A Bayesian networks approach for event tree time-dependency analysis on phased-mission system



Introduction
Among several techniques available to model sequence and quantify the failure probability in probabilistic risk assessment (PRA), event trees (ETs) are the most recognized methods that develop logical relationship among the events leading to the possible consequences, while fault trees (FTs) best represent the logic corresponding to pivotal events (PEs) and estimate the probabilities [16].
Dependencies in event tree/fault tree (E/FT) models are frequently encountered and, if neglected, may result in erroneous estimates. Hosseini and Takahashi [4] classify dependencies into two categories: implicit and explicit. Explicit dependencies are due to shared basic events (SBEs), such as shared utilities or shared components, which appear in more than one corresponding FT, while the expression of implicit dependencies is a bit vague. Nývlt and Rausand [13] expanded this division to cover more types of dependencies, such as common cause failures and cascading effects, and further classified the explicit dependencies by static and dynamic behaviour. Many classical methods, such as Binary Decision Diagram (BDD) [1], Markov Chain (MC) [23] and Petri net [13], have been exploited and developed in order to deal with different kinds of dependencies in E/FT analysis.
However, in the practice of aerospace PRA, such as lunar exploration, which has the characteristics of a phased-mission system (PMS), ETs are typically used to portray the progression of mission phases over time, and the time interval between pivotal events (PEs) is not negligible. Dependencies therefore become phase-dependencies (a subset of time-dependency in this context) and make E/FT-based reliability and risk analysis more difficult [1,13].
In ET analysis, not much work has been done on time-dependency analysis, and the papers cited above are mainly based on the hypothesis of static or time-independent behaviour [1,4,13,23]. PMS reliability has attracted substantial attention, and various techniques have been developed to deal with phase-dependency. The analytical techniques for PMS can be classified into two categories: combinatorial models (e.g., mini-components, sum of disjoint phase products, BDD) and state-space transition models (e.g., Markov models, Petri nets) [19,21]. The combinatorial method is based on the static PMS, whose assumption is that all the states of all the system components are s-independent. Esary and Ziehms [3] used a set of independent mini-components to replace the component in each phase to deal with the phase-dependency. Over the past decade, researchers have proposed new algorithms based on BDD for fault tree analysis of PMS by incorporating phase algebra into the generation and traversal of the BDD to deal with phase-dependency [17,21,24]. The other method solves the dependency across the phases using state-based approaches, which are flexible and powerful in modelling complex dynamic systems [12,15]. PMS reliability theory is gradually maturing, but there are still some inadequacies in its application. For the BDD-based fault tree analysis of PMS, the ordering of variables is critical, and it is not capable of treating other kinds of dependencies of system dynamic behaviour [22]. For the MC-based method, it is unreasonable to construct a single Markov model, because the model size faces a state-space explosion problem when modelling large-scale systems [17].
To address the above-mentioned problems, this paper proposes a recently developed methodology based on Bayesian networks (BN). The whole ET with all related FTs is mapped into BNs, and all the BNs resulting from the FTs are combined by connecting the nodes that represent the same component but belong to different PEs. Thus, the purpose is to demonstrate an alternative perspective on the problem of complex time-dependencies and offer a basis for safety and reliability analysis of PMS.
This paper consists of 5 sections. In the remaining sections, we first discuss the dependencies using a demonstrative E/FT model of PMS in Section 2. Section 3 introduces our BN-based approach for E/FT time-dependency analysis. Section 4 describes two examples to demonstrate our proposed approach. Section 5 concludes the paper.

Problem statement: time-dependencies in PMS-E/FT model
PMS is subject to multiple, consecutive and non-overlapping phases (time periods) of operation, in which the system configuration, success criteria and component behaviour may vary from phase to phase [19]. To demonstrate the complex dependencies in an E/FT model when performing PMS reliability and risk analysis, a simple E/FT model with n phases is discussed, as shown in Fig. 1. There are three PEs (representing three consecutive phases) represented by three fault trees $FT_{i-1}$, $FT_i$ and $FT_{i+1}$ respectively. Because some basic events (e.g. "C") occur in more than one FT, there is an explicit dependency between PEs.
A problem related to solving explicit dependencies is that behaviours such as time-independency and time-dependency should be distinguished. The former is the behaviour assumed in most papers, whose basic assumption is that the occurrence/nonoccurrence of the SBE is the same in every associated FT [1,4,13,23], which means that $C \cdot \bar{C}$ and $\bar{C} \cdot C$ are always impossible and should be neglected.
However, this is not realistic, especially when E/FTs are typically used to portray the evolution of phases over time. The time and the order of events are critical for whether or not the consequences occur. Sequences such as $\bar{C} \cdot C$ and $C \cdot \bar{C}$ always occur in the following situations:
(1) When an event tree is built for a PMS such as space exploration, the component "C" may work in the previous phase, but fail in the subsequent phase. Therefore, the sequence $\bar{C} \cdot C$ should be taken into account.
(2) If components are repairable, they can be repaired once a failure occurs during test or work. This means that the sequence $C \cdot \bar{C}$ can occur and should be taken into account.
This dynamic behaviour is closer to reality, but it is also more complicated to model, and the painful aspect is that the basic event probability may change with time. The BDD-based method and the state-based method use phase algebra and time-dependent rates respectively to deal with the dependency across phases. However, these methods confront problems of varying degree as the number of phases increases. In the next section, we introduce a new approach based on Bayesian networks to model the PMS, show how to use conditional probability to express the phase-dependency, and further expand the model with dynamic Bayesian networks (DBN) to cope with more complex time-dependency.

Introduction of BN and DBN
A BN is a graphical inference technique defined by two components: qualitative structure and quantitative parameters. The qualitative part is a directed acyclic graph comprised of nodes and arcs, in which the nodes represent Random Variables (RVs) and the arcs symbolize dependencies or cause-effect relationships among the RVs. The quantitative part is the conditional probability table (CPT), which presents the quantitative relations between each node and its parents [25].
Benefiting from these modelling advantages, BN is a powerful tool for global system estimation and can better address aspects such as multi-state components, failure dependencies, coverage factors, etc. [9]. Its bidirectional inference mechanism can be used either to predict probabilities or to update the probabilities of known variables, as well as for diagnosis [8]. In recent years, BNs have become popular as a robust alternative to most classical methods such as FT [2,5], ET [10], Bow-tie (BT) [6], etc. In order to represent temporal dependencies, the time-dependency of random variables that follow a Markov process can be integrated into a dynamic BN. Montani et al. [11] developed the RADYBAN software for converting a dynamic FT into a 2-time-slice dynamic BN. Their work was further developed by Portinale et al. [14], enabling the modelling of repairable systems by introducing the repair box gate. Weber et al. [20] gave an exhaustive review of BN applications and showed their superiority over classical methods in terms of modelling and analysis capabilities. However, details of the proposed combination of E/FT with BN for PMS reliability and risk analysis are not given.

Translating PMS-ET into PMS-BN
In practice, for a simple PMS, an ET is used to model the mission using sequentially linked phase PEs with a single entry point. Since the system mission will fail if any phase fails, the success of the current mission is conditioned on that of the previous mission and on the survival of the current individual phase supporting subsystem (IPSS), which is always represented by a corresponding FT in the E/FT model. The logical relationships of the overall mission success criteria are easily presented by the conditional probability as shown in Eq. (1).
Where $PMS_i$ and $IPSS_i$ respectively symbolize the state of the i'th PMS and IPSS. The number 0 represents success, and the number 1 represents failure. Different from the mapping rules of ET according to [10], the PMS-ET is translated into the corresponding BN as shown in Fig. 2.

Translating FT into corresponding BN
The IPSS is modelled by the corresponding FT, and Fig. 3 illustrates a simplified process of an FT 2/3 vote gate being converted to the BN. The primary events, intermediate events, and the top event of the FT are represented as IPSS node, intermediate node, and leaf node in the corresponding BN, and the CPTs of the IPSS nodes are developed according to the type of logic gate. More basic gate mapping cases and mapping rules can be seen in the work of Bobbio et al. [2] and Khakzad et al. [5].

Incorporating BN
After the equivalent BNs of the FTs are developed, they are added into Fig. 2 to construct an integrated BN model via the following two steps: first, merge the IPSS nodes in Fig. 2 with the corresponding nodes of the phase-FT top events; second, add a directed arc to connect the SBE-nodes that represent the same components but belong to different IPSS-BNs.
A three-level hierarchical PMS-BN model which can be equivalent to the PMS-E/FT in Fig. 1 is developed and illustrated in Fig. 4.
The three levels respectively represent the entire mission states, the reliability of IPSS and the component states. The phase-dependency is defined by the connection of the nodes in the first level and shared nodes of adjacent phases in the third level. The CPTs of the basic events nodes can be computed as follows.
The basic event "C" is taken as an example and is supposed to have functioned in all the previous phases. According to the total probability law, the failure function of "C" at the end of phase i is given by
Where, C respectively symbolize the random states of "C" at the end of the i-1'th and i'th phase, and j denotes the states of the component. Considering the component is non-repairable, once "C" fails in phase i-1, it will maintain its status in phase i, which means
Substituting Eq. (3) and (4) into (2), thus,
Where $f(t)$ is the failure density function of "C" in phase i; $T_i$ is the duration of phase i; $F_C^i$ represents the component cumulative failure probability at the end of phase i, which equals the conditional failure probability of the mini-component given by [3,24].
If the failure rate of "C" is exponentially distributed, Eq. (5) and (6) can be calculated as:
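The cross-phase CPT of a non-repairable shared component with exponential failures, the total-probability recursion for its cumulative failure probability, and exact mission-reliability inference over the three-level PMS-BN, compared with the product of per-phase reliabilities. This is an added example, not code from the paper or from GeNIe; the function names are hypothetical, and the component rates, phase durations and phase failure logic are constructed for illustration.

```python
import math
from itertools import product

OK, FAILED = 0, 1  # state coding from the text: 0 = success, 1 = failure

def cross_phase_cpt(rate, duration):
    """P(C_i | C_{i-1}) for a non-repairable component with exponential failures."""
    q = 1.0 - math.exp(-rate * duration)       # fails in phase i given it entered working
    return {OK: {OK: 1.0 - q, FAILED: q},
            FAILED: {OK: 0.0, FAILED: 1.0}}    # a failed component stays failed

def cumulative_failure(rates, durations):
    """Failure probability of one component at the end of each phase (total probability law)."""
    f, out = 0.0, []
    for rate, t in zip(rates, durations):
        cpt = cross_phase_cpt(rate, t)
        f = f * cpt[FAILED][FAILED] + (1.0 - f) * cpt[OK][FAILED]
        out.append(f)
    return out

def mission_reliability(rates, durations, phase_fails):
    """Exact inference by enumeration: component chain -> IPSS_i -> PMS_i."""
    names = sorted(rates)
    alive = {tuple(OK for _ in names): 1.0}    # joint states reached with the mission still OK
    for i, (t, fails) in enumerate(zip(durations, phase_fails)):
        cpts = [cross_phase_cpt(rates[n][i], t) for n in names]
        nxt = {}
        for prev, p in alive.items():
            for cur in product((OK, FAILED), repeat=len(names)):
                w = p
                for cpt, s0, s1 in zip(cpts, prev, cur):
                    w *= cpt[s0][s1]
                # PMS_i succeeds only if PMS_{i-1} succeeded and IPSS_i (a function of cur) succeeds.
                if w > 0.0 and not fails(dict(zip(names, cur))):
                    nxt[cur] = nxt.get(cur, 0.0) + w
        alive = nxt
    return sum(alive.values())

def naive_reliability(rates, durations, phase_fails):
    """Product of per-phase reliabilities, i.e. the model without cross-phase arcs."""
    names = sorted(rates)
    marg = {n: cumulative_failure(rates[n], durations) for n in names}
    r = 1.0
    for i, fails in enumerate(phase_fails):
        ok = 0.0
        for cur in product((OK, FAILED), repeat=len(names)):
            w = 1.0
            for n, s in zip(names, cur):
                w *= marg[n][i] if s == FAILED else 1.0 - marg[n][i]
            if not fails(dict(zip(names, cur))):
                ok += w
        r *= ok
    return r

# Constructed two-phase example: rates (per hour) and durations (hours) are illustrative.
RATES = {"A": (1e-3, 2e-3), "B": (2e-3, 2e-3), "C": (1e-3, 3e-3)}
DURATIONS = (10.0, 20.0)
PHASE_FAILS = (
    lambda s: s["A"] and s["B"] and s["C"],     # phase 1 fails only if all three fail
    lambda s: s["C"] or (s["A"] and s["B"]),    # phase 2: C critical, A and B redundant
)

if __name__ == "__main__":
    print(mission_reliability(RATES, DURATIONS, PHASE_FAILS), naive_reliability(RATES, DURATIONS, PHASE_FAILS))
```

The naive product treats the shared components as independent across phases, so it counts a component that has already survived phase 1 as if it could still have failed there.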

Fig. 2. A Bayesian network representing the Event Tree

Extending more complex time dependencies by dynamic BN
If the IPSS exhibits dynamic interactions between components and is modelled by a dynamic fault tree (DFT), it makes the PMS analysis more complex. In this section, we introduce the DBN with further expansion to consider more complex time-dependency.

Translating DFT into corresponding DBN
Dynamic BNs extend the BN formalism by providing an explicit discrete temporal dimension. Fig. 5 illustrates a DFT functional dependency (FDEP) gate converted to the IPSS-DBN; the CPTs of the IPSS node are developed according to the type of gate. More basic dynamic gate mapping cases and mapping rules can be seen in the work of Montani et al. [11].

Incorporating DBN
The adjacent phases (e.g. phase i-1 and phase i) are two consecutive and non-overlapping phases, therefore the initial probability in phase i should be equal to the end probability in phase i-1 for each state. The PMS time line is partitioned into a finite number of time instants (e.g. t-1, t, t+1), and the n mission phases can be treated as $\sum N_i\ (i = 1, 2, \ldots, n)$ smaller phases. The difference is that identical BN structures are generated for each time instant within an individual phase only, while different BN structures occur across phases. The PMS-DBN model, which can be equivalent to the PMS-E/FT in Fig. 1, is developed and illustrated in Fig. 6.
The relationships between basic events in an individual phase at successive time steps are represented by inter-slice arcs, ( ) ( ) + ∆ , and the relationships of SBEs between adjacent phases are represented by cross-phase arcs, 1 ( ) ( ) . The same procedure as in section 3.2.3 may be easily adapted to obtain the CPTs in the PMS-DBN model, as shown in Table 1.

Algorithm summary
Based on the above discussion, we depict our approach of combining E/FT with BN for modelling and analysing the time-dependency with a 5-step procedure as follows:
1) Build the E/FT or E/DFT model to express the PMS for reliability or risk analysis.
2) Transform the ET into the BN, mainly based on the work of section 3.2.1.
3) Transform the FT/DFT into the corresponding BN/DBN according to the work of section 3.2.1 and 3.3.1.
4) Incorporate the IPSS nodes with the top nodes of the corresponding BN, and add the directed arc to connect the shared nodes of adjacent phases that represent the phase-dependency; the CPTs between two time slices are subsequently established.
5) Finally, the whole BN can be used to analyse the reliability and safety of the PMS system, based on the mature reasoning algorithms of commercial software.

Case 1: A simple static PMS
In this section, we apply our approach to a simple example with 2 phases and 3 components (A, B, C), and the E/FT model of system configurations in two phases is shown in Fig. 7. The system parameters are given in Table 2.
Fig. 8 is the PMS-BN model of the example system shown in Fig. 7, built using GeNIe 2.0 (http://genie.sis.pitt.edu); the node conditional probabilities can then be calculated using Eqs. (1)-(8). The whole PMS reliability is 0.775584, which is consistent with the result of the BDD-based method in reference [18].

Example description and preliminary analysis
The APU as a safety-critical system is used to generate power to drive hydraulic pumps that produce pressure for the orbiter's hydraulic system [22]. The orbiter is equipped with three hydraulic systems to supply redundant power to all hydraulically driven components. Each system is divided into three subsystems. Since the APU is to serve as an integrating platform for the other two subsystems, the single hydraulic system can be modeled as an APU for ease of presentation.
The system failure mode criteria are defined such that (1) no loss of any APU unit is regarded as mode OK, (2) loss of any single APU is considered as failure mode F1, (3) loss of any two APUs is failure mode F2, and (4) the worst case, loss of all three APUs, is failure mode F3. Such an accident scenario can be modelled using an ET, as shown in Fig. 9(a).
In this case study, the mission of the APU system was simplified into two phases of operation: on Ascent and on Entry. The difference between these two phases is that the APU control spare, denoted by "A", is only available during the entry phase. Fig. 9(b) and Fig. 10 give the scenario model of the APU launch mission by ET and DFTs in two phases for a better comparison. Symbols in Fig. 10 are explained in [22].
The following assumptions are made for this example.
(1) The time of failure of all components is exponentially distributed. The failure rates of all given basic events and the mission duration of both phases are given in [22].
(2) All components are non-repairable. Once a component fails, it will maintain its status for the remainder of the mission.
Based on the above presentation, the combined E/DFTs are applied to the APU system, including multi-type dependencies (shared APUi, external common cause failure modelled by FDEP gate, hot spare, and phase-dependency).

Construction of PMS-DBN
In the first phase, the APU system can be treated as a single system, and the DBN model of the ascent phase is easily constructed as shown in Fig. 11(a). In the second phase, because phase 1 and phase 2 are consecutive and non-overlapping, the end net (as seen on the right-hand side of Fig. 11(a)) in phase 1 at time T1 gives the initial conditions of phase 2 at time T1, and the initial probabilities in phase 2 at time T1 are equal to the end probabilities in phase 1 for each state. The PMS temporal behaviour in phase 2 is the same as in phase 1, other than the APU control spare, denoted by "A", being activated in phase 2. Finally we obtain the established DBN model using GeNIe, as seen in Fig. 11(b).

Quantitative analysis results
Based on the exact reasoning algorithm of the GeNIe software platform, the complete failure probability during the mission time with all the four failure modes can be calculated as shown in Fig. 12.
Fig. 12 shows that the failure mode curves jump at the transition between the first and second phase, and the probabilities of mode OK and mode F1 increase to different degrees. Therefore, the redundancy of "A" can greatly reduce the failure probability and improve the system reliability.
To assess the risk of catastrophic failure in the mission, we define the mission success criteria as follows: (1) On Ascent: mode OK and failure mode F1 are considered as success, and failure modes F2 and F3 are considered as failure; (2) On Entry: mode OK is considered as mission success, and once any APU fails, the launch mission will fail. Fig. 13 is the risk curve of mission loss; because the second mission success criterion is more rigorous than that of the previous phase, there is a remarkable jump at the transition between the first and second phase. Considering different configurations and mission phase success criteria, it is observed that DBN produces a more explicit measure of the system reliability and risk level over time.

Validation of the method
Xu and Dugan [22] introduced MC-based E/DFT for APU reliability analysis, and proposed a modularization method to improve efficiency due to the problem of building a single MC for the whole system. Results of the four ET outcome mode probabilities obtained from Xu and Dugan's work are shown in column 2 of Table 3.
Compared to the MC model, the modified DBN to account for the four outcome modes is easily constructed by adding several nodes and corresponding arcs to obtain different combinations of APUi status (as shown in Fig. 14), and all the outcome mode probabilities are given in column 3 of Table 3.
This result shows that only small percentage errors exist between the DBN-based method and the MC-based method, even in this complex system. Besides that, DBN can construct a more integrated system scenario model than the Markov method.

Conclusion
This study has presented a new method to analyze time-dependencies in the E/FT model when performing PMS reliability and risk analysis by using Bayesian networks. Various types of dependencies, especially time-dependency in event trees, are discussed. The proposed method shows how to use conditional probability to express the phase-dependency, and further expands to the dynamic BN to cope with more complex time-dependency. The results obtained from a real auxiliary power unit system have shown this method's engineering applicability to large and complex engineering systems.
The advantage of the BN-based approach is that it is easy to understand and use in practice, owing to the flexible modeling ability and mature inference algorithms of Bayesian networks. Nevertheless, this is just the beginning of our work. One challenge is related to the unnecessarily large networks due to the DBN repeating the same structure for each time instance, but this may find its solution within any time horizon of 2-time-slice BN structures. Future work may be devoted to extensions of the proposed approach, such as modeling repairable units and more complex mission success logical relationships, so that the model can be closer to the reality of the system.

Table 3. Probabilities comparison of outcome modes under DBN and MC