On Qualitative Analysis of Fault Trees Using Structurally Persistent - - PowerPoint PPT Presentation

On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets

Ricardo J. Rodr´ ıguez rj.rodriguez@unileon.es

Research Institute of Applied Sciences in Cybersecurity University of Le´

• n, Spain

June 10, 2015 XXIII Jornadas de Concurrencia y Sistemas Distribuidos M´ alaga (Spain) To appear in IEEE Trans. on Systems, Man, and Cybernetics: Systems doi: 10.1109/TSMC.2015.2437360

Agenda

1

Introduction

2

Definitions

3

Model Transformation

4

Fault Tree Analysis using P-Semiflows

5

Case Study: A Pressure Tank System

6

Related Work

7

Conclusions and Future Work

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 2 / 29

Agenda

1

Introduction

2

Definitions

3

Model Transformation

4

Fault Tree Analysis using P-Semiflows

5

Case Study: A Pressure Tank System

6

Related Work

7

Conclusions and Future Work

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 3 / 29

Introduction (I)

Definition of Fault Tree

Fault Tree

Event-driven failure logic Top Event: undesired state (@ the root) Gates: describe logic that relates events Event: different kind (next slide)

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 4 / 29

Introduction (I)

Definition of Fault Tree

Fault Tree

Event-driven failure logic Top Event: undesired state (@ the root) Gates: describe logic that relates events Event: different kind (next slide) Coherent Fault Tree: logic restricted to AND/OR formulae

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 4 / 29

Introduction (II)

A bit more of Fault Trees. . . AND gate OR gate TRANSFER IN TRANSFER OUT BASIC CONDITIONING EXTERNAL UNDEVELOPED INTERMEDIATE event event event event event

Graphical symbols

AND / OR gates Event type:

Basic: component/human fault; failure & repair data available Conditioning: gate triggered by an event External (or house): normally expected to occur Undeveloped: no further developed (e.g., no consequence, lack of data) Intermediate: middle/top event, generated by combination of others

Transfer: to divide large FTs into smaller ones, or reduce duplication

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 5 / 29

Introduction (III)

Fault Tree Analysis

Find event combinations out that leads to an undesired state Top-down deductive analysis technique, from the early 60s Used in safety and reliability engineering

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 6 / 29

Introduction (III)

Fault Tree Analysis

Find event combinations out that leads to an undesired state Top-down deductive analysis technique, from the early 60s Used in safety and reliability engineering

(Minimal) Cut Sets

Set of basic events whose occurrence causes a system to fail Minimal Cut Set: it cannot be further reduced, and still leads to an undesired state

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 6 / 29

Introduction (III)

Fault Tree Analysis

Find event combinations out that leads to an undesired state Top-down deductive analysis technique, from the early 60s Used in safety and reliability engineering

(Minimal) Cut Sets

Set of basic events whose occurrence causes a system to fail Minimal Cut Set: it cannot be further reduced, and still leads to an undesired state

(Minimal) Path Sets

Set of basic events whose nonoccurrence assures the nonoccurrence of TE Minimal Path Set: it cannot be further reduced, and still leads to an undesired state MPS are a dual set of MCS

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 6 / 29

Introduction (IV)

Recall the example. . .

Six path sets:

PS1 = {E1, E2, E3, E4, E5} PS2 = {E1, E2, E3, E5, E6} PS3 = {E1, E2, E3, E5, E7} PS4 = {E1, E2, E3, E4, E5, E6} PS5 = {E1, E2, E3, E6} PS6 = {E1, E2, E3, E6, E7}

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 7 / 29

Introduction (IV)

Recall the example. . .

Six path sets:

PS1 = {E1, E2, E3, E4, E5} PS2 = {E1, E2, E3, E5, E6} PS3 = {E1, E2, E3, E5, E7} PS4 = {E1, E2, E3, E4, E5, E6} PS5 = {E1, E2, E3, E6} PS6 = {E1, E2, E3, E6, E7}

Not minimal!

PS2 ⊃ PS5, PS4 ⊃ PS5 (or PS4 ⊃ PS1), PS6 ⊃ PS5

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 7 / 29

Introduction (IV)

Recall the example. . .

Six path sets:

PS1 = {E1, E2, E3, E4, E5} PS2 = {E1, E2, E3, E5, E6} PS3 = {E1, E2, E3, E5, E7} PS4 = {E1, E2, E3, E4, E5, E6} PS5 = {E1, E2, E3, E6} PS6 = {E1, E2, E3, E6, E7}

Not minimal!

PS2 ⊃ PS5, PS4 ⊃ PS5 (or PS4 ⊃ PS1), PS6 ⊃ PS5

MPS: PS1, PS3, and PS5

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 7 / 29

Introduction (IV)

Recall the example. . .

Six path sets:

PS1 = {E1, E2, E3, E4, E5} PS2 = {E1, E2, E3, E5, E6} PS3 = {E1, E2, E3, E5, E7} PS4 = {E1, E2, E3, E4, E5, E6} PS5 = {E1, E2, E3, E6} PS6 = {E1, E2, E3, E6, E7}

Not minimal!

PS2 ⊃ PS5, PS4 ⊃ PS5 (or PS4 ⊃ PS1), PS6 ⊃ PS5

MPS: PS1, PS3, and PS5 Five MCS:

MCS1 = {E1}, MCS2 = {E2} MCS3 = {E3}, MCS4 = {E5, E6} MCS5 = {E4, E6, E7}

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 7 / 29

Introduction (V)

Fault Tree Assessment

Qualitative analysis: extraction of MCS/MPS

Enables to characterize a TE by a logic formula

Quantitative analysis: for given data values, compute occurrence probability of the TE

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 8 / 29

Introduction (V)

Fault Tree Assessment

Qualitative analysis: extraction of MCS/MPS

Enables to characterize a TE by a logic formula

Quantitative analysis: for given data values, compute occurrence probability of the TE

Contributions

Computation of MCS/MPS of a FT is equal to compute minimal p-semiflows of a Petri net, obtained by model transformation Minimal p-semiflows are computable in polynomial time (for the subclass of PN obtained)

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 8 / 29

Agenda

1

Introduction

2

Definitions

3

Model Transformation

4

Fault Tree Analysis using P-Semiflows

5

Case Study: A Pressure Tank System

6

Related Work

7

Conclusions and Future Work

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 9 / 29

Definitions (I)

Formally defining a coherent Fault Tree

Coherent fault tree

F = E, G, G+, G∗, T , where: E, |E| ≥ 1: set of basic, undeveloped, or external events; G, |G| ≥ 1, G ∩ E = ∅: set of intermediate events; G+ : G × (E ∪ G) → {0, 1}: OR relationship between events G∗ : G × (E ∪ G) → {0, 1}: AND relationship between events T = {g}, g ∈ G: top event

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 10 / 29

Definitions (I)

Formally defining a coherent Fault Tree

Coherent fault tree

F = E, G, G+, G∗, T , where: E, |E| ≥ 1: set of basic, undeveloped, or external events; G, |G| ≥ 1, G ∩ E = ∅: set of intermediate events; G+ : G × (E ∪ G) → {0, 1}: OR relationship between events G∗ : G × (E ∪ G) → {0, 1}: AND relationship between events T = {g}, g ∈ G: top event

Some notes. . .

We denote G+, G∗, in matrix form, i.e., G+, G∗ ∈ {0, 1}|G|×(|E|+|G|) An event g ∈ G has only non-null components in either G+ or G∗, and not both Self-feedback is not allowed in intermediate events

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 10 / 29

Definitions (II)

On Petri nets

Petri nets

A Petri net (PN) is a 4–tuple N = P, T, Pre, Post, where: P and T are disjoint non-empty sets of places and transitions; and Pre (Post) are the pre–(post–)incidence non-negative integer matrices of size |P| × |T|

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 11 / 29

Definitions (II)

On Petri nets

Petri nets

A Petri net (PN) is a 4–tuple N = P, T, Pre, Post, where: P and T are disjoint non-empty sets of places and transitions; and Pre (Post) are the pre–(post–)incidence non-negative integer matrices of size |P| × |T| A Petri net system S = N, m0 is a Petri net N with an initial marking m0

Reachability Set and Boundedness

RS(N, m0): set of markings reachable from m0 in N A place p ∈ P is k − bounded if ∀m ∈ RS(N, m0), m(p) ≤ k

A net system S is k-bounded if each place is k-bounded A net system is bounded if ∃ some k for which it is k-bounded

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 11 / 29

Definitions (IV)

Identical and series places

A place p is identical to a place p′ = p if m0(p) = m0(p′), Pre(p, ·) = Pre(p′, ·), and Post(p, ·) = Post(p′, ·) Places p, p′ = p, are series places if Pre(p, ·) = Post(p′, ·)

P-Semiflows

y ≥ 0 such that y⊤ · C = 0 Token conservation law independent of any firing of transitions Minimal p-semiflow: y = {i|y(i) = 0}, is not a proper superset of the support of any other p-semiflow, and the greatest common divisor

• f its elements is one

Conservativeness: all places are covered by a p-semiflow

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 12 / 29

Definitions (V)

Transition conflicts

Structural conflict: •t ∩ •t′ = ∅ Effective conflict for a marking m: t, t′ in structural conflict and both enabled at m

Persistent net

For any reachable marking m and for all transitions ti, tj, ti = tj, enabled in m, the sequence ti, tj is firable from m

Structurally persistent net (SPN)

When N, m0 is persistent for all finite initial markings m0 SPN are totally conflict-free, i.e., no pair of transitions is in structural

• r effective conflict. That is, ∀p ∈ P, |p•| ≤ 1
• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 13 / 29

Agenda

1

Introduction

2

Definitions

3

Model Transformation

4

Fault Tree Analysis using P-Semiflows

5

Case Study: A Pressure Tank System

6

Related Work

7

Conclusions and Future Work

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 14 / 29

Model Transformation: from a FT to a SPN N, m0

P in N is divided into three disjoint sets PE, PG, PEG

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 15 / 29

Model Transformation: from a FT to a SPN N, m0

P in N is divided into three disjoint sets PE, PG, PEG

Steps

1 Transform every event e ∈ E

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 15 / 29

Model Transformation: from a FT to a SPN N, m0

P in N is divided into three disjoint sets PE, PG, PEG

Steps

1 Transform every event e ∈ E 2 Transform every event g ∈ G

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 15 / 29

Model Transformation: from a FT to a SPN N, m0

P in N is divided into three disjoint sets PE, PG, PEG

Steps

1 Transform every event e ∈ E 2 Transform every event g ∈ G 3 Transform gate connections

AND gate

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 15 / 29

Model Transformation: from a FT to a SPN N, m0

P in N is divided into three disjoint sets PE, PG, PEG

Steps

1 Transform every event e ∈ E 2 Transform every event g ∈ G 3 Transform gate connections

AND gate OR gate

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 15 / 29

Model Transformation: from a FT to a SPN N, m0

P in N is divided into three disjoint sets PE, PG, PEG

Steps

1 Transform every event e ∈ E 2 Transform every event g ∈ G 3 Transform gate connections

AND gate OR gate

4 Remove tg of place pg, g = T

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 15 / 29

Model Transformation: from a FT to a SPN N, m0

P in N is divided into three disjoint sets PE, PG, PEG

Steps

1 Transform every event e ∈ E 2 Transform every event g ∈ G 3 Transform gate connections

AND gate OR gate

4 Remove tg of place pg, g = T 5 Petri net reductions rules applied

Elimination of identical places Fusion of series places

(a) Elimination of identical places (b) Fusion of series places

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 15 / 29

Model Transformation: from a FT to a SPN N, m0

P in N is divided into three disjoint sets PE, PG, PEG

Steps

1 Transform every event e ∈ E 2 Transform every event g ∈ G 3 Transform gate connections

AND gate OR gate

4 Remove tg of place pg, g = T 5 Petri net reductions rules applied

Elimination of identical places Fusion of series places

Acyclic Bounded (∀t ∈ T, |•t| ≥ 1) (a) Elimination of identical places (b) Fusion of series places

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 15 / 29

Agenda

1

Introduction

2

Definitions

3

Model Transformation

4

Fault Tree Analysis using P-Semiflows

5

Case Study: A Pressure Tank System

6

Related Work

7

Conclusions and Future Work

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 16 / 29

Fault Tree Analysis using P-Semiflows (I)

FT-SPN SF = N, R, m0 obtained by transformation

Theorem

An FT-SPN is conservative Starting at the top event, we can reach the basic events recursively. . .

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 17 / 29

Fault Tree Analysis using P-Semiflows (II)

SF = N, R, m0 obtained by transformation of F = E, G, G+, G∗, T

Theorem

The set of places p ∈ PE contained in the support of a minimal p-semiflow

• f N representing events e ∈ E defines a path set of F
• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 18 / 29

Fault Tree Analysis using P-Semiflows (III)

Theorem

A minimal p-semiflow y of a FT-SPN, after applying reduction rules, that includes p ∈ PE in its support, i.e., p ∈ y, can be computed by the following Linear Programming problem: maximize y(p) subject to y⊤ · C = 0 y⊤ · m0 = 1 y ≥ 0

Proof.

Suppose that y =

n

• i=1

αi · yi, αi > 0

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 19 / 29

Fault Tree Analysis using P-Semiflows (III)

Theorem

A minimal p-semiflow y of a FT-SPN, after applying reduction rules, that includes p ∈ PE in its support, i.e., p ∈ y, can be computed by the following Linear Programming problem: maximize y(p) subject to y⊤ · C = 0 y⊤ · m0 = 1 y ≥ 0

Proof.

Suppose that y =

n

• i=1

αi · yi, αi > 0 y · m0 = 1 → n

i=1 αi · yi · m0 = α1 · y1 · m0 + α2 · y2 · m0 + · · · + αn · yn · m0 = 1, αi > 0

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 19 / 29

Fault Tree Analysis using P-Semiflows (III)

Theorem

A minimal p-semiflow y of a FT-SPN, after applying reduction rules, that includes p ∈ PE in its support, i.e., p ∈ y, can be computed by the following Linear Programming problem: maximize y(p) subject to y⊤ · C = 0 y⊤ · m0 = 1 y ≥ 0

Proof.

Suppose that y =

n

• i=1

αi · yi, αi > 0 y · m0 = 1 → n

i=1 αi · yi · m0 = α1 · y1 · m0 + α2 · y2 · m0 + · · · + αn · yn · m0 = 1, αi > 0

m0(p) = 1, ∀p ∈ PE , m0(p′) = 0, ∀p′ ∈ P \ PE → yi · m0 = yi(p), p ∈ PE , p ∈ yi α1 · y1(p) + α2 · y2(p) + · · · + αn · yn(p) = 1, αi > 0, where p ∈ PE , p ∈ yi, i = 1 . . . n |y| > |yi|, y(p) for a given p ∈ PE , the value of y(p) is not maximum

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 19 / 29

Fault Tree Analysis using P-Semiflows (IV)

Corollary

The computation of the minimal cut sets and minimal path sets of a coherent Fault Tree are solvable in polynomial time.

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 20 / 29

Fault Tree Analysis using P-Semiflows (IV)

Corollary

The computation of the minimal cut sets and minimal path sets of a coherent Fault Tree are solvable in polynomial time.

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 20 / 29

Agenda

1

Introduction

2

Definitions

3

Model Transformation

4

Fault Tree Analysis using P-Semiflows

5

Case Study: A Pressure Tank System

6

Related Work

7

Conclusions and Future Work

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 21 / 29

Case Study: A Pressure Tank System (I)

Pressure switch Pressure tank Outlet valve Pressure sense line Reservoir Pump Timer relay Relay K2 Relay K1 Pump motor Fuse Switch S1 Event Description Top Event Pressure tank rupture. E1 Pressure tank ruptures under load. E2 Tank ruptures due to improper installation. G1 Secondary failure of ruptured pressure tank. E3 Secondary failure of tank from some other out of tolerance conditions (e.g., mechanical, ther- mal). G2 K2 relay contacts remain closed for a time T > 60 seconds. E4 K2 relay contacts fail to open. E5 K2 relay secondary failure. G3 EMF to K2 relay coil for a time T > 60 seconds. G4 EMF remains on pressure switch (P/S) contacts when P/S contacts closed for a time T > 60 seconds. G5 P/S contacts closed, T > 60 seconds. G6 EMF through S1 switch contacts when P/S contacts closed, T > 60 seconds. G7 EMF through K1 relay contacts when P/S contacts closed, T > 60 seconds. E6 Pressure switch secondary failure. E7 Pressure switch contacts fail to open. E8 Excess pressure not sensed by pressure-activated switch. E9 S1 switch secondary failure. E10 S1 switch contacts fail to open. E11 External reset activation force remains on switch S1. E12 K1 relay contacts fail to open. E13 K1 relay secondary failure. G8 Timer relay contacts fail to open when P/S contacts closed, T > 60 seconds. E14 Timer does not timeout due to improper setting installation. E15 Timer relay contacts fail to open. E16 Timer relay secondary failure.

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 22 / 29

Case Study: A Pressure Tank System (II)

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 23 / 29

Case Study: A Pressure Tank System (II)

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 23 / 29

Case Study: A Pressure Tank System (II)

Place p Minimal p-semiflow MCS p|E1 y1 = {p|TopEvent, p|E1} {E1} p|E2 y2 = {p|TopEvent, p|E2} {E2} p|E3 y3 = {p|TopEvent, p|G1, p|E3} {E3} p|E4 y4 = {p|TopEvent, p|G1, p|G2, p|E4} {E4} p|E5 y5 = {p|TopEvent, p|G1, p|G2, p|E5} {E5} p|E6 y6 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G6, p|E9} {E6, E9} p|E7 y7 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E7, p|G6, p|E9} {E7, E9} p|E8 y8 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E8, p|G6, p|E9} {E8, E9} p|E9 y9 = y6 {E6, E9} p|E10 y10 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G6, p|E10} {E6, E10} p|E11 y11 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G6, p|E11} {E6, E11} p|E12 y12 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G7, p|E12} {E6, E12} p|E13 y13 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G7, p|E13} {E6, E13} p|E14 y14 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G7, p|E14} {E6, E14} p|E14 y15 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G7, p|E15} {E6, E15} p|E16 y16 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G7, p|E16} {E6, E16}

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 24 / 29

Case Study: A Pressure Tank System (II)

Place p Minimal p-semiflow MCS p|E1 y1 = {p|TopEvent, p|E1} {E1} p|E2 y2 = {p|TopEvent, p|E2} {E2} p|E3 y3 = {p|TopEvent, p|G1, p|E3} {E3} p|E4 y4 = {p|TopEvent, p|G1, p|G2, p|E4} {E4} p|E5 y5 = {p|TopEvent, p|G1, p|G2, p|E5} {E5} p|E6 y6 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G6, p|E9} {E6, E9} p|E7 y7 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E7, p|G6, p|E9} {E7, E9} p|E8 y8 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E8, p|G6, p|E9} {E8, E9} p|E9 y9 = y6 {E6, E9} p|E10 y10 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G6, p|E10} {E6, E10} p|E11 y11 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G6, p|E11} {E6, E11} p|E12 y12 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G7, p|E12} {E6, E12} p|E13 y13 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G7, p|E13} {E6, E13} p|E14 y14 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G7, p|E14} {E6, E14} p|E14 y15 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G7, p|E15} {E6, E15} p|E16 y16 = {p|TopEvent, p|G1, p|G2, p|G3, p|G4, p|G5, p|E6, p|G7, p|E16} {E6, E16} y1 ={p|TopEvent , p|G1 , p|G2 , p|G3 , p|G4 , p|G5 , p|E6∨E7∨E8 , p|G6 , p|E9∨E10∨E11 } y2 ={p|TopEvent , p|G1 , p|G2 , p|G3 , p|G4 , p|G5 , p|E6∨E7∨E8 , p|G7 , p|G8 , p|E14∨E15∨E16 } y3 ={p|TopEvent , p|G1 , p|G2 , p|G3 , p|G4 , p|G5 , p|E6∨E7∨E8 , p|G7 , p|E12∨E13 } y4 ={p|TopEvent , p|G1 , p|G2 , p|E4∨E5 } y5 ={p|TopEvent , p|G1 , p|E3 } y6 ={p|TopEvent , p|E1∨E2 }

MCS1 = {E6, E9} MCS11 = {E6, E15} MCS21 = {E7, E12} MCS2 = {E6, E10} MCS12 = {E6, E16} MCS22 = {E7, E13} MCS3 = {E6, E11} MCS13 = {E7, E14} MCS23 = {E8, E12} MCS4 = {E7, E9} MCS14 = {E7, E15} MCS24 = {E8, E13} MCS5 = {E7, E10} MCS15 = {E7, E16} MCS25 = {E4} MCS6 = {E7, E11} MCS16 = {E8, E14} MCS26 = {E5} MCS7 = {E8, E9} MCS17 = {E8, E15} MCS27 = {E3} MCS8 = {E8, E10} MCS18 = {E8, E16} MCS28 = {E1} MCS9 = {E8, E11} MCS19 = {E6, E12} MCS29 = {E2} MCS10 = {E6, E14} MCS20 = {E6, E13}

TE occurrence formula:

29

• i=1

MCSi

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 24 / 29

Agenda

1

Introduction

2

Definitions

3

Model Transformation

4

Fault Tree Analysis using P-Semiflows

5

Case Study: A Pressure Tank System

6

Related Work

7

Conclusions and Future Work

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 25 / 29

Related Work

Computation of MCS/MPS is an NP-hard problem (in general) Two main approaches, depending on how the FT is analyzed

Top-down Bottom-up

MOCUS, CARA, DICOMICS, FATRAM, MICSUP. . .

Other model transformation

To Coloured PNs, or Reverse PNs: Reachability graph, reachability markings

NP-hard problem, with exponential space requirements

To Reliability Block Diagrams To BDDs

Its computation may fail and does not avoid the exponential problem

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 26 / 29

Agenda

1

Introduction

2

Definitions

3

Model Transformation

4

Fault Tree Analysis using P-Semiflows

5

Case Study: A Pressure Tank System

6

Related Work

7

Conclusions and Future Work

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 27 / 29

Conclusions

Computation of MCS/MPS of a coherent Fault Tree performed in linear time, by model transformation into a Petri net Constraints applied:

Logic restricted to AND/OR formulae Only basic, undeveloped, external, and intermediate events considered

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 28 / 29

Conclusions

Computation of MCS/MPS of a coherent Fault Tree performed in linear time, by model transformation into a Petri net Constraints applied:

Logic restricted to AND/OR formulae Only basic, undeveloped, external, and intermediate events considered

Future work

Implemented as module of PeabraiN tool (done!) Better characterize coherent FT whose MCS/MPS are solvable in polynomial time Compare to existing approaches Do the maths to avoid model transformation

• R. J. Rodr´

ıguez On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets JCSD 2015 28 / 29

On Qualitative Analysis of Fault Trees Using Structurally Persistent Nets

Ricardo J. Rodr´ ıguez rj.rodriguez@unileon.es

Research Institute of Applied Sciences in Cybersecurity University of Le´

• n, Spain

June 10, 2015 XXIII Jornadas de Concurrencia y Sistemas Distribuidos M´ alaga (Spain) To appear in IEEE Trans. on Systems, Man, and Cybernetics: Systems doi: 10.1109/TSMC.2015.2437360