Reliability Analysis of Cold Standby System with Scheduled Backups
- Format: pdf
- Size: 304.35 KB
- Pages: 6
Geometric process model of a three-component cold standby degraded system with priority. Zhang Fang, Liu Weidong, Dong Qiuxian.
Abstract: A cold standby repairable system consisting of three different components and one repairman is investigated. The working times and repair times of the three components are assumed to be exponentially distributed. Component 2 is a cold standby for component 1. Component 3 has priority for repair and is as good as new after repair, whereas components 1 and 2 are not as good as new after repair. Under these assumptions a general model of the system is built and analysed using geometric process theory and the supplementary variable method, which yields the Laplace transforms of the reliability indices: system availability, reliability, mean time to first failure (MTTFF), the instantaneous failure frequency (ROCOF), and the probability that the repairman is idle.
Systems Engineering and Electronics, Vol. 44, No. 7, July 2022. Article number: 1001-506X(2022)07-2357-07. Website: www.sys-ele.com. Received 2021-03-10; revised 2021-12-23; published online 2022-03-02.
Online-first address: https://kns.cnki.net/kcms/detail/11.2422.TN.20220302.0941.002.html. Corresponding author marked. Citation format: HU T C, SUN Y F, LI X X, et al. Solution of reliability of cold standby voting system with arbitrary distribution[J]. Systems Engineering and Electronics, 2022, 44(7): 2357-2363.
Solution of reliability of cold standby voting system with arbitrary distribution. Hu Tingchun, Sun Yufeng, Li Xiaoxiao, Zhao Guangyan (School of Reliability and Systems Engineering, Beihang University, Beijing 100191).
Abstract: A k/n:M(G) cold standby voting system contains n working components and M cold spares; the system works when at least k components are working.
Existing research on k/n:M(G) cold standby voting systems concentrates on identical components with exponential distributions; the case of non-identical working components with arbitrary distributions has not been studied.
This paper studies the reliability of a k/n:M(G) cold standby voting system whose working components follow arbitrary distributions while the cold spares share a single distribution.
For k = n, closed-form reliability expressions are given for any value of M, for both identical and non-identical components.
For k < n, two different cold spare replacement strategies are considered, and closed-form reliability expressions are given for identical components and for non-identical components with specific values of M.
Monte Carlo simulation experiments confirm the accuracy of the proposed method.
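The abstract above validates its closed-form results by Monte Carlo simulation. The following Python is an added example, not code from the paper: an event-driven Monte Carlo estimator of R(t) for a k/n:M(G) cold standby voting system with arbitrary lifetime distributions, checked against the closed form for the special case k = n = 1 with exponential units and spares (the system lifetime is then an Erlang sum). The replacement policy (a cold spare immediately replaces the unit that fails while spares remain, with perfect switching) and the Weibull parameters are assumptions chosen for illustration.

```python
import heapq
import math
import random


def erlang_reliability(lam, m, t):
    """Closed form for the special case k = n = 1 with an exponential(lam) working unit
    and m exponential(lam) cold spares: the system lifetime is a sum of m + 1 exponential
    lifetimes, so R(t) = sum_{i=0}^{m} e^{-lam t} (lam t)^i / i!  (Poisson tail)."""
    return sum(math.exp(-lam * t) * (lam * t) ** i / math.factorial(i) for i in range(m + 1))


def system_lifetime(k, n, m, draw_working, draw_spare, rng):
    """One replication: failure time of a k/n:M(G) cold standby voting system.
    Assumed policy: while spares remain, a cold spare immediately replaces the unit
    that fails (perfect switching); a cold spare only starts ageing when switched in.
    Once spares are exhausted the system fails as soon as fewer than k units work."""
    heap = [draw_working(rng) for _ in range(n)]   # failure times of the n working units
    heapq.heapify(heap)
    spares = m
    unreplaced_failures = 0
    while True:
        t_fail = heapq.heappop(heap)               # earliest failure among working units
        if spares > 0:
            spares -= 1
            heapq.heappush(heap, t_fail + draw_spare(rng))
        else:
            unreplaced_failures += 1
            if unreplaced_failures > n - k:        # fewer than k units left working
                return t_fail


def mc_reliability(k, n, m, draw_working, draw_spare, t, trials=40000, seed=7):
    """Monte Carlo estimate of R(t) = P(system lifetime > t)."""
    rng = random.Random(seed)
    survived = sum(
        system_lifetime(k, n, m, draw_working, draw_spare, rng) > t for _ in range(trials)
    )
    return survived / trials


# Lifetime distributions used below (constructed for the example).
def exp1(rng):
    return rng.expovariate(1.0)                 # exponential, rate 1


def weib(rng):
    return rng.weibullvariate(1.2, 2.5)         # Weibull, scale 1.2, shape 2.5 (wear-out)


if __name__ == "__main__":
    # Special case with a closed form: 1/1:2(G), everything exponential.
    print("MC    1/1:2 exp  R(1):", mc_reliability(1, 1, 2, exp1, exp1, 1.0))
    print("exact 1/1:2 exp  R(1):", erlang_reliability(1.0, 2, 1.0))
    # General case the paper addresses: non-exponential working units, 2/3:1(G).
    print("MC    2/3:1 weib R(1):", mc_reliability(2, 3, 1, weib, exp1, 1.0))
```

Because each replication only pops and pushes a heap of n failure times, the estimator's cost is independent of the distributions chosen, which is what makes it a convenient check for closed forms that only exist in special cases.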
Power system glossary (Chinese-English vocabulary; English terms listed):
System and components: power system; generator; excitation; exciter; voltage; current; step-up transformer; bus; transformer; no-load loss; iron loss; copper loss; no-load current; active loss; reactive loss; power transmission system; high-voltage side; transmission line; high voltage; low voltage; medium voltage; angle stability; stability; voltage stability; transient stability; power plant; power transfer; AC; DC; power grid; drop point; switching station; regulation; high-voltage shunt reactor; parallel-connectable; margin; fault; three-phase fault; tap; generator tripping; high ceiling value; static (state); dynamic (state); generator terminal voltage control (AVR); reactance; resistance; power angle; active power; capacitor; reactor; breaker; motor; power factor; stator; impedance; voltage level; active load (PLoad); reactive load; tap position; resistor; conductance; susceptance; upper limit; lower limit; positive-sequence impedance; negative-sequence impedance; zero-sequence impedance; reactive power; reactive current; slope; rating; ratio; reference value; voltage transformer (PT); simulation analysis; droop rate; transfer function; block diagram; receiving end; synchronization; protective circuit breaker; swing; damping; brushless DC motor; isolator (disconnect switch); generator terminal; substation; permanent-magnet synchronous motor; asynchronous motor; three-winding transformer (ThrClnTrans); two-winding transformer (DblClmnTrans); fixed series capacitor compensation; double-circuit lines on the same tower; one-machine infinite-bus system; magnetizing current; degree of compensation; electromagnetic fields; loss of synchronism; installed capacity; reactive power compensation; fault clearing time; critical clearing time; forced excitation; shunt capacitor; droop characteristic; line drop compensation (LDC).
Course names: Electrical Machinery; Automatic Control Theory; Electromagnetic Field; Principles of Microcomputers; Electrotechnics; Principles of Circuits; Steady-State Analysis of Power Systems; Transient Analysis of Power Systems; Principles of Power System Relay Protection; Protection Principles of Power System Elements; Internal Overvoltages in Power Systems; Fundamentals of Analogue Electronics; Digital Electronics; Circuit Principles Laboratory; Lectures on Electrical Power Production; Fundamentals of Power Electronics; High Voltage Engineering; Electronics Project Practice; Introduction to Electrical Engineering; Electronic-Machine Integrated Systems; Electrical Drives and Control; Power System Relay Protection.
Transformers and switchgear: main transformer; step-up transformer; step-down transformer; operating transformer; standby transformer; common transformer; three-phase transformer; single-phase transformer; on-load tap-changing transformer; transformer core; transformer coil; transformer winding; transformer oil tank; transformer casing; transformer fan; transformer oil conservator (drum); transformer rated voltage; transformer rated current; transformer voltage regulation range; power distribution equipment; SF6 circuit breaker; switch; button; isolator (disconnector); vacuum switch; knife switch; earthing knife switch; electrical equipment; current converter; current transformer; voltage transformer; power source; AC power source; DC power source; operating source; standby source; heavy current; light current.
Relays and protection: relay; signal relay; current relay; voltage relay; tripping relay; closing relay; intermediate relay; time relay; zero-sequence voltage relay; differential relay; locking device; telecontrol; telesignalling; telemetry; teleregulation; circuit breaker; minimum-oil breaker; high-frequency filter; combined filter; normally open contact; normally closed contact; parallel capacitance; protective earthing; fuse (fusible cutout); cable; tripping pulse; closing pulse; primary voltage; secondary voltage; parallel capacitor; reactive power compensation device; arc-suppression coil; busbar; delta connection; wye connection; schematic diagram; primary system diagram; secondary system diagram; two-phase short circuit; three-phase short circuit; single-phase ground fault; short-circuit current calculation; automatic reclosing; high-frequency protection; distance protection; transverse differential protection; longitudinal differential protection; line protection; overvoltage protection; bus differential protection; Buchholz (gas) protection; transformer protection; motor protection; remote control; power consumption; carrier; fault; selectivity; speed; sensitivity; reliability; electromagnetic relay; instantaneous overcurrent protection; trip coil; operating coil; restraint coil; main protection; back-up protection; definite-time overcurrent protection; three-stage current protection; inverse-time overcurrent protection; directional current protection; zero-sequence current protection; impedance; microprocessor protection.
Certified Reliability Engineer (CRE) requirements. At present the CRE exam can be taken in Beijing, Shanghai and Shenzhen; as of 2008 it is held twice a year, in March and July.
If your background is sufficient, try working through CRE problems.
The certification is widely used in the United States, and many large companies in Taiwan and Hong Kong also ask for it; companies such as Dell, Intel, HP and Sun Microsystems require their ODM reliability engineers to hold a CRE certificate.
Holders of the CRE are said to earn two to three times more than non-holders; CRE training is gradually starting up in mainland China.
ASQ also sets eligibility requirements that depend on the candidate's educational background.
Reliability Engineer Certification Study Guide
Test your preparedness for the exam using this study guide. Answers are at the end.

1. Which of the following is best defined as the practice of using parallel components and subsystems?
   a. Maintainability   b. Reliability   c. Optimization   d. Redundancy
2. Balancing a reliability requirement against other design parameters, such as performance, cost, or schedule, and then analyzing the consequences of placing special emphasis on one of these factors is called
   a. reliability allocation   b. reliability predictions   c. trade-off decisions   d. system modeling
3. Software reliability planning includes all of the following EXCEPT
   a. selecting models for data analysis and prediction
   b. modeling acquisition of computer software systems
   c. trade-offs of general purpose programs vs. commercially available programs
   d. trade-offs involving cost, schedule, and failure intensity of software products
4. The lifetime of a mechanical lifter is normally distributed with a mean of 100 hours and a standard deviation of 3 hours. What is the reliability of the lifter at 106 hours?
   a. 0.0228   b. 0.0570   c. 0.9430   d. 0.9772
5. In an analysis of variance, which of the following distributions is the basis for determining whether the variance estimates are all from the same population?
   a. Chi square   b. Student's t   c. Normal   d. F
6. A full factorial design of experiments has four factors. The first factor has two levels, the second factor has three levels, the third factor has two levels, and the final factor has four levels. How many runs are required for this analysis?
   a. 16   b. 48   c. 192   d. 256
7. In a certain application, two identical transducers are used to measure the vacuum in a system. The system is considered to have failed if either of the vacuums read by the transducers varies from the standard by more than 10 mm Hg. Which of the following is the correct reliability logic block diagram for the transducer assembly? (The candidate block diagrams are not reproduced in this text.)
8. Assuming perfect switching and perfect starting, which of the following systems has the longest mean life if each system consists of n units with identical reliability?
   a. A series system   b. A parallel system   c. A k-out-of-n system   d. A cold standby system

Questions 9-11 refer to the following situation: A high incidence of failures has developed during aircraft acceptance testing. The identified failure is that an instrument panel light has malfunctioned on 6 of the last 10 aircraft tested. This problem needs to be investigated and a Failure Reporting and Corrective Action System (FRACAS) needs to be completed without stopping aircraft production.

9. The first step of the investigation should be to
   a. collect additional data on similar events over the last two years
   b. conduct failure analysis to determine the failure mode and mechanism
   c. conduct surveillance testing on suspect components
   d. establish a cross-functional team to brainstorm on the cause and effect
10. If the cause of the failure is determined to be a faulty subassembly manufactured only by a single supplier, and this situation is threatening to shut down aircraft production, the next step should be to
   a. visit the supplier to assist in determining the root cause of the problem
   b. initiate a supplier corrective action and return all of the unsorted inventory
   c. issue a Government and Industry Data Exchange Program (GIDEP) alert
   d. update the inspection instruction and retrain receiving inspection
11. If a corrective action notice was sent to the supplier of a faulty subassembly and the supplier's response states that the root cause is simply an operation error, the next step should be to
   a. accept the response and close the FRACAS
   b. visit the supplier to develop a better understanding of the root cause
   c. issue a Government and Industry Data Exchange Program (GIDEP) alert
   d. begin looking for a new supplier
12. Which of the following is an appropriate use for experimental design?
   a. Establishing product requirements   b. Developing a fault-tree analysis
   c. Ensuring the robust design of a product   d. Analyzing customer complaint reports
13. Which of the following is NOT considered good practice in reliability design?
   a. Using proven parts   b. Using series design
   c. Using failure mode and effects analysis (FMEA)   d. Simplifying item configuration
14. According to Taguchi, robustly designed experiments should employ all of the following techniques EXCEPT
   a. inner and outer arrays   b. signal-to-noise ratios   c. linear graphs   d. fold-over capabilities
15. Which of the following measures can be used to find a quick approximation of the availability of a system?
   a. Mean time to failure (MTTF) and mean time to repair (MTTR)   b. Failure rate and failure mode
   c. Mission time and failure rate   d. Downtime and time to repair
16. The investment in automated test equipment is often justified under which of the following circumstances?
   a. Numerous tests must be performed.   b. Repair times must be short.
   c. Conformance records are required.   d. Traceable records are required.
17. For a company operating multiple units of production equipment, the observed failure rate is 42 x 10^-6 failures per operating hour, and the preventive maintenance rate is 320 x 10^-6 actions per hour. What is the mean time between corrective and preventive maintenance (MTBM)?
   a. 2,688.2 hr   b. 2,762.4 hr   c. 2,840.9 hr   d. 26,935.0 hr
18. All of the following are purposes of a production reliability assurance test (PRAT) EXCEPT to
   a. detect significant shifts between the as-built reliability and the as-designed reliability
   b. assess performance against reliability requirements
   c. assess actual product reliability against reliability requirements
   d. minimize the need for specific process controls
19. The primary aim of sequential-life testing is to determine
   a. the probability density function of failures   b. the mean time between failures (MTBF)
   c. whether the stress-level variation is significant   d. whether a lot meets the reliability goal
20. A small sample from a product population is subjected to multiple levels of elevated stress. Which of the following could be used to model the life of the product?
   a. Poisson process   b. Pascal expansion   c. Pareto rule   d. Inverse power law
21. Which of the following are important elements in the concept of consumer risk?
   I. Frequency   II. Schedule   III. Damage
   a. I and II only   b. I and III only   c. II and III only   d. I, II, and III
22. Which of the following tools is used to analyze the safety of a system?
   a. Fault-tree analysis   b. Failure reporting and corrective action system
   c. Reliability allocation   d. Environmental stress screening
23. A component fails on the average of once every 4 years, with 75% of the failures observed to occur during stormy weather. If there are 12 hours of stormy weather to every 240 hours of good weather, what are the failure rates for stormy and good weather, respectively? (Answer choices are not included in this text.)
24. A go/no-go device is tested until it fails. If X is the number of tests to first failure with no wear-out present, and the probability of success on each test is 0.99, then the probability that X is greater than 5 is
   a. 0.9310   b. 0.9410   c. 0.9510   d. 0.9610
25. A reliability growth test in progress has accumulated 4 failures during 5000 test hours. Assuming a growth rate of 0.3, what is the expected MTBF at 25,000 hours?
   a. 1250 hrs   b. 1895 hrs   c. 2026 hrs   d. 3856 hrs
26. A Weibull distribution has been found to describe the reliability distribution, with characteristic life = 12,000 hours and shape parameter (value missing in this text). If these are good parameters, at what time will reliability decrease to 0.85?
   a. 2204 hrs   b. 3503 hrs   c. 4838 hrs   d. 5254 hrs
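The numeric questions above (4, 6, 17, 23, 24, 25 and 26) each rest on one standard reliability formula. The Python below is an added worked example, not part of the study guide, that carries each of those formulas through with the question's own numbers so the arithmetic behind the answer choices can be checked. The Duane growth model is the assumed interpretation of question 25 (the answer choices match the cumulative MTBF, not the instantaneous one), and the shape parameter beta = 2 used for question 26 is an assumption, since the value is missing from the text.

```python
import math


def normal_reliability(t, mean, sd):
    """Q4: R(t) = P(T > t) = 1 - Phi((t - mean) / sd) for a normally distributed lifetime."""
    z = (t - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def full_factorial_runs(levels):
    """Q6: a full factorial design needs one run per combination, i.e. the product of the levels."""
    return math.prod(levels)


def mtbm(failure_rate, pm_rate):
    """Q17: corrective and preventive events are competing Poisson streams, so
    MTBM = 1 / (lambda_corrective + lambda_preventive)."""
    return 1.0 / (failure_rate + pm_rate)


def weather_failure_rates(mtbf_hours, stormy_share, stormy_hours, good_hours):
    """Q23: the failures attributed to each weather regime are divided by the exposure
    time spent in that regime; only the 12:240 ratio of hours matters."""
    lam_total = 1.0 / mtbf_hours
    f_storm = stormy_hours / (stormy_hours + good_hours)      # fraction of time that is stormy
    lam_storm = stormy_share * lam_total / f_storm
    lam_good = (1.0 - stormy_share) * lam_total / (1.0 - f_storm)
    return lam_storm, lam_good


def prob_first_failure_after(n_tests, p_success):
    """Q24: with no wear-out each test is an independent Bernoulli trial, so X is
    geometric and P(X > n) = p^n."""
    return p_success ** n_tests


def duane_cumulative_mtbf(failures, test_hours, target_hours, growth_rate):
    """Q25: Duane model, cumulative MTBF_c(T) = MTBF_c(T0) * (T / T0)^alpha.
    (The instantaneous MTBF would be MTBF_c / (1 - alpha).)"""
    mtbf0 = test_hours / failures
    return mtbf0 * (target_hours / test_hours) ** growth_rate


def weibull_time_for_reliability(eta, beta, r):
    """Q26: R(t) = exp(-(t / eta)^beta)  =>  t = eta * (-ln R)^(1 / beta)."""
    return eta * (-math.log(r)) ** (1.0 / beta)


if __name__ == "__main__":
    print("Q4  R(106 h)              :", round(normal_reliability(106, 100, 3), 4))
    print("Q6  runs                  :", full_factorial_runs([2, 3, 2, 4]))
    print("Q17 MTBM (h)              :", round(mtbm(42e-6, 320e-6), 1))
    lam_s, lam_g = weather_failure_rates(4 * 8760, 0.75, 12, 240)
    print("Q23 lambda storm, good    :", f"{lam_s:.3e}/h", f"{lam_g:.3e}/h")
    print("Q24 P(X > 5)              :", round(prob_first_failure_after(5, 0.99), 4))
    print("Q25 MTBF at 25,000 h      :", round(duane_cumulative_mtbf(4, 5000, 25000, 0.3)))
    # beta = 2 is an assumption: the shape parameter is missing from the question text.
    print("Q26 t for R = 0.85, beta=2:", round(weibull_time_for_reliability(12000, 2, 0.85)))
```

Running the block reproduces answer choices a (Q4), b (Q6), b (Q17), c (Q24) and c (Q25); for Q26 the assumed beta = 2 lands on choice c, and a different shape parameter would move the result.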
Safety engineering glossary (Chinese-English vocabulary; English terms listed, duplicates removed):
Safety management and assessment: safety regulations for operations; safety margins; safe gap; safety monitoring; safety supervision; safety review (SR); safety checklist analysis (SCA); safety appraisal; safety cost effectiveness; safety economics; safety check assessment; safety reliability; safety simulation; safety assessment; safety human-body engineering; safety human factors engineering; safety approval and certification; safety auditor; safety production target system; safety production index; safety accidents; crime of safety accident; evacuation; fire escape (emergency exit); hazardous elements; safety factor; safety system engineering; shear pin; safety information theory; safety assessment upon completion; potential safety hazard; safety preliminary evaluation; safe threshold value; safety pillars; protection devices; physical protection devices; warning equipment; blasting; blast seism; bursting disc; adverse effects of blasting; intrinsic safety; unsafe act; exhaust ventilation; explosion-proofing; explosion-proof electrical equipment; anti-explosion wall; dust control engineering; anti-toxin; high temperature prevention; protection embankment; safety mask; safeguard; radiation protection; hot work; individual protection articles; engineering accidents; industrial accidents; industrial dust suppression; industrial gas defense; industrial ventilation; control of industrial disaster; Mutual Security Agency (U.S.).
Hazard analysis methods: what-if analysis (WI); failure mode and effects analysis (FMEA); fault tree analysis (FTA); boiler breakdowns; nuclear safety; chemical engineering safety; environmental protection engineer; mechanical ventilation; limit load; monitoring point; traffic safety education; local ventilation; reliability analysis (RA); mine ventilation; layout of ventilation shafts; mine permissible type; labour protection; critical safety; threshold quantity; air leakage; lifting safety; potential hazards; water deficiency emergency; ergonomics; human-machine interface; human error; casualty rate; casualty accidents; equipment accident; authorized person; ecological safety; accident handling; accident tree analysis; accident causation theory; event tree analysis; ventilation and air conditioning engineering; hazard identification; hazard and operability study (HAZOP); risk assessment; hazard source; hazard control; risk rank (RR); operation against rules; temperature alarm; silicosis; system safety analysis; system risk assessment; pressure vessels; inflammable article; emergency shelter; emergency countermeasures; emergency plan; harmful work; occupational health and safety; occupational health and safety standards; occupational health and safety management system; occupational hazard; major accident; major hazard installations; Certified Safety Engineer; safety specific evaluation; natural ventilation; flame retardant; optimum burst range; work environment hygiene; job risk analysis (LEC).
Safety science terms: safety limits; safety dialectic; safety sign; safety standards; safety glass; security vehicle; safety cost; safety measures; safety belts (aircraft); safety belts; safety lamps; safety level; safety electrical engineering; security dispatching (electrical power systems); degree of safety; safety countermeasures; relief valves; safety laws and regulations; safety jurisprudence; safety protection; protective lighting; safety risk; safety engineering; technical personnel of safety engineering; safety engineer; safety work; safety work system; safety outlook; safety management; safety administration system; safety regulation; safe ship speed; safety measurements; safety metrology; safety techniques; safety supervising; safety monitoring system; safety detection and monitoring-control technique; safety inspection; safety check lists; health and safety products; safety education; safety pedagogy; safety science; safety technique; containments (reactors); containment systems; safety control technology; safety cybernetics; overload clutches; safety legislation; safety interlocking system; safety couplings; safety ethics; safety aesthetics; safety pattern; safety training; airbag; safety walls; safety man-machine interface; safety human-body science; three-level safety education; safety equipment; safety equipment engineering; safety equipment electromechanics; safety equipment hygiene; safety equipment science; safety design; safety social engineering; safety sociology; safety production; safety physiology; safe childbirth; safety history; safety experiment; safety disposition; science of safety systems; safety statistics; hood; safety investment; safety materialism; safety committee; safety culture; safety system; safety system analysis; safety systematology; safety-stitch sewing machines; safety flavoring; safety psychology; safety signals; safety information; security in information technology; safe behavior; nature of safety; safety theory; safety restraint; safety propaganda; safe cigarettes; safety instruments; safety consciousness; safety elements; safety potential hazard; electrical safety; safety personnel; safety operations research; safety transportation; safety barrier; safety explosives; safety philosophy; safety law enforcement; safety-quality potential hazard; intermediary organization of safety; safety devices; safety self-organizing; safety organization.
Domain-specific safety: range safety; carrying safety; safety and arming devices (fuzes); warning systems; shotfiring safety; safety blasting instruments; explosion safety engineering; intrinsically safe circuit; industrial safety engineering; product safety functions; inflatable devices; ship safety; guided missile safety; low-pressure safety valve; underground life support systems; power system safety; electronic theft-proof instrument; short-circuit accidents; institute for reactor safety; reactor safety; reactor safety fuses; explosion-proof tests; industrial poisoning control engineering; fire safety; fire bank; protection from cold; solar heat protection; heat stroke prevention; anti-spin systems; radioactivity; safety techniques of film projection; air emergency apparatus; aircraft fire protection; air safety; flight safety devices; risk assessment and failure analysis; radiolysis; radiation shielding; radiation hazards; protection of women in the labour force; high and low temperature protection; personal flight safety fittings; personal protective equipment; factory safety; industrial accident; industrial safety.
Engineering Failure Analysis

Abstract
The scale and complexity of computer-based safety-critical systems, like those used in the transport and manufacturing industries, pose significant challenges for failure analysis. Over the last decade, research has focused on automating this task. In one approach, predictive models of system failure are constructed from the topology of the system and local component failure models using a process of composition. An alternative approach employs model checking of state automata to study the effects of failure and verify system safety properties. In this paper, we discuss these two approaches to failure analysis. We then focus on Hierarchically Performed Hazard Origin & Propagation Studies (HiP-HOPS), one of the more advanced compositional approaches, and discuss its capabilities for automatic synthesis of fault trees, combinatorial Failure Modes and Effects Analyses, and reliability versus cost optimisation of systems via application of automatic model transformations. We summarise these contributions and demonstrate the application of HiP-HOPS on a simplified fuel oil system for a ship engine. In light of this example, we discuss strengths and limitations of the method in relation to other state-of-the-art techniques. In particular, because HiP-HOPS is deductive in nature, relating system failures back to their causes, it is less prone to combinatorial explosion and can more readily be iterated. For this reason, it enables exhaustive assessment of combinations of failures and design optimisation using computationally expensive meta-heuristics.

1. Introduction
Increasing complexity in the design of modern engineering systems challenges the applicability of rule-based design and classical safety and reliability analysis techniques. As new technologies introduce complex failure modes, classical manual analysis of systems becomes increasingly difficult and error prone. To address these difficulties, we have developed a computerised tool called 'HiP-HOPS' (Hierarchically Performed Hazard Origin & Propagation Studies) that simplifies aspects of the engineering and analysis process. The central capability of this tool is the automatic synthesis of fault trees and Failure Modes and Effects Analyses (FMEAs) by interpreting reusable specifications of component failure in the context of a system model. The analysis is largely automated, requiring only the initial component failure data to be provided, and therefore reduces the manual effort required to examine safety; at the same time, the underlying algorithms can scale up to analyse complex systems relatively quickly, enabling the analysis of systems that would otherwise require partial or fragmented manual analyses.
More recently, we have extended the above concept to solve a design optimisation problem: reliability versus cost optimisation via selection and replication of components and alternative subsystem architectures. HiP-HOPS employs genetic algorithms to evolve initial non-optimal designs into new designs that better achieve reliability requirements with minimal cost. By selecting different component implementations with different reliability and cost characteristics, or substituting alternative subsystem architectures with more robust patterns of failure behaviour, many solutions from a large design space can be explored and evaluated quickly. Our hope is that these capabilities, used in conjunction with computer-aided design and modelling tools, allow HiP-HOPS to facilitate the useful integration of a largely automated and simplified form of safety and reliability analysis into an improved design process. This in turn will, we hope, address the broader issue of how to make safety a more controlled facet of the design, so as to enable early detection of potential hazards and to direct the design of preventative measures. The utilisation of the approach and tools has been shown to be beneficial in case studies on engineering systems in the shipping [1] and offshore industries [2]. This paper outlines these safety analysis and reliability optimisation technologies and their application in an advanced and largely automated engineering process.

2. Safety analysis and reliability optimisation

3. Safety analysis using HiP-HOPS
HiP-HOPS is a compositional safety analysis tool that takes a set of local component failure data, which describes how output failures of those components are generated from combinations of internal failure modes and deviations received at the components' inputs, and then synthesises fault trees that reflect the propagation of failures throughout the whole system. From those fault trees, it can generate both qualitative and quantitative results as well as a multiple failure mode FMEA [35]. A HiP-HOPS study of a system design typically has three main phases:
Modelling phase: system modelling and failure annotation.
Synthesis phase: fault tree synthesis.
Analysis phase: fault tree analysis and FMEA synthesis.
Although the first phase remains primarily manual in nature, the other phases are fully automated. The general process in HiP-HOPS is illustrated in Fig. 2 below. The first phase, system modelling and failure annotation, consists of developing a model of the system (including hydraulic, electrical or electronic and mechanical systems, as well as conceptual block and data flow diagrams) and then annotating the components in that model with failure data. This phase is carried out using an external modelling tool or package compatible with HiP-HOPS. HiP-HOPS has interfaces to a number of different modelling tools, including Matlab Simulink, Eclipse-based UML tools, and particularly SimulationX. The latter is an engineering modelling and simulation tool developed by ITI GmbH [36] with a fully integrated interface to HiP-HOPS. This has the advantage that existing system models, or at least models that would have been developed anyway in the course of the design process, can also be re-used for safety analysis purposes rather than having to develop a new model specific to safety.
The second phase is the fault tree synthesis process. In this phase, HiP-HOPS automatically traces the paths of failure propagation through the model by combining the local failure data for individual components and subsystems. The result is a network of interconnected fault trees defining the relationships between failures of system outputs and their root causes in the failure modes of individual components. It is a deductive process, working backwards from the system outputs to determine which components caused those failures and in what logical combinations.
The final phase involves the analysis of those fault trees and the generation of an FMEA. The fault trees are first minimised to obtain the minimal cut sets, the smallest possible combinations of failures capable of causing any given system failure, and these are then used as the basis of both quantitative analysis (to determine the probability of a system failure) and the FMEA, which directly relates individual component failures to their effects on the rest of the system. The FMEA takes the form of a table indicating which system failures are caused by each component failure. The various phases of a HiP-HOPS safety analysis will now be described in more detail.
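The three phases just described (local failure annotations, deductive fault tree synthesis along the topology, then minimal cut sets, quantification and a multiple-failure-mode FMEA) can be shown end to end on a toy model. The Python below is an added example written for this page; it is not HiP-HOPS code, and the two-pump fuel system, its annotations and the failure probabilities are constructed for illustration rather than taken from the paper's ship engine case study. Annotation expressions use plain strings for internal failure modes and the form "in:<class>-<port>" for a deviation class received at an input port; deviations propagate unchanged along a connection (an assumption of this toy model).

```python
import math
from itertools import combinations, product


# ---- Boolean algebra on lists of cut sets (disjunctive normal form) ------------------
def minimise(cutsets):
    """Keep only minimal cut sets: drop any set that contains another cut set."""
    result = []
    for c in sorted(set(cutsets), key=len):
        if not any(r <= c for r in result):
            result.append(c)
    return result


def OR(*terms):
    return minimise([c for t in terms for c in t])


def AND(*terms):
    acc = [frozenset()]
    for t in terms:
        acc = minimise([a | b for a, b in product(acc, t)])
    return acc


# ---- Constructed model (assumption): tank feeding two pumps on one PSU, joined at a manifold
ANNOTATIONS = {
    "Tank":     {"Omission-out": "Empty"},
    "PSU":      {"Omission-out": "Fail"},
    "Pump1":    {"Omission-out": ("OR", "Stuck", "in:Omission-fuel", "in:Omission-power")},
    "Pump2":    {"Omission-out": ("OR", "Stuck", "in:Omission-fuel", "in:Omission-power")},
    "Manifold": {"Omission-out": ("OR", "Blocked", ("AND", "in:Omission-in1", "in:Omission-in2"))},
}
# Topology: (component, input port) -> (source component, source output port).
CONNECTIONS = {
    ("Pump1", "fuel"): ("Tank", "out"), ("Pump2", "fuel"): ("Tank", "out"),
    ("Pump1", "power"): ("PSU", "out"), ("Pump2", "power"): ("PSU", "out"),
    ("Manifold", "in1"): ("Pump1", "out"), ("Manifold", "in2"): ("Pump2", "out"),
}


def synthesise(component, deviation, seen=frozenset()):
    """Deductive synthesis: expand an output deviation at a component into minimal cut
    sets of basic events by following the connections backwards towards the causes."""
    key = (component, deviation)
    if key in seen:                  # guard against feedback loops (assumption: cut them)
        return []
    return _expand(component, ANNOTATIONS[component][deviation], seen | {key})


def _expand(component, expr, seen):
    if isinstance(expr, str):
        if expr.startswith("in:"):   # input deviation: same class at the connected output
            cls, port = expr[3:].split("-")
            src, src_port = CONNECTIONS[(component, port)]
            return synthesise(src, f"{cls}-{src_port}", seen)
        return [frozenset([f"{component}.{expr}"])]   # basic event: internal failure mode
    op, *args = expr
    parts = [_expand(component, a, seen) for a in args]
    return OR(*parts) if op == "OR" else AND(*parts)


def top_event_probability(cutsets, prob):
    """Exact P(top event) for independent basic events, by inclusion-exclusion over cut sets."""
    total = 0.0
    for r in range(1, len(cutsets) + 1):
        for combo in combinations(cutsets, r):
            events = frozenset().union(*combo)
            total += (-1) ** (r + 1) * math.prod(prob[e] for e in events)
    return total


def fmea(system_failures):
    """Multiple-failure-mode FMEA: for each basic event, which system failures it causes
    on its own ("direct") and which it only contributes to in combination."""
    table = {}
    for name, cutsets in system_failures.items():
        for cs in cutsets:
            for event in cs:
                others = sorted(cs - {event})
                table.setdefault(event, {})[name] = "direct" if not others else "with " + ", ".join(others)
    return table


if __name__ == "__main__":
    top = synthesise("Manifold", "Omission-out")
    print("minimal cut sets:", [sorted(c) for c in top])
    # Constructed per-mission failure probabilities of the basic events (assumption).
    P = {"Tank.Empty": 1e-4, "PSU.Fail": 1e-3, "Manifold.Blocked": 5e-5,
         "Pump1.Stuck": 1e-2, "Pump2.Stuck": 1e-2}
    print("P(no fuel at manifold) =", top_event_probability(top, P))
    for event, effects in fmea({"Manifold:Omission-out": top}).items():
        print(f"{event:17s}", effects)
```

The cut sets expose what the redundant pumps do not protect against: the shared tank and the shared PSU appear as single-point cut sets, while the pumps only appear together. Because the top event is quantified exactly rather than by summing cut-set probabilities, the result is slightly below the rare-event approximation, which is the direction a conservative analyst expects.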
In practice, though, this analysiswill often indicate that certain requirements cannot be met by the current design, in which case the design will need to be revised.This is a problem commonly encountered in the design of reliable or safety critical systems. Designers of such systems usually have to achieve certain levels of safety and reliability while working within cost constraints. Design is a creative exercise that relies on the technical skills of the design team and also on experience and lessons learnt from successful earlier projects, and thus the bulk of design work is creative. However, we believe that further automation can assist the process of iterating the design by aiding in the selection of alternative components or subsystem architectures as well as in the replication of components in the model, all of which may be required to ensure that the system ultimately meets its safety and reliability requirements with minimal cost.A higher degree of reliability and safety can often be achieved by using a more reliable and expensive component, analternative subsystem design (e.g. A primary/standby architecture), or by using replicated components or subsystems to achieve redundancy and therefore ensure that functions are still provided when components or subsystems fail. In a typicalsystem design, however, there are many options for substitution and replication at different places in the system and different levels of the design hierarchy. It may be possible, for example, to achieve the same reliability by substituting two sensors in one place and three actuators in another, or by replicating a single controller or control subsystem, etc. Different solutions will, however, lead to different costs, and the goal is not only to meet the safety goals and cost constraints but also to do so optimally, i.e. find designs with maximum possible reliability for the minimum possible cost. 
Because the options for replication and/or substitution in a non-trivial design are typically too many to consider manually, it is virtually impossible for designers to address this problem systematically; as a result, they must rely on intuition, or on evaluation of a few different design options. This means that many other options – some of which are potentially superior – are neglected. Automation of this process could therefore be highly useful in evaluating a lot more potential design alternatives much faster than a designer could do so manually.

Recent extensions to HiP-HOPS have made this possible by allowing design optimisation to take place automatically [38]. HiP-HOPS is now capable of employing genetic algorithms in order to progressively "evolve" an initial design model that does not meet requirements into a design where components and subsystem architectures have been selected and where redundancy has been allocated in a way that minimizes cost while achieving given safety and reliability requirements. In the course of the evolutionary process, the genetic algorithm typically generates populations of candidate designs which employ user-defined alternative implementations for components and subsystems as well as standard replication strategies. These strategies are based on widely used fault tolerant schemes such as hot or cold standbys and n-modular redundancy with majority voting. For the algorithm to progress towards an optimal solution, a selection process is applied in which the fittest designs survive and their genetic makeup is passed to the next generation of candidate designs. The fitness of each design relies on cost and reliability. To calculate fitness, therefore, we need methods to automatically calculate those two elements. An indication of the cost of a system can be calculated as the sum of the costs of its components (although for more accurate calculations, life-cycle costs should also be taken into account, e.g. production, assembly and maintenance costs) [39]. However, while calculation of cost is relatively easy to automate, the automation of the evaluation of safety or reliability is more difficult as conventional methods rely on manual construction of the reliability model (e.g. the fault tree, reliability block diagram or the FMEA). HiP-HOPS, by contrast, already automates the development and calculation of the reliability model, and therefore facilitates the evaluation of fitness as a function of reliability (or safety). This in turn enables a selection process through which the genetic algorithm can progress towards an optimal solution which can achieve the required safety and reliability at minimal cost.

One issue with genetic algorithms is that it has to be possible to represent the individuals in the population – in this case, the design candidates – as genetic encodings in order to facilitate crossover and mutation. Typically this is done by assigning integers to different alternatives in specific positions in the encoding string, e.g. a system consisting of three components may be represented by an encoding string of three digits, the value of each of which represents one possible implementation for those components. However, although this is sufficient if the model has a fixed, flat topology, it is rather inflexible and cannot easily handle systems with subsystems, replaceable sub-architectures, and replication of components, since this would also require changing the number of digits in the encoding string.

The solution used in HiP-HOPS is to employ a tree encoding, which is a hierarchical rather than linear encoding that can more accurately represent the hierarchical structure of the system model. Each element of the encoding string is not simply a number with a fixed set of different values; it can also represent another tree encoding itself. Fig. 7 shows these different possibilities: we may wish to allow component A to be replaced with either a low cost, low reliability implementation (represented as 1), a high cost, high reliability implementation (2), or an entirely new subsystem with a primary/standby configuration (3). If the third implementation is selected, then a new sub-encoding is used, which may contain further values for the components that make up the new subsystem, i.e. the primary and the standby. Thus encoding "1" means that the first implementation was chosen, encoding "2" means the second was chosen, "3(11)" means that the third was chosen (the subsystem) and furthermore that the two subcomponents both use implementation 1, while "3(21)" for example means that the primary component in the subsystem uses implementation 2 instead. Although the tree encoding is more complex, it is also much more flexible and allows a far greater range of configuration options to be used during the optimisation process.

HiP-HOPS uses a variant of the NSGA-II algorithm for optimisation. The original NSGA-II algorithm allows for both undominated and dominated solutions to exist in the population (i.e. the current set of design candidates). To help decide which solutions pass on their characteristics to the next generation, they are ranked according to the number of other solutions they dominate. The more dominant solutions are more likely to be used than the less dominant solutions. HiP-HOPS is also able to discard all but the dominant solutions. This is known as a pure-elitist algorithm (since all but the best solutions are discarded) and also helps to improve performance.

To further enhance the quality of solutions and the speed with which they can be found, a number of other modifications were made.
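The tree encoding and the pure-elitist dominance filter described above, carried through as an added Python example rather than HiP-HOPS' own code: the two-implementation catalogue, the candidate encodings and the primary/standby reliability model (the subsystem fails only when every part fails, with perfect switching and independent failures assumed) are constructed assumptions.

```python
# Constructed catalogue for this added example (not HiP-HOPS' own data):
# implementation number -> (cost, probability of failure over the mission).
CATALOGUE = {1: (10.0, 0.05), 2: (40.0, 0.001)}
CANDIDATES = ["1", "2", "3(11)", "3(21)", "3(3(11)1)"]   # constructed population

def parse(encoding):
    """Parse an encoding such as '2' or '3(21)' into ints and [kind, children] lists."""
    tokens = [c for c in encoding if not c.isspace()]
    pos = 0
    def node():
        nonlocal pos
        value = int(tokens[pos])          # an implementation choice
        pos += 1
        if pos < len(tokens) and tokens[pos] == "(":
            pos += 1                      # sub-encoding for a subsystem's parts
            children = []
            while tokens[pos] != ")":
                children.append(node())
            pos += 1
            return [value, children]
        return value
    tree = node()
    if pos != len(tokens):
        raise ValueError(f"trailing characters in {encoding!r}")
    return tree

def evaluate(tree):
    """Return (cost, failure probability). Implementation 3 is the primary/standby
    subsystem of the text; assumed model: cost is the sum of the parts' costs and the
    subsystem fails only if every part fails, so the parts' probabilities multiply."""
    if isinstance(tree, int):
        return CATALOGUE[tree]
    kind, children = tree
    if kind != 3:
        raise ValueError(f"no subsystem defined for implementation {kind}")
    parts = [evaluate(c) for c in children]
    unrel = 1.0
    for _, q in parts:
        unrel *= q
    return sum(c for c, _ in parts), unrel

def dominates(a, b):
    """Pareto dominance: a is no worse than b on both objectives and better on one."""
    return all(x <= y for x, y in zip(a, b)) and a != b

def pure_elitist(encodings):
    """Keep only the non-dominated candidates (the pure-elitist variant of the text)."""
    scored = {e: evaluate(parse(e)) for e in encodings}
    return sorted(e for e in scored
                  if not any(dominates(scored[o], scored[e]) for o in scored if o != e))
```

With these constructed numbers, `pure_elitist(CANDIDATES)` drops "2" (the high-reliability single component) because the nested "3(3(11)1)" standby arrangement is both cheaper and more reliable, while the remaining four candidates trade cost against reliability and all survive.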
One improvement was to maintain a solution archive similar to those maintained by tabu search and ant colony optimisation; this has the benefit of ensuring that good solutions are not accidentally lost during subsequent generations. Another improvement was to allow constraints to be taken into account during the optimisation process, similar to the way penalty-based optimisation functions: the algorithm is encouraged to maintain solutions within the constraints, and solutions outside them, while permitted, are penalised to a varying degree. In addition, younger solutions – i.e. ones more recently created – are preferred over ones that have been maintained in the population for a longer period; again, this helps to ensure a broader search of the design space by encouraging new solutions to be created rather than reusing existing ones.

Engineering failure analysis

Abstract

The scale and complexity of computer-based safety-critical systems, such as those used in the transport and manufacturing industries, pose significant challenges to engineering failure analysis.