Systematic evaluation of fault trees using real-time model checker UPPAAL

Fault tree analysis, the most widely used safety analysis technique in industry, is often applied manually. Although techniques such as cutset analysis or probabilistic analysis can be applied on the fault tree to derive further insights, they are inadequate in locating flaws when failure modes in fault tree nodes are incorrectly identified or when causal relationships among failure modes are inaccurately specified. In this paper, we demonstrate that model checking technique is a powerful tool that can formally validate the accuracy of fault trees. We used a real-time model checker UPPAAL because the system we used as the case study, nuclear power emergency shutdown software named Wolsong SDS2, has real-time requirements. By translating functional requirements written in SCR-style tabular notation into timed automata, two types of properties were verified: (1) if failure mode described in a fault tree node is consistent with the system's behavioral model; and (2) whether or not a fault tree node has been accurately decomposed. A group of domain engineers with detailed technical knowledge of Wolsong SDS2 and safety analysis techniques developed fault tree used in the case study. However, model checking technique detected subtle ambiguities present in the fault tree.     

Criteria for evaluating protection from single points of failure for partially expanded fault trees

Fault tree analysis (FTA) is a technique that describes the combinations of events in a system which result in an undesirable outcome. FTA is used as a tool to quantitatively assess a system's probability for an undesirable outcome. Time constraints from concept to production in modern engineering often limit the opportunity for a thorough statistical analysis of a system. Furthermore, when undesirable outcomes are considered such as hazard to human(s), it becomes difficult to identify strict statistical targets for what is acceptable. Consequently, when hazard to human(s) is concerned a common design target is to protect the system from single points of failure (SPOF) which means that no failure mode caused by a single event, concern, or error has a critical consequence on the system. Such a design target is common with “by-wire” systems. FTA can be used to verify if a system is protected from SPOF. In this paper, sufficient criteria for evaluating protection from SPOF for partially expanded fault trees are proposed along with proof. The proposed criteria consider potential interactions between the lowest drawn events of a partial fault tree expansion which otherwise easily leads to an overly optimistic analysis of protection from SPOF. The analysis is limited to fault trees that are coherent and static.     

Accident sequence analysis of human–computer interface design

It is important to predict potential accident sequences of human–computer interaction in a safety-critical computing system so that vulnerable points can be disclosed and removed. We address this issue by proposing a Multi-Context human–computer interaction Model along with its analysis techniques, an Augmented Fault Tree Analysis, and a Concurrent Event Tree Analysis. The proposed augmented fault tree can identify the potential weak points in software design that may induce unintended software functions or erroneous human procedures. The concurrent event tree can enumerate possible accident sequences due to these weak points.     

Incorporating organizational factors into Probabilistic Risk Assessment (PRA) of complex socio-technical systems: A hybrid technique formalization

This paper is a result of a research with the primary purpose of extending Probabilistic Risk Assessment (PRA) modeling frameworks to include the effects of organizational factors as the deeper, more fundamental causes of accidents and incidents. There have been significant improvements in the sophistication of quantitative methods of safety and risk assessment, but the progress on techniques most suitable for organizational safety risk frameworks has been limited. The focus of this paper is on the choice of “representational schemes” and “techniques.” A methodology for selecting appropriate candidate techniques and their integration in the form of a “hybrid” approach is proposed. Then an example is given through an integration of System Dynamics (SD), Bayesian Belief Network (BBN), Event Sequence Diagram (ESD), and Fault Tree (FT) in order to demonstrate the feasibility and value of hybrid techniques. The proposed hybrid approach integrates deterministic and probabilistic modeling perspectives, and provides a flexible risk management tool for complex socio-technical systems. An application of the hybrid technique is provided in the aviation safety domain, focusing on airline maintenance systems. The example demonstrates how the hybrid method can be used to analyze the dynamic effects of organizational factors on system risk.     

Fault tree developed by an object-based method improves requirements specification for safety-related systems

Fault tree analysis is frequently used to improve system reliability and safety. To be suitable for analysis of software in computerised safety-related systems, it has to be modified accordingly. This paper presents a new application: the fault trees developed by an object-based method. The object-based method integrates structural and behavioural models of a system. The developed fault tree includes information on structure and the failure behaviours of classes of the system. Away from traditional use of the fault tree, which for traditional systems emphasises qualitative and quantitative results, the result of the new application emphasises the process of fault tree development and its qualitative results. Such fault tree application reduces the probability of failures in the requirements specification phase within the software life cycle, which increases the reliability of its product; however, it does not confirm this in a quantitative manner.     

A method for analysing the reliability of a transmission grid

The paper describes a probabilistic method for transmission grid security evaluation. Power system security is the ability of the power system to withstand sudden disturbances such as short circuits. The method presented here uses event and fault trees and combines them with power system dynamic simulations. Event trees model the substation protection and trip operations after line faults. Different event tree end states (fault duration, circuit breaker trips) are simulated with power system dynamic analysis program. The dynamic analysis results (power system post-fault states) are then classified into secure, alert, emergency and system breakdown. The probabilities, minimal cut sets and grid level importance measures (Fussell-Vesely, risk increase and decrease factors) are calculated for the total and partial system breakdown. In this way, the relative importance of the substation devices regarding to the system breakdown can be reached. Also the more and less likely contributing factors to system breakdown are received. With this method, an existing 400 kV transmission grid with its line fault and device failure statistics is analysed.     

Analyses of robot systems using fault and event trees: case studies

Safety in the use of robotics outside factories or processing plants has become a matter of great international concern. Domestic robots and those intended to assist nurses and surgeons in hospitals are examples of cases where safety and reliability are considered critical. The safe performance of robot systems depends on many factors, including the integrity of the robot's hardware and software, the way it communicates with sensory and other production equipment, the reliable function of the safety features present and the way the robot interacts with its environment. The use of systematic techniques such as Fault and Event Tree analysis to examine the safety and reliability of a given robotic system is presented. Considerable knowledge is needed before the application of such analysis techniques can be translated into safety specifications or indeed ‘fail-safe’ design features of robotic systems. The skill and understanding required for the formulation of such specifications is demonstrated here based on a number of case studies.     

Level-1 probability safety assessment of the Iranian heavy water reactor using SAPHIRE software

The main goal of this review paper is to analyze the total frequency of the core damage of the Iranian Heavy Water Research Reactor (IHWRR) compared with standard criteria and to determine the strengths and the weaknesses of the reactor safety systems towards improving its design and operation. The PSA has been considered for full-power state of the reactor and this article represents a level-1 PSA analysis using System Analysis Programs for Hands-On Integrated Reliability Evaluations (SAPHIRE) software. It is specifically designed to permit a listing of the potential accident sequences, compute their frequencies of occurrence and assign each sequence to a consequence. The method used for modeling the systems and accident sequences, is Large Fault Tree/Small Event Tree method. This PSA level-1 for IHWRR indicates that, based on conservative assumptions, the total frequency of accidents that would lead to core damage from internal initiating events is 4.44E−05 per year of reactor operation.     

Development of measures to estimate truncation error in fault tree analysis

The fault tree quantification uncertainty from the truncation error has been of great concern for the reliability evaluation of large fault trees in the probabilistic safety analysis (PSA) of nuclear plants. The truncation limit is used to truncate cut sets of the gates when quantifying the fault trees. This paper presents measures to estimate the probability of the truncated cut sets, that is, the amount of truncation error. The functions to calculate the measures are programmed into the new fault tree quantifier FTREX (Fault Tree Reliability Evaluation eXpert) and a Benchmark test was performed to demonstrate the efficiency of the measures.The measures presented in this study are calculated by a single quantification of the fault tree with the assigned truncation limit. As demonstrated in the Benchmark test, lower bound of truncated probability (LBTP) and approximate truncation probability (ATP) are efficient estimators of the truncated probability. The truncation limit could be determined or validated by suppressing the measures to be less than the assigned upper limit. The truncation limit should be lowered until the truncation error is less than the assigned upper limit. Thus, the measures could be used as an acceptability of the fault tree quantification results. Furthermore, the developed measures are easily implemented into the existing fault tree solvers by adding a few subroutines to the source code.     

The mathematical formulation for the event sequence diagram framework

The Event Sequence Diagram (ESD) framework allows modeling of dynamic situations of interest to PRA analysts. A qualitative presentation of the framework was given in an earlier article. The mathematical formulation for the components of the ESD framework is described in this article. The formulation was derived from the basic probabilistic dynamics equations. For tackling certain dynamic non-Markovian situations, the probabilistic dynamics framework was extended. The mathematical treatment of dependencies among fault trees in a multi layered ESD framework is also presented.     

Analytical simulation and PROFAT II: a new methodology and a computer automated tool for fault tree analysis in chemical process industries

Fault tree analysis (FTA) is based on constructing a hypothetical tree of base events (initiating events) branching into numerous other sub-events, propagating the fault and eventually leading to the top event (accident). It has been a powerful technique used traditionally in identifying hazards in nuclear installations and power industries. As the systematic articulation of the fault tree is associated with assigning probabilities to each fault, the exercise is also sometimes called probabilistic risk assessment. But powerful as this technique is, it is also very cumbersome and costly, limiting its area of application. We have developed a new algorithm based on analytical simulation (named as AS-II), which makes the application of FTA simpler, quicker, and cheaper; thus opening up the possibility of its wider use in risk assessment in chemical process industries. Based on the methodology we have developed a computer-automated tool. The details are presented in this paper.     

Assessment of fire vulnerability for nuclear power plant safety systems by combining fault-and success-oriented logic with physical models

The time behaviour of potential accident sequences may carry important information regarding nuclear power plant (NPP) safety operation and shutdown. In the case of external and environmental events, the ability of NPP components to operate correctly can be changed dramatically in a short time. In contrast to the failures caused by internal events, these two groups of undesirable events may lead to dynamic dependent failures among components of one or several systems. Such kinds of failure should be taken into account in the models of NPP behaviour. To evaluate how successfully the tasks of the safety systems will be carded out, logical models such as fault trees are usually used. The fault trees are not efficient at describing the short-term changes of the failure probabilities for system components. A method that has some advantages over the pure fault tree logic is proposed. The main features of the method are demonstrated by using examples.     

SMV model-based safety analysis of software requirements

Fault tree analysis (FTA) is one of the most frequently applied safety analysis techniques when developing safety-critical industrial systems such as software-based emergency shutdown systems of nuclear power plants and has been used for safety analysis of software requirements in the nuclear industry. However, the conventional method for safety analysis of software requirements has several problems in terms of correctness and efficiency; the fault tree generated from natural language specifications may contain flaws or errors while the manual work of safety verification is very labor-intensive and time-consuming. In this paper, we propose a new approach to resolve problems of the conventional method; we generate a fault tree from a symbolic model verifier (SMV) model, not from natural language specifications, and verify safety properties automatically, not manually, by a model checker SMV. To demonstrate the feasibility of this approach, we applied it to shutdown system 2 (SDS2) of Wolsong nuclear power plant (NPP). In spite of subtle ambiguities present in the approach, the results of this case study demonstrate its overall feasibility and effectiveness.     

Use of risk assessment in the nuclear industry with specific reference to the Australian situation

The use of risk assessment in the nuclear industry began in the 1970s as a complementary approach to the deterministic methods used to assess the safety of nuclear facilities. As experience with the theory and application of probabilistic methods has grown, so too has its application. In the last decade, the use of probabilistic safety assessment has become commonplace for all phases of the life of a plant, including siting, design, construction, operation and decommissioning. In the particular case of operation of plant, the use of a ‘living’ safety case or probabilistic safety assessment, building upon operational experience, is becoming more widespread, both as an operational tool and as a basis for communication with the regulator. In the case of deciding upon a site for a proposed reactor, use is also being made of probabilistic methods in defining the effect of design parameters. Going hand in hand with this increased use of risk based methods has been the development of assessment criteria against which to judge the results being obtained from the risk analyses. This paper reviews the use of risk assessment in the light of the need for acceptability criteria and shows how these tools are applied in the Australian nuclear industry, with specific reference to the probabilistic safety assessment (PSA) performed of HIFAR.     

On the numerical solution of fault trees

In this paper an account will be given of the numerical solution of the logic trees directly extracted from the Recursive Operability Analysis. Particular attention will be devoted to the use of the NOT and INH logic gates for correct logical representation of Fault Trees prior to their quantitative resolution.The NOT gate is needed for correct logical representation of events when both non-intervention and correct intervention of a protective system may lead to a Top Event.The INH gate must be used to correctly represent the time link between two events that are both necessary, but must occur in sequence. Some numerical examples will be employed to show both the correct identification of the events entering the INH gates and how use of the AND gate instead of the INH gate leads to overestimation of the probability of occurrence of a Top Event.     

A model to assess the fatigue behaviour of ageing aircraft fuselage

A computer efficient model for assessing the fatigue behaviour of ageing aircraft components in the presence of multiple site damage is introduced. The model involves the computation of crack initiation scenarios on the basis of a probabilistic approach and the estimation of the fatigue behaviour of complex, highly loaded aircraft structures using a deterministic concept. To reduce the computing effort because of the model size and mesh difficulties in crack propagation calculations, a sub-structuring procedure under the FE method is utilized. An incremental approach for calculating crack initiation and crack propagation has been involved; it leads to a further essential reduction of the computing effort. Computer simulation is compared with experimental results for characteristic multiple site damage problems of aluminium 2024 lap and butt joints.     

Fault trees analysis using expert opinion based on fuzzy‐bathtub failure rates

The main objective of fault tree analysis method is to estimate the “Top Event occurrence probability”. This requires determination of failure time distribution functions also known as “Bathtub Curves” for each of the system elements/events. This paper introduces a novel method to determine the failure time distribution functions using possibility theory. For this purpose, fuzzy‐bathtub distributions using expert opinions are generated for basic events and fuzzy formulas are derived for static and dynamic gates fault tree constructions. This process completed by proposed fuzzy Monte Carlo simulation throughout the preferred operational time and uses the actual time‐to‐failure data. Accordingly, the Top Event failure curve and the reliability profile of the system are depicted based on the defuzzificated basic‐events' bathtub‐failure‐rates. The results show that the proposed method not only is feasible and powerful but can also be accurate more than the other probabilistic and possibilistic techniques because of the component failure rates follow the real failure distributions.     

Safety Investment Allocation by Dynamic Programming1

A two-phase model is proposed for determining and evaluating alternative safety investments. The first phase involves the analysis of safety problems by the use of Fault Tree Analysis. The resulting Fault Trees are then used to establish the probabilistic structure through which the returns of safety investments can be determined. This is integrated into a dynamic programming algorithm so that the variety of discrete alternatives can be evaluated under the constraints of a total safety budget.     

Reliability importance analysis of Markovian systems at steady state using perturbation analysis

Sensitivity analysis has been primarily defined for static systems, i.e. systems described by combinatorial reliability models (fault or event trees). Several structural and probabilistic measures have been proposed to assess the components importance. For dynamic systems including inter-component and functional dependencies (cold spare, shared load, shared resources, etc.), and described by Markov models or, more generally, by discrete events dynamic systems models, the problem of sensitivity analysis remains widely open. In this paper, the perturbation method is used to estimate an importance factor, called multi-directional sensitivity measure, in the framework of Markovian systems. Some numerical examples are introduced to show why this method offers a promising tool for steady-state sensitivity analysis of Markov processes in reliability studies.     

Analysis and synthesis of the behaviour of complex programmable electronic systems in conditions of failure

This paper introduces a new method for safety analysis which modifies, automates and integrates a number of classical safety analysis techniques to address some of the problems currently encountered in complex safety assessments. The method enables the analysis of a complex programmable electronic system from the functional level through to low levels of its hardware and software implementation. In the course of the assessment, the method integrates design and safety analysis and harmonises hardware safety analysis with the hazard analysis of software architectures. It also introduces an algorithm for the synthesis of fault trees, which mechanises and simplifies a large and traditionally problematic part of the assessment, the development of fault trees. In this paper, we present the method and discuss its application on a prototypical distributed brake-by-wire system for cars. We argue that the method can help us rationalise and simplify an inherently creative and difficult task and therefore gain a consistent and meaningful picture of how a complex programmable system behaves in conditions of failure.