Fault Tree Training – Course Notes

Copyright © 2015 Isograph Limited
All rights reserved. This document and the associated software contain proprietary information which is protected by copyright and may not be copied in whole or in part except with the prior written permission of Isograph. The copyright and the foregoing restrictions on the copyright extend to all media in which this information may be preserved.
Isograph makes no representations or warranties of any kind whatsoever with respect to this document and its associated software. Isograph disclaims all liabilities for loss or damage arising out of the possession, sale, or use of this document or its associated software.

Fault Tree Analysis
An Introduction
Joe Belland, Isograph Inc.
[email protected]
©2015 Isograph Inc.
Reliability Workbench

Isograph
Founded in 1986
Nuclear industry
Off-the-shelf PRA tool
Products: fault trees, simulation, optimization, prediction

Me
Joined Isograph in 2003
Background in Math/Comp Sci
Support, training, development

This Presentation
Overview of fault tree methods
Includes examples from RWB (Reliability Workbench)
Not an in-depth look at Isograph's fault tree software
Sept 15-16, Alpine, UT
Oct 6-7, Detroit, MI

Fault Tree Software
Examples from Reliability Workbench
http://isograph.com/download
Password: weaverham

Introduction
Chapter 1

Deductive and Inductive techniques
[Figure: a hazard (example: fire) shown between the two techniques; FTA is labelled deductive, ETA inductive]

What is Fault Tree Analysis?
Deductive analysis
Determine causes of TOP event
TOP event = hazard
Logic gates
Basic events
Qualitative
Quantitative
[Figure: example fault tree. TOP event "No power" (AND gate) with inputs "No power from mains" (MAINS FAILURE) and "Generator doesn't start up" (OR gate), whose inputs are "Generator failure" (EVENT1) and "Mains failure not detected" (EVENT2)]

TOP Events
Determine the scope of the analysis
Chosen by Hazard Identification
TOP events: want info on
Bottom events: already have info on

Typical Basic Events
Pump failure
Temperature controller failure
Switch fails closed
Operator does not respond
Crash or unexpected failure of software routine

Typical TOP Events
Loss of hydraulics in airplane
Total loss of production
Fire protection system unavailable
Car does not start
Toxic emission
Aerial refuelling system fails to transfer fuel at the proper rate

Failure vs Success Logic
Normally failure events instead of success
Some trees have both
Failure easier to define
Failure space is smaller, simpler
Easier to analyze; probabilities tend to be lower
Some events neither failure nor success
TOP event can be success state (dual tree)
Harder to analyze
Harder to conceptualize

Quantification Parameters
Probabilistic System Parameters:
Unavailability
Unreliability
Failure Frequency
Risk Reduction Factor
Component Parameters:
Unavailability
Failure Frequency
Failure rate and Repair rate
Inspection Interval and Time at Risk

Failure Rate
Component failure rate (probability per unit time)
[Figure: bathtub curve of failure rate against time, with burn-in, useful life and wear-out regions]

Constant failure rate
Analytical methods assume constant failure rate
Real-life components age: nonconstant failure rate
Underlying assumption that preventive maintenance flattens the failure rate curve (generally speaking, of course)
Weibull failure model
Markov analysis

Non-constant failure rate
Aging model requires numerical solution
Can't be reduced to analytical expression
Monte Carlo simulation
Availability Workbench
Exponential, Normal, Lognormal, Weibull, etc.
Strong dependencies
Maintenance costs
Optimization

Constant Failure and Repair rates
If the rates are constant then:
Failure rate (λ) = 1/MTTF
Repair rate (µ) = 1/MTTR
Example:
MTTF = 4 years → λ = 0.25 per year
MTTR = 1 week = 1/52 years → µ = 52 per year
Consistent units

Unavailability Q(t)
Unavailability: not operating at time t
Continuously operating systems
Unavailability: does not work on demand
Safety/standby system
PFD
Unavailability per flight hour: Q(T)/T
Used in aerospace/ISO 26262

Unreliability F(t)
Probability of failure over time
Prob. that system fails between time 0 and time t
Prob. that system fails over given time period
Non-repairable systems
Probability of catastrophic event
Warranty costs

Q & F
In general: Q(t) ≤ F(t)
Non-repairable: Q(t) = F(t)
Unavailability = Unreliability

Failure Frequency ω(t)
AKA Unconditional Failure Intensity
Occurrences/Unit Time
About how often a failure is expected
Integrating gives W(t)
No. of spares to carry on a mission

Risk
Quantifiable with ETA
Coupled with Fault Trees (or just using ETA)
Failure Frequency * Consequence Weighting

Risk
Categories and policy
Safety: e.g. deaths per million operating hours
Environmental: tons of toxic release over lifetime
Operational: threat to completion of mission
Economic: financial loss

Risk policy (acceptable risk)
Aerospace: deaths per flight hour
Automotive: controllability of vehicle
Railway: deaths per train miles
Space: operational risk
Pharmaceutical: human risk

Risk Reduction Factor
How much each protection layer lowers risk
Reciprocal of Qmean
Current risk ÷ risk policy = required further RRF

End of Chapter 1
Summary
FT is deductive hazard analysis
Graphically shows logical relationship between TOP and Basic events
Qualitative/quantitative
Constant rates
Unavailability/Unreliability/Frequency
Risk

Fault Tree Construction
Chapter 2

Common Gate Types
Name          Logic                                         Inputs
OR            TRUE if any input is TRUE                     ≥2
AND           TRUE if all inputs are TRUE                   ≥2
VOTE (m)      TRUE if m inputs are TRUE                     ≥3
PRIORITY AND  TRUE if inputs occur in left to right order   ≥2
(The symbol column of the slide is not reproduced here)

Other Symbols
Name          Meaning
Transfer In   Inputs appear elsewhere on same page or on another page
Transfer Out  Output appears elsewhere on same page or on another page
Indicate logic flow

OR Gate Example
[Figure: "No output from High Pressure Valve 1" (HPV1) is an OR gate with inputs "High Pressure Valve 1 stuck closed" (HPV1 FAIL) and "No input flow to High Pressure Valve 1" (HPV1 INPUT)]

AND Gate Examples
[Figure: "Fire Propagates" (FPROP) is an AND gate with inputs "Fire Starts" (FSTART) and "Fire Protection System Fails to Operate" (FPROTECT); "Both Pumps Unavailable" (PUMPSYS) is an AND gate with inputs "Primary Pump Out of Service" (PUMP1) and "Secondary Pump Out of Service" (PUMP2)]

Vote Gate Examples
[Figure: "Temperature Sensors Fail to Detect High Temperature" (HIGHTEMP) is a 2-out-of-3 vote gate with inputs "Temperature Sensor 1 Fails" (TEMP1), "Temperature Sensor 2 Fails" (TEMP2) and "Temperature Sensor 3 Fails" (TEMP3); "Insufficient Braking to Stop Aircraft" (BRAKEFAIL) is a 2-out-of-3 vote gate with inputs "Brake 1 Fails" (BRAKE1), "Brake 2 Fails" (BRAKE2) and "Reverse Thrust Not Engaged" (RTHRUST)]

Priority AND Gate Example
[Figure: "System Unavailable" (SYS) has two inputs: GATEA "Switch Fails then Primary Sub-System Fails", a PRIORITY AND of "Switch Fails" (SWITCH) and "Primary Sub-System Fails" (SYS1), and GATEB "Primary and Standby Systems Fail", an AND of "Primary Sub-System Fails" (SYS1) and "Standby Sub-System Fails" (SYS2)]

Transfer Symbols
[Figure: "Loss of supply" (TP1) with branches "Leg 1" (GT1) and "Leg 2" (GT2); Leg 1 contains CON1, SEN1 and gate GT3, Leg 2 contains CON2, SEN2 and the same gate GT3, which is drawn once and referenced from both legs through transfer symbols]

Gate Types
Other Gate Types
Inhibit
NOT
Exclusive OR
Special cases
Not normally used
Not covered

Primary Event Types
Name      Meaning
BASIC     Basic event
HOUSE     Definitely operating or definitely not operating
DORMANT   Failure not immediately revealed; latent/hidden failure
Other Event Types
Undeveloped, Conditional
Symbol does not affect behavior

House Event Example
[Figure, shown three times: "System Unavailable" (SYSFAIL) with inputs "Sub-System X Unavailable" (X) and "Sub-System Y Unavailable" (Y). X has inputs "X Unavailable Due to Faults" (SX) and the house event "Preventive Maintenance" (HX); Y has inputs "Y Unavailable Due to Faults" (SY) and the house event "Preventive Maintenance" (HY). First with the house events unset, then with HX = False and HY = False, then with HX = True and HY = False]

System & Component Events
System Events: failures not directly associated with a single component
Component Events: failures entirely associated with a given component

Component Events
[Figure: "COMPONENT UNAVAILABLE" with inputs "PRIMARY FAILURE" and "COMMAND FAULT"]

Construction Guidelines
Define system bounds
Identify TOP event(s)
Identify immediate causes using top-down approach
Continue to identify immediate causes through intermediate levels of complexity
Terminate roots with primary events
Identify distinct causes
Always provide complete descriptions
Use distinctive names

Example 1: Electrical System Fault Tree
[Figure: schematic. GRID feeds Board A (pumps) through transformer T1 and contact breaker C1; the diesel generator DGEN feeds Board A through T2 and C2; Board A feeds Board B (valves) through T3/C3 and T4/C4]

Board B Fault Tree
[Figure, built up over five slides: "LOSS OF SUPPLY TO BOARD B" (ELECB) has inputs "NO SUPPLY FROM CONTACT BREAKER 3" (GATE1) and "NO SUPPLY FROM CONTACT BREAKER 4" (GATE2). GATE1 has inputs "CONTACT BREAKER 3 FAILURE" (C3) and "NO SUPPLY FROM TRANSFORMER 3" (GATE3); GATE3 has inputs "TRANSFORMER 3 FAILURE" (T3) and the transfer "LOSS OF SUPPLY TO BOARD A" (ELECA). GATE2 has inputs "CONTACT BREAKER 4 FAILURE" (C4) and "NO SUPPLY FROM TRANSFORMER 4" (GATE4); GATE4 has inputs "TRANSFORMER 4 FAILURE" (T4) and the transfer ELECA]

Board A Fault Tree
[Figure, built up over five slides: "LOSS OF SUPPLY TO BOARD A" (ELECA) has inputs "NO SUPPLY FROM CONTACT BREAKER 1" (GATE6) and "NO SUPPLY FROM CONTACT BREAKER 2" (GATE7). GATE6 has inputs "CONTACT BREAKER 1 FAILURE" (C1) and "NO SUPPLY FROM TRANSFORMER 1" (GATE8); GATE8 has inputs "TRANSFORMER 1 FAILURE" (T1) and "GRID UNAVAILABLE" (GRID). GATE7 has inputs "CONTACT BREAKER 2 FAILURE" (C2) and "NO SUPPLY FROM TRANSFORMER 2" (GATE9); GATE9 has inputs "TRANSFORMER 2 FAILURE" (T2) and "DIESEL GENERATOR FAILURE" (DGEN)]

Reducing Fault Trees
Simplify diagram
Maintain same failure logic: same combination of events produce TOP event
Linked OR gates can become single OR gate
[Figure: TOP1 = OR(EVENT1, GATE1), GATE1 = OR(EVENT2, GATE2), GATE2 = OR(EVENT3, EVENT4) is equivalent to TOP1 = OR(EVENT1, EVENT2, EVENT3, EVENT4)]
Common failures under each branch of an AND gate can sometimes be simplified
[Figure: TOP1 = AND(GATE1, GATE2) with GATE1 = OR(EVENT1, COMMON) and GATE2 = OR(EVENT2, COMMON) is equivalent to TOP1 = OR(COMMON, GATE1) with GATE1 = AND(EVENT1, EVENT2)]

Reducing Electrical Fault Tree
ELECA brought to top of tree
It causes route from A to B to be lost
Component events combined
Transformer and contact breaker failures are linked OR gates

Reduced Board B Fault Tree
[Figure: "LOSS OF SUPPLY TO BOARD B" (ELECB) is an OR of "LOSS OF BOARD A SUPPLY" (ELECA) and "ROUTE FROM BOARD A TO BOARD B LOST" (GATE3). GATE3 is an AND of "T3 OR C3 FAILED" (GATE4) and "T4 OR C4 FAILED" (GATE5); GATE4 = OR("CONTACT BREAKER 3 FAILURE" C3, "TRANSFORMER 3 FAILURE" T3), GATE5 = OR("CONTACT BREAKER 4 FAILURE" C4, "TRANSFORMER 4 FAILURE" T4)]

Reduced Board A Fault Tree
[Figure: "LOSS OF BOARD A SUPPLY" (ELECA) is an AND of "NO SUPPLY FROM GRID" (GATE1) and "NO SUPPLY FROM DIESEL" (GATE2). GATE1 = OR("CONTACT BREAKER 1 FAILURE" C1, "TRANSFORMER 1 FAILURE" T1, "GRID UNAVAILABLE" GRID); GATE2 = OR("CONTACT BREAKER 2 FAILURE" C2, "TRANSFORMER 2 FAILURE" T2, "DIESEL GENERATOR FAILURE" DGEN)]

Rocket Propulsion Example
From Fault Tree Handbook with Aerospace Applications, NASA Office of Safety and Mission Assurance, Dr. Michael Stamatelatos et al., August 2002
Define System Bounds:
Items shown in schematic
Both mechanical and electric circuits to be included
Identify TOP events
3 possible system failures:
Failure to provide propulsion on demand
Inadvertent firing of the system when not required
Continued firing after system has been commanded off
Examine third possibility

Rocket Propulsion Fault Tree
Identify immediate causes of TOP event
Continue identifying immediate causes through intermediate levels
[Figure, built up over several slides (the IV3 leg first, then the IV2 leg): TOP event "Thruster supplied with propellant after thrust cutoff" (THRUST) has inputs "Isolation valve IV3 remains open after cutoff" (IV3 OPEN) and "Isolation valve IV2 remains open after cutoff" (IV2 OPEN).
IV3 OPEN has inputs "EMF continues to be supplied to IV3 after cutoff" (IV3 POWER) and "Primary failure of IV3 to close after cutoff" (IV3). IV3 POWER has inputs "EMF continues to be supplied to K5 after cutoff" (K5 POWER) and "Primary failure of K5 to open after cutoff" (K5). K5 POWER has inputs "EMF continues to be supplied to K3 after cutoff" (K3 POWER) and "Primary failure of K3 to open after cutoff" (K3). K3 POWER has inputs "Emergency switch S3 fails to open after cutoff" (S3 CLOSED) and "Primary failure of K6 to open after cutoff" (K6 CLOSED).
IV2 OPEN has inputs "EMF continues to be supplied to IV2 after cutoff" (IV2 POWER) and "Primary failure of IV2 to close after cutoff" (IV2); IV2 POWER has the same inputs S3 CLOSED and K6 CLOSED.
S3 CLOSED has inputs "Primary failure of S3 to open when commanded" (S3) and "Operational failure of S3 to open when commanded" (S3 OP); K6 CLOSED has inputs "Primary failure of K6 to open after timing out" (K6) and "Primary failure of K6 timer to time out" (K6 TIMER)]

Reducing Rocket Fault Tree
S3, K6 brought to top of tree
Simultaneous failure causes both IV2 and IV3 to remain open
Component events combined
IV3, K5, K3 and contact breaker failures are linked OR gates

Reduced Rocket Fault Tree
[Figure: "Thruster supplied with propellant after thrust cutoff" (THRUST, Q=0.0002715) has inputs "Arming circuit remains closed" (ARMING) and "Isolation valves remain open" (IVS). ARMING has inputs "Emergency switch S3 fails to open after cutoff" (S3 CLOSED) and "Primary failure of K6 to open after cutoff" (K6 CLOSED). IVS has inputs "Isolation valve IV3 remains open after cutoff" (IV3 OPEN) and "Primary failure of IV2 to close after cutoff" (IV2). S3 CLOSED has inputs "Primary failure of S3 to open when commanded" (S3) and "Operational failure of S3 to open when commanded" (S3 OP); K6 CLOSED has inputs "Primary failure of K6 to open after timing out" (K6) and "Primary failure of K6 timer to time out" (K6 TIMER); IV3 OPEN has inputs "Primary failure of IV3 to close after cutoff" (IV3), "Primary failure of K5 to open after cutoff" (K5) and "Primary failure of K3 to open after cutoff" (K3). The gates S3 CLOSED, K6 CLOSED and IV3 OPEN are labelled Q=0.01005, Q=0.02294 and Q=0.00619 in that order]

Disadvantages
May be more difficult to understand
Errors may be made in construction process

Workshop 2.1: Chemical Reactor vessel
[Figure: schematic of the reactor vessel with components CON (controller), MV1/MV2 (manual valves) and EV1/EV2 (electrical valves) on Input 1 and Input 2, TS and PS (temperature and pressure sensors), ALARM, OP (operator), NRV on the pressure relief line, and Product and By-product outlets]
TOP event: Fails to stop rupture
Base events:
Name    Description
EV1     Electrical valve 1 failure
EV2     Electrical valve 2 failure
MV1     Manual valve 1 stuck open
MV2     Manual valve 2 stuck open
CON     Controller failure
OP      Operator unavailable
TS1     Temperature sensor failure
PS1     Pressure sensor failure
ALARM   Alarm unit failure
NRV     Pressure relief valve failure
GRID    No electrical supply from the grid

Workshop 2.1 Solution
[Figure, over three slides: "FAILS TO STOP RUPTURE" (G0) has inputs "FAILS TO SHUT DOWN BOTH INPUTS" (G1) and "VALVE STUCK CLOSED" (NRV). G1 has inputs "INPUT 1 NOT SHUT DOWN" (G2) and "INPUT 2 NOT SHUT DOWN" (G3).
G2 has inputs "MANUAL VALVE 1 NOT SHUT" (G4) and "ELECTRICAL VALVE 1 NOT SHUT" (G5). G4 has inputs "OPERATOR FAILS TO RESPOND" (G8) and "VALVE STUCK OPEN" (MV1). G5 has inputs "NO SIGNAL FROM CONTROLLER" (G9), "ELECTRICAL VALVE 1 FAILURE" (EV1) and "NO POWER SUPPLY FROM GRID" (GRID). G8 has inputs "ALARM DOES NOT SOUND" (G11) and "OPERATOR UNAVAILABLE" (OP). G9 has inputs "NO SIGNAL FROM SENSORS" (G10) and "CONTROLLER FAILURE" (CON). G11 has inputs "NO SIGNAL FROM SENSORS" (G10) and "ALARM UNIT FAILURE" (ALARM). G10 has inputs "PRESSURE SENSOR FAILURE" (PS1) and "TEMPERATURE SENSOR FAILURE" (TS1).
G3 mirrors G2 for Input 2: "MANUAL VALVE 2 NOT SHUT" (G6) has inputs G8 and "VALVE STUCK OPEN" (MV2); "ELECTRICAL VALVE 2 NOT SHUT" (G7) has inputs G9, "ELECTRICAL VALVE 2 FAILURE" (EV2) and GRID]

End of Chapter 2
Summary
Gate symbols
Event symbols
Construction guidelines

Minimal Cut Sets
Chapter 3

Minimal Cut Sets
First step of analysis
Minimum combinations of events which cause TOP event
Produced using Boolean algebra
Quantitative data not required

Boolean Algebra Techniques
Represent gates with equivalent Boolean expression
Variables represent inputs

Boolean Algebra Operators
EventX·EventY: the · symbol represents AND logic
EventX + EventY: the + symbol represents OR logic

AND gate
TOP1 = A · B
3 inputs: TOP1 = A · B · C
[Figure: AND gate TOP1 with inputs A and B]

OR gate
TOP1 = A + B
3 inputs: TOP1 = A + B + C
[Figure: OR gate TOP1 with inputs A and B]

VOTE gate
2oo3: TOP1 = A·B + A·C + B·C
3oo4 (failures): TOP1 = A·B·C + A·B·D + A·C·D + B·C·D
[Figure: 2-out-of-3 vote gate TOP1 with inputs A, B and C]

Boolean Algebra Rules
Remove redundant expressions to produce Minimal Cut Sets
Use following rules:
Idempotent Law
A + A = A
A · A = A
Law of Absorption
A + A · B = A
A · (A + B) = A
Distributive Law
(A + B) · (A + C) = A + B · C
A · B + A · C = A · (B + C)

Boolean Algebra Example
G1 = A + B
G2 = A·C + A·D + C·D
TOP = G1 · G2
[Figure: TOP is an AND gate with inputs G1 (OR gate with inputs A and B) and G2 (2-out-of-3 vote gate with inputs A, C and D)]
TOP = (A + B) · (A·C + A·D + C·D)
= A·A·C + A·A·D + A·C·D + B·A·C + B·A·D + B·C·D   (Distributive law)
= A·C + A·D + A·C·D + B·A·C + B·A·D + B·C·D   (Idempotent law)
= A·C + A·D + B·C·D   (Law of Absorption)
Minimal Cut Sets: A·C, A·D, B·C·D
A·C, A·D are second order
B·C·D is third order

Workshop 3.1
[Figure: cooling system schematic. Two parallel legs feed the heat exchanger HEX: leg 1 with electric pump EP1, electric valve EV1 and non-return valve NRV1, leg 2 with EP2, EV2 and NRV2; FS1 and CON1 are also shown]
TOP event: Total Loss of Cooling
Mechanical failures only
Ignore electrical failures
Ignore failure of FS1 and CON
Assume negligible probabilities
Build tree & calculate cut sets by hand
Event Name   Description
EV1          Electric Valve 1
EV2          Electric Valve 2
EP1          Electric Pump 1
EP2          Electric Pump 2
NRV1         Non-return valve 1 stuck closed
NRV2         Non-return valve 2 stuck closed
HEX          Heat Exchanger Failure

Workshop 3.1 Solution
[Figure: "TOTAL LOSS OF COOLING" (COOLING) has inputs "LOSS OF COOLING TO HEX" (SYS1) and "HEAT EXCHANGER FAILURE" (HEX). SYS1 has inputs "LOSS OF COOLING LEG 1" (SYS2) and "LOSS OF COOLING LEG 2" (SYS3). SYS2 has inputs "PUMP 1 PRIMARY FAILURE" (EP1), "VALVE 1 STUCK CLOSED" (EV1) and "NON-RETURN VALVE STUCK CLOSED" (NRV1); SYS3 has inputs "PUMP 2 PRIMARY FAILURE" (EP2), "VALVE 2 STUCK CLOSED" (EV2) and "NON-RETURN VALVE STUCK CLOSED" (NRV2)]
Minimal Cut sets:
HEX
EV1·EV2
EV1·EP2
EV1·NRV2
EP1·EV2
EP1·EP2
EP1·NRV2
NRV1·EV2
NRV1·EP2
NRV1·NRV2

Workshop 3.2
Determine by hand the minimal cut sets for the 'Total Loss of Cooling' fault tree from Workshop 3.1
Consider the full fault tree including electrical faults

Cooling System
[Figure: "TOTAL LOSS OF COOLING" (COOLING) has inputs "LOSS OF COOLING TO HEX" (SYS1) and "HEAT EXCHANGER FAILURE" (HEX); SYS1 has inputs "LOSS OF COOLING LEG 1" (SYS2) and "LOSS OF COOLING LEG 2" (SYS3)]
COOLING = SYS1 + HEX
SYS1 = SYS2 · SYS3

SYS2 – Loss of Cooling Leg 1
[Figure: SYS2 has inputs "PUMP 1 UNAVAILABLE" (PUMP1), "VALVE 1 CLOSED" (VALVE1) and "NON-RETURN VALVE STUCK CLOSED" (NRV1). PUMP1 has inputs "LOSS OF BOARD A SUPPLY" (ELECA) and "PUMP 1 PRIMARY FAILURE" (EP1); VALVE1 has inputs "LOSS OF BOARD B SUPPLY" (ELECB) and "VALVE 1 STUCK CLOSED" (EV1)]
SYS2 = PUMP1 + VALVE1 + NRV1
PUMP1 = ELECA + EP1
VALVE1 = ELECB + EV1

SYS3 – Loss of Cooling Leg 2
[Figure: SYS3 has inputs "PUMP 2 UNAVAILABLE" (PUMP2), "VALVE 2 CLOSED" (VALVE2) and "NON-RETURN VALVE STUCK CLOSED" (NRV2). PUMP2 has inputs ELECA and "PUMP 2 PRIMARY FAILURE" (EP2); VALVE2 has inputs ELECB and "VALVE 2 STUCK CLOSED" (EV2)]
SYS3 = PUMP2 + VALVE2 + NRV2
PUMP2 = ELECA + EP2
VALVE2 = ELECB + EV2

ELECB – Loss of Supply to Board B
[Figure: "LOSS OF SUPPLY TO BOARD B" (ELECB) has inputs "LOSS OF BOARD A SUPPLY" (ELECA) and "ROUTE FROM BOARD A TO BOARD B LOST" (A TO B). A TO B has inputs "T3 OR C3 FAILED" (LEG 3) and "T4 OR C4 FAILED" (LEG 4); LEG 3 has inputs "CONTACT BREAKER 3 FAILURE" (C3) and "TRANSFORMER 3 FAILURE" (T3), LEG 4 has inputs "CONTACT BREAKER 4 FAILURE" (C4) and "TRANSFORMER 4 FAILURE" (T4)]
ELECB = ELECA + A TO B
A TO B = LEG3 · LEG4
LEG3 = C3 + T3
LEG4 = C4 + T4

ELECA – Loss of Supply to Board A
[Figure: "LOSS OF BOARD A SUPPLY" (ELECA) has inputs "NO SUPPLY FROM GRID" (NSGRID) and "NO SUPPLY FROM DIESEL" (NSUD). NSGRID has inputs "CONTACT BREAKER 1 FAILURE" (C1), "GRID UNAVAILABLE" (GRID) and "TRANSFORMER 1 FAILURE" (T1); NSUD has inputs "CONTACT BREAKER 2 FAILURE" (C2), "DIESEL GENERATOR FAILURE" (DGEN) and "TRANSFORMER 2 FAILURE" (T2)]
ELECA = NSGRID · NSUD
NSGRID = C1 + GRID + T1
NSUD = C2 + DGEN + T2

Cooling
COOLING = SYS1 + HEX
SYS1 = SYS2 · SYS3
COOLING = SYS2 · SYS3 + HEX

Workshop 3.2 Solution
COOLING = SYS2 · SYS3 + HEX
COOLING = (PUMP1 + VALVE1 + NRV1) · (PUMP2 + VALVE2 + NRV2) + HEX
COOLING = ([ELECA + EP1] + [ELECB + EV1] + NRV1) · ([ELECA + EP2] + [ELECB + EV2] + NRV2) + HEX
COOLING = ELECA + ELECB + (EP1 + EV1 + NRV1) · (EP2 + EV2 + NRV2) + HEX   (ELECA and ELECB appear in both factors: (A + B) · (A + C) = A + B · C)
COOLING = ELECA + ELECA + A TO B + (EP1 + EV1 + NRV1) · (EP2 + EV2 + NRV2) + HEX   (substituting ELECB = ELECA + A TO B)
COOLING = ELECA + A TO B + (EP1 + EV1 + NRV1) · (EP2 + EV2 + NRV2) + HEX   (Idempotent law)
COOLING = NSGRID · NSUD + LEG3 · LEG4 + (EP1 + EV1 + NRV1) · (EP2 + EV2 + NRV2) + HEX   (substituting ELECA and A TO B)
COOLING = (C1 + GRID + T1) · (C2 + DGEN + T2) + (C3 + T3) · (C4 + T4) + (EP1 + EV1 + NRV1) · (EP2 + EV2 + NRV2) + HEX
Expanding each product gives the 23 minimal cut sets:
COOLING = C1·C2 + C1·DGEN + C1·T2 + GRID·C2 + GRID·DGEN + GRID·T2 + T1·C2 + T1·DGEN + T1·T2 + C3·C4 + C3·T4 + T3·C4 + T3·T4 + EP1·EP2 + EP1·EV2 + EP1·NRV2 + EV1·EP2 + EV1·EV2 + EV1·NRV2 + NRV1·EP2 + NRV1·EV2 + NRV1·NRV2 + HEX
Program Demonstration
Using a Fault Tree program to
obtain cut sets
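As an added example (not part of the course notes and not Reliability Workbench code), the following Python program expands the Workshop 3 cooling tree into its minimal cut sets by applying the idempotence and absorption rules of this chapter in code rather than by hand. The gate structure is transcribed from the gate equations on the preceding slides; the short gate labels (PUMP1, VALVE1, ATOB for "A TO B" and so on) are assumed names for gates the slides write out in full.

```python
from itertools import product

# Gate definitions for the Workshop 3 cooling system, transcribed from the gate
# equations on the slides: name -> (gate type, inputs).  Any name that is not a
# gate is a basic event.  The short gate labels (ATOB for "A TO B", PUMP1, ...)
# are assumed; the slides spell those gates out in full.
COOLING_TREE = {
    "COOLING": ("OR",  ["SYS1", "HEX"]),
    "SYS1":    ("AND", ["SYS2", "SYS3"]),
    "SYS2":    ("OR",  ["PUMP1", "VALVE1", "NRV1"]),
    "SYS3":    ("OR",  ["PUMP2", "VALVE2", "NRV2"]),
    "PUMP1":   ("OR",  ["ELECA", "EP1"]),
    "VALVE1":  ("OR",  ["ELECB", "EV1"]),
    "PUMP2":   ("OR",  ["ELECA", "EP2"]),
    "VALVE2":  ("OR",  ["ELECB", "EV2"]),
    "ELECB":   ("OR",  ["ELECA", "ATOB"]),
    "ELECA":   ("AND", ["NSGRID", "NSUD"]),
    "ATOB":    ("AND", ["LEG3", "LEG4"]),
    "NSGRID":  ("OR",  ["C1", "GRID", "T1"]),
    "NSUD":    ("OR",  ["C2", "DGEN", "T2"]),
    "LEG3":    ("OR",  ["C3", "T3"]),
    "LEG4":    ("OR",  ["C4", "T4"]),
}


def minimise(cut_sets):
    """Absorption law (A + A·B = A): drop any cut set that contains another."""
    cut_sets = set(cut_sets)
    return {c for c in cut_sets if not any(other < c for other in cut_sets)}


def minimal_cut_sets(tree, gate):
    """Expand a gate top-down into its minimal cut sets (a set of frozensets)."""
    if gate not in tree:                       # basic event
        return {frozenset([gate])}
    op, inputs = tree[gate]
    input_sets = [minimal_cut_sets(tree, name) for name in inputs]
    if op == "OR":
        # OR gate: the union of the inputs' cut sets
        combined = set().union(*input_sets)
    elif op == "AND":
        # AND gate: one cut set from each input, merged.  Idempotence (A·A = A)
        # is automatic because a frozenset cannot hold the same event twice.
        combined = {frozenset().union(*combo) for combo in product(*input_sets)}
    else:
        raise ValueError(f"unknown gate type {op!r} for {gate}")
    return minimise(combined)


def as_boolean(cut_sets):
    """Render cut sets in the slide notation, lowest order first."""
    terms = sorted(("·".join(sorted(c)) for c in cut_sets),
                   key=lambda t: (t.count("·"), t))
    return " + ".join(terms)


if __name__ == "__main__":
    mcs = minimal_cut_sets(COOLING_TREE, "COOLING")
    print(len(mcs), "minimal cut sets")
    print(as_boolean(mcs))
```

Running it reproduces the 23 cut sets of the slide: HEX alone plus 22 second-order sets. The absorption step is what collapses ELECA·ELECA and ELECA·ATOB into ELECA in the (ELECA + ATOB + …)·(ELECA + ATOB + …) product; without it the AND gate would yield 256 combinations.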
End of Chapter 3
Summary
Boolean operators
Boolean gate expressions
Boolean algebra rules
Evaluating cut sets in a computer
program
Basic Probability Theory
Chapter 4
Basic Probability Theory
First step in analysis: calculate
cut sets
Second step in analysis: calculate
cut set Q
Third step: calculate TOP event Q
Need laws of probability
Multiplication law
Addition law
Used to calculate Qs
Independent Events
Independent events:
unaffected by other’s
occurrence
Rolling a die, flipping a coin
Generally Assumed in FTA
Simplifies calculations
Not necessarily the case
Increased stress, etc.
CCFs, discussed later
Exclusivity
Mutually exclusive events:
cannot occur together
Ex: Failed and working states
Non-exclusive events
Ex: failure of two independent
components
Die showing 6, coin landing heads
Multiplication Law
$P(A \cdot B) = P(A) \cdot P(B)$
Where:
P(A·B) = probability of A and B occurring
together
P(A) = probability of A occurring
P(B) = probability of B occurring
A, B independent, non-exclusive
Multiplication Law
$P(A \cdot B \cdot C) = P(A) \cdot P(B) \cdot P(C)$
For three events
$P(A_1 \cdot A_2 \cdots A_n) = \prod_{i=1}^{n} P(A_i)$
For n events
Addition Law
$P(A + B) = P(A) + P(B) - P(A) \cdot P(B)$
Where:
P(A+B) = probability of A or B (at least one of them) occurring
P(A) = probability of A occurring
P(B) = probability of B occurring
A, B independent, non-exclusive
Addition Law
Illustrated with Venn diagram
[Figure: two overlapping circles P(A) and P(B); the overlap P(A)·P(B) is counted twice by P(A) + P(B) and so is subtracted once.]
$P(A + B) = P(A) + P(B) - P(A) \cdot P(B)$
Addition Law for 3 Events
$P(A + B + C) = P(A) + P(B) + P(C) - P(A)P(B) - P(A)P(C) - P(B)P(C) + P(A)P(B)P(C)$
[Figure: three overlapping circles P(A), P(B), P(C); the pairwise overlaps such as P(B)·P(C) are subtracted and the triple overlap P(A)·P(B)·P(C) added back.]
Addition Law
General form:
$P(A_1 + A_2 + \cdots + A_n) = \sum_{i=1}^{n} P(A_i) - \sum_{i=1}^{n-1}\sum_{j=i+1}^{n} P(A_i)P(A_j) + \cdots + (-1)^{n+1} P(A_1)P(A_2)\cdots P(A_n)$
Very complex
Approximation methods
Success states
Addition Law
Success states:
[Figure: Venn diagram; the region outside both circles is $P(\bar{A} \cdot \bar{B})$, the probability that neither A nor B occurs.]
$P(A + B) = 1 - P(\bar{A} \cdot \bar{B})$
Addition Law
Using Multiplication Law
$P(A + B) = 1 - P(\bar{A}) \cdot P(\bar{B}) = 1 - (1 - P(A)) \cdot (1 - P(B))$
For three events
$P(A + B + C) = 1 - (1 - P(A)) \cdot (1 - P(B)) \cdot (1 - P(C))$
For n events
$P(A_1 + A_2 + \cdots + A_n) = 1 - \prod_{i=1}^{n} (1 - P(A_i))$
Example 4.1
A two-sided coin and a twenty-sided die are thrown
Probability of the coin landing heads
AND the die showing 20?
Example 4.1 Solution
P(Heads) = ½ = 0.5
P(20) = 1/20 = 0.05
Independent, non-exclusive?
Yes! Multiplication law
P(Heads·20) = 1/2 x 1/20 =
1/40 = .025 = 2.5%
Example 4.2
Spin 3 coins
Probability of AT LEAST ONE landing
heads?
Example 4.2 Solution
Probability of coin A landing
heads = P(A) = ½ = 0.5
P(B) = ½ = 0.5
P(C) = ½ = 0.5
Addition law
A OR B OR C
3·½ – 3 · ½·½ + ½·½·½ =
0.875
Example 4.3
3 sensor system
99.9% uptime
Probability of all sensors being
unavailable at the same time?
Probability of AT LEAST ONE
sensor being failed?
Example 4.3 Solution
Unavailability of sensor
Q = 0.001
Probability all sensors
unavailable: multiplication law
Q·Q·Q = 10⁻⁹
Probability of at least one
being unavailable: addition law
Q + Q + Q − 3Q·Q + Q·Q·Q
= 0.002997001
Lower/Upper bounds
Q = 0.001
Q + Q + Q = 0.003
3Q·Q = 0.000003
Q·Q·Q = 0.000000001

Term        Cumulative total   Change         % Change
Q+Q+Q       0.003              0.003          100%
−3·Q·Q      0.002997           0.000003       0.1%
+Q·Q·Q      0.002997001        0.000000001    0.00003%

Each further term changes the running total by a factor of about Q. Stopping after an odd number of terms gives an upper bound, after an even number a lower bound, on the exact value.
Example 4.4
Weather forecaster predicts
40% chance of rain for five
days
Probability that it rains at least
one day?
Example 4.4 Solution
P(Rain) = 0.4
5·P(Rain) = 2 (5 choose 1 = 5)
10·P(Rain)² = 1.6 (5 choose 2 = 10)
10·P(Rain)³ = 0.64 (5 choose 3 = 10)
5·P(Rain)⁴ = 0.128 (5 choose 4 = 5)
P(Rain)⁵ = 0.01024
Example 4.4 Solution
[Figure: bar chart of the cumulative total as each inclusion-exclusion term is added.]
Term       Cumulative total
+5·P       2
−10·P²     0.4
+10·P³     1.04
−5·P⁴      0.912
+P⁵        0.92224
The final value, 0.92224, is the same as 1 − (1 − 0.4)⁵ from the success-state form.
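The bounding behaviour shown on the Lower/Upper bounds slide and in Example 4.4 can be checked for any n and p with the following Python functions, which are an added illustration rather than course material. They compute the inclusion-exclusion terms for n independent events of equal probability p, the running totals as each term is added, and the success-state shortcut that gives the exact answer in one step.

```python
from math import comb


def inclusion_exclusion_terms(n, p):
    """Terms of P(at least one of n independent events of probability p):
    the k-th term is (-1)^(k+1) * C(n, k) * p^k (addition law, general form)."""
    return [(-1) ** (k + 1) * comb(n, k) * p ** k for k in range(1, n + 1)]


def cumulative_totals(n, p):
    """Running totals as each term is added.  Odd-length partial sums are upper
    bounds, even-length ones lower bounds; the full sum is exact."""
    totals, running = [], 0.0
    for term in inclusion_exclusion_terms(n, p):
        running += term
        totals.append(running)
    return totals


def at_least_one_success_states(n, p):
    """The same probability by the success-state shortcut: 1 - P(none occur)."""
    return 1 - (1 - p) ** n


def bounds_bracket_exact(n, p):
    """True if every partial sum lies on the expected side of the exact value."""
    exact = at_least_one_success_states(n, p)
    return all((t >= exact - 1e-12) if k % 2 else (t <= exact + 1e-12)
               for k, t in enumerate(cumulative_totals(n, p), start=1))
```

With n = 5 and p = 0.4 the running totals are 2, 0.4, 1.04, 0.912 and 0.92224, exactly the bars of the chart above, and the first total (the rare-event approximation) is a useless bound because it exceeds 1; with n = 3 and p = 0.001 the first total is already within 0.1% of the exact 0.002997001, which is why the rare approximation is acceptable for low-probability events and not for frequent ones.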
End of Chapter 4
Summary
Independence
Exclusivity
Multiplication Law
Addition Law
De Morgan’s Theorem
Quantitative Data
Chapter 5
Quantitative Data
Fault Trees are both:
Qualitative
Quantitative
Qualitative
Cut set analysis
Quantitative
Multiplication/Addition laws
Need input values
Input Data
Entered for all events
Required for quantitative analysis
Function to calculate Q and ω
Equation depends on event
characteristics
Options will differ between FT
tools
Common Parameters
Unavailability
Failure Frequency
Mean Time To Failure (MTTF)
Failure Rate (1/MTTF)
Inspection (Test) Interval
Mean Time to Repair (MTTR)
Repair Rate (1/MTTR)
Time at Risk/Lifetime
Common Event Models
Fixed Failure Probability
Failures on demand, operator errors,
software bugs, conditional events
Fixed probability of failure
Constant Rate
Repairable or non-repairable
components with a constant failure
rate and repair rate
Weibull
Failure rate varies with time
Common Event Models
Dormant
Hidden or latent failures
Only revealed on testing
Time at Risk
Non-repairable components with a
phase-related hazard
Usually in aerospace
Fixed Probability
Constant Q and ω
Useful for
Operator errors
Failure on demand
Software bugs
Conditional events
Probability of failure on
demand = Q
Input Q and ω directly
Fixed Probability
Initiators and Enablers
Failure frequency = 0 (usually)
Event is an enabler
Only interested in system Q
For initiators:
Use Fixed model
Input ω only
Program will ignore Q
Constant Rate
Failures immediately revealed
Constant Failure and repair
rates
Component does not age
Preventative maintenance before
wear out
Exponentially distributed
Both failures and repairs
Constant Rate
Inputs
Failure rate or MTTF
Repair rate or MTTR
$\lambda = \frac{1}{MTTF}$, $\mu = \frac{1}{MTTR}$
Constant Rate
$Q(t) = \frac{\lambda}{\lambda + \mu}\left(1 - e^{-(\lambda + \mu)t}\right)$
$\omega(t) = \lambda[1 - Q(t)]$
λ = failure rate, µ = repair rate
If Q(t) ≈ 0 (usually the case)
$\omega(t) \approx \lambda$
Constant Rate
[Figure: Q(t) against t; a transient region in which Q(t) rises, followed by a steady-state region in which it levels off.]
Constant Rate
Transient Region
For short lifetime:
$Q(t) \approx \lambda t$ when $(\lambda + \mu)t \ll 1$
Applicable for aircraft, military
Constant Rate
Steady-state Region
For longer lifetime:
Approaches steady-state Q
$Q(t) \approx \frac{\lambda}{\lambda + \mu}$ when $(\lambda + \mu)t \gg 1$
Non-Repairable Events
Non-repairable components
Repair rate = 0
Substitution yields:
$Q(t) = \frac{\lambda}{\lambda + 0}\left(1 - e^{-(\lambda + 0)t}\right)$
$Q(t) = 1 - e^{-\lambda t}$
Non-Repairable Events
[Figure: Q(t) = 1 − e^(−λt) plotted against t, rising from 0 towards 1 (vertical axis 0 to 1 in steps of 0.2).]
Exposure Time
Determined by FT goals
Lifetime of the system
Time between overhauls
Mission time
Maintenance budgeting interval
Global
All components in the fault tree
Event-specific
Each event has independent time at
risk
Dormant Failures
Failures not immediately
revealed
Non-repairable between inspections
Ex: Protection/standby system
Failures only revealed on
inspection (test)
Fixed test interval
Repair if test reveals failure
Dormant Failures
Three methods for calculating
Q
Mean
Max
IEC 61508
Must calculate single Q
Multiplication and addition laws don’t
work on functional inputs
Dormant Failures
[Figure: Q(t) against t over successive test intervals τ, 2τ, 3τ, 4τ: a saw-tooth that rises between tests and drops to zero at each test, drawn for τ << MTTF.]
Mean Unavailability
$Q_{mean} = \frac{\lambda\tau - (1 - e^{-\lambda\tau}) + \lambda \cdot MTTR\,(1 - e^{-\lambda\tau})}{\lambda\tau + \lambda \cdot MTTR\,(1 - e^{-\lambda\tau})}$
$\omega = \lambda(1 - Q_{mean})$
Simplifies to:
$Q_{mean} = \frac{\lambda\tau}{2} + \lambda \cdot MTTR$
where τ, MTTR << MTTF
Mean Unavailability
[Figure: the saw-tooth Q(t) over τ, 2τ, 3τ, 4τ with the horizontal line Qmean drawn through it.]
Maximum Unavailability
$Q_{max} = 1 - e^{-\lambda\tau}$
$\omega = \lambda(1 - Q_{max})$
Maximum Unavailability
[Figure: the saw-tooth Q(t) over τ, 2τ, 3τ, 4τ with the horizontal line Qmax at the peak reached just before each test.]
IEC 61508 Averaging
From the standard
Q for 1oo2 voted configuration:
$PFD_{avg} = 2\left((1 - \beta_D)\lambda_{DD} + (1 - \beta)\lambda_{DU}\right)^2 t_{CE}\, t_{GE} + \beta_D \lambda_{DD}\, MTTR + \beta \lambda_{DU}\left(\frac{\tau}{2} + MTTR\right)$
where
$t_{CE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{2} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_D} MTTR$
$t_{GE} = \frac{\lambda_{DU}}{\lambda_D}\left(\frac{\tau}{3} + MTTR\right) + \frac{\lambda_{DD}}{\lambda_D} MTTR$
IEC 61508 Averaging
Example inputs:
λ = 4.6E-6, MTTR = 0.001, τ = 17520
Using IEC 61508 Standard:
Q = 0.002165
Using Multiplication Law with
Mean unavailability
Q = 0.001539
IEC 61508 Averaging
Reason for the discrepancy
For a given function f(x):
$\overline{f(x) \cdot f(x)} \neq \overline{f(x)} \cdot \overline{f(x)}$ (the time-average of a product is not the product of the time-averages)
Approximating in FT
Apply Markov to cut sets with two or more dormant failure events
Which Method?
Max method – worst case
Ex: safety-critical system
IEC 61508 – multiple dormant
events
Ex: Protection system with many
overlapping dormant faults
Mean method otherwise
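The numbers on the IEC 61508 Averaging example slide can be reproduced, and the reason for the discrepancy made concrete, with the following Python script. It is an added illustration, not course material or Reliability Workbench code. It implements the mean and maximum dormant formulas and the 1oo2 closed form exactly as written on the preceding slides, and adds a direct time-average of Q(t)² over the test interval (a trapezium-rule integration, which is the editor's addition) for two identical dormant events tested together.

```python
import math


def q_mean_dormant(lam, tau, mttr):
    """Mean unavailability of a proof-tested (dormant) event, slide 5-21 exact form."""
    x = lam * tau
    f = 1 - math.exp(-x)
    return (x - f + lam * mttr * f) / (x + lam * mttr * f)


def q_mean_dormant_approx(lam, tau, mttr):
    """Slide 5-21 simplification, valid for tau, MTTR << MTTF."""
    return lam * tau / 2 + lam * mttr


def q_max_dormant(lam, tau):
    """Worst case, reached just before the proof test (slide 5-23)."""
    return 1 - math.exp(-lam * tau)


def pfd_avg_1oo2(lam_du, tau, mttr, lam_dd=0.0, beta=0.0, beta_d=0.0):
    """1oo2 closed form as written on slide 5-25 (MTTR used wherever the slide
    uses it; with lam_dd = beta = beta_d = 0 only the first term survives)."""
    lam_d = lam_du + lam_dd
    t_ce = lam_du / lam_d * (tau / 2 + mttr) + lam_dd / lam_d * mttr
    t_ge = lam_du / lam_d * (tau / 3 + mttr) + lam_dd / lam_d * mttr
    return (2 * ((1 - beta_d) * lam_dd + (1 - beta) * lam_du) ** 2 * t_ce * t_ge
            + beta_d * lam_dd * mttr + beta * lam_du * (tau / 2 + mttr))


def mean_of_product(lam, tau, steps=20000):
    """Direct time-average of Q(t)^2 over one test interval for two identical dormant
    events tested together (repair time ignored, MTTR << tau), by the trapezium rule."""
    h = tau / steps
    total = 0.0
    for i in range(steps + 1):
        q = 1 - math.exp(-lam * i * h)
        weight = 0.5 if i in (0, steps) else 1.0
        total += weight * q * q
    return total * h / tau


def compare(lam=4.6e-6, tau=17520.0, mttr=0.001):
    """Slide 5-26 inputs: the product of the two mean unavailabilities against the
    IEC closed form and against the time-average of the product."""
    qm = q_mean_dormant(lam, tau, mttr)
    return {
        "q_mean": qm,
        "q_mean_approx": q_mean_dormant_approx(lam, tau, mttr),
        "product_of_means": qm * qm,
        "iec_1oo2": pfd_avg_1oo2(lam, tau, mttr),
        "mean_of_product": mean_of_product(lam, tau),
        "q_max_squared": q_max_dormant(lam, tau) ** 2,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:18s} {value:.6g}")
```

With the slide's inputs the product of the two mean unavailabilities is 0.001539 and the IEC closed form gives 0.002165, the two values quoted on the slide; the direct time-average of Q(t)² comes out at about 0.00204. The product of means is low because Q(t) of the two channels rises together through the interval, so the average of the product exceeds the product of the averages; the IEC form is a small-λτ approximation to that average and sits slightly above the integral, while Qmax² (about 0.006) is the pessimistic bound.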
Weibull Distribution
Failure rate varies with time
Requires 3 parameters:
η – Characteristic Lifetime
β – Shape Parameter
γ – Location Parameter
Weibull Distribution
Rate, Unreliability given by:
$r(t) = \frac{\beta (t - \gamma)^{\beta - 1}}{\eta^{\beta}}, \quad F(t) = 1 - e^{-\left(\frac{t - \gamma}{\eta}\right)^{\beta}}$
Must use numerical integration to solve
Solve for different t values, average
Other Cases
Phases
Failure Rate, Q change with respect to phase
E.g., rocket launch (on pad, launch, in space
flight)
Steady State
Component already in use
Normal, Lognormal
Other statistical distributions
Sequences
Failures can only occur in sequence
Limited replacement spares
Limited repair crews
Standby failure rate
Imperfect Proof Testing
Failure Rates
Historical Data
CMMS tracking/Work order history
Weibull analysis
Libraries
NPRD 2011, IAEA
Integrated with RWB
Exida
Linked via External App
SIS-Tech
Failure Data Sources
Prediction Standards
Electronic
MIL-HDBK-217F
RIAC 217+
Telcordia SR-332 Issue 3
IEC TR 62380
Siemens SN 29500
GJB/z 299
Mechanical
NSWC
Failure Data Sources
Manufacturer testing
Not necessarily relevant to each
usage or environment
Engineering judgment
Subjective
End of Chapter 5
Summary
Common model parameters
Common event failure characteristics
System Quantification
Chapter 6
System Quantification
Determine cut sets
Solve Q and ω
For basic events
For cut sets (multiplication law)
For TOP events (addition law)
Use TOP event Q and ω to
solve:
TDT, W, F, CFI
Calculation Methods
Cross Product
Esary-Proschan
Rare
Lower Bound
Example
A·B + A·C·D + A·C·E
Q = 0.01, ω = 2 for every event
[Figure: fault tree. TP1 is an OR of gates GT1, GT2 and GT3; GT1 = A AND B, GT2 = A AND C AND D, GT3 = A AND C AND E.]
Minimal Cut Set Q and ω
Multiplication law
$Q_{cut}(t) = \prod_{i=1}^{n} Q_i(t)$
$\omega_{cut} = \sum_{j=1}^{n} \omega_j \prod_{i=1,\, i \neq j}^{n} Q_i$
n = number of events in cut set
Example
Cut Set Q and ω
QAB = 0.01 × 0.01 = 10⁻⁴
QACD = 0.01 × 0.01 × 0.01 = 10⁻⁶
QACE = 0.01 × 0.01 × 0.01 = 10⁻⁶
ωAB = ωA QB + ωB QA = 2 × 0.01 + 2 × 0.01 = 0.04
ωACD = ωA QC QD + ωC QA QD + ωD QA QC
= 2 × 0.01 × 0.01 + 2 × 0.01 × 0.01 + 2 × 0.01 × 0.01 = 0.0006
ωACE = ωA QC QE + ωC QA QE + ωE QA QC
= 2 × 0.01 × 0.01 + 2 × 0.01 × 0.01 + 2 × 0.01 × 0.01 = 0.0006
Cross-Product Method
Exact method
Slow to solve for large trees
Limit product terms (stopping after an odd number of terms gives an upper bound)
$Q_{SYS} = \sum_{i=1}^{n} Q_{cut_i}(t) - \sum_{i=1}^{n-1}\sum_{j=i+1}^{n} Q_{ij}(t) + \sum_{i=1}^{n-2}\sum_{j=i+1}^{n-1}\sum_{k=j+1}^{n} Q_{ijk}(t) \cdots (-1)^{n+1} Q_{1.2.3 \ldots n}(t)$
n = number of cut sets
Example
Cross-Product
QSYS = QAB + QACD + QACE
– QABCD – QABCE – QACDE
+ QABCDE
= 10⁻⁴ + 10⁻⁶ + 10⁻⁶
− 10⁻⁸ − 10⁻⁸ − 10⁻⁸ + 10⁻¹⁰
= 0.0001019701
≈ 0.000102
Esary-Proschan Method
Multiplication law
Odds that no cut set occurs
Upper-bound
Faster, still accurate
$Q_{sys}(t) = \prod_{i=1}^{m} q_i \left[1 - \prod_{j=1}^{n}\left(1 - Q_{cut_j}(t)\right)\right]$
$\omega_{sys}(t) = \sum_{i=1}^{n} \omega_{cut_i}(t) \prod_{j=1,\, j \neq i}^{n}\left[1 - Q_{cut_j}(t)\right]$
Here q₁ … qₘ are the unavailabilities of the m events common to every cut set, which are factored out, and the Q_cutj inside the bracket are the cut set unavailabilities with those common events removed, as in the example that follows.
Example
Esary-Proschan Approximation
QSYS = QA [1 – (1 – QB)(1 – QCD)(1 – QCE)]
= 0.01[1 – 0.99 × 0.9999 × 0.9999]
= 0.000101979901
≈ 0.000102
ωSYS = ωAB (1 – QACD)(1 – QACE) + ωACD (1 – QAB)(1 – QACE)
+ ωACE (1 – QAB)(1 – QACD)
= 0.04 × 0.999999 × 0.999999 + 0.0006 × 0.9999 × 0.999999
+ 0.0006 × 0.9999 × 0.999999
= 0.04119979880016
≈ 0.0412
Rare Approximation
Cross Product — First iteration
Upper bound
Fastest
Less accurate for Q > 0.2
$Q_{SYS}(t) = \sum_{i=1}^{n} Q_{cut_i}(t)$
$\omega_{SYS}(t) = \sum_{i=1}^{n} \omega_{cut_i}(t)$
Example
Rare Approximation
QSYS = QAB + QACD + QACE
= 10⁻⁴ + 10⁻⁶ + 10⁻⁶
= 0.000102
ωSYS = 0.04 + 0.0006 + 0.0006
= 0.0412
Lower Bound for Q
Cross Product
First two iterations
$Q_{lower}(t) = \sum_{i=1}^{n} Q_{cut_i}(t) - \sum_{i=1}^{n-1}\sum_{j=i+1}^{n} Q_{ij}(t)$
Example
Lower Bound
QSYS = QAB + QACD + QACE
– QABCD – QABCE – QACDE
= 10⁻⁴ + 10⁻⁶ + 10⁻⁶ − 10⁻⁸ − 10⁻⁸ − 10⁻⁸
= 0.00010197
≈ 0.000102
Errors Due to Approximations
A + B·C + B·D
Computed System Unavailabilities
Event Q   Cross Product   Esary-Proschan   Rare     Lower Bound
0.5       0.6875          0.71875          1        0.625
0.1       0.1171          0.11791          0.12     0.117
0.01      0.01019701      0.01019799       0.0102   0.010197
% Difference
Event Q   Cross Product   Esary-Proschan   Rare     Lower Bound
0.5       0%              4.5%             45%      9.1%
0.1       0%              0.69%            2.5%     0.085%
0.01      0%              0.0096%          0.029%   0.000098%
Other System Parameters
$TDT_{SYS} = \int_0^T Q_{SYS}(t)\,dt$ (total down time)
$W_{SYS} = \int_0^T \omega_{SYS}(t)\,dt$ (expected number of failures)
$\lambda_{SYS} = \frac{\omega_{SYS}}{1 - Q_{SYS}}$ (conditional failure intensity, CFI)
$F_{SYS} = 1 - e^{-\int_0^T \lambda_{SYS}(t)\,dt}$ (unreliability)
$MTTR_{SYS} = \frac{Q(\infty)}{\omega(\infty)}$
$MTBF_{SYS} = \frac{1}{\omega(\infty)}$
$Q_{SYS} = \frac{TDT_{SYS}}{T}$ (mean unavailability over the lifetime T)
$RRF = \frac{1}{Q_{SYS}}$ (risk reduction factor)
$MTTF_{SYS} = \int_0^{\infty} R(t)\,dt$
Modularizing Fault Trees
Goal: Reduce analysis time
Reduce number of cut sets
Replace isolated sections of
tree with super-events
Analyze sections independently
Modularization Example
Cut sets:
TOP1 = GATE1 · GATE2
GATE1 = A + B
GATE2 = C + D
Unmodularized:
TOP1 = A·C + A·D + B·C + B·D
QTOP1 = QAC + QAD + QBC + QBD − QACD − QABC
− QABCD − QABCD − QABD − QBCD + QABCD +
QABCD + QABCD + QABCD − QABCD
15 product terms
Modularization Example
Modularized:
QGATE1 = QA + QB – QAB
QGATE2 = QC + QD – QCD
QTOP1 = QGATE1 · QGATE2
7 product terms
Program Demonstration
Using a FT tool to analyze a
tree
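The four calculation methods of this chapter can be run side by side on the slide 6-4 example and on the A + B·C + B·D comparison with the following Python code, added here as an illustration (it is not Reliability Workbench code, and the cut sets are entered directly rather than derived from a tree). Cross product with a depth limit covers the exact method, the rare approximation (depth 1) and the lower bound (depth 2); Esary-Proschan follows the factored form of the slide 6-9 example.

```python
from itertools import combinations

# Slide 6-4 example: TP1 = A·B + A·C·D + A·C·E, every event Q = 0.01, ω = 2
CUT_SETS = [frozenset("AB"), frozenset("ACD"), frozenset("ACE")]
Q = {e: 0.01 for e in "ABCDE"}
W = {e: 2.0 for e in "ABCDE"}


def prod(values):
    result = 1.0
    for v in values:
        result *= v
    return result


def cut_set_q(cut, q):
    """Multiplication law: all events in the cut set down together (slide 6-5)."""
    return prod(q[e] for e in cut)


def cut_set_w(cut, q, w):
    """Cut set frequency: each event in turn fails last while the others are down."""
    return sum(w[j] * prod(q[i] for i in cut if i != j) for j in cut)


def cross_product(cut_sets, q, depth=None):
    """Inclusion-exclusion over cut sets (slide 6-7).  depth=None is exact;
    depth=1 is the rare approximation; depth=2 the lower bound of slide 6-13."""
    n = len(cut_sets)
    limit = n if depth is None else min(depth, n)
    total = 0.0
    for k in range(1, limit + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(cut_sets, k):
            # k cut sets occur together when every event in any of them is down
            total += sign * cut_set_q(frozenset().union(*combo), q)
    return total


def rare(cut_sets, q, w):
    """Slide 6-11: plain sums of the cut set Q and ω."""
    return (sum(cut_set_q(c, q) for c in cut_sets),
            sum(cut_set_w(c, q, w) for c in cut_sets))


def esary_proschan(cut_sets, q, w):
    """Slide 6-9 form: factor out the events common to every cut set, then take
    1 - P(none of the reduced cut sets occurs) as if they were independent."""
    common = frozenset.intersection(*cut_sets)
    reduced = [c - common for c in cut_sets]
    q_sys = cut_set_q(common, q) * (1 - prod(1 - cut_set_q(c, q) for c in reduced))
    qs = [cut_set_q(c, q) for c in cut_sets]
    w_sys = sum(cut_set_w(c, q, w) * prod(1 - qs[j] for j in range(len(qs)) if j != i)
                for i, c in enumerate(cut_sets))
    return q_sys, w_sys


def compare_methods(cut_sets, q, w):
    """All four system Q values side by side, as in the slide 6-15 table."""
    return {
        "cross_product": cross_product(cut_sets, q),
        "esary_proschan": esary_proschan(cut_sets, q, w)[0],
        "rare": cross_product(cut_sets, q, depth=1),
        "lower_bound": cross_product(cut_sets, q, depth=2),
    }


if __name__ == "__main__":
    print(compare_methods(CUT_SETS, Q, W))
    for qv in (0.5, 0.1, 0.01):
        cs = [frozenset("A"), frozenset("BC"), frozenset("BD")]
        print(qv, compare_methods(cs, {e: qv for e in "ABCD"}, {e: 1.0 for e in "ABCD"}))
```

The exact cross product is the reference, and the cost is visible in the loop: it evaluates 2ⁿ − 1 combinations of n cut sets, which is why a real tool caps the number of product terms. The three approximations agree with the slide 6-15 table, including the rare value of 1 for Q = 0.5, where the sum of cut set unavailabilities stops being a probability at all.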
End of Chapter 6
Summary
Approximation methods
Cross Product, Esary-Proschan, Rare,
Lower Bound
Differences
Other parameters
Modularization
Importance Analysis
Chapter 7
Importance Analysis
Helps determine:
Event contribution to TOP event
TOP event sensitivity to event
changes
Weak areas in the system
Where to cut corners
Useful during the design stage
Importance Measures
Fussell-Vesely Importance
Birnbaum Importance
Barlow-Proschan Importance
Sequential Importance
Risk Reduction Worth
Risk Achievement Worth
Fussell-Vesely Importance
Contribution to system Q
High F-V Importance — worst
actor
Decreasing Q on these events =
biggest decrease to system Q
Percentage of failures
involving the event
$I_i^{FV} = \frac{Q_{SYS} - Q_{SYS}(q_i = 0)}{Q_{SYS}}$
Birnbaum Importance
Sensitivity of system Q
High Birnbaum — highly
sensitive
Increasing Q on these events =
biggest increase in system Q
$I_i^{BB} \approx \frac{\sum_{j=1}^{n} Q_{cut_j}}{q_i}$
Where n = number of cut sets containing event i
Barlow-Proschan Importance
Contribution to ω as initiator
Last to fail
Probability system fails because
event failed last
Sum of frequency terms with event
as initiator ÷ system ω
$I_i^{BP} = \frac{\sum_{j=1}^{n} \omega_i\, Q_{cut_j}}{\omega_{SYS}}$
Qcutj = product of events in j-th cut set, excluding event i
Example
Barlow-Proschan
A·B + A·C·D
Frequency terms: ωA·QB, ωB·QA,
ωA·QC·QD, ωC·QA·QD, ωD·QA·QC
$I_A^{BP} = \frac{\omega_A \times Q_B + \omega_A \times Q_C \times Q_D}{\omega_{SYS}}$
Sequential Importance
Contribution to ω as enabler
Not last to fail
Probability system fails
because event was failed when
failure event occurred
Sum frequency terms with
event as enabler ÷ system ω
Example
Sequential
A·B + A·C·D
Frequency terms: ωA·QB, ωB·QA,
ωA·QC·QD, ωC·QA·QD, ωD·QA·QC
$I_A^{S} = \frac{\omega_B \times Q_A + \omega_C \times Q_A \times Q_D + \omega_D \times Q_A \times Q_C}{\omega_{SYS}}$
Risk Reduction Worth
Contribution to risk
Maximum possible risk
reduction
Inverse of F-V importance
$I_i^{RRW} = \frac{Q_{SYS}}{Q_{SYS}(q_i = 0)}$
Risk Achievement Worth
Contribution to risk
Worth of component to current
risk level
Importance of maintaining
reliability of component
$I_i^{RAW} = \frac{Q_{SYS}(q_i = 1)}{Q_{SYS}}$
Program Demonstration
Using a FT program to
calculate importance
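The six importance measures of this chapter, applied to the A·B + A·C·D example of slides 7-7 and 7-9, can be computed with the following Python code. It is an added illustration rather than course or Reliability Workbench code; the slides give only the formulas, so the event data (Q = 0.01 and ω = 2 for every event, as in the chapter 6 example) are an assumption, and the system Q and ω are taken with the rare approximation so that Q_SYS(q_i = 0) and Q_SYS(q_i = 1) are plain sums.

```python
# Slide 7-7 example: A·B + A·C·D.  Event data are assumed (Q = 0.01, ω = 2 for
# every event, as in the slide 6-4 example); the slides give only the formulas.
CUT_SETS = [frozenset("AB"), frozenset("ACD")]
Q = {e: 0.01 for e in "ABCD"}
W = {e: 2.0 for e in "ABCD"}


def prod(values):
    result = 1.0
    for v in values:
        result *= v
    return result


def cut_q(cut, q):
    return prod(q[e] for e in cut)


def frequency_terms(cut, q, w):
    """(last-to-fail event, ω_last · Π Q_others) for each event of one cut set."""
    return [(last, w[last] * prod(q[e] for e in cut if e != last)) for last in cut]


def system_q(cut_sets, q):
    return sum(cut_q(c, q) for c in cut_sets)            # rare approximation


def system_w(cut_sets, q, w):
    return sum(term for c in cut_sets for _, term in frequency_terms(c, q, w))


def importance(cut_sets, q, w):
    """Fussell-Vesely, Birnbaum (slide 7-5 approximation), Barlow-Proschan,
    Sequential, Risk Reduction Worth and Risk Achievement Worth for every event."""
    q_sys, w_sys = system_q(cut_sets, q), system_w(cut_sets, q, w)
    results = {}
    for event in sorted(set().union(*cut_sets)):
        q_sys_0 = system_q(cut_sets, dict(q, **{event: 0.0}))     # event made perfect
        q_sys_1 = system_q(cut_sets, dict(q, **{event: 1.0}))     # event made certain
        containing = [c for c in cut_sets if event in c]
        # frequency terms of those cut sets split by whether this event failed last
        as_initiator = sum(t for c in containing
                           for last, t in frequency_terms(c, q, w) if last == event)
        as_enabler = sum(t for c in containing
                         for last, t in frequency_terms(c, q, w) if last != event)
        results[event] = {
            "FV": (q_sys - q_sys_0) / q_sys,
            "Birnbaum": sum(cut_q(c, q) for c in containing) / q[event],
            "BP": as_initiator / w_sys,
            "Sequential": as_enabler / w_sys,
            "RRW": q_sys / q_sys_0 if q_sys_0 > 0 else float("inf"),
            "RAW": q_sys_1 / q_sys,
        }
    return results


if __name__ == "__main__":
    for event, measures in importance(CUT_SETS, Q, W).items():
        print(event, {k: round(v, 6) for k, v in measures.items()})
```

Event A appears in every cut set, so its Fussell-Vesely importance is 1, its Risk Reduction Worth is unbounded (a perfect A removes every failure) and its Barlow-Proschan and Sequential importances sum to 1, since every frequency term either has A failing last or has A already failed. B and C have the same Q and ω, yet B's Fussell-Vesely importance is a hundred times C's, because B sits in a second-order cut set and C in a third-order one; that ranking, not the event data alone, is what the measures add.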
End of Chapter 7
Summary
Importance analysis
Fussell-Vesely, Birnbaum, Barlow-Proschan, Sequential, Risk Reduction Worth,
Risk Achievement Worth
Common Cause Failures
Chapter 8
Common Cause Failures
Affect multiple otherwise
independent components
System, component and operator
failures
Environment
Maintenance and testing
Manufacturer
Installation
Calibration
External impacts
Stress
Ageing
CCF Model Types
Beta Factor Model
Multiple Greek Letter (MGL)
Model
Alpha Factor Model
Beta Binomial Failure Rate
(BFR) Model
Pump Example
Two pumps
Independent power supplies
Attached to same structure
Vibration, high temperature,
humidity, impact, stress
May be identical pumps
Incorrect maintenance
Manufacturing defects
Two Pump System
[Figure: fault tree. TP1 (Both pumps unavailable) = AND of basic events P1 (Pump 1 failure) and P2 (Pump 2 failure).]
Beta Factor Model
TP2 = CCF + P1 · P2
[Figure: fault tree. TP2 (Both pumps unavailable) = AND of gates PUMP1 (Pump 1 unavailable) and PUMP2 (Pump 2 unavailable); PUMP1 = OR of P1 (Pump 1 failure) and CCF (Common causes); PUMP2 = OR of P2 (Pump 2 failure) and the same CCF event.]
Beta Factor Model
QI = (1 − β ) ⋅ QT
QCCF = β ⋅ QT
β = beta factor
QI = Q due to independent
failures
QCCF = Q due to CCF
QT = Total Q
Beta Factor Model
Example
QT = 0.001, β = 0.1
QTOP = 0.1 × 0.001 + (0.9 × 0.001)(0.9 × 0.001)
= 1.0081 × 10⁻⁴
Contrast with independent failures only
QTOP = 0.001 × 0.001 = 10⁻⁶
IEC Beta Factor Model
What if I don’t know what Beta
factor to use?
IEC 61508-6 Annex D
Provides method for determining beta
factor
Table D.1: questionnaire about
components
Beta assigned based on score
IEC Beta Factor Model
Table D.1 example
Separation/segregation
Are all signal cables for the channels routed separately at all positions?
Are the logic subsystem channels on separate printed-circuit boards?
Are the logic subsystem channels in separate cabinets?
If the sensors/final elements have dedicated control electronics, is the
electronics for each channel on separate printed-circuit boards?
If the sensors/final elements have dedicated control electronics, is the
electronics for each channel indoors and in separate cabinets?
CCF Models
Beta factor: “All or nothing”
CCFs affect either all components in
group, or none
[Figure: fault tree. TP2 (All sensors failed) = AND of gates SENSOR1, SENSOR2 and SENSOR3 (Sensor n failed); each gate is an OR of its independent failure Sn (Sensor n failure) and the single shared event CCF (All sensors fail due to common causes).]
Beta Factor Adjustment
Applying Beta factor to CCF
group of 3 or more can be
pessimistic
Less likely that CCF will affect all
rather than some
Can adjust beta factor to
compensate
IEC 61508, 2010 has a table for this
Beta Factor Adjustment
Calculation of β for systems with levels of redundancy greater than 1oo2 (IEC 61508, 2010)
m oo n: m = number of channels that must work for success, n = channels in the group
m \ n    2      3       4        5
1        β      0.5β    0.3β     0.2β
2        –      1.5β    0.6β     0.4β
3        –      –       1.75β    0.8β
4        –      –       –        2β
CCF Models
Alternate method: other CCF
models
Replace a single event with
multiple events representing
possible combos
Beta factor replaces event with two
events (independent and CCF)
Other models replace with multiple
events (combinations of CCF events)
CCF Models
Example: CCF Group A, B, C, D
Event A replaced in cut sets with:
A + [AB] + [AC] + [AD] + [ABC] +
[ABD] + [ACD] + [ABCD]
A represents independent failure
[] represent CCF event affecting
those components
[ACD] represents CCF of A, C, and D
CCF Models
Example: 3 sensors
[Figure: fault tree. TP1 (All sensors failed) = AND of basic events S1, S2, S3 (Sensor n failed).]
CCF Models
TP2 = S1.S2.S3 + S12.S3 +
S13.S2 + S23.S1 + S123
[Figure: the same tree with the CCF combinations expanded. SENSORS (All sensors failed) = AND of SENSOR1, SENSOR2, SENSOR3 (Sensor n failed). SENSOR1 = OR of S1 (Sensor 1 failed), S1-2 (Sensors 1 and 2 failed), S1-3 (Sensors 1 and 3 failed), S1-2-3 (Sensors 1, 2 and 3 failed); SENSOR2 = OR of S2, S1-2, S2-3, S1-2-3; SENSOR3 = OR of S3, S1-3, S2-3, S1-2-3.]
MGL Model
Expansion of Beta Factor model
Three parameters: β, γ, δ
β — conditional probability that
component failure is CCF shared by 1 or
more other components
γ — conditional probability that CCF
shared by 1 or more other components
is shared by 2 or more other
components
δ — conditional probability that CCF
shared by 2 or more other components
is shared by 3 other components
MGL Model
CCF Event Probability
$Q_k = \frac{1}{\binom{m-1}{k-1}} \left(\prod_{i=1}^{k} \rho_i\right)(1 - \rho_{k+1})\, Q_T$
Where $Q_k$ = unavailability of kth order CCF failure
$\rho_1 = 1,\ \rho_2 = \beta,\ \rho_3 = \gamma,\ \rho_4 = \delta,\ \rho_{m+1} = 0$
$Q_T$ = total unavailability
m = CCF group size
$\binom{m-1}{k-1} = \frac{(m-1)!}{(m-k)!\,(k-1)!}$
MGL Model
Q1 = Independent probability
$Q_1 = \frac{(m-1)!\,(1-1)!}{(m-1)!}\,(1 - \beta)\,Q_T = (1 - \beta)\,Q_T$
MGL model with two events in group = beta model
$Q_2 = \frac{(2-2)!\,(2-1)!}{(2-1)!}\,1 \cdot \beta\,(1 - 0)\,Q_T = \beta \cdot Q_T$
MGL Model
Sensor Example
QT = 0.001, β = 0.1, γ = 0.2, δ = 0
$Q_1 = (1 - \beta)\,Q_T = 9.0 \times 10^{-4}$
$Q_2 = \frac{(3-2)!\,(2-1)!}{(3-1)!}\,1 \cdot \beta\,(1 - \gamma)\,Q_T = \frac{1}{2}\,\beta\,(1 - \gamma)\,Q_T = 4.0 \times 10^{-5}$
$Q_3 = \frac{(3-3)!\,(3-1)!}{(3-1)!}\,1 \cdot \beta \cdot \gamma\,(1 - 0)\,Q_T = \beta\gamma\,Q_T = 2.0 \times 10^{-5}$
MGL Model
Example
TP2 = 0.0009·0.0009·0.0009 + 0.00004·0.0009 + 0.00004·0.0009 + 0.00004·0.0009 + 0.00002 = 2.011E-5
[Figure: the three-sensor tree, TP1 (All sensors failed) = AND of S1, S2, S3, each with Q = 0.001, solved with the MGL model: Q = 2.011E-05.]
Comparison
Beta factor model, β = 0.1
[Figure: the same three-sensor tree, SENSORS3 (All sensors failed) = AND of S1, S2, S3, each with Q = 0.001, solved with the beta factor model: Q = 0.0001.]
Alpha Factor Model
Similar to MGL
Except absolute instead of conditional
percents
Four parameters: α1, α2, α3, α4
αk: proportion of failures in the group
due to a failure that is common to k
events
Proportional to each other
E.g., α1 = 5, α2 = 2 means 5/7ths of failures
are independent, 2/7ths are common cause
Usually easier just to make sure alphas sum
to 1 or 100
Alpha Factor Model
CCF Event Probability
$Q_k = \frac{k}{\binom{m-1}{k-1}} \cdot \frac{\alpha_k}{\alpha_T}\, Q_T$
Where $Q_k$ = unavailability of kth order CCF failure
$Q_T$ = total unavailability
m = CCF group size
$\alpha_T = \sum_{i=1}^{m} i\,\alpha_i$
$\binom{m-1}{k-1} = \frac{(m-1)!}{(m-k)!\,(k-1)!}$
Alpha Factor Model
Sensors Example
QT = 0.001, α1 = 0.9507, α2 = 0.04225, α3 = 0.007042
$\alpha_T = \sum_{i=1}^{m} i\,\alpha_i = 0.9507 + 2 \cdot 0.04225 + 3 \cdot 0.007042 = 1.056$
$Q_1 = \frac{1}{1} \cdot \frac{0.9507}{1.056} \cdot 0.001 = 0.0009$
$Q_2 = \frac{2}{2} \cdot \frac{0.04225}{1.056} \cdot 0.001 = 4.0 \times 10^{-5}$
$Q_3 = \frac{3}{1} \cdot \frac{0.007042}{1.056} \cdot 0.001 = 2.0 \times 10^{-5}$
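The beta, MGL and alpha factor models of this chapter, and the way the expanded CCF events combine into the TOP event of the sensor example, are implemented in the following Python code, added as an illustration (it is not Reliability Workbench's CCF implementation). The set-partition enumeration that generates the combinations of slide 8-17 for a group of any size is the editor's addition; the model formulas are those of the slides.

```python
from math import comb


def beta_event_q(q_t, m, beta):
    """Beta factor model (slide 8-7): independent part plus one CCF event that takes
    out the whole group; no partial (order 2..m-1) CCF events."""
    qs = {k: 0.0 for k in range(1, m + 1)}
    qs[1] = (1 - beta) * q_t
    qs[m] = beta * q_t
    return qs


def mgl_event_q(q_t, m, rho):
    """Multiple Greek Letter model (slide 8-19): Q_k for k = 1..m.
    rho = [beta, gamma, delta, ...]; rho_1 = 1 and rho_{m+1} = 0 are implied and
    any letter not supplied is taken as 0."""
    r = ([1.0] + list(rho) + [0.0] * m)[:m] + [0.0]   # r[i-1] = rho_i, r[m] = rho_{m+1}
    qs = {}
    for k in range(1, m + 1):
        running = 1.0
        for i in range(1, k + 1):
            running *= r[i - 1]
        qs[k] = running * (1 - r[k]) * q_t / comb(m - 1, k - 1)
    return qs


def alpha_event_q(q_t, m, alphas):
    """Alpha factor model (slide 8-25): Q_k = k / C(m-1, k-1) * alpha_k / alpha_T * Q_T."""
    a = (list(alphas) + [0.0] * m)[:m]
    alpha_t = sum((i + 1) * a[i] for i in range(m))
    return {k: k / comb(m - 1, k - 1) * a[k - 1] / alpha_t * q_t for k in range(1, m + 1)}


def set_partitions(items):
    """Every way to split the group into non-empty blocks; each block is one CCF
    event of order len(block), e.g. {S1,S2},{S3} on slide 8-17."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for smaller in set_partitions(rest):
        for i in range(len(smaller)):
            yield smaller[:i] + [[first] + smaller[i]] + smaller[i + 1:]
        yield [[first]] + smaller


def all_fail_q(event_q, m):
    """Rare-approximation Q for 'all m components of the group failed': sum over the
    set partitions of the product of the matching CCF event unavailabilities."""
    total = 0.0
    for partition in set_partitions(list(range(m))):
        term = 1.0
        for block in partition:
            term *= event_q[len(block)]
        total += term
    return total


def sensor_comparison(q_t=0.001, beta=0.1, gamma=0.2, alphas=(0.9507, 0.04225, 0.007042)):
    """Slides 8-21 to 8-26: three sensors under the beta, MGL and alpha factor models."""
    return {
        "beta": all_fail_q(beta_event_q(q_t, 3, beta), 3),
        "mgl": all_fail_q(mgl_event_q(q_t, 3, [beta, gamma, 0.0]), 3),
        "alpha": all_fail_q(alpha_event_q(q_t, 3, alphas), 3),
        "independent": q_t ** 3,
    }


if __name__ == "__main__":
    for model, q in sensor_comparison().items():
        print(f"{model:12s} {q:.4e}")
```

For three sensors the five set partitions give exactly the five cut sets of slide 8-17, and the MGL and alpha parameters of the two worked examples produce the same 2.011E-5, against 1E-4 for the all-or-nothing beta factor and 1E-9 for fully independent failures: the spread between those three answers is the whole argument for choosing the CCF model deliberately.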
Program Demonstration
CCF Model
Include CCFs without another event
Not recommended for system,
component and operator failures
Cut sets/Importance
End of Chapter 8
Summary
Model types
Beta factor model
MGL, Alpha factor models
Including CCFs in a FT
Confidence Analysis
Chapter 9
Confidence Analysis
Assuming failure rates exactly
known
Not necessarily true
Sparse data
Introduces uncertainty in component
Q
Confidence Analysis
Example
10 components tested for 1
year
2 failures occur
λ estimate= 0.2 / year
Could be 0.25 or 0.15
Unlikely to be 0.9 or 0.01
More data — more certainty
Confidence Analysis
Uncertainty expressed as
range, distribution
10⁻⁵ ± 0.5×10⁻⁵ normal distribution
10⁻⁶ to 10⁻⁴ lognormal distribution
Modeled using Monte Carlo
sampling
Pick failure rates from distribution
Run analysis
Repeat
Sampling procedure
[Figure: flowchart of the sampling loop.]
For n = 1 to number of simulations:
  Sample failure rates from distribution
  Run analysis, record results
Loop performed repeatedly
More iterations, more accuracy
Program Demonstration
Using a FT program to find
confidence bounds
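The sampling loop of this chapter, run on a small tree, looks like the following Python code. It is an added example, not a Reliability Workbench procedure: the tree (TOP = A·B + C with non-repairable events), the median failure rates, the error factor of 3 and the one-year time at risk are all constructed for the illustration, and the lognormal spread is parameterised by an error factor (95th percentile divided by median) in the usual way.

```python
import math
import random


def lognormal_sigma(error_factor):
    """sigma of ln(lambda) for a lognormal whose 95th percentile is EF times its median."""
    return math.log(error_factor) / 1.6449


def sample_rates(rng, medians, error_factor):
    """One draw of every failure rate from its lognormal distribution."""
    sigma = lognormal_sigma(error_factor)
    return {name: rng.lognormvariate(math.log(med), sigma) for name, med in medians.items()}


def top_event_q(rates, t):
    """Assumed toy tree TOP = A·B + C with non-repairable events, Q_i = 1 - e^(-λ_i t),
    rare approximation for the TOP event."""
    q = {name: 1 - math.exp(-lam * t) for name, lam in rates.items()}
    return q["A"] * q["B"] + q["C"]


def confidence_analysis(medians, error_factor, t, n_runs=4000, seed=1):
    """Slide 9-5 loop: sample rates, run the analysis, record; then read off percentiles."""
    rng = random.Random(seed)
    results = sorted(top_event_q(sample_rates(rng, medians, error_factor), t)
                     for _ in range(n_runs))
    percentile = lambda p: results[min(int(p * n_runs), n_runs - 1)]
    return {
        "point_estimate": top_event_q(medians, t),   # what a single-valued analysis reports
        "p5": percentile(0.05),
        "median": percentile(0.5),
        "p95": percentile(0.95),
        "mean": sum(results) / n_runs,
    }


# Constructed inputs: median rates per hour, error factor 3, one year at risk
MEDIANS = {"A": 1e-5, "B": 1e-5, "C": 1e-7}

if __name__ == "__main__":
    for name, value in confidence_analysis(MEDIANS, 3.0, 8760.0).items():
        print(f"{name:15s} {value:.4e}")
```

Two things are worth noticing in the output. The mean of the sampled TOP event unavailability is well above the median, because the product of two lognormal rates has a long upper tail, so a point estimate made from median rates understates the expected value. And the 5th to 95th percentile band spans more than a factor of ten even though each rate was only uncertain by a factor of three, since the uncertainties of A and B compound in the A·B cut set.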
End of Chapter 9
Initiators, Enablers, and Sequencing
Chapter 10
Initiating & Enabling Events
Used when order is important
Initiator — last to occur
Frequency event
Enabler — cannot occur last
Probability event
Initiator/enabler — any order
Default
Initiator Example
SPARK is initiator
INFLAM is enabler
SPARK → INFLAM: safe
INFLAM → SPARK: fire
Similar for FIRE and PROTECT
Gate status automatically determined
[Figure: fault tree. TOP1 (Explosion) = AND of gate FIRE (Fire Starts) and PROTECT (PROTECTION SYSTEM UNAVAILABLE); FIRE = AND of INFLAM (Inflammable Material Present, marked E for enabler, Q = 0.1) and SPARK (Spark Occurs, marked I for initiator, ω = 2).]
Cut set Frequency
$\omega_{FIRE} = \omega_{SPARK} \cdot Q_{INFLAM}$
Example
A, B, C, D initiators
$\omega_{CUT} = \omega_A Q_B Q_C Q_D + \omega_B Q_A Q_C Q_D + \omega_C Q_A Q_B Q_D + \omega_D Q_A Q_B Q_C$
A initiator only
$\omega_{CUT} = \omega_A Q_B Q_C Q_D$
Sequencing
More precisely specify order of
failures
First, second, third, fourth, fifth, etc.
Priority AND gate
Applied to cut sets
Markov used to solve
Sequencing and Markov
[Figure: priority AND gate TP1 with inputs A, B, C in sequence positions 1, 2, 3, and the Markov diagram used to solve it. The states are the ordered failure histories: "All working"; A, B, C; A→B, A→C, B→A, B→C, C→A, C→B; and the six complete sequences A→B→C, A→C→B, B→A→C, B→C→A, C→A→B, C→B→A. Each transition adds the next failed component at its rate λ1 (A), λ2 (B) or λ3 (C); only the state A→B→C satisfies the gate.]
Modularizing Priority AND
Example
[Figure: TOP1 = AND of GATE1 and D; GATE1 is a priority AND of A, B, C in sequence positions 1, 2, 3.]
Modularizing Priority AND
Modularized cut sets
TOP1 = GATE1 · D
GATE1 = A · B · C
Allowed failure sequences
D→A→B→C
A→D→B→C
A→B→D→C
A→B→C→D
Modularizing Priority AND
Non-modularized cut sets
TOP1 = A · B · C · D
Allowed failure sequences
A→B→C→D
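The Markov solution of a priority AND gate, and the difference between the modularised and non-modularised cut sets of the last three slides, can be reproduced with the following Python code. It is an added example, not Reliability Workbench's sequencing implementation: it builds the state diagram of slide 10-6 for any number of non-repairable constant-rate components (states are the ordered failure histories), integrates it with a classical Runge-Kutta step, and sums the probability of the complete sequences that a gate accepts. The rates and mission time are constructed for the illustration.

```python
import math
from itertools import permutations


def sequence_states(rates):
    """Markov states = the ordered tuple of components failed so far (slide 10-6)."""
    names = list(rates)
    states = [()]
    for k in range(1, len(names) + 1):
        states.extend(permutations(names, k))
    return states


def build_transitions(states, rates):
    """From each state any still-working component may fail next, at its own rate
    (non-repairable components, constant failure rates)."""
    return {s: [(s + (c,), r) for c, r in rates.items() if c not in s] for s in states}


def derivative(p, trans):
    dp = dict.fromkeys(p, 0.0)
    for s, outs in trans.items():
        for nxt, r in outs:
            flow = r * p[s]
            dp[s] -= flow
            dp[nxt] += flow
    return dp


def solve_markov(rates, t_end, steps=2000):
    """Integrate the state probabilities from 'all working' with classical RK4."""
    states = sequence_states(rates)
    trans = build_transitions(states, rates)
    p = dict.fromkeys(states, 0.0)
    p[()] = 1.0
    h = t_end / steps
    for _ in range(steps):
        k1 = derivative(p, trans)
        k2 = derivative({s: p[s] + 0.5 * h * k1[s] for s in p}, trans)
        k3 = derivative({s: p[s] + 0.5 * h * k2[s] for s in p}, trans)
        k4 = derivative({s: p[s] + h * k3[s] for s in p}, trans)
        p = {s: p[s] + h / 6 * (k1[s] + 2 * k2[s] + 2 * k3[s] + k4[s]) for s in p}
    return p


def sequence_probability(rates, t_end, allowed):
    """P(every component failed by t_end in an order that `allowed` accepts)."""
    p = solve_markov(rates, t_end)
    n = len(rates)
    return sum(prob for s, prob in p.items() if len(s) == n and allowed(s))


def restricted_order(seq, order):
    """True if the components named in `order` occur in `seq` in that relative order."""
    return [c for c in seq if c in order] == list(order)


def plain_and(rates, t_end):
    """Unordered AND of non-repairable events: Π (1 - e^(-λ_i t))."""
    result = 1.0
    for lam in rates.values():
        result *= 1 - math.exp(-lam * t_end)
    return result


if __name__ == "__main__":
    rates = {"A": 1e-3, "B": 1e-3, "C": 1e-3, "D": 1e-3}     # constructed, per hour
    t = 1000.0
    print("A·B·C·D any order      ", plain_and(rates, t))
    print("modularised (slide 10-8)",
          sequence_probability(rates, t, lambda s: restricted_order(s, ("A", "B", "C"))))
    print("strict A→B→C→D (10-9)  ",
          sequence_probability(rates, t, lambda s: s == ("A", "B", "C", "D")))
```

With equal rates every one of the 24 orderings is equally likely, so the strict sequence A→B→C→D carries 1/24 of the unordered AND probability and the modularised gate, which accepts the four sequences of slide 10-8, carries 1/6 of it: four times the non-modularised answer. That ratio is the reason a priority AND cannot be treated as an ordinary module, and the unordered total is a useful check on the integration because the complete-sequence states must sum to Π(1 − e^(−λt)).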
Program Demonstration
Event sequence status
Sequencing options
Auto-sequence Priority AND
Verification
Exactly 1 initiator under AND
Results
End of Chapter 10
Event Trees
Chapter 11
Event Tree Analysis
Identifies outcomes of
initiating event
Uses inductive approach
Fault trees use deductive approach
ETA & FTA closely linked
FTs can be used to quantify events in
ET sequences
Use cut sets and same quantitative
methodology
Pipe Break Event Tree
Nuclear safety example
Examines effectiveness of protective
system
Initiating event - Pipe break
Enablers - Protective systems
All possible outcomes examined
Each branch examines failure or
success
Failure branches: failure of basic event
or the minimal cut sets of a gate
Success branches: success state of basic
event or minimal path sets of a gate
Pipe Break Event Tree
[Figure: event tree. Initiating event: Pipe Break. Headings, left to right: Electric Power, Emergency Cooling, Fission Product Removal, Containment Integrity, Consequence. Each heading branches into Success and Failure, giving 16 end branches. Consequences: No Release (3 sequences), Very Small Release (1), Small Release (3), Medium Release (3), Large Release (5), Very Large Release (1).]
Pipe Break Event Tree
Simplify by
Removing impossible sequences
Removing sequences leading to ‘No
Release’
Combine neighbouring end-branches
with the same consequences
Simplifying – Impossible Sequence
[Figure: the full pipe break event tree again (same columns and 16 end branches), with an impossible sequence highlighted for removal.]
Simplifying – “No Release”
[Figure: the full pipe break event tree again, with the three sequences ending in ‘No Release’ highlighted for removal.]
Simplifying – Combining Branches
[Figure: the full pipe break event tree again, with neighbouring end branches that share a consequence highlighted for combination.]
Simplified Pipe Break Event Tree
[Figure: simplified event tree. Branch data: Pipe Break ω=0.01; Electric Power Q=0.00016; Emergency Cooling Q=0.0016; Fission Product Removal Q=0.02; Containment Integrity Q=0.01. Branches that cannot occur in a sequence are shown as Null.]
End branches (consequence, frequency):
Very Small Release   2e-6
Small Release        1.4e-5
Small Release        2.8e-7
Medium Release       2.9e-9
Large Release        1.5e-6
Large Release        3.1e-8
Very Large Release   3.2e-10
Pipe Break Minimal Cut Sets
Obtained with AND logic at each branch
“Very Large Release”
PIPE · ELEC · FISSION · CINT
“Medium Release”
PIPE · ELEC · COOL · FISSION · CINT
ELEC and COOL are FTs
Share common events
Must be resolved to FT basic events
Spark Event Tree
[Figure: fault tree feeding the Spark event tree.]
TOP1      Explosion
  FIRE      Fire Starts
    SPARK     Spark Occurs (I, ω=2)
    INFLAM    Inflammable Material Present (E, Q=0.1)
  PROTECT   Protection System Unavailable
Spark Event Tree
Columns: Spark Occurs (ω=2), Inflammable Material Present (Q=0.1), Protection System Unavailable (Q=0.017), Consequence, Frequency
Spark Occurs   Inflammable Material Present   Protection System Unavailable   Consequence   Frequency
Initiator      Success                        Success                         None          1.77
Initiator      Success                        Failure                         None          0.0306
Initiator      Failure                        Success                         None          0.197
Initiator      Failure                        Failure                         Explosion     0.0034
Results
Per Consequence
Frequency
Importance
Cut sets
Per category
Risk
F-N Curve
Correlates weight with frequency
X-axis: weight
Y-axis: cumulative frequency of all consequences with that weight
In a given category
Pipe Break F-N Curve
[Figure: “Safety F-N Curve” for the pipe break event tree. X-axis: Weight, log scale from 0.1 to 10. Y-axis: Cumulative frequency, log scale from 1E-13 to 0.0001.]
Modularization
Consider:
Tank Overfill   Shutoff   Emergency Relief   Consequence
Initiator       Success   Success            No effect
Initiator       Success   Failure            No effect
Initiator       Failure   Success            No effect
Initiator       Failure   Failure            Chemical spill
Modularization
Where:
SHUTOFF   Shut off does not engage (OR gate, Q=0.0199)
  VALVE     Shut-off valve fails open (Q=0.01)
  SENSOR    Level sensor fails to detect high level (Q=0.01)
RELIEF    Emergency relief system fails to open (OR gate, Q=0.0199)
  PVALVE    Pressure relief valve fails closed (Q=0.01)
  SENSOR    Level sensor fails to detect high level (Q=0.01)
Modularization
If SHUTOFF and RELIEF considered separately:
Tank Overfill (ω=2)   Shutoff (Q=0.0199)   Emergency Relief (Q=0.0199)   Consequence      Frequency
Initiator             Success              Success                       No effect        1.921
Initiator             Success              Failure                       No effect        0.03901
Initiator             Failure              Success                       No effect        0.03901
Initiator             Failure              Failure                       Chemical spill   0.000792
Modularization
SHUTOFF = VALVE + SENSOR = 0.0199
RELIEF = PVALVE + SENSOR = 0.0199
Chemical Spill = OVERFILL · SHUTOFF · RELIEF = 2 · 0.0199 · 0.0199 = 7.92E-4
Modularization
However, SENSOR is a common event
SHUTOFF and RELIEF are not independent
Chemical Spill ≠ OVERFILL · SHUTOFF · RELIEF
Accurate calculation must resolve consequences to minimal cut sets
Modularization
Chemical Spill:
SHUTOFF · RELIEF
= (VALVE + SENSOR) · (PVALVE + SENSOR)
= SENSOR + VALVE · PVALVE
Modularization
If SHUTOFF and RELIEF resolved to minimal cut sets:
Tank Overfill (ω=2)   Shutoff   Emergency Relief   Consequence      Frequency
Initiator             Success   Success            No effect        1.941
Initiator             Success   Failure            No effect        0.0196
Initiator             Failure   Success            No effect        0.0196
Initiator             Failure   Failure            Chemical spill   0.0202
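The point made on the Pipe Break cut set slide (ELEC and COOL are fault trees sharing common events and must be resolved to basic events) and worked through on the Tank Overfill slides can be checked in code. The following is an added Python example, not Isograph's or Reliability Workbench's code. It takes only the data printed on the slides (SHUTOFF = VALVE + SENSOR, RELIEF = PVALVE + SENSOR, every basic event Q=0.01, OVERFILL ω=2), derives the minimal cut sets of the Chemical Spill sequence, and computes the sequence frequencies two ways: multiplying the module unavailabilities as if independent (7.92E-4), and resolving to minimal cut sets with SENSOR shared (0.0202). The exhaustive basic-event enumeration also produces the success-branch frequencies (1.941, 0.0196, 0.0196), which need the path sets rather than the cut sets.

```python
"""Event tree branches that are fault trees sharing a basic event.

Added example, not Isograph / Reliability Workbench code.  Data from the
Tank Overfill slides: OVERFILL omega = 2, SHUTOFF = VALVE + SENSOR,
RELIEF = PVALVE + SENSOR, every basic event Q = 0.01.
"""
from itertools import combinations, product

# Fault trees as nested tuples: ("OR", child, ...) / ("AND", child, ...);
# a bare string is a basic event.
SHUTOFF = ("OR", "VALVE", "SENSOR")     # shut-off does not engage
RELIEF = ("OR", "PVALVE", "SENSOR")     # emergency relief fails to open
Q = {"VALVE": 0.01, "SENSOR": 0.01, "PVALVE": 0.01}
OMEGA = 2.0                              # tank overfill initiator frequency


def minimize(sets):
    """Absorption: drop any cut set that contains another cut set."""
    return {s for s in sets if not any(o < s for o in sets)}


def minimal_cut_sets(node):
    """Minimal cut sets of a gate, as a set of frozensets of basic events."""
    if isinstance(node, str):
        return {frozenset([node])}
    op, *children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if op == "OR":
        combined = set().union(*child_sets)
    elif op == "AND":
        combined = {frozenset()}
        for cs in child_sets:
            combined = {a | b for a in combined for b in cs}
    else:
        raise ValueError(f"unknown gate type {op}")
    return minimize(combined)


def mcs_probability(cut_sets, q):
    """Exact probability of the union of the cut sets by inclusion-exclusion
    (fine for a handful of cut sets; tools truncate this for large trees)."""
    cut_sets = list(cut_sets)
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        for group in combinations(cut_sets, k):
            term = 1.0
            for event in frozenset().union(*group):
                term *= q[event]
            total += (-1) ** (k + 1) * term
    return total


def holds(node, state):
    """Evaluate a gate for one assignment of basic-event states."""
    if isinstance(node, str):
        return state[node]
    op, *children = node
    values = [holds(c, state) for c in children]
    return all(values) if op == "AND" else any(values)


def sequence_frequencies(omega, branches, q):
    """Exact frequency of every Success/Failure sequence by enumerating all
    2^n basic-event states, so a shared event is handled automatically.
    Returns {("Success"|"Failure", ...) in branch order: frequency}."""
    events = sorted(q)
    freqs = {}
    for bits in product((False, True), repeat=len(events)):
        state = dict(zip(events, bits))
        p = omega
        for event, failed in state.items():
            p *= q[event] if failed else 1.0 - q[event]
        key = tuple("Failure" if holds(b, state) else "Success" for b in branches)
        freqs[key] = freqs.get(key, 0.0) + p
    return freqs


def modular_spill_frequency():
    """Treat SHUTOFF and RELIEF as independent modules: omega * Q1 * Q2."""
    q_shutoff = mcs_probability(minimal_cut_sets(SHUTOFF), Q)   # 0.0199
    q_relief = mcs_probability(minimal_cut_sets(RELIEF), Q)     # 0.0199
    return OMEGA * q_shutoff * q_relief                         # 7.92E-4


def resolved_spill_frequency():
    """Resolve the sequence SHUTOFF · RELIEF to minimal cut sets first."""
    spill = minimal_cut_sets(("AND", SHUTOFF, RELIEF))  # {SENSOR}, {VALVE, PVALVE}
    return OMEGA * mcs_probability(spill, Q)            # 0.0202


if __name__ == "__main__":
    print("SHUTOFF · RELIEF =", minimal_cut_sets(("AND", SHUTOFF, RELIEF)))
    print("modular  :", modular_spill_frequency())
    print("resolved :", resolved_spill_frequency())
    for seq, f in sequence_frequencies(OMEGA, [SHUTOFF, RELIEF], Q).items():
        print(seq, round(f, 6))
```

The enumeration in sequence_frequencies is exponential in the number of basic events and is only meant to show the exact answer for a small tree; the cut-set route (minimal_cut_sets followed by mcs_probability) is the one that scales, and it is why the slides insist on resolving a consequence to basic events before multiplying anything.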
Partial Failure Branches
Success/Failure logic
Gives two and only two outcomes
Partial failure
More than two possible outcomes
Gives a gradation of possibilities
Not necessarily mutually exclusive
Each branch associated with a different gate or event failure
E.g., partial capacity
Partial Failure Branches
Columns: High speed derailment (ω=5.154E-4), Dual track (Q=0.9), Train passing on other track (Q=0.01), Passenger exposure (0-10 / 11-20 / 21-30 passengers), Consequence, Frequency
Dual track   Train passing on other track   Passenger exposure   Consequence     Frequency
False        Null                           0-10 passengers      2 fatalities    1.031E-5
False        Null                           11-20 passengers     4 fatalities    2.577E-5
False        Null                           21-30 passengers     8 fatalities    1.546E-5
True         Success                        0-10 passengers      2 fatalities    9.184E-5
True         Success                        11-20 passengers     4 fatalities    2.296E-4
True         Success                        21-30 passengers     8 fatalities    1.378E-4
True         Failure                        0-10 passengers      8 fatalities    9.277E-7
True         Failure                        11-20 passengers     16 fatalities   2.319E-6
True         Failure                        21-30 passengers     24 fatalities   1.392E-6
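The sequence frequencies on the Spark event tree slide and on the derailment slide above follow the same rule: initiator frequency multiplied by the probability of each branch outcome along the path, which is the AND logic at each branch. The Python below is an added example, not Isograph's or Reliability Workbench's code, and it reproduces both trees from the slide data: Spark ω=2, INFLAM Q=0.1, PROTECT Q=0.017; derailment ω=5.154E-4, dual track True with probability 0.9, train passing Q=0.01 (Null on single track). The 0.2/0.5/0.3 split of the three passenger-exposure outcomes is not printed on the slide and is an assumption, chosen because it reproduces all nine slide frequencies. A Branch with more than two outcomes is the partial-failure branch; a Branch whose applies() test fails is recorded as Null. The block also builds the sequence cut set (initiator and failed branches) and the F-N points, taking the cumulative frequency of all sequences with weight ≥ N using fatalities as the weight.

```python
"""Event tree quantification with Success/Failure and partial-failure branches.

Added example, not Isograph / Reliability Workbench code.  Slide data:
  Spark tree:   SPARK omega=2, INFLAM Q=0.1, PROTECT Q=0.017
  Derailment:   omega=5.154E-4, Dual track True p=0.9, Train passing Q=0.01,
                Passenger exposure 0-10 / 11-20 / 21-30 (split assumed 0.2/0.5/0.3)
"""


class Branch:
    """One column of the event tree.

    outcomes: list of (label, probability).  A conventional branch has
    Success/Failure; a partial-failure branch has several graded outcomes.
    applies: function(state) -> bool.  When it returns False the branch is
    recorded as "Null" with probability 1 (it cannot occur in that sequence).
    """

    def __init__(self, name, outcomes, applies=None):
        total = sum(p for _, p in outcomes)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{name}: outcome probabilities sum to {total}")
        self.name = name
        self.outcomes = outcomes
        self.applies = applies if applies is not None else (lambda state: True)


def binary(name, q, applies=None):
    """Conventional branch: Failure with unavailability q, else Success."""
    return Branch(name, [("Success", 1.0 - q), ("Failure", q)], applies)


def quantify(initiator, omega, branches, consequence):
    """Enumerate every sequence; returns [(state, frequency, consequence)].

    Frequency = omega x product of outcome probabilities along the path, i.e.
    AND logic at each branch.  `state` maps initiator/branch name -> label.
    """
    sequences = []

    def walk(i, state, freq):
        if i == len(branches):
            sequences.append((state, freq, consequence(state)))
            return
        b = branches[i]
        if not b.applies(state):
            walk(i + 1, {**state, b.name: "Null"}, freq)
            return
        for label, p in b.outcomes:
            walk(i + 1, {**state, b.name: label}, freq * p)

    walk(0, {initiator: "Initiator"}, omega)
    return sequences


def cut_set(state):
    """The sequence's cut set: the initiator AND every failed branch."""
    return " · ".join(n for n, lab in state.items() if lab in ("Initiator", "Failure"))


def frequency_per_consequence(sequences):
    """Results per consequence: total frequency of each consequence."""
    totals = {}
    for _, f, c in sequences:
        totals[c] = totals.get(c, 0.0) + f
    return totals


def fn_curve(sequences, weight):
    """F-N points: for each weight N present, the cumulative frequency of all
    sequences whose consequence weight is >= N (weight() -> None to skip)."""
    weighted = [(weight(c), f) for _, f, c in sequences if weight(c) is not None]
    levels = sorted({w for w, _ in weighted})
    return [(n, sum(f for w, f in weighted if w >= n)) for n in levels]


# ---- Spark event tree ---------------------------------------------------
def spark_consequence(state):
    both = state["INFLAM"] == "Failure" and state["PROTECT"] == "Failure"
    return "Explosion" if both else "None"


SPARK_TREE = quantify("SPARK", 2.0,
                      [binary("INFLAM", 0.1), binary("PROTECT", 0.017)],
                      spark_consequence)

# ---- High speed derailment tree ----------------------------------------
SINGLE = {"0-10 passengers": 2, "11-20 passengers": 4, "21-30 passengers": 8}
COLLISION = {"0-10 passengers": 8, "11-20 passengers": 16, "21-30 passengers": 24}


def derail_consequence(state):
    table = COLLISION if state["PASSING"] == "Failure" else SINGLE
    return f"{table[state['EXPOSURE']]} fatalities"


def fatalities(label):
    """Weight used for the F-N curve; None for consequences without one."""
    return int(label.split()[0]) if label.endswith("fatalities") else None


DERAIL_TREE = quantify("DERAIL", 5.154e-4, [
    Branch("DUAL_TRACK", [("True", 0.9), ("False", 0.1)]),
    # a train can only be passing on the other track if there is one
    binary("PASSING", 0.01, applies=lambda s: s["DUAL_TRACK"] == "True"),
    Branch("EXPOSURE", [("0-10 passengers", 0.2), ("11-20 passengers", 0.5),
                        ("21-30 passengers", 0.3)]),   # split is an assumption
], derail_consequence)


if __name__ == "__main__":
    for state, f, c in SPARK_TREE:
        print(f"{cut_set(state):28s} {c:10s} {f:.4g}")
    print(frequency_per_consequence(SPARK_TREE))
    for n, f in fn_curve(DERAIL_TREE, fatalities):
        print(f"F(N >= {n:2d} fatalities) = {f:.4g}")
```

Because every branch here is a single event with a fixed probability, multiplying along the path is exact; when a branch is a fault tree that shares basic events with another branch, this shortcut is the modularization error discussed on the Tank Overfill slides and the sequence must be resolved to minimal cut sets instead.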
Program Demonstration
Evaluating an Event Tree in a computer program
End of Chapter 11