Fault Tree Analysis, or “FTA”, is a top-down analysis of failure propagation. It employs a deductive analysis of failures to determine which combinations of lower-level, or “primary”, failures can combine to cause a “critical event” or an “undesired state” of the fielded system. It is used particularly for safety and risk assessment in airworthiness certification and in other safety-critical systems, products or industries. In design development, the FTA serves as an instrument to provide feedback on areas of the design that need to be improved, whether, for example, by adding design redundancy or by improving component/subsystem reliability.
Above is a greatly simplified example of an aircraft propulsion system showing the eXpress FMECA/FTA within the eXpress Diagnostics Engineering application, with the ability to toggle between the eXpress FMECA and the eXpress FTA structure (as shown in the design window on the right).
Notice that the four (4) blue circles on the bottom represent the primary failures, which combine in the next level above as “intermediate failures”, as depicted by the use of an orange “or-gate”, meaning that the presence of either primary failure would cause the branch to fail. The green “and-gate” identifies that the “Undesired Event” (red header in the top box) requires the loss of both branches of “intermediate failures” to occur. The likelihood of this Undesired Event occurring is represented by “Q: 3.484E-014”, signifying its contribution to system “Unreliability”.
The Fault Tree Analysis is a deductive, top-down method of analyzing the effects of any combination of lower-level failures, including external events, on the complex or fielded system. This contrasts with the FMEA or the FMECA, which are inductive, bottom-up analysis methods for analyzing the effects of single component failures on equipment or subsystems. The FTA describes how resistant a system is to individual or combined failures. That said, it is not able to consider all possible primary failures. The FMEA is more capable of considering all possible primary failures and then describing their local effects as produced from the defined failure mode(s). The FMEA, though, is not capable of considering multiple failures or any of their combined failure effects at a system level. The FTA will also consider external events, for example an event caused by operating the system in a specific uncontrolled environmental condition. The FMEA will not consider any external events. In civil aerospace the usual practice is to perform both FTA and FMEA, with a failure mode effects summary (FMES) as the interface between FMEA and FTA. As such, these are static design analyses and reflect the failures determined to be relevant at the specific time at which the analysis was performed. Any update to the design would necessitate a full rework cycle on these analyses.
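To make the gate logic and the “Q” value concrete, here is a small added example (written for this page; it is not eXpress code and not DSI’s algorithm) that evaluates the tree structure described above: four primary failures, two “or-gates” feeding one “and-gate”. The primary-failure probabilities and names are constructed for illustration. It computes the top-event unreliability under the usual assumption that primary failures are independent, and enumerates the minimal cut sets, i.e. the smallest combinations of primary failures that are sufficient to cause the Undesired Event, which is the deductive question an FTA answers and an FMEA alone cannot.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Union


@dataclass
class Basic:
    """A primary (basic) failure event with its probability of being present."""
    name: str
    q: float  # constructed probability; in a real FTA this comes from reliability data


@dataclass
class Gate:
    """An OR or AND gate combining child events."""
    name: str
    kind: str           # "OR" or "AND"
    inputs: List["Node"]


Node = Union[Basic, Gate]


def unreliability(node: Node) -> float:
    """Probability that the event at this node occurs, assuming independent inputs.

    OR:  1 - prod(1 - q_i)   (at least one input fails)
    AND: prod(q_i)           (every input fails)
    """
    if isinstance(node, Basic):
        return node.q
    qs = [unreliability(child) for child in node.inputs]
    if node.kind == "AND":
        p = 1.0
        for q in qs:
            p *= q
        return p
    if node.kind == "OR":
        p_none = 1.0
        for q in qs:
            p_none *= (1.0 - q)
        return 1.0 - p_none
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Minimal sets of primary failures whose joint occurrence causes this node's event."""
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        # Any input's cut set is enough on its own.
        candidates = [s for sets in child_sets for s in sets]
    else:
        # Need one cut set from every input at once: take their unions.
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    unique = set(candidates)
    # Drop any set that has a proper subset in the collection (not minimal).
    minimal = [s for s in unique if not any(o < s for o in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def build_example_tree() -> Gate:
    """Constructed tree mirroring the page's figure: AND over two OR branches."""
    branch_a = Gate("Left fuel feed lost", "OR",
                    [Basic("P1", 1e-4), Basic("P2", 2e-4)])
    branch_b = Gate("Right fuel feed lost", "OR",
                    [Basic("P3", 3e-4), Basic("P4", 4e-4)])
    return Gate("Undesired Event: total loss of thrust", "AND", [branch_a, branch_b])


if __name__ == "__main__":
    top = build_example_tree()
    print(f"Q({top.name}) = {unreliability(top):.4E}")
    for cs in minimal_cut_sets(top):
        print("cut set:", sorted(cs))
```

Swapping the top gate from AND to OR in `build_example_tree` shows why the gate choice matters: the same four primary failures then produce four single-event cut sets and a Q roughly three orders of magnitude larger, which is exactly the design-redundancy feedback the text describes the FTA as providing.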
Above is a greatly simplified example of an aircraft propulsion system showing the “Traditional” FMECA available as a turn-key output within the eXpress Diagnostics Engineering application. Since eXpress retains comprehensive diagnostic detail, it can greatly extend the purposes of the FMECA, as described further below.
Some programs use FMECAs and FTAs for diagnostic purposes. Usually, this results from not fully understanding the value of diagnostics engineering. In a traditional design development process, attempting to use the FMECA or FTA in lieu of investing in quality diagnostics engineering during design development will yield limited diagnostic or sustainment effectiveness, because neither can provide conclusive and comprehensive diagnostic conclusions.
Both the FMECA and the FTA are design development tools that provide feedback to system integrators or system engineers during the design development lifecycle. This analysis provides insight into how failures originating at lower levels manifest, and into their impact upon operational viability at the system or product level. The FTA provides a cost-effective opportunity to implement design changes during the design development process, so that failure occurrence is better managed before the design is delivered and failure consequences are reduced once it is fielded. The core strength of the traditional FTA is to provide another system reliability perspective in terms of which lower-level failures could cause an “Undesired Event” or critical system failure to occur, and the likelihood of experiencing any of those critical failures. Any further operational or diagnostic use of the FTA outside of design development is subject to scrutiny.
In order to use the FMECA or the FTA for operational diagnostics or fault isolation purposes on complex, critical or large-scale systems, the system integrator would need to institute more collaborative and comprehensive diagnostic engineering processes. Traditional design development processes would need to do much more than simply “incorporate” the FMECA of each independent design included in the complex, critical or large-scale system.
Furthermore, Reliability Engineers do not always use the same tools or approaches in performing their FMEA, FMECA or FTA analyses. As such, expecting these design assessment products to be produced at a uniform level of comprehensiveness or expertise, ready for fielded product “integration”, is simply not realistic with the traditional approaches or tools.
At some point, the bottom-up description of component failure effects (and their respective severities) within the FMECAs rises to a level of the design hierarchy at which the combined failure effects at the fielded product’s integrated-system level become obscured. This is where the “other REs” come in: those Reliability Engineers who work the FTAs, who typically have a different level of expertise than those who describe the lower-level primary failure effects. Knowing the “diagnostic” impact of BIT (built-in test) coverage at the integrated-system level is not a strong suit of the FTA assessment product. The FTA is NOT a replacement for diagnostic engineering, nor is the FTA a wise substitute for advanced diagnostics engineering tools.
As the subsystem designs are retrieved and become “integrated”, even the more skilled Reliability Engineers will be greeted with further complications that frequently arise during design development and impact the effectiveness of the fielded system’s FTA or FMECA. While this more typically occurs during design development, it may also occur during the sustainment lifecycle, whenever any subsystem is updated. As design updates occur for independent designs, the subsystem FMECA or FTA must be “integrated” into and amongst the other integrated subsystem designs. If the “integrated systems” FMECA is not sufficiently “agile” to “integrate” the new designs into the existing subsystem designs, and then into the system-level design, this is where we begin to lose the integrity of the FTA or FMECA for fault detection and, most certainly, for any effective fault isolation purposes.
With a traditional FTA, describing the entire manifestation of all of the failure causes of a complex integrated design, and then carrying this level of detail, even for the non-critical primary failures, up to the integrated-system level, would be cost prohibitive and may not be possible for certain complex systems. But if one of the objectives of the FTA is to use it for diagnostic purposes, then unfortunately it would need to capture this more comprehensive, lower-level failure or functional detail with precision. This would be required for the FTA to be adequately serviceable in the operational diagnostic or troubleshooting environment. This is not a viable expectation or responsibility of the FTA.
Imagine tasking the Reliability or Systems Engineers with describing the simple independent propagation of these “step-laddered” and “step-across” levels of failure effects throughout the entire complex system. If the design team could track “all” of the propagations of failure effects from the bottom up, beginning with the lowest replacement levels of the complex design, then this would essentially be a method to build an “inverted FMECA”. This is the first step towards developing the FTA, but more Subject Matter Expertise is required.
Although comprehensive tracking of failure propagation from the bottom up cannot be performed exhaustively in a traditional FTA on large, complex integrated systems, the expert-captured knowledgebase in eXpress inherently describes all of these interrelationships with ease and precision!
In eXpress, a valuable component of DSI’s ISDD capability, the functional and failure propagation interrelationships are shared by all of its tools, including the FMECA and the FTA, and are associated to, and by, the diagnostic capability and constraints of the complex system. This enables the unique capability to associate the exhaustive diagnostic capability with the FMECA and the FTA!
An inherent value of establishing the Diagnostic-Informed FMECA, is that all of the root causes throughout every integrated design piece are locked into the expert captured knowledgebase. Similarly, the Diagnostic-Informed FTA will have use of all of this low-level diagnostic and FMECA detail for each design piece, and will essentially represent the initial FTA structure as a top-down or “inverted” view of the FMECA. Both assessment products are pulled directly from the exact same, comprehensive and comprehensively integrated systems’ knowledgebase.
Below is an image of a highly unique capability of the Diagnostic-Informed eXpress FMECA Plus, showing the impact of the full diagnostic capability for each component described in the design. This makes it possible to know exactly in which fault group the component will reside, along with the fault group constituency, the failure modes, the severity of the failure modes, and whether the failure modes are able to be “uniquely isolated” (FUI) within the constraints of the design.
FUI is a term that is unique to eXpress Diagnostics and the overall ISDD paradigm, although it should be a term used ubiquitously within the diagnostic engineering community. It is a metric that describes a specific isolation precision, so that failures are not mischaracterized as a result of the constraints of the deployed diagnostic paradigm. In this manner, FUI provides tremendous value in the immediate and significant reduction of NFFs, CNDs, RTOKs and the more serious “False System Aborts” and False Alarms, and in preventing errors in determining corrective actions for “assumed detected” failures.
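The page does not define how eXpress computes FD, FUI or fault-group membership, so the following added example (not eXpress or DSI code) shows the standard testability-analysis view that these terms map onto: a fault group is the set of failure modes that produce the same pattern of test outcomes, a failure is detectable when at least one test observes it, and it is uniquely isolatable when no other failure mode shares its test signature. The failure modes, BIT test names and failure rates are constructed, and weighting FD and FUI by failure rate is an assumption of this example rather than a statement about eXpress.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed coverage matrix: failure mode -> BIT tests that observe it.
# Names are illustrative only.
COVERAGE: Dict[str, Set[str]] = {
    "FuelPump.A.loss_of_flow": {"T_pumpA_pressure"},
    "FuelPump.B.loss_of_flow": {"T_pumpB_pressure"},
    "Igniter.1.no_spark":      {"T_ignition"},      # same test as Igniter.2
    "Igniter.2.no_spark":      {"T_ignition"},      # -> ambiguous fault group
    "Sensor.temp.drift":       set(),               # no BIT observes it
}

# Constructed failure rates (per hour) used as weights; assumption of this example.
FAILURE_RATE: Dict[str, float] = {
    "FuelPump.A.loss_of_flow": 2e-5,
    "FuelPump.B.loss_of_flow": 2e-5,
    "Igniter.1.no_spark":      1e-5,
    "Igniter.2.no_spark":      1e-5,
    "Sensor.temp.drift":       4e-5,
}


def fault_groups(coverage: Dict[str, Set[str]]) -> Dict[FrozenSet[str], List[str]]:
    """Group failure modes by identical test signature (which tests would fire)."""
    groups: Dict[FrozenSet[str], List[str]] = defaultdict(list)
    for mode, tests in coverage.items():
        groups[frozenset(tests)].append(mode)
    return {sig: sorted(modes) for sig, modes in groups.items()}


def fd_fui(coverage: Dict[str, Set[str]],
           rate: Dict[str, float]) -> Tuple[float, float]:
    """Rate-weighted fraction of failure that is detectable (FD) and uniquely
    isolatable (FUI). A mode is detected if any test observes it; it is uniquely
    isolated if it is detected and alone in its fault group."""
    groups = fault_groups(coverage)
    total = sum(rate[m] for m in coverage)
    detected = sum(rate[m] for m, tests in coverage.items() if tests)
    unique = sum(rate[m] for sig, modes in groups.items()
                 if sig and len(modes) == 1 for m in modes)
    return detected / total, unique / total


def ambiguous_groups(coverage: Dict[str, Set[str]]) -> List[List[str]]:
    """Detected fault groups with more than one member: where NFF/RTOK risk lives."""
    return [modes for sig, modes in fault_groups(coverage).items()
            if sig and len(modes) > 1]


if __name__ == "__main__":
    fd, fui = fd_fui(COVERAGE, FAILURE_RATE)
    print(f"FD  = {fd:.2f}")
    print(f"FUI = {fui:.2f}")
    for group in ambiguous_groups(COVERAGE):
        print("ambiguous fault group:", group)
```

The gap between FD and FUI is the point the text makes about NFFs and RTOKs: the two igniters are detected, so they count toward FD, but because a single test covers both, a maintainer acting on that test alone has an even chance of pulling the wrong unit. Adding a test that distinguishes the two igniters (or a dedicated test for the sensor) is the kind of design feedback the diagnostic-informed view gives during development.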
Using eXpress, any FMECA and its companion Fault Tree Analysis (FTA) architecture can be toggled from the eXpress “FMECA Plus” to immediately determine if and how any of the lower-level (primary failure) failure modes and failure effects propagate to the higher levels of the design. The link at the bottom of this page demonstrates how simple it is to trace failure modes and failure effects, and if and when they combine to cause any critical failure (undesired event) at the integrated-system level (seeding the companion Risk Assessment activities). Unlike the FMECA, the FTA assessment is only concerned with tracking and combining, ultimately, the critical failures (and external events) that could lead to an “Undesired Event” or “Critical Event”.
Above is a greatly simplified example of an aircraft propulsion system showing the “eXpress FTA” available as interdependent on the FMECA and Diagnostic capability of the design. The “FD” below each node of the FTA describes the portion of the failure that can be detected. The “FUI” identifies the portion of the failure that can be “uniquely” isolated at each node.
The other failure effects that were assigned lower-level severities are effectively ignored in the resulting FTA assessment product, since the FTA analysis is used for risk assessment at the integrated-system level (fielded product). The FTA is a required analysis, for example, for any air vehicle over 55 pounds that flies in US airspace above a civilian population. Therefore, the FAA requires this FTA as a Risk Assessment product as part of its airworthiness certification requirements.
We’ve used the interrelated FTA to validate and correct hard-to-discover errors in traditional FMECAs many times! The traditional FMECAs may appear correct for any particular design piece, but when the independent designs must be integrated with other designs, the inconsistencies, omissions, errors and other disparities are sometimes very subtle, yet they lead to miscalculations in any other interdependent assessment product or in extended operational use of such data for purposes of Testability, Maintainability, Availability, Reliability, etc.
In the eXpress paradigm, the FMECA can be immediately viewed in the FTA structure with every primary failure totally considered and combined through the use of “or-gates”. We have been informed that this immediate benefit alone will greatly increase accuracy and reduce FTA development work-cycle by a minimum of 50%!
Once the FTA has been vetted to include the necessary external events, the polling “or-gates” and the combining of the failure causes by the Subject Matter Expert, this knowledge is forever captured in the eXpress knowledgebase.
Anytime any piece of the design is updated, during design development, or at any time during the sustainment (or “resilience”) lifecycle, the SME knowledge will be retained so that fully-featured FMECAs and FTAs can be instantly produced as turn-key outputs from the captured expert knowledgebase.
The ongoing benefit is that the data contained in the FMECA or the FTA may be (re)used in the sustainment paradigm to optimize sustainment accuracy and effectiveness. Most diagnostic engineering tools can use little, if any, data from the FTA. But eXpress can “push” this diagnostic-integrated knowledge directly to the sustainment or operational support paradigm(s). As such, RTAT and DSI Workbench are tools within the ISDD tool suite that make effective (re)use of the investment in the FTA.
As the fielded design is maintained, the sustainment activities continually change the effectiveness of a traditional FTA, which is meant to be a “static” representation of a “design at delivery”. Instead, the eXpress FTA assessment product can be provided immediately and cost effectively at any time to reflect any updates to any of the integrated design pieces. Furthermore, the test coverage of any of the BIT tests depends upon the integrated subsystems, which may also cause “test coverage interference” (per any controlled state of system/vehicle operation). The full reuse of this knowledge is just a coordinated use of ISDD. The integrated FD and FUI knowledge keeps the designer advised of the constraints on the diagnostic integrity of the fielded product at the system level at all times.
An eXpress FTA, which is generated automatically when an eXpress FMECA is created.
One of the most obvious differences between the eXpress FTA and the traditional FTA is that the eXpress FTA includes diagnostic detail and identifies the portion of the failure causes that are detectable (FD) or uniquely isolatable (FUI) at each node.