On structured fault tree construction by modularizing control loops

The objectives of this article are: (1) to develop the fault trees for control loops in a way that they all appear in a proper form and as modules in the fault tree for the whole system; and also (2) to modularize each control loop in a system properly to establish its unit model. These two methods are essentially equivalent. Either of them can be applied to facilitate constructing fault trees for the whole system. To accomplish such equivalent or parallel objectives, we will first take the feedback and feedforward control loops in the heat exchanger system as examples and then: (1) construct the fault trees of deviations in controlled variable for the two control loops in the way that all of their non-basic terminal events should be deviations in variables on those streams that connect to the loop from their outside in the system; and (2) establish the unit model for each of such two loops. One of the purposes of (2), which will not be addressed here, is to regard each control loop as a dummy unit and hence reduce the system to facilitate system input and fault tree construction eventually for complete automation purpose.     

Computer-aided fault tree synthesis III: Real-time fault location

This paper is devoted to fault tree synthesis and is split up into three parts. Part I starts with the introduction of component models that show all fault propagation through the components and fault initiation by the components in both directions (upstream and downstream). Subsequently, it is shown how to create system models that interconnect a system's components and environmental variables. Then a fault tree construction algorithm is introduced which is able to generate fault trees from the given system and component models in two steps. First a causal tree is constructed showing the propagation paths for all basic events leading to any deviation in the top parameter. All control loops (feedback and feedforward loops) in this causal tree must be traced prior to any fault tree construction since they might prevent some faults from reaching the top parameter. They consequently require a special treatment. Part I ends showing how to adapt the causal trees for these loops. Part II discusses the final step of the fault tree construction algorithm, i.e. it shows how fault trees can be abstracted from the causal diagram, and ends with a comprehensive example. Finally, Part III discusses a method for real-time fault location which is based on the causal tree construction procedure introduced in Part I.     

Computer-aided fault tree synthesis I (system modeling and causal trees)

This paper is devoted to fault tree synthesis and is split up into three parts. Part I starts with the introduction of component models that show all fault propagation through the components and fault initiation by the components in both directions (upstream and downstream). Subsequently, it is shown how to create system models that interconnect a system's components and environmental variables. Then a fault tree construction algorithm is introduced which is able to generate fault trees from the given system and component models in two steps. First a causal tree is constructed showing the propagation paths for all basic events leading to any deviation in the top parameter. All control loops (feedback and feedforward loops) in this causal tree must be traced prior to any fault tree construction since they might prevent some faults from reaching the top parameter. They consequently require a special treatment. Part I ends showing how to adapt the causal trees for these loops. Part II discusses the final step of the fault tree construction algorithm, i.e. it shows how fault trees can be abstracted from the causal diagram and ends with a comprehensive example. Finally, Part III discusses a method for real-time fault location which is based on the causal tree construction procedure introducted in Part I.     

Integrated reliability analysis system (IRAS)

This paper will introduce a computer aided reliability analysis system, IRAS, which is a Unix-based software package. It provides the following features: a model builder, failure mode effect and criticality analysis (FMECA), fault tree synthesis and analysis (FTA) and real time fault location (RTFL). 1. The model builder allows the creation of reliability models for production systems, which are able to reflect the initiation and propagation of serious deviations outside the production and performance tolerances. The modelling procedure allows hierarchical modelling. 2. The failure mode effect and criticality analysis (FMECA) option uses the causal trees and cause-consequence diagrams that are created automatically from the IRAS model data base. The trees can be analysed by the user and the basic events can be grouped according to their criticality, probability and severity. 3. The fault tree analysis and synthesis (FTA) option enables the graphical analysis of fault trees. The generated tree can be trimmed automatically or by the user. It is also possible to extract the minimal cut-set from the complete tree. 4. RTFL enables the fast detection of the most probable fault locations in the system, during the continuous measuring of sensors of the production system and comparing the signals with the expected values of the stored operational vector. It alarms the user in case of serious deviations, thus reducing the out of work stage of the system by making quicker and more efficient reaction of the maintenance facility operators. The failure searching time reduction results in lower maintenance cost.     

Development of an analytical method to break logical loops at the system level

Logical loops or circular logics are interpreted as circular supporting relations among systems or their fault trees. The logical loops are located in the merged fault tree that is created by combining the system fault trees. The inconsistent manual breaking of the logical loops could be one of the major sources of the uncertainty in the fault tree analysis. This paper presents an analytical method to break the logical loops at the system level. The analytical solution at the system level is obtained in a mathematical way without an actual manipulation of the fault tree. Then, the actual manipulation of the fault tree in the analytical solution is performed and the resultant broken fault tree is solved by the fault tree quantifier.The analytical solution is consistent regardless of the knowledge, experiences, skills, and practices of the reliability specialist. The analytical solution of this method is easy to understand or trace how to break the logical loops. Reliability analysts and concerned people can communicate how to break the logical loops with the help of the mathematical expression of the analytical solution.     

Computerized fault tree construction for a train braking system

A new approach for fault tree automation is proposed which is a hybrid of the digraph and decision table methods, using the best features of both. The new method is based on the flexibility of the decision table method but incorporates a way of detecting, classifying and analysing control loops, similar to the use of operators in the digraph approach. As well as using operators to deal with control loops, a new operator is introduced that deals with electrical circuits. This means that when constructing the fault trees, difficulties of handling repeated events are eliminated and the size of the fault trees is significantly reduced. The method has been tested by its application to a braking system on a train. © 1997 John Wiley & Sons, Ltd.     

Structured fault tree synthesis based on system decomposition

The purpose of this article is to explain how to decompose a system so that its fault trees can be synthesized more efficiently and in a structured and recursive manner. Under such a decomposition, modules such as control/trip loops will be regarded as dummy units at first so that the system size can be reduced significantly and dramatically. The fault tree of a top event can thus be constructed as follows: the one for the reduced system is synthesized first and then each of its terminal events, when these are events of a dummy unit, will be further developed. In order to carry out such a synthesis automatically, each dummy unit must be tried first, in order to be standardized, so that its unit-model can be established, and then saved in a database in advance. A suitable system input format must also be designed so that the fault tree can be synthesized automatically simply by keying-in the top event and the system.     

An enhanced component connection method for conversion of fault trees to binary decision diagrams

Fault tree analysis (FTA) is widely applied to assess the failure probability of industrial systems. Many computer packages are available, which are based on conventional kinetic tree theory methods. When dealing with large (possibly non-coherent) fault trees, the limitations of the technique in terms of accuracy of the solutions and the efficiency of the processing time become apparent. Over recent years, the binary decision diagram (BDD) method has been developed that solves fault trees and overcomes the disadvantages of the conventional FTA approach. First of all, a fault tree for a particular system failure mode is constructed and then converted to a BDD for analysis. This paper analyses alternative methods for the fault tree to BDD conversion process.For most fault tree to BDD conversion approaches, the basic events of the fault tree are placed in an ordering. This can dramatically affect the size of the final BDD and the success of qualitative and quantitative analyses of the system. A set of rules is then applied to each gate in the fault tree to generate the BDD. An alternative approach can also be used, where BDD constructs for each of the gate types are first built and then merged to represent a parent gate. A powerful and efficient property, sub-node sharing, is also incorporated in the enhanced method proposed in this paper. Finally, a combined approach is developed taking the best features of the alternative methods. The efficiency of the techniques is analysed and discussed.     

An ordering heuristic to develop the binary decision diagram based on structural importance

Fault tree analysis is often used to assess risks within industrial systems. The technique is commonly used although there are associated limitations in terms of accuracy and efficiency when dealing with large fault tree structures. The most recent approach to aid the analysis of the fault tree diagram is the Binary Decision Diagram (BDD) methodology. To utilise the technique the fault tree structure needs to be converted into the BDD format. Converting the fault tree requires the basic events of the tree to be placed in an ordering. The ordering of the basic events is critical to the resulting size of the BDD, and ultimately affects the performance and benefits of this technique. A number of heuristic approaches have been developed to produce an optimal ordering permutation for a specific tree. These heuristic approaches do not always yield a minimal BDD structure for all trees. This paper looks at a heuristic that is based on the structural importance measure of each basic event. Comparing the resulting size of the BDD with the smallest generated from a set of six alternative ordering heuristics, this new structural heuristic produced a BDD of smaller or equal dimension on 77% of trials.     

Fault tree developed by an object-based method improves requirements specification for safety-related systems

Fault tree analysis is frequently used to improve system reliability and safety. To be suitable for analysis of software in computerised safety-related systems, it has to be modified accordingly. This paper presents a new application: the fault trees developed by an object-based method. The object-based method integrates structural and behavioural models of a system. The developed fault tree includes information on structure and the failure behaviours of classes of the system. Away from traditional use of the fault tree, which for traditional systems emphasises qualitative and quantitative results, the result of the new application emphasises the process of fault tree development and its qualitative results. Such fault tree application reduces the probability of failures in the requirements specification phase within the software life cycle, which increases the reliability of its product; however, it does not confirm this in a quantitative manner.     

Feature-based classifiers for design optimization

We present a design optimization method for systems with high-dimensional parameter spaces using inductive decision trees. The essential idea is to map designs into a relatively low-dimensional feature space, and to derive a classifier to search for high-performing design alternatives within this space. Unlike learning classifier systems that were pioneered by Holland and Goldberg, classifiers defined by inductive decision trees were not originally developed for design optimization. In this paper, we explore modifications to such classifiers to make them more effective in the optimization problem. We expand the notions of feature space, generalize the tree construction heuristic beyond the original information-theoretic definitions, increase the reliance on domain expertise, and facilitate the transfer of design knowledge between related systems. There is a relatively small but rapidly growing body of work in the use of inductive trees for engineering design; the method presented herein is complementary to this research effort.     

An analytic solution for a fault tree with circular logics in which the systems are linearly interrelated

A circular logic or a logical loop is defined as the infinite circulation of supporting relations due to their mutual dependencies among the systems in the fault tree analysis. While many methods to break the circular logic have been developed and used in the fault tree quantification codes, the general solution for a circular logic is not generally known as yet. This paper presents an analytic solution for circular logics in which the systems are linearly interrelated with each other. To formulate the analytic solution, the relations among systems in the fault tree structure are described by the Boolean equations. The solution is, then, obtained from the successive substitutions of the Boolean equations, which is equivalent to the attaching processes of interrelated system's fault tree to a given fault tree. The solution for three interrelated systems and their independent fault tree structures are given as an example.     

Probabilistic reasoning based on dynamic causality trees/diagrams

The techniques of artificial intelligence have been widely used in many areas, including reliability engineering and system safety, e.g. the expert systems for fault diagnoses of complex engineering systems. Uncertainties are an important issue to be addressed in these techniques. This paper presents a methodology dealing with the probabilistic reasoning under uncertainty in artificial intelligence systems. This methodology is based on the newly defined causality trees/diagrams that can be either singly or multiply connected; moreover, it can include causality loops. Two new kinds of events, basic events and linkage events, are introduced. Their probabilities of occurrence are easily obtained from subjective belief or statistics, and are independent of each other. Thus, they are modular and deliverable as a part of knowledge. Also, the causality trees/diagrams can include on-line dynamical information. Two equivalent belief updating approaches are presented which operate regardless of whether the target system is singly connected, multiply connected or causally looped.Two examples are given to illustrate and prove this methodology.     

On the use of non-coherent fault trees in safety and security studies

This paper gives some insights on the usefulness of non-coherent fault trees in system modelling from both the point of view of safety and security.A safety-related system can evolve from the working states to failed states through degraded states, i.e. working state, but in a degraded mode. In practical applications the degraded states may be of particular interest due e.g. to the associated risk increase or the different types of consequent actions. The top events definitions of such states contain the working conditions of some sub-systems/components. How the use of non-coherent fault trees can greatly simplify both the modelling and quantification of these states is shown in this paper. Some considerations about the interpretation of the importance indexes of negated basic events are also briefly described.When dealing with security applications, there is a need to cope not only with stochastic events, such as component failures and human errors, but also with deliberate intentional actions, whose successes might be characterised by high probability values. Different mutually exclusive attack scenarios may be envisaged for a given system. Hence, the essential feature of a fault tree analyser is the capability to determine the exact value of the top event probability containing mutually exclusive events. It is also shown that in these cases the use of non-coherent fault trees allows solving the problem with limited effort.     

Integrating cyber attacks within fault trees

In this paper, a new method for quantitative security risk assessment of complex systems is presented, combining fault-tree analysis, traditionally used in reliability analysis, with the recently introduced Attack-tree analysis, proposed for the study of malicious attack patterns. The combined use of fault trees and attack trees helps the analyst to effectively face the security challenges posed by the introduction of modern ICT technologies in the control systems of critical infrastructures. The proposed approach allows considering the interaction of malicious deliberate acts with random failures. Formal definitions of fault tree and attack tree are provided and a mathematical model for the calculation of system fault probabilities is presented.     

Fault diagnostics of dynamic system operation using a fault tree based method

For conventional systems, their availability can be considerably improved by reducing the time taken to restore the system to the working state when faults occur. Fault identification can be a significant proportion of the time taken in the repair process. Having diagnosed the problem the restoration of the system back to its fully functioning condition can then take place. This paper expands the capability of previous approaches to fault detection and identification using fault trees for application to dynamically changing systems. The technique has two phases. The first phase is modelling and preparation carried out offline. This gathers information on the effects that sub-system failure will have on the system performance. Causes of the sub-system failures are developed in the form of fault trees. The second phase is application. Sensors are installed on the system to provide information about current system performance from which the potential causes can be deduced. A simple system example is used to demonstrate the features of the method. To illustrate the potential for the method to deal with additional system complexity and redundancy, a section from an aircraft fuel system is used. A discussion of the results is provided.     

New Progressive Variable Ordering for Binary Decision Diagram Analysis of Fault Trees

The binary decision diagram (BDD) is the most efficient method currently available to analyse failure modes represented by fault trees. The fault tree is converted to this alternative structure representative of the failure mode as a Boolean equation. For the conversion the basic event variables within the fault tree are required to be placed in an order. The size of the resulting BDD and therefore the efficiency of the whole methodology is dependent upon the variable ordering chosen. Most commonly the order of variables is determined prior to the conversion using a structured or weighted approach and remains fixed during the process. Although there are several ordering heuristics available, no one heuristic has been found that will guarantee a minimal BDD for all fault trees. This paper proposes a new ordering methodology which seeks to select variables during the conversion process from a fault tree, allowing different potential ordering permutations on each path of the diagram. This method is simple to implement and is applied directly to the fault tree structure. When compared against the best sized BDD produced from 11 different methodologies, it produced a BDD of equal or smaller size in 82% of test cases. In addition, the technique has shown a 34% increase in the likelihood of producing the best BDD compared with the best individual heuristic from the 11 tested. Copyright © 2005 John Wiley & Sons, Ltd.     

Strategy and tool development for nuclear power plant design synthesis with measurement of reliability and simplicity

In this work, the conceptual design supporting tools for nuclear power plants have been developed. These tools are made for system synthesis, complexity measure and reliability analysis.This design synthesis program combined with the reliability analysis program accomplishes the system synthesis. This design strategy can reduce mistakes, effort and time. This design tool, based on Prolog language, is applied to the auxiliary feedwater system. A logic based fault tree analysis program (LOFT) is also developed using Prolog language. As LOFT performs symbolic computation during the fault tree analysis, linking with knowledge-base systems is very easy and the partial usage of the program is possible. The importance measure of components obtained from the system reliability analysis and the complexity measure of the system give very important information to the system designer.     

A recursive, time-averaged approach for fault tree quantitative analysis

A new approach in fault tree quantitative analysis, based essentially on the recursive evaluation of time-averaged reliability parameters associated with a fault tree, is presented. The methodology is a complete one covering the following problems: the evaluation of averaged unavailabilities or unreliabilities, failure and repair rates and failure and repair intensities associated with the basic events involved in a fault tree, the evaluation of unavailability or unreliability, occurrence rates and occurrence intensities associated with the top event of a fault tree, evaluation of the importance and sensitivity associated with basic events, and implicants according to different definitions. At this stage in the development of the methodology the common cause failures are not considered. Although in practice the presented algorithms have shown, in the cases of large fault trees, difficulties related to the computing speed and memory capabilities of present personal computers, the methodology remains valuable, at least by the new theoretical results.     

A tutorial on the principles of fault tolerance

The paper begins by examining the four aspects of fault tolerance — error detection, damage assessment, error recovery and fault treatment — and describes how these aspects can be incorporated in systems. Following this, a methodology for the construction of robust software systems is presented, covering the topics of design fault tolerance and software implemented fault tolerance. Some aspects of modelling faulty behaviour of components is presented and the notion of a family of fault-tolerant algorithms is introduced. The work reported here has been supported in part by research grants from the Science and Engineering Research Council and the Ministry of Defence. Comments from Tom Anderson on a previous version of the paper are gratefully acknowledged.