Upload
gang-xie
View
213
Download
0
Embed Size (px)
Citation preview
Reliability Engineering and System Safety 40 (1993) 295-309
TREE-EXPERT: a tree-based expert system for fault tree construction*
Gang Xie, Dazhi Xue & Shuren Xi Institute of Nuclear Energy Technology, Tsinghua University, Beijing 100084, People's Republic of China.
(Received 11 March 1992; accepted 23 September 1992)
This paper addresses the topic of automatic fault tree construction, utilizing an expert system with Artificial Intelligence (AI) techniques and presents the related software tool, TREE-EXPERT--an expert system for automatic fault tree construction. In the light of the features involved in developing a fault tree, a new and more reasonable structure of knowledge representation, which is knowledge tree based, has been established. The knowledge tree provides the means by which component failure behaviors can be described by a group of particular fault tree modules instead of production rules. By introducing the conditional branch function, the new design of the knowledge base incorpor- ates many good features such as strong expressivity, flexibility and ease of extension and it takes advantage of the user's familiarity with the field of fault tree analysis. Additionally, the design of the inference engine is original in that it deals with nodes, which it treats, as special components, so that many complicated engineering cases, such as the application of success criteria, and the problems of flow diversions and flow reversals in a process system, can be well managed and the function of the expert system is improved as a whole. TREE-EXPERT can be used to deal with large-scale and complicated engineering systems, and many engineering factors can be considered, e.g. more than one system parameter and the effect on them switching of the system operating states, bi-directional inference, human error failure, common-cause failure, maintenance and test, etc. On the other hand, the software uses P & ID (Pipe & Instrument Diagram) type interface to describe the system topology, which provides an easier man-machine interface with powerful graphics functions. This software can handle not only 'process' systems but also, with appropriate additions to the generic knowledge base, electrical systems and other similar systems.
1 I N T R O D U C T I O N
1.1 Background
Automat ion of logic modeling has been the main aim in applying artificial intelligence (AI) techniques to probability safety analysis (PSA). 2-1° System analysis in conventional PSA, especially fault tree construc- tion, is t ime-consuming and susceptible to human error. Various degrees of ' au tomat ion of the tree
• This paper is written based on Dr. Xie's doctoral dissertation, see Ref. (1).
Reliability Engineering an d System Safety 0951-8320/93 / $06.00 © 1993 Elsevier Science Publishers Ltd, England.
295
construction process ' can certainly increase the speed of system analysis and reduce the opportunit ies for human error. However , this is achieved at a certain price. Similar work had been under taken by PSA analysts before they were aware of AI techniques and expert systems. Research was done on the so-called 'computer-aided construction of fault trees ' for electrical systems, chemical process systems, and nuclear reactor systems. Although they have not been called expert systems, these software tools do possess similar knowledge and inference logic structures. None of them, however, has been used extensively by the PSA community. The main reasons for this can be summarized as follows:
• Although the logical mechanisms in these tools are well developed, the user-interface devices are
296 G. Xie, D. Xue, S. Xi
not designed in a satisfactory manner. For example, some codes require numerical coding in their input of all the failure modes and connection nodes, and they generate long lists of coded numbers in their output. Users usually find that the interpretation of these results requires significant effort and causes errors.
• Even for system analysis, PSA requires many judgements. For example, the analysts needs to determine the possible impact of human actions, such as maintenance work or emergency proce- dures, on the function of systems or components. Another example is the judgement involved in assessing the effects of common-cause failure. These events are not easily dealt with by a computerized tool, because the logical reasoning involved is usually not straightforward. This causes difficulties in constructing a fault tree in a 'fully automatic' way.
• The fault tree construction itself is an important process in the safety analysis, during which the analyst gains a deep understanding of the system behavior and learns about potential system malfunctions and their causes. Therefore many safety analysts think that automatic fault tree construction skips one of the important steps in the safety analysis.
For those reasons, the effort involved in automatic fault tree construction will not be accepted by the safety analyst unless the drawbacks are eliminated. The authors think that the current development of computer techniques could produce a satisfactory man-machine interface for analysts, and by means of AI techniques (e.g. an expert system) more complicated logical reasoning and even engineering judgment could be involved. It is not necessary to worry that the computer software will replace analysts in conducting system analysis. In fact, the objective in developing this kind of expert system is to help system analysts to work in an efficient way. With the current development of AI techniques and expert systems, methods for automatic fault tree construction and their applications seem to have regained momentum. Lessons learned in the past will be helpful in developing future expert systems. From these points of view, a software development project on T R E E - E X P E R T has been initiated with the following aims:
• The expert system should deal with systems for which the system topology can be described by a P&ID diagram, such as hydraulic systems, electrical systems, etc.
• A more reasonable knowledge base structure should be produced to make inference convenient.
• It should be possible to consider more than one
system parameter, e.g. pressure, temperature, flow rate, liquid level, etc., simultaneously.
• Engineering judgment should be involved in some complicated engineering cases, for instance, for the application of success criteria, and in problems involving, flow diversions and flow reversals.
• The logical reasoning should be bi-directional, i.e. upstream and downstream, so that inference could be started from any point of the system.
• It should be possible to consider more than one configuration, to deal with the switching of the system operating states.
• Maintenance and test, human error, support system, and common-cause failure should be involved on demand of the user.
• The software should be PC-based to benefit users in the PC community.
• The software interface should be user-friendly and easy to use. Generally, graphics techniques should be applied.
1.2 Overview of the TREE-EXPERT structure
The final product of this research project is a PC software tool for fault tree construction in PSA. The data flow chart of T R E E - E X P E R T is shown in Fig. 1. The heart of the expert system is its knowledge base and inference engine. On the other hand, a powerful graphic user interface has been designed to establish relations between the user and the computer.
In the following, Section 2 will describe the structure of the knowledge base, Section 3 will discuss the approach to inference and fault tree synthesis, Section 4 will show how T R E E - E X P E R T works, and Section 5 will conclude this paper.
2 THE STRUCTURE OF THE KNOWLEDGE BASE
There are two levels of knowledge base in this software. The first level, which is called the generic knowledge base, describes the information at the component level. The second level, which is called the system-specific knowledge base, includes information at the system level. This permits the inference engine to work according to the 'direct cause concept' . Failure of a component can be divided into internal and external failure. Based on the generic knowledge base, the internal failure can be developed in the form of component failure modes. Based on the system- specific knowledge base, the external failure (up- stream and downstream) can be propagated through- out the system. Figure 2 shows the overall structure of the knowledge base.
Automatic fault tree construction 297
User
Fault Tree
G R
A P H I C
I N
T E R
F A C E
Generic Knowledge base
Inference Engine
System-specific] Knowledge Base
Component library • Component icon • Definitions • Knowledge tree
Fault tree synthesis • Define top event • Inference • Loop control • Tree generator
System description . P&ID • Connection map • Component states . Other information
Fig. 1. The data-flow chart of TREE-EXPERT.
2 . 1 T h e g e n e r i c k n o w l e d g e b a s e
The so-called generic knowledge base (GKB) is a component library, which includes information on each component appearing in all the systems concerned. The GKB includes general information on the component type, i.e. it does not directly correspond to any specific component in the system being treated. In most cases, only a part of the generic information for a component will be applied to a specific component in the system treated. By means of the GKB editor, the GKB can be easily managed, e.g. the user can add/delete/modify a component. For each component, the following items are taken into account:
• component icon; • component definition table; • knowledge tree.
The component icon is a graphics image of the
component, which will appear in the system P&ID. All the icons in the GKB can be organized in an icon menu, which can be retrieved conveniently as the user pops up the menu (see Figs 13 and 11, respectively, for example screens of the graphics editor and the pop-up menu for the component icons).
The component definition table includes several groups of items:
• component identifier; • hardware input---output (I/O) descriptions; • failure modes and codes; • support systems; • operating modes.
Most of the information specified in the component definition table is usually used to generate event descriptions while building the fault tree and to prompt the user to input the component information correctly. The component identifier includes its name and component type code. The hardware I/O
Knowledge Tree
Definition Component Component Table Icon States
-I >~ VOI: I
POII
<7
V 0 2
: I
" " I
knowledge tree for isolated valve
knowledge tree for motor ~ driven pump
!definition table for isolated valve
definition table for motor driven pump
Generic
Knowledge Base
System!Specific
Knowledge Base
Fig. 2. The overall structure of the knowledge base.
System P&I Diagram
67
298 G. Xie, D. Xue, S. Xi
descriptions are designed specially for the components which have more than one input or output leg. For example, while connecting a heat exchanger in the system P&ID, the user should specify which side, tube side or shell side, it should be linked to/from. The component may have, at most, three pairs of I/O legs. In the failure modes and codes, all possible basic failure modes and their codes should be specified; these will appear in the knowledge tree as the basic events. The support systems give out the support system names which may connect to the component. The operating modes include all the possible operating states for the component (see Fig. 14 for an example screen of the definition table editor).
The knowledge tree is the key part of the GKB. It includes all the logical relations between its input and output parameters, failure modes, and other relevant factors. In many other similar expert systems, the knowldge base is usually rule-based, in which many production rules are defined in an IF () THEN () format. For fault tree construction, this kind of knowledge representation may have the following deficiencies:
• The process of establishing the rules is compli- cated because the rules are written independently and the potential relationships between the rules have to be identified by the user. Analysts may find that the establishment of the rules requires significant effort and causes errors.
• To describe the behaviors of a component, it is necessary to establish many rules. The relation- ships between these rules are not sufficiently obvious for the inference engine to work efficiently. To expand one rule in to another, it is usually necessary to search in whole rule space. On the other hand, because the format of the rules is different from that of the fault tree, the inference engine has to convert these rules to the fault tree format, e.g. AND/OR gates.
To eliminate these problems, an improved knowl- edge base, called as knowledge tree, is presented in this paper. The knowledge tree is built at the component level and is also composed of a group of rules. The difference is that these rules are organized in the form of a fault tree. The following advantages may be achieved from this improvement:
• The building of the knowledge base is simplified. The process of establishing rules becomes the development of a group of small fault tree modules. This may be easily accepted by users who are working in the field of reliability engineering.
• By means of the fault tree diagram, the relations between the rules can be expressed clearly so that the process of establishing rules becomes well
Symbols Types Descriptions
i ]
f~
@ @ i ,i
\ _ s
AND And gate
OR Or gate
CDT Conditional gate
NOT Not gate
DEU Upstream developed event
DED Downstream developed event
BE Basic event
Fig. 3. Event types in knowledge tree.
organized, and the opportunity to make mistakes will decrease.
• The inference can be simplified and generation of the tree becomes easier because of their similar structures.
Figure 3 shows the event types which may be used in knowledge trees. The gate events are used to describe the logical relationships between the events and mostly have the same meaning as in the fault tree. The characteristic of the knowledge tree is the use of a conditional gate, through which the corresponding sub-trees can be kept and/or eliminated from the knowledge tree on the basis of operating states specified in the system-specific knowledge base (see Section 2.2). By introducing the conditional branch function, the new design of the knowledge base is equipped with many good features such as strong expressivity, flexibility, ease of extension and taking advantage of the user's familiarity with the field of fault tree analysis. The upstream developed event (DEU) and down stream developed event (DED) denote the externally developed events, i.e. failures that result from external reasons, and the inference directions (upstream or downstream reasoning). Upstream reasoning is toward the input leg and downstream reasoning is toward the output leg. This allows the inference engine to work with two- directional inference. The basic event (BE) event for the component internal failure modes.
To build and use the knowledge tree, a coding system has been defined. In the knowledge tree, the codes are usually used as the name for top events and externally developed events and consist of six characters, as shown in Fig. 4. The inference engine will work based on this coding system. For a particular component, there is a group of top events which correspond to the relevant abnormal states of the system parameters, e.g. 'no flow to output leg', 'high pressure on output leg', etc. All these events will be coded according to the coding system. The inference engine will retrieve the corresponding knowledge tree for these events by searching for their codes. On the
Automatic fault tree construction 299
Parameter - -
xx x
P -- Pressure T -- Temperature F -- Flow rate L -- Level of liquid
IlO leqs I
I
State - -
-- others
~ +i0 -- very high (has) +01 -- high +00 -- unexpected -00 -- loss of expected -01 -- low -i0 -- very low (no)
-- others
Ii -- first input leg Ol -- first output leg
-- I2 -- second input leg 02 -- second output leg
-- others
Fig. 4. Coding system in knowledge tree.
other hand, during the inference, the failure (a relevant abnormal event code) will be propagated throughout the system according to the P&ID.
Figure 5 is an example of a knowledge tree for 'loss of output flow of a motor-operated valve', which demonstrates the typical structure of the knowledge tree for a hydraulic component. The top structure of the knowledge tree is a logic combination of the external and internal failure events. The details of the knowledge tree are concerned with internal failure, which is developed according to the failure class- ification, e.g. failure on demand, failure during operation, failure during standby, common-cause failure, etc. The reader may notice that the conditional gates are used many times and all the conditional gates are numbered. The numbered conditions (see Table 1 for the meaning of the numbers) correspond to the component operating states that are specified in the system-specific knowledge base, which will be dealt with by a C function called the condition analyzer. The basic events F1-F5 correspond to the failure modes in the definition table (see Fig. 14 below). The other basic events refer to the system-specific information (see Fig. 17 below). To carry out a common-cause analysis, an interactive common-cause failure viewer has been developed in TREE-EXPERT, which could help the user to identify and build in the common-cause failure on the system fault tree.
2.2 The system-specific knowledge base
The so-called system-specific base knowledge (SKB) is a dynamic knowledge base, which is generated based on the GKB and system-specific information. From
the viewpoint of the users, it is essential to establish the corresponding SKBs for different systems. The SKB describes the specific system configuration, i.e. where the components are located and how they work. In a word, the SKB includes all the necessary information for fault tree construction, besides that in the GKB. The following information has been considered:
(1) The system topology, i.e. system P&ID:
• component name; • icon's position in P&ID; • connections to other components.
(2) Component information:
• pointer to GKB; • operating states for different system
configurations; • support system information; • human error failure information; • common-cause failure information; • Maintenance and test information; • recovery information.
The SKB consists of two main parts. The first part is system P&ID. Similar to the method used by a PSA analyst, a simplified system P&ID is used as the main working interface. By means of the powerful graphics editor, the user can easily build P&ID on screen. The editor works in an efficient way so that the internal relationships between the components are created at the same time as the user connects components on the screen. Once the system P&ID is built, the component connection map is set up and ready for inference. Figures 15 and 16, respectively, show an
I Co
ns~d
e( co
rrfn
on-
cot.c
s e
to~l
ur e
I Lo
ss
of
flow
at
vc
dve
inpu
t
4>
11F-
10
01
F-1
0
I a,%Sg
,~ °' ~
t%t
#
I N
ot
cons
ider
re
cove
r
~ppo
r t
~y s t
enn
foilu
re
ICO
NTRO
L SI
GNA
L ~
I W
ith
switc
hing
op
erat
ing
stat
e
FNlur
e de
g,~
I Th
e ex
pect
ed
oper
otin
st
ate
is
not
gCLO
SE
V~v
e in
tern
al
to'lu
re
No
switc
hln
oper
atin
g st
oC~e
DE
ID
, +
J C
on~i
der
~ C
on~d
er
art
F oilu
r e
Con
side
r re
cove
r er
rOro
pera
tlngin
sw
itchin
gstot
e sY
~ACt
em B
~f°
l e
durin
g st
ondb
y
I I
Failu
re
to
H~T
~n
erro
r Su
p~)o
rl B
corw
'no~
:l vo
~e
whi
le
switc
hing
~
'~u~ s
tem
M
ant o
nenc
e du
rln 9
S ~a~
dby
Con
side
r V(
~ve
lug
OPE
N op
erat
ing
stat
e al
lure
an
d Te
st
reco
ver
man
ually
fNlur e
CONT
ROL S
IGNA
L
+
dem
and
DE
ID
Fig.
5.
E
xam
ple
of k
now
ledg
e tr
ee (
loss
of
outp
ut f
low
for
a m
otor
-ope
rate
d va
lve)
.
Valv
e fo
ils
clos
ed
durin
g op
erat
ion
Fmlu
re
due
to
moi
nt o
nenc
e an
d te
st
Ope
ratin
g st
ate
is
OPE
N
FNlure
duri
r~
aper
ohoi
~
DE
IO I
Con
side
r hu
man
err
or
durin
g st
ondb
y
Hum
an e
rror
du
ring
stan
dby
& fo
ils
to
reco
ver
©
1 H
~nno
n er
ror
durin
g st
ond
by
Conm
ider
hu
man
er
ror
durin
g op
erat
ion
H~
er
r~
~ri
n
op~o
~on
Automatic fault tree construction 301
Table 1. Meanings of the condition numbers
Number Meaning
0 No condition 1 The practical operating state = = operating state 1
(M1 in Fig. 14) 2 The practical operation state = = operating state 2
(M2 in Fig. 14) 3 The practical operating state = = operating state 3
(M3 in Fig. 14) 4 The practical operating state = = operating state 4
(M4 in Fig. 14) 5 The initiating (standby) state !=operating state,
necessary to switch state 6 The initiating (standby) state = = operating state,
not necessary to switch state 7 If consider the common-cause failure 8 If consider the human error failure during
operation 9 If consider the human error failure on demand
10 If consider the human error failure during standby 11 If consider the recover (only for demand type
failure) 12 If recover automatically 13 If recover manually 14 If consider the maintenance and test 14 If the support system 1 has been attached (S1 in
Fig. 14) 16 If the support system 2 has been attached ($2 in
Fig. 14) 17 If the support system 3 has been attached ($3 in
Fig. 14) 18 If the support system 4 has been attached ($4 in
Fig. 14)
Notes: (1) The conditions in this table are based on the information in the system-specific knowledge base. (2) A '1' will be returned by the condition analyzer if the condition is true, otherwise a '0' will be returned. (3) For the condition with a 'not', e.g. -11, a contrary result will be returned. (4) If necessary, a new condition could be added by the user.
example of a system P&ID and a component connection map.
The second part is a database which includes component state information for a specified system. There is also an interactive dialogue program which follows the graphics editor. During or after construc- tion of the P&ID, the program will prompt the user to input the system-specific information about the components, such as initiating state., operating state, support system attached, whether maintenance and test, and human error failure are considered, etc. T R E E - E X P E R T can deal with multi-operating states. For different configurations, the component can work on different operating states (see Fig. 17 for an example of the dialogue window).
Table 2 shows an example of the recorder format in SKB for a motor-operated valve. It may be noted that similar information can be found in both the GKB and
the SKB, e.g. operating states, support system information, etc. (see Fig. 14). The difference is obvious, e.g. the GKB describes that it has an AC power as support system, but the SKB specifies which AC power bus is attached. Another example is related to the operating states; the GKB demonstrates that there are two operating states, OPEN and CLOSE, but the SKB should specify one of these two states as the component operating state.
3 INFERENCE ENGINE
The design of the inference engine is another important task in implementation of an expert system. Generally, the inference engine has three main functions. To start the inference engine (begin to build the fault tree), the user should first specify the top event. Second, the inference engine should be able to perform the local inference for a component . The so-called local inference is to go through the knowledge tree for the component under study, during which all the details of the fault tree will be generated. Third, for external failure produced during the local inference, the inference engine should be able to perform a global inference. The so-called global inference is actually to go through the system P&ID, which is based on the 'direct cause concept' and the component connection map. The main logical stem of the fault tree is generated during the global inference, which will control the work of the inference engine. Figure 6 gives the data flow chart for the inference engine.
The backward chaining inference is used in T R E E - E X P E R T with two stacks, STACKA and STACKB. STACKA is for storage of the events to be developed, i.e. events generated on going through the knowledge tree. STACKB is for storage of the events which have been developed. Once an event has been developed, it will be pushed into STACKB. To avoid loops during the inference, before pushing the events into STACKA, it is necessary to make sure that those events do not exist in STACKB. The structure of the stacks is shown in Table 3.
In designing the inference engine, the problem may arise of how to deal with a node which is an intersecting point when more than two components are connected. Figure 7 shows four types of node which must be considered in T R E E - E X P E R T . T R E E - E X P E R T will automatically generate nodes in necessary cases. The three steps to generate a node are shown in Fig. 8. The node will determine the fault tree logic and is related to engineering judgments such as to apply the success criteria, to identify flow diversions and flow reversals. T R E E - E X P E R T can deal with the nodes in such a way that a node could be treated as a special kind of component , which means
302
Data field
G. Xie, D. Xue, S. Xi
Table 2. Example recorder form in SKB for a motor-operated valve
Data Descriptions
COMP_NAME COMP_LEFT_UP COMP_RIGHT_DOWN COMP_NAME_LEFT_UP NUM_INPUT INPUTS
NUM_OUTPUT OUTPUTS
GKB_POINTER
OPERATING_STATES
NUM_SUPPORT SUPPORT_SYS_ 1 SUPPORT_SYS_2 SUPPORT_SYS_3 SUPPORT_SYS_4 COMMON_CAUSE HEF_DURING_OP HEF_ON_DEMAND HEF_DURING_SB MANT_TEST RECOVER
v001 (100, 100), (120,120) (100, 80) 1 (2, O, O)
l (7, O, O)
150
(1 ,2 ,0 ,0 ,0 )
2 AC-BUS-A CTL-SGN-B NULL NULL NULL 1 0 0 1 0
The name code for the valve in P&ID The left-up coordinate for the valve's icon The right-down coordinate for the valve's icon The left-up coordinate for the name code 'V001' There is only input leg The input leg is connected to another (number 2) component's output leg There is only output leg The output leg is connected to another (number 7) component's input leg
The 150th recorder in GKB is related to motor-operated valve
The component operates at M1 (OPEN) state in the first phase (initiating state). After switching to the second phase (operating state), the component operates at M2 (CLOSE) state There are two support systems The first support system is AC bus A The second support system is control signal B None None The common-cause failure is not considered The human error failure during operation is considered The human error failure on demand is not considered The human error failure during standby is not considered The maintenance and test are not considered The recover is not considered
Global Inference
Specify the top event l
I Push the top event into STACKA I
Pop up an event from STACKA and push i t into STACKB
I Retrieve the knowledge t ree Cut and reduce the knowledge
tree on the condi t ions
I Go through the knowledge tree
fo r DED and DEU event I m
Trac~ for DED and DEU event according to P&ID and inference direction, generate new developed events (done by tracer)
in STACKB I I t
Check i f the new I I developed events has H been in the STACKB
not in STACKB i
Push the new developed I t events in the STACKA II
l
H Stop white the I STACKA is empty
fo r the other events
Generat~ the f a u l t t ree I in a readable form, e.g. I graphic drawing, etc. I
Retrie~E~ the developed event name, and merge into the fault tree
Loop control
Fig. 6. The data flow chart for the inference engine.
Local inference
Automatic fault tree construction
Table 3. Structure of the stacks for inference engine
303
Data field Description Example data
EVENT_CODE DIRECTION COMP_NUMBER POINTER_KT GATE_NAME
The event code (see Fig. 4 for details) The inference direction The relevant component number The pointer to retrieve the knowledge tree The gate name generated for this event
'OIF-10' (loss of output flow) - 1 upstream, +1 downstream 'V001' 150 (see Table 2) 'AFWG034'
(a) (b) (c)
_ l t (d)
Fig. 7. Examples of nodes.
that from the point of view of the GKB, the behaviors of nodes can be described by the knowledge tree and the conditional branches can be used to distinguish the different cases, and from the point of view of the SKB, the operating states specified in the SKB for a node will be used to identify the different engineering cases which include the user's engineering judgment.
The success criteria are very important in fault tree construction. For the nodes in (a) and (c) of Fig. 7, the success criteria have to be applied to determine which kind of gate should be generated while performing the logical reasoning at a node. For example, case (a) can be considered as a high- reliability water supply system, in which the two inputs come from two pump trains. The related failure event is 'loss of water flow at its output ' . If the success criterion is ' the output is sufficient if one of the two pump trains is working', then an AND gate would be necessary in the fault tree for this node. On the other hand, if the success criterion is ' the output is sufficient while both pump trains are working', then an O R gate would be necessary. An example of a knowledge tree for this kind of node is given in Fig. 9, ill which different gates are used for different success criteria.
For the nodes in (b) and (d) of Fig. 7, the cases are a somewhat complicated. One of the outputs may be affected by not only its input but also its other output(s). To take (b) as an example, let us suppose
that one of the outputs is used as the main flow path, and another output is connected to a safety release path, i.e. a safety rease valve which is normally closed and will open when the pressure is too high. In this case, the main flow may be insufficient, as a result of either low input flow or undesired flow to another path established by abnormally opening the safety valve, i.e. some kind of flow diversion. Another case is that the two outputs of the node share 50% input flow, in which one of the outputs will have low flow if another output has high flow. Figure 10 shows the knowledge tree for the node in this example, in which the event O1F-01 is divided into two different developed events for different cases.
T R E E - E X P E R T can carry out the logic reasoning in two directions, i.e. upstream and/or downstream. This is based on inclusion in the knowledge tree of two-directional knowledge, i.e. knowledge of how the output(s) and the input(s) affect each other. Because the different types of developed event, i.e. D E U and DED (see Section 2.1), have been defined in the GKB, the tracing path can be easily controlled.
In summary, the advantages of the idea of dealing with nodes as a special component are obvious, and many difficulties in designing the inference engine, e.g. applying success criteria, dealing with flow diversions, etc., have been overcome as a result of the capability of the knowledge tree.
4 H O W T R E E - E X P E R T W O R K S
4.1 O v e r v i e w of the user interface
Generally, T R E E - E X P E R T is a fault tree construc- tion expert shell. All the information needed for the
t ~ t l~ t °c
~ ~ ) t><l------ ------t>~ ~ - ; I:><3----- UB U~ UB t ~ FI 1 UB
la) Ibl Icl
Fig. 8. The three steps to generate a node.
304 G. Xie, D. Xue, S. Xi
01F-I0
I k~suf ficient woter flow ot output
I
I CASE 1
Loss of flow at input 1 or input 2
I I I i Loss ol Flow Loss of flow Loss of flow l
ot input 1 ot input 2 ot input 1 I
< > + d > 11F-I0 12F-I0 11F-I0
I
LOSS of flow ot input 1
end input 2
I Loss of flow
ot input 2
12F-I0
Fig. 9. The knowledge tree for the node in Fig. 7(a).
I Lo.~ woter flow
ot input
11F-01
01F-01
I Low woter flow
ol output
# I 1 i
CASE I [ CASE 2 I
Intermed~ote gote Interme~ote 9ore
1 I I / ~ . ~ , ° a .oto, l Lo. ~ t . , , e . / ~ .ot.~ ,~.m
flow estoblished/ ot input r t cmother outpu] tot or, other output~
<> <> <> 02F+O0 IIF-01 O2F+01
Fig. 10. The knowledge tree for the node in Fig. 7(b).
fault tree construction, i.e. GKB and SKB, can be created and modified by the user. The interface of T R E E - E X P E R T is a powerful graphics editor that can be driven by a mouse or a keyboard, by which all the necessary information can be input. The editor uses two pop-up menus. One is the command menu shown in Fig. 11. All the software functions can be invoked from this menu. The other is a component icon menu, also shown in Fig. 11, which can be managed (add/dele te /modify) by the user. By means of this menu, the user can retrieve a component
library while building the P&ID. A status line on the top of the editing screen displays the editing status, which can easily be changed on demand by the user. Figure 12 is a data flow chart to describe the procedure for using T R E E - E X P E R T .
4.2 Creation of G K B
To use T R E E - E X P E R T , the work may be initiated by creating the GKB. This can be done with the help of the system engineer (expert) who may have
Automatic fault tree construction
F i l e Nod Tex t F i l l LI H l r r o Rotat Menu( I Re at
• ~I'31
1411"II
1) , : I , ' ! ,:
1'," i , i t
lh~ i I d
E ~ i t
I¢IIl
Fill
D e f i n t . ~
305
F i l e nod Tex t F i l l L i n e t l i r r ~ r R o t a t e Menu( ) Re a t
+
Fig. 11. The pop-up menus for commands and component icons.
U s e r
] Main Control Screen and P&ID Editor
I I I GKB SKB Top Event
Editor Editor Editor
I I I II Inference I Fault
GKB SKB Engine Tree
Fig. ~ . The data flow chart to for use of TREE-EXPERT.
parameter editor. Figure 14 shows related editing screen. The knowledge is constructed by means of a knowledge tree editor. The current version of T R E E - E X P E R T includes only a text form editor; the future version could be graphics one. The component icons are arranged in the icon menu, as shown in Fig. 11. If necessary (to add/remove/modify) , the menu could be rearranged.
experience in component functional mechanisms and system behavior. Although T R E E - E X P E R T provides a powerful tool to help users to create the GKB, this expends time and manpower. Fortunately, a pre- developed GKB is included in T R E E - E X P E R T . It contains components mostly in use in PSA for nuclear power plant (NPP) so that the user need only make some necessary additions and/or modifications to it.
To build the GKB, the steps below should be followed for each component involved.
• The component icon is built by means of the icon editor. Figure 13 shows an example screen for a component icon editor.
• The component is defined by means of the
4.3 Creation of SKB
For a daily user, the work on fault tree construction may begin from creation of the SKB. The SKB should
306 G. Xie, D. Xue, S. Xi
Fig. 13. The editor for component icon.
Fig. 14. The editor for component definition table.
include all the system-specific information for fault tree construction. T R E E - E X P E R T uses a simplified system P&ID as the main working interface, which specifies the topology of the system. By means of the P&ID editor, the user can pick up a component icon from the icon menu and position it on the screen (see Fig. 15). The components could be connected during the building of the diagram. A show function has been provided to check the connecting map whenever the user is editing a P&ID (see Fig. 16). Besides the P&ID, the user should input detailed information on each component involved via a dialogue window (see
Fig. 17). A group of commands, such as copy, move, erase, etc., can be used to simplify this work. Once the SKB is built, T R E E - E X P E R T is ready for inference.
4.4 Performing of inference and generation of fault tree
Once the knowledge base is completed, TR EE- EX P ERT is ready for inference. To start the inference engine, a top event has to be specified by the user. The following steps show the sequence for defining
Automatic fault tree construction 307
F i l a ~ e l f p l , . . ~ 1 T e x 4 F i l l | L i t : m H l r r ~ - ~ Rotate
mlFO E~PPD
BO2PO M
BS, ND
I I . u ( I I ) b ~ t
5 816UD B344/D 829UD
B41UD BZ3K/D
01ZUD 838UD 8Z'M,JD
! 8 3 " P ~ 819UD i 8141)D 832UD O28UD
818UD - " 839UD 821UD
t Fig. 15 The editor for system P&ID.
Fi leN~lJ phx.~_ 1 Tex t l l F i l l | L i ~ m H i r r o r * - , R o t a t e I1enu(n II) RePea t
T~4X 881UD 887VD 816UD 834VD _ _ BBIPO . . . . . . . . . . a,~:mm I " ' - I
BH~PO e~SUD
84eUD 8Z2VD T 8 2 ~ D I I
8'11U]) BT-.'~D
81ZVD 83~/D 827VD 1"--7
83151D 819UD
814UD H3ZUD ~
8BgUD
TUPJ I1~
811UD
1 ~ ¸
the top event:
• A component or node is located on the P&ID, the output of which is concerned with the top event.
• The program will then retrieve the knowledge tree and list all the possible failure states for the selected component or node. One of these should be specified as the top event (see Fig. 18).
• The inference direction should be specified; this can be upstream or downstream or both.
• If more than one top event is selected, it is necessary to combine them logically to form a general top event, e.g. the user may first specify
0.3BUD ~ D ~ ~ D I I
B39UD 821UD 13lUll 1 ~ FROIS.-SG1
FROH-S~2
13:3~,~ 131K~ ~ FROM-SG3
Fig. 16. Example of 'show' function, giving relationships between the components.
'loss of input flow' of three steam generators as sub-top events, and then, based on the system success criterion, use a 2/3 vote gate to combine them as the general top event (see Fig. 19 for a example screen).
• After the user completes the definition of the top event, the inference engine may begin to generate the fault tree automatically.
5 CONCLUSIONS
With the current rapid advances in personal computer and AI development, workers in the PSA community
308
Fi h~h~J
G. Xie, D. Xue, S. Xi
pk~,L.~ 1 Tex tn F i l l l L | " ~ m Nlrr.m~,-. R o t a t e
Fig. 17. The editor for the component states in SKB.
F I le~US~Jl
RlU
OaZVD
I ~ - ~ 1 Text I F I l l I L ~ - - / N i r r o r R o t a t e I~le'mt(ll n ) i . . . . . . . . . .
81~/D 8340D 8~UD / - ~
841VD 11~3UD
8 ~ 83~/D 8~r/VD
148 ~ ~ 1
837VD 8 1 ~ D
t I 814VD 832VDN3 828UD / - ~
~ - ~ J 818Vn " ' 83~7n 821Vn 1 3 1 ~
Fig. 18. Specification of the top events.
are considering making further advances in the application of PSA. The aim of PSAs' development is 'living PSA'. This should provide a good, user- friendly, and easy-to-use interface, because the users will be workers who might not perform the PSA. System modeling, i.e. fault tree analysis, is a very important step in conducting PSA. In a sense, whether or not it can be automated is one of the decisive factors in defining 'living' PSA as living. T R E E - E X P E R T is just such a software tool, which in its current version, can provide the means of
automatic fault tree construction. It is expected that the future version of T R E E - E X P E R T will be used as the interface in 'living PSA'. Compared with other similar expert systems, T R E E - E X P E R T has de- veloped a more reasonable structure of the knowledge base, i.e. the so-called knowledge tree. The knowledge tree, which is flexible and capable, can be easily understood and developed by the PSA analyst. Many valuable features can be found in its structure, e.g. several relevant system parameters and their relationships can be considered, two-directional
Automatic fault tree construction
F I I m ~ V l P h a s e I T e x t F i l l L i n e N i r r o r R o t a t e I ~ n u ( R m ) IJDls~LV~
LOGlC!
STEAM GENERRTOR ~ NO FLOW AT INPUT LEG
309
H13 1 3 2 ~ ,~ FROIT--,~2 T
'IMJRB n, lE 138vtJ / 133t,~ /
• FROI'I-SG3
Fig. 19. Definition of the top logic.
inference can be established, etc. Additionally, the management of the knowledge tree by PSA analysts is easy because its structure is similar to that of the generic fault tree. The development of knowledge trees for different components is relatively independ- ent. Even a complicated node can be treated as a component so that the inference can be simplified. T R E E - E X P E R T has been tested with a group of academic examples 11 and practical engineering systems 12 and it has been proved that TREE- E X P E R T is able to construct fault trees for complicated engineering systems.
Work on the T R E E - E X P E R T project is continuing, with the hope that T R E E - E X P E R T will become the new member in the family of PSA tools.
REFERENCES
1. Xie, G., The study on the expert system for fault tree construction (in Chinese) Doctoral dissertation, Instit- ute of Nuclear Energy Technology, Tsinghau Unversity, Beijing, 1992.
2. Majumdar, D., Artificial intelligence applications in the nulcear industry. Idaho National Engineering Labora- tory, DOE/ID-10191, UC-523, 1988. pp. 11-1-11-19.
3. Salem, S. L., Wu, J. S. & Apostolakis, G., Decision table development and application to the construction of fault-tree. Nuclear Technol. 42 (1979) 51-64.
4. Poucet, A., CAFFS: computer aided fault tree analysis. Proc. Int. ANS/ENS Topical Meeting on Probabilistic Safety Methods and Applications, San Francisco, 24 February-1 March 1985. Electric Power Research
Institute, Inc. (Vol. 3) pp. 115-1-115-10. 5. Poucet, A., STARS: knowledge based tools for safety
and reliability analysis. Reliab. Enging System Safety, 30 (1990) 379-97.
6. Kafka, P. & Kunitz, H., Computerized systems for high-level information processing and decision-making, PSA. Reliab. Enging System Safety, 30 (1990) 3-20.
7. Sang Hoon Han, Tae Woon Kim, Young Choi & Kun Joong Yoo, Development of a computer code AFFC for fault tree construction using decision table method and super component concept. Reliab. Enging System Safety, 25, (1989) 15-31.
8. Schwarzblat, M., Baker, J. C., Anderson, J. W. & Smith, J. E., PC-FTA: an expert system for fault tree construction. Proc. Int. Conf. Probabilistic Safety Assessment and Management (PSAM) (Vol. 2), 4-7 February 1991, Beverly Hills, CA. Elsevier, New York, pp. 793-9.
9. Takahashi, H., Kitamure, Y., & Takahashi, A., Development of expert systems to support system reliability analysis. Proc. Int. Conf. Probabilistic Safety Assessment and Management (PSAM) (Vol. 2). 4-7 Februray 1991, Beverly Hills, CA. Elsevier, New York. pp. 929-34.
10. Sanmi, M., Fukuda, M., Hasegawa, K. & Kojima, S., Development of the living PSA system for a nuclear power plant. Proc. Conf. Probabilistic Safety Assess- ment and Management (PSAM) (Vol. 2) 4-7 February 1991, Beverly Hills, CA. Elsevier, New York. pp. 1013-18.
11. Vesely, W. E., Goldberg, F. F., Roberts, N. H. & Haasl, D. F., Fault Tree Handbook. U.S. Nuclear Regulatory Commission.
12. Xue, Dazhi et al., Guangdong Nuclear Power Station Probabilistic Safety Assessment: Level 1 System Analysis and Accident Sequence Analysis. Nuclear Safety Tech. Rep. NNSA-0008, Beijing, 1990.