Fault tree and reliability analysis by Olmos, Jaime & Wolf Lothar
MITNE-209
A MODULAR APPROACH TO FAULT TREE
AND RELIABILITY ANALYSIS
by
Jaime Olmos
Lothar Wolf
August 1977
DEPARTMENT OF NUCLEAR ENGINEERING
MASSACHUSETTS INSTITUTE OF TECHNOLOGY
Cambridge, Massachusetts 02139
ABSTRACT
An analytical method to describe fault tree diagrams in
terms of their modular composition is developed. Fault tree
structures are characterized by recursively relating the top
tree event to all its basic component inputs through a set of
equations defining each of the modules for the fault tree. It
is shown that such a modular description is an extremely
valuable tool for making a quantitative analysis of fault trees.

The modularization methodology has been implemented into
the PL-MOD computer code, written in PL/1 language, which is
capable of modularizing fault trees containing replicated
components and replicated modular gates. PL-MOD in addition can
handle mutually exclusive inputs and explicit higher order
symmetric (k-out-of-n) gates.

The step-by-step modularization of fault trees performed
by PL-MOD is demonstrated and it is shown how this procedure
is only made possible through an extensive use of the list
processing tools available in PL/1.

A number of nuclear reactor safety system fault trees
were analyzed. PL-MOD performed the modularization and
evaluation of the modular occurrence probabilities and Vesely-Fussell
importance measures for these systems very efficiently. In
particular its execution time for the modularization of a PWR
High Pressure Injection System reduced fault tree was 25 times
faster than that necessary to generate its equivalent minimal
cut-set description using MOCUS, a code considered to be fast
by present standards.

Inquiries about this research and for the computer program
should be directed to the second author at MIT.
TABLE OF CONTENTS
ABSTRACT
LIST OF ILLUSTRATIONS
LIST OF TABLES
ACKNOWLEDGEMENTS
INTRODUCTION
CHAPTER 1: FAULT TREE AND RELIABILITY ANALYSIS CONCEPTS AND METHODS
1.1 Introduction
1.2 Fault Tree Analysis
1.3 Coherent Structure Theory
  1.3.1 Dual Coherent Structures
  1.3.2 Minimal Cut-Set and Path-Set Representation of Coherent Structures
  1.3.3 Simple and Higher Order Coherent Structure Gates
1.4 Probabilistic Evaluation of Fault Trees
1.5 Importance Measures for System Components and Fault Tree Events
  1.5.1 Structural Importance
  1.5.2 Birnbaum's Importance
  1.5.3 Criticality Importance
  1.5.4 Vesely-Fussell Importance
1.6 Methods for the Generation of a Minimal Cut-Set or Path-Set Fault Tree Description
  1.6.1 MOCUS
  1.6.2 TREEL & MICSUP
1.7 Methods for the Manipulation of Boolean Equations Describing a Fault Tree
  1.7.1 SETS
  1.7.2 BAM
1.8 Reliability Calculations by a Pattern Recognition Method
1.9 The IMPORTANCE Computer Program
CHAPTER 2: MODULAR REPRESENTATION OF FAULT TREES
2.1 Introduction
2.2 Modular Decomposition of Coherent Systems
2.3 The Finest Modular Representation
2.4 Reliability Evaluation of Modularized Fault Trees
2.5 Reliability Importance of Modules
  2.5.1 Summary of Reliability Importance Measures
  2.5.2 The Birnbaum and Criticality Measures of Importance for Modules
  2.5.3 The Vesely-Fussell Importance Measure for Modules
  2.5.4 Evaluation of the Vesely-Fussell Importance Measures for a Modularized Fault Tree
CHAPTER 3: PL-MOD: A FAULT TREE MODULARIZATION COMPUTER PROGRAM WRITTEN IN PL/1
3.1 Introduction
3.2 Algorithm for the Modular Decomposition of Fault Trees
3.3 PL/1 Language Features Used for the Representation and Modularization of Fault Trees
  3.3.1 Introduction
  3.3.2 Structure Variables
  3.3.3 Pointers, Based and Controlled Variables
  3.3.4 The Refer Option for Based Variables
  3.3.5 Bit String Variables
3.4 Definition and Organization of the PROCEDURES Used in PL-MOD for the Modularization of Fault Trees
3.5 The Pressure Tank Rupture Fault Tree Example
3.6 INITIAL and TREE-IN
3.7 COALESCE
3.8 MODULA
3.9 BOOLEAN and SYMM
  3.9.1 Description of Higher Order Modules by Means of PROP, PER and VECTOR Structures
  3.9.2 Procedure SYMM
  3.9.3 Procedure BOOLEAN
3.10 TRAVEL and TRAPEL
3.11 Replicated Modules
3.12 Dual State Replicated Components
3.13 NUMERO
  3.13.1 PL-MOD's Quantitative Analysis of Modularized Fault Trees
  3.13.2 STAT-IN
3.14 DOTPLUS and MINUP
3.15 EXPECT
3.16 IMPORTANCE
CHAPTER 4: NUCLEAR REACTOR SAFETY SYSTEM FAULT TREE EXAMPLES
4.1 Introduction
4.2 TRIGA Scram Circuit
4.3 Standby Protective Circuit
4.4 High Pressure Injection System for a Pressurized Water Reactor
CHAPTER 5: CONCLUSIONS AND RECOMMENDATIONS
5.1 Summary and Conclusions
5.2 Recommendations for Future Work
REFERENCES
APPENDIX: PL-MOD's Input and Output Description
LIST OF ILLUSTRATIONS
1.1 Standby Protective Circuit Diagram
1.2 Fault Tree for Standby Protective Circuit
1.3 Fault Tree Symbols
1.4 Fault Tree Example I
1.5 Higher Order Structures for a Set of Three Inputs
1.6 Dual Fault Tree for Example I
1.7 EXCLUSIVE OR-Gate and SPECIAL Gates Available in SETS
1.8 Fault Tree Including Mutually Exclusive Maintenance Events
1.9 Representation of an Event B, Dependent on the Occurrence of Event A
1.10 Representation of an Event C Dependent on the Occurrence of Events B and A
1.11 Fault Tree Including Common Mode Event A
1.12 Fault Tree Example II in Binary Gate Form
1.13 Fault Tree Example II in its Ordered Form
1.14 Equivalent Binary Tree Patterns
1.15 PAT-REC's Library of Patterns Stored in a Tree-like Form
1.16 Final Ordered Form for Fault Tree Example II
1.17 Fault Tree Dependencies Reduced Out When y = 0 or y = 1
2.1 Simple Sub-tree I with no Replications
2.2 Finest Modular Representation of Sample Sub-tree I
2.3 Sample Sub-tree II with Replications
2.4 Finest Modular Representation of Sample Sub-tree II
2.5 AND-Gate Super-module
2.6 OR-Gate Super-module
2.7 Higher Order Prime Gate Super-module
3.1 Fault Tree Modularization Algorithm Flow Chart
3.2 Fault Tree NODES
3.3 Fault Tree NODE.ROOTS
3.4 Fault Tree Node Interconnections
3.5 Fault Tree Bottom Branch Gate Nodes
3.6 Coalesced Gateless Nodes
3.7 Modularized Gateless Nodes
3.8 Interdependent Nodes in Temporary Nested Module Form
3.9 Complete Set of Nested Sub-Modules
3.10 Modular Minimal Cut-set Representation
3.11 Symmetric Modularized Gate
3.12 Modularized Gates as Super-Components
3.13 Fault Tree in Binary Gate Form
3.14 Sample Gate Node
3.15 Interdependent Gate Interconnections
3.16 Transfer of Gate Interconnections
3.17 Internal Gate Interconnections
3.18 Boolean Vector Representation
3.19 Pressure Tank Example
3.20 Pressure Tank Rupture Fault Tree
3.21 Simple PROP Structures
3.22 Symmetric Higher Order Modules
3.23 Simple Gate Module
3.24 Higher Order Module
3.25 Explicitly Symmetric Modular Gate
3.26 Symmetric Higher Order Modules
3.27 Pressure Tank Fault Tree with Gates G4, G5, G9 Modularized
3.28 Pressure Tank Fault Tree with Gates G4, G5, G9 Modularized and G1, G2, G3 Coalesced
3.29 Ordering of PROP Structure Allocations for a Higher Order Module
3.30 Higher Order Modular Composition for the Pressure Tank Fault Tree
3.31 OR-Parent Gate Higher Order Module Example I
3.32 AND-Parent Gate Higher Order Module Example II
3.33 Replicated Leaf Associated with a Module
3.34 Dual Component States
3.35 Interdependent Gates due to Mutually Exclusive States
3.36 Simple Gate Modular Occurrence Probabilities
3.37 Prime Gate Modular Occurrence Probability
4.1 TRIGA Scram Circuit Diagram
4.2 TRIGA Scram Fault Tree
4.3 HPIS Simplified System Diagram
4.4 HPIS Reduced Fault Tree
4.5 "Empty" Nested AND Gate
A.1 SAMPLE Problem Fault Tree
LIST OF TABLES
1.1 Minimal Cut-Sets for the SPC Fault Tree
1.2 SPC Modularized Minimal Cut-Sets
1.3 Canonical Expansion for C1 U C2
1.4 Canonical Expansion for C1 U (C2 ∩ C3)
1.5 Canonical Expansion for Fault Tree with Maintenance Events
1.6 Basic Event Importance Measures Computed by the IMPORTANCE Code
3.1 Pressure Tank Rupture Fault Tree Failure Probability Data
3.2 Replicated Event Nomenclature
4.1 Triga Scram Circuit Basic Event Data
4.2 Occurrence Probabilities and V.F. Importance Values for the Triga Scram Circuit
4.3 Standby Protective Circuit Data
4.4 Unavailabilities and Vesely-Fussell Importance Values for SPC Fault Tree
4.5 PWR System Identification Code
4.6 Component Code
4.7 Failure Mode Code
4.8 HPIS Reduced Fault Tree Basic Event Data
4.9 HPIS Reduced Fault Tree Minimal Cut-Set Boolean Matrix
4.10 HPIS Reduced Fault Tree Modular Components
4.11 HPIS Reduced Fault Tree Modular Unavailabilities
4.12 HPIS Reduced Fault Tree Vesely-Fussell Modular Importances
A-1 Sample Problem Input
A-2 Sample Problem Output
ACKNOWLEDGEMENTS
The work summarized in this report was partly performed
under the auspices of the U.S. Nuclear Regulatory Commission.
We are especially indebted to Dr. William E. Vesely,
Special Assistant for Methodology at NRC, for providing the
financial support.
In addition, we express our sincere appreciation to
Professor Norman C. Rasmussen for his useful criticism,
suggestions and for his guidance and interest in this research.
The authors wish to thank Rachel Morton who, with her
limitless patience, helped to unravel the intricacies of the
PL/1 programming and the compiler at MIT-IPC.
INTRODUCTION
The objective of this research has been to develop and
implement the modularization technique for the analysis of
operating systems modeled by means of fault trees, and to
apply this methodology to safety systems commonly found in
nuclear reactors.

In the past the usual approach has been to describe the
structure of a fault tree in terms of the minimal sets of basic
event failures (cut-sets) causing overall system failure.
However, since for complex systems a complete enumeration of the
minimal cut-sets is not feasible, it is common practice to
generate only the dominant contributor cut-sets, i.e., single,
double and triple event fault cut-sets.

Figures 1.1 and 1.2 show the system and fault tree diagrams
for a Standby Protective Circuit (SPC) found in reactor safety
systems [6]. Inspection of the fault tree demonstrates that it
is composed of 29 event inputs and 19 gates. In Table 1.1 a
list is provided of the 100 minimal cut-sets associated with
the SPC fault tree.

A closer scrutiny of the SPC fault tree diagram and minimal
cut-set table indicates that certain classes of minimal cut-sets
are closely associated to each other. Thus for example, if gate
G8 is thought of as a super-component (i.e., a module) given by

G8 = {C17, C18, C19, C20, C21, C22; U}

[Figure 1.1: Standby Protective Circuit for Comparison Studies. Legend:
F - Inline Fuse; TS - Test switches - used monthly test;
LS - Level switch - tested yearly; MS - Manual switch - tested monthly;
PS - Pressure switch - tested yearly]

[Figure 1.2: Fault Tree for Standby Protection Circuit]

TABLE 1.1
MINIMAL CUT-SETS FOR THE S.P.C. FAULT TREE

SINGLE CUT-SETS
 1) C10          2) C3           3) C11          4) C12
 5) C13          6) C16          7) C2           8) C15

DOUBLE CUT-SETS
 1) C17,C1       2) C17,C14      3) C18,C1       4) C18,C14
 5) C19,C1       6) C19,C14      7) C21,C1       8) C21,C14
 9) C20,C1      10) C20,C14     11) C22,C1      12) C22,C14

TRIPLE CUT-SETS
 1) C4,C5,C6     2) C7,C5,C6     3) C4,C8,C6     4) C7,C8,C6
 5) C17,C25,C24  6) C4,C5,C9     7) C18,C25,C24  8) C19,C25,C24
 9) C7,C5,C9    10) C21,C25,C24 11) C20,C25,C24 12) C22,C25,C24
13) C17,C27,C24 14) C4,C8,C9    15) C18,C27,C24 16) C19,C27,C24
17) C21,C27,C24 18) C7,C8,C9    19) C20,C27,C24 20) C22,C27,C24
21) C17,C25,C26 22) C17,C25,C28 23) C17,C25,C29 24) C18,C25,C26
25) C18,C25,C28 26) C18,C25,C29 27) C19,C25,C26 28) C19,C25,C28
29) C19,C25,C29 30) C21,C25,C26 31) C21,C25,C28 32) C21,C25,C29
33) C20,C25,C26 34) C20,C25,C28 35) C20,C25,C29 36) C22,C25,C26
37) C22,C25,C28 38) C22,C25,C29 39) C17,C27,C26 40) C17,C27,C28
41) C17,C27,C29 42) C18,C27,C26 43) C18,C27,C28 44) C18,C27,C29
45) C19,C27,C26 46) C19,C27,C28 47) C19,C27,C29 48) C21,C27,C26
49) C21,C27,C28 50) C21,C27,C29 51) C20,C27,C26 52) C20,C27,C28
53) C20,C27,C29 54) C22,C27,C26 55) C22,C27,C28 56) C22,C27,C29
57) C17,C23,C26 58) C17,C23,C28 59) C18,C23,C26 60) C18,C23,C28
61) C19,C23,C26 62) C19,C23,C28 63) C21,C23,C26 64) C21,C23,C28
65) C20,C23,C26 66) C20,C23,C28 67) C22,C23,C26 68) C22,C23,C28
69) C17,C29,C26 70) C17,C29,C28 71) C18,C29,C26 72) C18,C29,C28
73) C19,C29,C26 74) C19,C29,C28 75) C21,C29,C26 76) C21,C29,C28
77) C20,C29,C26 78) C20,C29,C28 79) C22,C29,C26 80) C22,C29,C28

TABLE 1.2
MODULARIZED MINIMAL CUT-SETS
G8 = {C17, C18, C19, C20, C21; U}

Cut-sets
 1) (G8,C1)
 2) (G8,C14)
 3) (G8,C25,C24)
 4) (G8,C25,C26)
 5) (G8,C27,C24)
 6) (G8,C25,C28)
 7) (G8,C25,C29)
 8) (G8,C27,C26)
 9) (G8,C27,C28)
10) (G8,C27,C29)
11) (G8,C23,C26)
12) (G8,C23,C28)
13) (G8,C29,C26)
14) (G8,C29,C28)

it becomes clear that for every minimal cut-set containing
component C17, five other similar cut-sets may be found with
component C18, C19, C20, C21, or C22 replacing component C17, e.g.
(C17,C1), (C18,C1), (C19,C1), (C20,C1), (C21,C1), (C22,C1). In
fact by modularizing gate G8, 14 groups of similar cut-sets
will be found. Therefore, as shown in Table 1.2, by keeping
track of the cut-sets affected by the modularization of gate G8,
the listing of 84 different minimal cut-sets becomes unnecessary
for describing the SPC fault tree structure.
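
The collapse from Table 1.1 to Table 1.2 can be reproduced mechanically. The Python sketch below is an added example, not part of the report or of PL-MOD: the function names are hypothetical, and the cut-sets are transcribed from Table 1.1 as component numbers.

```python
from collections import defaultdict

# Minimal cut-sets of the SPC fault tree, transcribed from Table 1.1 as
# component numbers (C17 -> 17). Double cut-set 10 and triple cut-set 69 are
# read here as (C20,C14) and (C17,C29,C26), an assumption about the scan.
TABLE_1_1 = """
10; 3; 11; 12; 13; 16; 2; 15;
17 1; 17 14; 18 1; 18 14; 19 1; 19 14;
21 1; 21 14; 20 1; 20 14; 22 1; 22 14;
4 5 6; 7 5 6; 4 8 6; 7 8 6; 17 25 24; 4 5 9; 18 25 24; 19 25 24;
7 5 9; 21 25 24; 20 25 24; 22 25 24; 17 27 24; 4 8 9; 18 27 24;
19 27 24; 21 27 24; 7 8 9; 20 27 24; 22 27 24;
17 25 26; 17 25 28; 17 25 29; 18 25 26; 18 25 28; 18 25 29;
19 25 26; 19 25 28; 19 25 29; 21 25 26; 21 25 28; 21 25 29;
20 25 26; 20 25 28; 20 25 29; 22 25 26; 22 25 28; 22 25 29;
17 27 26; 17 27 28; 17 27 29; 18 27 26; 18 27 28; 18 27 29;
19 27 26; 19 27 28; 19 27 29; 21 27 26; 21 27 28; 21 27 29;
20 27 26; 20 27 28; 20 27 29; 22 27 26; 22 27 28; 22 27 29;
17 23 26; 17 23 28; 18 23 26; 18 23 28; 19 23 26; 19 23 28;
21 23 26; 21 23 28; 20 23 26; 20 23 28; 22 23 26; 22 23 28;
17 29 26; 17 29 28; 18 29 26; 18 29 28; 19 29 26; 19 29 28;
21 29 26; 21 29 28; 20 29 26; 20 29 28; 22 29 26; 22 29 28;
"""


def parse(table):
    """Turn the ';'-separated listing into a list of frozensets."""
    entries = table.replace("\n", " ").split(";")
    return [frozenset(int(c) for c in e.split()) for e in entries if e.strip()]


def modularize(cut_sets, members, name):
    """Replace the inputs of an OR-gate module by one super-component.

    Every cut-set that contains a member is grouped by what remains once the
    member is removed. The substitution is accepted only if each group holds
    one cut-set per member; otherwise `members` does not act on the rest of
    the tree as a single super-component and ValueError is raised.
    """
    members = frozenset(members)
    untouched, groups = [], defaultdict(set)
    for cs in cut_sets:
        hit = cs & members
        if not hit:
            untouched.append(cs)
        elif len(hit) == 1:
            groups[cs - members] |= hit
        else:
            raise ValueError(f"cut-set {sorted(cs)} holds several members")
    for rest, seen in groups.items():
        if seen != members:
            raise ValueError(f"group {sorted(rest)} lacks {sorted(members - seen)}")
    return untouched + [rest | {name} for rest in groups]


G8 = {17, 18, 19, 20, 21, 22}
SPC = parse(TABLE_1_1)
REDUCED = modularize(SPC, G8, "G8")

if __name__ == "__main__":
    with_g8 = [cs for cs in REDUCED if "G8" in cs]
    print(len(SPC), "cut-sets ->", len(REDUCED), "of which", len(with_g8), "contain G8")
```
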

It is clear then that there are advantages to be gained by
using the modularization procedure to describe fault trees as
illustrated by the above example. In this thesis, the formalism
necessary to characterize fault trees in terms of their modular
structures shall be presented. The methodology adopted by
the computer program PL-MOD in order to implement a modular
approach to fault tree and reliability analysis will also be
discussed.

The organization of the thesis is as follows:

Chapter One consists of a summary of the concepts used
and of the methods devised for the safety and reliability
analysis of operating systems by the fault tree technique. The
structural relationship between a system and its components
shall be defined in terms of a deterministic coherent structure
function, while the reliability of a system will be determined
as a function of the probabilistic reliabilities of its
components.

Coherent structure function relationships will be shown
to be describable by means of minimal cut-set and path-set
representations and by Boolean algebra and truth-table methods.

Since the exact computation of the system reliability
parameters is in general too difficult, appropriate bounds
will be given which can be easily computed. Also, probabilistic
importance measures will be introduced for the purpose of
numerically ranking the various sets of fault events leading to
the occurrence of the top event in order of their significance.

Chapter Two deals with the means by which the structural
as well as the probabilistic analysis of fault trees may be
accomplished in terms of a modular tree description.

A module is defined to be a set of components behaving as
a super-component, i.e., the set affects the overall system
performance only through the operational state of the
super-component. Modules will be classified into "simple" (AND and OR)
gate modules and higher order "prime" gate modules describable
by a set of Boolean state vector equations. Exact expressions
as well as bounds will be given for the probability of
occurrence ("reliability") and importance value of a modular gate
event, and it will be shown how these quantities of interest
can be straightforwardly computed.

In Chapter Three the computer program PL-MOD written in
PL-1 language will be described. It will be shown how to
implement an algorithm for the modularization of fault trees
directly from their diagram description. The procedure which
is to accomplish this task was only made possible by an
extensive use of a number of unique tools available in PL-1, among
them the options to use dynamical variables, based
structures, pointers, bit-string variables, Boolean operations and
functions, etc.

In Chapter IV, results are presented for the analysis
performed by PL-MOD on a number of nuclear reactor safety system
fault trees, namely: a Triga Scram Circuit, a Standby
Protective Circuit and a PWR High Pressure Coolant Injection System.
The performance of the PL-MOD code is assessed with these
examples and the advantages of modularizing large fault trees
instead of generating their minimal cut-set event description
are demonstrated.

In Chapter V the modular approach developed throughout
this thesis is summarized and a discussion is given of further
possible extensions to the PL-MOD computer code.

CHAPTER ONE
FAULT TREE AND RELIABILITY ANALYSIS CONCEPTS AND METHODS
1.1. Introduction
Fault tree analysis is one of the principal methods to
analyze safety systems. It is a valuable tool for identifying
potential accidents in a system design, and for predicting
the most likely causes of system failure in the event of
system breakdown [3].

In this chapter the basic concepts necessary for the
structural analysis and probabilistic evaluation of fault trees are
presented. In addition a review is given of the current methods
used to analyze the logical structure of a fault tree diagram
and for making a quantitative assessment of the reliability
characteristics of safety systems modeled by fault trees.

1.2. Fault Tree Analysis

Fault tree analysis is a systematic procedure used to
identify and record the various combinations of component fault
states and other events that can result in a predefined
undesired state of a system [9]. Fault trees are schematically
represented by a logic diagram in which the various component
failures and fault events combine through a set of logical
gate operators leading to the top tree event defined as an
undesired state of the system.

The term event denotes a dynamical change of state
occurring to a system element or to a set of system elements [3].

The symbols shown in Figure 1.3 represent the different
types of tree events and logical gate operators commonly found
in fault trees. In addition to the usual AND and OR gate
operators, the less often used NOT gate operator has been
included. A fault tree example is given in Figure 1.4 which
will be used throughout to illustrate some of the concepts
and methods dealt with in this chapter. Notice that for the
example I fault tree the basic fault events 3 and 7 are twice
replicated in the fault tree.

The following definitions will be used to develop the
subject of fault tree analysis [7].

Branch: When a fault event is further developed, the
sub-tree which results is called a branch. Thus, for the fault
tree example I, a branch corresponds to each intermediate
gate event E2, E3, E4, E5, E6, E7, E8.

Gate Domain: The set of all basic events that logically
interact to produce an intermediate gate event is defined to
be the domain for the intermediate gate.

Independent Gate Branch: If the domain of an intermediate
gate is disjoint from the rest of the branches found elsewhere
in the tree, then it is called an independent gate branch.
Thus, for fault tree example I only gate events E4 and E5 are
independent branches since they include no basic event
replicated elsewhere in the fault tree.

Module: Since an independent gate branch does not
contain in its domain any basic events appearing elsewhere in
the tree, then the effect that these basic events have on the
event is only through the functional state (failed or unfailed)
of the gate event for the branch. Hence, it interacts with the
rest of the tree as a super-component which in the context of
coherent structure theory is equivalent to a module. Thus,
for fault tree example I gates E4 and E5 correspond to modules
M4, M5 given by

M5 = {8, 9; U}
M4 = {1, 2, M5; ∩}

where U = event union (OR) operator and
∩ = event intersection (AND) operator.

It should be mentioned here that since both basic events
and complete fault trees are fully characterized, as far as
the tree logic is concerned, by being either in a failed or
unfailed functional state, they therefore may also be
considered to be modules.

[FIGURE 1.3: FAULT TREE SYMBOLS (primary input event, undeveloped event,
intermediate event, transfers, and gate symbols including the NOT gate)]

[FIGURE 1.4: FAULT TREE EXAMPLE I]

1.3. Coherent Structure Theory
Let $N = (C_1, C_2, \ldots, C_n)$ be a set of basic events, and let

$$y_i = \begin{cases} 1 & \text{if basic event } i \text{ has occurred} \\ 0 & \text{otherwise} \end{cases} \qquad (1.1)$$

Then $Y^N = (y_1, y_2, \ldots, y_n)$ defines the vector of basic event
outcomes, and the Boolean structure function [1] $\phi(Y^N)$
determines the overall state of the system, i.e.

$$\phi(Y^N) = \begin{cases} 1 & \text{if the TOP event occurs} \\ 0 & \text{otherwise} \end{cases} \qquad (1.2)$$

Consider the basic AND and OR logic gates operating on
the set N of inputs. The structure function representing an
AND gate is given by

$$\phi_{AND}(Y^N) = y_1 y_2 \cdots y_n = \prod_{i=1}^{n} y_i \qquad (1.3)$$

while an OR gate is represented by

$$\phi_{OR}(Y^N) = 1 - \prod_{i=1}^{n} (1 - y_i) \qquad (1.4)$$

In general a Boolean structure function will define a
coherent system provided

(a) $\phi(Y^N)$ is an increasing function of each basic event
Boolean indicator $y_i$, i.e.,

$$\phi(y_1, y_2, \ldots, y_i = 0, \ldots, y_n) \le \phi(y_1, y_2, \ldots, y_i = 1, \ldots, y_n) \qquad (1.5)$$

(b) each basic event is relevant to the outcome, i.e.,
no basic event Boolean indicator $y_i$ exists such that

$$\phi(y_1, y_2, \ldots, y_i = 0, \ldots, y_n) = \phi(y_1, y_2, \ldots, y_i = 1, \ldots, y_n)$$

for all values of $y_j$ $(j = 1, 2, \ldots, i-1, i+1, \ldots, n)$.

Using the following notational convention

$$\phi(y_1, \ldots, y_i = 1, \ldots, y_n) = \phi(1_i, Y), \qquad \phi(y_1, \ldots, y_i = 0, \ldots, y_n) = \phi(0_i, Y)$$

conditions (a) and (b) may be rewritten as

(a) $\phi(0_i, Y) \le \phi(1_i, Y)$ for all $(i, Y)$ (1.7)

and (b) $\phi(0_i, Y) \ne \phi(1_i, Y)$ for some $(i, Y)$ (1.8)

with $(i, Y)$ representing any of the $2^{n-1}$ vectors
$(y_1, y_2, \ldots, y_i \text{ fixed}, y_{i+1}, \ldots, y_n)$.

It should be pointed out that fault tree diagrams which
include the NOT gate operator do not obey condition (a) and
are therefore represented by a Boolean function which is not
coherent. Thus, a single event $y_i$ operated by a NOT gate will
be given by

$$\phi_{NOT}(y_i) = 1 - y_i \qquad (1.9)$$

with

$$\phi_{NOT}(0) = 1 > \phi_{NOT}(1) = 0 \qquad (1.10)$$

1.3.1. Dual Coherent Structures

A fault tree used for studying a safety system will have
as its top event an overall system malfunction. However, for
reliability considerations one may be interested in modeling
the system with a diagram showing the occurrence of an unfailed
functional state as its top event. Such a diagram may be
easily obtained from the original fault tree by replacing its
OR gates by AND gates and vice versa, and by replacing
all basic event failures by the non-occurrence of such faults.
The resulting diagram is called a dual fault tree.

In terms of coherent structures, the Boolean function
describing a dual fault tree will be given by

$$\phi^D(Y') = 1 - \phi(1 - Y')$$

with $\phi$ associated with the original tree, $Y'$ representing the
Boolean vector of basic success events and
$1 - Y' = (1 - y'_1, 1 - y'_2, \ldots, 1 - y'_n)$.

Thus, as expected, AND gate structure functions will be
dual to OR gates and vice versa since

$$\phi^D_{AND}(Y') = 1 - \phi_{AND}(1 - Y') = 1 - (1 - y'_1)(1 - y'_2) \cdots (1 - y'_n) = \phi_{OR}(Y') \qquad (1.12)$$

and

$$\phi^D_{OR}(Y') = 1 - \phi_{OR}(1 - Y') = 1 - \left(1 - (1 - 1 + y'_1) \cdots (1 - 1 + y'_n)\right) = \phi_{AND}(Y') \qquad (1.13)$$

1.3.2. Minimal Cut-Set and Path-Set Representations of
Coherent Structures

A cut-set is a group of basic fault events whose occurrence
will cause the top tree fault event to occur, while a
path-set is a group of basic fault events whose non-occurrence will
insure the non-occurrence of the top tree fault event.
Furthermore a cut-set (or path-set) is minimal if it cannot be further
reduced and still remain a cut-set (or path-set).

As may be verified the minimal cut-sets corresponding to
fault tree example I are

K1 = (3,6,7)
K2 = (4,5,6,7)
K3 = (1,2,5,6,7,8)
K4 = (1,2,5,6,7,9)

From this, the minimal path-sets may now be derived by taking
minimal groups of elements $P_j$ such that no minimal cut-set
may be found which contains no element in the group $P_j$. Thus,
for example element 7 by itself forms a minimal path-set since
it is found in all the minimal cut-sets K1, K2, K3, K4. Hence
P1 = (7). Similarly, the remaining minimal path-sets for the
fault tree may be deduced to be

P2 = (6)
P3 = (3,5)
P4 = (2,3,4)
P5 = (1,3,4)
P6 = (3,4,8,9)

Given the complete set of minimal cut-sets $K_j$ $(j = 1, 2, \ldots, t)$
for a fault tree, its coherent structure may be expressed
in terms of a set of minimal cut-set structure functions
defined by

$$\kappa_j = \prod_{i \in K_j} y_i, \qquad j = 1, \ldots, t \qquad (1.14)$$

as follows

$$\phi(Y^N) = 1 - \prod_{j=1}^{t} (1 - \kappa_j) = \coprod_{j=1}^{t} \kappa_j \qquad (1.15)$$

Should all elements in a min cut-set $K_j$ fail (i.e., $y_i = 1$
for all $i \in K_j$) then $\kappa_j = 1 \Rightarrow \phi = 1$.

In a similar way the coherent structure for a fault tree
may be expressed in terms of its min path-set structure
functions defined by

$$\rho_j = 1 - \prod_{i \in P_j} (1 - y_i), \qquad j = 1, 2, \ldots, h \qquad (1.16)$$

as

$$\phi(Y^N) = \prod_{j=1}^{h} \rho_j \qquad (1.17)$$

Should all elements in a min path-set not fail (i.e., $y_i = 0$
for all $i \in P_j$) then $\rho_j = 0 \Rightarrow \phi = 0$.

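
As an added illustration (not code from the report or from PL-MOD), the Python sketch below derives the minimal path-sets of fault tree example I from its minimal cut-sets as minimal hitting sets, using Berge's incremental algorithm as one possible method, and then checks that Equations (1.15) and (1.17) give the same structure function on every state vector. It goes beyond the single case in the text in that it works for any list of minimal cut-sets; function names are hypothetical.

```python
from itertools import product
from math import prod


def minimal_hitting_sets(family):
    """Minimal sets that share at least one element with every set in `family`.

    Applied to minimal cut-sets this yields the minimal path-sets, and applied
    to minimal path-sets it yields the minimal cut-sets back (duality).
    """
    current = {frozenset()}
    for target in family:
        extended = set()
        for h in current:
            if h & target:                       # already intersects this set
                extended.add(h)
            else:                                # extend by each of its elements
                extended.update(h | {e} for e in target)
        # keep only the minimal candidates
        current = {h for h in extended if not any(o < h for o in extended)}
    return current


def phi_cut(y, cut_sets):
    """Eq. (1.15): 1 - prod_j (1 - prod_{i in K_j} y_i)."""
    return 1 - prod(1 - prod(y[i] for i in K) for K in cut_sets)


def phi_path(y, path_sets):
    """Eq. (1.17): prod_j (1 - prod_{i in P_j} (1 - y_i))."""
    return prod(1 - prod(1 - y[i] for i in P) for P in path_sets)


def forms_agree(cut_sets, path_sets):
    """True when both representations agree on all 2^n state vectors."""
    events = sorted(set().union(*cut_sets, *path_sets))
    for bits in product((0, 1), repeat=len(events)):
        y = dict(zip(events, bits))
        if phi_cut(y, cut_sets) != phi_path(y, path_sets):
            return False
    return True


# Minimal cut-sets K1..K4 of fault tree example I, as listed above.
EXAMPLE_I_CUTS = [frozenset(k) for k in
                  ((3, 6, 7), (4, 5, 6, 7), (1, 2, 5, 6, 7, 8), (1, 2, 5, 6, 7, 9))]
EXAMPLE_I_PATHS = minimal_hitting_sets(EXAMPLE_I_CUTS)

if __name__ == "__main__":
    for p in sorted(EXAMPLE_I_PATHS, key=lambda s: (len(s), sorted(s))):
        print(sorted(p))
    print("forms agree:", forms_agree(EXAMPLE_I_CUTS, EXAMPLE_I_PATHS))
```
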
1.3.3. Simple and Higher Order Coherent Structure Gates
The minimal cut-set representation for an AND gate
structure consists of a single cut-set

$$K = (C_1, C_2, \ldots, C_n) \qquad (1.18)$$

with $C_i$ denoting the i-th event input to the AND gate, hence

$$\phi_{AND} = \kappa = \prod_{i=1}^{n} y_i \qquad (1.19)$$

Similarly the minimal path-set representation for an OR gate
structure consists of a single path-set

$$P = (C_1, C_2, \ldots, C_n) \qquad (1.20)$$

hence

$$\phi_{OR} = \rho = \coprod_{i=1}^{n} y_i \qquad (1.21)$$

Because of their simple cut-set and path-set
representation, AND and OR gates are named 'simple' coherent structure
gates. It is possible however to define other gates $\alpha(Y^N)$
which operate on the set of Boolean indicator inputs
$(y_1, y_2, \ldots, y_n)$ by characterizing them in terms of two or more
minimal cut-sets or path-sets. Such gates are defined to be higher order
gate structures. Thus for example given a set of three basic
events $(C_1, C_2, C_3)$, the following higher order gates may be
defined (Figure 1.5)

$\alpha_1$: $(C_1)$, $(C_2, C_3)$
$\alpha_2$: $(C_1, C_2)$, $(C_2, C_3)$ (1.22)
$\alpha_3$: $(C_1, C_2)$, $(C_1, C_3)$, $(C_2, C_3)$

[FIGURE 1.5: HIGHER ORDER STRUCTURES FOR A SET OF THREE INPUTS
(gates $\alpha_1$, $\alpha_2$, $\alpha_3$)]

Each of the above gates exemplifies the different
characteristics that a higher order gate structure $\alpha(Y^N)$ operating on
a set of events $(C_1, C_2, \ldots, C_n)$ may have. Thus, since for
gate $\alpha_1$ its two cut-sets are disjoint, a fault tree diagram
including no replicated events may be drawn which represents
the gate. Furthermore $\alpha_1$ may be decomposed into two disjoint
coherent structures $\phi_1$, $\phi_2$ as

$$\alpha_1 = 1 - (1 - \phi_1)(1 - \phi_2) \quad \text{with } \phi_1 = y_1 \text{ and } \phi_2 = y_2 y_3.$$

In Chapter Two it will be shown that such a decomposition
amounts to the modularization of a fault tree.

Both gates $\alpha_2$ and $\alpha_3$ do not contain any minimal cut-set
which is disjoint from the others defining the gate structure.
As a result such higher order structures will be called 'prime'
gates since they do not allow for any further structural
decomposition. If a higher order prime gate is represented by an
equivalent diagram of AND and OR gates, then the gate at the
top of the diagram is named the parent gate for the higher
order structure.

Gate $\alpha_3$ is called symmetric since the order of its inputs
does not alter its structure, i.e.

$$\alpha_3(y_1, y_2, y_3) = \alpha_3(y_1, y_3, y_2) = \alpha_3(y_3, y_2, y_1) = \alpha_3(y_2, y_1, y_3) = \alpha_3(y_2, y_3, y_1) = \alpha_3(y_3, y_1, y_2) \qquad (1.20)$$

Symmetric gates are in fact completely defined by specifying
the number k out of the n basic events necessary to cause
the gate event to occur (k-out-of-n). In contrast gate $\alpha_2$ is
an asymmetric prime gate requiring its full min cut-set
listing for its definition.

In terms of a higher order structure, fault tree example
I is given by
TOP: (C3, M1)
     (C4, C5, M1)
     (M2, M1)       (1.21)
with 04 - - 7 2, . ' , = y. y2 0= (M2 l 2 l 1 2 2 8-y)(l-y 9
and $M_1 = y_6 y_7$
1.4. Probabilistic Evaluation of Fault Trees
Given a coherent structure function $\phi(Y^N)$ which relates
the occurrence of a top event to a set $(C_1, C_2, \ldots, C_n)$ of basic
event occurrences, each represented by a Boolean indicator
variable $y_i$ $(i = 1, 2, \ldots, n)$ in the coherent structure expression,
it should be possible to find the probability of occurrence
for the TOP event, P(TOP), as a function of the occurrence
probabilities for each basic event $P_i$ $(i = 1, 2, \ldots, n)$.

Formally, the occurrence probability for event $C_i$ is
obtained by applying the expectation value operator E to the
Boolean variable $y_i$, i.e.,

$$P_i = E(y_i) = P(y_i = 1) \qquad (1.22)$$

Similarly, for the coherent structure $\phi(Y^N)$ the TOP event
occurrence P(TOP) is given by

$$P(TOP) = E\,\phi(Y^N) = P(\phi(Y^N) = 1) \qquad (1.23)$$

Assuming all basic event probabilities to be
statistically independent it is possible to express P(TOP) as

$$P(TOP) = P(\phi = 1) = h(\mathbf{P}) \qquad (1.24)$$

with $\mathbf{P} = (P_1, P_2, \ldots, P_n)$.

$h(\mathbf{P})$ is commonly referred to as the reliability
function by coherent structure theorists [1]. It must be realized
however that when the coherent structure represents a fault
tree, $h(\mathbf{P})$ measures the unreliability of a system defined as
the probability that the system is in a failed state.

In general the occurrence probability $P_i$ for each basic
fault event input will be a time dependent function, i.e., $P_i(t)$.
For these cases one is interested, in addition to finding the
unreliability of the system as a function of time, in evaluating
the asymptotic system unavailability given by

$$U = \lim_{t \to \infty} h(\mathbf{P}(t)) = h(\mathbf{u}) \qquad (1.25)$$

with $\mathbf{u} = (u_1, u_2, \ldots, u_n)$ measuring the unavailability for
component i, i.e. $u_i = \lim_{t \to \infty} P_i(t)$.

By using a minimal cut-set or path-set representation
for the coherent structure function (Equations 1.15 and 1.17)
$h(\mathbf{P})$ may be computed as

$$h(\mathbf{P}) = E\Big(\coprod_{j=1}^{t} \prod_{i \in K_j} y_i\Big) = E\Big(\prod_{j=1}^{h} \coprod_{i \in P_j} y_i\Big) \qquad (1.26)$$

However since in general a basic event may appear in
more than one min cut-set (or path-set) it follows that the
probability of occurrence for a min cut-set (or path-set)
event is not statistically independent of the other min
cut-sets (or path-sets) defining the structure. Hence, the
expectation value operator does not commute with the first
($\coprod$ and $\prod$) operators indicated in Equation (1.26).
To illustrate this, consider the coherent structure example
$\alpha_2$ given in Equation (1.22).

$$\alpha_2 = \coprod_{j=1}^{2} \prod_{i \in K_j} y_i = \prod_{j=1}^{2} \coprod_{i \in P_j} y_i \qquad (1.27)$$

with $K_1 = (C_1, C_2)$, $K_2 = (C_2, C_3)$ and $P_1 = (C_2)$, $P_2 = (C_1, C_3)$.
$\alpha_2(y_1, y_2, y_3)$ will be given by either of the following
two expressions

$$\alpha_2 = 1 - (1 - y_1 y_2)(1 - y_2 y_3) \quad \text{(cut-sets)} \qquad (1.28)$$

$$\alpha_2 = y_2 \left(1 - (1 - y_1)(1 - y_3)\right) \quad \text{(path-sets)} \qquad (1.29)$$

Since a Boolean variable $y_i$ may only equal 0 or 1,
then the idempotency rule applies, i.e., $y_i^2 = y_i$. Hence
Equations (1.28) and (1.29) further reduce to

$$\alpha_2 = 1 - (1 - y_1 y_2 - y_2 y_3 + y_1 y_2 y_3)$$

and

$$\alpha_2 = y_2 - y_2 (1 + y_1 y_3 - y_1 - y_3) \qquad (1.30)$$

therefore

$$\alpha_2 = y_1 y_2 + y_2 y_3 - y_1 y_2 y_3 \qquad (1.31)$$

and

$$E\,\alpha_2 = P_1 P_2 + P_2 P_3 - P_1 P_2 P_3 \qquad (1.32)$$

however

$$E\,\alpha_2 \ne \coprod_{j=1}^{2} \prod_{i \in K_j} E(y_i) = P_1 P_2 + P_2 P_3 - P_1 P_2^2 P_3 \qquad (1.33)$$

Thus, in general

$$h(\mathbf{P}) \ne \coprod_{j=1}^{t} \prod_{i \in K_j} P_i \quad \text{and} \quad h(\mathbf{P}) \ne \prod_{j=1}^{h} \coprod_{i \in P_j} P_i.$$

Esary and Proschan [8] have nevertheless proved that
the above expressions give an upper and lower bound for $h(\mathbf{P})$,
i.e.

$$\prod_{j=1}^{h} \coprod_{i \in P_j} P_i \le P(TOP) = h(\mathbf{P}) \le \coprod_{j=1}^{t} \prod_{i \in K_j} P_i \qquad (1.34)$$

These bounds are known respectively as the minimal cut upper
bound and minimal path lower bound.

The minimal cut upper bound may be further simplified
by making a first order expansion of the full expression
yielding

$$h(\mathbf{P}) \le \sum_{j=1}^{t} \prod_{i \in K_j} P_i \qquad (1.35)$$

which is the rare-event approximation to the minimal cut
upper bound and neglects the simultaneous occurrence of
minimal cut-sets. For values of $P_i < 10^{-2}$ Equation (1.35)
may be safely used.

I.5. Importance Measures for System Components and Fault
Tree Events
Given a system made up by a network of components
which performs a specific task or function, as a result of
the system's structural arrangement only, some components
will be more critical than others to the functioning of the
system. Moreover a component's reliability will also be a
factor in assessing its importance in determining the overall
functional state of the system.
I.5.1. Structural Importance
The importance of a component purely by virtue of the
role it plays in a system's structure, characterized by the
coherent structure $\phi(\mathbf{Y})$, may be measured by

    $I^{S}(i) = \sum_{\mathbf{Y},\ y_i\ \mathrm{fixed}} [\phi(1_i, \mathbf{Y}) - \phi(0_i, \mathbf{Y})]$    (1.36)

By fixing the value of Boolean variable $y_i$, $2^{n-1}$ possible
state vectors $(y_1, y_2, \ldots, y_{i-1}, y_i\ \mathrm{fixed}, y_{i+1}, \ldots, y_n)$ may
be found. For each such vector the i-th event will be critical
to the overall state of the system if
$\phi(1_i, \mathbf{Y}) = 1$ and $\phi(0_i, \mathbf{Y}) = 0$, i.e.

    $\phi(1_i, \mathbf{Y}) - \phi(0_i, \mathbf{Y}) = 1$    (1.37)

Hence the structural importance $I^{S}(i)$ will rank each basic
event i according to the number of critical state vectors
that may be associated with the event.
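I.5.2. Birnbaum's Importance
In terms of $\phi(1_i, \mathbf{Y})$ and $\phi(0_i, \mathbf{Y})$, the coherent
structure function $\phi(\mathbf{Y})$ is given by

    $\phi(\mathbf{Y}) = y_i\, \phi(1_i, \mathbf{Y}) + (1 - y_i)\, \phi(0_i, \mathbf{Y})$    (1.38)

as may be verified since $\phi(0_i, \mathbf{Y}) = (0)\, \phi(1_i, \mathbf{Y}) + (1 - 0)\, \phi(0_i, \mathbf{Y})$
and $\phi(1_i, \mathbf{Y}) = (1)\, \phi(1_i, \mathbf{Y}) + (1 - 1)\, \phi(0_i, \mathbf{Y})$. Therefore by
applying the expectation value operator E to equation (1.38)
$h(\mathbf{P})$ will be found to be given by

    $h(\mathbf{P}) = E\, \phi(\mathbf{Y}) = (E y_i)(E \phi(1_i, \mathbf{Y})) + (1 - E y_i)(E \phi(0_i, \mathbf{Y}))$
    $\Rightarrow h(\mathbf{P}) = P_i\, h(1_i, \mathbf{P}) + (1 - P_i)\, h(0_i, \mathbf{P})$    $(i = 1, 2, \ldots, n)$    (1.39)

Birnbaum's importance measure for event i is defined to be
the partial derivative of $h(\mathbf{P})$ with respect to $P_i$, i.e.,

    $I_i^{B} = \frac{\partial h(\mathbf{P})}{\partial P_i} = h(1_i, \mathbf{P}) - h(0_i, \mathbf{P})$    (1.40)

It is seen from Equation (1.40) that the Birnbaum importance
for event i is independent of its occurrence probability $P_i$.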
I.5.3. Criticality Importance
The criticality importance for fault tree event i
is defined as the probability that event i is in a failed
state and at the same time is critical to the system's failure
given that the system has failed, i.e.

    $I_i^{Cr} = \frac{P_i\, (h(1_i, \mathbf{P}) - h(0_i, \mathbf{P}))}{h(\mathbf{P})}$    (1.41)

I.5.4. Vesely-Fussell Importance
The failure of a component $c_i$ will contribute to
system failure provided at least one min cut-set containing
$c_i$ has failed. Hence, the probability for the occurrence of
the union event of all minimal cut-sets containing $c_i$ will
measure the contribution of the component to the system's
failure, i.e.,

    $P\Big(\bigcup_{j,\ i \in K_j} K_j\Big) = P(X_K^i(\mathbf{Y}) = 1)$    (1.42)

where $X_K^i(\mathbf{Y})$ is the Boolean indicator function for the union
of all cut set functions containing Boolean variable $y_i$, thus

    $X_K^i(\mathbf{Y}) = \coprod_{j=1}^{N_K^i} \prod_{\ell \in K_j,\ i \in K_j} y_\ell$    (1.43)

with $N_K^i$ the total number of min cut-sets containing the ith
component.
The Vesely-Fussell importance measure [10] is defined
as the probability that component $c_i$ contributes to system
failure given that the system has failed, hence

    $I_i^{V.F.} = \frac{h_K^i(\mathbf{P})}{h(\mathbf{P})}$    (1.44)

with

    $h_K^i(\mathbf{P}) = E X_K^i(\mathbf{Y}) = P(X_K^i(\mathbf{Y}) = 1)$    (1.45)

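The Vesely-Fussell and criticality importance measures
differ from each other in that component $c_i$ will contribute
to a system's failure and still not be critical to the system
if at least two minimal cut-sets have failed, one containing
$c_i$ and another one not containing $c_i$. Nevertheless, as shown
below, if the minimal cut upper bound is used in the rare
event approximation form to evaluate both $h_K^i(\mathbf{P})$ and $h(\mathbf{P})$,
then the value obtained for both importance measures will
coincide

    $h_K^i(\mathbf{P}) \approx \sum_{j=1}^{N_K^i} \prod_{\ell \in K_j,\ i \in K_j} P_\ell$    (1.46)

and

    $h(\mathbf{P}) \approx \sum_{j=1}^{N} \prod_{\ell \in K_j} P_\ell$    (1.47)

hence

    $I_i^{V.F.} = \frac{h_K^i(\mathbf{P})}{h(\mathbf{P})} \approx \frac{\sum_{j=1}^{N_K^i} \prod_{\ell \in K_j,\ i \in K_j} P_\ell}{\sum_{j=1}^{N} \prod_{\ell \in K_j} P_\ell}$    (1.48)

at the same time

    $h(\mathbf{P}) \approx \sum_{j=1}^{N - N_K^i} \prod_{\ell \in K_j,\ i \notin K_j} P_\ell + \sum_{j=1}^{N_K^i} \prod_{\ell \in K_j,\ i \in K_j} P_\ell$

therefore

    $h(1_i, \mathbf{P}) \approx \sum_{j=1}^{N - N_K^i} \prod_{\ell \in K_j,\ i \notin K_j} P_\ell + \sum_{j=1}^{N_K^i} (1) \prod_{\ell \in K_j,\ i \in K_j,\ \ell \neq i} P_\ell$

and

    $h(0_i, \mathbf{P}) \approx \sum_{j=1}^{N - N_K^i} \prod_{\ell \in K_j,\ i \notin K_j} P_\ell + \sum_{j=1}^{N_K^i} (0) \prod_{\ell \in K_j,\ i \in K_j,\ \ell \neq i} P_\ell = \sum_{j=1}^{N - N_K^i} \prod_{\ell \in K_j,\ i \notin K_j} P_\ell$    (1.49)

Hence

    $I_i^{Cr} = \frac{P_i\, (h(1_i, \mathbf{P}) - h(0_i, \mathbf{P}))}{h(\mathbf{P})} \approx \frac{P_i \sum_{j=1}^{N_K^i} \prod_{\ell \in K_j,\ i \in K_j,\ \ell \neq i} P_\ell}{\sum_{j=1}^{N} \prod_{\ell \in K_j} P_\ell}$    (1.50)

Thus comparing Equations (1.48) and (1.50) it is found
that

    $I_i^{Cr} = I_i^{V.F.}$    (1.51)

in the rare-event approximation.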
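The bounds of Equation (1.34) and the importance measures of section I.5, evaluated on the two-cut-set structure used above (K1 = (C1, C2), K2 = (C2, C3)). This is an added example, not code from the report; the function names and the probabilities P are assumptions made for illustration.

```python
from math import prod

# Example structure from the text: K1 = (C1, C2), K2 = (C2, C3); P1 = (C2), P2 = (C1, C3).
CUT_SETS = [frozenset({1, 2}), frozenset({2, 3})]
PATH_SETS = [frozenset({2}), frozenset({1, 3})]
# Constructed occurrence probabilities P_i (assumption, not taken from the report).
P = {1: 0.1, 2: 0.2, 3: 0.3}


def phi(cut_sets, y):
    """Structure function: 1 if every event of at least one min cut-set has occurred."""
    return int(any(all(y[i] for i in k) for k in cut_sets))


def h_exact(cut_sets, p, fixed=None):
    """Exact h(P): pivot on each event in turn, Eq. (1.39), until all are fixed."""
    fixed = dict(fixed or {})
    free = [i for i in sorted(p) if i not in fixed]
    if not free:
        return float(phi(cut_sets, fixed))
    i = free[0]
    return (p[i] * h_exact(cut_sets, p, {**fixed, i: 1})
            + (1 - p[i]) * h_exact(cut_sets, p, {**fixed, i: 0}))


def coprod(values):
    """The inverted-pi operator: 1 - prod(1 - v)."""
    return 1 - prod(1 - v for v in values)


def min_cut_upper_bound(cut_sets, p):       # right-hand side of Eq. (1.34)
    return coprod(prod(p[i] for i in k) for k in cut_sets)


def min_path_lower_bound(path_sets, p):     # left-hand side of Eq. (1.34)
    return prod(coprod(p[i] for i in ps) for ps in path_sets)


def rare_event(cut_sets, p):                # Eq. (1.35)
    return sum(prod(p[i] for i in k) for k in cut_sets)


def birnbaum(cut_sets, p, i):               # Eq. (1.40)
    return h_exact(cut_sets, p, {i: 1}) - h_exact(cut_sets, p, {i: 0})


def criticality(cut_sets, p, i):            # Eq. (1.41)
    return p[i] * birnbaum(cut_sets, p, i) / h_exact(cut_sets, p)


def vesely_fussell(cut_sets, p, i):         # Eq. (1.44), exact h on both sides
    containing = [k for k in cut_sets if i in k]
    return h_exact(containing, p) / h_exact(cut_sets, p)


def rare_event_importance(cut_sets, p, i):  # common value of Eqs. (1.48) and (1.50)
    containing = [k for k in cut_sets if i in k]
    return rare_event(containing, p) / rare_event(cut_sets, p)


if __name__ == "__main__":
    print("path lower bound :", min_path_lower_bound(PATH_SETS, P))
    print("exact h(P)       :", h_exact(CUT_SETS, P))
    print("cut upper bound  :", min_cut_upper_bound(CUT_SETS, P))
    print("rare event       :", rare_event(CUT_SETS, P))
    for i in sorted(P):
        print(i, "Birnbaum", birnbaum(CUT_SETS, P, i),
              "Cr", criticality(CUT_SETS, P, i),
              "V.F.", vesely_fussell(CUT_SETS, P, i),
              "rare-event", rare_event_importance(CUT_SETS, P, i))
```

For event 1 the exact Vesely-Fussell value exceeds the exact criticality value, because event 1 still counts as contributing when the other cut-set has failed as well. Here the two path sets share no event, so the minimal path lower bound equals the exact value.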
I.6. Methods for the Generation of a Minimal Cut-Set or
Path Set Fault Tree Description
For a large fault tree made up of hundreds of logical
gates and basic events, its total number of min cut-sets can
easily amount to thousands of cut-sets. Therefore a computer
program will be needed even to generate the minimal cut-sets
which contribute the most to system failure [22] (i.e., single,
double and triple fault cut-sets).
Computer programs MOCUS [9], TREEL and MICSUP [16]
implement two different algorithms for the generation of a
fault tree's minimal cut-sets. Both algorithms are based on
the fact that AND gates increase the size of a cut-set while
OR gates increase the number of cut-sets in a fault tree. Both
MOCUS and TREEL & MICSUP were written in FORTRAN and are
restricted to fault tree diagrams operated by AND and OR gates
only. Thus NOT gates are not allowed by either of the two
codes.
I.6.1. MOCUS
Computer program MOCUS [9] was written to replace
PREP [23] as a minimal cut-set generator for computer programs
KITT-1 and KITT-2 which evaluate time dependent fault trees in
the framework of Kinetic Tree Theory [23]. As shown in Chapter
IV for the particular case of a Standby Protective Circuit, it
is a considerable improvement over PREP's deterministic minimal
cut-set generation option COMBO. COMBO determines the minimal
cut-sets for a fault tree by considering a combination of fault
events at a time and testing if the fault tree logic implies
that the combination considered causes the occurrence of the
TOP tree event.
The algorithm used by MOCUS starts with the TOP event
of the fault tree and proceeds, by successive substitution of
gate equations, to move down the tree until only basic events
remain in the list of possible TOP tree event occurrence causes.
For fault tree example I the process takes the following
form
STEP 1   G1
STEP 2   G2, G3
STEP 3   G4, G3
         G6, G3
STEP 4   G4, 6, 7, G8
         G6, 6, 7, G8
STEP 5   1, 2, G5, 6, 7, G8
         3, 6, 7, G8
         G7, 6, 7, G8
STEP 6   1, 2, 8, 6, 7, G8
         1, 2, 9, 6, 7, G8
         3, 6, 7, G8
         7, 4, 6, 7, G8
STEP 7   1, 2, 8, 6, 7, 5
         1, 2, 8, 6, 7, 3
         1, 2, 9, 6, 7, 5
         1, 2, 9, 6, 7, 3
         3, 6, 7, 5
         3, 6, 7, 3
         4, 6, 7, 5
         4, 6, 7, 3
Thus, the idea of the algorithm is to replace each
gate by its input gates and basic events until a list matrix
is constructed, all of whose entries are basic events. Each
time an OR gate is substituted, rows are added to the matrix,
while a substituted AND gate results in the addition of elements
to an existing row.
The cut-sets obtained this way are called Boolean
Indicated Cut-Sets (BICS). For fault tree example I its list
of BICS will be
BICS
(i)     1, 2, 5, 6, 7, 8    minimal
(ii)    1, 2, 3, 6, 7, 8    non-minimal
(iii)   1, 2, 5, 6, 7, 9    minimal
(iv)    1, 2, 3, 6, 7, 9    non-minimal
(v)     3, 5, 6, 7          non-minimal
(vi)    3, 6, 7             minimal
(vii)   4, 5, 6, 7          minimal
(viii)  3, 4, 6, 7          non-minimal
If a fault tree contains replicated events then its
set of BICS will include certain cut-sets which are not
minimal. The minimal cut-sets (MICS) are obtained by discarding
those rows which are non-minimal since they are super-sets
for another row in the list. For fault tree example I the
second, fourth, fifth and eighth rows are supersets for the
cut-set given in the sixth row (3,6,7). Hence they must be
discarded in order to obtain a list of MICS for the fault tree
MICS
1, 2, 5, 6, 7, 8
1, 2, 5, 6, 7, 9
3, 6, 7
4, 5, 6, 7
The minimal path sets for a given fault tree may be
easily obtained by applying the same algorithm to its dual
fault tree. Thus, for fault tree example I, MOCUS will find
its min path sets by applying the algorithm to the tree
diagram shown in Figure 1.6 as follows
STEP 1   G1
STEP 2   G2
         G3
STEP 3   G4, G6
         6
         7
         G8
STEP 4   1, G6
         2, G6
         G5, G6
         6
         7
         5, 3
STEP 5   1, 3, G7
         2, 3, G7
         8, 9, 3, G7
         6
         7
         5, 3
STEP 6   1, 3, 4
         1, 3, 7
         2, 3, 4
         2, 3, 7
         8, 9, 3, 4
         8, 9, 3, 7
         6
         7
         3, 5
FIGURE 1.6 DUAL FAULT TREE FOR EXAMPLE I
Again here since the second, fourth and sixth rows
are supersets to minimal path set (7), they must be discarded to
obtain the set of minimal path-sets for the original fault tree
1, 3, 4
2, 3, 4
3, 4, 8, 9
3, 5
6
7
I.6.2. TREEL & MICSUP
The minimal cut-set upward algorithm [16] program
obtains minimal cut-sets starting with the lowest level gate
basic inputs and working upward to the TOP tree event. TREEL
is a preprocessing program needed to execute MICSUP. TREEL
transforms the tree into a form convenient for computer
analysis, checks for possible errors in the tree construction and
provides the number and maximum size for the Boolean Indicated
Cut-sets and Path Sets. These numbers are useful since they
provide an upper bound on the number and size of minimal
cut-sets and path sets which characterize the fault tree, hence on
that basis the user may decide to have MICSUP determine either
a minimal cut-set or path-set description for the fault tree.
The algorithm used in MICSUP was given by Chatterjee
[6]. As mentioned earlier it starts out with lowest level gates
defined to be those gates which have basic event inputs only.
The minimal cut-sets for these gates are found and are
substituted as a representation for these gates. The procedure is
repeated with those gates directly attached to the lowest level
gates and so on, until the Boolean indicated cut-sets are found
for the top event.
For fault tree example I the procedure takes the
following form
STEP 1   G5:  8
              9
         G7:  4, 7
         G8:  3
              5
STEP 2   G4:  1, 2, 8
              1, 2, 9
         G6:  3
              4, 7
         G3:  6, 7, 3
              6, 7, 5
STEP 3   G2:  1, 2, 8
              1, 2, 9
              3
              4, 7
         G3:  6, 7, 3
              6, 7, 5
STEP 4   G1:  1, 2, 8, 6, 7, 3
              1, 2, 8, 6, 7, 5
              1, 2, 9, 6, 7, 3
              1, 2, 9, 6, 7, 5
              3, 6, 7
              3, 6, 7, 5
              4, 7, 6, 3
              4, 7, 6, 5
therefore the BICS for the top event are
1, 2, 3, 6, 7, 8    non-minimal
1, 2, 5, 6, 7, 8    minimal
1, 2, 3, 6, 7, 9    non-minimal
1, 2, 5, 6, 7, 9    minimal
3, 5, 6, 7          non-minimal
3, 6, 7             minimal
3, 4, 6, 7          non-minimal
4, 5, 6, 7          minimal
yielding the expected TOP event MICS
1, 2, 5, 6, 7, 8
1, 2, 5, 6, 7, 9
3, 6, 7
4, 5, 6, 7
It should be noticed that in contrast to MOCUS, the
MICSUP algorithm offers the advantage of generating the BICS
for each gate in the tree. Therefore the minimal cut-set
composition for each sub-tree in the system will be obtained
by discarding at each level any non-minimal cut-sets that may
appear. As a result, for fault trees which include many event
replications, a significant reduction in storage requirements
will take place by discarding non-minimal BICS as soon as
they appear for an intermediate gate in the tree. In Chapter
III it will be shown that the computer program PL-MOD
modularizes fault trees by an algorithm similar to that used in MICSUP
in that it starts with the lowest level gates and proceeds
upwards to the top event. Hence an analogous advantage to that
cited for MICSUP will thereby apply for PL-MOD.
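The top-down substitution of section I.6.1 and the bottom-up procedure of section I.6.2, run on fault tree example I and on its dual. This is an added example, not the MOCUS or MICSUP FORTRAN code; the gate structure in TREE is inferred from the gate expansions printed above and is an assumption of the example, as are all function names. A memoized recursion stands in for the level-by-level upward sweep.

```python
from itertools import product

# Fault tree example I, structure inferred from the step lists on the page
# (assumption of this example). Gates are strings, basic events are integers.
TREE = {
    "G1": ("AND", ["G2", "G3"]),
    "G2": ("OR", ["G4", "G6"]),
    "G3": ("AND", [6, 7, "G8"]),
    "G4": ("AND", [1, 2, "G5"]),
    "G5": ("OR", [8, 9]),
    "G6": ("OR", [3, "G7"]),
    "G7": ("AND", [7, 4]),
    "G8": ("OR", [5, 3]),
}


def minimize(sets):
    """Discard every set that is a proper superset of another one (BICS -> MICS)."""
    unique = set(sets)
    kept = [s for s in unique if not any(other < s for other in unique)]
    return sorted(kept, key=lambda s: (len(s), sorted(s)))


def mocus(tree, top):
    """Top-down substitution: returns the Boolean indicated cut-sets of `top`."""
    rows = [[top]]
    while True:
        hit = next(((r, x) for r, row in enumerate(rows) for x in row if x in tree), None)
        if hit is None:                 # only basic events remain in every row
            return [frozenset(row) for row in rows]
        r, gate = hit
        kind, inputs = tree[gate]
        rest = [x for x in rows[r] if x != gate]
        if kind == "AND":               # AND gate: lengthen the existing row
            rows[r] = rest + inputs
        else:                           # OR gate: one new row per input
            rows[r:r + 1] = [rest + [inp] for inp in inputs]


def micsup(tree, top):
    """Bottom-up: minimal cut-sets of every gate under `top`, minimized gate by gate."""
    solved = {}

    def solve(node):
        if node not in tree:            # basic event
            return [frozenset([node])]
        if node not in solved:
            kind, inputs = tree[node]
            parts = [solve(inp) for inp in inputs]
            if kind == "OR":
                sets = [s for part in parts for s in part]
            else:
                sets = [frozenset().union(*combo) for combo in product(*parts)]
            solved[node] = minimize(sets)   # non-minimal sets never reach the parent
        return solved[node]

    solve(top)
    return solved


def dual(tree):
    """Dual fault tree: swap AND and OR; its cut-sets are the path sets of the original."""
    swap = {"AND": "OR", "OR": "AND"}
    return {gate: (swap[kind], inputs) for gate, (kind, inputs) in tree.items()}


if __name__ == "__main__":
    bics = mocus(TREE, "G1")
    print(len(bics), "BICS")
    print("MICS (MOCUS): ", [sorted(s) for s in minimize(bics)])
    print("MICS (MICSUP):", [sorted(s) for s in micsup(TREE, "G1")["G1"]])
    print("G2 alone:     ", [sorted(s) for s in micsup(TREE, "G1")["G2"]])
    print("path sets:    ", [sorted(s) for s in minimize(mocus(dual(TREE), "G1"))])
```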
I.7. Methods for the Manipulation of Boolean Equations
Describing a Fault Tree
In section I.3.2 coherent structure functions were
expressed in terms of their minimal cut-set description as

    $\phi(\mathbf{Y}^N) = \coprod_{j=1}^{t} k_j = \coprod_{j=1}^{t} \prod_{i \in K_j} y_i$    (1.52)

What this equation signifies is that the TOP event of a fault
tree is given by the union of all its minimal cut-set events
$K_i$ (i = 1,2,...,t), thus

    $\mathrm{TOP} = K_1 \cup K_2 \cup \ldots \cup K_t$    (1.53)

with
K i CC i ,,2  C C1,541
In section I.7.1 it will be discussed how the computer
program SETS [21] generates the set of Equations (1.54)
by a direct manipulation of the Boolean logic equations
describing a fault tree. A feature particular to SETS is that
in addition to the AND and OR gates commonly found in fault
trees, it can also handle NOT gates, EXCLUSIVE OR gates and
SPECIAL gates which are previously defined by the user in
terms of a specific set of Boolean equations.
In section I.7.2 the BAM [18] (Boolean Arithmetic
Model) computer program will be discussed, which evaluates the
TOP event occurrence probability

    $P(\mathrm{TOP}) = P(K_1 \cup K_2 \cup \ldots \cup K_t)$    (1.55)

by expanding the Boolean expression corresponding to the top
event in a series of mutually exclusive events. As will be
shown, such an expansion is only made possible by simultaneously
considering the set of basic events $(c_1, \ldots, c_n)$ as well as
their corresponding complement events $(\bar{c}_1, \bar{c}_2, \ldots, \bar{c}_n)$ obtained
by applying the complement (upper bar) operation to the original
basic events and defined by

    $c \cup \bar{c} = S$    (1.56)

where S = the universal set.
By including complement state events in its formalism,
BAM succeeds in incorporating dependent as well as mutually
exclusive events. As a result BAM is capable of computing
the unavailabilities for systems undergoing test and maintenance
procedures as well as for systems which are subject to common
mode failures.
I.7.1. SETS
The Set Equation Transformation System [21] symbolically
manipulates Boolean equations formed by a set of events
operated on by a particular set of union, intersection and
complement operators.
Given a fault tree, a Boolean equation is established
to represent each intermediate event as a function of its input
events. In addition to AND and OR gates, intermediate events
may also be related by EXCLUSIVE OR gates and SPECIAL gates
(Figure 1.7) to their inputs. For an EXCLUSIVE OR gate, its
output event will occur only if exactly one of the input events
occurs while the other inputs do not occur. Thus if the
EXCLUSIVE OR gate operates on two events $(c_1, c_2)$ then its output
is given by

    EXCLUSIVE OR $(c_1, c_2) = (c_1 \cap \bar{c}_2) \cup (\bar{c}_1 \cap c_2)$    (1.57)

FIGURE 1.7
EXCLUSIVE OR GATE AND SPECIAL GATES AVAILABLE IN SETS
Special gates are uniquely defined by a Boolean
equation provided by the user. Thus, if for example a SPECIAL
2-out-of-3 gate is wanted, then it must be defined by

    SPECIAL GATE $(c_1, c_2, c_3) = (c_1 \cap c_2) \cup (c_1 \cap c_3) \cup (c_2 \cap c_3)$    (1.58)

The computer program SETS offers the user the option
to develop the set of Boolean equations describing the fault
tree in such a way as to directly derive the set of "prime
implicants" [17] corresponding to any desired intermediate gate
event.
Each prime implicant for an intermediate gate will
correspond to one of its minimal cut-set events with the
restriction that there be no simultaneous occurrence of a basic
event ($c$) and its complement ($\bar{c}$) in the cut-set.
SETS derives the prime implicant description for an
intermediate gate by using a set of substitutions and
successively applying the distributive law

    $A \cap (B \cup C) = (A \cap B) \cup (A \cap C)$    (1.59)

Suppose for example that SETS has been commanded to
derive a representation for gate G2 of fault tree example I.
The following procedure would take place
STEP 1   $G2 = G4 \cup G6$
         $G4 = C1 \cap C2 \cap G5$,  $G5 = C8 \cup C9$
         $G6 = C3 \cup G7$,  $G7 = C7 \cap C4$
STEP 2   $G6 = C3 \cup (C7 \cap C4)$
         $G4 = C1 \cap C2 \cap (C8 \cup C9)$
STEP 3   $G2 = (C1 \cap C2 \cap (C8 \cup C9)) \cup (C3 \cup (C7 \cap C4))$
STEP 4   Apply distributive law (equation 1.59)
         $\Rightarrow G2 = (C1 \cap ((C2 \cap C8) \cup (C2 \cap C9))) \cup (C3) \cup (C7 \cap C4)$
         $G2 = (C1 \cap C2 \cap C8) \cup (C1 \cap C2 \cap C9) \cup (C3) \cup (C7 \cap C4)$
Hence the prime implicants (minimal cut-sets) for G2 are
K1 = (C1, C2, C8)
K2 = (C1, C2, C9)
K3 = (C3)
K4 = (C7, C4)
The above procedure is generally used to derive the prime
implicants for any fault tree, however the additional identities

    $C \cap C = C$,  $C \cap \bar{C} = \phi$ (empty set)    (1.60)

may sometimes be needed.
I.7.2. BAM
Computer program BAM [18] uses a Boolean algebra
minimization technique to find intermediate and top event logic
expressions from the input fault tree and calculates the point
unavailabilities associated with these events.
By including basic events (ON states) as well as
their respective complements (OFF states) BAM is able to
construct a truth table which describes each intermediate gate
event in the fault tree as the union of mutually exclusive (ON
and OFF) state events. Thus, for example consider an OR gate
operating on components (C1, C2).
Its coherent structure description will be (Equation 1.4)

    $\phi_{OR} = 1 - (1 - y_1)(1 - y_2)$    (1.61)

at the same time recall that (Equation 1.9)

    $\phi_{NOT}(y) = 1 - y$    (1.62)

hence

    $\phi_{OR} = \phi_{NOT}(\phi_{NOT}(y_1)\, \phi_{NOT}(y_2))$    (1.63)

The above equation may now be reexpressed in set theoretical
form by replacing AND, OR and NOT gates by union ($\cup$),
intersection ($\cap$) and complement (overbar) operations, thus

    $C_1 \cup C_2 = \overline{\bar{C}_1 \cap \bar{C}_2}$    (1.64)

Using now the identity

    $S = (C_1 \cap C_2) \cup (C_1 \cap \bar{C}_2) \cup (\bar{C}_1 \cap C_2) \cup (\bar{C}_1 \cap \bar{C}_2)$    (1.65)

with $S = C \cup \bar{C}$ the universal set, it follows that

    $C_1 \cup C_2 = (C_1 \cap C_2) \cup (C_1 \cap \bar{C}_2) \cup (\bar{C}_1 \cap C_2)$    (1.66)

which is the desired expansion, since all events given in the
right hand side of Equation (1.66) are mutually exclusive.
In Tables 1.3 and 1.4 the truth tables [18] associated
with the above logical expression $(C_1 \cup C_2)$ as well as $C_1 \cup (C_2 \cap \bar{C}_3)$
are given

    I                                II          III
    P-terms                          y1  y2      $C_1 \cup C_2$
    $C_1 \cap C_2$                   1   1       1
    $C_1 \cap \bar{C}_2$             1   0       1
    $\bar{C}_1 \cap C_2$             0   1       1
    $\bar{C}_1 \cap \bar{C}_2$       0   0       0

Table 1.3 Canonical Expansion for $C_1 \cup C_2$

In general the truth table for an expression consisting
of N distinct logical variables is expanded using $2^N$ P-terms.
Columns I and II are equivalent representations for each P-term
needed for a canonical expansion. Thus, Column II can be
derived from Column I by assigning a 1 value to ON states and
a 0 value to OFF states. The canonical expansion (Column III)
for a particular logical expression is then obtained by
performing for each row in the truth table a series of Boolean
arithmetic operations equivalent to the set of operations
indicated in the logical expression. Thus, $C_1 \cup C_2$ requires
only that variables $y_1$ and $y_2$ be added at each row. While
$C_1 \cup (C_2 \cap \bar{C}_3)$ requires the set of operations

    $C_1 \cup (C_2 \cap \bar{C}_3) = y_1 + (y_2 \cdot \bar{y}_3)$    (1.67)

    I                                              II              III
    P-terms                                        y1  y2  y3      $C_2 \cap \bar{C}_3$    $C_1 \cup (C_2 \cap \bar{C}_3)$
    $C_1 \cap C_2 \cap C_3$                        1   1   1       0                       1
    $C_1 \cap C_2 \cap \bar{C}_3$                  1   1   0       1                       1
    $C_1 \cap \bar{C}_2 \cap C_3$                  1   0   1       0                       1
    $C_1 \cap \bar{C}_2 \cap \bar{C}_3$            1   0   0       0                       1
    $\bar{C}_1 \cap C_2 \cap C_3$                  0   1   1       0                       0
    $\bar{C}_1 \cap C_2 \cap \bar{C}_3$            0   1   0       1                       1
    $\bar{C}_1 \cap \bar{C}_2 \cap C_3$            0   0   1       0                       0
    $\bar{C}_1 \cap \bar{C}_2 \cap \bar{C}_3$      0   0   0       0                       0

Table 1.4 Canonical Expansion for $C_1 \cup (C_2 \cap \bar{C}_3)$
It should be recalled that the following identities apply for
Boolean arithmetic variables
(1.68)
1 + 0 = 1
1 0 0
0 -0 =1
T= 0
Therefore the addition implied by $C_1 \cup C_2$ will result in

    1st row   1 + 1 = 1
    2nd row   1 + 0 = 1
    3rd row   0 + 1 = 1
    4th row   0 + 0 = 0

so as expected

    $C_1 \cup C_2 = (C_1 \cap C_2) \cup (C_1 \cap \bar{C}_2) \cup (\bar{C}_1 \cap C_2)$
    $\Rightarrow P(C_1 \cup C_2) = P(C_1 \cap C_2) + P(C_1 \cap \bar{C}_2) + P(\bar{C}_1 \cap C_2)$
    $\Rightarrow P(C_1 \cup C_2) = p_1 p_2 + p_1 (1 - p_2) + p_2 (1 - p_1)$
    $\Rightarrow P(C_1 \cup C_2) = -p_1 p_2 + p_1 + p_2$    (1.69)

Similarly for $C_1 \cup (C_2 \cap \bar{C}_3)$ each row is applied the operation
$y_1 + (y_2 \cdot \bar{y}_3)$.
Thus, it follows that

    1st row   $1 + (1 \cdot \bar{1}) = 1 + 0 = 1$
    2nd row   $1 + (1 \cdot \bar{0}) = 1 + 1 = 1$
    etc.

By inspection of Table 1.4 it is found that

    $P(C_1 \cup (C_2 \cap \bar{C}_3)) = p_1 p_2 p_3 + p_1 p_2 (1 - p_3) + p_1 (1 - p_2) p_3 + p_1 (1 - p_2)(1 - p_3) + (1 - p_1) p_2 (1 - p_3)$
    $\Rightarrow P(C_1 \cup (C_2 \cap \bar{C}_3)) = p_1 + p_2 - p_1 p_2 - p_2 p_3 + p_1 p_2 p_3$    (1.70)

The following examples illustrate how the BAM code is capable
of handling fault trees which include mutually exclusive events
and dependent failures.
Figure 1.8 depicts the fault tree for a system C, made up
of two sub-systems A and B each of which may not be functioning
due to either a hardware failure or because it is undergoing
maintenance. Events MA and MB should be mutually exclusive,
hence the appearance of complement events $\overline{MA}$ and $\overline{MB}$ in the
fault tree. Table 1.5 provides the truth table for the fault
tree.

FIGURE 1.8 Fault Tree Including Mutually Exclusive
Maintenance Events

TABLE 1.5
CANONICAL EXPRESSION FOR FAULT TREE WITH MAINTENANCE EVENTS

    C1  C2  C3  C4    $G2 = C_1 \cup (C_2 \cap \bar{C}_3)$    $G3 = C_4 \cup (C_3 \cap \bar{C}_2)$    $G1 = G2 \cap G3$
    y1  y2  y3  y4    $z_1 = y_1 + (y_2 \cdot \bar{y}_3)$     $z_2 = y_4 + (y_3 \cdot \bar{y}_2)$     $z = z_1 z_2$
    1   1   1   1     1                                       1                                       1
    1   1   0   1     1                                       1                                       1
    1   0   1   1     1                                       1                                       1
    1   0   0   1     1                                       1                                       1
    0   1   1   1     0                                       1                                       0
    0   1   0   1     1                                       1                                       1
    0   0   1   1     0                                       1                                       0
    0   0   0   1     0                                       1                                       0
    1   1   1   0     1                                       0                                       0
    1   1   0   0     1                                       0                                       0
    1   0   1   0     1                                       1                                       1
    1   0   0   0     1                                       0                                       0
    0   1   1   0     0                                       0                                       0
    0   1   0   0     1                                       0                                       0
    0   0   1   0     0                                       1                                       0
    0   0   0   0     0                                       0                                       0

Notice that even though

    $P(\mathrm{TOP}) \neq P(G2) \cdot P(G3)$    (1.71)

since gates G2 and G3 are interdependent, it is however
feasible to compute
P(TOP) = pp 4 + p p3 + p4p2  (1.72)
using the canonical expansion for G1 corresponding to
$z = z_1 z_2$.
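The canonical expansion of Tables 1.3 to 1.5 as code: each truth-table row is a mutually exclusive P-term, so the probability of any gate is the sum of the P-term probabilities for which its expression equals 1, even when G2 and G3 share events. This is an added example, not the BAM code; the function names and the probabilities in P are assumptions made for illustration.

```python
from itertools import product


def p_terms(n):
    """All 2**n ON/OFF state vectors, in the row order of Tables 1.3 and 1.4."""
    return list(product((1, 0), repeat=n))


def canonical_expansion(expr, n):
    """P-terms (rows) for which the Boolean expression evaluates to 1."""
    return [y for y in p_terms(n) if expr(*y)]


def probability(expr, p):
    """Sum of the probabilities of the mutually exclusive P-terms where expr = 1."""
    total = 0.0
    for y in canonical_expansion(expr, len(p)):
        term = 1.0
        for state, p_i in zip(y, p):
            term *= p_i if state else 1.0 - p_i   # ON state: p_i, OFF state: 1 - p_i
        total += term
    return total


# Gates of the maintenance example (Table 1.5). NOT is 1 - y, OR is |, AND is &.
def g2(y1, y2, y3, y4):
    return y1 | (y2 & (1 - y3))


def g3(y1, y2, y3, y4):
    return y4 | (y3 & (1 - y2))


def g1(y1, y2, y3, y4):
    return g2(y1, y2, y3, y4) & g3(y1, y2, y3, y4)


# Constructed probabilities p1..p4 (assumption, not taken from the report).
P = (0.1, 0.2, 0.3, 0.4)


if __name__ == "__main__":
    print("rows with z = 1:", canonical_expansion(g1, 4))
    print("P(TOP)        =", probability(g1, P))
    print("P(G2) * P(G3) =", probability(g2, P) * probability(g3, P))
```

With these inputs the product P(G2) P(G3) overstates P(TOP), which is the inequality (1.71).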
In Figure 1.9 an event B dependent on the occurrence of event
A is represented in terms of a tree logic diagram which includes
the events
    B/A = Event B given the occurrence of A
    B/$\bar{A}$ = Event B given the occurrence of $\bar{A}$
as

    $B = (A \cap B/A) \cup (\bar{A} \cap B/\bar{A})$    (1.73)

This representation is quite convenient for performing
quantitative evaluations of a fault tree which includes event B
since

    $P(A \cap B/A) = P(A) \cdot P(B/A)$
and $P(\bar{A} \cap B/\bar{A}) = P(\bar{A}) \cdot P(B/\bar{A})$    (1.74)

The above representation for an event dependent on the
occurrence of a single event has been generalized in BAM for the
case of events dependent on a multiple number of basic events
(Figure 1.10) as well as to common mode failures depicted as
a multiple set of events whose occurrence probability is
dependent on a common initiating event (Figure 1.11).

FIGURE 1.9 Representation of an Event B
Dependent on the Occurrence of Event A
FIGURE 1.10
REPRESENTATION OF AN EVENT C DEPENDENT ON THE OCCURRENCE OF EVENTS B AND A
FIGURE 1.11
FAULT TREE INCLUDING COMMON MODE EVENT A
I.8. Reliability Calculations by a Pattern Recognition
Method
The computer program PATREC [12] relies on the recognition
of sub-tree patterns whose probability combination laws have
been previously stored in the computer code's library. The
sub-tree is then replaced by a supercomponent with an associated
occurrence probability equal to that of the recognized sub-tree.
By repeating this process the whole tree is eventually
transformed into a single super-component whose occurrence
probability corresponds to that of the top tree event.
The elementary pattern recognition methodology used by
PATREC entails that large amounts of non-numerical data
interrelated in a complicated way be handled. To this end the
computer language PL-1 was chosen given its list processing
capabilities.
The task of evaluating the TOP tree event occurrence
probability is performed by PATREC through the following set of
manipulations on the fault tree structure, which is subject to
the following restrictions:
(a) Pattern recognition is made possible by giving the
fault tree diagram in a binary gate form (Fig. 1.12).
(b) Because of the binary gate form of the fault tree,
to each gate there corresponds a left hand side and
a right hand side sub-tree.
(c) Before proceeding on to identify sub-tree patterns
at each step in the tree reduction, PATREC internally
reorders the fault tree diagram in a way such
that if to every AND gate one unit of weight is
assigned and to every OR gate two units of weight
are assigned, then for each gate its right hand
sub-tree will be heavier than its left hand side.
Figure 1.13 shows the fault tree example II reordered
according to the above rule. The above tree reordering
is done in order to avoid the storage of different
patterns which correspond to the same logic
structure (Figure 1.14).
(d) Using list processing methods the pattern library is
stored in the computer memory in a tree-like form.
As a result redundant information about similar
sub-patterns isn't stored separately and moreover the
largest patterns found in PATREC's library are
guaranteed to be identified each time. In Figure 1.15 the
tree representing the set of 12 basic patterns stored
in PATREC is shown. Tree patterns are represented
in reverse polish notation, thus

    $A\ B\ \cap = A \cap B$    (1.75)
    $P_5 = A\ B\ C\ \cap\ \cup = A \cup (B \cap C)$
    $A\ B\ \cap\ C\ D\ \cup\ \cap = (A \cap B) \cap (C \cup D)$
    etc.
FIGURE 1.12 FAULT TREE EXAMPLE II IN BINARY GATE FORM
FIGURE 1.13 FAULT TREE EXAMPLE II IN ITS ORDERED FORM
FIGURE 1.14
EQUIVALENT BINARY TREE PATTERNS
(Pattern found in PAT-REC's library; pattern not found in PAT-REC's library)
FIGURE 1.15
PAT-REC'S LIBRARY OF PATTERNS STORED IN A TREE-LIKE FORM
(e) Basic components are required not to be replicated in
the fault tree. Consequently, each time a sub-tree is
found to correspond to a particular pattern in PATREC's
library, it will be possible to replace it by a
supercomponent having the same occurrence probability as
that of the sub-tree's top event. Thus, since gate G2
of fault tree example II is the top gate for a sub-tree
with the same structure as that of pattern P5, it will
be replaced by a supercomponent having an occurrence
probability

    $P_{G2} = P_3 + (P_2 P_1 - P_3 P_2 P_1)$    (1.76)

Subsequently a new ordered representation for the fault
tree will be found (Figure 1.16), which corresponds to pattern
P = A B C $\cup$ $\cap$, hence the TOP event occurrence probability is
finally determined as

    $P(\mathrm{TOP}) = P_{G2} (P_4 + P_5 - P_4 P_5)$    (1.77)

As explained above the procedure used by PATREC is restricted
to fault trees which do not include replicated events. For
most real problems however a number of basic components will be
replicated several times in the fault tree. Therefore it is
necessary that the methodology be somehow generalized to handle
these situations. Computer code PATREC-DE [4] was created for
this purpose. Its procedure is based on expressing the
structure of a fault tree which includes replicated events in terms
of a number of fault trees having no replications in their
structure. Thus, recall that the dependency of a coherent structure
function $\phi(\mathbf{Y}^N)$ on any of its basic inputs $y_i$ may be explicitly
indicated as

    $\phi(\mathbf{Y}) = y_i\, \phi(1_i, \mathbf{Y}) + (1 - y_i)\, \phi(0_i, \mathbf{Y})$    (1.38)
    $\Rightarrow h(\mathbf{P}) = P_i\, h(1_i, \mathbf{P}) + (1 - P_i)\, h(0_i, \mathbf{P})$    (1.39)

FIGURE 1.16
FINAL ORDERED FORM FOR FAULT TREE EXAMPLE II

This expansion has the effect of wiping out the dependency
on $Y_i$ from the fault trees representing $\phi(1_i, \mathbf{Y})$ and
$\phi(0_i, \mathbf{Y})$ (Figure 1.17). Therefore by repeatedly expanding in
all variables $Y_i$ (i = 1,2,...,r) which correspond to replicated
basic events, it is possible to relate the original
fault tree to a number of fault trees which include no
replicated events in their structure, i.e.,
N r Y 1-y C
.R ylx R
where the sum is extended over all of the $2^r$ binary vectors
$\mathbf{Y}^R$ corresponding to a particular combination of ON and OFF
states for the replicated events, $R \cup R^C = N$ and $0^0 = 1$.
The TOP event occurrence probability for the original
fault tree will then be given by
r Y 1-Y C
P(TOP) = h(P) = II x (1
~R J=l - 4  ~~R
(1.79)
Notice, however, that this procedure has the disadvantage of
requiring that $2^r$ different fault tree TOP event occurrence
probabilities be evaluated.

FIGURE 1.17
FAULT TREE DEPENDENCIES REDUCED OUT WHEN Y = 0 OR Y = 1
I.9. The IMPORTANCE Computer Program
IMPORTANCE [14] is a computer program which was developed
to rank basic events and cut-sets according to various importance
measures.
The IMPORTANCE computer code is capable of handling
time-dependent fault trees under the assumption that each basic
component be statistically independent and that its failure and
repair distribution be exponential in time. Thus to each basic
event there corresponds a set of parameters $(\nu, \lambda)_i$ such that the
failure occurrence probability $P_i(t)$ obeys the equations

    $q(t) = 1 - p(t)$    (1.80)
    $\frac{dq(t)}{dt} + \lambda q(t) = \nu p(t)$
    $\frac{dp(t)}{dt} + \nu p(t) = \lambda q(t)$
    $q(0) = 1$

Therefore p(t) will be given by

    $p(t) = \frac{\lambda}{\lambda + \nu} \left(1 - e^{-(\lambda + \nu) t}\right)$    (1.81)

and

    $U = \lim_{t \to \infty} P(t) = \frac{\lambda}{\nu + \lambda} = \frac{\tau}{\mu + \tau}$

where $\mu$ = component mean time to failure and $\tau$ = component
mean time to repair (for convenience the component index i
has been omitted in the above equations).
Table 1.6 lists the seven measures of basic event
importance computed by the IMPORTANCE code.

TABLE 1.6
BASIC EVENT IMPORTANCE MEASURES COMPUTED BY THE IMPORTANCE CODE

Measure and Expression

1. Birnbaum
    $\frac{\partial h(\mathbf{P}(t))}{\partial P_i(t)} = h(1_i, \mathbf{P}(t)) - h(0_i, \mathbf{P}(t))$

2. Criticality
    $\frac{\partial h(\mathbf{P}(t))}{\partial P_i(t)} \cdot \frac{P_i(t)}{h(\mathbf{P}(t))}$

3. Upgrading Function
    $\frac{\lambda_i}{h(\mathbf{P}(t))} \cdot \frac{\partial h(\mathbf{P}(t))}{\partial \lambda_i}$

4. Vesely-Fussell
    $\frac{h_K^i(\mathbf{P}(t))}{h(\mathbf{P}(t))}$

5. Barlow-Proschan
    $\frac{\int_0^t [h(1_i, \mathbf{P}(t')) - h(0_i, \mathbf{P}(t'))]\, dW_{f,i}(t')}{E[N_s(t)]}$

6. Steady State Barlow-Proschan (BP,SS)
    $\frac{[h(1_i, \mathbf{u}) - h(0_i, \mathbf{u})] / (\mu_i + \tau_i)}{\sum_{j=1}^{n} [h(1_j, \mathbf{u}) - h(0_j, \mathbf{u})] / (\mu_j + \tau_j)}$

7. Sequential Contributory
    $\frac{\sum_{j \neq i;\ i \& j \in K_\ell\ \text{for some}\ \ell} \int_0^t [h(1_i, 1_j, \mathbf{P}(t')) - h(1_i, 0_j, \mathbf{P}(t'))]\, P_i(t')\, dW_{f,j}(t')}{E[N_s(t)]}$

The first four basic event importance measures relate
to the fault tree at a certain point in time t. The first,
second and fourth measures were previously discussed in section
I.5. The Upgrading Function Importance measure proposed by
Lambert [14] offers the advantage that $\lambda_i$, as opposed to failure
probability $P_i(t)$, is a physically measurable parameter. Moreover
Lambert has shown how the Upgrading Function may be used as a
tool to decide on an optimal choice for system upgrade.
The fifth and seventh basic event importance measures
are different in that they take into account the way components
failed sequentially in time to cause system failure. Thus, the
Barlow-Proschan importance [2] for component i measures the
probability that the system has failed by time t because a minimal
cut-set critical to the system has failed with component i
failing last.
The Barlow-Proschan measure is obtained by integrating
over the component failure density $W_{f,i}(t)$ and by dividing over
the expected number of system failures $E[N_s(t)]$ by time t.
$W_{f,i}(t)\,dt$ is defined as the probability that event i will fail
in the time interval (t, t+dt). Furthermore $W_{f,s}(t)\,dt$ is
defined to be the probability that an overall system failure will
occur in the interval (t, t+dt). Murchland [15] has shown that
the system failure density $W_{f,s}(t)$ may be given in terms of
$W_{f,i}(t)$ as

    $W_{f,s}(t) = \sum_{i=1}^{n} \frac{\partial h(\mathbf{P}(t))}{\partial P_i(t)}\, W_{f,i}(t)$    (1.82)

From a knowledge of $W_{f,s}(t)$ the expected number of failures
over the time interval [0,t] will be given by

    $E[N_s(t)] = \int_0^t W_{f,s}(t)\,dt$    (1.83)

The sequential contributory importance measure is useful to
assess the role of the failure of a component i when any other
component j is the cause of system failure. For this case
the failure of i will contribute to system failure only if i
and j are contained in at least one minimal cut-set associated
with the fault tree.
Finally the Barlow-Proschan steady-state importance
measure is concerned with the asymptotic behavior of each component
in the fault tree. Asymptotically the probability that a
component is down is given by its unavailability (Equation 1.81)

    $u = \frac{\tau}{\mu + \tau}$    (1.81)

hence the asymptotic value of its probability density $W_{f,i}(t)$
will be

    $\lim_{t \to \infty} W_{f,i}(t) = \frac{1}{\mu_i + \tau_i}$    (1.84)

On the other hand the probability that component i causes
system failure in the interval (t, t+dt) is given by

    $\frac{[h(1_i, \mathbf{P}(t)) - h(0_i, \mathbf{P}(t))]\, W_{f,i}(t)\,dt}{\sum_{j=1}^{n} [h(1_j, \mathbf{P}(t)) - h(0_j, \mathbf{P}(t))]\, W_{f,j}(t)\,dt}$    (1.85)

therefore, the steady state probability that component i causes
failure is

    $I_i^{BP,SS} = \frac{[h(1_i, \mathbf{u}) - h(0_i, \mathbf{u})]\, \frac{1}{\mu_i + \tau_i}}{\sum_{j=1}^{n} [h(1_j, \mathbf{u}) - h(0_j, \mathbf{u})]\, \frac{1}{\mu_j + \tau_j}}$    (1.86)

CHAPTER TWO
MODULAR REPRESENTATION OF FAULT TREES
II.1. Introduction
Defined in terms of a reliability network diagram, a
module is a group of components which behaves as a super-
component. That means, it is completely sufficient to know
the state of the super-component, and not the state of each
component in the module, to determine the overall state of
the system. In what follows, the properties associated
with modularized fault trees and the computational
advantages of analyzing fault trees by means of a modular
decomposition will be presented.
II.2. Modular Decomposition of Coherent Systems
In the context of the theory of coherent structures, a
module is formally defined as follows [1]:
Let $\phi(\mathbf{Y}^N)$ be the coherent structure function for a
system having the vector $\mathbf{Y}^N = (y_1, y_2, \ldots, y_n)$ of basic
input events. Then the subset M of basic events contained
in N together with the coherent structure function $a(\mathbf{Y}^M)$
define a module provided
N. M (2.1)
E(JN) = a( a(JM), yMC)(21
where a is a coherent structure function operation on
the super-component state a( M) and on the set of events
MC with N = MUMC
Thus, a module $a(\mathbf{Y}^M)$ for system $\phi(\mathbf{Y}^N)$ is a coherent
subsystem acting as a super-component. It follows then
that in terms of a fault tree diagram, an intermediate gate
event will be a module to the top event if the basic events
contained in the domain of this gate do not appear
elsewhere in the fault tree.
Hence the modularization of fault trees having no
replicated events or gates can be easily accomplished, since
every intermediate gate for such a fault tree will be the
top event for a tree sub-module. Nevertheless, as soon as
replicated events and gates occur in the fault tree, the
modular decomposition becomes a more involved procedure.
II.3. The Finest Modular Representation
An algorithm to decompose a fault tree into its finest
modular representation, given its minimal cut-set structure
composition, was originated by Chatterjee [7].
The finest modular representation for a coherent structure
function $\theta(Y^N)$ is defined to be its mathematically
equivalent fault tree diagram having the following properties:
1. All tree branches are independent, i.e., every
intermediate gate event in the tree is modular-
izable;
2. The logic function associated with each gate is
either "prime", or "simple" having no inputs
from other "simple" gates of the same type.
AND and OR gates are defined as the "simple" gates, since
they are characterized by a single cut-set and a single path-
set, respectively. The second property requires that AND and
OR gates present in the finest modular representation be of
maximal size, i.e., if a simple gate has as inputs a number
of simple gates of the same type, then all these gates must be
collapsed together into one gate.
Higher order "prime" gates are defined to be Boolean
logic functions which are not further modularizable. Prime
logic functions are thus characterized by an irreducible set
of Boolean cut-set vector equations.
Let $\alpha(Y^M)$ be the coherent structure function corresponding
to a prime gate having inputs $Y^M = (y_1, y_2, \ldots, y_m)$; then each of
its minimal cut-sets will be represented by a Boolean vector
$S_j = (S_{1j}, S_{2j}, \ldots, S_{nj})$    (2.2)
$(j = 1, \ldots, \ell)$, with $S_{ij} = 1$ if the input i is contained
in the cut-set j and $S_{ij} = 0$ if the input i is not contained
in the cut-set j $(i = 1, 2, \ldots, n)$.
Thus, consider the sub-tree examples shown in Figures 2.1
and 2.3. Figure 2.1 represents a sub-tree having no replicated
events, and its finest modular representation (Figure 2.2) is
readily obtained by coalescing gates G1 and G2. Its modular
structure is given by the following set of recursive equations.
$M_1 = \{M_3, M_4, M_5; \cap\}$    (2.3)
$M_3 = \{a, b, c; \cup\}$    (2.4)
$M_4 = \{d, e, f; \cup\}$
$M_5 = \{g, h, i; \cup\}$
[FIGURE 2.1: SAMPLE SUB-TREE I WITH NO REPLICATIONS]
[FIGURE 2.2: FINEST MODULAR REPRESENTATION OF SAMPLE SUB-TREE I]
Alternately, the sub-tree structure could have been
described by listing its 27 different minimal cut-sets
(a,d,g), (b,d,g), (c,d,g), etc.
Figure 2.3 represents a sub-tree having replicated
event r as an input to gates G3 and G5. To obtain its finest
modular representation (Figure 2.4) one must first realize
that events (a,b), (g,i) and (d,e,f) form modules associated
with simple OR gates
$M_3 = \{a, b; \cup\}$    (2.5)
$M_4 = \{d, e, f; \cup\}$
$M_5 = \{g, i; \cup\}$
Furthermore, these modules together with replicated
event r will become the inputs to a higher order prime gate
$\alpha(y_r, y_{M_3}, y_{M_4}, y_{M_5})$ characterized by a set of MODULAR
minimal cut-sets represented in Boolean vector form as:
$B = (y_r, y_{M_3}, y_{M_4}, y_{M_5})$    (2.6)
$S_1 = (1, 0, 1, 0)$    (2.7)
$S_2 = (0, 1, 1, 1)$
It should be noted here how each of these modular minimal
cut-sets is a compact representation for the usual basic
event minimal cut-sets. Thus $S_1$ includes the 3 minimal cut-
sets (r,d), (r,e), (r,f); while $S_2$ incorporates the other
12 remaining minimal cut-sets (a,d,g), (b,d,g), (a,d,i), etc.
It must be stressed here that the algorithm given by Chatter-
jee was devised for deriving the modular composition of a
fault tree given the minimal cut-set structural description
of the fault tree. In complete contrast with this, the
modularization algorithm given in Chapter III derives the
modular composition of a fault tree directly from its
diagram description.
[FIGURE 2.3: SAMPLE SUB-TREE II WITH REPLICATIONS]
[FIGURE 2.4: FINEST MODULAR REPRESENTATION OF SAMPLE SUB-TREE II]
II.4. Reliability Evaluation of Modularized Fault Trees
Once the modular structure of a fault tree has been
derived, a quantitative evaluation of reliability and impor-
tance parameters of the fault tree may be efficiently per-
formed. In particular, the probability of the occurrence
of the top event, P(TOP), is obtained by means of a series
of recursive calculations requiring the evaluation of the
probability expectation value of each of the modules con-
tained in the tree.
Thus, if a particular module M in the tree has a set
$(M_1, M_2, \ldots, M_n)$ of modules as inputs, and is characterized
by the coherent structure function $\alpha_M$
$\alpha_M = \beta(\alpha_1, \alpha_2, \ldots, \alpha_n)$    (2.8)
with $\alpha_i = \alpha_{M_i}$ $(i = 1, \ldots, n)$, then its expectation value
$h_{\alpha_M}(P)$ is given by
$h_{\alpha_M}(P) = h_\beta(h_{\alpha_1}(P), h_{\alpha_2}(P), \ldots, h_{\alpha_n}(P))$    (2.9)
For the case of simple AND and OR gate modules, the
expression for $h_{\alpha_M}$ reduces to
$M = \{M_1, M_2, \ldots, M_n; \cap\}$
$\rightarrow h_{\alpha_M} = h_{\alpha_1} h_{\alpha_2} \cdots h_{\alpha_n} = \prod_{i=1}^{n} h_{\alpha_i}$    (2.10)
$M = \{M_1, M_2, \ldots, M_n; \cup\}$
$\rightarrow h_{\alpha_M} = 1 - (1 - h_{\alpha_1})(1 - h_{\alpha_2}) \cdots (1 - h_{\alpha_n}) = \coprod_{i=1}^{n} h_{\alpha_i}$    (2.11)
While for a higher order gate module $h_{\alpha_M}(P)$ is given by
$h_{\alpha_M}(P) = E\left[\coprod_{j=1}^{N_k} \prod_{i \in K_j} \alpha_i\right]$    (2.12)
where $i \in K_j$ includes all modules contained in the
minimal cut-set $K_j$, $N_k$ is the total number of minimal cut-
sets representing the module structure $\alpha_M$ and E represents
the probability expectation value operator which when
applied on the structure function $\alpha_i$ yields
$E(\alpha_i) = h_{\alpha_i}(P)$    (2.13)
An exact computation of $h_{\alpha_M}$ for a higher order gate
may be done by performing the operations indicated on the
right-hand side of equation (2.12) and using the idem-
potency property of $\alpha_i$, i.e. $\alpha_i^2 = \alpha_i$. An expression for
$\alpha_M$ linearly dependent on $\alpha_i$ for all i will be thus obtained.
It is then possible to apply equation (2.13) yielding $h_{\alpha_M}$
as a function of $h_{\alpha_i}$ $(i = 1, \ldots, n)$.
For a higher-order module involving a large number of
cut-sets, such an evaluation technique would be, however,
too complex. For these cases it is preferred to
use an approximation by applying the familiar minimal
cut-set upper bound formula
$h_{\alpha_M}(P) \le \coprod_{j=1}^{N_k} \prod_{i \in K_j} h_{\alpha_i}(P)$    (2.14)
which in its first order expansion reduces to the rare-
event approximation
$h_{\alpha_M}(P) \le \sum_{j=1}^{N_k} \prod_{i \in K_j} h_{\alpha_i}(P)$    (2.15)
It may be seen now that the top event occurrence proba-
bility, P(TOP), can be derived by successively using, where-
ever necessary, the minimal cut upper bound approximation
for the evaluation of modular reliabilities contained in
the fault tree.
The following theorem states that such a series of
approximations will yield an upper bound value closer to
P(TOP) than that obtained by applying the minimal cut
upper bound to the family of cut-sets characterizing the
full fault tree. The proof of the theorem closely follows
the line of arguments given by Barlow and Proschan [1]
to show the analogous result for the minimal path lower
bound approximation to P(TOP).
Theorem: Let $\theta(Y^N)$ be a coherent structure of
independent components with modular decomposition
$\{(M_1, \alpha_1), (M_2, \alpha_2), \ldots, (M_r, \alpha_r)\}$
and organizing coherent structure function $\beta$, i.e.
$\theta(Y^N) = \beta(\alpha_1, \alpha_2, \ldots, \alpha_r)$    (2.16)
with $M_i \cap M_j$ = the empty set for $i \ne j$.
Then
$h_\theta(P) \le u_\beta(u_{\alpha_1}(P), \ldots, u_{\alpha_r}(P)) \le u_\theta(P)$    (2.17)
Here $u_\gamma$ denotes the minimal cut upper bound for a
coherent structure function $\gamma(y_1, \ldots, y_m)$, i.e.
$u_\gamma(P) = \coprod_{j=1}^{N_k} \prod_{i \in K_j} P_i$    (2.18)
In order to prove the theorem (equation 2.17), it is
necessary to first introduce the following Lemma:
Lemma: Let a coherent structure function $\gamma$ consist
of n modules connected in series, that is
$\gamma(Y) = \prod_{i=1}^{n} \gamma_i(Y)$    (2.19)
and consider all components to be statistically inde-
pendent. Then
$\prod_{i=1}^{n} u_{\gamma_i}(P) \le u_\gamma(P)$    (2.20)
Proof of Lemma: We may represent $\gamma_i$ in terms of its
minimal cut-set structure functions $\chi_{ij}(Y)$ as
$\gamma_i = \coprod_{j=1}^{K_i} \chi_{ij}$    (2.21)
it follows that
$u_{\gamma_i}(P) = \coprod_{j=1}^{K_i} P(\chi_{ij}(Y) = 1)$  $(i = 1, \ldots, n)$    (2.22)
and hence
$\prod_{i=1}^{n} u_{\gamma_i}(P) = \prod_{i=1}^{n} \coprod_{j=1}^{K_i} P(\chi_{ij}(Y) = 1)$    (2.23)
Now, if we replace replicated components in the minimal
cut-set representation for $\gamma(Y)$ by identical but mutually
independent components, we will obtain a new coherent
structure function $\gamma'$ having the same upper bound as $\gamma$, i.e.
$u_{\gamma'}(P) = u_\gamma(P)$    (2.24)
But by the definition of $\gamma'$
$h_{\gamma'}(P) = \prod_{i=1}^{n} u_{\gamma_i}(P)$    (2.25)
therefore
$\prod_{i=1}^{n} u_{\gamma_i}(P) \le u_\gamma(P)$    (2.26)
q.e.d.
Proof of Theorem: Let $v_1, v_2, \ldots, v_t$ denote the minimal
cut-set structure functions of the organizing coherent
structure function $\beta(\alpha_1, \ldots, \alpha_r)$; let $\mu_j(Y) = v_j[\alpha_1(Y), \ldots,
\alpha_r(Y)]$ be the minimal cut-set indicator function constituted
by a number of modules $(M_{i_1}, M_{i_2}, \ldots)$ which are neces-
sarily connected in series. And let $\mu_{j1}, \mu_{j2}, \ldots, \mu_{j t_j}$
denote the minimal cut-set structure functions for $\mu_j$
$(j = 1, 2, \ldots, t)$.
Then
$\{\mu_{jk}\}$,  $k = 1, \ldots, t_j$;  $j = 1, \ldots, t$
constitute the set of minimal cut-set structure functions of
$\theta(Y^N)$ since (a) each $\mu_{jk}$ is distinct given that the modules
in the structure $\beta(\alpha_1, \ldots, \alpha_r)$ are disjoint. (b) $\mu_{jk} = 1$
$\rightarrow v_j = 1 \rightarrow \beta = 1 \rightarrow \theta = 1$, therefore $\mu_{jk}$ is a cut-set
structure function of $\theta$. Moreover the sets $\mu_{jk}$ are minimal.
It follows that
$u_\theta(P) = \coprod_{j=1}^{t} \coprod_{k=1}^{t_j} h_{\mu_{jk}}(P)$    (2.27)
Furthermore since the modular components of $v_j$ are
connected in series, one may apply the above Lemma to
obtain
$h_{v_j}(u_{\alpha_1}(P), \ldots, u_{\alpha_r}(P)) \le u_{\mu_j}(P)$    (2.28)
Finally, using (2.27) and (2.28) it follows that
$u_\beta(u_{\alpha_1}(P), \ldots, u_{\alpha_r}(P)) = \coprod_{j=1}^{t} h_{v_j}(u_{\alpha_1}(P), \ldots, u_{\alpha_r}(P)) \le \coprod_{j=1}^{t} u_{\mu_j}(P) = \coprod_{j=1}^{t} \coprod_{k=1}^{t_j} h_{\mu_{jk}}(P) = u_\theta(P)$    (2.29)
q.e.d.
II.5. Reliability Importance of Modules
II.5.1 Summary of Reliability Importance Measures
It has been shown that for a modularized fault tree,
the evaluation of the top event occurrence probability
P(TOP) requires that the occurrence probabilities of
all the intermediate gate events corresponding to a
module in the fault tree be evaluated in advance. It is
obvious, however, that because of the recursive nature of
the modular equations, the execution of this task may be
done very efficiently. Furthermore, it will be shown in
this section that the additional information obtained in
this process, i.e., the modular reliabilities, is needed
to evaluate the reliability importance of each of the
modules and basic events contained in the fault tree.
In Chapter I several measures of importance were
introduced and defined in terms of h(P), the top event
occurrence probability given as a function of the occur-
rence probabilities of the basic events
$P(\mathrm{TOP}) = E(\theta(Y^N)) = \mathrm{Prob}[\theta(Y) = 1] = h(P)$    (2.30)
with $Y = (y_1, y_2, \ldots, y_n)$ and $P = (P_1, P_2, \ldots, P_n)$
defined as
$E(y_i) = \mathrm{Prob}(y_i = 1) = P_i$    (2.31)
Thus, Birnbaum's measure of importance for system's
component i was defined as the rate of change of the
overall system reliability as the reliability of component
i is changed.
$I_i^{B} = h(1_i, P) - h(0_i, P)$    (2.32)
The criticality importance of component i was defined
as the probability that the system is in a state in which
component i is both "critical" to the system and is in a failed
state, given that the system has failed
$I_i^{Cr} = \frac{\mathrm{Prob}(i\ \mathrm{critical}) \cdot P_i}{h(P)}$    (2.33)
where component i is defined to be critical to the
system if the system fails provided i is in a failed state
but does not fail if component i is not in a failed state,
i.e., it is required that the state vector be such that
$\theta(1_i, Y) = 1$ and $\theta(0_i, Y) = 0$
(Recall $\theta(1_i, Y) = \theta(y_1, y_2, \ldots, y_i = 1, \ldots, y_n)$.)
Hence
Prob(i critical)
$= P(\theta(1_i, Y) = 1) - P(\theta(0_i, Y) = 1)$    (2.34)
$\rightarrow$ P(i critical) $= h(1_i, P) - h(0_i, P)$    (2.35)
By substituting equation (2.35) into equation (2.33),
the following equation is derived:
$I_i^{Cr} = \frac{(h(1_i, P) - h(0_i, P)) \cdot P_i}{h(P)}$    (2.36)
The Vesely-Fussell importance measure for component i
was defined as the probability that component i will
contribute to system failure, given that the system is in
a failed state. As component i contributes to system
failure only if a cut-set containing i has failed, it is
convenient to define $\theta_k^i(Y)$ to be the Boolean operator
function for the union of all cut-sets containing event i
$\theta_k^i(Y) = \coprod_{j=1}^{N_k^i} \prod_{\ell \in K_j^i} y_\ell$    (2.37)
with $N_k^i$ = number of cut-sets containing basic event i,
and $\ell \in K_j^i$ implies index $\ell$ includes all basic events in
cut-set $K_j$ which necessarily contains event i. Then in
terms of $\theta_k^i(Y)$ the Vesely-Fussell importance of component
i is given by
$I_i^{V.F.} = \frac{P(\theta_k^i(Y) = 1)}{P(\theta(Y) = 1)} = \frac{h_k^i(P)}{h(P)}$    (2.38)
II.5.2 The Birnbaum and Criticality Measures of Importance
for Modules
Since for a modularized fault tree each of its modules
may be considered as a super-component independent of the
rest of the tree, the above definitions may also correctly
apply for modular importances. Thus, if $\alpha(Y^M)$ is the
coherent structure function associated with module M for
a fault tree characterized by coherent structure function
$\theta(Y^N)$
$N = M \cup M^C$    (2.39)
and
$h_\theta(P) = h_\beta(h_\alpha(P^M), P^{M^C})$    (2.40)
then Birnbaum's importance measure for module M will be
$I^{B}_{\beta,M} = \frac{\partial h_\beta(h_\alpha(P^M), P^{M^C})}{\partial h_\alpha(P^M)}$    (2.41)
and since the set M of inputs is disjoint from the rest of
the tree, we can use a partial derivative chain rule to
obtain the Birnbaum importance of input i contained in
module M [5]
$I^{B}_{\theta,i} = \frac{\partial h_\beta(h_\alpha(P^M), P^{M^C})}{\partial h_\alpha(P^M)} \cdot \frac{\partial h_\alpha(P^M)}{\partial P_i}$  $(i \in M)$    (2.42)
$= I^{B}_{\beta,M} \cdot I^{B}_{\alpha,i}$    (2.43)
In words, the above chain-rule states that the Birnbaum
importance of event i is given by the product of its Birn-
baum importance with respect to the module to which it
belongs and the Birnbaum importance of the module with
respect to the top tree event.
The criticality importance measure for module M is
given by
$I^{Cr}_{M} = \frac{\partial h_\beta(h_\alpha(P^M), P^{M^C})}{\partial h_\alpha(P^M)} \cdot \frac{h_\alpha(P^M)}{h_\beta(h_\alpha(P^M), P^{M^C})}$    (2.44)
so a reliability change in module M proportional to its
expectation value
$\Delta h_\alpha = C \cdot h_\alpha(P^M)$    (2.45)
causes a system reliability fractional change given by
$\frac{\Delta h_\beta}{h_\beta} = C \cdot I^{Cr}_{M}$    (2.46)
II.5.3 The Vesely-Fussell Importance Measure for Modules
The Vesely-Fussell importance measure for module M
will be given by
$I^{V.F.}_{\beta,M} = \frac{\mathrm{Prob}(\beta_k^\alpha(\alpha(Y^M), Y^{M^C}) = 1)}{\mathrm{Prob}(\beta(\alpha(Y^M), Y^{M^C}) = 1)}$    (2.47)
with $\beta_k^\alpha(\alpha(Y^M), Y^{M^C})$ defined to be the Boolean operator
function for the union of all cut-sets of $\beta(\alpha(Y^M), Y^{M^C})$
containing super-component event $\alpha(Y^M)$, i.e.
$\beta_k^\alpha(\alpha(Y^M), Y^{M^C}) = \coprod_{j=1}^{N_k^\alpha} \prod_{\ell \in K_j^\alpha} y_\ell$    (2.48)
with
$\alpha = \alpha(Y^M)$, $N_k^\alpha$ = number of cut-sets
containing super-component $\alpha$ and $K_j^\alpha$ a cut-set containing
necessarily the super-component state $\alpha$.
Chatterjee [6] has shown that a chain-rule, analogous
to the one given for the Birnbaum importance of component i
in module M (equation 2.43), holds for the Vesely-Fussell
importance measure, namely
$I^{V.F.}_{\theta,i} = I^{V.F.}_{\beta,M} \cdot I^{V.F.}_{\alpha,i}$    (2.49)
with
$\theta(Y) = \beta(\alpha(Y^M), Y^{M^C})$ and $y_i \in Y^M$
This relation has been proven by Chatterjee as follows:
The family of minimal cut-sets of $\theta(Y)$ containing event
i $(= K_\theta(i))$ may be generated by taking the family of minimal
cut-sets of $\beta(\alpha(Y^M), Y^{M^C})$ which include module M $(= K_\beta(M))$
and then substituting superevent M by the family of minimal
cut-sets of $\alpha(Y^M)$ which contain event i $(= K_\alpha(i))$, therefore
$K_\theta(i) = K_\alpha(i) \times \{K_\beta(M) - (M)\}$    (2.50)
By defining the following events
A = at least one of the minimal cut-sets of module M
which contains i fails, i.e., $K_\alpha(i)$ fails.
B = at least one of the minimal cut-sets of module M
fails, i.e. $K_\alpha$ fails (notice $A \subset B$).
C = at least one of the elements of $K_\beta(M) - (M)$ fails
(notice event C is disjoint with any event within
the module).
It follows that $C \cap B$ is the event = module causes system
failure. And $A \cap B \cap C$ is the event = module causes system
failure with event i failing.
Also, one has
$P(A \cap B \cap C) = P(B) \cdot P(A \cap B \mid B) \cdot P(C)$    (2.51)
since event C is independent of A and B, and $P(A \cap B \mid B)$ is
the conditional probability that event $A \cap B$ occurs, given
that event B has occurred.
Furthermore, since $A \subset B$ then $A \cap B = A$ and since C and B
are independent events $P(C) P(B) = P(C \cap B)$, hence
$P(A \cap B \cap C) = P(A \mid B) \cdot P(C \cap B)$    (2.52)
It is now only necessary to realize that the following
relations hold
$I^{V.F.}_{\theta,i} = \frac{P(\text{i has failed with at least one of its minimal cut-sets})}{P(\text{the system has failed})}$
$\rightarrow I^{V.F.}_{\theta,i} = \frac{P(A \mid B) \cdot P(C \cap B)}{h_\theta(P)}$    (2.53)
also
$I^{V.F.}_{\alpha,i} = P(A \mid B)$    (2.54)
$I^{V.F.}_{\beta,M} = \frac{P(C \cap B)}{h_\theta(P)}$    (2.55)
Hence
$I^{V.F.}_{\theta,i} = I^{V.F.}_{\beta,M} \cdot I^{V.F.}_{\alpha,i}$    (2.56)
q.e.d.
II.5.4 Evaluation of the Vesely-Fussell Importance Measures
for a Modularized Fault Tree
In what follows it will be shown how the Vesely-
Fussell importance for modules and basic events can be
easily computed from a knowledge of the modular structure
of a fault tree by a successive use of the recursive
modular equations
$\alpha_M = \beta(\alpha_1, \alpha_2, \ldots, \alpha_n)$    (2.57)
and by using the Vesely-Fussell modular importance chain-
rule
$I^{V.F.}_{\theta,i} = I^{V.F.}_{\beta,M} \cdot I^{V.F.}_{\alpha,i}$    (2.58)
Indeed, for the case of the super-module $\alpha_M$ composed
of modules $(\alpha_1, \alpha_2, \ldots, \alpha_n)$, the Vesely-Fussell importance of
each of these modules is given by
$I^{V.F.}_{\theta,\alpha_j} = I^{V.F.}_{\beta,M} \cdot I^{V.F.}_{\alpha_M,\alpha_j}$    (2.59)
$(j = 1, 2, \ldots, n)$
with
$\theta(Y) = \beta(\alpha_M(Y^M), Y^{M^C})$    (2.60)
Equation (2.59), giving the V.F. importance of modules
$(\alpha_1, \ldots, \alpha_n)$ contained in $\alpha_M$ with respect to the TOP tree
event, acquires a very simple form for the case of "simple"
AND and OR gates. Thus, for an AND gate (Figure 2.5) super-
module the following equation results
$\alpha_M = \mathrm{AND}\ \prod_{j=1}^{n} \alpha_j$    (2.61)
Therefore, a failure of the super-module implies
necessarily that all of its modules have failed, i.e., the
probability that module $\alpha_j$ $(j = 1, 2, \ldots, n)$ contributes to
failure of $\alpha_M$ given that $\alpha_M$ has failed equals one
$I^{V.F.}_{\alpha_M,\alpha_j} = 1$    (2.62)
$\Rightarrow I^{V.F.}_{\theta,\alpha_j} = I^{V.F.}_{\beta,M}$    (2.63)
In other words, a module $\alpha_j$ which is an input to an
AND gate super-module $\alpha_M$ will have the same V.F. importance
with respect to the TOP tree event as the super-module $\alpha_M$.
For the case of an OR gate super-module (Figure 2.6),
the structure function will be given by
$\alpha_M = \mathrm{OR}\ \coprod_{j=1}^{n} \alpha_j$    (2.64)
Here, module $\alpha_j$ contributes to the failure of $\alpha_M$ only
through the single event cut-set $(M_j)$. Therefore the
probability that it contributes to the failure of $\alpha_M$
given that $\alpha_M$ has failed is
$I^{V.F.}_{\alpha_M,\alpha_j} = \frac{h_{\alpha_j}}{h_{\alpha_M}}$    (2.65)
$I^{V.F.}_{\theta,\alpha_j} = I^{V.F.}_{\beta,M} \cdot \frac{h_{\alpha_j}}{h_{\alpha_M}}$    (2.66)
[FIGURE 2.5: AND GATE SUPER-MODULE]
[FIGURE 2.6: OR GATE SUPER-MODULE]
It should be noticed here that $h_{\alpha_j}$ and $h_{\alpha_M}$ are the
modular reliabilities which were needed to be evaluated in
advance to find the TOP tree event occurrence probability
P(TOP).
Finally, the evaluation of the Vesely-Fussell impor-
tance of modules $\alpha_j$ which are inputs to a higher order prime
module $\alpha_M$ (Figure 2.7) has to be considered:
$\alpha_M = \coprod_{\ell=1}^{N_k} \prod_{i \in K_\ell} \alpha_i$    (2.67)
The probability that module $\alpha_j$ will contribute to the
failure of its parent module $\alpha_M$, given that the parent module
has failed, is given by
$I^{V.F.}_{\alpha_M,\alpha_j} = \frac{P(\beta_K^j(\alpha_1, \ldots, \alpha_n) = 1)}{P(\beta(\alpha_1, \ldots, \alpha_n) = 1)}$    (2.68)
now
$P(\beta(\alpha_1, \ldots, \alpha_n) = 1) = h_{\alpha_M}$    (2.69)
and equation (2.67) implies that $\beta_K^j$ is given by
$\beta_K^j = \coprod_{\ell=1}^{N_k^j} \prod_{i \in K_\ell^j} \alpha_i$    (2.70)
Thus, the V.F. importance for module $\alpha_j$ with respect to
the TOP event will be
$I^{V.F.}_{\theta,\alpha_j} = I^{V.F.}_{\beta,M} \cdot \frac{P(\beta_K^j = 1)}{h_{\alpha_M}}$    (2.71)
[FIGURE 2.7: HIGHER ORDER PRIME GATE SUPER-MODULE]
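The recursive evaluation of Section II.4 and the Vesely-Fussell chain rule of Section II.5.4, applied to Sample Sub-Tree II, as an added Python example (not code from the report or from PL-MOD). The module equations are (2.5)-(2.7); the basic-event probabilities and all function names are assumptions made for the illustration.

```python
from itertools import product
from math import prod

# Modular equations (2.5)-(2.7) of Sample Sub-Tree II:
# module -> (gate, inputs[, modular minimal cut-set vectors S_j of a prime gate]).
MODULES = {
    "M3": ("OR", ["a", "b"]),
    "M4": ("OR", ["d", "e", "f"]),
    "M5": ("OR", ["g", "i"]),
    "TOP": ("PRIME", ["r", "M3", "M4", "M5"], [(1, 0, 1, 0), (0, 1, 1, 1)]),
}
# Constructed basic-event occurrence probabilities (assumed, not from the report).
P_BASIC = {**{e: 0.01 for e in "abdefgi"}, "r": 0.02}


def union_prob(cut_sets, probs):
    """Exact P(at least one cut-set has every input failed); inputs independent."""
    total = 0.0
    for state in product((0, 1), repeat=len(probs)):
        if any(all(x for x, s in zip(state, cs) if s) for cs in cut_sets):
            total += prod(p if x else 1.0 - p for p, x in zip(probs, state))
    return total


def cut_upper_bound(cut_sets, probs):
    """Minimal cut-set upper bound of eq. (2.14)."""
    return 1.0 - prod(1.0 - prod(p for p, s in zip(probs, cs) if s) for cs in cut_sets)


def evaluate(name, h, prime=union_prob):
    """Bottom-up recursion of eq. (2.9); h is filled with every modular probability."""
    if name not in h:
        gate, inputs, *cuts = MODULES[name]
        p = [evaluate(x, h, prime) for x in inputs]
        if gate == "AND":
            h[name] = prod(p)                           # eq. (2.10)
        elif gate == "OR":
            h[name] = 1.0 - prod(1.0 - q for q in p)    # eq. (2.11)
        else:
            h[name] = prime(cuts[0], p)                 # eq. (2.12), or bound (2.14)
    return h[name]


def vesely_fussell(name, h, vf=None, parent=1.0):
    """Top-down chain rule (2.59) with the local factors (2.62), (2.65), (2.68)."""
    vf = {} if vf is None else vf
    vf[name] = parent
    if name in MODULES:
        gate, inputs, *cuts = MODULES[name]
        p = [h[x] for x in inputs]
        for j, x in enumerate(inputs):
            if gate == "AND":
                local = 1.0
            elif gate == "OR":
                local = h[x] / h[name]
            else:  # union of the modular cut-sets that contain input j
                local = union_prob([cs for cs in cuts[0] if cs[j]], p) / h[name]
            vesely_fussell(x, h, vf, parent * local)
    return vf


def expand(name):
    """Basic-event minimal cut-sets that a module stands for (modules are disjoint)."""
    if name not in MODULES:
        return [frozenset([name])]
    gate, inputs, *cuts = MODULES[name]
    n = len(inputs)
    if gate == "PRIME":
        vectors = cuts[0]
    elif gate == "AND":
        vectors = [(1,) * n]
    else:  # OR gate: one single-input cut-set per input
        vectors = [tuple(int(i == j) for i in range(n)) for j in range(n)]
    out = []
    for cs in vectors:
        parts = [expand(x) for x, s in zip(inputs, cs) if s]
        out += [frozenset().union(*combo) for combo in product(*parts)]
    return out


def analyse():
    """Exact P(TOP), modular bound, full-tree bound and V.F. importances."""
    exact = dict(P_BASIC)
    evaluate("TOP", exact)
    bounded = dict(P_BASIC)
    evaluate("TOP", bounded, prime=cut_upper_bound)
    full = expand("TOP")
    full_bound = 1.0 - prod(1.0 - prod(P_BASIC[e] for e in k) for k in full)
    return exact, bounded["TOP"], full, full_bound, vesely_fussell("TOP", exact)


if __name__ == "__main__":
    h, modular_bound, cuts, full_bound, vf = analyse()
    print(f"P(TOP) exact {h['TOP']:.6e}  modular bound {modular_bound:.6e}  "
          f"full cut-set bound {full_bound:.6e}  ({len(cuts)} basic cut-sets)")
    for name in ["r", "M3", "M4", "M5", "a", "d", "g"]:
        print(f"V.F. importance of {name}: {vf[name]:.4f}")
```

With these inputs the bound applied at the prime gate lies between the exact value and the bound taken over all 15 basic-event cut-sets, which is the ordering the theorem of Section II.4 states.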
CHAPTER THREE
PL-MOD: A FAULT TREE MODULARIZATION COMPUTER
PROGRAM WRITTEN IN PL-1
III.1 Introduction
As pointed out in Chapter II, it is possible to find for
any fault tree diagram an equivalent tree representation such
that all of its intermediate gates correspond to a modular
super-event independent from the rest of the tree. Further-
more, these modular gates are associated with Boolean logic
functions which are either "prime", i.e., they are represented
by an irreducible set of minimal cut-sets, or are "simple" of
maximal size, i.e., they are AND or OR gates having no inputs
from other gates of the same type.
A number of computational advantages result by using
this modular representation to analyze fault trees:
(a) Probabilities of occurrence for the TOP and inter-
mediate gate events may be efficiently computed, by evaluating
these modular events in the same order that they are generated;
(b) Modular and component importance measures are easily
computed by starting at the TOP tree event and successively
using a modular importance chain-rule;
(c) For complex fault trees necessitating the use of
minimal cut-set upper bounds for their quantification,
sharper bounds will result by using the minimal cut-set upper
bound at the level of modular gates.
In this chapter, an algorithm will be given for arriving
at the modular decomposition of fault trees. The implementa-
tion of the algorithm by the computer code PL-MOD will be dis-
cussed and its operation shall be illustrated by means of the
familiar Pressure Tank Rupture fault tree example [1]. Finally,
it will be shown how PL-MOD proceeds to use the modular infor-
mation for the evaluation of modular event occurrence proba-
bilities and of modular and component Vesely-Fussell importance
measures.
III.2. Algorithm for the Modular Decomposition of Fault
Trees
In Figure 3.1 a flow-chart is given for the algorithm
used by PL-MOD to modularly decompose fault trees.
The tree modularization is achieved by performing a
series of manipulations on its nodes as outlined by the
following steps:
(a) Each NODE in the fault tree is defined as a gate
operator (AND, OR, K-out-of-N) together with a set of
attached input gates and basic event components (Figure 3.2).
(b) A NODE's output will be an input to another NODE
defined to be its NODE ROOT (Figure 3.3).
(c) NODES having common replicated inputs are inter-
connected (Figure 3.4). These interconnections then identify
sets of nodes which are not immediately modularizable in the
original form of the fault tree.
(d) The tree modular decomposition is simultaneously
started at all bottom branch gate nodes (Figure 3.5) defined to
be those having no gate inputs (GATELESS NODES).
(e) Simple (AND, OR) gateless nodes having as NODE ROOT another
gate of the same type (Figure 3.6), are coalesced with their NODE
ROOT by transferring all their inputs to the NODE ROOT and thus
reducing the number of gate inputs to the NODE ROOT.
(f) Simple gateless nodes having a gate of a different type
as NODE ROOT are modularized (Figure 3.7). Those gateless nodes
having replicated components or "nested" sub-modules as inputs are
temporarily transformed into "nested" modules (Figure 3.8), unless
it is found that the set of replicated events within the gate is
complete (Figure 3.9) in which case a modular minimal cut-set rep-
resentation for its composition will be performed. The minimal
cut-sets will then be constituted by replicated events and proper
modules arising from each of the nested modules (Figure 3.10).
(g) Symmetric (K-out-of-N) gate NODES are immediately
modularized and given their Boolean representation (Figure 3.11).
(h) Nodes which have been transformed into proper modules
or temporary nested sub-modules are attached to their NODE ROOT
gate as additional component-like inputs thereby reducing the
number of gate inputs to their NODE ROOT gate (Figure 3.12).
(i) As steps (e), (f), (g) and (h) reduce the number of
gate inputs to each of the NODE ROOT gates attached to a gate-
less node, a new set of gateless nodes will necessarily be
obtained. Therefore steps (e) through (h) will be successively
applied to newly obtained sets of gateless nodes until the TOP
tree event is reached, thus leading to a modularization of the
whole tree.
[FIGURE 3.1: FAULT TREE MODULARIZATION ALGORITHM (flow-chart)]
[FIGURE 3.2: FAULT TREE NODES]
[FIGURE 3.3: FAULT TREE NODE.ROOTS]
[FIGURE 3.4: FAULT TREE NODE INTERCONNECTIONS]
[FIGURE 3.5: FAULT TREE BOTTOM BRANCH GATE NODES]
[FIGURE 3.6: COALESCED GATELESS NODES]
[FIGURE 3.7: MODULARIZED GATELESS NODES]
[FIGURE 3.8: INTERDEPENDENT NODES IN TEMPORARY NESTED MODULES g3, g5]
[FIGURE 3.9: COMPLETE SET OF NESTED SUB-MODULES]
[FIGURE 3.10: MODULAR MINIMAL CUT-SET REPRESENTATION]
[FIGURE 3.11: SYMMETRIC MODULARIZED GATE]
[FIGURE 3.12: MODULARIZED GATES AS PSEUDO-COMPONENTS]
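Steps (a), (b), (d), (e), (f), (g), (h) and (i) for a tree without replicated inputs, as an added Python example (not the PL-MOD code, which is written in PL/1). It narrows the algorithm to the case where every gateless node is immediately modularizable: the nested-module handling of steps (c) and (f) is not implemented, so replicated inputs are detected and rejected. The dictionary layout, the function name and the gate structure given for Sample Sub-Tree I (read from equations (2.3)-(2.4) and the statement that G1 and G2 are coalesced) are assumptions.

```python
from collections import Counter


def modularize(tree, top):
    """Modularize a fault tree that has no replicated events or gates.

    tree maps gate name -> (gate type, inputs); an input that is not a key of
    tree is a basic event. Returns (modules, trace): the modular equations and
    the sequence of coalesce/modularize operations that produced them.
    """
    # Step (a): one NODE per gate: operator, gate inputs, free leaves.
    nodes = {g: {"type": t, "root": None,
                 "gates": [x for x in ins if x in tree],
                 "leaves": [x for x in ins if x not in tree]}
             for g, (t, ins) in tree.items()}
    # Step (b): the NODE ROOT of a gate is the gate it is an input to.
    for g, node in nodes.items():
        for child in node["gates"]:
            if nodes[child]["root"] is not None:
                raise ValueError(f"replicated gate {child}: not handled here")
            nodes[child]["root"] = g
    # Step (c) would interconnect nodes sharing replicated events; this
    # narrowed example only detects them and stops.
    counts = Counter(x for node in nodes.values() for x in node["leaves"])
    replicated = sorted(x for x, c in counts.items() if c > 1)
    if replicated:
        raise ValueError(f"replicated events {replicated}: nested modules needed")

    modules, trace = {}, []
    # Step (d): start at all gateless nodes.
    work = [g for g, node in nodes.items() if not node["gates"]]
    while work:
        g = work.pop(0)
        node = nodes[g]
        if g == top:
            modules[g] = (node["type"], list(node["leaves"]))
            break
        if node["root"] is None:
            continue  # gate not connected to the TOP event
        root = nodes[node["root"]]
        root["gates"].remove(g)
        if node["type"] == root["type"] and node["type"] in ("AND", "OR"):
            # Step (e): coalesce with a NODE ROOT of the same simple type.
            root["leaves"].extend(node["leaves"])
            trace.append(("coalesce", g, node["root"]))
        else:
            # Steps (f), (g): modularize; step (h): attach as a pseudo-component.
            modules[g] = (node["type"], list(node["leaves"]))
            root["leaves"].append(g)
            trace.append(("modularize", g, node["root"]))
        if not root["gates"]:
            work.append(node["root"])  # step (i): a new gateless node appears
    return modules, trace


# Sample Sub-Tree I (gate structure assumed from eqs. (2.3)-(2.4)).
SUBTREE_I = {
    "G1": ("AND", ["G2", "G5"]),
    "G2": ("AND", ["G3", "G4"]),
    "G3": ("OR", ["a", "b", "c"]),
    "G4": ("OR", ["d", "e", "f"]),
    "G5": ("OR", ["g", "h", "i"]),
}

if __name__ == "__main__":
    mods, steps = modularize(SUBTREE_I, "G1")
    for op, gate, root in steps:
        print(f"{op:10s} {gate} -> {root}")
    for name, (gate, inputs) in mods.items():
        print(f"{name} = {{{', '.join(inputs)}; {gate}}}")
```

For Sample Sub-Tree I the result is the three OR modules and a single AND module over them, with G2 absorbed into G1, which matches equations (2.3)-(2.4).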
Careful examination of the kinds of fault tree structural
modifications needed to modularly decompose a fault tree, will
lead to the conclusion that a quite involved logical procedure
must be followed to accomplish this task. Therefore, in order
to implement the modularization of fault trees by the computer
program PL-MOD, it has been necessary to turn to a programming
language capable of dynamically following the step-by-step
structural changes effected by the modularization algorithm.
In the following sections of the chapter, programming language
PL-1, shall be shown to be particularly suited for this objec-
tive. Consequently the logical manipulations required to mod-
ularize fault trees will be illustrated throughout by the PL-1
statements contained in the PL-MOD code.
III.3. PL-1 Language Features Used for the Representation
and Modularization of Fault Trees
III.3.1. Introduction
In Chapter I, it was discussed how the computer code
PATREC [1; utilized a number of PL-1 language [lJJ tools for
the analysis of non-replicated event fault trees by means of
a pattern recognition technique. It was pointed out that its
procedure relies on the recognition of sub-tree patterns with-
in the fault tree which conform to known tree patterns stored
in the computer code library. Each recognized sub-tree
portion is then replaced by a super-component with an occur-
rence probability which has been computed by PATREC. New
sub-tree patterns are then recognized which include these super-
components until ultimately the tree reduces to a single super-
component with an occurrence probability equal to the overall
system reliability.
The approach taken by PL-MOD is quite different in that
its purpose is to obtain the full structural information for
the fault tree. This information is needed to allow for a
much more extensive analysis of the fault tree, rather than
the sole evaluation of the overall system reliability.
III.3.2. Structure Variables
A structure in PL-1 is a hierarchical collection of
related data items of different types.
In the computer code PL-MOD, a node is represented by a
structure containing relevant information such as its NAME
(chosen to be a number), its VALUE (a number which equals 1
for AND gates and 2 for OR gates), the number of gate inputs
it contains = GIN, the number of non-replicated inputs it
contains (called free leaves) = LIL, the number of replicated
inputs it contains (called replicated leaves) = DIR, etc.
Thus, the NODE structure has a declaration statement of the
form
    DECLARE 1 NODE,
        2 NAME FIXED,
        2 VALUE FIXED,
        2 GIN FIXED,
        2 LIL FIXED,
        2 DIR FIXED,
        2 etc.
III.3.3. Pointers, Based and Controlled Variables
PL/1 provides several facilities normally found only in
assembler or in list-processing languages. The essence of
list processing is the ability to dynamically allocate blocks
of core storage, to link those blocks together into a structure,
and to store and to retrieve data from the blocks. List pro-
cessing for complicated data structures, such as those required
by PL-MOD, are very difficult or impossible to achieve through
manipulations of simple arrays.
Each individual block of list-processing storage is
called a BASED VARIABLE and is usually defined as a data struc-
ture. Since several based variables with identical structures
will in general exist at a time, a POINTER VARIABLE is required
to point at a specific one.
Thus, in order to handle sets of similar NODE structures,
it is necessary that they be declared as BASED variables
    DECLARE 1 NODE BASED (NT),
        2 NAME FIXED,
        2 VALUE FIXED,
        2 GIN FIXED,
        2 LIL FIXED,
        2 DIR FIXED,
        2 etc.
Each time a NODE structure needs to be created, an
ALLOCATE statement is used (ALLOCATE NODE) with pointer
variable NT automatically acquiring a different value for
each NODE structure. This set of different NT pointer values
may be then kept in an array of pointers SPINE (I) (I = 1,2,
...,GUM = total number of gates) for identification of each
of the nodes in the tree.
The following statements allocate and identify a NODE
associated with Gate I
    ALLOCATE NODE;
    SPINE (I) = NT;
After the node has been allocated, it will be possible to
specifically refer to it through the qualified expression
    SPINE (I) -> NODE
Finally, whenever the NODE associated with Gate I is no longer
needed, its storage space may be released by the statements
    NT = SPINE (I);
    FREE NODE;
Another type of variable used throughout PL-MOD is the
CONTROLLED variable. These variables are similar to BASED var-
iables in that they can be dynamically allocated and released
at any time by means of the ALLOCATE and FREE statements. Never-
theless, two or more CONTROLLED variables having the same name
cannot coexist, since they are only identified by their name
and no pointer exists which locates them in the computer memory.
III.3.4. The REFER Option for Based Variables
In Chapter I, it was mentioned that the computer code
PATREC requires that fault trees be represented in binary
gate form (Figure 3.13). As a result each NODE structure in
PATREC requires the same amount of storage. In the approach
taken by PL-MOD no restriction exists on the number of gates
and component inputs that a NODE may have, and thus it is
necessary that the NODE structures in PL-MOD be made of input
arrays having a variable number of dimensions.
The REFER option for based structure variables can fulfill
such a task as illustrated by the NODE example of Figure 3.14:
AND Gate 7 consists of two gate inputs (8,9), three leaf inputs
(3,5,7) and one replicated leaf input (r-leaf) (20001). There-
fore, NODE.NAME = 7, NODE.VALUE = 1, NODE.GIN = 2, NODE.LIL =
3 and NODE.DIR = 1. Gate 7 is connected to its input gates
by means of an array variable NODE.SPIT which stores the
pointers corresponding to NODES 8 and 9 (i.e., SPINE (8) and
SPINE (9)). NODE.SPIT is then a variably dimensioned array of
pointers. Its dimension will be given by a variable (GINO) out-
side the NODE structure and its value shall be assigned to a
NODE structure variable (NODE.GIN) as required by the PL/1 REFER
option:
    DECLARE 1 NODE BASED (NT),
        2 NAME FIXED,
        2 GIN FIXED BINARY,
        2 SPIT (GINO REFER (NODE.GIN)) POINTER,
        etc.
(GINO = NODE.GIN)
[FIGURE 3.13: FAULT TREE IN BINARY GATE FORM]
[FIGURE 3.14: SAMPLE GATE NODE]
In a similar way, the set of numerical values identifying
the free leaf and r-leaf inputs of the NODE will be assigned
to NODE.TIL(LILO REFER(NODE.LIL)) and NODE.TIR(LILO REFER
(NODE.LIR)) respectively.
In addition, the pointer value locating the NODE for gate
5 will be assigned to structure variable NODE.ROOT.
The following statements allocate the required space and
assign the desired set of inputs and output connection for
NODE 7:
    DECLARE 1 NODE BASED (NT),
        2 NAME FIXED,
        2 VALUE FIXED,
        2 GIN FIXED BINARY,
        2 LIL FIXED BINARY,
        2 DIR FIXED BINARY,
        2 ROOT POINTER,  /* pointer to the NODE ROOT, assigned below */
        2 SPIT (GINO REFER (NODE.GIN)) POINTER,
        2 TIR (LIRO REFER (NODE.DIR)) FIXED,
        2 TIL (LILO REFER (NODE.LIL)) FIXED;
    /* Array extents must be set before the ALLOCATE statement */
    GINO = 2;
    LIRO = 1;
    LILO = 3;
    ALLOCATE NODE;
    SPINE (7) = NT;
    NT = SPINE (7);
    /* Free leaves, replicated leaf, gate inputs and NODE ROOT of Gate 7 */
    NODE.TIL (1) = 3;
    NODE.TIL (2) = 5;
    NODE.TIL (3) = 7;
    NODE.TIR (1) = 20001;
    NODE.SPIT (1) = SPINE (8);
    NODE.SPIT (2) = SPINE (9);
    NODE.ROOT = SPINE (5);
III.3.5. Bit String Variables
In Chapter II, it was shown how prime modular gates may
be represented by a set of Boolean state vectors each repre-
senting a cut-set member of the family of minimal cut-sets
characterizing the module structure function.
Boolean vectors can be conveniently depicted in PL/1 by
means of a string of BIT variables. A bit-string is simply
a group of binary digits (0 or 1) enclosed in single quotes
and followed by a B character (e.g., '101011'B).
A number of built-in functions and operations are provided
in PL/1 for the effective handling and manipulation of bit-
strings, as required by PL-MOD to generate a Boolean vector
representation for higher order modular gates. Thus, consider
for example the following set of controlled bit variables
DECLARE TOD BIT (LARG) CONTROLLED;
DECLARE DOTT BIT (WEST) CONTROLLED;
DECLARE KOF BIT (JUST) CONTROLLED;
DECLARE KOD BIT (JUST) CONTROLLED;
DECLARE TOG BIT (JUST) CONTROLLED;
After these variables have been allocated with dimensions
WEST = 3, LARG = 6 and JUST = LARG + WEST = 9, the following
operations and functions existing in PL/1 may be applied to
them
Repeat function:
KOD = REPEAT ('0'B, JUST) => KOD = '000000000'B
Substring pseudo-function:
SUBSTR (KOD, LARG + 1, 1) = '1'B => KOD = '000000100'B
SUBSTR (KOF, NUB + 2, 1) = '1'B => KOF = '000010000'B
Substring function:
DOTT = SUBSTR (KOD, LARG + 1, WEST) => DOTT = '100'B
Intersection (&), union (|) and complement (¬) operations:
TOG = KOF & KOD => TOG = '000000000'B
TOG = KOF | KOD => TOG = '000010100'B
TOG = ¬KOF => TOG = '111101111'B
III.4. Definition and Organization of the Procedures Used in
PL-MOD for the Modularization of Fault Trees
PL-MOD accomplishes the modularization of a fault tree by
calling a number of procedures in the following order
CALL INITIAL;
CALL TREE-IN;
FLAG = 1;
DO WHILE (FLAG ¬= 0);
CALL COALESCE;
CALL MODULA;
END;
Internal procedures TRAVEL and TRAPEL are called by pro-
cedures COALESCE and MODULA, while internal procedure BOOLEAN
is only called by MODULA.
The task performed by each of these procedures is defined
below.
INITIAL: This procedure allocates the necessary storage
space for each of the nodes in the fault tree (including NODE
space for replicated module sub-trees).
TREE-IN: Attaches to each NODE its corresponding set of
gate and component inputs, interconnects interdependent gates
having common replicated inputs and assigns to each NODE its
output gate defined to be its NODE.ROOT.
COALESCE: Collapses simple gateless NODES with their
NODE.ROOT gates if they are of the same type.
MODULA: (a) Transforms simple gateless NODES having no
replicated inputs into modular super-components and attaches
them as inputs to their NODE.ROOT gate.
(b) Transforms simple gateless NODES having replicated in-
puts into temporary NESTED modules, unless the gate is the top
event for a complete set of replicated events (i.e., a parent
gate) in which case by calling BOOLEAN it modularizes the full
set of NESTED modules into a higher order module whose inputs
are the set of replicated events and a new set of proper
modules in place of the temporary NESTED module set.
(c) Modularizes symmetric k-out-of-n gates explicitly
included in the fault tree.
Procedures COALESCE and MODULA are sequentially called
one after the other until the TOP tree event is reached, at
which time the complete fault tree will have been modularized.
TRAVEL and TRAPEL: As mentioned before, interdependent
gate NODES are interconnected to insure that only proper
modules are generated (Figure 3.15). Each interdependent gate
will in general have two interconnections leading to other
interdependent gates (e.g., NAILG4 and WHIPG4 due to repli-
cated component r1) for each replicated input it contains
(these interconnections are given the names NODE.WHIP and
NODE.NAIL).
Particular care must be taken that these interconnections
be kept each time the fault tree structure undergoes a trans-
formation enacted by the COALESCE and MODULA procedures.
Thus, whenever COALESCE collapses a simple gate containing
replicated inputs with its NODE.ROOT gate, its WHIP and NAIL
interconnections must be transferred to the NODE.ROOT gate.
Similarly when a gate with replicated inputs is temporarily
transformed into a nested module input attached to its
NODE.ROOT gate, its WHIP and NAIL connections must also be
transferred (Figure 3.16).
[FIGURE 3.15 INTERDEPENDENT GATE INTERCONNECTIONS (sub-tree example and its WHIP and NAIL connections)]
[FIGURE 3.16 TRANSFER OF GATE INTERCONNECTIONS (sub-tree example with nested modules)]
[FIGURE 3.17 INTERNAL GATE INTERCONNECTIONS (sub-tree example with nested modules)]
[FIGURE 3.18 BOOLEAN VECTOR REPRESENTATION (sub-tree example)]
Procedures TRAVEL and TRAPEL help perform this task.
TRAVEL insures that NODES attached by means of a NAIL inter-
connection to another NODE which is to be absorbed by its
NODE.ROOT gate in a COALESCE or MODULA step, are interconnected
by a NAIL interconnection to the NODE.ROOT gate. Similarly,
TRAPEL provides for the transfer of WHIP interconnections
of NODES attached to a NODE which is collapsed or modularized
by a COALESCE or MODULA step.
Notice that a set of nested modules will be complete, and
thus representable by a higher order module, when a gate has
been reached such that all its NAIL and WHIP interconnections
are internal to the gate (Figure 3.17).
BOOLEAN: Yields a minimal cut-set representation in
Boolean vector form for higher order modules.
Each state component in the Boolean vector corresponds
to either a replicated event in the domain of the set of nested
modules or a proper module derived out of one of the nested
modules (Figure 3.18).
III.5. The Pressure Tank Rupture Fault Tree Example
The operation of each of the procedures in PL-MOD will be
discussed in detail in the following sections of this chapter.
In order to clarify the discussion, at each step reference is
made to a slightly modified version of the familiar pressure
tank example due to Haasl [1]. The diagram of the system
is given in Figure 3.19.
A hazard associated with the operation of the pressure
tank system is the occurrence of a rupture of the pressure
tank. Figure 3.20 is a fault tree showing the series of
events leading to a pressure tank rupture.
The system is designed such that gas will start to be
pumped into the pressure tank if the push-button switch S1 is
actuated. This causes a flow of current in the control cir-
cuit of the system and thus activates relay coil K2. Relay
contacts K2 will then close causing the pump motor to start.
After about 20 seconds, the pressure switch contacts will
open given an excess pressure has been detected by a 2-out-of-3
pressure switch device. Contacts K2 will then open, shutting
off the motor as soon as the K2 coils have been de-energized
due to a lack of current in the control circuit. For addi-
tional safety, in case of a pressure switch malfunction, a
timer relay is set to open the circuit after 60 seconds thus
shutting off the pump motor.
In the fault tree shown, a common cause failure event
among the control circuit devices has been assumed to be the
main contribution to the secondary failure of each of the con-
trol circuit components, i.e., K1, K2 and T. Table 3.1 is a
list of all the basic fault event inputs and of their occur-
rence probability.
[FIGURE 3.19 PRESSURE TANK EXAMPLE (labels: outlet valve, sense line, infinite reservoir, pressure tank, "push S1 to start filling tank")]
[FIGURE 3.20 PRESSURE TANK RUPTURE FAULT TREE]
TABLE 3.1
PRESSURE TANK RUPTURE FAULT TREE FAILURE PROBABILITY DATA
Basic Event i   Event Description                                      Failure Rate
                                                                       (Per Loading Cycle)
1               Pressure Tank Failure                                  10^-8
2               Secondary failure of Pressure Tank                     10^-5
                Due to Improper Selection
3               Secondary failure of Pressure Tank                     10^-5
                Due to out-of-tolerance conditions
4               K2 relay contacts fail to open                         10^-5
5               S1 switch secondary failure                            10^-5
6               S1 switch contacts fail to open                        10^-5
7               External reset actuation force remains                 10^-5
                on switch S1
8               K1 relay contacts fail to open                         10^-5
9               Timer does not "time-off" due to                       10^-5
                improper setting
10              Timer relay contacts fail to open                      10^-5
11              Pressure switch not actuated by sensor 1               10^-5
12              Pressure switch not actuated by sensor 2               10^-5
13              Pressure switch not actuated by sensor 3               10^-5
Replicated      Event Description                                      Failure Rate
Event i                                                                (Per Loading Cycle)
30001           Common Cause failure among                             10^-5
                relays K1, K2 and timer T
III.6. INITIAL and TREE-IN
INITIAL: The INITIAL procedure allocates the necessary
storage for each of the NODES making up the fault tree. The
value of GUM = total number of gates in the fault tree, is
read in and arrays
SPINE(GUM) POINTER CONTROLLED;
AGIN(GUM) FIXED CONTROLLED;
ALIL(GUM) FIXED CONTROLLED;
ALIR(GUM) FIXED CONTROLLED;
BOST(GUM) POINTER CONTROLLED;
are allocated.
Array SPINE is used to store the pointer values (NT)
locating each NODE based structure. This allows that each of
the different NODE structures allocated be assigned the set
of input data corresponding to the gate they represent.
Arrays AGIN, ALIL and ALIR are used to store the number
of gate, free leaf and replicated leaf inputs each node con-
tains. Thus for the pressure tank example (Figure 3.20),
AGIN(1) = 1, ALIL(1) = 2, ALIR(1) = 0,
AGIN(2) = 1, ALIL(2) = 1, ALIR(2) = 0,
AGIN(3) = 1, ALIL(3) = 1, ALIR(3) = 1,
etc.
Finally, array BOST(GUM) will store the pointers locating
each of the proper modules to be created by PL-MOD (clearly
the number of modules to be found in a fault tree will be
less than the number of gates (GUM) in the tree).
A DO loop group follows
DO I = 1 TO GUM;
GET LIST (I, AGIN(I), ALIL(I), ALIR(I));
ZEN: ALLOCATE NODE;
SPINE (I) = NT;
END;
which allocates the space needed by each node
given the number of gate, leaf and r-leaf inputs it contains.
In addition each array variable is initialized to be zero or
NULL depending on whether the variable is a number (FIXED) or
a pointer and the pointer NT associated with the NODE repre-
senting gate I (I = 1,2,...,GUM), is assigned to SPINE (I) for
later reference.
The value of NOR = the number of dependent components is
read in and arrays
SPRING (NOR) POINTER CONTROLLED;
F (NOR) FIXED CONTROLLED;
are allocated. SPRING(K)
(K = 1,2,...,NOR) will later be used in TREE-IN to attach
the NODE.WHIP and NODE.NAIL interconnections among interdepen-
dent gates having common replicated component K as input. The
numerical variable F(K) is initialized to be zero and is later
increased by one in TREE-IN, each time replicated component K
is read in as an input to some gate in the fault tree.
TREE-IN: Once each NODE has been allocated by INITIAL,
TREE-IN proceeds to assign initial values to each NODE variable
as inferred from the node input data NODEIN which is read in.
In addition, TREE-IN finds the initial set of "gateless" nodes
which are to be processed by the set of procedures COALESCE
and MODULA.
The full NODE structure is composed of the following var-
iables
1 NODE BASED (NT),
2 TIPO FIXED,
2 NAME FIXED,
2 VALUE FIXED,
2 GINT FIXED,
2 LILT FIXED,
2 LIRT FIXED,
2 LIMD FIXED,
2 LIMT FIXED,
2 NEST FIXED,
2 WHIZ FIXED,
2 ROOT POINTER,
2 LIP POINTER,
2 LID POINTER,
2 GIN FIXED BINARY,
2 LIL FIXED BINARY,
2 DIR FIXED BINARY,
2 NAIL (LIRO REFER (NODE.DIR)) POINTER,
2 WHIP (LIRO REFER (NODE.DIR)) POINTER,
2 TIR (LIRO REFER (NODE.DIR)) FIXED,
2 SPIT (GINO REFER (NODE.GIN)) POINTER,
2 TIL (LILO REFER (NODE.LIL)) FIXED;
In Section III.3.4., variables NAME, VALUE, ROOT, GIN, LIL,
DIR, TIR, SPIT and TIL have already been defined. As explained
in Section III.4., variables NAIL and WHIP are the arrays of
pointers used for interconnecting NODES having common repli-
cated events.
The methodology employed by PL-MOD to modularize a com-
plete fault tree consists of piecewise collapsing and modu-
larizing portions of the tree. As a consequence, at the inter-
mediate stages of the modularization procedure some nodes are
taken away from the tree while others undergo changes in the
type and number of inputs they have. For this purpose, a num-
ber of variables need to be added to the NODE structure. Thus
NODE.LIP is a pointer variable used to add on to the node a
set of free leaf and r-leaf inputs which have been collapsed
into the node. These additions to the NODE are done by means
of based structure variables STIP.
NODE.LID is a pointer variable used to add on to the node
free and nested module structures. These additions are done
through based structure variables STID.
NODE.GINT equals the total number of gate inputs to the
node. Initially NODE.GINT = NODE.GIN, however, as each of the
gate inputs is either collapsed or modularized to the node,
NODE.GINT is reduced by one until it eventually equals zero
(i.e., the node has become gateless).
NODE.LILT equals the total number of free leaf inputs to
the node (initially NODE.LILT = NODE.LIL).
NODE.LIRT equals the total number of replicated inputs
to the node (initially NODE.LIRT = NODE.LIR).
NODE.LIMD measures the number of nested modules directly
attached as modular inputs to the node.
NODE.NEST measures the total number of nested modules in
the domain of the node gate, these nested modules are there-
fore directly or indirectly connected to the node.
NODE.LIMT measures the total number of free modules
attached as inputs to the node.
NODE.WHIZ is an index used by TREE-IN to keep track of the
WHIP interconnections that are being attached to the node as
the NODEIN data for each of the gates in the tree is read in.
NODE.TIPO equals 1 for every node in the tree. Its pur-
pose is to distinguish NODE structures from other structures
which are involved in the TRAVEL and TRAPEL procedures (thus
STIP.TIPO = 2, STID.TIPO = 3, MOD.TIPO = 4, AP.TIPO = 0).
The set of statements making up TREE-IN are
TREE_IN: PROC;
  ALLOCATE ELM(GUM);
  J=1;
  DO I=1 TO GUM;
    GINO=AGIN(I);
    LIRO=ALIR(I);
    LILO=ALIL(I);
    ALLOCATE NODEIN;
    GET LIST(NODEIN);
    /* echo the input data read for this gate */
    PUT EDIT('NODE',NODEIN.NAME)(SKIP(2),A(5),F(5))
            ('VALUE=',NODEIN.VALUE)(X(2),A(6),F(5))
            ('GATE INPUTS=')(X(2),A(12));
    PUT LIST(NODEIN.PIT);
    PUT EDIT('FREE LEAF INPUTS=')(X(2),A(17));
    PUT LIST(NODEIN.QTIL);
    PUT EDIT('DEP LEAF INPUTS=')(X(2),A(16));
    PUT LIST(NODEIN.QTIR);
    NT=SPINE(NODEIN.NAME);
    NODE.NAME=NODEIN.NAME;
    NODE.VALUE=NODEIN.VALUE;
    NODE.TIL=NODEIN.QTIL;
    NODE.LILT=NODEIN.LILI;
    NODE.TIR=NODEIN.QTIR;
    NODE.LIRT=NODEIN.LIRI;
    IF(NODE.LIRT=0) THEN GO TO LOCA;
    /* interconnect nodes sharing replicated inputs */
    DO LA=1 TO LIRO;
      MA=NODE.TIR(LA);
      DA=-CEIL(-MA/10000);
      JA=-CEIL(-MA/1000);
      JAK=JA-10*DA;
      NA=MA-(1000)*JA;
      F(NA)=F(NA)+1;
      IF (F(NA)¬=1) THEN GO TO LOCE;
      ELSE NODE.NAIL(LA)=NT;
      SPRING(NA)=NT;
      GO TO LOCO;
      LOCE: NODE.NAIL(LA)=SPRING(NA);
      ARI=NT;
      IF(F(NA)¬=DA) THEN GO TO AMP;
      IF(JAK¬=9) THEN GO TO LUXE;
      DO IX=1 TO IROP;
        IF (TRIM(IX)=MA) THEN GO TO LUCE;
      END;
      LUCE: ALLOCATE AP;
      PRIN(IX)=APT;
      AP.SPIT=PRIM(IX);
      PRIM(IX)->NODE.ROOT=APT;
      GO TO LUCI;
      LUXE: ALLOCATE AP;
      AP.SPIT=NULL;
      LUCI: ZA=NODE.WHIZ+1;
      NODE.WHIP(ZA)=APT;
      NODE.WHIZ=ZA;
      IF(JAK=1|JAK=2) THEN AP.REP=-DA;
      ELSE AP.REP=DA;
      AP.TIPO=0;
      AP.VALUE=0;
      AP.NAP=MA;
      PUT EDIT('DEP COMP', AP.NAP, 'APPEARANCES=', AP.REP)
              (SKIP(2),X(2),A(9),F(5),X(2),A(12),F(5));
      AMP: NT=SPRING(NA);
      ZA=NODE.WHIZ+1;
      NODE.WHIP(ZA)=ARI;
      NODE.WHIZ=ZA;
      SPRING(NA)=ARI;
      NT=ARI;
    LOCO: END;
    /* attach gate inputs and root connections */
    LOCA: NODE.GINT=NODEIN.GID;
    IF(NODE.GINT=0) THEN GO TO BOTTOM;
    DO L=1 TO GINO;
      NODE.SPIT(L)=SPINE(NODEIN.PIT(L));
      AT=NODE.SPIT(L);
      AT->NODE.ROOT=NT;
    END;
    GO TO BOTE;
    BOTTOM: ELM(J)=NT;
    J=J+1;
    BOTE: FREE NODEIN;
  END;
  BUM=J-1;
  ALLOCATE OLM(BUM);
  DO K=1 TO BUM;
    OLM(K)=ELM(K);
  END;
  FREE ELM;
  FREE AGIN;
  FREE ALIL;
  FREE ALIR;
  FREE SPINE;
  FREE SPRING;
  RETURN;
END TREE_IN;
In anticipation of the set of initial gateless nodes to
be found by TREE-IN, controlled pointer array variable ELM(GUM)
is allocated (clearly the number of initial gateless nodes in
the tree BUM is less than GUM) to store the locations of each
gateless node.
The set of values associated with each node are read in
by means of the controlled structure variable NODEIN.
1 NODEIN CONTROLLED,
2 NAME FIXED,
2 VALUE FIXED,
2 GID FIXED,
2 PIT (GINO) FIXED,
2 LILI FIXED,
2 QTIL (LILO) FIXED,
2 LIRI FIXED,
2 QTIR (LIRO) FIXED;
Thus, for our pressure tank example, the first NODEIN values
read from the input are
1 NODEIN,
2 NAME = 1,
2 VALUE = 2,
2 GID = 1, (GID = NODE.GIN)
2 PIT(1) = 2,
2 LILI = 2, (LILI = NODE.LIL)
2 QTIL(1) = 1, QTIL(2) = 2,
2 LIRI = 1, (LIRI = NODE.LIR)
2 QTIR(LIRO) = 0;
and they are passed on to the node whose pointer NT satisfies
NT = SPINE (NODEIN.NAME). Thus a correspondence exists between
NT1 = SPINE(1) and NODEIN.NAME = 1
NT2 = SPINE(2) and NODEIN.NAME = 2
etc.
Those nodes having replicated events (i.e., NODE.LIRT ≠ 0)
are processed by an internal loop (DO LA = 1 TO LIRO;) which
sets up the interconnections among interdependent nodes.
Replicated components are identified by means of a five
digit number (Table 3.2). The three lower digits are reserved
for numbering (this convention allows for a total of 999 repli-
cated events). The next digit will be zero unless the event
represents a replicated module (in which case it equals nine)
or if the replicated component is operated by a NOT gate some-
where in the tree (ON and OFF states are then distinguished by
a 1 or 2 value for the fourth digit).*
Finally, the last digit denotes the total number of times
the replicated component appears in the tree.
NOMENCLATURE
SIMPLE REPLICATED COMPONENT         A0BCD
REPLICATED MODULE                   A9BCD
DUAL REPLICATED COMPONENT    ON     A1BCD
                             OFF    A2BCD
(A = Total number of appearances)
Table 3.2 Replicated Event Nomenclature
* Replicated modules and dual state replicated components
are discussed in Sections III.11 and III.12.
Each time a replicated component is found in a new NODEa
it is connected to the previous NODEb containing the same
replicated component by a NAIL pointer (i.e., NODEa.NAIL = NTb),
while the previous NODEb is connected to the new NODEa with
a WHIP pointer (i.e., NODEb.WHIP = NTa). At the same time,
variable F(K) is increased by one each time replicated component
K is found in a NODE (K = 1,2,...,NOR). When F(K) equals the
total number of appearances for r-leaf K, a structure variable
AP is allocated
1 AP BASED (APT),
2 TIPO FIXED,
2 NAP FIXED,
2 VALUE FIXED,
2 REP FIXED,
2 SPIT POINTER;
and is interconnected by
means of a WHIP pointer to the last node including replicated
event K.
The variables making up the AP structure have the follow-
ing definitions: AP.TIPO = 0 and AP.VALUE = 0 for every AP
structure, AP.NAP = replicated input name, AP.REP = number of
appearances in the fault tree for the replicated input, AP.SPIT
= NULL for all AP structures except those associated with a
replicated module input (See Section III.11).
For the pressure tank example the following NAIL and WHIP
interconnections exist (Figure 3.20).
1 NODE BASED (NT = SPINE(3)),
2 TIPO = 1,
2 NAME = 3,
2 VALUE = 2,
2 DIR = 1,
2 NAIL(1) = SPINE(3),
2 WHIP(1) = SPINE(7),
1 NODE BASED (NT = SPINE(7)),
2 TIPO = 1,
2 NAME = 7,
2 VALUE = 2,
2 DIR = 1,
2 NAIL(1) = SPINE(3),
2 WHIP(1) = SPINE(8),
1 NODE BASED (NT = SPINE(8)),
2 TIPO = 1,
2 NAME = 8,
2 VALUE = 2,
2 DIR = 1,
2 NAIL(1) = SPINE(7),
2 WHIP(1) = APT1,
1 AP BASED (APT1),
2 TIPO = 0,
2 NAP = 30001,
2 VALUE = 0,
2 REP = 3,
2 SPIT = NULL;
Notice that the node with the first r-leaf appearance is "self-
nailed" and that the node with the last r-leaf appearance has
a whip interconnection to the AP structure corresponding to the
particular replicated leaf. This last interconnection is
needed later by BOOLEAN in order to set up a Boolean vector
representation which includes the required r-leaf inputs.
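The NAIL and WHIP chaining described above, reproduced as a Python sketch for simple replicated components. This is an added example, not code from PL-MOD or the original report; the names decode_r_leaf, link_replicated, Node and the Python AP class are assumptions of the example, and the gate list is the pressure tank data quoted in the text.

```python
from dataclasses import dataclass, field

# Gates of the pressure tank example in input order with their r-leaf inputs
# (r-leaf 30001 appears in gates 3, 7 and 8, as in the text above).
PRESSURE_TANK_R_LEAVES = [(1, []), (2, []), (3, [30001]), (4, []), (5, []),
                          (6, []), (7, [30001]), (8, [30001]), (9, [])]


def decode_r_leaf(code):
    """Split a five-digit replicated-event number (Table 3.2) into
    (total appearances A, fourth digit, three-digit event number BCD)."""
    if not 10000 <= code <= 99999:
        raise ValueError(f"{code} is not a five-digit replicated event number")
    appearances, rest = divmod(code, 10000)
    kind, number = divmod(rest, 1000)
    if kind not in (0, 1, 2, 9) or number == 0:
        raise ValueError(f"{code} is not of the form A0BCD, A9BCD, A1BCD or A2BCD")
    return appearances, kind, number


@dataclass(eq=False)
class Node:
    name: int
    nail: dict = field(default_factory=dict)  # r-leaf -> previous holder
    whip: dict = field(default_factory=dict)  # r-leaf -> next holder or AP


@dataclass(eq=False)
class AP:
    nap: int  # replicated input name
    rep: int  # number of appearances in the tree


def link_replicated(gates):
    """Build the NAIL/WHIP chain for every simple replicated component.

    gates is a list of (gate name, [r-leaf numbers]) in the order read.
    Returns (nodes by gate name, AP terminators by r-leaf number).
    """
    nodes, aps = {}, {}
    seen = {}     # appearances found so far, the role played by F(K)
    last = {}     # last node holding the event, the role played by SPRING(K)
    code_of = {}  # event number -> full five-digit code first seen
    for name, r_leaves in gates:
        node = nodes[name] = Node(name)
        for code in r_leaves:
            appearances, kind, number = decode_r_leaf(code)
            if kind != 0:
                raise ValueError("this sketch links simple replicated components only")
            if code_of.setdefault(number, code) != code:
                raise ValueError(f"event {number} is given with two different codes")
            seen[number] = seen.get(number, 0) + 1
            if seen[number] > appearances:
                raise ValueError(f"r-leaf {code} appears more than {appearances} times")
            if seen[number] == 1:
                node.nail[code] = node            # first appearance is self-nailed
            else:
                node.nail[code] = last[number]    # NAIL back to the previous node
                last[number].whip[code] = node    # WHIP forward from the previous node
            last[number] = node
            if seen[number] == appearances:       # last appearance: WHIP to the AP
                aps[code] = node.whip[code] = AP(nap=code, rep=appearances)
    incomplete = sorted(code_of[n] for n, count in seen.items()
                        if count != decode_r_leaf(code_of[n])[0])
    if incomplete:
        raise ValueError(f"replicated events with missing appearances: {incomplete}")
    return nodes, aps
```
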
Following the loop for the node interconnections, TREE-
IN proceeds to attach gate inputs and root connections to each
node with the statements
IF (NODE.GINT = 0) THEN GO TO BOTTOM;
DO L = 1 TO GINO;
NODE.SPIT(L) = SPINE(NODEIN.PIT(L));
AT = NODE.SPIT(L);
AT -> NODE.ROOT = NT;
END;
(AT is a pointer variable)
Thus, for the pressure tank example, the following con-
nections would be established:
1 NODE BASED (NT = SPINE (1)),
2 TIPO = 1,
2 NAME = 1,
2 ROOT = NULL,
2 GIN = 1,
2 SPIT(1) = SPINE(2),
1 NODE BASED (NT = SPINE (2)),
2 TIPO = 1,
2 NAME = 2,
2 ROOT = SPINE (1),
2 GIN = 1,
2 SPIT(1) = SPINE(3),
1 NODE BASED (NT = SPINE (3)),
2 TIPO = 1,
2 NAME = 3,
2 ROOT = SPINE(2),
2 GIN = 1,
2 SPIT(1) = SPINE(4),
1 NODE BASED (NT = SPINE (4)),
2 TIPO = 1,
2 NAME = 4,
2 VALUE = 1,
2 ROOT = SPINE(3),
2 GIN = 2,
2 SPIT(1) = SPINE(5), SPIT(2) = SPINE(9),
etc.
At the same time the pointers locating all gateless nodes
(i.e., NODE.GINT = 0) are singled out for storage in array ELM
BOTTOM: ELM(J) = NT;
J = J + 1;
BOTE: FREE NODEIN;
END;
And at the end of TREE-IN's main external loop (DO I = 1
TO GUM), all these pointers are transferred to pointer array
OLM(BUM).
For the pressure tank example 3 gateless nodes are initially
found, i.e.,
BUM = 3;
OLM(1) = SPINE(6);
OLM(2) = SPINE(8);
OLM(3) = SPINE(9);
Finally those controlled variables no longer needed for
the rest of the program are released
FREE ELM;
FREE AGIN;
FREE ALIL;
FREE ALIR;
FREE SPINE;
FREE SPRING;
This storage saving capability of PL/1 is used throughout
the procedures of PL-MOD.
III.7. COALESCE
Inspection of the pressure tank fault tree example indicates
that gates (G6, G7, G8) can be collapsed together with gate G5.
The COALESCE procedure, given by the following statements,
will be shown to perform this task by successively allocating
STIP structures and connecting them to the node corresponding
to gate G5.
/* COALESCE */
COALESCE: PROC;
  BUD=BUM;
  ALLOCATE OLD(BUD);
  DO K=1 TO BUD;
    OLD(K)=OLM(K);
  END;
  FREE OLM;
  M=1;
  ALLOCATE GOLM(GUM);
  LOOP_1: JO=1;
  ALLOCATE ELD(BUD);
  LOOP_2: DO I=1 TO BUD;
    CAT=OLD(I);
    DOG=CAT->NODE.ROOT;
    /* skip nodes without a root or whose root is of another gate type */
    IF (DOG=NULL) THEN GO TO SKIP;
    IF (DOG->NODE.VALUE¬=CAT->NODE.VALUE) THEN GO TO SKIP;
    /* find the end of the STIP chain already attached to the root */
    SEARCH=DOG->NODE.LIP;
    IF (SEARCH=NULL) THEN AJAX=1;
    ELSE AJAX=0;
    DO WHILE (SEARCH¬=NULL);
      SEAL=SEARCH;
      SEARCH=SEARCH->STIP.LIP;
    END;
    NT=CAT;
    LENO=NODE.LILT;
    RENO=NODE.LIRT;
    DILO=NODE.LIL;
    DIRO=NODE.DIR;
    MENO=NODE.LIMT;
    MEDO=NODE.LIMD;
    REZO=NODE.NEST;
    ALLOCATE STIP;
    STIP.TIPO=2;
    QUE=ST;
    IF (AJAX=1) THEN DOG->NODE.LIP=ST;
    ELSE SEAL->STIP.LIP=ST;
    STIP.TIL=NODE.TIL;
    /* The rest of the LOOP_2 body, up to label LEAP, is illegible in the scanned listing. */
  LEAP: END;
  FREE OLD;
  BUD=JO-1;
  IF(BUD=0) THEN GO TO ALE;
  ALLOCATE OLD(BUD);
  DO K=1 TO BUD;
    OLD(K)=ELD(K);
  END;
  FREE ELD;
  GO TO LOOP_1;
  ALE: BUG=M-1;
  ALLOCATE GOLD(BUG);
  DO K=1 TO BUG;
    GOLD(K)=GOLM(K);
  END;
  FREE GOLM;
  RETURN;
END COALESCE;
The array of initial gateless node pointers OLM(K)
(K = 1,2,...,BUD) is freed after its values have been passed
on to array OLD. And in anticipation of the set of NODES to
be modularized array GOLM is allocated.
For the pressure tank example it may be seen that once
G8 has been collapsed with G7, G7 can immediately be collapsed
with G5. Two nested loops (LOOP-1 and LOOP-2) are needed by
COALESCE to be able to deal with this type of situation. Thus,
in LOOP-2 every time the coalescing of a NODE pointed at by OLD(I)
(for some I) unfolds a new gateless node, array ELD(JO) (JO =
1,2,...,BUD) will store the pointer location for the new gateless
node. The ELD pointers then become the new set of gateless
node pointers OLD(I) (I = 1,2,...,new BUD value). And this new
set is in turn processed by LOOP-2, and so on until no gate can
be found which may be coalesced (i.e., until BUD = 0). At this
point a set of NODES located by GOLD has to be modularized by
MODULA before any further collapsing of gates is possible.
For the pressure tank example, initially array OLD con-
sists of
OLD(1) = SPINE(6);
OLD(2) = SPINE(8);
OLD(3) = SPINE(9);
The first set of iterations for LOOP-2 will find which
nodes are to be coalesced and which must be collapsed. Thus
for
I = 1: CAT = SPINE(6), DOG = SPINE(5)
=> CAT -> NODE.VALUE = DOG -> NODE.VALUE = 2
I = 2: CAT = SPINE(8), DOG = SPINE(7)
=> CAT -> NODE.VALUE = DOG -> NODE.VALUE = 2
I = 3: CAT = SPINE(9), DOG = SPINE(4)
=> CAT -> NODE.VALUE = 203 ≠ DOG -> NODE.VALUE
Therefore SPINE(9) -> NODE must be modularized, while
SPINE(6) -> NODE and SPINE(8) -> NODE should be freed and their
inputs transferred to SPINE(5) -> NODE and SPINE(7) -> NODE respec-
tively, by means of two STIP structures. STIP structures have
the following composition
1 STIP BASED(ST),
2 TIPO FIXED,
2 LIP POINTER,
2 DIL FIXED BINARY,
2 DIR FIXED BINARY,
2 NAIL(DIRO REFER(STIP.DIR)) POINTER,
2 WHIP(DIRO REFER(STIP.DIR)) POINTER,
2 TIR(DIRO REFER(STIP.DIR)) FIXED,
2 TIL(DILO REFER(STIP.DIL)) FIXED;
Variables DIL and TIL are needed for the storage of free leaf
inputs, while DIR, TIR, NAIL and WHIP handle the information
associated with r-leaf inputs including their interconnections
with other structures in the tree.
Procedures TRAVEL and TRAPEL are called by COALESCE in
order to reassign to the new STIP structure the NAIL and WHIP
interconnections other structures originally had with the node
which is replaced by the STIP structure.
For the pressure tank example the first two STIP structures
created are
1 STIP BASED(ST1),
2 TIPO = 2,
2 LIP = NULL,
2 DIL = 3,
2 DIR = 1,
2 NAIL(1) = NULL,
2 WHIP(1) = NULL,
2 TIR(1) = 0,
2 TIL(1) = 5, TIL(2) = 6, TIL(3) = 7;
1 STIP BASED(ST2),
2 TIPO = 2,
2 LIP = NULL,
2 DIL = 2,
2 DIR = 1,
2 NAIL(1) = SPINE(7),
2 WHIP(1) = APT1,
2 TIR(1) = 30001,
2 TIL(1) = 9, TIL(2) = 10;
At the same time TRAPEL transfers the WHIP interconnection of
SPINE(7) -> NODE
1 NODE BASED (NT = SPINE(7)),
2 TIPO = 1,
2 NAME = 7,
2 VALUE = 2,
2 DIR = 1,
2 NAIL(1) = SPINE(3),
2 WHIP(1) = ST2;
The two structures ST1 -> STIP and ST2 -> STIP are attached to
SPINE(5) -> NODE and SPINE(7) -> NODE respectively by the state-
ments
SEARCH = DOG -> NODE.LIP;
IF (SEARCH = NULL) THEN AJAX = 1;
IF (AJAX = 1) THEN DOG -> NODE.LIP = ST;
(Recall NODE.LIP was initialized to be NULL in INITIAL.
Similarly NODE.LID, STIP.LIP and STID.LID are also initialized
to be NULL).
Hence SPINE(5) -> NODE.LIP = ST1 and SPINE(7) -> NODE.LIP = ST2.
The STIP.LIP pointer is necessary since more than one node
may coalesce with the same NODE.ROOT. In fact, after a second
iteration through LOOP-1 gates (G5, G6, G7, G8) will be col-
lapsed together for the pressure tank rupture fault tree. The
set of gates will then be represented by
1 NODE BASED (NT = SPINE(5)),
2 TIPO = 1,
2 NAME = 5,
2 VALUE = 2,
2 GINT = 0,
2 LILT = 6,
2 LIRT = 2,
2 LIMD = 0,
2 LIMT = 0,
2 NEST = 0,
2 WHIZ = 0,
2 ROOT = SPINE(4),
2 LIP = ST1,
2 LID = NULL,
2 GIN = 2,
2 LIL = 1,
2 DIR = 1,
2 NAIL(1) = NULL,
2 WHIP(1) = NULL,
2 TIR(1) = 0,
2 SPIT(1) = NULL, SPIT(2) = NULL,
2 TIL(1) = 0;
1 STIP BASED (ST1),
2 TIPO = 2,
2 LIP = ST3,
2 DIL = 3,
2 DIR = 1,
2 NAIL(1) = NULL,
2 WHIP(1) = NULL,
2 TIR(1) = 0,
2 TIL(1) = 5, TIL(2) = 6, TIL(3) = 7;
1 STIP BASED (ST3),
2 TIPO = 2,
2 LIP = ST2,
2 DIL = 1,
2 DIR = 1,
2 NAIL(1) = SPINE(3),
2 WHIP(1) = ST2,
2 TIR(1) = 30001,
2 TIL(1) = 8;
1 STIP BASED (ST2),
2 TIPO = 2,
2 LIP = NULL,
2 DIL = 2,
2 DIR = 1,
2 NAIL(1) = ST2,
2 WHIP(1) = APT1,
2 TIR(1) = 30001,
2 TIL(1) = 9, TIL(2) = 10;
At this point gates G5 and G9 are ready to be processed by
MODULA and no more gateless nodes can be found which may be
coalesced, i.e.,
BUD = 0;
BUG = 2;
GOLD(1) = SPINE(5);
GOLD(2) = SPINE(9);
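The two-loop coalescing pass of this section, run on the pressure tank tree, as a Python sketch. This is an added example, not PL-MOD code: it models only the collapsing of same-type gates and the resulting input chain, not the WHIP and NAIL transfers done by TRAVEL and TRAPEL. The names Gate, coalesce, input_totals and pressure_tank_gates are assumptions, as are the reading of gate type 2 as OR, the type of gate 2 and the free leaves assigned to gates 2, 3 and 9; the result is returned sorted by gate name rather than in the order PL-MOD fills GOLD.

```python
from dataclasses import dataclass, field

AND, OR = 1, 2          # 1 = AND as in the Figure 3.14 example; 2 = OR is assumed
SIMPLE_TYPES = {AND, OR}  # a k-out-of-n gate (e.g. 203) is never collapsed here


@dataclass(eq=False)
class Gate:
    name: int
    value: int                  # gate type, NODE.VALUE
    root: object                # name of the output gate, None for the top gate
    gint: int                   # gate inputs not yet absorbed, NODE.GINT
    leaves: list = field(default_factory=list)    # own free leaf inputs
    r_leaves: list = field(default_factory=list)  # own replicated leaf inputs
    chain: list = field(default_factory=list)     # absorbed inputs, like the STIP chain


def pressure_tank_gates():
    """Pressure tank tree as described in the text (constructed input)."""
    rows = [
        (1, OR, None, 1, [1, 2], []),
        (2, OR, 1, 1, [3], []),          # gate type and leaf are assumed
        (3, OR, 2, 1, [4], [30001]),     # free leaf is assumed
        (4, AND, 3, 2, [], []),
        (5, OR, 4, 2, [], []),
        (6, OR, 5, 0, [5, 6, 7], []),
        (7, OR, 5, 1, [8], [30001]),
        (8, OR, 7, 0, [9, 10], [30001]),
        (9, 203, 4, 0, [11, 12, 13], []),  # leaves inferred from Table 3.1
    ]
    return {row[0]: Gate(*row) for row in rows}


def initial_gateless(gates):
    """Names of the nodes without gate inputs (the initial OLM array)."""
    return [name for name in sorted(gates) if gates[name].gint == 0]


def coalesce(gates, gateless):
    """Collapse gateless nodes into same-type roots until none is left.

    Collapsed gates are removed from `gates`; the names of the gateless
    nodes that must be modularized instead are returned, sorted.
    """
    old, gold = list(gateless), []
    while old:                                  # LOOP-1
        eld = []                                # newly gateless nodes
        for name in old:                        # LOOP-2
            cat = gates[name]
            dog = gates.get(cat.root)           # None for the top gate
            if (dog is None or dog.value != cat.value
                    or cat.value not in SIMPLE_TYPES):
                gold.append(name)               # left for MODULA
                continue
            # append the collapsed gate's own inputs, then whatever it
            # had already absorbed, to the end of the root's chain
            dog.chain.append((cat.name, cat.leaves, cat.r_leaves))
            dog.chain.extend(cat.chain)
            dog.gint -= 1
            del gates[name]
            if dog.gint == 0:
                eld.append(dog.name)
        old = eld
    return sorted(gold)


def input_totals(gate):
    """(free leaves, replicated leaves) of a gate including absorbed inputs."""
    free = len(gate.leaves) + sum(len(l) for _, l, _ in gate.chain)
    rep = len(gate.r_leaves) + sum(len(r) for _, _, r in gate.chain)
    return free, rep
```
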
III.8. MODULA
The objective of procedure MODULA, is to modularize all
those gateless nodes which cannot be further coalesced with
their root-node.
Recall that a gateless node will have WHIP and NAIL inter-
connections with other parts of the tree if the set of replica-
ted events within its domain is not complete. To allow for
this possibility, MODULA temporarily allocates a MOD structure
to represent a modularized node. A MOD structure, say MODa,
will then be transformed into a proper module (represented by
a PROP structure) only if it shows no interconnections with
other nodes in the tree. Otherwise procedures COALESCE and
MODULA will need to further transform the tree
DO WHILE (FLAG ¬= 0);
CALL COALESCE;
CALL MODULA;
END;
until a MOD structure is found con-
nected to a set of MOD structures (nested modules) including
MODa and containing in its domain a complete set of replicated
inputs.
This set of nested modules will then be given a higher
order modular representation by procedure BOOLEAN. In general
a tree will contain several complete sets of nested modules,
and each time such a set is found BOOLEAN will be called by
MODULA.
Structures MOD and PROP have the following composition
1 MOD BASED(MT),
2 TIPO FIXED,
2 NAME FIXED,
2 VALUE FIXED,
2 NEST FIXED,
2 LIM FIXED BINARY,
2 RIM FIXED BINARY,
2 RIMO FIXED BINARY,
2 MIM FIXED BINARY,
2 MID FIXED BINARY,
2 NAIL (LIRO REFER(RIMO)) POINTER,
2 WHIP (LIRO REFER(RIMO)) POINTER,
2 TIR (LIRE REFER(RIM)) POINTER,
2 TID (LIDE REFER(MID)) POINTER,
2 PIM (LIME REFER(MOD.MIM)) POINTER,
2 TIM (LIME REFER(MOD.LIM)) FIXED;
1 PROP BASED (PT),
2 TIPO FIXED,
2 ROOT POINTER,
2 REZ FIXED BINARY,
2 NAME FIXED,
2 VALUE FIXED,
2 LIM FIXED BINARY,
2 MIM FIXED BINARY,
2 HOST POINTER,
2 REL (DEL REFER (PROP.REZ)) FLOAT,
2 TIL (LILE REFER (PROP.LIM)) FIXED,
2 PIM (LIME REFER(PROP.MIM)) POINTER;
Before proceeding on to define each of the variables contained
in structures PROP and MOD, it is necessary to explain how STID
structures are used to represent MOD and PROP structures while
their root node has not been modularized.
Structure STID has the following composition
1 STID BASED (SD),
2 TIPO FIXED,
2 LID POINTER,
2 STIM FIXED,
2 LTIM POINTER,
2 DIR FIXED BINARY,
2 NAIL (DIRO REFER (STID.DIR)) POINTER,
2 WHIP (DIRO REFER(STID.DIR)) POINTER;
(STID.TIPO = 3 for all STIDs)
For every newly created PROP or MOD structure a STID structure
is allocated and attached in its place as an input to the root
node which corresponds to the MOD or PROP structure. Variables
LTIM and STIM identify the structure represented by STID i.e.,
STID.LTIM = MT for MOD structures
            PT for PROP structures
STID.STIM = MT->MOD.NAME
            PT->PROP.NAME
If STID represents a nested module (i.e., a MOD structure) then
necessarily a set of WHIP and NAIL interconnections exists
between the nested module and other gates in the tree; these
interconnections are therefore passed on from MOD to its STID
representation, i.e.,
STID.NAIL = MOD.NAIL for nested modules
            NULL for PROP modules
STID.WHIP = MOD.WHIP for nested modules
            NULL for PROP modules
Finally, STID.LID is necessary in case more than one MOD
or PROP structures are attached as inputs to a node. In
general a set of LID connections will exist of the form
1 NODE BASED (NT),
2 TIPO = 1,
2 LIP,
2 LID = SD1
1 STID BASED (SD1),
2 TIPO = 3,
2 LID = SD2
1 STID BASED (SDn),
2 TIPO = 3,
2 LID = NULL,
A description of the variables contained in structure MOD
follows:
MOD.TIPO = 4 for every MOD structure. It is needed to distin-
guish MOD from the other types of structures (STIP, STID, NODE,
AP) handled together by TRAVEL and TRAPEL.
MOD.NAME is a number identifying the gate associated with the
MOD structure (MOD.NAME = NODE.NAME).
MOD.VALUE identifies the type of gate operator associated with
the MOD structure (MOD.VALUE = NODE.VALUE).
MOD.NEST measures the total number of nested modules (MOD
structures) within the domain of the gate associated with the
MOD structure (MOD.NEST = NODE.NEST).
MOD.LIM dimensions the array of free leaf inputs attached to
MOD.
MOD.RIM dimensions the array of replicated leaf inputs attached
to MOD.
MOD.RIMO dimensions the array of WHIP and NAIL interconnections
attached to MOD (notice MOD.RIM ≠ MOD.RIMO).
MOD.MIM dimensions the array of independent module (PROP
structures) inputs attached to MOD.
MOD.MID dimensions the array of nested modules (MOD structures)
inputs directly attached to MOD (notice MOD.MID ≠ MOD.NEST).
MOD.NAIL and MOD.WHIP are the arrays of pointers intercon-
necting MOD with other parts of the tree which have replicated
inputs in common to the full domain of MOD.
MOD.TIR is the array of replicated leaf inputs attached to
MOD.
Thus MOD.PID(I) will be the pointer for the Ith nested module
input to MOD (MOD.PID(I) = MTI) and MOD.TID(I) will be the name
of the Ith nested module input (MOD.TID(I) = MTI->MOD.NAME).
Arrays MOD.PIM and MOD.TIM identify the free module inputs
attached to MOD. Thus MOD.PIM(J) is the pointer for the Jth
free module input to MOD (MOD.PIM(J) = PTJ) and MOD.TIM(J) is
the name of the Jth free module input (MOD.TIM(J) = PTJ->PROP.
NAME). MOD.TIL is the array of free leaf inputs attached to
MOD.
Procedure MODULA starts out by determining the storage
space needed to allocate a MOD structure for gateless node M
(M = 1,2,...,BUG) and assigns the values to variables MOD.VALUE,
MOD.NAME, MOD.NEST and MOD.TIPO with the following statements:
/* MODULA */
MODULA: PROC;
ALLOCATE MODUL;
IT=IT+1;
0UR(IT)=5UT:
ALLOCATE FELD(BUG);
MOu1:
DO M=1 TO BUG;
CAT=GOLD(M);
NT=CAT;
LILE=NODE.LILT;
LIRE=NODE.LIRT;
LIME=NODE.LIMT;
LIRO=NODE.LIRT;
LIDE=NODE.LIMD;
SEARCH=NODE.LID;
DO WHILE (SEARCH¬=NULL);
SEAL=SEARCH;
DIRT=SEAL->STID.DIR;
IF (DIRT=1 & SEAL->STID.NAIL(1)=NULL) THEN DIRT=0;
LIRO=LIRO+DIRT;
SEARCH=SEAL->STID.LID;
END;
IF (LILE=0) THEN LILE=1;
IF LIME=0 THEN LIME=1;
IF LIDE=0 THEN LIDE=1;
IF LIRE=0 THEN LIRE=1;
IF LIRO=0 THEN ORO=1;
ELSE ORO=0;
IF ORO=1 THEN LIRO=1;
ALLOCATE MOD;
QUEEN=MT;
MOD.TIL=0;
MOD.TIR=0;
MOD.NAIL=NULL;
MOD.WHIP=NULL;
MOD.PIM=NULL;
MOD.TIM=0;
MOD.PID=NULL;
MOD.TID=0;
MODUL.DULL(M)=MT;
MOD.VALUE=NODE.VALUE;
MOD.NAME=NODE.NAME;
MOD.NEST=NODE.NEST;
MOD.TIPO=4;
Notice that structure MOD has a number of interconnections
(WHIP(I) and NAIL(I), I = 1,2,...,LIRO) which is in general
different from the number of replicated inputs (TIR(I), I = 1,2,
...,LIRE) it contains, i.e., LIRO ≠ LIRE. This reflects the
fact that structure MOD absorbs only those inputs contained
in the structure NODE and all its connected STIP structures.
At the same time, however, MOD receives all interconnections
attached to the NODE structure as well as its STIP and STID
connected structures. This feature particular to MOD struc-
tures makes it possible to identify higher order modules con-
tained in the tree. Indeed, a MOD structure will correspond
to a higher order module only if all its interconnections are
self-contained, i.e.,
MOD.NAIL(I) = MT
and
MOD.WHIP(I) = MT or APTJ
for all I (I = 1,2,...,LIRO; J = 1,2,...,NUM; with NUM = total
number of replicated components in the domain of the higher
order module).
The next variables to be assigned values by MODULA are
MOD.TIL and MOD.TIR, which get values from the NODE structure
and the set of STIP structures connected to the NODE:
SEARS=NODE.LIP;
BIL=0;
BIR=0;
DO WHILE(SEARS¬=NULL);
ST=SEARS;
DIAL=STIP.DIL;
IF (DIAL=1 & STIP.TIL(1)=0) THEN DIAL=0;
IF DIAL=0 THEN GO TO BACH;
DO I=1 TO DIAL;
MOD.TIL(BIL+I)=STIP.TIL(I);
END;
BACH: DIAR=STIP.DIR;
IF (DIAR=1 & STIP.TIR(1)=0) THEN DIAR=0;
IF DIAR=0 THEN GO TO MACH;
DO I=1 TO DIAR;
MOD.TIR(BIR+I)=STIP.TIR(I);
END;
MACH: BIL=BIL+DIAL;
BIR=BIR+DIAR;
SEARS=SEARS->STIP.LIP;
END;
DO I=BIL+1 TO LILE;
J=I-BIL;
MOD.TIL(I)=NODE.TIL(J);
END;
DO I=BIR+1 TO LIRE;
J=I-BIR;
MOD.TIR(I)=NODE.TIR(J);
END;
At this point, once all WHIP and NAIL interconnections in struc-
ture NODE and the set of STIPs connected to the NODE are trans-
ferred to MOD, all these structures may be freed.
NIR=NODE.DIR;
IF (NIR=1 & NODE.TIR(1)=0) THEN NIR=0;
IF (NIR=0) THEN GO TO BITE;
DO NAL=1 TO NIR;
LAD=CAT->NODE.WHIP(NAL);
IF (LAD=CAT) THEN GO TO CITE;
CALL TRAVEL(LAD, QUEEN, CAT);
CITE: LAD=CAT->NODE.NAIL(NAL);
IF LAD=CAT THEN GO TO RITE;
CALL TRAPEL(LAD, QUEEN, CAT);
RITE: END;
NT=CAT;
DO K=1 TO NIR;
IF (NODE.WHIP(K)=CAT) THEN MOD.WHIP(K)=MT;
ELSE MOD.WHIP(K)=NODE.WHIP(K);
IF(NODE.NAIL(K)=CAT) THEN MOD.NAIL(K)=MT;
ELSE MOD.NAIL(K)=NODE.NAIL(K);
END;
BITE: SEARCH=NODE.LIP;
SEARS=NODE.LID;
SEAN=NODE.ROOT;
FREE NODE;
DO WHILE (SEARCH¬=NULL);
ST=SEARCH;
BAT=ST;
SIR=STIP.DIR;
IF (SIR=1 & STIP.TIR(1)=0) THEN SIR=0;
IF SIR=0 THEN GO TO BITS;
DO NAL=1 TO SIR;
LAD=BAT->STIP.WHIP(NAL);
IF (LAD=BAT) THEN GO TO CITS;
CALL TRAVEL(LAD, QUEEN, BAT);
CITS: LAD=BAT->STIP.NAIL(NAL);
IF(LAD=BAT) THEN GO TO RITS;
CALL TRAPEL(LAD, QUEEN, BAT);
RITS: END;
ST=BAT;
DO K=1 TO SIR;
IF(STIP.WHIP(K)=ST) THEN MOD.WHIP(NIR+K)=MT;
ELSE MOD.WHIP(NIR+K)=STIP.WHIP(K);
IF (STIP.NAIL(K)=ST) THEN MOD.NAIL(NIR+K)=MT;
ELSE MOD.NAIL(NIR+K)=STIP.NAIL(K);
END;
BITS: NIR=NIR+SIR;
SEARCH=SEARCH->STIP.LIP;
FREE STIP;
END;
It should be noted that before freeing structure NODE, its
pointer variable NODE.LID was assigned to variable SEARS.
Keeping this pointer will make it possible to transmit to MOD
all the values it receives from the set of STID structures
previously connected to the NODE.
A loop similar to the one used for transmitting to MOD
values from the STIP structures (DO WHILE (SEARCH ¬= NULL);)
follows for the set of STID structures
LAU=0;
PAU=0;
DO WHILE(SEARS¬=NULL);
SD=SEARS;
BAT=SD;
SIR=STID.DIR;
IF (SIR=1 & STID.NAIL(1)=NULL) THEN SIR=0;
IF SIR=0 THEN GO TO DITA;
DO NAL=1 TO SIR;
LAD=BAT->STID.WHIP(NAL);
IF(LAD=BAT) THEN GO TO CITA;
CALL TRAVEL(LAD, QUEEN, BAT);
CITA: LAD=BAT->STID.NAIL(NAL);
IF (LAD=BAT) THEN GO TO RITA;
CALL TRAPEL(LAD, QUEEN, BAT);
RITA: END;
SD=BAT;
DO K=1 TO SIR;
IF(STID.WHIP(K)=SD) THEN MOD.WHIP(NIR+K)=MT;
ELSE MOD.WHIP(NIR+K)=STID.WHIP(K);
IF(STID.NAIL(K)=SD) THEN MOD.NAIL(NIR+K)=MT;
ELSE MOD.NAIL(NIR+K)=STID.NAIL(K);
END;
NIR=NIR+SIR;
LAU=LAU+1;
MOD.TID(LAU)=STID.STIM;
MOD.PID(LAU)=STID.LTIM;
GO TO PITA;
DITA: PAU=PAU+1;
MOD.TIM(PAU)=STID.STIM;
MOD.PIM(PAU)=STID.LTIM;
PITA: SEARS=SEARS->STID.LID;
FREE STID;
END;
A STID structure will either transmit values to MOD.TIM
and MOD.PIM if it represents a PROP structure (proper module)
in which case STID includes no WHIP and NAIL interconnections,
or it will transmit values to MOD.TID and MOD.PID as well as
values to pointers MOD.WHIP and MOD.NAIL if it represents a
MOD structure (nested module).
Each STID pertaining to the set is processed by the loop
(SEARS = SEARS->STID.LID; SEARS points each time at a new
STID in the set), after which its storage is released (FREE STID;).
At this point all variables contained in the new MOD struc-
ture have been assigned their values, so MODULA can proceed now
to check whether the MOD structure created represents a
proper or a nested module.
Before allocating a MOD structure, variable ORO was used
to distinguish those gateless nodes having no replicated events
in their domain (IF (LIRO = 0) THEN ORO = 1; ELSE ORO = 0;).
The MOD structure for a gateless node having no replicated in-
puts may be immediately transformed into either a "simple"
PROP structure (Figure 3.21) or into a set of PROP structures
organized by a set of Boolean vectors characteristic of a sym-
metric (k-out-of-n) gate (Figure 3.22).
Symmetric gates are allowed to appear explicitly in the
fault tree, as long as each of their inputs is independent from
the rest of the tree (i.e., each input to the gate is either a
component or a super-component). Symmetric gate operators are
represented by a three digit number (KON). The highest digit
represents the minimum number of simultaneous failures necessary
to cause a gate failure, the middle digit is always equal to
zero, and the lowest digit represents the total number of in-
puts to the gate (thus, a node having a 2-out-of-4 gate oper-
ator has a NODE.VALUE = 204).
In the next statements MODULA considers the two possibili-
ties available for a non-replicated event MOD structure,
IF (ORO = 1 & MOD.VALUE > 2) THEN GO TO RED;
IF (ORO = 1 & MOD.VALUE <= 2) THEN GO TO HANA;
For the pressure tank example MODULA will allocate two
MOD structures. The first one (GOLD(1)) associated with gate
G5 does contain replicated events in its domain and will there-
fore be later checked on whether it represents a nested module
or the top event for a higher order module (i.e., the parent
gate for a set of nested modules).
FIGURE 3.21 SIMPLE OR AND AND GATE PROP STRUCTURES
(Ma and Mb are simple PROP structures)
FIGURE 3.22 SYMMETRIC HIGHER ORDER MODULES
YB = (YM1, YM2, YM3)
S1 = (0, 1, 1)
S2 = (1, 0, 1)
S3 = (1, 1, 0)
YB = (Yc1, Yc2, YM4, YM5)
S1 = (0, 1, 1, 1)
S2 = (1, 0, 1, 1)
S3 = (1, 1, 0, 1)
S4 = (1, 1, 1, 0)
The second MOD structure associated with gate G9 (GOLD(2))
represents a symmetric gate module and will therefore be given
its corresponding Boolean representation by procedure SYMM.
In the next section of this Chapter, the methods by which
procedures BOOLEAN and SYMM derive a Boolean representation for
higher order modules and for symmetric gate modules explicitly
included in a fault tree, are discussed.
For the pressure tank example, the following MOD structures
represent gates G5 and G9.
1 MOD BASED (MT1),
2 TIPO = 4,
2 NAME = 5,
2 VALUE = 2,
2 NEST = 0,
2 LIM = 6,
2 RIM = 2,
2 RIMO = 2,
2 MIM = 1,
2 MID = 1,
2 NAIL(1) = SPINE(3), NAIL(2) = MT1,
2 WHIP(1) = MT1, WHIP(2) = APT1,
2 TIR(1) = 30001, TIR(2) = 30001,
2 PID(1) = NULL,
2 TID(1) = 0,
2 PIM(1) = NULL,
2 TIM(1) = 0,
2 TIL(1) = 5, TIL(2) = 6, TIL(3) = 7, TIL(4) = 8,
TIL(5) = 9, TIL(6) = 10;
It may be seen that this MOD structure, associated with gate
G5, represents a nested module since the requirement MOD.NAIL
(I) = MT1 is not satisfied for I = 1.
1 MOD BASED (MT2),
2 TIPO = 4,
2 NAME = 9,
2 VALUE = 203,
2 NEST = 0,
2 LIM = 3,
2 RIM = 1,
2 RIMO = 1,
2 MID = 1,
2 NAIL(1) = NULL,
2 WHIP(1) = NULL,
2 TIR(1) = 0,
2 PID(1) = NULL,
2 TID(1) = 0,
2 PIM(1) = NULL,
2 TIM(1) = 0,
2 TIL(1) = 11, TIL(2) = 12, TIL(3) = 13;
Procedure SYMM will automatically generate the Boolean repre-
sentation for this MOD structure associated with gate G9
YB = (Yc11, Yc12, Yc13)
S1 = (1, 0, 1)
S2 = (0, 1, 1)
S3 = (1, 1, 0)
and these vectors will be attached to the PROP structure
representing gate G9 (see section III.9.2).
The set of statements outlined below form the final part
of the MODULA procedure. The tasks they perform include
(a) Testing if a MOD structure containing replicated com-
ponents represents a nested or a higher order module.
(b) Calling procedures BOOLEAN and SYMM to generate mini-
mal cut-set representations for higher order and explicitly
symmetric modules.
(c) Allocating PROP structures for those MOD structures
which include no replicated events.
(d) Allocating STID structures to represent PROP and MOD
structures and attaching them to NODE structures in the fault
tree.
IF (ORO=1 & MOD.VALUE>2) THEN GO TO RED;
IF (ORO=1 & MOD.VALUE<=2) THEN GO TO HANA;
SUM=0;
IR=1;
ALLOCATE GUT;
NOX=0;
DO CAP=1 TO LIRO;
VIC=MOD.NAIL(CAP);
IF(VIC¬=MT) THEN GO TO DANA;
VIT=MOD.WHIP(CAP);
IF (VIT¬=MT & VIT->NODE.TIPO¬=0) THEN GO TO DANA;
IF (VIT->NODE.TIPO¬=0) THEN GO TO SANA;
REV=VIT->REP;
IF (REV<0) THEN DO;
NOX=1;
SUM=SUM-REV;
MA=VIT->NAP;
DA=-CEIL(-MA/10000);
JA=-CEIL(-MA/1000);
NA=MA-(1000)*JA;
GUT(IR)=10000*DA+1000+NA;
GUT(IR+1)=GUT(IR)+1000;
IR=IR+2;
END;
ELSE DO;
SUM=SUM+REV;
GUT(IR)=VIT->NAP;
IR=IR+1;
END;
SANA: END;
PUT EDIT('TOTAL SUM REP=',SUM)
(SKIP(2),X(2),A(14),F());
NUM=IR-1;
ALLOCATE PUT;
DO I=1 TO NUM;
PUT(I)=GUT(I);
END;
FREE GUT;
CALL BOOLEAN;
CANA: DIRO=1;
ALLOCATE STID;
SEARS=SD;
STID.NAIL=NULL;
STID.WHIP=NULL;
STID.LID=NULL;
STID.STIM=STORK->PROP.NAME;
STID.LTIM=STORK;
MT=MODUL.DULL(M);
FREE MOD;
IF (SEAN=NULL) THEN GO TO REAL;
IF SEAN->NODE.TIPO=1 THEN GO TO CANX;
APT=SEAN;
AP.SPIT=STORK;
STORK->PROP.ROOT=SEAN;
GO TO REAP;
CANX: NT=SEAN;
NODE.LIMT=NODE.LIMT+1;
SIERRA=NODE.LID;
IF (SIERRA=NULL) THEN NODE.LID=SEARS;
ELSE GO TO ZEAL;
GO TO VEAL;
RED: NUB=MOD.LIM;
IF(NUB=1 & MOD.TIL(1)=0) THEN NUM=0;
ELSE NUM=NUB;
WEST=MOD.MIM;
IF(WEST=1 & MOD.PIM(1)=NULL) THEN NEZT=0;
ELSE NEZT=WEST;
ALLOCATE PER;
PER.TAR=MOD.TIL;
PER.KIM=MOD.PIM;
PER.JIM=MOD.TIM;
LOST=PR;
LILE=1;
LIME=1;
ALLOCATE PROP;
PROP.TIPO=5;
IB=IB+1;
STORK=PT;
BOST(IB)=STORK;
DO L=1 TO WEST;
AT=PER.KIM(L);
IF (AT¬=NULL) THEN AT->PROP.ROOT=STORK;
END;
PROP.NAME=MOD.NAME;
PROP.VALUE=MOD.VALUE;
PROP.TIL=0;
PROP.TIM=0;
PROP.PIM=NULL;
PUT EDIT ('SYMM MODULE NAME=',PROP.NAME,'VALUE=',
PROP.VALUE) (SKIP(2),A(17),F(5),X(2),A(6),F(5));
PROP.HOST=LOST;
LARG=NUM+NEZT;
KAY=(PROP.VALUE-LARG)/100;
CALL SYMM;
LOST->HECTOR=QUEEN;
PUT EDIT ('DEP COMPS=') (SKIP(1),A(10));
PUT LIST(PER.TAR);
PUT EDIT ('DEP MODS=') (SKIP(1),A(9));
PUT LIST (PER.JIM);
PUT EDIT ('MINIMAL CUT SETS') (SKIP(2),X(12),A(16));
VIT=PER.HECTOR;
DO WHILE (VIT¬=NULL);
VIC=VIT;
PUT EDIT (VIC->COMP) (SKIP(1),B);
VIT=VIC->FLOOR;
END;
GO TO CANA;
HANA: LILE=MOD.LIM;
LIME=MOD.MIM;
ALLOCATE PROP;
PROP.TIPO=5;
STORK=PT;
PROP.HOST=NULL;
PROP.NAME=MOD.NAME;
PROP.VALUE=MOD.VALUE;
PROP.TIL=MOD.TIL;
PROP.TIM=MOD.TIM;
PROP.PIM=MOD.PIM;
ARI=PT;
DO L=1 TO LIME;
AT=PROP.PIM(L);
IF (AT¬=NULL) THEN AT->PROP.ROOT=ARI;
END;
PUT EDIT ('FREE MODULE NAME=', PROP.NAME,'VALUE=',
PROP.VALUE, 'NUM LEAF INP=', PROP.LIM, 'NUM MOD INP=',
PROP.MIM)
(SKIP(2),A(19),F(5),X(2),A(6),F(5),X(2),A(13),F(5),X(2),A(12),
F(5));
PUT EDIT ('LEAF INS=') (SKIP(1),A(9));
PUT LIST(PROP.TIL);
PUT EDIT('MOD INS=') (SKIP(1),A(8));
PUT LIST (PROP.TIM);
IB=IB+1;
BOST(IB)=PT;
FREE MOD;
DIRO=1;
ALLOCATE STID;
SEARS=SD;
STID.NAIL=NULL;
STID.WHIP=NULL;
STID.LID=NULL;
STID.STIM=BOST(IB)->PROP.NAME;
STID.LTIM=BOST(IB);
IF (SEAN=NULL) THEN GO TO REAL;
IF (SEAN->NODE.TIPO=1) THEN GO TO HANM;
APT=SEAN;
AP.SPIT=STORK;
STORK->PROP.ROOT=SEAN;
GO TO REAP;
HANM: NT=SEAN;
NODE.LIMT=NODE.LIMT+1;
SIERRA=NODE.LID;
IF(SIERRA=NULL) THEN NODE.LID=SEARS;
ELSE GO TO ZEAL;
GO TO VEAL;
DANA: DIRO=MOD.RIMO;
ALLOCATE STID;
STID.TIPO=3;
SEARS=SD;
STID.STIM=MOD.NAME;
VIC=MODUL.DULL(M);
MT=VIC;
STID.LTIM=VIC;
PUT EDIT('NESTID=',STID.STIM)
The set of statements following label HANA creates PROP struc-
tures which represent simple gate modules. Variables PROP.
NAME, PROP.VALUE, PROP.LIM, PROP.MIM, PROP.TIL, PROP.TIM and
PROP.PIM have the same meaning and are therefore assigned the
same values formerly associated with the MOD structure for the
gate, i.e.,
PROP.NAME = MOD.NAME
PROP.PIM(J) = MOD.PIM(J) (J = 1,2,...,MIM)
etc.
(PROP.TIPO = 5 for all PROP structures)
In the numerical evaluation to be performed later by PL-MOD,
modular occurrence probabilities and Vesely-Fussell importances
will be computed. These values shall be stored for each PROP
structure in PROP.REL(1) and PROP.REL(2) (thus parameter DEL
must be set equal to 2).
Pointer variable PROP.HOST is only needed to attach to a
parent gate the Boolean vector representation for its higher
order symmetric or asymmetric structure. Therefore, PROP.HOST =
NULL for the case of simple gate modules.
Inspection of the DO loop (DO CAP = 1 TO LIRO;) used to
test if a MOD structure represents a higher order module or a
nested module, reveals that nested modules are handled by the
set of statements following label DANA. MOD structures repre-
senting nested modules may not be immediately freed. There-
fore for this case the STID structure created locates a MOD
structure and it contains the WHIP and NAIL interconnections
which were passed on by MOD to the STID structure.
Both higher order modules and explicitly symmetric modules
are handled by the statements following label CANA. However
this is done only after they were previously processed by
BOOLEAN or SYMM respectively.
In all cases, whether the STID represents a PROP structure
(simple gate module, or higher order parent module) or a MOD
structure (nested module), it is attached as a pseudo-component
to its node root (SEAN = CAT->NODE.ROOT). This therefore re-
sults in a decrease in the number of gates which are input to
the nodes which are roots to the modularized gates (FRED: NODE.
SPIT(J) = NULL; NODE.GINT = NODE.GINT-1;). Hence a number of
new gateless nodes (OLM(BUM)) will be found to which procedures
COALESCE and MODULA may be then applied.
III.9 BOOLEAN and SYMM
III.9.1. Description of Higher Order Modules by Means of
PROP, PER and VECTOR Structures.
In its final form the modular structure for a fault tree
will be given by a set of PROP structures each of them con-
taining a set of basic events (free leaf and replicated leaf
components) and proper modules (PROP structures) as inputs.
For the case of simple modular gates (Figure 3.23) each
input holds the same structural relation to its gate oper-
ator. Therefore a listing of the inputs to the PROP struc-
ture together with the gate operator (AND, OR) coupling the
inputs, will completely define the module. Thus, the PROP
structure
1 PROP BASED (PT14),
2 TIPO = 5,
2 REZ = 2,
2 ROOT = PT15,
2 NAME = 14,
2 VALUE = 2,
2 LIM = 2,
2 MIM = 3,
2 HOST = NULL,
2 REL(2) FLOAT,
2 TIL(1) = 10, TIL(2) = 11,
2 TIM(1) = 13, TIM(2) = 12, TIM(3) = 11,
2 PIM(1) = PT13, PIM(2) = PT12, PIM(3) = PT11;
uniquely defines module M14 = {c10, c11, M11, M12, M13; U}, with
module M14 included as an input to module M15.
FIGURE 3.23 SIMPLE GATE MODULE
FIGURE 3.24 HIGHER ORDER MODULE
However, for the case of a higher order modular gate,
all its inputs do not hold the same relation with the parent gate
operator. Thus, consider the higher order module shown
in Figure 3.24 (the pressure tank fault tree example shall
later be shown to have a structure similar to that of Figure
3.24). Because of the appearance of replicated input r1 in
gates G1 and G5, gates G1, G4 and G5 do not correspond to
simple gate modules representable by a PROP structure. Instead,
each of these gates can be seen to be composed of a proper and
an improper part
                 Proper Part   Improper Part
Parent Gate G1   Ma            r1, G4
Nested Gate G4   Mb            G5
Nested Gate G5   Mc            r1
The higher order module representing this fault tree may
now be constructed by taking the proper part for each gate in
the structure, as well as the replicated events which provide
for the interdependency among the gates, i.e.,
G1 (r1, M1, M4, M5)
where Mi denotes the proper part for each of the gates in the
higher order module. Hence M1 = Ma, M4 = Mb, M5 = Mc.
The Boolean vector describing the minimal cut-set compo-
sition for the higher order module will then be
YB = (Yr1, YM1, YM4, YM5) and as a result the
minimal cut-sets will be represented by
S1 = (0, 1, 0, 0)
S2 = (1, 0, 0, 0)
S3 = (0, 0, 1, 1)
From this it follows that a higher order module may be
described by a set of PROP structures associated with the
proper part of the parent and nested module gates, together
with a set of replicated events and a series of Boolean vectors
denoting each of the minimal cut-sets for the module.
The approach taken by the procedures BOOLEAN and SYMM
is to attach this minimal cut-set information to the PROP
structure associated with the parent gate (pointer variable
PROP.HOST is used for this purpose). Thus, for the example
given in Figure 3.24, the parent gate G1 is represented by a
PROP1 structure containing information on its proper part M1.
In addition a structure PER will be attached to PROP1 contain-
ing the information on the structural composition of the higher
order module whose parent gate is G1, that is, PROP1.HOST = PR1
with PR1 locating a based structure PER.
Structure PER has the following composition
1 PER BASED (PR),
2 REZ FIXED BINARY,
2 HECTOR POINTER,
2 DEXTER POINTER,
2 RAM FIXED BINARY,
2 REL(DEL REFER (PER.REZ)) FLOAT,
2 TAR (NUM REFER(PER.RAM)) FIXED,
2 KIM (WEST REFER (PER.LEAL)) POINTER,
2 JIM (WEST REFER(PER.LEAL)) FIXED;
The variables contained in PER are defined as follows:
PER.REZ dimensions array PER.REL which is used to store the
reliability and importance information for the higher order
module (normally DEL = 2 => PER.REZ = 2).
PER.HECTOR is the pointer locating the list of VECTOR struc-
tures each defining a minimal cut-set for the higher order
module.
VECTOR structures are defined by
1 VECTOR BASED (VT),
2 LORO FIXED BINARY,
2 FLOOR POINTER,
2 COMP BIT (LARG REFER (VECTOR.LORO));
The set of minimal cut-sets is then attached by PER.HECTOR =
VT1, VT1->VECTOR.FLOOR = VT2, ..., VTn->VECTOR.FLOOR = NULL,
with VECTOR.COMP holding the Boolean bit-string representation
for a minimal cut-set.
PER.DEXTER is a pointer locating a structure QER derived by
procedure IMPORTANCE (see sections 3.15 and 3.16).
PER.RAM dimensions array PER.TAR which stores the number of
variables identifying each of the replicated event inputs to
the higher order module.
PER.LEAL dimensions arrays PER.KIM and PER.JIM. PER.LEAL equals
the total number of nested modules in the domain of the parent
gate.
PER.KIM contains the pointer locating the PROP structures
associated with each nested module, while PER.JIM
contains the number variable identifying the structure (i.e.,
PER.KIM(I)->PROP.NAME = PER.JIM(I), I = 1,2,...,PER.LEAL).
Thus, the PER and VECTOR structures describing the higher
order modular structure of Figure 3.24 are
1 PER BASED (PR = PT ),
2 REZ = 2,
2 HECTOR = VT1,
2 DEXTER POINTER,
2 RAM = 1,
2 LEAL = 2,
2 REL(2) FLOAT,
2 TAR(1) = 20001,
2 KIM(1) = PT4, KIM(2) = PT5,
2 JIM(1) = 4, JIM(2) = 5;
1 VECTOR BASED (VT1),
2 LORO = 4,
2 FLOOR = VT2,
2 COMP = '0100'B;
1 VECTOR BASED (VT2),
2 LORO = 4,
2 FLOOR = VT3,
2 COMP = '1000'B;
1 VECTOR BASED (VT3),
2 LORO = 4,
2 FLOOR = NULL,
2 COMP = '0011'B;
(With PT1, PT4 and PT5 locating the PROP structures
corresponding to gates G1, G4 and G5.)
III.9.2. Procedure SYMM
When a fault tree diagram explicitly includes a sym-
metric higher order module, procedure SYMM will be used to
generate its Boolean vector representation. A restriction
imposed by PL-MOD is that the inputs to the symmetric gate
be either non-replicated basic events or modules (Figure 3.25).
Before procedure SYMM is called, the PROP and PER
structure associated with the symmetric gate are created by a
set of statements following label RED.
RED: NUB=MOD.LIM;
IF(NUB=1 & MOD.TIL(1)=0) THEN NUM=0;
ELSE NUM=NUB;
WEST=MOD.MIM;
IF(WEST=1 & MOD.PIM(1)=NULL) THEN NEZT=0;
ELSE NEZT=WEST;
ALLOCATE PER;
PER.TAR=MOD.TIL;
PER.KIM=MOD.PIM;
PER.JIM=MOD.TIM;
LOST=PR;
LILE=1;
LIME=1;
ALLOCATE PROP;
PROP.TIPO=5;
IB=IB+1;
STORK=PT;
BOST(IB)=STORK;
DO L=1 TO WEST;
AT=PER.KIM(L);
IF (AT¬=NULL) THEN AT->PROP.ROOT=STORK;
END;
PROP.NAME=MOD.NAME;
PROP.VALUE=MOD.VALUE;
PROP.TIL=0;
PROP.TIM=0;
PROP.PIM=NULL;
PUT EDIT ('SYMM MODULE NAME=',PROP.NAME,'VALUE=',
PROP.VALUE) (SKIP(2),A(17),F(5),X(2),A(6),F(5));
PROP.HOST=LOST;
LARG=NUM+NEZT;
KAY=(PROP.VALUE-LARG)/100;
CALL SYMM;
FIGURE 3.25 EXPLICITLY SYMMETRIC MODULAR GATE
Inputs c1, c2, ..., cr, M1, M2, ..., Ms (r + s = n)
MOD.TIL(1) -> c1, ..., MOD.TIL(r) -> cr
MOD.TIM(1) -> M1, ..., MOD.TIM(s) -> Ms
LOST->HECTOR=QUEEN;
PUT EDIT ('DEP COMPS=') (SKIP(1),A(10));
PUT LIST(PER.TAR);
PUT EDIT ('DEP MODS=') (SKIP(1),A(9));
PUT LIST (PER.JIM);
PUT EDIT ('MINIMAL CUT SETS') (SKIP(2),X(12),A(16));
VIT=PER.HECTOR;
DO WHILE (VIT¬=NULL);
VIC=VIT;
PUT EDIT (VIC->COMP) (SKIP(1),B);
VIT=VIC->FLOOR;
END;
GO TO CANA;
It should be noticed here that for a symmetric gate,
the role played by its free leaf inputs corresponds to that
of the replicated inputs for a higher order module since
PER.TAR(I) = MOD.TIL(I), I = 1,...,MOD.LIM
At the same time its modular inputs (MOD.TIM(J)) will play
the role which corresponds to the nested gate PROP structures
for a higher order module since
PER.KIM(J) = MOD.PIM(J), J = 1,...,MOD.MIM
PER.JIM(J) = MOD.TIM(J)
As a result the PROP structure associated with a sym-
metric gate will have no direct inputs (PROP.TIL = 0, PROP.
TIM = 0).
For the pressure tank fault tree example gate G9 is a
2-out-of-3 symmetric gate. Its MOD structure was given in
section III.8 as
1 MOD BASED (MT2),
2 TIPO = 4,
2 NAME = 9,
2 VALUE = 203,
2 NEST = 0,
2 LIM = 3,
2 RIM = 1,
2 RIMO = 0,
2 MID = 1,
2 NAIL(1) = NULL,
2 WHIP(1) = NULL,
2 TIR(1) = 0,
2 PID(1) = NULL,
2 TID(1) = 0,
2 PIM(1) = NULL,
2 TIM(1) = 0,
2 TIL(1) = 11, TIL(2) = 12, TIL(3) = 13;
So for this particular example the Boolean state vector includes
no modular inputs (since MOD.TIM = 0) but only basic component
events (MOD.TIL(I), I = 1,2,3).
The PROP and PER structures associated with gate G9 are
1 PROP BASED (PT1),
2 TIPO = 5,
2 REZ = 2,
2 ROOT POINTER,
2 NAME = 9,
2 VALUE = 203,
2 LIM = 1,
2 MIM = 1,
2 HOST = PR1,
2 REL(2) FLOAT,
2 TIL(1) = 0,
2 TIM(1) = 0,
2 PIM(1) = NULL;
(PROP.ROOT will later be assigned the pointer locating the
PROP structure for gate G4.)
1 PER BASED (PR1),
2 REZ = 2,
2 HECTOR POINTER,
2 DEXTER POINTER,
2 RAM = 3,
2 LEAL = 1,
2 REL(2) FLOAT,
2 TAR(1) = 11, TAR(2) = 12, TAR(3) = 13,
2 KIM(1) = NULL,
2 JIM(1) = 0;
Procedure SYMM, outlined by the statements given below,
will generate the set of VECTOR structures for a symmetric gate
given the values of LARG = NUM + NEZT and KAY = (PROP.VALUE -
LARG)/100.
/* SYMMETRIC */
SYMM: PROC;
ALLOCATE SOF;
ALLOCATE TOD;
ALLOCATE VECTOR;
QUEEN=VT;
SOF=REPEAT('0'B,LARG);
SUBSTR(SOF,LARG,1)='1'B;
VECTOR.COMP=SOF;
LADY=VT;
DO I=1 TO LARG-3;
ALLOCATE VECTOR;
LADY->FLOOR=VT;
LADY=VT;
SOF=REPEAT('0'B,LARG);
SUBSTR(SOF,LARG-I,1)='1'B;
VECTOR.COMP=SOF;
END;
ALLOCATE VECTOR;
LADY->FLOOR=VT;
VECTOR.FLOOR=NULL;
SOF=REPEAT('0'B,LARG);
SUBSTR(SOF,2,1)='1'B;
VECTOR.COMP=SOF;
Up to here, SYMM has created a set of LARG-1 vectors
which contain a single '1' bit component. Consider for example
a 3-out-of-5 symmetric gate; then PROP.VALUE = 305, LARG = 5 =>
KAY = 3 and the vectors created are
1 VECTOR BASED (VT1),
2 LORO = 5,
2 FLOOR = VT2,
2 COMP = '00001'B;
(QUEEN = VT1)
1 VECTOR BASED (VT2),
2 LORO = 5,
2 FLOOR = VT3,
2 COMP = '00010'B;
1 VECTOR BASED (VT3),
2 LORO = 5,
2 FLOOR = VT4,
2 COMP = '00100'B;
1 VECTOR BASED (VT4),
2 LORO = 5,
2 FLOOR = NULL,
2 COMP = '01000'B;
The minimal cut-sets for the 3-out-of-5 gate are then found
by adding '1' bits in any position to the left of the place
where the first '1' bit is found, and by successively repeating
this operation KAY-1 times, requiring that each final vector
include a total of KAY (=3) bits.
Initial Vectors
'00001'B
'00010'B
'00100'B
'01000'B
Vectors After 1st Iteration
'00011'B
'00101'B
'01001'B
('10001'B)   Cancelled out
'00110'B
'01010'B
('10010'B)   Cancelled out
'01100'B
('10100'B)   Cancelled out
('11000'B)   Cancelled out
Minimal cut-set vectors found after 2nd iteration
'00111'B
'01011'B
'10011'B
'01101'B
'10101'B
'11001'B
'01110'B
'10110'B
'11010'B
'11100'B
The following DO loop performs this operation (function
INDEX(VECTOR.COMP,'1'B) yields the position of the first
element of the string matching substring '1'B, e.g.,
INDEX('01101'B,'1'B) = 2).
DO I=2 TO KAY;
  LADY=QUEEN;
  DO WHILE (LADY¬=NULL);
    ST1: VT=LADY;
    J=INDEX(VECTOR.COMP,'1'B);
    IF J=1 THEN DO;
      IF LADY=QUEEN THEN DO;
        QUEEN=LADY->FLOOR;
        FREE VECTOR;
        LADY=QUEEN;
      END;
      ELSE DO;
        MOAN->FLOOR=LADY->FLOOR;
        FREE VECTOR;
        LADY=MOAN->FLOOR;
      END;
    END;
    ELSE DO;
      TOD=VECTOR.COMP;
      DO L=1 TO J-1;
        ALLOCATE VECTOR;
        IF L=1 THEN KING=VT;
        ELSE PAWN->FLOOR=VT;
        SOF=REPEAT('0'B,LARG);
        SUBSTR(SOF,L,1)='1'B;
        VECTOR.COMP=SOF|TOD;
        PAWN=VT;
        PAWN->FLOOR=NULL;
      END;
      IF LADY=QUEEN THEN DO;
        QUEEN=KING;
        PAWN->FLOOR=LADY->FLOOR;
        MOAN=PAWN;
        LADY=PAWN->FLOOR;
      END;
      ELSE DO;
        MOAN->FLOOR=KING;
        PAWN->FLOOR=LADY->FLOOR;
        MOAN=PAWN;
        LADY=PAWN->FLOOR;
      END;
    END;
  END;
END;
FREE SOF;
FREE TOD;
END SYMM;
/* END OF SYMMETRIC */
For the pressure tank fault tree, procedure SYMM will thus
yield the following vectors associated with gate G9.
1 VECTOR (VT1),
2 LORO = 3,
2 FLOOR = VT2,
2 COMP = '011'B;
1 VECTOR (VT2),
2 LORO = 3,
2 FLOOR = VT3,
2 COMP = '101'B;
1 VECTOR (VT3),
2 LORO = 3,
2 FLOOR = NULL,
2 COMP = '110'B;
with PR1->PER.HECTOR = VT1.
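The SYMM walk-through above, restated as an added Python example (not PL-MOD code): bit strings stand in for the linked VECTOR structures, and the function names are illustrative. The KAY = 1 branch and the decoding of PROP.VALUE as 100*KAY + LARG for LARG below 100 are assumptions made here from the 305 and 203 examples.

```python
from itertools import combinations


def one_bit(larg, pos):
    """Bit string of length LARG with a single '1' at 1-based position pos."""
    return "0" * (pos - 1) + "1" + "0" * (larg - pos)


def symm_initial_vectors(larg):
    """The LARG-1 single-bit vectors SYMM allocates first (positions LARG down to 2)."""
    return [one_bit(larg, pos) for pos in range(larg, 1, -1)]


def symm_iterate(vectors):
    """One pass of the DO I=2 TO KAY loop over the current vector chain."""
    out = []
    for comp in vectors:
        j = comp.index("1") + 1            # PL/I INDEX(VECTOR.COMP,'1'B), 1-based
        if j == 1:
            continue                        # no room to the left: cancelled out
        for l in range(j - 1, 0, -1):       # nearest position first, as the text lists them
            out.append(comp[:l - 1] + "1" + comp[l:])
    return out


def symmetric_gate_cut_sets(larg, kay):
    """Minimal cut-set vectors of a KAY-out-of-LARG symmetric gate."""
    if not 1 <= kay <= larg:
        raise ValueError("need 1 <= KAY <= LARG")
    if kay == 1:
        # Assumption: a 1-out-of-n gate is an OR gate, every single input is a cut set.
        return [one_bit(larg, pos) for pos in range(larg, 0, -1)]
    vectors = symm_initial_vectors(larg)
    for _ in range(kay - 1):
        vectors = symm_iterate(vectors)
    return vectors


def decode_value(value):
    """Split a symmetric gate VALUE such as 305 or 203 into (LARG, KAY)."""
    kay, larg = divmod(value, 100)
    return larg, kay


def all_k_subsets(larg, kay):
    """Reference answer: every bit string of length LARG with exactly KAY ones."""
    return {
        "".join("1" if i in chosen else "0" for i in range(larg))
        for chosen in combinations(range(larg), kay)
    }


if __name__ == "__main__":
    for value in (305, 203):
        larg, kay = decode_value(value)
        print(value, symmetric_gate_cut_sets(larg, kay))
```
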
III.9.3. Procedure BOOLEAN
The generation of a Boolean vector representation for a
higher order module, composed of a set of replicated events and
nested modules, is a quite complicated task as compared with
that of finding a Boolean representation for an explicitly
symmetric gate. PL-MOD's capability of handling higher order
symmetric gates (Figure 3.26) in an explicit fashion is therefore
a very desirable feature, since considerable savings will
result by using this option for the analysis of systems
containing a large number of symmetric redundancies.
In general, however, fault trees will be composed of
higher order modules whose structural composition needs to be
found. For these cases it will be necessary to call upon
BOOLEAN to generate a minimal cut-set representation for the
higher order module.
Consider the pressure tank fault tree example. Up to
this point it has been shown how PL-MOD internally represents
gate G9 as a PROP structure (PT1->PROP) and gate G5 as a
nested MOD structure (MT1->MOD). The following set of internal
transformations still need to be performed by PL-MOD before
the modularization for the full tree has been completed:
(a) G5 and G9 become nested module (MOD) and proper module
(PROP) entries to a MOD structure associated with G4
1 MOD BASED (MT3),
2 TIPO = 4,
2 NAME = 4,
2 VALUE = 1,
2 NEST = 1,
2 LIM = 1,
2 RIM = 1,
2 RIMO = 2,
2 MIM = 1,
2 MID = 1,
2 NAIL(1) = SPINE(3), NAIL(2) = MT3,
2 WHIP(1) = MT3, WHIP(2) = APT1,
2 TIR(1) = 0,
2 PID(1) = MT1,
2 TID(1) = 5,
2 PIM(1) = PT1,
2 TIM(1) = 9,
2 TIL(1) = 0;
FIGURE 3.26 SYMMETRIC HIGHER ORDER MODULES (explicit form and implicit form, i = 1,2,3)
Since MOD.NAIL(I) = MT3 is not satisfied for I = 1, gate
G4 does not correspond to a higher order module, so structures
MT1->MOD (given in Section III.8) and MT3->MOD must be kept in
the same form until the parent gate for the higher order module
to which they belong is found (Figure 3.27).
(b) G3 will become a gateless node once G4 is attached to
it as a STID structure. Furthermore, since gates G1, G2 and
G3 are all of the same type, procedure COALESCE will collapse
them together (Figure 3.28). The NODE structure representing
G1 will then be given by
1 NODE BASED (VT = SPINE(1)),
2 TIPO = 1,
2 NAME = 1,
2 VALUE = 2,
2 GINT = 0,
2 LILT = 4,
2 LIRT = 1,
2 LIMD = 1,
2 LIMT = 0,
2 NEST = 2,
2 WHIZ = 1,
2 ROOT = NULL,
2 LIP = ST4,
2 LID = SD2,
2 GIN = 1,
2 LIL = 2,
2 DIR = 1,
2 NAIL(1) = NULL,
2 WHIP(1) = NULL,
2 TIR(1) = 0,
2 SPIT(1) = NULL,
2 TIL(1) = 1, TIL(2) = 2;
FIGURE 3.27 PRESSURE TANK FAULT TREE WITH GATES G4, G5, G9 MODULARIZED
FIGURE 3.28 PRESSURE TANK FAULT TREE WITH GATES G4, G5 AND G9 MODULARIZED AND GATES G1, G2, G3 COALESCED
And the set of STIP and STID structures attached to the NODE
are
1 STIP BASED (ST4),          (Represents gate G2)
2 TIPO = 2,
2 LIP = ST5,
2 DIL = 1,
2 DIR = 1,
2 NAIL(1) = NULL,
2 WHIP(1) = NULL,
2 TIR(1) = 0,
2 TIL(1) = 3;
1 STIP BASED (ST5),          (Represents gate G3)
2 TIPO = 2,
2 LIP = NULL,
2 DIL = 1,
2 DIR = 1,
2 NAIL(1) = ST5,
2 WHIP(1) = SD2,
2 TIR(1) = 30001,
2 TIL(1) = 4;
1 STID BASED (SD2),          (Represents gate G4)
2 TIPO = 3,
2 LID = NULL,
2 STIM = 4,
2 LTIM = MT3,
2 DIR = 2,
2 NAIL(1) = ST5, NAIL(2) = SD2,
2 WHIP(1) = SD2, WHIP(2) = APT1;
(c) Procedure MODULA will then create a MOD structure
to represent SPINE(1) NODE including its attached STID and
STIP structures
1 MOD BASED (MT4),
2 TIPO = 4,
2 NAME = 1,
2 VALUE = 2,
2 NEST = 2,
2 LIM = 4,
2 RIM = 1,
2 RIMO = 3,
2 MIM = 1,
2 MID = 1,
2 NAIL(1) = MT4, NAIL(2) = MT4, NAIL(3) = MT4,
2 WHIP(1) = MT4, WHIP(2) = MT4, WHIP(3) = APT1,
2 TIR(1) = 30001,
2 PID(1) = MT3,
2 TID(1) = 4,
2 PIM(1) = NULL,
2 TIM(1) = 0,
2 TIL(1) = 1, TIL(2) = 2, TIL(3) = 3, TIL(4) = 4;
Inspection of the MOD structure shows that the criterion
MOD.NAIL(I) = MT4
MOD.WHIP(I) = MT4 or APT1      (I = 1,2,3)
is met. Therefore BOOLEAN must derive a representation for the
higher order module associated with MT4->MOD.
Procedure BOOLEAN starts off by creating the PROP structures
associated with the parent gate and each nested gate, as
well as the PER structure containing the structural information
for the higher order module
/* BOOLEAN SUBROUTINE */
(CHECK(WEST,LEG,EST,LOG, EG,LA A,1,!X,03,C1,C2,
FOG,XOD,C1C,XOG, C1ZC2M,C27 ,KOF,KO,?On,DOTT,-
NICSSPU4)):
BOOLEAN: PROC;
PUT SKIP LIST ('BOOLEAN HAS BEEN CALLED');
MTuODUL. DULL (im.)
WEST=MOD.NEST;
JSTVwEST+1:
ALLOCATE PER;
PER.TAR=PUT;
FREE PUT;
LOST=PR;
ALLOCATE PEN;
?ROST=e ;
LILE=MOD.LIM;
LIME=MOD.MIM;
ALLOCATE PROP;
PROP.TIPO=5;
IB=IB+1;
STORK=PT;
BOST(IB)=STORK;
PROP.NAME=MOD.NAME;
PROP.VALUE=MOD.VALUE;
PROP.TIL=MOD.TIL;
PROP.TIM=MOD.TIM;
PROP.PIM=MOD.PIM;
PUT EDIT ('PARENT MODULE NAME=',PROP.NAME,'VALUE=',
PROP.VALUE,'NUM LEAF INP=',PROP.LIM,'NUM MOD INP=',PROP.MIM)
PUT EDIT ('LEAF INS=') (SKIP(1),A(9));
PUT LIST (PROP.TIL);
PUT EDIT ('MOD INS=') (SKIP(1),A(8));
PUT LIST (PROP.TIM);
PROP.HOST=LOST;
FOG=MOD.MID;
DO I=1 TO FOG;
  PEN.KIN(I)=MOD.PID(I);
  PEN.JIN(I)=MOD.TID(I);
END;
LEG=FOG;
ALLOCATE DRUG;
FROG=MOD.PID;
ZEG=FOG;
GR.G.VDR:
GROG=1;
EST=0;
GREY=DR;
DO WHILE (GROG¬=0);
  LOG=0;
  DO K=1 TO MEG;
    IF (FROG(K)->PID(1)=NULL) THEN PEG=0;
    ELSE PEG=1;
    LOG=LOG+PEG;
  END;
  IF (LOG=0) THEN GROG=0;
  WER=ZEG;
  DR=GREY;
  DO Q=1 TO MEG;
    MT=FROG(Q);
    LILE=MOD.LIM;
    LIME=MOD.MIM;
    ALLOCATE PROP;
    PROP.TIPO=5;
    ART=PT;
    IB=IB+1;
    BOST(IB)=PT;
    EST=EST+1;
    PER.KIM(EST)=PT;
    PER.JIM(EST)=MOD.NAME;
    PROP.NAME=MOD.NAME;
    PROP.VALUE=MOD.VALUE;
    PROP.TIL=MOD.TIL;
    PROP.TIM=MOD.TIM;
    PROP.PIM=MOD.PIM;
    PROP.ROOT=STORK;
    DO L=1 TO LIME;
      AT=PROP.PIM(L);
      IF (AT¬=NULL) THEN AT->PROP.ROOT=ART;
    END;
    PUT EDIT ('NESTED MODULE NAME=',PROP.NAME,'VALUE=',
    PROP.VALUE,'NUM LEAF INP=',PROP.LIM,'NUM MOD INP=',PROP.MIM)
    (SKIP(2),A(19),F(5),X(2),A(6),F(5),X(2),A(13),F(5),X(2),A(12),F(5));
    PUT EDIT ('LEAF INS=') (SKIP(1),A(9));
    PUT LIST (PROP.TIL);
    PUT EDIT ('MOD INS=') (SKIP(1),A(8));
    PUT LIST (PROP.TIM);
    PROP.HOST=NULL;
    FOG=MOD.MID;
    IF (FOG=1 & MOD.PID(1)=NULL) THEN GO TO UNO;
    DO I=1 TO FOG;
      PEN.KIN(ZEG+I)=MOD.PID(I);
      PEN.JIN(ZEG+I)=MOD.TID(I);
    END;
    ZEG=ZEG+FOG;
    UNO: END;
  FREE DRUG;
  LEG=ZEG-WER;
  ALLOCATE DRUG;
  GREY=DR;
  DO ID=1 TO LEG;
    DRUG.FROG(ID)=PEN.KIN(WER+ID);
  END;
END;
PROP structures are allocated starting at the top with
the parent gate and then proceeding to successively deeper
levels of nested gate modules in the higher order structure.
Figure 3.29 shows an example of a higher order module consisting
of 3 levels of nested gates. In the diagram only the nested
gates of the structure are portrayed and all other input
details to the higher order module have not been included
(i.e., replicated inputs and proper modular inputs to each
gate).
FIGURE 3.29 ORDERING OF PROP STRUCTURE ALLOCATIONS FOR A HIGHER ORDER MODULE (parent gate and nested gates at the 1st, 2nd and 3rd levels; allocation order is given by (i), i = 1, 2, ...)
BOOLEAN succeeds in allocating the PROP structures in the
desired order with the help of a set of DRUG structures which
contain the pointer locations for each of the MOD structures
at a given nested gate level. Structure DRUG is defined by
1 DRUG BASED (DR),
2 MEG FIXED BINARY,
2 FROG (LEG REFER(MEG)) POINTER;
Thus, for the example given in Figure 3.29, three DRUG
structures would be needed by BOOLEAN
1 DRUG BASED (DR1),
2 MEG = 3,
2 FROG(1) = MT1, FROG(2) = MT2, FROG(3) = MT3;
1 DRUG BASED (DR2),
2 MEG = 4,
2 FROG(1) = MT4, FROG(2) = MT5,
FROG(3) = MT6, FROG(4) = MT7;
1 DRUG BASED (DR3),
2 MEG = 2,
2 FROG(1) = MT8, FROG(2) = MT9;
where this notation means that MTi locates the MOD structure
associated with the (i-th) nested gate.
While the name and pointer location for each nested
gate PROP structure are stored in PER.JIM(I) and PER.KIM(I)
(I = 1, 2,...,WEST), the name and pointer location for the MOD
structure associated with each nested gate are stored in the
structure PEN defined by
1 PEN BASED (PN),
2 LEAL FIXED BINARY,
2 KIN (WEST REFER(PEN.LEAL)) POINTER,
2 JIN (WEST REFER(PEN.LEAL)) FIXED;
The higher order modular structure composition for the
pressure tank fault tree example is quite simple, since
only two nested gate levels exist, each consisting of a single
gate (Figure 3.30). Its PROP, PER and PEN structures are
given by
1 PROP BASED (PT2),
2 TIPO = 5,
2 REZ = 2,
2 ROOT = NULL,
2 NAME = 1,
2 VALUE = 2,
2 LIM = 4,
2 MIM = 1,
2 HOST = PR2,
2 REL(2) FLOAT,
2 TIL(1) = 1, TIL(2) = 2, TIL(3) = 3, TIL(4) = 4,
2 TIM(1) = 0,
2 PIM(1) = NULL;
FIGURE 3.30 HIGHER ORDER MODULAR COMPOSITION FOR THE PRESSURE TANK FAULT TREE (proper part and improper part of gates G1, G4 and G5; M9 = {c11, c12, c13; 2-out-of-3 operator})
1 PROP BASED (PT3),
2 TIPO = 5,
2 REZ = 2,
2 ROOT = PT2,
2 NAME = 4,
2 VALUE = 1,
2 LIM = 1,
2 MIM = 1,
2 HOST = NULL,
2 REL(2) FLOAT,
2 TIL(1) = 0,
2 TIM(1) = 9,
2 PIM(1) = PT1;
1 PROP BASED (PT4),
2 TIPO = 5,
2 REZ = 2,
2 ROOT = PT2,
2 NAME = 5,
2 VALUE = 2,
2 LIM = 6,
2 MIM = 1,
2 HOST = NULL,
2 REL(2) FLOAT,
2 TIL(1) = 5, TIL(2) = 6, TIL(3) = 7, TIL(4) = 8,
TIL(5) = 9, TIL(6) = 10,
2 TIM(1) = 0,
2 PIM(1) = NULL;
1 PER BASED (PR2),
2 REZ = 2,
2 HECTOR POINTER,
2 DEXTER POINTER,
2 RAM = 1,
2 LEAL = 2,
2 REL(2) FLOAT,
2 TAR(1) = 30001,
2 KIM(1) = PT3, KIM(2) = PT4,
2 JIM(1) = 4, JIM(2) = 5;
1 PEN BASED (PN1),
2 LEAL = 2,
2 KIN(1) = MT3, KIN(2) = MT1,
2 JIN(1) = 4, JIN(2) = 5;
Once BOOLEAN has mapped out the structural composition for the
higher order module, it is then ready to proceed to generate
the set of VECTOR structures representing the modular minimal
cut-sets for the higher order structure.
The process by which each minimal cut-set VECTOR is found
is a recursive one. By starting with a Boolean representation
for the parent gate given in terms of its improper modular inputs
(MOD structures), each of the nested gates is explicitly
incorporated by making a set of substitutions consistent with
the structural relationship each nested gate holds with the
parent gate. Ultimately each minimal cut-set is given by a
VECTOR structure of dimension LARG = NUB + 1 + WEST, where
NUB = total number of replicated event inputs to the higher
order module and WEST = total number of nested gates contained
by the higher order module. That is
$\mathbf{Y}^B = (Y_1, Y_2, \ldots, Y_\ell)$   ($\ell$ = LARG)
The order in which each of the inputs to the higher order module
is entered is given by
$\mathbf{Y}^B = (Y_{r_1}, Y_{r_2}, \ldots, Y_{r_n}, Y_{m_0}, Y_{m_1}, \ldots, Y_{m_w})$
with $r_i$ = replicated input i, n = NUB, $m_0$ = parent gate PROP
input, $m_i$ = ith nested gate PROP input, w = WEST, n + 1 + w = $\ell$.
However, as discussed earlier, BOOLEAN derives this set of
VECTORS by a series of substitutions of improper modules (MOD
structures) by their replicated input (r-leaf) and proper input
(PROP) parts. Therefore, in order to make this feasible,
BOOLEAN needs to perform a set of manipulations with a set of
SECTOR based structures defined by
1 SECTOR BASED (SR),
2 LORO FIXED BINARY,
2 DOOR POINTER,
2 COD BIT (JUST REFER(SECTOR.LORO));
with JUST = LARG + WEST.
Every replicated input, PROP and MOD structure in the
higher order module will be represented by a Boolean variable
within each SECTOR structure in the following order
$\mathbf{Z}^B = (\mathbf{Y}^B, \mathbf{X}^B)$
with $\mathbf{Y}^B$ containing the same inputs as a VECTOR bit-string and
$\mathbf{X}^B = (Y_{d_1}, \ldots, Y_{d_w})$ representing the nested MOD structures in
the higher order module, i.e., $d_i$ = ith nested gate MOD
structure.
The minimal cut-set generation procedure is begun by
finding the set of VECTOR and SECTOR structures which initially
represent the parent gate. Figures 3.31 and 3.32 illustrate
the two possible instances of higher order modules with an OR-
operator or an AND-operator parent gate. For the OR-parent
gate, example I, the full modular structure consists of five
nested gates and two replicated events. Its VECTOR and SECTOR
bit-strings will therefore have the form
$\mathbf{Y}^B = (Y_{r_1}, Y_{r_2}, Y_{m_0}, Y_{m_1}, Y_{m_2}, Y_{m_3}, Y_{m_4}, Y_{m_5})$
$\mathbf{Z}^B = (\mathbf{Y}^B, Y_{d_1}, Y_{d_2}, Y_{d_3}, Y_{d_4}, Y_{d_5}) = (\mathbf{Y}^B, \mathbf{X}^B)$
and the parent gate shall be initially represented by
M0 => $Y_{m_0} = 1$
1 VECTOR BASED (VT1),
2 LORO = 8,
2 FLOOR = NULL,
2 COMP = '00100000'B;
G1 => $Y_{d_1} = 1$
1 SECTOR BASED (SR1),
2 LORO = 13,
2 DOOR = SR2,
2 COMP = '0000000010000'B;
G2 => $Y_{d_2} = 1$
1 SECTOR BASED (SR2),
2 LORO = 13,
2 DOOR = NULL,
2 COMP = '0000000001000'B;
FIGURE 3.31 OR-PARENT GATE HIGHER ORDER MODULE EXAMPLE I
FIGURE 3.32 AND-PARENT GATE HIGHER ORDER EXAMPLE II
For the AND-parent gate, example II, a single SECTOR shall
initially represent it. Since the full modular structure for
example II consists of one replicated event and four nested
gates, then
$\mathbf{Y}^B = (Y_r, Y_{m_0}, Y_{m_1}, Y_{m_2}, Y_{m_3}, Y_{m_4})$
$\mathbf{Z}^B = (\mathbf{Y}^B, Y_{d_1}, Y_{d_2}, Y_{d_3}, Y_{d_4}) = (\mathbf{Y}^B, \mathbf{X}^B)$
so the initial representation for the parent gate shall be
1 SECTOR BASED (SR1),
2 LORO = 10,
2 DOOR = NULL,
2 COMP = '0100001110'B
(the first LARG bits hold $\mathbf{Y}^B$; $Y_{m_0} = Y_{d_1} = Y_{d_2} = Y_{d_3} = 1$)
The following statements outline the method used by BOOLEAN to
derive the initial parent gate Boolean representation for a
higher order module. For the OR-parent gate case (MOD.VALUE =
OP = 2) the statements following label B2 apply, while for AND-
parent gates the statements following label B1 apply.
MT-MIt30UL.nt1LL (P)
LARG=NUB+WEST+1;
JUST=LARG+WEST;
ALLOCATE KOF;
ALLOCATE KOD;
ALLOCATE XOD;
ALLOCATE TOD;
ALLOCATE DOTT;
ALLOCATE TOG;
ALLOCATE XOG;
OP=MOD.VALUE;
LADY=NULL;
LORD=NULL;
IF (OP=1) THEN GO TO B1;
IF (OP=2) THEN GO TO B2;
B1: ALLOCATE SECTOR;
KING=SR;
SECTOR.DOOR=NULL;
SECTOR.COD=REPEAT('0'B,JUST);
TOG=REPEAT('0'B,JUST);
SUBSTR(TOG,NUB+1,1)='1'B;
SECTOR.COD=TOG;
FOX=MOD.RIM;
IF (FOX=1 & MOD.TIR(1)=0) THEN GO TO B1A;
DO Q=1 TO FOX;
  TEST=MOD.TIR(Q);
  DO R=1 TO NUB;
    IF (TEST=PER.TAR(R)) THEN GO TO B1B;
  END;
  B1B: TOG=REPEAT('0'B,JUST);
  SUBSTR(TOG,R,1)='1'B;
  SECTOR.COD=SECTOR.COD|TOG;
END;
B1A: FOG=MOD.MID;
DO Q=1 TO FOG;
  TOG=REPEAT('0'B,JUST);
  SUBSTR(TOG,LARG+Q,1)='1'B;
  SECTOR.COD=SECTOR.COD|TOG;
END;
ESTO=FOG;
GO TO B3;
B2: ALLOCATE VECTOR;
QUEEN=VT;
TOD=REPEAT('0'B,LARG);
SUBSTR(TOD,LARG-WEST,1)='1'B;
VECTOR.COMP=TOD;
VECTOR.FLOOR=NULL;
LADY=QUEEN;
FOX=MOD.RIM;
IF (FOX=1 & MOD.TIR(1)=0) THEN GO TO B2A;
DO Q=1 TO FOX;
  TEST=MOD.TIR(Q);
  DO R=1 TO NUB;
    IF (TEST=PER.TAR(R)) THEN GO TO B2B;
  END;
  B2B: ALLOCATE VECTOR;
  IF (Q=FOX) THEN VECTOR.FLOOR=NULL;
  LADY->FLOOR=VT;
  LADY=VT;
  TOD=REPEAT('0'B,LARG);
  SUBSTR(TOD,R,1)='1'B;
  VECTOR.COMP=TOD;
END;
B2A: FOG=MOD.MID;
ESTO=FOG;
DO Q=1 TO FOG;
  ALLOCATE SECTOR;
  IF (Q=FOG) THEN SECTOR.DOOR=NULL;
  IF (LORD¬=NULL) THEN GO TO B2C;
  KING=SR;
  LORD=SR;
  GO TO B2D;
  B2C: LORD->DOOR=SR;
  LORD=SR;
  B2D: SECTOR.COD=REPEAT('0'B,JUST);
  TOG=REPEAT('0'B,JUST);
  SUBSTR(TOG,LARG+Q,1)='1'B;
  SECTOR.COD=TOG;
END;
It should be noticed here that the SECTOR.COD bit strings
associated with the parent gate imply a dependence on all
nested gates contained within the higher order module. This
dependence shows up through the non-zero entries in the $\mathbf{X}^B$
portion of the $\mathbf{Z}^B$ SECTOR.COD bit string ($\mathbf{X}^B$ = SUBSTR(SECTOR.COD,
LARG + 1, WEST)). The objective of BOOLEAN will now be
to substitute for each improper modular entry in SECTOR.COD
an equivalent set of replicated leaf, proper module and
improper modular entries.
Thus, for the two examples given above their dependence
on nested gate G1 may be eliminated (i.e., $Y_{d_1}$ may be set to
zero) as follows:
Example I: G1 = {M1, G3, G4; }
=> $(Y_{d_1} = 1) \Rightarrow (Y_{m_1} = 1)(Y_{d_3} = 1)(Y_{d_4} = 1)$
Hence SR1->SECTOR.COD = '0000000010000'B is replaced
by SR1->SECTOR.COD = '0001000000110'B
Example II: G1 = {M1, G4; ∪}
=> $(Y_{d_1} = 1) \Rightarrow (Y_{m_1} = 1) \cup (Y_{d_4} = 1)$
Hence SR1->SECTOR is replaced by the two new sectors
with
SR1->SECTOR.COD = '0110000110'B
SR2->SECTOR.COD = '0100000111'B
By continuing this process all nested gate improper
dependencies that a SECTOR might have will eventually be
eliminated. That is, ultimately all SECTORS generated will
contain a null substring $\mathbf{X}^B = \mathbf{0}$, and therefore will have been
transformed into Boolean Indicated cut-set VECTORS (BICS) [16].
An outline of the statements in BOOLEAN which provide for
the deduction of Boolean indicated cut-set VECTORS follows
B3: DO IL=1 TO WEST;
  MT=PEN.KIN(IL);
  OP=MOD.VALUE;
  PAWN=KING;
  XOD=REPEAT('0'B,JUST);
  XOG=REPEAT('0'B,JUST);
  SUBSTR(XOD,LARG+IL,1)='1'B;
  SUBSTR(XOG,NUB+IL+1,1)='1'B;
  KOF=REPEAT('0'B,JUST);
  KOD=REPEAT('0'B,JUST);
  IF (OP=1) THEN GO TO C1;
  IF (OP=2) THEN GO TO C2;
  C1: FOX=MOD.RIM;
  IF (FOX=1 & MOD.TIR(1)=0) THEN GO TO C1A;
  DO Q=1 TO FOX;
    TEST=MOD.TIR(Q);
    DO R=1 TO NUB;
      IF (TEST=PER.TAR(R)) THEN GO TO C1B;
    END;
    C1B: TOG=REPEAT('0'B,JUST);
    SUBSTR(TOG,R,1)='1'B;
    KOF=KOF|TOG;
  END;
  C1A: FOG=MOD.MID;
  IF (FOG=1 & MOD.TID(1)=0) THEN GO TO C1C;
  DO Q=1 TO FOG;
    TOG=REPEAT('0'B,JUST);
    SUBSTR(TOG,LARG+Q+ESTO,1)='1'B;
    KOD=KOD|TOG;
  END;
  ESTO=ESTO+FOG;
  C1C: DO WHILE (PAWN¬=NULL);
    SR=PAWN;
    TOG=SECTOR.COD&XOD;
    IF (TOG) THEN GO TO C1K;
    ELSE GO TO C1Y;
    C1K: SECTOR.COD=SECTOR.COD&(¬XOD);
    SECTOR.COD=SECTOR.COD|KOD;
    SECTOR.COD=SECTOR.COD|XOG;
    SECTOR.COD=SECTOR.COD|KOF;
    DOTT=REPEAT('0'B,WEST);
    DOTT=SUBSTR(SECTOR.COD,LARG+1,WEST);
    IF (DOTT¬='0'B) THEN GO TO C1Y;
    ALLOCATE VECTOR;
    IF (LADY=NULL) THEN QUEEN=VT;
    ELSE LADY->FLOOR=VT;
    LADY=VT;
    VECTOR.FLOOR=NULL;
    VECTOR.COMP=SUBSTR(SECTOR.COD,1,LARG);
    IF (SR=KING) THEN KING=SECTOR.DOOR;
    ELSE GO TO D1;
    PAWN=KING;
    FREE SECTOR;
    IF (PAWN=NULL) THEN GO TO MICS;
    GO TO C1Z;
    D1: PAWN=SECTOR.DOOR;
    FREE SECTOR;
    MOAN->DOOR=PAWN;
    GO TO C1Z;
    C1Y: MOAN=PAWN;
    PAWN=SECTOR.DOOR;
    C1Z: END;
  GO TO C2Z;
  C2: ALLOCATE SECTOR;
  SECTOR.DOOR=NULL;
  KONG=SR;
  LERD=SR;
  SECTOR.COD=XOG;
  FOX=MOD.RIM;
  IF (FOX=1 & MOD.TIR(1)=0) THEN GO TO C2A;
  DO Q=1 TO FOX;
    TEST=MOD.TIR(Q);
    DO R=1 TO NUB;
      IF (TEST=PER.TAR(R)) THEN GO TO C2B;
    END;
    C2B: ALLOCATE SECTOR;
    SECTOR.DOOR=NULL;
    C2C: LERD->DOOR=SR;
    LERD=SR;
    C2D: TOG=REPEAT('0'B,JUST);
    SUBSTR(TOG,R,1)='1'B;
    SECTOR.COD=TOG;
  END;
  C2A: FOG=MOD.MID;
  IF (FOG=1 & MOD.TID(1)=0) THEN GO TO C2H;
  DO Q=1 TO FOG;
    ALLOCATE SECTOR;
    SECTOR.DOOR=NULL;
    C2F: LERD->DOOR=SR;
    LERD=SR;
    C2G: SECTOR.COD=REPEAT('0'B,JUST);
    TOG=REPEAT('0'B,JUST);
    SUBSTR(TOG,LARG+Q+ESTO,1)='1'B;
    SECTOR.COD=TOG;
  END;
  C2J: ESTO=ESTO+FOG;
  C2H: MOAN=NULL;
  DO WHILE (PAWN¬=NULL);
    SR=PAWN;
    KOF=REPEAT('0'B,JUST);
    TOD=REPEAT('0'B,LARG);
    TOD=SUBSTR(SECTOR.COD,1,LARG);
    SUBSTR(KOF,1,LARG)=TOD;
    KOD=REPEAT('0'B,JUST);
    DOTT=REPEAT('0'B,WEST);
    DOTT=SUBSTR(SECTOR.COD,LARG+1,WEST);
    SUBSTR(KOD,LARG+1,WEST)=DOTT;
    TOG=KOD&XOD;
    IF (TOG) THEN GO TO C2K;
    ELSE GO TO C2L;
    C2K: PEON=KONG;
    LUTE=NULL;
    KOD=KOD&(¬XOD);
    DO WHILE (PEON¬=NULL);
      ALLOCATE SECTOR;
      SECTOR.DOOR=NULL;
      SECTOR.COD=PEON->SECTOR.COD|KOF;
      SECTOR.COD=SECTOR.COD|KOD;
      DOTT=REPEAT('0'B,WEST);
      DOTT=SUBSTR(SECTOR.COD,LARG+1,WEST);
      IF (DOTT¬='0'B) THEN GO TO C2X;
      ALLOCATE VECTOR;
      IF (LADY=NULL) THEN QUEEN=VT;
      ELSE LADY->FLOOR=VT;
      LADY=VT;
      VECTOR.FLOOR=NULL;
      VECTOR.COMP=SUBSTR(SECTOR.COD,1,LARG);
      FREE SECTOR;
      GO TO C2Y;
      C2X: IF (LUTE=NULL) THEN KUNG=SR;
      ELSE LUTE->DOOR=SR;
      LUTE=SR;
      C2Y: MOON=PEON;
      PEON=MOON->SECTOR.DOOR;
    END;
    SR=PAWN;
    IF (LUTE=NULL & MOAN=NULL) THEN GO TO C2Q;
    ELSE GO TO C2R;
    C2Q: IF (SECTOR.DOOR¬=NULL) THEN GO TO C2W;
    FREE SECTOR;
    GO TO MICS;
    C2W: PAWN=SECTOR.DOOR;
    KING=PAWN;
    FREE SECTOR;
    GO TO C2M;
    C2R: IF (MOAN¬=NULL & LUTE¬=NULL) THEN GO TO C3A;
    ELSE GO TO C3B;
    C3A: MOAN->DOOR=KUNG;
    LUTE->DOOR=SECTOR.DOOR;
    FREE SECTOR;
    MOAN=LUTE;
    PAWN=LUTE->DOOR;
    GO TO C2M;
    C3B: IF (LUTE=NULL) THEN GO TO C3C;
    ELSE GO TO C3D;
    C3C: PAWN=SECTOR.DOOR;
    FREE SECTOR;
    MOAN->DOOR=PAWN;
    GO TO C2M;
    C3D: KING=KUNG;
    LUTE->DOOR=SECTOR.DOOR;
    FREE SECTOR;
    MOAN=LUTE;
    PAWN=LUTE->DOOR;
    GO TO C2M;
    C2L: MOAN=PAWN;
    PAWN=SECTOR.DOOR;
    C2M: END;
  C2Z: END;
The step-by-step process by which BOOLEAN derives the
VECTOR BICS for the pressure tank fault tree example is as
follows
Replicated inputs: r30001 => NUB = 1
Parent gate G1, nested gates (G4, G5) =>
WEST = 2, LARG = NUB + 1 + WEST = 4, JUST = 6
$\mathbf{Y}^B = (Y_r, Y_{m_1}, Y_{m_4}, Y_{m_5})$
$\mathbf{Z}^B = (\mathbf{Y}^B, Y_{d_4}, Y_{d_5})$
Step 1) Parent gate Boolean representation
$(Y_{m_1} = 1) \cup (Y_r = 1) \cup (Y_{d_4} = 1)$
1 VECTOR BASED (VT1),
2 LORO = 4,
2 FLOOR = VT2,
2 COMP = '0100'B;
1 VECTOR BASED (VT2),
2 LORO = 4,
2 FLOOR = NULL,
2 COMP = '1000'B;
1 SECTOR BASED (SR1),
2 LORO = 6,
2 DOOR = NULL,
2 COD = '000010'B;
Step 2) Eliminate second nested gate (G4) by the
substitution $Y_{d_4} = 1 \Rightarrow (Y_{m_4} = 1) \cap (Y_{d_5} = 1)$
=> 1 SECTOR BASED (SR1),
2 LORO = 6,
2 DOOR = NULL,
2 COD = '001001'B;
Step 3) Eliminate second nested gate (G5) by the
substitution $Y_{d_5} = 1 \Rightarrow (Y_{m_5} = 1) \cup (Y_r = 1)$
1 SECTOR BASED (SR1),
2 LORO = 6,
2 DOOR = SR2,
2 COD = '001100'B;
1 SECTOR BASED (SR2),
2 LORO = 6,
2 DOOR = NULL,
2 COD = '101000'B;
Since $\mathbf{X}^B = \mathbf{0}$ for both SR1->SECTOR.COD and SR2->SECTOR.COD, they
may be replaced by two new vectors.
1 VECTOR BASED (VT3),
2 LORO = 4,
2 FLOOR = VT4,
2 COMP = '0011'B;
(with VT2->VECTOR.FLOOR = VT3)
1 VECTOR BASED (VT4),
2 LORO = 4,
2 FLOOR = NULL,
2 COMP = '1010'B;
Hence, the set of BICS for the pressure tank fault tree is
$\mathbf{Y}^B_1 = (0,1,0,0)$
$\mathbf{Y}^B_2 = (1,0,0,0)$
$\mathbf{Y}^B_3 = (0,0,1,1)$
$\mathbf{Y}^B_4 = (1,0,1,0)$
To obtain now the set of minimal cut-sets (MICS), it is only
necessary to eliminate those BICS vectors containing a sub-set
of non-zero elements which also form a BICS vector. For the
pressure tank fault tree $\mathbf{Y}^B_2$ is contained in $\mathbf{Y}^B_4$, therefore the
set of MICS for the pressure tank fault tree consists only of
$\mathbf{Y}^B_1$, $\mathbf{Y}^B_2$, and $\mathbf{Y}^B_3$.
The following BOOLEAN statements derive the set of MICS
by eliminating the non-minimal cut-set vectors included in the
set of BICS.
/* MICS */
MICS: LADY=QUEEN;
PUT SKIP LIST ('BICS');
DO WHILE (LADY¬=NULL);
  VT=LADY;
  PUT LIST ('COMP=',VECTOR.COMP);
  LADY=LADY->FLOOR;
END;
LADY=QUEEN;
ALLOCATE SOF;
DO WHILE (LADY¬=NULL);
  TOD=LADY->COMP;
  MOON=QUEEN;
  DO WHILE (MOON¬=NULL);
    IF (MOON=LADY) THEN GO TO MSZ;
    VT=MOON;
    IF (TOD=VECTOR.COMP) THEN GO TO MSA;
    SOF=(TOD&VECTOR.COMP);
    IF (SOF=TOD) THEN GO TO MSA;
    IF (SOF=VECTOR.COMP) THEN GO TO MSD;
    GO TO MSZ;
    MSA: IF (MOON=QUEEN) THEN QUEEN=MOON->FLOOR;
    ELSE GO TO MSB;
    FREE VECTOR;
    NOON=QUEEN;
    GO TO MSY;
    MSB: NOON->FLOOR=MOON->FLOOR;
    FREE VECTOR;
    GO TO MSY;
    MSD: VT=LADY;
    IF (LADY=QUEEN) THEN QUEEN=LADY->FLOOR;
    ELSE GO TO MSR;
    FREE VECTOR;
    MOAN=QUEEN;
    GO TO MSX;
    MSR: MOAN->FLOOR=LADY->FLOOR;
    FREE VECTOR;
    GO TO MSX;
    MSZ: NOON=MOON;
    MSY: MOON=NOON->FLOOR;
  END;
  MOAN=LADY;
  MSX: LADY=MOAN->FLOOR;
END;
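The substitution of improper modules and the BICS to MICS reduction described above, as an added Python example (not PL-MOD code): sets of variables replace the SECTOR and VECTOR bit strings and their linked lists, and the gate table is constructed from the pressure tank walk-through. It assumes the nested gates form a tree and that every gate has a proper part variable.

```python
from collections import deque

# Constructed description of the pressure tank higher order module:
# operator, replicated event inputs and nested gates of each gate.
PRESSURE_TANK = {
    "G1": {"kind": "OR", "replicated": ["r30001"], "nested": ["G4"]},
    "G4": {"kind": "AND", "replicated": [], "nested": ["G5"]},
    "G5": {"kind": "OR", "replicated": ["r30001"], "nested": []},
}


def level_order(gates, parent):
    """Parent gate first, then nested gates level by level."""
    order, queue = [], deque([parent])
    while queue:
        gate = queue.popleft()
        order.append(gate)
        queue.extend(gates[gate]["nested"])
    return order


def variable_order(gates, parent):
    """Bit order of Y^B: replicated inputs, then the PROP part of each gate."""
    order = level_order(gates, parent)
    replicated = []
    for gate in order:
        for name in gates[gate]["replicated"]:
            if ("r", name) not in replicated:
                replicated.append(("r", name))
    return replicated + [("m", gate) for gate in order]


def boolean_indicated_cut_sets(gates, parent):
    """Replace each improper variable ('d', gate) by the gate's own inputs."""
    terms = [frozenset([("d", parent)])]
    for gate in level_order(gates, parent):
        spec = gates[gate]
        parts = ([("m", gate)]
                 + [("r", name) for name in spec["replicated"]]
                 + [("d", child) for child in spec["nested"]])
        expanded = []
        for term in terms:
            if ("d", gate) not in term:
                expanded.append(term)
                continue
            rest = term - {("d", gate)}
            if spec["kind"] == "AND":
                expanded.append(rest | frozenset(parts))      # one term, all inputs
            else:
                expanded.extend(rest | {part} for part in parts)  # one term per input
        terms = expanded
    assert not any(kind == "d" for term in terms for kind, _ in term)
    return terms


def minimal_cut_sets(terms):
    """Drop duplicates and every term that strictly contains another term."""
    unique = list(dict.fromkeys(terms))
    return [term for term in unique if not any(other < term for other in unique)]


def to_bits(term, variables):
    return "".join("1" if var in term else "0" for var in variables)


def analyse(gates, parent):
    """Return (BICS, MICS) as bit strings in the Y^B order."""
    variables = variable_order(gates, parent)
    bics = boolean_indicated_cut_sets(gates, parent)
    mics = minimal_cut_sets(bics)
    return ([to_bits(t, variables) for t in bics],
            [to_bits(t, variables) for t in mics])


if __name__ == "__main__":
    print(analyse(PRESSURE_TANK, "G1"))
```
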
III.10 TRAVEL and TRAPEL
Gates having replicated event inputs in common are interconnected
by means of WHIP and NAIL pointer variables. However,
since PL-MOD arrives at the final modular decomposition through
a series of different intermediate structural representations
for the fault tree, at each step interdependent gate interconnections
are attached to a different set of NODE, STIP, STID and MOD
structures.
Procedures TRAVEL and TRAPEL are called by COALESCE and
MODULAR to transfer NAIL and WHIP interconnections whenever a
structural transformation is effected which involves interconnected
structures.
Thus, given a set of structures $A_i$ (i = 1,2,...,n) attached
by NAIL pointers to a structure B (i.e., $A_i$.NAIL($J_i$) = pointer
locating B for some $J_i$) which is to be replaced by a new structure
C, TRAVEL will replace the old NAIL pointers connecting
the set of structures $A_i$ to B by a new set connecting them
to C (i.e., $A_i$.NAIL($J_i$) = pointer locating C for i = 1,2,...,n).
Similarly TRAPEL will replace all WHIP connections to structure
B by a new set of connections to structure C (i.e., if originally
$D_i$.WHIP($J_i$) = pointer locating B, then TRAPEL will change this
to $D_i$.WHIP($J_i$) = pointer locating C, i = 1,...,m).
For example, in Section III.9 the NODE, STIP and STID structures
representing the top gate for the pressure tank fault tree
were given. In particular, structures ST5->STIP and SD2->STID
were interconnected by
PRIM(1) = SPINE(4)
The values of TRIM(IX) and TRIN(IX) (IX = 1,2,...,RMOD)
are read in and the values corresponding to PRIM(IX) are
assigned in procedure INITIAL with the following statements
DO IX = 1 TO RMOD;
  GET LIST (TRIM(IX),TRIN(IX));
  ICH = TRIN(IX);
  PRIM(IX) = SPINE(ICH);
END;
In Section III.6 it was pointed out that for every replicated
input a structure AP is allocated by procedure TREE-IN. Structure
AP is connected to the tree by a WHIP pointer corresponding
to a structure containing the particular replicated event. AP
has the following composition
1 AP BASED (APT),
2 TIPO = 0,
2 NAP = replicated event name,
2 REP = total number of appearances
of the event in the fault tree,
2 SPIT POINTER,
(with A.WHIP = APT for some structure A)
Pointer AP.SPIT is in general NULL except when the replicated
event represents a module. In that case TREE-IN will use
AP.SPIT to store the pointer locating the top gate for the
modular sub-tree (i.e., AP.SPIT = PRIM(IX) for some IX).
ST 5 STIP
ST 5 STIP
SD 2 STID
SD2  STID
SD 2 + STID
SD2 STID
. NAIL (1)
. WHIP(1)
. NAIL(1)
. WHIP (1)
. NAIL(2)
. WHIP(2)
However, in the next stage of the tree modularization pro-
cedure, gate B was represented by the single structure MT4  MOD.
Hence TRAVEL and TRAPEL were needed to transfer all NAIL and
WHIP interconnection to MT * Thus,
MT4 = MOD.NAIL(l) = MOD.NAIL(2) = MOD.NAIL(3)
and
MT 4 = MOD.WHIP(l) = MOD.WHIP(2)
The statements corresponding to the TRAVEL AND TRAPEL procedures
are given below.
TRAVEL: PROC(GRIS,KING,MOON);
   DECLARE (GRIS, KING, MOON) POINTER;
   GAL=GRIS->NODE.TIPO;
   IF (GAL=0) THEN GO TO CIME;
   ELSE IF (GAL=1) THEN GO TO CINE;
   ELSE IF (GAL=2) THEN GO TO CIPE;
   ELSE IF (GAL=3) THEN GO TO CIDE;
   ELSE IF (GAL=4) THEN GO TO CIXE;
CINE: NT=GRIS;
   FAL=NODE.DIR;
   DO MAL=1 TO FAL;
      IF (NODE.NAIL(MAL)=MOON) THEN GO TO LANE;
   END;
LANE: NODE.NAIL(MAL)=KING;
   RETURN;
CIPE: ST=GRIS;
   FAL=STIP.DIR;
   DO MAL=1 TO FAL;
      IF (STIP.NAIL(MAL)=MOON) THEN GO TO LAPE;
   END;
LAPE: STIP.NAIL(MAL)=KING;
   RETURN;
CIDE: SD=GRIS;
   FAL=STID.DIR;
   DO MAL=1 TO FAL;
      IF (STID.NAIL(MAL)=MOON) THEN GO TO LADE;
   END;
LADE: STID.NAIL(MAL)=KING;
   RETURN;
CIXE: MT=GRIS;
   FAL=MOD.RIMO;
   DO MAL=1 TO FAL;
      IF (MOD.NAIL(MAL)=MOON) THEN GO TO LAXE;
   END;
LAXE: MOD.NAIL(MAL)=KING;
CIME: RETURN;
END TRAVEL;
/* TRAPEL */
TRAPEL: PROC(GRIS,KING,MOON);
   DECLARE (GRIS, KING, MOON) POINTER;
   GAL=GRIS->NODE.TIPO;
   IF GAL=1 THEN GO TO CORN;
   IF (GAL=2) THEN GO TO CORP;
   IF (GAL=3) THEN GO TO CORD;
   IF GAL=4 THEN GO TO CORX;
CORN: NT=GRIS;
   FAL=NODE.DIR;
   DO MAL=1 TO FAL;
      IF (NODE.WHIP(MAL)=MOON) THEN GO TO LINE;
   END;
LINE: NODE.WHIP(MAL)=KING;
   RETURN;
CORP: ST=GRIS;
   FAL=STIP.DIR;
   DO MAL=1 TO FAL;
      IF (STIP.WHIP(MAL)=MOON) THEN GO TO LIPE;
   END;
LIPE: STIP.WHIP(MAL)=KING;
   RETURN;
CORD: SD=GRIS;
   FAL=STID.DIR;
   DO MAL=1 TO FAL;
      IF (STID.WHIP(MAL)=MOON) THEN GO TO LIDE;
   END;
LIDE: STID.WHIP(MAL)=KING;
   RETURN;
CORX: MT=GRIS;
   FAL=MOD.RIMO;
   DO MAL=1 TO FAL;
      IF (MOD.WHIP(MAL)=MOON) THEN GO TO LIXE;
   END;
LIXE: MOD.WHIP(MAL)=KING;
   RETURN;
END TRAPEL;
III.11. Replicated Modules
An option exists in PL-MOD which provides for the analysis
of fault trees containing smaller independent replicated sub-trees
(i.e., replicated modules).
PL-MOD handles replicated modules by analyzing their sub-tree
representation separately and by associating to each
replicated module a replicated leaf input (Figure 3.33).
The total number of replicated modules RMOD in the tree
is read in by procedure INITIAL, which allocates the following
four arrays
GET LIST (RMOD);
IF (RMOD = 0) THEN GO TO XEN;
ALLOCATE TRIM (RMOD);
ALLOCATE TRIN (RMOD);
ALLOCATE PRIM (RMOD);
ALLOCATE PRIN (RMOD);
XEN:
Variables TRIM and TRIN are number arrays storing the replicated
leaf and gate names associated with the top event of
each replicated module. Thus, for the example given in
Figure 3.33,
RMOD = 1
TRIM(1) = 29001
TRIN(1) = 4
Variable PRIM is a pointer array which stores the locations
of the node structures associated with the replicated module
TOP gates. Thus, for the above example PRIM(1) = SPINE(4) = NT
FIGURE 3.33
REPLICATED LEAF ASSOCIATED WITH A MODULE
Moreover the top modular gate NODE.ROOT will point to AP
(PRIM(IX) -> NODE.ROOT = APT) and the set of pointers APT
associated with replicated modules will be stored by array
PRIN(IX).
III.12. Dual State Replicated Components
In Chapter I the NOT gate operator was shown to be a useful
tool for handling common mode failure event dependencies and
mutually exclusive events normally found in systems undergoing
tests and maintenance [10]. PL-MOD contains an option that
allows the handling of dual component states which arise by
the application of the NOT gate operator (Figure 3.34). Applying
the NOT operator to basic event b results in an event
b̄ = NOT(b). Since events b̄ and b are mutually exclusive, the
gates to which these dual states are attached become interdependent.
Hence dual state components necessarily belong to the
same higher order module (Figure 3.35).
As explained in Section III.6 dual states are identified
by the nomenclature A1BCD, A2BCD (1 = ON state, 2 = OFF state).
Notice that since the three lower digits are the same for both
the ON and OFF states of a dual component, procedure TREE-IN
will attach WHIP and NAIL interconnections among mutually
exclusive gates as desired. Therefore, if a higher order modular
structure contains an ON dual state, then it will also contain
its corresponding OFF state.
FIGURE 3.34
DUAL COMPONENT STATES
FIGURE 3.35
INTERDEPENDENT GATES DUE TO MUTUALLY EXCLUSIVE DUAL COMPONENT STATES
In the following statements included in BOOLEAN, the cancellation
of all modular minimal cut-sets which require the
simultaneous occurrence of mutually exclusive events will be
achieved.
/* (AS-A) STATE CANCELLATION */
IF (N1OXu1) TtIrN DO;
PR*LOST:
NU M*PEII. RAM:
ALLOCA'TE 2OTM:
ALLOCATE 20CO;
20T0R1PEAT('O'JMON):
DO KIXa1 TO NI:
MA-P!R.TAR(NIX) :
DA*-C~tL (-?IA/10000):
JA W-CMe (~rAn/1000):
IF((JA-10*DfA)*1) THEN DO:
suMST(.oT,KrX,2) *11'l
KIX*WIX+ 1;
END:
IND:
r0 WHILN (VITiaNULL):
VT*VIT:
ZOCO-sOSSTP (VECTO.COP. P, 1, 411r)
7OCOvZOCO70TO:
1U(TNDE)(Z20CO,'11'8) -=) TU N DO:
TI VITwotlEEN THEM QUEEN T!CTOR.FLOOR;
ELSt GO TO SNV1;
F7U! VFRCTOI;
7IT*IJPVN:
GO TO SNU2;
SNUl: LAr->F.0oanvIT->PLOOR:
FtrE TICTOR;
END;
ELS LADYVIT;
VIT*LA C->FLOOR
s?,g2: Et40
FPtE Z0oI0:
LOST->fIKCTORaQUEEN:
III.13. NUMERO
III.13.1. PL-MOD's Quantitative Analysis of Modularized Fault
Trees
Up to now this chapter has dealt with the methodology used
by PL-MOD to obtain the modular decomposition for a fault tree.
Once the modularization task has been accomplished, PL-MOD
proceeds to evaluate modular event occurrence probabilities as
well as Vesely-Fussell importance values for modular and basic
component events. The procedures used by PL-MOD for
this purpose are all contained within procedure NUMERO. Therefore
PL-MOD commands a quantitative analysis for a fault tree
by the statement
CALL NUMERO;
It should be stressed here that the modular structure
information derived by PL-MOD is internally arranged in a manner
which allows for an efficient numerical evaluation of the fault
tree. Thus, storage space has been provided in structures PROP
and PER for assigning reliability parameters to the simple and
higher order modules represented by the structures
(Simple Module)
1 PROP BASED (PT),
  2 TIPO FIXED,
  2 ROOT POINTER,
  2 REZ FIXED BINARY,
  2 REL (DEL REFER (PROP.REZ)) FLOAT,
(Higher Order Module)
1 PER BASED (PR),
  2 REZ FIXED BINARY,
  2 REL (DEL REFER (PER.REZ)) FLOAT,
In the present PL-MOD version REZ = 2 since only a set of
occurrence probabilities and Vesely-Fussell importance point
values are evaluated. It should be noticed here that the pointer
location for each module is stored both as an input to another
module (PROP.TIM(I) or PER.TAR(j)) and as the root to other
modules (PROP.ROOT).
Procedure NUMERO internally calls the following procedures
CALL STAT-IN;
CALL EXPECT;
CALL IMPORTANCE;
Procedure STAT-IN is used for reading in a list of input
values for the basic event occurrence probabilities, such as
those given in Table 3.1 for the pressure tank rupture fault
tree. Having this information, procedures EXPECT and IMPORTANCE
then perform the evaluation of modular event occurrence probabilities
and modular and basic component Vesely-Fussell importance
measures respectively.
III.13.2 STAT-IN
Procedure STAT-IN is given by the following statements
STAT_IN: PROC;
   P=DEL;
   GET LIST (FUN);
   PUT EDIT('NUM FREE EVENT INPUTS=',FUN) (SKIP(2),A(22),F(5));
   GET LIST (DUN);
   PUT EDIT('NUM REPLICATED EVENT INPUTS=',DUN) (SKIP(2),A(28),F(5));
   ALLOCATE STATE;
   ALLOCATE STATD;
   PUT EDIT('FREE INPUT','RELIABILITY')
      (SKIP(2),X(2),A(10),X(1),A(11));
   DO I=1 TO FUN;
      GET LIST (I,STATE(1,I));
      PUT EDIT(I,STATE(1,I)) (SKIP(2),F(12),E(18,6));
   END;
   PUT EDIT('DEP INPUT','RELIABILITY')
      (SKIP(2),X(3),A(9),X(1),A(11));
   DO I=1 TO DUN;
      GET LIST (I,STATD(1,I));
      PUT EDIT(I,STATD(1,I)) (SKIP(2),F(12),E(18,6));
   END;
END STAT_IN;
The number of free event (FUN) and replicated event (DUN) inputs
is read in, and arrays STATE(P,FUN) and STATD(P,DUN)
are allocated with P = 2. The free and replicated basic event
probability values are read in and stored in STATE(1,I) and
STATD(1,I). Later on the Vesely-Fussell importance corresponding
to each free and replicated basic event will be stored
in STATE(2,I) and STATD(2,J) respectively.
III.14 DOT, PLUS and MINUP
Procedures DOT, PLUS and MINUP are internally called by
EXPECT to evaluate the occurrence probability for a simple
AND, simple OR and higher order prime module, given the set
of occurrence probability values for all the inputs to the
module. Moreover procedure MINUP is also called by IMPORTANCE
to evaluate the Vesely-Fussell importance value for
events which are inputs to a higher order module.
Given the occurrence probabilities for the set of inputs
to a simple gate PROP structure (Figure 3.36), the probability
of occurrence for the modular gate event will be given by
OR gate: P(M) = PLUS(C_1, C_2, ..., C_n, M_1, ..., M_p)
AND gate: P(M) = DOT(C_1, C_2, ..., C_n, M_1, ..., M_p)
In its present form procedure PLUS uses the rare-event approximation
to evaluate OR gate modular event probabilities. Thus
PLUS(C_1, C_2, ..., C_n, M_1, ..., M_p) = \sum_{i=1}^{n} P_{C_i} + \sum_{j=1}^{p} P_{M_j}
while
DOT(C_1, C_2, ..., C_n, M_1, ..., M_p) = ( \prod_{i=1}^{n} P_{C_i} ) ( \prod_{j=1}^{p} P_{M_j} )
Procedures PLUS and DOT are given by the following statements.
PLUS: PROC(DAT,EXA);
   DECLARE DAT POINTER;
   DECLARE EXA LABEL;
   PT=DAT;
   REX=0;
   IF (PROP.LIM=1 & PROP.TIL(1)=0) THEN GO TO PLUA;
   DO J=1 TO PROP.LIM;
      REX=REX+STATE(1,PROP.TIL(J));
   END;
PLUA: IF (PROP.MIM=1 & PROP.PIM(1)=NULL) THEN GO TO PLUS;
   DO J=1 TO PROP.MIM;
      IF (PROP.PIM(J)->PROP.HOST¬=NULL) THEN DO;
         PR=PROP.PIM(J)->PROP.HOST;
         REX=REX+PER.REL(1);
      END;
      ELSE REX=REX+PROP.PIM(J)->PROP.REL(1);
   END;
PLUS: PROP.REL(1)=REX;
   GO TO EXA;
END PLUS;
DOT: PROC(DAT,EXA);
   DECLARE DAT POINTER;
   DECLARE EXA LABEL;
   PT=DAT;
   /* REX=1 and the four END statements of this procedure are missing */
   /* from the scanned listing; they are restored here from the       */
   /* statement nesting levels and the parallel PLUS procedure.       */
   REX=1;
   IF (PROP.LIM=1 & PROP.TIL(1)=0) THEN GO TO DOTA;
   DO J=1 TO PROP.LIM;
      REX=REX*STATE(1,PROP.TIL(J));
   END;
DOTA: IF (PROP.MIM=1 & PROP.PIM(1)=NULL) THEN GO TO DOTS;
   DO J=1 TO PROP.MIM;
      IF (PROP.PIM(J)->PROP.HOST¬=NULL) THEN DO;
         PR=PROP.PIM(J)->PROP.HOST;
         REX=REX*PER.REL(1);
      END;
      ELSE REX=REX*PROP.PIM(J)->PROP.REL(1);
   END;
DOTS: PROP.REL(1)=REX;
   GO TO EXA;
END DOT;
FIGURE 3.36
SIMPLE GATE MODULAR OCCURRENCE PROBABILITIES
Since higher order modular structures (Figure 3.37) are characterized
by a set of modular minimal cut-sets, their occurrence
probability may be evaluated using the minimal cut upper bound
in its rare-event approximation form (Equation 2.15), i.e.,
P(M) \le \sum_{j=1}^{N_k} \prod_{i \in K_j} P_i
with N_k = total number of cut-sets associated with the prime
gate. Given the occurrence probabilities for each input to
the prime gate, procedure EXPECT will store these values in
a structure QER defined by
1 QER BASED (AT),
  2 QEL FIXED BINARY,
  2 QU (LARG REFER (QER.QEL)) FLOAT;
with PER.DEXTER = AT for the PER structure associated with
a particular prime module. Procedure MINUP will then use the
QER.QU(I) (I = 1,2,...,LARG) values coupled with the set of
MICS VECTORS for the prime module to evaluate its occurrence
probability as follows:
P(M) = MINUP(r_1, r_2, ..., r_n, M_0, M_1, ..., M_w)
FIGURE 3.37
PRIME GATE MODULAR OCCURRENCE PROBABILITY
P(M) = MINUP(r_1, r_2, ..., r_n, M_0, M_1, ..., M_w), with (n + w + 1 = L) and (t = N_k)
/* RELIABILITY CALCULATION */
/* MINUP */
MINUP: PROC(EX);
   DECLARE EX FIXED;
   PR=TIERRA;
   VIT=PER.HECTOR;
   LARG=VIT->VECTOR.LORO;
   REY=0;
   DO WHILE (VIT¬=NULL);
      REX=1;
      VT=VIT;
      DO EL=1 TO LARG;
         POW=SUBSTR(VECTOR.COMP,EL,1);
         IF EL=EX THEN DO;
            IF POW='0'B THEN REX=0;
            ELSE GO TO NUB;
            GO TO NUP;
         END;
NUB:     IF (POW='1'B) THEN NOW=1;
         ELSE NOW=0;
         REM=QER.QU(EL);
         IF (REM=0 & NOW=0) THEN REM=1;
         REX=REX*(REM**NOW);
      END;
NUP:  REY=REY+REX;
      VIT=VIT->FLOOR;
   END;
END MINUP;
As shown in Sections III.15 and III.16, each time procedure
MINUP is called by EXPECT, variable EX equals zero. However
whenever MINUP is called by the IMPORTANCE procedure, to evaluate
nested gate and replicated event Vesely-Fussell importances, the
value of EX is always different from zero.
Procedure MINUP essentially consists of a DO loop in which
pointer VT successively locates a different MICS VECTOR for the
prime gate module. The contribution of each vector to the minimal
cut upper bound is found by multiplying the occurrence probabilities
(QER.QU(EL)) corresponding to non-zero bits in the vector
(i.e. POW=SUBSTR(VECTOR.COMP,EL,1) ¬= '0'B). Finally all the
vector contributions are added together (REY=REY + REX) to obtain
the rare-event approximation to the minimal cut-set upper bound.
Notice however that when EX is different from zero, only
those contributions coming from a vector which has a '1' bit in
the EX-th location are added together (IF POW = '0'B THEN REX
= 0;).
III.15. EXPECT
Modular occurrence probabilities are easily computed by
procedure EXPECT following the same order in which the modules
were originally created by procedure MODULAR. Each time a
PROP structure was created in MODULAR, its pointer location
was stored in array BOST(IB) and variable IB was increased by
one. Hence the set of modular occurrence probabilities is
computed in the desired order by means of the DO loop
DO I = 1 TO IB;
CAT = BOST(I);
PT = CAT;
ESTA:
END;
For the case of simple AND and OR gate modules, their
occurrence probabilities are easily evaluated using the
statements
CALL DOT(CAT,ESTA);
and
CALL PLUS(CAT,ESTA);
where the values for the modular input occurrence probabilities
are guaranteed to have been previously evaluated by EXPECT
because of its recursive computational ordering (DO I = 1 TO
IB;).
Particular care must however be taken for the case of
higher order modular structures (Figure 3.37). For this case
BOOLEAN first allocated the PROP structure associated with
the parent gate (M) and later on allocated the set of PROP
structures associated with each of the nested gates (M1, M2, ...,
Mn) included in the higher order module.
As explained in Section III.4, EXPECT calls procedure
MINUP(EX) (EX = 0) to compute the higher order gate occurrence
probability (PER.REL(1)). However to make this evaluation
possible, it is necessary that EXPECT previously (a) compute
the set of occurrence probabilities corresponding to each
nested simple gate PROP structure (WEST = total number of
nested gates) by calling procedures DOT and PLUS, and that
(b) QER.QU(J) (J = 1,2,...,LARG; LARG = NUM + WEST + 1) be
assigned the set of values associated with each replicated
event and nested gate module contained in the prime gate
module.
This set of tasks is performed by EXPECT through the
following statements:
PL/I OPTIMIZING COMPILER NUMERO: PROCEDURE;
STMT LEV NT
157 2 3 PIT EDIT('REP nODULEs,A,Lst*,TATD(1,NA))
158 2 3 END:
159 2 2 END;
160 2 1 TIP PROP.VAL1tal THEN CALL DOT(CATpLSA):
161 2 1 IF PROP.VALtlRm2 THEN CALL PLTUS(rATr,ELSA);
162 2 1 ELSA: PITT SKIP LIST('PATiVIARCH t118ODriLt');
163 2 1 PUT EDIT(*MODfILE NAME* ,',P P.NAME,'RRLa',PROP.3EL.(1))
(SKIP(1),A (12),P(5),x(2),A(4),E(18.,5)):
1614 2 1 QER.QU(Nf1M+11*PROP.R EL(1).
165 2 1 SAT=PT;
166 2 1 O tNAT1 TO I6N?7T:
16 7 2 2 LAD80OT(rN);
168 2 2 PT=LAOi
1.69 2 2 IP PROP.VALIIEuI THEN CALL DOT(LAD,-LtA);
170 2 2 1F PttOP.YAL*E2 THEN CALL PLUS(LAI,EL1MA);
171 2 2 ELSA: PUT SKIP LIST(*NESTPD MODULE') :
172 2 2 PIT? EDIT('IM0O0T.E NA1Ee'ROP.9.NAMP.'REL*',PROP.REL(1))
(SETP(1) ,A(12),P(5) ,X (2) ,A(4) ,E(18,5))1 .
173 2 2 QEt.QU(NUM+1+tN-t)uPROP.RPL.1):
174 *2 2 END:
175 2 1 1r0;
176 2 1 CALL NINITP(EX)
177 2 1 PER.REL(1)wREY;
178 2 1 PUT SKIP LIST ('PATUIARCH MODULE*)
179 2 1 1=I+NE2T:
180 2 1 PT*BAT;
181 2 1 PUT EDIT('IMODIIL.E NAA',ORO?.HARR,'nELw',PER.RET.(1))
(SKIP(1),A(12),F(5),X(2),A(4),E(18,6)):
1R2 2 1 GO TO EZTA;
/9 STMMF.TRIC CASK */
183 2 1 CUTA: PPOP.REL(1)no:
184 2 1 BATsPT;
185 2 1 IF NTIlM- THEN GO TO CnTR:
186 2 1 DO Jul TO HM1;
187 2 2 QTR.0U (J)-STATE (1, E.TAn (J)):
188 2 2 END;
189 2 1 CUTD: IF NEET0 THEN GO TO CTTC:
190 2 1 DO IX=NUM+1 TO NUM+NEZT:
191 2 2 PTsPER.XKIM (IX-NUM) ;
192 2 2 IF (PlOP.HOSTsNULL) TI RN QFIR.Qt (TX)=PPOP.9 EL (1):
193 2 2 ELSE Q ES.Qff (1 X) -PROP. 1OST->P EP .t (1):
19t 2 2 N D':
195 2 1 CUTC: 3X*1;
196 2 1 CALL mfINUP(!X)
197 2 1 PEP. REL (1).R EY:
198 2 1 PTenAT;
199 2 1 PROP.REL(1)wREY:
200 2 1 PUT SKIP LIST ('5YMM StrMPenDTLF')
201 2 1 PITT RDIT('?1ODU.E NAME',PROP.NAMERELw',PER. REL(1))(SKIP (1),A (12) , F(S), X(2) ,A (4), E(18,6)) :202 2 1 GO TO FZTA;
203 2 1 ESTA: PUT SKIP .IST('FR"E MOD!L E');204 2 1 PUT EDIT('MODUILE INAME',PROTP.NAME,'REL',PROP.REL(1))
(SKIP(1) ,A (12) , (5) ,X (2) ,A(4),ER(18,6));
2Qs 2 1 rTA: END;
206 2 0 END EXPECT:
For the pressure tank fault tree example procedure EXPECT
computes the modular and top event occurrence probabilities
in the following steps
STEP 1 Symmetric higher order module M9
   Y_B = (y_11, y_12, y_13)
   K_1 = (0,1,1)
   K_2
   K_3 = (1,1,0)
   P_11 = P_12 = P_13 = 10^-5
   => P_M9 = 3 x 10^-10
STEP 2 (a) Parent gate sub-module M1
   M1 = {1,2,3,4; U}
   P =10"' , P_2 = P_3 = 10^-5
   => P_M1 = 3.001 x 10^-5
(b) Nested gate module M4
   M4 = {M9}
   => P_M4 = 3 x 10^-10
(c) Nested gate module M5
   M5 = {5,6,7,8,9,10; U}
   P_5 = P_6 = P_7 = P_8 = P_9 = P_10 = 10^-5
   => P_M5 = 6 x 10^-5
STEP 3 Top tree event higher order module M
   Y = (y_r, M1, M4, M5)
   K_1 = (0, 1, 0, 0)
   K_2 = (1, 0, 0, 0)
   K_3 = (0, 0, 1, 1)
   (r = 30001) P_r = 10^-5
   => P(TOP) = 4.001 x 10^-5
III.16 IMPORTANCE
Procedure IMPORTANCE evaluates the Vesely-Fussell importance
(I^{V.F.}) for every modular event and every basic component
in the fault tree. IMPORTANCE performs this evaluation by
starting at the top tree gate event (I^{V.F.}_{TOP} = 1) and proceeding
down to the bottom branch modules of the tree by means of the
modular importance chain-rule (See Section II.5.4.)
For the case of simple AND and OR gate modules, the
modular importance chain rule takes the forms
AND gate: I^{V.F.}_{C_i} = I^{V.F.}_{M}   (i = 1,2,...,n)
OR gate:  I^{V.F.}_{C_i} = I^{V.F.}_{M} P_{C_i} / P_M   (i = 1,2,...,n)
          I^{V.F.}_{M_i} = I^{V.F.}_{M} P_{M_i} / P_M   (i = 1,2,...,p)
For an AND gate module, all its inputs have the same importance
as the module since the probability that any input has
failed given that the AND gate module has failed equals one.
However for an OR gate, the probability that a given input
is in a failed state given that the OR gate has failed is
equal to
P(input has failed) / P_M
Notice that the required modular occurrence probabilities
(P_M and P_{M_i}) were previously computed by EXPECT. For the case
of higher order modular gates (Figure 3.37) the modular
importance chain rule in the rare-event approximation takes
the form
I^{V.F.}_{r_i} = I^{V.F.}_{M} ( \sum_{j, r_i \in K_j} P(K_j) ) / P(M)   (i = 1,...,n)
I^{V.F.}_{M_i} = I^{V.F.}_{M} ( \sum_{j, M_i \in K_j} P(K_j) ) / P(M)   (i = 0,...,w)
with P(M) = \sum_{j=1}^{t} P(K_j)
It should be recalled that the occurrence probability for a
higher order module P(M) was computed in EXPECT by calling
procedure MINUP(EX) with EX = 0. Nevertheless the expression
appearing in the numerator
\sum_{j, x \in K_j} P(K_j)   (x = r_i or M_i)
is yet to be evaluated by IMPORTANCE. To this end procedure
MINUP(EX) will be called with variable EX locating the position
in the VECTOR.COMP bit-string which corresponds to input
x (See Section III.14).
Procedure IMPORTANCE starts out by assigning importance
values to all modular and component inputs to the top gate
event (first generation), and at the same time stores in
array OLM(BUM) all the pointer locations for the modular
gate inputs to the top gate module. This task is performed
for simple and prime gate top event modules by the following
statements
* IPORT&NCE (VESELY- PU
IMPORTANCF: . PROC;
SUG=1;
PTuSTORK;
IF PROP.IIOST-wNULL THEN GO TO IRA;
SSELL)
BtIM=PR1OP. NIM:
ALLOCATT OLM (SU.)
OLMuPROP.PIM;
PROP. IEL (2) a ;
PITT EDIT ('MODULE',PROP.AM.,IMP!',PROP.REL (2))
(SICIP(I) ,A (7),P?(5) ,A (4) , E(18,6));
IF PROP.VALUE=1 THEN DO-
IF (Pr-P.LINz1 C PROP.TIL(1)wO) THEN GO TO INE;
00 Il TO PROP.LIMI
STATE(2,PROP.TIL(I))=1;
END;
END:
IF PROP.VALUPF2 TrEN DO:
I? (PROP.LINzl PROP.TTL(1)=n) TifEN GO TO tME;
Do 1=1 TO PROP.LIM;
STATE (2, PROP. TIL (I) ) -STATE (1 ptmr.T'r. (I)) /Ppop.
END;
END;
GO TO IME;
/* CUT SET CASE */
IRA: PrvPROP.-lOST:
IF (PROP.MIM-1 F PROP.PIM(1) NUT..) THEN 00;
END;
ELSE DO;
SUBVPROP.MIM;
Styx a 1;
END;
fUM=OUl+PE.LEAL;
00 IK-1 TO PFP.RAi;
MAwPER.TAR (TK) ;
DA=-CEIL (-MA/l00flO):
JA--CEtL (-MA/1000);
JAKmJA-10*DA;
9 EL (1) -
245 2 1 IF JAK*9 THEN 00;
246 2 2 suMwO11M#1; .
247 2 2 END;
248 2 1 END;
249 2 0 8lV7=fT l- ii
250 2 0 ALLOCATE OLN (fltM) :
251 2 0 IF StTN*O TUEN DO:
252 2 1 aft:
253 2 1 Go TO InA0;
254 2 1 END;
255 2 0 00 I*1 TO PROP.NM;
256 2 1 OL (?)-aPROP.PIN(I):
257 2 1 ENO:
258 2 0 INA0: DO tLT*+1 TO SUM-tU!:
259 2 1 OLI (IL) *PER.KIN (IL-I);
260 2 1 IND;
261 2 0 IF (80JmO) THEN DO;
262 2 1 00 1sl TO PIR.tALn
263 2 2 N&=Pt.?AR(XX):
264 2 2 DAW-C ?I L (dA/10000)
265 2 2 JAz-CIL(-ilA/1000):
266 2 2 JAK*JA-10*OA;
26T 2 2 IF (JAKs9) TRFN DO;
268a 2 3 O Xv1 TO RmnO;
269 2 4 IF (TRIfl(IX)vKA) THIN GO TO TNA4:
270 2 4 END:
271 2 3 INA4: OLM(IL)*PRIN(IX)+>AP.SPIT:
272 2 3 PUT EDIT(tINDEXw.IL,'POP-*,OLM(IL)->PROP.NAME)
(SRIP (1) , A (6) , P (r)) ,A (5) , P (5)):
273 2 3 tt*IL+1
274 2 3 END:
275 2 2 END;
276 2 1 END:
277 2 0 PER . RIL (2) 1:
278 2 0 PTT EDT?('PATR-,4r OP.NAT, 'IM',P!?P. ML(2))
279 2 0 IF PROP.VAT.;1"2 TfEN GO TO TNA2:
200 2 0 IF PROP.VALUE21 TIEN DO!
291 2 1 IF (PROP.LIM*1 9 Pf0OP.TIL(1)w0) TIEM DO :
282 2 2 PROP.NEL(2)=0;
283 2 2 00 TO IRA1;
284 2 2 END:
285 2 1 PRtOP.R7L(2)1l
286 2 1 00 Is1 TO PROP.L.IM;
287 2 2 STATE(2,PROP.T1L(I))a1:
288 2 2 END;
289 2 1 END:
290 2 0 IF PUnP.VALUi.s2 TH1N fl*:
211 2 1 T? (PROP.LIM-1 F- PROP.TTIL(1)0) T11?N DO;
29 2 2 2 PROP.RFL(2)-0;
293 2 2 GO TO IMA1;
294 2 2 END:
295 2 1 PROP.RFL(2)-PROP. RL(1)/PRR.rRL(1);
296 2 1 -DO I-1 TC P90P.LIM:;
297 2 2 STATE(2, PROP.IIL (1) ) STATT'(IPrlOP.TIL (T))/P.R.REL (1);
298 2 2 END;
2499 2 1 END;
300 2 0 IMA1: DO 1-1 TO PER.RA3;
30 1 2 1 EX*I:
302 2 1 TIERRA-P;
303 2 1 QT=PPR.rl'V?n:
304 2 1 CALL MTNDJP(X)
305 2 1 PUT EDIT('I',I,.'PE.TAR=',PFR.TAP(r),'RoY=, riy)
(SKIP (2) , A (2) ,F (5) , A (0), (5) ,A (4) , 18,) ) ;
306 2 1 - MAsPER.TAP (I) ;
307 2 1 DA-CEIL (-.4A/10000):
308 2 1 JAu-CEIL(-MA/1000)
309 2 1 JAK-JA-10*DA:
J10 2 1 NA-MA-(1000)*JA;
311 2 1 IF (JAK-e=2) THEN STATD(2,NA) REY/PER.RFL (1)
312 2 1 IF (JAK-2) THEN DO;
313 2 2 SNOT*RE/PER.REL(1) 
-
314 2 2 PUT EDTT('NOTSTAT?3,M Ai'IMP-',SNOT)
(SKIP(2),A(9),F(5),X(2),A(4),E(18,6)):
3115 2 2 END:
316 2 1 END;
317 2 0 GO TO IME;
/* SYM METRIC CASE */
318 2 0 INA2: PROP. REL (2) 0o;
319 2 0 IF (PER.RAMa1 & PEP.TAR-(1)m0) THEN GO TO IM P
320 2 0 E.SE DO I=1 TO PER.RAMI
321 2 1 E (TI
322 2 1 END;
323 2 1 QT=POg. nEXTER
32 4 2 1 CALL 3INlP (FX);
325 2 1 PUT EDIT ('I=', I,'PER. TAR 'PER.TA R (I) ,'RIRY* ,RT)
326 2 1 -STATE (2, PER. TAR (I)) -REY:
327 2 1 END;-
328 2 0 GO TO IME:
At this point IMPORTANCE is ready to assign importance
values to the second generation of fault tree inputs, and
at the same time to store the pointers locating the second
generation modules. This process is then continued
until a generation (the last generation) is found which contains
no modular inputs (i.e., no gates). IMPORTANCE performs
this task by means of a DO loop which stops when the
last generation is found (=> BUG = 0).
Each generation of modules GOLD(BUG) is created by passing
on the old value of array OLM(BUM) found in the previous
sweep. Moreover, a new generation of module pointers
is created and assigned to OLM(BUM) with the following
statements
/W LOOP STARTS I1MP */
329 2 0 Ift1: DO WfIt.(BUG-.*0) :
330 2 1 BUGM8Ufl:
331 2 1 PfT LIST ('UGm', PUG)
332 2 1 IF (DUG:0) THEN GO TO I11E:
333 2 1 ALLOCATE GOLD (DUG) ;
334 2 1 DO Z1 TO RUJG:
335 2 2 GOLD(I)*LN(T):
336 2 2 PITT PIT('GOLD', I,*PROPv' ,GULD(T)-> ft'P.NAfME)
337 2 2 END;
33R 2 1 F1PF Op.M:
339 2 1 DUTMS0;
340 2 1 DO I1 TO BUG:
341 2 2 PTWGOLD(I);
342 2 2 I? PROP.itOSTNULL THEN DO;
343 2 3 IF (PROP.11IN11 f PROP.PIfL(1)aNtI1LL) THEN GO TO 1113;
344 2 3 ELSE Bumefiin+PRoP.nrI;
345 2 3 GO TO IR3:
346 2 3 IN r;-
347 2 2 ELSE PRWOP.HOST:
348 2 2 17 (PROP.MTM=1 & PROP.PEM (1) NfTtL) THFN GO TO INE2;
349 2 2 ELSE BTINaftin+PROP. (It M1
350 2 2 InE2: IF (PEV.LEAL1 & PEP.KIT1(1)=HULL) THSN GO TO Il1;
351 2 2 ELSE BrIM=SUM+PER.LEAL:
352 2 2 IHE1: DO IX1l TO PER.RANI:
313 2 3 NAaPER.TAR(IX);
354 2 3 DA=-CFTL (-MA/10000) :
35 2 3 JAr-CEIL (-MA/1000);
356 2 3 JAKwJA-10*DA;
397 2 3 IF JAK-9 THEN DOI
358 2 4 ' 01113 !+11 + I
319 2 4 END;
360 2 3 END;
361 2 2 IME3: END:
362 2 1 Ir Dlinw0 THEN GO TO TM113
363 2 1 ALLOCATE OLM (BUM)
364 2 1 L-(;
365 2 1 DO I=1 TO 811G:
366 2 2 PTzGOLD(I);
367 2 2 IF PROP.HO9TVNULL THEN DO:
368 2 3 IF (PROP.MIM=1 6 PROP.PIM (1)NILL) THrEN GO TO 11114:
369 2 3 DO IT=1 TO PROP.MXI:
370 2 4 tL=IL+1
371 2 4 OLN (IL) =PROP. PIM. (IT)
372 2 4 END:
373 2 3 GO TO I1I4:
374 2 3 END;
375 2 2 ELSE PRIIPROP. HOST:
376 2 2 PIT EDIT ('10ST',' PROP' ,PROP. NAM?)
377 2 2 IF (P1?0P.NIM=1 r. PROP.PLN(1)NTItLL) TIEN GO TO 1I12;
378 2 2 DO IT-1 TO PROP-MIM: -
379 2 3 IL=IL+Il
380 2 3 OLM(IL)12PROP.PI M(IT):
381 2 3 END:
382 2 2 IMI2: IP (PER. LEAL=1 P't?.KIM (1)=N 1LT.T) TITEN1 GO TO II1:
383 2 2 DO IT=1 TO PED.LEAL:
384 2 3 ILIL+1:
385 2 3 OLM (IL)=PER.KIlM(IT):
186 2 3 END;
3n7 2 2 I111: no IK=1 TO PER.RAM;
391P 2 3 MA-PFR.TAR(TK)
33I9 2 3 DA--CETL(-MA/10000);
390 2 3 JA-CEIL(-MA/1000);
391 2 3 JAK=JA-10*DA:
392 2 3 IF JAK=9 THEN DO;
393 2 4 DO 11=1 TO RMOD:
394 2 5 IF (TRIM(IX)-A) THEN GO TO IMK1;
395 2 5 END;
396 2 4 IMK1: OL.l(IL+1) PPIN (tXT->AP.SPIT:
397 2 4 IL=IL+1:
3918 2 4 END;
399 2 3 - ND:
400 2 2 IMI4: ND:
In addition, the set of basic component and modular gate
inputs to the older generation of modules pointed at by
GOLD(I) are assigned importance values with the following
statements
/* ASSIGN IMPORTANCES Or OLDER GENERATION */401 2 1 IMI3: DO i=1 TO BUG;
402 2 2 PT=GOLD(I);
403 2 2 CAT=PROP.ROOT:
404 2 2 IF (CAT->PNOP.TIP0=0) THFEN DO;405 2 3 APT-CA?;
106 2 3 MA2AP. NAP;
407 2 3 JAz-CFIL(-MA/1000);
408 2 3 NA-MA-(1000)*JA:
409 2 3 IF(PPOP-11OST,=NULL) THEN DO410 2 4 PRxPROP.HOST;
411 2 4 TIERRA-PP;
412 2 4 QT2PER.DFXTER
413 2 4 PER.REL(2)STATD(2,NA)
414 2 4 GO TO 1NK3:
415 2 4 END'416 2 3 EtSr PROP.REL (2) xSTATD(2,NA)
DA2-CEIL(-MA/100O)
JA=-CEIL(-MA/1000)
JAK=JA-10*DA:
NA=MA-1000*JA:
IF (JAK,=2) THTEN STATO(2,4A)=PET*PER. REL (2) /PER. REL (1)
IF JAK-2 THEN DO:
SNOT=RVY*PFR.RPL (2)/PER.RL(1)
PUT EDIT('NOTSTATw=',IA,.'INPu',sNOT)
(STKIP(2) ,A(9) ,F(5) ,X(2),A(4) ,E(18,6));
END:
END;
GO TO AME;
/* NESTED CASE */
E3A2: PR=CAT->PROP. ROST;
TIERRA*PR:-
QT=PER.DEITER;
00 ITl TO PER.LEAL;
IF PER.KIN(IT)*COLD(I) THEN GO TO EM.A3;
END:
GO TO IMK4:
EMA3: I? CAT->PROP.VALUF<=? THEN rXPT+1+P0R.RAM-:
ELSE tr (PFR.RAMfl1 , PPR.TAR(1)=0) TITM X=IT:
ELSE EX=rT+PER.RAM:
CAL. MINUP(EX);
Ir (PROP.UOST.sNULL) TaifTN ;n
PROP.EtOSf->PEP. RFL (2) rTE*PfPR RET. (2) /PP. REL (1);
PR=PROP.lHOST;
TIERRA*Pg9
QT=PFR.rr.%TP:
GO To INK3;
ENn:
ELSE PROP.REL(2)=EY*PER.RFLt(2) /PP.?.PEL(1)
IF PROP.VALUEal THEN DO:
I(PROP.IrM=1 & PROP.TlT.(1)=0) THEN GO TO AME;
ELSE Do IT=1 TO PrOP.LTI;
STATE(2,PROP..TIL(IT) )PROP'.R 1L(2)
END;
ENPR AE T 0
I (PROP.VALUE= THEN DO:
IL (PROP.LITrl TC PROP.TXL(1) 20)THRU GO TO ANN
RLS(DO .TIL TO POP.LT(:
STATP.(2 1 PROP.TL(IT))ST(1,PRP.TIL(I))P)OP.L(P;(2)
PROP.RFL(E);
END:
AflE: END:
FREE GOLD;
END:
PUT SKrP(2) LIST('VESPLY-F'SSPLL IMPOPTANCES')
PUT SKIp(2) t.IT('FREE EVENTS')
DO 11 TO FIINl
PUT SKIP DATA (rSTATE(2,I)):
END;
PnT SKIP(2) LIST('RErLICATED EVENTS');
DO t-1 TO DUN;
PUT SKIP DATA (I,STATD(2,I))
END;
PUT SKIP(2) LIST('qMODU(LFS')
DO '-I1TOT IO
PTwDOST(t):
PUT EDIT('MODtILE NAMFE',Por.NAEe TtpePROP.RNL(2))
(S I () A(12),?(-,),X(2),A(4), (8 6 )
I? (PROP.IIO8T,=NnLL) TITF13N DO:
PT EDlIT('Iir='PRO.ln'T->PEn.REL (2))
END;
END:
END IMPORTANCE:
END NtIMERO;
For the pressure tank fault tree example, procedure
IMPORTANCE assigns the modular and basic event Vesely-Fussell
importance values in the following steps
STEP 1
   I^{V.F.}_{TOP} = 1
   I^{V.F.}_{r} = P_r / P(TOP) = 2.49937 x 10
   I^{V.F.}_{M1} = P_M1 / P(TOP) = 7.500625 x 10
   I^{V.F.}_{M4} = I^{V.F.}_{M5} = P_M4 P_M5 / P(TOP) = 4.49887 x 10
   I^{V.F.}_{1} = I^{V.F.}_{M1} P_1 / P_M1 = 2.49937 x 10
   I^{V.F.}_{2} = I^{V.F.}_{3} = I^{V.F.}_{4} = I^{V.F.}_{M1} 10^-5 / P_M1 = 2.49937 x 10
STEP 2
   I^{V.F.}_{M9} = I^{V.F.}_{M4} = 4.49887 x 10^-10
   I^{V.F.}_{5} = I^{V.F.}_{6} = I^{V.F.}_{7} = I^{V.F.}_{8} = I^{V.F.}_{9} = I^{V.F.}_{10}
      = I^{V.F.}_{M5} 10^-5 / P_M5 = 7.49812 x 10
STEP 3
   I^{V.F.}_{11} = I^{V.F.}_{12} = I^{V.F.}_{13} = I^{V.F.}_{M9} 2x(10^-5)^2 / P_M9 = 2.99924 x 10^-10
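The EXPECT and IMPORTANCE worked examples for the pressure tank tree can be reproduced with a short Python sketch of MINUP and the importance chain rule; this is an added example, not PL-MOD code, and every function and table name in it is chosen here. It assumes P_1 = 10^-8 (inferred from the stated total 3.001 x 10^-5), K_2 = (1,0,1) for module M9, and an OR gate for the single-input module M4, since the scan does not show those values.

```python
from math import prod

def minup(q, cut_vectors, ex=0):
    """Rare-event minimal cut upper bound over cut-set bit vectors.

    ex = 0: every vector contributes (the call EXPECT makes).
    ex = k: only vectors with a 1 in position k (1-based) contribute, which is
            the numerator of the higher order chain rule (the call IMPORTANCE makes).
    """
    total = 0.0
    for vec in cut_vectors:
        if ex and not vec[ex - 1]:
            continue
        total += prod(p for p, bit in zip(q, vec) if bit)
    return total

# Basic event probabilities from the worked example (constructed table).
BASIC = {str(i): 1e-5 for i in range(2, 14)}
BASIC["1"] = 1e-8   # assumption: exponent lost in the scan, inferred from P_M1
BASIC["r"] = 1e-5   # replicated event 30001

# name -> (gate kind, inputs, cut-set vectors for prime gates)
MODULES = {
    "M9": ("PRIME", ["11", "12", "13"],
           [(0, 1, 1), (1, 0, 1), (1, 1, 0)]),   # middle vector is an assumption
    "M1": ("OR", ["1", "2", "3", "4"], None),
    "M4": ("OR", ["M9"], None),                  # single input: gate kind assumed
    "M5": ("OR", ["5", "6", "7", "8", "9", "10"], None),
    "TOP": ("PRIME", ["r", "M1", "M4", "M5"],
            [(0, 1, 0, 0), (1, 0, 0, 0), (0, 0, 1, 1)]),
}

def expect(name, basic, modules, prob):
    """Occurrence probability of an event or module, evaluated bottom-up."""
    if name in basic:
        return basic[name]
    if name not in prob:
        kind, inputs, cuts = modules[name]
        q = [expect(x, basic, modules, prob) for x in inputs]
        if kind == "AND":
            prob[name] = prod(q)            # DOT
        elif kind == "OR":
            prob[name] = sum(q)             # PLUS, rare-event approximation
        else:
            prob[name] = minup(q, cuts)     # MINUP with EX = 0
    return prob[name]

def importance(top, basic, modules):
    """Vesely-Fussell importances, generation by generation from the top.

    Assumes each module and event has a single parent, as in this example.
    """
    prob = {}
    expect(top, basic, modules, prob)
    imp = {top: 1.0}
    pending = [top]
    while pending:
        name = pending.pop()
        kind, inputs, cuts = modules[name]
        q = [expect(x, basic, modules, prob) for x in inputs]
        for k, child in enumerate(inputs, start=1):
            if kind == "AND":
                share = 1.0
            elif kind == "OR":
                share = q[k - 1] / prob[name]
            else:
                share = minup(q, cuts, ex=k) / prob[name]
            imp[child] = imp[name] * share
            if child in modules:
                pending.append(child)
    return prob, imp

PROB, IMP = importance("TOP", BASIC, MODULES)

if __name__ == "__main__":
    for key in ("M9", "M1", "M4", "M5", "TOP"):
        print(f"P({key}) = {PROB[key]:.6e}")
    for key in ("r", "M1", "M4", "M5", "1", "2", "M9", "5", "11"):
        print(f"I({key}) = {IMP[key]:.6e}")
```
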
CHAPTER FOUR
NUCLEAR REACTOR SAFETY SYSTEM FAULT TREE EXAMPLES
IV.1. Introduction
The PL-MOD code was used to analyze a number of nuclear
reactor safety system fault trees, and its performance and
results were compared to those obtained using the minimal
cut-set generation codes PREP and MOCUS.
The safety systems analyzed included:
(a) A Triga Scram Circuit [14] fault tree
composed of 22 simple AND and OR gates,
a 3-out-of-4 symmetric gate, 20 non-replicated
basic events and 2 replicated
events.
(b) A Standby Protective Circuit [1 fault
tree composed of 19 gates, 24 non-replicated
basic events and 5 replicated basic
events.
PL-MOD executed the modularization
of the SPC fault tree in a time comparable
to that taken by MOCUS (.034 min.) to
list the set of 100 minimal cut-sets
associated with the fault tree. However,
the execution time taken by PREP's deterministic
routine COMBO was about 6 times
longer (2 min.).
(c) A PWR High Pressure Coolant Injection
System [2] reduced fault tree composed
of 59 non-replicated gates, 4 replicated
modular gates, 142 non-replicated
basic components and 9 replicated
basic components.
The execution time taken by PL-MOD
to modularize this larger tree was
about 25 times smaller (.081 min.)
than that taken by MOCUS (2.015 min.)
to generate the set of 2724 single,
double, and triple fault cut-sets
associated with the fault tree.
IV.2. Triga Scram Circuit
A simplified diagram of the TRIGA Scram Circuit CLa is shown
in Figure 4.1, while Figure 4.2 shows the fault tree describing
the possible combination of events causing a failure of the
reactor to scram as required when the steady state reactor
power exceeds a one megawatt level.
The TRIGA circuit is turned on when an operator pushes
the "power-on" switch. An operator key switch is placed in the
reset position to momentarily energize relays R19 and R20, which
in turn energize relays R7 to R12. The lower "B" contacts of
each of the relays receive voltage from one of the corresponding
instrument channels, thus maintaining the coils energized. The
upper "Al" contacts will maintain relay K1 energized and thus
provide power to the magnets and solenoid valve. However, when
any instrumentation channel interrupts its voltage supply to
the corresponding relay, a scram control rod drop should occur
due to a de-energized scram magnet or solenoid valve.
FIGURE 4.1 TRIGA Scram Circuit
FIGURE 4.2 TRIGA Scram Fault Tree
For a successful TRIGA reactor shut-down, at least 2 out
of the 4 control rods must be inserted in the reactor. Hence
G2 is a 3-out-of-4 symmetric gate, since it is necessary that
3 out of the 4 control rod drop mechanisms fail to cause a
TRIGA scram system failure. Notice that since relay K1 is
common to each of the four rod-drop mechanisms, gate G8 may
be taken as a direct input to gate G1.
In Table 4.1 the nomenclature identifying each basic
event as well as its description and failure rate are given.
The failure data are expressed in failures per cycle (there
are 300 cycles per year assumed).
The modular structure determined by PL-MOD for the TRIGA
scram fault tree is as follows:
G2: Symmetric 3-out-of-4 module
Y^B = (Y_G3, Y_G5, Y_G6, Y_G7)
K1 = (1, 1, 0, 1)
K2 = (1, 0, 1, 1)
K3 = (0, 1, 1, 1)
K4 = (1, 1, 1, 0)
G3 = {1, 15; U}
G5 = {2}, G6 = {3}, G7 = {4}
TABLE 4.1
TRIGA SCRAM CIRCUIT BASIC EVENT DATA

PL-MOD      Alphanumeric  Event                                              Failure Rate
Identifier  Identifier    Description                                        (Per Cycle)
1           PE-1          Solenoid Valve fails to open                       10^-4
2           PE-2          Electromagnet Safety rod shorts to ground          10^-5
3           PE-3          Electromagnet of Shim rod shorts to ground         10^-5
4           PE-4          Electromagnet of Regulating rod shorts to ground   10^-5
5           PE-5          K1 Contacts fail to open                           10^-5
6           PE-6          K7A Contacts fail to open                          10^-5
7           PE-7          K8A Contacts fail to open                          10^-5
8           PE-8          K9A Contacts fail to open                          10^-5
9           PE-9          K19A Contacts fail to open                         10^-5
10          PE-10         K19B Contacts fail to open                         10^-5
11          PE-11         K19C Contacts fail to open                         10^-5
12          VE-1          Mechanical jamming of control rods                 10^-6
13          VE-2          Gross movement of core                             10^-6
14          VE-3          Control rods are of insufficient worth             10^-6
15          VE-4          Air Tube to Piston Chamber clogged                 10
16          VE-5          Linear Channel remains energized when P>1MW        10~
17          VE-6          % Power Channel remains energized when P>1MW       10~
18          VE-7          Period Channel fails to de-energize when T<3 sec.  10^-4
19          HE-1          T<3 sec when P>1 MW                                0.5
20          HE-2          T 3 sec when P 1 Mw                                0.5
30001       VE-8          Reset Switch sticks in reset position              10"'
30002       VE-9          External Force preventing switch from opening      10^-5
G9: Higher Order Module
(r1 = 30001, r2 = 30002)
Y^B = (r1, r2, Y_M9, Y_G10, Y_G13, Y_G17, Y_G18, Y_G19)
K1 = (0, 0, 1, 1, 1, 1, 0, 0)
K2 = (1, 0, 1, 0, 0, 1, 0, 0)
K3 = (0, 1, 1, 0, 0, 1, 0, 0)
K4 = (0, 0, 1, 1, 1, 0, 1, 1)
K5 = (1, 0, 1, 0, 0, 0, 1, 0)
K6 = (0, 1, 1, 0, 0, 0, 1, 0)
G1: TOP gate event
G1 = {5, 12, 13, 14, G2, G9; U}
Hence basic events 5, 12, 13 and 14 correspond to single event
minimal cut-sets.
A list of all modular and single event minimal cut-set
event occurrence probabilities (P) and Vesely-Fussell importance
measures (IV.F.) computed by PL-MOD for the fault tree after one
cycle period is given in Table 4.2.
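The occurrence probability and Vesely-Fussell importance bookkeeping for the G2 branch (the symmetric 3-out-of-4 module over G3, G5, G6, G7) can be reproduced with the following Python code, which is an added example and not part of PL-MOD or of the original report. Assumptions: module probabilities are taken as the sum of their minimal cut-set probabilities, an input's importance is its parent's importance times the share of the parent's probability carried by cut sets containing that input, event 15 is given a rate of 1e-5 because its exponent is not legible in Table 4.1, and P(G1) is taken from Table 4.2.

```python
from itertools import combinations
from math import prod

# Per-cycle failure probabilities of the basic events under G2 (Table 4.1).
# ASSUMPTION: the exponent for event 15 is not legible in the table; 1e-5 is
# used here because it reproduces the printed module values.
BASIC = {1: 1e-4, 2: 1e-5, 3: 1e-5, 4: 1e-5, 15: 1e-5}

# Modular structure of G2 as listed in the text: name -> (gate, k, inputs).
MODULES = {
    "G3": ("OR", None, [1, 15]),
    "G5": ("OR", None, [2]),
    "G6": ("OR", None, [3]),
    "G7": ("OR", None, [4]),
    "G2": ("KOFN", 3, ["G3", "G5", "G6", "G7"]),
}

P_TOP = 3.3007e-5  # P(G1) as printed in Table 4.2


def cut_sets(name):
    """Minimal cut sets of one module, expressed over its direct inputs."""
    kind, k, inputs = MODULES[name]
    if kind == "OR":
        return [(x,) for x in inputs]
    if kind == "AND":
        # An AND gate with no inputs yields one empty cut set, so its
        # probability below is 1, the rule the text gives for "empty" gates.
        return [tuple(inputs)]
    if kind == "KOFN":
        return list(combinations(inputs, k))
    raise ValueError(f"unknown gate type {kind!r} for {name}")


def probability(node):
    """Sum of cut-set probabilities (independent inputs, rare events)."""
    if node in BASIC:
        return BASIC[node]
    return sum(prod(probability(i) for i in cs) for cs in cut_sets(node))


def importances(node, own, out=None):
    """Propagate Vesely-Fussell importance from a module down to its inputs."""
    out = {} if out is None else out
    out[node] = own
    if node in BASIC:
        return out
    total = probability(node)
    for child in MODULES[node][2]:
        # Probability carried by the cut sets that contain this input.
        share = sum(prod(probability(i) for i in cs)
                    for cs in cut_sets(node) if child in cs)
        importances(child, own * share / total, out)
    return out


def triga_g2():
    """Return P(G2) and the importances of G2 and everything below it."""
    p_g2 = probability("G2")
    return p_g2, importances("G2", p_g2 / P_TOP)


if __name__ == "__main__":
    p, imp = triga_g2()
    print(f"P(G2) = {p:.3e}")
    for node, value in imp.items():
        print(f"I({node}) = {value:.4e}")
```

With these inputs the code gives P(G2) = 3.4 x 10^-14, an importance of about 1.0301 x 10^-9 for G2 and about 6.97 x 10^-10 for each of G5, G6 and G7, which are the values printed in Table 4.2.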
IV.3. Standby Protective Circuit
Figures 1.1 and 1.2 given in the thesis' Introduction
illustrate a standby Protective Circuit System's diagram and
fault tree [.I. This system is similar to reactor protective
circuits and is normally found in a standby mode. The purpose
of the system is to recognize an abnormal pressure or level
condition and then close a relay which initiates other action.
TABLE 4.2
OCCURRENCE PROBABILITIES AND VESELY-FUSSELL
IMPORTANCE VALUES FOR THE TRIGA SCRAM FAULT TREE

Module   P                IV.F.
G1       3.3007 x 10^-5
G9       2.0072 x 10^-5   6.0614 x 10^-1
G10      1.2 x 10^-4      2.1816 x 10^-4
G13      1.2 x 10^-4      2.1816 x 10^-4
G17      0.5              3.0318 x 10^-1
G18      0.5              3.0296 x 10^-1
G19      1.2 x 10^-4      2.6176 x 10^-8
G2       3.4 x 10^-14     1.0301 x 10^-9
G3       1. 4             10-
G5       10^-5            6.97 x 10^-10
G6       10^-5            6.97 x 10^-10
G7       10^-5            6.97 x 10^-10

Single Event Cut-Set   P        IV.F.
5                      10^-5    3.0296 x 10^-1
12                     10^-6    3.0296 x 10^-2
13                     10^-6    3.0296 x 10^-2
14                     10^-6    3.0296 x 10^-2
The fault tree's top event corresponds to a failure of
relay R3 contact #1 to close. Normally relays R1, R2 and R3
are deenergized. Relay R1 receives power if one of the branches
of contacts in line with it permits current to flow (such as
contacts LSA #1 and LSB #1). To be energized relay R2 requires
that either contact R1 #1 or both manual switch MS1 and MS2 be
closed. Relay R3 becomes energized if one pressure switch
(PSA, PSB, or PSC) and the contact associated with relay R2
are closed (test switches TS1 and TS2 are not included in the
fault tree). The nomenclature and unavailability data for each
basic event are given in Table 4.3.
The minimal cut-set description for the SPC fault tree
was given in Table 1.1 in the Introduction, while its modular
structure determined by PL-MOD is as follows:
G12 = {4, 7; U}   G13 = {5, 8; U}   G14 = {6, 9; U}
G6 = {G12, G13, G14; ∩}   (Triple cut-sets)
G8 = {17, 18, 19, 20, 21, 22; U}
G16 = Higher Order Module
Y^B = (r1, r2, r3, r4, r5, Y_M16, Y_G17, Y_G18, Y_G19)
K1 = (1, 0, 0, 0, 0, 1, 0, 0, 1)
K2 = (1, 0, 1, 0, 0, 1, 0, 0, 0)
K3 = (1, 0, 0, 1, 0, 1, 0, 0, 0)
K4 = (1, 0, 0, 0, 1, 1, 0, 0, 0)
K5 = (0, 0, 1, 0, 0, 1, 0, 1, 0)
K6 = (0, 1, 1, 0, 0, 1, 0, 0, 0)
TABLE 4.3
STANDBY PROTECTIVE CIRCUIT BASIC EVENT DATA
PL-MOD Identifier
Alphanumeric Identifier
Event Description
Unavailability Per Demand
N. 0. R1
N. 0. R2
N.O.R3
APS
BPS
CPS
N. 0. AP
N.O.BP
N.O.CP
F1
F2
BAT
WSC
R1
R2
R3
MS1
MS2
N.0.MS1
N. 0. MS2
OP.MS1
OP.MS2
NO.J LSA#2
NOJ LSB#2
NO. LSA#l
NO. LSB#l
ALS
BLS
CLS
1
2
3
4
5
6
7
8
9
l.lxl0~
4.3x10 4
3x10~4
1.1x10-3
1.1x10~4
Normally open con-
tacts fail
open
Pressure sensor
fails
Normally Open Pres-
sure sensor contacts
fail open
Fuse Fails Open
Battery Fails
Wires short in cir-
cuit
Relay Fails on
Demand
Manual switch fails
to function on
demand
Manual Switch fails
to close
Operator does not 
-3initiate manual switch 10
Normally Open Level
Sensor Contact fails 4.3x10~
Open
Level sensor fails
3.6x10- 5
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
20003
20004
20001
20002
20005
10 -
K7 = (0, 0, 1, 0, 1, 1, 0, 0, 0)
K8 = (0, 1, 0, 0, 0, 1, 0, 0, 1)
K9 = (0, 1, 0, 1, 0, 1, 0, 0, 0)
K10 = (0, 1, 0, 0, 1, 1, 0, 0, 0)
K11 = (0, 0, 0, 1, 0, 1, 0, 1, 0)
K12 = (0, 0, 0, 1, 1, 1, 0, 0, 0)
with r1 = 20001, r2 = 20003, r3 = 20002, r4 = 20004,
r5 = 20005, and
M16 = {empty set}
G17 = {empty set}
G18 = {23}
G19 = {24}
G9 = {1, 4, G16; U}
G7 = {G8, G9; ∩}   (Double and Triple cut-sets)
TOP EVENT: G = {2, 3, 10, 11, 12, 13, 15, 16, G6, G7; U}
Hence (2, 3, 10, 11, 12, 13, 15, 16) are single event
cut-sets.
In Table 4.4 a list is provided of all modular and single
event minimal cut-set unavailabilities (U) and Vesely-Fussell
importance values (IV.F.) computed by PL-MOD for the SPC fault
tree.
TABLE 4.4
UNAVAILABILITIES AND VESELY-FUSSELL IMPORTANCE MEASURES
FOR THE STANDBY PROTECTIVE CIRCUIT FAULT TREE
U
3.2204x10-3
1.489x10 1 0
4. 4115xl0-7
2.092x10- 3
2 .1087x10~4
5.3x10-4
5.3x10- 4
5.3x10-4
8.748x10-7
1.1x10-4
1
4.623x10-8
1. 37x10-4
1. 37x10-4
1. 37x10-4
4.623x10-8
4.623x10-8
4.623x10-8
5.6827x10-7
3.858x10-8
3.858 x10-8
Single Event Cut-Set
2
3
10
11
12
15
16
U
1.1x10~ 4
1. lx10'4
3x10-4
3x10~ 4
1.1xl0-3
10-4
IV. F.
3 . 416 xl0 -2
3. 416x10-2
9 .315x10-2
9 . 315xl0- 2
3. 416x10-1
3.105x10-2
3 .105x10-2
Module
G6
07
G8
G9
G12
013
G14
G16
G18
G19
z V.F.
IV.4. High Pressure Injection System for a Pressurized Water
Reactor
The PWR High Pressure Injection System (HPIS) is a part of
the emergency coolant injection system (ECIS) which provides a
high pressure source of emergency cooling water to the reactor
coolant system (RCS) [2d. The HPIS is mainly used for small
loss of coolant accident (LOCA) or secondary (steam) ruptures
such that the RCS pressure is not low enough for use of the low
pressure injection system (LPIS) or accumulator injection.
Figure 4.3 shows a simplified system diagram for the HPIS.
The high pressure charging pumps are used to draw water from
the refueling water storage tank (RWST) and inject the water
at normal RCS pressure into the cold legs. Another function
of the HPIS is to push the 12 weight percent boric acid solution
in the 900 gallon boron injection tank (BIT) into the RCS to
provide for a reactivity suppression when a steam rupture occurs.
The required flow for successful injection is 150 gpm, which
corresponds to at least one charging pump function.
During normal operation, one operating charging pump draws
water from the volume control tank (VCT) and discharges to the
RCS through the open valves 1289A and 1289B. However, when the
safety injection control system (SICS) is activated the
following changes take place in the HPIS system configuration:
(1) The supply valves 1115B and 1115D are opened to
allow the RWST to provide water for the HPIS pump
suction.
(2) The standby charging pumps are started.
(3) Isolation valves 1115C and 1115E are closed to
prevent draining of the VCT.
(4) The normal charging line isolation valves 1289A
and 1289B are closed.
(5) The isolation valves 1867A and 1967B at the BIT
tank inlet are opened as well as the isolation
valves 1967C and 1967D at the BIT outlet.
(6) The boric acid recirculation line trip valves
are closed terminating recirculation between
the Boric Acid Tanks (BAT) and the Boron Injection
Tank (BIT).
(7) Charging System mini-flow valves are closed so
that all operable charging pumps will pump water
from the RWST to discharge header C{-80 through
HPIS line S1-57, through the SZT, and to the RCS
cold legs.
FIGURE 4.3 Simplified System Diagram
FIGURE 9 REDUCED FAULT TREE OF THE HPIS
In the Reactor Safety Study, the HPIS unavailability
estimates obtained were
U med = 8.6 x 10^-3
U lower = 4.4 x 10O
U upper = 2.7 x 10^-2
with the lower and upper bound evaluated by a Monte-Carlo
simulation. The point estimates obtained were
U total = 3.8 x 10^-3
U singles = 1.1 x 10^-3
U doubles = 2.5 x 10^-3
U charging pump = 7.0 x 10^-6
U test and maintenance = ε ≈ 0
The reduced fault tree given in the Reactor Safety Study
for the HPIS system is shown in Figure 4.4. Each basic input
event in the fault tree is labeled by an eight character code
name [ ]. The coding scheme specifies the system, component
type, identifier and failure mode for each basic event as
follows:
TABLE 4.5
PWR SYSTEM IDENTIFICATION CODE

CODE  SYSTEM NAME
A     Accumulator (ACC)
G     Containment Leakage (CL)
N     Consequence Limiting Control System (CLCS)
K     Containment Heat Removal System (CHRS)
C     Containment Spray Injection System (CSIS)
D     Containment Spray Recirculation System (CSRS)
J     Electrical Power (EPS)
F     High Pressure Injection System (HPCIS)
H     High Pressure Recirculation System (HPCRS)
B     Low Pressure Injection System (LPIS)
E     Low Pressure Recirculation System (LPRS)
L     Sodium Hydroxide Addition System (SHAS)
      Reactor Protection System (RPS)
M     Safety Injection Control System (SICS)
P     Auxiliary Feedwater (AF)
TABLE 4.6
COMPONENT CODE

Mechanical Components         Code
Accumulator                   AC
Blower                        BL
Control Rod Drive Unit        CD
Cover Plate                   FA
Damper                        DM
Diesel                        DL
Expansion Joint               XJ
Filter or Strainer            FL
Gas Bottle                    GB
Gasket                        GK
Heat Exchanger                HE
Nozzle                        NZ
Orifice                       OR
Pipe                          PP
Pipe Cap                      CP
Pressure Vessel               PV
Pump                          PM
Reactor Control Rod           ED
Refrigeration Unit            RF
Sluice Gate                   SL
Sump                          SP
Subtree                       ST
Tank                          TK
Tubing                        TG
Turbine                       TB
Valve, Check                  CV
Valve, Explosive Operated     EV
Valve, Hydraulic Operated     HV
Valve, Manual                 XV
Valve, Motor Operated         MV
Valve, Pneumatic Operated     AV
Valve, Relief                 RV
Valve, Safety                 SV
Valve, Solenoid Operated      KV
Valve, Stop Check             DV
Valve, Vacuum Relief          VV
Vent                          VT
Well                          WL

Electrical Components                   Code
Amplifier                               AM
Annunciator                             AN
Battery                                 BY
Battery Charger                         BC
Bus                                     BS
Cable                                   CA
Circuit Breaker                         CB
Clutch                                  CL
Control Switch                          CS
Coil                                    CO
Detector                                DI
DC Power Supply                         DC
Flow Switch                             FS
Heating Element                         HG
Input Module                            IM
Inverter (solid state)                  IV
Level Switch                            ES
Light                                   LT
Limit Switch                            LS
Manual Switch                           SW
Motor                                   MO
Motor Starter                           MS
Neutron Detector                        ND
Potentiometer                           PT
Recorder                                RC
Lightning Arrester                      LA
Ground Switch                           GS
Relay                                   RE
Relay or Switch Contact                 CN
Reset Switch                            RS
Resistor, Temp. Device                  RT
Signal Comparator                       AD
Switch, Pressure                        PS
Switch, Torque                          QS
Switch, Temperature                     TS
Terminal Board                          TM
Diode or Rectifier                      DE
Fuse                                    FU
Generator                               GE
Heat Tracing                            HT
Test Pushbutton                         SB
Thermal Overload                        OL
Timer                                   TI
Transformer, Current                    CT
Transformer, Potential (or control)     OT
Transformer, Power                      TR
Transmitter, Flow                       TF
Transmitter, Level                      TL
Transmitter, Pressure                   TP
Transmitter, Temperature                TT
Wire                                    WR
Event (where no component involved)     00
TABLE 4.7
FAILURE MODE CODE

Failure Mode         Code
Closed               C
Disengaged           G
Does Not Close       K
Does Not Open        D
Does Not Start       A
Engaged              E
Exceeds Limit        M
Leakage              L
Loss of Function     F
Maintenance Fault    Y
No Input             N
Open                 O
Open Circuit         B
Operational Fault    X
Overload             H
Plugged              P
Rupture              R
Short Circuit        Q
Short to Ground      S
Fault Transfer       T
Thus, for example, basic event FMV866FX refers to a High Pressure
Injection System Motor Operated Valve failing due to an
operator's error.
A large number of basic events shown in the reduced
fault tree do not contribute to the system's failure since
their unavailabilities were found to be negligible (ε ≈ 0) by the
Reactor Safety Study. Table 4.8 is a list of those basic events
which were included in the analysis performed by PL-MOD and MOCUS.
The number identifying each event input along with its
unavailability and alphanumeric identifier are given in the Table.
A total of 142 non-replicated basic events, 9 replicated events
and 4 replicated modular gates were included in the reduced
fault tree. PL-MOD computed a point unavailability
U = 4.71 x 10^-3
for the HPIS reduced fault tree. The reduced fault tree was
found to be representable by a 50 component Boolean vector
higher order structure, i.e.
Y^B = (r1, ..., r13, M0, M1, ..., M36)
Table 4.9 is the PL-MOD output giving the order in which each
replicated event and nested module is listed in the Boolean
vector, as well as the modular minimal cut-set matrix K
representing the higher order gate.
Thus it may be seen by inspecting Table (4.9) that
r1 = 20006, r2 = 20005, ..., r13 = 29010,
M0 = G1 sub-module, M1 = G8, M2 = G9, ..., M35 = G56, M36 = G63
and
K = [K1, K2, ..., K63]^T
Notice that each modular cut-set may include single, double
and triple basic event cut-sets. Thus for example K1 consists
of a single modular event K1 = (M0) corresponding to the proper
port attached to top gate G1. And as seen in Table (4.10)
M0 = {48, 49, 50, 51, 52, 53, 54, 55, 1, 2, 3, 12, 13,
G2, G38, G11; U}
with G2 = {G5, G6; ∩}
G5 = {4, 5, 6, 7; U}   G6 = {8, 9, 10, 11; U}
G38 = {56, 57; ∩}
G11 = {G17, G18; ∩}
G17 = {30, 31, 32, 33, 34; U}   G18 = {36, 37, 38, 39; U}
Hence, K1 includes single as well as double basic event minimal
cut-sets.
The modular gate event occurrence probabilities
(unavailabilities) computed by PL-MOD for the reduced fault tree are
given in Table 4.11. Thus for example gates G1, G5 and TOP
have the unavailabilities
P(G1) = 1.126 x 10^-3, P(G5) = 2.7 x 10^-3
P(TOP) = 4.7118 x 10^-3
It should be mentioned that "empty" nested AND gates appearing
in a higher order structure are given a unit probability of
occurrence (Figure 4.5). Thus, the fault tree shown in Figure
4.5 has the following cut-set description
(M2 = empty AND gate)
K1 = (0, 1, 0, 0, 0)
K2 = (1, 0, 0, 0, 0)
K3 = (0, 0, 1, 1, 1)
However, since P(M2 ) a 1, then P(K3  M3 M as required.
The modular Vesely-Fussell importance values are listed
in Table (4.12). Thus, for example
TOI = 1, M = 2.39 x 10l 1VI. 2.08 x 10~
The evaluation of the Vesely-Fussell importances may
be seen to be particularly useful for cutting off unimportant
portions of the fault tree before proceeding on to make a
Monte-Carlo simulation to find upper and lower bounds on the
uncertainty in the overall system unavailability. Thus, if
for the HPIS reduced fault tree one were to cut off modules
having an importance smaller than 2 x 10^-2, then its Boolean
state vector representation would be considerably simplified
to
Y^B = (r1, ..., r13, M0, M1, ..., M13)
with
M1 = G35
M2 = G47
M3 = G48
M4 = G43
M5 = G53
M6 = G39
M7 = G40
M8 = G49
M9 = G50
M10 = G51
M11 = G52
M12 = G45
M13 = G56
FIGURE 4.5 "EMPTY" NESTED AND GATE
TABLE 4.8
HPIS REDUCED FAULT TREE BASIC EVENT DATA
TABLE 4.9
HPIS Reduced Fault Tree Minimal Cut-Set Boolean Matrix
TABLE 4.10
HPIS Reduced Fault Tree Modular Components
TABLE 4.11
HPIS REDUCED FAULT TREE MODULAR UNAVAILABILITIES
[PL-MOD printout: one REL value per module, listed as MODULE NAME= ... REL= ... for the free, replicated and nested modules.]
TABLE 4.12
HPIS REDUCED FAULT TREE VESELY-FUSSELL MODULAR IMPORTANCES
[PL-MOD printout: one IMP value per module, listed as MODULE NAME= ... IMP= ...]
CHAPTER FIVE
CONCLUSIONS AND RECOMMENDATIONS
V.1. Summary and Conclusions
The methodology to analyze a fault tree in terms of its
modular structure has been developed in this thesis. An algorithm
to derive a fault tree's modular composition directly from its
diagram was given. The procedure consists of piecewise collapsing
and modularizing portions of the tree, until eventually the
full tree structure is described as a set of modular equations
recursively relating the top tree event to its basic component
inputs.
The structural representation of fault trees containing
replicated events was shown to necessitate the use of higher
order gate modules. A Boolean vector representation was chosen
to express the family of minimal cut-sets corresponding to a
higher order gate.
Once the modular structure of a fault tree has been obtained,
a quantitative evaluation of reliability and importance parameters
can be performed efficiently, as was demonstrated. By following
the same order in which the fault tree modules were originally
found (i.e., starting with the bottom gate branches), each modular
occurrence probability can be easily computed as a function of the
occurrence probabilities of its basic event and modular inputs.
In contrast, basic event and modular Vesely-Fussell importance
measures are best evaluated by starting at the top tree event and
successively applying the modular importance chain rule.
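The two evaluation passes summarized above, as an added Python example (not PL-MOD code and not taken from the thesis). It assumes a constructed tree whose modules are simple AND/OR gates over independent inputs with no replicated events, so the chain rule reads I(input) = I(module) x I(input within module); higher order modules are outside its scope and are rejected.

```python
from math import prod

# Constructed tree (not from the thesis). Each module is a simple AND or OR
# gate over independent inputs; names starting with "c" are basic events.
MODULES = {
    "TOP": ("OR", ["G1", "c1"]),
    "G1": ("AND", ["G2", "c2"]),
    "G2": ("OR", ["c3", "c4"]),
}
BASIC = {"c1": 1e-3, "c2": 1e-2, "c3": 2e-2, "c4": 3e-2}  # constructed values


def bottom_up_order(modules, top):
    """List modules so that every module comes after all of its inputs."""
    order, seen = [], set()

    def visit(name):
        for child in modules[name][1]:
            if child in seen:
                # A replicated input breaks independence between modules and
                # would need a higher order module, which this sketch omits.
                raise ValueError(f"replicated input {child!r} is not supported")
            seen.add(child)
            if child in modules:
                visit(child)
        order.append(name)

    visit(top)
    return order


def occurrence_probabilities(modules, basic, top="TOP"):
    """Bottom-up pass: each module probability from its inputs' probabilities."""
    prob = dict(basic)
    for name in bottom_up_order(modules, top):
        kind, inputs = modules[name]
        p = [prob[i] for i in inputs]
        if kind == "AND":
            prob[name] = prod(p)
        elif kind == "OR":
            prob[name] = 1.0 - prod(1.0 - x for x in p)
        else:
            raise ValueError(f"unsupported gate type {kind!r} in {name}")
    return prob


def vesely_fussell(modules, prob, top="TOP"):
    """Top-down pass: importance of an input = importance of its module
    times the input's importance within that module (chain rule)."""
    imp = {top: 1.0}
    for name in reversed(bottom_up_order(modules, top)):  # parents first
        kind, inputs = modules[name]
        for i in inputs:
            if kind == "AND":
                local = 1.0  # the module's only minimal cut-set holds every input
            else:
                # OR: each input is a one-event cut-set of the module
                local = prob[i] / prob[name] if prob[name] > 0 else 0.0
            imp[i] = imp[name] * local
    return imp


if __name__ == "__main__":
    probabilities = occurrence_probabilities(MODULES, BASIC)
    importances = vesely_fussell(MODULES, probabilities)
    for key in ("TOP", "G1", "G2", "c1", "c2", "c3", "c4"):
        print(f"{key:4s} P={probabilities[key]:.6e}  VF={importances[key]:.6f}")
```

The importances of the inputs to an OR module can sum to more than one, because several cut-sets may have occurred at the same time.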
The modular approach to fault tree analysis outlined
above was implemented into the computer program PL-MOD. The code
was written in PL/1 in order to take advantage of the list
processing capabilities available in this computer language. In
particular, extensive use was made of based structures, pointer
variables and dynamic storage allocation. Moreover, the
manipulation of Boolean state vectors, required to handle higher order
modular structures, was conveniently performed using bit-string
variables.
PL-MOD was used to analyze a number of nuclear reactor
safety system fault trees, and its performance was tested against
that of the minimal cut-set generation codes PREP and MOCUS. It
was demonstrated that the code's execution time to modularize
a large fault tree will be significantly smaller than
that taken to generate the thousands of minimal cut-sets required
to characterize the fault tree. Thus, the modularization of the
High Pressure Injection System reduced fault tree,
composed of 63 gates and 151 components, was 25 times faster
than the generation by MOCUS of the 13 single event, 294
double event, and 2477 triple event minimal cut-sets associated
with the fault tree. Furthermore, because of the structural
organization of the modular information describing a fault tree,
the evaluation of its reliability parameters is easier to perform
using this information than from a mere listing of its minimal
cut-sets.
V.2. Recommendations for Future Work
In its present form PL-MOD generates a complete Boolean
vector representation for the modular minimal cut-sets of a
fault tree. In practice, however, it is sufficient to generate
those minimal cut-sets which significantly contribute to the
occurrence of the top tree event. Thus, the incorporation in
PL-MOD of a capability to generate only those modular minimal
cut-sets which require the occurrence of less than N simultaneous
modular events (with N = 2, 3, 4, etc.) would be highly desirable.
In the Reactor Safety Study reduced fault trees were
derived by eliminating those basic events which contribute to
the TOP tree event only through minimal cut-sets of high order,
say quadruple or quintuple event cut-sets. This reduction
procedure has, however, never been automated. PL-MOD would be
particularly suited as a tool for deriving reduced fault trees, since
the following two criteria for cutting off portions of a tree
are available in the code:
(a) Modular events, rather than basic events, contributing
to the top tree event only through minimal cut-sets of
an order larger than N may be deleted as explained above.
(b) Once an upper limit N has been chosen, the Vesely-Fussell
modular importances calculated by PL-MOD can be used to
further reduce the tree by cutting off modules whose importances
are smaller than a preselected cut-off value.
In order to handle more effectively fault trees which
extensively include common mode failure events, it is recommended
that the following two capabilities be incorporated into the
PL-MOD code:
(a) In its present version, PL-MOD can only handle
replicated modular gates, i.e., only replicated gates representing
a supercomponent event independent from all other gates in the
tree may be treated. In general, replicated gates may exist
which do not represent a supercomponent event. Eliminating this
restriction would significantly enhance the capabilities of the
code.
(b) Similarly, PL-MOD allows the appearance of explicit
symmetric (k-out-of-n) gates only if the inputs to these gates
are non-replicated components or supercomponent events. It is
proposed that symmetric gates be allowed to operate on input
events which are replicated elsewhere in the fault tree.
Thus far, PL-MOD has been restricted to a deterministic
evaluation of steady-state occurrence probabilities for a fault
tree. Given the efficient recursive computational procedure
used by the code, the inclusion of a time-dependent (kinetic)
tree analysis capability as well as of a Monte-Carlo package
enabling the code to perform a probabilistic distributional
analysis would be justified.
REFERENCES
1. R.E. Barlow and F. Proschan; Statistical Theory of Reliability
and Life Testing; Holt, Rinehart and Winston (1975).
2. R.E. Barlow and F. Proschan; Importance of System Components
and Fault Tree Analysis; ORC-74-3 (1974).
3. R.E. Barlow and H.E. Lambert; Introduction to Fault Tree
Analysis, Reliability and Fault Tree Analysis; SIAM (1975).
4. A. Blin et al; PATREC-DE Code: Evaluation of Common Mode
Failures Impact on Reliability; Transactions on
European Nuclear Society Conference (April, 1975).
5. Z.W. Birnbaum; On the Importance of Different Components in
a Multicomponent System, Multivariate Analysis II,
edited by P. Krishnaiah; Academic Press (1969).
6. P. Chatterjee; Fault Tree Analysis, Reliability Theory and
Systems Safety Analysis; ORC 74-34 (1974).
7. P. Chatterjee; Modularization of Fault Trees: A Method to
Reduce the Cost of Analysis, Reliability and Fault
Tree Analysis; SIAM (1975).
8. J.D. Esary and F. Proschan; Coherent Structures with
Non-Identical Components; Technometrics 5 p. 191 (1963).
9. J.B. Fussell et al; MOCUS - A Computer Program to Obtain
Minimal Sets from Fault Trees; Aerojet Nuclear Co.
ANCR-1156 (August, 1974).
10. J.B. Fussell; Special Techniques for Fault Tree Analysis;
Aerojet Nuclear Co. (April, 1974).
11. I.B.M. Systems Reference Library; PL/1 Language Reference
Manual and Programmer's Guide; C28-8201-2 and C28-6594.
12. B.V. Koen and A. Carnino; Reliability Calculations with a
List Processing Technique; IEEE Transactions on
Reliability Vol. R-23 No. 1 (April, 1974).
13. H.E. Lambert; Measures of Importance of Events and Cut-sets
in Fault Trees, Reliability and Fault Tree Analysis;
SIAM (1975).
14. H.E. Lambert; Fault Trees for Decision Making in Systems
Analysis; UCRL-51829 (Oct., 1975).
15. J. Murchland; Fundamental Probability Relations for Repairable
Items; NATO Advanced Study Institute on Generic
Techniques in System Reliability Assessment, the
University of Liverpool (July, 1973).
16. P.K. Pande et al; Computerized Fault Tree Analysis: TREEL
and MICSUP; ORC 75-3 (1975).
17. W. Quine; The Problem of Simplifying Truth Functions, Am.
Math. Monthly, 59 (1952).
18. E.T. Rumble et al; Generalized Fault Tree Analysis for
Reactor Safety; EPRI 217-2-2 (1975).
19. Reactor Safety Study; Appendix II (Volume 1) Fault Tree
Methodology; WASH-1400 Draft (August, 1974).
20. Reactor Safety Study; Appendix II (Volume 2) PWR Fault Trees;
WASH-1400 Draft (August, 1974).
21. R.B. Worrell; Using the Set Equation Transformation System
in Fault Tree Analysis, Reliability and Fault Tree
Analysis; SIAM (1975).
22. R.B. Worrell and G.R. Burdick; Qualitative Analysis in
Reliability and Safety Studies; IEEE Transactions
on Reliability, Volume R-25, Number 3 (August, 1976).
23. W.E. Vesely and R.E. Narum; PREP and KITT: Computer Codes
for the Automatic Evaluation of Fault Trees; Idaho
Nuclear Co. (1970).
APPENDIX
PL-MOD'S INPUT AND OUTPUT DESCRIPTION
Data Input
No FORMAT restrictions exist as far as the listing of
data items is concerned. Each data item is only required to
be delimited by one or more blank spaces or a comma.
1st Item: 'TITLE' = a set of CHARACTERS enclosed by a
pair of single quote marks.
2nd Item: DEL = number of reliability parameters to
be computed (FIXED DECIMAL). (In the present PL-MOD version
DEL = 1 or 2)
3rd Item: GUM = total number of fault tree gates (FIXED
DECIMAL).
4th Item: RMOD = total number of replicated modules
(FIXED DECIMAL).
5th Item: (I,AGIN(I),ALIL(I),ALIR(I)) (FIXED DECIMAL)
I = gate number, AGIN(I) = number of gate inputs,
ALIL(I) = number of free leaf inputs,
ALIR(I) = number of replicated leaf inputs.
(I = 1,2,...,GUM)
6th Item: (TRIM(IX),TRIN(IX)) (FIXED DECIMAL)
TRIM(IX) = replicated leaf name associated with a module
TRIN(IX) = replicated gate number
(IX = 1,2,...,RMOD)
7th Item: NOR = total number of replicated leaf inputs
(FIXED DECIMAL).
8th Item:
NODEIN(J): (NAME,VALUE,GIN,PIT(GIN),LIL,TIL(LIL),LIR,
TIR(LIR)) (FIXED DECIMAL)
(J = 1,2,...,GUM)
NAME = gate number
VALUE = 1 (AND gate), 2 (OR gate), or KON (K-out-of-n gate)
GIN = number of gate inputs
PIT(I) = Ith gate input (I = 1,2,...,GIN)
(If GIN = 0 then PIT = 0)
LIL = number of free leaf inputs
TIL(I) = Ith free leaf input (I = 1,2,...,LIL)
(If LIL = 0 then TIL = 0)
LIR = number of replicated leaf inputs
TIR(I) = Ith replicated leaf input (I = 1,2,...,LIR)
(If LIR = 0 then TIR = 0)
(5th and 7th Items must be listed in the same
order)
9th Item: FOX = 0 if no numerical evaluation is
desired, FOX = 1 otherwise
If FOX = 0 then delete items 10, 11 and 12
10th Item: (FUN,DUN) (FIXED DECIMAL)
FUN = Total number of free leaf inputs
DUN = Total number of replicated leaf inputs
11th Item: (I,STATE(1,I)) (FIXED DECIMAL, FLOAT)
STATE(1,I) = probability associated with Ith free input
occurrence
(I = 1,2,...,FUN)
12th Item: (I,STATD(1,I)) (FIXED DECIMAL, FLOAT)
STATD(1,I) = probability associated with Ith replicated
input (If Ith input is associated with a module then
STATD(1,I) = 0) (I = 1,...,DUN)
An example of input data is given for the fault tree SAMPLE
PROBLEM shown in Figure A-1. Table A-1 shows the input
deck, whereas Table A-2 represents the output as given by
PL-MOD.
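A reader for the 8th data item (the NODEIN gate records) as described above, written in Python as an added example; it is not part of PL-MOD. The sample deck is constructed, every field is assumed to be an integer, and the KON value of a K-out-of-n gate is kept as a raw code because its encoding is not spelled out here.

```python
import re

GATE_KIND = {1: "AND", 2: "OR"}  # any other VALUE is kept as a raw KON code


def tokens(text):
    """Data items are delimited by one or more blanks or a comma."""
    return iter(t for t in re.split(r"[\s,]+", text) if t)


def take(stream, what):
    """Read one FIXED DECIMAL item or fail with the field that was expected."""
    tok = next(stream, None)
    if tok is None:
        raise ValueError(f"deck ended while reading {what}")
    if not re.fullmatch(r"[+-]?\d+", tok):
        raise ValueError(f"{what}: expected an integer, got {tok!r}")
    return int(tok)


def take_list(stream, what):
    """A count n followed by n entries; a zero count is followed by one 0."""
    n = take(stream, f"{what} count")
    if n < 0:
        raise ValueError(f"{what}: negative count {n}")
    if n == 0:
        if take(stream, f"{what} filler") != 0:
            raise ValueError(f"{what}: a zero count must be followed by 0")
        return []
    return [take(stream, what) for _ in range(n)]


def parse_nodein(text, gum):
    """Parse GUM records (NAME,VALUE,GIN,PIT..,LIL,TIL..,LIR,TIR..)."""
    stream = tokens(text)
    nodes = {}
    for _ in range(gum):
        name = take(stream, "NAME")
        if name in nodes:
            raise ValueError(f"gate {name} is defined twice")
        value = take(stream, f"VALUE of gate {name}")
        gates = take_list(stream, f"PIT of gate {name}")
        free = take_list(stream, f"TIL of gate {name}")
        rep = take_list(stream, f"TIR of gate {name}")
        nodes[name] = {"value": value, "kind": GATE_KIND.get(value, "KON"),
                       "gates": gates, "free": free, "rep": rep}
    if next(stream, None) is not None:
        raise ValueError("extra data after the last NODEIN record")
    for name, node in nodes.items():
        for g in node["gates"]:
            if g not in nodes:
                raise ValueError(f"gate {name} refers to undefined gate {g}")
    return nodes


def count_mismatches(nodes, item5):
    """Compare with the 5th item: gate number -> (AGIN, ALIL, ALIR)."""
    bad = []
    for name, expected in sorted(item5.items()):
        n = nodes[name]
        if (len(n["gates"]), len(n["free"]), len(n["rep"])) != tuple(expected):
            bad.append(name)
    return bad


# Constructed three-gate deck (not the thesis's SAMPLE PROBLEM input).
SAMPLE = """
1, 2,  2 2 3,  1 1,  0 0,
2, 1,  0 0,  2 2 3,  0 0,
3, 2,  0 0,  1 4,  1 20001,
"""

if __name__ == "__main__":
    for gate, node in parse_nodein(SAMPLE, gum=3).items():
        print(gate, node)
```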
[Figure A-1: SAMPLE FAULT TREE (gate diagram)]
TABLE A-1 SAMPLE PROBLEM INPUT
[Input deck for the fault tree 'SAMPLE PROBLEM', listed in the item order described above.]
TABLE A-2 SAMPLE PROBLEM OUTPUT
[PL-MOD printout "TREE ANALYSIS BY MODULES" for SAMPLE PROBLEM (OPTION= 2, NUM GATES= 26): the node-by-node echo of the gate, free leaf and replicated (DEP) leaf inputs, the free, nested and parent modules found together with their minimal cut sets in Boolean vector form, the REL value of each module, and the Vesely-Fussell importances of the free leaves, replicated events and modules, ending with THE END.]
