2

Figure 23.9 Double Failure Matrix (DFM) for electric distribution system in example.

Figure 23.9 Double Failure Matrix (DFM) for electric distribution system in example.

tion are:

a) Total loss of electricity to surgical suite.

b) Total loss of chilled water to computer facility.

c) Steam boiler unable to generate steam.

d) Loss of natural gas feedstock to fertilizer plant.

e) Water supply to major metropolitan area curtailed to half of minimum requirement.

f) Environmental conditioning of controlled experiment is interrupted for more than thirty minutes.

The faults can be initiated by sabotage actions, software failures, component hardware failures, human errors, or other pertinent events. The relationship between these events is depicted with logic gates.

The most important event and logic symbols are shown in Figure 23.10. A basic event is an initiating fault that requires no further development or explanation. The basic event is normally associated with a specific component or subsystem failure. The undeveloped event is a failure that is not considered in further detail because it is not significant or sufficient information is not available.

Logic gates are used to depict the relationship between two or more events and some higher level failure of the system. This higher level failure is known as the output of the gate. These higher level failures are combined using logic gates until they culminate in the top event of the tree, which is the previously defined undesired event. A simple fault tree is illustrated in Figure 23.11.

The "OR" gate shows that the higher level failure will occur if at least one of the input events occurs. An "OR" gate could be used to model two circuit breakers in series on a radial underground feeder. If either circuit breaker is opened the circuit path will be broken and all loads served by that feeder will be deprived of electricity.

The output event of an "AND" gate occurs only if all of the input events occur simultaneously. It would be used to model two redundant pumps in parallel. If one pump fails the other will continue to circulate fluid through the system and no higher order failure will occur. If both pumps fail at the same time for any reason the entire pumping subsystem fails.

The logic of the fault tree is analyzed using boolean algebra to identify the minimal cut sets. A minimal cut set is a collection of system components which, when failed, cause the failure of the system. The system is not in a failed state if any one of the components in this set has not failed or is restored to operation. In fault tree terminology, a cut set is a combination of basic events that will result in the undesired top event of the tree. A computer is normally used to automate this tedious and error prone mathematical procedure.

Cut sets are utilized because they directly correspond to the modes of system failure. In a simple case, the cut sets do not provide any insights that are not already quite obvious. In more complex systems, where the system failure modes are not so obvious, the minimal cut set computation provides the analyst with a thorough and systematic method to identify the combinations of component failures which culminate in the top event. Once an exhaustive list of cut sets is assembled, they can be analyzed to determine which components occur in failure modes with the highest frequency. These, along with the single point failures, are the most critical components of the entire system and merit special attention to keep them out of harm's way.

Figure 23.10 Event and logic symbols
Figure 23.11 Sample fault tree for electric distribution system with uninterruptible power supply and emergency generator.
0 0

Post a comment