Downloaded from SAE International by Univ of California Berkeley, Sunday, July 29, 2018
2009-01-3107
System Dependency Analysis Supporting Common Cause Analyses
of Complex Aircraft Systems
Copyright © 2009 SAE International
ABSTRACT
The system dependency analysis for complex aircraft
systems is a model-based methodology and tool for
analyzing availability and minimum acceptable control
requirements for failures or event scenarios to support
the aircraft and system safety analyses (SAE ARP4761)
required to show compliance to 14CFR/CS §25.1309,
§25.671 and others. Aspects of the system such as
functional interaction and dependencies to supply
systems, physical items (equipment, wiring and tubing)
and installation aspects are included in the analysis. The
SAE paper "System Dependency Analysis for Complex
Aircraft Systems" (2007-01-3852) describes the
modeling approach and the analysis of system
dependencies supporting the aircraft and system safety
analyses.
This paper provides examples for using the system
dependency analysis to support the common cause
analyses (SAE ARP4761) for complex aircraft systems.
Each element of a common cause analysis – the
particular risk analysis (PRA), the zonal safety analysis
(ZSA) as well as the common mode analysis (CMA) –
can gain advantage of the system dependency analysis
with the integrated system model to show the failure
propagation causing a system and aircraft level effect for
various analyses and cases using the same system
model and analysis database.
An example of a quad-redundant flight controls system
for a regional jet aircraft serves to show the process, the
system model, analysis management and the results
including the definition of integration and installation
requirements.
28 SAE Int. J. of Aerosp. | Volume 2 | Issue 1
Klaus Fritz
INTRODUCTION
SYSTEM DEPENDENCY ANALYSIS – The system
dependency analysis provides a model-based systematic
approach to determine fault propagation within supply
systems and sub-systems up to the main system
functions. It is based on the general principle to detect
erroneous behavior near the failure source with
subsequent fail-safe reaction deactivating the affected
function. Deactivation may occur on any functional level
depending on severity of the fault leading to a "loss of
function". The function loss either propagates through
the system, e.g. loss of an electric power supply leads to
loss of a control function, or does not propagate if
redundancy is available, e.g. a dual redundant power
input prevents loss of a control function after loss of one
power input.
For aircraft level analyses, the system model needs to
consider end-to-end functionality, e.g. from the system
sensors to the effective control actuation, as well as the
integration with supply systems needs to consider
source-to-end, i.e. from the power generation to the
supply of power to control and actuation. All functions
and the links between the functions are being
considered. In addition, the system model includes the
physical representation of the functions and links, such
as equipment, wiring, hydraulic tubing or mechanical
parts as well as their specific installation into the aircraft.
To allow determination of main function availability with
failures present, performance criteria (minimum
acceptable control criteria or MACC) are also integrated
into the system model. A performance criterion may, for
example, determine the capability of continued safe flight
and landing of the aircraft after occurrence of a failure
condition.
 Downloaded from SAE International by Univ of California Berkeley, Sunday, July 29, 2018

The inclusion of the integration aspects (supply

systems/functions), the physical implementation and the    
installation aspects into the system model allows not only 

to support the single and multiple failure analyses, but 
 

  
 

  

also provides capability to analyze event scenarios to be
analyzed for the common cause analyses (e.g. PRA,  
ZSA and CMA) as per SAE ARP4761. Those typically
create event scenarios to be analyzed for their functional 

 

 


effect, i.e. multiple failures of physical items, such as
equipment, wiring bundles, hydraulic tubing or
mechanical parts, of the system itself, but also of the
supply systems. This paper provides examples for using       
the system dependency analysis especially for the   
common cause analyses. 
 





MODELING TECHNIQUE – The system model for the
system dependency analysis integrates all model items,
representing functions, sub-functions, function links, 
  
  
 
performance criteria (MACC) and all physical items
including their installation aspects equally into a
 


database structure independent of their hierarchical
level. The model for each item consists of a list of the
associated dependencies and an analysis failure
injection. The model result function combines the status
of all dependencies and the fault injection, i.e. a model
function is available, if all inputs to the function are
available and if it is not set failed itself. The fault injection
is used to set failure conditions for the analyses
performed on the system model. The positive-fail logic
uses "1" or "TRUE" representing a function "failed" and
uses "0" or "FALSE" representing a function "ok" or
"available". The result function may include a logic
"AND"-function to represent redundancies. The logic
"OR"-function is used to list dependencies leading
directly to loss of the function. By integrating the model
items into a system model, the database structure using
lookup functions automatically connects the items to an
overall system function "network" enabling visualization
of the failure propagation.
The main aspects include, but are not limited to, the
functional, the physical implementation and the
installation levels (see figure 1). The modeling technique
allows introduction of as many hierarchical levels and
sub-levels as required to perform the analyses and to
ensure a structured modeling approach. This technique
also allows grouping of physical items and installation
aspects for analysis purposes.
ANALYSIS TECHNIQUE – By extending the system
model database with an analysis management
connected to the model items failure injection, the
system model can be subjected to various sets of failure
conditions. The analysis management stores the fault
injection for the individual analysis cases and scenarios
and logs the associated results. The analysis
management enables the use of a single system model
for a wide variety of analyses and analysis cases. Storing
the results allows documentation in order to support the
traditional suite of safety analyses, but also enables
determination of the impact of changes to system
function, implementation, integration or installation
without manually repeating all individual analyses.
SAE Int. J. of Aerosp. | Volume 2 | Issue 1
 

Figure 1: System Model Hierarchy
RESULT VISUALIZATION – The system dependency
model and analysis database allows to visualize the
failure propagation throughout the system up to the
performance criteria. This is important not only for model
generation, model debugging and verification, but most
important to show analysis results at various level of
detail. The visualization within the model items, the
overall system model and optional visualization at aircraft
system level allows to trace deficiencies and root causes
in the system function architecture, and especially for
integration and installation aspects including the supply
systems.
Resolving these issues allows the creation of integration
and installation concepts and requirements to ensure
sufficient availability of system resources for all failure
conditions or events.
EXAMPLE SYSTEM – A typical quad-redundant fly-by-
wire flight control system to control the aircraft pitch axis
is shown in figure 2. This simplified system will be used
as a demonstration example for the system dependency
model and analysis. The aircraft pitch axis is controlled
by the flight crew operating the control columns installed
on the flight deck. The movement of the columns is
sensed by a position sensor package (SP). The pitch
control computer (PCC) uses the position of the columns
to control the elevator surface actuators (PA). Position
sensors integral to the actuators allow closed loop
control of the pitch actuator. The pitch control function is
comprised of 4 redundant control channels, with 2
actuators in an active-active configuration moving each
one of the two elevator surfaces (LH and RH ES). For
this example, the minimum acceptable pitch control
requirement for continued safe flight and landing is
fulfilled, if at least one control channel is available to
operate an elevator surface. The fly-by-wire computer
29
 Downloaded from SAE International by Univ of California Berkeley, Sunday, July 29, 2018
has a dual redundant electrical power supply. The
surface actuator is hydraulically powered.
Figure 2: System block diagram of a quad-redundant
pitch control function
The SAE paper "System Dependency Analysis for
Complex Aircraft Systems" (2007-01-3852) describes the
modeling and analysis technique in detail. An example
model and analysis database implementation uses the
desktop computer software Microsoft Excel © on the
example fly-by-wire flight control system.
Besides many different possible applications of the
system dependency analysis supporting the suite of
system and aircraft safety analyses, the following
sections describe how it can be used specifically in the
field of common cause analyses (SAE ARP4761), i.e. the
particular risk analysis, the zonal safety analysis and the
common cause analysis.
PARTICULAR RISK ANALYSIS
ANALYSIS VARIANTS - The particular risk analysis
(PRA) is defined in SAE ARP4761 based on the
certification paragraph for "equipment, systems and
installation" (14CFR/CS §25.1309) which requires a
system to function "under all foreseeable conditions".
These foreseeable conditions identified for a system can
be failure conditions caused by events or influences
which are outside of the system or even outside of the
aircraft. Those particular risks may include fire (e.g.
cargo bay fire or equipment bay overheat), high energy
devices (e.g. engine rotor burst), leaking fluids (e.g. toilet
water tanks or hydraulic tubing failures), weather
conditions, bird strike, tire failures (e.g. flailing tires or rim
release), etc.
Occurrence of these particular risks may lead to single or
multiple failures in the system or supply systems with
failures propagating affecting continued safe flight and
landing of the aircraft. The objective of the PRA is either
to eliminate the safety related effects by generating
requirements for appropriate mitigation or to show the
risk to be acceptable. The certification paragraph and the
associated acceptable means of compliance guidance
(AMJ/AMC §25.1309) specifically includes the supply
systems into the analysis considerations. Due to the
30 SAE Int. J. of Aerosp. | Volume 2 | Issue 1
character of the particular risk analysis, the installation
aspects of the physical items (equipment, wiring,
hydraulic tubing etc.) of the system and supply systems
are the focus of the analysis for determination of the
aircraft level effects.
In general, the PRA is performed based on a specific risk
assumption for one or more specific aircraft installation
areas. The PRA for each risk assumption may include
various cases of damage scenarios and associated
failure conditions. A specific set of failure conditions on
the physical items of system and supply systems
considering the installation is determined for each
analysis case. The failure effects of these conditions on
physical items of the system function is evaluated
concerning the aircraft minimum acceptable control
criterion using the system dependency analysis.
The system dependency analysis provides the capability
to analyze the system functional dependencies in
combination with the installation aspects based on a
single model for all cases. The functional model of the
system (end-to-end) and the supply system (source-to-
end) ensure consideration of failure propagation through
the system and all dependencies up to the main system
function and the associated MACC.
The following example for the pitch control function uses
the system dependency analysis to perform a main
engine rotor burst analysis, which is one type of analysis
out of the suite of safety analyses which can be
supported using a single system model.
EXAMPLE – Performance of a main engine rotor burst
analysis is required by the 14CFR/CS E for engine
certification. The guidance for the development of the
damage scenario cases and determination of the
affected system items is provided by AC/AMC-20-128A,
and in the system context within 14CFR/CS §25.1309.
The practice for system effect analysis and the
associated PRA (high energy devices) is recommended
by SAE ARP4761.
A main engine rotor burst analysis determines the
aircraft level effects concerning continued safe flight and
landing on an uncontained rotor burst of the aircraft main
engines. The particular risk assumption includes various
different cases including analysis of small fragments as
well as a failure of the main rotor disk separating a 1/3
disc fragment with very high kinetic energy.
This simplified PRA example develops relevant cases for
a main rotor disc failure limited to the LH main engine of
a regional jet airliner showing the effect on the pitch
control function of the flight control system including the
associated supply systems.
To determine the relevant cases for this system all
potential trajectories of the 1/3 disc fragment are
analyzed and affected system and supply system
equipment identified. The outline for all trajectories
considers all translational release angles, i.e. the 360
 Downloaded from SAE International by Univ of California Berkeley, Sunday, July 29, 2018
degree ejection around the rotational axis of the engine
(see figure 3) in combination with a spread angle, i.e. the
ejection along the longitudinal axis of the engine (see
figure 4). Following a worst-case analysis approach of
AC/AMC-20-128A, it is assumed that the 1/3 disc
fragment rotates around the center of gravity with
sufficient kinetic energy to cut through all aircraft
structures without deflections.
Figure 3: Two example trajectories affecting the
fuselage for LH engine rotor burst – 1/3 disc, front view
All those trajectories are considered relevant risk angles,
where physical items of the pitch control function (e.g.
control computers, sensors, actuators, electrical signal
wiring, etc.) or items of the supply systems (electric or
hydraulic power supply) are affected. Each single
trajectory is analyzed to identify affected items and
evaluated for the analysis cases (includes generation of
worst-case-scenarios and summarization of effects).
The PRA for the catastrophic failure conditions of the
pitch control function analyzes all cases where physical
items of the pitch control function (end-to-end) or of all
supply functions (source-to-end) are affected.
Figure 4: Two example trajectories affecting the
fuselage for LH engine rotor burst – 1/3 disc, top view
SAE Int. J. of Aerosp. | Volume 2 | Issue 1
Power Sources Affected by the Rotor Burst – Following a
conservative worst-case safety analysis approach in
combination with the characteristics of the example
aircraft, it is assumed that the failure of the LH engine
results in a loss of electric and hydraulic power in the
associated systems.
For the hydraulic system, it is assumed that the nominal
power demand for the flight controls cannot be provided
by the electric motor pump (EMP) after loss of power to
the engine driven pump (EDP), wing or engine hydraulic
tubing is affected or that the disintegrated engine has
caused a total loss of hydraulic pressure in hydraulic
system 1 (leak).
The engine driven generator of the electric system 1 is
not powered after the engine failure or failed due to the
rotor burst damage. The APU as an additional source of
electric power is not considered and not modeled for this
example since it is a MMEL item and therefore assumed
not available as a worst-case scenario. Additionally, the
power cross feed between the electric systems is
assumed to be not available since it is not tested before
flight or is a MMEL item.
Equipment in the Rotor-Burst Zone – All potential
trajectories for a 1/3 disc fragment following failure of the
LH engine do not affect the aircraft equipment bays,
therefore no equipment (controllers, electric power
supply equipment, etc.) of the system and supply
system. Various cases affect wiring of the pitch control
function as well as power supply wiring and tubing of the
hydraulic system installed in the rotor burst zone (see
figure 4 hatched area).
Wiring Installation in the Rotor Burst Zone – In the rotor
burst zone, the wiring bundles of the example are
installed in 4 dedicated wiring areas (see figure 5).
Those include the signal wiring as well as the wiring of
the electric system. Although flight controls signaling and
electric power wires are segregated into separate
bundles, those bundles may be installed in the same
wiring area. Following a conservative worst-case
approach, it is assumed that the wiring area fails at once
when affected. The analysis of the trajectories shows
that all wiring areas fail independently for all cases,
except the "lower" areas, which can also fail together.
The characteristic of the wiring installation of the
example regional aircraft considering the worst-case
approach leads relevant analysis cases of very simple
nature. Partial failures of the wiring zones are not
considered due to condensation to worst-case effects.
Different trajectories along the longitudinal axis of the
rotor burst zone do not lead to additional cases due to
characteristics of the wiring installation. Wing leading
edge installation areas contain own engine wiring and
tubing only. Failure of these areas is considered within
the worst-case assumptions for the engine failures.
An interface or wiring FMEA (refer to SAE ARP4761) has
shown that a bundle failure leads to a fail safe state of
31
 Downloaded from SAE International by Univ of California Berkeley, Sunday, July 29, 2018

the affected function (i.e. loss of function) for all signal relevant cases. If issues arise during the analyses, more
types, their associated failure modes (open, short to details may have to be incorporated to the model or the
ground) and failure combinations of wires (short to signal system, supply systems, the implementation or the
or signal power) within the affected bundles. associated installations will have to be changed (new
requirements).
In the rotor burst zone, the wiring areas include the
following wire connections (see figure 5): The following cases are developed for the PRA example
in addition to the engine related power source failures:
LH high (WA_LH-1)
• Signal and control wiring for the pitch control function All Cases
channel 2 • LH engine fails rotor burst failure
• Power supply wiring from secondary power • Hydraulic System 1 (HS 1) loss of hydraulic power
distribution (SP 6) to pitch control computer (PCC_2) • Electric System 1 (PP 1) loss of primary power
• Power supply wiring from primary power distribution
(PP 1) to secondary power distribution (SP 6) Case 1
• Power supply wiring from primary power distribution • Wiring area LH – high loss of functions
(PP 1) to primary power distribution (PP 3) (essential
power supply) Case 2
RH high (WA_RH-2) • Wiring area RH – high loss of functions
• Signal and control wiring for the pitch control function Case 3
channel 3
• Wiring area LH – low loss of functions
• Power supply wiring from primary power distribution
(PP 1) to secondary power distribution (SP 1)
Case 4
• Power supply wiring from primary power distribution
(PP 3) (essential power supply) to hydraulic system • Wiring area LH – low loss of functions
(HS 3) DC motor pump (DCMP) • Wiring area RH – low loss of functions

LH low (WA_LL-3) Case 5

• Signal and control wiring for the pitch control function • Wiring area LH – low loss of functions
channel 1 • Wiring area RH – low loss of functions
• RH engine fails loss of power
RH low (WA_RL-4) • Hydraulic System 2 (HS 2) loss of primary power
• Signal and control wiring for the pitch control function • Electric System 2 (PP 2) loss of hydraulic power
channel 4
• Power supply wiring from primary power distribution Cases 3 through 5 are identical with increasing failure
(PP 2) to secondary power distribution (SP 2) effect. Case 5 represents the trajectory through the lower
• Power supply wiring from primary power distribution fuselage section also failing the other engine (worst-case
(PP 2) to primary power distribution (PP 3) (essential assumption).
power supply)
Modeling Approach – The model used for this analysis
includes as a minimum the following items (see figure 2):
• pitch control system functions (4-channel) and links
• surface level function and pitch control MACC
• associated equipment and wiring
• installation areas for the equipment and wiring

A basic model of the electric power supply system

Figure 5: Wiring bundle installation, front view
Summary of Relevant Cases – The development of the
rotor burst cases from the potential disc trajectories
generates a very high number of cases. If the affected
items are included into the case definition, the number of
cases can be summarized. With system knowledge a
conservative worst-case approach can be applied to
condense the cases to a representative number of
provides detail for all redundant path from the power
source at the main engines, via generators and
generator control, primary power distribution (PP),
secondary power distribution (SP) to the consumer at the
pitch control computers. Details for installation of
equipment and wiring are also included in the model.
The model for the hydraulic power supply system is kept
very simple, but sufficient for the analyses performed on
this model. The failure modes of each sub-system
including the tubing (loss of pressure) are condensed
into a global model item. The detail of the redundant
paths is provided covering the hydraulic tubing from the

32 SAE Int. J. of Aerosp. | Volume 2 | Issue 1

 Downloaded from SAE International by Univ of California Berkeley, Sunday, July 29, 2018
power source at the engines via the engine drive pumps
to the consumer at the pitch control actuators. The
hydraulic system control is also not modeled for this
example since additional analysis has shown the control
items to be fail operational. The power supply to the
electrically driven hydraulic pumps is modeled by a
connection to the appropriate sources at the electric
system including the wiring and the associated wiring
installation areas.
The ram air turbine (RAT) provides back-up electrical
power for a total loss of engine power powering the
essential channel of the electric system. The RAT
function creates additional analysis cases, as it is
normally not activated. A battery backs up electric power
for RAT start-up and final landing phases. The charge
function of the battery is not modeled. This modeling
limitation may be acceptable, but requires additional
analysis cases (BAT discharged).
Rotor Burst Analysis Results – The system dependency
analysis returns the following failure effects for the pitch
control channels and the MACC when subjected to the
rotor burst cases developed for the PRA example above:
Case 1
• Pitch control channel 1 (LH outboard elevator
actuator) fails to passive/damped mode due to loss
of hydraulic power supplied by system 1.
• Pitch control channel 2 (LH inboard elevator
actuator) fails to passive/damped mode due to loss
of the signal and control wiring of this channel.
The left hand elevator surface is passivated due to both
actuators failing to passive/damped mode. The MACC is
not violated. A visualization of the result is provided in
figure 6.
Case 2
• Pitch control channel 1 fails (LH outboard elevator
actuator) fails to passive/damped mode due to loss
of hydraulic power supplied by system 1.
• Pitch control channel 3 fails (RH inboard elevator
actuator) fails to passive/damped mode due to loss
of the signal and control wiring of this channel.
Both elevator surfaces remain operational. The MACC is
not violated. Note, that the surface actuation may have a
reduction of performance due to active/damped surface
actuation configuration. Performance degradation is
modeled by the model item result function or the surface
function model by setting the threshold of availability.
Additional criteria can be integrated into the model to
visualize performance aspects.
Case 3
• Pitch control channel 1 fails (LH outboard elevator
actuator) fails to passive/damped mode due to loss
of hydraulic power supplied by system 1 and due to
loss of the signal and control wiring of this channel.
SAE Int. J. of Aerosp. | Volume 2 | Issue 1
Both elevator surfaces remain operational with potential
performance reduction (see above). The MACC is not
violated.
Case 4
• Pitch control channel 1 fails (LH outboard elevator
actuator) fails to passive/damped mode due to loss
of hydraulic power supplied by system 1 and due to
loss of the signal and control wiring of this channel.
• Pitch control channel 3 fails (RH inboard elevator
actuator) fails to passive/damped mode due to a
dual loss of electrical power. If the RAT is deployed
manually (and the battery is charged), this channel
remains operational.
• Pitch control channel 4 fails (RH outboard elevator
actuator) fails to passive/damped mode due to loss
of the signal and control wiring of this channel.
At least one elevator surfaces remains operational with
potential performance reduction (see above). The MACC
is not violated.
Case 5
• Pitch control channel 1 fails (LH outboard elevator
actuator) fails to passive/damped mode due to loss
of hydraulic power supplied by system 1 and due to
loss of the signal and control wiring of this channel.
• Pitch control channel 2 (LH inboard elevator
actuator) fails to passive/damped mode due to loss
of hydraulic power supplied by system 2.
• Pitch control channel 4 fails (RH outboard elevator
actuator) fails to passive/damped mode due to loss
of the signal and control wiring of this channel.
The left hand elevator surface is passivated due to both
actuators failing to passive/damped mode. RAT
activation and battery back-up are required to maintain
continuous safe flight and landing with pitch control
channel 3 operating the RH elevator surface with
potential performance reduction (see above). The MACC
is not violated.
Result Summary – The rotor burst analysis for an
uncontained engine failure of the LH main engine
separating a 1/3 disk fragment shows that a minimum
set of pitch control channels is available for continued
safe flight and landing of the aircraft for all cases. The
most severe case 5 requires RAT operation and battery
back-up. A system block diagram (figure 6) showing the
system dependency network end/source-to-end with a
visualization of the failure propagation is generated for
rotor burst analysis case 1.
This example is limited to a sub-set of cases required for
completion of the PRA for high energy devices.
Additional cases for the RH engine and the APU are
required as well as additional scenarios (e.g.
uncontained engine failure for small fragments). These
cases can be performed using the same system model.
The sensitivity analysis below shows an example where
an analysis case fails and the associated benefit.
33
 Downloaded from SAE International by Univ of California Berkeley, Sunday, July 29, 2018

Figure 6: System dependency network of the pitch control function and associated supply functions –
visualization of the failure propagation for rotor burst case 1

Note: The red/dark colored items indicate propagation of lost/failed functions caused by the LH engine failure finally
affecting the LH elevator surface (LH ES). The MACC is not violated, indicated by a white/light color scheme.

Sensitivity Analysis – The system dependency analysis
may be used to determine the impact of design changes
on already existing safety analyses. If all use the same
system model, a full picture of the change can be
generated re-using the existing model and associated
analyses to determine acceptability of the change
concerning the compliance to safety requirements in
comparison to previous results.
system change is introduced at a higher functional level,
the impact on the safety analyses may be obvious and
predictable by experience and system knowledge. If a
system change is introduced somewhere further down in
the hierarchy of the system model, for example at supply
system level and maybe even the installation of the
supply system items, the impact may not be obvious and
a detailed analysis update is required.

The rotor bust analysis example above includes several
layers of models which are interconnected to determine
the aircraft level MACC. Several systems are
interconnected – the pitch control function which
provides the MACC, and the supply systems, i.e. the
electric system and the hydraulic system. All systems are
modeled on a function level with the addition of models
for the physical items and installation aspects. If a
Based on the example above, a change is introduced
into the system model affecting the installation of supply
system items. The power supply from the primary power
distribution channel 3 (PP 3) to the hydraulic system 3
(HS 3) DC motor pump (DCMP) is moved from wiring
area RH high (WA_RH-2) to wiring area RH low
(WA_RL-4).

34 SAE Int. J. of Aerosp. | Volume 2 | Issue 1

 Downloaded from SAE International by Univ of California Berkeley, Sunday, July 29, 2018
The system dependency analysis is re-run using the
updated model. The results for case 5 change such that
the MACC is violated even with the RAT activated due to
an additional failure of pitch control channel 3 caused by
the loss of hydraulic system 3. Consequently continued
safe flight and landing capability is marginal, depending
on worst-case assumptions for modeling in combination
with the general flight conditions and the flight phase.
In detail, case 5 above fails the pitch control channel 3
due to loss of hydraulic power system 3. In this example,
hydraulic system 3 is powered by 2 redundant electric
motor pumps. One pump, the AC motor pump (ACMP),
is supplied by primary electric power system 2 (PP 2)
generator driven by engine 2, which has failed in this
case (as before the change). The other pump, the DC
motor pump (DCMP), now fails after the change due to
failure of the electric power wiring, which was moved to
the wiring area RH low (WA_RL-4) affected by the 1/3
disc fragment trajectory.
Note, that the example aircraft uses the ram air turbine
(RAT) for total loss of power scenarios, including case 5
above, in conjunction with the essential electric system
(channel 3), the hydraulic system 3 (purely electrically
powered) and dedicated pitch control channels for
directional flight controls. This path should remain
operational for all loss of power cases required by
certification regulations.
This example variant is added to this paper to show the
almost unlimited capability of the system dependency
analysis to determine feasibility of system designs and to
determine the margin of system architectures after
integration and installation into an aircraft.
Requirements Derived from the Analysis – The system
dependency analysis can be used for all phases of
aircraft and system design. The above example shows a
more or less final state which can be used to support the
system safety assessment (SSA, see SAE ARP4761)
conducted to show compliance to regulations for aircraft
certification.
If the system dependency analysis is used for early
design phases, it can be used for the preliminary aircraft
(or system) safety assessment (PASA or PSSA, see
SAE ARP4761). In these phases it may be very
beneficial to conduct the suite of PRAs to show feasibility
of system architectures after integration into an aircraft
environment (supply system distribution or installation
aspects).
The lack of detailed or concise information common to
early design phases encourages generation of concepts
or principles for integration of a system into an aircraft
using the system dependency analysis not only in the
context with the rotor burst analysis. If system functions
are modeled in conjunction with integration constraints
supported by other safety analyses, it may even be
advisable to freeze the modeling assumptions into
SAE Int. J. of Aerosp. | Volume 2 | Issue 1
(derived) system or safety requirements assuring a
concept leading to certification success.
The rotor burst analysis using the system dependency
analysis contributed significantly to the aircraft wiring
installation concept, and the electric and hydraulic power
supply distribution to the flight control system for the
example regional jet airliner generating associated
requirements. The system design, integration and
installation of the pitch control function including all
necessary supply functions have already been optimized
to pass the analysis cases shown above. The concept
for the wiring installation within the rotor burst zone as
well as the detailed distribution of wiring, electric power
to the PCC channels and the hydraulic power to the PA
channels are derived as requirements from the analysis
cases. During the optimization process, the model was
iteratively changed and detailed more and more to allow
consideration of alternate solutions and additional
analysis cases with varying pass/fail scenarios. In
addition to creating requirements, the process helped the
analyst as well as system designers to understand the
complex dependencies of the aircraft systems.
ZONAL SAFETY ANALYSIS
ANALYSIS VARIANTS – The zonal safety analysis (ZSA)
defined in SAE ARP4761 is based on the same
motivation as the particular risk analysis derived from the
14CFR/CS §25.1309. Where, in comparison, the PRA
analyzes the effects of specific damage scenarios, the
ZSA covers the aspects of unspecific failure scenarios to
determine potential interference effects between systems
with equipment installed in proximity within an aircraft
zone. Those zonal failure scenarios may include, for
example, a failure affecting all physical items
(equipment, wiring, etc.) installed in an electronic
equipment bay, a structural failure causing simultaneous
effect on items (wiring, tubing, etc.) installed in proximity,
etc. Other aspects of the ZSA mainly referring to basic
installation and maintenance errors are not addressed by
this paper.
The rationale and objectives of the ZSA are more or less
identical to the PRA since both analyze failure conditions
of physical items installed in certain areas of the aircraft.
The difference of the ZSA, compared to the PRA, is that
the failure cause is not necessarily known at the time
when the analysis is performed. Instead, the analysis
task is to determine a potential interference between
systems which may cause catastrophic effect preventing
continued safe flight and landing of the aircraft.
Important, also for the ZSA, is to analyze the systems in
combination with their supply systems and specifically in
combination with adjacent systems forming
redundancies. Those adjacent systems may be identical
or similar function channels or completely different
functions with similar means controlling the aircraft (e.g.
wheel brakes and thrust reverser for stopping the aircraft
on the runway).
35
 Downloaded from SAE International by Univ of California Berkeley, Sunday, July 29, 2018
The ZSA may be performed identically to the PRA using
the system dependency analysis for known zonal failure
conditions created on the basis of checklists, experience
or system/aircraft knowledge. If system conflicts leading
to catastrophic or hazardous failure conditions at aircraft
level cannot be concluded by segregation of systems
when integrated into the aircraft systems environment,
the ZSA may have to consider additional cases
performed on pure combinatorial considerations leading
to a high number of analysis cases. This may also be
required for computer platform based, highly integrated
systems, if sufficient segregation cannot be provided or
verified due to complexity. Although the system
dependency analysis can also address the more
combinatorial oriented analysis technique (refer to SAE
paper "System Dependency Analysis as a Common
Cause Search Engine for Complex Aircraft Systems",
2009-01-3105), this paper is limited to showing examples
for predefined failure conditions.
If a zonal safety analysis is performed based on
predefined aircraft zones to be analyzed, the system
dependency analysis may support the analysis of
systems interference for failure conditions where a failure
condition leads to a loss of any combination of systems
or supply systems installed in this zone. This assumes
that either structural damage or a zonal event leads to
failure of several items or that failure of one system
affects other items within this aircraft zone. Use of the
system dependency analysis to determine the overall
aircraft effect of this failure condition also relies on the
assumption that each system detects the potential failure
modes of the items installed in the zone and de-activates
appropriate functions leading to a "loss of function" (see
also PRA).
EXAMPLE – To perform a zonal analysis to analyze the
system interference (dependency) following a zonal
failure condition with the system dependency analysis,
the physical items installed in each aircraft zone provide
the basis to determine the analysis cases.
Determination of Analysis Cases – For each aircraft
zone, the physical items potentially affected by the failure
condition are listed to generate analysis cases. To limit
the number of different cases for each zone, a
conservative worst-case assumption can be used to
simplify the analysis considering all items lost
simultaneously. Aircraft zones may include electronics
equipment bays, fuselage sections, wing sections, tail
cone or empennage sections, pressure bulkhead feed
through, etc. The physical items to be considered are
Avionics equipment, sensors, actuators, wiring, hydraulic
tubing, and mechanical parts, etc. Due to the similarity of
the ZSA with the PRA, the example is kept general
without specific failure scenarios highlighting additional
aspects.
Modeling Approach – As for the PRA, the system model
requires a full model of the redundant pitch control
function, including the surface level function, MACC and
the associated equipment and wiring. Equally important
36 SAE Int. J. of Aerosp. | Volume 2 | Issue 1
is the modeling of the supply systems, which may need
more detail to address zonal differences concerning
detailed functions, also including functions to prevent
failure propagation (e.g. electric or hydraulic fuses),
implementation detail or additional installation aspects. It
is fully acceptable to start with a conservative, worst-
case failure hypothesis (e.g. set failure of a complete
electric system channel instead of failing a supply wire to
a specific consumer protected by a fuse) and add detail
to the model where required to prove failure
containment.
For the purpose of efficient modeling for the ZSA, the
system dependency analysis is capable to structure
model items in a hierarchical manner. Not only model
items of functions and sub-functions can be structured,
but also the physical items and more important for the
ZSA, the installation dependencies. For example,
physical items, such as wiring may be structured in
single signal wires, wire bundles for specific functions,
bundle sections or full length wire bundles. Concerning
the hierarchy of installation aspects, a physical item with
limited physical dimension is likely to be assigned to one
specific installation zone, e.g. an electronic controller is
installed within an equipment bay or rack in the aircraft.
Other physical items, such as wiring or wire bundles may
be assigned to several installation areas as a wiring
bundle can stretch from an equipment bay through the
fuselage into the wing passing several aircraft zones.
This feature of the system dependency analysis also
allows the addressing of the proximity aspects where
items are installed in one zone closely to an item
assigned to another zone, even though this may require
an additional analysis case. This is feasible since the
modeling technique does not limit the amount of
dependencies which can be defined for a model item.
The database background ensures interconnection of
the model items and allows different views to create and
verify the system model using filter mechanisms. To
ensure maintainability of the model a consistent
application of the structuring capabilities is
recommended, maybe by definition of a modeling
standard.
ZSA Results – The ZSA results are generated as for the
PRA example setting the failure conditions for each
analysis case within the analysis management and
applying each case to the system model. The analysis
results are documented to support the traditional suite of
safety analyses. The stored results may also be
compared to results after a system model change as
shown for the sensitivity analysis performed within the
PRA example.
Requirements Derived from the Analysis – As already
discussed for the PRA example, the ZSA performed with
the system dependency analysis can be used to support
the system safety assessment in order to show
compliance to certification regulation and safety
requirements.
 Downloaded from SAE International by Univ of California Berkeley, Sunday, July 29, 2018

The benefit of performing parts of the ZSA using the
system dependency analysis, like for the PRA, is to
confirm feasibility of integration and installation of
systems into the aircraft during early design phases.
When starting the analysis with basic model worst-case
assumptions associated with the lack of detail within the
system model may lead to non-passing analysis results.
This requires re-visiting the system integration or
installation, maybe even the system architecture to
introduce changes or detail to show compliance to
analysis objectives. All model items added or changed or
new assumptions generated should be documented as
requirements for the system, integration or installation.
The modeling activity supports verification of the existing
architectural concepts and requirements by different than
traditional means. After successful analysis, the model
itself may act as an additional checklist to verify the
actual and final design ensuring compliance to the
certification regulation and safety requirements.
COMMON MODE ANALYSIS
ANALYSIS VARIANTS – The common mode analysis
(CMA) defined in SAE ARP4761 is indirectly motivated
by the certification paragraph for "equipment, systems
and installation" (14CFR/CS §25.1309). The acceptable
means of compliance guidance material recommends
performing a fault tree analysis or alternatively a
dependency diagram (or Markov analysis). The common
mode analysis is performed to verify that ANDed events
are independent in the actual implementation ensuring
that identical items, i.e. equipment hardware and
software, representing redundancies do not fail
simultaneously due to a generic or common fault.
performance to ensure continued safe flight and landing
of the aircraft.
EXAMPLE – A common mode analysis performed with
the system dependency analysis is generally based on
the physical implementation of the system and sub-
system functions, i.e. the implementation in hardware
and software items. The variety of similar or identical
hardware and software items throughout the systems to
be analyzed provides the basis to determine the analysis
cases.
Determination of Analysis Cases – The principle
requirements for independence within the system and
supply systems to be analyzed should be known by the
fault tree analysis performed for the catastrophic and
hazardous failure conditions determined for the system.
The items to be independent within the system equally
represent the analysis cases postulating the these items
fail due to a common mode fault. According to the
certification regulation and associated guidance common
mode failure conditions do not have to be combined with
additional (common mode or random) failures, but to be
combined with any MMEL case and operation mode of
the system.

Common mode faults may be caused by hardware or

software, failures, errors, production and repair flaws,
situation related or environmental stress or cascading
failures, etc. Since based on the certification paragraph
referenced above, the common mode analysis should
include the analysis of the supply systems, like for the
PRA and ZSA, in an end/source-to-end manner.
Traditional aircraft designs were based on more or less
independent system hierarchies, each providing
individual redundant functional path with sufficient
independence ensured at system level. Future aircraft
designs potentially using highly integrated, platform
oriented systems with flat hierarchies. Those may also
utilize high performance hardware items (e.g.
communication ICs or CPUs) with associated software
operating systems and drivers vulnerable to common
mode failures across many systems, even throughout all
aircraft systems potentiating aircraft level failure effects Figure 7: Physical implementation modeling for the
(multiple systems failures). common mode analysis

The system dependency analysis provides the capability
to analyze the concept of independence between
systems within the aircraft to ensure for potentially
occurring common mode failures leading to multiple
system failures that the remaining redundant functional
paths provide sufficient control availability and
Modeling Approach – As for the PRA and the ZSA, the
system model requires a full model of the redundant
pitch control function, including the surface level function,
MACC and the associated equipment and wiring. The
specifics of the common mode analysis require detail
concerning the physical implementation of the items,

SAE Int. J. of Aerosp. | Volume 2 | Issue 1 37

 Downloaded from SAE International by Univ of California Berkeley, Sunday, July 29, 2018
especially with respect to the hardware and software
implementation as well as any items identified by the
FTA (refer to SAE ARP4761) to be independent.
To achieve the additional detail, the physical presentation
modeling may be hierarchically structured in a similar
manner as for the functional modeling level (see figure
7). A function fails if the equipment hardware/software
items or sub-items fail. Hardware items could be, for
example, processing units (CPUs), communication ICs,
or other (complex or non-complex) electronic hardware
items. Software items could be, for example, operating
systems, communication interface drivers, or any other
common software procedures.
The unlimited capability to introduce additional
hierarchical levels into the system modeling allows to
group similar, identical or non-independent items of
different equipment items which can be failed at once
during the analysis. This also ensures that the analysis is
performed without the influence of naming conventions
and the analyst specifically assigns an item to a specific
group aware of the independence requirement generated
in the FTA.
CMA Results – The CMA results are generated as for
the PRA and the ZSA by setting a group of common
items to the failed status for each analysis case within
the analysis management and applying each case to the
system model. The analysis returns the result showing if
the MACC is passed or violated indicating the concept of
independence to be acceptable or not.
Requirements Derived from the Analysis – Similar to the
PRA and ZSA, the CMA performed with the system
dependency analysis can be used to support the system
safety assessment in order to show compliance to
certification regulation and safety requirements.
The benefit of supporting the system or aircraft level
CMA with the system dependency analysis is to confirm
the feasibility of the independence concept of functions
and physical implementation items. The system
dependency analysis proofs minimum acceptable control
for continued safe flight and landing after occurrence of a
common mode failure. When performed for preliminary
architecture and design concepts, the modeling for the
CMA already requires a detailed concept for the
independence or motivates to create assumptions to be
documented as requirements.
Where PRA and ZSA focus addressing the integration
and installation aspects of the system into the aircraft,
the CMA focuses on the physical implementation of
functions within hardware and software design.
CONCLUSION
The system dependency analysis provides the capability
to analyze complex systems at system and aircraft level
to determine acceptability of functional interdependence,
integration into the aircraft environment (e.g. with supply
38 SAE Int. J. of Aerosp. | Volume 2 | Issue 1
systems), implementation of functions into physical items
(hardware and software), and the installation of these
items into the aircraft installation zones. The acceptability
criterion (e.g. minimum acceptable control) represents
associated system safety and certification requirements
integral to the model and analysis database (see also
SAE paper "System Dependency Analysis for Complex
Aircraft Systems", 2007-01-3852). The system
dependency analysis is not comprehensive to replace
parts of the traditional suite of safety analyses, but may
be utilized for early design phases to support concept
and requirements definition and also for final design to
support requirements compliance and certification.
This paper shows examples to use the system
dependency analysis to support the common cause
analyses (CCA), such as the particular risk analysis
(PRA), zonal safety analysis (ZSA) and the common
mode analysis (CMA) as defined per SAE ARP4761. For
the PRA, a detailed example shows analysis of a main
engine rotor burst analysis for a redundant flight controls
function (fly-by-wire pitch control) of a generic regional jet
airliner. This includes showing generation of the analysis
cases, modeling necessities, analysis process and the
analysis results including visualization of the failure
propagation within the system (end/source-to-end). The
result shown for an already optimized system is
complemented by a sensitivity analysis, which shows a
failing analysis case violating the minimum acceptable
control criterion, and by indicating the benefit of
generating requirements during the model generation
and analysis iterations.
More generic examples are provided for the ZSA and
CMA addressing special needs for the specific types of
analyses. The zonal safety analysis relies on process
oriented determination of analysis cases based on
analysis of items installed in aircraft zones. The CMA
requires specific detail within the system model
concerning the implementation of the system functions
with respect to similar or identical hardware and software
items or items determined to be independent.
The current system dependency analysis methodology is
based on failure conditions created from predetermined
events, which are defined in certification regulation or
industry guidance checklists, created from system and
aircraft characteristics or known by experience. To
engage additional value from the system model for
potential, not predetermined failure conditions (failure
cause not predefined), the system dependency analysis
can be converted to be used as a common cause search
engine for complex aircraft systems (refer to SAE paper
2009-01-3105).
ACKNOWLEDGMENTS
I am grateful to all those who supported me with this
paper. Especially, I would like to thank David McLaughlin
and Eric Peterson for their encouragement and valuable
support during my work on the system dependency
analysis.
 Downloaded from SAE International by Univ of California Berkeley, Sunday, July 29, 2018

REFERENCES APU Auxiliary Power Unit

ARP Aircraft Recommended Practice
1. Airworthiness Standards for Transport Category BAT Battery
Airplanes, 14 CFR Part 25, Federal Aviation CCA Common Cause Analysis (SAE ARP4761)
Administration (FAA) CFR Code of Federal Regulations
2. Certification Specification for Large Aeroplanes, CS- CMA Common Mode Analysis (SAE ARP4761)
25, European Aviation Safety Agency (EASA)
CPU Central Processing Unit
3. Design Considerations for Minimizing Hazards CS Certification Specification
Caused by Uncontained Turbo Engine and Auxiliary
DCMP Direct Current (DC) Motor Pump
Power Unit Rotor Failure, 14CFR Part AC 20-128A
(FAA) and AMC-20-128A (EASA) DD Dependency Diagram (SAE ARP4761)
EDP Engine Driven Pump
4. Guidelines and Methods for Conduction the Safety
Assessment Process on Civil Airborne Systems and EMP Electric Motor Pump
Equipment, ARP4761, SAE EQM Equipment
5. K.Fritz, System Dependency Analysis for Complex ES Elevator Surface
Aircraft Systems, presented at SAE AeroTech FCT Function / Sub-Function
Congress & Exhibition, 2007-01-3852, 2007 FMEA Failure Modes and Effects Analysis (SAE
ARP4761)
6. Fritz, K., “System Dependency Analysis as a
Common Cause Search Engine for Complex Aircraft FTA Fault Tree Analysis (SAE ARP4761)
Systems,” SAE Int. J. Aerosp. 2(1):21-27, 2009. HS Hydraulic System
HW (Electronic) Hardware
7. U.Persson and K.Fritz, 728JET Primary Flight
IC Integrated Circuits
Control System, presented at the 7th Scandinavian
International Conference on Fluid Power (SICFP'01), INST Installation Location
2001 LH Left Hand
8. U.Persson and C.Schallert, The 728JET Flight MACC Minimum Acceptable Control Criterion
Control System, presented at the DGLR Deutscher MMEL Master Minimum Equipment List
Luft- und Raumfahrt-Kongress, DGLR-2001-032, PA Pitch Actuator
2001 PCC Pitch Control Computer
PCF Primary Control Function
PPS Primary Power Supply
CONTACT PRA Particular Risk Analysis (SAE ARP4761)
PSSA Preliminary SSA
Klaus Fritz System Safety Engineer PWR Power Supply
Address: Manzweg 40, 88662 Uberlingen, RAT Ram Air Turbine
Germany RH Right Hand
SAE Society of Automotive Engineers
eMail: klaus.fritz68@arcor.de
SDA System Dependency Analysis
SP Sensor Package
SPS Secondary Power Supply
DEFINITIONS, ACRONYMS, ABBREVIATIONS
SSA System Safety Analysis
SW Software
System Integration: Integration of a system into an
operating environment (aircraft) including assignment of WA Wiring Area
system interfaces to system internal or external supply ZSA Zonal Safety Analysis (SAE ARP4761)
sources or consumers (e.g. assignment of a hydraulic
system to supply a specific actuator of the pitch control
system; refers to electric/hydraulic power supply,
communication, etc).
System or Function Implementation: Assignment of a
function, sub-function or function link to a physical item
or sub-item (e.g. assignment of the pitch control function
to the pitch control computer) and the associated
technical solution.
System Installation: Installation of the physical items of
a system (e.g. equipment, wiring, tubing, mechanical
items) into dedicated aircraft installation zones.

SAE Int. J. of Aerosp. | Volume 2 | Issue 1 39