Fault Tree Analysis (FTA) is the predominant means of compliance for verifying quantitative safety objectives in the aerospace industry, for instance those established in FAR/CS 2X.1309, and it is mandatory for verifying Catastrophic and Hazardous Failure Conditions.
Fault tree analysis is a graphical modelling technique that analyses a particular system failure (e.g. a Failure Condition assessed in the FHA) by connecting all its contributing causes through logical relationships, mainly AND and OR gates.
When analysing architectures containing a closed-loop contribution, such as the ATA 24 Electrical Power System or the ATA 21 Environmental Control System, circular logic may appear in the fault trees. An illustrative example of circular logic is a gate that is used as an input at a lower level inside that same gate. How should we solve a fault tree containing this kind of dependence?
In the example of Figure 1 we have two systems feeding each other: the failure of system A leads to the failure of system B, and the failure of system B leads to the failure of system A.
When breaking down the fault tree we encounter an infinite loop, as illustrated in Figure 2.
Figure 1: Functional Block Diagram of simple architecture containing circular logic
Figure 2: Fault tree representation when analysing Failure of system A
Quick solution approach:
A first approach to calculating the top event (Failure of system A) is to remove the contribution of system A to all other systems. By removing the output of system A from the diagram, as represented in Figure 3, we obtain a simple and correct by-pass of the closed loop when only system A is analysed.
In this case, we replace a generic gate, that is, one that considers all dependencies and contributions leading to the gate, with a specific gate, one from which some dependencies or contributions have been removed. In Figure 4, the OR gate B01_specific is used instead of the generic B01, which means we consider “Failure of system B without the contribution of system A” instead of the generic “Failure of system B”.
Figure 3: Functional Block Diagram of the architecture without the system A output contribution
Figure 4: Fault Tree representing Failure of system A without loop
PROS: Removing the contribution of system A to system B in the diagram is correct when only system A is to be assessed. It is the simplest solution.
CONS: If we also want to analyse system B, we need a similar approach, which requires two different diagrams. In the example above this is manageable, but the effort to keep the analysis consistent could increase drastically on more complex systems.
A generic solution with a single equivalent diagram without loop is required.
To illustrate a broader approach to solving closed-loop Fault Tree Analyses, we are going to analyse a fictional ATA 24 subsystem, the electrical power generation system of an aircraft, whose functionality is shown schematically in Figure 5.
Figure 5: Fictional ATA 24 system
System: Electrical power generation system of an aircraft
- The Generator Control Unit (GCU) is supplied by the Permanent Magnet Generator (PMG) in normal operation and by batteries as a redundant back-up power source
- The FADEC provides the engine speed data to the GCU that is necessary to regulate the generator voltage
- Finally, the GCU regulates the generator speed, voltage and frequency, closing the loop
For the purpose of an illustrative example, we are going to assess the “Loss of the Generator Control Unit” Failure Condition. If we break down the FC in the fault tree, we realise that the top event must also be placed at a lower level, as seen in Figure 6.
Figure 6: Fault Tree (Loss of Generator Control unit)
To draft a solution to break the loop, we use the same principle as in the first example (Figure 7). Removing the GCU contribution to the other systems, when only the GCU is analysed, leads to a correct result for the top event, as it still considers all the other blocks. But Loss_GCU_supply and Loss_PMG are both wrong!
Figure 7: Breaking GCU contribution
To overcome the issue, an equivalent functional block diagram shown in Figure 8 is proposed.
Figure 8: FBD of ATA24 without loop
Green blocks are specific nodes from which the contribution of the PMG has been removed. The breakdown of the fault tree is depicted in Figure 9.
With this approach, Loss_GCU, Loss_GCU_supply and Loss_PMG are all assessed with the appropriate contributions (each node includes all the contributions of the other blocks), so the nodes can be reused as required in other fault trees or systems.
PROS: The solution is exact for all the nodes of the diagram.
CONS: The fault tree size could increase drastically (depending on the loop size), but this is mitigated by the use of suitable software tools*.
We hope you have enjoyed this article, and do not hesitate to contact us if we can help you further with your closed loops in Fault Tree Analysis.
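The following is an added example, not code from the article or from DMD Solutions: a small fault tree evaluator that detects the loop of Figure 2, quantifies the quick approach (deleting the top event's output from the whole diagram, Figures 3 and 7) and the general approach (a "specific" gate wherever the recursion loops back to an ancestor, Figures 8 and 9). The gate names, topology and basic-event probabilities are constructed to mirror the fictional ATA 24 system and are assumptions.

```python
"""Closed-loop fault tree quantification with 'specific' gates.
Added example, not code from the original article. Topology and basic-event
probabilities are constructed to mirror the fictional ATA 24 loop of Figures 5-9."""
from math import prod

# Constructed per-flight-hour basic-event probabilities (assumed values).
BASIC = {"GCU_internal": 1e-5, "PMG_internal": 2e-5,
         "BAT_internal": 1e-4, "FADEC_internal": 5e-6}

# Gates: name -> (type, inputs). Loss_PMG feeds Loss_GCU through the GCU
# supply and Loss_GCU feeds Loss_PMG (the GCU regulates the generator): a loop.
GATES = {
    "Loss_GCU":        ("OR",  ["GCU_internal", "Loss_GCU_supply", "Loss_FADEC"]),
    "Loss_GCU_supply": ("AND", ["Loss_PMG", "Loss_BAT"]),
    "Loss_PMG":        ("OR",  ["PMG_internal", "Loss_GCU"]),
    "Loss_BAT":        ("OR",  ["BAT_internal"]),
    "Loss_FADEC":      ("OR",  ["FADEC_internal"]),
}

def find_loops(gates, node, path=()):
    """Static check: every gate cycle reachable from `node` (Figure 2's infinite loop)."""
    if node in path:
        return [path[path.index(node):] + (node,)]
    _, inputs = gates.get(node, (None, []))
    return [c for i in inputs for c in find_loops(gates, i, path + (node,))]

def probability(gates, basic, node, path=frozenset()):
    """P(node) for independent basic events. An input that loops back to a gate
    already on the recursion path is taken as FALSE (probability 0), turning the
    gate into its 'specific' variant: an OR gate drops the contribution, an AND
    gate that needed it can no longer fail. This is the least fixed point of the
    cyclic Boolean system, so every node is exact when used as a top event."""
    if node in basic:
        return basic[node]
    kind, inputs = gates[node]
    here = path | {node}
    ps = [0.0 if i in here else probability(gates, basic, i, here) for i in inputs]
    return prod(ps) if kind == "AND" else 1.0 - prod(1.0 - p for p in ps)

def without_output(gates, node):
    """Quick approach (Figures 3 and 7): delete `node` from every gate's inputs.
    Exact for `node` itself, but other gates lose a real contribution."""
    return {g: (k, [i for i in ins if i != node]) for g, (k, ins) in gates.items()}

if __name__ == "__main__":
    print("loops:", find_loops(GATES, "Loss_GCU"))
    for top in ("Loss_GCU", "Loss_PMG", "Loss_GCU_supply"):
        print(f"{top:16s} exact: {probability(GATES, BASIC, top):.4e}")
    quick = without_output(GATES, "Loss_GCU")
    print(f"Loss_PMG in quick Loss_GCU tree: {probability(quick, BASIC, 'Loss_PMG'):.4e}")
```

Both approaches agree on Loss_GCU, but the Loss_PMG node inside the quick tree carries only the PMG internal failure, which is why it cannot be reused in another fault tree.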
* DMD Solutions has developed a software FTA tool which allows the repetition of nodes in other fault trees or other systems' FTAs and is consistent with change propagation (e.g. allowing the use of electrical power system fault trees in other system fault trees, such as avionics).
Figure 9: Fault Tree “Loss of GCU” without loop