Application of Markov techniques

This International Standard provides guidance on the application of Markov techniques to model and analyze a system and estimate reliability, availability, maintainability and safety measures. This standard is applicable to all industries where systems, which exhibit state-dependent behaviour, have to be analyzed. The Markov techniques covered by this standard assume constant time-independent state transition rates. Such techniques are often called homogeneous Markov techniques.

Application of Markov techniques (IEC 61165:2006)

General Information

Status: Published
Publication Date: 31-Dec-2006
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 01-Jan-2007
Due Date: 01-Jan-2007
Completion Date: 01-Jan-2007
Standard: SIST EN 61165:2007
Language: English
Pages: 37

Standards Content (Sample)

EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN 61165
July 2006
ICS 03.120.01; 03.12.30; 21.020

English version
Application of Markov techniques
(IEC 61165:2006)
French title: Application des techniques de Markov (CEI 61165:2006)
German title: Anwendung des Markoff-Verfahrens (IEC 61165:2006)

This European Standard was approved by CENELEC on 2006-07-01. CENELEC members are bound to comply
with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard
the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and notified
to the Central Secretariat has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Cyprus, the Czech
Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain,
Sweden, Switzerland and the United Kingdom.

CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung

Central Secretariat: rue de Stassart 35, B - 1050 Brussels

© 2006 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 61165:2006 E
Foreword
The text of document 56/1096/FDIS, future edition 2 of IEC 61165, prepared by IEC TC 56,
Dependability, was submitted to the IEC-CENELEC parallel vote and was approved by CENELEC as
EN 61165 on 2006-07-01.
The following dates were fixed:
– latest date by which the EN has to be implemented at national level by publication of an
identical national standard or by endorsement (dop): 2007-04-01
– latest date by which the national standards conflicting with the EN have to be
withdrawn (dow): 2009-07-01
Annex ZA has been added by CENELEC.
__________
Endorsement notice
The text of the International Standard IEC 61165:2006 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards indicated:
IEC 60812 NOTE  Harmonized as EN 60812:2006 (not modified).
IEC 61078 NOTE  Harmonized as EN 61078:2006 (not modified).
__________
- 3 - EN 61165:2006
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications

The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.

NOTE  When an international publication has been modified by common modifications, indicated by (mod), the relevant EN/HD
applies.
Publication | Year | Title | EN/HD | Year

IEC 60050-191 | 1990 | International Electrotechnical Vocabulary (IEV) – Chapter 191: Dependability and quality of service | - | -
IEC 60300-3-1 | - 1) 2) | Dependability management – Part 3-1: Application guide – Analysis techniques for dependability – Guide on methodology | EN 60300-3-1 | 2004
IEC 61508-4 | 1998 + corr. April 1999 | Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations | EN 61508-4 | 2001

1) Undated reference.
2) Valid edition at date of issue.

IEC INTERNATIONAL STANDARD
Second edition
2006-05

Application of Markov techniques
(French title: Application des techniques de Markov)

© IEC 2006 Copyright - all rights reserved
No part of this publication may be reproduced or utilized in any form or by any means, electronic or
mechanical, including photocopying and microfilm, without permission in writing from the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch Web: www.iec.ch
PRICE CODE V
For price, see current catalogue

61165 © IEC:2006 – 3 –
CONTENTS
FOREWORD ... 7
INTRODUCTION ... 11

1 Scope ... 13
2 Normative references ... 13
3 Terms and definitions ... 13
4 Symbols and abbreviations ... 17
4.1 Symbols for state transition diagrams ... 17
4.2 Other symbols and abbreviations ... 19
4.3 Example ... 21
5 General description ... 21
6 Assumptions and limitations ... 23
7 Relationship with other analysis techniques ... 25
7.1 General ... 25
7.2 Fault Tree Analysis (FTA) ... 25
7.3 Reliability Block Diagram (RBD) ... 27
7.4 Petri nets ... 27
8 Development of state transition diagrams ... 27
8.1 Prerequisites ... 27
8.2 Rules for development and representation ... 29
9 Evaluation ... 31
9.1 General ... 31
9.2 Evaluation of reliability measures ... 33
9.3 Evaluation of availability and maintainability measures ... 33
9.4 Evaluation of safety measures ... 35
10 Documentation of results ... 35

Annex A (informative) Basic mathematical relationships for Markov techniques ... 37
Annex B (informative) Example: Development of state transition diagrams ... 43
Annex C (informative) Example: Numerical evaluation of some reliability, availability, maintainability and safety measures for a 1-out-of-2 active redundant system ... 53

Bibliography ... 63

Figure 1 – Diagram of transition probabilities in time interval (t,t+Δt), for arbitrary value of t and small Δt, for a non-restorable one-element system with constant failure rate λ ... 21
Figure 2 – State transition diagram of a non-restorable one-element system ... 21
Figure 3 – Interpretation of failure and restoration times in different contexts ... 33
Figure B.1 – State transition diagram for a restorable one-element system ... 43
Figure B.2 – State transition diagram with three states for a one-element system ... 43
Figure B.3 – State transition diagram when restorations may be made from state 2 for a one-element system ... 43
Figure B.4 – State transition diagram when direct transition is considered for a one-element system ... 45
Figure B.5 – State transition diagram for the evaluation of reliability of a one-element system ... 45
Figure B.6 – State transition diagram for a 1-out-of-2 active redundant system with no restorable elements ... 45
Figure B.7 – State transition diagram for a 1-out-of-2 active redundant system with restorable elements, two restoration teams and no restoration limitations ... 47
Figure B.8 – State transition diagram for a 1-out-of-2 active redundant system with restorable elements, two restoration teams and common cause for a system failure ... 47
Figure B.9 – State transition diagram for a 1-out-of-2 active redundant system with only one restoration team and restoration priority as first-in/first-out ... 49
Figure B.10 – Reliability block diagram for a 2-out-of-4 active redundant system ... 51
Figure B.11 – Aggregated state transition diagram for reliability computation of the system in Figure B.10 ... 51
Figure C.1 – State transition diagram for 1-out-of-2 active redundant system with different elements and two restoration teams ... 53
Figure C.2 – State transition diagram for a 1-out-of-2 active redundant system with identical elements, two restoration teams and unlimited restoration resources ... 53
Figure C.3 – Numerical example for unavailability ... 57
Figure C.4 – Numerical example for dangerous failure rate ... 61

INTERNATIONAL ELECTROTECHNICAL COMMISSION
___________
APPLICATION OF MARKOV TECHNIQUES

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61165 has been prepared by IEC technical committee 56:
Dependability.
This second edition cancels and replaces the first edition published in 1995, and constitutes a
technical revision. The revision was necessary in order to facilitate the application of this
standard for safety analysis as well as the increased importance of numerical solutions
compared to analytical solutions of Markov techniques.
The main changes with respect to the previous edition are the following:
• additional annexes with application examples have been removed.
• the mathematical terminology and symbols have been updated.
• terminology has been harmonised.

The text of this standard is based on the following documents:
FDIS: 56/1096/FDIS; Report on voting: 56/1111/RVD
Full information on the voting for the approval of this standard can be found in the voting
report indicated above.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.
INTRODUCTION
Several distinct analytical methods for reliability, availability, maintainability and safety
analysis are available of which the Markov technique is one. IEC 60300-3-1 gives an overview
of available methods and their general characteristics.
This standard defines the basic terminology and symbols for the application of Markov
techniques. It describes ground rules for the development, representation and application of
Markov techniques as well as assumptions and limitations of this approach.

APPLICATION OF MARKOV TECHNIQUES

1 Scope
This International Standard provides guidance on the application of Markov techniques to
model and analyze a system and estimate reliability, availability, maintainability and safety
measures.
This standard is applicable to all industries where systems, which exhibit state-dependent
behaviour, have to be analyzed. The Markov techniques covered by this standard assume
constant time-independent state transition rates. Such techniques are often called
homogeneous Markov techniques.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60050(191):1990, International Electrotechnical Vocabulary (IEV) – Chapter 191:
Dependability and quality of service
IEC 60300-3-1: Dependability management – Part 3-1: Application guide – Analysis techniques
for dependability: Guide on methodology
IEC 61508-4:1998, Functional safety of electrical/electronic/programmable electronic safety-
related systems – Part 4: Definitions and abbreviations
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 60050(191):1990
and the following apply.
NOTE To facilitate the application of this standard for safety evaluations, the terminology from IEC 61508 is used
where appropriate.
3.1
system
set of interrelated or interacting elements
[ISO 9000, 3.2.1]
NOTE 1 In the context of dependability, a system will have a defined purpose expressed in terms of intended
functions, stated conditions of operation/use, and defined boundaries.
NOTE 2 The structure of a system may be hierarchical.
3.2
element
component or set of components, which function as a single entity
NOTE An element can usually assume only two states: up or down (see 3.4 and 3.5). For convenience the term
element state will be used to denote the state of an element.

3.3
system state
X(t)
particular combination of element states
NOTE X(t) is the state of the system at time t. There are other factors that may have an effect on the system state
(e. g. mode of operation).
3.4
up state
system (or element) state in which the system (or element) is capable of performing the
required function
NOTE A system can have several distinguishable up states (e.g. fully operational states and degraded states).
3.5
down state
system (or element) state in which the system (or element) is not capable of performing the
required function
NOTE A system can have several distinguishable down states.
3.6
hazard
potential source of physical injury or damage to the health of people or property
[IEC 61508-4, 3.1.2, modified]
3.7
dangerous failure
failure which has the potential to put the safety-related system in a hazardous state or fail-to-
function state
[IEC 61508-4, 3.6.7, modified]
NOTE 1 Whether or not the potential is realised may depend on the architecture of the system.
NOTE 2 The term unsafe failure or hazardous failure is also commonly used in this context.
3.8
safe failure
failure which does not have the potential to put the safety-related system in a hazardous state
or fail-to-function state
[IEC 61508, modified]
3.9
transition
change from one state to another state
NOTE Transition takes place usually as a result of failure or restoration. A transition may also be caused by other
events such as human errors, external events, reconfiguration of software, etc.
3.10
transition probability
P_ij(t)
conditional probability of transition from state i to state j in a given time interval (s, s+t) given
that the system is in state i at the beginning of the time interval
NOTE 1 Formally P_ij(s, s+t) = P(X(s+t) = j | X(s) = i). When the Markov process is time-homogeneous, then
P_ij(s, s+t) does not depend on s and is designated as P_ij(t).
NOTE 2 For an irreducible Markov process (i.e. if every state can be reached from every other state) it holds that
P_ij(∞) = P_j, where P_j is the asymptotic and stationary or steady-state probability of state j.
3.11
transition rate
q_ij
limit, if it exists, of the ratio of the conditional probability that a transition takes place from
state i to state j within a given time interval (t, t+Δt) and the length of the interval Δt, when Δt
tends to zero, given that the system is in state i at time t
NOTE p_ij or c_ij are also used in this context.
3.12
initial state
system state at time t = 0
NOTE Generally, a system starts its operation at t = 0 from an up state in which all elements of the system are
functioning and transits towards the final system state, which is a down state, via other system up states having
progressively fewer functioning elements.
3.13
absorbing state
state which once entered, cannot be left (i. e. no transitions out of the state are possible)
3.14
restorable system
system containing elements which can fail and then be restored to their up state without
necessarily causing system failure
NOTE Repairable is also used in this context.
3.15
non-restorable system
system the state transition diagram of which contains only transitions in the direction towards
system failure states
NOTE Non-repairable is also used in this context.
4 Symbols and abbreviations
4.1 Symbols for state transition diagrams
Markov techniques are graphically represented by state transition diagrams or by transition
rate diagrams, both terms being used as equivalents in this standard.
The following symbols are used throughout this document. Other symbols may be applied as
appropriate.
4.1.1 State symbol
A state is represented by a circle or a rectangle.
NOTE In order to increase readability, down states can be highlighted, e. g. by bold lines, colouring or hatching.
4.1.2 State description
The state description is placed inside the state symbol and may take the form of words or
alphanumeric characters defining those combinations of failed and functioning elements which
characterise the state.
4.1.3 State label
A state label is a number or a letter in a circle, placed adjacent to the state symbol, or in the
absence of a state description, within the state symbol itself.
NOTE The state can often be adequately represented by a circle with the state number or letter.
4.1.4 Transition arrow
The transition arrow indicates the direction of a transition (e. g. as a result of failure or
restoration). Transition rates are written near the transition arrow.
4.2 Other symbols and abbreviations
Symbols for reliability, availability, maintainability and safety measures follow those of
IEC 60050(191), where available. The references below with a prefix 191 are from
IEC 60050(191). In this standard the following symbols are used:
Symbol/Abbreviation | Term | Reference
R(t) | reliability |
NOTE 191-12-01 uses the general symbol R(t_1, t_2)
DFR | dangerous failure rate | IEC 61508
NOTE In a safety context, hazard rate (HR) is commonly used for DFR.
MTTF | mean time to failure | 191-12-07
MTTFF | mean time to first failure | 191-12-06
MTTFH | mean time to first hazardous situation |
PFD | probability of failure on demand (unavailability) | IEC 61508
NOTE The PFD at a given time t corresponds to Σ_j P_j(t) for all down states j.
λ(t) | (instantaneous) failure rate | 191-12-02
µ(t) | restoration rate |
NOTE 191-13-02 uses µ(t) for repair rate
A(t) | instantaneous availability | 191-11-01
U(t) | instantaneous unavailability | 191-11-02
A | asymptotic and steady-state availability |
NOTE Steady-state availability has the same numerical value as asymptotic availability.
MUT | mean up time | 191-11-11
MDT | mean down time | 191-11-12
P_i(t) | probability of finding the system in state i at time t |
P_i | asymptotic and steady-state probability of finding the system in state i at time t |
Δt | a small time interval |
P_ij(t) | transition probability from state i to state j in time t |
q_ij | transition rate from state i to state j, j≠i |
NOTE q_i is formally defined as q_i = Σ_{j≠i} q_ij. It is the departure rate from state i.
4.3 Example
As an example, Figure 1 shows the diagram of transition probabilities in (t,t+Δt), for t arbitrary
and small Δt, for a non-restorable item with constant failure rate λ.
[Figure 1: two state symbols, "Up state" and "Down state", joined by a transition arrow from Up state to Down state labelled λΔt (IEC 660/06)]
Figure 1 – Diagram of transition probabilities in time interval (t,t+Δt), for arbitrary value
of t and small Δt, for a non-restorable one-element system with constant failure rate λ
λΔt is the conditional probability of a transition between state 0 and state 1 in the small time
interval (t,t+Δt) given that the system was in state 0 at time t. To simplify the notation, the
quantity Δt is often omitted and the transition probabilities diagram of Figure 1 becomes the
transition rates diagram given in Figure 2.

[Figure 2: state symbols 0 and 1 joined by a transition arrow from state 0 to state 1 labelled λ (IEC 661/06)]
Figure 2 – State transition diagram of a non-restorable one-element system
In Figure 2 and in the following, the term state transition diagram will be used as equivalent to
the term transition rates diagram.
5 General description
The Markov techniques make use of a state transition diagram which is a representation of
the reliability, availability, maintainability or safety behaviours of a system, from which system
performance measures can be calculated. It models the system's behaviour with respect to
time. In this standard, a system is regarded as a number of elements, each of which can
assume only one of two states: up or down. The system as a whole, however, can assume
many different states, each being determined by the particular combination of functioning and
failed elements. Thus as an element fails or is restored, the system "moves" from one state to
another state. This kind of model is generally called a discrete-state, continuous time model.
Markov techniques are especially suited to the investigation of systems with redundancy, or to
systems where system failure depends on sequential events, or to systems for which the
maintenance strategies are complex, e.g. systems with restoration priorities or multiple
restoration teams, queuing problems, and resource restrictions. The analyst should ensure
that the model adequately reflects the operation of the real system with respect to
maintenance strategies and policies. In particular the suitability of exponential distributions for
the modelling of restoration times must be reviewed. It should be noted that when redundant
repairable systems are modelled with limited repair capacity then due to the memory-less
property of the model the actual repair time can be overrepresented, see Figure B.9 for an
example.
Provided the assumptions and limitations described in Clause 6 can be accepted, one of the
major advantages of Markov techniques is that maintenance strategies, for example
restoration priorities of individual elements, can be modelled. Moreover, the order in which
multiple failures occur can be considered in the model. It should be noted that other analysis
techniques e.g. fault tree analysis (FTA) and reliability block diagram (RBD) methods (as
described in IEC 61025 and IEC 61078 respectively) do not allow complex maintenance
strategies to be taken into account, though they may have special gates represented by
special symbols (dynamic gates) to indicate the presence of those cases. However, the effect
of those gates has to be evaluated separately by Markov techniques or other techniques, and
the results included in the analysis of the Fault Tree or RBD, whilst observing the possible
limitations.
Although Markov techniques, from a theoretical viewpoint, are flexible and versatile, special
precautions are necessary to deal with the difficulties of practical applications. The main
problem is that the number of system states and possible transitions increases rapidly with
the number of elements in the system. The larger the number of states and transitions, the
more likely it is that there will be errors and misrepresentations. To reduce this risk, it is
advisable that certain rules be followed in designing the state transition diagram (see Clause 8).
Also the numerical techniques used for the evaluation of the diagram can be time consuming
and may require special computer programs.
Not only are Markov techniques suited to the modelling of maintenance strategies, but such
methods enable the failure/restoration events to be modelled in a pictorial way, which is in
itself a valuable feature. The process of failure/restoration is represented by transitions from
one state symbol to another in the array of state symbols which together constitute the system
state transition diagram.
As the number of possible states is finite, the sum of all the state probabilities is unity, i.e. at
any instant in time the system can be in one – and only one – of the states in the state
transition diagram. If, for practical reasons, states with very low probability are omitted, then
the sum of all state probabilities is only approximately one.
The modelling techniques described can also be applied to systems where some or all of the
elements are not restored. Note that a system with non-restorable elements can be regarded
as a special case of a system with restorable elements where the restoration rates are zero
(or restoration times are infinite).
6 Assumptions and limitations
The rules given in 8.2 of this standard, for generating the state transition diagram, apply
generally (apart from rule h). However, the description of numerical techniques applies only
when all transition rates are constant, which implies that failure and restoration rates of all
elements in the analyzed system are constant with respect to time. The assumption of
constant failure rate is reasonably acceptable for components in many systems before the
wear-out period (however should also be justified) but the assumption of constant restoration
rate should be justified unless the mean time to restoration of elements is very small by
comparison with the corresponding mean times to failure. Evaluation for the general case
where failure rates or restoration rates are not constant with time, is outside the scope of this
standard.
One particular limitation arises because of the assumption used for mathematical solutions,
namely, the future behaviour of the system depends only on the present state of the system,
and not on the way the system arrived at this state. The analyst should ensure that this
memory-less property of Markov models is a sufficient approximation of the real system
behaviour (see 8.1). Special care is needed when modelling effects of common cause failures
that may result in some potential intermediate states being by-passed (see Figure B.4).
The usual assumptions for each element in the system considered can be summarised as
follows:
– the failure rate, λ, and the restoration rate, µ, are constant (time-independent);
– the transition probability from a state i to a state j within the small time interval (t,t+Δt)
given that the system is in state i at time t is q_ij Δt, where q_ij is a sum of failure and
restoration rates of involved elements.
NOTE Theoretically the limitation with respect to the constant failure and restoration rates can often be overcome
at the expense of expansion of the state space, as many non-exponential distributions of times to failure or to
restoration can be approximated by a sum of exponential distributions. Each of these exponential distributions has to
be modelled as an additional state, which acts as a kind of memory for the elapsed time to failure or time to
restore. However, this concept, usually called the phase (or supplementary states) concept, has not been widely put
into practice.
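The following added example (not part of IEC 61165) evaluates the quantities defined in 4.2, 4.3, Clause 5 and Clause 6 numerically: transition rates q_ij read off a state transition diagram, the departure rate q_i = Σ q_ij, the small-interval rule that the system moves from i to j in (t, t+Δt) with probability q_ij Δt, the resulting state probabilities P_i(t) whose sum stays at unity, and the asymptotic probabilities P_i. It is applied to the non-restorable one-element system of Figure 2 and to the 1-out-of-2 restorable system with two restoration teams of Figure C.2; the rates λ = 10^-3/h and µ = 10^-1/h, the step Δt and all function names are constructed assumptions.

```python
from math import exp

# Constructed sample rates per hour for illustration; not values from the standard.
LAMBDA = 1.0e-3  # element failure rate (lambda)
MU = 1.0e-1      # element restoration rate (mu)

# Transition rate diagrams written as {(i, j): q_ij}; states are numbered 0..n-1.
# Figure 2: non-restorable one-element system, state 0 = up, state 1 = down (absorbing).
ONE_ELEMENT = {(0, 1): LAMBDA}
# Figure C.2: 1-out-of-2 active redundant system with identical restorable
# elements and two restoration teams; the state is the number of failed elements.
ONE_OUT_OF_TWO = {
    (0, 1): 2 * LAMBDA,  # either of the two elements fails
    (1, 0): MU,          # the failed element is restored
    (1, 2): LAMBDA,      # the remaining element fails: system down
    (2, 1): 2 * MU,      # one of two parallel restorations completes
}


def departure_rates(q, n):
    """q_i = sum over j != i of q_ij, the departure rate from state i (4.2)."""
    qi = [0.0] * n
    for (i, j), rate in q.items():
        if i != j:
            qi[i] += rate
    return qi


def step_probabilities(q, n, p0, dt, t_end):
    """Advance the state probabilities P_i(t) from t = 0 to t_end.

    Each step applies the small-interval rule of Clause 6: in (t, t+dt) the
    system moves from i to j with probability q_ij*dt, so it stays in i with
    probability 1 - q_i*dt.  The rule only holds for q_i*dt << 1.
    """
    qi = departure_rates(q, n)
    assert max(qi) * dt < 0.1, "dt too large for the small-interval rule"
    p = list(p0)
    for _ in range(int(round(t_end / dt))):
        nxt = [p[i] * (1.0 - qi[i] * dt) for i in range(n)]
        for (i, j), rate in q.items():
            if i != j:
                nxt[j] += p[i] * rate * dt
        p = nxt  # the total probability is conserved by construction
    return p


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting (keeps the example free of numpy)."""
    n = len(b)
    m = [row[:] + [b[r]] for r, row in enumerate(a)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        for r in range(n):
            if r != c and m[r][c] != 0.0:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[r][n] / m[r][r] for r in range(n)]


def steady_state(q, n):
    """Asymptotic probabilities P_j: inflow equals outflow for every state,
    with one balance equation replaced by the normalisation sum(P_j) = 1."""
    qi = departure_rates(q, n)
    a = [[0.0] * n for _ in range(n)]
    for j in range(n):
        a[j][j] = -qi[j]
    for (i, j), rate in q.items():
        if i != j:
            a[j][i] += rate
    a[n - 1] = [1.0] * n
    return solve_linear(a, [0.0] * (n - 1) + [1.0])


def reliability_one_element(t, dt=0.01):
    """R(t) for Figure 2: probability of still being in the up state 0.
    Approaches the analytical exp(-lambda*t) as dt -> 0."""
    return step_probabilities(ONE_ELEMENT, 2, [1.0, 0.0], dt, t)[0]


def availability_1oo2(t, dt=0.1):
    """A(t) for Figure C.2: sum of the up-state probabilities P_0 + P_1."""
    p = step_probabilities(ONE_OUT_OF_TWO, 3, [1.0, 0.0, 0.0], dt, t)
    return p[0] + p[1]


def steady_state_unavailability_1oo2():
    """U = P_2 in steady state. With two teams the elements fail and are
    restored independently, so this equals (lambda / (lambda + mu)) ** 2."""
    return steady_state(ONE_OUT_OF_TWO, 3)[2]


if __name__ == "__main__":
    print("R(100 h) =", reliability_one_element(100.0), "analytical:", exp(-LAMBDA * 100.0))
    print("A(1000 h) =", availability_1oo2(1000.0))
    print("steady-state U =", steady_state_unavailability_1oo2(),
          "analytical:", (LAMBDA / (LAMBDA + MU)) ** 2)
```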
7 Relationship with other analysis techniques
7.1 General
Markov techniques can be used to model events or states in other modelling techniques, in
particular, when these other techniques lack certain capabilities which Markov techniques
have, e. g. the ability to express time or state dependent behaviour. The resulting models are
often called hybrid models.
A comprehensive discussion of modelling techniques is given in IEC 60300-3-1. A full
discussion on hybrid models is left to the standards which utilize Markov state transition
diagrams for this purpose, e.g. IEC 61078 or IEC 61025. The purpose of this clause is to give
some general considerations for hybrid models.
7.2 Fault Tree Analysis (FTA)
FTA can be used to evaluate the probability of a failure at a given instant t in time using
Boolean logic. This logic may not express time or state dependencies properly. In these cases
it is possible to extend FTA by creating new gates, which represent particular Markov models,
which are separately evaluated and hide the actual Markov model from the user. Such gates
bear the name of “Dynamic” gates, for example PRIORITY AND, SEQUENTIAL INHIBIT or
SPARE gate. Each of such gates may be replaced by a basic event with the probability of
occurrence as calculated from the Markov technique. The resulting model is often called
hybrid or dynamic FTA.
Both static and dynamic gates of a fault tree can be modelled by Markov techniques.
However, particular attention shall be paid to independence properties between the events in
the Markov model and the events in the fault tree. In the fault tree, the parts evaluated by
Markov techniques have to be assumed to be independent branches.

61165  IEC:2006 – 27 –
7.3 Reliability Block Diagram (RBD)
An RBD is also a technique that may use Boolean logic and therefore has similar limitations to
those of FTA.
In the RBD, it is possible to delineate the portions of the RBD (by encircling the blocks), for
which the Markov model is to be used. The encircled blocks have to form a network with a
single input and a single output, and must not include blocks replicated elsewhere. Further
guidance is given by IEC 61078.
7.4 Petri nets
Petri nets are a graphical technique for the representation and analysis of complex logical
interactions among elements in a system.
A particular class of Petri nets, the General Stochastic Petri Nets (GSPN), has modelling
capability equivalent to that of Markov techniques. A Petri net may be regarded as a natural
implicit expression of its explicit Markov model representation, and it can be converted to that
Markov model. GSPN models containing complex interactions can therefore often be
described more easily and with a smaller diagram than by using Markov techniques. For
evaluation purposes, the Petri net is converted to its corresponding Markov model, which is
then analyzed. In practice, this is automated by software tools.
8 Development of state transition diagrams
8.1 Prerequisites
Before starting to analyze a system, the following general tasks should be performed:
a) Set the goal of the analysis: The first crucial question which has to be answered is what
should be the objective of the analysis. This could be any one or more of the following:
– the probability that the system will fail before time t;
– the frequency of hazardous events;
– the mean time before the first system failure occurs;
– the steady-state availability;
– the probability that the system will fail when a request for its operation is issued (for
systems not in continuous use);
– other measures, to be specified.
The unit of measurement also needs to be defined.
b) Define the characteristics of the system and the boundary conditions of the analysis.
Here questions such as the following need to be answered:
– what are the important features of the system which need to be modelled?
– how can these features be validated or at least be checked for plausibility?
– will the system be restored (after a failure) or not?
– is it necessary to describe time-dependent behaviour?
– what is the actual uncertainty of the data, e.g. failure and restoration rates, or
common-cause factors?
– what is the required accuracy and/or confidence level of the results?
If some features of the real world system are not important for the model this should be
justified.
c) Make sure that the Markov technique is the most appropriate analysis technique for the
task. The choice of technique should be based on the objectives of the analysis and the
characteristics of the system, not vice versa; otherwise certain characteristics of the
system may not be modelled at all. In particular the assumptions and limitations of the
model need to be carefully checked.
d) The model and the input data should be reviewed by experts (practitioners with field
experience), because errors or inaccuracies in the model or the data could have a high
impact on the result of the analysis.
A critical task in Markov analysis is the proper design of the state transition diagram.
Subclause 8.2 gives some recommended rules. The rules should be established before the
analysis is undertaken and hence should provide for a proper identification of the individual
states. This will enable construction of clear graphical models.
8.2 Rules for development and representation
The rules below are given as a guide for the systematic development of state transition
diagrams. State transition diagrams following these rules will allow easy comprehension and
comparison. Other symbols or diagram arrangements may be more suitable in some
instances.
a) the state should be depicted by a circle or rectangle with identification which allows the
numerical procedure to refer uniquely to that state. The identifier is usually a letter or a
number.
b) when necessary for clarity of the state transition diagram, the state symbol should include
a clear description of the state, either directly or by reference to an explanatory list.
c) states should be arranged so that the leftmost state is an up state and the rightmost state
is a down state of the system. The relative positions of intermediate states should be such
that a transition from left to right is a result of a failure, and a transition from right to left is
achieved by restoration.
d) system states corresponding to the same number of down elements should be aligned
vertically.
e) transitions between states should be marked by lines with arrows interconnecting the
particular states. A line with an arrow on the right represents a failure and a line with an
arrow on the left represents a restoration. If a transition between two states can be
achieved by either a failure or a restoration, then the particular states should be
interconnected by a single line with arrows on both ends. On a simple state transition
diagram, separate transition lines may be used to indicate failure and restoration.
f) the arrows on the lines representing transitions should be labelled with the corresponding
transition rates. This may be done by indicating the rates either directly or by reference to
an explanatory list.
g) where possible, each transition should link only neighbouring state symbols. If a common
cause failure disables simultaneously two or more elements, a state needs to be bypassed.
h) to increase readability, down states at system level can be highlighted (e.g. by bold lines,
colouring or hatching).
The application of these rules is illustrated in Annex B.
9 Evaluation
9.1 General
The purpose in evaluating the state transition diagram is to determine the reliability,
availability, maintainability or safety measures of the system. The evaluation uses well-known
mathematical techniques (see annexes A to C). Note that the task of obtaining transient (time
dependent) measures, e.g. R(t) and A(t), requires considerably more computational effort
than that of obtaining a steady-state measure A or mean values, e.g. MTTF, MDT, MUT. An
example for the calculation of transient measures is given in Annex C.
At the start of the analysis, one should decide whether the main objective in the state
transition diagram evaluation is to obtain transient or steady state values of the state
probabilities. Although for availability investigations the latter can be obtained from the former
(by letting t tend to infinity), a relatively simple mathematical procedure can be used if, at the
outset, it is known that only the steady-state solution is required (see Annex A). If on the other
hand a transient solution is required, then a much more specialised procedure involving, for
example, Laplace transforms or matrix algebra (see Annex C) may be needed. In general,
reliability, availability, maintainability or safety measures can be derived from state
probabilities.
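The two evaluation routes described above, as an added illustration that is not part of the standard: the steady-state probabilities from the balance equations P·Q = 0 together with the normalisation condition, and the transient probabilities P(t) by numerical integration of dP/dt = P·Q. The 1-out-of-2 model with a single repair crew, the rates λ = 10⁻³/h and µ = 10⁻¹/h, and all function names are constructed for this example.

```python
def generator(n, transitions):
    """Rate matrix Q from (from_state, to_state, rate) triples; rows sum to 0."""
    Q = [[0.0] * n for _ in range(n)]
    for i, j, rate in transitions:
        Q[i][j] += rate
        Q[i][i] -= rate          # diagonal = minus total rate leaving state i
    return Q

def steady_state(Q):
    """Solve P.Q = 0, sum(P) = 1 (one redundant balance eq. replaced by normalisation)."""
    n = len(Q)
    A = [[Q[i][j] for i in range(n)] for j in range(n)]   # transpose of Q
    b = [0.0] * n
    A[-1], b[-1] = [1.0] * n, 1.0                          # normalisation row
    for c in range(n):                                     # Gauss-Jordan elimination
        p = max(range(c, n), key=lambda r: abs(A[r][c]))  # partial pivoting
        A[c], A[p], b[c], b[p] = A[p], A[c], b[p], b[c]
        for r in range(n):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
                b[r] -= f * b[c]
    return [b[i] / A[i][i] for i in range(n)]

def transient(Q, p0, t, steps=20000):
    """P(t) from P(0) = p0 by classical RK4 integration of dP/dt = P.Q (step t/steps)."""
    n, h = len(Q), t / steps
    f = lambda p: [sum(p[i] * Q[i][j] for i in range(n)) for j in range(n)]
    p = list(p0)
    for _ in range(steps):
        k1 = f(p)
        k2 = f([x + 0.5 * h * k for x, k in zip(p, k1)])
        k3 = f([x + 0.5 * h * k for x, k in zip(p, k2)])
        k4 = f([x + h * k for x, k in zip(p, k3)])
        p = [x + h / 6 * (a + 2 * b + 2 * c + d)
             for x, a, b, c, d in zip(p, k1, k2, k3, k4)]
    return p

# Constructed model (not from the standard): 1-out-of-2 redundancy, identical elements,
# one repair crew. States laid out as in 8.2: 0 = both up (leftmost), 1 = one down,
# 2 = both down (rightmost, system down). Rates per hour.
LAMBDA, MU = 1e-3, 1e-1
REDUNDANT = generator(3, [(0, 1, 2 * LAMBDA), (1, 0, MU), (1, 2, LAMBDA), (2, 1, MU)])
UP_STATES = (0, 1)

def availability(Q, up_states, t=None):
    """Steady-state A if t is None, otherwise A(t) starting in state 0 (all up)."""
    p0 = [1.0] + [0.0] * (len(Q) - 1)
    P = steady_state(Q) if t is None else transient(Q, p0, t)
    return sum(P[s] for s in up_states)
```

For the constructed model the steady-state value is A = (1 + 2λ/µ) / (1 + 2λ/µ + 2λ²/µ²), and A(t) approaches it as t grows, as the text states for availability investigations.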
The distinction between reliability, availability, maintainability and safety measures lies mainly
in the focus of the analyses and the interpretation of the results. To explain this, a restorable
element can be considered, whose performance is usually defined by a failure rate λ and a
restoration rate µ. Usually, after a failure within an item has appeared, at least two things
have to occur in order to get the item working again:
– the fault has to be detected and isolated (sometimes also called negated: this means that
a state, where a failure has no further consequence, should be entered);
– the item has to be restored and put back into service.
The restoration time in this context includes the logistic time for restoration after fault
detection, actual restoration time (fault finding, restoration, replacement, check) and time to
put the elements or the system itself into operation.
In the common basic model, the four time intervals of interest need to be assigned to two
parameters (a failure rate λ and a restoration rate µ) only.
In the context of reliability, maintainability or availability, the time to detection is taken into
account by the failure rate calculation and the time from detection to restoration by the
restoration rate calculation. Safety-critical applications may not rely on self-tests or similar
measures (which are common in the availability context), but the detection and isolation has
to be performed independently of the item (see IEC 61508 for particular requirements and
examples). The distinction between reliab
...