SYREPA '87: A package of programs for systems reliability evaluations

deposit_hagen

Publikationsserver der Universitätsbibliothek

Mathematik und

Informatik

Informatik-Berichte 76 – 01/1988

SYREPA '87

A package of programs for systems reliability

evaluations

SYSTEMS RELIABILITY EVALUATIONS

h .

* w.

Sc neeweiss M. schulte

*

There exist world-wide a variety of cornputer-aided rnethods for reliability analyses. Here is another one. It is the outgrowth of the senior author'swork in this field,which occupied hirn part-tirne during the last 16 years,together with refincj PASCAL implernentations of several algorithrns by the junior author.

*

Chair of Computer Eng., Dept. of Math. & Comp. Sc.

Fernuniversität, Postfach 940, D-5800 Hagen

CONTENTS page 1 Introduction (with notation) . • • . . . 2 2 Using SyRePa '87 . . . 6 3 Calculating a short disjunctive normal form of a Boolean

function . . . . 9 4 Transforming a disjunctive normal form to one with pairwise

disjoint terms . . . 13 5 Performing an approximate fault tree evaluation • • . . . • . 17 6 Calculating system unavailability/unrealibility • . . . • . . . • 20 7 Calculating mean times of binary system states •.•.•....•.••. 21 8 Fault tree of a flow network . . . • . . . • . . . • . . . 23 9 Mean time to first failure of a non-reparable systern with

exponentially distributed cornponent lives . . . 26 10 References . . . ~ . . . . 31

1 INTRODUCTION (WITH NOTATION)

SyRePa is planned to become a long-term investigation,with the last two decimals of the year of release added for better identification.

The first release was SyRePa'86 published 1987 [O].

SyRePa'86 consisted of programs (including subroutines) for the - transformation of a Boolean function Cf to a disjunctive normal

form (DNF), unless the original

<f

is a DNF, (and production of an integer file for further processinq)

- calculation of an upper bound for the probability of p(~) being 1 by replacing in a DNF

I X.

l by p.=Pr{X.=1},

l l any disjunction

(OR) by addition, and any conjunction (AND) by multiplication; also:

calculation of corresponding values of system MTTF and system MTTR.

If the approximations are not good enough:

- transformation of a DNF (of

f)

to a short surn-of-products form by the Shannon decomposition algorithrn [ 1]

- calculation of exact numerical values of reliability parameters.

SyRePa'87 consists of

- SyRePa'86, i.e. programs for the

exact determination of unavailability, MTTF, and MTTR and of additional programs for the

calculations of MTTFF (mean time to first failure) assurning non- reparability and exponentially distributed component lives

- production of a new Boolean function

Cf

N based on the assumption that the above

Cf

describes failures of a point-to-point connection in a flow network. The new Boolean function is 1 iff the maximum possible flow rate between the two given points is below a given

value. The new

o/N

can be processed as

Cf

was, using the same reliability data and additional data for the maximum possible flow rates of the (possibly failing) links.

The user of SyRePa' 87 is assumed to be aquainted wi th [ 1 ] . A fairly good knowledge of PASCAL is also assumed.

No help is, as yet, given for the construction of the fault tree or a corresponding reliability block diagram, the output of which is

r-

Of course,

p

can also be the function of any other event tree. Hence, we keep notation in the general framework of probabilistic Boolean

analysis.

As is discussed in detail in [ 2], any polynomial form of p

1 ^{(as a} function of for any n component system) can be used to find the mean system failure frequency and, hence, mean time to

failure ahd mean time to repair for systems with stochastically independent x

1, ... ,xn, where for all i

(f

= Xi

'f i.

⁺

<f i. , ff i. :

^Boolean.

As concerns computer-aided analysis of Markov models the reader is ad- vised to look for first help in the IEEE Transactions on Reliability.

The numerical evaluation of Riemann integrals, including convolution integrals (for cases of cold stand-by etc.) should be done by proper numeric subroutines.

Problems in the field of applied renewal theory are also not covered by SyRePa '87.

Note that this is a scientific report. It contains enough information for a private implementation of the algorithms discussed. For several reasons the computer code of our PASCAL implementation is not given here. If you wish to obtain i t for your practical work, please con-

tact the authors.

NOTATION a. ,a.

l. l.

e. l.

A. l.

C. l.

DDNF DNF

E (R) FL (t)

(MC)k Pr{e.}

l.

p. l.

T. l.

X

"

V

coefficients random event i availability of Ci cornponent i (of S)

DNF with pairwise disjoint terms disjunctive normal form

expected value of random variable R

= Pr{L ~ t} probability distribution function of L life, i.e. duration of life, of Ci and S respectively mincut k

probability of e.

l.

Pr{Xi=1}

Pr{Cf =1}

system term i

unavailability of Ci

unreliability of C. at timet

l.

=

1 , if C. is

l.

O, if Ci is

bad (defective)}

good ( intact) (X 1 , ... ,Xn) system state vector AND operator

OR operator

indicator variable for state of C.

;X.

^:=1-X.

l. l. l.

f

(Y 1 , ... ,Yn) Boolean function (of Boolean variables Y1 , ... ,Yn) MTTR

M.TTF

*

MTTFF

*

rnean time to repair (mean down-time) mean time to failure (mean up-time)

rnean time to first failure (in case of no repair)

In much of the literature this is replaced by MTBF.

µ == 1/MTTR repair rate

/1. == 1/MTTF failure rate R. - ^{µ. [} 1 /h]

J. J.

F. - "A . [ 1 /h

J

J. l

2 USING SYREPA '87

Obviously, not in all conceivable applications of SyRePa'87 will all of its parts be needed.Details for selecting proper parts are given by the flowchart of fig. 1.

Program PRO_DNF produces a disjunctive normal form (DNF) for a given Boolean function

f.

Program SHANEX transforms a given DNF to one with mutually disjoint terms. Program SYSPAR calculates numerical values of

the more important reliability parameters, viz. unavailability, MTTF, and MTTR.

Note that the program PRO_DNF needs an algebraic description of the fault tree, and that program SYSPAR needs the failure rates A. and

i

the repair rates µ. of all system components C ..

i i

Program FLOWNET produces a DNF of a new fault tree, where system fai- lure does not only occur in case there is no path from a given input node to a given output node of a flow network, but where a minimum flow between these two nodes is prescribed, which leads the way to a new fault tree. (The connectedness of the above two nodes is modeled by a reliability block diagram and its corresponding fault tree.) Program FIRSTFAIL determines the MTTFF in the case of exponentially distributed component lives.

SyRePa'87 is as yet not an overly comfortable program; yet the neces- sary comfort corresponding to those parts of fig. 1, which are not in boxes with the above program names, is easily added. As a much more important addendum the user is informed by SyRePa'87 of syntactic errors in his input files.

START

Input fault tree function

ff

(properly coded) &

component failure rates & repair rates

function. txt prob• dat

1" - - - :7 PRO DNF 1 Produce a short, ordered DNF of rp ~ -

L_ - ~ _.__ - - - - - - .J

- into.dat

yes

Is the DNF of 'f tobe interpreted as an equivalent of the mincuts of a point-to-point connection with minimum flow demand?

FLOWNET

'

into.dat

-...

into.dat

.,,,.

r--- -- - -

^-,

Input max.flow rates of links &

1 min.point-to-

J point flow rate demand.

J

l Produce a 1 DNF of the

new fault tree.

L - - - ^_J

no

Is system MTTFF needed?

no

/ SHANEX

,- ^- - - - - - -- ^{- -} -,

1 Produce a short polynomial 1 _{form of} <f, where almost

J single variables are negated.

I

u ___________ ^J

-pi.:ob.fkt

,- ^{- -}

^{- - -} 1...-SYSPAR 1 Determine system

.I -

unavailabili ty 1 - MTTF (MTBF) f - MTTR

Print system - unavailability - MTTF

1 - MTTR

i_ - - - - - -'

Stop

into.dat

Are all component .lives exponentially

distributed?

_ _ _ _ye.2_ /FIRST

- - - FAIL Produce a multi-

linear polynomial form of

'f -

^{C~) ,}

where only

X.

's

l.

show up, and de- 1 termine system

r _MTTFF.

t

J~--.--t..--

yes

P;z;int the MTTFF value found.

Are system - unavailability - MTTF

- MTTR needed?

no

Fig. 1 Flowchart for using parts or all of SyRePa'87.

The linking of the different programs of SyRePa'87 to forma single

"super" program,as indicated in fig. 1,is left to the user.

The extraction of

<p

from a graphically given fault tree should also be a fairly simple task. After defining suitable auxiliary indicator variables, i t will be easy to find

<p

in a bottom-up fashion as shown in the following example.

EXAMPLE 2-1 : SIMPLE FAULT TREE

Here,from fig. 2 (in PASCAL notation and in the correct order) X7 := X1 AND X2 ;

X9 :=

xs

OR X6 ;

X8 := X4 AND X9 ; PHI ^:= X7 OR X3 OR X8

Fig. 2 Example fault tree.

x

₇^,

x

₈^,

x

₉ are auxiliary variables.

3 CALCULATING A SHORT DISJUNCTIVE NORMAL FORM OF A BOOLEAN FUNCTION In case the mincuts (minimal sets of components, whose combined

failure means system failure) are known, the production of a disjunc- tive normal form (DNF) of the given system's redundancy structure function x_{8 =} f(~) is trivial: Each mincut (MC)k={Ci,cj, ... } corres- ponds to a DNF term Tk=X.X ..•. , for if c. ,c., ... are down (faulty),

1. J 1. J

by definition of the components' indicator variables, X.=1, X.=1, ...

1. J

and hence Tk=1, so that x

8=1, meaning system failure.

However, on many occasions fault trees, i.e. functions (f(~),.are far from being DNFs, and since several modern algorithms for reliability evaluation start with a DNF and the Bonferroni inequalities also need them, there are enough good reasons to first transform any given

Boolean function ~ of n variables x₁, ... ,Xn to a DNF. Needless to say, a short one (with few short terms) is most desirable. In SyRePa'86 all this is done by the program 'PRO DNF' (short for PRO- DUCTION OF A SHORT DNF).

EXAMPLE 3-1 (EX. 2-1 CONTD.) Let, originally,

The proper output of 'PRO DNF' is + 3

+ 1 + 2 + 4 + 5 + 4 + 6

where the k-th line corresponds to the k-th term of the DNF.

EXTENDED COMMENTS ON THE PASCAL PROGRAM 'PRO_DNF'

*************************************************

THE PROGRAM 'PRO_DNF' CAN BE SEPERATED IN FIVE PARTS:

1) LEXICAL ANALYSIS OF THE GIVEN BOOLEAN FUNCTION 2) SYNTAX ANALYSIS.

3) EXECUTION OF ALL NEGATIONS\> EXCEPT WITH SINGLE VARIABLES, 4) COMPUTING ALL BRACKET-LEVELS,

5) BUILDING THE INTEGER-FILE,

WHICH CAN BE USED BY THE RELIABILITY PROGRAMS,

TO 1)f

LEXICAL ANALYSIS RESIDES IN THE PROCEDURE 'INREAD', THE PROCEDURE RECOGNIZES THE ALLOWED SYMBOLS

AND FORMS A SPECIAL INTEGER-CODE!

-1 FOR NEGATION -2 FOR OPEN BRACKET -3 FOR CLOSED BRACKET -4 FOR BOOLEAN 'AND' -5 FOR BOOLEAN 'OR'

i FORA NUMBER i

>

0

BECAUSE THE INPUT FILE ISA TEXT-FILE AND THE INTERNAL REPRESENTAT!ON ISA LIST OF INTEGERS, THE PROCEDURE 'INREAD' HAS TO TRANSLATE

A SEQUENCE OF CHARACTERS

o ••

9 INTO AN INTEGER-VALUE, BESIDE THIS, SOME ERRORS ARE RECOGNIZED,

NOTATION ON THE FILE IS:

n FOR Xn; - FOR BOOLEAN NEGATION; A FOR AND; 0 FOR DR FOR EXAMPLE THE TEXTFILE: ² >

-(3011A(1204)) BECOMES:

-1 -2 3 -5 11 -4 -2 12 -5 4 -3 -3

THE USE OF A DOUBLE LINKED LIST AND NOT AN ARRAY OF INTEGER HAS EFFICIENCY REASONS, CHANGING PARTS OF THE BOOLEAN FUNCTION

AS IN 'EXECUTE_NEGATIONS' COSTS A LONG SHIFTING FOR AN ARRAY, BUT ONLY THE CHANGE OF SOME POINTERS FOR THE LIST,

TO 2)!

THE SYNTAX-ANALYSIS RESIDES IN PROCEDURE 'SYNTAX_CHECK',

THIS PROCEDURE IS BASED ON THE SYNTAX OF NORMAL BOOLEAN ALGEBRA,

1) Using Shannon's inversion rule

2) The following text file corresponds to

(x

3 V

x

11)

(x

12 V

x

4).

TO 3)!

TO EXECUTE ALL NEGATIONS, THE PROCEDURE 'EXECUTE_NEGAT!ONS' IS USED, THE MAIN PROBLEM IS, THAT MOST EXPRESSIONS HAVE IMPLIEDr

BUT NOT EXPLICIT SPECIFIED BRACKETS,

BECAUSE 'AND' HAS HIGHER PRIORITY THAN 'OR',

SO, BEFORE USING THE SHANNON-RULE TO NEGATE AN EXPRESSION, ONE HAB TO INSERT SOME NEW BRACKETS! (EXCEPT THE OUTERMOST BRACKETS)

-BEHIND EVERY OPEN BRACKET A NEW OPEN BRACKET, -BEFORE EVERY CLOSED BRACKET A NEW CLOSED BRACKET.

-BEFORE EVERY 'OR' A CLOSED BRACKET AND BEHIND EVERY 'DR' AN OPEN BRACKET,

AFTER THIS, THE SHANNON-RULE CAN BE EMPLOYED, AT LAST ALL USELESS BRACKETS CAN BE DELETED,

IN THE PROCEDURE THE FIRST TWO JOBS, INSERTING BRACKETS AND EMPLOYING SHANNON-RULE, ARE DONE PARALELL WHILE WORKING ON THE EXPRESSION

TO NEGATE FROM LEFT TO RIGHT,

IF A NEW NEGATION APPEARS IN THE EXPRESSION, THE PROCEDURE CALLS ITSELF RECURSIVELY,

SO, THE EXAMPLE OF 1, WOULD YIELD LIKE AFTER APPLYING THE SHANNON-RULE: {N=127; NOT(Xi)t=N+i>

(130) A (138 0 ((139) A (131)))

**

AND AFTER DELETING USELESS BRACKETSt 130 A (138 0 (139 A 131))

**

<**

NOTICE: THESE REPRESENTATIONS ARE ONLY FOR GREATER CLEARNESS, INTERN THIS EXPRESSION ISA DOUBLE LINKED LIST

AS EXPLAINED IN 1,}

TO 4):

AFTER THE EXECUTION OF ALL NEGATIONS THE PROGRAM HAB TO COMPUTE ALL BRACKETS, TO GET A DNF,

FOR THAT, THE PROCEDURE 'RECURSIVE' EXAMINES THE BDOLEAN FUNCTION FROM LEFT TO RIGHT,

THE RESULT OF PROCEDURE 'RECURSIVE' !SA LINEAR LIST OF TERMS (TYPE SETLIST)

BEFORE RETURNING TO THE CALLER,'RECURSIVE' DELETES ALL

USELESS TERMS THROUGH PROCEDURE ABSORB, IN ORDER TO MAKE THE RESULT-LIST AS SHORT AS POSSIBLE,

IN DETAIL 'RECURSIVE' WORKS AS FOLLOWS:

- IF AN OPEN BRACKET APPEARS, THE PROCEDURE CALLS ITSELF RECURSIVELY, - IF THE NEXT CHARACTER ISA CLOSED BRACKET,'RECURSIVE' RETURNS

TO THE CALLING PROCEDURE WITH THE LIST OF TERMS,

- IF AN 'OR' APPEARS, THE ¹0LD¹ TERMS, WHICH START WITH 'LEFT' AND ARE THE RESULT OF EARLIER, NOT FINISHED OPERATIONS, CAN BE FINISHED, THE NEXT Xi IS PART OF A NEW TERM,

- !FAN 'AND' APPEARS, THE 'OLD' TERMS MUST BE 'MULTIPLIED' WITH THE NEXT Xi OR WITH THE RESULT OF A DEEPER CALL TO 'RECURSIVE'~

IF THE NEXT CHARACTER IS AN OPEN BRACKET,

THE OPERATION IS NOT FINISHED BECAUSE THE NEXT OPER~TOP CAN ALSO BE AN 'AND',

"MULTIPLICATION' OF TWO LISTS OF TERMS, WHICH MEANS COMPUTING THE EXPRESSION: (TERMv,,.,,vTERM) AND (TERMv,,,,,vTERM> IS DONE

IN PROCEDURE 'MULT',

THE EXAMPLE OF 3): 130 A (138 0 (139 A 131))

IS

COMPUTED

AS

FOLLOWS:

-FIRST Xi IS 130 --> FIRST TERM= C130J

-NEXT COMES

'A'

--> THE RESULT OF THE FOLLOWING MUST BE MULTIPLIED WITH [130]

-NEXT COMES AN OPEN BRACKET--> CALL 'RECURSIVE' -FIRST TERM= C138J

-NEXT COMES O --> FIRST TERM IS FINISHED, NO

¹

MULTIPLICATION

¹

WITH FOLLOWING RESULTS IS NECESSARY,

-NEXT COMES AN OPEN BRACKET--> CALL 'RECURSIVE' -FIRST TERM =C139J

-NEXT COMES 'A' --> RESULT OF THE FOLLOWING MUST BE

1

MULTIPLIED

¹

WITH C139J, -NEXT COMES 131 --> MULT (139,131>-->

RESULT IS THE TERM [131,139]

-NEXT COMES CLOSED BRACKET--> RETURN -RESULT ARE THE TWO TERMS C138J ,C131,139J -NEXT COMES CLDSED BRACKET -->RETURN

-MULTIPLIE C130J WITH THE TWO TERMS C138J,C131,139J -RESULT ARE THE TERMS t130,138J,t130,131,139J

-NEXT COMES CLOSED BRACKET -->RETURN= END OF BOOLEAN FUNCTION, -RESULT OF THE GIVEN FUNCTION IS:

-3 -11 -3 -4 -12

TO 5):

BUILDING THE RESULT-FILES IS DONE IN PROCEDURE 'PRINT'

4 TRANSFORMING A DISJUNCTIVE NORMAL FORM TO ONE WITH PAIRWISE DISJOINT TERMS

A Boolean function f(X

1, •.. ,Xn),given as a disjunctive normal form ( DNF) , i . e. as

r=

_i=1 ^m

^V

^{Ti '}

^x.

^~ J X.E{X.,X.},

J J J (4-1)

where

r

₁ is an index s e t : Ii c {1, ... ,n}, is usually transformed

before its probability pf of being 1 is calculated. If this is not done,

Pr

can only be found by the Poincaree-Sylvester method of in- clusion-exclusion

[3],

i.e. by calculating p~ as the lengthy sum

m m m-1 m

Pr{

U

ei} =

l

^{Pr{ei} -}

l

i=1 i=1 i=1

~ Pr{e 1 n eJ·}-+ ...

J==i+1

for random events ei ^:= (T. = 1 ) l. such that

m m

u

^{e. = (}

V

^T.

⁼

^{1 ) , e. n} e. = (T.T.=1), ...

i=1 l.

i=1 l. l. J l. J

However, if all the ei are pairwise disjoint with e. n e. = ~ ~ (T. T. =f 1) <=> (T. T.

=

0) ,

l. J l.J l.J

then (4-2) becomes simply m

=

l

^Pr{e₁^},

i=1 which corresponds to

(4-2)

(4-3)

(4-4)

(4-5)

m

p9' = I

i=1

Pr{T.=1}

l.

m

= I

i=1

E (T.) •

l.

Hence, changing (4-1) to

p ^{= V}

m' i=1

T.' l. U T . ' T . ' =O , ( rn ' ;;; m) V l. J

( 4-6)

(4-7)

is highly desirable unless the trouble to get (4-7) from (4-1) is greater than that of applying (4-2). Of the numerous methods for finding the Ti' the Shannon decornposition method described in detail in [1] is used here.

EXAMPLE 4-1 : (EX. 3-1 CONTD.) For

the Shannon decomposition yields

EXTENDED COMMENTS ON THE PASCAL PROGRAM 'SHANEX'

************************************************

THE PROGRAM IS BASED ON THE 'SHANNON EXPANSION ALGORITHM',

SOME FAMILIARITY WITH THIS ALGORITHM IS PRESUMED IN THE FOLLOWING, THERE ARE THREE MAIN SECTIONS IN THE PROGRAM!

1) READING AN EXTERNAL INPUT-FILE WITH A DNF ON IT, 2) EXECUTING THE ABOVE ALGORITHM.

3) PRINTING OF THE RESULT, A DNF OF DISJOINT TERMS CDDNF), Details :

{THE FIRST AND LAST SECTIONS ARE CONCEPTUALLY VERY SIMPLE)

1) THE PROCEDURE 'INREAD' READS THE EXTERNAL FILE AND PRODUCES A SIMPLE CONCATENATED LIST OF INDEX-SETS, WHICH CORRESPOND TO THE TERMS OF THE DNF GIVEN,

THE INDEX SETS IN THE LIST ARE ORDERED BY RISING LENGTH~ HENCE, THE SHORTEST TERM ⁽⁼ SHORTEST INDEX-SET) rs INSERTED AT THE START OF THE LIST, THE LONGEST TERM AT THE END,

THIS SORTING IS NECESSARY TO LIMIT THE GROWTH OF THE DDNF IN THE ALGORITHM OF SECTION 2,

2) THE IMPLEMENTATION OF THE ABOVE ALGORITHM IS MORE INVOLVED, IT IS BASED ON THE RECURSIVE PROCEDURE 'DISJOINT',

WHICH SPLITS AN EXPRESSION INTO TWO DISJOINT PARTS, HEADED BY Xi AND NOT(Xi) RESPECTIVELY,

THE PROPER Xi IS SELECTED FROM THE FIRST, I,E, THE SHORTEST TERM PRODUCED BY INREAD',

IF NECESSARY 'DISJOINT' CALLS ITSELF RECURSIVELY FOR BOTH PARTS, IN DETAIL, THE PROCEDURE 'DISJOINT' HAS SEVEN SUB-PROCEDURES, WHICH DO THE FOLLOWING WORK!

(1) PROCEDURE 'COPY' DUPLICATES THE EXPRESSION FOR THE DNF, WHICH ISA LIST OF INDEX-SETS, AND STORES IT BEHIND THE ORIGINAL ONE,

(2) AFTER THIS, IN PROCEDURE 'SEPARATE', THE PROPER Xi IS SELECTED AND BOTH PARTS ARE PROCESSED WITH:

Xi=TRUE FOR THE ORIGINAL DNF

NOT(Xi)=TRUE FOR THE DUPLICATED DNF

FOR THAT, THE PROCEDURE 'DELETE' IS NECESSARY TO DELETE INDEX-SETS (=TERMS) OUT OF THE LIST+ FOR EXAMPLE IF ONE OF THE TERMS BECOMES ALWAYS FALBE WITH NOT(Xi)=TRUE,

NOW, THERE ARE TWO DIFFERENT EXPRESSIONS, AND THE FOLLOWING PROCEDURES MUST BE USED ON BOTH+

(3) THE PROCEDURE 'INTERSECTION' COMPUTES THE INTERSECTION OF ALL TERMS IN THE EXPRESSION, AND ADDS THE RESULT AS A FnCTOR TO Xi DR NOT(Xi),

(4) TO REDUCE THE EXPRESSION MORE, THE PROCEDURE 'ABSORB' DELETES ALL TERMS, WHICH ARE USELESS BECAUSE OF THE RULE!

IF Ti<=TJ THEN DELETE TJ (Ti=TERM NUMBER i)

(5) NOW, IN ORDER TO PRESERVE THE ORDER BY RISING LENGTH OF THE TERMS IN THE LIST, THE EXPRESSION IS SORTED BY A SIMPLE EXCHANGE-SORT IN THE PROCEDURE 'SORT',

IF THE REMAINING EXPRESSION CONSISTS OF MORE THAN ONE TERM, 'DISJOINT' CALLS ITSELF RECURSIVELY,

(6) AFTER RETURNING FROH A POSSIBLE RECURSIVE CALL, THE FACTOR MUST BE ADDED TO ALL TERMS IN THE EXPRESSION WITH THE

PROCEDURE 'ADD_FACTOR',

(7) AT LAST, BEFORE RETURNING TO THE CALLER, BDTH PARTS MUST BE JOINED TOGETHER, AND THIS WHOLE EXPRESSION CONSISTS OF ONLY DISJOINT TERMS,

3) IN THE PROCEDURE 'PRINT', THE RESULT OF THE ALGORITHM, A DDNF IS PRINTED ON A COMPUTER-TERMINAL, AND A FILE IS PRODUCED FOR LATER USE,

EXAMPLE : 2-0UT-OF-3-SYSTEM

***************************

'f

⁼

^x

¹

^x

²

^{v x}

¹

^x

³

^{v x}

²

^x

³

=

x

₁ (X2 ^V

x

₃ ^V

x

₂

x

3) +

x

₁

x

₂

x

₃

=

x

₁ (X2 ^V

x

₃) +

=

x

₁ (X2 + X2X3)

=

x

₁

x

₂ +

x

₁

x

₂

x

₃

Computeroutput + 1 + 2

+ 1 - 2 + 3 - 1 + 2 + 3

- x

₁

x

₂

x

₃

+

x

₁

x

₂

x

₃

+

x

₁

x

₂

x

₃•

5 PERFORMING AN APPROXIMATE FAULT TREE EVALUATION

Traditionally many approximations consist of just replacing m

V

T.

i=1 ¹ by

Cf\,o

^{:= T. ,} J_

jEI.

/\

J_

x.

J (5-1)

( 5-2)

where Ikp is the set of terms of

'f

of at most k-th order and then of using the first Bonferroni inequality [3]

Pr{~ ei} ~ ~ Pr{ei}.

J_ J_

EXAMPLE 5-1 DELETING TERMS OF MORE THAN THIRD ORDER

03 0

=

X1X2 v X1X3X5 .

r ,

Hence, for s-independent X. _{J_}

(5-3)

The problem with this primitive type of approximation is that one does not know if

The next approximation consists of applying (5-3) to (4-1) yielding

;; I

m

i=1

Pr{T.=1}

l

m

= I

i=1

E (T.).

l (5-4)

To getan idea of the quality of this approximation (sometimes) the second Bonferroni inequality

Pr{U e.}

. l l

m rn-1

~

l

Pr{ei} -

l

i=1 i=1

rn

I

j=i+1

Pr { e. n e.}.

l J (5-5)

is applied. (For an extended proof see e.g. [4].) The application of (5-5) to (4-1) yields

rn rn-1 m

~

l

E(Ti) -

l l

i=1 i=1 j=i+1

Obviously, by (5-4) rn-1

t,

=

= I

i=1 m

I

j=i+1

E(T.T.)

l J

E(T.T.).

l J

is an upper bound for the error of this approxirnation.

(5-6)

(5-7)

If

e

₁ > e , the rnaxirnum allowed error,one can use further Bonfer- max

roni inequalities to find a sufficiently good approximation. Unfor- tunately,this process can be rather burdonsome as to the necessary cornbinatorial calculations. Hence,our advice is to calculate ~, first. If

e

₁ ^> ernax' then the following procedure is recornmended APPROXIMATE FAULT TREE EVALUATION (AFTE)

1) Given a DNF of

'f,

calculate all the E (Ti).

2) Order the E(Ti) according to ascending values.

3) Add the smaller E(T

1.) as long as their surn is smaller than e max

Let e be the final sum; e ~ e max

4) Delete all the Ti processed in step 3 from

f

(which is still Boolean) 'fr·

call the rest of ~

5) Process fr according to section 4 of this report.

A discussion of this AFTE including proofs and a hand-calculated

example can be found in [5]. Note that AFTE is not included in SyRePa '87. The main reason for that is the fact that - a s several examples revealed -often not SHANEX but rather PRO DNF is the most time con- surning part of the two, and any approximate AFTE would start from PRO DNF.

6 CALCULATING SYSTEM UNAVAILABILITY/UNRELIABILITY Given a DDNF

rn'

Cf= I

i=1

T.' l.

i t is well-known that

p~ : = Pr {

<f

= 1 } = E (

Cf ) ₌ I

^rn'

i=1

Pr{T. '=1}

l.

rn'

=

l

^E(Ti').

i=1

( 6-1)

If all the X.

J are s-independent, every x.

J of the Ti's has sirnply tobe replaced by _{p. '}

-

J including p.:=1-p. for the XJ .. In short :

J J

For f(~) in polynornial form (not only as a DDNF)

( 6-2) EXAMPLE 6-1 : 2-0UT-OF-3 SYSTEM

As is well known or easily verified, for the 2-out-of-3 systern e.g.

By (6-2)

or in fault tree notation

Two little exarnples with (MTTR) .

ui = - - - -l.

(MTTR) i + (MTTF)i

1/µ.

= - - - -

l.

1/µi + 1/11.i are given at the end of section 7.

(6-3)

(6-4)

( 6-5)

"-i

= - - - -

"-i + µi

7 CALCULATING MEAN TIMES OF BINARY SYSTEM STATES

In general, calculating mean times of binary system states is rather difficult. Detailsare discussed in [6]. However, for s-independent X. this is very easily done; see [2]. The main rule for getting

J

from a DDNF of (f is the following

1) Calculate p'f (as a function of the p. and

p.).

J J

2) Multiply each term p . p .•..

pkp

^{o • • • by ( µ . + µ , + • ••}

l. J -<- l. J

Here

1/µi is the mean time of a state 1 /ll.. ^{II II II II II II II}

l.

Hence, for

pi= Ui (unavailability of Ci), pi= Ai (availability of Ci) we have (as usual):

µi is the repair rate of Ci, /\.i is the failure rate of C ..

l.

EXAMPLE 7-1 2-0UT-OF-3 SYSTEM From (6-5)

with xi =1 ,

II X. =O.

l.

- ll.k - ll. l - ... ),

Instead of ¹¹EXTENDED COMMENTS ON THE PASCAL PROGRAM SYSPAR¹¹ two little examples follow:

EXAMPLE: 2-0UT-OF-3 SYSTEM

**************************

MULTILINEAR FORM (DDNF>: X1X2 v X1-X2X3 v -X1X2X3 WITH 'PROB.DAT' IN THE FORMAT:

Rl:1 R2:1 R3:1

Fl:0.0001 F2!0,000l F3:0.0001

'SYSPAR' YIELDS THE FOLLOWING RESULT:

SYSTEM UNAVAILABILITY rs: o.000000029992001 SYSTEM MTTR IS: 0.500016666666667

SYSTEM MTTF rs: 16671666.666666670000000

EXAMPLE: ARPA-NET

*****************

MULTILINEAR FORM <DDNF)!

X6X7 v X3X5X6-X7 v X1X2X3-X6 v X1-X2X4-X6X7 v

X1X2X3-X5X6-X7 v X1X2-X3X4-X6X7 v

-X1X2X3X4-X5X6-X7 v X1X2-X3-X4X5-X6X7 v X1-X2X3X4X5-X6-X7

WITH Ri=1 AND Fi=0.0001 IN 'PROB.DAT'~

'SYSPAR' YIELDS THE FOLLOWING RESULT:

SYSTEM UNAVAILABILITY rs: 0,000000010000999 SYSTEM MTTR rs: 0.499925036241061

SYSTEM MTTF IS: 49987506,872918880000000 IMPORTANT NOTICE !!

In order to get meaningful values of system MTTF /MTTR,

Cf

must be s- coherent, which means that in

=X.CD!+

1 l 1 i

=

1, . . . ,n

all the

Cf i.

must be Boolean. In example cases negative values of MTTF/

MTTR gave hints to this problems. In other cases this may not happen.

For deeper insight consult [6]. Nothing goes wrang, if the original form of ~ is without negations.

8 FAULT TREE OF A FLOW NETWORK

Frequently practical problerns can be rnodeled by a stochastic graph in which a rninirnum flow (of sorne material, or inforrnation, or energy) between two specific nodes rnust be guaranteed even though sorne edges may be deleted (pipes, or channels or wires failing}. Here we show how to derive a syrnbolic forrnula for the calculation of the proba- bility of having a network flow frorn vertex A (vA) to vertex B (vB) of a minimum flow rate. All the edges e. of the given (rnodel) graph G

l.

have maximum possible flow rate r .. The maximum possible rate of flow

l.

rA,B from vA to v₈ is supposed to have at last the value rA,B,min" The idea of the algorithm FLOWNET is to produce a fault tree in this case; i.e. a Boolean function

Cf<x

₁, ••• ,Xn), n

=

cardSe1whose value is 1 in case of insufficient flow, and O else. FLOWNET contains the following .main steps.

1) Production of the DNF

Cfo

of

{f

for the case of rA,B,min= 0, i.e.

for the case, where any subgraph G' of G, which is connected with respect to vA and vB, is "good". The terrns Ti of this DNF corre- spond to the mincuts of G; i.e.

2) Check if all K

n. l.

rc. ⁼

I

^r.

j=1 ^{l. .}

l. J

X. l.

n. l.

rnincuts c.

l.

;;; r

A,B,rnin

;= {ei1, .•• ,ei n. l.

}

.

allow for flow rates

; i=1, ... ,K.

If not, ^G never meets the dernand defined by r . and ^Cl) =1 • A,B,rnin l Otherwise, continue as follows :

3) Delete rnore and rnore edges e. ,e. ,e. , .•• of

11 ¹2 ¹3

resulting subgraphs G! of G, as G was checked

l.

G and check the in 2) . (The r.

l. .

J of

deleted edges are set to zero.) If G~ fails to rneet the rninirnurn

l.

flow rate dernand, then T¹. :::X. X. X. • •• is a terrn of

f/ .

^{Once a}

i l.1 l.2 l.3

G! "fails", no further edges are deleted from it.

l.

4) From all the m failing G! compute

l.

r ⁼

_i=1

^V

m

EXAMPLE 8-1 : SIMPLIFIED ARPA NET.

Fig. 3 shows the Gof this example. The(maximum)flow rates of the various edges are given in parantheses.

Fig. 3

e₂(Z} ^{/ 1}

Gof strongly simplified ARPA net (straight lines) with mincuts (edges on dotted lines).

Looking at the flow through the boundaries defined by the 6 mincuts one finds that for a minimal flow rate demand of 4 units

are all the minimal sets of edges whose deletion means too little flow between vA and vB. Hence,the new system fault tree function is

The corresponding output of the program FLOtillET is

+

¹

+

⁶ + 7

+

²

⁺

⁴

+

³ -t- 4 +5 Comparing CJJ with

i t is obvious that

Cf

corresponds to many more elementary system failure states (expressed by minterms) than

:fo

^does.

EXTENDED COMMENTS ON THE PASCAL PROGRAM 'FLOWNET'

*************************************************

This program consists mainly of two procedures:

1) NEXT_SET_OF_EDGES, which produces all subsets of edges of the original flow net graph G,

2) TEST_FLOW, which checks the remaining partial graph G' for its maximurn flow, which should surpass a given minimum value.

The (short) main program is optimized in that in TEST_FLOW only subsets of edges are processed,which could pontenially yield a success case.

Furthermore, FLOWNET consists of 3 procedures for input/output A) INREAD, which reads the (minimal) cut-file,

B) FLOWREAD, which reads the flow-rates of G, C) PRINT for the printing of the results.

9 MEAN TIME TO FIRST FAILURE OF A NON-REPARABLE SYSTEM WITH EXPONENTIALLY DISTRIBUTED COMPONENT LIVES

As is well-known, in non-reparable systems, with life L8 and survi- vor function (strict sense "reliability") FL (t), mean system life

s

can be calculated as

CO

= f FL (t)dt

0 S

F : = 1 - F .

In the so~called exponential case, where FL. (t)

=

1.

exp (-t... t) , 1.

-

( 9-1 )

(9-2)

(9-1) is very easily evaluated once FL is given as a polynomial öf

s

-

the FL. ¹s (of the C. ¹s of S). In fact, if a typical term of FL is

1. 1. s

= a

1. exp [ - ( L + t-.. + ••• + " ) t] ,

J

k

m

then, because of

CO

f exp(-ßt)dt = 1/ß, ß

>

o ,

0

the term (9-3} yields - as part of (9-1) - the term

EXAMPLE 4-1 ELEMENTkRY 3-COMPONENTS SYSTEM Let

-

_x

1 cx2 x1 cx

2 x2x3J

xs = ^V X

3) = + X3

- - -

= x1x

2 + x1x3

-

x 1x

2x 3

(9-3)

( 9-4)

(9-5)

(9-6)

Then, obviously - replacing formally Xi by FL.

J.

(9-7)

and, using (9-3,4,5) :

(9-8)

Unfortunately, in practice the derivation of the polynomial form of FL can be rather cumbersome in case improper methods are applied.

s

EXAMPLE 4-2 Let

2-0UT-OF-4:G SYSTEM

(9-9)

Obviously, the transformation of the last line to a polynomial is, even in this relatively simple case, a boring burdon for engineers.

Even with computers this type of formula manipulations can become a problem of computational complexity. Hence, we propose an algorithrn based on an idea of ENZMANN [ 8 ], which is sketched in the sequel.

DERIVATION OF A BOOLEAN POLYNOMIAL WITHOUT NEGATED VARIABLES

As is well-known [ 7 ] , any Boolean function

Cf

allows for a multi- linear polynomial representation:

+ a Y n n

+ a Y Y

n-1,n n-1 n

+ ... +

a,

, ••• , n ^Y1 (9-10)

Obviously,

f(O, ...

,o)

= a0 ,

<p (

^{1 ,}

o, ... , o) =

^a₀ ^{+ a}₁ ^,

Cf (

o, 1 , o, •.. , o) = a0 + a 2 ,

p (

o , ..• , o, 1 ) = a

0 + an ,

'f (

1 , 1 ,

o, ... ,

o) = a0 + a 1 + a 1 , 2 ,

<,'(1, ••• ,1)

=

a

0 + a1 + ..• +an+ a1 2 + ••. + a _

1 + ... + a

1 .

, n ,n , ... ,n

This system of linear equations for the coefficients of (9-11) is extremely easily solvable; see the following example, where Y. :=X ..

l. l.

EXAMPLE 4-3 : (EX. 4-2 CONTD.) Let

x

₈ =

'f

(X

1, ••.

,x

₄) . In (9-9) x₈=o, if at most one Xi=O. Hence,

Therefore, and since x

8=1, if two Xi's assume the value O a1,2 = a1,3 = a1,4 = a2,3 = a2,4 = a3,4 = 1 •

In case three of the Xi's assume the value 1, we have x

8=1, and 1 = a . . + a. k + a. k + a . . k

J.,J J., J, J.,J,

=

3 + a . .

J.,J,

k

Finally, since ff(O,O,O,O) = 1,

=;, a . . k

=

-2.

l . ' J '

1 - 6-8+ a > a = 3.

- 1,2,3,4 1,2,3,4

The fairly easily obtained multilinear polynomial is

( 9-11) This corresponds to ( 9-6) • Omitting the trivial intermediate step that resulted in example 4-1 in ^{( 9-7) ,} the mean time to first failure is

B (LS)

=

1 + ¹ + 1 + ¹ + ¹ + ¹

/\. 1 + /\.2 /\ 1 + A.3 /\.1 + A.4 /\ 2 + A.3 /\.2 + A.4 A.3 + /\4

2 2 2 ²

/\.1 + /\.2 + A.3 /\.1 + /\.2 + A.4 /\ 1 + A.3 + A.4 /\.2 + A.3 + A.4

+ - - - -

3 ^(9-12)

/\.1 + /\.2 + A.3 + A.4

The corresponding outputs of the PASCAL program 'FIRSTFAIL' are for ( 9-11 ) :

- 1 - 2 # # # + 1 ~

x

₁

x

₂

- 1 - 3 # # # + 1 ~

x

₁

x

₃

- 3 - 4 # # # + 1 - 1 - 2 - 3 # # # - 2

- 2 - 3 - 4 # # # - 2

= -

^{/\ 2X}₁

x

₃

x

₄

- 1 - 2 - 3 - 4 # # # + 3

₌

^/\ _3X

- - - -

1

x

₂

x

₃

x

₄

for (9-12) :

SYSTEM MTTFF IS ... (numerical value of E(Ls)).

EXTENDED COMMENTS ON THE PASCAL PROGRAM 'FIRSTFAIL'

***************************************************

The program 'FIRSTFAIL' needs the DNF produced in the program 'PRO_DNF' and the components failure rates of the input file 'PROB.DAT'. It consists essentially of the following 4 procedures 1) 'INREAD', which reads the DNF file in a standard way

2) 'READ_RATES', which reads the failure rates of 'PROB.DAT' (Repair rates are ignored.)

3) 'PHI', which determines values of the fault tree function

under consideration. (For this purpose the linear list of terms . produced by 'INREAD' is evaluated.)

4) 'DNF', which is based on the algorithm of ENZ.MANN [8).

In 'DNF' instead of <.p(~) rather 'f(~) = 1-

Cf<~)

is transformed to a multilinear polynomial

(f*cx

₁, ••• ,Xn). In case

rp*

should contain

the absolute term 1, a finite MTTF would not exist, since the MTTFF equals

A corresponding print out informs the user of this pathological case.

Note, that the value of the MTTFF is determined concurrently with the terms of

h

~* (

Furt ermore,

1 can be cut off yielding an approximate value of the MTTFF) after the terms of order m

<

n have been produced. This value m is asked for. Put m=n for the exact MTTFF !

Note that 'DNF' can yield wrong results, unless (f(~) depends on all of

x

₁, .••

,x.

Otherwise, the components of X have tobe renumbered.

n -

10 REFERENCES

[0] Schneeweiss

w.,

schulte M.: SyRePa'86 - a package of programs for systems reliability evaluations. Fernuniversität Hagen, Informatikber. 62 (4/1987).

[1] Schneeweiss W.: Disjoint Boolean products via Shannon's expansion. Trans. IEEE vol. R-33 (1984) 329-332.

[2] Schneeweiss W.: Addendum to computing failure frequency, MTBF &

MTTR via mixed products of availabilities and unavaila- bilities. Trans. IEEE vol. R-32 (1983) 461-462.

[3] Feller

w.:

An introduction to probability theory and its appli- cations. New York: Wiley 1957.

[4] Schneeweiss W.: Zuverlässigkeits-Systemtheorie. Köln text-Verlag 1980.

Datakon-

[5] Schneeweiss W.: Approximatefault-tree analysis with prescribed accuracy. Trans. IEEE-R 36 (1987) 250-254.

[6] Schneeweiss W.: The failure frequency of systems with dependent

components. Trans. IEEE-R 35 (1986) 512-517.

[7] Schneeweiß

w.:

Boolean Functions with Engineering Applications and Computer Programs. Springer 1988.

[8] Enzmann W.: Ein Algorithmus zur Berechnung von Zuverlässigkeits- daten komplexer redundanter Systeme. (An algorithm for the calculation of reliability parameters of complex redundant systems}. Angewandte Informatik 15 (1973) 493-499.