Fault lt Tre ree An Analysis lysis (F (FTA) A) Kim R. Fowler KSU ECE February 2013
Pu Purp rpose se for r FTA A In the face of potential failures, determine if design must change to improve: Reliability Safety Operation Secondary purposes: educate designers to potential problems perform root cause analysis when a fault occurs February 2013 2
Ba Basic sic Descrip scriptio ion Determines sources, or root causes, of potential faults Qualitative and quantitative Graphical, top-down approach Uses Boolean algebra, logic, and probability Can handle multiple failures Can support probabilistic risk assessment Part of system design hazard analysis type (SD-HAT) February 2013 3
Goals ls of FTA A Assess system safety Top-down analysis focused on system design Identifies potential root causes of failures Provides a basis for reducing safety risks Documentation of safety considerations What does it tell developer? – help find potential risks during design What does it tell regulator? – designers used a measure of discipline and rigor February 2013 4
Hist istory ry of FTA A Developed at Bell Labs for the guidance system of the U.S. Minuteman missile during the 1960s Used by Boeing for Minuteman Weapon System Regularly used by: Commercial aircraft industry Nuclear power industry February 2013 5
FTA A An Answ swers rs these se Quest stio ions s What are the root causes of failures? What are the combinations and probabilities of causal factors in undesired events? What are the mechanisms and fault paths of undesired events? February 2013 6
FTA A Symb Symbols ls February 2013 7
FTA A Symb Symbolic lic Eve Event Me Meanin ings s February 2013 8
FTA A Simp Simple le Logic ic February 2013 9
FTA A Exclu Exclusive sive and Inhib ibit it Logic ic February 2013 10
FTA A Me Methodolo logy y February 2013 11
St Step1: Defin ine the Syst System m Collect design Requirements Source Code Models Schematics Layout concept of operations or CONOPs Understand the system behavior February 2013 12
St Step 2: Defin ine Undesire sired Eve Event Identify the final outcome of the undesired event Identify sub-events that lead to final event Begin to structure the connections - - but - - Do Step 3 before completing structure of connections February 2013 13
St Step 3: Est Establish lish Rule les s Define analysis ground rules boundaries Concepts that you can (should) use: I-N-S: “What is immediate (I), necessary (N), and sufficient (S) to cause the event?” Helps focus on event chain Helps analyst from jumping ahead SS-SC: “What is the source of the fault?” If component failure – classify as SC (state-of February 2013 14
St Step 3: (co (contin inued) ) P-S-C: (Ericson, Fig. 11.8, p. 194) “What are the primary (P), secondary (S), and command (C) causes of the event?” Helps focus on specific causal factors SS-SC: If component failure – classify as SC (state-of-the- component) fault If not component failure – classify as SS (state-of-the- system) fault If fault is SC, then event ORs P-S-C inputs If fault is SS, then develop event further with using I- N-S logic February 2013 15
St Step 4: Bu Build ildin ing Tre ree Repetitive process Ericson, Fig. 11.9, p. 195 At each level determine Cause Effect Logical combination using logic symbols Construction rules (see Ericson, pp. 196 – 197), these are almost self-evident but still good, disciplined techniques February 2013 16
St Step 5: Est Establish lish Cut Se Sets s Cut set – critical path(s) of sub-event combinations that cause the undesirable final state event Ericson provides in-depth mathematical treatment of cut sets and probabilities on pp. 199 – 206 Often, mere inspection will reveal the weak links that indicate the most important cut set(s) that lead to the event February 2013 17
EXAMPL EXAMPLE E OF INCUBAT BATOR ISO SOLET ETTE E February 2013 18
Exa Examp mple le – – Incu cubator r Iso sole lette http://www.worldbiomedsource.com/images/products/pimage/Air%20Shield%20C550.jpg February 2013 19
Simp Simple le Iso sole lette Dia iagra ram m February 2013 20
St Step 1: Defin ine the Syst System m For simplicity, use the previous diagram as the system model Recognize several different subsystems: Controls Display Heater with closed loop thermal sensor Airflow fan and ductwork Independent thermal safety interlock Medical staff operating controls and display Patient receiving output (warmed air) February 2013 21
St Step 2: Defin ine Undesire sired Eve Event Undesired event: “Air is not warmed.” Sub-events: Operations error Heater fault or failure Air handling system fault or failure Thermal safety system fault or failure February 2013 22
St Step 3: An Analysis lysis Gro round Rule les s Understand process concepts: I-N-S P-S-C SS-SC February 2013 23
St Step 4: Const stru ruct ct Fault lt Tre ree (from Step 2, collect events) These are SS faults, so OR them together Proceed to next level Determine underlying events Apply process concepts: I-N-S P-S-C SS-SC Connect them together with logical linkages Repeat process for lower levels February 2013 24
St Steps s 5-7 -7: Fin ind Fault lt Pa Paths s Inspect paths for possible faults Generate the cut sets (for simplicity in this introduction, we are using inspection) Ericson gives detailed instructions for automating the selection of cut sets calculating probabilities of occurrence February 2013 25
Ex. Ex. – – Iso sole lette Warm rm Air Air Fault lt, Colle llect ctin ing Eve Event and Su Sub-e -eve vents s February 2013 26
Ex. Ex. – – Iso sole lette Warm rm Air Air Fault lt, Deve velo lop Fault lt Pa Paths s for r Su Sub-e -eve vents, s, Pa Part rt 1 February 2013 27
Ex. Ex. – – Iso sole lette Warm rm Air Air Fault lt, Deve velo lop Fault lt Pa Paths s for r Su Sub-e -eve vents, s, Pa Part rt 2 February 2013 28
Ex. Ex. – – Iso sole lette Warm rm Air Air Fault lt, Deve velo lop Fault lt Pa Paths s for r Su Sub-e -eve vents, s, Pa Part rt 3 February 2013 29
Ex. Ex. – – Iso sole lette Warm rm Air Air Fault lt, Pa Part rt 4: Fin inal l Ve Versio rsion of Fault lt Tre ree February 2013 30
Ex. Ex. – – What do yo you do now? For design purposes: Review each path Can you eliminate that path? If not, can it be made more fault resistant? Does fault tree represent the scope of possible paths (and reasonable – a meteor falling out of the sky and hitting it is not)? For root cause analysis: Does the evidence point to any fault path? If so, fix the problem. If not, revise the diagram. February 2013 31
CLASS ASS EXER EXERCISES SES – – PR PROBL BLEM EM #1 February 2013 32
St Step 1: Defin ine the Syst System m (d (done) For simplicity, use the previous diagram as the system model Recognize several different subsystems (done already) February 2013 33
St Step 2: Defin ine Undesire sired Eve Event Undesired event: “No airflow.” Sub-events: Operations error Air handling system fault or failure Eliminate sub-events and subsystems that do not interact or control the air handling system: Heater fault or failure Thermal safety system fault or failure February 2013 34
St Step 3: An Analysis lysis Gro round Rule les s Understand process concepts: I-N-S P-S-C SS-SC February 2013 35
St Step 4: Const stru ruct ct Fault lt Tre ree These are SS faults, so OR them together Proceed to next level Determine underlying events - Operations Assume that medical staff does not directly control airflow from interface panel Blocking air inlet Malicious Isolette inlet up against wall or obstruction ________________(hint – ignorance) February 2013 36
St Step 4: (co (contin inued) ) Determine underlying events – air handling ________________________(hint – fan) ________________________(hint – what directs airflow?) ________________________(hint – problem with control signal ________________________(hint – electrical current into subsystem) Apply process concepts Connect them together with logical linkages February 2013 37
Exe Exercise rcise – – Iso sole lette Airf Airflo low Fault lt February 2013 38
Recommend
More recommend