Dynamic Fault Tree Analysis Based On The Structure Function

Guillaume Merle, Jean-Marc Roussel, Jean-Jacques Lesage. Dynamic Fault Tree Analysis Based On The Structure Function. Annual Reliability and Maintainability Symposium 2011 (RAMS 2011), Jan 2011, Lake Buena Vista, FL, United States. pp. 462-467. HAL Id: hal-00566334, version 2. https://hal.archives-ouvertes.fr/hal-00566334v2. Submitted on 17 Feb 2011.

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

Dynamic Fault Tree Analysis Based On The Structure Function

Guillaume Merle, PhD, LURPA, ENS Cachan
Jean-Marc Roussel, PhD, LURPA, ENS Cachan
Jean-Jacques Lesage, Habil., PhD, LURPA, ENS Cachan

Key Words: Boolean function, fault trees, probability, reliability, symbol manipulation

SUMMARY & CONCLUSIONS

This paper presents an algebraic approach to the analysis of any Dynamic Fault Tree (DFT). The approach rests on the ability to formally express the structure function of a DFT. We first present the algebraic framework that we introduced to model dynamic gates and hence determine the structure function of DFTs. We then show that this structure function can be rewritten in a canonical form from which the qualitative analysis of DFTs can be performed directly. Finally, we provide a probabilistic model of dynamic gates so that the quantitative analysis of DFTs can be performed from their structure function.

1 INTRODUCTION

Fault Tree Analysis (FTA) is one of the oldest and most widely used techniques in industry for the dependability analysis of critical systems [1-3]. When the interactions between events can be described by Boolean OR/AND gates only, so that only the combination of events matters and not their order, Fault Trees are called Static Fault Trees (SFT). SFTs are commonly analyzed directly from their structure function, the logical expression relating the top event to the basic events of the SFT. The qualitative analysis consists in determining the minimal cut sets of the SFT, that is, the minimal combinations of events which are sufficient to cause the top event. The quantitative analysis consists in computing the failure probability of the top event of the SFT. Dugan et al. [4-5] proposed a model which extends the SFT model with various kinds of temporal and statistical dependencies: the Dynamic Fault Tree (DFT).

The DFT is based on the definition of the gates Priority-AND (PAND), Functional Dependency (FDEP), and Spare. Even though the semantics of dynamic gates make it possible to model complex failure mechanisms that SFTs cannot capture, DFTs cannot be analyzed with the regular approaches because their structure function cannot be determined. Other kinds of approaches are hence used for the analysis of DFTs. They are mainly based on Zero-suppressed Binary Decision Diagrams (ZBDD) [6], Continuous Time Markov Chains (CTMC) [7], Stochastic Petri Nets (SPN) [8], and dynamic Bayesian Networks (BN) [9]. These approaches have limits, both in the analyses they allow and in the distributions they can take into account, even though any distribution can, in most cases, be accommodated by numerical simulation. In a previous article [10], the authors proposed to extend to DFTs the approaches commonly used to analyze SFTs: an algebraic framework which allows the structure function of DFTs including the dynamic gates PAND and FDEP to be determined, together with an analytical approach to perform the analyses from this structure function. In this paper, we extend the approach of [10] to the case of Spare gates.

The main approaches to the analysis of DFTs and their respective limits are presented in Section 2. The algebraic framework which allows the structure function of DFTs to be determined is recalled in Section 3, and the behavioural and probabilistic models of dynamic gates are presented in Sections 4 and 5 respectively. Finally, we illustrate our approach on a DFT example from the literature in Section 6.

2 STATE OF THE ART

Many approaches have been envisaged to analyze DFTs. In [6], each dynamic gate of the DFT is replaced by the static gate corresponding to its logic constraints; the minimal cut sets of the resulting SFT are then generated with ZBDDs, and these minimal cut sets are expanded into minimal cut sequences by considering the timing constraints. The authors of [7] convert the DFT into a failure automaton which models the changing state of the system as failures occur. This failure automaton is then converted into a CTMC, and the solution of the corresponding set of differential equations gives the failure probability of the top event of the DFT. These two approaches have been implemented in Galileo [5]. Other model-based approaches can be used to perform the quantitative analysis of DFTs. In [9], the whole DFT is converted into a dynamic BN and the failure probability of the top event is determined with inference algorithms. In [8], the dynamic subtrees of the DFT are converted into a class of coloured SPNs called Stochastic Well-formed Nets (SWN). The SWN is converted into a CTMC to determine the failure probability of the top event of the dynamic subtree, and this failure probability is then cast back into the original DFT. These two approaches have been implemented in the Windows [9] and Linux [11] versions of Drawnet respectively.

These approaches, as well as the numerous ones not cited in this section, are more or less efficient, but they provide literal quantitative results for exponential distributions only, even though numerical simulation still allows any distribution to be accommodated. Because of this limit, we chose to propose an extension of the analysis approaches used for SFTs, which are based on the structure function. The algebraic framework that we introduced to determine the structure function of DFTs is recalled in Section 3.

3 ALGEBRAIC FRAMEWORK FOR THE MODELLING OF DYNAMIC FAULT TREES

3.1 Hypotheses

The hypotheses considered in this work are as follows:
• the DFTs that we consider are the DFTs defined in [4], which include static gates (OR, AND, and K-out-of-N) and dynamic gates (PAND, FDEP, and Spare);
• events are not repairable, in accordance with [3];
• basic events have continuous failure time distributions, as considered in [12], so that independent basic events cannot occur simultaneously; and
• intermediate events of a DFT can still occur simultaneously if the DFT contains repeated events, as explained in [10].

3.2 Basics and notations of our algebraic framework

The Boolean model commonly used to model events and gates in SFTs does not take into account the order of appearance of events, which is needed to model dynamic gates. To take this temporal aspect into account, and hence model sequences of events, we consider events as Boolean functions defined on the set of positive times and taking Boolean values. As we consider non-repairable events, each non-repairable event a can be assigned a unique date of appearance d(a). The timing diagram of a non-repairable event a is shown in Figure 1.

Figure 1 – A non-repairable event

In addition to the operators OR (+) and AND (·), we have defined three temporal operators on the set of non-repairable events E_nr to model dynamic gates: non-inclusive BEFORE ($\lhd$), SIMULTANEOUS ($\triangle$), and Inclusive BEFORE ($\unlhd$). The definition of these three operators can be found in [10] and is based on the dates of appearance of their operands, as illustrated by the definition of the temporal operator Inclusive BEFORE:

$$d(a \unlhd b) = \begin{cases} d(a) & \text{if } d(a) < d(b) \\ +\infty & \text{if } d(a) > d(b) \\ d(a) & \text{if } d(a) = d(b) \end{cases} \quad (1)$$

The exhaustive list of the theorems verified by these three operators can be found in [13].

4 BEHAVIOURAL MODEL OF DYNAMIC GATES

The three temporal operators defined in Section 3.2 allow the behavioural model of dynamic gates to be determined. The behavioural models of the gates PAND and FDEP can be found in [10] and are recalled in Table 1.

Table 1 – Behavioural models of gates PAND and FDEP
Gate (symbol)                                Behavioural model
PAND, inputs A and B                         $Q = A \cdot B \cdot (A \unlhd B) = B \cdot (A \unlhd B)$
FDEP, trigger T, dependent events A and B    $A_T = (A \unlhd T) + T = A + T$, $\quad B_T = (B \unlhd T) + T = B + T$

Regarding Spare gates, according to [3], Spare gates can be Cold (CSP), Warm (WSP), or Hot (HSP). In this paper, we consider that CSP and HSP gates are specific cases of WSP gates. We hence present the behavioural model of single WSP gates and of multiple WSP gates sharing a spare event in Sections 4.1 and 4.2, before presenting the changes that must be made in the behavioural model to take into account the specific cases of CSP and HSP gates in Section 4.3. Finally, we show in Section 4.4 how this behavioural model of dynamic gates allows the qualitative analysis of DFTs to be performed directly.

4.1 Behavioural model of a Spare gate with 2 input events

Let us consider a Spare gate with 2 input events, the primary event A and one spare event B, as shown in Figure 2.

Figure 2 – A single Spare gate with 2 input events

As stated in [3], the output Q of the gate occurs when the primary and all spares have failed, that is, in this case, when A and B have failed. A and B are basic events and cannot fail simultaneously, so Q occurs if A and B fail according to the sequence [A, B] or the sequence [B, A]. It is important to note that in sequence [A, B], B fails while in its active mode (denoted by B_a), whereas in sequence [B, A], B fails while in its dormant mode (denoted by B_d). It is essential to distinguish both failure modes by using two different variables, for quantitative analysis purposes. Indeed, B does not have the same failure distribution when it fails during its dormant mode (B ≡ B_d) as when it fails during its active mode (B ≡ B_a). As we aim at making the quantitative analysis of DFTs possible from their structure function, this structure function must hence provide sufficient information to know whether spare events are in their dormant or active mode. Finally, the behavioural model of the Spare gate can be expressed as

$$Q = B_a \cdot (A \lhd B_a) + A \cdot (B_d \lhd A) \quad (2)$$

Furthermore, as B cannot be both in an active state and in a dormant state, we have

$$B_d \cdot B_a = \bot \quad (3)$$

where $\bot$ is the never-occurring event, which corresponds to the additive identity of the set of non-repairable events.

4.2 Behavioural model of 2 Spare gates with 2 input events sharing a spare event

Let us consider the specific case of 2 Spare gates, with primary events A and B, sharing a spare event C, as shown in Figure 3.

Figure 3 – Two Spare gates sharing a spare event

If we focus on the Spare gate on the left side, Q1 occurs as soon as A and C have failed, as stated in Section 4.1, or if A fails and C has been made unavailable because B failed before A. As a consequence, the behavioural model of the Spare gate on the left side is

$$Q_1 = C_a \cdot (A \lhd C_a) + A \cdot (C_d \lhd A) + A \cdot (B \lhd A) \quad (4)$$

The algebraic expression for the Spare gate on the right side can be determined in the same way, by symmetry:

$$Q_2 = C_a \cdot (B \lhd C_a) + B \cdot (C_d \lhd B) + B \cdot (A \lhd B) \quad (5)$$

The behavioural model of Spare gates in the general case of n Spare gates sharing a spare event can be found in [13].

4.3 Specific case of Cold and Hot Spare gates

The behavioural models presented in Sections 4.1 and 4.2 can be simplified in the specific cases of Cold and Hot spare events:
• In the case of a cold spare event, the behavioural model in (2) becomes
$$Q = B_a \cdot (A \lhd B_a) \quad (6)$$
as B cannot fail while in its dormant mode.
• In the case of a hot spare event, the behavioural model in (2) becomes
$$Q = B \cdot (A \lhd B) + A \cdot (B \lhd A) = A \cdot B \quad (7)$$
as B has the same distribution function in its active and dormant modes (B_a ≡ B_d ≡ B).

4.4 Qualitative analysis of DFTs

This behavioural model of dynamic gates allows the structure function of any DFT to be determined. The theorems verified by the temporal operators allow it to be reduced to a canonical form of the form

$$TE = \sum \Big( \prod b_i \prod (b_j \lhd b_k) \Big), \quad j \notin \{i, k\} \quad (8)$$

where TE is the top event of the DFT and the b_x are the basic events of the DFT, which may be spare events in their active or dormant state. Even though it allows the qualitative analysis of DFTs to be performed directly, this canonical form of the structure function is not sufficient to perform their quantitative analysis, for which a probabilistic model of dynamic gates is necessary. This probabilistic model is presented in Section 5.

5 PROBABILISTIC MODEL OF DYNAMIC GATES

The probabilistic models of gates PAND and FDEP can be found in [10], so we only consider the case of Spare gates in this section. Let us first recall the probabilistic formulas which allowed the probabilistic model of gates PAND and FDEP to be determined, and which will be needed to determine the probabilistic model of Spare gates. Given an event x with cumulative distribution function (Cdf) $F_x(t)$ and probability density function (pdf) $f_x(t)$, the following expressions hold under the hypothesis of statistical independence:

$$\Pr\{A \lhd B\}(t) = \int_0^t f_A(u)\,\big(1 - F_B(u)\big)\,du \quad (9)$$

$$\Pr\{B \cdot (A \lhd B)\}(t) = \int_0^t f_B(u)\,F_A(u)\,du \quad (10)$$

5.1 Probabilistic model of a Spare gate with 2 input events

The behavioural model of a single Spare gate with 2 input events is given in (2). B cannot fail both before and after A, so both algebraic terms are disjoint and

$$\Pr\{Q\}(t) = \Pr\{B_a \cdot (A \lhd B_a)\}(t) + \Pr\{A \cdot (B_d \lhd A)\}(t) \quad (11)$$

On the one hand, the Cdf and pdf of B_d do not depend on A, so the probability of occurrence of the second term can be determined by means of expression (10) as

$$\Pr\{A \cdot (B_d \lhd A)\}(t) = \int_0^t f_A(u)\,F_{B_d}(u)\,du \quad (12)$$

On the other hand, the Cdf and pdf of B_a depend on the failure date of A, so the probability of occurrence of the first term cannot be determined by means of expression (10), as A and B_a are statistically dependent. Rewriting this probability by means of expectation values and indicator functions [14] leads to the following expression for $\Pr\{B_a \cdot (A \lhd B_a)\}(t)$, as detailed in [13]:

$$\Pr\{B_a \cdot (A \lhd B_a)\}(t) = \int_0^t \Big( \int_v^t f_{B_a}(u, v)\,du \Big) f_A(v)\,dv \quad (13)$$

The probabilistic model of a single Spare gate with 2 input events can hence be obtained by summing expressions (12) and (13) according to (11). It can be noted that this probabilistic model does not depend on the distribution considered for basic events.

5.2 Quantitative analysis of DFTs

The inclusion-exclusion formula [15], the probabilistic model of dynamic gates presented in [10], and the model of Section 5.1 allow the quantitative analysis of any DFT to be performed. It can be noted that both the probabilistic model of dynamic gates and the expression for the failure probability of the top event obtained from it can accommodate any distribution for basic events. We illustrate this approach on a DFT example from the literature in Section 6.

6 APPLICATION TO A DFT EXAMPLE

6.1 A Computer System Example (HECS)

We illustrate our approach on the DFT of the Hypothetical Example Computer System (HECS) from [3], which is shown in Figure 4.

Figure 4 – The Computer System Example

The HECS includes dual-redundant processors A1 and A2 and a cold spare processor A, which can replace either upon failure. Processors A1, A2, and A are all identical processors running the same operating system. The system can continue to operate until all three processors have failed. The HECS also includes five memory units, of which three are required. These memory units are connected to the redundant bus via two memory interface units. If a memory interface unit fails, the memory units connected to it are unusable. Memory unit 3 (M3) is connected to both interfaces for redundancy; thus M3 is accessible as long as either interface unit is operational. A memory interface unit must hence be operational in order for the memory units connected to it to be accessible, so the memory units are functionally dependent on the interfaces. There are two identical redundant buses (BUS1 and BUS2), of which one is required for system operation. Thus the bus subsystem fails when both buses fail. The last subsystem to be considered is the application subsystem. The application software runs on the computer system. The operator is a human who interfaces with the computer via a Graphical User Interface (GUI) that runs on an interface device. Thus an application software (SW) failure, a GUI hardware (HW) failure or a human operator (OP) error will lead to system failure. The HECS requires the correct operation of the processing, memory, and bus subsystems, as well as of the software application. Thus the HECS will fail if any of these subsystems fails. The DFT which models the potential failure of the HECS is shown in Figure 5.

Figure 5 – The DFT of the HECS

6.2 Canonical form of the structure function

The DFT in Figure 5 can be divided into the 4 following independent subtrees:
• Subtree 1 corresponds to the processing system failure. It is dynamic and its top event will be denoted by TE1.
• Subtree 2 corresponds to the memory system failure. It is dynamic and its top event will be denoted by TE2.
• Subtree 3 corresponds to the bus system failure. It is static and its top event will be denoted by TE3.
• Subtree 4 corresponds to the application/interface failure. It is static and its top event will be denoted by TE4.

The structure function of the DFT of the HECS can hence be expressed as

$$T = TE_1 + TE_2 + TE_3 + TE_4 \quad (14)$$

Subtrees 3 and 4 are static, so their structure functions can be determined easily as

$$TE_3 = BUS1 \cdot BUS2 \quad (15)$$

$$TE_4 = HW + OP + SW \quad (16)$$

The structure function of subtree 2 can be obtained from the behavioural model of gate FDEP as

$$\begin{aligned} TE_2 = {} & MIU_1 \cdot MIU_2 + MIU_1 \cdot M_3 + MIU_1 \cdot M_4 + MIU_1 \cdot M_5 + MIU_2 \cdot M_1 + MIU_2 \cdot M_2 + MIU_2 \cdot M_3 \\ & + M_1 \cdot M_2 \cdot M_3 + M_1 \cdot M_2 \cdot M_4 + M_1 \cdot M_2 \cdot M_5 + M_1 \cdot M_3 \cdot M_4 + M_1 \cdot M_3 \cdot M_5 + M_1 \cdot M_4 \cdot M_5 \\ & + M_2 \cdot M_3 \cdot M_4 + M_2 \cdot M_3 \cdot M_5 + M_2 \cdot M_4 \cdot M_5 + M_3 \cdot M_4 \cdot M_5 \end{aligned} \quad (17)$$

Finally, the behavioural model of Spare gates presented in Section 4 allows the structure function of subtree 1 to be determined as

$$TE_1 = A_a \cdot A2 \cdot (A1 \lhd A_a) \cdot (A1 \lhd A2) + A_a \cdot A1 \cdot (A2 \lhd A_a) \cdot (A2 \lhd A1) \quad (18)$$

The canonical form of the structure function of the HECS can hence be obtained by substituting these 4 expressions into the sum (14).

6.3 Qualitative analysis

The canonical form of the structure function of the HECS contains 23 (2 + 17 + 1 + 3) terms. On the one hand, 21 terms do not contain the temporal operator $\lhd$. They are static and hence provide the minimal cut sets of the DFT:

$$\begin{aligned} & MIU_1 \cdot MIU_2,\; MIU_1 \cdot M_3,\; MIU_1 \cdot M_4,\; MIU_1 \cdot M_5,\; MIU_2 \cdot M_1,\; MIU_2 \cdot M_2,\; MIU_2 \cdot M_3, \\ & M_1 \cdot M_2 \cdot M_3,\; M_1 \cdot M_2 \cdot M_4,\; M_1 \cdot M_2 \cdot M_5,\; M_1 \cdot M_3 \cdot M_4,\; M_1 \cdot M_3 \cdot M_5,\; M_1 \cdot M_4 \cdot M_5, \\ & M_2 \cdot M_3 \cdot M_4,\; M_2 \cdot M_3 \cdot M_5,\; M_2 \cdot M_4 \cdot M_5,\; M_3 \cdot M_4 \cdot M_5,\; BUS1 \cdot BUS2,\; HW,\; OP,\; SW \end{aligned} \quad (19)$$

On the other hand, 2 terms contain the temporal operator $\lhd$. They are dynamic and hence provide the minimal cut sequences of the DFT. The algebraic term $A_a \cdot A2 \cdot (A1 \lhd A_a) \cdot (A1 \lhd A2)$ indicates that A1 must fail before A_a and A2, and hence corresponds to the two minimal cut sequences [A1, A2, A_a] and [A1, A_a, A2]. The algebraic term $A_a \cdot A1 \cdot (A2 \lhd A_a) \cdot (A2 \lhd A1)$ indicates that A2 must fail before A_a and A1, and hence corresponds to the two minimal cut sequences [A2, A1, A_a] and [A2, A_a, A1]. The minimal cut sequences of the DFT hence are

$$[A1, A2, A_a],\; [A1, A_a, A2],\; [A2, A1, A_a],\; [A2, A_a, A1] \quad (20)$$

6.4 Quantitative analysis

The probabilistic model of dynamic gates presented in Section 5 allows the failure probability of the top event of each of the 4 subtrees considered in Section 6.2 to be determined. For instance, in the case of subtree 1, the structure function of the subtree is given in (18). We have shown in Section 6.3 that the two algebraic terms of (18) correspond to the four minimal cut sequences given in (20). The structure function for TE1 can hence be rewritten as

$$\begin{aligned} TE_1 = {} & A_a \cdot (A1 \lhd A2) \cdot (A2 \lhd A_a) \\ & + A2 \cdot (A1 \lhd A_a) \cdot (A_a \lhd A2) \\ & + A_a \cdot (A2 \lhd A1) \cdot (A1 \lhd A_a) \\ & + A1 \cdot (A2 \lhd A_a) \cdot (A_a \lhd A1) \end{aligned} \quad (21)$$

and the probability of these four disjoint algebraic terms can be determined from the probabilistic formulas recalled in Section 5, so as to determine the failure probability of TE1:

$$\begin{aligned} \Pr\{TE_1\}(t) = {} & \int_0^t \Big( \int_w^t \Big( \int_w^u f_{A2}(v)\,dv \Big) f_{A_a}(u, w)\,du \Big) f_{A1}(w)\,dw \\ & + \int_0^t \Big( \int_0^w \Big( \int_v^w f_{A_a}(u, v)\,du \Big) f_{A1}(v)\,dv \Big) f_{A2}(w)\,dw \\ & + \int_0^t \Big( \int_w^t \Big( \int_w^u f_{A1}(v)\,dv \Big) f_{A_a}(u, w)\,du \Big) f_{A2}(w)\,dw \\ & + \int_0^t \Big( \int_0^w \Big( \int_v^w f_{A_a}(u, v)\,du \Big) f_{A2}(v)\,dv \Big) f_{A1}(w)\,dw \end{aligned} \quad (22)$$

The failure probability of the top event of the DFT of the HECS can hence be determined by using the inclusion-exclusion formula. It can be noted that this failure probability does not depend on the distribution considered for basic events, as the probabilistic model of dynamic gates can accommodate any distribution for basic events. In the particular case of exponential distributions with the failure rates given in Table 2, we obtain an unreliability of 95.92% after 100 hours. We have retained this mission time because it is the one retained in [3], even though the quantitative results obtained are different, as basic components are considered as repairable in [3].

Table 2 – Failure rates of the basic events of the DFT of the HECS, from [3]
Basic component          Failure rate (h^-1)
A1, A2, A                10^-4
M1, M2, M3, M4, M5       6 × 10^-5
MIU1, MIU2               5 × 10^-5
BUS1, BUS2               10^-6
HW                       5 × 10^-5
SW                       3 × 10^-2
OP                       10^-3

As the exponential distribution is not necessarily the most suitable to model the failure of components, since it does not take their aging into account, the failure probability of the HECS could be computed with other, more suitable distributions, such as the Weibull distribution.

7 CONCLUSION & PROSPECTS

In this paper, we presented the behavioural and probabilistic model of Spare gates. On the one hand, the behavioural model takes into account any type of Spare gate (Cold, Warm, or Hot) and, together with the behavioural model of gates PAND and FDEP from [10], allows the structure function of any DFT to be determined in a canonical form. The qualitative analysis of DFTs can then be performed directly from this canonical form. On the other hand, the probabilistic model allows the quantitative analysis of any DFT to be performed from the canonical form of its structure function. It can be noted that, as this probabilistic model does not depend on the distribution considered for basic events, any distribution can be accommodated during the quantitative analysis. Ongoing work addresses the elaboration of efficient algorithms to determine the structure function of DFTs and to perform their analysis directly from this structure function. Besides, the set of minimal cut sequences obtained with this approach is not necessarily minimal, as it may contain redundant minimal cut sequences. We should hence define one or several minimization criteria and develop optimization algorithms to reduce this set of minimal cut sequences.

REFERENCES

1. E. Henley, H. Kumamoto, Reliability Engineering and Risk Assessment, Prentice Hall, 1981.
2. N. Leveson, Safeware: System Safety and Computers, Addison-Wesley, 1995.

3. Fault Tree Handbook With Aerospace Applications, NASA Office of Safety and Mission Assurance, 2002, pp. 1-205.
4. J.B. Dugan, S. Bavuso, M. Boyd, "Fault Trees and Sequence Dependencies," Proc. Ann. Reliability & Maintainability Symp., (Jan.) 1990, pp. 286-293.
5. J.B. Dugan, K.J. Sullivan, D. Coppit, "Developing a low-cost high-quality software tool for dynamic fault-tree analysis," IEEE Trans. Reliability, vol. 49, no. 1, (Mar.) 2000, pp. 49-59.
6. Z. Tang, J.B. Dugan, "Minimal cut set/sequence generation for dynamic fault trees," Proc. Ann. Reliability & Maintainability Symp., (Jan.) 2004, pp. 207-213.
7. D. Coppit, K.J. Sullivan, J.B. Dugan, "Formal Semantics of Models for Computational Engineering: A Case Study on Dynamic Fault Trees," Proc. 11th Int. Symp. on Software Reliability Engineering (ISSRE 2000), (Oct.) 2000, pp. 270-282.
8. A. Bobbio, D. Codetta-Raiteri, "Parametric Fault Trees with Dynamic Gates and Repair Boxes," Proc. Ann. Reliability & Maintainability Symp., (Jan.) 2004, pp. 459-465.
9. S. Montani, L. Portinale, A. Bobbio, D. Codetta-Raiteri, "DBNet, a tool to convert Dynamic Fault Trees into Dynamic Bayesian Networks," Technical report TR-INF-2005-08-02, (Aug.) 2002.
10. G. Merle, J.-M. Roussel, J.-J. Lesage, A. Bobbio, "Probabilistic Algebraic Analysis of Fault Trees With Priority Dynamic Gates and Repeated Events," IEEE Trans. Reliability, vol. 59, no. 1, (Mar.) 2010, pp. 250-261.
11. V. Vittorini, G. Franceschinis, M. Gribaudo, M. Iacono, N. Mazzocca, "Drawnet: Model objects to support performance analysis and simulation of systems," Proc. 12th Int. Conf. on Modelling Tools and Techniques for Computer and Communication System Performance Evaluation, Springer Verlag, LNCS, vol. 2324, 2002, pp. 233-238.
12. J.B. Fussell, E.F. Aber, R.G. Rahl, "On the Quantitative Analysis of Priority-AND Failure Logic," IEEE Trans. Reliability, vol. R-25, no. 5, (Dec.) 1976, pp. 324-326.
13. G. Merle, "Algebraic modelling of Dynamic Fault Trees, contribution to qualitative and quantitative analysis," PhD thesis, ENS de Cachan, (Jul.) 2010.
14. G.R. Grimmett, D.R. Stirzaker, Probability and Random Processes, Oxford University Press, 2001.
15. K. Trivedi, Probability & Statistics with Reliability, Queueing & Computer Science Applications, Wiley, 2001.

BIOGRAPHIES

Guillaume Merle, PhD
LURPA, ENS Cachan
61 avenue du Président Wilson
Cachan, 94230, France
e-mail: merle@lurpa.ens-cachan.fr

Guillaume Merle received the PhD degree in Electrical and Automation Engineering and the MSc degree in Systems Engineering at the Ecole Normale Supérieure de Cachan (France), in 2010 and 2007 respectively. His main research interests span the area of algebraic methods, with application to performance evaluation and reliability. He is a member of IEEE.

Jean-Marc Roussel, PhD
LURPA, ENS Cachan
61 avenue du Président Wilson
Cachan, 94230, France
e-mail: roussel@lurpa.ens-cachan.fr

Jean-Marc Roussel received the PhD degree in 1994. He is currently Associate Professor of Automatic Control at the Ecole Normale Supérieure de Cachan and carries out research at the LURPA (Automated Production Research Laboratory) on the control of Discrete Event Systems with algebraic approaches.

Jean-Jacques Lesage, Habil., PhD
LURPA, ENS Cachan
61 avenue du Président Wilson
Cachan, 94230, France
e-mail: lesage@lurpa.ens-cachan.fr

Jean-Jacques Lesage received the PhD degree in 1989 and the Habilitation in 1994. He is currently Professor of Automatic Control at the Ecole Normale Supérieure de Cachan. His research topics are formal methods and models of Discrete Event Systems (DES), both for modelling, synthesis and analysis. The common objective of his work is to increase the dependability of DES control. He is a member of IEEE.
