Fault Trees Atomic Formalism

From Mobius Wiki
Jump to: navigation, search

Fault Trees

Möbius also supports a fault tree formalism for analyzing system reliability. Although originally developed in the 1960’s to model the unreliability of the Minuteman missile system, fault trees have been extended to model computer systems as well[1]. Component failures are modeled as leaves of a tree, with system failure as the root. Component failures are connected by a series of logic gates representing the relationships between failures in the real system. By doing so, we can analyze the relationships between component failures, and the total system failure as well.

Typically, fault trees can be categorized as either static or dynamic. Static fault trees use logic gates to establish relationships between component failures, but suffer from the fact that they cannot model sequential relationships between failures. Dynamic fault trees, on the other hand, can model sequential failures between components[2]. In Möbius, the fault tree formalism includes all of the features of static fault trees, but only a subset of the features of dynamic fault trees. An example of a fault tree that uses both static and dynamic components is in <xr id="fig:atomic_fault_tree_editor" />.


<figure id="fig:atomic_fault_tree_editor">

Atomic fault tree editor.png


<xr id="fig:atomic_fault_tree_editor" nolink />: Example fault tree.
</figure>


Fault tree primitives

Fault trees consist of three primitives: nodes, events, and logic gates. Nodes represent the highest level performance we are trying to analyze, or the highest level of any submodel we are trying to analyze. Events describe when failures occur and how they affect others, while logic gates are used to connect failure events in a logical manner.


Nodes     Nodes are analogous to the places in SANs. In fault trees, nodes represent failure states of the modelled system, whether at the highest level (the root) or at any intermediate level of the tree. In either case, a node with value greater than zero represents a submodel that has failed.


Events     Events represent failures of components in a system. They are similar to timed activities in SANs and support the distributions described in Section 1.2.5.


Logic Gates     Logic gates perform the work in a fault tree. They represent the connections between component failures and describe how submodels interact. Logic gates fall into two categories: static or dynamic. The fault tree formalism supports the And, Or, Xor, and K-of-N static logic gates and the Priority AND dynamic logic gate.

Editor

This section covers the fault tree editor, including the creating and modification of fault tree primitives. Most of the editor is the same as for SANs, so refer to Section 2 for information on how to create and open fault tree models and Section 3.1 for details on common editor features.

Edit

The fault tree formalism has no unique features in the Edit menu. All functions are the same as those described in Section 3.1.

View

The fault tree formalism has no unique features in the View menu. All functions are the same as those described in Section 3.1.

Element

Elements are fault tree model primitives. They include the common primitives of cursor, text block, straight connection, connected line, and spline curve. More information about the connections, lines, and text boxes can be found in the “Arcs and lines” and “Text boxes” sections below.

In addition, they include the following fault-tree-specific elements:

  • Node, represented by smaller blue circles.
  • Event, represented by larger red circles.
  • And Gate, represented by a blue AND symbol.
  • Or Gate, represented by a blue OR symbol.
  • Xor Gate, represented by a blue XOR symbol.
  • K-of-N Gate, represented by a blue XOR symbol, with a white number in the middle representing the value of K.
  • Priority AND Gate, represented by a blue Priority AND symbol.


Fault tree model elements can be selected from the Elements menu or by clicking on the appropriate icon. In either case, the element is placed on the model by clicking the left mouse button. After doing so, an element-specific dialog will appear to enable modification of the default parameters. As in all Möbius atomic formalisms, names must be globally unique.


Basic Static Logic Gates

The basic logic gates including and, or, and xor have a common dialog box similar to <xr id="fig:atomic_fault_tree_basic" />.


<figure id="fig:atomic_fault_tree_basic">

Atomic fault tree basic.png


<xr id="fig:atomic_fault_tree_basic" nolink />: Basic fault tree logic gate.
</figure>


  • The Name text box allows you to modify the name, provided the new name is globally unique in the model. An error box will appear if it is not.
  • The OK button accepts changes to the element and returns to the Fault Tree editor. If there are any errors, an error message will appear.
  • The Cancel button disregards any changes you have made to the element and returns you to the Fault Tree editor.


Advanced Static Logic Gates

In addition to the basic static logic gates just seen in the previous section, the fault tree atomic formalism supports the K-of-N logic gate. For K-of-N logic gates, the output of the gate is active only if at least K of its inputs are active. For example, a four-input K-of-N gate with K = 2 would only be active if at least half of its inputs were active. The dialog to modify a K-of-N gate is shown in <xr id="fig:atomic_fault_tree_kofn" />.


<figure id="fig:atomic_fault_tree_kofn">

Atomic fault tree kofn.png


<xr id="fig:atomic_fault_tree_kofn" nolink />: K-of-N attribute dialog box.
</figure>


  • The Name text box allows you to modify the name, provided the new name is globally unique in the model. An error box will appear if it is not.
  • The K Value text box allows you to modify the value of K for the logic gate. Acceptable values range from 0 to N, where N is the number of inputs to the gate.
  • The Cancel button disregards any changes you have made to the element and returns you to the fault tree editor.


Dynamic Logic Gates

The Möbius fault tree formalism supports the Priority AND logic gate. With a Priority AND gate, the output is only active if the inputs become active in a particular order defined by the user. This order can be changed by the dialog box in <xr id="fig:atomic_fault_tree_priority" />.


<figure id="fig:atomic_fault_tree_priority">

Atomic fault tree priority.png


<xr id="fig:atomic_fault_tree_priority" nolink />: Priority AND attribute dialog box.
</figure>


  • The Name text box allows you to modify the name, provided the new name is globally unique in the model. An error box will appear if it is not.
  • The list box on the left contains the current inputs to the Priority AND gate. Elements higher in the list have higher priority.
  • The Up button moves the currently selected input up the priority list.
  • The Down button moves the currently selected input down the priority list.
  • The OK button accepts changes to the element and returns to the fault tree editor. The order of the inputs from top to button in the list box are now the priority order for the Priority AND logic gate. If there are any errors, an error message will appear.
  • The Cancel button disregards any changes you have made to the element and returns you to the fault tree editor.


Arcs and lines

Like the SAN (and other) formalisms, the fault tree formalism gives three drawing tools to connect logic gates, events, and nodes. They include straight connection, connected line, and spline curve. The details of how arcs and lines can be placed and modified is described in “Arcs and lines” in Section 4.2.5.

Lines and arcs in the Möbius fault tree formalism can only be drawn between objects in certain orders:

  • from a logic gate to any other logic gate
  • from a logic gate to a node
  • from an event to a node
  • from an event to any logic gate


Text boxes

Text boxes in the fault tree formalism are identical to those in SANs. Please refer to “Text boxes” in Section 4.2.5.

References

  1. R. Manian, J. Dugan, D. Coppit, and K. Sullivan. Bridging the gap between fault tree analysis modeling tools and the systems being modeled. In Annual Reliability and Maintainability Symposium 1999 Proceedings, pages 105–111, Washington, D.C., Jan 1999.
  2. R. Manian, J. Dugan, D. Coppit, and K. Sullivan. Combining various solution techniques for dynamic fault tree analysis of computer systems. In Third IEEE International High-Assurance Systems Engineering Symposium, pages 21–28, Washington, D.C., Nov 1998.