manual - Michigan State Universitycse.msu.edu/~cse870/Materials/FaultTolerant/manual-gal… ·...

Galileo User’s Manual &Design Overview

(Version 2.11-Alpha)

University of Virginia Kevin Sullivan, Computer Science

Joanne Bechta Dugan, Electrical Engineering

Contributors: Tom Sabanosh, Sara Jane Curwen, Michael Taylor, Steven J. Miller

_____________________________________________________________________________________________

Table of Contents

I. INTRODUCTION TO GALILEO...........................................................................................................................1

OVERVIEW..................................................................................................................................................................1SYSTEM REQUIREMENTS............................................................................................................................................1

Hardware Requirements.......................................................................................................................................1Software Requirements..........................................................................................................................................1

INSTALLATION............................................................................................................................................................1

II. TECHNICAL OVERVIEW AND DESIGN RATIONALE OF GALILEO......................................................2

PACKAGE-ORIENTED PROGRAMMING FOR LARGE-SCALE REUSE..............................................................................2THE DIFTREE APPROACH TO MODULAR DYNAMIC FAULT TREE ANALYSIS............................................................3

III. BASIC OPERATION OF GALILEO..................................................................................................................3

RUNNING GALILEO.....................................................................................................................................................4CREATING A NEW FAULT TREE..................................................................................................................................4OPENING AN EXISTING FAULT TREE..........................................................................................................................4SAVING A FAULT TREE...............................................................................................................................................4PRINTING A FAULT TREE............................................................................................................................................4EXITING FROM GALILEO.............................................................................................................................................4

IV. EDITING FAULT TREES IN GALILEO...........................................................................................................4

SELECTING A VIEW TO EDIT.......................................................................................................................................4EDITING IN THE TEXTUAL VIEW................................................................................................................................5

Gates......................................................................................................................................................................5Basic Events..........................................................................................................................................................6An Example Fault Tree.........................................................................................................................................7

EDITING WITH VISIO...................................................................................................................................................8SWITCHING BETWEEN EDITING MODES...................................................................................................................10

V. ANALYZING A FAULT TREE USING GALILEO.........................................................................................11

VI. GALILEO’S WEB-BASED HELP SYSTEM....................................................................................................11

VII. KNOWN BUGS AND TROUBLESHOOTING...............................................................................................12

SOMETIMES WHEN I OPEN AN *.FTD FILE THE VISIO VIEW IS BLANK!.....................................................................12I ACCIDENTALLY CLOSED THE VISIO STENCIL. WHAT SHOULD I DO?.....................................................................12HOW DO I IMPORT FAULT TREES FROM GALILEO VERSION 1.4?..............................................................................12WHEN I TRY TO RENDER MY TEXTUAL FAULT TREE TO VISIO OR TO ANALYZE THE TREE, I GET A SYNTAX ERROR ON LINE N. HOW CAN I FIND THAT LINE WITHOUT HAVING TO COUNT EACH INDIVIDUAL LINE OF CODE?............12SOMETIMES WHEN I START GALILEO AND CREATE A NEW FAULT TREE, THE WORD AND VISIO APPLICATIONS OPEN EXTERNALLY. WHAT SHOULD I DO?...............................................................................................................12I RECEIVE THE ERROR MESSAGE "BASIC LOGIC GATES IS PART OF THE WORKSPACE BUT CANNOT BE OPENED. FILE NOT FOUND."............................................................................................................................................................13SOMETIMES, WHEN I TRY FILE/NEW OR FILE/OPEN, GALILEO CRASHES.................................................................13THE VISIO VIEW AND STENCIL LOCK UP. WHAT SHOULD I DO?.............................................................................13GALILEO PROMPTS ME TO SAVE MY FAULT TREE WHEN IT IS UNNECESSARY. WHY DOES THIS OCCUR?...............13THE INTERNET EXPLORER WINDOW IS NOT RESIZING PROPERLY. WHAT CAN I DO TO FIX THIS PROBLEM?..........13

_____________________________________________________________________________________________

Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved.

_____________________________________________________________________________________________

I. Introduction to Galileo

OverviewGalileo is an easy-to-use research prototype software tool for dynamic fault tree analysis on personal computers, namely PC machines running Microsoft’s Windows 95, 98 or NT operating system. Fault tree analysis is one of several important approaches to probabilistic risk assessment for engineered systems. We selected the name Galileo for our tool because Galileo was the first person to study the failure of engineered systems systematically.

Galileo is distinguished in two key dimensions. First, it supports the DIFtree modular dynamic fault tree analysis approach of Professor Joanne Bechta Dugan, of the Electrical Engineering Department at the University of Virginia. Second, it provides this capability to engineers in a tool based on the Package-Oriented Programming (POP) design approach of Professor Kevin Sullivan, of the Department of Computer Science also at the University of Virginia.

In particular, Galileo hosts DIFtree in a tightly integrated and easy-to-use package that integrates Microsoft's Word and Visio's Visio Technical drawing program within an overall interface based on Microsoft Windows user interface technology. The POP approach enables engineers to edit and display fault trees in either textual and graphical form, using a tool based on standard, widely used, commercially supported components that are easy to integrate into real engineering practice. Our POP software development approach has given us (and you) a tool that appears to be far richer, easier to use and more easily changed than would otherwise possible.

In a nutshell, Galileo allows you to enter and manipulate dynamic fault trees in either textual form, using a little language for fault trees, or in Visio graphical form. It allows you to map these representations back and forth, e.g., to automatically generate a drawing of a tree from a textual specification. And it allows you to submit a specified tree to the underlying analysis engine. Galileo also has an embedded World-Wide-Web help and support function.

NOTE WELL: Despite our advances, Galileo remains a research prototype. Read the known bugs list at the end of this document. Galileo 2.11-Alpha cannot be relied upon for the analysis of critical systems, e.g., nuclear, medical.

System Requirements

Hardware Requirements

Minimum Recommended

CPU: P90 P166

Memory: 16MB 32MB

HD space: 35MB (including 30 at runtime) 50MB

Software Requirements

In order to run Galileo, you must have Microsoft Windows 95, 98 or NT and Microsoft Internet Explorer 4.0 and at least one of Microsoft Word 97 or Visio Technical 5.0 installed on your computer.

Installation1. Whether you downloaded the tool from the Web or received it on diskette, you need to unzip the Galileo

archive. If you received the disks, insert the first disk into the appropriate drive. The easiest way to unzip the

_____________________________________________________________________________________________

Copyright 1996, 1997, 1998 University of Virginia. All Rights Reserved. 1

_____________________________________________________________________________________________

archive is to use Nico Mak Computing's WinZip utility, available at http://www.winzip.com. Select the archive in WinZip and click the install button. WinZip will extract the files and run Setup.exe for you. If you extracted the files manually, run Setup.exe from the directory in which you unzipped the archive.

2. Galileo has to install its Visio stencil in your Visio program's stencils directory (if you have one). If Visio is installed on your hard drive, the Galileo setup program will automatically locate its directory. If setup cannot find the Visio folder for some reason, you will be asked to supply the path name. Do so, or click on the Next button if Visio is not installed.

3. Run Galileo by clicking on the icon located on the Programs sub-menu of the Windows 95/98/NT Start menu.

II. Technical Overview and Design Rationale of GalileoWe now describe Sullivan’s Package-Oriented Programming approach and Dugan’s DIFtree analyzer in detail.

Package-Oriented Programming for Large-Scale ReuseFrom a software engineering research perspective our work represents an attempt to evaluate Professor David Garlan’s (CMU) thesis that architectural mismatch makes large-scale reuse hard or infeasible. The idea that has driven our work is that with a suitable component integration architecture and conformant components, large-scale reuse is possible and profitable. We agree with the implicit claim that lack of such an architecture makes large-scale reuse hard. We claim (with Garlan’s work as evidence) that integration architectures are necessary for large-scale reuse. The question we address is: do integration architectures exist that are sufficient to enable large-scale reuse?

In order to answer this question, we have adopted the informal hypothesis that the reuse and integration of massive components conforming to an effective integration architecture enables the rapid and inexpensive production of industrially viable software systems. To test this hypothesis, we negated it and restricted it to software tools for engineering analysis, with fault tree analysis as a convenient (and useful) example. The null hypothesis was thus that the reuse and integration of massive components conforming to an integration architecture could not enable rapid and inexpensive production of industrially viable software tools for engineering modeling and analysis. Galileo is the result of our attempt to test this claim. We adopted Microsoft’s integration architecture (comprising elements including OLE Automation and the Active Document Architecture) with Microsoft Office application components as perhaps the best known, most promising integration architecture for our purposes. Galileo is the result. To the extent that Galileo has clear potential as an industrially viable tool, we have to reject the null hypothesis.

From a component package integration perspective, Galileo is distinguished in several dimensions.

Tight Integration of Multiple Packages

Galileo is based on the tight integration of multiple shrink-wrapped commercial-off-the-shelf (COTS) packages. It is not built on a single package, but instead integrates multiple packages as co-equal components.

Package-Based Views of Engineering Models

Galileo uses packages as user-friendly and richly functional views of an engineering model (i.e., of a fault tree). Microsoft Word presents the tree being edited in a textual form based on the Galileo fault tree language. Visio presents the tree as a structured technical drawing using Galileo shapes and behaviors programmed for Visio.

Compiler-Based Consistency Model

Galileo keeps views consistent in a manner based on an analogy with a compiler. A compiler is tool used in computer programming, in which a program is first edited using one tool, a text editor, and when that is done it is submitted to a compiler to be translated into executable code, a form that can run on computer hardware. The source code form is convenient for people; and the object code, for the computer. In Galileo, you edit a fault tree in either textual or graphical form, and, when you are ready, you ask Galileo to “compile” it into the other

_____________________________________________________________________________________________


http://www.winzip.com/

_____________________________________________________________________________________________

form. Unlike a traditional compiler, however, Galileo can translate in both directions. You can thus use a form most appropriate for your needs, e.g., text for editing and graphics for presenting to engineering management.

Tight Integration of Component User Interfaces

Whereas in earlier versions of Galileo, component packages appeared as disconnected windows on the screen, in version 2.11-Alpha, there is just one Galileo window. The package windows are integrated as children of the Galileo window. We use Microsoft’s active document architecture to achieve very tight integration at the user interface level. In particular, there is only one set of menus visible (rather than several, one set presented by each tool window). As you select one or another view to edit, the application menus appropriate for that view are integrated with the Galileo menus. What you see at the top of the Galileo window is therefore a set of menus which is the sum of the Galileo-specific menus and the menus for the package that you have selected.

The DIFtree Approach to Modular Dynamic Fault Tree AnalysisFault trees are mathematical models of how component-level failures in an engineered system combine to produce system level failures. Fault trees have a convenient pictorial representations that are accepted as making it easier for reliability engineers to build, reason about, and validate such models. For more, read: Dugan, Venkataraman, and Gulati, "DIFtree: A software package for the analysis of dynamic fault tree models," Proceedings of the 1997 Reliability and Maintainability Symposium, January 1997.

A fault tree (a graph in general) has nodes called basic event nodes that model components of an engineered system. The assignment of a probability distribution to a basic event models how that component fails over time. A fault tree has other nodes called gates that model subsystems composed from basic components. Gates show how failures of components combine to produce susbsystem failures. The top-level gate in a fault tree corresponds to the overeall system. Combinatorial gates, such as and and or gates, indicate that the failures of the inputs lead to a failure of the subsystem if, respectively, all or one of the input components or subsystems has failed.

Probabilistic reliability assessment using fault trees requires the assignment of probability distributions to the basic events of a fault tree. One such distributions are assigned, calculations are performed to compute a distribution for the tree as a whole. When a tree contains only standard combinatorial gates, it is called a static tree, and well-known methods can be used to compute its overall failure probability (to solve the tree). DIFtree permits dynamic gates to appear in a tree, as well. A tree with one or more dynamic gates is called a dynamic tree. The outputs of dynamic gates are sensitive the order in which inputs fail.

In particular, DIFtree decomposes a complex fault tree into subtrees that are independent in that they do not share any basic event nodes, and that are either static or dynamic. The idea is to handle as much of the solution problem as possible using techniques for static trees, and to handle the rest using techniques for dynamic trees. Static trees can be analyzed efficiently using combinatorial techniques. DIFtree solves static trees using an algorithm based on Binary Decision Diagrams (BDD). For dynamic trees, Markov solution methods are employed. Markov methods can be used to solve any tree, but the computational complexity of this approach makes it infeasible for use on large or complex trees. The idea behind DIFtree is to split trees into independent parts (modular subtrees) and to solve them using the most efficient techniques. Thus a given tree is split into parts and either a BDD or Markov approach is used to solve the subtrees depending on their types. DIFtree thus first calls a routine called SplitTree, a fast and efficient algorithm to break up a given tree into smaller independent subtrees, followed by calls to routines called DREDD and Dynasolver, respectively, to solve the independent static and dynamic subtrees. SplitTree combines the solutions for the subtrees into a solution for the overall fault tree. In a nutshell, that is how DIFtree works.

III. Basic Operation of GalileoThis section describes the basic operation of Galileo. Editing and analyzing trees are complicated enough to have their own sections, which follow.

_____________________________________________________________________________________________


_____________________________________________________________________________________________

Running GalileoTo run Galileo go to the Start Menu and find Galileo under the Programs folder. Galileo will open with a splash screen and a blank main window. This window will serve as a container for the Word and Visio views of the current fault tree as well as for online help and web-based support through Internet Explorer.

Creating a New Fault TreeTo create a new fault tree, select the New option from the File menu. This will cause the Word and Visio windows to appear with blank documents in the main window. Note well: Galileo can only have one tree open at a time. You must close any opened file before creating a new tree or opening another existing one.

Opening an Existing Fault TreeTo open a previously created fault tree, select the Open option from the File menu. A window will appear allowing you to open files Fault Tree files of type ".ftd". Choose the file that corresponds to the tree you wish to open and the Fault Tree tool will open the appropriate files for Visio and/or Word. As with creating a new tree, only one tree may be active at a time, so you must close any opened file before opening another tree. Note well: we regret that it is not possible to open fault trees created with Galileo version 1.4 or earlier. However, there is a work-around that permits you to convert trees created in Visio 1.4. Please see Troubleshooting for more information.

Saving a Fault TreeTo save a fault tree when editing is complete, choose the Save or SaveAs option from the File menu. This will save the tree and each of its components for Word and Visio. Galileo will ask you for a file name as necessary.

Printing a Fault TreeGalileo provides the user with two printing options. The first prints only the current active document. This is done by selecting Print from the File menu. The second option prints both the Word and Visio documents. This is done by choosing Print All from the File menu.

Exiting from GalileoTo exit Galileo, choose the Exit option in the File menu of the main Galileo window. This will close the Word and Visio windows as well.

IV. Editing Fault Trees in GalileoIn this section, we describe how to edit fault trees in Galileo. One of Galileo’s strengths is its support for editing fault trees in textual or graphical form (provided that you have the required packages installed on your machine) and to generate one form from the other automatically on demand. Suppose that you prefer to edit tree as text but you need graphics for engineering presentations. Create the tree in Word then have Galileo generate the drawing.

Selecting a View to EditYou select a view to edit using the Application View menu. Choose to make the desired view writable. Galileo updates the newly writable view from the current view if necessary. Note Well: NEVER EDIT A VIEW THAT’S NOT SELECTED. YOUR CHANGES WILL BE LOST. GALILEO OUTLINES READ-ONLY VIEWS IN RED.

_____________________________________________________________________________________________


_____________________________________________________________________________________________

Editing in the Textual ViewThe editor for fault trees in text form is Microsoft Word. We assume that you know how to use Microsoft Word. Fault trees are written in the Galileo fault tree language. A fault tree specification must begin with the line

toplevel <name>;

<name> is the name of the top level node. A <name> begins with a letter and use only letters, underscores and dashes. spare, trigger, and primary are reserved words that you cannot use as names. Every line in a fault tree ends with a semicolon. Comments can be included: text after "/*" and before "*/" is ignored. Note Well: Comments are not well supported; they are lost in the translation from textual to graphical form and back.

Gates

The following table gives the syntax for declaring different kinds of gates, with the kind of gate in the first column, and the syntax for declaring such a gate in the second column. The keywords are in bold face.

Gate Type Usage

OR <name> or <input1> <input2> ... <inputN>;

AND <name> and <input1> <input2> ... <inputN>;

Hot Spare <name> hsp <primary_input> <input2> ... <inputN>;

Warm Spare <name> wsp <primary_input> <input2> ... <inputN>;

Cold Spare <name> csp <primary_input> <input2> ... <inputN>;

Priority AND <name> pand <input1> <input2>;

Sequence Enforcing <name> seq <input1> <input2> ... <inputN>;

K of M <name> xofy <input1> ... <inputY>;

Note: x and y are integer number for the desired K and M respectively

Functional Dependency <name> fdep <trigger_input> <input1> ... <inputN>;

<name> is your name for a gate. <inputN> is the <name> of a Basic Event or gate input to the given gate. The input order for gates is left to right. Order matters in analyzing dynamic gates and is used in graphical layout. There are no keywords for Connectors or Basic Events. Connections are implicit in the structure of the tree.

_____________________________________________________________________________________________


_____________________________________________________________________________________________

Basic Events

The syntax for specifying a basic event varies, depending on the probability distribution and coverage information associated with the event. The following tables summarize the relevant information and define the language syntax.

Replication To specify replication add repl = n to the basic event declaration, n being an integer. The default is 1. Replication specifies the number of copies of the basic event in the system. If an AND gate has three identical events as inputs, one with a replication of three can be used.

Dormancy To specify a dormancy factor add dorm = f with f between 0.0 and 1.0, inclusive. An input to a warm spare fails at the rate obtained by multiplying its failure rate by dorm.

Distribution You choose among a constant, exponential, lognormal, or Weibull distribution. At this time, the lognormal distribution is not supported for dynamic trees. In the graphical view, you select a distribution by name (see below). In the textual view, the choice of distribution is indicated by the key words that you use in specifying the event, as follows.

Probability The syntax is prob=f (with f as above). The prob parameter indicates a constant distribution.

Lambda The syntax is lambda=f. Lambda indicates exponential distribution function.

Rate The syntax is rate=f. This construct indicates a Weibull distribution.

Shape The syntax is shape=f. This parameter specifies the shape of the Weibull distribution.

Mean The syntax is mean=f. The expecation of the normal distribution for the lognormal case.

Standard Deviation Syntax: stddev=f. The standard deviation of the normal distribution for the lognormal case.

Fault tolerant systems often have built-in recovery mechanisms. Coverage, Restoration, and Single Point Failure factors associated with basic event specification help to model such recovery mechanisms in some cases. For more information, refer to the following: Joanne Bechta Dugan and K.S. Trivedi: “Coverage modeling for dependability analysis of fault-tolerant systems,” IEEE Transactions on Computers, 38(6): 775-787, 1989

Single Point Failure

It is the probability that the entire system fails, given that this component fails. Think of single point failure of a component as a catastrophic failure.

Coverage It is not always that the failure of a component results in the failure of the entire system, or there will be no need for fault tree analysis! The Coverage factor is the probability that the failure of a component does not lead to the failure of the system unless specified by the fault tree.

Restoration The Restoration factor models transient faults in the component which are glitches that do not last long enough to cause the failure of either the component or the system.

Galileo requires Coverage + Restoration + Single Point Failure = 1.0. You must specify the parameters values in basic events in the order presented above. Galileo requires distribution information for exactly one distribution type. Galileo substitutes default values for coverage and replication parameters. Default values are as follows:

_____________________________________________________________________________________________


_____________________________________________________________________________________________

Parameter Default Valuecov 1res 0repl 1

dorm 0.5

.

The following entries define the syntax and meaning for basic events. You may leave some fields blank. Note well: If you generate a graphical form from text then regenerate text, Galileo fills in all of the default information. Galileo does not preserve text formatting, so we recommend that you not use any.

Constant Distribution

<name> prob=<probability> cov=<coverage> res=<restoration> repl=<replication> dorm=<dormancy>;

The failure probability = prob if cov = 1.0

Exponential Distribution

<name> lambda=<lambda> cov=<coverage> res=<restoration> repl=<replication> dorm=<dormancy>;

The distribution function is where = lambda

Weibull Distribution

<name> rate=<rate> shape=<shape> cov=<coverage> res=<restoration> repl=<replication> dorm=<dormancy>;

The distribution function is where = rate, = shape

LogNormal Distribution

<name> mean=<rate> stddev=<coverage> res=<restoration> repl=<replication> dorm=<dormancy>;

The distribution function is where = stddev, = mean

An Example Fault Tree

We now present fault tree in text form. The top level gate, specified on the first line, as required, is an OR gate with two inputs, a basic event, event1, and the subtree, Andtree. Andtree has two basic event inputs, event2, and event3. The basic event declarations are at the end, but they could appear anywhere but for the first line. Note Well: Galileo generally changes the order in which declarations appear when it regenerates a text from from the graphical form.

toplevel TopGate;TopGate or event1 Andtree;Andtree and event2 event3;event1 prob=0.5 cov=1 res=0.5 repl=1 dorm=.5;event2 prob=0.75 cov=1 res=0.5 dorm=.5;event3 prob=0.25;

_____________________________________________________________________________________________


_____________________________________________________________________________________________

Editing with VisioGalileo supports the graphical editing and display of fault trees in addition to textual editing and display. The following picture is the Visio drawing of the tree just specified in the textual formalism. In this subsection, we tell you how to manipulate fault trees in this graphical form. We describe only Galileo-specific issues. We do not try to teach you how to use Visio. We refer you to the Visio User’s Manual, and suggest that you learn something about Visio, before trying to use Visio in the context of the current version of Galileo.

Problems with Graphical Editing in Galileo

Before discussing precisely how to edit fault trees using Visio within the Galileo framework, we must present a disclaimer. In a nutshell, because we have not yet invested much time in graphical display and editing aspects of Galileo, they do not work well. They are awkward to use and in some ways produce visually unacceptable results. At this time, our advice is to specify trees in text form. We plan to improve Galileo’s graphics in the next release.

In particular, the current tool has several problems. First, it provides no mechanisms for splitting drawings into page-sized chunks, nor for collapsing subtrees to abstract away undesired detail. It simply draws an entire tree as a monolith on a single virtual sheet sized to fit the tree. If you print a large drawing using Visio’s print function, Visio will distribute the single large drawing across as many smaller pages as necessary. You can use Visio’s scaling functions if you want to make such a tree fit on a single physical page.

Second, Galileo provides no functions for drawing multiple copies of shared gates or events, converting complex graph-structured trees into tree-structured drawings. Galileo depicts such trees directly. As a result, there will be edge crossings in drawing of complex trees. Because we use elbow-style connectors in our prototype, these edge crossings make graphical representations ambiguous: You cannot always tell from a drawing alone which outputs are connected to which inputs. By selecting a connector in Visio, you can determine the connection because Visio will illuminate the connection points. However, there is no way to tell what they are from a print-out.

Third, Galileo does not provide high-level drawing operations, such as add-a-subtree-to-a-gate, that can be used with a single click of a mouse. Rather, it requires the user to use Visio’s elementary drawing operations. Thus, to add a gate to a tree, you have to drag and drop a gate shape, manually fill in its name, drag and drop a connector, manually fill in its input order (explained below), and attach both ends of the connector to the relevant gates ports. This is awkward at best. Again, we plan to attack this problem in the next release of Galileo, to provide much more usable graphical tree manipulation functions.

_____________________________________________________________________________________________


_____________________________________________________________________________________________

Graphical Editing of Fault Trees in Galileo

With that disclaimer out of the way, we now discuss how to edit trees in graphical form The following table defines the graphical shapes that are used in displaying and editing fault trees in Galileo.

Basic Event- Failure behavior is characterized by either a failure probability or a failure rate. A basic event can represent one or more statistically identical components. A replication factor identifies the number of components represented by the event.

OR Gate- This event will fail if one or more of its inputs fail.

AND Gate- This event will fail only if all of its inputs fail.

K of M Gate- This event will fail only if at least K of the M inputs fails.

Hot Spare Gate- Represents a system with redundant units kept "running hot". The failure rate of a hot spare is unaltered by its spare status. The first input to a spare gate is the primary; others are the spares. Spares are used left-to-right order. The output event is true when all spares fail or are in use elsewhere.

Warm Spare Gate- Represents a system with redundant units kept "running warm". The failure rate of a warm spare is attenuated by the dormancy factor. Otherwise warm spare gates are like hot spare gates.

Cold Spare Gate- Represents a system with redundant units kept "running cold". The failure rate of a cold spare is multiplied by zero until the spare is used, at which point it is multipled by unity. Otherwise the cold spare gate is like the hot or warm spare gate.

Sequence Enforcing Gate- Specifies that certain failures can only occur in the order specified by the ordering of inputs to the gate. The purpose of this gate is to express a constraint that can be exploited to simplify the dynamic analysis problem (because some paths become infeasible in the Markov chain). An example is that a short in a circuit cannot occur before the insulation fails. The output of this gate is what we call dummy: it is not a failure per se. However, in the graphical depiction, the output must connect to the fault tree. You can choose to connect it at any convenient point.You may not input replicated basic events to a SEQ; a replicated event must be connected through another gate, such as an AND or OR gate.

Functional Dependency Gate- Represents a coupling condition such that one failure causes another to occur. The first input to this gate is a trigger; the remaining inputs are 'dependent' inputs. The latter fail if the trigger fails. Like SEQ gate, the output of FDEP gate is dummy. The trigger cannot be replicated; a replicated trigger event must be connected through another gate, such as an AND gate or an OR gate. In the textual representation, the first input is the trigger.

Priority AND Gate- Represent a system where a failure occurs only if the inputs fail in a specified order. Due to implementation constraints, it can have only two non-dummy inputs. PAND gates can be stacked, however, to overcome this limitation. To fail, both non-dummy inputs must fail and the left input must fail before the right one. Also, note that a replicated basic event cannot be used as an input.

_____________________________________________________________________________________________


_____________________________________________________________________________________________

The Visio portion of Galileo consists of the Stencil and the Drawing windows. The Stencil window contains the Master Shapes for the gates (And, Or, etc.) that are to be used in building the fault tree. To use a shape located in the stencil window, simply click on the desired shape and drag it to the drawing area, releasing the mouse button once the shape is correctly placed. If you are unable to recognize the shapes on the Visio stencil, hold the mouse cursor over a shape to display its name. To connect gates and subtrees together use the Connector shape. Drag it onto the drawing area, then adjust the ends so that they connect at the appropriate places on the gate and event graphics. The ends of a connector will turn red when connected properly.

When you drop a gate/basic event on the Visio page, a dialog box pops up asking for the "Abbreviated Name" and "Full Name". The Full Name is the label used internally to represent the gate. The Abbreviated Name is the label on the Visio shape. This difference is useful in cases where the Full Name may be too long to fit in a shape. (Currently, any changes to the Abbreviated Name are lost when the user renders the fault tree to the Word view.) To modify the names associated with a gate/basic event, double-click on the shape to view its Custom Properties.

When you add a Connector, Visio will prompt for the ordering of that connector relative to other inputs to the same gate. The first connector is input number 1. The input order is necessary for gates such as the Priority AND gate or the Sequence Enforcing where order of failure is important. Even if you are connecting to a gate where order is not important for dynamic analysis purposes, you must supply input orders. Galileo requires them to preserve order in mapping between textual and visual representations. To change the input order of a connection once it has already been set, simply double-click the connector in question to view its Custom Properties.

To remove a shape from the diagram, right click on it and then choose Cut, or select it with the left mouse button and push the Delete key. For further information on Visual editing, consult the Visio user’s manual.

The Custom Properties sub-menu of Visio allows you to edit the information associated with a basic event. It is up to you to supply this information, or use the default values.

Switching Between Editing ModesThis section applies to users who have both Word and Visio installed. The Galileo model for editing trees is that you edit in a view that has been selected for editing (the writable view); and that you can select another view to be writable if you want to edit in that view. Galileo ensures that any changes made to one view are propagated to the other before writing of the other view begins. Galileo does not enforce the non-writable status of views; and if you make changes to a non-writable view, they will be lost when you select that view for writing. In order to remind you not to make changes to non-writable views, Galileo highlights the non-writable view window with a red border.

For a new tree, the writable view is Word. For an existing tree, the writable view is the one that was writable when the tree was saved. If you want to edit in Visio when the Word view is writable (or vice versa), pick the Application View menu. Select Show Visio. Then, choose the option, Update Changes and Make Visio Writable. Galileo will take a little time to update the graphical view from the text view. Do not manipulate Galileo during this process.

NOTE WELL: There is a “hokey” problem with new fault trees in this release of Galileo. When you first open a new tree, Word is the selected view. If you want to edit the Visio view, in order to be given the option to edit in Visio, you first have to type something in Word. So, type something, then erase it, and then go to the Application View menu and select Visio to be the writable view.

To return to the textual version of the fault tree, return to the Application View menu and select Show Word, and then Update Changes and Make Word Writable. Galileo presents two options:

1. Update Changes and Make Word Writable – The valid view switches to Word and any changes made to the Visio drawing will appear in the Word document.

2. Update Changes and Keep Word Read-Only – The valid view remains as Visio, but any changes made to the Visio drawing will appear in the Word document. NOTE: The user should NOT edit in the Word window. Any changes made to the document will be lost.

_____________________________________________________________________________________________


_____________________________________________________________________________________________

V. Analyzing a Fault Tree Using GalileoOnce you input a fault tree specification, whether in textual or graphical form, you can invoke the DIFtree analyzer by choosing the Analyze option under the Fault Tree pull-down menu. Galileo checks to see that the tree is well-formed. If not, it gives an error message and abort the analysis. If valid, the tree is sent to the DIFtree analyzer. The DIFtree analyzer appears in a small text-based interactive window, which we call the DIFtree window.

If your tree is dynamic, DIFtree asks you to enter the number indicating how many component failures the analyzer will simulate before truncating the generated Markov chain. Galileo uses this value to limit the size of the Markov chain generated from a dynamic tree, thus the required time to solve the tree. The trade-off is a loss of accuracy in the resulting computation. Refer to the papers mentioned above for more information on this technical issue.

Whether your tree is static or dynamic, DIFtree asks you whether you want to specify a range of mission times. If your tree is a dynamic tree answer y. If you do enter y, DIFtree asks you to specify a range of times by entering the smallest and largest mission times and a step. DIFtree will then analyze your tree for each mission time starting with the minimum and incrementing by the step until the mission time would exceed the maximum mission time. If you enter n in response to the mission time question, DIFtree asks you for a mission time, anyway. This is a small usability bug inherited from an earlier version of DIFtree that we have not yet removed. Enter any number, e.g., 1.

When DIFtree finally analyzes your tree, it generates a report, which it displays in the DIFtree window. The report identifies the independent subtrees that the SplitTree algorithm found along with the computed unreliability for each subtree and for the entire tree. The DIFtree window displays the report. You can see text that has scrolled out of the window using the scroll bar on the right hand side of the DIFtree window. When the analysis is done, you can save the resulting report in several ways. You can cut and paste the text in the DIFtree window into another application; or you can click on the Save button on the DIFtree window. If you do the latter, a standard Windows file browser window will appear to obtain from you the name of a file into which the analysis report is to be saved.

NOTE WELL: Several technical issues bear mentioning. First, Galileo uses generic time units to permit analysis of data on any scale. You are responsible for being consistent with units. For example, you must be careful not to use both seconds and days as time units in the same fault tree. Second, the computational complexity of the analysis is worst case exponential. It is easy to build trees which the analyzer is incapable of analyzing in a reasonable amount of time. If you run the DIFtree analyzer and it still hasn’t produced an answer a day or two later, you are probably asking it to solve a system that is beyond its computational capabilities. Third, Galileo 2.11-Alpha contains a new implementation of the dynamic solver (DynaSolver). The Markov chains that it produces are slightly different in concrete form (though not in abstract meaning) from those produced by earlier versions of Galileo and DIFtree. As a consequence of that and the imprecision of computer arithmetic, Galileo 2.11 produces answers that differ slightly from those produced by previous versions. In our experience, differences can show up in the third significant digit. So, whereas an earlier version might have produced an answer of .499524 (.500), this one might produce .499498 (.499). The problem appears to be an artifact of all versions reporting more significant digits than justified by the underlying numerical computations. If appropriate rounding is used, answers for all versions should match. We are planning on addressing the issue of numerical round-off and precision rigorously in the next release of Galileo.

VI. Galileo’s Web-Based Help SystemWe integrated Microsoft Internet Explorer into Galileo to give you a fast and easy way to get help and information. You can access these features in one of two ways:

1. Choose Galileo Help from the Help menu. Select Galileo on the Web. At this point, select the desired option.

2. Click the InfoViewer menu and select Galileo on the Web. The options are the same as described above.

Standard menu options for Microsoft Explorer are available under the InfoView menu.

The following features require an Internet connection:

_____________________________________________________________________________________________


_____________________________________________________________________________________________

Galileo at the University of Virginia (our homepage)

Register Online to Receive E-mail Notifications about Galileo

Send Feedback to the Galileo Developers’ E-mail Account

Other features use files installed on your hard drive. To see the most recent versions, visit the Galileo homepage.

On-Line Help System

This User’s Manual

A Galileo Tutorial

VII. Known Bugs and Troubleshooting

Sometimes when I open an *.ftd file the Visio view is blank!A: Visio does not always resize the drawing area correctly. Either zoom out to show the portion of the screen containing the drawing, or resize the drawing page manually by selecting “Edit” -> “Drawing Page” -> “Page Setup” -> “Size Page to Fit Drawing.” Note that this phenomenon only occurs when a file is opened on a machine other than the one on which the file was created. We have not yet debugged this problem.

I accidentally closed the Visio Stencil. What should I do?A: If the Visio Stencil window is closed accidentally, do not save your changes. The stencil is part of the ".ftd" file and if the file is saved, the stencil window will be permanently lost for this fault tree. Close the fault tree without saving changes and reopen it in the condition since the last save.

How do I import fault trees from Galileo version 1.4?A: Create a new fault tree. Pull up Microsoft Word from outside of Galileo and open the ".doc" portion of the desired fault tree. Copy the text from the ".doc" file and paste it into the Microsoft Word file embedded within the Galileo window. Switch the view to Visio and update the changes.

When I try to render my textual fault tree to Visio or to analyze the tree, I get a syntax error on line n. How can I find that line without having to count each individual line of code?A: Microsoft Word is equipped with a function that will position the cursor at a desired line. Press Ctrl-G. A dialog box will appear. In the "Go to what" box, select Line. Then, enter the appropriate line number.

Sometimes when I start Galileo and create a new fault tree, the Word and Visio applications open externally. What should I do?A: Close the external copies of Visio and Word. Then exit Galileo and restart. This is a known bug that we have not yet pinned down.

_____________________________________________________________________________________________


_____________________________________________________________________________________________

I receive the error message "Basic Logic Gates is part of the workspace but cannot be opened. File not Found."A: Step 2 of the installation was not completed properly. Go to the root of the Galileo folder (which also contains the Galileo.exe program) and locate a file entitled "Basic Logic Gates.vss". Copy this file to the sub-directory of your Visio folder labeled "Solutions".

Sometimes, when I try File/New or File/Open, Galileo crashes. A: Use the Windows Task Manager to kill any "zombie" Word or Visio processes.

The Visio view and Stencil lock up. What should I do?A: Close the file, saving changes if necessary, and reopen the file.

Galileo prompts me to save my fault tree when it is unnecessary. Why does this occur?A: This is a known bug. The problem is that Galileo cannot really tell precisely when you have made changes to a document since the last time that document was generated. We are currently working on a solution.

The Internet Explorer window is not resizing properly. What can I do to fix this problem?A: Click on the window's divider bar. The window will redraw itself correctly.

_____________________________________________________________________________________________


manual - Michigan State Universitycse.msu.edu/~cse870/Materials/FaultTolerant/manual-gal… ·...

Documents

Transcript of manual - Michigan State Universitycse.msu.edu/~cse870/Materials/FaultTolerant/manual-gal… ·...