Galileo User’s Manual &
Design Overview
(Version 2.11-Alpha)
University of Virginia
Kevin Sullivan, Computer Science
Joanne Bechta Dugan, Electrical Engineering
Contributors: Tom Sabanosh, Sara Jane Curwen, Michael Taylor, Steven J. Miller
_____________________________________________________________________________________________
Table of Contents
I. INTRODUCTION TO GALILEO .........................................................................................................................1
OVERVIEW .................................................................................................................................................................1
SYSTEM REQUIREMENTS ...........................................................................................................................................1
Hardware Requirements ......................................................................................................................................1
Software Requirements.........................................................................................................................................1
INSTALLATION ...........................................................................................................................................................1
II. TECHNICAL OVERVIEW AND DESIGN RATIONALE OF GALILEO......................................................2
PACKAGE-ORIENTED PROGRAMMING FOR LARGE-SCALE REUSE..............................................................................2
THE DIFTREE APPROACH TO MODULAR DYNAMIC FAULT TREE ANALYSIS .............................................................3
III. BASIC OPERATION OF GALILEO .................................................................................................................3
RUNNING GALILEO ....................................................................................................................................................4
CREATING A NEW FAULT TREE .................................................................................................................................4
OPENING AN EXISTING FAULT TREE ..........................................................................................................................4
SAVING A FAULT TREE ..............................................................................................................................................4
PRINTING A FAULT TREE ...........................................................................................................................................4
EXITING FROM GALILEO ............................................................................................................................................4
IV. EDITING FAULT TREES IN GALILEO ..........................................................................................................4
SELECTING A VIEW TO EDIT ......................................................................................................................................4
EDITING IN THE TEXTUAL VIEW ................................................................................................................................5
Gates ....................................................................................................................................................................5
Basic Events .........................................................................................................................................................6
An Example Fault Tree ........................................................................................................................................7
EDITING WITH VISIO ..................................................................................................................................................8
SWITCHING BETWEEN EDITING MODES ................................................................................................................... 10
V. ANALYZING A FAULT TREE USING GALILEO ......................................................................................... 11
VI. GALILEO’S WEB-BASED HELP SYSTEM ................................................................................................... 11
VII. KNOWN BUGS AND TROUBLESHOOTING .............................................................................................. 12
SOMETIMES WHEN I OPEN AN *.FTD FILE THE VISIO VIEW IS BLANK! ....................................................................... 12
I ACCIDENTALLY CLOSED THE VISIO STENCIL. WHAT SHOULD I DO? ...................................................................... 12
HOW DO I IMPORT FAULT TREES FROM GALILEO VERSION 1.4? ............................................................................... 12
WHEN I TRY TO RENDER MY TEXTUAL FAULT TREE TO VISIO OR TO ANALYZE THE TREE, I GET A SYNTAX ERROR ON
LINE N. HOW CAN I FIND THAT LINE WITHOUT HAVING TO COUNT EACH INDIVIDUAL LINE OF CODE? ..................... 12
SOMETIMES WHEN I START GALILEO AND CREATE A NEW FAULT TREE, THE WORD AND VISIO APPLICATIONS OPEN
EXTERNALLY. WHAT SHOULD I DO? ........................................................................................................................ 12
I RECEIVE THE ERROR MESSAGE "BASIC LOGIC GATES IS PART OF THE WORKSPACE BUT CANNOT BE OPENED. FILE
NOT FOUND." ........................................................................................................................................................... 13
SOMETIMES, WHEN I TRY FILE/NEW OR FILE/OPEN, GALILEO CRASHES. ................................................................. 13
THE VISIO VIEW AND STENCIL LOCK UP. WHAT SHOULD I DO?............................................................................... 13
GALILEO PROMPTS ME TO SAVE MY FAULT TREE WHEN IT IS UNNECESSARY. WHY DOES THIS OCCUR? .................. 13
THE INTERNET EXPLORER WINDOW IS NOT RESIZING PROPERLY. WHAT CAN I DO TO FIX THIS PROBLEM? ............. 13
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
_____________________________________________________________________________________________
I. Introduction to Galileo
Overview
Galileo is an easy-to-use research prototype software tool for dynamic fault tree analysis on personal computers,
namely PC machines running Microsoft’s Windows 95, 98 or NT operating system. Fault tree analysis is one of
several important approaches to probabilistic risk assessment for engineered systems. We selected the name Galileo
for our tool because Galileo was the first person to study the failure of engineered systems systematically.
Galileo is distinguished in two key dimensions. First, it supports the DIFtree modular dynamic fault tree analysis
approach of Professor Joanne Bechta Dugan, of the Electrical Engineering Department at the University of Virginia.
Second, it provides this capability to engineers in a tool based on the Package-Oriented Programming (POP) design
approach of Professor Kevin Sullivan, of the Department of Computer Science also at the University of Virginia.
In particular, Galileo hosts DIFtree in a tightly integrated and easy-to-use package that integrates Microsoft's Word
and Visio's Visio Technical drawing program within an overall interface based on Microsoft Windows user interface
technology. The POP approach enables engineers to edit and display fault trees in either textual and graphical form,
using a tool based on standard, widely used, commercially supported components that are easy to integrate into real
engineering practice. Our POP software development approach has given us (and you) a tool that appears to be far
richer, easier to use and more easily changed than would otherwise possible.
In a nutshell, Galileo allows you to enter and manipulate dynamic fault trees in either textual form, using a little
language for fault trees, or in Visio graphical form. It allows you to map these representations back and forth, e.g.,
to automatically generate a drawing of a tree from a textual specification. And it allows you to submit a specified
tree to the underlying analysis engine. Galileo also has an embedded World-Wide-Web help and support function.
NOTE WELL: Despite our advances, Galileo remains a research prototype. Read the known bugs list at the end of
this document. Galileo 2.11-Alpha cannot be relied upon for the analysis of critical systems, e.g., nuclear, medical.
System Requirements
Hardware Requirements
Minimum
Recommended
P90
P166
Memory:
16MB
32MB
HD space:
35MB (including 30 at runtime)
50MB
CPU:
Software Requirements
In order to run Galileo, you must have Microsoft Windows 95, 98 or NT and Microsoft Internet Explorer 4.0 and at
least one of Microsoft Word 97 or Visio Technical 5.0 installed on your computer.
Installation
1.
Whether you downloaded the tool from the Web or received it on diskette, you need to unzip the Galileo
archive. If you received the disks, insert the first disk into the appropriate drive. The easiest way to unzip the
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
1
_____________________________________________________________________________________________
archive is to use Nico Mak Computing's WinZip utility, available at http://www.winzip.com. Select the archive
in WinZip and click the install button. WinZip will extract the files and run Setup.exe for you. If you extracted
the files manually, run Setup.exe from the directory in which you unzipped the archive.
2.
Galileo has to install its Visio stencil in your Visio program's stencils directory (if you have one). If Visio is
installed on your hard drive, the Galileo setup program will automatically locate its directory. If setup cannot
find the Visio folder for some reason, you will be asked to supply the path name. Do so, or click on the Next
button if Visio is not installed.
3.
Run Galileo by clicking on the icon located on the Programs sub-menu of the Windows 95/98/NT Start menu.
II. Technical Overview and Design Rationale of Galileo
We now describe Sullivan’s Package-Oriented Programming approach and Dugan’s DIFtree analyzer in detail.
Package-Oriented Programming for Large-Scale Reuse
From a software engineering research perspective our work represents an attempt to evaluate Professor David
Garlan’s (CMU) thesis that architectural mismatch makes large-scale reuse hard or infeasible. The idea that has
driven our work is that with a suitable component integration architecture and conformant components, large-scale
reuse is possible and profitable. We agree with the implicit claim that lack of such an architecture makes large-scale
reuse hard. We claim (with Garlan’s work as evidence) that integration architectures are necessary for large-scale
reuse. The question we address is: do integration architectures exist that are sufficient to enable large-scale reuse?
In order to answer this question, we have adopted the informal hypothesis that the reuse and integration of massive
components conforming to an effective integration architecture enables the rapid and inexpensive production of
industrially viable software systems. To test this hypothesis, we negated it and restricted it to software tools for
engineering analysis, with fault tree analysis as a convenient (and useful) example. The null hypothesis was thus that
the reuse and integration of massive components conforming to an integration architecture could not enable rapid
and inexpensive production of industrially viable software tools for engineering modeling and analysis. Galileo is
the result of our attempt to test this claim. We adopted Microsoft’s integration architecture (comprising elements
including OLE Automation and the Active Document Architecture) with Microsoft Office application components
as perhaps the best known, most promising integration architecture for our purposes. Galileo is the result. To the
extent that Galileo has clear potential as an industrially viable tool, we have to reject the null hypothesis.
From a component package integration perspective, Galileo is distinguished in several dimensions.

Tight Integration of Multiple Packages
Galileo is based on the tight integration of multiple shrink-wrapped commercial-off-the-shelf (COTS) packages.
It is not built on a single package, but instead integrates multiple packages as co-equal components.

Package-Based Views of Engineering Models
Galileo uses packages as user-friendly and richly functional views of an engineering model (i.e., of a fault tree).
Microsoft Word presents the tree being edited in a textual form based on the Galileo fault tree language. Visio
presents the tree as a structured technical drawing using Galileo shapes and behaviors programmed for Visio.

Compiler-Based Consistency Model
Galileo keeps views consistent in a manner based on an analogy with a compiler. A compiler is tool used in
computer programming, in which a program is first edited using one tool, a text editor, and when that is done it
is submitted to a compiler to be translated into executable code, a form that can run on computer hardware. The
source code form is convenient for people; and the object code, for the computer. In Galileo, you edit a fault
tree in either textual or graphical form, and, when you are ready, you ask Galileo to “compile” it into the other
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
2
_____________________________________________________________________________________________
form. Unlike a traditional compiler, however, Galileo can translate in both directions. You can thus use a form
most appropriate for your needs, e.g., text for editing and graphics for presenting to engineering management.

Tight Integration of Component User Interfaces
Whereas in earlier versions of Galileo, component packages appeared as disconnected windows on the screen,
in version 2.11-Alpha, there is just one Galileo window. The package windows are integrated as children of the
Galileo window. We use Microsoft’s active document architecture to achieve very tight integration at the user
interface level. In particular, there is only one set of menus visible (rather than several, one set presented by
each tool window). As you select one or another view to edit, the application menus appropriate for that view
are integrated with the Galileo menus. What you see at the top of the Galileo window is therefore a set of
menus which is the sum of the Galileo-specific menus and the menus for the package that you have selected.
The DIFtree Approach to Modular Dynamic Fault Tree Analysis
Fault trees are mathematical models of how component-level failures in an engineered system combine to produce
system level failures. Fault trees have a convenient pictorial representations that are accepted as making it easier for
reliability engineers to build, reason about, and validate such models. For more, read: Dugan, Venkataraman, and
Gulati, "DIFtree: A software package for the analysis of dynamic fault tree models," Proceedings of the 1997
Reliability and Maintainability Symposium, January 1997.
A fault tree (a graph in general) has nodes called basic event nodes that model components of an engineered system.
The assignment of a probability distribution to a basic event models how that component fails over time. A fault
tree has other nodes called gates that model subsystems composed from basic components. Gates show how failures
of components combine to produce susbsystem failures. The top-level gate in a fault tree corresponds to the overeall
system. Combinatorial gates, such as and and or gates, indicate that the failures of the inputs lead to a failure of the
subsystem if, respectively, all or one of the input components or subsystems has failed.
Probabilistic reliability assessment using fault trees requires the assignment of probability distributions to the basic
events of a fault tree. One such distributions are assigned, calculations are performed to compute a distribution for
the tree as a whole. When a tree contains only standard combinatorial gates, it is called a static tree, and well-known
methods can be used to compute its overall failure probability (to solve the tree). DIFtree permits dynamic gates to
appear in a tree, as well. A tree with one or more dynamic gates is called a dynamic tree. The outputs of dynamic
gates are sensitive the order in which inputs fail.
In particular, DIFtree decomposes a complex fault tree into subtrees that are independent in that they do not share
any basic event nodes, and that are either static or dynamic. The idea is to handle as much of the solution problem
as possible using techniques for static trees, and to handle the rest using techniques for dynamic trees. Static trees
can be analyzed efficiently using combinatorial techniques. DIFtree solves static trees using an algorithm based on
Binary Decision Diagrams (BDD). For dynamic trees, Markov solution methods are employed. Markov methods
can be used to solve any tree, but the computational complexity of this approach makes it infeasible for use on large
or complex trees. The idea behind DIFtree is to split trees into independent parts (modular subtrees) and to solve
them using the most efficient techniques. Thus a given tree is split into parts and either a BDD or Markov approach
is used to solve the subtrees depending on their types. DIFtree thus first calls a routine called SplitTree, a fast and
efficient algorithm to break up a given tree into smaller independent subtrees, followed by calls to routines called
DREDD and Dynasolver, respectively, to solve the independent static and dynamic subtrees. SplitTree combines the
solutions for the subtrees into a solution for the overall fault tree. In a nutshell, that is how DIFtree works.
III. Basic Operation of Galileo
This section describes the basic operation of Galileo. Editing and analyzing trees are complicated enough to have
their own sections, which follow.
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
3
_____________________________________________________________________________________________
Running Galileo
To run Galileo go to the Start Menu and find Galileo under the Programs folder. Galileo will open with a splash
screen and a blank main window. This window will serve as a container for the Word and Visio views of the current
fault tree as well as for online help and web-based support through Internet Explorer.
Creating a New Fault Tree
To create a new fault tree, select the New option from the File menu. This will cause the Word and Visio windows
to appear with blank documents in the main window. Note well: Galileo can only have one tree open at a time.
You must close any opened file before creating a new tree or opening another existing one.
Opening an Existing Fault Tree
To open a previously created fault tree, select the Open option from the File menu. A window will appear allowing
you to open files Fault Tree files of type ".ftd". Choose the file that corresponds to the tree you wish to open and the
Fault Tree tool will open the appropriate files for Visio and/or Word. As with creating a new tree, only one tree may
be active at a time, so you must close any opened file before opening another tree. Note well: we regret that it is not
possible to open fault trees created with Galileo version 1.4 or earlier. However, there is a work-around that permits
you to convert trees created in Visio 1.4. Please see Troubleshooting for more information.
Saving a Fault Tree
To save a fault tree when editing is complete, choose the Save or SaveAs option from the File menu. This will save
the tree and each of its components for Word and Visio. Galileo will ask you for a file name as necessary.
Printing a Fault Tree
Galileo provides the user with two printing options. The first prints only the current active document. This is done
by selecting Print from the File menu. The second option prints both the Word and Visio documents. This is done
by choosing Print All from the File menu.
Exiting from Galileo
To exit Galileo, choose the Exit option in the File menu of the main Galileo window. This will close the Word and
Visio windows as well.
IV. Editing Fault Trees in Galileo
In this section, we describe how to edit fault trees in Galileo. One of Galileo’s strengths is its support for editing
fault trees in textual or graphical form (provided that you have the required packages installed on your machine) and
to generate one form from the other automatically on demand. Suppose that you prefer to edit tree as text but you
need graphics for engineering presentations. Create the tree in Word then have Galileo generate the drawing.
Selecting a View to Edit
You select a view to edit using the Application View menu. Choose to make the desired view writable. Galileo
updates the newly writable view from the current view if necessary. Note Well: NEVER EDIT A VIEW THAT’S
NOT SELECTED. YOUR CHANGES WILL BE LOST. GALILEO OUTLINES READ-ONLY VIEWS IN RED.
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
4
_____________________________________________________________________________________________
Editing in the Textual View
The editor for fault trees in text form is Microsoft Word. We assume that you know how to use Microsoft Word.
Fault trees are written in the Galileo fault tree language. A fault tree specification must begin with the line
toplevel <name>;
<name> is the name of the top level node. A <name> begins with a letter and use only letters, underscores and
dashes. spare, trigger, and primary are reserved words that you cannot use as names. Every line in a fault tree ends
with a semicolon. Comments can be included: text after "/*" and before "*/" is ignored. Note Well: Comments are
not well supported; they are lost in the translation from textual to graphical form and back.
Gates
The following table gives the syntax for declaring different kinds of gates, with the kind of gate in the first column,
and the syntax for declaring such a gate in the second column. The keywords are in bold face.
Gate Type
Usage
OR
<name> or <input1> <input2> ... <inputN>;
AND
<name> and <input1> <input2> ... <inputN>;
Hot Spare
<name> hsp <primary_input> <input2> ... <inputN>;
Warm Spare
<name> wsp <primary_input> <input2> ... <inputN>;
Cold Spare
<name> csp <primary_input> <input2> ... <inputN>;
Priority AND
<name> pand <input1> <input2>;
Sequence Enforcing
<name> seq <input1> <input2> ... <inputN>;
K of M
<name> xofy <input1> ... <inputY>;
Note: x and y are integer number for the desired K and M respectively
Functional Dependency
<name> fdep <trigger_input> <input1> ... <inputN>;
<name> is your name for a gate. <inputN> is the <name> of a Basic Event or gate input to the given gate. The input
order for gates is left to right. Order matters in analyzing dynamic gates and is used in graphical layout. There are
no keywords for Connectors or Basic Events. Connections are implicit in the structure of the tree.
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
5
_____________________________________________________________________________________________
Basic Events
The syntax for specifying a basic event varies, depending on the probability distribution and coverage information
associated with the event. The following tables summarize the relevant information and define the language syntax.
Replication
To specify replication add repl = n to the basic event declaration, n being an integer. The
default is 1. Replication specifies the number of copies of the basic event in the system. If
an AND gate has three identical events as inputs, one with a replication of three can be used.
Dormancy
To specify a dormancy factor add dorm = f with f between 0.0 and 1.0, inclusive. An input
to a warm spare fails at the rate obtained by multiplying its failure rate by dorm.
Distribution
You choose among a constant, exponential, lognormal, or Weibull distribution. At this time,
the lognormal distribution is not supported for dynamic trees. In the graphical view, you
select a distribution by name (see below). In the textual view, the choice of distribution is
indicated by the key words that you use in specifying the event, as follows.
Probability
The syntax is prob=f (with f as above). The prob parameter indicates a constant distribution.
Lambda
The syntax is lambda=f. Lambda indicates exponential distribution function.
Rate
The syntax is rate=f. This construct indicates a Weibull distribution.
Shape
The syntax is shape=f. This parameter specifies the shape of the Weibull distribution.
Mean
The syntax is mean=f. The expecation of the normal distribution for the lognormal case.
Standard Deviation
Syntax: stddev=f. The standard deviation of the normal distribution for the lognormal case.
Fault tolerant systems often have built-in recovery mechanisms. Coverage, Restoration, and Single Point Failure
factors associated with basic event specification help to model such recovery mechanisms in some cases. For more
information, refer to the following: Joanne Bechta Dugan and K.S. Trivedi: “Coverage modeling for dependability
analysis of fault-tolerant systems,” IEEE Transactions on Computers, 38(6): 775-787, 1989
Single Point
Failure
It is the probability that the entire system fails, given that this component fails. Think of single
point failure of a component as a catastrophic failure.
Coverage
It is not always that the failure of a component results in the failure of the entire system, or there
will be no need for fault tree analysis! The Coverage factor is the probability that the failure of a
component does not lead to the failure of the system unless specified by the fault tree.
Restoration
The Restoration factor models transient faults in the component which are glitches that do not last
long enough to cause the failure of either the component or the system.
Galileo requires Coverage + Restoration + Single Point Failure = 1.0. You must specify the parameters values in
basic events in the order presented above. Galileo requires distribution information for exactly one distribution type.
Galileo substitutes default values for coverage and replication parameters. Default values are as follows:
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
6
_____________________________________________________________________________________________
Parameter
Default Value
cov
res
repl
dorm
1
0
1
0.5
.
The following entries define the syntax and meaning for basic events. You may leave some fields blank. Note well:
If you generate a graphical form from text then regenerate text, Galileo fills in all of the default information. Galileo
does not preserve text formatting, so we recommend that you not use any.
Constant Distribution
<name> prob=<probability> cov=<coverage> res=<restoration> repl=<replication> dorm=<dormancy>;
The failure probability = prob if cov = 1.0
Exponential Distribution
<name> lambda=<lambda> cov=<coverage> res=<restoration> repl=<replication> dorm=<dormancy>;
The distribution function is
f (t )   exp( t ),0  t   where  = lambda
Weibull Distribution
<name> rate=<rate> shape=<shape> cov=<coverage> res=<restoration> repl=<replication> dorm=<dormancy>;
The distribution function is
f (t )    t  1 exp[ ( t )  ],0  t   where  = rate,
 = shape
LogNormal Distribution
<name> mean=<rate> stddev=<coverage> res=<restoration> repl=<replication> dorm=<dormancy>;
The distribution function is f (t ) 
1
2 t
exp[ 
(ln( t )   ) 2
],0  t   where  = stddev,  = mean
2 2
An Example Fault Tree
We now present fault tree in text form. The top level gate, specified on the first line, as required, is an OR gate with
two inputs, a basic event, event1, and the subtree, Andtree. Andtree has two basic event inputs, event2, and event3.
The basic event declarations are at the end, but they could appear anywhere but for the first line. Note Well: Galileo
generally changes the order in which declarations appear when it regenerates a text from from the graphical form.
toplevel TopGate;
TopGate or event1 Andtree;
Andtree and event2 event3;
event1 prob=0.5 cov=1 res=0.5 repl=1 dorm=.5;
event2 prob=0.75 cov=1 res=0.5 dorm=.5;
event3 prob=0.25;
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
7
_____________________________________________________________________________________________
Editing with Visio
Galileo supports the graphical editing and display of fault trees in addition to textual editing and display. The
following picture is the Visio drawing of the tree just specified in the textual formalism. In this subsection, we tell
you how to manipulate fault trees in this graphical form. We describe only Galileo-specific issues. We do not try to
teach you how to use Visio. We refer you to the Visio User’s Manual, and suggest that you learn something about
Visio, before trying to use Visio in the context of the current version of Galileo.
Problems with Graphical Editing in Galileo
Before discussing precisely how to edit fault trees using Visio within the Galileo framework, we must present a
disclaimer. In a nutshell, because we have not yet invested much time in graphical display and editing aspects of
Galileo, they do not work well. They are awkward to use and in some ways produce visually unacceptable results.
At this time, our advice is to specify trees in text form. We plan to improve Galileo’s graphics in the next release.
In particular, the current tool has several problems. First, it provides no mechanisms for splitting drawings into
page-sized chunks, nor for collapsing subtrees to abstract away undesired detail. It simply draws an entire tree as a
monolith on a single virtual sheet sized to fit the tree. If you print a large drawing using Visio’s print function, Visio
will distribute the single large drawing across as many smaller pages as necessary. You can use Visio’s scaling
functions if you want to make such a tree fit on a single physical page.
Second, Galileo provides no functions for drawing multiple copies of shared gates or events, converting complex
graph-structured trees into tree-structured drawings. Galileo depicts such trees directly. As a result, there will be
edge crossings in drawing of complex trees. Because we use elbow-style connectors in our prototype, these edge
crossings make graphical representations ambiguous: You cannot always tell from a drawing alone which outputs
are connected to which inputs. By selecting a connector in Visio, you can determine the connection because Visio
will illuminate the connection points. However, there is no way to tell what they are from a print-out.
Third, Galileo does not provide high-level drawing operations, such as add-a-subtree-to-a-gate, that can be used
with a single click of a mouse. Rather, it requires the user to use Visio’s elementary drawing operations. Thus, to
add a gate to a tree, you have to drag and drop a gate shape, manually fill in its name, drag and drop a connector,
manually fill in its input order (explained below), and attach both ends of the connector to the relevant gates ports.
This is awkward at best. Again, we plan to attack this problem in the next release of Galileo, to provide much more
usable graphical tree manipulation functions.
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
8
_____________________________________________________________________________________________
Graphical Editing of Fault Trees in Galileo
With that disclaimer out of the way, we now discuss how to edit trees in graphical form The following table defines
the graphical shapes that are used in displaying and editing fault trees in Galileo.
Basic Event- Failure behavior is characterized by either a failure probability or a failure rate. A basic
event can represent one or more statistically identical components. A replication factor identifies the
number of components represented by the event.
OR Gate- This event will fail if one or more of its inputs fail.
AND Gate- This event will fail only if all of its inputs fail.
K of M Gate- This event will fail only if at least K of the M inputs fails.
Hot Spare Gate- Represents a system with redundant units kept "running hot". The failure rate of a
hot spare is unaltered by its spare status. The first input to a spare gate is the primary; others are the
spares. Spares are used left-to-right order. The output event is true when all spares fail or are in use
elsewhere.
Warm Spare Gate- Represents a system with redundant units kept "running warm". The failure rate
of a warm spare is attenuated by the dormancy factor. Otherwise warm spare gates are like hot spare
gates.
Cold Spare Gate- Represents a system with redundant units kept "running cold". The failure rate of a
cold spare is multiplied by zero until the spare is used, at which point it is multipled by unity.
Otherwise the cold spare gate is like the hot or warm spare gate.
Sequence Enforcing Gate- Specifies that certain failures can only occur in the order specified by the
ordering of inputs to the gate. The purpose of this gate is to express a constraint that can be exploited
to simplify the dynamic analysis problem (because some paths become infeasible in the Markov chain).
An example is that a short in a circuit cannot occur before the insulation fails. The output of this gate is
what we call dummy: it is not a failure per se. However, in the graphical depiction, the output must
connect to the fault tree. You can choose to connect it at any convenient point.You may not input
replicated basic events to a SEQ; a replicated event must be connected through another gate, such as an
AND or OR gate.
Functional Dependency Gate- Represents a coupling condition such that one failure causes another to
occur. The first input to this gate is a trigger; the remaining inputs are 'dependent' inputs. The latter
fail if the trigger fails. Like SEQ gate, the output of FDEP gate is dummy. The trigger cannot be
replicated; a replicated trigger event must be connected through another gate, such as an AND gate or
an OR gate. In the textual representation, the first input is the trigger.
Priority AND Gate- Represent a system where a failure occurs only if the inputs fail in a specified
order. Due to implementation constraints, it can have only two non-dummy inputs. PAND gates can be
stacked, however, to overcome this limitation. To fail, both non-dummy inputs must fail and the left
input must fail before the right one. Also, note that a replicated basic event cannot be used as an input.
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
9
_____________________________________________________________________________________________
The Visio portion of Galileo consists of the Stencil and the Drawing windows. The Stencil window contains the
Master Shapes for the gates (And, Or, etc.) that are to be used in building the fault tree. To use a shape located in
the stencil window, simply click on the desired shape and drag it to the drawing area, releasing the mouse button
once the shape is correctly placed. If you are unable to recognize the shapes on the Visio stencil, hold the mouse
cursor over a shape to display its name. To connect gates and subtrees together use the Connector shape. Drag it
onto the drawing area, then adjust the ends so that they connect at the appropriate places on the gate and event
graphics. The ends of a connector will turn red when connected properly.
When you drop a gate/basic event on the Visio page, a dialog box pops up asking for the "Abbreviated Name" and
"Full Name". The Full Name is the label used internally to represent the gate. The Abbreviated Name is the label
on the Visio shape. This difference is useful in cases where the Full Name may be too long to fit in a shape.
(Currently, any changes to the Abbreviated Name are lost when the user renders the fault tree to the Word view.) To
modify the names associated with a gate/basic event, double-click on the shape to view its Custom Properties.
When you add a Connector, Visio will prompt for the ordering of that connector relative to other inputs to the same
gate. The first connector is input number 1. The input order is necessary for gates such as the Priority AND gate or
the Sequence Enforcing where order of failure is important. Even if you are connecting to a gate where order is not
important for dynamic analysis purposes, you must supply input orders. Galileo requires them to preserve order in
mapping between textual and visual representations. To change the input order of a connection once it has already
been set, simply double-click the connector in question to view its Custom Properties.
To remove a shape from the diagram, right click on it and then choose Cut, or select it with the left mouse button
and push the Delete key. For further information on Visual editing, consult the Visio user’s manual.
The Custom Properties sub-menu of Visio allows you to edit the information associated with a basic event. It is up
to you to supply this information, or use the default values.
Switching Between Editing Modes
This section applies to users who have both Word and Visio installed. The Galileo model for editing trees is that
you edit in a view that has been selected for editing (the writable view); and that you can select another view to be
writable if you want to edit in that view. Galileo ensures that any changes made to one view are propagated to the
other before writing of the other view begins. Galileo does not enforce the non-writable status of views; and if you
make changes to a non-writable view, they will be lost when you select that view for writing. In order to remind
you not to make changes to non-writable views, Galileo highlights the non-writable view window with a red border.
For a new tree, the writable view is Word. For an existing tree, the writable view is the one that was writable when
the tree was saved. If you want to edit in Visio when the Word view is writable (or vice versa), pick the Application
View menu. Select Show Visio. Then, choose the option, Update Changes and Make Visio Writable. Galileo will
take a little time to update the graphical view from the text view. Do not manipulate Galileo during this process.
NOTE WELL: There is a “hokey” problem with new fault trees in this release of Galileo. When you first open a
new tree, Word is the selected view. If you want to edit the Visio view, in order to be given the option to edit in
Visio, you first have to type something in Word. So, type something, then erase it, and then go to the Application
View menu and select Visio to be the writable view.
To return to the textual version of the fault tree, return to the Application View menu and select Show Word, and
then Update Changes and Make Word Writable. Galileo presents two options:
1.
Update Changes and Make Word Writable – The valid view switches to Word and any changes made to
the Visio drawing will appear in the Word document.
2.
Update Changes and Keep Word Read-Only – The valid view remains as Visio, but any changes made
to the Visio drawing will appear in the Word document. NOTE: The user should NOT edit in the Word
window. Any changes made to the document will be lost.
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
10
_____________________________________________________________________________________________
V. Analyzing a Fault Tree Using Galileo
Once you input a fault tree specification, whether in textual or graphical form, you can invoke the DIFtree analyzer
by choosing the Analyze option under the Fault Tree pull-down menu. Galileo checks to see that the tree is wellformed. If not, it gives an error message and abort the analysis. If valid, the tree is sent to the DIFtree analyzer.
The DIFtree analyzer appears in a small text-based interactive window, which we call the DIFtree window.
If your tree is dynamic, DIFtree asks you to enter the number indicating how many component failures the analyzer
will simulate before truncating the generated Markov chain. Galileo uses this value to limit the size of the Markov
chain generated from a dynamic tree, thus the required time to solve the tree. The trade-off is a loss of accuracy in
the resulting computation. Refer to the papers mentioned above for more information on this technical issue.
Whether your tree is static or dynamic, DIFtree asks you whether you want to specify a range of mission times. If
your tree is a dynamic tree answer y. If you do enter y, DIFtree asks you to specify a range of times by entering the
smallest and largest mission times and a step. DIFtree will then analyze your tree for each mission time starting
with the minimum and incrementing by the step until the mission time would exceed the maximum mission time. If
you enter n in response to the mission time question, DIFtree asks you for a mission time, anyway. This is a small
usability bug inherited from an earlier version of DIFtree that we have not yet removed. Enter any number, e.g., 1.
When DIFtree finally analyzes your tree, it generates a report, which it displays in the DIFtree window. The report
identifies the independent subtrees that the SplitTree algorithm found along with the computed unreliability for each
subtree and for the entire tree. The DIFtree window displays the report. You can see text that has scrolled out of the
window using the scroll bar on the right hand side of the DIFtree window. When the analysis is done, you can save
the resulting report in several ways. You can cut and paste the text in the DIFtree window into another application;
or you can click on the Save button on the DIFtree window. If you do the latter, a standard Windows file browser
window will appear to obtain from you the name of a file into which the analysis report is to be saved.
NOTE WELL: Several technical issues bear mentioning. First, Galileo uses generic time units to permit analysis of
data on any scale. You are responsible for being consistent with units. For example, you must be careful not to use
both seconds and days as time units in the same fault tree. Second, the computational complexity of the analysis is
worst case exponential. It is easy to build trees which the analyzer is incapable of analyzing in a reasonable amount
of time. If you run the DIFtree analyzer and it still hasn’t produced an answer a day or two later, you are probably
asking it to solve a system that is beyond its computational capabilities. Third, Galileo 2.11-Alpha contains a new
implementation of the dynamic solver (DynaSolver). The Markov chains that it produces are slightly different in
concrete form (though not in abstract meaning) from those produced by earlier versions of Galileo and DIFtree. As
a consequence of that and the imprecision of computer arithmetic, Galileo 2.11 produces answers that differ slightly
from those produced by previous versions. In our experience, differences can show up in the third significant digit.
So, whereas an earlier version might have produced an answer of .499524 (.500), this one might produce .499498
(.499). The problem appears to be an artifact of all versions reporting more significant digits than justified by the
underlying numerical computations. If appropriate rounding is used, answers for all versions should match. We are
planning on addressing the issue of numerical round-off and precision rigorously in the next release of Galileo.
VI. Galileo’s Web-Based Help System
We integrated Microsoft Internet Explorer into Galileo to give you a fast and easy way to get help and information.
You can access these features in one of two ways:
1.
Choose Galileo Help from the Help menu. Select Galileo on the Web. At this point, select the desired option.
2.
Click the InfoViewer menu and select Galileo on the Web. The options are the same as described above.
Standard menu options for Microsoft Explorer are available under the InfoView menu.
The following features require an Internet connection:
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
11
_____________________________________________________________________________________________

Galileo at the University of Virginia (our homepage)

Register Online to Receive E-mail Notifications about Galileo

Send Feedback to the Galileo Developers’ E-mail Account
Other features use files installed on your hard drive. To see the most recent versions, visit the Galileo homepage.

On-Line Help System

This User’s Manual

A Galileo Tutorial
VII. Known Bugs and Troubleshooting
Sometimes when I open an *.ftd file the Visio view is blank!
A: Visio does not always resize the drawing area correctly. Either zoom out to show the portion of the screen
containing the drawing, or resize the drawing page manually by selecting “Edit” -> “Drawing Page” -> “Page
Setup” -> “Size Page to Fit Drawing.” Note that this phenomenon only occurs when a file is opened on a machine
other than the one on which the file was created. We have not yet debugged this problem.
I accidentally closed the Visio Stencil. What should I do?
A: If the Visio Stencil window is closed accidentally, do not save your changes. The stencil is part of the ".ftd" file
and if the file is saved, the stencil window will be permanently lost for this fault tree. Close the fault tree without
saving changes and reopen it in the condition since the last save.
How do I import fault trees from Galileo version 1.4?
A: Create a new fault tree. Pull up Microsoft Word from outside of Galileo and open the ".doc" portion of the
desired fault tree. Copy the text from the ".doc" file and paste it into the Microsoft Word file embedded within the
Galileo window. Switch the view to Visio and update the changes.
When I try to render my textual fault tree to Visio or to analyze the
tree, I get a syntax error on line n. How can I find that line without
having to count each individual line of code?
A: Microsoft Word is equipped with a function that will position the cursor at a desired line. Press Ctrl-G. A dialog
box will appear. In the "Go to what" box, select Line. Then, enter the appropriate line number.
Sometimes when I start Galileo and create a new fault tree, the Word
and Visio applications open externally. What should I do?
A: Close the external copies of Visio and Word. Then exit Galileo and restart. This is a known bug that we have
not yet pinned down.
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
12
_____________________________________________________________________________________________
I receive the error message "Basic Logic Gates is part of the
workspace but cannot be opened. File not Found."
A: Step 2 of the installation was not completed properly. Go to the root of the Galileo folder (which also contains
the Galileo.exe program) and locate a file entitled "Basic Logic Gates.vss". Copy this file to the sub-directory of
your Visio folder labeled "Solutions".
Sometimes, when I try File/New or File/Open, Galileo crashes.
A: Use the Windows Task Manager to kill any "zombie" Word or Visio processes.
The Visio view and Stencil lock up. What should I do?
A: Close the file, saving changes if necessary, and reopen the file.
Galileo prompts me to save my fault tree when it is unnecessary.
Why does this occur?
A: This is a known bug. The problem is that Galileo cannot really tell precisely when you have made changes to a
document since the last time that document was generated. We are currently working on a solution.
The Internet Explorer window is not resizing properly. What can I do
to fix this problem?
A: Click on the window's divider bar. The window will redraw itself correctly.
_____________________________________________________________________________________________
Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.
13