CRITICALITY

Many industries categorize products by criticality, especially when an individual’s safety or life is in danger. However, every industry has its own terminology and number of criticality categories. The military talk about mission criticality, whereas commercial aerospace is more concerned about safety criticality. Mass transport worries about vital equipment, while software gurus have five criticality categories for their products.

In principle, criticality is established by Hazard Analysis, which uses data from Failure Mode and Criticality Effects Analysis (FMECA). This fancy name is really a matrix that lists all failure modes of a system with their probability, effects on the performance of the system, and likelihood of affecting the criticality of the system.

For the purpose of illustration, equipment becomes nonessential, essential, or critical. Nonessential equipment can malfunction, provided that it doesn’t affect any other equipment. It may cause unhappy customers, but safety is not an issue and criticality is not a commercial consideration.

You have to be careful about potential fault propagation. Think about airborne-passenger entertainment equipment. Rumors that a faulty entertainment center caused an airliner crash not that long ago reinforce my qualifier that we must contain a failure within the equipment.

Essential equipment can fail only if the failure is guaranteed not to affect safety and the functional loss can be handled by an increased personnel workload. Such systems are usually fail-safe or fail-passive. For instance, a failure in an aircraft nosewheel steering system usually results in the loss of hydraulic pressure from the steering actuators, resulting in free castoring of the nosewheel. For the pilot, this is a nuisance, but the aircraft can still be controlled on the ground by differential braking and differential engine thrust.

Many essential systems are a mixture of essential and critical functions. While the steering, in this case, can be classified as essential, the monitoring function (e.g., the circuits detecting failure and causing the removal of hydraulic pressure) is critical. When exposed to a High Intensity Radiated Field (HIRF), the steering may disconnect as a result of the interference, but it cannot refuse to be turned off, or allow or cause an uncommanded movement. In terms of practical implementation, the systems comprise two channels processing the same information. A disagreement between the two is classified as a failure and the control function is disconnected, reverting to manual.

Like the bunny in the Energizer commercials, critical equipment just keeps going and going and going. It is appropriately called fail-operative. The system’s monitor will indicate a failure but will not stop the function. There is no reversion to manual. Flight controls are the best example. We have three controls on an aircraft: yaw, pitch, and roll, and you can’t lose any of them. Fail-operative systems use a minimum of three channels with a majority vote.
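The two monitoring architectures described above, the two-channel comparator that disconnects on disagreement (fail-passive, the steering case) and the three-channel majority vote that keeps operating with one faulty lane (fail-operative, the flight-control case), as an added illustration in C. This is constructed example code, not from the text or any real avionics system; the function names, status values, tolerance and sample commands are all assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Monitor outcome for one control cycle (names constructed for this example). */
enum status { OK = 0, FAULT_FLAGGED = 1, DISCONNECTED = 2 };

/* What the monitor decided and the command actually sent to the actuator. */
struct result { enum status status; double command; };

/* Two lanes agree when their commands differ by no more than the tolerance. */
static bool lanes_agree(double a, double b, double tol) {
    double d = a - b;
    return (d < 0 ? -d : d) <= tol;
}

/* Fail-passive (essential) pattern: two channels compute the same command.
 * Any disagreement counts as a failure; output is forced to zero (no hydraulic
 * pressure, nosewheel free castoring) and control reverts to the pilot. */
struct result dual_channel(double cmd_a, double cmd_b, double tol) {
    struct result r = { OK, cmd_a };
    if (!lanes_agree(cmd_a, cmd_b, tol)) {
        r.status = DISCONNECTED;   /* monitor tripped: reversion to manual */
        r.command = 0.0;           /* passive output, nothing uncommanded */
    }
    return r;
}

/* Fail-operative (critical) pattern: three channels with a majority vote.
 * When at least two lanes agree their value is used and the function keeps
 * running; a lone dissenting lane is flagged but cannot stop the output. */
struct result triple_vote(double a, double b, double c, double tol) {
    bool ab = lanes_agree(a, b, tol), bc = lanes_agree(b, c, tol), ac = lanes_agree(a, c, tol);
    struct result r = { DISCONNECTED, 0.0 };   /* no majority at all: last resort */
    if (ab && bc)  { r.status = OK;            r.command = b; } /* all agree */
    else if (ab)   { r.status = FAULT_FLAGGED; r.command = a; } /* c is odd */
    else if (bc)   { r.status = FAULT_FLAGGED; r.command = b; } /* a is odd */
    else if (ac)   { r.status = FAULT_FLAGGED; r.command = a; } /* b is odd */
    return r;
}

int main(void) {
    struct result s = dual_channel(4.0, 4.1, 0.5);     /* constructed sample */
    printf("steering: status=%d command=%.1f\n", s.status, s.command);
    struct result p = triple_vote(2.0, 2.0, 9.0, 0.5); /* one lane hard over */
    printf("pitch: status=%d command=%.1f\n", p.status, p.command);
    return 0;
}
```

Note that the triple voter disconnects only when no two lanes agree, which is outside the single-fault case the three-channel design is built for.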