Introduction Phased mission system (PMS) consists of consecutive, non-overlapping time periods, called phases during which the system conguration, suc

Transcription

1 A BDD-Based Algorithm for Reliability Evaluation of Phased Mission System Xinyu Zang, Hairong Sun and Kishor S. Trivedi fxzang, hairong, Center for Advanced Computing and Communications Department of Electrical and Computer Engineering Duke University Durham, NC 2778 Abstract In this paper, a new algorithm based on Binary Decision Diagram (BDD) for reliability evaluation of Phased Mission System (PMS) is proposed. This algorithm uses phase algebra to deal with the dependence among the phases, and a new BDD operation is proposed to incorporate the phase algebra. Due to the nature of BDD, cancelation of common components among the phases can be combined with the BDD generation without additional operations, and the sum of disjoint products (SDP) can be implicitly represented by the nal BDD, so that it can avoid huge storage for large number of SDPs. Several examples and experiments show the eciency of this algorithm. This paper also presents the expression for the transient behavior of PMS when the failure function of components are general rather than exponential. Index Terms: Phased Mission System (PMS), Reliability Evaluation, Transient Analysis, Fault Trees, Binary Decision Diagram (BDD) This research was supported in part by the National Science Foundation under Grant No. EEC948765, and by the Department of Defense as an enhancement project to the Center for Advanced Computing and Communications in Duke University.

2 Introduction Phased mission system (PMS) consists of consecutive, non-overlapping time periods, called phases during which the system conguration, success criteria, and component behavior may vary from phase to phase. Many practical systems are actually phased mission systems, e.g., the voyage of an aircraft can be divided into several phases, such as take o, cruise and landing, each with completely dierent reliability requirements and behaviors. Compared with single phased systems, the reliability evaluation of PMS is much more complex, because of the dependence across the phases. For instance, the state of a component at the beginning of a new phase is identical to its state at the end of the previous phase[]. The dynamic structure and conguration of the PMS usually requires a distinct model for each phase, which also increases the complexity of modeling and analysis. Although reliability evaluation of PMS has been studied for more than twenty years, the size of problems that can be solved is still very small due to the high computational complexity of the methods for the evaluation of PMS. Generally, there are two classes of models to address PMS problems: Markov chain based models [,, 9, 4, 2, 2, 5, 22, 3] and combinatorial models [23,, 6, 2, 6, 2]. The main idea of Markov chain based models is to directly or indirectly (e.g., starting with a Petri Net) construct a Markov chain to represent the system behavior. These models at once take into account of the dependence among the components within a phase and the dependence across phases. However, the Markov chain based models suer from state explosion problem especially when the number of components becomes large. The assumption of combinatorial models for PMS is that all the components in system are independent. This assumption can simplify the analysis, however limits the application of the models because the dependence does exists in some PMSs. Special methods have 2

3 to be used to address the dependence across phases. In [], Esary and Ziehms introduced a method which can deal with the dependence across phases, i.e., using a series of independent mini-components to replace the component in each phase. However, this method causes the size of the problem to become very large as the number of phases increases. Cancelation method was introduced by Pedar and Sarma in [6], which, however, needs additional calculation on mincuts. In [23], Somani and Trivedi used phase algebra to address such dependence. Based on this, Ma and Trivedi [2] combined the idea of phase algebra with cancelation method, but still needed to obtain the sum of disjoint product (SDP) explicitly. As the number of components becomes large, the number of SDPs also increases rapidly, which subsequently increases the amount of storage and computation time. The computational complexity of combinatorial models is much less than that of Markov chain based models. However, these models normally need to nd mincuts of systems and calculate the sum of disjoint products, which is still computationally-intensive. Binary Decision Diagrams (BDD) were, at rst, used in VLSI design and verication as an ecient method to manipulate Boolean expressions [5, 4]. Bryant [5] and other researchers have shown that, in most cases, BDDs use less memory to represent large Boolean expressions than representing them explicitly. Because BDDs are based on Shannon's decomposition, reliability expression is easily from the BDD format. Several researchers have used BDD to do reliability analysis for fault trees [7, 7, 8, 9, 8]. In this paper, a new algorithm for PMS based on BDD is proposed. As in [23], this algorithm uses phase algebra to deal with the dependence across phases. The nature of BDD ensures that the cancelation of components from an earlier phase when it is accounted in a later phase is automatic and does not increas any extra computations. The nal BDD of the system can represent the SDPs implicitly, avoiding the huge storage for large number 3

4 of SDPs. Thus there is considerable reduction in computing and storage requirements over the earlier approaches. The paper is organized as follows. Section 2 presents some preliminary concepts, such BDD, phase algebra, etc. Section 3 presents our PMS algorithm based on BDDs. Several examples are provided in Section 4 to show the eciency of the algorithm. Section 5 presents the advantage of BDD algorithm by comparison with other approaches. The last section gives the conclusion and future work. 2 Preliminary concepts 2. Binary Decision Diagrams (BDD) In [5], Bryant gave the basic denitions for BDD (also known as function graph). A subset of general BDD, reduced ordered binary decision diagrams (ROBDD) were introduced as ecient means to manipulate the Boolean expressions. Several researchers [7, 7, 8] applied BDD to reliability evaluation for fault trees. Here we will review some basic concepts of BDD. 2.. Shannon's decomposition and ite format Theorem Shannon's Decomposition: let f be a Boolean expression on X, and x be a variable of X, then, f = x f x= + x f x= () where f evaluated in x = v is denoted by f x=v. 4

5 Shannon's decomposition is the basis of using BDD. In order to express Shannon's decomposition concisely, the If-Then-Else (ite) format is dened as: f = ite(x; F ; F 2 ) = x F + x F 2 (2) where F = f x= and F 2 = f x= BDD A BDD is a directed acyclic graph (DAG) that is based on Shannon's decomposition. The graph has two sink nodes, labeled and, representing the two corresponding constant and. Each non-sink node is labeled with a Boolean variable x and has two outgoing edges that represent the two corresponding expressions in the Shannon's decomposition. These two edges are called -edge (or else-edge) and -edge (or then-edge). The node linked by -edge represents the Boolean expression when x =, i.e., f x= in Eqn. (), while the node linked by -edge represents the Boolean expression when x =, i.e., f x= in Eqn. (). Thus, each non-sink node in BDD encodes an ite format. Obviously, one of the key feature of BDD is the disjoint nature of the two subexpressions. An ordered binary decision diagram (OBDD) is a BDD with the constraint that the variables are ordered and every source to sink path in the OBDD visits the variables in ascending order. A reduced ordered binary decision diagram (ROBDD) is an OBDD where each node represents a distinct Boolean expression. In practice, ROBDDs are widely used. Actually, to generate a ROBDD, the ordering of the variables has to be selected rst and this order of variables is not changed during the generation. In this paper, we denote x i < x j as variable x j is behind variable x i in the order of variables. Fig. shows the ROBDD for several Boolean expressions. We do not consider the dynamic reordering of BDD in this paper 5

6 G b a G2 c H c a H2 b (a) g = a c + b c (b) h = a b + c Figure : BDD representation of Boolean expressions 2..3 Manipulation of BDDs BDDs represent Boolean expressions graphically. The manipulation of BDDs using logical operations is very easy. For instance, consider a logic operation AN D on two Boolean expressions g and h. We rst generate two BDDs for g and h respectively using the same ordering of variables. We assume that the rst variable is common to g and h. Let this common variable be denoted by x,. Using Eqn. (2), the ite formats of the expressions are g = ite(x; g x= ; g x= ) = ite(x; G ; G 2 ) The g + h represented by ite format will be: h = ite(x; h x= ; h x= ) = ite(x; H ; H 2 ) ite(x; G ; G 2 ) + ite(x; H ; H 2 ) = g + h 6

7 a G+H G2+H2 a b b REDUCE b +H G2+H H+G2 +G2 c c c Figure 2: OR operation of two BDDs 7

8 = ite(x; (g + h) x= ; (g + h) x= ) = ite(x; (g x= + h x= ); (g x= + h x= )) = ite(x; (G + H ); (G 2 + H 2 )) (3) The recursive method can be used for G + H and G 2 + H 2 till one of them becomes a constant expression, or, or they do not have the rst variable in common. Next we assume h does not have variable x, but has variable y, and x < y in order of variables. The ite formats of the expressions are The g + h represented by ite format will be: g = ite(x; g x= ; g x= ) = ite(x; G ; G 2 ) h = ite(y; h y= ; h y= ) = ite(y; H ; H 2 ) ite(x; G ; G 2 ) + ite(y; H ; H 2 ) = g + h = ite(x; (g + h) x= ; (g + h) x= ) = ite(x; (g x= + h); (g x= + h)) = ite(x; (G + h); (G 2 + h)) (4) In the above example, we used OR operation, but any other logical operation can be used and the only dierence is to use the dierent truth tables when one of the operands becomes constant expression. Actually, in practice, the BDD is generated by using logical operations on variables rather than using Shannon's decomposition directly. Fig. 2 shows the OR operation of two Boolean expressions in Fig.. Note that two reductions are made \on-the-y" while carrying out the operation: 8

9 Because the result of +H and G2+H is the same, node b at left becomes irrelevant and can be removed. Because the -edge of node b at right is linked to the same subtree as the -edge of node a(the node b at left is reduced), these two subtrees can be reduced to a single one. 2.2 Failure function of a component in a specic phase As stated in Section, the dependence across phases for a given component increases the complexity of reliability analysis for PMS. Esary and Ziehms [] introduced a method to deal with such dependence, i.e., by using a series of independent mini-components to replace the component in a specic phase. For instance, a component A in phase j can be replaced by a system of mini-components a, a 2,, a j in series. Fig 3 shows the reliability block diagram (RBD) and fault tree (FT) format of Esary's solution. The component A is operational in phase j if and only if it functioned in all previous phases. In [23], the failure function of component A in phase j, i.e., F A;j (t) was given assuming the failure function is exponential. We wprovide here F A;j (t) when the failure function is general. Let p A;i (t) be the failure function of mini-component a i, dened as: 8 >< P [X A (t) = ] i = p A;i (t) = >: P [X A (t + T i?) = j X A (T i?) = ] < i j where T i is the duration time of phase i. Because all a i ; i = ; 2; : : : ; j are in series, the failure function for component A in phase j is given by: 9

10 Aj Aj a a2 aj a a a 2 j Figure 3: RBD and FT format of Esary's solution Lemma j? Y F A;j (t) =? ( (? p A;i (T i )))(? p A;j (t)) i= j? Y j? Y = (? (? p A;i (T i ))) + ( (? p A;i (T i )))p A;j (t) (5) i= Here time t is measured from the beginning of phase j so that t T k. T i represents the duration for phase i. The rst term in Exp. (5) represents the probability that component has already failed in the previous phases (phase ; 2; : : : ; j? ). The second term represents the failure probability distribution of the component in phase j. The time origin for phase j is reinitialized to the beginning of the phase. Exp. (5) can be used to study the transient behavior of the phased mission system. i=

11 Failure Failure Failure A B C A B C A B C Phase X Phase Y Phase Z Figure 4: System conguration in three phases 2.3 Phase algebra In [], after replacing the component A by a series system of independent mini-components a, a 2, and a i, a new equivalent system is formed by subsystems in series. In [], it is shown that the ordinary reliability of this equivalent system is the same as the phasedmission reliability of the original system. Consider a simple example: Example : The system has three phases X, Y and Z whose congurations are shown in Fig. 4 in FT format. The equivalent system is shown in Fig. 5. Let A = (or A = ) mean that component A has failed and A = mean that component A is operational. Using this notation, we can use Boolean expression to describe the failure combinations for each phase. Let E i denote the Boolean expression specifying the failure combinations for phase i, the system unreliability is then given by: n[ UR = P [ E i ] (6) i= As in [23], we use a variable A i whose failure function is F A;i in Exp. (5) to represent behavior of component A in phase i. Because the dependence exists among A i

12 Failure a b c a a 2 b b 2 c c 2 a a 2 a 3 b b b c c c Figure 5: Equivalent system for the end of mission (i = ; 2; : : : ; j? ), special treatment is needed for the combination terms which contain more than one A i ; i n. Phase algebra can be used to deal with this. Let i and j be two phases (i < j). The rules of phase algebra are listed in Table. Twocombinations, A iaj and Ai + A j, are not given in [23]. The rst combination, i.e., A iaj, means that component A is operational until the end of phase i and then fails sometime during phase j. The probability of this term is iy jy P (A iaj ) = ( (? p A;k (T k )))(? (? p A;k (T k ))) = k= iy (? p A;k (T k ))? k=i+ (? p A;k (T k )) k= k= = F A;i (T i )? F A;j (T j ) = P (A i )? P (A j ) (7) The second term, i.e., Ai + A j, has no physical meaning. 2 jy

13 A i A j! A j Ai + Aj! Aj A i Aj! Ai A i + A j! A i A i A j! A i + Aj! Table : Rules of phase algebra Note that the phase algebra rules are to be applied to variables belonging to the same component. The ordinary Boolean relations still hold for the variables representing dierent components. Note also that the variables such as A i and B j are independent. 3 BDD algorithm for phased mission system 3. BDD operation for phase algebra The relations of phase algebra in Table are dierent from the ordinary logical relations. A special BDD operation should be derived for these relations. We call these BDD operations as phase dependent operations (PDO). Because BDD operations heavily depend on the order of variables, there are two classes of PDOs: forward PDO: the order of variables is the same as the phase order, i.e., A, A 2,, A n. backward PDO: the order of variables is the reverse of the phase oder, i.e., A n, A n?,, A. Let E i and E j denote the Boolean expressions specifying the failure combinations for phases i and j (i < j), respectively, and assume Ai exists in E i and Aj exists in E j. Using 3

14 ite format, E i and E j can be written as: E i = ite( Ai ; (E i ) Ai = ; (E i) Ai =) = ite( Ai ; G ; G 2 ) E j = ite( Aj ; (E j ) Aj = ; (E j) Aj =) = ite( Aj ; H ; H 2 ) We use to denote logical operations AND or OR. Lemma 2 For the forward PDO, ite( Ai ; G ; G 2 ) ite( Aj ; H ; H 2 ) = ite( Ai ; G H ; G 2 E j ) (8) Proof: Because component A must be in failed state in phase j if it has already failed in phase i, i.e., Ai = implies Aj =, hence 2 ite( Ai ; G ; G 2 ) ite( Aj ; H ; H 2 ) = E i E j = ite( Ai ; (E i E j ) Ai = ; (E i E j ) Ai = ) = ite( Ai ; (E i ) Ai = (E j) Aj = ; (E i) Ai = (E j) Ai = ) = ite( Ai ; G H ; G 2 E j ) (9) Lemma 3 For the backward PDO, ite( Ai ; G ; G 2 ) ite( Aj ; H ; H 2 ) = ite( Aj ; E i H ; G 2 H 2 ) () Proof: Because component A must be operational in phase i if it is operational in phase j, i.e., Aj = implies Ai =, hence ite( Ai ; G ; G 2 ) ite( Aj ; H ; H 2 ) = E i E j = ite( Aj ; (E i E j ) Aj = ; (E i E j ) Aj = ) = ite( Aj ; (E i ) Aj = (E j) Aj = ; (E i) Ai = (E j) Aj =) = ite( Aj ; E i H ; G 2 H 2 ) () 4

15 2 Fig 6 shows the algorithm for the forward and backward PDO. The function of the computed-table and unique-table are explained in [4]. 3.2 Ordering strategy The order of variables is very important for BDD generation. The size of BDD (the number of nodes in BDD) heavily depends on the order. But the problem of computing an ordering that minimizes the size of BDD is itself a co NP-complete problem. The previous study showed that a set of heuristics may be used to select an adequate ordering [5]. We us heuristic H 4 [3] to decide the order of each component. After ordering the components, we replace each component with a series of variables that represent this component in each phase. As stated in the preceeding section, there are two classes of PDO available, each one requires a specic ordering of these variables that belong to the same component. Checking the sizes of nal BDDs (shown in Fig. 7) generated by forward PDO and backward PDO, we nd that the size of BDD generated by backward PDO is smaller than that generated by forward PDO. Observing the BDD in Fig. 7(b), we note that variable A does not occur in it. This means that A is a common component which is accounted for in later phases. Therefore, if backward PDO is used to generate the BDD for PMS, the cancelation of common components can be done automatically during the generation of BDD without any additional operations. 5

16 pdo(op, F, G) { if ((F == ) or (F == ) or (G == ) or (G == )) return op(f, G) /* call to the truth table of op */ else if (cpomupted-table has entry {(op, F, G),R}) return R else { x = the top variable of F y = the top variable of G v = top of x and y if (x, y are the variables of different components) { F = F(v=), F2 = F(v=) G = G(v=), G2 = G(v=) } else if (x == v) { F = F(x=), F2 = F(x=) if (forward PDO) G = G(y=), G2 = G else G = G, G2 = G(y=) } else { if (forward PDO) F = F(x=), F2 = F else F = F, F2 = F(x=) G = G(y=), G2 = G(y=) } T = dpo(op, F, G) E = dpo(op, F2, G2) if (T == E) return T R = find_or_add_unique_table(v, T, E) insert_computed_table({(op, F, G), R}) return R } } Figure 6: Algorithm for PDO 6

17 A A 2 A 3 A 3 A 2 B B B 3 B 2 B 2 B 2 B 3 B B C C C C 3 C 2 C 2 C 3 C (a) forward PDO (b) backward PDO Figure 7: BDD generated by PDO 7

18 . Use Exp.(5) to obtain the value for each variable 2. Order components and their corresponding variables 3. Generate BDD for each phase 4. Using PDO combine these BDDs to obtain the nal BDD 5. Evaluate the nal BDD to obtain the result. Figure 8: BDD algorithm for PMS 3.3 BDD algorithm for PMS Fig. 8 gives the main procedure of reliability evaluation of PMS using BDD. First step is to order the variables using the heuristics mentioned in the preceeding section. BDDs can be generated for each phase by using ordinary logical operations. Then phase algebra and the corresponding backward PDO operation is applied to generate the nal BDD from the BDDs of each phase. Finally, an evaluation algorithm is used to obtain the unreliability of the PMS. All the procedures except evaluation algorithm are discussed in the preceding sections. Now we will present an evaluation algorithm which deals with the dependence among the variables that belong to the same component. Fig. 9 shows the details of the evaluation algorithm. Observing the BDD generated by backward PDO, we see that the -edge always links two variables that belong to dierent components. But for the -edge, there are two cases which need to be evaluated dierently: the -edge linking the variables of dierent components and the -edge linking the variables of the same component. 8

19 Prob(G) { if (G == ) return else if (G == ) return else if (computed-table has entry {G, P_G}) return P_G else { /* G = ite(x, G, G2), G = ite(y, H, H2) */ P_G = Prob(G), P_G2 = Prob(G2) if (x, y are variables of different components) P_G = P_G + ( - P(x)) * (P_G2 - P_G) else P_G = P_G + ( - P(x)) * (P_G2 - Prob(H2)) } insert_computed_table({g, P_G}) return P_G } Figure 9: Algorithm for evaluation of BDD of PMS For the -edge linking the variables of dierent components, it is the same as the ordinary BDD. Ordinary evaluation method for BDD can be used as: G = ite( Aj ; G ; G 2 ) = Aj G + A j G 2 P (G) = P (ite( Aj ; G ; G 2 )) = P ( Aj G + A j G 2 ) = P ( Aj )P (G ) + P (A j )P (G 2 ) = P (G ) + (? P ( Aj ))(P (G 2 )? P (G )) (2) For the -edge linking the variables of the same component, because A i and A j are not independent, a special treatment is needed for this case: G = ite( Aj ; G ; G 2 ) = Aj G + A j G 2 9

20 G = ite( Ai ; H ; H 2 ) = Ai H + A i H 2 P (G) = P (ite( Aj ; G ; G 2 )) = P ( Aj G + A i G 2 ) = P ( Aj ( Ai H + A i H 2 )) + P (A j )P (G 2 ) = P ( Aj Ai H + Aj A i H 2 ) + (? P ( Aj ))P (G 2 ) (3) According to rules of phase algebra A i = Aj Ai and We can obtain A i = A j + A i = A j + Aj A i P (G ) = P ( Ai H + A i H 2 ) = P ( Aj Ai H + ( Aj A i + A j )H 2 ) = P (A j H 2 ) + P ( Aj Ai H + Aj A i H 2 ) therefore, P ( Aj Ai H + Aj A i H 2 ) = P (G )? P (A j H 2 ) = P (G )? (? P ( Aj ))P (H 2 ) (4) Substituting Exp. (4) to Exp. (3), we have P (G) = P (G )? (? P ( Aj ))P (H 2 ) + (? P ( Aj ))P (G 2 ) = P (G ) + (? P ( Ai ))(P (G 2 )? P (H 2 )) (5) 2

21 Therefore, according to the type of the variables linked by -edge, Exp. (2) or Exp. (5) is chosen to evaluate each node in BDD. The probability of the root node of the nal BDD gives the unreliability of the PMS. 3.4 Transient analysis Transient analysis refers to reliability of PMS at any time during the mission. Let t be the time point at which the reliability of a system is considered. Assume the system has completed phase i? (i.e., P i? k= T k < t, where T k is the duration of phase k), and is in phase i. Using the same algorithm in preceeding section and Exp.(5), we can generate the BDD of PMS upto phase i and evaluate its unreliability at time t. In [2], latent failures were dened to address the upwards change in the unreliability value at the phase transition time which corresponds the case that some of the success states in phase i may be failed states in phase i +. It should be noted that the time point t might happen to be the phase transition time, i.e., t = P i? k= T k. In this case, we evaluate the unreliability: at t?, i.e., the system being at the end of the phase i?. at t +, i.e., the system being at the beginning of the phase i. 4 Examples Example 2: In Example, the phase order is X Y Z. The BDDs for the other ve permutations, i.e., X Z Y, Y X Z, Y Z X, Z X Y, Z Y X, are shown in Fig.. We assume that the durations of all the three phases are hours each and the failure rate of each component is :/hour. The unreliability of six permutations is listed in Table 2. Note 2

22 Perm t = t = ()? t = () + t = (2)? t = (2) + t = 3 X Y Z.e e e e e e-3 X Z Y.e e e e e e-3 Y X Z.e+.4987e e e e e-3 Y Z X.e+.4987e e-3.56e e e-3 Z X Y.e e e e e e-3 Z Y X.e e-.4987e e e e-3 Table 2: Unreliability of six permutations in Example 2 that there are some latent failures at the phase transition times. For example, at t = and t = 2 in permutation Z Y X, there are jumps in the unreliability function. Example 3: Modifying the space application in [5], we get an example whose mission alternates between operational phases Launch, Asteroid, Comet, with Hibernation phases. There are four types of equipments: La and Lb: only needed for Launch, at least one of them should be functional during the Launch phase. Aa and Ab: only needed for Asteroid, at least one of them should be functional during the Asteroid phase. Ca and Cb: only needed for Comet, at least one of them should be functional during the Comet phase. Ha, Hb, Hc, Hd: Ha and Hb work during all phases, and Hc and Hd only work during the operational phases. During the operational phases, at least three of them should be functional, and during the hibernation phases, at least one of them should be functional. The system conguration is shown in Fig. (a). The BDD of the system at the end of 22

23 A 3 A 3 A 2 B 3 B 3 B B 2 B 2 C 3 C 3 C C 2 (a) X Z Y (b) Y X Z A 3 B 3 A 3 B 2 A 3 B 3 C 3 B 3 C 3 C 2 C 3 (c) Y Z X (d) Z X Y (e) Z Y X Figure : BDD of ve permutations of phase X, Y and Z 23

24 Phase Name Launch Hibern Asteroid Hibern2 Comet Duration(Hours) Failure rate of Lx.5 Failure rate of Ax. Failure rate of Cx. Failure rate of Hx..... Table 3: System parameters in Example 3 the mission is shown in Fig. (b). The failure rate of each equipment is listed in Table 3. The unreliability of the system during the mission, i.e., the transient behavior, is shown in Fig. 2. From this gure, we can also observe that there are latent failures at some phase transition points, i.e., at the transition from Hibern2 to Comet, and at the transition from Hibern to Asteriod (which is insignicant). At the other transition points, no latent failure occurs. 5 Advantages of BDD algorithm for PMS As seen in preceeding sections, BDDs have some advantages in reliability evaluation of PMS: Cancelation can be done automatically by backward PDO without additional operations. In most cases, the sizes of nal BDDs are not very large. Because BDD is based on Shannon's Decomposition, the evaluation of nal BDD is easy and fast. Let n be the number of nodes in the nal BDD, the evaluation procedure only needs n multiplications and 2n additions. 24

25 Failure Failure 2/4 Ha Hb Ca 5 Ha Hb Hc Hd La Lb Phase 2: Hibern. Cb 5 Phase : Launch Failure Failure Ha 5 Hb 5 Hb 5 2/4 Ha Hb Hc 5 Hc 5 Ha Hb Hc Hd Aa Ab Phase 4: Hibern.2 Hd 5 Phase 3: Asteroid Failure Aa 3 Ab 3 2/4 La Ha Hb Hc Hd Ca Cb Lb Phase 5: Comet (a) System conguration (b) BDD representation Figure : System conguration and its BDD represtation 25

26 .2. Operational Phase Non Operational Phase.8 Unreliability Time (hours) x 4 Figure 2: Unreliability of space application 26

27 Mission Name Phase Number Mission Conguration M 2 Phase A, Phase E M 2 3 Phase A, Phase B, Phase E M 3 4 Phase A, Phase B, Phase C, Phase E M 4 5 Phase A, Phase B, Phase C, Phase D, Phase E Table 4: Mission conguration In this section, we will give some experimental results to show the eciency of our algorithm. At least in one case 2 we also provide a comparison with the MT algorithm in [2]. The latter is based on an MVI SDP method of solving fault trees. Consider a system consists of 7 groups of components and each group has n components, some system congurations are shown in Fig. 3 and Fig. 4, and the mission congurations are listed in Table 4. We vary the value of n from 2 to 5 amd obtain the experimental results shown in Table 5. 6 Conclusion We presented a BDD-based algorithm for reliability evaluation of phased mission systems. Phase dependent operations were developed for BDD to realize the phase algebra, and a special evaluation procedure was proposed for these phase dependent BDDs. Due to the natures of BDD, this algorithm is more ecient than the algorithm based on SDP method in both computation time and storage space, which makes it possible for us to study some practically large phased mission systems. 2 For the case n = 2 and mission M, the MT algorithm needed :59 seconds and produced 232 disjoint phase products 27

28 Failure x, x,n x2, x2,n x3, x3,n x4, x4,n x5, x5,n x6, x6,n x7, x7,n Phase A Failure x, x,n x x x x x x x x x x x x 2, 2,n 3, 3,n 4, 4,n 5, 5,n 6, 6,n 7, 7,n Phase B Failure x, x,n x2, x2,n x3, x3,n x4, x4,n x5, x5,n x6, x6,n x 7, x 7,n Phase C Figure 3: System conguration 28

29 Failure x, x,n x x x x x x x x x x x x 2, 2,n 3, 3,n 4, 4,n 5, 5,n 6, 6,n 7, 7,n Phase D Failure x, x,n x x 2, 2,n x x 3, 3,n x x 4, 4,n x x 5, 5,n x x 6, 6,n x x 7, 7,n Phase E Figure 4: System conguration (continued) 29

30 n Mission # of Nodes Time(s) M M 2 7. M M M M 2 4. M M M M M M M M M M Table 5: Experimental results 3

31 References [] M. Alam and U.M. Al-Saggaf. Quantitative reliability evaluation of repairable phasedmission systems using markov approach. IEEE Transaction on Reliability, R-35(5):498{ 53, 986. [2] J. Arlat, T. Eliasson, K. Kanoun, D. Noyes, D. Powell, and J. Torin. Evaluation of fault-tolerant data handling systems for spacecraft: Measures, techniques and example applications. Technical Report 86.32, LAAS-CNRS, 986. [3] A. Bondavalli, I. Mura, and M. Nelli. Analytical modeling and evaluation of phasedmission systems for space applications. Proceedings IEEE High-Assurance System Engineering Workshop (HASE-97), Bethesda, Maryland, 997. [4] K. Brace, R. Rudell, and R. Bryant. Ecient implementation of a bdd package. Proc. 27th ACM/IEEE Design Automation Conference, pages 4{45, 99. [5] R. Bryant. Graph based algorithms for boolean function manipulation. IEEE Transactions on Computer, 35(8):677{69, 987. [6] G. R. Burdick, J.B. Fussel, D.M. Rasmussen, and J.R. Wilson. Phased mission analysis: A review of new developments and an application. IEEE Transaction on Reliability, 26():43{49, 977. [7] O. Coudert and J.C. Madre. Metaprime: An interactive fault-tree analyzer. IEEE Transactions on Reliability, 43():2{27,

32 [8] S.A. Doyle and J.B. Dugan. Dependability assessment using binary decision diagrams. Proc. 25th International Symposium on Fault-Tolerant Computing, pages 249{258, 995. [9] J.B. Dugan. Automated analysis of phased-mission reliability. IEEE Transaction on Reliability, 4():45{52, 99. [] J.D. Esary and H. Ziehms. Reliability analysis of phased missions. Proc. Conference on Reliability and Fault Tree Analysis, pages 23{236, 975. [] K. Kim and K.S. Park. Phased-mission system reliability under markov environment. IEEE Transaction on Reliability, 43(2):3{39, 994. [2] Y. Ma and K.S. Trivedi. An algorithm for reliability analysis of phased-mission systems. accepted subject to revision, Reliability Engineering. [3] M.Bouissou. An ordering heuristic for building binary decision diagrams from faulttrees. Proc. 996 Annual Reliability and Maintainability Symposium, pages 28{24, 996. [4] J.F. Meyer, D.G. Furchgott, and L.T. Wu. Performability evaluation of the sift computer. Proc. 979 IEEE Fault-Tolerant Computing Symposium (FTCS-79), Madison Wisconsin, pages 43{5, 979. [5] I. Mura, A. Bondavalli, X. Zang, and K.S. Trivedi. Dependability modeling and evaluation of phased mission systems: a dspn approach. accepted, Proc. Dependable Computing for Critical Applications (DCCA) 7. [6] A. Pedar and V.V.S. Sarma. Phased-mission analysis for evaluating the eectiveness of aerospace computing systems. IEEE Transaction on Reliability, 3(5):429{437,

33 [7] A. Rauzy. New algorithms for fault tree analysis. Reliability Engineering and System Safety, 4:23{2, 993. [8] R.M. Sinnamon and J.D. Andrews. Improved accuracy in quantitative fault tree analysis. Quality and Reliability Engineering International, 3:285{292, 997. [9] R.M. Sinnamon and J.D. Andrews. Improved eciency in qualitative fault tree analysis. Quality and Reliability Engineering International, 3:293{298, 997. [2] M. Smotherman and K. Zemoudeh. A non-homogeneous markov model for phasedmission reliability analysis. IEEE Transaction on Reliability, 38(5):585{59, 989. [2] A.K. Somani. Simplied phased-mission system analysis for systems with independent component repairs. International Journal of Reliability, Quality and Safety Engineering, 4(2):67{89, 997. [22] A.K. Somani, J.A. Ritcey, and S.H.L. Au. Computationally ecient phased-mission reliability analysis for systems with variable congurations. IEEE Transaction on Reliability, 4(4):54{5, 992. [23] A.K. Somani and K.S. Trivedi. Phased-mission systems using boolean algebraic methods. Performance Evaluation Review: Proc. 994 ACM SIGMETRICS Conference, 22():98{7,