Both DFTs and TFTs are gate-based approaches and attempt to represent the temporal information as part of the fault tree structure by incorporating new, temporal gates with fixed meanings into the fault tree. The alternative is the event-based approach, as exemplified by the work of Gorski & Wardzinski and Hansen et al., which incorporates the temporal information in the definitions of the events (whether intermediate or basic) instead. These approaches are meant to allow for a more precise and more formal specification of the temporal constraints on the events of a fault tree.
Gorski and Wardzinski accomplish this through the use of an enabling condition, which is an intermediate event that represents the temporal constraints. This is then included in the analysis as a kind of conditioning event and thus can be derived from the minimal cut sets at the end, in the same way TFTs can convert their temporal gates to a form of INHIBIT gate. The enabling conditions are subject to a formal specification known as CSDM (Common Safety Description Model), i.e. they are not written in natural language like normal basic events and instead use a form of predicate logic. For example, for two events e1 and e2 in a cut set, there may also be an enabling condition, e.g.:
The basic notion of CSDM is the event, which is defined as "a distinguished state of a system which can last for some time." (Gorski & Wardzinski, 1996) An event is therefore not instantaneous and can occur more than once (i.e. it can repeat), so to distinguish between multiple occurrences of an event, the notion of an action is introduced – an action is an instance of an event. The definition of an event is important in determining the formal semantics of the technique; as such, the approach also takes into account the temporal dependencies of intermediate events (i.e. logic gates), e.g. an AND gate implies a causal relationship between input and output and thus there is a temporal precedence – causes must come before effects (Gorski, 1994). However, the formal semantics are not meant to be excessively restrictive and can even be added to a fault tree post-construction, once the relationships between events have already been established.
Each action has a start time and an end time, known as transitions, and represented for action a by start(a) and end(a) respectively. Thus the duration of an action can be calculated by subtracting the start time from the end time. The presence of transitions also makes it possible for actions to overlap in time. The model of time used is linear and continuous, meaning that transitions can be mapped into real numbers by Time functions, each of which represents one 'scenario' of system behaviour. This system makes it possible to define very precise events, e.g. checking that the duration of an event was more than a certain value, or that two events had overlapped for at least a certain amount of time. For example, an overlap between a gas leak and a naked flame – once a sufficient amount of gas has leaked out (at time tG), the flame would ignite it:
explosion = occur(gas_leak) ∧ occur(fire) ∧ overlap(gas_leak, fire) ∧ duration(gas_leak, fire) > tG
Transitions themselves are instantaneous and actions always end, so events are not persistent: any given occurrence of an event (an action) will eventually cease. There are two types of temporal relations between actions – temporal ordering (i.e. one action occurred before or after another) or temporal equality (both occurred at the same time, e.g. because they were triggered by the same causes).
Qualitative analysis is then carried out as in a normal fault tree, but at each stage, the enabling condition of any gate or event has to be taken into account. Once the MCS have been obtained, real-time requirements are then generated from the temporal aspects of the MCS, i.e. the enabling conditions. The system can then be specified according to these requirements, e.g. that it should not be possible for a gas leak to exist for more than tG seconds. By preventing the enabling condition from being fulfilled, it is possible to prevent a given minimal cut set from becoming true and thereby prevent it from leading to the top event and causing a hazard. The enabling condition is not necessarily present in the minimal cut sets; it can also be derived by examining the MCS and determining what conditions are necessary for those events to cause the top event.
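The time model and the gas-leak enabling condition described above, together with the real-time requirement derived from it, as an added example (not code from the thesis or from Gorski & Wardzinski). It assumes that duration(gas_leak, fire) in the formula means the length of the overlap between the two actions, and that a scenario (one Time function) is given as a list of actions with numeric start and end transitions; the scenarios are constructed.

```python
# Added example: evaluating CSDM-style temporal predicates over actions and checking
# that the derived real-time requirement (no gas leak longer than tG) blocks the
# enabling condition of the gas-leak / naked-flame cut set.
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    """One occurrence (instance) of an event, bounded by its start and end transitions."""
    event: str
    start: float
    end: float

    def duration(self) -> float:
        return self.end - self.start


def occur(scenario, event):
    """occur(e): at least one action of event e exists in this scenario."""
    return any(a.event == event for a in scenario)


def overlap_length(a, b):
    """Length of the interval during which actions a and b are both active (0 if none)."""
    return max(0.0, min(a.end, b.end) - max(a.start, b.start))


def overlap(a, b):
    return overlap_length(a, b) > 0


def explosion_enabled(scenario, t_g):
    """Enabling condition from the text:
    occur(gas_leak) ∧ occur(fire) ∧ overlap(gas_leak, fire) ∧ duration(gas_leak, fire) > tG
    Returns the first (leak, flame) pair that fulfils it, or None."""
    if not (occur(scenario, "gas_leak") and occur(scenario, "fire")):
        return None
    leaks = [a for a in scenario if a.event == "gas_leak"]
    flames = [a for a in scenario if a.event == "fire"]
    for g in leaks:
        for f in flames:
            if overlap(g, f) and overlap_length(g, f) > t_g:
                return (g, f)
    return None


def meets_requirement(scenario, t_g):
    """Real-time requirement derived from the MCS: no gas leak may exist for more than tG."""
    return all(a.duration() <= t_g for a in scenario if a.event == "gas_leak")


T_G = 5.0  # constructed threshold: seconds of leak needed before ignition
SCENARIO_HAZARD = [Action("gas_leak", 0.0, 12.0), Action("fire", 4.0, 20.0)]   # overlap 8 s
SCENARIO_SAFE = [Action("gas_leak", 0.0, 4.0), Action("fire", 2.0, 20.0)]      # overlap 2 s
SCENARIO_NO_OVERLAP = [Action("gas_leak", 0.0, 10.0), Action("fire", 15.0, 20.0)]
```

A leak bounded by tG bounds any overlap by tG as well, so any scenario that meets the requirement has no pair fulfilling the enabling condition; SCENARIO_NO_OVERLAP shows the converse does not hold (the condition fails although the requirement is violated).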
It is important to point out that the CSDM approach simply augments fault trees: it is meant to be possible to add the formal specifications to an existing fault tree as well as build a formal fault tree from nothing. In effect, the formalism adds a second layer – a temporal layer – on top of the existing Boolean layer of semantics. This is the reason for the two-stage analysis where temporal relationships between events in a minimal cut set are determined after standard qualitative analysis has taken place. The results of this second stage can then be used to produce the timing requirements for the system specification. Notably, other techniques can be used to perform a second, more detailed 'temporal' phase of analysis, e.g. time Petri nets (Gorski & Wardzinski, 1997). Petri nets are a widely used tool for analysing complex systems and can be used as a visual aid similar to flow charts. In this case, the general algorithm is as follows:
1. Produce a conventional fault tree.
2. Formalise it using CSDM, removing ambiguities and establishing temporal relationships between events.
3. Calculate MCS and, for each MCS, the enabling conditions necessary for it to cause the top event.
4. Perform a time Petri net (TPN) analysis to establish hazard reachability. The fault tree is transformed into a TPN and analysed to see whether the top event is reachable given the time dependencies present in the enabling conditions.
This second, separate analysis can check the results of stage 3 and can potentially identify anomalies caused by hitherto unidentified relationships between events.
The approach taken by Hansen et al. (1998) is similar in that it establishes more precise semantics for events in fault trees, but instead of CSDM it uses Duration Calculus, which is based on Interval Temporal Logic (ITL) and in particular employs the 'chop' operator (written ';' in Duration Calculus). Other operators include 'somewhere' or ◊ (i.e. an event occurs somewhere within a given interval) and 'everywhere' or (i.e. an event is true throughout a given interval). These can then be used to produce safety requirements, e.g.
which means function (which may in turn be composed of other functions) must not be true within a given interval. Functions are system-specific. As in CSDM, these statements are treated as basic or intermediate events and can be combined as normal by using normal logical gates. Based on the results of the fault tree analysis, formal safety requirements can be derived using the formalised events and more formal semantics of the logic gates. For example, if a system failure could be caused by X AND Y, the designer may add a safety requirement to the system to prevent this combination from becoming true, e.g. ¬X ∨ ¬Y. If either X or Y can never be true, then X AND Y can never be true either.
The main disadvantage to event-based approaches like these is that the temporal information is entirely encapsulated within the descriptions of the events, not the logic of the fault tree structure itself, and so cannot take part in the qualitative analysis of the system. Instead, the cut sets are derived in the usual fashion and the temporal information dealt with separately. Unfortunately, this means that the potential for simplification and reduction due to the temporal information is lost, because the temporal data is not being analysed directly.
The advantage, of course, is that it allows for a much more precise specification of the failure behaviour of the system. In both of these approaches, this is done for the purposes of defining the safety requirements for a system, particularly software-based systems, and as such the precision is necessary to ensure that the system meets those requirements. The formalised semantics of CSDM and Duration Calculus help to remove any ambiguities in the meaning of the fault tree and ensure that the fault tree represents a more accurate model of the system failure behaviour.