A new hybrid method for fault tree analysis

Reliability Engineering and System Safety 49 (1995) 13-21. 0951-8320(95)00021-6. © 1995 Elsevier Science Limited. Printed in Northern Ireland. All rights reserved.

S. Contini

European Commission, Joint Research Centre, Ispra Establishment, Institute for Systems Engineering and Informatics, Industry Environment Unit, I-21020 Ispra (VA), Italy

(Received 21 December 1994)

This paper describes a new method for determining the significant minimal cut sets of complex fault trees. It can be classified as hybrid, being based on the application of both Top Down and Bottom Up reduction approaches. This solution has been adopted particularly to accurately estimate the truncation error when the probabilistic cut-off technique is applied. Experimental results on real fault trees proved that the degree of conservatism of the truncation error is negligible at any practical combination of the probabilistic and logical threshold values. This new fault tree analysis procedure has been implemented, in C language, in the second version of the computer programme ISPRA-FTA.

INTRODUCTION

The fault tree technique is a powerful tool to estimate the reliability and availability of complex systems and has been well consolidated, for many years, in various industrial fields as a support tool in the design phase. Fault Tree Analysis (FTA) is a formalised deductive technique allowing the investigation of the possible causes of occurrence of pre-identified and undesired system states. These states, referred to as Top events, are associated with abnormal system behaviours caused by hardware failures, human errors and/or external perturbations. Starting from the top event description, the fault tree methodology allows the systematic description of the relationships between events at different levels of system decomposition by means of the Boolean logical operators. The results of the analysis of the fault tree give useful information on how to improve system performance through the identification of the (relatively) weakest parts, where the most effective design changes can be adopted.

In fault tree analysis an important step is the determination of the Minimal Cut Sets (MCSs). Many methods to determine the MCSs have been developed in the past, as testified by the vast literature on the subject. However, most of the computer programmes developed are based on one of the following reduction techniques:
- top-down (TD),
- bottom-up (BU).

Conceptually, these techniques are very simple: all gates are substituted with their input events until the set of combinations of primary events is found. In the TD technique the reduction starts from the top event, while in the BU technique the starting points are the gates having only primary events as input variables. Apart from very simple cases (e.g. fault trees with no repeated events/gates) for which the two techniques are equivalent, it is hard to state that one is superior to the other, since this strongly depends on the structure of the fault tree, i.e. the number of repeated subtrees and their links, the number of repeated primary events, etc. A factor of complexity in determining the MCSs is the presence of repeated subtrees and repeated primary events, which gives rise to the problem of the identification and elimination of non-minimal combinations. The computation time is also affected by the sequence in which the gates of the fault tree are analysed. Since this sequence is completely different in the TD and BU techniques, it follows that there are fault trees for which TD is superior to BU, and vice versa. Consequently, the existing computer programmes, based on one of these techniques, are particularly efficient for certain structures and less efficient for others. As a rule of thumb, it can be said that TD is generally more suitable when the tree contains many repeated subtrees located close to the top event, while BU is preferable when there are few repeated subtrees, possibly located towards the bottom of the tree.

If one simply considers the fault tree construction mechanism (top-down decomposition), the immediate conclusion is that TD is the natural analysis approach, because repeated subtrees are generally located in the upper part of the tree. However, this conclusion does not take into consideration the use of the cut-off techniques as a means to analyse complex fault trees. In fact, there is no practical need to determine all MCSs: the most relevant ones are sufficient for system improvement. The use of the cut-off technique is more natural and straightforward with BU. Some packages contain both techniques and the user can select, case by case, the more suitable one. The application of the cut-off technique entails the need to estimate the truncation error Pe, i.e., the cumulative probability of all neglected MCSs. Several methods have been proposed to solve this problem (Refs 4-7), but the experience of the writer is that all these methods overestimate Pe by orders of magnitude when the tree contains many dependent branches. The different features of the TD and BU approaches and the need to reduce the degree of conservatism of Pe for any fault tree led to the development of a new method of analysis of mixed or hybrid type. The description of such a method is the subject of this paper.

DESCRIPTION OF THE HYBRID METHOD

The logical analysis methodology implemented in ISPRA-FTA is articulated in four main phases:
1. fault tree simplification;
2. fault tree modularisation;
3. fault tree segmentation;
4. fault tree reduction.

Briefly, in the simplification phase the fault tree is transformed into a logically equivalent tree containing only the basic set of operators (AND, OR and NOT) through the expansion of complex operators (e.g. XOR, K/N, etc.). The modularisation phase aims at producing a simpler tree by identifying independent subtrees, i.e., independent modules (i-mods). Algorithms implemented in these phases are partly common to those described in Refs 1 and 2. The content of the paper refers to phases 3 and 4, implementing the proposed hybrid analysis method. Furthermore, for the sake of clarity, the description will be limited to AND-OR fault trees only.

Fault tree segmentation

The input of this phase is the modularised fault tree resulting from phase 2. The aim of the segmentation phase, preparatory to the determination of the Significant Minimal Cut Sets (SMCSs), is to decompose the modularised tree into segments for the definition of the hybrid analysis strategy. The segmentation algorithm is based on the definition of pseudo module: a pseudo module is a subtree not containing any reference to other repeated subtrees. From this definition it follows that:
- a pseudo module (p-mod) is nothing but a subtree containing any number and type of primary events and independent modules (repeated/not repeated, negated/not negated);
- because repeated primary events/i-mods can appear in the p-mod definition, p-mods can be probabilistically dependent on one another.

For the sake of simplicity, the segmentation procedure is described by means of the sample modularised tree in Fig. 1. Independent modules are represented by M1, M2 and M3, respectively descending from G4, G11 and G3. In Fig. 1 three subtrees satisfying the p-mod definition are G9, G10 and G11. In fact, none of these subtrees contains references to other repeated subtrees; note that G9 is itself a repeated subtree. Thus, G9, G10 and G11 are removed from the tree and substituted by dummy variables with the same name. This operation generates the set S1 = {G9, G10, G11} and a simpler tree, represented in Fig. 2, in which the elements of S1 are considered as new primary variables. From this point on, the repeated identification of p-mods generates the set S2. In Fig. 2, G9, G10 and G11 being primary variables, the p-mod G5 is identified. After removing it, a new and simpler tree is obtained in which G5 becomes a dummy variable. The set S2 = {G5}. Continuing the application of this procedure, the subtree G3 is identified and removed, giving S2 = {G5, G3}. Then, one step later, G2 is removed and added to S2. The remaining tree cannot be segmented any more: the segmentation procedure stops and Top is added to S2. The set S2 = {G5, G3, G2, Top}. The graphical representation of the result of the segmentation is shown in Fig. 3. Dotted lines indicate the logical links among the identified segments. The elements of S2 are associated with levels established by their position in the identification sequence. Level 1 is assigned to all elements of S1:

Set S1: Level 1: G9, G10, G11
Set S2: Level 2: G5; Level 3: G3; Level 4: G2; Level 5: Top

Fig. 1. Sample case. Modularised fault tree (independent modules are M1, M2 and M3). Gates in bold characters represent repeated subtrees.

Fig. 2. Segmented fault tree resulting from pruning p-mods G9, G10 and G11.

From Fig. 3 it can easily be recognised that:
- the segment at the maximum level lmax always has Top as its root;
- segments at the minimum level l = 1 are p-mods containing primary events only;
- a segment classified at an intermediate level l (2 ≤ l < lmax) contains references to one or more segments classified at a level lower than l;
- all references to a segment at level l (1 ≤ l < lmax) are contained in segments at higher levels.

Elements of S2 make up the Macro Fault Tree (MFT), the leaves of which are elements of S1, single primary events and independent modules. The MFT is analysed downwards (use of the TD approach) without applying any cut-off technique. To reduce the computation time and the working memory requirements, it is convenient to adopt a strategy that expands the least number of gates before minimising the combinations obtained. To this aim it is sufficient to logically manipulate each segment at level l (3 ≤ l ≤ lmax) in such a way that it contains only references to segments at level l-1. This can be done by grouping references to branches classified at levels lower than l-1. Thus new segments are generated

and classified at a level given by the maximum level of their descendants plus 1.

Fig. 3. Segmented fault tree at the end of the segmentation phase.

Fault tree reduction

Considering that the elements of S2 are repeated subtrees, the preferable reduction technique is Top-Down. The segmentation phase also defines the TD reduction strategy. Indeed, the segmented tree, at a generic level l, contains all occurrences of repeated subtrees classified at level l-1; therefore, the TD expansion can be oriented, at each step, towards all the occurrences of repeated subtrees classified at level l-1. The TD analysis of the MFT generates a set of minimal combinations, referred to as Macro Cut Sets, containing elements of S1, primary events and i-mods. The composition of each Macro Cut Set allows a straightforward application of the BU analysis procedure with estimation of the truncation error. The fault tree reduction procedure is therefore composed of two main parts: (1) the MFT is analysed downwards without applying any cut-off technique; the generated minimal combinations are referred to as Macro Cut Sets; (2) each Macro Cut Set is analysed upwards, the cut-off techniques are applied and the corresponding truncation error is estimated.

First part

The procedure for the analysis of the MFT is as follows: (i) start from the disjunction of the minimal cut sets of the segment at Top level; (ii) for j = lmax-1, ..., 2, expand the segments at the j-th level into the TOP expression and minimise the resulting combinations containing the repeated subtrees classified at level j-1. The analysis is therefore performed in a TD way. At each level l the gates to be expanded are well identified and the potentially non-minimal combinations, to be minimised, can also be unambiguously identified. As an example, consider the segmented fault tree represented in Fig. 2. Subtrees to be considered are the elements of S2, examined from level 5 to level 2, i.e., S2 = {TOP, G2, G3, G5}. The MFT analysis starts from level 5, i.e., with the Top-event expression:

TOP = G2G3G9 + G2G3M1 + G2G3G11

and proceeds with the examination of subtrees at lower levels.

Level 4

Subtrees belonging to this level are analysed and their MCSs substituted into the Top expression; the minimisation is then applied to the combinations containing the repeated elements belonging to level 3. This criterion orients the TD expansion towards all the occurrences of the repeated subtree G3:

TOP = (G5 + C + G3)G3G9 + (G5 + C + G3)G3M1 + (G5 + C + G3)G3G11.

After combining and minimising: TOP = G3G9 + G3M1 + G3G11.

Level 3

At this level the minimal cut sets of G3 are determined and expanded into the Top expression. The cut sets containing the repeated subtrees at level 2 (i.e., G5) are minimised. This means that the tree is expanded so as to reach all the occurrences of the gate G5:

TOP = (M3 + G5G10)G9 + (M3 + G5G10)M1 + (M3 + G5G10)G11.

The resulting expression is:

TOP = M3G9 + G5G9G10 + M1M3 + M1G5G10 + M3G11 + G5G10G11.

Level 2

Now G5 is analysed, its minimal cut sets expanded into the Top expression and the cut sets generated are minimised with respect to the repeated subtrees at level 1, i.e., G9:

TOP = M3G9 + (B + G9)G9G10 + M1M3 + M1(B + G9)G10 + M3G11 + (B + G9)G10G11.

The resulting Macro Cut Sets are therefore:

TOP = M3G9 + G9G10 + M1M3 + M1BG10 + M3G11 + BG10G11.

Second part

The analysis technique applied in this step is of Bottom Up type. In fact each Macro Cut Set is a subtree containing primary events and independent modules for which the application of the cut-off technique is straightforward. The way the truncation error is estimated is described in the next section. The application of the BU analysis technique to the Macro Cut Sets containing at least one element of S1 gives the disjunction of the Significant MCSs of the modularised fault tree:

TOP = FH + M1M3 + M1BH + M1BK + M2M3 + M3F + BHM2 + BKM2 + BKF.

Finally, the same procedure is applied to generate the MCSs of the input tree by expanding the independent modules.
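The level-by-level expansion and minimisation of the Macro Fault Tree described in the first part, coded as an added example that is not the ISPRA-FTA code: the gate definitions are read off the sample-case expressions above (TOP, G2, G3, G5), while the function names and the representation of cut sets as frozensets are mine.

```python
"""Top-down reduction of the Macro Fault Tree (MFT), level by level, as an
added example of the paper's 'first part' (not the ISPRA-FTA code).

Cut sets are frozensets of leaf names and a gate is a set of cut sets
(disjunctive normal form). The gate definitions are those of the paper's
worked example; G9, G10, G11 (elements of S1), the i-mods M1, M3 and the
primary events B, C stay symbolic leaves here."""


def cs(*names):
    """Shorthand for a cut set."""
    return frozenset(names)


# Segments of S2 with the level assigned during segmentation. Level 5 is
# Top; the gates of level j refer to the repeated subtrees of level j-1.
TOP = {cs("G2", "G3", "G9"), cs("G2", "G3", "M1"), cs("G2", "G3", "G11")}
SEGMENTS = {
    4: {"G2": {cs("G5"), cs("C"), cs("G3")}},   # refers to G3 (level 3)
    3: {"G3": {cs("M3"), cs("G5", "G10")}},     # refers to G5 (level 2)
    2: {"G5": {cs("B"), cs("G9")}},             # refers to G9 (level 1)
}
REPEATED_AT = {3: {"G3"}, 2: {"G5"}, 1: {"G9"}}  # repeated subtrees per level


def minimise(cuts, candidates=None):
    """Absorption law A + AB = A: drop every cut set that is a proper
    superset of another. When `candidates` is given, only cut sets that
    contain one of those names are tested, mirroring the paper's rule that
    only combinations holding the repeated subtrees of level j-1 can be
    non-minimal after expanding level j."""
    cuts = set(cuts)
    keep = set()
    for c in cuts:
        if candidates is not None and not (c & candidates):
            keep.add(c)                      # not a candidate: kept as is
        elif not any(other < c for other in cuts):
            keep.add(c)                      # no proper subset absorbs it
    return keep


def expand(expr, gate, definition):
    """Substitute every occurrence of `gate` by its DNF `definition`."""
    out = set()
    for cut in expr:
        if gate not in cut:
            out.add(cut)
        else:
            rest = cut - {gate}
            out.update(rest | d for d in definition)
    return out


def reduce_mft(top, segments, repeated_at):
    """Steps (i)-(ii) of the first part: walk levels lmax-1 .. 2, expand the
    gates of level j into TOP and minimise with respect to level j-1.
    Returns the Macro Cut Sets and the TOP expression after each level."""
    expr = set(top)
    history = {}
    for j in sorted(segments, reverse=True):
        for gate, definition in segments[j].items():
            expr = expand(expr, gate, definition)
        expr = minimise(expr, repeated_at[j - 1])
        history[j] = set(expr)
    return expr, history


def paper_sample_case():
    """Macro Cut Sets of the sample tree (expected to match the paper)."""
    macro, _ = reduce_mft(TOP, SEGMENTS, REPEATED_AT)
    return macro


def fmt(expr):
    """Render a DNF expression in the paper's notation, e.g. 'BG10G11 + G9M3'."""
    return " + ".join(sorted("".join(sorted(c)) for c in expr))


if __name__ == "__main__":
    macro, history = reduce_mft(TOP, SEGMENTS, REPEATED_AT)
    for level in sorted(history, reverse=True):
        print(f"after level {level}: TOP = {fmt(history[level])}")
    print("Macro Cut Sets:", fmt(macro))
```

Running the block prints the TOP expression after levels 4, 3 and 2, which can be compared term by term with the three expressions given above.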

CUT OFF TECHNIQUES AND ESTIMATION OF THE TRUNCATION ERROR

The most useful technique to reduce the computation time for determining the MCSs of complex fault trees is to limit the analysis to a small subset, made up of only those giving the greater contribution to the system failure probability (i.e. mission time unavailability). This can be achieved through the definition of MCS importance measures, based on:
- the cut set order, and
- the cut set occurrence probability.

With the first criterion (logical cut-off) any MCS having order n less than or equal to a user-established limit nlim is considered significant. The justification for the use of the logical cut-off is based on the consideration that the occurrence probability of a cut set is inversely proportional to its order. But this means that events in an MCS are assumed to have equal failure probability, which is a hypothesis hardly acceptable in practice. According to the second criterion (probabilistic cut-off) an MCS is considered significant when its probability P is greater than or equal to a pre-established threshold value Plim. Clearly, this criterion is more useful because the importance of an MCS depends only on its failure probability value. The determination of the Significant Minimal Cut Sets (SMCSs) allows a strong reduction of the computation time, but it implies the need to estimate the truncation error Pe, i.e. the total probability of the non-significant MCSs. The problem of accurately estimating Pe is of fundamental importance; a too conservative value would entail the false need to repeat the analysis with lower thresholds. Furthermore, if the degree of conservatism of Pe is very low, the top event failure probability Pt can be taken as Pt = Ptop + Pe, even when Pe is greater than or comparable to Ptop (Ptop is determined on the basis of the SMCSs only). The described hybrid method is suitable for accurately estimating the truncation error, since many non-minimal cut sets are already deleted during the TD reduction phase.

The method used to estimate Pe will be described with reference, for the sake of simplicity, to a Macro Cut Set of the second order composed of two p-mods. All considerations that will be made are easily applicable to more complex situations. Consider the problem of combining two p-mods G1, G2 and suppose we are interested in the set of SMCSs having probability not less than Plim and order not greater than nlim, and in the estimation of the corresponding truncation error Pe. Thus,

$$G_T = G_1 \wedge G_2 \qquad (1)$$

with:

$$G_1 = \bigvee_{i=1}^{n_1} C_i, \qquad G_2 = \bigvee_{h=1}^{n_2} C_h$$

where $C_i$ and $C_h$ represent generic combinations of primary events.

(1) Initially, suppose that G1 and G2 are probabilistically independent:

$$P(C_i \wedge C_h) = P(C_i)\,P(C_h) \quad \text{for all } i, h, \text{ with } i = 1, \dots, n_1 \text{ and } h = 1, \dots, n_2.$$

In this situation Pe can simply be determined as follows:

$$P_e = P_t - P\{\text{set of SCSs}\} \qquad (2)$$

where:

$$P_t = \sum_{i=1}^{n_1} P(C_i) \sum_{h=1}^{n_2} P(C_h) \qquad (3a)$$

$$P\{\text{set of SCSs}\} = \sum_{\text{all cuts } C \text{ with } P(C) \ge P_{lim}} P(C) \qquad (3b)$$

The set of SCSs (Significant Cut Sets) is equal to the set of SMCSs because all combinations are minimal. Unfortunately, this condition does not represent the general case.

(2) Suppose now that G1 and G2 are probabilistically dependent, which is the situation frequently met in practice. In this case the previous method cannot be applied because it would give non-conservative results for Pe. To keep eqns (2) and (3) applicable, the following numerical transformation is applied. Consider again two combinations $C_i \subset G_1$ and $C_h \subset G_2$. Suppose X is a primary event common to $C_i$ and $C_h$; then:

$$C_i = C_{i'} \wedge X \quad \text{and} \quad C_h = C_{h'} \wedge X.$$

Since $C_i$ and $C_h$ are dependent:

$$P(C_i \wedge C_h) = P(C_i \mid C_h)\,P(C_h) = P(C_i \mid C_h)\,P(C_h \mid X)\,P(X). \qquad (4)$$

It can easily be proved that:

$$P(C_i \mid C_h) = P(C_{i'}) \qquad (5)$$

and

$$P(C_h \mid X) = P(C_{h'}). \qquad (6)$$

Substituting eqns (5, 6) into (4), one gets:

$$P(C_i \wedge C_h) = P(C_{i'})\,P(C_{h'})\,P(X). \qquad (7)$$

Equation (7) can also be written as:

$$P(C_i \wedge C_h) = P(C_{i'})\sqrt{P(X)}\;P(C_{h'})\sqrt{P(X)}.$$

Setting:

$$P^*(C_i) = P(C_{i'})\sqrt{P(X)} \quad \text{and} \quad P^*(C_h) = P(C_{h'})\sqrt{P(X)}$$

one gets:

$$P(C_i \wedge C_h) = P^*(C_i)\,P^*(C_h).$$

More generally, if an event x is common to w elements of the Macro Cut Set of order n (n ≥ w) under analysis, its failure probability P(x) is modified as $P(x)^{1/w}$. This numerical transformation makes it possible to determine an upper bound of the probability of a generic combination of minimal cuts $C_i$ and $C_h$ without explicitly constructing the resulting MCSs (i.e., without removing redundant events), but simply by taking the product of their modified probabilities $P^*(C_i)$ and $P^*(C_h)$.

It should be stressed that the numerical transformation is not a new idea; it was proposed and implemented some time ago in the JRC computer programme SALP-MP (Ref. 4), adopting a BU analysis procedure, and then in a TD procedure: the numerical transformation was applied to the 'effectively' repeated primary events in the whole tree. For each repeated event, an algorithm was applied to determine the maximum number of times the event could combine with itself. If a repeated primary event did not combine with itself, its failure probability was not changed. Practical applications of this method to the whole tree revealed that the approximation on Pe could be too high to be really useful in those cases where the number of repeated events was greater than 10-15 and their effective repetition factor greater than 3-4. This was, in fact, the main reason for the development of the hybrid method. The advantage of the numerical transformation is the rapid application of the probabilistic cut-off procedure for screening purposes, i.e., for identifying the set of combinations from which the SMCSs are determined through the correct determination of their failure probability. The numerical transformation also allows the application of eqns (2) and (3), valid for the particular case of independence. The gain in computation time is evident. The degree of conservatism of Pe depends on the degree of dependence of the elements in each Macro Cut Set. This method has also been implemented in ISPRA-FTA version 1 (Ref. 3). This software, running on PCs, was written in Fortran 77, but suffered from the limitation of the 640 Kb barrier. Version 2 is written in C language and the limitation on working memory is given only by the size of the available RAM.
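The numerical transformation and eqns (2), (3) applied to a Macro Cut Set, as an added worked example that is not part of the paper: the two p-mods G1, G2, the event probabilities and the threshold are constructed sample data, and the code also handles the general case of n p-mods with w counted over all of them.

```python
"""Truncation error Pe of a Macro Cut Set via the numerical transformation
P*(x) = P(x)**(1/w), as an added worked example (not the ISPRA-FTA code).

A Macro Cut Set is the AND of n p-mods; each p-mod is represented by its
own minimal cut sets (frozensets of primary-event names). Primary events
are assumed mutually independent. The probabilities and the two p-mods
below are constructed sample data, not values taken from the paper."""
from itertools import product
from math import prod

# Constructed sample: G1 and G2 share the events A and X, so they are
# probabilistically dependent (case (2) of the paper) and w(A) = w(X) = 2.
PROBS = {"A": 0.1, "D": 0.2, "E": 0.05, "X": 0.01}
G1 = [frozenset({"A", "X"}), frozenset({"D"})]
G2 = [frozenset({"E", "X"}), frozenset({"A"})]


def repetition_factors(pmods):
    """w(x): number of p-mods of the Macro Cut Set whose cut sets mention x."""
    w = {}
    for pm in pmods:
        for x in set().union(*pm):
            w[x] = w.get(x, 0) + 1
    return w


def transformed_probs(probs, pmods):
    """P*(x) = P(x)**(1/w(x)); an event seen in a single p-mod is unchanged."""
    w = repetition_factors(pmods)
    return {x: p ** (1.0 / w.get(x, 1)) for x, p in probs.items()}


def cut_prob(cut, probs):
    """Probability of a conjunction of independent primary events."""
    return prod(probs[x] for x in cut)


def screen_macro_cut_set(pmods, probs, plim):
    """Probabilistic cut-off on a Macro Cut Set using the transformed
    probabilities. Returns Pt (eqn 3a), P{set of SCSs} (eqn 3b), Pe (eqn 2)
    and, for every combination of p-mod cut sets, the merged cut set
    (redundant events removed by the union), its exact probability, the
    upper bound prod(P*(C_i)) used for screening, and whether it survived."""
    pstar = transformed_probs(probs, pmods)
    # Eqn (3a): product over the p-mods of the sums of transformed cut probabilities.
    pt = prod(sum(cut_prob(c, pstar) for c in pm) for pm in pmods)
    p_scs = 0.0
    combos = []
    for combo in product(*pmods):
        bound = prod(cut_prob(c, pstar) for c in combo)
        significant = bound >= plim            # cut-off applied to the bound
        if significant:
            p_scs += bound                     # eqn (3b)
        merged = frozenset().union(*combo)
        combos.append((merged, cut_prob(merged, probs), bound, significant))
    return {"pt": pt, "p_scs": p_scs, "pe": pt - p_scs, "combos": combos}


def sample_case(plim=5e-3):
    """The constructed two-p-mod case with a (constructed) threshold Plim."""
    return screen_macro_cut_set([G1, G2], PROBS, plim)


if __name__ == "__main__":
    r = sample_case()
    print(f"Pt = {r['pt']:.4e}  P(SCSs) = {r['p_scs']:.4e}  Pe = {r['pe']:.4e}")
    for merged, exact, bound, sig in r["combos"]:
        tag = "significant" if sig else "truncated"
        print(f"{''.join(sorted(merged)):>4}  exact={exact:.3e}  bound={bound:.3e}  {tag}")
```

The printed bounds are never below the exact probabilities, which is the conservatism the transformation buys; the two combinations that share A or X on one side only show how loose the bound can get, while Pe still follows from eqn (2) without building the MCSs.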

EXPERIMENTAL RESULTS

The performance of the hybrid method and of the numerical transformation implemented in ISPRA-FTA Version 2.0 has been tested on many different fault trees, some of which are listed in Table 1. The parameters chosen to characterise these trees are the number of gates and primary events, the number of repeated subtrees, the number of repeated events not belonging to repeated subtrees and the number of MCSs. In Table 2, for certain probabilistic thresholds Plim corresponding to negligible truncation errors Pe, the number of SMCSs and the top event unavailability Pt are given. Pt can then be considered as the true top event unavailability value. The computation times, in seconds, have been obtained by running ISPRA-FTA on a personal computer AST PREMMIA 4/66d. In Table 3 the sample fault trees have been analysed using probabilistic thresholds corresponding to a very small number of SMCSs; the sum of the top event unavailability Ptop, determined on the set of SMCSs, and the corresponding truncation error Pe can be compared with Pt in Table 2 to reveal the very small degree of conservatism of Pe. Note that, in almost all cases, Ptop is less than Pe or has a comparable value. The reduction of Pe for lower values of Plim is very rapid for all cases examined. For example, in case 5 with Plim = 10^-9 the number of SMCSs is 85, Ptop = 1.94 × 10^-5 and Pe becomes negligible (Pe = 3 × 10^-8). Analogously, for case number 4 with Plim = 10^-6, the number of SMCSs is 128, Ptop = 6.41 × 10^-3, and Pe = 5.85 × 10^-4, summing up to 6.99 × 10^-3, very close to the value obtained with Plim = 10^-12. The variation of Pe for different values of Plim and nlim has been studied for all sample cases; the results were always very good. As an example, the variation of Ptop + Pe for several cut-off thresholds is reported in Table 4 for the first sample tree. From the results obtained it can be realised that the estimation of Pe is very good, i.e., the degree of conservatism is negligible at any couple of values of the probabilistic and logical cut-off thresholds.

Table 1. Characteristics of the sample fault trees

| No. | Gates | Events | Repeated subtrees | Repeated events | MCSs |
|-----|-------|--------|-------------------|-----------------|------|
| 1 | 104 | 143 | 10 | 8 | >10^5 |
| 2 | 122 | 116 | 14 | 14 | >10^5 |
| 3 | 95 | 91 | 21 | 23 | 3 554 |
| 4 | 132 | 215 | 29 | 11 | >10^5 |
| 5 | 40 | 32 | 39 | - | 5 630 |
| 6 | 41 | 89 | - | 14 | 1 776 |
| 7 | 65 | 74 | 13 | 9 | 66 916 |

Table 2. Top event unavailability for the sample fault trees

| No. | Plim | SMCSs | Pt | Pe | Time (s) |
|-----|------|-------|----|----|----------|
| 1 | 10^-12 | 14 520 | 1.49 × 10^-2 | 5.49 × 10^-9 | 7.2 |
| 2 | 10^-16 | 7 902 | 1.40 × 10^-5 | 4.34 × 10^-13 | 6.6 |
| 3 | 10^-18 | 3 081 | 9.04 × 10^-5 | 1.15 × 10^-14 | 2.2 |
| 4 | 10^-12 | 9 784 | 6.69 × 10^-3 | 4.47 × 10^-8 | 34 |
| 5 | 10^-14 | 5 100 | 1.94 × 10^-5 | 1.41 × 10^-10 | 21.4 |
| 6 | 10^-12 | 691 | 1.1 × 10^-3 | 6.08 × 10^-11 | 0.55 |
| 7 | 10^-18 | 86 | 1.05 × 10^-9 | 2.67 × 10^-17 | 9.2 |

Table 3. Degree of conservatism of Pe for very high Plim values

| No. | Plim | SMCSs | Ptop | Pe | Ptop + Pe | Time (s) |
|-----|------|-------|------|----|-----------|----------|
| 1 | 5 × 10^-4 | 4 | 2.22 × 10^-3 | 1.34 × 10^-2 | 1.56 × 10^-2 | 0.8 |
| 2 | 2 × 10^-6 | 1 | 3.98 × 10^-6 | 1.0 × 10^-5 | 1.4 × 10^-5 | 1.9 |
| 3 | 10^-6 | 2 | 8.08 × 10^-5 | 9.98 × 10^-6 | 9.08 × 10^-5 | 0.6 |
| 4 | 10^-4 | 8 | 6.2 × 10^-3 | 2.05 × 10^-3 | 8.25 × 10^-3 | 2.8 |
| 5 | 5 × 10^-7 | 10 | 1.2 × 10^-6 | 2.91 × 10^-5 | 3.03 × 10^-5 | 12.5 |
| 6 | 5 × 10^-4 | 2 | 9 × 10^-4 | 2.01 × 10^-4 | 1.1 × 10^-3 | 0.39 |
| 7 | 2 × 10^-10 | 1 | 4.99 × 10^-10 | 5.55 × 10^-10 | 1.05 × 10^-9 | 8.9 |

Table 4. Variation of Ptop + Pe for the first sample case fault tree

| Plim | nlim | SMCSs | Ptop | Pe | Ptop + Pe | Time (s) |
|------|------|-------|------|----|-----------|----------|
| 5 × 10^-4 | - | 4 | 2.22 × 10^-3 | 1.34 × 10^-2 | 1.567 × 10^-2 | 0.8 |
| 10^-4 | - | 42 | 1.11 × 10^-2 | 4.08 × 10^-3 | 1.522 × 10^-2 | 1.0 |
| 10^-6 | - | 297 | 1.48 × 10^-2 | 7.73 × 10^-5 | 1.49 × 10^-2 | 1.1 |
| 10^-8 | - | 590 | 1.49 × 10^-2 | 1.47 × 10^-6 | 1.49 × 10^-2 | 1.6 |
| 10^-10 | - | 1 903 | 1.49 × 10^-2 | 1.79 × 10^-7 | 1.49 × 10^-2 | 3.5 |
| 10^-12 | - | 14 520 | 1.49 × 10^-2 | 5.49 × 10^-9 | 1.49 × 10^-2 | 7.2 |
| 10^-10 | 1 | 1 | 5.05 × 10^-4 | 1.69 × 10^-2 | 1.74 × 10^-2 | 0.9 |
| 10^-10 | 2 | 552 | 1.49 × 10^-2 | 8.27 × 10^-6 | 1.49 × 10^-2 | 1.0 |
| 10^-10 | 3 | 640 | 1.49 × 10^-2 | 8.05 × 10^-6 | 1.49 × 10^-2 | 1.1 |
| 10^-10 | 4 | 705 | 1.49 × 10^-2 | 2.34 × 10^-6 | 1.49 × 10^-2 | 1.1 |
| 10^-6 | 1 | 1 | 5.04 × 10^-4 | 1.69 × 10^-2 | 1.74 × 10^-2 | 0.8 |
| 10^-6 | 2 | 296 | 1.48 × 10^-2 | 8.09 × 10^-5 | 1.49 × 10^-2 | 1.0 |

CONCLUSIONS

In this paper a new approach to fault tree analysis, referred to as hybrid, has been described. The reason for its development was the need to reduce, as much as possible, the degree of conservatism in estimating the truncation error when the cut-off technique (probabilistic + logical) is applied. The results obtained were very good for all fault trees examined during the testing phase of ISPRA-FTA. The hybrid approach also offers other possibilities, which are being implemented in ISPRA-FTA, concerning the use of cut-off parameters less uncertain than Plim, as for instance the maximum number of MCSs and the maximum percentage value of the truncation error.

REFERENCES

1. Russell, K. D. & Rasmuson, D. M., Fault tree reduction and quantification: an overview of IRRAS algorithms. Reliab. Engng System Safety, 40 (1993) 149-164.
2. Niemela, I., On simplification of large fault trees. Reliab. Engng System Safety, 44 (1994) 135-138.
3. Contini, S., ISPRA-FTA. Fault tree analysis tool for personal computers. V. 1.1 Methodological aspects and user interface description. EUR 13997 EN, European Commission Joint Research Centre, Ispra, Italy, 1992.
4. Astolfi, M. & Contini, S., A method for the estimation of the residual error in the SALP approach for fault tree analysis. EUR 6750 EN, European Commission Joint Research Centre, Ispra, Italy, 1980.
5. Contini, S. & Garribba, S., Prior built-in sensitivity analysis for fault trees with special concern for reliability calculations in nuclear power plants. CESNEF/IAEA IN-OIO, Polytechnic of Milan, Italy, 1979.
6. Modarres, M. & Dezfuli, H., A truncation methodology for evaluating large fault trees. IEEE Transactions on Reliability, R-33 (1984) 325-328.
7. Brown, K. S., Evaluating fault trees with repeated events. IEEE Transactions on Reliability, 39 (1990) 226-235.