SAE Fault Tree Calculations
SAE ARP4754A and ARP4761 provide processes and analysis methods for performing functional hazard and system safety assessments for aircraft verification and certification. In SAE trees, the main focus is to determine the probability of failure per flight or per flight hour. Therefore, the top event usually indicates the occurrence of an undesired event within a flight.
Exposure times depend on several factors, including:
Flight duration
Durations of specific flight phases where the functions associated with basic events are used
Maintenance check intervals associated with items that can cause latent failures
Monitor check intervals
Monitor scrub times
In addition, exposure times depend on failure detection percentages and monitor scrub verification percentages.
Assume an item is known to be working at the beginning of a flight and is used throughout the entire flight. The exposure time is then equal to the estimated average flight duration.
Assume an item is used only in certain phases of a flight and is checked either at the beginning of the flight or just before its use. The exposure time is then less than the estimated average flight duration.
Assume that the status of an item is not known at the beginning of a flight or before its use. The item might then fail latently.
Latent failures disable protective mechanisms or reduce safety margins, increasing the risk of hazards due to subsequent conditions or failures. Usually latent failures affect only functions that are not relied on in normal operation, but which provide fail-safe coverage and/or protection against abnormal conditions.
Latent failures can persist for a time interval that is either greater than or less than the flight time. The exposure time is defined as the time between when an item was last known to be operating properly and when it will next be known to be operating properly. Proper operation might be verified during acceptance tests, maintenance checks, monitor cycle times, power-up tests, and more. For example, if an item is tested for proper operation every 20 flights, then the exposure time in the worst-case scenario is 20 flight hours.
If a monitor is used to watch the status of an item, then the exposure time of this function or item is linked to the exposure time for the monitor. Assume that all failures of the item are detectable (the failure detection percentage is 100%). Also assume that the monitor's scrub verification is perfect (the verification percentage is 100%). The exposure time is then equal to the monitor's scrub time.
Once exposure times are determined for each item in the tree, you can calculate the probability of failure per flight.
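As an added worked example (not code from the FTA module or from the SAE documents), the exposure-time cases above carried through to a per-flight probability: an active item exposed for the whole flight, a latent protective function exposed until its next maintenance check, and a monitored item. All failure rates, durations and check intervals are constructed sample values; splitting a monitored item into a detected part (exposed for the scrub time) and an undetected part (latent until the next check) is a modeling assumption, and scrub verification is taken as perfect.

```python
import math

# Constructed sample values for the illustration, not from any standard.
FLIGHT_HOURS = 5.0            # estimated average flight duration
CHECK_INTERVAL_FLIGHTS = 20   # maintenance check every 20 flights

def p_fail(rate_per_hour, exposure_hours):
    """P(item fails at least once during its exposure time), exponential model."""
    return 1.0 - math.exp(-rate_per_hour * exposure_hours)

def exposure_active(flight_hours=FLIGHT_HOURS):
    """Known good at takeoff and used all flight: exposure = flight duration."""
    return flight_hours

def exposure_phase(phase_hours):
    """Checked just before use and used in one phase: exposure < flight duration."""
    return phase_hours

def exposure_latent(check_interval_flights=CHECK_INTERVAL_FLIGHTS, flight_hours=FLIGHT_HOURS):
    """Status unknown between checks: worst case, the item failed right after
    the last check and stays failed until the next one."""
    return check_interval_flights * flight_hours

def p_monitored(rate_per_hour, detection_pct, scrub_hours,
                check_interval_flights=CHECK_INTERVAL_FLIGHTS, flight_hours=FLIGHT_HOURS):
    """Monitored item with perfect scrub verification (100 %).
    Modeling assumption: the detected fraction of failures is exposed only for
    the monitor scrub time, the undetected fraction stays latent until the next
    maintenance check. With 100 % detection the exposure is just the scrub time."""
    d = detection_pct / 100.0
    lam_t = (d * rate_per_hour * scrub_hours
             + (1.0 - d) * rate_per_hour * exposure_latent(check_interval_flights, flight_hours))
    return 1.0 - math.exp(-lam_t)

def and_gate(*probs):
    """All independent input events occur."""
    return math.prod(probs)

def or_gate(*probs):
    """At least one independent input event occurs."""
    return 1.0 - math.prod(1.0 - p for p in probs)

def hazard_per_flight(primary_rate=1e-5, protection_rate=1e-6):
    """Top event: an active primary failure during the flight AND the latent
    protective function having already failed undetected since its last check."""
    p_primary = p_fail(primary_rate, exposure_active())
    p_protection = p_fail(protection_rate, exposure_latent())
    return and_gate(p_primary, p_protection)

if __name__ == "__main__":
    print(f"P(hazard) per flight = {hazard_per_flight():.3e}")
    print(f"monitored, 100 % detection: {p_monitored(1e-6, 100, 0.5):.3e}; "
          f"90 % detection: {p_monitored(1e-6, 90, 0.5):.3e}")
```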
One way to construct this type of tree is to explicitly specify each possible failure combination. This is the approach described by SAE ARP4761 in Appendix D and Appendix L. However, the FTA module supports high-level features to avoid the difficulties that arise in explicit modeling. The following topics describe both modeling approaches and provide examples of what these SAE trees might look like in the FTA module: