
Determination of longitudinal static stability


The conversion algorithm and the probability computation will be discussed with the example of the pressure tank system, a system that discharges fluid from a reservoir into a pressure tank with a control system that regulates the operation of the pump. This example is used only in this section for showing the conversion algorithm. Here is the description of the system [41]:

Figure 2.23– Pressure Tank System.

The function of the control system is to regulate the operation of the pump. It is assumed that it takes 10 minutes to pressurise the tank. The pressure switch has contacts which are closed when the tank is empty. When the threshold pressure has been reached, the pressure switch contacts open, de-energising the relay K2 so that K2 contacts open, removing power from the pump motor to cease operation. The tank is fitted with an outlet valve which allows the tank contents to be used when required. When the tank is empty the pressure switch contacts close and the cycle repeats.

Initially the system is considered to be in its dormant (de-energised) mode: tank empty, switch S1 contacts open, relay K1 contacts open, timer relay (TIM) contacts closed, pressure switch contacts closed.

System operation is started by momentarily depressing switch S1. This applies power to the relay K1 closing K1 contacts so that K1 is now electrically self-latched. Switch S1 contacts open. The closure of K1 contacts allows power to the relay K2 whose contacts close and start the pump motor.

The timer relay (TIM) is provided as a safety shut-down mechanism in the event that the pressure switch contacts fail to open when the tank is full. Initially the timer contacts are closed when the power is applied to K2 and this starts a clock in the relay. When the timer contacts open this breaks the circuit to relay K1 whose contacts open removing power from K2 and stopping the pump motor. When the circuit with K2 and the timer relay is de-energised, this resets the timer relay clock to zero. When the system stops due to a safety shut-down it requires a manual restart.

The top event considered is Pressure Tank Overfilled and the component failure modes are

• PRS: Pressure switch fails to open

• K2: Relay K2 contacts fail closed

• K1: Relay K1 contacts fail closed

• TIM: Timer relay fails to time out

• S1: Switch contacts fail closed

and they have the following failure rates:

PRS: If the pressure switch contacts fail to open, this failure will be revealed, since it will result in either the pressure tank becoming over-pressurised or the timer contacts opening (which requires a manual restart). This event has a failure rate $\lambda = 1 \times 10^{-4}$ per hour. The failure event could occur anytime in the 10 minutes operational time.

K2: If K2 relay contacts fail to open then the tank will become over-pressurised and is hence a revealed failure. This failure has a rate of occurrence of $\lambda = 1 \times 10^{-2}$ per hour and could occur anytime in the 10 minutes operation time.

K1: If relay K1 contacts fail to open this failure will be unrevealed. Its rate of occurrence is $\lambda = 1 \times 10^{-3}$ per operation. These contacts are inspected/tested at intervals of one year.

TIM: The timer contacts are a safety feature of the system. Their failure is therefore unrevealed and occurs with a rate $\lambda = 1 \times 10^{-4}$ per hour. This component is also inspected at intervals of one year.

S1: If the switch fails to open after it is initially closed, this alone will not cause any problems and hence it will not be revealed. This has a failure probability per operation of 0.01.

Figure 2.24 shows the FT relative to the system described above, its minimal cut sets are {K2}, {PRS, K1}, {PRS, TIM}, {PRS, S1}.

Figure 2.24– FT for the Pressure Tank System.

Following steps {1-2-3} in the conversion algorithm for the qualitative part of the FT, the structure of the BN will result as in figure 2.25. It can be seen that 5 root nodes have been created corresponding to the basic events S1, K1, K2, PRS and TIM. The two remaining gates SystemControl and K2energised correspond to two nodes.

Node SystemControl corresponds to an OR gate, then its CPT will be as in figure 2.26 following the general rule given in figure 2.16.

Node K2energised corresponds to an AND gate, so its CPT will be as in figure 2.27 following the general rule given in figure 2.15.

Figure 2.25– BN for the Pressure Tank System.

Figure 2.26– CPT for the node SystemControl.

Figure 2.27– CPT for the node K2energised.

Finally, the node Fault corresponds to an OR gate, so its CPT will be as in figure 2.28.

Figure 2.28– CPT for the node Fault.

The probability of failure P for the nodes without parents can be calculated from the failure rates, considering the operational time of 10 minutes. For the components whose failure is revealed, considering the approximation $P = 1 - e^{-\lambda t} \approx \lambda t$, the probabilities are:

• $P(\mathit{PRS}) = \frac{1}{6} \times 10^{-4} = 0.16 \times 10^{-4} = 0.000016$,

• $P(K2) = 0.16 \times 10^{-2} = 0.001600$,

• $P(S1) = 0.010000$.

For the components with unrevealed failure K1 and TIM, inspected at intervals of one year, the following formula is used [42]:

$$P = 1 - \frac{1}{\lambda\theta}\left(1 - e^{-\lambda\theta}\right), \tag{2.31}$$

where $\theta$ represents the time between inspections in unit time. Here the unit time is the operational time of 10 minutes. If the system has two operations per day, the probabilities are:

• $P(K1) = 1 - \frac{1}{10^{-3} \times 730}\left(1 - e^{-10^{-3} \times 730}\right) = 0.339851$,

• $P(\mathit{TIM}) = 1 - \frac{1}{10^{-4} \times 730}\left(1 - e^{-10^{-4} \times 730}\right) = 0.035628$,

where the value 730 is the number of operations in one year, $\theta = 2 \cdot 365$ operations. The structure function for the top event unreliability in the FT is

$$T = 1 - (1 - K2)(1 - \mathit{PRS}\,K1)(1 - \mathit{PRS}\,\mathit{TIM})(1 - \mathit{PRS}\,S1),$$

and that, with the pivoting method, gives

Substituting the probabilities of the basic events gives for the top event probability:

$$Q = P(\mathit{PRS})\,[1 - (1 - P(K2))(1 - P(K1))(1 - P(\mathit{TIM}))(1 - P(S1))] + (1 - P(\mathit{PRS}))\,[1 - (1 - P(K2))] = 0.001606.$$

The same result can be achieved for the BN calculating the prior probability of the node Fault (denoted by $F$) marginalising over all the other variables:

$$P(F) = \sum_{K2energ} \sum_{K2} \sum_{PRS} \sum_{SysCont} \sum_{K1} \sum_{TIM} \sum_{S1} P(F, K2energ, K2, PRS, SysCont, K1, TIM, S1).$$

This can be done first calculating $P(SystemControl)$ as

$$P(SystemControl) = \sum_{K1} \sum_{TIM} \sum_{S1} P(SysCont, K1, TIM, S1),$$

then $P(K2energised)$ as

$$P(K2energised) = \sum_{PRS} \sum_{SysCont} P(PRS, SysCont, K2energ),$$

and finally

$$P(F) = \sum_{K2energ} \sum_{K2} P(F, K2energ, K2).$$

The result is shown in figure 2.29 and it has been calculated with MSBNx, a free BN Editor and Toolkit from Microsoft (see Appendix C).

Figure 2.29– Prior Probability of the node Fault in the BN.

The FT and BN calculations lead to the same results. Assuming that the system is faulty, that is, giving evidence to the node fault, the posterior probabilities of the single components are calculated and shown in figure 2.30.

Figure 2.30– Posterior probabilities of the components, given that the system has failed.

These are obtained by equation 2.13. For example, for node K1, this becomes

$$P(K1 = Yes \mid F = Yes) = \frac{\sum_{K2energ} \sum_{K2} \sum_{PRS} \sum_{SysCont} \sum_{TIM} \sum_{S1} P(F = Y, K2energ, K2, PRS, SysCont, K1 = Y, TIM, S1)}{\sum_{K2energ} \sum_{K2} \sum_{PRS} \sum_{SysCont} \sum_{K1} \sum_{TIM} \sum_{S1} P(F = Y, K2energ, K2, PRS, SysCont, K1, TIM, S1)}.$$

Component K2 appears to be the one which has the higher probability to have caused the failure of the system. Apart from the top event, other types of evidence can be introduced. An example is shown in figure 2.31, where all posterior probabilities are considered given that the control system has failed.

Figure 2.31– Posterior probabilities when the evidence about the system control is given.

In this case, K1 is the component that has the highest probability to have caused the failure of the control system.
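The prior and posterior calculations above can be reproduced by brute-force enumeration of the BN. The following is an added example, not code from the original document (which used MSBNx); it takes the basic-event probabilities exactly as stated above, and the function names are this example's own.

```python
from itertools import product

# Basic-event probabilities exactly as stated in the text above.
P = {"PRS": 0.000016, "K2": 0.001600, "K1": 0.339851,
     "TIM": 0.035628, "S1": 0.010000}
ROOTS = list(P)

def gates(roots):
    """Deterministic CPTs of the three gate nodes for one root assignment."""
    s = dict(roots)
    s["SystemControl"] = s["K1"] or s["TIM"] or s["S1"]   # OR gate
    s["K2energised"] = s["PRS"] and s["SystemControl"]    # AND gate
    s["Fault"] = s["K2energised"] or s["K2"]              # OR gate
    return s

def joint():
    """Yield (probability, full state) for every assignment of the roots."""
    for bits in product([True, False], repeat=len(ROOTS)):
        roots = dict(zip(ROOTS, bits))
        p = 1.0
        for name, failed in roots.items():
            p *= P[name] if failed else 1.0 - P[name]
        yield p, gates(roots)

def prob(node, evidence=None):
    """P(node failed | evidence node failed), marginalising by enumeration."""
    num = den = 0.0
    for p, s in joint():
        if evidence is None or s[evidence]:
            den += p
            if s[node]:
                num += p
    return num / den

def pivot_on_prs():
    """Top-event probability Q from the FT expression pivoted on PRS."""
    rest = 1.0
    for name in ("K2", "K1", "TIM", "S1"):
        rest *= 1.0 - P[name]
    return P["PRS"] * (1.0 - rest) + (1.0 - P["PRS"]) * P["K2"]

def ranking(evidence):
    """Components sorted by posterior failure probability, highest first."""
    return sorted(ROOTS, key=lambda c: prob(c, evidence), reverse=True)

if __name__ == "__main__":
    print(f"P(Fault) = {prob('Fault'):.6f}, pivoting Q = {pivot_on_prs():.6f}")
    for ev in ("Fault", "SystemControl"):
        print(ev, [(c, round(prob(c, ev), 4)) for c in ranking(ev)])
```

Because the gate CPTs are deterministic, enumerating the 32 root states is exact; the same loop scales poorly beyond a few dozen basic events, which is where a BN inference engine is needed.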

Even though it is not possible to update probability following evidence with FTA, importance measures are used in order to obtain information on the criticality of the components of the system. In the next section, the principal importance measures are defined.
