Aerospace and Electronic Systems Magazine March 2017 - 8

Refining Fault Trees Using Aviation Definitions for Consequence Severity
actions when the aircraft wing begins to ice; the second fault is
that sensors fail to detect and warn the pilot that icing is occurring. The severity of the icing itself is relatively clear. Left unmitigated the icing could have hazardous or catastrophic consequences
(A ∈ {3,4}). The severity of the alarm failure is much less clear. In
isolation the alarm failure has low severity, perhaps minor at worst
(B = 1). If these two inputs were combined in an AND gate then,
according to Table 6, the output would be a minor event (C=1).
This result would be nonsensical. The combination of the wing icing and alarm failure should have a greater severity than the wing
icing alone. In other words, we would expect C ∈ {2,3,4}.
Note there would be no ambiguity in the binary case. For binary states, the icing fault implies A=1, and the monitor fault implies
B=1. The resulting output is also a fault (C=1). Ambiguities only
arise when we introduce the notion of severity.
To retain the advantages of the multilevel analysis without introducing ambiguity, it is necessary to add additional nuance to our
analysis. For instance, in the above example, it seems prudent to
model the failure of the icing monitor not as a fault but as a modifier. The modifier would adjust the severity of another fault, in this
case the severity of the icing event.

CONSEQUENCE SEVERITY LEVEL ANALYSIS
This section introduces a new method for quantifying risk that
resolves the limitations of the conventional logic and fuzzy logic
fault-tree analyses identified in the previous section.
The new approach is called CSL analysis. The basic concept
in CSL analysis is to recognize as faults only those events (or sequences of events) that can result in negative consequences for the
aircraft. This sequence is labeled a fault chain. Each fault chain
can be assigned a severity level from Table 4 appropriate to the
consequences. In general, the consequences of the fault chain are
probabilistic, with a distribution of nonzero probabilities associated with any or all of the severity levels from Table 4.
An important property is that each fault chain is analyzed assuming that its consequences are not related to those of other fault
chains. The implication is that fault chains can only be combined
with OR gates and not AND gates. In place of using AND gates, a
distinct fault chain must be introduced for each set of interacting
faults.
Events that can modify fault chain severity but that do not
directly result in a new consequence are designated as modifier
events. For instance, darkness is a modifier event. An aircraft accident might be aggravated by darkness (resulting in a more severe
consequence), but darkness by itself cannot cause an aircraft accident. In this sense, darkness is a modifier that can increase (or
promote) the severity of an accident. This is in contrast with an
automated monitoring system, like the icing monitor discussed in
the prior section. Such monitors are modifiers that decrease (or
mitigate) severity.
For completeness, we also consider another type of modifier,
one that places a cap (or threshold) on the severity of an accident.
An example that might be modeled as a threshold on severity is automobile airbag deployment. An airbag does not activate for minor
incidents like skidding stops or small bumps, and therefore does
8

Figure 2.

Five types of state variable for CSL analysis.

not impact safety for low speed crashes. In a high-speed collision,
however, the vehicle decelerates sharply enough that the airbag
deploys. The airbag greatly reduces the risk of loss of life during
a high-speed collision. This step change in effectiveness might be
modeled as an upper threshold on the risk of loss of life, with severity increasing to a particular level but not increasing farther. The
complement to an upper threshold event is a lower threshold event,
which would be an aggravating factor that guarantees a minimum
severity for a fault chain. Though upper and lower thresholds have
some potential applications, they are most useful as points of comparison to fuzzy logic gates.
Taken together, we have qualitatively described four types of
modifiers: promotion events (that increase severity), mitigation
events (that decrease severity), upper threshold events (that put a
ceiling on severity), and lower threshold events (that put a floor on
severity). In concept, other types of modifiers might be defined,
but this set of modifiers is sufficient to convey the concept of CSL
analysis. Each modifier event, like each fault chain, is modeled as
a state variable described by a probability distribution over a set of
discrete values. We assume in this article that the discrete values
for each modifier event are the same as those for a fault chain, e.g.,
{0,1,2,3,4}.
The introduction of the concept of modifier events means that
the notion of the logic gate must also be generalized. As in the
binary and fuzzy logic cases described above, a gate will still be
defined as an operator that combines two input probability distributions into a single output probability distribution. In CSL analysis, however, the output and one of the inputs must be a fault chain.
The second input can be a fault chain or a modifier. The second
input determines how the gate functions (i.e., what mathematical
operator is used to combine the two input probability distributions
into an output probability distribution). Before defining the gates
as mathematical operators it is perhaps helpful to visualize them
graphically.
In order to support visualization, each modifier event is assigned a unique icon, as illustrated in Figure 2. Since the nature
of each gate is determined by its inputs, there is no need to depict
gates explicitly in a CSL network. Rather, the fault tree can simply depict nodes, which are points on the fault tree where a fault

IEEE A&E SYSTEMS MAGAZINE

MARCH 2017

Table of Contents for the Digital Edition of Aerospace and Electronic Systems Magazine March 2017