Reliability Engineering and System Safety 25 (1989) 15-31
Development of a Computer Code AFTC for Fault Tree Construction Using Decision Table Method and Super Component Concept
Sang Hoon Han, Tae Woon Kim, Young Choi & Kun Joong Yoo
Reactor Safety Department, Korea Advanced Energy Research Institute, PO Box 7, Daeduk-Danji, Choong-Nam, Republic of Korea
(Received 7 July 1988; accepted 17 July 1988)
ABSTRACT
In system reliability analysis, the construction of fault trees is necessary and has remained a manual task which usually requires the bulk of the analysis time. In this paper, the computer code AFTC is developed to generate fault trees automatically, which saves the time and effort of constructing fault trees by hand. In the AFTC, components are modeled using decision tables and a system is modeled using a flow diagram. A decision table describes the relations between the inputs, internals and outputs of a component, and a flow diagram describes the connections between the components of a system. The super component concept is introduced to model a small subsystem as one component. For common cause failure modeling, the Basic Parameter Method or the Binomial Failure Rate Method can be used. The final fault tree is generated using modularization techniques.
1 INTRODUCTION
Given a piping and instrumentation diagram (P&ID) and information about a system, the construction of the fault tree is carried out by a logical and deductive method, and it can be computerized. In this paper, the AFTC code is developed by improving the CAT [1] methodology. The features added are small subsystem modeling by the super component concept, common cause failure (CCF) modeling, a modularization scheme for fault tree construction, and incorporation of a reliability database for future use.
Reliability Engineering and System Safety 0951-8320/89/$03.50 © 1989 Elsevier Science Publishers Ltd, England. Printed in Great Britain
Fig. 1. Work flow diagram of AFTC, MODULE and CUT. (Figure: a library of component models (decision tables), super component models and reliability data is stored in a database; the system P&ID, the flow diagram, the TOP event and the CCF candidates are the input to AFTC; AFTC produces the fault tree and reliability data for the MODULE code (cut set generation, importance analysis, uncertainty analysis) and the CUT code (cut set generation).)
The construction of the fault trees of many systems by hand requires much effort and tedious work, because the same procedures are repeated to construct subtrees for the same types of components and trains. In the AFTC, the same types of components and subsystems are modeled by decision tables or super components, which are stored in a library. Therefore, the effort to construct subtrees for the same component type can be greatly reduced. The AFTC is a useful tool to construct the fault trees of many systems, which is essential to carry out probabilistic safety analysis of nuclear power plants.
In the AFTC, a system is represented by components and connections between these components, i.e. nodes and arcs. A basic component is modeled by a decision table which describes the relation between the states of the inputs, internals and outputs of the component. A small subsystem can be modeled as one component by the super component concept, and it is then treated as a basic component. The flow diagram is used to represent the connections between the inputs and outputs of components, which is similar to the P&ID of a system. Given the decision tables (basic component models), super component models and flow diagram, the AFTC generates the basic fault tree of the system. After constructing this basic fault tree, CCFs are modeled and merged into the fault tree. Finally, the fault tree is modularized. The AFTC generates the final fault tree and reliability data in the input form of the MODULE [2] and CUT [3] codes. MODULE is the code which performs generation of minimal cut sets, importance calculation and uncertainty calculation. CUT is the code which generates minimal cut sets; it can handle Boolean equations in a similar way to SETS [4]. The work flow of system fault tree construction and reliability analysis, which is done by AFTC, MODULE and CUT, is shown in Fig. 1. The AFTC is written in C and runs on IBM-PC compatibles. MODULE and CUT also run on IBM-PC compatibles.
2 THE AFTC METHOD
The procedures used in AFTC are as follows. First, a fault tree is generated using basic component models (decision tables), super component models and a flow diagram. Next, CCF models are merged into the fault tree, and finally the fault tree is modularized. Each procedure and concept is described in the following sections.
2.1 Decision table library
A basic component model is represented by a decision table [1], which describes the relations between inputs, internals and outputs for the component type. In Fig. 2, two decision table libraries are presented, for a valve and for an OR type junction. In a library, the first line gives the name of the library, the number of inputs, internals and outputs, and the number of lines in the decision table. The second line gives comments on the inputs, internals and outputs, and the table that follows is the decision table. In a decision table, one line represents one combination of input, internal and output states. A decision table should contain all possible combinations of inputs, internals and outputs for the component type. In a decision table, the state of the output is determined by the state of the input and the state of the internal.
Fig. 2. Example of decision table (the two decision table libraries of the figure, with the state legend):

Decision table libraries
  LIB VV 1 1 1 3
  IN VV OUT
   0 -1  0
  -1  3  0
   1  0  1
  VV 3 1.0E-3 10 Valve closed
  END

  LIB OR 2 0 1 3
  IN1 IN2 OUT
   0   0   0
   1  -1   1
  -1   1   1
  END

State description
  Input/Output: 0 - no input/output; 1 - input/output exists
  Internal:     0 - normal state; > 0 - fault/failure of the component
  All:         -1 - don't care
For the example of the valve, the first line '0 -1 0' means that if the input does not exist (state 0), then the output does not exist (state 0) regardless of the state of the valve (-1). In the second line '-1 3 0', the valve is closed (state 3) and the output does not exist (state 0). In a decision table, state 0 represents 'no input/output' and state 1 represents 'input/output exists'. For the internal of the component, state 0 represents the normal state and a state greater than 0 represents some fault of the component. In all cases, state -1 represents 'don't care', that is, regardless of the state. Figure 3 shows the fault trees corresponding to the decision tables in Fig. 2. Basically, the decision table is not different from the fault tree. Comparing Fig. 2 with Fig. 3, the relation between decision tables and fault trees is governed by the following four rules.
(1) In a decision table, the lines having the required output state are linked with OR logic. In the valve decision table, there are two lines whose output state is zero. These are linked with OR logic. This rule explains the OR gate in the constructed fault tree.
(2) In a line, the inputs and internals are linked with AND logic. In the junction OR, the output state 0 is produced only with 0s for both input states. This rule explains the AND gate in the constructed fault tree.
Fig. 3. The fault trees corresponding to the decision tables of Fig. 2. (Figure: 'No output from valve' is an OR gate over 'no input to valve' and 'valve closed'; 'No output to OUT' is an AND gate over 'no input from IN1' and 'no input from IN2'.)
(3) The internals in the decision tables always become basic events in the constructed fault tree.
(4) The inputs of a component are developed successively, and these inputs become lower level gates. This procedure is described in the next section.
2.2 Flow diagram
A system is described by the connections of the components contained in the system. The flow diagram represents how the components are connected. The connection between components is made through nodes, where a node represents a connection between components or between a component and a junction; that is, a node is the mid-point of a connection between an output of one component and an input of another component. The upper part of Fig. 4 shows an example of a sample system, where two valves are connected in parallel and J1 is a junction. Using the libraries of Fig. 2, the flow diagram is constructed by the user as shown in the bottom of Fig. 4.
Fig. 4. An example of a flow diagram. (Figure: the sample system, in which valves V1 and V2 are connected in parallel between node 4 and the OR type junction J1, V1 producing output to node 2, V2 to node 3 and J1 to node 1; and the flow diagram for the sample system, one line per component giving its name, library type, input nodes and output node:)

  J1 OR 2 3 1
  V1 VV 4 2
  V2 VV 4 3
This flow diagram is used as input to the AFTC code. The junction J1 is of OR type; it receives two inputs from nodes 2 and 3 and produces output to node 1, where the library type OR is defined in the decision table library to require two inputs and to produce one output. Node 2 receives input from node 4 through valve V1, and node 3 receives input from node 4 through valve V2, where the type VV has two nodes, one for input and one for output. The number of inputs and outputs for each component in the flow diagram must be consistent with those defined in the decision table library. The procedures to construct the fault tree from the flow diagram are as follows.
(1) Start from the top node, which is node 1.
(2) Find the component which produces output to node 1, which is J1.
(3) Check the decision table for J1, which is of OR type.
(4) Develop the subtree for J1.
(5) Check the input nodes of J1, which are nodes 2 and 3.
(6) Repeat procedures 1-5 for the input nodes 2 and 3 of J1.
Figure 5 illustrates the above procedures.
Fig. 5. Procedures to construct a fault tree for the flow diagram of Fig. 4. (Figure: 'No output from node 1' develops into an AND of 'No output from node 2' and 'No output from node 3'; 'No output from node 2' develops into an OR of 'No output from node 4' and 'Valve 1 closed', and 'No output from node 3' into an OR of 'No output from node 4' and 'Valve 2 closed'.)
2.3 Super component library
Another type of component model needed is the super component model. The super component model is similar to the flow diagram of a small subsystem, and it can be used in a flow diagram in the same way as a basic component model given by a decision table. For example, the small system in Fig. 4 can be represented by one super component having one input and one output, as illustrated in Fig. 6. In Fig. 6, the first line of the super component library gives the name and the number of inputs and outputs of the library. The second line is comments on the inputs and outputs. The next three lines are flow diagram descriptions for the super component PAR-VV; these are similar to the flow diagram. Negative numbers are used to represent the internal nodes, which are used only inside the super component, and positive numbers represent the input and output nodes. The same types of subsystems or trains can be modeled by a super component. Therefore, small subsystems appearing repeatedly can be modeled by one component model, which reduces the human effort of repeating the same procedures when constructing the flow diagram.
Fig. 6. An example of a super component library. (Figure: the super component library for the parallel valves of Fig. 4, and a flow diagram using a single component PAR of type PAR-VV with one input node and one output node:)

Super component library
  SUPER PAR-VV 1 1
  IN OUT
  OR -1 -2 1
  VV 1 -1
  VV 1 -2
  END
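The construction procedure of Sections 2.1 to 2.3 (the four decision table rules, recursive development through the flow diagram, and expansion of a super component into its internal flow diagram) as an added Python example; this is not the AFTC code. The names DecisionTable, Component, SuperComponent, expand, develop and cut_sets are my own; the libraries of Fig. 2 and the flow diagrams of Figs 4 and 6 are transcribed from the figures; reading a positive node number inside a super component body as the k-th input or output port of the instance is an assumption, as is leaving a node that nothing produces output to as an undeveloped event.

```python
"""Fault tree construction from decision tables and a flow diagram (Sections 2.1-2.3).
Added example, not the AFTC code.  Rows use the Fig. 2 layout (inputs, internals,
outputs; -1 = don't care).  In a super component body (Fig. 6) a positive node number
is read as the k-th input/output port of the instance and a negative number as an
internal node; that port convention is an assumption."""
from dataclasses import dataclass
from itertools import count, product
from typing import Dict, List, Tuple

DONT_CARE = -1
Gate = tuple  # ("EVENT", label) | ("AND", [gates]) | ("OR", [gates])

@dataclass
class DecisionTable:
    name: str
    n_in: int
    n_int: int
    rows: List[Tuple[int, ...]]         # input states, internal states, output states
    faults: Dict[Tuple[int, int], str]  # (internal index, fault state) -> description

@dataclass
class Component:
    name: str
    lib: str            # decision table name, or super component name
    inputs: List[int]   # nodes the component reads from
    outputs: List[int]  # nodes the component produces output to

@dataclass
class SuperComponent:
    name: str
    body: List[Component]

def expand(flow, supers):
    """Replace each super component instance by its body (one level of nesting),
    mapping ports to the instance's nodes and renaming internal nodes to fresh
    negative numbers so two instances never share an internal node."""
    fresh = count(start=-1, step=-1)
    result = []
    for inst in flow:
        if inst.lib not in supers:
            result.append(inst)
            continue
        rename = {}
        def node(n, ports):
            return ports[n - 1] if n > 0 else rename.setdefault(n, next(fresh))
        for part in supers[inst.lib].body:
            result.append(Component(f"{inst.name}/{part.name}", part.lib,
                                    [node(n, inst.inputs) for n in part.inputs],
                                    [node(n, inst.outputs) for n in part.outputs]))
    return result

def develop(node, state, flow, libs, visited=frozenset()):
    """Gate for 'output at node is in state' (0 = none, 1 = exists) by the four rules
    of Section 2.1: lines with that output state are OR-ed, the inputs and internals
    of one line are AND-ed, fault states of internals become basic events, and inputs
    are developed recursively.  A source node or a loop is left as an undeveloped event."""
    producer = next((c for c in flow if node in c.outputs), None)
    if producer is None or node in visited:
        return ("EVENT", f"{'no ' if state == 0 else ''}input at node {node}")
    table = libs[producer.lib]
    out_col = table.n_in + table.n_int + producer.outputs.index(node)
    lines = []
    for row in table.rows:
        if row[out_col] not in (state, DONT_CARE):
            continue
        terms = []
        for i, s in enumerate(row[:table.n_in]):
            if s != DONT_CARE:
                terms.append(develop(producer.inputs[i], s, flow, libs, visited | {node}))
        for j, s in enumerate(row[table.n_in:table.n_in + table.n_int]):
            if s > 0:  # state 0 is the normal state and adds no event
                terms.append(("EVENT", f"{producer.name} {table.faults[(j, s)]}"))
        if terms:
            lines.append(terms[0] if len(terms) == 1 else ("AND", terms))
    return lines[0] if len(lines) == 1 else ("OR", lines)

def cut_sets(gate):
    """Minimal cut sets of a gate (the step MODULE and CUT perform downstream)."""
    if gate[0] == "EVENT":
        return {frozenset([gate[1]])}
    parts = [cut_sets(g) for g in gate[1]]
    sets = (set().union(*parts) if gate[0] == "OR"
            else {frozenset().union(*combo) for combo in product(*parts)})
    return {s for s in sets if not any(t < s for t in sets)}

# Fig. 2 libraries, Fig. 4 flow diagram (J1 OR 2 3 1 / V1 VV 4 2 / V2 VV 4 3) and
# Fig. 6 super component PAR-VV, used once between input node 2 and output node 1.
LIBS = {"VV": DecisionTable("VV", 1, 1, [(0, -1, 0), (-1, 3, 0), (1, 0, 1)], {(0, 3): "closed"}),
        "OR": DecisionTable("OR", 2, 0, [(0, 0, 0), (1, -1, 1), (-1, 1, 1)], {})}
FLOW = [Component("J1", "OR", [2, 3], [1]),
        Component("V1", "VV", [4], [2]), Component("V2", "VV", [4], [3])]
SUPERS = {"PAR-VV": SuperComponent("PAR-VV", [Component("J", "OR", [-1, -2], [1]),
          Component("VA", "VV", [1], [-1]), Component("VB", "VV", [1], [-2])])}
FLOW_SUPER = [Component("PAR", "PAR-VV", [2], [1])]

def sample_tree():        # top event of Fig. 5: no output from node 1
    return develop(1, 0, FLOW, LIBS)

def sample_super_tree():  # the same system written with the super component
    return develop(1, 0, expand(FLOW_SUPER, SUPERS), LIBS)

if __name__ == "__main__":
    for tree in (sample_tree(), sample_super_tree()):
        print(tree, sorted(sorted(c) for c in cut_sets(tree)), sep="\n")
```

Running it reproduces Fig. 5: the top gate is an AND of the two valve branches, each an OR of 'no input at node 4' and the valve's closed state, so the minimal cut sets are the shared source node alone and the two valves closed together. The super component form gives the same structure with the internal nodes renamed, which is why a subsystem modeled once as a super component can be instantiated many times without hand-building its subtree.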
2.4 Common cause failure modeling
CCF modeling in a fault tree is the same for the Basic Parameter Model, the Binomial Failure Rate Model and the Multiple Greek Letter Model. Figure 7 shows an example of a CCF fault tree model for a three-pump system, based on the procedures presented by Mosleh et al. [5]. In the AFTC, CCF candidates are required as input in the same way that the components and failure modes are specified.
Fig. 7. An example of common cause failure fault tree model. (Figure: 'failure of A' is an OR gate over 'independent failure of A', 'double failure of A and B', 'double failure of A and C' and 'triple failure of A, B and C'.)
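The CCF expansion of Fig. 7, and its merging into a basic fault tree as Section 2.4 describes, as an added Python example that is not the AFTC code. The functions ccf_gate, merge_ccf and total_failure_probability are my own names; the event label format and the tree fragment SAMPLE_TREE are constructed, the pump group SSPPS (SSP01A, SSP01B, mode S) is taken from the sample run of Fig. 10, and the Q_k values in sample_total are constructed figures rather than data from the paper. The combinatorial structure (every combination of group members that contains the component) is shared by the Basic Parameter, Binomial Failure Rate and Multiple Greek Letter models, as the section states; the closed-form total in total_failure_probability is the Basic Parameter Model expression.

```python
"""Common cause failure (CCF) expansion of a fault tree, after Section 2.4 and Fig. 7.
Added example, not the AFTC code.  The Basic Parameter, Binomial Failure Rate and
Multiple Greek Letter models share the tree structure built here; the Q_k values in
sample_total() are constructed figures, not data from the paper."""
from itertools import combinations
from math import comb
from typing import Dict, List

Gate = tuple  # ("EVENT", label) | ("AND", [gates]) | ("OR", [gates])


def ccf_gate(member: str, group: List[str], mode: str) -> Gate:
    """OR gate for 'failure of member' in a common cause group: the combination
    containing only the member is its independent failure, and every larger
    combination containing it is a common cause event (Fig. 7 for A, B, C)."""
    others = [m for m in group if m != member]
    events = []
    for k in range(len(others) + 1):
        for extra in combinations(others, k):
            names = " ".join(m for m in group if m == member or m in extra)
            kind = "independent failure of" if k == 0 else "common cause failure of"
            events.append(("EVENT", f"{kind} {names} ({mode})"))
    return ("OR", events)


def merge_ccf(gate: Gate, group: List[str], mode: str) -> Gate:
    """Replace each basic event '<member> <mode>' of a group member by its CCF
    gate and leave every other event and gate unchanged."""
    if gate[0] == "EVENT":
        for m in group:
            if gate[1] == f"{m} {mode}":
                return ccf_gate(m, group, mode)
        return gate
    return (gate[0], [merge_ccf(g, group, mode) for g in gate[1]])


def total_failure_probability(q: Dict[int, float], m: int) -> float:
    """Basic Parameter Model: a specific member of an m-member group fails from
    any cause with probability sum over k of C(m-1, k-1) * Q_k, where Q_k is the
    probability of one specific k-member common cause event (rare-event sum)."""
    return sum(comb(m - 1, k - 1) * q[k] for k in range(1, m + 1))


# Fig. 10 CCF group SSPPS: pumps SSP01A and SSP01B, failure mode S (fails to start).
PUMP_GROUP = ["SSP01A", "SSP01B"]
# Constructed tree fragment: flow is lost only when both pump trains fail.
SAMPLE_TREE: Gate = ("AND", [("EVENT", "SSP01A S"), ("EVENT", "SSP01B S")])


def sample_merged() -> Gate:
    return merge_ccf(SAMPLE_TREE, PUMP_GROUP, "S")


def three_pump_labels() -> List[str]:
    """Event labels under 'failure of A' for the three-pump group of Fig. 7."""
    return [e[1] for e in ccf_gate("A", ["A", "B", "C"], "fail")[1]]


def sample_total() -> float:
    # Constructed Q_1, Q_2, Q_3 for a three-member group (not from the paper).
    return total_failure_probability({1: 1.0e-3, 2: 1.0e-4, 3: 1.0e-5}, 3)


if __name__ == "__main__":
    print("\n".join(three_pump_labels()))
    print(sample_merged())
    print(f"total failure probability of one of three pumps: {sample_total():.3e}")
```

After merging, the common cause event 'common cause failure of SSP01A SSP01B (S)' appears under both train gates, so it becomes a single-event minimal cut set of the AND gate. That is the dependency CCF modeling is meant to expose: without it, the two-train AND gate would suggest that only a double independent failure defeats the redundancy.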
Fig. 8. Event and gate naming rule. (Figure: a component name is built from the system code, component identifier and train; a basic event name from the system code, component type, component identifier, failure mode and train; a common cause event name from the system code, failure mode, component identifier and trains; a gate name from the system code, output mode and output node number.)
2.5 Reliability data
The reliability data for each failure mode of a component are given by the mean and the error factor of a lognormal distribution in the corresponding library. An example of the reliability data is shown in the bottom line of the valve library in Fig. 2.
2.6 Naming of events and gates
AFTC generates the names of all events and gates in the form given in Fig. 8. The naming rule makes the generated fault tree easy to read.
3 SAMPLE RUN
To demonstrate the AFTC code, a sample system is selected which is shown in Fig. 9. The system has two pump trains and one water tank. Each pump train has one pump, one motor operated valve and one manual valve. In the sample run, the support systems such as the electric power and component cooling water systems are not modeled. The input for the AFTC is given in Fig. 10, and the resulting fault tree and module information generated by the AFTC are shown in Figs 11 and 12, respectively. The fault tree is the same as that constructed by hand. Given the component models, i.e. decision tables or super components, it is easier to prepare the flow diagram than to construct the fault tree directly by hand.
Fig. 9. Sample system. (Figure: a water tank feeding two pump trains, train A with valves V1A and V2A and a pump, train B with valves V1B and V2B and a pump; the support inputs shown for train A are 401 EK416, 411 EM480, 421 EA120, 431 ED125, 441 SI, 601 CCWS and 611 HVAC, and for train B 501 EK416, 511 EM480, 521 EA120, 531 ED125, 541 SI, 602 CCWS and 612 HVAC.)
Fig. 10. Input for AFTC. (Listing, only partly recoverable from the scan: a $LIBRARY section with the decision table libraries MV-C, MO-BRK, PUMP, PP-BRK, VV-O, TANK and OR2; a $SUPER section with the super components SMV-C (motor operated valve MV-C with its breaker MO-BRK) and SPUMP (PUMP with its breaker PP-BRK); a $COMP section listing the components SSINJ (OR2), SSV02A (SMV-C), SSP01A (SPUMP), SSV01A (VV-O), SSV02B (SMV-C), SSP01B (SPUMP), SSV01B (VV-O) and SSCSK (TANK) with their node numbers; a $CCF section defining the CCF group SSPPS of type PUMP, failure mode PP/S, for pumps SSP01A and SSP01B; and a $TOP section specifying the top node. The failure modes and reliability data (mean, error factor) readable in the libraries are: MOV fails to open 4.0E-3, 10; failure of MOV circuit breaker 1.3E-3, 10; failure of transformer for MOV circuit breaker 2.6E-5, 10; failure of MOV SSILS 4.0E-3, 10; pump fails to start 5.0E-4, 10; pump fails to run 4.8E-4, 10; pump unavailable during T&M 2.0E-4, 10; failure of pump circuit breaker 1.3E-3, 10; failure of pump SSILS 4.0E-4, 10; VV not restored after T&M 2.5E-4, 10; tank failure 1.0E-6, 10.)
Fig. 11. Fault tree generated by AFTC. (Figure: the top gate GOSS1, 'no flow from SSINJ', develops through the train gates GOSS2 and GOSS3 ('No flow from Pump SSP01A to node 3') and GOSS5 and GOSS6 ('No flow from Pump SSP01B to node 6') into support-system events such as 'No 120V AC Power EAJP3 from node 421', 'No 480V Power EMA01 from node 411', 'No 4.16kV Power EKA01 from node 401', 'No Safety Injection Signal ESA01 from node 441', 'No CCWS CCA01 from node 601' and 'No HVAC CHA from node 611' (and their train B counterparts), the tank failure SSTKCSKF, the common cause event SSPPSS12 'CCF for SSPPS (type:PP mode:S) SSP01A SSP01B', and the modules SSMVV02ZA/SSMVV02ZB 'MOV SSV02A/SSV02B fails to open' and SSPPP01ZA/SSPPP01ZB 'Pump SSP01A/SSP01B unavailable during T&M'.)
Fig. 12. Module information for example run.
  MODULE SSMVV02ZA  mean: 9.33e-003  ef: 6.12
    SSMVV02OA  mean: 4.00e-003  ef: 10.00
    SSSLV02FA  mean: 4.00e-003  ef: 10.00
    SSTFV02FA  mean: 2.60e-005  ef: 10.00
    SSCBV02FA  mean: 1.30e-003  ef: 10.00
  MODULE SSCBP01ZA  mean: 2.93e-003  ef: 5.15
    SSPPP01RA  mean: 4.80e-004  ef: 10.00
    SSPPP01SA  mean: 5.00e-004  ef: 10.00
    SSVVV01UA  mean: 2.50e-004  ef: 10.00
    SSSLP01FA  mean: 4.00e-004  ef: 10.00
    SSCBP01FA  mean: 1.30e-003  ef: 10.00
  MODULE SSMVV02ZB  mean: 9.33e-003  ef: 6.12
    SSMVV02OB  mean: 4.00e-003  ef: 10.00
    SSSLV02FB  mean: 4.00e-003  ef: 10.00
    SSTFV02FB  mean: 2.60e-005  ef: 10.00
    SSCBV02FB  mean: 1.30e-003  ef: 10.00
  MODULE SSCBP01ZB  mean: 2.93e-003  ef: 5.15
    SSPPP01RB  mean: 4.80e-004  ef: 10.00
    SSPPP01SB  mean: 5.00e-004  ef: 10.00
    SSVVV01UB  mean: 2.50e-004  ef: 10.00
    SSSLP01FB  mean: 4.00e-004  ef: 10.00
    SSCBP01FB  mean: 1.30e-003  ef: 10.00
4 CONCLUSION
The AFTC is developed by improving the CAT methodology. The new features added are the super component concept, CCF fault tree modeling and modularization of the fault tree. The method used in the AFTC is useful for constructing the fault trees of many systems which have many similar types of components and trains. The AFTC will greatly reduce the effort needed to repeat similar work and will help the analyst to construct fault trees. The results of the sample run compare well with the fault tree constructed by hand. A fault tree can be developed within half the time that is typically required, which results in a large saving of cost and manpower.
REFERENCES
1. Apostolakis, G. E., et al., CAT: a computer code for the automated construction of fault trees. EPRI-NP-705, Electric Power Research Institute, Palo Alto, CA, 1978.
2. Sang Hoon Han, Tae Woon Kim & Kun Joong Yoo, Development of an integrated system reliability analysis code MODULE by modularization technique. Reliability Engineering and System Safety, 21(2) (1988) 145-54.
3. Sang Hoon Han & Kim, T. W., CUT reference manual. KAERI-NSD-PRA-002, Korea Advanced Energy Research Institute, Choong-Nam, 1988.
4. Worrell, R. B., SETS reference manual. NUREG/CR-4213, Sandia National Laboratories, Albuquerque, NM, 1985.
5. Mosleh, A. et al., Procedures for treating common cause failures in safety and reliability studies. NUREG/CR-4780, Pickard, Lowe, and Garrick, Inc., Newport Beach, CA, 1988.