Printable version of all EFCalc Help Pages.
| Contact: | Robert H. Morris, Program Manager |
|---|---|
| | Modeling and Simulation Group |
| | Computational Sciences and Engineering Division |
| | Computing and Computational Sciences Directorate |
| | Oak Ridge National Laboratory |
| Address: | PO Box 2008, MS 6085, Oak Ridge, TN 37830 |
| tel: | (865) 576-5878 |
| fax: | (865) 576-0003 |
| email: | visac@ornl.gov |
| web: | visac.ornl.gov |
This program calculates general event tree/fault tree problems using either a direct solve technique or a Monte Carlo simulation. The user supplies six input decks and the program creates two output files. All of these files are kept together in a project directory. EFcalc is written in Java 1.4 and can be run from either the command prompt (Windows or Unix) or called by other Java routines. EFcalc does not suffer from any predefined limits on array sizes. Therefore, there are no code-induced limits to the number of equations, number of sequences in an event tree, number of event trees, number of inputs into a gate, etc. The only limiting factor will be the computer memory.
Event tree/fault tree problems are fairly straightforward to calculate: the failure probabilities of the basic events are combined in either "and" or "or" gates to evaluate the probability of failure for the system gates, which are then combined to find the probability of occurrence for each sequence in each of the event trees. When a basic event is used in more than one location in the fault trees (as in most real problems), this simple approach cannot be used: these common components destroy the independence of the gates above them, making the straightforward approach unusable. Most event tree/fault tree software packages use cut-set approaches to handle common components, but the approximations commonly used with cut-set analysis do not perform well for systems that have high failure probabilities.
For a small number of common components, say M, EFcalc evaluates 2^M event/fault tree problems, one for every combination of the common components in either a failed (p=1.0) or not-failed (p=0.0) state. These 2^M results are then added together, each weighted by the actual probability of those components being in those states. For example, if there were two power systems (A and B) used in multiple places in the fault trees, four separate problems are computed: A failed, B failed; A failed, B not-failed; A not-failed, B failed; A not-failed and B not-failed. The probabilities for each sequence in the event trees for each of the four cases are added together, weighted respectively by p(A)*p(B); p(A)*(1-p(B)); (1-p(A))*p(B); (1-p(A))*(1-p(B)). This is called the direct method.
Computing 2^M cases can get quite time-consuming as M increases, so for large numbers of common components, a Monte Carlo approach is used. For each Monte Carlo trial, the common components are sampled, based on their true failure probabilities, to be either failed or not-failed. These are then combined with the other basic events to calculate the fault trees and event tree sequences. The more trials that are made, the less uncertainty there will be in the final answers for the probabilities of each sequence. The user can control the number of trials and what type of stopping criteria to use, such as an absolute uncertainty or a relative uncertainty on the sequences or consequences of the problem. The user can also control when the direct method is used and when the Monte Carlo approach is used.
Results are given for each sequence in each event tree, each consequence for each event tree, the branch probabilities for each branch of the event trees and the failure probability for every gate in the fault trees. The direct method reports just the probabilities and the Monte Carlo method reports probabilities and uncertainties for each result.
Seven input files are used to describe the event tree/fault tree problem and list the calculation parameters to solve that problem. Three of the files are required, four will use default values if the files are not present.
The *.bas file describes each of the basic events used in the fault tree equations. Three items are required on each line: a shortname (no spaces, quotes or other special characters), the downtime, and a longname in quotes. All items are required, even if the longname consists only of empty quotes. The downtimes are not used by EFcalc; they are there for other programs that use the same *.bas file for other things.
```
sg1a 1.1 "Steam generator 1a"
sg1a.2 1.1 "Steam generator 1a"
sg1b 2.2 "Steam generator 1b"
hda 3.3 "Steam generator relief valve header 1a"
hdb 4.4 "Steam generator relief valve header 1b"
```
The *.equ file describes the fault tree logic in terms of equations. Each equation is specified by a variable name (system or intermediate gate name), an operator ('and', 'or', 'not', 'nand', 'nor', 'xor'), then the shortnames of the arguments (intermediate gates or basic events listed in the *.bas file). After all of the arguments, a longname in quotes describing the gate is given. Shortnames must be simple strings and may not contain spaces, quotes, or other special characters. If no longname is desired, an empty set of quotes must be given.
```
loop or power control tformers "Off-Site Power (1 of 29)"
ep or control bothtrains sws "On-site Power (28 of 29)"
bothtrains and traina trainb "Diesel Systems"
traina or busesa tadiesel "Train A Diesel Power"
trainb or busesb tbdiesel "Train B Diesel Power"
tadiesel or DT1A1 DT1A2 GTA SAA D1A "Diesel System A (r8 of 29)"
tap or busesa powera "Train A Power (r7 of 29)"
powera and tadiesel loop "Power Supply A"
```
Six different operators can be used. They are listed in the table below.
| name | inputs | failed if ... |
|---|---|---|
| and | >0 | all inputs are failed |
| or | >0 | at least one input is failed |
| not | 1 | input is not failed |
| nand | >0 | at least one input is not-failed |
| nor | >0 | all inputs are not-failed |
| xor | 2 | only 1 input is failed |
Gate equations can also negate an individual input by placing a "not" just before a child gate/event name. The symbols '-' and '/' can both be used for the not and must immediately precede the name (no space). The following examples are legal equations:
```
top or gate1 gate2 gate3 gate4 gate5 gate6 "top level gate"
gate1 and a b -c -d "and gate"
gate2 or a b -c -d "or gate"
gate3 not k "not gate"
gate4 nand e f -g -h "nand gate"
gate5 nor e f -g -h "nor gate"
gate6 xor i j "xor gate"
```
The *.etr file describes the event trees of the problem by listing which systems are failed/not-failed for each sequence of each event tree. First, a list of all of the top-level gates is made (these are the gates that appear in the top banner of any of the event trees), preceded by the total number of top-level gates. These gates should all be defined in the *.equ file. Associated with each top-level gate is a simple failure probability, which will be zero for most applications, and a downtime associated with that gate.
After the list of top-level gates, one or more event trees can be described. First, a line containing the number of sequences in the event tree, the event tree shortname (no special characters) and the event tree longname description (in quotes) is given. After that, one line for each sequence in that event tree is listed. A sequence is described by its consequence shortname, then the list of top-level gates. If a sequence includes the failure of a top-level system, that is represented as just the gate shortname. If a sequence includes the not-failing of that same system, that is represented by the gate shortname preceded by a minus sign.
Event tree sequences can also point to other event trees instead of consequences. This allows very large event trees to be broken up into smaller trees (easier for other programs to display). An event tree that lists other event trees as consequences is called a master event tree. Event trees that it refers to are called slave trees. In a master tree, each consequence must be the name of the slave tree. If master trees refer to other master trees, the event trees must be listed in order from highest master to lowest slave.
The format of the *.etr file is as follows:
```
20
loop 0.0 0.25
loca 0.0 0.25
rt 0.003162 0.25
afw 0.009798 0.25
.
.
rhr 0.02324 0.25
hpr 0.05 0.25
4 summary "Summary of LOOP and LOCA"
RT -loop -loca
LOCA -loop loca
LOOP loop -loca
LPLA loop loca
19 RT "RT Event Tree"
okay -rt -afw -porvlift -porvrseat
okay -rt -afw -porvlift porvrseat -hpi -rcscool -rhr
moderate -rt -afw -porvlift porvrseat -hpi -rcscool rhr
okay -rt -afw -porvlift porvrseat -hpi rcscool -hpr
moderate -rt -afw -porvlift porvrseat -hpi rcscool hpr
moderate -rt -afw -porvlift porvrseat hpi
okay -rt -afw porvlift
okay -rt afw -mfw -porvlift2 -porvrseat
okay -rt afw -mfw -porvlift2 porvrseat -hpi -rcscool -rhr
moderate -rt afw -mfw -porvlift2 porvrseat -hpi -rcscool rhr
okay -rt afw -mfw -porvlift2 porvrseat -hpi rcscool -hpr
moderate -rt afw -mfw -porvlift2 porvrseat -hpi rcscool hpr
moderate -rt afw -mfw -porvlift2 porvrseat hpi
okay -rt afw -mfw porvlift2
okay -rt afw mfw -feedbleed -recovssc
okay -rt afw mfw -feedbleed recovssc -hpr
moderate -rt afw mfw -feedbleed recovssc hpr
moderate -rt afw mfw feedbleed
moderate rt
```
The *.con file contains information dealing with the consequences referred to in the *.etr file. For each consequence, one line is required: first a shortname (no special characters, quotes or spaces), then a longname in quotes.
```
okay "everything is okay"
cd "core damage - release to environment"
fire "fire in containment, possible release"
```
If this file is not present, a default set of consequences will be assumed. The defaults are the first two consequences listed above, "okay" and "cd".
The *.cal file describes the user-set calculation parameters. Comments may appear to the right of each number.
```
0.0001 ! epsilon, how close to 1 or 0 to count as a house event
15     ! nComcut, how many common variables before going MC
2      ! istop, MC stop criteria method, 1-4
0.01   ! errmax, MC stop criteria errmax
1000   ! nHinit, number of trials to start
5000   ! nHmax, maximum number of trials, no matter what
13579  ! IX, random seed (use large odd number)
```
Common house events (events that have failure probabilities identically equal to zero or one) are taken out of the list of common variables to speed up the calculation. The value epsilon describes how close to zero or one a probability must be in order to be considered a house event. This helps remove very small or very large probabilities from consideration. Recommended values are 0.0 to 0.001.
For problems with a small number of common variables, a direct solve will be used. For larger numbers of common variables, a Monte Carlo solution may be faster. nComcut fixes the number of common components where the Monte Carlo solution will be used instead of the direct solve. The recommended value is 15.
For Monte Carlo solutions, there are four different methods used for stopping criteria that the user can select. Each method (istop is 1 through 4) requires one number describing the maximum error (errmax). The stopping methods are:
| istop | stopping method |
|---|---|
| 1 | absolute error on each sequence is below errmax |
| 2 | absolute error on each consequence is below errmax |
| 3 | relative error on each sequence is below errmax |
| 4 | relative error on each consequence is below errmax |
Relative error is controlled by the smallest-probability sequences, so use istop=3 or 4 with care: errmax should not be set too low (less than 0.01) or long run times could result. When using the Monte Carlo solution, nHinit trials are run at the start. From these trials, an estimate is made of how many more trials are required to meet the stopping criterion. nHmax is the maximum number of trials to make, even if the stopping criterion is not met. This protects the user from long run times.
IX is the seed value for the random number generator. It is required to be a large odd number.
If the *.cal file is not present, default settings (the ones shown above) will be used and saved.
Damage to components is separated from the list of basic events so that the damaged list can change without changing the larger list of basic events. The *.dmg file lists those components that have a probability of being damaged. Any basic event not listed is assumed to have a failure probability of 0. All that is required are the basic event names and the probabilities of failure.
```
SG1A 1.00
SG1B 0.20
V 0.05
AH1A 0.95
AV1A1 0.85
AV1A2 1.00
AV1A3 0.75
```
If the *.dmg file is not present, it will be assumed that nothing is damaged - the probability of failure for every basic event is 0.
Accidents do not break basic events but instead force top-level gates to be failed. The *.btl file contains a list of the names of broken top-level gates.
```
loop
loca
```
If the *.btl file is not present, it will be assumed that no top-level gate is forced to be failed.
Two output files are created by EFcalc. The answer file is to be read by other programs but written in a way to still be readable by the user. The report file lists the actions of the program while it is running, which can then be used for tracking down any errors that might occur.
The answer file (*.ans) is a numerical listing of answers designed to be read by other programs but also still readable by the user. The format of the first part of the answer file is as follows:
```
2                         ! Number of Event Trees
19                        ! Number of sequences
0.177278+00 0.81700E-03   ! Probability and uncertainty of
0.247908-03 0.68579E-05   ! each sequence
.                         !
.                         !
0.83566E-01 0.38293E-02   !
0.31620E-02 0.14426E-10   !
2                         ! Number of consequences
2 0.90837E+00 0.38871E-02 ! Consequence, probability and
4 0.91620E-01 0.38871E-02 ! uncertainty of each consequence
8                         ! Number of branch pts in event tree
3 11 0.56382E+00          ! Location of event tree branch is
5 12 0.58377E+00          ! described by two integers: the
.                         ! sequence number and the system
.                         ! number.
18 2 0.10485E+00          ! Failure probability of that branch
19 1 0.31620E-02          ! is then given. (No uncert available)
```
(repeated for each event tree). Following the event tree information, the individual fault tree gate probabilities and their uncertainties are then given.
```
tap .166800E+00 .527214E-02   ! Each gate in the fault tree
tap .166800E+00 .527214E-02   ! *.equ file - its failure
tbp .206600E+00 .572566E-02   ! probability and the uncertainty
g0002 .76900E+00 .59605E-02   !
g0003 .76180E+00 .60242E-02   !
```
Of course, the program should already know the number of sequences, the number of consequences and the number of branch points (#seq -1). These are added to make the file more readable to the human and for possible use in other programs.
Uncertainties represent stochastic uncertainties only. They do not reflect the uncertainties in the input probabilities. If the direct solve method is used, these uncertainties will be zero.
Note that the number of consequences could be 0. This is from a master event tree that listed other event trees as its consequences.
When called from the command line, EFcalc will automatically produce the *.ans file. When called from inside other Java programs, the *.ans file is not written to disk unless the user specifically requests so.
The report file (*.rpt) lists the actions of the program while it is running. It is supplied so that the user can look for any problems in the event/fault trees, such as undefined gates or circular logic errors, that might have been introduced into the logic during editing. It also gives the user the uncertainties on the probabilities calculated. If an error occurs, a message is printed to this file before the subroutine is stopped.
This report is available for a VISAC incident through the Incident/Incident Calculation Report Menu.
The following example problem is used in the popular SAPHIRE code, used by many in the probabilistic risk analysis field. The problem has two fault trees, shown below:
The problem has one event tree with only two top-level systems, ecs and ccs.
To compute this problem using EFcalc, the following input files are used (default values for demo.cal were used):
demo.bas
```
tank 0.0 "RWST supply to the inject and cool systems"
dga 0.0 "Emergency diesel generator A"
dgb 0.0 "Emergency diesel generator B"
cmov1 0.0 "CCS suction isolation valve"
emov1 0.0 "ECS suction isolation valve"
ccva 0.0 "CCS Train A pump discharge check valve"
cmova 0.0 "CCS Train A pump discharge isolation valve"
cpumpa 0.0 "CCS Train A motor-driven pump"
ccvb 0.0 "CCS Train B pump discharge check valve"
cmovb 0.0 "CCS Train B pump discharge isolation valve"
cpumpb 0.0 "CCS Train B motor-driven pump"
ecva 0.0 "ECS Train A pump discharge check valve"
emova 0.0 "ECS Train A pump discharge isolation valve"
epumpa 0.0 "ECS Train A motor-driven pump"
ecvb 0.0 "ECS Train B pump discharge check valve"
emovb 0.0 "ECS Train B pump discharge isolation valve"
epumpb 0.0 "ECS Train B motor-driven pump"
```
demo.equ
```
ccs or ccssupply ccstrains "CCS Fails to Spray Water in Cntnmnt"
ccssupply or tank cmov1fails "No Water to the Pump Trains"
cmov1fails or cmov1 dgb "C-MOV-1 Fails to Open"
ccstrains and ccsa ccsb "Both Pump Trains Fail to Inject"
ccsa or ccva cmova cpumpa dga "CCS Train A Fails to Supply Flow"
ccsb or ccvb cmovb cpumpb dgb "CCS Train B Fails to Supply Flow"
ecs or ecssupply ecstrains "ECS Fails to Inj Wat in the R Ves"
ecssupply or tank emov1fails "No Water to the Pump Trains"
emov1fails or dga emov1 "E-MOV-1 Fails to Open"
ecstrains and ecsa ecsb "Both Pump Trains Fail to Inject"
ecsa or ecva emova epumpa dga "ECS Train A Fails to Inject"
ecsb or ecvb emovb epumpb dgb "ECS Train B Fails to Inject"
```
demo.etr
```
2
ecs 0.0 0.0
ccs 0.0 0.0
3 eventtree "The SAPHIRE Event Tree"
con1 -ecs
con2 ecs -ccs
con3 ecs ccs
```
demo.con
```
con1 "All Right"
con2 "Large Release"
con3 "Small Release"
```
demo.dmg
```
tank 0.0000001
dga 0.02
dgb 0.02
cmov1 0.001
emov1 0.001
ccva 0.0001
cmova 0.005
cpumpa 0.003
ccvb 0.0001
cmovb 0.005
cpumpb 0.003
ecva 0.0001
emova 0.005
epumpa 0.003
ecvb 0.0001
emovb 0.005
epumpb 0.003
```
Running EFcalc produces the following *.ans file:
```
1 Number of Event Trees
3 Sequence probabilities and uncertainties
0.978799 0.000000
0.020444 0.000000
0.000757 0.000000
3 Consequence probabilities and uncertainties
1 0.978799 0.000000
2 0.020444 0.000000
3 0.000757 0.000000
2 Event tree branch probabilities
3 2 0.0357
3 1 0.0212
cmov1fails 0.020980 0.000000
ccsa 0.027923 0.000000
ccsb 0.027923 0.000000
emov1fails 0.020980 0.000000
ecsa 0.027923 0.000000
ecsb 0.027923 0.000000
ccssupply 0.020980 0.000000
ccstrains 0.000780 0.000000
ecssupply 0.020980 0.000000
ecstrains 0.000780 0.000000
ccs 0.021201 0.000000
ecs 0.021201 0.000000
```
Note that this example had only 3 common components, so the direct method of computation was used. This is the reason that the uncertainty for every calculated value is zero. Had the Monte Carlo approach been used, these uncertainties would have had values.
The report file, demo.rpt, produced by the EFcalc run looks like the following:
```
---------------------------------------------------------------------
Reading Main Input Files...
Reading basic event definitions from demo.bas
Reading gate equations from demo.equ
Reading event tree sequences from demo.etr
Reading calculation parameters from demo.cal
Reading consequence names from demo.con
Reading failure probabilities from demo.dmg
---------------------------------------------------------------------
Setting up the basic event probabilities...
Resetting all basic event probabilities to zero.
---------------------------------------------------------------------
Manipulating and Checking Data...
Setting consquences for each event tree
Checking calculational parameters
Checking basic event probabilities
Checking simple failure probabilities of top level gates
Checking gate (12) and basic event (17) usage
Number of basic events: 17
Number of events not used: 0
Number of events used once: 14
Number of common events: 3
Number of house events: 0
Number of commons (exc. house): 3
Problem Overview
Number of basic events 17
Number of equations 12
Number of top-level systems 2
Number of event trees 1
Number of consequences 3
---------------------------------------------------------------------
Solving the Event Tree/Fault Tree System...
Method of Solution: Brute force on common variables
Determining event tree branch probabilities
---------------------------------------------------------------------
Event Tree
Event Tree 1
seq 1 1 0.978799 0.000000
seq 2 2 0.020444 0.000000
seq 3 3 0.000757 0.000000
total 1.000000
con 1 con1 0.978799 0.000000
con 2 con2 0.020444 0.000000
con 3 con3 0.000757 0.000000
total 1.000000
```
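The following Python script is an added example, not EFcalc's own code (EFcalc is Java and none of its source appears on this page). It implements the direct method described earlier on this demo problem: it parses the demo.equ, demo.etr and demo.dmg decks listed above (demo.dmg is written here as name/probability pairs several per line, which the pair-wise parser also accepts in the one-per-line form), evaluates the six gate operators from the operator table, finds the common components, and sums the 2^M sub-problems with their weights. demo.bas is not needed, since any gate input that is not itself a gate is a basic event. The top-level simple failure probabilities and downtimes in demo.etr are parsed past but not used (they are zero here); master/slave trees, the *.cal parameters (epsilon, the Monte Carlo path) and the *.btl file are not handled. All function names are this example's own.

```python
import shlex
from itertools import product
from math import prod

# Constructed decks copied from the demo.equ / demo.etr / demo.dmg listings above.
# demo.bas is not needed: any gate input that is not itself a gate is a basic event.
DEMO_EQU = """\
ccs or ccssupply ccstrains "CCS Fails to Spray Water in Cntnmnt"
ccssupply or tank cmov1fails "No Water to the Pump Trains"
cmov1fails or cmov1 dgb "C-MOV-1 Fails to Open"
ccstrains and ccsa ccsb "Both Pump Trains Fail to Inject"
ccsa or ccva cmova cpumpa dga "CCS Train A Fails to Supply Flow"
ccsb or ccvb cmovb cpumpb dgb "CCS Train B Fails to Supply Flow"
ecs or ecssupply ecstrains "ECS Fails to Inj Wat in the R Ves"
ecssupply or tank emov1fails "No Water to the Pump Trains"
emov1fails or dga emov1 "E-MOV-1 Fails to Open"
ecstrains and ecsa ecsb "Both Pump Trains Fail to Inject"
ecsa or ecva emova epumpa dga "ECS Train A Fails to Inject"
ecsb or ecvb emovb epumpb dgb "ECS Train B Fails to Inject"
"""
DEMO_ETR = """\
2
ecs 0.0 0.0
ccs 0.0 0.0
3 eventtree "The SAPHIRE Event Tree"
con1 -ecs
con2 ecs -ccs
con3 ecs ccs
"""
DEMO_DMG = """\
tank 0.0000001  dga 0.02  dgb 0.02  cmov1 0.001  emov1 0.001
ccva 0.0001  cmova 0.005  cpumpa 0.003  ccvb 0.0001  cmovb 0.005  cpumpb 0.003
ecva 0.0001  emova 0.005  epumpa 0.003  ecvb 0.0001  emovb 0.005  epumpb 0.003
"""

def parse_equ(text):
    """gate -> (operator, [(negated, input), ...]); a leading '-' or '/' negates an input."""
    gates = {}
    for tok in (shlex.split(ln) for ln in text.splitlines() if ln.strip()):
        gates[tok[0]] = (tok[1].lower(), [(c[0] in "-/", c.lstrip("-/")) for c in tok[2:-1]])
    return gates

def parse_dmg(text):
    """'name probability' pairs (line breaks do not matter); unlisted events count as 0.0."""
    tok = text.split()
    return {tok[i]: float(tok[i + 1]) for i in range(0, len(tok), 2)}

def parse_etr(text):
    """[(tree, [(consequence, [(negated, top_gate), ...]), ...])]. The top-gate simple failure
    probabilities and downtimes are skipped (zero in the demo); master trees are not handled."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    pos, trees = 1 + int(lines[0]), []
    while pos < len(lines):
        nseq, name = shlex.split(lines[pos])[:2]
        rows = [ln.split() for ln in lines[pos + 1:pos + 1 + int(nseq)]]
        trees.append((name, [(r[0], [(g[0] in "-/", g.lstrip("-/")) for g in r[1:]]) for r in rows]))
        pos += 1 + int(nseq)
    return trees

# Failure probability of one gate from independent inputs (the six operators tabulated above).
GATE = {"and": lambda ps: prod(ps),
        "or": lambda ps: 1.0 - prod(1.0 - p for p in ps),
        "not": lambda ps: 1.0 - ps[0],
        "nand": lambda ps: 1.0 - prod(ps),
        "nor": lambda ps: prod(1.0 - p for p in ps),
        "xor": lambda ps: ps[0] * (1.0 - ps[1]) + ps[1] * (1.0 - ps[0])}

def evaluate_gates(gates, probs):
    """Every gate's failure probability, inputs treated as independent (exact once commons are fixed)."""
    done = {}
    def value(name):
        if name not in gates:
            return probs.get(name, 0.0)
        if name not in done:
            op, kids = gates[name]
            done[name] = GATE[op]([1.0 - value(k) if neg else value(k) for neg, k in kids])
        return done[name]
    return {g: value(g) for g in gates}

def common_events(gates):
    """Basic events that are an input to more than one gate (the common components)."""
    counts = {}
    for _, kids in gates.values():
        for _, k in kids:
            if k not in gates:
                counts[k] = counts.get(k, 0) + 1
    return sorted(k for k, n in counts.items() if n > 1)

def direct_solve(gates, probs, trees):
    """Direct method: 2^M sub-problems, each common event forced to 1.0 or 0.0, summed with
    weight = probability of that combination. Returns (gate probs, {tree: [sequence probs]})."""
    commons = common_events(gates)
    gate_p = {g: 0.0 for g in gates}
    seq_p = {t: [0.0] * len(seqs) for t, seqs in trees}
    for states in product((1.0, 0.0), repeat=len(commons)):
        w = prod(probs.get(c, 0.0) if s else 1.0 - probs.get(c, 0.0) for c, s in zip(commons, states))
        gp = evaluate_gates(gates, {**probs, **dict(zip(commons, states))})
        for g in gates:
            gate_p[g] += w * gp[g]
        for t, seqs in trees:  # a sequence is the product over its listed top gates
            for i, (_, path) in enumerate(seqs):
                seq_p[t][i] += w * prod(1.0 - gp[g] if neg else gp[g] for neg, g in path)
    return gate_p, seq_p

def solve_demo():
    return direct_solve(parse_equ(DEMO_EQU), parse_dmg(DEMO_DMG), parse_etr(DEMO_ETR))
```

Calling `solve_demo()` reproduces the demo.ans figures to six decimals: sequences 0.978799, 0.020444 and 0.000757, and gates such as cmov1fails = 0.020980, ccstrains = 0.000780 and ccs = ecs = 0.021201. The three common events (dga, dgb, tank) give 2^3 = 8 sub-problems; within each, every remaining basic event appears once, so the gates above it really are independent and the per-gate product formulas are exact, which is why the summed result carries no stochastic uncertainty. The loop over `product(...)` is also where the 2^M cost lives that makes nComcut and the Monte Carlo path necessary for larger M.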
With different failure probabilities in the demo.dmg file, different results are obtained:
| name | Standard | Case 2 | Case 3 |
|---|---|---|---|
| tank | 10^-7 | 10^-6 | 10^-5 |
| dga | 0.02 | 0.2 | 0.2 |
| dgb | 0.02 | 0.2 | 0.2 |
| cmov1 | 0.001 | 0.01 | 0.1 |
| emov1 | 0.001 | 0.01 | 0.1 |
| ccva | 0.0001 | 0.001 | 0.01 |
| cmova | 0.005 | 0.05 | 0.5 |
| cpumpa | 0.003 | 0.03 | 0.3 |
| ccvb | 0.0001 | 0.001 | 0.01 |
| cmovb | 0.005 | 0.05 | 0.5 |
| cpumpb | 0.003 | 0.03 | 0.3 |
| ecva | 0.0001 | 0.001 | 0.01 |
| emova | 0.005 | 0.05 | 0.5 |
| epumpa | 0.003 | 0.03 | 0.3 |
| ecvb | 0.0001 | 0.001 | 0.01 |
| emovb | 0.005 | 0.05 | 0.5 |
| epumpb | 0.003 | 0.03 | 0.3 |

| Results | Sequence | Standard | Case 2 | Case 3 |
|---|---|---|---|---|
| Seq 1 | /ecs | 0.9788 | 0.7754 | 0.3799 |
| Seq 2 | ecs /ccs | 0.0204 | 0.1561 | 0.2097 |
| Seq 3 | ecs ccs | 0.0008 | 0.0685 | 0.4104 |
Oak Ridge National Laboratory, 2004