Lessons learnt from the Isograph Training Course
Winterthur, 24th to 26th of July 2017
Miriam Blumenschein, Saskia Hurst and Estrella Vergara
- RAS Working Group Meeting -
31st of August 2017
1. Isograph for beginners
Estrella Vergara
31/08/2017 3
Reliability Workbench
During installation:
Available in CMF Packages: Isograph – RelWorkbench 13.01
Password needed for installation: cernvflxn07
Modules available
• Prediction Methods
• Failure Mode Effect and Criticality Analysis (FMECA)
CERN licenses
• Reliability Block Diagrams (RBD)
• Fault Tree Analysis (FTA)
• Event Tree Analysis (ETA)
• Markov Analysis
• Weibull
• Reliability Growth
• Reliability Allocation
Tutorials for each module: Help ► Getting Started Tutorial
Prediction module
Provide consistent methods of estimating failure rates using Handbooks and standards
CERN license: only 1 license
• Telcordia TR/SR
• 217 Plus Prediction
• MIL-217 Prediction
• FIDES Prediction
• NSWC Prediction
[Figure: project hierarchy diagram of a simplified computer system schematic (DISK 1, DISK 2, CPU 1, CPU 2, MEM 1, MEM 2, MEM 3) showing block systems and components, environmental properties and component properties; the parameters for the component type are defined by the handbook or standard]
• External category: entering data manually
• Entering prediction data manually or using libraries (project and library must follow the same standard or handbook)
• Possibility to associate maintenance tasks in the prediction hierarchy
• Option to specify the phases if the ambient conditions change during the lifetime of the system
Prediction module – Results
[Figure: prediction results for the simplified computer system schematic (DISK 1, DISK 2, CPU 1, CPU 2, MEM 1, MEM 2, MEM 3)]
Plots: failure rate (FITs) versus temperature; MTTF (Ghrs) versus temperature
Fault Tree Analysis (FTA)
• Shows the interaction of failures
• Creation of fault trees manually
Gate types (name: meaning; number of inputs):
• OR: TRUE if any input is TRUE; ≥2 inputs
• AND: TRUE if all inputs are TRUE; ≥2 inputs
• VOTE (m): TRUE if m inputs are TRUE; ≥3 inputs
• EXCLUSIVE OR: TRUE if one and only one input is TRUE; 2 inputs
• INHIBIT GATE: TRUE if all inputs are TRUE, one input is conditional; ≥2 inputs
• PRIORITY AND: TRUE if inputs occur in left to right order; ≥2 inputs
• NOT: TRUE if the input is FALSE; 1 input
• Transfer In: inputs appear elsewhere on the same page or on another page
• Transfer Out: output appears elsewhere on the same page or on another page
Event types (name: meaning):
• BASIC: basic event
• UNDEVELOPED: a system event which is yet to be developed
• CONDITIONAL: conditional event connected to an inhibit gate
• HOUSE: definitely operating or definitely not operating
• DORMANT: failure not immediately revealed; latent/hidden failure
Fault Tree Analysis (FTA)
• Shows the interaction of failures
• Creation of fault trees manually through gates
[Figure: fault tree of a simple cooling system, with the TOP event at the top]
• No limit of gates or events (“Page” checkbox)
• Special Function: Multiple Project option:
– ID must be coherent
– Connection between gates (no events)
• Minimal Cut Set:
– Minimum combination of events which cause the TOP event
– First step of the analysis
– Produced using Boolean algebra
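As an added illustration of the minimal cut set step (example code written for this summary, not part of the Isograph training material or of Isograph itself): a small Python evaluator expands a constructed fault tree through its OR and AND gates with Boolean algebra and reduces the result to minimal cut sets by absorption. The tree, its event names and the event unavailabilities are constructed for the example, and the rare-event sum is only a first estimate of the TOP event Q.

```python
from itertools import product
from math import prod

# Constructed fault tree (not the course's "Simple Cooling System" model):
# gate ID -> (gate type, inputs); an input that is not a gate ID is a basic
# event. TOP = loss of cooling, CTRL = shared controller, PUMP_A/PUMP_B = pumps.
TREE = {
    "TOP": ("OR",  ["G1", "G2"]),
    "G1":  ("AND", ["PUMP_A", "PUMP_B"]),
    "G2":  ("AND", ["G3", "G4"]),
    "G3":  ("OR",  ["PUMP_A", "CTRL"]),
    "G4":  ("OR",  ["PUMP_B", "CTRL"]),
}

def cut_sets(node, tree):
    """Expand a node into its (not yet minimal) cut sets by Boolean algebra:
    an OR gate is the sum (concatenation) of its inputs' cut sets, an AND
    gate the product (union of one cut set taken from each input)."""
    if node not in tree:                       # basic event
        return [frozenset([node])]
    gate_type, inputs = tree[node]
    child_sets = [cut_sets(i, tree) for i in inputs]
    if gate_type == "OR":
        return [cs for sets in child_sets for cs in sets]
    if gate_type == "AND":
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError("unsupported gate type: " + gate_type)

def minimal_cut_sets(tree, top="TOP"):
    """Reduce with the absorption law A + A.B = A: drop duplicates and every
    cut set that contains another cut set; sort by order (number of events)."""
    sets = set(cut_sets(top, tree))
    minimal = [s for s in sets if not any(o < s for o in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def top_unavailability(mcs, q):
    """Rare-event approximation of the TOP event Q: sum over the minimal cut
    sets of the product of the event unavailabilities in each set."""
    return sum(prod(q[e] for e in cs) for cs in mcs)

# Constructed event unavailabilities for the estimate.
Q_EVENTS = {"PUMP_A": 0.01, "PUMP_B": 0.01, "CTRL": 0.001}

if __name__ == "__main__":
    mcs = minimal_cut_sets(TREE)
    for cs in mcs:
        print("minimal cut set:", sorted(cs))
    print("Q(TOP) ~", top_unavailability(mcs, Q_EVENTS))
```

The single-event cut set {CTRL} absorbs the two-event sets that contain it, which is why the controller dominates the estimate even though each pump is ten times less reliable.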
Reliability Block Diagram (RBD)
• Used to predict the reliability of entire systems
• Similar to FTA:
– RBD: process (availability) / FTA: hazards
[Figure: RBD of the simplified computer system schematic (DISK 1, DISK 2, CPU 1, CPU 2, MEM 1, MEM 2, MEM 3)]
• Flow from left to right – easy to read
• Blocks connected in series/parallel
• Option to copy-paste to duplicate a block (e.g. “MEM 3”)
• Special functions: RBD to FTA, Prediction to RBD and FMECA to RBD
Reliability Block Diagram (RBD)
ASSIGNING FAILURE MODELS TO BLOCKS
• Failure and repair data is entered in a failure model
– Local Failure Model: attached to one block only
– Generic Failure Model: can be attached to multiple blocks
• Applicable for FTA as well
[Figure: list of generic failure models, and assigning a generic failure model to a block]
Reliability Block Diagram (RBD)
PERFORMING AN ANALYSIS – Results
• Summary
• Cut Sets: combination of component block failures that will cause system failure
• Importance: block’s contribution to the unavailability of the system
Event Tree Analysis (ETA)
• Identifies outcomes of an initiating event
• ETA & FTA closely linked:
– FTA can be used to quantify events in the ETA sequence
– Use cut sets and the same quantitative methodology
[Figure: fault tree created in the FTA module, and the event tree analysis that uses it]
Failure Mode Effect and Criticality Analysis (FMECA)
• Rates failure modes by danger
2. Compendium of useful features
Miriam Blumenschein
Prediction – FMECA – Fault Tree
Prediction
1. Component library
• Construct a project from a library:
– File ► Attach Library
– Drag and drop parts or structures to the system structure
– No automatic update if the library is modified
• Build a library: create components in prediction (blue fields)
• Common CERN library?
Prediction
2. Import of bill of material:
• Easy to import: blue fields (component properties) part number, ID, quantity, description and category
• ► Manual chapter “Importing a Bill of Materials”
• Not (yet) easy to import: black fields (operating environment), filled in manually
• Common Excel format of BOM?
Id   PartNumber         Quantity  Description          Category
1    0-1                1         OPL-Repeater_HW02    MIL-BK
2    0-2                1         OPL-Trans_1414_HW02  MIL-BK
3    0-3                1         OPL-REC-2418_HW02    MIL-BK
1.1  C-EUC0805_1000nF   1                              MIL-CR
1.2  C-EUC0805_100nF    1                              MIL-CR
1.3  C-EUC0805_100nF    1                              MIL-CR
1.4  AFBR-2418          1                              MIL-LB
1.5  C-EUC0805_100nF    1                              MIL-CR
Prediction
3. Rename option
• Objects under the current tree control selection will be renamed based on the name of their
parent
• Select parent block ► Tools ► Rename ► Blocks under selection
4. View option:
• Determination of the data which is displayed in the project tree control
• Project Options ► View ► check “Show category”; “Show component part; … number”
Prediction
5. Help option in dialog boxes
• “?” on the top right in each dialog opens corresponding chapter of the manual
6. Part number
Several Functions are linked to the part number
• Blue fields = component properties: same properties for same part number
• Black fields = operating environment: independent of part number
• Part Selection facility, Auto search project, auto search library, Auto Add Apportioned Failure Modes,
Linked block, …
Prediction
7. Unit of failure rate
• Project Options ► General ► Units
8. Change component parameters
• Temperature, Environment, …
• Select section in tree control ► Special Functions ► change temperature/MIL-217 environment
OR
• Export block properties to Excel (table PDBlocks; columns PartNumber, ParamValuesKey), find and replace properties in Excel, import the Excel file
9. Project Options, Special Functions and Tools change from one module to the other, always worth having a look at
10. Recommendation: always create the system structure in the prediction module, even if no prediction is performed
From one module to another
1. Data conversion
• prediction hierarchy to FMECA, RBD, fault tree
• FMECA hierarchy to RBD, fault tree
• RBD to fault tree
• Common way: Prediction to FMECA to Fault Tree
• Special Functions ►Convert pull-down menu
2. Data links
• Needs to be defined before the data conversion!
• Data links will be automatically created between objects when copying between modules
• Customize data conversion: Project options ► Data links ► check “Assign data link on inter-module copy within project”
• Prediction to FMECA: Edit ► Transfer linked data ► run the FMECA simulation
• FMECA to Fault Tree: run the FMECA simulation ► Edit ► Transfer linked data ► run the Fault Tree simulation
3. Update of system structure
• Failure modes remain
• Prediction to FMECA: Special Functions ►Convert pull-down menu
FMECA-module
1. Apportionment table
• Lists a component type (defined by the part number) and its failure modes and %
• Apportionment table can be imported from Excel
• Add failure modes to existing blocks: Add ► Auto Add Apportioned Failure Modes
OR
• Add apportioned block
• Common CERN apportionment table?
FMECA-module
2. Severity matrix
• Tabulates the number of failure mode contributors in each severity category for each block in the system
• Exported as Excel file
• If severity categories are defined as system failure modes: number of root contributors per system failure mode
• Special Functions ► Export ► Severity Matrix
3. Criticality matrix
• Tabulates the severity category and criticality for each failure mode
• Special Functions ► Export ► Criticality Matrix
Fault Tree
1. System lifetime
• Unit of system lifetime corresponds to unit of failure
• Project Options ► Calculation
2. Failure and repair models
• 17 model types with different failure and repair characteristics
• Rate models: constant failure and repair rate
– Input Rate Model: failure rate λ and repair rate µ; µ = 0: non-repairable components
– Input Rate/MTTR: failure rate λ and MTTR; MTTR = 0: failures are immediately repaired
• Dormant failure model: non-repairable components between inspections
– Three methods: mean (default), max (worst case), IEC 61508
• Local failure model (for one event): Primary Event Properties ► Local Failure Model ► Failure Model Properties
• Generic failure model (for any event): Add ► Failure model ► Failure Model Properties
Fault Tree
3. Calculation methods:
• Cross Product, Esary-Proschan (Bertsche), Rare, Optimum Upper Bound (default), Lower Bound
• Project Options ► Set Generations ► Custom Options
4. Result Summary
• CFI: Conditional Failure Intensity, corresponds to λ(t) (Bertsche): probability per unit time that the component or system experiences a failure at time t, given that it was operating (or repaired to as good as new) at time zero and is operating at time t.
• Unconditional Failure Intensity or Failure Frequency ω(t): probability per unit time that the component or system experiences a failure at time t, given that it was operating at time zero.
• Difference between CFI λ(t) and ω(t): the CFI has the additional condition that the component or system has survived to time t.
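Added example (written for this summary, not Isograph's solver and not from the course): the textbook rate-model expressions for Q(t), ω(t) and the CFI of a component with constant failure and repair rates, and for an AND gate (two such components in redundancy), which shows why the gate's CFI differs from its ω while a single component's CFI is simply λ. The rates, the MTTR and the time point are constructed values.

```python
import math

def unavailability(lam, mu, t):
    """Q(t) of a component with constant failure rate lam and constant repair
    rate mu (the Rate model). mu = 0 gives the non-repairable case
    Q(t) = 1 - exp(-lam t); a Rate/MTTR model with MTTR > 0 is mu = 1/MTTR."""
    if lam == 0.0:
        return 0.0
    return lam / (lam + mu) * (1.0 - math.exp(-(lam + mu) * t))

def failure_frequency(lam, mu, t):
    """Unconditional failure intensity w(t): failures per unit time at t given
    only that the component was operating at time zero. A failure at t needs
    the component to be up at t, so w(t) = lam * (1 - Q(t))."""
    return lam * (1.0 - unavailability(lam, mu, t))

def cfi(w, q):
    """Conditional failure intensity: w(t) divided by the probability of being
    up at t, i.e. with the extra condition that the item survived to t."""
    return w / (1.0 - q)

def and_gate(inputs, t):
    """Q, w and CFI of a 2-input AND gate whose inputs are independent
    rate-model components: Q = Q1*Q2 and w = w1*Q2 + w2*Q1 (the gate fails
    when one input fails while the other one is already down)."""
    (l1, m1), (l2, m2) = inputs
    q1, q2 = unavailability(l1, m1, t), unavailability(l2, m2, t)
    w1, w2 = failure_frequency(l1, m1, t), failure_frequency(l2, m2, t)
    q = q1 * q2
    w = w1 * q2 + w2 * q1
    return q, w, cfi(w, q)

# Constructed values: 1e-3 failures per hour, MTTR of 10 h (mu = 0.1 per hour).
PUMP = (1.0e-3, 0.1)

if __name__ == "__main__":
    t = 1000.0
    q, w = unavailability(*PUMP, t), failure_frequency(*PUMP, t)
    print("single pump: Q=%.3e w=%.3e CFI=%.3e" % (q, w, cfi(w, q)))
    print("two pumps, AND gate: Q=%.3e w=%.3e CFI=%.3e" % and_gate([PUMP, PUMP], t))
```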
Fault Tree
5. Quantity of gates
• Specifying a quantity of n is equivalent to including n identical gates underneath a gate, with no common cause failures, in the fault tree diagram.
• Quantity values may only be specified for gates that have Modularization set to “Forced on” (default = automatic).
6. House event
• Used for “what if”: switches branches on (Q = 1) and off (Q = 0)
• Primary event properties ► Type ► House; logic mode True or False
Fault Tree
7. Event symbols dormant
• Option to visualize the failure model
• Primary event properties ► Type ► Dormant
8. Append facility
• Alternative to library
• Batch append: transfer all the fault tree structures from a group of projects in one go
• Partial append: append parts of a single project by selecting individual gates
• If branches need to be combined in different fault trees and the event ID needs to remain
• Special Functions ► Append
9. MTTF
• By default not calculated
• Calculation requires numerical integration methods to be employed and may be time consuming for large numbers of minimal cut sets
• Project Options ► Calculation ► MTTF/MTBF/MTTR calculations ► Method ► Standard
Fault Tree
10. Importance analysis
• Helps determine:
– Event contribution to the TOP event
– TOP event sensitivity to event changes
– Weak areas in the system
• 6 different importance measures, most useful (?) Fussell-Vesely Importance (contribution to system Q)
11. Confidence analysis
• Introduces uncertainty in component Q
• Project Options ► Confidence
3. Isograph and the IEC 61508 Standard
Saskia Hurst
IEC 61508 - General SIL Verification
Three barriers:
1. PFH/PFD compliance calculation
2. Architectural constraints: SFF/HFT
3. Systematic capability/integrity
Barrier 1 and barrier 2 can be calculated in Isograph
IEC 61508 - SIL Quantitative Calculation
Workflow (analysis step → Isograph module):
• Reliability prediction → Prediction module
• FMEDA analysis → FMECA module
• $\lambda_{safe}$, $\lambda_{dangerous}$, DC → FMECA module
• PFD/PFH → FTA/RBD module
• SFF/HFT → FTA/RBD module
• SIL evaluation → IEC 61508
FMEDA (Failure Modes, Effects and Detectability Analysis)
• Takes into account:
– Failure rates of components,
– Failure mode probabilities,
– Failure effect of each failure mode,
– Diagnostic coverage:
$SC\ (\text{Safe Coverage}) = \dfrac{\lambda_{SD}}{\lambda_{SD} + \lambda_{SU}};\quad DC\ (\text{Dangerous Coverage}) = \dfrac{\lambda_{DD}}{\lambda_{DD} + \lambda_{DU}}$
• Division into safe $\lambda_S$ and dangerous $\lambda_D$, and into detectable and undetectable failure rates ($\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$, $\lambda_{DU}$)
IEC 61508 - SFF Calculation
• Calculation in the FMECA module of Isograph by doing a FMEDA
• SFF is the ratio of safe and dangerous detected failures to the total failure rate
• Safe Failure Fraction (SFF) for a component:
$SFF = \dfrac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}$
• Safe Failure Fraction (SFF) for a subsystem (safety function):
$SFF = \dfrac{\sum \lambda_{SD} + \sum \lambda_{SU} + \sum \lambda_{DD}}{\sum \lambda_{SD} + \sum \lambda_{SU} + \sum \lambda_{DD} + \sum \lambda_{DU}}$
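Added example (written for this summary; the FMEDA rows and their column layout are constructed, not an Isograph export): computing SC, DC and SFF per component and the subsystem SFF from the summed rates, as in the formulas above, and showing that the subsystem SFF is not the mean of the component SFFs.

```python
# Constructed FMEDA rows (the column layout is an assumption for this example,
# not an Isograph export). Rates are in FIT (failures per 1e9 hours):
# (component, lambda_SD, lambda_SU, lambda_DD, lambda_DU).
FMEDA = [
    ("sensor",   20.0,  5.0, 60.0, 15.0),
    ("logic",    40.0, 10.0, 30.0,  5.0),
    ("actuator",  5.0,  5.0, 10.0, 20.0),
]

def coverages(sd, su, dd, du):
    """SC = SD / (SD + SU) and DC = DD / (DD + DU); 0 when a class has no rate."""
    sc = sd / (sd + su) if sd + su else 0.0
    dc = dd / (dd + du) if dd + du else 0.0
    return sc, dc

def sff(sd, su, dd, du):
    """Safe Failure Fraction: everything but the dangerous undetected rate,
    divided by the total failure rate."""
    total = sd + su + dd + du
    return (sd + su + dd) / total if total else 0.0

def safe_dangerous_split(sd, su, dd, du):
    """lambda_S = SD + SU and lambda_D = DD + DU, the split the slides refer to."""
    return sd + su, dd + du

def component_results(rows):
    """Per component: (SC, DC, SFF)."""
    return {name: (*coverages(*rates), sff(*rates)) for name, *rates in rows}

def subsystem_rates(rows):
    """Column sums (sum SD, sum SU, sum DD, sum DU) over all components."""
    return tuple(sum(col) for col in zip(*(rates for _, *rates in rows)))

def subsystem_sff(rows):
    """SFF of the safety function from the summed rates (the sigma formula);
    this is not the mean of the component SFFs."""
    return sff(*subsystem_rates(rows))

if __name__ == "__main__":
    for name, (sc, dc, s) in component_results(FMEDA).items():
        print("%-9s SC=%.3f DC=%.3f SFF=%.3f" % (name, sc, dc, s))
    print("subsystem rates (FIT):", subsystem_rates(FMEDA))
    print("subsystem SFF = %.4f" % subsystem_sff(FMEDA))
```

With these rows the component SFFs are 0.85, 0.94 and 0.50, the mean of which is about 0.76, while the subsystem SFF from the summed rates is 185/225 ≈ 0.82.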
IEC 61508 - HFT Calculation
• Calculation in the Fault Tree module of Isograph
• Hardware Fault Tolerance (HFT) is the maximum number of faults that can be tolerated before the loss of the safety function
• i.e. HFT = N means that N + 1 faults will cause a loss of the function
• Isograph selects HFT by calculating SFF and cross-referencing it against the SIL target for the gate (tables 2 and 3 from IEC 61508-2)
IEC 61508 - PFH/PFD Calculation
• Calculation in the Fault Tree module or RBD module in Isograph
• Probability of dangerous failure per hour PFH (continuous or high demand mode): frequency ω in Isograph
• Probability of dangerous failure on demand PFD (low demand mode): unavailability Q in Isograph
[Figure: PFD and PFH result fields in Isograph]
Important Settings in Isograph
• Set the IEC 61508 requirement by either defining:
– Required SIL or
– Required risk reduction factor
Important Settings in Isograph
• Dormant failure model IEC 61508
• Logic for average:
1. Product of the function (fault tree logic)
2. Average of the result
Important Settings in Isograph
• Default setting: calculation of PFD/PFH with the dangerous failure rate $\lambda_{DU}$
• “Only model spurious trip failure”: calculation of PFH/PFD with $\lambda_S$
• “Only model spurious trip failure” and “Include DD failures for spurious trip”: calculation of PFH/PFD with $\lambda_S$ and $\lambda_{DD}$
Important Settings in Isograph
• For continuous or high demand functions (PFH): “Exclude DD failures in frequency” – calculation of the frequency (PFH) with only dangerous undetected failures $\lambda_{DU}$, according to the IEC 61508 standard
Important Settings in Isograph
• Model type: IEC 61508
Common Cause Failures
• β factor model (used in IEC 61508)
• Calculates the proportion of event failures due to common cause:
$Q_1 = (1 - \beta) \cdot Q_T;\quad Q_{CCF} = \beta \cdot Q_T$
$Q_1$: Q due to independent failure, $Q_T$: total Q, $Q_{CCF}$: Q due to common cause failure
• The β factor can be determined by “Apply IEC model” with a questionnaire which is implemented in Isograph
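Added example (a constructed model, not Isograph's solver) combining the β-factor split above with the “product of the function, then average” logic of the IEC 61508 dormant failure model from the earlier settings slide: two dormant channels in a 1oo2 group with proof test interval T, where the independent parts go through the AND gate and the common cause part is OR-ed in, and a second function showing how much averaging each channel first underestimates the PFD. $\lambda_{DU}$, β and T are constructed values.

```python
import math

def channel_q(lam_du, t):
    """Unavailability Q_T(t) of one dormant channel: dangerous undetected
    failures are not repaired between proof tests, so Q grows from 0 at the
    last proof test until the next one."""
    return 1.0 - math.exp(-lam_du * t)

def system_q(lam_du, beta, t):
    """1oo2 unavailability at time t with the beta-factor split of the slide:
    Q_1 = (1 - beta) * Q_T is the independent part of each channel (combined
    through the AND gate) and Q_CCF = beta * Q_T the common cause part
    (combined with the gate output through an OR)."""
    q_t = channel_q(lam_du, t)
    q_1, q_ccf = (1.0 - beta) * q_t, beta * q_t
    return 1.0 - (1.0 - q_1 * q_1) * (1.0 - q_ccf)

def time_average(f, period, steps=20000):
    """(1/T) * integral from 0 to T of f(t) dt, trapezoidal rule."""
    h = period / steps
    acc = 0.5 * (f(0.0) + f(period)) + sum(f(i * h) for i in range(1, steps))
    return acc * h / period

def pfd_avg_product_then_average(lam_du, beta, period):
    """IEC 61508 logic as described on the slide: evaluate the fault tree
    function Q_sys(t) first, then average it over the proof test interval."""
    return time_average(lambda t: system_q(lam_du, beta, t), period)

def pfd_avg_average_then_product(lam_du, beta, period):
    """The shortcut to avoid: average each channel's Q first and only then
    apply the gate logic. For an AND gate this underestimates the PFD."""
    q_avg = time_average(lambda t: channel_q(lam_du, t), period)
    q_1, q_ccf = (1.0 - beta) * q_avg, beta * q_avg
    return 1.0 - (1.0 - q_1 * q_1) * (1.0 - q_ccf)

# Constructed values: lambda_DU per hour, beta factor, one-year proof test interval.
LAMBDA_DU, BETA, T_PROOF = 1.0e-6, 0.05, 8760.0

if __name__ == "__main__":
    print("product then average:", pfd_avg_product_then_average(LAMBDA_DU, BETA, T_PROOF))
    print("average then product:", pfd_avg_average_then_product(LAMBDA_DU, BETA, T_PROOF))
```

With β = 0 the independent 1oo2 term is close to (λT)²/3 when averaged correctly but only (λT)²/4 when the averages are multiplied, a factor 4/3; with β = 0.05 the common cause term βλT/2 dominates both results, which is why the β factor matters more than the redundancy for low λT.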