Aerospace and Electronic Systems Magazine March 2017 - 4

Feature Article:

DOI. No. 10.1109/MAES.2017.150171

Refining Fault Trees Using Aviation Definitions for
Consequence Severity
Tszhim J. Leung, Jason Rife, Tufts University, Medford, MA, USA

INTRODUCTION
Unmanned aerial systems (UAS) are being considered for civilian tasks that are time consuming and costly for humans, such as
package delivery or surveillance. To derive maximum benefit in
these applications, UAS will need to be autonomous rather than
remotely operated. Safety rules for autonomous, unoccupied vehicles have yet to be defined. As of February 2015, the Federal
Aviation Administration (FAA) still requires that a UAS operator
maintain line of sight with the UAS [1]. As safety standards for
autonomous flight emerge, it is expected that a very large number
of UAS will take to the skies.
Current methods for certification of aviation technologies are
rooted in the assumption of manned flight in relatively low-density
airspace. The massive number of expected UAS flights and the
introduction of increasingly autonomous software autopilots mean
that new methods for certifying UAS technologies are warranted.
In particular, it is overconservative to assume that failures that
could result in the loss of aircraft are necessarily catastrophic, as
they would be in the case of a manned aircraft. In order to provide
more flexibility in modeling faults, this article introduces methods
that tune certification processes to better match FAA standards and
to reduce overconservatism that can delay system certification.
The basic idea of our work is to update the venerable fault tree,
which is at the heart of most certification cases for new aviation
technology. A fault tree quantifies risks associated with various
failure events and maps the risk to a consequence, which is an unfavorable or hazardous outcome of those fault events [2]. Failure
events (also called fault modes) and their associated consequences
(also called effects) are typically identified through a process called
failure modes and effects analysis (FMEA) [3]. Failure modes are
then mapped on to the fault tree, where related faults form branches that lead to an undesired consequence. Typically fault trees use
a binary state to represent each event: either a fault event has occurred or it has not. The probability of fault occurrence is generally
much, much lower than the probability of a nonoccurrence.
Authors' current address: Tufts University, Dept. of Mechanical Engineering, 200 College Ave, Medford, MA 02155, USA.
E-mail: (jason.rife@tufts.edu).
Manuscript received August 7, 2015, revised March 7, 2016,
April 5, 2016, and ready for publication May 29, 2016.
Review handled by R. Wang.
0885/8985/17/$26.00 © 2017 IEEE
4

Whereas conventional fault-tree analysis uses a binary state for
each fault, our proposed method is different in that it uses a multilevel state. Introducing multiple severity levels allows for the consequences of events to be classified more precisely, recognizing
that not all faults have the same (e.g. catastrophic) consequences.
More precise classification of consequences promotes reduced
overconservatism, particularly in safety-critical applications, like
aviation, where sets of faults are classified by the worst case example from the set [4].
Our work is not the first to generalize fault-tree analysis to use
fault states with more than two values. Notably, fuzzy logic has
been applied in the past to model multilevel fault states in general
and aviation-specific safety systems [5], [6]. The limitation of prior
work is that multiple severity levels have been assigned at the level
of the fault mode (root cause) rather than at the level of the fault
effect (final consequence). For safety analysis, unfortunately, it is
not usually clear how to combine faults of different severity levels
to determine their effect. Do two low-severity faults occurring simultaneously result in a higher severity consequence? There is no
generic answer to this question for aviation applications, because
the answer depends on the relationship between the two faults,
which must be characterized on a case-by-case basis, for example
by using an FMEA.
Our proposed method modifies the structure of a traditional
fault tree, by shifting focus away from individual faults and to
groups of faults, called fault chains. A fault chain is a set of events
that together result in an undesired consequence. Because the focus
of the method is on consequences (rather than fault events) and
because those consequences may take on multiple levels of severity, we call our method consequence severity level (CSL) analysis.
The remainder of the article describes CSL analysis and its applications. As a starting point, Section II provides background on
aviation severity levels and fault-tree analysis. Section III introduces CSL analysis. Afterward, Section IV presents a UAS case
study for a representative application: the use of a UAS for an
inspection application. Section V quantifies this application using
both conventional and CSL analysis. To conclude, a final section
summarizes key technical results and their impact for certification
of future UAS.

BACKGROUND
This section describes why aviation severity levels are difficult to
analyze with conventional fault trees, whether using conventional

IEEE A&E SYSTEMS MAGAZINE

MARCH 2017



Table of Contents for the Digital Edition of Aerospace and Electronic Systems Magazine March 2017

No label
Aerospace and Electronic Systems Magazine March 2017 - No label
Aerospace and Electronic Systems Magazine March 2017 - Cover2
Aerospace and Electronic Systems Magazine March 2017 - 1
Aerospace and Electronic Systems Magazine March 2017 - 2
Aerospace and Electronic Systems Magazine March 2017 - 3
Aerospace and Electronic Systems Magazine March 2017 - 4
Aerospace and Electronic Systems Magazine March 2017 - 5
Aerospace and Electronic Systems Magazine March 2017 - 6
Aerospace and Electronic Systems Magazine March 2017 - 7
Aerospace and Electronic Systems Magazine March 2017 - 8
Aerospace and Electronic Systems Magazine March 2017 - 9
Aerospace and Electronic Systems Magazine March 2017 - 10
Aerospace and Electronic Systems Magazine March 2017 - 11
Aerospace and Electronic Systems Magazine March 2017 - 12
Aerospace and Electronic Systems Magazine March 2017 - 13
Aerospace and Electronic Systems Magazine March 2017 - 14
Aerospace and Electronic Systems Magazine March 2017 - 15
Aerospace and Electronic Systems Magazine March 2017 - 16
Aerospace and Electronic Systems Magazine March 2017 - 17
Aerospace and Electronic Systems Magazine March 2017 - 18
Aerospace and Electronic Systems Magazine March 2017 - 19
Aerospace and Electronic Systems Magazine March 2017 - 20
Aerospace and Electronic Systems Magazine March 2017 - 21
Aerospace and Electronic Systems Magazine March 2017 - 22
Aerospace and Electronic Systems Magazine March 2017 - 23
Aerospace and Electronic Systems Magazine March 2017 - 24
Aerospace and Electronic Systems Magazine March 2017 - 25
Aerospace and Electronic Systems Magazine March 2017 - 26
Aerospace and Electronic Systems Magazine March 2017 - 27
Aerospace and Electronic Systems Magazine March 2017 - 28
Aerospace and Electronic Systems Magazine March 2017 - 29
Aerospace and Electronic Systems Magazine March 2017 - 30
Aerospace and Electronic Systems Magazine March 2017 - 31
Aerospace and Electronic Systems Magazine March 2017 - 32
Aerospace and Electronic Systems Magazine March 2017 - 33
Aerospace and Electronic Systems Magazine March 2017 - 34
Aerospace and Electronic Systems Magazine March 2017 - 35
Aerospace and Electronic Systems Magazine March 2017 - 36
Aerospace and Electronic Systems Magazine March 2017 - 37
Aerospace and Electronic Systems Magazine March 2017 - 38
Aerospace and Electronic Systems Magazine March 2017 - 39
Aerospace and Electronic Systems Magazine March 2017 - 40
Aerospace and Electronic Systems Magazine March 2017 - 41
Aerospace and Electronic Systems Magazine March 2017 - 42
Aerospace and Electronic Systems Magazine March 2017 - 43
Aerospace and Electronic Systems Magazine March 2017 - 44
Aerospace and Electronic Systems Magazine March 2017 - 45
Aerospace and Electronic Systems Magazine March 2017 - 46
Aerospace and Electronic Systems Magazine March 2017 - 47
Aerospace and Electronic Systems Magazine March 2017 - 48
Aerospace and Electronic Systems Magazine March 2017 - 49
Aerospace and Electronic Systems Magazine March 2017 - 50
Aerospace and Electronic Systems Magazine March 2017 - 51
Aerospace and Electronic Systems Magazine March 2017 - 52
Aerospace and Electronic Systems Magazine March 2017 - 53
Aerospace and Electronic Systems Magazine March 2017 - 54
Aerospace and Electronic Systems Magazine March 2017 - 55
Aerospace and Electronic Systems Magazine March 2017 - 56
Aerospace and Electronic Systems Magazine March 2017 - 57
Aerospace and Electronic Systems Magazine March 2017 - 58
Aerospace and Electronic Systems Magazine March 2017 - 59
Aerospace and Electronic Systems Magazine March 2017 - 60
Aerospace and Electronic Systems Magazine March 2017 - 61
Aerospace and Electronic Systems Magazine March 2017 - 62
Aerospace and Electronic Systems Magazine March 2017 - 63
Aerospace and Electronic Systems Magazine March 2017 - 64
Aerospace and Electronic Systems Magazine March 2017 - Cover3
Aerospace and Electronic Systems Magazine March 2017 - Cover4
http://www.brightcopy.net/allen/aesm/34-2s
http://www.brightcopy.net/allen/aesm/34-2
http://www.brightcopy.net/allen/aesm/34-1
http://www.brightcopy.net/allen/aesm/33-12
http://www.brightcopy.net/allen/aesm/33-11
http://www.brightcopy.net/allen/aesm/33-10
http://www.brightcopy.net/allen/aesm/33-09
http://www.brightcopy.net/allen/aesm/33-8
http://www.brightcopy.net/allen/aesm/33-7
http://www.brightcopy.net/allen/aesm/33-5
http://www.brightcopy.net/allen/aesm/33-4
http://www.brightcopy.net/allen/aesm/33-3
http://www.brightcopy.net/allen/aesm/33-2
http://www.brightcopy.net/allen/aesm/33-1
http://www.brightcopy.net/allen/aesm/32-10
http://www.brightcopy.net/allen/aesm/32-12
http://www.brightcopy.net/allen/aesm/32-9
http://www.brightcopy.net/allen/aesm/32-11
http://www.brightcopy.net/allen/aesm/32-8
http://www.brightcopy.net/allen/aesm/32-7s
http://www.brightcopy.net/allen/aesm/32-7
http://www.brightcopy.net/allen/aesm/32-6
http://www.brightcopy.net/allen/aesm/32-5
http://www.brightcopy.net/allen/aesm/32-4
http://www.brightcopy.net/allen/aesm/32-3
http://www.brightcopy.net/allen/aesm/32-2
http://www.brightcopy.net/allen/aesm/32-1
http://www.brightcopy.net/allen/aesm/31-12
http://www.brightcopy.net/allen/aesm/31-11s
http://www.brightcopy.net/allen/aesm/31-11
http://www.brightcopy.net/allen/aesm/31-10
http://www.brightcopy.net/allen/aesm/31-9
http://www.brightcopy.net/allen/aesm/31-8
http://www.brightcopy.net/allen/aesm/31-7
https://www.nxtbookmedia.com