Explicit Modeling
In Appendix D and Appendix L of SAE ARP4761, fault trees are constructed by explicitly specifying each failure combination. The top event is an OR gate. The inputs, which correspond to each of its cut sets, are specified using AND gates. For each basic event, you supply either the probability of failure during the flight or the failure rate with the corresponding exposure time.
When you use explicit modeling, you must specify the different basic events associated with an item. For example, depending on the situation, you might need to consider the following events in the analysis:
Item is failed before the flight.
Item is failed during the flight.
Function X fails in flight, and the failure is detectable.
Function X fails in flight, and the failure is not detectable.
Monitor fails, and its failure is detectable by monitor verification.
Monitor fails, and its failure is not detectable by monitor verification.
In the above list, the first two events are disjoint events. Similarly, the third and fourth events are disjoint events, and the fifth and sixth events are disjoint events. Therefore, they must not be treated as independent events.
For example, consider that cut set 1 contains the first event and that cut set 2 contains the second event. These two cut sets are disjoint because they contain different disjoint events that belong to the same group. If the cut set summation calculation method is used, each cut set is automatically considered as a disjoint event. In other words, the probability of each cut set is calculated separately. The top event probability is then calculated as the sum of the probabilities of all cut sets.
When all cut sets are disjoint, the cut set summation method produces correct results. However, except in a few simple cases, it is difficult to determine whether all cut sets are truly disjoint. If the cut sets are not disjoint, the cut set summation calculation method may overestimate the probability of the top event. However, when failure rates and exposure times are small, the error associated with this approximation is generally negligible.
When the exact calculation method is used with explicit modeling, you must specify which events are disjoint. Although explicit modeling is useful, the number of cut sets grows rapidly with system size, which quickly becomes a problem.
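As an added illustration (not code from ARP4761 or the FTA module), the following Python computes the top event probability for the two cut sets discussed above by cut set summation and by exact inclusion-exclusion, with and without declaring the "failed before the flight" and "failed during the flight" events disjoint; all failure rates and exposure times are constructed values.

```python
import math
from itertools import combinations

def event_probability(failure_rate, exposure_time):
    """Probability of a basic event for a constant failure rate (per hour)
    over its exposure time (hours): 1 - exp(-lambda * T)."""
    return 1.0 - math.exp(-failure_rate * exposure_time)

def cut_set_summation(cut_sets, probs):
    """Sum of cut-set probabilities: exact only when every pair of cut sets
    is mutually exclusive, otherwise an overestimate of the top event."""
    return sum(math.prod(probs[e] for e in cs) for cs in cut_sets)

def exact_top_event(cut_sets, probs, disjoint_groups=()):
    """Inclusion-exclusion over the union of the cut sets. Basic events are
    independent unless they share a disjoint group; a term containing two
    events of the same group has probability zero."""
    groups = [frozenset(g) for g in disjoint_groups]

    def term_probability(events):
        if any(len(events & g) > 1 for g in groups):
            return 0.0
        return math.prod(probs[e] for e in events)

    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(cut_sets, k):
            total += sign * term_probability(frozenset().union(*combo))
    return total

def latent_failure_demo():
    """Constructed case: item A is either already failed before the flight
    (latent, 100 h since the last check) or fails during the 2 h flight;
    either one together with an in-flight failure of B is a cut set."""
    probs = {"A_before": event_probability(1e-4, 100.0),
             "A_flight": event_probability(1e-4, 2.0),
             "B_flight": event_probability(1e-3, 2.0)}
    cut_sets = [frozenset({"A_before", "B_flight"}),
                frozenset({"A_flight", "B_flight"})]
    # Declaring A_before/A_flight disjoint removes the spurious
    # P(A_before AND A_flight AND B_flight) correction term.
    return {"summation": cut_set_summation(cut_sets, probs),
            "exact_independent": exact_top_event(cut_sets, probs),
            "exact_disjoint": exact_top_event(cut_sets, probs,
                                              [{"A_before", "A_flight"}])}
```

With the disjoint group declared, the exact result coincides with the summation; without it, the exact method wrongly subtracts an intersection that cannot occur.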
Another difficulty with explicit modeling is that basic events are not only related to one another but may themselves be combinations of other events. For example, consider this event: Function X fails in flight, and the failure is not detectable. This is a combination of two events:
Function X fails in flight.
The failure is not detectable.
Two approaches exist for specifying these types of combined events:
Use one basic event for each combined event. With this approach, the number of basic events increases with the number of possible combined events.
Use two events (or as many events as needed) and an AND gate to form a combined event. With this approach, to specify the event in which Function X fails in flight and the failure is not detectable, you would use an AND gate with two inputs:
Function X fails in flight.
The failure is not detectable.
Now consider this event: Function X fails in flight, and the failure is detectable. You would use an AND gate with two inputs:
Function X fails in flight.
A NOT gate with the following input: The failure is not detectable.
Although you can use these approaches for explicit modeling, they are not always convenient. For large systems, finding all possible failure combinations is very difficult, which means you might unintentionally omit some failure combinations.
The main disadvantage of explicit modeling stems from the fact that different flights have different exposure times due to latent failures. In such cases, the probability of failure varies from flight to flight because the exposure times of system components differ. This leads to the concepts of average and worst-case probabilities of failure per flight or per flight hour.
In many cases, government regulatory bodies and safety assurance certification authorities set limits based on the average probability per flight or per flight hour. For example, in the United States, the FAA (Federal Aviation Administration) requires catastrophic failure conditions in an airplane to be extremely improbable. The average failure probability can be no more than 1E-9 per flight hour.
A conservative approach for dealing with different exposure times is to consider only the worst-case scenario. You do this by using the maximum possible exposure time for each basic event. For example, you can specify the exposure times for backup components as their maintenance check intervals. This gives an upper bound on the probability of failure in any single flight. However, this upper bound can be quite conservative, overestimating the probability of failure per flight.
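The following added Python example (not code from the FTA module or ARP4761) works through the average and worst-case probabilities per flight and per flight hour for a primary/backup pair whose backup failure stays latent until a maintenance check; the flight duration, check interval and failure rates are constructed assumptions.

```python
import math

# Constructed parameters; not taken from the page.
FLIGHT_HOURS = 2.0             # duration assumed for every flight
CHECK_INTERVAL_FLIGHTS = 500   # backup is verified only at this maintenance check
LAMBDA_PRIMARY = 1e-5          # per hour, primary failure is detected in flight
LAMBDA_BACKUP = 1e-5           # per hour, backup failure is latent until the check

def event_probability(failure_rate, exposure_time):
    """Probability of failure over the exposure time: 1 - exp(-lambda * T)."""
    return 1.0 - math.exp(-failure_rate * exposure_time)

def loss_probability_for_flight(flight_index, flight_hours=FLIGHT_HOURS,
                                lam_primary=LAMBDA_PRIMARY,
                                lam_backup=LAMBDA_BACKUP):
    """Probability of losing the function on the flight_index-th flight
    (1-based) after the last check. The function is lost when the primary
    fails during this flight AND the backup is already failed, so the
    backup's exposure is everything flown since the check, this flight
    included. That exposure, and therefore the probability, grows with
    every flight in the check interval."""
    backup_exposure = flight_index * flight_hours
    p_primary = event_probability(lam_primary, flight_hours)
    p_backup = event_probability(lam_backup, backup_exposure)
    return p_primary * p_backup

def per_flight_summary(flight_hours=FLIGHT_HOURS,
                       check_interval=CHECK_INTERVAL_FLIGHTS,
                       lam_primary=LAMBDA_PRIMARY, lam_backup=LAMBDA_BACKUP):
    """Average and worst-case probability per flight and per flight hour
    across one maintenance check interval. The worst case is the last
    flight before the check, i.e. the backup exposed for the full interval,
    which is the conservative figure the text describes."""
    per_flight = [loss_probability_for_flight(i, flight_hours, lam_primary, lam_backup)
                  for i in range(1, check_interval + 1)]
    average = sum(per_flight) / len(per_flight)
    worst = per_flight[-1]
    return {"average_per_flight": average,
            "worst_per_flight": worst,
            "average_per_flight_hour": average / flight_hours,
            "worst_per_flight_hour": worst / flight_hours}

def meets_catastrophic_target(average_per_flight_hour, limit=1e-9):
    """Compare the average rate against the 1E-9 per flight hour figure
    the text cites for catastrophic failure conditions."""
    return average_per_flight_hour <= limit
```

For small failure rates the backup probability grows almost linearly over the interval, so the worst-case figure is roughly twice the average, which is the margin the worst-case approach gives away.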
To avoid the many difficulties associated with explicit modeling, the FTA module supports high-level modeling features. Thus, you can determine all possible failure combinations and exposure times for different flights. Analysis results include both average and worst case probabilities of failure per flight and per flight hour. In addition, the analysis is extended to include mission probability calculations, which consider the number of flights per mission.