deposit_hagen
Publication server of the University Library (Publikationsserver der Universitätsbibliothek)
Mathematics and Computer Science
Informatik-Berichte 52 – 12/1984
Tutorial on Advanced Concepts in Fault Tree Analysis
Winfrid G. Schneeweiss
Preface
In the framework of the ISPRA*) course UNCERTAINTY MODELLING IN PROBABILISTIC RISK ASSESSMENT (19-23 Nov. 1984) the following intimately coupled invited lectures were given:
I) UNCERTAINTY PROPAGATION AND APPROXIMATIONS IN FAULT TREE ANALYSIS
II) MODELLING BOOLEAN FUNCTIONS FOR PROBABILISTIC ANALYSIS WITH APPLICATIONS TO FAULT TREE ANALYSIS
To make this material, which, though tutorial in essence, touches strongly on recent research, readily available, it is published here provisionally.
*) At Ispra/Italy the CEC (Commission of the European Communities) runs its Joint Research Centre.
I) MODELLING BOOLEAN FUNCTIONS FOR PROBABILISTIC ANALYSIS WITH APPLICATIONS TO FAULT TREE ANALYSIS
Winfrid G. Schneeweiss
Abstract
In this report the theory of Boolean functions of indicator variables is developed in an extremely economical way to give sufficient insight into modern algorithms for the determination of disjunctive normal forms consisting of pairwise disjoint terms (DDNF's).
After that it is shown how easily DDNF's lend themselves to stochastic analysis, especially to the determination of the probability of a Boolean function being 1 (which corresponds to system unavailability in fault tree analysis) and of the mean time a Boolean function is 0 viz. 1 (which corresponds to MTBF viz. MTTR in fault tree analysis).
Contents
1 Introduction
2 Boolean functions of indicator variables
3 Boolean functions without Boolean operators
4 Algorithms to get disjunctive normal forms of disjoint conjunction terms
5 Application of multilinear Boolean polynomials to fault tree analysis
6 References
1 INTRODUCTION
Traditionally the application of Boolean algebra to fault tree analysis has been very strongly influenced by digital switching circuits engineering. This means in essence that the Boolean function of the fault tree has been minimized, typically by the well known Quine-McCluskey procedure, and then a pessimistic mincut analysis has been performed. It is the conviction of this author that not too much more manpower and/or computer work should be invested into this classical type of optimization, since the final result is not well adapted to probabilistic analysis. In fact, disregarding approximations, it is much better to find a minimal disjunctive normal form of disjoint terms than to search for all the prime implicants of a given Boolean function and then determine a minimal subset of them. In the former case replacing each indicator variable by its probability of being 1 (indicating the failure state) gives system unreliability or unavailability $U_S$; whereas in the latter case one only knows that, for events $a_i$ referring to terms $T_i$ assuming the value 1,
$$U_S = P\Big\{\bigcup_i a_i\Big\}. \qquad (1)$$
And consequently the rather simplistic approximation (1) is most widely used.
Hence, in this report I will aim at determining "short" DDNF's, i.e. disjunctive normal forms of mutually (pairwise) disjoint terms.
2 BOOLEAN FUNCTIONS OF INDICATOR VARIABLES
Indicator variables $X$ are usually Boolean in the sense that $X \in \{0, 1\}$; 0 and 1 integers.
A Boolean function $\varphi$ of indicator variables $X_1, \ldots, X_n$ is (in modern notation)
$$\varphi: \{0,1\}^n \to \{0,1\}, \qquad (2)$$
or, in engineering notation, with S indicating a system to be modelled.
The most "fundamental" Boolean functions are the 1-variable function negation
$$\varphi(X) = \bar X = \begin{cases} 1, & \text{if } X = 0 \\ 0, & \text{if } X = 1 \end{cases} \qquad (3)$$
and the two 2-variable functions conjunction (AND)1)
$$\varphi(X_1, X_2) = X_1 \wedge X_2 = \begin{cases} 1, & \text{if } X_1 = X_2 = 1 \\ 0, & \text{else} \end{cases} \qquad (4)$$
and disjunction (OR)
$$\varphi(X_1, X_2) = X_1 \vee X_2 = \begin{cases} 0, & \text{if } X_1 = X_2 = 0 \\ 1, & \text{else.} \end{cases} \qquad (5)$$
1) As in most of the literature, the symbol $\wedge$ is deleted henceforth.
The following theorem reveals in which sense the above 3 functions are fundamental.
Theorem 2-1: Any Boolean function can be expressed by nested algebraic expressions using only the operations of negation, conjunction and disjunction.
(A proof is given in §4.1.)
Another proof uses the concept of a minterm, which we explain next:
Clearly, a Boolean function can also be defined by its truth table, which is simply a listing of all of its argument n-tuples together with the corresponding values of the function. Tab. 2-1 gives the truth table of the 2-out-of-3 function
(6)
(This function is needed for an understanding of many safety systems and of any binary adder.)
Tab. 2-1: Function table of (6)
 X1 X2 X3 | φ
  0  0  0 | 0
  0  0  1 | 0
  0  1  0 | 0
  0  1  1 | 1
  1  0  0 | 0
  1  0  1 | 1
  1  1  0 | 1
  1  1  1 | 1
Now, the auxiliary Boolean function (so called term)
$$M_1 := \bar X_1 X_2 X_3 = \begin{cases} 1, & \text{if } X_1 = 0,\ X_2 = 1,\ X_3 = 1 \\ 0, & \text{else.} \end{cases}$$
Similar simple relations hold for $M_2 := X_1 \bar X_2 X_3$, $M_3 := X_1 X_2 \bar X_3$ and $M_4 := X_1 X_2 X_3$.
Hence, obviously (see Tab. 2-1), for the $\varphi$ of (6)
$$\varphi = M_1 \vee M_2 \vee M_3 \vee M_4. \qquad (7)$$
$M_1$ thru $M_4$ are minterms of $\varphi$. They "contain" all the variables of $\varphi$, normal (unchanged) or negated. This result is readily generalized for any Boolean function of n variables.
Theorem 2-2: Any Boolean function is the disjunction of its minterms. (This also proves theorem 2-1.)
A disjunction of conjunctive terms is called a disjunctive normal form (DNF). If the terms are minterms, as in (7), the DNF is called canonical (CDNF).
DNF's can be shortened by the absorption rule
(8)
Corollary 2-1: Any Boolean function is transformable to a disjunctive normal form.
(Proof: A CDNF is a DNF.)
CDNF's have unpractical lengths. They can be shortened by the merging rule (for Boolean $\varphi$)
(9)
which is clear from the obvious factoring rule
(10)
and the inverse-element rule (for the literals $X_i$ and $\bar X_i$)
(11)
which is easily proved by use of (5).
If a term $T_i$ of a DNF cannot be shortened, i.e. if $T_i = 1$ implies $\varphi = 1$, but $T_i$ without one of its literals doesn't, then $T_i$ is a prime implicant (or prime term). Two terms are called disjoint if their conjunction is 0 (always).
Lemma 2-1: Two terms are disjoint iff one contains at least one literal which the other contains negated. (The simple proof is an exercise.)
Among the DNF's there are such with pairwise disjoint terms; we abbreviate them here as DDNF's.
Lemma 2-2: Any CDNF is a DDNF.
(The simple proof is an exercise.)
The systematic construction of DDNF's is discussed in §4; they are of considerable interest in probabilistic analysis of Boolean functions.
For a proper understanding of the main algorithm of §4.1 the following DDNF is needed, which is always 1:
(12)
Proof: By (11)
Furthermore
which is (12) for m=2. Let (12) be true for m=k. Then for m=k+1, expanding only the last term of the first brackets,
(13)
which is again of the type (12) with m=k+1. Hence, by the principle of induction, (12) is true for all $m \in \mathbb{N}$, q.e.d.
3 BOOLEAN FUNCTIONS WITHOUT BOOLEAN OPERATORS
It is easily verified that the Boolean operators $\bar{\ }$ (negation), $\wedge$ (AND), $\vee$ (OR) can be replaced by operators of "usual" algebra. In fact George Boole did so (or rather: he did not use Boolean operators; at least in his famous book of 1854). For (Boolean) indicator variables $X_i, X_j$
$$\bar X_i = 1 - X_i \quad \text{(complement with respect to 1)}, \qquad (14)$$
$$X_i \wedge X_j = X_i X_j \quad \text{(multiplication)}, \qquad (15)$$
$$X_i \vee X_j = X_i + X_j - X_i X_j \quad \text{(sum minus product)}. \qquad (16)$$
Also, in practical calculations the idempotence rule
(17)
is used quite often, which is almost trivially true.
EXAMPLE: 2-OUT-OF-3 SYSTEM
Repeating (6)
By (10) and (16)
Now, (16) yields for $X_i \vee X_j$
whence, on applying (17),
(18)
In general, given a DNF of $\varphi$, using (from (16))
$$\bigvee_i X_i = 1 - \prod_i \bar X_i, \qquad (19)$$
one has
$$X_S = \bigvee_i T_i = 1 - \prod_i \bar T_i = 1 - \prod_i (1 - T_i). \qquad (20)$$
Unfortunately, the computational complexity of the last expression equals that of the principle of inclusion/exclusion. Only to humans does the expansion of the product in (20) look simpler than the calculation of the terms of the Poincaré/Sylvester formula
$$P\Big\{\bigcup_i a_i\Big\} = \sum_i P\{a_i\} - \sum_{i<j} P\{a_i \cap a_j\} + \sum_{i<j<k} P\{a_i \cap a_j \cap a_k\} - + \ldots \qquad (21)$$
The transformation of DDNF's to forms without Boolean operators is extremely simple.
Theorem 3-1: In disjunctions of mutually disjoint Boolean functions the OR operator can be replaced by the +-sign.
Proof (by induction): If $\varphi_1 \varphi_2 = 0$, by (16) $\varphi_1 \vee \varphi_2 = \varphi_1 + \varphi_2$. Let it be assumed that
$$\bigvee_{i=1}^{m} \varphi_i = \sum_{i=1}^{m} \varphi_i.$$
Then, by (16),
$$\bigvee_{i=1}^{m+1} \varphi_i = \sum_{i=1}^{m} \varphi_i + \varphi_{m+1} - \varphi_{m+1} \sum_{i=1}^{m} \varphi_i.$$
Now, by assumption all $\varphi_i \varphi_j = 0$ ($i \ne j$). Hence, from the assertion being true for m functions it follows that it is also true for m+1 functions, and, by induction, for any number of functions, q.e.d.
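The following Python block is an added example (not from the report) carrying §2 and §3 through for the 2-out-of-3 function of Tab. 2-1: it lists the minterms of Theorem 2-2 from the truth table, sums their probabilities as a DDNF (Lemma 2-2 together with Theorem 3-1), and expands $X_S = 1 - \prod_i (1 - T_i)$ of (20) symbolically under the idempotence rule $X_i^2 = X_i$ (the rule numbered (17)) into the multilinear polynomial of (18), whose expectation is $P\{X_S = 1\}$. The function names, the dictionary representation of polynomials and the component probabilities p = (0.1, 0.2, 0.3) are choices made for this example; independent components are assumed throughout.

```python
from itertools import product


def phi_2oo3(x):
    """2-out-of-3 function of Tab. 2-1: 1 iff at least two of X1, X2, X3 are 1."""
    return 1 if sum(x) >= 2 else 0


def minterms(phi, n):
    """Theorem 2-2: the argument n-tuples on which phi is 1; each one is a minterm
    (variable i appears normal if x[i] == 1 and negated if x[i] == 0)."""
    return [x for x in product((0, 1), repeat=n) if phi(x) == 1]


def minterm_prob(x, p):
    """P{minterm = 1} for independent components: p_i for a normal, 1 - p_i for a negated literal."""
    r = 1.0
    for xi, pi in zip(x, p):
        r *= pi if xi == 1 else 1.0 - pi
    return r


def cdnf_prob(phi, p):
    """Lemma 2-2 and Theorem 3-1: a CDNF is a DDNF, so OR becomes + and P{phi = 1} is a plain sum."""
    return sum(minterm_prob(x, p) for x in minterms(phi, len(p)))


# A multilinear polynomial in the indicator variables is stored as {frozenset(variable indices): coeff}.
# By the idempotence rule X_i**2 = X_i, multiplying two monomials just unites their variable sets.
def poly_add(a, b):
    out = dict(a)
    for mono, c in b.items():
        out[mono] = out.get(mono, 0) + c
    return {m: c for m, c in out.items() if c != 0}


def poly_mul(a, b):
    out = {}
    for ma, ca in a.items():
        for mb, cb in b.items():
            out[ma | mb] = out.get(ma | mb, 0) + ca * cb
    return {m: c for m, c in out.items() if c != 0}


def dnf_to_polynomial(terms):
    """(19)/(20): X_S = OR_i T_i = 1 - PROD_i (1 - T_i); each T_i is given as a set of
    (normal) variable indices, e.g. {0, 1} for X1 X2."""
    prod = {frozenset(): 1}
    for t in terms:
        prod = poly_mul(prod, {frozenset(): 1, frozenset(t): -1})
    return poly_add({frozenset(): 1}, {m: -c for m, c in prod.items()})


def poly_prob(poly, p):
    """Expectation of a multilinear polynomial of independent indicators: X_i is replaced by p_i = P{X_i = 1}."""
    total = 0.0
    for mono, c in poly.items():
        r = float(c)
        for i in mono:
            r *= p[i]
        total += r
    return total


# Mincut DNF of the function of Tab. 2-1: X1 X2 v X1 X3 v X2 X3
DNF_2OO3 = [{0, 1}, {0, 2}, {1, 2}]

if __name__ == "__main__":
    p = (0.1, 0.2, 0.3)                     # constructed component unavailabilities
    poly = dnf_to_polynomial(DNF_2OO3)      # X1X2 + X1X3 + X2X3 - 2 X1X2X3, i.e. (18)
    print(poly_prob(poly, p), cdnf_prob(phi_2oo3, p))   # both 0.098
```

Both routes give 0.098 for these probabilities. The point of the example is where the work sits: the symbolic expansion of the product in (20) is exactly the inclusion/exclusion effort the text refers to, whereas the DDNF route needs nothing but a sum of products.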
4 ALGORITHMS TO GET DISJUNCTIVE NORMAL FORMS OF DISJOINT CONJUNCTION TERMS
Now we describe and discuss two very interesting and fairly new algorithms for the transformation of Boolean functions to DDNF's. The decomposition procedure of §4.1 does not demand a DNF as the starting form; however, the set-"addition" procedure of §4.2 does.
With both procedures approximations gained by deleting terms give too small values of $P\{X_S = 1\}$; i.e., in fault tree analysis: optimistic values, because all terms are added, and each is positive.
Comment: However nice the concept of the KARNAUGH map may be, I have not introduced it here, to avoid the introduction of too many new things in too short a time.
4.1 THE SHANNON DECOMPOSITION PROCEDURE
This procedure is a straightforward consequence of the well known Shannon decomposition theorem (formula). For any $i \in \{1, \ldots, n\}$
$$\varphi(\mathbf X) = \varphi(X_1, \ldots, X_n) = X_i\,\varphi(\mathbf X)\big|_{X_i = 1} \vee \bar X_i\,\varphi(\mathbf X)\big|_{X_i = 0} =: X_i\,\varphi(X_i = 1) \vee \bar X_i\,\varphi(X_i = 0), \qquad (22)$$
which is easily verified, including the disjointness of the two terms $X_i \varphi(X_i = 1)$ and $\bar X_i \varphi(X_i = 0)$. Continuing with this type of decomposition in a binary tree-type algorithm one ends, after at most n steps, with a nested algebraic expression which is (conceptually) easily transformed to polynomial form, i.e. to a DDNF or, by theorem 3-1, to a usual multilinear polynomial.
Trivially, (22) yields
$$X_i \vee X_j = X_i \vee \bar X_i X_j. \qquad (23)$$
EXAMPLE: 2-OUT-OF-3 SYSTEM
In the first step (22) yields with i=1 from (6)
By (8) $X_2 X_3$ in the brackets is absorbed. Then by (23)
(24)
(Check that this is in fact a DDNF!)
4.2 THE ABRAHAM '77 PROCEDURE
This algorithm needs a few explanations for motivation and technical procedure in non-trivial examples.
Main idea: Start with a term $T_1$ (preferably a shortest) of a DNF of the given $\varphi$. Then add to $T_1$ those minterms of a second term $T_2$ which are not minterms of $T_1$. Then add those minterms of a third term $T_3$ which are not minterms of the above intermediate result etc., see Fig. 1.
Fig. 1: Venn diagram for the main idea of the ABRAHAM '77 algorithm. Dots correspond to minterms of $\varphi$.
EXAMPLE: 2-OUT-OF-3 SYSTEM
In (6) the terms are
Now, by (10) and (11) $T_2$ is expanded to
Likewise
Hence, the minterm $X_1 X_2 X_3$ of $T_2$ is also a minterm of $T_1$. This yields the intermediate result
(25)
Looking at $X_2 X_3$, its minterm $\bar X_1 X_2 X_3$ is disjoint of the noted right hand side of (25). Hence, finally,
$$\varphi = X_1 X_2 \vee X_1 \bar X_2 X_3 \vee \bar X_1 X_2 X_3 \qquad (26)$$
is the desired DDNF.
In examples of a more realistic complexity, the DDNF (12) can be used to find that "part" of a further $T_i$ which is disjoint with the hitherto found intermediate result [5].
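Added example (Python, not the report's own code) implementing both §4.1 and §4.2 on the 2-out-of-3 function: shannon_ddnf applies (22) recursively along $X_1, X_2, \ldots$ and closes a branch as soon as the residual function is constant; abraham_ddnf keeps $T_1$ and, for every further term, uses the expansion described after (26) with the always-1 DDNF (12) to retain only the part disjoint from the terms already kept. Both results are checked to be DDNFs of the same function and evaluated by Theorem 3-1. Names, the dict encoding of terms (1 = normal, 0 = negated literal) and the probabilities are the example's own; the mincut DNF $X_1 X_2 \vee X_1 X_3 \vee X_2 X_3$ is the function whose truth table Tab. 2-1 gives, and components are assumed independent.

```python
from itertools import product


def phi_2oo3(x):
    """2-out-of-3 function of Tab. 2-1: 1 iff at least two inputs are 1."""
    return 1 if sum(x) >= 2 else 0


# A conjunction term is a dict {variable index: 1 for a normal literal, 0 for a negated one}.
def disjoint(t1, t2):
    """Lemma 2-1: some variable occurs normal in one term and negated in the other."""
    return any(t1[i] != t2[i] for i in t1 if i in t2)


def residual_value(phi, n, fixed):
    """phi with the variables in `fixed` set; 0 or 1 if the free variables no longer matter, else None."""
    free = [i for i in range(n) if i not in fixed]
    seen = set()
    for bits in product((0, 1), repeat=len(free)):
        x = [0] * n
        for i, v in fixed.items():
            x[i] = v
        for i, b in zip(free, bits):
            x[i] = b
        seen.add(phi(x))
        if len(seen) == 2:
            return None
    return seen.pop()


def shannon_ddnf(phi, n, fixed=None, i=0):
    """Section 4.1: apply (22) phi = X_i phi(X_i=1) v ~X_i phi(X_i=0) recursively along X_1, X_2, ...;
    a branch closes as soon as the residual function is constant (1 -> emit the term, 0 -> nothing)."""
    fixed = {} if fixed is None else fixed
    c = residual_value(phi, n, fixed)
    if c == 1:
        return [dict(fixed)]
    if c == 0:
        return []
    return (shannon_ddnf(phi, n, {**fixed, i: 1}, i + 1)
            + shannon_ddnf(phi, n, {**fixed, i: 0}, i + 1))


def abraham_ddnf(dnf):
    """Section 4.2: keep T1, then add of each further term only the part disjoint from what is kept.
    Overlap with an earlier term `prev` is removed with the always-1 DDNF (12) over the variables
    y1..yk that prev has and the piece lacks: piece = piece*~y1 v piece*y1*~y2 v ... v piece*y1..yk;
    the last product lies inside prev and is dropped, all others are disjoint from prev and kept."""
    kept = []
    for term in dnf:
        pieces = [dict(term)]
        for prev in kept:
            next_pieces = []
            for piece in pieces:
                if disjoint(piece, prev):
                    next_pieces.append(piece)
                    continue
                extra = [(i, v) for i, v in prev.items() if i not in piece]
                acc = dict(piece)       # if extra is empty the piece lies inside prev and vanishes
                for i, v in extra:
                    next_pieces.append({**acc, i: 1 - v})
                    acc[i] = v
            pieces = next_pieces
        kept.extend(pieces)
    return kept


def term_value(term, x):
    return 1 if all(x[i] == v for i, v in term.items()) else 0


def dnf_value(terms, x):
    return 1 if any(term_value(t, x) for t in terms) else 0


def is_ddnf_of(terms, phi, n):
    """Pairwise disjoint (Lemma 2-1) and equal to phi on all 2^n inputs."""
    pairwise = all(disjoint(terms[a], terms[b])
                   for a in range(len(terms)) for b in range(a + 1, len(terms)))
    same = all(dnf_value(terms, x) == phi(x) for x in product((0, 1), repeat=n))
    return pairwise and same


def ddnf_prob(terms, p):
    """Theorem 3-1 on a DDNF: P{phi=1} = sum over terms of prod p_i (normal) or 1 - p_i (negated)."""
    total = 0.0
    for t in terms:
        r = 1.0
        for i, v in t.items():
            r *= p[i] if v == 1 else 1.0 - p[i]
        total += r
    return total


def show(term):
    return " ".join(("X" if v else "~X") + str(i + 1) for i, v in sorted(term.items()))


DNF_2OO3 = [{0: 1, 1: 1}, {0: 1, 2: 1}, {1: 1, 2: 1}]   # X1X2 v X1X3 v X2X3

if __name__ == "__main__":
    for name, ddnf in (("Shannon", shannon_ddnf(phi_2oo3, 3)), ("Abraham '77", abraham_ddnf(DNF_2OO3))):
        print(name + ":", " v ".join(show(t) for t in ddnf), ddnf_prob(ddnf, (0.1, 0.2, 0.3)))
```

Both procedures return the three terms of (26) (Shannon in the order $X_1 X_2$, $X_1 \bar X_2 X_3$, $\bar X_1 X_2 X_3$), and the sum of their probabilities, 0.098 for p = (0.1, 0.2, 0.3), is the value of the multilinear polynomial of (18).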
5 APPLICATION OF MULTILINEAR BOOLEAN POLYNOMIALS TO FAULT TREE ANALYSIS
We regard the multilinear polynomial of n indicator variables
$$X_S = \varphi_{ML}(\mathbf X) := c_0 + \sum_{i=1}^{m} \Big( c_i \prod_{k=1}^{n_i} X_{j_{i,k}} \Big) \qquad (27)$$
with
as the algebraic description of a fault tree. From (27) we try to determine
1) system reliability viz. system availability,
2) system mean time to failure in case of no repair viz. system MTBF (mean time before failure) in case of repair,
3) MTTR (mean time to repair).
Now, by the well known definition of the mean value (expectation E) of a discrete random variable as the sum of its possible values weighed each by its probability of appearance (occurrence), it is true that, for any Boolean indicator variable X,
$$E(X) = 0 \cdot P\{X = 0\} + 1 \cdot P\{X = 1\} = P\{X = 1\}. \qquad (28)$$
Hence, taking the expected value of (27),
$$P_S := P\{X_S = 1\} = c_0 + \sum_{i=1}^{m} \Big( c_i\, P\Big\{\prod_{k=1}^{n_i} X_{j_{i,k}} = 1\Big\}\Big).\;\text{1)} \qquad (29)$$
Specifically, if all the $X_j$ are stochastically independent (of each other) it is well known that
1) Notice that the event $(\prod_k X_k = 1)$ equals the joint event $\bigcap_k (X_k = 1)$.
$$P\Big\{\bigcap_k (X_k = 1)\Big\} = \prod_k P\{X_k = 1\}. \qquad (30)$$
This changes (29) to
$$P_S = c_0 + \sum_{i=1}^{m} \Big( c_i \prod_{k=1}^{n_i} p'_{j_{i,k}} \Big), \qquad p'_j = \begin{cases} p_j, & \text{if } X'_j = X_j \\ 1 - p_j, & \text{if } X'_j = \bar X_j, \end{cases} \qquad (31)$$
which can mean either system unreliability or, with non time dependent $p_j$, system unavailability. In the former case the well known formula
$$E(L) = \int_0^\infty [1 - F_L(t)]\,dt \qquad (32)$$
for the mean life of a unit under consideration can be used to compute mean system life $E(L_S)$ as
$$E(L_S) = \int_0^\infty [1 - P_S(t)]\,dt. \qquad (33)$$
EXAMPLE: 2-OUT-OF-3 SYSTEM WITH EXPONENTIAL LIFE
By (6) with
$$p_i(t) = F_{L_i}(t) = 1 - \exp(-\lambda_i t) \qquad (34)$$
one gets
$$E(L_S) = \int_0^\infty \big[\exp(-\lambda_1 t)\exp(-\lambda_2 t) + \exp(-\lambda_1 t)\exp(-\lambda_3 t) + \exp(-\lambda_2 t)\exp(-\lambda_3 t) - 2\exp(-\lambda_1 t)\exp(-\lambda_2 t)\exp(-\lambda_3 t)\big]\,dt = \frac{1}{\lambda_1 + \lambda_2} + \frac{1}{\lambda_1 + \lambda_3} + \frac{1}{\lambda_2 + \lambda_3} - \frac{2}{\lambda_1 + \lambda_2 + \lambda_3}, \qquad (35)$$
and for $\lambda_1 = \lambda_2 = \lambda_3 = \lambda$
$$E(L_S) = \frac{3}{2\lambda} - \frac{2}{3\lambda} = \frac{5}{6\lambda},$$
which is smaller than the mean life $1/\lambda$ of a single component (!)
System MTBF and MTTR can be found easily under two conditions:
I) The system (i.e. the fault tree function $\varphi$) is coherent.
(36)
II) All the system components are independently of each other good or bad, i.e. the $X_i$ are stochastically independent.
Otherwise it is, in general, not known how to determine MTBF and/or MTTR. Only in cases where the MARKOV model applies [1], [2 (in German)] is this different.
Let us assume conditions I and II given. Then, as shown e.g. in [3], the mean frequency of system failures viz. restarts is (with $u := p$)
$$\nu_S = \sum_{i=1}^{m} \Big\{ c_i \prod_{k=1}^{n_i} u'_{j_{i,k}} \Big\} \Big\{ \sum_{k=1}^{n_i} \mu'_{j_{i,k}} \Big\}, \qquad (37a)$$
where
$$\mu'_j = \begin{cases} \mu_j, & \text{if } u'_j = u_j \\ -\lambda_j, & \text{if } u'_j = \bar u_j, \end{cases} \qquad (37b)$$
with $\mu_j$ viz. $\lambda_j$ repair rate viz. failure rate of $C_j$:
$$\mu_j := 1/(\mathrm{MTTR})_j, \qquad \lambda_j := 1/(\mathrm{MTBF})_j. \qquad (38)$$
It is worth noting how similar (37a) is to (31)1). On the right hand side of (37a) every term of (31)1) is multiplied by an easy-to-remember sum, and much the same is done on the left hand side, since, with the definition of unavailability
1) with p replaced by u
$$U := \frac{\mathrm{MTTR}}{\mathrm{MTBF} + \mathrm{MTTR}}, \qquad (39)$$
one has
$$\nu := \frac{1}{\mathrm{MTBF} + \mathrm{MTTR}} = U\mu. \qquad (40)$$
Furthermore, it is easily verified that (with A for availability)
$$\nu = (1 - U)\lambda = A\lambda. \qquad (41)$$
Clearly, often $\nu_S$ is not as important or interesting as $\lambda_S$ or its inverse, the $(\mathrm{MTBF})_S$. However (41) shows the easy way to this goal:
$$\mathrm{MTBF} = \frac{1}{\lambda} = \frac{1 - U}{\nu} = \frac{A}{\nu}. \qquad (42)$$
Similarly, if the MTTR is needed,
$$\mathrm{MTTR} = \frac{1}{\mu} = \frac{U}{\nu}. \qquad (43)$$
(The indices are missing because the equations hold for components and systems.)
EXAMPLE: 2-OUT-OF-3 SYSTEM
From (see (18))
(44)
there follows immediately
(45)
(46)
From (46) and (44) for $U_1 = U_2 = U_3 = U$ we get by (42)
$$(\mathrm{MTBF})_S = \frac{1 - 3U^2 + 2U^3}{6U^2(1 - U)\mu}, \qquad (47)$$
and by (43)
$$(\mathrm{MTTR})_S = \frac{3U^2 - 2U^3}{6U^2(1 - U)\mu} = \frac{3 - 2U}{6(1 - U)\mu}. \qquad (48)$$
To show the full power (flexibility) of (37) we redo this example on the basis of (26). From (26), by (31)1)
(49)
Hence, by (37)
(50)
1) with p replaced by U
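Added example (Python, not part of the report) for §5: the DDNF (26) is turned into the multilinear polynomial (27) by replacing each negated literal with $1 - X_j$ as in (14) and adding the terms (Theorem 3-1); $P_S$ follows by (31), the failure frequency $\nu_S$ by (37a) with $\mu'_j = \mu_j$ since only unnegated unavailabilities remain after expansion, and MTBF and MTTR by (42) and (43). The mean life for exponential lives is obtained exactly as in (33)-(35) by substituting $p_i = 1 - q_i$, $q_i = \exp(-\lambda_i t)$, and integrating each product of exponentials to 1/(sum of its rates). Function names and the numbers u = 0.1, μ = 1, λ = 2 are constructed for the example; independent components and a coherent system are assumed.

```python
from itertools import combinations


# Multilinear polynomial (27): {frozenset(variable indices): integer coefficient}.
def expand(normal, negated):
    """prod_{i in normal} X_i * prod_{j in negated} (1 - X_j) as a multilinear polynomial, using (14):
    every subset of the negated variables contributes (-1)^|subset| times the united monomial."""
    negated = sorted(negated)
    poly = {}
    for k in range(len(negated) + 1):
        for sub in combinations(negated, k):
            mono = frozenset(normal) | frozenset(sub)
            poly[mono] = poly.get(mono, 0) + (-1) ** k
    return {m: c for m, c in poly.items() if c != 0}


def ddnf_to_polynomial(ddnf):
    """Theorem 3-1: for disjoint terms OR is +, so the polynomial is the sum of the expanded terms.
    A term is {index: 1 (normal) or 0 (negated)}."""
    poly = {}
    for term in ddnf:
        normal = [i for i, v in term.items() if v]
        negated = [i for i, v in term.items() if not v]
        for mono, c in expand(normal, negated).items():
            poly[mono] = poly.get(mono, 0) + c
    return {m: c for m, c in poly.items() if c != 0}


def top_prob(poly, p):
    """(29)/(31): P_S = c_0 + sum_i c_i prod_k p_k, valid for independent components."""
    total = 0.0
    for mono, c in poly.items():
        r = float(c)
        for i in mono:
            r *= p[i]
        total += r
    return total


def failure_frequency(poly, u, mu):
    """(37a) for a polynomial in unnegated unavailabilities: every product term is multiplied
    by the sum of the repair rates of its components (mu'_j = mu_j because u'_j = u_j here)."""
    total = 0.0
    for mono, c in poly.items():
        r = float(c)
        for i in mono:
            r *= u[i]
        total += r * sum(mu[i] for i in mono)
    return total


def mtbf(poly, u, mu):
    """(42): MTBF_S = A_S / nu_S with availability A_S = 1 - U_S."""
    return (1.0 - top_prob(poly, u)) / failure_frequency(poly, u, mu)


def mttr(poly, u, mu):
    """(43): MTTR_S = U_S / nu_S."""
    return top_prob(poly, u) / failure_frequency(poly, u, mu)


def mean_life_exponential(poly, lam):
    """(33)-(35) for exponential lives p_i(t) = 1 - exp(-lambda_i t): after substituting p_i = 1 - q_i
    every monomial of R_S(t) = 1 - P_S(t) is exp(-(sum of rates) t) and integrates to 1/(sum of rates).
    The constant term must vanish (phi(1) = 1), otherwise the mean life is infinite."""
    q_poly = {}
    for mono, c in poly.items():
        for sub, s in expand([], mono).items():      # prod_{i in mono} (1 - q_i)
            q_poly[sub] = q_poly.get(sub, 0) + c * s
    reliability = {frozenset(): 1}
    for mono, c in q_poly.items():
        reliability[mono] = reliability.get(mono, 0) - c
    total = 0.0
    for mono, c in reliability.items():
        if c == 0:
            continue
        if not mono:
            raise ValueError("R_S(t) does not vanish for t -> infinity; mean life is infinite")
        total += c / sum(lam[i] for i in mono)
    return total


DDNF_2OO3 = [{0: 1, 1: 1}, {0: 1, 1: 0, 2: 1}, {0: 0, 1: 1, 2: 1}]   # (26): X1X2 v X1~X2X3 v ~X1X2X3

if __name__ == "__main__":
    poly = ddnf_to_polynomial(DDNF_2OO3)       # X1X2 + X1X3 + X2X3 - 2 X1X2X3
    u, mu = (0.1, 0.1, 0.1), (1.0, 1.0, 1.0)   # constructed unavailabilities and repair rates
    print(top_prob(poly, u), failure_frequency(poly, u, mu), mtbf(poly, u, mu), mttr(poly, u, mu))
    print(mean_life_exponential(poly, (2.0, 2.0, 2.0)))   # 5/(6 lambda) = 5/12
```

With $u_i = 0.1$ and $\mu_i = 1$ the block reproduces (47) and (48): $U_S = 0.028$, $\nu_S = 6U^2(1-U)\mu = 0.054$, $(\mathrm{MTBF})_S = 18$, $(\mathrm{MTTR})_S = (3 - 0.2)/(6 \cdot 0.9) \approx 0.519$; with $\lambda_i = 2$ the mean life is $5/12 = 5/(6\lambda)$, as in the example following (35).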
REFERENCES (I)
[1] Singh C., Billinton R.: System reliability modelling and evaluation. London: Hutchinson, 1977.
[2] Schneeweiss W.: Zuverlässigkeits-Systemtheorie. Köln: Datakontext-Verlag, 1980.
[3] Schneeweiss W.: Addendum to computing failure frequency, MTBF & MTTR via mixed products of availabilities and unavailabilities. (To appear in Trans. IEEE-Reliability 1984.)
[4] Schneeweiss W.: Disjoint Boolean products via Shannon's expansion. (To appear in Trans. IEEE-Reliability 1985.)
[5] Abraham J.: An improved algorithm for network reliability. Trans. IEEE, vol. R-26 (1979), 58-61.
II) UNCERTAINTY PROPAGATION AND APPROXIMATIONS IN FAULT TREE ANALYSIS
Winfrid G. Schneeweiss
Abstract
It is shown how fault trees can be evaluated quantitatively. This implies a demonstration of how the uncertainties concerning the behaviour of the components of a system influence overall system performance.
After a very short introduction of the concept of a fault tree, two typical algorithms for quantitative fault tree evaluation are presented. Many others had to be discarded either for lack of merits or for lack of space here.
Furthermore, it is discussed how uncertainties in basic data influence final results such as system availability.
Finally, several aspects of approximate analysis are discussed, ranging from the calculation of upper and lower bounds to mere order of magnitude considerations.
Contents
1 Introduction
2 The fault tree concept
3 Fault tree evaluation
4 Sensitivity analysis
5 Statistical analysis
6 Approximations
7 References
1 INTRODUCTION
Fault tree analysis (FTA) is one of the favorite means to determine how uncertainty as to the reliability of components influences the uncertainty of system performance parameters. Fault trees are usually favoured with respect to their dual, the reliability block diagrams, because only with fault trees can good approximate results be gained. (Details follow in the main text.)
Fault trees give only structural information concerning the logical combination of faulty component states to yield faulty states of the system under consideration. Mind that any dependencies of component states, or only stochastic correlations between them, are not modelled by the fault tree. They must be introduced into the analysis at the point where joint probabilities (probabilities concerning several components) are needed. E.g. if $X_1$ and $X_2$ are the Boolean state indicator variables of a component $C_1$ and its back up $C_2$, then, if $C_1$ and $C_2$ are stochastically independent of each other (as typically in case of hot stand-by), the joint probability is
$$P\{X_1 X_2 = 1\} = P\{(X_1 = 1) \cap (X_2 = 1)\} = P\{X_1 = 1\}\,P\{X_2 = 1\}.$$
And in case of cold stand-by, with $X_i = 1$ for the faulty state of $C_i$ and
$$F_{L_i}(t) := P\{L_i \le t\} = P\{X_i(t) = 1\} = u_i(t)$$
the probability distribution function of $C_i$'s life $L_i$, i.e. the unreliability of $C_i$,
$$P\{X_1(t) X_2(t) = 1\} = \int_0^t \frac{d}{dt'} P\{X_1(t') = 1\}\; P\{X_2(t - t') = 1\}\,dt',$$
which is only a reformulation of the well known result
with $*$ as the convolution operator.
2 THE FAULT TREE CONCEPT
A fault tree is a graph of a Boolean (switching) function which describes faults of technical (technological) systems. With the indicator variables1)
$$X_S := \begin{cases} 0, & \text{when system S is "good"} \\ 1, & \text{when system S is "bad"} \end{cases} \qquad (1)$$
and
$$X_i := \begin{cases} 0, & \text{when component } i\ (C_i) \text{ is "good"} \\ 1, & \text{when } C_i \text{ is "bad"} \end{cases} \qquad (2)$$
the general algebraic description of a fault tree for n components is
(3)
Typically, the fault tree of a 2-out-of-3 "safety" system with a voter that may fail too is depicted in Fig. 1. $C_1, C_2, C_3$ are the 3, possibly diverse, measurement channels, and $C_4$ is the majority voter. The symbols of the switching elements are those of an IEC (International Electrotechnical Commission) norm.
Obviously, in general a fault tree is not a tree in the sense of graph theory [1], but it is a directed graph with a root (the top). Notice that this type of digraph has, except for the leaves and the root, usually at least two types of nodes (vertices), namely AND-gates and OR-gates.
1) Often, the event $X_S = 1$ is called the top (event) since, customarily, the root of a fault tree is drawn on top of the tree.
Fig. 1: Fault tree of 2-out-of-3 system with voter (figure not reproduced; labels: $X_S$, logical OR, logical AND, $X_4$ (voter))
In the western literature the AND- viz. OR-gate pictures of a US military standard prevail, see Fig. 2. Notice that the AND-gate bow is of Romanesque style type and the OR-gate's upper bow is of Gothic type!
Fig. 2: Basic gates of US-MIL standard (AND, OR)
In standard safety analyses two habits deserve some criticism:
1) The inputs of gates are not led to the gate input individually but rather "attached" to a common input line, which may lead to severe misunderstandings; see Fig. 3.
Fig. 3: Not recommended drawing of gate inputs
2) Often intermediate events (indicator variables) are named or described in boxes interrupting "signal" lines; see Fig. 4. This could lead to grave misunderstandings in case one would like to indicate pictorially some manipulation of a signal, typically its delay.
Fig. 4: Unapproved boxes in signal lines (figure not reproduced)
My advice is: Comment on signals, leaving the edges of the fault tree undisturbed! If there have to be boxes for text, draw them beside the edges!
An algebraic description of the example fault tree of Fig. 1 is
(4)
where $\wedge \mathrel{\hat=} \mathrm{AND}$, $\vee \mathrel{\hat=} \mathrm{OR}$.
Here we will omit $\wedge$ in the sequel, writing e.g. (4) as
(5)
3 FAULT TREE EVALUATION
The most frequent questions to be answered by a quantitative fault tree analysis are
1) How big is the probability of the faulty state (top event)?
2) When will - in some stochastic sense - the "good" state end; typically how long is the mean time to first failure?
3) How long is the mean time of a good state in case of continual repairs?
4) How long is the mean down time in case of repairs?
Good answers (at least to some of these questions) are given in books like [2], [3], [4 (in German)]. Because of the limitations of time and space, I will concentrate here on question 1, since the analysis concerning uncertainty propagation and approximations is similar in all the above mentioned 4 cases.
Now, concentrating on the probability of $X_S = 1$, how can we calculate
(6)
knowing all the n
(7)
being the unavailabilities (steady state case) viz. the time dependent unreliabilities (narrow sense) of the n components $C_1, \ldots, C_n$?
For practically all of the known methods of fault tree analysis (FTA) first $\varphi(X_1, \ldots, X_n)$ is transformed to a so-called disjunctive normal form (DNF) which has much similarity with a polynomial. More precisely, a DNF is a disjunction, i.e. an expression (function) consisting of ORed terms, with the terms being conjunctions, i.e. ANDed expressions consisting of literals; and literals are normal or negated Boolean indicator variables. E.g. (5) is a DNF.
In FTA often a term of the above type is called a mincut, being an abbreviation for minimal cut set. A mincut can be best understood by looking at the dual of a fault tree, namely the reliability block diagram (RBD). Fig. 5 shows one sample corresponding to Fig. 1. The idea of these diagrams is to show that a system is good so long as one can pass through the RBD (from one end to the other) passing good components only. (Notice that components existing only once can appear several times in a RBD.) Now, a mincut is a minimal set of components whose joint failure means system failure. Hence, to a term $X_i X_j \ldots$ of $\varphi$ there corresponds the set of components $C_i, C_j, \ldots$ which fail jointly whenever $X_i X_j \ldots = 1$.
Fig. 5: Reliability block diagram (RBD) corresponding to the fault tree of Fig. 1
System states where terms of a DNF of $\varphi$ assume the value 1 are compound events $a_i$. For these the Poincaré-Sylvester sum formula of probability calculus1) gives the probability of system failure as
$$P_S = P\Big\{\bigcup_{i=1}^{m} a_i\Big\} = \sum_i P\{a_i\} - \sum_{i<j} P\{a_i \cap a_j\} + \ldots + (-1)^{m-1} P\Big\{\bigcap_{i=1}^{m} a_i\Big\}. \qquad (8)$$
1) Synonymous with the principle of inclusion/exclusion
For the 2-out-of-3 system with an ideal voter ($X_4 = 0$ in (5)) one gets with
and by (8) (for m=3)
$$P_S = P\{X_1 X_2 = 1\} + P\{X_1 X_3 = 1\} + P\{X_2 X_3 = 1\} - 3P\{X_1 X_2 X_3 = 1\} + P\{X_1 X_2 X_3 = 1\}.$$
Finally, since for stochastically independent events $a_i$
(9)
for stochastically independent component states, expressed by $X_i = 0$ viz. $X_i = 1$,
$$P_S = p_1 p_2 + p_1 p_3 + p_2 p_3 - 2 p_1 p_2 p_3. \qquad (10)$$
One of the most recent approaches to FTA is based on a DNF of $\varphi$ whose terms correspond to mutually disjoint random events $a'_i$ such that by (8)
(11)
The basic idea of this approach is unusually simple [5], [6]. The following formula, known as Shannon's decomposition theorem,
$$\varphi(\mathbf X) = X_i\,\varphi(\mathbf X)\big|_{X_i = 1} \vee \bar X_i\,\varphi(\mathbf X)\big|_{X_i = 0} \qquad (12)$$
is easily verified. In this disjunction both terms correspond to disjoint events, since one term contains $X_i$ and the other $\bar X_i$, such that, whenever one of the two terms assumes the value 1, the other will assume the value 0.
If (12) corresponds to the events' equation
the next recursive decomposition step, i.e. the decomposition of $\varphi(X_i = 1)$ viz. $\varphi(X_i = 0)$, corresponds to
with all $a_{ij}$ disjoint of each other.
In the above 2-out-of-3 system example (with ideal voter) one gets from (5) by (12) with i=1
Now, elementary Boolean algebra teaches that, by an absorption rule,
(13)
Further, (12) applied to $X_2 \vee X_3$ yields the decomposition
$$X_2 \vee X_3 = X_2 \vee \bar X_2 X_3. \qquad (14)$$
Hence, finally, (5) (with $X_4 = 0$) is transformed to
(15)
where the events
are pairwise disjoint, such that by (11) system unavailability viz. unreliability is
with
The corresponding MTBF/MTTR analysis is discussed in [7].
4 SENSITIVITY ANALYSIS
For stochastically dependent components a sensitivity analysis is, in general, extremely difficult. However, for independent components it is relatively simple: By the well known rule of total probability
(18)
Hence $p_S$ depends linearly on $p_i$
(19)
and the total differential of $p_S$ is
$$dp_S = \sum_{i=1}^{n} \frac{\partial p_S}{\partial p_i}\,dp_i = \sum_{i=1}^{n} b_i\,dp_i. \qquad (20)$$
This shows very explicitly how changes of the probabilities of the input events of a fault tree influence the probability of the top event.
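Added example (Python, not from the report) for the sensitivity coefficients $b_i$ of (20): since $p_S$ is linear in each $p_i$, $b_i$ is computed here as the difference of the top-event probabilities with $X_i$ forced to 1 and to 0, i.e. the rule of total probability (18) is assumed in the form $p_S = p_i\,P\{\varphi(X_i=1)=1\} + (1 - p_i)\,P\{\varphi(X_i=0)=1\}$. The 2-out-of-3 function (ideal voter) shows the coherent case, and a constructed non-coherent function $\bar X_1 X_2$ shows why in general only the bound (21) holds. Names and the numbers are the example's own; independent components are assumed.

```python
from itertools import product


def phi_2oo3(x):
    """2-out-of-3 fault tree function (ideal voter): top event iff at least two channels are bad."""
    return 1 if sum(x) >= 2 else 0


def top_prob(phi, p):
    """p_S = P{X_S = 1} for independent components, summing over all 2^n component states."""
    total = 0.0
    for x in product((0, 1), repeat=len(p)):
        if phi(x) == 1:
            w = 1.0
            for xi, pi in zip(x, p):
                w *= pi if xi == 1 else 1.0 - pi
            total += w
    return total


def with_fixed(phi, i, v):
    """phi(X_i = v): the function with component i forced bad (v = 1) or good (v = 0)."""
    return lambda x: phi(tuple(v if k == i else xk for k, xk in enumerate(x)))


def sensitivity(phi, p, i):
    """b_i = d p_S / d p_i of (20). With p_S = p_i P{phi(X_i=1)=1} + (1 - p_i) P{phi(X_i=0)=1}
    (the form of (18) assumed here) p_S is linear in p_i, see (19), so b_i is the difference
    of the two conditional top-event probabilities; p_i itself drops out."""
    return top_prob(with_fixed(phi, i, 1), p) - top_prob(with_fixed(phi, i, 0), p)


def sensitivities(phi, p):
    return [sensitivity(phi, p, i) for i in range(len(p))]


def predicted_change(phi, p, dp):
    """(20): dp_S = sum_i b_i dp_i; exact when only one p_i changes, first order otherwise."""
    return sum(b * d for b, d in zip(sensitivities(phi, p), dp))


def phi_noncoherent(x):
    """Constructed non-coherent function ~X1 X2: a repair of C1 makes the top event likelier,
    so b_1 is negative; this is why in general only -1 <= b_i <= 1 (21) can be stated."""
    return 1 if x[0] == 0 and x[1] == 1 else 0


if __name__ == "__main__":
    p = (0.1, 0.2, 0.3)   # constructed component unavailabilities
    print(sensitivities(phi_2oo3, p))              # [0.38, 0.34, 0.26]: all >= 0, coherent system
    print(sensitivities(phi_noncoherent, p[:2]))   # [-0.2, 0.9]
```

For p = (0.1, 0.2, 0.3) the coefficients of the 2-out-of-3 system are 0.38, 0.34 and 0.26, all non-negative; and raising $p_1$ by 0.05 changes $p_S$ by exactly $b_1 \cdot 0.05 = 0.019$, which is the linearity of (19). Even here the $b_i$ are not equal at similar $p_i$, in line with the remark after (23) that they need not be of the same size.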
In general,
$$-1 \le b_i \le 1. \qquad (21)$$
For coherent systems, where $\varphi(\mathbf 0) = 0$, $\varphi(\mathbf 1) = 1$1) and $\varphi(X_i = 1) \ldots$
(22)
Hence, in this case
(23)
1) $\mathbf 0 = (0, \ldots, 0)$, $\mathbf 1 = (1, \ldots, 1)$ n-vectors
Nevertheless, one should not conclude that all the $b_i$ are of approximately the same size; the relative differences may be several orders of magnitude.
To conclude, in general not only all the $b_i$ of (21), but also all the
(24)
must be known to be able to judge the influence of uncertainties of one or several of the $p_i$ on the accuracy of system availability and/or reliability $p_S$.
Much the same is true for other system reliability parameters [7].
5 STATISTICAL ANALYSIS
In [8], and in some of the literature cited there, a true statistical analysis of fault trees is presented. I have conceptual problems with such an approach: Clearly, the inputs $X_i$ to a fault tree are random variables. However, they are binary, such that typical concepts from mathematical statistics don't make much sense. E.g., by its well known definition, the variance of $X_i$ equals
$$\sigma^2_{X_i} := E\big[(X_i - E(X_i))^2\big]. \qquad (25)$$
Now, because of the idempotence rule
$$X_i^2 = X_i, \qquad (26)$$
and because of
(27)
we have
$$\sigma^2_{X_i} \approx p_i \quad \text{for } p_i \ll 1. \qquad (28)$$
Hence, for $p_i \ll 1$, as is usually the case, $\sigma^2_{X_i} \approx E(X_i)$. In the same way one can calculate $\sigma^2_{X_S}$. But what does it mean?
On the other hand, if the uncertainty in $p_S$, due to uncertainties in the $p_i$, is meant, this gives good sense, even though the concept of the uncertainty of a probability needs some explanation. Let $\sigma^2_{\hat p_i}$ be the variance of the statistical experiment yielding $\hat p_i$ and let the estimation of $p_i$ be free of bias, i.e. $E(\hat p_i) = p_i$; then one can calculate the variance of $\hat p_S$ as
(29)
Since $p_S$ is a multilinear polynomial (of the $p_i$), $p_S^2$ contains at most squares of $p_i$'s. Hence, assuming stochastically independent (random variables) $\hat p_i$, on using $\sigma^2_{\hat p_i}$ one can express $\sigma^2_{\hat p_S}$ as a polynomial in $p_i$'s and $\sigma^2_{\hat p_i}$'s.
EXAMPLE: 2-OUT-OF-3 SYSTEM
By (10)
$$p_S^2 = p_1^2 p_2^2 + p_1^2 p_3^2 + p_2^2 p_3^2 + 4 p_1^2 p_2^2 p_3^2 + 2 p_1^2 p_2 p_3 + 2 p_1 p_2^2 p_3 + 2 p_1 p_2 p_3^2 - 4 p_1^2 p_2^2 p_3 - 4 p_1^2 p_2 p_3^2 - 4 p_1 p_2^2 p_3^2 \qquad (30)$$
and
$$E(\hat p_1^2 \hat p_2^2) = (\sigma^2_{\hat p_1} + p_1^2)(\sigma^2_{\hat p_2} + p_2^2). \qquad (31)$$
Finally,
$$\sigma^2_{\hat p_S} = \sigma^2_{\hat p_1}\sigma^2_{\hat p_2} + p_2^2\,\sigma^2_{\hat p_1} + p_1^2\,\sigma^2_{\hat p_2} + \ldots \qquad (32), (33)$$
Unfortunately, in practical situations, especially when relying on data like those of MIL HDBK (U.S. military handbook) 217C, one can be happy if one finds $p_i$ with an accuracy of a factor 2 in both directions.
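Added example (Python, not the report's code) for the variance propagation of this section: $p_S$ is stored as a polynomial in the estimates $\hat p_i$, squared symbolically as in (30), and the expectation is taken term by term with $E(\hat p_i) = p_i$ and $E(\hat p_i^2) = \sigma^2_{\hat p_i} + p_i^2$ for independent unbiased estimates, as in (31); $\sigma^2_{\hat p_S} = E(\hat p_S^2) - p_S^2$ then comes out exactly, without truncating the polynomial. The formula for $p_S$ of the 2-out-of-3 system is (10); the two-component series system, the function names and the standard deviations $\sigma_{\hat p_i} = p_i/2$ are constructed for the example.

```python
# A polynomial in the estimates p^_1 .. p^_n is stored as {exponent tuple: coefficient},
# e.g. {(1, 1, 0): 1} for p^_1 p^_2.
def poly_mul(a, b):
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(x + y for x, y in zip(ea, eb))
            out[e] = out.get(e, 0) + ca * cb
    return {e: c for e, c in out.items() if c != 0}


def expectation(poly, p, var):
    """E of the polynomial for independent, unbiased estimates: E(p^_i) = p_i and, by the definition
    of the variance, E(p^_i^2) = sigma_i^2 + p_i^2. Exponents above 2 never occur in p_S^2 because
    p_S is multilinear, which is the observation the text makes after (29)."""
    moments = [(1.0, p[i], var[i] + p[i] ** 2) for i in range(len(p))]
    total = 0.0
    for exps, c in poly.items():
        r = float(c)
        for i, e in enumerate(exps):
            r *= moments[i][e]
        total += r
    return total


def variance_of_top_estimate(p_s_poly, p, var):
    """(29) in the form sigma^2(p^_S) = E(p^_S^2) - (E p^_S)^2, with p^_S^2 expanded symbolically (30)."""
    mean = expectation(p_s_poly, p, var)
    return expectation(poly_mul(p_s_poly, p_s_poly), p, var) - mean ** 2


# p_S of the 2-out-of-3 system, eq. (10): p1 p2 + p1 p3 + p2 p3 - 2 p1 p2 p3
P_S_2OO3 = {(1, 1, 0): 1, (1, 0, 1): 1, (0, 1, 1): 1, (1, 1, 1): -2}
# p_S of a constructed two-component series system, X_S = X1 v X2: p1 + p2 - p1 p2
P_S_SERIES = {(1, 0): 1, (0, 1): 1, (1, 1): -1}

if __name__ == "__main__":
    p = (0.1, 0.2, 0.3)                          # constructed point estimates
    var = tuple((x / 2) ** 2 for x in p)         # constructed: relative standard deviation 50 %
    print(expectation(P_S_2OO3, p, var))         # 0.098, the unbiased estimate is p_S itself
    print(variance_of_top_estimate(P_S_2OO3, p, var))
```

Because $p_S$ is multilinear and the $\hat p_i$ are independent, $E(\hat p_S) = p_S$ holds exactly; only the variance needs the second moments. For the series system with $p = (0.1, 0.2)$ and $\sigma^2 = (0.01, 0.04)$ the block gives $\sigma^2_{\hat p_S} = 0.0392$, which can be checked by hand from $\mathrm{Var}(\hat p_1 + \hat p_2 - \hat p_1 \hat p_2)$.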
6 APPROXIMATIONS
As in all fields of engineering (or, rather, applied mathematics) also in FTA there are numerous approximations possible. To ease analysis, they should be made as soon as possible; preferably when "constructing" the fault tree.
The mathematically best type of approximation is the one via (close) upper and lower bounds. This is possible by the Bonferroni inequalities, trivially derivable from the Poincaré/Sylvester formula (8). Specifically (proof in […])
(34)
(35)
$$P\Big\{\bigcup_i a_i\Big\} \le \sum_i P\{a_i\} - \sum_{i<j} P\{a_i \cap a_j\} + \sum_{i<j<k} P\{a_i \cap a_j \cap a_k\}. \qquad (36)$$
Other approximations are possible on the basis of the fact that, usually, not only all $p_i \ll 1$, but that they differ by at most one or two orders of magnitude, so that one can safely disregard terms of a DNF with more than 3 or 4 normal variables $X_i$. Mind that negated variables, appearing e.g. in the Shannon decomposition procedure, must not be counted. E.g., starting with (15), the second and the third term should also be evaluated since their corresponding probabilities can even be bigger than that of the first term; see (17).
Generally, it is advisable to delete only terms whose probability is only a small fraction of that of a non-deleted term. E.g. in (10) $2p_1p_2p_3$ can be deleted since, usually, $2p_1p_2p_3 \ll p_1p_2$, i.e. $2p_3 \ll 1$. Above all, however, one should never forget that this type of approximation does not answer the important question of whether this approximation is optimistic or pessimistic. And a variation of the maximum order of the terms taken into account does not solve this problem, even though it can give helpful hints.
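Added example (Python, not from the report) for the two approximation families of this section: bonferroni computes the alternating partial sums of the Poincaré/Sylvester formula (8), of which the odd ones are the upper bounds (34) and (36), the even ones the lower bound (35), and the complete sum is the exact value; drop_small_terms applies the term-deletion rule of the last paragraph with a relative threshold and reports whether the result is optimistic or pessimistic, which is the question the text says the approximation itself cannot answer. The mincut terms of the 2-out-of-3 system, the polynomial (10) and the DDNF (26) of part I are used; the threshold values and p = (0.1, 0.2, 0.3) are constructed, and independent components are assumed.

```python
from itertools import combinations


# An event a_i = (T_i = 1) is given by its term {variable index: 1 for a normal, 0 for a negated literal}.
def joint_prob(terms, p):
    """P{a_i n a_j n ...} for independent components: the conjunction of the terms; a variable
    demanded both normal and negated makes the intersection empty (probability 0)."""
    merged = {}
    for t in terms:
        for i, v in t.items():
            if merged.setdefault(i, v) != v:
                return 0.0
    r = 1.0
    for i, v in merged.items():
        r *= p[i] if v == 1 else 1.0 - p[i]
    return r


def partial_sums(terms, p):
    """S_k = sum over all k-subsets of P{a_i1 n ... n a_ik}, k = 1..m: the building blocks of (8)."""
    return [sum(joint_prob(sub, p) for sub in combinations(terms, k))
            for k in range(1, len(terms) + 1)]


def bonferroni(terms, p):
    """Alternating partial sums S1, S1 - S2, S1 - S2 + S3, ...: the odd ones bound P{U a_i} from
    above ((34), (36)), the even ones from below ((35)); the last one is the exact value (8)."""
    bounds, acc = [], 0.0
    for k, sk in enumerate(partial_sums(terms, p), start=1):
        acc += sk if k % 2 == 1 else -sk
        bounds.append(acc)
    return bounds


def exact_prob(terms, p):
    return bonferroni(terms, p)[-1]


def drop_small_terms(weighted_terms, p, ratio):
    """Term deletion of the last paragraph: from a polynomial given as (coefficient, term) pairs keep
    only the terms whose probability is at least `ratio` times the largest one. Returns the
    approximate P_S and whether it is optimistic (too small) or pessimistic (too large)."""
    values = [c * joint_prob([t], p) for c, t in weighted_terms]
    largest = max(abs(v) for v in values)
    kept = sum(v for v in values if abs(v) >= ratio * largest)
    exact = sum(values)
    verdict = "optimistic" if kept < exact else "pessimistic" if kept > exact else "exact"
    return kept, verdict


# Mincut terms of the 2-out-of-3 system (ideal voter): X1X2, X1X3, X2X3
MINCUTS_2OO3 = [{0: 1, 1: 1}, {0: 1, 2: 1}, {1: 1, 2: 1}]
# (10) as weighted terms: p1p2 + p1p3 + p2p3 - 2 p1p2p3
POLY_10 = [(1, {0: 1, 1: 1}), (1, {0: 1, 2: 1}), (1, {1: 1, 2: 1}), (-2, {0: 1, 1: 1, 2: 1})]
# The DDNF (26) of part I: X1X2 v X1~X2X3 v ~X1X2X3, all coefficients +1
DDNF_26 = [(1, {0: 1, 1: 1}), (1, {0: 1, 1: 0, 2: 1}), (1, {0: 0, 1: 1, 2: 1})]

if __name__ == "__main__":
    p = (0.1, 0.2, 0.3)   # constructed component unavailabilities
    print(bonferroni(MINCUTS_2OO3, p))           # [0.11, 0.092, 0.098]
    print(drop_small_terms(POLY_10, p, 0.25))    # (0.11, 'pessimistic')
    print(drop_small_terms(DDNF_26, p, 0.5))     # (0.054, 'optimistic')
```

For these probabilities the bounds are 0.11 from above, 0.092 from below and 0.098 exact. Deleting the negative term $-2p_1p_2p_3$ from (10) (threshold 0.25) gives 0.11, a pessimistic value; deleting the two smaller terms of the DDNF (threshold 0.5) gives 0.054, an optimistic one, as part I §4 states for DDNF's. The sign of the error depends on the form the polynomial was written in, not on the size of the deleted terms, which is the point of the last paragraph.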
REFERENCES (II)
[1] Harary F.: Graph theory. Menlo Park, Cal.: Addison-Wesley, 1969.
[2] Barlow R., Proschan F.: Statistical theory of reliability and life testing. New York: Holt, Rinehart & Winston, 1975.
[3] Singh C., Billinton R.: System reliability modelling and evaluation. London: Hutchinson, 1977.
[4] Schneeweiss W.: Zuverlässigkeits-Systemtheorie. Köln: Datakontext-Verlag, 1980.
[5] Corynen G.: A fast procedure for the exact computation of the performance of complex probabilistic systems. Proc. Intern. ANS/ENS Topical Meeting on "Probab. Risk Assessment", Port Chester, N.Y., 1981.
[6] Schneeweiss W.: Disjoint Boolean products via Shannon's expansion. Trans. IEEE-Reliability (to appear 1985).
[7] Schneeweiss W.: Computing failure frequency, MTBF & MTTR via mixed products of availabilities and unavailabilities. Trans. IEEE, vol. R-30 (1981), 362-363.
[8] Colombo A.: Uncertainty propagation in fault tree analysis. From: Synthesis & analysis methods for reliability studies. (Ed. Apostolakis), New York: Plenum Press 1980, 95-103.