STARS: Knowledge based tools for safety and reliability analysis

The paper discusses the issues involved with computer support for systems reliability modelling. The problems related to computer aided logic model construction are explained. Expert system technology offers promising perspectives to solve these problems. Combined with graphics interface and analysis capabilities, a tool based on expert system technology can provide a natural engineering oriented environment for computer assisted reliability and safety modelling and analysis. Expert systems can explain their reasoning so that the analyst can become aware of how and why results are being obtained. Hence, the learning aspect involved in manual reliability and safety analysis can be maintained and improved.

Next the STARS project is presented. STARS (Software Tool for the Analysis of Reliability and Safety) aims at developing an integrated set of Computer Aided Reliability Analysis tools for the various tasks involved in systems safety and reliability analysis including hazard identification, qualitative analysis, logic model construction and evaluation. For fault tree construction, a frame/rule based expert system is used, in which the deductive (goal driven) reasoning and the heuristics, applied during manual fault tree construction, is modelled.     

Reliability and safety analysis of fault tolerant and fail safe node for use in a railway signalling system

In this paper, we propose a Markov Reliability model for a transputer based fail safe and fault tolerant node for use in a network of distributed safety critical railway signalling systems. Using the Markov model we quantify the reliability and safety in terms of Probability of being in unsafe state, Probability of Safe shutdown during the useful life period and last phase of bath-tub curve. A fault analysis of the fail safe and fault tolerant node addressing Byzantine (malicious) faults with an extension of Byzantine General's problem is given.     

An optimized technique for reliability analysis of safety‐critical systems: A case study of nuclear power plant

Stochastic models are extensively used in quantifying the reliability of safety critical systems. These models use the state‐space model for reliability quantification. Markov chain is comprehensively used in describing a sequence of possible events of any system in which the probability of each event depends only on the state attained in the previous event. Markov chains are convenient to model the software system of the SCS with the help of Petri Nets, a directed bipartite graph widely used for the verification and validation of real‐time systems. However, the stochastic model suffers from the state‐space explosion problem. In this paper, we proposed a technique for reliability analysis of safety critical systems, excavating into the coherent optimization of Markov chain. The approach has been validated on 17 safety critical systems of nuclear power plants.     

Posbist fault tree analysis of coherent systems

When the failure probability of a system is extremely small or necessary statistical data from the system is scarce, it is very difficult or impossible to evaluate its reliability and safety with conventional fault tree analysis (FTA) techniques. New techniques are needed to predict and diagnose such a system's failures and evaluate its reliability and safety. In this paper, we first provide a concise overview of FTA. Then, based on the posbist reliability theory, event failure behavior is characterized in the context of possibility measures and the structure function of the posbist fault tree of a coherent system is defined. In addition, we define the AND operator and the OR operator based on the minimal cut of a posbist fault tree. Finally, a model of posbist fault tree analysis (posbist FTA) of coherent systems is presented. The use of the model for quantitative analysis is demonstrated with a real-life safety system.     

Reliability Analysis of a conveyor system using hybrid data

The quantification of a fault tree is difficult without an exact probability value for all of the basic events of the tree. To overcome this difficulty in this paper, we propose a methodology which employs ‘hybrid data’ as a tool to analyse the fault tree. The proposed methodology estimates the failure probability of basic events using the statistical analysis of field recorded failures. Under these circumstances, where there is an absence of past failure records, the method follows a fuzzy set based theoretical evaluation based on the subjective judgement of experts for the failure interval. The proposed methodology has been applied to a conveyor system. The results of the analysis reveal the effectiveness of the proposed methodology and the instrumental role played by the experience of experts in providing reliability oriented information. Copyright © 2006 John Wiley & Sons, Ltd.     

An analysis of safety-critical digital systems for risk-informed design

This paper quantitatively presents the results of a case study which examines the fault tree analysis framework of the safety of digital systems. The case study is performed for the digital reactor protection system of nuclear power plants. The broader usage of digital equipment in nuclear power plants gives rise to the need for assessing safety and reliability because it plays an important role in proving the safety of a designed system in the nuclear industry. We quantitatively explain the relationship between the important characteristics of digital systems and the PSA result using mathematical expressions. We also demonstrate the effect of critical factors on the system safety by sensitivity study and the result which is quantified using the fault tree method shows that some factors remarkably affect the system safety. They are the common cause failure, the coverage of fault tolerant mechanisms and software failure probability.     

SMV model-based safety analysis of software requirements

Fault tree analysis (FTA) is one of the most frequently applied safety analysis techniques when developing safety-critical industrial systems such as software-based emergency shutdown systems of nuclear power plants and has been used for safety analysis of software requirements in the nuclear industry. However, the conventional method for safety analysis of software requirements has several problems in terms of correctness and efficiency; the fault tree generated from natural language specifications may contain flaws or errors while the manual work of safety verification is very labor-intensive and time-consuming. In this paper, we propose a new approach to resolve problems of the conventional method; we generate a fault tree from a symbolic model verifier (SMV) model, not from natural language specifications, and verify safety properties automatically, not manually, by a model checker SMV. To demonstrate the feasibility of this approach, we applied it to shutdown system 2 (SDS2) of Wolsong nuclear power plant (NPP). In spite of subtle ambiguities present in the approach, the results of this case study demonstrate its overall feasibility and effectiveness.     

Identification of Pivotal Causes and Spreaders in the Time‐Varying Fault Propagation Model to Improve the Decision Making under Abnormal Situation

Under abnormal conditions, timely and effective decisions of system recovery and protective measures are of great significance for safety‐critical systems. The knowledge of the roles that network nodes play in the spreading process is crucial for developing efficient maintenance decisions; for singling out and preferential control, the ‘pivotal spreaders’ may be a way to maximize the chances to timely hinder the fault pervasion. Inspired by the inhomogeneous topological nature of a complex fault propagation network, this study is devoted to exploring the spreading capabilities of nodes regarding both structural connectivity and causal influence strength, so as to provide decisions of preferential recovery actions under specific fault scenarios. Specifically, the dynamic betweenness centrality and nonsymmetrical entropy are incorporated to adaptively measure the system‐wide fault diffusion risk of a set of controllable fault events. In order to model the dynamics and uncertainties involved in the complex fault spreading process, we introduce the model of a dynamic uncertain causality graph, based on which solutions of time‐varying structure decomposition and causality reduction are adopted to improve the reasoning efficiency. Verification experiments consisting of simulated calculation cases and generator faults of a nuclear power plant show empirically the effectiveness and applicability of this method in large‐scale engineering practice. Copyright © 2014 John Wiley & Sons, Ltd.     

Development of measures to estimate truncation error in fault tree analysis

The fault tree quantification uncertainty from the truncation error has been of great concern for the reliability evaluation of large fault trees in the probabilistic safety analysis (PSA) of nuclear plants. The truncation limit is used to truncate cut sets of the gates when quantifying the fault trees. This paper presents measures to estimate the probability of the truncated cut sets, that is, the amount of truncation error. The functions to calculate the measures are programmed into the new fault tree quantifier FTREX (Fault Tree Reliability Evaluation eXpert) and a Benchmark test was performed to demonstrate the efficiency of the measures.The measures presented in this study are calculated by a single quantification of the fault tree with the assigned truncation limit. As demonstrated in the Benchmark test, lower bound of truncated probability (LBTP) and approximate truncation probability (ATP) are efficient estimators of the truncated probability. The truncation limit could be determined or validated by suppressing the measures to be less than the assigned upper limit. The truncation limit should be lowered until the truncation error is less than the assigned upper limit. Thus, the measures could be used as an acceptability of the fault tree quantification results. Furthermore, the developed measures are easily implemented into the existing fault tree solvers by adding a few subroutines to the source code.     

Fault‐tolerant procedures for redundant computer systems

Real‐time computer systems deployed in life‐critical control applications must be designed to meet stringent reliability specifications. The minimum acceptable degree of reliability for systems of this type is ‘7 nines’, which is not generally achieved. This paper aims at contributing to the achievement of that degree of reliability. To this end, this paper proposes a classification scheme of the fault‐tolerant procedures for redundant computer systems (RCSs). The proposed classification scheme is developed on the basis of the number of counteracted fault types. Table I is created to relate the characteristics of the RCSs to the characteristics of the fault‐tolerant procedures. A selection algorithm is proposed, which allows designers to select the optimal type of fault‐tolerant procedures according to the system characteristics and capabilities. The fault‐tolerant procedure, which is selected by this algorithm, provides the required degree of reliability for a given RCS. According to the proposed graphical model only a part of the fault‐tolerant procedure is executed depending on the absence or presence (type and sort) of faults. The proposed methods allow designers to counteract Byzantine and non‐Byzantine fault types during degradation of RCSs from N to 3, and only the non‐Byzantine fault type during degradation from 3 to 1 with optimal checkpoint time period. Copyright © 2008 John Wiley & Sons, Ltd.     

Fault Diagnosis Improvement Using Dynamic Fault Model in Optimal Sensor Placement: A Case Study of Steam Turbine

Health data are collected dominantly through sensors mounted on different locations in the system. Optimization of sensor network has a significant influence on the reliability of system health prognostics process. In this research, the effect of sensors reliability is studied on their placement optimization. Sensors are considered in this study as components in system failure model. This study is aimed to use ‘Priority AND’ gate for evaluating the effect of time dependencies of sensors as well as components failure on the optimal sensor placement. Because of that, PAND gate is added to the fault tree between all sensors and their corresponding components to develop the failure model of each sensor placement scenario. For calculating the probability of top event, a Monte Carlo‐based algebraic approach is proposed. In algebraic approach, temporal operator ‘BEFORE’ is proposed for calculating the probability of ‘PAND’ gate. The result of using ‘BEFORE’ operator is an analytical solution for probability of each cut sequence. Because of the complexity of analytical solution in practical problems, a Monte Carlo simulation is utilized on the solution in this research. Then the probability of each cut sequence is calculated. Consequently, the probability of top event for each scenario is obtained. Finally, all scenarios are ranked based on top event probabilities. As a case study, optimization of sensor placement has been demonstrated on steam turbine and results are discussed. Copyright © 2016 John Wiley & Sons, Ltd.     

Impacts of networking effects on software reliability growth processes: A multi‐attribute utility theory approach

Software reliability growth models, which are based on nonhomogeneous Poisson processes, are widely adopted tools when describing the stochastic failure behavior and measuring the reliability growth in software systems. Faults in the systems, which eventually cause the failures, are usually connected with each other in complicated ways. Considering a group of networked faults, we raise a new model to examine the reliability of software systems and assess the model's performance from real‐world data sets. Our numerical studies show that the new model, capturing networking effects among faults, well fits the failure data. We also formally study the optimal software release policy using the multi‐attribute utility theory (MAUT), considering both the reliability attribute and the cost attribute. We find that, if the networking effects among different layers of faults were ignored by the software testing team, the best time to release the software package to the market would be much later while the utility reaches its maximum. Sensitivity analysis is further delivered.     

An architectural model for software reliability quantification: sources of data

Software reliability assessment models in use today treat software as a monolithic block. An aversion towards ‘atomic' models seems to exist. These models appear to add complexity to the modeling, to the data collection and seem intrinsically difficult to generalize. In 1997, we introduced an architecturally based software reliability model called FASRE. The model is based on an architecture derived from the requirements which captures both functional and nonfunctional requirements and on a generic classification of functions, attributes and failure modes. The model focuses on evaluation of failure mode probabilities and uses a Bayesian quantification framework. Failure mode probabilities of functions and attributes are propagated to the system level using fault trees. It can incorporate any type of prior information such as results of developers' testing, historical information on a specific functionality and its attributes, and, is ideally suited for reusable software. By building an architecture and deriving its potential failure modes, the model forces early appraisal and understanding of the weaknesses of the software, allows reliability analysis of the structure of the system, provides assessments at a functional level as well as at a systems' level. In order to quantify the probability of failure (or the probability of success) of a specific element of our architecture, data are needed. The term element of the architecture is used here in its broadest sense to mean a single failure mode or a higher level of abstraction such as a function. The paper surveys the potential sources of software reliability data available during software development. Next the mechanisms for incorporating these sources of relevant data to the FASRE model are identified.     

Effective Safety Management: a Case Study in the Chemical Industry

A major non‐trivial problem within the area of industrial safety management today is to analyse, next to the safety impact of the technical equipment, the safety impact of a ‘business process’ as currently required by regulation and safety standards. This paper describes a case study of a pesticide company struggling with the question of how to improve the safety of their operational process further and at the same time also improve the reliability of their operational process. According to the literature ‘control of the business process’ is the keyword to improve the safety and reliability ‘performance’ of a company. A formal control model is proposed together with a classification system (using maturity levels) to analyse and qualify business processes with respect to their impact on process safety. This method has been applied in a case study where it resulted in a model of a business process. Using the model it was possible to classify the business process control system used and to identify related improvement opportunities. The proposed method showed that, in contrast to the company's perception, it was not the production department that was responsible for most of the problems but the peripheral processes relating to the production department. The interaction between departments caused not only potential safety problems, but also caused system reliability problems. For the company it was demonstrated that the interdependency of the (different activities in the‐) operational process is an essential element preventing further improvement if not addressed properly. Copyright © 2004 John Wiley & Sons, Ltd.     

Approximate Reliability and Availability Models for High Availability and Fault‐tolerant Systems with Repair

Systems designed for high availability and fault tolerance are often configured as a series combination of redundant subsystems. When a unit of a subsystem fails, the system remains operational while the failed unit is repaired; however, if too many units in a subsystem fail concurrently, the system fails. Under conditions usually met in practical situations, we show that the reliability and availability of such systems can be accurately modeled by representing each redundant subsystem with a constant, ‘effective’ failure rate equal to the inverse of the subsystem mean‐time‐to‐failure (MTTF). The approximation model is surprisingly accurate, with an error on the order of the square of the ratio mean‐time‐to‐repair to mean‐time‐to‐failure (MTTR/MTTF), and it has wide applicability for commercial, high‐availability and fault‐tolerant computer systems. The effective subsystem failure rates can be used to: (1) evaluate the system and subsystem reliability and availability; (2) estimate the system MTTF; and (3) provide a basis for the iterative analysis of large complex systems. Some observations from renewal theory suggest that the approximate models can be used even when the unit failure rates are not constant and when the redundant units are not homogeneous. Copyright © 2004 John Wiley & Sons, Ltd.     

Enhancing software safety by fault trees: experiences from an application to flight critical software

The fault tree analysis is a well-established method in system safety and reliability assessment. We transferred the principles of this technique to an assembler code analysis, regarding any incorrect output of the software as the undesired top-level event. Starting from the instructions providing the outputs and tracking back to all instructions contributing to these outputs a hierarchical system of references is generated that may graphically be represented as a fault tree. To cope with the large number of relations in the code, a tool suite has been developed, which automatically creates these references and checks for unfulfilled preconditions of instructions. The tool was applied to the operational software of an inertial measurement unit, which provides safety critical signals for artificial stabilization of an aircraft. The method and its implementation as a software tool is presented and the benefits, surprising results, and limitations we have experienced were discussed.     

Reliability Analysis Considering the Component Collision Behavior for a Large‐scale Open Source Solution

Open source software systems that serve as key components of critical infrastructures in the society are still ever‐expanding now. Many open source software systems are developed in all parts of the world, that is, Firefox, Apache HTTP server, Linux, Android, and so on. Especially, a large‐scale open source solution composed of several open source software is now attracting attention as a next‐generation software development paradigm because of the cost reduction, quick delivery, and work saving. In this paper, we propose a new approach to software reliability assessment based on stochastic differential equations and a hierarchical Bayesian model in order to consider the interesting aspect of the collision status in the binding phase of open source software. Also, we analyze actual software fault‐count data to show numerical examples of software reliability assessment considering the component collision for several open source software. Moreover, we show that the proposed reliability analysis can assist improvement of quality for the large‐scale open source solution. Copyright © 2013 John Wiley & Sons, Ltd.     

Development of a FTA versus Parts Count Method Model: Comparative FTA

This study adopts a special Fault Tree Analysis (FTA) method called Comparative FTA to compare the reliability of an electronic braking system with its mechanical counterpart. To this end two Top Events, ‘Ineffective parking braking’ and ‘Wheels jamming during emergency braking’, were analysed. One of the limitations of classic FTA is that the setting up of the tree diagram requires the long‐term involvement—one to two months according to Fiat Auto—of specialists of the system being studied. For this reason, therefore, when dealing with relatively complex systems, classic FTA is only used when safety is involved. This paper introduces a simplified FTA model based on the same principle as the Parts Count Method, which limits its attention to the new branches, thereby avoiding the study of all the branches of the tree, in order to make FTA management easier and to encourage its use. The probability that a Top Event takes place is therefore evaluated by studying the different causes which diversify the solutions considered. This approach is a lean practice to minimize the resources and the time of the analysis. It has guaranteed very satisfactory results and, therefore, Fiat Auto has introduced the practice in their Corporate Instructions. Copyright © 2003 John Wiley & Sons, Ltd.     

An analytic solution for a fault tree with circular logics in which the systems are linearly interrelated

A circular logic or a logical loop is defined as the infinite circulation of supporting relations due to their mutual dependencies among the systems in the fault tree analysis. While many methods to break the circular logic have been developed and used in the fault tree quantification codes, the general solution for a circular logic is not generally known as yet. This paper presents an analytic solution for circular logics in which the systems are linearly interrelated with each other. To formulate the analytic solution, the relations among systems in the fault tree structure are described by the Boolean equations. The solution is, then, obtained from the successive substitutions of the Boolean equations, which is equivalent to the attaching processes of interrelated system's fault tree to a given fault tree. The solution for three interrelated systems and their independent fault tree structures are given as an example.     

Change-points-based software scheduling

Software reliability literature consists of various change-point-based software reliability growth models and related release time problems. The primary assumption of the existing models is the existence of change-point before software release time only. This does not look practical as the testing team becomes more proficient in detecting the faults due to their continuous involvement in software development by the software release time. Hence the fault detection rate in the pre- and postrelease phase is not the same. To capture this change in fault detection rate in the pre- and postrelease testing phase, we propose a new software reliability modeling framework by considering two change-points during the software lifecycle; that is, there exists a change-point before release time and release time as a change-point. Further, in the last one-decade software firms have changed their strategy of stop testing the software after release and continue to test even after release to remove the number of faults to provide better user experiences. This phenomenon attracted academicians to develop theoretical as well empirical study on postrelease testing and formulation of related release time problem. In this paper, we propose a software cost model to determine optimal release and testing stop time considering under the assumption of two change-points as mentioned above. The proposed model is validated on real-life data set.