Latent Catastrophe

 

A latent failure condition consisting of two individually latent faults can be represented by a four-state Markov model as shown below.

 

 

We assume the duration of each flight is 7.5 hours, and the repair transitions occur at intervals of 187 flights (1400 hours) back to State 0. To illustrate with a numerical example, suppose the failure rates are λ1 = 1.728E-07/hr and λ2 = 3.257E-07/hr. This results in a normalized average probability for State 3 of 4.958E-09/FH. This is the measure of risk/exposure of this totally latent condition (with the 1400 hour interval) to a subsequent fault that would result in a catastrophic condition, so if our intent is to impose a limit on the risk of this totally latent condition, this is the relevant probability.

 

Now suppose we implement a real-time detection feature for State 3, and whenever we detect this dual-failure state we annunciate a “no dispatch” message, which requires that both components be repaired prior to the next flight. Hence the repair transition occurs every 1 flight, instead of every 187 flights, as indicated in the model below.

 

 

For this situation the normalized average probability for State 3 is 7.891E-11/FH. As we would expect, this is significantly reduced, because we no longer allow the dual-failure condition to persist beyond the flight in which it arises. So, the probability of the system being in State 3 is greatly reduced.

 

As an aside, these models are so simple that we can very easily compute approximate results from trivial formulas. In the first case, both faults have an exposure time of T = 1400 hours (187 flights of duration τ = 7.5 hours), and there is an averaging factor of about 1/3 for this two-component failure, so the normalized average probability is given closely by

 

 

Which is very close to the exact value computed by the Markov model previously. For the second case, where we detect and repair State 3 before each flight, the first failure is T hours of exposure and the second has τ hours of exposure, with an averaging factor of 1/2, but there are two ways this can happen, i.e., C1 with the long exposure and C2 with the short exposure, or vice versa, so the normalized average probability in this case is given closely by

 

 

This again closely approximates the exact value computed by the Markov model previously.
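The figures quoted above can be reproduced numerically. The following Python sketch is an added example, not code from the original page: it assumes independent exponential failures with State 1 = first component failed and State 2 = second component failed, and it takes "normalized average probability" to mean the end-of-flight State 3 probability averaged over the 187 flights and divided by the flight duration. The two approximation expressions are reconstructed from the exposure times and averaging factors described in the text.

```python
import math

L1, L2 = 1.728e-07, 3.257e-07   # failure rates per hour (from the text)
TAU, N = 7.5, 187               # flight duration (h), flights per repair interval

def state3_rate(repair_state3_each_flight):
    """Mean end-of-flight probability of State 3 over one repair interval,
    divided by flight duration (assumed meaning of 'normalized average')."""
    q1 = 1.0 - math.exp(-L1 * TAU)   # P(component 1 fails during one flight)
    q2 = 1.0 - math.exp(-L2 * TAU)   # P(component 2 fails during one flight)
    p = [1.0, 0.0, 0.0, 0.0]         # interval starts in State 0 (all repaired)
    total = 0.0
    for _ in range(N):
        p0, p1, p2, p3 = p
        p = [p0 * (1 - q1) * (1 - q2),                 # State 0: no faults
             p0 * q1 * (1 - q2) + p1 * (1 - q2),       # State 1: only C1 failed
             p0 * (1 - q1) * q2 + p2 * (1 - q1),       # State 2: only C2 failed
             p0 * q1 * q2 + p1 * q2 + p2 * q1 + p3]    # State 3: both failed
        total += p[3]
        if repair_state3_each_flight:   # "no dispatch": State 3 -> State 0
            p[0] += p[3]
            p[3] = 0.0
    return total / N / TAU

def approximations(T=1400.0):
    """Closed-form estimates built from the ingredients named in the text."""
    # Both faults exposed for T, averaging factor 1/3, normalized per flight hour.
    latent = (L1 * T) * (L2 * T) / 3.0 / TAU
    # One fault exposed for T, the other for TAU, factor 1/2, two orderings.
    detected = 2 * 0.5 * (L1 * T) * (L2 * TAU) / TAU
    return latent, detected

if __name__ == "__main__":
    a_latent, a_detected = approximations()
    print(f"latent State 3:   exact {state3_rate(False):.3e}/FH, approx {a_latent:.3e}/FH")
    print(f"detected State 3: exact {state3_rate(True):.3e}/FH, approx {a_detected:.3e}/FH")
```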

 

Now we can address a point that sometimes confuses people. Returning to the first system, with no built-in detection feature to benignly trigger an immediate repair of State 3, suppose State 3 is itself catastrophic. The effect of this is to turn the second fault into an “active” detected fault, because obviously a catastrophic failure is not latent. This is treated by the second Markov model, i.e., exactly as if we have a benign detection feature that triggers repair whenever State 3 is entered. The difference is that the detection means is no longer benign, and the repair is replacement of the airplane. It sometimes strikes people as paradoxical that the normalized average probability of State 3 in the first model is reduced simply by stipulating that it is not a latent combination, but is instead catastrophic. The result would be the same if we stipulate that State 3 causes some noticeable loss of function that is not catastrophic but that leads to repair before the next flight.

 

This is not really paradoxical, though, because if State 3 is actually latent, it obviously is not catastrophic, and hence the acceptable threshold would be much less stringent, since a catastrophic condition would only arise after some subsequent failure, and the exposure to that event does indeed depend on the full latency of State 3. Typically the requirement on the latent part would be orders of magnitude greater than the requirement on a catastrophic state. In contrast, if State 3 really is catastrophic itself, the normalized average probability of State 3 really is lower (because there is no extended exposure), but the requirement is correspondingly more stringent.

 
