Boeing WS-133B Fault Tree Analysis Program Plan 1963


THE BOEING COMPANY

CODE IDENT NO. 81245

NUMBER D2-30207-1

TITLE: WS-133B Fault Tree Analysis Program Plan (U)

MODEL NO. WS-133B    CONTRACT NO. AF04(694)-266

ISSUE NO. / ISSUED TO

SPECIAL LIMITATIONS ON ASTIA DISTRIBUTION

ASTIA may distribute this report to requesting agencies subject to their security agreement, approved fields of interest, and the following:
UNLIMITED - To all agencies of the Department of Defense and their contractors.
LIMITED - To U.S. Military organizations only.
This report may be distributed to nonmilitary agencies not approved above subject to Boeing approval of each request.
NOTE: the LIMITED category may be checked only because of actual or potential patent, proprietary, ethical, or similar implications.

PREPARED BY
APPROVED BY
APPROVED BY (DATE)

This document has been approved for public release and sale; its distribution is unlimited.


REVISIONS

SYM  DESCRIPTION                                                          DATE   APPROVED

A    SECTION A
     Page 6 - Revised to clarify Fault Tree documentation.
     Page 7 - Revised to identify IA&T as Integrating Contractor.
     Page 7.1 - Added to provide for Technical Interchange Meetings.
     Page 8 - Revised to identify the Fault Trees.
     SECTION B
     Pages 2 and 3 - Revised to correct scheduling to reflect associate
     contractors' commitments: A/N Letter 63AM 3820 dated 11 June 1963,
     Subject: Fault Tree Analysis Program, and Sylvania Letter POL-2-4-860
     dated 14 June 1965, Subject: Fault Tree Coordination. Pages 4 and 5
     deleted.
     SECTION C
     Page 2 - Revised to clarify definitions.                            7/16

B    SECTION 1
     Pages 5 through 6.2 revised to redefine composition of the -2 and -3
     volumes.
     All pages are revised to reflect change in section identification.
     Pages 18 through 41, Section 1, added to provide additional
     mathematical methods.
     Section F "References" is deleted. The references are included in
     introductory pages of Section 1.
I
TABLE OF CONTENTS

D2-30207-1

Section 1  Program Plan
  1.0 Introduction
  2.0 Purpose
  3.0 Organization and Scope
  4.0 Contractors' Responsibilities
  5.0 Ground Rules
  6.0 Fault Tree Construction
  7.0 Applicable Mathematics

Section 2  Program Schedules

Section 3  Definition of Terms
  1.0 Definition of Terms
  2.0 Logic Symbols

Section 4  Method of Inadvertent Launch Analysis
  1.0 Method of Inadvertent Launch Analysis

Section 5  Discussion of Probabilities and Their Combinations
  1.0 Discussion of Probabilities and Their Combinations

D2-30207-2

Section 1  General
Section 2  Inadvertent Launch Analyses
Section 3  Faulty Launch Analysis

D2-30207-3

Section 1  General
Section 2  Aerojet General
Section 3  Autonetics
Section 4  AVCO
Section 5  Boeing
Section 6  Hercules
Section 7  Sylvania
Section 8  Thiokol
REFERENCES

1  Launch Control Safety Study; Vol. I and II; Bell Telephone Laboratories - September 15, 1962
2  D2-14134 Minuteman Electronic Part Failure Rates - WS-133-2
3  D2-10744 Minuteman Reliability Engineering Directives #5, 6, 7 and 8
4  BAC Standards - D590 - Book No. 30 Section 500
5  Air Force Report A65-E-62-123 WS-133B Weapon System Design Criteria
1 INTRODUCTION

1.1 Letter Contract AF04(694)-266 requires that a Fault Tree Analysis be prepared to determine the probabilities of Inadvertent and Faulty Launches in the WS-133B Weapon System. This type of analysis provides a graphic display of fault sequences which can cause an unwanted event and a measure of the system safety.

1.2 The determination of the ability of a complex system to provide safety against an undesirable event is exceedingly involved. An orderly analysis has been prepared by the Bell Telephone Laboratories, entitled Launch Control Safety Study Report, dated September 15, 1962 (ref. 1). They introduced a concept of Fault Trees which, with equivalent Boolean equations, provides a technique particularly adaptable to this effort. The trees graphically illustrate, in a logical form, the faults which might occur to permit an undesirable event. Boolean equations, which express the fault relationships, offer mathematical simplifications for calculating the Safety Constant.

2 PURPOSE

2.1 The purpose of the Fault Tree Analysis Program is to:

(a) Determine the probabilities of inadvertent and faulty launches.
(b) Identify those failures which make excessive contribution to (a).
(c) Recommend corrective measures.

3 ORGANIZATION AND SCOPE

3.1 The WS-133B Fault Tree analysis program is organized into three categories, each in a volume of this document as follows:

D2-30207-1 Program Plan
D2-30207-2 Inadvertent and Faulty Launch Summary
D2-30207-3 Associate Contractor's Detail Analyses

3.1.1 The scope of the analysis is divided into 5 divisions.

3.1.1.1 The Alert System

This is the analysis of the probability of I.L. during the system life. It includes the operational system during the Strategic Alert, Strategic Standby, Launch Commanded, and Launch in Process modes, the exercise of preparatory launch commands, and also includes the probabilities of those events which can be caused by commanded programmed tests or calibration of the system, and by maintenance equipment and procedures.

3.1.1.2 The System Under Commanded Tests, Calibration and Interrogations

This is the detail analysis of the probabilities contributing to I.L. during the periods of commanded tests and calibration. It also includes the interactions of commanded tests and interrogation of a specific LF upon the overall system. It excludes the effects of MGE connected to the system, paragraph 3.1.2.4.

3.1.1.3 Assembly and Checkout Equipment

This is the analysis of the A&CO equipment to determine what unsafe residual or post test effects can be left in the system by failures of the test equipment.

3.1.1.4 Maintenance Ground Equipment

This is the analysis of maintenance equipment effects at the LCF, LF and OCCP.

1. Analyze the maintenance conditions which contribute to those events indicated in the analysis of the alert system, paragraph 3.1.2.1.
2. Determine what unsafe residual or post maintenance effects can be left in the system by failure of the maintenance equipment.
3. Determine maintenance equipment failure rates for the modes of failure which are needed for (1) and (2) above.

3.1.1.5 Faulty Launch Analysis - The Alert System

It includes equipment malfunctions and improper flight instructions under operational and maintenance conditions.

3.2 D2-30207-1 WS-133B Fault Tree Analysis Program Plan

This volume defines the Fault Tree Analysis Program requirements and responsibilities of all contractors and establishes ground rules, formats, definitions and instructions for preparing fault tree analyses.

3.3 D2-30207-2 WS-133B FAULT TREE ANALYSIS - INADVERTENT AND FAULTY LAUNCH SUMMARY

This volume contains the Weapon System Summary Fault Trees and Analyses prepared by the Analysis Integration Contractor. The contents of this volume are shown below:

SECTION 1. GENERAL

Title Page
Active Page Record Page
Revision Page
Table of Contents
References
Introduction
Summary

SECTION 2. INADVERTENT LAUNCH ANALYSES

1.0 The Alert System
1.1 Functional Flow and Block Diagrams
1.2 Fault Tree
1.3 Mathematical Solution
1.4 Recommendations for Change

2.0 The System Under Tests, Calibration and Interrogations
2.1 Functional Flow and Block Diagrams
2.2 Fault Tree
2.3 Mathematical Solution
2.4 Recommendations for Change

3.0 Assembly and Checkout Equipment
3.1 Functional Flow and Block Diagrams
3.2 Fault Tree
3.3 Mathematical Solution
3.4 Recommendations for Change

4.0 Maintenance Ground Equipment
4.1 Functional Flow and Block Diagrams
4.2 Fault Tree
4.3 Mathematical Solution
4.4 Recommendations for Change

SECTION 3. FAULTY LAUNCH ANALYSIS

1.0 The Alert System
1.1 Functional Flow and Block Diagrams
1.2 Fault Tree
1.3 Mathematical Solution
1.4 Recommendations for Change
3.4 D2-30207-3 WS-133B FAULT TREE ANALYSIS - ASSOCIATE CONTRACTOR'S DETAIL ANALYSES

This volume contains the detailed Fault Tree Analyses of each Associate Contractor as received by the Integration Assembly and Test Contractor in support of preparation of the System Fault Trees contained in volume 2 of this document. The contents of this volume are organized as follows:

SECTION 1. GENERAL

Title Page
Active Page Record Page
Revision Page
Table of Contents
References
Introduction
Summary

SECTION X* ASSOCIATE CONTRACTOR*

1.0 Inadvertent Launch Analyses

1.1 The Alert System
1.1.1 Functional Flow and Block Diagrams
1.1.2 Fault Trees
1.1.3 Mathematical Calculations

1.2 The System Under Tests, Calibration and Interrogation
1.2.1 Functional Flow and Block Diagrams
1.2.2 Fault Trees
1.2.3 Mathematical Calculations

1.3 Assembly and Checkout Equipment
1.3.1 Functional Flow and Block Diagrams
1.3.2 Fault Trees
1.3.3 Mathematical Calculations

1.4 Maintenance Ground Equipment
1.4.1 Functional Flow and Block Diagrams
1.4.2 Fault Trees
1.4.3 Mathematical Calculations

2.0 Faulty Launch Analysis

2.1 The Alert System
2.1.1 Functional Flow and Block Diagrams
2.1.2 Fault Trees
2.1.3 Mathematical Calculations
3.0 Recommendations for Change

4.0 Supporting Data
4.1 Failure Mode Analysis
4.2 Reliability Data

*Associate Contractor section numbers have been assigned as follows:

SECTION 2. AEROJET GENERAL
SECTION 3. AUTONETICS
SECTION 4. AVCO
SECTION 5. BOEING
SECTION 6. HERCULES
SECTION 7. SYLVANIA
SECTION 8. THIOKOL

All Associate Contractors shall submit their inputs on their own stationery (8½" x 11" to 11" x 34"). Document, section and page numbers shall be included in the lower right-hand corner of each page in accordance with the following sample:

(sample not reproduced in this copy)

1 Each Associate Contractor shall use the section number assigned as shown in the organization of contents above.

2 Page numbering shall start with Page No. 2. The Analysis Integration Contractor shall add the Section Title Page to facilitate handling and incorporation of individual sections into D2-30207-3.

4 CONTRACTORS' RESPONSIBILITIES

The responsibilities of the contractors are described as follows:

4.1 The Integrating Contractor

4.1.1 It is the prime responsibility of the Integrating Contractor to prepare and submit the final Weapon System Fault Tree Analysis to AFBSD.

4.1.2 Based on the Weapon System Fault Tree Analyses, the Integrating Contractor shall provide guidance to other contractors and generate requirements for specific inputs from them.

4.1.3 The Integrating Contractor shall evaluate all detail Fault Tree inputs from other Contractors for compatibility and coordinate interface problems in the analyses.

4.1.4 The Integrating Contractor shall develop and maintain detailed schedules for preparation and submittal of Weapon System Fault Tree Analyses.

4.1.5 The Integrating Contractor shall also fulfill the requirements of paragraph 4.2 below.

4.1.6 The Integrating Contractor shall honor the proprietary rights of the Associate Contractors' submitted proprietary data and shall delete this material from the published submittals and reports.

4.2 All Associate Contractors

4.2.1 It is the prime responsibility of each contractor to prepare detailed Fault Tree Analyses of the equipments he provides.

4.2.2 All contractors shall submit their detail Fault Tree Analyses, together with other substantiating data (failure mode probability, worst case analyses, etc.), to the Integrating Contractor for incorporation into the Weapon System Fault Tree Analyses as outlined in Section 1 Subsection 3.3 and scheduled in Section 2.

4.2.3 Each Contractor may initiate recommendations for changes, shall coordinate them with other Contractors and prepare submittals to AFBSD for decision.

4.2.4 All contractors shall coordinate their Fault Tree Analysis Schedules with the Integrating Contractor for compatibility with the master Weapon System Fault Tree Schedules of Section 2.
4.2.5 All contractors shall submit their inputs to the Integrating Contractor, in accordance with approved schedules, for incorporation into quarterly submittals of the Weapon System Fault Tree Analysis documentation.

4.2.6 Material of proprietary nature submitted to the Integrating Contractor shall be so indicated. This data must be submitted as a separate attachment of the submittal to permit its extraction without rework of the remaining material.

4.3 Technical Interchange (TI) Meetings

4.3.1 TI Meetings will be held on a monthly basis, the third Tuesday of the month, except as indicated in paragraph 4.3.2. Additional meetings may be scheduled on an individual basis at the request of any Associate.

4.3.2 The TI Meetings, to be held during the months quarterly submittals are made to BSD/STL, are to be scheduled on the day preceding the quarterly submittal meeting date.

4.3.3 Announcement of the TI Meeting time and place is the responsibility of the Integrating Contractor with the concurrence of the other Associate Contractors and shall be such that travel is apportioned on an equitable basis.

4.3.4 An action item log will be maintained by the Integrating Contractor, as an instrument of coordination, to assure the timely flow of data among the Associates.

4.3.5 Each action item will be prepared by the representative responsible for the provision of the data and will include a date for the completion of the action item.

4.3.6 Each Associate will be represented by personnel who are knowledgeable in the fault tree effort and who are prepared to commit a date for the completion of an action item.

5. GROUND RULES

These ground rules are supplementary to Contractor's Responsibilities and define a common approach for the development of Fault Trees.

5.1 The Safety Constant objectives for the fault trees will be tabulated and the values specified in the appropriate volumes as shown typically below.

5.1 Continued

Fault Tree                                  Safety Constant Objective   Unit Time                  Results
I.L. - Alert System, including effects of:  1 x 10^-X                   System Life of Squadron    -
    System Under Test, Calibration and
    Interrogation;
    Maintenance Equipment
Faulty Launch                               1 x 10^-X                   Per Launch                 -

5.2 Terms and symbols defined in Section 3 will apply throughout these analyses.

5.3 Fault Tree Analysis will be conducted similar to the outline in Paragraph 6 and Sections 4 and 5.

5.4 The transmission constants of the cable system will be applied as furnished by the C&S Contractor. These will include noise and crosstalk values in the 100 to 5000 cycles band for normal and abnormal conditions caused by cable system failures.

5.5 Failures will be assumed to occur in a random manner.

5.6 Those functions which are required to operate normally to transmit a fault will be assumed to be operating properly. The probability of their failure, which in these instances could block another failure function, is disregarded.

5.7 Failure Rates and Mean-Time-Between-Failures shall be based upon Document D2-14134 (reference 2) and Boeing Standards (reference 4) or other Contractors' equivalent.

5.8 The time during which a failure contributes to inadvertent launch is evaluated as follows:

5.8.1 Failures which are detected and repaired by the normal system maintenance shall be considered to be effective for forty-eight (48) hours.

5.8.2 Failures which upon detection cause a subsystem shutdown shall be considered to be effective until shutdown.

5.8.3 Failures which are detectable by the system periodic testing shall be considered to be effective for the period between these tests plus either the period to shut down or 48 hours, whichever applies.

5.8.4 Failures which are not subject to monitored system detection shall be considered to be effective for the maintenance period specified in the Forms C and C1.

5.9 For the critical circuits which contribute to the evaluation of the Safety Constants, The Boeing Company shall prepare circuit analyses per Document D2-10744 - Minuteman Reliability Directives 5, 6, 7, and 8 (Ref 3). Other Contractors shall prepare their analyses per these or equivalent procedures.

5.10 Functional flow and fault tree drawings shall be reduced to 11" high by a maximum of 34" long (page edges; 6 folds) for inclusion in documents.

5.11 The base line for starting this analysis is the system as designed, properly connected and properly operated.

5.12 The fault tree development shall be pursued to that level where the probability of failure can be readily substantiated at the lowest significant level of interface with other branches (equipment).

6 FAULT TREE CONSTRUCTION

6.1 The purpose of a Fault Tree Analysis is to identify events leading to a hazardous condition and organize these events in a logical form which lends itself to a clear determination of sequence and order of events leading to a hazard and to simple mathematical analysis.

6.2 The basic principles for setting up and preparing Fault Tree Analyses are given in Section VII of the BTL Report: Minuteman Launch Control System Safety Study Report, Vol. I, included as Sect. 4 of this document.

6.3 A Fault Tree Analysis shall be divided into three distinct parts,

1. Functional Flow Diagram,
2. Fault Tree,
3. Mathematical Analysis,

which are finally summed up in the Safety Constant. This safety constant is a numerical evaluation of Safety for a given Fault Tree Analysis.

6.4 The following sequence of steps may be used as a guideline in accomplishing Fault Tree Analyses:

1. Determine methods of operation
2. Prepare functional flow diagrams
3. Develop appropriate Fault Trees
4. Determine circuit and equipment reliability
5. Perform other mathematical analyses as necessary and calculate Safety Constant.
6. Analyze and investigate phenomena that would affect the sensitive elements and show effect on Safety Constant.

6.3 EXAMPLE OF FAULT TREES

6.3.1 Inadvertent launch, defined for this example as at least silo cover removal and first stage ignition, can be considered to be caused by three separate branches of a fault tree as shown in Figure 1. Improper initiation of the proper terminal launch sequence (1) can be caused by faults at almost any point in the command flow; the terminal sequence, once initiated, is irreversible and will certainly result in inadvertent launch (sequence cancelling faults being ground ruled out). Inadvertent launch can also result from random critical failures (3); that is, launch events occur not as ordered by an improperly initiated sequence, but as caused by random failures (the command flow upstream from the DCU is not involved in this branch). Finally, improper entry into the terminal launch sequence at other than its initial point could cause an inadvertent launch if random failures have effectively completed the necessary steps in the skipped portion of the sequence (2) - i.e., inadvertent launch due to interaction of (1) and (2).

6.3.2 A breakdown of the (1) branch of the sample fault tree is shown in Figure 2. Since the DCU controls (or is involved in) all events that must precede terminal sequence initiation as well as controlling the terminal sequence itself, it is advantageous to separate (by branches) faults upstream from the DCU (11) from DCU faults (13), either of which can cause an inadvertent launch. The third (12) branch is needed to account for interaction between the (11) and (13) branches.

6.3.3 The branching philosophy shown in Figures 1 and 2 is obviously not the only philosophy that could be used; however, it appears useful from a bookkeeping point of view in that it permits complete, independent investigation of portions of the total prior to tangling with the maze of total interactions.

6.3.4 A breakdown of the (115) branch is shown in Figure 3. This sub-branch is based on the sample functional flow shown in Figure 4. Note that DCU faults do not appear in Figure 3 since the (115) branch deals only with non-DCU faults. Again, the system is apportioned by branch, with a "combination" branch to handle interactions. At this point in the fault tree it is possible to associate faults with specific equipments. Status system or remedial action failure, shown generally in Figure 3, is brought in at this point of the tree since it is at this level that specific fault status items will usually be defined.

6.3.5 The Boolean equation describing each tree branch is shown on the figures depicting each sample branch.

[Figure 1 - Main Branches of Inadvertent Launch Fault Tree (drawing not recoverable). Top event: Inadvertent Launch, the OR of three branches: (1) Improper initiation of terminal launch sequence; (2) Combinations of improper entry into some phase of terminal launch sequence with random unnoted critical failures; (3) Random unnoted critical failures. Note on the drawing (partly illegible): each failure event either must be unnoted, or inadvertent launch must occur before corrective (preventive) action can be taken, or corrective action must fail. The Boolean equivalent is given on the drawing.]

[Figure 2 - Breakdown of branch (1), improper initiation of terminal launch sequence (drawing not recoverable): faults upstream from the DCU (11), interaction of (11) and (13) (12), and DCU faults (13); sub-branch labels illegible.]

[Figure 3 - Breakdown of branch (115) (drawing not recoverable): combination of launcher equipment faults with LES signal generation and transmission faults. Sub-branch (1151): launcher equipment faults - launcher monitoring / detection of LES signal presence fails, LES signal fails, safety control switch closure circuitry improperly closes SCS, switch fails armed. Sub-branch (1152): LES failure unnoted, or, if noted, remedial action fails or is too late; generation and transmission of LES signal - LES cable splitting, switching matrix, or transmission fails. The Boolean equivalent is given on the drawing.]

[Figure 4 - Sample functional flow: selection of LFs to receive the LES signal, and generation and transmission of the LES signal to the local LF (drawing not recoverable). Legend as printed on the drawing: LES - Launch Enable Switch; CTE - Cable Transmitting Equipment; CSE - Cable Splitting Equipment; CRE - Cable Receiving Equipment; LESD - Launch Enable Signal (last word illegible); C163A - Signal (remainder illegible); DCU - Digital (remainder illegible); SCS - Safety Control Switch. Notes on the drawing (partly illegible): inhibit the following unless closed.]
7. APPLICABLE MATHEMATICS

Fault Tree analysis requires careful mathematical treatment. Logic gates for combining faults, Boolean simplification to properly compute the effects of interacting branches, and the calculation of probability of failure in a periodically tested system have been developed by the Bell Telephone Laboratories. In addition to the preceding, the development of failure rate expressions in the constantly monitored system with allowance for repair periods has been added by Boeing.

Also included in this section are some approximations which are useful to reduce undue complications in the Boolean simplification; qualifications applying to failure rate data; the method for performing the final squadron calculations; and some notes on the application of probability to the non-repairable system or short time system modes.

7.1 General

The quantitative conclusion of a fault tree analysis is numerically expressed as the safety constant. The calculations necessary to obtain it require:

(a) The development of the Boolean equations (Paragraph 7.2)
(b) Reliability and failure rate data (Paragraph 7.3)
(c) Determination of failure rates and effective duration times at logic gate outputs (Paragraph 7.4)
(d) Effect of interacting branches (Paragraph 7.5)
(e) Nonrepairable and short-time system mode analysis (Paragraph 7.6)
(f) Squadron and final calculations (Paragraph 7.7)

7.2 Boolean Equations

Section VII of Vol. 1 and Section II of Vol. 2 of the Bell Telephone Laboratory inadvertent launch study describe the generation and simplification of Boolean equations applicable to the fault trees. These sections are included as part of this document in Sections 6 and 7.

7.3 Failure Rates

In determining failure rates for parts and circuits, certain assumptions have been defined. They are as follows:

7.3.1 Assumption 1

For electronic parts, assume a constant three (3) year failure rate to apply for the ten (10) year period except in the cases where information to the contrary is available.

7.3.2 Assumption 2

For parts and components whose failure distribution is Gaussian, convert to the appropriate constant failure rate distribution and specify assumed maintenance intervals. The steps involved in converting a Gaussian distribution to an approximate equivalent constant failure rate distribution are as follows:

(a) Determine, by prediction or estimation, the mean ($\bar{x}$) and standard deviation ($s$) of the Gaussian (normal) failure distribution.
(b) Determine the number of standard deviations between t = 0 (where t is time) and the mean.

(c) If $\bar{x}$ is large as related to $s$, the shape of the normal curve from t = 0 to t = $\bar{x} - 3s$ is relatively flat. The failure rate over the range t = 0 to t = $\bar{x} - 3s$ can be calculated by dividing the probability of failure (area under normal curve) over this range by the time interval of the range. Since the curve is essentially flat, the failure rate is approximately constant.
(d) The approximation to a constant failure rate is appropriate for only the duration of the interval used in the calculation. However, if an equipment can be restored to its original operating condition by performing maintenance at intervals equal to, or less than, the ones used in calculating a constant failure rate, this failure rate can be applied to extended periods of time.
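Steps (a) through (d) carried out in Python, as an added worked example that is not part of the Boeing document: the part is a constructed one whose wear-out time is normal with mean 20,000 hours and standard deviation 2,000 hours, and the function names are assumptions of this example.

```python
import math


def normal_cdf(x: float) -> float:
    """Standard normal cumulative distribution (area under the curve to the left of x)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def gaussian_to_constant_rate(mean: float, sigma: float, k: float = 3.0):
    """Steps (a)-(c) of Assumption 2.

    mean, sigma: the mean x-bar and standard deviation s of the normal
    failure distribution from step (a), in hours.
    k: how many standard deviations below the mean the flat range ends;
    the document uses 3, i.e. the range t = 0 .. x-bar - 3s.

    Returns (interval, rate): the length of that range and the approximate
    constant failure rate over it, obtained by dividing the probability of
    failure in the range (area under the normal curve) by the length of the
    range (step (c)).
    """
    if sigma <= 0.0:
        raise ValueError("standard deviation must be positive")
    # Step (b): number of standard deviations between t = 0 and the mean
    # (expressed here as the z-score of t = 0, which is negative).
    z_at_zero = -mean / sigma
    # Step (c): the curve is only "essentially flat" over 0 .. x-bar - k*s
    # when the mean is large relative to s, so refuse a non-positive range
    # instead of returning a meaningless rate.
    interval = mean - k * sigma
    if interval <= 0.0:
        raise ValueError("mean must be large relative to sigma (x-bar - k*s <= 0)")
    # Area under the normal curve between t = 0 and t = x-bar - k*s.
    p_fail = normal_cdf(-k) - normal_cdf(z_at_zero)
    return interval, p_fail / interval


def failure_probability(rate: float, duration: float) -> float:
    """Probability of failure within `duration` under a constant rate: 1 - e^(-rate*t)."""
    return 1.0 - math.exp(-rate * duration)


def extended_failure_probability(rate: float, interval: float,
                                 maintenance_interval: float, total_time: float) -> float:
    """Step (d): the constant rate may be applied over an extended period only
    when maintenance restores the equipment at intervals no longer than the
    interval the rate was derived for; otherwise refuse rather than mislead."""
    if maintenance_interval > interval:
        raise ValueError("maintenance interval exceeds the range the rate was derived for")
    return failure_probability(rate, total_time)


if __name__ == "__main__":
    # Constructed sample part (not from the document): x-bar = 20,000 h, s = 2,000 h.
    interval, lam = gaussian_to_constant_rate(20000.0, 2000.0)
    print(f"flat range 0..{interval:.0f} h, equivalent constant rate {lam:.3e} per hour")
    # Ten-year (87,600 h) exposure with restoring maintenance every 14,000 h.
    p10 = extended_failure_probability(lam, interval, 14000.0, 87600.0)
    print(f"P(fail in 10 years) = {p10:.4f}")
```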

7.3.3 Assumption 3

The density function of inadvertent launch is uniform with time when Assumptions 1 and 2 above are utilized in calculations.

i",

4?

U3 4288 2000 REV. 8/62 2-SI142-2

SYM_
. 'REV __ ,' NO. D2-30207-1
SECT.~ P A~rE
'p

7.4 Logic Gate Formulas

These Logic Gate formulas are applicable to the inadvertent launch calculations because they account for failure duration times. They will not apply, except for rare instances, in the faulty launch calculations.

7.4.1 Coexistence of Failures at AND Gates

Given n repairable items. Let event $A_1$ represent the failure of item 1, event $A_2$ the failure of item 2, and in general $A_i$ the failure of item i. Suppose each item i fails randomly with constant failure rate $\lambda_i$ and duration time $\tau_i$ for $i = 1, 2, \ldots, n$, where $\lambda_i$ and $\tau_i$ are in consistent units. Duration time is defined as the time from the occurrence of a failure to the time at which it is rendered ineffective. The expression $1 - e^{-\lambda T}$ is the probability that an item, with constant failure rate $\lambda$, will fail in an interval of time T, given that the item was working at the beginning of the interval.

Consider an interval of time 0 to T as shown in Fig. 7.4.1-1.

    0 ------------------ t  t+dt ------------------ T

    Fig. 7.4.1-1

If $\lambda_i$ and $\tau_i$ are small for $i = 1, 2, \ldots, n$, then the probability that $A_1, A_2, \ldots, A_n$ coexist in the interval (t, t + dt), given that they have not coexisted up to time t, is given by the following expression:

$$
\begin{aligned}
H\,dt = {} & \lambda_1\,dt\,(1 - e^{-\lambda_2\tau_2})(1 - e^{-\lambda_3\tau_3})\cdots(1 - e^{-\lambda_n\tau_n}) \\
 & + \lambda_2\,dt\,(1 - e^{-\lambda_1\tau_1})(1 - e^{-\lambda_3\tau_3})\cdots(1 - e^{-\lambda_n\tau_n}) \\
 & + \cdots \\
 & + \lambda_n\,dt\,(1 - e^{-\lambda_1\tau_1})(1 - e^{-\lambda_2\tau_2})\cdots(1 - e^{-\lambda_{n-1}\tau_{n-1}})
\end{aligned}
$$

This expression is obtained by adding together the probab-
ilities of each way in which n events can coexistofor the
first time in the dt interval0 For example: A can happen
in the dt interval with a probability of dt. If A2 is
to coexist with A, in the dt interval, it must occur some
time in a 2 j e period prior to t; the probability of
this is (1'-2e' 2 2E~)o If A2occurs before t - .'19it
will be repaired before it ca 2 coexist with A in thdt
interval. If A occurs after t, it will not coexist with
in the particular dt interval under consideration.
:,ilarly, A must occur in a *T interval before t with
a probability of (1 - e- 3 1'3) in order to coexist with
f or the first time in the dt interval, etc. The product
these probabilities expresses their joint occurrence
and gives the first term of the above expression.

Now let $f(t)$ be the probability that $A_1, A_2, \ldots, A_n$ have not coexisted up to time $t$. Then $f(t + dt)$ is the probability that $A_1, A_2, \ldots, A_n$ have not coexisted during the time period from $0$ to $t + dt$; this can also be expressed as

$$f(t + dt) = f(t)\,(1 - H\,dt)$$

where $(1 - H\,dt)$ is the probability that $A_1, A_2, \ldots, A_n$ do not coexist in the $dt$ interval.

Now by definition the differential of $f(t)$ is $f(t + dt) - f(t)$; therefore

$$df(t) = f(t)\,(1 - H\,dt) - f(t) = -f(t)\,H\,dt$$

and

$$\frac{df(t)}{f(t)} = -H\,dt.$$

Solving this differential equation by integration we have

$$\ln f(t) = -Ht + c.$$

But when $t = 0$, $f(t) = 1$, so $\ln f(t) = 0$ and therefore $c = 0$, so that

$$f(t) = e^{-Ht}.$$

The probability $P_\cap$ that $A_1, A_2, \ldots, A_n$ coexist at some time during the interval $T$ is then given by

$$P_\cap = 1 - f(T) = 1 - e^{-HT}.$$

By comparing this equation with the standard equation for probability of failure, $1 - e^{-\lambda T}$, one can easily see that $H$ is the failure rate for the coexistence of $n$ events or, in other words, it is the failure rate appearing at the output of an AND gate. From this point on, therefore, $H$ will be replaced by $\lambda_\cap$ (i.e., the failure rate for the intersection of $n$ failures). If $\lambda_i\tau_i$ is small for all $i$ from 1 to $n$ then, since $1 - e^{-x} \approx x$ for small $x$, $H$ reduces to the following expression:

$$\lambda_\cap = \lambda_1\lambda_2\cdots\lambda_n\,(\tau_2\tau_3\cdots\tau_n + \tau_1\tau_3\cdots\tau_n + \cdots + \tau_1\tau_2\cdots\tau_{n-1}).$$
If the duration times are all equal, $\tau_1 = \tau_2 = \cdots = \tau_n = \tau$, then $\lambda_\cap$ reduces to

$$\lambda_\cap = n\,\lambda_1\lambda_2\cdots\lambda_n\,\tau^{\,n-1}.$$

7.4.2 Effective Duration Time ($\tau_\cap$) at the Output of an AND Gate

Consider the logic configuration shown in Fig. 7.4.2-1.

[Fig. 7.4.2-1: AND gate (2) with inputs $A_1, A_2, \ldots, A_n$; its output and the event $A_{n+1}$ are the two inputs of AND gate (1).]

By Boolean algebra it is evident that the output of gate (1) is $A_1 A_2 \cdots A_{n+1}$. According to the general expression obtained in paragraph 7.4.1, the failure rate at the output of gate (1) is, therefore,

$$\lambda_1\lambda_2\cdots\lambda_{n+1}\,(\tau_2\tau_3\cdots\tau_{n+1} + \tau_1\tau_3\cdots\tau_{n+1} + \cdots + \tau_1\tau_2\cdots\tau_n).$$

This must be equal to the failure rate obtained by combining the output of gate (2), having failure rate $\lambda_\cap$ and duration time $\tau_\cap$, with the failure rate and duration time of event $A_{n+1}$. This is expressed as follows:

$$\lambda_\cap\,\lambda_{n+1}\,(\tau_{n+1} + \tau_\cap).$$

Substituting in the general expression for $\lambda_\cap$ we get

$$\lambda_1\lambda_2\cdots\lambda_{n+1}\,(\tau_2\tau_3\cdots\tau_n + \cdots + \tau_1\tau_2\cdots\tau_{n-1})\,(\tau_{n+1} + \tau_\cap) = \lambda_1\lambda_2\cdots\lambda_{n+1}\,(\tau_2\tau_3\cdots\tau_{n+1} + \cdots + \tau_1\tau_2\cdots\tau_n).$$
Therefore, after cancelling the terms containing $\tau_{n+1}$ on both sides,

$$\tau_\cap\,(\tau_2\tau_3\cdots\tau_n + \tau_1\tau_3\cdots\tau_n + \cdots + \tau_1\tau_2\cdots\tau_{n-1}) = \tau_1\tau_2\cdots\tau_n$$

or

$$\frac{1}{\tau_\cap} = \frac{1}{\tau_1} + \frac{1}{\tau_2} + \cdots + \frac{1}{\tau_n}.$$

If $\tau_1 = \tau_2 = \cdots = \tau_n = \tau$ then $\tau_\cap$ reduces to

$$\tau_\cap = \frac{\tau}{n}.$$

It can be observed that $\tau_\cap$ is an essential factor which enables the transfer of failure rates through succeeding logic gates.

7.4.3 Failure Rate ($\lambda_\cup$) at the Output of an OR Gate

Given an interval of time $T$, the probability $P_0$ that none of the events $A_1, A_2, \ldots, A_n$ occur in the interval of time is

$$P_0 = e^{-\lambda_1 T}\,e^{-\lambda_2 T}\cdots e^{-\lambda_n T}.$$

The probability $P_\cup$ that any one of the events $A_1, A_2, \ldots, A_n$ occurs is

$$P_\cup = 1 - P_0 = 1 - e^{-(\lambda_1 + \lambda_2 + \cdots + \lambda_n)T}.$$

This shows that the failure rate at the output of an OR gate (i.e., the failure rate for the union of failures) is the sum of the input failure rates, or

$$\lambda_\cup = \lambda_1 + \lambda_2 + \cdots + \lambda_n.$$

(The inputs are taken to be independent; the effect of an event common to more than one input is treated in paragraph 7.5.)
7.4.4 Effective Duration Time ($\tau_\cup$) at the Output of an OR Gate

Consider the logic configuration shown in Fig. 7.4.4-1.

[Fig. 7.4.4-1: OR gate (2) with inputs $A_1, A_2, \ldots, A_n$; its output and the event $A_{n+1}$ are the two inputs of AND gate (1).]

By Boolean algebra the output of gate (1) is

$$A_1 A_{n+1} + A_2 A_{n+1} + \cdots + A_n A_{n+1}.$$

The failure rate for the output of gate (1) is, therefore,

$$\lambda_1\lambda_{n+1}(\tau_1 + \tau_{n+1}) + \lambda_2\lambda_{n+1}(\tau_2 + \tau_{n+1}) + \cdots + \lambda_n\lambda_{n+1}(\tau_n + \tau_{n+1}).$$

This must be equal to the failure rate obtained by combining the output of gate (2), having failure rate $\lambda_\cup$ and effective duration time $\tau_\cup$, with the failure rate and effective duration time of event $A_{n+1}$. This is expressed as follows:

$$\lambda_\cup\,\lambda_{n+1}\,(\tau_\cup + \tau_{n+1}).$$

Substituting in the expression for $\lambda_\cup$ we get

$$(\lambda_1 + \lambda_2 + \cdots + \lambda_n)\,\lambda_{n+1}\,(\tau_\cup + \tau_{n+1}) = \lambda_{n+1}(\lambda_1\tau_1 + \lambda_2\tau_2 + \cdots + \lambda_n\tau_n) + \lambda_{n+1}(\lambda_1 + \lambda_2 + \cdots + \lambda_n)\,\tau_{n+1}.$$

Therefore

$$\tau_\cup = \frac{\lambda_1\tau_1 + \lambda_2\tau_2 + \cdots + \lambda_n\tau_n}{\lambda_1 + \lambda_2 + \cdots + \lambda_n}.$$

If $\tau_1 = \tau_2 = \cdots = \tau_n = \tau$ then $\tau_\cup$ reduces to

$$\tau_\cup = \tau.$$

As with $\tau_\cap$, $\tau_\cup$ is an essential factor which enables the transfer of failure rates through succeeding logic gates.

7.4.5 The foregoing results are summarized in Table 1. A general proof of the validity of these results is given in paragraph 7.4.7. The logic gate formulas are directly applicable to Boolean expressions as well as to logic gates.

Table 1. Logic Gate Formulas (inputs A1, ..., An with failure rates λi and effective duration times τi; all λiτi small)

    Gate   Output failure rate                                                    Output effective duration time
    -----  ---------------------------------------------------------------------  ---------------------------------------------------
    AND    λ∩ = λ1 λ2 ... λn (τ2 τ3 ... τn + τ1 τ3 ... τn + ... + τ1 τ2 ... τn-1)   1/τ∩ = 1/τ1 + 1/τ2 + ... + 1/τn
           all τi = τ:  λ∩ = n λ1 λ2 ... λn τ^(n-1)                                  all τi = τ:  τ∩ = τ/n
    OR     λ∪ = λ1 + λ2 + ... + λn                                                 τ∪ = (λ1 τ1 + λ2 τ2 + ... + λn τn) / (λ1 + λ2 + ... + λn)
                                                                                   all τi = τ:  τ∪ = τ

    Note: for either gate the product λτ at the output is λ1τ1 λ2τ2 ... λnτn (AND) or λ1τ1 + λ2τ2 + ... + λnτn (OR); this is the invariant used in the proof of paragraph 7.4.7.
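The following Python module is added here as a worked example; it is not part of the original Boeing document. It implements the Table 1 formulas as a tree evaluator and checks the two properties the derivations of 7.4.2 and 7.4.4 depend on: combining inputs two at a time gives the same result as combining all at once, and the product $\lambda\tau$ at an output equals the sum, over the output's chains, of the product of $\lambda_i\tau_i$ (paragraph 7.4.7). The events A1, A2, A3, the sample tree and every numerical value are constructed for illustration.

```python
"""Propagating failure rates (lam, failures per hour) and effective duration times (tau, hours)
through AND and OR gates, per the logic gate formulas of paragraph 7.4 (Table 1).
Added example; the tree and the numbers below are constructed, not taken from the document."""
from dataclasses import dataclass
from math import exp, isclose, prod
from typing import Sequence, Union


@dataclass(frozen=True)
class Event:
    """A bottom event (or a gate output): constant failure rate lam and duration tau."""
    lam: float
    tau: float


@dataclass(frozen=True)
class Gate:
    kind: str                      # "AND" or "OR"
    inputs: Sequence["Node"]


Node = Union[Event, Gate]


def and_gate(inputs: Sequence[Event]) -> Event:
    """7.4.1 / 7.4.2: lam = prod(lam_i) * sum_j prod_{k != j} tau_k;  1/tau = sum_i 1/tau_i.
    tau is computed as prod(tau_i) / sum_j prod_{k != j} tau_k, which is the same quantity but
    also handles one zero-duration input (an instantaneous event) without dividing by zero."""
    taus = [e.tau for e in inputs]
    s = sum(prod(t for k, t in enumerate(taus) if k != j) for j in range(len(taus)))
    lam = prod(e.lam for e in inputs) * s
    return Event(lam, prod(taus) / s)


def or_gate(inputs: Sequence[Event]) -> Event:
    """7.4.3 / 7.4.4: lam = sum(lam_i);  tau = sum(lam_i tau_i) / sum(lam_i)."""
    lam = sum(e.lam for e in inputs)
    return Event(lam, sum(e.lam * e.tau for e in inputs) / lam)


def evaluate(node: Node) -> Event:
    """Walk the tree bottom-up. Inputs must be independent; see paragraph 7.5 for shared events."""
    if isinstance(node, Event):
        return node
    combine = and_gate if node.kind == "AND" else or_gate
    return combine([evaluate(child) for child in node.inputs])


def prob_in_time(lam: float, T: float) -> float:
    """Probability that the output event occurs at least once in T hours: 1 - e^(-lam T)."""
    return 1.0 - exp(-lam * T)


# Constructed sample: rates per hour and repair times in hours.
A1, A2, A3 = Event(1e-3, 10.0), Event(2e-3, 5.0), Event(5e-4, 20.0)
# Top event = (A1 AND A2) OR A3
TREE = Gate("OR", [Gate("AND", [A1, A2]), A3])


def pairwise_matches_direct() -> bool:
    """7.4.2: AND(A1, A2, A3) must equal AND(AND(A1, A2), A3) in both lam and tau."""
    direct = and_gate([A1, A2, A3])
    paired = and_gate([and_gate([A1, A2]), A3])
    return isclose(direct.lam, paired.lam) and isclose(direct.tau, paired.tau)


def lam_tau_is_sum_over_chains() -> bool:
    """7.4.7 invariant for TREE: its chains are {A1, A2} and {A3}, so
    lam * tau at the top = (lam1 tau1)(lam2 tau2) + lam3 tau3."""
    top = evaluate(TREE)
    expected = (A1.lam * A1.tau) * (A2.lam * A2.tau) + A3.lam * A3.tau
    return isclose(top.lam * top.tau, expected)


if __name__ == "__main__":
    top = evaluate(TREE)
    print(f"top: lam={top.lam:.3e}/h  tau={top.tau:.2f} h  P(1 year)={prob_in_time(top.lam, 8760):.4f}")
```

For the constructed values the AND of A1 and A2 gives $\lambda = 3\times10^{-5}$ per hour and $\tau = 10/3$ hours, and the top event has $\lambda = 5.3\times10^{-4}$ per hour; the zero-duration case is the one needed for the ELC calculation of paragraph 7.4.6, where the valid-format slot has rate $P/C$ and no duration.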
7.4.6 Combining Probabilities with Failure Rates at Logic Gates

In evaluating the fault trees, the need will arise to combine failure rates with probabilities. An example of this is shown below.

7.4.6.1 Random Generation of ELC

7.4.6.1.1 Conditions:

(a) Let $\lambda_1, \tau_1$ and $\lambda_2, \tau_2$ be the equipment failure rates and corresponding fault durations of equipment failures which result in the generation, transmission, or receipt of random bits.

(b) Let $P$ represent the probability that one word length of random bits has the correct ELC format.

(c) Let $C$ represent the period between radio or cable slots at a particular launch facility, i.e., the time for one cycle. $C$ is smaller than both $\tau_1$ and $\tau_2$.

(d) Assume that only one valid ELC can be transmitted in a time slot. Assume also that $P$, $\lambda_1\tau_1$ and $\lambda_2\tau_2$ are small.

7.4.6.1.2 Conclusion:

The failure rate for the random generation of an ELC under the above conditions is

$$\lambda_{ELC} = \frac{P}{C}\,\lambda_1\lambda_2\,\tau_1\tau_2.$$

If only one equipment failure is required, then the failure rate is

$$\lambda_{ELC} = \frac{P}{C}\,\lambda_1\tau_1.$$

The effective duration of an ELC failure ($\tau_{ELC}$) is zero.

7.4.6.1.3 Derivation:

Consider the interval of time shown in Fig. 7.4.6.1.3-1.

[Fig. 7.4.6.1.3-1: time axis marked $t - \tau_2$, $t$, $t + dt$, $t + \tau_2$ and $t + \tau_1$.]

By reasoning similar to that given in paragraph 7.4.1, the probability $P_C$ that $A_1$ and $A_2$ coexist with a time slot in which a valid ELC is generated is

$$P_C = \int_0^T \lambda_1\,dt \int_{t-\tau_2}^{t} P\,N(s)\,\lambda_2\,ds \;+\; \int_0^T \lambda_2\,dt \int_{t-\tau_1}^{t} P\,N(s)\,\lambda_1\,ds,$$

where $N(s)$ is the number of slots available for ELC generation as a function of the position $s$ of the earlier of the two failures; the first term covers the case in which $A_1$ is the later failure and $A_2$ occurred at $s$ within $\tau_2$ before it, the second the reverse case. Since $C$ is smaller than both durations, $N(s)$ is the length of the period during which the two faults coexist divided by $C$. From this it can be shown that the failure rate is

$$\lambda_{ELC} = \frac{P\,\lambda_1\lambda_2\,\tau_1\tau_2}{C}$$

(for $\tau_1 \ge \tau_2$ the inner integrals of the two terms give $\tau_2^2/2$ and $\tau_1\tau_2 - \tau_2^2/2$ respectively, which sum to $\tau_1\tau_2$). The same result follows from the general AND formula of paragraph 7.4.1 if the generation of a valid ELC in a slot is treated as a third ANDed event with failure rate $P/C$ and duration zero: $\lambda_1\lambda_2(P/C)(\tau_2\cdot 0 + \tau_1\cdot 0 + \tau_1\tau_2)$, and paragraph 7.4.2 then gives $\tau_{ELC} = 0$.
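As an added example (not from the document), the following Python code evaluates the coexistence integral of 7.4.6.1.3 numerically and compares it with the closed form of 7.4.6.1.2 and with the gate-formula route in which the valid-ELC slot is a third ANDed event of rate $P/C$ and zero duration. All numerical values are constructed, and $N(s)$ is taken, as the derivation assumes, to be the coexistence time divided by $C$.

```python
"""Random ELC generation (paragraph 7.4.6.1): three routes to lam_ELC.
Added example with constructed numbers; not from the original document."""
from math import isclose


def elc_rate_closed_form(P, C, lam1, tau1, lam2, tau2):
    """7.4.6.1.2: lam_ELC = (P/C) lam1 lam2 tau1 tau2."""
    return P * lam1 * lam2 * tau1 * tau2 / C


def elc_rate_single_failure(P, C, lam1, tau1):
    """7.4.6.1.2: with one equipment failure only, lam_ELC = (P/C) lam1 tau1."""
    return P * lam1 * tau1 / C


def elc_rate_via_gate_formula(P, C, lam1, tau1, lam2, tau2):
    """Treat 'a slot carries a valid ELC' as a third event with rate P/C and zero duration
    and apply the 3-input AND formula of 7.4.1: lam1 lam2 lam3 (tau2 tau3 + tau1 tau3 + tau1 tau2)."""
    lam3, tau3 = P / C, 0.0
    return lam1 * lam2 * lam3 * (tau2 * tau3 + tau1 * tau3 + tau1 * tau2)


def elc_rate_from_integral(P, C, lam1, tau1, lam2, tau2, steps=20000):
    """7.4.6.1.3: integrate over the position of the earlier failure.  If the later failure
    starts at t and the earlier one started u hours before t (0 <= u <= tau_first), the two
    faults coexist for min(tau_second, tau_first - u) hours, i.e. that many / C slots, each
    carrying a valid ELC with probability P.  Both orderings (A2 before A1, A1 before A2)
    contribute, with inner densities lam2 du and lam1 du respectively."""
    def coexistence_time(tau_first, tau_second):
        h = tau_first / steps                     # midpoint rule over u in [0, tau_first]
        return sum(min(tau_second, tau_first - (k + 0.5) * h) for k in range(steps)) * h
    slots = (coexistence_time(tau2, tau1) + coexistence_time(tau1, tau2)) / C
    return P * lam1 * lam2 * slots


# Constructed values: rates per hour, durations in hours, slot period C in hours (C < tau1, tau2).
P, C, LAM1, TAU1, LAM2, TAU2 = 1e-6, 0.01, 1e-3, 10.0, 2e-3, 4.0


def all_routes_agree(rel_tol=1e-6):
    """True when the closed form, the gate-formula route and the integral give the same rate."""
    closed = elc_rate_closed_form(P, C, LAM1, TAU1, LAM2, TAU2)
    gate = elc_rate_via_gate_formula(P, C, LAM1, TAU1, LAM2, TAU2)
    integral = elc_rate_from_integral(P, C, LAM1, TAU1, LAM2, TAU2)
    return isclose(closed, gate, rel_tol=rel_tol) and isclose(closed, integral, rel_tol=rel_tol)


if __name__ == "__main__":
    print(elc_rate_closed_form(P, C, LAM1, TAU1, LAM2, TAU2), all_routes_agree())
```

With these values the rate is $8\times10^{-9}$ per hour by all three routes; note that the naive product of the coexistence rate $\lambda_1\lambda_2(\tau_1+\tau_2)$ with $P$ alone would not be the answer, since it ignores how many slots fall within the coexistence period.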


7.4.7 Proof of Logic Gate Formulas

Suppose we are given a fault tree where only coexistence of events is of concern at each AND gate (i.e., the order in which events occur in time is not important). Suppose further that the bottom elements of the fault tree consist of items which can be assigned constant failure rates and fixed duration times from the advent of the failure to the correction of the failure (i.e., fixed repair times). We proceed up the fault tree obtaining new $\lambda$'s and $\tau$'s by use of the following formulas. Suppose we have $n$ events $A_1, A_2, \ldots, A_n$ to be ANDed and suppose we have associated with them the failure rates $\lambda_1, \lambda_2, \ldots, \lambda_n$ and "effective duration times" $\tau_1, \tau_2, \ldots, \tau_n$. The $\lambda$ output of the gate is given by

$$\lambda_\cap = \lambda_1\lambda_2\cdots\lambda_n\,(\tau_2\tau_3\cdots\tau_n + \tau_1\tau_3\cdots\tau_n + \cdots + \tau_1\tau_2\cdots\tau_{n-1}) \qquad (1)$$

The $\tau$ output (effective duration time output) is given by

$$\tau_\cap = \frac{1}{\dfrac{1}{\tau_1} + \dfrac{1}{\tau_2} + \cdots + \dfrac{1}{\tau_n}} \qquad (2)$$

If the $n$ events are to be ORed, the $\lambda$ output is

$$\lambda_\cup = \lambda_1 + \lambda_2 + \cdots + \lambda_n \qquad (3)$$

and the $\tau$ output is

$$\tau_\cup = \frac{\lambda_1\tau_1 + \lambda_2\tau_2 + \cdots + \lambda_n\tau_n}{\lambda_1 + \lambda_2 + \cdots + \lambda_n} \qquad (4)$$

We will prove that the failure rate output at any gate in the fault tree is correct when the above formulas are used. Write the output from any logic gate as the union of $n$ chains $E_1, E_2, \ldots, E_n$ (a chain is a series of ANDed events), where

$$E_i = A_{i1}\cap A_{i2}\cap\cdots\cap A_{ik_i}, \qquad i = 1, \ldots, n,$$

the event $A_{ij}$ having failure rate $\lambda_{ij}$ and duration time $\tau_{ij}$. We will prove that in every case the $\tau$ output of any logic gate will be of the form

$$\tau = \frac{\sum_{i=1}^{n}\prod_{j}\lambda_{ij}\tau_{ij}}{\sum_{i=1}^{n}\Big(\prod_{j}\lambda_{ij}\Big)\Big(\sum_{j}\prod_{k\ne j}\tau_{ik}\Big)} \qquad (5)$$

and the $\lambda$ output will be of the form

$$\lambda = \sum_{i=1}^{n}\Big(\prod_{j}\lambda_{ij}\Big)\Big(\sum_{j}\prod_{k\ne j}\tau_{ik}\Big) \qquad (6)$$

(Equation (6) is the sum over the chains of the rate, Equation (1), at which the events of each chain first coexist; the numerator of (5) is the product $\lambda\tau$ at the output, which for a single chain is $\prod_j\lambda_{ij}\tau_{ij}$ by Equations (1) and (2).)

We proceed by induction. We will assume that the above is true for two inputs into an AND or an OR gate; this will later be generalized for any number of inputs into an AND or an OR gate.

7.4.7.1 Proof of OR Gate Formulas

Suppose at step $n$ we take the union of two branches, branch 1 and branch 2. Suppose branch 1 is the union of $n$ chains $C_1, C_2, \ldots, C_n$, where

$$C_i = A_{i1}\cap A_{i2}\cap\cdots\cap A_{ik_i},$$

and suppose branch 2 is the union of $m$ chains $D_1, D_2, \ldots, D_m$. Then by the induction assumption (Equations 5 and 6) the $\lambda$'s and $\tau$'s we have at this point are

$$\lambda_1 = \sum_{i=1}^{n}\Big(\prod_{j}\lambda_{ij}\Big)\Big(\sum_{j}\prod_{k\ne j}\tau_{ik}\Big), \qquad \tau_1 = \frac{\sum_{i=1}^{n}\prod_{j}\lambda_{ij}\tau_{ij}}{\lambda_1}$$

for branch 1, and correspondingly $\lambda_2$ and $\tau_2$, summed over the chains $D_1, \ldots, D_m$, for branch 2. The union of the two branches consists of the $m + n$ chains $C_1, \ldots, C_n, D_1, \ldots, D_m$.

From paragraph 7.4.3, $\lambda_\cup = \lambda_1 + \lambda_2$, which is the form (6) summed over all $m + n$ chains, as required.

Write $\lambda_1\tau_1 = \sum_{i=1}^{n}\prod_j\lambda_{ij}\tau_{ij}$ and, similarly, $\lambda_2\tau_2 = \sum_{i=1}^{m}\prod_j\lambda'_{ij}\tau'_{ij}$, the primed quantities belonging to the events of the chains $D_i$. Now the $\tau$ output should be

$$\tau_\cup = \frac{\lambda_1\tau_1 + \lambda_2\tau_2}{\lambda_1 + \lambda_2};$$

this is seen by examining Equation 5 where the chains are $C_1, \ldots, C_n, D_1, \ldots, D_m$. By Equation 4 with the two inputs $(\lambda_1, \tau_1)$ and $(\lambda_2, \tau_2)$,

$$\tau_\cup = \frac{\lambda_1\tau_1 + \lambda_2\tau_2}{\lambda_1 + \lambda_2},$$

which is the same expression. This proves that the $\tau$ output of an OR gate maintains the correct form (as given by Equation 5) when Equation 4 is applied.

7.4.7.2 Proof of AND Gate Formulas

It will now be shown that the $\tau$ output of an AND gate is of the correct form and that the $\lambda$ output of the AND gate is correct, given (by induction) that the $\lambda$ inputs are correct and the $\tau$'s are of the form indicated by Equation 5. We are now interested in $\lambda_{A\cap B}$ and $\tau_{A\cap B}$, where the two input branches are $A = \bigcup_{i=1}^{n} C_i$ and $B = \bigcup_{j=1}^{m} D_j$.

We first ascertain what the correct $\tau$ is. By the distributive law,

$$A\cap B = \Big(\bigcup_{i=1}^{n} C_i\Big)\cap\Big(\bigcup_{j=1}^{m} D_j\Big) = \bigcup_{i=1}^{n}\bigcup_{j=1}^{m}\,(C_i\cap D_j),$$

a union of $nm$ chains, each the intersection of the events of $C_i$ with those of $D_j$. The correct $\tau$ by Equation 5 is seen to be

$$\tau_{A\cap B} = \frac{\sum_{i=1}^{n}\sum_{j=1}^{m}\Big(\prod_{C_i}\lambda\tau\Big)\Big(\prod_{D_j}\lambda\tau\Big)}{\lambda_{A\cap B}} = \frac{\Big(\sum_{i=1}^{n}\prod_{C_i}\lambda\tau\Big)\Big(\sum_{j=1}^{m}\prod_{D_j}\lambda\tau\Big)}{\lambda_{A\cap B}}, \qquad (7)$$

where $\prod_{C_i}\lambda\tau$ denotes the product of $\lambda\tau$ over the events of chain $C_i$, and $\lambda_{A\cap B}$ is the form (6) summed over the $nm$ chains $C_i\cap D_j$.

We have, by the induction assumption, $\lambda_A\tau_A = \sum_{i=1}^{n}\prod_{C_i}\lambda\tau$ and $\lambda_B\tau_B = \sum_{j=1}^{m}\prod_{D_j}\lambda\tau$. Now, by Equations 1 and 2 with two inputs,

$$\lambda_{A\cap B} = \lambda_A\lambda_B(\tau_A + \tau_B), \qquad \tau_{A\cap B} = \frac{\tau_A\tau_B}{\tau_A + \tau_B},$$

so that

$$\lambda_{A\cap B}\,\tau_{A\cap B} = \lambda_A\tau_A\,\lambda_B\tau_B.$$

$\lambda_A\tau_A\,\lambda_B\tau_B$ is therefore identical with the numerator of Equation 7. It follows that we must now only show that $\lambda_A\lambda_B(\tau_A + \tau_B)$ equals the form (6) summed over the chains $C_i\cap D_j$. For the chain $C_i\cap D_j$ the factor $\sum_k\prod_{l\ne k}\tau$ splits into the terms in which the omitted event belongs to $C_i$ and those in which it belongs to $D_j$, so the contribution of the chain to (6) is

$$\Big(\prod_{C_i}\lambda\Big)\Big(\prod_{D_j}\lambda\Big)\Big[\Big(\sum_{C_i}\prod_{\ne}\tau\Big)\Big(\prod_{D_j}\tau\Big) + \Big(\prod_{C_i}\tau\Big)\Big(\sum_{D_j}\prod_{\ne}\tau\Big)\Big],$$

where $\sum_{C_i}\prod_{\ne}\tau$ is the sum, over the events of $C_i$, of the product of the $\tau$'s of the remaining events of $C_i$. Summing over $i$ and $j$ and regrouping (the first terms together, the second terms together), the first terms give

$$\Big[\sum_{i}\Big(\prod_{C_i}\lambda\Big)\Big(\sum_{C_i}\prod_{\ne}\tau\Big)\Big]\Big[\sum_{j}\prod_{D_j}\lambda\tau\Big] = \lambda_A\,\lambda_B\tau_B,$$

and the second terms give $\lambda_A\tau_A\,\lambda_B$; adding the two, it is easily seen that the result is $\lambda_A\lambda_B(\tau_A + \tau_B)$. Thus the failure rate derived from the output of the AND gate is correct, and the $\tau$ output is of the form of Equation 5.

It remains to show that the two-input results extend to $n$ inputs. Assume that

$$\tau_\cap = \frac{1}{\dfrac{1}{\tau_1} + \cdots + \dfrac{1}{\tau_n}}$$

is the correct $\tau$ formula for $n$ items. Then, applying the two-input result to the output of the $n$-input gate and the item $A_{n+1}$,

$$\tau_{\cap,\,n+1} = \frac{\tau_\cap\,\tau_{n+1}}{\tau_\cap + \tau_{n+1}} = \frac{1}{\dfrac{1}{\tau_\cap} + \dfrac{1}{\tau_{n+1}}} = \frac{1}{\dfrac{1}{\tau_1} + \cdots + \dfrac{1}{\tau_n} + \dfrac{1}{\tau_{n+1}}}$$

is the correct $\tau$ formula for $n + 1$ items ANDed together. This proves the $\tau$ formula for $n$ items ANDed together. A similar argument proves the OR formulas for $n$ items and the $\lambda$ formula for $n$ items ANDed together.

7.5 Interacting Branches

When two or more branches interact or, in other words, when a failure is common to two or more branches of a fault tree, error is induced into the final probability number unless the Boolean expression is simplified. This fact is noted in Section 5, page 6. When combining failure rates through AND and OR gates from the bottom of the fault tree to the top, careful inspection must be employed to insure that no unconservative error is induced into the probability calculation. A conservative error is defined as an error which makes the final probability number larger than it should be. A discussion of errors and remedies follows.

7.5.1 OR Gate Interaction Error

If two or more branches with common terms unite at an OR gate, the induced error is conservative and often insignificant. The general proof of this is found in paragraph 7.5.5.2. The conservative error induced by common branches at an OR gate is not a serious condition; however, if further refinement is desirable, the Boolean expression may be obtained and simplified up to the point at which the branches unite.

7.5.1.1 Examples:

In both cases shown below, the probability expression on the left of the inequality sign (the probability which would be obtained by combining probabilities directly through logic gates) is seen to be conservative.

(a) Unsimplified: $A + B + AC$. Simplified: $A + B$.

$$P(A) + P(B) + P(A)P(C) \;>\; P(A) + P(B) - P(A)P(B)$$

(b) Unsimplified: $AB + AC$. Simplified: $A(B + C)$.

$$P(A)P(B) + P(A)P(C) \;>\; P(A)\,[P(B) + P(C) - P(B)P(C)]$$
7.5.2 AND Gate Interaction Error

If two or more branches with common terms unite at an AND gate, an unconservative error is always induced. This is proved in general in paragraph 7.5.5.3.
7.5.2.1 Examples:

In both cases shown below, the probability expression on the left of the inequality sign (the probability which would be obtained by combining probabilities directly through logic gates) is seen to be unconservative.

(a) Unsimplified: $(A + B)\,AC$. Simplified: $AC$.

$$[P(A) + P(B)]\,P(A)P(C) \;<\; P(A)P(C)$$

(b) Unsimplified: $(A + B)(A + C)$. Simplified: $A + BC$.

$$[P(A) + P(B)]\,[P(A) + P(C)] = P(A)^2 + P(A)P(C) + P(A)P(B) + P(B)P(C) \;<\; P(A) + P(B)P(C) - P(A)P(B)P(C)$$

Since this condition results in a final probability number which is smaller than it should be, a remedy must be applied to eliminate its effect.

7.5.2.2 Remedies:

7.5.2.2.1 The AND gate interaction error can be removed entirely by expressing the terms of the interacting branches in Boolean form and by simplifying the expression. The logic gate formulas can then be applied directly to the expression without restoring it to fault tree form. The Boolean expression need only be obtained up to the logic gate at which the interacting branches unite.

7.5.2.2.2 A conservative estimate of the final probability number may be obtained by substituting a probability of unity into all but one of the common terms. The unity probability should be assigned first to common terms at OR gates when a choice exists. If this remedy is applied to the probability expression of Example (a) of Paragraph 7.5.2.1, the following results are obtained:

$$[1 + P(B)]\,P(A)P(C) \;>\; P(A)P(C)$$

$$P(A)P(C) + P(A)P(B)P(C) \;>\; P(A)P(C)$$

Similarly, applying this remedy to Example (b) of Paragraph 7.5.2.1, we obtain the following:

$$[1 + P(B)]\,[P(A) + P(C)] \;>\; P(A) + P(B)P(C) - P(A)P(B)P(C)$$

$$P(A) + P(C) + P(A)P(B) + P(B)P(C) \;>\; P(A) + P(B)P(C) - P(A)P(B)P(C)$$
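The following Python code is added here as a worked example and is not part of the original document. It carries the argument of paragraphs 7.5.1 through 7.5.2.2 through for arbitrary trees: it computes the probability obtained by combining directly through the gates, the probability of the tree reduced to a union of chains with common terms simplified (the procedure of paragraph 7.5.5.1), and the conservative estimate of the unity remedy of 7.5.2.2.2. The tuple notation for trees, the event probabilities and the helper names are constructed for illustration; events are assumed independent and the simplified probability is computed exactly by inclusion-exclusion rather than with the mutually-exclusive approximation used in the proofs.

```python
"""Interacting branches (paragraph 7.5): gate-by-gate probability versus the simplified
Boolean expression, and the unity-substitution remedy.  Added example with constructed
trees and numbers; not part of the original document.
A tree is a nested tuple ("AND", child, ...) / ("OR", child, ...); a leaf is an event name.
The leaf "1" stands for an event assigned unity probability (paragraph 7.5.2.2.2)."""
from itertools import combinations
from math import prod


def gate_probability(tree, p):
    """Combine probabilities straight through the gates, as if every input were independent."""
    if isinstance(tree, str):
        return 1.0 if tree == "1" else p[tree]
    kind, *kids = tree
    vals = [gate_probability(k, p) for k in kids]
    return prod(vals) if kind == "AND" else 1.0 - prod(1.0 - v for v in vals)


def chains(tree):
    """Expand the tree to a union of chains (7.5.5.1) and drop any chain that contains another
    chain (Boolean absorption, e.g. A + AC = A): this is the 'simplification' of paragraph 7.5."""
    if isinstance(tree, str):
        return [frozenset([tree])]
    kind, *kids = tree
    parts = [chains(k) for k in kids]
    if kind == "OR":
        out = [c for part in parts for c in part]
    else:
        out = parts[0]
        for part in parts[1:]:
            out = [a | b for a in out for b in part]
    out = set(out)
    return sorted((c for c in out if not any(o < c for o in out)), key=lambda c: (len(c), sorted(c)))


def simplified_probability(tree, p):
    """Exact probability of the union of the simplified chains (independent events, inclusion-exclusion)."""
    cs = chains(tree)
    total = 0.0
    for r in range(1, len(cs) + 1):
        sign = 1.0 if r % 2 else -1.0
        for combo in combinations(cs, r):
            total += sign * prod(p[e] for e in frozenset().union(*combo))
    return total


def unity_remedy(tree, event):
    """7.5.2.2.2: give the common event unity probability in all but one of its occurrences,
    substituting first at OR gates (so the occurrence kept is one under an AND gate if any)."""
    found = []                                           # (path, kind of parent gate)

    def walk(node, path, parent):
        if isinstance(node, str):
            if node == event:
                found.append((path, parent))
            return
        for i, kid in enumerate(node[1:], start=1):
            walk(kid, path + (i,), node[0])

    walk(tree, (), None)
    keep = next((path for path, parent in found if parent == "AND"), found[0][0])

    def rebuild(node, path):
        if isinstance(node, str):
            return "1" if node == event and path != keep else node
        return (node[0],) + tuple(rebuild(kid, path + (i,)) for i, kid in enumerate(node[1:], start=1))

    return rebuild(tree, ())


def error_direction(tree, p):
    """'conservative' if the gate-by-gate number is at least the simplified one, else 'unconservative'."""
    return "conservative" if gate_probability(tree, p) >= simplified_probability(tree, p) else "unconservative"


# Constructed probabilities, and the trees of 7.5.1.1(a), 7.5.2.1(a) and 7.5.2.1(b).
P = {"A": 0.01, "B": 0.10, "C": 0.05}
OR_A = ("OR", "A", "B", ("AND", "A", "C"))                 # A + B + AC     = A + B
AND_A = ("AND", ("OR", "A", "B"), ("AND", "A", "C"))       # (A + B) AC     = AC
AND_B = ("AND", ("OR", "A", "B"), ("OR", "A", "C"))        # (A + B)(A + C) = A + BC
# The seven-chain branch of paragraph 7.5.5.1: (R + S) T [N + V (W + XY)] + Z
SEVEN = ("OR", ("AND", ("OR", "R", "S"), "T",
                ("OR", "N", ("AND", "V", ("OR", "W", ("AND", "X", "Y"))))), "Z")

if __name__ == "__main__":
    for name, t in [("OR_A", OR_A), ("AND_A", AND_A), ("AND_B", AND_B)]:
        print(name, [sorted(c) for c in chains(t)], gate_probability(t, P),
              simplified_probability(t, P), error_direction(t, P),
              gate_probability(unity_remedy(t, "A"), P))
```

With the constructed probabilities the gate-by-gate number for 7.5.2.1(a) is about $5.45\times10^{-5}$ against a true $5\times10^{-4}$, an order of magnitude optimistic, while the unity remedy returns exactly $P(A)P(C)$; the same check applied to an OR-gate union (7.5.1.1(a)) comes out on the conservative side, as the proofs of 7.5.5 predict.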

7.5.3 Even though the probability of a common term may be negligible with respect to other probabilities at an OR gate, its effect as an interacting branch cannot be ignored. For example, suppose $P(A)$ is negligible compared to $P(B)$ in Examples (a) and (b) of Paragraph 7.5.2.1. It can readily be observed that an unconservative error is induced if the $A$ term at the affected OR gate (gate 2) is dropped.

7.5.4 The foregoing results apply when combining failure rates through logic gates as well as when combining probabilities. If the methods of Paragraph 7.5.2.2.2 are used, the following rules govern in the combination of failure rates with unity probability:

7.5.4.1 If failure rates are to be combined with unity probability at an OR gate, the output of the OR gate has a probability of unity.

7.5.4.2 If failure rates are to be combined with unity probability at an AND gate, the input with unity probability is ignored since it has no effect at this gate.

7.5.5 Proof of the Effect of Interacting Branches at a Logic Gate

7.5.5.1 Preliminary Information

Any branch of a fault tree may be represented as a union of chains. A chain is defined as an intersection of one or more events. For example, suppose a branch of the fault tree has the following Boolean equation:

$$(R + S)\,T\,[N + V(W + XY)] + Z.$$

This equation can be reduced to

$$RTN + RTVW + RTVXY + STN + STVW + STVXY + Z,$$

which is a union of seven chains. In the discussion to follow, the Boolean symbols $\cup$ and $\cap$ will be used in place of $+$ and $\times$ respectively for the sake of clarity. The above equation can then be expressed in the following form:

$$\bigcup_{i=1}^{7} K_i,$$

where $K_1 = RTN$, $K_2 = RTVW$, $K_3 = RTVXY$, etc.

Now suppose we wish to factor the common event $R$ from each of the terms of the above expression. We can write it as follows:

$$\bigcup_{i=1}^{7} K_i = \bigcup_{i=4}^{7} K_i \;\cup\; \Big[R \cap \bigcup_{j=1}^{3} L_j\Big],$$

where $L_1 = TN$, $L_2 = TVW$ and $L_3 = TVXY$.

7.5.5.2 Interacting Branches Unite at an OR Gate

Let $A$ represent an event which is common to more than one branch of a fault tree. Consider the logic gate at which two or more interacting branches unite. Since all inputs of a logic gate can be combined two at a time, only the case of two branches into a logic gate need be considered. Let the two input branches be labeled events $B$ and $C$.

Representing $B$ and $C$ as unions of chains as above, we get the following:

$$B = \bigcup_{g=1}^{m} D_g \;\cup\; \Big[A \cap \bigcup_{i=1}^{n} E_i\Big], \qquad C = \bigcup_{j=1}^{p} F_j \;\cup\; \Big[A \cap \bigcup_{k=1}^{r} G_k\Big].$$

These equations express the fact that the common term $A$ is contained in some chains and not in others.

If the two interacting branches unite at an OR gate, the Boolean expression is

$$B \cup C = \bigcup_{g=1}^{m} D_g \cup \Big[A\cap\bigcup_{i=1}^{n}E_i\Big] \cup \bigcup_{j=1}^{p} F_j \cup \Big[A\cap\bigcup_{k=1}^{r}G_k\Big] = \bigcup_{g=1}^{m} D_g \cup \bigcup_{j=1}^{p} F_j \cup \Big[A \cap \Big(\bigcup_{i=1}^{n}E_i \cup \bigcup_{k=1}^{r}G_k\Big)\Big].$$

Applying probability as if the terms were mutually exclusive (a good conservative approximation when probabilities are small), we get

$$P(B\cup C) = \sum_{g=1}^{m}P(D_g) + \sum_{j=1}^{p}P(F_j) + P(A)\sum_{i=1}^{n}P(E_i) + P(A)\sum_{k=1}^{r}P(G_k).$$

This is equal to the probability $[P(B) + P(C)]$ which would be obtained by combining probabilities through logic gates.

Suppose next that $B$ has the following form:

$$B = \bigcup_{g=1}^{m} D_g \cup A.$$

Then all $A\cap G_k$ terms drop out of $C$ (they are absorbed by the chain $A$) and

$$B\cup C = \bigcup_{g=1}^{m} D_g \cup A \cup \bigcup_{j=1}^{p} F_j.$$

Applying probability as above we get

$$P(B\cup C) = \sum_{g=1}^{m}P(D_g) + P(A) + \sum_{j=1}^{p}P(F_j).$$

The probability which would be obtained by combining probabilities through logic gates, $[P(B) + P(C)]$, is

$$P(B) + P(C) = \sum_{g=1}^{m}P(D_g) + P(A) + \sum_{j=1}^{p}P(F_j) + P(A)\sum_{k=1}^{r}P(G_k) = P(B\cup C) + P(A)\sum_{k=1}^{r}P(G_k);$$

therefore

$$P(B) + P(C) \;\ge\; P(B\cup C).$$

Hence, the probability obtained by combining probabilities through logic gates is either correct or conservative for interacting branches which unite at an OR gate.

7.5.5.3 Interacting Branches Unite at an AND Gate

If

$$B = \bigcup_{g=1}^{m} D_g \cup \Big[A\cap\bigcup_{i=1}^{n}E_i\Big], \qquad C = \bigcup_{j=1}^{p} F_j \cup \Big[A\cap\bigcup_{k=1}^{r}G_k\Big],$$

then

$$B\cap C = \Big[\bigcup_{g=1}^{m} D_g \cap \bigcup_{j=1}^{p} F_j\Big] \cup \Big[A \cap \bigcup_{g=1}^{m} D_g \cap \bigcup_{k=1}^{r} G_k\Big] \cup \Big[A \cap \bigcup_{i=1}^{n} E_i \cap \bigcup_{j=1}^{p} F_j\Big] \cup \Big[A \cap \bigcup_{i=1}^{n} E_i \cap \bigcup_{k=1}^{r} G_k\Big].$$

Applying probability assuming mutually exclusive events, we get

$$P(B\cap C) = \sum_{g}P(D_g)\sum_{j}P(F_j) + P(A)\sum_{k}P(G_k)\sum_{g}P(D_g) + P(A)\sum_{i}P(E_i)\sum_{j}P(F_j) + P(A)\sum_{i}P(E_i)\sum_{k}P(G_k).$$

By combining probabilities through logic gates we would get

$$P(B)P(C) = \Big[\sum_{g}P(D_g) + P(A)\sum_{i}P(E_i)\Big]\Big[\sum_{j}P(F_j) + P(A)\sum_{k}P(G_k)\Big]$$

$$= \sum_{g}P(D_g)\sum_{j}P(F_j) + P(A)\sum_{k}P(G_k)\sum_{g}P(D_g) + P(A)\sum_{i}P(E_i)\sum_{j}P(F_j) + P(A)^2\sum_{i}P(E_i)\sum_{k}P(G_k).$$

$P(B)P(C)$ and $P(B\cap C)$ are equivalent except for the last terms. Since

$$P(A)^2\sum_{i}P(E_i)\sum_{k}P(G_k) \;<\; P(A)\sum_{i}P(E_i)\sum_{k}P(G_k),$$

therefore

$$P(B)P(C) < P(B\cap C).$$

That is, the probability obtained by combining the probabilities of two interacting branches at an AND gate is unconservative.

7.6 Repair-time and Short-time System Mode Analysis

7.6.1 During the missile flight or while the system is in a test mode, the effective duration time of a failure ($\tau$) is that length of time which begins with the event of failure and ends at the close of the test mode or end of flight. Since this length of time depends upon the particular event rather than upon a predictable repair time, the method of calculation ($\lambda$, $\tau$) applicable to inadvertent launch is not applicable to the faulty launch or test mode analysis. The faulty launch tree is concerned with short-time modes and flight events, and a straightforward probability analysis on a "per launch" basis should be used. Similarly, the portions of a fault tree concerning the system in a test mode or other short-time mode should be treated on a "per test" probability basis.

7.6.2 "And" Gates

In general, $P_\cap = P_1 P_2 \cdots P_n$. Since any requirement for event sequences will tend to reduce the overall probability, the preceding expression is conservative.

Each of the input probabilities must be expressed on the same basis (i.e., "per test", "per launch", etc.) and the resultant probability will be in the same units.

7.6.3 "Or" Gates

In general, $P_\cup = P_1 + P_2 + \cdots + P_n - $ (probabilities of all combinations); for independent inputs this is $P_\cup = 1 - (1 - P_1)(1 - P_2)\cdots(1 - P_n)$. A usually conservative estimate is $P_\cup = P_1 + P_2 + \cdots + P_n$, where $P_i \ll 1$.

Each of the input probabilities must be expressed on the same basis (i.e., "per test", "per launch", etc.) and the resultant probability will be in the same units.

7.6.4 Conservative Estimates

For either type of gate, decision should be made on an individual basis as to whether to use the preceding conservative probability expressions or more nearly exact expressions.

7.6.5 In the acquisition of fundamental data, such as failure rates, for calculation in a fault tree, events may be characterized by a failure rate ($\lambda$) and duration time ($\tau$) or by a probability for a specified time or number of cycles.

For the faulty launch tree, which is to be handled on a probability basis, data which is acquired as a failure rate is converted to a probability by multiplying $\lambda$ by the length of time of the mode, where $\lambda$ is in terms of failures per hour (this is the small-$\lambda t$ approximation to $1 - e^{-\lambda t}$ and is conservative). When $\lambda$ is given

7.6.5 Continued

in terms of failures per cycle, then $\lambda$ multiplied by the number of cycles in the mode is the probability of failure.

For the inadvertent launch tree, where calculation is done on a $\lambda$, $\tau$ basis, data which is acquired as a probability of failure per cycle or per hour must be incorporated in the mathematical treatment of the tree. Where the cyclical probability of failure for an event is given, an estimated $\lambda$ in failures per hour may be derived by multiplying the cyclical probability by the estimated number of cycles per hour. $\tau$ is determined as the duration time of the failure. Where one event characterized by a probability acts as a moderator (at an "and" gate) of an event characterized by a $\lambda$ and a $\tau$, the output of the gate may be represented by the product of the input probability and the input failure rate, which is interpreted as the output failure rate, and $\tau_{\text{output}} = \tau_{\text{input}}$.

7.7 Final Calculations

7.7.1 System Safety Constants

The system fault trees may be separated into two categories: a system tree (or trees) dealing with faulty launch and a system tree (or trees) dealing with inadvertent launch. For the weapon system there is a probability of inadvertent launch during the system life (inadvertent launch safety constant) and a probability of faulty launch during the system use (faulty launch safety constant). The determination of these constants is the goal of the mathematical treatment of the fault trees.

7.7.2 Squadron Calculations

All calculations in a fault tree should be based upon failures which affect a specific launch facility. For the inadvertent launch tree, the final failure rate (or probability of failure) should then be multiplied by 50 to obtain the applicable failure rate (or probability of failure) for a squadron, the launch facilities of a squadron being treated as identical and independent. For the faulty launch tree, the final failure rate (or probability of failure) is expressed on a "per launch" basis. (Reference )

7.7.3 Inadvertent Launch Safety Constant

The inadvertent launch safety constant, $(S.C.)_{IL}$, is composed of contributions both from long-term operating events (characterized by a failure rate $\lambda$ and duration time $\tau$) and from short-time test events represented by a probability figure.

Use of the logic gate formulas provides a single failure rate ($\lambda$) for inadvertent launch at the top of those tree branches derived from long-term events. To determine the contribution of such a branch to the overall inadvertent launch safety constant for a squadron over any period of time ($T$), the following formula is used:

$$(S.C.)_{IL} = 1 - e^{-50\lambda T},$$

which reduces to $(S.C.)_{IL} = 50\lambda T$ when $50\lambda T$ is small.

Those branches of the tree representing short-time test events provide a single probability of failure for inadvertent launch per branch. Such a probability may be determined either on an event basis or on a time basis. Probabilities on a "per event" basis, when multiplied by the number of events in time $T$, yield the contribution to inadvertent launch by such branches. If the test event contribution is determined on a time basis rather
7.7.3 Continued

than an event basis, then the probability per hour for a squadron, $h$, is converted to the squadron probability contribution to inadvertent launch for such branches for time $T$ by the following formula:

$$(S.C.)_{IL} = 1 - e^{-hT},$$

which reduces to $(S.C.)_{IL} = hT$ when $hT$ is small.

The resultant probabilities from the short-time event branches of the tree added to the $\lambda$-derived portions of the inadvertent launch safety constant yield the overall $(S.C.)_{IL}$ per squadron for the system life.

7.7.4 Faulty Launch Safety Constant

The faulty launch safety constant $(S.C.)_{FL}$ is composed of probability contributions from both pre-flight and flight events.

Use of the probability formulas for the flight events of the missile results in a probability of faulty launch per missile which is the faulty launch safety constant contribution due to the flight analysis. Short-time events which contribute to faulty launch prior to flight initiation yield a probability contribution to $(S.C.)_{FL}$ on a "per event" or "per unit time" basis. Probabilities on a "per event" basis, when multiplied by the number of events prior to launch, form the contribution of such branches to $(S.C.)_{FL}$.

For test event contributions to $(S.C.)_{FL}$ determined on a time basis rather than an event basis, the probability per hour for a missile, $h$, is converted to the missile probability for any time $T$ by the following formula:

$$(S.C.)_{FL} = 1 - e^{-hT},$$

which reduces to $(S.C.)_{FL} = hT$ when $hT$ is small.

The resultant probabilities from the pre-flight events added to the flight event contribution form the overall $(S.C.)_{FL}$ per missile for the missile life.

THE BOEING COMPANY

NUMBER D2-30207-1    MODEL NO. WS-133B

TITLE Program Schedule

[Program schedule chart: not recoverable from the scan.]
THE BOEING COMPANY

NUMBER D2-30207-1    MODEL NO. WS-133B

TITLE Definitions of Terms

SECTION 3 (DOCUMENT D2-30207-1)

3.1 DEFINITIONS OF TERMS

The following is a list of terms and symbols defined for use in this document (D2-30207). It does not necessarily apply to the Bell Telephone Laboratories material reprinted in Sections 4 and 5.

1. An "Inadvertent Launch" is defined as an unwanted launch (first stage ignition) of a missile at the tactical site caused by one or more faults. The silo cover is operated to OPEN. The destination or successful firing of succeeding stages is not relevant.

2. A "Faulty Launch" is an authorized launch which malfunctions to result in impact of an armed warhead outside of the area specified in AF BSD 62-123.

3. "Safety" is defined as freedom from the potential or actual occurrence of undesired, unscheduled or out of sequence events which jeopardize life, health or property.

4. A "Safety Item" is a deficiency in the design, procedures or operations which will generate a Hazard.

5. A "Hazard" is a condition which will lead to a potential or actual occurrence of undesired or out of sequence events which jeopardize life, health, property, and the international relations of the United States.

6. The "Safety Constant" is the probability, for a specified period of time, of the occurrence of a defined undesired, unscheduled or out of sequence event which jeopardizes life, health or property.

7. A "Fault" is a malfunction within the system. It includes the "Failure" of circuits and equipment to perform due to any cause, excluding human intervention.

8. The "Effective Duration Period" of a failure is the time from the occurrence of a failure to its correction, to shutdown, or to safing of the affected launch facilities or missiles.

LOGIC SYMBOLS

[symbol] A logical AND relation.

[symbol] A logical OR relation.

[symbol] An event, usually a malfunction, describable in functional terms.

[symbol] An event, usually a malfunction, describable in terms of a specific circuit or component. It is represented by the symbol X with a numerical subscript.

[symbol] An event not developed further because of lack of information or because of lack of sufficient consequence. It is represented by the symbol W with a numerical subscript.

[symbol] An event that is normally expected to occur.

[symbol] A connecting symbol to another part of the fault tree within the same major branch. It is represented by the symbol Y with a numerical subscript.

[symbol] A connecting symbol to another part of the fault tree in a different major branch (such as an interconnection between the PIG and DPE branches). It is represented by the symbol Z with a numerical subscript.

[symbol] A probability of failure which, though a numerical value can be

[symbol] A probability of failure which cannot be assigned a numerical value but is considered to be exceedingly small and is assumed to be zero.

THE BOEING COMPANY

NUMBER D2-30207-1    MODEL NO. WS-133B

TITLE Method of Inadvertent Launch Analysis (Section VII, Vol. I of Bell Telephone Laboratories Launch Control Safety Study, 9-15-62)
1 INTRODUCTION

1.1 The following pages of this section are a reprint of Section VII of the Bell Telephone Laboratories Launch Control Safety Study dated September 15, 1962. This reprint describes the fault tree concept and methods for development and construction. Although it was prepared for the WS-133A system, the methods are applicable to the WS-133B system. Its references are to other Sections of the Safety Study which are not included in this document.

1.2 Boeing document page numbers are added to facilitate the handling and release of this section.
SECTION VII

METHOD OF INADVERTENT LAUNCH ANALYSIS
1. INTRODUCTION

The task of the study was an examination of a complex data transmission and processing system, called a Launch Control System (LCS), in order to determine its ability to provide safety against an Inadvertent, i.e., accidental, Launch (IL). In particular, it required an identification of those elements of the LCS in which a failure significantly increased the probability of IL.

The "fault tree" concept was devised to carry out this task. The fault tree serves, first of all, to identify the events, usually undesired, that contribute to an IL. It then relates these events logically, in order to show which events must exist at the same time and which are required on an "either-or" basis.

After fault trees are prepared for the major parts of the LCS, the next step is to determine the probability of occurrence of the significant failures and thence the probability of occurrence of IL in a given time interval. In performing this step, the major contributors to an IL appear. In order to accomplish this step in the analysis, it is desirable to prepare Boolean expressions that are equivalent to the fault tree and which make it possible to take account of multiple appearances of the same failures in the several branches of the tree, as well as the appropriate fault-detection features.

Both of these steps in the IL analysis are described in this section of the report.
2. THE FAULT-TREE CONCEPT

The concept of a fault tree can be illustrated by applying it to a simple and familiar system. Figure 7-1a shows a domestic hot-water system. The problem is to determine its susceptibility to malfunctioning in a catastrophic way, in this case rupture of the hot-water tank. A fault tree is drawn (Figure 7-1b) that identifies the malfunctions that can contribute to a rupture and that relates these logically. If event B (temperature-measuring device fails to actuate controller), or event C (controller fails to actuate gas valve), or event D (gas valve fails to close) should occur, heat will be applied continuously to the water in the tank. If this happens and event A (relief valve fails to act) has occurred, the pressure will not be relieved as intended but will continue to rise until the tank eventually ruptures (event F). The Boolean expression for the fault tree is F = A(B + C + D), which states that F is true if A and (B or C or D) are true.

[Figure 7-1: (a) domestic hot-water system; (b) its fault tree.]

Note that the fault tree assumes that the remainder of the system functions properly, so that the check valve and the hot-water faucet do not permit flow out of the tank. The malfunction of either to an open condition would negate event F. The fault tree can be developed further for events A through D in terms of the parts making up the device referred to in each event. If failure rates for the parts were known, the probability of event F occurring in a given period of time could be calculated. The calculation would have to account for the fact that, as a practical matter, event F is more likely to occur if event A has occurred prior to event B, C, or D. If B, C, or D occurs and the relief valve works properly, flooding of the basement would provide warning of the malfunction in the gas control loop, which presumably would lead to manual shutdown and repair.

3. EXPLANATION OF LAUNCH CONTROL SYSTEM FAULT TREE

The fault tree for the Minuteman LCS is the same in principle as that for the simple system just described, though it is, of course, far more complex. Figure 7-2 summarizes the symbols used in the various fault trees. (Figures 7-2 through 7-6 appear at the end of this section.) The top of the LCS fault tree is shown in Figure 7-3. The fault tree serves, first of all, to identify the events, usually undesired, that contribute to an IL. The fault tree then relates these events logically, using distinctive shape symbols for "AND" and "OR" in relating events. It should be noted that in order for an IL to take place, it is necessary that the required events or malconditions coexist. It is not necessary that the occurrence of these events be simultaneous.

The development of the relation of events proceeds from those describable in functional terms to those that pertain to a specific basic circuit or component or to a specific code group. For instance, in the Launch Enable System (LES) branch, the functional event of having the Safety Control Switch (SCS) armed is the result of any one of three subevents. Two of these are again functional statements that require further tree development, and the other is an event that pertains to a particular component, namely, the failure of a specific relay to the ARM condition. Events of a functional nature are noted in a rectangular box, or, in special cases discussed below, in a hexagon, while events that concern specific circuits or components are shown in a circle.

The fault tree for IL has three major branches. The Programmer Group (P/G) branch includes, as well as the P/G equipment itself, the arm ordnance and ignition circuits to their terminal squibs in or near the missile, and anything else acting directly upon the missile propellant charges, but it excludes the SCS. The second branch of the tree is for the Data Processing Equipment (DPE), the top event of this tree being the operation of the Command Signals Decoder (CSD) switch. The third major branch is for the LES, with the top event here being the arming of the SCS.

In addition to the above, fault trees have been developed for several of the critical electromechanical devices that are used in the LCS, for the formation of code groups, and for the Status Reporting System and power subsystems. Though malfunctions in the Status Reporting System do not contribute directly to IL, they can prevent the detection of malconditions in the in-line equipment, thus permitting them to persist for extended periods of time.
4. DEFINITION OF INADVERTENT LAUNCH

For purposes of the study, IL is defined as an event characterized by ignition of the first stage of the missile. This event may be divided into classes, according to what occurs or does not occur within the Launch Facility (LF) and missile in addition to first-stage ignition. It is useful to define three classes, as follows:

a. In-Silo Explosion

This consists of first-stage ignition and not launcher closure removal.

b. Short Launch

This consists of first-stage ignition and launcher closure removal and not one or more of the other actions essential to a proper launch sequence.

c. Critical Launch

This consists of first-stage ignition and launcher closure removal and all of the other actions essential to a proper LAUNCH sequence.

The different branches of the fault tree are biased in favor of one or another of the classes of IL as defined above. The P/G branch is heavily biased in favor of an In-Silo Explosion, with the probability being less for a Short Launch and much less for a Critical Launch. The DPE branch is biased almost completely in favor of a Critical Launch, since the P/G would be expected to function normally once the CSD switch has operated, assuming the SCS armed, and the normal LAUNCH sequence would occur. The LES branch is not biased one way or the other, SCS ARMED being a necessary condition for any launch except those generated by the Nozzle Control Units (NCU's) or within the explosive train itself.

5. PROGRAMMER GROUP FAULT TREE

Section III of Volume 2 presents the complete development of the fault tree for the P/G. This includes, as well as the P/G itself, the ordnance and arming circuits to their terminal squibs in or near the missile, but excludes the SCS. Further, it includes any malconditions that act directly upon the explosive train and propellant of the missile downstream from the ignition squibs. For instance, as shown in Figure 7-3, if (1) power should be applied to one or more of the NCU's through malfunction of the P/G, and if (2) the heat generated is sufficient to ignite one of the stages, an IL of the In-Silo Explosion class will occur. As a practical matter, it does not matter in this particular case which stage ignites first. In an In-Silo Explosion it can be expected that all stages will be ignited within a short time once any one of them has ignited. It should be noted that the second and third stages of the missile were specifically excluded from the study under the terms of the contract. The NCU's for these stages are included here only because their effects closely parallel those of the first-stage NCU's, and because their relations with the P/G closely parallel those of the first-stage NCU's.

In the fault tree for the P/G, two malconditions must coexist in order to get an output from the fault tree. These are shown in Figure 7-3. The first malcondition is an Ignitor No. 1 or an Ignitor No. 2 firing signal sent by the P/G. The second malcondition is an Arm Ordnance signal sent by the P/G, or the Ignitor Safe and Arm (S&A) device failing armed, or relay K-5 in the S&A module failing closed. The last event is shown in a circle in that it is a malfunction describable in terms of a specific component. The Ignitor S&A device failing armed is noted in a hexagon, indicating that a fault tree has been developed separately for this particular electromechanical device. The other events, being describable in functional terms and requiring further development, are shown in rectangles.

The event "Ignitor No. 1 firing signal sent by P/G" will be developed here as an illustration of the fault-tree method. Figure 7-4 is the logic block diagram for the part of the system under consideration. This shows the circuit modules that generate the firing signals to Ignitor No. 1 and Ignitor No. 2 of the first stage. It also shows the final gate in the logic chain that triggers the modules and the contacts of the Launch Enable Switch (LESW) through which the firing signals pass. The fault trees for Ignitor No. 1 and Ignitor No. 2 are identical in form, and that for Ignitor No. 1 only is given in Figure 7-5. Its development is detailed below.

a. An electrical signal to Ignitor No. 1 requires both firing of the Squib Driver (an SPS-5) and a path through (or around) the LESW to get the signal to the missile; hence, AND gate A is required.

b. In the left-hand branch, a signal path will exist if either the LESW contact is in the LAUNCH position or if Test Load - Type 2 (TL-1) is shorted; hence, OR gate B is required.

c. LESW contact No. 211 will be in the LAUNCH position if either the individual contact shorts or if the switch is driven to LAUNCH; hence, OR gate C is required.

d. The inadvertent driving of the LESW involves a different set of gates and will not be developed here.

e. In the right-hand branch, an SPS-5 firing signal can be achieved only if both Squib Driver (SD) power is on and the SPS-5 is triggered (AND gate D). The SPS-5 is an SD circuit using a Silicon Controlled Rectifier (SCR) as a switch. The SPS-5 driver circuit cannot fail in such a way as to provide squib firing current without driver power being applied. The Driver Power On branch will not be developed here.

f. The SPS-5 either may be self-triggered or may be triggered by receiving a driving signal from the preceding stage (OR gate E).

g. The Power Buffer Amplifier - Type 1 (SA-1) will provide a driving signal to the SD if either it fails so as to produce an output or it receives a driving signal from the preceding stage (OR gate F).

h. Magnetic gate type M-3 (M-3) will produce an output if either the gate malfunctions so as to produce an output or if the correct input conditions are achieved (OR gate G).

i. Both a gate malfunction such as to produce a logical "1" or "true" output from the magnetic core and an INTERLOCK signal to turn on the transistor output amplifier, which is a part of the M-3 module, are required to obtain an output from the circuit module if the correct input conditions are not met (AND gate H). The INTERLOCK signal generation will not be developed here.

j. The input conditions required to yield an output (AND gate I), assuming proper operation of the M-3 module, are:
1. The presence of an L1 signal (a P/G generated LAUNCH signal) and
2. The absence of a First-Stage Engine Timer inhibit signal, which is equivalent to saying that a First-Stage Engine Timer signal appears to have been generated, and
3. The absence of an Ordnance Armed inhibit signal, which is equivalent to saying that the ordnance devices appear to be armed, and
4. The presence of an INTERLOCK signal to turn on the transistor output amplifier.

The INTERLOCK PRESENT condition is the output of an OR gate, since either a CSD INTERLOCK signal or a TEST INTERLOCK signal will turn on the transistor output amplifier. This is not shown in Figure 7-5 nor is the generation of the other input signals. The complete development will be found in Section III of Volume 2.

6. DATA PROCESSING EQUIPMENT FAULT TREE

The fault tree for the DPE was developed in a manner similar to that described for the P/G. The logic diagrams for the DPE were studied in order to identify and relate in fault-tree form those events that contribute to IL. As shown in Figure 7-3, the top event of the tree is the operation of the CSD switch. This may be caused by either of two events, operation by failures internal to the CSD itself, or operation by having the proper code read into the CSD. The latter in turn requires that all of three conditions coexist. First, the proper code must be in the Fire Code (FC) store of LEU No. 2. Second, the FC gate must be enabled, and third, FC shift pulses must be received. Each of these events requires further fault-tree development, which is presented fully in Section IV of Volume 2.

The DPE fault tree shows a number of hexagon symbols, indicating that these events are developed further in additional fault trees. One case is in the operation of the CSD by a failure within the device itself. The seven other cases concern the formation of particular code groups; namely, the 18-bit FC, the "sync" group, and the five Launch Control Center (LCC) address codes. Each such event is identified by the symbol Z with a numerical subscript.

7. LAUNCH ENABLE SYSTEM FAULT TREE

The LES was added to the LCS as a part of Block Change No. 1. The purpose was to increase protection against IL and to provide selective control of the firing of individual missiles. It was designed to be a FAIL-ARM system in order not to increase the vulnerability to enemy action of the Minuteman squadron. As a consequence there are many malconditions, any one of which occurring will result in the arming of the SCS, which is the top event of the fault tree for the LES. This circumstance is reflected in the predominance of OR gates in the tree.

As shown in Figure 7-3, any of three conditions may cause the top event - arming of the SCS - to occur. These are a failure internal to the SCS, a failure of relay K-2 in the Safe and Arm Module of the Main Junction Box to the open state, or the condition where the output relay in the 5400-cps detector is not closed. The last condition requires further fault-tree development, which is presented fully in Section V of Volume 2. Arming of the SCS by internal failure, shown in a hexagon symbol, is considered in Section XII of Volume 2.

8. SUPPLEMENTARY FAULT TREES

In addition to the three major fault trees described above, there have been fault trees developed in several other areas of special interest as discussed below.

a. Status System Fault Tree. Section VI of Volume 2 develops the fault tree for the Status System. This system is relevant to the IL problem because it informs the operator of the existence of faulty conditions in the DPE and P/G equipment at the LF's. If the Status System fails to provide such indications, the faulty condition, once having occurred, will be allowed to persist for a prolonged period of time.

The status indication of the SCS is a good example of the above point. The operator is provided with an ARMED light at the LCC when the SCS has left the SAFE position, provided that the Status System is functioning properly. If certain particular malfunctions or combinations thereof have occurred in the Status System, as shown on the fault tree for this system, the ARMED light at the console will fail to illuminate so that any one of a number of malfunctions in the LES that results in the arming of the SCS will go undetected for a prolonged period of time.

b. Electromechanical Device Fault Trees. Section XII of Volume 2 contains the fault trees for the critical electromechanical devices that are used in the LCS. These devices are the CSD, SCS, S&A devices, LESW, and the Volatile Decoder of the DPE. Fault trees are developed separately for these devices because of their mechanical aspects and the critical function that they perform in the LCS. The outputs of the fault trees for these devices appear as inputs at appropriate places in the P/G, DPE, and LES fault trees. They are identified by a Z symbol, with a numerical subscript, enclosed in a hexagon.

c. Fault Tree for Code-Group Formation. Section X of Volume 2 uses the fault-tree method in order to identify and relate the conditions necessary for the formation of code groups in the cable plant. When modified by the probability of having a particular code group formed, the outputs of such a tree can be used as inputs to the appropriate places in the fault tree for the DPE. Such inputs are also identified by a Z symbol, with a numerical subscript, enclosed in a hexagon.

d. Power Subsystems Fault Tree. Though this is developed as a part of the LES fault tree in Section V of Volume 2, it is of interest in other respects as well, such as in preventing an LCF from initiating an INHIBIT message when operating procedures call for it.

9. QUANTITATIVE ANALYSIS OF INADVERTENT LAUNCH PROBABILITY

Conceivable causes of IL in the LCS were reviewed in Section VI to determine which had the greatest significance. Component part failures were particularly significant, so that the relevant circuits and electromechanical devices which appeared on the fault trees were analyzed to determine insofar as possible their numerical rates of failure. In addition, a group of the causes reviewed were found to be significant in the generation of undesired codes in the cable system. Their effects were also analyzed and the numerical probabilities of occurrence determined for the formation of particular code groups of interest. It now remains to apply the results of these analyses to the fault trees in order to evaluate quantitatively the susceptibility of various parts of the LCS to IL. Before this task becomes manageable, there are several factors to be considered.
a. Factors To Be Considered

(1) Simplification. The first factor is that the fault tree can be simplified immediately to some extent by disregarding two types of malconditions. The first is a malcondition that has a probability of occurrence which, though a numerical value can be assigned, is sufficiently small to be neglected in the context in which it appears. The symbol δ denotes this value of probability. For example, if there are three inputs to an OR gate and the probability of one of these inputs being true is very small compared to the probabilities of the other two inputs being true, then it is a valid simplification to ignore the first input. The second type of malcondition that permits simplification of the fault tree is one that has a probability of failure which cannot be assigned an exact value but which is judged to be exceedingly small so that it can be assumed to be zero. The symbol ε is used to denote this value of probability. For instance, if there are three inputs to a given AND gate, one of which has a probability of ε of becoming true, then the output of this gate can be considered as having a probability of ε of becoming true, and the entire branch up to and including the AND can be ignored.

(2) Interconnections. The second factor that must be considered is that there are interconnections that appear in intermediate areas of some of the fault trees. An example of this appears in Figure 7-6, which shows a simplified fault tree for the P/G in the STRATEGIC ALERT mode. The basic events in this tree have been designated with the letters A through H in order to permit a description here of the principles involved in manipulating fault trees. In the left branch of this tree there are two intermediate events developed, Y1 and Y2. (Y1 is the input to the top gate from the left branch, but it appears as well at three places in the middle branch of the tree and at one place in the right branch; Y2 appears once in the middle branch and once in the right branch.) Given the probabilities of the basic events A through H occurring, the problem is to calculate the probability of the output of Gate No. 1 being true, taking into account the cross-connections represented by Y1 and Y2.

(3) Fault-Detection Features of LCS. The third factor that must be considered is the effect of the various fault-detection features within the LCS. Such features include the status indications, the Alarm and No-Go indications, and the automatic shutdown provisions, for the various modes of operation such as STRATEGIC ALERT, TEST, and CALIBRATE. The fault-detection features must be taken into account in estimating the probabilities of IL because of their effects on the expected duration of the in-line malconditions that they sense.

The characteristics of the fault-detection features that are of particular interest are:

(a) Frequency of Operation. Some fault-detection features, such as the ARMED status indication and the Critical Error (CE) circuitry of the DPE, operate continuously. A fault should be noted immediately upon occurrence. Other fault-detection features operate only at discrete times, such as during a Sensitive Command Network Test (SCNT) or a TEST.

(b) Effect of Detecting a Fault. Information on some faults is displayed on the LCC, while information on others is registered with the Voice Reporting Signal Assembly (VRSA), with only a gross FAULT indication showing at the LCC. Selected faults, such as CE's in the DPE, have an additional effect in producing a No-Go condition at the LF.

(c) Reliability of Fault Detection Path. If a failure should occur in the fault-detection path, then the duration of the in-line malfunction will be extended, perhaps indefinitely.
b. Boolean Expressions

In order to accommodate the factors listed above, it is very useful to develop a Boolean expression that describes the fault tree. Through proper algebraic manipulation, multiple connections drop out and the fault-tree output can be expressed in terms of the basic malconditions. Moreover, the terms of the final expression can be regrouped in whatever manner is most convenient to allow for fault-detection features.

Before proceeding further it may be useful to discuss Boolean algebra briefly. This algebra was first conceived by George Boole and presented in his book entitled "An Investigation of the Laws of Thought," published in London in 1854. (Boolean algebra is related to symbolic logic, algebra of classes, calculus of propositions, algebra of logic, and switching algebra.) Unlike ordinary algebra, Boolean algebra deals with variables that are permitted to assume only two different values. Depending on the type of problem being treated, a Boolean variable might have the values: on or off, good or bad, something or nothing, true or false, yes or no, open or closed, present or absent, etc. For a generalized mathematical approach, it is convenient to assign 0 and 1 as the two possible values of the variable and, in turn, to let the 0 and 1 represent the two possibilities of a particular problem. In the case of the fault tree, 0 represents false and 1 represents true, with respect to a given malcondition that appears in the fault tree.

The basic operations most commonly used in Boolean algebra are a special form of negation, a special form of addition, and a special form of multiplication. The special form of negation used is symbolized with an overline, as ā, or with a prime, as a', and may be read as "not a" or as "a prime." Functionally, the operation may be written as NOT (a) = a'. Since only two variable values are permissible, if a = 1, then a' = 0, and if a = 0, then a' = 1.

The special form of addition employed is symbolized by a plus sign, as a + b, and may be read as "a plus b." The expression signifies a "mixing" or "inclusive OR" process and is also read as "a OR b." Functionally, OR (a, b) = a + b.

The special form of multiplication used is symbolized like a product in ordinary algebra, as a · b, a(b), a x b, or simply ab. It may be read as "a times b" or just "ab." The product indicates a "coincidence" or "ANDing" process, and it is also read as "a AND b." Functionally, AND (a, b) = ab. Unlike a product in ordinary algebra, ab = 1 if, and only if, both a = 1 and b = 1.

Table 7-1 shows some of the fundamental identities of Boolean algebra that are relevant to the remainder of this discussion.

A typical example of the development of a Boolean expression for a fault tree will now be described. Figure 7-6 shows the simplified fault tree for a part of the P/G in the STRATEGIC ALERT mode. The numbers within the logic gates denote the output variable of that gate in the Boolean expressions. The letters A through H denote basic events, usually malconditions describable in terms of a specific circuit or component. The symbols Y1 and Y2 are intermediate events that appear at more than one place in the tree.

Table 7-1
FUNDAMENTAL IDENTITIES OF BOOLEAN ALGEBRA

Title                      Identity
Elementary Propositions    a + a' = 1
                           aa' = 0
                           a + 1 = 1
                           a · 1 = a
                           a + a = a
                           aa = a
                           (a')' = a
Associative Law            (a + b) + c = a + (b + c)
                           (ab)c = a(bc)
Commutative Law            a + b = b + a
                           ab = ba
Distributive Law           a(b + c) = ab + ac
                           a + bc = (a + b)(a + c)

The functions of Gates Nos. 1, 4, and 10 have been briefly described in terms of the system functions in order to indicate the relation of the fault tree to the physical system. An expression for the output of Gate No. 1 in terms of the basic events A through H will now be developed.

Starting at the bottom of the left branch

(14) = C + D

For convenience let

Y2 = C + D

(13) = Y2 + E = C + D + E

(11) = (B + C)(C + D + E)

Distributing

(11) = BC + BD + BE + CC + CD + CE

From the elementary propositions of Boolean algebra

CC = C · 1 = C

Grouping, commutating, and distributing

C + CB + CD + CE = C(1 + B + D + E) = C

Substituting and distributing

(11) = C + B(D + E)

(10) = A + (11) = A + C + B(D + E)

For convenience let

Y1 = (10) = A + C + B(D + E)

Going to the middle branch

(9) = Y1 + Y2

(8) = G · (9) = G(Y1 + Y2)

(7) = F · (9) = F(Y1 + Y2)

(6) = Y1 · (8) = GY1(Y1 + Y2)

Commutating and distributing

(6) = GY1Y1 + GY1Y2

As before

Y1Y1 = Y1

Substituting and distributing

(6) = GY1 + GY1Y2 = GY1(1 + Y2) = GY1

Similarly

(5) = Y1 · (7) = FY1(Y1 + Y2) = FY1

(4) = (5) + (6) = FY1 + GY1 = Y1(F + G)

Going to the right branch

(3) = Y1 + Y2

(2) = H · (3) = H(Y1 + Y2)

Bringing the three branches together

(1) = (10) · (4) · (2) = Y1 · Y1(F + G) · H(Y1 + Y2)

Reducing in the same manner as for function (6) above

(1) = H(F + G) Y1

Substituting

(1) = H(F + G) [A + C + B(D + E)]
Thus, the output of the simplified fault tree used in this example can be expressed entirely as a function of the basic events. All basic events appear in the expression, and each appears only once. This permits a quantitative estimate of the probability of occurrence of the top event in the fault tree (i.e., the output of Gate No. 1 in Figure 7-6), if the probabilities of occurrence of the basic events are known. The next section will discuss these probabilities for significant elements in the IL fault trees.
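The reduction just derived, together with the hot-water tree F = A(B + C + D) of paragraph 2, checked mechanically in Python as an added example (this code is not part of the original report; the gate wiring is reconstructed from the gate-by-gate derivation above, and the basic-event probabilities are constructed values). It also shows why the reduction matters for the quantitative step: reading probabilities off the unreduced tree, with each appearance of Y1 and Y2 treated as an independent event, understates the top-event probability.

```python
"""Added example: exhaustive check of the Figure 7-6 reduction and of the
hot-water tree, plus the top-event probability computed with and without
accounting for the Y1/Y2 cross-connections.  Gate numbers follow the text;
the wiring is reconstructed from the derivation, not read from the figure."""
from itertools import product

EVENTS = "ABCDEFGH"


def hot_water_rupture(A, B, C, D):
    """Paragraph 2: tank rupture F = A(B + C + D)."""
    return A and (B or C or D)


def gate1_from_tree(A, B, C, D, E, F, G, H):
    """Evaluate Gate No. 1 of Figure 7-6 gate by gate, as drawn, feeding the
    intermediate events Y1 and Y2 to every place they appear."""
    y2 = C or D                 # (14), bottom of the left branch
    g13 = y2 or E               # (13)
    g11 = (B or C) and g13      # (11)
    y1 = A or g11               # (10)
    g9 = y1 or y2               # (9), middle branch
    g8 = G and g9               # (8)
    g7 = F and g9               # (7)
    g6 = y1 and g8              # (6)
    g5 = y1 and g7              # (5)
    g4 = g5 or g6               # (4)
    g3 = y1 or y2               # (3), right branch
    g2 = H and g3               # (2)
    return y1 and g4 and g2     # (1), top gate


def gate1_reduced(A, B, C, D, E, F, G, H):
    """The reduced expression (1) = H(F + G)[A + C + B(D + E)]."""
    return H and (F or G) and (A or C or (B and (D or E)))


def reduction_is_exact():
    """True if both forms agree on all 2**8 assignments of A..H."""
    return all(gate1_from_tree(*bits) == gate1_reduced(*bits)
               for bits in product((False, True), repeat=8))


def p_or(*ps):
    """Probability that at least one of several independent events occurs."""
    q = 1.0
    for p in ps:
        q *= 1.0 - p
    return 1.0 - q


def p_and(*ps):
    """Probability that all of several independent events occur."""
    q = 1.0
    for p in ps:
        q *= p
    return q


def top_event_probability_exact(p):
    """Exact P(Gate 1) by summing the weight of every assignment of the
    basic events on which the tree fires (basic events independent)."""
    total = 0.0
    for bits in product((False, True), repeat=8):
        if gate1_from_tree(*bits):
            w = 1.0
            for name, bit in zip(EVENTS, bits):
                w *= p[name] if bit else 1.0 - p[name]
            total += w
    return total


def top_event_probability_reduced(p):
    """P(Gate 1) read off the reduced expression.  Valid because each basic
    event appears exactly once, so the gate-wise rules apply directly."""
    return p_and(p["H"], p_or(p["F"], p["G"]),
                 p_or(p["A"], p["C"], p_and(p["B"], p_or(p["D"], p["E"]))))


def top_event_probability_naive(p):
    """Gate-wise rules applied to the unreduced tree, i.e. every appearance
    of Y1 and Y2 treated as an independent event.  This is the error that
    the Boolean reduction exists to avoid."""
    y2 = p_or(p["C"], p["D"])
    y1 = p_or(p["A"], p_and(p_or(p["B"], p["C"]), p_or(y2, p["E"])))
    g9 = p_or(y1, y2)
    g4 = p_or(p_and(y1, p_and(p["F"], g9)), p_and(y1, p_and(p["G"], g9)))
    g2 = p_and(p["H"], p_or(y1, y2))
    return p_and(y1, g4, g2)


if __name__ == "__main__":
    # Constructed per-interval probabilities, not values from the study.
    probs = {name: 0.1 for name in EVENTS}
    print("reduction exact on all assignments:", reduction_is_exact())
    print("exact  :", top_event_probability_exact(probs))
    print("reduced:", top_event_probability_reduced(probs))
    print("naive  :", top_event_probability_naive(probs))
```

With every basic event at 0.1 the naive figure comes out roughly a hundred times smaller than the exact one, which is the direction of error that would hide a significant contributor.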

[AND gate symbol]  A logical AND relation.

[OR gate symbol]  A logical OR relation.

[rectangle]  An event, usually a malcondition, describable in functional terms.

[circle]  An event, usually a malfunction, describable in terms of a specific circuit or component. It is represented by the symbol X with a numerical subscript.

[symbol]  An event not developed further because of lack of information or because of lack of sufficient consequence. It is represented by the symbol W with a numerical subscript.

[symbol]  An event that is normally expected to occur.

[symbol]  A connecting symbol to another part of fault tree within the same major branch. It is represented by the symbol Y with a numerical subscript.

[hexagon]  A connecting symbol to another part of fault tree in a different major branch (such as an interconnection between the P/G and DPE branches). It is represented by the symbol Z with a numerical subscript.

δ  A probability of failure which, though a numerical value can be assigned, is sufficiently small to be neglected in the context shown.

ε  A probability of failure which cannot be assigned a numerical value but is considered to be exceedingly small and is assumed to be zero.

Figure 7-2. Fault-Tree Symbols

[Figure 7-3. Top of the LCS fault tree (diagram not recoverable from the scan)]

[Figure 7-4. Example of Logic Block Diagram, P/G (diagram not recoverable from the scan)]

[Figure 7-5. Fault tree for the Ignitor No. 1 firing signal (diagram not recoverable from the scan)]

[Figure 7-6. A Simplified P/G Fault Tree (STRATEGIC ALERT Mode) (diagram not recoverable from the scan)]


THE BOEING COMPANY

NUMBER D2-30207-1 MODEL NO. WS-133B

TITLE Discussion of Probabilities and their Combination (Section II, Vol. II of Bell Telephone Laboratories Launch Control Safety Study - 9-15-62)

SUPERVISED BY
APPROVED BY (DATE)
CONTRACT NO. CHARGE NUMBER
VOL. 1 SEC. PAGE 1 OF 18

1. INTRODUCTION

1.1 The following pages of this section are reprinted from Section II, Volume I of the Bell Telephone Laboratories' Launch Control Safety Study dated September 15, 1962. It contains significant mathematical analysis applicable to probability computations.

1.2 Boeing document page numbers are added to facilitate the handling and release of this section.
Section II
DISCUSSION OF PROBABILITIES AND THEIR COMBINATION

The theory of probability forms the basis for the quantitative aspects of this study, and this section documents the manner in which probability theory was applied. It is intended to be neither a philosophical treatise nor a rigorous mathematical treatment, but rather a self-contained account of the basic probability rules and procedures employed in the program.

Before giving consideration to the development of these rules, some cautionary remarks are in order regarding the application of probability theory to a real problem, and the interpretation of the numbers resulting therefrom. Like all mathematical disciplines, the theory of probability is developed in relation to specific, abstract, conceptual models, and the formulas derived apply with exactness only to those models. In applying the theory to the real world, even a most carefully formulated model may not be a wholly adequate representation of the real situation. The degree of confidence in the results must then be tempered by objective estimation of the disparity between model and reality. Because, however, the formulas may be applied mechanically, and the results of a probability analysis, even a poor one, are usually expressed as definite numbers, there is a strong tendency to place implicit faith in the numbers once they are generated, forgetting their shaky foundations. Thus, for example, the simple exponential failure model is used for component failure almost universally in the study. While this model is believed to be a good description of device failure behavior, it is surely not a complete one. Burn-in and wear-out failures are not included, this simplifying omission being justified by the inception time and duration of the operation period. In other parts of the analysis, probabilities may be combined in a manner that is valid only for events that are "exhaustive and exclusive." While attempts are made to insure that the proper conditions apply to the problem at hand, in the actual combinations some overlapping may be present that will impair somewhat the validity of results. Moreover, mathematical approximations are made for convenience throughout the work. This should not affect the more significant figures in the computations, but it will have a minor impact on the results. It must be emphasized that the probability figures generated in this study are not sacred (they are not necessarily accurate to the two significant figures in which they are expressed). At the same time, one must recognize their utility in pinpointing critical areas. It should also be emphasized that meticulous care must be taken in stating a probabilistic problem and in formulating the mathematical model so as to minimize errors in the derived results.

1. AN INTERPRETATION OF PROBABILITY FIGURES

In connection with the problem of interpreting probability figures, it may be useful to discuss an implicit meaning of a given numerical probability value. To illustrate, consider the operation of the random code model discussed in paragraph 2 of [section reference illegible in source]. This model is an artificial invention developed to help estimate a lower bound of system performance. It assumes that an arbitrary sequence of 1's and 0's is continuously being generated at the bit rate. The probability that a bit is a 0 is 0.5. Under this condition, and assuming each new bit initiates an independent message, the model generates a 56-bit code with probability of $5.6 \times 10^{-5}$ for a Flight of ten Launch Facilities (LF's) in ten years.

It is difficult to comprehend the magnitude of this number, let alone its significance in context. To make both aspects more meaningful, the following proposition in probability theory is used: "If an event A has probability p of occurring in a single trial, the most likely number of occurrences of A in n trials is np." Using this proposition, the illustrative probability figure can be translated to other terms.

Let a trial for code generation constitute exposure of ten LF's to the random model environment for ten years. Then, for example, ten trials would mean any one of the following exposures: 100 LF's for 10 years, or 10 LF's for 100 years, or 25 LF's for 40 years, or any other ten-fold scaling of the product of LF-years. Now it can be seen that the above proposition applied to the probability in the example implies that the most likely number of occurrences of code generation will be one launch code when

$$np = 1, \quad \text{or} \quad n = \frac{1}{p} = \frac{1}{5.6 \times 10^{-5}} \approx 2 \times 10^4 \text{ trials}$$

Thus, the probability is equivalent to stating that the most probable time to a single code generation for a Flight of ten LF's will be $2 \times 10^5$ years; or, alternatively, the expected number of codes will be one in $2 \times 10^5$ years. (If it is assumed that a Poisson probability model applies, the probability associated with this single code generation in $2 \times 10^5$ years can be shown to be $1/e = 0.37$, but it drops off quickly to near-zero values in the realistic future, diminishing to $5.6 \times 10^{-5}$ in ten years.)

The above is one of several possible interpretations which may help give a probability value some significance related to experience.

2. BACKGROUND PREPARATORY TO COMBINING PROBABILITIES IN FAULT TREES

a. Basic Considerations

This section is devoted to developing the background required for deriving the relations expressing overall probabilities, given the probabilities of component events and the manner in which they are related logically as prescribed by the fault tree. The basic mathematical doctrine drawn upon here is the set of rules governing combinations of independent events. (Independent events are those for which the occurrence of one does not influence the occurrence of another.) The qualification "independent" is imposed not only because of the resulting simplification but also because the Boolean version of the fault tree contains only events that may be regarded as independent, as will be shown below.

For combining probabilities of two independent events A and B, the basic rules as given by probability theory are:

1. The probability of the occurrence of both A and B, written in set symbology $P(A \cap B)$, is

$$P(A \cap B) = P(A) \cdot P(B)$$

2. The probability of the occurrence of either A or B or both, written $P(A \cup B)$, is

$$P(A \cup B) = P(A) + P(B) - P(A \cap B)$$

In this case, since A and B are independent, rule 1 is used to obtain

$$P(A \cup B) = P(A) + P(B) - P(A)\,P(B)$$

and note that if both $P(A)$ and $P(B)$ are small,

$$P(A \cup B) \approx P(A) + P(B)$$

This approximate result is used throughout the subsequent development and in all computations.
b. Composite Probability from Fault Tree and Boolean Expression

Turn now briefly to the format of the fault tree for an illustration of the application of the probability rules thereto and the reason for introducing the Boolean concept. Figure 2-1 shows a typical portion of a tree. The labels on the tree are Boolean functions which take on the value 1 when the failures or malfunctions exist and the value 0 otherwise. The tree shows that the joint occurrence of events A and B ($A \cap B$) constitutes event C which together with D either singly or jointly ($C \cup D$) produces the event E. Thus

$$E = C \cup D = (A \cap B) \cup D$$

(Strictly speaking, E is not identical to the event $[(A \cap B) \cup D]$, but rather E is implied by, or always occurs with, the indicated composite event.)

Another way to express E is in Boolean terms:

$$E = A \cdot B + D$$

The probability of E may be found from either of the above relationships. Using the first, together with rules 1 and 2,

$$P(E) = P[(A \cap B) \cup D] = P(A \cap B) + P(D) = P(A)\,P(B) + P(D)$$

[Figure 2-1. Portion of Typical Fault Tree]

P(E) also follows directly from the Boolean expression and suggests that a simple, unifying approach to fault probability determination may be to write the Boolean expression for the occurrence of an event and then convert it to a probability relation. This approach also has the virtue of avoiding possible errors due to common events (a form of dependency), as illustrated by the following example:

In Figure 2-2a, B is an event which renders D and E mutually dependent. Ignoring this fact and mechanically applying the rules yields

$$P(F) = P(D) + P(E) = P(A)\,P(B) + P(B) + P(C)$$

If, however, the Boolean representation is used,

$$F = A \cdot B + (B + C) = A \cdot B + B + C = B(A + 1) + C = B + C$$

thus

$$P(F) = P(B) + P(C)$$

This differs markedly from the first expression. The latter is the correct result, and it is portrayed in the Boolean tree of Figure 2-2b. In this form, all events are independent. (Note that the use of set relationships could also yield a correct result, but this approach is more unwieldy and difficult to apply to complex cases.) It is now evident that the Boolean approach is a simple technique which handles the problem of dependent events (of the type caused by a common element) by yielding an equivalent format wherein all events are independent.

[Figure 2-2a. Portion of Fault Tree with Dependent Events]
c. Reliability Function

Before proceeding to the development of actual composite event probabilities, it is necessary to introduce yet another fundamental relationship - the reliability function used extensively throughout the fault-tree computations. Because of its importance and the degree to which it is called upon in the subsequent development, an extended if nonrigorous discussion of the reliability function, its complement, and its associated density functions is presented.

[Figure 2-2b. Boolean Equivalent of Figure 2-2a]

(1) Device Reliability. Suppose a large set of $N_0$ identical (with respect to manufacture) devices is subjected to life test, after having eliminated "burn-in" or early-life failures of the substandard members. At time t, $N_F(t)$ devices have failed and $N_S(t)$ survive. Then the reliability of the device, $R(t)$, may be defined as the probability of a member's survival to time t and would be given empirically by the ratio of surviving to original members as a function of time, averaged over many such life tests.

$$R(t) = \frac{N_S(t)}{N_0} = \frac{N_0 - N_F(t)}{N_0} = 1 - \frac{N_F(t)}{N_0}$$

Although $N_F(t)$, and consequently $R(t)$, take on only discrete values, it may be assumed that continuous functions approximate them, and then

$$\frac{dR(t)}{dt} = -\frac{1}{N_0}\frac{dN_F(t)}{dt}$$

or

$$\frac{dN_F(t)}{dt} = -N_0\,\frac{dR(t)}{dt}$$

Now $dN_F(t)/dt$ is the failure rate at time t, while $[dN_F(t)/dt]\,dt$ is the number of failures in the interval $(t, t + dt)$. On dividing $dN_F(t)/dt$ by $N_S(t)$, the failure rate per surviving member is obtained, which is called the hazard function, $h(t)$.

$$h(t) = \frac{1}{N_S(t)}\frac{dN_F(t)}{dt}$$

The hazard function $h(t)$ is in the nature of a conditional probability density of time-to-failure, because

$$h(t)\,dt = \frac{dN_F(t)}{N_S(t)}$$

is the fraction of surviving members at the start of an interval (time t) which fail in the interval $(t, t + dt)$.

(2) Failure Density Function. If $dN_F(t)/dt$ is divided by $N_0$ instead of by $N_S(t)$, the failure rate per original member, designated $f(t)$, is obtained as

$$f(t) = \frac{1}{N_0}\frac{dN_F(t)}{dt}$$

This failure rate $f(t)$ is also a probability density function of time-to-failure, since

$$f(t)\,dt = \frac{dN_F(t)}{N_0}$$

represents the fraction of original members that fail in the interval $(t, t + dt)$.

Some useful reliability relationships can be derived from these definitions. Starting with $h(t)$:

$$h(t) = \frac{1}{N_S(t)}\frac{dN_F(t)}{dt} = -\frac{N_0}{N_S(t)}\frac{dR(t)}{dt} = -\frac{1}{R(t)}\frac{dR(t)}{dt}$$

or

$$h(t)\,dt = -\frac{dR(t)}{R(t)}$$

Integrating,

$$\int_0^t h(t)\,dt = -\ln R(t) + k$$

Since $R(0) = 1$, then $k = 0$, and

$$R(t) = e^{-\int_0^t h(t)\,dt}$$

If $h(t)$ is assumed to be constant, a condition closely realized in life testing experience, and $h(t) = \lambda$ is called simply the failure rate, then $R(t) = e^{-\lambda t}$ is the reliability function giving the probability of member survival to time t. (It is assumed that the device is not operated long enough to exceed the constant $\lambda$ range.)

The probability that the device will have failed by time t is the complementary function $Q(t)$, where

$$Q(t) = 1 - R(t) = 1 - e^{-\lambda t}$$

This is the expression used to evaluate the fault-tree "circles" (basic circuit failures). To illustrate its use, suppose that a device failure rate $\lambda = 250$ failures per $10^9$ hours, and $t = 30{,}000$ hours. Then

$$Q = 1 - e^{-\lambda t} = 1 - \left[1 - \lambda t + \tfrac{1}{2}\lambda^2 t^2 - \dots\right] \approx \lambda t$$

If higher order terms may be neglected (the usual situation in this study),

$$Q = \frac{250}{10^9} \times 30{,}000 = 0.0075$$

An interpretation of this result (as indicated in paragraph 1) is that if 10,000 such circuits were run for 30,000 hours each, about 75 failures could be expected among them.

Returning now to $f(t)$,

$$f(t) = \frac{1}{N_0}\frac{dN_F(t)}{dt} = -\frac{dR(t)}{dt} = -\frac{d}{dt}e^{-\lambda t} = \lambda e^{-\lambda t}$$
On integrating $f(t)$ from 0 to $\infty$,

$$\int_0^\infty f(t)\,dt = \int_0^t f(t)\,dt + \int_t^\infty f(t)\,dt = \Big[-e^{-\lambda t}\Big]_0^t + \Big[-e^{-\lambda t}\Big]_t^\infty = \left(1 - e^{-\lambda t}\right) + e^{-\lambda t} = Q(t) + R(t)$$

The preceding states that $Q(t)$, the probability of failure by time t, may be found by integrating the density function from 0 to t; the graphical significance is shown in Figure 2-3a.

To obtain the probability of failure in some crucial interval subsequent to 0, say $(t_1, t_2)$, $f(t)$ must be integrated over that interval:

$$Q(t_1, t_2) = \int_{t_1}^{t_2} f(t)\,dt = \int_{t_1}^{t_2} \lambda e^{-\lambda t}\,dt = \Big[-e^{-\lambda t}\Big]_{t_1}^{t_2} = e^{-\lambda t_1} - e^{-\lambda t_2} = e^{-\lambda t_1} - e^{-\lambda (t_1 + \tau)} = e^{-\lambda t_1}\left[1 - e^{-\lambda\tau}\right] = R(t_1)\,Q(\tau)$$

where

$$\tau = t_2 - t_1$$

This result states that the failure probability in an interval of length $\tau$ starting at $t_1$ is equal to the probability that the device has survived to time $t_1$, multiplied by the probability of failure in an interval of length $\tau$ which starts at 0. The graphical interpretation of $Q(t_1, t_2)$ is shown in Figure 2-3b.
-i -.
[Figure 2-3a. Graphical Significance of Q(t) and R(t): Q(t) is the area under f(t) from 0 to t; R(t) is the area under f(t) from t to infinity]

[Figure 2-3b. Graphical Significance of Q(t_1, t_2): the area under f(t) from t_1 to t_2, equal to Q(t_2) - Q(t_1)]

One additional fact is drawn from $f(t)$. Since $f(t)$ is a probability density of time-to-failure (which is to say that there is a time distribution of failure probability densities), it is in order to inquire which value of t is the mean of this distribution. The answer is found by "weighting" each value of t with its associated density and integrating over all t:

$$m = \int_0^\infty t \cdot f(t)\,dt = \int_0^\infty t\,\lambda e^{-\lambda t}\,dt = \frac{1}{\lambda}$$

Thus, for the constant hazard function,

$$m = \frac{1}{\lambda}$$

That is, the mean-time-between-failure (MTBF) is the reciprocal of the failure rate. In the following work, m and $1/\lambda$ are used interchangeably as convenience dictates.
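The exponential relationships of this paragraph, together with the paragraph-1 reading of a probability as an expected count np, as working code. This is an added example, not the plan's own code; it reproduces the 250-per-10^9-hour illustration and checks the interval identity Q(t_1, t_2) = R(t_1) Q(τ) and the MTBF integral numerically, with the other sample values constructed.

```python
"""Exponential reliability relationships of paragraph 2c, with the
paragraph-1 reading of a probability figure as an expected count np.

Added example, not the plan's own code. Failure rates are per hour and
times in hours, matching the plan's 250-per-10^9-hour illustration; the
other sample values are constructed.
"""
import math


def reliability(lam, t):
    """R(t) = exp(-lambda t): probability of survival to time t."""
    return math.exp(-lam * t)


def unreliability(lam, t):
    """Q(t) = 1 - R(t): probability of failure by t, the fault-tree 'circle' value."""
    return 1.0 - reliability(lam, t)


def unreliability_linear(lam, t):
    """First-order approximation Q ~ lambda t used throughout the study."""
    return lam * t


def failure_density(lam, t):
    """f(t) = lambda exp(-lambda t): density of time-to-failure."""
    return lam * math.exp(-lam * t)


def interval_failure_probability(lam, t1, t2):
    """Q(t1, t2) = integral of f over (t1, t2) = R(t1) * Q(t2 - t1)."""
    return reliability(lam, t1) * unreliability(lam, t2 - t1)


def mean_time_to_failure(lam, steps=100_000):
    """m = integral of t f(t) dt, done numerically (midpoint rule) out to
    40 MTBF, where the remaining tail is negligible; it should return 1/lambda."""
    upper = 40.0 / lam
    h = upper / steps
    return sum((i + 0.5) * h * failure_density(lam, (i + 0.5) * h) * h
               for i in range(steps))


def expected_failures(lam, t, population):
    """Paragraph-1 reading of a probability: np, the most likely number of
    failures among `population` devices each run for t hours."""
    return population * unreliability_linear(lam, t)


if __name__ == "__main__":
    lam = 250 / 1e9                      # 250 failures per 10^9 hours
    print("Q(30,000 h) linear:", unreliability_linear(lam, 30_000))
    print("Q(30,000 h) exact: ", unreliability(lam, 30_000))
    print("expected failures among 10,000:", expected_failures(lam, 30_000, 10_000))
    print("MTTF at lambda = 1e-4/h:", mean_time_to_failure(1e-4))
```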

3. COMPOSITE FAILURE PROBABILITY UNDER SPECIFIC CONDITIONS

With the background of paragraph 2, the main objective of this section may be undertaken - the derivation of relationships for composite probability of failure under specific conditions prescribed by the fault trees. (Note that rules are not developed here for determining circuit failure from probabilities of component failure. This aspect is dealt with in Sections VII and VIII.)

In the following discussion the fault detection feature associated with some events is at once the significant element in the composite event and the complicating part of the analysis. Fault detection enters the analysis by prescribing a necessary sequence or order of failures if the composite event is to occur. It enters the physical system through the alarm and status features, as well as through test modes.

One starts with two events, A and B, which are independent failure conditions having constant failure rates $\lambda_A$, $\lambda_B$ or, alternatively, MTBF's $m_A$, $m_B$, respectively. The composite event of interest is the combination of A and B in an AND gate under various conditions, resulting in event F. (In Boolean terms, $F = A \cdot B$.) Required is the probability $P(F)$ that F occurs under the following different circumstances:

CASE I. Neither A nor B is subject to detection throughout the entire operation period $T_0$.

Solution: This is the case that applies to the bulk of the computations. Since A and B are independent,

$$P(F) = P(A) \cdot P(B) = \left(1 - e^{-\lambda_A T_0}\right)\left(1 - e^{-\lambda_B T_0}\right) \approx \lambda_A T_0 \cdot \lambda_B T_0 = \frac{T_0^2}{m_A m_B}$$
CASE II. Condition A triggers a detection alarm and is corrected immediately on occurrence. B is not subject to detection.

Solution: Under the given hypothesis, the only way for F to occur is to have B precede A, since if A precedes B, A is always corrected and the two events can never coexist (neglecting precisely simultaneous failures). An implicit order condition is thus imposed by the detection feature.

First express the probability that B occurs in the differential interval dt which starts at t and is followed by the occurrence of A in the interval $(t, T_0)$, given that A has not occurred up to t:

$$P[B(dt)]\,P[A(T_0 - t)] = \frac{1}{m_B}e^{-t/m_B}\,dt\left[1 - e^{-(T_0 - t)/m_A}\right]$$

Since F will result if the above compound event occurs for any t in $(0, T_0)$, $P(F)$ is obtained by integrating over t in the overall interval:

$$P(F) = \int_0^{T_0}\frac{1}{m_B}e^{-t/m_B}\left[1 - e^{-(T_0 - t)/m_A}\right]dt = \int_0^{T_0}\frac{1}{m_B}e^{-t/m_B}\,dt - \frac{1}{m_B}\int_0^{T_0}e^{-T_0/m_A + t/m_A - t/m_B}\,dt$$

If $m_A = m_B = m$,

$$P(F) = \int_0^{T_0}\frac{1}{m}e^{-t/m}\,dt - \frac{1}{m}e^{-T_0/m}\int_0^{T_0}dt = 1 - e^{-T_0/m} - \frac{T_0}{m}e^{-T_0/m} = 1 - \left(1 + \frac{T_0}{m}\right)e^{-T_0/m}$$

Preserving only first and second order exponential terms,

$$P(F) \approx \frac{T_0^2}{2m^2}$$
If $m_A \neq m_B$,

$$P(F) = 1 - e^{-T_0/m_B} - \frac{1}{m_B}e^{-T_0/m_A}\int_0^{T_0} e^{[(m_B - m_A)/(m_A m_B)]\,t}\,dt = 1 - e^{-T_0/m_B} - \frac{m_A}{m_B - m_A}\left(e^{-T_0/m_B} - e^{-T_0/m_A}\right)$$

This is the exact expression for the general case. On expanding the exponentials to second order terms,

$$P(F) \approx \frac{T_0^2}{2 m_A m_B}$$

Comparing this result with the approximation in Case I, one notes that the instantaneous detection feature has decreased the failure probability to half the unchecked value. This aspect is discussed more fully later.

In addition to the alarm detection situation specified in the hypothesis, Case II also applies to the following: Suppose B is the failure of an enable input to a gate. A is a sporadic pulse whose rise (or fall) in coincidence with B results in F. Before the occurrence of B (the persistent change of state) the appearance of A (a sporadic pulse) has no effect and is equivalent to failure and immediate correction. But once B has occurred, the reappearance of A gives F.
CASE IIa. F results only if B occurs before A in $(0, T_0)$, but neither is subject to detection.

Solution: This case is similar to Case II in that an order condition is imposed. (Here it is explicit.) It differs from Case II in that absence of failure detection requires $P(F)$ to include an additional factor for the probability that A has not occurred up to the time B occurs. (In Case II, this factor is unity by virtue of the instantaneous detection and correction condition.) Therefore, the expression wanted is for the probability of the event "B occurs in the differential interval dt starting at t, A has not occurred up to t, A occurs in $(t, T_0)$":

$$P[B(dt)]\,P[\bar{A}(0, t)]\,P[A(t, T_0)] = \frac{1}{m_B}e^{-t/m_B}\,dt \cdot e^{-t/m_A}\left[1 - e^{-(T_0 - t)/m_A}\right]$$

As before, F will result if this compound event occurs for any t in $(0, T_0)$. $P(F)$ is obtained by integration:

$$P(F) = \int_0^{T_0}\frac{1}{m_B}e^{-t/m_B}e^{-t/m_A}\left[1 - e^{-(T_0 - t)/m_A}\right]dt = \frac{1}{m_B}\int_0^{T_0}e^{-[(m_A + m_B)/(m_A m_B)]\,t}\,dt - \frac{1}{m_B}e^{-T_0/m_A}\int_0^{T_0}e^{-t/m_B}\,dt$$

$$= \frac{m_A}{m_A + m_B}\left[1 - e^{-[(m_A + m_B)/(m_A m_B)]\,T_0}\right] - e^{-T_0/m_A}\left[1 - e^{-T_0/m_B}\right]$$

This is the exact expression in the general case. If $m_A = m_B = m$,

$$P(F) = \frac{1}{2}\left[1 - e^{-2T_0/m}\right] - e^{-T_0/m}\left[1 - e^{-T_0/m}\right]$$

Again neglecting exponential terms above the second degree,

$$P(F) \approx \frac{T_0^2}{2m^2}$$

This result is the same as in Case II.

If one now approximates $P(F)$ when $m_A \neq m_B$ by preserving terms only up to the second order, one again obtains

$$P(F) \approx \frac{T_0^2}{2 m_A m_B}$$

as in Case II. Apparently the order condition alone has reduced the probability of failure by one half.
CASE III. The system is examined for the occurrence of A at discrete times $T_1, 2T_1, \dots, nT_1 = T_0$. If A has occurred, corrective action is taken to replace the failure at the end of the interval in which it occurred. B's occurrence is not subject to detection throughout $(0, T_0)$.

Solution: This case introduces the effect of periodic testing of one critical element in the logical AND gate. In the actual system, $T_1$ could correspond to the daily Sensitive Command Network Test (SCNT) or the monthly TEST.

F will occur if both A and B coexist at any time. Because B's failure is persistent, while A's lasts only for the balance of the interval in which it occurs, F is the event "B fails in an interval, and A fails in the same or a subsequent interval."

$$P[F(0, T_0)] = P[B(0, T_1)]\,P[A(0, T_0)] + P[B(T_1, 2T_1)]\,P[A(T_1, T_0)] + \dots + P[B((n-1)T_1, nT_1)]\,P[A((n-1)T_1, nT_1)]$$
But

$$P[A(T_1, nT_1)] = 1 - \{\bar{P}[A(0, T_1)]\}^{\,n-1}$$

The probability that A occurs in at least one of (n - 1) intervals is the complement of the probability that it fails to occur in all of them. Hence

$$P[F(0, T_0)] = P[B(0, T_1)]\left\{1 - \bar{P}_A^{\,n}\right\} + P[B(T_1, 2T_1)]\left\{1 - \bar{P}_A^{\,n-1}\right\} + \dots + P[B((n-1)T_1, nT_1)]\left\{1 - \bar{P}_A\right\}$$

where $\bar{P}_A = \bar{P}[A(0, T_1)]$ is the probability that A does not occur in a single interval of length $T_1$. Now

$$P[B(kT_1, (k+1)T_1)] = e^{-\lambda_B k T_1}\left(1 - e^{-\lambda_B T_1}\right)$$

and

$$\bar{P}_A = e^{-\lambda_A T_1}$$

so that

$$P[F(0, T_0)] = \left(1 - e^{-\lambda_B T_1}\right)\sum_{k=0}^{n-1} e^{-\lambda_B k T_1}\left[1 - e^{-\lambda_A (n-k) T_1}\right]$$

Let

$$r = e^{-\lambda_A T_1}, \qquad s = e^{-\lambda_B T_1}$$

Then

$$P[F(0, T_0)] = (1 - s)\sum_{k=0}^{n-1} s^k\left(1 - r^{\,n-k}\right) = 1 - \frac{(1 - s)\,r^{\,n+1} - (1 - r)\,s^{\,n+1}}{r - s}$$

The reault has beez expressed In this form to exhibit the remarkable symmetry
ia r and a or, equivalently, in A and XB. This means that, if XA amd AB are inter-
chazked, the composite failure probability is not changed. Thus, if A has an MTBF
o 10 hours while B has an MTB? of 1.05 hours, the probability of F Is exactly the
same as if these attributes were reversed. An even morc arprislng interpretation
of the symmetry Is that the probability of composite fathire is the same whether one
checks the more reliable or the less reliable device at the periodic Intervals! This
tact may have significant implications on maintenance procedures.
For use in computations, P[F(O, To)] is expressed as

P[F(O, Td, - "BP


eAT I l -'BT -AAnT I I O-OB - XA)nTl
( -A)Ii

Once again the approximate expression retaining squzred terms only is

P[F(0.2 4A nnlT i~ T2]~


~
P[F(D, ~A TO]
( AA
)T1AB

Thie result tell. how much protection Is ac.!eve hy checking one device n times
In the interva! (0, To). In partiuLar, If there is no chocking (n - 1),

r[(D To)] - I+1 A - 2


P1 FO, (~l) ~ B 0 AB

as1 in Ca"- 1, and the probability of composite failure 13 twice as great as in the rae
of Insntaneous checking (Case 13). (The Case II result also follows by putting n -
in the above approximation for I(F].) U a check Is made once at the midpoint c
(0, TO) so that n - 2, the probability of F is reduced by 25 percent from the no-
check condition. Nine checks (n - 10) give a 45 percent reduction of the probability
of F from the no-check case. With 100 checks, the probability of F is practically
an low as in the Case Ufcondition. Thus Caie Ill otcludes Cases I and 1I as special
cues.
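Cases I, II, IIa and III as working code, an added example that is not the plan's own. The Case III interval sum is evaluated both directly and in the symmetric closed form so the two can be checked against each other and against Cases I and II; the sample failure rates and the one-year operation period are constructed, not taken from the plan.

```python
"""Composite AND-gate failure probability P(F) under the detection conditions
of paragraph 3: Cases I, II, IIa and III. Added example, not the plan's own
code. Rates lam_a, lam_b are failures per hour (lambda = 1/m) and T0 is in
hours; the sample values used in __main__ are constructed, not from the plan.
"""
import math


def case_i(lam_a, lam_b, t0):
    """Neither A nor B detected in (0, T0): P(F) = Q_A(T0) * Q_B(T0)."""
    return (1 - math.exp(-lam_a * t0)) * (1 - math.exp(-lam_b * t0))


def case_ii(lam_a, lam_b, t0):
    """A alarmed and corrected immediately, B undetected (B must precede A).
    Exact: 1 - e^{-T0/mB} - mA/(mB - mA) (e^{-T0/mB} - e^{-T0/mA}),
    with the equal-MTBF form 1 - (1 + T0/m) e^{-T0/m} when mA == mB."""
    ma, mb = 1 / lam_a, 1 / lam_b
    if math.isclose(ma, mb):
        x = t0 / ma
        return 1 - (1 + x) * math.exp(-x)
    return (1 - math.exp(-t0 / mb)
            - ma / (mb - ma) * (math.exp(-t0 / mb) - math.exp(-t0 / ma)))


def case_iia(lam_a, lam_b, t0):
    """Explicit order condition (B before A), neither detected: the Case II
    integrand carries the extra factor e^{-t/mA} that A has not yet occurred."""
    ma, mb = 1 / lam_a, 1 / lam_b
    return (ma / (ma + mb) * (1 - math.exp(-(ma + mb) * t0 / (ma * mb)))
            - math.exp(-t0 / ma) * (1 - math.exp(-t0 / mb)))


def case_iii(lam_a, lam_b, t0, n):
    """A checked and replaced at the end of each of n intervals T1 = T0/n,
    B undetected. Direct evaluation of the interval sum: B fails in interval
    k (having survived k intervals) and A fails in interval k or any later one."""
    t1 = t0 / n
    r, s = math.exp(-lam_a * t1), math.exp(-lam_b * t1)
    total = 0.0
    for k in range(n):
        total += s ** k * (1 - s) * (1 - r ** (n - k))
    return total


def case_iii_closed_form(lam_a, lam_b, t0, n):
    """Closed form of the same sum, symmetric in r and s:
    P = 1 - [(1 - s) r^(n+1) - (1 - r) s^(n+1)] / (r - s)."""
    if math.isclose(lam_a, lam_b):          # r == s: closed form is 0/0
        return case_iii(lam_a, lam_b, t0, n)
    t1 = t0 / n
    r, s = math.exp(-lam_a * t1), math.exp(-lam_b * t1)
    return 1 - ((1 - s) * r ** (n + 1) - (1 - r) * s ** (n + 1)) / (r - s)


def case_iii_second_order(lam_a, lam_b, t0, n):
    """Squared-terms approximation: (1/2)(1 + 1/n) lam_a lam_b T0^2."""
    return 0.5 * (1 + 1 / n) * lam_a * lam_b * t0 ** 2


if __name__ == "__main__":
    la, lb, t0 = 1e-5, 2e-5, 8760.0       # constructed: one year of operation
    for n in (1, 2, 10, 100):
        print(n, case_iii(la, lb, t0, n), case_iii_second_order(la, lb, t0, n))
    print("case II", case_ii(la, lb, t0), " case IIa", case_iia(la, lb, t0))
```

With n = 1 the Case III sum collapses exactly to Case I, and as n grows it approaches Case II from above, which is the ordering the text describes.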
