- Email: [email protected]
Methods for the estimation of confidence bounds for the top-event unavailability of fault trees
Nuclear Engineering and Design 41 (1977) 4 1 1 - 4 1 9 © North-Holland Publishing Company
411
METHODS FOR THE ESTIMATION OF CONFIDENCE BOUNDS FOR THE TOP-EVENT UNAVAILABILITY OF FAULT TREES George APOSTOLAKIS and Yum Tong LEE Energy and Kinetics Department, School of Engineering and Applied Science, University of California, Los Angeles, California 90024, USA Received 26 July 1976
The estimation of confidence bounds for the probability of existence of the top event of a fault tree is the subject of this work. Given the uncertainties of the primary input data a method is described for the evaluation of the first two moments of the top event existence probability. These moments are then used to estimate confidence bounds by several approaches which are based on standard inequalities (e.g. Tchebycheff, Cantelli, etc.) or on empirical distributions (the Johnson family). Several examples indicate that the Johnson family of distributions yields results which are in good agreemerit with those produced by Monte Carlo simulation.
1. Introduction The evaluation of probabilities of rare events is of major importance in the quantitative assessment of the risk from large technological systems. In particular, for nuclear power plants the complexity of the systems, their high reliability and the lack of significant statistical records have led to the extensive use of logic diagrams in the estimation of low probabilities [1 ]. The two major methodologies which are based on logic are fault tree and event tree analysis. The merit of this approach is that it ultimately yields the probability QT that the event of interest exists as a function of the parameters Xi that determine the probabilities of existence of other, better understood, events. Thus, one can write QT =f(Xl ..... Xi ..... X n ) .
of QT from the given spreads of the values of X i. The common way of reporting these uncertainties is in the form of confidence bounds and section 2 reviews the literature on this subject. Section 3 contains the proposed methods of evaluating confidence bounds. Several definitions and the formulation of the problem are given in section 3.1, while sections 3.2 and 3.3 present methods based on inequalities and empirical distributions, respectively. The approaches of section 3 require knowledge of the mean and variance of QT and section 4 shows how these moments can be evaluated from the moments of the parameters of the primary inputs of a fault tree. Section 5 contains several applications of the proposed methods and, finally, section 6 summarizes the work of this paper.
(1)
The determination of this function is a relatively simple matter for event trees, while for fault trees it is quite cumbersome. Several common cases are presented in section 2. For the components and systems of interest in the quantitative risk assessment of nuclear power plants, the parameters Xi (e.g. the failure rates) have large uncertainties associated with them. It is natural then to seek to determine the uncertainty in the evaluation
2. Problem statement and current approaches Functions of several random variables of the form of eq. (1) appear in many areas of reliability evaluations, e.g. in the study of stress-strength models [2, 3]. This work will be concerned with such functions as they occur in fault tree analysis, although the general method of estimation of confidence bounds, as it will be described later, is not necessarily limited to this case.
412
G. Apostolakis, Y.T. Lee / Estimation of confidence bounds for top-event unavailability
Fault tree analysis is the major deductive method in quantitative risk assessments and it has been used extensively in probabilistic nuclear reactor safety studies [1,4-6]. The analysis begins with a well-defined undersirable event (e.g. the failure of a system to perform its intended function under given conditions) which is called the top event. The question that one attempts to answer, then, is 'how can the top event occur?'. In answering this question one proceeds to uncover the various combinations of 'simpler' events (e.g. subsystem and component failures), whose occurrence guarantees the occurrence of the top event. The analysis stops at the level at which the events are completely understood and quantitative information regarding their frequencies of occurrence is available. These events are called the primary inputs of the tree. The probabilistic analysis of fault trees is described in detail in the cited references. If the tree has k minimal cut sets and the probability of existence of the ith minimal cut set is Qi then a good conservative approximation (i.e. an upper bound) of the probability of existence of the top event QT is given by (rare-event approximation) k
QT "" ~ Qi.
(2)
i=1
A lower bound to QT can be given if eq. (2) is modified to include the probabilities Qij of the simultaneous existence of the ith and/th minimal cut sets, i.e. k
k-1
QT ~- ~ Q i - ~ i=1
k
~
i=1 /=i+1
Qii.
(3)
Due to the smallness of the contribution from the Qii, eq. (2) is almost always used in safety analyses. The evaluation of the individual Qi values must include the probabilities of existence of the events that constitute the minimal cut sets, possible dependencies, etc. The simplest case is when the ith minimal cut set consists of m i components, each of which is under an alternating renewal process with failure rate ki and mean-time-to-repair ri. Then the unavailability Qi is given by mi
Qi = 1-I
kjT"j
j=l l + X i r j
(4)
In most applications the products aid are very small
(less than 10 - 2 ) and eq. (4) is replaced by mi Oi m n . X/T/" /=l
(s)
It should be noted that the probabilities of eqs. (4) and (5) are asymptotic results which are reached very quickly. The time-dependent probabilities can be determined by the theory of Markov processes, if it is desired to do so. A frequent case in applications (e.g. in the study of the availability of the engineered safeguards of a nuclear power plant) is the determination of the Qi when the redundant components of the system are under periodic test and maintenance. Asymptotic expressions for the unavailabilities do not exist and the time-dependent results are too complicated (see ref. [7] for some general analytical expressions). It is common practice under these conditions to use average unavailabilities [1 ], i.e. the average of the time-dependent pointwise unavailabilities over the period (usually 720 hr) of the test or maintenance act. Expressions for the mean unavailability of various redundant systems are derived in refs. [2] and [8]. As an example, we consider a system with two redundant components and we assume that they are consecutively tested every T hours and the test time is r. Each component is disabled by the test. Under the usual assumptions regarding the magnitudes of the failure rates kl and X2 and the intervals Tand r. (i.e. 1/?,1, l/k2 > > T > > r), it can be shown that the average unavailability of the system is Q T ~-I- ~ k l k 2 T 2 + ~.2r.
(6)
Thus, the system has two minimal cut sets: {both components fail randomly during the time between inspections T} and {component 2 fails randomly during the test time r of component 1}. The terms of eq. (6) give the average probabilities of these two events, which can be identified as Q1 and Q2 ofeq. (2). Two comments are in order here. (i) It has been assumed in the derivation of eq. (6) that component 1 is tested first. There is a third minimal cut set, namely {component 1 fails randomly during the test time of component 2}, which is neglected in eq. (6), since its probability is much smaller than the retained terms [2,8]. (ii) Even if the components are nominally identical it is not allowed to set kl = k2 - k in eq. (6), be-
G. Apostolakis, Y.T. Lee / Estimation of conf, dence bound° for top-event unavailability
cause the failure rates will be treated as random variables, as will be discussed shortly. The only case where such a simplification is allowed is when a point estimate for QT is sought or when there is complete couling between the two components. Having determined the expressions for the top event unavailability, a major problem that arises is how to propagate the uncertainties in the parameters of the primary inputs to the top event. Murchland and Weber [9] have proposed a method for the evaluation of the mean and variance of the probability of existence of the top event of a fault tree. The tree must be simple in the sense that each primary input and the outcome of each gate are inputs to only one gate (the authors indicate, however, how trees that are not simple can be reduced to this form by boolean manipulation). The primary inputs are assumed to be statistically independent and the means and the variances of their existence probabilities to be known [expressions of average unavailabilities like that of eq. (6) are not considered]. From the mean and variance of the top event unavailability the authors suggest the derivation of confidence bounds using the Tchebycheff inequality. The approach taken by WASH-1400 [1 ], Appendices II and III, utilizes Monte Carlo simulation (computer code SAMPLE). The top event unavailability is expressed in the form of eq. (2) and each Qi is written as a function of the failure rates, test times, human error probabilities, etc. of the primary inputs, i.e. equations similar to eq. (6) are developed (as it is shown in ref. [8], there are some differences between the expressions of the report and the exact expressions of certain average unavailabilities, which, however, do not have a great impact on the results, due to the smallness of the numerical values of the unavailabilities and the order-of-magnitude accuracy that is
sought). The uncertainty in each of the parameters is expressed by fitting a lognormal distribution to the several values of that parameter, that are collected from various sources. A number of reasons are given in the report to argue that the appropriate distribution to be used for sparse data with a large assessed range is the lognormal distribution. These arguments are summarized in the statement that the lognormal distribution was chosen because 'it was flexible, it was consistent with reliability and data properties and it is a stan-
413
dardly employed and straightforward distribution' [11. Using the appropriate expressions for the unavailability of the top event and the lognormal distributions for the input parameters, a value for the unavailability of each primary input is selected randomly and the top event probability is calculated by the SAMPLE code. This process is usually repeated 1200 times and the resulting probabilities are ordered and the median value is determined as well as the 5% and 95% percentiles. When a distribution for the top event probability is needed, e.g. to be used in event-tree calculations, the lognormal distribution is again fitted to the points derived by the SAMPLE code.
3. Derivation of confidence bounds
3.1. Definitions The probability of existence of the top event, Qr, is the random variable for which we seek confidence bounds (in the Bayesian sense). Following the terminology of Lindley [10], we call the interval I~ the 100 ~ (Bayesian) confidence interval for Q'r if Pr (Or E I~) =/3,
(7)
where Pr denotes probability. In particular, we wiU be concerned with the 100/3% upper confidence bound U# for QT, in which case eq. (7) is written as
Pr(Qr ~
(8)
Notice that since Q'r is a probability, it is always nonnegative, so the interval of eq. (8) is actually twosided, i.e. 18 = (0, U#). The reason that we use Bayesian confidence intervals is that all the parameters of the problem (e.g. failure rates) are treated as random variables, as WASH-1400 proposes. The evaluation of confidence intervals would be trivial, if the probability density function (pdf) of Qx, f(QT), were known. In such a case, eq. (8) would be written as
J~'afx(x)dx =/3
(9)
o
and, given/3, U# is determined by solving eq. (9). This pdf, however, is very difficult to fend for a given fault
414
G. Apostolakis, Y.T. Lee / Estimation of confidence bounds for top-event unavailability
tree and we have to resort to approximate methods. Then, eq. (8) is written as Pr (aT <~ U#) >i 13
(10)
and Ua is called an approximate 100 t3% confidence bound for QT. In this paper two methods are proposed and compared for the derivation of bounds like eq. (10). The first method utilizes several inequalities and the second proposes an approximate pdf for QT. 3.2. Inequalities Conservative confidence bounds for a random variable X can be produced, if its first several moments are known. A useful and quite general inequality is that of Markov [1 I], i.e. Pr (--d < X - x o < d) ~> 1 ' - (Mr/dr),
(11)
where Mr is the rth absolute moment of the random variable X about Xo, i.e. E I X - Xolr, where E denotes expectation, and d is any positive number. When r = 2, the inequality reduces to the well-known Tchebycheff inequality, i.e. Pr(-d
x o~ 1 - (M2/d2).
(12)
The Tchebycheff inequality can be improved and written as [11,12]
M2-M] Pr (X < d) ~
d ~
and M2 - M]
Pr(X
d>~ml, (14)
where Xo in these inequalities is set equal to zero. These general inequalities can be improved further if additional information about the random variable is known. For example, if X is a positive random variable, and this is the case of interest to us, since QT is positive, then the inequality of eq. (14) can be improved as follows
MI M2 Pr(Xl-y, M, <<.d
(15)
Eqs. (13), (15) and (14) with a new range ford, i.e.
Mz/M 1 <<.d, are known as the Cantelli inequalities. It is evident that to use the above inequalities the first two moments of QT will be needed. If higher moments are known, and they are quite cumbersome to produce, the Markov inequality, eq. (11), can be used, or the inequalities given by Zelen [13]. 3. 3. Empirical distributions The second proposed method for estimating confidence bounds consists of selecting an approximate probability density function f x ( x ) and using eq. (9) to find U& The justification for the use of such distributions and a description of the commonly used Johnson and Pearson distributions can be found in Hahn and Shapiro [14]. The distribution that is proposed here is the Johnson SB distribution [ 14,15 ]. If the random variable X is confined in the interval ~<~X<~ +O,
(16)
where ~ and 0 are constants, and if the random variable V, where V=3'+61n ( OX - X ~+~ 1,
%~--const.,
(17)
is the standard normal variate, then X is distributed according to the Johnson S~ distribution. In other words, this distribution is based on eq. (17), which transforms the random variable of interest, X, into a standard normal variate. In general the S a distribution has four parameters, i.e. ~, 0, 7 and 8. In our case, however, X is the top event unavailability, QT, and since
o
(18)
we take =0
and 0 = 1 .
(19)
Thus, eq. (17) is written as V = 7 + 6 ln(1_ ~ T )
(20)
and the only parameters left are 6 and 7. Since V is a standard normal random variable the derivation of the Sa distribution is straightforward involving a simple transformation of variables through
G. Apostolakis, Y.T. Lee /Estimation of confidence bounds for top-event unavailability
415
eq. (20). Thus, we get
4. Evaluation of moments
1 fQT(QT) - V~-~'OQT(1 -- QT)QT
The problem that is addressed in this section is the evaluation of the mean and varianceof each parameter X i of eq. (1) are known. It should be pointed out that QT is not necessarily a linear function of the X i values, as eqs. (2) and (4) show. In order to propagate the moments we expand the function f(X1 ..... Xn) about the mean values of its arguments by a multivariable Taylor series, that is,
X exp(~(ln[(1-QT)/QTI-laQT}) .....
(21)
O~ T
where we have defined OQT ~ 1/6,
btQT= 7/8
(22)
and QT is bounded as in eq. (18). Notice that the S B distribution can be approximated by the lognormal distribution, if the values of QT greater than, say, 10 -2 have a negligible probability of occurrence, in which case we can approximate 1 - QT = 1
i=1
Z \ i= 1 ~ i
(23)
in eq. (21) and produce the lognormal density. Of course, in this case QT is theoretically unbounded on the right (this situation is similar to the justification of using the normal distribution as the failure distribution of components where the probability of negative times to failure is required to be negligible small). Besides having the correct range for QT [eq. (18)], the S B distribution is more flexible than the lognormal (for example, it can be bimodal, see fig. 6 - 3 of [14]). The parameters/dQT and OQT (or, 3' and 6) can be determined by moment matching, if the mean and variance of QT are known. Since simple analytical ex. pressions for the moments of the S B distribution are not available, the estimation of the parameters is done numerically within the program BOUNDS, which has been developed to implement the work of this paper [16]. In order to evaluate the upper bound Ua of eq. (9), we take advantage of the fact that the variable V of eq. (20) is the standard normal variate. Solving eq. (20) we get exp
.....
-
]
UI3= 1 + exp [(ko - 7)/~i1
(24)
where k# is the/3100th percentile of the standard normal distribution, e.g. ko.os = 1.645. The next section shows how the mean and variance of QT can be evaluated. These two moments are needed for the evaluation of confidence bounds in both the methods that were presented in this section.
.-1
( x i -- ~ ' i ) 2
~2f
.
+2 ~
~
i
- -
( X i - Y(i)(X]- )(])] +
i= I i=i+ i axiax.i
....
(25) where Xi is the mean of Xi and all the partial derivatives are evaluated at the mean values of the Xi values. To find the mean of QT we simply take the expectation of both sides of eq. (25) and we get
....
n--I
2
i=1
~//a2~ai) "
n
i= l /=i+ I axiax/
eI(Xi
-
(x/-
+ ....
(26) where
la2(Xi) = E[(Xi - ~-/)2 ] = variance of Xi and
E[(Xi - f(i)(X/ - ~'/)] = covariance of Xi and X/. This covariance is, of course, zero when the variables are uncorrelated. The variance of QT can be obtained from
la2(QT) = E(Q~r) - QTz ,
(27)
where E(Q~) can be obtained by squaring both sides of eq. (25) and taking the expected value. Thus, we get n
,=1 k a x i /
u2(xi)
416
G. Apostolakis, Y.T. Lee /Estimation o f confidence bounds for top-event unavailability n--1
+
n
2G
i=1 i=i+1 3Xi bXi
Ie[(x,
-
-
,j)] +
. . . .
(28)
This approach of Taylor series expansions is quite general and, in principle, it can be applied directly to a fault tree with Xi being the basic input parameters (e.g. the failure rates). However, for a general fault tree the calculations may become very cumbersome and the following stepwise precedure is preferable. The first step is to take advantage of the linearity of eqs. (2) or (3). To include all possibilities, we write
depend on the minimal cut set and the repair or inspection policies that are employed. The only information that is needed for each Zi is its mean and variance. Then, using eqs. (26) and (28) for the function of eq. (32), we get
m/
Yi = I1 2i
and U2(Y/) =/=~
m/-
Fn
QT = ~ SiYi,
(29)
i=l
if Yi is the probability of the simultaneous existence of any odd number of min cut sets, if Yiis the probability of the simultaneous existence of any even number of min cut sets.
1,
Si = - 1 ,
Thus, for eq. (2) we have m = n, Yi - Qi and Si = 1, i = 1 ..... n. The mean and the variance of QT a're now produced by using eqs. (26), (28) and (29), i.e.
1
\ Z i ,I
m/
+2 ~
i=1
where the Yi values are appropriately defined to be equal to the Qi and Qq values. Since we desire the Yi values to be probabilities, we have introduced the factors S i as
(33)
i=1
~
Yi 5 j E [ ( Z i - Z i ) ( Z k - 2k)]-(34)
k=i+l Z i Z k
As was mentioned above, the expression for each
Zi varies depending on the situation at hand. A few examples will illustrate the various possibilities. If the expression for Qx is given by eq. (6) we simply write QT = Y1 + Y2 ,
(35)
where YI = Z 1 Z 2 Z 3
,
Z2 ~ ~2 ,
~ ~kl,
(36)
Z3 - -~T2 ,
(37)
Z1
and (38)
Y2 =- Z4Zs ,
m
Q---T = ~
SiYi ,
(30)
i=1 m
~u2(av ) = ~
#2(Yi)
i=1 m--1
+2 ~
m
~
i=1 ]=i+ 1
SiSi E [ ( Y i - 17i)(Yi- Yt')]. (31)
These equations are exact, because higher order terms of eqs. (26) and (28) vanish due to the linearity of eq. (29). The next step involves the evaluation of the mean and variance of each Yi" In general, Yi has the form
mi Y/= I-I Z i ,
(32)
Z s ==- r
Z 4 ~ ~k2 ,
.
(39)
Notice that Za and Z s in the present case are not random variables and, consequently, their variances will be taken to be identically equal to zero in the calculations. Although only the moments of the various Zi values are needed in this work, in practice the parameters which determine the Zi values are usually given as being lognormally distributed [1 ]. The lognormal density function is 1
fz(z) - ~/-ff~OZ exp -
(In z - tt) 2 202
(40)
and the mean and variance are given by
i=1
where the Zi values represent basic inputs and they
2 = exp0/+ ~1 o 2) ,
/R2(Z) = 22rfl ,
(41,42)
417
G. Apostolakis, Y.T. Lee /Estimation of confidence bounds jor top-erent unavailability
Failure'I
where r72 = e a2 - 1. When Z is lognormally distributed, we write symbolically Z ~ A(p, o2).
System
(43)
Frequently, the evaluation of Yi involves the multiplication of lognormaUy distributed random variables. Because of the multiplicative properties of this distribution of Yi is also lognormal. Thus for eq. (36) we will have Y1 ~ A(~z1 +/aZ2 +/aZ3' O21 + O22) '
(44)
i
where o23 = 0, since Z 3 is not a random variable. The above approach applies also to eq. (5). If, however, the more exact eq. (4) is used, then, in order to conform with eq. (32), we must define
Zi - Xirl/(1 + ~kiTi).
(45)
The moments o f Z i can now be determined either by a Taylor series expansion of the function of eq. (45) or, in the case of lognormal Xi and r i, by using the distribution of Z i, which is [18]
1 g(zi)
- ~
OZi zi( l -- Zi)
e x p ( _ l {ln[(1--Zi)/Zi] +.IIZL}) 02 i
(46)
SAMPLE code in WASH-1400 [1] (Appendix II, ch.3). The tree is very simple, as is shown in rigA. It consists of seven primary events, whose probabilities of existence are indicated by X(i), i = 1..... 7 and they are shown in table 1. The distribution of each X(/) is assumed to be the lognormal and the table gives the median value and the error factor, i.e. the ratio of the
Table 1 Failure data for the fault tree of fig. 1.
where
idzi = t2hi + Uri ,
Fig. 1. Example fault tree from WASH-1400.
o2i = o~i -I- o2i .
Notice that the density of eq. (46) is the density of the Johnson SB distribution, eq. (21). In the present case, of course, the distribution is not 'empirical' but exact. The calculations of this section for the propagation of moments are done by the program BOUNDS [ 16].
PRIMARY FAULT
Median
Error
Probability
Factor
Component Failure
= X(1)
1.0X10"3
3
Component Failure
= X(2)
3.0X10-2
3
5. Applications
Operator Error
= X(3)
1.0X10"2
3
Two examples are presented here, which compare the results of the proposed methods with those derived via Monte Carlo simulation.
Component Failure
= X(4)
3.OX10-2
3
= X(5)
1.0X10-2
3
Test and Maintenance
= X(6)
3.0X10"3
3
Component Failure
= X(7)
1.0X10-6
10
Example 1 In this e..ample we use the fault tree which is presented as an example of the applicability of the
i0perator Error
418
G. Apostolakis, Y.T. Lee / Estimation of confMence bounds for top-event unavailability
95% percentile of the distribution and the median. The program BOUNDS admits the data of table 1 as inputs and produces the mean and variance of each
RPSFailure to Trip for Small LOCA
I
x(o. Eq. (2) for this fault tree takes the form aT -~ X(1) + X(6) + X(7) + X(2)X(5)
+ X(2)X(4) + X(3)X(4) + X(3)X(5).
(47)
The program BOUNDS calculated the mean and variance Of QT to be 7.501 × 10 - 3 and 1.394 × 10 - s , respectively. The corresponding results of Monte Carlo simulation are 7.617 × 10 -3 and 1.377 × 10-So (The Monte Carlo simulation is done by the computer code COMMODE which is a version of the SAMPLE code developed at UCLA. The COMMODE does essentially the same things as the SAMPLE, but it is faster than SAMPLE by a simple improvement of the sorting routine.) The 80%, 90% and 95% upper bounds are shown on table 2. The calculations were repeated with eq. (47) replaced by the lower-bound eq. (3), but no significant differences were found in the results.
Example 2 The reactor protection system (RPS) is considered here. The event of interest is the failure of a sufficient number of rods (more than 2 out of 48) to enter the
Fig. 2. Reduced fault tree of the reactor protection system [1 ].
core when conditions are nresent which require such a scram. The detailed analysis is presented in Appendix II of WASH-1400. The reduced fault tree is shown in fig. 2 with the contributions from common mode faults, core distortion and wire faults being neglected. The omission of these three contributions does not change the final result since their probabilities are assessed to
Table 3 Failure data for the Reactor Protection System.
Table 2 Upper bounds for the unavailability of the system of fig. 1. METHOD OF ESTIMATION
80%
90%
95%
Bound
Bound
Bound
Unavailability Event qi
Error Factor
X(1)
1.7XI0°5
10
X(2)
3.6XI0"4
3
X(3)
I.OXIO"3
3
3.751XI0 -2
7.SO1XIO"2
1.500XI0"1
1.583X10"2
1.931X10-2
2.420X10-2
X(4)
1. OX10"3
3
1.497X10-2
1.870X10-2
2,378X10-2
X(S)
3.6X 10-4
3
Cantellt
1,497X10"2
1.870X10"2
2.378)(10"2
X(6)
6.1XI0"3
4
6.1X10"3
4
1.01BX10"2
1.268X10°2
1.490X10-2
X(7)
Monte Carlo Simulation
(2400 trials)
X(8)
9.7X10-4
I0
SB Distribution
X(9)
9.7XI0"4
10
Markov (rll, Xo=O) General
Tchebycheff
Improved
Tchebycheff
g.934X10"3
1.223X10"2
1.450X10-2
G. Apostolakis, Y.T. Lee /Estimation of confidence bounds for top-event unavailability Table 4 Upper bounds for the Reactor Protection System unavailability.
419
were determined through Taylor series expansions. The computer program BOUNDS has been developed to implement the proposed approaches. Numerical examples show that the SB distribution gives results in very good agreement with those of Monte Carlo simulation, although, for the accuracy required in applications, the results of the inequalities are also satisL ctory.
80%
90%
95%
Bound
Bound
Bound
(I) Markov (r=1, Xo= O)
5.430XI0 -4
1.086X10 -3
2,172X10 -3
(2) General Tchebycheff
5.293X10 -4
7.036X10 -4
9.500X10 -4
(3) Improved Tchebycheff
4.849X10 -4
6.731X10 "4
9.287X10 "4
Acknowledgments
(4) Cantelli
4.849X10 -4
6,731X10 -4
9.287X10 "4
(5) Monte Carlo Simulation (2400 trials)
1.430X10 -4
2.431X10 -4
3.760X10 "4
This work was in part supported under Electric Power Research Institute Contract RP297-1, and in part under National Science Foundation Grants GI-39416 and OEP75-20318.
(6) SB
1.463X10 -4
2,456XlO "4
3.765X10 -4
METHODOF ESTIMATION
Distribution
References be negligible. This results in a fault tree with nine pri. mary inputs whose failure data are available and summa,ized in table 3. In the present case, eq. (2) becomes aT = X(1) + X(2)X(4) + X(2)X(5) + X(2)X(9) + X(3)X(4) + X(3)X(5) + X(3)X(9) + X(8)X(4) + X(8)X(5) + X(8)X(9) + X(8)X(7) + X(9)X(6). 1,48) The results for the upper bounds are shown in table 4. Again, the calculations using lower-bound techniques, e0. (3), showed no significant difference.
6. Summary and conclusions Methods for the estimation of confidence bounds for the unavailability of complex systems were presented. The estimation utilizes standard inequalities or the Johnson S B distribution and it requires knowledge of the mean and variance of the unavailability. These
[1] US Nuclear Regulatory Commission, WASH-1400 (NUREG-75/014), Oct. (1975). [2] A.E. Green and A.J. Bourne, Reliability Technology, (Wiley-lnterscience, New York, 1972). [3] M.L. Shooman, Probabilistic Reliability: An Engineering Approach (McGraw-Hill,New York, 1968). [4] G.E. Apostolakis. UCLA-ENG-7464, Sept. (1974). [5] H.E. Lambert, Lawrence Livermore Laboratory, UCRL51829, Oct. (1975). [6] W.E. Vesely, Nuel. Eng. Des. 13 (1970) 337. [7] L. Caldarola, Nucl. Eng. Des. 36 (1976) 109. [8] G.E.Apostolakis and P.Po Bansal, UCLA-ENG-7650, [9] J.D. Murchland and G.G. Weber, Proc., Annual Rel. and Maint. Symp. (1972) pp. 565-575. [10] D.V. Lindley, Introduction to Probability and Statistics. Part 2: Inference (Cambridge University Press, 1970). [11] A. Wald, Ann. Math. Stat. 9 (1938) 244. [12] H.L. Royden, Ann. Math. Stat. 24 (1953) 361. [13] M. Zelen, J. Res. Nat. Bur. Stand. 53 (1954) 377. [14] G.J. Hahn and S.S. Shapiro, Statistical Models in Engineering (Wiley-Interscience,New York, 1968). [15] N.L. Johnson, Biometrika 36 (1949) 149. [16] Y.T. Lee and G.E. Apostolakis, UCLA-ENG-7663, June (1976). [17] L. Aitchison and J.A.C. Brown, The Lognormal Distribution (Cambridge University Press, 1957). [18] B.B. Chu, Amer. Nucl. Soc. Trans. 23 (19/6) 228.
411
METHODS FOR THE ESTIMATION OF CONFIDENCE BOUNDS FOR THE TOP-EVENT UNAVAILABILITY OF FAULT TREES George APOSTOLAKIS and Yum Tong LEE Energy and Kinetics Department, School of Engineering and Applied Science, University of California, Los Angeles, California 90024, USA Received 26 July 1976
The estimation of confidence bounds for the probability of existence of the top event of a fault tree is the subject of this work. Given the uncertainties of the primary input data a method is described for the evaluation of the first two moments of the top event existence probability. These moments are then used to estimate confidence bounds by several approaches which are based on standard inequalities (e.g. Tchebycheff, Cantelli, etc.) or on empirical distributions (the Johnson family). Several examples indicate that the Johnson family of distributions yields results which are in good agreemerit with those produced by Monte Carlo simulation.
1. Introduction The evaluation of probabilities of rare events is of major importance in the quantitative assessment of the risk from large technological systems. In particular, for nuclear power plants the complexity of the systems, their high reliability and the lack of significant statistical records have led to the extensive use of logic diagrams in the estimation of low probabilities [1 ]. The two major methodologies which are based on logic are fault tree and event tree analysis. The merit of this approach is that it ultimately yields the probability QT that the event of interest exists as a function of the parameters Xi that determine the probabilities of existence of other, better understood, events. Thus, one can write QT =f(Xl ..... Xi ..... X n ) .
of QT from the given spreads of the values of X i. The common way of reporting these uncertainties is in the form of confidence bounds and section 2 reviews the literature on this subject. Section 3 contains the proposed methods of evaluating confidence bounds. Several definitions and the formulation of the problem are given in section 3.1, while sections 3.2 and 3.3 present methods based on inequalities and empirical distributions, respectively. The approaches of section 3 require knowledge of the mean and variance of QT and section 4 shows how these moments can be evaluated from the moments of the parameters of the primary inputs of a fault tree. Section 5 contains several applications of the proposed methods and, finally, section 6 summarizes the work of this paper.
(1)
The determination of this function is a relatively simple matter for event trees, while for fault trees it is quite cumbersome. Several common cases are presented in section 2. For the components and systems of interest in the quantitative risk assessment of nuclear power plants, the parameters Xi (e.g. the failure rates) have large uncertainties associated with them. It is natural then to seek to determine the uncertainty in the evaluation
2. Problem statement and current approaches Functions of several random variables of the form of eq. (1) appear in many areas of reliability evaluations, e.g. in the study of stress-strength models [2, 3]. This work will be concerned with such functions as they occur in fault tree analysis, although the general method of estimation of confidence bounds, as it will be described later, is not necessarily limited to this case.
412
G. Apostolakis, Y.T. Lee / Estimation of confidence bounds for top-event unavailability
Fault tree analysis is the major deductive method in quantitative risk assessments and it has been used extensively in probabilistic nuclear reactor safety studies [1,4-6]. The analysis begins with a well-defined undersirable event (e.g. the failure of a system to perform its intended function under given conditions) which is called the top event. The question that one attempts to answer, then, is 'how can the top event occur?'. In answering this question one proceeds to uncover the various combinations of 'simpler' events (e.g. subsystem and component failures), whose occurrence guarantees the occurrence of the top event. The analysis stops at the level at which the events are completely understood and quantitative information regarding their frequencies of occurrence is available. These events are called the primary inputs of the tree. The probabilistic analysis of fault trees is described in detail in the cited references. If the tree has k minimal cut sets and the probability of existence of the ith minimal cut set is Qi then a good conservative approximation (i.e. an upper bound) of the probability of existence of the top event QT is given by (rare-event approximation) k
QT "" ~ Qi.
(2)
i=1
A lower bound to QT can be given if eq. (2) is modified to include the probabilities Qij of the simultaneous existence of the ith and/th minimal cut sets, i.e. k
k-1
QT ~- ~ Q i - ~ i=1
k
~
i=1 /=i+1
Qii.
(3)
Due to the smallness of the contribution from the Qii, eq. (2) is almost always used in safety analyses. The evaluation of the individual Qi values must include the probabilities of existence of the events that constitute the minimal cut sets, possible dependencies, etc. The simplest case is when the ith minimal cut set consists of m i components, each of which is under an alternating renewal process with failure rate ki and mean-time-to-repair ri. Then the unavailability Qi is given by mi
Qi = 1-I
kjT"j
j=l l + X i r j
(4)
In most applications the products aid are very small
(less than 10 - 2 ) and eq. (4) is replaced by mi Oi m n . X/T/" /=l
(s)
It should be noted that the probabilities of eqs. (4) and (5) are asymptotic results which are reached very quickly. The time-dependent probabilities can be determined by the theory of Markov processes, if it is desired to do so. A frequent case in applications (e.g. in the study of the availability of the engineered safeguards of a nuclear power plant) is the determination of the Qi when the redundant components of the system are under periodic test and maintenance. Asymptotic expressions for the unavailabilities do not exist and the time-dependent results are too complicated (see ref. [7] for some general analytical expressions). It is common practice under these conditions to use average unavailabilities [1 ], i.e. the average of the time-dependent pointwise unavailabilities over the period (usually 720 hr) of the test or maintenance act. Expressions for the mean unavailability of various redundant systems are derived in refs. [2] and [8]. As an example, we consider a system with two redundant components and we assume that they are consecutively tested every T hours and the test time is r. Each component is disabled by the test. Under the usual assumptions regarding the magnitudes of the failure rates kl and X2 and the intervals Tand r. (i.e. 1/?,1, l/k2 > > T > > r), it can be shown that the average unavailability of the system is Q T ~-I- ~ k l k 2 T 2 + ~.2r.
(6)
Thus, the system has two minimal cut sets: {both components fail randomly during the time between inspections T} and {component 2 fails randomly during the test time r of component 1}. The terms of eq. (6) give the average probabilities of these two events, which can be identified as Q1 and Q2 ofeq. (2). Two comments are in order here. (i) It has been assumed in the derivation of eq. (6) that component 1 is tested first. There is a third minimal cut set, namely {component 1 fails randomly during the test time of component 2}, which is neglected in eq. (6), since its probability is much smaller than the retained terms [2,8]. (ii) Even if the components are nominally identical it is not allowed to set kl = k2 - k in eq. (6), be-
G. Apostolakis, Y.T. Lee / Estimation of conf, dence bound° for top-event unavailability
cause the failure rates will be treated as random variables, as will be discussed shortly. The only case where such a simplification is allowed is when a point estimate for QT is sought or when there is complete couling between the two components. Having determined the expressions for the top event unavailability, a major problem that arises is how to propagate the uncertainties in the parameters of the primary inputs to the top event. Murchland and Weber [9] have proposed a method for the evaluation of the mean and variance of the probability of existence of the top event of a fault tree. The tree must be simple in the sense that each primary input and the outcome of each gate are inputs to only one gate (the authors indicate, however, how trees that are not simple can be reduced to this form by boolean manipulation). The primary inputs are assumed to be statistically independent and the means and the variances of their existence probabilities to be known [expressions of average unavailabilities like that of eq. (6) are not considered]. From the mean and variance of the top event unavailability the authors suggest the derivation of confidence bounds using the Tchebycheff inequality. The approach taken by WASH-1400 [1 ], Appendices II and III, utilizes Monte Carlo simulation (computer code SAMPLE). The top event unavailability is expressed in the form of eq. (2) and each Qi is written as a function of the failure rates, test times, human error probabilities, etc. of the primary inputs, i.e. equations similar to eq. (6) are developed (as it is shown in ref. [8], there are some differences between the expressions of the report and the exact expressions of certain average unavailabilities, which, however, do not have a great impact on the results, due to the smallness of the numerical values of the unavailabilities and the order-of-magnitude accuracy that is
sought). The uncertainty in each of the parameters is expressed by fitting a lognormal distribution to the several values of that parameter, that are collected from various sources. A number of reasons are given in the report to argue that the appropriate distribution to be used for sparse data with a large assessed range is the lognormal distribution. These arguments are summarized in the statement that the lognormal distribution was chosen because 'it was flexible, it was consistent with reliability and data properties and it is a stan-
413
dardly employed and straightforward distribution' [11. Using the appropriate expressions for the unavailability of the top event and the lognormal distributions for the input parameters, a value for the unavailability of each primary input is selected randomly and the top event probability is calculated by the SAMPLE code. This process is usually repeated 1200 times and the resulting probabilities are ordered and the median value is determined as well as the 5% and 95% percentiles. When a distribution for the top event probability is needed, e.g. to be used in event-tree calculations, the lognormal distribution is again fitted to the points derived by the SAMPLE code.
3. Derivation of confidence bounds
3.1. Definitions The probability of existence of the top event, Qr, is the random variable for which we seek confidence bounds (in the Bayesian sense). Following the terminology of Lindley [10], we call the interval I~ the 100 ~ (Bayesian) confidence interval for Q'r if Pr (Or E I~) =/3,
(7)
where Pr denotes probability. In particular, we wiU be concerned with the 100/3% upper confidence bound U# for QT, in which case eq. (7) is written as
Pr(Qr ~
(8)
Notice that since Q'r is a probability, it is always nonnegative, so the interval of eq. (8) is actually twosided, i.e. 18 = (0, U#). The reason that we use Bayesian confidence intervals is that all the parameters of the problem (e.g. failure rates) are treated as random variables, as WASH-1400 proposes. The evaluation of confidence intervals would be trivial, if the probability density function (pdf) of Qx, f(QT), were known. In such a case, eq. (8) would be written as
J~'afx(x)dx =/3
(9)
o
and, given/3, U# is determined by solving eq. (9). This pdf, however, is very difficult to fend for a given fault
414
G. Apostolakis, Y.T. Lee / Estimation of confidence bounds for top-event unavailability
tree and we have to resort to approximate methods. Then, eq. (8) is written as Pr (aT <~ U#) >i 13
(10)
and Ua is called an approximate 100 t3% confidence bound for QT. In this paper two methods are proposed and compared for the derivation of bounds like eq. (10). The first method utilizes several inequalities and the second proposes an approximate pdf for QT. 3.2. Inequalities Conservative confidence bounds for a random variable X can be produced, if its first several moments are known. A useful and quite general inequality is that of Markov [1 I], i.e. Pr (--d < X - x o < d) ~> 1 ' - (Mr/dr),
(11)
where Mr is the rth absolute moment of the random variable X about Xo, i.e. E I X - Xolr, where E denotes expectation, and d is any positive number. When r = 2, the inequality reduces to the well-known Tchebycheff inequality, i.e. Pr(-d
x o
(12)
The Tchebycheff inequality can be improved and written as [11,12]
M2-M] Pr (X < d) ~
d ~
and M2 - M]
Pr(X
d>~ml, (14)
where Xo in these inequalities is set equal to zero. These general inequalities can be improved further if additional information about the random variable is known. For example, if X is a positive random variable, and this is the case of interest to us, since QT is positive, then the inequality of eq. (14) can be improved as follows
MI M2 Pr(X
(15)
Eqs. (13), (15) and (14) with a new range ford, i.e.
Mz/M 1 <<.d, are known as the Cantelli inequalities. It is evident that to use the above inequalities the first two moments of QT will be needed. If higher moments are known, and they are quite cumbersome to produce, the Markov inequality, eq. (11), can be used, or the inequalities given by Zelen [13]. 3. 3. Empirical distributions The second proposed method for estimating confidence bounds consists of selecting an approximate probability density function f x ( x ) and using eq. (9) to find U& The justification for the use of such distributions and a description of the commonly used Johnson and Pearson distributions can be found in Hahn and Shapiro [14]. The distribution that is proposed here is the Johnson SB distribution [ 14,15 ]. If the random variable X is confined in the interval ~<~X<~ +O,
(16)
where ~ and 0 are constants, and if the random variable V, where V=3'+61n ( OX - X ~+~ 1,
%~--const.,
(17)
is the standard normal variate, then X is distributed according to the Johnson S~ distribution. In other words, this distribution is based on eq. (17), which transforms the random variable of interest, X, into a standard normal variate. In general the S a distribution has four parameters, i.e. ~, 0, 7 and 8. In our case, however, X is the top event unavailability, QT, and since
o
(18)
we take =0
and 0 = 1 .
(19)
Thus, eq. (17) is written as V = 7 + 6 ln(1_ ~ T )
(20)
and the only parameters left are 6 and 7. Since V is a standard normal random variable the derivation of the Sa distribution is straightforward involving a simple transformation of variables through
G. Apostolakis, Y.T. Lee /Estimation of confidence bounds for top-event unavailability
415
eq. (20). Thus, we get
4. Evaluation of moments
1 fQT(QT) - V~-~'OQT(1 -- QT)QT
The problem that is addressed in this section is the evaluation of the mean and varianceof each parameter X i of eq. (1) are known. It should be pointed out that QT is not necessarily a linear function of the X i values, as eqs. (2) and (4) show. In order to propagate the moments we expand the function f(X1 ..... Xn) about the mean values of its arguments by a multivariable Taylor series, that is,
X exp(~(ln[(1-QT)/QTI-laQT}) .....
(21)
O~ T
where we have defined OQT ~ 1/6,
btQT= 7/8
(22)
and QT is bounded as in eq. (18). Notice that the S B distribution can be approximated by the lognormal distribution, if the values of QT greater than, say, 10 -2 have a negligible probability of occurrence, in which case we can approximate 1 - QT = 1
i=1
Z \ i= 1 ~ i
(23)
in eq. (21) and produce the lognormal density. Of course, in this case QT is theoretically unbounded on the right (this situation is similar to the justification of using the normal distribution as the failure distribution of components where the probability of negative times to failure is required to be negligible small). Besides having the correct range for QT [eq. (18)], the S B distribution is more flexible than the lognormal (for example, it can be bimodal, see fig. 6 - 3 of [14]). The parameters/dQT and OQT (or, 3' and 6) can be determined by moment matching, if the mean and variance of QT are known. Since simple analytical ex. pressions for the moments of the S B distribution are not available, the estimation of the parameters is done numerically within the program BOUNDS, which has been developed to implement the work of this paper [16]. In order to evaluate the upper bound Ua of eq. (9), we take advantage of the fact that the variable V of eq. (20) is the standard normal variate. Solving eq. (20) we get exp
.....
-
]
UI3= 1 + exp [(ko - 7)/~i1
(24)
where k# is the/3100th percentile of the standard normal distribution, e.g. ko.os = 1.645. The next section shows how the mean and variance of QT can be evaluated. These two moments are needed for the evaluation of confidence bounds in both the methods that were presented in this section.
.-1
( x i -- ~ ' i ) 2
~2f
.
+2 ~
~
i
- -
( X i - Y(i)(X]- )(])] +
i= I i=i+ i axiax.i
....
(25) where Xi is the mean of Xi and all the partial derivatives are evaluated at the mean values of the Xi values. To find the mean of QT we simply take the expectation of both sides of eq. (25) and we get
....
n--I
2
i=1
~//a2~ai) "
n
i= l /=i+ I axiax/
eI(Xi
-
(x/-
+ ....
(26) where
la2(Xi) = E[(Xi - ~-/)2 ] = variance of Xi and
E[(Xi - f(i)(X/ - ~'/)] = covariance of Xi and X/. This covariance is, of course, zero when the variables are uncorrelated. The variance of QT can be obtained from
la2(QT) = E(Q~r) - QTz ,
(27)
where E(Q~) can be obtained by squaring both sides of eq. (25) and taking the expected value. Thus, we get n
,=1 k a x i /
u2(xi)
416
G. Apostolakis, Y.T. Lee /Estimation o f confidence bounds for top-event unavailability n--1
+
n
2G
i=1 i=i+1 3Xi bXi
Ie[(x,
-
-
,j)] +
. . . .
(28)
This approach of Taylor series expansions is quite general and, in principle, it can be applied directly to a fault tree with Xi being the basic input parameters (e.g. the failure rates). However, for a general fault tree the calculations may become very cumbersome and the following stepwise precedure is preferable. The first step is to take advantage of the linearity of eqs. (2) or (3). To include all possibilities, we write
depend on the minimal cut set and the repair or inspection policies that are employed. The only information that is needed for each Zi is its mean and variance. Then, using eqs. (26) and (28) for the function of eq. (32), we get
m/
Yi = I1 2i
and U2(Y/) =/=~
m/-
Fn
QT = ~ SiYi,
(29)
i=l
if Yi is the probability of the simultaneous existence of any odd number of min cut sets, if Yiis the probability of the simultaneous existence of any even number of min cut sets.
1,
Si = - 1 ,
Thus, for eq. (2) we have m = n, Yi - Qi and Si = 1, i = 1 ..... n. The mean and the variance of QT a're now produced by using eqs. (26), (28) and (29), i.e.
1
\ Z i ,I
m/
+2 ~
i=1
where the Yi values are appropriately defined to be equal to the Qi and Qq values. Since we desire the Yi values to be probabilities, we have introduced the factors S i as
(33)
i=1
~
Yi 5 j E [ ( Z i - Z i ) ( Z k - 2k)]-(34)
k=i+l Z i Z k
As was mentioned above, the expression for each
Zi varies depending on the situation at hand. A few examples will illustrate the various possibilities. If the expression for Qx is given by eq. (6) we simply write QT = Y1 + Y2 ,
(35)
where YI = Z 1 Z 2 Z 3
,
Z2 ~ ~2 ,
~ ~kl,
(36)
Z3 - -~T2 ,
(37)
Z1
and (38)
Y2 =- Z4Zs ,
m
Q---T = ~
SiYi ,
(30)
i=1 m
~u2(av ) = ~
#2(Yi)
i=1 m--1
+2 ~
m
~
i=1 ]=i+ 1
SiSi E [ ( Y i - 17i)(Yi- Yt')]. (31)
These equations are exact, because higher order terms of eqs. (26) and (28) vanish due to the linearity of eq. (29). The next step involves the evaluation of the mean and variance of each Yi" In general, Yi has the form
mi Y/= I-I Z i ,
(32)
Z s ==- r
Z 4 ~ ~k2 ,
.
(39)
Notice that Za and Z s in the present case are not random variables and, consequently, their variances will be taken to be identically equal to zero in the calculations. Although only the moments of the various Zi values are needed in this work, in practice the parameters which determine the Zi values are usually given as being lognormally distributed [1 ]. The lognormal density function is 1
fz(z) - ~/-ff~OZ exp -
(In z - tt) 2 202
(40)
and the mean and variance are given by
i=1
where the Zi values represent basic inputs and they
2 = exp0/+ ~1 o 2) ,
/R2(Z) = 22rfl ,
(41,42)
417
G. Apostolakis, Y.T. Lee /Estimation of confidence bounds jor top-erent unavailability
Failure'I
where r72 = e a2 - 1. When Z is lognormally distributed, we write symbolically Z ~ A(p, o2).
System
(43)
Frequently, the evaluation of Yi involves the multiplication of lognormaUy distributed random variables. Because of the multiplicative properties of this distribution of Yi is also lognormal. Thus for eq. (36) we will have Y1 ~ A(~z1 +/aZ2 +/aZ3' O21 + O22) '
(44)
i
where o23 = 0, since Z 3 is not a random variable. The above approach applies also to eq. (5). If, however, the more exact eq. (4) is used, then, in order to conform with eq. (32), we must define
Zi - Xirl/(1 + ~kiTi).
(45)
The moments o f Z i can now be determined either by a Taylor series expansion of the function of eq. (45) or, in the case of lognormal Xi and r i, by using the distribution of Z i, which is [18]
1 g(zi)
- ~
OZi zi( l -- Zi)
e x p ( _ l {ln[(1--Zi)/Zi] +.IIZL}) 02 i
(46)
SAMPLE code in WASH-1400 [1] (Appendix II, ch.3). The tree is very simple, as is shown in rigA. It consists of seven primary events, whose probabilities of existence are indicated by X(i), i = 1..... 7 and they are shown in table 1. The distribution of each X(/) is assumed to be the lognormal and the table gives the median value and the error factor, i.e. the ratio of the
Table 1 Failure data for the fault tree of fig. 1.
where
idzi = t2hi + Uri ,
Fig. 1. Example fault tree from WASH-1400.
o2i = o~i -I- o2i .
Notice that the density of eq. (46) is the density of the Johnson SB distribution, eq. (21). In the present case, of course, the distribution is not 'empirical' but exact. The calculations of this section for the propagation of moments are done by the program BOUNDS [ 16].
PRIMARY FAULT
Median
Error
Probability
Factor
Component Failure
= X(1)
1.0X10"3
3
Component Failure
= X(2)
3.0X10-2
3
5. Applications
Operator Error
= X(3)
1.0X10"2
3
Two examples are presented here, which compare the results of the proposed methods with those derived via Monte Carlo simulation.
Component Failure
= X(4)
3.OX10-2
3
= X(5)
1.0X10-2
3
Test and Maintenance
= X(6)
3.0X10"3
3
Component Failure
= X(7)
1.0X10-6
10
Example 1 In this e..ample we use the fault tree which is presented as an example of the applicability of the
i0perator Error
418
G. Apostolakis, Y.T. Lee / Estimation of confMence bounds for top-event unavailability
95% percentile of the distribution and the median. The program BOUNDS admits the data of table 1 as inputs and produces the mean and variance of each
RPSFailure to Trip for Small LOCA
I
x(o. Eq. (2) for this fault tree takes the form aT -~ X(1) + X(6) + X(7) + X(2)X(5)
+ X(2)X(4) + X(3)X(4) + X(3)X(5).
(47)
The program BOUNDS calculated the mean and variance Of QT to be 7.501 × 10 - 3 and 1.394 × 10 - s , respectively. The corresponding results of Monte Carlo simulation are 7.617 × 10 -3 and 1.377 × 10-So (The Monte Carlo simulation is done by the computer code COMMODE which is a version of the SAMPLE code developed at UCLA. The COMMODE does essentially the same things as the SAMPLE, but it is faster than SAMPLE by a simple improvement of the sorting routine.) The 80%, 90% and 95% upper bounds are shown on table 2. The calculations were repeated with eq. (47) replaced by the lower-bound eq. (3), but no significant differences were found in the results.
Example 2 The reactor protection system (RPS) is considered here. The event of interest is the failure of a sufficient number of rods (more than 2 out of 48) to enter the
Fig. 2. Reduced fault tree of the reactor protection system [1 ].
core when conditions are nresent which require such a scram. The detailed analysis is presented in Appendix II of WASH-1400. The reduced fault tree is shown in fig. 2 with the contributions from common mode faults, core distortion and wire faults being neglected. The omission of these three contributions does not change the final result since their probabilities are assessed to
Table 3 Failure data for the Reactor Protection System.
Table 2 Upper bounds for the unavailability of the system of fig. 1. METHOD OF ESTIMATION
80%
90%
95%
Bound
Bound
Bound
Unavailability Event qi
Error Factor
X(1)
1.7XI0°5
10
X(2)
3.6XI0"4
3
X(3)
I.OXIO"3
3
3.751XI0 -2
7.SO1XIO"2
1.500XI0"1
1.583X10"2
1.931X10-2
2.420X10-2
X(4)
1. OX10"3
3
1.497X10-2
1.870X10-2
2,378X10-2
X(S)
3.6X 10-4
3
Cantellt
1,497X10"2
1.870X10"2
2.378)(10"2
X(6)
6.1XI0"3
4
6.1X10"3
4
1.01BX10"2
1.268X10°2
1.490X10-2
X(7)
Monte Carlo Simulation
(2400 trials)
X(8)
9.7X10-4
I0
SB Distribution
X(9)
9.7XI0"4
10
Markov (rll, Xo=O) General
Tchebycheff
Improved
Tchebycheff
g.934X10"3
1.223X10"2
1.450X10-2
G. Apostolakis, Y.T. Lee /Estimation of confidence bounds for top-event unavailability Table 4 Upper bounds for the Reactor Protection System unavailability.
419
were determined through Taylor series expansions. The computer program BOUNDS has been developed to implement the proposed approaches. Numerical examples show that the SB distribution gives results in very good agreement with those of Monte Carlo simulation, although, for the accuracy required in applications, the results of the inequalities are also satisL ctory.
80%
90%
95%
Bound
Bound
Bound
(I) Markov (r=1, Xo= O)
5.430XI0 -4
1.086X10 -3
2,172X10 -3
(2) General Tchebycheff
5.293X10 -4
7.036X10 -4
9.500X10 -4
(3) Improved Tchebycheff
4.849X10 -4
6.731X10 "4
9.287X10 "4
Acknowledgments
(4) Cantelli
4.849X10 -4
6,731X10 -4
9.287X10 "4
(5) Monte Carlo Simulation (2400 trials)
1.430X10 -4
2.431X10 -4
3.760X10 "4
This work was in part supported under Electric Power Research Institute Contract RP297-1, and in part under National Science Foundation Grants GI-39416 and OEP75-20318.
(6) SB
1.463X10 -4
2,456XlO "4
3.765X10 -4
METHODOF ESTIMATION
Distribution
References be negligible. This results in a fault tree with nine pri. mary inputs whose failure data are available and summa,ized in table 3. In the present case, eq. (2) becomes aT = X(1) + X(2)X(4) + X(2)X(5) + X(2)X(9) + X(3)X(4) + X(3)X(5) + X(3)X(9) + X(8)X(4) + X(8)X(5) + X(8)X(9) + X(8)X(7) + X(9)X(6). 1,48) The results for the upper bounds are shown in table 4. Again, the calculations using lower-bound techniques, e0. (3), showed no significant difference.
6. Summary and conclusions Methods for the estimation of confidence bounds for the unavailability of complex systems were presented. The estimation utilizes standard inequalities or the Johnson S B distribution and it requires knowledge of the mean and variance of the unavailability. These
[1] US Nuclear Regulatory Commission, WASH-1400 (NUREG-75/014), Oct. (1975). [2] A.E. Green and A.J. Bourne, Reliability Technology, (Wiley-lnterscience, New York, 1972). [3] M.L. Shooman, Probabilistic Reliability: An Engineering Approach (McGraw-Hill,New York, 1968). [4] G.E. Apostolakis. UCLA-ENG-7464, Sept. (1974). [5] H.E. Lambert, Lawrence Livermore Laboratory, UCRL51829, Oct. (1975). [6] W.E. Vesely, Nuel. Eng. Des. 13 (1970) 337. [7] L. Caldarola, Nucl. Eng. Des. 36 (1976) 109. [8] G.E.Apostolakis and P.Po Bansal, UCLA-ENG-7650, [9] J.D. Murchland and G.G. Weber, Proc., Annual Rel. and Maint. Symp. (1972) pp. 565-575. [10] D.V. Lindley, Introduction to Probability and Statistics. Part 2: Inference (Cambridge University Press, 1970). [11] A. Wald, Ann. Math. Stat. 9 (1938) 244. [12] H.L. Royden, Ann. Math. Stat. 24 (1953) 361. [13] M. Zelen, J. Res. Nat. Bur. Stand. 53 (1954) 377. [14] G.J. Hahn and S.S. Shapiro, Statistical Models in Engineering (Wiley-Interscience,New York, 1968). [15] N.L. Johnson, Biometrika 36 (1949) 149. [16] Y.T. Lee and G.E. Apostolakis, UCLA-ENG-7663, June (1976). [17] L. Aitchison and J.A.C. Brown, The Lognormal Distribution (Cambridge University Press, 1957). [18] B.B. Chu, Amer. Nucl. Soc. Trans. 23 (19/6) 228.