Add to collection(s) Add to saved
  1. Math
  2. Statistics And Probability

Fault Tree Analysis

advertisement 
PROCEEDINGS of the 16th INTERNATIONAL SYSTEM SAFETY CONFERENCE -- 1998
Tutorial
Fault Tree Analysis
Dr John Andrews
Department of Mathematical Sciences
Loughborough University
Loughborough
LE11 3TU, UK
Tel: +44 (0)1509 222862
Fax: +44 (0)1509 223969
E-mail: J.D.Andrews@lboro.ac.uk
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Contents
_Session 1: Basic Concepts
l Fault Tree Symbols/Terminology
l Fault Tree Construction
l Minimal Cut Sets
l Component Failure Models
l Top Event Probability
l Top Event Frequency
l Other Top Event Parameters
l Importance Measures
2
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
_Session 2: Advanced Features
l Initiator/Enabler Events
l Non-Coherent Fault Trees
_Session 3: Current Research
l Binary Decision Diagrams
l Dependency Modelling
l Optimal System Design
3
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Session 1: Basic Concepts
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
History
_1961 - FTA Concept by H Watson, Bell Telephone
Laboratories
_1970 - Vesely - Kinetic Tree Theory
_Importance measures - Birnbaum, Esary, Proschan, Fussel,
Vesely
_Initiator/Enabler Theory - Lambert and Dunglinson
_FTA on PCs with GUI’s
_Automatic Fault Tree Construction
_Binary Decision Diagrams
5
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Fault Tree Example
Fire protection
system fails
TOP event
OR gate
Fire detection
system fails
Water deluge
system fails
intermediate
event
AND gate
Smoke
detection
fails
Heat
detection
fails
Pump
fails
Nozzles
blocked
SD
HD
PUMP
NOZ
Basic
event
6
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Voting Gates k/n
Gas Detection
System Fails
2/3
Gas Detector 1
Fails
Gas Detector 2
Fails
GD1
GD2
Gas Detector 3
Fails
GD3
7
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Exclusive OR Gate
Partial Loss
of Power
Power
Supply B
Fails
Power
Supply A
Fails
Partial Loss
of Power
Power
Supply A
Fails
A
Power
Supply B
Works
B
Power
Supply B
Fails
B
Power
Supply A
Works
A
8
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
House Events
Protection
Systems
Fail
No protection
from system A
System A
Fails
System
A Down for
Maintenance
No protection
from system B
System
B Down for
Maintenance
System B
Fails
9
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Transfer IN/OUT
System
Failure
Power not
Isolated
Operator not
Informed
Warning
Light
Fails
No
Alarm
Signal
Power
Trip
Fails
1
No
Alarm
Signal
1
10
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Inhibit Gate
Tank Rupture
Tank Rupture
Under High
Pressure
High Pressure
in Tank
11
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
valve
Outlet
Pressure Tank Example
relay
K2
Motor
Timer
Relay
Switch S1
K1
Relay
Pump
switch S
Pressure
Pressure Tank
12
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Circuit Actions
Transition to pumping
Relay K2
Timer Rel
Pressure SW
- Energized
(closed)
- Starts timing
- Contacts close
Pump starts
Dormant mode
- Contacts open
Relay S1
- Contacts open
Relay K1
- Contacts open
Relay K2
- Contacts closed
Timer Rel
- Contacts closed
Pressure SW
Start-up transition
S1
Relay K1
Relay K2
Timer Rel
Pressure SW
- Momentarily
C losed
- Energized &
latched
- Energized
(Closed)
- Starts timing
- Monitoring
pressure
Pumping mode
- Contacts open
S1
- Contacts closed
Relay K1
- Contacts closed
Relay K2
- Contacts closed
Timer Rel
& timing
- Contacts closed
Pressure SW
& monitoring
Transition to ready
Relay K2
Timer Rel
Pressure SW
- De-energized
(open)
- Resets to
zero time
- Contacts open
Ready mode
- Contacts open
S1
- Contacts closed
Relay K1
- Contacts open
Relay K2
- Contacts closed
Timer Rel
- Contacts open
Pressure SW
& monitoring
Pump stops
Pump starts
Emergency
shutdown
transition
(assume
pressure
switching up)
Relay K1
Relay K2
Timer Rel
Pressure SW
- Contacts open
- Contacts open
- Times out & opens
- Failed closed
Pump stops
Emergency shutdown
S1
- Contacts open
Relay K1
- Contacts open
Relay K2
- Contacts open
Timer Rel
- Contacts open
Pressure SW
- Contacts closed
13
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Tank
over-pressure
on pumping
operation
Pump Motor
operates too
long
Relay K2
energized
Relay contacts K2
fails closed
K2
Pressure
switch
contacts
closed
Current
across
switch S1/K1
contacts
section
PRS
1
14
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Current
across
switch S1/K1
contacts
section
1
Relay K1
contacts closed
Switch
S1 closed
S1
Relay K1
contacts fail
closed
K1
Relay K1
energized
Timer contacts
closed
TIM
15
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Minimal Cut Sets
_Cut sets
l A list of failure events such that if they occur then so
does the top event.
_Minimal Cut Sets
l A list of minimal, necessary and sufficient conditions
for the occurrence of the top event.
TOP
_Example
A
B
G1
C
B
D
16
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
List of possible failure combinations
A
B
C
D
AB
AC
AD
BC
BD
CD
ABC
ABD
ACD
BCD
ABCD
System State
F
F
W
W
F
F
F
F
F
F
F
F
F
F
F
17
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
_Minimal Cut Sets
A
B
CD
_We want a way to produce the minimal cut sets from the
fault tree structure then:
T = A + B + C.D
18
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Qualitative Fault Tree Analysis
_Need to identify the min cut sets whose occurrence is most
likely.
_Minimal Cut Set expression for the top event.
T = C
1
C
i = 1 ,L , n
i
,
+ C
2
e.g. T = A + BC + CD
+ C
3
+ L + C
n
are the minimal cut sets
3 minimal Cut Sets
1 first order
2 second order
19
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Laws of Boolean Algebra
• AND
+ OR
Distributive
(A + B) . (C + D) = A.C + A.D + B.C + B.D
Idempotent
A+A=A
A. A=A
Absorption
A+A.B=A
20
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Example
T
G2
G1
A
G3
B
C
G4
C
A
B
21
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Bottom-up method
T
B+C+A
B
G2
G1
A
G3
B+C
(B + C + A) . (C + A . B)
C
C+A.B
G4
C
A
A.B
B
22
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
TOP = (B + C + A) . (C + A . B)
=B.C+B.A.B+C.C+C.A.B
+A.C+A.A.B
(A . A = A)
=B.C+A.B+C+C.A.B
+A.C+A.B
(A + A = A)
TOP = B . C + A . B + C + C . A . B + A . C
(A + A . B = A)
TOP = A . B + C
23
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
The tree could have been drawn:
T
G1
C
A
B
24
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Pump System Example
K2
PRS
Minimal Cut Sets
K2
PRS
PRS
PRS
S1
K1
TIM
S1
K1
TIM
25
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Component Performance Characteristics
Typical History of a Repairable Component
STATE
W
F
TIME
Downtime Depends on
l
Failure detection time
l
Availability of Maintenance team
 Obtain replacement
l
Repair time

 Installation
System Test Time
Performance indicators
l
Rate at which failures occur
l
Measure of expected up-time
l
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
26
The Failure Process
λ( t)
hazard
rate
Typical
Mechanical
Equipment
λ
Typical
Electrical
Equipment
Random Failure Rate
Burn-in
period
Useful life period
Wear-out
period
Time
27
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
For useful life period
Unreliability
F ( t) = 1 − e
(Density Function)
f ( t) = λ e
Reliability
R ( t) = 1 − F ( t)
= e−
1
=
λ
− λ t
− λ t
λ t
Mean Time to Failure
λ ( t) =
Conditional failure rate (hazard rate)
Probability that a component fails in
(t, t + dt) given that it was working at t
28
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Maintenance Policies
1. No Repair
q ( t)
- unavailability
F ( t) - unreliability
F ( t) = 1 − e
− λ t
q ( t) = F ( t)
q (t)
1
0
Time
29
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Repairable Components
Failure/Repair Process
Component
Fails
Failure
Rate =
λ
W
F
Component
Repaired
Repair
Rate =
υ
1. Only one transition can occur in a small period of time ∆t.
2. Change between states is instantaneous.
3. Following repair components are as good as new.
30
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
2. Revealed Failures - unscheduled maintenance
λ - failure rate
ν - repair rate
µ - Mean time to failure
τ - Mean time to repair
q(t) - unavailability
λ
1− e−(λ +ν)t
λ+ν
λ
τ
=
≈ λτ
at steady state
q=
λ+ν µ+τ
q(t)=
(
)
31
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
q (t)
1
λ
λ + ν
0
Time
32
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
3. Unrevealed or Dormant Failures - Scheduled Maintenance
θ
- time between inspections
q (t)
1 − e
0
− λ t
2 θ
θ
q ≈ λτ
(for revealed failures
)
33
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Mean time to restore
+ mean time to repair
= mean detection time
=
θ
2
τ
+
θ
∴ qAV = λ + τ
2 
In general
θ >> τ
qAV ≈
λθ
2

(1− e−λθ )
More accurate alternative
qAV = 1−

λθ 

34
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Top Event Probability
Top
Gate 1
A
Gate 2
B
C
D
All basic event independent with prob 0.1
P(Gate 1) = P(A) . P(B) = 0.01
P(Gate 2) = P(C) . P(D) = 0.01
And P(TOP) = P(Gate 1 OR Gate 2)
= P(Gate 1) + P(Gate 2) P(Gate 1) . P(Gate 2)
= 0.01 + 0.01 - 0.0001
= 0.199
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
35
Top
A
Gate 1
Gate 2
Gate 3
B
C
B
D
all basic events are independent and
q
A
= q
B
= q
C
= q
D
= 0 .1
36
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
The minimal cut sets of the fault tree are:
A
B C
B D
T = A + BC + BD
Q s(t) = P(T) = P(A + BC + BD )
Using three terms of the inclusion-exclusion expansion gives:
P(BC)+
P(BD)]
= [P(A
14)+
44
4244
44
3
1stterm
)+4P(ABD
P(BCD
)]
− [P(ABC
1444
424)+
44
443
2nd term
)]
+ [P(ABCD
14243
3rd term
= [0.1+ 0.01+ 0.01]− [0.001+ 0.001+ 0.001]+ [0.0001]
= [0.12]− [0.003] + [0.0001]
= 0.1171
37
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Probability
value
Q (t)
s
Exact
Probability
1 2 3 4 5 6
No of terms
used in expansion
to calculate probability
38
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Convergence of Inclusion-Exclusion Expansion
P(T) =
nC
nC
i=1
i= 2 j=1
i−1
∑ P(C i) − ∑ ∑ P(C i ∩ C j)+
+L(−1)nC −1P(C 1 ∩ C 2 ∩ L∩ C nC )
nC
∑ P(C i)
Q rare event
=
Q lower=
i=1
nC
nC
i=1
i= 2 j=1
i−1
∑ P(C i) − ∑ ∑ P(C i ∩ C j)
nC − no of min cut sets
39
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Q exact= 0.1171
Q rare event
= 0.12
Q lower= 0.117
Minimal Cut Set Upper Bound
Q MCSU = 1−
nC
∏ (1− P(C i))
i=1
= 1− (1− 0.1)(1− 0.01)(1− 0.01)
= 0.11791
Q lower≤ Q exact≤ Q MCSU ≤ Q rare event
40
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Pump System Example
Component probabilities
Relay K1 contacts
K1
Relay K2 contacts
K2
Pressure switch
PRS
Timer relay
TIM
Switch
S1
1 × 10-4
1 × 10-4
5 × 10-4
3 × 10-4
5 × 10-3
Minimal Cut Sets
K2
1 × 10-4
PRS S1
2.5 × 10-6
PRS K1
5.0 × 10-8
PRS TIM 1.5 × 10-7
41
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Top Event Probability
Rare Event
Q SYS =
nC
∑QC
i=1
i
= 1.027× 10−4
Minimal Cut Set Upper Bound
Q SYS = 1−
nC
∏(1− Q C )
i=1
i
= 1.027× 10−4
Exact
Q
SYS
= 1 . 026987
× 10
− 4
42
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Importance Measures
_Critical System State
For component i is a state of the remaining (n - 1)
components such that the failure of component i causes the
system to go from a working to a failed state.
_Birnbaums Measure (IB )
The probability that the system is in a critical state for the
∂Q SYS
IB =
component.
i
∂qi
IB i
- Birnbaum importance measure for component i
Q SYS
- System unavailability
qi
- Component unavailability
43
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Example
System
Failure
Gate 1
A
B
Minimal Cut Sets
C
qA = qB = qC = 0.1
AB
AC
44
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Q SYS = P(AB + AC )
= qA qB + qA qC − qA qBqC
= 0.019
IB A =
∂Q SYS
= qB + qC − qBqC
∂qA
= 0.19
IB B =
∂Q SYS
= qA (1− qC )
∂qB
= 0.09
IBC =
∂Q SYS
= qA (1− qB )
∂qC
= 0.09
45
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Fussell-Vesely Measure (IFV)
Probability of the union of all Minimal Cut Sets containing the
component given that the system has failed.
Example
System
Failure
Gate 1
A
B
C
qA = qB = qC = 0.1
46
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Minimal Cut Sets
AB
AC
IFV A =
P(AB + BC) Q SYS
=
= 1.0
Q SYS
Q SYS
IFV B =
P(AB) qA qB 0.01
=
=
= 0.526
Q SYS 0.019
Q SYS
IFV C =
P(AC ) qA qC
0.01
=
=
= 0.526
Q SYS
Q SYS 0.019
47
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Pump System Example
Importance Measures
Fussell
Vesely
Birnbaum
K2
0.974
0.9999
PRS
0.026
5.397 × 10-3
S1
0.024
4.9975 × 10-4
TIM
0.0015
4.974 × 10-4
K1
0.0005
4.973 × 10-4
48
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Session 2: Advanced Features
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Minimal Cut Set Failure Frequency
wC k (t) − unconditional failure intensity
of cut set k
n − components in min cut set
wC k (t) =
n
n
i=1
j=1
j≠i
∑ wi(t) (∏ Q j(t))
Example Min Cut Set 1 = ABC
w
C
1
= w
A
q
B
q
C
+ w
B
q
A
q
C
+ w
C
q
A
q
B
50
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
w(t) - unconditional failure intensity
The probability that a component fails in
(t, t + dt)
w ( t) = λ ( t) [ 1 − q ( t) ]
Expected Number of Failures W(0, t)
t
W (0,t) = ∫ w(u)du
0
51
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Top Event Failure Frequency
(upper bound approximation)
wSYS =
nC
nC
(1− Q Cj))
∑ wC (1− ∏
j=1
i=1
i
j≠i
nC
−
no of min cut sets
52
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Initiator/Enabler Theory
Vaporiser
Trip Loop 2
(C)
Trip Loop 1
(A)
Liquid
Butane
Failure Modes:
(D)
(B)
Pump
Vent
Valve
Pump Surge
(control system failure)
A
Trip Loop 1 fails to act
B
Trip Loop 2 fails to act
C
Vent Valve fails to act
D
53
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Component Data
τ
λ
w =
λ (1 − q )
A
6 . 667
× 10
− 3
B
9 . 091
× 10
− 3
C
9 . 091
× 10
−3
D
9 . 091
× 10
− 3
λτ
λτ + 1
+
q=
*
θ
q = λ(τ + )
2
54
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
High Pressure
at Vaporiser
Coil
High pres.
into vap.
Trip Loop
2 fails
C
High pres.
at vent
valve
Vent valve
fails to act
D
High pres.
surge into
system
Trip loop
1 fails
A
B
55
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Conventional Approach
ws(t) = wC 1 (t)
=
4
4
qi (t)
∑ wj(t)∏
i=1
j=1
i≠ j
= wA qB qC qD + wBqA qC qD + wC qA qBqD
+ wD qA qBqC
= 5.0075× 10−6 + 2.5037× 10−5
+ 2.5037× 10−5 + 2.5037× 10−5
= 8.012× 10−5
Expected number of failures over 10 years
87600
W (0,87600) =
∫
8.012× 10−5dt
0
= 7.02
56
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
The Window for Initiating Events
Critical System State
Occurrence of
ENABLING
events
Safety system
inactive
t
0
t
Time
1
INITIATING
event
Initiating Events
Initiating events perturb system variables
and place a demand on control/protection
Systems to respond.
Enabling Events
Enabling events are inactive control/
Protection systems which permit initiating
Events to cause the top event.
57
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Using initiator/enabler theory
ws(t) = wC 1 (t)
= wA qBqC qD
= 5.0075× 10−6
Expected Number of Failures over 10 years
87600
W (0,87600) =
∫ 5.0075× 10
−6
dt
0
= 0.4387
58
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Not Logic
Noncoherent Fault Trees
Barlow - “A physical system would be quite
unusual (or poorly designed) if improving
the performance of a component (ie by
replacing a failed component by a
functioning component) causes the system
to deteriorate (ie change from a functioning
to a failed state)”
59
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Example
Min Cut Set
AB C
Is not a coherent structure as
AB C
ABC
→
→
System fails
System works
Coherent structure consist of only:
•
•
AND gates
OR gates
Noncoherent Structures
Are those which do not conform to the definition of a coherent structure
This occurs if the NOT operator is used or implied
eg XOR
60
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Laws of Boolean Algebra - Not Logic
A +A =1
A .A = 0
De Morgan’s Laws
(A + B) = A .B
(A .B) = A + B
61
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Road Junction Example
G
C
G
R
A
B
R
A - Car A fails to stop
B - Car B fails to stop
C - Car C stops
62
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Collision
at Junction
Car B Hits
Car A
Car A Hits
Car C
A
C
A
B
TOP = AC + AB
63
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Implicant Set is a combination of basic events (success or
failure) which produces the top event.
Prime Implicant Set is a combination of basic events
(success of failure) which is both necessary and sufficient to
cause the top event.
TOP
What about
= A C
+ A B
CB
it is a prime implicant
64
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Conventional approaches to fault tree reduction do not deliver
all prime implicants for every non-coherent tree
so:
TOP
= A C
+ A B + C B
Coherent approximation
TOP
= A
+ B
OK if
P (C ) ≈ 1
65
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Example
Lu
L
D1
D2
S
Supply
R
R contacts
System Functions - on detecting gas
a)
b)
c)
to alert the operator via a lamp
to alert the operator via a siren
to isolate electrical ignition sources
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
66
Leak detection
System Fails
Failure of
Siren
No signal
from Lu
Siren
fails
Failure to
isolate
electrics
Failure of
lamp
No signal
from Lu
Lamp
fails
S
L
No signal
from Lu
R
1
Lu
fails
Relay
fails
1
1
No signal
from
detectors
Lu
D1
fails
D1
D2
fails
D2
67
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
System Outcomes
1
2
3
4
5
6
7
8
SIREN
LAMP
ISOLATION
SYSTEM
W
W
W
W
F
F
F
F
W
W
F
F
W
W
F
F
W
F
W
F
W
F
W
F
?
68
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Operator alerted of spill (Siren and Lamp)
But electric circuits active
L Lu (D1 + D2)
S Lu (D1 + D2)
Failure of
Siren
Failure to
isolate
electrics
Failure of
lamp
No signal
from Lu
Siren
fails
R+Lu+D1.D2
Lamp
fails
S
No signal
from Lu
L
No signal
from Lu
R
1
Lu
fails
Relay
fails
1
1
No signal
from
detectors
Lu
D1
fails
D2
fails
D1
D2
69
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
TOP
= ( S Lu ( D 1 + D 2 )).( L Lu ( D 1 + D 2 )).( R + Lu
= S L Lu ( D 1 + D 2 ).( R + Lu
+ D 1 .D 2 )
+ D 1 .D 2 )
= S L Lu ( D 1 + D 2 ). R
Coherent Approximation
TOP = R
70
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Session 3: Current Research
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Problem areas in conventional
Fault Tree Analysis
_Qualitative Analysis
For very large fault trees it may not be possible to produce
a complete list of minimal cut sets.
Solution
Evaluate only those minimal cut sets which have the most
significant contribution to system failure
• Order culling
• Probability or Frequency culling
72
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
_Quantitative Analysis
l Requires minimal cut sets
l Calculations are too computer intensive to perform fully
Solution
• Use most significant minimal cut sets
• Use approximate calculation techniques.
73
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Binary Decision Diagrams
BDD’s
1 Developed over last 5 years.
2 Fault Tree - Good representation of
engineering failure logic
- Poor efficiency/accuracy in
mathematical calculations
BDD
- Poor representation of
engineering failure logic
- Good efficiency/accuracy in
mathematical calculations.
3 Trade-off for improved efficiency/accuracy is conversion
between FT → BDD.
4 Minimal cut sets not required to perform quantification. 74
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
B.D.D. Structure
Root Vertex
X1
0
1
X2
0
1
0
X3
1
1
X4
1
1
Non Terminal
Vertex
0
0
0
0
Terminal Vertex
75
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Fault Tree -> B.D.D
1. Initially requires basic events in the fault
placed in an ordering.
2. Most common method -
tree to be
If-Then-Else Structure
* ITE(X1, f1, f2) means
if X1 fails
then consider f1
else consider f2
1
f1
X1
0
f2
76
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Simple Conversion - ite method
Rules : G = ite (x, g1, g2), H = ite (y, h1, h2)
G*H=
if (x < y) => ite (x, g1*H, g2*H)
if (x = y) => ite (x, g1*h1, g2 *h2)
if * = AND
if * = OR
=> 1 * G = G, 0 * G = 0
=> 1 * G = 1, 0 * G = G
77
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Fault Tree Structure
TOP EVENT
GATE 1 (G1)
A
B
C
A = ite (A, 1, 0)
B = ite (B, 1, 0)
C = ite (C, 1, 0)
78
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Simple Conversion cont...
Order
G1 = A + B
A<B<C
= ite(A, 1, 0) + ite(B, 1, 0)
= ite(A, 1+ite(B, 1, 0), 0+ite(B, 1, 0))
= ite(A, 1, ite(B, 1, 0))
TOP = G1.C = ite(A, 1, ite(B, 1, 0)).ite(C, 1, 0)
= ite(A, 1.ite(C, 1, 0), ite(B, 1, 0).ite(C, 1, 0))
= ite(A, ite(C, 1, 0), ite(B, 1.ite(C, 1, 0),
0.ite(C, 1, 0)))
= ite(A, ite(C, 1, 0), ite(B, ite(C, 1, 0), 0))
Root Vertex 1 branch
0 branch
79
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Resulting Diagram
Minimal Cut Sets :Failure events on
path to terminal 1
A
1
0
C
B
0
1
1
1
0
0
C
1
AC
0
1
0
0
BC
80
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Top Event Probability from B.D.D
=> Probability of the sum of disjoint paths through the bdd.
Disjoint Path - included in a path are the basic events that lie on
a 0 branch on the way to a terminal 1 vertex.
Basic Events lying on a 0 branch are denoted as Xi, ie. ‘Not’ Xi
81
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
A
1
0
C
B
0
1
1
1
0
0
C
1
AC
0
1
0
0
BC
The disjoint paths of the bdd are :
AC, ABC
Top event probability : P(AC + ABC)
82
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Disadvantages of BDD
• FTA → BDD conversion
• Poor ordering can give poor efficiency
Advantage of BDD
• improved efficiency
• improved accuracy
83
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Result of Different Ordering
Permutations
TOP
An Example Tree Structure
G1
X1
G2
X2
G3
X3
X2
X4
84
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Result of Ordering :
X1 < X2 < X3 < X4
X1
1
X2
X3
1
X4
1
0
0
85
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Result of Ordering :
X4 < X3 < X2 < X1
X4
X3
X3
1
X2
X2
1
X1
1
1
0
X1
1
0
86
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
FAULT TREE CHARACTERISTICS
????
EFFICIENT B.D.D VARIABLE
ORDERING
87
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Training Methods
• Classifier System
• Neural Networks
Direct evaluation of Fault Tree Structure
88
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Safety System Design
Considerations
D Redundancy and diversity levels
D Component selection
D Time interval between testing the system
*Choice of design not unrestricted
89
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
System Analysis
D Fault Trees represent and quantify the system unavailability of each potential design
D House events used to construct a single fault tree representing the failure mode of EACH
design
V al v e F ail ure
Fault tree
representing
selection of
valve type
1,2 or 3
Va lv e N o . 1
s e lec t e d an d
F ai ls
Va lv e 1
F ail s
Va lv e N o . 2
s e lec ted an d
F ail s
Va lv e 2
F a ils
Va lv e N o .
1 F it ted
i.e.
H1 = 1
Va lv e N o. 3
s el ec ted an d
F ails
V alv e 3
F a ils
Va lv e N o .
2 F it ted
i .e .
H2 = 1
V al ve N o.
3 F i tt e d
i. e .
H3 = 1
90
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
System Analysis, contd.
Binary Decision Diagrams improve efficiency of system analysis
BDD
D Connecting branches
D Non-terminal vertices
l correspond to basic events
D Terminal vertices
l 0, i.e. system works
l 1, i.e. system fails
BDD - Valve selection
qV1
V1
1 - qV1
1 - qH1
H1
qH 1
V2
q V2
1
H2
qH2
1 - qV 2
1 - qH 2
V3
qV3
1
1 - qV3
H3
0
q H3
1 - q H3
1
0
91
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
The Optimisation Problem
D System performance CANNOT be expressed as an explicit
objective function
D Most design variables are integer or Boolean
D Constraints are of both implicit and explicit type
92
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
High Integrity Protection System
Sub-system 1
PT
PT
Master Wing
PT
Sub-system 2
PT
PT
PT
ESDV1ESDV2
HIPS1 HIPS2
Designer Options
Variable
vNo. ESD valves (0,1,2)?
v No. HIPS valves (0,1,2)?
v No. PT’s each subsystem (0 to 4)?
v No. PT’s to trip?
v Type of valve?
v Type of PT?
v MTI each subsystem (1 to 104 weeks)?
E
H
N1, N2
K1, K2
V1, V2
P1 , P2
θ1, θ 2
93
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Limitations on Design
D Cost < 1000 units
D Maintenance Dwn Time (MDT) < 130 hours
D Spurious trip occurrences < 1 per year
94
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Genetic Algorithms
Structure of the GA
Set up initial population
of strings
Loop
D Evaluate fitness of each
string
D Selection - biased
roulette wheel
D Crossover/Mutation on
selected offspring
Selection
Biased roulette wheel
P4
= 5.5%
P1 = 30.9%
P3 = 49.2%
P2 = 14.4%
*One iteration of each loop
= generation
Pi =
individual fitness of
chromosome
total fitness of gene
pool
95
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Initialising a System Design
7 bits
7 bits
Ø1-1 to 104 weeks
3 bits
N1
3 bits
1 & 1 bit
Ø2
V1,V2 P1,P2
3 bits
3 bits 2 bits 2 bits
N2
K1
Total = 32 bits
K2
E
H
96
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Evaluating Design Fitness
The fitness of each string comprises of four parts;
v
v
v
v
Probability of system unavailability
Penalty due to excess cost
Penalty due to excess MDT
Penalty due to excess spurious trip frequency
As a sole fitness value;
'
Q SY
S = Q SY S + C P + M D TP + STFP
*
= penalised probability of system unavailability
97
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Best Design’s Characteristics
Subsys 1 & 2
v
v
v
v
No. ESD/HIPS valves
No. PT’s
No. PT’s to trip system
M.T.I.
v MDT
v Cost
v Spurious trip
System
Unavailability
0
3
2
23
2
3
2
57
Type
2
1
123 hours
842 units
0.455
0.0011
98
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Diagram of The Deluge System
cv
FIREWATER
RINGMAIN
Filt er
J oc key Pum p
P
S
P
S
Press ure
Sensor
Powe r
F ilter
AFFF
RINGMAIN
E
Power
cv
E
cv
D
AF FF
D elu ge Valve
CV
AFF F
C heck
Valve
(0 T O 4 Electric)
MAIN FIREWATER
PUMPS
D ie se l
Ta nk
AF F F
Tank
L evel
A larm
L eve l
al ar m
AFFF PUMP S
Wa ter Deluge
valve
Indu ct or Stra ine r
N ozzle
(0 to 4 Diesel)
F ilter
J
open-vent
D
CV
D iesl
tank
Level
alarm
Signal to
P umps
P
S
W ate r C losingDELUGE
SKID
Circuit
P
S
M AIN F IR E AND
G AS PAN EL
Man u al
Signal on
T rip
Re le as e
SMech
an is m
s ig n al to
V
ve n t
en oi d
S
1 2 xVSol
a lv es
V
2
= isolation valves,
pressure relief
valves,
flow control valves
99
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Design Variables of
Deluge System
v
v
v
v
v
v
v
v
v
v
v
v
v
No. of electric pumps firewater system (1 to 4) – type E1 to E5
No. of electric pumps AFFF system (1,2) – type E6, E7
No. of diesel pumps firewater system (1 to 4) – type D1 to D5
No. of diesel pumps AFFF system (1,2) – type 6, D7
No. of pressure sensors firewater ringmain (1 to 4)
No. of sensors to trip
Type of pressure sensor
Type of water deluge valve
Type of afff deluge valve
Type of pipework
Maintenance interval for pump tests
Maintenance interval for pump and ringmain tests
Maintenance interval for full tests
100
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Deluge system
D Fault tree in excess of 450 gates and 420 basic
events
D Fault tree converted to 17 BDD’s
D In excess of 44000000000 design variations!!
101
provided as a free service by www.fault-tree.net and Dr. John Andrews/Loughborough University
Related documents
Metamagnetism and the Possibility of Novel Phase Formation
Metamagnetism and the Possibility of Novel Phase Formation
Scottish Hellenic Society of St Andrews Membership Application
Scottish Hellenic Society of St Andrews Membership Application
University of St Andrews Superannuation and Life Assurance Scheme
University of St Andrews Superannuation and Life Assurance Scheme
Document10567549 10567549
Document10567549 10567549
Download
advertisement