Aerospace and Electronic Systems Magazine March 2017 - 12

Refining Fault Trees Using Aviation Definitions for Consequence Severity
with terrain) and F02 (control system failure causing crash with
another flying object).

ANALYSIS AND DISCUSSION
Categorizing faults using more than just one severity level allows
each fault to be assessed in a more refined manner. This contributes to reducing overconservatism, since conventional fault trees
lump less severe faults together with more severe faults, and since
those combined faults must all be modeled at the severity level
associated with the worst fault in the group. By contrast, because
CSL analysis allows fault probabilities to be separated into different severity levels with different safety requirements, CSL analysis
allows designers more flexibility to meet overall safety requirements.
In quantifying our use case related to UAS inspection, we assumed the damage conditions of most concern would fall in the
hazardous category, based on the presumed low speed, low weight,
and small size of the aircraft. As such, we analyzed the risk of damage using Figure 5, assuming a requirement that top-level risk not
exceed $10^{-7}$ for hazardous consequences.
The details of the assigned fault probability values are provided in the appendix. Fault probabilities were selected such that the
top-level probability for a major consequence was approximately
$10^{-5}$ and for a hazardous consequence, $10^{-7}$. In other words, the
probabilities were allocated so that the system would satisfy the
design specification, at least in concept.
The resulting top-level fault risk for each of the three methods
described in this article (binary, fuzzy, and CSL analyses) is summarized in Table 12.
Of the three analyses, the binary analysis is most problematic,
because it lumps major, hazardous, and catastrophic consequences
into one category. As such, there is no way to distinguish between
the various categories, so the entire top-level risk (a probability
of $10^{-5}$) must be compared with the specification (allowable probability of hazardous consequence should be no more than $10^{-7}$). In
this sense the binary analysis cannot verify the system meets its
requirement.
The fuzzy and CSL analyses introduce more granularity, and
separate out major consequences from hazardous consequences.
As indicated by the values in Table 12, both analyses suggest the
system meets the $10^{-7}$ limit on hazardous consequences.
Although both fuzzy and CSL analyses suggest hazardous
consequences are sufficiently rare, it is not clear that the fuzzy
method is a useful tool for verification of a safety-critical system.
On closer scrutiny, it is evident that the fuzzy and CSL
analyses differ in their predicted probability distributions at
all severity levels. Notably, the fuzzy analysis results in higher
probabilities at both extremes; this is to say that the fuzzy analysis has both a higher probability of "no failure" events and a
higher probability of "catastrophic" events than CSL analysis.
This phenomenon can be understood by examining the fuzzy
logic mappings described by (9) and (10). Because the fuzzy operators use max and min functions on the input states, they tend
to push probability to the more extreme states (i.e., to no failure
and catastrophic consequences). By comparison the promotion
and mitigation operators described by (11) and (12) are designed
such that it is possible to restrict shifts of probability to only one
severity level up or down. This means that the CSL promotion
gate does a better job of maintaining probability at all severity
levels, unlike fuzzy logic, which tends to push probability to the
extremes of the distribution. The fact that fuzzy analysis pushes
probability toward the extreme severities makes for a gradual
erosion of the probability distribution, with the distribution tending increasingly toward a binary distribution (with all probability at the top and bottom severity level) as the number of fuzzy
logic operations increases.
This limitation of fuzzy logic is complemented by two additional issues: 1) if a fuzzy OR gate is used to model a promotion
event, the result is highly sensitive to the promotion event's assigned probability distribution, and 2) if a fuzzy AND gate is used
to model a mitigation event, the result does not guarantee safety,
as the process of mapping probability toward the lower extremes
(the no fault case) tends to underpredict consequence probabilities
at later stages of the analysis.
The CSL analysis addresses these undesirable characteristics
of a fuzzy analysis through simpler yet more accurate modeling using promotion and mitigation gates. The result is that CSL analysis
more appropriately preserves gradations of probability across all
severity levels.
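
The max/min behaviour discussed above, as an added example (not code from the article). Equations (9) to (12) are not reproduced on this page, so the gates here are assumptions: fuzzy OR/AND take the max/min severity of two independent inputs, and the hypothetical `promote`/`mitigate` gates move a fraction `prob` of each level's mass exactly one level. The distributions are constructed sample values.

```python
from itertools import product

LEVELS = ["None", "Min", "Maj", "Haz", "Cat"]  # severity scale used in Table 12

def combine(p, q, op):
    """Distribution of op(a, b) for independent severity indices a ~ p, b ~ q."""
    out = [0.0] * len(p)
    for (i, pi), (j, qj) in product(enumerate(p), enumerate(q)):
        out[op(i, j)] += pi * qj
    return out

def fuzzy_or(p, q):
    return combine(p, q, max)   # output severity is the worse of the two inputs

def fuzzy_and(p, q):
    return combine(p, q, min)   # output severity is the milder of the two inputs

def shift_one(p, prob, step):
    """Assumed one-level gate: move `prob` of each level's mass by `step` (+1 or -1)."""
    out = [0.0] * len(p)
    for i, pi in enumerate(p):
        target = min(max(i + step, 0), len(p) - 1)  # end levels saturate
        out[i] += pi * (1.0 - prob)
        out[target] += pi * prob
    return out

def promote(p, prob):
    return shift_one(p, prob, +1)

def mitigate(p, prob):
    return shift_one(p, prob, -1)

def chain(op, p, n):
    """Combine n independent copies of p with the same fuzzy operator."""
    result = p
    for _ in range(n - 1):
        result = op(result, p)
    return result

# Constructed sample distributions (not values from the article).
MID = [0.1, 0.3, 0.3, 0.2, 0.1]
MINOR_ONLY = [0.0, 1.0, 0.0, 0.0, 0.0]

if __name__ == "__main__":
    for n in (1, 2, 4, 8):  # mass drifts to Cat under OR and to None under AND
        print(n, [round(x, 3) for x in chain(fuzzy_or, MID, n)],
              [round(x, 3) for x in chain(fuzzy_and, MID, n)])
    print("fuzzy OR:", fuzzy_or(MINOR_ONLY, MID))   # mass reaches Cat in one step
    print("promote :", promote(MINOR_ONLY, 0.6))    # mass reaches Maj at most
```

With a pure "Min" input, both gates move 0.6 of the mass upward, but the fuzzy OR spreads it as far as "Cat" in a single operation while the one-level gate stops at "Maj".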

CONCLUSION
This article described a new alternative to fault-tree analysis for a
UAS, an approach we dub CSL analysis. Since not all faults in unmanned aircraft will put human lives in danger, splitting up faults
into different severity levels and then performing CSL analysis allows the less severe faults to be subjected to less restrictive safety
requirements. In this sense, CSL analysis allows UAS designers
more flexibility to meet the FAA's safety requirements, particu-

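Table 12. Top Level Risk Probability

          None             Min      Maj                     Haz                     Cat
Binary    $1 - 10^{-5}$             $10^{-5}$ (Maj, Haz, and Cat lumped into one category)
Fuzzy     0.956            0.044    $10^{-5}$               $10^{-7}$               $5.0 \times 10^{-10}$
CSL       0.951            0.049    $1.4 \times 10^{-5}$    $5.1 \times 10^{-8}$    $6.0 \times 10^{-12}$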

IEEE A&E SYSTEMS MAGAZINE

MARCH 2017


