20 similar documents found (search time: 0 ms)
1.
Fault tree analysis (FTA) is widely applied to assess the failure probability of industrial systems. Many computer packages are available, which are based on conventional kinetic tree theory methods. When dealing with large (possibly non-coherent) fault trees, the limitations of the technique in terms of accuracy of the solutions and the efficiency of the processing time become apparent. Over recent years, the binary decision diagram (BDD) method has been developed that solves fault trees and overcomes the disadvantages of the conventional FTA approach. First of all, a fault tree for a particular system failure mode is constructed and then converted to a BDD for analysis. This paper analyses alternative methods for the fault tree to BDD conversion process. For most fault tree to BDD conversion approaches, the basic events of the fault tree are placed in an ordering. This can dramatically affect the size of the final BDD and the success of qualitative and quantitative analyses of the system. A set of rules is then applied to each gate in the fault tree to generate the BDD. An alternative approach can also be used, where BDD constructs for each of the gate types are first built and then merged to represent a parent gate. A powerful and efficient property, sub-node sharing, is also incorporated in the enhanced method proposed in this paper. Finally, a combined approach is developed taking the best features of the alternative methods. The efficiency of the techniques is analysed and discussed.
2.
The use of binary decision diagrams (BDDs) in fault tree analysis provides both an accurate and efficient means of analysing a system. There is a problem, however, with the conversion process of the fault tree to the BDD. The variable ordering scheme chosen for the construction of the BDD has a crucial effect on its resulting size and previous research has failed to identify any scheme that is capable of producing BDDs for all fault trees. This paper proposes an analysis strategy aimed at increasing the likelihood of obtaining a BDD for any given fault tree, by ensuring the associated calculations are as efficient as possible. The method implements simplification techniques, which are applied to the fault tree to obtain a set of ‘minimal’ subtrees, equivalent to the original fault tree structure. BDDs are constructed for each, using ordering schemes most suited to their particular characteristics. Quantitative analysis is performed simultaneously on the set of BDDs to obtain the top event probability, the system unconditional failure intensity and the criticality of the basic events.
3.
One of the principal activities of risk assessment is either the ranking or the categorization of structures, systems and components with respect to their risk-significance or their safety-significance. Several measures, so-called importance factors, of such a significance have been proposed for the case where the support model is a fault tree. In this article, we show how binary decision diagrams can be used to efficiently assess a number of classical importance factors. This work completes the preliminary results obtained recently by Andrews and Sinnamon, and the authors. It also deals with the concept of joint reliability importance.
4.
A fast BDD algorithm for large coherent fault trees analysis (Total citations: 9, self-citations: 2, citations by others: 9)
Although binary decision diagram (BDD) algorithms have been tried on large fault trees until quite recently, such trees are not solved efficiently in a short time, since the size of a BDD structure increases exponentially with the number of variables. Furthermore, the truncation of If–Then–Else (ITE) connectives by a probability or size limit, and the subsuming used to delete subsets, could not be applied directly to the intermediate BDD structure under construction. This is the motivation for this work. This paper presents an efficient BDD algorithm for large coherent systems (coherent BDD algorithm) by which the truncation and subsuming can be performed during the construction of the BDD structure. A set of new formulae developed in this study for AND or OR operation between two ITE connectives of a coherent system makes it possible to delete subsets and truncate ITE connectives with a probability or size limit in the intermediate BDD structure under construction. By means of the truncation and subsuming in every step of the calculation, large fault trees for coherent systems (coherent fault trees) are efficiently solved in a short time using less memory. Furthermore, from the aspect of the size of a BDD structure, the coherent BDD algorithm is much less sensitive to variable ordering than the conventional BDD algorithm.
5.
A simple new method for building binary decision diagrams (BDDs) encoding a fault tree (FT) is provided in this study. We first decompose the FT into FT-components. Each of them is a single descendant (SD) gate-sequence. Following the node-connection rule, the BDD-component encoding an SD FT-component can each be found to be an SD node-sequence. By successively connecting the BDD-components one by one, the BDD for the entire FT is thus obtained. During the node-connection and component-connection, reduction rules might need to be applied. An example FT is used throughout the article to explain the procedure step by step. Our proposed method is a hybrid one for FT analysis. Some algorithms or techniques used in the conventional FT analysis or the newer BDD approach may be applied to our case; the ideas mentioned in the article might in turn be referred to by the two methods.
6.
An improved decomposition scheme for assessing the reliability of embedded systems by using dynamic fault trees (Total citations: 2, self-citations: 0, citations by others: 2)
The theories of fault trees have been used for many years because they can easily provide a concise representation of the failure behavior of general non-repairable fault tolerant systems. But the defect of traditional fault trees is a lack of accuracy when modeling the dynamic failure behavior of certain systems with a fault-recovery process. A solution to this problem is called behavioral decomposition. A system is divided into several dynamic or static modules, and each module can be further analyzed using binary decision diagrams (BDD) or Markov chains separately. In this paper, we show a very useful decomposition scheme in which independent subtrees of a dynamic module are detected and solved hierarchically. Experimental results show that the proposed method can result in significant savings of computation time without an unacceptable loss of accuracy. Besides, we also present an analysis software toolkit, DyFA (dynamic fault-trees analyzer), which implements the proposed methodology.
7.
In this paper, a new method for quantitative security risk assessment of complex systems is presented, combining fault-tree analysis, traditionally used in reliability analysis, with the recently introduced Attack-tree analysis, proposed for the study of malicious attack patterns. The combined use of fault trees and attack trees helps the analyst to effectively face the security challenges posed by the introduction of modern ICT technologies in the control systems of critical infrastructures. The proposed approach allows considering the interaction of malicious deliberate acts with random failures. Formal definitions of fault tree and attack tree are provided and a mathematical model for the calculation of system fault probabilities is presented.
8.
An ordering heuristic to develop the binary decision diagram based on structural importance (Total citations: 1, self-citations: 0, citations by others: 1)
Fault tree analysis is often used to assess risks within industrial systems. The technique is commonly used although there are associated limitations in terms of accuracy and efficiency when dealing with large fault tree structures. The most recent approach to aid the analysis of the fault tree diagram is the Binary Decision Diagram (BDD) methodology. To utilise the technique the fault tree structure needs to be converted into the BDD format. Converting the fault tree requires the basic events of the tree to be placed in an ordering. The ordering of the basic events is critical to the resulting size of the BDD, and ultimately affects the performance and benefits of this technique. A number of heuristic approaches have been developed to produce an optimal ordering permutation for a specific tree. These heuristic approaches do not always yield a minimal BDD structure for all trees. This paper looks at a heuristic that is based on the structural importance measure of each basic event. Comparing the resulting size of the BDD with the smallest generated from a set of six alternative ordering heuristics, this new structural heuristic produced a BDD of smaller or equal dimension on 77% of trials.
9.
Models such as statecharts and fault trees become increasingly more available in electronic form as they progressively find more useful applications in the development of safety critical systems. As these models typically reduce in their utility after system certification, however, useful knowledge about the behaviour of the system remains unused in the operational phase of the system lifecycle. In this paper, we show that this knowledge could be exploited in the context of an on-line hazard-directed monitoring scheme in which a suitable specification derived from design models and safety analyses forms a reference monitoring model. As a practical application of this approach, we propose a generic safety monitor that can operate on statecharts and fault trees to support the on-line detection, diagnosis and control of hazardous failures in real-time. We discuss the structuring of the monitoring model, the monitoring algorithms and report on a case study performed on a model aircraft fuel system.
10.
Andrija Volkanovski Marko Čepin Borut Mavko 《Reliability Engineering & System Safety》2009,94(6):1116-1127
A new method for power system reliability analysis using the fault tree analysis approach is developed. The method is based on fault trees generated for each load point of the power system. The fault trees are related to disruption of energy delivery from generators to the specific load points. Quantitative evaluation of the fault trees, which represents a standpoint for assessment of reliability of power delivery, enables identification of the most important elements in the power system. The algorithm of the computer code, which facilitates the application of the method, has been applied to the IEEE test system. The power system reliability was assessed and the main contributors to power system reliability have been identified, both qualitatively and quantitatively.
11.
M. Demichela N. Piccinini I. Ciarambino S. Contini 《Reliability Engineering & System Safety》2003,82(2):141-147
In this paper an account will be given of the numerical solution of the logic trees directly extracted from the Recursive Operability Analysis. Particular attention will be devoted to the use of the NOT and INH logic gates for correct logical representation of Fault Trees prior to their quantitative resolution. The NOT gate is needed for correct logical representation of events when both non-intervention and correct intervention of a protective system may lead to a Top Event. The INH gate must be used to correctly represent the time link between two events that are both necessary, but must occur in sequence. Some numerical examples will be employed to show both the correct identification of the events entering the INH gates and how use of the AND gate instead of the INH gate leads to overestimation of the probability of occurrence of a Top Event.
12.
Joint reliability importance (JRI) of two gate events (GEs) is investigated along with its properties in a fault tree (FT). Computation of JRI of two GEs involves complexity because statistical dependency between GEs exists as a result of replication of basic events (BEs). To avoid complexity in computing the JRI, the topological relationships of two GEs in a FT are identified and classified into three classes. The explicit formula for the JRI of the two GEs is derived. JRI for each class is shown to be computed by using a conventional FT algorithm. By illustrating min. cut set representation of the bridge network, it is also shown that the degree of relationship between two min. cut sets can be measured by the JRI of the corresponding two GEs.
13.
With the advent of the Binary Decision Diagrams (BDD) approach in fault tree analysis, a significant enhancement has been achieved with respect to previous approaches, both in terms of efficiency and accuracy of the overall outcome of the analysis. However, the exponential increase of the number of nodes with the complexity of the fault tree may prevent the construction of the BDD. In these cases, the only way to complete the analysis is to reduce the complexity of the BDD by applying the truncation technique, which nevertheless implies the problem of estimating the truncation error or upper and lower bounds of the top-event unavailability. This paper describes a new method to analyze large coherent fault trees which can be advantageously applied when the working memory is not sufficient to construct the BDD. It is based on the decomposition of the fault tree into simpler disjoint fault trees containing a lower number of variables. The analysis of each simple fault tree is performed by using all the computational resources. The results from the analysis of all simpler fault trees are re-combined to obtain the results for the original fault tree. Two decomposition methods are herewith described: the first aims at determining the minimal cut sets (MCS) and the upper and lower bounds of the top-event unavailability; the second can be applied to determine the exact value of the top-event unavailability. Potentialities, limitations and possible variations of these methods will be discussed with reference to the results of their application to some complex fault trees.
14.
The purpose of this paper is to describe an efficient Boolean algebraic algorithm that provides exact solution to the unreliability of a multi-phase mission system where the configurations are described through fault trees. The algorithm extends and improves the Boolean method originally proposed by Somani and Trivedi. By using the Boolean algebraic method, we provide an efficient modeling approach which avoids the state space explosion and the mapping problems that are encountered by the Markov chain approach. To calculate the exact solution of the phased-mission system with deterministic phase durations, we introduce the sum of disjoint phase products (SDPP) formula, which is a phased-extension of the sum of disjoint products (SDP) formula. Computationally, the algorithm is quite efficient because it calls an SDP generation algorithm in the early stage of the SDPP computation. In this way, the phase products generated in the early stage of the SDPP formula are guaranteed to be disjoint. Consequently, the number of the intermediate phase products is greatly reduced. In this paper, we also consider the transient analysis of the phased-mission system. Special care is needed to account for the possible latent failures at the mission phase change times. If there are more stringent success criteria just after a mission phase change time, an unreliability jump would occur at that time. Finally, the algorithm has been implemented in the software package . With , the complexities of the phased-mission system are made transparent to the potential users. The user can conveniently specify a phased-mission model at a high level (through fault trees) and analyze the system quantitatively.
15.
Timing analysis of safety properties using fault trees with time dependencies and timed state-charts
Behavior in the time domain is often crucial for safety critical systems. Standard fault trees cannot express time-dependent behavior. In the paper, timing analysis of safety properties using fault trees with time dependencies (FTTDs) and timed state-charts is presented. A new version of timed state-charts (TSCs) is also proposed. These state-charts can model the dynamics of technical systems, e.g. controllers, controlled objects, and people. In TSCs, activity and communication times are represented by time intervals. In the proposed approach the structure of the FTTD is fixed by a human. Time properties of events and gates of the FTTD are expressed by time intervals, and are calculated using TSCs. The minimal and maximal values of these time intervals of the FTTD can be calculated by finding paths with minimal and maximal time lengths in TSCs, which is an NP-hard problem. In order to reduce the practical complexity of computing the FTTD time parameters, some reductions of TSCs are defined in the paper, such as sequential, alternative, loop (iteration), and parallel. Some of the reductions are intuitive; in the case of others, theorems are required. The computational complexity of each reduction is not greater than linear in the size of the reduced TSC. Therefore, the obtained results enable decreasing the cost of FTTD time parameter calculation when system dynamics is expressed by TSCs. A case study of a railroad crossing with a controller that controls semaphores, a gate, and a light-audio signal close to the gate is analyzed.
16.
Sungdeok Cha Hanseong Son Junbeom Yoo Eunkyung Jee Poong Hyun Seong 《Reliability Engineering & System Safety》2003,82(1):11-20
Fault tree analysis, the most widely used safety analysis technique in industry, is often applied manually. Although techniques such as cutset analysis or probabilistic analysis can be applied on the fault tree to derive further insights, they are inadequate in locating flaws when failure modes in fault tree nodes are incorrectly identified or when causal relationships among failure modes are inaccurately specified. In this paper, we demonstrate that the model checking technique is a powerful tool that can formally validate the accuracy of fault trees. We used the real-time model checker UPPAAL because the system we used as the case study, the nuclear power emergency shutdown software named Wolsong SDS2, has real-time requirements. By translating functional requirements written in SCR-style tabular notation into timed automata, two types of properties were verified: (1) whether the failure mode described in a fault tree node is consistent with the system's behavioral model; and (2) whether or not a fault tree node has been accurately decomposed. A group of domain engineers with detailed technical knowledge of Wolsong SDS2 and safety analysis techniques developed the fault tree used in the case study. However, the model checking technique detected subtle ambiguities present in the fault tree.
17.
The reliability performance of a system is frequently a function of component failures of which some are independent whilst others are interdependent. It is possible to represent the system failure logic in a fault tree diagram, however only the sections containing independent events can be assessed using the conventional fault tree analysis methodology. The analysis of the dependent sections will require a Markov analysis. Since the efficiency of the Markov analysis largely depends on the size of the established Markov model, the key is to extract from the fault tree the smallest sections which contain dependencies. This paper proposes a method aimed at establishing the smallest Markov model for the dependencies contained within the fault tree.
18.
Condition-based fault tree analysis (CBFTA): A new method for improved fault tree analysis (FTA), reliability and safety calculations (Total citations: 3, self-citations: 0, citations by others: 3)
Condition-based maintenance methods have changed systems reliability in general and individual systems in particular. Yet, this change does not affect system reliability analysis. System fault tree analysis (FTA) is performed during the design phase. It uses component failure rates derived from available sources such as handbooks, etc. Condition-based fault tree analysis (CBFTA) starts with the known FTA. Condition monitoring (CM) methods applied to systems (e.g. vibration analysis, oil analysis, electric current analysis, bearing CM, electric motor CM, and so forth) are used to determine updated failure rate values of sensitive components. The CBFTA method accepts updated failure rates and applies them to the FTA. The CBFTA periodically recalculates the top event (TE) failure rate (λTE), thus determining the probability of system failure and the probability of successful system operation—i.e. the system's reliability. FTA is a tool for enhancing system reliability during the design stages. But it has disadvantages, mainly that it does not relate to a specific system undergoing maintenance. CBFTA is a tool for updating reliability values of a specific system and for calculating the residual life according to the system's monitored conditions. Using CBFTA, the original FTA is ameliorated to a practical tool for use during the system's field life phase, not just during the system design phase. This paper describes the CBFTA method, and its advantages are demonstrated by an example.
19.
Bayesian networks for multilevel system reliability (Total citations: 1, self-citations: 0, citations by others: 1)
Alyson G. Wilson Aparna V. Huzurbazar 《Reliability Engineering & System Safety》2007,92(10):1413-1420
Bayesian networks have recently found many applications in systems reliability; however, the focus has been on binary outcomes. In this paper we extend their use to multilevel discrete data and discuss how to make joint inference about all of the nodes in the network. These methods are applicable when system structures are too complex to be represented by fault trees. The methods are illustrated through four examples that are structured to clarify the scope of the problem.
20.
It has been argued that functional diversity might be a plausible means of claiming independence of failures between two versions of a system. We present a model of functional diversity, in the spirit of earlier models of diversity such as those of Eckhardt and Lee, and Hughes. In terms of the model, we show that the claims for independence between functionally diverse systems seem rather unrealistic. Instead, it seems likely that functionally diverse systems will exhibit positively correlated failures, and thus will be less reliable than an assumption of independence would suggest. The result does not, of course, suggest that functional diversity is not worthwhile; instead, it places upon the evaluator of such a system the onus to estimate the degree of dependence so as to evaluate the reliability of the system.