Nuclear Engineering and Design 91 (1986) 79-91 North-Holland, Amsterdam
ADVANCED CONCEPTS IN FAULT TREE MODULARIZATION
by Leonidas CAMARINOPOULOS and Javier YLLERA
Institute for Nuclear Engineering, Technical University of Berlin, Fed. Rep. Germany

Received 8 February 1985
In the present paper a new modular decomposition concept is presented, which unifies and generalizes those known. This is done by characterizing a module by a set of modular functions on a modular set of components, rather than by a single modular function. This extension of the module concept leads to a more flexible and efficient modular decomposition, thus providing a powerful method to compute reliability parameters of very large fault trees containing many repeated events, which considerably impede modularization by existing procedures. However, the efficiency of the method depends on an appropriate selection of the modules and on the methods available for evaluating modular functions. These two subjects are treated in detail in this work, which in addition proposes an algorithm for modular evaluation of fault trees. The implementation of this algorithm in the computer code TREEMOD and its application to the evaluation of some examples serve to illustrate the advantages of the method.
1. Introduction

A considerable amount of work has been dedicated to developing analytical methods for the evaluation of fault trees. Most of them deal with the enumeration of minimal cut-sets, using basically two different approaches, top-down [1] and bottom-up [2], or even a combination of them. Since the number of cut-sets of a tree increases in a more than linear way with the number of events, there is no algorithm which can guarantee the solution of large systems by direct enumeration of all its minimal cut-sets, or even only of the more relevant ones, due to excessive memory and computing time requirements. Therefore methods exploiting modular decomposition have gained popularity during the last few years, because they permit the problem to be linearized up to some point by analyzing smaller and independent subsystems separately. In addition, the combination of the results obtained at modular levels yields better upper bounds for the top event probability. Unfortunately, many technical subsystems are not completely independent, but have a number of interfaces, as, for instance, the power supply. These kinds of interdependencies among subsystems often prevent modularization from being carried out efficiently. Some attempts have been made to perform modular evaluation of subsystems which interact at only a few points with the remaining system [3]. For this purpose, conventional module definitions have to be extended. This is done in the theory part of this paper. In the following sections the applicability of the new module theory to the evaluation of fault trees is studied and an algorithm based on it is proposed.
2. Modular representation of fault trees

The intuitive concept of a module as an assembly of components of a system organized in some substructure of their own, which only affect the system by the performance of this substructure and thus can be removed and replaced as a whole, was formulated mathematically by Birnbaum and Esary [4] for coherent systems as follows: Let (C, φ) denote a system defined by a coherent structure function φ(x) operating on the component set C = {c_1, c_2, ..., c_n}, whose state is indicated by the boolean vector x = (x_1, x_2, ..., x_n). A nonempty subset A of C is a modular set of (C, φ) iff φ(x) can be expressed as:

$$\phi(x) = \psi\bigl(\alpha(x^A),\, x^{C-A}\bigr), \qquad (1)$$

where α is a coherent structure function on A, called
0029-5493/86/$03.50 © Elsevier Science Publishers B.V. (North-Holland Physics Publishing Division)
L. Camarinopoulos, J. Yllera / Fault tree modularization
the modular function, and ψ is another coherent structure function depending on the modular function α and on the remainder set C-A. The coherent system (A, α) is said to be a module of the system (C, φ) and might be modularized further. A trivial conclusion to be drawn from the above definition is that every component as well as the system as a whole may be considered as a module. For differentiation all but the afore-mentioned modules are called proper modules. A coherent boolean function which does not have proper modules is called a "prime boolean function". For instance, the structure function of an N out of M system is prime. A modular decomposition of a coherent system (C, φ) is defined as a set of disjoint modules (A, α), (B, β), ... organized by a coherent structure function ψ:

$$\phi(x) = \psi\bigl(\alpha(x^A),\, \beta(x^B),\, \ldots\bigr), \qquad C = A \cup B \cup \cdots \qquad (2)$$
In a reliability block diagram a module is an isolated subdiagram that has only one input from the remainder of the system and only one output to it, i.e. a two-terminal subblock. In a fault tree every branch, which, if eliminated, would make all the components it contains disappear from the tree, is a module. For this reason, modularization of fault trees without repeated events is straightforward. Fault trees with repeated events may contain some other modules according to eq. (1) which are not so obvious and which possibly do not correspond to physical modules in the system. Therefore, recognition of modules in trees with repeated events may become a difficult task. According to eq. (2) several modular decompositions of a coherent system might be obtained. However, a very important result of this module definition is that the modular factorization of a coherent binary system produces a unique decomposition into, in a qualified sense, its largest possible disjoint modules, also called modular factors [4]. The function which organizes these modules is either a pure disjunction, a pure conjunction or a prime boolean function. This statement is equivalent to the unique factorization theorem for simple games, proved by Shapley [5]. This should not be surprising if one takes into account that a simple game can be clearly and unequivocally described by a unique set of minimal winning coalitions, and in the same way, a coherent boolean function has a unique equivalent representation in terms of its minimal cut-sets. Both minimal winning coalitions and minimal cut-sets fit in the global definition of a clutter. A clutter can be defined as a family of different subsets of a finite set,
having the property that no subset of the family is properly contained in another one. Obviously the minimal cut-sets of a structure function are a clutter on the set of its components. An algorithm for the decomposition of clutters has been developed by Billera [6]. Such an algorithm can also be applied to the decomposition of a coherent boolean function [7], once its minimal cut-sets and path-sets are known. The algorithm has been reformulated and improved by Chatterjee [8] for its application to the modular decomposition of coherent fault trees. If the above defined modular factors, which are also coherent binary systems, are decomposed recursively into their own modular factors until further decomposition becomes impossible, i.e. until the modular factors are single components, then the so-called finest modular decomposition has been reached. Chatterjee's algorithm leads to this representation of the fault tree, which can also be defined in more usual fault tree terminology as an equivalent representation of the tree where
- every branch of the tree is independent, i.e. there are no repeated events, and therefore every subtree can be considered as a module, and
- the logic function associated with each gate is either an OR (disjunction) or an AND (conjunction), having no inputs from other gates of the same type, or a prime boolean function.
Since Chatterjee's algorithm produces this representation starting from the minimal cut-sets, the prime gates are characterized by a sum of minimal cut-sets based on their inputs, but in general a prime gate would not be different from a boolean function representing a fault tree without modules. The basic events of this tree - some of them are necessarily repeated - are the inputs of the original prime gate. This algorithm is not useful for the purpose of reducing the effort in computing the system reliability parameters, because it requires all minimal cut-sets as input information.
Once these are available, the desired parameters can be obtained directly and no other representation is needed. In many cases, however, it is impossible in practice to obtain all minimal cut-sets. If we denote by N(φ) the effort associated with the evaluation of a function φ, it is easy to show, by considering the intuitive module concept of an independent subsystem which can be evaluated separately and then treated like a single component, that

$$N(\phi) \geq N(\psi) + N(\alpha), \qquad (3)$$
because the effort for evaluating a function grows non-linearly with the number of components. From this point of view, the finest modular representation would be the ideal representation of a fault tree, which, in fact, it is. On the other hand, the effort involved in the modularization process has to be taken into account too. Until now, no suitable method has been proposed for obtaining the finest modular representation of a fault tree directly from its structure. Nevertheless, there exist some algorithms which perform an effective modularization by recognizing independent subtrees and groups of unrepeated events which are inputs to the same gate, and by changing the tree structure without altering its truth table in order to produce such patterns with an admissible effort [9,10]. However, they do not normally lead to the finest modular representation. For noncoherent systems eqs. (1) and (2) can be used with the introduction of slight modifications, namely with the condition that both intact and failed states of a component belong to the same modular set. Obviously, either some modular function or the organizing function, or both, will be noncoherent. It is well known that for coherent systems better probability upper bounds are available than for noncoherent ones. Therefore it is convenient to reduce the number and size of noncoherent functions as much as possible. For a more detailed discussion of this item see [11]. For noncoherent systems no factorization theorem has been given and Chatterjee's algorithm is not applicable, because a noncoherent system can be described by more than one minimal family of prime implicants.
The same definition can also be extended to systems with multistate components, always under the condition that a modular set has to include every possible state of its components [12]. The modular and organizing functions should be checked for coherence in order to establish which type of probabilistic upper bound is applicable to each function. A method to recognize whether a system with multistate components is coherent or not has been given by Caldarola [13].
3. A more general decomposition method

Now we give a much broader definition, which also covers the module definition according to eq. (1) and its extension to noncoherent and multistate systems. Let (C, φ) be a structure function. Each nonempty subset A of C which permits the structure function to be expressed as

$$\phi(x) = \psi\bigl(\alpha_1(x^A),\, \alpha_2(x^A),\, \ldots,\, \alpha_n(x^A),\, x^{C-A}\bigr), \qquad (4)$$

n being a finite number and α_1, α_2, ..., α_n being functions dependent only on the subset A, is a modular set of (C, φ). A module is defined by a modular set and a finite number of modular functions (A, α_1, α_2, ..., α_n). If n = 1, eq. (4) is immediately reduced to eq. (1). From now on, we will reserve the name "module" for first order modules, i.e. n = 1, and we will designate any other modules of order n > 1 as "supermodules". As before, ψ is the organizing function. It is obvious that every set of components can be a modular set by defining an adequate set of modular functions. In a similar way to eq. (2), a modular decomposition can be defined as:

$$\phi(x) = \psi\bigl(\alpha^1_1(x^{A_1}), \ldots, \alpha^1_{n_1}(x^{A_1}),\ \alpha^2_1(x^{A_2}), \ldots, \alpha^2_{n_2}(x^{A_2}),\ \ldots,\ \alpha^m_{n_m}(x^{A_m})\bigr), \qquad (5)$$

where A_1, A_2, ..., A_m are disjoint subsets of C. Modular functions from different supermodules are statistically independent. However, for a given supermodule (A, α^i_1, α^i_2, ..., α^i_{n_i}) the functions α^i_1, α^i_2, ..., α^i_{n_i} are normally not statistically independent. This fact has to be considered when quantifying the organizing function. In a reliability block diagram a module was a subblock having only one input from the remainder of the system and one output to this remainder. A supermodule has only one input from the remainder of the system and a finite number of outputs to it. In order to illustrate this, consider, e.g., the bridge structure, fig. 1, which is known to be prime, i.e. it has no conventional proper modules according to eq. (1). The block S1 containing components x1 and x2 could be replaced by a supermodule. This would not be meaningful however, because, if we attempt to describe its outputs by modular functions, we would just rename the basic events x1 and x2. On the other hand, if the
Fig. 1. Reliability block diagram of the bridge structure.
block S2 containing components x1, x2, x3 is considered as a supermodule, the reliability block diagrams for the organizing and modular functions change as shown in fig. 2. In a fault tree representation of the structure function, a supermodule is just a part of a tree containing all the components belonging to the modular set and having several outputs to the rest of the tree. The fault tree representation of a bridge structure with the selected supermodule (S2, α1, α2), x^{S2} = (x1, x2, x3), constructed in accordance with the functions shown in fig. 2, is given in fig. 3.

Fig. 2. Reliability block diagram of the functions α1, α2, ψ.

Fig. 3. Fault tree representation of the bridge structure.

4. Some properties of supermodules

The application of pivotal decomposition on all the modular functions of a supermodule leads to a sum of incompatible products, each of them decomposable into two statistically independent factors. As we will show later, this expression can be used as an alternative method for the evaluation of the system structure. If (A, α_1, α_2, ..., α_n) is a supermodule of (C, φ), the application of pivotal decomposition on α_1, α_2, ..., α_n to the organizing function ψ leads to:

$$\begin{aligned}
\phi(x) = {}& \psi(\alpha_1 = 0,\, \alpha_2 = 0,\, \ldots,\, \alpha_n = 0,\, x^{C-A}) \cdot \bar\alpha_1 \cdot \bar\alpha_2 \cdots \bar\alpha_n \\
&+ \sum_{i=1}^{n} \psi(\alpha_i = 1,\ \alpha_s = 0 \ \text{for}\ s = 1, \ldots, n,\ s \neq i,\ x^{C-A}) \cdot \alpha_i \cdot \prod_{s=1,\, s \neq i}^{n} \bar\alpha_s \\
&+ \sum_{i<j} \psi(\alpha_i = \alpha_j = 1,\ \alpha_s = 0 \ \text{for}\ s = 1, \ldots, n,\ s \neq i, j,\ x^{C-A}) \cdot \alpha_i \cdot \alpha_j \cdot \prod_{s=1,\, s \neq i,j}^{n} \bar\alpha_s + \cdots \\
&+ \psi(\alpha_1 = 1,\, \alpha_2 = 1,\, \ldots,\, \alpha_n = 1,\, x^{C-A}) \cdot \alpha_1 \cdot \alpha_2 \cdots \alpha_n .
\end{aligned} \qquad (6)$$
In this expression α_i(x^A) was replaced by α_i for simplicity; ᾱ_i means the complement or negation of α_i. Eq. (6) can be easily proved and underlines the idea that the components of a supermodule can only influence the performance of the system through the performance of the modular functions. In other words, the state of the system depends only on the states of the modular functions and not on the combination of the states of the components of the modular set which led to them. In a module, the unique modular function and the organizing function are uniquely determined once the modular set is defined. In supermodules, several sets of modular functions can be defined on the same modular set of components. For instance, in the case of the bridge structure presented in fig. 1, the modular functions

$$\alpha_1 = x_1 \cdot (x_2 + x_3), \qquad \alpha_2 = x_1 + x_3, \qquad \alpha_3 = x_2$$

can also be defined for the modular set S2, x^{S2} = (x1, x2, x3), together with the organizing function

$$\psi = (x_4 + \alpha_1) \cdot (x_5 + \alpha_2 \cdot \alpha_3).$$
Every combination of n components can be considered as a modular set, because there always exists the possibility of defining n modular functions, each of them depending only on one component of the modular set, as for instance the supermodule S1 of fig. 1, but this kind of supermodule is trivial and does not offer any advantage. A supermodule is said to be nontrivial if the number of modular functions is smaller than the number of components included in the modular set. Finally, if (A, α_1, α_2, ..., α_n) is a supermodule of (C, φ), then (A, α_1^D, α_2^D, ..., α_n^D) is also a supermodule of (C, φ^D), where α_1^D, α_2^D, ..., α_n^D, ψ^D are the dual functions of α_1, α_2, ..., α_n, ψ respectively.
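A brute-force check of eq. (4) on the bridge structure, as an added Python example (not code from the paper or from TREEMOD): it builds the failure function of the bridge from its four minimal cut-sets, tests whether S2 = {x1, x2, x3} is a modular set for a given list of modular functions, and verifies the organizing function (x4 + α1)(x5 + α2·α3) given above. The component numbering (x1, x2 on one side, x3 the bridge, x4, x5 on the other side) is an assumption about fig. 1, and the check that the pair (α1, α2·α3) is already a nontrivial supermodule is an inference from that organizing function, not a statement of the paper.

```python
from itertools import product

# Constructed example, not code from the paper or from TREEMOD. The bridge
# structure of fig. 1 in failure logic: a component state of 1 means "failed",
# and the system fails when all components of some minimal cut-set have failed.
# Assumption: x1, x2 on one side, x3 the bridge, x4, x5 on the other side.
BRIDGE_CUT_SETS = [{1, 2}, {4, 5}, {1, 3, 5}, {2, 3, 4}]
COMPONENTS = [1, 2, 3, 4, 5]
S2 = [1, 2, 3]                       # modular set discussed in sections 3 and 4


def phi(x):
    """Structure function of the bridge: 1 if the system has failed."""
    return int(any(all(x[c] for c in cut) for cut in BRIDGE_CUT_SETS))


def states(components):
    """Every 0/1 state vector over the given components, as a dict."""
    for bits in product((0, 1), repeat=len(components)):
        yield dict(zip(components, bits))


def is_modular_set(struct, components, A, alphas):
    """Brute-force form of eq. (4): A is a modular set of (C, struct) with the
    modular functions `alphas` iff, for every fixed state of the remainder
    C-A, two states of A that give the same values of all alphas also give
    the same value of struct (the system sees A only through the alphas)."""
    rest = [c for c in components if c not in A]
    for xr in states(rest):
        value_for_key = {}
        for xa in states(A):
            x = {**xr, **xa}
            key = tuple(f(x) for f in alphas)
            value = struct(x)
            if value_for_key.setdefault(key, value) != value:
                return False
    return True


def is_nontrivial(A, alphas):
    """Section 4: nontrivial means fewer modular functions than components."""
    return len(alphas) < len(A)


# The three modular functions the paper defines on S2.
def alpha1(x):
    return x[1] & (x[2] | x[3])


def alpha2(x):
    return x[1] | x[3]


def alpha3(x):
    return x[2]


def alpha23(x):
    """Product alpha2 * alpha3 = x2 (x1 + x3), the only way psi uses alpha2, alpha3."""
    return alpha2(x) & alpha3(x)


def psi_bridge(a1, a2, a3, x4, x5):
    """Organizing function (x4 + alpha1) (x5 + alpha2 alpha3) from section 4."""
    return (x4 | a1) & (x5 | (a2 & a3))


def organizing_reproduces_phi():
    """Check phi(x) == psi(alpha1, alpha2, alpha3, x4, x5) for all 32 states."""
    return all(phi(x) == psi_bridge(alpha1(x), alpha2(x), alpha3(x), x[4], x[5])
               for x in states(COMPONENTS))


def bridge_checks():
    """Summary of the properties discussed in sections 3 and 4."""
    return {
        "S2_with_a1_a2_a3": is_modular_set(phi, COMPONENTS, S2, [alpha1, alpha2, alpha3]),
        "S2_with_a1_only": is_modular_set(phi, COMPONENTS, S2, [alpha1]),
        "S2_with_a1_a23": is_modular_set(phi, COMPONENTS, S2, [alpha1, alpha23]),
        "S2_a1_a23_nontrivial": is_nontrivial(S2, [alpha1, alpha23]),
        "psi_matches_phi": organizing_reproduces_phi(),
    }


if __name__ == "__main__":
    for name, ok in bridge_checks().items():
        print(f"{name}: {ok}")
```

A single modular function α1 is not enough for S2 (the check fails), while (α1, α2·α3) passes and has fewer functions than components, so it is a nontrivial supermodule in the sense of section 4.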
5. Evaluation of modularized fault trees

The evaluation of fault trees containing only first order modules is a topic which has often been discussed in the literature, e.g. [8,9]. A natural and efficient strategy is to begin with the modular functions of the lowest level modules, i.e. those modules which do not contain any other modules. If these modules are now considered as components whose failure probabilities are obtained from the modular functions, this procedure can be repeated until the top event probability has been calculated. The evaluation of the modular functions or the organizing functions can be carried out with one of the normal cut-set or prime implicant enumeration methods. If one of these functions is a pure addition, a pure multiplication, or a symmetric prime function like an n out of m system, all the terms of the inclusion-exclusion method can be easily considered and the corresponding probability can be calculated exactly. Attention will be focused now on the evaluation of higher order modules, whose selection is treated in the following section. The property which makes the evaluation of these modules special is that modular functions of the same supermodule are normally statistically dependent. Therefore conjunctions of them cannot be evaluated as the product of expected values of the single modular functions, i.e. E{α_i · α_j} ≠ E{α_i} · E{α_j}. This problem will appear in the evaluation of the organizing function, or in the evaluation of the modular functions if a supermodule has been decomposed into further supermodules. In the following, three possible methods for handling these statistical dependencies are presented.

5.1. First method

As shown before, pivotal decomposition on modular functions leads to an expression of 2^n exclusive terms, n being the order of the supermodule. Each of these terms consists of products of modular functions or their negations and a simplified form of the organizing function, where the modular functions have been set either intact or failed, and which therefore is independent of the other factors of the term. Let us consider the fault tree in fig. 4 for explanation purposes, where the supermodule of 2nd order (A, α_1, α_2), x^A = (x3, x4, x5, x8), α_1 ≡ G5, α_2 ≡ G7, has been selected for simplicity but without loss of generality. The application of the pivotal decomposition on the event gates G5, G7 leads to

$$\begin{aligned}
\phi(x) = {}& \psi(G_5 = 0,\, G_7 = 0,\, x^{C-A}) \cdot \bar G_5 \cdot \bar G_7 + G_5 \cdot \bar G_7 \cdot \psi(G_5 = 1,\, G_7 = 0,\, x^{C-A}) \\
&+ \bar G_5 \cdot G_7 \cdot \psi(G_5 = 0,\, G_7 = 1,\, x^{C-A}) + G_5 \cdot G_7 \cdot \psi(G_5 = 1,\, G_7 = 1,\, x^{C-A}).
\end{aligned} \qquad (7)$$

Since components are assumed to be statistically independent, the expected value for the top event E{φ(x)} can be written as:

$$\begin{aligned}
E\{\phi(x)\} = {}& E\{\bar G_5 \cdot \bar G_7\}\, E\{\psi(G_5 = 0,\, G_7 = 0,\, x^{C-A})\} + E\{G_5 \cdot \bar G_7\}\, E\{\psi(G_5 = 1,\, G_7 = 0,\, x^{C-A})\} \\
&+ E\{\bar G_5 \cdot G_7\}\, E\{\psi(G_5 = 0,\, G_7 = 1,\, x^{C-A})\} + E\{G_5 \cdot G_7\}\, E\{\psi(G_5 = 1,\, G_7 = 1,\, x^{C-A})\}.
\end{aligned} \qquad (8)$$

Fig. 4. Fault tree example 1.
That means the statistical dependencies between the modular functions have been eliminated from the organizing function at the cost of building 2^n new terms which contain every possible combination of conjunctions between the modular functions. These products have to be developed in the form of prime implicants in order to consider their statistical dependencies (components are assumed to be independent). The procedure can be applied recursively to other supermodules of lower rank. The determination of prime implicants for the example of fig. 4 gives:

$$\begin{aligned}
&\bar G_5 \cdot \bar G_7 = \bar x_4 \cdot \bar x_3 \cdot \bar x_8, \qquad G_5 \cdot \bar G_7 = 0, \\
&\bar G_5 \cdot G_7 = x_4 \cdot \bar x_5 \cdot \bar x_3 + x_3 \cdot \bar x_4 + x_8 \cdot \bar x_4 + x_8 \cdot \bar x_3 \cdot \bar x_5, \qquad G_5 \cdot G_7 = x_4 \cdot x_5 + x_4 \cdot x_3, \\
&\psi(G_5 = 0,\, G_7 = 0,\, x^{C-A}) = x_1 \cdot x_2 \cdot x_6, \qquad \psi(G_5 = 1,\, G_7 = 0,\, x^{C-A}) = x_1 \cdot x_6, \\
&\psi(G_5 = 0,\, G_7 = 1,\, x^{C-A}) = x_1 \cdot x_2 \cdot x_6 + x_1 \cdot x_2 \cdot x_7, \qquad \psi(G_5 = 1,\, G_7 = 1,\, x^{C-A}) = x_1 \cdot x_6 + x_1 \cdot x_7.
\end{aligned} \qquad (9)$$

The expected values of this set of functions can be calculated and substituted in eq. (8) in order to obtain E{φ(x)}. This method involves the evaluation of noncoherent functions, even when the original system is coherent, and possibly the evaluation of products of modular functions which are not present in the fault tree or are not possible at all, like G5 · Ḡ7. The success of this method depends on selecting the supermodules in such a way as to produce considerable simplifications of the organizing functions and on limiting them to low orders, in order to avoid the exponential growth of the number of terms. Therefore, the selection is restricted for efficiency reasons.

5.2. Second method

This method was presented before in [3] and makes use of the Boolean algebra with restricted variables. The procedure is basically as follows: Each modular function of a supermodule is considered as a sum of 2^{n-1} incompatible terms, which comprise every possible combination of states of the other modular functions. For instance, in the case of a second order supermodule

$$\alpha_1 = \alpha_1 \cdot \alpha_2 + \alpha_1 \cdot \bar\alpha_2, \qquad \alpha_2 = \alpha_1 \cdot \alpha_2 + \bar\alpha_1 \cdot \alpha_2 .$$

Each of the terms is considered as a failed state of a supercomponent Q: Q1 = α_1 · ᾱ_2, Q2 = ᾱ_1 · α_2, Q3 = α_1 · α_2. The complementary intact state of Q would be Q0 = ᾱ_1 · ᾱ_2. The organizing function is developed taking into account that the states of Q are exclusive. For the example of fig. 4:

$$\psi(x) = x_1 \cdot x_2 \cdot x_6 + x_1 \cdot x_7 \cdot Q_2 + x_1 \cdot x_2 \cdot x_7 \cdot Q_3 + x_1 \cdot x_6 \cdot Q_1, \qquad (10)$$

being Q1 = G5 · Ḡ7, Q2 = Ḡ5 · G7, Q3 = G5 · G7.
The method also requires the evaluation of products of modular functions or their complements, thus handling noncoherent functions, even if the system is coherent. The number of products of modular functions and their complexity grow exponentially with the order of the supermodules. In addition, the complexity of the organizing function also increases, because every modular function is replaced by 2^{n-1} different states of a supercomponent. Therefore, the method can only handle supermodules of low order efficiently. Normally, prime implicants of products of modular functions of the form α_i · ᾱ_j are formed from the minimal cut-sets of α_i together with different combinations of intact states of components which prevent α_j from being failed. This fact leads to a bad estimate of the expected value E{α_i · ᾱ_j} if only the first term of the inclusion-exclusion relation is taken into account. For example, if the prime implicants x8 · x̄4, x8 · x̄3 · x̄5 of the product Ḡ5 · G7 are considered and the failure probability of each component is 0.1, then E{x8 · x̄4} + E{x8 · x̄3 · x̄5} = 0.1 · 0.9 + 0.1 · 0.9 · 0.9 = 0.171. However, it is clear that the result cannot be greater than 0.1, the failure probability of x8. That means more terms of the inclusion-exclusion method should be taken into account to obtain better results. If the system was originally coherent, it would be possible to replace the intact states of the components by one and apply the absorption law to the implicants. This can also be done in the first method. Since the absorption rule can be applied only at the level of modular functions, it is possible that some non-minimal cut-sets have not been eliminated. In any case a conservative estimate of the system failure probability is obtained.

5.3. Third method
Another possibility of handling dependencies between modular functions is to simply develop the organizing function up to the level of modular functions, to subsequently evaluate separately the modular functions or the combinations of them which have been found, and to use the results thus obtained for recalculating the organizing function. For the example of fig. 4, the development of the organizing function would lead to:

$$\psi(x) = x_1 \cdot x_2 \cdot x_6 + x_1 \cdot x_2 \cdot x_7 \cdot G_7 + x_1 \cdot x_6 \cdot G_5 + x_1 \cdot x_7 \cdot G_5 \cdot G_7 . \qquad (11)$$
Now the modular functions α_1 ≡ G5, α_2 ≡ G7 and their product α_1 · α_2 ≡ G5 · G7 can be quantified separately, e.g. using their minimal cut-set representations:

$$G_5 = x_4 \cdot x_5 + x_4 \cdot x_3, \qquad G_7 = x_4 + x_3 + x_8, \qquad G_5 \cdot G_7 = x_4 \cdot x_5 + x_4 \cdot x_3 . \qquad (12)$$
Insertion of the results obtained into the organizing function, eq. (11), allows an estimate of the desired system value to be obtained. Nevertheless, in this case as well, it is possible that some nonminimal or repeated cut-sets are considered. For instance, the organizing function may contain cut-sets like x_i · x_j · x_k · α_r, x_i · x_j · x_k · α_s which only differ by the modular functions α_r, α_s, and in addition α_r and α_s may have some common minimal cut-sets. If upper bounds corresponding to the quality standards of minimal cut-set enumeration are desired, a demodularization of the supermodules can be performed and the nonminimal cut-sets can be eliminated. The demodularization is the reverse process of the modularization. By this process, modular functions or products of them contained in the minimal cut-sets of the organizing function are replaced by their corresponding minimal cut-set representation. As a result the minimal cut-sets of the original structure function are obtained. This process can be carried out with low computing time requirements, because modular functions or products of them have already been quantified and a cut-off procedure is very efficient in that case. Their replacement by their minimal cut-sets takes place, in addition, in a single development stage. There are two major advantages of this method: firstly, it does not require the handling of noncoherent functions when the system is coherent. Secondly, the effort is never greater than the effort of a normal cut-set enumeration, for every possible selection of supermodules. This means that there is no practical limitation to the order of the supermodules to be selected, since only the products of modular functions resulting from the development of the organizing function are evaluated instead of 2^n combinations of them.
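The evaluation methods of this section carried out on the fig. 4 example, as an added Python example (not code from the paper or from TREEMOD): the first method, eq. (8), is compared with the exact top event probability; the third method gives the conservative first-term bound obtained by inserting E{G5}, E{G7}, E{G5·G7} into eq. (11); and the overestimate discussed in section 5.2 is reproduced with all four prime implicants of Ḡ5·G7 from eq. (9) instead of two. The tree is taken from eqs. (11) and (12); the failure probability of 0.1 for every component is the constructed data of section 5.2.

```python
from itertools import product
from math import prod

# Constructed example, not code from the paper or from TREEMOD: the fault tree
# of fig. 4 written from eqs. (11) and (12). Component state 1 means "failed".
# The modular set is A = {x3, x4, x5, x8}; the organizing function psi sees A
# only through the modular functions G5 and G7. The failure probability 0.1
# for every component is the constructed data of section 5.2.
A = (3, 4, 5, 8)
REST = (1, 2, 6, 7)
P_FAIL = {c: 0.1 for c in A + REST}


def G5(x):
    """Modular function alpha1 = G5 = x4 x5 + x4 x3, eq. (12)."""
    return x[4] & (x[5] | x[3])


def G7(x):
    """Modular function alpha2 = G7 = x4 + x3 + x8, eq. (12)."""
    return x[4] | x[3] | x[8]


def psi(g5, g7, x):
    """Organizing function developed to the level of G5, G7, eq. (11)."""
    return ((x[1] & x[2] & x[6]) | (x[1] & x[2] & x[7] & g7)
            | (x[1] & x[6] & g5) | (x[1] & x[7] & g5 & g7))


def phi(x):
    """Top event of fig. 4 as a function of the component states."""
    return psi(G5(x), G7(x), x)


def expectation(func, components):
    """Exact E{func}: sum of the probabilities of all states of the listed
    (independent) components in which func is 1. Fine for a small example."""
    total = 0.0
    for bits in product((0, 1), repeat=len(components)):
        x = dict(zip(components, bits))
        if func(x):
            total += prod(P_FAIL[c] if x[c] else 1.0 - P_FAIL[c] for c in components)
    return total


def top_event_exact():
    """Reference value: E{phi} over all 2^8 component states."""
    return expectation(phi, A + REST)


def first_method():
    """Eq. (8): the four exclusive states of (G5, G7) split E{phi} into
    E{product of modular functions} * E{simplified organizing function};
    each factor involves only its own, independent, set of components."""
    total = 0.0
    for g5, g7 in product((0, 1), repeat=2):
        e_mod = expectation(lambda x: int(G5(x) == g5 and G7(x) == g7), A)
        e_org = expectation(lambda x: psi(g5, g7, x), REST)
        total += e_mod * e_org
    return total


def third_method_bound():
    """Third method (section 5.3): quantify G5, G7 and G5*G7 separately, then
    insert the values into the cut-sets of eq. (11). Adding the four terms
    (first term of inclusion-exclusion) gives a conservative upper bound."""
    e_g5 = expectation(G5, A)
    e_g7 = expectation(G7, A)
    e_g5g7 = expectation(lambda x: G5(x) & G7(x), A)
    p = P_FAIL
    return (p[1] * p[2] * p[6] + p[1] * p[2] * p[7] * e_g7
            + p[1] * p[6] * e_g5 + p[1] * p[7] * e_g5g7)


def not_g5_and_g7_estimates():
    """Section 5.2 caveat: the prime implicants of the noncoherent product
    (not G5) * G7 from eq. (9) overlap, so the first inclusion-exclusion term
    overshoots. Returns (first-term estimate, exact value)."""
    implicants = [{4: 1, 5: 0, 3: 0}, {3: 1, 4: 0}, {8: 1, 4: 0}, {8: 1, 3: 0, 5: 0}]
    first_term = sum(prod(P_FAIL[c] if v else 1.0 - P_FAIL[c] for c, v in imp.items())
                     for imp in implicants)
    exact = expectation(lambda x: (1 - G5(x)) & G7(x), A)
    return first_term, exact


if __name__ == "__main__":
    print("exact top event      ", top_event_exact())
    print("first method, eq. (8)", first_method())
    print("third method bound   ", third_method_bound())
    print("E{~G5 G7}: first term vs exact", not_g5_and_g7_estimates())
```

With 0.1 per component the first-term estimate of E{Ḡ5·G7} is 0.342, above even E{G7} = 0.271, while the exact value is 0.252; the third-method bound 0.001651 lies above the exact top event probability 0.0015688, as section 5.3 states.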
6. Selection of supermodules

Now we consider the problem of selecting those supermodules which appreciably reduce the effort required for evaluating fault trees. It is obvious that the effort for selecting the supermodules has to be taken into account as well in order to establish a valid criterion. In considering this question, the possibility of using cut-off procedures should be ignored, because the influence of the failure data could change every prediction based on structural considerations of the fault tree. The potential number of cut-sets of a structure function and their respective length will be considered as an estimate of the computational effort involved in its probabilistic evaluation. The selection of supermodules is particularly interesting in the case of prime functions, or functions where no standard modules can be found with the searching methods available. These kinds of functions have had to be evaluated hitherto by cut-set enumeration methods. If a reduction in the computational effort for their evaluation can be achieved by using supermodules, then the advantages of their use have been proved for any kind of function, because standard modular decomposition is used too, and this process leads to one of the types of function described above. If one of the first two evaluation methods is to be used, special attention has to be paid to the fact that the number of combinations of products of modular functions or their negations that have to be evaluated separately grows exponentially with the order of the supermodule, just as the effort for the evaluation of each of the combinations grows too. Therefore, in practical applications, the order of the supermodules should be restricted to a maximum of three or four (8 or 16 possible combinations respectively).
One way to obtain supermodules of a given order k is to consider the fault tree as a directed graph having as nodes the components and gates of the fault tree and as edges the connections between them. This graph can be split into its k-connected subgraphs (some algorithms to do this are already known from graph theory [14]). The modular functions are defined by the outputs of the subgraphs obtained. For the resulting supermodules it is possible to check whether the effort for the evaluation of the products of the modular functions and the organizing function is smaller than the effort for the evaluation without supermodules. This procedure would not be satisfactory in general, because the searching algorithm might not be fast enough if the number of events in the tree is above a certain limit. In addition, it is possible that the supermodules obtained do not lead to the desired reduction of computational effort.
If the third method is used, there are no practical restrictions on the order of the supermodules, and it is known that the effort in evaluating the tree using supermodules will be no more than required without their application. An overproportional increase of the number of minimal cut-sets of a tree is originated by "AND" gates having inputs with more than one potential cut-set. In this case the problem can be reduced to linearizing the effort of evaluating the "AND" gates. Let us consider an "AND" gate G with inputs G1, G2. This is not a real restriction in the number of inputs, since G1 or G2 could in turn represent "AND" gates. If the output event of gate G1 is considered as a modular function α_1 of a supermodule whose modular set consists of the components contained in the tree branch under gate G1, then the remaining modular functions can be defined as those events in the tree branch under G1 that are inputs to other gates outside of the branch. If such events do not exist, a standard module has been found. In the general case there would be some modular functions α_r, α_s, ... which do not enter gates in the subtree under G2, and some other modular functions α_i, α_j, ... which enter at least one gate in the subtree under G2. At the moment, our attention is paid to the latter. This situation is indicated in fig. 5. In order to establish a relationship between the computational effort involved in the evaluation of gate G with and without modularization, a top-down development of gate G is performed, stopping when those events are found which have been defined as modular functions. The resulting sum of products can be expressed as:
$$G = \kappa_0\,\alpha_1 + \kappa_i\,\alpha_1\alpha_i + \kappa_j\,\alpha_1\alpha_j + \dots + \kappa_{ij}\,\alpha_1\alpha_i\alpha_j + \dots \qquad \text{for } i \neq j \neq 1 \text{ and } \alpha_1 \equiv G_1 \tag{13}$$
In this expression the functions κ represent families of cut-sets formed with components which do not belong to the modular set. The computational effort, measured for instance as the potential number of cut-sets, for the evaluation of the subtree of gate G by a cut-set enumeration algorithm can be estimated as:
$$N(G) = N(G_1)\,N(G_2) = N(\kappa_0)\,N(\alpha_1) + N(\kappa_i)\,N(\alpha_1)\,N(\alpha_i) + N(\kappa_j)\,N(\alpha_1)\,N(\alpha_j) + \dots + N(\kappa_{ij})\,N(\alpha_1)\,N(\alpha_i)\,N(\alpha_j) + \dots \tag{14}$$
If, on the other hand, the fact that the functions κ are statistically independent of the modular functions is taken into account, the evaluation of a product like $\kappa_i\,\alpha_1\alpha_i$ can be split into the separate evaluation of $\kappa_i$ and $\alpha_1\alpha_i$. Hence the computational effort N*(G) for the probabilistic evaluation of gate G considering the supermodule would be:
[Fig. 5. Illustrating scheme for the supermodule selection strategy.]
$$N^*(G) = N(\kappa_0) + N(\alpha_1) + N(\kappa_i) + N(\alpha_1)\,N(\alpha_i) + N(\kappa_j) + N(\alpha_1)\,N(\alpha_j) + \dots + N(\kappa_{ij}) + N(\alpha_1)\,N(\alpha_i)\,N(\alpha_j) + \dots \tag{15}$$
where it has been assumed that the function α_1 has to be evaluated only once. A comparison of eqs. (14) and (15) reveals that the computational effort using modularization decreases substantially as the number of potential cut-sets of the functions departs from one. This reasoning can be applied to conjunctions between the other modular functions α_r, α_s, ... and other gate events outside the tree branch under gate G as well. Such conjunctions can exist explicitly as an "AND" gate in the given form of the tree or can represent an intermediate stage in a cut-set enumeration algorithm. According to the above arguments, the selection of supermodules can be carried out by investigating the "AND" and "n out of m" gates with more than one gate input, in decreasing order of their potential numbers of cut-sets. A supermodule is constructed
with the subtree of the input which has the largest potential number of cut-sets, unless its modular set is not disjoint from the modular sets of the supermodules selected before, which makes this impossible. The remaining modular functions are defined again as those events of the subtree which are inputs of gates outside the subtree. When no more supermodules can be found in this way, the procedure is applied within each supermodule. It then leads to a set of supermodules of a lower hierarchical level and is continued until no more nontrivial supermodules can be found. This selection procedure is probably not an optimal strategy in many cases, but its efficiency has been justified by the above reasoning. It can be carried out in a very fast and easy way, whereas the application of some other procedures might not be justified for the general case or might involve time-consuming search procedures.
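The selection strategy just described, as an added Python example that is not part of the paper or of TREEMOD: it runs one hierarchical level of the strategy on a small constructed fault tree ("AND" gates only; "n out of m" gates and the recursion into lower levels are left out). The tree, its gate names and the component names are constructed for the example.

```python
"""Added example, not the paper's TREEMOD code: one hierarchical level of the
supermodule selection strategy of section 6 on a constructed fault tree
("AND" gates only; "n out of m" gates are not handled)."""
import math

# Constructed tree: gate -> (type, inputs). Names not in TREE are components.
TREE = {
    "TOP": ("AND", ["G1", "G2"]),
    "G1": ("OR", ["A", "B", "H1"]),
    "H1": ("AND", ["C", "D"]),
    "G2": ("OR", ["E", "H2"]),
    "H2": ("AND", ["F", "H1"]),      # H1 is shared by both branches of TOP
}

def potential_cutsets(event):
    """Potential number of cut-sets: a component counts one, an "OR" gate
    adds and an "AND" gate multiplies the counts of its inputs."""
    if event not in TREE:
        return 1
    kind, inputs = TREE[event]
    counts = [potential_cutsets(x) for x in inputs]
    return sum(counts) if kind == "OR" else math.prod(counts)

def branch(event):
    """All gates and components in the tree branch under `event`, inclusive."""
    nodes = {event}
    for x in TREE.get(event, (None, []))[1]:
        nodes |= branch(x)
    return nodes

def select_supermodules():
    """Visit "AND" gates with more than one gate input in decreasing order of
    their potential number of cut-sets; the input with the most potential
    cut-sets defines a supermodule if its modular set is disjoint from those
    chosen before. Returns (root gate, modular set, modular functions)."""
    feeds = {}                                   # event -> gates it is an input of
    for gate, (_, inputs) in TREE.items():
        for x in inputs:
            feeds.setdefault(x, set()).add(gate)
    candidates = [g for g, (kind, inputs) in TREE.items()
                  if kind == "AND" and sum(x in TREE for x in inputs) > 1]
    candidates.sort(key=potential_cutsets, reverse=True)
    chosen, taken = [], set()
    for g in candidates:
        root = max((x for x in TREE[g][1] if x in TREE), key=potential_cutsets)
        sub = branch(root)
        modular_set = frozenset(x for x in sub if x not in TREE)
        if modular_set & taken:
            continue                             # would overlap an earlier supermodule
        # modular functions: the root output plus every event of the branch
        # that is also an input of a gate outside the branch
        functions = frozenset({root} | {x for x in sub - {root} if feeds[x] - sub})
        chosen.append((root, modular_set, functions))
        taken |= modular_set
    return chosen
```

For this tree the only candidate is TOP; its input G1 (three potential cut-sets against two for G2) becomes the supermodule root, and H1 is picked up as a second modular function because it also feeds H2 outside the branch.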
7. Algorithm for the modular evaluation of fault trees
The algorithm which is presented now has been implemented in the computer code TREEMOD, which forms part of the program system RISA [15]. Apart from standard modules, whose search and evaluation have already been described in [10], it now handles supermodules according to the selection algorithm presented above and evaluates them using the principles of the third evaluation method. Its application will be demonstrated using the fault tree of fig. 6. This fault tree has been evaluated before in [3] with the second evaluation method and has been chosen because no modules were found with the search algorithm described in [10]. Furthermore, it contains a large number of possible cut-sets despite its relatively small size. The first supermodule selected according to the strategy proposed in section 6 consists of the elements of the tree branch under gate 02E, which is one of the gates with the maximum number of potential cut-sets entering an AND-gate (an "n out of m" gate is a disjunction of AND-gates). The modular functions are characterized by the outputs of gates 02E, G06 and G05 (a third-order supermodule). No other disjoint supermodules can be found by the algorithm at this hierarchical level. The application of the selection algorithm within the supermodule thus obtained gives the supermodule under gate G05 with modular functions equivalent to the outputs of gates G05, 10X, 10Y and 10Z. No more disjoint supermodules are found at the second hierarchical level. At the third hierarchical level the supermodule under gate 09Z with modular functions 09Z, 10Z, 01, 02 and 03 is selected. No other disjoint supermodules can be found by the algorithm. The algorithm stops at this hierarchical level because modularization of the subtree under gate 10Z would not reduce the evaluation effort, since no other gates enter gate 10Z and the supermodules under gates 15Z, 16Z and 17Z are trivial. The evaluation algorithm, which uses a top-down development method, follows the depth-first evaluation strategy partially represented in fig. 7. In order to avoid complications in the graph, the last supermodule has not been considered. The undirected edges between the nodes of the graph connecting one level with the next mean that the combination of modular functions at the lower level is found during the development of the combination at the higher level. The order followed in the evaluation of the combinations is given by the numbering sequence of the nodes. A discontinuous directed edge between two nodes means that the combination at the starting point of the edge is a subset of the combination at the end point, and therefore the cut-sets of the subset were used to speed up the evaluation of the combination at the end point. When the evaluation sequence of the combinations goes upwards, this means that a combination has already been evaluated by introducing into its cut-sets the results obtained from the evaluation of the combinations downwards, which are connected with the corresponding node by undirected edges. If the numbering of two connected nodes is such that the number of the lower node is smaller, this means that, by the time the higher node is evaluated, the combination corresponding to the lower node has already been evaluated and the result can subsequently be used. The process ends when every node has been evaluated. At that stage, an upper bound for the failure probability of the system is known. During the development of the structure function corresponding to every node of the graph a quantitative cut-off procedure can be used.
It eliminates those terms that make a small contribution to the desired reliability parameter of the function. This parameter can be its unavailability or its failure frequency density, from which its failure probability can be estimated. A conservative estimate of the unavailability U_i or the failure frequency density h_i of a partially developed term i can be computed from the reliability parameters of the components it contains. Should the term also contain modular functions or products of them that have been quantified already, they are taken into account for the estimate too. On the other hand, probabilities of one are assumed for any other parts of the term, i.e. gate events or nonquantified modular functions or products of them.
[Fig. 6. Fault tree example 2.]
The unavailability and failure frequency density of a term i, estimated according to its quantified parts 1, 2, ..., j, are calculated as follows:
$$U_{i,j} = \prod_{k=1}^{j} U_k, \qquad h_{i,j} = \sum_{k=1}^{j} h_k \prod_{\substack{l=1 \\ l \neq k}}^{j} U_l$$
If the estimate for one term is smaller than a certain cut-off criterion, then the term is eliminated and this
[Fig. 7. Depth-first evaluation graph for the fault tree example 2.]
estimate is used to calculate a conservative estimate of the total contribution of all the eliminated terms to the desired parameter for the structure function of the node. The corresponding estimate for the whole system can be derived from the contributions of the terms eliminated at every node. A more detailed description of the cut-off procedure used is given in refs. [10] and [16]. Using the failure probabilities of the components given in [3], the estimated value for the top event is 2.18 × 10^-5. No cut-off procedure, which would be applied in general, has been used. This value might include the contribution of nonminimal cut-sets. A demodularization process permits them to be eliminated and also yields the dominant minimal cut-sets of the system, which are more valuable information. Experience shows that the demodularization can be performed much faster by a top-down algorithm than a normal cut-set enumeration of the tree, because the intermediate stages of the development, which now are products of modular functions rather than of gates, have been evaluated before and a cut-off criterion is highly efficient. The entire evaluation process described calculates the 82 further relevant minimal cut-sets of the tree, which give a failure probability of 1.944 × 10^-5 considering the first term of the inclusion-exclusion method. The cut-off part is estimated to be less than 1.26 × 10^-7. The computing time on a Cyber 170-835 was 3 s.
In the light of the arguments presented, the following evaluation procedure is proposed:
- Search for standard modules and obtain as fine a decomposition as possible. Start the evaluation with the lowest-level standard modules and use the results obtained for evaluating higher-level modules until the entire system has been evaluated.
- If, in separately evaluating these independent subsystems, cut-sets have to be obtained because the structure function of the subsystem is either prime or no finer standard modular decomposition can be achieved with the search methods available, then the following algorithm, which is applicable to any independent coherent structure function, is used. It can be summarized in the following way:
I. Select supermodules.
II. Call "development procedure (top event, 0)".
III. Perform demodularization and minimalization in order to get the minimal cut-sets of the structure function.
IV. End.
Development procedure (i, n): (estimates reliability parameters for the event or product of events i)
I. Check if the procedure was called before with the same parameters and, if so, return the former results.
II. Set the stopping conditions, defined as the modular functions of the supermodules of hierarchical level n + 1.
III. Search for previous results of the procedure for the largest possible subset j of i at hierarchical level n.
IV. Perform a top-down development of set i until the stopping conditions are found. If a subset j was found at step III, use the results for j to speed up the development of set i. A family K of partially and completely developed cut-sets will be obtained.
V. For all supermodules at hierarchical level n + 1, search and sort the different modular functions or products of modular functions of the same supermodule that are present in the cut-sets of family K, and form with them the family J.
VI. For all j ∈ J call "development procedure (j, n + 1)" and use the results obtained to recalculate all k ∈ K with j ⊂ k.
VII. Obtain the reliability parameters for set i from the reliability parameters of the members of family K.
VIII. Store family K and the reliability parameters of set i for future use in the demodularization process and in steps I and II.
IX. End.
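The development procedure above together with the cut-off estimate of section 7, as an added Python example that is not the paper's or TREEMOD's code: it develops a small constructed fault tree top-down only as far as the modular functions of one supermodule, develops each distinct product of modular functions once inside the supermodule, and screens partially developed terms with U_{i,j} = ∏ U_k before quantifying them with the first term of the inclusion-exclusion expansion. The tree and the component unavailabilities are constructed; failure frequency densities and lower hierarchical levels are not handled.

```python
"""Added example, not the paper's TREEMOD code: one level of the development
procedure. The top event is developed only until the modular functions of the
supermodule are reached (eq. 13), each distinct product of modular functions is
developed once inside the supermodule, and partially developed terms are
screened with the estimate U_{i,j} = prod U_k (modular functions taken as 1)."""
import math
from itertools import product

# Constructed tree: gate -> (type, inputs). Names not in TREE are components.
TREE = {
    "TOP": ("AND", ["G1", "G2"]),
    "G1": ("OR", ["A", "B", "H1"]),   # branch under G1: modular set {A, B, C, D}
    "H1": ("AND", ["C", "D"]),        # H1 also feeds H2, a gate outside the branch
    "G2": ("OR", ["E", "H2"]),
    "H2": ("AND", ["F", "H1"]),
}
MODULAR = {"G1", "H1"}                # modular functions alpha_1 = G1, alpha_2 = H1
U = {"A": 1e-3, "B": 2e-3, "C": 1e-2, "D": 1e-2, "E": 5e-2, "F": 1e-1}  # constructed

def minimize(terms):
    """Drop products that contain another product (non-minimal cut-sets)."""
    return {t for t in terms if not any(o < t for o in terms)}

def develop_product(events, stop=frozenset()):
    """Sum of products of the conjunction of `events` (an "AND" of them)."""
    families = [develop(e, stop) for e in events]
    return minimize({frozenset().union(*combo) for combo in product(*families)})

def develop(event, stop=frozenset()):
    """Top-down development of `event`: gates are expanded until a component
    or a stopping event (a modular function of the next level) is reached."""
    if event in stop or event not in TREE:
        return {frozenset([event])}
    kind, inputs = TREE[event]
    if kind == "AND":
        return develop_product(inputs, stop)
    return minimize(set().union(*(develop(x, stop) for x in inputs)))

def rare_event(cutsets):
    """First term of the inclusion-exclusion expansion: an upper bound."""
    return sum(math.prod(U[c] for c in cs) for cs in cutsets)

def evaluate(top, cutoff=0.0):
    """Return (upper bound on P(top), bound on the contribution cut off).
    Each term k = K-part * alpha-product is quantified as P(K-part) times
    P(alpha-product); the factors are independent because the K-part holds
    no component of the modular set."""
    bound, cut_off, cache = 0.0, 0.0, {}
    for term in develop(top, MODULAR):
        alphas = frozenset(c for c in term if c in MODULAR)
        k_estimate = rare_event({term - alphas})    # unquantified alphas = 1
        if k_estimate < cutoff:
            cut_off += k_estimate                    # conservative bound on loss
            continue
        if alphas not in cache:                      # step I: reuse former results
            cache[alphas] = rare_event(develop_product(sorted(alphas)))
        bound += k_estimate * cache[alphas]
    return bound, cut_off
```

With no cut-off the modular result equals the bound obtained from a full enumeration of the four minimal cut-sets (AE, BE, CDE, CDF); with a cut-off criterion the dropped term's conservative estimate is reported alongside the remaining bound.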
8. An example
Since the presentation of complex fault trees cannot be accomplished here for technical reasons, we just report our experience with the relatively complicated fault tree for a part of a reactor protection system presented in [3]. This tree contains more than 10^30 cut-sets, of which approximately 1.1 × 10^7 are minimal. The fault tree is so highly interlinked that its modularization by standard procedures leads to an only slightly simplified tree which still contains more than 10^26 cut-sets and cannot be evaluated in a reasonable period of time. However, if supermodules are not excluded from the algorithm, the 272 most probable minimal cut-sets are obtained in 41 s, giving a top event probability of 1.0446 × 10^-5 and estimating the contribution of the neglected cut-sets to be less than 1.097 × 10^-9. In the demodularization process, only 1.5 s of computing time were consumed. Eight supermodules of order between 3 and 11 were selected automatically and a total of 219 products of modular functions were evaluated separately. Satisfactory results have also been obtained in safety studies from the international use of this code with larger systems.
9. Concluding remarks
The modularization theory presented is quite general and includes any other module concept for binary systems presented to date. Nevertheless, attention was especially focused on coherent systems, for which the proposed evaluation algorithm was developed. It would, however, not be especially difficult to extend it to the evaluation of other types of systems. This algorithm was implemented in the computer code TREEMOD and its usefulness was proved in cases where standard modularization techniques do not give successful results. It has to be emphasized that the third evaluation method, presented in section 5.3, allows supermodules of almost every order to be handled efficiently (up to 11 in the last example), always with less computational effort than a normal cut-set development. This is its most important property, because it offers great freedom in the selection of supermodules. A further improvement of the selection methods with the aim of optimizing the global efficiency of the evaluation process can be a point for future work.
Acknowledgement
One of the authors, Javier Yllera, would like to express his gratitude to the German Academic Exchange Service for the financial support of his stay at the Technical University of Berlin.
References
[1] J.B. Fussell et al., MOCUS, a computer program to obtain minimal sets from fault trees, Aerojet Nuclear Co., ANCR-1156 (August 1974).
[2] P.K. Pande et al., Computerized fault tree analysis: TREEL and MICSUP, Operational Research Center, University of California, Berkeley, ORC 75-3 (April 1975).
[3] L. Caldarola and A. Wickenhäuser, The Boolean algebra with restricted variables as a tool for fault tree modularization, KfK 3190, EUR 7056e (August 1981).
[4] Z.W. Birnbaum and J.D. Esary, Modules of coherent binary systems, SIAM J. 13, No. 2 (June 1965) 444-462.
[5] L.S. Shapley, Compound simple games III. On committees, The RAND Corporation, RM-5438-PR (October 1967).
[6] L.J. Billera, On the composition and decomposition of clutters, J. Combinatorial Theory 11 (1970) 41-48.
[7] L.J. Billera, Clutter decomposition and monotonic Boolean functions, Ann. NY Acad. Sci. 175 (1970) 41-48.
[8] P. Chatterjee, Modularization of fault trees: a method to reduce the cost of the analysis, in: Reliability and Fault Tree Analysis (SIAM, Philadelphia, 1975) pp. 101-126.
[9] J. Olmos and L. Wolf, A modular representation and analysis of fault trees, Nucl. Engrg. Des. 48 (1978) 531-561.
[10] L. Camarinopoulos and J. Yllera, An improved top-down algorithm combined with modularization as a highly efficient method for fault tree analysis, Reliability Engrg. 11 (1985) 93-108.
[11] T.L. Chu and G. Apostolakis, Method for probabilistic analysis of noncoherent fault trees, IEEE Trans. Reliability R-29, No. 5 (December 1980) 354-360.
[12] J.C. Hudson and K.C. Kapur, Modules in coherent multistate systems, IEEE Trans. Reliability R-32, No. 2 (June 1983) 183-185.
[13] L. Caldarola, Coherent systems with multistate components, Nucl. Engrg. Des. 58 (1980) 127-139.
[14] A.V. Aho, J.E. Hopcroft and J.D. Ullman, The Design and Analysis of Computer Algorithms (Addison-Wesley, Reading, Massachusetts, 1975) pp. 171-223.
[15] L. Camarinopoulos and A. Becker, Description of program system RISA, Version 3.8, CD Manual (November 1981).
[16] L. Camarinopoulos and G. Richter, KARI - ein neues analytisches Programm zur Berechnung von Zuverlässigkeitsmerkmalen technischer Systeme, Angewandte Informatik (December 1975) 529-533.