually operates according to design parameters. That is, it will survive the loss of any 2 engines, but not the loss of 3.

4. Past performance is a predictor of future performance.

Every one of those assumptions is questionable.
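
The model those four assumptions describe, as an added example that is not part of the thread or the commenter's own code. The default of 9 engines is an assumed parameter, and the engine-flight counts used in the demo are constructed, not SpaceX data.

```python
"""Posterior-predictive mission success under the four assumptions listed above."""
from math import comb, exp, lgamma


def _log_beta(a: float, b: float) -> float:
    return lgamma(a) + lgamma(b) - lgamma(a + b)


def mission_success(ok: int, failed: int, engines: int = 9, tolerated: int = 2) -> float:
    """P(at most `tolerated` of `engines` fail on the next flight).

    Assumption 1: uniform prior Beta(1, 1) on per-engine reliability p.
    Assumption 2: engines fail independently given p.
    Assumption 3: the vehicle survives `tolerated` failures and no more.
    Assumption 4: past engine-flights (ok, failed) predict the next flight.
    """
    if ok < 0 or failed < 0 or not 0 <= tolerated <= engines:
        raise ValueError("counts must be non-negative and tolerated <= engines")
    a, b = 1 + ok, 1 + failed  # posterior on p is Beta(a, b)
    total = 0.0
    for j in range(tolerated + 1):
        # Beta-binomial term: C(n, j) * B(a + n - j, b + j) / B(a, b)
        log_term = _log_beta(a + engines - j, b + j) - _log_beta(a, b)
        total += comb(engines, j) * exp(log_term)
    return min(total, 1.0)


def plug_in_success(ok: int, failed: int, engines: int = 9, tolerated: int = 2) -> float:
    """Same question with the point estimate p = ok / (ok + failed).

    Ignores uncertainty about p, so it is overconfident on small samples.
    """
    p = ok / (ok + failed)
    return sum(comb(engines, j) * p ** (engines - j) * (1 - p) ** j
               for j in range(tolerated + 1))


if __name__ == "__main__":
    # Constructed sample: 45 engine-flights with 1 failure (not real data).
    ok, failed = 44, 1
    print(f"no data at all      : {mission_success(0, 0):.4f}")
    print(f"posterior predictive: {mission_success(ok, failed):.4f}")
    print(f"plug-in estimate    : {plug_in_success(ok, failed):.4f}")
```

With no data, the uniform prior makes every failure count from 0 to 9 equally likely, which shows how much the small sample leans on assumption 1.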

Unfortunately #2 is extremely unlikely to be true. Engine failures are very related in very unexpected ways. The SpaceX guys have worked very hard to make them as independent as possible but with so many failure modes it is impossible to say that an engine failure (i.e. explosion) will have no impact on its neighbors.

Actually, in the NAS Oceana F/A-18 crash, two different engines failed for different reasons. The first one was a right engine compressor failure, the second was an apparent afterburner blowout. A twin engine jet crashed as a result.

Do you have a primary source? I'm genuinely interested in the report if it is available. Google just gives news stories saying "OMG a plane crashed into an apartment building!" which isn't helpful to the engineer in me.

Here is the mishap report: http://goo.gl/GuHG5
I mentioned this because double engine failures due to separate causes do actually occur, although rarely.

Short version: The right engine compressor failed due to apparent fuel ingestion, causing a major over-temp. The noise was mistakenly attributed to a blown tire, so the pilot left the gear down. This required MAX Afterburner on the remaining engine to recover, except the engine had an afterburner blowout, and didn't provide MAX power and the jet departed controlled flight due to low speed.

Thanks for the report. A really interesting read for the engineer in me. Under "primary cause analysis" on page 18 of the report (pg 24 of the pdf) it says that they may have actually been related:

In summary, after the right engine failed due to fuel ingestion, the left engine had to push some air over to the non-functioning engine (for cooling I assume but it isn't stated). When the left engine afterburner did not light, its "relight logic" did not trigger possibly because of the lower air amount. So the engineer who wrote the relight logic assumed that the temperature would drop at a certain rate when the afterburner failed to light. Because the engine was working to assist the failed engine, that temperature drop did not happen and thus the afterburner did not attempt to automatically relight itself.

Sounds like it may be dependent after all.

Yup.

I invite you to create a toy model that takes that into account in some way and see what answers you come up with.

> 4. Past performance is a predictor of future performance.

This is your real error. SpaceX is effectively acting in perpetual “test” mode. New lessons are learned with each flight and each rocket test, and that greatly informs all follow-on operations.

The type of analysis you've done is reasonable for a fleet of deployed 747s. It is (forgive me) entirely useless for this sort of endeavour at its current stage.

I wonder what your analysis of SpaceX's future performance would have been in Oct 2008, right after their first successful Falcon 1 launch and three failed priors?