B.H. Far

Transcription

1 SENG 521 Software Reliability & Software Quality Chapter 8: System Reliability Department of Electrical & Computer Engineering, University of Calgary B.H. Far 1

2 Contents System reliability Reliability Block Diagram (RBD) Serial and parallel configuration Active redundancy Hazard analysis: FMEA, FTA 2

3 Dependability Models Dependability models capture conditions that make a system fail in terms of the structural relationships between the system components Dependability models Reliability Graph Fault Tree model Reliability Block Diagram far@ucalgary.ca 3

4 System Reliability /1 A system usually consists of components. Each component consists of sub-components. Components may have Different reliability Different dependencies among each other System reliability is a function of the reliabilities of the (sub-) components and of the relationships between the components. far@ucalgary.ca 4

5 Reliability Block Diagram (RBD) Reliability Block Diagram (RBD) is a graphical representation of how the components of a system are connected from reliability ypoint of view. Reliability of the system is derived in terms of reliabilities of its individual components The most common configurations of an RBD are the series and parallel configurations. A system is usually composed of combinations i of serial and parallel configurations. RBD analysis is essential for determining reliability, availability and down time of the system. far@ucalgary.ca 5

6 Reliability Block Diagram (RBD) In a serial ilsystem configuration, i the elements must all work for the system to work and the system fails if one of the components fails. The overall reliability of a serial system is lower than the reliability of its individual id components. In parallel configuration, the components are considered to be redundant and the system will still cease to work if all the parallel components fail. The overall reliability of a parallel system is higher than the reliability of its individual components. far@ucalgary.ca 6

7 RBD Example: Storage /1 host bus adapter (HBA) COPYRIGHT: DELL 7

8 RBD Example: Storage /2 host bus adapter (HBA) COPYRIGHT: DELL 8

9 RBD: Process Steps 1. Define boundary of the system for analysis 2. Break system into functional components 3. Determine serial-parallel combinations 4. Represent each components as a separate block in the diagram 5. Draw lines connecting the blocks in a logical order for mission success far@ucalgary.ca 9

10 Serial System Reliability /1 No redundancy d ALL component of the system are needed to make the system function properly If any one of the components fails, the system fails Example diagram m block d System Power Unit CPU Hard Drive GPU far@ucalgary.ca 10

11 Serial System Reliability /2 Reliability Block Diagram System is composed of n independent serially connected tdcomponents. Failure of any component has a cross system effect, i.e., results in failure of the whole system. Example... R 1 / 1 R 2 / 2 Power Unit R1 /1/ CPU R2 /2 Hard Drive R3 /3 GPU R4 /4 far@ucalgary.ca 11

12 Combining Reliabilities Serial system reliability can be calculated from component reliabilities, if the components fail independently of each other. For serial systems: Q p Q p Qp number of components R R and k 1 k k 1 k Rk component reliability Components reliabilities (Rk) must be expressed with respect to a common interval. A serial system has always smaller reliability than its components (because Rk 1). far@ucalgary.ca 12

13 Example: Serial System The system is composed of 3 independent serially connected components R1 = 0.95 R2 = R3 = 0.82 Note: all Rs must be given for a common duration, e.g., 10 hours of operation. Rsystem = = Serial system reliability is smaller than any individual reliability of the components far@ucalgary.ca 13

14 Parallel System Reliability /1 System with Redundancy d Only ONE out of N (identical) components is needed to make the system function properly If ALL of the components fail, the system fails Example System block diagram Server 1 Server 2 far@ucalgary.ca 14

15 Parallel System Reliability /2 System is composed of n independent components connected in parallel. Failure of all components results in the failure of the whole system (principle of active redundancy). Q p unreliability F F k 1 p p p 1 k 1 1 k k Q Q Q R F R and 1 1 k1 k1 k 1 k R 1 /1 R 2 /2... far@ucalgary.ca 15

16 Parallel System Example The system is composed of 2 identical servers connected in parallel R1 = R2 = Server 1 Rs1 /s1 Server 2 Rsystem = 1 (( ) Rs2 /s2 ( )) = Parallel system reliability is greater than any individual reliability of the components far@ucalgary.ca 16

17 Sequential System Reliability When one component fails, the next one is assigned to fulfill the job (e.g., telephone switching circuits) This is done in sequence until no components left Reliability for such system: C 1 C 2 C i R sys (t) n1 i λ t i λ t i! i 0 e i C n far@ucalgary.ca 17

18 Mixed System Reliability /1 System with Redundancy d Only ONE out of N set of components is needed to make the system function properly If ALL sets of components fail, the system fails Example System block diagram Power Unit Processor GPU Power Unit Processor GPU far@ucalgary.ca 18

19 Mixed System Example Reliability Block Diagram Server 1 Rs1 /s1 System level Component level Power Unit R1 /1 Server 2 Rs2 /s2/ Processor R2 /2 GPU R3 /3 Power Unit Processor GPU R R1 /1 R R2 /2 R R3 /3 far@ucalgary.ca 19

20 Parallel-Series System R 11 R 12 R 1j R 1n path R 21 R 22 R 2j R 2n R i1 R i2 R ij R in R m1 R m2 R mj R mn n Path reliability Ri Rij j1 System reliability R m 1 (1-R i) 1 i 1 m i 1 (1- n j 1 R ij) far@ucalgary.ca 20

21 Various Configurations /3 Series-Parallel configuration Power Unit 1 Processor 1 GPU 1 Bus 1 Bus 2 Power Unit 2 Processor 2 GPU 2 far@ucalgary.ca 21

22 Various Configurations /4 Reliability Block Diagram for Series-Parallel configuration Power Unit Processor GPU R1 /1 R2 /2 R3 /3 Power Unit Processor GPU R1 /1 R2 /2 R3 /3 22

23 Series-Parallel System R 11 R 12 R 1j R 1n R 21 R 22 R 2j R 2n R i1 R i2 R ij R in R m1 R m2 R mj R mn subsystem Subsystem reliability R System reliability R j 1 m i1 (1-R ij) n n m R j 1 j1 1 i j (1-Rij) j 1 far@ucalgary.ca 23

24 Other Constructs One-way bridge Two-way bridge 24

25 Active Redundancy Employs parallel lsystems. All components are active at the same time. Each component is able to meet the functional requirements of the system. Only one component is required to meet the functional requirements of the system. Each component satisfies the minimum reliability condition i for the system. System only fails if all components fail. far@ucalgary.ca 25

26 m out of n System System has n components. At least m components need to work correctly for the system to function properly (m n). m=n: serial system m=1: parallel system e.g.: airplane with 4 engines can fly with only 2 engines. R 1 R 2 R i R n m/n Assumption: All components R have the same reliability. sys (t) 1 m1 i0 n R(t) i i (1 R(t)) n i n i n! i! (n i)! far@ucalgary.ca 26

27 Example: Bicycle Can you find any redundancy? Handle? Saddle? Frame? Brake? Gear? Wheel? Wheel spokes? SENG521 (Winter 2008) 27

28 RBD: Example /1 Possible single point of failure (SPF) 28

29 RBD: Example /2 Possible over redundancy 29

30 SPF: How to Avoid? Adopt redundancy d Use dissimilar i il methods consider common-cause vulnerability Adopt a fundamental design change Use equipment which is extremely reliable/robust Perform frequent Preventive Maintenance/ Replacement repair before failure happens Reduce or eliminate service and/or environmental stresses extreme stress leads to failure far@ucalgary.ca 30

31 Example 1 In reliability prediction for an assembled system we usually use a bottoms-up approach by estimating the failure rate for each subsystem and then combining the failure rates for the entire assembly. The following figure illustrates a system in which the subsystems A, B, C, and D are in a serial configuration. Each subsystem is composed of several parts which h are connected as serial or parallel l as shown. far@ucalgary.ca 31

32 Example 1 (cont d) The failure rates of serial parts 1, 2, and 3 are 0.1, 0.3, and 0.5 per hour, respectively. Determine the failure rate and MTTF for subsystem A. A failures per hour A MTTF A hours 0.9 far@ucalgary.ca 32

33 Example 1 (cont d) The failure rates of parallel parts 4, 5, and 6 in subsystem B are 0.2, 0.4, and 0.25 per hour, respectively. Determine the failure rate and MTTF for subsystem B. B R e t 1 (1 R )(1 R )(1 R ) B B RB Bt (1 )(1 )(1 ) R e e e e B e t = failures per hour B MTTF B 1 B hours far@ucalgary.ca 33

34 Example 1 (cont d) The failure rate of parallel parts 7 is constant and is 0.2 per hour. Determine the failure rate and MTTF for subsystem C in which at least 2 out of 3 items must be working. m1 n i ni 0.2 R C 1 R 7 1 R 7 R 7 e i0 i R 1 R (1 R R (1 R 1 (1 R 3 R (1 R C 7 7) 7 7) 7) 7 7) 0 1 R C t RC e =1.004 C failures per hour 1 MTTF C hours ( ) ( ) = C far@ucalgary.ca 34

35 Example 1 (cont d) The failure rates of parallel lparts 8 and d9i in subsystem D are 0.25 and 0.2 per hour, respectively. Determine the failure rate and MTTF for subsystem D. R e 1 (1 R )(1 R ) D Dt 8 9 t D R e 1 (1 e )(1 e ) R D D Dt e = D 0409 failures per hour 1 MTTFD hours D far@ucalgary.ca 35

36 Example 1 (cont d) Determine the overall failure rate and MTTF for the whole system. system A B C D system failures per hour MTTF system 1 system hours far@ucalgary.ca 36

37 Example 2 The fastening of two mechanical parts in an automobile brake system should ldbe reliable. It is E3 E1 done by means of two flanges E2 which h are pressed together with 4 E4 bolt and nut pairs E1 to E4 placed 90 degrees to each other. Experience shows that the fastening hld holds when at least one bl bolt and nut pair located opposite to each other work, i.e., (E1 and E2) or (E3 and E4) far@ucalgary.ca 37

38 Example 2 (cont d) a) Draw the reliability block diagram (RBD) for this fixation of the system. far@ucalgary.ca 38

39 Example 2 (cont d) b) Compute reliability of the fixation described in (a) () if all bolt and nut pairs have the reliability of R=0.90 for 50K miles of operation. R1 = R2 = = 0.81 Rsystem = 1 (1 R1) (1 R2) = 1 (1 0.81) )(1 0.81) = far@ucalgary.ca 39

40 Example 2 (cont d) c) Name the redundancy type if any pair of bolts and nuts were sufficient for the required brake function. Two-out-of-four f redundancy. d far@ucalgary.ca 40

41 Example 2 (cont d) d) Compute reliability for case (c) if all bolt and nut pairs have the reliability of R=0.90 for 50K miles of operation. R e) What can be concluded? far@ucalgary.ca 41

42 RBD: When and How When to use RBD? When reliability of a complex system must be calculated and the reliability-wise weaknesses of the system must be identified. How to use RBD? Draw the RDB diagram. sometimes not that simple! Calculate the system reliability using the RBD diagram. Perform calculation such as availability and downtime. There are a number of automated tools, integrated with the other methods, such as Fault Tree Analysis (FTA), to generate the diagram and to analyze it. far@ucalgary.ca 42

43 RBD: Benefits & Limitations RBD is the simplest way of visualizing i the reliability of the complex systems. The benefits of the RBD are: Establishes reliability goals; Evaluates component failure impact on overall system safety; Provides a basis for what if analysis; Allocates component reliability by calculating system MTBF; Provides cost savings in large system trouble-shooting; Estimates system reliability; Analyzes various system configurations in trade- off studies; Identifies potential design problems; Determines system sensitivity to component failures Disadvantages are that some complex constructs, such as standby, branching and dload sharing, etc., cannot tbe clearly l represented using the traditional RBD constructs. far@ucalgary.ca 43

44 RBD: Conclusion Restricting assumptions: Statistical independence Failures independence Repairs independence d far@ucalgary.ca 44

45 Hazard Analysis A common mistake in engineering, is to put too much confidence in software. There seems to be a feeling among non-software professionals that software will not or cannot fail, which leads to complacency and over reliance on computer functions. Nancy G. Leveson Leveson, N.G., Safeware System Safety and Computers, Addison-Wesley, far@ucalgary.ca 45

46 Hazard Analysis Goal Identify events that may eventually lead to accidents Determine impact on system Techniques FMEA: Failure Modes and Effects Analysis FMECA: Failure Modes, Effects and Criticality Analysis ETA: Event Tree Analysis FTA: Fault Tree Analysis HAZOP: HAZard and OPerability studies 46

47 FMEA FMEA is a technique to identify and prioritize how systems fail, and identify the effects of failure. FMEA is used when Designing products or processes, to identify and avoid failure-prone designs. Investigating why existing systems have failed and to identify possible causes. Investigating possible solutions, to help select one with an acceptable risk. Planning actions, in order to identify risks in the plan and hence identify countermeasures. far@ucalgary.ca 47

48 FMEA Questions Identification: How ( i.e., in what ways) can this element fail (failure modes)? Ramification: What will happen to the system and its environment if this element does fail in each of the ways available to it (failure effects)? Prevention: What needs to be done to prevent or mitigate the problem? far@ucalgary.ca 48

49 FMEA: How to /1 Interface matrix C t Reflects how components of the system are connected & function together Example: Range hood Comp ponents Components far@ucalgary.ca 49

50 FMEA: How to /2 50

51 FMEA Template Sample FMEA template N o Part Name Part tno. Function Failure Mode Mechanisms &C Causes of. Failure 1 Position Receive Loose Wear and Controller a cable tear demand connection Operator position Incorrect error demand signal Effect(s) Current P.R.A. Recommended of ffailure Control Corrective P S D R Action Motor fails to move Position controller breakdown in a long-run Replace faulty wire QC checked Intensive training for operators. Action Tk Taken P = Probabilities (chance) of occurrences S = Seriousness (impact) of failure D = Likelihood that the defect will reach the customer R = Risk priority measure (P x S x D) 1 = very low or none 2 = low or minor 3 = moderate or significant 4 = high 5 = very high or catastrophic far@ucalgary.ca 51

52 FMEA: When? FMEA cannot be done until design has proceeded to the point that system elements have been selected at the level the analysis is to explore in software system after software architecture is finalized (requirement volatility kills FMEA!) FMEA can be done anytime in the system lifetime, from initial design onward 52

53 FMEA: Usage Industries that frequently use FMEA: Consumer products: toys/home appliances/home electronics Automotive industry Aero/space: Boeing, NASA Df Defence id industry: DoDD Process industries, e.g., oil and gas, chemical plants industrial control systems Software industry? not popular p yet far@ucalgary.ca 53

54 FMEA: Summary Mthdf Method: from known or predicted dfailure modes of components, determine possible effects on system Good for hazard identification early in development, by considering possible failures of system functions: loss of function (omission failure) function performed incorrectly function performed when not required (commission failure) No good for concurrent multiple failures No good when requirements change 54

55 Fault Tree Analysis (FTA) Fault tree analysis is a graphical representation of the major faults or critical failures associated with a product, the causes for the faults, and potential countermeasures. FTA helps identify areas of concern for new system design or for improvement of existing systems. It also helps identify corrective actions to correct or mitigate problems. FTA can also be defined as a graphic model of the pathways within a system that can lead to a foreseeable, undesirable event. The pathways interconnect contributory events and conditions, using standard logic symbols. Fault tree analysis is useful both in designing new systems, products or services or in dealing with identified problems in existing products/services. As part of process improvement, it can be used to help identify root causes of trouble and to design remedies and countermeasures. far@ucalgary.ca 55

56 How to Use FTA? 1. Select a component for analysis. Draw a box at the top of the diagram and list the component inside. 2. Identify critical failures or faults related to the component. Using Failure Mode and Effect Analysis is a good way to identify faults during quality planning. For quality improvement, faults may be identified through Brainstorming or as the output of Cause and Effect Analysis. 3. Identify causes for each fault. List all applicable causes for faults in ovals below the fault. Connect the ovals to the appropriate fault box. 4. Work toward a root cause. Continue identifying causes for each fault until you reach a root or controllable cause. 5. Identify countermeasures for each root cause. Use Brainstorming or a modified version of Force Field Analysis to develop actions to counteract the root cause of each critical failure. Create boxes for each countermeasure, draw the boxes below the appropriate root cause, and link the counter measure and cause. far@ucalgary.ca 56

57 Steps in FTA FMEA (Failure Modes and Effects Analysis) dt determines the failure fil modes that are likely to cause failure events. Then it determines what single or multiple point failures could produce those top level events. FMEA asks the question, What can go wrong? even if the product meets specification. In order to perform FTA one first needs to perform FMEA. 57

58 FTA: Example 1 Tank overflow AND Inlet valve B Outlet valve closed Inlet valve fails Inlet open OR Wrong control to inlet valve OR Controller Sensor X Y Outlet valve A Controller fails Sensor X fails AND Sensor Y fails far@ucalgary.ca 58

59 FTA: Example 2 far@ucalgary.ca 59

60 FTA: Benefits & Limitations Benefits: Producing meaningful data for evaluation and improvement of the overall reliability of the system. Evaluating effectiveness of and need for redundancy. Limitation: Undesired event evaluated must be foreseen and all significant contributors to the failure must be anticipated. This effort may be very time consuming and expensive. Overall success of the process depends on the skill of the analyst involved. 60

61 FTA: Summary Mthd Method: trace faults stepwise back through hsystem design to possible causes atreewithatop a top event at the root logic gates at branches, linking each event with its immediate causes initiating faults at leaves (eventually) Good for tracing system hazards to component failures, and allocating safety requirements Good for systems with multiple failures Good dfor checking completeness of safety requirements Can be difficult, time-consuming, hard to maintain far@ucalgary.ca 61

62 62