Time: 2010-05-10 19:53 Source: 蓝天飞行翻译 Author: admin

through predictions, allocations, or historical data.
5. Establish a Boolean equation for the tree using Boolean logic and evaluate the probability of the
undesired top level event.
6. Compare to the system level requirement. If the requirement is not met, implement corrective
action. Corrective actions vary from redesign to analysis refinement.
The FTA is a graphical logic representation of fault events that may occur to a functional system. This
logical analysis must be a functional representation of the system and must include all combinations of
system fault events that can cause or contribute to the undesired event. Each contributing fault event
should be further analyzed to determine the logical relationships of underlying fault events that may cause
them. This tree of fault events is expanded until all "input" fault events are defined in terms of basic,
identifiable faults that may then be quantified for computation of probabilities, if desired. When the tree
has been completed, it becomes a logic gate network of fault paths, both singular and multiple, containing
combinations of events and conditions that include primary, secondary, and upstream inputs that may
influence or command the hazardous mode.
FAA System Safety Handbook, Chapter 9: Analysis Techniques
December 30, 2000
9 - 6
[Figure 9-1 (diagram not reproduced). Node labels recovered from the extraction, grouped by their order on the page: top event "Engine Failure" (gate O1) over "Fuel" (1), "Cooling" (2) and "Ignition" (3) with gates O2, O3, O4; under Fuel: "No Fuel", "Fuel Pump", "Filter", "Carburetor"; under Cooling: "No Coolant", "Fan", "Pump", with Pump over "Seal" and "Bearing", and Bearing over "Frozen", "Friction", "Loose"; under Ignition: "Ignit. Sys. #1", "Ignit. Sys. #2".]
Figure 9-1: Sample Engine Failure Fault Tree
Standardized symbology is used and is shown in Figure 8-5. A non-technical person can, with minimal
training, determine from the fault tree the combinations and alternatives of events that may lead to failure or
a hazard. Figure 9-1 is a sample fault tree for an aircraft engine failure. In this sample there are three
possible causes of engine failure: fuel flow, coolant, or ignition failure. The alternatives and combinations
leading to any of these conditions may also be determined by inspection of the FTA.
Based on available data, probabilities of occurrences for each event can be assigned. Algebraic
expressions can be formulated to determine the probability of the top level event occurring. This can be
compared to acceptable thresholds and the necessity and direction of corrective action determined.
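Steps 5 and 6 above, and the probability evaluation just described, worked through on the Figure 9-1 tree as an added example (not code from the handbook): the tree is rebuilt as data, its Boolean equation and minimal cut sets are derived, and the top-event probability is compared with a system-level requirement. Basic-event probabilities are constructed values, and the gate types the text does not state (OR under Cooling, AND over the two ignition systems) are assumptions.

```python
from dataclasses import dataclass, field
from itertools import product
from math import prod

@dataclass
class Event:
    """Fault-tree node: gate "AND"/"OR" over children, or a basic event (gate "") with probability p."""
    name: str
    gate: str = ""
    p: float = 0.0
    children: list = field(default_factory=list)

def OR(name, *kids): return Event(name, "OR", children=list(kids))
def AND(name, *kids): return Event(name, "AND", children=list(kids))
def basic(name, p): return Event(name, p=p)

def top_probability(e: Event) -> float:
    """Step 5: evaluate the tree assuming independent basic events (AND = product, OR = 1 - product of complements)."""
    if not e.gate:
        return e.p
    ps = [top_probability(c) for c in e.children]
    return prod(ps) if e.gate == "AND" else 1 - prod(1 - q for q in ps)

def boolean_expr(e: Event) -> str:
    """Boolean equation of the tree (step 5), with basic events as literals."""
    if not e.gate:
        return e.name
    return "(" + (" & " if e.gate == "AND" else " | ").join(boolean_expr(c) for c in e.children) + ")"

def minimal_cut_sets(e: Event) -> list:
    """Smallest sets of basic events whose joint occurrence causes the top event."""
    if not e.gate:
        return [frozenset([e.name])]
    per_child = [minimal_cut_sets(c) for c in e.children]
    if e.gate == "OR":
        sets = [s for cs in per_child for s in cs]
    else:  # AND: one cut set from each child, unioned
        sets = [frozenset().union(*combo) for combo in product(*per_child)]
    return sorted({s for s in sets if not any(t < s for t in sets)}, key=len)  # drop non-minimal supersets

def meets_requirement(e: Event, limit: float) -> bool:
    """Step 6: compare the top-event probability with the system-level requirement."""
    return top_probability(e) <= limit

# Figure 9-1 rebuilt as data. Probabilities are constructed per-flight-hour values, not from the handbook.
# Gates: OR under Fuel as the text states; OR under Cooling and AND over the two ignition systems are assumptions.
ENGINE_FAILURE = OR("Engine Failure",
    OR("Fuel", basic("No Fuel", 1e-4), basic("Fuel Pump", 2e-4), basic("Filter", 1e-4), basic("Carburetor", 3e-4)),
    OR("Cooling", basic("No Coolant", 1e-4), basic("Fan", 1e-4),
       OR("Pump", basic("Seal", 1e-4),
          OR("Bearing", basic("Frozen", 1e-5), basic("Friction", 2e-5), basic("Loose", 1e-5)))),
    AND("Ignition", basic("Ignit. Sys. #1", 1e-3), basic("Ignit. Sys. #2", 1e-3)))
```

Calling `top_probability(ENGINE_FAILURE)` gives roughly 1.04e-3 for these constructed values, so `meets_requirement(ENGINE_FAILURE, 1e-3)` is False and the analyst would look for corrective action; `minimal_cut_sets` shows that every single fuel or cooling basic event is sufficient on its own, while ignition needs both systems to fail.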
The FTA shows the logical connections between failure events and the top level hazard or event. The term
"event," as used here, means an occurrence of any kind. Hazards and normal or abnormal system operations are
examples. For example, both "engine overheats" and "frozen bearing" are abnormal events. Events are
shown as some combination of rectangles, circles, triangles, diamonds, and "houses." Rectangles represent
events that are a combination of lower level events. Circles represent events that require no further
expansion. Triangles reflect events that are dependent on lower level events where the analyst has chosen
to develop the fault tree further. Diamonds represent events that are not developed further, usually due to
insufficient information. Depending upon criticality, it may be necessary to develop these branches further.
In the aircraft engine example, a coolant pump failure may be caused by a seal failure. This level was not
further developed. The example does not include a "house." That symbol illustrates a normal (versus
failure) event. If the hazard were "unintentional stowing of the landing gear", a normal condition for the
hazard would be the presence of electrical power.
FTA symbols can depict all aspects of NAS events. The example reflects a hardware based problem. More
typically, software (incorrect assumptions or boundary conditions), human factors (inadequate displays),
and environment conditions (ice) are also included, as appropriate.
Events can be further broken down as primary and secondary. A primary event is a coolant pump failure
caused by a bad bearing. A secondary event would be a pump failure caused by ice through the omission
of antifreeze in the coolant on a cold day. The analyst may also distinguish between faults and failures. An
ignition turned off at the wrong time is a fault; an ignition switch that will not conduct current is an
example of a failure.
Events are linked together by "AND" and "OR" logic gates. The latter is used in the example for both fuel
 
中国航空网 www.aero.cn
航空翻译 www.aviation.cn
本文链接地址:System Safety Handbook系统安全手册下(47)