Calculating exact top-event probabilities using ΣΠ-Patrec


Reliability Engineering and System Safety 50 (1995) 253-259

ELSEVIER

0951-8320(95)00088-7

© 1996 Elsevier Science Limited Printed in Northern Ireland. All rights reserved 0951-8320/95/$9.50

A. Sharif Heger (a), Jayaram K. Bhat (a), Desmond W. Stack (b) & Dale V. Taibott (b)

(a) University of New Mexico, FEC 247, Albuquerque, NM 87131-1341, U.S.A.
(b) Los Alamos National Laboratory, TSA-11, Los Alamos, NM 87545, U.S.A.

(Received 15 April 1995; accepted 22 August 1995)

In this paper a method for calculating top-event exact probability is presented. The method combines the ΣΠ algorithm of Corynen and the pattern recognition scheme of Koen et al. The PC-based program that is based on this method is called ΣΠ-Patrec and computes the exact probability of the top-event of a system fault tree model as defined by its cut sets. The ΣΠ module of the program partitions and disjoints the cut sets and solves the resultant sub-models recursively. The pattern recognition module of the code reduces the computational complexity by recognizing repeated sub-models in the calculation process and thus avoiding repeated evaluations. ΣΠ-Patrec can evaluate both coherent and incoherent fault trees. The input to ΣΠ-Patrec is a collection of cut sets in disjunctive normal form and need not be minimal. The description of the algorithm is presented through an example problem. The results of several experiments with large accident sequences are also presented.

1 INTRODUCTION

In this paper, a method for the exact calculation of top-event probabilities is presented. The method has its foundation in the ΣΠ method of Corynen [1] and pattern recognition scheme of Koen et al. [3] The former is based on Shannon's theorem of pivotal decomposition [4], while the latter has its foundation in dynamic programming. The input to ΣΠ-Patrec is a set of cut sets in disjunctive normal form (DNF) generated by other codes such as SETS or SABLE [5,6]. ΣΠ-Patrec converts the set into its own sparse-matrix representation for disjointing and partitioning the cut sets and subsequent calculation of the top-event probability.

Given a fault tree model of a system, its top-event Ell can be represented as the union of cut sets ZII of the system. Each minimal cut set is composed of the Boolean product of several binary basic events YII. With this representation, the probability of the top-event equals:

Using the inclusion-exclusion rule, the exact value of the top-event may be calculated. For large problems, however, this method may not be computationally feasible, as the number of terms in the rule increases exponentially with the number of minimal cut sets. To alleviate this difficulty, several variations of the inclusion-exclusion method, such as 'rare-event approximation' and 'min-cut upper-bound' methods, have been developed and used extensively in probabilistic risk assessment (PRA) applications. As long as the basic event probabilities are small, these methods provide reasonably accurate estimates of top-event probability. They provide fast and fairly accurate estimates of the top-event probability for fault tree models with large numbers of minimal cut sets. With large basic event probabilities, however, such as those representing human factors, these methods can lead to inaccurate values, and, potentially, misleading results.

Several methods to calculate the exact top-event probability also exist [1,7-9]. In general, this class of methods is mostly limited to small fault trees or require special computing environments to handle large problems. For example, ΣΠ [1] was originally designed to run on a Cray. Koen and others pioneered the method of direct evaluation in the 1970's and 1980's [3]. Probably the most extensive research in this area is that of Page & Perry [7,8], who have investigated direct evaluation methods for top-event evaluation in a microcomputer environment. ΣΠ-Patrec offers a PC-based program that is based on the original ΣΠ algorithm [1], augmented with the pattern recognition scheme to reduce computational demand [3].

The basic foundation of ΣΠ is to transform the set of cut sets into another set of mutually exclusive events (MEE) and then reduce the top-event probability evaluation to a simple summation given as:

$$P(T) = \sum_{j} P(MEE_j). \qquad (2)$$

To this end, ΣΠ partitions the fault tree model into weakly interacting sub-problems and then disjoints them. Once the original problem is completely converted to a set of MEE's, ΣΠ uses eqn (2) to calculate the exact top-event probability. The partition of the matrix representing the cut sets is a key step in the evaluation process, since it creates matrices with null intersections; thus, they meet the condition of mutual independence. The partitioning and subsequent disjointing processes reduce the scope of the evaluation to smaller sub-matrices and subsequently solve them in polynomial time rather than exponential time.

During these operations, several MEE's can be repeated. Depending on the structure of the fault tree model, these repetitions can represent a significant portion of the calculation. To avoid the unnecessary computation, the pattern recognition module keeps track of the MEE's that are created by the disjoint operation. If a repeated pattern is detected, the partitioning and disjointing operations cease and the MEE is replaced by the value from a lookup table maintained by the pattern recognition module.

2 THE ΣΠ MODULE

A fault tree model of a system can also be viewed as a matrix of the cut sets, as shown in Fig. 1. Each row of the matrix corresponds to one of the cut sets (S), which may not be minimal; each column of the matrix corresponds to the basic events in the system (C), and each cell of the matrix represents the state (E) of a basic event in a given cut set. The value of E can be 0, 1, or -, where '0' represents a basic event in its failed state, and '1' represents a basic event in its operating state. A '-' represents an indifferent status [2], i.e., the basic event is not a member of the cut set. Internally, ΣΠ-Patrec stores the matrix using a method similar to adjacency matrices used for representing graphs [10].

[Figure: matrix with rows S1, ..., Sm (cut sets), columns C1, ..., Cn (basic events) and cells Eij.]
Fig. 1. System fault tree represented as a matrix of cut sets.

To evaluate the exact top-event probability, a divide-and-conquer strategy is pursued by which the set of cut sets {S_i: i = 1,2,...,m} is transformed to an equivalent set of mutually exclusive events {MEE_j: j = 1,2,...,n}, with n ≥ m. Consequently, the evaluation of the top-event probability reduces to the arithmetic sum of the probability of these MEE's:

$$P(T) = P\left(\bigcup_{i=1}^{m} S_i\right) = \sum_{j=1}^{n} P(MEE_j) \qquad (3)$$

The transformation of the cut sets into the set of disjoint events has its foundation in Shannon's method [1,4,11], which is a general expansion technique and is applicable to any Boolean expression. According to this method, a Boolean function of m variables can be expanded about one, two, or all of the variables. For example, consider a collection of m Boolean variables, say the basic events (C) of a system, and a structure function, φ, of these variables, φ(C1,C2,...,Cm) that represent the top event. Shannon's method states that this structure can be expanded along any variable, Ci, as follows:

$$\phi(C_1,C_2,\ldots,C_m) = C_i\,\phi(C_1,C_2,\ldots,C_{i-1},1,C_{i+1},\ldots,C_m) + \bar{C}_i\,\phi(C_1,C_2,\ldots,C_{i-1},0,C_{i+1},\ldots,C_m) \qquad (4)$$

Equation (4) can further be expanded about all of its variables. When completely expanded, Z I I terms, which are disjoint and consist of a min-term and a coefficient, will be formed. The min-terms represent the product of Xi's and their complements. The coefficients represent the structure function evaluated with either ones or zeros corresponding to the occurrence or non-occurrence of ZH. For example, let φ(C1,C2,C3,C4) = C1C2 + C3C4 represent the top event of a simple system. Using Shannon's method, this expression can be expanded as follows:

$$\begin{aligned}
\phi(C_1,C_2,C_3,C_4) &= C_1(C_2 + C_3C_4) + \bar{C}_1(C_3C_4) \\
&= C_1C_2(1 + C_3C_4) + C_1\bar{C}_2(C_3C_4) + \bar{C}_1(C_3C_4) \\
&= C_1C_2 + C_1\bar{C}_2C_3C_4 + \bar{C}_1C_3C_4
\end{aligned}$$

The resultant events are mutually exclusive and the top-event probability may be calculated as:

$$P(T) = P(C_1C_2) + P(C_1\bar{C}_2C_3C_4) + P(\bar{C}_1C_3C_4).$$
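The pivotal decomposition and lookup-table recall described above, as an added Python example (not the authors' ΣΠ-Patrec code), run on the seven cut sets of the page's eqn (5) and checked against full state enumeration and the two approximations named in the introduction. Assumptions: the basic-event probabilities (0.5 each) are constructed, the pivot is chosen by occurrence count as a stand-in for the paper's reachability criterion, partitioning into independent sub-matrices is omitted, and all function names are hypothetical.

```python
import math
from collections import Counter
from itertools import product

FAILED, OK = 0, 1          # cell states as on the page: '0' failed, '1' operating

def cs(*components):
    """Coherent cut set: every listed component in its failed state."""
    return frozenset((c, FAILED) for c in components)

# Eqn (5) of the page; the probabilities are constructed sample values.
EQ5 = [cs(1, 3, 4), cs(1, 2, 4), cs(1, 2, 3), cs(1, 5, 7),
       cs(1, 6, 7), cs(5, 8, 9), cs(6, 8, 9)]
Q = {c: 0.5 for c in range(1, 10)}   # P(component c is failed)

def cut_prob(cut, q):
    """Probability of a product of independent literals (component, state)."""
    return math.prod(q[v] if st == FAILED else 1.0 - q[v] for v, st in cut)

def reduce_cuts(cuts):
    """Identity rule (drop cut sets holding C and not-C), then subsumption."""
    ok = {s for s in cuts if not any((v, 1 - st) in s for v, st in s)}
    return frozenset(s for s in ok if not any(t < s for t in ok))

def exact(cuts, q, memo, stats):
    """P(union of cut sets) by Shannon expansion about a pivot, memoized."""
    cuts = reduce_cuts(cuts)
    if not cuts:
        return 0.0                      # null matrix
    if frozenset() in cuts:
        return 1.0                      # a fully satisfied cut set remains
    if cuts in memo:                    # repeated pattern: recall, do not split
        stats["recalled"] += 1
        return memo[cuts]
    stats["solved"] += 1
    counts = Counter(v for s in cuts for v, _ in s)
    pivot = max(sorted(counts), key=counts.get)   # assumption: most frequent
    total = 0.0
    for state in (FAILED, OK):          # the two branches are mutually exclusive
        branch = [s - {(pivot, state)} for s in cuts
                  if (pivot, 1 - state) not in s]
        total += cut_prob({(pivot, state)}, q) * exact(branch, q, memo, stats)
    memo[cuts] = total
    return total

def solve(cuts, q):
    stats = {"solved": 0, "recalled": 0}
    return exact(cuts, q, {}, stats), stats

def rare_event(cuts, q):
    return sum(cut_prob(s, q) for s in cuts)

def min_cut_upper_bound(cuts, q):
    return 1.0 - math.prod(1.0 - cut_prob(s, q) for s in cuts)

def brute_force(cuts, q):
    """Reference value: enumerate all 2^n component states."""
    names = sorted(q)
    total = 0.0
    for states in product((FAILED, OK), repeat=len(names)):
        world = set(zip(names, states))
        if any(s <= world for s in cuts):
            total += cut_prob(world, q)
    return total

if __name__ == "__main__":
    p, stats = solve(EQ5, Q)
    print(f"exact={p:.7f} brute={brute_force(EQ5, Q):.7f} {stats}")
    print(f"rare-event={rare_event(EQ5, Q):.4f} "
          f"min-cut bound={min_cut_upper_bound(EQ5, Q):.4f}")
```

With these large basic-event probabilities the rare-event sum and the min-cut upper bound both overshoot the exact value, which is the situation the introduction warns about.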

[Figure: flow chart. Recoverable box labels: START; Read user specified input files; Read the cutset expression and convert it to the sparse matrix representation; Remove any non minimal cutsets; Factor any components that have a '0' or a '1' in every cutset in the sparse matrix; Initialize data stack, value stack and search list; Push matrix into data stack for disjointing; Pop matrix from data stack; Can the matrix be evaluated without disjointing it?; Push the value of the matrix to the value stack; Insert matrix to search list for pattern recognition; Make a copy of the matrix, mark it as visited and push it onto the data stack for future evaluation; Pop the probabilities of the solved child matrices from value stack and push their sum to the value stack; Evaluate and display top-event probability; Free up the memory allocated by the code; STOP.]
Fig. 2. Flow chart for ΣΠ-Patrec.

The flow chart in Fig. 2 shows the implementation of this method in ΣΠ. Initially, the code establishes a library of basic events, the cut sets, and repeated patterns. For reduced memory allocation, the cut sets are stored using the sparse matrix representation and hash tables. Non minimal cut sets are also removed using the Boolean identity and subsumption operations. At this stage, the matrix is ready for disjointing and subsequent evaluation. Before the process commences, two events take place. First, the pattern recognition module is invoked to explore if the matrix has been evaluated. If so, the value of the matrix is returned and the evaluation of that matrix is circumvented. Otherwise, the disjointing module is invoked which is responsible for splitting the matrix into two parts.

Prior to disjointing the cut sets, ΣΠ finds the set of basic events that can be clustered together to minimize the size and number of the resultant sub-matrices. To affect this clustering, a 'pivot' must be selected. A pivot is defined as a component that either it or its complement appears in all of the cut sets. If such a condition does not exist then an optimal component is selected that has largest access to the cut set using the graph-theoretic reachability argument. Once the pivot is selected, the matrix is disjointed based on Shannon's theorem. The sub-matrices are pushed on a data stack for further evaluation. The resultant sub-matrices are first subject to removal of all common factors among its cut sets. After this factorization, the Boolean subsumption and identity rules are applied to remove the cut sets that are not minimal. If the reduced matrix is a null, one of the stopping criteria of the ΣΠ code is met and the partition process terminates. If the resultant matrix contains only one or two cut sets, the other stopping criteria are met, the matrix is evaluated and its value is pushed on the value stack for future use. Following this evaluation, the code visits all of the unevaluated matrices using the in-order traversal method. Once all of the matrices have been disjointed, the evaluation process begins. ΣΠ evaluates each MEE and combines the results using eqn (4) to calculate the exact probability of the top-event.

3 THE PATTERN RECOGNITION (PATREC) EXTENSION

ΣΠ is based on a divide-and-conquer algorithm which can theoretically reduce the computational demand through a decomposition process. For large problems, however, experience has shown that this technique can affect a rapid growth in the number of sub-matrices that must be evaluated. Without any intelligent scheme, this growth can lead to a similar complexity issue to that which ΣΠ was originally designed to overcome. To alleviate this secondary problem, ΣΠ-Patrec uses a variation of dynamic programming called memoization [10], which is similar to the original pattern recognition technique developed by Koen et al. [3] Using the memoization process, ΣΠ-Patrec memorizes and subsequently recalls all results computed. To achieve this, ΣΠ-Patrec maintains a table for the solution to each sub-matrix. When a sub-matrix is first encountered during the execution of ΣΠ-Patrec, its solution is computed and then stored in the table. Before further splitting of a matrix, the Patrec module is invoked to decide whether the matrix has already been evaluated. If so, the processing of the matrix terminates, the matrix is tagged with its values, and is pushed on a stack for the final top-event evaluation. If the matrix has not been evaluated, it is handed over to the partitioning and disjointing processes. This extension of ΣΠ with the Patrec module can result in better efficiency and in some cases reduction in complexity due to the fact that repeated evaluation of sub-matrices is avoided.

[Fig. 2. (Continued.) Recoverable box labels: Find the optimum component that can serve as the pivot; Split matrix into two along the component and push the sub-matrices to the data stack.]

4 EXAMPLE

The following example problem is intended to illustrate how ΣΠ-Patrec evaluates the exact value of the top-event. Let T, given by the following expression, represent the fault tree model of a system failure:

$$T = C_1 \cdot C_3 \cdot C_4 + C_1 \cdot C_2 \cdot C_4 + C_1 \cdot C_2 \cdot C_3 + C_1 \cdot C_5 \cdot C_7 + C_1 \cdot C_6 \cdot C_7 + C_5 \cdot C_8 \cdot C_9 + C_6 \cdot C_8 \cdot C_9. \qquad (5)$$

There are seven minimal cut sets and nine components in this expression. Therefore, the matrix representing this top event consists of seven rows and nine columns. The conceptual representation of the matrix is shown as matrix (0) in Fig. 3. A '0' entry corresponds to a component failure and a '-' entry indicates that the component does not appear in the cut set expression and, thus it 'does not care.' Therefore, the first row which represents C1·C3·C4 is equal to (0-00-----). Had the expression contained the complement of a basic event, it would have appeared as '1'.

After the initialization process, ΣΠ-Patrec converts eqn (5) to its sparse-matrix equivalent (data representation module in Fig. 2). Then, the factorization module is invoked to remove any component or its complement that appears in all cut sets (i.e., a '0' or '1' in all rows). In this example, there are no common components. Common '-'s are automatically eliminated in the data representation module. In the next step, the libraries for storage of matrix structures (data stack), corresponding values (value stack), and pattern recognition (search list) are created.

First, the resultant matrix is processed by factorization and reduction modules. Next, a pivot is found (partitioning process) to split the matrix into two disjoint parts (disjointing process). If a component or its complement appears in each and every cut set, it is reachable by all cut sets and, thus, it is an ideal pivot for disjointing the matrix. For this problem no component meets this criterion, therefore a component that has the highest reachability must be selected. To this end, C1 is selected as the pivot and the sub-matrices (2) (i.e., the sub-matrix associated with C1) and (1), corresponding to the complement of C1, are generated. ΣΠ stores the left-hand branch, i.e., (2), on the list stack for future evaluation. The right-hand side (i.e., matrix (1) of Fig. 3) is submitted for further processing.

Again matrix (1) is factorized and reduced to matrix (3). At this time, the Patrec module is invoked to

[Figure: the matrices generated from matrix (0) of the example by successive factorization, reduction and disjointing, with repeated matrices marked PATREC.]
Fig. 3. Computation of top-event probability by ΣΠ-Patrec.

determine whether the reduced matrix has been previously evaluated. In this example problem, matrix (3) has not been evaluated in prior steps, but it meets one of the stopping criteria. Matrix (3) is now evaluated and its structure and the product of its value and those of its common factors is stored by the Patrec module in its library. In addition, this value is pushed on the value stack for future use. Using the in-order traversal method, matrix (2) is visited next. Again the matrix is factorized, reduced, and disjointed (creating sub-matrices (4) and (5)) as described in the previous paragraph. This process continues until all of the branches of the tree are evaluated. Then, they are simply popped from the value stack and their values are summed up to arrive at the top-event value. Note that in this simple example, matrix (3) is repeated four times. These repetitions represent more than 15% of the matrices evaluated. Although these repeated matrices are admittedly trivial, in larger problems they can be large and their elimination can lead to significant savings in computation and storage requirements.

5 APPLICATION

The performance of ΣΠ-Patrec has been evaluated on various sample trees, including those from the accident sequence analysis for internally initiated events for Grand Gulf Unit 1 [12] and Patenaude [2]. Table 1 summarizes the performance of the code with and without the pattern recognition modules. The times given for ΣΠ reflect its performance on a Pentium with a 90-MHz processor, 16 MBytes of RAM and a math co-processor. Two important factors must be taken into account when comparing the performance data of ΣΠ with others. The input to ΣΠ is in the cut set (or minimal cut set) format and can include incoherent trees. ΣΠ interfaces with fault tree generation and evaluation code, SEATREE and SABLE, respectively. SEATREE is a graphic and user-friendly fault tree generation program and SABLE converts the data from SEATREE to a DNF form readable by ΣΠ. In cases where the cut sets were generated in the DNF format by SABLE, the time it takes to do this is included in the performance data in Table 1. In situations where the number of sub-matrices is not large, such as row two of Table 1, the computational overhead of the pattern recognition module could result in no gain in performance data.

Table 1. Computation speed of ΣΠ with and without the Patrec module

Case description:
1002 MCS and 79 basic events, coherent structure; Grand Gulf Risk Assessment Sequence 3-14 [12]
20 MCS and 38 basic events, coherent structure; Test 3 of Ref. 2
20 MCS and 28 basic events, incoherent structure; Test 4 of Ref. 2
144 MCS and 55 basic events, coherent structure; Grand Gulf Risk Assessment

Run time without pattern recognition (seconds) / Run time with pattern recognition (seconds): 38 34 33 53 1 1 66 2

6 CONCLUSIONS

There has been a surge in the application of PRA techniques to ecological and weapon safety assessments. In these domains, basic event probabilities can be large; events characterizing human error and some natural phenomena are typical examples. Current quantification techniques in PRA that are based on approximation methods can therefore be inappropriate in these cases and may lead to erroneous, overly conservative results. Specialized techniques for exact top-event probability quantification exist, but they are limited to small problems that do not reflect realistic problems in PRA. The method using ΣΠ-Patrec, described in this paper, is particularly attractive for evaluation of fault trees which incorporate basic events with large probabilities. ΣΠ-Patrec is also designed to quantify the fault tree models of both coherent and incoherent systems, and interfaces with the graphic package, SEATREE, for interactive generation of fault trees. In the expected case, the ΣΠ-Patrec method of evaluation of exact top-event probability is polynomial in the number of cut sets; it can, however, be weakly exponential in the worst case. In either case, this method results in a substantial reduction in computational requirements compared to the inclusion-exclusion method.

ACKNOWLEDGEMENT

The authors wish to express their gratitude to Donnie Whitehead and Gregory Wyss of Sandia National Laboratories for their technical support of this project.

REFERENCES

1. Corynen, G., Evaluating the response of complex systems to environmental threats: the ΣΠ method. UCRL-53399, Lawrence Livermore National Laboratory, CA, 1983.
2. Patenaude, C. J., SIGPI: A users manual for fast computation of the probabilistic performance of complex systems. NUREG/CR-4800, Nuclear Regulatory Commission, Washington D.C., 1988.
3. Koen, B. V. & Carnino, A., Calculation of system reliability by pattern recognition. Trans. Am. Nuclear Soc. Winter meeting, Washington D.C., 1973.
4. Vesley, W. E. & Goldberg, F. F., Fault tree handbook. NUREG-0492, Nuclear Regulatory Commission, Washington D.C., 1981.
5. Stack, D. W., A SETS manual for accident sequence analysis. NUREG/CR-3547, U.S. Nuclear Regulatory Commission, Washington D.C., 1984.
6. Daniel, S. L., Introduction to SABLE, Sandia National Laboratories, Albuquerque, NM, 1993.
7. Page, L. B. & Perry, J. E., Direct evaluation algorithms for fault-tree probabilities. Computers in Chemical Engng, 15 (1991) 157-169.
8. Page, L. B. & Perry, J. E., An algorithm for exact fault-tree probabilities without cut sets. IEEE Trans. Reliab., R-35 (1986) 48-50.
9. Patterson-Hine, F. A. & Koen, B. V., Direct evaluation of fault-trees using object-oriented programming techniques. IEEE Trans. Reliab., R-38 (1989) 186-192.
10. Cormen, T. H., Leiserson, C. E. & Rivest, R. L., Introduction to Algorithms, MIT Press, Cambridge, MA, 1990.
11. Barlow, R. E. & Proschan, F., Statistical Theory of Reliability and Life Testing Probability Models, Holt, Rinehart, and Winston, Inc., New York, 1975.
12. Drouin, M. T., Drouin, M. T., LaChance, J. L., Shapiro, B. J., Miller, S. & Wheeler, T. A., Analysis of core damage frequency: Grand Gulf, Unit 1 internal events. NUREG/CR-4550, Nuclear Regulatory Commission, Washington D.C., 1989.