Fault Tree Training – Course Notes - System safetyissc2015.system-safety.org/T05_...

Fault Tree Training – Course Notes

Copyright © 2015 Isograph Limited

All rights reserved. This document and the associated software contains proprietary information which is protected by copyright and

may not be copied in whole or in part except with the prior written permission of Isograph. The copyright and the foregoing restrictions

on the copyright extends to all media in which this information may be preserved.

Isograph makes no representations or warranties of any kind whatsoever with respect to this document and its associated software.

Isograph disclaims all liabilities for loss of damage arising out of the possession, sale, or use of this document or its associated software.

1

©2015 Isograph Inc.

An Introduction

Fault Tree Analysis

Reliability Workbench 1–1


An Introduction

Joe Belland, Isograph Inc.

[email protected]

Fault Tree Analysis


2


Isograph

� Founded in 1986

� Nuclear industry

� Off-the-shelf PRA tool

� Products

� Fault Trees, simulation, optimization, prediction



Me

� Joined Isograph in 2003

� Background in Math/Comp Sci

� Support, training, development


3


This Presentation

� Overview of Fault Tree methods

� Includes examples from RWB

� Not in-depth look at Isograph’s FT

� Sept 15-16, Alpine, UT

� Oct 6-7, Detroit, MI



Fault Tree Software

� Examples from Reliability Workbench

� http://isograph.com/download

� Password: weaverham


4


IntroductionChapter 1



Deductive and Inductive techniques

Inductive

Deductive

Hazard

ETA

FTA

Fire


5


What is Fault Tree Analysis?

� Deductive analysis

� Determine causes of TOP event

� TOP event = hazard

� Logic gates

� Basic events

� Qualitative

� Quantitative

AND

No power

OR

Generatordoesn't start up

MAINS FAILURE

No power frommains

EVENT1

Generatorfailure

EVENT2

Mains failurenot detected



TOP Events

� Determine the scope of the analysis

� Chosen by Hazard Identification

� TOP events: want info on

� Bottom events: already have info on


6


Typical Basic Events

� Pump failure

� Temperature controller failure

� Switch fails closed

� Operator does not respond

� Crash or unexpected failure of Software routine



Typical TOP Events

� Loss of hydraulics in airplane

� Total loss of production

� Fire protection system unavailable

� Car does not start

� Toxic emission

� Aerial refuelling system fails to transfer fuel at the proper rate


7


Failure vs Success Logic� Normally failure events instead of success� Some trees have both

� Failure easier to define

� Failure space is smaller, simpler

� Easier to analyze; probabilities tend to be lower

� Some events neither failure nor success

� TOP event can be success state (dual tree)� Harder to analyze

� Harder to conceptualize



Quantification Parameters� Probabilistic System Parameters:� Unavailability� Unreliability� Failure Frequency� Risk Reduction Factor

� Component Parameters: � Unavailability� Failure Frequency� Failure rate and Repair rate� Inspection Interval and Time at Risk


8


Failure Rate

� Component failure rate (probability per unit time)

Fa

ilu

re r

ate

Burn in Useful life Wear out



Constant failure rate

� Analytical methods assume constant failure rate

� Real-life components age: non-constant failure rate

� Underlying assumption that preventive maintenance flattens failure rate curve

� (Generally speaking, of course)

� Weibull failure model

� Markov analysis


9


Non-constant failure rate

� Aging model requires numerical solution� Can’t be reduced to analytical

expression

� Monte Carlo simulation� Availability Workbench

� Exponential, Normal, Lognormal, Weibull, etc.

� Strong dependencies

� Maintenance costs

� OptimizationReliability Workbench 1–17


Constant Failure and Repair rates

� If the rates are constant then:

� Failure rate (λ) = 1/MTTF

� Repair rate (µ) = 1/MTTR

� Example:

� MTTF = 4 years → λ = 0.25

� MTTR = 1 week = 1/52 years → µ =

52

� Consistent units


10


Unavailability Q(t)

� Unavailability: not operating at time t� Continuously operating systems

� Unavailability: does not work on demand � Safety/standby system

� PFD

� Unavailability per flight hour: Q(T)/T� Used in aerospace/ISO 26262



Unreliability F(t)

� Probability of failure over time

� Prob. that system fails between time 0 and time t

� Prob. that system fails over given time period

� Non-repairable systems

� Probability of catastrophic event

� Warranty costs


11


Q & F

� In general

Q(t) ≤ F(t)

� Non repairable

Q(t) = F(t)

Unavailability = Unreliability



Failure Frequency ωωωω(t)

� AKA Unconditional Failure Intensity

� Occurrences/Unit Time

� About how often a failure is expected

� Integrating gives W(t)

� No. of spares to carry on a mission


12


Risk

� Quantifiable with ETA

� Coupled with Fault Trees (or just using ETA)

Failure Frequency * Consequence Weighting



Risk

� Categories and policy

� Safety

� E.g. deaths per million operating hours

� Environmental

� Tons of toxic release over lifetime

� Operational

� Threat to completion of mission

� Economic

� Financial loss


13


Risk policy (acceptable risk)

� Aerospace� deaths per flight hour

� Automotive� controllability of vehicle

� Railway� deaths per train miles

� Space� operational risk

� Pharmaceutical� human risk



Risk Reduction Factor

� How much each protection layer lowers risk

� Reciprocal of Qmean

� Current risk ÷ risk policy = required further RRF


14


End of Chapter 1

� Summary

� FT is deductive hazard analysis

� Graphically shows logical relationship between TOP and Basic events

� Qualitative/quantitative

� Constant rates

� Unavailability/Unreliaiblity/Frequency

� Risk


15


Fault Tree ConstructionChapter 2



Common Gate Types

Symbol Name Logic Inputs

OR TRUE if any input is TRUE ≥2

AND TRUE if all inputs are TRUE ≥2

VOTE TRUE if m inputs are TRUE ≥3

PRIORITY

AND

TRUE if inputs occur in left to right order ≥2

m


16


Other Symbols

� Indicate logic flow

Reliability Workbench

Symbol Name Meaning

Transfer In Inputs appear elsewhere on same page or

on another page

Transfer Out Output appears elsewhere on same page or

on another page

2–3


OR Gate Example

HPV1

No output from

High Pressure

Valve 1

HPV1 INPUT

No input flow ing

to High Pressure

Valve 1

HPV1 FAIL

High Pressure

Valve 1 stuck

closed


17


AND Gate Examples

PUMPSYS

Both Pumps

Unavailable

PUMP1

Primary Pump

Out of Service

PUMP2

Secondary

Pump Out of

Service

FPROP

Fire

Propagates

FPROTECT

Fire Protection

System Fails

to Operate

FSTART

Fire Starts



Vote Gate Examples

HIGHTEMP

2

Temperature

Sensors Fail to

Detect High

Temperature

TEMP1

Temperature

Sensor 1 Fails

TEMP2

Temperature

Sensor 2 Fails

TEMP3

Temperature

Sensor 3 Fails

BRAKEFAIL

2

Insufficient

Braking to

Stop Aircraft

RTHRUST

Reverse

Thrust Not

Engaged

BRAKE1

Brake 1 Fails

BRAKE2

Brake 2 Fails


18


Priority AND Gate Example

SYS

System

Unavailable

GATEA

Switch Failsthen PrimarySub-System

Fails

GATEB

Primary and

Standby

Systems Fail

SYS1

Primary

Sub-System

Fails

SWITCH

Switch Fails

SYS1

Primary

Sub-System

Fails

SYS2

Standby

Sub-System

Fails



Transfer Symbols


19


Transfer Symbols


TP1

Loss of supply

GT1

Leg 1

GT2

Leg 2

GT3CON1 GT3CON2

SEN1 SEN2

2–9


Gate Types

� Other Gate Types

� Inhibit

� NOT

� Exclusive OR

� Special Cases

� Not normally used

� Not covered


20


Primary Event Types

� Other Event Types

� Undeveloped, Conditional

� Symbol does not affect behavior


Symbol Name Meaning

BASIC Basic event

HOUSE Definitely operating or definitely not

operating

DORMANT Failure not immediately revealed;

latent/hidden failure

2–11


House Event Example

SYSFAIL

System

Unavailable

X

Sub-System X

Unavailable

Y

Sub-System Y

Unavailable

SX

X Unavailable

Due to Faults

HX

Preventive

Maintenance

SY

Y Unavailable

Due to Faults

HY

Preventive

Maintenance


21


House Event Example

SYSFAIL

System

Unavailable

X

Sub-System X

Unavailable

Y

Sub-System Y

Unavailable

SX

X Unavailable

Due to Faults

HX

Preventive

Maintenance

False

SY

Y Unavailable

Due to Faults

HY

Preventive

Maintenance

False



House Event Example

SYSFAIL

System

Unavailable

X

Sub-System X

Unavailable

Y

Sub-System Y

Unavailable

SX

X Unavailable

Due to Faults

HX

Preventive

Maintenance

True

SY

Y Unavailable

Due to Faults

HY

Preventive

Maintenance

False


22


System & Component Events

� System Events

� Failures not directly associated with a single component

� Component Events

� Failures entirely associated with a given component



Component Events

COMPONENT

UNAVAILABLE

PRIMARY

FAILURE

COMMAND

FAULT


23


Construction Guidelines

� Define system bounds

� Identify TOP event(s)

� Identify immediate causes using top-down approach

� Continue to identify immediate causes through intermediate levels of complexity



Construction Guidelines (cont.)

� Terminate roots with primary events

� Identify distinct causes

� Always provide complete descriptions

� Use distinctive names


24


Example 1: Electrical System Fault Tree

GRID DGEN

BOARD A

(PUMPS)

BOARD B

(VALVES)

T1

C1

T2

C2

T3

C3

T4

C4



Board B Fault Tree

ELECB

LOSS OFSUPPLY TO

BOARD B

NO SUPPLYFROM

CONTACTBREAKER 3

NO SUPPLYFROM

CONTACTBREAKER 4


25


Board B Fault Tree

GATE1

NO SUPPLYFROM

CONTACTBREAKER 3

GATE3

NO SUPPLYFROM

TRANSFORMER3

C3

CONTACTBREAKER 3

FAILURE



Board B Fault Tree

GATE1

NO SUPPLYFROM

CONTACTBREAKER 3

GATE3

NO SUPPLYFROM

TRANSFORMER3

C3

CONTACTBREAKER 3

FAILURE

ELECA

LOSS OFSUPPLY TO

BOARD A

T3

TRANSFORMER3 FAILURE


26


Board B Fault Tree

ELECB

LOSS OFSUPPLY TO

BOARD B

GATE1

NO SUPPLYFROM

CONTACTBREAKER 3

NO SUPPLYFROM

CONTACTBREAKER 4

GATE3

NO SUPPLYFROM

TRANSFORMER3

C3

CONTACTBREAKER 3

FAILURE

ELECA

LOSS OFSUPPLY TO

BOARD A

T3




Board B Fault Tree

ELECB

LOSS OFSUPPLY TO

BOARD B

GATE1

NO SUPPLYFROM

CONTACTBREAKER 3

GATE2

NO SUPPLYFROM

CONTACTBREAKER 4

GATE3

NO SUPPLYFROM

TRANSFORMER3

C3

CONTACTBREAKER 3

FAILURE

GATE4

NO SUPPLYFROM

TRANSFORMER4

C4

CONTACTBREAKER 4

FAILURE

ELECA

LOSS OFSUPPLY TO

BOARD A

T3


ELECA

LOSS OFSUPPLY TO

BOARD A

T4



27


Board A Fault Tree

ELECA

LOSS OFSUPPLY TO

BOARD A

NO SUPPLYFROM

CONTACTBREAKER 1

NO SUPPLYFROM

CONTACTBREAKER 2



Board A Fault Tree

GATE6

NO SUPPLYFROM

CONTACTBREAKER 1

GATE8

NO SUPPLYFROM

TRANSFORMER1

C1

CONTACTBREAKER 1

FAILURE


28


Board A Fault Tree

GATE6

NO SUPPLYFROM

CONTACTBREAKER 1

GATE8

NO SUPPLYFROM

TRANSFORMER1

C1

CONTACTBREAKER 1

FAILURE

T1


GRID

GRIDUNAVAILABLE



Board A Fault Tree

ELECA

LOSS OFSUPPLY TO

BOARD A

GATE6

NO SUPPLYFROM

CONTACTBREAKER 1

NO SUPPLYFROM

CONTACTBREAKER 2

GATE8

NO SUPPLYFROM

TRANSFORMER1

C1

CONTACTBREAKER 1

FAILURE

T1


GRID

GRIDUNAVAILABLE


29


Board A Fault Tree

ELECA

LOSS OFSUPPLY TO

BOARD A

GATE6

NO SUPPLYFROM

CONTACTBREAKER 1

GATE7

NO SUPPLYFROM

CONTACTBREAKER 2

GATE8

NO SUPPLYFROM

TRANSFORMER1

C1

CONTACTBREAKER 1

FAILURE

GATE9

NO SUPPLYFROM

TRANSFORMER2

C2

CONTACTBREAKER 2

FAILURE

T1


GRID

GRIDUNAVAILABLE

T2


DGEN

DIESELGENERATOR

FAILURE



Reducing Fault Trees

� Simplify diagram

� Maintain same failure logic—same combination of events produce TOP event


30


Reducing Fault Trees

� Linked OR gates can become single OR gate

= TOP1

EVENT1 EVENT2 EVENT3 EVENT4

TOP1

GATE1E VENT 1

GATE2EVENT 2

EVENT3 EVENT4



Reducing Fault Trees� Common failures under each branch of an

AND gate can sometimes be simplified

TOP1

GATE1 GATE2

EVENT1 COMMON EVENT2 COMMON

=

TOP1

GATE1 COMMON

EVENT1 EVENT2


31


Reducing Electrical Fault Tree

� ELECA brought to top of tree

� It causes route from A to B to be lost

� Component events combined

� Transformer and contact breaker failures are linked OR gates



Reduced Board B Fault Tree

ELECB

LOSS OFSUPPLY TO

BOARD B

ELECA

LOSS OFBOARD ASUPPLY

GATE3

ROUTE FROMBOARD A TO

BOARD B LOST

GATE4

T3 OR C3FAILED

GATE5

T4 OR C4FAILED

C3

CONTACTBREAKER 3

FAILURE

T3


C4

CONTACTBREAKER 4

FAILURE

T4



32


Reduced Board A Fault Tree

ELECA


GATE1

NO SUPPLYFROM GRID

GATE2

NO SUPPLYFROMDIESEL

C1

CONTACTBREAKER 1

FAILURE

GRID

GRIDUNAVAILABLE

T1


C2

CONTACTBREAKER 2

FAILURE

DGEN

DIESELGENERATOR

FAILURE

T2




Rocket Propulsion Example


From Fault Tree Handbook with Aerospace Applications,

NASA Office of Safety and Mission Assurance

Dr. Michael Stamatelatos, et. al.

August 2002

2–36

33


Rocket Propulsion Example

� Define System Bounds:� Items shown in schematic

� Both mechanical and electric circuits to be included

� Identify TOP events� 3 Possible system failures:

� Failure to provide propulsion on demand

� Inadvertent firing of the system when not required

� Continued firing after system has been commanded off

� Examine third possibility



Rocket Propulsion Fault Tree

� Identify immediate causes of TOP event


THRUST

Thrustersupplied with

propellant afterthrust cutoff

IV3 OPEN

Isolation valveIV3 remainsopen after

cutoff

IV2 OPEN


cutoff

2–38

34



� Continue identifying immediate causes through intermediate levels


IV3 OPEN


cutoff

IV3 POWER

EMF continuesto be supplied

to IV3 aftercutoff

IV3

Primary failureof IV3 to close

after cutoff

2–39




IV3 OPEN


cutoff

IV3 POWER


to IV3 aftercutoff

IV3


after cutoff

K5 POWER


to K5 aftercutoff

K5

Primary failureof K5 to open

after cutoff

2–40

35




IV3 OPEN


cutoff

IV3 POWER


to IV3 aftercutoff

IV3


after cutoff

K5 POWER


to K5 aftercutoff

K5


after cutoff

K3 POWER


to K3 aftercutoff

K3


after cutoff

2–41




IV3 OPEN

Isolation valveIV3 remains

open after cutoff

IV3 POWER

EMF continuesto be supplied toIV3 after cutoff

IV3


after cutoff

K5 POWER

EMF continuesto be supplied to

K5 after cutoff

K5


after cutoff

K3 POWER

EMF continuesto be supplied to

K3 after cutoff

K3


after cutoff

S3 CLOSED

Emergencyswitch S3 failsto open after

cutoff

K6 CLOSED


after cutoff

2–42

36


IV2 Leg


IV2 OPEN


cutoff

IV2 POWER


to IV2 aftercutoff

IV2


after cutoff

2–43




IV2 OPEN


cutoff

IV2 POWER


to IV2 aftercutoff

IV2


after cutoff

S3 CLOSED


cutoff

K6 CLOSED


after cutoff

2–44

37




IV2 OPEN


cutoff

IV2 POWER


to IV2 aftercutoff

IV2


after cutoff

S3 CLOSED


cutoff

K6 CLOSED


after cutoff

S3

Primary failureof S3 to open

whencommanded

S3 OP

Operationalfailure of S3 to

open whencommanded

K6


after timing out

K6 TIMER

Primary failureof K6 timer to

time out

2–45




THRUST



IV3 OPEN


cutoff

IV2 OPEN


cutoff

2–46

38




IV3 OPEN


cutoff

IV3 POWER


to IV3 aftercutoff

IV3


after cutoff

K5 POWER


to K5 aftercutoff

K5


after cutoff

K3 POWER


to K3 aftercutoff

K3


after cutoff

2–47




K3 POWER


to K3 aftercutoff

S3


whencommanded

S3 OP


open whencommanded

K6


after timing out

K6 TIMER


time out

S3 CLOSED


cutoff

K6 CLOSED


after cutoff

2–48

39




IV2 OPEN


cutoff

IV2 POWER


to IV2 aftercutoff

IV2


after cutoff

S3 CLOSED


cutoff

K6 CLOSED


after cutoff

S3


whencommanded

S3 OP


open whencommanded

K6


after timing out

K6 TIMER


time out

2–49


Reducing Rocket Fault Tree

� S3, K6 brought to top of tree

� Simultaneous failure causes both IV2 and IV3 to remain open

� Component events combined

� IV3, K5, K3 and contact breaker failures are linked OR gates


40


Reduced Rocket Fault Tree


THRUST

Q=0.0002715



ARMING

Arming circuitremainsclosed

IVS

Isolationvalves

remain open

IV3


after cutoff

K5


after cutoff

K3


after cutoff

S3


whencommanded

S3 OP


open whencommanded

K6


after timing out

K6 TIMER


time out

S3 CLOSED

Q=0.01005


cutoff

K6 CLOSED

Q=0.02294


after cutoff

IV3 OPEN

Q=0.00619


cutoff

IV2


after cutoff

2–51


Disadvantages

� May be more difficult to understand

� Errors may be made in construction process


41


Workshop 2.1: Chemical Reactor vessel

CON

Input 1 Input 2

Pressure relief

By-productProduct

MV1 MV2

EV1 EV2

TS

PS

NRV

ALARM

OP



Workshop 2.1

� TOP event – Fails to stop rupture

� Base events:


Name Description Name Description

EV1 Electrical valve 1 failure TS1 Temperature sensor failure

EV2 Electrical valve 2 failure PS1 Pressure sensor failure

MV1 Manual valve 1 stuck open ALARM Alarm unit failure

MV2 Manual valve 2 stuck open NRV Pressure relief valve failure

CON Controller failure GRID No electrical supply from the grid

OP Operator Unavailable

2–54

42


Name Description Name Description

EV1 Electrical valve 1 failure TS1 Temperature sensor failure

EV2 Electrical valve 2 failure PS1 Pressure sensor failure

MV1 Manual valve 1 stuck open ALARM Alarm unit failure

MV2 Manual valve 2 stuck open NRV Pressure relief valve failure

CON Controller failure GRID No electrical supply from the grid

OP Operator Unavailable

CON

Input 1 Input 2

Pressure relief

By-productProduct

MV1 MV2

EV1 EV2

TS

PS

NRV

ALARM

OP

Workshop 2.1



Workshop 2.1 Solution

G0

FAILS TO

STOP

RUPTURE

G1

FAILS TO

SHUT DOWN

BOTH INPUTS

NRV

VALVE STUCK

CLOSED

G2

INPUT 1 NOT

SHUT DOWN

G3

INPUT 2 NOT

SHUT DOWN


43


Workshop 2.1 Solution (cont.)

G2

INPUT 1 NOTSHUT DOWN

G4

MANUALVALVE 1 NOT

SHUT

G5

ELECTRICALVALVE 1 NOT

SHUT

G8

OPERATORFAILS TO

RESPOND

MV1

VALVESTUCKOPEN

G9

NO SIGNAL FROMCONTROLLER

EV1

ELECTRICALVALVE 1FAILURE

GRID

NO POWERSUPPLY

FROM GRID

G11

ALARMDOES NOT

SOUND

OP

OPERATORUNAVAILABLE

G10

NO SIGNALFROM

SENSORS

CON

CONTROLLERFAILURE

PS1

PRESSURESENSORFAILURE

TS1

TEMPERATURESENSOR FAILURE

G10

NO SIGNALFROM

SENSORS

ALARM

ALARM UNITFAILURE




G3

INPUT 2 NOTSHUT DOWN

G6

MANUALVALVE 2 NOT

SHUT

G7

ELECTRICALVALVE 2 NOT

SHUT

G8

OPERATORFAILS TO

RESPOND

MV2

VALVESTUCKOPEN

G9

NO SIGNAL FROMCONTROLLER

EV2

ELECTRICALVALVE 2FAILURE

GRID

NO POWERSUPPLY

FROM GRID

G11

ALARMDOES NOT

SOUND

OP

OPERATORUNAVAILABLE

G10

NO SIGNALFROM

SENSORS

CON

CONTROLLERFAILURE

PS1

PRESSURESENSORFAILURE

TS1

TEMPERATURESENSOR FAILURE

G10

NO SIGNALFROM

SENSORS

ALARM

ALARM UNITFAILURE


44


End of Chapter 2

� Summary

� Gate symbols

� Event symbols

� Construction guidelines


45


Minimal Cut SetsChapter 3



Minimal Cut Sets

� First step of Analysis

� Minimum combinations of events which cause TOP event

� Produced using Boolean algebra

� Quantitative data not required


46


Boolean Algebra Techniques

� Represent gates with equivalent Boolean expression

� Variables represent inputs



Boolean Algebra Operators

EventX·EventY

· symbol represents AND logic

EventX + EventY

+ symbol represents OR logic


47


AND gate

� TOP1 = A · B

� 3 inputs: TOP1 = A · B · C


TOP1

A B

3–5


OR gate

� TOP1 = A + B

� 3 inputs: TOP1 = A + B + C

TOP1

A B


48


VOTE gate

� TOP1 = A·B + A·C + B·C

� 3oo4 (failures): TOP1 = A·B·C + A·B·D + A·C·D + B·C·D

TOP1

2

A B C



Boolean Algebra Rules

� Remove redundant expressions to produce Minimal Cut Sets

� Use following rules:� Idempotent Law

� A + A = A

� A ∙ A = A

� Law of Absorption� A + A ∙ B = A

� A ∙ (A + B) = A

� Distributive Law� (A + B) ∙ (A + C) = A + B ∙ C

� A · B + A · C = A · (B + C)


49


Boolean Algebra Example

G1 = A + B

G2 = A·C + A·D + C·D

TOP = G1 · G2


TOP

G1 G22

A B A C D

3–9


Boolean Algebra ExampleTOP = (A + B) · (A·C + A·D + C·D)

= A·A·C + A·A·D + A·C·D + B·A·C + B·A·D + B·C·D

(Distributive law)

= A·C + A·D + A·C·D + B·A·C + B·A·D + B·C·D

(Idempotent law)

= A·C + A·D + B·C·D

(Law of Absorption)

� Minimal Cut Sets:

� A·C, A·D, B·C·D

� A·C, A·D are second order

� B·C·D is third orderReliability Workbench 3–10

50


Workshop 3.1

CON1

FS1

HEX

NRV1

NRV2

EP1

EP2

EV1

EV2

Cooling



Workshop 3.1

� TOP event: Total Loss of Cooling

� Mechanical failures only

� Ignore electrical failures

� Ignore failure of FS1 and CON

� Assume negligible probabilities

� Build tree & calculate cut sets by hand


51


Workshop 3.1

CON1

FS1

HEX

NRV1

NRV2

EP1

EP2

EV1

EV2

Cooling

Event Name Description Event Name Description

EV1 Electric Valve 1 NRV1 Non-return valve 1 stuck closed

EV2 Electric Valve 2 NRV2 Non-return valve 2 stuck closed

EP1 Electric Pump 1 HEX Heat Exchanger Failure

EP2 Electric Pump 2




COOLING

TOTAL LOSSOF COOLING

SYS1

LOSS OFCOOLING TO

HEX

HEX

HEATEXCHANGER

FAILURE

SYS2

LOSS OFCOOLING

LEG 1

SYS3

LOSS OFCOOLING

LEG 2

EP1

PUMP 1PRIMARYFAILURE

EV1

VALVE 1STUCK

CLOSED

NRV1

NON-RETURNVALVE STUCK

CLOSED

EP2


EV2

VALVE 2STUCK

CLOSED

NRV2

NON-RETURNVALVE STUCK

CLOSED


52



� Minimal Cut sets:� HEX

� EV1.EV2

� EV1.EP2

� EV1.NRV2

� EP1.EV2

� EP1.EP2

� EP1.NRV2

� NRV1.EV2

� NRV1.EP2

� NRV1.NRV2



Workshop 3.2

� Determine by hand the minimal cut sets for ‘Total Loss of Cooling’ fault tree from Workshop 3.1

� Consider the full fault tree including electrical faults


53


Cooling System


COOLING

TOTAL LOSS

OF COOLING

SYS1

LOSS OF

COOLING TO

HEX

HEX

HEAT

EXCHANGER

FAILURE

SYS2

LOSS OF

COOLING LEG

1

SYS3

LOSS OF

COOLING LEG

2

3–17


Cooling System


SYS2

LOSS OFCOOLING LEG

1

PUMP1

PUMP 1UNAVAILABLE

VALVE1

VALVE 1CLOSED

NRV1

NON-RETURNVALVESTUCKCLOSED

ELECA


EP1


ELECB

LOSS OFBOARD BSUPPLY

EV1

VALVE 1STUCKCLOSED

3–18

54


Cooling System


SYS3

LOSS OFCOOLING LEG

2

PUMP2

PUMP 2UNAVAILABLE

VALVE2

VALVE 2CLOSED

NRV2


ELECA


EP2


ELECB


EV2

VALVE 2STUCKCLOSED

3–19


Electric System


ELECB

LOSS OFSUPPLY TO

BOARD B

ELECA


A TO B


BOARD B LOST

LEG3

T3 OR C3FAILED

LEG4

T4 OR C4FAILED

C3

CONTACTBREAKER 3

FAILURE

T3


C4

CONTACTBREAKER 4

FAILURE

T4


3–20

55


Electric System


ELECA


NSGRID

NO SUPPLYFROM GRID

NSUD

NO SUPPLYFROMDIESEL

C1

CONTACTBREAKER 1

FAILURE

GRID

GRIDUNAVAILABLE

T1


C2

CONTACTBREAKER 2

FAILURE

DGEN

DIESELGENERATOR

FAILURE

T2


3–21


Cooling

COOLING = SYS1 + HEX

SYS1 = SYS2 · SYS3COOLING

TOTAL LOSS

OF COOLING

SYS1

LOSS OF

COOLING TO

HEX

HEX

HEAT

EXCHANGER

FAILURE

SYS2

LOSS OF

COOLING LEG

1

SYS3

LOSS OF

COOLING LEG

2


56


SYS2

LOSS OFCOOLING LEG

1

PUMP1

PUMP 1UNAVAILABLE

VALVE1

VALVE 1CLOSED

NRV1


ELECA


EP1


ELECB


EV1

VALVE 1STUCKCLOSED

SYS2 – Loss of Cooling Leg 1

SYS2 = PUMP1 + VALVE1 + NRV1

PUMP1 = ELECA + EP1

VALVE1 = ELECB + EV1



SYS3

LOSS OFCOOLING LEG

2

PUMP2

PUMP 2UNAVAILABLE

VALVE2

VALVE 2CLOSED

NRV2


ELECA


EP2


ELECB


EV2

VALVE 2STUCKCLOSED

SYS3 – Loss of Cooling Leg 2

SYS3 = PUMP2 + VALVE2 + NRV2

PUMP2 = ELECA + EP2

VALVE2 = ELECB + EV2


57


ELECB

LOSS OFSUPPLY TO

BOARD B

ELECA


A TO B


BOARD B LOST

LEG3

T3 OR C3FAILED

LEG4

T4 OR C4FAILED

C3

CONTACTBREAKER 3

FAILURE

T3


C4

CONTACTBREAKER 4

FAILURE

T4


ELECB – Loss of Supply to Board B

ELECB = ELECA + A TO B

A TO B = LEG3 · LEG4

LEG3 = C3 + T3

LEG4 = C4 + T4



ELECA – Loss of Supply to Board A

ELECA = NSGRID · NSUD

NSGRID = C1 + GRID + T1

NSUD = C2 + DGEN +T2

ELECA


NSGRID

NO SUPPLYFROM GRID

NSUD

NO SUPPLYFROMDIESEL

C1

CONTACTBREAKER 1

FAILURE

GRID

GRIDUNAVAILABLE

T1


C2

CONTACTBREAKER 2

FAILURE

DGEN

DIESELGENERATOR

FAILURE

T2



58


COOLING

TOTAL LOSS

OF COOLING

SYS1

LOSS OF

COOLING TO

HEX

HEX

HEAT

EXCHANGER

FAILURE

SYS2

LOSS OF

COOLING LEG

1

SYS3

LOSS OF

COOLING LEG

2

Cooling

COOLING = SYS1 + HEX

SYS1 = SYS2 · SYS3

COOLING = SYS2 · SYS3 + HEX




COOLING = SYS2 · SYS3 + HEX


59



COOLING = (PUMP1 + VALVE1 + NRV1) · (PUMP2 + VALVE2 + NRV2) + HEX




COOLING = ([ELECA + EP1] + [ELECB + EV1] + NRV1) ·([ELECA + EP2] + [ELECB + EV2] + NRV2)+ HEX


60



COOLING = ELECA +ELECB +(EP1 + EV1 + NRV1) · (EP2 + EV2 + NRV2)+ HEX




COOLING = ELECA +ELECA + A TO B +(EP1 + EV1 + NRV1) · (EP2 + EV2 + NRV2)+ HEX


61



COOLING = ELECA +A TO B +(EP1 + EV1 + NRV1) · (EP2 + EV2 + NRV2)+ HEX




COOLING = NSGRID · NSUD +LEG3 · LEG4 + (EP1 + EV1 + NRV1) · (EP2 + EV2 + NRV2)+ HEX


62



COOLING = (C1 + GRID + T1) · (C2 + DGEN +T2) +(C3 + T3) · (C4 + T4) +(EP1 + EV1 + NRV1) · (EP2 + EV2 + NRV2)+ HEX




COOLING = C1·C2 + C1·DGEN + C1·T2 + GRID·C2 + GRID·DGEN + GRID·T2 + T1·C2 + T1·DGEN + T1·T2 + C3·C4 + C3·T4 + T3·C4 + T3·T4 + EP1·EP2 + EP1·EV2 + EP1·NRV2 + EV1·EP2 + EV1·EV2 + EV1·NRV2 + NRV1·EP2 + NRV1·EV2 + NRV1·NRV2 + HEX


63


Program Demonstration

� Using a Fault Tree program to obtain cut sets



End of Chapter 3

� Summary

� Boolean operators

� Boolean gate expressions

� Boolean algebra rules

� Evaluating cut sets in a computer program


64


Chapter 4

Basic Probability Theory



Basic Probability Theory

� First step in analysis: calculate cut sets

� Second step in analysis: calculate cut set Q

� Third step: calculate TOP event Q

� Need laws of probability

� Multiplication law

� Addition law

� Used to calculate Qs


65


Independent Events

� Independent events: unaffected by other’s occurrence

� Rolling a die, flipping a coin

� Generally Assumed in FTA

� Simplifies calculations

� Not necessarily the case

� Increased stress, etc.

� CCFs, discussed later



Exclusivity

� Mutually exclusive events: cannot occur together

� Ex: Failed and working states

� Non-exclusive events

� Ex: failure of two independent components

� Die showing 6, coin landing heads


66


Multiplication Law

� Where:

� P(A·B) = probability of A and B occurring together

� P(A) = probability of A occurring

� P(B) = probability of B occurring

� A, B independent, non-exclusive

)()()( BPAPBAP ⋅=⋅



Multiplication Law

� For three events

� For n events

)()()()( CPBPAPCBAP ⋅⋅=⋅⋅

∏=

=⋅⋅

n

i

in APAAAP1

21 )()( K


67


Addition Law

� Where:

� P(A+B) = probability of A and B occurring together

� P(A) = probability of A occurring

� P(B) = probability of B occurring

� A, B independent, non-exclusive

)()()()()( BPAPBPAPBAP ⋅−+=+



Addition Law

� Illustrated with Venn diagram

)()()()()( BPAPBPAPBAP ⋅−+=+

P(A)P(A) P(B)P(B)P(A)·P(B)


68


Addition Law for 3 Events

)()()(

)()()()()()(

)()()()(

CPBPAP

CPBPCPAPBPAP

CPBPAPCBAP

⋅⋅+

⋅−⋅−⋅−

++=++

P(A)P(A)

P(C)P(C)P(B)P(B)P(B)·P(C)

P(A)·P(B)·P(C)



Addition Law

� General form:

� Very complex

� Approximation methods

� Success states

)()...()()1...()()()()...( 21

11

1 11

21 n

n

j

n

i

n

ij

i

n

i

in APAPAPAPAPAPAAAP+

−

= +==

−+−=+++ ∑∑∑


69


Addition Law

� Success states:

P(A)P(A) P(B)P(B)P(A)·P(B)

)( BAP ⋅

)(1)( BAPBAP ⋅−=+



Addition Law

� Using Multiplication Law

� For three events

� For n events

))(1())(1(1)()(1)( BPAPBPAPBAP −⋅−−=⋅−=+

))(1())(1())(1(1)( CPBPAPCBAP −⋅−⋅−−=++

∏=

−−=++

n

i

in APAAAP1

21 ))(1(1)...(


70


Example 4.1

� Two-sided coin and a twenty-sided die are thrown

� Probability of the coin landing heads AND the dice showing 20?



Example 4.1 Solution

� P(Heads) = ½ = 0.5

� P(20) = 1/20 = 0.05

� Independent, non-exclusive?

� Yes! Multiplication law

� P(Heads·20) = 1/2 x 1/20 = 1/40 = .025 = 2.5%


71


Example 4.2

� Spin 3 coins

� Probability of AT LEAST ONE landing heads?




� Probability of coin A landing heads = P(A) = ½ = 0.5

� P(B) = ½ = 0.5

� P(C) = ½ = 0.5

� Addition law

� A OR B OR C

� 3·½ – 3 · ½·½ + ½·½·½ = 0.875


72


Example 4.3

� 3 sensor system

� 99.9% uptime

� Probability of all sensors being unavailable at the same time?

� Probability of AT LEAST ONE sensor being failed?




� Unavailability of sensor

� Q = 0.001

� Probability all sensors unavailable: multiplication law

� Q.Q.Q = 10-9

� Probability of at least one being unavailable: addition law

� Q + Q + Q - 3Q.Q + Q.Q.Q =0.002997001


73


Lower/Upper bounds

� Q=0.001

� Q + Q + Q = 0.003

� 3Q·Q = 0.000003

� Q·Q·Q = 0.000000001

Cumulative total Change % Change

Q+Q+Q 0.003 0.003 100%

3·Q·Q 0.002997 0.000003 1%

Q·Q·Q 0.002997001 0.000000001 0.00003%



Example 4.4

� Weather forecaster predicts 40% chance of rain for five days

� Probability that it rains at least one day?


74



� P(Rain) = 0.4

� 5·P(Rain) = 2

� 10·P(Rain)2 = 1.6� 5 choose 2 = 10

� 10·P(Rain)3 = 0.64� 5 choose 3 = 10

� 5·P(Rain)4 = 0.128� 5 choose 4 = 5

� P(Rain)5 = 0.01024




2

0.4

1.04

0.912

0.92224

0

0.5

1

1.5

2

2.5

5·P -10·P^2 +10·P^3 -5·P^4 +P^5

Cumulative total


75


End of Chapter 4

� Summary

� Independence

� Exclusivity

� Multiplication Law

� Addition Law

� De Morgan’s Theorem


76


Quantitative DataChapter 5



Quantitative Data

� Fault Trees are both:

� Qualitative

� Quantitative

� Qualitative

� Cut set analysis

� Quantitative

� Multiplication/Addition laws

� Need input values


77


Input Data

� Entered for all events

� Required for quantitative analysis

� Function to calculate Q and ω

� Equation depends on event characteristics

� Options will differ between FT tools



Common Parameters

� Unavailability

� Failure Frequency

� Mean Time To Failure (MTTF)

� Failure Rate (1/MTTF)

� Inspection (Test) Interval

� Mean Time to Repair (MTTR)

� Repair Rate (1/MTTR)

� Time at Risk/Lifetime


78


Common Event Models

� Fixed Failure Probability

� Failures on demand, operator errors, software bugs, conditional events

� Fixed probability of failure

� Constant Rate

� Repairable or non-repairable components with a constant failure rate and repair rate

� Weibull

� Failure rate varies with timeReliability Workbench 5–5


Common Event Models

� Dormant

� Hidden or latent failures

� Only revealed on testing

� Time at Risk

� Non-repairable components with a phase-related hazard

� Usually in aerospace


79


Fixed Probability

� Constant Q and ω

� Useful for

� Operator errors

� Failure on demand

� Software bugs

� Conditional events

� Probability of failure on demand = Q

� Input Q and ω directly



Fixed ProbabilityInitiators and Enablers

� Failure frequency = 0 (usually)

� Event is an enabler

� Only interested in system Q

� For initiators:

� Use Fixed model

� Input ω only

� Program will ignore Q


80


Constant Rate

� Failures immediately revealed

� Constant Failure and repair rates

� Component does not age

� Preventative maintenance before wear out

� Exponentially distributed

� Both failures and repairs



Constant Rate

� Inputs

� Failure rate or MTTF

� Repair rate or MTTR


MTTF

1=λ µ =

1

MTTR

81


Constant Rate

λ = failure rate, µ = repair rate

� If Q(t) ≈ 0 (usually the case)

λω ≈)(t

)](1[)(

)1()( )(

tQt

etQt

−=

−

+

=+−

λω

µλ

λµλ



Constant Rate

Q(t)

t

Transient Region

Steady-state Region


82


Constant RateTransient Region

� For short lifetime:

� Applicable for aircraft, military

1)(

)(

<<+

≈

t

ttQ

µλ

λ



Constant RateSteady-state Region

� For longer lifetime:

� Approaches steady-state Q

1)(

)(

>>+

+

≈

t

tQ

µλ

µλ

λ


83


Non-Repairable Events

� Non-repairable components

� Repair rate = 0

� Substitution yields:

t

t

etQ

etQ

λ

λ

λ

λ

−

+−

−=

−

+

=

1)(

)1(0

)( )0(



Non-Repairable Events

0

0.2

0.4

0.6

0.8

1


84


Exposure Time

� Determined by FT goals� Lifetime of the system

� Time between overhauls

� Mission time

� Maintenance budgeting interval

� Global� All components in the fault tree

� Event-specific� Each event has independent time at risk



Dormant Failures

� Failures not immediately revealed

� Non-repairable between inspections

� Ex: Protection/standby system

� Failures only revealed on inspection (test)

� Fixed test interval

� Repair if test reveals failure


85


Dormant Failures

� Three methods for calculating Q

� Mean

� Max

� IEC 61508

� Must calculate single Q

� Multiplication and addition laws don’t work on functional inputs



Dormant Failures

Q(t)

τ 2τ 3τ 4τ

τ << MTTF


86


Mean Unavailability

� Simplifies to:


)1(

)1(

)1()1(

mean

mean

Q

eMTTR

eMTTReQ

−=

−⋅+

−⋅+−−=

−

−−

λω

λλτ

λλτ

λτ

λτλτ

MTTFMTTR

MTTRQmean

<<

⋅+=

, where

2

τ

λλτ


Mean Unavailability


Qmean

τ 2τ 3τ 4τ

87


Maximum Unavailability


)1(

1

max

max

Q

eQ

−=

−=−

λω

λτ


Maximum Unavailability


Qmax

τ 2τ 3τ 4τ

88


IEC 61508 Averaging

� From the standard

� Q for 1 oo 2 voted configuration:

where

FTA IEC 61508

�� = 2( 1 − � � + 1 − � � �)�� + � � �� + ��

�

2+ ��

�� =� �

�

�

3+ �� +

�

� ��

�� =� �

�

�

2+ �� +

�

� ��

25


IEC 61508 Averaging

� Example inputs:

λ = 4.6E-6, MTTR = 0.001, τ = 17520

� Using IEC 61508 Standard:

� Q = 0.002165

� Using Multiplication Law with Mean unavailability

� Q = 0.001539


89


IEC 61508 Averaging

� Reason for the discrepancy

� For a given function f(x):

� Approximating in FT

� Apply Markov to cut sets with two or more dormant failure events

FTA IEC 61508

�(�) ∙ �(�) ≠ �(�) ∙ �(�)

27


Which Method?

� Max method – worst case

� Ex: safety-critical system

� IEC 61508 – multiple dormant events

� Ex: Protection system with many overlapping dormant faults

� Mean method otherwise


90


Weibull Distribution

� Failure rate varies with time

� Requires 3 parameters:

� η – Characteristic Lifetime

� β – Shape Parameter

� γ – Location Parameter



Weibull Distribution

� Rate, Unreliability given by:

� Must use numerical integration to solve

� Solve for different t value, average


β

η

γ

β

β

η

γβ

−−−

−=−

=

t

etFt

tr 1)( ,)(

)(1

91


Other Cases� Phases

� Failure Rate, Q change with respect to phase� E.g., rocket launch (on pad, launch, in space flight)

� Steady State� Component already in use

� Normal, Lognormal� Other statistical distributions

� Sequences� Failures can only occur in sequence

� Limited replacement spares� Limited repair crews� Standby failure rate� Imperfect Proof Testing



Failure Rates

� Historical Data

� CMMS tracking/Work order history

� Weibull analysis

� Libraries

� NPRD 2011, IAEA

� Integrated with RWB

� Exida

� Linked via External App

� SIS-Tech


92


Failure Data Sources

� Prediction Standards

� Electronic

� MIL-HDBK-217F

� RIAC 217+

� Telcordia SR-332 Issue 3

� IEC TR 62380

� Siemens SN 29500

� GJB/z 299

� Mechanical

� NSWC



Failure Data Sources

� Manufacturer testing

� Not necessarily relevant to each usage or environment

� Engineering judgment

� Subjective


93


End of Chapter 5

� Summary

� Common model parameters

� Common event failure characteristics


94


System QuantificationChapter 6



System Quantification

� Determine cut sets

� Solve Q and ω

� For basic events

� For cut sets (multiplication law)

� For TOP events (addition law)

� Use TOP event Q and ω to solve:

� TDT, W, F, CFI


95


Calculation Methods

� Cross Product

� Esary-Proschan

� Rare

� Lower Bound



Example

� A.B + A.C.D + A.C.E

� Q=0.01

� w=2


TP1

GT1 GT2 GT3

A B A C D A C E

96


Minimal Cut Set Q and ω


� n = number of events in cut set

∑ ∏

∏

= ≠=

=

=

=

n

j

n

jii

ijcut

n

i

icut

Q

tQtQ

1 ,1

1

)()(

ωω



ExampleCut Set Q and ω

QAB = 0.01 × 0.01 = 10-4

QACD = 0.01 × 0.01 × 0.01 = 10-6

QACE = 0.01 × 0.01 × 0.01 = 10-6

ωAB = ωA QB + ωB QA = 2 × 0.01 + 2 × 0.01 = 0.04

ωACD = ωA QC QD + ωC QA QD + ωD QA QC

= 2 × 0.01 × 0.01 + 2 × 0.01 × 0.01 + 2 × 0.01 × 0.01 = 0.0006

ωACE = ωA QC QE + ωC QA QE + ωE QA QC

= 2 × 0.01 × 0.01 + 2 × 0.01 × 0.01 + 2 × 0.01 × 0.01 = 0.0006


97


Cross-Product Method

� Exact method

� Slow to solve for large trees

� Limit product terms

� Upper bound

� n = number of cut sets

)()1...()()()( ...3.2.1

12

1

1

1 1

1

1 11

tQtQtQtQQ n

nn

i

n

ij

n

jk

ijk

n

i

n

ij

ij

n

i

cutiSYS

+

−

=

−

+= +=

−

= +==

−+−= ∑∑ ∑∑ ∑∑



ExampleCross-Product

QSYS = QAB + QACD + QACE

– QABCD – QABCE – QACDE

+ QABCDE

= 10-4 + 10-6 + 10-6

– 10-8 – 10-8 –10-8 + 10-10

= 0.0001019701

≈ 0.000102


98


Esary-Proschan Method


� Odds that no cut set occurs

� Upper-bound

� Faster, still accurate

[ ]

[ ]∏∑

∏∏

≠

==

==

−=

−−=

n

ijj

cutj

n

i

cutisys

n

j

cutj

m

i

isys

tQtt

tQqtQ

11

11

)(1)()(

)(11)(

ωω



ExampleEsary-Proschan Approximation

QSYS = QA [1 – (1 – QB)(1 – QCD)(1 – QCE)]

= 0.01[1 – 0.99 × 0.9999 × 0.9999]

= 0.000101979901

≈ 0.000102

ωSYS = ωAB (1 – QACD)(1 – QACE) + ωACD (1 – QAB)(1 – QACE)

+ ωACE (1 – QAB)(1 – QACD)

= 0.04 × 0.999999 × 0.999999 + 0.0006 × 0.9999 × 0.999999

+ 0.0006 × 0.9999 × 0.999999

= 0.04119979880016

≈ 0.0412


99


Rare Approximation

� Cross Product — First iteration

� Upper bound

� Fastest

� Less accurate for Q > 0.2

)()(

)()(

1

1

tt

tQtQ

n

i

cutiSYS

n

i

cutiSYS

∑

∑

=

=

=

=

ωω



ExampleRare Approximation


= 10-4 + 10-6 + 10-6

= 0.000102

ωSYS = 0.04 + 0.0006 + 0.0006

= 0.0412


100


Lower Bound for Q

� Cross Product

� First two iterations

)()()(1

1 11

tQtQtQn

i

n

ij

ij

n

i

cutilower ∑∑∑−

= +==

−=



ExampleLower Bound


– QABCD – QABCE – QACDE

= 10-4 + 10-6 + 10-6 – 10-8 – 10-8 –10-8

= 0.00010197

≈ 0.000102


101


Errors Due to ApproximationsA + B·C + B·D

Computed System Unavailabilities

Event Q Cross Product Esary-Proschan Rare Lower Bound

0.5 0.6875 0.71875 1 0.625

0.1 0.1171 0.11791 0.12 0.117

0.01 0.01019701 0.01019799 0.0102 0.010197

% Difference

Event Q Cross Product Esary-Proschan Rare Lower Bound

0.5 0% 4.5% 45% 9.1%

0.1 0% 0.69% 2.5% 0.085%

0.01 0% 0.0096% 0.029% 0.000098%



Other System Parameters

∫−=

−

=

⋅=

⋅=

⋅−

∫

∫

T

SYS dtt

SYS

SYS

SYS

SYS

T

SYSSYS

T

SYSSYS

eF

Q

dttW

dttQTDT

0)(

0

0

1

1

)(

)(

λ

ωλ

ω

SYS

SYS

SYS

SYS

SYS

SYS

QRRF

T

TDTQ

QMTTR

MTBF

dttRMTTF

1

)(

)(

)(

1

)(0

=

=

∞

∞=

∞

=

⋅= ∫∞

ω

ω


102


Modularizing Fault Trees

� Goal: Reduce analysis time

� Reduce number of cut sets

� Replace isolated sections of tree with super-events

� Analyze sections independently



Modularization Example

� Cut sets:TOP1 = GATE1 · GATE2

GATE1 = A + B

GATE2 = C + D

� Unmodularized:TOP1 = A·C + A·D + B·C + B·D

QTOP1 = QAB + QAD + QBC + QBD – QACD – QABC

– QABCD – QABCD – QABD – QBCD + QABCD + QABCD + QABCD + QABCD – QABCD

� 15 product terms


103


Modularization Example

� Modularized:

QGATE1 = QA + QB – QAB

QGATE2 = QC + QD – QCD

QTOP1 = QGATE1 · QGATE2

� 7 product terms




� Using a FT tool to analyze a tree


104


End of Chapter 6

� Summary

� Approximation methods

� Cross Product, Esary-Proschan, Rare, Lower Bound

� Differences

� Other parameters

� Modularization


105


Importance AnalysisChapter 7



Importance Analysis

� Helps determine:

� Event contribution to TOP event

� TOP event sensitivity to event changes

� Weak areas in the system

� Where to cut corners

� Useful during the design stage


106


Importance Measures

� Fussell-Vesely Importance

� Birnbaum Importance

� Barlow-Proschan Importance

� Sequential Importance

� Risk Reduction Worth

� Risk Achievement Worth



Fussell-Vesely Importance

� Contribution to system Q

� High F-V Importance — worst actor

� Decreasing Q on these events = biggest decrease to system Q

� Percentage of failures involving the event

SYS

iSYSSYSFV

iQ

qQQI

)0( =−

=


107


Birnbaum Importance

� Sensitivity of system Q

� High Birnbaum — highly sensitive

� Increasing Q on these events = biggest increase in system Q

i

n

j

cutj

BB

iq

Q

I

∑=

≈1

Where n = number of cut sets containing event iReliability Workbench 7–5


Barlow-Proschan Importance

� Contribution to ω as initiator

� Last to fail

� Probability system fails because event failed last

� Sum of frequency terms with event as initiator ÷ system ω

SYS

n

j

cutji

BP

i

Q

Iω

ω∑=

=1

Qcutj = product of events in j-th cut set, excluding event i


108


ExampleBarlow-Proschan

� A·B + A·C·D

� Frequency terms: ωA·QB, ωB·QA, ωA·QC·QD, ωC·QA·QD, ωD·QA·QC

SYS

DCABABP

A

QQQI

ω

ωω ××+×

=



Sequential Importance

� Contribution to ω as enabler

� Not last to fail

� Probability system fails because event was failed when failure event occurred

� Sum frequency terms with event as enabler ÷ system ω


109


ExampleSequential

� A·B + A·C·D

� Frequency terms: ωA·QB, ωB·QA, ωA·QC·QD, ωC·QA·QD, ωD·QA·QC

SYS

CADDACABS

A

QQQQQI

ω

ωωω ××+××+×

=



Risk Reduction Worth

� Contribution to risk

� Maximum possible risk reduction

� Inverse of F-V importance

)0( =

=

iSYS

SYSRRW

iqQ

QI


110


Risk Achievement Worth

� Contribution to risk

� Worth of component to current risk level

� Importance of maintaining reliability of component

SYS

iSYSRAW

iQ

qQI

)1( =

=




� Using a FT program to calculate importance


111


End of Chapter 7

� Summary

� Importance analysis

� Fussell-Vesely, Birnbaum, Barlow-Proschan, Sequential, Risk Reduction, Risk Achievement


112


Common Cause FailuresChapter 8



Common Cause Failures� Affect multiple otherwise independent components� System, component and operator failures

� Environment� Maintenance and testing� Manufacturer� Installation� Calibration� External impacts� Stress� Ageing


113


CCF Model Types

� Beta Factor Model

� Multiple Greek Letter (MGL) Model

� Alpha Factor Model

� Beta Binomial Failure Rate (BFR) Model



Pump Example

� Two pumps

� Independent power supplies

� Attached to same structure

� Vibration, high temperature, humidity, impact, stress

� May be identical pumps

� Incorrect maintenance

� Manufacturing defects


114


Two Pump System

TP1

Both pumps unavailable

P1

Pump1 failure

P2

Pump 2 failure



Beta Factor Model

� TP2 = CCF + P1 · P2

TP2

Both pumps unavailable

PUMP1

Pump 1 unavailable

PUMP2

Pump 2 unavailable

P1

Pump 1 failure

CCF

Common causes

P2

Pump 2 failure

CCF

Common causes


115


Beta Factor Model

� β = beta factorQI = Q due to independent failuresQCCF = Q due to CCFQT = Total Q

TCCF

TI

QQ

QQ

⋅=

⋅−=

β

β )1(



Beta Factor ModelExample

� QT = 0.001, β = 0.1

� Contrast with independent failures only

4100081.1

)001.09.0)(001.09.0(001.01.0

−

×=

××+×=TOPQ

610001.0001.0 −

=×=TOPQ


116


IEC Beta Factor Model

� What if I don’t know what Beta factor to use?

� IEC 61508-6 Annex D

� Provides method for determining beta factor

� Table D.1: questionnaire about components

� Beta assigned based on score



IEC Beta Factor Model

� Table D.1 example


Separation/segregation

Are all signal cables for the channels routed separately at all positions?

Are the logic subsystem channels on separate printed-circuit boards?

Are the logic subsystem channels in separate cabinets?

If the sensors/final elements have dedicated control electronics, is the

electronics for each channel on separate printed-circuit boards?

If the sensors/final elements have dedicated control electronics, is the

electronics for each channel indoors and in separate cabinets?

8–10

117


CCF Models

� Beta factor: “All or nothing”

� CCFs affect either all components in group, or none


TP2

All sensors failed

SENSOR1

Sensor 1 failed

SENSOR2

Sensor 2 failed

SENSOR3

Sensor 3 failed

S1

Sensor 1 failure

CCF

All sensors faildue to common

causes

S2

Sensor 2 failure

CCF


causes

S3

Sensor 3 failure

CCF


causes

8–11


Beta Factor Adjustment

� Applying Beta factor to CCF group of 3 or more can be pessimistic

� Less likely that CCF will affect all rather than some

� Can adjust beta factor to compensate

� IEC 61508, 2010 has a table for this


118


Beta Factor Adjustment

Calculation of β for systems with levels of redundancy

greater than 1oo2 (IEC 61508, 2010)

m oo n

(success)

n

2 3 4 5

m 1 β 0.5β 0.3β 0.2β

2 – 1.5β 0.6β 0.4β

3 – – 1.75β 0.8β

4 – – – 2β



CCF Models

� Alternate method: other CCF models

� Replace a single event with multiple events representing possible combos

� Beta factor replaces event with two events (independent and CCF)

� Other models replace with multiple events (combinations of CCF events)


119


CCF Models

� Example: CCF Group A, B, C, D

� Event A replaced in cut sets with:

� A + [AB] + [AC] + [AD] + [ABC] + [ABD] + [ACD] + [ABCD]

� A represents independent failure

� [] represent CCF event affecting those components

� [ACD] represents CCF of A, C, and D



CCF Models

� Example: 3 sensors


TP1

All sensors failed

S1

Sensor 1 failed

S2

Sensor 2 failed

S3

Sensor 3 failed

8–16

120


CCF Models

TP2 = S1.S2.S3 + S12.S3 + S13.S2 + S23.S1 + S123


SENSORS

All sensorsfailed

SENSOR1

Sensor 1failed

SENSOR2

Sensor 2failed

SENSOR3

Sensor 3failed

S1

Sensor 1failed

S1-2

Sensors 1and 2 failed

S1-3


S1-2-3

Sensors 1,2, and 3

failed

S2

Sensor 2failed

S1-2


S2-3


S1-2-3

Sensors 1,2, and 3

failed

S3

Sensor 3failed

S1-3


S2-3


S1-2-3

Sensors 1,2, and 3failed

8–17


MGL Model

� Expansion of Beta Factor model

� Three parameters: ββββ,,,, γγγγ,,,, δδδδ� β — conditional probability that component failure is CCF shared by 1 or more other components

� γ — conditional probability that CCF shared by 1 or more other components is shared by 2 or more other components

� δ — conditional probability that CCF shared by 2 or more other components is shared by 3 other components


121


MGL Model

� CCF Event Probability


�� = 1 − 1� − 1

� ��

��1 − ��

Where �� = unavailability of kth order CCF failure

� = 1, � = β, � = �, � = �, �� = 0�� = total unavailability

m = CCF group size

− 1� − 1 = − 1 !

− � ! � − 1 !

8–19


MGL Model

� Q1 = Independent probability

� MGL model with two events in group = beta model


�� = 12 − 1 !

2 − 2 ! 2 − 1 !1 ∙ � 1 − 0 �� = � ∙ ��

�� = 1 − 1 !

− 1 ! 1 − 1 !1 1 − � �� = (1 − �)��

8–20

122


MGL ModelSensor Example

QT = 0.001, β = 0.1, γ = 0.2, δ = 0


�� = 1 − � �� = 9.0 × 10#�

�� = 13 − 1 !

3 − 2 ! 2 − 1 !1 ∙ � 1 − � �� = 1

2 � 1 − � ��

= 4.0 × 10#&

�� = 13 − 1 !

3 − 3 ! 3 − 1 !1 ∙ � ∙ � 1 − 0 �� = ��

= 2.0 × 10#&

8–21


MGL ModelExample

TP2 = 0.0009∙0.0009∙0.0009 + 0.00004∙0.0009 + 0.00004∙0.0009 + 0.00004∙0.0009 + 0.00002 =2.011E-5


TP1Q=2.011E-05

All sensorsfailed

S1

Sensor 1failed

Q=0.001

S2

Sensor 2failed

Q=0.001

S3

Sensor 3failed

Q=0.001

8–22

123


Comparison

� Beta factor model, β = 0.1


SENSORS3Q=0.0001

All sensorsfailed

S1

Sensor 1failed

Q=0.001

S2

Sensor 2failed

Q=0.001

S3

Sensor 3failed

Q=0.001

8–23


Alpha Factor Model

� Similar to MGL� Except absolute instead of conditional percents

� Four parameters: α1, α

2, α

3, α

4

� αk: proportion of failures in the group

due to a failure that is common to kevents

� Proportional to each other� E.g., α

1= 5, α

2= 2 means 5/7ths of failures

are independent, 2/7ths are common cause

� Usually easier just to make sure alphas sum to 1 or 100


124


Alpha Factor Model

� CCF Event Probability


�� = � − 1� − 1

'�'�

��

Where �� = unavailability of kth order CCF failure

�� = total unavailability

m = CCF group size

'� = ( )'��

��

− 1� − 1 = − 1 !

− � ! � − 1 !8–25


Alpha Factor ModelSensors Example

QQQQTTTT = 0.001, = 0.001, = 0.001, = 0.001, αααα1111 = 0.9507, = 0.9507, = 0.9507, = 0.9507, αααα2222 = 0.04225, = 0.04225, = 0.04225, = 0.04225, αααα3333 = 0.007042= 0.007042= 0.007042= 0.007042


'� = ( )'��

��= 0.9507 + 2 ∙ 0.04225 + 3 ∙ 0.007042 = 1.056

�� = 11 ∙ 0.9507

1.056 0.001 = 0.0009

�� = 22 ∙ 0.04225

1.056 0.001 = 4.0 × 10#&

�� = 31 ∙ 0.007042

1.056 0.001 = 2.0 × 10#&

8–26

125



� CCF Model

� Include CCFs without another event

� Not recommended for system, component and operator failures

� Cut sets/Importance



End of Chapter 8

� Summary

� Model types

� Beta factor model

� MGL, Alpha factor models

� Including CCFs in a FT


126


Confidence AnalysisChapter 9



Confidence Analysis

� Assuming failure rates exactly known

� Not necessarily true

� Sparse data

� Introduces uncertainty in component Q


127


Confidence AnalysisExample

� 10 components tested for 1 year

� 2 failures occur

� λ estimate= 0.2 / year

� Could be 0.25 or 0.15

� Unlikely to be 0.9 or 0.01

� More data — more certainty



Confidence Analysis

� Uncertainty expressed as range, distribution

� 10–5 ± 0.5×10–5 normal distribution

� 10–6 to 10–4 lognormal distribution

� Modeled using Monte Carlo sampling

� Pick failure rates from distribution

� Run analysis

� Repeat


128


Sampling procedure

� Loop performed repeatedly

� More iterations, more accuracy

Sample failure rates

from distribution

Run analysis, record

results

For n = 1 to number

of simulations




� Using a FT program to find confidence bounds


129


End of Chapter 9


130


Initiators, Enablers, and SequencingChapter 10



Initiating & Enabling Events

� Used when order is important

� Initiator — last to occur

� Frequency event

� Enabler — cannot occur last

� Probability event

� Initiator/enabler — any order

� Default


131


Initiator Example

� SPARK is initiator

� IMFLAM is enabler

� SPARK → INFLAM: safe

� INFLAM → SPARK: fire

� Similar for FIRE and PROTECT

� Gate status automatically determined

TOP1

Explosion

FIRE

Fire Starts

PROTECT

PROTECTION

SYSTEM

UNAVAILABLE

INFLAM

Inflammable

Material

Present

E

Q=0.1

SPARK

Spark Occurs

I

w=2



Cut set Frequency

� Example

� A, B, C, D initiators

� A initiator only

INFLAMSPARKFIRE Q.ωω =

CBADDBAC

DCABDCBACUT

QQQQQQ

QQQQQQ

......

.......

ωω

ωωω

+

++=

DCBACUT QQQ ....ωω =


132


Sequencing

� More precisely specify order of failures

� First, second, third, fourth, fifth, etc.

� Priority AND gate

� Applied to cut sets

� Markov used to solve



Sequencing and Markov


λ1λ1λ1λ1

λ2λ2λ2λ2λ3λ3λ3λ3

λ2λ2λ2λ2

λ3λ3λ3λ3

λ3λ3λ3λ3

λ1λ1λ1λ1

λ3λ3λ3λ3

λ3λ3λ3λ3

λ1λ1λ1λ1

λ2λ2λ2λ2

λ2λ2λ2λ2λ2λ2λ2λ2 λ1λ1λ1λ1 λ1λ1λ1λ1

All working

A B C

A→B A→C B→A B→C C→A C→B

A→B→C B→A→C C→A→BA→C→B B→C→A C→B→A

TP1

A

1

λ1

B

2

λ2

C

3

λ3

133


Modularizing Priority ANDExample

TOP1

GATE1 D

A

1

B

2

C

3



Modularizing Priority AND

� Modularized cut sets

� TOP1 = GATE1 · D

� GATE1 = A · B · C

� Allowed failure sequences

� D → A → B → C

� A → D → B → C

� A → B → D → C

� A → B → C → D


134


Modularizing Priority AND

� Non-modularized cut sets

� TOP1 = A · B · C · D

� Allowed failure sequences

� A → B → C → D




� Event sequence status

� Sequencing options

� Auto-sequence Priority AND

� Verification

� Exactly 1 initiator under AND

� Results


135


End of Chapter 10


136


Event TreesChapter 11



Event Tree Analysis

� Identifies outcomes of initiating event

� Uses inductive approach

� Fault trees use deductive approach

� ETA & FTA closely linked

� FTs can be used to quantify events in ET sequences

� Use cut sets and same quantitative methodology


137


Pipe Break Event Tree� Nuclear safety example

� Examines effectiveness of protective system

� Initiating event - Pipe break� Enablers - Protective systems� All possible outcomes examined� Each branch examines failure or success� Failure branches: failure of basic event or the minimal cut sets of a gate

� Success branches: success state of basic event or minimal path sets of a gate



Pipe Break Event TreePipe Break Electric Power Emergency Cooling Fission Product

Removal

Containment

Integrity

Consequence

Failure

Success

Success

Success

SuccessNo Release

Failure

Failure

No ReleaseSuccess

Failure

No Release

Failure

Success

Very Small ReleaseSuccess

Failure

Small Release

Failure

Failure

Small ReleaseSuccess

Success

Small Release

Failure

Success

Medium Release

SuccessMedium Release

Failure

Failure

Large ReleaseSuccess

Failure

Medium Release

Failure

Success

Large Release

SuccessLarge Release

Failure

Failure


Large ReleaseFailure

Very Large Release


138


Pipe Break Event Tree

� Simplify by

� Removing impossible sequences

� Removing sequences leading to ‘No Release’

� Combine neighbouring end-branches with the same consequences



Simplifying – Impossible SequencePipe Break Electric Power Emergency Cooling Fission Product

Removal

Containment

Integrity

Consequence

Failure

Success

Success

Success

SuccessNo Release

Failure

Failure

No ReleaseSuccess

Failure

No Release

Failure

Success


Failure

Small Release

Failure

Failure


Success

Small Release

Failure

Success

Medium Release


Failure

Failure


Medium Release

Failure

Success

Large Release

Success

Failure

Large Release

Failure

Failure



Very Large Release


139


Simplifying – “No Release”Pipe Break Electric Power Emergency Cooling Fission Product

Removal

Containment

Integrity

Consequence

Failure

Success

Success

Success

SuccessNo Release

Failure

Failure

No ReleaseSuccess

Failure

No Release

Failure

Success


Failure

Small Release

Failure

Failure


Success

Small Release

Failure

Success

Medium Release


Failure

Failure


Failure

Medium Release

Failure

Success

Large Release


Failure

Failure



Very Large Release



Simplifying – Combining BranchesPipe Break Electric Power Emergency Cooling Fission Product

Removal

Containment

Integrity

Consequence

Failure

Success

Success

Success

SuccessNo Release

Failure

Failure

No ReleaseSuccess

Failure

No Release

Failure

Success


Failure

Small Release

Failure

Failure


Success

Small Release

Failure

Success

Medium Release


Failure

Failure


Failure

Medium Release

Failure

Success

Large Release


Failure

Failure



Very Large Release


140


Simplified Pipe Break Event TreePipe Break Electric Power Emergency

Cooling

Fission Product

Removal

Containment

Integrity

Consequence Frequency

ω=0.01 Q=0.00016 Q=0.0016 Q=0.02 Q=0.01

Failure

Success

Success Failure Failure Very Small

Release2e-6

Failure

Success NullSmall Release 1.4e-5

Failure

Failure

Success

Null

Small Release 2.8e-7

Failure

Success

Medium

Release2.9e-9

NullLarge Release 1.5e-6

Failure

SuccessLarge Release 3.1e-8

Failure Very Large

Release3.2e-10



Pipe Break Minimal Cut Sets

� Obtained with AND logic at each branch

� “Very Large Release”

� “Medium Release”

� ELEC and COOL are FTs

� Share common events

� Must be resolved to FT basic events

CINTFISSIONELECPIPE ⋅⋅⋅

CINTFISSIONCOOLELECPIPE ⋅⋅⋅⋅


141


Spark Event Tree

TOP1

Explosion

FIRE

Fire Starts

PROTECT

PROTECTION

SYSTEM

UNAVAILABLE

INFLAM

Inflammable

Material

Present

E

Q=0.1

SPARK

Spark Occurs

I

w=2



Spark Event Tree

Spark Occurs Inflammable

Material Present

Protection System

Unavailable


ω=2 Q=0.1 Q=0.017

Success

SuccessNone 1.77

FailureNone 0.0306

Failure

SuccessNone 0.197

FailureExplosion 0.0034


142


Results

� Per Consequence

� Frequency

� Importance

� Cut sets

� Per category

� Risk



F-N Curve

� Correlates weight with frequency

� X-axis: weight

� Y-axis: cumulative frequency of all consequences with that weight

� In a given category


143


Pipe Break F-N CurveSafety F-N Curve

0.1 1 10

Weight

1E-13

1E-12

1E-11

1E-10

1E-09

1E-08

1E-07

1E-06

1E-05

0.0001

Cu

mu

lative

fre

qu

ency



Modularization

� Consider:Tank Overfill Shutoff Emergency Relief Consequence

SuccessNo effect

Success

FailureNo effect

SuccessNo effect

Failure

FailureChemical spill


144


Modularization

� Where:


SHUTOFF

Q=0.0199

Shut off does notengage

VALVE

Shut-off valvefails open

Q=0.01

SENSOR

Level sensor failsto detect high

level

Q=0.01

RELIEF

Q=0.0199

Emergency reliefsystem fails to

open

PVALVE

Pressure reliefvalve fails closed

Q=0.01

SENSOR

Level sensor failsto detect high

level

Q=0.01

11–17


Modularization

� If SHUTOFF and RELIEF considered separately:

Tank Overfill Shutoff Emergency

Relief


ω=2 Q=0.0199 Q=0.0199

SuccessNo effect 1.921

Success

FailureNo effect 0.03901


Failure

FailureChemical spill 0.000792


145


Modularization

� SHUTOFF= VALVE + SENSOR= 0.0199

� RELIEF= PVALVE + SENSOR= 0.0199

� Chemical Spill= OVERFILL · SHUTOFF ∙ RELIEF= 2 · 0.0199 · 0.0199= 7.92E-4



Modularization

� However, SENSOR is common event

� SHUTOFF and RELIEF are not independent

� Chemical Spill ≠ OVERFILL ∙ SHUTOFF · RELIEF

� Accurate calculation must resolve consequences to minimal cut sets


146


Modularization

� Chemical Spill:

SHUTOFF · RELIEF= (VALVE + SENSOR) · (PVALVE + SENSOR)

= SENSOR + VALVE · PVALVE



Modularization

� If SHUTOFF and RELIEF resolved to minimal cut sets:

Tank Overfill Shutoff Emergency

Relief


ω=2


Success

FailureNo effect 0.0196


Failure

FailureChemical spill 0.0202


147


Partial Failure Branches

� Success/Failure logic

� Gives two and only two outcomes

� Partial failure

� More than two possible outcomes

� Gives a gradation of possibilities

� Not necessarily mutually exclusive

� Each branch associated with a different gate or event failure

� E.g., partial capacity



Partial Failure BranchesHigh speed

derailment

Dual track Train passing on

other track

Passenger

exposure


ω=5.154E-4 Q=0.9 Q=0.01

0-10 passengers2 fatalities 1.031E-5

False Null 11-20 passengers4 fatalities 2.577E-5



Success 11-20 passengers4 fatalities 2.296E-4

True



Failure 11-20 passengers16 fatalities 2.319E-6



148



� Evaluating an Event Tree in a computer program



End of Chapter 11


149

Fault Tree Training – Course Notes - System safetyissc2015.system-safety.org/T05_...

Documents

Transcript of Fault Tree Training – Course Notes - System safetyissc2015.system-safety.org/T05_...