Reliability of Safety-Critical Systems 5.1 Reliability Quantification with FTs

Transcription

1 Reliability of Safety-Critical Systems 5.1 Reliability Quantification with FTs Mary Ann Lundteigen and Marvin Rausand RAMS Group Department of Production and Quality Engineering NTNU (Version 1.1 per August 2015) M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 1 / 18

2 Reliability of Safety-Critical Systems Slides related to the book Reliability of Safety-Critical Systems Theory and Applications Wiley, 2014 Theory and Applications Marvin Rausand Homepage of the book: books/sis M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 2 / 18

3 Learning objectives The main purpose of this presentation is to: Give an overview and brief introduction to fault tree analysis Indicate the relationship between reliability block diagrams and fault trees M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 3 / 18

4 Key modeling symbols A fault tree includes the following main modeling symbols: TOP event, which is a description of the system failure Basic events, which are the type of faults and events that may contribute to the TOP event Logic OR or AND gates, which gives the logical relationship between the TOP event and the basic events A koon gate symbol also exists, but it should be noted that k in this case is the the minimum number of faults that leads to a failure, rather than success. What is often called a koon system would be modeled by a (n k + 1)oon gate in the fault tree. Other symbols: Transfer-out and transfer-in symbols, that links several fault trees together M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 4 / 18

5 Relationship with RBSs (i) TOP (ii) TOP (iii) TOP 1 G M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 5 / 18

6 Key modeling concepts The concept of minimal cut sets is key in relation to modeling and analysis of fault trees. Cut set: A cut set in a fault tree is a set of basic events whose (simultaneous) occurrence ensures that the TOP event occurs. Minimal cut set: A cut set that cannot be reduced without losing its status as a cut set. TOP event occurs if one more ore of the minimal cut sets occur. The M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 6 / 18

7 Example Consider the reliability block diagram of a SIS, as illustrated below: PT1 PT1 PT1 PT1 PT1 PT1 LS SDV1 SDV2 The corresponding minimal cut sets (denoted C i ) are: C 1 = {PT1,PT2} C 2 = {PT1,PT3} C 3 = {PT2,PT3} C 4 = {LS} C 5 = {SDV 1,SDV 2} M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 7 / 18

8 Illustration (overall system) Top structure No signal about high pressure from the pressure transmitters PT Critical high pressure in pipeline when outlet blocked Logic solver does not transmit signal about high pressure LS OR-gate TOP event description Shutdown valves fail to close on demand Transfer symbol Basic event description SDV 1 fails to close SDV 2 fails to close Basic event symbol SDV1 SDV2 M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 8 / 18

9 Illustration (failure of pressure transmitter system) PT No signal about high pressure from the pressure transmitters PT 1 and PT 2 fail to signal high pressure PT 1 and PT 3 fail to signal high pressure PT 2 and PT 3 fail to signal high pressure AND-gate PT 1 fails to signal high pressure PT 1 fails to signal high pressure PT 1 fails to signal high pressure PT 3 fails to signal high pressure PT 2 fails to signal high pressure PT 3 fails to signal high pressure PT1 PT2 PT1 PT3 PT2 PT3 M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 9 / 18

10 Illustration (alternative modelign of failure of pressure transmitter system ) PT No signal about high pressure from the pressure transmitters 2/3 PT 1 fails to signal high pressure PT 2 fails to signal high pressure PT 3 fails to signal high pressure PT1 PT2 PT3 Note that the k/n gate is (n k + 1)/n if it represents the failure of koon system. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 10 / 18

11 Key modeling rules The TOP event occurs if one of the minimal cut sets occurs The main challenge is therefore to identify the minimal cut sets If all minimal cut sets were independent, we could calculate the the probability of the top event by: Q 0 (t) = 1 k [1 ˇQ j (t)] j=1 where Q j (t) is the failure probability of minimal cut set C j : ˇQ j (t) = q i (t) i C j M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 11 / 18

12 Upper bound In reality, the minimal cut sets will not (normally) be independent, since the same basic event may belong to the several minimal cut sets. This type of dependency is called positive dependency, which increases the reliability. This double counting of basic events results in a higher failure probability of the TOP event, and consequently, we can claim that the true TOP event failure probability will be lower than:: Q 0 (t) 1 k [1 ˇQ j (t)] j=1 and we can therefore use this formula as a conservative approximation for the calculations. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 12 / 18

13 Illustration TOP Minimal cut set 1 fails Minimal cut set 2 fails Minimal cut set k fails k.1 k.2 k.3 M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 13 / 18

14 Failure probabilities Consider the state of the basic event i, E i. The choice of failure probability is dependent on the following factors: Alternative 1: The item in continuous operation and non-repairable. In this case we may be interested in the probability that item i has failed at time t, q i (t),which is: q i (t) = Pr[E i (t)] = Pr(T < t) If we assume exponential time to failure, q i (t) becomes: q i (t) = 1 e λ it M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 14 / 18

15 Failure probabilities Alternative 2: The item in continuous operation and repairable. We assume that the item runs to failiure and is then repaired. In this case, we may want to determine the mean unavailability of the item: q i = MTTR i MTTF i + MTTR i λ i MTTR i where MTTR i is the mean time after the failure, and MTTF i is the mean time to failure. Note that we here have assumed (again) exponentially distributed time to failure so that 1/MTTF i = λ i M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 15 / 18

16 Failure probabilities Alternative 3: The item that is normally passive and therefore subject to regular testing and repair. In this case, we may want to chose the mean unavailability or mean downtime due to a hidden failure: q i = λ iτ + Pr(Failure found) Mean downtime of the test 2 λ iτ 2 + λ iτ MRT i τ Note that λ i in this case represent DU failures, and that the mean down time due to other failure categories may need to be added in addition. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 16 / 18

17 Inclusion of Common cause failures There are mainly three strategies to modeling CCFs in relation to fault tree analysis: 1. Include in FT (explicit): Model each CCF cause as a separate basic event that may lead to the failure of several items 2. Include in FT (implicit): Model a CCF as a basic event that cover several causes that may lead to the failure of several items 3. Exclude from FT: Add the contribution from CCFs in the quantification after the minimal cut sets have been extracted. The last option may be favourable when the system complexity is high, and where dependency may exist between basic events at different levels and section of the fault tree. M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 17 / 18

18 Importance measure Several importance measures have been developed to measure the relative importance of basic events. One of particular importance is the Birnbaum measure, where the relative importance of basic event i is measures by: I B (i t) = δq 0(t) δq i (t) This may also be calculated more easily as: I B (i t) = Q 0 (t E i (t) = 1) Q 0 (t E i (t) = 0) M.A.Lundteigen (RAMS Group) Reliability of Safety-Critical Systems (Version 1.1) 18 / 18