Radyban: a tool for reliability analysis of dynamic fault trees through conversion into dynamic Bayesian networks
Paper code | Publication year | Length of the English paper |
---|---|---|
28635 | 2008 | 11 pages (PDF) |
Publisher: Elsevier - Science Direct
Journal: Reliability Engineering & System Safety, Volume 93, Issue 7, July 2008, Pages 922–932
English abstract
In this paper, we present Radyban (Reliability Analysis with DYnamic BAyesian Networks), a software tool that analyzes a dynamic fault tree by converting it into a dynamic Bayesian network. The tool implements a modular algorithm for automatically translating a dynamic fault tree into the corresponding dynamic Bayesian network and exploits classical inference algorithms for dynamic Bayesian networks in order to compute reliability measures. After describing the basic features of the tool, we show how it operates on a real world example and compare the unreliability results it generates with those returned by other methodologies, in order to verify the correctness and consistency of the results obtained.
English introduction
The modeling possibilities offered by fault trees (FT), one of the most popular techniques for dependability analysis of large, safety-critical systems, can be extended by relying on Bayesian networks (BN) [1], [2], [3], [4] and [5]. This formalism allows one to relax some constraints that are typical of FTs. In addition, BNs allow one to represent local dependencies and to perform both predictive and diagnostic reasoning. In [6], we have shown how BNs can provide a unified framework in which dynamic fault trees (DFT) [7], a rather recent extension of FTs able to treat several types of dependencies, can also be represented. In particular, DFTs introduce four basic (dynamic) gates: the warm spare (WSP), the sequence enforcing (SEQ), the functional dependency (FDEP) and the priority AND (PAND). A WSP dynamic gate models one primary component that can be substituted by one or more backups (spares) with the same functionality (see Fig. 1(a), where spares are identified by "circle-headed" arcs). The WSP gate fails if its primary fails and all of its spares have failed or are unavailable (a spare is unavailable if it is shared and being used by another spare gate). Spares can fail even while they are dormant, but the failure rate of an unpowered (i.e. dormant) spare is lower than the failure rate of the corresponding powered one. More precisely, if λ is the failure rate of a powered spare, the failure rate of the unpowered spare is αλ, with 0 ⩽ α ⩽ 1 called the dormancy factor. Spares are more properly called "hot" if α = 1 and "cold" if α = 0.

Fig. 1. Dynamic gates in a DFT.

A SEQ gate forces its inputs to fail in a particular order: when a SEQ is found in a DFT, the failure sequence never takes place in a different order. SEQ gates can be modeled as a special case of a cold spare [8], so they will not be considered any further in the following. In the FDEP gate (Fig. 1(b)), one trigger event T (connected with a dashed arc in the figure) causes other dependent components to become unusable or inaccessible. In particular, when the trigger event occurs, the dependent components fail with p_d = 1; the separate failure of a dependent component, on the other hand, has no effect on the trigger event. FDEP also has a non-dependent output, which simply reflects the status of the trigger event and is called the dummy output (i.e. it is not used in the analysis). We have generalized the FDEP by defining a new gate, called probabilistic dependency (PDEP). In the PDEP, the probability of failure of the dependent components, given that the trigger has failed, is p_d ⩽ 1. Finally, the PAND gate reaches a failure state if and only if all of its input components have failed in a preassigned order (from left to right in graphical notation). While the SEQ gate allows the events to occur only in a preassigned order and states that a different failure sequence can never take place, the PAND does not force such a strong assumption: it simply detects the failure order and fails in just one case (in Fig. 1(c) a failure occurs iff A fails before B, but B may fail before A without producing a failure in G).

The quantitative analysis of DFTs typically requires expanding the model into its state space and solving the corresponding continuous time Markov chain (CTMC) [7]. Through a process known as modularization [9], it is possible to identify the independent sub-trees containing dynamic gates and to use a different Markov model (much smaller than the model corresponding to the entire DFT) for each of them. Nevertheless, the problem of state explosion remains. In order to alleviate this limitation, as stated above, we have proposed a translation of the DFT into a dynamic Bayesian network (DBN). Compared with a CTMC, the use of a DBN allows one to take advantage of the factorization in the temporal probability model. As a matter of fact, the conditional independence assumptions implicit in a DBN enable a compact representation of the probabilistic model, allowing the system designer or analyst to avoid the complexity of specifying and using a global-state model (like a standard Markov chain); this is particularly important when the dynamic module of the considered DFT is significantly large.

In this paper, we describe Radyban (Reliability Analysis with DYnamic BAyesian Networks), a tool we have implemented that realizes an automatic translation of a DFT into the corresponding DBN. The tool gives the reliability engineer access to the modeling constructs of an enhanced version of the DFT formalism for the construction of a suitable reliability model; the resulting model is then compiled into the corresponding DBN and the analysis is performed transparently to the user, who has only to specify the desired type of analysis algorithm. The rest of the paper is organized as follows: in Section 2 we briefly review the basic framework of DBNs; in Section 3 we describe the main functionalities of Radyban, considering in particular the translation from a DFT to a DBN for the computation of reliability measures; finally, in Section 4, we show an application of the tool's features to a real world example taken from [2], concerning an active heat reaction system. Conclusions and future work are reported in Section 5.
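The gate semantics described above (a WSP with dormancy factor α, a PDEP that reduces to FDEP when p_d = 1, and a PAND that fails only for one failure order) can be checked numerically before trusting any translation of them. The following is an added example, not Radyban's code: it samples exponential component lifetimes, applies each gate's rule to obtain the gate failure time, estimates unreliability at a mission time by Monte Carlo, and compares the estimate with the closed form each gate has for exponential components. All component names, failure rates and the mission time are constructed for illustration.

```python
"""Monte Carlo check of DFT dynamic-gate semantics on exponential components.

Added example (not part of Radyban). Rates and mission time are constructed.
"""
import math
import random


def exp_time(rate, rng):
    """Failure time of an exponential component; a zero rate never fails."""
    return rng.expovariate(rate) if rate > 0 else math.inf


def wsp_failure_time(lam_primary, lam_spare, alpha, rng):
    """WSP gate with one primary and one spare.

    While the primary is up, the spare is dormant and fails with rate
    alpha * lam_spare; once the primary fails, the spare is powered and fails
    with rate lam_spare. The gate fails when primary and spare have both failed.
    """
    t_primary = exp_time(lam_primary, rng)
    t_dormant = exp_time(alpha * lam_spare, rng)
    if t_dormant < t_primary:
        return t_primary  # spare already dead when it is needed
    # Exponential lifetimes are memoryless, so the powered spare's residual
    # life is a fresh Exp(lam_spare) draw starting at t_primary.
    return t_primary + exp_time(lam_spare, rng)


def pdep_dependent_failure_time(t_trigger, t_own, p_d, rng):
    """Dependent component of a PDEP: fails on its own at t_own and, with
    probability p_d, also fails when the trigger fails (FDEP is p_d = 1)."""
    if rng.random() < p_d:
        return min(t_trigger, t_own)
    return t_own


def pand_failure_time(t_a, t_b):
    """PAND(A, B) fails only if A fails before B; the gate fails when B does."""
    return t_b if t_a < t_b else math.inf


def estimate_unreliability(sample_failure_time, mission_time, n=100_000, seed=1):
    """Fraction of sampled gate failure times that fall within the mission time."""
    rng = random.Random(seed)
    failed = sum(1 for _ in range(n) if sample_failure_time(rng) <= mission_time)
    return failed / n


# Closed forms for the same gates on exponential components, used as a check.
def wsp_hot_unreliability(lam, t):
    """alpha = 1: two independent identical components, both must fail."""
    return (1 - math.exp(-lam * t)) ** 2


def wsp_cold_unreliability(lam, t):
    """alpha = 0: lifetimes add, Erlang-2 for equal rates."""
    return 1 - math.exp(-lam * t) * (1 + lam * t)


def pand_unreliability(lam_a, lam_b, t):
    """P(T_A < T_B <= t) for independent exponentials."""
    both = lam_a + lam_b
    return (1 - math.exp(-lam_b * t)) - lam_b / both * (1 - math.exp(-both * t))


def pdep_dependent_unreliability(lam_trigger, lam_own, p_d, t):
    """1 - P(survives own failure) * P(not taken down by the trigger)."""
    return 1 - math.exp(-lam_own * t) * (1 - p_d * (1 - math.exp(-lam_trigger * t)))


if __name__ == "__main__":
    LAM, T = 1.0, 1.0  # constructed failure rate (per unit time) and mission time
    for alpha, exact in ((1.0, wsp_hot_unreliability(LAM, T)),
                         (0.0, wsp_cold_unreliability(LAM, T))):
        mc = estimate_unreliability(lambda rng: wsp_failure_time(LAM, LAM, alpha, rng), T)
        print(f"WSP alpha={alpha}: MC={mc:.4f} exact={exact:.4f}")
    mc = estimate_unreliability(
        lambda rng: pand_failure_time(exp_time(1.0, rng), exp_time(2.0, rng)), T)
    print(f"PAND: MC={mc:.4f} exact={pand_unreliability(1.0, 2.0, T):.4f}")
    mc = estimate_unreliability(
        lambda rng: pdep_dependent_failure_time(exp_time(1.0, rng), exp_time(0.5, rng), 0.7, rng), T)
    print(f"PDEP dependent: MC={mc:.4f} exact={pdep_dependent_unreliability(1.0, 0.5, 0.7, T):.4f}")
```

The sampling functions return a gate failure time rather than a pass/fail flag, so the same samplers can be composed (a PAND whose inputs are WSP gates, for instance) in the way the text composes gates in a DFT. The check against the closed forms is what makes the example useful: a sampler that mis-encodes a gate rule (for example, letting a PAND fail for either order) disagrees with the exact value by far more than the Monte Carlo noise.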
English conclusion
In this paper, we have described Radyban, a tool that allows the user to draw a DBN and to ask for diagnostic or predictive inference on it, as well as to draw a DFT, obtain an automatic conversion into the corresponding DBN, and ask for reliability measures by means of DBN inference algorithms. We have described the tool's functionalities, as well as the methodology underlying the translation of the input DFT into the DBN used for the analysis of the model. To test both the proposed conversion methodology and the tool's performance, we have run several examples, one of which has been presented in this paper: the results obtained using the DBN are essentially identical to those obtained using other analysis techniques described in the literature. Our experimental results therefore show that DBNs can be safely relied upon when a quantitative analysis of the system is required.

In the future, we plan to extend the tool's capabilities by adding ad hoc structures to the DFT, which can then be naturally characterized in the corresponding DBN: for example, we will allow the insertion of multi-valued nodes, the modeling of repair policies and the specification of conditional dependencies among basic events. A modularization procedure on the DFT (similar to that proposed in the Galileo tool) is currently under examination, in order to improve the inference computation time on the DBN when the input DFT has independent parts (modules); this is being investigated in connection with the BK inference algorithms, where independent modules (called "clusters") are exploited to speed up inference or to approximate results.