Similar literature
20 similar documents found (search time: 15 ms)
1.
Fault tree analysis (FTA) is generally accepted as an efficient method for analyzing system failures. It is well known that a fault tree (FT) is equivalent to a minimal cut set fault tree with all minimal cut-AND structures. The minimal cut-AND structure is an AND conjunction of an output and all inputs that compose a minimal cut set. For the structure, the failed state of the output becomes true when all failed states of inputs exist simultaneously. There are cases where the output of the minimal cut-AND structure depends not only on all failed states of inputs but also on the sequence of occurrences of those failures. This sequential failure logic (SFL) is equivalently expressed with Priority-AND gates in FTA, where inputs to the gates have constant failure and repair rates. A probabilistic model for analysis of SFL was proposed and equations with multiple integration for an arbitrary number of inputs were derived from the model. However, it is usually difficult to solve the multiple integration when the number of inputs exceeds a certain range. This paper presents analytical solutions of the probability that the output is in a failed state at time t and the statistically expected number of failures of the output per unit time at time t for the special case where inputs are characterized by common failure and repair rates. In addition, the analysis of FT involving SFL is demonstrated by means of the software Mathematica.

2.
Fault tree analysis (FTA) is widely applied to assess the failure probability of industrial systems. Many computer packages are available, which are based on conventional kinetic tree theory methods. When dealing with large (possibly non-coherent) fault trees, the limitations of the technique in terms of accuracy of the solutions and the efficiency of the processing time become apparent. Over recent years, the binary decision diagram (BDD) method has been developed that solves fault trees and overcomes the disadvantages of the conventional FTA approach. First of all, a fault tree for a particular system failure mode is constructed and then converted to a BDD for analysis. This paper analyses alternative methods for the fault tree to BDD conversion process. For most fault tree to BDD conversion approaches, the basic events of the fault tree are placed in an ordering. This can dramatically affect the size of the final BDD and the success of qualitative and quantitative analyses of the system. A set of rules is then applied to each gate in the fault tree to generate the BDD. An alternative approach can also be used, where BDD constructs for each of the gate types are first built and then merged to represent a parent gate. A powerful and efficient property, sub-node sharing, is also incorporated in the enhanced method proposed in this paper. Finally, a combined approach is developed taking the best features of the alternative methods. The efficiency of the techniques is analysed and discussed.

3.
With the advent of the Binary Decision Diagrams (BDD) approach in fault tree analysis, a significant enhancement has been achieved with respect to previous approaches, both in terms of efficiency and accuracy of the overall outcome of the analysis. However, the exponential increase of the number of nodes with the complexity of the fault tree may prevent the construction of the BDD. In these cases, the only way to complete the analysis is to reduce the complexity of the BDD by applying the truncation technique, which nevertheless implies the problem of estimating the truncation error or upper and lower bounds of the top-event unavailability. This paper describes a new method to analyze large coherent fault trees which can be advantageously applied when the working memory is not sufficient to construct the BDD. It is based on the decomposition of the fault tree into simpler disjoint fault trees containing a lower number of variables. The analysis of each simple fault tree is performed by using all the computational resources. The results from the analysis of all simpler fault trees are re-combined to obtain the results for the original fault tree. Two decomposition methods are herewith described: the first aims at determining the minimal cut sets (MCS) and the upper and lower bounds of the top-event unavailability; the second can be applied to determine the exact value of the top-event unavailability. Potentialities, limitations and possible variations of these methods will be discussed with reference to the results of their application to some complex fault trees.

4.
Behavior in the time domain is often crucial for safety-critical systems. Standard fault trees cannot express time-dependent behavior. In this paper, timing analysis of safety properties using fault trees with time dependencies (FTTDs) and timed state-charts is presented. A new version of timed state-charts (TSCs) is also proposed. These state-charts can model the dynamics of technical systems, e.g. controllers, controlled objects, and people. In TSCs, activity and communication times are represented by time intervals. In the proposed approach the structure of the FTTD is fixed by a human. Time properties of events and gates of the FTTD are expressed by time intervals, and are calculated using TSCs. The minimal and maximal values of these time intervals of the FTTD can be calculated by finding paths with minimal and maximal time lengths in TSCs, which is an NP-hard problem. In order to reduce the practical complexity of computing the FTTD time parameters, some reductions of TSCs are defined in the paper, such as sequential, alternative, loop (iteration), and parallel. Some of the reductions are intuitive; for others, theorems are required. The computational complexity of each reduction is not greater than linear in the size of the reduced TSC. Therefore, the obtained results enable a decrease in the cost of FTTD time parameter calculation when system dynamics is expressed by TSCs. A case study of a railroad crossing with a controller that controls semaphores, the gate, and the light-audio signal close to the gate is analyzed.

5.
As programmable logic controllers (PLCs) are often used to implement safety-critical embedded software, safety demonstration of PLC code is needed. In this paper, we propose a fault tree analysis technique on Function Block Diagrams (FBDs), which is one of the most widely used PLC programming languages. FBD is currently being used to develop the Reactor Protection System (RPS) for a nuclear power plant in South Korea. Our approach to fault tree analysis, which combines fault-oriented and cause/effect-oriented viewpoints, is easy to understand and offers systematic guidelines to ensure safety of PLC code. Domain experts found the approach to be useful through a case study on the RPS, and this paper compares the completeness and comprehensiveness of the fault trees semi-automatically generated using the proposed approach against the one manually prepared by nuclear safety engineers.

6.
The reliability performance of a system is frequently a function of component failures, of which some are independent whilst others are interdependent. It is possible to represent the system failure logic in a fault tree diagram; however, only the sections containing independent events can be assessed using the conventional fault tree analysis methodology. The analysis of the dependent sections requires a Markov analysis. Since the efficiency of the Markov analysis largely depends on the size of the established Markov model, the key is to extract from the fault tree the smallest sections which contain dependencies. This paper proposes a method aimed at establishing the smallest Markov model for the dependencies contained within the fault tree.

7.
Systematic evaluation of fault trees using real-time model checker UPPAAL (total citations: 1, self-citations: 0, citations by others: 1)
Fault tree analysis, the most widely used safety analysis technique in industry, is often applied manually. Although techniques such as cut set analysis or probabilistic analysis can be applied on the fault tree to derive further insights, they are inadequate in locating flaws when failure modes in fault tree nodes are incorrectly identified or when causal relationships among failure modes are inaccurately specified. In this paper, we demonstrate that the model checking technique is a powerful tool that can formally validate the accuracy of fault trees. We used the real-time model checker UPPAAL because the system we used as the case study, nuclear power emergency shutdown software named Wolsong SDS2, has real-time requirements. By translating functional requirements written in SCR-style tabular notation into timed automata, two types of properties were verified: (1) whether the failure mode described in a fault tree node is consistent with the system's behavioral model; and (2) whether or not a fault tree node has been accurately decomposed. A group of domain engineers with detailed technical knowledge of Wolsong SDS2 and safety analysis techniques developed the fault tree used in the case study. Nevertheless, the model checking technique detected subtle ambiguities present in the fault tree.

8.
Approximate estimation of system reliability via fault trees (total citations: 1, self-citations: 0, citations by others: 1)
In this article, we show how fault tree analysis, carried out by means of binary decision diagrams (BDD), is able to approximate the reliability of systems made of independent repairable components with good accuracy and good efficiency. We consider four algorithms: the Murchland lower bound, the Barlow-Proschan lower bound, the Vesely full approximation and the Vesely asymptotic approximation. For each of these algorithms, we consider an implementation based on the classical minimal cut sets/rare events approach and another one relying on the BDD technology. We present numerical results obtained with both approaches on various examples.

9.
In this paper an account will be given of the numerical solution of the logic trees directly extracted from the Recursive Operability Analysis. Particular attention will be devoted to the use of the NOT and INH logic gates for correct logical representation of Fault Trees prior to their quantitative resolution. The NOT gate is needed for correct logical representation of events when both non-intervention and correct intervention of a protective system may lead to a Top Event. The INH gate must be used to correctly represent the time link between two events that are both necessary, but must occur in sequence. Some numerical examples will be employed to show both the correct identification of the events entering the INH gates and how use of the AND gate instead of the INH gate leads to overestimation of the probability of occurrence of a Top Event.

10.
Generation of an infinite series of identical sub-trees may occur during the construction of a Fault Tree (FT) when one item of equipment in a plant is considered several times in the same sub-tree in the course of the tree extraction from a HazOp (Hazard Operability analysis) analysis. Generation of loops in the construction of an FT can be avoided by means of an ad hoc logical analysis in which certain simple rules of syntax are taken into account. A radical solution, however, can be obtained if identification of unwanted events in a process plant is not undertaken with conventional procedures, such as HazOp (Operability Analysis with guide words, failure mode and effect analysis (FMEA) etc.), but with a more modern and structured version, such as Recursive Operability Analysis (ROA), which is both systematic and complete, and allows direct extraction of logic trees (FT, event trees, etc.) for subsequent quantification. This feature means that, by contrast with conventional operability analysis, the congruence of the ROA itself can be checked. The ROA method is illustrated in this paper with the aid of some simple examples.

11.
Fault tree analysis is a well-established method in system safety and reliability assessment. We transferred the principles of this technique to an assembler code analysis, regarding any incorrect output of the software as the undesired top-level event. Starting from the instructions providing the outputs and tracking back to all instructions contributing to these outputs, a hierarchical system of references is generated that may graphically be represented as a fault tree. To cope with the large number of relations in the code, a tool suite has been developed, which automatically creates these references and checks for unfulfilled preconditions of instructions. The tool was applied to the operational software of an inertial measurement unit, which provides safety-critical signals for artificial stabilization of an aircraft. The method and its implementation as a software tool are presented, and the benefits, surprising results, and limitations we have experienced are discussed.

12.
This paper describes a practical method to accurately quantify the top event probability and importance measures from incomplete minimal cut sets (MCS) of a large fault tree. The MCS-based fault tree method is extensively used in probabilistic safety assessments. Several sources of uncertainty exist in MCS-based fault tree analysis. The paper is focused on quantification of the following two sources of uncertainty: (1) the truncation neglecting low-probability cut sets and (2) the approximation in quantifying MCSs. The method proposed in this paper is based on a Monte Carlo simulation technique to estimate the probability of the discarded MCSs and the sum of disjoint products (SDP) approach complemented by the correction factor approach (CFA). The method provides the capability to accurately quantify the two uncertainties and estimate the top event probability and importance measures of large coherent fault trees. The proposed fault tree quantification method has been implemented in the CUTREE code package and is tested on two example fault trees.

13.
Models such as statecharts and fault trees become increasingly more available in electronic form as they progressively find more useful applications in the development of safety critical systems. As these models typically reduce in their utility after system certification, however, useful knowledge about the behaviour of the system remains unused in the operational phase of the system lifecycle. In this paper, we show that this knowledge could be exploited in the context of an on-line hazard-directed monitoring scheme in which a suitable specification derived from design models and safety analyses forms a reference monitoring model. As a practical application of this approach, we propose a generic safety monitor that can operate on statecharts and fault trees to support the on-line detection, diagnosis and control of hazardous failures in real-time. We discuss the structuring of the monitoring model, the monitoring algorithms and report on a case study performed on a model aircraft fuel system.

14.
Condition-based maintenance methods have changed systems reliability in general and individual systems in particular. Yet, this change does not affect system reliability analysis. System fault tree analysis (FTA) is performed during the design phase. It uses component failure rates derived from available sources such as handbooks, etc. Condition-based fault tree analysis (CBFTA) starts with the known FTA. Condition monitoring (CM) methods applied to systems (e.g. vibration analysis, oil analysis, electric current analysis, bearing CM, electric motor CM, and so forth) are used to determine updated failure rate values of sensitive components. The CBFTA method accepts updated failure rates and applies them to the FTA. The CBFTA recalculates periodically the top event (TE) failure rate (λTE), thus determining the probability of system failure and the probability of successful system operation, i.e. the system's reliability. FTA is a tool for enhancing system reliability during the design stages. But it has disadvantages; mainly, it does not relate to a specific system undergoing maintenance. CBFTA is a tool for updating reliability values of a specific system and for calculating the residual life according to the system's monitored conditions. Using CBFTA, the original FTA is ameliorated to a practical tool for use during the system's field life phase, not just during the system design phase. This paper describes the CBFTA method, and its advantages are demonstrated by an example.

15.
For conventional systems, availability can be considerably improved by reducing the time taken to restore the system to the working state when faults occur. Fault identification can be a significant proportion of the time taken in the repair process. Having diagnosed the problem, the restoration of the system back to its fully functioning condition can then take place. This paper expands the capability of previous approaches to fault detection and identification using fault trees for application to dynamically changing systems. The technique has two phases. The first phase is modelling and preparation, carried out offline. This gathers information on the effects that sub-system failure will have on the system performance. Causes of the sub-system failures are developed in the form of fault trees. The second phase is application. Sensors are installed on the system to provide information about current system performance, from which the potential causes can be deduced. A simple system example is used to demonstrate the features of the method. To illustrate the potential for the method to deal with additional system complexity and redundancy, a section from an aircraft fuel system is used. A discussion of the results is provided.

16.
Understanding the reasons for incident and accident occurrence is important for an organization's safety. Different methods have been developed to achieve this goal. To better understand human behaviour in incident occurrence, we propose an analysis concept that combines Fault Tree Analysis (FTA) and Task Analysis (TA). The former method identifies the root causes of an accident/incident, while the latter analyses the way people perform the tasks in their work environment and how they interact with machines or colleagues. These methods were complemented with the use of the Human Error Identification in System Tools (HEIST) methodology and the concept of Performance Shaping Factors (PSF) to deepen the insight into the error modes of an operator's behaviour. HEIST shows the external error modes that caused the human error and the factors that prompted the human to err. To show the validity of the approach, a case study at a Bulgarian hydro power plant was carried out. An incident – the flooding of the plant's basement – was analysed by combining the aforementioned methods. The case study shows that Task Analysis in combination with other methods can be applied successfully to human error analysis, revealing details about erroneous actions in a realistic situation.

17.
The fault tree quantification uncertainty from the truncation error has been of great concern for the reliability evaluation of large fault trees in the probabilistic safety analysis (PSA) of nuclear plants. The truncation limit is used to truncate cut sets of the gates when quantifying the fault trees. This paper presents measures to estimate the probability of the truncated cut sets, that is, the amount of truncation error. The functions to calculate the measures are programmed into the new fault tree quantifier FTREX (Fault Tree Reliability Evaluation eXpert), and a benchmark test was performed to demonstrate the efficiency of the measures. The measures presented in this study are calculated by a single quantification of the fault tree with the assigned truncation limit. As demonstrated in the benchmark test, the lower bound of truncated probability (LBTP) and the approximate truncation probability (ATP) are efficient estimators of the truncated probability. The truncation limit could be determined or validated by suppressing the measures to be less than the assigned upper limit. The truncation limit should be lowered until the truncation error is less than the assigned upper limit. Thus, the measures could be used as an acceptability criterion for the fault tree quantification results. Furthermore, the developed measures are easily implemented into existing fault tree solvers by adding a few subroutines to the source code.

18.
Safety analysis in gas process facilities is necessary to prevent unwanted events that may cause catastrophic accidents. Accident scenario analysis with probability updating is the key to dynamic safety analysis. Although conventional failure assessment techniques such as fault trees (FT) have been used effectively for this purpose, they suffer severe limitations of static structure and uncertainty handling, which are of great significance in process safety analysis. The Bayesian network (BN) is an alternative technique with ample potential for application in safety analysis. BNs have a strong similarity to FTs in many respects; however, the distinct advantages making them more suitable than FTs are their ability to explicitly represent the dependencies of events, update probabilities, and cope with uncertainties. The objective of this paper is to demonstrate the application of BNs in safety analysis of process systems. The first part of the paper shows those modeling aspects that are common between FT and BN, giving preference to BN due to its ability to update probabilities. The second part is devoted to various modeling features of BN, helping to incorporate multi-state variables, dependent failures, functional uncertainty, and expert opinion, which are frequently encountered in safety analysis but cannot be considered by FT. The paper concludes that BN is a superior technique in safety analysis because of its flexible structure, allowing it to fit a wide variety of accident scenarios.

19.
The theories of fault trees have been used for many years because they can easily provide a concise representation of the failure behavior of general non-repairable fault tolerant systems. But the defect of traditional fault trees is a lack of accuracy when modeling the dynamic failure behavior of certain systems with a fault-recovery process. A solution to this problem is called behavioral decomposition. A system is divided into several dynamic or static modules, and each module can be further analyzed using binary decision diagrams (BDD) or Markov chains separately. In this paper, we show a very useful decomposition scheme in which independent subtrees of a dynamic module are detected and solved hierarchically. Experimental results show that the proposed method can result in significant savings of computation time without an unacceptable loss of accuracy. Besides, we also present an analysis software toolkit, DyFA (dynamic fault-trees analyzer), which implements the proposed methodology.

20.
Posbist fault tree analysis of coherent systems (total citations: 11, self-citations: 0, citations by others: 11)
When the failure probability of a system is extremely small or necessary statistical data from the system is scarce, it is very difficult or impossible to evaluate its reliability and safety with conventional fault tree analysis (FTA) techniques. New techniques are needed to predict and diagnose such a system's failures and evaluate its reliability and safety. In this paper, we first provide a concise overview of FTA. Then, based on the posbist reliability theory, event failure behavior is characterized in the context of possibility measures and the structure function of the posbist fault tree of a coherent system is defined. In addition, we define the AND operator and the OR operator based on the minimal cut of a posbist fault tree. Finally, a model of posbist fault tree analysis (posbist FTA) of coherent systems is presented. The use of the model for quantitative analysis is demonstrated with a real-life safety system.


Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号