Fault Tree Analysis Including Component Dependencies

Fault Tree (FT) analysis is not only the most common technique used in engineering practice for the estimation of system reliability, but is also a key tool shared between designers, analysts, and regulators for safe operation and licensing purposes. In spite of its long-lasting success, traditional FT analysis presents significant limitations in modeling a wide range of features frequently encountered in modern systems. The most critical of these is the assumption of independence of failure events, which is often not justified by the realistic behavior of the engineering system, undermining modeling accuracy. This article introduces a novel methodology for the analysis of FTs allowing for component dependencies and dynamic features. The proposed approach, based on the use of binary decision diagrams, is demonstrated using a simple numerical application for verification. Its applicability and computational feasibility are discussed in detail.

translates into a valid modeling strategy for the representation of sequence-dependent events, spares, and dynamic redundancy management, dynamic FTs fail to offer a widely applicable solution for the treatment of the full range of dependence types. For this reason, the application of this technique in engineering practice remains limited, in spite of numerous research efforts [3], [4], [5].
The second category entails modeling techniques such as static and dynamic Bayesian networks and Petri nets [6], [7], which, while enhancing modeling flexibility, fail to meet the requirements dictated by industrial applications, such as modeling causality and computational feasibility.
This article offers a mathematical solution tackling two main challenges associated with the analysis of dependencies in system reliability: modeling flexibility and computational feasibility. The method implemented allows the incorporation of dependencies within FT analysis regardless of their type or location within the system [8], [9]. Furthermore, it retains the familiarity and efficiency of the FT approach, so as to match the needs and requirements of real-world industrial applications.

A. Binary Decision Diagrams (BDDs)
Binary decision diagrams (BDDs) are acyclic graphs able to encode and manipulate Boolean functions [10] and represent an efficient tool for the analysis of FTs [11].
As shown in Fig. 1, paths through the BDD originate from a root node and end in terminal vertices, which can assume the value 1, indicating the occurrence of the system failure, or 0, its nonoccurrence. Each nonterminal node is labeled according to the FT basic event to which it refers. Basic events are considered in a specified order and, as is common in FT practice, represent the failure of system components. In this article, such events are labeled after the component of reference, while complementary events (i.e., the component working state) are indicated by a line over the variable name. The state space of a generic component X_i is then expressed as
where the probability q associated with each state satisfies the condition
Two edges originate from each node: one, namely the 1-branch, refers to the occurrence of the associated basic event, the other (i.e., the 0-branch) to its nonoccurrence. The overall Boolean function encoded by the BDD structure is factorized node by node through the use of the if-then-else (ite) structure, such that
where N_k refers to the Boolean structure of the kth node of the BDD and X_k to the failure event represented by the node. The expression in (3) translates as: if X_k fails, then consider the Boolean function h1, which lies on the 1-branch of N_k; else consider function h2 which, lying on the 0-branch, requires the working state of component X_k [12]. Algorithms are available for the conversion of FTs to BDDs [13], [14]. This is in fact a widely adopted strategy for the analysis of FTs, since it ensures the efficient and accurate computation of system reliability metrics, such as system failure probability, system failure intensity, and component importance measures [15].

B. Reliability Metrics
The proposed method focuses on the estimation of three reliability metrics: failure probability, component importance (Birnbaum's measure), and system failure intensity.
All BDD paths connecting the root node to a terminal 1 correspond to the associated FT cut sets and are referred to as paths to failure, P_i. The system failure probability Q_system can then be expressed as
where q(P_i) indicates the probability associated with the ith of the m disjoint paths to failure represented by the BDD structure. Birnbaum's measure of importance, G(X_j), of a generic component X_j quantifies the probability that the system is in a critical state for that component, i.e., a state in which the failure of X_j causes the system to pass from the working to the failed state. It can be calculated for each component as
where Q_system(X_j) and Q_system(X̄_j) refer to the probability of failure of the system given the failure and working state of X_j, respectively. Under the assumption of component independence, (5) can be rewritten as a function of the BDD paths to failure as
From this, the failure intensity of the system, F_system, can be calculated as
where f(X_j) refers to the failure intensity of the jth of the k components of the system.

C. System Dependencies and Their Representation
The proposed method relies on the direct manipulation of joint probabilities, through marginalization and conditioning. The first of these procedures allows the marginal contribution of one or more dependent variables to be determined. Consider two components X_i and X_j, and the set of joint probability values over all their possible states, i.e., q(X_i, X_j). The probability associated with the failure state X_i of component X_i can be computed as
where q(X_i = X_i, X_j) indicates the set of joint probability values covering the entire state space of X_j but including only the state X_i for X_i.
Conditional probability values can be obtained from joint probabilities through conditioning. This can be expressed as
where q(X_j, X_i) = q(X_i = X_i, X_j = X_j), while q(X_j | X_i) indicates the probability of component X_j being in the failure state X_j given that X_i is in state X_i.

III. METHODOLOGY
This section describes, in detail, the algorithm developed for the calculation of the three reliability metrics of interest discussed above: system failure probability (or top event probability), system failure intensity (or top event intensity), and component importance measures.
A graphical overview of the proposed methodology is presented in Fig. 2.

A. Top Event Probability
The probability of the system failure can be calculated as the sum of all BDD path probabilities [see (4)]. Under the assumption of independence, these equal the product of the probabilities of the individual events (working and failed) included in each path. Such a procedure is not adequate in the presence of dependencies.
To take this into account, the proposed approach relies on the factorization of each path into n + 1 groupings, corresponding to as many sets of components, where n is the number of dependence groups, DG, featured in the system, so that
P_i refers to the ith path of the BDD set of m paths to failure (PATHS), so that
Its first component P_i^0 refers to the set of all independent components included in P_i, so that
DG_0 being the set including all system independent components.
The first step of the proposed strategy addresses the identification of the BDD paths and their components. The probability associated with the path independent components, i.e., q(P_i^0), is estimated simultaneously, as described in step three. The third step targets the estimation of the contributions to each path probability associated with dependent components (q(P_i^k) with k = 1, ..., n). Finally, the system failure probability is computed in step four.
Algorithm 1: Path Identification.
Step 1. Path identification: Each BDD path is uniquely identified by the combination of the component event identifiers. The aim of the first step of the algorithm is then to record the events included in each path P_i while classifying them according to the dependence group of reference. This is achieved node by node, in a bottom-up direction: starting from terminal 1, the set of parent nodes is identified. Each event associated with the branch linking the parent and child nodes is added to the component of path P_i according to the dependence group it belongs to. For instance, let us assume terminal 1 has only one parent node N_h (Pa(1) = N_h), such that ite(N_h) = (X, 1, 0) and X is a dependent component of dependence group DG_k. Hence, the event X is added to the kth component of path P_i such that, at the current stage of the procedure, P_i^k = N_h. The node N_h is then processed in the same way, starting with the identification of its parents. The procedure is repeated for all queued parents until the root node is reached and the queue is empty. The path is duplicated in the case of multiple parents, so as to allow the differentiation of branches originating from the same child and their assignment to separate paths.
Algorithm 2: Computation of Independent Probability Components.
Step 2. Independent path element probability, P_i^0, computation: The probability associated with the path independent component, i.e., q(P_i^0), is estimated simultaneously with the progression of the path identification procedure. In fact, the probability of the independent component q(P_i^0) of the ith path can be calculated as the product of the probabilities of all independent events lying on it: hence, any time an independent event X is added to the subset P_i^0 of the ith path P_i (according to the former step), its probability q(X) is multiplied by the product of the probabilities of the independent events previously recorded within the same path. For the sake of clarity, this further step is represented in a separate pseudocode, shown in Algorithm 2, which expands on the underlined sections of Algorithm 1. This finally results in the computation of each path's independent component grouping probability, i.e., q(PATHS^0) = {q(P_1^0), q(P_2^0), ..., q(P_m^0)}.
Step 3. Dependent path probability computation: The contribution of a dependent event X, where X ∈ DG_k with k ≠ 0, to the probability of a generic path P_i cannot be estimated as the product of marginal probabilities as done so far. Instead, the probability of X depends on the state of the other events from the same dependence group in the path. The contribution of dependent components to the overall path probability can, hence, be computed only after the path definition in Step 1 is completed. Once the events in P_i^k associated with dependence group DG_k are known for each ith path to failure, their probability can be calculated on the basis of the joint probability in input and, finally, multiplied into the total path probability, since the group is independent from the other dependence groups. This procedure is summarized in Algorithm 3.
Step 4. System failure probability: Once the probability of each BDD path has been computed, the failure probability of the system is calculated according to (4).

B. Birnbaum's Measure of Importance
Steps 5 and 6 are dedicated to computing the criticality function (Birnbaum's measure of component importance) for independent and dependent system components, respectively.
Step 5. Birnbaum's measure of importance: For independent components, the value of Birnbaum's measure of importance can be calculated according to (6), as summarized in the pseudocode shown in Algorithm 4. The state of a dependent component has a direct impact on the probability value associated with the other members of the same dependence group. Hence, assumptions on the working or failure state of dependent components (such as those implicitly adopted in the calculation of Birnbaum's measures) affect the probability of the paths the component belongs to, as well as of the paths including other events from the same dependence group, even when these exclude the component itself. In the first case, the contribution to the component's Birnbaum's measure from the paths including such component can be calculated following the same procedure discussed for independent components (Algorithm 4). The secondary contribution G(Y_l)_i to the Birnbaum measure of the component Y_l from the ith path, including events of the same dependence group DG_k but not Y_l, can instead be calculated as
where q(P_i | Y_l) and q(P_i | Ȳ_l) indicate the conditional probability associated with the ith path given the failure and working state of Y_l, respectively, and q(P_i^k) is the probability associated with the kth component of path P_i, which includes exclusively any number of members of the dependence group DG_k except Y_l itself. Hence, the values q(P_i^k | Y_l) and q(P_i^k | Ȳ_l) indicate the conditional joint probability of any component dependent on Y_l and lying on path P_i, and can then be calculated by manipulating the joint probability in input through marginalization and conditioning [see (8) and (9)]. The overall procedure is discussed further in Section IV-C.
Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.
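As an added worked example (not the paper's own code or data), the following Python carries Steps 1 to 4 and the conditioning of Step 5 through on a small constructed BDD with one dependence group, and also computes the system failure intensity. The BDD, the marginals, the joint table and the failure intensities are all constructed here; paths are collected top-down from the root rather than bottom-up from terminal 1 (same path set), and eq. (7) is assumed to take the standard form F_system = Σ_j G(X_j) f(X_j).

```python
from math import prod

# Constructed example BDD (not the paper's Fig. 4): ite nodes stored as id ->
# (component, 1-branch, 0-branch); terminals are 1 (system failed) and 0
# (system working). Encodes TOP = (X1 AND X2) OR (X3 AND X4).
BDD = {
    "n1": ("X1", "n2", "n3"),
    "n2": ("X2", 1, "n3"),
    "n3": ("X3", "n4", 0),
    "n4": ("X4", 1, 0),
}
ROOT = "n1"

# Constructed reliability data. Independent components carry a marginal failure
# probability q(X); dependence group DG1 = {X1, X2} is a joint table over
# (state of X1, state of X2), 1 = failed, 0 = working, where one failure loads the other.
INDEP = {"X3": 0.05, "X4": 0.10}
GROUPS = {"DG1": (("X1", "X2"),
                  {(1, 1): 0.030, (1, 0): 0.020, (0, 1): 0.020, (0, 0): 0.930})}
INTENSITY = {"X1": 1e-4, "X2": 1e-4, "X3": 2e-4, "X4": 3e-4}  # constructed f(X)

def paths_to_failure(bdd, node):
    """Step 1: every path from `node` to terminal 1 as {component: state}."""
    if node in (0, 1):
        return [{}] if node == 1 else []
    comp, hi, lo = bdd[node]
    return ([{comp: 1, **p} for p in paths_to_failure(bdd, hi)]
            + [{comp: 0, **p} for p in paths_to_failure(bdd, lo)])

def marginal(members, joint, fixed):
    """Eq. (8): sum the joint table over the members not listed in `fixed`."""
    return sum(pr for states, pr in joint.items()
               if all(states[members.index(c)] == s for c, s in fixed.items()))

def path_probability(path, indep, groups):
    """Steps 2-3: product over independent events, times one joint term per group on the path."""
    q = prod(indep[c] if s else 1 - indep[c] for c, s in path.items() if c in indep)
    for members, joint in groups.values():
        fixed = {c: s for c, s in path.items() if c in members}
        if fixed:
            q *= marginal(members, joint, fixed)
    return q

def system_failure_probability(bdd, root, indep, groups):
    """Step 4, eq. (4): sum of the disjoint path probabilities."""
    return sum(path_probability(p, indep, groups) for p in paths_to_failure(bdd, root))

def conditioned(indep, groups, comp, state):
    """Fix `comp` to `state`: an independent marginal becomes 0/1, a joint table becomes eq. (9)."""
    if comp in indep:
        return {**indep, comp: float(state)}, groups
    new_groups = dict(groups)
    for name, (members, joint) in groups.items():
        if comp in members:
            denom = marginal(members, joint, {comp: state})
            new_groups[name] = (members, {
                st: pr / denom if st[members.index(comp)] == state else 0.0
                for st, pr in joint.items()})
    return indep, new_groups

def birnbaum(bdd, root, indep, groups, comp):
    """Eq. (5): Q_system given `comp` failed minus Q_system given it working."""
    return (system_failure_probability(bdd, root, *conditioned(indep, groups, comp, 1))
            - system_failure_probability(bdd, root, *conditioned(indep, groups, comp, 0)))

def system_failure_intensity(bdd, root, indep, groups, intensity):
    """Assumed form of eq. (7): F_system = sum_j G(X_j) f(X_j)."""
    return sum(birnbaum(bdd, root, indep, groups, c) * f for c, f in intensity.items())
```

Conditioning the joint table on X2 also rescales the entries for X1, which is why birnbaum("X2") differs from what a marginal-only calculation would give.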

C. Top Event Failure Intensity
The availability of the components' Birnbaum's measures of importance enables the calculation of the final reliability parameter of interest, the system failure intensity, carried out in step six.
Step 6. Failure intensity: The system failure intensity is computed according to (7).

D. Computational Feasibility
The complexity of the proposed methodology depends on the BDD structure, being directly proportional to the number of paths to failure. This implies that, for extremely large BDDs, the technique may become computationally intractable.
A possible alternative is shifting to an approximate solution: this implies the exclusion from the computation of any path whose probability falls under a preestablished threshold q_threshold. Such a truncation procedure can be carried out in the path identification phase, hence modifying the procedure proposed in Algorithm 1 as shown in Algorithm 6. While the system failure probability calculated with the truncated path set underestimates the real value, by recording the number of censored paths it is possible to provide an upper bound to the approximate output. In fact, since each eliminated path P_j^truncated is associated with a probability value lower than q_threshold, the maximum contribution to the overall failure probability lost through the truncation procedure is less than
where M is the number of eliminated paths. Hence,
where Q_system^approx is the estimate approximating the real system failure probability Q_system.

IV. NUMERICAL APPLICATION
In order to test the capabilities of the proposed methodology, a simple case study focusing on the FT structure shown in Fig. 3 has been analyzed, introducing multiple dependence groups.

A. Case Study
The FT shown in Fig. 3 represents a system of ten components, X1–X10. The top event TOP represents the simultaneous failure of two subsystems, in turn depicted by the FT subsections below gates G6 and G7. Both subsystems comprise two components working in parallel, i.e., X1 and X2 for gate G6, and X7 and X8 for gate G7. The components below each gate are considered to have mutual dependencies: it is assumed that the failure of one of the parallel components puts a larger load on the other, increasing its failure probability. This results in the definition of two dependence groups, DG1 = {X1, X2} and DG2 = {X7, X8}. In order to test the generality of the proposed method, a further dependence relation embracing components belonging to different subsystems (i.e., X5 and X9) is also considered, resulting in a third dependence group DG3 = {X5, X9}. This could be representative of more complex types of dependencies, e.g., related to maintenance strategies. As discussed, the FT is first converted into a BDD structure, shown in Fig. 4. For the sake of clarity, nodes associated with dependent components (i.e., X1, X2, X5, X7, X8, and X9) are represented as double-line ellipses, while different dependence groups are highlighted in different color shades. The dependence groups so defined are accounted for numerically through the use of joint estimates, as discussed in Section II-C: these are listed in Tables I–III for the dependence groups DG1, DG2, and DG3, respectively. The reliability information assumed for the remaining independent components is shown in Table IV.

B. System Failure Probability by Path
The application of the methodology described in Section III resulted in the identification of 45 disjoint failure paths, shown in Table V together with their individual probabilities. The overall system failure probability is computed by the summation of such values as

TABLE IV INDEPENDENT COMPONENTS RELIABILITY INFO

C. Birnbaum's Measures of Importance
Birnbaum's measures of importance were calculated, resulting in the values shown in Table VI.
As described in Section III, the computation of the criticality measure of an independent component follows Algorithm 4, which factorizes (6) into individual path contributions. For the independent component X3 in the example, this results in
where the positive term refers to the probability of the failure paths embracing the working state of X3 (i.e., paths 16–45 in Table V) conditional on the working state of the component. This is calculated by dividing the joint probability of the paths by the probability of event X̄3, according to the conditioning procedure of (9). Similarly, the negative term is associated with the paths implying the failure of X3 (i.e., paths 6–15 in Table V). Paths 1 to 5 in Table V contain neither X3 nor X̄3 and hence contribute to system failure regardless of the state of the component: this implies that the two resulting identical terms cancel each other out when considered under both assumptions of X3 working and failed, reducing to the expression in (17). While assumptions on the working or failure state of independent components affect only the failure probability of the individual component, similar hypotheses have a larger impact when they entail dependencies. For instance, assuming the dependent component X2 to be working correctly implies

$$q(X_2) = 0,\quad q(\bar{X}_2) = 1,\quad q(X_1, X_2) = 0,\quad q(X_1, \bar{X}_2) = q(X_1 \mid \bar{X}_2),\quad q(X_1) = q(X_1 \mid \bar{X}_2),\quad q(\bar{X}_1) = q(\bar{X}_1 \mid \bar{X}_2). \tag{18}$$

Hence, the calculation of the system failure probability conditional on the working or failure state of the dependent component X2 has to take into account not only the paths involving X2 itself, but also those including the other components of the dependence group DG1 to which X2 belongs (i.e., X1).
When X2 is working correctly, BDD paths 1 to 5 in Table V assume probability equal to 0 [due to q(X1, X2) = 0, as in (18)]. Paths 21–25, 31–35, and 41–45 contain the simultaneous occurrence of the dependent events X1 and X̄2, hence their probability contains the joint value q(X1, X̄2). According to the conditions in (18), this is equal to the conditional probability q(X1|X̄2) under the assumption of X2 working. Hence, in this case, the contribution of these paths to the system failure probability can be estimated by dividing their individual probability by q(X̄2), which is equivalent to substituting the joint value q(X1, X̄2) with the conditional probability q(X1|X̄2) in the expression of the individual path probability.
The probability associated with the paths including event X1 (i.e., paths 6–20, 26–30, and 36–40) needs to be "updated" according to the working assumption by substituting the probability q(X1) with the conditional value q(X1|X̄2). This can be achieved by multiplying the unconditional probability associated with such paths by q(X1|X̄2)/q(X1). Overall, the system failure probability conditional on the working state of X2 can then be expressed as

$$Q_{\text{system}}(\bar{X}_2) = \frac{\sum_{i=21}^{25} q(P_i) + \sum_{j=31}^{35} q(P_j) + \sum_{k=41}^{45} q(P_k)}{q(\bar{X}_2)} + \left[\sum_{l=6}^{20} q(P_l) + \sum_{w=26}^{30} q(P_w) + \sum_{h=36}^{40} q(P_h)\right] \frac{q(X_1 \mid \bar{X}_2)}{q(X_1)}. \tag{19}$$

Similarly, the failure probability of the system conditional on the failure of X2 can be computed as
As a result, the Birnbaum importance measure for the dependent component X2 can be calculated as

$$G(X_2) = \frac{\sum_{i=1}^{5} q(P_i)}{q(X_2)} - \frac{\sum_{i=21}^{25} q(P_i) + \sum_{j=31}^{35} q(P_j) + \sum_{k=41}^{45} q(P_k)}{q(\bar{X}_2)} + \left[\sum_{l=6}^{20} q(P_l) + \sum_{w=26}^{30} q(P_w) + \sum_{h=36}^{40} q(P_h)\right] \left[\frac{q(X_1 \mid X_2)}{q(X_1)} - \frac{q(X_1 \mid \bar{X}_2)}{q(X_1)}\right] = 2.4360 \cdot 10^{-2} \tag{21}$$

which corresponds to the sum of all path contributions obtained with (14) according to the procedure described in Algorithm 5.

D. System Failure Intensity
Once the Birnbaum's measures of component importance are computed, the failure intensity of the overall system, F_system, can be calculated. As for the failure probability values, the individual failure intensity of dependent components can be calculated through the marginalization procedure discussed in the previous sections. This finally results in

TABLE VI COMPONENTS BIRNBAUM'S MEASURE OF IMPORTANCE

V. CONCLUSION
In this article, a novel FT analysis methodology based on the use of BDDs and allowing for component dependencies was proposed. The approach relied on the conversion of the FT to a BDD and the identification of the associated paths to failure. Each path probability was estimated taking into account the contribution of independent and dependent components, adopting joint probabilities to capture the relationships between dependent events. The resulting approach preserves the familiarity and efficiency of FT analysis while enhancing modeling flexibility.

Algorithm 3: Computation of Dependent Path Probability Components.

Algorithm 4: Computation of Birnbaum's Importance Measure of Independent Component X.

Algorithm 5: Computation of Birnbaum's Importance Measure of Dependent Component Y_l.

Algorithm 6: Path Elimination Procedure for Approximate Failure Probability Computation.

Fig. 3. FT structure for the case study analyzed.

Fig. 4. BDD structure resulting from the conversion of the FT in Fig. 3. Double ellipses refer to dependent components, while color shades have been assigned to different dependence groups.

TABLE I JOINT RELIABILITY INFORMATION FOR DG1

TABLE V FAILURE PATHS FOR THE BDD IN FIG.