Reliability analysis of dynamic reliability block diagram based on dynamic uncertain causality graph

Reliability analysis of dynamic reliability block diagram based on dynamic uncertain causality graph

Journal Pre-proof Reliability analysis of dynamic reliability block diagram based on dynamic uncertain causality graph Lulu Jia, Yi Ren, Dezhen Yang, ...
Download PDF
1MB Sizes 0 Downloads 44 Views
Report

Journal Pre-proof Reliability analysis of dynamic reliability block diagram based on dynamic uncertain causality graph Lulu Jia, Yi Ren, Dezhen Yang, Qiang Feng, Bo Sun, Cheng Qian PII:

S0950-4230(19)30432-2

DOI:

https://doi.org/10.1016/j.jlp.2019.103947

Reference:

JLPP 103947

To appear in:

Journal of Loss Prevention in the Process Industries

Received Date: 28 May 2019 Revised Date:

3 August 2019

Accepted Date: 21 August 2019

Please cite this article as: Jia, L., Ren, Y., Yang, D., Feng, Q., Sun, B., Qian, C., Reliability analysis of dynamic reliability block diagram based on dynamic uncertain causality graph, Journal of Loss Prevention in the Process Industries (2019), doi: https://doi.org/10.1016/j.jlp.2019.103947. This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2019 Published by Elsevier Ltd.

Reliability Analysis of Dynamic Reliability Block Diagram Based on Dynamic Uncertain Causality Graph Abstract A dynamic reliability block diagram (DRBD) is often used in various industrial fields because of its ability to represent the dynamic behaviours of systems, despite its difficulty dealing with common cause failures and its quantitative result being hard to obtain due to the lack of a simple and practical solution method. Although some techniques, such as Petri net, Markov chain, and dynamic Bayesian network (DBN), have been proposed for analysing DRBDs, they are usually complicated and impractical for various reasons, such as state explosion in a Markov chain and a DBN and a complicated conversion process for a Petri net. To alleviate these problems, a common cause failure block is added to the DRBD, and a new solution method based on a dynamic uncertain causality graph (DUCG) is presented in this paper. Based on the conversion rule, the DRBD is mapped into a DUCG that needs fewer parameters and can be easily analysed according to the DUCG’s reasoning algorithm. Finally, considering a subsea blowout preventer (BOP) control system as an example, a more accurate and concise model of the BOP control system is built. Key Words: Dynamic Reliability Block Diagram, Dynamic Uncertain Causality Graph, subsea Blowout Preventer (BOP) control system

1. INTRODUCTION A dynamic reliability block diagram (DRBD), an extended and enhanced successor of a reliability block diagram (RBD) (H. Xu and L. Xing 2007; H. Xu, L. Xing, and R. Robidoux. 2009; S. Distefano. et al. 2014), is an effective and powerful tool for modelling dynamic behaviours. Combined with the fault tree analysis (FTA), it is widely used in the risk analysis of thermal power plants (Bhangu, Navneet Singh et al. 2019) and complex industrial robot systems’ reliability evaluation and block diagram design (Fazlollahtabar, Hamed et al. 2018). However, its quantitative results are usually difficult to obtain. To address this problem, many transformation techniques have been proposed. A method for analysing a DRBD based on a Markov chain has been described (Distefano, S., and N. L. Xing et al. 2006.). A DRBD has also been converted into a coloured Petri net (CPN) (R. Robidoux. et al. 2010), although this solution is complicated and inefficient because many values are needed. Subsequently, K. Li. et al. (2016) proposed a way to map a DRBD into a dynamic Bayesian network (DBN). Other methods based on agents and game algorithm have also been studied (Feng, Q.et al. 2017, Feng, Q.et al. 2017, Feng, Q.et al. 2019, Ren, Y.et al. 2019). Inheriting the advantages of a DBN, a dynamic uncertain causality graph (DUCG) can conveniently take dynamics, dependencies, redundancy and load sharing into account (Zhang, Qin. et al. 2010; Zhang, Qin. et al. 2012; Q. Zhang. et al. 2014; C. Dong. et al. 2014; Q. Zhang. et al. 2015). Compared with a DBN, a DUCG is a compact causality representation that does not overly rely on parameter accuracy and thus needs fewer parameters. In recent years, DUCGs have been

steadily developed (Q. Zhang. et al. 2015; Q. Zhang. et al. 2015; C. Dong. et al. 2016) and have been applied in nuclear power plant’s online monitoring, diagnosis forecasting, risk assessment, etc. (Q. Zhang and S. Geng. 2015 ; Q. Zhang. et al. 2016; C. Dong. et al. 2016; Z. Zhou. Et al. 2017; Chunling, D. et al. 2018; Q. Zhang. et al. 2018). A subsea blowout preventer (BOP) is an important piece of equipment designed to provide a safe working environment during drilling. To avoid catastrophic events caused by a BOP system, extensive efforts have been made to ensure its reliability that has been analysed by failure modes and effects analysis (FMEA) and FTA (Fowler, J.H., Roche, J.R., 1994 ) and other methods (Cai, B.et al.). Using the FTA method, Holand, P., Awan, H. (2012) evaluated subsea BOPs’ failure data. However, both FMEA and FTA analyses lack the time element (Sadou, N., Demmou, H., 2009), and FMEA lacks the ability to deal with failures resulting from common causes. Cai, B.P. et al. (2012) used the Markov method to assess a BOP system’s performance, although its state space grew exponentially with the number of components (Boudali, H., Dugan, J.B., 2005 ). In recent years, Bayesian networks (BN) have also been used in reliability analysis because of their higher uncertain inference capacity and ability to deal with multiple sources of information, such as expert knowledge, empirical data, etc. (Cai, B. et al. 2017. ). To fully use a BN, numerous conversion methods have been proposed, such as the fault tree’s conversion method by Bobbio, A. et al. (2001), dynamic fault tree’s conversion by Boudali, H. et al. (2005), the event tree’s conversion method by Bearfield, G. et al. (2005) , bond graph model’s conversion by Lo, C.H. et al. (2011) , RBD’s conversion by K, Li. et al. (2016) and GO method’s conversion (Yong Chena. et al. 2012; Dongming Fan. et al. 2016 ; Kanjing Li. et al. 2018). Based on all of these studies, a method of reliability analysis of a subsea blowout preventer control system based on GO graph’s conversion to a BN has been proposed (Liu, Z. et al. 2018; Liu, Zengkai. et al. 2019). Liu, Z. et al. (2015) used a DBN in a reliability analysis of the BOP stack. Although Markov chain, Petri net (PN) and DBN methods have been used in analysing a DRBD, they all have limits in their applications. A Markov chain’s state explosion problem can be significant if the system is very complex (Boudali, H. et al. 2005). The conditional probability table (CPT) of a DBN is very complex because the number of parameters increases exponentially with the number of parent nodes. For large-scale DRBDs, conditional probability tables of DBNs may be too large and complex. As for the PN, its state reachability graph is difficult to obtain. In addition, although extensive efforts have been made to develop DRBDs, common cause failures are difficult to model using the existing DRBD methods. The motivation of this paper is to resolve issues including dependence, spare capacity, load sharing and common cause failures by converting a DRBD into a DUCG. In this paper, a common cause failure (CCF) block is introduced into a DRBD to address common cause failures, and a new method of analysing a DRBD based on a DUCG is proposed. Based on the conversion rule, a DRBD is mapped into a DUCG that needs fewer parameters and can be easily analysed according to the DUCG’s reasoning algorithm. The remainder of the paper is organized as follows. Section 2 provides a brief introduction to DRBD. Next, DUCG is presented in section 3. Section 4 describes a method of mapping a DRBD into a DUCG. Compared with a DUCG being created directly, the proposed method makes the creation of a DUCG easier because the physical structure and the logical information of the system DRBD is shown to be a useful input to the DUCG. A case study is performed to evaluate this method in section 5. Finally, section 6 concludes the paper.

2. DYNAMIC RELIABILITY BLOCK DIAGRAM

On the one hand, as an extension and a redefinition of RBD, DRBD can represent dynamic behaviours of systems; on the other hand, it is motivated by the simplicity and versatility of a native modelling tool. However, the introduction of new DRBD policies increases the model’s complexity. As a result, DRBD constructs based on a simple notation are revised by the introduction of new DRBD constructs (R. Robidoux et al. 2010). DRBD constructs have recently been extended (H. Xu, L. Xing et al. 2010) by an introduction of several key modelling constructs shown in Figure 1 (a) (b) (c), such as state dependency (SDEP), spare part (SPARE), and load-sharing (LSH) blocks. To model the common cause failures in the system, a CCF block shown in Figure 1 (d) is introduced in this paper. Trigger

F

Primary Unit

SDEP

D|F

SPARE

A

A

A|D|F

A|D|F

C|W|H1

...

1

...

C|W|Hn

n

(b) SPARE block (a) SDEP block LSH

CCF D|F

D|F

D|F

D|F

1 1

...

F

F ...

n

n

(c) LSH block

(d) CCF block Figure 1. Blocks in DRBD

2.1. SDEP block SDEP blocks are used to model the state-based dependence relationships between components in a system. In such blocks, trigger events caused by a trigger component’s state change can result in state changes of target components. Additionally, both trigger events and target events can be of three types: “Activation”, “Deactivation” and “Failure”. Activation (A) means that components are in working state, and Failure (F) means that products are in a failed state. In contrast to Activation or Failure that are established states, Deactivation (D) means that components are not operating but still have the possibility of entering the working or failed states. As a result, there are nine types of dependency relationships among the components: (A, A), (A, D), (A, F), (D, A), (D, D), (D, F), (F, A), (F, D), and (F, F). To formalize the DRBD model, a mathematical model is proposed in this paper. An SDEP block can be defined as a 7-tuple  =< C , C , E , E , , S , S > , where C is the trigger component in the SDEP block, C is the target component in the SDEP block, represented as  = [ ,  , … ,  ],

E is the trigger event in the SDEP block that represents trigger components’ state change, E is the target event that represents target components’ state change caused by trigger events = [ ,  , … ,  ], S is the state of target components, represented as  = [ ,  , … ,  ], where n is the number of the target components, S is the state of trigger components, and

is the function that represents the relationship between trigger components and target components: T ,   =  . As to the function of F-A dependency in SDEP blocks, we have

  = !"#$%"#$&',  = "#$%"#$&' → )"$*+,- =  = !"#$%"#$&' → "#$%"#$&' Other kinds of dependencies can similarly be easily obtained.

2.2. SPARE block SPARE blocks represent systems’ redundant behaviours, whereby n components are used as redundant backups for the primary component. In SPARE blocks, primary components’ deactivation or failure leads to the first spare component’s activation. Similarly, the first spare component’s deactivation or failure leads to the second spare component’s activation. Additionally, the block enters the “failure” state if both the primary component and all the spare components fail or are deactivated. From the description above, we know that spare components are in fact simple components with ordinal numbers. In SPARE blocks, spare components with the lowest ordinal numbers are activated first when primary or standby components fail. Accordingly, components in hot and warm standby states can also fail, but cold standby components never fail while awaiting activation. A SPARE block can be defined as a 7-tuple =< C. , C/ , E , E , S01 , S02 , S3 >, where C. is the primary component in the SPARE block,

C/ is the standby components in the SPARE block, represented as 4 = [4 , 4 , … , 4 ], E is the trigger event in a SPARE block that represents trigger components’ state change,  = [ ,  , … ,  ],

E is the target event that represents target components’ state change caused by trigger events,  = [ ,  , … ,  ], S01 is the state of the primary component, S02 is the state of spare components, represented as S05 = [s75 , s75 , … , s75 ], where n is the

number of spare components, and S3 is the function that represents the relationship among primary components and spare components, S3 8S01 , S02 , E 9 = E. As to the spare components’ configuration, function S3 can be defined as S3 8S02 = :s75 = )"$*+,, s75 = )"$*+,, … , s75 s7 5

= , … , s75  >, S01

<

= )"$*+,, s75 = !"#$%"#$&',

= )"$*+,, e@< = "#$%"#$&' → )"$*+,9 = e@ = !"#$%"#$&' →

"#$%"#$&' where k is the ordinal number of components such that 1 ≤ k ≤ n.

2.3. LSH block LSH blocks represent an intermediate state where a component is inactive yet at the same time has not failed, i.e., they can be used to model reliability conditions changing in relation to the variation of the load shared among various components. LSH blocks can operate well only if more than k components are in a good state, which is similar to “k/n” gates. If more than n-k components enter the failed/deactivated state in an LSH block, other components will fail or be deactivated because of overloading. To express our proposed DRBD model formally, a mathematical model is proposed in this paper. An LSH block can be defined as a 5-tuple  =< , S0 , E , E , E >, where

is the component in the load-sharing block,"#$%"#$&'F S0 is the components’ state, G = [H , H , … , H ], where n is the number of components in a load-sharing block, H = "#$%"#$&', "#$%"#$&'F , )"$*+, ( 1 ≤ k ≤ n ), activation represents components that operate without other components’ failure, and activation represents components that operate when another component fails, E is the trigger event in LSH blocks that represent components’ state change,  = [ ,  , … ,  ], E is the target event caused by a trigger event,  = [ ,  , … ,  ], and E is the function that represents the relationship among components, LS0 , E  = E. As to the function of load-sharing dependency in load-sharing blocks, we have LS0 = [H = "#$%"#$&', H = "#$%"#$&', … , H = activation], eP = "#$%"#$&' → )"$*+,- = e@ = "#$%"#$&' → "#$%"#$&'F where i = 1,2, … , n − 1 and k ≠ i.

2.4. CCF block CCF blocks represent that several components experience simultaneous failures if some common causes occur. A CCF block can be defined as a 5-tuple  =< , S0 , E , E , E >, where

is the component in a common cause failure block, S0 is the set of components’ states, G = [H, H , … , H ], where n is the number of components in a load-sharing block, E is the trigger event in the CCF block that represents the occurrence of the common cause, e = 0, 1, where 1 represents the occurrence of the trigger event, and 0 represents that the trigger event did not occur, E is the target event that represents the target components’ state change caused by trigger events,  = [ ,  , … ,  ] and E@ = "#$%"#$&' → )"$*+,, and

E is the function that represents the relationship between common causes and components in the CCF block. As to the function in common cause failure blocks, we have E = 1 = e@ = "#$%"#$&' → )"$*+, where k = 1,2, … , n.

3. DYNAMIC UNCERTAIN CAUSALITY GRAPH

DUCG is a new theoretical model proposed by Zhang et al. for dealing with multiple assignments. A DUCG is composed of nodes and edges, and the events and causal interactions are represented by various graphical symbols in such a graph. B1 X4 G6

B2

D7

X7

X5 B3

Figure 2. DUCG of an intrusion detection system

3.1. Definitions of variables in DUCG The DUCG in Figure 2 shows that events in a DUCG can be classified into various categories. Drawn as a single-line square, UV is a basic or root event that can change the system state independently. Drawn as a circle, W represents a child event or a cause of other events. X , called a default event, represents an unknown cause of child event W and is usually drawn as a diamond. Y;V is used in single-valued cases and drawn as a solid green arrow, representing the

linkage event matrix between [V and W . Used in multivalued cases and drawn as a solid red arrow, \;V is a weighted functional event matrix between [V andW . Dashed edges Y;V and\;V ,

drawn as a dashed green arrow and a dashed red arrow, respectively, are conditional on the observable condition event ];V .

3.2. Logic gate Logic gate event ^V is introduced to represent complicated relationships among input variables. ^V represents a logic gate event in DUCG, and its logic is specified in logic gate specification (E^V ). ^_ in Figure 2 is a logic gate in the shown DUCG.

3.3. Probabilistic reasoning of DUCG The analysis of a DUCG is based on the following hypothesis. Assuming that VV [ ∈ {X, B, G} is the parent event of X  , the following equation can be obtained: X  = g,;V /,  g i V

jk

;Vjk

[Vjk

where lV represents the state of the parent variable, ,;V represents the causal relationship between child variable X  and parent variable VV , and i ;Vjk , a functional event, is a virtual random event introduced in the DUCG to model the uncertain causal relationship between X  and [Vjk . Figure 3 explains this assumption. According to the equation above, the following results can be obtained: Pr {X  | p [Vjk } = g,;V /,  g " V

V

x ≡ Pr {X  } = ∑V,;V /,  ∑jk "

;Vjk

jk

;Vjk

Pr {[Vjk }=∑V,;V /,  ∑jk "

;Vjk

%Vjk

where %Vjk ≡ Pr {[Vjk }, and ,;V represents the uncertainty between parent event VV and child

event X  . Such uncertainty is usually determined by experts in related fields. As a result, if a direct relationship between VV and X  has been identified, ,;V = 1; if there is no relation between VV and X  , ,;V = 0; in other cases, ,;V is between 0 and 1. V2j2 V1j1

Vmjm

(rn;2/rn)Ank;2j2

Parent event

Weighted action events

+

Xnk=Xnk;1j1+Xnk;2j2+...+Xnk;mjm

is the XOR operator

Figure 3. Explanation of DUCG hypothesis

4. METHOD OF MAPPING DRBD INTO DUCG Although DUCG is a powerful tool for expressing and quantifying uncertainty, it is difficult to establish it directly because it is challenging to ascertain directly the logic of various elements it needs. Using the information obtained from a DRBD simplifies the creation of a DUCG. The procedure of mapping a DRBD into the corresponding DUCG consists of two steps: first, mapping all the basic blocks in the DRBD into the corresponding nodes in a DUCG, and second, adding arcs and logic gates to express the logic between nodes. In the following subsection, we show DRBD’s conversion into the equivalent structures in a DUCG, where state 0 represents a normal state, and state 1 indicates otherwise.

4.1. SDEP Block As we explained above, SDEP blocks model dependency relationships between components. Three most commonly used models will be described in the following subsections; other models extending them can be created easily. V1

F

SDEP

F

V2

V1(t-1) G1

V2(t)

V2(t-1)

Figure 4. F-F dependency

j

Table 1. Logic gate specification (LGS) of G1

G,u

 ",v;,j

 ",;,j

4.1.1.

<

<

1 2

[,v

1 − Y 0

[,v else

Y 1

F-F dependency

As Figure 4 shows, an F-F dependency represents that [ ’s failure leads to [ ’s failure. As a result, the state of [ at time t depends on [ ’s state at t-1 and [ ’s state at t-1. The relationship of [ and [ can be shown by a logic gate in the DUCG; its logic expression is shown in Table 1, and Y = Y[ # = 1|[ # − 1 = 0, [ # − 1 = 0. Assuming that components’ failure time follows an exponential distribution, we can obtain the failure probabilities of [ and [ , denoted by Y and Y,respectively. It is worth noting that Y’s and Y’s calculation methods are different. Failure probabilities of primary components can be easily determined by the following equation: 

P # = x )y #!# = 1 − 
Where }y| is the failure rate of [ .

The determination of [ ’s failure probability is more complex:

[, = g,;V ⁄, - g i V

= ,;⁄, -i,

jk

= ,;⁄, - 8i,

4.1.2.

;Vjk

;, ^,

[Vjk

+ i,

;, ^, -

< < [,v ;, [,v

+ i,

< < [,v ;, [,

<

+ [,

<

[,

<

+ [,v

<

[,

9

F-A and A-F dependencies V1

F

SDEP

F

V2

V1(t-1)

G2

V2(t)

V2(t-1)

Figure 5. F-A dependency

j

1 2 3

G,u

#−1

[2,1

Table 2. LGS of G2 "#2,0;2,l

#−1 #−1 [2,0 [1,0

else

0

1 − Y 1

"#2,1;2,l 1

Y2 0

An F-A dependency or an A-F dependency indicates that component [ ’s failure (or activation) leads to component [ ’s activation (or failure). The logic gate used to determine [ ’s

failure probability in this scenario is shown in Figure 5, and its logic gate specification is shown in Table 2. The equation used to determine [ ’s failure probability is [, = g,;V ⁄, - g i V

jk

= ,;⁄, - 8i,

4.1.3.

[Vjk

;Vjk

< ;, [,v

+ i,

< < [,v ;, [,v

+ i,

< < [, 9 ;, [,v

Interactive dependency SDEP F

F

F

F

V1

V2 SDEP

V2(t-1) V2(t)

G4

G3

V1(t)

V1(t-1)

Figure 6. Interactive dependency Table 3. LGS of G3 G,u "#1,0;3,l

j

#−1

1

[1,1

#−1 #−1

2 3

[1,0 [2,0 else G‚,u

j

#−1

1

[2,1

1 − Y 1

Table 4. LGS of G4 "#2,0;4,l

Y1 0

1

1 − Y 1

„lse

1

"#2,1;4,l

0

#−1 #−1 [1,0 [2,0

2 3

0

"#1,1;3,l

Y2 0

If components [ and [ are interaction-dependent, so can be their states. The respective logic can be expressed by the logic gate shown in Figure 6, and the respective LGS is shown in Table 4. The equation used to determine [ ’s failure probability is [, = g,;V ⁄, - g i V

jk

= ,;⁄, - 8i,

;Vjk

[Vjk

< ;, [,

+ i,

< < [,v ;, [,v

+ i,

< < [, 9 ;, [,v

4.2. SPARE Block SPARE blocks shown in Error! Reference source not found. are usually used to represent redundant behaviours in systems. Hot spares in the system can be treated directly as an OR gate. As a result, the DUCG for hot spares is shown in Error! Reference source not found. (c), and the LGS of ^† is presented in Table 5. As to cold or warm components with two spare components, the respective relationship is usually modelled as a logic gate, and only if all inputs fail, the spare block fails. In these cases, a spare component [ ’s states depend on its states at the preceding slice t-1 and [ ’s state at time t. Similarly, [ ’s state depends on [ ’s state at time t-1 and [ ’s state at time t. To represent the spare components’ failure probabilities, a dormancy factor α0 ≤ α < 1 is introduced. The dormancy factor depends on the spare configuration and is 0 for a cold spare, and 0 ≤ α < 1 in a warm spare. The LGS of ^_ and ^ˆ are shown in Table 6 and Table 7, respectivelyError! Reference source not found.. V2(t) V1

F

SPARE

V1(t) F

F

V2

V3

G5

V4(t)

V3(t)

(a)

(b)

V2(t-2) G6

V2(t-1)

V1(t-2) V1(t-1)

G7

V3(t)

V3(t-1)

(c) Figure 7. Spare block

j

1 2 j

G†,u

Table 5. LGS of G5 "#2,0;5,l

"#2,1;5,l

G_,u

Table 6. LGS of G6 "#−1 2,0;6,l

"#−1 2,1;6,l

#

#

[2,1 [1,1 else

0 1

1 0

#−1

1

0

[2,1

2 3

#−1

1

[3,1

1 − Y

3

Y21

"#3,1;7,l

0

#−1 #−1 #−1 [1,1 [2,1 [3,0

2

Y20

Table 7. LGS of G7 "#3,0;7,l

Gˆ,u

j

1

1 − Yv

#−1 #−1 [1,0 [2,0 #−1 #−1 [1,1 [2,0

1

1 − Y

else

Y31

1 − Yv

Y30

Considering component [ as an example, the failure probability of [ in the standby state is

Yv = Y[ # = 1|[ # − 1 = 0, [ # − 1 = 0 = 1 −  <Œz{ ∆ If [ is in the working state, the failure probability of [ can be obtained by Y = Y[ # = 1|[ # − 1 = 1, [ # − 1 = 0 = 1 − 
[, = g,;V ⁄, - g i V

= ,;⁄, -i,

jk

;Vjk

;ˆ, ^ˆ,

= ,;⁄, - 8i,

[Vjk

+ i,

< ;ˆ, [,

<

+ [,v

;ˆ, ^ˆ,

+ i,

;ˆ, ^ˆ, -

< < < [, [, ;ˆ, [,v

< < [,v

[,v

+ i,

<

+ [,v

+ i,

< < < [,v [, ;ˆ, [,v

< < [,v 9

[,

4.3. LSH Block Various load sharing configurations in DRBDs can be represented by LSH blocks. As Error! Reference source not found. shows, components [ and [ share workload in this LSH block. [ or [ ’s failure rate is βλ0 < β < 1 of the other component works perfectly, and the failure rate will increase to λ if one component fails. The LGSs of ^‘ and ^’ are shown in Table 8 and Table 9, respectivelyError! Reference source not found.Error! Reference source not found.. F

F V1

F

LSH

F

V2

V2(t-1) V2(t)

G9

G8 V1(t-1)

Figure 8. LSH Block Table 8. LGS of G8

V1(t)

G‘,u

"#1,0;8,l

"#1,1;8,l

#−1 #−1 [1,0 [2,0 #−1 #−1 [1,0 [2,1

1 − •v

•10

“

#−1

1

0

[1,1

2 3

G’,u

“

#−1

1

[2,1

1 − •

"#2,1;9,l

0

1

1 − •v

[1,0 [2,0

#−1 #−1 [1,1 [2,0

3

•11

Table 9. LGS of G9 "#2,0;9,l

#−1 #−1

2

1

•20

1 − •

The equation used to determine [ ’s (or [ ’s) failure probability is [, = g,;V ⁄, - g i V

jk

= ,;⁄, -i,

;Vjk

;‘, ^‘,

[Vjk

+ i,

< ;‘, [,

= ,;⁄, - 8i,

•21

;‘, ^‘,

+ i,

+ i,

;‘, ^‘, -

< < [,v ;‘, [,v

+ i,

< < [,v 9 ;‘, [,

4.4. CCF block Systems influenced by common causes are usually represented by a CCF block. As Error! Reference source not found. shows, components [ , [ and [ may fail at the same time because of common causes C123. [ and [ may fail at the same time because of C. [ and [ may fail at the same time because of C. Additionally, [ and [ may fail at the same time because of C. The DRBD and DUCG of this system are shown in Error! Reference source not found., where [‚ is the system composed of [ , [ and [ . The logical relationship among common causes and components is specified in the LGS. Although common cause failures of [ , [ , and [ are the same, their logic gate specifications (LGS) are different because of different configurations of [ , [ and [ . For the “2 out of 3” system considered as an example, Table 10Error! Reference source not found. shows the LGS of [ , [ and [ . CCF123 F

F

F

V1

V2

V3

F

F

F

F CCF23

CCF12 F CCF13

F

G10

Figure 9. CCF block

j 1 2

Table 10. LGS of G10 (the “2 out of 3” structure) Gv,u C,vC,vC,v + C, C,v C,v + C,v C, C,v + C,v C,v C, - ,v ,v ,v ,v else

"‚,v;v,u "‚,;v,u 1

0

0

1

5. CASE STUDY To evaluate our proposed method, control systems of subsea blowout preventer (BOP) (Cai, Baoping, et al. 2012; Cai, Baoping, et al. 2012; Cai, B. 2012 ) with triple modular redundancy (TMR) and double dual modular redundancy (DDMR) are studied in this section. As BOP is an important equipment used to provide safe working conditions during drilling, subsea blowout preventer control systems consist of surface components, subsea components and the connecting umbilical cable. Surface components mainly consist of the central control unit (CCU) used to transmit commands from the surface to subsea electronics modules (SEM). The CCU of control systems includes three control stations: the driller’s panel, the tool pusher’s panel and the work station. The driller’s panel is the primary control station and is used to control all functions associated with the BOP stack. The tool pusher’s panel and the work station are the second and the third control stations, respectively, and provide the same functionality as does the primary station. In this case, control stations are thought of as personal computers (PC). The modular processor subsystem of the CCU with triple redundancy consists of three PLCs, and each PLC executes the same application program. The voting adaptation for this subsystem is 2/3, i.e., the processor subsystem only operates properly if at least two of the three PLCs survive. The only difference between the triple modular redundancy (TMR) and double dual modular redundancy (DDMR) control systems is the design of PLCs. In the dual modular redundant processor subsystem, four PLCs are divided into two groups, which are in parallel configuration. Ethernet communication networks with dual redundancy are implemented between the PCs and PLCs using two Ethernet switches. The computers in the CCU normally communicate with the PLCs through the primary Ethernet network. If the primary network fails, the communication will switch to the secondary Ethernet network automatically. In subsea components of the control system, two SEMs are used to assure redundant control of all subsea valves and communicate with the CCU. The yellow and blue SEMs are completely

independent and are connected in parallel. The SEM system only fails if both the blue and the yellow SEMs fail. Even if one SEM fails, the other can nonetheless effectively perform all the subsea functions. The architectures of the yellow and blue SEMs are completely identical, and consist of subsystems for discrete input/output and analogue input. The discrete input subsystem, the analogue input subsystem and the discrete output subsystem all consist of three groups, and their voting configurations are set to 2/3 because they can only operate properly if at least two groups are functional. To transmit the signals sent from the surface and electric power to the SEMs, subsea umbilical cables are used; however, their failures are not considered in this case.

5.1. Modelling The reliability blocks of the TMR and DDMR control systems are shown in Figure 10 and Figure 11. Based on the reliability blocks, an application of our proposed method results in the DUCGs of two systems shown in Figure 12 and Figure 13. Additionally, the logic gate specification (LGS) of the logic gates for the TMR and DDMR systems are presented in Table 12Error! Reference source not found. and Table 12,Error! Reference source not found. respectively. Because the differences between the TMR and DDMR control systems mainly involve their different PLC configurations, only the LGS of G_, Gˆ and G‘ are presented for the DDMR control system, and others are similar to the LGSs of the TMR control system.

A PC-A

F SPARE A PC-B

PC-C

ES-A

CCF

ES-C CCF

CCF

PLC-A

PLC-C

PLC-B CCF CCF

2oo3

CCF

BAI-A

CCF

CCF

BAI-B

BAI-C

YAI-A

CCF

YAI-B CCF

CCF

2oo3

2oo3

CCF

BDI-A

CCF

CCF

BDI-B

BDI-C

YDI-A

CCF

YDI-B

YDI-C

CCF

CCF

CCF

CCF

2oo3

2oo3

CCF BDO-A

YAI-C

CCF

CCF

CCF

CCF BDO-B

BDO-C

YDO-A

CCF YDO-B

YDO-C

CCF

CCF

CCF

CCF

2oo3

2oo3

Figure 10. DRBD for the TMR control system

A PC-A F SPARE A

ES-A

PC-B

PC-C

CCF

ES-C

PLC-A

PLC-C CCF

CCF

PLC-B

CCF

BAI-A

PLC-D

CCF

CCF

BAI-B

BAI-C

YAI-A

CCF

CCF

YAI-B

CCF

CCF

2oo3

CCF

BDI-A

2oo3

CCF

CCF

BDI-B

BDI-C

YDI-A

CCF

CCF

YDI-B

YDI-C

CCF CCF

CCF

2oo3

CCF BDO-A

YAI-C

CCF

2oo3

CCF

CCF BDO-B

BDO-C

CCF

YDO-A

CCF YDO-B

YDO-C

CCF CCF

2oo3

CCF

2oo3

Figure 11. DRBD of the DDMR control system

X1(t-1)

X2(t-1)

G2 X1 PC1

B1 ES_S1

X3(t-1)

B2 ES_S2

G3

X2 PC2

B3 ES_S12

B4 PLC_S1

B5 PLC_S2

B6 PLC_S3

G5

X3 PC3

B7 PLC_S1 2

B8 PLC_S1 3

B9 PLC_S2 3

B10 PLC_S1 23

G6 X5 ES

X6 PLC

G4

X4 PC B11 BAI_S1

B12 BAI_S2

B13 BAI_S3

B14 BAI_S1 2

B15 BAI_S1 3

B16 BAI_S2 3

B17 PLC_S1 23

X16 SYSTE M

X15 SEM

B32 YAI_S1

B33 YAI_S2

B34 YAI_S3

G15

B35 YAI_S1 2

B37 YAI_S2 3

B38 PLC_S1 23

B43 YDI_S1 3

B44 YDI_S2 3

B45 PLC_S1 23

B50 YDO_S1 3

B51 YDO_S 23

B52 YDO_S 123

B36 YAI_S1 3

G10

G7 X10 YAI

X7 BAI

B18 BDI_S1

B19 BDI_S2

B20 BDI_S3

B21 BDI_S1 2

B22 BDI_S1 3

B23 BDI_S2 3

B24 PLC_S1 23

X13 BSEM

X14 YSEM

G13

B39 YDI_S1

B40 YDI_S2

B41 YDI_S3

G14

B42 YDI_S1 2 G11

G8 X11 YDI

X8 BDI

B25 BDO_S 1

B26 BDO_S 2

B27 BDO_S 3

B28 BDO_S1 2

B29 BDO_S 13

B30 BDO_S 23

B46 YDO_S 1

B31 BDO_S 123

B47 YDO_S 2

B48 YDO_S 3

B49 YDO_S 12

G12 G9 X9 BDO

X12 YDO

Figure 12. DUCG of the TMR control system

X1(t-1)

X2(t-1)

G2 X1 PC1

B1 ES_S1

X3(t-1)

B2 ES_S2

G3

X2 PC2

B3 ES_S12

B4 PLC_S1

G5

X3 PC3

X6

X7

PLC(AB)

PLC(CD)

G4

G8 X8 PLC

X4 PC

B7 BAI_S1

B8 BAI_S2

B9 BAI_S3

PLC_S12

G7

G6 X5 ES

B6

B5 PLC_S2

B10

B11

B12

B13

BAI_S12

BAI_S13

BAI_S23

PLC_S123

X17 SEM

X18 SYSTEM

B28 YAI_S1

B29 YAI_S2

B30 YAI_S3

G17

B31

B32

B33

B34

YAI_S12

YAI_S13

YAI_S23

PLC_S123

G12

G9 X12 YAI

X9 BAI

B14 BDI_S1

B15 BDI_S2

B16 BDI_S3

B17

B18

B19

B20

BDI_S12

BDI_S13

BDI_S23

PLC_S123

X15 BSEM

X16 YSEM

B35 YDI_S1

B36 YDI_S2

B37 YDI_S3

B38

B39

B40

B41

YDI_S12

YDI_S13

YDI_S23

PLC_S123

G13 G10

G15

G16 X13 YDI

X10 BDI

B21 BDO_S1

B22

B23

B24

B25

B26

B27

BDO_S2

BDO_S3

BDO_S12

BDO_S13

BDO_S23

BDO_S123

B42

B43

B44

B45

B46

B47

B48

YDO_S1

YDO_S2

YDO_S3

YDO_S12

YDO_S13

YDO_S23

YDO_S123

G14 G11 X11 BDO

X14 YDO

Figure 13. DUCG of the DDMR control system

i

j 1

2

2 3 1

3

2 3 4 1 2 1 2 3 1 2 3 4 5 1 2 1 2 1 2

4 5

6

13 15 16

i 6 7 8

j 1 2 1 2 1 2

Table 11. LGSs of logic gates of the TMR control system GP,u "P,v;P,u #−1 #−1 W1,0 W2,0 #−1 #−1 W1,1 W2,0

*e

#−1 #−1 W2,0 W3,0 #−1 #−1 #−1 W1,0 W2,1 W3,0 #−1 #−1 #−1 W1,1 W2,1 W3,0

* X,v X,v X ,v * B,v B,v B, B,v B,v * B‚,v B†,v B_,v Bˆ,vB‘,v B’,v Bv,v B‚, B†,v B_,v Bˆ,vB‘,v B’,v Bv,v B‚,v B†, B_,v Bˆ,vB‘,v B’,v Bv,v B‚,v B†,v B_, Bˆ,vB‘,v B’,v Bv,v * X ˆ,v X ‘,v X ’,v * X,v X‚,v * X ‚,v X †,vX _,v X†,v *



<—| =—˜ =—|˜ ∆

1−

"P,;P,u

<—| =—˜ =—|˜ ∆

 <—=—|=—˜ =—|˜∆ 0

1 −  <— =—|=—˜=—|˜∆ 1

 <—| =—˜=—|˜∆

1 −  <—|=—˜ =—|˜∆

 <—| =—˜=—|˜∆

 <—=—|=—˜ =—|˜∆ 0 1 0 1 1 0 1 1 1 1 0 1 0 1 0 1 0

1 −  <—|=—˜ =—|˜∆

1 −  <— =—|=—˜=—|˜∆ 1 0 1 0 0 1 0 0 0 0 1 0 1 0 1 0 1

Table 12. LGSs of logic gates of the DDMR control system GP,u "P,v;P,u B‚,v B†,v B_,v 1 0 *e B‚,v B†,v B_,v 1 0 * X _, X ˆ, 0 1 *

"P,;P,u 0 1 0 1 1 0

5.2. Analysis Based on the component failure rates given in Table 13Error! Reference source not found. and Table 14, Error! Reference source not found. shows the results obtained by the DUCG method. Taking the common cause failure and warm standby into account, the method we propose can model the system more realistically because the common cause failure and a warm backup configuration are important factors, and a method that treats common causes as general causes in fact makes an excessive simplification that has a non-negligible effect on the results. For example, common causes such as S can result in the entire system’s failure if such a cause occurs but can only affect one component if it is regarded as a general cause. To clarify the effect of a warm spare and common cause failures, the result obtained without considering a warm spare and the

common cause failure is shown in Figure 15. Comparing Error! Reference source not found. and Figure 15, we observe a clear difference. Although a warm backup reduces the product’s failure probability to some extent compared with that of a hot standby, the common cause failure significantly reduces the system reliability. The above figures show that ignoring common cause failures in reliability analysis leads to an overestimation of system reliability. Table 13. Failure rates of components of a TMR control system Common cause Common cause Failure rate in Failure rate of Componen failure rate of failure rate of the operating single component β t three two components condition λ components λ λ PC 9.41299e-06 0.05 ES 1.28604e-05 9.67989e-07 PLC 1.70156e-05 3.54492e-07 3.54492e-07 AI 3.29735e-06 2.56460e-07 1.09912e-07 DI 3.82301e-06 2.97345e-07 1.27434e-07 DO 8.20473e-06 5.35091e-07 1.78364e-07

PC ES PLC AI DI DO

reliability of control system 1

TMR control system DDMR control system

0.995

0.99

reliability

Component

Table 14. Failure rates of components of a DDMR control system Common cause Failure rate of Common cause Failure rate in failure rate of single failure rate of the operating three component two components condition components λ λ λ 1.389979e-05 1.28604e-05 9.67989e-07 1.01232e-05 3.13089e-07 3.29735e-06 2.56460e-07 1.09912e-07 3.82301e-06 2.97345e-07 1.27434e-07 8.20473e-06 5.35091e-07 1.78364e-07

0.985

0.98

0.975

0.97 0

720

1440

2160

2880

3600

4320

time (h)

Figure 14. Reliability probabilities of two kinds of control systems

β 0.05

reliability of control system (static) 1 TMR control system DDMR control system

reliability

0.999

0.998

0.997

0.996 0

720

1440

2160

2880

3600

4320

time (h)

Figure 15. Reliability probabilities of two kinds of control systems (without considering the common cause failure and warm standby)

Method DBN DUCG

Table 15. Comparison between DUCG and DBN System Number of nodes Number of parameters type TMR 98 606 DDMR 99 588 TMR 71 114 DDMR 69 109

The model we build holds several advantages: (1) By defining the CCF block in a DRBD, the new model performs better in dealing with common cause failures. The design that considers the components influenced by common cause failures as a whole, on the one hand, reduces the number of parameters and, on the other hand, increases the accuracy of calculations and avoids excessive estimation of system reliability due to the neglect of common cause failures. (2) According to the comparison between DUCG and DBN shown in Table 15Error! Reference source not found., we observe that the number of nodes in a DUCG is smaller than that in a DBN, and the number of parameters in a DUCG is significantly lower than that in a DBN, which proves the conciseness of a DUCG. (3) In contrast to a DBN analysis based on the full probability formula that needs the complete set of conditional probabilities for the calculation, the DUCG approach involves fewer computations because it only calculates probabilities related to the specified status. Considering W_ as an example; as we know, the formula for a DBN is PW_,v - = PW_,v™W‚,v W†,v W_,v W†,v-PW‚,v W†,v W_,v W†,v + PW_,v™W‚, W†,v W_,v W†,v-PW‚, W†,v W_,v W†,v + PW_,v™W‚,v W†, W_,v W†,v-PW‚,v W†, W_,v W†,v + PW_,v |W‚, W†, W_, W†, PW‚, W†, W_, W†,  The respective formula for a DUCG is PW_,v - = ,_,_ /,_ "_,v;_, š‚,v š†,v š_,v š†,v

6. CONCLUSIONS Although DRBD is a powerful tool for modelling systems’ dynamic behaviour, it is difficult to use it to obtain quantitative results because it lacks simple and practical analysis methods and

cannot deal with common cause failures accurately. To solve these problems, DRBD is extended with a common cause failure block, and a mapping method from a DRBD to a DUCG is proposed in this paper. Compared with other analysis methods, DUCG’s advantages mainly pertain to its easy conversion, concise expression and simple calculation. In the case of child nodes with seven parent nodes (for a node in a common cause failure block such as W_), the number of parameters needed in a DBN’s conditional probability table is , but the number of parameters needed in a DUCG is only 5, which reflects the simplicity of the DUCG’s representation. Additionally, the computation for a DUCG is much easier than that for a DBN because of the DUCG’s simplification before the calculation (only nonzero parameters are used in the calculation).

Acknowledgements Supported by National Natural Science Foundation of China (Grant No. 51805018).

References Bearfield, G., Marsh, W., 2005. Generalising event trees using Bayesian networks with a case study of train derailment. Lect. Notes Comput. Sci. 3688, 52–66. Bhangu, Navneet Singh , R. Singh , and G. L. Pahuja . "Availability Performance Analysis of Thermal Power Plants." 2019. Bobbio, A., Portinale, L., Minichino, M., Ciancamerla, E., 2001. Improving the analysis of dependable systems by mapping fault trees into Bayesian networks. Reliab. Eng. Syst. Saf. 71, 249–260. Boudali, H., Dugan, J.B. A discrete-time Bayesian network reliability modeling and analysis framework. Reliab. Eng. Syst. Saf. 87, 337e349, 2005. Boudali, H., Dugan, J.B., 2005. A discrete-time Bayesian network reliability modeling and analysis framework. Reliab. Eng. Syst. Saf. 87, 337-349. Boudali, H., Dugan, J.B., 2005. A discrete-time Bayesian network reliability modeling and analysis framework. Reliab. Eng. Syst. Saf. 87, 337–349. C. Dong and Q. Zhang, “Identification of pivotal causes and spreaders in the time-varying fault propagation model to improve the decision making under abnormal situation,” Qual. Rel. Eng. Int., vol. 32, pp. 99–109, 2016. C. Dong, Y. Zhao, and Q. Zhang, “Assessing the influence of an individual event in complex fault spreading network based on dynamic uncertain causality graph,” IEEE Trans. Neural Netw. Learn. Syst., vol. 27, no. 8, pp. 1615–1630, Aug. 2016. C. Dong,Y.Wang, Q. Zhang, andN.Wang, “The methodology of dynamic uncertain causality graph for intelligent diagnosis of vertigo,” Comput. Methods Programs Biomed., vol. 113, pp. 162–174, 2014. Cai, B. , Liu, Y. , Liu, Z. , Tian, X. , Li, H. , & Ren, C. . (2012). Reliability analysis of subsea blowout preventer control systems subjected to multiple error shocks. Journal of Loss Prevention in the Process Industries, 25(6), 1044-1054. Cai, B., Huang, L., Xie, M., 2017. Bayesian networks in fault diagnosis. IEEE Trans Industr Inform 13, 2227–2240. Cai, B.P., Liu, Y.H., Liu, Z.K., Tian, X.J., Zhang, Y.Z., Liu, J., 2012. Performance evaluation of subsea blowout preventer systems with common-cause failures. J. Pet. Sci. Eng. 90-91, 18-25 Cai, Baoping , et al. "Development of an automatic subsea blowout preventer stack control system using PLC based SCADA." Isa Transactions 51.1(2012):198-207.

Cai, Baoping, et al. "Using Bayesian networks in reliability evaluation for subsea blowout preventer control system." Reliability Engineering & System Safety 108.12(2012):32-41 Chunling, D. , Zhenxu, Z. , & Qin, Z. . (2018). Cubic dynamic uncertain causality graph: a new methodology for modeling and reasoning about complex faults with negative feedbacks. IEEE Transactions on Reliability, 1-13. Distefano, S. , and N. L. Xing . "A new approach to modeling the system reliability: dynamic reliability block diagrams." Rams 06 Reliability & Maintainability Symposium IEEE Computer Society, 2006. Dongming Fan, Zili Wang, Linlin Liu, Yi Ren. “A modified GO-FLOW methodology with common cause failure based on Discrete Time Bayesian Network”,Nuclear Engineering and Design, Vol. 305, pp 476-488, 2016 Fazlollahtabar, Hamed, and S. T. A. Niaki. "Fault Tree Analysis for Reliability Evaluation of an Advanced Complex Manufacturing System." Journal of Advanced Manufacturing Systems 17.01:107-118, 2018. Fowler, J.H., Roche, J.R., 1994. System safety analysis of well-control equipment. SPE Drill. Complet. 3, 193-198. H. Xu and L. Xing, “Formal semantics and verification of dynamic reliability block diagrams for system reliability modeling,” in Proc. 11th Int. Conf. Softw. Eng. Appl., Cambridge, MA, Nov. 2007, pp. 155–162. H. Xu, L. Xing, and R. Robidoux, “DRBD: Dynamic reliability block diagrams for system reliability modeling,” Int. J. Comput. Appl. (IJCA), vol. 31, no. 2, pp. 132–141, 2009. Holand, P., Awan, H., 2012. Reliability of Deepwater Subsea BOP Systems and Well Kicks. ExproSoft Report ES, 52/02. (Unrestricted version). K. Li, R. Yi and Z. Ma, "Reliability analysis of dynamic reliability blocks through conversion into dynamic bayesian networks," 2016 IEEE International Conference on Industrial Engineering and Engineering Management (IEEM), Bali, 2016, pp. 1330-1334. Kanjing Li, Yi Ren, Dongming Fan, Linlin Liu, Zili Wang, Zheng Ma, “Enhance GO methodology for reliability analysis of the closedloop system using Cyclic Bayesian Networks”, Mechanical Systems and Signal Processing vol.113, pp237–252, 2018 Liu, Z. , Liu, Y. , Cai, B. , Zhang, D. , & Zheng, C. . (2015). Dynamic bayesian network modeling of reliability of subsea blowout preventer stack in presence of common cause failures. Journal of Loss Prevention in the Process Industries, 38, 58-66. Liu, Z. , Liu, Y. , Wu, X. L. , & Cai, B. . (2018). Risk analysis of subsea blowout preventer by mapping go models into bayesian networks. Journal of Loss Prevention in the Process Industries, 52, 54-65. Liu, Zengkai ; Liu, Yonghong. . (2019). A Bayesian network based method for reliability analysis of subsea blowout preventer control system. Journal of Loss Prevention in the Process Industries, 59, 44-53. Lo, C.H., Wong, Y.K., Rad, A.B., 2011. Bond graph based Bayesian network for fault diagnosis. Appl. Soft Comput. 11, 1208–1212. Q. Zhang and Q. Yao, “Dynamic uncertain causality graph for knowledge representation and reasoning: Utilization of statistical data and domain knowledge in complex cases,” IEEE Trans. Neural Netw. Learn. Syst., vol. 29, no. 5, pp. 1637–1651, May 2018. Q. Zhang and S. Geng, “Dynamic uncertain causality graph applied to dynamic fault diagnoses of

large and complex systems,” IEEE Trans. Rel., vol. 64, no. 3, pp. 910–927, Sep. 2015. Q. Zhang and Z. Zhang, “Dynamic uncertain causality graph applied to dynamic fault diagnoses and predictions with negative feedbacks,” IEEE Trans. Rel., vol. 65, no. 2, pp. 1030–1044, Jun. 2016. Q. Zhang, “Dynamic uncertain causality graph for knowledge representation and probabilistic reasoning: Directed cyclic graph and joint probability distribution,” IEEE Trans. Neural Netw. Learn. Syst., vol. 26, no. 7, pp. 1503–1517, Jul. 2015. Q. Zhang, “Dynamic uncertain causality graph for knowledge representation and reasoning: Continuous variable, uncertain evidence, and failure forecast,” IEEE Trans. Syst., Man, Cybern., Syst., vol. 45, no. 7, pp. 990–1003, Jul. 2015. Q. Zhang, C. Dong, Y. Cui, and Z. Yang, “Dynamic uncertain causality graph for knowledge representation and probabilistic reasoning: Statistics base, matrix, and application,” IEEE Trans. Neural Netw. Learn. Syst., vol. 25, no. 4, pp. 645–663, Apr. 2014. R. Robidoux, H. Xu, L. Xing, and M. C. Zhou, "Automated Modeling of Dynamic Reliability Block Diagrams Using Colored Petri Nets.," IEEE Transactions on Systems Man & Cybernetics Part A Systems & Humans, vol. 40, pp. 337-351, 2010. S. Distefano, "Standby System Reliability through DRBD," in IEEE International Parallel & Distributed Processing Symposium Workshops, 2014, pp. 1330 - 1337. Sadou, N., Demmou, H., 2009. Reliability analysis of discrete event dynamic systems with Petrinets. Reliab. Eng. Syst. Saf. 94, 1848-1861 Yong Chen, Yi Ren, Linlin Liu, Dezhen Yang, “A new algorithm of GO methodology based on minimal path set,” AASRI Procedia,Vol. 3, pp 368-374, 2012 Z. Zhou and Q. Zhang, “Model event/fault trees with dynamic uncertain causality graph for better probabilistic safety assessment,” IEEE Trans. Rel., vol. 66, no. 1, pp. 178–188, Mar. 2017. Zhang, Qin . "Dynamic Uncertain Causality Graph for Knowledge Representation and Reasoning: Discrete DAG Cases." Journal of Computer Science and Technology (English Language Edition) 27.1(2012):1-23. Zhang, Qin . DUCG: A New Methodology to Deal with Dynamical Uncertain Causalities(I):The Static Discrete DAG Case. Chinese Journal of Computers, 2010, 33(4):625-651. Feng, Q., Bi, W., Chen, Y., Ren, Y., Yang, D., 2017. Cooperative game approach based on agent learning for fleet maintenance oriented to mission reliability. Comput. Ind. Eng. 112, 221–230. Feng, Q., Bi, X., Zhao, X., Chen, Y., Sun, B., 2017. Heuristic hybrid game approach for fleet condition-based maintenance planning. Reliab. Eng. Syst. Saf. 157, 166–176. Feng, Q., jiezhao, X., Fan, D., Cai, B., Liu, Y., Ren, Y., 2019. Resilience design method based on meta-structure: A case study of offshore wind farm. Reliab. Eng. Syst. Saf. 186, 232–244. Ren, Y., Fan, D., Feng, Q., Wang, Z., Sun, B., Yang, D., 2019. Agent-based restoration approach for reliability with load balancing on smart grids. Appl. Energy 249, 46–57. Cai, B., Shao, X., Liu, Y., Kong, X., Wang, H., Xu, H., Ge, W. Remaining useful life estimation of structure systems under the influence of multiple causes: Subsea pipelines as a case study. IEEE Trans. Ind. Electronics. In press.

Highlights

(1) A common cause failure block is added to Dynamic Reliability Block Diagram (DRBD) to deal with common cause failures. (2) A new solving method based on Dynamical Uncertainty Causality Graph (DUCG) is presented, which needs less parameters and can be easily analyzed. (3) To alleviate the solved complication of DRBD introduced by Petri net, Markov chain, and Dynamic Bayesian Network (DBN).