Methods of increasing modelling power for safety analysis of digital systems, applied to a Gas Turbine Control System

A. Bobbio (1), E. Ciancamerla (2), G. Franceschinis (1), R. Gaeta (3), M. Minichino (2), L. Portinale (1)

(1) DISTA, Università del Piemonte Orientale, 15100 Alessandria (Italy)
(2) ENEA CR Casaccia, 00060 Roma (Italy)
(3) Dipartimento di Informatica, Università di Torino, 10150 Torino (Italy)
Abstract. The paper describes a probabilistic approach, based on methods of increasing modelling power and different analytical tractability, to analyse the safety of a Gas Turbine Digital Controller. First, a Fault Tree (FT) has been built under the basic assumptions of independent stochastic activities and binary states. Then the FT has been converted into a Bayesian Net, to include multi-state components and sequentially dependent failures and to perform diagnoses, and further into a Stochastic Petri Net, to accommodate repair activity and components in cold stand-by redundancy. Because of the very large state space of the Stochastic Petri Net model, Stochastic Well-formed Nets (SWN) have been adopted to alleviate the state explosion problem: SWN allow the symmetries of the system to be compacted and components with the same failure rates to be folded, by the use of colours. Safety measures have been computed with reference to the emerging standard IEC 61508. The applicability, the limits and the main selection criteria of the investigated methods are discussed.
1. Introduction

The paper describes a probabilistic approach, based on methods of increasing modelling power and different analytical tractability, to analyse the safety of a Gas Turbine Digital Controller. The Gas Turbine Digital Controller belongs to a cogeneration plant, ICARO, in operation at the ENEA CR Casaccia research centre. The plant is composed of two sections: the gas turbine section, producing electrical power, and the heat exchange section, extracting heat from the turbine exhaust gases. The Gas Turbine Digital Controller performs both control and protection functions, in order to let the Gas Turbine section work efficiently and with high availability and to protect the engine from over-temperature and over-speed, so that safety aspects are involved. A fault or a deterioration in the Gas Turbine Digital Controller could result in a reduction of plant efficiency (i.e. increased fuel consumption or nitrogen oxide pollution), in a reduction of plant availability (i.e. decreased operating time due to trips or failures) or in a reduction of plant safety (i.e. on failure of a protection function, which could result in damage to the engine, safety critical to the plant because of its high capital cost).

The control and protection functions rely on a digital system. That, if on one side increases benefits, on the other side increases risks, due to the vulnerability of such systems to random failures and design errors. For digital systems the demand for safety is more and more urgent even in conventional application domains, like the ICARO cogeneration plant, as proven by the increasing demand for conformity to the IEC 61508 standard. IEC 61508 does not address any specific sector. A very important concept in IEC 61508 is that of Safety Integrity Level (SIL). SILs are used as the basis for specifying the safety integrity requirements for the safety functions to be implemented by the safety related system. As far as the determination of the appropriate Safety Integrity Level is concerned, IEC 61508 is based on the concept of risk and provides a number of different methods, quantitative and qualitative, for determining it.

As a starting point, a Fault Tree, modelling the system under the basic assumptions of independent stochastic activities and binary states, has been built and analysed. To include multi-state components and sequentially dependent failures of some components of the Digital Controller, and to perform diagnoses, the FT has been converted into a Bayesian Net. To accommodate statistical dependence of the transition rates and repair transitions, the FT has been converted into a Stochastic Petri Net. The Stochastic Petri Net model turned out to be unmanageable, due to a very large state space. To manage such complexity, Stochastic Well-formed Nets, a special class of Stochastic Petri Nets, have been adopted. Stochastic Well-formed Nets allow the symmetries of the system to be compacted by using colours, thus alleviating the state explosion problem. Model results have been compared with the Safety Integrity Levels of the IEC 61508 standard.

The paper is organised in the following sections. We start in section 2 with the main requirements of the IEC 61508 standard. Section 3 deals with the description of the case study. Sections 4, 5 and 6 provide the models of the case study using the different methods, the investigated measures and the experimental results. Section 7 draws the conclusions.
2. IEC 61508 Standard

The process industry requires that well defined safety requirements be achieved, as hazards may be present in process installations. IEC 61508 introduces a principle referred to by the name As Low As Reasonably Practicable (ALARP). ALARP defines the tolerable risk as that risk where additional spending on risk reduction would be out of proportion to the actually obtainable reduction of risk. The strategy proposed by IEC 61508 takes into account both random and systematic errors, and gives emphasis not only to technical requirements, but also to the management of the safety activities for the whole safety lifecycle [2].

IEC 61508 has introduced the concept of Safety Integrity Level (SIL), attempting to homogenise the concept of safety requirements for Safety Instrumented Systems. According to IEC 61508 the SIL is defined as "one of 4 possible discrete levels for specifying the safety integrity requirements of the safety functions to be allocated to the safety-related systems. SIL 4 has the highest level of safety integrity, SIL 1 has the lowest".

The target dependability measures for the 4 SILs are specified in Table 1, for systems with low demand mode of operation and with continuous (or high demand) mode of operation. The determination of the appropriate SIL for a safety-related system is a difficult task, and is largely related to the experience and judgement of the team doing the job. IEC 61508 offers suitable criteria and guidelines for assigning the appropriate SIL as a function of the level of fault tolerance and of the diagnostic coverage.
Table 1. Safety Integrity Levels: target failure measures

SIL | Low demand mode of operation (probability of failure to perform its design function on demand) | Continuous/high demand mode of operation (probability of a dangerous failure per hour)
4 | >= 10^-5 to < 10^-4 | >= 10^-9 to < 10^-8
3 | >= 10^-4 to < 10^-3 | >= 10^-8 to < 10^-7
2 | >= 10^-3 to < 10^-2 | >= 10^-7 to < 10^-6
1 | >= 10^-2 to < 10^-1 | >= 10^-6 to < 10^-5
3. Gas Turbine Section

The gas turbine section (figure 1) consists fundamentally of four main parts: the compressor, the combustion chamber, the turbine itself and the generator. The gas turbine is a single shaft engine. The rotor, which rotates at 22500 rpm, is linked to a reduction gear for coupling with the generator. The compressor feeds air to the combustion chamber, where the gas is also fed. Here the combustion produces gases at high pressure and high temperature. The NOx content can be kept inside the required limits by water injection, which reduces the flame temperature. The expansion of these gases in the turbine produces the turbine rotation, with a torque that is transmitted to the generator in order to produce the electrical power output.

Figure 1. Gas turbine section

The air flow rate is constant and a control valve regulates the gas fuel fed to the combustion chamber. The control valve is actuated by the control system and a position sensor reads its position. The exhaust gas temperature, which is the most critical variable for the engine control system, is taken as the average of eight thermocouples located along the circumference of the turbine exit. Among all the variables that take part in the gas turbine process only a few are directly measured by sensors. Averages of these sensor readings are taken by analog circuitry and are used, together with the turbine speed, to protect the engine.
3.1. Gas Turbine Digital Controller

The Gas Turbine Digital Controller performs both control functions and protection functions [3,4]. It also performs alarm monitoring and communication functions, not considered in this paper.

Control functions address normal run operation and all the plant sequencing needed in starting and stopping operations. In performing control functions, the control system evolves through several states: from starting to no-load states, running on load and shutting down states. From such states shutdown requests override the control logic and lead the system to the prior-to-start state. At any time a shutdown request will cause the control system to enter its emergency shutdown state and carry out the shutdown actions, which include the de-energisation of the related relays. The control functions are essentially based on the control of the fuel metering valve position.

Protection functions simply consist in providing engine protection by independent overtemperature and overspeed shutdowns. Two thermocouple sensors are used, together with one speed probe, as inputs to the protection functions. The gas turbine control system (figure 2) comprises a Main Controller, which implements the control functions, and a Backup Unit, which implements the protection functions. The Main Controller and the Backup Unit have separate processors and independent power supplies, so that the Backup Unit is able to provide independent protection functions. The Main Controller occupies two boards in full, the Baseboard and the Expansion Board, and a portion of the Auxiliary Board that is shared with the Backup Unit. In the Baseboard is located a processor performing the main control functions. The Expansion Board provides additional intelligent I/O capacity. The Backup Unit occupies another portion of the Auxiliary Board, on which an independent processor performs the protection functions. The sensors and the actuators reported in figure 2 are limited to the ones needed to perform the fuel demand control logic in the run state.

Figure 2. High level architecture of the Gas Turbine Control System

The Backup Unit implements the protection functions of the turbine by providing an independent overtemperature and overspeed shutdown. The hardware structure of the control system has been summarised as composed of two subsystems (figure 3), representing the Main Controller and the Backup Unit. Each unit has an independent CPU and uses a separate power supply circuit (operating from the same supply inlet), but the two share the following transducer signals: 2 thermocouples and 1 speed probe. "Watchdog" relays are associated with each hardware circuit board.
Figure 3. Main Controller and Backup Unit hardware structure
Legend: DI, digital input; AI, analog input; CPU, 32-bit microprocessor; MEM, memory; I/O, I/O bus; DO, digital output; AO, analog output; WD, watchdog relay; PS, power supply inlet; SMC, supply circuit of the main controller; RO, relay output.
The elementary components of the gas turbine control system are assumed
to have constant failure rates (table 2).
Table 2. Component failure rates (f/h)

Component | Failure rate (f/h)
I/O bus | λ_IO = 2.0 · 10^-9
Thermocouple | λ_Th = 2.0 · 10^-9
Speed probe | λ_Sp = 2.0 · 10^-9
Memory | λ_M = 5.0 · 10^-8
DO | λ_DO = 2.5 · 10^-7
AO | λ_AO = 2.5 · 10^-7
RO | λ_RO = 2.5 · 10^-7
DI | λ_DI = 3.0 · 10^-7
AI | λ_AI = 3.0 · 10^-7
PS | λ_PS = 3.0 · 10^-7
SMC | λ_Smc = 3.0 · 10^-7
SBU | λ_Sbu = 3.0 · 10^-7
CPU | λ_CPU = 5.0 · 10^-7
WD | λ_WD = 2.5 · 10^-7
4. The Fault Tree model

At the highest level of the analysis we adopt a Fault Tree model (figure 4).

Figure 4. Fault Tree model for safety critical failures

The Fault Tree analysis is based on the following simplifying assumptions: components (and the system) have binary behaviour (up or down) and failure events are statistically independent. Qualitative and quantitative analyses of the FT have been carried out. The qualitative analysis has been aimed at identifying the most critical failure paths, i.e. the minimal cut sets (mcs). The quantitative analysis has been aimed at evaluating measures useful to characterise safety. The analysis has found 43 mcs, with the characteristics given in table 3 (the two order-3 cut sets are the ones containing the shared components PS and Speed, see table 4). The most critical mcs, sorted by order, are shown in table 4.

Table 3. Order and number of mcs

Order | Number of mcs | % on TE unreliability
3 | 2 | 93.09
4 | 41 | 6.91
The following measures have been computed:

- unreliability versus time;
- Safe Mission Time (SMT), computed as the time interval in which the system unreliability is strictly lower than a pre-assigned threshold;
- Mean Time To Failure (which we consider a less significant measure with respect to SMT);
- most critical failure paths;
- SIL evaluation, limited to the table 1 requirements of the IEC 61508 standard.
Table 4. Most critical mcs

Rank | Minimal cut set
1 | PS WDB WDM
2 | CPUB CPUM WDB WDM
3 | Speed WDB WDM
4 | AIB CPUM WDB WDM
5 | DIM CPUB WDB WDM
6 | SupM CPUB WDB WDM
7 | CPUM SupB WDB WDM
8 | AIM CPUB WDB WDM
Unreliability versus time and failure frequency have been computed (table 5) for SIL evaluation according to IEC 61508. Comparing the failure frequency of dangerous failures in the third column of the table with the SIL target failure requirements (table 1), SIL 3 is obtained up to 500,000 h. Fixing a limit U = 1.0 · 10^-3 for the unreliability, the Safe Mission Time is SMT = 210,000 h. The Mean Time To Failure for the Top Event is MTTF(TE) = 3.072 · 10^6 h.
Table 5. Unreliability and failure frequency of dangerous failures

Time t (h) | TE unreliability | Failure frequency (1/h)
10,000 | 9.095 · 10^-9 | 9.095 · 10^-13
50,000 | 5.157 · 10^-6 | 1.031 · 10^-10
100,000 | 7.317 · 10^-5 | 7.317 · 10^-10
150,000 | 3.291 · 10^-4 | 2.194 · 10^-9
200,000 | 9.256 · 10^-4 | 4.128 · 10^-9
250,000 | 2.014 · 10^-3 | 8.056 · 10^-9
300,000 | 3.730 · 10^-3 | 1.243 · 10^-8
350,000 | 6.181 · 10^-3 | 1.766 · 10^-8
400,000 | 9.447 · 10^-3 | 2.372 · 10^-8
450,000 | 1.358 · 10^-2 | 3.018 · 10^-8
500,000 | 1.861 · 10^-2 | 3.722 · 10^-8
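As an added worked example (not part of the original paper), the following Python code computes the measures listed in this section for a small fault tree built here for illustration. The tree structure (both watchdogs down AND one of the two CPUs or the power supply inlet down) is an assumption of the example; the failure rates are those of Table 2. It evaluates the exact TE unreliability by enumerating component states, the minimal cut set upper bound and the share of each cut set, the average failure frequency U(t)/t (each frequency entry of Table 5 equals the unreliability of the same row divided by t), the Safe Mission Time for a threshold on U, and the SIL band of Table 1 reached by a given measure.

```python
import math
from itertools import product

# Constant failure rates (f/h) taken from Table 2 of the paper.
RATES = {"WDM": 2.5e-7, "WDB": 2.5e-7, "CPUM": 5.0e-7, "CPUB": 5.0e-7, "PS": 3.0e-7}


def top_event(down):
    """Constructed top event (an assumption of this example, NOT the paper's full FT):
    the watchdogs of both units are down AND one of the two CPUs or the shared
    power supply inlet is down."""
    return down["WDM"] and down["WDB"] and (down["CPUM"] or down["CPUB"] or down["PS"])


# Minimal cut sets of top_event, listed by hand for the bound below.
MCS = [{"WDM", "WDB", "PS"}, {"WDM", "WDB", "CPUM"}, {"WDM", "WDB", "CPUB"}]


def p_fail(rate, t):
    """Unreliability of one component with constant failure rate at mission time t."""
    return 1.0 - math.exp(-rate * t)


def unreliability_exact(t):
    """Exact TE unreliability under the FT assumptions (binary, independent components):
    sum the probability of every one of the 2^n component states in which the TE holds."""
    names = list(RATES)
    q = {n: p_fail(RATES[n], t) for n in names}
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        down = dict(zip(names, bits))
        if top_event(down):
            pr = 1.0
            for n in names:
                pr *= q[n] if down[n] else 1.0 - q[n]
            total += pr
    return total


def unreliability_mcs_bound(t):
    """Rare-event approximation: sum of the minimal cut set probabilities,
    an upper bound on the exact value (inclusion-exclusion cut after its first term)."""
    return sum(math.prod(p_fail(RATES[c], t) for c in cs) for cs in MCS)


def mcs_contributions(t):
    """Share of each mcs in the bound, the '% on TE unreliability' column of Table 3."""
    total = unreliability_mcs_bound(t)
    return {" ".join(sorted(cs)): math.prod(p_fail(RATES[c], t) for c in cs) / total
            for cs in MCS}


def failure_frequency(t):
    """Average dangerous-failure frequency over the mission, U(t)/t (relation of Table 5)."""
    return unreliability_exact(t) / t


def safe_mission_time(threshold, step=1000, t_max=5_000_000):
    """SMT: largest multiple of step at which U(t) is still strictly below the threshold."""
    t = 0
    while t + step <= t_max and unreliability_exact(t + step) < threshold:
        t += step
    return t


# Table 1 bands: (SIL, lower bound inclusive, upper bound exclusive).
SIL_HIGH_DEMAND = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]
SIL_LOW_DEMAND = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_level(measure, bands):
    """SIL reached by a measure, or None if it falls outside the SIL 1-4 range."""
    for sil, lo, hi in bands:
        if lo <= measure < hi:
            return sil
    return None


if __name__ == "__main__":
    for t in (10_000, 100_000, 500_000):
        u, f = unreliability_exact(t), failure_frequency(t)
        print(f"t={t:>7} h  U={u:.3e}  mcs bound={unreliability_mcs_bound(t):.3e}  "
              f"f={f:.3e} /h  SIL(high demand)={sil_level(f, SIL_HIGH_DEMAND)}")
    print("mcs shares at 500,000 h:", mcs_contributions(500_000))
    print("SMT for U < 1e-3:", safe_mission_time(1e-3), "h")
    print("Paper's Table 5 frequency at 500,000 h gives SIL", sil_level(3.722e-8, SIL_HIGH_DEMAND))
```

The exact enumeration is affordable only for small trees (2^n states, the same explosion that section 6 meets with Petri Nets); for large trees the cut set bound is what FT tools actually compute, and the gap between the two numbers is a direct check of the rare-event approximation at the chosen mission time.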
5. The Bayesian Network model

According to the translation algorithm presented in [5], the Bayesian network derived from the FT of Figure 4 is reported in Figure 5. In the BN of Figure 5, gray ovals represent root nodes (corresponding to the basic events in the FT), while white ovals represent non-root nodes. Every node in the BN is a binary node, since the variable associated with it is a binary variable. The binary values of the variables associated with the nodes represent the presence of a failure condition (true value) or an operational condition (false value). The only chance (probabilistic) nodes of the BN are the roots (gray nodes). All the other nodes in the BN (white ovals) are deterministic nodes, whose Conditional Probability Tables contain only 0 or 1 and are determined by the type of the gate in the FT they refer to (namely by the boolean AND function and by the boolean OR function) [5]. The root nodes must be assigned a probability value. Since the information about the failure probability of the system components is in the form of a constant failure rate (Table 2), the probability of the true value for a generic component C (with failure rate λ_C) at a specific mission time t is obtained as

Pr(C = true) = 1 − e^(−λ_C t).

Given the prior failure probabilities of the system components (i.e. basic events in the FT) computed at different mission times (from t = 1 · 10^5 h to t = 5 · 10^5 h), we can evaluate the unreliability of the TE by computing the probability of node TE in the BN of Figure 5 given null evidence.
Figure 5. The Bayesian Net translating the FT of figure 4
5.1 Posterior analysis

The novelty and the strength of the BN approach consist in the possibility of computing posterior probabilities (i.e. diagnoses), in order to analyse the criticality of the system components with respect to partial or total system failure. To this end, a probabilistic computation has to be carried out by considering the occurrence of the TE as the evidence provided to the BN. There are two main probabilistic computations that can be performed:

1. the posterior probability of each single component (in BN terms, a belief updating propagation must be carried out);
2. the joint posterior probability over the set of components (in BN terms, a belief revision looking for the most probable configurations of the root variables must be carried out).

The first analysis gives information about the criticality (with respect to the occurrence of the TE) of each single component alone, by computing the probability of each single component being down, given that the TE has occurred. The second kind of analysis is much more sophisticated and approaches the criticality problem over a set of components. It is worth noting that, differently from MCS computation, all the components (i.e. basic events) are considered in a given configuration, thus providing more precise information. In this case, the posterior joint probability of all the components, given the fact that the TE has occurred, is computed. Table 6 reports the posteriors of each single component computed at time t = 5 · 10^5 h.
Table 6. Posterior probabilities for single components (given the TE, t = 5 · 10^5 h)

Component | Posterior
WDb | 1
WDm | 1
CPUb | 0.37063624
PS | 0.34525986
CPUm | 0.30848555
AIb | 0.2333944
SB | 0.2333944
ROb | 0.19688544
AIm | 0.19425736
SM | 0.19425736
DIm | 0.19425736
AOm | 0.16387042
DOm | 0.16387042
Mem | 0.03443292
Speed | 0.00247744
I/Ob | 0.00167474
I/Om | 0.00139391
Th1 | 0.00100097
Th2 | 0.00100097
The component criticality is a more significant measure than the (prior) failure probability. Indeed, the order in which the components appear is different in the prior and in the posterior computations. We can notice that the two watchdogs WDm and WDb have a criticality of 1, since their failures are necessary in order to have a system failure (as could have been easily deduced from the structure of the FT as well). Moreover, the probability of a CPU failure in case of TE occurrence is about 30% for the CPU M of the main controller and about 37% for the CPU B of the backup unit. Notice that these posterior values are different, even if the failure rate of both CPUs is the same, because of the different roles they play in the overall system dependability. In fact, the failure both of the main controller MC and of the backup unit BU is produced by the failure of the corresponding CPU in boolean OR with the failure of the PER sub-system, but the failure of PER M follows a different sequence of events than the failure of PER B, resulting in different posterior probabilities also for the two CPUs.
5.2 Multi-state nodes and sequentially dependent failures

In the present section we discuss the use of BN features that highlight two peculiar capabilities not available in FT, namely: the possibility of modelling non-binary events (like events whose behaviour is more carefully represented by multi-state variables), and the inclusion of localised dependencies (where the state of a root component influences the state of other root components).

A more realistic case for the power supply PS is to find it in three different conditions (states): working, degraded and failed. When PS is in the degraded state it induces an anomalous behaviour also in the supply equipment (SM) of the main controller (MC) and (SB) of the backup unit (BU). The BN that models the described situation is reported in Figure 6, where only the relevant part of the BN of Figure 5 is reconsidered. The PS node has three states, denoted by W for working, deg for degraded and F for failed. The prior probabilities of the PS node in the three different states are also reported in the Figure. The arcs connecting node PS with both nodes SM and SB indicate a possible influence of the parent node PS on the child nodes SM and SB. This influence is quantified in the CPTs reported in Figure 6, where it is shown that a degradation in PS induces a failure also in SM and SB with probability 0.9.
Figure 6. Portion of the BN showing the influence of a PS degradation

The degradation of the power supply PS does not have a direct effect on the system dependability; its effect originates from the negative influence of the degradation on other components of the system. Introducing this localised dependence in the overall BN model of Figure 5, the analysis has, however, shown little effect on the TE unreliability.
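As an added worked example of the two posterior computations of section 5.1 and of the three-state PS node of section 5.2 (this code is not from the paper; the network is a reduced, constructed version of Figure 5 with roots PS, CPUM, CPUB, WDM, WDB, the PS-dependent nodes SM and SB, and the deterministic gates MC, BU and TE), the following Python code enumerates the joint distribution of the small BN and derives from it the TE unreliability, the posterior probability of each component given the TE (belief updating) and the most probable full configuration given the TE (belief revision). Failure rates are those of Table 2 at t = 5 · 10^5 h; the probability 0.9 that a degraded PS fails SM and SB is the value quoted for Figure 6; the prior of the degraded state (0.05) and the certain failure of SM and SB when PS has failed are assumptions of the example.

```python
import math

T = 5.0e5  # mission time (h) of Table 6


def p_fail(rate, t):
    """Prior failure probability of a root with constant failure rate: Pr(C = true) = 1 - e^(-rate t)."""
    return 1.0 - math.exp(-rate * t)


def bernoulli(p):
    """Distribution of a binary failure node: True means 'down'."""
    return {True: p, False: 1.0 - p}


def det(value):
    """Deterministic node (CPT entries 0/1), the way AND/OR gates of the FT map into the BN."""
    return {True: 1.0, False: 0.0} if value else {True: 0.0, False: 1.0}


# Assumed values of this example (the paper's figure is not reproduced here):
PS_DEGRADED = 0.05                     # prior of the degraded PS state
PS_FAILED = p_fail(3.0e-7, T)          # prior of the failed PS state, rate of Table 2
SUPPLY_DOWN_IF_PS_FAILED = 1.0         # a failed inlet takes both supply circuits down
SUPPLY_DOWN_IF_PS_DEGRADED = 0.9       # CPT value quoted for Figure 6


def supply_cpt(ps):
    """CPT of SM and SB given the three-state parent PS (W / deg / F)."""
    return bernoulli({"W": p_fail(3.0e-7, T),
                      "deg": SUPPLY_DOWN_IF_PS_DEGRADED,
                      "F": SUPPLY_DOWN_IF_PS_FAILED}[ps])


# Network in topological order: (node, parents, function of parent states -> distribution).
NODES = [
    ("PS",   (),             lambda: {"W": 1.0 - PS_DEGRADED - PS_FAILED, "deg": PS_DEGRADED, "F": PS_FAILED}),
    ("SM",   ("PS",),        supply_cpt),
    ("SB",   ("PS",),        supply_cpt),
    ("CPUM", (),             lambda: bernoulli(p_fail(5.0e-7, T))),
    ("CPUB", (),             lambda: bernoulli(p_fail(5.0e-7, T))),
    ("WDM",  (),             lambda: bernoulli(p_fail(2.5e-7, T))),
    ("WDB",  (),             lambda: bernoulli(p_fail(2.5e-7, T))),
    ("MC",   ("CPUM", "SM"), lambda cpu, s: det(cpu or s)),                        # OR gate
    ("BU",   ("CPUB", "SB"), lambda cpu, s: det(cpu or s)),                        # OR gate
    ("TE",   ("MC", "BU", "WDM", "WDB"), lambda mc, bu, wm, wb: det(mc and bu and wm and wb)),  # AND gate
]


def joint():
    """Yield (assignment, probability) for every full assignment with non-zero probability;
    the probability is the product of the CPT entries taken along the topological order."""
    def rec(i, assign, pr):
        if i == len(NODES):
            yield dict(assign), pr
            return
        name, parents, cpt = NODES[i]
        for state, p in cpt(*(assign[par] for par in parents)).items():
            if p > 0.0:
                assign[name] = state
                yield from rec(i + 1, assign, pr * p)
    yield from rec(0, {}, 1.0)


def _matches(assign, evidence):
    return all(assign[k] == v for k, v in evidence.items())


def posterior(node, state, evidence):
    """Belief updating: Pr(node = state | evidence).  With empty evidence this is the prior,
    so posterior('TE', True, {}) is the TE unreliability at time T."""
    num = den = 0.0
    for assign, pr in joint():
        if _matches(assign, evidence):
            den += pr
            if assign[node] == state:
                num += pr
    return num / den


def most_probable_explanation(evidence):
    """Belief revision: the full configuration with the highest joint probability given the evidence."""
    candidates = [(assign, pr) for assign, pr in joint() if _matches(assign, evidence)]
    return max(candidates, key=lambda c: c[1])[0]


if __name__ == "__main__":
    te = {"TE": True}
    print("TE unreliability at T:", posterior("TE", True, {}))
    for node in ("WDM", "WDB", "CPUM", "CPUB", "SM", "SB"):
        print(f"Pr({node} down | TE) = {posterior(node, True, te):.4f}")
    print(f"Pr(PS degraded | TE) = {posterior('PS', 'deg', te):.4f}  (prior {PS_DEGRADED})")
    print("MPE given TE:", most_probable_explanation(te))
```

Full enumeration is the simplest exact inference and is enough for a handful of roots; the paper's 19-root net needs a propagation algorithm, but the quantities computed are the same. The run shows the two effects discussed in the text: the watchdogs get posterior 1 because every path to the TE passes through them, and the degraded PS state is much more likely after the TE than a priori, since one degradation explains the failure of both supply circuits at once.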
6. Stochastic Petri Net models

The way followed to build the Stochastic Petri Net model has been to convert the FT of figure 4 by means of a conversion algorithm [6]. Some interesting points have emerged. The FT of Figure 4 has 19 basic components, and this is a relatively small number for a FT, whose quantitative analysis is based on combinatorial techniques. Instead, for a state space based analysis technique, like Petri Nets or Markov Chains, the complexity of the problem changes drastically. The state space of a system with 19 basic components consists of 2^19 states. Moreover, the translation rules to convert a FT into a PN introduce several immediate transitions, which produce several vanishing states in the reachability set. Hence, the number of states to be generated (tangible plus vanishing) from the generated PN is larger than the 2^19 tangible states. The lesson to be learned is that even a "small" FT may produce an unmanageable PN. In order to produce useful results with a PN model, some simplification must be adopted. A basic idea stems from the observation that often, due to symmetries or redundancies in the system to be modelled, the model may contain several similar components. To make the model more compact, the similar components may be folded and parameterised, so that only one representative is explicitly included in the model, while, at the same time, the identity of each replica is maintained through the parameter value. To do that, a special class of Stochastic Petri Nets, called Stochastic Well-formed Nets (SWN), has been used. The SWN formalism was introduced in [7] with the aim of alleviating the state space explosion problem that often undermines state space based models. Restrictions on colour domains, arc functions and initial marking are imposed that lead to the definition of symbolic marking. A symbolic marking may be viewed as a high level description of sets of actual markings, expressed in terms of sets of colours. The definition of symbolic markings allows the symmetry properties of the model to be exploited and the lumped Markov chain to be generated. Figure 7 shows the SWN model. The model has been obtained by observing that several basic components have the same failure rates and may be grouped into classes. The symmetry property exploited in this case is that each class contains objects with the same failure rate. To make the figure clearer, we have not represented the inhibitor arcs from the TE to all the transitions. The function of these inhibitor arcs can be appreciated only at the analysis level, since they avoid the generation of non relevant absorbing states. The advantages of the SWN model with respect to the Stochastic Petri Net model are evidenced in Table 7, where the state count is reported together with the reduction factor obtained with the symbolic state representation of the SWN with respect to the unfolded Stochastic Petri Net model.

In spite of the limited symmetries present in the model, the reduction factor is quite substantial. The SWN model allows new modelling issues to be added that could not have been included in the FT and in the Bayesian models. In particular:

- statistical dependence of the transition rates on the state of the system;
- repair transitions that enforce a cyclic behaviour in the system.
Figure 7. The SWN model

Table 7. Reduction factor of GSPN states versus SWN symbolic states

Model | Tangible states | Vanishing states | Absorbing states
GSPN | 393503 | 665285 | 130785
SWN | 83063 | 141364 | 27529
Reduction factor | 4.7 | 4.7 | 4.7
6.1 Hot and cold stand-by

For modelling statistical dependencies of the transition rates we consider the case of redundant components in hot and cold stand-by. FT can only model parallel operation (sometimes called hot stand-by), in which the parallel units have the same failure rate independently of the state of the others. In a stand-by (or, more precisely, cold stand-by) operation the stand-by unit has a zero failure rate when not in operation. This behaviour induces a dependence of the failure rate of the stand-by unit on the unit under operation, and as such cannot be included in FT models. The same behaviour, on the other hand, can very simply be accommodated in SWN by using marking dependent transition rates for the failure transitions.
6.2 Global repair

FT and Bayesian networks are intrinsically acyclic graph structures and hence cannot be invoked to model systems in which actions are possible, in consequence of a fault, to restore the system to a previous condition.

It has been assumed that the system is repaired whenever it fails, that the repair restores the system to its initial marking with all components up, and that the repair rate is constant ("as good as new" repair policy). To include a global repair, the basic SWN model of Figure 7 must be modified. The modification consists in adding a timed transition, denominated Glob R, modelling the stochastic duration of the repair activity. The timed transition Glob R has the TE as its only input place. Moreover, a number of additional immediate transitions of higher priority must be inserted, in such a way that, when the SWN model reaches a state where place TE becomes marked, all the timed transitions in the SWN model are disabled except transition Glob R. When transition Glob R fires, the high priority immediate transitions restore the SWN to its initial state, thus restarting the model. We have run the SWN model with global repair and with different values of the repair rate. The obtained steady state availability is reported in Table 8 as a function of the repair rate. As a final numerical example, we have computed the steady state availability with a repair rate equal to 1, assuming for the thermocouples a hot (parallel) stand-by configuration and a cold stand-by configuration. The results are reported in Table 9. The effect of the operation policy is very small, but, as expected, the cold stand-by policy proves to be superior.
Table 8. Steady state availability versus repair rate

Repair rate | Availability
1 | 0.999999666667
0.1 | 0.999996666678
0.01 | 0.999966667778
0.001 | 0.999666777741

Table 9. Steady state availability versus the configuration policy of the thermocouples (repair rate 1)

Configuration | Availability
Hot stand-by | 0.999999666667
Cold stand-by | 0.999999674650
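As an added worked example (not part of the paper), the following Python code builds and solves the lumped Markov chain of a small k-out-of-n redundant group with the two features of sections 6.1 and 6.2: a marking-dependent failure rate that distinguishes hot from cold stand-by, and a global repair transition that is the only one enabled once the group is down and restores the initial marking. The state is the number of working units, i.e. the folded (symbolic) representation of identical replicas that SWN colours make explicit. It is applied to the two thermocouples of Table 2 (λ = 2.0 · 10^-9 f/h) with the repair rates of Table 8; the chain covers the thermocouple group only, not the whole controller, so its availability figures are not those of Tables 8 and 9.

```python
def build_generator(n_units, k_needed, lam, mu, cold_standby):
    """Generator matrix Q of a k-out-of-n group with global repair.
    State i = number of working units.  While i >= k the group is up: in hot stand-by
    every working unit can fail (rate i*lam), in cold stand-by only the k operating
    units can fail (rate k*lam) and the spares have zero failure rate, which is the
    marking-dependent rate of section 6.1.  When i < k the group is down: all failure
    transitions are disabled and one repair transition at rate mu restores the
    initial marking i = n ('as good as new', section 6.2)."""
    assert 1 <= k_needed <= n_units
    size = n_units + 1
    Q = [[0.0] * size for _ in range(size)]
    for i in range(size):
        if i >= k_needed:
            Q[i][i - 1] += (k_needed if cold_standby else i) * lam
        else:
            Q[i][n_units] += mu
        Q[i][i] = -sum(Q[i][j] for j in range(size) if j != i)
    return Q


def steady_state(Q, ref=0):
    """Solve pi Q = 0 with sum(pi) = 1 for an irreducible chain.  The probability of
    state ref is fixed to 1, the other balance equations are solved by Gaussian
    elimination with partial pivoting, and the vector is normalised at the end; this
    avoids obtaining tiny probabilities as differences of numbers close to 1."""
    n = len(Q)
    others = [i for i in range(n) if i != ref]
    m = len(others)
    A = [[Q[i][j] for i in others] for j in others]   # equation j, unknown pi_i
    b = [-Q[ref][j] for j in others]
    for col in range(m):
        piv = max(range(col, m), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        b[col], b[piv] = b[piv], b[col]
        for r in range(col + 1, m):
            f = A[r][col] / A[col][col]
            for c in range(col, m):
                A[r][c] -= f * A[col][c]
            b[r] -= f * b[col]
    x = [0.0] * m
    for r in range(m - 1, -1, -1):
        x[r] = (b[r] - sum(A[r][c] * x[c] for c in range(r + 1, m))) / A[r][r]
    pi = [0.0] * n
    pi[ref] = 1.0
    for idx, i in enumerate(others):
        pi[i] = x[idx]
    total = sum(pi)
    return [p / total for p in pi]


def unavailability(n_units, k_needed, lam, mu, cold_standby):
    """Steady-state probability that fewer than k units are working (group down)."""
    pi = steady_state(build_generator(n_units, k_needed, lam, mu, cold_standby), ref=n_units)
    return sum(pi[:k_needed])


def availability(n_units, k_needed, lam, mu, cold_standby):
    return 1.0 - unavailability(n_units, k_needed, lam, mu, cold_standby)


if __name__ == "__main__":
    LAM_TH = 2.0e-9  # thermocouple failure rate (f/h), Table 2
    for mu in (1.0, 0.1, 0.01, 0.001):
        print(f"repair rate {mu:<6} hot stand-by availability {availability(2, 1, LAM_TH, mu, False):.12f}")
    for cold in (False, True):
        print("cold" if cold else "hot ", f"stand-by, repair rate 1: {availability(2, 1, LAM_TH, 1.0, cold):.12f}")
```

For a 1-out-of-2 group the balance equations solve by hand to an unavailability of 2λ/(3μ + 2λ) in hot stand-by and λ/(2μ + λ) in cold stand-by, so the code can be checked against closed forms; both decrease as 1/μ, the trend of Table 8, and cold stand-by is slightly better, the trend of Table 9.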
7. Conclusions

The present paper has investigated classic and new methodologies for modelling and quantitatively evaluating dependability measures and the SIL of a Gas Turbine Digital Controller, with reference to the IEC 61508 standard. First, a Fault Tree model has been built, adopting simplified basic assumptions. Then the FT has been translated into a BN, which is still an acyclic model but possesses more modelling and analysis power. Furthermore, the FT has been translated into a Stochastic Petri Net, a state space based model. This increased the complexity exponentially (the state explosion problem), so that even a small FT became intractable as a PN. To partially alleviate this problem, Stochastic Well-formed Nets have been adopted. By means of SWN the global availability of the system has been computed. The applicability, the limits and the main selection criteria of the investigated methodologies have been discussed, dealing with an application coming from the real world.
References

1. P. Incalcaterra, "Impianto di cogenerazione del centro ricerche Casaccia dell'ENEA", ENEA internal report, 18 January 1999.
2. S. Bologna, "Safety applications of programmable electronic systems in the process industry: impact of emerging standards", 16th International System Conference, Seattle, Washington, USA, Sept. 14-18, 1998.
3. System manual of gas turbine governor controller of ICARO plant, September 1992.
4. Hardware and Software design specification for a controller of ICARO plant gas turbine, October 1997.
5. A. Bobbio, L. Portinale, M. Minichino, E. Ciancamerla, "Improving the Analysis of Dependable Systems by Mapping Fault Trees into Bayesian Networks", Reliability Engineering and System Safety Journal, vol. 71, n. 3, March 2001, pages 249-260, ISSN 0951-8320.
6. S. Bologna, E. Ciancamerla, M. Minichino, A. Bobbio, G. Franceschinis, L. Portinale, and R. Gaeta, "Comparison of methodologies for the safety and dependability assessment of an industrial programmable logic controller", in European Safety and Dependability Conference (ESREL 2001), pages 411-418, September 2001.
7. G. Chiola, C. Dutheillet, G. Franceschinis, and S. Haddad, "Stochastic well-formed coloured nets for symmetric modelling applications", IEEE Transactions on Computers, 42:1343-1360, 1993.