BDMP (Boolean logic Driven Markov Processes)® as an alternative to Event Trees

M. Bouissou, EDF R&D, Clamart, France

ABSTRACT: Event trees are the core methodology of probabilistic safety assessments (PSA) in the nuclear industry. This paper proposes an alternative to the most widely used kind of event tree, the one corresponding to the "fault-tree linking" method, in order to make the construction of models easier and to eliminate some ambiguities inherent to the standard method. The proposed formalism is called BDMP: this kind of model, with a graphical representation very close to fault trees, was first introduced in 2002. Its primary objective was to facilitate the specification and processing of very large Markov models. Here we prove, by taking several examples typical of situations encountered in nuclear PSA, that BDMP are easier to build than event trees, while being more precise because they explicitly describe sequential (in)dependences in a graphical way. The quantification of BDMP can be done with the best precision using Markov analysis tools in the case of small and medium models; for large ones, BDMP can be automatically transformed into Boolean functions and quantified via standard PSA tools.

1 INTRODUCTION

There are two kinds of event trees, corresponding to the two methods called fault-tree linking and event-tree linking. The merits and drawbacks of these two methods have been discussed in (Wakefield & Epstein 2002), a paper based on the experience of the authors, gained on real PSA. One of the observations of this paper is that event-tree linking leads to much larger event trees than fault-tree linking. This is due to the necessity to add generic events corresponding to the components or support systems shared by two or more front line systems ensuring the main safety functions. Thanks to the existence of these generic events, the failure of a front line system is modeled and quantified conditionally on a given situation for the shared components/support systems.
Then, all the sequences of the global event tree are mutually exclusive, and it is possible to obtain the exact probability of a particular sequence by a simple multiplication of the (conditional) probabilities of the branches this sequence is made of. The crystal clear theory of this quantitative method was given in (Papazoglou 1998a). On the other hand, fault-tree linking, which is by far the most often used method in the PSA community, makes it possible to take into account many inter-system dependences with much simpler event trees; the only problem with these models is that there is no universally accepted method to quantify them. This means that the same event tree, input in two different tools, may lead to significantly different results (Epstein & Rauzy 2005). In fact, PSA analysts have a lot of experience with the particular processing algorithm they use, and take its features into account when they build event trees. What they want, in fact, is the correct set of minimal cutsets, since the quantification relies completely on this set. They are more concerned with the conciseness of the event trees than with their readability; therefore the order they choose for generic events may not respect the chronological order. This fact, and also the fact that, on the other hand, parallelism between the missions of two safety systems cannot be explicitly specified in the event tree, may make the understanding of an event tree problematic, especially if it has several dozen sequences, like nuclear PSA event trees. In this paper, we will show on several examples that event trees can be replaced by BDMP, with the following advantages: suppression of ambiguities, better conciseness and readability, the possibility to automatically (and efficiently) obtain the same minimal cutsets as with the event tree, and (if it is relevant) the possibility to quantify the model with less conservatism by taking into account temporal dependences that are neglected by the cutset quantification approach.

This paper is organized as follows: in section 2, we recall two alternative representations (for event trees) that were already proposed in the literature, along with their limitations. In section 3, we briefly recall a simplified definition of BDMP. In section 4, we take several examples, obtained by reducing difficulties encountered in real PSA to their theoretical core problem. In section 5 we show that, using BDMP, all these problems are much reduced or even totally eliminated. Finally, in section 6 we give the theoretical limits we can foresee for the use of BDMP as a replacement for event trees.

2 PREVIOUS WORK ON ALTERNATIVE REPRESENTATIONS FOR EVENT TREES

One obvious drawback of event trees is their size and complexity. Unless they are reduced by merging sequences leading to the same final state of the system, their size is an exponential function of the number of generic events. The article (Papazoglou 1998b) proposes an alternative representation, called "functional block diagrams", that can be seen as a generalization of reliability block diagrams obtained by considering more than two states for blocks and "flows" between the blocks. The graphical representation of a functional block diagram does not contain all the information needed to generate an event tree; it must be completed by tables that give the state of the output of a block as a function of its internal state and the states of its inputs. Nonetheless, this representation can be much more concise than event trees and provide good abstractions, thanks to the use of breakdown levels for the blocks; moreover, it can be automatically transformed into an event tree. The problem with the method given in (Papazoglou 1998b) is that it is intractable for a very large number of functional blocks. With such a large model, the necessary optimization of the order of the blocks (in order to merge efficiently the sequences with the same consequences) is likely to lead to a combinatorial explosion. The tool SIMFIA is based on functional block diagrams. The algorithms it uses are much more robust than the method of (Papazoglou 1998b): SIMFIA can automatically produce a fault-tree corresponding to each category of consequence for the whole system, by backward chaining along the flows of the diagram. The remaining problem with functional block diagrams is that they are static representations: they cannot model complex dependencies between the components of a system (like standby redundancies).

Another representation, called "Event Sequence Diagrams" (ESD), has been proposed as an alternative to event trees. The theoretical definition of ESD, as it is given in (Swaminathan & Smidts 1999), is very complex, and there is no tool that implements it fully. However, a simplified version of ESD is available in the QRAS tool (Groen et al. 2006), dedicated to the construction and quantification of PSA. This simplified but operational variant of ESD is so close to event trees that its only advantage is a slightly better readability, obtained by naming generic events in boxes at each split of a branch, instead of putting the names in a single line at the top of the event tree.

[Figure 1 (image not reproduced). Upper part: event tree with initiator Init and generic events A (Avoidance), B1, B2, leading to the consequences C1, C2, C3, C3. Lower part: equivalent functional block diagram with the blocks Avoidance and Brakes (B1, B2).]

Figure 1. Event tree and equivalent functional block diagram

Figure 1 (upper) represents an event tree corresponding to the following situation: an obstacle suddenly appears in the trajectory of a cyclist. The cyclist successively tries to avoid the obstacle, then to apply the brakes. If the avoidance is successful, the consequence is C1 (no damage). If it is not, a good functioning of both brakes is required to mitigate the accident (consequence C2). If at least one of the brakes does not function, the consequence is a serious accident (consequence C3).

[Figure 2 (image not reproduced): ESD with the nodes Init, Avoidance, B1, B2 and the end states C1, C2, C3, C3.]

Figure 2. Event Sequence Diagram equivalent to the event tree of Figure 1

Figure 1 (lower) depicts an equivalent functional block diagram (this picture should be completed by truth tables) and Figure 2 an equivalent ESD.

3 SHORT PRESENTATION OF BDMP

BDMP are a formal graphical model that looks very close to fault trees. In fact they assign a new semantics to the traditional graphical representation of fault trees, augmented only by a new kind of link. These links are called "triggers" and are represented by dotted arrows. They enable the analyst to combine conventional fault trees and Markov models in a new way. BDMP have very interesting mathematical properties, which allow a dramatic reduction of combinatorial problems when they are converted into continuous time Markov chains for their solving. Moreover, they make it possible to obtain particularly relevant qualitative information, in the form of minimal sequences leading to the occurrence of the top event. The general idea of BDMP, as suggested by their name, is to associate a Markov process (which represents the behavior of a component or a subsystem) to each leaf of a fault tree. This fault tree is the structure function of the system. What is really new with BDMP is that:

- the basic Markov processes have two "modes", corresponding to the fact that the components or subsystems that they model are required or are in standby (of course, they can also have only one mode, and the meaning of the modes may be different in some cases);
- at any time, the choice of the mode of one of the Markov processes (unless it is independent) depends on the value of a Boolean function of other processes.

An extreme case is when the processes are independent. This corresponds to a fault tree whose leaves are associated to independent Markov processes.

3.1 The elements of a BDMP

A BDMP (F, r, T, (Pi)) is made of: a multi-top coherent fault-tree F, a main top event r of F, a set T of triggers, a set of "triggered Markov processes" Pi associated to the basic events (i.e. the leaves) of F, and the definition of two categories of states for the processes Pi. A trigger is represented graphically by a dotted arrow. The origin and the target of a trigger can be any gate or basic event of F. However, two triggers must not have the same target. This means that it is sometimes necessary to create an additional gate (like G1 in Figure 3) whose only function is to define the origin of a trigger.

[Figure 3 (image not reproduced): a fault-tree with main top r, gate G2 under r, an additional gate G1, the basic events f1, f2, f3, f4, and one dotted trigger arrow from G1 to G2.]

Figure 3. A simple BDMP

Figure 3 is an example of graphical representation of all the notions of BDMP. In this example, we have a fault-tree with two tops: r (the main one) and G1. The basic events are f1, f2, f3, and f4: they can belong to one of the two standard triggered Markov processes defined below. There is only one trigger, from G1 to G2.

3.2 Definition of a "triggered Markov process"

Such a process $P_i$ is associated to each basic event $i$ of the fault-tree. $P_i$ is the following set of elements: $\{Z_0^i(t),\ Z_1^i(t),\ f_{0\to1}^i,\ f_{1\to0}^i\}$, where $Z_0^i(t)$ and $Z_1^i(t)$ are two homogeneous Markov processes with discrete state spaces. For $k \in \{0, 1\}$, the state space of $Z_k^i(t)$ is $A_k^i$. Each $A_k^i$ contains a subset $F_k^i$, which generally corresponds to the failure states of the component or subsystem modeled by the process $P_i$. $f_{0\to1}^i$ and $f_{1\to0}^i$ are two "probability transfer functions" defined as follows:

- for any $x \in A_0^i$, $f_{0\to1}^i(x)$ is a probability distribution on $A_1^i$, such that if $x \in F_0^i$, then $\Pr\big(f_{0\to1}^i(x) \in F_1^i\big) = 1$;
- for any $x \in A_1^i$, $f_{1\to0}^i(x)$ is a probability distribution on $A_0^i$, such that if $x \in F_1^i$, then $\Pr\big(f_{1\to0}^i(x) \in F_0^i\big) = 1$.

Such a process is said to be "triggered" because it switches instantaneously from one of its modes to the other one, via the relevant transfer function, according to the state of some externally defined Boolean variable, called "process selector". The process selectors are defined by means of triggers. The function of a trigger is to modify the mode of the processes associated to the leaves in the sub-tree under its target when the event that is the origin of the trigger changes from FALSE to TRUE (or conversely). The exact definition of the semantics of a BDMP (in particular when there are several triggers) is too complex to be explained in the present paper, but it can be found in (Bouissou & Bon 2003).

We give in § 3.3 and 3.4 the two simple triggered processes that are most often used in BDMP, and that are sufficient in the perspective of replacing event trees by BDMP. Another triggered Markov process, very useful for modeling multiphase systems, is depicted in (Bouissou et al. 2005).

3.3 The warm standby repairable leaf

This process is used to model a component that can fail both when it is in standby and when it works (this second mode corresponds to a process selector equal to 1), but with different failure rates. This component can be repaired whatever its mode. When $\lambda_s = 0$, the model represents in fact a cold standby repairable component, and when $\lambda_s = \lambda$, it represents a hot standby component.

[State diagrams (image not reproduced). Process 0: states S (standby) and F (failed), with the transitions S → F at rate $\lambda_s$ and F → S at rate $\mu$. Process 1: states W (working) and F, with the transitions W → F at rate $\lambda$ and F → W at rate $\mu$.]

The transfer functions simply state that when the value of the process selector changes, the component goes from state Standby to Working (or vice-versa), or remains in the Failure state with probability 1:

$f_{0\to1}(S) = \{\Pr(W) = 1,\ \Pr(F) = 0\}$, $\quad f_{0\to1}(F) = \{\Pr(F) = 1,\ \Pr(W) = 0\}$,
$f_{1\to0}(W) = \{\Pr(S) = 1,\ \Pr(F) = 0\}$, $\quad f_{1\to0}(F) = \{\Pr(F) = 1,\ \Pr(S) = 0\}$.

3.4 The on-demand repairable failure leaf

This model is used to represent an on-demand failure that can happen (with probability $\gamma$) when the process selector changes from mode 0 to mode 1.

[State diagrams (image not reproduced). Process 0 and Process 1 both have the states W (working) and F (failed); the only transition drawn in each is the repair F → W at rate $\mu$, the failure being produced by the transfer function below.]

$f_{0\to1}(W) = \{\Pr(W) = 1 - \gamma,\ \Pr(F) = \gamma\}$, $\quad f_{0\to1}(F) = \{\Pr(F) = 1,\ \Pr(W) = 0\}$,
$f_{1\to0}(W) = \{\Pr(W) = 1,\ \Pr(F) = 0\}$, $\quad f_{1\to0}(F) = \{\Pr(F) = 1,\ \Pr(W) = 0\}$.

3.5 Transformation of BDMP into standard Boolean functions

In order to replace event trees by BDMP, our aim being to obtain Boolean models so as to be able to use the powerful quantification algorithms dedicated to these models, we need only simplified versions of the triggered processes described above. The first one will be considered only with $\lambda_s = \mu = 0$, and the second one only with $\mu = 0$; each of them is drawn in this article with a dedicated leaf symbol (the symbols are not reproduced in this text). We have developed the theory necessary to transform state based models into Boolean functions in (Bouissou 2006). We have also given two algorithms to do this transformation efficiently for BDMP in the same article.

4 DIFFICULTIES ENCOUNTERED WITH EVENT TREES

4.1 Ambiguity

There is a fundamental ambiguity with event trees: they are considered by most analysts as dynamic models, as suggested by the associated vocabulary (in particular the term "sequence" to designate a branch of the tree), but in fact all the methods used to quantify them in real nuclear PSA are (for tractability reasons) static methods. In the case of the fault-tree linking method, all the calculations are based on sets of minimal cutsets. From our point of view, this ambiguity has two causes: the fact that the graphical representation of an event tree forces the analyst to choose an order for generic events, which suggests the notion of sequence even when it has no justification, and the fact that when a branch is not subdivided for a given generic event, it can be interpreted either in a static or a dynamic way. For example, in the event tree of Figure 1, the success branch for A is not subdivided according to the outcome of B1 or B2. This can have two meanings:

- Dynamic interpretation: Avoidance is tried first, and if it is successful, it is not even necessary to apply the brakes. In that case, we have a true sequential behavior, and a dependence from A to B1 and B2.
- Static interpretation: Avoidance and braking are all tried at the same time, and whatever the outcome for the brakes, if avoidance is successful, the consequence is the same (C1).

Since the chosen interpretation has no effect on the probability calculation (as long as a static quantification method is used), this ambiguity is harmless. But it is clear that the event tree strongly suggests the dynamic interpretation. According to that privileged interpretation, the event tree apparently represents the fact that B1 and B2 are applied in that order, and that B2 is not applied in case of failure of B1. But in fact, according to our hypothesis, B1 and B2 play symmetric roles and are simultaneously applied.

Owing to that problem, we could ask ourselves: why not use a simple fault-tree, whose minimal cutsets would coincide with those derived from the event tree for the quantification? Doing that, we would lose some information, but this information can be easily traced graphically, thanks to a BDMP, as the reader will see in §5.

4.2 Size and "volatility" of event trees

In our example, whatever the real order of events in the physical process, a skilled analyst will put A as the first generic event in the event tree. This is because he knows that whatever the order chosen for the generic events, the quantification, if it is based on "classical" algorithms (see next paragraph for more details), will rely on the Boolean function A_fails AND (B1_fails OR B2_fails) for C3, and on the function A_fails AND NOT (B1_fails OR B2_fails) for C2. An inexperienced analyst, on the other hand, could put A as the last generic event in order to "respect" the physical process, where the first reflex is to reduce speed in order to be able to avoid the obstacle: in that case, he would have to develop 6 branches instead of only 4. No part of this event tree would be identical to any part of the 4-branch event tree built by the expert (the model would have to be entirely rebuilt: this is what we call the "volatility" of event trees), and yet the final result would be exactly the same. It is easy to see that this kind of problem, in the context of a complex event tree with a dozen generic events or more, is really time consuming. In order to mitigate that inconvenience, analysts use a few ordering heuristics, like placing support systems before front-line systems in the list of generic events. This is not sufficient to guarantee a manageable size of the event trees, so it is necessary to truncate part of the sequences. This truncation being manual, it is not robust in case of hypothesis changes.

4.3 The processing of success branches

This is the most challenging problem related to event trees. It is much too complex to be developed in this article. Ref. (Epstein & Rauzy 2005) shows that, depending on the way success branches are treated by quantification algorithms, very different results can be obtained. This is why it is not recommended to quantify, with a method that rigorously takes success branches into account, an event tree built by an analyst who had in mind the classical "delete terms" approximate algorithm. This issue is related to the existence of non-coherent Boolean functions to process. In fact, there are two kinds of non-coherent functions in an event tree: a single sequence corresponds to a non-coherent function as soon as it contains a success. But a single sequence very often does not correspond to something of interest for the analysis. What is really meaningful is the disjunction of a set of sequences (which may be a singleton) leading to a common consequence. Consequences can also correspond to non-coherent functions (this is pretty obvious for intermediate consequences, like C2 in our cycling example), and in that case, quantification algorithms able to give exact results on non-coherent functions should (ideally) be considered. A BDMP directly relates basic events to consequences. Therefore, by using a BDMP instead of an event tree, we do not have to care about a problem that is a pure artifact of the method: the non-coherence of sequences. The only problem that remains is: should the non-coherent function corresponding to a given consequence be replaced by a coherent approximation? The answer will depend on the performance of the processing algorithms and on the ease of interpretation of the results (in terms of dominant cutsets, importance factors etc.).

4.4 Temporal dependences

Let us now consider another annoying situation for our cyclist: he is on a long trip (planned duration: T) and experiences a tire puncture. He has a spare tire and can replace the failed one. But if another nail happens to be on his route, then the cyclist will fail to reach his destination. In such a case, supposing that the rate of occurrence of a tire puncture is $\lambda$, the quantification of the event tree of Figure 4 will give approximately $(\lambda T)^2$, whereas the quantification of the corresponding BDMP, if done with a Markov analysis tool, will give only $(\lambda T)^2/2$ (these two expressions represent the best second-order approximations for the two models). Fortunately, the event tree is conservative; but is it always acceptable to be so conservative? If the number of successive failures needed to reach an undesirable state were $n$, the ratio between the static and dynamic model quantifications would be $n!$.

[Figure 4 (image not reproduced). Upper part: event tree with the generic events tire1 and tire2 and the end states OK, OK, Interruption. Lower part: BDMP with top event UE_1_1 and the gate trip_interruption = AND(First_tire_puncture, Second_tire_puncture).]

Figure 4. Modeling successive failures (temporal dependence)
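The static versus dynamic comparison of §4.4, carried through in code as an added example (not code from the paper or from any PSA tool): the cutset quantification of the Figure 4 sequence against the transient solution of the cold-standby Markov chain that the BDMP defines, generalized from 2 to n successive failures so that the n! ratio can be checked. The uniformization solver and the numerical values (λ = 10⁻³ per unit time, T = 10) are my own choices.

```python
"""Static (cutset) versus dynamic (Markov) quantification of n successive failures.

Added example. The chain 0 -> 1 -> ... -> n at rate lam is the continuous time
Markov chain of a BDMP whose n cold-standby leaves (lambda_s = mu = 0) are
triggered one after the other: leaf k+1 can only fail once leaf k has failed.
The static model quantifies the cutset {leaf_1, ..., leaf_n} as a product of
independent leaf unreliabilities. Solver: uniformization (my choice; the
paper does not say which algorithm its Markov tool uses).
"""
import math


def ctmc_transient(q, p0, t, eps=1e-12, max_steps=10_000):
    """State distribution at time t of the CTMC with generator matrix q (list
    of rows, rows summing to 0), starting from p0, by uniformization:
    sum over k of Poisson(k; Lambda*t) * p0 * P^k with P = I + Q/Lambda."""
    n = len(q)
    big = max(-q[i][i] for i in range(n))      # uniformization rate Lambda
    if big == 0.0:
        return list(p0)                         # no transitions at all
    p_mat = [[(1.0 if i == j else 0.0) + q[i][j] / big for j in range(n)]
             for i in range(n)]
    result = [0.0] * n
    vec = list(p0)                              # p0 * P^k, k = 0 at start
    weight = math.exp(-big * t)                 # Poisson weight for k = 0
    total = 0.0
    for k in range(1, max_steps):
        for i in range(n):
            result[i] += weight * vec[i]
        total += weight
        if total >= 1.0 - eps:                  # remaining Poisson mass < eps
            break
        vec = [sum(vec[i] * p_mat[i][j] for i in range(n)) for j in range(n)]
        weight *= big * t / k                   # Poisson(k) from Poisson(k-1)
    return result


def cold_standby_generator(lam, n):
    """Generator of the chain 0 -> 1 -> ... -> n, each step at rate lam.
    State k means 'k leaves have failed'; state n is the top event."""
    q = [[0.0] * (n + 1) for _ in range(n + 1)]
    for i in range(n):
        q[i][i] = -lam
        q[i][i + 1] = lam
    return q


def dynamic_unreliability(lam, t, n=2):
    """Probability that the n successive failures have all occurred by time t
    (what a Markov analysis tool computes on the BDMP)."""
    dist = ctmc_transient(cold_standby_generator(lam, n), [1.0] + [0.0] * n, t)
    return dist[n]


def static_unreliability(lam, t, n=2):
    """Cutset quantification of the event tree: the n leaves are treated as
    independent, each with unreliability 1 - exp(-lam*t) over the mission."""
    return (1.0 - math.exp(-lam * t)) ** n


def conservatism_ratio(lam, t, n=2):
    """Static result divided by the dynamic one; tends to n! as lam*t -> 0."""
    return static_unreliability(lam, t, n) / dynamic_unreliability(lam, t, n)


if __name__ == "__main__":
    lam, trip = 1e-3, 10.0                      # constructed values: lam*T = 0.01
    for n in (2, 3):
        print(f"n={n}: static={static_unreliability(lam, trip, n):.4e} "
              f"dynamic={dynamic_unreliability(lam, trip, n):.4e} "
              f"ratio={conservatism_ratio(lam, trip, n):.3f} (n!={math.factorial(n)})")
```

For n = 2 the ratio is just under 2, the factor the paper gives for the cyclist; the gap to exactly n! is the higher-order term neglected by both approximations.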

5 SOLUTIONS TO THESE PROBLEMS WITH BDMP

5.1 The general principles

BDMP are not ambiguous: the graphical representation of a BDMP specifies a uniquely defined continuous time Markov chain (Bouissou & Bon 2003). In the perspective of using a BDMP instead of an event tree, this Markov model can be used directly by Markov quantification tools such as FIGSEQ (Bouissou & Lefebvre 2002), or it can be considered only as a qualitative description of a state graph. We have proven in (Bouissou 2006) that such a state graph is a good basis for the definition of what we call the "minimal contents of sequences", a concept that generalizes to sequential systems the concept of "set of minimal cutsets", defined only for static models. For example, the three BDMP of Figure 5 represent the three variants of the behavior of the cyclist and his bike that we have described in §4. Those three situations cannot be distinguished with event trees, as we have explained in §4.1. For a better readability of BDMP, it can be a good practice to always orient triggers from left to right. We did not do it there, to emphasize the robustness of the representation with regard to hypothesis changes and the fact that the semantics of BDMP is defined independently of the order of the children of a given gate on the drawing.

Since BDMP are much more compact than event trees, there is no necessity to truncate them.

[Figure 5 (image not reproduced): three BDMP, each with top event UE_1, an Init leaf, the gate C3 = AND(A_fails, Insufficient_braking) and the gate Insufficient_braking = OR(B1_fails, B2_fails); the trigger arrows that distinguish the three models are not recoverable from the extraction.]

Figure 5. Three different models leading to the same minimal contents of sequences

The models of Figure 5 only give the definition of consequence C3 (the worst case). In order to define C2 as well, we would have to add an "observation function" to the BDMP. Such a function does not intervene at all in the process described by the BDMP. It is there only to specify in which case C2 happens. For all three models, C2 would be defined as: C2 = A_fails AND NOT (B1_fails OR B2_fails). Any Boolean observation function could be defined graphically, preferably with specific colors or symbols so as not to be confused with the BDMP. Finally, if it were necessary, we could consider the leaves of the BDMP as the tops of standard fault-trees, just like the generic events of an event tree can be developed as fault-trees.

5.2 A non trivial example showing the advantage of using a BDMP instead of an event tree

So far, all the examples we have used were extremely simple. We are now going to show a possible trap due to the existence of basic events shared by the fault-trees linked to generic events of an event tree, and how this trap is necessarily avoided by building a BDMP. Because of the lack of space, we cannot give the meaning of events A, B, C, D, but this example is a simplified view of a situation encountered in a nuclear PSA. The physical process to model is as follows: after the initiating event, the countermeasures A and B are both necessary. If A fails, D is tried, and if B fails, C is tried. The failure of A can be explained by a failure proper to A, or by the failure of a support system X; this can be written as the fault-tree: A_fails = a_fails OR X_fails. Similarly, B_fails = b_fails OR X_fails. Unacceptable consequences (UC) are reached if at least one of the countermeasures and its backup fail. The three event trees of Figure 6 seem to represent the hypothesis we have given. But, if one uses the classical "delete-terms" algorithm to process them, one will obtain the following sets of minimal cutsets: {(a_fails, D_fails), (b_fails, C_fails), (X_fails, D_fails)} with the first event tree, {(a_fails, D_fails), (b_fails, C_fails), (X_fails, C_fails)} with the second one, and {(a_fails, D_fails), (b_fails, C_fails), (X_fails, C_fails), (X_fails, D_fails)} with the third one. It requires a good level of expertise about event trees to be able to detect that difference, and to see that the third event tree is the only one to be "symmetrical". Finally, which is the right model? It depends on the hypothesis on the system, given more precisely than what was said above. The three BDMP of Figure 7 correspond respectively to the three event trees of Figure 6 (in the same order), and they make the differences of hypothesis quite obvious. In the first two cases, the asymmetry stems from the fact that only D (resp. only C) is tried when X fails.

[Figure 6 (image not reproduced): three event trees over the generic events A (a OR X), B (b OR X), C and D, with end states UC or OK; the first is ordered A, B, ..., the second B, A, ..., the third A, B, C, D.]

Figure 6. Three seemingly equivalent event trees
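The "delete-terms" processing discussed in §4.2, §4.3 and §5.2, written out as an added example (not code from the paper or from a PSA tool): my reading of the classical approximation, run on the three event trees of Figure 6 and on the cycling tree of Figure 1. The branch structure of the three Figure 6 trees is inferred from the text (only D, only C, or both C and D developed once A and B have both failed), and the fault trees of the generic events are given directly as sets of minimal cutsets; both are assumptions.

```python
"""Minimal cutsets of an event tree under the "delete-terms" approximation.

Added example. Assumptions (not stated in the paper): the fault tree linked
to a generic event is given directly as its minimal cutsets over basic
events; a sequence is the list of (generic event, failed?) pairs along one
branch; the delete-terms rule multiplies out the cutsets of the failed
generic events, then drops every cutset that contains a minimal cutset of a
generic event that succeeded in the same sequence.
"""
from itertools import product

fs = frozenset

# Fault trees of the generic events of Figure 6 (A and B share the support system X).
FAULT_TREES = {
    "A": {fs({"a"}), fs({"X"})},   # A_fails = a_fails OR X_fails
    "B": {fs({"b"}), fs({"X"})},   # B_fails = b_fails OR X_fails
    "C": {fs({"C"})},
    "D": {fs({"D"})},
}

# Sequences leading to UC in each event tree; True = failed branch of that generic
# event. The structure of the three trees is my reading of the text.
TREE_1 = [                                   # order A, B; only D tried when both fail
    [("A", True), ("B", False), ("D", True)],
    [("A", False), ("B", True), ("C", True)],
    [("A", True), ("B", True), ("D", True)],
]
TREE_2 = [                                   # order B, A; only C tried when both fail
    [("B", True), ("A", False), ("C", True)],
    [("B", False), ("A", True), ("D", True)],
    [("B", True), ("A", True), ("C", True)],
]
TREE_3 = [                                   # symmetrical: both C and D developed
    [("A", True), ("B", False), ("D", True)],
    [("A", False), ("B", True), ("C", True)],
    [("A", True), ("B", True), ("C", True)],
    [("A", True), ("B", True), ("C", False), ("D", True)],
]

# The cycling event tree of Figure 1; here the generic events are basic events.
CYCLING = {"A": {fs({"A_fails"})}, "B1": {fs({"B1_fails"})}, "B2": {fs({"B2_fails"})}}
CYCLING_C3 = [[("A", True), ("B1", True)],
              [("A", True), ("B1", False), ("B2", True)]]
CYCLING_C2 = [[("A", True), ("B1", False), ("B2", False)]]


def minimize(cutsets):
    """Keep only minimal cutsets: drop any cutset that is a superset of another."""
    kept = []
    for c in sorted(set(cutsets), key=len):
        if not any(m <= c for m in kept):
            kept.append(c)
    return set(kept)


def conjunction(lhs, rhs):
    """Minimal cutsets of (lhs AND rhs)."""
    return minimize({x | y for x, y in product(lhs, rhs)})


def delete_terms(cutsets, success_cutsets):
    """Drop the cutsets that would also fail a generic event shown as successful."""
    return {c for c in cutsets if not any(s <= c for s in success_cutsets)}


def sequence_cutsets(sequence, fault_trees=FAULT_TREES):
    """Approximate minimal cutsets of one sequence under the delete-terms rule."""
    cutsets = {fs()}                              # the empty cutset stands for TRUE
    for event, failed in sequence:
        if failed:
            cutsets = conjunction(cutsets, fault_trees[event])
    for event, failed in sequence:
        if not failed:
            cutsets = delete_terms(cutsets, fault_trees[event])
    return cutsets


def consequence_cutsets(sequences, fault_trees=FAULT_TREES):
    """Union over the sequences leading to one consequence, then minimization."""
    union = set()
    for sequence in sequences:
        union |= sequence_cutsets(sequence, fault_trees)
    return minimize(union)


def pretty(cutsets):
    return sorted(tuple(sorted(c)) for c in cutsets)


if __name__ == "__main__":
    for name, tree in (("tree 1", TREE_1), ("tree 2", TREE_2), ("tree 3", TREE_3)):
        print(name, pretty(consequence_cutsets(tree)))
    print("C3", pretty(consequence_cutsets(CYCLING_C3, CYCLING)))
    # C2 comes out as {A_fails}: the NOT(B1_fails OR B2_fails) of the exact
    # function is dropped, which is the coherent approximation of §4.3.
    print("C2", pretty(consequence_cutsets(CYCLING_C2, CYCLING)))
```

Trees 1 and 2 each lose one of the X_fails cutsets because, in the only sequence that contains it, the success branch of the other countermeasure deletes it; tree 3 keeps both, which is the asymmetry the paper asks the reader to spot.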

6 THE LIMITS OF THE USE OF BDMP AS REPLACEMENT FOR EVENT TREES

The structure function of a BDMP must be coherent: not respecting that constraint would ruin all its good mathematical properties. Therefore, the method consisting in modeling with a BDMP the worst possible consequences on a system, then in defining intermediate consequences by means of (maybe non-coherent) observation functions on the BDMP (this is what we have done in the previous paragraphs) may not be applicable to truly non-coherent systems. For example, in our cycling emergency situation, we could imagine that if only the front brake functions, the cyclist will pass over the handlebar without having any chance to avoid the obstacle and will be seriously wounded (consequence C3), whereas if only the rear brake functions he will limit the consequences to C2 if he fails to avoid the obstacle. There is no simple way to model such a situation with a BDMP, and using far-fetched models would be worse than using an event tree.

[Figure 7 (image not reproduced): three BDMP, each with top event UE_1 and the gates At_least_one_safety_function_lost = OR(A_and_D_fail, B_and_C_fail), A_and_D_fail = AND(A_fails, D_fails), B_and_C_fail = AND(B_fails, C_fails), A_fails = OR(a_fails, X_fails) and B_fails = OR(b_fails, X_fails); the trigger arrows that distinguish the three models are not recoverable from the extraction.]

Figure 7. Three obviously different BDMP

7 CONCLUSION

In this paper, we have proven on a set of examples, typical of real problems encountered by PSA analysts, that BDMP can be used as a substitute for event trees in the fault-tree linking method. Thanks to this substitution, one can gain a better precision of the models, because they explicitly describe the sequential dependences in a graphical way (with the BDMP triggers). The quantification of BDMP can be done with the best precision using Markov analysis tools in the case of small models; for large ones, BDMP can be automatically transformed into Boolean functions and quantified via standard PSA tools. Of course, the latter process implies approximations, but the huge complexity of the event trees needed to assess the safety of a nuclear power plant necessarily calls for approximate solution methods. The encouraging results we have given in this paper still need to be confirmed on real size PSA; this trial will have to face mixtures of all the difficulties we have treated separately so far, in large size models.

REFERENCES

Bouissou, M. & Lefebvre, Y. 2002. "A Path-Based Algorithm to Evaluate Asymptotic Unavailability for Large Markov Models", RAMS 2002, Seattle.
Bouissou, M. & Bon, J.L. 2003. "A new formalism that combines advantages of fault-trees and Markov models: Boolean logic Driven Markov Processes", Reliability Engineering and System Safety, 82(2) pp. 149-163.
Bouissou, M., Dutuit, Y., Maillard, S. 2005. "Reliability Analysis of a Dynamic Phased Mission System: Comparison of Two Approaches", chapter in Modern Statistical and Mathematical Methods in Reliability, Wilson A, Limnios N, Keller-McNulty S, Armijo Y (eds), World Scientific, Singapore, pp. 87-104.
Bouissou, M. 2006. "Détermination efficace de scenarii minimaux de défaillance pour des systèmes séquentiels", 15ème colloque de fiabilité et maintenabilité, Lille (France).
Epstein, S. & Rauzy, A. 2005. "Can we trust PRA?", Reliability Engineering and System Safety, 88(3) pp. 195-205.
Groen, F. J., Smidts, C., Mosleh A. 2006. "QRAS—the quantitative risk assessment system", Reliability Engineering and System Safety, 91 pp. 292-304.
Papazoglou, I. A. 1998a. "Mathematical foundations of event trees", Reliability Engineering and System Safety, 58 pp. 169-183.
Papazoglou, I. A. 1998b. "Functional block diagrams and automated construction of event trees", Reliability Engineering and System Safety, 61 pp. 185-214.
Swaminathan, S. & Smidts C. 1999. "The mathematical formulation for the event sequence diagram framework", Reliability Engineering and System Safety, 65 pp. 103-118.
Wakefield, D. J. & Epstein, S. 2002. "Fault Tree Linking vs. Event Tree Linking", 13ème colloque de fiabilité et maintenabilité, Lyon (France).
SIMFIA tool. http://www.apsys.eads.net
KB3-BDMP tool. http://rdsoft.edf.fr (French and English versions can be downloaded)