Chapter 3
System Analysis
Fault Tree Analysis

Marvin Rausand
Department of Production and Quality Engineering
Norwegian University of Science and Technology
marvin.rausand@ntnu.no

Marvin Rausand, October 7, 2005    System Reliability Theory (2nd ed), Wiley, 2004 – 1 / 32
Introduction

What is fault tree analysis?

- Fault tree analysis (FTA) is a top-down approach to failure analysis, starting with a potential undesirable event (accident) called a TOP event, and then determining all the ways it can happen.
- The analysis proceeds by determining how the TOP event can be caused by individual or combined lower level failures or events.
- The causes of the TOP event are “connected” through logic gates.
- In this book we only consider AND-gates and OR-gates.
- FTA is the most commonly used technique for causal analysis in risk and reliability studies.
History

- FTA was first used by Bell Telephone Laboratories in connection with the safety analysis of the Minuteman missile launch control system in 1962.
- The technique was improved by the Boeing Company.
- FTA was extensively used and extended during the Reactor Safety Study (WASH 1400).
FTA main steps

- Definition of the system, the TOP event (the potential accident), and the boundary conditions
- Construction of the fault tree
- Identification of the minimal cut sets
- Qualitative analysis of the fault tree
- Quantitative analysis of the fault tree
- Reporting of results
Preparation for FTA

- The starting point of an FTA is often an existing FMECA and a system block diagram.
- The FMECA is an essential first step in understanding the system.
- The design, operation, and environment of the system must be evaluated.
- The cause and effect relationships leading to the TOP event must be identified and understood.
Preparation for FTA

[Figure: the FMECA and the system block diagram are the inputs from which the fault tree is built]
Boundary conditions

- The physical boundaries of the system (Which parts of the system are included in the analysis, and which parts are not?)
- The initial conditions (What is the operational state of the system when the TOP event is occurring?)
- Boundary conditions with respect to external stresses (What type of external stresses should be included in the analysis – war, sabotage, earthquake, lightning, etc.?)
- The level of resolution (How detailed should the analysis be?)
Fault tree construction

- Define the TOP event in a clear and unambiguous way. It should always answer:
    What   e.g., “Fire”
    Where  e.g., “in the process oxidation reactor”
    When   e.g., “during normal operation”
- What are the immediate, necessary, and sufficient events and conditions causing the TOP event?
- Connect via AND- or OR-gate.
- Proceed in this way to an appropriate level (= basic events).
- Appropriate level:
    - Independent basic events
    - Events for which we have failure data
Fault tree symbols

Logic gates:
- OR-gate: The OR-gate indicates that the output event occurs if any of the input events occur.
- AND-gate: The AND-gate indicates that the output event occurs only if all the input events occur at the same time.

Input events (states):
- Basic event: The basic event represents a basic equipment failure that requires no further development of failure causes.
- Undeveloped event: The undeveloped event represents an event that is not examined further because information is unavailable or because its consequences are insignificant.

Description of state:
- Comment rectangle: The comment rectangle is for supplementary information.

Transfer symbols:
- Transfer out / Transfer in: The transfer-out symbol indicates that the fault tree is developed further at the occurrence of the corresponding transfer-in symbol.
Example: Redundant fire pumps

[Figure: system sketch showing a Valve, Fire pump 1 (FP1), Fire pump 2 (FP2) and an Engine]

TOP event = No water from fire water system

Causes for TOP event:
VF = Valve failure
G1 = No output from any of the fire pumps
G2 = No water from FP1
G3 = No water from FP2
FP1 = Failure of FP1
EF = Failure of engine
FP2 = Failure of FP2
Example: Redundant fire pumps (2)

[Figure: fault tree for the redundant fire pumps, rendered here as an indented outline]
TOP: No water from fire pump system (OR-gate)
    VF: Valve blocked, or fail to open
    G1: No water from the two pumps (AND-gate)
        G2: No water from pump 1 (OR-gate)
            FP1: Failure of pump 1
            EF: Failure of engine
        G3: No water from pump 2 (OR-gate)
            FP2: Failure of pump 2
            EF: Failure of engine
Example: Redundant fire pumps (3)

[Figure: the fault tree from slide (2) on the left, and a simplified fault tree on the right; the right-hand tree rendered as an indented outline]
TOP: No water from fire pump system (OR-gate)
    VF: Valve blocked, or fail to open
    EF: Failure of engine
    G1: No water from the two pumps (AND-gate)
        FP1: Failure of pump 1
        FP2: Failure of pump 2

The two fault trees above are logically identical. They give the same information.
Qualitative assessment

Cut Sets

- A cut set in a fault tree is a set of basic events whose (simultaneous) occurrence ensures that the TOP event occurs.
- A cut set is said to be minimal if the set cannot be reduced without losing its status as a cut set.

The TOP event will therefore occur if all the basic events in a minimal cut set occur at the same time.
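As an added example (not code from the slides), the two fire pump trees and the minimal cut set definition are put together: each tree is encoded as nested tuples of gates, an assumption of this example, and reduced to its minimal cut sets, which shows concretely why the two trees are logically identical.

```python
"""Minimal cut sets of the redundant fire pump fault trees.

Added example, not part of the original slides.  The gate names (OR/AND) and
event labels follow the slides; the nested-tuple encoding of the trees is an
assumption of this example.
"""
from itertools import product


def cut_sets(node):
    """Return the cut sets (each a frozenset of basic events) of a gate tree.

    A node is either a string (basic event) or a tuple (gate, child, child, ...).
    An OR-gate output occurs if any input occurs, so its cut sets are the union
    of the inputs' cut sets.  An AND-gate output occurs only if all inputs occur,
    so its cut sets are all unions of one cut set taken from each input.
    """
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        return set().union(*child_sets)
    if gate == "AND":
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Keep only cut sets that contain no other cut set as a proper subset."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def by_order(mcs):
    """Sort cut sets by order (number of basic events), then by event names."""
    return sorted((sorted(s) for s in mcs), key=lambda s: (len(s), s))


# Tree from slide (2): TOP = VF OR G1, G1 = G2 AND G3,
# G2 = FP1 OR EF, G3 = FP2 OR EF.  The engine failure EF appears twice.
TREE_A = ("OR", "VF",
          ("AND", ("OR", "FP1", "EF"),
                  ("OR", "FP2", "EF")))

# Simplified tree from slide (3): TOP = VF OR EF OR G1, G1 = FP1 AND FP2.
TREE_B = ("OR", "VF", "EF", ("AND", "FP1", "FP2"))


if __name__ == "__main__":
    for name, tree in (("tree (2)", TREE_A), ("tree (3)", TREE_B)):
        print(name, "cut sets:", by_order(cut_sets(tree)))
        print(name, "minimal cut sets:", by_order(minimal_cut_sets(tree)))
    # Tree (2) also produces the non-minimal sets {FP1, EF} and {FP2, EF};
    # after reduction both trees give {VF}, {EF} and {FP1, FP2}.
    assert minimal_cut_sets(TREE_A) == minimal_cut_sets(TREE_B)
```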
Qualitative assessment

Qualitative assessment by investigating the minimal cut sets:
- Order of the cut sets
- Ranking based on the type of basic events involved:
    1. Human error (most critical)
    2. Failure of active equipment
    3. Failure of passive equipment
- Also look for “large” cut sets with dependent items

Rank   Basic event 1              Basic event 2
1      Human error                Human error
2      Human error                Failure of active unit
3      Human error                Failure of passive unit
4      Failure of active unit     Failure of active unit
5      Failure of active unit     Failure of passive unit
6      Failure of passive unit    Failure of passive unit
Quantitative assessment

Notation

$Q_0(t) = \Pr(\text{The TOP event occurs at time } t)$
$q_i(t) = \Pr(\text{Basic event } i \text{ occurs at time } t)$
$\check{Q}_j(t) = \Pr(\text{Minimal cut set } j \text{ fails at time } t)$

- Let $E_i(t)$ denote that basic event $i$ occurs at time $t$. $E_i(t)$ may, for example, be that component $i$ is in a failed state at time $t$. Note that $E_i(t)$ does not mean that component $i$ fails exactly at time $t$, but that component $i$ is in a failed state at time $t$.
- A minimal cut set is said to fail when all the basic events occur (are present) at the same time.

The formulas for $q_i(t)$ will be discussed later in this presentation.
Single AND-gate

[Figure: Venn diagram of $E_1$ and $E_2$ in the sample space $S$, and an AND-gate with inputs “Event 1 occurs” ($E_1$) and “Event 2 occurs” ($E_2$) and output TOP]

Let $E_i(t)$ denote that event $E_i$ occurs at time $t$, and let $q_i(t) = \Pr(E_i(t))$ for $i = 1, 2$. When the basic events are independent, the TOP event probability $Q_0(t)$ is

$Q_0(t) = \Pr(E_1(t) \cap E_2(t)) = \Pr(E_1(t)) \cdot \Pr(E_2(t)) = q_1(t) \cdot q_2(t)$

When we have a single AND-gate with $m$ basic events, we get

$Q_0(t) = \prod_{j=1}^{m} q_j(t)$
Single OR-gate

[Figure: Venn diagram of $E_1$ and $E_2$ in the sample space $S$, and an OR-gate with inputs “Event 1 occurs” ($E_1$) and “Event 2 occurs” ($E_2$) and output TOP]

When the basic events are independent, the TOP event probability $Q_0(t)$ is

$Q_0(t) = \Pr(E_1(t) \cup E_2(t)) = \Pr(E_1(t)) + \Pr(E_2(t)) - \Pr(E_1(t) \cap E_2(t))$
$\quad = q_1(t) + q_2(t) - q_1(t) \cdot q_2(t) = 1 - (1 - q_1(t))(1 - q_2(t))$

When we have a single OR-gate with $m$ basic events, we get

$Q_0(t) = 1 - \prod_{j=1}^{m} (1 - q_j(t))$
Cut set assessment

[Figure: AND-gate with inputs “Basic event $j,1$ occurs” ($E_{j1}$), “Basic event $j,2$ occurs” ($E_{j2}$), …, “Basic event $j,r$ occurs” ($E_{jr}$) and output “Min. cut set $j$ fails”]

A minimal cut set fails if and only if all the basic events in the set fail at the same time. The probability that cut set $j$ fails at time $t$ is

$\check{Q}_j(t) = \prod_{i=1}^{r} q_{j,i}(t)$

where we assume that all the $r$ basic events in the minimal cut set $j$ are independent.
TOP event probability

[Figure: OR-gate with inputs “Min. cut set 1 fails” ($C_1$), “Min. cut set 2 fails” ($C_2$), …, “Min. cut set $k$ fails” ($C_k$) and output TOP]

The TOP event occurs if at least one of the minimal cut sets fails. The TOP event probability is

$Q_0(t) \le 1 - \prod_{j=1}^{k} \left(1 - \check{Q}_j(t)\right) \qquad (1)$

The reason for the inequality sign is that the minimal cut sets are not always independent. The same basic event may be a member of several cut sets. Formula (1) is called the Upper Bound Approximation.
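An added example, not from the slides, that carries the AND-gate, OR-gate and cut set formulas through to the Upper Bound Approximation (1) and compares it with the exact TOP event probability obtained by enumerating all basic event states. The probabilities $q_i(t)$ and the second cut set list with a shared basic event are constructed values chosen to show when the bound is exact and when it is strictly larger.

```python
"""Quantitative assessment of a fault tree from its minimal cut sets.

Added example, not from the slides.  Implements the single AND-gate and
OR-gate formulas, the minimal cut set unavailability Q̌_j(t), the Upper Bound
Approximation (1), and an exact Q_0(t) by state enumeration for comparison.
All numeric probabilities below are constructed for illustration.
"""
from itertools import product
from math import prod


def and_gate(q):
    """Q_0 for a single AND-gate with independent inputs: product of q_j."""
    return prod(q)


def or_gate(q):
    """Q_0 for a single OR-gate with independent inputs: 1 - prod(1 - q_j)."""
    return 1.0 - prod(1.0 - x for x in q)


def cut_set_unavailability(cut_set, q):
    """Q̌_j(t): all basic events of the (independent) cut set are present."""
    return and_gate(q[e] for e in cut_set)


def upper_bound(mcs, q):
    """Formula (1): treat the minimal cut sets as if they were independent."""
    return or_gate(cut_set_unavailability(c, q) for c in mcs)


def exact_top_probability(mcs, q):
    """Exact Q_0(t): add up the probability of every basic-event state in which
    at least one minimal cut set is fully present.  Exponential in the number
    of basic events, so only practical for small trees."""
    events = sorted(q)
    total = 0.0
    for state in product((False, True), repeat=len(events)):
        present = {e for e, s in zip(events, state) if s}
        if any(c <= present for c in mcs):
            total += prod(q[e] if s else 1.0 - q[e] for e, s in zip(events, state))
    return total


# Minimal cut sets of the redundant fire pump tree: {VF}, {EF}, {FP1, FP2}.
FIRE_PUMP_MCS = [frozenset({"VF"}), frozenset({"EF"}), frozenset({"FP1", "FP2"})]
# Constructed q_i(t) at some fixed t (not values from the slides).
Q_FIRE_PUMP = {"VF": 0.02, "EF": 0.05, "FP1": 0.10, "FP2": 0.10}

# Constructed tree whose minimal cut sets share basic event A: {A, B}, {A, C}.
SHARED_MCS = [frozenset({"A", "B"}), frozenset({"A", "C"})]
Q_SHARED = {"A": 0.1, "B": 0.1, "C": 0.1}


if __name__ == "__main__":
    for name, mcs, q in (("fire pumps", FIRE_PUMP_MCS, Q_FIRE_PUMP),
                         ("shared event", SHARED_MCS, Q_SHARED)):
        ub, ex = upper_bound(mcs, q), exact_top_probability(mcs, q)
        print(f"{name}: upper bound {ub:.6f}  exact {ex:.6f}")
    # Fire pumps: the cut sets have no basic event in common, so the bound is
    # exact.  Shared event: exact = q_A (q_B + q_C - q_B q_C) = 0.019, while
    # the bound gives 1 - (1 - 0.01)(1 - 0.01) = 0.0199 > 0.019.
```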
Input Data

Types of events

Five different types of events are normally used:
- Non-repairable unit
- Repairable unit (repaired when failure occurs)
- Periodically tested unit (hidden failures)
- Frequency of events
- On demand probability

Basic event probability:

$q_i(t) = \Pr(\text{Basic event } i \text{ occurs at time } t)$
Non-repairable unit

Unit $i$ is not repaired when a failure occurs.

Input data:
- Failure rate $\lambda_i$

Basic event probability:

$q_i(t) = 1 - e^{-\lambda_i t} \approx \lambda_i t$
Repairable unit

Unit $i$ is repaired when a failure occurs. The unit is assumed to be “as good as new” after a repair.

Input data:
- Failure rate $\lambda_i$
- Mean time to repair, $\mathrm{MTTR}_i$

Basic event probability:

$q_i(t) \approx \lambda_i \cdot \mathrm{MTTR}_i$
Periodic testing

Unit $i$ is tested periodically with test interval $\tau_i$. A failure may occur at any time in the test interval, but the failure is only detected in a test or if a demand for the unit occurs. After a test/repair, the unit is assumed to be “as good as new”. This is a typical situation for many safety-critical units, like sensors and safety valves.

Input data:
- Failure rate $\lambda_i$
- Test interval $\tau_i$

Basic event probability:

$q_i(t) \approx \frac{\lambda_i \cdot \tau_i}{2}$
Frequency

Event $i$ occurs now and then, with no specific duration.

Input data:
- Frequency $f_i$
- If the event has a duration, use input similar to a repairable unit.
On demand probability

Unit $i$ is not active during normal operation, but may be subject to one or more demands.

Input data:
- $\Pr(\text{Unit } i \text{ fails upon request})$
- This is often used to model operator errors.
Cut set evaluation

Ranking of minimal cut sets:
- Cut set unavailability: the probability that a specific cut set is in a failed state at time $t$
- Cut set importance: the conditional probability that a cut set is failed at time $t$, given that the system is failed at time $t$
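Added example, not the slides' own code, covering the input data slides and the cut set evaluation slide together: the $q_i(t)$ formulas for the five event types feed the cut set unavailability and cut set importance ranking for the fire pump minimal cut sets. Failure rates, repair times, test intervals and the assignment of event types to VF, EF, FP1 and FP2 are constructed assumptions, and $Q_0(t)$ in the importance ratio is taken from the Upper Bound Approximation.

```python
"""Basic event probabilities from the five input data types, and cut set
evaluation (unavailability and importance) for the fire pump fault tree.

Added example, not from the slides.  Each q_* function implements the
q_i(t) formula of the corresponding slide.  The frequency model has no
duration of its own, so when a duration is given it is treated like a
repairable unit, as the "Frequency" slide suggests (an assumption here).
"""
from math import exp, prod


def q_non_repairable(lam, t, approximate=False):
    """Non-repairable unit: q_i(t) = 1 - exp(-lambda_i t), or lambda_i t when small."""
    return lam * t if approximate else 1.0 - exp(-lam * t)


def q_repairable(lam, mttr):
    """Repairable unit, as good as new after repair: q_i ≈ lambda_i * MTTR_i."""
    return lam * mttr


def q_periodic_test(lam, tau):
    """Periodically tested unit with hidden failures: q_i ≈ lambda_i * tau_i / 2."""
    return lam * tau / 2.0


def q_frequency(freq, duration):
    """Event with frequency f_i and a mean duration: same form as a repairable unit."""
    return freq * duration


def q_on_demand(p_fail_on_request):
    """On demand probability, e.g. an operator error: used directly as q_i."""
    return p_fail_on_request


def cut_set_unavailabilities(mcs, q):
    """Q̌_j(t) for each minimal cut set, assuming independent basic events."""
    return {c: prod(q[e] for e in c) for c in mcs}


def rank_cut_sets(mcs, q):
    """Rank minimal cut sets by unavailability; importance = Q̌_j / Q_0 with
    Q_0 taken from the Upper Bound Approximation (an approximation itself)."""
    unav = cut_set_unavailabilities(mcs, q)
    q0 = 1.0 - prod(1.0 - v for v in unav.values())
    rows = [(sorted(c), v, v / q0) for c, v in unav.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed input data, rates per hour; the event types are assumptions:
#   VF   valve that is periodically tested (hidden failure),
#   EF   engine that is repaired when it fails,
#   FP1, FP2  pumps modelled as periodically tested units.
Q_FIRE_PUMP = {
    "VF": q_periodic_test(lam=2e-6, tau=8760.0),   # tested once a year
    "EF": q_repairable(lam=1e-4, mttr=24.0),       # one day to repair
    "FP1": q_periodic_test(lam=5e-6, tau=4380.0),  # tested twice a year
    "FP2": q_periodic_test(lam=5e-6, tau=4380.0),
}
# Minimal cut sets of the redundant fire pump tree: {VF}, {EF}, {FP1, FP2}.
FIRE_PUMP_MCS = [frozenset({"VF"}), frozenset({"EF"}), frozenset({"FP1", "FP2"})]


if __name__ == "__main__":
    for events, unav, importance in rank_cut_sets(FIRE_PUMP_MCS, Q_FIRE_PUMP):
        print(f"{'+'.join(events):8s} unavailability={unav:.3e} importance={importance:.3f}")
```

With these constructed inputs the single-event cut sets {VF} and {EF} dominate, and the order-2 cut set {FP1, FP2} contributes about one percent of the TOP event probability; changing the test interval of the valve moves it up or down the ranking directly.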
Conclusions

- FTA identifies all the possible causes of a specified undesired event (TOP event).
- FTA is a structured top-down deductive analysis.
- FTA leads to improved understanding of system characteristics. Design flaws and insufficient operational and maintenance procedures may be revealed and corrected during the fault tree construction.
- FTA is not (fully) suitable for modelling dynamic scenarios.
- FTA is binary (fail–success) and may therefore fail to address some problems.