Fault Tree Analysis for the EnergyGrid

ProjektmodulSoftware und Systems Engineering

Fault Tree Analysis for the EnergyGrid

Eugen Petrosean(Matr-Nr. 1071092)

WS 2012/2013

Supervisor:

Jan-Philipp Steghöfer

November 2012

Contents

Contents

1 Introduction....................................................................................3

2 Fault Tree Analysis for the EnergyGrid – Basic Concepts...............42.1 Autonomous Virtual Power Plants ....................................................................42.2 Safety – A New Metric for Structuring of Autonomous Virtual Power Plants. .62.3 Fault Tree Analysis – Procedure Steps..............................................................8

3 Fault Tree Construction ................................................................103.1 Mutually Independent Basic Events.................................................................103.2 Common Cause Failures...................................................................................11

3.2.1 Beta Factor Method ..................................................................................11

3.2.2 Basic Parameter Method...........................................................................13

3.2.3 Multiple Greek Letter Method..................................................................13

3.2.4 Alpha Factor Method................................................................................14

4 Algorithms for Qualitative Analysis of Fault Trees........................194.1 MOCUS Algorithm............................................................................................194.2 FATRAM Algorithm.........................................................................................234.3 Reduction of Comparisons in the MOCUS and FATRAM Algorithms............284.4 Binary Decision Diagrams...............................................................................30

4.4.1 Shannon's Decomposition........................................................................33

4.4.2 Directed Acyclic Graph ............................................................................34

4.4.3 Priority Ordering Method of Basic Events ..............................................35

4.4.4 BDD Algorithms in Fault Tree Analysis ..................................................41

4.4.5 Algorithmic Complexity...........................................................................48

5 Importance Measures for Quantitative Analysis of Fault Trees....495.1 Risk Achievement Worth..................................................................................495.2 Risk Reduction Worth......................................................................................495.3 Fussel-Vesely Importance................................................................................505.4 Birnbaum Importance......................................................................................505.5 Criticality Importance......................................................................................50

6 Conclusions...................................................................................52

References.......................................................................................54

1 Introduction

1 IntroductionThe EnergyGrid is a simulation platform for power systems to deal with the upcoming challenges of decentralised heterogenous power supply and increasing number of power plants, especially weather dependent power plants, whose energy outputs are highly volatile. This simulation platform is being developed within the scope of the research unit „OC-Trust“ of the German research foundation and provides important approaches of how a future energy grid might work and how current systems and infrastructure could be evolved towards a more flexible and robust system. As the preliminary results of the EnergyGrid are very promising, the simulation environment and algorithms are being constantly refined in close cooperation with utilities in Southern Germany.

The fundamental concept of the EnergyGrid are self-organising Autonomous Virtual Power Plants (AVPPs) which structure themselves on the basis of a real power plant landscape with different types of power plants. These structures (AVPPs) then autonomously plan the power supply based on predictions made by the power plants and by the consumers. Depending on the process of structuring and controlling, different structures of a power plant landscape can be obtained which for their part can be classified into two categories whether they can meet the demand for power delivery or not.

In order to give accurate evidence during the structuring process within a power plant landscape whether an AVPP will be able to meet the demand for power delivery or not, an additional mechanism is required to provide a precise assessment of the ability of an AVPP to meet the power demand. As a result, in this paper we are going to introduce a new metric which should improve the structuring process of a power plant landscape and provide at the same time a reliable measure for the quality of forming a specific AVPP. This metric will be realised by means of fault tree analysis which comprises a range of steps required for this kind of analysis. These steps will form the main subject areas of this paper. Thus, our focus will be to provide an explanation of the specific fault tree procedure steps and elaborate a concept of computational techniques in terms of how they should be applied and implemented in the EnergyGrid.

The remainder of this paper is organised as follows. Chapter 2 highlights the idea of the partition safety metric with the goal to compute it by means of fault tree analysis. Chapter 3 describes how the fault tree for the EnergyGrid can be constructed considering common cause failures for weather dependent power plants. Chapter 4 explains how the qualitative evaluation of a fault tree can be optimally performed within the scope of computational procedures. Chapter 5 shows how the partition safety metric can be obtained from importance measures defined for the quantitative evaluation of a fault tree. Chapter 6 summarizes the results obtained in the previous chapters and draws conclusions about the set of approaches which should be realized in the EnergyGrid.

3

2 Fault Tree Analysis for the EnergyGrid – Basic Concepts


In this chapter we are going to explain the main idea of the EnergyGrid, the principles underlying the concept of Autonomous Virtual Power Plants (AVPPs) and introduce a new metric (Safety Metric) making the process of structuring and controlling distributed power sources through the usage of AVPPs within a power plant landscape more reliable and precise. This metric will rely on one of the most important bases of reliability assessment for technical systems, on fault tree analysis and indicate during the partitioning process of a power plant landscape into AVPPs and their subsequent adaption to certain circumstances and changing environmental conditions, whether the inclusion/removal of a specific power plant into/from an AVPP will increase/decrease the propability of meeting the demand for power delivery or balancing power supply and load by the specific AVPP.

2.1 Autonomous Virtual Power Plants Nowadays, one can observe dynamic changes (e.g. continuous increase of the number of power plants) and especially a rapid deregulation of the energy market in terms of utilising new types of power plants, such as photovoltaics, wind turbines, domestic combined heat and power units, which cannot be fully controlled and depend simultaneously on the continuous change of environmental conditions (e.g. weather conditions). These factors make a central control for balancing power supply and load more complicated and often inefficient [Ase10]. Therefore, the idea of Autonomous Virtual Power Plants was developed to solve on the one hand the problems described above and on the other hand to provide a mechanism for an autonomous, decentralised control which is be able to make decisions at runtime based on predictions made both by power plants about their future energy production and by the consumers about their consumption. According to the ideas of Organic Computing, an AVPP can be defined as follows:

Definition (Autonomous Virtual Power Plant). An Autonomous Virtual Power Plant (AVPP) is a self-organising ensemble of power plants which self-adapt and self-optimise in order to be able to deal with an increasingly decentralised, heterogeneous power supply.

The AVPP concept takes into account two fundamental concepts:

(1) Self-organisation – the capability of a system to find suitable organisational structures autonomously which support the system's goal, i.e., to find and maintain a suitable structure for the power plant landscape.

(2)Trust – the capability of a system to deal with uncertainties, i.e., to react to problems of not feeding the predicted amount of energy into the power grid due to technical problems of a power plant or to external, uncontrollable circumstances which affect primarily the output of weather dependent power plants. It comprises different facets such as:

1. Credibility – a power plant adheres to its predictions.

4


2. Reliability – a power plant is online and feeds power into the grid (when scheduled to do so).

3. Safety – the power plants act in such a way that no harm comes to the user, the system, or its environment. Thus, the system is able to operate in a stable fashion.

These types of concepts make sure that AVPPs do not consist of a predefined static set of power plants, but are changing their structure (see Figure 2.1) to meet the power demand and adapt to the current environmental conditions and circumstances. As long as the power plants do not change their behaviour fundamentally and the power plant landscape stays the same, the structure should become stable.

Figure 2.1: The structuring process of power plants into AVPPs

The structuring process of AVPPs during runtime and their subsequent adaption is driven by a number of crucial aspects:

5


(1) Energy Mix – an AVPP has to show an efficient composition of power plants in order to deal with load peaks or unexpected weather conditions, i.e., the energy mix should comprise at least some controllable power plants and ideally one or more storage power plants to avoid dependence on weather conditions and the time of day resulting from utilising for example only photovoltaics.

(2)Location – an AVPP should be located nearby its supply areas to avoid transmission losses of electricity as transmission losses increase with the transmission distance.

(3)Trustworthiness – an AVPP has to ensure that it has enough reserves to compensate the failure of unreliable or non-credible power plants which are dependent on the consumer's behaviour (e.g. combined heat and power units) or weather conditions (e.g. photovoltaics). Thus, this definition comprises two aspects described above: credibility and reliability.

(4)Demand and potential supply – an AVPP must be able to deal with the load curves of its supply areas, i.e., there has to be enough capacity to meet their demand for power delivery at any time.

2.2 Safety – A New Metric for Structuring of Autonomous Virtual Power Plants

The main purpose of introducing a new metric is to improve the structuring algorithm which is able to arrange a set of power plants into several AVPPs. Whereas the aspects described in Section 2.1 - Energy Mix, Location, Trustworthiness – have already been implemented in the EnergyGrid, the fourth aspect – Demand and potential supply – will be the subject of this section. As the structuring algorithm is a decentralised multi-agent set partitioning algorithm and an AVPP is considered as a partition, and a power plant as an agent, then agents can be partitioned according to four aspects:

(1) Partition Size1 – an agent prefers larger partitions.

(2)Partition Coherence – an agent prefers partitions which are close to its geographical location.

(3)Energy Mix – an agent switches partitions if this improves the energy mix of the new partition and of the old one.

(4)Former partition memberships2 – an agent prefers partitions in which it has been a member for a lot of time steps. The more time steps have passed since it was a member of a partition, the less this membership is considered.

Each agent can be a member of exactly one partition and each partition is led by exactly one agent, the leader. In each step, the partition head selects neighbours which are

1 Additional aspect to avoid small partitions2 Additional aspect to avoid thrashing

6


close to the partition and which would improve the quality of the partition's energy mix (see Figure 2.2). The decision of joining the specific partition or not is made finally by agents which take into account the four factors described above.The safety metric to be introduced in this section can be considered as an additional aspect of affecting the forming process of a partition. Whereas the whole structuring process of agents into partitions and their subsequent adaption to external impacts can be considered as a dynamic process, the evaluation of a specific partition in terms of the fault tree analysis can be considered as a static process because the structure of a partition remains unchanged at a particular time and can therefore be analyzed in terms of the fault tree analysis. This type of metric can be defined as follows:

Definition (Partition Safety). An agent prefers to join a new partition and to leave the old one, if the safety of the new partition will increase and improve the system stability due to the inclusion of the specific agent into the new partition whereas the safety of the old partition must not decrease significantly and impair the system stability due to the removal of the specific agent from the old partition. Therefore, both partitions, the new and the old one remain capable of meeting the demand for power supply thus ensuring the system stability.

Moreover, the partition safety metric can be computed by means of reliability assessment, by analyzing the impact on the capability of an AVPP to meet the desired demand for power delivery or not when the specific agent is included or removed from the specific AVPP.

Figure 2.2: The partition head of an AVPP selects a neighbour

This mechanism will be studied within this paper with the subsequent purpose to implement and to integrate the findings into the decentralised multi-agent set partitioning algorithm of the EnergyGrid. Moreover, we will answer the question of how the qualitative and quantitative fault tree evaluation3 can be efficiently performed and how environmental conditions (e.g. weather conditions) can be included into the

3 See MOCUS Algorithm, FATRAM Algorithm, Binary Decision Diagrams

7


fault tree construction4 to achieve more realistic results in terms of the partition safety metric.

2.3 Fault Tree Analysis – Procedure StepsThe fault tree analysis is a standard method for the assessment and improvement of reliability and safety in complex technical systems [Cep11].

Figure 2.3: Fault tree procedure steps

The fault tree analysis is an analytical technique, where an undesired state of the system is specified and then the system is analyzed in the context of its environment and operation to find all realistic ways in which the undesired event can occur. The undesired state of the system which is identified at the beginning of the fault tree analysis, is a state which is critical from a safety standpoint and is identified as the top event. The top event is therefore an undesired event which is further analyzed with the fault tree analysis.

4 See Common Cause Failures

8


This analytical technique will be used to compute the partition safety metric introduced in Section 2.1. It comprises a number of steps (see Figure 2.3), three of them are crucial for an efficient and accurate computation of the partition safety metric which will be discussed in detail in the next sections.

Step (4) – Fault Tree Construction (see Chapter 3)

After selecting the undesired event – AVPP cannot meet the power demand5 – as a top event and having analyzed the system so that we know all the causing6 effects, we can now construct the fault tree by using AND and OR gates which define the major characteristics of the fault tree.

Step (5) – Qualitative Fault Tree Evaluation (see Chapter 4)

After the fault tree has been constructed for the undesired event, a qualitative analysis can be performed to provide valuable information about failure combinations of power plants which can cause the undesired top event.

Step (7) – Quantitative Fault Tree Evaluation (see Chapter 5)

As the EnergyGrid has the infrastructure necessary to provide probabilities for the basic events of the fault tree by means of providing the reliability and credibility metrics of power plants7, the quantitative fault tree evaluation can therefore be performed to obtain the probability that the undesired top event will occur, and how the criticality of the basic events will influence the probability of the undesired top event. The latter aspect is important for identifying power plants which can impair the system stability in terms of reducing the ability of an AVPP to meet the demand for power delivery.

5 The undesired event results from the definition of the partition safety metric described in Section 2.2.

6 The fault tree analysis is based on the assumption that all causes which lead to the undesired state of the system – the undesired top event, are known.

7 The reliability and credibility metrics are provided by the EnergyGrid for each power plant from the corresponding power plant landscape.

9

3 Fault Tree Construction

3 Fault Tree Construction In fault tree construction the fault tree model is developed graphically or with Boolean equations which represent the fault tree. It is important to distinguish between dependent and independent basic events. If component fault states of the system exist only as mutually independent basic events without any shared root cause, then the fault tree construction will proceed according to standard procedure steps. If component fault states are a direct result of a shared root cause, then an additional approach is necessary to model such dependencies in a fault tree. These fundamental questions will be described in the following section due to the fact that weather conditions repre-senting a typical shared root cause have a direct impact on the operation of photo-voltaics, wind turbines and, to a lesser extent, hydropower stations modeled in the EnergyGrid.

3.1 Mutually Independent Basic EventsThe idea of fault tree analysis within the EnergyGrid is to construct as many fault trees as AVPPs were formed during the structuring process of a power plant landscape. Thus, each fault tree of the EnergyGrid provides a basis for a safety assessment of the specific AVPP with its power plants. The fault tree construction for AVPPs can be considered as the same in terms of the fault tree structure only with the difference that mainly different power plants are included. Each fault tree is built according to the EnergyGrid metrics (reliablity and crediability) to model that an AVPP cannot meet the demand for power delivery (see Figure 3.1, Figure 3.2, Figure 3.3, Figure 3.4). For specifying why an AVPP cannot meet the demand for power delivery and taking into consideration the two metrics mentioned above, we define two corresponding intermediate fault tree events – „Power Plant is not online“ (Negation of the reliability metric definition – see Figure 3.1) and „Power Plant does not adhere to its predictions“ (Negation of the credibility metric definition – see Figure 3.2). If we continue specifying these two intermediate fault tree events, we can say that a power plant can be offline due to technical problems (see Figure 3.1) and cannot adhere to its predictions due to insufficient fuel8 (see Figure 3.2) or unscheduled maintainance work (see Figure 3.3) or weather conditions (see Figure 3.4) with regard to specific types of power plants. The resolution of the fault tree within the EnergyGrid terminates with the modeling of concreate power plants represented by the basic events within our fault tree. The basic events are thus related to the failure modes of power plants as a whole and not to the larger number of components of power plants and their failure modes.The fault tree modeled for the EnergyGrid includes a big number of basic events related to the operability of the specific power plants. But not all of the basic events presented in the fault tree can be considered as mutually independent. As mentioned above, similar weather dependent power plants (see Figure 3.4) depend on weather conditions (e.g. cloudiness, dead calm, drought) to the same extent. Thus, we can assume that when the operability of a power plant drops due to weather conditions, then all similar power plants (power plants of the same type) located in direct proximity must have a similar drop in power supply. Therefore, during the quantitative evaluation of the fault tree this type of the shared root cause must be considered precisely to provide reliable and accurate results during the quantative evaluation of the fault tree modeled for the EnergyGrid. Although the methods for evaluating common cause failures will be presented in the next section (see Section 3.2), it is important to emphasize that the fault tree for the EnergyGrid comprises more than two components sharing the same

8 The insufficient fuel problem can be considered as a technical problem only for controllable power plants.

10


root cause which means that we are interested in methods considering common cause failures for more than two components.

3.2 Common Cause FailuresCommon cause failure (CCF) events [Cep11, Kep11] are a subset of dependent events in which two or more component fault states exist at the same time and are a direct result of a shared root cause. The definition of common cause failure is closely related to the general definition of dependent failure. The events A and B are dependent if:

P A∩B≠P A∗P B

where P x is the probability of event x . If the dependency exists between parallel events, the probability of system failure is larger than the product of failure probabilities of all parallel events:

P A∩BP A∗P B

Common cause failure results from the coexistence of two main factors:

(1) A susceptibility for components to fail or become unavailable because of a particular root cause of the failure.

(2)A coupling mechanism that creates the condition for multiple components to be affected by the same cause.

An example of common cause failures in the EnergyGrid is the case where photovoltaics fail to operate at the same time as a result of changing weather conditions (e.g. clouds). The methods for the evaluation of common cause failures include the following approaches:

(1) Beta factor method

(2)Basic parameter method

(3)Multiple Greek letter method

(4)Alpha factor method

The full effect of the difference between the methods is observed for the systems with more than two or three parallel branches or portions or redundant lines. If there are only two parallel components in the system, the differences between the methods are not notable. The simplest method for evaluation of common cause failures is the beta factor method which provides a good understanding of how common cause failures can be modeled in a fault tree.

3.2.1 Beta Factor Method The beta factor method9[Kep11] is a method where the likelihood of the common cause

9 The beta factor method is a special case of the multiple Greek letter method described in Section 3.2.3. It is an approach which can be applied if only two components with the same

11


failure is evaluated in relation to the random failure probability of the components susceptible to a common cause failure.If the failures of components are not completely independent from others, the original random failure probability of the failure mode of the specific component can be divided into two parts: independent failure probability and common cause failure probability (see Figure 3.5).

Figure 3.5: The FT from the explicit modeling of common cause failures

The fault tree shown in Figure 3.5 can be simplified through the equivalent Boolean representation of the top event (see Figure 3.6):

Top=K 1−ind∨CCF 12 ∧K 2−ind∨CCF 12=K 1−ind∧K 2−ind ∨CCF 12∧K 2−ind ∨K1−ind∧CCF12∨CCF 12∧CCF 12=

K1−ind∧K 2−ind ∨CCF 12

Figure 3.6: The simplified FT of the fault tree in Figure 3.5

The beta factor method is one parameter method where the factor β directs the

shared root cause should be modeled in a fault tree.

12


extent of the common cause failure probability related to the original random failure probability. The β factor is obtained from the historical data by determining the percentage of all the component failures in which multiple similar components failed versus single components failures. If β factor is not known, a general value of 0.1 is sometimes used.The general expression for contributions of failure probabilities of m parallel components for the component t is the following:

P k={1−β ×P t ; k=10 ; 1km

β×P t ; k=m

This expression shows that only the independent part of the component failure and the common cause failure contribution of all components failures at the same time are considered in the beta factor method.

3.2.2 Basic Parameter MethodThe basic parameter model [Iea92, Pil89] refers to the straightforward definition of the probabilities of the basic events P k

m . The total failure probability P t of a component in a common cause group of m components is:

P t=∑k=1

m

m−1k−1×P k

m

where the binomial term

m−1k−1 = m−1!

k−1!m−k !

represents the number of different ways that a specified component can fail withk−1 other components in a group of m similar components and the eventsPk

m and P jm are mutually exclusive for all k , j .

3.2.3 Multiple Greek Letter MethodThe multiple Greek letter method [Pil89] is used for a more accurate analysis of systems with higher levels of redundancy. The multiple Greek letter method uses other parameters in addition to the beta factor to distinguish among common cause events affecting different numbers of components in a higher order redundant system. The multiple Greek letter parameters consist of the total failure probability which includes the effects of all independent and common cause contributions to that component failure, and a set of failure fractions which are used to quantify the conditional probabilities of all the possible ways a common cause failure of a component can be shared with other components in the same group, given component failure has occured. For a group of three components, three different parameters are defined:

13


P k={ 1−β ×P t ; k=112β 1− χ ×P t ; k=2

β× χ×P t ; k=3

The general expression for the multiple Greek letter method is the following:

P k=1

m−1k−1

∏i=1

k

ρi×1−ρk1×P t where ρ1=1, p2=β , p3= χ , pm1=0

The beta factor method is a special case of the multiple Greek letter method. If χ of the multiple Greek letter method equals one, it becomes the beta factor method.

3.2.4 Alpha Factor MethodThe alpha factor method [Iea92, Pil89, War10] is a multiparameter method that can handle any redundancy level. The alpha factor method develops common cause failure probabilities from a set of failure ratios and the total component failure probabilities. The parameters of the model are:

P t

Total failure probability of each component due to all independent and common cause events

αk

Fraction of the total failure probability of events that occur in the system and involve the failure of k components due to a common cause

The general expression for the alpha factor method is the following:

P k=k

m−1k−1

αk

αt×Pt where αt=∑

k=1

m

k×αk where k=1, 2, ... ,m

14

Figure 3.1: The FT for the EnergyGrid – Part 1

15



16






4 Algorithms for Qualitative Analysis of Fault Trees

4 Algorithms for Qualitative Analysis of Fault TreesAs explained in the previous sections, the undesired state of the system which is identified at the beginning of the fault tree analysis, is a state which is critical from a safety standpoint and is identified as the top event. By means of the qualitative fault tree evaluation, we try to find such minimal combinations of basic events (minimal cut sets) which, if they occur, cause the undesired top event occurence. On the basis of obtained minimal cut sets during the qualitative analysis we can subsequently compute the probability of how likely is the occurence of the undesired state of the system. Under the assumption that the basic events are mutually independent, the propability for the occurence of the undesired top event can be computed as follows:

PTOP=∑i=1

n

PMCS i−∑

i j

n

PMCS i∩MCS j

∑i jk

n

PMCS i∩MCS j∩MCS k−⋯−1n−1PMCS 1∩MCS 2∩∩MCS n

PMCS i=∏

j=1

m

P B j

where P B jis the probability of the basic event B j representing the failure of the

corresponding component; B j are mutually independent basic events; PMCS iis the

probability of the occurence of the minimal cut set i ( MCS i ); m is the number of basic events in the minimal cut set i ; n is the number of minimal cut sets.

If the fault tree is written in the form of Boolean equations, those need to be combined into one by applying the rules of Boolean algebra to obtain the equation for the top event representing a disjunction of conjuctive clauses (DNF10). If the fault tree is developed in its graphical form, the Boolean equations need to be written first based on the logic of the gates and their inputs. Then, the rules of the Boolean algebra are applied to obtain the equation for the top event which consists of a disjunction of conjunctive clauses. When the disjunction of conjunctive clauses of basic events is expressed by the Boolean equations derived from the corresponding fault tree, each element of this disjunction includes conjunctive clauses of a certain number of basic events. Those basic events together represent a minimal cut set. This approach provides a method of how minimal cut sets can be obtained during the qualitative analysis of fault trees. However, this method cannot be used by means of computational techniques due to its complexity and inefficiency. Therefore, in the next sections we are going to explain existing algorithms such as MOCUS algorithm (see Section 4.1), FATRAM algorithm (see Section 4.2), an additional optimisation algorithm for MOCUS/FATRAM (see Section 4.3) and Binary Decision Diagrams (see Section 4.4) which provide an efficient implementation of the computation of minimal cut sets.

4.1 MOCUS AlgorithmOne of the most common FT algorithms for generating CSs (cut sets) is the MOCUS11

10 Disjunctive Normal Form11 MOCUS algorithm is the oldest and the most used one in FT analysis

19


(method for obtaining cut sets) algorithm [Fuv72], developed by J.Fussel and W. Vesely. It is an effective top-down gate substitution methodology for generating CSs from a FT. MOCUS is based on the observation that AND gates increase number of elements in a CS and that OR gates increase the number of CSs. The basic steps in the MOCUS algorithm are as follows:

(1) Name or number all gates and events.

(2) Place the uppermost gate name in the first row of a matrix.

(3) Replace the top gate with its inputs, using notation of:

(a) Replace an AND gate with its inputs, each input seperated by a comma.

(b) Replace an OR gate by vertical arrangement, creating a new line for each input.

(4) Reiteratively substitute and replace each gate with inputs, moving down the FT.

(5) When only basic inputs remain in the matrix, the substitution process is complete and the list of all CSs has been established.

(6) Remove all non-minimal CSs and duplicate CSs from the list using the laws of Boolean Algebra.

(7) The final list contains the minimal CSs.

Example of applying the MOCUS algorithm to an FT

Consider the fault tree given in Figure 4.1. The results obtained by applying the MOCUS algorithm to the FT are as follows:

(a) The TOP gate is located in the first row and column: G0. Since G0 is an OR gate, it is replaced by its input events in separate rows as follows:

{A}

{B}

{G1} .

(b) G1 is also an OR gate. Replacing it by its input events in separate rows yields

{A}

{B}

{G2}

{G3} .

20


(c) G2 is an AND gate. It should be replaced by its input events in separate columns as follows:

{A}

{B}

{G4 ,G5}

{G3} .

(d) Replacing G3 by its input events leads to

{A}

{B}

{G4 ,G5}

{C }

{G6 } .Continuing in this fashion, the total CSs are obtained to be

{A}, {B} ,{D , F ,G },{E ,F ,G} ,{C }, {E , F }

and are given in column 6 of Table 4.1. The individual steps for obtaining the CSs are shown in Table 4.1. It may be seen that the set {E , F ,G} includes {E , F } . It is a superset and should be removed, since it is not a minimal cut set. Therefore, the minimal cut sets are:

{A}, {B} ,{D , F ,G },{C }, {E , F } .

21


Figure 4.1: The FT for which the MOCUS algorithm is applied in the example

Steps 1 2 3 4 5 6

A A A A A A

B B B B B B

G1 G2 G4, G5 G4, G5 D, G5 D, F, G

G3 G3 C E, G5 E, F, G

G6 C C

E, F E, F

Table 4.1: The steps for obtaining the cut sets for the fault tree given in Figure 4.1

The MOCUS algorithm, as mentioned above, is the oldest deterministic algorithm developed for obtaining minimal cut sets. It provides a good basis for determining minimal cut sets in terms of computational techniques. However, its execution speed does not represent the upper limit for this kind of deterministic approach due to the existing weak point in treating repeated events [Ram78], and thus can be improved. This means, MOCUS can be optimised for fault trees containing a big number of repeated events. As our constructed fault tree (see Figure 3.1, Figure 3.2, Figure 3.3 and Figure 3.4) contains many different repeated basic events (power plants) in order to reproduce the technical specificity of the EnergyGrid, it is important to take a look at the FATRAM algorithm (see Section 4.2) and its subsequent optimisation algorithm

22


(see Section 4.3) dealing with this question. This insight will help us to get an overview of how they can be applied for our proposed fault tree.

4.2 FATRAM AlgorithmBesides the MOCUS algorithm, several other algorithms [Ben76, Ram78] have been developed for obtaining the minimal cut sets of FTs. The majority of these algorithms have tried to improve upon the MOCUS algorithm by taking into consideration the repeated events. Among the most important of such algorithms, we have the algorithm of FATRAM [Ram78].The FATRAM (fault tree reduction algorithm) algorithm is a top-down algorithm similar to MOCUS. Gates to be resolved are selected in such a manner that computer core requirements are minimized. The steps of the algorithm are:

(1) Resolution begins with the TOP event. If the TOP event is an AND gate, all inputs are listed as one set; if it is an OR gate, the inputs are listed as separate sets.

(2) Iterate until all OR gates with gate inputs and all AND gates are resolved. OR gates with only basic event inputs are not resolved at this time.

(3) Remove any supersets12 that still exist.

(4) Process any repeated basic events remaining in the unresolved OR gates. For each repeated event do the following:

(a) The repeated event replaces all unresolved gates of which it is an input to form new sets.

(b) These new sets are added to the collection.

(c) This event is removed as an input from the appropriate gates.

(d) Supersets are removed.

(5) Resolve the remaining OR gates. All sets are minimal cut sets.

The FATRAM algorithm, as mentioned above, is a more compact, new version of the original MOCUS algorithm. The FATRAM algorithm can bring about an improvement over the MOCUS algorithm only in the case of the FT having primary OR operators. In the opposite case, it does not offer any improvement in terms of execution time.

Example 1 of applying the FATRAM algorithm to an FT

The minimal cut sets for the fault tree in Figure 4.2 are determined in this example. The FT contains two repeated events, B and C; thus, all steps of the algorithm are illustrated.

12 A cut set that is not minimal. (In the intermediate steps of the analysis it may contain gates.)

23


Figure 4.2: The FT for applying the FATRAM algorithm

(a) The TOP gate is an AND gate; thus we obtain {G1 ,G2} .

(b) Gate G1 is an AND gate; thus, by Rule 2, it is resolved first yielding:

{A ,G3 ,G2} .

(c) Both G3 and G2 are OR gates, but G3 has only basic event inputs. Therefore, G2 is resolved next (Rule 2) to yield:

{A ,G3 , B}

{A ,G3 , E }

{A ,G3 ,G4} .

(d) G4 is an AND gate and is the next gate to be resolved (Rule 2); we obtain:

{A ,G3 , B}

{A ,G3 , E }

{A ,G3 , D ,G5} .

(e) The gates that remain, G3 and G5, are both OR gates with only basic event inputs. No supersets (Rule 3) exist in step (d) so repeated events (Rule 4) are handled next. Consider basic event B which is input to gates G2 and G3. G2 has already been resolved but G3 has not. Everywhere G3 occurs in the sets it is replaced by B creating additional sets. This gives:

24


{A ,G3 , B}

{A ,G3 , E }

{A ,G3 , D ,G5}

{A , B , B}

{A , B , E}

{A , B , D ,G5} .

Within the set {A , B , B} the redundant B is removed to obtain {A , B} giving:

{A ,G3 , B}

{A ,G3 , E }

{A ,G3 , D ,G5}

{A , B}

{A , B , E}

{A , B , D ,G5} .

Gate G3 (Rule 4c) is altered by removing B as an input. Hence, G3 is now an OR gate with two basic event inputs, C and H.

(f) Supersets are deleted here (Rule 4d), which leaves:

{A ,G3 , E }

{A ,G3 , D ,G5}

{A , B} .

(g) Basic event C is also a repeated event, it is an input to G3 and G5. By Rule 4a replace G3 and G5 in the sets by C, creating additional sets to obtain

{A ,G3 , E }

{A ,G3 , D ,G5}

{A , B}

{A ,C ,E }

{A ,C ,D ,C } .

The set {A ,C ,D ,C } is reduced to {A ,C ,D} because of the redundant basic event

25


C. The gate definitions into which C is input are altered. Thus, G3 has only input H, and G5 has inputs F and G.

(h) Supersets are removed at this point (Rule 4d). Since none exists and all repeated events have been handled, proceed to Rule 5. This results in obtaining all of the minimal cut sets:

{A , H , E }

{A , H , D , F }

{A , H , D ,G}

{A , B}

{A ,C ,E }

{A ,C ,D} .

Example 2 of applying the FATRAM algorithm to an FT

Consider the fault tree given in Figure 4.1. The FT contains two repeated events, E and F; thus, all steps of the algorithm are illustrated in the following section.

(a) The TOP gate is an OR gate; thus we obtain:

{A}

{G1}

{B} .

(b) Gate G1 is an OR gate; thus, by Rule 2, it is resolved first yielding:

{A}

{G2}

{G3}

{B} .

(c) Gate G2 is an AND gate; Gate G3 is an OR gate; thus, by Rule 2, we obtain

{A}

{G4 ,G5}

{C }

{G6 }

26


{B} .

(d) Gate G4 is an OR gate and G5 is an AND gate, but G4 has only basic event inputs. Therefore, G4 is resolved next (Rule 2) to yield:

{A}

{G4 , F ,G}

{C }

{G6 }

{B} .

(e) Gate G6 is an AND gate and is the next gate to be resolved (Rule 2); we obtain

{A}

{G4 , F ,G}

{C }

{E , F }

{B} .

(f) The gate that remains, G4, is an OR gate with only basic event inputs. No supersets (Rule 3) exist in step (e) , so repeated events (Rule 4) are handled next. Consider basic event E which is input to gates G4 and G6. G6 has already been resolved but G4 has not. Everywhere G4 occurs in the sets, it is replaced by E creating additional sets. This gives:

{A}

{G4 , F ,G}

{C }

{E , F }

{B}

{E , F ,G} .

Gate G4 (Rule 4c) is altered by removing E as an input. Hence, G4 is now an OR gate with one basic input, D.

(g) Supersets are deleted here (Rule 4d), which leaves:

{A}

27


{G4 , F ,G}

{C }

{E , F }

{B} .

Thus, G4 has only input D.

(h) Since all repeated events have been handled, proceed to Rule 5. This results in obtaining all of the minimal cut sets:

{A}

{D, F ,G}

{C }

{E , F }

{B} .

4.3 Reduction of Comparisons in the MOCUS and FATRAM Algorithms

This section describes a new algorithm [Liz86] for reduction when repeated events appear in the fault tree. It improves the conventional MOCUS top-down algorithm to obtain all minimal cut sets faster. The improvement is based on reducing the number of set comparisons required to find the minimal cut sets.The reduction of the obtained cut sets is the most time-consuming task. For a given number n of cut sets, n!/[2 n−2!] operations of comparison at the maximum have to be performed. This number increases when the number of cut sets is considerable. The MOCUS algorithm applied to an FT not containing any repeated event, directly yields the minimal cut sets without reduction. In [Liz86] has been shown that the cut sets not containing any repeated event are minimal. The reduction is then solely limited to the cut sets containing repeated events. The steps of the algorithm are as follows:

(1) Obtain the cut sets K (e.g. MOCUS). If the fault tree contains no repeated events K Min=K . Go to step (5).

(2) Partition K into two subsets K 1 and K 2 by examining all the cut sets. Those containing at least one repeated event constitute K 1 and others, K 2 .

(3) Reduce the cut sets in K 1 to obtain K 1Min.

(4) Let K Min=K 1Min∪K2 .

28


(5) Each element of K Min is a minimal cut set.

Example 1 of applying the Reduction algorithm to an FT

Consider the FT in Figure 4.3. The MOCUS algorithm generates the following 9 cut set:

{A}, {B} ,{C }, {F }, {H }, {D , F } ,{D ,G }, {E ,G },{E ,F } .

Figure 4.3: The FT for applying the Reduction algorithm

For reducing these cut sets, 36 comparisons should be made. By resticting oneself solely to the cut sets containing the repeated event F, that is, the cut sets{F }, {D, F } and {E , F } , (the other cut sets already being minimal), we have to

carry out 3 comparisons. The minimal cut sets are:

{A}, {B} ,{C }, {F }, {H }, {D ,G}, {E ,G} .

For a better undestanding we can now compare how many reductions are required for applying the FATRAM algorithm to the fault tree of Figure 4.3.

1. {A , B ,G3G4 ,C ,G6 }

The reduction requires a maximal number of comparisons equal to 10.

29


2. {A , B ,G3G4 ,G6 ,F ,G5 ,F }

The reduction requires a maximal number of comparisons equal to 21 (or 6 if we proceed group by group).

3. {A , B , D.G , E.G , H ,C , F }

are the minimal cut sets.

Example 2 of applying the Reduction algorithm to an FT

The Reduction algorithm can be also combined with the FATRAM algorithm. In this example we will show how the combination with FATRAM can be performed. Consider the fault tree given in Figure 4.2. By FATRAM we obtain:

1. {A.G3.B , A.G3.E , A.G3.D.G5 }

Reduction on 3 cut sets. With the Reduction algorithm, no reduction.

2. {A.G3.B , A.G3.E , A.G3.D.G5 , A.B , A.B.E , A.B.D.G5}

Reduction on 6 cut sets. With the Reduction algorithm reduction on 4 cut sets.

3. {A.G3.E , A.G3.D.G5 , A.C.E , A.C.D }

Reduction on 5 cut sets. With the Reduction algorithm reduction on 3 cut sets.

In conclusion, the FATRAM algorithm obtains all the minimal cut sets after a maximal number of comparisons equal to 28, and FATRAM combined with the Reduction algorithm obtains all the minimal cut sets after a maximal number of comparisons equal to 9.

4.4 Binary Decision DiagramsIn recent years, new algorithms concerning fault trees were proposed designated under the term of binary decision diagrams (BDD). The algorithms based on the BDD are exceptionally rapid. They have made possible the treatment of difficult test cases in a very short space of time (some seconds) instead of very long time periods (some hours, even some days) even with the most efficient traditional algorithms (e.g. MOCUS algorithm).Nevertheless, it has to be noted that these algorithms have not altered the nature of the problem which still continues to be NP-complete. As a result, there can be cases that are difficult to solve, even with these algorithms. A binary decision diagram [Rau93] is a graph encoding Shannon's decomposition of a formula. BDDs have two important features: (1) the graphs are compacted by sharing equivalent subgraphs, and (2) the results of operations performed on BDDs are memorized and thus a job is never performed twice. These two features make BDDs one of the most efficient methods for Boolean formulae management.This concept however comprises a larger number of algorithms (see Figure 4.4) which

30


are essential for the computation of minimal cut sets by means of BDDs:

Figure 4.4: BDD Procedure Steps

Step (1) – Algorithm for ordering basic events (see Section 4.4.3)

This algorithm is used to find the best possible sequence of basic events in order to construct a compact BDD with a minimum number of nodes. The result of this algorithm is the obtained sequence of basic events.

Step (2) – Algorithm of a binary operation between two BDDs (see Section 4.4.4)

This algorithm is used to combine two BDDs representing two Boolean formulae by using a binary connective (e.g. and, or). The result of this algorithm is a new composed BDD.

Step (3) – Algorithm for the construction of the BDD from the FT (see Section 4.4.4)

31


This algorithm is used to transform a FT into a BDD. The result of this algorithm is a BDD obtained from the corresponding FT.

Step (4) – Algorithm for implementing the „\“-operator (see Section 4.4.4)

This algorithm is used to realize the „without“-operator between two BDDs so that all the paths included in a path of the second BDD will be removed from the first one. The result of this algorithm is a new BDD without the removed paths.

Step (5) – Algorithm for computing the BDD encoding the minimal solutions (see Section 4.4.4)

This algorithm is used to compute the BDD encoding the minimal solutions according to the theorem of the characterization of minimal solutions. The result of this algorithm is a new BDD containing only the set of paths from the root to leaf 1 encoding minimal solutions.

Step (6) – Algorithm for computing solutions defined by a BDD(see Section 4.4.4)

This algorithm is used to compute solutions defined by paths from the root of a BDD to leaf 1. The result of this algorithm is a set of solutions so that each solution in turn is a set of nodes defining a path from the root of the BDD to leaf 1.

Step (7) – Algorithm for computing the probability of the root event (see Section 4.4.4)

This algorithm is used to compute the probability of the root event if the probabilities of the terminal events are known. The result of this algorithm is the probability of the root event.

32


4.4.1 Shannon's Decomposition

Definition. Let X={x1,... , xn} be a set of Boolean variables. An assignment of Xis a mapping from X into {0,1} .

Theorem (Shannon's decomposition). Let f be a Boolean function on X , andx be a variable of X then f =x∧ f {x=1}∨¬x∧ f {x=0 } , where f evaluated

in x=v is denoted by f {x=v} .

In order to make the notations correspond with the intuitive notion of binary tree induced by the Shannon's decomposition of a function, we introduce the ite (If-Then-Else) connective:

Definition. ite F ,G , H =F∧G∨¬F∧H

Each node in the BDD can be written as an ite format which represents an ordered triple with a variable, a pointer to the one-branch and a pointer to the zero-branch. Thus, ite A , f 1, f 2 can be interpreted as:

if A

then consider function f 1

else consider function f 2 .

The usual operations between the Boolean functions can be carried out with the help of this operation. For example:

F=ite F ,1,0

G=iteF ,G ,G

F∧G=ite F ,G ,0

F∨G=ite F ,1,G .

Definition. Let F be a Boolean formula. F is said to be in Shannon's form if either it is a constant or it is in the form ite x ,G , H where x is a variable andG and H are formulae in Shannon's form in which x does not occur.

Property. For any formula F a formula G exists in Shannon's form equivalent toF .

Example 1 of applying the Shannon's form

33


a∨c ∧b∨c =a∧1∨c ∧b∨c ∨¬a∧0∨c∧b∨c

=a∧1∧b∨c∨¬a∧c∧b∨c=a∧b∨c ∨¬a∧c

=a∧b∧1∨c∨¬b∧0∨c ∨¬a∧c=a∧b∧1∨¬b∧c∨¬a∧c

=a∧b∨¬b∧c ∨¬a∧c =a∧b∨¬b∧c∧1∨¬c∧0 ∨¬a∧c∧1∨¬c∨0

=ite a , ite b ,1, ite c ,1,0 , ite c ,1,0

The BDD associated with the formula

a∨c ∧b∨c =itea ,ite b ,1,ite c ,1, 0 , ite c ,1,0

is shown in Figure 4.5.

Figure 4.5: The BDD associated with a∨c ∧b∨c

4.4.2 Directed Acyclic Graph

Definition. Let < be a total order on variables. A binary decision diagram (BDD) is a directed acyclic graph (DAG). A BDD has two leaves: 0 and 1 encoding the two corresponding constant functions. Each internal node encodes an ite connective, i.e., it is labelled with a variable x and has two out-edges. These two edges are called 0-edge and 1-edge. An internal node descendant from a node labelled by a variable x is labelled by a variable y such that x < y.

A BDD is illustrated in Figure 4.6. The diagram is entered at the root vertex. Each vertex or node represents a basic event from the fault tree and has two exit branches below it. If the event occurs then the node is left on the 1 branch. For the non-occurrence of the basic event the node is left on the 0 branch.

34


When the set of component conditions is such that the top event is determined then a terminal-one node or a terminal-zero node occurs. A terminal-one vertex indicates top event occurrence and a terminal-zero vertex is the top event non-occurence. This encodes the structure function of the fault tree. The entire BDD in Figure 4.6 can be expressed using the following notation (see Shannon's decomposition) as:

ite A ,1, iteB , ite C ,1,0 ,0 .

Figure 4.6: Binary Decision Diagram Structure

Cut sets are combinations of component failures which cause the top event. On the BDD these can be tracked as component failure events which lead to a terminal-one vertex. So the BDD in Figure 4.6 has CSs {A} and {B ,C } . In this case the CSs are minimal. However the significant advantage to transforming the FT to the BDD form is gained when quantifying the top event probability and failure itensity. These can be obtained directly from the BDD without need to produce a list of the minimal cut sets as an intermediate stage or resort to approximations.

4.4.3 Priority Ordering Method of Basic Events Before converting the fault tree into a BDD, the ordering sequence of basic events in the fault tree must be determined first. The sequence of the basic events can directly influence the size of a BDD. If the ordering schemes are different, the same fault tree can be converted into different BDDs. In general, the smaller the BDD is, the less computation time is required.In practical systems the relationship between the basic events in a fault tree is quite complex. Hence, when ordering basic events, it is necessary to consider multiple factors to obtain the optimal result. Specifically, factors such as the number of layers, repeated events, and neighboring events and the number of basic events are considered and prioritized by the priority ordering method [Hul11].

(1) Priority 1: number of layers. The higher the layer where the basic event resides, the greater the effect it has on the top event. Therefore, when ordering basic events, the number of layers can be treated as the primary

35


factor, and the subtree with less number of layers has a higher priority.

(2)Priority 2: repeated events. The same basic events can appear in many different subtrees and may have an effect on these subtrees and other basic events. When calculating the influence of the basic events on the top event, repeated events can have a cumulative effect on it and may have a greater effect than that of the nonrepeated basic events on the same layer of a fault tree. However, repeated events are only considered from the basic event aspect and treated as more than one basic event. In contrast to this, the number of layers is considered from the subtree aspect. Therefore, a repeated event is less important than the number of layers and thus can be considered as the secondary factor when ordering the basic events. The event with larger number of repetition is assigned with a higher priority.

(3)Priority 3: neighboring events. When a basic event or gate event fails, its neighborhood will be influenced first. The neighbouring event of the ordered event has only a great influence on the basic events whereas its influence on the top event may be much lower. Therefore, it is treated as the third factor, and the neighboring event of an ordered event has a higher priority.

(4)Priority 4: number of basic events. The number of basic events does not mean to regard the basic events of the whole subtree, but rather the basic events under the same gate at the same layer. If there are fewer basic events in the subtree, its influence on the top event may be greater than those with more basic events. The factor is also considered from the basic events point of view and may have less effect on the top event than the first three factors. As a result, it is considered as the fourth factor, and the subtree with fewer numbers of basic events has a higher priority.

(5) Priority 5: from left to right. If the previously mentioned factors are not applicable, the left-right scheme can be adopted to order the basic events.

Example 1 of applying the priority ordering method

For a better understanding of this approach, the FT shown in Figure 4.7 is given as an example to illustrate the priority ordering method.Before the application of the priority ordering method, the fault tree should be simplified because the child events of G8 contain the basic event C and the brother events of G8 also contain C. Hence, the whole gate event of G8 is deleted on the basis of the absorption law of the Boolean algebra:

F∨D∨C ∧C∧G=C∧G .

G6 is an AND gate, and its child event G9 is also an AND gate. G9 is hence deleted. Its subevents B and I are moved up and become the child events of G6 on the basis of the exchange law of the Boolean algebra:

D∧B∧I =D∧B∧I .

36


Figure 4.7: A FT used to illustrate priority ordering method

Figure 4.8 shows the simplified fault tree model.

Figure 4.8: The simplified FT of the fault tree in Figure 4.7

The specific steps to order the basic events of the simplified fault tree using the priority ordering method are as follows:

(1) In this FT, the child event of the top event only has one basic event. We therefore chose the basic event and obtain the first order, φ1={A} .

37


(2)G1 and G2 are two brother gate events of A. Comparing their sizes, G2 only has two layers whereas G1 has three. Therefore, G2 is smaller and ordered first.

(3)The child events of G2 contain two gate events, G5 and G6. By comparing, one can find that both of the two gate events only have one layer, which cannot be compared in accordance with Priority 1. Then through Priority 2, one can find that both of the two gate events contain the repeated event I; hence, this priority also does not work. Next, use Priority 3, that is, the neighbor first ordering principle, to compare G5 and G6. Since neither has the basic event that has already been ordered, Priority 3 is not applicable either. Then in accordance with Priority 4, G5 has two child events and G6 has three; G5 is ordered first accordingly. The child event I in G5 is a repeated event and has a higher priority. The sequence φ2={I , H } is hence obtained. Then order G6; the repeated event I is ordered first. The remaining basic events D and B are ordered according to Priority 5, from left to right. This results in the sequenceφ3={I , D ,B } .

(4)Next, choosing from the remaining brother gate events of G2, we have G1. Its child events has two gate events G3 and G4. G3 has two layers and G4 only has one. On the basis of Priority 1, G4 takes the priority, and this results in the sequence φ4={C ,G} . Gate event G3 has one gate event and two basic events. Choose the basic events and order them with Priority 5, from left to right. This results in the sequence φ5={E , F } . Then order the gate event. Because all the child events of G7 have been already ordered, the ordering is complete.

Finally, the sequence of basic events is shown as follows (in the formula, „ A I 13“ means A is ordered before I).

A IHDBCGEF

Then through the Shannon's decomposition, the BDD is generated using the previous order, as shown in Figure 4.9.

13 We say that A is smaller than I (A < I) if A comes before I in the variable order, i.e., higher up in the BDD

38


Figure 4.9: The BDD generated using the order obtained from priority ordering method

Example 2 of applying the priority ordering method

Consider the fault tree given in Figure 4.1. Before the application of the priority ordering method, the FT should be simplified because the gate G2 is an AND gate, and its child event G5 is also an AND gate. G5 is hence deleted. Its subevents F and G are moved up and become the child events of G2 on the basis of the exchange law of the Boolean algebra:

D∨E ∧F∧G =D∨E∧F∧G

Figure 4.10 shows the simplified fault tree model.

39


Figure 4.10: The simplified FT of the tree in Figure 4.1

The specific steps to order the basic events of the simplified fault tree using the priority ordering method are as follows:

(1) In this fault tree, the child event of the top event has two basic events. We therefore chose the basic events and obtain the first order, φ1={A , B} .

(2)G1 is only one brother gate event of A and B, and therefore will be ordered first.

(3)The child events of G1 contain two gate events, G2 and G3. By comparing, one can find that both of the two gate events have two layers, which cannot be compared in accordance with Priority 1. Then through the Priority 2, one can find that unlike G3, G2 contains the repeated event F. G2 is ordered first accordingly. The child event F in G2 is a repeated event and has a higher priority. The sequence φ2={F ,G} is hence obtained. Then order the gate event G4. The child event E in G4 is a repeated event and has a higher priority. The sequence φ3={E ,D}is hence obtained.

(4)Next, choosing from the remaining brother gate events of G2, we have G3. G3 contains only one basic event. This results in the sequenceφ4={C } . Then order the gate event G6. Because all the child events

of G6 have been already ordered, the ordering is complete.

40


Finally, the sequence of basic events is shown as follows

ABFGEDC .

Then through the Shannon's decomposition, the BDD should be generated using the order identified above. The concrete algorithm of how the BDD can be generated from the given fault tree (see Figure 4.10) considering the determined order of the basic events, will be presented next.

4.4.4 BDD Algorithms in Fault Tree Analysis In Section 4.4.3 we presented an efficient method of how the ordering sequence of the basic events in a fault tree can be obtained. This technique is a very important step of transforming a fault tree into a binary decision diagram due to the fact that, if the ordering of the basic events is not chosen suitably, the size of the final BDD can grow exponentially. After obtaining the order of the basic events, the BDD Algorithms can be applied to compute MCSs of the BDD converted from the corresponding fault tree. These algorithms can be classified as follows:

– Algorithm of a binary operation between two BDDs

– Algorithm for the construction of the BDD from the FT

– Algorithm for implementing the „\“- operator

– Algorithm for computing the BDD encoding the minimal solutions

– Algorithm for computing solutions defined by a BDD

– Algorithm for computing the probability of the root event if the probabilities of the terminal events are given

Algorithm of a binary operation between two BDDs

Property (Logical operations on BDDs). Let x and y be two variables (x < y), let G1, G2, H1, H2 be four formulae and let be ◊ any binary connective (and, or), then the following equalities hold:

ite(x, G1, G2) ◊ ite(x, H1, H2) = ite(x, G1 ◊ H1, G2 ◊ H2)ite(x, G1, G2) ◊ ite(y, H1, H2) = ite(x, G1 ◊ ite(y, H1, H2), G2 ◊ ite(y, H1, H2))

Assume that we have built the two BDDs G = ite(a, 1, ite(c, 1, 0)) and H = ite(b, 1, ite(c, 1, 0)) encoding respectively the subformulae a∨c and b∨c of the formula of example . Now, in order to compute the BDD associated with the formula itself, we need to compute G∧H .

41


G∧H=ite a ,1∧iteb ,1,ite c ,1, 0 ,ite c ,1, 0∧iteb ,1,ite c ,1, 0=ite a , iteb ,1,ite c ,1, 0 ,ite c ,1, 0∧ite b ,1, itec ,1, 0

=ite a , ite b ,1, ite c ,1, 0 , ite b ,1∧ite c ,1, 0 , itec ,1, 0∧ite c ,1, 0=ite a , ite b ,1, ite c ,1,0 , iteb , ite c ,1,0 ,ite c ,1, 0

=ite a ,ite b ,1,ite c ,1, 0 , ite c ,1,0

These two equalities suggest clearly a recursive procedure [Rau93] (see Figure 4.11).

computation (op, F, G) =

if ((F=0) or (F=1) or (G=0) or (G=1))

return op(F, G) /* call to the truth table of op */

else if (computation-table has enty {<op, F, G>, R })

return R

else let x be the least14 variable of F and G

U computation(op, F← {x=1}, G{x=1})

V computation(op, F← {x=0}, G{x=0})

if (U = V)

return U

else

R find-or-add-ite-table(x, U, V)← insert-in-computation-table ({ <op, F, G>, R })

return R

Figure 4.11: Algorithm of a binary operation between two BDDs

To compute programmatically the BDD associated with G∧H , let us apply the algorithm in Figure 4.11.computation(and, ite(a, 1, ite(c, 1, 0)), ite(b, 1, ite(c, 1, 0)) =

/* let a be the least variable of F and G – that means a < b < c */U1 = computation(and, ite(1, 1, ite(c, 1, 0)), ite(b, 1, ite(c, 1, 0))) =

computation(and, 1, ite(b, 1, ite(c, 1, 0))) = ite(b, 1, ite(c, 1, 0))V1 = computation(and, ite(0, 1, ite(c, 1, 0)), ite(b, 1, ite(c, 1, 0))) =

computation(and, ite(c, 1, 0), ite(b, 1, ite(c, 1, 0)))/* let b be the least variable of F and G */UV1 = computation(and, ite(c, 1, 0), ite(1, 1, ite(c, 1, 0))) =

computation(and, ite(c, 1, 0), 1) = ite(c, 1, 0)VV1 = computation(and, ite(c, 1, 0), ite(0, 1, ite(c, 1, 0))) =

computation(and, ite(c, 1, 0), ite(c, 1, 0)) = /* let c be the least variable of F and G */UVV1 = computation(and, ite(1, 1, 0), ite(1, 1, 0))) =

computation(and, 1, 1) = 1VVV1 = computation(and, ite(0, 1, 0), ite(0, 1, 0)) =

14 At this point, we make use of the ordering sequence obtained according to Section 4.4.3 and select the smallest variable from it

42


computation(and, 0, 0) = 0thus, VV1 = ite(c, 1, 0)

thus, V1 = ite(c, 1, 0)thus, the result is ite(a, ite(b, 1, ite(c, 1, 0)), ite(c, 1, 0)).

Algorithm for the construction of the BDD from the FT

In this section we present an algorithm for the construction of the BDD from the FT [Lim07].

ft-to-bdd (node) =

if (node is a basic event)

return ite(node, 1, 0)

else /* node is an operator node/intermediate node */

op the operator associated with node← j first child of node← R ft-to-bdd(j)← for (for all the threads i of node and i ≠ j)

F ft-to-bdd(i)← R computation(op, R, F)← end for

return R

Figure 4.12: Algorithm for the construction of the BDD from the FT

Let us consider the Boolean formula a∨c ∧b∨c . To compute programmatically the BDD from the FT (see Figure 4.13) corresponding to this formula, we perform the following steps:

Figure 4.13: The FT for applying the FT-to-BDD Algorithm

43


ft-to-bdd (Top) = OP1 = andJ1 = G1R1 = ft-to-bdd(J1) = ft-to-bdd(G1) =

OP11 = orJ11 = AR11 = ft-to-bdd(J11) = ft-to-bdd(A) = ite(A, 1, 0)

/* next node of G1 */I11 = CF11 = ft-to-bdd(I11) = ft-to-bdd(C) = ite(C, 1, 0)R11 = computation(OP11, R11, F11) =

computation(or, ite(A, 1, 0), ite(C, 1, 0))/* let A be the least variable of formulae F and G */U1 = computation(or, ite(1, 1, 0), ite(C, 1, 0)) =

computation(or, 1, ite(C, 1, 0)) = 1V1 = computation(or, ite(0, 1, 0), ite(C, 1, 0)) =

computation(or, 0, ite(C, 1, 0)) = ite(C, 1, 0)thus, R11 = ite(A, 1, ite(C, 1, 0)

thus, R1 = ite(A, 1, ite(C, 1, 0)/* next node of Top Event */I1 = G2F1 = ft-to-bdd(I1) = ft-to-bdd(G2) =

OP12 = orJ12 = BR12 = ft-to-bdd(J12) = ft-to-bdd(B) = ite(B, 1, 0)/* next node of G2 */I12 = CF12 = ft-to-bdd(I12) = ft-to-bdd(C) = ite(C, 1, 0)R12 = computation(OP12, R12, F12) =

computation(or, ite(B, 1, 0), ite(C, 1, 0)) =/* let B be the least variable of formulae F and G */U2 = computation(or, ite(1, 1, 0), ite(C, 1, 0)) =

computation(or, 1, ite(C, 1, 0)) = 1V2 = computation(or, ite(0, 1, 0), ite(C, 1, 0)) =

computation(or, 0, ite(C, 1, 0)) = ite(C, 1, 0)thus, R12 = ite(B, 1, ite(C, 1, 0)

thus, F1 = ite(B, 1, ite(C, 1, 0))R1 = computation(OP1, R1, F1) =

computation(and, ite(A, 1, ite(C, 1, 0)), ite(B, 1, ite(C, 1, 0))/* compare the result from the example of the computation algorithm */thus, R1 = ite(A, ite(B, 1, ite(C, 1, 0)), ite(C, 1, 0))

thus, the result is ite(A, ite(B, 1, ite(C, 1, 0)), ite(C, 1, 0)).

Algorithm for implementing the „\“- operator

Theorem (Characterization of the minimal solutions). Let F=ite(x, G, H) be a monotonic Boolean formula in Shannon's form. Then, the following equality holds:

Solmin F ={σ │σ=δ∪{x }∧δ∈Solmin G ∧δ H =0}∪SolminH

By means of the described theorem, the minimal solutions of the BDD: ite((a, ite((b, 1,

44


ite(c, 1, 0)), ite(c, 1, 0)) are: the minimal solutions of the BDD ite(c, 1, 0) – i.e., {c} – the minimal solutions of the BDD ite(b, 1, ite(c, 1, 0)) – i.e., {b} and {c} – that are not solutions of the BDD ite(c, 1, 0) – i.e., {b} – augmented of a – i.e., {a, b}. Finally, we have:

Solmin(ite(a, ite(b, 1, ite(c, 1, 0)), ite(c, 1, 0))) = {{a, b}, {c}}.

This theorem suggests a recursive algorithm in order to compute the BDD Fmin encoding the minimal solutions of F. It consists in computing Gmin and Hmin encoding the minimal solutions of G and H, then removing from Gmin all the paths included in a path of H and finally composing the two obtained BDDs with x in order to obtain Fmin. Therefore, we define a new remove operation, the without operator denoted by „\“.

Corollary. Let F = ite(x, F1, F2) and G = ite(x, G1, G2) be two BDDs such that G encodes a monotonic function. Then, F \ G = ite(x, F1 \ G1, F2 \ G2).

The following algorithm presented by [Rau93] demonstrates the realization of the „\“-operator.

without (F, G) =

if (F=0) return 0

else if (G=1) return 0

else if (G=0) return F

else if (F=1) return 1

else if (computation-table has entry {<without, F, G>, R })

return R

else /* F = ite (x, F1, F2) */

/* G = ite (y, G1, G2) */

if (x < y)

U without(F1, G)← V without(F2, G)← R find-or-add-ite-table (x, U, V)← insert-in-computation-table (<without, F, G>, R)

return R

else if (x > y)

return without(F, G2)

else /* x = y */

U without (F1, G1)← V without (F2, G2)← R find-or-add-ite-table (x, U, V)← insert-in-computation-table (<without, F, G>, R)

return R

45


Figure 4.14: Algorithm for computing F\G

Algorithm for computing minimal solutions

The theorem about the characterization of the minimal solutions and the subsequent definition of the „\“-operator allow the description of an algorithm which computes the BDD encoding the minimal solutions of a monotonic Boolean function from the BDD encoding this function. minsol (F) =

if ((F = 0) or (F = 1)) return F

else if (computation-table has entry {<minsol, F, _>, R })

return R

else /* F = ite(x, G, H) */

K minsol(G)← U without(K, H) /* H is monotonic */← V minsol(H)← R find-or-add-ite-table(x, U, V)← insert-in-computation-table ({<minsol, F, _ >}, R})

return R

Figure 4.15: Algorithm for computing minimal solutions

Algorithm for computing solutions defined by a BDD

Property (Solutions defined by the paths in a BDD). Let ƒ be a Boolean function encoded by the BDD F and let σ be a solution of ƒ, then a path exists from the root of F to leaf 1 which defines a solution δ of ƒ such that δ is included in σ.

Corollary. If σ is a minimal solution of ƒ, then there exists only one path from the root of F to leaf 1 defining σ.

The algorithm for computing solutions defined by a BDD can be realized as following:

solutions (F, σ) =

if (F = 0) return ∅

else if (F=1) return {σ}

else /* F = ite(x, F1, F2) */

S solutions(F1, ← σ + {x}) /* σ{x}≡σ∪{x } */

T solutions(F2, ← σ)

46


return S + T /* ST≡S∪T */

Figure 4.16: Algorithm for computing solutions defined by a BDD

Example of applying the algorithm for computing minimal solutions

Let us apply the algorithm on ite a , ite b ,1, itec ,1,0 ,ite c ,1,0 minsol(ite(a, ite(b, 1, ite(c, 1, 0)), ite(c, 1, 0))) =

K1 = minsol(ite(b, 1, ite(c, 1, 0)) K11 = minsol(1) = 1U11 = without(1, ite(c, 1, 0)) = 1V11 = minsol(ite(c, 1, 0)) =

KV11 = minsol(1) = 1UV11 = without(1, 0) = 1VV11 = minsol(0) = 0

thus, V11 = ite(c, 1, 0)thus, K1 = ite(b, 1, ite(c, 1, 0))U1 = without(K1, ite(c, 1, 0)) = without(ite(b, 1, ite(c, 1, 0)), ite(c, 1, 0)) =

U12 = without(1, ite(c, 1, 0) = 1 /* b < c – first case */V12 = without(ite(c, 1, 0), ite(c, 1, 0))

UV12 = without(1, 1) = 0 /* c = c – third case */ VV12 = without(0, 0) = 0

thus, V12 = 0thus, U1 = ite(b, 1, 0)V1 = minsol(ite(c, 1, 0)) = V11 = ite(c, 1, 0) /* memorization of results */

thus, the result is ite(a, ite(b, 1, 0), ite(c, 1, 0)).

It is now easy to verify that the solutions of this BDD obtained by the procedure in Figure 4.16 are {a, b} and {c}, i.e., the minimal solutions of the considered formula:solutions(ite(a, ite(b, 1, 0), ite(c, 1, 0)), { }) =

S1 = solutions(ite(b, 1, 0), { } + {a}) =SS1 = solutions(1, {a} + {b}) = {{a, b}}TS1 = solutions(0, {a}) = ∅

thus, S1 = SS1 + TS1 = {{a, b}}T1 = solutions(ite(c, 1, 0), { }) =

ST1 = solutions(1, { } + {c}) = {{c}}TT1 = solutions(0, { }) = ∅

thus, T1 = ST1 + TT1 = {{c}}thus, the result is S1 + T1 = {{a, b}} + {{c}} = {{a, b}, {c}}.

Algorithm for computing p(F)

Theorem (Shannon's decomposition 2). Let ƒ be a function and x a variable occurring in ƒ, then the following equality holds:

p f = p x=1∗p f {x=1} px=0∗p f {x=0}

probability (F) = if (F = 0) return 0 else if (F = 1) return 1

47


else if (computation-table has entry { <probability, F, _>, R }) return R else /* F = ite(x, G, H) */ R p(x) * probability(G) + (1 – p(x)) * probability(H)← insert-in-computation-table({<probability, F, _>, R }) return R

Figure 4.17: Algorithm for computing p(F)

4.4.5 Algorithmic ComplexityThe complexity of a BDD [Lim07] is measured by its size, that is, by the number of the vertices contained in it. The size of a tree developed by Shannon representing a Boolean function of n variables, is

202122...2n=2n1−1 .

The maximum size of a reduced Shannon tree or BDD representing a Boolean function of n variables is given by

2n

n2ε

with ε≃3.125 . This boundary [Lia92] was obtained by considering uniquely the reductions due to the equivalent vertices.The introduction of BDD based methods has deeply impacted the framework of fault tree assessment algorithms. In most of cases, they outperform the other methods. However, BDDs also are subject to combinatorial explosion. For very large models [Rau03] considering a big number of

– basic events > 1300

– gate variables > 2500

– replicated events15 > 850

– singular input variables16 > 250

the BDD that encodes the model might be not computable within a reasonable amount of time and computer memory. The difficulty is that, conversely to MOCUS-like algorithms, the BDD technology does not easily support approximations. Therefore, BDD might be unable to provide any result, which is indeed unacceptable. Rauzy [Rau03] shows according to the experimental results obtained on the benchmark after carrying out several improvements on MOCUS and describing an efficient implementation of it that, in contrast to the BDD method, the MOCUS algorithm represents an efficient alternative algorithm supporting approximations for very large fault tree models as mentioned above.

15 A variable is replicated if it occurs more than once in the set of equations16 A variable is singular if there is only 1 path that goes from the variable to the top event

48

5 Importance Measures for Quantitative Analysis of Fault Trees


The quantitative results of the fault tree evaluation include different importance factors such as Fussel-Vesely importance, risk achievement worth, risk reduction worth, Birnbaum importance, criticality importance. The various importance measures are based on different interpretations of the concept of component importance. In general, the importance of a component within a system depends on the location of the component in the system, on the reliability of the component, and the reliability of the system. The importance measures can be quantified for each of the basic events, if the interest about the specific component is important.In our case, we consider a system as an AVPP and each power plant as a component in terms of the reliability assessment. This assumption makes it possible to compute the specific importance measures, so that each of these importance measures can function as a partition safety metric described in Section 2.2. For finalizing the decision about which of these measures will be used as a partition safety metric, an evaluation and the subsequent comparison of the experimental results which must be obtained on the benchmark are required. Although this kind of evaluation can be proceeded only after implementing and integrating the computation of the importance measures into the decentralised multi-agent set partitioning algorithm, it must be emphasized that the criticality importance fits very well with the definition of the partition safety metric presented in Section 2.2. As our purpose in this paper is to provide a mechanism for analyzing the impact on the power delivery of an AVPP in that moment when a power plant belonging to the specific AVPP gets the opportunity to leave it and to join another one, the criticality importance can fully reflect this insight due to the fact that the rate of change in the top event probability can be seen as an indicator parameter whether both AVPPs, the old and the new one, are able or not to meet the demand for power supply and ensure the system stability.

5.1 Risk Achievement WorthThe risk achievement worth for a basic event shows the increase in the probability of the top event that would be obtained if the lower-level event, e.g., the failure of a component modeled in the basic event, would occur.

RAW k=PTOP P k=1

PTOP

where RAW k is the risk achievment worth for component modeled in basic event k , PTOP P k=1 is the top event probability when failure probability of component

modeled in basic event k is set to 1, and PTOP is the top event probability.

5.2 Risk Reduction WorthThe risk reduction worth for a basic event shows the decrease in the probability of the top event that would be obtained if the lower-level event, e.g., the failure of a component modeled in the basic event, did not occur.

49


RRW k=PTOP

PTOP P k=0

where PTOP is the top event probability, PTOP P k=0 is the top event probability when failure probability of component modeled in basic event k is set to 0, and RRW k is the risk reduction worth for component modeled in basic event k .

5.3 Fussel-Vesely ImportanceFussel-Vesely importance shows the contribution of a given event to the top event probability. It provides a numerical significance of all the events as parts of the fault tree and allows them to be prioritized.

FV k=1−PTOP P k=0

PTOP=1− 1

RRW k

where FV k is the Fussel-Vesely importance for component modeled in basic event k , PTOP is the top event probability, PTOP P k=0 is the top event probability

when failure probability of component modeled in basic event k is set to 0, and RRW k is the risk reduction worth for component k .

5.4 Birnbaum ImportanceThe Birnbaum importance represents the rate of change in the top event probability as a result of the change in the probability of a given event. The Birnbaum importance can be calculated by first calculating the top event probability with the probability if the given event set to 1 and then subtracting the top event probability with the probability of the given event set to 0.

Bk=PTOP P k=1−PTOP P k=0

where PTOP P k=1 is the top event probability when failure probability of component modeled in basic event k is set to 1, and PTOP P k=0 is the top event probability when failure probability of component modeled in basic event k is set to 0.

5.5 Criticality ImportanceThe criticality importance represents the rate of change in the top event probability as a result of the change in the probability of a given event relatively to the top event probability and failure probability of component modeled in basic event k.

C k=PTOP P k=1−PTOP P k=0

PTOPP k

where PTOP P k=1 is the top event probability when failure probability of component modeled in basic event k is set to 1, PTOP Pk=0 is the top event

50


probability when failure probability of component modeled in basic event k is set to 0, PTOP is the top event probability, and Pk is the failure probability of component k .

51

6 Conclusions

6 ConclusionsIn this paper we provided an approach of how fault tree analysis suited for assessing the reliability of systems with a static structure can be applied to assess a dynamic structure of AVPPs. For this approach we introduced a new metric – partition safety metric – with the goal to provide a more reliable and precise assessment of AVPPs within the EnergyGrid in terms of answering the question whether a specific AVPP is capable of meeting the demand for power delivery when the structuring process of the power plant landscape into AVPPs has not been completed at that point of time and the decentralised multi-agent set partitioning algorithm is still looking for an optimal partitioning of the power plant landscape. Thus, for calculating this kind of metric at runtime the fault tree analysis has to be performed in an efficient way.

We presented the most common algorithms of the qualitative fault tree evaluation for computing minimal cut sets from a specific fault tree which will serve as a basis for calculating the importance measures during the quantitative fault tree analysis. Each of the presented algorithms fits in with the requirements of the EnergyGrid providing an enormous speed of calculation of minimal cut sets. MOCUS and FATRAM can be implemented more rapidly than Binary Decision Diagrams due to its extensive theory of how Boolean formulae can be managed efficiently in terms of programming techniques and how the subsequent evaluation of Boolean formulae has to be performed. But once the required mechanism is realised, Binary Decision Diagrams can be used as an efficient algorithm for evaluating Boolean formulae exceptionally rapidly as long as no kind of approximations for very large fault tree models is required.

We also discussed the problems of the fault tree construction which arise when we try to include weather dependent power plants into the realibility assessment of a specific AVPP, i.e., into the analysis of an AVPP whether it can meet the demand for power supply or not. On the basis of the modeled fault tree for the EnergyGrid which comprises different types of weather dependent power plants we have seen that for an accurate reliability assessment as many power plants as possible must be included for a precise analysis. This means that we have to deal with a very complex system with different types of common cause failures which can be evaluated either by the Basic Parameter Method or the Multiple Greek Letter Method or the Alpha Factor Method. Whereas the Multiple Greek Letter Method and the Alpha Factor Method provide a very accurate analysis of common cause failures, the Basic Parameter Method yields more approximated results of failure probabilities for power plants in a common cause group. Both approaches fit in to the same extent with the requirements of the EnergyGrid because the former is precise but more complicated to compute whereas the latter is less precise but easier to perform.

Moreover, we explained the concept of component importance used as the basis for drawing conclusions about the safety behaviour of a concrete power plant during the quantitative fault tree evaluation. Each of the described importance measures represents a mathematical equation which can be applied for computing the partition safety metric to indicate wheather the failure of the specific power plant in terms of the credibility and reliability aspects of the EnergyGrid does have an impact on the operability of the specific AVPP to meet the demand for power delivery or not. We also emphasized that the most suitable importance measure for computing the partition safety metric is the Criticality Importance due to the fact that it reflects the rate of change in the safety behaviour of the specific AVPP when on the one hand a power plant is considered as an inherent part of the AVPP and on the other hand the same power plant is considered as not being part of it.

52

6 Conclusions

Consequently, for an efficient and at the same time simplified application of fault tree analysis within the EnergyGrid we propose to implement the MOCUS algorithm in combination with the Basic Parameter Method and the Criticality Importance in order to establish primarily a technical and infrastructural basis for computing the introduced metric by means of the EnergyGrid. After obtaining the first results on the benchmark, it would be possible to give evidence whether the new metric does have a negative impact on the execution speed of the decentralised multi-agent set partitioning algorithm. If so, the computation of the partition safety metric could be speeded up by optimising the fault tree evaluation, e.g. by replacing the MOCUS algorithm with FATRAM or Binary Decision Diagrams. The same also applies to the Basic Parameter Method and the Criticality Importance in the event that these methods would yield unsatisfactory results.

In summary, it can be said that we provided a comprehensive overview of how a high-quality fault tree analysis can be performed for the EnergyGrid, and at the same time a good basis for the subsequent implementation and integration of it into the EnergyGrid.

53

References

References

And03 Andrews, J.D.: An Analysis Strategy for Large Fault Trees. Proceedings of the 21st International System Safety Conference, 2003

Ase10 Anders, Gerrit; Siefert, Florian; Steghöfer, Jan-Philipp; Seebach, Hella; Nafz, Florian; Reif, Wolfgang: Structuring and Controlling Distributed Power Sources by Autonomous Virtual Power Plants. Proceedings of the IEEE Power and Energy Student Summit, 2010

Ben76 Bengiamin, Nagy. N.; Bowen, B. Archie; Schenk, Kurt F.: An Efficient Algorithm for Reducing the Complexity of Computation in Fault Tree Analysis. IEEE Transactions on Nuclear Science, Vol. NS-23, No.5, 1976

Cep11 Cepin, Marko: Assessment of Power System Reliability – Methods and Applications. Springer-Verlag, 2011

Dus07 Du, SG; Sun, Y: A novel ordering method of binary decision diagram. International Conference on Management Science and Engineering, 2007

Fuv72 Fussell, J. B.; Vesely, W.E.: A new methodology for obtaining cut sets for fault trees. Trans. Amer. Nucl. Soc., Vol. 15, 1972

Hul11 Huang, Hong-Zhong; Zhang, Hua; Li, Yanfeg: A New Ordering Method of Basic Events in Fault Tree Analysis. Quality and Reliability Engineering International, 28, 297 -305, 2012

Iea92 International Atomic Energy Agency: Procedures for conducting common cause failure analysis in probabilistic safety assessment. IAEA-TECDOC-648, 1992

Kep11 Kancev, Dusko; Cepin, Marko: Common Cause Failures: Explicit Modeling of Single Failure Event within different Common Cause Groups. Nuclear Energy for New Europe, 20th International Conference, 2011

Lia92 Liaw, Heh-Tyan; Lin, Chen-Shang: On the OBDD-Representation of General Boolean Functions. IEEE Transactions on Computers, Vol. 41, No. 6, 1992

Lim07 Limnios, Nikolaos: Fault Trees. ISTE, 2007

Liz86 Limnios, N.; Ziani, R.: An Algorithm For Reducing Cut Sets in Fault-Tree Analysis. IEEE Transactions on Reliability, Vol. R-35, No.5, 1986

54

References

Pil89 Mosleh, A.; Fleming, K.; Parry G.; Worledge D.; Rasmuson D.: Procedures for Treating Common Cause Failures in Safety and Reliability Studies. NUREG/CR-4780 EPRI NP-5613, Vol.1, 1989

Ram78 Rasmuson, D. M.; Marshall N.H.: FATRAM – A Core Efficient Cut Set Algorithm. IEEE Transactions on Reliability, Vol. R-35, No.5, 1978

Ran06 Remenyte, R.; Andrews, J. D.: Qualitative analysis of complex modularized fault trees using binary decision diagrams. Proc. IMechE Vol. 220, 2006

Rau93 Rauzy, Antoine: New algorithms for fault tree analysis. Reliability Engineering and System Safety, 40, 203-211, 1993

Rau03 Rauzy, Antoine: Toward an Efficient Implementation of the MOCUS Algorithm. IEEE Transactions on Reliability, Vol. 52, No. 2, 2003

War10 Warren, Colie G.; Lockheed Martin Space Systems Company: Common Cause Failures: Implementation of a Simplified Alpha Factor Model. IEEE Reliability and Maintainability Symposium, 2010

55

Technology

Fault Tree Analysis for the EnergyGrid