ZBDD algorithm features for an efficient Probabilistic Safety Assessment


Nuclear Engineering and Design 239 (2009) 2085–2092


Woo Sik Jung ∗

Korea Atomic Energy Research Institute, PO Box 105 Yuseong, Daejeon 305-600, South Korea

Article info

Article history: Received 30 March 2009; received in revised form 28 April 2009; accepted 4 May 2009.

Abstract

This paper explains a Zero-suppressed Binary Decision Diagram (ZBDD) algorithm and introduces advanced ZBDD algorithm-based features that are implemented into a fault tree solver Fault Tree Reliability Evaluation eXpert (FTREX). The ZBDD algorithm and its advanced features have been developed for solving a fault tree in Probabilistic Safety Assessment (PSA) of a nuclear power plant. The ZBDD can be interpreted as a factorized structure of minimal cut sets (MCSs). A ZBDD algorithm was developed in 2004 for performing a Boolean operation of ZBDDs. The ZBDD algorithm is based on a set of new ZBDD operation formulae. The ZBDD algorithm is known as an efficient replacement of a cutset-based algorithm that is based on traditional Boolean algebra.

This paper explains how to perform a delete-term operation and a rule-based post-processing of MCSs by the ZBDD algorithm and demonstrates the efficiency of the ZBDD algorithm by performing benchmark tests. By using the ZBDD algorithm in this study, a long run time for (1) solving a fault tree, (2) performing a delete-term operation to handle negates, and (3) performing a rule-based post-processing of MCSs could be significantly reduced. Since the ZBDD algorithm is based on the factorized form of MCSs, it uses much less memory than the cutset-based algorithm.

Due to the small memory requirement of the ZBDD algorithm from solving a fault tree to performing a rule-based post-processing, a much smaller truncation limit can be used than that in the cutset-based algorithm. By lowering the truncation limit, accurate PSA results such as a core damage frequency and importance measures could be calculated by the ZBDD algorithm.

1. Introduction

1.1. Notations

x = random variable or basic event in a fault tree; p(x) = occurrence probability of x; $p_x$ = occurrence probability of x, $p_x = p(x)$; $q_x$ = non-occurrence probability of x, $q_x = 1 - p_x$.

1.2. Cutset-based algorithm

Fault tree analysis is extensively and successfully applied to the risk assessment of safety-critical systems such as nuclear, chemical and aerospace systems. The fault tree analysis is being used together with an event tree analysis in Probabilistic Safety Assessment (PSA) of nuclear power plants. Most of the fault tree analysis methods and software for a PSA are based on the cutset-based algorithm. They generate minimal cut sets (MCSs) from a fault tree by using a traditional Boolean algebra. In a PSA, MCSs for accident sequences are generated from a set of fault trees and event trees. Each MCS represents an accident sequence that results in an undesired condition such as core damage. An accident sequence represents successive failures of components or systems after an initiating event.

∗ Tel.: +82 42 868 2764; fax: +82 42 868 8256. E-mail address: [email protected].

0029-5493/$ – see front matter © 2009 Elsevier B.V. All rights reserved. doi:10.1016/j.nucengdes.2009.05.005

Since the PSA fault trees have a huge size and the number of MCSs grows exponentially with the size of a fault tree, cutset-based fault tree solvers employ approximations in order to overcome high memory requirements and a long computing time. The typical approximations are a truncation (Cepin, 2005; Jung et al., 2005), a rare-event approximation, and a delete-term operation. First, during the MCS calculations of gates in a fault tree, a truncation is performed to discard MCSs that have lower probabilities than a given truncation limit. Second, quantitative top event probabilities/frequencies and importance measures of basic events or equipment failures are computed from the MCSs using the rare-event approximation. Third, the delete-term operation is an approximation to simulate gates or events in fault trees and event trees that are in a successful state.

The other approximate method in a PSA is a post-processing of MCSs. The accident sequence MCSs are post-processed for a realistic analysis of the accident sequences. This post-processing of MCSs is performed in order to delete a physically impossible MCS that has mutually exclusive events and to take into account recovery actions for an accident sequence and the dependencies among the recovery actions.

1.3. ZBDD algorithm

A Zero-suppressed Binary Decision Diagram (ZBDD) was an efficient data structure that encodes MCSs (Minato, 1993). The ZBDD structure is interpreted as a factorized form of MCSs. If a variable factorization order is optimally chosen, MCSs could be encoded into the smallest ZBDD.

A ZBDD algorithm was developed for the Boolean operation between two ZBDDs (Jung et al., 2004) and it was implemented into a fault tree solver Fault Tree Reliability Evaluation eXpert (FTREX) (Jung et al., 2008a). The ZBDD algorithm is based on a set of new ZBDD operation formulae. It is known as an efficient replacement of the cutset-based algorithm that is based on traditional Boolean algebra. The compact ZBDD structure and the simple ZBDD operation formulae made it possible to quickly solve large fault trees with a small truncation limit within limited computational resources. The ZBDD algorithm can more efficiently solve a large fault tree and generate numerous MCSs than the traditional cutset-based algorithm since the ZBDD algorithm handles a factorized form of MCSs. The ZBDD algorithm is one of the important variations of a Binary Decision Diagram (BDD) algorithm.

1.4. BDD algorithm

A BDD algorithm generates a BDD structure from a fault tree. The BDD algorithm calculates an exact top event probability since it does not employ any approximations such as a truncation, a rare-event approximation, and a delete-term operation of negations. A BDD truncation algorithm (Jung et al., 2008b,c) is an exceptional case of a BDD algorithm since it allows BDD truncation.

Fig. 1. Sample fault tree that has a negate.


The BDD (Lee, 1959; Akers, 1978; Bryant, 1986) provides an efficient representation and manipulation of Boolean formulae. BDD has been shown to be an effective tool in diverse fields of computer science and reliability (Bryant, 1992). Bryant popularized the use of the BDD by developing a set of algorithms for an efficient construction and manipulation of BDDs (Akers, 1978). The BDD algorithm has been applied to reliability analysis (Coudert and Madre, 1992; Rauzy, 1993) and the use of BDDs to solve large fault trees and importance measures have been investigated (Coudert and Madre, 1993; Rauzy and Dutuit, 1997; Dutuit and Rauzy, 2001; Epstein and Rauzy, 2005; Jung et al., 2008b,c). The BDD algorithm has become a very popular method to calculate an exact top event probability of a small or intermediate size fault tree.

The size of a BDD structure that is measured by the number of nodes is drastically dependent on the choice of the variable ordering for a BDD construction. In order to solve a large reliability problem within limited computational resources, many attempts have been made, such as heuristic static and dynamic variable ordering schemes, to minimize BDD size. The most recent achievement among the heuristic approaches to optimally choose the initial variable ordering is in (Banov et al., 2008). On the other hand, the new algorithm in (Jung et al., 2008b,c) is the first successful application of a BDD truncation during a BDD calculation.

1.5. Objectives and structure of the paper

Uncertainty in the PSA of nuclear power plants could be classified into parameter uncertainty, model uncertainty, completeness uncertainty, and quantification uncertainty. The first three uncertainties are well described in (Reinert and Apostolakis, 2006). The sources of quantification uncertainty are the truncation, the rare-event approximation, and the delete-term operation. The quantification uncertainty from the truncation has been of great concern in the PSA industry (Cepin, 2005). The truncation of MCSs might result in a significantly underestimated top event probability, and thus inaccurate importance measures.

The efforts for reducing the quantification uncertainty from the truncation have focused on (1) developing measures that estimate the amount of truncated MCS probabilities and (2) developing an efficient algorithm that facilitates the application of a very low truncation limit. As the first effort, considerable progress has been made by developing truncation measures (Cepin, 2005; Jung et al., 2005). On the other hand, the ZBDD algorithm development is one of the second efforts.

Since the ZBDD algorithm is developed on the factorized form of MCSs, it uses much less memory than the cutset-based algorithm. Due to the simple Boolean operation nature and a small memory requirement of the ZBDD algorithm, a much smaller truncation limit can be applied than that in the cutset-based algorithm. Thus, accurate PSA results such as a core damage frequency and importance measures could be calculated by the ZBDD algorithm. By using the ZBDD algorithm for (1) solving a fault tree, (2) performing a delete-term operation to handle negates, and (3) performing a rule-based post-processing of MCSs, a long run time could be easily overcome.

This paper is written to explain the ZBDD algorithm and ZBDD algorithm-based features such as a rule-based post-processing and a delete-term operation for negates. This paper is structured in four parts. First, this paper compares typical fault tree solving methods of a cutset-based algorithm and a BDD algorithm in Section 2. Second, a delete-term operation that is implemented by the ZBDD algorithm is explained in Section 3. Third, a rule-based post-processing that is based on the ZBDD algorithm is explained in Section 4. Last, benchmark test results to demonstrate the ZBDD algorithm efficiency are summarized in Section 5.

2. Typical fault tree solving methods

2.1. Ideal cutset-based algorithm to solve negates

Let us solve a fault tree in Eq. (1). The sample fault tree is depicted in Fig. 1.

$$
\begin{aligned}
G_0 &= G_1 \overline{G_2} \\
G_1 &= G_3 + e \\
G_2 &= bd \\
G_3 &= G_4 G_5 \\
G_4 &= a + b + c \\
G_5 &= a + d + e .
\end{aligned} \quad (1)
$$

The fault tree is solved in a bottom-up or top-down way and negates are expanded at the last stage. The fault tree in Eq. (1) has a solution in Eq. (2).

$$
\begin{aligned}
G_0 &= G_1 \overline{G_2} \\
&= (G_3 + e)\,\overline{G_2} \\
&= \big((a + ad + ae + ab + ac + bd + be + cd + ce) + e\big)\,\overline{bd} \\
&= (a + bd + be + cd + ce + e)\,\overline{bd} \\
&= (a + e + bd + cd)(\overline{b} + \overline{d}) \\
&= (a + e + cd)(\overline{b} + \overline{d}).
\end{aligned} \quad (2)
$$

Here, please note that subsets {ad, ae, ab, ac} are subsumed into a superset {a}. The terms {be, ce} are subsumed into {e}. When the Boolean equation $\overline{bd}$ is expanded, DeMorgan's law is applied and cutsets that have logically impossible state combinations such as $b\overline{b}$ and $d\overline{d}$ are deleted.

2.2. Practical cutset-based algorithm to solve negates

In the conventional fault tree analysis, the complex Boolean algebra to solve negates takes a very long time. Therefore, a delete-term operation is employed in order to obtain an approximate solution. All cutset-based fault tree solvers for a PSA of a nuclear power plant are using the delete-term operation to quickly solve a fault tree that has negates.

The delete-term operation is based on the fact that the event $G_1 \overline{G_2}$ cannot occur when $G_2$ is in a TRUE state. The following are illustrations of a delete-term operation. When the fault tree that has a negate is solved with popular fault tree solvers in the nuclear industry, the delete-term operation is performed at the last stage of the calculation.

$$ G_0 = G_1 \overline{G_2} = (a + e + bd + cd) \cdot \overline{G_2}. \quad (3) $$

The delete-term operation is performed on the four temporary cutsets $\{a \cdot \overline{G_2},\ e \cdot \overline{G_2},\ bd \cdot \overline{G_2},\ cd \cdot \overline{G_2}\}$.

1. The cutset {bd} is deleted since failed b and d make $G_2$ in a TRUE state. In other words, subsets in $G_1$ are deleted if $G_2$ has a superset.

2. The cutsets {a, e, cd} are selected as MCSs since they do not make $G_2$ in a TRUE state.

3. Finally, {a, e, cd} remain as final MCSs as

$$ G_0 \approx a + e + cd. \quad (4) $$

It is a typical example of a delete-term operation. When a rare-event approximation is assumed, that is, the event probabilities are very small, the top event probabilities calculated by Eqs. (2) and (4) are very close.

2.3. BDD algorithm

The typical BDD algorithm except for the BDD truncation algorithm (Jung et al., 2008b,c) does not employ any approximations such as a truncation, a rare-event approximation, and a delete-term operation of negations. Thus, the BDD algorithm calculates an exact top event probability. Since the BDD algorithm consumes a large amount of run time and memory, it has been a very difficult task to solve a large fault tree with the BDD algorithm.

The Shannon decomposition is succinctly defined in terms of the ternary If-Then-Else (ITE) connectives as

$$ f = \mathrm{ite}(x, f_1, f_0) = x \cdot f_1 + \overline{x} \cdot f_0. \quad (5) $$

The BDD operation is recursively performed on a higher priority variable x as

$$
\begin{aligned}
\mathrm{ite}(x, L_1, R_1) \cdot \mathrm{ite}(x, L_2, R_2) &= \mathrm{ite}(x, L_1 L_2, R_1 R_2) \\
\mathrm{ite}(x, L_1, R_1) + \mathrm{ite}(x, L_2, R_2) &= \mathrm{ite}(x, L_1 + L_2, R_1 + R_2) \\
\mathrm{ite}(x, L_1, R_1) \cdot \mathrm{ite}(y, L_2, R_2) &= \mathrm{ite}(x, L_1 h, R_1 h) \\
\mathrm{ite}(x, L_1, R_1) + \mathrm{ite}(y, L_2, R_2) &= \mathrm{ite}(x, L_1 + h, R_1 + h)
\end{aligned} \quad (6)
$$

where x and y are two variables with a variable ordering x < y and $h = \mathrm{ite}(y, L_2, R_2)$.

The exact probability of a BDD structure $f = \mathrm{ite}(x, f_1, f_0)$ is recursively calculated by using the equation

$$ p(f) = p_x \times p(f_1) + (1 - p_x) \times p(f_0). \quad (7) $$

The BDD algorithm solves a fault tree in a bottom-up way and generates BDD structures. When the fault tree in Fig. 1 is solved by the BDD algorithm in Eq. (6) with an alphabetical variable ordering a < b < c < d < e, the BDD structures become

$$ G_1 = \mathrm{ite}(a, 1, \mathrm{ite}(b, \mathrm{ite}(d, 1, \mathrm{ite}(e, 1, 0)), \mathrm{ite}(c, \mathrm{ite}(d, 1, \mathrm{ite}(e, 1, 0)), \mathrm{ite}(e, 1, 0)))). \quad (8) $$

$$ G_2 = \mathrm{ite}(b, \mathrm{ite}(d, 1, 0), 0). \quad (9) $$

$$ \overline{G_2} = \mathrm{ite}(b, \mathrm{ite}(d, 0, 1), 1). \quad (10) $$

Then, the top event $G_0 = G_1 \overline{G_2}$ is solved by recursively combining two BDDs in Eqs. (8) and (10) according to the BDD formulae in Eq. (6) and the following BDD is calculated.

$$ G_0 = \mathrm{ite}(a, \mathrm{ite}(b, \mathrm{ite}(d, 0, 1), 1), \mathrm{ite}(b, \mathrm{ite}(d, 0, \mathrm{ite}(e, 1, 0)), \mathrm{ite}(c, \mathrm{ite}(d, 1, \mathrm{ite}(e, 1, 0)), \mathrm{ite}(e, 1, 0)))). \quad (11) $$

The expanded form of the BDD in Eq. (11) is $ab\overline{d} + a\overline{b} + \overline{a}b\overline{d}e + \overline{a}\,\overline{b}cd + \overline{a}\,\overline{b}c\overline{d}e + \overline{a}\,\overline{b}\,\overline{c}e$.

The BDD structures in Eqs. (8)–(11) are depicted in Fig. 2. According to the variable ordering a < b < c < d < e, a variable a is located in the highest position and e is in the lowest position in the BDD structure. Each BDD node that has a circular shape has a pair of failed and successful states. The solid and dashed lines from a node denote failed and successful states of a node, respectively. The terminal nodes of a BDD structure are always one of two terminal nodes labeled 0 or 1. They are square boxes in Fig. 2 where 1 and 0 denote failed and successful states, respectively. The exact probability of a BDD structure in Fig. 2d is recursively calculated by using Eq. (7) as

$$ p(G_0) = p_a (p_b q_d + q_b) + q_a \big(p_b q_d p_e + q_b (p_c (p_d + q_d p_e) + q_c p_e)\big). \quad (12) $$
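As an added illustration of Section 2.3 (example code written for this page, not the author's FTREX implementation), the following Python builds reduced BDDs for the fault tree of Eq. (1) with the operation rules of Eq. (6), negates $G_2$ exactly instead of applying a delete-term operation, and evaluates Eq. (7). The nested-tuple node encoding, the variable ordering by plain character comparison and the uniform event probability of 0.1 are assumptions made here; the brute-force sum over all 32 state combinations is added only to confirm Eq. (12).

```python
from functools import lru_cache
from itertools import product

ZERO, ONE = 0, 1  # terminal nodes; f = ite(x, f1, f0) = x*f1 + not(x)*f0 is the Shannon form of Eq. (5)

def ite(x, f1, f0):  # a node whose two branches are equal is redundant and is dropped
    return f1 if f1 == f0 else (x, f1, f0)

def top(f):  # top variable of a node; terminals rank after every variable ('~' > 'z')
    return f[0] if isinstance(f, tuple) else "~"

@lru_cache(maxsize=None)
def bdd_op(op, f, g):
    """AND ('*') or OR ('+') of two BDDs, recursing on the higher-priority variable as in Eq. (6)."""
    if not isinstance(f, tuple) and not isinstance(g, tuple):  # both terminals
        return int(f and g) if op == "*" else int(f or g)
    if top(f) > top(g):  # both operations are commutative, so keep the smaller variable on top
        f, g = g, f
    x, L1, R1 = f
    if top(g) == x:  # same variable on top: combine like branches
        return ite(x, bdd_op(op, L1, g[1]), bdd_op(op, R1, g[2]))
    return ite(x, bdd_op(op, L1, g), bdd_op(op, R1, g))  # x < y: g plays the part of h = ite(y, L2, R2)

@lru_cache(maxsize=None)
def negate(f):  # complement of a BDD: swap the terminals it reaches
    if not isinstance(f, tuple):
        return 1 - f
    x, f1, f0 = f
    return ite(x, negate(f1), negate(f0))

def prob(f, p):
    """Exact top event probability of Eq. (7): p(f) = p_x * p(f1) + (1 - p_x) * p(f0)."""
    if not isinstance(f, tuple):
        return float(f)
    x, f1, f0 = f
    return p[x] * prob(f1, p) + (1 - p[x]) * prob(f0, p)

def gate(op, *inputs):  # solve one gate bottom-up from the BDDs of its inputs
    f = inputs[0]
    for g in inputs[1:]:
        f = bdd_op(op, f, g)
    return f

def solve_sample_tree():
    """Fault tree of Eq. (1) with ordering a < b < c < d < e; returns the BDDs of Eqs. (8), (10), (11)."""
    a, b, c, d, e = ((x, ONE, ZERO) for x in "abcde")
    G3 = gate("*", gate("+", a, b, c), gate("+", a, d, e))
    G1, G2 = gate("+", G3, e), gate("*", b, d)
    not_G2 = negate(G2)                       # the negate of Fig. 1 is handled exactly, no delete-term
    return G1, not_G2, gate("*", G1, not_G2)  # G0 = G1 * not(G2)

def brute_force(p):
    """Cross-check of Eq. (12): sum the probability of every state combination that fails G0."""
    total = 0.0
    for states in product((0, 1), repeat=5):
        a, b, c, d, e = states
        g3 = (a or b or c) and (a or d or e)
        if (g3 or e) and not (b and d):
            weight = 1.0
            for x, s in zip("abcde", states):
                weight *= p[x] if s else 1 - p[x]
            total += weight
    return total
```

With every event at probability 0.1 the exact value from Eq. (7) is 0.19539, whereas the rare-event sum over the delete-term MCSs of Eq. (4), a + e + cd, gives 0.21; the difference is the quantification uncertainty that Section 1.5 attributes to the rare-event approximation and the delete-term operation.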

Fig. 2. BDD solutions of the sample fault tree. (a) BDD for $G_1 = a + \overline{a}\big(b(d + \overline{d}e) + \overline{b}(c(d + \overline{d}e) + \overline{c}e)\big)$, (b) BDD for $G_2 = bd$, (c) BDD for $\overline{G_2} = \overline{b} + b\overline{d}$, and (d) BDD for $G_0 = G_1\overline{G_2} = a(b\overline{d} + \overline{b}) + \overline{a}\big(b\overline{d}e + \overline{b}(c(d + \overline{d}e) + \overline{c}e)\big)$.

3. ZBDD algorithm and delete-term operation

A ZBDD is an efficient data structure that encodes MCSs as a factorized form of MCSs. The ZBDD is a Boolean structure that consists of recursively connected ITEs. The ZBDD ITE is interpreted as

$$ f = \mathrm{ite}(x, f_1, f_0) = x \cdot f_1 + f_0. \quad (13) $$

Please note the difference of the BDD and ZBDD ITEs in Eqs. (5) and (13). By optimally choosing the factorization order, that is, a ZBDD variable ordering, the ZBDD size can be minimized significantly.

A set of the special formulae for Boolean operations for two ZBDDs was developed by Jung et al. (2004). A Boolean operation for two ZBDDs is performed by using the formulae in Eq. (14). If x and y are two variables with a variable ordering x < y, then the following equalities hold for coherent fault trees.

$$
\begin{aligned}
\mathrm{ite}(x, L_1, R_1) \cdot \mathrm{ite}(x, L_2, R_2) &= \mathrm{ite}(x, (L_1 L_2 + L_1 R_2 + R_1 L_2), R_1 R_2) \\
\mathrm{ite}(x, L_1, R_1) + \mathrm{ite}(x, L_2, R_2) &= \mathrm{ite}(x, (L_1 + L_2), (R_1 + R_2)) \\
\mathrm{ite}(x, L_1, R_1) \cdot \mathrm{ite}(y, L_2, R_2) &= \mathrm{ite}(x, L_1 h, R_1 h) \\
\mathrm{ite}(x, L_1, R_1) + \mathrm{ite}(y, L_2, R_2) &= \mathrm{ite}(x, L_1, (R_1 + h))
\end{aligned} \quad (14)
$$

where $h = \mathrm{ite}(y, L_2, R_2)$. Here, please note that the first and last equations in Eq. (14) differ from the operations in the conventional BDD algorithm in Eq. (6).

In order to maintain minimal solutions in a ZBDD structure, a subsuming is performed whenever a gate is solved. The subsuming is recursively performed from the root ITE to the child ITE connectives by comparing the left and right ITE connectives. Let us consider recursive ITE connectives

$$
\begin{aligned}
F &= \mathrm{ite}(t, G, H) = t \cdot G + H \\
G &= \mathrm{ite}(x, G_1, G_2) \\
H &= \mathrm{ite}(y, H_1, H_2).
\end{aligned} \quad (15)
$$

In order to obtain MCSs of F, a subsuming operation $G \backslash H$ is performed. A subset is always located in the left ITE connectives due to the ZBDD ITE definition in Eq. (13). A cutset in G is deleted if H has its superset. Rauzy (1993) proposed an efficient subsuming operation in Eq. (16).

$$
\mathrm{Subsume}(G, H) = G \backslash H =
\begin{cases}
\mathrm{ite}(x, G_1 \backslash H, G_2 \backslash H), & x < y \\
G \backslash H_2, & x > y \\
\mathrm{ite}(x, G_1 \backslash (H_1 \text{ or } H_2), G_2 \backslash H_2), & x = y .
\end{cases} \quad (16)
$$

The term $G_1 \backslash (H_1 \text{ or } H_2)$ in the last case denotes that each cutset in $G_1$ is tested and deleted if $H_1$ or $H_2$ has its superset.

A coherent fault tree is solved with a truncation limit in a bottom-up way by using Eqs. (14) and (16). The sum of MCS probabilities is calculated by recursively calculating the following equation:

$$ p_x \times p(f_1) + p(f_0). \quad (17) $$

The ZBDD algorithm is an important variation of the BDD algorithm and it quickly solves a large fault tree with a truncation limit. If a MCS probability is less than a truncation limit, it is deleted during the ZBDD calculation. The ZBDD algorithm (Jung et al., 2004) and its software FTREX (Jung et al., 2008a) were developed to overcome huge memory requirements and a long run time. Benchmark tests (Jung et al., 2004) were performed to demonstrate the efficiency of the ZBDD algorithm. In view of the short computation time and small memory usage of a ZBDD algorithm, the ZBDD algorithm is much more efficient than the cutset-based algorithms that are based on the traditional Boolean algebra.

If the fault tree in Fig. 1 is solved with an alphabetical variable ordering a < b < c < d < e by the ZBDD algorithm, the final ZBDDs for the gates $G_1$ and $G_2$ are

$$ G_1 = \mathrm{ite}(a, 1, \mathrm{ite}(b, \mathrm{ite}(d, 1, 0), \mathrm{ite}(c, \mathrm{ite}(d, 1, 0), \mathrm{ite}(e, 1, 0)))). \quad (18) $$

$$ G_2 = \mathrm{ite}(b, \mathrm{ite}(d, 1, 0), 0). \quad (19) $$

The delete-term operation to approximate $G_0 = G_1 \overline{G_2}$ could be accomplished by the subsuming operation in Eq. (16).

$$ G_0 = G_1 \overline{G_2} \approx G_1 \backslash G_2 = \mathrm{ite}(a, 1, \mathrm{ite}(c, \mathrm{ite}(d, 1, 0), \mathrm{ite}(e, 1, 0))). \quad (20) $$

Please note that the ZBDD in Eq. (20) has the same three MCSs as those in Eq. (4)

$$ G_0 \approx a + e + cd. \quad (21) $$


The ZBDD structures in Eqs. (18)–(20) are depicted in Fig. 3. Variables a and e are located in the highest and lowest positions in the ZBDD structure according to the predetermined variable ordering a < b < c < d < e, respectively.

The subsuming operation in Eq. (16) is performed whenever a ZBDD for each gate is calculated in order to maintain the smallest ZBDD in the computational memory. A subsuming operation is illustrated in Fig. 4. The two ZBDDs for $G_1$ in Fig. 4a and b are identical Boolean equations, but the ZBDD in Fig. 4a has subsets {be, ce} of {e}. If a ZBDD in Fig. 4a is generated during the calculation, a subsumed ZBDD in Fig. 4b is obtained by the subsuming operation in Eq. (16).

Fig. 3. ZBDD solutions of the sample fault tree. (a) ZBDD for $G_1 = a + e + bd + cd$, (b) ZBDD for $G_2 = bd$, and (c) ZBDD for $G_0 = G_1 \overline{G_2} \approx G_1 \backslash G_2 = a + e + cd$.

Fig. 4. Example of ZBDD subsuming. (a) ZBDD for $G_1 = a + bd + be + cd + ce + e$ and (b) ZBDD for $G_1 = a + bd + cd + e$.

4. ZBDD algorithm and rule-based post-processing

4.1. Rule-based post-processing

The accident sequence MCSs can be post-processed for a realistic analysis of the accident sequences. This post-processing of MCSs is manually or automatically performed in order (1) to delete a physically impossible MCS that has mutually exclusive events and (2) to take into account recovery actions in a MCS and dependencies among the recovery actions. Generally, a rule-based post-processing is performed to handle many MCSs. A set of rules is developed by examining MCSs, and then a post-processing is automatically performed by applying the set of rules to MCSs with a specialized tool.

Two or more events are said to be mutually exclusive if the occurrence of any one of them excludes the occurrence of the others. The term mutually exclusive events refers to two or more basic events that appear in a single cut set which logically should not appear together. Generally, mutually exclusive events should not appear together in a single cut set for one of two reasons. First, plant operating restrictions such as Technical Specifications may prevent two components from being out of service at the same time. Second, other general logic modeling concerns may lead the analyst to remove specific combinations of events. During the PSA logic modeling phase, the analyst may or may not recognize that certain combinations of mutually exclusive events will appear in the same MCS. A PSA analyst could refine a fault tree model so that mutually exclusive events will not appear in the same MCS. However, some unrecognized mutually exclusive events may not be evident until the analyst generates and evaluates the system or sequence cut sets. Thus, the post-processing to delete physically impossible MCSs is inevitable.

In order to model the PSA accident sequences as accurately as practical, operator actions that could prevent the accident sequence are reflected to MCSs by using recovery events. The recovery events represent the probability that the operator or operators fail to successfully prevent the accident by restoring one or more of the failed components in the MCSs. The recovery events are frequently called the non-recovery probability events. In a PSA, operator actions that could prevent an accident sequence may not be specifically included in the logic models. To model the accident sequences as accurately as practically possible, a reliability analyst applies recovery events to the appropriate MCSs. These recovery events denote the failure of a recovery action.

4.2. ZBDD algorithm for the rule-based post-processing

Let us illustrate a rule-based post-processing. A sample Boolean equation is given in Eq. (22) that is a general expression when Boolean equations for a condition and an exception are given in Eqs. (23) and (24).

$$ S = ab \cdot (de \cdot T + f \cdot U + V) + c \cdot (de \cdot W + f \cdot X + Y) + Z \quad (22) $$

$$ \text{Condition } C = ab + c \quad (23) $$

$$ \text{Exception } E = de + f. \quad (24) $$

Here, the variables a, b, c, d, e, and f are basic events and T, U, V, W, X, Y, and Z are functions of variables g–z. Since the Boolean equations in Eqs. (22)–(24) are simple, a new Boolean equation that satisfies the conditions C and E in Eqs. (23) and (24) could be manually derived as

$$ S_{CE} = ab \cdot V + c \cdot Y. \quad (25) $$

If the Boolean equations in Eqs. (22)–(24) are expanded Boolean equations, that is, expanded MCSs, all MCSs should be examined one by one and lots of comparisons should be performed. Thus, the actual calculation of $S_{CE}$ in Eq. (25) takes a very long time.

This study introduces a very simple rule-based post-processing that is based on the ZBDD algorithm. If the MCSs exist as a ZBDD structure, that is, a factorized MCS form, the rule-based post-processing could be performed in a simple way by the ZBDD subsuming operation in Eq. (16) and ZBDD formulae in Eq. (14).

When an alphabetical variable ordering a < b < c < ··· < y < z is applied, ZBDD structures for Eqs. (22)–(24) could be depicted in Fig. 5. A rule-based post-processing should be performed with a new ZBDD that satisfies the conditions C and E. The creation of the new ZBDD structure that satisfies the conditions C and E could be accomplished by using the subsuming operation in Eq. (16). A ZBDD structure $S_C$ that satisfies the condition in Eq. (23) could be calculated by performing the subsuming operation in Eq. (16) twice

$$ S_{\overline{C}} = S \backslash C = Z. \quad (26) $$

$$ S_C = S \backslash S_{\overline{C}} = ab \cdot (de \cdot T + f \cdot U + V) + c \cdot (de \cdot W + f \cdot X + Y). \quad (27) $$

The ZBDD $S_C$ that satisfies Eq. (23) could be divided into two ZBDDs $S_{CE}$ and $S_{C\overline{E}}$. A ZBDD $S_{CE}$ that satisfies C and E is obtained by performing the subsuming operation $S_C \backslash E$ as

$$ S_{CE} = S_C \backslash E = ab \cdot V + c \cdot Y. \quad (28) $$

$$ S_{C\overline{E}} = S_C \backslash S_{CE} = ab \cdot (de \cdot T + f \cdot U) + c \cdot (de \cdot W + f \cdot X). \quad (29) $$

Fig. 5. Sample ZBDDs for the rule-based post-processing. (a) $S = ab \cdot (de \cdot T + f \cdot U + V) + c \cdot (de \cdot W + f \cdot X + Y) + Z$. Variable ordering = a < b < c < ··· < y < z. T, U, ..., Z = functions of variables g to z, (b) condition $C = ab + c$, (c) exception $E = de + f$, and (d) $S_{CE} = S_C \backslash E = ab \cdot V + c \cdot Y$.

Table 1. OPR1000 PSA model.

Single top fault tree: number of total gates 4,838; number of total events 2,452; number of negates 239; number of initiators 28.

Post-processing rules: number of total rules 128; number of rules for adding operation 10; number of rules for replacing operation 115; number of rules for deleting operation 3.

Since $S = S_{\overline{C}} + S_C$ and $S_C = S_{CE} + S_{C\overline{E}}$, the main ZBDD S in Eq. (22) could be expressed as

$$
\begin{aligned}
S &= S_{\overline{C}} + (S_{CE} + S_{C\overline{E}}) \\
&= S_{CE} + (S_{\overline{C}} + S_{C\overline{E}}) \\
&= S_{CE} + Z + ab \cdot (de \cdot T + f \cdot U) + c \cdot (de \cdot W + f \cdot X).
\end{aligned} \quad (30)
$$

A new ZBDD $S^{New}_{CE}$ is calculated by performing rule-based post-processing operations on $S_{CE}$, and a new $S^{New}$ is obtained as a post-processed ZBDD.

$$ S^{New} = S^{New}_{CE} + Z + ab \cdot (de \cdot T + f \cdot U) + c \cdot (de \cdot W + f \cdot X). \quad (31) $$

The following are typical post-processing examples for $S^{New}_{CE}$ and $S^{New}$ such as an addition of recovery events, a replacement of some events, and an elimination of mutually exclusive events. Please note that the arbitrary Boolean equation R in Eqs. (32)–(35) has a ZBDD structure, and the new ZBDDs $S^{New}_{CE}$ and $S^{New}$ in Eqs. (32)–(35) are recursively calculated by the ZBDD formulae in Eq. (14).

1. Add an arbitrary Boolean equation R to $S_{CE}$.

$$ S^{New}_{CE} = R \cdot S_{CE} = ab \cdot R \cdot V + c \cdot R \cdot Y. \quad (32) $$

$$ S^{New} = ab \cdot R \cdot V + c \cdot R \cdot Y + Z + ab \cdot (de \cdot T + f \cdot U) + c \cdot (de \cdot W + f \cdot X). \quad (33) $$

2. Replace {ab} or {c} in $S_{CE}$ with an arbitrary Boolean equation R. After removing {ab} or {c} in the ZBDD structure $S_{CE}$, the arbitrary Boolean equation R is added to (V + Y).

$$ S^{New}_{CE} = R \cdot (V + Y). \quad (34) $$

$$ S^{New} = R \cdot (V + Y) + Z + ab \cdot (de \cdot T + f \cdot U) + c \cdot (de \cdot W + f \cdot X). \quad (35) $$

3. Delete cutsets that satisfy the conditions C and E.

$$ S^{New}_{CE} = \varnothing. \quad (36) $$

$$ S^{New} = Z + ab \cdot (de \cdot T + f \cdot U) + c \cdot (de \cdot W + f \cdot X). \quad (37) $$

As illustrated with sample ZBDDs, the rule-based post-processing with ZBDDs could be very quickly performed since all operations for the post-processing are performed without expanding ZBDDs.
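The following Python block is an added example (neither the paper's nor FTREX's code) that implements Section 3 and Section 4.2 together: the ZBDD operations of Eq. (14), Rauzy's subsuming of Eq. (16), the probability sum of Eq. (17), the delete-term operation of Eq. (20), and the condition/exception splitting of Eqs. (26)–(29) followed by post-processing rules 1 and 3 (Eqs. 33 and 37). It assumes nodes encoded as nested tuples with the terminal constants ZERO and ONE, alphabetical ordering by plain character comparison and, to keep the sample concrete, that the functions T–Z of Eq. (22) and the recovery equation R of Eq. (32) stand in as single basic events t–z and r.

```python
from functools import lru_cache

ZERO, ONE = 0, 1  # terminals: ONE holds only the empty cutset, ZERO is the empty family

def ite(x, f1, f0):  # ZBDD node x*f1 + f0 (Eq. 13); zero-suppression turns x*0 + f0 into f0
    return f0 if f1 == ZERO else (x, f1, f0)

def top(f):  # top variable of a node; terminals rank after every variable ('~' > 'z')
    return f[0] if isinstance(f, tuple) else "~"

@lru_cache(maxsize=None)
def add(f, g):
    """Union of two cutset families: the '+' rules of Eq. (14)."""
    if f == ZERO or f == g:
        return g
    if g == ZERO:
        return f
    if top(f) > top(g):  # commutative, so keep the higher-priority variable on top
        f, g = g, f
    x, L1, R1 = f
    if top(g) == x:
        return ite(x, add(L1, g[1]), add(R1, g[2]))
    return ite(x, L1, add(R1, g))

@lru_cache(maxsize=None)
def mul(f, g):
    """Product of two cutset families: the '*' rules of Eq. (14)."""
    if ZERO in (f, g):
        return ZERO
    if ONE in (f, g):
        return g if f == ONE else f
    if top(f) > top(g):
        f, g = g, f
    x, L1, R1 = f
    if top(g) == x:
        _, L2, R2 = g
        return ite(x, add(add(mul(L1, L2), mul(L1, R2)), mul(R1, L2)), mul(R1, R2))
    return ite(x, mul(L1, g), mul(R1, g))

@lru_cache(maxsize=None)
def subsume(G, H):
    """Rauzy's G\\H of Eq. (16): drop each cutset of G that contains some cutset of H."""
    if ZERO in (G, H):
        return G
    if H == ONE:  # the empty cutset is contained in every cutset
        return ZERO
    if G == ONE or top(G) > top(H):  # only the branch of H without its top variable can apply
        return subsume(G, H[2])
    x, G1, G2 = G
    if x < top(H):
        return ite(x, subsume(G1, H), subsume(G2, H))
    _, H1, H2 = H  # x == y: G1 is tested against H1 and H2, G2 against H2 only
    return ite(x, subsume(subsume(G1, H1), H2), subsume(G2, H2))

def minimize(F):
    """Keep only minimal cutsets: F = ite(t, G, H) becomes ite(t, G\\H, H), recursively (Eq. 15)."""
    if F in (ZERO, ONE):
        return F
    t, G, H = F
    G, H = minimize(G), minimize(H)
    return ite(t, subsume(G, H), H)

def prob(f, p):
    """Sum of MCS probabilities, Eq. (17): p(f) = p_x * p(f1) + p(f0)."""
    if f in (ZERO, ONE):
        return float(f)
    x, f1, f0 = f
    return p[x] * prob(f1, p) + prob(f0, p)

def mcs(f):  # expand a ZBDD into its cutsets as sorted strings, e.g. ['a', 'cd', 'e']
    if f in (ZERO, ONE):
        return [""] if f == ONE else []
    x, f1, f0 = f
    return sorted({"".join(sorted(x + c)) for c in mcs(f1)} | set(mcs(f0)))

def family(*cutsets):
    """Build a minimal ZBDD from cutsets written as strings: family('ab', 'c') = ab + c."""
    f = ZERO
    for cs in cutsets:
        term = ONE
        for ch in cs:
            term = mul(term, ite(ch, ONE, ZERO))
        f = add(f, term)
    return minimize(f)

def solve_sample_tree():
    """Fault tree of Eq. (1) with ordering a < b < c < d < e; returns the ZBDDs of Eqs. (18)-(20)."""
    G4, G5, e = family("a", "b", "c"), family("a", "d", "e"), family("e")
    G1 = minimize(add(minimize(mul(G4, G5)), e))  # G3 = G4*G5, G1 = G3 + e, subsumed gate by gate
    G2 = family("bd")
    return G1, G2, subsume(G1, G2)  # G0 ~ G1\G2, the delete-term operation for G1 * not(G2), Eq. (20)

def post_process_sample():
    """Eqs. (22)-(29) plus rules 1 and 3 (Eqs. 33, 37); T..Z are taken as single events t..z."""
    S = family("abdet", "abfu", "abv", "cdew", "cfx", "cy", "z")  # Eq. (22) as expanded cutsets
    C, E = family("ab", "c"), family("de", "f")  # condition (23) and exception (24)
    S_notC = subsume(S, C)  # Eq. (26): cutsets that do not satisfy the condition
    S_C = subsume(S, S_notC)  # Eq. (27): cutsets that satisfy the condition
    S_CE = subsume(S_C, E)  # Eq. (28): ... and do not hit the exception
    S_CnotE = subsume(S_C, S_CE)  # Eq. (29)
    rest = add(S_notC, S_CnotE)  # the part of S the rules leave untouched, Eqs. (30)-(31)
    S_add = minimize(add(mul(family("r"), S_CE), rest))  # rule 1: add recovery event r, Eq. (33)
    return {"S_notC": mcs(S_notC), "S_C": mcs(S_C), "S_CE": mcs(S_CE), "S_CnotE": mcs(S_CnotE),
            "S_add": mcs(S_add), "S_delete": mcs(rest)}  # rule 3 drops S_CE entirely, Eq. (37)
```

Running the block reproduces Eqs. (18)–(21): mcs(G1) is ['a', 'bd', 'cd', 'e'], mcs(G2) is ['bd'] and the delete-term result mcs(G0) is ['a', 'cd', 'e']; for the post-processing sample, S_notC is ['z'], S_CE is ['abv', 'cy'] and rule 1 with a recovery event r yields ['abdet', 'abfu', 'abrv', 'cdew', 'cfx', 'cry', 'z']. Every rule is applied by subsume, add and mul on the factorized structure, and the expanded cutsets are produced only at the end by mcs, which is the point made in Section 5 about keeping the ZBDD through the whole calculation.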

Table 2. OPR1000 calculation.

Truncation limit | Calculation | Accumulated run time (s) | Number of MCSs (a) | Core damage frequency (reactor-year)^−1
1.0 × 10^−11 | Before delete-term operation | 1.92 | 69,325 | Not applicable
1.0 × 10^−11 | Before post-processing | 4.17 | 21,569 | 6.9045 × 10^−6
1.0 × 10^−11 | Final | 4.77 | 14,935 | 5.6586 × 10^−6
1.0 × 10^−12 | Before delete-term operation | 3.48 | 307,418 | Not applicable
1.0 × 10^−12 | Before post-processing | 11.88 | 100,409 | 7.1468 × 10^−6
1.0 × 10^−12 | Final | 13.36 | 68,889 | 5.8286 × 10^−6
1.0 × 10^−13 | Before delete-term operation | 7.58 | 1,163,546 | Not applicable
1.0 × 10^−13 | Before post-processing | 41.20 | 387,442 | 7.2358 × 10^−6
1.0 × 10^−13 | Final | 48.34 | 261,520 | 5.8928 × 10^−6
1.0 × 10^−14 | Before delete-term operation | 18.00 | 4,248,049 | Not applicable
1.0 × 10^−14 | Before post-processing | 160.53 | 1,397,567 | 7.2673 × 10^−6
1.0 × 10^−14 | Final | 181.85 | 924,596 | 5.9151 × 10^−6

(a) The number of MCSs could be calculated from a ZBDD structure, since a ZBDD is a factorized form of MCSs.

5. FTREX and benchmark tests

FTREX provides a significant improvement in the quantification speed for large PSA fault trees even with a small size memory. As an independent fault tree solver, FTREX can be used together with a number of PSA software packages and online risk monitoring systems. Currently, FTREX has an interface with two PSA tools AIMS (Han et al., 2008) and EPRI R&R Workstation tools (EPRI, 2008).

Boolean operations with MCSs when (1) solving a fault tree, (2) performing a delete-term operation to handle negates, and (3) performing a rule-based post-processing take a very long time, since all MCSs should be examined one by one and lots of comparisons should be performed.

The simple ZBDD algorithm nature and features that are explained in this study could be an excellent solution to overcome a long run time of the cutset-based algorithm. The following are important FTREX calculation procedures to solve a fault tree that has negates and to perform a rule-based post-processing. Please note that a ZBDD structure is maintained during the whole calculation and it is expanded into the final MCSs at the last stage.

1. Solve negates first with Eqs. (14) and (16).

2. Solve a top event with Eqs. (14) and (16). Here, negates are treated as basic events.

3. Perform a delete-term procedure with Eq. (16) in order to simulate negates. Here, negates exist as basic events in a ZBDD structure of a top event.

4. Perform a rule-based post-processing with Eq. (16).

5. Calculate a top event probability with Eq. (17).

6. Transform the final ZBDD structure of a top event into expanded MCSs.

In order to demonstrate the efficiency of the proposed methods, a PSA model of an Optimized Power Reactor (OPR1000) (KEPCO, 2004) was solved. The OPR1000 is a 1000 MWe pressurized water reactor located at the Korean coastline. As listed in Table 1, a fault tree for the internal core damage has 4838 gates, 2452 events, 239 negates, and 28 initiators. The OPR1000 PSA model has 128 rules for the post-processing of MCSs. Since some Boolean components of the rules are complex Boolean equations, lots of MCSs are affected by the rules.

Test calculation results with truncation limits 1.0 × 10^−11 to 1.0 × 10^−14 are listed in Table 2. Since the rule-based post-processing is performed with a ZBDD structure, its running time is very small. The delete-term operation takes relatively longer time than the other calculations since the OPR1000 model has many negates.

6. Conclusions

There exist four uncertainties such as parameter uncertainty, model uncertainty, completeness uncertainty, and quantification uncertainty in the PSA. The quantification uncertainty results from the truncation, the rare-event approximation, and the delete-term operation. The uncertainty from the truncation could be reduced by developing an efficient algorithm that facilitates the application of a very low truncation limit. The ZBDD algorithm in this study is one of the efforts that reduce the quantification uncertainty from the truncation.

Since the ZBDD algorithm is based on the factorized form of MCSs, it uses much less memory than the cutset-based algorithm. Due to the small memory requirement of the ZBDD algorithm, a huge fault tree can be solved with a very small truncation limit. Thus, accurate PSA results such as a core damage frequency and importance measures could be calculated by the ZBDD algorithm.

Boolean operations with MCSs in the cutset-based algorithm take a very long time, since all MCSs should be examined one by one and lots of comparisons should be performed. The simple ZBDD algorithm nature and features that are explained in this study could be excellent solutions to overcome a long run time of the cutset-based algorithm when (1) solving a fault tree, (2) performing a delete-term operation to handle negates, and (3) performing a rule-based post-processing of MCSs. Please note that the most efficient way to save memory is to maintain a ZBDD structure during the whole calculation and expand it into the final MCSs at the last stage.

MCSs could be calculated by the traditional cutset-based algorithm or the ZBDD algorithm. Although the MCSs are generated with a traditional cutset-based algorithm, a rule-based post-processing could be efficiently performed with a ZBDD structure after converting the MCSs into a ZBDD structure.

In order to calculate an accurate top event probability/frequency or importance measures within the limited computational memory, it is strongly recommended to use the ZBDD algorithm for generating MCSs and performing a rule-based post-processing of MCSs.

Acknowledgement

This work was supported by the Nuclear Research & Development Program of the Korea Science and Engineering Foundation (KOSEF) grant funded by the Korean government (MEST).

References

Akers, B., 1978. Binary decision diagrams. IEEE Transactions on Computers C-27 (6), 509–516.

Banov, R., Simic, Z., Mikulicic, V., 2008. One heuristic to minimize BDD representation of the fault tree. In: International Probabilistic Safety Assessment and Management Conference, Hong Kong, China, May 18–23.

Bryant, R., 1986. Graph based algorithms for Boolean function manipulation. IEEE Transactions on Computers C-35 (8), 677–691.

Bryant, R., 1992. Symbolic Boolean manipulation with ordered binary decision diagrams. ACM Computing Surveys 24, 293–318.

Cepin, M., 2005. Analysis of truncation limit in probabilistic safety assessment. Reliability Engineering and System Safety 87, 395–403.

Coudert, O., Madre, J.C., 1992. Implicit and incremental computation of primes and essential primes of Boolean functions. In: Proceedings of the 29th ACM/IEEE Design Automation Conference, DAC'92.

Coudert, O., Madre, J.C., 1993. Fault tree analysis: 10^20 prime implicants and beyond. In: Proceedings of the Annual Reliability and Maintainability Symposium, Atlanta, NC, USA.

Dutuit, Y., Rauzy, A., 2001. Efficient algorithms to assess component and gate importance in fault tree analysis. Reliability Engineering & System Safety 72, 213–222.

EPRI, 2008. FTREX User Manual Version 1.4. Electric Power Research Institute (EPRI), Palo Alto, CA.

Epstein, S., Rauzy, A., 2005. Can we trust PRA. Reliability Engineering & System Safety 88, 195–205.

Han, S.H., Lim, H.G., Yang, J.E., 2008. AIMS-PSA: a software for integrating various types of PSAs. In: International Probabilistic Safety Assessment and Management Conference, Hong Kong, China, May 18–23.

Jung, W.S., Han, S.H., Ha, J.J., 2004. A fast BDD algorithm for large coherent fault trees analysis. Reliability Engineering and System Safety 83, 369–374.

Jung, W.S., Canavan, K., Riley, J., 2008a. FTREX features for an efficient PSA. In: Proceedings of ANS PSA 2008 Topical Meeting, Knoxville, Tennessee, September 7–11.

Jung, W.S., Han, S.H., Yang, J.E., 2008b. Fast BDD truncation method for efficient top event probability calculation. Nuclear Engineering and Technology 40, 63–72.

Jung, W.S., Yang, J.E., Canavan, K., 2008c. Practical top event probability calculation by BDD truncation algorithm. In: Proceedings of International Probabilistic Safety Assessment and Management Conference, Hong Kong, China, May 18–23.

Jung, W.S., Yang, J.E., Ha, J.J., 2005. Development of measures to estimate truncation error in fault tree analysis. Reliability Engineering and System Safety 90, 30–36.

KEPCO, 2004. Probabilistic Safety Assessment for Ulchin Units 3 & 4—Level 1 PSA. Korea Electric Power Corporation (KEPCO).

Lee, C.Y., 1959. Representation of switching circuits by binary-decision programs. Bell System Technical Journal 38, 985–999.

Minato, S., 1993. Zero-suppressed BDDs for set manipulation in combinatorial problems. In: Proceedings of the 30th International Conference on Design Automation, pp. 272–277.

Rauzy, A., Dutuit, Y., 1997. Exact and truncated computations of prime implicants of coherent and non-coherent fault trees within Aralia. Reliability Engineering and System Safety 58, 127–144.

Rauzy, A., 1993. New algorithms for fault trees analysis. Reliability Engineering and System Safety 40, 203–211.

Reinert, J.M., Apostolakis, G.E., 2006. Including model uncertainty in risk-informed decision making. Annals of Nuclear Energy 33, 354–369.