计算机辅助故障树分析方法对高可靠和安全设计

Method of Computer-Aided Fault Tree Analysis for High-Reliable and Safety DesignYouji Hiraoka,Member,IEEE,Tamotsu Murakami,Katsunari Yamamoto,Yoshiyuki Furukawa,and Hiroyuki SawadaAbstract—Fault tree analysis(FTA)is a method of analyzing and visualizing the causes of a fault using a fault tree diagram(FT di-agram),which has a tree structure with logical steps.Design engi-neers developing a new product generally use FTA to analyze many fault events,calculate their probability,and include redundancy systems in the design process.Furthermore,FTA has been used to analyze problems with products and to prevent the occurrence of problems in the design phase.In particular,it is necessary for de-sign engineers to analyze the events after a failure to determine the root causes of the failure of the redundancy systems.However,it is not easy for design engineers to produce an accurate FT diagram in the actual design process.We have developed a computer-aided knowledge management system for creating FT diagrams(FTAid) as part of a collaborative group(The University of Tokyo,National Institute of Advanced Industrial Science and Technology(AIST), and Jatco Ltd.).This system has been verified by the design engi-neers of Jatco Ltd.in actual product development.We report its ef-fectiveness for predicting mechanical,electrical,and heat transfer failure,the verification of the system,and its validation in an actual design process.We conclude that the system can help design engi-neers to effectively and efficiently create FT diagrams in reliability engineering,although some existing ability in FTA and engineering is required.We also describe some outstanding issues regarding the improvement of FTAid,engineering education,and ensuring reli-ability.Index Terms—Design engineering,design for quality,fault tree analysis,knowledge management,reliability,reliability engineering.I.I NTRODUCTIONP RODUCT DESIGN is defined as the process of seekinga design solution that can meet functional requirements under numerous constraints(e.g.,cost,layout,weight,and man-ufacturing conditions)[1].In practical product design,owing to diverse functional requirements,complicated product design systems,and many constraints,obtaining an optimal design so-lution has been difficult for design engineers and their groups and has required significant effort.Many design engineers makeManuscript received December06,2014;revised April14,2015,November 06,2015;accepted December23,2015.Associate editor:W.-T.Chien.Y.Hiraoka is with the Department of Mechanical Engineering,University of Tokyo,Tokyo113-8656,Japan,and also with the National Institute of AIST, Ibaraki305-8564,Japan(e-mail:youji.hiraoka@).T.Murakami is with the Department of Mechanical Engineering,University of Tokyo,Tokyo113-8656,Japan(e-mail:murakami@mech.t.u-tokyo.ac.jp). K.Yamamoto is with Jatco Ltd.,Kanagawa243-0026,Japan(e-mail:kat-sunari_yamamoto@jatco.co.jp).Y.Furukawa and H.Sawada are with the National Institute of AIST,Ibaraki 305-8564,Japan(e-mail:y-furukawa@aist.go.jp;h.sawada@aist.go.jp). Digital Object Identifier10.1109/TR.2015.2513050full use of various design methods and examine their results to achieve the required quality,performance,and durability of products.General design is also a process used by design engineers to meet functional requirements.Because the opposite word to functionality is failure,failure must not occur in design systems.A method used to describe functions and failures and to devise measures to prevent failures is failure modes and effects anal-ysis(FMEA)[2].FMEA is used to manage the design process in total quality management and quality standards(TS16949 [3])and to confirm the safety of designs in accordance with safety standards(IS026262[4]).Furthermore,measures to pre-vent failures are verified by fault tree analysis(FTA),which is used for the quantitative evaluation of fault trees,calculating the probability of failure,and evaluating the probability to judge the effectiveness of measures[5].Therefore,the tools of FMEA and FTA are generally important in the design process for quality management and safety assessment.FTA is a method employed to analyze the cause of a fault. FTA uses a fault tree diagram(FT diagram),which has a tree structure with logical steps.The probability of a failure is cal-culated,which is used to judge the effectiveness of a multiple redundancy system.Therefore,FTA is used to ensure the safety of systems in the plant engineering,aviation,vehicle,and space industries[6]and the quality of products in general manufac-turing to comply with product liability laws.FT diagrams are often used to display events in a system in which a failure mode occurs.However,it has recently become necessary to display an event in terms of design parameters.This is because some prod-ucts do not allow the inclusion of redundancy systems owing to constraints of layout and cost,and the design engineers must prevent failure by setting appropriate design parameters. Recently,some serious accidents and major recalls problems of automobiles have occurred in America and Japan.These have been due to safety problems owing to the malfunction of a com-ponent or a subsystem in the product,for example,the recall of runaway Toyota cars in2011–2012and the recall of Takata airbags in2014.Accidents due to unintended acceleration(UA) of Toyota cars were investigated by NASA Engineering and Safety Center and the National Highway Traffic Safety Ad-ministration(NHTSA)[7].In this investigation,many analysis methods and tests and a large amount of statistical data obtained in thefield were used to establish and prove a hypothesis for the cause of the accidents.In particular,all factors that may have led to failures were analyzed using afishbone diagram,which is similar to an FT diagram,and verified by performing tests and simulations in system,software,and mechanical domains.0018-9529©2015IEEE.Personal use is permitted,but republication/redistribution requires IEEE permission.See /publications_standards/publications/rights/index.html for more information.Fig.1.P-FTA,D-QFD method[9].It was concluded that the cause of UA was the short distance between the accelerator pedal and thefloor mat or the driver error.The cause of accidents involving Takata airbags is cur-rently being investigated.The same analysis methods and tests as for the cause of Toyota cars will be employed.Therefore, design engineers must not only estimate the probability of the failure modes but also clarify all factors and scenarios by which failure may occur in safety problems such as the investigation of the UA of Toyota cars.At the end of the design process,design engineers must take measures to identify problems and verify their effectiveness.Therefore,it is necessary for design engi-neers to analyze all events and factors causing accidents,accu-rately display the design parameters of faults on an FT diagram, and judge that all possible events are included in the FT dia-gram.At the very least,design engineers must display events with accurate design parameters on an FT diagram in the design process.Miyamura[8]reported that the knowledge management of design information using FTA is possible and that it is an ef-fective method of ensuring the design quality of a product.The power train division of Nissan Motors and Jatco Ltd.make use of FTA for problem resolution in product development and pre-vention in the design process.Fig.1shows an example of a de-sign process using FTA:the P-FTA,D-QFD(Perfect-Fault Tree Analysis,Design-Quality Function Deployment)method[9] developed by the power train development division of Nissan Motors.P-FTA is a tool that displays an event causing failures including the design parameters selected by FMEA.Therefore, knowledge management based on FTA is practically effective in the problem resolution of products and in the design process. In this paper,we propose a new approach to FTA involving computerized support to improve the system used for FTA in previous studies.We confirm that an FT diagram can be classi-fied into component failure,system failure,and control failure diagrams in an actual design process.A component failure di-agram is created by a previously proposed computerized sup-port method based on quantity dimension indexing[10],[11]. System failure and control failure diagrams are created by a computerized support method utilizing block diagrams created by design engineers.We have developed this computer-aided FTA system for design engineers as a collaborative research group(The University of Tokyo,National Institute of Advanced Industrial Science and Technology(AIST),and Jatco Ltd.)[12], [13].This system is targeted towards design engineers who can create an accurate FT diagram efficiently using the system.We have investigated the accuracy of FT diagrams created with this system and the time required to confirm its effectiveness in an actual design process at Jatco Ltd.We conclude that the system can support design engineers to prevent almost all failures of machines.We report our verification of the system for many types of failures in machines by comparison between our predic-tion and results in the actual design process.We found that the average time required by engineers to create an FT diagram is decreased by over50%while improving the accuracy of the di-agram by analysis of an actual development process[12]–[15]. We also describe the potential uses of the system.II.P REVIOUS S TUDIES ON FTAFTA wasfirst conceived of in1961by H.A.Watson of Bell Telephone Laboratories jointly with the U.S.Air Force to study missile launch control systems.Since then,FTA has received widespread interest as a tool for ensuring the safety and reli-ability of complex dynamic systems such as vehicles,aircraft, space vehicles,and nuclear reactors.This section describes the previous studies on FTA from three viewpoints.A.Classical Analysis Techniques:FTA and Other Methods The fundamental concept in FTA is the translation of a phys-ical system into a tree structure,in which specified causes lead to a single top event.This logical diagram is generally constructed using event symbols and logic symbols.Upper and lower events are connected with AND and OR gates[5],[6].The top event in the tree structure is selected from the results of a prelimi-nary hazard analysis,design analysis,and quality management process.FTA consists of the following four steps[16]:•systems definition;•fault tree construction;•qualitative evaluation;•quantitative evaluation.In this paper,we only consider the second step of fault tree con-struction through computer-aided support for design engineers. This step is the most important when using FTA in the design process because a mistake in fault tree construction may lead to a problem in products or an unsafe event.Furthermore,FTA is useful for ensuring product quality by establishing the cause of product problems and obtaining design parameters for quality in manufacturing companies.Boeing has studied models of FTA,software for fault tree construction,and how to use FTA in the design process[6].FTA has been used in the design of commercial and military aircraft.Moreover,the knowledge management of design information using FTA(how to prevent past problems,how to design,etc.)is possible and ef-fective in general product design.The power train development division of Nissan Motors also uses FTA in the development process with FTA to ensure the quality in the design stage[8].HIRAOKA et al.:METHOD OF COMPUTER-AIDED FAULT TREE ANALYSIS FOR HIGH-RELIABLE AND SAFETY DESIGN3Fig.2.FT diagram used in actual design process[14].As a result,accurate FT diagrams help to ensure the quality of products in manufacturing companies.puter-Aided AnalysisFTA is useful for ensuring the quality and safety of products, but an FT diagram must accurately display the events leading to the top event.A practical FT diagram is too large and displays many events(Fig.2)[14].It is laborious for design engineers to create an accurate FT diagram in the product design process. Therefore,it is necessary to support them by providing knowl-edge-based information via computer support in the actual de-sign process.Computer support methods and systems aiding fault tree con-struction have been studied in many technical areas(e.g.,air-craft,nuclear power,and chemical plants).Many attempts have been made to develop a procedure for automated fault tree con-struction and an interactive procedure between a user and a com-puter system.These attempts can be classified into three types of computer-aided approaches to fault tree construction[16]. Thefirst uses the algorithmic procedures of traditional com-puter approaches.The CAT[17]and DIGRAPH[18]computer systems and a system based on Taylor's approach[19]have been developed and reported.The CAT approach is oriented towards a fully automated method based on a component model and a simplified scheme representing the system.The DIGRAPH system is thefirst functional approach using a graph connecting different functions and automatically construct the fault tree. Taylor presented a new component model approach in which each component is separately modeled by a context-indepen-dent representation.Second,CAFTS[20],Minitrees[21],and AFTGM[22]have been developed as automated fault tree generation methodolo-gies.CAFTS is an interactive approach between a user and the system,and is supported by modular component models and transfer logic models.Minitrees consists of component models of the physical behavior that are classified in an FT diagram. AFTGM was developed for electrical and electronic applica-tions and employs graph theory to determine the functional structures of the system.Finally,an expert system approach has been developed for computerized fault tree generation that employs artificial intel-ligence(AI).STARS[23]is an expert system for fault tree con-struction.Expert systems are designed so that the knowledge used in an application is separated from the reasoning mech-anism used to determine new facts and solve problems.Such systems employ an inference-engine-based computer code. C.Issues in Previous StudiesAutomated fault tree generation is faster and easier than a manual approach in the design phase,but it acts as a black box regarding FT diagram generation and its accuracy cannot be confirmed.Therefore,design engineers are not responsible for the accuracy of the FT diagram,and ultimately for the safety and reliability of a product.It is important that design engineers can interpret the obtained FT diagram.Furthermore,the methods outlined in the previous section are design support systems that require a database to be established correctly in accordance with the defined notation.Converting enormous amounts of corpo-rate design data into notation to establish the database requires a lot of labor hours and days of work.These were issues in pre-vious studies on the development of computer software.In this paper,we propose a new approach to computerized support for FTA,but that does not rely on“black box”software, and the interpreter of the obtained FT diagram is not a computer but a design engineer,who does not have to build a new database for the company.III.FTA IN THE D ESIGN P ROCESS AND I SSUES Design engineers must think logically when deciding the di-mensions,tolerances,and specifications of a system.They un-consciously logically consider tree structures along with dy-namics and engineering principles,and then make decisions re-garding the design process in accordance with this considera-tion.FTA is a familiar and important tool that visualizes the possibilities for system failure considered by design engineers. An FT diagram is a tool for visualizing the process of design consideration and can also be verified by a chief engineer and a senior manager in the design review.However,it takes time and effort for design engineers and a design team to create an accurate FT diagram.The following issues that design engineers must consider when creating an FT diagram in an actual design process at Jatco Ltd.have been defined[12].We believe that many manufacturing companies have the same issues and problems.•Since technical knowledge and profound expertise are required to create an FT diagram,it is difficult task for younger design engineers.•Since the thoughts of experienced design engineers are affected by past designs,problems,and experiments on products,it is difficult for experienced design engineers to create an error-free accurate FT diagram.4IEEE TRANSACTIONS ON RELIABILITY•Since an FT diagram for an actual design is complicated and the scale is large,checking and the correction of misun-derstandings and oversights may be difficult with the staff available.•Since,during the process of creating a new FT diagram, feedback from senior engineers and corrections must be repeatedly incorporated until the FT diagram is complete, its correction is a time-consuming process. Experienced design engineers are much more likely to de-scribe only the failures that they have experienced in an FT dia-gram,resulting in the FT diagram lacking some events.After re-ceiving feedback from senior engineers,the FT diagram is mod-ified by trial and error.Thoughts being affected by past experi-ences is a general phenomenon that is called“cognitive bias”in psychology[24],and it is frequently found in experienced design engineers.This psychological phenomenon probably af-fects an engineer thought in the actual design process of all com-panies.Thus,enabling design engineers to efficiently create an accurate FT diagram is a major challenge.IV.S UPPORT M ETHODS FOR FTAA.Concept of Classifying an FT DiagramFTA is a systematic method in which the possible causes of fault events can be analyzed and visualized during the product design and development process in the form of an FT diagram. Even in the fault analysis of a single component,the FT diagram frequently becomes large(Fig.1),since it is based on logic. Therefore,the FT diagram of the entire product has a much larger scale,and the checking and correction of possible fault events using human resources is difficult.FT diagrams are clas-sified as follows at Jatco Ltd.so that they can be easily handled by design engineers:•FT diagram of system failure;•FT diagram of component failure;•FT diagram of control failure.An FT diagram of system failure is defined as a tree diagram of some failures that occur between multiple components and controls,and an event that occurs at the end of the diagram is defined as a component failure or control failure.In an FT dia-gram of component failure,the breakage,wear,leakage,and so forth,of a component is defined as the top event.The FT dia-gram of control failure describes a failure in the control system such as a hydraulic system or an electronic system,and the con-trol logic and its input(from a sensor,etc.)are factors causing failure.From its definition,an FT diagram of system failure is composed of a complicated combination of top events in FT di-agrams of component failure and control failure,as shown in Fig.3[15]–[18].This approach to classifying FT diagrams has generally been used in previous studies[21].The proposed method of supporting the creation of FT dia-grams using bidirectional arrows is shown in Fig.3.Since the FT diagram of component failure follows physical phenomena in many cases,we support the creation of FT diagrams using the quantity dimension indexing method[11]–[13].Since the engi-neers responsible for the system and its control use a block dia-gram to analyze the behaviors of the system and control,we sup-port the creation of FT diagrams based on a block diagramincor-Fig.3.Structure of FT diagrams and support method[24].porating the FT diagrams of system failure and control failure. In this way,it is possible to support the creation of FT diagrams of a large-scale system or product by combining these support methods.B.Knowledge Management for FTA in Design ProcessThe concept of our proposed method of FTA is not the auto-mated generation of an FT diagram but a support system based on knowledge management for creating an FT diagram in the design process of product development.Knowledge manage-ment is a promising approach for supporting such complicated design processes,in which design knowledge and information are compileusing information technology then used.An approach to knowledge management based on physical quantities has been discussed in some studies[10].If we select the physical quantities appearing in two descriptions and rep-resent them using SI units(the international system of units), we can estimate their possible relevance because they have a common physical quantity such as temperature(K).This sug-gests a possible advantage of representing physical quantities as an index for estimating the relevance between design knowl-edge descriptions.On the basis of this observation,we propose quantity dimension indexing as a method for design knowledge management and describe the use of this method for FTA.1)Quantity Dimension Indexing:In SI units,all physical quantities describing physical phenomena can be defined by a combination of seven base quantities(and their units):length (m),mass(kg),time(s),electric current(A),thermodynamic temperature(K),amount of substance(mol),and luminous in-tensity(cd).The unit of a quantity is represented as a seven-di-mensional(7-D)vector in a space asHIRAOKA et al.:METHOD OF COMPUTER-AIDED FAULT TREE ANALYSIS FOR HIGH-RELIABLE AND SAFETY DESIGN5TABLE ID IMENSIONS OF V ARIOUS QUANTITIES For example,force kg m/s m kg s is expressed as [110000].We call this 7-D vector a quantity dimension vector.Examples of quantity dimension vectors for various quantities are listed in Table I.Because of the generality,objectivity,and universality of SI,it covers all physical quantities that may appear in any design knowledge or design problem in the past,present,or future,TABLE I (Continued.)D IMENSIONS OF V ARIOUS QUANTITIESand the same physical quantities are represented as the same vectors regardless of differences between people,products,do-mains,organizations,nations,and languages.This is expected to be a promising method for indexing design knowledge from the viewpoint of physical phenomena.One of the authors pre-viously reported that this method is effective for design knowl-edge management [11].6IEEE TRANSACTIONS ONRELIABILITYFig.4.FT diagram and quantity dimension indexing.(a)FT diagram.(b)FT diagram with quantity dimension indexing.2)Quantity Dimension Indexing Support for an FT Dia-gram:An FT diagram for component failure places a fault of a component as the top event.Since a fault of a component occurs following various physical phenomena,the events logi-cally leading up to the top event can mostly be expressed by a physical ually engineers include literal expression in FT diagrams as shown in Fig.4(a)for example.In this study,quantity dimension indexing is applied to such literal expressions as shown in Fig.4(b),as follows.•A physical quantity is defined by its unit expressions such as[N/m2].•The operator‘@’is used to assigning a description string toa physical quantity,for example,[N/m2]@“stress at con-tact”.•A fault value is represented qualitatively,similarly to in qualitative physics(e.g.,[25]).When the occurrence of a fault is because the magnitude of a physical quantity is above(below)the normal range of values,its fault value is represented as“”(“-”).•The operator‘:’is used to assign a qualitative fault value to a physical quantity,for example,[N/m2]@“stress”:means“the stress in N/m2is above the normal range of values.”When expanding a physical quantity of an upper event into dis-junctions or conjunctions of physical quantities of lower events, there appear to be two typical types of expansion.Thefirst type is the decomposition of a physical quantity into those with the same unit dimension,as in the second disjunction in Fig.4(b). In this case,the addition and subtraction of the physical quanti-ties of lower events should comprise the physical quantity of the upper event.The second type is the decomposition of a physical quantity into those with different unit dimensions,as in thefirst disjunction in Fig.4(b).In this case,the multiplication,divi-sion and exponentiation of the physical quantities of the lower events should comprise the physical quantity of the upper event.TABLE IIC OMMONALITY B ETWEEND IMENSIONLESS QUANTITIESIn this study,we assume that both types of physical quantity de-composition are well-structured and appropriate for satisfying necessary conditions for consistency,whereas other types of decomposition are possibly incorrect or unnecessarily compli-cated.This assumption is used to verify FT diagrams. Furthermore,since the indices based on the quantity dimen-sion vectors of each event can be easily found by the computer installed in the system,design engineers can obtain candidate patterns of events from a database and select the correct pattern. In design,dimensionless quantities such as the number of gear teeth,strain[m/m],and energy efficiency[J/J]are often used.Since the quantity dimension vectors of these quantities are the same,i.e.,[0000000],we cannot distinguish the number of gear teeth,strain,and energy efficiency.To solve this problem,special processing is introduced for dimension-less quantities as follows.1)A unit symbol“_”is introduced to directly define dimen-sionless quantities such as the number of items.2)When the resulting dimension vector of a quantity is[0000000],a definition structure is considered for the quantity.When a dimensionless quantity is defined in terms of quantities and by either division or multiplication ,a set of quantities appearing in the definition such as and are considered as defining quantities.Whenis[m/m],,and[(N*m)/J],for example,the defining quantities are{m,m},{m,m},and{(N*m), J},respectively.3)When two dimensionless quantities share the definingquantities of the same dimension,the two dimensionless quantities are regarded as having definition commonality.Table II shows examples of this.4)Similarity estimation between quantities is segmentalizedintofive degrees as shown in Table III.As a result,higher similarity is estimated between two dimen-sionless quantities with definition commonality than between those without definition commonality.3)Procedure Employed in Support System for an FT Dia-gram:Fig.5shows the computer-aided support process con-structed from the concepts of the support system used to create FT diagrams[12].After this system initially performs the quan-tity dimension indexing of a newly created FT diagram on aHIRAOKA et al.:METHOD OF COMPUTER-AIDED FAULT TREE ANALYSIS FOR HIGH-RELIABLE AND SAFETY DESIGN7TABLE IIID EGREE OFS IMILARITY B ETWEEN QUANTITIESFig.5.Support process of quantity dimension indexing [12].computer,the user checks and corrects it to determine the quan-tity dimension index of each event.The system judges the log-icality of each event by quantity dimension indexing and dis-plays the results in different colors (red:incorrect,blue:correct,yellow:caution advised).When it finds a mistake,the software searches the database for a pattern similar to the event in the FT diagram.It calculates the similarity between the mistaken event and the quantity dimensions of the patterns registered in the database,and presents the patterns to the user in order of de-creasing similarity,similarly to a search engine.The userselectsFig.6.Fault-cause patterns for excess electrical resistance.(a)Electrical resis-tance of object.(b)Fault-cause expansion.the pattern judged to be correct among the presented candidates and corrects the event.We considered the creation of two databases containing the past design data and theories.One database contains the pat-terns of FT diagrams created when resolving previous problems (experimental patterns),and the other database contains the pat-terns included in a textbook such as physical formulas and equa-tions (theoretical patterns).A new FT diagram should be com-pared with those in the two databases.If the experimental pat-tern database contains the new FT diagram,design engineers can easily utilize the know-how of the company by referring to the matched patterns.If the theoretical pattern database contains the new FT diagram,it allows the consistency with theories to be confirmed.Furthermore,by accumulating the FT diagrams in a database,the know-how on which FT diagrams are based can be compiled in a database.This means that we can update a data-base of FT diagrams in sequence by registering FT diagrams that have been made in actual design and whose logicality has been verified without building a new database.Note that the data-base of theoretical patterns comprises common data compiled by the University of Tokyo from textbooks and papers and is not confidential.The experimental patterns are confidential and were created to run previous FT diagrams in this system,change their format,and confirm their validity.It took one person,a few。