No man-made machine or system can be designed to be 100% reliable. Any machine or system we can design and build will eventually break down and fail. In many cases, a breakdown can be handled simply by repairing or replacing a defective system or part. For example, when a light bulb burns out, you simply replace it with a new bulb. If a household appliance such as a dishwasher or oven in your kitchen breaks down, you may be inconvenienced until the appliance can be repaired but few other adverse consequences generally occur. However, as we trust and rely on technology more and more, there is an increased risk that technology failure can have catastrophic consequences.
Consider, for example, what would happen if the braking system in your car failed just when you needed to stop suddenly to avoid an oncoming car. Imagine the consequences if a heart-lung machine were to fail during an operation, or if an aircraft propulsion system were to fail in mid-flight. Picture what would happen if the power grid of a major metropolitan city were to cease operating during a heat wave, or if a city's emergency responder communications system were to fail during a large-scale emergency. Imagine the disaster that would occur if a nuclear reactor were to fail, such as at Chernobyl, in a catastrophic manner that released radiation into the surrounding area.
To prevent single point failures from having catastrophic consequences, system designers often build in redundancy and fault protection. Such “fault-tolerant” systems are designed so that if one important component or function fails, another part of the system stands ready to take its place or at least provide sufficient functionality to continue safe operation. For example, an aircraft or spacecraft may be designed to have a main power system plus a backup power system. If the main power system fails, the backup power system immediately takes over. Similarly, aircraft are usually provided with redundant instrumentation so that even if certain instrumentation fails, the pilot still has the information she needs to continue to fly the plane safely.
While such fault-tolerant designs have been highly successful, they introduce additional complexity to the already complex problem of reliably predicting how the system will operate in the event of certain faults. Fault testing is certainly a useful way of predicting system behavior, but there is generally a need for tools that help system designers predict system fault behavior without subjecting the system being analyzed to potentially destructive exhaustive fault testing.
Fault analysis using fault trees is a common method, known and widely used in various industries and development programs, for evaluating the efficiency and safety of a system or object. Generally speaking, a fault tree is a logical construct that attempts to represent system operational and fault states with nodes and paths that in some sense resemble the root, trunk, branches and leaves of a tree. The paths to the nodes are typically defined using Boolean logic, which precisely describes logical combinations of nodes and paths. Such fault tree representations allow system and reliability engineers to visualize and analyze system failure modes so they can predict how certain types of faults will affect system operation. Using such fault tree analysis, it is possible, for example, to predict co-dependencies between faults and to isolate which faults could potentially cause mission-critical systems and subsystems to fail catastrophically. Fault trees also give system designers a better idea of overall system reliability and behavioral complexity and can help designers simplify their systems to achieve higher reliability with reduced cost and greater efficiency.
Various computerized tools have been developed to construct and calculate fault trees by, e.g., inputting fault tree logic (using logical gates, according to, e.g., NUREG-0492, Fault Tree Handbook) and fault databases (e.g., logging or otherwise recording failure rate and exposure time, or failure probability).
Generally speaking, there are two types of Fault Tree (failure combinations) analyses: quantitative and qualitative. A quantitative analysis is generally linked with Fault Tree Top Event probability calculation. A qualitative analysis generally envisages the evaluation of Fault Tree structure, Fault Tree Cut Sets, combinations of evident and latent failures, possible failure propagation, and the like. Each type of analysis can be useful and powerful.
Much work has been done in the area of fault tree techniques, fault tree generation and analysis. Some, for example, have developed methods for the automated generation of extended fault trees adapted to a production installation or a specific installation. Others have developed methods for determining a technical system's fault tree with an extended fault description. Still others have proposed system-integrated fault tree analysis methods. Some have described a fault tree display method for system diagnosis.
Many prior approaches, if implemented to construct fault trees for complex integrated systems/installations (for example, in the aeronautic industry), will result in extended, large fault trees that can consist of about 200-300 failure nodes. Such fault trees, if printed out in a graphical format, could result for example in hundreds of printed pages considering the practices recommended by NUREG-0492, Fault Tree Handbook, and the aerospace industry (see specification ARP4761). Such a graphical representation provides a complex set of fault event and logical gate images and also takes stock of relevant information presented on the fault tree for fault tree Top Event probability calculation. Unfortunately, such complex fault tree graphical representations are, because they are so large, not possible or practical to display on a single display screen or page view. Rather, systems analysts must generally print out the fault tree and conduct analyses that can span many tens or even hundreds of pages of graphical representation. The complexity of such graphical representations can be overwhelming.
Hence, existing computerized tools for fault tree creation generally can show large and complex fault trees on a computer screen only one part at a time. Furthermore, a printed report also generally presents the fault tree page by page. The amount of time and effort required to analyze such multi-view representations can be substantial. For example, consider a person who is not the author of the fault tree, but who needs to understand the fault tree logic (e.g., to evaluate the fault tree accuracy, to merge various fault trees at the systems integration level, etc.) and perform the fault tree analysis. The task such a person faces can be difficult, and can obviously involve considerable time.
It is possible to make the following observations or definitions concerning fault tree terminology:
Evident failure—a failure which is detected and/or annunciated when it occurs.
Latent failure—a failure which is not detected and/or annunciated when it occurs. A failure is latent until it is made known by a special test or procedure.
Repeated failure—a failure that appears more than once in the given Fault Tree.
Fault Tree Cut Set—the smallest set of failures which must occur in order for the Fault Tree Top Event to occur.
System designers and reliability engineers strive to design systems so that no single point of failure can completely compromise system functionality. Therefore, those skilled in the art understand that a particular failure which is repeated multiple times in a fault tree can be especially significant. The multiple repetitions mean that this particular failure can contribute to multiple failure modes. As is known (see Aerospace Recommended Practice specification ARP4761 and other sources), repeated failures can vastly affect the Fault Tree Top Event probability and the Fault Tree structure, primarily because they introduce a potential lack of independence between Fault Tree elements (failures). To provide more detailed analysis in this case, the Fault Tree is generally handled correctly by applying Boolean algebra to generate what are referred to above as “Cut Sets.” After reduction in Boolean algebra, the Fault Tree structure may then be altered. Therefore, to avoid mistakes, knowledge about the locations of repeated events within the Fault Tree can be very important and useful.
Some known tools support Fault Tree analysis (assessment) by Cut Set generation and failure importance determination. Such support in some cases includes failure table generation. However, using such approaches, it is often difficult to understand why particular failures have entered the cut sets, where in the fault tree the repeated failures are located, and how their positions influence the fault tree Top Event probability.
While much work has been done in the past, further improvements are possible and desirable.
The technology herein provides a Fault Tree map generation method that transforms a conventional fault tree into a new type of fault tree diagram (“Fault Tree Map”), which permits a drastically more compact fault tree depiction and representation through special techniques.
Exemplary illustrative non-limiting techniques for generating fault tree maps graphically present fault trees in a compact, understandable, efficient manner from which repeated event location and other information can be readily ascertained. Exemplary illustrative non-limiting fault tree map generation provides a fault tree map that graphically presents fault tree failures with graphical identification of failure type and shows failure/gates repetition, cut set consistency and failure propagation potentiality, besides facility of localization of each Fault Tree logical Gate and relevant failures in the Fault Tree printed report.
In a non-limiting illustrative example fault tree map, markings are used to indicate repeated events so as to readily indicate the location of repeated failures on the fault tree. For example, repeated events can be indicated by colored trapezoids; bolded (red) triangles indicate “top” events; and bolded (violet) circles indicate repeated gates. In addition, arrow connectors indicate events with exposure time in excess of flight duration. Different cut sets can be indicated by differently colored solid circles. AND logical connectors can be indicated by one symbol (e.g., a triangle) and OR logical connectors can be indicated by a different symbol (a circle), such symbols being different from the conventional AND and OR gate symbols that are typically used. Word descriptions are generally omitted in the exemplary illustrative non-limiting implementation.
In more detail, an exemplary illustrative non-limiting implementation provides the following exemplary steps using a conventional fault tree as a starting point:
Substitution of all logical Gates by adequate symbols, which graphically define the Gate type and contain the Gate identification Code;
Exclusion of the Gate description;
At the report generation stage, inclusion of the numbers of the pages where each logical Gate is placed;
Substitution of evident failures by adequate symbols, which graphically define the failure type;
Substitution of all latent failures by adequate symbols (different from the evident failure symbols), which graphically define the failure type;
Substitution of other types of failures by adequate different symbols, which graphically define the failure types;
Exclusion of all evident/latent/other failure descriptions;
Using special or distinctive markings for repeated gates;
Using special or distinctive markings for repeated failures;
Using special or distinctive markings for failures of the same Cut Set;
Using special or distinctive markings for indicating failure importance evaluation results.
As a result of such exemplary illustrative non-limiting Fault Tree transformation, the resulting exemplary illustrative non-limiting Fault Tree Map reflects the Fault Tree logic, presents all Fault Tree failures with graphical identification of the failure type, and shows failure/Gate repetition, Cut Set consistency and also failure criticality (importance) to the Fault Tree Top Event probability.
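The following is an added example, not code from the original description, that carries out the two points above on a small constructed tree: it reduces the tree to minimal cut sets by Boolean expansion with absorption (so the repeated events E1 and E4 are handled correctly), shows how a gate-by-gate probability that assumes independence differs from the cut-set result, and renders the compact map with substituted symbols, omitted descriptions and repeated-code markings. All gate codes, event codes, probabilities and the text symbols are constructed assumptions.

```python
import math
from itertools import combinations, product

# Constructed example fault tree (not from the page): gate code -> (type, inputs); E1 and E4 are repeated.
GATES = {
    "G1": ("OR",  ["G2", "G3"]),   # Top Event
    "G2": ("AND", ["E1", "E4"]),
    "G3": ("AND", ["G4", "E4"]),
    "G4": ("OR",  ["E2", "G5"]),
    "G5": ("AND", ["E1", "E3"]),
}
# Basic events: code -> (failure probability, latent?); the values are constructed.
EVENTS = {"E1": (0.01, False), "E2": (0.02, False), "E3": (0.10, True), "E4": (0.05, True)}

def minimal_cut_sets(node):
    # Boolean expansion: OR unions the input cut sets, AND cross-multiplies them; the absorption
    # law then drops supersets, which only arise because some events are repeated.
    if node in EVENTS:
        return [frozenset([node])]
    kind, inputs = GATES[node]
    parts = [minimal_cut_sets(i) for i in inputs]
    raw = ({cs for part in parts for cs in part} if kind == "OR"
           else {frozenset().union(*combo) for combo in product(*parts)})
    return sorted((s for s in raw if not any(o < s for o in raw)), key=lambda s: (len(s), sorted(s)))

def repeated_codes():
    # Event or gate codes that appear as a gate input more than once anywhere in the tree.
    refs = [i for _, inputs in GATES.values() for i in inputs]
    return {r for r in refs if refs.count(r) > 1}

def naive_top_probability(node):
    # Gate-by-gate calculation that treats every gate's inputs as independent.
    if node in EVENTS:
        return EVENTS[node][0]
    kind, inputs = GATES[node]
    ps = [naive_top_probability(i) for i in inputs]
    return math.prod(ps) if kind == "AND" else 1 - math.prod(1 - p for p in ps)

def exact_top_probability(node):
    # Inclusion-exclusion over the minimal cut sets; a shared event counts once per union term.
    sets = minimal_cut_sets(node)
    total = 0.0
    for k in range(1, len(sets) + 1):
        for combo in combinations(sets, k):
            total += (-1) ** (k + 1) * math.prod(EVENTS[e][0] for e in frozenset().union(*combo))
    return total

def render_map(node, depth=0):
    # Compact map line per node: '^' AND gate, 'v' OR gate, 'o' evident event, '#' latent event,
    # '*' after a repeated code; descriptions are dropped and only codes remain.
    mark = "*" if node in repeated_codes() else ""
    if node in EVENTS:
        return ["  " * depth + ("#" if EVENTS[node][1] else "o") + node + mark]
    kind, inputs = GATES[node]
    lines = ["  " * depth + ("^" if kind == "AND" else "v") + node + mark]
    for i in inputs:
        lines += render_map(i, depth + 1)
    return lines
```

On this tree the cut set {E1, E3, E4} is absorbed by {E1, E4}, and the independent gate-by-gate figure overstates the Top Event probability because E4 feeds both branches of the top OR gate.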
One exemplary illustrative non-limiting Fault Tree Map image contains all information necessary for Fault Tree qualitative analysis, and allows one to comprehend at a glance (e.g., on a single printed A4 page or display screen view) a complex Fault Tree that, for example, may include 100-120 failure nodes (corresponding, e.g., to 40-50 printed A4 pages as presented by existing computerized tools for Fault Tree creation).
Using this exemplary illustrative non-limiting compact Fault Tree depiction provided by the technology herein, any specialist, including one who is not the Fault Tree author, can rapidly understand the Fault Tree logic and conduct an appropriate failure analysis.
Considering the graphically defined failure type (latent or evident) that is clearly visible on the exemplary illustrative non-limiting Fault Tree Map provided by the technology herein, including how those types combine across the Fault Tree structure, the failure combinations that lead to the so-called Fault Tree Top Event can be analyzed (for example, a combination of one evident failure and one latent failure, or one evident and two latent failures; such combinations are important for performing a Safety Assessment and may depend on the hazard classification of the failure combination). This analysis allows one to perceive what part of the System any failure belongs to and how far, within the fault tree, the failure is located from the Fault Tree Top Event.
In one exemplary illustrative non-limiting implementation, analysis of the combinations of logical Gates through the Fault Tree structure, which can be performed quickly and without difficulty because the entire Fault Tree can be discerned on a single page, allows a reliability engineer to draw conclusions about the potential for failure propagation (an OR'ed combination of failures supports failure propagation, an AND'ed combination of failures prevents it) and also to determine the elements of the system that provide mitigation factor functionality.
Considering the high impact of repeated failures on the Fault Tree Top Event probability and Fault Tree structure, an exemplary illustrative non-limiting Fault Tree Map, which can show various sets of repeated events using special markings, makes the location of the repeated failures on the Fault Tree easy to comprehend and so supports adequate and efficient Fault Tree treatment.
In one exemplary illustrative non-limiting implementation, it is easy to perform failure Qualitative Importance Determination using a Fault Tree Map on which the failures belonging to each Cut Set have been marked. This exemplary illustrative analysis can be performed to comprehend what part of the System the failure belongs to or is associated with, and how far from the Fault Tree Top Event the failure is located. The exemplary illustrative non-limiting fault tree map also makes evident those failures which appear multiple times in the Cut Sets and are located near the Fault Tree Top Event, thereby giving them enlarged importance to the Fault Tree.
Several computerized tools designed for Fault Tree treatment perform quantitative failure Importance Evaluation. The exemplary illustrative non-limiting Fault Tree Map provided by the technology herein, which marks the results of said Importance Analysis, allows one to understand why particular failures are important for the Fault Tree (for example, failures that provide input to OR'ed Boolean logic combinations are generally more critical or important than failures that provide input to AND'ed combinations), and to provide, if necessary, adequate mitigation means to decrease the failure importance.
Thus the Fault Tree Map according to this exemplary illustrative non-limiting implementation is easy to understand, convenient to use and provides high analysis efficiency together with considerable time savings.
If desired, during analysis of the Fault Tree Map, additional information about a failure or logical Gate, in the form of data obtained from the conventional Fault Tree, may be provided and represented on the Fault Tree Map by means of the failure (or Gate) identification Code.
The exemplary illustrative Fault Tree Map may be analyzed by itself, or it may be used as a map or guide for analyzing the underlying, more detailed and complex fault tree—thus serving as a map the same way that a roadmap helps one to navigate the complexity of city streets. For example, occasionally, at the report generation stage, a Fault Tree may need to be divided and paged. In the exemplary illustrative non-limiting implementation, at this stage the logical gates on the Fault Tree Map may be completed or identified by the report page number where each logical Gate is placed. This provides highly efficient guidance for using the exemplary illustrative Fault Tree Map to guide the reliability engineer in traversing and analyzing the conventional Fault Tree, to perform any type of failure analysis desired. For large-scale Fault Trees, this type of guidance allows one to appreciably decrease the time outlay and avoid confusion and mistakes during Fault Tree evaluation, including the merging of Fault Trees at the systems integration level.
One exemplary illustrative non-limiting method for Fault Tree Map generation employs transformation of Fault Trees by manual means. Other exemplary illustrative non-limiting implementations transform Fault Trees into Fault Tree Maps using computerized means. Or a combination of manual and computer techniques may be used to transform a Fault Tree into a Fault Tree Map. Involving a computerized tool in Fault Tree Map generation saves more time and gives greater confidence in the results.
An exemplary illustrative non-limiting method for Fault Tree Map generation provides transformation of Fault Trees of production installation, specific installation, technical system/equipment (Hardware and integrated Hardware/Software).
One exemplary illustrative non-limiting method of generating a graphical presentation of a fault tree map for use in technical system or installation design and/or diagnostics, said method comprising: creating a fault tree including cut sets and event importance evaluation; analyzing the fault tree to determine latent failures, repeated events and repeated gates; generating a compact map of said fault tree, said compact map graphically indicating the evident event (failure) type with a first connector symbol and indicating events with exposure time in excess of flight duration (mission time) with a second connector symbol different from said first connector symbol; graphically indicating logic gates with predetermined symbols different from the Fault Tree gate images; and graphically presenting said compact fault tree map.
The graphical presentation may indicate repeated events and repeated gates with predetermined symbols/colors. It is possible to indicate different cut sets with different colors and more important events with predetermined symbols. The graphical presentation may comprise displaying said compact fault tree map on an electronic display. One exemplary illustrative non-limiting implementation suppresses from said map the display of word-based event (failure) and gate descriptions. Failure propagation may be demonstrated by coloring the propagation path. The numbers of the Fault Tree report pages where gates are placed may be included.
The Fault Tree Map construction and advantages thereof will be best understood from the following description of specific embodiments when read in connection with the accompanying drawings.