Similar literature
 20 similar records found (search time 781 ms)
1.
Fault tree analysis is frequently used to improve system reliability and safety. To be suitable for analysis of software in computerised safety-related systems, it has to be modified accordingly. This paper presents a new application: fault trees developed by an object-based method. The object-based method integrates structural and behavioural models of a system. The developed fault tree includes information on the structure and the failure behaviours of the classes of the system. Unlike the traditional use of the fault tree, which for traditional systems emphasises qualitative and quantitative results, the result of the new application emphasises the process of fault tree development and its qualitative results. Such fault tree application reduces the probability of failures in the requirements specification phase within the software life cycle, which increases the reliability of its product; however, it does not confirm this in a quantitative manner.

2.
As programmable logic controllers (PLCs) are often used to implement safety-critical embedded software, safety demonstration of PLC code is needed. In this paper, we propose a fault tree analysis technique on Function Block Diagrams (FBDs), which are one of the most widely used PLC programming languages. FBD is currently being used to develop the Reactor Protection System (RPS) for a nuclear power plant in South Korea. Our approach to fault tree analysis, which combines fault-oriented and cause/effect-oriented viewpoints, is easy to understand and offers systematic guidelines to ensure the safety of PLC code. Domain experts found the approach to be useful through a case study on RPS, and this paper compares the completeness and comprehensiveness of the fault trees semi-automatically generated using the proposed approach against those manually prepared by nuclear safety engineers.

3.
Fault tree analysis is a well-established method in system safety and reliability assessment. We transferred the principles of this technique to an assembler code analysis, regarding any incorrect output of the software as the undesired top-level event. Starting from the instructions providing the outputs and tracking back to all instructions contributing to these outputs, a hierarchical system of references is generated that may be represented graphically as a fault tree. To cope with the large number of relations in the code, a tool suite has been developed which automatically creates these references and checks for unfulfilled preconditions of instructions. The tool was applied to the operational software of an inertial measurement unit, which provides safety-critical signals for the artificial stabilization of an aircraft. The method and its implementation as a software tool are presented, and the benefits, surprising results, and limitations we have experienced are discussed.
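The backward reference tracking described in item 3 is, at its core, a def-use slice: start at each instruction that produces an output, find the instruction that last wrote each register it reads, and recurse. The following is an added illustration, not the paper's tool or its IMU software. It assumes a constructed straight-line toy assembler (no branches or loops, which the real tool would have to handle) with `ld`, arithmetic, and an `out` instruction; instruction 5 reads a register that is never written, the kind of unfulfilled precondition the abstract mentions.

```python
import re

# Constructed toy program (not the IMU software from the paper): straight-line
# 3-address assembler. Register r7 is read in instruction 5 but never assigned,
# the kind of unfulfilled precondition the paper's tool flags.
PROGRAM = [
    "ld  r1, gyro_x",
    "ld  r2, bias_x",
    "sub r3, r1, r2",
    "ld  r4, gain",
    "mul r5, r3, r4",
    "add r6, r5, r7",
    "out rate_cmd, r6",
]

INSTR = re.compile(r"^\s*(\w+)\s+([\w.]+)(?:\s*,\s*([\w.]+))?(?:\s*,\s*([\w.]+))?")
REGISTER = re.compile(r"^r\d+$")


def parse(line):
    """Return (op, dest_register, source_operands, output_name) for one line.
    `out <signal>, <reg>` produces a named output and no register result."""
    m = INSTR.match(line)
    if not m:
        raise ValueError(f"cannot parse {line!r}")
    op, *operands = [x for x in m.groups() if x]
    if op == "out":
        return op, None, operands[1:], operands[0]
    return op, operands[0], operands[1:], None


def backtrace(program):
    """For each output instruction, build the reference tree: the instruction
    itself, then the instruction that last defined each register it reads, and
    so on. Returns (trees keyed by output name, list of undefined register reads)."""
    parsed = [parse(line) for line in program]
    undefined = []

    def last_definition(reg, before):
        for j in range(before - 1, -1, -1):
            if parsed[j][1] == reg:
                return j
        return None

    def subtree(i):
        node = {"index": i, "instr": program[i], "depends_on": []}
        for src in parsed[i][2]:
            if not REGISTER.match(src):
                continue                      # named input (memory/sensor) is a leaf
            j = last_definition(src, i)
            if j is None:
                undefined.append((i, src))    # read before any write: precondition unmet
            else:
                node["depends_on"].append(subtree(j))
        return node

    trees = {out: subtree(i) for i, (op, _, _, out) in enumerate(parsed) if op == "out"}
    return trees, undefined


def contributing_instructions(node):
    """Flatten a reference tree into the set of instruction indices it contains."""
    found = {node["index"]}
    for child in node["depends_on"]:
        found |= contributing_instructions(child)
    return found


def render(node, depth=0):
    """Indented text rendering of the tree, top event (the output) first."""
    lines = [f"{'  ' * depth}[{node['index']}] {node['instr']}"]
    for child in node["depends_on"]:
        lines.extend(render(child, depth + 1))
    return lines


if __name__ == "__main__":
    trees, undefined = backtrace(PROGRAM)
    print("\n".join(render(trees["rate_cmd"])))
    print("undefined reads:", undefined)
```

Every instruction that reaches the output appears in the tree, so an undesired value of `rate_cmd` can only originate in one of those nodes; an undefined read is reported separately because it is a precondition violation rather than a dependency.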

4.
The Dynamic Flowgraph Methodology (DFM) is a new approach for embedded system safety analysis. This methodology integrates the modeling and analysis of the hardware and software components of an embedded system. The objective is to complement the traditional approaches which generally follow the philosophy of separating out the hardware and software portions of the assurance analysis. In this paper, the DFM approach is demonstrated using the Titan II Space Launch Vehicle Digital Flight Control System. The hardware and software portions of this embedded system are modeled in an integrated framework. In addition, the time dependent behavior and the switching logic can be captured by this DFM model. In the modeling process, the dimensionality of the decision tables for software subroutines creates a problem. A possible solution for solving the software portion of the DFM model is suggested. This approach makes use of a well-known numerical method, the Newton-Raphson method, to solve the equations implemented in the subroutines in reverse. Convergence can be achieved in a few steps.

5.
Safety models for software-controlled systems should be intuitive, compositional and have the expressive power to model both software and hardware behaviour. Moreover, they should provide quantitative results for failure or hazard probabilities. Fault trees are an accepted and intuitive model for safety analysis, but they are incapable of expressing state dependencies or temporal order of events. We propose to combine fault trees with an explicit State/Event semantics, using a graphical notation that is similar to Statecharts. Our new model, named State/Event Fault Trees (SEFTs), subsumes both deterministic state machines suited to describe software behaviour, and Markov chains that model probabilistic failures, while keeping the visualisation of causal chains known from fault trees. We allow exponentially distributed probabilistic events, deterministic delays, and triggered events. The model provides a component concept, where components are connected by typed ports. Quantitative evaluation is achieved by translating the component models to Deterministic and Stochastic Petri Nets (DSPNs) and using an existing tool for analysis or simulation. This paper, which is an extended version of [Kaiser B, Gramlich C. State-Event-Fault-Trees—a safety analysis model for software controlled systems. Computer safety, reliability, and security. Proceedings of the 23rd international conference, SAFECOMP 2004, Potsdam, Germany, September 21st–24th. Lecture Notes in Computer Science, vol. 3219, 2004. p. 195–209], revisits the model elements and the analysis procedure and provides a small case study of a fire alarm system, completed by an outlook on our tool project ESSaRel.

6.
This paper introduces the control principle and method of a unit with an automatically adjustable internal volume ratio, and describes the control system built around a Siemens (SIEMENS) S7-200 programmable logic controller (PLC) as its control core, including its hardware structure and characteristics and the design of its software.

7.
The performance of human reliability analysis (HRA) and the integration of its outcomes into quantitative risk assessment schemes remain a quite difficult and complex task. Even harder is the assessment of organisational reliability. The reasons for this difficulty lie mainly in the absence of a generally accepted paradigm that enables engineers to include human and organisational factors (H&OF) systematically in the analysis. Broadly speaking, engineering approaches very often account for errors of omission while forgetting errors of commission (EOC), and, on top of that, they do not make any macro distinction between pre- and post-initiating human failures. This paper offers a paradigm for integrating H&OF into safety analysis by means of the recursive operability analysis (ROA), which has been adapted to accommodate H&OF and renamed integrated recursive operability analysis (IROA). By means of a practical example, the method illustrates how to account for H&OF in a systematic and consistent manner using an engineering approach. The paper also provides a paradigm for the construction of integrated fault trees consistent with the IROA framework.

8.
Fault tree analysis (FTA) is one of the most frequently applied safety analysis techniques when developing safety-critical industrial systems such as software-based emergency shutdown systems of nuclear power plants and has been used for safety analysis of software requirements in the nuclear industry. However, the conventional method for safety analysis of software requirements has several problems in terms of correctness and efficiency; the fault tree generated from natural language specifications may contain flaws or errors while the manual work of safety verification is very labor-intensive and time-consuming. In this paper, we propose a new approach to resolve problems of the conventional method; we generate a fault tree from a symbolic model verifier (SMV) model, not from natural language specifications, and verify safety properties automatically, not manually, by a model checker SMV. To demonstrate the feasibility of this approach, we applied it to shutdown system 2 (SDS2) of Wolsong nuclear power plant (NPP). In spite of subtle ambiguities present in the approach, the results of this case study demonstrate its overall feasibility and effectiveness.

9.
Arc faults are one of the main causes of electrical fires, and arc-fault circuit interruption, a relatively new circuit protection technology, can effectively prevent fires caused by arc faults. By analysing the characteristic signals of arc faults, an arc-fault detection method is proposed and the hardware and software of an arc-fault circuit interrupter are designed. The current signal is acquired with a current transformer, filtered, and fed to an MCU, where a Daubechies 4th-order wavelet transform is applied to the detected current signal to determine whether an arc fault has occurred and to respond accordingly. Experimental analysis shows that the design is effective; the arc-fault circuit interrupter also provides residual-current (leakage) protection, has a high recognition rate and a low nuisance-trip rate, and protects the power supply system, electrical equipment and personnel to the greatest possible extent.

10.
In this paper, a new method for quantitative security risk assessment of complex systems is presented, combining fault-tree analysis, traditionally used in reliability analysis, with the recently introduced Attack-tree analysis, proposed for the study of malicious attack patterns. The combined use of fault trees and attack trees helps the analyst to effectively face the security challenges posed by the introduction of modern ICT technologies in the control systems of critical infrastructures. The proposed approach allows considering the interaction of malicious deliberate acts with random failures. Formal definitions of fault tree and attack tree are provided and a mathematical model for the calculation of system fault probabilities is presented.

11.
Safety-barrier diagrams and “bow-tie” diagrams have become popular methods in risk analysis and safety management. This paper describes the syntax and principles for constructing consistent and valid safety-barrier diagrams. The latter's relation to other methods such as fault trees and Bayesian Networks is discussed. Important advantages of safety-barrier diagrams as compared to other graphical risk-analysis methods are, firstly, the relative simplicity that supports communication with non-expert stakeholders and, secondly, the focus on deliberately inserted safety systems that supports the management and maintenance of these systems. Safety-barrier diagrams provide a useful framework for an electronic data structure that integrates information from risk analysis with operational safety management.

12.
A list of critical components is useful for determining the potential problems of a complex system. However, finding this list by evaluating the fault trees is expensive and time consuming. This paper proposes an integrated software program which consists of a fault tree constructor, a knowledge base, and an efficient algorithm for evaluating the minimal cut sets of a large fault tree. The proposed algorithm uses top-down heuristic searching and probability-based truncation. This makes the evaluation of fault trees noticeably more efficient and provides the critical components for solving the potential problems in complex systems. Finally, some practical fault trees are included to illustrate the results.
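Items 10 and 12 together describe the two halves of a quantitative fault tree evaluation: leaves whose probabilities come either from random failure data or from an attack tree (item 10), and a top-down minimal cut set search with probability-based truncation that ranks critical components (item 12). The code below is an added illustration of both, not taken from either paper. The tree, event names and probabilities are constructed; the truncation rule, the rare-event approximation, the exact inclusion-exclusion sum and the Fussell-Vesely importance measure are standard textbook FTA, not the specific mathematical model of item 10.

```python
from itertools import combinations, product

# Constructed example tree (not from any paper above): gate -> (type, children).
# Leaves mix random hardware failures with attacker steps from an attack tree.
TREE = {
    "safety_function_lost": ("OR", ["mechanical_path", "cyber_path"]),
    "mechanical_path": ("AND", ["pump_fail", "backup_pump_fail"]),
    "cyber_path": ("AND", ["controller_compromised", "operator_misses_alarm"]),
    "controller_compromised": ("OR", ["phished_engineer_vpn", "exploit_historian"]),
}
# Basic-event probabilities per mission (illustrative values, not measured data).
BASIC = {
    "pump_fail": 1e-2,
    "backup_pump_fail": 5e-2,
    "phished_engineer_vpn": 1e-1,   # attacker success probability, from the attack tree
    "exploit_historian": 2e-2,      # attacker success probability, from the attack tree
    "operator_misses_alarm": 3e-1,  # human error probability
}


def cut_set_probability(cut_set, basic):
    """Product of basic-event probabilities (events assumed independent)."""
    p = 1.0
    for event in cut_set:
        p *= basic[event]
    return p


def minimal(cut_sets):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    unique = set(cut_sets)
    return sorted((s for s in unique if not any(o < s for o in unique)),
                  key=lambda s: (len(s), sorted(s)))


def cut_sets(node, tree, basic, cutoff=0.0):
    """Top-down expansion of `node` into minimal cut sets. Any partial cut set
    whose probability product is already below `cutoff` is discarded: adding
    events can only lower the product, so the truncation never loses a cut set
    that would have survived."""
    if node in basic:
        return [frozenset([node])] if basic[node] >= cutoff else []
    gate, children = tree[node]
    child_sets = [cut_sets(child, tree, basic, cutoff) for child in children]
    if gate == "OR":
        expanded = [s for sets in child_sets for s in sets]
    elif gate == "AND":
        expanded = []
        for combo in product(*child_sets):
            merged = frozenset().union(*combo)
            if cut_set_probability(merged, basic) >= cutoff:
                expanded.append(merged)
    else:
        raise ValueError(f"unknown gate {gate!r} at {node}")
    return minimal(expanded)


def top_event_probability(mcs, basic, exact=False):
    """Rare-event approximation (sum of cut-set products) or exact inclusion-exclusion."""
    if not exact:
        return sum(cut_set_probability(s, basic) for s in mcs)
    total = 0.0
    for k in range(1, len(mcs) + 1):
        for subset in combinations(mcs, k):
            total += (-1) ** (k + 1) * cut_set_probability(frozenset().union(*subset), basic)
    return total


def rank_components(mcs, basic):
    """Fussell-Vesely importance: share of the top-event probability that flows
    through cut sets containing each basic event. High values mark critical components."""
    top = top_event_probability(mcs, basic)
    importance = {}
    for event in basic:
        importance[event] = sum(cut_set_probability(s, basic) for s in mcs if event in s) / top
    return sorted(importance.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    mcs = cut_sets("safety_function_lost", TREE, BASIC)
    for s in mcs:
        print(sorted(s), cut_set_probability(s, BASIC))
    print("top (rare-event):", top_event_probability(mcs, BASIC))
    print("top (exact):     ", top_event_probability(mcs, BASIC, exact=True))
    print("truncated at 1e-3:", cut_sets("safety_function_lost", TREE, BASIC, cutoff=1e-3))
    print("ranking:", rank_components(mcs, BASIC))
```

With these constructed numbers the two cut sets that go through the compromised controller dominate, and the operator's alarm-handling turns out to be the most critical single element; a cutoff of 1e-3 drops the purely mechanical cut set from the list, which is exactly the trade-off the truncation makes on large trees. Treating attacker success as a fixed per-mission probability is the modelling assumption that lets attack-tree leaves sit beside failure-rate leaves; it ignores that a capable attacker chooses the cheapest path, which is why item 10 keeps the attack tree as a separate formal object rather than folding it into the fault tree.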

13.
Wei Liqiang, Zheng Heng. 高技术通讯 (High Technology Letters), 2007, 17(6): 628-632
Building on fault tree analysis (FTA), a Bayesian network (BN) based safety assessment method for the emergency power system of a nuclear power plant is proposed, and the differences between FTA and BN in building the safety assessment model and in assessment capability are compared. The method has a great advantage in dealing with the many influencing factors and supports more meaningful analyses: it performs both forward predictive inference and backward diagnostic inference, can identify the combinations of factors that lead to a fault, and can thereby locate the weak links of the system. Using the Matlab-based BNT toolbox greatly simplifies the computation. A case study of the safety assessment of the emergency power system of the 10 MW high-temperature gas-cooled reactor (HTR-10) shows that the method is a useful improvement over the traditional fault-tree-based safety assessment method.
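The forward/backward distinction in item 13 is easiest to see on a tiny network. The following added example (not the paper's HTR-10 model, and not using the BNT toolbox) builds a constructed five-node Bayesian network for an emergency power supply in which a shared maintenance factor makes two diesel generators dependent, then answers a predictive query (probability of losing power) and a diagnostic one (posterior probability of each cause given that power was lost). It also computes what a fault tree with independent basic events would report for the same structure, which shows the common-cause effect a fault tree cannot express. Node names and probabilities are illustrative assumptions.

```python
from itertools import product

# Constructed Bayesian network (illustrative, not the HTR-10 model): node ->
# (parents, CPT). The CPT maps a tuple of parent truth values to P(node = True).
# A shared maintenance factor makes the two diesel generators dependent, which a
# fault tree with independent basic events cannot express.
NETWORK = {
    "poor_maintenance": ((), {(): 0.10}),
    "dg1_fails": (("poor_maintenance",), {(True,): 0.20, (False,): 0.02}),
    "dg2_fails": (("poor_maintenance",), {(True,): 0.20, (False,): 0.02}),
    "battery_fails": ((), {(): 0.001}),
    # Deterministic gate node: power is lost if both generators fail or the battery fails.
    "emergency_power_lost": (
        ("dg1_fails", "dg2_fails", "battery_fails"),
        {(a, b, c): 1.0 if (a and b) or c else 0.0
         for a in (False, True) for b in (False, True) for c in (False, True)},
    ),
}


def joint_probability(assignment, network):
    """P(assignment) as the product of each node's conditional probability."""
    p = 1.0
    for node, (parents, cpt) in network.items():
        p_true = cpt[tuple(assignment[q] for q in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def query(target, evidence, network):
    """P(target = True | evidence) by exhaustive enumeration; adequate for a few
    dozen nodes at most, which is all this illustration needs."""
    nodes = list(network)
    numerator = denominator = 0.0
    for values in product((False, True), repeat=len(nodes)):
        assignment = dict(zip(nodes, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue
        p = joint_probability(assignment, network)
        denominator += p
        if assignment[target]:
            numerator += p
    return numerator / denominator


def forward_prediction(network):
    """Predictive inference: probability of losing emergency power, no evidence."""
    return query("emergency_power_lost", {}, network)


def backward_diagnosis(network):
    """Diagnostic inference: given that power was lost, how likely is each cause?"""
    evidence = {"emergency_power_lost": True}
    return {cause: query(cause, evidence, network)
            for cause in ("poor_maintenance", "dg1_fails", "battery_fails")}


def fault_tree_estimate(network):
    """What a fault tree with independent basic events would compute: marginal
    generator failure probabilities multiplied, ignoring the common cause."""
    p_dg = query("dg1_fails", {}, network)
    p_batt = query("battery_fails", {}, network)
    return 1.0 - (1.0 - p_dg * p_dg) * (1.0 - p_batt)


if __name__ == "__main__":
    print("BN forward P(lost):   ", forward_prediction(NETWORK))
    print("FTA estimate P(lost): ", fault_tree_estimate(NETWORK))
    print("BN backward posteriors:", backward_diagnosis(NETWORK))
```

The independent-events estimate is roughly half the network's answer here, because the maintenance factor correlates the two generator failures; the backward query then lifts the posterior of poor maintenance from 10% to about 76%, which is the "weak link" identification the abstract refers to. Exhaustive enumeration is exponential in the node count; a real assessment would use a toolbox such as BNT for the inference.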

14.
In the realm of safety related systems, a growing number of functions are realized by software, ranging from ‘firmware’ to autonomous decision-taking software. To support (political) real-world decision makers, quantitative risk assessment methodology quantifies the reliability of systems. The optimal choice of safety measures with respect to the available budget, for example in the UK (the ‘as low as reasonably practicable’ approach), requires quantification. If a system contains software, some accepted methods on quantification of software reliability exist, but none of them is generally applicable, as we will show. We propose a model bringing software into the quantitative risk assessment domain by introducing failure of software modules (with their probabilities) as basic events in a fault tree. The method is known as ‘TOPAAS’ (Task-Oriented Probability of Abnormalities Analysis for Software). TOPAAS is a factor model allowing the quantification of the basic ‘software’ events in fault tree analyses. In this paper, we argue that this is the best approach currently available to industry. Task-Oriented Probability of Abnormalities Analysis for Software is a practical model by design and is currently put to field testing in risk assessments of programmable electronic safety-related systems in tunnels and control systems of movable storm surge barriers in the Netherlands. The TOPAAS model is constructed to incorporate detailed fields of knowledge and to provide focus toward reliability quantification in the form of a probability measure of mission failure. Our development also provides context for further in-depth research. Copyright © 2013 John Wiley & Sons, Ltd.

15.
Currently many systems used to safeguard processes in industry use a combination of hardware and software. Many of the analysis techniques applied in this field, however, quantify aspects of the hardware only. This paper presents a technique that is used to quantify the safety of safeguarding systems as a whole, including hardware and software. The technique is based on a combination of simulation and fault injection. This paper presents this new technique and demonstrates that it is possible, using this “Random Intelligent Failure Injection Technique”, to analyze and optimize practical safeguarding systems.

16.
17.
A new method for power system reliability analysis using the fault tree analysis approach is developed. The method is based on fault trees generated for each load point of the power system. The fault trees are related to disruption of energy delivery from generators to the specific load points. Quantitative evaluation of the fault trees, which represents a standpoint for assessment of reliability of power delivery, enables identification of the most important elements in the power system. The algorithm of the computer code, which facilitates the application of the method, has been applied to the IEEE test system. The power system reliability was assessed and the main contributors to power system reliability have been identified, both qualitatively and quantitatively.

18.
Systematic evaluation of fault trees using real-time model checker UPPAAL
Fault tree analysis, the most widely used safety analysis technique in industry, is often applied manually. Although techniques such as cut set analysis or probabilistic analysis can be applied on the fault tree to derive further insights, they are inadequate in locating flaws when failure modes in fault tree nodes are incorrectly identified or when causal relationships among failure modes are inaccurately specified. In this paper, we demonstrate that the model checking technique is a powerful tool that can formally validate the accuracy of fault trees. We used the real-time model checker UPPAAL because the system we used as the case study, the nuclear power emergency shutdown software named Wolsong SDS2, has real-time requirements. By translating functional requirements written in SCR-style tabular notation into timed automata, two types of properties were verified: (1) whether the failure mode described in a fault tree node is consistent with the system's behavioral model; and (2) whether or not a fault tree node has been accurately decomposed. A group of domain engineers with detailed technical knowledge of Wolsong SDS2 and safety analysis techniques developed the fault tree used in the case study. Nevertheless, the model checking technique detected subtle ambiguities present in the fault tree.

19.
In this paper, we propose an intuitive and practical method for system reliability analysis. Among the existing methods for system reliability analysis, the reliability graph is particularly attractive due to its intuitiveness, even though it is not widely used for system reliability analysis. We provide an explanation for why it is not widely used, and propose a new method, named reliability graph with general gates, which is an extension of the conventional reliability graph. An evaluation method utilizing existing commercial or free software tools is also provided. We conclude that the proposed method is intuitive, easy-to-use, and practical while as powerful as fault tree analysis, which is currently the most widely used method for system reliability analysis.

20.
This paper presents a stochastic logic-based method for quantitative risk assessment using fault tree analysis (FTA) that can take into account both types of uncertainty, objective and subjective. In the proposed method, each fault tree gate is translated to its corresponding stochastic logic template and then implemented on a field programmable gate array (FPGA). Because the analysis does not utilize any transformation methods, the results of the analysis are more accurate than those of methods which are based on transformation from possibility to probability distributions or vice versa. Experimental results for a benchmark fault tree show that this method accelerates analysis time compared to the conventional hybrid uncertainty analysis method and transformation methods. The efficiency of the proposed method is demonstrated by implementation in a real steel structure project. The quantitative risk assessment is performed for incomplete penetration, one of the defects encountered in the arc welding process, and its results are compared with transformation methods. The comparison results show that the proposed hybrid uncertainty analysis method is also more accurate in comparison to the transformation-based approaches. Copyright © 2016 John Wiley & Sons, Ltd.
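In stochastic logic a probability is carried as a long random bitstream in which each bit is 1 with that probability, so an AND gate becomes a bitwise AND and an OR gate a bitwise OR; the top-event probability is the fraction of set bits in the output stream. The following added example (software emulation in Python, not the paper's FPGA templates, and covering only the probabilistic half of its hybrid objective/subjective treatment) evaluates a constructed fault tree this way and compares the result with the closed form and with a naive sum of cut-set products. The tree deliberately repeats a basic event under two gates: because every occurrence reuses the same bitstream, the repeated-event correlation is handled for free, which a naive cut-set sum gets wrong. Event names, probabilities and the random seed are illustrative assumptions.

```python
import random

# Constructed fault tree (not the paper's benchmark), written as nested tuples:
# (gate, child, child, ...). Basic event "a" appears under both AND gates, so the
# two cut sets are not independent and a naive sum of cut-set products overcounts.
TREE = ("OR", ("AND", "a", "b"), ("AND", "c", "a"))
PROBS = {"a": 0.30, "b": 0.20, "c": 0.40}   # illustrative values only


def bitstream(p, n, rng):
    """Bernoulli(p) stream of n bits packed into one int: bit i is set with probability p."""
    bits = 0
    for i in range(n):
        if rng.random() < p:
            bits |= 1 << i
    return bits


def evaluate(node, streams):
    """Evaluate the tree bitwise: an AND gate is a bitwise AND of its inputs,
    an OR gate a bitwise OR, which is how the FPGA gate templates are wired."""
    if isinstance(node, str):
        return streams[node]
    gate, *children = node
    outputs = [evaluate(child, streams) for child in children]
    acc = outputs[0]
    for out in outputs[1:]:
        if gate == "AND":
            acc &= out
        elif gate == "OR":
            acc |= out
        else:
            raise ValueError(f"unknown gate {gate!r}")
    return acc


def stochastic_top_probability(tree, probs, n=1 << 15, seed=1):
    """Estimate P(top event) as the fraction of set bits in the top-gate stream.
    Each basic event gets ONE stream that is reused wherever it appears, so
    repeated events stay correlated and the estimate remains unbiased."""
    rng = random.Random(seed)
    streams = {event: bitstream(p, n, rng) for event, p in probs.items()}
    return bin(evaluate(tree, streams)).count("1") / n


def naive_cut_set_sum(probs):
    """Rare-event approximation that treats {a,b} and {a,c} as independent."""
    return probs["a"] * probs["b"] + probs["c"] * probs["a"]


def exact_top_probability(probs):
    """Closed form for this tree: P(a and (b or c))."""
    pa, pb, pc = probs["a"], probs["b"], probs["c"]
    return pa * (pb + pc - pb * pc)


if __name__ == "__main__":
    print("stochastic estimate:", stochastic_top_probability(TREE, PROBS))
    print("exact:              ", exact_top_probability(PROBS))
    print("naive sum:          ", naive_cut_set_sum(PROBS))
```

The estimate's standard error is about sqrt(p(1-p)/n), so stream length trades accuracy for time; on an FPGA the whole tree is evaluated one bit per clock, which is where the speed-up reported in the abstract comes from.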


Copyright©北京勤云科技发展有限公司  京ICP备09084417号