Reliability block diagrams should be considered as a basis for more complex analyses like FTA. By means of a reliability block diagram, the information of whether to connect faults AND-wise or OR-wise in the FTA can be determined. The technique is nicely explained in the Applied R&M Manual for Defence Systems.
We’ve implemented techniques for safety analysis in UML, where reliability block diagrams are not available. We use only standard UML diagram types, so the technique can qualify as semi-formal. In all our models, we use relationships to express structure and stereotypes to express classification, which we implement as UML profile in Enterprise Architect.
Our overall objective is to have the analysis integrated with the requirements and systems model, which does not just exist as text or drawing on paper but as object-oriented model in a database with full integration, verifiability and traceability.
For reliability block diagrams, we chose the component diagram and the realization.
In the example, we modeled the reliability of components with respect to an overall function ‘Safety function’. The function is realized by two elements, one of which is a component ‘Manual control element’, and the other is another function ‘Sub safety function’.
The ‘Safety function’ corresponds to a serial group of elements in a reliability block diagram, which fails if one of the elements fails. We classified it by the stereotype ‘FS_TwoOfTwo’, which is a term from IEC 61508-6 and corresponds to a reliability model. This particular reliability model succeeds if both of its elements succeed, thus two-of-two, and it fails in the inverse case, corresponding to an AND-wise connection.
We classified the manual control element by the stereotype ‘FS_Element’, which is a term from ISO 26262-1, corresponding to a system, subsystem, component, part or unit.
In the original reliability block diagram, the ‘Safety function’ and the ‘Sub safety function’ would not have been modeled. These functions are useful not just here but also in the failure-network of an FTA where they would aggregate the failure states of their realizing elements.
The ‘Sub safety function’ corresponds to a parallel group of elements in a reliability block diagram, which fails if both of the elements fail. We classified it by the stereotype ‘FS_OneOfTwo’, which is another term from IEC 61508-6. This particular reliability model succeeds if any of its elements succeed, thus one-of-two, and it fails in the inverse case, corresponding to an OR-wise connection. The function is realized by two elements, ‘System element 1’ and ‘System element 2’, both classified by the stereotype ‘FS_Element’.
Standby groups can not be expressed by AND-wise or OR-wise connections, thus they can not be modeled by this technique.