Home / Guides / Structuring the fault tree for FAA / EASA review
ARP 4761 · Worked example

Structuring the fault tree for FAA / EASA review

A fault tree submitted to the FAA under 14 CFR 25.1309 — or to EASA under CS-25.1309 — is read by certification engineers whose job is to find the hole the applicant didn't see. The structural conventions of an SSA tree differ from automotive HARA submissions in ways that aren't always obvious to engineers crossing over: top events bind to specific failure conditions in the FHA, common-cause is its own deliverable rather than a β-factor in the tree, and reviewers expect the tree's order-1 cut sets to map cleanly to the "no single failure causes catastrophic" claim. This guide covers the framework, the conventions, and a worked aircraft hydraulic-loss tree end-to-end.

≈ 18 min read Worked example: aircraft hydraulic-power loss Standards: ARP 4761 / ARP 4754A, 14 CFR 25.1309, CS-25.1309

Why aviation FTA is a different conversation

Three structural differences between an aviation safety case and any other domain shape how the tree gets read:

  1. The acceptable failure rate scales with consequence severity, not with development cost. 14 CFR 25.1309(b) and CS-25.1309 specify that the probability of any failure condition must be "inversely proportional to the severity of its effects". Catastrophic conditions must be extremely improbable (≤ 10⁻⁹/flight-hour); hazardous conditions extremely remote (≤ 10⁻⁷); major conditions remote (≤ 10⁻⁵); minor conditions probable (≤ 10⁻³). These thresholds are bright lines, not negotiating positions.
  2. The tree must trace to a specific failure condition in the FHA. Every top event in an SSA-supporting FTA is a verbatim failure condition from the Functional Hazard Assessment. Aggregating two failure conditions into one tree to share basic events, or splitting one across multiple trees, both break the traceability the certification engineer is using to verify completeness. One FHA failure condition, one FTA, no exceptions.
  3. "No single failure causes catastrophic" is a separate claim. The reviewer specifically checks that the minimal cut sets of every catastrophic-classified tree contain no order-1 cuts. This is a structural property of the tree, independent of probabilities, and it is its own audit item — passing the 10⁻⁹/flight-hour quantification while having a single basic event in an order-1 cut is a non-finding-but-noted observation that triggers a redesign conversation regardless of the rate.

Beyond these three, aviation tree submissions tend to be larger than automotive ones (a single-aisle aircraft's complete SSA covers thousands of failure conditions across hundreds of trees) and are reviewed against published advisory circulars (FAA AC 25.1309-1A, EASA AMC 25.1309) that name specific expectations the trees have to satisfy. The volume alone is why structural conventions matter: the certification engineer is reading dozens of trees for one programme, and consistency of structure is what lets them spot the one that's wrong.

FAA vs EASA — same standards, different review style ARP 4761 is the SAE-published technique; both regulators reference it via their respective advisory documents. The FAA tends to verify by independent quantitative spot-check (re-running specific cut sets through the applicant's model). EASA tends to verify by structural analysis (asking why a particular failure condition was not modelled, or why a specific cut set was assumed independent). The trees themselves are interchangeable; the conversation around them differs by reviewer culture. Building a tree that survives both conversations is the safest target.

Step 1The ARP 4761 framework FTA fits into

FTA isn't a standalone deliverable in the aviation safety process — it's the deductive technique inside a larger framework. The framework progresses through four phases, each of which produces artefacts that flow into the next:

PhaseArtefactFTA's role
FHA — Functional Hazard Assessment (top-down at aircraft, system, item levels). List of failure conditions, each with severity classification and a per-condition target probability. None directly. FHA produces the top events that downstream FTAs will use. Done qualitatively, often via SAE J1739-style HAZOP guide-words.
PSSA — Preliminary System Safety Assessment. Allocation of failure-rate budgets to subsystems and items; preliminary FTAs showing the architecture can in principle meet the FHA targets. Primary artefact. Each FHA failure condition gets a top-down preliminary FTA whose basic events are subsystem-level. Quantification uses budget allocations, not validated component data.
SSA — System Safety Assessment. Verified FTAs against the as-designed system; CCAs (PRA, ZSA, CMA); operational reliability programmes; conformance to advisory expectations. Primary artefact. Each PSSA tree is re-quantified using validated component data; cut-set analysis verifies the "no single failure" property; CCA results fold back as basic events.
CCA — Common Cause Analysis (parallel to PSSA + SSA). Three sub-analyses: Particular Risks Analysis (PRA — fire, lightning, engine debris), Zonal Safety Analysis (ZSA — what shares physical space), Common-Mode Analysis (CMA — design and manufacturing commonality). Integration into the FTA artefact. Each CCA finding becomes either a new basic event in the relevant trees or an explicit shared-cause connection between two basic events in different trees.

The two structural points to note for tree-builders crossing over from other domains:

Step 2What the reviewer actually looks at

Six things a certification engineer examines on a submitted FTA, in roughly the order the issues tend to surface during review. Knowing the order lets the analyst pre-empt findings — most of these are cheap to fix during build and expensive to fix during certification.

What's checkedCommon finding when it goes wrong
1. Top event matches the FHA verbatim. The exact wording of the failure condition from the FHA, character-for-character. Severity classification carried alongside, with the per-condition probability target stated. "Top event reads Loss of all hydraulic power supply; FHA failure condition reads Loss of all hydraulic power. Confirm equivalence or align." Looks pedantic; isn't. Reviewers use the FHA→FTA wording match to verify completeness across hundreds of trees.
2. Gate symbols per IEC 61025 Annex A. AND, OR, INHIBIT, PRIORITY-AND, voting (k-out-of-n), exclusive-OR all drawn to specified geometry. Conditioning events on INHIBITs explicitly named. Transfer in / out symbols labelled with the receiving / sending tree. Custom gate shapes (a hexagonal "majority vote", a triangular "human action") trigger "non-standard symbol — please reference standard equivalent". Inconsistent shapes across trees in the same submission compound the problem.
3. Independence claims under every AND gate. Every pair of inputs to an AND gate carries an implicit "these are independent" claim. The reviewer checks the claim against the design — different vendors, separated physical zones (per ZSA), separated power, separated communications, separated firmware. Where independence fails, a CCA basic event is expected. "Two inputs to the AND gate are described as redundant but both reside in the same Loadable Software Image. CMA expected." Most common review finding by volume on first-pass SSAs.
4. Basic-event probabilities with traceable data sources. Each basic event names its data source: MIL-HDBK-217F Notice 2, NPRD-2016, FIDES 2009, IEC TR 62380, or vendor-supplied with reliability prediction methodology. Bayesian updates from operational data are acceptable but the prior and the update both have to be cited. "Basic event BE-014: Hydraulic pump pressure regulator drift shows λ = 1.5×10⁻⁶/h with no data source." Engineering-judgement values without citation are systematically flagged; even if the number is correct, the finding stands.
5. Cut-set analysis included with the tree. Minimal cut sets enumerated with order, individual cut probabilities, and the contribution to top-event probability. Reviewers spot-check by re-running selected cuts with their own data. "Cut set {BE-007, BE-019} contribution shown as 8.2×10⁻⁹/h; recomputation with NPRD-2016 base rates gives 1.4×10⁻⁸/h. Reconcile." Always carry the cut-set table; always carry the data-source list with it.
6. Flight-hour normalisation. All rates and probabilities are per flight-hour. Mission-time-based numbers from a vendor's automotive or industrial reliability sheet need explicit conversion, with the assumed flight profile (cruise vs landing-cycle weighting) stated. "BE-022 cited at 5×10⁻⁵/year; conversion to per-flight-hour assumes 8000 flight hours/year — please confirm against operator profile." Missing conversions are easy to spot and easy to correct, but invariably trigger a clarification round.

Two structural patterns under these are worth naming:

The "no single failure causes catastrophic" check is structural, not numerical

For any tree with severity classification Catastrophic, the reviewer reads the minimal cut-set list and confirms that no order-1 cut exists. This is independent of the per-cut probability — even an order-1 cut at 10⁻¹²/h is a finding, because the property being verified is the architecture's robustness to single-point failure rather than its quantitative rate. AC 25.1309-1A explicitly requires this property; CS-25.1309 §AMC matches. Trees where an order-1 cut survives the SSA tend to have a basic event that "shouldn't really be order-1 because we mitigate it operationally" — the reviewer's response is "operational mitigation isn't a basic-event property, model it as an INHIBIT gate or accept the order-1 finding".

"Probability of failure" vs "Average Probability of Failure on Demand"

Aviation and process-industry reviewers use different conventions for what gets quantified. ARP 4761 defaults to per-flight-hour rates (a continuous demand profile). IEC 61511 SIS conventions (used in process plants) default to PFDavg — the time-averaged probability that the safety function is in the failed state when called upon. Trees that mix the two — perhaps because the analyst was trained in one domain and is now submitting in the other — produce numerically incomparable cut sets. ARP 4761 §3.4 names this trap explicitly; the reviewer flags any tree where some basic events are rates and others are demand probabilities without an explicit mapping.

The single biggest difference from automotive submissions Aviation reviewers do not accept "we ran the analysis and it passed". They run the analysis themselves on selected paths and confirm. This means every assumption — independence, data source, conversion factor, mission profile — has to be reconstructible from the submission package alone. A tree that requires the analyst to be in the room to defend it isn't a submission; it's a discussion document. The analyst's job, on top of getting the analysis right, is making the artefact stand on its own.

Step 3Worked example — total loss of aircraft hydraulic power

Take the failure condition from the FHA verbatim: "Total loss of aircraft hydraulic power". Severity classification: Catastrophic (loss of primary flight controls, landing gear retraction, normal braking). Per-condition target: ≤ 10⁻⁹ /flight-hour. Development Assurance Level: DAL A.

The architecture is the canonical wide-body civil pattern: three physically and electrically independent hydraulic systems (System A, System B, System C), each capable of supporting flight on its own. Top-level structure:

Total Loss of Aircraft Hydraulic Power
                  │
                  ▼
                 AND
                / | \
              A   B   C    ← three independent hydraulic systems
              │   │   │
             OR  OR  OR    ← per-system failure modes
            /|\  /|\  /|\

First-pass quantification — independent failures only

Per-system failure rate, summing the dominant contributors (engine-driven pump, line rupture, fluid loss): approximately 10⁻⁵/h per system. Validated data sources: MIL-HDBK-217F Notice 2 for the pump and pressure-regulator failure rates, NPRD-2016 for tubing and seals, vendor-supplied FMEDA for the system-level reservoir and accumulators. With three independent systems and a typical 5-hour flight mission:

P(System X fails over 5h mission) ≈ 10⁻⁵ × 5 = 5×10⁻⁵
P(all three independent fails)    ≈ (5×10⁻⁵)³ = 1.25×10⁻¹³ /mission
Per-flight-hour rate              ≈ 1.25×10⁻¹³ / 5 ≈ 2.5×10⁻¹⁴ /flight-hour

2.5×10⁻¹⁴/h vs the 10⁻⁹/h target. The independent-failures arithmetic gives an answer five orders of magnitude under target — comfortably catastrophic-extremely-improbable, on paper.

This number is also a fantasy, and the certification engineer knows it. The Sioux City story (UA Flight 232, 1989) is the canonical instance: triple-redundant DC-10 hydraulics defeated by a single fan-disc fragment that punctured all three systems simultaneously. The independent-failures arithmetic ignored the particular-risk path entirely, and the actual dispatch-relevant rate was dominated by it. The next step is exactly the structural lesson the post-Sioux City regulatory environment crystallised: independent-failure quantification is necessary but not sufficient. CCA's three sub-analyses each contribute order-1 or order-2 cuts that the independent tree never sees.

Second-pass — folding in the CCA results

The Common Cause Analysis (run in parallel with the SSA) yields three new basic events, each entering the FTA at the top level via OR with the independent-failure AND-gate:

CCA sub-analysisBasic eventRate (/flight-hour)Cut-set order
Particular Risk (PRA) BE-PR-001 — uncontained engine debris damages all 3 hydraulic systems ~1×10⁻⁹ (per AC 25.1309-1A guidance, calibrated against actual fleet data) 1
Zonal Safety (ZSA) BE-ZS-001 — fire in the wing-root zone damages co-routed System A and System B lines ~5×10⁻¹⁰ (with System C surviving since it routes through the keel) 2 (with System C failure)
Common-Mode (CMA) BE-CM-001 — contaminated hydraulic fluid (single batch through all three systems' shared servicing port) ~2×10⁻¹⁰ 1

Re-quantifying the top event with these added:

P(TOP) ≈ P(independent ABC) + P(PRA) + P(ZSA AND System C) + P(CMA)
       ≈ 2.5×10⁻¹⁴ + 1.0×10⁻⁹ + (5×10⁻¹⁰ × 5×10⁻⁵×5)/5 + 2.0×10⁻¹⁰
       ≈ 1.0×10⁻⁹ + (negligible) + 2.0×10⁻¹⁰
       ≈ 1.2×10⁻⁹ /flight-hour

1.2×10⁻⁹/h vs 10⁻⁹/h target. Fails the catastrophic threshold — the PRA basic event alone is already at 10⁻⁹/h and the CMA stacks on top. The independent-failures contribution is invisible at this scale; the per-system reliability programme is doing nothing for the limiting answer.

Third-pass — design response

The certification engineer reads the order-1 cut {BE-PR-001} and the order-1 cut {BE-CM-001} and asks: what mitigates these directly? The architectural responses are the same ones the post-Sioux City era introduced into wide-body design:

Re-quantified with RAT and CMA-eliminated:

P(TOP) ≈ P(PRA AND RAT-fail) + P(independent ABC) + P(ZSA AND C-fail)
       ≈ 1×10⁻⁹ × 1×10⁻³ + 2.5×10⁻¹⁴ + ~10⁻¹⁴
       ≈ 1.0×10⁻¹² /flight-hour

10⁻¹²/h, three orders of magnitude under the catastrophic target. The architecture meets the rate, the order-1 catastrophic cuts are eliminated, and every basic event has a validated data source. The submission package contains the three trees (independent-only, post-CCA, post-mitigation) so the reviewer can see exactly how the architecture evolved to clear the bar.

What this worked example demonstrates that an automotive HARA never would Two things. First: the independent-failure quantification was off by five orders of magnitude until CCA was folded in — and the final answer was dominated by particular-risk, not by component reliability. Per-component reliability programmes are necessary but they're not what the safety case rests on. Second: the architectural response is the lever, not the per-component lever. The RAT didn't make any single component more reliable; it added a 4th independent path that converted order-1 cuts into order-2. That structural move is invisible in any analysis that doesn't trace cut-set orders explicitly. Reviewers know this; analysts who don't yet sometimes spend reliability budget where it can't help.

Step 4How CCA findings actually fold back into the FTA

The mechanical question is: where in the tree does each kind of CCA finding land, and what data source supports its basic-event probability? Three sub-analyses, three different patterns:

CCA sub-analysisWhere it lands in the FTAData source
Particular Risks Analysis (PRA) — external threats: engine debris, lightning, hail, bird strike, runway debris, rotor burst, wheel rim failure, tyre fragments. AC 25.1309-1A §10 supplies the canonical list. Top-level OR with the independent-failures sub-tree, when the particular risk could defeat all redundancy. For risks that only affect a subset, lower in the relevant branch. AC 25.1309-1A guidance values, calibrated against fleet experience (FAA Service Difficulty Reports, EASA accident database). Per-risk rates are well-published; the analyst chooses applicability and routing.
Zonal Safety Analysis (ZSA) — what shares physical space, and what shared environment can damage co-located items: fire, fluid leak, electrical short, mechanical interference. The aircraft is partitioned into zones (typically 30–60 per single-aisle) and each zone is reviewed item-by-item. As a basic event paired (under AND) with whatever items aren't in the affected zone. The article's worked example used {BE-ZS-001, System-C-fail} because System C routes through a different zone. Zone-specific failure rates. Fire rates from FAR 25.853 / 25.869 substantiation tests; hydraulic rupture rates from line-failure databases; electrical short rates from wiring-aging studies (FAA EAPAS). Rates vary 10–100× across zones.
Common-Mode Analysis (CMA) — design, manufacturing, maintenance commonality: shared software components, identical compiler runs, identical maintenance intervals, single-vendor sourcing, single-batch fluids. ARP 4761 §2.2.4 lists the dimensions. Top-level OR (eliminates redundancy entirely) when the commonality crosses every redundant channel; lower within a branch when it crosses only some channels. This is where the data is hardest. Software CMA defended primarily qualitatively via diversity arguments (per ARP 4754A §5.4.1). Hardware CMA quantified from manufacturing-batch defect rates and shared-source vendor reliability.

The integration discipline is the part that's easy to get wrong. Each CCA sub-analysis is run by a different specialist (zone engineer, particular-risk engineer, software diversity reviewer), produces its own report, and feeds basic events into the FTA via change-impact analysis. Changes to any of the three CCAs trigger an FTA revision. Trees that lag the CCA — common in late-stage programmes where requirements are churning — get flagged as "not aligned with current CCA findings", which is its own audit item separate from the technical content.

Five pitfalls a reviewer will catch

Where to go next