On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets
Ricardo J. Rodríguez (rj.rodriguez@unileon.es)
Research Institute of Applied Sciences in Cybersecurity, University of León, Spain
June 10, 2015. XXIII Jornadas de Concurrencia y Sistemas Distribuidos (JCSD 2015), Málaga (Spain)
To appear in IEEE Trans. on Systems, Man, and Cybernetics: Systems, doi: 10.1109/TSMC.2015.2437360
Agenda
  1. Introduction
  2. Definitions
  3. Model Transformation
  4. Fault Tree Analysis using P-Semiflows
  5. Case Study: A Pressure Tank System
  6. Related Work
  7. Conclusions and Future Work
R. J. Rodríguez, On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets, JCSD 2015
Introduction (I): Definition of Fault Tree
Fault Tree: event-driven failure logic
  Top Event: undesired state (at the root)
  Gates: describe the logic that relates events
  Event: of different kinds (next slide)
Coherent Fault Tree: logic restricted to AND/OR formulae
Introduction (II): A bit more on Fault Trees...
(Figure: graphical symbols for the AND gate, OR gate, TRANSFER IN, TRANSFER OUT, and the BASIC, CONDITIONING, EXTERNAL, UNDEVELOPED and INTERMEDIATE events)
AND / OR gates
Event types:
  Basic: component/human fault; failure and repair data available
  Conditioning: gate triggered by an event
  External (or house): normally expected to occur
  Undeveloped: not developed any further (e.g., no consequence, lack of data)
  Intermediate: middle/top event, generated by a combination of others
  Transfer: to divide large FTs into smaller ones, or to reduce duplication
Introduction (III): Fault Tree Analysis
Finds the combinations of events that lead to an undesired state
Top-down deductive analysis technique, from the early 60s
Used in safety and reliability engineering
(Minimal) Cut Sets
  Cut set: set of basic events whose occurrence causes the system to fail
  Minimal Cut Set: cannot be further reduced and still lead to the undesired state
(Minimal) Path Sets
  Path set: set of basic events whose nonoccurrence assures the nonoccurrence of the TE
  Minimal Path Set: cannot be further reduced and still assure the nonoccurrence of the TE
  MPS are the dual set of MCS
Introduction (IV): Recall the example...
Six path sets:
  PS1 = {E1, E2, E3, E4, E5}
  PS2 = {E1, E2, E3, E5, E6}
  PS3 = {E1, E2, E3, E5, E7}
  PS4 = {E1, E2, E3, E4, E5, E6}
  PS5 = {E1, E2, E3, E6}
  PS6 = {E1, E2, E3, E6, E7}
Not minimal! PS2 ⊃ PS5, PS4 ⊃ PS5 (or PS4 ⊃ PS1), PS6 ⊃ PS5
MPS: PS1, PS3, and PS5
Five MCS: MCS1 = {E1}, MCS2 = {E2}, MCS3 = {E3}, MCS4 = {E5, E6}, MCS5 = {E4, E6, E7}
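The cut-set and path-set computation that the slide performs by hand, as an added Python example (not code from the slides or from the PeabraiN tool). The fault tree is an assumption: the figure is not reproduced on the page, so the tree below is reconstructed so that its minimal cut sets and minimal path sets are exactly the five MCS and three MPS listed above. The example also applies the superset check behind the "Not minimal!" remark to the six path sets, and verifies the MCS/MPS duality (every cut set intersects every path set).

```python
# Added example (not from the slides): a coherent fault tree as nested AND/OR
# gates, with the bottom-up computation of minimal cut sets (MCS) and minimal
# path sets (MPS) and the superset check that the slide applies by hand.
# ASSUMPTION: the tree below is reconstructed so that its MCS/MPS equal the
# sets listed on the slide; the original figure is not reproduced on the page.
from itertools import product

# A node is a basic-event name (str) or a gate: ("AND" | "OR", [children]).
EXAMPLE_FT = ("OR", [
    "E1", "E2", "E3",
    ("AND", ["E6", ("OR", ["E5", ("AND", ["E4", "E7"])])]),
])


def proper_supersets(sets):
    """Pairs (big, small) with big a proper superset of small: the witnesses
    the slide lists when it says 'Not minimal! PS2 > PS5, ...'."""
    fam = {frozenset(s) for s in sets}
    return {(big, small) for big in fam for small in fam if small < big}


def minimize(sets):
    """Keep only the sets that are not a proper superset of another set."""
    fam = {frozenset(s) for s in sets}
    return {s for s in fam if not any(o < s for o in fam)}


def _minimal_sets(node, union_gate):
    """Generic bottom-up pass. At a `union_gate` any single child suffices, so
    the child families are merged; at the other gate type every child is
    needed, so one set is taken from each child and they are united."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind, children = node
    if kind not in ("AND", "OR"):
        raise ValueError(f"not a coherent gate: {kind}")
    child_families = [_minimal_sets(c, union_gate) for c in children]
    if kind == union_gate:
        result = set().union(*child_families)
    else:
        result = {frozenset().union(*combo) for combo in product(*child_families)}
    return minimize(result)


def minimal_cut_sets(ft):
    """MCS: an OR gate fails if any input fails, an AND gate only if all do."""
    return _minimal_sets(ft, union_gate="OR")


def minimal_path_sets(ft):
    """MPS (dual of MCS): an AND gate is blocked by blocking any one input,
    an OR gate only by blocking all of them."""
    return _minimal_sets(ft, union_gate="AND")


def is_dual(mcs, mps):
    """Every MCS must intersect every MPS (each MPS is a hitting set of the
    MCS family and vice versa); a disjoint pair means a family is wrong."""
    return all(c & p for c in mcs for p in mps)


if __name__ == "__main__":
    mcs, mps = minimal_cut_sets(EXAMPLE_FT), minimal_path_sets(EXAMPLE_FT)
    print("MCS:", sorted(sorted(s) for s in mcs))
    print("MPS:", sorted(sorted(s) for s in mps))
    print("dual families:", is_dual(mcs, mps))
```

Swapping the roles of AND and OR between `minimal_cut_sets` and `minimal_path_sets` is the whole content of "MPS are the dual set of MCS"; the same superset filter produces the minimal family in both cases. Note that this bottom-up expansion is exponential in the worst case, which is the cost the p-semiflow approach of the later slides avoids for the FT-SPN subclass.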
Introduction (V): Fault Tree Assessment
Qualitative analysis: extraction of MCS/MPS; enables a TE to be characterized by a logic formula
Quantitative analysis: for given data values, compute the occurrence probability of the TE
Contributions
  Computing the MCS/MPS of a FT is equivalent to computing the minimal p-semiflows of a Petri net obtained by model transformation
  Minimal p-semiflows are computable in polynomial time (for the subclass of PN obtained)
Definitions (I): Formally defining a coherent Fault Tree
Coherent fault tree F = ⟨E, G, G⁺, G·, T⟩, where:
  E, |E| ≥ 1: set of basic, undeveloped, or external events;
  G, |G| ≥ 1, G ∩ E = ∅: set of intermediate events;
  G⁺ : G × (E ∪ G) → {0, 1}: OR relationship between events;
  G· : G × (E ∪ G) → {0, 1}: AND relationship between events;
  T = {g}, g ∈ G: top event
Some notes...
  We denote G⁺, G· in matrix form, i.e., G⁺, G· ∈ {0, 1}^(|G| × (|E| + |G|))
  An event g ∈ G has non-null components in either G⁺ or G·, but not in both
  Self-feedback is not allowed in intermediate events
Definitions (II): On Petri nets
Petri nets
  A Petri net (PN) is a 4-tuple N = ⟨P, T, Pre, Post⟩, where P and T are disjoint non-empty sets of places and transitions, and Pre (Post) is the pre- (post-)incidence non-negative integer matrix of size |P| × |T|
  A Petri net system S = ⟨N, m0⟩ is a Petri net N with an initial marking m0
Reachability Set and Boundedness
  RS(N, m0): set of markings reachable from m0 in N
  A place p ∈ P is k-bounded if ∀m ∈ RS(N, m0), m(p) ≤ k
  A net system S is k-bounded if each place is k-bounded
  A net system is bounded if there is some k for which it is k-bounded
Definitions (IV): Identical and series places
  A place p is identical to a place p′ ≠ p if m0(p) = m0(p′), Pre(p, ·) = Pre(p′, ·), and Post(p, ·) = Post(p′, ·)
  Places p, p′ ≠ p are series places if Pre(p, ·) = Post(p′, ·)
P-Semiflows
  y ≥ 0 such that y·C = 0
  Token conservation law, independent of any firing of transitions
  Minimal p-semiflow: its support ‖y‖ = {i | y(i) ≠ 0} is not a proper superset of the support of any other p-semiflow, and the greatest common divisor of its elements is one
  Conservativeness: all places are covered by a p-semiflow
Definitions (V): Transition conflicts
  Structural conflict: •t ∩ •t′ ≠ ∅
  Effective conflict for a marking m: t, t′ in structural conflict and both enabled at m
Persistent net
  For any reachable marking m and for all transitions ti, tj, ti ≠ tj, enabled in m, the sequence ti, tj is firable from m
Structurally persistent net (SPN)
  When ⟨N, m0⟩ is persistent for all finite initial markings m0
  SPN are totally conflict-free, i.e., no pair of transitions is in structural or effective conflict. That is, ∀p ∈ P, |p•| ≤ 1
Model Transformation: from a FT to a SPN ⟨N, m0⟩
P in N is divided into three disjoint sets P_E, P_G, P_EG
Steps
  1. Transform every event e ∈ E
  2. Transform every event g ∈ G
  3. Transform gate connections (AND gate, OR gate)
  4. Remove t_g of place p_g, g = T
  5. Petri net reduction rules applied: (a) elimination of identical places, (b) fusion of series places
Resulting net: acyclic, bounded (∀t ∈ T, |•t| ≥ 1)
Fault Tree Analysis using P-Semiflows (I)
FT-SPN S_F = ⟨N, R, m0⟩ obtained by transformation
Theorem: An FT-SPN is conservative
Starting at the top event, we can reach the basic events recursively...
Fault Tree Analysis using P-Semiflows (II)
S_F = ⟨N, R, m0⟩ obtained by transformation of F = ⟨E, G, G⁺, G·, T⟩
Theorem: The set of places p ∈ P_E contained in the support of a minimal p-semiflow of N, representing events e ∈ E, defines a path set of F
Fault Tree Analysis using P-Semiflows (III)
Theorem: A minimal p-semiflow y of a FT-SPN, after applying the reduction rules, that includes p ∈ P_E in its support, i.e., p ∈ ‖y‖, can be computed by the following Linear Programming problem:
  maximize y(p)
  subject to y·C = 0, y·m0 = 1, y ≥ 0
Proof.
  Suppose that y = Σ_{i=1}^{n} α_i y_i, α_i > 0
  y·m0 = 1 ⇒ Σ_{i=1}^{n} α_i y_i·m0 = α_1 y_1·m0 + α_2 y_2·m0 + ... + α_n y_n·m0 = 1, α_i > 0
  m0(p) = 1, p ∈ P_E, and m0(p′) = 0, p′ ∈ P \ P_E ⇒ y_i·m0 = y_i(p), p ∈ P_E, p ∈ ‖y_i‖
  α_1 y_1(p) + α_2 y_2(p) + ... + α_n y_n(p) = 1, α_i > 0, where p ∈ P_E, p ∈ ‖y_i‖, i = 1...n
  ‖y‖ ⊃ ‖y_i‖ ⇒ y(p), for a given p ∈ P_E, is not maximum
Fault Tree Analysis using P-Semiflows (IV)
Corollary: The computation of the minimal cut sets and minimal path sets of a coherent Fault Tree is solvable in polynomial time.
Case Study: A Pressure Tank System (I)
(Figure: pressure tank system; components: relay K1, switch S1, relay K2, timer relay, pressure switch, pressure sense line, outlet valve, fuse, pump motor, reservoir, pump, pressure tank)
Event | Description
Top Event | Pressure tank rupture.
E1 | Pressure tank ruptures under load.
E2 | Tank ruptures due to improper installation.
G1 | Secondary failure of ruptured pressure tank.
E3 | Secondary failure of tank from some other out-of-tolerance conditions (e.g., mechanical, thermal).
G2 | K2 relay contacts remain closed for a time T > 60 seconds.
E4 | K2 relay contacts fail to open.
E5 | K2 relay secondary failure.
G3 | EMF to K2 relay coil for a time T > 60 seconds.
G4 | EMF remains on pressure switch (P/S) contacts when P/S contacts closed for a time T > 60 seconds.
G5 | P/S contacts closed, T > 60 seconds.
G6 | EMF through S1 switch contacts when P/S contacts closed, T > 60 seconds.
G7 | EMF through K1 relay contacts when P/S contacts closed, T > 60 seconds.
E6 | Pressure switch secondary failure.
E7 | Pressure switch contacts fail to open.
E8 | Excess pressure not sensed by pressure-activated switch.
E9 | S1 switch secondary failure.
E10 | S1 switch contacts fail to open.
E11 | External reset activation force remains on switch S1.
E12 | K1 relay contacts fail to open.
E13 | K1 relay secondary failure.
G8 | Timer relay contacts fail to open when P/S contacts closed, T > 60 seconds.
E14 | Timer does not time out due to improper setting installation.
E15 | Timer relay contacts fail to open.
E16 | Timer relay secondary failure.
Case Study: A Pressure Tank System (II)
Place p | Minimal p-semiflow | MCS
p_E1 | y1 = {p_TopEvent, p_E1} | {E1}
p_E2 | y2 = {p_TopEvent, p_E2} | {E2}
p_E3 | y3 = {p_TopEvent, p_G1, p_E3} | {E3}
p_E4 | y4 = {p_TopEvent, p_G1, p_G2, p_E4} | {E4}
p_E5 | y5 = {p_TopEvent, p_G1, p_G2, p_E5} | {E5}
p_E6 | y6 = {p_TopEvent, p_G1, p_G2, p_G3, p_G4, p_G5, p_E6, p_G6, p_E9} | {E6, E9}
p_E7 | y7 = {p_TopEvent, p_G1, p_G2, p_G3, p_G4, p_G5, p_E7, p_G6, p_E9} | {E7, E9}
p_E8 | y8 = {p_TopEvent, p_G1, p_G2, p_G3, p_G4, p_G5, p_E8, p_G6, p_E9} | {E8, E9}
p_E9 | y9 = y6 | {E6, E9}
p_E10 | y10 = {p_TopEvent, p_G1, p_G2, p_G3, p_G4, p_G5, p_E6, p_G6, p_E10} | {E6, E10}
p_E11 | y11 = {p_TopEvent, p_G1, p_G2, p_G3, p_G4, p_G5, p_E6, p_G6, p_E11} | {E6, E11}
p_E12 | y12 = {p_TopEvent, p_G1, p_G2, p_G3, p_G4, p_G5, p_E6, p_G7, p_E12} | {E6, E12}
p_E13 | y13 = {p_TopEvent, p_G1, p_G2, p_G3, p_G4, p_G5, p_E6, p_G7, p_E13} | {E6, E13}
p_E14 | y14 = {p_TopEvent, p_G1, p_G2, p_G3, p_G4, p_G5, p_E6, p_G7, p_E14} | {E6, E14}
p_E15 | y15 = {p_TopEvent, p_G1, p_G2, p_G3, p_G4, p_G5, p_E6, p_G7, p_E15} | {E6, E15}
p_E16 | y16 = {p_TopEvent, p_G1, p_G2, p_G3, p_G4, p_G5, p_E6, p_G7, p_E16} | {E6, E16}
Minimal p-semiflows of the reduced net (identical places fused into one):
  y′1 = {p_TopEvent, p_G1, p_G2, p_G3, p_G4, p_G5, p_E6E7E8, p_G6, p_E9E10E11}
  y′2 = {p_TopEvent, p_G1, p_G2, p_G3, p_G4, p_G5, p_E6E7E8, p_G7, p_G8, p_E14E15E16}
  y′3 = {p_TopEvent, p_G1, p_G2, p_G3, p_G4, p_G5, p_E6E7E8, p_G7, p_E12E13}
  y′4 = {p_TopEvent, p_G1, p_G2, p_E4E5}
  y′5 = {p_TopEvent, p_G1, p_E3}
  y′6 = {p_TopEvent, p_E1E2}
Resulting 29 MCS:
  MCS1 = {E6, E9}, MCS2 = {E6, E10}, MCS3 = {E6, E11}, MCS4 = {E7, E9}, MCS5 = {E7, E10}, MCS6 = {E7, E11}, MCS7 = {E8, E9}, MCS8 = {E8, E10}, MCS9 = {E8, E11},
  MCS10 = {E6, E14}, MCS11 = {E6, E15}, MCS12 = {E6, E16}, MCS13 = {E7, E14}, MCS14 = {E7, E15}, MCS15 = {E7, E16}, MCS16 = {E8, E14}, MCS17 = {E8, E15}, MCS18 = {E8, E16},
  MCS19 = {E6, E12}, MCS20 = {E6, E13}, MCS21 = {E7, E12}, MCS22 = {E7, E13}, MCS23 = {E8, E12}, MCS24 = {E8, E13},
  MCS25 = {E4}, MCS26 = {E5}, MCS27 = {E3}, MCS28 = {E1}, MCS29 = {E2}
TE occurrence formula: TE = ⋁_{i=1}^{29} MCS_i
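The model transformation, the conservativeness theorem and the case-study table above, carried through end to end as an added Python example (not the paper's code and not the PeabraiN module). Two things are assumptions: the gate encoding (an OR gate becomes one transition that consumes from every input place; an AND gate becomes one transition per input; every basic-event place starts with one token) is our reading of the transformation figures, which are not reproduced on the page; and the pressure-tank tree is reconstructed from the event table and the p-semiflow table, with a hypothetical gate named G4_OR for the "G6 or G7" branch that the slides do not name. The minimal p-semiflows are enumerated directly from the incidence matrix by column elimination rather than through the LP of the theorem, and the MCS are read off their supports restricted to P_E.

```python
# Added example (not the paper's code nor the PeabraiN module): build the
# Petri net that the slides' model transformation yields for a coherent fault
# tree, enumerate its minimal p-semiflows from the incidence matrix, and read
# the MCS off their supports restricted to P_E.
# ASSUMPTIONS: (1) the gate encoding (OR gate -> one transition consuming all
# its inputs; AND gate -> one transition per input) is our reading of the
# transformation, whose figures are not reproduced on the page; (2) the
# pressure-tank tree is reconstructed from the event and p-semiflow tables on
# the case-study slides, with a hypothetical gate G4_OR for the "G6 or G7"
# branch, which the slides do not name.
from functools import reduce
from math import gcd

TANK_FT = {
    "TE": ("OR", ["E1", "E2", "G1"]),
    "G1": ("OR", ["E3", "G2"]),
    "G2": ("OR", ["E4", "E5", "G3"]),
    "G3": ("OR", ["G4"]),
    "G4": ("AND", ["G5", "G4_OR"]),
    "G4_OR": ("OR", ["G6", "G7"]),        # hypothetical, unnamed on the slides
    "G5": ("OR", ["E6", "E7", "E8"]),
    "G6": ("OR", ["E9", "E10", "E11"]),
    "G7": ("OR", ["E12", "E13", "G8"]),
    "G8": ("OR", ["E14", "E15", "E16"]),
}


def build_net(ft):
    """Places: one per gate (P_G) and one per basic event (P_E). Returns
    (places, transitions, Pre, Post, m0) with matrices as place-indexed rows."""
    gates = list(ft)
    events = sorted({c for _, kids in ft.values() for c in kids if c not in ft},
                    key=lambda e: int(e[1:]))
    places = gates + events
    idx = {p: i for i, p in enumerate(places)}
    transitions, arcs = [], []            # arcs[j] = (input places, output place)
    for g, (kind, kids) in ft.items():
        if kind == "OR":                  # one transition fed by every input
            transitions.append(f"t_{g}"); arcs.append((kids, g))
        elif kind == "AND":               # one transition per input
            for k in kids:
                transitions.append(f"t_{g}_{k}"); arcs.append(([k], g))
        else:
            raise ValueError(f"not a coherent gate: {kind}")
    pre = [[0] * len(transitions) for _ in places]
    post = [[0] * len(transitions) for _ in places]
    for j, (ins, out) in enumerate(arcs):
        for p in ins:
            pre[idx[p]][j] = 1
        post[idx[out]][j] = 1
    m0 = [1 if p in events else 0 for p in places]   # m0 = 1 on P_E, 0 elsewhere
    return places, transitions, pre, post, m0


def is_structurally_persistent(pre):
    """Total conflict-freeness: every place has at most one output transition."""
    return all(sum(row) <= 1 for row in pre)


def minimal_p_semiflows(pre, post):
    """Minimal non-negative integer y with y.C = 0, C = Post - Pre. Classical
    row-combination elimination: each row is [C-part | y-part]; eliminating
    transition column j combines every positive row with every negative row
    using positive multipliers, so the y-part stays non-negative."""
    n_p, n_t = len(pre), len(pre[0])
    rows = [[post[i][j] - pre[i][j] for j in range(n_t)]
            + [int(i == k) for k in range(n_p)] for i in range(n_p)]
    for j in range(n_t):
        pos = [r for r in rows if r[j] > 0]
        neg = [r for r in rows if r[j] < 0]
        rows = [r for r in rows if r[j] == 0]
        rows += [[-n[j] * a + p[j] * b for a, b in zip(p, n)] for p in pos for n in neg]
    ys = set()
    for r in rows:
        y = r[n_t:]
        g = reduce(gcd, y)
        ys.add(tuple(v // g for v in y))  # gcd of the elements becomes one
    supp = {y: frozenset(i for i, v in enumerate(y) if v) for y in ys}
    # keep only the minimal supports
    return sorted(y for y, s in supp.items() if not any(o < s for o in supp.values()))


def is_conservative(semiflows, n_places):
    """Conservativeness: every place is covered by some p-semiflow."""
    return all(any(y[i] for y in semiflows) for i in range(n_places))


def identical_place_classes(places, pre, post, m0):
    """Reduction rule (a): places with the same m0, Pre row and Post row."""
    groups = {}
    for i, p in enumerate(places):
        groups.setdefault((m0[i], tuple(pre[i]), tuple(post[i])), []).append(p)
    return {frozenset(g) for g in groups.values() if len(g) > 1}


def mcs_from_semiflows(places, semiflows, m0):
    """Project each support onto P_E (the places with m0 = 1)."""
    return {frozenset(places[i] for i, v in enumerate(y) if v and m0[i]) for y in semiflows}


if __name__ == "__main__":
    places, transitions, pre, post, m0 = build_net(TANK_FT)
    ys = minimal_p_semiflows(pre, post)
    print(len(places), "places,", len(transitions), "transitions,", len(ys), "minimal p-semiflows")
    for s in sorted(mcs_from_semiflows(places, ys, m0), key=sorted):
        print("MCS", sorted(s, key=lambda e: int(e[1:])))
```

With this encoding the net has one output transition per place, which is the structural persistence condition of Definitions (V), and the basic-event places that feed the same OR transition (E6, E7, E8; E9, E10, E11; E12, E13; E14, E15, E16; E4, E5; E1, E2) come out as identical places, which is exactly the fusion visible in y′1 to y′6 above. The elimination visits each transition column once, so on this acyclic, conflict-free net the number of intermediate rows never exceeds the final number of semiflows; that is where the polynomial behaviour claimed for the FT-SPN subclass comes from, whereas the same routine can blow up on a net with conflicts.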
Related Work
  Computation of MCS/MPS is an NP-hard problem (in general)
  Two main approaches, depending on how the FT is analyzed: top-down and bottom-up (MOCUS, CARA, DICOMICS, FATRAM, MICSUP...)
  Other model transformations:
    To Coloured PNs, or Reverse PNs: reachability graph, reachable markings; NP-hard problem, with exponential space requirements
    To Reliability Block Diagrams
    To BDDs: their computation may fail and does not avoid the exponential problem
Conclusions
  Computation of MCS/MPS of a coherent Fault Tree performed in linear time, by model transformation into a Petri net
  Constraints applied: logic restricted to AND/OR formulae; only basic, undeveloped, external, and intermediate events considered
Future work
  Implemented as a module of the PeabraiN tool (done!)
  Better characterize the coherent FTs whose MCS/MPS are solvable in polynomial time
  Compare to existing approaches
  Do the maths to avoid the model transformation