
Before going through some of the more modern solutions to the problem, it is worth taking a brief look at FTA's original solution to the issue of temporal analysis: the venerable Priority-AND (PAND) gate, as mentioned in section 2.2.3. The PAND gate allows the analyst to introduce an order to a set of events, putting them into a sequence and thus expressing some amount of time-dependent information within the fault tree. This sequence is typically defined explicitly as a conditioning event. Unfortunately, PAND gates are generally overlooked in FTA.

The problem with the PAND gate is that it was never thoroughly defined, meaning it is difficult to use it in qualitative analysis. The Handbook states that:

"The PRIORITY AND-gate is a special case of the AND-gate in which the output event occurs only if all input events occur in a specified ordered sequence. The sequence is usually shown inside an ellipsis drawn to the right of the gate." (Vesely et al., 1981, p IV-11)

This definition gives no indication of what sequence to use if none is given in a conditioning event, nor does it indicate whether the gate is still true if one or more of its inputs occurs simultaneously. Furthermore, it fails to address any of the issues raised by the possibility of events occurring in sequence, e.g. whether it is possible for contradictions to arise, whether events must be consecutive or not, or what happens if the same event occurs more than once in the same sequence.

Part of the problem is the precise meaning of an event. For example, the question of what happens if the same event is used more than once as an input to the same PAND gate depends to a large extent on whether it is possible for the same event to occur more than once. The Handbook seems to suggest not, because it states firstly that "Under conditions of no repair, a fault that occurs will continue to exist", and shortly thereafter, "From the standpoint of constructing a fault tree we need only concern ourselves with the phenomenon of occurrence. This is tantamount to considering all systems as nonrepairable." (Vesely et al., 1981, p V-1) But it says nothing about whether events occur instantaneously or whether they can have a duration (in which case, they may overlap).

Furthermore, the Handbook simply defines an AND gate as being true "if all the input events occur." (p IV-3) But several of the temporal FTA approaches discussed later in this chapter raise the question of whether or not these input events should have to occur simultaneously or whether it is sufficient for them to occur in any order. The Handbook does seem to suggest the latter interpretation, as on pages IV-7 and IV-8, it discusses the problems of dependencies:

"When describing the event input to an AND-gate, any dependencies must be incorporated in the event definitions if the dependencies affect the system logic." (p IV-7)

The example given separates the possible sequences of inputs into two AND gates and an OR gate, such that one AND gate has the inputs "X" and "Y given that X has occurred" and the other has the inputs "Y" and "X given that Y has occurred". Clearly neither of these pairs of events can occur simultaneously as the event definitions themselves preclude that possibility. What is not clear is why a Priority-AND was not used in these situations instead.

Clearly, there are a lot of unanswered questions surrounding the Handbook's definition of the PAND gate, in particular:

• What sequence of events is used if none is specified? A default left-to-right sequence?

• Do events occur instantaneously or do they have a duration? (And if they have a duration, what happens if they overlap?)

• What happens if inputs to the PAND gate occur at the same time?

• What happens if the same event is used more than once as an input to the same PAND gate?

• What happens if the logic introduces a contradiction? For example, if we have an expression like (X PAND Y) AND (Y PAND X), assuming that X PAND Y means that X occurs before Y, the situation is impossible – how can X occur before Y and Y also occur before X?

With all this confusion, it is no wonder that many cut set analysis algorithms, ranging from older tools such as SETS (Worrell & Stack, 1978) to more modern software packages like older versions⁶ of FaultTree+ (Isograph Ltd, 2002), simply treat the PAND gate as a normal AND gate for the purposes of logical reduction. It is often argued that replacing a PAND by an AND leads only to a conservative prediction of the failure behaviour of the system, but this claim is not necessarily true. Consider the simple example of a standby recovery system in Figure 15.

Figure 15 – An example system where a PAND might be useful

Normally the system performs its function using component A. Component A is monitored by a switch which starts standby component B when there is an omission of output from A. In a classical fault tree, the following expression relates the top event to logical combinations of causes:

System Fails = A.B + A.Switch

i.e. if both A and B fail, so will the system, or if A fails and the switch fails, the system will also fail. However, the above is not only pessimistic in quantitative terms, but it is also logically wrong: the system does not fail if the switch fails after A. It is necessary to be able to specify the order of events more precisely to be able to distinguish between sequences that cause failure and sequences that do not:

System Fails = A.B + Switch fails before or at the same time as A

The Priority-AND gate is intended to do this, but the difficulties with the gate stem from its lack of a rigorous definition. The PAND gate is true if its inputs occur in a set order, but what if two of the events occur at the same time, e.g. what if the switch fails at the same time as A? It will still cause a failure, but it might not strictly be considered part of the PAND's defined sequence. For that matter, it is not clear how to define whether one event occurs before another as they may overlap if they have durations.
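The standby system of Figure 15, evaluated as an added worked example (this code is not part of the original chapter and the failure rates and mission time it uses are constructed values). It encodes the two expressions from the text, the static A.B + A.Switch and the ordered A.B + (Switch before or at the same time as A), as predicates over component failure times, treats a simultaneous failure of the switch and A as a failure, and then samples failure times to measure how much probability the static expression assigns to the harmless sequence "A fails, then the switch fails":

```python
import math
import random

INF = math.inf  # failure time of a component that survives the mission


def classic_fails(t_a, t_b, t_sw):
    """Static expression from the text: System Fails = A.B + A.Switch.
    A plain AND is true once all its inputs have occurred, in any order."""
    a, b, sw = t_a < INF, t_b < INF, t_sw < INF
    return (a and b) or (a and sw)


def temporal_fails(t_a, t_b, t_sw):
    """Ordered expression from the text:
    System Fails = A.B + (Switch fails before or at the same time as A).
    The switch failing after A is harmless, because B has already been
    started; a tie is counted as a failure, as the text argues it should be."""
    a, b = t_a < INF, t_b < INF
    return (a and b) or (t_sw <= t_a < INF)


def sample_failure_time(rate, mission_time, rng):
    """Exponential failure time of a non-repairable component, or INF when it
    outlives the mission. Rates and mission time used below are constructed."""
    t = rng.expovariate(rate)
    return t if t <= mission_time else INF


def compare(rates, mission_time, n, seed=1):
    """Monte Carlo estimate of both expressions. Every temporal failure is also
    a classic failure, so 'disagree' is exactly the probability mass that the
    static expression attributes to the harmless sequence 'A, then Switch,
    with B surviving'."""
    rng = random.Random(seed)
    classic = temporal = disagree = 0
    for _ in range(n):
        t_a = sample_failure_time(rates["A"], mission_time, rng)
        t_b = sample_failure_time(rates["B"], mission_time, rng)
        t_sw = sample_failure_time(rates["Switch"], mission_time, rng)
        c, tm = classic_fails(t_a, t_b, t_sw), temporal_fails(t_a, t_b, t_sw)
        classic += c
        temporal += tm
        disagree += c != tm
    return {"classic": classic / n, "temporal": temporal / n, "disagree": disagree / n}


if __name__ == "__main__":
    # Constructed rates (per unit mission time); not taken from the chapter.
    print(compare({"A": 1.0, "B": 0.5, "Switch": 0.5}, mission_time=1.0, n=20000))
```

The estimate for the static expression is always at least as large as the ordered one, which is the pessimism the text mentions, but the "disagree" fraction is a set of concrete sequences that the static tree declares to be system failures when the system in fact keeps running, which is the logical error.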

It is these problems that have resulted in the Priority-AND gate being so often ignored, at least during qualitative analysis. However, the story is quite different when it comes to quantitative analysis, and over the years there has been a considerable body of work focused on finding methods of quantifying PAND gates. The quantification of sequential failures in fault trees (as modelled by PAND gates) is often termed 'Sequential Failure Logic', or SFL. SFL has been used in the quantitative analysis of a number of different types of dynamic systems, including space satellites, human-robot systems, product liability prevention, and so on (Long et al., 1999).

There are several methods of solving SFL as part of quantitative FTA. One method is to use Markov chains, as in the Dynamic Fault Tree approach described in the next section. However, the Markov approach suffers from a number of drawbacks: in particular, it is computationally expensive and struggles to cope with shared input events. Another method is the Priority-AND Quantification (PAQ) method, originally proposed by Fussell et al. (1976). The PAQ method is an approximation but it is much simpler and applicable to a wider range of systems; it involves treating the Priority-AND as an INHIBIT gate, i.e. an AND gate with an additional conditioning event which specifies the order in which the events should occur. Fussell et al. also described an exact solution but stated that it "cannot readily be used in existing methodologies for quantitative system logic model evaluation, such as fault tree analysis techniques." (p 325). However, both methods are only suitable for non-repairable systems. Long & Sato (1998) conducted a comparison between PAND quantification methods and concluded that the PAQ method had the advantage in simplicity and, for a PAND gate with three inputs, the results were the same as the Markov method. Also, while the Markov approach grows increasingly difficult as more input events are added, the PAQ method can be used with an arbitrary number of inputs. Long et al. (1999) also provide methods for analysing Priority-AND gates with many inputs, since multiple integration for large numbers of inputs can be difficult.
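To make the quantification concrete, here is an added example (written for this page; it is not the PAQ method of Fussell et al. nor any tool's implementation) for the smallest case: a two-input PAND whose inputs are independent, non-repairable components with constant failure rates λ_X and λ_Y. It computes the probability that X occurs strictly before Y and both occur by time t in two ways, by direct integration over the moment at which X fails first and by transient analysis of the small Markov chain that the Markov-based methods build, and sets both against the AND approximation that ignores ordering:

```python
import math


def pand_exact(lam_x, lam_y, t):
    """P(X strictly before Y, both by time t) for independent non-repairable
    components with constant rates. Integrating over the time u at which X
    fails first:
        integral_0^t lam_x e^{-(lam_x+lam_y) u} (1 - e^{-lam_y (t-u)}) du
    gives the closed form below."""
    s = lam_x + lam_y
    return lam_x / s * (1 - math.exp(-s * t)) - math.exp(-lam_y * t) * (1 - math.exp(-lam_x * t))


def and_approx(lam_x, lam_y, t):
    """What replacing the PAND by an AND computes: both occur by t, any order."""
    return (1 - math.exp(-lam_x * t)) * (1 - math.exp(-lam_y * t))


def pand_markov(lam_x, lam_y, t, steps=20000):
    """The same quantity from a continuous-time Markov chain (constructed here):
    states 0 = nothing failed, 1 = only X failed, 2 = only Y failed,
    3 = X then Y (the PAND output), 4 = Y then X. The transient state
    probabilities are obtained by forward Euler integration of the
    Kolmogorov forward equations; 'steps' controls the accuracy."""
    p = [1.0, 0.0, 0.0, 0.0, 0.0]
    dt = t / steps
    for _ in range(steps):
        p0, p1, p2, p3, p4 = p
        p = [
            p0 - (lam_x + lam_y) * p0 * dt,     # leave state 0 on either failure
            p1 + (lam_x * p0 - lam_y * p1) * dt,  # X first; Y still to come
            p2 + (lam_y * p0 - lam_x * p2) * dt,  # Y first; X still to come
            p3 + lam_y * p1 * dt,               # absorbing: X then Y
            p4 + lam_x * p2 * dt,               # absorbing: Y then X
        ]
    return p[3]


if __name__ == "__main__":
    # Constructed rates, not values from the chapter.
    lx, ly, t = 1.0, 2.0, 1.0
    print("exact  ", pand_exact(lx, ly, t))
    print("markov ", pand_markov(lx, ly, t))
    print("AND    ", and_approx(lx, ly, t))
```

Two checks worth noting: the two orderings partition the AND event, so pand_exact(λ_X, λ_Y, t) + pand_exact(λ_Y, λ_X, t) equals and_approx(λ_X, λ_Y, t) exactly (simultaneous failure has probability zero for continuous failure times), and the AND value is therefore always at least the PAND value, which is the conservative direction for a single gate. The state space of the chain already grows with the number of orderings of the inputs, which is the scaling problem the text attributes to the Markov approach.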

Yuge and Yanagi (2008) present an additional method of quantifying PAND gates without resorting exclusively to the use of Markov chains. Because Markov models have a number of disadvantages when created from fault trees, especially if the dynamic gates of the fault trees have shared events (i.e. the same event is an input to more than one gate, in which case the gates are no longer independent), Yuge and Yanagi propose the use of the inclusion-exclusion method to calculate the probability of the top event. This method can handle the presence of repeated/shared inputs to PAND gates, but it relies on the minimal ordered cut sets already being known; thus for a complex dynamic fault tree, without a clear method of obtaining its cut sets, this approach is not as suitable. The computation time also strongly depends on the number of cut sets.

⁶ Version 10 of FaultTree+ did not detect contradictions; Version 11 (the current version at the time of writing) detects simple contradictions like (X PAND Y) AND (Y PAND X) but cannot analyse them – the user is forced to change the fault tree.

Regardless of which approach is chosen, the problem remains that performing quantitative analysis on PAND gates without prior qualitative analysis can lead to anomalies and errors in the calculations. Most importantly, quantitative analysis has no way of detecting contradictions, which – being impossible – have a probability of 0.

Unfortunately, whilst there are several examples of techniques for quantifying PAND gates, there are far fewer examples of qualitative techniques. There are some approaches (described later in this chapter) which mention the generation of ordered cut sets or minimal cut sequences etc., such as the work of Güdemann et al. (2008) and the CSSA approach (Liu et al., 2007), but usually only as a step towards quantitative analysis. The effect of PAND gates on the identification of minimal cut sets is rarely considered, and methods of reducing them in certain situations (e.g. when the output is a tautology or a contradiction) are completely absent. The implications of including a PAND gate in qualitative analysis are not taken into account at all; for example, not all of the Boolean rules that apply to an AND gate apply to a PAND gate. Most obviously (using '<' to represent PAND):

                 Non-Temporal      Temporal
Commutative:     X.Y = Y.X         X<Y ≠ Y<X
Idempotent:      X.X = X           X<X = 0⁷

The Idempotent law is one of the main laws used in static qualitative analysis, since it removes redundancies from cut sets; it is doubtful that (X PAND X) could be reduced in the same way if PAND does not account for the simultaneous occurrence of its inputs.
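The contradiction raised earlier, (X PAND Y) AND (Y PAND X), and the two laws in the table above can be checked mechanically once one commits to a semantics for the gates, which is exactly what the Handbook never does. The following added example (not code from the original chapter, and not Pandora or any tool's implementation) evaluates AND, OR and PAND expressions over an assignment of occurrence times, using these explicitly chosen conventions: events are instantaneous and non-repairable, an AND is true once all its inputs have occurred in any order, and a PAND is true only if its left input occurs strictly before its right one, so simultaneous inputs make it false. Because every event is either absent or occurs at one of a finite number of ranks, the (n+1)^n weak orderings of n events can be enumerated exhaustively, which is enough to decide whether an expression is a contradiction and whether two expressions are equivalent:

```python
import itertools
import math

INF = math.inf  # the event never occurs
# Expression syntax (chosen for this example): an event name (str), or a
# tuple (op, left, right) with op in {"AND", "OR", "PAND"}.


def events(expr):
    """Set of basic event names appearing in an expression."""
    if isinstance(expr, str):
        return {expr}
    _, left, right = expr
    return events(left) | events(right)


def occurs(expr, t):
    """Time at which the expression becomes true under the assignment t
    (event name -> occurrence time), or INF if it never does.
    AND occurs when the later input does; OR when the earlier one does;
    PAND occurs when its right input does, provided the left input
    occurred strictly earlier (a tie or a missing input gives INF)."""
    if isinstance(expr, str):
        return t[expr]
    op, left, right = expr
    tl, tr = occurs(left, t), occurs(right, t)
    if op == "AND":
        return max(tl, tr)
    if op == "OR":
        return min(tl, tr)
    if op == "PAND":
        return tr if tl < tr < INF else INF
    raise ValueError("unknown gate %r" % op)


def holds(expr, t):
    return occurs(expr, t) < INF


def assignments(names):
    """Every weak ordering of the named events, including ties and
    non-occurrence: each event takes a rank 0..n-1 or INF."""
    names = sorted(names)
    ranks = list(range(len(names))) + [INF]
    for combo in itertools.product(ranks, repeat=len(names)):
        yield dict(zip(names, combo))


def satisfiable(expr):
    """False exactly when the expression is a contradiction (probability 0)."""
    return any(holds(expr, t) for t in assignments(events(expr)))


def equivalent(e1, e2):
    """True when both expressions agree on every weak ordering of their events."""
    names = events(e1) | events(e2)
    return all(holds(e1, t) == holds(e2, t) for t in assignments(names))


if __name__ == "__main__":
    X_Y, Y_X = ("PAND", "X", "Y"), ("PAND", "Y", "X")
    print("(X<Y).(Y<X) satisfiable:", satisfiable(("AND", X_Y, Y_X)))  # False
    print("X<X satisfiable:        ", satisfiable(("PAND", "X", "X")))  # False
    print("X<Y equivalent to Y<X:  ", equivalent(X_Y, Y_X))            # False
    print("X.Y equivalent to Y.X:  ", equivalent(("AND", "X", "Y"), ("AND", "Y", "X")))  # True
```

Under these conventions X<X evaluates to 0 for every assignment, matching the table, while X.X reduces to X; had PAND been defined to accept simultaneous inputs instead, X<X would collapse to X, which is the ambiguity the paragraph above points out. The exhaustive enumeration is only practical for the handful of events in a single gate or a small subtree, which is why a qualitative method needs reduction laws rather than brute force.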

Thorough qualitative analysis of PAND gates needs to be able to detect such situations and deal with them appropriately, particularly when those situations – like contradictions – have a bearing on any subsequent quantitative analysis. Although, for certain levels of detail, replacing PAND gates with AND or even INHIBITed AND gates is a sufficient approximation, in many cases this can lead to pronounced inaccuracies or even logical errors.

