Standard ANSI/AIAA S-102.2.18-2009 Performance-Based Fault Tree Analysis Requirements

AIAA standards are copyrighted by the American Institute of Aeronautics and Astronautics (AIAA), 1801 Alexander Bell Drive, Reston, VA 20191-4344 USA. All rights reserved. AIAA grants you a license as follows: The right to download an electronic file of this AIAA standard for storage on one computer for purposes of viewing, and/or printing one copy of the AIAA standard for individual use. Neither the electronic file nor the hard copy print may be reproduced in any way. In addition, the electronic file may not be distributed elsewhere over computer networks or otherwise. The hard copy print may only be distributed to other employees for their internal use within your organization.

ANSI/AIAA S-102.2.18-2009
American National Standard
Performance-Based Fault Tree Analysis Requirements
Sponsored by American Institute of Aeronautics and Astronautics
Approved 17 November 2008
American National Standards Institute

Abstract
This standard provides the basis for developing the performance-based fault tree analysis (FTA) to review and analytically examine a system or equipment in such a way as to emphasize the lower-level fault occurrences that directly or indirectly contribute to the system-level fault or undesired event. The requirements for contractors, planning and reporting needs, and analytical tools are established. The linkage of this standard to the other standards in the new family of performance-based reliability and maintainability (R

limit of fault tree resolution
capability level measure of the ability of an R

b) the FTA requirements as needed to support the project, including milestones for developing the fault trees or modifying existing fault trees;
b) scope, level of resolution, and ground rules of the FTA;
c) detailed procedures for selecting the set of system-level faults of concern;
d) detailed procedures for establishing the component level to which each system-level fault is examined;
e) detailed FTA process flow diagrams and samples of fault trees;
f) detailed procedures for constructing the fault tree, such as the approach for determining the immediate causes for each fault at progressively lower levels until a component-level fault is reached;
g) detailed procedures for documenting and reporting the FTA data/results in a timely manner; and
h) definitions of FTA data attributes, i.e., data characteristics and format, that accommodate the needs of other project functions, including those of the FMECA, event tree analysis (ETA), system reliability modeling, system safety, maintainability, and risk management.

The minimum tasks that shall be prescribed in
the FTA plan shall be based on the required capability level, as defined in Annex B. The description of the specified capability level shall include, at a minimum, all activities described for that capability level and all lower capability levels in this standard. The contractor shall consider the applicability of capability level growth over the life cycle of a project when planning the FTA process.

4.3 FTA Report
The contractor shall document the results of the FTA in a timely manner and shall provide the most current version of the documentation to the acquisition activity upon request. The FTA report shall include a complete FT dataset for each top event and sufficient information to allow independent verification of the analysis results within the ground rules established for the project. The FTA shall be kept updated at all times with an appropriate revision number assigned.

5 Detailed Requirements
The following detailed requirements pertain to the performance-based FTA tasks defined in Annex B.

5.1 System Design Data Collection
Prior to beginning the evaluation of the undesired event causes, the contractor shall collect sufficient system design information to identify all possible functional and physical dependencies in the system, within analytical ground rules to be specified by the contractor. The system design information shall include all system levels, mission phases, and environments, and all normal, degraded, and contingency system modes that are applicable to each mission phase. If a Capability Level 3 or higher FTA is required, this information shall be entered into the FTA database to allow cross-referencing of identified failure causes against official design drawings.

5.2 FTA Procedures
The contractor shall perform the FTA
in an orderly fashion with the following steps incorporated as appropriate:
1) Define the objective of the FTA.
2) Identify the top event of the fault tree (FT).
3) Define the scope of the analysis.
4) Define the FTA resolution (the failure causes level of detail).
5) Define the ground rules for the FTA.
6) Construct the FT.
7) Evaluate the FT qualitatively.
8) If a Capability Level 3 FTA is required, evaluate the FT quantitatively.
9) Interpret and present the results.

5.2.1 Define Objectives of the FTA
The contractor shall define the objective of the FTA in terms of functionality of the system to be analyzed, definitions of system or mission failure, highest number of events in a cut set, precision of probability estimates, etc.

5.2.2 Identify Top Event of the FT
The contractor shall identify the top event for which the failure causes will be analyzed and resolved.

5.2.3 Define Scope of the Analysis
The contractor shall define the FTA scope in terms of 1) which particular system design version and mission time period(s) will be analyzed; and 2) which of the system failure events and contributors will be included and which will not be included.

5.2.4 Define FTA Resolution
The contractor shall typically resolve each failure event, i.e., the top event, to the major components in the system. If quantification is required, the FT shall be developed to a level of detail where the best failure probability data are available.

5.2.5 Define FTA Ground Rules
The contractor shall define the FTA ground rules that include: 1) selecting the FT data sources and data processing methods (see footnote 4); 2) describing how consistency will be achieved among independently constructed FTs; 3) defining the procedures and nomenclature by which events and gates are named in the FT; and 4) describing how external system interfaces and influences, e.g., human errors, operating environments, etc., are going to be modeled.

Footnote 4: This is a process-validation activity when it includes evaluation of the appropriateness of the FTA process prior to its use.

5.2.6 Construct FT
The contractor shall construct the FT based on the system element relationships and functional logic derived from the system schematics and functional descriptions. The symbols that are used in the FT shall represent the relationships between events. The contractor shall choose from the typical logical symbols used as the building blocks to construct the FT, e.g.:
general event: an event that results from a combination of other events
basic event (primary): an event that requires no further development
undeveloped event: an event that is not developed further, either because it is unnecessary or because no information is available
house event: an event that is expected to occur normally
transfer: used to link trees
AND gate
OR gate

If a Capability Level 2 FTA is required, the fault tree shall include human error modes. If a Capability Level 3 FTA is required, the fault tree shall include software components, functional loops/feedback, phase and time dependent failure, and common cause failure modes.

5.2.7 Qualitatively Evaluate FT
The contractor shall derive the minimal cut sets by applying the Boolean reduction laws. The type and number of basic events in the combined minimal cut sets shall be documented in the FT dataset for each of the top events. The minimum cut sets shall be sorted by order, i.e., from the lowest to the highest number of events in a cut set. If a Capability Level 4 FTA is required, the FT shall be validated for configuration accuracy by using one of the following methods:
1) Use
the system schematics or functional flow diagrams to verify that the minimum cut sets are indeed valid failure paths to the top event. If validating the top event directly is too difficult, e.g., the smallest-order cut sets contain a large number of basic events that are difficult to check, then identify lower-order faults (i.e., intermediate events) in the FT and validate the cut sets for these faults.
2) Identify the smallest success paths of the FT and use the system schematics or functional flow diagrams to validate that these are indeed success paths.

5.2.8 Quantitatively Evaluate FT
If a Capability Level 3 FTA is required, the contractor shall calculate the top event and contributing event probabilities and the importance measure of each basic event established. The importance measures shall be used to establish the significance of all the events in the fault tree in terms of their contributions to the top event probability. Both intermediate events (gate events) and basic events shall be prioritized according to their importance. If a Capability Level 4 FTA is required, an uncertainty analysis shall be performed for each basic event. This analysis shall consist of assigning an uncertainty distribution to each data parameter to describe the possible values that the data parameter may have. The contractor shall identify the mean value, median value, standard deviation, 5th percentile and 95th percentile for each probability distribution. Also, the contractor shall check if failures and basic events identified in the FT have occurred previously in heritage systems, and if so, evaluate the probabilities of the minimum cut sets and their relative contributions to determine if the results are reasonable. If there is no failure history of similar systems, then the contractor shall check the history of similar subsystems or assemblies for field data that can be used to evaluate probabilities of intermediate faults.

5.2.9 Interpret and Present the Results
The contractor shall place emphasis on the interpretation of the results in the FTA report. The report shall
describe all significant implications of the FTA results to the original FTA objective, to the extent that the project management understands the implications.

5.3 FTA Database
If a Capability Level 3 FTA is required, the contractor shall establish an FTA database that contains the FTA data products that are identified in the established systems engineering data flow schemas for all applicable product development phases and that has data change control and tracking procedures (see footnote 5). If a Capability Level 4 FTA is required, all data that are entered in or extracted from the FTA database shall be prefaced with one or more keyword data element descriptions (DED) listed in Annex C. Each keyword DED belongs to one of the following data types:
Physical or Functional Characteristic
Physical or Functional Dependency
Application
Failure Mode and Effects Analysis (FMEA)
Criticality Analysis
Anomaly Detection and Response (ADR)
Reliability, System Safety, and Maintainability Critical Item
Failure Compensation Identification
Maintainability Analysis
Unit Reference Value
Comment
Attachment
Database Administration

Footnote 5: The objective here is to ensure that all identified failures/basic events are documented, the history of designed-in reliability improvements is maintained, and current data is distinguishable from out-of-date data.

The FTA database shall be structured to allow: 1) independent verification of the system-level faults for all component-level failures that are Severity Classification 3, 4, or 5, and 2) online review of the most current and all prior fault trees. If a Capability Level 4 FTA is required, the contractor shall establish and maintain an interface that permits data exchange between the FTA database, product FMECA database, and the project R

Identification of one or more top events of the FTA (defines the top-level failure of the system to be analyzed);
definition of the scope of the FTA (boundary conditions for the analysis);
definition of the FTA lowest level of resolution (the failure causes level of detail);
definitions of the ground rules (this is a process validation activity when it includes evaluation of the appropriateness of the FTA process prior to its use);
descriptions of all the mission phases;
descriptions of all the system life-cycle environments;
descriptions of the system's normal and degraded modes of operation; and
descriptions of all the functional and physical, inherent failure modes (see footnote 8) of each H/W component (within the analytical ground rules to be specified by the contractor).
B.1.2 Timely establishment of FTA implementation technical performance metrics (TPM).
B.1.3 Timely construction of a top-down fault tree, being a logical model that identifies all the lower-level events contributing to the top event (within the analytical ground rules to be specified in B.1.1);
B.1.4 Timely qualitative evaluation of the fault tree, including the identification of the minimal cut sets for a top event (the basic events and their combinations that result in the top event); and
B.1.5 Timely interpretation of the FTA results and their documentation in an FTA report.

B.2 The Capability Level 2 Fault Tree Analysis shall include all the tasks in the Capability Level 1 Fault Tree Analysis plus the following:
B.2.1 Timely collection and evaluation of the necessary system design and performance information to identify the contributions made by component-level basic events to each specified failure condition or undesired event. The scope of the system design information that is collected and evaluated shall include the following:
descriptions of each component's physics-based characteristics;
descriptions of the component-level environmental conditions;
descriptions of all the basic events that affect each component; and
descriptions of all the phenomenological sequences that affect each component.

Footnote 8: In this standard, inherent failure modes are the result of characteristic weaknesses related to an item's specified design and materials.

B.2.2 Timely assignment of the probability of failure for each basic event (within the analytical ground rules to be specified by the contractor);
B.2.3 Timely calculation of the probability of failure of each H/W component and the top event (within the analytical ground rules to be specified by the contractor); and
B.2.4 Timely prioritization of risks using importance measures.

B.3 The Capability Level 3 Fault Tree Analysis shall include all the tasks in the Capability Level 2 Fault Tree Analysis plus the following:
B.3.1 Timely creation of a fault tree analysis plan or procedure that describes the objectives, ground rules, scope, assumptions,
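As an added example (not part of the standard) of the evaluation steps in 5.2.7 and 5.2.8: it derives the minimal cut sets of a small fault tree by Boolean reduction, sorts them by order, computes the top-event probability by inclusion-exclusion, and ranks the basic events by Fussell-Vesely importance. The tree, its gate names and the basic-event probabilities are constructed sample values; the standard does not prescribe a particular importance measure, and Fussell-Vesely is one common choice assumed here.

```python
from functools import reduce
from itertools import combinations, product

# Constructed sample fault tree (assumed, not taken from the standard):
# gate name -> (gate type, inputs); any input not listed as a gate is a basic event.
GATES = {
    "TOP": ("OR", ["G1", "G2", "G4"]),
    "G1": ("AND", ["A", "B"]),
    "G2": ("AND", ["C", "G3"]),
    "G3": ("OR", ["A", "D"]),
    "G4": ("AND", ["A", "G2"]),  # redundant branch; its cut sets are absorbed below
}
PROB = {"A": 0.01, "B": 0.02, "C": 0.05, "D": 0.10}  # constructed; events assumed independent

def cut_sets(node):
    """Expand a node into its (not yet minimal) cut sets as frozensets of basic events.
    OR gate: union of the inputs' cut sets. AND gate: distributive law, one cut set
    from each input merged by set union (which also applies the idempotent law)."""
    if node not in GATES:
        return [frozenset([node])]
    kind, inputs = GATES[node]
    expanded = [cut_sets(i) for i in inputs]
    if kind == "OR":
        return [cs for sets in expanded for cs in sets]
    return [reduce(frozenset.union, combo) for combo in product(*expanded)]

def minimal_cut_sets(node):
    """Boolean reduction (5.2.7): drop duplicates, apply the absorption law (discard any
    cut set that contains another cut set), then sort by order, lowest first."""
    sets = set(cut_sets(node))
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def top_probability(mcs, prob):
    """Exact top-event probability (5.2.8) by inclusion-exclusion over the cut sets."""
    total = 0.0
    for k in range(1, len(mcs) + 1):
        for combo in combinations(mcs, k):
            term = reduce(lambda acc, e: acc * prob[e], frozenset().union(*combo), 1.0)
            total += (-1) ** (k + 1) * term
    return total

def fussell_vesely(mcs, prob):
    """Fussell-Vesely importance: share of the top-event probability carried by the
    minimal cut sets containing each basic event; rank basic events by this (5.2.8)."""
    p_top = top_probability(mcs, prob)
    return {e: top_probability([s for s in mcs if e in s], prob) / p_top for e in prob}

if __name__ == "__main__":
    mcs = minimal_cut_sets("TOP")
    print([sorted(s) for s in mcs], top_probability(mcs, PROB), fussell_vesely(mcs, PROB))
```

For this tree the five raw cut sets reduce to three minimal ones ({A,B}, {A,C}, {C,D}); {A,C,D} is absorbed by {A,C}, and C carries the largest share of the top-event probability.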