3 Fault Tree Analysis (1)

Page 1: 3 Fault Tree Analysis (1)

Failure Analysis of Engineering Systems

Instructor: Professor Steve Maher

Module 3:
Scripture of the Module
5 – Fault-Tree Analysis
6 – Fault-Tree Analysis Special Topics
7 – Fault-Tree Analysis Quantification

Page 2

Scripture of the Module

"A prudent man sees danger and takes refuge, but the simple keep going and suffer for it."

- Proverbs 22:3

Failure Analysis of Engineering Systems ENGR 5323

Page 3

Assignment

Read Chapters 5, 6, and 7 of Systems Failure Analysis.
Do the quizzes on Bb as they appear.
Quiz next week at the beginning of class.

Page 4

Berk's Overall FA Process

Designate a team

Gather all related information

Review and define problem

Identify all potential failure causes

List causes in FMA & A

Converge on root cause

Determine Corrective Actions

Implement Corrective Actions

Assess Corrective Actions

Evaluate for Preventive Actions

Incorporate FA Findings

Page 5

Fault-Tree Analysis

Page 6

What is Fault-Tree Analysis?

It is a somewhat formal graphical process to identify all the possible events and combinations of events that can cause a single undesired event.

Developed to address the Air Force's need to avoid inadvertently launching a nuclear ICBM.
Developed by Bell Labs working with the Air Force and Boeing.
Starts with the undesired event at the top and develops all causes from there.
Can be done either before or after a failure occurs
– In FA, typically after
– In system development/design, typically before

Page 7

Fault-Tree Analysis (FTA) Concepts

Start with a single undesired event; be as clear as possible in the problem definition.
FTA can be computer generated
– In teams, developing it by hand is typically better
– Develop by hand, then record on computer
FTA does not evaluate ALL potential failure modes of all parts of the system.
FTA does consider ALL potential causes of a single system failure.

Page 8

Fault-Tree Analysis (FTA) Approach

Start with a single undesired event
– System does not do what it is supposed to do
– System does the right thing at the wrong time
– System does the right thing but out of spec
– System does something it is not supposed to do
Use charting symbols to graph out the possible causes of the failing event.

Page 9

FTA Charting Symbols

[Figure: symbol legend. Symbols shown: Command Event, Undeveloped Event or Human Error, Normal Event, Basic Event, AND, INHIBIT Gate, Transfer Symbol]

Page 10

FTA Symbol Definitions

Command event: Condition that is induced by the events immediately below it.

Basic failure event: Bottom-level basic cause, e.g. part failure, software code error, bad connection.

Normal event: Condition that is normally present.

Human error or undeveloped event: 1) Human mistake in operating the system; 2) Condition that needs no further analysis in the context of the system.

Page 11

FTA Symbol Definitions (Cont)

OR gate: If any event beneath it happens, the event above occurs.

AND gate: The event above occurs only if all events beneath it happen simultaneously.

INHIBIT gate: Constrains the event. The constraint is shown in an ellipse (oval); if the constraint is present and the event below happens, then the event above the gate occurs.

Transfer symbol: Diagram continues on another page.

Page 12

Fault-Tree Analysis Example: Light Bulb

(in the textbook) Let's go through it

Page 13

Fault-Tree Analysis Special Topics

Page 14

FTA Special Topics

Transfer symbols

INHIBIT gates

Sequential AND gates

State-of-the-part vs. state-of-the-system

Identifying redundancy-defeating failures

Page 15

Transfer Symbols

An FTA can include events and conditions in the hundreds or more. For a system of any complexity, one page will not hold the whole FTA.
Transfer symbols are used
– To show connections between pages (or sheets)
– In conjunction with Command events only

Usage:
– Transfer out (to sheet #) and transfer in (from sheet #)
– Each has a transfer designation number inside the triangle

It is good practice to maintain a fault-tree transfer log.

Page 16

INHIBIT Gates

A special form of the AND gate. Both events must happen for the Command event above to occur (see Figs. 6.2 and 6.3).
Many times this is used to show the probability of the INHIBIT event happening
– A probability can be assigned to the gating condition
– Events can be stacked to stack probabilities

[Figure: INHIBIT gate with its gating event, probability = p]

Page 17

Sequential AND gates

AND gate: all events must happen for the Command event above to occur. Sometimes the ORDER of the events is critical to the occurrence of the Command event
– In one sequence, the failing event occurs
– In another sequence, the failing event does not occur

Use an ellipse connected to the AND gate to show the necessary order.

[Figure: sequential AND gate with inputs R and L; the ellipse reads "Ex: R, then L"]

Page 18

State-of-the-Part vs. State-of-the-System

At every Command event, ask "State-of-the-part or state-of-the-system?"
State-of-the-part = A single component or part failure can induce the condition
– Typically not the only thing that can cause it
– Use an OR gate
– Look for secondary events, environmental conditions, and human error
State-of-the-system = A single component or part cannot cause the condition
– Two or more conditions must be present
– Use an AND gate

Page 19

Suggested Process to do FTA

Start at the point where the failure manifests itself.
Work through the system point-to-point.
At each point, identify the conditions that can induce the failure.
Determine whether it is state-of-the-part or state-of-the-system.
For state-of-the-part, use an OR gate and look for secondary events, environmental conditions, and human error.
For state-of-the-system, use an AND gate.

Page 20

Identifying Redundancy-Defeating Failures

Sophisticated system designs often contain redundancy, especially mission-critical systems. Ideally, the FTA shows that multiple failures must occur to defeat the redundancy.
Once complete, the FA team should ask:
– What is the probability of the combined independent events occurring?
– Are the conditions independent, or are there any single-point failures or conditions that can defeat the redundancy?
Look for duplications in each redundant branch (a basic event, undeveloped event, or environmental condition that appears under more than one redundant leg is a single point that the AND gate above it conceals).
Re-review undeveloped events, environmental conditions, human errors, and event relationships.

Page 21

Fault-Tree Analysis Quantification

Page 22

Can Quantify Fault-Tree Analysis

A beauty of FTA is that you can calculate probabilities of failures and rank failure causes.
On many systems, it is imperative to know the probability of catastrophic failure before it happens
– So it WON'T happen!
– Military, anything involving nuclear energy, anything involving significant safety issues
– FTA is a very good tool for this requirement

Page 23

Important Terms and Concepts

Probability
MTBF
Failure rate (λ) = 1/MTBF
Ps = e^(-λt)   (probability of surviving operating time t, assuming a constant failure rate)
Pf = 1 - Ps

Page 24

FTA Probability Determination: Common Practices

Human error probabilities: typically 10^-5 to 0.3 (well, maybe 0.01 to 0.1)
Normal event probabilities: depend on the system
Basic failure events: λ and operating times
Undeveloped events: probabilities, or λ and operating times
Inhibiting conditions: probabilities (expected frequency)
Command events: calculated from the probabilities of all the events that can cause them.

Page 25

Calculating Command Event Probabilities

(All of these formulas assume the input events are independent.)

For OR gates:
– 2 input: P1 + P2 - P1*P2
– 3 input: P1 + P2 + P3 - P1*P2 - P1*P3 - P2*P3 + P1*P2*P3 (inclusion-exclusion: the triple-overlap term is added back, not subtracted)
– In general: 1 - (1 - P1)(1 - P2)...(1 - Pn), which is the same sum written compactly

For AND gates:
– 2 input: P1*P2
– 3 input: P1*P2*P3

For INHIBIT gates: P1*P2, where P2 is the probability of the inhibiting condition

Page 26

Calculating Probabilities for Top Undesired Events

Start at the bottom of the FTA, quantifying the probability of all possible causes.
Move up a level, calculating the probability for the first level of Command events.
Move up through the FTA, calculating the probability for each Command event until the top event is quantified.
The probability of each branch (or path) is also quantified, so the highest-probability branch(es) can be identified.
Do not spend too much effort trying to be too precise
– Some estimates will be high, some low
– The overall estimate tends to balance out and be good
– ("Big number" theory)
This gate-by-gate arithmetic is exact only while each basic event appears once in the tree. An event that feeds two branches (the redundancy-defeating case on page 20) is treated by the gate formulas as two independent copies, which misstates the top-event probability; such a tree must be reduced to its minimal cut sets before the probabilities are combined.
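The quantification procedure of pages 23 to 26 and the redundancy-defeating check of page 20, as an added example that is not part of the course material or the textbook. It evaluates a constructed two-pump tree twice: once with the bottom-up gate arithmetic of page 25, and once exactly via minimal cut sets, so that the power bus shared by both pumps shows up in the numbers. The event names, failure rates, operating time and assigned probabilities are invented for the illustration; the failure model is the slides' own (λ = 1/MTBF, Pf = 1 - e^(-λt), an assigned p for human, normal and undeveloped events, independent inputs at each gate).

```python
# Added example, not from the course or the textbook: a small fault-tree
# quantifier. Event names, failure rates, operating time and the assigned
# probabilities below are constructed for illustration.
import itertools
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Basic:
    """Leaf event. A basic failure event carries a failure rate lam (= 1/MTBF,
    per hour) and an operating time t, so Pf = 1 - Ps = 1 - exp(-lam * t).
    Human-error, normal and undeveloped events carry an assigned probability p."""
    name: str
    p: Optional[float] = None
    lam: Optional[float] = None
    t: Optional[float] = None

    def prob(self) -> float:
        if self.p is not None:
            return self.p
        return 1.0 - math.exp(-self.lam * self.t)


@dataclass(frozen=True)
class Gate:
    """Command event induced by its inputs through an OR, AND or INHIBIT gate.
    For INHIBIT, the gating condition is listed as one of the inputs."""
    kind: str
    name: str
    inputs: tuple


def gate_prob(kind: str, ps: list) -> float:
    """Page-25 gate formulas; they assume the input events are independent."""
    if kind in ("AND", "INHIBIT"):
        return math.prod(ps)
    if kind == "OR":
        # 1 - prod(1 - Pi) is the inclusion-exclusion sum in closed form; for
        # three inputs it expands to P1+P2+P3 - P1P2 - P1P3 - P2P3 + P1P2P3.
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {kind!r}")


def bottom_up(node) -> float:
    """Page-26 procedure: quantify the leaves, then every command event upward."""
    if isinstance(node, Basic):
        return node.prob()
    return gate_prob(node.kind, [bottom_up(i) for i in node.inputs])


def cut_sets(node) -> list:
    """Minimal cut sets: smallest sets of leaf events whose joint failure causes
    the node. OR unions its children's sets; AND/INHIBIT combines one set from
    each child. Returned highest-probability first (the branch ranking)."""
    if isinstance(node, Basic):
        return [frozenset([node])]
    child = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = [c for cs in child for c in cs]
    else:
        sets = [frozenset().union(*combo) for combo in itertools.product(*child)]
    minimal = {s for s in sets if not any(o < s for o in sets)}
    return sorted(minimal, key=lambda s: -math.prod(b.prob() for b in s))


def exact(node) -> float:
    """Exact top-event probability by enumerating every leaf state, so a leaf
    shared by several branches is counted once. Fine for a few dozen leaves."""
    sets = cut_sets(node)
    leaves = sorted({b for s in sets for b in s}, key=lambda b: b.name)
    total = 0.0
    for bits in itertools.product((False, True), repeat=len(leaves)):
        failed = {b for b, bit in zip(leaves, bits) if bit}
        if any(s <= failed for s in sets):
            total += math.prod(b.prob() if b in failed else 1.0 - b.prob()
                               for b in leaves)
    return total


# Constructed tree: two redundant pumps. Each is lost if its own motor seizes
# or if a power bus that BOTH pumps share goes down (the redundancy-defeating
# single point of page 20, hidden beneath the AND gate).
BUS = Basic("common power bus down", p=0.01)                # undeveloped event
MOTOR_A = Basic("pump A motor seizes", lam=1e-4, t=1000.0)  # MTBF 10,000 h, 1,000 h run
MOTOR_B = Basic("pump B motor seizes", lam=1e-4, t=1000.0)
PUMP_A = Gate("OR", "pump A fails", (MOTOR_A, BUS))
PUMP_B = Gate("OR", "pump B fails", (MOTOR_B, BUS))
TOP = Gate("AND", "no pump flow", (PUMP_A, PUMP_B))


def compare(top=TOP) -> dict:
    """Bottom-up arithmetic treats the two pump branches as independent and so
    understates the top event; the cut-set list exposes the bus as a single point."""
    return {
        "bottom_up": bottom_up(top),
        "exact": exact(top),
        "cut_sets": [(sorted(b.name for b in s), math.prod(b.prob() for b in s))
                     for s in cut_sets(top)],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Running the script prints the two estimates and the ranked cut sets: the bottom-up figure is about 0.0109, the exact value about 0.0190, and the one-event cut set {common power bus down} outranks the two-motor cut set. The whole difference is the shared bus; leave it under only one pump and the tree has no repeated event, so both methods give the same answer.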

Page 27

FTA Quantification vs. Systems FA

FTA quantification is typically used for predictive analysis.
It is very common to have specifications for the system failure rate, e.g. system loss, system down time.
In design, FTA can point to needs for re-design.
For FA (i.e. the failure has already occurred), FTA is typically used similarly to the Ishikawa diagram
– Quantification is generally not done
– FTA will point to likely analytical paths
– For recurring failures, the likely cause is probably obscure

Once the FA is done, the FA team may want to take further action on other high-probability conditions identified by the FTA.

Page 28

Group Activity (if time)