Scalable Analysis of Fault Trees with Dynamic Features

Size: px

Start display at page:

Download "Scalable Analysis of Fault Trees with Dynamic Features"

Kristina Dorsey
6 years ago
Views:

1 Scalable Analysis of Fault Trees with Dynamic Features Jan Krčál 1, Pavel Krčál 2,3 1 Saarland University Computer Science, Saarbrücken, Germany 2 Lloyd's Register Consulting, Stockholm, Sweden 3 Uppsala University, Sweden DSN 2015 (IEEE/IFIP Conference on Dependable Systems and Networks) TUM, December 11, 2015

2 Probability of an incident?

3 Probability of an incident? There are some incidents you cannot avoid. For everything else there is

4 Probability of an incident? There are some incidents you cannot avoid. For everything else there is fault tree analysis!

5 (Static) Fault Trees: The Model

6 (Static) Fault Trees: The Model 9x10-4 5x10-3 8x10-3 5x10-3 8x10-3

7 (Static) Fault Trees: The Model How to obtain the numbers? 1) Time-independent failure Average number of starts before failure: 200 Failure probability x10-4 5x10-3 8x10-3 5x10-3 8x10-3

8 (Static) Fault Trees: The Model 2) Time-dependent failure: 9x10-4 5x10-3 8x10-3 5x10-3 8x10-3 How to obtain the numbers? 1) Time-independent failure Average number of starts before failure: 200 Failure probability On average once per 4700 h Mission time: 24h Probability to fail in 24 hours: 1 e

9 (Static) Fault Trees: The Model How to obtain the numbers? 1) Time-independent failure Average number of starts before failure: 200 Failure probability ) Time-dependent failure: 9x10-4 On average once per 4700 h Mission time: 24h Probability to fail in 24 hours: 1 e x10-3 8x10-3 5x10-3 8x10... and from -3 further models

10 Fault Trees: The Application Assessing & managing risk Nuclear power plants Nuclear Submarines Aviation & Aerospace Transportation systems

11 Fault Trees: The Application Assessing & managing risk Nuclear power plants Nuclear Submarines Aviation & Aerospace Transportation systems licensed at > 55% of nuclear PP

12 Fault Trees: The Application Assessing & managing risk Nuclear power plants Nuclear Submarines Aviation & Aerospace Transportation systems licensed at > 55% of nuclear PP fault trees with 50,000+ nodes

Transportation systems licensed at > 55% of nuclear PP fault trees

13 Fault Trees: The Application Assessing & managing risk Nuclear power plants Nuclear Submarines Aviation & Aerospace Transportation systems licensed at > 55% of nuclear PP fault trees with 50,000+ nodes model maintenance costs of millions of every year per nuclear PP

14 Theme of this work: The Tradeoff Expressiveness vs. Scalability

15 Theme of this work: The Tradeoff Expressiveness vs. Scalability

16 Theme of this work: The Tradeoff Expressiveness vs. Scalability

17 The tradeoff: Static not expressive Example: a redundant pump system: survives for 24h?

18 The tradeoff: Static not expressive Example: a redundant pump system: survives for 24h? 5x10-2 5x10-2 5x10-2 5x10-2 5x10-2 Failure probabilities obtained from a CTMC disregarding repairs:

19 The tradeoff: Static not expressive Example: a redundant pump system: survives for 24h? 5x10-2 5x10-2 5x10-2 5x10-2 5x10-2 Failure probabilities obtained from a CTMC disregarding repairs: Probability of failure: (0.05) 5 = unrealistically high!

20 The tradeoff: Dynamic not scale

21 The tradeoff: Dynamic not scale Analysis with timing scales to: 100 basic events and 200 gates

22 The tradeoff: Dynamic not scale Analysis with timing scales to: We need to analyze: 100 basic events and 200 gates basic events and gates

23 The tradeoff: Dynamic not scale Analysis with timing scales to: We need to analyze: 100 basic events and 200 gates states! basic events and gates a great achievement!

24 The tradeoff: Dynamic not scale Analysis with timing scales to: We need to analyze: 100 basic events and 200 gates states! a great achievement! basic events and gates states! can you handle it?

25 The tradeoff: Dynamic not scale Analysis with timing scales to: We need to analyze: 100 basic events and 200 gates states! a great achievement! basic events and gates states! can you handle it?

26 Outline: 1) The formalism: static and dynamic fault trees 2) The algorithm: minimal cut set list decomposition 3) Experiments: on toy & real-sized models

27 The Formalism: SD Fault Trees

28 The Formalism: SD Fault Trees

29 The Formalism: SD Fault Trees

30 The Formalism: SD Fault Trees

31 The Formalism: SD Fault Trees 9x10-4 5x10-3 8x10-3

32 Outline: 1) The formalism: static and dynamic fault trees 2) The algorithm: minimal cut set list decomposition 3) Experiments: on toy & real-sized models

33 The Algorithm: Static Fault Trees

34 The Algorithm: Static Fault Trees

35 The Algorithm: Static Fault Trees 9x10-4 Algorithm: 5x10-3 8x10-3 5x10-3 8x10-3

36 The Algorithm: Static Fault Trees 5x10-3 8x10-3 5x10-3 8x10-3 9x10-4 MCS: ac bd ad bc e Algorithm: 1. Find relevant minimal cut sets (MCS)

37 The Algorithm: Static Fault Trees 5x10-3 8x10-3 5x10-3 8x10-3 9x10-4 MCS: ac 2.5x10-5 bd 6.4x10-5 ad 4x10-5 bc 4x10-5 e 9x10-4 Algorithm: 1. Find relevant minimal cut sets (MCS) 2. Quantify the MCS

38 The Algorithm: Static Fault Trees 5x10-3 8x10-3 5x10-3 8x10-3 9x10-4 MCS: ac 2.5x10-5 bd 6.4x10-5 ad 4x10-5 bc 4x10-5 e 9x10-4 ALL: 1.069x10-3 Algorithm: 1. Find relevant minimal cut sets (MCS) 2. Quantify the MCS 3. Compute the overall probability of failure.

39 The Algorithm: SD Fault Trees

40 The Algorithm: SD Fault Trees

41 The Algorithm: SD FT 9x10-4 MCS: ac ad bc bd e 5x10-3 8x10-3 Algorithm: 1. Find relevant minimal cut sets (MCS)

42 The Algorithm: SD FT 9x10-4 MCS: ac 2.5x10-5 ad 5x10-3. mc(d) = 2.37x10-2 bc 8x10-3. mc(b) = 2.37x10-2 bd mc(b,d) = 2.828x10-4 e 9x10-4 5x10-3 8x10-3 Algorithm: 1. Find relevant minimal cut sets (MCS) 2. Quantify the MCS

43 The Algorithm: SD FT 9x10-4 MCS: ac 2.5x10-5 ad 5x10-3. mc(d) = 2.37x10-2 bc 8x10-3. mc(b) = 2.37x10-2 bd mc(b,d) = 2.828x10-4 e 9x10-4 ALL: 1.516x10-3 5x10-3 8x10-3 Algorithm: 1. Find relevant minimal cut sets (MCS) 2. Quantify the MCS 3. Compute the overall probability of failure.

44 The Algorithm: SD FT 9x10-4 MCS: ac 2.5x10-5 ad 5x10-3. mc(d) = 2.37x10-2 bc 8x10-3. mc(b) = 2.37x10-2 bd mc(b,d) = 2.828x10-4 e 9x10-4 ALL: 1.516x10-3 5x10-3 8x10-3 Algorithm: 1. Find relevant minimal cut sets (MCS) 2. Quantify the MCS 3. Compute the overall probability of failure.

45 The Algorithm: SD FT 9x10-4 MCS: ac 2.5x10-5 ad 5x10-3. mc(d) = 2.37x10-2 bc 8x10-3. mc(b) = 2.37x10-2 bd mc(b,d) = 2.828x10-4 e 9x10-4 ALL: 1.516x10-3 5x10-3 8x10-3 Algorithm: 1. Find relevant minimal cut sets (MCS) 2. Quantify the MCS 3. Compute the overall probability of failure.

46 The Algorithm: MCS Quantification Quantifying mc(b,d): 9x10-4 5x10-3 8x10-3

47 The Algorithm: MCS Quantification Quantifying mc(b,d): 1. Build a SD fault tree of the MCS 9x10-4 5x10-3 8x10-3

48 The Algorithm: MCS Quantification Quantifying mc(b,d): 1. Build a SD fault tree of the MCS 9x10-4 5x10-3 8x10-3

49 The Algorithm: MCS Quantification Quantifying mc(b,d): 1. Build a SD fault tree of the MCS 9x Translate the SD fault tree to its semantical CTMC II 5x10-3 8x10-3

50 The Algorithm: MCS Quantification Quantifying mc(b,d): 1. Build a SD fault tree of the MCS 9x Translate the SD fault tree to its semantical CTMC II 5x10-3 8x x Quantify the probability by transient analysis of the semantical CTMC

51 The Algorithm: MCS Quantification General model of a triggering gate g: 1. includes only dynamic BE from the MCS if g has static branching

52 The Algorithm: MCS Quantification General model of a triggering gate g: 1. includes only dynamic BE from the MCS if g has static branching 2. includes only dynamic BE below g if g has static joins

53 The Algorithm: MCS Quantification General model of a triggering gate g: 1. includes only dynamic BE from the MCS if g has static branching 2. includes only dynamic BE below g if g has static joins 3. includes the all BE below g otherwise.

54 The Algorithm: MCS Quantification Static branching: at most one child of any OR gate is dynamic Static joins: no child of any AND gate is dynamic A component has static branching for, e.g., 1. single dynamic BE; 2. arbitrarily many additional static BE; 3. redundant subcomponents; 4. nested triggering. A component has static joins for, e.g., 1. arbitrarily many dynamic subcomponents 2. as well as static; 3. can be combined into a sequence of redundant components.

55 Outline: 1) The formalism: static and dynamic fault trees 2) The algorithm: minimal cut set list decomposition 3) Experiments: on toy & real-sized models

56 Experiments: Can we really handle it? Experiments: 1. small realistically annotated tree only with static joins 2. industrial randomly annotated tree with static branching # # basic e. # gates # MCS

57 Experiments: Can we really handle it? Experiments: 1. small realistically annotated tree only with static joins 2. industrial randomly annotated tree with static branching RiskSpectrum (for finding MCSs) + PRISM (for analyzing MCS) # # basic e. # gates # MCS RiskSpectrum PRISM

58 Experiments: Can we really handle it? Experiments: 1. small realistically annotated tree only with static joins 2. industrial randomly annotated tree with static branching RiskSpectrum (for finding MCSs) + PRISM (for analyzing MCS) # # basic e. # gates # MCS RiskSpectrum PRISM < 1 s h 11min

59 Experiments: Can we really handle it? Experiments: 1. small realistically annotated tree only with static joins 2. industrial randomly annotated tree with static branching RiskSpectrum (for finding MCSs) + PRISM (for analyzing MCS) # # basic e. # gates # MCS RiskSpectrum PRISM < 1 s < 10 s h 11min 2m 12s

60 Experiments: Can we really handle it? Experiments: 1. small realistically annotated tree only with static joins 2. industrial randomly annotated tree with static branching RiskSpectrum (for finding MCSs) + PRISM (for analyzing MCS) # # basic e. # gates # MCS RiskSpectrum PRISM < 1 s < 10 s h 11min 2m 12s MCS sizes: Analysis time per size:

61 Summary

62 Summary 1. We allow timing for very large fault trees

63 Summary 1. We allow timing for very large fault trees 2. We show the boundaries of MCS decomposition

64 Summary 1. We allow timing for very large fault trees 2. We show the boundaries of MCS decomposition Future work Go beyond the restrictions of static branching/joins using analysis of incomplete Markov Chains Experiments with real large models (needs quite some effort)

65 Summary 1. We allow timing for very large fault trees 2. We show the boundaries of MCS decomposition Future work Go beyond the restrictions of static branching/joins using analysis of incomplete Markov Chains Experiments with real large models (needs quite some effort)

66 Current work beyond static-* Trigger in the SD fault tree of a MCS:

67 Current work beyond static-* Trigger in the SD fault tree of a MCS: Approximations: assume BEs with least impact fail at non-deterministic time (failure - a message in an open Interactive MC) Over: max over all schedulers Under: min over all schedulers

68 Current work beyond static-* Trigger in the SD fault tree of a MCS: Approximations: assume BEs with least impact fail at non-deterministic time (failure - a message in an open Interactive MC) Over: max over all schedulers Under: min over all schedulers

69 Current work beyond static-* Trigger in the SD fault tree of a MCS: Approximations: assume BEs with least impact fail at non-deterministic time (failure - a message in an open Interactive MC) Over: max over all schedulers Under: min over all schedulers Preliminary experiments: a small model hand-annotated without static joins/branching approximation: two significant digits in ca. 10 s; the full algorithm: never terminates

70 Summary 1. We allow timing for very large fault trees 2. We show the boundaries of MCS decomposition Future work Go beyond the restrictions of static branching/joins using analysis of incomplete Markov Chains Experiments with real large models (needs quite some effort) Thank you!

DEVELOPMENT OF AN ADVANCED FAULT TREE QUANTIFICATION ENGINE BASED ON BDD/ZBDD ALGORITHM

DEVELOPMENT OF AN ADVANCED FAULT TREE QUANTIFICATION ENGINE BASED ON BDD/ZBDD ALGORITHM Wei GAO 1, Qinfang ZHANG 1, Guofeng TANG 1 1 Shanghai Nuclear Engineering Research & Design Institute, Shanghai,