Non-coherent modelling in compositional fault tree analysis

Abstract

The inclusion of NOT gates in a fault tree creates a 'non-coherent' structure in which not only the failure of a component but also the negation of failure, i.e. the working state of the component, can contribute to the undesirable effects on a system. This type of non-coherent modelling remains controversial; its usefulness is still debated among academics, which explains why NOT gates have not been included in the Fault Tree Handbook. In this paper, we review work on non-coherent fault trees and highlight circumstances where non-coherent modelling is appropriate and useful. We then describe an extension to HiP-HOPS (Hierarchically Performed Hazard Origin and Propagation Studies), a recently proposed compositional safety analysis method, that enables model-based synthesis and analysis of non-coherent fault trees. A small example is given to illustrate application of the extended method and demonstrate how this type of non-coherent modelling can give a more precise and ultimately more correct insight into failure behaviour. Copyright © 2007 International Federation of Automatic Control All Rights Reserved.