Fault tree analysis

history

Developed fault tree analysis was in the early 1960s by HA Watson at the Bell Laboratories to assess the safety of the launch control system of Boeing produced ICBM type LGM-30 Minuteman . In the years that followed, Boeing also used fault tree analysis in the design of commercial aircraft. In the 1970s and 1980s, fault tree analysis was used, among other things, in the planning of nuclear power plants; the first commercial software packages for FTA were also created in this period. Subsequently, areas of application were added by automobile manufacturers and their suppliers. The latest developments concern dynamic fault tree analysis , within the framework of which the temporal sequence of failures and dependencies on basic events can be modeled.

Procedure

So-called negative logic is used as part of the fault tree analysis , i. H. the fault tree describes a failure function, which expresses a failure in the logical 1 state , and a functional system in the logical 0 state . Since the fault tree analysis of Boolean algebra operated, the overall system or subsystems may as components only in the two states Functional (logic- 0 ) or Unusual (logic- 1 are located).

A system analysis is based on a single undesired event, which is at the top of the fault tree, the so-called top event, which describes, for example, the overall failure of the system under consideration and is determined as part of a hazard analysis. Depending on the task, this top event can be restricted to certain boundary conditions, in aviation technology, for example, to catastrophic conditions in which the uncontrollable crash of the aircraft is the result.

Simple fault tree with the logical links shown as gates and eight different basic events that lead to a failure of subsystem A.

Based on this top event, the fault tree is created in a top-down analysis down to the individual failure states of the components. In the case of more complex systems, the division into subsystems takes place, which are further subdivided in the same way until the complete system is mapped in the form of minimal sections that can no longer be further subdivided in the form of basic events. The failure combinations in the fault tree are logically linked with Boolean algebra and its symbols, in particular the and and or .

In the simplest case, components of a system which depend on one another in terms of their functionality are linked by the logical OR function. In this case, the failure of just one component leads to the failure of the entire system. Components that can replace each other in terms of their function ( redundancy ) are linked by the AND function in the fault tree. In complex systems, cross-redundancy errors can also occur; these are sources of error that occur in several places in the error tree and cannot be directly summarized in a minimal section due to the system structure. These so-called "common cause failure" (GVA) English Common Cause Failure (CCF) complicate the analysis.

In the fault tree, system components are usually divided into three fault categories, which are linked via an OR gate:

1. Primary failure: failure of the system component due to technical failure under otherwise permissible operating conditions, for example material failure of the system component.
2. Secondary failure: failure of the system component due to impermissible usage and / or ambient conditions, e.g. operation at impermissible ambient temperatures.
3. Commanded failure: a functional system component which is activated or deactivated at the wrong time or in the wrong place, for example due to the failure of an auxiliary power supply or a faulty control via an interface.

calculation

After the creation of the fault tree, each base event is assigned a certain probability of occurrence for the failure in the quantitative fault tree analysis. Data for specific failure rates can come from our own test series for the individual basic components, or free databases such as MIL-HDBK-217F or commercial databases such as 217Plus are used for commercially available components and components . Ambient conditions such as special temperature ranges, planned operating times, maintenance intervals and the like can also be included in the determination of the probability of occurrence.

${\ displaystyle P = 1-e ^ {- \ lambda t}}$

what an approximation for sufficiently small values ​​of λt <0.1

${\ displaystyle P \ approx \ lambda t}$

corresponds. The values ​​in the fault tree are normally related to a specific, fixed time interval. This interval for the normalization can be selected differently depending on the system, for example in the case of an airplane it can be related to an hour of flight. The probabilities of occurrence are therefore dependent on the choice of this time interval.

The failure probabilities are related to one another in the fault tree analysis using the symbols of logic gates. An AND gate links two statistically independent events at its two inputs and and at its output it forms the probability that both systems have failed: ${\ displaystyle P (A)}$${\ displaystyle P (B)}$

${\ displaystyle P (A \, {\ textrm {and}} \, B) = P (A \ cap B) = P (A) \ cdot P (B)}$

An OR gate corresponds to the function in the fault tree:

${\ displaystyle P (A \, {\ textrm {or}} \, B) = P (A \ cup B) = P (A) + P (B) -P (A) \ cdot P (B)}$

and forms the probability if one of the two or both basic components has failed. This allows iteratively to calculate the individual failure probabilities in the tree up to the top event. Special cases such as "Commonly Caused Errors" (GVA) require extended models. As a rule, especially with complex systems, various simplifications are made in the calculation. Among other things, due to the generally small probability of occurrence, it is assumed that a system failure does not result from the simultaneous failure of several minimum cuts, which means that the higher-order terms are negligible when calculating the overall failure probability. Special software is available for the evaluation of complex fault trees, which facilitates the graphic creation, calculation and evaluation.

literature

Individual evidence

1. ↑ W. Vesely et al. a .: " Fault Tree Handbook. " (PDF; 9.49 MB) NUREG-0492, US Nuclear Regulatory Commission, Washington DC 1981 (English)
2. ↑ International Electrotechnical Commission [IEC] (Ed.): Fault Tree Analysis, IEC 61025 . 2nd Edition. 2006, ISBN 2-8318-8918-9 . 
3. ↑ DIN 25424 Fault Tree Analysis , Edition 1981-09, Beuth Verlag Berlin
4. ^ Clifton A. Ericson: Fault Tree Analysis - A History. (PDF) A History from the Proceedings of The 17th International System Safety Conference. (No longer available online.) The Boeing Company; Seattle WA, 1999, archived from the original on July 23, 2011 ; Retrieved December 25, 2013 . Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice.  @1@ 2Template: Webachiv / IABot / www.fault-tree.net 
5. ↑ Simon J. Schilling: Contribution to dynamic fault tree analysis without module formation and state-based extensions . Dissertation at the Bergische Universität Wuppertal, 2009 ( uni-wuppertal.de [PDF]). 
6. ↑ W. Vesely et al. a .: Fault Tree Handbook. (PDF; 9.49 MB) NUREG-0492 Page V-3: Component Fault Categories , US Nuclear Regulatory Commission, Washington DC 1981 (English)
7. ↑ Military Handbook 217F: Reliability Prediction of Electronic Equipment. (PDF) Retrieved March 14, 2019 .  
8. ^ Reliability Information Analysis Center: 217Plus. Retrieved December 4, 2017 .  

Web links