Systems Engineering for Safety Critical Applications

Part 3 - Redundancy as a Tool for Dependable System Design

Redundancy is a powerful design tool that can, if employed carefully, improve system dependability. If employed without care, the increased system complexity can actually undermine system dependability. After all, it is a fundamental doctrine in reliability analysis that, if no compensatory measures are undertaken, the reliability of a system decreases with increase in complexity of the system. A dependable system then is one that strikes a balance between keeping the system simple, and implementing features for fault tolerance.

In this post we will use the fault tree modelling tool we built in part 2 to compare, quantitatively, different redundancy architectures imposed on a simple automotive braking system model. If you want to skip forward or back in the series, links are below.

Gross Dependability Analysis with Markov Chains. A gross dependability analysis to derive a qualitative numerical estimate of system dependability
Failure Analysis with Binary Fault Trees. An extended Binary Fault Tree to calculate the smallest sets of nodes that, by failing, will bring the system down.
Redundancy as a Tool for Dependable System Design. Using the fault tree modelling tool from part 2 to compare, quantitatively, different redundancy architectures imposed on a simple automotive braking system model.

All code, derivations, tools and files used to generate the analyses are made available to the reader at github.com/hgrw/safety-critical-systems-blog.git.

The System Under Test: Automotive Braking System

To represent the simple system under test we will use the following notations and symbols.

MC - Master Cylinder

W - Wheel Cylinder

L - Hydraulic Line

$$ R(M) = 0.995,\hspace{3mm} R(W_i) = 0.999,\hspace{3mm} R(L_i) = 0.999$$
Safe braking is achieved when either the front break works or the rear break works or both.

1 - No Redundancy

This is the traditional brake design with two front and two rear cylinders connected the hydraulic lines and a master cylinder

Fig.1 - Traditional brake design

\[ R_1 = R_{M1}[1-(1-R_{W1}R_{L1}R_{W2}R_{L2})(1-R_{W3}R_{L3}R_{W4}R_{L4})] = 0.995[1-(1-0.999^4)^2]=0.9949841\]

2 - System Redundancy

Install a duplicate set of brake shoes and cylinder on each wheel and feed these with separate hydraulic lines attached to a second master cylinder. This results in two separate systems and doubles the cost, weight and volume of the system.

Fig.2 - Redundancy at the system level

\[ R_2 = 1 - [(1-R_1)(1-R_1)] = 1 - (1-0.99498)^2 = 0.9999748\]

3 - Component Redundancy

Parallel two master cylinders and run two parallel hydraulic lines to each wheel which connects to a parallel pair of wheel cylinders. In this case, each component is in parallel. Components are individually paralleled.

Fig.3 - Redundancy at the component level

For each of the wheel cylinder and hydraulic line legs in parallel, we get

Top Half
$\({\left \{ 1-\prod\limits_{i=1}^2(1-R_{L_i}) \right \}}^2 {\left \{ 1-\prod\limits_{i=1}^2(1-R_{W_i}) \right \}}^2 = (0.999998)(0.999998)=999996$\)

Bottom Half
$\({\left \{ 1-\prod\limits_{i=1}^2(1-R_{L_i}) \right \}}^2 {\left \{ 1-\prod\limits_{i=1}^2(1-R_{W_i}) \right \}}^2 = (0.999998)(0.999998)=999996$\)

Wheel and Hydraulic Line Subsystem
$\(R_{WL} = {1-(1-0.999998)(1-0.999998)} = 1.6e(-11)$\)

Master Cylinder Subsystem
$\(R_M = 1-(1-0.9995)^2=0.999975$\)
$\(R_3 = R_{WL}R_M=(1-0.000004^2)*0.999975=0.9999750$\)

4 - Targeted Redundancy

In a system with targeted redundancy, we bolster the weakest link, the master cylinder, and leave the rest of the system as-is. A single brake pedal activates two separate master cylinders. One master cylinder feeds a set of hydraulic lines, which connects to the front wheel brakes, and the other master cylinder operates the rear wheel brake cylinder through its own set of lines.

Fig.4 - Hybrid/designed redundancy

Reliability the front wheel, line and master cylinder system

\[R_F = R_{M1}R_{L1}R_{W1}R_{L2}R_{W2}=(0.995)(0.999)^4\]

And at the rear

$RR=RF,$ hence

\[R_4 = 1-[1-(0.995)(0.999)^4]^2=0.9999195\]

Run the Script

Here we run our trusty script from the previous post and generate the TOP node FIT for each redundancy strategy. We expect to see numbers approximately equal to the calculated figures above.

Running 2-extended-boolean-fault-tree-analysis.py yields:

$ python3 2-extended-boolean-fault-tree-analysis.py --input models/automotive-braking-system-no-redundancy.graphml --no-mocus --top-fit-only
System FIT%: 5.01587e-3
$ python3 2-extended-boolean-fault-tree-analysis.py --input models/automotive-braking-system-system-redundancy.graphml --no-mocus --top-fit-only
System FIT%: 2.51590e-5
$ python3 2-extended-boolean-fault-tree-analysis.py --input models/automotive-braking-system-component-redundancy.graphml --no-mocus --top-fit-only
System FIT%: 2.50000e-5
$ python3 2-extended-boolean-fault-tree-analysis.py --input models/automotive-braking-system-hybrid-redundancy.graphml --no-mocus --top-fit-only
System FIT%: 8.05333e-5