Apollo logic diagram analysis guideline by Pleas, D. R. & Yoseph, R. S.
rA-A 
0 
* N7O -242Q 14 
(ACCESSIO0 NUMBER] (TM L) 
U (NASA CR OR TMX OR AD NUMBER) C R) 4CATEcORronPOaLO 
Reproduced by the 
CEA RINGHOUSE 
for Federal Scientific & Technical | 
Information Sprngfield Va. 22151 
https://ntrs.nasa.gov/search.jsp?R=19700025068 2020-03-11T23:45:29+00:00Z
DOCUMENT NO. -D2-117018-i- Y-
TITLE APOLLO LOGIC DIAGRAM ANALYSIS GUIDELINE 
MODEL NO. APOLLO CONTRACT NO. NASw-1650 
4F D.NR-w-PLEA
 
SYSTEM SAFETY ANALYSIS 
REVISION A
 
JUNE 17, 1968 
R.fOSEPE 
MANAGER - SYSTEM SAFETY
 
AND PROGRAM ASSURANCE
 
ISSUE NO. ISSUED TO
 
THE SOF"A'S COMPANY SPACE DIVISION 
D2-117018-lA
 
DISTRIBUTION LIST
 
R.S. Yoseph 5-2320 RS-09 
 (1 copy)

E.J. Boyle 5-2322 RS-09 
 (1 copy)

E.G. Newberg 5-2324 RS-09 (1 copy)

D.R. Pleas 5-2321 RS-09 
 (i copy)

C.F. Slumpff 5-2323 RS-98 
 (1 copy)

D.B. Jacobs 5-2200 RS-02 
 (1 copy)

N. Johnson 5-8231 
 FT-05 (2 copies)
F.W. Bushman 5-8230 
 FT-68 (i copy)

J.W. Davis 5-8232 FT-90 (2 copies)

H.D. Boring 5-2700 HR-I1 
 (1 copy)

R.B. McMurdo 5-2660 HR-01 
 (2 copies)

W.B. Dalrymple 5-6700 AA-58 
 (2 copies)

R.E. Evans 5-6762 AA-73 (2 copies)

J.W. Griswold 2-5020 84-39 
 (i copy)

N.E. Classon 2-5020 84-38 
 (1 copy)

H.D. Trettin 2-5020 
 84-38 (1 copy)

G.R. Herrold 2-5025 84-38 (1 copy)

J.M. Barker 5-2330 RS-11 
 (I copy)

C.P. Martin 5-2100 RS-12 
 (1 copy)

APO-TIE Library File No. 1
 
ii
 
D2-117018-lA
 
ABSTRACT
 
This document provides a general set of guidelines to stand­
ardize logic diagram (fault tree) methodology for system

safety analysis in the Apollo program These guidelines
 
cover both the qualitative and quantitative aspects.
 
KEY WORDS
 
System Safety
 
Logic Diagram
 
Event
 
Fault Duration Time
 
Dominant Path
 
Failure Data Development
 
Apollo
 
Logic Diagram Analysis
 
Qualitative Evaluation
 
Quantitative Evaluation
 
System Safety Analysis
 
Fault Tree Analysis
 
Monte.Carlo Simulation
 
Importance Sampling
 
Lambda-Tau
 
iii
 
D2-11701-8-IA
 
FOREWORD
 
This guide has been prepared to establish uniformity in tht

application of logic diagram (fault tree) methodology where

used in the Apollo program system safety analyses. Imple­
mentation of standardized terminology, symbolism and proce­dures as 
defined in this document is necessary to ensure
 
compatibility in the logic diagram analyses being performed

concurrently at the various Apollo geographical locations.
 
iv
 
D2-117018-1A
 
CONTENTS
 
Page
 
1.0 	 INTRODUCTION 1-i
 
1.1 	 Purpose 1-1
 
1.2 	 Scope 1-i
 
2.0 	 SYSTEM SAFETY ANALYSIS FLOW 2-1
 
2.1 	 Analysis Activity 2-1
 
2.2 	 Program Activity 2-1
 
2.3 	 Apollo Logic Diagram Format Requirements 2-5
 
3.0 	 SYSTEM SAFETY INTERFACES 3-1
 
3.1 	 Configuration Management Interface 3-1
 
3.2 	 Design Engineering Interface 3-2
 
3.3 	 Quality Assurance 3-2
 
3.4 	 Test Planning and Reporting 3-3
 
3.5 	 Reliability Interface 3-3
 
3.6 	 Maintainability and Human Engineering
 
Interface 3-4
 
3.7 	 Health and Safety Interface 3-4
 
4.0 	 SYSTEM SAFETY LOGIC DIAGRAMMING 4-1
 
4.1 	 General 4-1
 
4.2 	 Event Description 4-1
 
4.3 	 Symbols 4-2
 
4.4 	 Special Symbols 4-12
 
4.5 	 Event Identification 4-14
 
4.6 	 Basic Diagram Methodology 4-16
 
4.7 	 The Human Element 4-20
 
4.8 	 Dominant Path 4-21
 
5.0 	 DRAFTING OF LOGIC DIAGRAMS 5-1
 
APPENDIX A --	 SYSTEM SAFETY FAILURE DATA 
DEVELOPMENT A-I 
APPENDIX B --	 SYSTEM SAFETY LOGIC DIAGRAM 
EVALUATION B-I 
APPENDIX C --	 CONSTANT REPAIR OR '"LAMBDATAU" METHOD 
FOR LOGIC DIAGRAM EVALUATION C-I 
APPENDIX D --	 ADVANCED CONCEPTS IN THE USAGE OF THE
 
MATRIX GATE D-1
 
APPENDIX E --	 LOGIC DIAGRAM EXAMPLE E-I 
v
 
D2-117018-1A 
ILLUSTRATIONS
 
Figure No. Page
 
1 ANALYSIS FLOW 2-2
 
2 PROGRAM FLOW 2-4
 
3 TRANSFER SYMBOL USAGE 4-13
 
4 STANDARDIZED EVENT NOTATION 4-15
 
5 LOGIC DIAGRAM SEGMENTS 4-17
 
6 LOGIC DIAGRAM RELATIONSHIPS 4-19
 
7 EXAMPLE OF COMMAND PATH 4-20
 
HUMAN ELEMENT EXAMPLE 4-22
 
9 STEPS OF MECHANIZED DRAFTING 5-2
 
10 ARRANGEMENT OF COMPUTER CARD DECK 5-3
 
11 COMPUTER DATA CARDS 5-7 thru 5-17
 
12 DATA CARD LISTING 5-18
 
13 EXAMPLE LOGIC DIAGRAM 5-19
 
Al SYSTEM SAFETY FAILURE DATA FORMAT A-2
 
Dl GENERALIZED MATRIX GATE D-2
 
D2 VARIABLE MATRIX GATE D-3
 
D3 CONDITION MATRIX GATE D-6
 
D4 CONDITION MATRIX GATE D-7
 
D5 GENERALIZED MATRIX GATE - MATHEMATICAL D-9
 
EQUATIONS
 
El SYSTEM BLOCK DIAGRAM E-2
 
E2 SYSTEM SCHEMATIC E-3
 
E3 LOGIC DIAGRAM CROSS REFERENCE E-5
 
E4 thru
 
E7 HAND DRAWN LOGIC DIAGRAMS E-6 thru E-9
 
E8 thru
 
Ell MACHINE DRAFTED DIAGRAMS E-10 thru E-13
 
vi ­
D2-117018-lA
 
1.0 INTRODUCTION
 
1.1 PURPOSE
 
The purpose of this document is to provide the basis for

standardized Apollo system safety logic diagram analysis
 
efforts.
 
1.2 SCOPE
 
This document establishes standards for Apollo logic
diagram (fault tree) analysis methods, terminology and

symbolism. Three basic analytical elements are defined:
 
1) System safety logic diagramming (Section 4); 
2) System safety failure data development (Appendix A); 
3) System safety logic diagram evaluation (Appendix B). 
The document also 'describes-the analysis flow process,
logic diagram format requirements, two methods of drafting

logic diagrams, and the interfaces between system safety

engineering and other engineering disciplines.
 
D2-117018-lA
 
2.0 SYSTEM SAFETY ANALYSIS FLOW
 
2.1 ANALYSIS ACTIVITY
 
in order to place Apollo System Safety efforts in the proper

perspective, the following problem solving steps are con­
sidered essential as an underlying basis for a systems ap­proach to safety. These steps will enable the risk of un­
desired (hazardous) events identified in the Apollo Program
 
to be maintained at an acceptable level.
 
1) Identification of undesired events; 
2) Structuring identified undesired events into a logic 
diagram; 
3) Determination of fault inter-relationships; 
4) Evaluation for "likelihood" of identified undesired 
events; 
5) Trade-off decisions and/or corrections. 
As depicted in Figure 1, steps 1) and 2) above are necessary

to develop what is commonly known as a "Top" logic diagram.

The top logic diagram plays an essential part in performing
 
a system safety logic diagram analysis. It is a starting

guide which shows how and where the logic diagram is to be
 developed (or expanded) by further analysis activity. It
 
organizes all of the system unique logic relationships into
 
a pattern whereby the system hardware and software functions
 
can be analyzed in an orderly and logical manner. This
 
means that the top must be structured so that the end anal­
ysis is complete in satisfying what is defined by the top
 
undesired event(s).
 
System unique logic relationship variables which must be
 
carefully structured are things such as: 1) system opera­
tion modes, 2) mission phases and/or operations, 3) the de­
gree of man/machine relationship in the system, 4) inter­
relationships of the Centers with the system functions, and
 
5) functional order of the system.
 
This list of relationship variables covers the top structure
 
gross considerations, and indicates the types of activity

involved. System unique logic relationship variables will
 
vary with the different systems being analyzed, with the de­
gree of difference depending upon the similarity between
 
systems.
 
D2-117018-1A
 
SYSTEM
 
DEFINITION 
SYSTEM
 
INFOPMTION 
CONFIGURATION /DEVELOPING TOP LOGIC 
CONTROL DIAGRAM STRUCTURE 
IDEITIFICATION 
OF UNDESIRED
 
EVEITS
 
STRUCTURNG IDET.l 
DIAGRAMII 
LOGIC DIAGRAM I" LIKELIHOOD" OF
 
AAToCONSTRUCTION AND-" ._, [NDESIRED EVET
 
EAALUATIONOR 
DECISIONS 
ANALYSIS FLOW 
FlGURE 1 
2-2
 
D2117018-1A
 
As already stated, the top logic diagram is a starting

"guide" for a complete system logic diagram analysis. This
 
means that once the top is started it is not necessarily

"cast in concrete", but is subject to change as analysis

activity progresses. Experience has shown that as an anal­
ysis proceeds to completion, more system information and
 
understanding is gained. As system information and under­
standing develop, modification to the top logicdiagram is
 
required to reflect this current knowledge.
 
Step 3) is the actual development of the logic diagram.

This is the point where analysis activity starts from the
 
top logic diagram structure and proceeds through the hard­
ware level. This step of analysis is the foundation of a
logic diagram analysis. The fault mode relationships, once
 
correctly and completely structured, will usually never
 
change - unless hardware design changes occur.
 
Step 4) is an evaluation of the completed logic diagram for
 
the purpose of: 1) determining the likelihood of identified
 
undesired events, and 2) determining the identity and rank­
ing of "chains" of -events and event relationships leading

to the identified undesired event(s). Evaluation can be

accomplished by rigorous mathematical processes (quantita­
tive evaluation) or from intuitive (inductive) methods.
 
However, the results obtained (quantitative/inductive) will
 
only be as complete as the applied rigor. Useful results
 
can be obtained from evaluations made during the course of
 
development of the logic diagram analysis.
 
Step 5) If it is determined through the evaluation of the
logic diagram (or as a result of other analyses) that cor­
rective action is required, the logic diagram analysis it­
self is a valuable source of information for change decisions.
 
Proposed corrections such as design changes, procedure

changes, etc., can be evaluated in the context of the logic

diagram to determine a relative measure of improvement.
 
In order to achieve a meaningful and useful analysis, two
 
important points must be emphasized. First, the output of
 
an analysis is only as valuable and reliable as the quality

and quantity of effort and information going in to the anal­
ysis. Second, hardware and operating procedures configura­
tion control must be maintained at all times to avoid erro­
neous conclusions being drawn from the analysis.
 
2.2 PROGRAM ACTIVITY
 
The flow of activity necessary for a complete system-inte­
grated Apollo logic diagram analysis should follow a pattern
 
as shown in Figure 2. This flow takes into consideration
 
the steps required to perform an analysis, along with the
 
2-3
 
APD FOR DEVELOP AGREEMENT ASSIGNMENT 
APOLLO TOP LOGIC BY CENTERS OF EVENT CENTER 
SYSTEM DIAGRAM ON TOP DEVELOPMENT ANALYSESH
SAFETY STRUCTURE STRUCTURE TO CENTERS 
RE-ITERATIVE 
REVIEW AND 
INTEGRATION 
OF CENTER 
ANALYSES 
DAY-TO-DAY COMMUNICATIONS 
PROGRAM FLOW 
FIGRE 2 
STEP 
DOCUMENT AND 
RELEASE SYSTEM 
BASELINE 
ANALYSIS 
D2-117018-lA
 
difficult task of consolidating the Center analyses into
 
one complete system/mission oriented analysis.
 
As shown in Figure 2, the first step in program development

is the structuring of the top logic diagram. This is done
 
primarily by the APO, with the aid of the Centers. 
After
 
a suitable top has been structured and agreed upon by all
 
involved, each of the Centers is assigned specified portions

of the logic diagram for further development. While the
 
Centers are conducting their analyses, the task of reviewing

the output of each Center and combining the output into one
 
complete systems analysis is performed by the APO. When
 
the Apollo system analysis for system safety is complete,

it will be documented, approved and released.
 
An important factor necessary in accomplishing a system-in­
tegrated analysis is the media of communications. Without
 
an effective communications network, operable on a "day-to­
day" basis between the Centers and the APO, loss of direc­
tion, efficiency and effectiveness will result.
 
2.3 APOLLO LOGIC DIAGRAM FORMAT REQUIREMENTS
 
To achieve a consistency of approach and to assure analysis

completeness, the following requirements must be met by each
 
MSF Center submitting logic diagram analyses.
 
1) 'Structuring must follow the rules and symbolism 
set forth in this document. 
2) Each "diamond" event must have the following in­
formation/reason for analysis termination of the 
event: 
(a) Insignificant (with rationale) 
(b) Lack of system information 
(c) Identification of other analyses which 
satisfactorily analyze the failure modes 
and system effects for that event. 
3) Development information sources must be identified 
by schematic, flow, time, mechanical, electrical, 
operation, maintenance drawing and/or document 
numbers. The revision date and/or number must be 
included for each source. This source information 
must be included as part of each submittal. 
4) Each Center must utilize the logic diagram alpha­
betic code assignments made in the Apollo Logic
Diagram Analysis Guidelines document. 
2-5
 
D2-117018-lA
 
5) Each submittal shall indicate the Apollo System 
configuration represented, i.e., AS-503, AS-504, 
in the "Model" block. 
6) Revision codes will be included by each Center 
and will be based on the standard Boeing practice 
of assigning progressive alphabetic characters be­
ginning with A. 
7) Identify all components and subsystems by part 
number and part number source if part number source 
is different from logic diagram structure source. 
2-6
 
D2-117018-1A
 
3.0 SYSTEM SAFETY INTERFACES
 
3.1 CONFIGURATION MANAGEMENT INTERFACE
 
Configuration Management is the system engineering manage­
ment which describes, identifies and controls the system/

equipment configuration throughout the definition, develop­
ment, production and change phases.
 
A primary function of System Safety is to develop a logic

diagram analysis which reflects the system/equipment of an
 
established and well defined baseline configuration. To
perform this task System Safety must have available an es­
tablished baseline configuration and detailed baseline
 
system/equipment design and operation information. 
The re­
sponsibility of establishing the baseline configuration and
 identifying this configuration by documentation of detailed
 design and engineering data lies with Configuration Manage­
ment.
 
Another function of System Safety is to analyze the effect
 
of proposed changes on the baseline configuration with re­
spect to the logic diagram analysis performed on the base­line configuration. Decisions as to the acceptability and
 
cost-effectiveness of proposed changes, with regard to
System Safety, can be made based on the mathematical model
 (logic diagram) of the system/equipment. Proposed System
Safety design changes resulting 
-from logic diagram analyses

must be implemented through Configuration Management.
 
Demonstration that the system/equipment development is in

accordance with the specification/requirements is accomplished

through internal and contractually required design reviews
 
and equipment inspections. System Safety is required to
participate in the reviews and to show that the design meets
 
the specification/requirements allocated for System SafdEy,

and that, in general, no problem areas exist. Demonstration
 
that baseline requirements and specifications are being met
 
with respect to System Safety is accomplished through the
 
medium of logic diagram analysis.
 
Verification and certification of all manufactured end items
 is the responsibility of Configuration Management, but is 
a
 direct task of Quality Assurance. The interface between
 
System Safety and Quality Control is discussed in further
 
detail in Section 3.3.
 
Data on the accumulated operating time/cycles and the number
 
of failures of identified hardware items is essential to
 
System Safety in order to identify potential "weak links"
in a system and to quantitatively evaluate logic diagrams.

Also, a record of approved changes with their scheduled
 
3-1
 
D2-117018-1A
 
incorporation date into the hardware and the actual incorpo­
ration date is vital to System Safety. With this informa­
tion, the status of the baseline configuration and the base­
line logic diagram analyses can be kept current.
 
3.2 DESIGN ENGINEERING INTERFACE
 
The interface between System Safety and Design Engineering

requires a "day-to-day" working relationship between members
 
of each organization. The results of this close relation­
ship are inherently beneficial to both organizations.
 
Design Engineering is a source of valuable information on
 
the operating and functional characteristics of the system/

equipment. The detailed and gross level information ob­
tained during the initial design stage is invaluable to
 
System Safety. In retrospect, System Safety can make known
 
to designers the ideas and practices associated with de­
signing an inherently safer system.
 
Knowledge of proposed changes to the system/equipment can
 
be acquired during the conceptual and initial design change

stage, and suggestions made to the designers to provide a
 
safer and/or safety cost-effective change. System/equip­
ment design changes which are needed for improved system

safety can be discussed with the designers to select the
 
most effective design alternative with respect to safety

and System effectiveness.
 
Close work between the two organizations at an early stage

will allow differences to be worked out before procedural

formalities of the "organizational system" require a longer

period of negotiation in order to yield a design acceptable
 
to both Design Engineering and System Safety.
 
3.3 QUALITY ASSURANCE INTERFACE
 
The system significance of a particular event or part detail
 
cannot be determined by study of the design alone. There­
ford, predictive system safety analyses must be made from
 
drawings, procedures and other documented instructions.
 
Thus, the accuracy of such analyses and the conclusions de­
rived from them are dependent on activities of quality tech­
nicians and inspectors in assuring that instructions are
 
followed.
 
Quality requirements are determined and satisfied throughout

all phases of contract performance, including preliminary

and engineering design, development, fabrication, processing,

assembly, inspection, test, checkout, packaging, shipping,

storage, maintenance, field use, flight preparations, flight

operations and flight analysis. The Quality Assurance pro­
gram ensures that quality aspects are fully included in all
 
3-2
 
D2-117018-1A
 
designs and are continuously maintained in the fabricated
 
articles. 
Any change required to improve components, sub­
system, or system performance without compromising quality,

reliability or safety should be incorporated at the earlies
 
practical point in development and fabrication. The pro­gram provides for the early and prompt detection of actual
 
or potential deficiencies, system incompatibility, marginal

quality, and trends or conditions which could result in
 
unsatisfactory quality. Objective evidence of quality con­formance, including records of inspection and test results,
 
are made available to cognizant organizations. This infor­
mation is a necessary part of system safety analyses in
 
order to provide a high level of confidence in the logic
diagram representation of system faults and confidence in
 
the assignment of probabilities to the fault events.
 
3.4 TEST PLANNING AND REPORTING INTERFACE
 
Special tests are conducted on hardware end items for relia­
bility data, qualification, quality assurance, and system

*hardware integration. From these tests considerable data
 
is produced and made available which is necessary for logic
diagram evaluation. Conversely, requirements for special

tests to obtain data specifically needed by System Safety
 
may result from logic diagram analyses.
 
System safety analyses conducted on proposed test plans may
initiate special test procedures and corrective measures to
 
existing test plans.
 
3.5 RELIABILITY INTERFACE
 
A function of Reliability is system/hardware analysis for
 
failure data; such as failure modes, failure effects,
 
mean time between failures, probabilities of failure and as­
sessment of system failures on mission accomplishment.

Much of this type of data is used by System Safety for both
 
qualitative and quantitative system safety analysis. For
 
example, existing and substantiated failure modes and ef­
fects data is an invaluable aid in the qualitative logic
diagram analysis of a system. In a quantitative logic dia­
gram evaluation, hardware failure rate data is a necessary
item. In retrospect, the results of a system, safety anal­
ysis may have a direct impact upon reliability; such as re­quiring further testing of certain hardware or improving

the reliability of a particular system element. 
Therefore,

it is essential that System Safety coordinate closely with

Reliability for an exchange of data on a timely basis.
 
Since reliability data is a'prime source of information for
 
system safety analyses, there is a significant degree of
inherent compatibility. However, it should be noted that
 
complete numerical parity should not be expected because
 
reliability "numbers" normally refer to both primary and
 
3-3
 
D2-117018-1A
 
secondary failures for particular failure modes. Thus, it
 
is entirely possible for a system to have reliability which
 
is the complement of one failure per 1000 operating hours
 
and a probability of significant undesired event, i.e.,
 
accident,'of one per 1,000,000 operating hours.
 
Conversely to System Safety use of reliability data, relia­
bility considerations may be altered by System Safety anal­
ytical results. For example, it may be necessary to make
 
a particular system element-more reliable because of its safety
 
significance even though the system reliability is already
 
adequate.
 
3.6 MAINTAINABILITY AND HUMAN ENGINEERING INTERFACE
 
Maintainability is a design discipline that provides for
 
ease, economy and safety in all maintenance functions and
 
the use of maintenance equipment. Therefore, System Safety
 
and Maintainability must work closely in order for System
 
Safety to perform safety analyses on .maintenanceequipment
 
and to certify the safety of maintenance equipment design
 
and maintenance operations.
 
Human Engineering is involved in the designing of equip­
ments for human use so that they can be used efficiently,
 
accurately and safely. Human Engineering and System Safety
 
must make use of, as a part of the safety analyses, human
 
factor statistics (data) available as the result of human
 
factor studies. The human/system interface is a necessary
 
consideration in safety analyses.
 
3.7 HEALTH AND SAFETY INTERFACE
 
System Safety is concerned with test, assembly, checkout,
 
maintenance and use of systems which provide a possibility
 
of serious injury, loss of life, loss of equipment or
 
significant equipment damage. In other words, concern with
 
the above undesired events as a result of the existence of
 
the system. Health and Safety is concerned with providing
 
a safe working environment for employees. It is obvious
 
that there will be some overlap between the two functions
 
and in this case the more stringent standards of accepta­
bility would apply.
 
System Safety can aid the Health and Safety activity by pro­
viding hardware oriented data and by identifying hazardous
 
areas. Health and Safety can aid System Safety by provid­
ing information and data on.human factors, toxic materials,
 
anthropometric considerations and other specialized data re­
lated to the human working environment.
 
3-4
 
D2-117018-lA ,
 
4.0 SYSTEM SAFETY LOGIC DIAGRAMMING
 
4.1 GENERAL
 
The system safety logic diagram is a logic oriented graphic

representation of the parallel and series combinations of
 
independent personnel or equipment subsystem and component

failure and normal operating modes -that can result in a
 
specified undesired event. This representation can be quan­
tified to provide a relative measure of the paths leading to
 
these events.
 
The following sections discuss basic rules, definitions and
 
methodology of the logic diagramming technique.
 
4.2 EVENT DESCRIPTION
 
The term "event" denotes a dynamic change of state that occurs
 
to a system element, where an element is inclusive of hardware,

software, personnel and environment. If the change of state
 
is such th&t the intended function of the particular element
 
is not achieved, or an unintended function is achieved, the
 
event is an abnormal system function or "fault event." If the
 
change of state is such that the intended function occurs as
 
planned (designed), the event is then a normal system function
 
or "normal event." Thus, two types of events exist -- those
 
which are not intended and those which are intended.
 
Fault events can be divided into two categories: basic events
 
and gate events. Basic events are events whereby system ele­
ments (usually at the component level) go from an unfailed
 
state to a failed state, and are related to a specific failure
 
rate and fault duration time. These events are used only as
 
inputs to a logic gate (never as outputs) and are therefore
 
independent events. On a logic diagram, basic events are
 
depicted by a circle and/or a diamond. A gate event is the
 
event (or system failure) which results from the output of a
 
logic gate. Since the gate event is dependent upon the input

events and the type of logic gate function, it is therefore a
 
dependent event. It must be noted that the gate event is not
 
the logic gate itself, but the result of the logic gate func­
tion and the input events. The gate event is depicted by a

rectangle above the logic gate. As a logic diagram develop­
ment progresses, gate events on one level become inputs to
 
gate events on the next higher level.
 
In the logic diagram analysis of a system-the inherent modes
 
of failure of system elements are delineated as primary,

secondary and command. These failure modes are referred to
 
as "primary events," "secondary events," and "command
 
events" respectively, and are depicted on the logic diagram
 
as the combination of basic events and/or gate events. In
 
4-1
 
D2-117018-lA
 
other words, these events are generally identified at a gate
 
event level, and depending on the level of analysis, are fur­
ther developed until the event can be identified as a basic
 
event.
 
In a logic diagram analysis, the dynamic change of state
 
that occurs to a system element is defined as & binary type
 
event. That is, a system element is always in one of two
 
states, ON or OFF. The ON state (or 1) corresponds to a
 
failed condition and the OFF state (or 0) corresponds to an
 
unfailed condition. The example below illustrates the
 
binary manner of a system element. The element operates
 
normally (OFF state) until failure occurs (ON state). After
 
the fault event occurs (dynamic change of state) the element
 
remains failed (ON state) until repair of some sort has been
 
effected. When repair is accomplished, the element returns
 
to the unfailed state (OFF). By representing events and
 
g.ates in a binary manner, logic diagrams can be analyzed by
 
the rigorous techniques of Boolean algebra.
 
Event Duration Time Event Duration Time 
ON 1 
STATE OF O 0 7 
ELEMENT OPP AA B C D 
A - Time of 1st failure
 
B - Time ist failure is repaired
 
C - Time -of 2nd failure
 
D - Time 2nd failure is repaired
 
4.3 SYMBOLS
 
Rectangle
 
The rectangle identifies an event (gate event) that results
 
from the combination of fault events through a logic gate.

The rectangle is also used to describe a conditional input
 
to a functional condition INHIBIT gate (described below).
 
w
 
4-2
 
D2-117018-lA
 
Circle
 
The circle describes a basic fault event that requires no
 
further development. The frequency and mode of failure of
 
items so identified is derived from empirical data. The rate
 
of occurrence of such a primary event is normally the gen­
eric failure rate of the component for the particular failure
 
mode.
 
0
 
House
 
The house indicates an event that must occur (or is expected
 
to occur) due to normal operating conditions in the system.
 
The house does not indicate a fault event. An example is
 
a phase change in a dynamic system, such as the landing,
 
flight, and take-off phases of an aircraft.
 
Diamond
 
The diamond describes a fault event that is considered basic
 
in a given logic diagram. The possible causes of the event
 
are not developed either because the event is of insufficient
 
consequence or the necessary information for further
 
development is unavailable. For Apollo T.I.E. system safety
 
applications, it also can indicate non-development because an
 
analysis already exists that is of satisfactory depth and
 
breadth.
 
4-3
 
D2-117018-1A
 
Oval
 
The oval is used to record the conditional input to a random
 
condition INHIBIT gate. It defines the state of the system
that permits a fault sequence to occur, and may be either
 
normal to the system or result from failures. It is also

used to indicate the necessary sequence of events required to
 
pass through an "AND" or an "OR" gate function.
 
Double Diamond
 
The double diamond is used in the simplification of a logic

diagram for numerical evaluation. The event described re­
sults from the causes that have been identified, but are not
 
shown on a particular version of the logic diagram.
 
"AND" Gate
 
The "AND" gate describes the logical operation whereby the

co-existence of all input events is required to produce the
 
output event. The fault duration time of an "AND" gate is
 
expressed in terms of the input fault duration times.
 
L2 or Mre 
1Inputs 
4-4
 
D2-117018-1A
 
Example of "AND" Gate Usage: 
Ligtt 
NC Off 
a C 
Ata itoB, 
Another example of "AND" Gate Usage: 
Lighit "CK 
A B 
lose lose 
"OR" Gate 
The "OR" gate defines the situation whereby the output event
 
will exist if one or more of the input events exists. The
fault duration time of an "OR" gate is expressed in terms of 
the input fault duration times.
 
output 
2 or more loput. 
4-5 
D2-117018-IA
 
Example of "OR" Gate Usage: 
Light Wc 
on 
to ite 
0 a 
Another example of "OR" Gate Usage:
 
Light "C-
A I 
itc Wite 
A 
"PRIORITY AND" Gate 
The "PRIORITY AND" gate performs the same 
logic function as

the "AND" gate with the additional stipulation that sequence
 
as well as co-existence is required.
 
X2 or More nputs 
4-6 
D2-117018-lA
 
Example of "PRIORITY AND" Gate-Usage
 
Assume: For an aircraft the safety monitor feature monitors
 
the system response to automatically control and inhibit
 
those control inputs which exceed system limits.
 
"CONSTANT FAUL DURATION AND" Gate
 
The "CONSTANT FAULT DURATION AND" gate symbolized
 
' 
describes the same logical function as the "AND" gate except
 
that the fault duration time of the output event is not de­
pendent upon the fault duration times of the inputs. The
 
fault duration time of this gate is determined as a function
 
of the system operation.
 
fult duraton time o teutput eveti o e
that he 

<7al
 
4-7
 
D2-117018-1A
 
Example of "CONSTANT FAULT DURATION AND" Gate Usages
 
Consider the undesired event "Rocket Motor Inadvertently Ignited."
 
Assume the "armed" results in a warning light prompting immed­
late-repair action. If the "armed" event occurs and the warning
 
system is working, the fault duration time is one unit. If the
 
"armed" event occurs and the warning system has failed, the
 
fault duration time is naturally longer, being dependent upon
 
how often the monitoring system is functionally checked.
 
Rocket Motor
 
Inadvertently

Ignited
 
Safec-Arm Ignition 
Meohaniam Current 
Armed fresent 
A 1 Unit Fault Duration 
Time 
A' = I Unit Fault Duration 
Nixon* 
n 
.silona, 
Arme 
Tine + 4 Mnitoring 
Sstemy antional 
Check Time 
Duration (Monitoring 
Time Spates A Check 
Tim) 
, -ot----­
MissileSafe-Arm 
Ar'ed Meah l 51 
A Monitor Sytm 
failure 
WebD DACMA 
4-8
 
D2-117018-1A
 
"EXCLUSIVE OR" Gate
 
The "EXCLUSIVE OR" gate functions as 
an OR gate with the
 
restriction that specified inputs cannot co-exist. 
This
 
gate will not respond to the co-existence of two or more
 
specified input events.
 
2 or More Inputs 
Example of "EXCLUSIVE OR" Gate Usage:
 
Assmetric 
Thrust 
Assume: Twin, side mounted engine vehicle. Simultaneouuly
 
WOEDIARAM gifte No. 1 Engine No. 2 
"CONSTANT FAULT DURATION OR" Gate
 
The "CONSTANT FAULT DURATION OR" gate performs the 
same
 
function as 
the "OR" gate except that the fault duration time

of the output event is not dependent upon the fault duration
 
times of the inputs. The fault duration time of the output

event is strictly dependent upon system operation variables,
 
and must be determined from system information rather than
 
in terms of the input event fault duration times.
 
Output 
- ault 
Duration
 
Time
 
2 @r~toire Inputs
 
4-9 
D2-117018-lA
 
"INHIBIT" Gates
 
"INHIBIT" gates describe a causal relationship between one
 
fault and another. The input event directly produces the
 
output event if the indicated condition is satisfied. The
 
conditional input defines a state of the system that permits
 
the fault sequence to occur, and may be either normal to the
 
system or result from failures. The conditional input is
 
represented by an oval if it describes a specific failure
 
mode and a rectangle if it describes a condition that may
 
exist for the life of the system. The conditional input is
 
further described on the following pages. The logical
 
"INHIBIT" functions are symbolized in system safety logic
 
diagrams as follows:
 
Type Of 
contita 
"FUNCTIONAL CONDITION INHIBIT" Gate
 
The "FUNCTIONAL CONDITION INHIBIT" gate provides a means for
 
applying conditional probabilities to the fault sequences. If
 
the input event occurs and the "condition" is satisfied, an
 
output event will be generated. The duration time of the
 
output event may be either the duration time of the fault
 
input or may be separately generated.
 
Soutput 
4-10
 
D2-11J018-1A
 
Example of "FUNCTIONAL CONDITION INHIBIT" Gate Usage:
 
Causedrecky Blowout 
pad Wet Road 
Road
that
I-
I 
Faults that
 
Cause Blowout 
"RANDOM CONDITION INHIBIT" Gate
 
'The "RANDOM CONDITION INHBIT" gate is the same as the "FUNC-

TIONAL CONDITION INHIBIT" gate except that the status of the
 
conditional input to a "RANDOM CONDITION INHIBIT" gate is
 
variable while it remain constant in the "FUNCTIONAL CONDI-

TION INHIBIT" gate. The fault duration time of the output
 
event is always generated within the gate.
 
output 
Coaditi 
Example of "RANDOM INHIBIT" Gate Usage:
 
ydn-ulie Line 
Nrmken in Wheel 
C~tLas asaulie Ia 
in~N. WLineel 
4-11
 
D2-117018-1A
 
4.4 SPECIAL SYMBOLS
 
"MATRIX" Gate
 
Output Outpu 
SConditions 
2 Inputstpul 
2 Inputs only 

-1 
 Input Only
 
The "MATRIX" gate is used to describe a situation in which an
 
output event is produced for certain combinations of events at
 
the inputs. A matrix showing the event combinations that
 
produce the output event will accompany each usage of this
 
symbol. (Refer to Appendix D for further details.)
 
Example of "VARIABLE TYPE MATRIX" Gate Usage
 
ire Al, A2 or A) 
-. has voltage on it
o0 0 9 and shorts to Wir 
Al shorts to D 1.0 0 0 
A2 shorts to D 0 1.0 0 Faults that allowvires Al, A2 or Faults that allowoern is 
t sh
0 0 1.0 ire toU shorts to D 
Example of "CONDITIONAL TYPE MATRIX" irlae Crashes 
Gate Usage
 
P1. Roll~ss 
.Airplane
Faults 
Roll .4 .5 ." / 
Taw .7 .8 .4 
Pitch .6 .7 
-
.6 Faults causing Faults causing Fut asn 
- rudder to Je aileron to Ja= tjrottle to Ja 
4-12 
D2-ll7018-1A
 
Transfer Symbols
 
The "transfer" symbol is used to allow continuity between
 
two parts of a logic diagram. A line drawn into the side of
 
a triangle transfers everything below that triangle to another­
location, which is identified by a triangle with a line drawn
 
from the apex and containing matching nomenclature and
 
identifying symbol. The methodology 'i illustrated below:
 
A als aleslscl t nom lttuf 
symbol 
Two types of transfer symbols exist. The "internal" (local)
 
transfer symbol transfers portions of a logic diagram on2y
 
within a particular logic diagram. The idea behind this being
 
that whenever the development of a certain portion of logic
 
diagram is identical in two (or more) places, on the same
 
logic diagram, it need only be developed in one place.
 
The "external" (global) transfer symbol transfers a portion
 
of a logic diagram to another, -entirely separate, logic
 
diagram. This happens when a development is identical for
 
one event on two separate logic diagrams. Also, when a
 
diagram is developed until there is no longer room for fur­
ther expansion on the sheet (or it is desired to end-at a
 
particular place) an external transfer is used to continue
 
development on another sheet. This is the method by which
 
new logic diagram developments (sub-diagrams) are started.
 
Figure 3 is an example of transfer symbol usage. It shows
 
the correct use of both internal and external transfers.
 
rigire 3
 
Transfer Symbol Usage
 
4-1-3 
D2-11:7018-lA 
Output Encompassing Ellipse
 
An ellipse with a line extending out along the major axis
 
is used when a component appears several times at the same
 
place (e. g., a 10-stage counter where all 10 stages can be
 
represented by illustrating one stage). Only one of the
 
inputs is drawn to encompass the output. This indicates that
 
the failure rate of that event is to be multiplied by the
 
given factor (times 10 for the 10-stage counter) for an
 
"OR" gate or raised to a given power and multiplies by the
 
expression (ntn-l) for an "AND" gate. This symbol is
 
illustrated below.
 
An or 
X (nrn-!) 
4.5- EVENT IDENTIFICATION
 
All events comprising a logic diagram must be identified by
 
a code. This is necessary for four reasons* 1) easy and pre­
cise referencing, 2) for purposes of drafting, 3) in order
 
for a log of events to be maintained, and C) for purposes of
 
quantitative evaluation. The means by which events are
 
identified is generally dependent upon the requirements and
 
objectives of the particular analysis. A standardized pro­
cedure should be set up and adhered to for an entire analysis
 
program.
 
The size and complexity of the Apollo system has demanded that
 
a unique method of event identification be utilized. The
 
method chosen has been developed to satisfy the present re­
quirements and objectives of the Apollo system oriented
 
logic diagram analysis, plus allowance for future expansion
 
or quantitative ev&luation.
 
To begin, all events are classified into one of two cate­
gories. These two categories are'referred to as "global"

events and "local" events. Global events are defined as
 
events which are used on more than one logic diagram, and
 
local events are defined asevents which are unique to one
 
logic diagram. The notktion Xor code) for events allows
 
each event to be uniquely represented, at the same time
 
differentiating between global and local events. The
 
standardized notation is shown in Figure 4.
 
4-14
 
D2- 11 7018-1A
 
vol V100thru thruV99 
 V999
 
W0 1 WIOC 
thru thru
W99 
 W999 
X01 ( 1100

thru thruX99 E999 
Z01 zio0 
thru thruZ99 Z999 
Y01 Y100 
thru thru199 1999 
01 AkA
thru thin 
99 
 2ZZZ
 
Figure 4
 
Standardized Event Notation
 
4-15 
D2-117018-1A
 
From Figure 4, it can be readily discerned that the apha
 
character identifies the type of event. That is, "W" indi­
cates a house, "X" indicates a circle, "Z" indicates a
 
diamond, any "Y" indicates an oval. Local events are
 
numbered from 01 through 99 for each and every logic dia­
gram. For example, diamonds on the AAA logic diagram are
 
randomly numbered as Z01, Z02, Z03, etc., and diamonds on
 
the RAA logic diagram are also numbered as Z01, Z02, Z03,
 
etc. The only way to differentiate between local events
 
is by indicating the logic diagram on which they are
 
located. Global events are numbered from 100 through 999
 
and an index must be used to locate logic diagrams on
 
which these events appear.
 
For the identification of global transfers (sub-diagrams)
 
a three character alpha system is utilized. Using three
 
alpha characters allows identifying nomenclature for a
 
possibility of 17,576 logic diagrams. In conjunction with
 
this method, a breakdown has been established which immed­
iately identifies the source of the logic diagram. This
 
,breakdown consists of delegating the first letter, of all
 
three letter combinations, to a particular MSF Center. The
 
breakdown is as follows:
 
AAA thru AZZ WDC/Seattle (676 diagrams) 
BAA thru HZZ MSFC (4732 diagrams) 
IAA thru QZZ KSC (6084 diagrams) 
RAA thru ZZZ MSC (6084 diagrams) 
As shown, local transfer symbols are numbered from 01
 
through 99 for each logic diagram. When referring to a
 
particular local transfer, the diagram on which it appears
 
must also be given.
 
4.6 BASIC DIAGRAM METHODOLOGY
 
The development of a logic diagram commences with the
 
definition or identification of the top "undesired event"
 
to be analyzed. The top undesired event can be an encompas­
sing event, such as Tmission loss,'-" indicating a complete
 
system analysist it could be a limiting event, such as
 
Wcrash due to engine failure,3 indicating analysis of an
 
identifiable potential hazard? or it could be a specific
 
event,. such as "amplifier fails resulting in low output,"

indicating analysis beginning at a hardware level. Once
 
definition of the undesired event has been accomplished,

the system is analyzed using the following rules and
 
4-16
 
D2-117018-1A
 
definitions of logic diagramming to determine and model the
 
inter-relationships and combinations of both normal and
 
abnormal system functions which could cause the occurrence
 
of the top undesired event.
 
The next step is to divide the system operating modes into
 
phases. A phase is that increment of a system's life which
 
can be analyzed independently, yet recognizing that there
 
may be commonality of analysis between any of the phases.

Some phases may be further divided into sub-phases, depending
 
upon the system structure. System phase breakdown should
 
continue (corresponds to system engineering functional
 
analysis) until the environment stays relatively constant
 
through the phase element and system operational character­
istics do not change the fault environment. The development

of a logic diagram proceeds through the identification and
 
combination of the system events (normal and fault) until all
 
fault events are definable in terms of basic identifiable
 
hardware faults, to which failure rate data can be applied.
 
Figure 5 shows the general relationship of logic diagram
 
segments. Although shown as distinct elements, it should
 
be noted that the segments Will, to a certain extent, "mix"
 
together throughout the logic diagram structure.
 
Undesired 
 1 
F nt(s) Top
 
Structure
 
System Phases
 
Major System Flow
 
of Cause
Identifcatian
Sources (fault flow) Flow+ 
Primary, Secondary & Command Paths + 
Detailed Hardvtre Flow 
Primary Event Identification' 
Figure 5 
Logic Diagram Segments
 
Developing the "fault flow," 
or cause and effect relationship

of events through a system, requires deductive reasoning at
 
each "gate event" or level of the logic diagram. This
 
deductive reasoning basically involves the answering of five
 
questions: 1) necessity, 2) sufficiency, 3) primary,

4) secondary, and 5) command. 
These questions effectively

develop the structure of the logic diagram on a progressive,
 
or level-by-level, basis.
 
4-17
 
D2-117018-lA
 
To answer the questions "necessity" and "sufficiency" re­
quires an evaluation of the system for normal and abnormal
 
functional event relationships. This evaluation determines
 
the system unique events, and logic gates combining them,
 
to result in the undesired event. This is accomplished by

looking at the undesired event and asking, "What is necessary

and sufficient to cause this undesired event?" 
 For example,
 
an ordnance device will be activated when two-events occur:
 
1) the ordnance device Safe and Arm mechanism closes, "AND"
 
2) energizing power is available on the ordnance device
 
ignition line. These two events are all that is 
"necessary"

and "sufficient" to cause activation of the ordnance device.
 
The questions "primary" and "secondary" are questions requir­
ing an evaluation of the system to determine what primary

and/or secondary fault events can occur to result in another
 
fault event. These questions also identify the specific

primary and secondary failure modes of the fault event. 
For
 
example, a primary failure mode of an ordnance device would
 
be the mode of auto-ignition. A secondary failure mode
 
would be that of ignition due to excessive external shock or
 
heat.
 
The question "command" is really a guideline for development

through the system. The question asks, "What upstream event
 
will command the downstream event to occur?" The upstream

event may be a primary and/or secondary event, or it may be
 
an event commanded by an event further upstream. Essenti­
ally, the "command path" is a chain of events delineating

the failure path of command events through a system. The
 
command path ultimately results (at the finish of the
 
analysis) as a primary and/or secondary fault event. Take
 
for example, a set of relay contacts failing closed, as part

of a system function. The contacts may fail closed as 
a
primary failure, they may fail closed from a secondary cause
 
such as foreign material bridging the contacts, or they
 
may be commanded to close by a relay coil failure. 
 If an
 
upstream event causes the relay coil to be energized, the
 
contacts are effectively "commanded" to close as 
a result of
 
this upstream event.
 
The effective inter-relationship of the five necessary deduc­
tive questions is shown below:
 
Logic necessity primary event
 
Diagram sufficiency jsecondary event
 
1command event
 
As indicated, a logic diagram is constructed of primary

events, secondary events and command events through the
 
medium of necessity and sufficiency.
 
4-18
 
D2-117018-1A
 
In developing a logic diagram certain thought processes take
 
place in the mind of the analyst. The steps of development
 
at each level of the logic diagram delineating these thought
 
processes are:
 
1) 	 Define the undesired output event;
 
2) 	 Determine what is "necessary and sufficient" to
 
produce the undesired output;
 
3) 
 List all primary events related to the undesired
 
output;
 
4) 	 List all secondary events related to the undesired
 
output;
 
5) Define the undesired input event which could command 
- the output event; 
6) 	 Repeat steps 1 - 5 for the new undesired event
 
defined in step 5.
 
Figure 6 shows the relationship of the above steps to the
 
structure of a logic diagram. The inherent simplicity and
logical process is readily apparent from this example.
 
Secondary Secondary
 
Faults Faults
 
(power) (environnnt)
 
Command Primary tUndesiredflul ti f~ault(s) ' Otu 
SecodaryUndesired
 
Faults Output
 
(reference)
 
Faults Faults (Bbi- Faults cnaynn 
Figure 6
 
Logic Diagram Relationships
 
4-19
 
Figure 7 shows a logic diagram structure which portrays the
 
relationship of the command event to the primary and second­
ary events, and also how command events lead to a "command 
path." It must be remembered that the command path, as such,
is only a guideline for analysis of event development
 
through a system. Command events create an orderly and logi­
cal manner of analysis at each level of the logic diagram.

Once an analysis is completed, comparison between the
 
logic diagram and signal flow diagram will show that the
 
logic diagram "command path" of a branch will represent the
 
steps of signal flow along a single thread.
 
*vent Bevet
 
chain of oomnd 
events fcoma pathl 
Seodr eveent.t een 
Zvsnt .D
 
even evn
 
Filure 7 
Exaple of Commad Path 
HUMANn4.7 THE ELEMENT 
Logic diagram analysis has been applied to hardware and 
software elements of a system extensively. The human ele­
ment has been included only to the extent of "lumping" all 
cause and effect relationships into a single consideration
of'human failure.
 
4'-20
 
Any system which requires the human element in order to
perform its intended function must have an analytical devel­
opment that includes the human as part of the system. 
The
human element is as much a subsystem as' are the hardware and

software subsystems which make up the rest of the total
 
system. The human element is much more complex and the least
 
understood perhaps, but still a subsystem of the total
 
system.
 
Since the human element is a major subsystem of Apollo,

analyses must include human aspects in a natural manner. 
In
 
other words, human cause and effect relationships must be
 
an integral part of the system hardware and software logic­
diagram structure.
 
An example of how the human element can be portrayed in a
logic diagram is shown in Figure 8. 
The top event defines
 
any arbitrary human operation and is used merely to illus­
trate the development below the event. 
The circle shown as
 
"Crew Member rails to Perform Function" (the identified
 
critical function) represents the possibility of inadver­
tent error, usually highly improbable. The other two inputs

to the top "OR" gate represent the "command" (no input

information) development and the "secondary" cause devel­
opment. Either of these two branches will most likely

contain the dominant factors associated with failure of a
 
crew member to perform a critical function. The events
 
shown in this logic diagram, Figure 8, are examples of the
 
types of causes which could result in no action taken by a
 
crew member. There are others which for simplicity are not

shown in this illustration (indicated by dotted lines).
 
During the development of system safety logic diagram anal­
yses on the Apollo mission, the human element must be
 
considered an integral part of the total system.
 
4.8 DOMINANT PATH
 
A dominant path is the chain of events which is most "likely"

to result in the undesired event (potential accident). In
 
a typical case, there may be several paths of various de­grees of dominance which can result in a given undesired
 
event. 
These chains and their associated degrees of domin­
ance are most clearly identified by the system safety model
(logic diagram). Dominant path(s) and their relative degrees

of dominance are 
determined by event weighting (inspection)
 
or rigorous mathematical solution of the model.
 
Since the dominant path is the most likely avenue along

which the undesired event(s) can occur, the most cost
 
effective approach is to concentrate the initial prevention

effort in this area. It may be necessary to consider other
 
paths within the model, in a descending order of dominance,
 
4-21
 
railsem enc0b. 
tzo 
.x.IInoratis e ts enotr- ob Numbe wd C ttt s 
rtnolton"Unccpn
mIo  c,.aons Unconesoioum. Uooosaun 
3MAN ELEMENT EXAMPLE 
Figure 8 
D2-117018-lA
 
in order to achieve an acceptable level of risk for the
 
occurrence of a particular undesired event.
 
Preparing to locate dominant paths requires that the system

safety model for a given undesired event (potential accident)

has been developed to the extent necessary to identify domi­
nant paths. As a minimum, the logic diagram development

must encompass all those safety features and devices which
 
have been designed into the system. This assures that
 
adequate consideration has been given to those areas of the
 
system which are of the greatest "risk," since safety

devices are normally placed where the greatest risk of an
 
undesired event occurring exists.
 
Logical inspection or mathematical processes determine the
 
degree of dominance for those paths of the model which
 
contribute the most to the likelihood of the undesired event.
 
The term "logical inspection" is defined to mean the logical

thought processes of a trained and experienced analyst being

applied through examination of the model, these processes

associated with whatever mental weighting factors he may

consider during the examination to determine which events
 
"look to be" more probable than others. This would lead
 
to the resulting statement by the analyst of "these events
 (identified) and path(s) look to be the most probable."
 
The term "mathematical process" can be a solution of the
 
model by any of the methods discussed in Appendix B. Normal
 
practice is to solve a diagram with 250 events or less by

the Lambda-Tau (hand calculated) method and a diagram with
 
greater than 250 events on a digital computer using Monte
 
Carlo simulation with importance sampling. An event in this
 
case is defined to be any element of the diagram other than a
 
logic gate. Since the purpose of the quantitative evaluation
 
of a diagram is to identify dominant paths and their relative
 
significance, the diagram is usually simplified by inspection

to minimize the structure to be simulated. This inspection

is the elimination of those events and branches which are
 
obviously insignificant compared to others which are inputs
 
to the same gate.
 
Control of the dominant path(s) is accomplished by the
 
following:
 
1) Establish a predetermined limit within which the
 
initial path selection is bounded. This involves the
 
identification of those paths which are computed to
 
be above any established limit for the system.
 
If the paths are near or below the limit, then they
 
are selected by picking those which are within an
 
"order of magnitude" or so of the limit, or are
 
of the same type.
 
4r23 
D2-117018-lA
 
2) 	 The initial selection must be divided into groups

for which a set of predetermined limits has been
 
established for each grouping. The grouping of
 
paths is accomplished by selecting those within an
 
order of magnitude of each other or those which
 
have an apparent commonality within the system.
 
3) 	 Determine if a common point of departure exists
 
among the paths of each group. This evaluation
 
involves determining if there are common faults
 
among the paths. Recommended changes to the system
 
at these common points provides the most effective
 
way to 	eliminate paths, or at least reduce them
 
to an acceptable level,
 
4) 	 Convert the logic diagram dominant paths by grouping
 
events at logical summary points. Conversion of the
 
logic diagram dominant paths involves making a
 
listing of these events which, when "OR"-ed, result
 
in an interim event. The method is to convert
 
each path to a simplified alternating "AND," "OR,"
 
"AND," "OR,'" etc., relationship.
 
5) 	 Simplify the logic diagram of the dominant path by
 
logically rediagramming. Simplification involves
 
rediagramming the relationships summarized in step 4.
 
This results in a simplified diagram of each path
 
which can be readily correlated with a functional flow
 
diagram of the system. The paths can now be verified
 
as to accuracy and the actual fault points introduced
 
into a functional flow diagram to show where and how
 
the fault combinations affect system operation.
 
6) 	 Determine those events for which a design change or
 
the development of a procedure will best and most
 
cost effectively reduce the probability of occurrence
 
of an undesired event to an acceptable level of risk.
 
7) 	 Insert alternative solutions as derived by steps 1
 
through 6 and repeat the process until an acceptable
 
level of risk is obtained. This step involves work­
ing with designers and selecting several alternative
 
system changes to reduce the probability of occurence
 
of each path. For each alternative to be evaluated,
 
the logic diagram is changed to reflect the change
 
and the diagram is recomputed to determine the
 
change impact. Care must be exercised to assure that
 
other paths or branches of the diagram which have the
 
same event or fault sequence are also changed to
 
reflect the change being evaluated.
 
8) Advise appropriate level of management of findings
 
and recommendations.
 
4-24
 
D2-117018-1A
 
5.0 DRAFTING OF LOGIC DIAGRAMS
 
At the present time two methods exist for drafting logic
diagrams in a document form. 
The first, or traditional

method, is hand drafting which requires draftsmen or illus­
trators. 
The second method is mechanized drafting, which
 
uses a computer and electro-mechanical plotter..
 
The mechanized drafting method, which has recently been
developed for the drafting of logic diagrams, uses a Univac
1108 computer in conjunction with a Cal-Comp (California

Computer Products) incremental X-Y Plotter. A preliminary

cost analysis shows that the mechanized method can cost

approximately one-third of the hand drawn method.
 
For the Apollo System Safety effort, the most efficient

and cost-effective drafting of logic diagrams can be accom­plished using the mechanized drafting method. This is true
for four reasons: 
 1) The total Apollo Program integrated
logic diagram analysis will be comprised of a large quantity

of diagrams, 2) document quality vellums can be produced
in approximately two days for use as working drawings or for
 
support of meetings, 3) revisions and updates can be made

with little expense or effort, and 4) the cost savings

involved.
 
Figure 9 shows the steps required for mechanized drafting

of logic diagrams. 
 This process begins with the engineer's

rough draft (logic diagram) which is coded, in a specified

format, on a keypunch form. The information on the key­punch form is punched in standard computer data cards, which
 
are combined with a standardized computer program and sub­
mitted to the computer. The computer calculates the spacing
between blocks and instructs the plotter in the proper

manner to draw (plot) a particular logic diagram. When the
 
computer completes all calculations it outputs the necessary
information on a magnetic tape. 
 The magnetic tape is then
placed in the Cal-Comp tape reader, which translates, the
 tape into mechanical movement instructions for the plotter.
Once the information is placed on magnetic tape, it is semi­permanent. That is to say, it remains on the tape and can
be used as many times as desired to produce plots. 
To make
 
a change in a drafted logic diagram, it is only necessary

to make the appropriate computer data card change(s) and
 
generate a new magnetic tape.
 
In order for the computer to process a logic diagram, the

"deck" of computer data cards must be arranged in a certain
 
order, with the information on these cards in 
a specific
format. Transferring information from the rough draft logicdiagram onto computer data cards, via keypunch forms, is
referred to as "coding". The required arrangement of cards
 in the.logic diagramplotting deck is shown in Figure 10.
 
5-1
 
Keypunched Cards 
Ingineer's 
Rough Draft 
Coding 
Keypunch 
Form 
Standardized 
Program 
M 
Finished DiagramIH 
Tape 
Interpreter 
Univac 
8 
1180 
H 
on Document 
Vellum 
Gal-cmp 
Plotter 
Magnetic 
Tape 
Figure 9 
STEPS OF MECHANIZED DRAFTING 
InputRu 
E trdbf"= 
gorardrd 
, Cad 
BlockCards 
Variableitio 
i 
f3 
IU 
CM 
D 
i 
$b. 
aaf$dPI 
ofiPlot and 
lotimi~ i~ 
iCard 
llll 
lll lll llll llll llllllll l 
171 
AC$i i 
117 lI 11 
ii 
111# 
i ii 
111 113 
I 
I, 
-
IiiII 
TitlFiur tiil 1ad40 
CaMPUTE 
AR AG M N R= CAR DECK 
D2-117018-1A
 
"Run cards" are special cards necessary for a program to
 
enter and exit from the computer. These cards are generally
 
unique to a particular computer system. As shown, these
 
cards are at the beginning and end of the deck.
 
To begin the coding, all "events" on the rough draft logic

diagram must be identified. Gates are identified using an
 
alphanumeric system. The top gate (first gate)"is identified
 
as the "Al" gate. Gates on the second level are identifies
 
as Bl through B14, moving from left to right on the logic

diagram. Gates on the third level are identified as Cl throu
 
C40, and so on, until the ninth level is reached where the
 
gates are identified as Il through 140. Circles, diamonds,
 
houses, ovals, and triangles are identified according to the
 
procedures defined for a particular program. For the Apollo
 
logic diagram analysis, these events will be identified as
 
defined in Paragraph 4.3.
 
The information that must be transferred from the rough
 
draft to computer data cards is delineated as follows:
 
A- Number of Plots and Plot Size Card
 
States the number of plots (logic diagrams) in the
 
particular run and the size of the plots. The size
 
of the drawing can be varied from an 11 x 260 inch
 
vellum to a 29 x 260 inch vellum.
 
B- Scaling Variable Card
 
States the desired distance between rectangles on
 
a drawing.
 
C- Diagram Identification Card
 
States the revision letter, sheet number, document
 
number and model which will appear on the drawing.
 
D- Title Card
 
States the title which will appear on the drawing.
 
E- Tree Definition Block Cards
 
Defines the structure of the logic diagram. Effec­
tively, they position the location of each "event",
 
state the type of gates used, the inputs to each
 
gate, and identify all ovals.
 
5-4
 
J-/tL /Ulu-IA
 
F- Standard Input Block Cards
 
Defines the type of input for all input events called
 
out in Section D. The types are: triangle, circle,
 
diamond and house.
 
G- End 1 $ Card
 
This is essentially a special program run card. It
 
denotes to the computer the end of a certain section
 
of information.
 
H- Event Description Block Cards
 
These cards state the words which will appear in each
 
event on the drawing.
 
I- End 2 $ Card
 
Same as card G.
 
J- Extra Information Cards
 
These cards locate and state words in transfer
 
symbols that are connected to the side of a block,

if any. Also, state information under any particular

transfer symbol, if desired. It is possible for this
 
section.to be void of any cards.
 
K- End 3 $ Card
 
Same as card G.
 
Certain limitations must be observed for each mechanized
 
logic diagram drawing. These limitations are written into
 
the standardized program and could-be changed if necessary.

They are:
 
1) 10 levels of rectangles, or nine levels of gates;
 
2) 14 inputs per gate;
 
3) 40 events per level;
 
4) 250 events per logic diagram;
 
5) 260 inches by 29 inches vellum size.
 
The positioning of information on the computer data cards
 (Figure 11) is shown on pages 5-7 through 5-17 as it would
 
be done on keypunch forms. It must be remembered that each
 
line on a keypunch form represents one computer data card,
 
5-5
 
D2-117018-lA
 
and that the numbered columns on the keypunch form correspond

to the same columns on-the data cards.
 
Figure 12 (page 5-18) is 
an example "listing" (printout) of
 
the computer data card deck required to produce a drafted
logic diagram. The coded information shown was used to pro­
duce the example logic diagram in Figure 13 (page 5-19).

Column numbers have been purposely placed at the top of the
 
listing in order to denote the proper perspective of the
 
coded information. This example demonstrates the relation­
ship between the coded information and the finished logic

diagram.
 
5-6
 
A - Number of 	Plots and Plot Size (1 Card)
 
213141161781I10 112114 11 78 r41617S 	 45 66 17Sl t 23 5 - DI,i 21345678r901 50 	 I612 678 90112 4 1 2 3145 9 
i * M I *1 1, 	 i s 1 2 1 ' f . * b , I ,3 L. 15 191 1 t I 1 , 1 1 1 1 12 1,1 I I I i I , e I l 1 '21Sa I 1 	 1 I 1 
'4 	 I'1'1 '2 .. . ..If ...I''jj..12. 16. ' .... I ..8'14'I .. . . . 
Sa 1; .. , 	 . . .. 1' ..1631. . 1 '12 . . ... . . .. ' 1 16' 1 .. 6 fig 17I. 
"P'ot..... ....... :........... .. . . .' . . , 
.7. .11.9 I o 	pots:.. ,0 5 =ioq~~ :~~ (1.)
 
(,mzp t
629 '
 
... ~ . ..... ..... .. .. I I.. .. 	 . . .. .I.'..... I.. .I , .. .., , i',fi 'i . . ' .

'I....................... 	 ...... ...
.... . ..
 
... ... ' ' ... ' ']. .
. : , 	 ,'I..."'. ., .I. ,I, .I .I ., .. .I' ':m I.,'....I 

. . . . . + , I. I- . . . '* ' I . . . . . . .. I I.. ' 
. .,. I' ' ' 	 1... I .. 
0000000001 1 till 22222222223333333333444444444455 	 5555555566666666667 7 7 7 77777782 3	 4 72 t sI 	 1 1 ,0151617,1aO9O01 1-213 15I16 9 i2 3 14 , , ,33 4 15 ,11	 t 7 , 0 1 . ,4, 9,0 f ,21 ,4 6178191Computer Data Cards
 
Figure 11
 
B - Scaling Variable (i Card)
O O OOIIIII0 lit 1, 2 2 2 2 2 2 2 2 23 3 3 3 3 3 3 3 3 3 4 4 4 4 4 4 4 4 44 5 5 5 5 5 5 555 5 6 6 6 60
11t3 1445 1S 71 10811: 121 14 15 16 111 1l6l12 151I ,11 2,3 33 11 11 7 7 7 7$ 
 3z 1 7 243,_Ir1e5,!1,13 1 121314 1 516[ 7181910 1Ir1 1314 1S 16 17l l1 i0l 1 1 1 10' j 1
' r l
j 
~ 
l|
' * l l a * * ' d ' I ' a ' i ' * i' I a * IB I*l P * * l I ' 1 1 I " I ' r a * 
,..-. . . ,........,......eF~t~... .. ... , .. .L .. .. . I . I. 
gpciD stace (i.glitdjpst3 
norII il
I ri1 I ,.. ,
 
. . . . . . . .. . .. .. : . .:. .. . . ' .. . . " p"" . .I. . H
' Il... 

... . ...... t.... 4 I, .......... i ' ,I.. ,I,. I, ,,. 
. . . . .
 
. ' ,I.,..~n Diac tA't.. .... ..
.. 
 ** ..... . ..p'g
.1 
... :.... . .. i' i .' .h .I '. .. ,,'. .......'..
..  I .. . . .
 
JI I 
 I II' I ~ r 
1 t I....... ' ' :. . '.. ., . .: . . I . .J. . . . . . . . . '. . '. . . . I. . 
... . . I ' ' ' ,n I a I ~..~'I' . . .. .Ir''I. . 
I t 
' ' ' .'[ .. . ... . . .,,, 
I 1..1 ,.,l.j i. I ,I I 
o oo I ,OO ,ii ,2 2 2 3,223 3 3 3 3 4 4 4 4 4 4 5 ' 5 5 S 5,66 6 , , .
e ' , , 7, 7 7 77.. 

0 910lI 2'13 106 07A ,21 ;1 5I r 1 1 , 3143i4116 718,910I1 12314 5I16, 7,3~I 2, 3,14,516i7,8i9.OI0I 121314,5I6,718,910112131451678is9,O I1i2,1 1s 6 7. 1 1 
Figure 11 (Cont'd) 
G - Diagram Identification (i Card)
 
003000000I3 
 2222313 3 14 4 ' 1 1222222 ,66 5 777777777I2 1781910111231'451 5 ls 112131S ill 7 901 r1 1 5 6710 2134 67 90 12 1 3 14 1 s 61 1 78R19 10 i 131456 7890 '3456' 1917101 
......................................... I,... 
' * * ''*, 
I:. .... N tyI-.Wo rf, sujiA b 
.aev .S rxo. t-k ,frl autoai engin , 
*'.... 
.cpnt ed1 ±na2 
RSUALUF E, 
I ''i' '............. 
' ' I' ''  i'' 
wdsv;ce 
Le N 
n, 
, 
'' 
ri, 
,H... 
,*'' 
, 
. 
H,, 
J, , =l .' 
1, 
. Ii i II * ' i ' L ' 1 ' ' 
a 
r 
910 
r , r r , . . 
ii 
. . . . . 
I 
IY 
0I0i.. 3 Il . 7 ,o,' PI( 1Z,1 r 213 4e5 16f71o5soi l 2 314 16, 7,8 Ul .234 5167,819.011,2 14 ,16,7j, ..1 71..0. 4 ,,,, 
Figure 11 (Contd) 
D - Title (1 card) 
. .. .. I.Tit e itL
 
I ***jI titin ia, .
 
,
,
. . .. .. . . 
. m . I ,. I , 
. . ... .... .I..... ..... '*.. ... *...', , I'.... I.. .. . ... '..  I**'-*j..' .''~.I .
..F,! 
',. . II-' ' '''' ' .. '...... I ' : .. ,' ' , 'u.. I'ru fi j . 
..... .......... ., ' .... ... .
 
II r,..,I..m., 3* ,**I,'?'-,',*i*** ,if,) ,,,L, 
.............. .n 
no- m~aeratr .#te-.z .0 . .
,~ ].P C~WU.$ .lc.e?~znti.p 
. ........ p. ............... I. .. . .... .e .,in.title, . ,.. . .I,.. . .,I . . . I . . . I ' ' ' ' ' . . . . '. .
 
I I ***i 0U 
. . . . .
. . .
 
. . I 
. . ... . . . . . . . . . 
: . . J . . ri, . . . .I I .I 
.. . :. . . . . 
o 1 DIII lIII lJ 
4 4 s 5 s 6 6 6I33 6667777777i 777I i 3 000 0 0 1 I I 22 2 2 2 3 3 3 4 4 4 5 5 
. . .... . . ...
 i. 
 I.' I I ', 
I 12 . . 16,718,9 2i . I.a901I. 415I .... .. ... 2114g1 I71,9, i 12,314516.718,90 . 6 ..4 0 Y ... .. .. .234 . .. I I . . 
Figure 11 (Cont'd) 
card)
Z - Tree Definition Block (more than 1 3 3 1 3 3 3 3 4 4 4' 4 4 4 4 4 4 6 6 6 s s 6 6 7 7 ? 12 11111 s6 11716, o 1 1213 14 15lb a ~ h IS 17 110 12 1 11 1 11 1,'6 17 0 1 91 1 12 131 t * I I 2 I I I I I I2121.114~~~~ II'[~ ~6S~~7 8ej s67e 10,2 190 1!2 314 5 6[ 7 19 0lo 23r4ss~ego1234s o2123431 4 5i 1 9i 
,AI lrIp Input 
. ..... . . . .2 te .4. . .5. .... iI,, . . , 1 , 
...... . .. ... . . I IInutInu , 
' ' .......'I I' i : l . H
 
Trpli I ljput npiut , pzI t, npp%,,lpu4 ,iP1 Trppu , nu InpunuInput. 
.. I I .. l''I' ' 
.gate, . 
.. ... -,.. ,'. .i€.. £ ,I'' ,' I ' ' ,l ' ''I ''' I' ' H 
.... .. ... L A..I 
' 
.....f 1 I * P~* R t , 1 I'''',I' '',''~ .. .',I' lI'''I ' 'I. coi........ . ~~* 6 .*~5rCWI~,.1 . ' * ... ,....qte, 'i . '''
 
e dt:reprnnp ' .I-'.. ....... ] .... . 'Ormana%.I~TI N ip r-ilt .. .... yr'' ' . gaI cI.... , ..sage)
 
q , ,.: -,..... , , 
,a,,,I I II
...... .... ......... .. ... , . .... ,,,,, .... , .. .. , ., . at , ,;,aC
 
. 1 , I" , ,1 ,,i, a . ,~ ~ 1 1 '1 516 '1 "eD C E K 3 44 44 . . . ' 6 6. . . . . . . .• a~~ .. , . . 2 2t 2-A . . . . . . 4 4 . . .SS SS . 6.. . . .67 . . .7 77 . . .. 
4 4 5 55 55 5 66 66 6 66 77 7 77 7
0000 00 1 I I I 22 2 2 2 2 33 3 3 3 3 44 4 

........
S ...... , '. . .. 3. -  . .. . . ... , . . 
S ,2 I4 II l I,3i 4 14, 3.4, I 7, ,11 1 I23,4I,1 3 56 718 ,0 51TI6 s 1 0 
Figure 11 (Cont'd)
 
F - Standard Input Block (more than 1 card)
 S 5555556 656 665 6 777?7777' 778I 223O'00O@00000 t 1 '11 1222222222 333333 34444 4444455 6,le'l '9o IT1z3231 1 is' 1a'1 1'111 1'17,1 9,1 4 1 116,41 ,71213141*51 1110e 910 11 1,13 111, 3s 1S16 17 1 9 11 121314 6 I2[314F SI  7131oI' I 1213 itISISI?IJ111 IigttdtI I ISI9lIl *|o|i IS 
.I, .,I F , F I iI I i 
.. F . . 
___ 
___ 
___ 
___ 
0 * i't '' I I ! 
i .
-- .. A.r.. . . . . , . ., . . .d,'. ' . . . .,,,....... .. ,iP. . .. ,, , , . . . . i.,'. .
 
• ,­
. '' F '. .~ . 
.. . di . . . ~ l , . ,.... .. . .. .. ... . .. . .., .. F.. .F .r-t s ) u., ,,~ .. 

to
 
I|
.4- .4'' II 
F . . . l . . . r . . I . . . . 
. .. . . . . . . .
. . . . .

. . . . 
, . . , ... 
''' F ''1•'t'! ' I 
I ' iI * F F F F * 
i..:.. I*' '.. m......I I . . . ... ''I'....I''''l '. .. .......  ' .. I ' ' H.. 

F F f FF II' ' IF,, ~ I I [F F [ ' .| I I '' I*''I' t . . .' . . . . .. . . . . . . .:. ...... . ... . .. .. . . ... . . . ..
 
'1
 
...... 
. ....... .. "... t...... 

. F F.FII 2 F ± v I F I F FI F I I . |I t FF F F j 
2 2 2 3 3 3 3 3 3 3 3 3 3 4 4 4 4 4 4 44 5 5 5 S 5 5 5 5 65 6 6 6 6 7 7 77 7 70 0 0 00 0 0 0 1 I 1 I I 1 1 22 2 2 2 2 2 
S22134 5, 4IS l i 1113456,718,9 234 7 0 2345 90 J.,,2 45 7 90 2345 5 O 2, 51 -
Figure 1i (Cont'd)
 
G EnLd 1I (I. Card) 
~s*.4~tad~4y'. .. 41wI ..i I... I' 

I2 j4 *34 15S,7j14a, I o444 1.2o .3 11tj11 ' I' i'' 

Figure44 11 Coid
 
H - Event Description Block (more than 1 card)
 
00 t II 4 1I I , I I 811 222 2 33 19 13 3 4II 2 344 4 444 4 4 43 5 5 5 1 66I Io1 31 77
7ol
66f6 6 6 17_910 6171 13 lof1 2 3 S 55 1 1 i 66 77 
:sI. . ?sg~ ~ l Tjl ;L..l ..... .. ljj I~ .z341Ii 6 f "Line 
.
il,ori 

gaj q!L _utfle qrilti 
 2 
~~ 4 (flghtSa persfl p 
, J • • It, ,I fI I , i. I, ,*t I , I p, It , 1 1 t * i]I I I I Ii I, 1 * S I 
a .. . ..2 ,0.. . ,, 4 .444. .4S55 ,,,I . . . .. . 71.. .... .3.3333 ,.. , . . S6,. . ,. . 
it 12 ,, 1214 12 1 tS6789 2 4 I47 , 0 
V('''I'' U I I'h' 
.... ~ ~ ~~~~~~Fgr '.. ~e eC~ion t+ ) .. '..... ..11 (,.........'d.. '.. +..
 
I(c 

e I n r 
I - End 2 $ (1 Card) 
3f I't~I f6 7 a 

1,, 126,11,.19101117'141'1910341'101'
14 11 161 1821  12I'll49I'llI'l 1110 11101 ) 03 1 
*1. . * ' j 6118,3 .1 
,1' '1'~* I' ' 
..... 
.... . . 
SI 
,I'' . . 
... . . ..I' ' I 
. . 
. . .. 
. .. 
',. 
.'' , 'I ,,,,'', 
. , .j.., 
.. 
.'I'', . 
I I I 
.H 
. . , , 
, . . 
I ,'. , 
I 
i 
,. 
't 
I 
166618 'l1 
. . ., 
' ' '' ' ' 
I 
. 
, , , 
.I. . 
t 
a o 0 0 I II I I 2 2 2 2 2 3 3 
3 3 3 3 4 4 4 4 4 44 55 55 55 6 6 66 
66 7 i, 7 7 
...  . .., 
. .... ... ~~~~F... .(.. 
I 21.314. . .,
. . . 
I 
,..... 
. . 
Figure 11 Cntd 
I 
... .,I, .... I ,.... .... .. ..,, 2111 1:1 .9 
i ur 11. . , ,n. . . . . ,. . . . . 
34.51.7 .18 
. .d..). 
.. ...,5 617 l 10 
. .!. . 
, 
J - Extra Information Block (0 several cards)
0008000O0 ' I IIII12222222222333333333344444444'44 S555555555666666666677 777777778 
. 1. . . . .1 1 1 '1. . . . . . . .I l . f .. I l P, 1 ' . . .1 ' 1 . . . .4 I . . . . . . . . . . 11 . .1 . . . 16 . . . 6 6. 6' 6. . 7 . 7 . 1 7 7 . .. 
I I I I I 'II , 1 
lpxtrat~oml~~I'' I 11 
center wordinh aloed spae
I ; -I
 
E i o o I I| I I I 
~~~~~~~~~~ .lf l ll lI~ ~~~ ' ... .|I. .i . . .l . .l . l. 1.1 1l l ll ll ,l 

2-trianilpused stra7npferfuptoiN
 
. . .21 .. dex c dEuder tran..er (.nsftput. t.. r,, n .. . .. H 

InputCcode H 
I 
000030000. 11 ,1 ,1 ,,1222222222 l333 333 ,33 r4444 l5566 166666667777777 ,77
l 4444555555S
....... 4e CdeL 20
 
. .a i. .r trua Exora info.ords .!M,II 
,*a,(iCiont*'d*).l~ ~ ~ ~ ~ ~ ~ ~ F g r i 11, i l? r a ,+ l l l tr s i iO 1 1 , ,, ~ . 
Sb. 1Coa621 
I 213 4 1i a19*Ol~l , , , 3l , 3I4"1' , 1, 51,71 901,2,314,5 718s,0 II2,3411 79906 , l l .2131.~t11111,l 1 1(Con314'd)1lJI 11.1 1Figur 

K - End 3$ (1 card) 
I,,I . .. ' 1' .. II *I101'1 '1'' I .. ' 177'i17 71'1 1.I 
'1' 1114,.2 '".... I... f1 . '1I l ...S I , p . I .... I .... 
* .... ImI 
.... .. {.I. . . .... '.. ... I'' ,I' ... p '...i '.' I' , It.. . ,I. I 
(SIi iiII I rl 
. . . ... . , . .
. ,I. . ... . , . . . '' ' .'I . ... ,t ' j'. .,' ... . ' I.' . . .... I .... H 
. . .. . . .. .I .. .... .. ... .. I , . . ' .. I . .II...I. .. 
.I . . ..t..I . 
......... ..... ,....,.I.... I....I, .. .. .,.j . ,. .I.' I 1 ..* . I,I....,.I... I', . .
 
0000 000.0.0 I I I I 1 22 22222 22 233 3 34 6666 7777777777 a 
li Z 3 14 151617 8190 I1 12 13, 1 1~617 8is9 It 12 131415161718,9,011,213 4 15I16,i7801 1 1213141 S1i7,819 011 .213141516,71a.90I1,2,314,5[617s 161 I Ig4S t *II 
Figure 11 (Cont'd) 
D2-117018-lA
 
)0000000011OO11111222222222233333333334444444444555555555566666666667
 
1234567890123456789012345678901234567890123456789012345678901234567890.
 
1 0d6
 
0.7
 
CODING EXAMPLE)
 
Al 0 81 B2
 
B1 1 Cl C2
 
-B2 2 YO1 C3
 
Cl 4 Y02 AAB Dl
 
C2 5 Y03 02 01
 
C3 1 XO1 WOl
 
Dl 0 X02 ZOI
 
wol 14
 
X0l 12
 
X02 12
 
ZOl 13
 
0l 10
 
02 10
 
AAB 10
 
ENDl$
 
Al 

BEl 

82 

'2 

C3 

Dl 

Wol 

X01 

X02 

YOl 

Y02 

Y03 

ZOl 

01 

02 

AAB 

END2$ 
Al 20 AAA 
C3 20 01 
Dl 20 02 
END3$
 
APOLLO
 
UNDES'IRED 

EVENT 

EVENT 

EVENT 

EVENT 

-EVENT 

EVENT 

NORMALLY 

PRIMARY 

PRIMARY 

CONDITIONAL 

PRIORITY 

RESTRICTION 

SECONDARY 

EVENT 

EVENT 

EVENT 

EVENT
 
A
 
B
 
C
 
D
 
'E
 
G
 
XPECTED EVENT
 
7AILURE
 
FAILURE
 
EVENT
 
DESCRIPTION
 
DESCRIPTION
 
FAILURE
 
I
 
H
 
F
 
Figure 12
 
Data Card Listing
 
5-18
 
I-m II
 
L'VI NT ~ ~~ ~~~l EVETLV~TetNTIiNTtyI 
EM • RSAT N REFALUR EXPCTE 
0 
IFAIrXE EXPECTED 
H Inu CoH -J 
Figure 13 
Example Logic Diagram 
IITItLS DATE 7IT|IRLs DRTE TITLE "'5IWL 
-CL 
CNECK¢ 
A-WI*. URflLE nuL 
El UPn- BOE~ING~f 5~ 
D2-117018-1A
 
APPENDIX A
 
SYSTEM SAFETY FAILURE DATA DEVELOPMENT
 
Failure data is developed as a tool to define the effects
 
of various component failure modes and classify these effects
 
on system equipment or personnel. The format in Figure A-1
 
is provided for assistance and guidance in developing sys­
tem safety failure data. This format can be changed accord­
to various requirements and should be considered as an ex­
ample only.
 
The various columns are explained as follows:
 
COLUMN I - COMPONENT 
Components are defined, at the discretion of the analyst,

by their physical or functional significance. The follow­
ing guide will help in defining the major components or
 
facilitate understanding of the types of natural separations

to consider. It is not intended to be exhaustive.
 
1) Electronic Logic Circuits
 
Many systems or subsystems are made up of a number of
 
,basic circuit designs which perform an identifiable
 
purpose. These are used as building blocks for larger

circuits designed to perform the required logic func­
tions of the system or subsystem. To minimize the
 
analysis required, the basic circuits can be defined
 
as major components, and an ahalysis made of each
 
logic function.
 
2) Mechanical Devices
 
Mechanical devices can be either a single part or an
 
assembly of parts which perform one function. The use
 
in the circuit will dictate to what level of detail
 
mechanical parts should be considered. Single parts whic:
 
can be considered major components are: solid driveshaft
 
engine blocks, primary structure, etc. The majority of
 
mechanical devices will be assemblies of many parts and
 
it is more reasonable to treat the assemblies as major
 
components, for example: relays, pumps, motors, mech­
anical safety devices, etc. This permits the majority

of vendor-supplied mechanical devices to be analyzed as
 
major components..
 
3) Electrical Systems
 
Major components can be basic components of a circuit
 
or combinations of components used to perform one
 
A-1
 
II III IV V VI VII
 
COMPONENT COMPONENT FAILURE SOURCE COMPONENT EFFECT OF REMARKS 
FAILURE MODE RATE OF DATA FAILURE STATE COMPONENT 
FAILURE 
Mi' 
C> 
FIGURE Al 
Systen.Safety Failure,..Data Format 
0 
D2-117018-lA
 
single function such as amplifiers, rectifiers, or regu­lators. The level of data development should be based
 
on the importance of the part as a functional element
 
in the design.
 
4) Chemical Systems
 
In systems containing chemical compounds, the chemicals

should be considered as major components if these 
com­
pounds 
can cause failures of other components through

chemical reaction or release of chemical energy. Exam­
ples of chemical components are: fuels, pressurants,

coolants, and preservatives.
 
5) Safety Devices
 
Safety devices will normally be considered major com­ponents since they are used primarily to protect against
 
undesired events.
 
6) Wiring
 
Interconnecting wiring of major components will be con­
sidered a major component. Internal wiring will be con­
sidered as a part of a major, component. Physical

characteristics of cables which circumvent failures
 
,between wires should be stated in the cable analysis.
 
COLUMN II - COMPONENT FAILURE MODE
 
Failures of major components consisting of one part require
 
a listing of the modes in which that part may fail. 
 Failures
 
of major components consisting of more-than one part will

require a failure mode and effects analysis to determine how
 
the failure modes of each part affect the components' output.

These effects will be the failure modes of the major compo­
nent listed in the system safety failure data. All failure
 
modes of the component should be listed.
 
COLUMN III - COMPONENT FAILURE RATE
 
The predicted reliability or the failure rate computed from
 
actual field data of primary failures should be tabulated in

this column for each major component in each of its modes of
failure. 
 This data can be used in evaluating the probability

of the fault event or in selecting which critical or cata­
strophic events should be analyzed if the decision is made
 
not to analyze an event so classified. 
It also serves as a
data bank for future reference when the need arises to analyze

other undesired events as 
a result of system changes.
 
A-3
 
D2-ll7018-iA
 
COLUMN IV - SOURCE OF DATA
 
This column states the source of the failure rate data.
 
It shows the differentiation between field data, test data,
 
calculated data, etc.
 
COLUMN V - FAILURE STATE
 
Many major components are only recurrently activated during

the system's operational life. The level of stress on these
 
components will change from one system mode to another. The
 
effect of a failure in each mode can be different; for exam­
ple, components supplied with power only during a test can
 
create a fault hazard only while a test is performed. Fail­
ures existing in one mode of system operations can also
 
adversely affect the system when the mode is changed. This
 
column therefore should reflect the environmental state of
 
the component when it failed.
 
COLUMN VI - EFFECT OF COMPONENT FAILURE
 
This column states-the effect on related system equipment
 
and/or personnel due to the component failure.
 
COLUMN VII - REMARKS
 
This column may be used to include additional information
 
need&d to clarify or verify information in other columns as
 
well as other information currently pertinent to system
 
safety efforts.
 
Appendix E shows the application of this data format to a
 
specific example.
 
A-4
 
D2-117018-1A
 
APPENDIX B
 
SYSTEM SAFETY LOGIC DIAGRAM EVALUATION
 
After the logic diagram has been constructed and input data
 
acquired, the diagram can be evaluated. The object is to
 
establish-the likelihood of occurrence of the "undesired
 
event" and to evaluate the relative contribution of each
 
indicated failure mode. With this information the safety
 
analyst can identify the dominant-system failure modes
 
(dominant paths) and management can make the decision as to
 
whether or not corrective action is warranted.
 
There are two basic approaches used to quantify system safety
 
logic diagrams. The two approaches are 1) calculation, and
 
2) simulation. The calculation or deterministic approach
 
will be considered first. -For logic diagrams where every
 
basic input is non-repairable, classical probability can be
 
used. In this case, each gate merely represents the
 
Operation to be performed(i.e., union for "OR" gates and
 
intersection for "AND" gates). The classical probability
 
approach, while simple and efficient, is not adequate for
 
logic diagrams where the effect (s) of a basic failure can
 
- be eliminated before the defined mission length is revealed
 
(e.g., a failed component is located and repaired). A
 
basic failure whose effect can be removed is called repair­
able; however, the usage of the word "repairable" is
 
irregular because the effect may be terminated without
 
actually repairing or replacing the failed item. A more
 
definitive time is "fault duration time" which will be used
 
in the application of any quantitative solution to Apollo
 
logic diagrams. The analysis of repairable systems requires
 
special statistical techniques.
 
COMPUTATION
 
One technique in the calculation or deterministic approach
 
is the "Lambda-Tau" method to evaluate logic diagrams,
 
failure rates must be small, fault duration times must be
 
small with regard to mission length, and redundant inputs
 
must be removed. Redundancies that are not removed may lead
 
to serious unbounded errors in the answer. The logic diagram
 
is usually expressed algebraically and operated on by
 
theorems of Boolean algebra to remove redundancies. The
 
"Lambda-Tau" method can be appiied by hand or by digital
 
computer. However, as the logic diagrams get larger in size,
 
the task of hand calculation becomes time consuming, laborious
 
and error prone. A computer program can write the algebraic
 
expression and can use Boolean algebra toremove the redun­
dancies. However, computer core storage on most computers
 
limits the size of the logic-diagram.solvable by this method.
 
B-1
 
D2-117018-lA
 
Nevertheless, smaller logic diagrams can be calculated
 
accurately by hand or computer using "Lambda-Tau" methods.
 
(See Appendix C for further details.)
 
SIMULATION
 
In the simulation approach, a logic diagram is represented

on a computer and failures are simulated over a given mission
length. The computer prints out the failure which leads to
 
the undesired event, and the.probability is calculated.
The simulation approach has all the advantages of the calcu­lation approach except for the greater amount of computer

time needed to simulate system safety logic diagrams with

small probabilities. Simulation offers several advantages:
namely, the dominant paths are listed and the computer can
 
.

solve larger diagrams (10 times larger than "Lanbda-Tau"-
Simulation has gone through many stages of development.

In its early stages, the amount of computer time required
became prohibitive; however, special Monte Carlo variance

reducing techniques (importance sampling) have reduced
greatly the computer time required. The importance sampling

technique distorts the true failure distribution to make

events occur more rapidly. Thus, the number of trials (a
trial represents the predefined mission length of the system)

required for an acceptable statistical confidence is reduced.
With fewer trials required, computer time is reduced. 
The
distortion of the distribution, when using importance

sampling, is compensated for by calculation weight factors.
See Nagel, P.M., and Schroder, R. J., "The Efficient Simula­tion of Rare Events in Complex Systems", D2-114072-1.
 
Overall, simulation offers more potential and had proven to
be more effective in calculation accurate answers 
than the.
 
calculation method.
 
B-2
 
D2-117018-1A
 
APPENDIX 0 
REPAR OR "LAIDA TA" t' METHOD FR LOGIC DIAGRAM EVALUATIONCCNSTANT 
Coexistence of Failures 
Suppose there is given a group of n repairable items, and these items 
may or may not fail in a given time period, T. Let event A, represent 
the failure of item 1, event A2 the failure of item 2, and in general 
event Ai the failure of item i, i n I, 2, . . . , n. These failures are 
chance failures, occurring at random and independent of each other. It 
is these chance failures vhich have an exponential distribution of their 
time to failure. Eence the probability that an item in that group will 
not fail may be expressed in 
npt) - e(1It) 
-*ere ~i is the given time period and X is the miter of tailures 
per umit time. This may also be called the reliability of an item in 
that group. The unreliability or chance of failure is 
-Xt 
This umreliability may also be called the probability that item i will fail. 
Hence, it expresses the-probability that event Ai For eachwill happen. 
item i assute a constant failure rate Xi and repair time T Further 
is and that % is" small.assie 'that TiiT is allX i small, , 
C-i 
D2-117018-1A
 
Consider an interval of time from 0 to T as shom in Figure 2. 
I 
2 
t T t t + dt 
In order for a failure to exist in the small time interval, dt, the failure 
must occur either in the small interval, dt, or in some time interval 
previous to t, from t - 'r -tot. If the failure occurs before t - Ti, 
it irll be repaired before it can exist in the dt interval; and if it 
occurs after t + dt, it cannot possibly exist in the dt interval. The
 
probability of the event A. happening some time in the r, time period is
 
- e-Xii). The probability of event Ai happening in the dt'time 
interval is X.dt. These are the only two vays in v;ich the event Ai can 
happen. The probability for all events, Al, A2 , ... , An to coexist in 
the dt interval is given by the formula 
X1ldt(1-e )(-e 333 .fl (1-e ) 
+ X3 t-e ) 2-e n n) 
+" ndt(l-- I(1 -e )..2 (1-eX n-1I )7­
= Hdt 
C-2
 
D2-117018-1A
 
Consider the first term in this formula, which expresses the probability 
that event A1 occurs in the dt interval and coexists with the other failure 
having occurred previous to t. The probability of event A occurring in dt 
is Xdt, and the probability of the occurrence of A in some time period
1 2 
T2 previous to t is (1-e'22). The product of these probabilities gives 
the probability of the coexistence of At, A21 . ., An where AI occurs 
during dt. The second term gives the probability of the coexistence of 
A1, A2, ... An where event A2 occurs during the time interval dt. The 
sum of these terms gives the total probability of n events coexisting in
 
the dt interval.
 
Now let f(t) be the probability that Al; A . .. A have not coexisted 
up to time t. Likewise f(t + dt) expresses the probability that A1, A2, 
S• . An have not coexisted from time 0 to t + dt. This can be expressed
 
as
 
f(t + dt) = f(t) (1 - Hdt) 
Where At + dt) is the product of the probability of no coexistence
 
of the items A, ...An from 0 to t, f(t), and the probability of no
 
coexistence of the items Ali . . . A from time t to t + dt, (I
n - Hdt). 
Now by definition, the differential of f(t) is f(t + dt) - f(t); therefore:
 
dfat) = f(t) (i - Hdt) - f(t)
 
da(t) = - f(t) Hdt
 
and f = - Hdt
 
Solving this differential equation by integration,
 
Inf(t) = -t + C 
C-3
 
D2-117018-lA 
Sabstituting the condition that when t 0, f(t) = 1,that is, at 
time zero, the probability that A, A . . An have not coexisted is 
equal to 1. Since In(1) = 0, 
" (-)f(t) = e-A 
The probability that events-A, A21 . . . An have coexisted at some tine t, 
is 
F(A) f(t) 1 - HT 
For sufficiently small HT, 
P(A) - T (5) 
Hence P(A)- HT = (X1 jT2X3 . • . n 
+ 	X2XI'IX 3 3  " " Xa n 
+ 	 i-i2 . . . Xin.n .1)T (6) 
%=l2 "''Xn(23 "Tn + TIT3 ...Tn + + T1r2""n-I)T 
C-4
 
D2-117018-1A
 
"AND" GATE X
 
The form of the probability figure for the coexistence of failures A1,
 
A2 ) . . . An suggests that the failure rate for all these events is
 
"' Tn-l)
X1= X 'n(r "' 'n + r 1 r3 nIr" + --- '"l2... 32 

"AIM" GATE T 
A2, . . . A + coexistLet us consider a situation in vhich events A1 

and find the duration time Tn for the coexistence of events Ali A2, ...,
An
 
Let X be the failure rate and 'r the effective duration time of the
 
. . .Ancoexistence of failures Al. A2 

%nkn+l(-r + rn+ ) = %I%2 ... kn+1(Z *' n+1 + ... '"r2 ... Tnn 3 

...Tn + -i-' "'" n + "." IT2 ...Tn
-d
Since X. = X1X2 ...Xn(r2T 3 3 

Then
 
(X r3-.in + rI ... T,n + ...r 1 2 ... Tn-1) 
= 
X 2... 1 3 

n+l (Tn + Tn+1)
 
n )
 
1k2 ... kn+l( "' 1 I3 "' n+1 "' 1I2 ' 

Therefore
 
T I T2 .. . In . ... 1 ... 
4 T + -+ +-

T1 T2 Tn
 
T. 3 ... 'n n 
by mathematical induction.
 
c-5
 
D2-117018-1A
 
"OR" GATE 
Considering the same group of n items i 
= 1, 2, ... n in a given time 
period T, the probability that none of the events occurs during this 
time period is given by
 
. . . eeIT eRi(t) 
. . + Xn) T ) -(X1 + X2 + .
 
Hence the probability that any one of the events occurs is
 
.+ Xnn)Te-(?, + 12 +Qi(t) = 1 - nit) : 1 - e2+ * 
Hence the failure rate for the occurrence of any event in the time 
intervaLis = X1 + X2 +. . + Xn from the general form of the 
In 
reliability equation.
 
"OR" GATE T 
To find effective duration time for the condition that any one of the
 
group of items may fail in the time period, consider the following
 
example. Let any one of the events A , A21 . . . An coexist with an 
event An+I Let X and Ti represent respectively the failure rate and 
effectivity time obtained from the union of events A to A when event
 
A or A2 or A3,.. An occur in the given time interval. If these 
events Al. A2 .. o An occur wirth event An+,, the result is XUXn+ ( + Tn+ I ) 
from the coexistence of failures discussion, and
 
C-6
 
D2-117018-1A
 
uxn+T( + Tn+1) = 1 n+i (T I + 'i n+1)+ X2X+ (2 + Tn+1) + 
+ kn n' (,r- + T_ 
Since X = x . 
Then 
(x1 	+ 2 + ... + n)xn+x (r + Tn+i) = 1Xn+I (T1 + Tn+1 >n+I( 2+ rn+) ++ 2
.."+ xnxn+1 Cn + rn+) 
Hence
 
1 T1 	 + X 2 + .. . + Xnn
 
x1 + ?2 + • + 
n
 
The outputs of the AM and OR gates are given in tabular form at the end of
 
this paper.
 
FAILURES OCCURING IN A GIVEN ORDER
 
The probability expression for n items failing in an interval of time in
 
a given order, will be derived in the following discussion, and the XT
 
approximation will be proved valid for small 
 r.
 
Suppose there is given a group of n items, Al, A2, 
. .n, each working 
at the beginning of an arbitrary interval of time, T. Let X1. X ... Xn 
be the respective failure rates of the n items, and suppose that X1 1, ... XnT 
are very small. Let E be the event which occurs when AV A . . . A all 
fail in some specified order, e.g., A occurs, then A., then A3, etc., then 
. XnTn1iX2 . .P (B) 
n'.
 
C-7
 
D2-117018-IA
 
PROOF:
 
The above approximation will be proved by induction 
 After proving it is 
valid for n =ri, it will be valid for h if it isvalid for n - 1. If Xr 
is small then for all 0 < t T, X > 0 and e >0 
1- e-Xr-,tlc sx. 
where e is very small* In other words, I - e - is closely 
approximated by Xr when the difference of the two expressions is very 
small. The following discussion shows that e is very small. Since
 
xt 2Ar- x3t 3 
by a Tahyor series expansion, e-x = I-X-r + + " " 
- -XT-..MI T . ­-- . . 
2 3. 
XY +% t3t3 
2t = 3-.7 y17-
Xt L - X% + X-­
"2 3'3
 
IT+P2SXt Xt 2+133XT 
let e XT + %22 AI2 3' 
Aa upper bound for e is 
2 
_L 

1 ] 
C-S 
D2-117018-1A
 
'nich is in itself a very small number since XT was chosen to be very 
small. 
Now let gi (t) be the true probability that i events have occurred up 
to time t in a specified order, e.g., A1 occurs, then A then A3 
etc.
 
Then let fi(t) = I - gi(t) be the true probability that i events have not 
occurred up to time c in order. Assume the approximation is very good 
for n-i. This may be expressed in the following form: 
%1 . xn-i-1 tn-1gn-1 (t) - (n-l ) n I < 1- i C8) 
where t is a very small number.
 
Herafte Wk = x x 2 . x 
Now let fn (t + dt) express the probability that n events have not 
occurred up to time t 4 dt in some specified order. Tha is 
(t + dt) = f(t) i - gn(t) Xndt 
where fn(t + dt) is the product of the two following probabilities; the 
probability that n-1 events have not occurred up to time t in order and 
the probability that the nth event occurred during dt. 
C-9
 
D2-117018-IA
 
The expression g- 1 (t) is the probability that n-1 events have occurred 
upto time t in order, and (Xndt) is the probability that event An occurs 
during at. The product of these probabilities gives the probability that 
the nth event occurs during dt. The probability that the nth event does
 
not occur during dt is given by 
1 - g 1 (t) Xt 
By definition of a differential, dfn(t) = n(t + dt) - fn(t) 
dfn(t)= n(t) " gn-I (t)kndt 
da (t)
 
f,(t) gng1 1 (t) %Xndt
 
lnf(t) = - X f in(.s)as
 
0
 
lnfn(t) ? n f tk - - s 1 + n-1i9n (n-1 . ( 1. 
0 
F - n-1 n{ fsinr (t) =-x - Xn1 sxn 
+-f(n-lA de 
=
Using equation 8 and the notation Xn-1 X1 . . . xn_1 yields 
n-1 -n-I 
s n -
"en-ISn' (s % -I < e n n-1 
- -Tnn 
__i1 71 
C-10
 
D2-117018-1A
 
Integrating this inequality yields
 
- nn- t f ttnIs X ds C< n t 
ntj n-1\Q Z7-1jnt 
0 
Postulate a variable r(t) such tnat -e <r(t) < e 
n - 1 1t n n - r(t)t 
gn 1 (s) ni ds n j n-11n! 
0 
Substituting this value into equation (9) yields
 
- nSr(t )%n 1t + n-1ltn 
lnfn(t) = - Xn n:tnt"_ 
and
 
nn [t(t) +I 
fn (t) = e 
n 
Since gi(t) = I - fi(t) 
*1x t 
gnst) 1 - fn (t) =1 - e t 
For sufficiently small Xt, so that the exponent of the above expressio 
will be small
 
"t n 
xnt [r(t) + I 
C-11
 
D2-117018-lA
 
This may also be expressed as follows
 
n t + 1 tn' 
1--n' [rt - r(t) + 1]<6-n [r(t) .+1 
or 
"
 [rCt) + 11 1 < n [r(t) + < n ngn(t) -Ln 

where 6 > 0 is very small. Hence 
,Tt(,.+ tn [
 
-<t (t) [(t)+1 < L-I (< + . 
Expanding the above expression yields 
6&Tt', (C + 1)tn(t) n A, n
 
n g n %n-T
n , - < ) n ' n . n . + 
tn 
-- nT ( + 

n'. n < nt) n. n n!
 
I 8T tn T tn
 
9;n(t) _ n < 1 (1+) +n 
n'. n! n'
 
Factoring the right hand side Of the inequality yields 
7 tn - tng_(t) _ n_ < 1 [8(1 +C1 +
 
I . n I n! 
Since 6 a-nd e vere chosen to be very small, the right half of the 
ineqtality is very small, and hence 
c-12 
D2-117018-IA
 
tn 
gn(t) ~ n*__*I~gnn! Q. E. D. 
xI •x *•x . . X 
In previous discussion; the expression 
 n was
 
obtained for the probability of occurrence of n events A1, A2, 
 An
 
in a particular order over a time period 
T. Using these results, the
 
probability 
ill now be obtained for the occurrence of four events in
 
order over a time period T when repair times are unequal.
 
Let four events A1 , A2 , A3, A4 have respective repair times T'i '2' T
T 

and failure rates 
Xl X2, %3 X4 . Let the magnitudes of the repair times 
have the relationship, T!1 > T2 > r3 > T4 as shovm below 
~T
 I
 
-T~ 2. t d 
_0T1 - '2r 2 - 3 -I. t 
For this particular example event A1 shall occur first, then A, 
then A3'
 
then Ah. Events A1, A2, and A3 shall occur prior to 
t and event A4 shall
 
occur in the dt interval. The probability of A4 occurring in the dt interval 
is X,,dt. To coexist with A,, in the dt interval, A1, A2 , and A3 can occur 
in the five following w-ays: 
r
a. A occurs in interval 
- T A2 occurs in interval T -
­
and A3 occurs in interval 3
 
P(a) =X 1 ( 1 r 2 )XT - r
XX(( 2 
C-13
 
D2-117018-1A
 
b. 	 A occurs in interval -2 and A2 and A3 both occur in order 
in interval 3 
'r2 
P(b) 	= I ( T I - i 2 ) 
c. 	 AI and A2 both occur in order in.the interval T T' and A Occurs 
in the interval 3
 
2
XlX(-	_-.r)
3
P(c) 	 =2 LL2m 
d. 	 A1 Iccurs in interval (T2 - T3) and A2 and A3 occur in order in 
the interval T3 
P(d) -Xri( T)212 3 2 
e. 
 Al, 	A2 and A3 all occur in order in the interval
 
P(e) 	= 
The total probability, P(t), for the occurrence of A,, A2, A3 in order 
is the sum of these probabilities 
P(t) 	=P(a) + P(b) + P(c) + P(d) 
2T T2 T+ l3 
11 2 x3 	 (T i-g 3 " 2 - 2 + - ) 
C-14 
D2-117018-1A
 
The product of P(t) and X4dt therfore, gives the probability that 
A1, A2 A, 3 A4 occur in the given order and coexist for the first time 
in the dt interval. If f(t) is defined as the probability that 
A1, A2,A 3, A4 have not occurred up to time t in a given orderi and
 
f + dt) is the probability of A1, A2 , A3 , and A4 have not occurred
 
up to time t + dt in a given order, then
 
f(t + dt) = f(t) (i - P(t) x4 dt) 
Since P(t) X dt gives the probability that A,, A2I A I A, occur in the 
1 2' 3' 
given order, I - P(t)X4dt gives the probability that they do not occur 
as specified.
 
f(t + dt) - ft = - f(t)P(t)X4dt 
dr(t) = - f(t)P(t)X4dt
 
df~t)
(t)=

- (t)dt 
Inf(t) P(t)x4 ­fo t 

f0
 
= e ­f(t) 

-
P(t)x 4W
 
= 1-e
1-f(t) 

If P(T)X4T is small, then the probability of the occurrence of this chain
 
of events over time T, P(1234) is
 
2 2 3
 
),T T +.3- )
P(1233) = x 4 (T1 2 3 2 2 + 6 
c-15
 
D2-117UI8-IA
 
By similar manipulationsj the probability for the occurrence of A1 , A2,
 
A3, A4 in that order is
 
u~~T2 T3 2-j Ti>2 3 4 

Similarly
 
=
P (3214) Y12X3 4 6 Tq 
3 
P(3214) = Xl 2X3X4 6 T 
P(31 4) = X1X2X3X4 j--TP,

2 3 
('.324) X1 2 3 +
 
The sun of these probabilities is
 
P(4) = xIIkx 3x4 (7rT2>3) T 
if A is the last event, r4 takes the place of T3 on the figure and 
the resulting probability is 
P(3) =x X(TlTZ 4) T 
Similarly if A2 and A1 are respectively the last events, the associated 
probabilities are 
C-16
 
D2-117018-1A
 
P(2) X1X2 X3 4('t 3rj) T 
r~)= 1' 
These probabilities may be added (P(i), P(P), P(3), and P(4) mutually 
exclusive) giving the total probability of the coexistence of A1 l A2
 
A3, and A4.
 
P = X1X2 X3 X4 (T 2 73 + r1'4 + T 3') + r2 3 T 
it is to be noted that this is equivalent to the coexistence formula. 
Thus, the probability for the coexistence of events can be obtained as 
the sum of the probabilities of each ordered chain of events. 
c-17 
'r' OMOINATION 
2 INPUTS 3 INPUTS n INPUTS 
T's 
N 
E 
A 
N L 
n 
U~~~~~~~ ~ X m 
+(T2 + 
Y2"1Y26(~3I3+T~ 
3 
%2X2 . . x1 3 . . . in + 
+IT *1T2 
TI 3 . . . i 
T.-I ) 
r 
E 
X n 241y 3&112X3 2x)3T 2 *n-
H 
oL 
U 
A 
r I.2 3 
T 
n 
C 
Tr's 
U 
N 
X.u1 + 12 X'1 + X'2 + 3 )LI+ X2 + """ + XUn 
Q 
U 
x,-r1 1.+11 
~ , u 
2 X,11- + Y..2 + 
+.... 
Y3.3 l + X2*r2 
.. 
+ ,. 
+* 
+ Xnlr 
.' 
T u" Xs' + X2 XI + X12 4 '3 X + '2 + + ;In 
U 
A 
L T u -T 
D2-117018-lA
 
APPENDIX D
 
ADVANCED CONCEPTS IN ThE USAGE OF THE MATRIX GATE
 
INTRODUCTION
 
In logic diagram analysis of systems and subsystems many
fault events are used repeatedly in order to denote the
 proper sequence of logic leading to an undesired event, Fre­quently the redundant fault events are related to one another
by a second fault event, resulting in a unique combination

of events. When these combinations are expressed by con­
ventional fault tree techniques, the result is usually long

and repetitive. The Matrix Gate is a method by which logic
diagram construction is simplified with reference to
permutations of redundant (or similar) fault events.
 
It must be emphasized that the Matrix Gate is not a unique
logic operator in logic diagram analysis techniques. The
Matrix Gate is merely a simplified or abbreviated repre­
sentation of an already existing portion of logic diagram;
the existing portion of a logic diagram being a series of
two-input AND gates 
(with related inputs) summed together by
 
an OR gate.
 
Whenever the Matrix Gate is used it is accompanied by a

matrix, whose elements are the redundant (or similar) fault

events. This matrix is necessary in order to denote which

combination of events are applicable to the analysis, the
total number of combinations, and the probability of a
particular combination resulting in the undesired event.
 
In order for the Matrix Gate to meet all possible situations
it is necessary for two types of gate to exist; the variable
 
type Matrix Gate and the conditional type Matrix Gate. The

variable type gate handles situations where both of the
inputs to the gate consist of fault, events (fault events
being referred to as variables). The conditional type gate
handles situations where one input consists of fault events
(variable) and the other input consists of conditional events.
 
Example 1 (Figure Dl) is a generalized case using the

variable type Matrix Gate. 
Fault events Al, A2, A3 and A4
 
are unique but similar and fault events B!, B2, B3 and B4
 
are unique but similar. The Boolean Expression derived from
the sample fault tree agrees with the Boolean expression

extracted from the Matrix Gate and its concomitant matrix.
 
VARIABLE TYPE MATRIX GATE
 
Example 2 (Figure D2) is a typical problem in which a four­
wire cable is to be analyzed. The wires are identified as
Al, A2, A3 and B, 
Under standby operating conditions, assume
that none of these wires carry voltage, and furthermore, that

wire B is an ordnance line and wires Al, A2 and A3 carry
 
D-1
 
MATRX 
Al I 0 0 0 
A2 82 
- -
*3 AZ 0 1 0 0 
A4 84/ 
3 0 0 0 
At g 0 0 I 
Example 1
 
Figure Dl
 
Generalized Matrix date
 
C 
WIREAA HAS ON ITAND 
TO A 
FAULTSGTHATOFAULTSOTHAT 
WIRE THASVOTLTAGEON IT ADD 
SHR OHTO A 
FAULTSTHA 
WIREA3 TAOOLOAGEON IT ANDI 
SHORTTOB 
ILA 
0 
AUTTAALLOW 
ON WR A3 
WIEGE 
VOAGAG 
-C7 
A 
T 
FAL THA ,SE 
O N 
L 
V 
S 
T 
-­ a 
SHORTTO 
IT 
TA 
AG 
AA1 VN 
O WF AND-REN 
.-r-7 N 
C 
-3 
AZTO 
H 
[ \ 
lo\Xwl/ FAILTS~THATAGALOA "A 
/ 
W2 
8 
\ ,/ < 
\>\X2Yi3ALTNHTCUSDIEA TOPSTOR TOF N' 
V 
-
> T 
Z2 
/R 
PO , . 
i-' 
/X3 
T 
/ 
11 HFUT 
/l XI' 
VOLTAE 
ATRIblGATriGt 
2 ORA3WAONONA], 
TA/A 
Nlz 
WIE A 
TW 7 
l 
Example 2 
Figure D2 
variable matrix Gate 
D2-117018-lA
 
voltage at certain discrete time intervals. The undesired
 
event is wire Al, A2, or A3 shorting to wire B and at the
 
same time having voltage on it from a fault condition at the
 
voltage source.
 
In this example the events which cause wire Al to short to
 
wire B will be similar to the events which cause wire A2 to
 
short to wire B and wire A3 to short to wire B. For example,

they could be shorts caused by an insulation failure or a pri­
mary wire failure. Therefore, the fault conditions of these
 
three wires are unique, yet similar.. Since they are similar,

they are drawn only once with the Matrix Gate, instead of three
 
times under conventional techniques.
 
The fault events which allow power onto wire Al may or may

not be similar to the events which allow power onto wire A2
 
or A3, depending upon the circuitry involved. If the fault
 
events are similar (or the same) the Matrix Gate can be
 
utilized easily, with the fault event drawn only once. 
How­
ever, if the fault events are completely different for each
 
wire, the Matrix Gate becomes more complex, and each distinct
 
fault event must be drawn (with little saving over conventional
 
techniques). Since the circuitry at the voltage source is
 
not developed in this example, an assumption will be made
 
that the faults are similar for each wire.
 
The ,3x 3 matrix drawn in Example 2 points out the combina­
tions of interest in this particular analysis. The boxes
 
which contain a "one" are the combinations of concern. These
 boxes, figuratively speaking, say that "the faults allowing
 
power on wire Al" are ANDED with "the faults causing wire Al
 
to short to wire B", and "the faults allowing power on wire
 
A2" are ANDED with "the faults causing wire A2 to short to

wire B", and "the faults allowing power on wire A3" are ANDED
 
with "the faults causing wire A3 to short to wire B" which
 
are all summed together by an OR gate.
 
The significance of using a Matrix Gate in Example 2 may not
 
be readily apparent, but suppose the four-wire cable had been
 
a 50 wire cable. Instead of drawing 50 iterations of wire
 
shorts combined with faults allowing power on the wire, the
 
Matrix Gate requires only one iteration of the combination.
 
The tediousness of drawing and reading superfluous informa­
tion has been eliminated, yet the necessary information is
 
not lost.
 
CONDITION TYPE MATRIX GATE
 
Example 2 demonstrated the Matrix Gate with both of the inputs
 
as variables. That is, both of the inputs to the gate con­
sisted of fault conditions. A second, and slightly different,
 
way of using the Matrix Gate is with one input as a variable
 
and the other input as a condition. This type of usage is
 
D-4
 
D2-117018-lA
 
fitted for situations whereby the Matrix Gate is employed
 
to replace Inhibit Gates which have similar or redundant
 
inputs. Example 3 depicts this type of usage.
 
Example 3 (Figure D3) deals with a car and highway situation.
 
In this example a car is analyzed for the undesired event
 
'car wreck" and the only failure modes being considered are:
 
In
1) blowout, 2) loss of steering, and 3) brakes locking-

addition to analyzing the car to determine the causes of
 
these failure modes, certain road conditions are placed on
 1) the road being
These conditions are:
each failure mode. 

wet, 2) the road being dry, and 3)- the road being icy.
 
As is apparent from the logic diagram shown in Example 3,
 
the variable inputs to the Inhibit Gates are redundant, and
 
result in a unique set of combinations. This unique set of
 
combinations results in a long and repetitious fault tree,
 
which can be effectively reduced in size and complexity as
 
shown.
 
The 3x3 matrix shown in Example 3 demonstrates that nine
 
unique, but related combinations result from this particular
 
example. Furthermore, it shows which fault event is com­
bined with which conditional event, and the number of times
 
each event is combined.
 
THE MATRIX
 
Now that the Matrix Gate has been exemplified in a simple a
 
and concise manner, a small adjustment factor must be intro­
duced. This adjustment factor involves the "one" and "zero"
 
placed inside the boxes of the matrices. These numbers are,
 
in actuality probability numbers which represent the prob­
ability of an. Inhibit Gate allowing each combination (of
 
fault events) to result in the undesired event. To be spe­
cific, an Inhibit Gate is located between each AND gate com-

This "hidden" Inhibit
bination and the summing OR Gate. 

Gate does not appear in the fault trees of Examples 1, 2,
 
and 3 because the probability of a particular combination
 
resulting in the undesired event has been assumed as one or
 
zero. When the probability was zero for a certain combina­
tion this meant that the combination was either impossible
 
or not desired for analysis. When the probability was one
 
for a certain combination this meant that when the two
 
events occurred, the undesired event was immediately real­
ized. The probability of the-combination resulting in the
 
end event is not always one or zero, but frequently some
 
value in-between.
 
Example 4 (Figure D4) isa.continuation of Example 3, ex­
cept the "hidden" Inhibit Gate is- shown in.the logic diagram.
 
This example demonstrates the.probability involved for real­
izing a car wreck given that a car fault occurs and the
 
D-5
 
AU.CAUSE' 
U 
CAUSEITCAUSE LOSS 
WRECKCK 
IC .. RODB NT FDAB 
CAUSE LOSS CAUSE LOSS 
CARC 
CAUSE BRKSCAUSE MFSCAUSEBRESh 
STIRIE 
F-2 
TIONS 
CAL 
MARIXTGAT 
LOSS.LSLO 
AARI 
LRU 
Figure D3" 
Condition Matrix Gate 
Example 3 
BLWU........OFILOCKE BRAKES:'Z 
AND WETiROAD STEE NG AND 
WTRSTEERING 
OWERODON 
ON 
DRY ROAD 
A , 
OVIy :A : 
e 
•FAULTS THAT 
CAUSE 
BL.OWOU0T 
FALSTA 
CAUSE L' SS 
OF STEI NG 
I 
FUT H 
AUSE BRAKZ 
T OK 
'-­
0 z0 
Figure D4 
Condition Matrix Gate 
ROAD F6.8 Tr 
OM) -4 .7 .4 
ICY 
ROAD ,8 . 6Example 
MTRX 
4 
D2-117018-lA
 
appropriate road condition is fulfilled. 
Take for example
the fault tree path "blowout on a wet road". When a blow­
out occurs and the road is wet it does not necessarily fol­low that there will be a car wreck. There is a certain
 
probability involved for a blowout on a wet road to result
 in a wreck, and this probability is represented by. an Inhib­
it Gate condition. The probability of-this condition is
 
placed inside the matrix which accompanies the Matrix Gate.
 
The probability numbers in the matrix should not be taken
 
as the probability of two fault events being combined to­gether. These numbers indicate the probability that two
 
combined fault events will result in the undesired event
 
after they have statistically been combined. Example 5
(Figure D5) shows the generalized case and the mathematical
 
equations involved.
 
CONCLUSION
 
The preceeding discussion provides evidence that the Matrix
 
Gate and its concomitant matrix successfully represent a

condition of similar or redundant fault event combinations
 
in a simple and concise form while at the same time yielding

all of the qualitative information involved.
 
£3-8 
EU 
Y2 DI 03
 
B! C2 C3
 
Al yi 1 A2? I­
-l )..1. ) + Y2 (A28 2) +Y3 A3.23)+ O(Mkt32 +0 A E= '(T (AA2 t 0 02 fi 'YI (AlI4)+ Y 2 (fl-f2)+ fl W -3 )A3- - - C C fl 
IMATNX Example 5 
Figure DS 
Generalized Matrix Gate - Mathematloal Eqations 
D2-117018-lA
 
APPENDIX E
 
LOGIC DIAGRAM EXAMPLE
 
The following analysis is an example of logic diagramming,
 
notation and the use of logit diagram symbols. This
 
example analysis is made on a rocket launching system,

composed of the following manufactured -subsystems: control
 
panel, power and signal distribution box, and rocket. The
 
system has been analyzed by a logic diagram for the
 
undesired event of "Inadvertent Rocket Ignition."
 
Figure El is essentially a block diagram which describes
 
the components in the subsystem, and their relationship
 
to each other. Figure E2 is an electrical schematic of the
 
- system and from this the method of system operation can be
 
derived.
 
To launch the rocket in a normal operating manner,switches
 
S1 and 82 on the control panel are operated simultaneously.

Switch S1 is moved to the "arm" position and switch S2 is
 
moved to the "launch" position. Then, in exactly five
 
minutes the rocket is ignited (launched). By moving
 
switch S2 to the "inhibit" position within five minutes
 
*after switch S1 has been moved to "arm" the launch can be
 
inhibited, but not after five minutes. Also, switch Sl can
 
be moved from "arm" to "safe" (within five minutes)in order
 
to inhibit the launch. When positive voltage is applied to
 
terminal 1 and ground to terminal 2 of the "arm & monitor
 
switch" motor, the motor drives the arm switch closed and
 
the monitor switch open. In order to open the arm switch
 
and close-the monitor switch, positive voltage must be
 
applied to terminal 2 of the motor and ground to terminal 1.
 
When positive voltage is applied to the coil in the "five
 
minute sequencer" a timing device is initiated in the
 
stepper switch (position 1) five minutes after voltage has
 
been applied to the coil, as long as the voltage is
 
continuous. If, in the five-minute period, voltage is
 
discontinued, the timer will stop and automatically

readjust to zero time (position 2).
 
When voltage is applied to the coil in the "delay gate" the
 
switch is instantaneously closed. If voltage to the coil
 
is terminated the switch will open.
 
The light on the control panel is the monitoring device.
 
This light is on continuously and extinguishes when the arm
 
switch is closed. When the light goes out the control
 
panel operator knows that the arm switch is closed and that
 
the five-minute sequencer stepper switch will be closed in
 
five minutes. The only other alternative when the monitor
 
E-1
 
POWER AND SIGNAL 
DISTRIBUTION BOX 
AM 
CONTROL 
PANEL BAT ROCKET 
S-
SIB 
S2 INHI 
LAUNCH 
CABLE ARM & 
MON ITOR 
SWITCH 
5--MIN 
[ SEQ 
DELAY 
GATE 
CAB 
r 
C 
o 
Figure El 
System Block Diagram 
CONTROL PANEL 
POWER AMD SIGNAL DISTRIBUTION BOX 
BATTERY #2
ri i 
ii 
BATTERY #1AR.AM&DELAY 
Pi P2 
~~MONITOR 
_--_ji 
ii3P 
GATE ROCKET 
SAFE 
I 
I 
---
BATTERY #3 
5 MINUTE 
SEQUENCER 
Figure E2 
System Schematic 
D2-117018-lA
 
light goes out is that battery #2 on the battery connecting
 
circuitry has failed.
 
Figure E3 shows two methods for denoting the relationship

of the logic diagrams constructed for the undesired event
 
"Inadvertent Rocket Ignition." These two methods merely

denote which logic diagrams are an input into another logic

diagram and is 
a cross index of the entire set of diagrams.
 
Figures E4 through Ell are the logic diagrams for the
 
rocket launching system. These diagrams use most of the

symbols of logic diagramming and the alpha-numeric system

of identifying input events. Figures E4 through E7 are
 
hand drawn logic diagrams using a basic system of event
 
identification. Figures E8 through Ell are the same 
logic

diagrams as E4 through E7 respectively except they are
 
mechanically drafted and use the event identification
 
method described in section 4.5.
 
The data charts (pages E-14 through E-20) shown following the
 
logic diagrams represent an application of these charts to
 
an example problem. The failure rate (MTBF) and "source
 
of data" information columns contain information which was
 
arbitrarily selected to show the ranges of data and types

of sources which could be expected. All other columns,

however, represent exact information related to the system
 
of this example.
 
Column definitions and general discussion of the data chart
 
can be found in Appendix A.
 
E-4
 
LOGIC DIAGRAM CROSS INDEX 
1NADVERTEt 
ROCKET INTO A INTO A INTO I 
IGNITION 
AI 
LOGIC DIAGRAM MAP 
DU 
CWR P 
v ~ rl ,ael
NONE ~s vLNONE 
C 
Pigure 23
 
Logic DiagramCross Reference
 
r 100 
a' 
-I 
FAL 	 C0 
OD 
Figure B4
 
Hand Drawn Logic Diagram
 
MIO 
$TA~ 
Afl SIA rot PT 
FM CD 
" n3 Iv N " P 6 
W AU 
Figure E5 
Rand Drawn Logic Diagram
 
[LFRO ONUOLSWI HA 
ON'9P IN dN 
SHORTST 
PL 
SLECOHO5 SCOW 
CLSE HOT TOH W, Q HRSW? O HfSW~ 
2W 0X0O Cf2S 021 
VILTAaLV 
TOd I 
bTMd 
4 
Figure E6
 
Hand Drawn Logic Diagram
 
'D
 
POSITIVE 
VOLTAGE ON P2 
PIN b 
FROM SHORTS 
PIN b 
SHORTSPIN TOc 
IN?I PLUG 
DZ038 
~ 
IN CABLE WI 
SHORTS T"O 
POSITIVE
VOLTAGE> 
MATRIX 2' 
<<HRSt 
I 
I 
I 
LGP 
DZ039 
WIRE b SHORTSTOWIRE a, cr 
ORd 
POSITIVEVOLTAGE ON 
WIRE a, cORd 
IU 
b 
-I 
-
0 
I 
0,i 
FROMPRIMARY 
-
DX013DX014DX015 
TS T 
SHOLTDZ035 
DZ06DZ037 
PANELSHORTSWIRE TO I 
BATTERY #I 
DX016DX017DX018 
PANEL SHORTS 
aAntwRS,....._Y 2=TT 
DX019DX020DX02I VOLTAGE 
SHORT 
a TO b 
a 
1 
b, 
0 
c 
0 
cTOb 0 1 0 
d TOb 0 0 1 
Figure E7 
Hand Drawn Logic Diagram MATRIX 2 
PIN B SHORTS TO PIN 8 SHORTS TO HIRE a IN CR3LE
 
PIN C FIN IN
C P2 TLUM S N OHOT O TPOSITIVE VOLTAGE
 
PRE R STSCHO
TO HIRE A OR C POITIV VOLT SGOON WIRiE R OR C 
OOR 0 
HIRES SHORT FRM A TTRMAL ENERGY 
 IN CONTROL
1SHORT SHORT IN CONTROL
POPRIMARY FPULT 4 CAUSES HIRES TO ANEL BANEL SHOTSS'Lp-JSHORT] HIRE TO BRlTTERY.1 HIRE TO BFTTERY.2
( )\ • SPN ,7 \X09 -4 
Figure E10 
Machine Drafted Diagram 
INTAS DT 
I TRD RE 
REV BY 
INITIALS DATE TITLE MODEL 
CALC 
CHECK 
APPO 
APPO 
RPPD 
REV LTR __BOEING 
AARB-POSITIVE VOLTROE ON P2 PIN 8 FROM SHORTS 
!N.O- Z 
R 
o7018 
AlPOLLO 
Z 08 
C 
(A 
LO CKFR 
OSCCL 
5ECONTROL ETN 1 2 PIN O 
F CLOSES 2 CONTACTS COET CT F ILURE CLOSES 2 CO T CT S PRIRR Y F AT HRCAUSS HRES TO NRAN E!TSHORTS 
BATTERYii 
RPANL SHORTS 
BATTERY*2 
0 
OR C.Hm K 
I NITICLS 
tALC 
PRIMRY 2STCTHR 
RPPP 
_ _ __ _ _8 
RENA F R 
ATE RCV 
",E 
T MAE fT 
E G 
L 
OBB--!ONER AVAILABLESRO RST 
I 
L 
TR I3 
. S IN 
ODV 
APOLLO 
Figure Eli 
Machine Drafted Diagram 
II 
COMPONENT COMPONENT 
FAILURE MQDR 
Switch Si 	 Contacts fail 

open 

Contacts fail 

closed - arm 

position 

Contacts fail 

closed - safe 

position 
Contacts fail 

to open - arm 

position 

Contacts fail to 

open - safe 

position 

Contacts fail to 

close 

III 
FAILURE 
RATE 
IV, 
SOURCE 
OF DATA 
V 
COMPONENT 
FAILURE STATE 
VI 
EFFECT OF 
COMPONE T 
FAILURE 
VII 
REMARKS 
MTBF 
7 x 109 Hr 
Field ExperiencE Standby Arm & Monitor 
(A&M) Switch 
Motor cannot be 
activated. 
System is 
disabled 
MTBF 
4 x 10 Hr 
Field Experienoe Standby Positive voltage 
applied to ter­
minal 1 of Arm 
Switch Motor H 
MrBF 
4 x 107 Hr 
Field ExperiencE Standby Positive voltage 
applied to ter­
minal 2 of Arm 
Switch Motor 
MTBF 
5 x 10 Hr 
Safety Test Standby Positive voltage 
remains on ter­
minal I of Arm 
Switch Motor 
MTBF 
5 x 1011 Hr 
Safety Test Standby Positive voltage 
remains on ter­
minal 2 of Arm 
Switch Motor 
MTBF 
5 x 1012 Hr 
Safety Test Standby Positive voltage System is 
cannot be app- disabledlied to either 
erminal 1-or 4 
of Arm Switch Motor. 
In III IV V VI VII 
CCM F, JT C0M.IPOFE"NT 
FAILURE NODE 
FAILURE 
RATE 
SOURCE 
OF DATA 
CO0lPONIMT 
FAILURE STATZ 
EFFCT OF 
COIPO'OiNT 
FAILURE 
REMAVIIDS 
Switch S2 Contacts fail 
closed 
MTBF 
4 x 107 Hr 
Field Experience Standby Positive voltage 
applied to se­
quencer stepping 
switch 
Contacts fail 
open 
MTBF 
7 x 109 Hr 
Field Experience Standby Positive voltage 
cannot be app­
lied to sequen­
cer stepping 
switch 
N 
Contacts fail 
to open 
MTBF 
5 x 1011 Hr 
Safety Test 
Saet 
S dPositive 
Standby 
o 
Poiievoltage
cannot be re- C H 
moved from se­
quencer stepping 
switch 
Contacts fail 
to close 
MTBF 
5 x 11 Hr 
Safety Test Standby Positive voltage 
cannot be app­
lied to sequen­
cer stepping 
switch 
II 
_2iogT COMPOCN£rT 
FAILURE NODE 
Arm & Monitor Arm contacts 

(A&M) Switch fail open 

Arm contacts 

fail closed 

Monitor contacts 

fail open 

ONo
 
Monitor contacts 

fail closed 

Motor fails to 

operate 

Motor operates 

inadvertently 

lI 

FAILURE 
RATE 
MTBF 

1 x 10 Hr 

MTBF 

6.3 x 106 Hr 

MTBF 

1 x 107 Hr 

MTBF 

6.3 x 106 Hr 

MTBF 

5.1 x 104 Hr 

MTDF 

8 x 1011 Hr 

IV 

SOURCE 
OF DATA 
Safety Test 

Safety Test 

Safety Test 

Safety Test 

Safety Test 

Safety Test 

V 
COMPONENT 
FAILURE STATE 
Standby 

Standby 

Standby 

Standby 

Standby 

Standby 

VI VII 
EFFECT OF 
CO O"EFAILURE T 
Positive voltag(
 
cannot be app­
lied to coil of
 
sequencer
 
Positive voltagE
 
is applied to
 
coil of sequen-

cer 
Monitor light 

goes out 

Monitor light
 
stays on con­
tinually
 
Positive voltage
 
cannot be app­
lied to delay
 
gate or sequen­
cer
 
Positive voltage
 
applied to dela3
 
gate and sequen­
cer, monitor
 
-lightgoes off
 
REEt.RKS 
U 
H 
H 
I 
COMIPOI"E:iT 
II 
COUPO 
FAILURE 
NET 
MODE 
III 
FAILURE 
RATE 
IV, 
SOURCE 
OF DATA 
V 
COMPONLNT 
FAILURE STATE 
VI 
EFFECT OF 
COMPONDT 
VII 
REMApIKS 
FAILURE 
5 Minute 
Sequencer 
Stepping switch 
contacts fail 
open (position 2) 
MTBF 
9 x 101 Hr 
Field experience Standby Positive voltage 
cannot be app­
lied to delay 
gate coil 
H 
Stepping switch 
contacts fail 
closed (position 
1) 
Coil fails open 
MTBF 
1.3 x 108 Hr 
MTBF 
9 x 108 Hr 
Field experience Standby 
Field experience Standby 
Circuit to delay 
gate coil is 
completed 
Stepping switch 
will not step to 
position 2 
N 
H 
0 
Coil fails 
shorted 
MTBF 
1.1 x 108 Hr 
Field experience Standby Battery #2 out-H 
put will be shor­
ted to ground -
switch will not 
step to position 
1 
Monitor 
Lamp 
Burns out MTBF 
4 x 105 Hr 
Field experience Standby Indicates A&M 
switch is armed 
SII 
C(3.... COMjPOTNNT 
FPJLJR7, MODE 
Delay Gate Contacts fail 
open 
Contacts fail 
closed 
H Coil fails 
open 
Coil fails 
shorted 
III 
FALUI 
RTE 
IV 
SOURCE 
OF DATA 
V 
C0M.-0r21"T 
FAILURE STATE 
VI 
EFFECT OF 
COMPOI{5NTFAILUR! 
VII 
RFU4ACS 
MTBF 
.7 x 107 Hr 
Field experience Standby Positive voltage 
cannot be app­
lied to rocket 
ignition 
squib 
MTBF 
1.5 x 109 hr 
Field sxperienc Standby Circuit to roc­
ket ignition 
squib is com­
pleted 
MTBF 
1.1 x 108 Hr 
Field experience Standby Switch cannot 
be closed 
MTBF 
.7 x 107 Hr 
Field experienc Standby Switch cannot be> 
closed - Battery 
#2 output will 
be shorted to 
ground 
I 
... !POIIN....... 
II 
C. NT 
FAILURiE MODE 
____ ___ ____ 
III 
FAILURE 
RNPE 
IV 
SOUC2E 
OF DATA. 
V 
of' 
FAILLEM STATE 
VI 
7PsJV. OF 
C NT 
F:1[ LUPJI 
711 
Battery #1 No power output MTBF 
.5x 107 Hr 
Field experience Standby A&M motor cannot 
be operated 
Battery #2 No power output MTBF 
.5x 107 Hr 
Field experience Standby Power not avail­
able to ignition 
squib or sequen­
cer coil 
HO 
Battery #3 No power output 
tfl 
MTBF 
.5 x 107 Hr 
Field experience Standby Power not avail­
abe to delay 
gate coil 
0 
H 
m 
I II III IV V VI VII 
COliPO ERlIT C001IPCNEUT 
FAILURE MODE 
FAILURE 
RATE 
I SOU R1CE 
OF DATA 
V O POIIETT 
FAILURE STATE 
VI t'VE.T OF 
CO? "!'PUNT 
FAILURE 
VII 
Rocket Ignition Fails to ignite 
Squib 
MTBF 
3 x 107 Hr 
Safety Test Standby Rocket propel­
lant will not be 
ignited 
Ignites inadver-
tently (auto-
ignition) 
MTBF 
7 x 1011 Hr 
Safety Test Standby Rocket propel­
lant will be 
ignited prema­
turely 
Rocket Propel-
Slant (Solid)I 
Fails to ignite MTBF 
1 x 106 HrH 
Safety Test Standby Rocket will not 
be launched 
C.)0 
Ignites inadver-
tently (auto-
ignition) 
TBF 
.9 x 1012 Hr 
Safety Test Standby Rocket will be 
launched pre­
maturely 
0-.H 
D2-117018-1A
 
LIMITATIONS
 
This document is controlled by Apollo/
 
TIE System Safety and Program Assurance.
 
All revisions to this document shall be
 
approved by the above noted organization
 
prior to release.
 
F-i
 
D2-117018-1A
 
ACTIVE SHEET RECORD
 
ADDED SHEETS
ADDED SHEETS 
SHEET t SHEET t SHEET SHEET t SHEET SHEET 
NUMBER UNUMBER="NUMBER >"NUMBENUMBER NUMER 
ii A 4-22 A
 
iii 4-23
 
iv 4-24
 
v 
vi 5-1 
5-2
 
1-1 5-3
 
5-4
 
2-1 5-5
 
2-2 5-6
 
2-3 5-7
 
2-4 5-8
 
2-5 5-9
 
2-6 5-10
 
5-11 
3-1 5-12
 
3-2 5-13
 
3-3 5-14
 
3-4 5-15
 
5-16 
4-i 5-17
 
4-2 5-18
 
4-3 5-19
 
4-4
 
4-5 A-I
 
4-6 A-2
 
4-7 A-3
 
4-8 A-4
 
4-9
 
4-10 B-1
 
4-11 B-2
 
4-12 C-I
 
C-2
4-13 

4-14 
C-3
4-15 
C-4
4-16 
C-5
4-17 

C-6
4-18 C-7
4-19 C­4-20 C4-21 A 
F-2
 
D2r I70-iB-iA 
ACTIVE SHEET RECORD 
ADDED SHEETS ADDED SHEETS 
SHEET S SHEET S SHEET S SHEET S SHEET SHEET 
NUMBER , NUMBER " NUMBER NUMBER " NUMBER " NUMBER = 
C-10 A F-I A 
C-l1 F-2 
C-12 F-3 
C-13 F-4 A 
C-14 
C-15 
C-16 
C-17 
C-18; 
D-I 
D-2 
D-3 
D-4 
D-5 
D-6 
D-7 
D-8 
D-9, 
E-1 
E-2 
E-3 
E-4
 
E-5
 
E-6 
E-7 
E-8 
E-9 
E-10 
E-II 
E-12 
E-13 
E-14 
E-15 
E-16 
E-17 
E-18 
E-19 
E-20 A 
F-3 
D2-117018-1A
 
REVISIONS 
REV.SYM DESCRIPTION DATE APPROVED 
A COMPLETE REVISION 6/17/8 D.R. PLEAS 
V- 4
 
D2-117018-1A
 
IT,AN IO 
M CH NI RL 80 Cfl1UITlhOi TTBO 
CUSS OErCORE ~ 
N 
SGNITE 
A I N 
g 4PNA
 
AAUl'TTOF 
N 2.T N0 
,~~~~ -C,I 
CTERITT 000ELFROI INC -CRO 000 MIE00 I' 
Figure E8 
 I 
DiagraoMachine Drafted 
IJIIEL TITLEN, FrlL
 
CHECKICH 
RTRNT0 LONITIO0 TE MCCM .OTTON C CNUEICEHIY-- TOP-- INC 01 T TC'NTICI lICI 
...LTA 86FFNG o E-T .... FOLDOUT FRAME E-iO 
FOLDOUT F 
