Formal FT-based Cause-Consequence Reliability Analysis using Theorem Proving
Mohamed Abdelghany and Sofiène Tahar
Department of Electrical and Computer Engineering, Concordia University, Montréal, QC, Canada
{m_eldes, tahar}@ece.concordia.ca

TECHNICAL REPORT
January 2021 (arXiv preprint, cs.FL)

Abstract

Cause-consequence Diagram (CCD) is widely used as a deductive safety analysis technique for decision-making at the critical-system design stage. This approach models the causes of subsystem failures in a highly-critical system and their potential consequences using Fault Tree (FT) and Event Tree (ET) methods, which are well-known dependability modeling techniques. Paper-and-pencil-based approaches and simulation tools, such as the Monte-Carlo approach, are commonly used to carry out CCD analysis, but lack the ability to rigorously verify essential system reliability properties. In this work, we propose to use formal techniques based on theorem proving for the formal modeling and step-analysis of CCDs to overcome the inaccuracies of the simulation-based analysis and the error-proneness of informal reasoning by mathematical proofs. In particular, we use the HOL4 theorem prover, which is a computer-based mathematical reasoning tool. To this end, we developed a formalization of CCDs in Higher-Order Logic (HOL), based on the algebraic approach, using HOL4. We demonstrate the practical effectiveness of the proposed CCD formalization by performing the formal reliability analysis of the IEEE 39-bus electrical power network. Also, we formally determine the Forced Outage Rate (FOR) of the power generation units and the network reliability index, i.e., System Average Interruption Duration Index (SAIDI). To assess the accuracy of our proposed approach, we compare our results with those obtained with MATLAB Monte-Carlo Simulation (MCS) as well as other state-of-the-art approaches for subsystem-level reliability analysis.
Keywords: Cause-Consequence Diagram, Event Tree, Fault Tree, Reliability Analysis, Safety, Formal Methods, Theorem Proving, HOL4, Monte-Carlo, FMECA, Electrical Power Network, FOR, SAIDI.
Introduction
Nowadays, in many safety-critical systems, which are prevalent, e.g., in smart grids [1] and the automotive industry [2], a catastrophic accident may happen due to the coincidence of sudden events and/or failures of specific subsystem components. These undesirable accidents may result in loss of profits and sometimes severe fatalities. Therefore, the central inquiry in many critical systems, where safety is of the utmost importance, is to identify the possible consequences on the entire system given that one or more components could fail at a subsystem level. For that purpose, the main discipline for safety design engineers is to perform a detailed Cause-Consequence Diagram (CCD) [3] reliability analysis for identifying the subsystem events that prevent the entire system from functioning as desired. This approach models the causes of component failures and their consequences on the entire system using Fault Tree (FT) [4] and Event Tree (ET) [5] dependability modeling techniques.

FTs mainly provide a graphical model for analyzing the factors causing a system failure upon their occurrence. FTs are generally classified into two categories: Static Fault Trees (SFT) and Dynamic Fault Trees (DFT) [6]. SFTs and DFTs allow safety analysts to capture the static/dynamic failure characteristics of systems in a very effective manner using logic gates, such as OR, AND, NOT, Priority-AND (PAND) and SPare (SP) [4]. However, the FT technique is incapable of identifying the possible consequences resulting from an undesirable failure on the entire system. ETs provide risk analysis with all possible system-level operating states that can occur in the system, i.e., success and failure, so that one of these possible scenarios can occur [5]. However, both of these modeling techniques are limited to analyzing either a critical-system failure or cascading dependencies of system-level components only, respectively.

There exist some techniques that have been developed for subsystem-level reliability analysis of safety-critical systems. For instance, Papadopoulos et al. in [7] have developed a software tool called HiP-HOPS (Hierarchically Performed Hazard Origin & Propagation Studies) [8] for subsystem-level failure analysis to overcome classical manual failure analysis of complex systems and prevent human errors. HiP-HOPS can automatically generate the subsystem-level FT and perform Failure Modes, Effects, and Criticality Analysis (FMECA) from a given system model, where each system component is associated with its failure rate or failure probability [7]. Currently, HiP-HOPS lacks the modeling of multi-state system components and also cannot provide generic mathematical expressions that can be used to predict the reliability of a critical system based on any probabilistic distribution [9]. Similarly, Jahanian in [10] has proposed a new technique called Failure Mode Reasoning (FMR) for identifying and quantifying the failure modes of safety-critical systems at the subsystem level. However, according to Jahanian [11], the soundness of the FMR approach needs to be proven mathematically.

On the other hand, CCD analysis typically uses FTs to analyze failures at the subsystem or component level combined with an ET diagram to integrate their cascading failure dependencies at the system level. CCDs are categorized into two general methods for the ET linking process with the FTs [12]: (1) small ET diagram and large subsystem-level FT; (2) large ET diagram and small subsystem-level FT. The former one, with a small ET and a large subsystem-level FT, is the most commonly used for the probabilistic safety assessment of industrial applications (e.g., in [13]). There are four main steps involved in the CCD analysis [14]: (1) Component failure events: identify the causes of each component failure associated with their different modes of operation; (2) Construction of a complete CCD: construct a CCD model using its basic blocks, i.e., Decision box, Consequence path and Consequence box; (3) Reduction: removal of unnecessary decision boxes based on the system functional behavior to obtain a minimal CCD; and lastly (4) Probabilistic analysis: evaluating the probabilities of CCD paths describing the occurrence of a sequence of events.

Traditionally, CCD subsystem-level reliability analysis is carried out by using paper-and-pencil-based approaches to analyze safety-critical systems, such as high-integrity protection systems (HIPS) [14] and nuclear power plants [15], or by using computer simulation tools based on the Monte-Carlo approach, as in [16]. A major limitation in both of the above approaches is the possibility of introducing inaccuracies in the CCD analysis, either due to human fallibility or due to the approximation errors of numerical methods and pseudo-random numbers in the simulation tools. Moreover, simulation tools do not provide the mathematical expressions that can be used to predict the reliability of a given system based on any probabilistic distributions and failure rates.

A safer way is to substitute the error-prone informal reasoning of CCD analysis by formal generic mathematical proofs, as per the recommendations of safety standards such as IEC 61850 [17], EN 50128 [18] and ISO 26262 [19]. In this work, we propose to use formal techniques based on theorem proving for the formal CCD-based reliability analysis of safety-critical systems, which provides us the ability to obtain a verified subsystem-level failure/operating consequence expression. Theorem proving is a formal verification technique [20], which is used for conducting the proof of mathematical theorems based on a computerized proof tool. In particular, we use HOL4 [21], which is an interactive theorem prover with the ability of verifying a wide range of mathematical expressions constructed in higher-order logic (HOL). For this purpose, we endeavor to formalize the above-mentioned four steps of CCD analysis using the HOL4 proof assistant. To demonstrate the practical effectiveness of the proposed CCD formalization, we conduct the formal CCD analysis of an IEEE 39-bus electrical power network system. Subsequently, we formally determine a commonly used metric, namely the Forced Outage Rate (FOR), which determines the capacity outage or unavailability of the power generation units [22]. Also, we evaluate the System Average Interruption Duration Index (SAIDI), which describes the average duration of interruptions for each customer in a power network [22].

The main contributions of the work we describe in this report can be summarized as follows:
• Formalization of the CCD basic constructors, such as Decision box, Consequence path and Consequence box, that can be used to build an arbitrary level of CCDs
• Enabling the formal reduction of CCDs that can remove unnecessary decision boxes from a given CCD model, a feature not available in other existing approaches
• Providing reasoning support for formal probabilistic analysis of scalable CCD consequence paths with new proposed mathematical formulations
• Application on a real-world IEEE 39-bus electrical power network system and verification of its reliability indexes FOR and SAIDI
• Development of a Standard Meta Language (SML) function that can numerically compute reliability values from the verified expressions of FOR and SAIDI
• Comparison between our formal CCD reliability assessment and the corresponding results obtained from MATLAB MCS and other well-known approaches

The rest of the report is organized as follows: In Section 2, we present the related literature review. In Section 3, we describe the preliminaries to facilitate the understanding of the rest of the report. Section 4 presents the proposed formalization of CCDs and their formal probabilistic properties. In Section 5, we describe the formal CCD analysis of an electrical network system and the evaluation of its reliability indices FOR and SAIDI. Lastly, Section 6 concludes the report.
Related Work

Only a few works have previously considered using formal techniques [20] to model and analyze CCDs. For instance, Ortmeier et al. in [23] developed a framework for Deductive Cause-Consequence Analysis (DCCA) using the SMV model checker [24] to verify the CCD proof obligations. However, according to the authors [23], there is a problem of showing the completeness of DCCA due to the exponential growth of the number of proof obligations with complex systems, which requires cumbersome proof efforts. To overcome the above-mentioned limitations, a more practical way is to verify generic mathematical formulations that can perform N-level CCD reliability analysis for real-world systems within a sound environment. Higher-Order Logic (HOL) [25] is a good candidate formalism for achieving this goal.

Prior to our work, there were two notable projects for building frameworks to formally analyze dependability models using HOL4 theorem proving [21]. For instance, HOL4 has been previously used by Ahmad et al. in [26] to formalize SFTs. The SFT formalization includes a new datatype consisting of AND, OR and NOT FT gates [4] to analyze the factors causing a static system failure. Furthermore, Elderhalli et al. in [27] had formalized DFTs in the HOL4 theorem prover, which can be used to conduct formal dynamic failure analysis. Similarly, we have defined in [28] a new EVENT_TREE multi-state system components and is based on any given probabilistic distribution and failure rates, which makes our proposed work the first of its kind. In order to check the correctness of the proposed equations, we verified them within the sound environment of HOL4.
Preliminaries

In this section, we briefly summarize the fundamentals of the HOL4 theorem proving approach and the existing FT and ET formalizations in HOL4 to facilitate the reader's understanding of the rest of the report.
Theorem proving [20] is one of the formal verification techniques that use a computerized proof system for conducting the proof of mathematical theorems. HOL4 [21] is an interactive theorem prover, which is capable of verifying a wide range of safety-critical systems as well as mathematical expressions constructed in HOL. In general, given a safety-critical system to be formally analyzed, we first model its structure mathematically; then, using the HOL4 theorem prover, several properties of the system can be verified based on this mathematical model. The main characteristic of the HOL4 theorem prover is that its core consists only of four axioms and eight inference rules. Any further proof or theorem should be formally verified based on these axioms and rules or based on previously proven theorems. This ensures the soundness of the system model analysis, i.e., no wrong proof goal can be proved. Moreover, since the system properties are proven mathematically within HOL4, no approximation is involved in the analysis results. These features make HOL4 suitable for carrying out the CCD-based reliability analysis of safety-critical systems that require sound verification results. Table 1 provides the HOL4 symbols and functions that we will use in this report.
Table 1: HOL4 Symbols and Functions
  HOL4 Symbol          Standard            Meaning
  {x | P(x)}           {λx. P(x)}          Set of all x such that P(x)
  h::L                 cons                Add an element h to a list L
  MAP (λx. f(x)) X     x ∈ X → (λx. f)     Function that maps each element x in the list X to f(x)
  L1 ++ L2             append              Joins lists L1 and L2 together

A measure space is defined mathematically as (Ω, Σ, µ), where Ω represents the sample space, Σ represents a σ-algebra of subsets of Ω, and µ represents a measure with the domain Σ. A probability space is a measure space (Ω, Σ, Pr), where Ω is the complete sample space, Σ is the corresponding event space containing all the events of interest, and Pr is the probability measure, with the probability of the sample space equal to 1. The HOL4 theorem prover has a rich library of probabilities, including the functions p_space, events, and prob. Given a probability space p, these functions return the corresponding Ω, Σ, and Pr, respectively. The Cumulative Distribution Function (CDF) is defined as the probability of the event where a random variable X has a value less than or equal to a value t, i.e., P(X ≤ t). This definition has been formalized in HOL4 as [29]:

  ⊢ CDF p X t = distribution p X {y | y ≤ t}

where the function distribution takes three inputs: (i) a probability space p; (ii) a random variable X; and (iii) a set of real numbers, and then returns the probability of the variable X acquiring all the values of the given set in the probability space p.

Fault Tree (FT) analysis [4] is one of the commonly used reliability assessment techniques for critical systems. It mainly provides a schematic diagram for analyzing undesired top events, which can cause complete system failure upon their occurrence. An FT model is represented by logic gates, like OR, AND and NOT, where an OR gate models the failure of the output if any of the input failure events occurs alone, while an AND gate models the failure of the output if all of the input failure events occur at the same time, and lastly a NOT gate models the complement of the input failure event. Ahmad et al. [26] presented the FT formalization by defining a new datatype gate in HOL4 as:
  Hol_datatype gate = AND of (gate list)
                    | OR of (gate list)
                    | NOT of (gate)
                    | atomic of (event)
The FT constructors AND and OR are recursive functions on gate-typed lists, while the FT constructor NOT operates on a gate-typed variable. A semantic function is then defined over the gate datatype that can yield an FT diagram as:

Definition 1:
  ⊢ FTree p (atomic X) = X ∧
    FTree p (OR (h::t)) = FTree p h ∪ FTree p (OR t) ∧
    FTree p (AND (h::t)) = FTree p h ∩ FTree p (AND t) ∧
    FTree p (NOT X) = p_space p DIFF FTree p X
The function FTree takes an event X, identified by a type constructor atomic, and returns the given event X. If the function FTree takes a list of type gate, identified by a type constructor OR, then it returns the union of all elements after applying the function FTree on each element of the given list. Similarly, if the function FTree takes a list of type gate, identified by a type constructor AND, then it performs the intersection of all elements after applying the function FTree on each element of the given list. For the NOT type constructor, the function FTree returns the complement of the failure event obtained from the function FTree.

The formal verification in HOL4 of the failure probabilistic expressions of the above-mentioned FT gates is presented in Table 2 [26]. These expressions are verified under the following constraints: (a) F_N ∈ events p ensures that all associated failure events in the given list F_N are drawn from the events space p; (b) prob_space p ensures that p is a valid probability space; and lastly (c) MUTUAL_INDEP p F_N ensures the independence of the failure events in the given list F_N. The function ∏ takes a list and returns the product of the list elements, while the function PROB_LIST returns a list of probabilities associated with the elements of the list. The function COMPL_LIST returns the complement of the given list elements.
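To make Definition 1 and the Table 2 expressions concrete, the following Python is an added example (not code from the report or from the HOL4 development it describes). It builds a small finite probability space for three constructed, independent component failure events, evaluates FTree as set operations, checks the AND, OR and NOT probability expressions against the measure, and shows why the MUTUAL_INDEP side condition matters by feeding a dependent pair. The empty-list base cases of OR and AND (∅ and p_space) are assumed here, since Definition 1 above shows only the cons cases.

```python
from fractions import Fraction
from functools import reduce
from itertools import product

# Constructed sample data (not from the report): three independent components,
# each with its own failure probability. An outcome is a tuple of component
# states, 1 = failed, 0 = working, so the product space has 2**3 outcomes.
FAIL_PROBS = (Fraction(1, 10), Fraction(1, 5), Fraction(1, 4))

P_SPACE = frozenset(product((0, 1), repeat=len(FAIL_PROBS)))


def outcome_prob(outcome):
    """Product-space probability of one outcome (independent components)."""
    pr = Fraction(1)
    for state, q in zip(outcome, FAIL_PROBS):
        pr *= q if state else 1 - q
    return pr


def prob(event):
    """The probability measure Pr of an event (a subset of the sample space)."""
    return sum((outcome_prob(w) for w in event), Fraction(0))


def failure_event(i):
    """Basic failure event F_i: every outcome in which component i has failed."""
    return frozenset(w for w in P_SPACE if w[i] == 1)


# FT gates as tagged tuples mirroring the HOL4 datatype `gate`.
def AND(gates): return ("AND", list(gates))
def OR(gates): return ("OR", list(gates))
def NOT(g): return ("NOT", g)
def atomic(ev): return ("atomic", ev)


def ftree(p_space, g):
    """Set semantics of Definition 1: union for OR, intersection for AND and
    complement (p_space DIFF ...) for NOT. Assumed base cases: OR [] = {} and
    AND [] = p_space, which make the cons equations of Definition 1 total."""
    tag = g[0]
    if tag == "atomic":
        return g[1]
    if tag == "OR":
        return reduce(lambda acc, h: acc | ftree(p_space, h), g[1], frozenset())
    if tag == "AND":
        return reduce(lambda acc, h: acc & ftree(p_space, h), g[1], p_space)
    if tag == "NOT":
        return p_space - ftree(p_space, g[1])
    raise ValueError(tag)


def prod(xs):
    return reduce(lambda a, b: a * b, xs, Fraction(1))


def table2_and(events):
    """Table 2, AND row: prob (FTree p (AND F_N)) = PROD (PROB_LIST p F_N)."""
    return prod(prob(e) for e in events)


def table2_or(events):
    """Table 2, OR row: 1 - PROD (PROB_LIST p (COMPL_LIST p F_N))."""
    return 1 - prod(prob(P_SPACE - e) for e in events)


def check_independent():
    """With mutually independent F_1..F_3 the set semantics and the closed-form
    expressions agree exactly (Fractions, so no floating-point slack needed)."""
    evs = [failure_event(i) for i in range(len(FAIL_PROBS))]
    gates = [atomic(e) for e in evs]
    and_ok = prob(ftree(P_SPACE, AND(gates))) == table2_and(evs)
    or_ok = prob(ftree(P_SPACE, OR(gates))) == table2_or(evs)
    not_ok = prob(ftree(P_SPACE, NOT(gates[0]))) == 1 - prob(evs[0])
    return and_ok, or_ok, not_ok


def check_dependent():
    """MUTUAL_INDEP is a real side condition: the same failure event twice is
    maximally dependent, and the product formula no longer gives the measure."""
    e = failure_event(0)
    exact = prob(ftree(P_SPACE, AND([atomic(e), atomic(e)])))
    claimed = table2_and([e, e])
    return exact, claimed
```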
Table 2: FT HOL4 Probabilistic Theorems
  FT Gate                          Probabilistic Theorem
  AND (inputs Failure 1 ... N)     prob p (FTree p (AND F_N)) = ∏ (PROB_LIST p F_N)
  OR (inputs Failure 1 ... N)      prob p (FTree p (OR F_N)) = 1 - ∏ (PROB_LIST p (COMPL_LIST p F_N))

Event Tree (ET) [5] analysis is a widely used technique to enumerate all possible combinations of system-level components failure and success states in the form of a Node and then all possible scenarios of an event that can occur in the system are drawn as
Branches. ETs were formally modeled by using a new recursive datatype EVENT_TREE, in HOL4 as [28]:

  Hol_datatype EVENT_TREE = ATOMIC of (event)
                          | NODE of (EVENT_TREE list)
                          | BRANCH of (event) (EVENT_TREE list)
The type constructors NODE and BRANCH are recursive functions on EVENT_TREE-typed lists. A semantic function is then defined over the EVENT_TREE datatype that can yield a corresponding ET diagram as:

Definition 2:
  ⊢ ETREE (ATOMIC X) = X ∧
    ETREE (NODE (h::L)) = ETREE h ∪ (ETREE (NODE L)) ∧
    ETREE (BRANCH X (h::L)) = X ∩ (ETREE h ∪ ETREE (BRANCH X L))
The function ETREE takes an event X, identified by a type constructor ATOMIC, and returns the event X. If the function ETREE takes a list of type EVENT_TREE, identified by a type constructor NODE, then it returns the union of all elements after applying the function ETREE on each element of the list. Similarly, if the function ETREE takes an event X and a list of type EVENT_TREE, identified by a type constructor BRANCH, then it performs the intersection of the event X with the union of the head of the list after applying the function ETREE and the recursive call of the BRANCH constructor.

For the formal probabilistic assessment of each path occurrence in the ET diagram, the HOL4 probabilistic properties for the NODE and BRANCH ET constructors are presented in Table 3 [28]. These expressions are formally verified under the same FT constraints, i.e., X_N ∈ events p, prob_space p and MUTUAL_INDEP p X_N. The function ∑P is defined to sum the probabilities of the events in a list.

Table 3: ET HOL4 Probabilistic Theorems
  ET Constructor                       Probabilistic Theorem
  Node (branches X_1 ... X_N)          prob p (ETREE (NODE X_N)) = ∑P p X_N
  Branch (Y, then branches Z_1 ... Z_N) prob p (ETREE (BRANCH Y Z_N)) = (prob p Y) × ∑P p Z_N

Cause-Consequence Diagrams
A Cause-Consequence Diagram [15] (CCD) has been developed to analyze the causes of undesired subsystem failure events, using FT analysis, and from these events obtain all possible consequences on the entire system, using ET analysis [30]. The description of the CCD basic constructors is illustrated in Table 4 [14]. CCD analysis is mainly divided into two categories [31]: (1) Type I, which combines SFT and ET, as shown in Fig. 1 and Table 5 [12]; and (2) Type II, which combines DFT and ET without shared events in different subsystems, as shown in Fig. 2 and Table 6 [12]. In this analysis, we focus on the CCD-based reliability analysis at the subsystem level of Type I.

Table 4: CCD Symbols and Functions
  CCD Symbol          Function
  Decision Box        Represents the functionality of a component ("Component / System Functions Correctly", with a YES and a NO output and an attached FT).
                      (1) NO Box: describes the component or subsystem failure behavior. A FT of the component is connected to this box that can be used to determine the failure probability (P_F).
                      (2) YES Box: represents the correct functioning of the component or reliability, which can be calculated by simply taking the complement of the failure probability determined in the NO Box, i.e., 1 - P_F.
  Consequence Path    Models the next possible consequence scenarios due to a particular event.
  Consequence Box     Models the outcome event due to a particular sequence of events.
Figure 1: CCD Analysis Type A (decision boxes "Subsystem 1 Functions Correctly" and "Subsystem 2 Functions Correctly" with YES/NO outputs, each fed by an SFT with OR and AND gates, linked by an ET)

Table 5: SFT Symbols and Functions
  SFT Symbol             Function
  AND (inputs A, B)      AND Gate: models the failure of the output if all of the input failure events, i.e., A and B, occur at the same time (simultaneously)
  OR (inputs C, D)       OR Gate: models the failure of the output if any of the input failure events, i.e., C or D, occurs alone
Figure 2: CCD Analysis Type B (decision boxes "Subsystem 1 Functions Correctly" and "Subsystem 2 Functions Correctly" with YES/NO outputs, each fed by a DFT with PAND and SP gates, linked by an ET)

Table 6: DFT Symbols and Functions
  DFT Symbol                 Function
  PAND (inputs A, B)         Priority-AND (PAND) Gate: models the dynamic behavior of failing the output when all input events occur in a sequence, i.e., A then B
  SP (main C, spare D)       SPare (SP) Gate: models the dynamic behavior of activating the spare input D after the failure of the main input C

Fig. 3 depicts the overview of the four steps of CCD analysis [3]: (1) Components failure events: identify the causes of the undesired failure events for each subsystem/component in the safety-critical system; (2) Construction of a complete CCD: draw a complete system CCD model using its basic constructors, considering that the order of components should follow the temporal action of the system; (3) CCD model reduction: remove the unnecessary decision boxes in the system to obtain its minimal CCD representing the actual functional behavior of the system; and (4) CCD probabilistic analysis: evaluate the probabilities of all CCD consequence paths. The paths in a CCD represent the likelihood of specific sequence scenarios that can possibly occur in a system, such that only one scenario can occur [30]. This implies that all consequences in a CCD are disjoint (mutually exclusive) [14]. Assuming that all events associated with the decision boxes in a CCD model are mutually independent, the CCD path probabilities can be quantified as follows [15]:

1. Evaluate the probabilities of each outgoing branch stemming from a decision box, i.e., quantifying the associated FT models
2. Compute the probability of each consequence path by multiplying the individual probabilities of all events associated with the decision boxes
3. Determine the probability of a particular consequence box by summing the probabilities of all consequence paths ending with that consequence event

Figure 3: Overview of CCD Analysis (Step 1: Components Failure Events; Step 2: Construction of a Complete CCD Model; Step 3: CCD Model Reduction; Step 4: CCD Probabilistic Analysis, yielding Path 1, Path 2 and Path 3)

As an example, consider a Motor Control Centre (MCC) [32] consisting of three components, Relay, Timer and Fuse, as shown in Fig. 4. The MCC is designed to control an Induction Motor (IM) and let it run for a specific period of time, then stop it. The IM power circuit is energized by the closure of the Relay Contacts (Rc), as shown in Fig. 4. Rc closes after the user presses the Start button, which energizes R and at the same time energizes an ON-delay Timer (T). The Timer opens its contacts (Tc) after a specific period of time t and consequently the IM stops. If the IM is overloaded beyond its design, then the Fuse (F) melts and protects both MCC and IM from damage. Assume that each component in the MCC has two operational states, i.e., operating or failing. The four steps of a CCD-based reliability analysis described by Andrews et al. [14] are as follows [30]:
Figure 4: Schematic of an Example MCC (Motor Power Circuit with lines L1, L2, L3 and neutral N feeding the Induction Motor IM; Motor Control Centre with Relay R, ON-delay Timer T, Fuse F, Start normally-open contact, Timer normally-closed contact Tc and Relay contact Rc)

1. Components failure events: Assign a FT to each component in the MCC, i.e., FT_Relay, FT_Timer, FT_Fuse.
2. Construction of a complete CCD: Construct a complete CCD model of the IM control operation, as shown in Fig. 5. For instance, whether the condition of the first decision box is satisfied or not, i.e., YES or NO, the next system components are considered in order, i.e., Timer and then Fuse. Each consequence in the CCD ends with either motor stops (MS) or motor runs (MR).
3. CCD model reduction: Apply the reduction process on the obtained complete CCD model. For instance, if the condition of the first decision box (Relay Contacts Open) is satisfied, i.e., the YES box, then the IM stops regardless of the status of the rest of the components, as shown in Fig. 6. Similarly, if the condition of the second decision box (Timer Contacts Open) is satisfied, then the IM stops. So, Fig. 6 represents the minimal CCD for the IM control operation.
Figure 5: Complete CCD Model of the MCC (decision boxes Relay Contacts Open, Timer Contacts Open and Fuse Melts, fed by FT_Relay, FT_Timer and FT_Fuse; consequences MS and MR)
Figure 6: Reduced CCD Model of the MCC (decision boxes Relay Contacts Open, Timer Contacts Open and Fuse Melts, connected by consequence paths; consequence boxes MS: Motor Stops, MR: Motor Runs)

4. CCD probabilistic analysis: The probabilities of the two consequence boxes MS and MR in Fig. 6 can be expressed mathematically as:

  P(Consequence Box MS) = P(Relay_S) + P(Relay_F) × P(Timer_S) + P(Relay_F) × P(Timer_F) × P(Fuse_S)   (1)

  P(Consequence Box MR) = P(Relay_F) × P(Timer_F) × P(Fuse_F)   (2)

where P(X_F) is the unreliability function or the probability of failure of a component X, i.e., the FT_X model, and P(X_S) is the reliability function or the probability of operating, i.e., the complement of the FT_X model.

In the next section, we present, in detail, the formalization of CCDs in the HOL4 theorem prover to analyze the failures at the subsystem level of a given safety-critical complex system and determine all their possible cascading dependencies of complete/partial reliability and failure events that can occur at the system level.

Formal CCD Modeling

We start the formalization of CCDs by formally modeling its basic symbols, as described in Table 4, in HOL4 as follows:
Definition 3:
  ⊢ DEC_BOX p X Y = if X = 1 then FST Y else if X = 0 then SND Y else p_space p
where Y is an ordered pair (FST Y, SND Y) representing the reliability and unreliability functions in a decision box, respectively. The condition X = 1 represents the YES Box while X = 0 represents the NO Box. If X is neither 1 nor 0, for instance X = 2, this represents the irrelevance of the decision box, which returns the probability space p, to be used in the reduction process of CCDs.

Secondly, we define the CCD Consequence path by recursively applying the BRANCH ET constructor on a given N list of decision boxes (DEC_BOX_N) using the HOL4 recursive function FOLDL as:
Definition 4:
  ⊢ CONSEQ_PATH p (DEC_BOX::DEC_BOX_N) = FOLDL (λa b. ETREE (BRANCH a b)) DEC_BOX DEC_BOX_N

Finally, we define the CCD Consequence box by mapping the function CONSEQ_PATH on a list using the HOL4 function MAP, then applying the NODE ET constructor:
Definition 5:
  ⊢ CONSEQ_BOX p L_M = ETREE (NODE (MAP (λa. CONSEQ_PATH p a) L_M))

Using the above definitions, we can construct a complete CCD model (Step 2 in Fig. 3) for the MCC system shown in Fig. 5, in HOL4 as:

  ⊢ MCC_COMPLETE_CCD FT_R FT_T FT_F =
      CONSEQ_BOX p
        [[DEC_BOX p 1 (¬FT_R, FT_R); DEC_BOX p 1 (¬FT_T, FT_T); DEC_BOX p 1 (¬FT_F, FT_F)];
         [DEC_BOX p 1 (¬FT_R, FT_R); DEC_BOX p 1 (¬FT_T, FT_T); DEC_BOX p 0 (¬FT_F, FT_F)];
         [DEC_BOX p 1 (¬FT_R, FT_R); DEC_BOX p 0 (¬FT_T, FT_T); DEC_BOX p 1 (¬FT_F, FT_F)];
         [DEC_BOX p 0 (¬FT_R, FT_R); DEC_BOX p 1 (¬FT_T, FT_T); DEC_BOX p 0 (¬FT_F, FT_F)];
         [DEC_BOX p 0 (¬FT_R, FT_R); DEC_BOX p 0 (¬FT_T, FT_T); DEC_BOX p 1 (¬FT_F, FT_F)];
         [DEC_BOX p 0 (¬FT_R, FT_R); DEC_BOX p 0 (¬FT_T, FT_T); DEC_BOX p 0 (¬FT_F, FT_F)]]

In CCD analysis [30], Step 3 in Fig. 3 is used to model the accurate functional behavior of systems, in the sense that the irrelevant decision boxes should be removed from a complete CCD model. Upon this, the actual CCD model of the MCC system after reduction, as shown in Fig. 6, can be obtained by assigning X neither 1 nor 0, for instance X = 2, which represents the irrelevance of the decision box, in HOL4 as:

  ⊢ MCC_REDUCED_CCD FT_R FT_T FT_F =
      CONSEQ_BOX p
        [[DEC_BOX p 1 (¬FT_R, FT_R); DEC_BOX p 2 (¬FT_T, FT_T); DEC_BOX p 2 (¬FT_F, FT_F)];
         [DEC_BOX p 0 (¬FT_R, FT_R); DEC_BOX p 1 (¬FT_T, FT_T); DEC_BOX p 2 (¬FT_F, FT_F)];
         [DEC_BOX p 0 (¬FT_R, FT_R); DEC_BOX p 0 (¬FT_T, FT_T); DEC_BOX p 1 (¬FT_F, FT_F)];
         [DEC_BOX p 0 (¬FT_R, FT_R); DEC_BOX p 0 (¬FT_T, FT_T); DEC_BOX p 0 (¬FT_F, FT_F)]]

We then verify the above reduced CCD model of the MCC system, in HOL4 as:

  ⊢ MCC_REDUCED_CCD FT_R FT_T FT_F =
      CONSEQ_BOX p
        [[DEC_BOX p 1 (¬FT_R, FT_R)];
         [DEC_BOX p 0 (¬FT_R, FT_R); DEC_BOX p 1 (¬FT_T, FT_T)];
         [DEC_BOX p 0 (¬FT_R, FT_R); DEC_BOX p 0 (¬FT_T, FT_T); DEC_BOX p 1 (¬FT_F, FT_F)];
         [DEC_BOX p 0 (¬FT_R, FT_R); DEC_BOX p 0 (¬FT_T, FT_T); DEC_BOX p 0 (¬FT_F, FT_F)]]

where ¬FT_X, for a component X, denotes the complement of FT_X. The important step in the CCD analysis is to determine the probability of each consequence path occurrence in the CCD [14]. For that purpose, we formally verify the following CCD generic probabilistic properties, in HOL4 as follows:
Property 1: The probability of a consequence path for one decision box assigned with a generic FT model, i.e., OR or AND, as shown in Fig. 7, under the assumptions described in Table 2, is respectively as follows:

Theorem 1:
  ⊢ prob_space p ∧ F_N ∈ events p ∧ MUTUAL_INDEP p F_N ⇒
    prob p (CONSEQ_PATH p [DEC_BOX p X (FTree p (NOT (OR F_N)), FTree p (OR F_N))]) =
      if X = 1 then ∏ (PROB_LIST p (COMPL_LIST p F_N))
      else if X = 0 then 1 - ∏ (PROB_LIST p (COMPL_LIST p F_N))
      else 1

For example, consider a system X consisting of two components C1 and C2. Assuming that the failure of either one of them causes the system failure, i.e., C1_F or C2_F, we can formally model the FT of the system (FT_system), in HOL4 as:

  ⊢ FT_system p C1_F C2_F = FTree p (OR [C1_F; C2_F])

Using Theorem 1, we can obtain the probability of the YES/NO outcomes of a decision box connected to the above FT model, respectively, in HOL4 as:

  ⊢ prob p (CONSEQ_PATH p [DEC_BOX p 1 (¬FT_system, FT_system)]) =
      (1 - prob p C1_F) × (1 - prob p C2_F)
  ⊢ prob p (CONSEQ_PATH p [DEC_BOX p 0 (¬FT_system, FT_system)]) =
      1 - (1 - prob p C1_F) × (1 - prob p C2_F)

Figure 7: Decision Boxes with FT Gates (a "Component Functions Correctly" decision box with YES/NO outputs over an OR gate and over an AND gate, each with inputs Failure 1 ... Failure N)

Theorem 2:
  ⊢ prob_space p ∧ F_N ∈ events p ∧ MUTUAL_INDEP p F_N ⇒
    prob p (CONSEQ_PATH p [DEC_BOX p X (FTree p (NOT (AND F_N)), FTree p (AND F_N))]) =
      if X = 1 then 1 - ∏ (PROB_LIST p F_N)
      else if X = 0 then ∏ (PROB_LIST p F_N)
      else 1

For instance, in the above example, assume that only the simultaneous failure of both components causes the system failure, i.e., C1_F and C2_F. We can formally model the FT of the system, in HOL4 as:

  ⊢ FT_system p C1_F C2_F = FTree p (AND [C1_F; C2_F])

Using Theorem 2, we can obtain the probability of the YES/NO outcomes of a decision box connected to the above FT model, respectively, in HOL4 as:

  ⊢ prob p (CONSEQ_PATH p [DEC_BOX p 1 (¬FT_system, FT_system)]) = 1 - prob p C1_F × prob p C2_F
  ⊢ prob p (CONSEQ_PATH p [DEC_BOX p 0 (¬FT_system, FT_system)]) = prob p C1_F × prob p C2_F
Figure 8: Two-level Decision Boxes for CCD Analysis (decision boxes for System X and System Y, each with YES/NO outcomes and its own FT_X or FT_Y over Failure 1 ... Failure N / Failure 1 ... Failure M, in the gate combinations AND-OR, AND-AND and OR-OR)

Property 2: The probability of two-level decision boxes assigned to a CCD path with all combinations of FT gates (AND-OR / OR-AND, AND-AND and OR-OR), as shown in Fig. 8. Each combination has 4 possible operating scenarios that can occur and 2 other possible reduction scenarios that may be required in the reduction step (Step 3), which represent the removal of the decision box Y from the path. The basic idea is to select different combinations of decision boxes to achieve the desired system behavior and also to select the reduction combination (> 1) to remove irrelevant decision boxes. These probabilistic expressions can be formally verified in HOL4 as:
Theorem 3: ⊢ prob_space p ∧ (∀y. y ∈ (F_N ++ F_M) ⇒ y ∈ events p) ∧ MUTUAL_INDEP p (F_N ++ F_M) ⇒
  prob p (CONSEQ_PATH p [DEC_BOX p X (FTree p (NOT (AND F_N)), FTree p (AND F_N));
                         DEC_BOX p Y (FTree p (NOT (OR F_M)), FTree p (OR F_M))]) =
    if X = 0 ∧ Y = 0 then ∏ (PROB_LIST p F_N) × (1 − ∏ (PROB_LIST p (COMPL_LIST p F_M)))
    else if X = 0 ∧ Y = 1 then ∏ (PROB_LIST p F_N) × ∏ (PROB_LIST p (COMPL_LIST p F_M))
    else if X = 1 ∧ Y = 0 then (1 − ∏ (PROB_LIST p F_N)) × (1 − ∏ (PROB_LIST p (COMPL_LIST p F_M)))
    else if X = 1 ∧ Y = 1 then (1 − ∏ (PROB_LIST p F_N)) × ∏ (PROB_LIST p (COMPL_LIST p F_M))
    else if X = 0 ∧ Y = 2 then ∏ (PROB_LIST p F_N)
    else if X = 1 ∧ Y = 2 then (1 − ∏ (PROB_LIST p F_N))
    else 1

Theorem 4: ⊢ prob p (CONSEQ_PATH p [DEC_BOX p X (FTree p (NOT (AND F_N)), FTree p (AND F_N));
                                    DEC_BOX p Y (FTree p (NOT (AND F_M)), FTree p (AND F_M))]) =
    if X = 0 ∧ Y = 0 then ∏ (PROB_LIST p F_N) × ∏ (PROB_LIST p F_M)
    else if X = 0 ∧ Y = 1 then ∏ (PROB_LIST p F_N) × (1 − ∏ (PROB_LIST p F_M))
    ...
    else if X = 1 ∧ Y = 2 then (1 − ∏ (PROB_LIST p F_N))
    else 1

Theorem 5: ⊢ prob p (CONSEQ_PATH p [DEC_BOX p X (FTree p (NOT (OR F_N)), FTree p (OR F_N));
                                    DEC_BOX p Y (FTree p (NOT (OR F_M)), FTree p (OR F_M))]) =
    if X = 0 ∧ Y = 0 then (1 − ∏ (PROB_LIST p (COMPL_LIST p F_N))) × (1 − ∏ (PROB_LIST p (COMPL_LIST p F_M)))
    else if X = 0 ∧ Y = 1 then (1 − ∏ (PROB_LIST p (COMPL_LIST p F_N))) × ∏ (PROB_LIST p (COMPL_LIST p F_M))
    ...
    else if X = 1 ∧ Y = 2 then ∏ (PROB_LIST p (COMPL_LIST p F_N))
    else 1

Property 3: A generic probabilistic property for a consequence path consisting of complex four-level decision boxes associated with different combinations of FTs, each consisting of N components (AND-OR-AND-OR / OR-AND-OR-AND / AND-AND-OR-OR / OR-OR-AND-AND), which has 16 possible operating scenarios that can occur and 14 other possible reduction possibilities, as shown in Fig. 9, in HOL4 as:
Theorem 6: ⊢ Let W_F = ∏ (PROB_LIST p F_N); W = 1 − W_F;
               X_F = 1 − ∏ (PROB_LIST p (COMPL_LIST p F_K)); X = 1 − X_F;
               Y_F = ∏ (PROB_LIST p F_M); Y = 1 − Y_F;
               Z_F = 1 − ∏ (PROB_LIST p (COMPL_LIST p F_J)); Z = 1 − Z_F
  in
  prob p (CONSEQ_PATH p [DEC_BOX p W (FTree p (NOT (AND F_N)), FTree p (AND F_N));
                         DEC_BOX p X (FTree p (NOT (OR F_K)), FTree p (OR F_K));
                         DEC_BOX p Y (FTree p (NOT (AND F_M)), FTree p (AND F_M));
                         DEC_BOX p Z (FTree p (NOT (OR F_J)), FTree p (OR F_J))]) =
    if W = 0 ∧ X = 0 ∧ Y = 0 ∧ Z = 0 then W_F × X_F × Y_F × Z_F
    else if W = 0 ∧ X = 0 ∧ Y = 0 ∧ Z = 1 then W_F × X_F × Y_F × Z
    else if W = 0 ∧ X = 0 ∧ Y = 1 ∧ Z = 0 then W_F × X_F × Y × Z_F
    ...
    else if W = 1 ∧ X = 1 ∧ Y = 2 ∧ Z = 2 then W × X
    else if W = 1 ∧ X = 2 ∧ Y = 2 ∧ Z = 2 then W
    else 1
For complex systems consisting of N-level decision boxes, where each decision box is associated with an AND/OR gate consisting of an arbitrary list of failure events, we define three types A, B and C of possible CCD outcomes, as shown in Fig. 10, with newly proposed mathematical formulations as:

Property 4 (N Decision Boxes of Type A): The probability of n decision boxes assigned to a consequence path corresponding to n subsystems, where all decision boxes are associated with FT AND models consisting of arbitrary lists of k events, can be expressed mathematically at a specific time t for three cases as:

(A1) All outcomes of n decision boxes are NO
$F_A(t) = \prod_{i=1}^{n} \prod_{j=2}^{k} F_{ij}(t)$ (3)
Figure 9: Four-level Decision Boxes for CCD Analysis (decision boxes for Systems W, X, Y and Z, each with YES/NO outcomes and its FT_W, FT_X, FT_Y or FT_Z over AND/OR gates of Failure 1 ... Failure N/K/M/J; panels: Operating Scenarios, Reduction Scenarios)
Figure 10: Generic N-level CCD Analysis (decision boxes for Subsystem 1 ... Subsystem N and Subsystem P, each with YES/NO outcomes, associated with FT AND gates over F_N(1) ... F_N(J) or FT OR gates over F_P(1) ... F_P(S), feeding the ET)

(A2) All outcomes of n decision boxes are YES
$F_A(t) = \prod_{i=1}^{n} \left(1 - \prod_{j=2}^{k} F_{ij}(t)\right)$ (4)

(A3) Some outcomes of m decision boxes are NO and the remaining outcomes of p decision boxes are YES
$F_A(t) = \left(\prod_{i=1}^{m} \prod_{j=2}^{k} F_{ij}(t)\right) \times \left(\prod_{i=1}^{p} \left(1 - \prod_{j=2}^{k} F_{ij}(t)\right)\right)$ (5)

To verify the correctness of the above-proposed new safety analysis mathematical formulations in the HOL4 theorem prover, we define two generic CCD functions SS_YESAND and SS_NOAND that recursively generate the YES and NO outcomes of the function FTree, identified by the gate constructors AND and NOT, for a given arbitrary list of all subsystem failure events (SSN), respectively, in HOL4 as:

Definition 6: ⊢ SS_YESAND p (SS1::SSN) = FTree p (NOT (AND SS1)) :: SS_YESAND p SSN

Definition 7: ⊢ SS_NOAND p (SS1::SSN) = FTree p (AND SS1) :: SS_NOAND p SSN
Using the above defined functions, we can verify three two-dimensional and scalable probabilistic properties corresponding to the above-mentioned safety equations Eq. 3, Eq. 4, and Eq. 5, respectively, in HOL4 as:

Theorem 7: ⊢ prob p (CONSEQ_PATH p (SS_NOAND p SSN)) = ∏ (MAP (λa. ∏ (PROB_LIST p a)) SSN)

Theorem 8: ⊢ prob p (CONSEQ_PATH p (SS_YESAND p SSN)) = ∏ (MAP (λb. (1 − ∏ (PROB_LIST p b))) SSN)

Theorem 9: ⊢ prob p (CONSEQ_PATH p [CONSEQ_PATH p (SS_NOAND p SSm); CONSEQ_PATH p (SS_YESAND p SSp)]) =
  (∏ (MAP (λa. ∏ (PROB_LIST p a)) SSm)) × (∏ (MAP (λb. 1 − ∏ (PROB_LIST p b)) SSp))

Property 5 (N Decision Boxes of Type B): The probabilistic assessment of n decision boxes assigned to a CCD consequence path, where all decision boxes are associated with generic FT OR models consisting of arbitrary lists of k events, can be expressed mathematically for three cases:

(B1) All outcomes of n decision boxes are NO
$F_B(t) = \prod_{i=1}^{n} \left(1 - \prod_{j=2}^{k} (1 - F_{ij}(t))\right)$ (6)

(B2) All outcomes of n decision boxes are YES
$F_B(t) = \prod_{i=1}^{n} \prod_{j=2}^{k} (1 - F_{ij}(t))$ (7)

(B3) Some outcomes of m decision boxes are NO and some outcomes of p decision boxes are YES
$F_B(t) = \left(\prod_{i=1}^{m} \left(1 - \prod_{j=2}^{k} (1 - F_{ij}(t))\right)\right) \times \left(\prod_{i=1}^{p} \prod_{j=2}^{k} (1 - F_{ij}(t))\right)$ (8)

To verify the correctness of the above-proposed new CCD mathematical formulas in HOL4, we define two generic functions SS_YESOR and SS_NOOR to recursively generate the YES and NO outcomes of the function FTree, identified by the gate constructors OR and NOT, for a given list of subsystem events.

Definition 8: ⊢ SS_YESOR p (SS1::SSN) = FTree p (NOT (OR SS1)) :: SS_YESOR p SSN

Definition 9: ⊢ SS_NOOR p (SS1::SSN) = FTree p (OR SS1) :: SS_NOOR p SSN

Using the above defined functions, we can formally verify three scalable probabilistic properties corresponding to Eq. 6, Eq. 7, and Eq. 8, respectively, in HOL4 as:

Theorem 10: ⊢ prob p (CONSEQ_PATH p (SS_NOOR p SSN)) = ∏ (MAP (λa. (1 − ∏ (PROB_LIST p (compl_list p a)))) SSN)

Theorem 11: ⊢ prob p (CONSEQ_PATH p (SS_YESOR p SSN)) = ∏ (MAP (λb. ∏ (PROB_LIST p (compl_list p b))) SSN)

Theorem 12: ⊢ prob p (CONSEQ_PATH p [CONSEQ_PATH p (SS_NOOR p SSm); CONSEQ_PATH p (SS_YESOR p SSp)]) =
  ∏ (MAP (λa. (1 − ∏ (PROB_LIST p (compl_list p a)))) SSm) × ∏ (MAP (λb. ∏ (PROB_LIST p (compl_list p b))) SSp)

Property 6 (N Decision Boxes of Type C): The probabilistic assessment of n decision boxes assigned to a consequence path for a very complex system, where some m decision boxes are associated with generic FT AND models consisting of k events, while the other p decision boxes are associated with generic FT OR models consisting of z events, as shown in Fig. 10, is proposed to be expressed mathematically for nine cases as:

(C1) All outcomes of m and p decision boxes are NO.
$F_C(t) = \left(\prod_{i=1}^{m} \prod_{j=2}^{k} F_{ij}(t)\right) \times \left(\prod_{i=1}^{p} \left(1 - \prod_{j=2}^{z} (1 - F_{ij}(t))\right)\right)$ (9)

Theorem 13: ⊢ prob p (CONSEQ_PATH p [CONSEQ_PATH p (SS_NOAND p SSm); CONSEQ_PATH p (SS_NOOR p SSp)]) =
  ∏ (MAP (λa. ∏ (PROB_LIST p a)) SSm) × ∏ (MAP (λb. (1 − ∏ (PROB_LIST p (compl_list p b)))) SSp)

(C2) All outcomes of m and p decision boxes are YES.
$F_C(t) = \left(\prod_{i=1}^{m} \left(1 - \prod_{j=2}^{k} F_{ij}(t)\right)\right) \times \left(\prod_{i=1}^{p} \prod_{j=2}^{z} (1 - F_{ij}(t))\right)$ (10)

Theorem 14: ⊢ prob p (CONSEQ_PATH p [CONSEQ_PATH p (SS_YESAND p SSm); CONSEQ_PATH p (SS_YESOR p SSp)]) =
  ∏ (MAP (λa. 1 − ∏ (PROB_LIST p a)) SSm) × ∏ (MAP (λb. ∏ (PROB_LIST p (compl_list p b))) SSp)

(C3) All outcomes of m decision boxes are NO and all outcomes of p decision boxes are YES.
$F_C(t) = \left(\prod_{i=1}^{m} \prod_{j=2}^{k} F_{ij}(t)\right) \times \left(\prod_{i=1}^{p} \prod_{j=2}^{z} (1 - F_{ij}(t))\right)$ (11)

Theorem 15: ⊢ prob p (CONSEQ_PATH p [CONSEQ_PATH p (SS_NOAND p SSm); CONSEQ_PATH p (SS_YESOR p SSp)]) =
  ∏ (MAP (λa. ∏ (PROB_LIST p a)) SSm) × ∏ (MAP (λb. ∏ (PROB_LIST p (compl_list p b))) SSp)

(C4) All outcomes of m decision boxes are YES and all outcomes of p decision boxes are NO.
$F_C(t) = \left(\prod_{i=1}^{m} \left(1 - \prod_{j=2}^{k} F_{ij}(t)\right)\right) \times \left(\prod_{i=1}^{p} \left(1 - \prod_{j=2}^{z} (1 - F_{ij}(t))\right)\right)$ (12)

Theorem 16: ⊢ prob p (CONSEQ_PATH p [CONSEQ_PATH p (SS_YESAND p SSm); CONSEQ_PATH p (SS_NOOR p SSp)]) =
  ∏ (MAP (λa. 1 − ∏ (PROB_LIST p a)) SSm) × ∏ (MAP (λb. (1 − ∏ (PROB_LIST p (compl_list p b)))) SSp)

(C5) Some outcomes of s out of m decision boxes are NO, some outcomes of u out of m decision boxes are YES and all outcomes of p decision boxes are NO.
$F_C(t) = \left(\prod_{i=1}^{s} \prod_{j=2}^{k} F_{ij}(t)\right) \times \left(\prod_{i=1}^{u} \left(1 - \prod_{j=2}^{k} F_{ij}(t)\right)\right) \times \left(\prod_{i=1}^{p} \left(1 - \prod_{j=2}^{z} (1 - F_{ij}(t))\right)\right)$ (13)

Theorem 17: ⊢ prob p (CONSEQ_PATH p [CONSEQ_PATH p (SS_NOAND p SSs); CONSEQ_PATH p (SS_YESAND p SSu); CONSEQ_PATH p (SS_NOOR p SSp)]) =
  ∏ (MAP (λa. ∏ (PROB_LIST p a)) SSs) × ∏ (MAP (λb. 1 − ∏ (PROB_LIST p b)) SSu) × ∏ (MAP (λc. (1 − ∏ (PROB_LIST p (compl_list p c)))) SSp)

(C6) Some outcomes of s out of m decision boxes are NO, some outcomes of u out of m decision boxes are YES and all outcomes of p decision boxes are YES.
$F_C(t) = \left(\prod_{i=1}^{s} \prod_{j=2}^{k} F_{ij}(t)\right) \times \left(\prod_{i=1}^{u} \left(1 - \prod_{j=2}^{k} F_{ij}(t)\right)\right) \times \left(\prod_{i=1}^{p} \prod_{j=2}^{z} (1 - F_{ij}(t))\right)$ (14)

Theorem 18: ⊢ prob p (CONSEQ_PATH p [CONSEQ_PATH p (SS_NOAND p SSs); CONSEQ_PATH p (SS_YESAND p SSu); CONSEQ_PATH p (SS_YESOR p SSp)]) =
  ∏ (MAP (λa. ∏ (PROB_LIST p a)) SSs) × ∏ (MAP (λb. 1 − ∏ (PROB_LIST p b)) SSu) × ∏ (MAP (λc. ∏ (PROB_LIST p (compl_list p c))) SSp)

(C7) Some outcomes of s out of p decision boxes are NO, some outcomes of u out of p decision boxes are YES and all outcomes of m decision boxes are NO.
$F_C(t) = \left(\prod_{i=1}^{m} \prod_{j=2}^{k} F_{ij}(t)\right) \times \left(\prod_{i=1}^{u} \prod_{j=2}^{z} (1 - F_{ij}(t))\right) \times \left(\prod_{i=1}^{s} \left(1 - \prod_{j=2}^{z} (1 - F_{ij}(t))\right)\right)$ (15)

Theorem 19: ⊢ prob p (CONSEQ_PATH p [CONSEQ_PATH p (SS_NOAND p SSm); CONSEQ_PATH p (SS_YESOR p SSu); CONSEQ_PATH p (SS_NOOR p SSs)]) =
  ∏ (MAP (λa. ∏ (PROB_LIST p a)) SSm) × ∏ (MAP (λb. ∏ (PROB_LIST p (compl_list p b))) SSu) × ∏ (MAP (λc. (1 − ∏ (PROB_LIST p (compl_list p c)))) SSs)

(C8) Some outcomes of s out of p decision boxes are NO, some outcomes of u out of p decision boxes are YES and all outcomes of m decision boxes are YES.
$F_C(t) = \left(\prod_{i=1}^{m} \left(1 - \prod_{j=2}^{k} F_{ij}(t)\right)\right) \times \left(\prod_{i=1}^{u} \prod_{j=2}^{z} (1 - F_{ij}(t))\right) \times \left(\prod_{i=1}^{s} \left(1 - \prod_{j=2}^{z} (1 - F_{ij}(t))\right)\right)$ (16)

Theorem 20: ⊢ prob p (CONSEQ_PATH p [CONSEQ_PATH p (SS_YESAND p SSm); CONSEQ_PATH p (SS_YESOR p SSu); CONSEQ_PATH p (SS_NOOR p SSs)]) =
  ∏ (MAP (λa. 1 − ∏ (PROB_LIST p a)) SSm) × ∏ (MAP (λb. ∏ (PROB_LIST p (compl_list p b))) SSu) × ∏ (MAP (λc. (1 − ∏ (PROB_LIST p (compl_list p c)))) SSs)

(C9) Some outcomes of s out of m decision boxes are NO, some outcomes of u out of m decision boxes are YES, some outcomes of v out of p decision boxes are NO and some outcomes of w out of p decision boxes are YES.
$F_C(t) = \left(\prod_{i=1}^{s} \prod_{j=2}^{k} F_{ij}(t)\right) \times \left(\prod_{i=1}^{v} \left(1 - \prod_{j=2}^{z} (1 - F_{ij}(t))\right)\right) \times \left(\prod_{i=1}^{u} \left(1 - \prod_{j=2}^{k} F_{ij}(t)\right)\right) \times \left(\prod_{i=1}^{w} \prod_{j=2}^{z} (1 - F_{ij}(t))\right)$ (17)

Theorem 21: ⊢ prob p (CONSEQ_PATH p [CONSEQ_PATH p (SS_NOAND p SSs); CONSEQ_PATH p (SS_YESAND p SSu); CONSEQ_PATH p (SS_NOOR p SSv); CONSEQ_PATH p (SS_YESOR p SSw)]) =
  ∏ (MAP (λa. ∏ (PROB_LIST p a)) SSs) × ∏ (MAP (λb. 1 − ∏ (PROB_LIST p b)) SSu) × ∏ (MAP (λc. (1 − ∏ (PROB_LIST p (compl_list p c)))) SSv) × ∏ (MAP (λd. ∏ (PROB_LIST p (compl_list p d))) SSw)

Therefore, by verifying all the above-mentioned theorems in HOL4, we showed the completeness of our proposed formal approach and thereby solved the scalability problem of CCD analysis for any given large and complex engineering system at the subsystem level [33].
Property 7: A generic probabilistic expression of CONSEQ_BOX for a certain event occurrence in the entire system as the sum of all individual probabilities of all M CONSEQ_PATH ending with that event:

Theorem 22: ⊢ Let CONSEQ_PATHS L_M = MAP (λa. CONSEQ_PATH p a) L_M in
  prob_space p ∧ MUTUAL_INDEP p L_M ∧ disjoint (CONSEQ_PATHS L_M) ∧ ALL_DISTINCT (CONSEQ_PATHS L_M) ⇒
  prob p (CONSEQ_BOX p L_M) = Σ (PROB_LIST p (CONSEQ_PATHS L_M))

where the HOL4 function disjoint ensures that each pair of elements in a given list is mutually exclusive, while the function ALL_DISTINCT ensures that each pair is distinct. The function Σ is defined to sum the events for a given list. Remark that all the above-mentioned new CCD formulations have been formally verified in HOL4, where the proof script amounts to about 16,000 lines of HOL4 code, which can be downloaded for use from [33]. Also, this code can be extended, with some basic know-how of HOL4, to perform dynamic failure analysis of dynamic subsystems where no dependencies exist between subsystems using DFTs, such as PAND and SP, i.e., CCD reliability analysis of Type II (see Fig. 2).

To illustrate the applicability of our proposed approach, in the next section we present the formal CCD step-analysis of the standard IEEE 39-bus electrical power network and verify its reliability indexes (FOR and SAIDI), which are commonly used as reliability indicators by electric power utilities.
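As an added worked example (not the authors' HOL4 code), the decision-box, consequence-path and consequence-box algebra of Theorems 1-22 evaluated numerically in Python: outcome 1 is YES, 0 is NO, and 2 is a box removed by the reduction step (the "else 1" branch of the theorems). The names DecBox, dec_box_prob, conseq_path_prob, conseq_box_prob, type_c_path and all_outcome_paths are this example's own, the failure probabilities are constructed, and all_outcome_paths goes beyond the text by checking that the YES/NO paths of a complete CCD sum to one (they are disjoint and exhaustive).

```python
"""Numerical evaluation of the CCD consequence-path algebra (added example).

A decision box holds a single-level fault tree (AND or OR gate over mutually
independent component failure probabilities) and an outcome: 1 = YES (the
subsystem functions correctly, i.e. the complement of the FT top event),
0 = NO (the top event occurs), 2 = the box was removed by the reduction step.
Under mutual independence a consequence path is the product of its box
probabilities (Theorems 3-21) and a consequence box made of disjoint paths is
the sum of its path probabilities (Theorem 22).
"""
import math
from dataclasses import dataclass
from itertools import product as cartesian
from typing import List, Sequence

YES, NO, REMOVED = 1, 0, 2


def ft_prob(gate: str, failure_probs: Sequence[float]) -> float:
    """Top-event probability of a single-level FT over independent basic events."""
    if gate == "AND":            # every component must fail
        return math.prod(failure_probs)
    if gate == "OR":             # any single component failing is enough
        return 1.0 - math.prod(1.0 - f for f in failure_probs)
    raise ValueError(f"unknown gate {gate!r}")


@dataclass(frozen=True)
class DecBox:
    gate: str        # "AND" or "OR"
    failures: tuple  # component failure probabilities F_ij(t) of this subsystem
    outcome: int     # YES, NO or REMOVED


def dec_box_prob(box: DecBox) -> float:
    """Theorems 1 and 2: the probability contributed by one decision box."""
    p_fail = ft_prob(box.gate, box.failures)
    if box.outcome == YES:
        return 1.0 - p_fail
    if box.outcome == NO:
        return p_fail
    if box.outcome == REMOVED:   # the 'else 1' branch: a removed box is neutral
        return 1.0
    raise ValueError(f"unknown outcome {box.outcome}")


def conseq_path_prob(path: Sequence[DecBox]) -> float:
    """Theorems 3-21: product over the boxes of one path (mutual independence)."""
    return math.prod(dec_box_prob(b) for b in path)


def conseq_box_prob(paths: Sequence[Sequence[DecBox]]) -> float:
    """Theorem 22: sum over the disjoint paths that end in the same consequence."""
    return sum(conseq_path_prob(p) for p in paths)


def type_c_path(ss_no_and, ss_yes_and, ss_no_or, ss_yes_or) -> List[DecBox]:
    """Property 6 / Theorem 21: the path [SS_NOAND; SS_YESAND; SS_NOOR; SS_YESOR]
    built from lists of per-subsystem failure-probability lists."""
    path = [DecBox("AND", tuple(s), NO) for s in ss_no_and]
    path += [DecBox("AND", tuple(s), YES) for s in ss_yes_and]
    path += [DecBox("OR", tuple(s), NO) for s in ss_no_or]
    path += [DecBox("OR", tuple(s), YES) for s in ss_yes_or]
    return path


def all_outcome_paths(boxes: Sequence[DecBox]) -> List[List[DecBox]]:
    """Every YES/NO assignment of the given boxes: the complete, unreduced CCD."""
    return [[DecBox(b.gate, b.failures, o) for b, o in zip(boxes, outcomes)]
            for outcomes in cartesian((YES, NO), repeat=len(boxes))]


if __name__ == "__main__":
    # Constructed component failure probabilities, not data from the report.
    f_n, f_m = (0.1, 0.2), (0.3, 0.4)
    # Theorem 3 with X = 0 and Y = 0: prod(F_N) * (1 - prod(1 - F_M)) = 0.0116
    path = [DecBox("AND", f_n, NO), DecBox("OR", f_m, NO)]
    print("Theorem 3 (NO, NO):", conseq_path_prob(path))
    # The YES/NO paths of a complete CCD are disjoint and exhaustive: they sum to 1.
    boxes = [DecBox("AND", f_n, YES), DecBox("OR", f_m, YES), DecBox("OR", (0.05,), YES)]
    print("sum over complete CCD:", conseq_box_prob(all_outcome_paths(boxes)))
```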
An electrical power network is an interconnected grid for delivering electricity from producers to customers. The power network system consists of three main zones [1]: (i) generating stations that produce electric power; (ii) transmission lines that carry power from sources to loads; and (iii) distribution lines that connect individual consumers. Due to the complex and integrated nature of the power network, failures in any zone of the system can cause widespread catastrophic disruption of supply [1]. Therefore, a rigorous formal cause-consequence analysis of the grid is essential in order to reduce the risk of a blackout and enable back-up decisions [34]. For power network safety assessment, reliability engineers have been dividing the power network into three main hierarchical levels [12]: (a) generation systems; (b) composite generation and transmission (or bulk power) systems; and (c) distribution systems. We can use our proposed CCD formalization for the formal modeling and analysis of any hierarchical level in the power network. In this case study, we focus on the generation part only, i.e., hierarchical level I. Also, we can evaluate the Forced Outage Rate (FOR) for the generation stations, which is defined as the probability of the unit being unavailable to produce power due to unexpected equipment failure [34]. Additionally, we can determine the System Average Interruption Duration Index (SAIDI), which indicates the average duration for which each customer served experiences a sustained outage. SAIDI is defined as the sum of all customer interruption durations (probability of load failure multiplied by the mean time to repair the failure and the number of customers affected by the failure) over the total number of customers served [34]:

$\mathit{SAIDI} = \dfrac{\sum P(X_F) \times \mathit{MTTR}_X \times \mathit{CN}_X}{\sum \mathit{CN}_X}$ (18)

where X_F denotes the failure of X, CN_X is the number of customers at a certain location X and MTTR_X is the mean time to repair the failure that occurred at X. We formally define a function ΣT_F in HOL4 to sum all customer interruption durations. Also, we formally define a generic function SAIDI by dividing the output of ΣT_F by the total number of customers served, in HOL4 as:

Definition 10: ⊢ ΣT_F (L::L_M) (MTTR::MTTR_M) (CN::CN_M) p =
  prob p (CONSEQ_BOX p L) × MTTR × CN + ΣT_F L_M MTTR_M CN_M p

Definition 11: ⊢ SAIDI L_M MTTR_M CN_M p = ΣT_F L_M MTTR_M CN_M p / Σ CN_M

where L_M is the list of CCD paths, MTTR_M is the list of mean times to repair, and CN_M is the list of customer numbers. The function ΣT_F (Definition 10) models the numerator of Eq. 18, which is the sum of all customer interruption durations at different locations in the electrical power grid. Each probability of failure is obtained by evaluating a CONSEQ_BOX consisting of the list of M CONSEQ_PATH which cause that failure. Definition 11 represents the division of the output of Definition 10 by the total number of customers at all those locations, as described in Eq. 18.

Consider a standard IEEE 39-bus electrical power network test system consisting of 10 generators (G), 12 substations (S/S), 39 buses (Bus), and 34 transmission lines (TL), as shown in Fig. 11 [35]. Assume the generators G1-G10 are of two types: (i) solar photo-voltaic (PV) power plants G1-G5; and (ii) steam power plants G6-G10. Using the Optimal Power Flow (OPF) optimization [36], we can determine the flow of electricity from generators to consumers in the power network. Typically, we are only interested in evaluating the duration of certain failure events for specific loads in the grid. For instance, if we consider the failure of load A, which according to the OPF is supplied from G9 and G5 only, as shown in Fig. 11, then the failure of either one or both power plants will lead to a partial or a complete blackout at that load, respectively. We assume that the failure of two consecutive power plants causes a complete blackout of the load. Hence, considering the disruption cases of only one supply generator, the different partial failures for loads A, B, C and D, as shown in Fig. 11, can be obtained by observing different failures in the power network as:

a. P(Load A_F) = (1 − FOR_G9) × FOR_G5 + FOR_G9 × (1 − FOR_G5)
b. P(Load B_F) = (1 − FOR_G7) × FOR_G9 + FOR_G7 × (1 − FOR_G9)
c. P(Load C_F) = (1 − FOR_G1) × FOR_G2 + FOR_G1 × (1 − FOR_G2)
d. P(Load D_F) = (1 − FOR_G6) × (1 − FOR_G3) × (1 − FOR_G8) × FOR_G4
              + (1 − FOR_G6) × (1 − FOR_G3) × FOR_G8 × (1 − FOR_G4)
              + (1 − FOR_G6) × FOR_G3 × (1 − FOR_G8) × (1 − FOR_G4)
              + FOR_G6 × (1 − FOR_G3) × (1 − FOR_G8) × (1 − FOR_G4)

Therefore, the assessment of SAIDI for the grid (G) shown in Fig. 11, including an evaluation of the FOR of all its power plants, can be written mathematically as:

$\mathit{SAIDI}_G = \dfrac{P(\mathrm{Load\,A}_F) \times \mathit{MTTR}_{\mathrm{Load\,A}} \times \mathit{CN}_{\mathrm{Load\,A}} + \ldots}{\mathit{CN}_{\mathrm{Load\,A}} + \mathit{CN}_{\mathrm{Load\,B}} + \mathit{CN}_{\mathrm{Load\,C}} + \mathit{CN}_{\mathrm{Load\,D}}}$ (19)
Figure 11: IEEE 39-bus Electrical Power Network [35] (single-line diagram of Buses 1-39, generators G1-G10, substations and transmission lines with the OPF power flow to Loads A-D; legend: TL, Power Flow, Generator, S/S, Bus, Power Outage). The supply table of the figure:

Load   Supplied From
A      G9, G5
B      G7, G9
C      G1, G2
D      G6, G3, G8, G4
We can apply our four steps of CCD formalization to verify the expression of SAIDI in terms of the power plant generator components, in HOL4 as:

Step 1 (Component failure events): The schematic FT models of a typical PV power plant consisting of 2 solar farms [37] and a steam power plant consisting of 3 generators [34] are shown in Fig. 12 and Fig. 13, respectively. Using the formal FT modeling, we can formally define the FT models of both plants in HOL4 as:

Definition 12: ⊢ FT_PV p [LF1;LF2] [DC_DC1;DC_DC2] [SA1;SA2] [DC_AC1;DC_AC2] =
  FTree p (OR [OR [LF1;DC_DC1;DC_AC1;SA1]; OR [LF2;DC_DC2;DC_AC2;SA2]])

Definition 13: ⊢ FT_STEAM p [BO1;BO2;BO3] [TA1;TA2;TA3] =
  FTree p (AND [AND [BO1;TA1]; AND [BO2;TA2]; AND [BO3;TA3]])
Steps 2 and 3 (Construction of a CCD and Reduction): Construct a formal complete CCD for all loads in our case study (Fig. 11), i.e., A, B, C, and D, then remove the irrelevant decision boxes according to the functional behavior of the electrical power network. For instance, we can model the CCDs for loads A and D, as shown in Fig. 14, respectively, in HOL4 as:

Figure 12: FT Model of a PV Power Plant (OR of two solar farms, each an OR over Line Filter, DC-DC Converter, Solar Array and DC-AC Inverter)

Figure 13: FT Model of a Steam Power Plant (AND of three generators, each an AND of Boiler and Turbo Alternator)
Definition 14: ⊢ CCD_LOAD_A =
  CONSEQ_BOX p
    [[DEC_BOX p 1 (¬FT_STEAM, FT_STEAM); DEC_BOX p 1 (¬FT_PV, FT_PV)];
     [DEC_BOX p 1 (¬FT_STEAM, FT_STEAM); DEC_BOX p 0 (¬FT_PV, FT_PV)];
     [DEC_BOX p 0 (¬FT_STEAM, FT_STEAM); DEC_BOX p 1 (¬FT_PV, FT_PV)];
     [DEC_BOX p 0 (¬FT_STEAM, FT_STEAM); DEC_BOX p 0 (¬FT_PV, FT_PV)]]

Definition 15: ⊢ CCD_LOAD_D =
  CONSEQ_BOX p
    [[DEC_BOX p 1 (¬FT_STEAM, FT_STEAM); DEC_BOX p 1 (¬FT_PV, FT_PV); DEC_BOX p 1 (¬FT_STEAM, FT_STEAM); DEC_BOX p 1 (¬FT_PV, FT_PV)];
     [DEC_BOX p 1 (¬FT_STEAM, FT_STEAM); DEC_BOX p 1 (¬FT_PV, FT_PV); DEC_BOX p 1 (¬FT_STEAM, FT_STEAM); DEC_BOX p 0 (¬FT_PV, FT_PV)];
     ...
     [DEC_BOX p 0 (¬FT_STEAM, FT_STEAM); DEC_BOX p 0 (¬FT_PV, FT_PV)]]
Step 4 (Probabilistic analysis): We can use our proposed formal approach to express subsystem-level failure/reliability probabilistic expressions of electrical power grids, which enable us to analyze the cascading dependencies across many subsystem levels, based on any probabilistic distribution. In this work, we assume that the failure of each component is exponentially distributed (i.e., CDF p X t = 1 − e^(−λ_X t), where λ_X is the failure rate of the variable X and t is a time index).
Figure 14: CCD Analysis of Loads A and D (decision boxes "Generator 9 / Generator 5 Functions Correctly" for Load A and "Generator 6 / 3 / 8 / 4 Functions Correctly" for Load D, each with YES/NO outcomes and its FT_STEAM or FT_PV; consequences: NO = Normal Operation, PF = Partial Failure, CF = Complete Failure)
FOR Analysis

Using Definitions 12 and 13 with the assumption that the failure states of components are exponentially distributed, we can formally specify the probabilistic FOR expressions for both PV and steam power plants in HOL4 as:

Definition 16: ⊢ FOR_PV p [LF1;LF2] [DC_DC1;DC_DC2] [SA1;SA2] [DC_AC1;DC_AC2] =
  prob p (FT_PV p (↓[LF1;LF2]) (↓[DC_DC1;DC_DC2]) (↓[SA1;SA2]) (↓[DC_AC1;DC_AC2]))

Definition 17: ⊢ FOR_STEAM p [BO1;BO2;BO3] [TA1;TA2;TA3] =
  prob p (FT_STEAM p (↓[BO1;BO2;BO3]) (↓[TA1;TA2;TA3]))

where the function ↓ takes a list of N components and assigns an exponential failing event to each component in the list. We can formally verify the above expressions of FOR_PV and FOR_STEAM in HOL4 as:

Theorem 23: ⊢ FOR_PV p [LF1;LF2] [DC_DC1;DC_DC2] [SA1;SA2] [DC_AC1;DC_AC2] =
  1 − e^(−λ_LF1 t) × e^(−λ_LF2 t) × e^(−λ_DC_DC1 t) × e^(−λ_DC_DC2 t) × e^(−λ_SA1 t) × e^(−λ_SA2 t) × e^(−λ_DC_AC1 t) × e^(−λ_DC_AC2 t)

Theorem 24: ⊢ FOR_STEAM p [BO1;BO2;BO3] [TA1;TA2;TA3] =
  (1 − e^(−λ_BO1 t)) × (1 − e^(−λ_BO2 t)) × (1 − e^(−λ_BO3 t)) × (1 − e^(−λ_TA1 t)) × (1 − e^(−λ_TA2 t)) × (1 − e^(−λ_TA3 t))

SAIDI Analysis
Using Theorems 1-24 with the assumption that the failure states of components are exponentially distributed, we can formally verify SAIDI_G (Eq. 19) in HOL4 as:

Theorem 25: ⊢ SAIDI
  [[CONSEQ_PATH p
      [DEC_BOX p 1 (FTree p (NOT (FT_STEAM p (↓[BO1;BO2;BO3]) (↓[TA1;TA2;TA3]))), FT_STEAM p (↓[BO1;BO2;BO3]) (↓[TA1;TA2;TA3]));
       DEC_BOX p 0 (FTree p (NOT (FT_PV p (↓[LF1;LF2]) (↓[DC_DC1;DC_DC2]) (↓[SA1;SA2]) (↓[DC_AC1;DC_AC2]))), FT_PV p (↓[LF1;LF2]) (↓[DC_DC1;DC_DC2]) (↓[SA1;SA2]) (↓[DC_AC1;DC_AC2]))];
    [DEC_BOX p 0 (FTree p (NOT (FT_STEAM p (↓[BO1;BO2;BO3]) (↓[TA1;TA2;TA3]))), FT_STEAM p (↓[BO1;BO2;BO3]) (↓[TA1;TA2;TA3]));
     DEC_BOX p 1 (FTree p (NOT (FT_PV p (↓[LF1;LF2]) (↓[DC_DC1;DC_DC2]) (↓[SA1;SA2]) (↓[DC_AC1;DC_AC2]))), FT_PV p (↓[LF1;LF2]) (↓[DC_DC1;DC_DC2]) (↓[SA1;SA2]) (↓[DC_AC1;DC_AC2]))]];
   ...]
  [MTTR_LoadA; MTTR_LoadB; MTTR_LoadC; MTTR_LoadD]
  [CN_LoadA; CN_LoadB; CN_LoadC; CN_LoadD] p =
  (((1 − (1 − e^(−λ_BO1 t)) × (1 − e^(−λ_BO2 t)) × (1 − e^(−λ_BO3 t)) × (1 − e^(−λ_TA1 t)) × (1 − e^(−λ_TA2 t)) × (1 − e^(−λ_TA3 t)))
      × (1 − e^(−λ_LF1 t) × e^(−λ_LF2 t) × e^(−λ_DC_DC1 t) × e^(−λ_DC_DC2 t) × e^(−λ_DC_AC1 t) × e^(−λ_DC_AC2 t) × e^(−λ_SA1 t) × e^(−λ_SA2 t))
    + (1 − e^(−λ_BO1 t)) × (1 − e^(−λ_BO2 t)) × (1 − e^(−λ_BO3 t)) × (1 − e^(−λ_TA1 t)) × (1 − e^(−λ_TA2 t)) × (1 − e^(−λ_TA3 t))
      × e^(−λ_LF1 t) × e^(−λ_LF2 t) × e^(−λ_DC_DC1 t) × e^(−λ_DC_DC2 t) × e^(−λ_DC_AC1 t) × e^(−λ_DC_AC2 t) × e^(−λ_SA1 t) × e^(−λ_SA2 t))
   × MTTR_LoadA × CN_LoadA + . . .)
  / (CN_LoadA + CN_LoadB + CN_LoadC + CN_LoadD)
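An added numerical evaluation (not the authors' SML functions) of FOR_PV (Theorem 23), FOR_STEAM (Theorem 24) and SAIDI_G (Eq. 19, Theorem 25) in Python, using the component failure rates, MTTRs and customer numbers listed in the experimental results section and the supply map of Fig. 11. The function names are this example's own, and it assumes the per-year rates and the one-year study horizon are expressed in the same unit, so t = 1.

```python
"""FOR and SAIDI for the 39-bus case study with exponential failures (added example)."""
import math

# Component failure rates per year from the report's experimental data.
RATES = {"BO": 0.91, "TA": 0.84, "LF": 0.96, "DC_DC": 0.67, "DC_AC": 0.22, "SA": 0.56}
T_YEARS = 1.0  # 8760-hour horizon expressed in years to match the rate unit (assumption)

# OPF supply map of Fig. 11; G1-G5 are PV plants, G6-G10 are steam plants.
SUPPLY = {"A": ["G9", "G5"], "B": ["G7", "G9"], "C": ["G1", "G2"], "D": ["G6", "G3", "G8", "G4"]}
MTTR_HOURS = {"A": 12, "B": 20, "C": 15, "D": 10}      # hours per interruption
CUSTOMERS = {"A": 500, "B": 1800, "C": 900, "D": 2500}  # CN per load


def exp_fail(rate: float, t: float) -> float:
    """CDF of an exponentially distributed failure: 1 - e^(-λ t)."""
    return 1.0 - math.exp(-rate * t)


def for_pv(rates, t: float, farms: int = 2) -> float:
    """Theorem 23: an OR of OR-farms fails unless every line filter, DC-DC
    converter, solar array and DC-AC inverter of every farm survives."""
    survive = 1.0
    for _ in range(farms):
        for comp in ("LF", "DC_DC", "SA", "DC_AC"):
            survive *= math.exp(-rates[comp] * t)
    return 1.0 - survive


def for_steam(rates, t: float, generators: int = 3) -> float:
    """Theorem 24: an AND of boiler/turbo-alternator ANDs fails only when
    every boiler and every turbo-alternator has failed."""
    per_generator = exp_fail(rates["BO"], t) * exp_fail(rates["TA"], t)
    return per_generator ** generators


def plant_for(plant: str, rates, t: float) -> float:
    """FOR of one generator according to its type (PV for G1-G5, steam for G6-G10)."""
    return for_pv(rates, t) if int(plant[1:]) <= 5 else for_steam(rates, t)


def partial_failure_prob(fors) -> float:
    """Cases a-d of the report: exactly one supplying plant is out while all
    the other plants feeding the load keep running."""
    total = 0.0
    for i, f_i in enumerate(fors):
        term = f_i
        for j, f_j in enumerate(fors):
            if j != i:
                term *= 1.0 - f_j
        total += term
    return total


def saidi(load_fail_probs, mttr, customers) -> float:
    """Definitions 10 and 11 / Eq. 18: interruption hours per customer served."""
    loads = list(load_fail_probs)
    numerator = sum(load_fail_probs[x] * mttr[x] * customers[x] for x in loads)
    return numerator / sum(customers[x] for x in loads)


def grid_saidi(rates=RATES, t: float = T_YEARS) -> float:
    """SAIDI_G of Eq. 19 for the Fig. 11 grid."""
    load_fail = {load: partial_failure_prob([plant_for(g, rates, t) for g in plants])
                 for load, plants in SUPPLY.items()}
    return saidi(load_fail, MTTR_HOURS, CUSTOMERS)


if __name__ == "__main__":
    print(f"FOR_PV    = {for_pv(RATES, T_YEARS):.4f}")
    print(f"FOR_STEAM = {for_steam(RATES, T_YEARS):.4f}")
    print(f"SAIDI_G   = {grid_saidi():.3f} hours per customer per year")
```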
To further facilitate the use of our proposed approach by power grid reliability engineers, we defined Standard Meta Language (SML) functions [33] that can numerically evaluate the above-verified expressions of FOR_PV, FOR_STEAM, and SAIDI. Subsequently, we compared our results with a MATLAB CCD algorithm based on Monte-Carlo Simulation (MCS) and also with other existing subsystem-level reliability analysis techniques, such as HiP-HOPS and FMR, to ensure the accuracy of our computations, which is presented in the next section.

Experimental Results and Discussion
Consider the failure rates of the power plant components λ_BO, λ_TA, λ_LF, λ_DC_DC, λ_DC_AC and λ_SA to be 0.91, 0.84, 0.96, 0.67, 0.22, and 0.56 per year [38], respectively. Also, assume that MTTR_Load A, MTTR_Load B, MTTR_Load C, and MTTR_Load D are 12, 20, 15, and 10 hours/interruption [39] and that CN_Load A, CN_Load B, CN_Load C, and CN_Load D are 500, 1800, 900, and 2500 customers, respectively. The reliability study is undertaken for 1 year, i.e., t = 8760 hours. Based on the given data, we can evaluate FOR and SAIDI for the electrical power network (Fig. 11) using the following techniques:

1. Our proposed SML functions to evaluate the verified expressions of FOR_PV, FOR_STEAM, and SAIDI in HOL4 (Theorems 23-25), as shown in Fig. 15.

Figure 15: SML Functions: FOR and SAIDI Results

2. A MATLAB MCS-based toolbox that uses a random-based algorithm to obtain FOR and SAIDI for the electrical grid. The steps followed in this technique are as follows [40]:
   • Read the values of the failure rate λ in f/hours and the repair time r in hours for each component
   • Generate a random number U
   • Calculate the predicted next Time to Fail (TTF) and Time to Repair (TTR) from the equations
     $\mathit{TTF} = -\dfrac{\ln U}{\lambda}, \qquad \mathit{TTR} = -\dfrac{\ln U}{r}$ (20)
   • Repeat the above iterative process until the number of iterations exceeds 1e5

   Based on the above-mentioned MCS steps, we obtain different results of FOR and SAIDI on every run of the algorithm, depending on the generated random number, with a tolerance error between 4-9%. So, we present in Table 7 the best-estimated results of FOR and SAIDI in MATLAB based on the MCS approach, i.e., those with the least errors. Subsequently, we take the mean average of all the obtained FOR and SAIDI results for the power grid.

Table 7: MATLAB MCS: FOR and SAIDI Results (columns: Run, FOR_PV, FOR_STEAM, SAIDI)
(a) Composition: Failure mode variables are defined and a set of logical implication statements is generated that express local failure modes.
(b) Substitution: Local statements will be combined to create a single global implication statement between the critical-system inputs and outputs.
(c) Simplification: The complex formula is simplified, where we trim off any redundant statements.
(d) Calculation: The probability of failure is evaluated using the component failure rates.
Based on the above-mentioned FMR procedures, we can express the component-level failure analysis of the PV power plant (Fig. 12) as:
$$(\hat{o} = \dot{f}) \Rightarrow (\hat{x} = \dot{f} \lor \hat{x} = \dot{f}) \qquad (21)$$
The above equation means that if the output o is False by fault then either one of its inputs to the OR gate, i.e., x or x, must be False by fault. We now need to determine what can cause $\hat{x} = \dot{f}$ and $\hat{x} = \dot{f}$. Similar to Eq. 6, we can write:
$$(\hat{x} = \dot{f}) \Rightarrow (\hat{x} = \dot{f} \lor \hat{x} = \dot{f} \lor \hat{x} = \dot{f} \lor \hat{x} = \dot{f}) \qquad (22)$$
$$(\hat{x} = \dot{f}) \Rightarrow (\hat{x} = \dot{f} \lor \hat{x} = \dot{f} \lor \hat{x} = \dot{f} \lor \hat{x} = \dot{f}) \qquad (23)$$
where x, x, x, x, x, x, x, x are LF, DC DC, DC AC, SA, LF, DC DC, DC AC, SA, respectively. Similarly, we can express the component-level failure analysis of the steam power plant (Fig. 13) as:
$$(\hat{o} = \dot{f}) \Rightarrow (\hat{x} = \dot{f} \land \hat{x} = \dot{f} \land \hat{x} = \dot{f}) \qquad (24)$$
$$(\hat{x} = \dot{f}) \Rightarrow (\hat{x} = \dot{f} \land \hat{x} = \dot{f}) \qquad (25)$$
$$(\hat{x} = \dot{f}) \Rightarrow (\hat{x} = \dot{f} \land \hat{x} = \dot{f}) \qquad (26)$$
$$(\hat{x} = \dot{f}) \Rightarrow (\hat{x} = \dot{f} \land \hat{x} = \dot{f}) \qquad (27)$$
where x, x, x, x, x, x are BO, TA, BO, TA, BO, TA, respectively. Table 8 shows the results of $FOR_{PV}$, $FOR_{STEAM}$, and SAIDI based on FMR analysis using the assumed failure rates of the power plant components.

Table 8: FMR: FOR and SAIDI Results. Columns: $FOR_{PV}$, $FOR_{STEAM}$, SAIDI.
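The four FMR steps applied to the local statements of Eqs. (21)-(27), as an added Python example (not the paper's code and not the FMR authors' tooling): local implications are composed, substituted into one global statement over basic components, flattened and deduplicated, and evaluated to a failure probability under an independence assumption. The subscripts on the x variables, the leaf names (DCDC1, BO2, ...) and the per-component probabilities are constructed assumptions, since the page gives neither the indices nor the failure rates.

```python
import math

# Composition step: local statements "<variable> fails => <gate> of its inputs fail".
# Indices on x and leaf names are assumptions (the page's abbreviations with a unit number).
PV = {
    "o":  ("OR", ("x1", "x2")),                      # Eq. (21)
    "x1": ("OR", ("LF1", "DCDC1", "DCAC1", "SA1")),  # Eq. (22)
    "x2": ("OR", ("LF2", "DCDC2", "DCAC2", "SA2")),  # Eq. (23)
}
STEAM = {
    "o":  ("AND", ("x1", "x2", "x3")),  # Eq. (24)
    "x1": ("AND", ("BO1", "TA1")),      # Eq. (25)
    "x2": ("AND", ("BO2", "TA2")),      # Eq. (26)
    "x3": ("AND", ("BO3", "TA3")),      # Eq. (27)
}

def substitute(stmts, var):
    """Substitution step: expand var until only basic components (leaves) remain."""
    if var not in stmts:
        return var
    gate, inputs = stmts[var]
    return (gate, tuple(substitute(stmts, i) for i in inputs))

def simplify(expr):
    """Simplification step: merge nested gates of the same type and drop duplicates."""
    if isinstance(expr, str):
        return expr
    gate, inputs = expr
    flat = []
    for sub in map(simplify, inputs):
        # (A or (B or C)) becomes (A or B or C); likewise for AND
        flat.extend(sub[1] if isinstance(sub, tuple) and sub[0] == gate else (sub,))
    return (gate, tuple(dict.fromkeys(flat)))   # dict keeps first occurrence, in order

def probability(expr, p):
    """Calculation step: failure probability with independent components."""
    if isinstance(expr, str):
        return p[expr]
    gate, inputs = expr
    probs = [probability(i, p) for i in inputs]
    if gate == "AND":
        return math.prod(probs)
    return 1.0 - math.prod(1.0 - q for q in probs)   # OR gate

def fmr_failure_probability(stmts, p, output="o"):
    return probability(simplify(substitute(stmts, output)), p)

# Constructed per-component failure probabilities, not the paper's assumed rates.
PV_PROBS = {c: 0.01 for c in PV["x1"][1] + PV["x2"][1]}
STEAM_PROBS = {c: 0.1 for c in STEAM["x1"][1] + STEAM["x2"][1] + STEAM["x3"][1]}
```

With these inputs the PV output collapses to a single 8-input OR over the basic components and the steam output to a single 6-input AND, which is exactly the "single global implication statement" the substitution and simplification steps aim for.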
$FOR_{PV}$, $FOR_{STEAM}$, and SAIDI based on HiP-HOPS analysis are equivalent to the FMR analysis results presented in Table 8. It can be observed that the SAIDI results obtained from our formal HOL4 analysis are approximately equivalent to the corresponding ones calculated using the FMR and HiP-HOPS approaches. On the other hand, MATLAB MCS uses a random-based algorithm, which estimates different results of FOR and SAIDI for every generated random number, with errors between 4-9%. This clearly demonstrates that our analysis not only provides the correct result but also does so with formally proven reliability expressions (Theorems 23-25), compared to simulation tools, i.e., the soundness of subsystem-level reliability analysis. By performing the formal CCD step-analysis of a real-world 39-bus electrical power network, we demonstrated the practical effectiveness of the proposed CCD formalization in HOL4, which will help design engineers to meet the desired quality requirements. Also, our proposed formal approach can be used to analyze larger-scale CCD models of other complex electrical power system applications, such as Smartgrids [1].
Conclusions
In this work, we developed a formal approach for Cause-Consequence Diagrams (CCD), which enables safety engineers to perform N-level CCD analysis of safety-critical systems within the sound environment of the HOL4 theorem prover. Our proposed approach provides new CCD mathematical formulations, whose correctness was verified in the HOL4 theorem prover. These formulations are capable of performing CCD analysis of multi-state system components, based on any given probabilistic distribution and failure rates. These features are not available in any other existing approaches for subsystem-level reliability analysis. The proposed formalization is limited to performing CCD-based reliability analysis at the subsystem level that integrates static dependability analysis. However, this formalization is generic and can be extended to perform dynamic failure analysis of dynamic subsystems where no dependencies exist between different subsystems. We demonstrated the practical effectiveness of the proposed CCD formalization by performing the formal CCD step-analysis of a standard IEEE 39-bus electrical power network system and also formally verified the power plants' Forced Outage Rate (FOR) and the System Average Interruption Duration Index (SAIDI). Finally, we compared the FOR and SAIDI results obtained from our formal CCD-based reliability analysis with the corresponding ones using MATLAB based on Monte-Carlo Simulation (MCS), the HiP-HOPS software tool, and the Failure Mode Reasoning (FMR) approach. As future work, we plan to integrate Reliability Block Diagrams (RBDs) [41] as reliability functions in the CCD analysis, which will enable us to analyze hierarchical systems with different component success configurations, based on our CCD formalization in the HOL4 theorem prover.
References
[1] X. Fang, S. Misra, G. Xue, and D. Yang, “Smart Grid—The New and Improved Power Grid: A Survey,” IEEE Communications Surveys & Tutorials, vol. 14, no. 4, pp. 944–980, 2011.
[2] M. Rahman, “Power Electronics and Drive Applications for the Automotive Industry,” in Conference on Power Electronics Systems and Applications. IEEE, 2004, pp. 156–164.
[3] J. D. Andrews and L. M. Ridley, “Reliability of Sequential Systems Using the Cause—Consequence Diagram Method,” Part E: Journal of Process Mechanical Engineering, vol. 215, no. 3, pp. 207–220, 2001.
[4] M. Towhidnejad, D. R. Wallace, and A. M. Gallo, “Fault Tree Analysis for Software Design,” in NASA Goddard Software Engineering Workshop, 2002, pp. 24–29.
[5] I. A. Papazoglou, “Mathematical Foundations of Event Trees,” Reliability Engineering & System Safety, vol. 61, no. 3, pp. 169–183, 1998.
[6] O. Bäckström, Y. Butkova, H. Hermanns, J. Krčál, and P. Krčál, “Effective Static and Dynamic Fault Tree Analysis,” in Computer Safety, Reliability, and Security, ser. LNCS, vol. 9922. Springer, 2016, pp. 266–280.
[7] Y. Papadopoulos, M. Walker, D. Parker, E. Rüde, R. Hamann, A. Uhlig, U. Grätz, and R. Lien, “Engineering Failure Analysis and Design Optimisation with HiP-HOPS,” Engineering Failure Analysis, vol. 18, no. 2, pp. 590–608, 2011.
[8] HiP-HOPS, 2020. [Online]. Available: https://hip-hops.co.uk/
[9] S. Kabir, K. Aslansefat, I. Sorokos, Y. Papadopoulos, and Y. Gheraibia, “A Conceptual Framework to Incorporate Complex Basic Events in HiP-HOPS,” in Model-Based Safety and Assessment, ser. LNCS, vol. 11842. Springer, 2019, pp. 109–124.
[10] H. Jahanian, “Failure Mode Reasoning,” in International Conference on System Reliability and Safety. IEEE, 2019, pp. 295–303.
[11] H. Jahanian, D. Parker, M. Zeller, A. McIver, and Y. Papadopoulos, “Failure Mode Reasoning in Model Based Safety Analysis,” 2020. [Online]. Available: https://arxiv.org/abs/2005.06279
[12] M. Čepin, Assessment of Power System Reliability: Methods and Applications. Springer Science & Business Media, 2011.
[13] T. Liu, J. Tong, and J. Zhao, “Probabilistic Risk Assessment Framework Development for Nuclear Power Plant,” in International Conference on Industrial Engineering and Engineering Management. IEEE, 2008, pp. 1330–1334.
[14] J. D. Andrews and L. M. Ridley, “Application of the Cause-Consequence Diagram Method to Static Systems,” Reliability Engineering & System Safety, vol. 75, no. 1, pp. 47–58, 2002.
[15] L. M. Ridley, “Dependency Modelling Using Fault-Tree and Cause-Consequence Analysis,” Ph.D. dissertation, Loughborough University, UK, 2000.
[16] M. Bevilacqua, M. Braglia, and R. Gabbrielli, “Monte Carlo Simulation Approach for a Modified FMECA in a Power Plant,” Quality and Reliability Engineering International, vol. 16, no. 4, pp. 313–324, 2000.
[17] R. E. Mackiewicz, “Overview of IEC 61850 and Benefits,” in Power Engineering Society General Meeting. IEEE, 2006, pp. 623–630.
[18] B. Gallina, E. Gómez-Martínez, and C. B. Earle, “Deriving Safety Case Fragments for Assessing MBASafe's Compliance with EN 50128,” in Conference on Software Process Improvement and Capability Determination. Springer, 2016, pp. 3–16.
[19] R. Palin, D. Ward, I. Habli, and R. Rivett, “ISO 26262 Safety Cases: Compliance and Assurance,” in Conference on System Safety, 2011, pp. 1–6.
[20] O. Hasan and S. Tahar, “Formal Verification Methods,” in Encyclopedia of Information Science and Technology, Third Edition. IGI Global, 2015, pp. 7162–7170.
[21] HOL Theorem Prover, 2020. [Online]. Available: https://hol-theorem-prover.org
[22] J. J. Grainger and W. D. Stevenson, Power System Analysis. McGraw-Hill, 2003.
[23] F. Ortmeier, W. Reif, and G. Schellhorn, “Deductive Cause-Consequence Analysis,” IFAC Proceedings Volumes
[24] ∼modelcheck/smv.html
[25] D. Miller and G. Nadathur, Programming with Higher-Order Logic. Cambridge University Press, 2012.
[26] W. Ahmad and O. Hasan, “Towards Formal Fault Tree Analysis Using Theorem Proving,” in Intelligent Computer Mathematics, ser. LNCS, vol. 9150. Springer, 2015, pp. 39–54.
[27] Y. Elderhalli, O. Hasan, and S. Tahar, “A Methodology for the Formal Verification of Dynamic Fault Trees using HOL Theorem Proving,” IEEE Access, vol. 7, pp. 136176–136192, 2019.
[28] M. Abdelghany, W. Ahmad, and S. Tahar, “A Formally Verified HOL4 Algebra for Event Trees,” 2020. [Online]. Available: http://arxiv.org/abs/2004.14384
[29] O. Hasan, N. Abbasi, B. Akbarpour, S. Tahar, and R. Akbarpour, “Formal Reasoning About Expectation Properties for Continuous Random Variables,” in Formal Methods, ser. LNCS, vol. 5850. Springer, 2009, pp. 435–450.
[30] G. Vyzaite, S. Dunnett, and J. Andrews, “Cause-Consequence Analysis of Non-Repairable Phased Missions,” Reliability Engineering & System Safety, vol. 91, no. 4, pp. 398–406, 2006.
[31] H. Xu and J. Dugan, “Combining Dynamic Fault Trees and Event Trees for Probabilistic Risk Assessment,” in Symposium Reliability and Maintainability. IEEE, 2004, pp. 214–219.
[32] L. R. Olsen, J. A. Kay, and M. Van Krey, “Enhanced Safety Features in Motor Control Centers and Drives for Diagnostics and Troubleshooting,” in IAS Electrical Safety. IEEE, 2015, pp. 1–9.
[33] M. Abdelghany, “Cause-Consequence Diagrams Formalization in HOL4,” 2020. [Online]. Available: https://github.com/hvg-concordia/CCD
[34] R. N. Allan, Reliability Evaluation of Power Systems. Springer Science & Business Media, 2013.
[35] G. Bhatt and S. Affijulla, “Analysis of Large Scale PV Penetration Impact on IEEE 39-Bus Power System,” in Riga Technical University Conference on Power and Electrical Engineering. IEEE, 2017, pp. 1–6.
[36] D. Gan, R. J. Thomas, and R. D. Zimmerman, “Stability-Constrained Optimal Power Flow,” IEEE Transactions on Power Systems, vol. 15, no. 2, pp. 535–540, 2000.
[37] A. Alferidi and R. Karki, “Development of Probabilistic Reliability Models of Photo-Voltaic System Topologies for System Adequacy Evaluation,” Applied Sciences, vol. 7, no. 2, p. 176, 2017.
[38] W. Li et al., Reliability Assessment of Electric Power Systems Using Monte Carlo Methods. Springer Science & Business Media, 2013.
[39] G. J. Anders and A. Vaccaro, Innovations in Power Systems Reliability. Springer, 2011.
[40] A. K. Pradhan, S. K. Kar, P. Dash et al., “Implementation of Monte Carlo Simulation to the Distribution Network for Its Reliability Assessment,” in Innovation in Electrical Power Engineering, Communication, and Computing Technology. Springer, 2020, pp. 219–228.
[41] W. Ahmed, O. Hasan, and S. Tahar, “Formalization of Reliability Block Diagrams in Higher-Order Logic,”