Chapter 3 System Analysis: Fault Tree Analysis
Marvin Rausand
Department of Production and Quality Engineering
Norwegian University of Science and Technology
marvin.rausand@ntnu.no
Marvin Rausand, October 7, 2005 System Reliability Theory (2nd ed), Wiley, 2004 – 1 / 32

Introduction

What is fault tree analysis?
- Fault tree analysis (FTA) is a top-down approach to failure analysis, starting with a potential undesirable event (accident) called a TOP event, and then determining all the ways it can happen.
- The analysis proceeds by determining how the TOP event can be caused by individual or combined lower level failures or events.
- The causes of the TOP event are “connected” through logic gates.
- In this book we only consider AND-gates and OR-gates.
- FTA is the most commonly used technique for causal analysis in risk and reliability studies.

History
- FTA was first used by Bell Telephone Laboratories in connection with the safety analysis of the Minuteman missile launch control system in 1962.
- The technique was improved by the Boeing Company.
- It was extensively used and extended during the Reactor Safety Study (WASH 1400).

FTA main steps
- Definition of the system, the TOP event (the potential accident), and the boundary conditions
- Construction of the fault tree
- Identification of the minimal cut sets
- Qualitative analysis of the fault tree
- Quantitative analysis of the fault tree
- Reporting of results

Preparation for FTA
- The starting point of an FTA is often an existing FMECA and a system block diagram.
- The FMECA is an essential first step in understanding the system.
- The design, operation, and environment of the system must be evaluated.
- The cause and effect relationships leading to the TOP event must be identified and understood.

Preparation for FTA (figure): the system block diagram and the FMECA are the inputs from which the fault tree is built.

Boundary conditions
- The physical boundaries of the system (Which parts of the system are included in the analysis, and which parts are not?)
- The initial conditions (What is the operational state of the system when the TOP event is occurring?)
- Boundary conditions with respect to external stresses (What type of external stresses should be included in the analysis: war, sabotage, earthquake, lightning, etc.?)
- The level of resolution (How detailed should the analysis be?)
Fault tree construction

Fault tree construction
- Define the TOP event in a clear and unambiguous way. It should always answer:
  What: e.g., “Fire”
  Where: e.g., “in the process oxidation reactor”
  When: e.g., “during normal operation”
- What are the immediate, necessary, and sufficient events and conditions causing the TOP event?
- Connect them via an AND- or OR-gate.
- Proceed in this way to an appropriate level (= basic events).
- Appropriate level:
  - Independent basic events
  - Events for which we have failure data

Fault tree symbols
Logic gates:
- OR-gate: indicates that the output event occurs if any of the input events occur.
- AND-gate: indicates that the output event occurs only if all the input events occur at the same time.
Input events (states):
- Basic event: represents a basic equipment failure that requires no further development of failure causes.
- Undeveloped event: represents an event that is not examined further because information is unavailable or because its consequences are insignificant.
Description of state:
- Comment rectangle: for supplementary information.
Transfer symbols:
- Transfer out / Transfer in: the transfer-out symbol indicates that the fault tree is developed further at the occurrence of the corresponding transfer-in symbol.

Example: Redundant fire pumps
(Figure: a valve supplied by fire pump 1 (FP1) and fire pump 2 (FP2), both driven by a single engine.)
TOP event = No water from fire water system
Causes for TOP event:
  VF = Valve failure
  G1 = No output from any of the fire pumps
  G2 = No water from FP1
  G3 = No water from FP2
  FP1 = Failure of FP1
  FP2 = Failure of FP2
  EF = Failure of engine

Example: Redundant fire pumps (2)
(Fault tree figure, given here as indented text:)
TOP: No water from fire pump system (OR-gate)
  VF: Valve blocked, or fail to open
  G1: No water from the two pumps (AND-gate)
    G2: No water from pump 1 (OR-gate)
      FP1: Failure of pump 1
      EF: Failure of engine
    G3: No water from pump 2 (OR-gate)
      FP2: Failure of pump 2
      EF: Failure of engine

Example: Redundant fire pumps (3)
(Two fault tree figures, given here as indented text.)
Left tree: the tree from the previous slide, TOP = VF OR G1, G1 = G2 AND G3, G2 = FP1 OR EF, G3 = FP2 OR EF.
Right tree:
TOP: No water from fire pump system (OR-gate)
  VF: Valve blocked, or fail to open
  EF: Failure of engine
  G1: No water from the two pumps (AND-gate)
    FP1: Failure of pump 1
    FP2: Failure of pump 2
The two fault trees above are logically identical. They give the same information.
Qualitative assessment

Cut Sets
- A cut set in a fault tree is a set of basic events whose (simultaneous) occurrence ensures that the TOP event occurs.
- A cut set is said to be minimal if the set cannot be reduced without losing its status as a cut set.
The TOP event will therefore occur if all the basic events in a minimal cut set occur at the same time.

Qualitative assessment
Qualitative assessment by investigating the minimal cut sets:
- Order of the cut sets
- Ranking based on the type of basic events involved:
  1. Human error (most critical)
  2. Failure of active equipment
  3. Failure of passive equipment
- Also look for “large” cut sets with dependent items

(Table: ranking of cut sets with two basic events)
Rank  Basic event 1            Basic event 2
1     Human error              Human error
2     Human error              Failure of active unit
3     Human error              Failure of passive unit
4     Failure of active unit   Failure of active unit
5     Failure of active unit   Failure of passive unit
6     Failure of passive unit  Failure of passive unit

Quantitative assessment

Notation
$Q_0(t) = \Pr(\text{The TOP event occurs at time } t)$
$q_i(t) = \Pr(\text{Basic event } i \text{ occurs at time } t)$
$\check{Q}_j(t) = \Pr(\text{Minimal cut set } j \text{ fails at time } t)$
- Let $E_i(t)$ denote that basic event i occurs at time t. $E_i(t)$ may, for example, be that component i is in a failed state at time t. Note that $E_i(t)$ does not mean that component i fails exactly at time t, but that component i is in a failed state at time t.
- A minimal cut set is said to fail when all the basic events occur (are present) at the same time.
The formulas for $q_i(t)$ will be discussed later in this presentation.

Single AND-gate
(Figure: TOP event S fed by an AND-gate whose inputs are “Event 1 occurs” ($E_1$) and “Event 2 occurs” ($E_2$).)
Let $E_i(t)$ denote that event $E_i$ occurs at time t, and let $q_i(t) = \Pr(E_i(t))$ for i = 1, 2. When the basic events are independent, the TOP event probability $Q_0(t)$ is
$Q_0(t) = \Pr(E_1(t) \cap E_2(t)) = \Pr(E_1(t)) \cdot \Pr(E_2(t)) = q_1(t) \cdot q_2(t)$
When we have a single AND-gate with m basic events, we get
$Q_0(t) = \prod_{j=1}^{m} q_j(t)$

Single OR-gate
(Figure: TOP event S fed by an OR-gate whose inputs are “Event 1 occurs” ($E_1$) and “Event 2 occurs” ($E_2$).)
When the basic events are independent, the TOP event probability $Q_0(t)$ is
$Q_0(t) = \Pr(E_1(t) \cup E_2(t)) = \Pr(E_1(t)) + \Pr(E_2(t)) - \Pr(E_1(t) \cap E_2(t)) = q_1(t) + q_2(t) - q_1(t) \cdot q_2(t) = 1 - (1 - q_1(t))(1 - q_2(t))$
When we have a single OR-gate with m basic events, we get
$Q_0(t) = 1 - \prod_{j=1}^{m} (1 - q_j(t))$

Cut set assessment
(Figure: “Min. cut set j fails” fed by an AND-gate whose inputs are “Basic event j,1 occurs” ($E_{j1}$), “Basic event j,2 occurs” ($E_{j2}$), ..., “Basic event j,r occurs” ($E_{jr}$).)
A minimal cut set fails if and only if all the basic events in the set fail at the same time. The probability that cut set j fails at time t is
$\check{Q}_j(t) = \prod_{i=1}^{r} q_{j,i}(t)$
where we assume that all the r basic events in the minimal cut set j are independent.

TOP event probability
(Figure: TOP fed by an OR-gate whose inputs are “Min. cut set 1 fails” ($C_1$), “Min. cut set 2 fails” ($C_2$), ..., “Min. cut set k fails” ($C_k$).)
The TOP event occurs if at least one of the minimal cut sets fails. The TOP event probability is
$Q_0(t) \le 1 - \prod_{j=1}^{k} \bigl(1 - \check{Q}_j(t)\bigr) \qquad (1)$
The reason for the inequality sign is that the minimal cut sets are not always independent. The same basic event may be a member of several cut sets. Formula (1) is called the Upper Bound Approximation.

Input Data
Types of events
Five different types of events are normally used:
- Non-repairable unit
- Repairable unit (repaired when failure occurs)
- Periodically tested unit (hidden failures)
- Frequency of events
- On demand probability
Basic event probability: $q_i(t) = \Pr(\text{Basic event } i \text{ occurs at time } t)$

Non-repairable unit
Unit i is not repaired when a failure occurs.
Input data:
- Failure rate $\lambda_i$
Basic event probability:
$q_i(t) = 1 - e^{-\lambda_i t} \approx \lambda_i t$

Repairable unit
Unit i is repaired when a failure occurs. The unit is assumed to be “as good as new” after a repair.
Input data:
- Failure rate $\lambda_i$
- Mean time to repair, $\mathrm{MTTR}_i$
Basic event probability:
$q_i(t) \approx \lambda_i \cdot \mathrm{MTTR}_i$

Periodic testing
Unit i is tested periodically with test interval $\tau$. A failure may occur at any time in the test interval, but the failure is only detected in a test or if a demand for the unit occurs. After a test/repair, the unit is assumed to be “as good as new”.
This is a typical situation for many safety-critical units, like sensors and safety valves.
Input data:
- Failure rate $\lambda_i$
- Test interval $\tau_i$
Basic event probability:
$q_i(t) \approx \frac{\lambda_i \cdot \tau_i}{2}$

Frequency
Event i occurs now and then, with no specific duration.
Input data:
- Frequency $f_i$
- If the event has a duration, use input similar to a repairable unit.

On demand probability
Unit i is not active during normal operation, but may be subject to one or more demands.
Input data:
- Pr(Unit i fails upon request)
- This is often used to model operator errors.

Cut set evaluation
Ranking of minimal cut sets:
- Cut set unavailability: the probability that a specific cut set is in a failed state at time t
- Cut set importance: the conditional probability that a cut set is failed at time t, given that the system is failed at time t

Conclusions
- FTA identifies all the possible causes of a specified undesired event (TOP event).
- FTA is a structured top-down deductive analysis.
- FTA leads to improved understanding of system characteristics. Design flaws and insufficient operational and maintenance procedures may be revealed and corrected during the fault tree construction.
- FTA is not (fully) suitable for modelling dynamic scenarios.
- FTA is binary (fail–success) and may therefore fail to address some problems.
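A worked example tying together the slides above: minimal cut set identification (Cut Sets), the AND/OR-gate and cut set formulas, the Upper Bound Approximation (1), the basic event probability models under Input Data, and cut set importance from Cut set evaluation. This is added code, not part of the slide deck; the fault tree is the redundant fire pump example from the slides, while the failure rates, MTTR, test interval and mission time used as input data are constructed values.

```python
from itertools import product
from math import exp, prod

# Fire pump fault tree from the slides as nested ("gate", [inputs]); leaves are basic events.
FIRE_PUMP_TREE = ("OR", [
    "VF",                              # valve blocked or fails to open
    ("AND", [                          # G1: no output from any fire pump
        ("OR", ["FP1", "EF"]),         # G2: no water from pump 1
        ("OR", ["FP2", "EF"]),         # G3: no water from pump 2 (shares EF)
    ]),
])

def cut_sets(node):
    """All cut sets of a node: OR = union of input families, AND = one set from each input."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, inputs = node
    families = [cut_sets(i) for i in inputs]
    if gate == "OR":
        return set().union(*families)
    return {frozenset().union(*combo) for combo in product(*families)}

def minimal_cut_sets(node):
    """Keep only cut sets that do not strictly contain another cut set."""
    sets = cut_sets(node)
    return {s for s in sets if not any(o < s for o in sets)}

# Basic event probabilities q_i(t) for three of the unit types on the Input Data slides.
def q_nonrepairable(lam, t): return 1 - exp(-lam * t)
def q_repairable(lam, mttr): return lam * mttr
def q_periodic(lam, tau): return lam * tau / 2

def cut_set_unavailability(cs, q):
    """Q_j(t): product of q_i(t) over the independent basic events in cut set j."""
    return prod(q[e] for e in cs)
def top_event_upper_bound(mcs, q):
    """Upper Bound Approximation, formula (1): Q0(t) <= 1 - prod_j (1 - Q_j(t))."""
    return 1 - prod(1 - cut_set_unavailability(cs, q) for cs in mcs)

if __name__ == "__main__":
    mcs = minimal_cut_sets(FIRE_PUMP_TREE)   # {VF}, {EF}, {FP1, FP2}
    # Constructed input data: failure rates per hour, evaluated at t = 8760 h (one year).
    q = {"VF": q_periodic(2e-6, 8760), "EF": q_repairable(1e-4, 24),
         "FP1": q_nonrepairable(5e-5, 8760), "FP2": q_nonrepairable(5e-5, 8760)}
    q0 = top_event_upper_bound(mcs, q)
    # Cut set importance = Pr(cut set failed | system failed) = Q_j(t) / Q0(t).
    for cs in sorted(mcs, key=lambda c: -cut_set_unavailability(c, q)):
        print(sorted(cs), round(cut_set_unavailability(cs, q) / q0, 3))
    print("Q0(t) <=", q0)
```

Because no basic event is shared between the three minimal cut sets {VF}, {EF} and {FP1, FP2}, the bound from formula (1) is exact for this tree; the inequality matters only when a basic event belongs to several minimal cut sets.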