A BDD-Based Algorithm for Reliability Evaluation of Phased Mission System

Xinyu Zang, Hairong Sun and Kishor S. Trivedi
{xzang, hairong, [email protected]}
Center for Advanced Computing and Communications
Department of Electrical and Computer Engineering
Duke University, Durham, NC 27708

Abstract

In this paper, a new algorithm based on Binary Decision Diagrams (BDD) for reliability evaluation of Phased Mission Systems (PMS) is proposed. This algorithm uses phase algebra to deal with the dependence among the phases, and a new BDD operation is proposed to incorporate the phase algebra. Due to the nature of BDDs, cancelation of common components among the phases can be combined with the BDD generation without additional operations, and the sum of disjoint products (SDP) can be represented implicitly by the final BDD, which avoids the huge storage needed for a large number of SDPs. Several examples and experiments show the efficiency of this algorithm. This paper also presents the expression for the transient behavior of a PMS when the failure functions of the components are general rather than exponential.

Index Terms: Phased Mission System (PMS), Reliability Evaluation, Transient Analysis, Fault Trees, Binary Decision Diagram (BDD)

This research was supported in part by the National Science Foundation under Grant No. EEC9418765, and by the Department of Defense as an enhancement project to the Center for Advanced Computing and Communications at Duke University.


1 Introduction

A phased mission system (PMS) consists of consecutive, non-overlapping time periods, called phases, during which the system configuration, success criteria, and component behavior may vary from phase to phase. Many practical systems are actually phased mission systems; e.g., the voyage of an aircraft can be divided into several phases, such as take-off, cruise and landing, each with completely different reliability requirements and behaviors. Compared with single-phased systems, the reliability evaluation of a PMS is much more complex because of the dependence across the phases. For instance, the state of a component at the beginning of a new phase is identical to its state at the end of the previous phase [10]. The dynamic structure and configuration of a PMS usually requires a distinct model for each phase, which also increases the complexity of modeling and analysis. Although reliability evaluation of PMS has been studied for more than twenty years, the size of the problems that can be solved is still very small due to the high computational complexity of the methods for the evaluation of PMS.

Generally, there are two classes of models to address PMS problems: Markov chain based models [1, 11, 9, 14, 2, 20, 15, 22, 3] and combinatorial models [23, 10, 16, 12, 6, 21]. The main idea of Markov chain based models is to directly or indirectly (e.g., starting with a Petri net) construct a Markov chain to represent the system behavior. These models take into account at once the dependence among the components within a phase and the dependence across phases. However, Markov chain based models suffer from the state explosion problem, especially when the number of components becomes large.

The assumption of combinatorial models for PMS is that all the components in the system are independent. This assumption simplifies the analysis, but it limits the application of the models because dependence does exist in some PMSs. Special methods have to be used to address the dependence across phases. In [10], Esary and Ziehms introduced a method which can deal with the dependence across phases, i.e., using a series of independent mini-components to replace the component in each phase. However, this method causes the size of the problem to become very large as the number of phases increases. A cancelation method was introduced by Pedar and Sarma in [16], which, however, needs additional calculation on mincuts. In [23], Somani and Trivedi used phase algebra to address such dependence. Based on this, Ma and Trivedi [12] combined the idea of phase algebra with the cancelation method, but still needed to obtain the sum of disjoint products (SDP) explicitly. As the number of components becomes large, the number of SDPs also increases rapidly, which subsequently increases the amount of storage and computation time. The computational complexity of combinatorial models is much less than that of Markov chain based models. However, these models normally need to find the mincuts of the system and calculate the sum of disjoint products, which is still computationally intensive.

Binary Decision Diagrams (BDD) were at first used in VLSI design and verification as an efficient method to manipulate Boolean expressions [5, 4]. Bryant [5] and other researchers have shown that, in most cases, BDDs use less memory to represent large Boolean expressions than representing them explicitly. Because BDDs are based on Shannon's decomposition, the reliability expression is easily obtained from the BDD format. Several researchers have used BDDs to do reliability analysis for fault trees [17, 7, 18, 19, 8].

In this paper, a new algorithm for PMS based on BDDs is proposed. As in [23], this algorithm uses phase algebra to deal with the dependence across phases. The nature of BDDs ensures that the cancelation of a component from an earlier phase, when it is accounted for in a later phase, is automatic and does not incur any extra computation. The final BDD of the system can represent the SDPs implicitly, avoiding the huge storage for a large number of SDPs. Thus there is a considerable reduction in computing and storage requirements over the earlier approaches.

The paper is organized as follows. Section 2 presents some preliminary concepts, such as BDDs, phase algebra, etc. Section 3 presents our PMS algorithm based on BDDs. Several examples are provided in Section 4 to show the efficiency of the algorithm. Section 5 presents the advantages of the BDD algorithm by comparison with other approaches. The last section gives the conclusion and future work.

2 Preliminary concepts

2.1 Binary Decision Diagrams (BDD)

In [5], Bryant gave the basic definitions for BDDs (also known as function graphs). A subset of general BDDs, reduced ordered binary decision diagrams (ROBDD), were introduced as an efficient means to manipulate Boolean expressions. Several researchers [17, 7, 18] applied BDDs to reliability evaluation for fault trees. Here we review some basic concepts of BDDs.

2.1.1 Shannon's decomposition and ite format

Theorem 1 (Shannon's Decomposition): let f be a Boolean expression on X, and x be a variable of X; then

$$f = x \cdot f_{x=1} + \bar{x} \cdot f_{x=0} \qquad (1)$$

where f evaluated at x = v is denoted by $f_{x=v}$.

Shannon's decomposition is the basis of using BDDs. In order to express Shannon's decomposition concisely, the If-Then-Else (ite) format is defined as:

$$f = ite(x, F_1, F_2) = x \cdot F_1 + \bar{x} \cdot F_2 \qquad (2)$$

where $F_1 = f_{x=1}$ and $F_2 = f_{x=0}$.

2.1.2 BDD

A BDD is a directed acyclic graph (DAG) that is based on Shannon's decomposition. The graph has two sink nodes, labeled 0 and 1, representing the two corresponding constants 0 and 1. Each non-sink node is labeled with a Boolean variable x and has two outgoing edges that represent the two corresponding expressions in Shannon's decomposition. These two edges are called the 0-edge (or else-edge) and the 1-edge (or then-edge). The node linked by the 1-edge represents the Boolean expression when x = 1, i.e., $f_{x=1}$ in Eqn. (1), while the node linked by the 0-edge represents the Boolean expression when x = 0, i.e., $f_{x=0}$ in Eqn. (1). Thus, each non-sink node in a BDD encodes an ite format. Obviously, one of the key features of BDDs is the disjoint nature of the two subexpressions. An ordered binary decision diagram (OBDD) is a BDD with the constraint that the variables are ordered and every source-to-sink path in the OBDD visits the variables in ascending order. A reduced ordered binary decision diagram (ROBDD) is an OBDD where each node represents a distinct Boolean expression. In practice, ROBDDs are widely used. Actually, to generate a ROBDD, the ordering of the variables has to be selected first, and this order of variables is not changed during the generation (we do not consider the dynamic reordering of BDDs in this paper). In this paper, we write $x_i < x_j$ to denote that variable $x_j$ is behind variable $x_i$ in the order of variables. Fig. 1 shows the ROBDDs for several Boolean expressions.


[Figure 1: BDD representation of Boolean expressions. (a) g = a c + b c; (b) h = a b + c]

2.1.3 Manipulation of BDDs

BDDs represent Boolean expressions graphically. The manipulation of BDDs using logical operations is very easy. For instance, consider a logic operation AND on two Boolean expressions g and h. We first generate two BDDs for g and h respectively, using the same ordering of variables. We assume that the first variable is common to g and h. Let this common variable be denoted by x. Using Eqn. (2), the ite formats of the expressions are

$$g = ite(x, g_{x=1}, g_{x=0}) = ite(x, G_1, G_2)$$
$$h = ite(x, h_{x=1}, h_{x=0}) = ite(x, H_1, H_2)$$

The g + h represented in ite format will be:

$$\begin{aligned} ite(x, G_1, G_2) + ite(x, H_1, H_2) &= g + h \\ &= ite(x, (g + h)_{x=1}, (g + h)_{x=0}) \\ &= ite(x, (g_{x=1} + h_{x=1}), (g_{x=0} + h_{x=0})) \\ &= ite(x, (G_1 + H_1), (G_2 + H_2)) \end{aligned} \qquad (3)$$

[Figure 2: OR operation of two BDDs]

The recursive method can be used for $G_1 + H_1$ and $G_2 + H_2$ until one of them becomes a constant expression, 0 or 1, or they do not have the first variable in common. Next we assume h does not have variable x, but has variable y, and x < y in the order of variables. The ite formats of the expressions are

$$g = ite(x, g_{x=1}, g_{x=0}) = ite(x, G_1, G_2)$$
$$h = ite(y, h_{y=1}, h_{y=0}) = ite(y, H_1, H_2)$$

The g + h represented in ite format will be:

$$\begin{aligned} ite(x, G_1, G_2) + ite(y, H_1, H_2) &= g + h \\ &= ite(x, (g + h)_{x=1}, (g + h)_{x=0}) \\ &= ite(x, (g_{x=1} + h), (g_{x=0} + h)) \\ &= ite(x, (G_1 + h), (G_2 + h)) \end{aligned} \qquad (4)$$

In the above example, we used the OR operation, but any other logical operation can be used; the only difference is to use a different truth table when one of the operands becomes a constant expression. Actually, in practice, the BDD is generated by using logical operations on variables rather than by using Shannon's decomposition directly. Fig. 2 shows the OR operation of the two Boolean expressions in Fig. 1. Note that two reductions are made "on-the-fly" while carrying out the operation:

- Because the results of $0 + H_1$ and $G_2 + H_1$ are the same, node b at the left becomes irrelevant and can be removed.

- Because the 0-edge of node b at the right is linked to the same subtree as the 0-edge of node a (the node b at the left is reduced), these two subtrees can be reduced to a single one.

2.2 Failure function of a component in a specific phase

As stated in Section 1, the dependence across phases for a given component increases the complexity of reliability analysis for PMS. Esary and Ziehms [10] introduced a method to deal with such dependence, i.e., by using a series of independent mini-components to replace the component in a specific phase. For instance, a component A in phase j can be replaced by a system of mini-components $a_1, a_2, \ldots, a_j$ in series. Fig. 3 shows the reliability block diagram (RBD) and fault tree (FT) format of Esary's solution. The component A is operational in phase j if and only if it functioned in all previous phases. In [23], the failure function of component A in phase j, i.e., $F_{A,j}(t)$, was given assuming the failure function is exponential. We provide here $F_{A,j}(t)$ when the failure function is general. Let $p_{A,i}(t)$ be the failure function of mini-component $a_i$, defined as:

$$p_{A,i}(t) = \begin{cases} P[X_A(t) = 0] & i = 1 \\ P[X_A(t + T_{i-1}) = 0 \mid X_A(T_{i-1}) = 1] & 1 < i \le j \end{cases}$$

where $T_i$ is the duration time of phase i. Because all $a_i$, $i = 1, 2, \ldots, j$, are in series, the failure function for component A in phase j is given by:

Lemma 1

$$\begin{aligned} F_{A,j}(t) &= 1 - \Big(\prod_{i=1}^{j-1}(1 - p_{A,i}(T_i))\Big)(1 - p_{A,j}(t)) \\ &= \Big(1 - \prod_{i=1}^{j-1}(1 - p_{A,i}(T_i))\Big) + \Big(\prod_{i=1}^{j-1}(1 - p_{A,i}(T_i))\Big) p_{A,j}(t) \end{aligned} \qquad (5)$$

[Figure 3: RBD and FT format of Esary's solution: component $A_j$ as the series of mini-components $a_1, a_2, \ldots, a_j$]

Here time t is measured from the beginning of phase j, so that $0 \le t \le T_k$. $T_i$ represents the duration of phase i. The first term in Exp. (5) represents the probability that the component has already failed in the previous phases (phases $1, 2, \ldots, j-1$). The second term represents the failure probability distribution of the component in phase j. The time origin for phase j is reinitialized to the beginning of the phase. Exp. (5) can be used to study the transient behavior of the phased mission system.


[Figure 4: System configuration in three phases (Phase X, Phase Y, Phase Z), in fault tree format]

2.3 Phase algebra

In [10], after replacing component A by a series system of independent mini-components $a_1, a_2, \ldots, a_i$, a new equivalent system is formed by subsystems in series. In [10], it is shown that the ordinary reliability of this equivalent system is the same as the phased-mission reliability of the original system. Consider a simple example:

Example 1: The system has three phases X, Y and Z whose configurations are shown in Fig. 4 in FT format. The equivalent system is shown in Fig. 5. Let A = 0 (or $\bar{A} = 1$) mean that component A has failed and A = 1 mean that component A is operational. Using this notation, we can use Boolean expressions to describe the failure combinations for each phase. Let $E_i$ denote the Boolean expression specifying the failure combinations for phase i; the system unreliability is then given by:

$$UR = P\Big[\bigcup_{i=1}^{n} E_i\Big] \qquad (6)$$

As in [23], we use a variable $A_i$ whose failure function is $F_{A,i}$ in Exp. (5) to represent the behavior of component A in phase i.

[Figure 5: Equivalent system for the end of mission: each component of Fig. 4 is replaced by its series of mini-components ($a_1$; $a_1 a_2$; $a_1 a_2 a_3$, and likewise for b and c)]

Because dependence exists among the $A_i$ ($i = 1, 2, \ldots, j-1$), special treatment is needed for the combination terms which contain more than one $A_i$, $1 \le i \le n$. Phase algebra can be used to deal with this. Let i and j be two phases (i < j). The rules of phase algebra are listed in Table 1. Two combinations, $\bar{A}_i A_j$ and $\bar{A}_i + A_j$, are not given in [23]. The first combination, i.e., $\bar{A}_i A_j$, means that component A is operational until the end of phase i and then fails sometime during phase j. The probability of this term is

$$\begin{aligned} P(\bar{A}_i A_j) &= \Big(\prod_{k=1}^{i}(1 - p_{A,k}(T_k))\Big)\Big(1 - \prod_{k=i+1}^{j}(1 - p_{A,k}(T_k))\Big) \\ &= \prod_{k=1}^{i}(1 - p_{A,k}(T_k)) - \prod_{k=1}^{j}(1 - p_{A,k}(T_k)) \\ &= \bar{F}_{A,i}(T_i) - \bar{F}_{A,j}(T_j) \\ &= P(\bar{A}_i) - P(\bar{A}_j) \end{aligned} \qquad (7)$$

The second term, i.e., $\bar{A}_i + A_j$, has no physical meaning.

Table 1: Rules of phase algebra (i < j)

$\bar{A}_i \bar{A}_j \to \bar{A}_j$ | $A_i A_j \to A_i$ | $A_i \bar{A}_j \to 0$
$A_i + A_j \to A_j$ | $\bar{A}_i + \bar{A}_j \to \bar{A}_i$ | $\bar{A}_i + A_j \to 1$

Note that the phase algebra rules are to be applied to variables belonging to the same component. The ordinary Boolean relations still hold for the variables representing different components. Note also that variables such as $A_i$ and $B_j$ are independent.

3 BDD algorithm for phased mission system

3.1 BDD operation for phase algebra

The relations of phase algebra in Table 1 are different from the ordinary logical relations. A special BDD operation should be derived for these relations. We call these BDD operations phase dependent operations (PDO). Because BDD operations heavily depend on the order of variables, there are two classes of PDOs:

- forward PDO: the order of variables is the same as the phase order, i.e., $A_1, A_2, \ldots, A_n$.

- backward PDO: the order of variables is the reverse of the phase order, i.e., $A_n, A_{n-1}, \ldots, A_1$.

Let $E_i$ and $E_j$ denote the Boolean expressions specifying the failure combinations for phases i and j (i < j), respectively, and assume $A_i$ exists in $E_i$ and $A_j$ exists in $E_j$. Using ite format, $E_i$ and $E_j$ can be written as:

$$E_i = ite(A_i, (E_i)_{A_i=1}, (E_i)_{A_i=0}) = ite(A_i, G_1, G_2)$$
$$E_j = ite(A_j, (E_j)_{A_j=1}, (E_j)_{A_j=0}) = ite(A_j, H_1, H_2)$$

We use $\diamond$ to denote the logical operations AND or OR.

Lemma 2 For the forward PDO,

$$ite(A_i, G_1, G_2) \diamond ite(A_j, H_1, H_2) = ite(A_i, G_1 \diamond H_1, G_2 \diamond E_j) \qquad (8)$$

Proof: Because component A must be in the failed state in phase j if it has already failed in phase i, i.e., $A_i = 1$ implies $A_j = 1$, hence

$$\begin{aligned} ite(A_i, G_1, G_2) \diamond ite(A_j, H_1, H_2) &= E_i \diamond E_j \\ &= ite(A_i, (E_i \diamond E_j)_{A_i=1}, (E_i \diamond E_j)_{A_i=0}) \\ &= ite(A_i, (E_i)_{A_i=1} \diamond (E_j)_{A_j=1}, (E_i)_{A_i=0} \diamond (E_j)_{A_i=0}) \\ &= ite(A_i, G_1 \diamond H_1, G_2 \diamond E_j) \end{aligned} \qquad (9)$$

□

Lemma 3 For the backward PDO,

$$ite(A_i, G_1, G_2) \diamond ite(A_j, H_1, H_2) = ite(A_j, E_i \diamond H_1, G_2 \diamond H_2) \qquad (10)$$

Proof: Because component A must be operational in phase i if it is operational in phase j, i.e., $A_j = 0$ implies $A_i = 0$, hence

$$\begin{aligned} ite(A_i, G_1, G_2) \diamond ite(A_j, H_1, H_2) &= E_i \diamond E_j \\ &= ite(A_j, (E_i \diamond E_j)_{A_j=1}, (E_i \diamond E_j)_{A_j=0}) \\ &= ite(A_j, (E_i)_{A_j=1} \diamond (E_j)_{A_j=1}, (E_i)_{A_i=0} \diamond (E_j)_{A_j=0}) \\ &= ite(A_j, E_i \diamond H_1, G_2 \diamond H_2) \end{aligned} \qquad (11)$$

□

Fig. 6 shows the algorithm for the forward and backward PDO. The functions of the computed-table and unique-table are explained in [4].

3.2 Ordering strategy

The order of variables is very important for BDD generation. The size of the BDD (the number of nodes in the BDD) heavily depends on the order. But the problem of computing an ordering that minimizes the size of a BDD is itself a co-NP-complete problem. Previous studies showed that a set of heuristics may be used to select an adequate ordering [5]. We use heuristic H4 [13] to decide the order of each component. After ordering the components, we replace each component with a series of variables that represent this component in each phase. As stated in the preceding section, there are two classes of PDO available, and each one requires a specific ordering of the variables that belong to the same component. Checking the sizes of the final BDDs (shown in Fig. 7) generated by forward PDO and backward PDO, we find that the size of the BDD generated by backward PDO is smaller than that generated by forward PDO. Observing the BDD in Fig. 7(b), we note that variable $A_1$ does not occur in it. This means that $A_1$ is a common component which is accounted for in later phases. Therefore, if backward PDO is used to generate the BDD for a PMS, the cancelation of common components can be done automatically during the generation of the BDD without any additional operations.


    pdo(op, F, G) {
        if ((F == 0) or (F == 1) or (G == 0) or (G == 1))
            return op(F, G)                      /* call to the truth table of op */
        else if (computed-table has entry {(op, F, G), R})
            return R
        else {
            x = the top variable of F
            y = the top variable of G
            v = top of x and y
            if (x, y are the variables of different components) {
                F1 = F(v=1), F2 = F(v=0)
                G1 = G(v=1), G2 = G(v=0)
            } else if (x == v) {
                F1 = F(x=1), F2 = F(x=0)
                if (forward PDO) G1 = G(y=1), G2 = G
                else             G1 = G,      G2 = G(y=0)
            } else {
                if (forward PDO) F1 = F(x=1), F2 = F
                else             F1 = F,      F2 = F(x=0)
                G1 = G(y=1), G2 = G(y=0)
            }
            T = pdo(op, F1, G1)
            E = pdo(op, F2, G2)
            if (T == E) return T
            R = find_or_add_unique_table(v, T, E)
            insert_computed_table({(op, F, G), R})
            return R
        }
    }

Figure 6: Algorithm for PDO


[Figure 7: BDD generated by PDO. (a) forward PDO; (b) backward PDO]

    1. Use Exp. (5) to obtain the value for each variable
    2. Order the components and their corresponding variables
    3. Generate a BDD for each phase
    4. Using PDO, combine these BDDs to obtain the final BDD
    5. Evaluate the final BDD to obtain the result

Figure 8: BDD algorithm for PMS

3.3 BDD algorithm for PMS

Fig. 8 gives the main procedure of reliability evaluation of PMS using BDDs. The first step is to order the variables using the heuristics mentioned in the preceding section. BDDs can be generated for each phase by using ordinary logical operations. Then phase algebra and the corresponding backward PDO operation are applied to generate the final BDD from the BDDs of each phase. Finally, an evaluation algorithm is used to obtain the unreliability of the PMS. All the procedures except the evaluation algorithm are discussed in the preceding sections. Now we present an evaluation algorithm which deals with the dependence among the variables that belong to the same component. Fig. 9 shows the details of the evaluation algorithm. Observing the BDD generated by backward PDO, we see that the 0-edge always links two variables that belong to different components. But for the 1-edge, there are two cases which need to be evaluated differently: the 1-edge linking the variables of different components and the 1-edge linking the variables of the same component.

    Prob(G) {
        if (G == 1) return 1
        else if (G == 0) return 0
        else if (computed-table has entry {G, P_G}) return P_G
        else {
            /* G = ite(x, G1, G2), G1 = ite(y, H1, H2) */
            P_G1 = Prob(G1), P_G2 = Prob(G2)
            if (x, y are variables of different components)
                P_G = P_G1 + (1 - P(x)) * (P_G2 - P_G1)
            else
                P_G = P_G1 + (1 - P(x)) * (P_G2 - Prob(H2))
        }
        insert_computed_table({G, P_G})
        return P_G
    }

Figure 9: Algorithm for evaluation of the BDD of a PMS

For the 1-edge linking the variables of different components, it is the same as in an ordinary BDD. The ordinary evaluation method for BDDs can be used:

$$\begin{aligned} G &= ite(A_j, G_1, G_2) = A_j \cdot G_1 + \bar{A}_j \cdot G_2 \\ P(G) &= P(ite(A_j, G_1, G_2)) = P(A_j \cdot G_1 + \bar{A}_j \cdot G_2) \\ &= P(A_j)P(G_1) + P(\bar{A}_j)P(G_2) \\ &= P(G_1) + (1 - P(A_j))(P(G_2) - P(G_1)) \end{aligned} \qquad (12)$$

For the 1-edge linking the variables of the same component, because $A_i$ and $A_j$ are not independent, a special treatment is needed for this case:

$$\begin{aligned} G &= ite(A_j, G_1, G_2) = A_j \cdot G_1 + \bar{A}_j \cdot G_2 \\ G_1 &= ite(A_i, H_1, H_2) = A_i \cdot H_1 + \bar{A}_i \cdot H_2 \\ P(G) &= P(ite(A_j, G_1, G_2)) = P(A_j \cdot G_1 + \bar{A}_j \cdot G_2) \\ &= P(A_j \cdot (A_i \cdot H_1 + \bar{A}_i \cdot H_2)) + P(\bar{A}_j)P(G_2) \\ &= P(A_j A_i H_1 + A_j \bar{A}_i H_2) + (1 - P(A_j))P(G_2) \end{aligned} \qquad (13)$$

According to the rules of phase algebra and

$$A_i = A_j A_i$$
$$\bar{A}_i = \bar{A}_j + \bar{A}_i = \bar{A}_j + A_j \bar{A}_i$$

we can obtain

$$P(G_1) = P(A_i H_1 + \bar{A}_i H_2) = P(A_j A_i H_1 + (A_j \bar{A}_i + \bar{A}_j) H_2) = P(\bar{A}_j H_2) + P(A_j A_i H_1 + A_j \bar{A}_i H_2)$$

therefore,

$$P(A_j A_i H_1 + A_j \bar{A}_i H_2) = P(G_1) - P(\bar{A}_j H_2) = P(G_1) - (1 - P(A_j))P(H_2) \qquad (14)$$

Substituting Exp. (14) into Exp. (13), we have

$$P(G) = P(G_1) - (1 - P(A_j))P(H_2) + (1 - P(A_j))P(G_2) = P(G_1) + (1 - P(A_j))(P(G_2) - P(H_2)) \qquad (15)$$

Therefore, according to the type of the variables linked by the 1-edge, Exp. (12) or Exp. (15) is chosen to evaluate each node in the BDD. The probability of the root node of the final BDD gives the unreliability of the PMS.

3.4 Transient analysis

Transient analysis refers to the reliability of the PMS at any time during the mission. Let t be the time point at which the reliability of the system is considered. Assume the system has completed phase i - 1 (i.e., $\sum_{k=1}^{i-1} T_k < t$, where $T_k$ is the duration of phase k) and is in phase i. Using the same algorithm as in the preceding section and Exp. (5), we can generate the BDD of the PMS up to phase i and evaluate its unreliability at time t. In [21], latent failures were defined to address the upward change in the unreliability value at the phase transition time, which corresponds to the case that some of the success states in phase i may be failed states in phase i + 1. It should be noted that the time point t might happen to be the phase transition time, i.e., $t = \sum_{k=1}^{i-1} T_k$. In this case, we evaluate the unreliability:

- at $t^-$, i.e., the system being at the end of phase i - 1;

- at $t^+$, i.e., the system being at the beginning of phase i.
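To make the procedure of Figs. 6, 8 and 9 concrete, here is an added Python example (not the authors' code) that implements the backward PDO of Lemma 3, the evaluation rule of Exp. (12) and (15), and the general failure function of Exp. (5), and runs them on Example 1 with the Example 2 parameters. The three phase fault trees are an assumption of this example (Fig. 4 is not reproduced on the page); with them the code reproduces the Table 2 entries, e.g. 3.99300865e-03 for XYZ at t = 30 and the latent-failure jump of ZYX at t = 10.

```python
import math

# Assumed phase fault trees for Example 1 (Fig. 4 is not reproduced on the page);
# a variable with value 1 means "component has failed".  These trees reproduce
# the Table 2 entries checked below:  X: A + B + C   Y: A + B*C   Z: A*B*C
PHASES = {"X": ("or", "A", "B", "C"), "Y": ("or", "A", ("and", "B", "C")),
          "Z": ("and", "A", "B", "C")}
COMPONENTS = ("A", "B", "C")


def failure_prob(p, durations, j, t):
    """Exp. (5): F_{A,j}(t), t from the start of phase j; p(i, tau) is the
    failure function of mini-component a_i (phases are numbered from 1)."""
    survive_prev = 1.0
    for i in range(1, j):
        survive_prev *= 1.0 - p(i, durations[i - 1])
    return 1.0 - survive_prev * (1.0 - p(j, t))


class PmsBdd:
    """ROBDD over variables (component, phase); a node is a tuple
    (var_index, then, else), the sinks are 0 and 1.  Variable order is the
    backward one of Section 3.2: A_n, ..., A_1, B_n, ..., B_1, ..."""

    def __init__(self, components, n_phases):
        self.order = [(c, k) for c in components for k in range(n_phases, 0, -1)]
        self.index = {v: i for i, v in enumerate(self.order)}
        self.computed = {}                      # computed-table of Fig. 6

    @staticmethod
    def cofactor(f, v, val):                    # f with v := val (v is top or absent)
        return (f[1] if val else f[2]) if f not in (0, 1) and f[0] == v else f

    def pdo(self, op, f, g):
        """Backward PDO of Fig. 6 / Lemma 3, op in {'and', 'or'}.  Variables of
        one component in different phases are not expanded independently,
        because A_j = 0 forces A_i = 0 for every earlier phase i < j."""
        if f in (0, 1) or g in (0, 1):          # truth table of op
            if op == "and":
                return 0 if 0 in (f, g) else (g if f == 1 else f)
            return 1 if 1 in (f, g) else (g if f == 0 else f)
        key = (op, f, g)
        if key in self.computed:
            return self.computed[key]
        x, y = f[0], g[0]
        v = min(x, y)                           # top variable of the result
        if x == y or self.order[x][0] != self.order[y][0]:   # ordinary Shannon expansion
            f1, f2 = self.cofactor(f, v, 1), self.cofactor(f, v, 0)
            g1, g2 = self.cofactor(g, v, 1), self.cofactor(g, v, 0)
        elif x == v:                            # f's top is the later phase A_j
            f1, f2, g1, g2 = f[1], f[2], g, g[2]
        else:                                   # g's top is the later phase A_j
            f1, f2, g1, g2 = f, f[2], g[1], g[2]
        t, e = self.pdo(op, f1, g1), self.pdo(op, f2, g2)
        r = t if t == e else (v, t, e)          # drop the node if both edges agree
        self.computed[key] = r
        return r

    def build(self, expr, phase):
        """BDD of one phase's failure expression, nested ("op", arg, ...)."""
        if isinstance(expr, str):
            return (self.index[(expr, phase)], 1, 0)
        op, first, *rest = expr
        r = self.build(first, phase)
        for a in rest:
            r = self.pdo(op, r, self.build(a, phase))
        return r

    def prob(self, g, p_var, memo=None):
        """Fig. 9 evaluation; p_var[(comp, phase)] = P(A_j) = F_{A,j}(t)."""
        memo = {} if memo is None else memo
        if g in (0, 1):
            return float(g)
        if g not in memo:
            x, g1, g2 = g
            p1, p2 = self.prob(g1, p_var, memo), self.prob(g2, p_var, memo)
            px = p_var[self.order[x]]
            if g1 not in (0, 1) and self.order[g1[0]][0] == self.order[x][0]:
                memo[g] = p1 + (1 - px) * (p2 - self.prob(g1[2], p_var, memo))  # (15)
            else:
                memo[g] = p1 + (1 - px) * (p2 - p1)                              # (12)
        return memo[g]


def mission_unreliability(order, t_in_last, lam=1e-4, duration=10.0):
    """Unreliability of the mission whose phases are `order` ("XYZ", or a prefix
    of it for transient analysis) t_in_last hours after the start of its last
    phase.  Defaults are the Example 2 parameters (10 h phases, 0.0001/h)."""
    n = len(order)
    bdd = PmsBdd(COMPONENTS, n)
    final = 0
    for k, name in enumerate(order, start=1):      # Fig. 8, steps 3 and 4
        final = bdd.pdo("or", final, bdd.build(PHASES[name], k))     # Exp. (6)
    durations = [duration] * n
    p_exp = lambda i, tau: 1.0 - math.exp(-lam * tau)   # exponential mini-components
    t_phase = lambda j: durations[j - 1] if j < n else t_in_last
    p_var = {(c, j): failure_prob(p_exp, durations, j, t_phase(j))
             for c in COMPONENTS for j in range(1, n + 1)}
    return bdd.prob(final, p_var)
```

Calling mission_unreliability("Z", 10.0) and mission_unreliability("ZY", 0.0) gives the $t = (10)^-$ and $t = (10)^+$ columns of Table 2 for ZYX, i.e., the latent failure at the Z-to-Y transition.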

4 Examples

Example 2: In Example 1, the phase order is XYZ. The BDDs for the other five permutations, i.e., XZY, YXZ, YZX, ZXY, ZYX, are shown in Fig. 10. We assume that the durations of all three phases are 10 hours each and the failure rate of each component is 0.0001/hour. The unreliability of the six permutations is listed in Table 2. Note that there are some latent failures at the phase transition times. For example, at t = 10 and t = 20 in permutation ZYX, there are jumps in the unreliability function.

Table 2: Unreliability of six permutations in Example 2

Perm | t = 0 | t = (10)^- | t = (10)^+ | t = (20)^- | t = (20)^+ | t = 30
XYZ | 0.00000000e+00 | 2.99550450e-03 | 2.99550450e-03 | 3.99300567e-03 | 3.99300567e-03 | 3.99300865e-03
XZY | 0.00000000e+00 | 2.99550450e-03 | 2.99550450e-03 | 2.99550549e-03 | 3.99300567e-03 | 4.99149291e-03
YXZ | 0.00000000e+00 | 1.00049817e-03 | 2.99550450e-03 | 5.98203595e-03 | 5.98203595e-03 | 5.98203694e-03
YZX | 0.00000000e+00 | 1.00049817e-03 | 1.00049817e-03 | 1.00050116e-03 | 5.98203595e-03 | 8.95962123e-03
ZXY | 0.00000000e+00 | 9.98501249e-10 | 2.99550450e-03 | 5.98203595e-03 | 5.98203595e-03 | 6.97654910e-03
ZYX | 0.00000000e+00 | 9.98501249e-10 | 1.00049817e-03 | 2.00198537e-03 | 5.98203595e-03 | 8.95962123e-03

[Figure 10: BDD of five permutations of phases X, Y and Z: (a) XZY, (b) YXZ, (c) YZX, (d) ZXY, (e) ZYX]

Example 3: Modifying the space application in [15], we get an example whose mission alternates between the operational phases Launch, Asteroid and Comet, and Hibernation phases. There are four types of equipment:

- La and Lb: only needed for Launch; at least one of them should be functional during the Launch phase.

- Aa and Ab: only needed for Asteroid; at least one of them should be functional during the Asteroid phase.

- Ca and Cb: only needed for Comet; at least one of them should be functional during the Comet phase.

- Ha, Hb, Hc, Hd: Ha and Hb work during all phases, and Hc and Hd only work during the operational phases. During the operational phases, at least three of them should be functional, and during the hibernation phases, at least one of them should be functional.

The system configuration is shown in Fig. 11(a). The BDD of the system at the end of the mission is shown in Fig. 11(b). The failure rate of each piece of equipment is listed in Table 3. The unreliability of the system during the mission, i.e., the transient behavior, is shown in Fig. 12. From this figure, we can also observe that there are latent failures at some phase transition points, i.e., at the transition from Hibern2 to Comet, and at the transition from Hibern1 to Asteroid (which is insignificant). At the other transition points, no latent failure occurs.

Table 3: System parameters in Example 3

Phase Name | Duration (hours) | Failure rate of Lx | Failure rate of Ax | Failure rate of Cx | Failure rate of Hx
Launch | 48 | 0.00005 | 0 | 0 | 0.00001
Hibern1 | 17520 | 0 | 0 | 0 | 0.000001
Asteroid | 672 | 0 | 0.00001 | 0 | 0.00001
Hibern2 | 26952 | 0 | 0 | 0 | 0.000001
Comet | 672 | 0 | 0 | 0.0001 | 0.00001

5 Advantages of BDD algorithm for PMS

As seen in the preceding sections, BDDs have some advantages in reliability evaluation of PMS:

- Cancelation can be done automatically by backward PDO without additional operations.

- In most cases, the sizes of the final BDDs are not very large.

- Because BDDs are based on Shannon's decomposition, the evaluation of the final BDD is easy and fast. Let n be the number of nodes in the final BDD; the evaluation procedure only needs n multiplications and 2n additions.


[Figure 11: System configuration and its BDD representation. (a) System configuration: Phase 1: Launch; Phase 2: Hibern.1; Phase 3: Asteroid; Phase 4: Hibern.2; Phase 5: Comet. (b) BDD representation]

[Figure 12: Unreliability of space application: unreliability versus time (hours), with operational and non-operational phases marked]

In this section, we give some experimental results to show the efficiency of our algorithm. In at least one case² we also provide a comparison with the MT algorithm in [12]. The latter is based on an MVI SDP method of solving fault trees. Consider a system consisting of 7 groups of components, where each group has n components; some system configurations are shown in Fig. 13 and Fig. 14, and the mission configurations are listed in Table 4. We vary the value of n from 2 to 5 and obtain the experimental results shown in Table 5.

Table 4: Mission configuration

Mission Name | Phase Number | Mission Configuration
M1 | 2 | Phase A, Phase E
M2 | 3 | Phase A, Phase B, Phase E
M3 | 4 | Phase A, Phase B, Phase C, Phase E
M4 | 5 | Phase A, Phase B, Phase C, Phase D, Phase E

6 Conclusion

We presented a BDD-based algorithm for reliability evaluation of phased mission systems. Phase dependent operations were developed for BDDs to realize the phase algebra, and a special evaluation procedure was proposed for these phase dependent BDDs. Due to the nature of BDDs, this algorithm is more efficient than the algorithm based on the SDP method in both computation time and storage space, which makes it possible for us to study some practically large phased mission systems.

² For the case n = 2 and mission M1, the MT algorithm needed 10.59 seconds and produced 2302 disjoint phase products.


[Figure 13: System configuration: fault trees for Phase A, Phase B and Phase C over the component groups $x_{k,1}, \ldots, x_{k,n}$, k = 1, ..., 7]

[Figure 14: System configuration (continued): fault trees for Phase D and Phase E]


Table 5: Experimental results

n | Mission | # of Nodes | Time (s)
2 | M1 | 40 | 0.09
2 | M2 | 70 | 0.10
2 | M3 | 142 | 0.11
2 | M4 | 170 | 0.12
3 | M1 | 59 | 0.09
3 | M2 | 104 | 0.10
3 | M3 | 225 | 0.12
3 | M4 | 273 | 0.13
4 | M1 | 78 | 0.10
4 | M2 | 138 | 0.11
4 | M3 | 288 | 0.13
4 | M4 | 376 | 0.15
5 | M1 | 97 | 0.10
5 | M2 | 172 | 0.12
5 | M3 | 361 | 0.15
5 | M4 | 479 | 0.17


References

[1] M. Alam and U.M. Al-Saggaf. Quantitative reliability evaluation of repairable phased-mission systems using Markov approach. IEEE Transactions on Reliability, R-35(5):498–503, 1986.
[2] J. Arlat, T. Eliasson, K. Kanoun, D. Noyes, D. Powell, and J. Torin. Evaluation of fault-tolerant data handling systems for spacecraft: Measures, techniques and example applications. Technical Report 86.321, LAAS-CNRS, 1986.
[3] A. Bondavalli, I. Mura, and M. Nelli. Analytical modeling and evaluation of phased-mission systems for space applications. Proceedings IEEE High-Assurance System Engineering Workshop (HASE-97), Bethesda, Maryland, 1997.
[4] K. Brace, R. Rudell, and R. Bryant. Efficient implementation of a BDD package. Proc. 27th ACM/IEEE Design Automation Conference, pages 40–45, 1990.
[5] R. Bryant. Graph based algorithms for Boolean function manipulation. IEEE Transactions on Computers, 35(8):677–691, 1987.
[6] G. R. Burdick, J.B. Fussel, D.M. Rasmussen, and J.R. Wilson. Phased mission analysis: A review of new developments and an application. IEEE Transactions on Reliability, 26(1):43–49, 1977.
[7] O. Coudert and J.C. Madre. Metaprime: An interactive fault-tree analyzer. IEEE Transactions on Reliability, 43(1):121–127, 1994.
[8] S.A. Doyle and J.B. Dugan. Dependability assessment using binary decision diagrams. Proc. 25th International Symposium on Fault-Tolerant Computing, pages 249–258, 1995.
[9] J.B. Dugan. Automated analysis of phased-mission reliability. IEEE Transactions on Reliability, 40(1):45–52, 1991.
[10] J.D. Esary and H. Ziehms. Reliability analysis of phased missions. Proc. Conference on Reliability and Fault Tree Analysis, pages 213–236, 1975.
[11] K. Kim and K.S. Park. Phased-mission system reliability under Markov environment. IEEE Transactions on Reliability, 43(2):301–309, 1994.
[12] Y. Ma and K.S. Trivedi. An algorithm for reliability analysis of phased-mission systems. Accepted subject to revision, Reliability Engineering.
[13] M. Bouissou. An ordering heuristic for building binary decision diagrams from fault-trees. Proc. 1996 Annual Reliability and Maintainability Symposium, pages 208–214, 1996.
[14] J.F. Meyer, D.G. Furchgott, and L.T. Wu. Performability evaluation of the SIFT computer. Proc. 1979 IEEE Fault-Tolerant Computing Symposium (FTCS-79), Madison, Wisconsin, pages 43–50, 1979.
[15] I. Mura, A. Bondavalli, X. Zang, and K.S. Trivedi. Dependability modeling and evaluation of phased mission systems: a DSPN approach. Accepted, Proc. Dependable Computing for Critical Applications (DCCA) 7.
[16] A. Pedar and V.V.S. Sarma. Phased-mission analysis for evaluating the effectiveness of aerospace computing systems. IEEE Transactions on Reliability, 30(5):429–437, 1981.
[17] A. Rauzy. New algorithms for fault tree analysis. Reliability Engineering and System Safety, 40:203–211, 1993.
[18] R.M. Sinnamon and J.D. Andrews. Improved accuracy in quantitative fault tree analysis. Quality and Reliability Engineering International, 13:285–292, 1997.
[19] R.M. Sinnamon and J.D. Andrews. Improved efficiency in qualitative fault tree analysis. Quality and Reliability Engineering International, 13:293–298, 1997.
[20] M. Smotherman and K. Zemoudeh. A non-homogeneous Markov model for phased-mission reliability analysis. IEEE Transactions on Reliability, 38(5):585–590, 1989.
[21] A.K. Somani. Simplified phased-mission system analysis for systems with independent component repairs. International Journal of Reliability, Quality and Safety Engineering, 4(2):167–189, 1997.
[22] A.K. Somani, J.A. Ritcey, and S.H.L. Au. Computationally efficient phased-mission reliability analysis for systems with variable configurations. IEEE Transactions on Reliability, 41(4):504–511, 1992.
[23] A.K. Somani and K.S. Trivedi. Phased-mission systems using Boolean algebraic methods. Performance Evaluation Review: Proc. 1994 ACM SIGMETRICS Conference, 22(1):98–107, 1994.

