
Aven CH090.tex 17/5/2007 10: 44 Page 713

Risk, Reliability and Societal Safety – Aven & Vinnem (eds) © 2007 Taylor & Francis Group, London, ISBN 978-0-415-44786-7

Fault tree analysis in an early design stage using the Dempster-Shafer theory of evidence

P. Limbourg, Information Logistics, University of Duisburg-Essen, Germany

R. Savić, ZF Friedrichshafen AG, Germany

J. Petersen & H.-D. Kochs, Information Logistics, University of Duisburg-Essen, Germany

ABSTRACT: The Dempster-Shafer Theory of Evidence (DST) has been considered as an alternative to probabilistic modelling if both a large amount of uncertainty and a conservative treatment of this uncertainty are necessary. Both requirements are normally met in early design stages. Expert estimates replace field data and hardly any accurate test results are available. Therefore, a conservative uncertainty treatment is beneficial to assure a reliable and safe design. The paper investigates the applicability of DST, which merges interval-based and probabilistic uncertainty modelling, on a fault tree analysis from the automotive area. The system under investigation, an automatic transmission from the ZF AS Tronic series, is still in the development stage. We investigate the aggregation of expert estimates and the propagation of the resulting mass function through the system model. An exploratory sensitivity analysis based on a nonspecifity measure indicates which components contribute to the overall model uncertainty. The results are used to predict if the system complies with a given target failure measure.

1 INTRODUCTION

In the recent past, the demand for uncertainty modelling in the fields of automotive reliability and functional safety has grown. Since the release of the German industry guideline VDI 2206 and a growing importance of the IEC 61508 (IEC 2001) for mechatronic design, there has been a noticeable growth in interest for quantitative prediction over all project phases (Kochs & Petersen 2004; Kochs 2004). In early design stages, the research focus moved from qualitative models without uncertainty treatment to prediction models analyzing and controlling the uncertainties, too (Jäger & Bertsche 2005). In automotive systems, Safety Integrity Levels (SIL 1–4) according to the IEC 61508 are used to define system safety requirements. Uncertainty analyses of the predicted system safety provide both a robust way to demonstrate that the system complies with the target failure measure and an indicator for possible violation of these targets.

Quantitative reliability and safety prediction in an early design stage needs to deal with uncertainties from various sources. Data is obtained from expert estimates, tests and experiences from past projects. Models have a low degree of detail and may be only an inaccurate description of the real failure behaviour. Thus, uncertainty preserving models are a must for an adequate support of the decision maker. Precise outputs would neglect the high uncertainty of the input data.

In this study, we consider a fault tree analysis of an automatic transmission from the ZF AS Tronic product line. We investigate if the system complies with the target failure measure of SIL 2 and carry out a sensitivity analysis on the nonspecifity measure. These results indicate which uncertainty reductions in the input parameters could be the most efficient ones.

2 SYSTEM AND PREDICTION FRAMEWORK

The system under investigation is a currently developed member of the ZF AS Tronic series (Figure 1). ZF-ASTronic has been developed especially for trucks with EDC (Electronic Diesel Control) engines and CAN (Controller Area Network) communications. The transmission system combines proven ZF technology with modern electronics. The integrated modular design simplifies both installation and maintenance and provides protection from outside influences. If the truck needs to perform other work during or after the run, it needs a power take-off. This is also possible with AS Tronic. The transmission can be equipped with one or more clutch-dependent power take-offs, even after it has been installed in the truck. The outputs can be shifted independently of each other. A speed-dependent power take-off system to drive auxiliary steering pumps is also available.

Figure 1. Automatic transmission from the ZF AS Tronic product line: (1) Transmission actuator, (2) Gearbox, (3) Clutch actuator.

Figure 2. Early design stage fault tree of an automatic transmission. (Diagram not reproduced. The top event “Critical failure of transmission” is an OR gate over “Clutch system fails”, “Critical Gearbox failure” and “Gearbox electronics fails”; beneath them, AND and OR gates combine the basic events listed in Table 3, e.g. plate/cover/bearing, actuator wiring, lever mechanism, oil seal leaks, oil temperature sensor, output shaft sensor, pressure reducing valve, overhaul, neutral switch and tacho sensor.)

AS Tronic handles gear selection and clutch and shifting manoeuvres. The 12-speed shifts electropneumatically. Engine power is always transmitted optimally. The ZF-MissionSoft driving programme keeps the motor at an efficient engine speed. The driver can correct the automatic gear selection or switch to manual operation at any time and set the gear using the touch lever. These fully integrated transmissions are mainly used in busses, trucks and other special-purpose vehicles.

2.1 System fault tree model

Being only a subsystem in the power train that is again a subsystem in a modern car, it is difficult to specify exactly which failure modes may lead to a safety-critical situation for the driver. However, certain conditions can be identified as a critical failure, such as a failure of the clutch system or an uncovered failure in the gearbox electronics. In our study, the detail level of the fault tree (Figure 2) is quite low. Subsystems are not separated into different components, as the structure of the system is not yet fully determined.

The system is composed of three different subsystems. The clutch system contains mostly mechanical components that are highly reliable. Therefore no additional sensors that can discover safety-critical situations are planned. The gearbox with a set of mechanic and hydraulic components will include several sensors that may detect failures or near-failure conditions. The gearbox electronics, being the interface to the driver, are modelled as a separate subsystem.

The presented expert estimates are idealized to illustrate the application of DST. We emphasize that they do not reflect the real failure behaviour of the AS Tronic.

2.2 The IEC 61508: a framework for safety requirements

According to the IEC 61508, it has to be shown for a safety-critical function that the probability of a critical failure is below a certain threshold (target failure measure) to comply with a certain SIL. Systems are classified according to their usage frequency into high demand and low demand. For systems with high demand such as the transmission under investigation, Table 1 shows the target failure measure (failure probability per hour of service). The IEC 61508 provides intervals for these target failure measures. This motivates the use of uncertainty preserving methods such as DST. If it can be shown that the predicted failure measure ps is possibly lower than the lower PTF bound and with a high degree of confidence below the higher PTF bound, the safety arguments are much stronger.

The IEC 61508 moreover defines limits on the SIL that can be reached by a system executing the safety function depending on data quality and fault-tolerance. (Sub-) systems are classified based on the quality of available data. A (sub-) system is of the (preferable) type A if

1. the behaviour of all components in case of failure is well-defined and

2. the behaviour of the subsystem in case of failure is well-defined and

3. reliable failure data from field experience exists.

A system is of type B if one of the given factors is not true. In an early design stage, type B can be considered to occur much more likely. Even if criteria 1 & 2 are well-defined, it is unlikely that there exists enough data to fulfil criterion 3.

Due to the recursivity of this definition, systems containing one type B subsystem have to be considered as type B, too. However, this has a strong impact on the safety requirements. Table 2 shows the limiting SIL for a given level of fault tolerance (level n: n + 1 subsystem failures lead to a system failure) and fraction of safe failures of a (sub-) system. It can be seen that systems of type A can reach higher SILs with the same level of fault-tolerance and fraction of safe failures.

Table 1. Tolerated target failure measure for safety-critical functions (high demand or continuous mode) (IEC 2001).

SIL   PTF
4     [10^−9, 10^−8]
3     [10^−8, 10^−7]
2     [10^−7, 10^−6]
1     [10^−6, 10^−5]

It may be desirable to be able to classify a system as type A. If criteria 1 and 2 are fulfilled, but exact failure data is missing, yet the (sub-) system needs to be classified as type A, it may be reasonable to work with a conservative uncertainty model. If the uncertainty model can be considered as reliable (regarding criterion 3), the system may be treated as type A. Therefore, very conservative uncertainty modelling such as implicitly done by DST can help to provide arguments for shifting the (sub-)system from type B to type A.

In contrast to purely probabilistic uncertainty treatment, it is possible in DST to include uncertainty in form of intervals. This eases the communicability of the uncertainty study. While arguing that the system falls into type A, modelling the uncertainty of a critical variable in a probabilistic way needs to satisfy the question of the right choice of the distribution. Facing a sceptical observer, an answer may not be easy. In a scenario involving DST, these questions can be circumvented by capturing such critical uncertainties in intervals.

3 DEMPSTER-SHAFER THEORY OF EVIDENCE

The Dempster-Shafer Theory of evidence was first described by (Dempster 1967) and extended by (Shafer 1976). Originally applied in artificial intelligence and sensor fusion, a growth in interest of reliability scientists was observed after the epistemic uncertainty project (Ferson et al. 2003) including an expert workshop of the Sandia National Laboratories in 2002. The outcome of this workshop, a well-defined framework for representing and propagating both epistemic and aleatory uncertainty based on DST, motivated further research in this field. Overviews of DST in reliability are provided by (Utkin & Coolen 2007) and (Rakowsky 2005). In (Guth 1991), first order DST replaced normal probabilistic calculation for fault tree calculation. A similar approach is shown in (Chin et al. 2000). In (Berleant & Zhang 2004), the bounds on the lifetime distribution of a 2-component system with lack of knowledge regarding failure distributions and dependency are modelled. (Savic 2005) generates belief and plausibility bounds using neural networks. However, in spite of the rising number of applications, DST is still not well-known. Therefore, a short introduction to the general concepts of this theory is given here. A detailed description can be found in (Klir 2005).

Table 2. Fraction of safe failures and degree of redundancy necessary to comply with a specific SIL (type A and type B) (IEC 2001).

                        Level of fault tolerance
Safe failure fraction   0       1       2
(Type A)
<60%                    SIL1    SIL2    SIL3
60%–<90%                SIL2    SIL3    SIL4
90%–<99%                SIL3    SIL4    SIL4
≥99%                    SIL3    SIL4    SIL4
(Type B)
<60%                    –       SIL1    SIL2
60%–<90%                SIL1    SIL2    SIL3
90%–<99%                SIL2    SIL3    SIL4
≥99%                    SIL3    SIL4    SIL4

Our approach models the uncertainty on the failure probabilities using DST on the real line and can therefore be interpreted as a second order DST approach. Further contributions of this work are the application of DST to a realistic model and the utilization of sensitivity indices to investigate the impact of interval uncertainty.

3.1 Representation

A popular tool in reliability and safety assessment are fault trees using Boolean component representations. The probability of a component i ∈ {1, . . . , n} to be in state “failed” is described by a failure probability pi ∈ [0, 1]. In a first order probabilistic model (Burmaster & Wilson 1996), pi has a known value, e.g. pi = a. The component probability vector p represents the combined representation of all component failure probabilities:

The system failure probability ps can then be obtained via fault-tree computation from p. We denote this function φ as

However, most likely it is the case that the knowledge on pi is limited and we would like to express our uncertainty. In a second order (discrete) probabilistic model (Burmaster & Wilson 1996), a probability mass ηi(a) for each component failure probability could be defined with

The probability of pi to fall into an interval is then given by

Uncertainty in pi is therefore expressed by η. However, regarding this second level it is not a given fact that probability calculus is the best choice to represent uncertainty induced by lack of knowledge (Walley 1991). In second order DST, the uncertainty representation resembles second order discrete probability distributions with one important difference: evidence may not only be put on singular elements but also on sets. The equivalent to η, the basic probability assignment (BPA) m, is a mapping m : 2^P → [0, 1], relaxing the assumption of sharp mass distributions.

In this study, only uncertainty defined on intervals has a practical meaning. Without loss of generality we constrain the BPA to m : P × P → [0, 1], as proposed in (Ferson et al. 2003). The option to specify uncertainties using distributions, intervals or a mixture of both provides an enlarged freedom of modelling to the experts.

Definition 1: A basic probability assignment (BPA) m over [0,1] is a mapping m : 2^P → [0, 1] provided that:

Dempster-Shafer variables can also be described by the set of focal elements, just as discrete probabilities may be described by the set of nonzero probability masses.

Definition 2: A focal element g = [g̲, ḡ] is an interval with a nonzero mass m(g) > 0. The set of focal elements of a BPA m is denoted as G.

Considering our model, we can assume a BPA mi describing our information on component i. If the mass function also contains masses on intervals, it is not possible to obtain an exact probability P(pi ∈ [a̲, ā]) using eq. (4). Due to the uncertainty introduced by these intervals, it is only possible to obtain bounds limiting P(pi ∈ [a̲, ā]).

Associated with each BPA are two functions Bel, Pl : P × P → [0, 1], which are referred to as belief and plausibility of an interval:

Definition 3: Belief Bel(pi ∈ [a̲, ā]) and plausibility Pl(pi ∈ [a̲, ā]) of an interval [a̲, ā] ⊆ R are defined as:

Figure 3. Plot of a BPA, Bel(pi ∈ [0, a]) and Pl(pi ∈ [0, a]). (Plot not reproduced: a on the x-axis, 1·10^−3 to 5·10^−3; P(pi ∈ [0, a]) on the y-axis, 0 to 1; curves Pl([0,a]) and Bel([0,a]).)

Both eq. (7) and (8) are extensions that reduce to eq. (4) if m is a discrete probability distribution. It is obvious that Bel(pi ∈ [a̲, ā]) ≤ Pl(pi ∈ [a̲, ā]), because B ≠ Ø, B ⊆ [a̲, ā] ⇒ [a̲, ā] ∩ B ≠ Ø.

Informally, the belief function Bel(pi ∈ [0, a]) therefore represents the minimal value that we, despite all interval uncertainty, “believe” to be a lower bound on P(pi ∈ [0, a]); the plausibility function Pl(pi ∈ [0, a]) represents the highest “plausible” value of P(pi ∈ [0, a]). If the difference Pl(pi ∈ [a̲, ā]) − Bel(pi ∈ [a̲, ā]) is large, then our uncertainty on the exact probability P(pi ∈ [a̲, ā]) is very high.

Bel(pi ∈ [0, a]) ≤ P(pi ∈ [0, a]) ≤ Pl(pi ∈ [0, a]) forms the bounds on all possible cumulative distribution functions according to the given BPA and will be used in the following to plot a Dempster-Shafer variable (Figure 3).

3.2 Propagation

Propagating uncertainties specified in the Dempster-Shafer framework through system functions is a two-step process similar to probabilistic calculus. The joint BPA m1…n of the component failure probabilities is given as:

In the first step, m1…n must be determined. This is (given independent component BPAs m1 . . . mn)

If dependence is considered, copulas (Embrechts et al. 2003) can be applied to DST as described in (Ferson et al. 2004) to obtain ms from the marginal BPAs.

Propagating a focal element through the system function is not as straightforward as for probabilistic functions. Being a synthesis between probabilistic and interval arithmetic, DST relies on optimization to propagate focal elements through the system function. Given a focal element from the joint distribution, the mass is propagated through the system function as

with ms representing the BPA of the system function and

Thus, the propagation of a focal element involves the solution of two optimization problems (min, max). The propagation speed therefore heavily depends on the “well-behaving” of the function and the required accuracy. Fortunately, most reliability and safety problems including the fault tree presented are continuous and monotonously increasing (increased component failure probability will not decrease system failure probability), reducing eq. (12) to:
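As an added worked example (not code from the paper or from the MATLAB toolbox it used), the following Python carries out the representation of Section 3.1 and the propagation of Section 3.2 for a monotone fault tree: focal elements are (lower, upper, mass) triples, the joint BPA of independent components is the product of the marginal BPAs, and every joint focal element is pushed through the system function using only its lower and upper corner, which is the min/max reduction just described. The three-event tree and the component BPAs are constructed for illustration and are not the paper's transmission model or its Table 3 values.

```python
"""Second-order DST on component failure probabilities.

A BPA over [0, 1] is a list of focal elements (lower, upper, mass).  Point
estimates are intervals with lower == upper, so distributions, intervals and
mixtures of both share one representation.
"""
from itertools import product
from typing import Callable, List, Tuple

Focal = Tuple[float, float, float]
BPA = List[Focal]


def belief_below(m: BPA, a: float) -> float:
    """Bel(p in [0, a]): mass of focal elements lying entirely inside [0, a]."""
    return sum(mass for lo, hi, mass in m if hi <= a)


def plausibility_below(m: BPA, a: float) -> float:
    """Pl(p in [0, a]): mass of focal elements that intersect [0, a]."""
    return sum(mass for lo, hi, mass in m if lo <= a)


def propagate_monotone(components: List[BPA],
                       phi: Callable[[List[float]], float]) -> BPA:
    """Joint BPA of independent components (masses multiply) pushed through
    phi.  Because phi is monotonously increasing in every argument, the min
    and max over a joint focal element are attained at its lower and upper
    corner, so the two optimisation problems collapse to two evaluations."""
    system: BPA = []
    for combo in product(*components):
        lows = [lo for lo, _, _ in combo]
        highs = [hi for _, hi, _ in combo]
        mass = 1.0
        for _, _, w in combo:
            mass *= w
        system.append((phi(lows), phi(highs), mass))
    return system


def fault_tree(p: List[float]) -> float:
    """Constructed example tree TOP = A OR (B AND C) with independent basic
    events.  Increasing in every p_i, as fault-tree functions are."""
    a, b, c = p
    return 1.0 - (1.0 - a) * (1.0 - b * c)


# Constructed component BPAs (failure probability per hour); not Table 3.
M_A: BPA = [(1e-8, 3e-8, 0.5), (4e-8, 4e-8, 0.5)]   # interval and point estimate, mixed 1:1
M_B: BPA = [(0.003, 0.005, 1.0)]                     # pure interval estimate
M_C: BPA = [(2e-7, 4e-7, 0.7), (5e-7, 5e-7, 0.3)]


def system_bpa() -> BPA:
    """BPA of the top-event probability p_s for the constructed tree."""
    return propagate_monotone([M_A, M_B, M_C], fault_tree)


def target_check(m: BPA, target: float) -> Tuple[float, float]:
    """Bel and Pl that p_s lies below a target failure measure.  A wide gap
    between the two is exactly the interval (nonspecific) uncertainty the
    decision maker has to be told about."""
    return belief_below(m, target), plausibility_below(m, target)


if __name__ == "__main__":
    m_s = system_bpa()
    for lo, hi, mass in sorted(m_s):
        print(f"[{lo:.3e}, {hi:.3e}]  m = {mass:.2f}")
    for target in (1e-8, 4.1e-8, 1e-7):
        print(f"target {target:.1e}: Bel/Pl = {target_check(m_s, target)}")
```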

3.3 Combination of evidence

Dempster-Shafer Theory has its big advantage in the natural way of combining different sources of evidence. If there are several estimates on component i represented by the BPAs mi1, . . . , mik, many methods have been proposed to construct an aggregation mi of the BPAs. Perhaps the most popular method (Sentz & Ferson 2002) but also the most controversial part in DST is Dempster’s rule. Its precondition is that each estimate contains at least one focal element enclosing the true value of the event. In expert estimates this is not necessarily the case. If there is just a low degree of conflict between the experts, it may be a good choice, but if the preconditions are not met, the rule does not produce any results other than an empty BPA. Thus, (Ferson et al. 2003) propose the method of weighted mixing as a robust alternative which is useful if there is a big amount of conflict. Weighted mixing allows assigning a degree of importance w1...k to specific estimates. If this is not desired (as in our case study), w1...k are set to 1. The weighted mixture of the BPAs mi1, . . . , mik is given as:

We used the weighted mixture aggregation to merge estimates because of the above properties but do not assign diverse weights to different experts. As can be seen in Figure 4, both Bel and Pl functions collapse to a normal cdf if there are only pointwise focal elements.

Figure 4. Resulting BPA of three point estimates. (Plot not reproduced: a on the x-axis, 1·10^−9 to 2.4·10^−9; P(pi ∈ [0, a]) on the y-axis, 0 to 1; curves Pl([0,a]) and Bel([0,a]).)

3.4 Measuring nonspecifity

In DST, uncertainty splits up into randomness and nonspecifity. Randomness is, broadly speaking, the spread of the focal elements and similar to uncertainty in probability. Nonspecifity on the other hand is uncertainty contributed by the width of intervals. In (Klir 2005), several measures for nonspecifity of a BPA m are proposed. The generalized Hartley measure GH for discrete frames of discernment is given as:

As can be seen from the logarithmic expression, the generalized Hartley measure does not readily extend to the real line. If log2|g| is replaced with log2(ḡ − g̲), masses on points (g̲ = ḡ) will lead to negative infinity. For our purposes, we use the slightly modified expression

The constant ε > 0, which is ideally much smaller than the smallest interval focal element, mimics the real line as a very large discrete set. For this example, ε = 1E−10 was chosen. It is necessary to mention that GH′(m) is no nonspecifity measure in the strict framework defined in (Klir 2005). However, it serves well for practical purposes.

Another way to estimate the nonspecifity, which is more intuitive, is the aggregated width of all intervals:

As of (Ferson & Tucker 2006), there is no general agreement on which measure to use. We will show calculations on both presented measures.
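Added example (not the authors' code) for Sections 3.3 and 3.4: weighted mixing of the three expert estimates that Table 3 lists for the undetected failure of the pressure reducing valve (ID 12), a check of why Dempster's rule fails on exactly this input, and the two nonspecifity measures. The expression used for GH′ with ε, Σ m(g)·log2((ḡ − g̲)/ε + 1), is my reading of “mimicking the real line as a very large discrete set” (it gives 0 for point estimates); the paper's own formula is not reproduced above, so treat it as an assumption.

```python
"""Weighted mixing of expert BPAs and nonspecifity measures for interval
focal elements (lower, upper, mass)."""
import math
from itertools import product
from typing import Dict, List, Optional, Tuple

Focal = Tuple[float, float, float]
BPA = List[Focal]


def weighted_mixture(estimates: List[BPA],
                     weights: Optional[List[float]] = None) -> BPA:
    """Mixture of k BPAs: every focal element of estimate k is kept with its
    mass scaled by w_k / sum(w).  Unlike Dempster's rule this never produces an
    empty BPA, however strongly the estimates conflict.  Equal weights (all 1)
    reproduce the paper's choice of not ranking the experts."""
    if weights is None:
        weights = [1.0] * len(estimates)
    total = sum(weights)
    merged: Dict[Tuple[float, float], float] = {}
    for w, m in zip(weights, estimates):
        for lo, hi, mass in m:
            merged[(lo, hi)] = merged.get((lo, hi), 0.0) + mass * w / total
    return [(lo, hi, mass) for (lo, hi), mass in sorted(merged.items())]


def dempster_rule_is_empty(estimates: List[BPA]) -> bool:
    """True when no choice of one focal element per estimate has a common
    point: Dempster's rule would then normalise by zero and return an empty
    BPA, the failure mode the paper describes for conflicting experts."""
    for combo in product(*estimates):
        lo = max(f[0] for f in combo)
        hi = min(f[1] for f in combo)
        if lo <= hi:
            return False
    return True


def aggregated_width(m: BPA) -> float:
    """AW(m): mass-weighted sum of focal-element widths.  Zero for a purely
    pointwise (probabilistic) BPA."""
    return sum(mass * (hi - lo) for lo, hi, mass in m)


def generalized_hartley(m: BPA, eps: float = 1e-10) -> float:
    """GH'(m): Hartley measure with the real line treated as a grid of spacing
    eps, so an interval of width w counts w/eps + 1 elements (assumed reading
    of the paper's modified expression).  Points contribute log2(1) = 0."""
    return sum(mass * math.log2((hi - lo) / eps + 1.0) for lo, hi, mass in m)


# Table 3, basic event 12: two interval estimates and one point estimate that
# does not intersect either interval.
EXPERT_1: BPA = [(7e-8, 1.5e-7, 1.0)]
EXPERT_2: BPA = [(1e-7, 2e-7, 1.0)]
EXPERT_3: BPA = [(4e-7, 4e-7, 1.0)]


def valve_bpa() -> BPA:
    """Equal-weight mixture of the three estimates on event 12."""
    return weighted_mixture([EXPERT_1, EXPERT_2, EXPERT_3])


if __name__ == "__main__":
    m = valve_bpa()
    print("Dempster's rule empty:",
          dempster_rule_is_empty([EXPERT_1, EXPERT_2, EXPERT_3]))
    print("mixture:", m)
    print(f"AW = {aggregated_width(m):.3e}, GH' = {generalized_hartley(m):.4f}")
```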

A sort of sensitivity analysis regarding the nonspecifity can be carried out by measuring the total nonspecifity of the whole model AW(ms) in relation to the nonspecifity AW(ms,i):

ms,i is the joint mass distribution where mi has been replaced by a point value (and thus zero nonspecifity). Using Monte Carlo selection of a focal element and uniform sampling inside the selected element, such point values were sampled from mi. With an adequate sampling size, a stable si value may be obtained. si reflects the contribution of mi to the overall model uncertainty and can be used to analyze where additional component information can have the largest impact.

4 QUANTIFICATION OF THE INPUT SOURCES

As indicated, the advantage of DST lies in its flexibility to handle expert estimates. Therefore we provide different ways of predicting failure probabilities. The experts were provided with the possibility to predict pi using several methods:

• Estimate a sharp value for pi.
• Estimate an interval that may contain pi.
• Estimate mean µ and standard deviation σ of a normal distribution (censored to [0,1]) describing the uncertainty in pi.

Experts were also allowed to provide several estimates on the same component that were aggregated as described in 3.3. Intervals and sharp values were directly converted to a focal element with mass 1. Estimates on µ and σ could be given as values or intervals. The estimates were converted by sampling the inverse cdf of the distribution function. However, the specification of parameters of a probability distribution in the DST describes a set of functions that each encloses the probability distribution. Sampling can be interpreted as propagating the estimated distribution parameters µ and σ together with a BPA on the sampling probability π through the distribution function:

Two different sampling techniques were supported, the outer discretisation (Tonon 2004) (ODF) and confidence sampling. By using outer discretisation sampling, a focal element is generated by dividing the probability range in d equally probable intervals. These intervals are propagated through the inverse cdf. The set of focal elements Gπ describing π consists of d focal elements with mass 1/d:

Confidence sampling is a very conservative way to treat the information on the mean and variance of the distribution. In this case, d confidence intervals are sampled from the distribution. The obtained bounds are far larger:

Figure 5 illustrates the two different sampling procedures. Table 3 shows estimates from different experts on the basic fault tree events.

Figure 5. Visualization of the confidence (conf.) and the ODF sampling strategy for µ = 10^−7 and σ = [10^−8, 4·10^−8]. (Plot not reproduced: a on the x-axis, 0.5·10^−7 to 2.5·10^−7; P(pi ∈ [0, a]) on the y-axis, 0 to 1; curves Conf (Pl), Conf (Bel), ODF (Pl), ODF (Bel).)
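Added example (not from the paper or its toolbox) of the outer discretisation (ODF) conversion described above: a (µ, σ) estimate becomes d focal elements of mass 1/d, shown for the Figure 5 case µ = 10^−7, σ = [10^−8, 4·10^−8]. Because the inverse cdf µ + σ·z_π is linear in µ and σ, the extreme quantiles over interval parameters are attained at the corner parameter pairs; the handling of the censoring to [0, 1] at the outermost bins (their open ends are set to 0 and 1) and the choice of d are my assumptions.

```python
"""Outer discretisation (ODF) of an expert's (mu, sigma) estimate into
interval focal elements (lower, upper, mass) for a second-order DST model."""
from itertools import product
from statistics import NormalDist
from typing import List, Sequence, Tuple

Focal = Tuple[float, float, float]


def odf_focal_elements(mu: Sequence[float], sigma: Sequence[float],
                       d: int = 4) -> List[Focal]:
    """Split the probability range [0, 1] into d equally probable bins and map
    every bin through the inverse cdf of N(mu, sigma), censored to [0, 1].

    mu and sigma are (lo, hi) intervals; a point estimate is (x, x).  Each
    focal element is the hull of the bin's images under all corner parameter
    pairs, so it encloses that quantile bin of every admissible distribution.
    The first bin starts at 0 and the last ends at 1, the censoring bounds
    (assumed handling of F^-1(0) and F^-1(1), which are unbounded)."""
    corners = [NormalDist(m, s) for m, s in product(mu, sigma)]
    focals: List[Focal] = []
    for k in range(d):
        p_lo, p_hi = k / d, (k + 1) / d
        lo = 0.0 if k == 0 else max(0.0, min(n.inv_cdf(p_lo) for n in corners))
        hi = 1.0 if k == d - 1 else min(1.0, max(n.inv_cdf(p_hi) for n in corners))
        focals.append((lo, hi, 1.0 / d))
    return focals


def figure5_case(d: int = 4) -> List[Focal]:
    """Figure 5 parameters: mu = 1e-7 as a point, sigma = [1e-8, 4e-8]."""
    return odf_focal_elements((1e-7, 1e-7), (1e-8, 4e-8), d)


def figure5_point_sigma(d: int = 4) -> List[Focal]:
    """Same mean with sigma fixed at 1e-8: the ODF of a single distribution,
    whose bins are contiguous and do not overlap."""
    return odf_focal_elements((1e-7, 1e-7), (1e-8, 1e-8), d)


if __name__ == "__main__":
    for label, m in (("interval sigma", figure5_case()),
                     ("point sigma", figure5_point_sigma())):
        print(label)
        for lo, hi, mass in m:
            print(f"  [{lo:.4e}, {hi:.4e}]  m = {mass:.2f}")
```

Running it shows how the interval on σ widens the inner focal elements relative to the single-distribution discretisation, which is the extra nonspecifity the paper's AW and GH′ measures pick up.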

5 RESULTS

Fault tree models have a very low amount of computation. Thus, 10^6 samples of the joint BPA were propagated through the system function using Monte Carlo sampling. All calculations performed and all plots shown were generated using the imprecise probability toolbox for MATLAB. This free and open source tool is available at (IP Toolbox 2006).

Figure 6 shows the prediction on Belief and Plausibility of the system failure probability. The vertical lines represent the upper and lower failure probability required by SIL 2. It can be seen that the stricter SIL probability is not reached. However, the lower threshold 10E−6 is not surpassed with both high Belief and Plausibility. The uncertainty contributed by the interval width is quite high.

Table 4 gives some characteristics of the resulting BPA. Expectation value and median are at approximately the same level. These values, which average over the uncertainty modelled by distributions but not over the interval uncertainty, can be given in bounds. These bounds are narrower for the median than for the expectation value. The overall uncertainty measures GH and AW are also listed.

Dealing with a second order DST uncertainty treatment, it is necessary to communicate the meaning of the uncertainty expressed by the system output. The uncertainty is not generated by a random process (which is inherently modelled by the probabilistic fault-tree model). It stems from expert uncertainty and conflict between estimates. It could not simply be “averaged out” if more than one system is produced. This important difference has to be pointed out if results were to be used in a decision process.

The sensitivity analysis performed shows clearly where to collect more evidence. As can be seen in Figure 7, a reduction of the nonspecifity on the tacho sensor failure (ID 16) and the failure of the neutral switch (ID 15) may lead to the largest reduction of nonspecifity in the model output. The plate/cover/bearing failure (ID 1) seems to contribute highly to the general nonspecifity, too. Other components such as oil seal leakage (IDs 4, 5, 6) contribute less or zero nonspecifity. This may either be the case because the amount of information on the component is already high or because the component plays an insignificant role in the system model.

Table 3. Expert estimates on the failure probability of different components.

Basic Event                          ID  Source    Failure prob./h of service         Type
Plate/Cover/Bearing                  1   Expert 1  [1E−08, 3E−08]                     Interval
                                         Expert 2  4E−08                              Point
                                         Expert 3  µ = 1E−07, σ = [1E−08, 2E−08]      ODF
Actuator wiring elect.               2   Expert 1  µ = [1E−08, 2E−08], σ = 1E−09      ODF
                                         Expert 2  4E−08                              Point
                                         Expert 3  µ = 2E−08, σ = 1E−09               Conf
Lever                                3   Expert 1  [0, 1E−8]                          Interval
Oil seal 1 leaks                     4   Expert 1  [1E−07, 3E−07]                     Interval
                                         Expert 2  µ = 3E−07, σ = [1E−07, 2E−07]      ODF
                                         Expert 3  µ = [3E−07, 5E−07], σ = 1E−08      ODF
Oil seal 2 leaks                     5   Expert 1  [1E−07, 3E−07]                     Interval
                                         Expert 3  µ = 2E−07, σ = 1E−08               Conf
Oil seal failure undetected          6   Expert 2  1E−09                              Point
Oil temp. above limit                7   Expert 2  [0.01, 0.03]                       Interval
Oil temperature sensor               8   Expert 1  3E−07                              Point
                                         Expert 3  µ = 4E−07, σ = 1E−08               Conf
Housings 3x                          9   Expert 2  0                                  Point
                                         Expert 3  [0, 1E−9]                          Interval
Transmission actuator                10  Expert 1  [1E−08, 3E−08]                     Interval
                                         Expert 2  µ = 7E−08, σ = 3E−09               ODF
                                         Expert 3  [2E−08, 4E−08]                     Interval
Electronics                          11  Expert 2  µ = 3E−06, σ = 5E−07               ODF
Undet. fail. of pressure red. valve  12  Expert 1  [7E−08, 1.5E−07]                   Interval
                                         Expert 2  [1E−07, 2E−07]                     Interval
                                         Expert 3  4E−07                              Point
Pressure too high                    13  Expert 3  0.02                               Point
Overhaul fails                       14  Expert 1  [0.003, 0.005]                     Interval
                                         Expert 2  µ = [1E−03, 2E−03], σ = 2E−04      Conf
                                         Expert 3  µ = 3E−03, σ = [1E−04, 2E−04]      Conf
Neutral sw. fails                    15  Expert 1  6E−08                              Point
                                         Expert 2  [0, 1E−07]                         Interval
Tacho sensor erroneous               16  Expert 2  5E−07                              Point
                                         Expert 3  [2E−07, 4.5E−07]                   Interval
Gear switch in progress              17  Expert 3  0.04                               Point
Output shaft sensor down             18  Expert 2  µ = 2E−07, σ = 4E−08               ODF
Output shaft sensor erroneous        19  Expert 1  µ = 3E−08, σ = 1E−08               ODF
                                         Expert 2  µ = 4E−08, σ = 1E−08               ODF
                                         Expert 3  µ = 7E−08, σ = 2E−08               ODF

6 CONCLUSIONS & OUTLOOK

This paper illustrated on a real world example the advantages but also some pitfalls when DST is applied to system safety prediction. Expert estimates can be merged, added and updated in a comprehensible way. Because of the conservative uncertainty treatment inherently included in DST, results could be further utilized, even in a sceptical environment. Experts have the possibility to describe critical uncertainties by intervals without the need to justify a distribution assumption. Therefore the method is especially useful in reliability and safety prediction during the first design stages.

The focus of the sensitivity study was to illus-trate with a simple method how to study the effectsof nonspecifity such as it the common practice for

720

Aven CH090.tex 17/5/2007 10: 44 Page 721

[Figure 6: plot of P(p_S ∈ [0, a]) against a (x-axis 0 to 1.2 × 10^−6, y-axis 0 to 1), showing the curves Pl([0, a]) and Bel([0, a]) together with the SIL 2 upper bound and SIL 2 lower bound.]

Figure 6. Results of the fault tree analysis and the illustrated bound to comply with SIL2.

Table 4. Statistics on the resulting belief function.

Data source                  Failure probability
Exp.                         [5.1806e−007 8.4600e−007]
Median                       [5.7649e−007 8.4037e−007]
5%                           [3.0306e−007 6.3564e−007]
95%                          [7.3770e−007 1.0354e−007]
Bel/Pl(p_sys < 10^−6)        0.9104 / 1
Bel/Pl(p_sys < 10^−7)        0 / 0
GH′, ε = 1e−010              11.4485
AW                           3.2794e−007

[Figure 7: bar chart of s in % (y-axis 0 to 40) against FT basic event ID (x-axis 0 to 20).]

Figure 7. Reduction of the overall nonspecifity given perfect information of one component.

randomness in probabilistic models. The sensitivity method used was fairly simple and could be extended using much more sophisticated methods such as described in (Saltelli et al. 2004). Further extension could include the application of combined measures of randomness and nonspecifity to make use of the interval-distribution synthesis which is the core of DST.
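As an added example (not code from the paper or its MATLAB toolbox), a small Python model of the propagation summarised in Table 4 and Figure 7: constructed interval, point and discretised expert estimates for three basic events are pushed through an OR gate under random-set independence, Bel/Pl of meeting a target failure probability are read off the resulting mass function, and the nonspecifity reduction from perfect knowledge of one event is computed. The nonspecifity formula (mass-weighted log2(1 + width/ε)) and the midpoint collapse are assumptions, not the paper's GH′ definition.

```python
import math
from itertools import product
# Constructed example data, not the paper's numbers. Each basic event is a DST
# mass function on failure-probability intervals, ((lo, hi), mass) pairs: one
# interval = expert interval, zero width = point, several = discretised ODF.
BASIC_EVENTS = {
    "E1 interval": [((1e-7, 3e-7), 1.0)],
    "E2 point": [((2e-8, 2e-8), 1.0)],
    "E3 discretised": [((1e-7, 2e-7), 0.5), ((2e-7, 5e-7), 0.5)],
}
EPS = 1e-10  # width scale of the nonspecificity measure (assumed)

def or_gate(probs):
    """Top-event probability of an OR gate over independent basic events."""
    q = 1.0
    for p in probs:
        q *= 1.0 - p
    return 1.0 - q

def propagate(events, gate=or_gate):
    """Push the mass functions through the monotone gate under random-set
    independence: each focal-element combination maps to [gate(lows), gate(highs)]."""
    result = {}
    for combo in product(*events.values()):
        lo = gate([iv[0] for iv, _ in combo])
        hi = gate([iv[1] for iv, _ in combo])
        m = math.prod(mass for _, mass in combo)
        result[(lo, hi)] = result.get((lo, hi), 0.0) + m
    return result

def bel_pl(sys_mass, target):
    """Belief and plausibility that p_sys lies in [0, target]."""
    bel = sum(m for (lo, hi), m in sys_mass.items() if hi <= target)
    pl = sum(m for (lo, hi), m in sys_mass.items() if lo <= target)
    return bel, pl

def nonspecificity(sys_mass, eps=EPS):
    """Generalised-Hartley-style measure: mass-weighted log2(1 + width/eps).
    Assumed form, not the paper's GH' definition."""
    return sum(m * math.log2(1.0 + (hi - lo) / eps) for (lo, hi), m in sys_mass.items())

def sensitivity(events, gate=or_gate):
    """Percent reduction of nonspecificity if one basic event were known
    perfectly (its intervals collapsed to their midpoints, an assumption)."""
    base = nonspecificity(propagate(events, gate))
    reductions = {}
    for name in events:
        perfect = dict(events)
        perfect[name] = [(((a + b) / 2, (a + b) / 2), m) for (a, b), m in events[name]]
        reductions[name] = 100.0 * (base - nonspecificity(propagate(perfect, gate))) / base
    return reductions
```

With these inputs the interval-valued event E1 contributes the largest share of the top-event nonspecifity, the point estimate E2 none at all, which is the kind of ranking Figure 7 displays per basic event ID.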

REFERENCES

Berleant, D. & Zhang, J. 2004. Bounding the Times to Failure of 2-Component Systems. IEEE Transactions on Reliability 53(4): 542–550.

Burmaster, D. E. & Wilson, A. M. 1996. An Introduction to Second-Order Random Variables in Human Health Risk Assessments. Human and Ecological Risk Assessment 2(4): 892–919.

Chin, W. C., Ramachandran, V. & Cho, C. W. 2000. Evidence Sets Approach For Web Service Fault Diagnosis. Malaysian Journal Of Computer Science 13(1): 84–89.

Dempster, A. P. 1967. Upper and lower probabilities induced by a multivalued mapping. Annals of Math. Statistics 38: 325–339.

Embrechts, P., Lindskog, F. & McNeil, A. 2003. Modelling dependence with copulas and applications to Risk Management. In S. Rachev, ed., Handbook of Heavy Tailed Distributions in Finance: 329–384. Amsterdam, NL: Elsevier.

Ferson, S., Hajagos, J., Berleant, D., Jianzhong Zhang, Troy Tucker, W., Ginzburg, L. & Oberkampf, W. 2004. Dependence in Dempster-Shafer theory and probability bounds analysis. Albuquerque: Sandia National Laboratories.

Ferson, S., Kreinovich, V., Ginzburg, L., Myers, D. S. & Sentz, K. 2003. Constructing Probability Boxes and Dempster-Shafer Structures. Albuquerque: Sandia National Laboratories.

Ferson, S. & Tucker, W. T. 2006. Sensitivity in Risk Analyses with Uncertain Numbers. Albuquerque: Sandia National Laboratories.

Guth, M. A. S. 1991. A probabilistic foundation for vagueness and imprecision in fault-tree analysis. IEEE Transactions on Reliability 40(5).

IEC. 2001. IEC 61508 Functional Safety of electrical/electronic/programmable electronic safety-related systems – Part 1 to Part 7. Geneva, Switzerland: IEC.

Imprecise probability toolbox for MATLAB. 2006: http://www.uni-duisburg-essen.de/il/software.php

Jäger, P. & Bertsche, B. 2005. An approach for early reliability evaluation of mechatronic systems. In European Conference on Safety and Reliability – ESREL 2005, Gdynia-Sopot-Gdansk, Poland, 925–932.

Klir, G. J. 2005. Uncertainty and Information: Foundations of Generalized Information Theory. Wiley-IEEE Press.

Kochs, H.-D. 2004. Dependability of Mechatronic Units – Mechatronic Dependability – with Focus on Key Factors. In 28th Annual International Computer Software and Application Conference (COMPSAC 2004) – Panel Session, Hong Kong.

Kochs, H.-D. & Petersen, J. 2004. A Framework for Dependability Evaluation of Mechatronic Units. In ARCS 2004 Organic and Pervasive Computing, Augsburg, 92–105.

Rakowsky, U. K. 2005. Some Notes on Probabilities and Non-Probabilistic Reliability Measures. In European Conference on Safety and Reliability – ESREL 2005, Gdynia-Sopot-Gdansk, Poland, 1645–1654.

Saltelli, A., Tarantola, S., Campolongo, F. & Ratto, M. 2004. Sensitivity Analysis in Practice. A Guide to Assessing Scientific Models. New York: Wiley.

Savic, R. 2005. Neural generation of uncertainty reliability functions bounded by belief and plausibility frontiers. In European Conference on Safety and Reliability – ESREL 2005, Gdynia-Sopot-Gdansk, Poland, 1757–1762.

Sentz, K. & Ferson, S. 2002. Combination of Evidence in Dempster-Shafer Theory. SAND REPORT 2002–0835.

Shafer, G. 1976. A Mathematical Theory of Evidence. Princeton, NJ, USA: Princeton University Press.

Tonon, F. 2004. Using random set theory to propagate epistemic uncertainty through a mechanical system. Reliability Engineering and System Safety 85(1–3): 169–181.

Utkin, L. V. & Coolen, F. P. A. 2007. Imprecise reliability: an introductory overview. In G. Levitin, ed., Computational Intelligence in Reliability Engineering: 261–306. New York: Springer.

Walley, P. 1991. Statistical Reasoning with Imprecise Probabilities. London: Chapman and Hall.
