Fault Tree Synthesis From a Directed Graph Model for a Power Distribution Network

Daniel L Cummings
Gary J Powers
Carnegie-Mellon University, Pittsburgh

Reader Aids-
Purpose: Tutorial
Results useful to: Reliability engineers and theoreticians

Summary & Conclusions-The Lapp-Powers fault tree synthesis algorithm is applied to an electrical power distribution network and the cut sets are derived for a sustained loss of power on one busbar. This algorithm is based on a directed graph (digraph) representation of the system, in contrast with the method of Camarda, et al which is based on a reliability graph. The digraph model forces an explicit evaluation of the corrective actions (negative feedback and negative feed forward) that are taken to counteract disturbances which enter the network. The presentation is tutorial and shows the disciplined application of fault-tree ...

... (digraph) model of cause and effect for individual system ... Linking these unit models gives the global behavior and highlights the presence of an important system feature, loops. The corrective actions of negative feedback and negative feed forward loops are crucial in counteracting disturbances that enter the system. Use of the digraph ...

The power distribution problem is of interest because such networks consist of a large number of interacting ...

Fig 1 Single-line diagram of a power supply network. All devices are labeled and all lines numbered for later referencing.

Notation
ES electrical signal
FO fails open
NFFL negative feed forward loop
NFBL negative feedback loop

Assumptions
4 All devices are 2-state (working or failed), and shorts to ground are not considered. (The response to a ...

0018-9529/83/0600-0140$01.00 © 1983 IEEE
Each of the mains, A(i), and transformers, T(i), are sized to carry the entire plant load.

... sustained loss of power on the bars ...

... relationship (direct = +, inverse = -, null = 0) and some sense of the strength (strong = 10, normal = 1) are required to evaluate the capability of the loop in order to determine if it has adequate power and speed to correct the disturbance.

The digraph process model captures the causal relationships between variables including normal and failed states ... changes in the input variable, V1. On the normal edge, the ... condition is true. An example might be CONDITION = SWITCH FAILED OPEN, CONDITIONAL GAIN = 0.

Edge legend: NORMAL EDGE: GAIN, LAG, DEADTIME

Fig 3a Part 1 of the system digraph which traces current flow. Some causal links are shown as bidirectional for clarity only.

... primal events. The unit models describe both normal and failed ...

... rather than numbers, it is common to discretize the gains so that only an understanding of the direction of the ...

The two parts of the digraph are tied together by primal events which affect both voltage and current (e.g. S5 FO) and by electrical signals that close switches (e.g. ES205).
Simplified Network Example

... embedded in the system digraph, figure 3. All of these loops are NFFLs and by assumption 8, all are fast enough to correct ...

... of the disturbance. We are concerned about a sustained loss of power to bar B3, i.e. I16(-10). By connecting unit models for the devices in figure 1, the digraph is developed ...

... constructing the fault tree ...

... digraph. One follows the current flow and the other follows the voltage signals that initiate corrective actions ... corrective devices (e.g. S8 = CLOSED).
3 THE DIGRAPH MODEL - LOOPS

General

The existence of negative feedback loops (NFBL) and negative feedforward loops (NFFL) is an important topological feature of digraphs since disturbances would ... cancelling interaction of loops. Consider the example in figure 4 which is one loop extracted from the digraph in figure 3. A disturbance, S5 FAILS OPEN, enters the network; it drives I7 down which in turn drives I16 down ...

Fig 4 Example of a negative feed forward loop (NFFL) which acts to correct disturbances to I16.

The loop from S5 FO to I16 can be analyzed as a NFFL as follows. Since both sides of the loop originate at primal ... that of a NFFL, namely the disturbances propagate down two paths from the primal event to the output variable in ... Furthermore, there are two ways to fail the corrective ... a new digraph. It is merely an abstract of the loops embedded in the digraph;

4 FAULT TREE CONSTRUCTION

The NFFL Operator

Fault tree synthesis operators organize process ... recursively until the responses of all process variables have been explained in terms of primal events ... to control disturbances (the rows of asterisks are used in place of hand drawn lines so that printers and typewriters can easily draw the trees):

Present output variable with present output value ... NFFL with a disturbance that enters NFFL after the start ... is beyond the ... of the NFFL ... Normal, manageable disturbance ... Corrective action(s) of the ...
2 Find equipment failures that reverse the normal gain ... I20(0) indicates a failure of the NFFL corrective action ... figure 6 under gates 1, 2, 16. Continuing development of ...

The NFFL operator, as drawn in the paper's typewriter form:

Present output variable
  OR
  * Inputs, too large or too fast, which start NFFL (odd combinations) which give ...
  * Inputs which do not start NFFL, which give ...
  * AND: Input which starts NFFL, which gives ...; Other side(s) of NFFL fail

... by the gain from input to output (as on the digraph), the ...

Synthesis of the fault tree requires repeated application ... I16(-10). The loop summary (figure 5) shows that this ... I7 and I20 are possible entries under ... current flow, thus I20 cannot take on the required input ...

Fig 6 Fault tree for simplified network. The development of this tree is detailed in the text. P.E = Primal Event and TOUT = Transfer to out. (Gate and event labels of the drawn tree are not reproduced.)

... challenges come from the events T1 FO and S3 FO. The development under gate 17 gives possible reasons for ... The only undeveloped variable is I7(-10), which is on a ... There are other reasons for the loss of I5 which are off ...
TABLE 1 Minimal cut sets (M.C.S No 1 to 40) for the simplified network. Each set pairs a NFFL challenge event (e.g. S5 FO, T1 FO, S3 FO, A1 FAILS) with the corrective-action failure(s) that defeat the loop (e.g. S2 FO, VS2 SPL, VS2 FAILS, VSEN2L FAILS). (Table entries not reproduced.)

... cause failure of both paths. This common-cause is treated ... gate 13 is not the same as that under gate 17 because the network is responding to different groups of challenges that are qualitatively distinct.

The fault tree in figure 6 can be analyzed for its "cut sets", those minimal groups of primal events that cause the ... network.

Fig 7 Single-line diagram of the complex power supply network.

5 (section heading lost in extraction)

Description

The network in figure 7 is a detailed version of the ... notation and assumptions are the same as before with the addition of diesel generators, D(i), and synchronous motors, M(i) ... The diesels are started on loss of voltage at VSEN2 and any ... breakers, S10 and S15, also close on loss of voltage but ...
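The NFFL operator of section 4 and the cut-set analysis of Table 1, as an added example that is not the paper's own code or its figure 6: the operator is built as a gate template and the resulting tree is expanded into minimal cut sets. Event names follow the paper's labelling (S5 FO = switch S5 fails open), but the event lists are a constructed illustration.

```python
from itertools import product


class Gate:
    """Fault-tree gate: kind is 'AND' or 'OR'; inputs are Gates or event names."""
    def __init__(self, kind, inputs):
        self.kind, self.inputs = kind, list(inputs)


def nffl_operator(unmanageable, bypass, challenge, corrective_failures):
    """Lapp-Powers NFFL operator for a disturbed output variable: OR of
       (a) inputs too large or too fast for the loop to correct,
       (b) inputs entering on paths that do not start the loop, and
       (c) a manageable input that starts the loop AND a failure on the
           corrective side(s) of the loop (an OR over the ways it can fail)."""
    side_fails = Gate("OR", corrective_failures)
    challenged = Gate("AND", [challenge, side_fails])
    return Gate("OR", list(unmanageable) + list(bypass) + [challenged])


def cut_sets(node):
    """Expand a tree into the (not yet minimal) sets of primal events that cause it."""
    if isinstance(node, str):                 # a primal event is its own cut set
        return [frozenset([node])]
    branches = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":                     # any one branch suffices
        return [cs for b in branches for cs in b]
    combined = [frozenset()]                  # AND: every branch must occur
    for b in branches:
        combined = [c | cs for c, cs in product(combined, b)]
    return combined


def minimal_cut_sets(node):
    """Keep only cut sets that contain no other cut set (absorption)."""
    sets = set(cut_sets(node))
    return sorted((s for s in sets if not any(o < s for o in sets)),
                  key=lambda s: (len(s), sorted(s)))


# Constructed instance for the top event I16(-10): S5 FO challenges the NFFL
# whose corrective side runs through switch S2 and sensor VS2 (assumed lists).
I16_LOSS = nffl_operator(
    unmanageable=[],
    bypass=[],
    challenge="S5 FO",
    corrective_failures=["S2 FO", "VS2 SPL", "VS2 FAILS", "VSEN2L FAILS"],
)

if __name__ == "__main__":
    for mcs in minimal_cut_sets(I16_LOSS):
        print(sorted(mcs))                    # e.g. ['S2 FO', 'S5 FO']
```

Nested operators are handled the same way: a Gate returned by `nffl_operator` can be placed in another operator's corrective-failure list, which is the repeated application the paper describes.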
Digraph and loop analysis

... sustained loss of power to bar B5, i.e. I27(-10) ... corrective actions interact. In the normal course of events, should the main A1 fail, the backup A2 cuts in via the path A1-V1-V2-ES201-ES202-S2-I13-I14-I30-I29-I4 and the disturbance is intercepted (i.e. NFFL action). This action ... simultaneously propagating along V3-V29-V30-V14 ...

Fig 8 Digraph of the complex network. (Drawn digraph not reproduced.)

Fig 9 A more complex example of interacting NFFLs which have different dynamics. The path V2-ES201-ES202-S2 is especially important and will be referred to as the V2-S2 path in the fault tree.

... are true (i.e. there is a failure such as S2 FO), then both of ... Thus the NFFLs that pass through the diesels are ... This "conditional" loop arrangement has an important ... loop is failed. Table 2 summarizes all the loops affecting I27. Only ... fast enough to correct disturbances to I27 (if the loops are not inactivated). Fault-tree construction begins by applying the NFFL ... the previous one with the exception of the "conditional" loop feature. ... A1 FAILS and there can be two responses depending on
the state of the V2-S2 path. If this path is functioning normally, gate 26 (page 03), then the three NFFLs 4b, 4d, 4f must fail simultaneously. Otherwise, gate 27, the NFFLs 7b, 7d, 7f, 8b, 8d, 8f, 9b, 9d, 9f, 9h must fail.

TABLE 2 Loops affecting I27 (entries 3a to 10d, each giving a primal event and the digraph path it follows, e.g. 4a: S1 FO-V2-ES201-ES202-S2-I13-I14-I30-I29-I4). (Remaining paths not reproduced.)

TABLE 3 Some cut sets for the complex network (M.C.S numbers run into the hundreds; entries not reproduced).

... library of standard device models. A model might not be complete but it is relatively easy to add new behavior ...

6 COMPARISON WITH RELIABILITY GRAPH

... applied. Global behavior is then deduced according to the ...
Fig 10 (con't) Fault tree for the complex network. TOP EVENT: I27(-10), drawn on pages 01 to 03 (gate, primal-event and transfer labels of the drawn tree not reproduced).
REFERENCES

[1] P Camarda, F Corsi, A Trentadue, "An efficient simple algorithm for fault tree automatic synthesis from the reliability graph", IEEE Trans Reliability, vol R-27, 1978 Aug, pp 215-221.
[2] S.A Lapp, G.J Powers, "Computer-aided synthesis of fault trees", IEEE Trans Reliability, vol R-26, 1977 Apr, pp 2-13.
[3] J.A Shaelwitz, S.A Lapp, G.J Powers, "Fault tree analysis of sequential systems", I&EC Proc Des Dev., vol 16, 1977 Apr, pp 529-549.
[4] D.L Cummings, "Modeling hardware and software failures in real-time computer control systems", PhD Thesis, Department of Chemical Engineering, Carnegie-Mellon University, 1981.
[5] S.A Lapp, "Computer assisted fault tree synthesis", PhD Thesis, Department of Chemical Engineering, Carnegie-Mellon University, 1978.

Daniel L Cummings; Amoco Production Research; PO Box 591; Tulsa, ...

Daniel L Cummings was a graduate student in Chemical Engineering at Carnegie-Mellon University studying cause and effect models for engineering processes. He received his SB and SM in Chemical Engineering from MIT and is presently research engineer with Amoco Production Company.

Dr Steven A Lapp; Design Sciences, Inc.; RD 5 Chestnut Road; Sewickley, PA 15143 USA.

Steven A Lapp is vice-president of Design Sciences Inc., a firm specializing in quantitative risk and reliability assessment. He received his BS, MS, and PhD degrees in Chemical Engineering from Carnegie-Mellon University and has worked for the Exxon Company.

Gary J Powers; Department of Chemical Engineering; Carnegie-Mellon University; Pittsburgh, PA 15213 USA.

Gary J Powers is known for his research and teaching contributions in safety and reliability analysis of chemical and petroleum processes. He is a Professor of Chemical Engineering at Carnegie-Mellon University and previously taught at MIT. He is the author of over 100 books and papers dealing with process design and safety and reliability analysis. He ... numerous other chemical companies as a consultant. He is president of Design Sciences, Inc. and is a graduate of the University of Michigan and ...

Manuscript TR81-129 received 1981 October 29; revised 1983 February 22.