
Fault tree analysis and binary decision diagrams

Abstract
Fault tree analysis is now commonly used to assess the adequacy, in reliability terms, of industrial systems. For complex systems, an analysis may produce thousands of combinations of events which can cause system failure (minimal cut sets). The determination of these minimal cut sets can be a very time consuming process even on modern high speed digital computers. Also, if the fault tree has many minimal cut sets, calculating the exact top event probability will require extensive calculations. For many complex fault trees this requirement is beyond the capability of the available machines, thus approximation techniques need to be introduced resulting in loss of accuracy. This paper describes the use of a binary decision diagram for fault tree analysis and some ways in which it can be efficiently implemented on a computer. The work to date shows a substantial improvement in computational effort for large, complex fault trees analysed with this method in comparison to the traditional approach. The binary decision diagram method has the additional advantage that as approximations are not required, exact calculations for the top event parameters can be performed.


This item was submitted to Loughborough's Institutional Repository by the author and is made available under the following Creative Commons Licence conditions. For the full text of this licence, please go to: http://creativecommons.org/licenses/by-nc-nd/2.5/

Fault Tree Analysis and Binary Decision Diagrams

Roslyn M. Sinnamon, Loughborough University, Loughborough
John D. Andrews, Loughborough University, Loughborough

Key Words: Fault Trees, Binary Decision Diagrams
SUMMARY & CONCLUSIONS

Fault tree analysis is now commonly used to assess the adequacy, in reliability terms, of industrial systems. For complex systems an analysis may produce thousands of combinations of events which can cause system failure (minimal cut sets). The determination of these minimal cut sets can be a very time consuming process even on modern high speed digital computers. Also, if the fault tree has many minimal cut sets, calculating the exact top event probability will require extensive calculations. For many complex fault trees this requirement is beyond the capability of the available machines, thus approximation techniques need to be introduced, resulting in loss of accuracy. This paper describes the use of a Binary Decision Diagram for Fault Tree Analysis and some ways in which it can be efficiently implemented on a computer. The work to date shows a substantial improvement in computational effort for large, complex fault trees analysed with this method in comparison to the traditional approach. The Binary Decision Diagram method has the additional advantage that, as approximations are not required, exact calculations for the top event parameters can be performed.
1. INTRODUCTION

The fault tree diagram itself is an excellent way of deriving the failure logic for a system and representing it in a form which is ideal for communication to other managers/designers/operators etc. The fault tree is discussed in detail in Andrews and Moss (Ref. 1). Since the method was first conceived in the early sixties, algorithms to derive the minimal cut sets have worked directly with the fault tree diagram itself using either bottom-up, Semanderes (Ref. 2), or top-down, Fussell and Vesely (Ref. 3), approaches. Computerised methods to conduct this analysis are now so well developed that further refinement is unlikely to result in vast reductions in computer time. Tackling this problem to improve computational efficiency has been the main concern over the years for many fault tree researchers; Bennetts (Ref. 4) and Bengiamin et al. (Ref. 5) have both addressed it, usually by modifying the established, conventional approaches such as MOCUS (Ref. 3). It is felt that substantial improvement in computer utilisation will only result from a completely new approach. Such an approach would involve specifying the logic equation in a form which is easier to manipulate than a fault tree. A recent paper by Rauzy (Ref. 6) has indicated that an alternative approach using a Binary Decision Diagram may provide a more efficient means of analysing fault trees.
2. NOTATION

P(Top) - Probability of Top Event of a fault tree.
C_i - Minimal Cut Set.
P_RE(Top) - Rare Event Approximation of Top Event Probability.
P_MCSUB(Top) - Minimal Cut Set Upper Bound of Top Event Probability.
X_i - Boolean Variable.
f(x)/f1/f2 - Boolean Functions.
ite - If-Then-Else structure for Binary Decision Diagram.
<op> - Boolean operation (. or +).
F_i - Nodes/Vertices in a Binary Decision Diagram.
Q_sys - Probability of occurrence of top event of fault tree.
W(0, t) - Expected number of top event occurrences.
w_sys - System Unconditional Failure Intensity.
G_i(q) - Criticality Function for component i.
3. ABBREVIATIONS

s.o.p - sum of products expression.
BDD - Binary Decision Diagram.
4. FAULT TREE ANALYSIS

The analysis of the fault tree is generally undertaken in two stages: qualitative analysis and quantitative analysis. Qualitative analysis involves obtaining the various combinations of events which cause system failure (minimal cut sets) and quantification then deals with calculating the probability or frequency that system failure will occur.

The conventional approach to obtain the minimal cut sets is to take the Boolean logic expression for the Top Event and transform it into a sum of products (s.o.p) form. One way of doing this is to use a Bottom-Up procedure such as that of Semanderes (Ref. 2).
To obtain the s.o.p form for the Top Event of the fault tree, the inputs to the lowest gates are represented as logic equations. Once the lower gates have been expressed in this way, higher gates are then treated similarly. The final s.o.p form should be in terms of basic events only.

0-7803-3112-5/96/$5.00 © 1996 IEEE
1996 PROCEEDINGS Annual RELIABILITY and MAINTAINABILITY Symposium, p. 215
If the fault tree contains repeated events then the resulting s.o.p will not be minimal and the minimal cut sets cannot be directly obtained. If this is the case, Boolean Reduction Rules must first be applied to the s.o.p form to obtain the minimal cut sets. The task of obtaining the minimal cut sets of a fault tree can become computationally intensive if the logic equations produce many cut sets, due to the number of comparisons that are needed to make the expression minimal. Also the expansion procedure can make extensive demands on memory space.

To overcome these problems various techniques have been employed to reduce the number of comparisons (Ref. 7). Some methods only produce the most important minimal cut sets. One of these techniques is referred to as culling, which means that cut sets of a certain order, say 4 and above, are ignored or deleted from the expression; Rasmuson and Marshall (Ref. 8) employ this technique in their paper. The justification for doing this is that cut sets of a high order tend to have a low probability of occurrence and therefore do not make a significant contribution to the Top Event probability. However, the disadvantage of this is that when common cause failures are involved this method results in considerable inaccuracies. Probabilistic culling can also be applied; in this case a cut set whose probability of occurrence is below some threshold limit will again be ignored.
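The bottom-up s.o.p expansion, Boolean reduction and culling described in this section, as an added worked example in Python that is not part of the original paper. It uses the four-event tree of Figure 1 (Top = G1.G2.X1, G1 = X2 + X3, G2 = X3 + X4) and the unavailabilities from the worked example later on the page; the gate encoding, the function names and the culling thresholds are choices made here, not the paper's.

```python
# Added example (not from the paper): the conventional bottom-up
# sum-of-products route of section 4, run on the four-event tree of Figure 1
# (Top = G1.G2.X1, G1 = X2 + X3, G2 = X3 + X4). Basic events are integers,
# gates are (kind, inputs) tuples with kind 'and' or 'or' (encoding assumed here).
from itertools import product
from math import prod

G1 = ('or', [2, 3])
G2 = ('or', [3, 4])
TOP = ('and', [G1, G2, 1])


def sop(node):
    """Bottom-up expansion into a list of product terms (frozensets of events).
    Taking the union of event sets applies the idempotence rule X.X = X, but
    absorption is NOT applied, so repeated events leave non-minimal terms."""
    if isinstance(node, int):
        return [frozenset([node])]
    kind, inputs = node
    expanded = [sop(inp) for inp in inputs]
    if kind == 'or':                       # OR gate: concatenate the input terms
        return [t for terms in expanded for t in terms]
    # AND gate: one term from every input, multiplied out
    return [frozenset().union(*combo) for combo in product(*expanded)]


def _sorted_terms(terms):
    return sorted(terms, key=lambda t: (len(t), sorted(t)))


def boolean_reduce(terms):
    """Boolean reduction: drop duplicates and apply absorption (X + X.Y = X),
    i.e. keep only the terms that contain no other term: the minimal cut sets."""
    unique = set(terms)
    return _sorted_terms(t for t in unique if not any(o < t for o in unique))


def cull_by_order(terms, order):
    """Culling: discard cut sets of the given order and above."""
    return [t for t in terms if len(t) < order]


def cull_by_probability(terms, q, threshold):
    """Probabilistic culling: discard cut sets whose probability is below threshold."""
    return [t for t in terms if prod(q[x] for x in t) >= threshold]


# Constructed unavailabilities, the same values as Table 1 later on the page
Q = {1: 0.01, 2: 0.02, 3: 0.03, 4: 0.04}

if __name__ == "__main__":
    raw = sop(TOP)
    print("raw s.o.p terms:", _sorted_terms(raw))      # 4 terms, two of them redundant
    mcs = boolean_reduce(raw)
    print("minimal cut sets:", mcs)                   # {1,3} and {1,2,4}
    print("order below 3 only:", cull_by_order(mcs, 3))
    print("P >= 1e-5 only:", cull_by_probability(mcs, Q, 1e-5))
```

Because X3 feeds both G1 and G2, the raw expansion contains X1.X3.X3 (reduced to X1.X3 by idempotence) alongside X1.X2.X3 and X1.X3.X4, which only absorption removes; this is the non-minimal s.o.p the text warns about. Both culling rules keep X1.X3 and drop X1.X2.X4, which is why culling misjudges trees where such higher-order sets matter.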
4.2 Quantitative Analysis

The conventional approach (see Henley and Kumamoto in Ref. 9) to obtain the exact probability of the Top Event is to use the expansion of eq. (1), where $C_i$, $i = 1, \ldots, n_c$, are the minimal cut sets of the Top Event, i.e. the product terms. Clearly if the fault tree has many minimal cut sets, calculating P(Top) will require extensive calculations to evaluate each term in the expression; for many complex fault trees the requirement is beyond the capability of the available machines. To simplify the calculation the Rare Event Approximation, $P_{RE}(Top)$, can be used, which is:

$$P_{RE}(Top) = \sum_{i=1}^{n_c} P(C_i) \qquad (2)$$

However, a more accurate approximation is the Minimal Cut Set Upper Bound, $P_{MCSUB}(Top)$, which is given by eq. (3).
5. BINARY DECISION DIAGRAM METHOD

The Binary Decision Diagram (BDD) method, developed by Rauzy (Ref. 6), first converts the fault tree to a binary decision diagram which encodes an If-Then-Else (ite) structure. The attractive thing about the BDD method is that the ite structure derives from Shannon's formula (Ref. 10), such that if f(x) is the Boolean function for the top event of a fault tree then the Shannon formula can be written as:

$$f(x) = X_1 \cdot f_1 + \bar{X}_1 \cdot f_2 \qquad (4)$$

and the corresponding ite structure is ite(X1, f1, f2); for a detailed account of this procedure refer to Ref. 11 and Ref. 12. From this diagram both the qualitative and quantitative analysis can be achieved.

The size of the resulting BDD is determined by the ordering that has to be given to the basic events in the fault tree before the BDD is constructed. This ordering has further implications for the analysis. If the BDD is not in a minimal form, then the BDD must first undergo a minimising algorithm before the minimal cut sets can be obtained; this minimising technique is discussed in section 6. The quantitative analysis must be performed on the unminimised diagram, the reason being that the minimising procedure produces a new BDD which only encodes the minimal cut sets. However, if the ordering of the basic events produces a minimal BDD then both the quantitative and qualitative analysis are straightforward. It is therefore beneficial to achieve an ordering which is optimal in terms of the resulting size of the BDD. The ordering of basic events to produce a minimal diagram is considered in Ref. 11 and discussed in section 7.

To illustrate the method of obtaining the minimal cut sets and probability of occurrence of the top event using the BDD method refer to the example fault tree in figure 1.

Figure 1. Example Fault Tree. (Top = G1.G2.X1 with G1 = X2 + X3 and G2 = X3 + X4, the gate equations used in the calculations below.)

Assume an ordering for the basic events which is derived by considering those events at higher levels in the tree structure first:

X1 < X2 < X3 < X4
To obtain the ite structures for each gate in the fault tree the following procedures are used:

(1) Taking X < Y; let J = ite(X, F1, F2) and H = ite(Y, G1, G2), then:

J <op> H = ite(X, F1 <op> H, F2 <op> H)   (5)

(2) Taking X = Y, i.e. J = ite(X, F1, F2) and H = ite(X, G1, G2), then:

J <op> H = ite(X, F1 <op> G1, F2 <op> G2)   (6)

where <op> corresponds to the Boolean operation of the logic gates in the fault tree. For an AND gate <op> will be the dot or product symbol and for an OR gate <op> will be the addition symbol.
Also it is evident that:

Therefore the BDD calculations for the fault tree in figure 1 are the following:

G2 = ite(X3, 1, 0) + ite(X4, 1, 0)
   = ite(X3, 1, ite(X4, 1, 0))

G1 = ite(X2, 1, 0) + ite(X3, 1, 0)
   = ite(X2, 1, ite(X3, 1, 0))

Top = G1.G2.X1
    = ite(X2, 1, ite(X3, 1, 0)).ite(X3, 1, ite(X4, 1, 0)).ite(X1, 1, 0)
    = ite(X2, ite(X3, 1, ite(X4, 1, 0)), ite(X3, 1, 0)).ite(X1, 1, 0)
    = ite(X1, ite(X2, ite(X3, 1, ite(X4, 1, 0)), ite(X3, 1, 0)), 0)

This top event ite structure corresponds to the BDD shown in figure 2.

Figure 2. BDD for ite(X1, ite(X2, ite(X3, 1, ite(X4, 1, 0)), ite(X3, 1, 0)), 0).

To obtain the cut sets of the fault tree the paths through the BDD are traced from the top or root vertex to a terminal 1 vertex. Only the basic events that lie on a 1 branch (indicating the failure of that basic event) on the way to a terminal 1 vertex are included in a path. Therefore the paths through the BDD which correspond to the cut sets of the fault tree are:

(1) X1.X2.X3
(2) X1.X2.X4
(3) X1.X3

Clearly the resulting BDD for this ordering is not minimal, as it produces one redundant cut set (X1.X2.X3 contains X1.X3). The minimising procedure for the BDD which will produce the minimal cut sets directly is discussed in section 6.

To obtain the probability of occurrence of the top event of the fault tree ($Q_{sys}$) the probability of the sum of the disjoint paths through the BDD is calculated. The disjoint paths through the BDD are found by simply including in a path the basic events that lie on a 0 branch and indicating these as $\bar{X}_i$, i.e. 'Not' $X_i$, meaning basic event i does not occur. Disjoint paths through the BDD are:

(1) X1.X2.X3
(2) X1.X2.$\bar{X}$3.X4
(3) X1.$\bar{X}$2.X3
Before continuing with the calculation of $Q_{sys}$ the basic events in the fault tree need to be assigned probabilities, which for this example are given in table 1.

Table 1. Basic Event Data.

Component i | q_i
1 | 0.01
2 | 0.02
3 | 0.03
4 | 0.04

where:
q_i - Unavailability of component i.
λ_i - Conditional failure intensity of component i.
w_i - Unconditional failure intensity of component i.

Since $Q_{sys}$ can be obtained from the probability of the sum of the disjoint paths through the BDD then:

$$Q_{sys} = P(X_1.X_2.X_3 + X_1.X_2.\bar{X}_3.X_4 + X_1.\bar{X}_2.X_3)$$
$$= q_{x_1} q_{x_2} q_{x_3} + q_{x_1} q_{x_2} (1 - q_{x_3}) q_{x_4} + q_{x_1} (1 - q_{x_2}) q_{x_3}$$
$$= 0.01(0.02)(0.03) + 0.01(0.02)(1 - 0.03)(0.04) + 0.01(1 - 0.02)(0.03)$$
$$Q_{sys} = 3.0776 \times 10^{-4}$$

The algorithm used by Rauzy for calculating the probability is given in Ref. 6.
For some systems it is the unreliability which is required for the top event, i.e. the probability it will not work continuously over a given time period. An upper bound for this is the expected number of top event occurrences, W(0, t):

$$W(0, t) = \int_0^t w_{sys}\, dt$$

$w_{sys}$ is the system unconditional failure intensity, given by eq. (8), in which:

$Q(1_i, q)$ - is the probability of system failure with $q_i = 1$.
$Q(0_i, q)$ - is the probability of system failure with $q_i = 0$.
Evaluating each of the two terms $Q(1_i, q)$ and $Q(0_i, q)$ for each component could be achieved by first substituting $q_i = 1$ and then $q_i = 0$, i.e. the probability that component i fails equals 1 and 0 respectively, and re-running the system failure probability calculations. This would require the equivalent of 2n evaluations of the top event probability to deduce all terms required in the expression for $w_{sys}$ in eq. (8).
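The ite construction of section 5 (rules (5) and (6)), the cut-set and disjoint-path traversals, the Q_sys calculation and the q_i = 1 / q_i = 0 substitution just described, as one added worked example in Python that is not from the paper. It uses the Figure 1 tree and the Table 1 unavailabilities. The tuple encoding of ite, the function names, and writing G_i(q) as the difference Q(1_i, q) - Q(0_i, q) (the standard definition; the page gives it only in words) are assumptions of this example, and the rare event and MCSUB comparisons use the standard forms of the approximations named in section 4.2.

```python
# Added example (not from the paper): ite/BDD construction with rules (5) and
# (6), cut sets and disjoint paths, Q_sys, the 2n-substitution criticality
# evaluation and the two approximations of section 4.2, for the Figure 1 tree
# (Top = G1.G2.X1, G1 = X2 + X3, G2 = X3 + X4).
# A BDD is a terminal (ONE, ZERO) or an (X, f1, f2) tuple for ite(X, f1, f2);
# variables are integers so the page's ordering X1 < X2 < X3 < X4 is just "<".
from math import prod

ONE, ZERO = 1, 0


def ite(x, f1, f2):
    return f1 if f1 == f2 else (x, f1, f2)      # ite(X, f, f) = f


def var(i):
    return ite(i, ONE, ZERO)                    # basic event X_i = ite(X_i, 1, 0)


def combine(op, j, h):
    """J <op> H for op in {'+', '.'} following rules (5) and (6)."""
    if isinstance(j, int) and isinstance(h, int):
        return (j | h) if op == '+' else (j & h)
    if isinstance(j, int):                      # 1 + H = 1, 0 + H = H, 1.H = H, 0.H = 0
        if op == '+':
            return ONE if j == ONE else h
        return h if j == ONE else ZERO
    if isinstance(h, int):                      # both operations are commutative
        return combine(op, h, j)
    (x, f1, f2), (y, g1, g2) = j, h
    if x == y:                                  # rule (6): same variable at both roots
        return ite(x, combine(op, f1, g1), combine(op, f2, g2))
    if x < y:                                   # rule (5): X < Y
        return ite(x, combine(op, f1, h), combine(op, f2, h))
    return ite(y, combine(op, j, g1), combine(op, j, g2))   # rule (5), roles swapped


def paths_to_one(bdd, prefix=()):
    """All root-to-terminal-1 paths as sequences of (variable, branch) pairs."""
    if bdd == ONE:
        return [prefix]
    if bdd == ZERO:
        return []
    x, f1, f2 = bdd
    return paths_to_one(f1, prefix + ((x, 1),)) + paths_to_one(f2, prefix + ((x, 0),))


def cut_sets(bdd):
    """Events on 1 branches only, one set per path (may include non-minimal sets)."""
    return [frozenset(x for x, b in p if b == 1) for p in paths_to_one(bdd)]


def minimal_cut_sets(bdd):
    cs = set(cut_sets(bdd))
    return sorted((c for c in cs if not any(o < c for o in cs)),
                  key=lambda c: (len(c), sorted(c)))


def disjoint_paths(bdd):
    """Same paths, with 0-branch events kept as 'Not X_i' (negative variable)."""
    return [tuple(x if b == 1 else -x for x, b in p) for p in paths_to_one(bdd)]


def top_event_probability(bdd, q):
    """Q_sys as the sum of the disjoint path probabilities: each node contributes
    q_x * P(f1) + (1 - q_x) * P(f2), which sums the same paths one node at a time."""
    if isinstance(bdd, int):
        return float(bdd)
    x, f1, f2 = bdd
    return q[x] * top_event_probability(f1, q) + (1 - q[x]) * top_event_probability(f2, q)


def criticality(bdd, q, i):
    """G_i(q) = Q(1_i, q) - Q(0_i, q) by the two substitutions q_i = 1 and q_i = 0
    the text describes: two top-event evaluations per component, 2n in all.
    (Difference form assumed here; the page defines G_i(q) only in words.)"""
    return (top_event_probability(bdd, {**q, i: 1.0})
            - top_event_probability(bdd, {**q, i: 0.0}))


def rare_event(mcs, q):                 # P_RE(Top): sum of minimal cut set probabilities
    return sum(prod(q[x] for x in c) for c in mcs)


def mcs_upper_bound(mcs, q):            # P_MCSUB(Top) = 1 - prod(1 - P(C_i))
    return 1 - prod(1 - prod(q[x] for x in c) for c in mcs)


# Figure 1 tree, combined in the order used on the page
X1, X2, X3, X4 = var(1), var(2), var(3), var(4)
G2 = combine('+', X3, X4)               # ite(X3, 1, ite(X4, 1, 0))
G1 = combine('+', X2, X3)               # ite(X2, 1, ite(X3, 1, 0))
TOP = combine('.', combine('.', G1, G2), X1)
Q = {1: 0.01, 2: 0.02, 3: 0.03, 4: 0.04}   # unavailabilities from Table 1

if __name__ == "__main__":
    mcs = minimal_cut_sets(TOP)
    print("Top =", TOP)
    print("cut sets:", cut_sets(TOP), "minimal:", mcs)
    print("disjoint paths:", disjoint_paths(TOP))
    print("Q_sys =", top_event_probability(TOP, Q))
    print("P_RE =", rare_event(mcs, Q), "P_MCSUB =", mcs_upper_bound(mcs, Q))
    for i in Q:
        print(f"G_{i}(q) =", criticality(TOP, Q, i))
```

Building Top with rules (5) and (6) reproduces the page's ite(X1, ite(X2, ite(X3, 1, ite(X4, 1, 0)), ite(X3, 1, 0)), 0); the three cut-set paths include the redundant X1.X2.X3, and the node-by-node recursion in top_event_probability sums exactly the three disjoint paths, giving 3.0776E-4. The exact value sits below both P_RE (3.08E-4) and P_MCSUB, because the two minimal cut sets X1.X3 and X1.X2.X4 overlap in X1.X2.X3.X4. The criticality routine calls the top-event evaluation twice per component, the 2n evaluations the text refers to.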
Consider the variable $X_i$ which occurs at two nodes, a and b, in the BDD (Figure 3), then:

Figure 3. Considering variable Xi. (The figure shows the two nodes a and b for Xi, each with its 1 branch and its 0 branch.)
(7)

where $G_i(q)$ is the criticality function for each component. The criticality function $G_i(q)$ is defined as the probability that the system is in a critical state with respect to component i and that the failure of component i will then cause the system to go from the working to the failed state, i.e. the probability that the system fails only if component i fails. Therefore:

where:
$pr_{x_i}(q)$ - is the probability of the path section from the root node to node $x_i$.
$po^1_{x_i}(q)$ - is the probability of the path section from node $x_i$ to the terminal 1 node after the 1 branch from node $x_i$.
$po^0_{x_i}(q)$ - is the probability of the path section from node $x_i$ to the terminal 1 node after the 0 branch from node $x_i$.
- is the probability of paths from the root node to the terminal 1 nodes which do not go through a node for variable $x_i$.
$Z(q)$ - All nodes for variable $x_i$ on the BDD.

Therefore:

References (as listed on the page)

- Graph-Based Algorithms for Boolean Function Manipulation
- New algorithms for fault trees analysis
- Exact and truncated computations of prime implicants of coherent and non-coherent fault trees within Aralia
- On the Analysis of Fault Trees