Hans-Dieter Kochs

System Dependability
Evaluation Including
S-dependency and
Uncertainty
Model-Driven Dependability Analyses
Hans-Dieter Kochs
Lehrstuhl für Informationslogistik
Universität Duisburg-Essen
Duisburg
Germany

ISBN 978-3-319-64990-0    ISBN 978-3-319-64991-7 (eBook)


DOI 10.1007/978-3-319-64991-7

Library of Congress Control Number: 2017950274

© Springer International Publishing AG 2018


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part
of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations,
recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or
information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar
methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or
the editors give a warranty, express or implied, with respect to the material contained herein or for any
errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.

Printed on acid-free paper

This Springer imprint is published by Springer Nature


The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
The introduction of new technologies and the increasing complexity of systems make dependability (reliability and availability, as defined in IEC 60050-192:2015) analyses indispensable for avoiding economic disaster and huge penalties in the case of unreliable systems. Poor dependability can cause expensive rectification and loss of trust, reputation, and market share. Thus, dependability modeling and evaluation should be basic tasks of every systems engineer, and their results should be laid down in technical specifications and contracts by manufacturers and customers of industrial systems. Stochastic dependency (s-dependency) between components and the influence of uncertainty can have a significant impact on system dependability. In practice, s-dependency and uncertainty are often not taken into account.

The book focuses on system dependability modeling and calculation, considering the impact of s-dependency and uncertainty. The approaches best suited to practical system dependability modeling and calculation, (1) the minimal cut approach, (2) the Markov process approach, and (3) the Markov minimal cut approach as a combination of (1) and (2), are described in detail and applied to several examples. Boolean logic, used stringently throughout the development of all three approaches, is the key to combining them on a common basis. For large and complex systems, efficient approximation approaches, e.g. the probable Markov path approach, have been developed which can take into account s-dependencies between components of complex system structures. A comprehensive analysis of aleatory uncertainty (due to randomness) and epistemic uncertainty (due to lack of knowledge), and of their combination, has been carried out; it is developed on the basis of basic reliability indices and evaluated with the Monte Carlo simulation method. The impact of uncertainty on system dependability is investigated and discussed using several examples at different levels of difficulty. The applications cover a wide variety of large and complex (real-world) systems. The current state-of-the-art definitions of terms from the IEC 60050-192:2015 standard, as well as the dependability indices, are used uniformly in all six chapters of the book.

Pre-knowledge: Mathematical interest, basic knowledge of Boolean algebra, probability theory, and the theory of stochastic processes.


Why this book? The vast majority of current books and publications on dependability are highly mathematical and often deal only with small systems. The intention of this book is to bridge the gap between theory and practice, and to concentrate on easy and effective approaches for dependability analyses of systems including s-dependency and uncertainty, which have been proved applicable to industrial systems. The developed modeling and calculation approaches are embedded in a framework consisting of 8 steps, based on the author's theoretical and industrial dependability experience and application over several decades. A further aim of the book is to emphasize the close relationship between network models and Markov models, based on Boolean logic, which easily (and clearly) enables their combination. The developed approaches are applicable to all large and complex systems that can be structured as illustrated in Figs. 1.1, 3.7, and 5.1, which apply to all industrial systems within the scope of this book. The aspiration of the author is to describe dependability theory and its application in an understandable and applicable way. The dependability approaches are compatible with all such systems.

What this book is not: The book is not a summary or a collection of the wide variety of purely theoretical dependability evaluation approaches.

Acknowledgements: I am greatly indebted and wish to thank all my colleagues and my former research assistants at my chair of Computer Engineering and Information Logistics at the University of Duisburg-Essen, Germany, for their innovative contribution and cooperation around the scope of dependability. I am also grateful to my colleagues from the Cooperative Institute of Mechatronik (imech) and the Collaborative Research Centre 291 (Speaker Prof. M. Hiller) of the German Research Foundation DFG, which have enabled extensive applied research work on system dependability. Furthermore, the periodical meetings of the Fault Tolerant Discussion Panel (FTDP), which took place alternately at different universities, have provided continuous stimulus over the last 25 years. As representatives of the FTDP, I would particularly like to thank Prof. K. Echtle and Prof. W. G. Schneeweiss (initiators of the FTDP) for their valuable contributions and substantial discussions. I would like to thank all industrial cooperation partners. The research cooperation with industry, especially the cooperation with ABB Ladenburg, Germany, and ABB Basel, Switzerland, on areas such as automation and control systems, was very productive and stimulated new ideas concerning the applicability of the developed dependability approaches. Research on the topic of uncertainty was carried out by Dr. Ph. Limbourg and Dr. P. Kongniratsaikul in cooperation with Dr. F. Lutz (IPL technology). The close combination of theory and practice in different application areas gave valuable impulses for the improvement of the approaches, which are described in this book. Furthermore, I would like to thank Dr. J. Petersen for the continual cooperation and discussions as well as for the technical support. I am very grateful to Ms. S. Heidtmann for a large number of relevant remarks and the correction of the manuscript.

The author thanks the International Electrotechnical Commission (IEC) for permission to reproduce information from its International Standards. All such extracts are copyright of IEC, Geneva, Switzerland. All rights reserved. Further information on the IEC is available from www.iec.ch. IEC has no responsibility for the placement and context in which the extracts and contents are reproduced by the author, nor is IEC in any way responsible for the other content or accuracy therein (IEC 60050-192 ed. 1.0, Copyright © 2015 IEC Geneva, Switzerland. www.iec.ch).

The author thanks the Management of the Museum for Communication Berlin and Mr. St. Sous (artist) for the permission to take photos for analyzing the stagecoach, which is exhibited as an art object (slogan “Berliner Luft Post”) in an exploded view. It offers a unique and clear insight into its construction details, which is used favorably for the system dependability analysis (Section 3.9).

Finally, but by no means least, I would like to particularly highlight and cordially thank my wife Anne for her perseverance and encouragement of the work. Without it, it would not have been possible to produce the book.

Professional career: Hans-Dieter Kochs was head of the Chair of Computer Engineering and Information Logistics at the University of Duisburg-Essen, Germany (retired 2009). He received a Diploma Degree in Electrical Engineering (1972) and a Dr.-Ing. Degree (1976) from the Technical University (RWTH) Aachen, Germany. From 1972 to 1979 he was a member of the Institute of Power Systems and Power Economics (IAEW) at the RWTH Aachen (Prof. K.W. Edwin) as a research assistant. From 1979 to 1991 he held leading positions in industry (AEG/Daimler Frankfurt, FAG Kugelfischer Erlangen, and ESWE Wiesbaden, Germany). Since 1991, he has been a full Professor. Since 1972 he has been engaged in scientific and industrial dependability analyses and studies. (e-mail: hans-dieter.kochs@uni-due.de)

Special thanks are also due to the Springer staff, especially Dr. J.-Ph. Schmidt and
Ms. P. Jantzen as well as the Springer production team of Mr. Jayanthan Veeraraghavan
for their editorial support.
Contents

Preface ..... V
List of definitions ..... XV
List of figures ..... XVII
List of tables ..... XXV
List of symbols and abbreviations ..... XXVII

1 Definitions and objective ..... 1
1.1 Definition of basic terms ..... 1
1.2 Objective of system dependability evaluation ..... 19

2 Brief review of system dependability approaches ..... 23
2.1 Application area ..... 23
2.2 Assessment criteria ..... 25
2.3 Approaches ..... 27
2.4 Framework for system dependability modeling and evaluation ..... 32
2.5 Notes on guarantee declaration ..... 36

3 Network approaches ..... 39
3.1 Scope ..... 40
3.2 Input data ..... 40
3.3 Basic network models ..... 43
3.3.1 Series system ..... 45
3.3.2 Parallel system ..... 46
3.4 Minimal cut (MC) approach ..... 47
3.4.1 Definitions and preconditions ..... 47
3.4.2 Examples ..... 48
3.4.3 Calculation of the objective indices ..... 49
3.4.4 Calculation of the MC indices ..... 51
3.5 Minimal path (MP) approach ..... 53
3.5.1 Definitions and preconditions ..... 53
3.5.2 Examples ..... 53
3.5.3 Calculation of the objective indices ..... 54
3.5.4 Calculation of the MP indices ..... 55
3.6 Approximation: Probable minimal cut (pMC) approach ..... 57
3.6.1 Mathematical basics ..... 59
3.6.2 Example ..... 62
3.6.3 Reduction of system model complexity by MC segmentation ..... 62
3.6.4 Example ..... 64
3.6.5 Conclusive remarks ..... 65
3.7 Interrelation between combination approach and MC/MP approach ..... 66
3.7.1 Example: Series structure ..... 67
3.7.1.1 Combination approach (Truth table) ..... 67
3.7.1.2 MC approach ..... 69
3.7.1.3 MC/MP approach ..... 71
3.7.2 Example: Parallel structure ..... 72
3.7.2.1 Combination approach (Truth table) ..... 73
3.7.2.2 MC approach ..... 73
3.7.2.3 MC/MP approach ..... 74
3.7.3 Combination approach (Truth table) versus MC/MP approach ..... 74
3.8 Historical example 1: Communication chain in ancient Persia 500 BC ..... 76
3.9 Historical example 2: Horse-drawn stagecoach ..... 94
3.10 Appendix ..... 116
3.10.1 Derivation of Eq. 1.137 ..... 116
3.10.2 Derivation of VFC2DF, VFC2FD, and VMC2DF ..... 117

4 State-space approach ..... 125
4.1 Scope ..... 126
4.2 Input data ..... 127
4.3 Definition of different types of stochastic processes ..... 127
4.3.1 2-state process model ..... 129
4.3.2 Multi-state process model ..... 133
4.4 Markov modeling and calculation ..... 139
4.4.1 Markov equations ..... 139
4.4.2 Modeling of components ..... 140
4.4.3 Modeling and calculation of systems ..... 142
4.4.3.1 Analytical approach ..... 143
4.4.3.2 Numerical iteration approach ..... 144
4.4.3.3 Objective indices of a parallel structure ..... 146
4.4.3.4 Objective indices of a series structure ..... 148
4.5 Approximation: Probable Markov path (pMp) approach ..... 150
4.5.1 Mathematical basics ..... 150
4.5.2 System with two s-independent components ..... 154
4.5.2.1 pMp calculation of the parallel system ..... 154
4.5.2.2 pMp calculation of the series system ..... 156
4.5.3 r-out-of-n system ..... 158
4.5.4 System of 4.5.2.1 with limited repair capacity and repair priority ..... 161
4.5.5 System of 4.5.4 with common cause failures (CCF) ..... 164
4.5.6 System of 4.5.4 with scheduled maintenance ..... 168
4.5.7 Segmentation of the Markov model of 4.5.6 and aggregation of the partial Markov models ..... 170
4.5.8 System with redundancy switching ..... 172
4.5.8.1 pMp approach ..... 173
4.5.8.2 Numerical iteration approach ..... 175
4.5.8.3 Examples ..... 176
4.5.9 System excluding repair during system operation ..... 177
4.5.9.1 Long-term process behavior ..... 178
4.5.9.2 Short-term process behavior ..... 180
4.5.10 Item with periodic fault diagnosis ..... 181
4.5.11 Paradox of the periodic inspection and the short-term behavior ..... 188
4.6 Appendix ..... 190
4.6.1 Modeling and calculation of the alternating 2-state renewal process in Fig. 4.2 ..... 190
4.6.2 Decision trees of the processes [Z(t), t > 0] graphically highlighted in Fig. 4.6-8 ..... 195

5 Markov minimal cut (MMC) approach ..... 203
5.1 Scope ..... 203
5.2 S-dependency ..... 203
5.3 Integration of Markov process models into minimal cuts - MMC approach ..... 207
5.4 Definition of various types of s-dependency and their impact ..... 209
5.4.1 S-dependency of type 1 ..... 211
5.4.2 S-dependency of type 2 ..... 212
5.5 Theoretical study example 1 ..... 214
5.6 Set of examples ..... 220
5.7 Theoretical study example 2 ..... 223
5.8 General conclusions concerning MMC ..... 230
5.9 Application example 1: Process automation and control system ..... 231
5.10 Application example 2: Mechatronic system ..... 241
5.11 Appendix ..... 266
5.11.1 Derivation of the c term of Eq. 5.45 ..... 266
5.11.2 Steady state of the MMC model, Fig. 5.19 ..... 267
5.11.3 Steady state of the MMC model, Fig. 5.20 ..... 269
5.11.4 Steady state of the MMC model, Fig. 5.21 ..... 271
5.11.5 Transient state of the MMC model, Fig. 5.19 ..... 272
5.11.6 Transient state of the MMC model, Fig. 5.20 ..... 275
5.11.7 Transient state of the MMC model, Fig. 5.21 ..... 277
5.11.8 Comparative study to Appendix 5.11.2 and 5.11.5 ..... 279
5.11.9 Comparative study to Appendix 5.11.3 and 5.11.6 ..... 280
5.11.10 Comparative study to Appendix 5.11.4 and 5.11.7 ..... 282

6 Uncertainty ..... 283
6.1 Scope ..... 284
6.2 Statistical concepts for the evaluation of uncertainty ..... 284
6.2.1 Measures of central tendency ..... 285
6.2.2 Measures of location ..... 285
6.2.3 Measures of dispersion ..... 286
6.3 Uncertainty evaluation in dependability analyses ..... 288
6.4 Aleatory uncertainty (AU) ..... 290
6.4.1 AU STEP 1. Identification ..... 291
6.4.2 AU STEP 2. Formulation ..... 291
6.4.3 AU STEP 3. Simulation: pdf f(t(US)) and f(t(DS)) ..... 294
6.4.4 AU STEP 4. Evaluation ..... 298
6.4.4.1 Input indices for the examples ..... 300
6.4.4.2 Simulation of components ..... 301
6.4.4.3 Simulation of series systems ..... 304
6.4.4.4 Simulation of parallel systems ..... 313
6.4.4.5 AU conclusion ..... 320
6.4.5 Approximation: Drenick's Theorem ..... 322
6.5 Epistemic uncertainty (EU) ..... 324
6.5.1 EU STEP 1. Identification ..... 324
6.5.2 EU STEP 2. Formulation ..... 325
6.5.3 EU STEP 3. Simulation: pdf f(ti(US)), f(ti(DS)), and f(pr(DS)) ..... 327
6.5.4 EU STEP 4. Evaluation ..... 329
6.5.4.1 Input indices for the examples ..... 329
6.5.4.2 Simulation of components ..... 330
6.5.4.3 Simulation of series systems ..... 333
6.5.4.4 Simulation of parallel systems ..... 338
6.5.4.5 EU conclusion ..... 343
6.6 Combination of epistemic and aleatory uncertainty (EUAU) ..... 345
6.6.1 EUAU STEP 1. Initial scenario ..... 345
6.6.2 EUAU STEP 2. Formulation ..... 345
6.6.3 EUAU STEP 3. Evaluation ..... 348
6.6.3.1 EUAU simulation of measures of central tendency and location ..... 348
6.6.3.2 EUAU conclusion ..... 353
6.7 Framework of dependability evaluation approaches regarding uncertainty ..... 355
6.8 Appendix ..... 357
6.8.1 AU algorithm of series systems, Fig. 6.3 ..... 358
6.8.2 AU algorithm of parallel systems, Fig. 6.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
6.8.3 EU algorithm of series systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
6.8.4 EU algorithm of parallel systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361

7 Reference ............................................................................................................ 363


List of definitions

Definition 1.1 (item).
Definition 1.2 (component, <in dependability>).
Definition 1.3 (system, <in dependability>).
Definition 1.4 (complex system, <in dependability>).
Definition 1.5 (required function).
Definition 1.6 (up state, <of an item>, available state, <of an item>).
Definition 1.7 (up time).
Definition 1.8 (operating state, <of an item>).
Definition 1.9 (operating time).
Definition 1.10 (operating time to failure, <of an item>).
Definition 1.11 (operating time to first failure, <of an item>).
Definition 1.12 (down state, <of an item>, unavailable state, <of an item>).
Definition 1.13 (down time).
Definition 1.14 (restoration).
Definition 1.15 (time to restoration, <of an item>).
Definition 1.16 (maintenance).
Definition 1.17 (preventive maintenance time).
Definition 1.18 (corrective maintenance time).
Definition 1.19 (repair).
Definition 1.20 (repair time).
Definition 1.21 (FFE taxonomy).
Definition 1.22 (common cause failures, CCF).
Definition 1.23 (reliability, <of an item>).
Definition 1.24 (availability, <of an item>).
Definition 1.25 (dependability, <of an item>).
Definition 1.26 (mechatronic dependability).
Definition 1.27 (incompleteness).
Definition 1.28 (indeterminacy).
Definition 1.29 (aleatory uncertainty, AU).
Definition 1.30 (epistemic uncertainty, EU).
Definition 3.1 (cut, minimal cut, MC).
Definition 3.2 (order of a MC).
Definition 3.3 (path, minimal path, MP).
Definition 3.4 (probable MC, pMC).
Definition 3.5 (universe state Z, universe space Ω).
Definition 4.1 (Markov state condition).
Definition 4.2 (Markov time condition).
Definition 4.3 (homogeneous Markov process).
Definition 4.4 (semi-Markov process).
Definition 4.5 (non-Markov process).
Definition 4.6 (strongly connected Markov process).
Definition 4.7 (steady state or stationary state).
Definition 4.8 (probable Markov path, pMp).
Definition 4.9 (periodic steady state).
Definition 5.1 (s-dependency).
Definition 5.2 (Markov minimal cut, MMC).
Definition 5.3 (s-dependency impact, sDI).

List of figures

Fig. 1.1. DBD levels of dependability analyses based on the terms component and system.
Fig. 1.2. Times and states related to operation and maintenance [IEC 60050-192:2015, Figure 1-2].
Fig. 1.3. FFE taxonomy according to [Avizienis et al. 2004], illustrated on the described examples.
Fig. 1.4. Example 7, FFE reconstruction based on [BEA 2000, Kochs 2001].
Fig. 1.5. Common cause failures (CCF).
Fig. 1.6. Uncertainty by sources, types, and effects [Kongniratsaikul 2014].
Fig. 1.7. Objective model: (Steady) 2-state model of systems with the basic indices Pr and Ti of the states U_S and D_S.
Fig. 2.1. Classification of appropriate system dependability approaches for systems such as in Fig. 1.1.
Fig. 2.2. Framework for system dependability modeling and calculation.
Fig. 3.1. 2-state real-time diagram for components with up and down times.
Fig. 3.2. Input model for DBD: (Steady) 2-state model of components with the basic indices Pr and Ti of the states U_C and D_C.
Fig. 3.3. Basic network models (DBD) of systems (up state mode).
Fig. 3.4. DBD with identification of the MC (up state mode).
Fig. 3.5. Approximate DBD of the bridge system, Fig. 3.4 (up state mode).
Fig. 3.6. Corresponding DBD of Fig. 3.5 (up state mode).
Fig. 3.7. Reduction of a complex system to a logical series structure (DBD) by the MC segmentation technique (up state mode).
Fig. 3.8. DBD with the illustration of s-dependency due to CCF (Chapter 5).
Fig. 3.9. DBD composed of MC (up state mode).
Fig. 3.10. DBD of the series structure.
Fig. 3.11. Reduction of a multi-state model to a 2-state model as the basis for the application of network approaches (approximation).
Fig. 3.12. DBD of Fig. 3.10 (up state mode).
Fig. 3.13. DBD of the parallel structure.
Fig. 3.14. The Persian Empire about 500 BC under Darius I with the Royal Highway [Lendering 2014].
Fig. 3.15. Illustration of the component model (112 components).
Fig. 3.16. DBD (up state mode related to D_S).
Fig. 3.17. DBD (up state mode related to F_S).
Fig. 3.18. DBD (up state mode related to DF_S).
Fig. 3.19. DBD (up state mode related to U_S).
Fig. 3.20. Network requirements of the cross structure, routing according to Table 3.3.
Fig. 3.21. VMC_4D (illustrated in Fig. 3.24).
Fig. 3.22. VMC_DF (illustrated in Fig. 3.24).
Fig. 3.23. VMC_2F (illustrated in Fig. 3.24).
Fig. 3.24. Overview scheme of the umbrella expressions V… with their Z expansion tree of the cross structure. Ω_S contains 3^(4 ⋅ 112) Z.
Fig. 3.25. Old horse-drawn stagecoach [mfk 2015] (Museum for Communication at Berlin).
Fig. 3.26. Components of the chassis [mfk 2015].
Fig. 3.27. Components of the chassis [mfk 2015].
Fig. 3.28. DBD of each cartwheel subsystem w_x (1 wheel).
Fig. 3.29. DBD of the cartwheel subsystem 4w (without spare wheel).
Fig. 3.30. DBD of the cartwheel subsystem 6w (with front and rear spare wheels).
Fig. 3.31. DBD of the system: Chassis of the carriage, 4w_c and 6w_c.
Fig. 3.32. VFC_2DF ⊂ VMC_DF (illustrated in Fig. 3.24).
Fig. 3.33. VFC_2FD(1,3) ⊂ VMC_2F(1), VFC_2FD(2,4) ⊂ VMC_2F(2).
Fig. 3.34. VFC_2FD(5,7) ⊂ VMC_2F(3), VFC_2FD(6,8) ⊂ VMC_2F(4).
Fig. 3.35. VFC_2FD(9,11,13) ⊂ VMC_2F(5), VFC_2FD(10,12,14) ⊂ VMC_2F(6).
Fig. 3.36. VFC_2FD(15,17,19) ⊂ VMC_2F(7), VFC_2FD(16,18,20) ⊂ VMC_2F(8).
Fig. 3.37. VFC_2FD(21,23,25) ⊂ VMC_2F(9), VFC_2FD(22,24,26) ⊂ VMC_2F(10).
Fig. 3.38. VFC_2FD(27,29,31) ⊂ VMC_2F(11), VFC_2FD(28,30,32) ⊂ VMC_2F(12), VFC_2FD ⊂ VMC_2F.
Fig. 3.39. Estimation of VMC_2DF (3rd order) and Pr(VMC_2DF).
Fig. 4.1. 2-state time model of an item.
Fig. 4.2. Alternating 2-state renewal process of an item.
Fig. 4.3. Input cdf for the 2-state stochastic process model in Fig. 4.2.
Fig. 4.4. Approximate down state probability of the model in Fig. 4.2 with the cdf from Fig. 4.3.
Fig. 4.5. State time models as basis for the multi-state stochastic process [Z(t), t > 0] and corresponding series and parallel system.
Fig. 4.6. Example of a homogeneous Markov process sequence [Z(t), t > 0] with exponential pdf of the components’ up and down times (Case 1 in Fig. 4.3), corresponding Markov model see Fig. 4.10, cutouts of the decision tree models are shown in Fig. 4.35-36.
Fig. 4.7. Example of a non-Markov process sequence [Z(t), t > 0] with exponential pdf of the up times and jump function of the down times of the components (Case 2 in Fig. 4.3), cutouts of the decision tree models are shown in Fig. 4.37-38.
Fig. 4.8. Example of a non-Markov process sequence [Z(t), t > 0] with Weibull pdf of the components’ up and down times, cutouts of the decision tree models are shown in Fig. 4.39-40.
Fig. 4.9. 2-state Markov model of a component, corresponding to the models in Fig. 4.1-2.
Fig. 4.10. Markov model of a system consisting of two s-independent component models of Fig. 4.9.
Fig. 4.11. Markov model based on Fig. 4.10 and its relationship to the network model: Parallel structure.
Fig. 4.12. Markov model based on Fig. 4.10 and its relationship to the network model: Series structure.
Fig. 4.13. Cutout of a Markov model with pMp from the initial state to the objective state Z_k.
Fig. 4.14. Markov model of Fig. 4.11 used to demonstrate pMp and the relationship to the network model: Parallel structure.
Fig. 4.15. Markov model of Fig. 4.12 used to demonstrate pMp and the relationship to the network model: Series structure.
Fig. 4.16. Markov model of the 2-oo-3 system.
Fig. 4.17. Minimal cut model of the 2-oo-3 system.
Fig. 4.18. 3-state time model for a component with postponable repair due to limited repair capacity and repair priority (first-failed-first-repaired).
Fig. 4.19. Markov model for a system with two component models with limited repair capacity and repair priority (first-failed-first-repaired).
Fig. 4.20a. Markov model with CCF (Definition 1.22), limited repair capacity, and repair priority (Fig. 4.19).
Fig. 4.20b. Markov model of Fig. 4.20a with reoperation after both failed components are repaired.
Fig. 4.21. 4-state time model for components with postponable maintenance (blue) and postponable repair (red) due to limited repair capacity (Fig. 4.18-19).
Fig. 4.22. Markov model of a 2-component system, constructed of two component models according to Fig. 4.21.
Fig. 4.23. Segmentation of the Markov model of Fig. 4.22 and assembling of the partial Markov cutouts.
Fig. 4.24. Markov model of component i with redundancy switching.
Fig. 4.25. Markov model of a system with two components with standby function according to Fig. 4.24 and repair priority due to limited repair capacity according to Fig. 4.19.
Fig. 4.26. 4-state Markov system model.
Fig. 4.27. Fault diagnosis model with discrete diagnosis times.
Fig. 4.28. Item model with periodic fault diagnosis.
Fig. 4.29. Case 1: Calculation of the state probabilities of Fig. 4.28.
Fig. 4.30. Case 2: Calculation of the state probabilities of Fig. 4.28.
Fig. 4.31. Final result: Periodic discrete time diagnosis (periodic fault detection, black line) versus continuous fault detection (dotted line) of an item.
Fig. 4.32. Paradox of the short-term probability. Fallacy: Pr(D, t_i) = 0 at each inspection point t_i, i = 1, 2, 3, ... (based on the model of Fig. 4.4).
Fig. 4.33. Models of a 2-state alternating renewal process with arbitrary cdf (different representation forms of the same process).
Fig. 4.34. Cumulative (probability) distribution functions G…(t) and the associated probabilities of the up and down states (qualitative).
Fig. 4.35. Cutout of the decision tree of the Markov process [Z(t), t > 0] of Fig. 4.6, series system.
Fig. 4.36. Cutout of the decision tree of the Markov process [Z(t), t > 0] of Fig. 4.6, parallel system.
Fig. 4.37. Cutout of the decision tree of the non-Markov process [Z(t), t > 0] of Fig. 4.7, series system.
Fig. 4.38. Cutout of the decision tree of the non-Markov process [Z(t), t > 0] of Fig. 4.7, parallel system.
Fig. 4.39. Cutout of the decision tree of the non-Markov process [Z(t), t > 0] of Fig. 4.8, series system.
Fig. 4.40. Cutout of the decision tree of the non-Markov process [Z(t), t > 0] of Fig. 4.8, parallel system.
Fig. 5.1. Boolean logic driven DBD based on MC and MMC models (advanced model of Fig. 3.7).
Fig. 5.2. S-dependency impact model of type 1 (cutout of a DBD, Fig. 5.1).
Fig. 5.3. S-dependency impact model of type 2 (cutout of a DBD, Fig. 5.1).
Fig. 5.4. DBD of the bridge structure with illustration of the impact of s-dependency between the components.
Fig. 5.5. S-dependency impact model of the bridge structure with s-dependent failures (CCF), caused by a failure of component 1.
Fig. 5.6. Approximate s-dependency impact model of the bridge structure, Fig. 5.4, with illustration of the s-dependency impact.
Fig. 5.7. DBD for study of the repair impact, highlighted by red arrows.
Fig. 5.8. Markov component model.
Fig. 5.9. Markov system model.
Fig. 5.10. Inflow to and outflow of a Markov state, Eq. 5.75.
Fig. 5.11. Technological model of the automation and control system.
Fig. 5.12. Component models.
Fig. 5.13. Markov model of the network switching subsystem (SwSystem, Fig. 5.11).
Fig. 5.14. DBD according to Fig. 5.1 for system states 1 (up state mode). One failure of ReCon... causes system down state 1 (21 MC).
Fig. 5.15. DBD according to Fig. 5.1 for system states 2 (up state mode). Two failures of ReCon... cause system down state 2 (191 MC).
Fig. 5.16. Research prototype of a manipulator as an example of a complex mechatronic system, example of [DFG 2001].
Fig. 5.17. Markov models of the mechatronic components.
Fig. 5.18. DBD of the 5-link system and its subsystems in the up state mode (notations of the components are given in Fig. 5.16-17).
Fig. 5.19. MMC model of MC_6…15 = D_Mi ∧ D_Mj, Eq. 5.132.
Fig. 5.20. MMC model of MC_16…35 = D_Mi ∧ D_Ej, Eq. 5.133.
Fig. 5.21. MMC model of MC_36…45 = D_Ei ∧ D_Ej, Eq. 5.134.
Fig. 5.22. Transient and steady state probability of the system down state.
Fig. 5.23. Comparative calculation to Fig. 5.22 (see Comment in Table 5.5).
Fig. 5.24. Usually, for dependability analyses, the different technological items of mechatronic systems cannot be separately modeled and calculated.
Fig. 5.25. Markov model with four components including CCF (red transitions). Multiple CCF such as c_{1,2,3}, c_{1,2,3,4} or c_{1,2} ⋅ c_{2,3} ⋅ … are excluded.
Fig. 5.26. Cutout of the decision tree of the MMC model of MC_6…15 = D_Mi ∧ D_Mj, Fig. 5.19, developed for calculation of the transient probability (e.g. applicable for dependability monitoring).
Fig. 5.27. Cutout of the decision tree of the MMC model of MC_16…35 = D_Mi ∧ D_Ej, Fig. 5.20, developed for calculation of the transient probability (e.g. applicable for dependability monitoring).
Fig. 5.28. Cutout of the decision tree of the MMC model of MC_36…45 = D_Ei ∧ D_Ej, Fig. 5.21, developed for calculation of the transient probability (e.g. applicable for dependability monitoring).
Fig. 6.1. Skewness and kurtosis in probability distributions.
Fig. 6.2. The process of dependability assessment under aleatory uncertainty.
Fig. 6.3. AU-simulation framework for series systems.
Fig. 6.4. AU-simulation framework for parallel systems.
Fig. 6.5. System pdf with their indices (graphic is based on Fig. 6.15, red curves).
Fig. 6.6. Calculation of min-max boundary indices (graphic is based on Fig. 6.15, red curves).
Fig. 6.7. Weibull pdf of t(U_C), t(D_C) of AU-1c (input pdf).
Fig. 6.8. Simulation of AU-1c with indices from Table 6.5.
Fig. 6.9. DBD examples of series systems.
Fig. 6.10. Simulation of AU-10s with indices from Table 6.6-7.
Fig. 6.11. AU-100s with indices from Table 6.8-9.
Fig. 6.12. AU-simulation of various series systems.
Fig. 6.13. Simulation of AU-10s with indices from Table 6.11-13.
Fig. 6.14. DBD examples of parallel systems.
Fig. 6.15. Simulation of AU-2p with indices from Table 6.14-15.
Fig. 6.16. Simulation of AU-2p transient phase of Fig. 6.15.
Fig. 6.17. Simulation of AU-3p with indices from Table 6.16-17.
Fig. 6.18. Simulation of AU-3p with indices from Table 6.16-17.
Fig. 6.19. The process of dependability assessment under epistemic uncertainty.
Fig. 6.20. Dependability indices under epistemic uncertainty, modeled as uniform distributions.
Fig. 6.21. Example histogram, approximate pdf, and estimations of EU system dependability indices.
Fig. 6.22. EU-1c with low and high uncertainty.
Fig. 6.23. EU-series systems with low uncertainty, Table 6.21-22 (MTTSF, MTTSR, Pr(DS) are calculated indices, disregarding uncertainties).
Fig. 6.24. EU-series systems with high uncertainty, Table 6.23-24 (MTTSF, MTTSR, Pr(DS) are calculated indices, disregarding uncertainties).
Fig. 6.25. EU-parallel systems with low and high uncertainty, Table 6.26-27 (MTTSF, MTTSR, Pr(DS) are calculated indices, disregarding uncertainties).
Fig. 6.26. EU-parallel systems with low and high uncertainty, Table 6.28-29 (MTTSF, MTTSR, Pr(DS) are calculated indices, disregarding uncertainties).
Fig. 6.27. The process of dependability assessment under combined AU and EU (EUAU).
Fig. 6.28. Relationship between EU and EUAU and their indices.
Fig. 6.29. Overview of the system dependability approaches with consideration of uncertainties.

List of tables

Table 3.1. Complete universe space Ω_S of the example in Fig. 3.10.
Table 3.2. Complete universe space Ω_S of the example in Fig. 3.13.
Table 3.3. Routing function (voting) at the stations within a defined time slot.
Table 3.4. Input indices: Assumed MDTF, Ti(U), Ti(D), and their epistemic uncertainty parameter (min-max, uniform pdf of the Ti values) of the components of the chassis.
Table 3.5. Cartwheel subsystem w_x (1 wheel).
Table 3.6. Cartwheel subsystem w_x (1 wheel).
Table 3.7. Cartwheel subsystem 4w.
Table 3.8. Cartwheel subsystem 4w.
Table 3.9. Cartwheel subsystem 6w.
Table 3.10. Cartwheel subsystem 6w.
Table 3.11. System 4w_c.
Table 3.12. System 4w_c.
Table 3.13. System 6w_c.
Table 3.14. System 6w_c.
Table 4.1. Classification of different process types.
Table 5.1. Objective indices of the system states 1 and 2.
Table 5.2. Component indices with numerical values (estimated, gained from experience, or from databooks, e.g. [NPRD 1995, NPRD 2016]).
Table 5.3. Probability of the system down state (Definition 1.12).
Table 5.4. Frequency of the system down state (Definition 1.12) and MSUT (mean system up time, Definition 1.7).
Table 5.5. Comparative calculation: Results of Table 5.3 with consideration of the changes described in the Comment.
Table 5.6. Comparative calculation: Results of Table 5.4 with consideration of the changes described in the Comment.
Table 6.1. Comparison of the surveyed uncertainty frameworks and the proposed framework (last line) [Kongniratsaikul 2014].
Table 6.2. Most commonly applied distribution in dependability evaluation.
Table 6.3. Important distribution in dependability evaluation.
Table 6.4. Important distribution in dependability evaluation.
Table 6.5. Estimations of AU-1c-b05/1, AU-1c-b1/1, and AU-1c-b3/1 (renewal process, Fig. 4.1-2. ttr is in all variants exponentially distributed).
Table 6.6. Estimations of AU-10s-b05/1, AU-10s-b1/1, and AU-10s-b3/1.
Table 6.7. Approximation of AU-10s by exponentially distributed ttsf and ttsr (t(U_S), t(D_S)).
Table 6.8. Estimations of AU-100s-b05/1, AU-100s-b1/1, and AU-100s-b3/1.
Table 6.9. Approximation of AU-100s by exponentially distributed ttsf and ttsr (t(U_S), t(D_S)).
Table 6.10. Input for AU simulation (similar components for each system version).
Table 6.11. Input for AU-10s (various MTTF).
Table 6.12. Estimations of AU-10s (various MTTF) according to Table 6.11.
Table 6.13. Approximation of AU-10s (various MTTF) by exponentially distributed ttsf and ttsr (t(U_S), t(D_S)).
Table 6.14. Estimations of AU-2p-b05/1, AU-2p-b1/1, and AU-2p-b3/1.
Table 6.15. Approximation of AU-2p by exponentially distributed ttsf and ttsr (t(U_S), t(D_S)).
Table 6.16. Estimations of AU-3p-b05/1, AU-3p-b1/1, and AU-3p-b3/1.
Table 6.17. Approximation of AU-3p by exponentially distributed ttsf and ttsr (t(U_S), t(D_S)).
Table 6.18. Components of series systems with low and high EU.
Table 6.19. EU-1c-low.
Table 6.20. EU-1c-high.
Table 6.21. EU-10s-low.
Table 6.22. EU-100s-low.
Table 6.23. EU-10s-high.
Table 6.24. EU-100s-high.
Table 6.25. Components of parallel systems with low and high EU.
Table 6.26. EU-2p-low.
Table 6.27. EU-2p-high.
Table 6.28. EU-3p-low.
Table 6.29. EU-3p-high.
Table 6.30. Component input for the following EUAU examples with low and high uncertainty.
Table 6.31. Summary of the evaluated indices for EUAU-10s-low.
Table 6.32. Summary of the evaluated indices for EUAU-10s-high.
Table 6.33. Summary of the evaluated indices for EUAU-2p-low.
Table 6.34. Summary of the evaluated indices for EUAU-2p-high.

List of symbols and abbreviations

1 Concerning all chapters: No distinction is made between singular and plural notation of the abbreviations, e.g. MC, pMC, MP, pMp, pdf, cdf, DB, DBD, CCF, STEP, etc., indicate the singular as well as the plural form.
2 A few abbreviations, which are used exclusively in an application example or in only one chapter without relationship to other chapters, are not listed here (this concerns mainly Chapter 5.9, 5.10, and 6).
3 Abbreviations are listed in alphabetical order. Indices are treated equivalently.

a: constant transition rate (transfer rate)
A: transition matrix
a_i,j: constant transition rate, Z_i → Z_j
AND: logical AND (conjunction, ∧)
AU: aleatory uncertainty
Av: availability
c: component
C: index for component
CCF, CCF_i,k, c_i,k: common cause failures, impact of component i on k, probability of CCF_i,k
cdf: (cumulative) distribution function F(x) (discrete and continuous), sum or integral of pdf
CI: confidence interval
D, D_C, D_S: down state due to failure; general term, for component C, and for system S
D̄: negation of D, D̄ ≡ ¬D = U
DB: dependability block, e.g. U, D, MC, MP, or Markov states, etc., or their negations (DB represents the up state mode or the down state mode)
DBD: dependability block diagram, consists of DB (DBD represents the up state mode or the down state mode)
DD: down state detected
dep: index for s-dependent
DF: D ∨ F
DFG: Deutsche Forschungsgemeinschaft (German Research Foundation)
DU: down state undetected
ECC: electric, communication, computer
E[X]: expectation value of X (mean of X)
EU: epistemic uncertainty
F: failed message state
F(x): cdf
F_Z(t): 1 – R_Z(t), Pr(T(Z) ≤ t)
FC: failed message cut (Fault cut)
FFE: failure, fault, error (FFE taxonomy)
f(fr(Z)): pdf of fr(Z)
FMEA: failure modes and effects analysis
FMECA: failure modes, effects and criticality analysis
f(pr(Z)): pdf of pr(Z)
Fr(Z): (arithmetic) mean frequency of a state Z
fr(Z)_i: calculated frequency of i-th simulation sample of state Z (used for epistemic uncertainty analysis)
Fr(Z)_max: maximal frequency of a state Z
Fr(Z)_mean: (arithmetic) mean frequency of a state Z
Fr(Z)_min: minimal frequency of a state Z
Fr(Z)_x%: frequency of a state Z at x-th percentile
FS: subset of VMC
f(ti(Z)): pdf of ti(Z)
f(t(Z)): pdf of t(Z)
f(x): probability (density) function pdf
F(x): (cumulative) distribution function cdf for any real variable x of a stochastic variable X (discrete and continuous)
F_Z(t): cdf of down state (≡ F(t(Z)), Pr(T(Z) ≤ t))
G…(t): cdf disjunction of random up/down state durations
h(X): relative frequency of a stochastic variable X
h(n(Z)_i / n(Z)): relative frequency
IEC: International Electrotechnical Commission
ind: index for s-independency (s-independent)
L{…}: Laplace transform
M…: indication of maintenance states, Fig. 1.2
MACMT: mean active corrective maintenance time, Fig. 1.2
MC: minimal cut
M̄C̄: negation of MC, M̄C̄ ≡ ¬MC
MCMT: mean corrective maintenance time, Fig. 1.2
MDT: mean down time, Fig. 1.2 (MDT used for component, MSDT used for system)
MDTF: mean distance to failure, Table 3.4
MFDT: mean fault detection time, Fig. 1.2
MMC: Markov minimal cut
MP: minimal path
MRT: mean repair time, Fig. 1.2
MSDT: mean system down time (in the sense of IEC, analogous to MDT)
MSUT: mean system up time (in the sense of IEC, analogous to MUT)
mttf: random mean operating time to failure
MTTF: mean operating time to failure, Fig. 1.2 (part of MUT; not conform with the older term mean time to failure, which is deprecated by IEC 60050-192 ed. 1.0)
MTTF_Standby: mean standby time, Fig. 1.2
mttr: random mean time to restoration
MTTR: mean time to restoration, Fig. 1.2 (not conform with the older term mean time to repair, which is deprecated by IEC 60050-192 ed. 1.0)
mttsf: random mean operating time to system failure
MTTSF: mean operating time to system failure (in the sense of IEC, analogous to MTTF)
mttsr: random mean time to system restoration
MTTSR: mean time to system restoration (in the sense of IEC, analogous to MTTR)
MTTT: mean time to travel, Table 3.4
MUT: mean up time, Fig. 1.2 (MUT used for component, MSUT used for system)
NAv: non-availability or unavailability
n(Z): number of Z
n(Z)_i: number of simulated Z
oo: out of, e.g. r-oo-n system
OR: logical OR (disjunction, ∨)
p: abbreviation for parallel, e.g. 2p (2 components connected in parallel)
pdf: probability (density) function f(x) (discrete and continuous)
pMC: probable MC
pMp: probable Markov path
Pr(Z): (arithmetic) mean probability of a state Z
pr(Z)_i: calculated probability of i-th simulation sample of state Z (used for epistemic uncertainty analysis)
Pr(Z)_max: maximal probability of a state Z
Pr(Z)_mean: (arithmetic) mean probability of a state Z
Pr(Z)_min: minimal probability of a state Z
Pr(Z)_x%: probability of a state Z at x-th percentile
Pr(Z, t): probability of Z
Pr(Z_i, t): probability of Z_i of a renewal process
R: reserve state, standby state
RB: reliability block, replaced by DB
RBD: reliability block diagram, replaced by DBD
R&D: research and development
R(t): reliability function
R_Z(t): 1 – F_Z(t), Pr(T(Z) > t)
s: abbreviation for series, e.g. 10s (10 components connected in series)
s: variable of Laplace transformed functions
S: index for system
S.D.: standard deviation (σ)
sDI, sDI(MC_dep): s-dependency impact
…_Sp: index: system, parallel
…_Ss: index: system, series
t: realisation of T
t(Z)_mean: (arithmetic) mean time (duration), used in AU and EUAU tables
SFB: Sonderforschungsbereich der DFG (Collaborative Research Centre of the DFG)
T: stochastic variable (time, duration)
t_1, t_2, t_3, …: interval points of t
t_d: random down time (≡ ttr)
ti(Z)_i: random value, i-th simulation sample of Ti(Z), e.g. mttf, mttr, mttsf, mttsr (used for epistemic uncertainty analysis)
Ti(Z): (arithmetic) mean time (duration) of state Z, e.g. MTTF, MTTR, MTTSF, MTTSR, M... values in Fig. 1.2
Ti(Z)_max: maximal mean time (duration) of a state Z
Ti(Z)_mean: (arithmetic) mean time (duration) of a state Z
Ti(Z)_min: minimal mean time (duration) of a state Z
Ti(Z)_x%: mean time (duration) of a state Z at x-th percentile
t_I = Δt: discrete inspection period
t_Sd: random system down time (≡ ttsr)
t_Su: random system up time (≡ ttsf)
ttf: operating time to failure
ttr: time to restoration
ttsf: operating time to system failure
ttsr: time to system restoration
t_u: random up time (≡ ttf)
t(Z): time of state Z, e.g. ttf, ttr, ttsf, ttsr
t(Z)_i: random value, i-th simulation sample of t(Z), e.g. ttf, ttr, ttsf, ttsr (used for aleatory uncertainty analysis)
U, U_C, U_S: up state (operation); general term, for component C, for system S
Ū: negation of U, Ū ≡ ¬U = D
VFC: logical OR-connection of FC
VMC: logical OR-connection of MC
x: realisation of X
X: stochastic variable (discrete and continuous)
[Z(t), t ≥ 0]: stochastic process
Z: (1) steady state, e.g. Z = {U, D}, {U_C, D_C}, {U_S, D_S}; (2) universe state; (3) Markov state
α: scale parameter of a Weibull distribution
β: shape parameter of a Weibull distribution
λ: failure rate of an exponential function
μ: restoration rate of an exponential function
Ω: universe space
σ_X: standard deviation of X (S.D.)
σ_X²: variance of X

1 Definitions and objective

1.1 Definition of basic terms
1.2 Objective of system dependability evaluation

This chapter provides an overview of definitions and terms as the basis for dependability analyses and their approaches described in this book. A subset of the IEC 60050-192:2015 ed. 1.0 is used with kind permission of IEC.

1.1 Definition of basic terms

Numerous standards and definitions of dependability (reliability and availability) for different application areas were developed in the last decades, e.g. summarized in [Rakowsky et al. 2001]. In this book, the following definitions are used, referring to the current standard [IEC 60050-192:2015]. It reflects the state-of-the-art definitions, which, in the opinion of the author, are not limited to electrical and electronic applications but are also applicable to other areas.

Definition 1.1 (item). Subject being considered (192-01-01).
Note*) 1: The item may be an individual part, component, device, functional unit, equipment, subsystem, or system.
Note 2: The item may consist of hardware, software, people or any combination thereof.
Note 3: The item is often comprised of elements that may each be individually considered. See sub item (192-01-02) and indenture level (192-01-05).
Remark 1**): Often the term unit is used equivalently to the term item.
Remark 2: A human can be regarded as an item (e.g. in Chapter 3.8). A human error can be considered as a transition from one state to another (e.g. as interaction between component states, see Fig. 5.17, 5.19-21). Human errors are not the primary scope of this book.
Remark 3: In an extended view, the term item can be used in a logical or a technical context, depending on the application. The views (logical or technical) can easily be differentiated from the application.

*) Note is an original part of the respective definition of IEC 60050-192:2015, abbreviated with (192-...-...).
**) Remark is a comment by the author with respect to the definition. It represents the viewpoint of the author.

© Springer International Publishing AG 2018
H.-D. Kochs, System Dependability Evaluation Including S-dependency and Uncertainty, DOI 10.1007/978-3-319-64991-7_1

For dependability analysis, an item can be considered either as a component or a system.

Definition 1.2 (component, <in dependability>*)). An item under considera-


tion, which is not further subdivided from the dependability (or statistical) point
of view.
Remark 1: A component is considered to have a defined real or abstract
boundary.
Remark 2: A component becomes a system, when regarded microscopically,
Fig. 1.1.

Definition 1.3 (system, <in dependability>). Set of interrelated items that col-
lectively fulfill a requirement (192-01-03).
Note 1: A system is considered to have a defined real or abstract boundary.
Note 2: External resources (from outside the system boundary) may be re-
quired for the system to operate.
Note 3: A system structure may be hierarchical, e.g. system, subsystem, com-
ponent, etc.
Remark 1: A system becomes a component when regarded macroscopically,
Fig. 1.1.
Remark 2: (192-01-04) defines a subsystem as part of a system, which is it-
self, a system.
Remark 3: External resources (from outside the system boundary), although
being necessary for the system to operate, are not considered in dependability
analyses.

Definition 1.4 (complex system, <in dependability>). System which cannot be represented by series or parallel structures.
Remark 1: The dependability of complex systems cannot be calculated with the product rule (e.g. Eq. 3.21, 3.30).
Remark 2: Examples are systems with intermeshed network structures (Chapter 3), bridge structures, r-oo-n structures (Chapter 4), and systems with stochastic dependencies (s-dependencies, Chapter 5).
Remark 3: Large and complex systems are designated as real-world systems. Industrial systems can be considered as real-world systems.

*) The qualifier <in dependability> means: with respect to dependability.

Fig. 1.1 describes in principle the modeling process in dependability analysis. Whether an item is regarded as a component or as a system depends on the point of view (level of abstraction).

An item can be subdivided into a set of interrelated items, which can further be subdivided, and so on (from left to right, top-down view). Conversely, items can be bundled into an item, and so on (from right to left, bottom-up view).

[Fig. 1.1: DBD at level 1 (top level) → DBD at level 2 (intermediate level) → ... → DBD at level n (bottom level), with the DB of the system (boundary) and the DB of a component (boundary) at the two ends. Top-down (microscopic) view: decomposition of components; bottom-up (macroscopic) view: aggregation of components.]

DBD dependability block diagram
DB dependability block
DB := state of an item or combination of states of items, demonstrated e.g. in Fig. 3.28-3.31 and in a general representation in Fig. 3.7, 5.1

Fig. 1.1. DBD levels of dependability analyses based on the terms component and system.

The definition of the terms component and system is an important step in dependability modeling and calculation, see STEP 4, Fig. 2.2.

Fig. 1.2 shows an overview of the IEC 60050-192:2015 definitions. Some definitions or terms related to the applications discussed here are adopted from the standard and extended where necessary. Deviations from the IEC definitions are indicated.
[Fig. 1.2: time and state structure of an item. Up state (192-02-01) with up time (192-02-02, mean MUT 192-08-09): enabled time (192-02-17), consisting of operating time (192-02-05, operating state 192-02-04) and non-operating (up) time (192-02-07, including idle time and standby time), and externally disabled time (192-02-24); operating time to failure (192-05-01, mean MTTF 192-05-11) and MTTF_Standby are marked on the up time. Down state (192-02-20) with down time (192-02-21, mean MDT 192-08-10): time to restoration (192-07-06, mean MTTR 192-07-23) and maintenance time (192-07-02), split into preventive maintenance time (192-07-05) and corrective maintenance time (192-07-07, mean MCMT); the corrective maintenance time consists of fault detection time (192-07-11, mean MFDT), administrative delay, logistic delay (192-07-15), technical delay (192-07-13) and active corrective maintenance time (192-07-10, mean MACMT 192-07-22, part of active maintenance time 192-07-04), which contains the repair time (192-07-19, mean MRT 192-07-21) = fault localization time (192-07-18) + fault correction time (192-07-14) + function checkout time (192-07-16). The figure also marks which of these intervals are used by the network approaches and by the state space and simulation approaches.]

Fig. 1.2. Times and states related to operation and maintenance [IEC 60050-192:2015, Figure 1-2]. All times mentioned in the figure are time intervals or a sequence of time intervals. Abbreviations in capital letters are mean values (M...).

Definition 1.5 (required function). Function considered necessary to fulfill a given requirement (192-01-14).
Note 1: The required function may be stated or implied (i.e. that which the purchaser would be entitled to expect).
Note 2: The required function, by implication, also covers what the item shall not do.
Note 3: Essential internal functions of a system, which may not be visible to the user, are also required functions. (Remark: e.g. basic fault tolerance requirements of components, Chapter 5.9.)

Definition 1.6 (up state, <of an item>, available state, <of an item>). State of being able to perform as required (192-02-01).
Note 1: The absence of necessary external resources may prevent operation, but does not affect the up state. See externally disabled state (192-02-23).
Note 2: Up state relates to the availability of the item (up ≡ available).
Note 3: An item may be considered to be in an up state for some functions and in a down state for others, concurrently.
Abbreviation*): U ≡ up state.

Definition 1.7 (up time). Time interval for which the item is in an up state
(192-02-02).
Remark 1: The detailed composition of the up time is outlined in Fig. 1.2.
Abbreviation: MUT ≡ mean up time (192-08-09).

Definition 1.8 (operating state, <of an item>). State of performing as required (192-02-04).
Note 1: The adjective “operating” designates an item in an operating state.
Note 2: In some applications, an item in an idle state is considered to be operating.
Remark 1: In many applications up state := operating state.

Definition 1.9 (operating time). Time interval for which an item is in an op-
erating state (192-02-05).
Note 1: The duration of operating time may be expressed in units appropriate
to the item concerned, e.g. calendar time, operating cycles, distance run, etc.,
and the units should always be clearly stated.

*) Abbreviation is a notation by the author used in this book.



Definition 1.10 (operating time to failure, <of an item>). Operating time accumulated from the first use, or from restoration, until failure (192-05-01).
Note 1: See also operating time (192-02-05).
Remark 1: Mean operating time to failure is defined as MTTF (192-05-11).
Remark 2: For many applications MUT := MTTF, when the other times in Fig. 1.2 are not considered.

Definition 1.11 (operating time to first failure, <of an item>). Operating time
accumulated from the first use until failure (192-05-02).
Note 1: Operating time to first failure is a special case of operating time to
failure (192-05-01).
Note 2: In the case of non-repairable items, the operating time to first failure is
the operating time to failure (192-05-01).
Remark 1: Operating time to first failure determines significantly the transient
behavior of items, even in case of repairable items, see Appendix 5.11.5-10.

Definition 1.12 (down state, <of an item>, unavailable state, <of an item>). State of being unable to perform as required, due to internal fault, or preventive maintenance (192-02-20).
Note 1: Down state relates to unavailability of the item.
Remark 1: In many applications down state := non-operating state (192-02-06) if maintenance is excluded.
Abbreviation: D ≡ down state.

Definition 1.13 (down time). Time interval for which the item is in a down
state (192-02-21).
Note 1: Down time excludes disabled time due to lack of external resources,
but includes maintenance time.
Remark 1: The detailed composition of down time is outlined in Fig. 1.2.
Remark 2: In (192-02-19) the term outage is used for disabled time. This term
is not used here, since disabled time can also be a part of the up time, see
Fig. 1.2.
Abbreviation: MDT ≡ mean down time (192-08-10).

Definition 1.14 (restoration). Event at which the up state is re-established after failure (192-06-23).
Remark 1: Restoration is the transition from the down state to the up state of an item (D → U).

Remark 2: After restoration the up state is considered to be “as-good-as-new”.

Definition 1.15 (time to restoration, <of an item>). Time interval from the instant of failure until restoration (192-07-06).
Note 1: If the instant of failure is indeterminate, the time interval is assumed to commence upon failure detection.
Remark 1: Mean time to restoration is defined as MTTR (192-07-23).
Remark 2: Depending on the application requirement MDT := MTTR, or MCMT, or MACMT, or MRT, see Fig. 1.2 (if only subintervals are considered).

Definition 1.16 (maintenance). Combination of all technical and management actions intended to retain an item in, or restore it to, a state in which it can perform as required (192-06-01).
Note 1: Management is assumed to include supervision activities.
Remark 1: Maintenance includes corrective maintenance (192-06-06) and preventive maintenance (192-06-05).

Definition 1.17 (preventive maintenance time). Part of the maintenance time taken to perform preventive maintenance, including technical delays and logistic delays inherent in preventive maintenance (192-07-05).

Definition 1.18 (corrective maintenance time). Part of the maintenance time taken to perform corrective maintenance, including technical delays and logistic delays inherent in corrective maintenance (192-07-07).

Definition 1.19 (repair). Direct action taken to effect restoration (192-06-14).
Note 1: Repair includes fault localization (192-06-19), fault diagnosis (192-06-20), fault correction (192-06-21), and function checkout (192-06-22). See also repairable item (192-01-11).
Remark 1: In this book, the term repair is used as a superordinate term including all activities during repair time, Definition 1.20.

Definition 1.20 (repair time). Part of active corrective maintenance time taken to complete repair action (192-07-19).
Note 1: Repair time is comprised of fault localization time (192-07-18), fault correction time (192-07-14) and function checkout time (192-07-16), Fig. 1.2.
Remark 1: MRT ≡ mean repair time (192-07-21).

[Avizienis et al. 2004] divides the cause of a down state into three levels of impairment: failure, fault, and error, described in this book as the FFE taxonomy. IEC 60050-192 defines these terms as follows.

Definition 1.21 (FFE taxonomy).

Failure, <of an item>: Loss of ability to perform as required (192-03-01).
Note 1: A failure of an item is an event that results in a fault of that item, see fault (192-04-01).
Note 2: Qualifiers, such as catastrophic, critical, major, minor, marginal and insignificant, may be used to categorize failures according to the severity of consequences, the choice and definitions of severity criteria depending upon the field of application.
Note 3: Qualifiers, such as misuse, mishandling and weakness, may be used to categorize failures according to the cause of failure.
Remark 1: Failures are caused by errors.
Remark 2 (to Note 1): A failure in an item results either in a fault within the item (and concerns only parts of the item, not the whole item, e.g. minor failure) or in the transition from the up state to the down state U → D of the item itself (significant failure), see Fig. 1.3.

Fault, <of an item>: Inability to perform as required, due to an internal state (192-04-01).
Note 1: A fault of an item results from a failure, either of the item itself, or from a deficiency in an earlier stage of the life cycle, such as specification, design, manufacture, or maintenance. See latent fault (192-04-08).
Note 2: Qualifiers, such as specification, design, manufacture, maintenance or misuse, may be used to indicate the cause of a fault.
Note 3: The type of fault may be associated with the type of associated failure, e.g. wear-out fault and wear-out failure.
Note 4: The adjective “faulty” designates an item having one or more faults.

Error: Discrepancy between a computed, observed, or measured value or condition, and the true, specified or theoretically correct value or condition (192-03-02).
Note 1: An error within a system may be caused by failure of one or more of its components, or by the activation of a systematic fault.
Note 2: See also human error (192-03-14).
Remark 1: According to [Avizienis et al. 2004], a failure is the result of an error (Fig. 1.3).
Remark 2: According to [Avizienis et al. 2004], the cause of an error is a fault.

Remark: The FFE taxonomy [Avizienis et al. 2004] was originally developed for computer, information, and communication items. Nevertheless, it can be applied in a similar way to a wider field of electrical, mechanical, and mechatronic items.

[Avizienis et al. 2004]: A failure does not occur in all cases of a deviation from the functional specification. The deviation, e.g. a not activated part of an item, is called a fault. If that part of the item is activated, the fault produces an error, which can cause or propagate a failure at the same or a later time. The failure becomes visible after its occurrence as a state transition from the up to the down state. A failure in a component may lead to a fault in its subsystem, and so on. A missing or incorrect human action is usually considered as an error. The three terms of Definition 1.21 are illustrated with the example in Fig. 1.3.

[Fig. 1.3: basic sequence of FFE: internal/external causation → Fault, activation → Error, propagation → Failure, which in turn is the causation of the next Fault → Error → Failure cycle. Examples 2-5 start with a failure, Examples 1 and 6 start with a fault; the final failure of a sequence is the transition from the up state (U) to the down state (D), see Fig. 1.7 and Fig. 3.2.]

Fig. 1.3. FFE taxonomy according to [Avizienis et al. 2004], illustrated on the described examples.

FFE cycles are often complex and fluid. Failure, fault, and error cannot always be separated. The following examples shall make the FFE taxonomy transparent.

Example 1 [Avizienis et al. 2004]: A short circuit occurring in an integrated circuit is a failure (e.g. critical, major, minor, marginal, or insignificant). The consequence is a fault that will remain dormant as long as it is not activated. Upon activation, the fault becomes active and produces an error, which is likely to propagate and create other errors. If and when the propagated error(s) affect(s) the required function (false information, delivered information out of time), a failure occurs.

Example 2 [Avizienis et al. 2004]: The result of an error by a programmer leads to a failure to write the correct instruction or data, which in turn results in a (dormant) fault in the written software (faulty instruction(s) or data). Upon activation, the fault becomes active and produces an error. If and when the error affects the required function (false information, delivered information out of time), a failure occurs. This example is not restricted to errors caused by a programmer; it can also be applied to maintenance errors, etc.

Example 3 [Avizienis et al. 2004]: The result of an error caused by a specifier leads to a failure in the description of a function of the item, which in turn results in a fault in the written specification, e.g. an incomplete description of the function. When the input data are such that the service corresponding to the missing function should be delivered, the fault becomes active and produces an error, which causes a failure.

Example 4: The use of the wrong lubricant in an engine is an error caused by service or maintenance personnel. From the viewpoint of the correct specification this is a failure, which causes a fault in the engine. If the engine is used, the fault activates an error (e.g. sluggishness of bearings), which sooner or later causes a wear-out failure (damage of the engine), depending on the environmental conditions and terms of use. If the engine is used only during very short time intervals, the error will probably not cause a failure. Otherwise, during long operation times the error will cause a failure (→ down state of the engine).

Example 5: The “abnormal” wear of an engine, induced by operating personnel in violation (consciously or unconsciously) of the control instruction, is an error. From the viewpoint of the control instruction this is an operating failure inducing a mechanical overload fault that activates a (premature wear) error, which propagates a failure of the item (→ down state of the engine).

Example 6: The bearing clearance is slightly outside the tolerance limit (it does not comply with the specification). This is a failure, which causes a fault in the engine (the engine continues to perform its function as required for a certain time). The fault remains dormant until it induces an error, which propagates a failure (→ down state of the engine).

Example 7 [BEA 2000, Kochs 2001]: A chain of five severe FFE sequences caused the total crash of the Concorde at Gonesse, near Paris, on July 25, 2000. The threat analysis according to the FFE taxonomy is outlined in Fig. 1.4. For example, if one or more of the errors (error_1, error_2, error_3, etc.) had not occurred, or if the failure sequence had been interrupted, there would have been a chance to prevent the crash.

FFE conclusion

For dependability analyses only the transition from the up state U to the down state D of an item is important. Thus, only the term failure is decisive, not the whole (inherent) FFE cycle(s). Most statistics are failure statistics, not FFE statistics. Furthermore, the term failure within the applications is restricted to internally induced random failure of the item. Failures which are caused by actions outside the item (e.g. specification, design, manufacture, preventive maintenance, or misuse) are excluded. Before the transition U → D takes place, many FFE cycles of parts inside the item may have run their course (Example 7); these may be important to the developer and designer of the item itself, or for understanding the FFE sequence, but not to the dependability analyst (who refers to the objective system evaluation). Therefore, it is indispensable to comprehensively analyze the system requirements in STEP 1, Fig. 2.2, and to correctly define STEP 2-5 before performing the evaluation in STEP 6-8.

[Fig. 1.4, columns Causation (Failure_n) | Activation (Fault_n) | Propagation (Error_n):]

Failure_1: Prior airplane lost a metal strip on the runway.
Fault_1: Metal strip remained on the runway.
Error_1: Concorde crossed the metal strip with high speed.

Failure_2: A tire was cut by the metal strip.
Fault_2: A piece of the destroyed tire, thrown against the wing, induced a complex physical shock process.
Error_2: Hydrodynamic pressure surge caused deformation of the tank(s).

Failure_3: A large piece of tank was ripped out.
Fault_3: Fuel was running out.
Error_3: Ignition of the leaking fuel, either caused by an electric arc, due to a destroyed electrical cable in the damaged landing bay, or due to contact with the hot parts of the engine.

Failure_4: A large fire under the aircraft’s wing broke out.
Fault_4: The airplane burnt mainly under the aircraft’s wing.
Error_4: Decreasing power of the adjoint engines (the engines were damaged, probably due to fire and other failures).

Failure_5 (total crash): At first, severe loss of thrust on engine 2, then on engine 1. The engines became uncontrollable, thus the airplane became uncontrollable.

Fig. 1.4. Example 7, FFE reconstruction based on [BEA 2000, Kochs 2001].

A severe type of failure is the common cause failure (CCF) (previously designated as common mode failure). The following definition includes the definitions in [Billinton et al. 1979, 1981, 1992, NUREG 1998] and covers a wide range of applications, some of which are listed in Chapter 5.2.

Definition 1.22 (common cause failures, CCF). A single event causes failures of multiple items simultaneously, or within a defined time interval Δt, where the failures are not consequences of each other.

Remark 1: (192-03-18) describes CCF in a similar way as failures of multiple items (however, independent of Δt), which would otherwise be considered independent of one another, resulting from a single cause.
Remark 2: CCF are illustrated in Fig. 1.5. The single event is the common cause.
Remark 3: It depends on the defined time delay Δt after a single event whether multiple failures are described as CCF or as concatenation failures.
Remark 4: In this book, CCF are related to technical component failures as well as human errors if they are part of the analyzed system (inside the system boundary).
Remark 5: It is assumed that human errors do not increase dependability, and successful repairs do not reduce dependability (according to the monotony conditions for network approaches, Chapter 3.4.1, Point 3).
Remark 6: 0 ≤ c_{i,k} ≤ 1, i, k ∈ S, is the probability that a failure of component i inside the system simultaneously causes a failure of component k inside the same system. For CCF, c_{i,k} ≪ 1 should hold.
Remark 7: CCF reduce the effectiveness of system redundancy.
[Fig. 1.5: a single event (e.g. fault, error) propagates to Failure 1, Failure 2, ..., Failure n.]

Fig. 1.5. Common cause failures (CCF).



In reality, CCF scenarios are complex; Example 7 in Fig. 1.4 gives an impression of this.

A comprehensive and systematic overview of different kinds of failures, faults, and errors is given in [Laprie 1992, 1995, Avizienis et al. 2004]. A mathematical treatment of s-dependency including CCF is described in Chapter 5.
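The effect named in Remark 7 of Definition 1.22 can be made quantitative with a small state space model. The following Python code is an added example and not code from the book: it sets up the 4-state Markov model of two parallel repairable components, uses the coupling c_{i,k} of Remark 6 as the probability that a failure of component i takes component k down at the same instant, solves the steady-state equations and derives the system indices of Eq. 1.5 for the parallel system (D_S only while both components are down). Exponential up and down times, repairs that proceed independently of each other, the numerical rates and all function names are assumptions of the example.

```python
"""Two parallel repairable components with common cause failures (CCF): steady-state
system indices Pr, Fr, Ti of Eq. 1.5 from a 4-state Markov model.

Added example, not code from the book. Assumptions of the example: exponential up and
down times, repairs that proceed independently of each other, and a coupling c_ik
(Remark 6 to Definition 1.22) meaning that a failure of component i takes component k
down at the same instant with probability c_ik. The parallel system is in D_S only while
both components are down."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    lam: float   # failure rate = 1 / Ti(U_i)
    mu: float    # repair rate  = 1 / Ti(D_i)


UU, DU, UD, DD = 0, 1, 2, 3   # state index: (component 1, component 2), U = up, D = down


def generator(c1: Component, c2: Component, c12: float, c21: float) -> list:
    """Transition-rate matrix Q (rows sum to zero) of the 4-state model."""
    q = [[0.0] * 4 for _ in range(4)]
    q[UU][DU] = c1.lam * (1.0 - c12)            # component 1 fails alone
    q[UU][UD] = c2.lam * (1.0 - c21)            # component 2 fails alone
    q[UU][DD] = c1.lam * c12 + c2.lam * c21     # CCF: both fail in one event
    q[DU][UU] = c1.mu                           # component 1 restored
    q[DU][DD] = c2.lam                          # component 2 fails while 1 is down
    q[UD][UU] = c2.mu
    q[UD][DD] = c1.lam
    q[DD][DU] = c2.mu                           # component 2 restored first
    q[DD][UD] = c1.mu                           # component 1 restored first
    for i in range(4):
        q[i][i] = -sum(q[i])
    return q


def solve_linear(a: list, b: list) -> list:
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting (no numpy needed)."""
    n = len(b)
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def steady_state(q: list) -> list:
    """Stationary distribution pi with pi Q = 0 and sum(pi) = 1: transpose Q and replace
    one (redundant) balance equation by the normalisation condition."""
    n = len(q)
    a = [[q[j][i] for j in range(n)] for i in range(n)]
    a[n - 1] = [1.0] * n
    b = [0.0] * (n - 1) + [1.0]
    return solve_linear(a, b)


def system_indices(c1: Component, c2: Component, c12: float = 0.0, c21: float = 0.0) -> dict:
    """Pr(D_S), Fr(D_S), Ti(D_S), Ti(U_S) of the parallel system (Eq. 1.5-1.13)."""
    pi = steady_state(generator(c1, c2, c12, c21))
    pr_down = pi[DD]
    fr_down = pi[DD] * (c1.mu + c2.mu)   # rate of leaving DD = Fr(D_S) = Fr(U_S), Eq. 1.9
    return {"Pr(DS)": pr_down,
            "Fr(DS)": fr_down,
            "Ti(DS)": pr_down / fr_down,           # Eq. 1.11 solved for Ti(D_S)
            "Ti(US)": (1.0 - pr_down) / fr_down}   # Eq. 1.8 and 1.10


if __name__ == "__main__":
    comp = Component(lam=0.01, mu=0.2)   # constructed values: MTTF = 100 h, MRT = 5 h
    for c in (0.0, 0.01, 0.1):
        print(f"c_ik = {c:<5} {system_indices(comp, comp, c, c)}")
```

With the constructed rates, c_{i,k} = 0 gives Pr(D_S) = (0.01/0.21)² ≈ 2.27·10⁻³, which is the product rule for two independent parallel components; c_{i,k} = 0.1 raises it to ≈ 6.77·10⁻³, a factor of about 3, while Ti(D_S) = 1/(μ₁ + μ₂) = 2.5 h is unchanged. The CCF therefore increase the frequency of the system down state, not its duration, which is the loss of redundancy effectiveness named in Remark 7.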

Definition 1.23 (reliability, <of an item>). Ability to perform as required, without failure, for a given time interval, under given conditions (192-01-24).
Note 1: The time interval duration may be expressed in units appropriate to the item concerned, e.g. calendar time, operating cycles, distance run, etc., and the units should always be clearly stated.
Note 2: Given conditions include aspects that affect reliability, such as: mode of operation, stress levels, environmental conditions, and maintenance.
Remark 1: Required external resources (outside the system) are not considered.
Remark 2: Previously, the term reliability was often used for the reliability function R(t) (item without repair).
Remark 3: Today, reliability is widely used as a general term for items excluding or including corrective maintenance (repair).
Remark 4: DIN 40041 defines reliability in a similar way.
Remark 5: The antonym of reliability (reliable) is unreliability (unreliable).

Definition 1.24 (availability, <of an item>). Ability to be in a state to perform as required (192-01-23).
Note 1: Availability depends upon the combined characteristics of the reliability (192-01-24), recoverability (192-01-25), and maintainability (192-01-27) of the item, and the maintenance support performance (192-01-29).
Remark 1: Required external resources (outside the system) are not considered.
Remark 2: The antonym of availability (available) is unavailability (unavailable) or non-availability (non-available).

Definition 1.25 (dependability, <of an item>). Ability to perform as and when required (192-01-22).
Note 1: Dependability includes availability (192-01-23), reliability (192-01-24), recoverability (192-01-25), maintainability (192-01-27), and maintenance support performance (192-01-29), and, in some cases, other characteristics such as durability (192-01-21), safety and security.
Note 2: Dependability is used as a collective term for the time-related quality characteristics of an item.
Remark 1: The antonym of dependability (dependable) is undependability (undependable).
Remark 2: IFIP WG 10.4 has proposed to use dependability as an umbrella term and reliability as a mathematical function (e.g. R(t)).

In this book the term dependability is used as a generic term for reliability
and availability, even in the case that the terms reliability or availability alone
are sufficient for the description.

A comprehensive system requirement analysis has to be performed in the first STEP (Fig. 2.2) of the dependability analysis process. The definition of the system state(s) (STEP 2) is based on the ability of the item (STEP 4) to perform as required under given conditions (STEP 3) for a given time interval. Dependability can be evaluated by appropriate approaches (STEP 5-8).

Further definitions of dependability for computer systems can be found in [Laprie 1992, Misra 1993, Pradhan 1995, Avizienis et al. 2004]. In [Kochs et al. 2004], the term mechatronic dependability is defined as follows.

Definition 1.26 (mechatronic dependability). Qualitative and quantitative assessment of the degree of performance of reliability- and safety-related predefinitions, taking into consideration all relevant influencing factors (attributes) [Kochs 2002, 2004, Kochs et al. 2004].

A design methodology for mechatronic systems is defined in [ VDI 2006] .

Uncertainty is usually defined from different perspectives [Kongniratsaikul 2014]. From a statistical perspective, uncertainty is classified by the following two sources: incompleteness and indeterminacy.

Definition 1.27 (incompleteness). Is caused by a simplifying representation which permits the usage of only a partial amount of the information available [Walley 1991].

Definition 1.28 (indeterminacy). Reflects limitations of the available information [Walley 1991].

Referring to [Walley 1991], fourteen types of uncertainty sources are given. In practice, it is hard to draw the line between the incompleteness and the indeterminacy of uncertainty. However, the tendency towards either one can be noticed. Fig. 1.6 illustrates an overlapping area between incompleteness and indeterminacy.

[Fig. 1.6: limited knowledge → sources of uncertainty (indeterminacy; incompleteness, arising from simplifying knowledge) → types of uncertainty (epistemic; aleatory) → effects of uncertainty (central tendency between min and max; local tendency). Indeterminacy/incompleteness and epistemic/aleatory each have an overlapping area.]

Fig. 1.6. Uncertainty by sources, types, and effects [Kongniratsaikul 2014].

The probabilistic perspective classifies uncertainty into aleatory uncertainty and epistemic uncertainty.

Definition 1.29 (aleatory uncertainty, AU). Aleatory uncertainty is the inherent variation associated with the physical system or the environment under consideration [Oberkampf et al. 2004].
Remark: Aleatory uncertainty is also referred to as intrinsic or inherent uncertainty, stochastic uncertainty, and irreducible uncertainty, which cannot be reduced by more accurate experiments.

Aleatory uncertainty occurs due to the random behavior of components and systems, and can be expressed by well-known pdf (probability (density) functions) of the statistically distributed up and down times of components and systems.

Definition 1.30 (epistemic uncertainty, EU). Epistemic uncertainty is uncertainty of the outcome due to any lack of knowledge or information in any phase or activity of the modeling process [Oberkampf et al. 2004].
Remark: Epistemic uncertainty is also referred to as extrinsic uncertainty or reducible uncertainty, which can be reduced by more complete information about the item.

Similar to the statistical perspective, uncertainty tends to be aleatory if complete knowledge is given. However, if the knowledge is very limited, it tends to be epistemic. Still, there is no clear division between aleatory uncertainty and epistemic uncertainty, as illustrated in Fig. 1.6.

1.2 Objective of system dependability evaluation

The objective is to calculate the dependability of systems structured according to Fig. 1.1. Fig. 1.7 shows the basic objective system model with its indices for dependability evaluation according to the previous definitions. The focus lies on steady state or periodic steady state behavior of the system dependability. The objective model can be interpreted as an alternating renewal process based on the mean durations Ti(U_S) and Ti(D_S) (as jump functions).
[Fig. 1.7: system state Z_S(Ti) alternating between U_S (Pr(U_S) =: Av_S, duration Ti(U_S), result Eq. 1.3) and D_S (Pr(D_S) =: NAv_S, duration Ti(D_S), result Eq. 1.4); the transition U_S → D_S is a failure (Definition 1.21), the transition D_S → U_S a restoration (Definition 1.14); the indices are those of Definitions 1.23-25.]

Fig. 1.7. Objective model: (Steady) 2-state model of systems with the basic indices Pr and Ti of the states U_S and D_S.

System states (defined in STEP 2, Fig. 2.2)

U_S   up state, Definition 1.6                                   (1.1)
D_S   down state, Definition 1.12                                (1.2)

Steady state system indices (calculated values, STEP 6-8, Fig. 2.2)

Ti(U_S) ≡ MSUT, mean system up time, Definition 1.7             (1.3)
Ti(D_S) ≡ MSDT, mean system down time, Definition 1.13          (1.4)

Pr(U_S), Pr(D_S)   probabilities                                 (1.5)*)
Fr(U_S), Fr(D_S)   mean frequencies
Ti(U_S), Ti(D_S)   mean times (mean durations)

The evaluation of these indices is the objective of the system dependability evaluation. They are used consistently throughout all chapters of this book.

Probabilities

$$\mathrm{Pr}(U_S) = \frac{Ti(U_S)}{Ti(U_S) + Ti(D_S)} \qquad (1.6)$$

$$\mathrm{Pr}(D_S) = \frac{Ti(D_S)}{Ti(U_S) + Ti(D_S)} \qquad (1.7)$$

$$\mathrm{Pr}(U_S) + \mathrm{Pr}(D_S) = 1 \qquad (1.8)$$

Frequencies

$$\mathrm{Fr}(D_S) = \mathrm{Fr}(U_S) = \frac{1}{Ti(U_S) + Ti(D_S)} \qquad (1.9)$$

Relationship

$$\mathrm{Pr}(U_S) = Ti(U_S) \cdot \mathrm{Fr}(U_S) \qquad (1.10)$$

$$\mathrm{Pr}(D_S) = Ti(D_S) \cdot \mathrm{Fr}(D_S) \qquad (1.11)$$

In addition to these indices, the following indices (Definition 1.24) are also used.

$$Av_S := \mathrm{Pr}(U_S) \quad \text{availability} \qquad (1.12)$$

$$NAv_S := \mathrm{Pr}(D_S) \quad \text{non-availability or unavailability} \qquad (1.13)$$

The steady state indices, Eq. 1.6-13, are independent of the shape of the probability (density) functions (pdf) of the up and down times of the corresponding states, see Appendix 4.6.1.
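As an added example (not code from the book), the following Python code evaluates Eq. 1.6-1.13 from the mean durations Ti(U_S), Ti(D_S) and checks the statement above by Monte Carlo simulation of the alternating renewal process of Fig. 1.7: the up and down times are drawn from two different pairs of distributions with the same means, and the empirical Pr, Fr and Ti agree with the analytic values in both cases. The distribution shapes (exponential vs. uniform up times, exponential vs. constant down times), the means 100 and 5 time units and the function names are assumptions of the example.

```python
"""Steady-state indices of the 2-state objective model (Fig. 1.7, Eq. 1.6-1.13) and a
Monte Carlo check that they do not depend on the shape of the up/down time pdfs.

Added example, not code from the book. The distribution shapes (exponential vs. uniform
up times, exponential vs. constant down times) and the means 100 and 5 are constructed
choices for the demonstration."""

import random


def steady_state_indices(ti_up: float, ti_down: float) -> dict:
    """Pr, Fr, Ti, Av, NAv of U_S and D_S from the mean durations Ti (Eq. 1.6-1.13)."""
    cycle = ti_up + ti_down            # mean length of one U_S -> D_S -> U_S cycle
    pr_up = ti_up / cycle              # Eq. 1.6
    pr_down = ti_down / cycle          # Eq. 1.7; pr_up + pr_down == 1 is Eq. 1.8
    fr = 1.0 / cycle                   # Eq. 1.9: Fr(D_S) = Fr(U_S), one failure per cycle
    return {"Pr(US)": pr_up, "Pr(DS)": pr_down, "Fr": fr,
            "Ti(US)": pr_up / fr,      # Eq. 1.10 solved for Ti(U_S)
            "Ti(DS)": pr_down / fr,    # Eq. 1.11 solved for Ti(D_S)
            "Av": pr_up, "NAv": pr_down}  # Eq. 1.12, 1.13


def simulate_indices(up_sampler, down_sampler, cycles: int) -> dict:
    """Empirical indices of an alternating renewal process over `cycles` U/D cycles.
    up_sampler() / down_sampler() return one realisation of an up / down time."""
    total_up = total_down = 0.0
    for _ in range(cycles):
        total_up += up_sampler()       # U_S lasts until the next failure ...
        total_down += down_sampler()   # ... D_S lasts until the next restoration
    horizon = total_up + total_down
    return {"Pr(US)": total_up / horizon,
            "Pr(DS)": total_down / horizon,
            "Fr": cycles / horizon,    # failures (= restorations) per unit time
            "Ti(US)": total_up / cycles,
            "Ti(DS)": total_down / cycles}


def shape_independence_check(ti_up: float = 100.0, ti_down: float = 5.0,
                             cycles: int = 200_000, seed: int = 1) -> dict:
    """Same means, different pdf shapes: Pr and Fr agree with Eq. 1.6-1.9 in both runs."""
    rng = random.Random(seed)
    exp_up = lambda: rng.expovariate(1.0 / ti_up)       # exponential, mean ti_up
    uni_up = lambda: rng.uniform(0.0, 2.0 * ti_up)      # uniform on [0, 2 ti_up], mean ti_up
    exp_down = lambda: rng.expovariate(1.0 / ti_down)   # exponential, mean ti_down
    fixed_down = lambda: ti_down                        # constant repair time, mean ti_down
    return {"analytic": steady_state_indices(ti_up, ti_down),
            "exp/exp": simulate_indices(exp_up, exp_down, cycles),
            "uni/fixed": simulate_indices(uni_up, fixed_down, cycles)}


if __name__ == "__main__":
    for name, idx in shape_independence_check().items():
        print(f"{name:10s} Pr(US)={idx['Pr(US)']:.5f} Fr={idx['Fr']:.6f} "
              f"Ti(US)={idx['Ti(US)']:.2f} Ti(DS)={idx['Ti(DS)']:.3f}")
```

Running the block prints the analytic indices next to both simulated sets: Pr(U_S) ≈ 0.952 and Fr ≈ 0.00952 per time unit result in all three cases, although the two simulated processes have quite different up-time pdfs. Only the transient behavior (Remark 1 to Definition 1.11), which the block does not compute, would differ between the two shapes.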

Uncertainty

Another objective of this book is the assessment of the influence of aleatory and epistemic uncertainty on the objective system state indices, Eq. 1.5.

*) The set of indices is simply named as Eq. 1.5.

Remark

Whereas the objective of system dependability evaluation (Fig. 1.7) is equal for all
approaches, the input models depend on the approaches described in the following
chapters.
2 Brief review of system dependability approaches

2.1 Application area
2.2 Assessment criteria
2.3 Approaches
2.4 Framework for system dependability modeling and evaluation
2.5 Notes on guarantee declaration

Most dependability approaches are sophisticated mathematical procedures, which do not permit precise modeling and calculation of large and complex systems. Furthermore, input values are mostly uncertain. Dependability methods, procedures, and approaches, which cover a wide area of engineering applications, have been described in [Barlow et al. 1965, Singh et al. 1977, MBB 1977, Endrenyi 1978, Schneeweiss 1980, 1992, 2001, Dhillon et al. 1981, Kochs 1984, Billinton et al. 1992, Misra 1993, Andrews et al. 2002, Kececioglu 2002, O’Connor et al. 2002, Pham 2003, Meyna et al. 2010, Kochs 2012]. They represent the methodology of dependability analyses over several decades and outline the relevant steps for further development of effective methods and approaches. Fig. 2.1 gives an overview of dependability evaluation approaches and their applicability to industrial or real-world systems in general. A framework for system dependability modeling and evaluation is proposed in Fig. 2.2.

2.1 Application area

The approaches in Fig. 2.1 are applicable to a variety of large and complex techni-
cal systems, e.g.

- automation and control systems (e.g. for process, environment, energy, and
traffic),
- mechatronic systems,
- automotive systems,
- computer systems,
- energy generation, transmission, and distribution systems,
- power stations, e.g. transformer stations and switching stations.

Selected examples, both up-to-date and historical, which demonstrate the
applicability of the approaches to large and complex system structures are ana-
lyzed and evaluated in detail in the following chapters.
© Springer International Publishing AG 2018 23
H.-D. Kochs, System Dependability Evaluation
Including S-dependency and Uncertainty,
DOI 10.1007/978-3-319-64991-7_2

[Fig. 2.1, column headers (rotated in the original): Assessment criteria: Large
systems; Complex systems 1) excluding s-dependency; Complex systems including
s-dependency 2); Transparency, clarity; Practicability, low computational expense;
(White box) documentation. The x marks below are listed per row; their column
positions are not reproduced.]
ANALYTICAL APPROACHES
Network approaches                               Easy calculation of simple
  Boolean algebra                  x x x         structured systems (excluding
  Series and parallel structures   x x x x       s-dependency).
  Minimal path (MP) 3)             x x x x x
  Minimal cut (MC) 3)              x x x x x
  Probable minimal cut (pMC)       x x x x x
State space approaches                           (Sub)models, easy to calculate,
  Probable Markov path (pMp)       x x x x       can be embedded in MC (MMC).
  Markov process 4)                x x x         Complete modeling is extensive
  Semi-/non-Markov process 5)      x             or not possible.
  Combination (truth table)        x x x         Easy modeling of small systems.
Combined approach
  Markov minimal cut (MMC)         x x x x x     Easy calculation of large and
                                                 complex 1,2) systems.
SIMULATION APPROACHES
  Petri networks 6, 7)             x x           For comprehensive analyses,
  Monte Carlo simulation 6)        x x           uncertainty studies.

x: Constraint fulfilled to a high degree, x: Particularly suitable in the opinion of the author.
1) Definition 1.4.
2) Definition 5.1.
3) Preferably usable for a small number of MP or a limited number of MC.
4) Preferably usable for a limited number of Markov states.
5) Modeling and calculation are generally difficult.
6) If the failure probabilities of the components are very low, then the calculation time of sys-
tem indices can increase extremely.
7) Suitable for transient behavior, slow motion effect possible.

Fig. 2.1. Classification of appropriate system dependability approaches for sys-
tems such as in Fig. 1.1. The approaches in the shaded areas are primarily de-
scribed and applied in this book, reference is [Kochs 1984].

2.2 Assessment criteria

The following assessment criteria are important for the selection of the suitable ap-
proach.

Large systems

As a rule, technical systems are considered as large systems with several (namely
100 and more) significant components. Industrial systems are usually large sys-
tems that can be structured according to Fig. 1.1 and modeled according to Fig.
3.7 and 5.1.

Complex systems

According to Definition 1.4, complex systems are characterized by (1) an inter-
meshed logical network structure (DBD) and/or (2) a stochastic dependency be-
tween the component states.

Remark 3 of Definition 1.4 states that large and complex systems are designated
as real-world systems in this book. Industrial systems can be considered as real-
world systems.

S-dependencies

S-dependency (stochastic dependency) between components can have severe im-
pact on system operational and non-operational behavior, depending on the inter-
action between the components (Chapter 4, 5). In technical systems, a variety of
s-dependencies can occur. In Chapter 5, a measure is introduced to assess the im-
pact of s-dependency on dependability.

Transparency, clarity

The approaches and the way of calculation should be transparent. Transparency
means that the approaches are understandable and have to agree with current
state-of-the-art and -science as well as relevant standards. The results should be
conservative (on the “safe-side“), reproducible, explainable, and interpretable, tak-
ing into consideration all the preconditions and assumptions defined in STEP 3,
Fig. 2.2.

Practicability, low computational expense

Approaches should be applicable for a variety of technical systems, not only for sci-
entists, but also for development engineers, project engineers, systems engineers,
or consultants. A dependability evaluation of a project should be subject to a cost-
benefit assessment. If a dependability evaluation process exceeds the predeter-
mined time, then the costs can grow rapidly and get out of control. Preferably used
for industrial analyses are approaches that have been proven and that do not require
reading academic papers or theses before making a dependability study.

(White box) documentation

The documentation of the complete dependability analyses is often a critical point
with respect to time and cost, both for suppliers and customers. If the fore-
going criteria are fulfilled, then an important precondition for preparing a compre-
hensive documentation is already satisfied. Especially, for the agreement of
penalties in contracts, an exact documentation with adequate interpretation of the
evaluated results is indispensable. All steps of Fig. 2.2 should be documented and
interpreted according to Chapter 2.5.

2.3 Approaches

Generally, a differentiation is made between analytical and simulation approaches.
The analytical approaches are divided into network approaches and state space
approaches [Singh et al. 1977]. Analytical approaches are preferably used for engi-
neering applications, because their analytical results fulfill the assessment criteria to
a more or less large extent and enable estimation of the impact of the component
parameters (including s-dependency) on system dependability (sensitivity).

In this book, a network is defined as a connection of components (Definition 1.2),
either in up states or down states. A representation form is the network model, where
dependability blocks (DB*)) are connected together to dependability block diagrams
(DBD). To avoid confusion with functional or physical block diagrams, often
depicted as RBD in the literature, a DBD is defined as a logical structure, not a
functional or physical structure. A dependability block (DB) represents a Boolean
variable or an expression (MC, see Chapter 3-5), not a functional or physical
item. The mathematical basis for the calculation of DBD is Boolean algebra
and probability theory. Remark: DBD are closely related to Fault trees.

A state space comprises all universe states (Definition 3.5) of a stochastic process.
Due to their outstanding importance, Markov process models are emphasized in
this book. The mathematical basis for state space approaches is the theory of
stochastic processes.

The approaches in Fig. 2.1 are briefly described with focus on the application areas
in Chapter 2.1. Some primary references for engineering applications are given.
The relevant approaches (shaded areas in Fig. 2.1) are described and discussed in
depth in the following chapters.

Boolean algebra

Boolean algebra is suitable and simple to use for small system structures without
considering s-dependencies, e.g. [MBB 1977, Schneeweiss 1989, 1992, 2001].
Time dependency cannot be considered. For real-world systems, Boolean algebra
did not prove successful. Nevertheless, Boolean algebra is the basis for the follow-
ing approaches and their combinations.

*) Remark: No distinction is made between singular and plural notation of abbre-
viations (see List of Symbols and abbreviations, Point 1).

Approaches for series and parallel system structures

These well-known approaches are easily applicable to series and parallel struc-
tures. The approaches are based on elementary probability theory. Complex sys-
tems cannot be calculated, except in special cases. Basic references are e.g.
[MBB 1977, Singh et al. 1977, Endrenyi 1978, Billinton et al. 1992].

Minimal path (MP) approach

The MP approach is based on logical OR connected MP. A MP consists of logical
AND connected up states (U) of the relevant components. Because the probabil-
ities of the component up states are normally close to 1 (e.g. 0.999 ...), the calcu-
lation is more elaborate than with the MC approach, with the exception of pure series
systems. Basic references are e.g. [Singh et al. 1977, Endrenyi 1978, AEG 1981,
Billinton et al. 1992].

Minimal cut (MC) approach

The MC approach is based on logical OR connected MC. A MC consists of logical
AND connected down states (D) of the relevant components. A MC can be derived
directly from the functional structure of the system, which is of advantage in case of
complex systems. Another way is the determination of the MC directly from a DBD,
provided that it is given. The same is valid for Fault trees, which are not in the scope
of this book. In most applications, system calculation based on MC is easier than the
calculation with MP. A difficulty is the identification of all MC of real-world applica-
tions, whose number can “explode” (i.e. > 100,000). Thus, not all MC are manage-
able. To overcome this obstacle, the pMC approach is developed in the next step. S-
dependency cannot be considered with the “conventional” MC approach (similar to
series and parallel system structures). Basic references are e.g. [AMCP 1976a, b,
Singh et al. 1977, Endrenyi 1978, AEG 1981, Kochs 1984, Billinton et al. 1992].

Probable minimal cut (pMC) approach

In practice, only a small number of lowest or lower order MC (i.e. about 10 to 100)
significantly influence system dependability. The significant or probable MC (pMC)
can be determined “manually” from the physical and functional system structure.
“Manual” in contrast to automatic determination of MC is of advantage in order to
get a deep insight into the operational and non-operational behavior of systems
(transparency). Furthermore, up until now, no automatic determination procedure
or algorithm for complex system structures (e.g. as analyzed in Chapter 3.8, 5.9,
and 5.10) is known. In any case, the determination of all pMC needs careful consid-
eration and comprehensive system know-how.

Markov process approach

A Markov process approach is a fundamental and powerful dependability tool for
systems including s-dependent components. A Markov space can be seen as a
universe space, where universe states (Definition 3.5) are interconnected
via transition paths. A universe state of a Markov space is referred to as a Markov
state. A Markov process model, hereinafter simply called Markov model, is con-
structed of Markov states and application oriented transition paths between
them, which are characterized by constant transition rates (meaning exponential
pdf of the state durations). Basic references are e.g. [MBB 1977, Singh et al. 1997,
Endrenyi 1978, AEG 1981, Billinton et al. 1992].

A Markov state can be interpreted as a dependability block (DB), where component
states are logical AND-connected, analogous to the construction of a universe
state (Definition 3.5). This interpretation allows the integration of Markov DB into a
DBD (MMC approach, Fig. 5.1), or in other words, Markov DB can be embedded
into DBD.

Probable Markov path (pMp) approach

Even small systems can theoretically span large Markov spaces (universe space),
which are difficult or impossible to model and to calculate (an impression of this dif-
ficulty is given by the applications in Chapter 5.10-11). In order to overcome the dif-
ficulty in modeling and calculation, the idea is to concentrate only on those sub-
Markov spaces which are significant for the system dependability. A sub-Markov
space includes all Markov states along the probable path(s) from the initial Markov
state(s) to the objective Markov state(s). A probable path is generally a direct path
from the initial state to the objective state without reverse transitions or loops. The
Markov states along the probable path can be approximately calculated in a simple
analytical way without the necessity to solve the complete system of differential or
linear equations. The pMp approach drastically reduces the modeling and calcula-
tion effort and in some cases makes an evaluation possible at all [Kochs 1984]. The
basis of this approach has already been laid in the research work of [Endrenyi 1978,
Dib 1978, Nachtkamp 1979].

Markov minimal cut (MMC) approach

Markov models (or pMp models) overcome the disadvantage of MC models (or
pMC models), namely by taking s-dependency into account (according to Definition
5.1). Thus, the idea is to integrate Markov models into minimal cut models to ben-
efit from the advantages of each approach and to avoid their disadvantages. The
basis of this method has already been laid in the research work of [Endrenyi 1978,
Dib 1978, Nachtkamp 1979, Singh 1980a, b].

The consistent use of Boolean algebra, as a common basis for the different ap-
proaches in Chapter 3 and 4, enables their combination, described in Chapter 5.
The combined approach is called Markov minimal cut (MMC) approach (Verfahren
der Markov(schen) Minimalschnitte [AEG 1981, Kochs 1984]). It fulfills all relevant
criteria, stated in Fig. 2.1, to a high degree. More recent R&D of MMC and applica-
tion to industrial systems are published in [Kochs et al. 1999, Kochs 2002, Kochs
2012], to name a few. The Markov minimal cut (MMC) approach has proven to be
most effective for dependability evaluation of large and complex systems.

The described approaches can be incorporated in other methods, e.g. Fault tree
approaches [IEC 61025:2006, Schneeweiss 2009a].

[IEC 61078:2015] describes a similar way and calls the combined method RBD
driven Markov process.

Semi Markov and non-Markov process approaches

These process types are characterized by stochastic processes with at least one
non-constant transition rate (≡ non-exponential pdf of the state duration). Because
of the difficulty in modeling and calculation of semi- or non-Markov processes, e.g.
[Singh et al. 1977, Edwin et al. 1979b, c], they only have a niche role. Chapter 4.3
defines and illustrates the different types of stochastic processes.

Combination approach (Truth table)

The combination approach is based on universe states (Definition 3.5), which form
the universe space, e.g. shown in Table 3.1 and Table 3.2 (9 universe states). Each
universe state is identical to the corresponding Markov state or Markov DB, namely
logical AND connected component states. The only difference is that no transitions
between the universe states of the combination approach (truth table) are taken
into account. Thus, their frequency (for DS or US) cannot be calculated. S-depend-
ency cannot be taken into account. With an increasing number of components, the
number of universe states or Markov states increases rapidly, e.g. to $3^{4 \cdot 112}$ in Eq.
3.171.

Petri networks

Petri networks mainly serve as figurative representation of dynamic procedures, es-
pecially of complex internal interconnections. Petri networks are related to Markov
processes. Petri networks can be calculated with simulation approaches, Fig. 2.1.
The advantage is the comprehensive modeling capability for small and complex sys-
tems and the determination of time dependent events (transient behavior, time
scaling effect usable). Problems with statistical data (slow convergence, long calcu-
lation time, calculation of estimates) are the same as for simulation. Application
areas are e.g. complex operational, non-operational, and maintenance scenarios.
A basic reference is [Schneeweiss 1999].

Monte Carlo simulation approach

Monte Carlo simulation allows a simple calculation of complex systems with the dis-
advantage that it normally needs extensive calculation time due to slow conver-
gence, depending mainly on component indices and on the system structure, e.g.
parallel systems. The higher the component dependability (the smaller the failure
rate), the longer the calculation time. The results are estimated values of the sys-
tem indices with an accuracy depending on the number of simulations. The calcula-
tion results cannot be exactly verified (black box approach).

Conclusion

The following approaches are preferred and discussed in depth in this book: The
probable minimal cut (pMC) approach and the probable Markov path (pMp) ap-
proach, which are combined to the Markov minimal cut (MMC) approach. The MMC
approach is easy but effective. The MMC approach permits the simple derivation of
analytic approximations for the system indices. For industrial applications, the MMC
approach fulfills all described assessment criteria of Fig. 2.1 to a high degree. The
way of calculation is fully transparent, the results traceable, and thus, easy to docu-
ment (white box approach).

2.4 Framework for system dependability modeling and evaluation

For systematic dependability modeling and evaluation, the easily applicable frame-
work in Fig. 2.2 with 8 steps is developed based on state-of-the-art research, rele-
vant standards, and practicability.

The framework can be combined with the failure modes and effects analysis FMEA
[IEC 60812:2006], which is not considered here.

STEP 1. System requirement analysis

Each system dependability evaluation starts with a comprehensive requirement
analysis of the application as a basis for STEP 2-8, taking into consideration the
definitions of Chapter 1.1 and the objective of Chapter 1.2.

STEP 2. Definition of the objective system states

The definition of the system states, namely

up state US (Eq. 1.1) and down state DS (Eq. 1.2)

is related to the ability of the system to perform as required (required function(s))
(Definition 1.23-25). The definition of the system states depends on the system re-
quirements, analyzed in STEP 1. If different functions of the system have to be re-
garded, the definition of several objective system states is necessary, since each of
the objective system states has an appropriate logical system structure (STEP 7).

STEP 3. Definition of preconditions and assumptions

The stated or given conditions and the given time interval (Definition 1.23-25) are
considered in the preconditions and assumptions. Special attention should be paid
to s-dependency and its impact (Chapter 4 and 5), uncertainty assessment (Chap-
ter 6), and influencing factors due to environment, protection, and complexity struc-
ture. The given time interval or period of time is often limited to the steady state
behavior (constant part of the bathtub curve, no infant failure or early failure period,
no wearout failure).

STEP 4. Definition of components and system(s)

For an application several items have to be considered. An item (Definition 1.1)
should be understood as an abstraction entity with fixed boundaries, which has to
be regarded as a component (Definition 1.2) or a system (Definition 1.3), depend-
ing on the viewing position (abstraction), Fig. 1.1. The decision, whether an item is
considered as a component or as a system, depends not only on the physical struc-
ture, but also on the dependability objective, functional performance, statistical char-
acteristics, and so on. Fig. 1.1 shows the viewing process of subdividing and bun-
dling of items.

[Fig. 2.2 (flowchart, rendered as text): STEP

Preliminary steps (definition phase):
  1. System requirement analysis: specification, construction/design, function, and
     failure behavior
  2. Objective system states
  3. Preconditions and assumptions
  4. Components and system(s)
  5. Input data
Modeling and calculation steps:
  6. Component modeling
  7. System modeling (calculation approach(es))
  8. Evaluation, assessment, and documentation
Precision loop (feedback arrow between the steps).]

Fig. 2.2. Framework for system dependability modeling and calculation.

STEP 5. Definition of input data

The indices (Chapter 3.2, input data) of the components are evaluated based on
their statistics. These can be laboratory tests, with often confidential results
(only available for internal and not for public use), operating tests, estimations from
expert knowledge or handbooks, e.g. [WASH 1975, NPRD 1995, 2016, Akhmedja-
nov 2001, TM 5-698-5 2006, NUREG 2007, TM 5-698-1 2007, ICDE 2011, Kochs
et al. 2012]. Several MIL-STD reference documents exist and are available to a
large extent. Furthermore, in the last 20 years, many data sources for special tasks
have become available via the Internet. Companies publish more and more depend-
ability indices on the technical data sheets of their products. In most cases, the input
indices are not exactly calculated, thus, they are uncertain (Chapter 6).

The preliminary STEP 1-5 are absolutely necessary for modeling of components
and systems in the next steps. Once these steps are completed, the following mod-
eling and calculation steps are relatively simple to apply. In industrial applications,
STEP 1-5 can take up to 50 % of the workload. STEP 1-5 are similar to FMEA or
FMECA.

STEP 6. Component modeling

The term component is defined in Definition 1.2 with reference to Definition 1.1, Re-
mark 3. For each dependability approach, appropriate models have to be de-
veloped. In many dependability analyses, a complex functional component and
subsystem structure cannot be modeled exactly with reasonable effort. Therefore,
the task is to simplify dependability models and evaluation methods with regard to
conservative dependability estimations, e.g. [Kochs 2012].

STEP 7. System modeling

The objective of this step is the development of system models for the

system states US, DS (Eq. 1.1-2)

defined in STEP 2, taking into account STEP 3-6. The term system is defined in
Definition 1.3 with reference to Definition 1.1, Remark 3. If the definition of several
pairs of system states is required, then different system models have to be designed
and evaluated.

Several approaches for system dependability modeling and calculation are de-
scribed in the literature. This book concentrates on those efficient ap-
proaches for system dependability evaluation which can be structured according to
Fig. 1.1 and which have been proven in different areas of real-world applications.

STEP 8. Evaluation, assessment, and documentation

The objective of this step is the evaluation of the

system indices Pr, Fr, Ti (Eq. 1.3-5) of the system states US, DS

defined in STEP 2.

Besides the calculation of the objective indices, sensitivity analyses are an essen-
tial part of dependability analyses for identifying weak points and improving unreli-
able items. Attention is to be paid when interpreting the objective indices, see
Chapter 2.5.

Remark to STEP 6-8

The stringently used Boolean logic during the whole development process of the
approaches is the key for their combination on a common model basis, named as
Boolean logic driven dependability block diagram (DBD) based on minimal cuts
(MC) and Boolean logic driven Markov minimal cut (MMC) models.

2.5 Notes on guarantee declaration

Dependability evaluations are based on the theory of probability and stochastic
processes. Therefore, the objective indices, Eq. 1.5, should not be guaranteed in a
deterministic sense, but in the meaning of probability.

The input data, e.g. MUT (Definition 1.10) and MDT (1.15) of the components, are
estimated (arithmetic) mean values, which are uncertain (Chapter 6). Thus, the cal-
culated values of the system indices are also uncertain. The following two types of
uncertainty are considered in the book (see also Fig. 1.6).

AU: In many applications, probability density functions (pdf) of the up times and the
down times are not used (concerning STEP 5), but these are the basis for cal-
culating measures of central tendency and location (aleatory uncertainty, AU,
Chapter 6).

EU: In many applications, no exact data exist due to lack of statistical data or lack
of knowledge, which is the case if new technology is used (concerning STEP
5). This is another kind of uncertainty (epistemic uncertainty, EU, Chapter 6).

As a rule, conservative assumptions, conservative input indices, and conservative
modeling of components and systems should be made, if possible.

For correct interpretation of the objective indices, Eq. 1.5, the documents and con-
tracts should point out the following declaration statements.

1. Definition of the system states US and DS (STEP 2), which are the absolutely
necessary basis for dependability modeling and evaluation.
2. Definition of the preconditions and assumptions, STEP 3.
3. The evaluated values of the objective indices are probability values (not deter-
ministic values) and should be interpreted as such.
4. Reference to uncertainty according to the comments above.
5. The evaluated values of the objective indices are normally steady state values
and refer to the constant part of the bathtube curve, initial failures and wearout
failures are excluded.

6. If (arithmetic) mean values are contractually required, then this should be
mentioned explicitly, otherwise see Chapter 6 for consideration of aleatory
and epistemic uncertainty.

7. A field test (real-life test) in order to verify the values of the evaluated objec-
tive indices cannot be provided by a failure statistic over a short time after
commissioning of the system, if the statistic is not representative, which is
mostly the case (interpretation of Point 3).

Despite all uncertainties, model and approach simplifications, the great advantage
of dependability evaluation is that systems with calculated high dependability re-
sults normally are highly reliable in reality. Furthermore, dependability analyses
based on the approaches in Fig. 2.1 and the framework in Fig. 2.2, allow a deep
understanding of the operational and non-operational behavior. Weak points can be
identified (sensitivity analyses). A recent study of an industrial dependability analy-
sis is given in [Kochs 2012].

3 Network approaches

3.1 Scope
3.2 Input data
3.3 Basic network models
3.3.1 Series system
3.3.2 Parallel system
3.4 Minimal cut (MC) approach
3.4.1 Definitions and preconditions
3.4.2 Examples
3.4.3 Calculation of the objective indices
3.4.4 Calculation of the MC indices
3.5 Minimal path (MP) approach
3.5.1 Definitions and preconditions
3.5.2 Examples
3.5.3 Calculation of the objective indices
3.5.4 Calculation of the MP indices
3.6 Approximation: Probable minimal cut (pMC) approach
3.6.1 Mathematical basics
3.6.2 Example
3.6.3 Reduction of system model complexity by MC segmentation
3.6.4 Example
3.6.5 Conclusive remarks
3.7 Interrelation between combination approach and MC/MP approach
3.7.1 Example: Series structure
3.7.1.1 Combination approach (Truth table)
3.7.1.2 MC approach
3.7.1.3 MC/MP approach
3.7.2 Example: Parallel structure
3.7.2.1 Combination approach (Truth table)
3.7.2.2 MC approach
3.7.2.3 MC/MP approach
3.7.3 Combination approach (Truth table) versus MC/MP approach
3.8 Historical example 1: Communication chain in ancient Persia 500 BC
3.9 Historical example 2: Horse-drawn stagecoach
3.10 Appendix
3.10.1 Derivation of Eq. 1.137
3.10.2 Derivation of VFC2DF, VFC2FD, and VMC2DF

The basis of network approaches [Singh et al. 1977, Billinton et al. 1992] is the 2-
state model of an item (Definition 1.1, Remark 3 (logical view) and Definition 1.2
and 1.3) in Fig. 3.2. A network is defined as a connection of items, either in the up
state mode (Fig. 3.3) or the down state mode.

© Springer International Publishing AG 2018 39
H.-D. Kochs, System Dependability Evaluation
Including S-dependency and Uncertainty,
DOI 10.1007/978-3-319-64991-7_3

3.1 Scope

Objective model, objective states, and objective indices of systems are described in
Chapter 1.2, which serves as the basis for the development and application of the
network approaches.

3.2 Input data

Fig. 3.1 outlines the basic 2-state real-time diagram of components (index C) for
network approaches with individual up times t(UC)i and down times t(DC)i.

[Fig. 3.1 (rendered as text): real-time diagram ZC(t) over t, alternating between the
states UC and DC with the successive up times t(UC)1, t(UC)2, t(UC)3 and down times
t(DC)1, t(DC)2, t(DC)3.]

Fig. 3.1. 2-state real-time diagram for components with up and down times.

With representative statistics of t(UC)i and t(DC)i, the expectation values of the
(arithmetic) mean up time Ti(UC) and the (arithmetic) mean down time Ti(DC) can
be derived with the following well-known basic probability calculus, given e.g. in
standard text books such as [Kreyszig 1979, Birolini 2010, Fahrmeier et al. 2010].

$$\mathrm{Ti}(U_C) := E[t(U_C)] = \lim_{n(U_C) \to \infty} \frac{1}{n(U_C)} \sum_{i=1}^{n(U_C)} t(U_C)_i \qquad (3.1)$$

$$\mathrm{Ti}(D_C) := E[t(D_C)] = \lim_{n(D_C) \to \infty} \frac{1}{n(D_C)} \sum_{i=1}^{n(D_C)} t(D_C)_i \qquad (3.2)$$

with n(UC) and n(DC) numbers of observed random times t(UC)i and t(DC)i. In
reality the conditions n(UC) → ∞ and n(DC) → ∞ are not fulfilled. Thus, Ti(UC)
and Ti(DC) are estimates, which can be derived by applying the theory of statis-
tics, which is not in the scope of this book. Ti(UC) and Ti(DC) of the components
(Definition 1.2) are the basic input indices for the evaluation of the system indices,
Eq. 1.5.

Further statistical parameters, which are necessary for dependability calculations
considering uncertainty, are described in Chapter 6. The complete set of input in-
dices for evaluation of the system indices is

Component states
UC up state, Definition 1.6 (3.3)
DC down state, Definition 1.12 (3.4)

Steady state component indices
Ti(UC) ≡ MUT, mean up time, Definition 1.7 (3.5)
Ti(DC) ≡ MDT, mean down time, Definition 1.13 (3.6)

Remark 1: The term mean operating time to failure MTTF (IEC 192-05-11) is part of
the mean up time MUT (IEC 192-08-09). The term mean time to restoration MTTR
(IEC 192-07-23) is part of the mean down time MDT (IEC 192-08-10). For many ap-
plications, MUT := MTTF (Definition 1.10) and MDT := MTTR, or MCMT, or
MACMT, or MRT (Definition 1.15) are valid, see also Fig. 1.2.

Remark 2: If no preventive maintenance is considered, MTTR is identical to MDT.
In the IEC standard the term mean repair time is defined as MRT (IEC 192-07-21)
≤ MACMT ≤ MCMT ≤ MTTR ≤ MDT, see Fig. 1.2.

With the mean times Ti(UC) and Ti(DC), the (steady state) component model is
developed in Fig. 3.2. All following indices are steady state indices as basis for the
system dependability evaluation.

Pr(UC), Pr(DC) *) probabilities (3.7)
Fr(UC), Fr(DC) mean frequencies
Ti(UC), Ti(DC) mean times (mean durations)

Probabilities

$$\Pr(U_C) = \frac{\mathrm{Ti}(U_C)}{\mathrm{Ti}(U_C) + \mathrm{Ti}(D_C)} \qquad (3.8)$$

$$\Pr(D_C) = \frac{\mathrm{Ti}(D_C)}{\mathrm{Ti}(U_C) + \mathrm{Ti}(D_C)} \qquad (3.9)$$

$$\Pr(U_C) + \Pr(D_C) = 1 \qquad (3.10)$$

*) The set of indices is simply named as Eq. 3.7.

[Fig. 3.2 (rendered as text): state diagram ZC(Ti) with the two states UC
(Pr(UC) =: AvC) and DC (Pr(DC) =: NAvC), the transitions Failure and Restoration
between them, the state durations Ti(UC) and Ti(DC), the labels Definition 1.21,
Definition 1.14 and Definition 1.23-25, and Input: Eq. 3.5, Eq. 3.6.]

Fig. 3.2. Input model for DBD: (Steady) 2-state model of components
with the basic indices Pr and Ti of the states UC and DC.

Frequencies

$$\mathrm{Fr}(D_C) = \mathrm{Fr}(U_C) = \frac{1}{\mathrm{Ti}(U_C) + \mathrm{Ti}(D_C)} \qquad (3.11)$$

Relationship

Pr(UC) = Ti(UC) ⋅ Fr(UC) (3.12)
Pr(DC) = Ti(DC) ⋅ Fr(DC) (3.13)

In addition to these indices, the following indices (Definition 1.24) are also used

AvC := Pr(UC) availability (3.14)
NAvC := Pr(DC) non-availability or unavailability (3.15)

Assuming exponential pdf for up and down times (Fig. 3.1), the failure rate λC and
restoration rate μC are defined as

$$\lambda_C = \frac{1}{\mathrm{Ti}(U_C)} \qquad (3.16)$$

$$\mu_C = \frac{1}{\mathrm{Ti}(D_C)} \qquad (3.17)$$

The steady state input indices, Eq. 3.8-15, are independent of the shape of the probability functions (pdf *)) of the up and down times in Fig. 3.1, see Appendix 4.6.1. The indices of Eq. 3.7 are the basic input indices of network models for system dependability calculation.

3.3 Basic network models

The dependability of system structures can be modeled by means of dependability block diagrams (DBD), represented in Fig. 3.3 (similar to reliability block diagrams (RBD), e.g. in [IEC 61078:2015]). A DBD is defined as a logical structure, not a functional or physical structure. A dependability block (DB) in a DBD represents a Boolean variable or expression, not a functional or physical item. According to the binary basis of the Boolean logic, the following two forms of representation exist.

DBD in the up state mode: Each dependability block DB_i, i = 1, 2, ... n, denotes an up state U_i of the component i, as shown in Fig. 3.3.
Remark: In Chapter 3.6.3 and Chapter 5 the DB are extended to $\overline{MC}$ (≡ up states).

DBD in the down state mode: Each dependability block DB_i, i = 1, 2, ... n, denotes a down state D_i of the component i.

Each network model can be converted from the up state mode into the down state mode using Boolean algebra: $D_S = \overline{U_S}$ and vice versa $U_S = \overline{D_S}$.

On the one hand, each DB can be split up into sub DBD in a top-down view according to Fig. 1.1 until the bottom level is reached. On the other hand, sub DBD can be aggregated (in a structured form) to DB in a bottom-up view, depending on the application, sufficient statistical material, expert knowledge, etc.

*) Remark: No distinction is made between singular and plural notation of abbreviations (see List of symbols and abbreviations, Point 1).

[Fig. 3.3 (figure): Series structure: U_S as a chain of the DB U_1, U_2, U_3, ..., U_n. Parallel structure: U_1, U_2, ..., U_n side by side between the terminals of U_S. Bridge structure (intermeshed structure): U_1 and U_3 in the upper branch, U_2 and U_4 in the lower branch, U_5 bridging the two branches. r-out-of-n (r-oo-n) structure: U_1, U_2, ..., U_n in parallel feeding an r-oo-n block. Mixed structure (series-parallel): combination of series and parallel arrangements of U_1, U_2, U_3, ..., U_n.]

Fig. 3.3. Basic network models (DBD) of systems (up state mode).

Often, systems can be modeled as a combination of the basic network models of Fig. 3.3. In the following network models, restorable components are assumed. The focus is on steady state behavior.

3.3.1 Series system

System states

US = U1 ∧ U2 ∧ … ∧ Un (3.18)
DS = US (3.19)

System indices

Probabilities

Pr(U S) = Pr(U 1 ∧ U 2 ∧ … ∧ U n) (3.20)

The equation with s-independent components can be calculated by using the sim-
ple multiplication.

Pr(U S) = Pr(U 1) ⋅ Pr(U 2) ⋅ … ⋅ Pr(U n) (3.21)


Pr(D S) = 1 – Pr(U S) (3.22)

Reciprocal mean time of the system up state [Kochs 1984]

1 1 1 1
---------------- = ---------------- + ---------------- + … + ---------------- (3.23)
Ti(US) Ti(U 1) Ti(U 2) Ti(U n)

Frequencies

Pr(U S)
Fr(U S) = ----------------- (3.24)
Ti(U S)
Fr(D S) = Fr(U S) (3.25)

Mean time of the system down state

Pr(D S)
Ti(DS) = ----------------- (3.26)
Fr(D S)
Chapter 3 46

3.3.2 Parallel system

System states

$$D_S = D_1 \wedge D_2 \wedge \ldots \wedge D_n \qquad (3.27)$$
$$U_S = \overline{D_S} \qquad (3.28)$$

System indices

Probabilities

$$\Pr(D_S) = \Pr(D_1 \wedge D_2 \wedge \ldots \wedge D_n) \qquad (3.29)$$

For s-independent components this reduces to the simple product.

$$\Pr(D_S) = \Pr(D_1) \cdot \Pr(D_2) \cdot \ldots \cdot \Pr(D_n) \qquad (3.30)$$
$$\Pr(U_S) = 1 - \Pr(D_S) \qquad (3.31)$$

Reciprocal mean time of the system down state [Kochs 1984]

$$\frac{1}{Ti(D_S)} = \frac{1}{Ti(D_1)} + \frac{1}{Ti(D_2)} + \ldots + \frac{1}{Ti(D_n)} \qquad (3.32)$$

Frequencies

$$Fr(D_S) = \frac{\Pr(D_S)}{Ti(D_S)} \qquad (3.33)$$
$$Fr(U_S) = Fr(D_S) \qquad (3.34)$$

Mean time of the system up state

$$Ti(U_S) = \frac{\Pr(U_S)}{Fr(U_S)} \qquad (3.35)$$
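The closed forms of Eq. 3.21-3.26 and Eq. 3.30-3.35 carried through in code. This is an added example, not code from the book; the component values (MUT = 1000 h, MDT = 10 h) are constructed and stand for any restorable, s-independent pair, e.g. two redundant servers or two power feeds.

```python
"""Steady-state indices of series and parallel systems of s-independent,
restorable two-state components: component model Eq. 3.8-3.13, series
system Eq. 3.21-3.26, parallel system Eq. 3.30-3.35.  Added example,
not code from the book; all numeric inputs are constructed."""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Component:
    """Two-state component given by its mean up time Ti(U_C) and mean
    down time Ti(D_C), both in the same time unit (here: hours)."""
    mut: float  # Ti(U_C)
    mdt: float  # Ti(D_C)

    @property
    def pr_up(self) -> float:    # Eq. 3.8, Av_C
        return self.mut / (self.mut + self.mdt)

    @property
    def pr_down(self) -> float:  # Eq. 3.9, NAv_C
        return self.mdt / (self.mut + self.mdt)

    @property
    def fr(self) -> float:       # Eq. 3.11, Fr(U_C) = Fr(D_C)
        return 1.0 / (self.mut + self.mdt)


@dataclass(frozen=True)
class SystemIndices:
    pr_up: float    # Pr(U_S), availability
    pr_down: float  # Pr(D_S), unavailability
    fr: float       # Fr(U_S) = Fr(D_S), system failures per time unit
    ti_up: float    # Ti(U_S), mean system up time
    ti_down: float  # Ti(D_S), mean system down time


def series_system(components: Sequence[Component]) -> SystemIndices:
    """Eq. 3.21-3.26: every component must be up; any single failure
    takes the system down."""
    pr_up = 1.0
    for c in components:                                   # Eq. 3.21
        pr_up *= c.pr_up
    pr_down = 1.0 - pr_up                                  # Eq. 3.22
    ti_up = 1.0 / sum(1.0 / c.mut for c in components)     # Eq. 3.23
    fr = pr_up / ti_up                                     # Eq. 3.24, 3.25
    return SystemIndices(pr_up, pr_down, fr, ti_up, pr_down / fr)  # Eq. 3.26


def parallel_system(components: Sequence[Component]) -> SystemIndices:
    """Eq. 3.30-3.35: the system is down only while every component is
    down; the down state ends with the first restoration."""
    pr_down = 1.0
    for c in components:                                   # Eq. 3.30
        pr_down *= c.pr_down
    pr_up = 1.0 - pr_down                                  # Eq. 3.31
    ti_down = 1.0 / sum(1.0 / c.mdt for c in components)   # Eq. 3.32
    fr = pr_down / ti_down                                 # Eq. 3.33, 3.34
    return SystemIndices(pr_up, pr_down, fr, pr_up / fr, ti_down)  # Eq. 3.35


if __name__ == "__main__":
    # Constructed pair: MUT = 1000 h, MDT = 10 h for each component.
    pair = [Component(1000.0, 10.0), Component(1000.0, 10.0)]
    for name, idx in (("series", series_system(pair)),
                      ("parallel", parallel_system(pair))):
        print(f"{name:8s} Pr(D_S)={idx.pr_down:.3e}  Fr={idx.fr:.3e}/h  "
              f"Ti(U_S)={idx.ti_up:.1f} h  Ti(D_S)={idx.ti_down:.2f} h")
```

For the constructed pair the series arrangement has Ti(U_S) = 500 h and Ti(D_S) = 10.05 h, slightly above the component MDT because the system down period is extended whenever the second component fails while the first is still down, whereas the parallel arrangement is down only while both components are down, Ti(D_S) = 5 h per Eq. 3.32, with Pr(D_S) two orders of magnitude lower.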

Complex structures can be transformed into simple structures using the minimal cut
approach, which is briefly described in the following Chapter 3.4.

3.4 Minimal cut (MC) approach

Several methods for dependability calculation of networks are well-known, see Fig. 2.1. A universal and powerful tool is the MC approach (pMC approach for large system structures, see Chapter 3.6), on which the following chapters concentrate. The MC approach is also known as the MC set approach. The following selection of basic literature is recommended [Singh et al. 1977, MBB 1977, Endrenyi 1978, Schneeweiss 1980, Dhillon et al. 1981, Billinton et al. 1992, Birolini 2010], from which methodology and procedures have been adopted and further developed. A major advantage of the MC approach is the possibility to integrate Markov models (Chapter 4, 5).

3.4.1 Definitions and preconditions

Definition 3.1 (cut, minimal cut, MC). A cut is a set of component down states D_C that will result in the system down state D_S. A minimal cut (MC) is a cut where the set remaining after any one component transition D_C → U_C is no longer a cut (adapted from [Endrenyi 1978]).
Remark 1: In each cut and each MC, the component down states D_C are logically AND-connected.

Definition 3.2 (order of a MC). Number of component down states of a MC.

Example

$$MC = \begin{cases} D_i & \text{1st order} \\ D_i \wedge D_j & \text{2nd order} \\ D_i \wedge D_j \wedge D_k & \text{3rd order} \\ \ldots \end{cases} \qquad (3.36)$$

Preconditions for the application of the MC approach

1. The system is modeled by the system up state U_S and the system down state D_S according to Fig. 1.7.
2. Each component of the system is modeled by two states, the component up state U_C and the component down state D_C, according to Fig. 3.2. Approximations can be developed for components with more than two states, Chapter 3.7 and Chapter 5.
3. The following monotony conditions (monotonicity) have to be fulfilled.
   a. If all components are in U_C, then the system is in U_S.
   b. If all components are in D_C, then the system is in D_S.
   c. If the system is in D_S and additionally an intact component fails, U_C → D_C, then the system shall not move from D_S to U_S. This condition means: U_C → D_C shall not increase the system dependability.
   d. If the system is in U_S and additionally a failed component is put back into operation, D_C → U_C, then the system shall not fail, i.e. move from U_S to D_S. This condition means: D_C → U_C shall not decrease the system dependability.
4. S-independency of components is not a mandatory precondition for the application of the MC approach (Eq. 3.43-49), but s-dependency leads to the fact that the MC can be s-dependent on each other, see the solution in Chapter 5.

In most technical systems, the monotony conditions are fulfilled; exceptions are described in [Kochs 1984] and in Chapter 3.7, 3.8. Nevertheless, violations of the monotony conditions can sometimes be neglected, depending on the application.

3.4.2 Examples

The following examples refer to the network models in Fig. 3.3.

Series system

$$MC_1 = D_1 \quad \text{MC of 1st order} \qquad (3.37)$$
$$MC_2 = D_2$$
$$\ldots$$
$$MC_n = D_n$$

Parallel system

$$MC = D_1 \wedge D_2 \wedge \ldots \wedge D_n \quad \text{MC of nth order} \qquad (3.38)$$

Bridge system (intermeshed structure)

$$MC_1 = D_1 \wedge D_2 \quad \text{MC of 2nd order} \qquad (3.39)$$
$$MC_2 = D_3 \wedge D_4$$
$$MC_3 = D_1 \wedge D_4 \wedge D_5 \quad \text{MC of 3rd order}$$
$$MC_4 = D_2 \wedge D_3 \wedge D_5$$

r-oo-n system (for the system up state at least r components have to be in the up state), example: n = 3

1-oo-3 (parallel system)

$$MC = D_1 \wedge D_2 \wedge D_3 \quad \text{MC of 3rd order} \qquad (3.40)$$

2-oo-3 (three 2-component parallel subsystems in series)

$$MC_1 = D_1 \wedge D_2 \quad \text{MC of 2nd order} \qquad (3.41)$$
$$MC_2 = D_1 \wedge D_3$$
$$MC_3 = D_2 \wedge D_3$$

3-oo-3 (series system)

$$MC_1 = D_1 \quad \text{MC of 1st order} \qquad (3.42)$$
$$MC_2 = D_2$$
$$MC_3 = D_3$$

D_S occurs when at least one MC occurs. The system down state is the logical OR-connection of all MC belonging to the system S (short form notation: ∀i ∈ S := ∀MC_i ∈ D_S).

$$D_S = \bigvee_{\forall i \in S} MC_i\,, \qquad U_S = \bigwedge_{\forall i \in S} \overline{MC_i} \qquad (3.43)$$

These are fundamental expressions because the dependability structures of technical systems can be represented either by the OR-connection of the MC or by the AND-connection of the $\overline{MC}$, modeled by DBD (in the down state or the up state mode), see the examples in Chapter 4, 5. These equations are valid for s-independent as well as for s-dependent component states.

3.4.3 Calculation of the objective indices

Applying the probability theory, the objective indices of Eq. 1.5 can be calculated according to [Singh et al. 1977, Endrenyi 1978, Kochs 1984] based on D_S of Eq. 3.43.

$$\Pr(D_S) = \sum_{\forall i \in S} \Pr(MC_i) - \sum_{\forall (i<j) \in S} \Pr(MC_i \wedge MC_j) + \sum_{\forall (i<j<k) \in S} \Pr(MC_i \wedge MC_j \wedge MC_k) - \ldots + \ldots \qquad (3.44)$$

$$Fr(D_S) = \sum_{\forall i \in S} Fr(MC_i) - \sum_{\forall (i<j) \in S} Fr(MC_i \wedge MC_j) + \sum_{\forall (i<j<k) \in S} Fr(MC_i \wedge MC_j \wedge MC_k) - \ldots + \ldots \qquad (3.45)$$

Eq. 3.44-45 (and also the following Eq. 3.46-49) are generally valid for s-independent and s-dependent components. S-dependency can occur inside MC and between MC (Chapter 5).

One severe problem of these equations is that the number of terms rapidly increases with the number of MC. Upper and lower boundaries can be calculated using the laws of probability theory [Singh et al. 1977, Endrenyi 1978, Kochs 1984].

Upper boundaries

$$\Pr(D_S) \le \sum_{\forall i \in S} \Pr(MC_i) \qquad (3.46)$$
$$Fr(D_S) \le \sum_{\forall i \in S} Fr(MC_i) \qquad (3.47)$$

The upper boundaries are also known as the first Bonferroni inequality [Schneeweiss 2009a].

Lower boundaries

$$\Pr(D_S) \ge \sum_{\forall i \in S} \Pr(MC_i) - \sum_{\forall (i<j) \in S} \Pr(MC_i \wedge MC_j) \qquad (3.48)$$
$$Fr(D_S) \ge \sum_{\forall i \in S} Fr(MC_i) - \sum_{\forall (i<j) \in S} Fr(MC_i \wedge MC_j) \qquad (3.49)$$

The lower boundaries are also known as the second Bonferroni inequality [Schneeweiss 2009a].

In technical systems (with realistic assumptions), the results of the upper and lower boundaries are close together. Thus, the combination terms MC_i ∧ MC_j can be neglected. This is also mostly valid for s-dependent components (Chapter 5). Eq. 3.46-47 are appropriate estimations for most applications. The examples in Chapter 3.9 compare results of exact and approximate calculations of the MC approach to demonstrate the minimal difference.

Exception

In the rare situation that the estimation n · MDT/MUT « 1 (number of components multiplied with the approximate component unavailability) is not fulfilled, it may be necessary to consider the MC conjunctions MC_i ∧ MC_j ∧ … of Eq. 3.44-45.

Completion of the objective indices

The other objective indices of Eq. 1.5 can be easily calculated using Pr(D_S) and Fr(D_S).

$$\Pr(U_S) = 1 - \Pr(D_S) \qquad (3.50)$$
$$Fr(U_S) = Fr(D_S) \qquad (3.51)$$
$$Ti(U_S) = \frac{\Pr(U_S)}{Fr(U_S)} \quad \text{mean system up time (MSUT)} \qquad (3.52)$$
$$Ti(D_S) = \frac{\Pr(D_S)}{Fr(D_S)} \quad \text{mean system down time (MSDT)} \qquad (3.53)$$

3.4.4 Calculation of the MC indices

The next step is the calculation of the probability Pr and the frequency Fr of the MC_i regarding Eq. 3.44-49.

$$MC_i = \bigwedge_{\forall k \in i} D_k \qquad (3.54)$$

In case of s-independent components the indices are

$$\Pr(MC_i) = \prod_{\forall k \in i} \Pr(D_k) \qquad (3.55)$$
$$Fr(MC_i) = \sum_{\forall m \in i} Fr(D_m) \prod_{\forall k \in i,\; k \neq m} \Pr(D_k) \qquad (3.56)$$

Eq. 3.56 can be easily calculated with the following equations [Kochs 1984].

$$\frac{1}{Ti(MC_i)} = \sum_{\forall k \in i} \frac{1}{Ti(D_k)} \qquad (3.57)$$
$$Fr(MC_i) = \frac{\Pr(MC_i)}{Ti(MC_i)} \qquad (3.58)$$

Summary

$$\Pr(MC_i) = \prod_{\forall k \in i} \Pr(D_k) \qquad (3.59)$$
$$\frac{1}{Ti(MC_i)} = \sum_{\forall k \in i} \frac{1}{Ti(D_k)} \qquad (3.60)$$
$$Fr(MC_i) = \frac{\Pr(MC_i)}{Ti(MC_i)} \qquad (3.61)$$

Whereas dependability calculation with s-independent components is quite easy, the consideration of s-dependent components is more sophisticated (Chapter 5).

Conclusion
An unbeatable advantage of the MC approach is that the MC can be determined either from DBD (or similar structures, e.g. fault trees), or directly from the physical structure of the system under consideration of its functional behavior. The MC reveal the influence (sensitivity) of components on system dependability; thus, the MC reveal weak points.

A further advantage of the MC approach lies in its applicability to large and complex systems (according to Definition 1.4). This is enabled by (1) using Eq. 3.46-47 and Eq. 3.59-61, (2) reduction of the vast number of MC of real systems to a manageable low number by considering only probable MC (pMC, Eq. 3.87-88), and (3) modeling of MC with Markov models (MMC, Chapter 5).

3.5 Minimal path (MP) approach

The MP approach is the complementary approach to the MC approach. In most cases, the MP approach has no advantage compared to the MC approach (see description under Eq. 3.70). Only in special cases (few MP) can the MP approach be used favorably.

3.5.1 Definitions and preconditions

Definition 3.3 (path, minimal path, MP). A path is a set of component up states U_C that will result in the system up state U_S. A minimal path (MP) is a path where the set remaining after any one component transition U_C → D_C is no longer a path (adapted from [Endrenyi 1978]).
Remark 1: In each path and each MP, the component up states U_C are logically AND-connected.
Remark 2: Instead of path, the term tie is also common.

The preconditions for the MP approach are similar to the ones for the MC ap-
proach, listed in Chapter 3.4.1.

3.5.2 Examples

The following examples refer to the network models in Fig. 3.3.

Series system

$$MP = U_1 \wedge U_2 \wedge \ldots \wedge U_n \qquad (3.62)$$

Parallel system

$$MP_1 = U_1 \qquad (3.63)$$
$$MP_2 = U_2$$
$$\ldots$$
$$MP_n = U_n$$

Bridge system (meshed structure)

$$MP_1 = U_1 \wedge U_3 \qquad (3.64)$$
$$MP_2 = U_2 \wedge U_4$$
$$MP_3 = U_1 \wedge U_4 \wedge U_5$$
$$MP_4 = U_2 \wedge U_3 \wedge U_5$$

r-oo-n system, example: n = 3

1-oo-3 (parallel system)

$$MP_1 = U_1 \qquad (3.65)$$
$$MP_2 = U_2$$
$$MP_3 = U_3$$

2-oo-3 (three 2-component series subsystems in parallel)

$$MP_1 = U_1 \wedge U_2 \qquad (3.66)$$
$$MP_2 = U_1 \wedge U_3$$
$$MP_3 = U_2 \wedge U_3$$

3-oo-3 (series system)

$$MP = U_1 \wedge U_2 \wedge U_3 \qquad (3.67)$$

At least one MP is necessary for U_S. Therefore, the system up state is the logical OR-connection of all MP belonging to the system S (notation: ∀i ∈ S := ∀MP_i ∈ U_S).

$$U_S = \bigvee_{\forall i \in S} MP_i\,, \qquad D_S = \bigwedge_{\forall i \in S} \overline{MP_i} \qquad (3.68)$$

3.5.3 Calculation of the objective indices

Similar to Eq. 3.44-45, the following objective indices are developed.

$$\Pr(U_S) = \sum_{\forall i \in S} \Pr(MP_i) - \sum_{\forall (i<j) \in S} \Pr(MP_i \wedge MP_j) + \sum_{\forall (i<j<k) \in S} \Pr(MP_i \wedge MP_j \wedge MP_k) - \ldots + \ldots \qquad (3.69)$$

$$Fr(U_S) = \sum_{\forall i \in S} Fr(MP_i) - \sum_{\forall (i<j) \in S} Fr(MP_i \wedge MP_j) + \sum_{\forall (i<j<k) \in S} Fr(MP_i \wedge MP_j \wedge MP_k) - \ldots + \ldots \qquad (3.70)$$

Eq. 3.69-70 are generally valid for s-independent and s-dependent components. One severe problem is (1) that the number of terms increases rapidly with increasing number of MP and (2) that the alternating +/- terms are in the order of 1 (in contrast to Eq. 3.44-45), which makes a numerical calculation difficult. In the worst case, all MP combinations such as MP_i ∧ MP_j ∧ MP_k ∧ … have to be considered. No abort criteria or boundary equations (similar to probable MC) exist in order to minimize the number of MP combinations.

Completion of the objective indices

The other objective indices of Eq. 1.5 can be easily calculated using the indices Pr(U_S) and Fr(U_S) above.

$$\Pr(D_S) = 1 - \Pr(U_S) \qquad (3.71)$$
$$Fr(D_S) = Fr(U_S) \qquad (3.72)$$
$$Ti(U_S) = \frac{\Pr(U_S)}{Fr(U_S)} \quad \text{mean system up time (MSUT)} \qquad (3.73)$$
$$Ti(D_S) = \frac{\Pr(D_S)}{Fr(D_S)} \quad \text{mean system down time (MSDT)} \qquad (3.74)$$

3.5.4 Calculation of the MP indices

The next step contains the calculation of the probability Pr and the frequency Fr of the MP_i of Eq. 3.69-70.

$$MP_i = \bigwedge_{\forall k \in i} U_k \qquad (3.75)$$

Probability and frequency of MP in case of s-independent components

$$\Pr(MP_i) = \prod_{\forall k \in i} \Pr(U_k) \qquad (3.76)$$
$$Fr(MP_i) = \sum_{\forall m \in i} Fr(U_m) \prod_{\forall k \in i,\; k \neq m} \Pr(U_k) \qquad (3.77)$$

Eq. 3.77 can be easily calculated with the following equations [Kochs 1984].

$$\frac{1}{Ti(MP_i)} = \sum_{\forall k \in i} \frac{1}{Ti(U_k)} \qquad (3.78)$$
$$Fr(MP_i) = \frac{\Pr(MP_i)}{Ti(MP_i)} \qquad (3.79)$$

Summary

$$\Pr(MP_i) = \prod_{\forall k \in i} \Pr(U_k) \qquad (3.80)$$
$$\frac{1}{Ti(MP_i)} = \sum_{\forall k \in i} \frac{1}{Ti(U_k)} \qquad (3.81)$$
$$Fr(MP_i) = \frac{\Pr(MP_i)}{Ti(MP_i)} \qquad (3.82)$$

Conclusion

The advantage of the MP approach lies in the calculation of series structures such as in Fig. 3.3. Because the alternating +/- terms of Eq. 3.69-70 are in the order of 1 (in contrast to the MC approach), the calculation of networks other than pure series connections can be extremely burdensome.

For a series structure with one MP, as shown in Fig. 3.3, the formulas are simple to apply to s-independent components (similar to Eq. 3.21, 3.23-24).

$$\Pr(U_S) = \Pr(MP) = \prod_{i=1}^{n} \Pr(U_i)\,, \quad i, n \in S \qquad (3.83)$$
$$\frac{1}{Ti(U_S)} = \sum_{i=1}^{n} \frac{1}{Ti(U_i)} \qquad (3.84)$$
$$Fr(U_S) = \frac{\Pr(U_S)}{Ti(U_S)} \qquad (3.85)$$

3.6 Approximation: Probable minimal cut (pMC) approach

3.6.1 Mathematical basics

Eq. 3.44-49 calculate exact values or boundaries if all MC are included in the calculation process. Thus, the calculation effort for large-scale systems can rapidly increase. Already more than 10,000 MC (in medium sized systems) up to more than 1,000,000 MC (in large-scale systems) of several orders can occur, so that even the determination of the upper boundaries can be very tedious. The issue arises whether all MC have to be considered.

Definition 3.4 (probable MC, pMC). Assuming set pMC = { ∀MC i with
severe impact on D S } is a subset of the total set MC = { ∀MC j ∈ D S } :
set pMC ⊆ set MC . Then, pMC i ∈ set pMC is defined as probable MC (pMC).

There is no automatism or algorithm for a direct identification or selection of pMC of real-world systems. pMC are identified by "viewing" of experts (≡ "manually"). It is possible to evaluate the MC from a fault tree by using algorithms. Nevertheless, the construction of a fault tree will be as difficult as the identification of the MC.

Eq. 3.43 is simplified to (≈ instead of =)

$$D_S \approx \bigvee_{\forall i \in S} pMC_i\,, \qquad U_S \approx \bigwedge_{\forall i \in S} \overline{pMC_i} \qquad (3.86)$$

The equations are valid for s-independent as well as s-dependent components, see
Chapter 5.

Criteria for selection of pMC

Analyzing technical systems, MC of 1st, 2nd, or 3rd order dominate D_S in the following, roughly drafted way.

1. MC of 1st order (D_i) are typical for economically working systems without high dependability constraints. A single component down state will cause D_S. - Examples: Engine, computer, electrical circuit, etc. (arrangement of the components similar to a chain as in series systems).
2. MC of 2nd order (D_i ∧ D_j) are typical for highly dependable structures (fail-dependable structures), e.g. 1-oo-2 structure (only the failure of two parallel components causes D_S) or in general (n-1)-oo-n systems. - Examples: Brake and steering mechanism in automotive, highly dependable computer system, high voltage transmission system, 4-oo-5 structure (e.g. four automobile tires and one spare tire), example in [Kochs 2002].
3. MC of 3rd order (D_i ∧ D_j ∧ D_k) are typical for safety related structures (fail-safe structures) or in general (n-2)-oo-n systems. - Example: 2-oo-3 computer systems with voter function.
4. MC (D_i ∧ D_j ∧ D_k ∧ …) of higher than 3rd order are typical for extremely high safety related structures. - Examples: Emergency core cooling system in a nuclear power plant, computer control system in an aircraft, mechatronic system.

Generally, MC of higher order are negligible compared to the MC of lower order (valid for MUT » MDT, s-independent components), i.e. MC of 1st order influence D_S more than MC of 2nd or higher order and so on. The estimations of Eq. 3.46-47 are replaced by the following approximations, which drastically decrease the computation effort.

$$\Pr(D_S) \approx \sum_{\forall i \in S} \Pr(pMC_i) \qquad (3.87)$$
$$Fr(D_S) \approx \sum_{\forall i \in S} Fr(pMC_i) \qquad (3.88)$$

These equations are valid both for s-independent and for s-dependent components, due to the assumptions described in Chapter 5. S-dependency between the MC is in most cases negligible. S-dependency inside the MC becomes noticeable only in the calculation of Pr(pMC_i) and Fr(pMC_i) (Chapter 5).

Exceptions

MC of higher order may be noticeable in the following exceptions.

1. Components with considerably differing values of the indices (i.e. MUT, MDT), e.g. of mechatronic systems.
2. In the case of a great number of higher order MC of large structures, e.g. n > 100 in low voltage distribution systems with many branches, sensor systems, and telecontrol systems.
3. Components with (strong) s-dependencies, e.g. common cause failures (CCF), whereby c_{i,k} « 1 is not fulfilled (can be an indication of a poor system design), e.g. see [ICDE 2011].
4. In the case of a series structure, if n · MDT/MUT « 1 is not fulfilled. In this case the MP approach may be the preferred approach.

Remark

The system indices, Eq. 1.5, are based on assumed exact mean values of the component indices of Eq. 3.7. In reality, two types of uncertainty influence dependability: (1) aleatory uncertainty and (2) epistemic uncertainty, which are analyzed in Chapter 6.

3.6.2 Example

[Fig. 3.4 (figure): bridge DBD in up state mode: U_1 and U_3 in the upper branch, U_2 and U_4 in the lower branch, U_5 bridging the two branches; the four MC are marked as MC_1 (D_1 ∧ D_2), MC_2 (D_3 ∧ D_4), MC_3 (D_1 ∧ D_4 ∧ D_5) and MC_4 (D_2 ∧ D_3 ∧ D_5).]

Fig. 3.4. DBD with identification of the MC (up state mode).

Minimal cuts

$$MC_1 = D_1 \wedge D_2 \quad \text{MC of 2nd order} \qquad (3.89)$$
$$MC_2 = D_3 \wedge D_4$$
$$MC_3 = D_1 \wedge D_4 \wedge D_5 \quad \text{MC of 3rd order}$$
$$MC_4 = D_2 \wedge D_3 \wedge D_5$$

System states

$$D_S = MC_1 \vee MC_2 \vee MC_3 \vee MC_4 \qquad (3.90)$$
$$U_S = \overline{D_S} \qquad (3.91)$$

System indices, Eq. 3.46-47

$$\Pr(D_S) \le \sum_{i=1}^{4} \Pr(MC_i) \quad \text{unavailability} \qquad (3.92)$$
$$Fr(D_S) \le \sum_{i=1}^{4} Fr(MC_i) \qquad (3.93)$$

MC indices, Eq. 3.59-61, assumed s-independent components

$$\Pr(MC_1) = \Pr(D_1) \cdot \Pr(D_2) \qquad (3.94)$$
$$\frac{1}{Ti(MC_1)} = \frac{1}{Ti(D_1)} + \frac{1}{Ti(D_2)} \qquad (3.95)$$
$$Fr(MC_1) = \frac{\Pr(MC_1)}{Ti(MC_1)} \qquad (3.96)$$
$$\ldots$$

Completion of the system indices

$$\Pr(U_S) = 1 - \Pr(D_S) \quad \text{availability} \qquad (3.97)$$
$$Fr(U_S) = Fr(D_S) \qquad (3.98)$$
$$Ti(U_S) = \frac{\Pr(U_S)}{Fr(U_S)} \quad \text{MSUT} \qquad (3.99)$$
$$Ti(D_S) = \frac{\Pr(D_S)}{Fr(D_S)} \quad \text{MSDT} \qquad (3.100)$$

Approximation of the bridge system in Fig. 3.4 by a series-parallel system

The pMC are the MC of lowest order (2nd order), according to Eq. 3.89.

$$MC_1 = D_1 \wedge D_2 \qquad (3.101)$$
$$MC_2 = D_3 \wedge D_4$$

The corresponding network model (DBD) is given in Fig. 3.5, which is an approximate model of Fig. 3.4.

[Fig. 3.5 (figure): U_S as series connection of two parallel pairs, (U_1 ‖ U_2) marked MC_1 and (U_3 ‖ U_4) marked MC_2; the bridging block U_5 of Fig. 3.4 is dropped.]

Fig. 3.5. Approximate DBD of the bridge system, Fig. 3.4 (up state mode).

System states

$$D_S \approx MC_1 \vee MC_2 \qquad (3.102)$$
$$U_S = \overline{D_S} \approx \overline{MC_1 \vee MC_2} = \overline{MC_1} \wedge \overline{MC_2} \qquad (3.103)$$

Fig. 3.6 shows the network model (DBD) of Fig. 3.5 in terms of MC.

[Fig. 3.6 (figure): U_S as series connection of the two blocks $\overline{MC_1}$ and $\overline{MC_2}$.]

Fig. 3.6. Corresponding DBD of Fig. 3.5 (up state mode).

System indices according to Eq. 3.87-88

$$\Pr(D_S) \approx \Pr(MC_1) + \Pr(MC_2) \qquad (3.104)$$
$$Fr(D_S) \approx Fr(MC_1) + Fr(MC_2) \qquad (3.105)$$
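The calculation chain of Chapter 3.4.3, 3.4.4 and 3.6.2 carried out for the bridge system of Fig. 3.4, as an added example (not code from the book): Pr, Ti and Fr of each MC by Eq. 3.59-61, the Bonferroni bounds of Eq. 3.46-49, the exact inclusion-exclusion sums of Eq. 3.44-45, the pMC approximation of Eq. 3.104-105 and the completion of Eq. 3.50-53. The component data (MUT, MDT) are constructed. As a check that the MC list of Eq. 3.89 is complete and that the frequency formulas hold, the block also evaluates Pr(D_S) and Fr(D_S) by enumerating all 2^5 component states against the structure function written from the minimal paths of Eq. 3.64; for s-independent two-state components both results must coincide.

```python
"""Minimal cut (MC) evaluation of the bridge system of Fig. 3.4 for
s-independent, restorable two-state components: MC indices (Eq. 3.59-3.61),
exact inclusion-exclusion (Eq. 3.44-3.45), Bonferroni bounds (Eq. 3.46-3.49),
pMC approximation (Eq. 3.87-3.88, 3.104-3.105), completion (Eq. 3.50-3.53),
cross-checked against an enumeration of all 2^n states.
Added example, not code from the book; component data are constructed."""
from itertools import combinations, product
from typing import Callable, Dict, FrozenSet, Sequence, Tuple

Cut = FrozenSet[int]
# Constructed component data (hours): id -> (Ti(U_C), Ti(D_C)).
COMPONENTS: Dict[int, Tuple[float, float]] = {
    1: (2000.0, 20.0), 2: (2000.0, 20.0),
    3: (5000.0, 50.0), 4: (5000.0, 50.0),
    5: (8760.0, 8.0),
}
# Minimal cuts of the bridge system, Eq. 3.89 (2nd order cuts first).
BRIDGE_MC: Sequence[Cut] = [frozenset({1, 2}), frozenset({3, 4}),
                            frozenset({1, 4, 5}), frozenset({2, 3, 5})]


def bridge_up(u: Dict[int, bool]) -> bool:
    """Structure function of the bridge as the OR of its minimal paths
    (Eq. 3.64); used only for the independent cross-check."""
    return ((u[1] and u[3]) or (u[2] and u[4])
            or (u[1] and u[4] and u[5]) or (u[2] and u[3] and u[5]))


def pr_down(k: int, comps=COMPONENTS) -> float:
    mut, mdt = comps[k]
    return mdt / (mut + mdt)                               # Eq. 3.9


def cut_indices(cut: Cut, comps=COMPONENTS) -> Tuple[float, float, float]:
    """(Pr, Ti, Fr) of the event 'all components of cut are down', Eq. 3.59-3.61.
    A conjunction MC_i ∧ MC_j is the same kind of event for the union of the
    component sets, so this also yields the higher-order terms of Eq. 3.44-3.49."""
    pr = 1.0
    for k in cut:
        pr *= pr_down(k, comps)
    ti = 1.0 / sum(1.0 / comps[k][1] for k in cut)         # Eq. 3.60
    return pr, ti, pr / ti                                 # Eq. 3.61


def inclusion_exclusion(mcs: Sequence[Cut], comps=COMPONENTS) -> Tuple[float, float]:
    """Exact Pr(D_S) and Fr(D_S), Eq. 3.44-3.45 (2^m - 1 terms for m cuts)."""
    pr_s = fr_s = 0.0
    for r in range(1, len(mcs) + 1):
        sign = 1.0 if r % 2 else -1.0
        for combo in combinations(mcs, r):
            pr, _, fr = cut_indices(frozenset().union(*combo), comps)
            pr_s += sign * pr
            fr_s += sign * fr
    return pr_s, fr_s


def bonferroni(mcs: Sequence[Cut], comps=COMPONENTS) -> Tuple[float, float, float, float]:
    """(Pr upper, Pr lower, Fr upper, Fr lower), Eq. 3.46-3.49."""
    single = [cut_indices(mc, comps) for mc in mcs]
    pairs = [cut_indices(a | b, comps) for a, b in combinations(mcs, 2)]
    pr_up = sum(p for p, _, _ in single)
    fr_up = sum(f for _, _, f in single)
    return (pr_up, pr_up - sum(p for p, _, _ in pairs),
            fr_up, fr_up - sum(f for _, _, f in pairs))


def pmc_approximation(pmcs: Sequence[Cut], comps=COMPONENTS) -> Tuple[float, float]:
    """Eq. 3.87-3.88 over the probable MC only."""
    single = [cut_indices(mc, comps) for mc in pmcs]
    return sum(p for p, _, _ in single), sum(f for _, _, f in single)


def complete(pr_ds: float, fr_ds: float) -> Tuple[float, float, float, float]:
    """Eq. 3.50-3.53: (Pr(U_S), Fr(U_S), Ti(U_S) = MSUT, Ti(D_S) = MSDT)."""
    pr_us = 1.0 - pr_ds
    return pr_us, fr_ds, pr_us / fr_ds, pr_ds / fr_ds


def enumerate_states(is_up: Callable[[Dict[int, bool]], bool],
                     comps=COMPONENTS) -> Tuple[float, float]:
    """Exact Pr(D_S) and Fr(D_S) from all 2^n states.  Fr(D_S) counts the
    U_S -> D_S transitions: in each up state every up component fails with
    rate 1/Ti(U_C); only failures that take the system down are summed."""
    ids = sorted(comps)
    pr_ds = fr_ds = 0.0
    for bits in product((True, False), repeat=len(ids)):
        state = dict(zip(ids, bits))
        p = 1.0
        for k, up in state.items():
            p *= (1.0 - pr_down(k, comps)) if up else pr_down(k, comps)
        if not is_up(state):
            pr_ds += p
            continue
        for k in ids:
            if state[k] and not is_up({**state, k: False}):
                fr_ds += p / comps[k][0]
    return pr_ds, fr_ds


if __name__ == "__main__":
    exact = inclusion_exclusion(BRIDGE_MC)
    hi, lo, _, _ = bonferroni(BRIDGE_MC)
    print("exact Eq. 3.44-45  Pr(D_S)=%.6e Fr(D_S)=%.6e /h" % exact)
    print("enumeration        Pr(D_S)=%.6e Fr(D_S)=%.6e /h" % enumerate_states(bridge_up))
    print("Eq. 3.46-49 bounds Pr(D_S) in [%.6e, %.6e]" % (lo, hi))
    print("pMC Eq. 3.104-105  Pr(D_S)=%.6e Fr(D_S)=%.6e /h" % pmc_approximation(BRIDGE_MC[:2]))
    print("MSUT=%.1f h  MSDT=%.2f h" % complete(*exact)[2:])
```

Conjunctions MC_i ∧ MC_j are handled by taking the union of the component sets, which is why one function serves both the first-order and the higher-order terms. For the constructed data the two 2nd order cuts alone reproduce Pr(D_S) to within about 0.1 %, illustrating the pMC rule of Chapter 3.6.1.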

3.6.3 Reduction of system model complexity by MC segmentation

The procedure described in the previous chapter as an example can be generalized by the expressions of Eq. 3.43.

$$D_S = \bigvee_{\forall i \in S} MC_i\,, \qquad U_S = \bigwedge_{\forall i \in S} \overline{MC_i} \qquad (3.106)$$

These equations are the basis for the decomposition of a complex system in order to obtain a simple series structure composed of MC (e.g. Fig. 3.6). The procedure is generalized in Fig. 3.7.
[Fig. 3.7 (figure): flow from "System (technological and functional structure or DBD)" via "MC identification" to $D_S = \bigvee_{i=1}^{n} MC_i$, $U_S = \bigwedge_{i=1}^{n} \overline{MC_i}$, and on to the DBD: U_S as the series chain of the blocks $\overline{MC_1}, \overline{MC_2}, \overline{MC_3}, \ldots, \overline{MC_i}, \ldots, \overline{MC_n}$; each block $\overline{MC_i}$ is either a single up state U_i or the parallel arrangement of $U_{i,1}, \ldots, U_{i,k}$ (typical: k = 2, 3, 4).]

Fig. 3.7. Reduction of a complex system to a logical series structure (DBD) by the MC segmentation technique (up state mode).

3.6.4 Example

The MC segmentation technique is illustrated by the example in Fig. 3.8. S-dependency between the components with their impact on one another is demonstrated by the red arrows. CCF_{i,j} denotes the s-dependency impact of component i on j.

[Fig. 3.8 (figure): DBD in up state mode with two parallel branches, U_1 in series with U_2 in the upper branch and U_3 in series with U_4 in the lower branch; red arrows CCF_{1,3}, CCF_{3,1}, CCF_{2,4} and CCF_{4,2} mark the s-dependencies between the components.]

Fig. 3.8. DBD with the illustration of s-dependency due to CCF (Chapter 5).

Minimal cuts

$$MC_1 = D_1 \wedge D_3 \qquad (3.107)$$
$$MC_2 = D_1 \wedge D_4$$
$$MC_3 = D_2 \wedge D_3$$
$$MC_4 = D_2 \wedge D_4$$

System states

$$D_S = MC_1 \vee MC_2 \vee MC_3 \vee MC_4 \qquad (3.108)$$
$$U_S = \overline{D_S} \qquad (3.109)$$

The segmented network model of Fig. 3.8 is drawn in Fig. 3.9.

[Fig. 3.9 (figure): top: U_S as the series connection of the four MC segments, each drawn in up state mode as a parallel pair, (U_1 ‖ U_3) for MC_1, (U_1 ‖ U_4) for MC_2, (U_2 ‖ U_3) for MC_3 and (U_2 ‖ U_4) for MC_4, with the red CCF arrows CCF_{1,3}, CCF_{3,1}, CCF_{2,4}, CCF_{4,2} now lying inside the segments; bottom: the equivalent series chain of the blocks $\overline{MC_1}$, $\overline{MC_2}$, $\overline{MC_3}$, $\overline{MC_4}$.]

Fig. 3.9. DBD composed of MC (up state mode).

System indices due to Eq. 3.46-47

$$\Pr(D_S) \le \Pr(MC_1) + \Pr(MC_2) + \Pr(MC_3) + \Pr(MC_4) \qquad (3.110)$$
$$Fr(D_S) \le Fr(MC_1) + Fr(MC_2) + Fr(MC_3) + Fr(MC_4) \qquad (3.111)$$

Eq. 3.110-111 are valid also in the case of the red highlighted s-dependency inside the MC, see the conclusive remarks in Chapter 3.6.5 and further details in Chapter 5. In this example all MC are considered, thus ≤ is valid.

3.6.5 Conclusive remarks

1. With the MC (or pMC) approach real-world systems (industrial systems) can be reduced to series systems as shown in Fig. 3.7.
2. Eq. 3.44-49 (=, ≤, ≥): Consideration of all MC, both for s-independent components and for s-dependent components (all MC are usually difficult to identify and/or to manage).
3. Eq. 3.87-88 (≈): The calculation effort of Eq. 3.44-49 can be drastically reduced if only the probable MC (pMC) are considered.
4. In Chapter 5, the term s-dependency is defined and the Markov minimal cut (MMC) approach is introduced, with which Markov models with s-dependent components can be embedded into MC.
   Remark: In the opinion of the author, the MMC approach is the first choice for dependability evaluation of real-world applications, with the essential features of flexibility in modeling s-dependencies, low calculation effort, and simple analytical solutions. See the classification of the approaches in Fig. 2.1.

3.7 Interrelation between combination approach and MC/MP approach

Automation, communication, and computer systems contain components which can be modeled by the three states U, D, and F described in this chapter. The combination approach (truth table) is explained by means of the series and parallel system models with the three component states in Fig. 3.10 and 3.13 and compared with the MC approach.

Input: Component states

For each component (e.g. computer, communication line), the following three states are defined.

U   up state (processing/delivering of the correct message within time).
D   down state (no processing/delivering of the message or message out of time, e.g. due to failure of computer, breakage of transmission line, etc.).
F   fault message state (processing/delivering of a faulty message, e.g. faulty processing or transfer of an incorrect message, falsified or corrupted message).

$$DF = D \vee F \qquad (3.112)$$

Assumption: The components are s-independent.

Objective: System states

U_S   up state (processing/delivering of the correct message within time).
D_S   down state (no processing/delivering of the message or message out of time).
F_S   fault message state (processing/delivering of a faulty message).

$$DF_S = D_S \vee F_S \qquad (3.113)$$
$$U_S = \overline{DF_S} \qquad (3.114)$$

3.7.1 Example: Series structure

[Fig. 3.10 (figure): series DBD U_S with the two blocks U_1 and U_2; component indices Pr(U_1) = Pr(U_2) = 0.98, Pr(D_1) = Pr(D_2) = 0.01, Pr(F_1) = Pr(F_2) = 0.01.]

Fig. 3.10. DBD of the series structure.

3.7.1.1 Combination approach (Truth table)

The combination approach yields, as a result, all universe states of a universe space. An example is given in Table 3.1.

Definition 3.5 (universe state Z, universe space Ω). A universe state Z is defined as a logical AND-connection of one of the states U_i, D_i, and F_i of component i with one of the states U_j, D_j, and F_j of each other component j of the system. The number of D and F in a universe state Z determines its order. All Z OR-connected together cover the universe space Ω of the system.

One distinguishes between the terms universe state and system state; the latter is used as the objective system state of the system evaluation defined in STEP 2, Fig. 2.2. In Table 3.1, Z_9 = F_1 ∧ F_2 is defined as a 2nd order Z. All Z are mutually exclusive. All Z OR-connected map the complete universe space Ω (Pr(Ω) = 1) of a component or a system, depending on the viewpoint. In the following, Ω_i is the complete universe space of component i and Ω_S the complete universe space of the system, Table 3.1.

$$\Omega_S = \Omega_1 \wedge \Omega_2 \quad \text{with} \quad \Omega_i = U_i \vee D_i \vee F_i\,,\; i = 1, 2 \qquad (3.115)$$

The meaning of the order of Z (Definition 3.5) has to be distinguished from the meaning of the order of MC (Definition 3.2). The difference is that each MC, e.g. MC_1 ≈ D_1 (Eq. 3.126), implicitly contains the states U, D and F of the other components not included in the MC (beyond D_1 they remain invisible), which can be made explicit by extending MC_1 to D_1 ∧ Ω_2, see also Chapter 3.7.3.

With the assumption

$$\sum_{i=1}^{n} \left( \Pr(D_i) + \Pr(F_i) \right) \ll 1\,, \quad n \text{ number of components} \qquad (3.116)$$

the lowest order Z with respect to D and F is in all cases dominant over the higher order Z. It should be noticed that Eq. 3.116 is not a precondition for the application of the combination approach, Table 3.1, 3.2.

Components        Z_i   Pr(Z_i ∈ U_S)    Pr(Z_i ∈ D_S)    Pr(Z_i ∈ F_S)
 1      2
 U      U          1    9.604 · 10^-1
 U      D          2                     9.800 · 10^-3
 U      F          3                                      9.800 · 10^-3
 D      U          4                     9.800 · 10^-3
 D      D          5                     1.000 · 10^-4
 D      F          6                     1.000 · 10^-4
 F      U          7                                      9.800 · 10^-3
 F      D          8                     1.000 · 10^-4
 F      F          9                                      1.000 · 10^-4

Table 3.1. Complete universe space Ω_S of the example in Fig. 3.10.

Assuming s-independent components, the following equations are valid.

$$\Pr(Z_1 \vee Z_2) = \Pr(Z_1) + \Pr(Z_2) \qquad (3.117)$$
$$\Pr(Z_1 \wedge Z_2) = 0 \qquad (3.118)$$
$$\Pr(Z_1) = \Pr(U_1 \wedge U_2) = \Pr(U_1) \cdot \Pr(U_2) \qquad (3.119)$$
$$\ldots$$
$$\sum_{i=1}^{9} \Pr(Z_i) = 1 \qquad (3.120)$$

The calculation yields

$$\Pr(U_S) = \Pr(Z_1) = 9.604 \cdot 10^{-1} \qquad (3.121)$$
$$\Pr(D_S) = \Pr(Z_2) + \Pr(Z_4) + \Pr(Z_5) + \Pr(Z_6) + \Pr(Z_8) = 1.990 \cdot 10^{-2} \qquad (3.122)$$
$$\Pr(F_S) = \Pr(Z_3) + \Pr(Z_7) + \Pr(Z_9) = 1.970 \cdot 10^{-2} \qquad (3.123)$$
$$\Pr(DF_S) = \Pr(D_S \vee F_S) = \Pr(D_S) + \Pr(F_S) - \Pr(D_S \wedge F_S) = \Pr(D_S) + \Pr(F_S) = 3.960 \cdot 10^{-2} \qquad (3.124)$$
$$\Pr(U_S) + \Pr(DF_S) = 1.0 \qquad (3.125)$$

Exact values can be calculated with the combination approach (Table 3.1) and can be taken as reference values for the following MC approach. The advantage is that the Z_i can be individually assigned to U_S, D_S or F_S according to the functional requirements. Their influence on MC and FC must be carefully analyzed.

3.7.1.2 MC approach

The combination approach can be easily applied to small system models similar to the models in Fig. 3.10 and 3.13. For large systems, similar to those in Chapter 3.8, the number of system states explodes and cannot be managed with the combination approach. For those systems the MC approach is applied.

For applying the MC approach, the Preconditions 1 and 2 in Chapter 3.4.1 (2-state models) have to be fulfilled. Therefore, the 2-state models in Fig. 3.11 are developed. Two types of cuts are introduced: the minimal cut (MC) and the new cut type named (minimal) fault cut (FC). Both types are interpreted in the sense of Definition 3.1, 3.2, based on Fig. 3.11. For example, $\overline{D}$ comprises the states U and F, and $\overline{F}$ the states U and D. Due to this aggregation, MC and FC are approximate cuts based on 2-state models, e.g. in Eq. 3.126-127 and so on.

[Fig. 3.11 (figure): Component level: the three states U, D, F are aggregated into two alternative 2-state models, D versus $\overline{D}$ = U ∨ F and F versus $\overline{F}$ = U ∨ D, with DF = D ∨ F. System level: likewise D_S versus $\overline{D_S}$ and F_S versus $\overline{F_S}$, with DF_S = D_S ∨ F_S and U_S = $\overline{DF_S}$.]

Fig. 3.11. Reduction of a multi-state model to a 2-state model as the basis for the application of network approaches (approximation).

The MC and FC can be identified directly from Fig. 3.10 (also in Fig. 3.13) by using the two 2-state models indicated by the dashed lines and envelopes. The following equations are based on the well-known development steps. For Pr(D_S) and Pr(F_S), the upper boundary estimations, Eq. 3.46-47, are used.

$$MC_1 \approx D_1\,, \qquad MC_2 \approx D_2 \qquad (3.126)$$
$$FC_1 \approx F_1\,, \qquad FC_2 \approx F_2 \qquad (3.127)$$

Remark: MC_1 ≈ D_1 is an approximate MC, which gives adequate results for Pr(D) + Pr(F) « 1. Reason: $\overline{MC_1} = \overline{D_1} = U_1 \vee F_1$ (Fig. 3.11); the same is valid for the other MC and FC.

$$D_S = MC_1 \vee MC_2 \qquad (3.128)$$
$$\Pr(D_S) \le \Pr(MC_1) + \Pr(MC_2) \approx 2.0 \cdot 10^{-2} \qquad (3.129)$$
$$F_S = FC_1 \vee FC_2 \qquad (3.130)$$
$$\Pr(F_S) \le \Pr(FC_1) + \Pr(FC_2) \approx 2.0 \cdot 10^{-2} \qquad (3.131)$$
$$DF_S = D_S \vee F_S \qquad (3.132)$$
$$\Pr(DF_S) \le \Pr(D_S) + \Pr(F_S) \approx 4.00 \cdot 10^{-2} \qquad (3.133)$$
$$\Pr(U_S) = 1 - \Pr(DF_S) \approx 0.96 \qquad (3.134)$$

3.7.1.3 MC/MP approach

An alternative approximate calculation method for series structures, for which the assumption of Eq. 3.116 need not hold, can be developed from the DBD in Fig. 3.12. It can be evaluated with the MP approach, Eq. 3.69 or 3.83 (only one path), or with the approach for series structures, Eq. 3.20-21.

$$U_S = \overline{DF_S} = \overline{D_S \vee F_S} = \overline{MC_1 \vee MC_2 \vee FC_1 \vee FC_2} = \overline{MC_1} \wedge \overline{MC_2} \wedge \overline{FC_1} \wedge \overline{FC_2} \tag{3.135}$$

$$\Pr(U_S) = \Pr(\overline{MC_1} \wedge \overline{MC_2} \wedge \overline{FC_1} \wedge \overline{FC_2}) \approx \Pr(\overline{D_1} \wedge \overline{D_2} \wedge \overline{F_1} \wedge \overline{F_2}) = \Pr(\overline{D_1}) \cdot \Pr(\overline{D_2}) \cdot \Pr(\overline{F_1}) \cdot \Pr(\overline{F_2}) = 0.99 \cdot 0.99 \cdot 0.99 \cdot 0.99 = 0.9606 \tag{3.136}$$

The deviation between the exactly calculated value (Eq. 3.121) and the approximate value is very small and therefore usually negligible. Eq. 3.136 provides easily calculated, adequate approximate results for large systems (Chapter 3.8).

The development of $\Pr(\overline{MC_1} \wedge \overline{MC_2} \wedge \overline{FC_1} \wedge \overline{FC_2})$ in Eq. 3.136 into the product $\Pr(\overline{D_1}) \cdot \Pr(\overline{D_2}) \cdot \Pr(\overline{F_1}) \cdot \Pr(\overline{F_2})$ yields an approximate result ($\approx$), because $\overline{D_1}$ and $\overline{F_1}$ are events of the same component and therefore not s-independent: $\overline{D_1}$ overlaps with $\overline{F_1}$ (Fig. 3.11), they share $U_1$, and the same is true for $U_2$. Exact calculation: $\overline{D_1} \wedge \overline{F_1} = U_1$, $\overline{D_2} \wedge \overline{F_2} = U_2$, hence $\Pr(U_S) = \Pr(U_1) \cdot \Pr(U_2) = 0.98 \cdot 0.98 = 0.9604$.

Precondition for using Eq. 3.136

The maximal possible number $n$ of components in the case of $D$ and $F$, under consideration of the maximal acceptable relative deviation $\Delta\Pr(U_S)_{rel}$ (caused by bundling $U \vee F$ or $U \vee D$, Fig. 3.11), is given below. The derivation is given in Appendix 3.10.1. The result is

$$n \approx \frac{\Delta\Pr(U_S)_{rel} \cdot \Pr(U)}{\Pr(D) \cdot \Pr(F)} \tag{3.137}$$

Example: $\Pr(D) = \Pr(F) = 0.01$, $\Delta\Pr(U_S)_{rel} = 0.03$. With Eq. 3.137 the result is $n \approx 294$. Despite the large number of components in series, the deviation of $\Pr(U_S)$ is not more than 3%.

[Fig. 3.12: series DBD with the blocks $MC_1$, $MC_2$, $FC_1$, $FC_2$ in up state mode (Eq. 3.135), representing $U_S$.]

Fig. 3.12. DBD of Fig. 3.10 (up state mode).

3.7.2 Example: Parallel structure

The information and remarks given in Chapter 3.7.1 apply here as well.

Example: $\Pr(U_1) = \Pr(U_2) = 0.98$, $\Pr(D_1) = \Pr(D_2) = 0.01$, $\Pr(F_1) = \Pr(F_2) = 0.01$.

[Fig. 3.13: DBD of two parallel components $U_1$ and $U_2$ feeding a voter; the voter function is given in Table 3.2.]

Fig. 3.13. DBD of the parallel structure.

3.7.2.1 Combination approach (Truth table)

Component 1   Component 2   Z_i   Pr(Z_i ∈ U_S)    Pr(Z_i ∈ D_S)    Pr(Z_i ∈ F_S)
U             U             1     9.604 · 10^-1
U             D             2     9.800 · 10^-3
U             F             3                      9.800 · 10^-3
D             U             4     9.800 · 10^-3
D             D             5                      1.000 · 10^-4
D             F             6                                       1.000 · 10^-4
F             U             7                      9.800 · 10^-3
F             D             8                                       1.000 · 10^-4
F             F             9                      1.000 · 10^-4                    (F_1 ≠ F_2)

Table 3.2. Complete universe space $\Omega_S$ of the example in Fig. 3.13.

The decision whether $Z_9$ is assigned to $D_S$ or $F_S$ depends on the voter function or on human decision. In this example, $F_1 \ne F_2$ (s-independent components) and the voter (assumed 100% dependable) stops the transfer ($D_S$).

$$\sum_{i=1}^{9} \Pr(Z_i) = 1 \tag{3.138}$$
$$\Pr(U_S) = \Pr(Z_1) + \Pr(Z_2) + \Pr(Z_4) = 9.80 \cdot 10^{-1} \tag{3.139}$$
$$\Pr(D_S) = \Pr(Z_3) + \Pr(Z_5) + \Pr(Z_7) + \Pr(Z_9) = 1.98 \cdot 10^{-2} \tag{3.140}$$
$$\Pr(F_S) = \Pr(Z_6) + \Pr(Z_8) = 2.00 \cdot 10^{-4} \tag{3.141}$$
$$\Pr(DF_S) = \Pr(D_S \vee F_S) = \Pr(D_S) + \Pr(F_S) - \Pr(D_S \wedge F_S) = \Pr(D_S) + \Pr(F_S) = 2.00 \cdot 10^{-2} \tag{3.142}$$
$$\Pr(U_S) + \Pr(DF_S) = 1.0 \tag{3.143}$$

In Eq. 3.142, $\Pr(D_S \wedge F_S) = 0$ because the universe states $Z_i$ are mutually exclusive and each $Z_i$ is assigned to exactly one system state.

The exact values of the combination approach serve as reference values for the approximations of the MC approach.

3.7.2.2 MC approach

The 2-state models in Fig. 3.11 represent the basis for the calculation.

$$MC_1 \approx D_1 \wedge D_2, \qquad MC_2 \approx F_1, \qquad MC_3 \approx F_2 \tag{3.144}$$
$$FC_1 \approx F_1 \wedge D_2, \qquad FC_2 \approx D_1 \wedge F_2 \tag{3.145}$$
$$D_S = MC_1 \vee MC_2 \vee MC_3 \tag{3.146}$$
$$\Pr(D_S) \le \Pr(MC_1) + \Pr(MC_2) + \Pr(MC_3) \approx 2.01 \cdot 10^{-2} \tag{3.147}$$
$$F_S = FC_1 \vee FC_2 \tag{3.148}$$
$$\Pr(F_S) \le \Pr(FC_1) + \Pr(FC_2) \approx 2.0 \cdot 10^{-4} \tag{3.149}$$
$$DF_S = D_S \vee F_S \tag{3.150}$$
$$\Pr(DF_S) \le \Pr(D_S) + \Pr(F_S) \approx 2.03 \cdot 10^{-2} \tag{3.151}$$
$$\Pr(U_S) = 1 - \Pr(DF_S) \approx 9.797 \cdot 10^{-1} \tag{3.152}$$

In this example $F_S \subset D_S$ holds for the approximate cuts ($FC_1 \subset MC_2$ and $FC_2 \subset MC_3$), thus $\Pr(DF_S) = \Pr(D_S) \approx 2.01 \cdot 10^{-2}$. This can be shown by expansion of $MC_2 \wedge \Omega_2$ and $\Omega_1 \wedge MC_3$ according to the procedure in Eq. 3.155-158.

3.7.2.3 MC/MP approach

Series structure of MC and FC

$$U_S = \overline{DF_S} = \overline{MC_1 \vee MC_2 \vee MC_3 \vee FC_1 \vee FC_2} = \overline{MC_1} \wedge \overline{MC_2} \wedge \overline{MC_3} \wedge \overline{FC_1} \wedge \overline{FC_2} \tag{3.153}$$

$$\Pr(U_S) = \Pr(\overline{MC_1} \wedge \overline{MC_2} \wedge \overline{MC_3} \wedge \overline{FC_1} \wedge \overline{FC_2}) \approx 0.9999 \cdot 0.99 \cdot 0.99 \cdot 0.9999 \cdot 0.9999 = 9.798 \cdot 10^{-1} \tag{3.154}$$

The deviation between the exactly calculated indices (Eq. 3.139-142) and the approximate values is very small.

3.7.3 Combination approach (Truth table) versus MC/MP approach

Each MC (and FC) comprises all universe states $Z_i$ that are obtained by the logical AND-extension with the universe spaces $\Omega$ of the components not included in the MC or FC.

Example: Development of the universe states of the MC and FC of the series structure, Fig. 3.10, Table 3.1, Eq. 3.126-127.

$$MC_1 \approx D_1 = D_1 \wedge \Omega_2 = D_1 \wedge (U_2 \vee D_2 \vee F_2) = D_1 \wedge U_2 \vee D_1 \wedge D_2 \vee D_1 \wedge F_2 = Z_4 \vee Z_5 \vee Z_6 \tag{3.155}$$
$$MC_2 \approx D_2 = \Omega_1 \wedge D_2 = (U_1 \vee D_1 \vee F_1) \wedge D_2 = U_1 \wedge D_2 \vee D_1 \wedge D_2 \vee F_1 \wedge D_2 = Z_2 \vee Z_5 \vee Z_8 \tag{3.156}$$
$$FC_1 \approx F_1 = F_1 \wedge \Omega_2 = F_1 \wedge (U_2 \vee D_2 \vee F_2) = F_1 \wedge U_2 \vee F_1 \wedge D_2 \vee F_1 \wedge F_2 = Z_7 \vee Z_8 \vee Z_9 \tag{3.157}$$
$$FC_2 \approx F_2 = \Omega_1 \wedge F_2 = (U_1 \vee D_1 \vee F_1) \wedge F_2 = U_1 \wedge F_2 \vee D_1 \wedge F_2 \vee F_1 \wedge F_2 = Z_3 \vee Z_6 \vee Z_9 \tag{3.158}$$

The MC and FC contain all associated $Z_i \in D_S$ and $Z_i \in F_S$ of lowest order, which determine the MC and FC. The $Z_i$ of higher order have only a marginal influence on the $D_S$ and $F_S$ results.
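As an added example (this script is not part of the book), the following Python code applies the combination approach of Chapters 3.7.1-3.7.3 mechanically to the two-component examples: it enumerates the $3^n$ universe states $Z_i$ in the order of Table 3.2, classifies every $Z_i$ into $U_S$, $D_S$ or $F_S$, and compares the exact indices with the MC upper bounds (Eq. 3.129, 3.131, 3.147, 3.149) and the MC/MP products (Eq. 3.136, 3.154). The $\Omega$-expansion of Eq. 3.155-3.158 is implemented as a filter over the same enumeration. The voter logic follows Table 3.2; the classification of the series structure is an assumption of this example (a $D$ anywhere loses the message, an $F$ without a $D$ delivers a faulty one), because Table 3.1 is not reproduced on this page.

```python
"""Added example: exhaustive 3-state evaluation of the two-component examples.

Each component is in exactly one of the states U (up), D (down) or F (fault
message).  For n components the universe space has 3**n states Z_i, numbered
in the order of Table 3.2 (Z_1 = UU, Z_2 = UD, ..., Z_9 = FF).
"""
from itertools import product
from math import prod

# Component indices of the examples in Chapter 3.7 (Fig. 3.13).
PR = {"U": 0.98, "D": 0.01, "F": 0.01}
STATES = "UDF"


def universe(n):
    """All 3**n universe states; Z_i sits at list position i-1."""
    return list(product(STATES, repeat=n))


def pr_state(z):
    """Probability of one universe state for s-independent components."""
    return prod(PR[s] for s in z)


def classify_series(z):
    """Series chain (Fig. 3.10); assumed transport semantics of this example:
    a D anywhere loses the message (D_S), an F without any D delivers a
    faulty message (F_S), otherwise the message arrives correctly (U_S)."""
    if "D" in z:
        return "D"
    if "F" in z:
        return "F"
    return "U"


def classify_parallel_voter(z):
    """Two-channel parallel structure with voter, Table 3.2 (F_1 != F_2)."""
    a, b = z
    if a == "U" and b == "U":       # Z_1: routing of the good message
        return "U"
    if {a, b} == {"U", "D"}:        # Z_2, Z_4: copy of the good message
        return "U"
    if {a, b} == {"D", "F"}:        # Z_6, Z_8: faulty message copied undetected
        return "F"
    return "D"                      # Z_3, Z_5, Z_7, Z_9: stop or nothing to route


def exact_indices(classify, n):
    """Exact Pr(U_S), Pr(D_S), Pr(F_S) by summing over the whole universe."""
    out = {"U": 0.0, "D": 0.0, "F": 0.0}
    for z in universe(n):
        out[classify(z)] += pr_state(z)
    return out


def cut_to_states(cut, n):
    """Omega-expansion of a cut: 1-based indices of all Z_i it comprises.
    A cut is given as {component_position: required_state}."""
    return [i + 1 for i, z in enumerate(universe(n))
            if all(z[k] == s for k, s in cut.items())]


def pr_cut(cut):
    return prod(PR[s] for s in cut.values())


def mc_bound(cuts):
    """Upper boundary estimation (Eq. 3.46-47): sum of the cut probabilities."""
    return sum(pr_cut(c) for c in cuts)


def mc_mp_product(cuts):
    """MC/MP approximation Pr(U_S) ~ prod (1 - Pr(cut)), Eq. 3.136 / 3.154."""
    return prod(1.0 - pr_cut(c) for c in cuts)


# Series structure, Eq. 3.126-3.127 (component positions 0 and 1).
SERIES_MC = [{0: "D"}, {1: "D"}]
SERIES_FC = [{0: "F"}, {1: "F"}]
# Parallel structure with voter, Eq. 3.144-3.145.
PARALLEL_MC = [{0: "D", 1: "D"}, {0: "F"}, {1: "F"}]
PARALLEL_FC = [{0: "F", 1: "D"}, {0: "D", 1: "F"}]

if __name__ == "__main__":
    cases = [("series", classify_series, SERIES_MC, SERIES_FC),
             ("parallel", classify_parallel_voter, PARALLEL_MC, PARALLEL_FC)]
    for name, cls, mcs, fcs in cases:
        exact = exact_indices(cls, 2)
        print(name, "exact:", {k: round(v, 6) for k, v in exact.items()})
        print("  Pr(D_S) <=", round(mc_bound(mcs), 6), " Pr(F_S) <=", round(mc_bound(fcs), 6))
        print("  MC/MP Pr(U_S) ~", round(mc_mp_product(mcs + fcs), 6))
    for c in SERIES_MC + SERIES_FC:
        print("cut", c, "comprises Z", cut_to_states(c, 2))
```

Running the script prints the exact indices of both examples (0.9604/0.0199/0.0197 for the series structure and 0.98/0.0198/0.0002 for the voter structure), the bounds and the products of the MC and MC/MP approaches, and the $Z_i$ lists of Eq. 3.155-3.158. The expansion shows directly that $Z_6$ belongs to both $MC_1$ and $FC_2$ and $Z_8$ to both $MC_2$ and $FC_1$, which is the double counting named in Point 1 of the summarized remarks below.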

Summarized remarks concerning the MC/MP approach

Applying Eq. 3.129, 3.131, 3.133, 3.147, 3.149, and 3.151, the following approximations should be noted.
1. Identical $Z_i$ in MC and FC, revealed by the $\Omega$-extension of Eq. 3.155-158, are not eliminated by the idempotency rule. This statement extends to large systems, e.g. STEP 7, 8, Chapter 3.8.
2. Besides Point 1, the $\Omega$-extension of MC and FC implicitly contains higher-order $Z_i$ that are embedded in both (thus they are not excluded). This $\Omega$-extension can be applied to large systems, e.g. STEP 7, 8, Chapter 3.8.
3. Moreover, $Z_i$ of higher order may emerge that violate the monotony conditions (Chapter 3.4.1, preconditions). In large systems those $Z_i$ are normally difficult to identify, e.g. STEP 7, 8, Chapter 3.8.
4. $Z_i$ of higher order in Points 1-3 have insignificant influence on the system results, assuming that Eq. 3.116 is fulfilled. Furthermore, their inherent consideration strengthens the conservative result ($\le$) of $D_S$ and $F_S$ of Eq. 3.46-47 (they are not removed from the system result). Remark: $Z_i$ that violate the monotony conditions may be relevant in safety-oriented systems!

Conclusion

The analyses in the previous chapters justify the application of the MC and MP approaches to the examples described. On the one hand, the combination approach (truth table) is only applicable to small systems. On the other hand, the combination approach gives a deep insight into the operational and non-operational behavior of a system. A larger example in Chapter 3.8 emphasizes the advantage of the approaches.

3.8 Historical example 1: Communication chain in ancient Persia, 500 BC

In the old Persian Empire under the reign of Darius the Great (521-485 BC), a royal highway for travel, military, and communication purposes existed from Sardes to Susa, as reported by the Greek historian Herodotus in the fifth century BC. This historical example, described by [Ostertag 1810, Lendering 2014] with reference to Herodotus, is taken as the basis for analyzing the dependability of the rapid ("ultra fast" for its time) broadcasting of important messages (e.g. military actions) over the royal highway. Early news could decide between victory and defeat in war. No prior dependability evaluation of message transfer over the royal road is known; thus this is the first one.

STEP 1 (Fig. 2.2). System requirement analysis

Fig. 3.14 shows the Persian Empire about 500 BC with the royal road (red line). According to [Ostertag 1810, Lendering 2014], the total length of the royal road from Sardes to Susa extended over 2,500 km. Over the whole distance there were 112 road sections and 111 stations (stages, plus the initial station and the end station) for resting and for handing the message over from the predecessor to the successor; the stations are considered as the nodes of the road. The road with its nodes represents the communication network.

STEP 2. Objective system states

The normal travel time from Sardes to Susa (and vice versa) was about 90 days, as reported in [Ostertag 1810, pp. 351]. The ultra fast communication of important messages took 7-10 days for the complete distance, when messages were carried on horseback throughout day and night, as reported by Ostertag. The following system states are analyzed and evaluated.

System states
$U_S$ up state (transfer of the correct message over the 112 road sections (2,500 km) within the ultra fast transport time).
$D_S$ down state (no transfer of the message or message out of time, e.g. due to line interruption or loss of a message).
$F_S$ fault message state (delivery of a faulty message, e.g. undetected manipulation, falsification, or corruption of the message).

$$DF_S = D_S \vee F_S \tag{3.159}$$
$$U_S = \overline{DF_S} \tag{3.160}$$

STEP 3. Preconditions and assumptions

Many failures that may cause system failure are conceivable, e.g. loss of rider and horse due to injury, accident, attack, or wrong decision-making in stressful or extreme situations during the uninterrupted journey, betrayal of secrets, fraudulent messages, attacks at the stations (nodes), etc. Furthermore, the unavailability of a well-rested horseback messenger can lead to an intolerable time delay (loss of the scheduled time slot), which causes system failure.

STEP 4. Components and system(s)

The component is defined with focus on delivering a message from one station to the next over the road section (STEP 6). Thus, the component (Definition 1.2, Remark 1) comprises (1) the traversability of the road section and (2) the horseback messenger (rider and horse). A component covers the transport of a message and does not include the nodes (change stations).

Assumptions
1. Horseback messengers are assumed to be replaced at each station by well-
rested ones.
[Lendering 2014]: “At Persepolis, many tablets were found that refer to the sys-
tem of horse changing on the Royal road; it was called pirradaziš.“

2. For insurmountable obstacles, other alternatives of communication were used or combined.
[Lendering 2014, with reference to Diodorus, World history 19.17.5-6.]: “Per-
sia is cut by many narrow valleys and has many lookout posts that are high
and close together, on which those of the inhabitants who had the loudest
voices had been stationed. Since these posts were separated from each other
by the distance at which a man's voice can be heard, those who received the
order passed it on in the same way to the next, and then these in turn to
others until the message had been delivered at the border of the satrapy.“
This kind of news transmission is considered inherently in the component parameters (and may increase the human failure probability).

3. All parameters of the components are assumed to be the same. For the component indices see STEP 6 (component modeling).

The physical system is defined as the total communication chain in Fig. 3.14, consisting of the 112 components modeled in Fig. 3.15.

[Lendering 2014, with reference to Herodotus, Histories 8.98.]: “Neither snow nor
rain nor heat nor darkness of night prevents them from accomplishing the task pro-
posed to them with the very utmost speed. The first one rides and delivers the mes-
sage with which he is charged to the second, and the second to the third; and after
that it goes through them handed from one to the other, as in the torch race among
the Greeks, which they perform for Hephaestus.“

STEP 5. Input data

The probability of a component failure for ultra speed communication transfer depends on the road condition (e.g. passable or not passable, good or bad surface) and the capability of the horseback messenger to manage the task. The dependability of the horseback messenger depends (1) on the familiarity with the infrastructure and the human skills and experience to overcome all obstacles during the message transport, e.g. road and weather conditions, and (2) on the health status of the horse (well-rested, stressed, tired).

Because of the ultra speed message delivery, human and horse are under severe stress. Thus, the failure probability may spread over a wide range. No statistic for this task is available, but an orientation for human failure in industrial tasks is given by [Swain et al. 1983] or [WASH 1975]. Here, a human error probability span of $10^{-3} \ldots 10^{-2}$ is taken as a basis for the example.
[Fig. 3.14: map of the Persian Empire about 500 BC with the royal road from Sardes (label 111) to Susa (label 1). Regions and waters shown: Macedon, Pontus Euxinus (Black Sea), Caucasus, Caspian Sea, Armenia, Cilicia, Syria, Mediterranean Sea, Libya, Egypt, Arabia, Red Sea, Persian Gulf, Arabian Sea, Persepolis, Parthia, Bactria, Sogdiana, Arachosia, Gedrosia, Carmanians, Utians, Sagartians, Massagetans.]

Fig. 3.14. The Persian Empire about 500 BC under Darius I with the Royal Highway [Lendering 2014]. Parameters of the royal road (Susa - Sardes): about 2,500 km, 111 stages, 112 road sections, assumed normal travel time 90 days [Ostertag 1810].

STEP 6. Component modeling - Concerning CASE study 1 and CASE study 2

Fig 3.15 illustrates the model of the components that is defined in STEP 4. The
stations (nodes) are not considered in the component model ( ≡ assumed to be
100% dependable).

[Fig. 3.15: chain of components; component $(i, j)$ covers road section $i$ between station (node) $i-1$ and station (node) $i$ and delivers the message within its time slot (delivering time); each component has the states $U_{i,j}$, $D_{i,j}$, $F_{i,j}$; $i = 1 \ldots 111$, $j = 1$ for the series structure and $j = 1 \ldots 4$ for the cross structure.]

$U_{i,j}$ up state of component $j$ of road section $i$
$D_{i,j}$ down state of component $j$ of road section $i$
$F_{i,j}$ fault message state of component $j$ of road section $i$

Fig. 3.15. Illustration of the component model (112 components).

The following 3 states are defined for each of the components (112 for the series structure in CASE study 1, $4 \cdot 112$ for the cross structure in CASE study 2).
$U$ up state (transfer of the correct message from one node to the next within a given transfer time), $\Pr(U) = 0.989$ probability of the up state.
$D$ down state (no transfer of the message due to failure of the component, e.g. line interruption, loss of message, or exceedance of the transfer time), $\Pr(D) = 0.01$ probability of the down state.
$F$ fault message state (delivery of a faulty message, e.g. undetected manipulation, falsification, or corruption of the message), $\Pr(F) = 0.001$ probability of the fault message state.

$$DF = D \vee F \tag{3.161}$$
$$U = \overline{DF} \tag{3.162}$$

The corresponding 3-state component model and its reduction to 2-state models is shown in Fig. 3.11.

Assumptions
1. All components are s-independent.
2. Stations (nodes) are not considered (corresponds to 100% dependable).
3. All components have the same dependability indices.
4. A faulty message is not detected at the station.

STEP 7, 8. System modeling and evaluation - Concerning CASE study 1: Series system

Fig. 3.16-19 outline the system models. The dependability calculation is done twice, using the approximate MC/MP approach and the exact calculation described in Chapter 3.7.1.

Applying the approximate MC/MP approach according to Eq. 3.135-136, the maximal possible number of components has to be calculated first in order to remain below the deviation limit $\Delta\Pr(U_S)_{rel} = 0.01$. Eq. 3.137 yields $n \approx 989$. Thus, the actual number of components (112) is far below the maximal possible number, which indicates high accuracy of the MC/MP approach.

Calculation of $D_S$, Fig. 3.16, analogous to Eq. 3.136 ($F$ excluded).

$$\Pr(\overline{D_S}) = \Pr\Big(\bigwedge_{i=1}^{112} \overline{MC_i}\Big) = \prod_{i=1}^{112} \Pr(\overline{D_i}) = 0.99^{112} = 0.324 \tag{3.163}$$
$$\Pr(D_S) = 1 - \Pr(\overline{D_S}) = 0.676 \tag{3.164}$$

[Fig. 3.16: series DBD of the blocks $\overline{D_1}, \overline{D_2}, \overline{D_3}, \ldots, \overline{D_{112}}$.]

Fig. 3.16. DBD (up state mode related to $D_S$).

Calculation of $F_S$, Fig. 3.17, analogous to Eq. 3.136 ($D$ excluded).

$$\Pr(\overline{F_S}) = \Pr\Big(\bigwedge_{i=1}^{112} \overline{FC_i}\Big) = \prod_{i=1}^{112} \Pr(\overline{F_i}) = 0.999^{112} = 0.894 \tag{3.165}$$
$$\Pr(F_S) = 1 - \Pr(\overline{F_S}) = 0.106 \tag{3.166}$$

[Fig. 3.17: series DBD of the blocks $\overline{F_1}, \overline{F_2}, \overline{F_3}, \ldots, \overline{F_{112}}$.]

Fig. 3.17. DBD (up state mode related to $F_S$).

Approximate calculation of $DF_S$, Fig. 3.18, analogous to Eq. 3.136.

$$\Pr(\overline{DF_S}) \approx \Pr(\overline{D_S}) \cdot \Pr(\overline{F_S}) = 0.290 \tag{3.167}$$
$$\Pr(DF_S) = 1 - \Pr(\overline{DF_S}) \approx 0.710 \tag{3.168}$$

[Fig. 3.18: series DBD of the two blocks $\overline{D_S}$ and $\overline{F_S}$.]

Fig. 3.18. DBD (up state mode related to $DF_S$).

Exact calculation according to Fig. 3.19 and the remarks on Eq. 3.136.

$$\Pr(U_S) = \Pr\Big(\bigwedge_{i=1}^{112} \overline{(D_i \vee F_i)}\Big) = \prod_{i=1}^{112} \Pr(U_i) = 0.989^{112} = 0.290 \tag{3.169}$$
$$\Pr(DF_S) = 1 - \Pr(U_S) = 0.710 \tag{3.170}$$

A calculation with 9-digit precision results in a relative deviation of about 0.00113 (0.113%) between the approximate and the exact calculation.

[Fig. 3.19: series DBD of the blocks $\overline{DF_1}, \overline{DF_2}, \overline{DF_3}, \ldots, \overline{DF_{112}}$.]

Fig. 3.19. DBD (up state mode related to $U_S$).

Result

1. Of about 3 to 4 transported messages, only 1 is transferred correctly (!) by the series communication system, Fig. 3.19 ($U_S$). Thus, based on the assumed parameters, a message transfer over such a great distance could not be expected to function with high dependability as a series structure.

2. Even a multiplication of the total communication line would not have led to an outstanding result and, thus, to an appropriate solution. Example: 4 parallel s-independent communication chains (each of the type of Fig. 3.19) have the result (with Eq. 3.170): $\Pr(DF_S) \approx 0.71^4 = 0.254$, $\Pr(U_S) \approx 0.746$.
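As an added example (not code from the book), the following Python script reproduces CASE study 1 in closed form: the MC/MP approximation of Eq. 3.163-3.168, the exact product of Eq. 3.169-3.170, the relative deviation between both, the component limit of Eq. 3.137 from Chapter 3.7.1.3, and the 4 parallel chains of Result Point 2. It assumes s-independent components with the identical indices of STEP 6 ($\Pr(U) = 0.989$, $\Pr(D) = 0.01$, $\Pr(F) = 0.001$); the names of the functions are those of this example.

```python
"""Added example: series chain of n s-independent 3-state components.

Reproduces CASE study 1 (Eq. 3.163-3.170), the relative deviation of the
MC/MP approximation, the component limit of Eq. 3.137 and the k parallel
chains of Result Point 2.  Indices as in STEP 6.
"""

PR_U, PR_D, PR_F = 0.989, 0.01, 0.001   # component indices of STEP 6
N_SECTIONS = 112                        # road sections = components in series


def series_exact(pr_u, n):
    """Exact Pr(U_S): every component must be in U (Eq. 3.169)."""
    return pr_u ** n


def series_mc_mp(pr_d, pr_f, n):
    """MC/MP approximation with the 2-state models of Fig. 3.11:
    Pr(U_S) ~ Pr(not D_S) * Pr(not F_S), Eq. 3.163, 3.165, 3.167."""
    pr_not_ds = (1.0 - pr_d) ** n
    pr_not_fs = (1.0 - pr_f) ** n
    return pr_not_ds * pr_not_fs


def relative_deviation(pr_u, pr_d, pr_f, n):
    """(approximate - exact) / exact for Pr(U_S).  Positive, because bundling
    U v F and U v D counts the U state of every component twice."""
    exact = series_exact(pr_u, n)
    return (series_mc_mp(pr_d, pr_f, n) - exact) / exact


def max_components(pr_u, pr_d, pr_f, delta_rel):
    """Eq. 3.137: number of series components at which the relative deviation
    reaches about delta_rel (first-order estimate, hence 'about')."""
    return round(delta_rel * pr_u / (pr_d * pr_f))


def parallel_chains(pr_dfs, k):
    """k s-independent complete chains, each failing with pr_dfs
    (Result Point 2): returns (Pr(DF_S), Pr(U_S)) of the parallel arrangement."""
    pr_down = pr_dfs ** k
    return pr_down, 1.0 - pr_down


def case_study_1():
    """All indices of CASE study 1 in one dictionary."""
    exact_u = series_exact(PR_U, N_SECTIONS)
    approx_u = series_mc_mp(PR_D, PR_F, N_SECTIONS)
    return {
        "Pr(not D_S)": (1.0 - PR_D) ** N_SECTIONS,   # Eq. 3.163, about 0.324
        "Pr(not F_S)": (1.0 - PR_F) ** N_SECTIONS,   # Eq. 3.165, about 0.894
        "Pr(U_S) approx": approx_u,                   # Eq. 3.167, about 0.290
        "Pr(U_S) exact": exact_u,                     # Eq. 3.169, about 0.290
        "Pr(DF_S) exact": 1.0 - exact_u,              # Eq. 3.170, about 0.710
        "rel. deviation": relative_deviation(PR_U, PR_D, PR_F, N_SECTIONS),
        "n_max (1 %)": max_components(PR_U, PR_D, PR_F, 0.01),   # 989
    }


if __name__ == "__main__":
    for key, value in case_study_1().items():
        print(f"{key:16s} {value:.6g}")
    print("4 parallel chains (Pr(DF_S), Pr(U_S)):", parallel_chains(0.71, 4))
```

The relative deviation printed for $n = 112$ is about $0.00113$, the value quoted after Eq. 3.170, and it agrees with the first-order term $n \cdot \Pr(D)\Pr(F)/\Pr(U)$ behind Eq. 3.137. Evaluating `relative_deviation` at the limit $n = 989$ gives slightly more than 0.01, which is the second-order effect the linearization in Eq. 3.137 neglects.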

STEP 7, 8. System modeling and evaluation - Concerning CASE study 2: Cross structure

The following question arises: How can a communication chain be developed into a system with high dependability? To answer this, a more theoretical system study is presented on the basis of Fig. 3.20.

Additional assumptions (to CASE study 1, STEP 6)

5. Each station (node) has the routing function of Table 3.3 (according to STEP 6, the node itself is not part of the components).
6. Only different messages can be detected by the router.
7. The routing function is carried out within a time slot. A message outside the time slot is defined as lost ($D$).
8. Transitions $U \to F$ of different components are assumed to produce different faulty messages ($F_X$, $F_Y$).
9. The transitions $F \to U$, $D \to U$ and $D \to F$ are excluded on the royal road.
10. The transition $F \to D$ within a component (double failure) is excluded; the transition $F \to D$ across different components is possible (down state of a faulty message that occurred in a previous component).
11. The change $F_X \to F_Y$ is generally excluded.

Incoming messages   Routing function                                         Fig. 3.20
U_1 ∧ U_2           routing of messages                                      (a)
U_1 ∧ D_2           copy of message and routing                              (c)
U_1 ∧ F_2           stop of routing (voter function)                         (f)
D_1 ∧ U_2           copy of message and routing                              (c)
D_1 ∧ D_2           no routing
D_1 ∧ F_2           copy of (faulty) message and routing                     (d)
F_1 ∧ U_2           stop of routing (voter function)                         (f)
F_1 ∧ D_2           copy of (faulty) message and routing                     (d)
F_1 ∧ F_2           stop of routing in the case of F_1 ≠ F_2 (F_X, F_Y)      (e)
F_1 ∧ F_2           routing of the faulty message in the case of F_1 = F_2   (b)

Indices 1, 2 denote the incoming messages to the station/node.
$F_X$ and $F_Y$ denote different faulty messages.

Table 3.3. Routing function (voting) at the stations within a defined time slot.

Fig. 3.20 shows the system model with some $U$, $D$, and $F$ constellations based on Table 3.3.

Universe space

The total universe space of the example is

$$\Omega_S = \bigwedge_{i=1}^{112} \bigwedge_{j=1}^{4} \Omega_{i,j} \quad \text{with} \quad \Omega_{i,j} = U_{i,j} \vee D_{i,j} \vee F_{i,j} \tag{3.171}$$

$i$ designates the road section and $j$ the component. $\Omega_S$ comprises $3^{4 \cdot 112}$ universe states $Z$ (Definition 3.5) due to $U$, $D$, and $F$. In the example, only those $Z$ of lowest or lower order are significant for $D_S$ and $F_S$. The basics have been developed in Chapter 3.7.

[Fig. 3.20: four parallel components (rows 1-4) per road section $i-1$, $i$, $i+1$, $i+2$, all ending in $U_S$. Panels: a) forwarding of $U$; b) forwarding of $F_X$ when both inputs carry the same $F_X$; c) copy and routing of $U$ when the other input is $D$; d) copy and routing of $F_X$ when the other input is $D$; e) stop when $F_X$ and $F_Y$ differ; f) stop when $U$ meets $F$.]

Fig. 3.20. Network requirements of the cross structure, routing according to Table 3.3.

System state $D_S$

Each MC in the summarized VMC causes $D_S$.

Fig. 3.21: $VMC_{4D}$ (3.172)
Fig. 3.22: $VMC_{DF}$ (3.173)
Fig. 3.23: $VMC_{2F}$ (3.174)

$$D_S \approx VMC_{4D} \vee VMC_{DF} \vee VMC_{2F} \tag{3.175}$$

where $VMC_{4D}$ contains MC of 4th order, and $VMC_{DF}$ and $VMC_{2F}$ contain MC of 2nd order. MC of higher order, e.g. $VMC_{2DF}$ (Fig. 3.39), are not taken into account.

System state $F_S$

The following VFC, pictured in Appendix 3.10.2, cause $F_S$.

Fig. 3.32: $VFC_{2DF} \subset VMC_{DF}$ (3.176)
Fig. 3.33-38: $VFC_{2FD} \subset VMC_{2F}$ (3.177)

$$F_S \approx (VFC_{2DF} \vee VFC_{2FD}) \subset D_S \tag{3.178}$$

Thus, Eq. 3.175 contains $F_S$.

Remarks
1. Strictly speaking, $VFC_{2DF}$ and $VFC_{2FD}$ do not represent minimal cuts with respect to $F_S$.
2. In $VMC_{DF}$ or $VMC_{2F}$, $Z$ emerge that cause $U_S$ and $F_S$; they are of higher $F$/$D$ order (Definition 3.5) and therefore not significant for $D_S$, even if they are numerous. Furthermore, $VMC_{DF}$ and $VMC_{2F}$ contain states that violate the monotony conditions (see e.g. Fig. 3.22 and 3.32), which are of higher order. Not removing these $Z$ leads to conservative results (tendency $<$ in $\Pr(D_S)$).

Objective indices

Assumptions
1. All components are s-independent.
2. Only $Z$ of lowest (or lower) order in their classes of $D_S$ and $F_S$ are considered (Eq. 3.184-185, see overview illustration, Fig. 3.24).
3. All components have the same indices: $\Pr(D) = 10^{-2}$, $\Pr(F) = 10^{-3}$.
4. For simplification, the initial section 1 and the final section 112 are treated as identical to the others.
5. The following equations contain the approximations: (1) neglect of MC and FC of higher order (first approximation $\approx$) due to Eq. 3.87, (2) inaccuracies due to the 2-state modeling of $U$, $D$, and $F$ according to Fig. 3.11 (see also Eq. 3.126-127, second approximation $\approx$), and (3) beyond this, inaccuracies through the violation of the monotony conditions (Appendix 3.10.2), which are not removed (they are of higher order and strengthen the tendency $<$ of the results of Eq. 3.180-181).

Fig. 3.21:
$$\Pr(VMC_{4D}) \approx \sum_{\forall MC \in VMC_{4D}} \Pr(MC_{4D}) \approx 334 \cdot \Pr(D)^4 = 3.34 \cdot 10^{-6} \tag{3.179}$$

Fig. 3.22:
$$\Pr(VMC_{DF}) \approx \sum_{\forall MC \in VMC_{DF}} \Pr(MC_{DF}) \approx 444 \cdot \Pr(F)\Pr(D) = 4.44 \cdot 10^{-3} \tag{3.180}$$

Fig. 3.23:
$$\Pr(VMC_{2F}) \approx \sum_{\forall MC \in VMC_{2F}} \Pr(MC_{2F}) \approx 1{,}328 \cdot \Pr(F)^2 = 1.328 \cdot 10^{-3} \tag{3.181}$$

Fig. 3.32:
$$\Pr(VFC_{2DF}) \approx \sum_{\forall FC \in VFC_{2DF}} \Pr(FC_{2DF}) \approx 888 \cdot \Pr(F)\Pr(D)^2 = 8.88 \cdot 10^{-5} \tag{3.182}$$

Fig. 3.33-38:
$$\Pr(VFC_{2FD}) \approx \sum_{\forall FC \in VFC_{2FD}} \Pr(FC_{2FD}) \approx 3{,}544 \cdot \Pr(F)^2 \Pr(D) = 3.544 \cdot 10^{-5} \tag{3.183}$$

It follows

$$\Pr(D_S) \approx \Pr(VMC_{4D}) + \Pr(VMC_{DF}) + \Pr(VMC_{2F}) \approx 5.771 \cdot 10^{-3} \tag{3.184}$$

Fig. 3.39 shows the estimation of $VMC_{2DF}$ (3rd order) and its influence on $\Pr(D_S)$.

$$\Pr(F_S) \approx \Pr(VFC_{2DF}) + \Pr(VFC_{2FD}) \approx 1.242 \cdot 10^{-4} \tag{3.185}$$
$$\Pr(DF_S) \approx \Pr(D_S) \approx 5.771 \cdot 10^{-3} \quad \text{(see Eq. 3.176-178)} \tag{3.186}$$
$$\Pr(U_S) = 1 - \Pr(DF_S) \approx 0.9942 \tag{3.187}$$

Result

1. Compared to the pure series structure in CASE study 1, the undependability of the cross structure decreases drastically from 0.710 (Eq. 3.170) to 0.005771 (Eq. 3.186), i.e. by a factor of about 123. Only 1 of 173 delivered messages is lost ($D_S$), and only 1 of 8,052 messages is an (undetected) faulty message ($F_S$)! Whether the cross structure with its assumptions was technologically realizable with ancient means is not investigated here. Nevertheless, the analyzed cross structure is an interesting theoretical study of the applicability of the MC approach. An extension of the 2-state modeling (Fig. 3.11) to complex Markov models is described in Chapter 5.9 and 5.10.

2. Comparative study
Assumptions: (1) The stations have no copy and no voter function (Table 3.3 as well as Points 6-7 in STEP 7, 8, CASE study 2, are dropped). The stations serve only for resting, transit, and replacement of horse and rider. The other assumptions remain valid. A lost message remains lost. Different messages at the stations remain different (no stop at the stations). (2) Only at the end station is the voter function valid.
System result under these assumptions: The result is nearly the same as the calculation of 4 parallel s-independent communication chains in STEP 7, 8, CASE study 1, Result Point 2. This indicates that the comparative cross structure has no significant advantage. The copy and voter functions considerably increase the system dependability.

[Fig. 3.21: sketch of the cross structure for road sections $i$, $i+1$ with components 1 ... 4, marking the three patterns of 4th-order $D$ cuts defined below.]

$$VMC_{4D_1} = \bigvee_{i=1}^{112} D_{i,1} \wedge D_{i,2} \wedge D_{i,3} \wedge D_{i,4}$$
$$VMC_{4D_2} = \bigvee_{i=1}^{111} D_{i,1} \wedge D_{i,3} \wedge D_{i+1,3} \wedge D_{i+1,4}$$
$$VMC_{4D_3} = \bigvee_{i=1}^{111} D_{i,2} \wedge D_{i,4} \wedge D_{i+1,1} \wedge D_{i+1,2}$$
$$VMC_{4D} = VMC_{4D_1} \vee VMC_{4D_2} \vee VMC_{4D_3}$$

($MC_{4D_{i,j}}$, $j = 1 \ldots 3$, see Fig. 3.24)

Fig. 3.21. $VMC_{4D}$ (illustrated in Fig. 3.24).

$$\text{I:} \quad VMC_{DF_1} = \bigvee_{i=1}^{111} F_{i,1} \wedge D_{i,3}$$
$$\text{II:} \quad VMC_{DF_2} = \bigvee_{i=1}^{111} F_{i,3} \wedge D_{i,1}$$
$$\text{III:} \quad VMC_{DF_3} = \bigvee_{i=1}^{111} F_{i,2} \wedge D_{i,4}$$
$$\text{IV:} \quad VMC_{DF_4} = \bigvee_{i=1}^{111} F_{i,4} \wedge D_{i,2}$$
$$VMC_{DF} = VMC_{DF_1} \vee VMC_{DF_2} \vee VMC_{DF_3} \vee VMC_{DF_4}$$

$VMC_{DF}$ contains states of higher order, which violate the monotony conditions (see Appendix 3.10.2).

Fig. 3.22. $VMC_{DF}$ (illustrated in Fig. 3.24).

V + VI (mirrored, symmetric):
$$VMC_{2F_1} = \bigvee_{i=1}^{112} F_{i,1} \wedge F_{i,2}, \qquad VMC_{2F_2} = \bigvee_{i=1}^{112} F_{i,3} \wedge F_{i,4}$$

VII + VIII:
$$VMC_{2F_3} = \bigvee_{i=1}^{112} F_{i,1} \wedge F_{i,4}, \qquad VMC_{2F_4} = \bigvee_{i=1}^{112} F_{i,2} \wedge F_{i,3}$$

IX + X:
$$VMC_{2F_5} = \bigvee_{i=1}^{110} F_{i,3} \wedge F_{i+1,3}, \qquad VMC_{2F_6} = \bigvee_{i=1}^{110} F_{i,2} \wedge F_{i+1,2}$$

XI + XII:
$$VMC_{2F_7} = \bigvee_{i=1}^{110} F_{i,3} \wedge F_{i+1,4}, \qquad VMC_{2F_8} = \bigvee_{i=1}^{110} F_{i,2} \wedge F_{i+1,1}$$

XIII + XIV:
$$VMC_{2F_9} = \bigvee_{i=1}^{110} F_{i,1} \wedge F_{i+1,3}, \qquad VMC_{2F_{10}} = \bigvee_{i=1}^{110} F_{i,4} \wedge F_{i+1,2}$$

XV + XVI:
$$VMC_{2F_{11}} = \bigvee_{i=1}^{110} F_{i,1} \wedge F_{i+1,4}, \qquad VMC_{2F_{12}} = \bigvee_{i=1}^{110} F_{i,4} \wedge F_{i+1,1}$$

$$VMC_{2F} = \bigvee_{i=1}^{12} VMC_{2F_i}$$

$VMC_{2F}$ contains states of higher order, which violate the monotony conditions (see Appendix 3.10.2).

Fig. 3.23. $VMC_{2F}$ (illustrated in Fig. 3.24).
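As an added example (not code from the book), the following Python script transcribes the cut families of Figs. 3.21-3.23 into explicit cut sets and evaluates them the way Eq. 3.179-3.181 and 3.184 do: it reproduces the counts 334, 444 and 1,328 from the index ranges of the figures, checks that the cuts are distinct and minimal (no cut contains another), and sums the cut probabilities as the upper boundary estimation. The upper limits 112, 111 and 110 of the families are taken from the figures as given; the VFC families of Eq. 3.182-3.183 are in Appendix 3.10.2, which is not on this page, and are therefore not reproduced.

```python
"""Added example: lowest-order cut families of the cross structure.

A component is addressed as (i, j) with road section i = 1..112 and
component j = 1..4; a cut is a frozenset of (i, j, state) conditions.
"""
from math import prod

PR = {"D": 1e-2, "F": 1e-3}     # component indices of CASE study 2


def family(pattern, last_i):
    """One cut per road section i = 1..last_i.  pattern lists the
    (section offset, component j, state) conditions of the cut."""
    return {frozenset((i + di, j, s) for di, j, s in pattern)
            for i in range(1, last_i + 1)}


def vmc_4d():
    """Fig. 3.21: 4th-order D cuts (112 + 111 + 111 = 334)."""
    return (family([(0, 1, "D"), (0, 2, "D"), (0, 3, "D"), (0, 4, "D")], 112)
            | family([(0, 1, "D"), (0, 3, "D"), (1, 3, "D"), (1, 4, "D")], 111)
            | family([(0, 2, "D"), (0, 4, "D"), (1, 1, "D"), (1, 2, "D")], 111))


def vmc_df():
    """Fig. 3.22: F and D in the same section (4 * 111 = 444)."""
    pairs = [(1, 3), (3, 1), (2, 4), (4, 2)]        # (j with F, j with D)
    cuts = set()
    for jf, jd in pairs:
        cuts |= family([(0, jf, "F"), (0, jd, "D")], 111)
    return cuts


def vmc_2f():
    """Fig. 3.23: two F in the same section (4 * 112) or in adjacent
    sections (8 * 110), 1,328 cuts in total."""
    same = [(1, 2), (3, 4), (1, 4), (2, 3)]
    adjacent = [(3, 3), (2, 2), (3, 4), (2, 1), (1, 3), (4, 2), (1, 4), (4, 1)]
    cuts = set()
    for a, b in same:
        cuts |= family([(0, a, "F"), (0, b, "F")], 112)
    for a, b in adjacent:
        cuts |= family([(0, a, "F"), (1, b, "F")], 110)
    return cuts


def is_minimal(cuts):
    """True if no cut is a proper superset of another (the MC property)."""
    cuts = list(cuts)
    return not any(a > b for a in cuts for b in cuts)


def pr_cut(cut):
    """s-independent components: product of the required state indices."""
    return prod(PR[s] for _, _, s in cut)


def rare_event_sum(cuts):
    """Upper boundary estimation (Eq. 3.46-47): sum over the cuts."""
    return sum(pr_cut(c) for c in cuts)


def pr_down_state():
    """Eq. 3.184 with the lowest-order families only."""
    return sum(rare_event_sum(f()) for f in (vmc_4d, vmc_df, vmc_2f))


if __name__ == "__main__":
    for f in (vmc_4d, vmc_df, vmc_2f):
        c = f()
        print(f"{f.__name__}: {len(c)} cuts, minimal={is_minimal(c)}, "
              f"sum={rare_event_sum(c):.3e}")
    print(f"Pr(D_S) ~ {pr_down_state():.4e}, Pr(U_S) ~ {1 - pr_down_state():.4f}")
```

The script prints the three family sums $3.34 \cdot 10^{-6}$, $4.44 \cdot 10^{-3}$ and $1.328 \cdot 10^{-3}$ and their total $5.771 \cdot 10^{-3}$ (Eq. 3.184). Because the families are kept as sets of frozensets, a transcription error that produced the same cut twice would show up immediately as a lower count, and `is_minimal` catches any family member that is not a minimal cut.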



[Fig. 3.24: nesting of the umbrella expressions within $\Omega_S$: $VMC_{DF}$ and $VMC_{2F}$ with the overlapping $VMC_{2DF}$, $VFC_{2DF}$ and $VFC_{2FD}$; $VMC_{4D}$ with its $MC_{4D_{i,j}}$ and $\Omega_{VMC_{4D}}$ (includes all $Z$ of $VMC_{4D}$).]

Fig. 3.24. Overview scheme of the umbrella expressions $V\ldots$ with their $Z$ expansion tree of the cross structure. $\Omega_S$ contains $3^{4 \cdot 112}$ $Z$.

Universe space analysis of an example

The development of the universe space $\Omega_{DF}$ is demonstrated on the example $MC_{DF_{i,1}} = F_{i,1} \wedge D_{i,3} \in VMC_{DF_1}$, Fig. 3.22.I. With $\Omega_{i,j} = U_{i,j} \vee D_{i,j} \vee F_{i,j}$ of each component $j = 1 \ldots 4$ of road section $i$, the universe states can be evaluated with the following $\Omega$-expansion.

$$\Omega_{DF_{i,1}} = \Omega_{1,1} \wedge \Omega_{1,2} \wedge \Omega_{1,3} \wedge \Omega_{1,4} \wedge \ldots \wedge F_{i,1} \wedge \Omega_{i,2} \wedge D_{i,3} \wedge \Omega_{i,4} \wedge \ldots \wedge \Omega_{111,1} \wedge \Omega_{111,2} \wedge \Omega_{111,3} \wedge \Omega_{111,4} \tag{3.188}$$
$$\Omega_{DF_1} = \bigvee_{i=1}^{111} \Omega_{DF_{i,1}} \tag{3.189}$$
$$\Omega_{DF} = \bigvee_{j=1}^{4} \Omega_{DF_j} \tag{3.190}$$

Different universe spaces can overlap, i.e. they contain the same universe states. These states are of higher order (Definition 3.5) and are mostly negligible.

Example 1: The subuniverse spaces $\Omega_{DF_{i,1}}$ and $\Omega_{DF_{i+1,1}}$ overlap. Both contain the universe states with the term $\ldots \wedge F_{i,1} \wedge D_{i,3} \wedge \ldots \wedge F_{i+1,1} \wedge D_{i+1,3} \wedge \ldots$, which are of higher order.

Example 2: In contrast to $\Omega_{DF_{i,1}}$ and $\Omega_{DF_{i,3}}$ (Fig. 3.22.I and III), which contain the overlapping universe states with the expression $\ldots \wedge F_{i,1} \wedge D_{i,3} \wedge F_{i,2} \wedge D_{i,4} \wedge \ldots$, the subuniverse spaces $\Omega_{DF_{i,1}}$ and $\Omega_{DF_{i,2}}$ (Fig. 3.22.I and II) have no overlapping universe states, because component $(i,1)$ cannot be in $F$ and $D$ at the same time.

Overlapping universe spaces are illustrated in Fig. 3.24.

3.9 Historical example 2: Horse-drawn stagecoach

In this chapter, the application of network approaches combined with uncertainty evaluation (Chapter 6) is demonstrated on the example of a historical four-seater horse-drawn stagecoach from 1880, used for mail traffic in the area of Freiburg (Breisgau), Germany. The original stagecoach has been restored and installed at the Museum for Communication Berlin [mfk 2015], Fig. 3.25. This stagecoach is exhibited as an art object ("Berliner Luft Post", artist Mr. St. Sous) in an exploded view, which offers a unique and clear insight into its construction details. The stagecoach as study object, Fig. 3.25-27, is used with kind permission of the management of the Museum for Communication Berlin. No other dependability evaluation of coaches is known; thus this is the first one.

Both, the dependability structures and the dependability evaluation approaches, are
in principle the same as for modern cars, although the technology is completely dif-
ferent and substantially more complex. The series and parallel structures with com-
bination of uncertainty evaluation (Chapter 6) make the application illustrative and
interesting for similar system structures.

STEP 1 (Fig. 2.2). System requirement analysis

The stagecoach (or carriage) is defined as the complete vehicle ready for travel, which consists of the construction, the coachman, and the horse(s). According to [Felton 1794], one of the first treatises on coaches, the stagecoach is divided into the lower subsystem (chassis), to which the wheels are fixed, and the upper subsystem (body), in which the passengers find room.

The dependability analysis concentrates on the chassis, as shown in Fig. 3.25. The body for the passengers is not considered here. Form and construction of old coaches were nearly the same over decades; whether a coach was of light or heavy construction depended on its purpose and the road conditions, e.g. rough or uneven road surface.

In contrast to modern high-tech vehicles, for which a comprehensive specification of each item and its interaction with other items is carried out in detail, no specification and no dependability data of stagecoaches are known. In former times, only the knowledge and the experience of the coach-maker (manufacturer) and the coachman (driver) were responsible for the stagecoach dependability. To understand the former way of thinking as a basis for construction, manufacturing, operation, and maintenance, the treatise of [Felton 1794] is informative. The following excerpt is given as an example:

[Fig. 3.25: photo of the exhibited stagecoach with the chassis marked as the physical system.]

Fig. 3.25. Old horse-drawn stagecoach [mfk 2015] (Museum for Communication at Berlin).
The photos in Fig. 3.25-27 are taken by the author with kind permission of the Management of the Museum for Communication Berlin and the participating artist [mfk 2015].

[Fig. 3.26: photo with the component labels su_1, su_3, su_4, su_5, su_6, su_7 (part 1-of-2), dd_1 (part 1-of-2), dd_2, w_1 (with w_1.1, w_1.2, w_1.3, w_1.4, w_1.5), w_2, cp_1, cp_2, ax_1, sp_1, sp_2.]

Fig. 3.26. Components of the chassis [mfk 2015] (Museum for Communication Berlin, photo with courtesy of [Sous 1999]).

[Fig. 3.27: photo with the component labels br_1 (br_2 opposite), w_3, w_4, ax_2, sp_3, sp_4, su_2, su_7 (part 2-of-2).]

Fig. 3.27. Components of the chassis [mfk 2015].

[Felton 1794]: “Carriages frequently get out of repair, from the ignorance or inatten-
tion of the coachman, whose peculiar province it is to watch over the least injury the
carriage may sustain, and, by an immediate application of the proper remedy, to
prevent the extraordinary expence that must ensue, by suffering the injury to
remain for any considerable space of time unrepaired.“

The statement means that both up time and down time strongly depend on the judgement and decisions of the coachman, which can vary from person to person (high degree of uncertainty).

STEP 2. Objective system states

The objective is the evaluation of the indices of Eq. 1.5 (Chapter 1.2) of the follow-
ing system states including the consideration of aleatory and epistemic uncertainty
(Chapter 6).

System states 1
$U_{4w\_c}$: system up state 1 (operating state 1, Definitions 1.6, 1.8): the stagecoach
(index c) runs without severe failure of the chassis (4 wheels).
$D_{4w\_c}$: system down state 1 (non-operating state 1, Definition 1.12):
$D_{4w\_c} = \overline{U_{4w\_c}}$ (severe failure which causes an interruption of the journey).

System states 2
$U_{6w\_c}$: system up state 2 (operating state 2): the stagecoach runs without
severe failure of the chassis (4 wheels, additionally 1 front spare wheel and
1 rear spare wheel (6 wheels)).
$D_{6w\_c}$: system down state 2 (non-operating state 2): $D_{6w\_c} = \overline{U_{6w\_c}}$ (severe
failure of the chassis, which causes an interruption of the journey).

Remark: In case of a postponable stop due to component failure, the stagecoach
will be considered as being in the system up state (perhaps with restriction
of the speed or reduced brake effect).

The component indices in Table 3.4 consider only severe failure, which will
cause a system down state, hence an interruption of the journey.

STEP 3. Preconditions and assumptions

No difference will be made with respect to stagecoach construction, e.g. light or
heavy, various road conditions, number of horses, e.g. two or six. For the analysis,
it is assumed that the stagecoach shall be run over a mix of good and badly structured
routes, which is taken into account by a wide range of uncertainty in the calculation
of the system states, Table 3.4, red min-max area. Further, it is assumed
that at each central post station the chassis is inspected and, if necessary, maintained,
which e.g. includes lubrication of the stressed mechanical sliding parts and
preventive replacement of damaged or worn parts (if possible during a short stay,
otherwise the chassis is considered as $D_S$). These assumptions influence the input
indices of Table 3.4.

With the introduction of the express post (1821 in Preußen) the travel speed was
doubled to 8-10 km/hour on average [Büsch 1992], on well-developed routes even
higher. For the following analysis, the mean travel speed (average speed) is defined
as 15 km/hour (express mail).

STEP 4. Components and system(s)

The physical components are marked in Fig. 3.26-27. Only those components are
considered that are relevant for the system dependability. The mechanical parts,
made of timber and forged iron, are regarded as components.

Other definitions of physical components are also possible if component boundaries
are plausible and if statistical data exist or can be plausibly assumed. Often,
the definition of components is not simple; it depends on their impact on the system.
A component does not need to be one physical entity, it can consist of several
“distributed“ parts, e.g. su_7 consists of two parts (Fig. 3.26-27), which is a matter
of consideration of the item (Definition 1.2, abstraction). All components include
their mounting or attachment parts, e.g. splinting or screws. The brake subsystem
consists of two brake shoes including their brake mechanism parts. A distinction is
made between rear wheels and front wheels; the latter are normally smaller and
more stressed than rear wheels, so that two different spare wheels are necessary
if they are taken into account. In the dependability analysis, two spare wheels,
one for the front wheels and one for the rear wheels, are considered to study a
possible increase of system dependability.

The chassis of the stagecoach, Fig. 3.25, is defined as the physical system (with
four wheels (4w) or with six wheels including two spare wheels (6w)). For the
evaluation of the objective indices, several subsystems (Definition 1.3, Note 3) are
modeled in Fig. 3.28-30.

STEP 5. Input data

As mentioned before, no dependability data exist. The input data of Table 3.4 are
rough estimations of severe failures assumed by the author. The (arithmetic) mean
values are placed between the epistemic uncertainty values (min-max boundary,
similar to Eq. 6.27-28, Fig. 6.20), which are highlighted in red. High epistemic
uncertainty is assumed, taking into account the lack of knowledge, different operation
modes, and a wide range of road conditions (bad - good). Many components
are made of timber and cast iron, whose quality in the 19th century could differ
widely, e.g. depending on wood specification, manufacture, etc.

Epistemic and aleatory uncertainty are described in Chapter 6. Although the
understanding of Chapter 6 is necessary, uncertainty results are incorporated here to
complete the example, instead of scattering the example across the chapters.

STEP 6. Component modeling

Each component is modeled as a 2-state model, Fig. 3.2, with the terms of Fig. 1.2.

$U_C$: component up state := operating state (Definitions 1.6, 1.8),
$\mathrm{Ti}(U_C)$ := mean operating time to failure, MTTF (Definition 1.10).
$D_C$: component down state := non-operating state (Definition 1.12),
$\mathrm{Ti}(D_C)$ := mean time to restoration, MTTR (Definition 1.15).

Assumptions
1. Components are s-independent.
2. Components can contain a variety of failures. The effect ranges from an
immediate stop to a postponed stop.
Mean values and epistemic uncertainty boundaries min - max (uniform pdf)

Component                                  Abbre-   MDTF 1) / km                     Ti(U) 2) / h                Ti(D) 3) / h
                                           viation  min      mean     max           min     mean    max         min  mean  max
Wood spoked wheel inclusive wheel hub 4),  w_x.1    15,000   82,500   150,000       1,000   5,500   10,000      4    10    16
  x = 1 ... 4, (5, 6)
Iron mounting ring                         w_x.2    30,000   165,000  300,000       2,000   11,000  20,000      4    10    16
Wheel bearing mounting parts               w_x.3-5  150,000  825,000  1,500,000     10,000  55,000  100,000     12   30    48
Axle                                       ax_1, 2  150,000  825,000  1,500,000     10,000  55,000  100,000     12   30    48
Drawbar, part 1 and 2                      dd_1, 2  150,000  825,000  1,500,000     10,000  55,000  100,000     4    10    16
Center pivot ring (steerable front axle)   cp_1, 2  30,000   165,000  300,000       2,000   11,000  20,000      12   30    48
Leaf spring, sideways (wheels)             sp_1-4   45,000   247,500  450,000       3,000   16,500  30,000      4    10    16
Suspension for leaf springs, leaf spring   su_1-7   45,000   247,500  450,000       3,000   16,500  30,000      12   30    48
  crossbars (body)
Brake blocks 5)                            br_1, 2  15,000   82,500   150,000       1,000   5,500   10,000      4    10    16

1) MDTF: mean distance to failure. Relationship: MDTF = Ti(U) · v, with the mean travel speed v = 15 km/h defined in STEP 3.
2) Ti(U) = MTTF: (arithmetic) mean operating time to failure (Definition 1.10).
3) Ti(D) = MTTR: (arithmetic) mean time to restoration (Definition 1.15).
4) Assumption: the rupture of only one spoke is already defined as breakage of the wheel.
5) Assumption: the stagecoach is able to continue its journey with only one intact brake.

Table 3.4. Input indices: assumed MDTF, Ti(U), Ti(D) and their epistemic uncertainty parameters (min-max, uniform
pdf of the Ti values) of the components of the chassis.

STEP 7, 8. System modeling and evaluation

Fig. 3.28-31 show the stepwise developed DBD of the subsystems and the sys-
tem. Table 3.5-14 show their calculation results. The system model corresponds to
Fig 1.7.

The system indices of Eq. 1.5 (Chapter 1.2) are calculated in the following three
ways.
1. MC-approach, upper boundary approximation, Eq. 3.46-47, results in Eq.
3.191-232.
2. Exact calculation, Eq. 3.21-26 (for series structure), Eq. 3.30-35 (for parallel
structure), results in Table 3.5, 3.7, 3.9, 3.11, and 3.13.
3. AU calculation and EUAU simulation take into account the red highlighted
uncertainty parameters of Table 3.4 (according to the procedure in Chapter 6,
Fig. 6.29). For each cycle of the EUAU evaluation, every single MC of the Fig.
3.28-31 is simulated and connected together according to Fig. 3.7. The eva-
luation results are shown in Table 3.6, 3.8, 3.10, 3.12, and 3.14.

Numerical deviations can occur due to the limited number of simulations, discretization
steps, and rounding errors. The deviations between the approximate results of the
MC approach and the exact calculation are negligibly small.

Fig. 3.28. DBD of each cartwheel subsystem w_x (1 wheel), x = 1 ... 6 (x = 5, 6: spare wheels): the components w_x.1 (wood spoked wheel), w_x.2 (iron mounting ring) and w_x.3, w_x.4, w_x.5 (wheel bearing mounting parts) in series, i.e. the 1st-order minimal cuts MC_w_x.1 ... MC_w_x.5.

Component indices

$\Pr(D_{w\_x.i}) = \dfrac{\mathrm{Ti}(D_{w\_x.i})}{\mathrm{Ti}(U_{w\_x.i}) + \mathrm{Ti}(D_{w\_x.i})}, \quad x = 1\ldots6,\ i = 1\ldots5$ (3.191)

$\mathrm{Fr}(D_{w\_x.i}) = \dfrac{1}{\mathrm{Ti}(U_{w\_x.i}) + \mathrm{Ti}(D_{w\_x.i})}, \quad x = 1\ldots6,\ i = 1\ldots5$ (3.192)

Mean values of the w_x subsystem (1 wheel) are calculated with the approximate
MC approach, Eq. 3.46-47.

$\Pr(D_{w\_x}) \le \sum_{\forall i} \Pr(MC_{w\_x.i}) = \sum_{i=1}^{5} \Pr(D_{w\_x.i}) = 4.36 \cdot 10^{-3}$ (3.193)

$\Pr(U_{w\_x}) = 1 - \Pr(D_{w\_x}) > 0.99564$ (3.194)

$\mathrm{Fr}(D_{w\_x}) \le \sum_{\forall i} \mathrm{Fr}(MC_{w\_x.i}) = \sum_{i=1}^{5} \mathrm{Fr}(D_{w\_x.i}) = 3.27 \cdot 10^{-4}\ \mathrm{h}^{-1}$ (3.195)

$\mathrm{Fr}(U_{w\_x}) = \mathrm{Fr}(D_{w\_x}) \le 3.27 \cdot 10^{-4}\ \mathrm{h}^{-1}$ (3.196)

$\mathrm{Ti}(U_{w\_x}) = \dfrac{\Pr(U_{w\_x})}{\mathrm{Fr}(U_{w\_x})} \approx 3.05 \cdot 10^{3}\ \mathrm{h}$ (MTTSF) (3.197)

$\mathrm{Ti}(D_{w\_x}) = \dfrac{\Pr(D_{w\_x})}{\mathrm{Fr}(D_{w\_x})} \approx 1.33 \cdot 10^{1}\ \mathrm{h}$ (MTTSR) (3.198)

The exact mean values of the w_x subsystem are shown in Table 3.5. The AU and
EUAU indices are listed in Table 3.6.

Fig. 3.28, exact calculation

                    Ti(U_w_x) / h   Ti(D_w_x) / h   Pr(U_w_x)   Pr(D_w_x)   Fr(U_w_x) / h^-1   Fr(D_w_x) / h^-1
(Arithmetic) mean   3.06E+03        1.33E+01        0.99565     4.35E-03    3.26E-04           3.26E-04

Table 3.5. Cartwheel subsystem w_x (1 wheel).

w_x, AU calculation (Drenick's theorem) 1)

                 t(U_w_x) / h   t(D_w_x) / h   Pr(D_w_x) 2)
min (10 %)       3.22E+02       1.40E+00       1.99E-04
median (50 %)    2.12E+03       9.22E+00
mean             3.06E+03       1.33E+01       4.35E-03 3)
max (90 %)       7.05E+03       3.06E+01       8.68E-02
(mean t(U_w_x) = MTTSF, mean t(D_w_x) = MTTSR)

w_x, EUAU

                 t(U_w_x) / h   t(D_w_x) / h   Pr(D_w_x) 2)
min (10 %)       2.34E+02       1.43E+00       2.33E-04
median (50 %)    1.63E+03       9.58E+00
mean             2.56E+03       1.42E+01       6.11E-03 5)
max (90 %)       6.13E+03       3.31E+01       1.24E-01
(mean t(U_w_x) = MTTSF_EUAU ≡ MTTSF_EU 4), mean t(D_w_x) = MTTSR_EUAU ≡ MTTSR_EU 4))

1) Basis for the AU calculation are the rounded values in Table 3.5.
2) min-max boundary calculation of Pr(D_w_x).
3) Pr(D_w_x) = t(D_w_x)_mean / (t(U_w_x)_mean + t(D_w_x)_mean), independent of the
shape of the f(t(...)). The minor deviation compared to the exact calculation is caused
by rounding errors of the t(...) mean values.
4) Minor deviations are caused by numerical errors, see Remark in Appendix 6.8.
5) Pr(D_w_x) is transferred from the EU simulation (here not displayed).
An overview of the calculation/simulation steps is given in Fig. 6.29.

Table 3.6. Cartwheel subsystem w_x (1 wheel).


Fig. 3.29. DBD of the cartwheel subsystem 4w (without spare wheel): the four wheel subsystems U_w_1 ... U_w_4 (Fig. 3.28) in series, i.e. the minimal cuts MC_4w_1 ... MC_4w_4.

Component indices

$\Pr(D_{w\_i}) = \dfrac{\mathrm{Ti}(D_{w\_i})}{\mathrm{Ti}(U_{w\_i}) + \mathrm{Ti}(D_{w\_i})}, \quad i = 1\ldots4$ (3.199)

$\mathrm{Fr}(D_{w\_i}) = \dfrac{1}{\mathrm{Ti}(U_{w\_i}) + \mathrm{Ti}(D_{w\_i})}, \quad i = 1\ldots4$ (3.200)

Mean values of the 4w subsystem are calculated with the approximate MC
approach.

$\Pr(D_{4w}) \le \sum_{\forall i} \Pr(MC_{4w\_i}) = \sum_{i=1}^{4} \Pr(D_{w\_i}) = 1.74 \cdot 10^{-2}$ (3.201)

$\Pr(U_{4w}) = 1 - \Pr(D_{4w}) > 0.9826$ (3.202)

$\mathrm{Fr}(D_{4w}) \le \sum_{\forall i} \mathrm{Fr}(MC_{4w\_i}) = \sum_{i=1}^{4} \mathrm{Fr}(D_{w\_i}) = 1.31 \cdot 10^{-3}\ \mathrm{h}^{-1}$ (3.203)

$\mathrm{Fr}(U_{4w}) = \mathrm{Fr}(D_{4w}) \le 1.31 \cdot 10^{-3}\ \mathrm{h}^{-1}$ (3.204)

$\mathrm{Ti}(U_{4w}) = \dfrac{\Pr(U_{4w})}{\mathrm{Fr}(U_{4w})} \approx 7.52 \cdot 10^{2}\ \mathrm{h}$ (MTTSF) (3.205)

$\mathrm{Ti}(D_{4w}) = \dfrac{\Pr(D_{4w})}{\mathrm{Fr}(D_{4w})} \approx 1.33 \cdot 10^{1}\ \mathrm{h}$ (MTTSR) (3.206)

The exact mean values of the 4w subsystem are shown in Table 3.7. The AU and
EUAU indices are listed in Table 3.8.

Fig. 3.29, exact calculation

                    Ti(U_4w) / h   Ti(D_4w) / h   Pr(U_4w)   Pr(D_4w)   Fr(U_4w) / h^-1   Fr(D_4w) / h^-1
(Arithmetic) mean   7.64E+02       1.34E+01       0.9827     1.73E-02   1.29E-03          1.29E-03

Table 3.7. Cartwheel subsystem 4w.

4w, AU calculation (Drenick's theorem) 1)

                 t(U_4w) / h   t(D_4w) / h   Pr(D_4w) 2)
min (10 %)       8.05E+01      1.41E+00      8.00E-04
median (50 %)    5.30E+02      9.29E+00
mean             7.64E+02      1.34E+01      1.73E-02 3)
max (90 %)       1.76E+03      3.09E+01      2.77E-01
(mean t(U_4w) = MTTSF, mean t(D_4w) = MTTSR)

4w, EUAU

                 t(U_4w) / h   t(D_4w) / h   Pr(D_4w) 2)
min (10 %)       5.73E+01      1.43E+00      1.07E-03
median (50 %)    3.84E+02      9.49E+00
mean             5.71E+02      1.38E+01      2.42E-02 5)
max (90 %)       1.33E+03      3.20E+01      3.58E-01
(mean t(U_4w) = MTTSF_EUAU ≡ MTTSF_EU 4), mean t(D_4w) = MTTSR_EUAU ≡ MTTSR_EU 4))

1) Basis for the AU calculation are the rounded values in Table 3.7.
2) min-max boundary calculation of Pr(D_4w).
3) Pr(D_4w) = t(D_4w)_mean / (t(U_4w)_mean + t(D_4w)_mean), independent of the shape
of the f(t(...)). The minor deviation compared to the exact calculation is caused by
rounding errors of the t(...) mean values.
4) Minor deviations are caused by numerical errors, see Remark in Appendix 6.8.
5) Pr(D_4w) is transferred from the EU simulation (here not displayed).
An overview of the calculation/simulation steps is given in Fig. 6.29.

Table 3.8. Cartwheel subsystem 4w.


Fig. 3.30. DBD of the cartwheel subsystem 6w (with front and rear spare wheels). Front: U_w_1, U_w_2 and the front spare wheel U_w_f_res form a 2-out-of-3 structure (U_3w-front); rear: U_w_3, U_w_4 and the rear spare wheel U_w_r_res likewise (U_3w-rear). Expanded into 2nd-order minimal cuts MC_6w_1 ... MC_6w_6, i.e. U_6w_1 ... U_6w_6 in series: {w_1, w_2}, {w_1, w_f_res}, {w_2, w_f_res}, {w_3, w_4}, {w_3, w_r_res}, {w_4, w_r_res}.

With Eq. 3.59-61, the indices Pr, Ti, and Fr of $MC_{6w\_i}$ are calculated ($w_j$, $w_k$: the two
wheels of cut $i$, Fig. 3.30).

$\Pr(MC_{6w\_i}) = \Pr(D_{6w\_i}) = \Pr(D_{w\_j})\,\Pr(D_{w\_k}), \quad i = 1, 2 \ldots 6$ (3.207)

$\Pr(MC_{6w\_i}) = 1.90 \cdot 10^{-5}$ (3.208)

$\dfrac{1}{\mathrm{Ti}(MC_{6w\_i})} = \dfrac{1}{\mathrm{Ti}(D_{w\_j})} + \dfrac{1}{\mathrm{Ti}(D_{w\_k})} = 1.50 \cdot 10^{-1}\ \mathrm{h}^{-1}$ (3.209)

$\mathrm{Fr}(MC_{6w\_i}) = \dfrac{\Pr(MC_{6w\_i})}{\mathrm{Ti}(MC_{6w\_i})} = 2.85 \cdot 10^{-6}\ \mathrm{h}^{-1}$ (3.210)

Mean values of the 6w subsystem (4w + 2w spare) are calculated with the approximate
MC approach.

$\Pr(D_{6w}) \le \sum_{\forall i} \Pr(MC_{6w\_i}) = 1.14 \cdot 10^{-4}, \quad i = 1, 2 \ldots 6$ (3.211)

$\Pr(U_{6w}) = 1 - \Pr(D_{6w}) > 0.999886$ (3.212)

$\mathrm{Fr}(D_{6w}) \le \sum_{\forall i} \mathrm{Fr}(MC_{6w\_i}) = 1.71 \cdot 10^{-5}\ \mathrm{h}^{-1}$ (3.213)

$\mathrm{Fr}(U_{6w}) = \mathrm{Fr}(D_{6w}) \le 1.71 \cdot 10^{-5}\ \mathrm{h}^{-1}$ (3.214)

$\mathrm{Ti}(U_{6w}) = \dfrac{\Pr(U_{6w})}{\mathrm{Fr}(U_{6w})} \approx 5.85 \cdot 10^{4}\ \mathrm{h}$ (MTTSF) (3.215)

$\mathrm{Ti}(D_{6w}) = \dfrac{\Pr(D_{6w})}{\mathrm{Fr}(D_{6w})} \approx 6.67\ \mathrm{h}$ (MTTSR) (3.216)

The exact mean values of the 6w subsystem are shown in Table 3.9. The AU and
EUAU indices are listed in Table 3.10.

Fig. 3.30, exact calculation

                    Ti(U_6w) / h   Ti(D_6w) / h   Pr(U_6w)   Pr(D_6w)   Fr(U_6w) / h^-1   Fr(D_6w) / h^-1
(Arithmetic) mean   5.85E+04       6.67E+00       0.999886   1.14E-04   1.71E-05          1.71E-05

Table 3.9. Cartwheel subsystem 6w.

6w, AU calculation (Drenick's theorem) 1)

                 t(U_6w) / h   t(D_6w) / h   Pr(D_6w) 2)
min (10 %)       6.16E+03      7.03E-01      5.21E-06
median (50 %)    4.05E+04      4.62E+00
mean             5.85E+04      6.67E+00      1.14E-04 3)
max (90 %)       1.35E+05      1.54E+01      2.49E-03
(mean t(U_6w) = MTTSF, mean t(D_6w) = MTTSR)

6w, EUAU

                 t(U_6w) / h   t(D_6w) / h   Pr(D_6w) 2)
min (10 %)       3.40E+03      6.10E-01      8.06E-06
median (50 %)    2.25E+04      4.02E+00
mean             3.28E+04      5.77E+00      1.77E-04 5)
max (90 %)       7.57E+04      1.34E+01      3.93E-03
(mean t(U_6w) = MTTSF_EUAU ≡ MTTSF_EU 4), mean t(D_6w) = MTTSR_EUAU ≡ MTTSR_EU 4))

1) Basis for the AU calculation are the rounded values in Table 3.9.
2) min-max boundary calculation of Pr(D_6w).
3) Pr(D_6w) = t(D_6w)_mean / (t(U_6w)_mean + t(D_6w)_mean), independent of the shape
of the f(t(...)). The minor deviation compared to the exact calculation is caused by
rounding errors of the t(...) mean values.
4) Minor deviations are caused by numerical errors, see Remark in Appendix 6.8.
5) Pr(D_6w) is transferred from the EU simulation (here not displayed).
An overview of the calculation/simulation steps is given in Fig. 6.29.

Table 3.10. Cartwheel subsystem 6w.


Fig. 3.31. DBD of the system: chassis of the carriage, 4w_c and 6w_c (U_chassis). Series structure of: 2 axles (U_ax_1, U_ax_2: MC1, MC2), drawbar part 1 and part 2 (U_dd_1, U_dd_2: MC3, MC4), 2 center pivot rings of the steerable front axle (U_cp_1, U_cp_2: MC5, MC6), 4 leaf springs (U_sp_1 ... U_sp_4: MC7 ... MC10), 7 suspensions for the leaf springs (U_su_1 ... U_su_7: MC11 ... MC17), the 2 brakes in parallel (U_br_1,2: MC18), and the cartwheel subsystem U_4w (Fig. 3.29) or U_6w (Fig. 3.30).

4w_c (38 MC): MC1 ... MC38 (MC1 ... MC18 + MC4w_1 ... MC4w_4, each MC4w_x consisting of 5 MC).
6w_c (168 MC): MC1 ... MC168 (MC1 ... MC18 + MC6w_1 ... MC6w_6, each MC6w_i consisting of 25 MC).

With Eq. 3.59-61, the indices of $MC_{br\_1,2}$ are calculated.

$\Pr(MC_{br\_1,2}) = \Pr(D_{br\_1,2}) = \Pr(D_{br\_1})\,\Pr(D_{br\_2})$ (3.217)

$= \left(\dfrac{\mathrm{Ti}(D_{br\_1})}{\mathrm{Ti}(U_{br\_1}) + \mathrm{Ti}(D_{br\_1})}\right)\left(\dfrac{\mathrm{Ti}(D_{br\_2})}{\mathrm{Ti}(U_{br\_2}) + \mathrm{Ti}(D_{br\_2})}\right) = 3.29 \cdot 10^{-6}$ (3.218)

$\dfrac{1}{\mathrm{Ti}(MC_{br\_1,2})} = \dfrac{1}{\mathrm{Ti}(D_{br\_1})} + \dfrac{1}{\mathrm{Ti}(D_{br\_2})} = 2.00 \cdot 10^{-1}\ \mathrm{h}^{-1}$ (3.219)

$\mathrm{Fr}(MC_{br\_1,2}) = \dfrac{\Pr(MC_{br\_1,2})}{\mathrm{Ti}(MC_{br\_1,2})} = 6.59 \cdot 10^{-7}\ \mathrm{h}^{-1}$ (3.220)

Mean values of the 4w chassis (4w_c) are calculated with the approximate MC
approach.

$\Pr(D_{4w\_c}) \le \Pr(D_{4w}) + \sum_{\forall i} \Pr(MC_i) = 3.95 \cdot 10^{-2}, \quad i = 1\ldots18$ (3.221)

$\Pr(U_{4w\_c}) = 1 - \Pr(D_{4w\_c}) > 0.9605$ (3.222)

$\mathrm{Fr}(D_{4w\_c}) \le \mathrm{Fr}(D_{4w}) + \sum_{\forall i} \mathrm{Fr}(MC_i) = 2.23 \cdot 10^{-3}\ \mathrm{h}^{-1}, \quad i = 1\ldots18$ (3.223)

$\mathrm{Fr}(U_{4w\_c}) = \mathrm{Fr}(D_{4w\_c}) \le 2.23 \cdot 10^{-3}\ \mathrm{h}^{-1}$ (3.224)

$\mathrm{Ti}(U_{4w\_c}) = \dfrac{\Pr(U_{4w\_c})}{\mathrm{Fr}(U_{4w\_c})} \approx 4.31 \cdot 10^{2}\ \mathrm{h}$ (MTTSF) (3.225)

$\mathrm{Ti}(D_{4w\_c}) = \dfrac{\Pr(D_{4w\_c})}{\mathrm{Fr}(D_{4w\_c})} \approx 1.77 \cdot 10^{1}\ \mathrm{h}$ (MTTSR) (3.226)

The exact mean values of the 4w_c system are shown in Table 3.11. The AU and
EUAU indices are listed in Table 3.12.

Fig. 3.31, exact calculation

                    Ti(U_4w_c) / h   Ti(D_4w_c) / h   Pr(U_4w_c)   Pr(D_4w_c)   Fr(U_4w_c) / h^-1   Fr(D_4w_c) / h^-1
(Arithmetic) mean   4.48E+02         1.81E+01         0.9613       3.87E-02     2.14E-03            2.14E-03

Table 3.11. System 4w_c.


4w_c, AU calculation (Drenick's theorem) 1)

                 t(U_4w_c) / h   t(D_4w_c) / h   Pr(D_4w_c) 2)
min (10 %)       4.72E+01        1.91E+00        1.85E-03
median (50 %)    3.11E+02        1.25E+01
mean             4.48E+02        1.81E+01        3.87E-02 3)
max (90 %)       1.03E+03        4.17E+01        4.69E-01
(mean t(U_4w_c) = MTTSF, mean t(D_4w_c) = MTTSR)

4w_c, EUAU

                 t(U_4w_c) / h   t(D_4w_c) / h   Pr(D_4w_c) 2)
min (10 %)       3.37E+01        1.91E+00        2.52E-03
median (50 %)    2.23E+02        1.27E+01
mean             3.26E+02        1.84E+01        5.30E-02 5)
max (90 %)       7.55E+02        4.25E+01        5.58E-01
(mean t(U_4w_c) = MTTSF_EUAU ≡ MTTSF_EU 4), mean t(D_4w_c) = MTTSR_EUAU ≡ MTTSR_EU 4))

1) Basis for the AU calculation are the rounded values in Table 3.11.
2) min-max boundary calculation of Pr(D_4w_c).
3) Pr(D_4w_c) = t(D_4w_c)_mean / (t(U_4w_c)_mean + t(D_4w_c)_mean), independent of
the shape of the f(t(...)). The minor deviation compared to the exact calculation is
caused by rounding errors of the t(...) mean values.
4) Minor deviations are caused by numerical errors, see Remark in Appendix 6.8.
5) Pr(D_4w_c) is transferred from the EU simulation (here not displayed).
An overview of the calculation/simulation steps is given in Fig. 6.29.

Table 3.12. System 4w_c.


Mean values of the 6w chassis (6w_c) are calculated with the approximate MC
approach.

$\Pr(D_{6w\_c}) \le \Pr(D_{6w}) + \sum_{\forall i} \Pr(MC_i) = 2.21 \cdot 10^{-2}, \quad i = 1\ldots18$ (3.227)

$\Pr(U_{6w\_c}) = 1 - \Pr(D_{6w\_c}) > 0.9779$ (3.228)

$\mathrm{Fr}(D_{6w\_c}) \le \mathrm{Fr}(D_{6w}) + \sum_{\forall i} \mathrm{Fr}(MC_i) = 9.38 \cdot 10^{-4}\ \mathrm{h}^{-1}, \quad i = 1\ldots18$ (3.229)

$\mathrm{Fr}(U_{6w\_c}) = \mathrm{Fr}(D_{6w\_c}) \le 9.38 \cdot 10^{-4}\ \mathrm{h}^{-1}$ (3.230)

$\mathrm{Ti}(U_{6w\_c}) = \dfrac{\Pr(U_{6w\_c})}{\mathrm{Fr}(U_{6w\_c})} \approx 1.04 \cdot 10^{3}\ \mathrm{h}$ (MTTSF) (3.231)

$\mathrm{Ti}(D_{6w\_c}) = \dfrac{\Pr(D_{6w\_c})}{\mathrm{Fr}(D_{6w\_c})} \approx 2.36 \cdot 10^{1}\ \mathrm{h}$ (MTTSR) (3.232)

The exact mean values of the 6w_c system are shown in Table 3.13. The AU and
EUAU indices are listed in Table 3.14.

Fig. 3.31, exact calculation

                    Ti(U_6w_c) / h   Ti(D_6w_c) / h   Pr(U_6w_c)   Pr(D_6w_c)   Fr(U_6w_c) / h^-1   Fr(D_6w_c) / h^-1
(Arithmetic) mean   1.07E+03         2.39E+01         0.9781       2.19E-02     9.18E-04            9.18E-04

Table 3.13. System 6w_c.


6w_c, AU calculation (Drenick's theorem) 1)

                 t(U_6w_c) / h   t(D_6w_c) / h   Pr(D_6w_c) 2)
min (10 %)       1.13E+02        2.52E+00        1.02E-03
median (50 %)    7.42E+02        1.66E+01
mean             1.07E+03        2.39E+01        2.19E-02 3)
max (90 %)       2.46E+03        5.50E+01        3.27E-01
(mean t(U_6w_c) = MTTSF, mean t(D_6w_c) = MTTSR)

6w_c, EUAU

                 t(U_6w_c) / h   t(D_6w_c) / h   Pr(D_6w_c) 2)
min (10 %)       8.00E+01        2.49E+00        1.37E-03
median (50 %)    5.31E+02        1.65E+01
mean             7.79E+02        2.41E+01        3.07E-02 5)
max (90 %)       1.81E+03        5.57E+01        4.10E-01
(mean t(U_6w_c) = MTTSF_EUAU ≡ MTTSF_EU 4), mean t(D_6w_c) = MTTSR_EUAU ≡ MTTSR_EU 4))

1) Basis for the AU calculation are the rounded values in Table 3.13.
2) min-max boundary calculation of Pr(D_6w_c).
3) Pr(D_6w_c) = t(D_6w_c)_mean / (t(U_6w_c)_mean + t(D_6w_c)_mean), independent of
the shape of the f(t(...)). The minor deviation compared to the exact calculation is
caused by rounding errors of the t(...) mean values.
4) Minor deviations are caused by numerical errors, see Remark in Appendix 6.8.
5) Pr(D_6w_c) is transferred from the EU simulation (here not displayed).
An overview of the calculation/simulation steps is given in Fig. 6.29.

Table 3.14. System 6w_c.
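The MC upper-bound evaluation of Eq. 3.191-3.232 and the AU rows of Tables 3.6, 3.8, 3.10, 3.12 and 3.14, carried through in Python as an added worked example (not code from the book). It takes the mean Ti(U) and Ti(D) of Table 3.4, builds the 1st-order cuts of Fig. 3.28, 3.29 and 3.31, the 2nd-order cuts of Fig. 3.30 and the brake pair with Eq. 3.59-61, and derives Pr, Fr, MTTSF and MTTSR of w_x, 4w_c and 6w_c. The AU part assumes, as the tables do under Drenick's theorem, that t(U) and t(D) are exponentially distributed with means MTTSF and MTTSR, so that the 10 %, 50 % and 90 % values are the quantiles -m ln(1 - p), and it forms the min/max of Pr(D) from the 10 % and 90 % quantiles of t(D) and t(U) (footnote 2 of the tables); the EUAU simulation is not reproduced. The function names and the dictionary TABLE_3_4 are the example's own.

```python
"""Minimal-cut (MC) upper-bound evaluation of the stagecoach chassis from the
Table 3.4 means, plus the AU quantiles of Drenick's theorem.  Added worked
example, not the book's code.  Assumptions: s-independent components, mean
values of Table 3.4, exponentially distributed t(U) and t(D) for the AU part."""
import math

# mean Ti(U) [h], Ti(D) [h] per component type (Table 3.4, mean columns)
TABLE_3_4 = {
    "w_x.1": (5500, 10), "w_x.2": (11000, 10),
    "w_x.3": (55000, 30), "w_x.4": (55000, 30), "w_x.5": (55000, 30),
    "ax": (55000, 30), "dd": (55000, 10), "cp": (11000, 30),
    "sp": (16500, 10), "su": (16500, 30), "br": (5500, 10),
}

def comp_indices(ti_u, ti_d):
    """Eq. 3.191-192: (Pr(D), Fr(D)) of a 2-state component."""
    return ti_d / (ti_u + ti_d), 1.0 / (ti_u + ti_d)

def series_mc(cuts):
    """Eq. 3.46-47 (MC approach): sum the cuts of a series structure.
    cuts: list of (Pr, Fr) pairs.  Returns Pr(D), Fr(D), Ti(U), Ti(D)."""
    pr_d = sum(p for p, _ in cuts)
    fr_d = sum(f for _, f in cuts)
    return pr_d, fr_d, (1.0 - pr_d) / fr_d, pr_d / fr_d

def parallel_pair(pr1, ti_d1, pr2, ti_d2):
    """Eq. 3.59-61: 2nd-order cut of two s-independent items in parallel."""
    pr = pr1 * pr2
    ti = 1.0 / (1.0 / ti_d1 + 1.0 / ti_d2)
    return pr, pr / ti

def wheel():
    """Cartwheel subsystem w_x (Fig. 3.28): five parts in series."""
    parts = [comp_indices(*TABLE_3_4[f"w_x.{i}"]) for i in range(1, 6)]
    return series_mc(parts)

def chassis_rest():
    """MC1 ... MC18 of Fig. 3.31: 2 ax, 2 dd, 2 cp, 4 sp, 7 su and the brake
    pair br_1,2 (one intact brake suffices, Table 3.4 footnote 5)."""
    cuts = []
    for name, n in (("ax", 2), ("dd", 2), ("cp", 2), ("sp", 4), ("su", 7)):
        cuts += [comp_indices(*TABLE_3_4[name])] * n
    pr_br, _ = comp_indices(*TABLE_3_4["br"])
    ti_d_br = TABLE_3_4["br"][1]
    cuts.append(parallel_pair(pr_br, ti_d_br, pr_br, ti_d_br))
    return cuts

def system(spare_wheels):
    """4w_c (spare_wheels=False) or 6w_c (True): Pr(D), Fr(D), MTTSF, MTTSR."""
    pr_w, fr_w, _, ti_d_w = wheel()
    if spare_wheels:
        # Fig. 3.30: six 2nd-order cuts, each two wheels of a 2oo3 group down
        wheel_cuts = [parallel_pair(pr_w, ti_d_w, pr_w, ti_d_w)] * 6
    else:
        wheel_cuts = [(pr_w, fr_w)] * 4      # Fig. 3.29: four wheels in series
    return series_mc(wheel_cuts + chassis_rest())

def au_quantiles(mean, probs=(0.10, 0.50, 0.90)):
    """Drenick: exponential pdf with the given mean, quantile t_p = -m ln(1-p)."""
    return [-mean * math.log(1.0 - p) for p in probs]

def pr_d_bounds(mttsf, mttsr):
    """Footnote 2 of Table 3.6 ff.: min/max of Pr(D) from the 10 % and 90 %
    quantiles of t(D) and t(U)."""
    u10, _, u90 = au_quantiles(mttsf)
    d10, _, d90 = au_quantiles(mttsr)
    return d10 / (u90 + d10), d90 / (u10 + d90)

if __name__ == "__main__":
    for spare in (False, True):
        pr_d, fr_d, mttsf, mttsr = system(spare)
        print("6w_c" if spare else "4w_c",
              f"Pr(D)={pr_d:.3e} Fr(D)={fr_d:.3e}/h MTTSF={mttsf:.3e} h MTTSR={mttsr:.3e} h")
        print("  t(U) 10/50/90 %:", ["%.3e" % q for q in au_quantiles(mttsf)],
              " Pr(D) min/max:", ["%.3e" % b for b in pr_d_bounds(mttsf, mttsr)])
```

Run stand-alone it prints the 4w_c and 6w_c lines; the returned values agree with Eq. 3.221-3.232 and with the AU rows of Tables 3.6 ff. to the rounding of the book. The upper-bound character of the MC approach is visible in `series_mc`: Pr(D) is a plain sum of cut probabilities, which slightly overstates the exact series value (Table 3.11 vs. Eq. 3.221).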

Conclusion

1. System 4w_c (Fig. 3.31, no spare wheels, EUAU Table 3.12, t(U_4w_c)): 90 %
of the stagecoaches run free of severe failure for 506 km (33.7 h × 15 km/h), 50 %
for more than 3,345 km (223 h × 15 km/h) and 10 % for more than 11,325 km (755 h
× 15 km/h).

2. System 6w_c (Fig. 3.31, with spare wheels, EUAU Table 3.14, t(U_6w_c)): 90 %
of the stagecoaches run free of severe failure for 1,200 km (80 h × 15 km/h),
50 % for more than 7,965 km (531 h × 15 km/h) and 10 % for more than 27,150 km
(1,810 h × 15 km/h).
Redundancy (including spare wheels) improves the dependability of the stagecoach,
e.g. from 3,345 km (median t(U_4w_c)) to 7,965 km (median t(U_6w_c)),
the non-redundant components (MC1 - MC17, Fig. 3.31) included.

3. Cartwheel subsystem 4w (series structure, Fig. 3.29, EUAU Table 3.8): median
failure-free running distance 5,760 km (384 h × 15 km/h).

4. Cartwheel subsystem 6w (series of parallel structures, Fig. 3.30, EUAU
Table 3.10): median failure-free running distance 337,500 km (22,500 h × 15 km/h).
The spare wheels increase the dependability of the cartwheel subsystem by about
the factor 59 (median). The additional series structure, expressed by
MC1 - MC17, Fig. 3.31, deteriorates the dependability of the systems 4w_c and
6w_c, so that the factor declines strongly from 59 to 2.4 (see point 2).

5. AU and the high EU of the input parameters are responsible for the wide spread
of the results (min/max values of EUAU), see Tables 3.6, 3.8, 3.10, 3.12 and
3.14.

6. Despite the high uncertainty of the (analytically calculated) AU results (grey
highlighted tables), the simulated EUAU results (grey/red highlighted tables)
agree well with them (e.g. ratio t(U_4w_c)_AU / t(U_4w_c)_EUAU ≤ 1.40,
t(U_6w_c)_AU / t(U_6w_c)_EUAU ≤ 1.41). That is because AU has a
larger influence than EU (within EUAU).
Despite the wide spread of the EU component uncertainties (factor 10), EU in
addition to AU deteriorates the system results by less than the factor 1.4
(see Chapter 6.6.3.2 (EUAU conclusion)).

3.10 Appendix

3.10.1 Derivation of Eq. 3.137


Starting point: the approximation (Eq. 3.136) $\Pr(U_S)^{\approx} = (1 - \Pr(D))^n (1 - \Pr(F))^n$ minus
the exact value (Eq. 3.121) $\Pr(U_S)^{=} = \Pr(U)^n$ results in $\Delta\Pr(U_S)_{abs}$, which can be solved
for $n$ (with $\Pr(U) = 1 - \Pr(D) - \Pr(F)$).

$\Delta\Pr(U_S)_{abs} = \Pr(U_S)^{\approx} - \Pr(U_S)^{=}$ (3.233)

$= (1 - \Pr(D))^n (1 - \Pr(F))^n - \Pr(U)^n$ (3.234)

$= \big((1 - \Pr(D))(1 - \Pr(F))\big)^n - \Pr(U)^n$ (3.235)

$= \big(1 - \Pr(D) - \Pr(F) + \Pr(D)\Pr(F)\big)^n - \Pr(U)^n$ (3.236)

$= \big(\Pr(U) + \Pr(D)\Pr(F)\big)^n - \Pr(U)^n$ (3.237)

$\Delta\Pr(U_S)_{rel} = \dfrac{\Delta\Pr(U_S)_{abs}}{\Pr(U)^n} = \left(1 + \dfrac{\Pr(D)\Pr(F)}{\Pr(U)}\right)^n - 1$ (3.238)

$\Delta\Pr(U_S)_{rel} = \left(1 + \dfrac{\Pr(D)\Pr(F)}{\Pr(U)}\right)^n - 1$ (3.239)

$\left(1 + \dfrac{\Pr(D)\Pr(F)}{\Pr(U)}\right)^n = \Delta\Pr(U_S)_{rel} + 1$ (3.240)

$n = \dfrac{\ln\big(1 + \Delta\Pr(U_S)_{rel}\big)}{\ln\left(1 + \dfrac{\Pr(D)\Pr(F)}{\Pr(U)}\right)}$ (3.241)

With the approximation $\ln(1 + x) \approx x$ for $x \ll 1$ follows

$n \approx \dfrac{\Delta\Pr(U_S)_{rel}\,\Pr(U)}{\Pr(D)\Pr(F)} \quad$ for $\Delta\Pr(U_S)_{rel} \ll 1$ and $\dfrac{\Pr(D)\Pr(F)}{\Pr(U)} \ll 1$ (3.242)

3.10.2 Derivation of $VFC^{2DF}$, $VFC^{2FD}$, and $VMC^{2DF}$

I (Fig. 3.22, initial structure)

Remark: All the following combinations are included in $VMC^{DF}_1$. The same is valid
for the following pages.

Cases 1, 2 (violate the monotony condition, with reference to $VMC^{DF}_1$):
$VFC^{2DF}_1 = F_{i,1} \wedge D_{i,3} \wedge D_{i+1,3}$, $i = 1 \ldots 111$
Cases 3, 4 (violate the monotony condition, with reference to $VMC^{DF}_1$):
$VFC^{2DF}_2 = F_{i,1} \wedge D_{i,3} \wedge D_{i+1,4}$, $i = 1 \ldots 111$

The same constellation holds for II, III, and IV (Fig. 3.22): $VFC^{2DF}_3 \ldots VFC^{2DF}_8$;
$VFC^{2DF} = \bigcup_{i=1}^{8} VFC^{2DF}_i$.

Fig. 3.32. $VFC^{2DF} \subset VMC^{DF}$ (illustrated in Fig. 3.24).

V + VI (Fig. 3.23, two initial structures): $VMC^{2F}_1$, $VMC^{2F}_2$ (failure modes $F_X$, $F_Y$; cases 1, 2)

$VFC^{2FD}_1 = F_{i,1} \wedge F_{i,2} \wedge D_{i,3}$, $i = 1 \ldots 112$; $VFC^{2FD}_3 = F_{i,1} \wedge F_{i,2} \wedge D_{i,4}$, $i = 1 \ldots 112$
$VFC^{2FD}_2 = F_{i,3} \wedge F_{i,4} \wedge D_{i,2}$, $i = 1 \ldots 112$; $VFC^{2FD}_4 = F_{i,3} \wedge F_{i,4} \wedge D_{i,1}$, $i = 1 \ldots 112$

Fig. 3.33. $VFC^{2FD}_{1,3} \subset VMC^{2F}_1$, $VFC^{2FD}_{2,4} \subset VMC^{2F}_2$.

VII + VIII (Fig. 3.23, two initial structures): $VMC^{2F}_3$, $VMC^{2F}_4$ (cases 1, 2)

$VFC^{2FD}_5 = F_{i,1} \wedge F_{i,4} \wedge D_{i,3}$, $i = 1 \ldots 112$; $VFC^{2FD}_7 = F_{i,1} \wedge F_{i,4} \wedge D_{i,2}$, $i = 1 \ldots 112$
$VFC^{2FD}_6 = F_{i,2} \wedge F_{i,3} \wedge D_{i,1}$, $i = 1 \ldots 112$; $VFC^{2FD}_8 = F_{i,2} \wedge F_{i,3} \wedge D_{i,4}$, $i = 1 \ldots 112$

Fig. 3.34. $VFC^{2FD}_{5,7} \subset VMC^{2F}_3$, $VFC^{2FD}_{6,8} \subset VMC^{2F}_4$.

IX + X (Fig. 3.23, two symmetric initial structures, $F_X \neq F_Y$): $VMC^{2F}_5$, $VMC^{2F}_6$ (cases 1 ... 8, cases violating the monotony condition marked in the figure)

$VFC^{2FD}_9 = F_{i,3} \wedge F_{i+1,3} \wedge D_{i,4}$, $i = 1 \ldots 111$
$VFC^{2FD}_{10} = F_{i,2} \wedge F_{i+1,2} \wedge D_{i,1}$, $i = 1 \ldots 111$
$VFC^{2FD}_{11} = F_{i,3} \wedge F_{i+1,3} \wedge D_{i+2,3}$, $i = 1 \ldots 110$
$VFC^{2FD}_{12} = F_{i,2} \wedge F_{i+1,2} \wedge D_{i+2,2}$, $i = 1 \ldots 110$
$VFC^{2FD}_{13} = F_{i,3} \wedge F_{i+1,3} \wedge D_{i+2,4}$, $i = 1 \ldots 110$
$VFC^{2FD}_{14} = F_{i,2} \wedge F_{i+1,2} \wedge D_{i+2,1}$, $i = 1 \ldots 110$

Fig. 3.35. $VFC^{2FD}_{9,11,13} \subset VMC^{2F}_5$, $VFC^{2FD}_{10,12,14} \subset VMC^{2F}_6$.

XI + XII (Fig. 3.23, two symmetric initial structures, $F_X \neq F_Y$): $VMC^{2F}_7$, $VMC^{2F}_8$ (cases 1 ... 8, cases violating the monotony condition marked in the figure)

$VFC^{2FD}_{15} = F_{i,3} \wedge F_{i+1,4} \wedge D_{i+1,3}$, $i = 1 \ldots 111$
$VFC^{2FD}_{16} = F_{i,2} \wedge F_{i+1,1} \wedge D_{i+1,2}$, $i = 1 \ldots 111$
$VFC^{2FD}_{17} = F_{i,3} \wedge F_{i+1,4} \wedge D_{i+2,1}$, $i = 1 \ldots 110$
$VFC^{2FD}_{18} = F_{i,2} \wedge F_{i+1,1} \wedge D_{i+2,4}$, $i = 1 \ldots 110$
$VFC^{2FD}_{19} = F_{i,3} \wedge F_{i+1,4} \wedge D_{i+2,2}$, $i = 1 \ldots 110$
$VFC^{2FD}_{20} = F_{i,2} \wedge F_{i+1,1} \wedge D_{i+2,3}$, $i = 1 \ldots 110$

Fig. 3.36. $VFC^{2FD}_{15,17,19} \subset VMC^{2F}_7$, $VFC^{2FD}_{16,18,20} \subset VMC^{2F}_8$.

XIII + XIV (Fig. 3.23, two symmetric initial structures, $F_X \neq F_Y$): $VMC^{2F}_9$, $VMC^{2F}_{10}$ (cases 1 ... 8, cases violating the monotony condition marked in the figure)

$VFC^{2FD}_{21} = F_{i,1} \wedge F_{i+1,3} \wedge D_{i+1,4}$, $i = 1 \ldots 111$
$VFC^{2FD}_{22} = F_{i,4} \wedge F_{i+1,2} \wedge D_{i+1,1}$, $i = 1 \ldots 111$
$VFC^{2FD}_{23} = F_{i,1} \wedge F_{i+1,3} \wedge D_{i+2,3}$, $i = 1 \ldots 110$
$VFC^{2FD}_{24} = F_{i,4} \wedge F_{i+1,2} \wedge D_{i+2,2}$, $i = 1 \ldots 110$
$VFC^{2FD}_{25} = F_{i,1} \wedge F_{i+1,3} \wedge D_{i+2,4}$, $i = 1 \ldots 110$
$VFC^{2FD}_{26} = F_{i,4} \wedge F_{i+1,2} \wedge D_{i+2,1}$, $i = 1 \ldots 110$

Fig. 3.37. $VFC^{2FD}_{21,23,25} \subset VMC^{2F}_9$, $VFC^{2FD}_{22,24,26} \subset VMC^{2F}_{10}$.

XV + XVI (Fig. 3.23, two symmetric initial structures, $F_X \neq F_Y$): $VMC^{2F}_{11}$, $VMC^{2F}_{12}$ (cases 1 ... 8)

$VFC^{2FD}_{27} = F_{i,1} \wedge F_{i+1,4} \wedge D_{i+1,3}$, $i = 1 \ldots 111$
$VFC^{2FD}_{28} = F_{i,4} \wedge F_{i+1,1} \wedge D_{i+1,2}$, $i = 1 \ldots 111$
$VFC^{2FD}_{29} = F_{i,1} \wedge F_{i+1,4} \wedge D_{i+2,1}$, $i = 1 \ldots 110$
$VFC^{2FD}_{30} = F_{i,4} \wedge F_{i+1,1} \wedge D_{i+2,4}$, $i = 1 \ldots 110$
$VFC^{2FD}_{31} = F_{i,1} \wedge F_{i+1,4} \wedge D_{i+2,2}$, $i = 1 \ldots 110$
$VFC^{2FD}_{32} = F_{i,4} \wedge F_{i+1,1} \wedge D_{i+2,3}$, $i = 1 \ldots 110$

$VFC^{2FD} = \bigcup_{i=1}^{32} VFC^{2FD}_i \subset VMC^{2F}$ (illustrated in Fig. 3.24)

Fig. 3.38. $VFC^{2FD}_{27,29,31} \subset VMC^{2F}_{11}$, $VFC^{2FD}_{28,30,32} \subset VMC^{2F}_{12}$, $VFC^{2FD} \subset VMC^{2F}$.

$VMC^{2DF}_1$ (4 × 112 MC), $VMC^{2DF}_2$ (4 × 110 MC), $VMC^{2DF}_3$ (4 × 111 MC) (4: symmetrically exchanged).

Examples for cuts: included in Fig. 3.22, I; Fig. 3.22, II; Fig. 3.22, III; Fig. 3.22, IV.

$VMC^{2DF} = \bigcup_{i=1}^{3} VMC^{2DF}_i$ (1,332 MC)

$\Pr(VMC^{2DF}) \approx 1.332 \cdot 10^{-4}$, about 2.3 % deviation of $\Pr(D_S)$.

Fig. 3.39. Estimation of $VMC^{2DF}$ (3rd order) and $\Pr(VMC^{2DF})$.
4 State-space approach

4.1 Scope
4.2 Input data
4.3 Definition of different types of stochastic processes
4.3.1 2-state process model
4.3.2 Multi-state process model
4.4 Markov modeling and calculation
4.4.1 Markov equations
4.4.2 Modeling of components
4.4.3 Modeling and calculation of systems
4.4.3.1 Analytical approach
4.4.3.2 Numerical iteration approach
4.4.3.3 Objective indices of a parallel structure
4.4.3.4 Objective indices of a series structure
4.5 Approximation: Probable Markov path (pMp) approach
4.5.1 Mathematical basics
4.5.2 System with two s-independent components
4.5.2.1 pMp calculation of the parallel system
4.5.2.2 pMp calculation of the series system
4.5.3 r-out-of-n system
4.5.4 System of 4.5.2.1 with limited repair capacity and repair priority
4.5.5 System of 4.5.4 with common cause failures (CCF)
4.5.6 System of 4.5.4 with scheduled maintenance
4.5.7 Segmentation of the Markov model of 4.5.6 and aggregation of
the partial Markov models
4.5.8 System with redundancy switching
4.5.8.1 pMp approach
4.5.8.2 Numerical iteration approach
4.5.8.3 Examples
4.5.9 System excluding repair during system operation
4.5.9.1 Long-term process behavior
4.5.9.2 Short-term process behavior
4.5.10 Item with periodic fault diagnosis
4.5.11 Paradox of the periodic inspection and the short-term behavior
4.6 Appendix
4.6.1 Modeling and calculation of the alternating 2-state renewal process
in Fig. 4.2
4.6.2 Decision trees of the processes $[Z(t), t > 0]$, graphically highlighted in
Fig. 4.6-8

Up state and down state sequence (Fig. 4.1) of an item (Definition 1.1, Remark 3
(logical view) and Definitions 1.2-3) can be described as a stochastic process
$[Z(t), t > 0]$ with time-dependent discrete states $Z(t)$.

© Springer International Publishing AG 2018
H.-D. Kochs, System Dependability Evaluation Including S-dependency and Uncertainty,
DOI 10.1007/978-3-319-64991-7_4

Notation

The Definition 3.5 (universe state Z , universe space Ω ) can also be applied analo-
gously to the Markov processes. Here, the universe state Z is defined as the Mar-
kov state, and the universe space Ω as the Markov space of a Markov process. A
Markov process model (shortly referred to as the Markov model) represents the
model of the Markov space including the transitions between the Markov states.

4.1 Scope

The focus of this chapter is the modeling and calculation of Markov processes in order to
calculate the steady-state indices *)

Pr(Z_i)   probability
Fr(Z_i)   mean frequency        (4.1)
Ti(Z_i)   mean duration

which are necessary to evaluate the system states $U_S$ and $D_S$ (Eq. 1.5) of the
associated renewal processes.

Relationship

Pr ( Z i ) = Fr ( Z i ) ⋅ Ti ( Z i ) (4.2)

The Markov process theory enables the modeling of stochastic processes with
complex operational and non-operational behavior by appropriate Markov states $Z_i$
and their transitions. However, the precise modeling and calculation of real-world
applications becomes very tedious. Large Markov models can be calculated numerically
by simulation techniques, but their results are not transparent (black-box
results). Thus, analytical solutions are preferred. The objective is the development of
Markov models and easy-to-achieve approximate analytical expressions of complex
(homogeneous) Markov processes, which will be described in the following chapters
and demonstrated using examples.

*) The set of indices is simply named as Eq. 4.1.
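How the steady-state indices Pr(Z_i), Fr(Z_i) and Ti(Z_i) of Eq. 4.1-4.2 follow from a homogeneous Markov model, as an added example in Python that is not code from the book: the generator matrix of s-independent 2-state components is built, the steady state π Q = 0 with Σ π = 1 is solved by elimination (no numerical library needed), and the Markov states are aggregated into the system states U_S and D_S. Assumed are constant transition rates λ = 1/Ti(U_C) and μ = 1/Ti(D_C), the Table 3.4 means of the wheel part w_x.1 and of the brake blocks as constructed input, and the example's own function names. Fr(D_S) is the mean frequency of transitions entering D_S from U_S; for the brake pair this reproduces the minimal-cut values of Eq. 3.217-3.220.

```python
"""Steady-state indices Pr, Fr, Ti (Eq. 4.1-4.2) of a homogeneous Markov model,
solved from its generator matrix.  Added worked example, not the book's code.
Assumptions: constant transition rates (exponential state durations),
s-independent 2-state components, a Markov state encoded as a tuple of
component states with 0 = up and 1 = down."""
from itertools import product

def generator(components):
    """Generator matrix Q of n s-independent 2-state components.
    components: list of (lambda, mu) = (1/Ti(U_C), 1/Ti(D_C)).
    Only one component changes state per transition (Definition 4.2)."""
    states = list(product((0, 1), repeat=len(components)))
    idx = {s: k for k, s in enumerate(states)}
    n = len(states)
    q = [[0.0] * n for _ in range(n)]
    for s in states:
        for c, (lam, mu) in enumerate(components):
            t = list(s)
            t[c] ^= 1                          # flip component c
            rate = lam if s[c] == 0 else mu    # failure or repair rate
            q[idx[s]][idx[tuple(t)]] += rate
            q[idx[s]][idx[s]] -= rate          # row sums of Q are zero
    return states, q

def steady_state(q):
    """Solve pi Q = 0 with sum(pi) = 1 by Gauss-Jordan elimination."""
    n = len(q)
    # equations: column i of Q; the last one is replaced by the normalisation
    a = [[q[j][i] for j in range(n)] + [0.0] for i in range(n)]
    a[-1] = [1.0] * n + [1.0]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[i][n] / a[i][i] for i in range(n)]

def state_indices(q, pi, k):
    """Eq. 4.1-4.2 for one Markov state Z_k: (Pr, Fr, Ti) with Pr = Fr * Ti;
    the leaving rate of Z_k is -q[k][k]."""
    out_rate = -q[k][k]
    return pi[k], pi[k] * out_rate, 1.0 / out_rate

def system_indices(components, down):
    """Indices of the aggregated system down state D_S = union of the Markov
    states for which down(state) is True.  Fr(D_S) counts only the
    transitions that enter D_S from U_S; Ti(D_S) = Pr(D_S) / Fr(D_S)."""
    states, q = generator(components)
    pi = steady_state(q)
    pr = sum(pi[k] for k, s in enumerate(states) if down(s))
    fr = sum(pi[i] * q[i][j]
             for i, s in enumerate(states) if not down(s)
             for j, t in enumerate(states) if down(t))
    return pr, fr, pr / fr

# constructed input: Table 3.4 means of the wheel part w_x.1 and a brake block
WHEEL_PART = (1.0 / 5500, 1.0 / 10)
BRAKE = (1.0 / 5500, 1.0 / 10)

def brake_pair():
    """Two brakes, one suffices (Table 3.4 footnote 5): down iff both are down."""
    return system_indices([BRAKE, BRAKE], lambda s: all(s))

def wheel_part_series():
    """Two s-independent parts in series: down if any of them is down."""
    return system_indices([WHEEL_PART, WHEEL_PART], lambda s: any(s))

if __name__ == "__main__":
    for name, fn in (("brake pair", brake_pair), ("series pair", wheel_part_series)):
        pr, fr, ti = fn()
        print(f"{name}: Pr(D_S)={pr:.3e} Fr(D_S)={fr:.3e}/h Ti(D_S)={ti:.3f} h")
```

For the brake pair the exact Markov solution gives Pr(D_S) = 3.29E-06, Fr(D_S) = 6.59E-07 h^-1 and Ti(D_S) = 5 h, the values of Eq. 3.218-3.220; for the series pair Ti(U_S) = (1 - Pr(D_S)) / Fr(D_S) equals 1/(2λ) = 2,750 h, the exact series result that the MC approach only bounds. The same `system_indices` call accepts any predicate on the component-state tuple, e.g. a 2-out-of-3 condition as in Fig. 3.30.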



4.2 Input data

The input data for the Markov model of an item, defined in Fig. 2.2, STEP 6 and 7, are

1. Definition of the Markov states $Z_i$.
2. Definition of the constant transition rates from one state $Z_i$ to another state $Z_{i+1}$, e.g. Fig. 4.10.
3. Assignment of the Markov states $Z_i$ either to US or DS, e.g. Fig. 4.11.

4.3 Definition of different types of stochastic processes

The Markov process holds a leading role among other stochastic processes because of: (1) Operational and non-operational behavior of items can be modeled appropriately, assuming the Markov condition (Definition 4.3) is fulfilled, and (2) Markov models or decisive parts of Markov models can be easily derived and calculated (Chapter 4.5).

What are the criteria to classify whether a stochastic process is a Markov process
or not?

Definition 4.1 (Markov state condition). A state transition from one state $Z_i$ to another state $Z_{i+1}$ depends only on the state $Z_i$ and not on prior states.
Remark: Similar to a frog in a lily pond, which jumps from one lily to another, independent of prior frog routes.

Definition 4.2 (Markov time condition). A state transition at time $(t, t + \Delta t)$ with $\Delta t \to 0$ depends only on the time $t$ and not on prior times $x < t$.
Remark: In $\Delta t \to 0$ only one s-independent state transition can occur.

With these definitions the following process types are defined.

Definition 4.3 (homogeneous Markov process). A process that fulfills the Markov time condition (for all states of the Markov space).
Remark 1: The Markov state condition is automatically fulfilled if the Markov time condition is fulfilled.
Remark 2: If all transition rates of a stochastic process are constant, then it represents a homogeneous Markov process. Constant transition rates are a necessary and sufficient condition for a homogeneous Markov process. Constant transition rates imply exponential pdf of the state durations.
Remark 3: The transitions of a homogeneous Markov process are called homogeneous Markov transitions.
Remark 4: In this book, the homogeneous Markov process is shortly termed as the Markov process and the transitions as Markov transitions.
Remark 5: s-Independency of the component states inside a Markov state is not required (Chapter 5.2).

Definition 4.4 (semi-Markov process). A process which fulfills the Markov state condition (Definition 4.1), but not the Markov time condition (Definition 4.2).
Remark: A 2-state process (renewal process, Fig. 4.2) is either a homogeneous Markov process or a semi-Markov process.

Definition 4.5 (non-Markov process). A process that does not fulfill the Markov state condition (Definition 4.1).
Remark 1: This case arises if the transition rates are non-constant (except: 2-state processes, see Definition 4.4, Remark).
Remark 2: If at least one state transition does not fulfill the Markov state condition (e.g. Fig. 4.7), then the process will be defined as a non-Markov process.

Table 4.1 summarizes the process types.

Process type                   State condition                                  Time condition
(homogeneous) Markov process   Automatically fulfilled if the time condition    Fulfilled (≡ constant transition rates)
                               is fulfilled
Semi-Markov process            Fulfilled                                        Not fulfilled
Non-Markov process             Not fulfilled                                    Automatically not fulfilled if the state
                                                                                condition is not fulfilled

Table 4.1. Classification of different process types.


The following definition is introduced, which is a prerequisite for the development of approximate dependability approaches in this book.

Definition 4.6 (strongly connected Markov process). A Markov process is strongly connected if a path exists from each Markov state to every single Markov state of the Markov space (or: Each Markov state is reachable from every other Markov state).
Remark 1: A strongly connected Markov process has a steady state behavior (Definition 4.7) or periodic steady state behavior for $t \to \infty$ (Definition 4.9).
Remark 2: A strongly connected Markov process has no absorbing state.
Remark 3: Technical systems with restorable items often represent strongly connected Markov processes.

Many industrial processes can be represented by strongly connected Markov processes, which are the main subject of this book.

4.3.1 2-state process model

An often used simple 2-state process model of an item is outlined in Fig. 4.1, which can be described by the alternating renewal process, Fig. 4.2. Alternating renewal processes have two types of intervals which alternate. [Schneeweiss 2009b] is recommended for an in-depth mathematical description with examples of the renewal theory.

[Fig. 4.1: plot of Z(t) over t, alternating between the up state U = Z1 and the down state D = Z2 with the durations t1(U), t1(D), t2(U), t2(D), t3(U), t3(D).]

Fig. 4.1. 2-state time model of an item.

[Fig. 4.2: sequence of intervals U1, D1, U2, D2, ... continuing to ∞, with the durations t1(U), t1(D), t2(U), t2(D).]

Fig. 4.2. Alternating 2-state renewal process of an item.

The state durations are described by the probability (density) functions (pdf)
f ( t ( U ) ) (up times) and f ( t ( D ) ) (down times), or by cumulative (probability)
functions (cdf) F ( t ( U ) ) and F ( t ( D ) ) . To analyze different cases of time dependent
state behavior, the input functions in Fig. 4.3 are taken in pairs. At first the following
question is of interest: After which time will Pr ( U ) and Pr ( D ) reach their steady
states?
[Fig. 4.3: three pairs of input cdf. Case 1: F(t(U)) exponential cdf with mean 1/λ, F(t(D)) exponential cdf with mean 1/μ. Case 2: F(t(U)) exponential cdf with mean 1/λ, F(t(D)) jump cdf. Case 3: F(t(U)) exponential cdf with mean 1/λ, F(t(D)) Weibull cdf. Ti(U) ≡ MUT, Ti(D) ≡ MDT.]

Fig. 4.3. Input cdf for the 2-state stochastic process model in Fig. 4.2.

The probabilities of the up state U and the down state D in Fig. 4.2 are (see Appendix 4.6.1)

$Pr(U,t) = \sum_{i=1}^{\infty} Pr(U_i,t)$ (4.3)

$Pr(D,t) = \sum_{i=1}^{\infty} Pr(D_i,t)$ (4.4)

$Pr(U,t) + Pr(D,t) = 1$ (4.5)

Fig. 4.4 shows the time dependent probabilities of the down state of Fig. 4.2 with the cdf from Fig. 4.3. The results are taken from [Kochs 1974].

[Fig. 4.4: Pr(D,t) over t, time axis marked at Ti(D), 2Ti(D), 3Ti(D) (MDT, 2 MDT, 3 MDT); curves for Case 1, Case 2, Case 3a and Case 3b; the transient part follows $t/(Ti(U)+Ti(D)) \approx \lambda t$, the steady state value is $Ti(D)/(Ti(U)+Ti(D)) \approx \lambda Ti(D)$.]

Fig. 4.4. Approximate down state probability of the model in Fig. 4.2 with the cdf from Fig. 4.3.

Case 1: The stochastic process is a Markov process.
Case 2: The stochastic process is a semi-Markov process. Time to restoration is described by a jump cdf, $Ti(D) \ll Ti(U)$ (low unavailability).
Case 3a: The stochastic process is a semi-Markov process. Here, the curves are located within the grey area, depending on the Weibull parameter $\beta \ge 1$ (Table 6.3).
Case 3b: Similar to Case 3a with the assumption $Ti(D) \ll Ti(U)$ (high unavailability).

Theoretically, overshooting values (shaded area Case 3b) occur in case of (unrealistic) high unavailability. In practice, the linear bold line can be seen as a realistic approximation of the upper limit. The process behavior in $0 \le t < Ti(D)$ is determined mainly by the first state transition of the renewal process of Fig. 4.2, described by the following equations.

Transient state probability

$Pr(D,t) \approx Pr(D_1,t) \approx \lambda t$ for $0 \le t < Ti(D)$, $Ti(U) = \dfrac{1}{\lambda}$, $\lambda \ll \dfrac{1}{Ti(D)}$ (4.6)

Steady state probability

$Pr(D) = \dfrac{Ti(D)}{Ti(U) + Ti(D)}$ for $t \ge Ti(D)$ (4.7)

Conclusion

1. The transient of the time dependent state probability of a 2-state renewal process similar to Fig. 4.2 lasts in the time range of one to a few $Ti(D)$. Thus, the steady state is reached after a few hours to some days.
2. The steady state indices of the 2-state renewal process
$Pr(D) = \dfrac{Ti(D)}{Ti(U) + Ti(D)}$, $Pr(U) = 1 - Pr(D)$ (4.8)
$Fr(D) = \dfrac{1}{Ti(U) + Ti(D)}$, $Fr(U) = Fr(D)$ (4.9)
are independent of the shape of the pdf *) of time to failure and time to restoration; thus, they are valid for arbitrary pdf, see Appendix 4.6.1. The 2-state renewal process (model) is the basis for the system dependability evaluation in this book.
3. Because of the short time range, the transient behavior of the state probabilities is insignificant in most dependability or availability analyses of stochastic processes with restorable items. Exceptions are, for example, items with discrete diagnostic functions (zig-zag curves, Chapter 4.5.10 and 4.5.11), dependability monitoring tasks (Chapter 5.10, Fig. 5.22-23), items with absorbing states, and power reserve determination [Kochs 1976, Edwin et al. 1979a].

*) Remark: No distinction is made between singular and plural notation (without s) of abbreviations (see List of symbols and abbreviations).

4.3.2 Multi-state process model

Fig. 4.5 shows a stochastic process [Z(t), t > 0] of two s-independent components connected in series and in parallel. The stochastic process [Z(t), t > 0] can be a Markov, semi-Markov, or a non-Markov process, depending on the pdf of the state transitions (≡ pdf of the duration of the states). To illustrate the different types of stochastic processes, the following three examples are considered.

- [Z(t), t > 0] in Fig. 4.6 represents a (homogeneous) Markov process (input: pdf of Case 1, Fig. 4.3). Each component represents a Markov process.
- [Z(t), t > 0] in Fig. 4.7 represents a non-Markov process (input: pdf of Case 2, Fig. 4.3). Each component represents a semi-Markov process.
- [Z(t), t > 0] in Fig. 4.8 represents a non-Markov process. Each component represents a semi-Markov process.

A homogeneous Markov process is characterized by an exponential pdf of each state duration (constant transition rates). After each state transition, the Markov state starts again with an exponential pdf (residual exponential pdf are also exponential). That means that preceding Markov states have no effect (the process is memoryless). Exclusively in case of exponential pdf f(t(U1)), f(t(U2)), f(t(D1)), and f(t(D2)) of the components (Fig. 4.6), the stochastic process represents a homogeneous Markov process.

If the pdf are not exponential, the stochastic process is usually a non-Markov process, illustrated in Fig. 4.7 and 4.8 (regardless of whether the components are s-dependent or not). In each state, the transition starts with the residual pdf of the components. [Z(t), t > 0] can be evaluated by simulation techniques. Analytical calculation is generally very difficult [Edwin et al. 1979b, c].

Appendix 4.6.2 shows the development of the state sequence of the different pro-
cesses [ Z ( t ) ,t > 0 ] as decision trees.

In the following chapters homogeneous Markov processes are studied exclusively.


[Fig. 4.5: state time models over t. Component 1 (Fig. 4.1): Z_C1 alternating between U1 and D1 with the durations t(U1)1, t(D1)1, t(U1)2, t(D1)2, t(U1)3. Component 2 (Fig. 4.1): Z_C2 alternating between U2 and D2 with the durations t(U2)1, t(D2)1, t(U2)2, t(D2)2, t(U2)3. Markov states (Fig. 4.10) of [Z(t), t > 0] in the sequence 1 ... 9: Z1 Z2 Z1 Z3 Z1 Z2 Z4 Z3 Z1. Series system (Fig. 4.12): Z_Ss alternating between US and DS with the durations t(US)1, t(DS)1, t(US)2, t(DS)2, t(US)3, t(DS)3, t(US)4. Parallel system (Fig. 4.11): Z_Sp alternating between US and DS with the durations t(US)1, t(DS)1, t(US)2.]

Fig. 4.5. State time models as basis for the multi-state stochastic process [Z(t), t > 0] and corresponding series and parallel system.

[Fig. 4.6: Component 1 (Fig. 4.3, Case 1, exponential pdf): $f(t(U_1)) = \lambda_1 e^{-\lambda_1 t}$, $f(t(D_1)) = \mu_1 e^{-\mu_1 t}$, residual pdf = exponential pdf; state time model Z_C1 over t with states U1, D1. Component 2 (Fig. 4.3, Case 1, exponential pdf): $f(t(U_2)) = \lambda_2 e^{-\lambda_2 t}$, $f(t(D_2)) = \mu_2 e^{-\mu_2 t}$; state time model Z_C2 over t with states U2, D2. State sequence 1 ... 9 of [Z(t), t > 0]: Z1 Z2 Z1 Z3 Z1 Z2 Z4 Z3 Z1.]

Fig. 4.6. Example of a homogeneous Markov process sequence [Z(t), t > 0] with exponential pdf of the components' up and down times (Case 1 in Fig. 4.3), corresponding Markov model see Fig. 4.10, cutouts of the decision tree models are shown in Fig. 4.35-36.

[Fig. 4.7: Component 1: $f(t(U_1)) = \lambda_1 e^{-\lambda_1 t}$ (residual pdf = exponential pdf), $f(t(D_1))$ = jump function at Ti(D1); state time model Z_C1 over t with states U1, D1. Component 2: $f(t(U_2)) = \lambda_2 e^{-\lambda_2 t}$, $f(t(D_2))$ = jump function at Ti(D2); state time model Z_C2 over t with states U2, D2. State sequence 1 ... 9 of [Z(t), t > 0]: Z1 Z2 Z1 Z3 Z1 Z2 Z4 Z3 Z1. Non-Markov transition: the transition Z4 -> Z3 depends on Z2, Definition 4.1 is not fulfilled.]

Fig. 4.7. Example of a non-Markov process sequence [Z(t), t > 0] with exponential pdf of the up times and jump function of the down times of the components (Case 2 in Fig. 4.3), cutouts of the decision tree models are shown in Fig. 4.37-38.

[Fig. 4.8: Component 1: Weibull pdf f(t(U1)) and f(t(D1)) with their residual pdf; state time model Z_C1 over t with states U1, D1. Component 2: Weibull pdf f(t(U2)) and f(t(D2)); state time model Z_C2 over t with states U2, D2. State sequence 1 ... 9 of [Z(t), t > 0]: Z1 Z2 Z1 Z3 Z1 Z2 Z4 Z3 Z1.]

Fig. 4.8. Example of a non-Markov process sequence [Z(t), t > 0] with Weibull pdf of the components' up and down times, cutouts of the decision tree models are shown in Fig. 4.39-40.

The following two examples demonstrate the influence of time dependency (tran-
sient behavior) of down state probabilities.

Example 1: n-oo-n system (series system)

All components start at t = 0 with $Pr(D_1, t = 0) = 0$. All n components are similar and s-independent, each having the pairwise cdf of Fig. 4.3. The n-oo-n system has n minimal cuts (MC) of first order. With the assumption $n\,Pr(D) \ll 1$, the probability of the system down state can be approximately calculated with the MC approach to

$Pr(D_S,t) \le n\,Pr(D_1,t)$ with $Pr(D_1,t)$ according to Eq. 4.6 (4.10)

Example 2: (n-1)-oo-n system

All components start at t = 0 with $Pr(D_1, t = 0) = 0$. All n components are similar and s-independent, each having the pairwise cdf of Fig. 4.3. The (n-1)-oo-n system has $n(n-1)/2$ minimal cuts (MC) of second order. With the assumption $n\,Pr(D) \ll 1$, the probability of the system down state can be approximately calculated with the MC approach to

$Pr(D_S,t) \le \dfrac{n(n-1)}{2}\,Pr(D_1,t)^2$ with $Pr(D_1,t)$ according to Eq. 4.6 (4.11)

For n = 2 the system represents a parallel system. See also short-term behavior, Chapter 4.5.9.2, and Chapter 5.10.

Conclusion

The time dependency (transient state behavior) of the probability of the example systems is in the time range of one to a few MDT, shown in Fig. 4.4, thus, very short. Depending on the application, the transient behavior can be neglected in most applications; exceptions are described in detail in Chapter 5.10.

4.4 Markov modeling and calculation

The advantage of Markov modeling and calculation is shortly outlined in Chapter 2. The basic equations are shortly described in the following chapter. Standard procedures are described in [IEC 61165:2006].

4.4.1 Markov equations

Fig. 4.5 outlines the formation rule of the Markov states Z1, Z2, Z3, and Z4 as well
as the allocation to a series and parallel structure with two s-independent compo-
nents. Exclusively in case of exponential pdf f ( t ( U ) ) and f ( t ( D ) ) (Case 1, Fig. 4.3)
of the components 1 and 2, the stochastic process represents a homogeneous
Markov process, Fig. 4.6. The corresponding Markov models are outlined in Fig.
4.10-12, composed of two component models as shown in Fig. 4.9.

The state probabilities $Pr(Z_i)$ of a homogeneous Markov process can be described as a system of linear differential equations of first order [Singh et al. 1977, Endrenyi 1978, Kochs 1984, Kochs 1996].

$\dfrac{d\,Pr^{T}(Z,t)}{dt} = Pr^{T}(Z,t)\,A$ (4.12)

$Pr^{T}(Z,t)$ is the row vector, $A$ the transition matrix.

$A = \begin{pmatrix} -a_{1,1} & a_{1,2} & \cdots \\ a_{2,1} & -a_{2,2} & \cdots \\ \cdots & \cdots & \cdots \end{pmatrix}$ (4.13)

$a_{i,k}$ is the transition rate from $Z_i$ to $Z_k$. The diagonal elements $a_{i,i}$ are the sum of the off-diagonal elements of the row.

$a_{i,i} = \sum_{\forall j \ne i} a_{i,j}$ (4.14)

With the secondary condition

$\sum_{\forall i} Pr(Z_i,t) = 1$ (4.15)

the system of equations can be solved.



Although the focus is on strongly connected Markov processes, it is to note that the
Definition 4.6 is not a precondition for Eq. 4.12-15. Thus, they are generally valid for
Markov processes according to Definition 4.3.

For the dependability analysis of strongly connected Markov processes (periodic processes excluded, see Chapter 4.5.10), the steady state behavior is highly important.

Definition 4.7 (steady state or stationary state). The steady state of an item is defined as
$\lim_{t \to \infty} \dfrac{d\,Pr^{T}(Z,t)}{dt} = 0^{T}$ (4.16)
Remark: A Markov process with steady states is named steady state Markov process.

For calculation of the steady states, Eq. 4.12 is transformed into a system of linear equations.

$0^{T} = Pr^{T}(Z)\,A$ (4.17)

The mean time in each state $Z_i$ of a Markov process is

$Ti(Z_i) = \dfrac{1}{a_{i,i}}$ with Eq. 4.14 (4.18)

With these basic Markov equations, the indices of the Markov states $Z_i$ of Eq. 4.1 can be calculated.

4.4.2 Modeling of components

If the transition rates λ and μ are constant (Case 1, Fig. 4.3), then the Markov process can be represented by the 2-state Markov model in Fig. 4.9, which is a renewal process, Appendix 4.6.1.

[Fig. 4.9: two Markov states Z1 (U) and Z2 (D); transition U -> D with rate λ, transition D -> U with rate μ.]

U = Z1 Markov up state
D = Z2 Markov down state
λ failure rate
μ restoration rate

Fig. 4.9. 2-state Markov model of a component, corresponding to the models in Fig. 4.1-2.

The steady state process in Fig. 4.9 is described by the following equations.

Input indices

$\lambda = \dfrac{1}{Ti(U)}$, $Ti(U) \equiv MUT$ (4.19)
$\mu = \dfrac{1}{Ti(D)}$, $Ti(D) \equiv MDT$ (4.20)

Markov equation

$\begin{pmatrix} 0 \\ 0 \end{pmatrix}^{T} = \begin{pmatrix} Pr(Z_1) \\ Pr(Z_2) \end{pmatrix}^{T} \cdot \begin{pmatrix} -\lambda & \lambda \\ \mu & -\mu \end{pmatrix}$ (4.21)

Objective indices

$Pr(U) = Pr(Z_1) = \dfrac{1}{1 + \lambda/\mu}$ availability (4.22)
$Pr(D) = Pr(Z_2) = \dfrac{\lambda/\mu}{1 + \lambda/\mu}$ unavailability (4.23)
$Fr(U) = Fr(Z_1) = \mu\,Pr(Z_2)$ (4.24)
$Fr(D) = Fr(Z_2) = \lambda\,Pr(Z_1)$ (4.25)
$Fr(U) = Fr(D)$ (4.26)
$Ti(U) = \dfrac{Pr(U)}{Fr(U)}$ MUT (4.27)
$Ti(D) = \dfrac{Pr(D)}{Fr(D)}$ MDT (4.28)

4.4.3 Modeling and calculation of systems

The design of Markov models is based on Boolean logic, called "Boolean logic driven Markov models", which can be integrated easily into DBD, Fig. 5.1. [Bouissou 2003] defines the term "Boolean logic driven Markov process" in the context of fault-trees.

Fig. 4.10 shows the Markov model of a system corresponding to the state time mod-
el in Fig. 4.6. The Markov model consists of the four Markov states Z1, Z2, Z3, and
Z4, which form the Markov space. It represents all possible combinations of the
component states (logical AND connections) with their transitions.
[Fig. 4.10: Markov states Z1 = U1 ∧ U2, Z2 = D1 ∧ U2, Z3 = U1 ∧ D2, Z4 = D1 ∧ D2; transitions Z1 -> Z2 (λ1), Z2 -> Z1 (μ1), Z1 -> Z3 (λ2), Z3 -> Z1 (μ2), Z2 -> Z4 (λ2), Z4 -> Z2 (μ2), Z3 -> Z4 (λ1), Z4 -> Z3 (μ1).]

Fig. 4.10. Markov model of a system consisting of two s-independent component models of Fig. 4.9.

This model is analyzed in the next chapters.



4.4.3.1 Analytical approach

Markov equation (steady state)

$\begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \end{pmatrix}^{T} = \begin{pmatrix} Pr(Z_1) \\ Pr(Z_2) \\ Pr(Z_3) \\ Pr(Z_4) \end{pmatrix}^{T} \cdot \begin{pmatrix} -(\lambda_1 + \lambda_2) & \lambda_1 & \lambda_2 & 0 \\ \mu_1 & -(\mu_1 + \lambda_2) & 0 & \lambda_2 \\ \mu_2 & 0 & -(\mu_2 + \lambda_1) & \lambda_1 \\ 0 & \mu_2 & \mu_1 & -(\mu_1 + \mu_2) \end{pmatrix}$ (4.29)

Abbreviation

$q = \left(1 + \dfrac{\lambda_1}{\mu_1}\right)\left(1 + \dfrac{\lambda_2}{\mu_2}\right)$ (4.30)

Probability of the Markov states

$Pr(Z_1) = \dfrac{1}{q}$, $Pr(Z_2) = \dfrac{1}{q}\,\dfrac{\lambda_1}{\mu_1}$ (4.31-32)
$Pr(Z_3) = \dfrac{1}{q}\,\dfrac{\lambda_2}{\mu_2}$, $Pr(Z_4) = \dfrac{1}{q}\,\dfrac{\lambda_1 \lambda_2}{\mu_1 \mu_2}$ (4.33-34)

Mean time of the Markov states

$Ti(Z_i) = \dfrac{1}{a_{i,i}}$, $i = 1 \ldots 4$ (according to Eq. 4.14 and 4.18) (4.35)

Mean frequency of the Markov states

$Fr(Z_i) = \dfrac{Pr(Z_i)}{Ti(Z_i)}$, $i = 1 \ldots 4$ (4.36)

In case of s-independent components, $Pr(Z_i)$ can be determined easily with the well-known product rule, demonstrated by the example of $Z_4$.

$Pr(Z_4) = Pr(D_1 \wedge D_2) = Pr(D_1) \cdot Pr(D_2) = \dfrac{\lambda_1/\mu_1}{1 + \lambda_1/\mu_1} \cdot \dfrac{\lambda_2/\mu_2}{1 + \lambda_2/\mu_2}$ (4.37)

The other states can be calculated in a similar way.

4.4.3.2 Numerical iteration approach

An alternative to the analytical approach is the numerical iteration approach, applied to the example in Fig. 4.10.

Initial values: $Pr(Z_1)_0 = 1$, $Pr(Z_j)_0 = 0$, $j = 2 \ldots 4$ (4.38)

$Ti(Z_1) = 1/(\lambda_1 + \lambda_2)$, $Ti(Z_2) = 1/(\mu_1 + \lambda_2)$ (4.39-40)
$Ti(Z_3) = 1/(\lambda_1 + \mu_2)$, $Ti(Z_4) = 1/(\mu_1 + \mu_2)$ (4.41-42)

Starting with $i = 0$ and incrementing $i$ for each cycle (4.43)

do {
$Fr(Z_1)_{i+1} = Pr(Z_1)_i / Ti(Z_1)$ (4.44)
$Fr(Z_2)_{i+1} = Pr(Z_1)_i\,\lambda_1 + Pr(Z_4)_i\,\mu_2$ (4.45)
$Pr(Z_2)_{i+1} = Fr(Z_2)_{i+1} \cdot Ti(Z_2)$ (4.46)
$Fr(Z_3)_{i+1} = Pr(Z_1)_i\,\lambda_2 + Pr(Z_4)_i\,\mu_1$ (4.47)
$Pr(Z_3)_{i+1} = Fr(Z_3)_{i+1} \cdot Ti(Z_3)$ (4.48)
$Fr(Z_4)_{i+1} = Pr(Z_2)_i\,\lambda_2 + Pr(Z_3)_i\,\lambda_1$ (4.49)
$Pr(Z_4)_{i+1} = Fr(Z_4)_{i+1} \cdot Ti(Z_4)$ (4.50)
$Pr(Z_1)_{i+1} = 1 - \sum_{j=2}^{4} Pr(Z_j)_{i+1}$ (4.51)
} while ( $|Pr(Z_1)_{i+1} - Pr(Z_1)_i| >$ error limit ) (4.52)

For most Markov models representing technical systems, the first iteration step is sufficiently accurate if the initial values are realistic as in Eq. 4.38. This assumption is the justification for the development of the probable Markov path (pMp) approach in Chapter 4.5.

Example of the numerical iteration

$\lambda_1 = 10^{-4}\,h^{-1}$, $\lambda_2 = 10^{-4}\,h^{-1}$, $\mu_1 = 10^{-1}\,h^{-1}$, $\mu_2 = 10^{-1}\,h^{-1}$ (4.53)

Initial values: $Pr(Z_1)_0 = 1$, $Pr(Z_j)_0 = 0$, $j = 2 \ldots 4$ (4.54)

6 iterations:
$Pr(Z_1)$ = 9.980030E-01 (4.55)
$Pr(Z_2)$ = 9.980030E-04 (4.56)
$Pr(Z_3)$ = 9.980030E-04 (4.57)
$Pr(Z_4)$ = 9.980030E-07 (4.58)

Conclusion

The numerical calculation yields, after at most six iterations, with an accuracy of at least seven decimal places, the same results as the analytical calculation with Eq. 4.29-36.
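The iteration of Eq. 4.38-4.52 for the model of Fig. 4.10, run with the rates of Eq. 4.53 and checked against the closed-form solution Eq. 4.30-4.34 and the balance equation Eq. 4.29. This is an added Python example, not code from the book; the function names are the example's own.

```python
"""Numerical iteration (Eq. 4.38-4.52) for the four-state Markov model of
Fig. 4.10, checked against the analytical solution (Eq. 4.29-4.36).
Added example; function names are this example's own, not the book's."""


def transition_matrix(l1, l2, m1, m2):
    """Transition matrix A of Eq. 4.29 (rows and columns in the order Z1..Z4)."""
    return [[-(l1 + l2), l1, l2, 0.0],
            [m1, -(m1 + l2), 0.0, l2],
            [m2, 0.0, -(m2 + l1), l1],
            [0.0, m2, m1, -(m1 + m2)]]


def mean_state_times(l1, l2, m1, m2):
    """Ti(Z1..Z4) = 1 / a_{i,i}, Eq. 4.39-4.42."""
    return [1.0 / (l1 + l2), 1.0 / (m1 + l2), 1.0 / (l1 + m2), 1.0 / (m1 + m2)]


def iterate_markov(l1, l2, m1, m2, error_limit=1e-10, max_cycles=100):
    """do { Eq. 4.44-4.51 } while (|Pr(Z1)_{i+1} - Pr(Z1)_i| > error limit).

    Returns ([Pr(Z1), .., Pr(Z4)], number of cycles executed).
    """
    ti = mean_state_times(l1, l2, m1, m2)
    pr = [1.0, 0.0, 0.0, 0.0]  # initial values, Eq. 4.38
    cycles = 0
    while True:
        cycles += 1
        p1, p2, p3, p4 = pr
        # inflow frequencies from the immediately preceding states (4.45, 4.47, 4.49)
        fr2 = p1 * l1 + p4 * m2
        fr3 = p1 * l2 + p4 * m1
        fr4 = p2 * l2 + p3 * l1
        # Pr = Fr * Ti (4.46, 4.48, 4.50); Pr(Z1) from the normalisation (4.51)
        n2, n3, n4 = fr2 * ti[1], fr3 * ti[2], fr4 * ti[3]
        n1 = 1.0 - (n2 + n3 + n4)
        pr = [n1, n2, n3, n4]
        if abs(n1 - p1) <= error_limit or cycles >= max_cycles:  # (4.52)
            return pr, cycles


def state_frequencies(pr, l1, l2, m1, m2):
    """Fr(Z_i) = Pr(Z_i) / Ti(Z_i), Eq. 4.36 (Eq. 4.44 for Z1)."""
    ti = mean_state_times(l1, l2, m1, m2)
    return [p / t for p, t in zip(pr, ti)]


def analytical_probabilities(l1, l2, m1, m2):
    """Closed-form steady state solution, Eq. 4.30-4.34."""
    q = (1.0 + l1 / m1) * (1.0 + l2 / m2)
    return [1.0 / q, (l1 / m1) / q, (l2 / m2) / q, (l1 * l2) / (m1 * m2) / q]


def balance_residual(pr, a):
    """max_k |(Pr^T A)_k|: zero for an exact steady state (Eq. 4.17 / 4.29)."""
    return max(abs(sum(pr[i] * a[i][k] for i in range(4))) for k in range(4))


def example_4_53():
    """Rates of Eq. 4.53; returns the iteration result in the form of Eq. 4.55-4.58."""
    rates = (1e-4, 1e-4, 1e-1, 1e-1)
    pr, cycles = iterate_markov(*rates)
    exact = analytical_probabilities(*rates)
    return {"cycles": cycles,
            "Pr": ["%.6E" % p for p in pr],
            "max_abs_error": max(abs(p - e) for p, e in zip(pr, exact)),
            "residual": balance_residual(pr, transition_matrix(*rates))}


if __name__ == "__main__":
    for key, value in example_4_53().items():
        print(key, value)
```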

4.4.3.3 Objective indices of a parallel structure

The following chapters describe the modeling and calculation of renewal processes
in order to reach the objective in Chapter 1.2.
[Fig. 4.11: Markov model of Fig. 4.10 with Z1 = U1 ∧ U2, Z2 = D1 ∧ U2, Z3 = U1 ∧ D2 assigned to US and Z4 = D1 ∧ D2 assigned to DS; transitions Z1 -> Z2 (λ1), Z2 -> Z1 (μ1), Z1 -> Z3 (λ2), Z3 -> Z1 (μ2), Z2 -> Z4 (λ2), Z4 -> Z2 (μ2), Z3 -> Z4 (λ1), Z4 -> Z3 (μ1); MC = Z4. DBD: US as parallel structure of the blocks U1 and U2, the MC comprising both blocks. Dependability blocks (DB) := framed blocks.]

Fig. 4.11. Markov model based on Fig. 4.10 and its relationship to the network model: Parallel structure.

Objective states

$U_S = Z_1 \vee Z_2 \vee Z_3$ (4.59)
$D_S = Z_4$ (4.60)

Objective indices

$Pr(U_S) = Pr(Z_1) + Pr(Z_2) + Pr(Z_3) = 1 - Pr(D_S)$ availability (4.61)
$Pr(D_S) = Pr(Z_4)$ unavailability (4.62)
$Fr(D_S) = Pr(Z_2)\,\lambda_2 + Pr(Z_3)\,\lambda_1$ (4.63)
$Fr(U_S) = Pr(Z_4)\,(\mu_1 + \mu_2) \equiv Fr(D_S)$ (4.64)
$Ti(U_S) = \dfrac{Pr(U_S)}{Fr(U_S)}$ MUT (4.65)
$Ti(D_S) = \dfrac{Pr(D_S)}{Fr(D_S)}$ MDT (4.66)

Relationship between the Markov model and the network model, Fig. 4.11

$MC = D_1 \wedge D_2 \equiv Z_4$ (4.67)
$D_S = MC$ (4.68)
$U_S = \overline{MC}$ (4.69)

4.4.3.4 Objective indices of a series structure


[Fig. 4.12: Markov model of Fig. 4.10 with Z1 = U1 ∧ U2 assigned to US and Z2 = D1 ∧ U2, Z3 = U1 ∧ D2, Z4 = D1 ∧ D2 assigned to DS; transitions Z1 -> Z2 (λ1), Z2 -> Z1 (μ1), Z1 -> Z3 (λ2), Z3 -> Z1 (μ2), Z2 -> Z4 (λ2), Z4 -> Z2 (μ2), Z3 -> Z4 (λ1), Z4 -> Z3 (μ1); MC1 = Z2 ∨ Z4, MC2 = Z3 ∨ Z4. DBD: US as series structure of the blocks MC1 (U1) and MC2 (U2). Dependability blocks (DB) := framed blocks.]

Fig. 4.12. Markov model based on Fig. 4.10 and its relationship to the network model: Series structure.

Objective states

$U_S = Z_1$ (4.70)
$D_S = Z_2 \vee Z_3 \vee Z_4$ (4.71)

Objective indices

$Pr(U_S) = Pr(Z_1)$ availability (4.72)
$Pr(D_S) = Pr(Z_2) + Pr(Z_3) + Pr(Z_4) = 1 - Pr(U_S)$ unavailability (4.73)
$Fr(U_S) = Pr(Z_2)\,\mu_1 + Pr(Z_3)\,\mu_2$ (4.74)
$Fr(D_S) = Pr(Z_1)\,(\lambda_1 + \lambda_2) \equiv Fr(U_S)$ (4.75)
$Ti(U_S) = \dfrac{Pr(U_S)}{Fr(U_S)}$ MUT (4.76)
$Ti(D_S) = \dfrac{Pr(D_S)}{Fr(D_S)}$ MDT (4.77)

The following equations show the relationship between the Markov model and the network model, see Fig. 4.12

$MC_1 = Z_2 \vee Z_4 = D_1$ (4.78)
$MC_2 = Z_3 \vee Z_4 = D_2$ (4.79)
$D_S = MC_1 \vee MC_2 = Z_2 \vee Z_3 \vee Z_4 = D_1 \vee D_2$ (4.80)
$U_S = \overline{D_S} = U_1 \wedge U_2$ (4.81)

Only Markov models consisting of a small number of states can be calculated with minimal effort using Eq. 4.29. Beyond five states the calculation becomes very tedious. Programs for the numerical calculation of large Markov processes exist. However, due to their transparency, practicability (user-friendliness), and flexibility, analytical solutions are preferred. There is another severe problem to be solved: Large and complex systems cannot be completely modeled. Thus, segmentation of the Markov process and approximation approaches have been developed (e.g. pMp and MMC approaches).

4.5 Approximation: Probable Markov path (pMp) approach


4.5.1 Mathematical basics

In this chapter, a simple and efficient approximation approach, the probable Markov
path approach, is described [Kochs 1984, Kochs et al. 1999, DFG 2001, Kochs
et al. 2004 ]. The basis of this approach has already been laid in the research work
of [Endrenyi 1978, Dib 1978, Nachtkamp 1979 ] .

Definition 4.8 (probable Markov path, pMp). A pMp is the concatenation of probable transitions that directly leads from the initial state to the objective state.
Remark 1: A pMp has no reverse paths or loops (e.g. due to repair).
Remark 2: The pMp approach is generally applicable to strongly connected Markov processes (Definition 4.6).
Remark 3: The pMp approach is also applicable to short-term behavior (e.g. see Appendix 4.6.2 and 5.11.5-7), even if the Definition 4.6 is not fulfilled.

With the pMp approach, only those transitions are considered which are significant
for the operational and non-operational behavior of an item. A pMp can be identi-
fied and evaluated without modeling the complete Markov model of an application,
which is of essential advantage in case of complex process structures with a theo-
retically large number of Markov states. The pMp approach enables easy to calcu-
late analytical expressions for the objective indices, Eq. 4.1.

The pMp approach will be described based on the partial view of the Markov model in Fig. 4.13. Assume $Z_1$ is the initial state from which the pMp leads directly to the objective state $Z_k$. With the condition

$a_{i,k} \ll a_{k,k} = \sum_{\forall j \ne k} a_{k,j}$ ($a_{i,k}$ ≡ inflow to k, $a_{k,k}$ ≡ total outflow from k) (4.82)

for all n states along all pMp (multiple pMp possible), the probability of the initial state $Z_1$ is

$Pr(Z_1) \gg \sum_{k=2}^{n} Pr(Z_k)$, then $Pr(Z_1) \approx 1$ (for one initial state) (4.83)

If only one initial state exists and Eq. 4.82 is fulfilled, then $Pr(Z_1) \approx 1$, and the pMp approach can be used favorably and easily. If Eq. 4.82 is not fulfilled, then the determination of $Pr(Z_1)$ is - as a rule - more complex. In this case the Markov equations, Eq. 4.12-18, applied step-by-step for each state, can be an appropriate - but more extensive - alternative calculation method, see e.g. Chapter 4.5.9 and 5.7. In this case, numerical iteration approaches as described in Chapter 4.4.3.2, 4.5.8.2, and 4.5.8.3 can also be applied.

[Fig. 4.13: cutout of a Markov model with the initial state Z1, the states Z2, Zi and the objective state Zk on the pMp (bold arrows), and the neighbouring states Zi+1, Zi+2, Zi+3; transition rates a1,2, a2,1, a2,i, a2,x, ai,2, ai,k, ai,x, ai+1,k, ak,i, ak,i+1, ak,i+2, ak,i+3. Z: Markov process state; a: constant transition rate.]

Fig. 4.13. Cutout of a Markov model with pMp from the initial state to the objective state $Z_k$.

Additionally, several initial states are also possible, e.g. Fig. 4.25 and 5.13. In case of more than one objective state, several pMp also exist, e.g. Fig. 4.25. Many pMp can enter into the pMp chain, while other pMp can split up in new chains, e.g. Fig. 5.19-5.21.

The pMp in Fig. 4.13 (and also in all following chapters) is indicated by bold printed arrows. During the calculation from the initial state to the objective state, the pMp is decoupled from the branching transitions (e.g. restoration). Decoupling leads to simple cutout models reduced to the pMp. Therefore, decoupling can considerably contribute to the reduction of complexity.

Starting at the initial state Z 1 , the indices probability Pr, frequency Fr, and time Ti
(Eq. 4.1) of each state along the pMp are calculated step by step until the objective
state is reached. For calculation of the indices of the state under consideration, only
the incoming transitions of the immediate previous states and the outgoing transi-
tions have to be taken into account.

The mathematical initial equation is derived from the well-known Markov differential equation for each Markov state $Z_k$ [Kochs 1984].

$\dfrac{d}{dt} Pr(Z_k,t) = \sum_{\forall i \to k} Pr(Z_i,t)\,a_{i,k} - Pr(Z_k,t) \sum_{k \to \forall i} a_{k,i}$ (4.84)

With Eq. 4.17 the steady state equation is

$0 = \sum_{\forall i \to k} Pr(Z_i)\,a_{i,k} - Pr(Z_k) \sum_{k \to \forall i} a_{k,i}$ (4.85)

The notation $\forall i \to k$ stands for transitions from all $Z_i$ to $Z_k$, and $k \to \forall i$ stands for transitions from $Z_k$ to all $Z_i$. This equilibrium condition is interpreted in the following way: The probability inflow to $Z_k$ (left term) is equal to the probability outflow from $Z_k$ (right term). With $a_{k,k} = \sum_{k \to \forall i} a_{k,i}$, the probability of $Z_k$ is calculated easily with Eq. 4.85.

$Pr(Z_k) = \dfrac{1}{a_{k,k}} \sum_{\forall i \to k} Pr(Z_i)\,a_{i,k}$ (4.86)

The mean time of $Z_k$ is the reciprocal value of the diagonal transition rate, Eq. 4.18.
$Ti(Z_k) = \dfrac{1}{a_{k,k}}$ (4.87)

With Eq. 4.2 and 4.86-87, the mean frequency of $Z_k$ is calculated with the following relation.

$Fr(Z_k) = \dfrac{Pr(Z_k)}{Ti(Z_k)} = \sum_{\forall i \to k} Pr(Z_i)\,a_{i,k}$ (4.88)

With step-by-step application of this triple equation set (Eq. 4.86-88) along the pMp, the indices, starting in $Z_1$, until the state $Z_k$, can easily be calculated without solving large systems of differential or linear equations (Eq. 4.12 and 4.17). For practical applications, the triple set of Z-indices can be represented by the following formation rule.

$Fr(Z_k) = \sum_{pMp\; i \to k} Pr(Z_i)\,a_{i,k}$ (4.89)
$Ti(Z_k) = \dfrac{1}{a_{k,k}}$ (4.90)
$Pr(Z_k) = Fr(Z_k) \cdot Ti(Z_k)$ (4.91)

The notation $pMp\; i \to k$ denotes the transition $Z_i \to Z_k$ along the pMp.

Example, Fig. 4.13: According to this formation rule, the indices for $Z_1 \to Z_2 \to Z_i \to Z_k$ are

$Fr(Z_k) = Pr(Z_1)\,\dfrac{a_{1,2}}{a_{2,1} + a_{2,i} + a_{2,x}} \cdot \dfrac{a_{2,i}}{a_{i,2} + a_{i,k} + a_{i,x}} \cdot a_{i,k}$ (4.92)

$Ti(Z_k) = \dfrac{1}{a_{k,i} + a_{k,i+1} + a_{k,i+2} + a_{k,i+3}}$ (4.93)

$Pr(Z_k) = Fr(Z_k) \cdot Ti(Z_k)$ (4.94)

Approved in numerous applications, this approximation approach is sufficiently accurate. As a rule, one (analytical) calculation cycle provides acceptable accuracy, see Chapter 4.5.8.3.

Remark 1: The approximation of $Fr(Z_k)$ in Eq. 4.89 is based on (1) the assumption of Eq. 4.83 and (2) neglecting the Markov states outside the pMp.

Remark 2: If all Markov states and all transition rates of a Markov process are taken into account, then Eq. 4.89-91 yield the same results as the solution of Eq. 4.17.

The following examples represent Markov models that can be regarded as modules for the integration into the MC approach (Chapter 5).

4.5.2 System with two s-independent components

4.5.2.1 pMp calculation of the parallel system

[Fig. 4.14: Markov model of Fig. 4.11 with Z1 = U1 ∧ U2, Z2 = D1 ∧ U2, Z3 = U1 ∧ D2 in US and Z4 = D1 ∧ D2 in DS; the pMp Z1 -> Z2 (λ1), Z2 -> Z4 (λ2) and Z1 -> Z3 (λ2), Z3 -> Z4 (λ1) are printed bold, the restoration transitions μ1, μ2 branch off; MC = Z4. DBD: US as parallel structure of the blocks U1 and U2.]

Fig. 4.14. Markov model of Fig. 4.11 used to demonstrate pMp and the relationship to the network model: Parallel structure.

Assumption: $\lambda_{\ldots} \ll \mu_{\ldots}$, thus $\mathrm{Pr}(Z_1) \approx 1$ (Eq. 4.82 is fulfilled)   (4.95)

pMp $Z_1 \to Z_2$

$\mathrm{Fr}(Z_2) = \mathrm{Pr}(Z_1)\,\lambda_1 \approx \lambda_1$   (4.96)
$\mathrm{Ti}(Z_2) = \frac{1}{\mu_1 + \lambda_2} \approx \frac{1}{\mu_1}$   (4.97)
$\mathrm{Pr}(Z_2) = \mathrm{Fr}(Z_2)\,\mathrm{Ti}(Z_2) \approx \frac{\lambda_1}{\mu_1}$   (4.98)

pMp $Z_1 \to Z_3$

$\mathrm{Fr}(Z_3) = \mathrm{Pr}(Z_1)\,\lambda_2 \approx \lambda_2$   (4.99)
$\mathrm{Ti}(Z_3) = \frac{1}{\mu_2 + \lambda_1} \approx \frac{1}{\mu_2}$   (4.100)
$\mathrm{Pr}(Z_3) = \mathrm{Fr}(Z_3)\,\mathrm{Ti}(Z_3) \approx \frac{\lambda_2}{\mu_2}$   (4.101)

pMp $Z_2 \to Z_4 + Z_3 \to Z_4$

$\mathrm{Fr}(Z_4) = \mathrm{Pr}(Z_2)\,\lambda_2 + \mathrm{Pr}(Z_3)\,\lambda_1 \approx \frac{\lambda_1 \lambda_2}{\mu_1} + \frac{\lambda_2 \lambda_1}{\mu_2} = \lambda_1 \lambda_2 \left( \frac{1}{\mu_1} + \frac{1}{\mu_2} \right)$   (4.102)
$\mathrm{Ti}(Z_4) = \frac{1}{\mu_1 + \mu_2}$   (4.103)
$\mathrm{Pr}(Z_4) = \mathrm{Fr}(Z_4)\,\mathrm{Ti}(Z_4) \approx \frac{\lambda_1 \lambda_2}{\mu_1 \mu_2}$   (4.104)

Objective state

$D_S = Z_4$   (4.105)

Objective indices

$\mathrm{Pr}(D_S) = \mathrm{Pr}(Z_4)$   (4.106)
$\mathrm{Fr}(D_S) = \mathrm{Fr}(Z_4)$   (4.107)
$\mathrm{Ti}(U_S) = \frac{\mathrm{Pr}(U_S)}{\mathrm{Fr}(U_S)} \approx \frac{1}{\mathrm{Fr}(D_S)} = \frac{1}{\mathrm{Fr}(Z_4)} \approx \frac{\mu_1 \mu_2}{\lambda_1 \lambda_2 (\mu_1 + \mu_2)}$   (4.108)

The other system indices are easily calculated with Eq. 1.8-11.

Relationship to the MC approach

$MC = D_1 \wedge D_2 \equiv Z_4$   (4.109)

4.5.2.2 pMp calculation of the series system

[Figure 4.15 (state diagram): states Z1 = U1 ∧ U2 (US), Z2 = D1 ∧ U2, Z3 = U1 ∧ D2, Z4 = D1 ∧ D2 (DS); failure transitions λ1, λ2, restoration transitions μ1, μ2; DBD of the series structure: U1 and U2 in series, minimal cuts MC1 and MC2.]

$MC_1 = Z_2 \vee Z_4 \approx Z_2$
$MC_2 = Z_3 \vee Z_4 \approx Z_3$

Fig. 4.15. Markov model of Fig. 4.12 used to demonstrate pMp and the relationship to the network model: Series structure.

Assumption: $\lambda_{\ldots} \ll \mu_{\ldots}$, thus $\mathrm{Pr}(Z_1) \approx 1$ (Eq. 4.82 is fulfilled)   (4.110)

Markov state indices

$\mathrm{Fr}(Z_i)$, $\mathrm{Ti}(Z_i)$, $\mathrm{Pr}(Z_i)$, $i = 2, 3$, obtained from Eq. 4.96-101.

Objective state

$D_S \approx Z_2 \vee Z_3$   (4.111)

Objective indices

$\mathrm{Pr}(D_S) \approx \mathrm{Pr}(Z_2) + \mathrm{Pr}(Z_3) \approx \frac{\lambda_1}{\mu_1} + \frac{\lambda_2}{\mu_2}$   (4.112)
$\mathrm{Fr}(D_S) \approx \mathrm{Fr}(Z_2) + \mathrm{Fr}(Z_3) \approx \lambda_1 + \lambda_2$   (4.113)
$\mathrm{Ti}(U_S) = \frac{\mathrm{Pr}(U_S)}{\mathrm{Fr}(U_S)} \approx \frac{1}{\mathrm{Fr}(D_S)} \approx \frac{1}{\lambda_1 + \lambda_2}$   (4.114)

The other system indices can be calculated easily with Eq. 1.8-11.

Relationship to the MC approach

$MC_1 = D_1 \equiv D_1 \wedge U_2 \vee D_1 \wedge D_2$   (4.115)
$MC_2 = D_2 \equiv U_1 \wedge D_2 \vee D_1 \wedge D_2$   (4.116)
$\mathrm{Pr}(MC_1) \approx \frac{\lambda_1}{\mu_1}$, $\mathrm{Fr}(MC_1) \approx \lambda_1$   (4.117-118)
$\mathrm{Pr}(MC_2) \approx \frac{\lambda_2}{\mu_2}$, $\mathrm{Fr}(MC_2) \approx \lambda_2$   (4.119-120)

$\mathrm{Pr}(D_S) \le \mathrm{Pr}(MC_1) + \mathrm{Pr}(MC_2)$   (4.121)
$\mathrm{Fr}(D_S) \le \mathrm{Fr}(MC_1) + \mathrm{Fr}(MC_2)$   (4.122)

4.5.3 r-out-of-n system

Exact Markov modeling and calculation of the 2-oo-3 system

[Figure 4.16 (state diagram): states Z1 = U1 ∧ U2 ∧ U3, Z2 = D1 ∧ U2 ∧ U3, Z3 = U1 ∧ D2 ∧ U3, Z4 = U1 ∧ U2 ∧ D3 (US) and Z5 = D1 ∧ D2 ∧ U3 (MC1), Z6 = D1 ∧ U2 ∧ D3 (MC2), Z7 = U1 ∧ D2 ∧ D3 (MC3), Z8 = D1 ∧ D2 ∧ D3 (DS); failure transitions λ1, λ2, λ3 and restoration transitions μ1, μ2, μ3; the pMp are drawn as bold arrows.]

Fig. 4.16. Markov model of the 2-oo-3 system.

Assumption: The components are s-independent and their indices are the same.

$\mathrm{Pr}(Z_1) = \frac{\mu^3}{(\mu + \lambda)^3}$, $\mathrm{Pr}(Z_2) = \mathrm{Pr}(Z_3) = \mathrm{Pr}(Z_4) = \frac{\lambda \mu^2}{(\mu + \lambda)^3}$   (4.123-124)

$\mathrm{Pr}(U_S) = \sum_{i=1}^{4} \mathrm{Pr}(Z_i) = \frac{\mu^3 + 3\lambda\mu^2}{(\mu + \lambda)^3}$   (4.125)

$\mathrm{Fr}(D_S) = \mathrm{Pr}(Z_2) \cdot 2\lambda + \mathrm{Pr}(Z_3) \cdot 2\lambda + \mathrm{Pr}(Z_4) \cdot 2\lambda = \frac{6\lambda^2\mu^2}{(\mu + \lambda)^3}$   (4.126)

$\mathrm{Ti}(U_S) = \frac{\mathrm{Pr}(U_S)}{\mathrm{Fr}(D_S)} = \frac{\mu + 3\lambda}{6\lambda^2} \equiv MTTF$   (4.127)

Approximate calculation with the pMp approach

Assumption: The components are s-independent, their indices are the same, and
λ « μ.

The pMp in Fig. 4.16 are indicated by bold arrows. The following steps yield the approximate results.

$\mathrm{Pr}(Z_1) \approx 1$   (4.128)
$\mathrm{Pr}(Z_2) = \mathrm{Pr}(Z_3) = \mathrm{Pr}(Z_4) \approx \mathrm{Pr}(Z_1)\,\frac{\lambda}{\mu} \approx \frac{\lambda}{\mu}$   (4.129)
$\mathrm{Fr}(D_S) = \mathrm{Pr}(Z_2) \cdot 2\lambda + \mathrm{Pr}(Z_3) \cdot 2\lambda + \mathrm{Pr}(Z_4) \cdot 2\lambda \approx \frac{6\lambda^2}{\mu}$   (4.130)
$\mathrm{Ti}(U_S) \approx \frac{1}{\mathrm{Fr}(D_S)} \approx \frac{\mu}{6\lambda^2} \equiv MTTF$   (4.131)

Exact modeling and calculation of the 2-oo-3 system using the MC approach

[Figure 4.17 (DBD): the 2-oo-3 system as three minimal cuts MC1 = {U1, U2}, MC2 = {U1, U3}, MC3 = {U2, U3}.]

Fig. 4.17. Minimal cut model of the 2-oo-3 system.

Assumption: The components are s-independent and their indices are the same.

$(i = 1, 2, 3) \in S$

$\mathrm{Pr}(MC_i) = \frac{\lambda^2}{(\mu + \lambda)^2}$, $\mathrm{Ti}(MC_i) = \frac{1}{2\mu}$, $\mathrm{Fr}(MC_i) = \frac{\mathrm{Pr}(MC_i)}{\mathrm{Ti}(MC_i)} = \frac{2\lambda^2\mu}{(\mu + \lambda)^2}$   (4.132-134)

$i, j = 1, 2$ or $1, 3$ or $2, 3$

$\mathrm{Pr}(MC_i \wedge MC_j) = \frac{\lambda^3}{(\mu + \lambda)^3}$, $\mathrm{Ti}(MC_i \wedge MC_j) = \frac{1}{3\mu}$   (4.135-136)

$\mathrm{Fr}(MC_i \wedge MC_j) = \frac{\mathrm{Pr}(MC_i \wedge MC_j)}{\mathrm{Ti}(MC_i \wedge MC_j)}$   (4.137)

$MC_1 \wedge MC_2 \wedge MC_3 \equiv MC_i \wedge MC_j$   (4.138)

These expressions inserted into Eq. 3.44-45 yield the following equations.

$\mathrm{Pr}(D_S) = \sum_{i=1}^{3} \mathrm{Pr}(MC_i) - \sum_{i=1}^{2} \mathrm{Pr}(MC_i \wedge MC_j)$   (4.139)

$\mathrm{Fr}(D_S) = \sum_{i=1}^{3} \mathrm{Fr}(MC_i) - \sum_{i=1}^{2} \mathrm{Fr}(MC_i \wedge MC_j)$   (4.140)

$\mathrm{Pr}(D_S) = \frac{\lambda^2 (3\mu + \lambda)}{(\mu + \lambda)^3}$, $\mathrm{Fr}(D_S) = \frac{6\lambda^2\mu^2}{(\mu + \lambda)^3}$   (4.141-142)

$\mathrm{Pr}(U_S) = 1 - \mathrm{Pr}(D_S) = \frac{\mu^3 + 3\mu^2\lambda}{(\mu + \lambda)^3}$   (4.143)

$\mathrm{Ti}(U_S) = \frac{\mathrm{Pr}(U_S)}{\mathrm{Fr}(D_S)} = \frac{\mu + 3\lambda}{6\lambda^2} \equiv MTTF$   (4.144)

Approximate calculation using the MC approach

Assumption: The components are s-independent, their indices are the same, and
λ « μ.

$(i = 1, 2, 3) \in S$

$\mathrm{Pr}(MC_i) \approx \frac{\lambda^2}{\mu^2}$, $\mathrm{Ti}(MC_i) = \frac{1}{2\mu}$, $\mathrm{Fr}(MC_i) = \frac{\mathrm{Pr}(MC_i)}{\mathrm{Ti}(MC_i)} \approx \frac{2\lambda^2}{\mu}$   (4.145-147)

The MC-indices inserted into Eq. 3.46-47 yield the following results

$\mathrm{Pr}(D_S) \le \sum_{i=1}^{3} \mathrm{Pr}(MC_i) = 3\,\mathrm{Pr}(MC) \approx \frac{3\lambda^2}{\mu^2}$   (4.148)

$\mathrm{Fr}(D_S) \le \sum_{i=1}^{3} \mathrm{Fr}(MC_i) = 3\,\mathrm{Fr}(MC) \approx \frac{6\lambda^2}{\mu}$   (4.149)

$MTTF \approx \frac{1}{\mathrm{Fr}(D_S)} \approx \frac{\mu}{6\lambda^2}$   (4.150)

The presented procedures are applicable to arbitrary r-oo-n systems. [Schneeweiss 2009b] calculates the 2-oo-3 system with the theory of the Laplace transformation.

4.5.4 System of 4.5.2.1 with limited repair capacity and repair priority

Repair of failed components shall be carried out with the priority first-failed-first-repaired. For example, if two components fail one after the other, the first failed component will be repaired before the second failed component. Due to the repair priority the components are s-dependent. Fig. 4.18 shows the component state time model. The s-dependency is highlighted in red. Examples of standby systems are also described in [Endrenyi 1978, Billinton et al. 1992].

[Figure 4.18 (state time diagram Z(t) of one component over t): failure, wait for repair, repair, restoration; states U, D and D_wait → D.]

U up state
D down state due to failure
D_wait → D down state due to failure with repair priority

Fig. 4.18. 3-state time model for a component with postponable repair due to limited repair capacity and repair priority (first-failed-first-repaired).

Fig. 4.19 shows the Markov model of the system with two components. The s-dependency is highlighted in red.

[Figure 4.19 (state diagram): states Z1 = U1 ∧ U2, Z2 = D1 ∧ U2, Z3 = U1 ∧ D2 (US) and Z4 = D1 ∧ D2,wait→D2, Z5 = D1,wait→D1 ∧ D2 (DS); failure transitions λ1, λ2, restoration transitions μ1, μ2; the s-dependent transitions are highlighted in red.]

Fig. 4.19. Markov model for a system with two component models with limited repair capacity and repair priority (first-failed-first-repaired).

Assumption: $\lambda_{\ldots} \ll \mu_{\ldots}$, thus $\mathrm{Pr}(Z_1) \approx 1$ (Eq. 4.82 is fulfilled)   (4.151)

Markov state indices

pMp $Z_1 \to Z_2 \to Z_4$

$\mathrm{Fr}(Z_4) \approx \mathrm{Pr}(Z_1)\,\frac{\lambda_1}{\mu_1}\,\lambda_2 \approx \frac{\lambda_1 \lambda_2}{\mu_1}$   (4.152)
$\mathrm{Ti}(Z_4) = \frac{1}{\mu_1}$   (4.153)
$\mathrm{Pr}(Z_4) = \mathrm{Fr}(Z_4)\,\mathrm{Ti}(Z_4)$   (4.154)

pMp $Z_1 \to Z_3 \to Z_5$

$\mathrm{Fr}(Z_5) \approx \mathrm{Pr}(Z_1)\,\frac{\lambda_2}{\mu_2}\,\lambda_1 \approx \frac{\lambda_2 \lambda_1}{\mu_2}$   (4.155)
$\mathrm{Ti}(Z_5) = \frac{1}{\mu_2}$   (4.156)
$\mathrm{Pr}(Z_5) = \mathrm{Fr}(Z_5)\,\mathrm{Ti}(Z_5)$   (4.157)

Objective state

$D_S = Z_4 \vee Z_5$   (4.158)

Objective indices

$\mathrm{Pr}(D_S) = \mathrm{Pr}(Z_4) + \mathrm{Pr}(Z_5) \approx \lambda_1 \lambda_2 \left( \frac{1}{\mu_1^2} + \frac{1}{\mu_2^2} \right)$   (4.159)
$\mathrm{Fr}(D_S) = \mathrm{Fr}(Z_4) + \mathrm{Fr}(Z_5) \approx \lambda_1 \lambda_2 \left( \frac{1}{\mu_1} + \frac{1}{\mu_2} \right)$   (4.160)

Assuming $\lambda = \lambda_1 = \lambda_2$, $\mu = \mu_1 = \mu_2$   (4.161)

$\mathrm{Pr}(D_S)_{\text{Fig. 4.14}} \approx \frac{\lambda^2}{\mu^2}$   no limited repair capacity (two repair teams)   (4.162)
$\mathrm{Pr}(D_S)_{\text{Fig. 4.19}} \approx 2\,\frac{\lambda^2}{\mu^2}$   limited repair capacity (one repair team)   (4.163)

Relationship to the MC approach

$MC = Z_4 \vee Z_5$   (4.164)
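The formation rule of Eq. 4.92-4.94 written as a small program, added here as an example (not code from the book): it evaluates the pMp indices on a table of transition rates and reproduces Pr(D_S) of the parallel system (Fig. 4.14, Eq. 4.162) and of the system with limited repair capacity (Fig. 4.19, Eq. 4.163). The state names, the dictionary layout and the use of the exact (not approximated) path products are my choices; the rates follow the two figures and Eq. 4.96-4.104 and 4.152-4.157.

```python
"""pMp indices (Eq. 4.92-4.94) evaluated on a transition-rate graph.

Added example. Rate tables follow Fig. 4.14 (parallel structure, two repair
teams) and Fig. 4.19 (one repair team, first-failed-first-repaired).
"""


def outflow(rates, state):
    """Sum of all rates leaving `state` (the denominators of Eq. 4.92 and 4.93)."""
    return sum(r for (src, _dst), r in rates.items() if src == state)


def pmp_path(rates, pr_start, path):
    """Fr, Ti, Pr of the last state of one pMp Z_1 -> ... -> Z_k (Eq. 4.92-4.94).

    rates    : {(src, dst): rate}
    pr_start : steady-state probability of the first state, Pr(Z_1)
    path     : list of state names along the path
    """
    # Eq. 4.92: Pr(Z_1) * a_{1,2} * prod over intermediate states s of a_{s,next} / outflow(s)
    fr = pr_start * rates[(path[0], path[1])]
    for state, nxt in zip(path[1:-1], path[2:]):
        fr *= rates[(state, nxt)] / outflow(rates, state)
    ti = 1.0 / outflow(rates, path[-1])   # Eq. 4.93: mean duration of Z_k
    return fr, ti, fr * ti                 # Eq. 4.94


def pmp_state(rates, pr_start, paths):
    """Indices of one target state reached over several pMp: the Fr add up (cf. Eq. 4.102)."""
    fr = sum(pmp_path(rates, pr_start, p)[0] for p in paths)
    ti = 1.0 / outflow(rates, paths[0][-1])
    return fr, ti, fr * ti


def parallel_system(l1, l2, m1, m2):
    """Fig. 4.14: two s-independent components, each with its own repair team.
    Z1 = U1^U2, Z2 = D1^U2, Z3 = U1^D2, Z4 = D1^D2. Returns (Fr, Ti, Pr) of Z4 = D_S."""
    rates = {("Z1", "Z2"): l1, ("Z1", "Z3"): l2,
             ("Z2", "Z1"): m1, ("Z2", "Z4"): l2,
             ("Z3", "Z1"): m2, ("Z3", "Z4"): l1,
             ("Z4", "Z2"): m2, ("Z4", "Z3"): m1}
    # Pr(Z1) ~ 1 (Eq. 4.95); both pMp of Eq. 4.102 end in Z4
    return pmp_state(rates, 1.0, [["Z1", "Z2", "Z4"], ["Z1", "Z3", "Z4"]])


def limited_repair_system(l1, l2, m1, m2):
    """Fig. 4.19: one repair team, first-failed-first-repaired.
    Z4 = D1^D2,wait->D2 leaves only with mu1 (Eq. 4.153), Z5 = D1,wait->D1^D2 only with mu2
    (Eq. 4.156). Returns (Pr(D_S), Fr(D_S)) of Eq. 4.159-4.160."""
    rates = {("Z1", "Z2"): l1, ("Z1", "Z3"): l2,
             ("Z2", "Z1"): m1, ("Z2", "Z4"): l2,
             ("Z3", "Z1"): m2, ("Z3", "Z5"): l1,
             ("Z4", "Z3"): m1, ("Z5", "Z2"): m2}
    fr4, _, pr4 = pmp_state(rates, 1.0, [["Z1", "Z2", "Z4"]])   # Eq. 4.152-4.154
    fr5, _, pr5 = pmp_state(rates, 1.0, [["Z1", "Z3", "Z5"]])   # Eq. 4.155-4.157
    return pr4 + pr5, fr4 + fr5


if __name__ == "__main__":
    # constructed values: lambda = 1e-4 1/h, mu = 0.1 1/h (lambda << mu, Eq. 4.82)
    lam, mu = 1e-4, 1e-1
    _, _, pr_par = parallel_system(lam, lam, mu, mu)
    pr_lim, _ = limited_repair_system(lam, lam, mu, mu)
    print(f"Pr(D_S) Fig. 4.14: {pr_par:.4e}  (Eq. 4.162: {lam**2 / mu**2:.4e})")
    print(f"Pr(D_S) Fig. 4.19: {pr_lim:.4e}  (Eq. 4.163: {2 * lam**2 / mu**2:.4e})")
```

The exact products differ from Eq. 4.162-4.163 only by the factor μ/(μ + λ) kept in Ti(Z2) and Ti(Z3), which is what the approximation λ ≪ μ drops.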

4.5.5 System of 4.5.4 with common cause failures (CCF)

In a homogeneous Markov process only one random transition can occur in $(t, t + \Delta t)$ with $\Delta t \to 0$, which depends on the time $t$ and not on prior times $x < t$ (Definition 4.2, 4.3). Basic publications are [Billinton et al. 1979, Billinton et al. 1981].

According to Definition 1.22, CCF are caused by one single event (e.g. an error, see Fig. 1.5). Thus, CCF can be modeled by the transitions from $Z_1$ to $Z_4$ and $Z_5$ (highlighted in red), which are regarded as s-dependent transitions in Fig. 4.20a.

[Figure 4.20a (state diagram): states Z1 = U1 ∧ U2, Z2 = D1 ∧ U2, Z3 = U1 ∧ D2 (US) and Z4 = D1 ∧ D2,wait→D2, Z5 = D1,wait→D1 ∧ D2 (DS); transitions Z1 → Z2 with (1 − c1,2)λ1, Z1 → Z3 with (1 − c2,1)λ2, Z1 → Z4 with c1,2 λ1 + ½ cExt λExt, Z1 → Z5 with c2,1 λ2 + ½ cExt λExt (CCF, red), Z2 → Z4 with λ2 + cExt λExt, Z3 → Z5 with λ1 + cExt λExt; restoration transitions μ1, μ2.]

$\lambda_{CCF} = c_{1,2}\,\lambda_1 + c_{2,1}\,\lambda_2$

$c_{1,2}$ probability: Failure of component 1 (due to an error) causes failure of component 2 simultaneously.
$c_{2,1}$ probability: Failure of component 2 (due to an error) causes failure of component 1 simultaneously.
$c_{Ext}$ probability: External influencing factor causes failure of the components 1 and 2 (e.g. due to environmental influence or human errors).

Fig. 4.20a. Markov model with CCF (Definition 1.22), limited repair capacity, and repair priority (Fig. 4.19).

Assumption: $\lambda_{\ldots} \ll \mu_{\ldots}$, $0 \le c_{\ldots} \ll 1$, $c_{Ext} = 0$, and $\mathrm{Pr}(Z_1) \approx 1$ (Eq. 4.82 is fulfilled)   (4.165)

Markov state indices

pMp $Z_1 \to Z_2 \to Z_4$ and $Z_1 \to Z_4$

$\mathrm{Fr}(Z_4) \approx \mathrm{Pr}(Z_1) \left[ \frac{(1 - c_{1,2})\lambda_1}{\mu_1} (\lambda_2 + c_{Ext}\lambda_{Ext}) + c_{1,2}\lambda_1 + \frac{1}{2} c_{Ext}\lambda_{Ext} \right] \approx \frac{\lambda_1 \lambda_2}{\mu_1} + c_{1,2}\lambda_1$   (4.166)
$\mathrm{Ti}(Z_4) = \frac{1}{\mu_1}$   (4.167)
$\mathrm{Pr}(Z_4) = \mathrm{Fr}(Z_4)\,\mathrm{Ti}(Z_4)$   (4.168)

pMp $Z_1 \to Z_3 \to Z_5$ and $Z_1 \to Z_5$

$\mathrm{Fr}(Z_5) \approx \mathrm{Pr}(Z_1) \left[ \frac{(1 - c_{2,1})\lambda_2}{\mu_2} (\lambda_1 + c_{Ext}\lambda_{Ext}) + c_{2,1}\lambda_2 + \frac{1}{2} c_{Ext}\lambda_{Ext} \right] \approx \frac{\lambda_1 \lambda_2}{\mu_2} + c_{2,1}\lambda_2$   (4.169)
$\mathrm{Ti}(Z_5) = \frac{1}{\mu_2}$   (4.170)
$\mathrm{Pr}(Z_5) = \mathrm{Fr}(Z_5)\,\mathrm{Ti}(Z_5)$   (4.171)

Objective state

$D_S = Z_4 \vee Z_5$   (4.172)

Objective indices

$\mathrm{Pr}(D_S) = \mathrm{Pr}(Z_4) + \mathrm{Pr}(Z_5)$   (4.173)
$\mathrm{Fr}(D_S) = \mathrm{Fr}(Z_4) + \mathrm{Fr}(Z_5)$   (no interaction between $Z_4 \leftrightarrow Z_5$)   (4.174)
$\mathrm{Ti}(U_S) = \frac{1 - \mathrm{Pr}(D_S)}{\mathrm{Fr}(U_S)}$ with $\mathrm{Fr}(U_S) = \mathrm{Fr}(D_S)$   (4.175)

Relationship to the MC approach

$MC = Z_4 + Z_5$   (4.176)
$\mathrm{Pr}(D_S) = \mathrm{Pr}(MC)$   (4.177)
$\mathrm{Fr}(D_S) = \mathrm{Fr}(MC)$   (4.178)

Fig. 4.20b shows the Markov model of Fig. 4.20a with reoperation only if both failed
components are repaired.

[Figure 4.20b (state diagram): same states and failure/CCF transitions as Fig. 4.20a; restoration now only from Z4 → Z1 and Z5 → Z1 with the common rate μ1,2.]

$\mu_{1,2} = \frac{1}{\frac{1}{\mu_1} + \frac{1}{\mu_2}}$

$\lambda_{CCF} = c_{1,2}\,\lambda_1 + c_{2,1}\,\lambda_2$

$c_{1,2}$ probability: Failure of component 1 (due to an error) causes failure of component 2 simultaneously.
$c_{2,1}$ probability: Failure of component 2 (due to an error) causes failure of component 1 simultaneously.
$c_{Ext}$ probability: External influencing factor causes failure of components 1 and 2 (e.g. due to environmental influence or human errors).

Fig. 4.20b. Markov model of Fig. 4.20a with reoperation after both failed components are repaired.

The only difference to Fig. 4.20a lies in the transitions $Z_4 \to Z_1$ and $Z_5 \to Z_1$ and the transition rates, which influence Eq. 4.167 and 4.170, as follows.

$\mathrm{Ti}(Z_4) = \frac{1}{\mu_{1,2}}$   (4.179)

$\mathrm{Ti}(Z_5) = \frac{1}{\mu_{1,2}}$   (4.180)

The other equations remain unchanged. It is also possible to summarize the Markov states $Z_4$ and $Z_5$ to one state, because they have the same goal $Z_1$ and the same restoration rate $\mu_{1,2}$ (see also Fig. 4.26).

4.5.6 System of 4.5.4 with scheduled maintenance

Many technical components are maintained depending on a maintenance plan (IEC 192-06-12). Scheduled maintenance of a component should be postponed in case of other component failures in order to prevent a system failure. Fig. 4.21 outlines the state time model for components including two s-dependencies: maintenance with postponable shut down (blue) and postponable repair (red). Fig. 4.22 represents the corresponding Markov model.

[Figure 4.21 (state time diagram Z(t) of one component over t): scheduled maintenance with postponable shut down for maintenance, failure, postponed repair start, repair, restoration, restarting; states U, M, D and D_wait → D.]

U up state
D down state due to failure
M maintenance state (scheduled maintenance)
D_wait → D postponable down state

Fig. 4.21. 4-state time model for components with postponable maintenance (blue) and postponable repair (red) due to limited repair capacity (Fig. 4.18-19).

[Figure 4.22 (state diagram): states Z1 = U1 ∧ U2, Z2 = M1 ∧ U2, Z3 = D1 ∧ U2, Z4 = U1 ∧ D2, Z5 = U1 ∧ M2 (US) and Z6 = M1 ∧ D2, Z7 = D1 ∧ D2,wait→D2, Z8 = D1,wait→D1 ∧ D2, Z9 = D1 ∧ M2 (DS); maintenance transitions λM,1, λM,2 and μM,1, μM,2, failure transitions λ1, λ2, restoration transitions μ1, μ2.]

Fig. 4.22. Markov model of a 2-component system, constructed of two component models according to Fig. 4.21.

Assumption: $\lambda_{\ldots} \ll \mu_{\ldots}$, thus $\mathrm{Pr}(Z_1) \approx 1$ (Eq. 4.82 is fulfilled)   (4.181)

Markov state indices

pMp $Z_1 \to Z_2 \to Z_6$ (upper maintenance path)

$\mathrm{Fr}(Z_6) \approx \mathrm{Pr}(Z_1)\,\frac{\lambda_{M,1}\,\lambda_2}{\mu_{M,1}} \approx \frac{\lambda_{M,1}\,\lambda_2}{\mu_{M,1}}$, $\mathrm{Ti}(Z_6) = \frac{1}{\mu_2 + \mu_{M,1}}$   (4.182-183)
$\mathrm{Pr}(Z_6) = \mathrm{Fr}(Z_6)\,\mathrm{Ti}(Z_6)$   (4.184)

pMp $Z_1 \to Z_3 \to Z_7$

$\mathrm{Fr}(Z_7) \approx \mathrm{Pr}(Z_1)\,\frac{\lambda_1}{\mu_1}\,\lambda_2 \approx \frac{\lambda_1}{\mu_1}\,\lambda_2$, $\mathrm{Ti}(Z_7) = \frac{1}{\mu_1}$   (4.185-186)
$\mathrm{Pr}(Z_7) = \mathrm{Fr}(Z_7)\,\mathrm{Ti}(Z_7)$   (4.187)

pMp $Z_1 \to Z_4 \to Z_8$

$\mathrm{Fr}(Z_8) \approx \mathrm{Pr}(Z_1)\,\frac{\lambda_2}{\mu_2}\,\lambda_1 \approx \frac{\lambda_2}{\mu_2}\,\lambda_1$, $\mathrm{Ti}(Z_8) = \frac{1}{\mu_2}$   (4.188-189)
$\mathrm{Pr}(Z_8) = \mathrm{Fr}(Z_8)\,\mathrm{Ti}(Z_8)$   (4.190)

pMp $Z_1 \to Z_5 \to Z_9$ (lower maintenance path)

$\mathrm{Fr}(Z_9) \approx \mathrm{Pr}(Z_1)\,\frac{\lambda_{M,2}\,\lambda_1}{\mu_{M,2}} \approx \frac{\lambda_{M,2}\,\lambda_1}{\mu_{M,2}}$, $\mathrm{Ti}(Z_9) = \frac{1}{\mu_1 + \mu_{M,2}}$   (4.191-192)
$\mathrm{Pr}(Z_9) = \mathrm{Fr}(Z_9)\,\mathrm{Ti}(Z_9)$   (4.193)

Objective state

$D_S = Z_6 \vee Z_7 \vee Z_8 \vee Z_9$   (4.194)

Objective indices

$\mathrm{Pr}(D_S) = \mathrm{Pr}(Z_6) + \mathrm{Pr}(Z_7) + \mathrm{Pr}(Z_8) + \mathrm{Pr}(Z_9)$   (4.195)
$\mathrm{Fr}(D_S) = \mathrm{Fr}(Z_6) + \mathrm{Fr}(Z_7) + \mathrm{Fr}(Z_8) + \mathrm{Fr}(Z_9)$   (4.196)
(no interaction between $Z_6 \leftrightarrow Z_7 \leftrightarrow Z_8 \leftrightarrow Z_9$)

Relationship to the MC approach

$MC = Z_6 \vee Z_7 \vee Z_8 \vee Z_9$   (4.197)
$\mathrm{Pr}(D_S) = \mathrm{Pr}(MC)$   (4.198)
$\mathrm{Fr}(D_S) = \mathrm{Fr}(MC)$   (4.199)

4.5.7 Segmentation of the Markov model of 4.5.6 and aggregation of the partial Markov models

The Markov model, Fig. 4.22, can be divided into three partial models or submodels (cutouts), outlined in Fig. 4.23. The partial models can be approximated separately with the initial probabilities

$\mathrm{Pr}(Z_{1,1}) \approx \mathrm{Pr}(Z_{1,2}) \approx \mathrm{Pr}(Z_{1,3}) \approx 1$   (4.200)

Results: Outcomes are equal to Eq. 4.182-199. The partial results have to be added.

[Figure 4.23 (diagram): the model of Fig. 4.22 split into three cutouts, each with its own initial state Z1,1, Z1,2, Z1,3 = U1 ∧ U2: cutout 1 with Z2 = M1 ∧ U2 → Z6 = M1 ∧ D2 (λM,1, μM,1, λ2, μ2); cutout 2 with Z3 = D1 ∧ U2 → Z7 = D1 ∧ D2,wait→D2 and Z4 = U1 ∧ D2 → Z8 = D1,wait→D1 ∧ D2 (λ1, λ2, μ1, μ2); cutout 3 with Z5 = U1 ∧ M2 → Z9 = D1 ∧ M2 (λM,2, μM,2, λ1, μ1); the cutouts are added ("+").]

Fig. 4.23. Segmentation of the Markov model of Fig. 4.22 and assembling of the partial Markov cutouts.

4.5.8 System with redundancy switching

Fig. 4.24 displays the component model, including a standby state (IEC 192-02-10),
for redundancy switching, start-up failure, and system dependent transitions.

[Figure 4.24 (component state diagram): states Ui, Di, Ri; transitions Ui → Di with λi, Di → Ui with μi, Ri → Di with λR,i, Ri → Ui with (1 − sR,i)·λk≠i (error-free switch-over), Ri → Di with sR,i·λk≠i (failed switch-over); the transition into Ri depends on the application.]

Ui up state
Di down state due to failure
Ri standby state (failures are immediately detected)

λi failure rate in Ui, μi restoration rate of component i, λR,i failure rate of component i in Ri, λk≠i failure rate of adjacent component k, which requests the error-free switching from Ri to Ui with (1 − sR,i)·λk≠i and the failed switch-over with sR,i·λk≠i (sR,i start-up failure)
System dependent transition, highlighted in red and black

Fig. 4.24. Markov model of component i with redundancy switching.

Fig. 4.25 shows the system model with two components. The procedure can be applied to several components [Kochs et al. 2012].

[Figure 4.25 (state diagram): states Z1 = R1 ∧ U2, Z2 = U1 ∧ R2, Z3 = D1 ∧ U2, Z4 = U1 ∧ D2 (US) and Z5 = D1 ∧ D2,wait→D2, Z6 = D1,wait→D1 ∧ D2 (DS); transitions Z1 → Z3 with λR,1, Z1 → Z4 with (1 − sR,1)·λ2, Z1 → Z6 with sR,1·λ2, Z2 → Z4 with λR,2, Z2 → Z3 with (1 − sR,2)·λ1, Z2 → Z5 with sR,2·λ1, Z3 → Z1 with μ1, Z3 → Z5 with λ2, Z4 → Z2 with μ2, Z4 → Z6 with λ1, Z5 → Z4 with μ1, Z6 → Z3 with μ2.]

Fig. 4.25. Markov model of a system with two components with standby function according to Fig. 4.24 and repair priority due to limited repair capacity according to Fig. 4.19.

4.5.8.1 pMp approach

In case of identical components, the pMp approach can be applied easily. Initial states are $Z_1$ and $Z_2$ with the initial values $\mathrm{Pr}(Z_1) = \mathrm{Pr}(Z_2) = 0.5$ (symmetrical halves of the model).

Assumption: $\lambda_{\ldots} \ll \mu_{\ldots}$ and $s_R \ll 1$ (Eq. 4.82 is fulfilled)   (4.201)


Markov state indices

pMp $Z_1 \to Z_3 \to Z_5$

$\mathrm{Fr}(Z_5)_1 \approx \mathrm{Pr}(Z_1)\,\frac{\lambda_{R,1}}{\mu_1}\,\lambda_2 \approx 0.5\,\frac{\lambda_{R,1}\,\lambda_2}{\mu_1}$, $\mathrm{Ti}(Z_5) = \frac{1}{\mu_1}$   (4.202-203)
$\mathrm{Pr}(Z_5)_1 = \mathrm{Fr}(Z_5)_1\,\mathrm{Ti}(Z_5)$   (4.204)

pMp $Z_1 \to Z_6$

$\mathrm{Fr}(Z_6)_2 = \mathrm{Pr}(Z_1)\,s_{R,1}\,\lambda_2 \approx 0.5\,s_{R,1}\,\lambda_2$, $\mathrm{Ti}(Z_6) = \frac{1}{\mu_2}$   (4.205-206)
$\mathrm{Pr}(Z_6)_2 = \mathrm{Fr}(Z_6)_2\,\mathrm{Ti}(Z_6)$   (4.207)

pMp $Z_1 \to Z_4 \to Z_6$

$\mathrm{Fr}(Z_6)_3 \approx \mathrm{Pr}(Z_1)\,\frac{(1 - s_{R,1})\lambda_2}{\mu_2}\,\lambda_1 \approx 0.5\,\frac{(1 - s_{R,1})\lambda_2}{\mu_2}\,\lambda_1$, $\mathrm{Ti}(Z_6) = \frac{1}{\mu_2}$   (4.208-209)
$\mathrm{Pr}(Z_6)_3 = \mathrm{Fr}(Z_6)_3\,\mathrm{Ti}(Z_6)$   (4.210)

pMp $Z_2 \to Z_4 \to Z_6$

$\mathrm{Fr}(Z_6)_4 \approx \mathrm{Pr}(Z_2)\,\frac{\lambda_{R,2}}{\mu_2}\,\lambda_1 \approx 0.5\,\frac{\lambda_{R,2}\,\lambda_1}{\mu_2}$, $\mathrm{Ti}(Z_6) = \frac{1}{\mu_2}$   (4.211-212)
$\mathrm{Pr}(Z_6)_4 = \mathrm{Fr}(Z_6)_4\,\mathrm{Ti}(Z_6)$   (4.213)

pMp $Z_2 \to Z_5$

$\mathrm{Fr}(Z_5)_5 = \mathrm{Pr}(Z_2)\,s_{R,2}\,\lambda_1 \approx 0.5\,s_{R,2}\,\lambda_1$, $\mathrm{Ti}(Z_5) = \frac{1}{\mu_1}$   (4.214-215)
$\mathrm{Pr}(Z_5)_5 = \mathrm{Fr}(Z_5)_5\,\mathrm{Ti}(Z_5)$   (4.216)

pMp $Z_2 \to Z_3 \to Z_5$

$\mathrm{Fr}(Z_5)_6 \approx \mathrm{Pr}(Z_2)\,\frac{(1 - s_{R,2})\lambda_1}{\mu_1}\,\lambda_2 \approx 0.5\,\frac{(1 - s_{R,2})\lambda_1}{\mu_1}\,\lambda_2$, $\mathrm{Ti}(Z_5) = \frac{1}{\mu_1}$   (4.217-218)
$\mathrm{Pr}(Z_5)_6 = \mathrm{Fr}(Z_5)_6\,\mathrm{Ti}(Z_5)$   (4.219)

Objective indices

$D_S = Z_5 \vee Z_6$   (4.220)

Additional assumption: $\lambda = \lambda_1 = \lambda_2$, $\lambda_R = \lambda_{R,1} = \lambda_{R,2}$, $\mu = \mu_1 = \mu_2$, and $s_R = s_{R,1} = s_{R,2}$   (4.221)

$\mathrm{Pr}(D_S) = \sum_{i = 1, 5, 6} \mathrm{Pr}(Z_5)_i + \sum_{i = 2, 3, 4} \mathrm{Pr}(Z_6)_i \approx \frac{\lambda^2}{\mu^2} + \frac{\lambda_R\,\lambda}{\mu^2} + s_R\,\frac{\lambda}{\mu}$   (4.222)

$\mathrm{Fr}(D_S) = \sum_{i = 1, 5, 6} \mathrm{Fr}(Z_5)_i + \sum_{i = 2, 3, 4} \mathrm{Fr}(Z_6)_i \approx \frac{\lambda^2}{\mu} + \frac{\lambda_R\,\lambda}{\mu} + s_R\,\lambda$   (4.223)

Relationship to the MC approach

$MC = Z_5 \vee Z_6$   (4.224)

4.5.8.2 Numerical iteration approach

If the indices of the components are different from each other, then the initial values $\mathrm{Pr}(Z_1)$ and $\mathrm{Pr}(Z_2)$ are different. Eq. 4.83 is not fulfilled. In this case, the following numerical iteration approach, as applied in Chapter 4.4.3.2, can be an appropriate approach. The approach can be initialized with any initial values, e.g. $\mathrm{Pr}(Z_1) = 1$. The numerical iteration approach does not need the restrictions as required in Eq. 4.201 (Eq. 4.82 does not need to be fulfilled).

Initial values: $\mathrm{Pr}(Z_1)_0 = 1$, $\mathrm{Pr}(Z_j)_0 = 0$, $j = 2 \ldots 6$   (4.225)

$\mathrm{Ti}(Z_1) = 1 / (\lambda_2 + \lambda_{R,1})$, $\mathrm{Ti}(Z_2) = 1 / (\lambda_1 + \lambda_{R,2})$   (4.226-227)
$\mathrm{Ti}(Z_3) = 1 / (\mu_1 + \lambda_2)$, $\mathrm{Ti}(Z_4) = 1 / (\mu_2 + \lambda_1)$   (4.228-229)
$\mathrm{Ti}(Z_5) = 1 / \mu_1$, $\mathrm{Ti}(Z_6) = 1 / \mu_2$   (4.230-231)

Starting with $i = 0$ and increment $i$ for each cycle

do {
    $\mathrm{Fr}(Z_1)_{i+1} = \mathrm{Pr}(Z_1)_i / \mathrm{Ti}(Z_1)$   (4.232)

    $\mathrm{Fr}(Z_2)_{i+1} = \mathrm{Pr}(Z_4)_i\,\mu_2$   (4.233)
    $\mathrm{Pr}(Z_2)_{i+1} = \mathrm{Ti}(Z_2)\,\mathrm{Fr}(Z_2)_{i+1}$   (4.234)

    $\mathrm{Fr}(Z_3)_{i+1} = \mathrm{Pr}(Z_1)_i\,\lambda_{R,1} + \mathrm{Pr}(Z_2)_i\,(1 - s_{R,2})\,\lambda_1 + \mathrm{Pr}(Z_6)_i\,\mu_2$   (4.235)
    $\mathrm{Pr}(Z_3)_{i+1} = \mathrm{Ti}(Z_3)\,\mathrm{Fr}(Z_3)_{i+1}$   (4.236)

    $\mathrm{Fr}(Z_4)_{i+1} = \mathrm{Pr}(Z_2)_i\,\lambda_{R,2} + \mathrm{Pr}(Z_1)_i\,(1 - s_{R,1})\,\lambda_2 + \mathrm{Pr}(Z_5)_i\,\mu_1$   (4.237)
    $\mathrm{Pr}(Z_4)_{i+1} = \mathrm{Ti}(Z_4)\,\mathrm{Fr}(Z_4)_{i+1}$   (4.238)

    $\mathrm{Fr}(Z_5)_{i+1} = \mathrm{Pr}(Z_3)_i\,\lambda_2 + \mathrm{Pr}(Z_2)_i\,s_{R,2}\,\lambda_1$   (4.239)
    $\mathrm{Pr}(Z_5)_{i+1} = \mathrm{Ti}(Z_5)\,\mathrm{Fr}(Z_5)_{i+1}$   (4.240)

    $\mathrm{Fr}(Z_6)_{i+1} = \mathrm{Pr}(Z_4)_i\,\lambda_1 + \mathrm{Pr}(Z_1)_i\,s_{R,1}\,\lambda_2$   (4.241)
    $\mathrm{Pr}(Z_6)_{i+1} = \mathrm{Ti}(Z_6)\,\mathrm{Fr}(Z_6)_{i+1}$   (4.242)

    $\mathrm{Pr}(Z_1)_{i+1} = 1 - \sum_{j=2}^{6} \mathrm{Pr}(Z_j)_{i+1}$   (4.243)

} while ( $\mathrm{Pr}(Z_1)_{i+1} - \mathrm{Pr}(Z_1)_i >$ error limit )   (4.244)



4.5.8.3 Examples

Example 1: numerical iteration, similar components (1 = 2)

$\lambda_1 = \lambda_2 = 10^{-4}\,h^{-1}$, $\lambda_{R,1} = \lambda_{R,2} = 10^{-4}\,h^{-1}$, $\mu_1 = \mu_2 = 10^{-1}\,h^{-1}$, $s_{R,1} = s_{R,2} = 2 \cdot 10^{-2}$   (4.245)

Initial values: $\mathrm{Pr}(Z_1)_0 = 1$, $\mathrm{Pr}(Z_j) = 0$, $j = 2 \ldots 6$   (4.246)

15 iterations: $\mathrm{Pr}(Z_1)$ = 4.989910E-01   (4.247)
$\mathrm{Pr}(Z_2)$ = 4.989910E-01   (4.248)
$\mathrm{Pr}(Z_5)$ = 1.097780E-05   (4.249)
$\mathrm{Pr}(Z_6)$ = 1.097780E-05   (4.250)

After at most 15 iterations, the steady state values have been calculated with an accuracy of at least 7 decimal places.

Example 2: pMp approximation, similar components (1 = 2)

Input indices are the same as in Example 1. Due to identical component indices, the initial values are divided in half: $\mathrm{Pr}(Z_1) = \mathrm{Pr}(Z_2) = 0.5$.

pMp calculation: $\mathrm{Pr}(Z_5) \approx$ 1.100000E-05   (4.251)
$\mathrm{Pr}(Z_6) \approx$ 1.100000E-05   (4.252)

The pMp calculation needs only one calculation step. The deviation to Eq. 4.249-250 is negligibly small (Eq. 4.201 has to be fulfilled).

Example 3: numerical iteration, different components (1 ≠ 2)

$\lambda_1 = 10^{-5}\,h^{-1}$, $\lambda_2 = 10^{-4}\,h^{-1}$   (4.253)
$\lambda_{R,1} = 10^{-5}\,h^{-1}$, $\lambda_{R,2} = 10^{-4}\,h^{-1}$
$\mu_1 = 10^{-1}\,h^{-1}$, $\mu_2 = 10^{-1}\,h^{-1}$
$s_{R,1} = 10^{-2}$, $s_{R,2} = 10^{-1}$

Initial values: $\mathrm{Pr}(Z_1) = 1$, $\mathrm{Pr}(Z_j) = 0$, $j = 2 \ldots 6$   (4.254)

20 iterations: $\mathrm{Pr}(Z_1)$ = 8.324939E-02   (4.255)
$\mathrm{Pr}(Z_2)$ = 9.156417E-01   (4.256)
$\mathrm{Pr}(Z_5)$ = 9.247991E-06   (4.257)
$\mathrm{Pr}(Z_6)$ = 9.332145E-07   (4.258)

After at most 20 iterations, the steady state values have been calculated with an accuracy of at least 7 decimal places.

If the component input values differ, as in this example, the pMp approach does not offer an advantage compared to the iteration approach, because the initial values $\mathrm{Pr}(Z_1)$ and $\mathrm{Pr}(Z_2)$ cannot be estimated prior to starting the calculation. This is the case in all applications if more than one initial state with different component indices has to be considered.
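The iteration of Eq. 4.225-4.244 and the pMp approximation of Eq. 4.222 as runnable code, added here as an example (not the book's program): it reproduces Examples 1-3 above. The dataclass, the function names, the error limit 1e-12 and the absolute value in the stopping test are my choices; the recursion itself is taken line by line from Eq. 4.232-4.244.

```python
"""Numerical iteration (Eq. 4.225-4.244) for the standby system of Fig. 4.25 and the pMp
approximation (Eq. 4.222) for identical components. Added example, not the book's program."""
from dataclasses import dataclass


@dataclass(frozen=True)
class StandbyParams:
    lam1: float    # failure rate of component 1 in U1 (lambda_1)
    lam2: float    # failure rate of component 2 in U2 (lambda_2)
    lamR1: float   # failure rate of component 1 in standby R1 (lambda_R,1)
    lamR2: float   # failure rate of component 2 in standby R2 (lambda_R,2)
    mu1: float     # restoration rate of component 1 (mu_1)
    mu2: float     # restoration rate of component 2 (mu_2)
    sR1: float     # start-up failure probability of component 1 (s_R,1)
    sR2: float     # start-up failure probability of component 2 (s_R,2)


def iterate_standby(p, error_limit=1e-12, max_iter=200):
    """Fixed-point iteration of Eq. 4.232-4.244.

    Returns ([Pr(Z1), ..., Pr(Z6)], number of cycles). Fr(Z1) of Eq. 4.232 is an output
    index only and does not feed the recursion, so it is not computed here."""
    ti2 = 1.0 / (p.lam1 + p.lamR2)        # Eq. 4.227
    ti3 = 1.0 / (p.mu1 + p.lam2)          # Eq. 4.228
    ti4 = 1.0 / (p.mu2 + p.lam1)          # Eq. 4.229
    ti5, ti6 = 1.0 / p.mu1, 1.0 / p.mu2   # Eq. 4.230-231
    pr = [1.0, 0.0, 0.0, 0.0, 0.0, 0.0]    # Eq. 4.225: Pr(Z1)_0 = 1, Pr(Zj)_0 = 0
    cycles = 0
    for cycles in range(1, max_iter + 1):
        p1, p2, p3, p4, p5, p6 = pr
        fr2 = p4 * p.mu2                                                # Eq. 4.233
        fr3 = p1 * p.lamR1 + p2 * (1.0 - p.sR2) * p.lam1 + p6 * p.mu2   # Eq. 4.235
        fr4 = p2 * p.lamR2 + p1 * (1.0 - p.sR1) * p.lam2 + p5 * p.mu1   # Eq. 4.237
        fr5 = p3 * p.lam2 + p2 * p.sR2 * p.lam1                         # Eq. 4.239
        fr6 = p4 * p.lam1 + p1 * p.sR1 * p.lam2                         # Eq. 4.241
        new = [0.0, ti2 * fr2, ti3 * fr3, ti4 * fr4, ti5 * fr5, ti6 * fr6]  # Eq. 4.234-4.242
        new[0] = 1.0 - sum(new[1:])                                     # Eq. 4.243
        delta = abs(new[0] - p1)                                        # Eq. 4.244
        pr = new
        if delta <= error_limit:
            break
    return pr, cycles


def pmp_identical(lam, lamR, mu, sR):
    """Eq. 4.222 for identical components (Eq. 4.221); Z5 and Z6 each carry half of Pr(D_S),
    which is what Example 2 (Eq. 4.251-252) reports. Returns (Pr(D_S), Pr(Z5))."""
    pr_ds = lam ** 2 / mu ** 2 + lamR * lam / mu ** 2 + sR * lam / mu
    return pr_ds, 0.5 * pr_ds


if __name__ == "__main__":
    ex1 = StandbyParams(1e-4, 1e-4, 1e-4, 1e-4, 1e-1, 1e-1, 2e-2, 2e-2)   # Eq. 4.245
    pr, n = iterate_standby(ex1)
    print(f"Example 1: {n} cycles  Pr(Z1)={pr[0]:.6e}  Pr(Z5)={pr[4]:.6e}")
    print(f"Example 2: pMp Pr(Z5) ~ {pmp_identical(1e-4, 1e-4, 1e-1, 2e-2)[1]:.6e}")
    ex3 = StandbyParams(1e-5, 1e-4, 1e-5, 1e-4, 1e-1, 1e-1, 1e-2, 1e-1)   # Eq. 4.253
    pr, n = iterate_standby(ex3)
    print(f"Example 3: {n} cycles  Pr(Z1)={pr[0]:.6e}  Pr(Z2)={pr[1]:.6e}  "
          f"Pr(Z5)={pr[4]:.6e}  Pr(Z6)={pr[5]:.6e}")
```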

4.5.9 System excluding repair during system operation

[Figure 4.26 (state diagram): states Z1 = U1 ∧ U2, Z2 = D1 ∧ U2, Z3 = U1 ∧ D2 (US) and Z4 = D1 ∧ D2 (DS); numbered transitions 1: Z1 → Z2 with (1 − c1,2)λ1, 2: Z1 → Z3 with (1 − c2,1)λ2, 3: Z2 → Z4 with λ2, 4: Z3 → Z4 with λ1, 5: Z1 → Z4 with λCCF; restoration Z4 → Z1 with μ1,2.]

$\lambda_{CCF}$, $c_{1,2}$, $c_{2,1}$, $\mu_{1,2}$ as given in Fig. 4.20b ($c_{Ext} = 0$).

Fig. 4.26. 4-state Markov system model.



4.5.9.1 Long-term process behavior

Eq. 4.82 is not fulfilled, thus $\mathrm{Pr}(Z_1)$ is not known. Therefore, the Markov equations, Eq. 4.12-18, are directly applied step-by-step (with unknown $\mathrm{Pr}(Z_1)$).

Markov state indices

$Z_1 \to Z_2$

$\mathrm{Pr}(Z_2) = \mathrm{Pr}(Z_1)\,\frac{(1 - c_{1,2})\lambda_1}{\lambda_2}$   (4.259)

$Z_1 \to Z_3$

$\mathrm{Pr}(Z_3) = \mathrm{Pr}(Z_1)\,\frac{(1 - c_{2,1})\lambda_2}{\lambda_1}$   (4.260)

$Z_2 \to Z_4 + Z_3 \to Z_4 + Z_1 \to Z_4$

$\mathrm{Fr}(Z_4) = \mathrm{Pr}(Z_2)\,\lambda_2 + \mathrm{Pr}(Z_3)\,\lambda_1 + \mathrm{Pr}(Z_1)\,\lambda_{CCF} = \mathrm{Pr}(Z_1)\left((1 - c_{1,2})\lambda_1 + (1 - c_{2,1})\lambda_2 + \lambda_{CCF}\right) = \mathrm{Pr}(Z_1)\,(\lambda_1 + \lambda_2)$   (4.261)

$\mathrm{Ti}(Z_4) = \frac{1}{\mu_{1,2}}$   (4.262)

$\mathrm{Pr}(Z_4) = \mathrm{Fr}(Z_4)\,\mathrm{Ti}(Z_4) = \mathrm{Pr}(Z_1)\,\frac{\lambda_1 + \lambda_2}{\mu_{1,2}}$   (4.263)

Calculation of $\mathrm{Pr}(Z_1)$

Secondary condition: $\sum_{i=1}^{4} \mathrm{Pr}(Z_i) = 1$   (4.264)

$\mathrm{Pr}(Z_1) = \frac{1}{1 + \frac{(1 - c_{1,2})\lambda_1}{\lambda_2} + \frac{(1 - c_{2,1})\lambda_2}{\lambda_1} + \frac{\lambda_1 + \lambda_2}{\mu_{1,2}}}$   (4.265)

With $\mu_{1,2} \gg \lambda_1, \lambda_2$, the following estimation is valid.

$1 + \frac{(1 - c_{1,2})\lambda_1}{\lambda_2} + \frac{(1 - c_{2,1})\lambda_2}{\lambda_1} \gg \frac{\lambda_1 + \lambda_2}{\mu_{1,2}}$   (4.266)

With $c_{1,2}, c_{2,1} \ll 1$ follows the approximation

$\mathrm{Pr}(Z_1) \approx \frac{1}{1 + \frac{\lambda_1}{\lambda_2} + \frac{\lambda_2}{\lambda_1}}$   (4.267)

Example: $\lambda = \lambda_1 = \lambda_2$

$\mathrm{Pr}(Z_1) \approx \frac{1}{3}$   (4.268)
$\mathrm{Fr}(Z_2) = \mathrm{Fr}(Z_3) \approx \frac{\lambda}{3}$   (4.269)
$\mathrm{Pr}(Z_2) = \mathrm{Pr}(Z_3) \approx \frac{1}{3}$   (4.270)
$\mathrm{Fr}(Z_4) \approx \frac{2}{3}\,\lambda$   (4.271)
$\mathrm{Pr}(Z_4) \approx \frac{2}{3}\,\frac{\lambda}{\mu_{1,2}}$   (4.272)

pMp approach

As mentioned before, $\mathrm{Pr}(Z_1) \approx 1$ is not valid. Therefore, the initial probability is calculated with the condition $\mathrm{Pr}(Z_1) + \mathrm{Pr}(Z_2) + \mathrm{Pr}(Z_3) \approx 1$ ($\lambda_1 = \lambda_2$ and $c_{1,2} = c_{2,1}$).

$\mathrm{Pr}(Z_1) \approx \frac{1}{3}$   (4.273)

This equation inserted in Eq. 4.259-261 and 4.263 yields directly the solution, Eq. 4.269-272.

Objective indices

$\mathrm{Fr}(D_S) = \mathrm{Fr}(Z_4)$   (4.274)
$\mathrm{Pr}(D_S) = \mathrm{Pr}(Z_4) = \mathrm{Fr}(Z_4)\,\mathrm{Ti}(Z_4)$   (4.275)

Conclusion

Long-term behavior: In the steady state, CCF with $c_{1,2}, c_{2,1} \ll 1$ have no significant impact on system failure. Parallel structures in similar systems do not increase (long-term) system dependability.

4.5.9.2 Short-term process behavior

The short-term probability is simple to calculate using Eq. 4.294-303. 1 ... 5 in Fig. 4.26 denote the G-functions.

Assumption: $\mathrm{Pr}(Z_1, t = 0) = 1$, $\lambda_1 t, \lambda_2 t \ll 1$, $t < 1 / \mu_{1,2}$, and $c_{1,2}, c_{2,1} \ll 1$

$F_1(t) = F_4(t) = 1 - e^{-\lambda_1 t} \approx \lambda_1 t$   (4.276)
$F_2(t) = F_3(t) = 1 - e^{-\lambda_2 t} \approx \lambda_2 t$   (4.277)
$F_5(t) = 1 - e^{-\lambda_{CCF} t} \approx \lambda_{CCF}\,t = (c_{1,2}\lambda_1 + c_{2,1}\lambda_2)\,t$   (4.278)
$G_1(t) \approx F_1(t)$   (4.279)
$G_2(t) \approx F_2(t)$   (4.280)
$G_3(t) = \int_0^t \frac{dG_1(x)}{dx}\,F_3(t - x)\,dx \approx \frac{\lambda_1 \lambda_2 t^2}{2}$   (4.281)
$G_4(t) = \int_0^t \frac{dG_2(x)}{dx}\,F_4(t - x)\,dx \approx \frac{\lambda_2 \lambda_1 t^2}{2}$   (4.282)

$G_5(t) = F_5(t) \approx (c_{1,2}\lambda_1 + c_{2,1}\lambda_2)\,t$   (4.283)

$\mathrm{Pr}(Z_4, t) \approx \lambda_1 \lambda_2 t^2 + (c_{1,2}\lambda_1 + c_{2,1}\lambda_2)\,t$   (4.284)

CCF dominate the short-term probability.

Example

Assumption: $\lambda = \lambda_1 = \lambda_2 = 10^{-5}\,h^{-1}$, $c = c_{1,2} = c_{2,1} = 10^{-2}$, and $t = 10\,h$

$\mathrm{Pr}(Z_4, t) \approx (\lambda t)^2 + 2c\lambda t = 10^{-9}\,h^{-1} + 2 \cdot 10^{-6}\,h^{-1}$   (4.285)

Conclusion
Short-term behavior: CCF ($\lambda_{CCF}$) have significant influence on system dependability during short-term operating time, also for $c_{1,2}, c_{2,1} \ll 1$. Further example see also Chapter 5.10.

4.5.10 Item with periodic fault diagnosis

Periodic diagnosis is used for items with (1) no continuous fault detection, (2) rare request, and (3) standby state (non-operating state, but ready for use). Items with periodic diagnosis are used in automation systems, protection and safety items, etc. Fig. 4.27 illustrates the effect of diagnosis with discrete times (e.g. automatic or by inspection). The terms and definitions are taken from Fig. 1.2, [IEC 60050-192:2015].

[Figure 4.27 (timing diagram): diagnosis times t0 … t7 on the time axis; a fault occurring between two diagnosis times stays undetected (DU) until the next diagnosis, is then detected (DD) and repaired; the down state D is split into DU and DD, with MFDT, MACMT and the total MTTR marked.]

t0, t1, t2, … discrete fault diagnosis times (can stretch the range from μsec ... years)
U up state
DU part of down state with undetected fault
DD part of down state with detected fault
D = DU ∨ DD down state
MFDT mean fault detection time (IEC 192-07-11, Fig. 1.2)
MACMT mean active corrective maintenance time (IEC 192-07-22, Fig. 1.2) or mean repair time MRT (IEC 192-07-21, Fig. 1.2), depending on the application
MTTR (total) mean time to restoration (IEC 192-07-23, Fig. 1.2) excluding administrative delay (IEC 192-07-12, Fig. 1.2): MFDT + MACMT

Fig. 4.27. Fault diagnosis model with discrete diagnosis times.

Item model

Fig. 4.1 and 4.2 show the item model with immediate fault detection (corresponding
to continuous (inherent) fault detection). In general, this model is used without ex-
plicitly emphasizing this fact.

The item model in Fig. 4.27 was first described in [Kochs 1984, Example 4.3]. Here, it is constructed with two symmetrical half models as seen in Fig. 4.28 (indicated with 1 and 2), which are cyclically run through due to the diagnosis rhythm. The two half models allow to start each with a new starting position ($\mathrm{Pr}(U_{1/2}) = 1$) after each diagnosis, depicted in the diagrams in Fig. 4.29 and 4.30.

[Figure 4.28 (state diagram): two symmetrical half models 1 and 2 with states U1, DU1, DD1 (D1) and U2, DU2, DD2 (D2); U1 → DU1 and U2 → DU2 with rate λ; at the discrete diagnosis times t0, t1, t2, … the undetected fault DU becomes the detected fault DD and an up state switches to the up state of the other half (U1 → U2, U2 → U1); DD1 → U2 and DD2 → U1 after MACMT.]

t0, t1, t2, … discrete diagnosis times
U1, U2 half model up states
U = U1 ∨ U2 up state (of item)
DU1, DU2 half model down states, undetected fault
DD1, DD2 half model down states, detected fault
D2 = DU2 ∨ DD2 half model down state
D1 = DU1 ∨ DD1 half model down state
D = D1 ∨ D2 down state (of component)
λ failure rate 1 / MUT (MUT, Definition 1.7, Fig. 1.2)
MUT mean up time := MTTF (Definition 1.10, Fig. 1.2), assumed exponentially distributed operating time to failure
MACMT mean active corrective maintenance time as part of MDT (Definition 1.13, 1.15, Fig. 1.2). It can be restricted to MRT (Definition 1.15, Fig. 1.2), depending on the application; here a jump function or discrete time is assumed

Fig. 4.28. Item model with periodic fault diagnosis.

Example: When starting with $U_1$ and without a transition from $U_1 \to DU_1$, then the 1st diagnosis forces a transition from $U_1 \to U_2$. If there is a transition from $U_1 \to DU_1$ (undetected fault), then the 1st diagnosis has forced the transition $DU_1 \to DD_1$ (detected fault) with repair in $DD_1$. The 2nd diagnosis starts in $U_2$ and so on.

Model assumptions
1. Periodic diagnosis times $t_I$: $t_0, t_1, t_2, \ldots \equiv t_0, t_0 + \Delta t, t_0 + 2\Delta t, t_0 + 3\Delta t, \ldots$ with constant $\Delta t$. The diagnosis times can cover a wide area: μsec ... year (independent of MACMT).
2. $\lambda\,\Delta t \ll 1$

Input parameter

Cumulative distribution functions (cdf) of $U_1 \to DU_1$, $U_2 \to DU_2$ (exponential function)

$F_U(t) = \mathrm{Pr}(T_U \le t) = 1 - e^{-\lambda t}$   (4.286)

Cumulative distribution functions (cdf) of $DD_1 \to U_2$, $DD_2 \to DU_1$ (jump function)

$F_D(t) = \begin{cases} 0 & \text{for } t < \mathrm{Ti}(DD) = MACMT \\ 1 & \text{for } t \ge \mathrm{Ti}(DD) = MACMT \end{cases}$   (4.287)

Model calculation and results

Alternating initial probabilities are

$\mathrm{Pr}(U_{1/2}, t_I) \approx 1$, $\mathrm{Pr}(U_{2/1}, t_I) = 0$   (4.288)

The procedure and the determination of the results are clearly visualized for different cases in Fig. 4.29-30. In each case, the discrete time diagnosis causes a serrated curve for the probability of down state $\mathrm{Pr}(D)$ (bottom of the diagram), depending on the length of the diagnosis period $\Delta t$. If $\Delta t \to 0$, which means continuous time diagnosis, the serrated curve tends to the dotted line (model in Fig. 4.31).

[Figure 4.29 (timing diagram, Case 1, MACMT := 2Δt): diagnosis times t0 … t8 at spacing Δt; rows DU1, DD1, DU2, DD2 cycling through the half models, each DU row rising as λt to λΔt at the next diagnosis and each DD row lasting MACMT; bottom panel Pr(D, t) over t: serrated curve versus the continuous-detection level MACMT / (Ti(U) + MACMT) ≈ λ·MACMT.]

Fig. 4.29. Case 1: Calculation of the state probabilities of Fig. 4.28.

[Figure 4.30 (timing diagram, Case 2, MACMT := 1/4·Δt): diagnosis times t0 … t4 at spacing Δt; rows DU1, DD1, DU2, DD2 cycling through the half models, each DU row rising as λt to λΔt and each DD row lasting MACMT within the period; bottom panel Pr(D, t) over t: serrated curve versus the continuous-detection level MACMT / (Ti(U) + MACMT) ≈ λ·MACMT.]

Fig. 4.30. Case 2: Calculation of the state probabilities of Fig. 4.28.



[Figure 4.31 (diagram, Pr(D, t) over t): diagnosis times t0 … t4 at spacing Δt; serrated black curve of the periodic discrete-time diagnosis with repair intervals ending at t0 + MACMT, t1 + MACMT, t2 + MACMT, t3 + MACMT; dotted line at MACMT / (Ti(U) + MACMT) ≈ λ·MACMT for continuous fault detection.]

Fig. 4.31. Final result: Periodic discrete time diagnosis (periodic fault detection, black line) versus continuous fault detection (dotted line) of an item.

Fig. 4.31 depicts the final results of the discrete diagnosis times (inspection) versus continuous diagnosis. The serrated curve shows the periodic steady state probability.

Definition 4.9 (periodic steady state). A periodic steady state is defined as

$\lim_{t \to \infty} \mathrm{Pr}(Z, t + \Delta t)^T = \lim_{t \to \infty} \mathrm{Pr}(Z, t)^T$   (4.289)

Corresponding to the Definition 4.9, the average probability of the down state of an item is

$\mathrm{Pr}(D) \approx \frac{1}{2}\,\lambda\,\Delta t + \lambda\,MACMT$   (4.290)

This result is valid for a wide range of discrete diagnosis times under consideration of the Model assumptions 1 and 2 above.

For $MACMT \ll \Delta t \ll MUT$ the MACMT term in Eq. 4.290 is negligible (red serrated curve in Fig. 4.31), thus

$\mathrm{Pr}(D) \approx \frac{1}{2}\,\lambda\,\Delta t$   (4.291)

4.5.11 Paradox of the periodic inspection and the short-term behavior

Fig. 4.4 shows the time dependent down state probability of an item. Although the thought could arise that the down state probability decreases for shorter inspection intervals Δt and tends to zero for Δt → 0 (Fig. 4.32), this would be a fallacy. The reason is that the thought is based on the point of view t = 0 (present) and directed towards the future, where each inspection point t_i, i = 1, 2, 3, ... is assumed to start with the down state probability Pr(D, t_i) = 0. In consequence, with decreasing inspection intervals Δt → 0, the average probability Pr(D) is assumed to tend to zero and the dependability to 1, which is a fallacy.

Solution of the mystery: At each inspection point t_i (in the future), the item can already be in a down state, i.e. Pr(D, t_i) ≠ 0, which is clearly represented in Fig. 4.29-31. If the inspection interval is Δt = 0 (which means continuous inspection), then Pr(D) ≈ λTi(D) (Fig. 4.4) or Pr(D) ≈ λMACMT (Fig. 4.31), and not Pr(D) = 0!

This paradox was first published in [Kochs 1976] and further published in [Edwin et
al. 1979a] within the context of the determination of the short-term power reserve for
bulk power generating plants.
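The following Python example (added here; it is not code from the book) evaluates Eq. 4.290 and the paradox numerically. The renewal model is my reading of Fig. 4.31: the item fails with constant rate λ, the failure stays undetected until the next inspection (inspections Δt apart), the detected failure is removed in the deterministic time MACMT, and the next inspection cycle starts when the item is up again. With this model nothing has to be neglected, so the limit Δt → 0 can be computed directly; the numerical values λ = 10^-5 h^-1 and MACMT = 10 h are assumed for the illustration.

```python
"""Periodically inspected item: average down state probability (Eq. 4.290)
and the paradox of Chapter 4.5.11.

Added example, not code from the book. Model (my reading of Fig. 4.31):
constant failure rate lam; a failure stays undetected until the next
inspection, inspections being dt apart; the detected failure is removed in
the deterministic time MACMT; the next cycle starts when the item is up.
"""
import math


def pr_down_exact(lam, dt, macmt):
    """Steady-state average Pr(D) of the renewal cycle
    "up -> undetected down -> detected down (MACMT)".

    With p = 1 - exp(-lam*dt) the number of inspection intervals up to the
    detection is geometrically distributed, hence
        E[undetected down time] = dt/p - 1/lam
        E[cycle length]         = dt/p + MACMT
        Pr(D) = (dt/p - 1/lam + MACMT) / (dt/p + MACMT)
    """
    if dt <= 0.0:
        return pr_down_limit(lam, macmt)
    x = lam * dt
    p = -math.expm1(-x)                            # 1 - exp(-x), no cancellation
    undetected = (x + math.expm1(-x)) / (lam * p)  # dt/p - 1/lam, stable form
    cycle = dt / p + macmt
    return (undetected + macmt) / cycle


def pr_down_approx(lam, dt, macmt):
    """Eq. 4.290: Pr(D) ~ 1/2*lam*dt + lam*MACMT, valid for lam*dt << 1."""
    return 0.5 * lam * dt + lam * macmt


def pr_down_limit(lam, macmt):
    """dt -> 0 (continuous diagnosis): Pr(D) -> MACMT/(Ti(U) + MACMT) with
    Ti(U) = 1/lam, i.e. ~ lam*MACMT, and not 0 (the paradox of 4.5.11)."""
    return macmt / (1.0 / lam + macmt)


def sweep(lam, macmt, intervals):
    """(dt, exact Pr(D), Eq. 4.290) for a list of inspection intervals."""
    return [(dt, pr_down_exact(lam, dt, macmt), pr_down_approx(lam, dt, macmt))
            for dt in intervals]


if __name__ == "__main__":
    LAM, MACMT = 1e-5, 10.0   # assumed: 1/h and h, MACMT << dt << MUT = 1/LAM
    for dt, exact, approx in sweep(LAM, MACMT, [1000.0, 100.0, 10.0, 1.0, 0.01]):
        print(f"dt = {dt:8.2f} h   Pr(D) exact = {exact:.4e}   Eq. 4.290 = {approx:.4e}")
    print(f"limit dt -> 0: {pr_down_limit(LAM, MACMT):.4e}  (= lam*MACMT, not 0)")
```

For Δt = 1000 h the exact value and Eq. 4.290 differ by well under 1 %; shrinking Δt lowers Pr(D) monotonically, but it floors at λ·MACMT ≈ 10^-4 instead of reaching zero, which is exactly the point of Fig. 4.32.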

[Fig. 4.32: Paradox of the short-term probability. Fallacy Pr(D, t_i) = 0 at each inspection point t_i, i = 1, 2, 3, ... (based on the model of Fig. 4.4). Upper panel: periodic inspections t1 ... t6 with interval Δt, Pr(D, t) restarted at zero after each inspection, versus the average Pr(D) over the axis 0, Ti(D), 2Ti(D), 3Ti(D) (MDT, 2 MDT, 3 MDT). Lower panel: the same Pr(D, t) and Pr(D) without the fallacy.]

4.6 Appendix

4.6.1 Modeling and calculation of the alternating 2-state renewal process in Fig. 4.2

It is proven that the steady state probabilities (Eq. 4.8-9)

$$\Pr(U) = \frac{Ti(U)}{Ti(U) + Ti(D)} \qquad (4.292)$$

$$\Pr(D) = \frac{Ti(D)}{Ti(U) + Ti(D)} \qquad (4.293)$$

of the 2-state renewal process are valid for arbitrary pdf [Kochs 1984]. Fig. 4.33 shows the models.
[Fig. 4.33: Models of a 2-state alternating renewal process with arbitrary cdf (different representation forms of the same process). a) Two states U and D with the cdf F_U(t), F_D(t), the stochastic variables (durations) T(U), T(D), the mean durations Ti(U), Ti(D) and the state probabilities Pr(U, t), Pr(D, t). b) The same process unrolled as the sequence U1, D1, U2, D2, ... (to ∞) with the same cdf per state and the cumulated durations T(U1), T(U1 ∨ D1), T(U1 ∨ D1 ∨ U2), ...]

The distribution functions (cdf) of the up and down states are

$$F_U(t) = \Pr\bigl(T(U) \le t\bigr), \qquad F_D(t) = \Pr\bigl(T(D) \le t\bigr) \qquad (4.294\text{-}295)$$

where T(U) and T(D) are the stochastic variables in the up and down states of the item. Their mean values are calculated with the following well-known equations.

$$Ti(U) = \int_0^{\infty} \bigl(1 - F_U(t)\bigr)\,dt, \qquad Ti(D) = \int_0^{\infty} \bigl(1 - F_D(t)\bigr)\,dt \qquad (4.296\text{-}297)$$

$G_{U_i}(t)$ and $G_{D_i}(t)$ are the cumulative (probability) distribution functions (cdf) of the disjunctions of the random up/down state durations, started in each case at $U_1$, Fig. 4.33.

$$G_{U_1}(t) = \Pr\bigl(T(U_1) \le t\bigr) \qquad (4.298)$$

$$G_{D_1}(t) = \Pr\bigl(T(U_1 \vee D_1) \le t\bigr) \qquad (4.299)$$

$$G_{U_2}(t) = \Pr\bigl(T(U_1 \vee D_1 \vee U_2) \le t\bigr) \qquad (4.300)$$

$$\ldots$$

$$G_{U_1}(t) = F_U(t) \qquad (4.301)$$

$$G_{D_1}(t) = \int_0^{t} \frac{dG_{U_1}(x)}{dx}\,F_D(t - x)\,dx \qquad (4.302)$$

$$G_{U_2}(t) = \int_0^{t} \frac{dG_{D_1}(x)}{dx}\,F_U(t - x)\,dx \qquad (4.303)$$

$$\ldots$$

For all cdf $G_{\ldots}(t)$ the following holds:

$$\lim_{t\to\infty} G_{\ldots}(t) = 1 \qquad (4.304)$$

With Eq. 4.301-303, the probabilities of the states in Fig. 4.33b are calculated, see also Fig. 4.34,

$$\Pr(U_1, t) = 1 - G_{U_1}(t) \qquad (4.305)$$

$$\Pr(D_1, t) = G_{U_1}(t) - G_{D_1}(t) \qquad (4.306)$$

$$\Pr(U_2, t) = G_{D_1}(t) - G_{U_2}(t) \qquad (4.307)$$

$$\ldots$$

and summarized for the 2-state model of Fig. 4.33a.

$$\Pr(D, t) = \sum_{i=1}^{\infty} \Pr(D_i, t) = \sum_{i=1}^{\infty} \bigl[G_{U_i}(t) - G_{D_i}(t)\bigr] \qquad (4.308)$$

$$\Pr(U, t) = \sum_{i=1}^{\infty} \Pr(U_i, t) = 1 - \Pr(D, t) \qquad (4.309)$$

[Fig. 4.34: Cumulative (probability) distribution functions G_{U_1}(t), G_{D_1}(t), G_{U_2}(t), ... (upper panel, each rising from 0 towards 1 over t) and the associated probabilities Pr(U_1, t), Pr(D_1, t), Pr(U_2, t), ... of the up and down states (lower panel, qualitative).]

The Laplace (L) transformation is now used for the proof of Eq. 4.292-293. The L-transformation of the convolution integrals, Eq. 4.302, ..., corresponds to the multiplication

$$\mathcal{L}\{G_{U_1}(t)\} = \mathcal{L}\{F_U(t)\} \qquad (4.310)$$

$$\mathcal{L}\{G_{D_1}(t)\} = s\,\mathcal{L}\{G_{U_1}(t)\}\,\mathcal{L}\{F_D(t)\} \qquad (4.311)$$

$$\mathcal{L}\{G_{U_2}(t)\} = s\,\mathcal{L}\{G_{D_1}(t)\}\,\mathcal{L}\{F_U(t)\} \qquad (4.312)$$

$$\ldots$$

Eq. 4.310, ... in a more general context are

$$\mathcal{L}\{G_{U_i}(t)\} = \mathcal{L}\{G_{U_1}(t)\}\,\bigl[s^2\,\mathcal{L}\{F_U(t)\}\,\mathcal{L}\{F_D(t)\}\bigr]^{i-1} \qquad (4.313)$$

$$\mathcal{L}\{G_{D_i}(t)\} = s\,\mathcal{L}\{G_{U_i}(t)\}\,\mathcal{L}\{F_D(t)\} \qquad (4.314)$$

The Laplace transform of Eq. 4.308 is

$$\mathcal{L}\{\Pr(D, t)\} = \sum_{i=1}^{\infty} \bigl[\mathcal{L}\{G_{U_i}(t)\} - \mathcal{L}\{G_{D_i}(t)\}\bigr] \qquad (4.315)$$

Eq. 4.313-314 inserted into Eq. 4.315 yields

$$\mathcal{L}\{\Pr(D, t)\} = \mathcal{L}\{F_U(t)\}\,\bigl[1 - s\,\mathcal{L}\{F_D(t)\}\bigr] \cdot \sum_{i=0}^{\infty} \bigl[s^2\,\mathcal{L}\{F_U(t)\}\,\mathcal{L}\{F_D(t)\}\bigr]^{i} \qquad (4.316)$$

With the estimate $F(t) \le 1$, the Laplace transformation of $F_{\ldots}(t)$ yields for $s > 0$

$$s\,\mathcal{L}\{F_{\ldots}(t)\} = s \int_0^{\infty} F_{\ldots}(t)\,e^{-st}\,dt < s \int_0^{\infty} e^{-st}\,dt = 1 \qquad (4.317)$$

Because the common ratio $s^2\,\mathcal{L}\{F_U(t)\}\,\mathcal{L}\{F_D(t)\}$ of the power series in Eq. 4.316 is therefore smaller than 1, the series converges and yields the following expression.

$$\sum_{i=0}^{\infty} \bigl[s^2\,\mathcal{L}\{F_U(t)\}\,\mathcal{L}\{F_D(t)\}\bigr]^{i} = \frac{1}{1 - s^2\,\mathcal{L}\{F_U(t)\}\,\mathcal{L}\{F_D(t)\}} \qquad (4.318)$$

This equation and the following three equations

$$R_U(t) = \Pr(T_U > t) \qquad (4.319)$$

$$R_D(t) = \Pr(T_D > t) \quad \text{(not to be confused with the reliability function)} \qquad (4.320)$$

$$\mathcal{L}\{F_{\ldots}(t)\} = \frac{1}{s} - \mathcal{L}\{R_{\ldots}(t)\} \qquad (4.321)$$

inserted into Eq. 4.316 show

$$\mathcal{L}\{\Pr(D, t)\} = \mathcal{L}\{F_U(t)\} \cdot \frac{s\,\mathcal{L}\{R_D(t)\}}{s\,\mathcal{L}\{R_U(t)\} + s\,\mathcal{L}\{R_D(t)\} - s^2\,\mathcal{L}\{R_U(t)\}\,\mathcal{L}\{R_D(t)\}} \qquad (4.322)$$

The steady state values ($t \to \infty$) are obtained for $s \to 0$. Because the steady state values of $\Pr(D, t)$ and $F_U(t)$ obviously exist, the following expressions are valid (final value theorem of the Laplace transformation).

$$\lim_{s\to 0} s\,\mathcal{L}\{\Pr(D, t)\} = \Pr(D) \qquad (4.323)$$

$$\lim_{s\to 0} s\,\mathcal{L}\{F_U(t)\} = 1 \qquad (4.324)$$

These relationships inserted into Eq. 4.322 yield

$$\Pr(D) = \lim_{s\to 0} s\,\mathcal{L}\{\Pr(D, t)\} = \frac{\lim_{s\to 0} \mathcal{L}\{R_D(t)\}}{\lim_{s\to 0} \mathcal{L}\{R_U(t)\} + \lim_{s\to 0} \mathcal{L}\{R_D(t)\}} \qquad (4.325)$$

The Laplace transforms of the R-functions are

$$\mathcal{L}\{R_{\ldots}(t)\} = \int_0^{\infty} R_{\ldots}(t)\,e^{-st}\,dt \qquad (4.326)$$

with arbitrary functions $R_{\ldots}(t)$, Eq. 4.319-320. Because the exponential function $e^{-st}$ decays towards zero faster than any power of t, the Laplace transform can be developed as a convergent series by expanding the exponential function

$$\mathcal{L}\{R_{\ldots}(t)\} = \int_0^{\infty} R_{\ldots}(t)\Bigl[1 - st + \frac{(st)^2}{2} - \ldots\Bigr]dt \qquad (4.327)$$

$s \to 0$ yields

$$\lim_{s\to 0} \mathcal{L}\{R_{\ldots}(t)\} = \int_0^{\infty} R_{\ldots}(t)\,dt = Ti(\ldots) \qquad (4.328)$$

which is carried out for each Laplace transform of Eq. 4.325. The insertion of Eq. 4.296-297 and Eq. 4.328 into Eq. 4.325 yields the result

$$\Pr(D) = \frac{Ti(D)}{Ti(U) + Ti(D)} \qquad \text{q.e.d.} \qquad (4.329)$$

$$\Pr(U) = 1 - \Pr(D) \qquad (4.330)$$

$$Fr(U) = \frac{\Pr(U)}{Ti(U)} \qquad (4.331)$$

$$Fr(D) = Fr(U) \qquad (4.332)$$

With Eq. 4.329-332, the steady state indices of Eq. 1.5 of a 2-state renewal process with arbitrary $F_U(t)$ and $F_D(t)$ are completely described for the dependability analyses in this book.

As mentioned earlier in Chapter 1.2, 3.2, 4.3.1, and the following chapters, the re-
newal process has an outstanding role in dependability modeling and calculation,
because it is the basis for dependability analyses.
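The following Python example (added here; it is not code from the book) checks the result of this appendix numerically: the mean durations are computed from the survival functions 1 − F(t) as in Eq. 4.296-297, and the steady state indices of Eq. 4.329-332 are compared with the time averages of a simulated U1, D1, U2, D2, ... sequence (Fig. 4.33b). The distributions are my choice and deliberately not exponential: Weibull up times and lognormal down times, with assumed parameters; the simulation seed is fixed so the run is repeatable.

```python
"""Alternating 2-state renewal process with non-exponential durations.

Added example, not code from the book. Checks Eq. 4.296-297 (mean duration
from the survival function) and the steady state indices of Eq. 4.329-332
by simulating the unrolled process U1, D1, U2, D2, ... of Fig. 4.33b.
Distributions and parameters are assumed: Weibull up times, lognormal
down times.
"""
import math
import random


def mean_from_survival(survival, upper, steps=20000):
    """Ti = integral_0^upper (1 - F(t)) dt (Eq. 4.296-297), trapezoid rule;
    `upper` must be so large that survival(upper) is negligible."""
    h = upper / steps
    total = 0.5 * (survival(0.0) + survival(upper))
    for k in range(1, steps):
        total += survival(k * h)
    return total * h


def weibull_survival(t, shape, scale):
    """1 - F_U(t) of a Weibull up-time distribution."""
    return math.exp(-((t / scale) ** shape))


def lognormal_survival(t, mu, sigma):
    """1 - F_D(t) of a lognormal down-time distribution."""
    if t <= 0.0:
        return 1.0
    return 0.5 * math.erfc((math.log(t) - mu) / (sigma * math.sqrt(2.0)))


def steady_state_indices(ti_u, ti_d):
    """Eq. 4.329-332: the indices depend on the mean durations only."""
    pr_d = ti_d / (ti_u + ti_d)
    return {"Pr(D)": pr_d, "Pr(U)": 1.0 - pr_d, "Fr": (1.0 - pr_d) / ti_u}


def simulate(cycles, draw_up, draw_down, seed=1):
    """Time averages over `cycles` renewals U_i -> D_i -> U_{i+1}."""
    rng = random.Random(seed)
    up = down = 0.0
    for _ in range(cycles):
        up += draw_up(rng)
        down += draw_down(rng)
    total = up + down
    # Fr(U) = Fr(D): every cycle contains one entry into U and one into D.
    return {"Pr(D)": down / total, "Pr(U)": up / total, "Fr": cycles / total}


def run_example(cycles=100_000):
    """Assumed parameters: up ~ Weibull(shape 1.5, scale 100 h),
    down ~ lognormal(median 5 h, sigma 0.5)."""
    shape, scale = 1.5, 100.0
    mu, sigma = math.log(5.0), 0.5
    ti_u = mean_from_survival(lambda t: weibull_survival(t, shape, scale), 2000.0)
    ti_d = mean_from_survival(lambda t: lognormal_survival(t, mu, sigma), 200.0)
    theory = steady_state_indices(ti_u, ti_d)
    sim = simulate(cycles,
                   lambda r: r.weibullvariate(scale, shape),
                   lambda r: r.lognormvariate(mu, sigma))
    return ti_u, ti_d, theory, sim


if __name__ == "__main__":
    ti_u, ti_d, theory, sim = run_example()
    print(f"Ti(U) = {ti_u:.3f} h, Ti(D) = {ti_d:.3f} h")
    for key in ("Pr(D)", "Pr(U)", "Fr"):
        print(f"{key:6s} theory = {theory[key]:.5e}   simulation = {sim[key]:.5e}")
```

The simulated time averages agree with Eq. 4.329-332 to a fraction of a percent although neither duration is exponentially distributed; only Ti(U) and Ti(D) enter the steady state indices, as the Laplace argument above shows.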

4.6.2 Decision trees of the processes [Z(t), t > 0], graphically highlighted in Fig. 4.6-8

Fig. 4.35-40 show the cutouts of the decision trees of [ Z ( t ) ,t > 0 ] , clearly illustrated
in Fig. 4.6-8. The decision trees have in all cases (series and parallel structures and
different transition pdf) the same state sequence. The differences lie in the depend-
ency of the state transitions. The total decision trees span a state-space with theo-
retically infinite number of states. The numbers 1 ... 8, for example, denote the pro-
cess sequence, such as Fig. 4.6-8 show, which is one of several possible se-
quences, but not the most probable one. The bold arrows are the probable paths,
which approximately determine the transient behavior (for λ « μ ).

Not to be confused: Although the components are assumed to be s-independent, the transitions can depend on prior transitions, which is emphasized in Fig. 4.35-40 by the appropriate conditional transitions, paths 1-8.

Fig. 4.35-36: [Z(t), t > 0] represents a homogeneous Markov process; all transition rates are constant (exponential pdf of the state durations). The Markov transitions are independent of prior states (memoryless).

Transient behavior of the series system: $\Pr(Z_2 \vee Z_3, t) \approx 2\lambda t$, $0 \le t < Ti(D)$, analogous to Eq. 4.10.

Transient behavior of the parallel system: $\Pr(Z_4^1 \vee Z_4^2, t) \approx (\lambda t)^2$, $0 \le t < Ti(D)$, analogous to Eq. 4.11 (the superscripts count the visits of the state in the decision tree).

Fig. 4.37-40: [Z(t), t > 0] represent non-Markov processes. The transitions depend partially or completely on prior states.

What are the advantages of decision trees?

It is impossible to model and evaluate the infinite number of the states of a decision
tree, but sometimes it can be of interest to evaluate the first sequence of states or
transitions, though it is complex and burdensome (mathematical approach: e.g.
with convolution integrals or simulation methods). Thus, decision trees can be used
for special tasks, e.g. short-term or transient probability, for which only a few tran-
sitions starting from Z1 are necessary. Examples can be found in [Kochs 1976,
Edwin et al. 1979a ] and in Chapter 5.10. For the majority of dependability analyses
of industrial systems, the modeling of decision trees and the calculation of the tran-
sient behavior are not of primary importance.
[Fig. 4.35: Cutout of the decision tree of the Markov process [Z(t), t > 0] of Fig. 4.6, series system. The grey blocks are a subset of D_S, and the white blocks are a subset of U_S. States: Z1 = U1 ∧ U2, Z2 = D1 ∧ U2, Z3 = U1 ∧ D2, Z4 = D1 ∧ D2. Transitions of the illustrated sequence: 1: Z1 → Z2 and 2: Z2 → Z1 (concern component 1), 3: Z1 → Z3 and 4: Z3 → Z1 (concern component 2), 5: Z1 → Z2, 6: Z2 → Z4, 7: Z4 → Z3, 8: Z3 → Z1, each conditioned only on the state being left; all transitions are homogeneous Markov transitions. The bold path is decisive for the transient behavior.]
[Fig. 4.36: Cutout of the decision tree of the Markov process [Z(t), t > 0] of Fig. 4.6, parallel system. The grey blocks are a subset of D_S, and the white blocks are a subset of U_S. The decision tree and the transitions are the same as in Fig. 4.35; the bold path towards Z4 = D1 ∧ D2 is decisive for the transient behavior.]
[Fig. 4.37: Cutout of the decision tree of the non-Markov process [Z(t), t > 0] of Fig. 4.7, series system. The grey blocks are a subset of D_S, and the white blocks are a subset of U_S. Same states and sequence 1-8 as in Fig. 4.35, but the repair transitions 2: Z2 → Z1 and 4: Z3 → Z1 are semi-Markov transitions, and 7: Z4 → Z3 (conditioned on Z4 and the preceding Z2) and 8: Z3 → Z1 (conditioned on Z3 and the preceding Z4) are non-Markov transitions. The bold path is decisive for the transient behavior.]
[Fig. 4.38: Cutout of the decision tree of the non-Markov process [Z(t), t > 0] of Fig. 4.7, parallel system. The grey blocks are a subset of D_S, and the white blocks are a subset of U_S. The decision tree and the transitions are the same as in Fig. 4.37; the bold path towards Z4 = D1 ∧ D2 is decisive for the transient behavior.]
[Fig. 4.39: Cutout of the decision tree of the non-Markov process [Z(t), t > 0] of Fig. 4.8, series system. The grey blocks are a subset of D_S, and the white blocks are a subset of U_S. Same states and sequence 1-8 as in Fig. 4.35; except transition 1: Z1 → Z2, all other transitions are non-Markov transitions, each conditioned on the state being left and on the prior states of the path (e.g. 8: Z3 → Z1 conditioned on Z3 and Z4). The bold path is decisive for the transient behavior.]
[Fig. 4.40: Cutout of the decision tree of the non-Markov process [Z(t), t > 0] of Fig. 4.8, parallel system. The grey blocks are a subset of D_S, and the white blocks are a subset of U_S. The decision tree and the transitions are the same as in Fig. 4.39; the bold path towards Z4 = D1 ∧ D2 is decisive for the transient behavior.]
5. Markov minimal cut (MMC) approach

5.1 Scope
5.2 S-dependency
5.3 Integration of Markov process models into minimal cuts - MMC approach
5.4 Definition of various types of s-dependency and their impact
5.4.1 S-dependency of type 1
5.4.2 S-dependency of type 2
5.5 Theoretical study example 1
5.6 Set of examples
5.7 Theoretical study example 2
5.8 General conclusions concerning MMC
5.9 Application example 1: Process automation and control system
5.10 Application example 2: Mechatronic system
5.11 Appendix
5.11.1 Derivation of the c term of Eq. 5.45
5.11.2 Steady state of the MMC model, Fig. 5.19
5.11.3 Steady state of the MMC model, Fig. 5.20
5.11.4 Steady state of the MMC model, Fig. 5.21
5.11.5 Transient state of the MMC model, Fig. 5.19
5.11.6 Transient state of the MMC model, Fig. 5.20
5.11.7 Transient state of the MMC model, Fig. 5.21
5.11.8 Comparative study to Appendix 5.11.2 and 5.11.5
5.11.9 Comparative study to Appendix 5.11.3 and 5.11.6
5.11.10 Comparative study to Appendix 5.11.4 and 5.11.7

5.1 Scope

A minimal cut (MC) can be modeled as a Markov process (Chapter 4) and embed-
ded into the MC approach (Chapter 3). The combination of both methods is de-
noted as the Markov minimal cut (MMC) approach, with which stochastic depend-
encies between components can be taken into account. S-dependencies can have
a decisive impact on dependability of subsystems, even producing a system crash.
The term s-dependency is defined for strongly connected Markov processes (Defini-
tion 4.6) in the steady state (Definition 4.7). A method is proposed to evaluate the
severity of s-dependency and its impact on system dependability.

5.2 S-dependency

$Z_i, Z_j, \ldots$ are steady Markov states of a Markov space, and $Z_{i,x}, Z_{i,y}, \ldots, Z_{j,x}, Z_{j,y}, \ldots$ denote the states of the components $x, y \in S$ within these Markov states of the model.

© Springer International Publishing AG 2018. H.-D. Kochs, System Dependability Evaluation Including S-dependency and Uncertainty, DOI 10.1007/978-3-319-64991-7_5

Definition 5.1 (s-dependency). The transition $Z_i \to Z_j$ is defined as stochastically dependent (s-dependent) if $Z_{i,x} \to Z_{j,x}$ depends on the adjacent component state $Z_{i,y}, \ldots$ or on its transition $Z_{i,y} \to \ldots$, e.g. due to (random) failure, restoration (repair), maintenance, or human activities within the defined system, formally described by the conditional transition

$$Z_i \to Z_j := Z_{i,x} \to Z_{j,x} \mid Z_{i,y} \ \text{or}\ Z_{i,y} \to \ldots, \qquad i \ne j,\ x \ne y,\ x, y \in S \qquad (5.1)$$

Remark 1: The Markov time condition (Definition 4.2, Table 4.1) has to be fulfilled for all $Z_i$.
Remark 2: The definition of s-dependency can be transferred also to MC *) and their combinations.
Remark 3: The term s-independent is equivalent to the term independent.

Example Fig. 4.10

$$Z_2 \to Z_4 := Z_{2,2} \to Z_{4,2} = U_2 \to D_2 \quad \text{(s-independent)} \qquad (5.2)$$

Example Fig. 4.20a

$$Z_2 \to Z_4 := Z_{2,2} \to Z_{4,2} \mid Z_{2,1} = U_2 \to (D_{2,\mathrm{wait}} \to D_2) \mid D_1 \quad \text{(s-dependent)} \qquad (5.3)$$

$$Z_1 \to Z_4 := Z_{1,2} \to Z_{4,2} \mid Z_{1,1} \to Z_{4,1} = U_2 \to (D_{2,\mathrm{wait}} \to D_2) \mid U_1 \to D_1 \quad \text{(s-dependent, } CCF_{1,2}\text{)} \qquad (5.4)$$

$$Z_4 \to Z_3 := Z_{4,2} \to Z_{3,2} \mid Z_{4,1} \to Z_{3,1} = (D_{2,\mathrm{wait}} \to D_2) \to D_2 \mid D_1 \to U_1 \quad \text{(s-dependent)} \qquad (5.5)$$

Example Fig. 4.25

$$Z_1 \to Z_4 := Z_{1,1} \to Z_{4,1} \mid Z_{1,2} \to Z_{4,2} = R_1 \to U_1 \mid U_2 \to D_2 \quad \text{(s-dependent)} \qquad (5.6)$$

$$Z_1 \to Z_3 := Z_{1,1} \to Z_{3,1} = R_1 \to D_1 \quad \text{(s-independent)} \qquad (5.7)$$

Example Fig. 5.9

$$Z_2 \to Z_5 := Z_{2,1} \to Z_{5,1} \mid Z_{2,3} \to Z_{5,3} = D'_1 \to D''_1 \mid U_3 \to D''_3 \quad \text{(s-dependent)} \qquad (5.8)$$

*) Remark: No distinction is made between singular and plural notation of abbreviations (see List of Symbols and abbreviations).

Typical s-dependencies are caused by


- common cause failures (CCF) (Definition 1.22, Fig. 1.5),
- preventive maintenance (IEC 192-06-05) and corrective maintenance (IEC
192-06-06), e.g. repair priority due to limited repair or service capacity,
- deferrable shut down (for repair, maintenance),
- redundancy switching (e.g. switching to standby parallel items, bus system
change over, electrical lines change over),
- shut down of adjacent intact components due to component failure, e.g. to
establish a protection or safety area in robot systems [ DFG 2001] or in high
voltage switching stations of power plant units [Nachtkamp 1979] ,
- human-machine interaction if it is defined as part of the system.
- Earlier approaches to s-dependency in the area of power (sub)systems can
be found in [Endrenyi 1978, Dib 1978, Edwin et al. 1979a-c, Nachtkamp
1979, Singh 1980a, b] .

The CCF mechanism and impact can differ widely and be very complex, from a partial or degraded to a complete CCF. [WASH 1975, Billinton et al. 1979, ANSI 1987, NUREG 2007, ICDE 2011] give a selected (not representative) overview of CCF analysis methods for key components of the safety and protection systems in the power industry. Several causes of CCF are described in the publications mentioned above and are referenced in the following. It is also worth mentioning the earlier CCF research and development activities (modeling and evaluation) of [Singh et al. 1977, Singh 1978, Allan et al. 1979, Singh 1980a, Dhillon et al. 1981, Billinton et al. 1992] in the area of power system networks.

CCF have also significant impact especially on hardware and software systems,
e.g.
- bus failure in electronic networks due to controller or transceiver error,
- error of an electronic distributor of a switch cabinet,
- software error when the identical software is installed in similar parallel com-
ponents (can cause multiple dependent failures),
- babbling idiot error in communication systems,
- failure of the ventilation in an electronic cabinet causes thermal overload of
one or more components of the system (only if ventilation is considered as
part of the defined system),
- loosening of switching contacts (error) due to vibration.

In (not publicly accessible) industrial specifications the probability of CCF in electronic systems (hardware and software) is documented between 0.01 and 0.02.

There are other kinds of dependencies subsumed under the term influencing fac-
tors. Their causes arise outside the defined system boundary and affect compo-
nents adversely inside the system. Typical influencing factors are: structural kind
(e.g. encapsulate or open housing), environmental kind (e.g. dust, dirt, humidity,
temperature, moisture, vibration, radiation), shut down of component groups to
establish a protection area, failure of common external power supply, human in-
teraction. Also regulations by insurance or laws can influence system dependabil-
ity, e.g. in case of forced immediate shut down requirements. These features can
be specified through expert knowledge (e.g. from documents, expert interviews) and
are important in case of comparing well-known real systems with new concepts or
new technologies with lack of experience, especially in the early design stage [Kochs
et al. 2012] . Influencing factors are not the scope of this book.

Both s-dependencies and influencing factors are more or less uncertain due to incomplete or insufficient knowledge and/or limited data samples (epistemic uncertainty, Chapter 6).

In the following Chapter 5.3, the framework of the MMC approach is outlined, and in
Chapter 5.4, the different types of s-dependency impact on system operational and
non-operational behavior is described formally.

5.3 Integration of Markov process models into minimal cuts - MMC approach

Definition 5.2 (Markov minimal cut, MMC). A MMC is a MC that is modeled as a Markov process.
Remark: MMC is also named Markov minimal cut set or simply Markov cut set. Markov is also written as Markoff.

The integration of Markov models into MC models was primarily developed for power systems and their substations in [Endrenyi 1978, Dib 1978, Nachtkamp 1979, Singh 1980a, b, Kochs 1982], and further developed and named "Markov(scher) Minimalschnitt" in [AEG 1981, Kochs 1984]. Fig. 5.1 shows the framework of the MMC approach as an extension of the procedure introduced in Fig. 3.7.

For system dependability evaluation, the operational behavior of systems can be modeled by a series system (logical AND) of negated MC ($\overline{MC}$, Fig. 5.1, up state mode). Thus, system dependability evaluation can be concentrated on the impact of s-dependency between component states inside each MC and between MC. A big challenge is the integration of s-dependency into the MMC approach. The MMC approach is seen here as the best practice approach for system dependability evaluations, which has been applied to several industrial applications by the author.

[Fig. 5.1: Boolean logic driven DBD based on MC and MMC models (advanced model of Fig. 3.7). Flow: System (technological and functional structure or DBD) → MC identification, $D_S = \bigvee_{i=1}^{n} MC_i$ → DBD of the up state $U_S$ as the series connection of the negated cuts $\overline{MC_1}, \overline{MC_2}, \overline{MC_3}, \ldots, \overline{MC_i}, \ldots, \overline{MC_n}$ → Markov minimal cuts (MMC): each MC modeled as a Markov process.]

5.4 Definition of various types of s-dependency and their impact

One objective is to identify s-dependencies between components and to estimate their impact on MC.

Definition 5.3 (s-dependency impact, sDI). sDI is defined as

$$sDI(MC_{dep}) := sDI\bigl(\Pr(MC_{ind});\ \Pr(MC_{dep})\bigr) \qquad (5.9)$$

where $\Pr(MC_{dep})$ is the probability of the MC including s-dependent components, and $\Pr(MC_{ind})$ is the equivalent term including s-independent components.
The ratio $\Pr(MC_{dep}) / \Pr(MC_{ind})$ is defined as the sDI-factor, which is an estimation of the impact of s-dependency on MC.
Remark 1: $\Pr(MC_{ind})$ is the reference term (benchmark).
Remark 2: sDI is generally applicable to MC combinations such as $MC_i \vee MC_j \vee \ldots$ and $MC_i \wedge MC_j \wedge \ldots$, thus applicable to the DBD of Fig. 5.1.
Remark 3: Instead of ":=" (Eq. 5.9), the sign "=" is used hereinafter.

S-dependency classification

If $\Pr(MC_{ind}) \approx \Pr(MC_{dep})$, then the components are s-independent. (5.10)

If $\Pr(MC_{ind}) < \Pr(MC_{dep})$, then the components are slightly s-dependent (here < means less than a factor 2, 3, ...). (5.11)

If $\Pr(MC_{ind}) \ll \Pr(MC_{dep})$, then s-dependency has a major impact (highly undependable). (5.12)

In case of

$$\Pr(MC_{ind}) \ll \Pr(MC_{dep})^{*} < \Pr(MC_{dep}) \qquad (5.13)$$

the following estimation can greatly simplify the application.

$$sDI(MC_{dep}) > sDI\bigl(\Pr(MC_{ind});\ \Pr(MC_{dep})^{*}\bigr) \qquad (5.14)$$

S-dependency can range from minor to major impact. Cases in which $\Pr(MC_{ind}) > \Pr(MC_{dep})$ (more dependable, e.g. in case of postponed shut-down) are also possible. However, the intention is to identify s-dependencies in a system which deteriorate the dependability significantly, e.g. weak spots.

For most applications, MC consist either of one 2-state component, or of two or three parallel connected 2-state components, see Fig. 3.7 and Fig. 5.1, on which the book concentrates. The comparative probability of two s-independent components, each with two states ($\lambda \ll \mu$) connected in parallel, is

$$\Pr(MC_{ind}) \approx \frac{\lambda_j}{\mu_j}\,\frac{\lambda_k}{\mu_k} \qquad (5.15)$$

and of three s-independent components, each with two states connected in parallel,

$$\Pr(MC_{ind}) \approx \frac{\lambda_j}{\mu_j}\,\frac{\lambda_k}{\mu_k}\,\frac{\lambda_l}{\mu_l} \qquad (5.16)$$

As mentioned in Definition 5.3, Remark 2, the method is similarly applicable to conjunctions of MC, e.g. of Eq. 3.44. According to Fig. 5.1, the impact of s-dependency between components on systems can be limited to the analysis of the following two cases.
1. Assessment of s-dependency inside MC (type 1).
2. Assessment of s-dependency between MC (type 2).

In the following study, s-dependency on MC as shown in Fig. 5.2-7 is highlighted with red arrows. The study concentrates on CCF, because they strongly influence system dependability. CCF are used here representatively for other kinds of s-dependency (Chapter 4.5).

The higher level s-dependency impact representations in Fig. 5.2-3 and 5.5-6 can be modeled and calculated with Markov models.

$CCF_{j,k}$ denotes the impact of component j on k, and $c_{j,k}$ its probability (Definition 1.22, Remark 6). For the study, the following assumptions are made.

2-state model, $\lambda_{\ldots} \ll \mu_{\ldots}$, $0 \le c_{j,k} \le 1$ (realistic is $0 \le c_{j,k} \ll 1$); multiple CCF like $c_{j,k,l,\ldots}$ and $c_{j,k} \cdot c_{k,l} \cdot \ldots$ are excluded. (5.17)

$c_{j,k} = 0$ means s-independency.

5.4.1 S-dependency of type 1

S-dependency of type 1 occurs between components inside MC, demonstrated in Fig. 5.2. An error in component j causes simultaneously failure in the components j and k.

[Fig. 5.2: S-dependency impact model of type 1 (cutout of a DBD, Fig. 5.1): inside $MC_i$ the components j (states $U_{i,j}$, $D_{i,j}$) and k (states $U_{i,k}$, $D_{i,k}$) are connected in parallel; the arrow $CCF_{j,k}$ leads from the failure of j to the failure of k.]

Fig. 5.2 represents a DB of a series structure of Fig. 5.1: Markov model with two components in parallel and

$$CCF_{j,k} \equiv U_{i,k} \to D_{i,k} \mid U_{i,j} \to D_{i,j} \qquad (5.18)$$

As example serves a model with two s-independent components connected in parallel (Fig. 4.14) with additional $CCF_{j,k}$. Eq. 5.15 and

$$\Pr(MC_{i\,dep}) \approx \frac{\lambda_j \lambda_k}{\mu_j \mu_k} + c_{j,k}\,\frac{\lambda_j}{\mu_1 + \mu_2} \qquad (5.19)$$

inserted into Eq. 5.9 yield

$$sDI(MC_{i\,dep}) \approx sDI\Bigl(\frac{\lambda_j}{\mu_j}\,\frac{\lambda_k}{\mu_k};\ \frac{\lambda_j \lambda_k}{\mu_j \mu_k} + c_{j,k}\,\frac{\lambda_j}{\mu_1 + \mu_2}\Bigr) \qquad (5.20)$$

The term to the left of the semicolon in the sDI-expression indicates s-independent components j, k. The s-term to the right characterizes the s-dependency impact of component j on k, caused by an error and failure of j. Component j fails s-independently.

Example: $\lambda_{\ldots} = 10^{-5}\,\mathrm{h}^{-1}$, $\mu_{\ldots} = 10^{-1}\,\mathrm{h}^{-1}$, $c_{j,k} = 10^{-2}$

$$sDI(MC_{i\,dep}) \approx sDI\bigl(10^{-8};\ 10^{-8} + 5 \cdot 10^{-7}\bigr) \qquad (5.21)$$

Result: The s-term to the right of the semicolon dominates the term to the left with a sDI-factor of approximately 50. Thus, $CCF_{j,k}$ has a strong impact on $MC_i$ in Fig. 5.2 (according to Eq. 5.12).

Conclusion 1

S-dependency of type 1 (inside MC) can have a strong impact on system depend-
ability. Further examples are given in Chapter 5.6.

5.4.2 S-dependency of type 2

S-dependency impact of type 2 occurs between components of different MC inside the logical connection $MC_i \vee MC_{i+1} \vee \ldots$, demonstrated in Fig. 5.3. An error in component j causes simultaneously failures in the components j and k.

[Fig. 5.3: S-dependency impact model of type 2 (cutout of a DBD, Fig. 5.1): the 1st-order minimal cuts $MC_i$ (component j, states $U_{i,j}$, $D_{i,j}$) and $MC_{i+1}$ (component k, states $U_{i+1,k}$, $D_{i+1,k}$) in series; the arrow $CCF_{j,k}$ leads from the failure of j to the failure of k.]

Fig. 5.3 is a cutout of a series structure (MC of 1st order, Fig. 5.1). Eq. 3.43 and 3.44 serve as the general basis for disjunctions of this type.

$$\Pr(MC_i \vee MC_{i+1}) = \Pr(MC_i) + \Pr(MC_{i+1}) - \Pr(MC_i \wedge MC_{i+1}) \qquad (5.22)$$

The s-dependency in Fig. 5.3 can be expressed as

$$CCF_{j,k} \equiv U_{i+1,k} \to D_{i+1,k} \mid U_{i,j} \to D_{i,j} \qquad (5.23)$$

As example serves a model with two components connected in parallel (calculated with the pMp approach, similar to Fig. 4.15, including $CCF_{j,k}$).

$$sDI\bigl((MC_i \vee MC_{i+1})_{j \to k}\bigr) = sDI\bigl(\Pr((MC_i \vee MC_{i+1})_{ind});\ \Pr((MC_i \vee MC_{i+1})_{j \to k})\bigr) \approx$$

$$\approx sDI\Bigl(\frac{\lambda_j}{\mu_j} + \frac{\lambda_k}{\mu_k};\ \frac{(1 - c_{j,k})\,\lambda_j}{\mu_j} + \frac{\lambda_k}{\mu_k} + c_{j,k}\,\frac{\lambda_j}{\mu_j + \mu_k}\Bigr) \approx sDI\Bigl(\frac{\lambda_j}{\mu_j} + \frac{\lambda_k}{\mu_k};\ \frac{\lambda_j}{\mu_j} + \frac{\lambda_k}{\mu_k}\Bigr) \qquad (5.24)$$

Example: $\lambda_{\ldots} = 10^{-5}\,\mathrm{h}^{-1}$, $\mu_{\ldots} = 10^{-1}\,\mathrm{h}^{-1}$, $c_{j,k} = 10^{-2}$

$$sDI\bigl((MC_i \vee MC_{i+1})_{j \to k}\bigr) \approx sDI\bigl(2 \cdot 10^{-4};\ 2 \cdot 10^{-4}\bigr) \qquad (5.25)$$

Result 1: The s-term to the right of the semicolon is approximately equal to the term to the left, which indicates practically no impact of s-dependency on the disjunction $MC_i \vee MC_{i+1}$ (series connected MC) according to Eq. 5.10.
Result 2: This approximation can be transferred to the conjunction terms of MC in Eq. 3.44 and 3.45, which can be neglected in most applications.

Conclusion 2

S-dependency of type 2 (between MC) has no significant impact on system dependability.
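The following Python example (added here; it is not code from the book) builds the Markov minimal cut of two 2-state components j, k as a 4-state Markov process, solves its steady state, and derives the sDI-factors of type 1 (both components inside one 2nd-order MC, Conclusion 1) and type 2 (the two components in two 1st-order MC in series, Conclusion 2) from the same model. How the CCF enters the Markov model is my assumption: a fraction c_{j,k} of the failures of j takes k down at the same instant, and the both-down state is left by the repair of either component, so that μ_1 + μ_2 in Eq. 5.19 is read as μ_j + μ_k. The thresholds used for the classification of Eq. 5.10-5.12 are also assumed; the numerical values are the book's example values.

```python
"""Markov minimal cut (MMC) with a common cause failure and the sDI factor.

Added example, not code from the book. Two 2-state components j and k form
one Markov process with the states UU, DU, UD, DD (first letter: state of
j, second: state of k). Assumed CCF model: a fraction c_jk of the failures
of j takes k down simultaneously (Eq. 5.18/5.23); DD is left by repairing
either component. Classification thresholds of sdi_class() are assumed.
"""

UU, DU, UD, DD = range(4)


def generator(lam_j, mu_j, lam_k, mu_k, c_jk):
    """Transition rate matrix Q (row sums are zero) of the 4-state MMC."""
    q = [[0.0] * 4 for _ in range(4)]
    q[UU][DU] = lam_j * (1.0 - c_jk)   # j fails on its own
    q[UU][UD] = lam_k                  # k fails on its own
    q[UU][DD] = lam_j * c_jk           # CCF: j fails and takes k with it
    q[DU][UU] = mu_j
    q[DU][DD] = lam_k
    q[UD][UU] = mu_k
    q[UD][DD] = lam_j                  # k is already down, CCF changes nothing
    q[DD][UD] = mu_j
    q[DD][DU] = mu_k
    for i in range(4):
        q[i][i] = -sum(q[i])
    return q


def steady_state(q):
    """Solve pi*Q = 0 with sum(pi) = 1 (Gauss-Jordan, partial pivoting)."""
    n = len(q)
    a = [[q[col][row] for col in range(n)] for row in range(n)]  # Q transposed
    b = [0.0] * n
    a[n - 1] = [1.0] * n               # one equation is redundant: normalise
    b[n - 1] = 1.0
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        b[col], b[piv] = b[piv], b[col]
        for r in range(n):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
                b[r] -= f * b[col]
    return [b[i] / a[i][i] for i in range(n)]


def sdi_factor(pr_ind, pr_dep):
    """sDI-factor Pr(MC_dep) / Pr(MC_ind) of Definition 5.3."""
    return pr_dep / pr_ind


def sdi_class(factor):
    """Eq. 5.10-5.12; the boundaries 1.1 and 10 are assumed."""
    if factor < 1.1:
        return "s-independent (Eq. 5.10)"
    if factor < 10.0:
        return "slightly s-dependent (Eq. 5.11)"
    return "major impact (Eq. 5.12)"


def mmc_study(lam=1e-5, mu=1e-1, c=1e-2):
    """Type 1: Pr(D_j and D_k) of the 2nd-order MC.  Type 2: Pr(D_j or D_k)
    of two 1st-order MC in series.  Both with (c) and without (0) CCF."""
    pi_ind = steady_state(generator(lam, mu, lam, mu, 0.0))
    pi_dep = steady_state(generator(lam, mu, lam, mu, c))
    type1 = (pi_ind[DD], pi_dep[DD])
    type2 = (1.0 - pi_ind[UU], 1.0 - pi_dep[UU])
    f1, f2 = sdi_factor(*type1), sdi_factor(*type2)
    return {
        "type1": type1 + (f1, sdi_class(f1)),
        "type2": type2 + (f2, sdi_class(f2)),
        "eq_5_19": lam * lam / (mu * mu) + c * lam / (mu + mu),  # book's approximation
    }


if __name__ == "__main__":
    res = mmc_study()
    for kind in ("type1", "type2"):
        ind, dep, f, cls = res[kind]
        print(f"{kind}: Pr_ind = {ind:.3e}  Pr_dep = {dep:.3e}  factor = {f:.2f}  {cls}")
    print(f"Eq. 5.19 approximation for type 1: {res['eq_5_19']:.3e}")
```

With the book's values the exact Markov solution gives a type 1 factor of about 51 (Eq. 5.21 says approximately 50, and the Eq. 5.19 approximation 5.1·10^-7 agrees with the exact Pr(DD) to well under 1 %), while the type 2 factor stays within 0.3 % of 1, in line with Eq. 5.25.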

5.5 Theoretical study example 1

The possible impact of s-dependency (red arrows) on the system down state can be analyzed on the bridge structure in Fig. 5.4.

[Fig. 5.4: DBD of the bridge structure (components 1 and 3 in the upper path, 2 and 4 in the lower path, bridge component 5, all in the up state U_S) with illustration of the impact of s-dependency between the components.]

A failure of component 1 with CCF to all other components is analyzed in Fig. 5.5
as a worst case scenario (no other s-dependency is considered). The indices
Pr ( D S ) and Fr ( D S ) can be calculated with Eq. 3.39, 3.44, and 3.45 in order to
estimate the impact of CCF1,... (Fig. 5.5) between components inside MC and bet-
ween MC of the logical OR and AND connections MC i ∨ MC j ∨ … and
MC i ∧ MC j ∧ … .

All other component failures with their impact of s-dependency on dependability


can be analyzed in the same way.
[Fig. 5.5: S-dependency impact model of the bridge structure with s-dependent failures (CCF) caused by a failure of component 1: CCF_{1,2}, CCF_{1,3}, CCF_{1,4}, CCF_{1,5} acting on the minimal cuts MC1 = {1, 2}, MC2 = {3, 4}, MC3 = {1, 4, 5}, MC4 = {2, 3, 5} of the up state U_S (states U_i, D_i of each component).]

Assumption: For the following examples the numerical values are assumed to be $\lambda_{\ldots} = 10^{-5}\,\mathrm{h}^{-1}$, $\mu_{\ldots} = 10^{-1}\,\mathrm{h}^{-1}$, $c_{\ldots} = 10^{-2}$ (Eq. 5.17 is fulfilled).

Notation example: $MC_1 := U_{1,2} \to D_{1,2} \mid U_{1,1} \to D_{1,1}$ ($CCF_{1 \to 2}$).

$MC_1 \mid CCF_{1 \to 2}$ $(D_1 \wedge D_2)$

$$\Pr(MC_{1\,ind}) \approx \frac{\lambda_1}{\mu_1}\,\frac{\lambda_2}{\mu_2} \qquad (5.26)$$

$$\Pr(MC_1 \mid CCF_{1 \to 2}) \approx \frac{\lambda_1}{\mu_1}\,\frac{\lambda_2}{\mu_2} + c_{1,2}\,\frac{\lambda_1}{\mu_{1,2}} \qquad (5.27)$$

$$sDI(MC_1 \mid CCF_{1 \to 2}) = sDI\bigl(\Pr(MC_{1\,ind});\ \Pr(MC_1 \mid CCF_{1 \to 2})\bigr) \qquad (5.28)$$

Example: $sDI(MC_1 \mid CCF_{1 \to 2}) \approx sDI\bigl(10^{-8};\ 10^{-8} + 10^{-6}\bigr)$ (5.29)

Result: CCF inside MC1 have a strong impact on MC1 (2nd order).

$MC_3 \mid CCF_{1 \to 4,5}$ $(D_1 \wedge D_4 \wedge D_5)$

$$\Pr(MC_{3\,ind}) \approx \frac{\lambda_1}{\mu_1}\,\frac{\lambda_4}{\mu_4}\,\frac{\lambda_5}{\mu_5} \qquad (5.30)$$

$$\Pr(MC_3 \mid CCF_{1 \to 4,5}) \approx \frac{\lambda_1}{\mu_1}\,\frac{\lambda_4}{\mu_4}\,\frac{\lambda_5}{\mu_5} + c_{1,4}\,\frac{\lambda_1}{\mu_{1,4}}\,\frac{\lambda_5}{\mu_{1,4,5}} + c_{1,5}\,\frac{\lambda_1}{\mu_{1,5}}\,\frac{\lambda_4}{\mu_{1,4,5}} + \frac{\lambda_4}{\mu_4}\,c_{1,5}\,\frac{\lambda_1}{\mu_{1,4,5}} + \frac{\lambda_5}{\mu_5}\,c_{1,4}\,\frac{\lambda_1}{\mu_{1,4,5}} \qquad (5.31)$$

$$sDI(MC_3 \mid CCF_{1 \to 4,5}) = sDI\bigl(\Pr(MC_{3\,ind});\ \Pr(MC_3 \mid CCF_{1 \to 4,5})\bigr) \qquad (5.32)$$

Example: $sDI(MC_3 \mid CCF_{1 \to 4,5}) \approx sDI\bigl(10^{-12};\ 10^{-12} + 4 \cdot 10^{-10}\bigr)$ (5.33)

Result 1: CCF inside MC3 have a strong impact on MC3 (3rd order).
Result 2: The result is negligible compared to $MC_1 \mid CCF_{1 \to 2}$.
Exception: It may not be negligible in case of multiple CCF, which are excluded in Eq. 5.17.

$MC_2 \mid CCF_{1 \to 3,4}$ $(D_3 \wedge D_4)$

$$\Pr(MC_{2\,ind}) \approx \frac{\lambda_3}{\mu_3}\,\frac{\lambda_4}{\mu_4} \qquad (5.34)$$

λ3 λ 4 λ 1 λ4 λ1 λ3
Pr ( MC 2 CCF 1 → 3, 4 ) ≈ ------ ------ + c 1, 3 ------ ---------- + c 1, 4 ------ ---------- (5.35)
μ3 μ4 μ 3 μ 3, 4 μ 4 μ 3, 4

sDI ( MC 2 CCF 1 → 3, 4 ) = sDI ( P r ( MC 2 ind ); Pr ( MC 2 CCF 1 → 3, 4 ) ) (5.36)

Example: $sDI(MC_2^{\,CCF\,1\to 3,4}) \approx sDI(10^{-8};\ 10^{-8} + 2 \cdot 10^{-10})$ (5.37)

Result 1: CCF outside $MC_2$ have a minor impact on $MC_2$, according to Eq. 5.11.
Result 2: The result is negligible compared to $MC_1^{\,CCF\,1\to 2}$.
Exception: It may not be negligible in case of multiple CCF, excluded in Eq. 5.17.

$MC_4^{\,CCF\,1\to 2,3,5}$ $(D_2 \wedge D_3 \wedge D_5)$

$\Pr(MC_4^{\,ind}) \approx \frac{\lambda_2}{\mu_2}\frac{\lambda_3}{\mu_3}\frac{\lambda_5}{\mu_5}$ (5.38)

$\Pr(MC_4^{\,CCF\,1\to 2,3,5}) \approx \frac{\lambda_2}{\mu_2}\frac{\lambda_3}{\mu_3}\frac{\lambda_5}{\mu_5} + c_{1,2}\frac{\lambda_1}{\mu_2}\left(\frac{\lambda_3}{\mu_{2,3}}\frac{\lambda_5}{\mu_{2,3,5}} + \frac{\lambda_5}{\mu_{2,5}}\frac{\lambda_3}{\mu_{2,3,5}}\right) + c_{1,3}\frac{\lambda_1}{\mu_3}\left(\frac{\lambda_2}{\mu_{2,3}}\frac{\lambda_5}{\mu_{2,3,5}} + \frac{\lambda_5}{\mu_{3,5}}\frac{\lambda_2}{\mu_{2,3,5}}\right) + c_{1,5}\frac{\lambda_1}{\mu_5}\left(\frac{\lambda_2}{\mu_{2,5}}\frac{\lambda_3}{\mu_{2,3,5}} + \frac{\lambda_3}{\mu_{3,5}}\frac{\lambda_2}{\mu_{2,3,5}}\right)$ (5.39)

$sDI(MC_4^{\,CCF\,1\to 2,3,5}) = sDI\bigl(\Pr(MC_4^{\,ind});\ \Pr(MC_4^{\,CCF\,1\to 2,3,5})\bigr)$ (5.40)

Example: $sDI(MC_4^{\,CCF\,1\to 2,3,5}) \approx sDI(10^{-12};\ 10^{-12} + 6 \cdot 10^{-14})$ (5.41)

Result 1: CCF outside $MC_4$ have a minor impact on $MC_4$ (3rd order).
Result 2: The result is negligible compared to $MC_1^{\,CCF\,1\to 2}$.
Exception: It may not be negligible in case of multiple CCF, which are excluded in Eq. 5.17.

$(MC_1 \vee MC_2)^{CCF\,1\to 2,3,4}$ (logical OR connection)

It is assumed that Eq. 5.17 is valid. The disjunction as part of Eq. 3.44 is investigated with respect to the given example values.

$\Pr(MC_1^{\,CCF\,1\to 2} \vee MC_2^{\,CCF\,1\to 3,4}) = \Pr(MC_1^{\,CCF\,1\to 2}) + \Pr(MC_2^{\,CCF\,1\to 3,4}) - \Pr\bigl((MC_1 \wedge MC_2)^{CCF\,1\to 2,3,4}\bigr)$ (5.42)

S-dependency affects only the conjunction term. For sDI, both s-independent MC and s-dependent MC are investigated.

$\Pr\bigl((MC_1 \wedge MC_2)^{ind\,MC}\bigr) = \Pr(MC_1^{\,CCF\,1\to 2}) \cdot \Pr(MC_2^{\,CCF\,1\to 3,4})$ (5.43)

Example: $\Pr\bigl((MC_1 \wedge MC_2)^{ind\,MC}\bigr) \approx 2 \cdot 10^{-14}$ (5.44)

Similar components are assumed in order to simplify the evaluation, see Appendix
5.11.1.
$\Pr\bigl((MC_1 \wedge MC_2)^{CCF\,1\to 2,3,4}\bigr) \approx \frac{\lambda^4}{\mu^4} + 18\,c\,\frac{\lambda^3}{\mu^3}$ (5.45)

Due to Eq. 5.17, multiple CCF are excluded.

Example: $\Pr\bigl((MC_1 \wedge MC_2)^{CCF\,1\to 2,3,4}\bigr) \approx 1.8 \cdot 10^{-13}$ (5.46)

$sDI(MC_1^{\,CCF\,1\to 2} \vee MC_2^{\,CCF\,1\to 3,4}) = sDI\bigl(\Pr((MC_1 \vee MC_2)^{ind\,MC});\ \Pr((MC_1 \vee MC_2)^{CCF\,1\to 2,3,4})\bigr)$ (5.47)

Example: $sDI(MC_1^{\,CCF\,1\to 2} \vee MC_2^{\,CCF\,1\to 3,4}) \approx sDI\bigl(10^{-8} + 10^{-6} + 10^{-8} + 2 \cdot 10^{-10} - 2 \cdot 10^{-14};\ 10^{-8} + 10^{-6} + 10^{-8} + 2 \cdot 10^{-10} - 1.8 \cdot 10^{-13}\bigr)$ (5.48)

Result: The calculation reveals a minor impact of s-dependency on the disjunction.


Thus, in most applications the conjunction terms in Eq. 3.44-3.45 are negligible. Exception: Conjunction terms may not be negligible in case of multiple CCF, which are excluded in Eq. 5.17.

Conclusions

Due to the assumptions of Eq. 5.17, the following general estimations of the bridge
structure are derived.

1. The 2nd order $MC_1$ and $MC_2$ determine system dependability, regardless whether the components are s-independent or not.
2. MC of higher than 2nd order do not significantly influence system dependability, even in case of s-dependency.

The s-dependencies (here CCF) between the components 1 and 2 as well as 3 and 4 have the strongest impact on the bridge structure, as revealed by the s-dependency impact measure.

$sDI(MC_1^{\,1\to 2,\,2\to 1}) \approx sDI\left(\frac{\lambda_1}{\mu_1}\frac{\lambda_2}{\mu_2};\ \frac{\lambda_1}{\mu_1}\frac{\lambda_2}{\mu_2} + c_{1,2}\frac{\lambda_1}{\mu_{1,2}} + c_{2,1}\frac{\lambda_2}{\mu_{2,1}}\right)$ (5.49)

$sDI(MC_2^{\,3\to 4,\,4\to 3}) \approx sDI\left(\frac{\lambda_3}{\mu_3}\frac{\lambda_4}{\mu_4};\ \frac{\lambda_3}{\mu_3}\frac{\lambda_4}{\mu_4} + c_{3,4}\frac{\lambda_3}{\mu_{3,4}} + c_{4,3}\frac{\lambda_4}{\mu_{4,3}}\right)$ (5.50)

If $1 \ge c_{\ldots} \gg \lambda_{\ldots}/\mu_{\ldots}$, then CCF have major impact on system dependability, otherwise the impact decreases with decreasing CCF. If, e.g., $c_{\ldots} = 10^{-2}$, $\lambda_{\ldots} = 10^{-5}\,\mathrm{h}^{-1}$, and $\mu_{\ldots} = 10^{-1}\,\mathrm{h}^{-1}$, then $sDI(10^{-8};\ 2 \cdot 10^{-6})$, which indicates strong s-dependency between the component states inside $MC_1$ and $MC_2$. If, e.g., $c_{\ldots} = 10^{-4}$, then $sDI(10^{-8};\ 10^{-8} + 2 \cdot 10^{-8})$ indicates only a minor impact on system dependability. In this case, high expenditure to reduce CCF may not be worthwhile.
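The four cut evaluations above and the threshold discussion on $c_{\ldots}$ can be reproduced numerically. The following Python block is an added worked example, not code from the book: it implements Eq. 5.26-5.41 and the disjunction terms of Eq. 5.42-5.46 for the assumed values, and it assumes, as a constructed simplification, that every CCF repair rate $\mu_{i,j}$, $\mu_{i,j,k}$ equals the single-component repair rate $\mu$. The function names (`mc1` … `sweep_c`) are labels chosen here, not notation from the page.

```python
"""Bridge-structure sDI calculations (added example, not from the book).

Implements Eq. 5.26-5.41 and Eq. 5.42-5.46 for lambda = 1e-5 /h,
mu = 1e-1 /h, c = 1e-2 (Eq. 5.17 fulfilled).  Constructed simplification:
all CCF repair rates mu_{i,j}, mu_{i,j,k} are set equal to mu.
"""

LAM = 1e-5   # failure rate lambda_i of every component  [1/h]
MU = 1e-1    # repair rate mu_i of every component       [1/h]


def q(lam=LAM, mu=MU):
    """Unavailability-type ratio lambda/mu of a single component."""
    return lam / mu


def sdi(p_ind, p_dep):
    """s-dependency impact: (Pr ind ; Pr dep) plus their ratio (sDI-factor)."""
    return p_ind, p_dep, p_dep / p_ind


def mc1(c):
    # Eq. 5.26 / 5.27: MC1 = {1, 2}, CCF 1->2 inside the cut (2nd order)
    p_ind = q() * q()
    p_dep = p_ind + c * LAM / MU           # c_{1,2} * lambda_1 / mu_{1,2}
    return sdi(p_ind, p_dep)


def mc3(c):
    # Eq. 5.30 / 5.31: MC3 = {1, 4, 5}, CCF 1->4 and 1->5 inside the cut;
    # each CCF pair may fail before or after the remaining component,
    # giving four correction terms of the form c * (lambda/mu)^2
    p_ind = q() ** 3
    p_dep = p_ind + 4 * c * q() * q()
    return sdi(p_ind, p_dep)


def mc2(c):
    # Eq. 5.34 / 5.35: MC2 = {3, 4}, CCF source component 1 lies outside the cut
    p_ind = q() * q()
    p_dep = p_ind + 2 * c * q() * q()
    return sdi(p_ind, p_dep)


def mc4(c):
    # Eq. 5.38 / 5.39: MC4 = {2, 3, 5}, CCF source outside the cut;
    # three couplings, each with two orderings of the remaining failures
    p_ind = q() ** 3
    p_dep = p_ind + 3 * c * q() * (2 * q() ** 2)
    return sdi(p_ind, p_dep)


def disjunction(c):
    # Eq. 5.42-5.46: Pr(MC1 v MC2) with the conjunction term once as the
    # product of s-independent MC (Eq. 5.43) and once from Eq. 5.45
    p1 = mc1(c)[1]
    p2 = mc2(c)[1]
    conj_ind = p1 * p2
    conj_dep = q() ** 4 + 18 * c * q() ** 3
    return sdi(p1 + p2 - conj_ind, p1 + p2 - conj_dep)


def sweep_c(cs=(1e-2, 1e-3, 1e-4)):
    """sDI-factor of MC1 with symmetric CCF 1->2 and 2->1 (Eq. 5.49) per c."""
    return {c: (q() ** 2 + 2 * c * q()) / q() ** 2 for c in cs}


if __name__ == "__main__":
    for name, fn in (("MC1", mc1), ("MC2", mc2), ("MC3", mc3), ("MC4", mc4)):
        p_ind, p_dep, factor = fn(1e-2)
        print(f"{name}: sDI({p_ind:.3g}; {p_dep:.3g})  factor {factor:.1f}")
    print("disjunction factor:", disjunction(1e-2)[2])
    print("sDI-factor of MC1 over c:", sweep_c())
```

The sDI-factor returned as the third element makes the "strong" versus "minor" verdicts of the text quantitative: about 100 for $MC_1$ and $MC_3$ (CCF inside the cut), close to 1 for $MC_2$, $MC_4$ and the disjunction.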

According to the previous analysis, the bridge structure of Fig. 5.4 is clearly represented in the corresponding s-dependency impact model, Fig. 5.6. The sDI measure reveals the sensitivity of the CCF on the system.

[Figure 5.6 (diagram not reproduced): $U_S$; $MC_1$ with $U_1/D_1$, $U_2/D_2$ and CCF 1,2 / CCF 2,1; $MC_2$ with $U_3/D_3$, $U_4/D_4$ and CCF 3,4 / CCF 4,3.]

Fig. 5.6. Approximate s-dependency impact model of the bridge structure, Fig. 5.4, with illustration of the s-dependency impact.

5.6 Set of examples

The application of the sDI-measure will be further illustrated by the following examples, with their results well-known from Chapter 4.5.

Example Fig. 4.19 (limited repair resource and repair priority)

$MC^{dep} = Z_4 \vee Z_5$ (5.51)

$sDI(MC^{dep}) \approx sDI\left(\frac{\lambda_1}{\mu_1}\frac{\lambda_2}{\mu_2};\ \lambda_1\lambda_2\left(\frac{1}{\mu_1^2} + \frac{1}{\mu_2^2}\right)\right)$ (5.52)

$\text{sDI-factor} = \frac{\Pr(MC^{dep})}{\Pr(MC^{ind})} = \frac{\mu_2}{\mu_1} + \frac{\mu_1}{\mu_2} \ge 2$ (5.53)

Result: If $\mu_1 = \mu_2$, then the components are slightly s-dependent (according to Eq. 5.11). If $\mu_1 > \mu_2$ (or vice versa), then the s-dependent components can have a major impact on dependability. For example, if $\mu_1 = 1\,\mathrm{h}^{-1}$ and $\mu_2 = 10\,\mathrm{h}^{-1}$, then the sDI-factor = 10.1 (major impact). The failure rates $\lambda_1$ and $\lambda_2$ have no influence on s-dependency.

Example Fig. 4.20a (regarded as a parallel system including CCF)

$MC = Z_4 \vee Z_5$ (5.54)

$sDI(MC^{dep}) \approx sDI\left(\frac{\lambda_1\lambda_2}{\mu_1\mu_2};\ \frac{\lambda_1\lambda_2}{\mu_1^2} + \frac{\lambda_1\lambda_2}{\mu_2^2} + \frac{c_{1,2}\lambda_1}{\mu_1} + \frac{c_{2,1}\lambda_2}{\mu_2}\right)$ (5.55)

Example: $c_{\ldots} = 10^{-2}$, $\lambda_1 = \lambda_2 = 10^{-5}\,\mathrm{h}^{-1}$, $\mu_1 = \mu_2 = 10^{-1}\,\mathrm{h}^{-1}$

$sDI(MC^{dep}) \approx sDI(10^{-8};\ 2 \cdot 10^{-8} + 2 \cdot 10^{-6})$ (5.56)

Result: The s-term on the right represents a strong impact of s-dependency inside
MC (inside a parallel connection).

Example Fig. 4.20a (regarded as a series system including CCF)

$MC_1^{dep} = Z_2 \vee Z_4 \vee Z_5$ (5.57)
$MC_2^{dep} = Z_3 \vee Z_4 \vee Z_5$ (5.58)

$\Pr(MC_1^{dep}) \approx \frac{\lambda_1}{\mu_1} + c_{1,2}\frac{\lambda_1}{\mu_1} + c_{2,1}\frac{\lambda_2}{\mu_2}$ (5.59)

$\Pr(MC_2^{dep}) \approx \frac{\lambda_2}{\mu_2} + c_{2,1}\frac{\lambda_2}{\mu_2} + c_{1,2}\frac{\lambda_1}{\mu_1}$ (5.60)

$\Pr((MC_1 \vee MC_2)^{dep}) \le \Pr(MC_1^{dep}) + \Pr(MC_2^{dep}) \approx \frac{\lambda_1}{\mu_1} + \frac{\lambda_2}{\mu_2}$ with $c_{\ldots} \ll 1$ (5.61)

$\Pr(MC_1^{ind}) \approx \frac{\lambda_1}{\mu_1}$ (5.62)

$\Pr(MC_2^{ind}) \approx \frac{\lambda_2}{\mu_2}$ (5.63)

$\Pr((MC_1 \vee MC_2)^{ind}) \le \Pr(MC_1^{ind}) + \Pr(MC_2^{ind}) \approx \frac{\lambda_1}{\mu_1} + \frac{\lambda_2}{\mu_2}$ (5.64)

$sDI((MC_1 \vee MC_2)^{dep}) \approx sDI\left(\frac{\lambda_1}{\mu_1} + \frac{\lambda_2}{\mu_2};\ \frac{\lambda_1}{\mu_1} + \frac{\lambda_2}{\mu_2}\right)$ (5.65)

Result 1: The s-term on the right of the sDI-expression represents a minor impact of s-dependency, both inside the MC and between the MC.

Result 2: As a rule, s-dependency of parallel connected components has a major impact on system dependability. S-dependency of series connected components has a minor impact on system dependability. Thus, it is negligible.

Example Fig. 4.22 (preventive maintenance)

Assumption: $\lambda = \lambda_1 = \lambda_2$, $\mu = \mu_1 = \mu_2$, $\lambda_M = \lambda_{M1} = \lambda_{M2}$, $\mu_M = \mu_{M1} = \mu_{M2}$

$MC^{dep} = Z_6 \vee Z_7 \vee Z_8 \vee Z_9$ (5.66)

$\Pr(MC^{dep}) \approx 2\frac{\lambda^2}{\mu^2} + 2\frac{\lambda_M\lambda}{\mu_M(\mu_M + \mu)}$ (5.67)

$MC^{ind} = (M_1 \vee D_1) \wedge (M_2 \vee D_2)$ (5.68)

$\Pr(MC^{ind}) = \Pr(M_1 \wedge M_2) \vee \Pr(M_1 \wedge D_2) \vee \Pr(D_1 \wedge M_2) \vee \Pr(D_1 \wedge D_2) \approx \left(\frac{\lambda_M}{\mu_M}\right)^2 + 2\frac{\lambda_M}{\mu_M}\frac{\lambda}{\mu} + \left(\frac{\lambda}{\mu}\right)^2$ (5.69)

$sDI(MC^{dep}) = sDI\bigl(\Pr(MC^{ind});\ \Pr(MC^{dep})\bigr)$ (5.70)



Example: $\lambda = 10^{-4}\,\mathrm{h}^{-1}$, $\mu = 10^{-1}\,\mathrm{h}^{-1}$, $\lambda_M = 10^{-4}\,\mathrm{h}^{-1}$, $\mu_M = 10^{-2}\,\mathrm{h}^{-1}$:

$sDI(MC^{dep}) \approx sDI(1.21 \cdot 10^{-4};\ 2.02 \cdot 10^{-5})$ (5.71)

Result 1: The term on the left of the sDI-expression is greater than the term on the right, which means that exact modeling shows an increased dependability.
Result 2: Maintenance can have a significant impact on system dependability if the maintenance time period is extensive, which is often fulfilled, e.g. in power plant items and transformer substations, or when no spare parts are available, etc.

Example Fig. 4.25 (redundancy switching)

Assumption: $\lambda = \lambda_1 = \lambda_2$, $\lambda_R = \lambda_{R1} = \lambda_{R2}$, $\mu = \mu_1 = \mu_2$, $s_R = s_{R1} = s_{R2}$

$MC^{dep} = Z_5 \vee Z_6$ (5.72)

$sDI(MC^{dep}) \approx sDI\left(\frac{\lambda^2}{\mu^2};\ \frac{\lambda^2}{\mu^2} + \frac{\lambda_R\lambda}{\mu^2} + s_R\frac{\lambda}{\mu}\right)$ (5.73)

Example: $\lambda = \lambda_R = 10^{-4}\,\mathrm{h}^{-1}$, $\mu = 10^{-1}\,\mathrm{h}^{-1}$, $s_R = 0.01$

$sDI(MC^{dep}) \approx sDI(10^{-6};\ 1.2 \cdot 10^{-5})$ (5.74)

Result: As a rule, start-up failures (or switching failures) of standby parallel component(s) can have a significant impact on system dependability.
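As an added worked example (not the book's code), the following Python functions evaluate the sDI expressions of Eq. 5.52-5.53, 5.55, 5.67-5.69 and 5.73 for arbitrary rates, so that the numerical pairs of Eq. 5.56, 5.71 and 5.74 and the sDI-factor 10.1 of the repair-priority case can be reproduced. The function names are labels chosen here for the four cases; each returns the pair (Pr ind, Pr dep) together with the sDI-factor Pr dep / Pr ind.

```python
"""sDI expressions of Section 5.6 as functions (added example, not from the book)."""


def sdi(p_ind, p_dep):
    """(Pr ind ; Pr dep) and the sDI-factor Pr dep / Pr ind."""
    return p_ind, p_dep, p_dep / p_ind


def limited_repair(lam1, lam2, mu1, mu2):
    # Eq. 5.52: limited repair resource with repair priority (Fig. 4.19)
    p_ind = lam1 * lam2 / (mu1 * mu2)
    p_dep = lam1 * lam2 * (1 / mu1 ** 2 + 1 / mu2 ** 2)
    return sdi(p_ind, p_dep)


def sdi_factor_limited_repair(mu1, mu2):
    # Eq. 5.53: the factor depends on the repair rates only, never below 2
    return mu2 / mu1 + mu1 / mu2


def parallel_ccf(lam1, lam2, mu1, mu2, c12, c21):
    # Eq. 5.55: parallel pair with CCF in both directions (Fig. 4.20a)
    p_ind = lam1 * lam2 / (mu1 * mu2)
    p_dep = (lam1 * lam2 / mu1 ** 2 + lam1 * lam2 / mu2 ** 2
             + c12 * lam1 / mu1 + c21 * lam2 / mu2)
    return sdi(p_ind, p_dep)


def preventive_maintenance(lam, mu, lam_m, mu_m):
    # Eq. 5.67 (dep) and Eq. 5.69 (ind) for two similar components (Fig. 4.22)
    p_dep = 2 * lam ** 2 / mu ** 2 + 2 * lam_m * lam / (mu_m * (mu_m + mu))
    p_ind = (lam_m / mu_m) ** 2 + 2 * (lam_m / mu_m) * (lam / mu) + (lam / mu) ** 2
    return sdi(p_ind, p_dep)


def redundancy_switching(lam, lam_r, mu, s_r):
    # Eq. 5.73: standby pair with switch failure rate lam_r and
    # start-up failure probability s_r (Fig. 4.25)
    p_ind = lam ** 2 / mu ** 2
    p_dep = p_ind + lam_r * lam / mu ** 2 + s_r * lam / mu
    return sdi(p_ind, p_dep)


if __name__ == "__main__":
    print("Eq. 5.53 factor, mu1 = 1/h, mu2 = 10/h:", sdi_factor_limited_repair(1.0, 10.0))
    print("Eq. 5.56:", parallel_ccf(1e-5, 1e-5, 1e-1, 1e-1, 1e-2, 1e-2))
    print("Eq. 5.71:", preventive_maintenance(1e-4, 1e-1, 1e-4, 1e-2))
    print("Eq. 5.74:", redundancy_switching(1e-4, 1e-4, 1e-1, 0.01))
```

A factor above 1 means the s-dependent model is less dependable than the s-independent one (parallel CCF, switching); the preventive-maintenance case yields a factor below 1, which is the "increased dependability" of Result 1 above.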

5.7 Theoretical study example 2

Fig. 5.7 shows the network model of the study example composed of three 3-state component models, based on Fig. 5.8. The network model can be considered as a subsystem of a larger network model, e.g. illustrated by the dashed white frame of Fig. 5.1 (DBD). It is assumed that failed components during the system up state $U_S$ (system operating state) shall not be repaired. Repair is only carried out in $MC_1$ and $MC_2$. The example will be analyzed with emphasis on the following issues.

1. Modeling of $MC_1$, $MC_2$, $U_S$, $D_S$.
2. S-dependency impact on $MC_1$, $MC_2$, $MC_1 \vee MC_2$, $MC_1 \wedge MC_2$.
3. Integration into the system structure (DBD) according to Fig. 5.1.

[Figure 5.7 (diagram not reproduced): DBD with system up state $U_S$ and component up states $U_1$, $U_2$, $U_3$.]

Fig. 5.7. DBD for study of the repair impact, highlighted by red arrows.

Modeling and calculation

Fig. 5.9 depicts the Markov model of the system, composed of the component models from Fig. 5.8, according to the network model in Fig. 5.7.

[Figure 5.8 (diagram not reproduced): 3-state component model with up state $U_i$ (up state ≡ operating state, Definition 1.8), state $D_i'$ (failed, waiting for repair until an MC occurs; outgoing rates $0 \ldots \lambda_j$, $j \ne i$) and state $D_i''$ (failed, repair in MC with rate $\mu_i$); failure transition $U_i \to D_i'$ with rate $\lambda_i$.]

Fig. 5.8. Markov component model.

[Figure 5.9 (diagram not reproduced): system states $Z_1 = U_1 \wedge U_2 \wedge U_3$, $Z_2 = D_1' \wedge U_2 \wedge U_3$, $Z_3 = U_1 \wedge D_2' \wedge U_3$, $Z_4 = U_1 \wedge U_2 \wedge D_3'$, $Z_5 = D_1'' \wedge U_2 \wedge D_3''$ ($MC_1$), $Z_6 = D_1' \wedge D_2' \wedge U_3$, $Z_7 = U_1 \wedge D_2'' \wedge D_3''$ ($MC_2$), $Z_8 = D_1'' \wedge D_2'' \wedge D_3''$; failure transitions with rates $\lambda_1$, $\lambda_2$, $\lambda_3$ as used in Eq. 5.76-5.82; repair transitions $Z_5 \to Z_1$ ($\mu_1 + \mu_3$), $Z_7 \to Z_1$ ($\mu_2 + \mu_3$), $Z_8 \to Z_1$ ($\mu_1 + \mu_2 + \mu_3$); $U_S$ comprises $Z_1 \ldots Z_4$, $Z_6$; $D_S = MC_1 \vee MC_2$.]

Fig. 5.9. Markov system model.

System state indices

Assumption: $\lambda = \lambda_1 = \lambda_2$, $\mu = \mu_1 = \mu_2$, $\lambda \ll \mu$

Compared to the 2-state model in Fig. 4.9, the 3-state model in Fig. 5.8 reveals a crucial difference. The postponed time to repair of the components can last for as long as $1/\lambda$ or, in other words, the outgoing state transitions of $Z_2$, $Z_3$, $Z_4$, and $Z_6$ are represented by $\lambda$ (no repair rates). Thus, in these operating states the assumption of Eq. 4.82, highlighted in Eq. 5.75 and depicted in Fig. 5.10

a k ak (5.75)

is not fulfilled. As a consequence, $\Pr(Z_1) \approx 1$ cannot be stated.

[Figure 5.10 (diagram not reproduced): inflow $a_k$ to and outflow $a_k$ of a Markov state $Z_k$.]

Fig. 5.10. Inflow to and outflow of a Markov state, Eq. 5.75.

Markov approach

$\Pr(Z_1)$ is unknown. The Markov equations applied step-by-step yield the solution for the state probabilities.

$\Pr(Z_2) = \Pr(Z_1)\frac{\lambda_1}{\lambda_2 + \lambda_3} = \Pr(Z_1)\frac{1}{2}$ (5.76)

$\Pr(Z_3) = \Pr(Z_1)\frac{\lambda_2}{\lambda_1 + \lambda_3} = \Pr(Z_1)\frac{1}{2}$ (5.77)

$\Pr(Z_4) = \Pr(Z_1)\frac{\lambda_3}{\lambda_1 + \lambda_2} = \Pr(Z_1)\frac{1}{2}$ (5.78)

$\Pr(Z_5) = \Pr(Z_2)\frac{\lambda_3}{\lambda_2 + \mu_1 + \mu_3} + \Pr(Z_4)\frac{\lambda_1}{\lambda_2 + \mu_1 + \mu_3} = \Pr(Z_1)\frac{\lambda}{\lambda + 2\mu}$ (5.79)

$\Pr(Z_6) = \Pr(Z_2)\frac{\lambda_2}{\lambda_3} + \Pr(Z_3)\frac{\lambda_1}{\lambda_3} = \Pr(Z_1)$ (5.80)

$\Pr(Z_7) = \Pr(Z_3)\frac{\lambda_3}{\lambda_1 + \mu_2 + \mu_3} + \Pr(Z_4)\frac{\lambda_2}{\lambda_1 + \mu_2 + \mu_3} = \Pr(Z_1)\frac{\lambda}{\lambda + 2\mu}$ (5.81)

$\Pr(Z_8) = \Pr(Z_5)\frac{\lambda_2}{\mu_1 + \mu_2 + \mu_3} + \Pr(Z_6)\frac{\lambda_3}{\mu_1 + \mu_2 + \mu_3} + \Pr(Z_7)\frac{\lambda_1}{\mu_1 + \mu_2 + \mu_3} = \Pr(Z_1)\frac{\lambda}{3\mu}\left(\frac{3\lambda + 2\mu}{\lambda + 2\mu}\right)$ (5.82)

With the secondary condition

$\sum_{i=1}^{8}\Pr(Z_i) = 1$ (5.83)

the system state indices are approximately calculated as follows.

$\Pr(Z_1) \approx \frac{2}{7}$ (5.84)

$\Pr(Z_2) = \Pr(Z_3) = \Pr(Z_4) \approx \frac{1}{7}$ (5.85)

$\Pr(Z_5) = \Pr(Z_7) \approx \frac{1}{7}\frac{\lambda}{\mu}$ (5.86)

$\Pr(Z_6) \approx \frac{2}{7}$ (5.87)

$\Pr(Z_8) \approx \frac{2}{21}\frac{\lambda}{\mu}$ (5.88)

The following approaches are also applied in order to demonstrate their relationship to the MC approach and the Markov approach.

MC approach, Eq. 3.44 and 3.45

$MC_1 = Z_5 \vee Z_8$, $MC_2 = Z_7 \vee Z_8$ (5.89, 5.90)
$MC_1 \wedge MC_2 = Z_8$, $MC_1 \vee MC_2 = Z_5 \vee Z_7 \vee Z_8$ (5.91, 5.92)

MC indices

$\Pr(MC_1) = \Pr(Z_5) + \Pr(Z_8) \approx \frac{5}{21}\frac{\lambda}{\mu}$ (5.93)

$\Pr(MC_2) = \Pr(Z_7) + \Pr(Z_8) \approx \frac{5}{21}\frac{\lambda}{\mu}$ (5.94)

$Fr(MC_1) = \frac{\Pr(Z_5)}{Ti(Z_{5 \to 1})} + \frac{\Pr(Z_8)}{Ti(Z_8)} = \Pr(Z_5)\,2\mu + \Pr(Z_8)\,3\mu \approx \frac{4}{7}\lambda$ (5.95)

$Fr(MC_2) = \frac{\Pr(Z_7)}{Ti(Z_{7 \to 1})} + \frac{\Pr(Z_8)}{Ti(Z_8)} = \Pr(Z_7)\,2\mu + \Pr(Z_8)\,3\mu \approx \frac{4}{7}\lambda$ (5.96)

System states

$D_S = MC_1 \vee MC_2$ (5.97)
$U_S = \overline{D_S}$ (5.98)

System indices

$\Pr(D_S) = \Pr(MC_1 \vee MC_2) = \Pr(MC_1) + \Pr(MC_2) - \Pr(MC_1 \wedge MC_2)$ (5.99)

$\Pr(D_S) = \Pr(Z_5) + \Pr(Z_7) + \Pr(Z_8) \approx \frac{1}{7}\frac{\lambda}{\mu} + \frac{1}{7}\frac{\lambda}{\mu} + \frac{2}{21}\frac{\lambda}{\mu} = \frac{8}{21}\frac{\lambda}{\mu}$ (5.100)

$\Pr(U_S) = 1 - \Pr(D_S) \approx \frac{13}{21}\frac{\lambda}{\mu}$ (5.101)

$Fr(D_S) = Fr(MC_1 \vee MC_2) = Fr(MC_1) + Fr(MC_2) - Fr(MC_1 \wedge MC_2)$ (5.102)

$Fr(D_S) = \Pr(Z_2)\lambda_3 + \Pr(Z_3)\lambda_3 + \Pr(Z_4)(\lambda_1 + \lambda_2) + \Pr(Z_6)\lambda_3 \approx \frac{6}{7}\lambda$ (5.103)

$Fr(U_S) = \Pr(Z_5)(\mu_1 + \mu_3) + \Pr(Z_7)(\mu_2 + \mu_3) + \Pr(Z_8)(\mu_1 + \mu_2 + \mu_3) \approx \frac{6}{7}\lambda$ (5.104)

Approximate MC approach, Eq. 3.46 and 3.47

The system indices can be calculated approximately using Eq. 5.93-96.

$\Pr(D_S) \le \Pr(MC_1 \vee MC_2) = \Pr(MC_1) + \Pr(MC_2) \approx \frac{10}{21}\frac{\lambda}{\mu}$ (5.105)

$Fr(D_S) \le Fr(MC_1 \vee MC_2) = Fr(MC_1) + Fr(MC_2) \approx \frac{8}{7}\lambda$ (5.106)

The DBD in Fig. 5.7 can be transformed to the simple DBD in Fig. 5.1 with two
MMC .

pMp approach

As mentioned before, $\Pr(Z_1) \approx 1$ is not valid. Therefore, in calculation step 1 the initial probability is calculated using the following equations.

$\sum_{\forall Z_i \in U_S}\Pr(Z_i) \approx 1$ (5.107)

With Eq. 5.76-78 and 5.80 follows

$\Pr(Z_1)\left(1 + \frac{3}{2} + 1\right) \approx 1$ and $\Pr(Z_1) \approx \frac{2}{7}$ (5.108)

In calculation step 2 the starting probability $\Pr(Z_1) \approx \frac{2}{7}$ is inserted directly in Eq. 5.79 and 5.81-82, which yield the results of Eq. 5.85-88.

A numerical iteration approach according to Chapter 4.4.3.2 and 4.5.8.2 can be an alternative approach.

S-dependency impact

The application of the sDI expression according to Definition 5.3 yields

$sDI\bigl(\Pr(MC_1^{ind});\ \Pr(MC_1^{dep})\bigr) \approx sDI\left(\frac{\lambda_1}{\mu_1}\frac{\lambda_3}{\mu_3};\ \frac{5}{21}\frac{\lambda}{\mu}\right)$ (5.109)

$sDI\bigl(\Pr(MC_2^{ind});\ \Pr(MC_2^{dep})\bigr) \approx sDI\left(\frac{\lambda_2}{\mu_2}\frac{\lambda_3}{\mu_3};\ \frac{5}{21}\frac{\lambda}{\mu}\right)$ (5.110)

Example: $\lambda = 10^{-4}\,\mathrm{h}^{-1}$, $\mu = 10^{-1}\,\mathrm{h}^{-1}$

$sDI\bigl(\Pr(MC_1^{ind});\ \Pr(MC_1^{dep})\bigr) \approx sDI(10^{-6};\ 0.24 \cdot 10^{-3})$ (5.111)

$sDI\bigl(\Pr(MC_2^{ind});\ \Pr(MC_2^{dep})\bigr) \approx sDI(10^{-6};\ 0.24 \cdot 10^{-3})$ (5.112)

Result: The s-terms to the right of the semicolon are much greater than the terms to the left, which indicates a strong impact of the s-dependency “no repair during system operation“ inside $MC_1$ and $MC_2$.

$sDI\bigl(\Pr((MC_1 \vee MC_2)^{ind});\ \Pr((MC_1 \vee MC_2)^{dep})\bigr) = sDI\bigl(\Pr(MC_1) + \Pr(MC_2) - \Pr((MC_1 \wedge MC_2)^{ind});\ \Pr(MC_1) + \Pr(MC_2) - \Pr((MC_1 \wedge MC_2)^{dep})\bigr)$ (5.113)

Example

$\Pr(MC_1) + \Pr(MC_2) \approx \frac{5}{21}\frac{\lambda}{\mu} + \frac{5}{21}\frac{\lambda}{\mu} = \frac{10}{21}\frac{\lambda}{\mu}$ (Eq. 5.93-94) (5.114)

$\Pr(MC_1 \wedge MC_2)^{ind} = \Pr(MC_1) \cdot \Pr(MC_2) \approx \frac{5}{21}\frac{\lambda}{\mu} \cdot \frac{5}{21}\frac{\lambda}{\mu} = \frac{25}{441}\frac{\lambda^2}{\mu^2}$ (5.115)

$\Pr(MC_1 \wedge MC_2)^{dep} = \Pr(Z_8) \approx \frac{2}{21}\frac{\lambda}{\mu}$ (5.116)

$sDI\bigl(\Pr((MC_1 \vee MC_2)^{ind});\ \Pr((MC_1 \vee MC_2)^{dep})\bigr) \approx sDI\left(\frac{10}{21}\frac{\lambda}{\mu};\ \frac{8}{21}\frac{\lambda}{\mu}\right)$ (5.117)

Result: Despite the strong impact of s-dependency inside $MC_1$ and $MC_2$, it has only a relatively small impact on the disjunction $MC_1 \vee MC_2$. The reason is that the two negative addends $\Pr(MC_1) \cdot \Pr(MC_2)$ and $\Pr(MC_1 \wedge MC_2)$ are much smaller than, or at least smaller than, $\Pr(MC_1) + \Pr(MC_2)$. The sums are nearly equal, which indicates an insignificant impact of s-dependency on the disjunction.
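The Markov, MC and sDI results of this study example can be checked by solving the stationary equations of the eight-state model numerically instead of step by step. The following Python block is an added example, not code from the book: it builds the rate matrix of Fig. 5.9 from the transitions used in Eq. 5.76-5.82, solves $\pi Q = 0$ with the normalisation of Eq. 5.83 by Gaussian elimination (pure Python, no numerical library), and derives the indices of Eq. 5.93-5.117. The parameter set $\lambda = 10^{-4}\,\mathrm{h}^{-1}$, $\mu = 10^{-1}\,\mathrm{h}^{-1}$ for all three components is the one used in Eq. 5.111; the dictionary keys are labels chosen here.

```python
"""Stationary solution of the 8-state Markov model of Fig. 5.9 (added example)."""


def generator(lam, mu):
    """Rate matrix Q with Q[i][j] = transition rate from Z(i+1) to Z(j+1).

    All three components get the same lambda and mu (assumption of the text).
    """
    l1 = l2 = l3 = lam
    m1 = m2 = m3 = mu
    Q = [[0.0] * 8 for _ in range(8)]

    def add(i, j, rate):
        Q[i - 1][j - 1] += rate

    add(1, 2, l1); add(1, 3, l2); add(1, 4, l3)      # failures out of Z1
    add(2, 5, l3); add(2, 6, l2)                       # Z2 = D1' U2 U3
    add(3, 6, l1); add(3, 7, l3)                       # Z3 = U1 D2' U3
    add(4, 5, l1); add(4, 7, l2)                       # Z4 = U1 U2 D3'
    add(5, 1, m1 + m3); add(5, 8, l2)                  # Z5 = MC1, repaired
    add(6, 8, l3)                                      # Z6 waits, no repair
    add(7, 1, m2 + m3); add(7, 8, l1)                  # Z7 = MC2, repaired
    add(8, 1, m1 + m2 + m3)                            # Z8 all down, repaired
    for i in range(8):
        Q[i][i] = -sum(Q[i])                           # rows sum to zero
    return Q


def stationary(Q):
    """Solve pi Q = 0 with sum(pi) = 1 (Eq. 5.83) by Gauss-Jordan elimination.

    Row j of the system is the balance equation of state Z(j+1); the last
    balance equation is replaced by the normalisation condition.
    """
    n = len(Q)
    A = [[Q[i][j] for i in range(n)] + [0.0] for j in range(n)]
    A[-1] = [1.0] * n + [1.0]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        for r in range(n):
            if r != col:
                f = A[r][col] / A[col][col]
                A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return [A[i][n] / A[i][i] for i in range(n)]


def indices(lam, mu):
    """MC, system and sDI indices of Eq. 5.93-5.117 from the exact solution."""
    p = stationary(generator(lam, mu))
    Z = lambda k: p[k - 1]
    pr_mc1 = Z(5) + Z(8)                                   # Eq. 5.93
    pr_mc2 = Z(7) + Z(8)                                   # Eq. 5.94
    fr_mc1 = Z(5) * 2 * mu + Z(8) * 3 * mu                 # Eq. 5.95
    pr_ds = Z(5) + Z(7) + Z(8)                             # Eq. 5.100
    fr_ds = (Z(2) + Z(3) + Z(6)) * lam + Z(4) * 2 * lam    # Eq. 5.103
    sdi_mc1 = ((lam / mu) ** 2, pr_mc1)                    # Eq. 5.109
    sdi_or = (pr_mc1 + pr_mc2 - pr_mc1 * pr_mc2,           # Eq. 5.113-5.117
              pr_mc1 + pr_mc2 - Z(8))
    return {"Z1": Z(1), "Z2": Z(2), "Z8": Z(8), "Pr_MC1": pr_mc1,
            "Fr_MC1": fr_mc1, "Pr_DS": pr_ds, "Fr_DS": fr_ds,
            "sDI_MC1": sdi_mc1, "sDI_OR": sdi_or}


if __name__ == "__main__":
    for k, v in indices(1e-4, 1e-1).items():
        print(f"{k:8s} {v}")
```

Comparing the returned values with Eq. 5.84-5.88 shows how good the $\lambda \ll \mu$ approximation is: $\Pr(Z_1)$ deviates from $2/7$ by about $10^{-4}$, and the sDI pair of $MC_1$ matches Eq. 5.111 to two digits, while the pair for the disjunction reproduces the $10/21 : 8/21$ relation of Eq. 5.117.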

Conclusions of the study example 2

1. Despite the strong s-dependency “no repair during system operation“ of the components inside MC, the MC approach (Eq. 3.44-47) is applicable using the interim solutions of the Markov approach in order to consider s-dependency.
2. Even the strong s-dependency “no repair during system operation“ of the components does not have a significant impact on the logical OR-connection $MC_1 \vee MC_2$ (see MMC approach, Fig. 5.1).
3. The framework in Fig. 5.1 is applicable.

5.8 General conclusions concerning MMC

Large and complex systems can be modeled and calculated analytically by the
MMC approach, represented with the framework in Fig. 5.1. The following points
are highlighted.

1. Modeling and calculation of MC of lowest order (pMC) are in most applications sufficient, with and without consideration of s-dependency. Higher order MC can be integrated if necessary.
2. S-dependency between component states inside MC can have a major im-
pact. It can be modeled and calculated individually by the Markov process tech-
nique and integrated into the minimal cut (MMC) approach, Fig. 5.1.
3. S-dependency of component states between logical OR connected MC has
only a minor or insignificant impact, even in case of strong s-dependency.

5.9 Application example 1: Process automation and control system

In this example the MMC approach is used to evaluate the dependability indices of an automation and control system, which is part of an extensive industrial study [Kochs 2012] based on previous analyses [Kochs et al. 1993, 1996, Kochs 1996]. Essential features are highlighted here.

STEP 1 (Fig. 2.2). System requirement analysis

Fig. 5.11 shows an overview of the automation and control system, which consists of two redundant communication networks, six redundant switches and 20 redundant controllers for the automation process control (e.g. for a production process, a power plant, or energy generation). PNet1, PNet2, PSw1-PSw6 are defined as primary components. SNet1, SNet2, SSw1-SSw6 are defined as secondary components. The primary components are active, the secondary are passive. If a primary switch fails, the primary network with all PSw1-PSw6 is automatically switched over to the secondary network with the switches SSw1-SSw6 (see the description of the operational and non-operational behavior of the components, STEP 4). Primary and secondary components are identical. Other redundancy procedures are possible, but not regarded here.

The system is fully redundant. Thus, no single point of failure will cause system failure. The pictured blocks illustrate the components of the system. The system itself is highlighted by the external dashed frame. The internal dashed frame comprises the switch subsystem (SwSystem).

STEP 2. Objective system states

Two alternative operational and non-operational scenarios should be analyzed by the following two system states.

System states 1
$U_{S1}$ system up state 1 (operating state 1): The networks PNet1/SNet1, PNet2/SNet2, SwSystem, and the 20 controllers have to function correctly. They are supervised and controlled via the workplaces, which are not part of the analyzed system (no failure in a controller is accepted ≡ 20-oo-20 structure).
$D_{S1}$ system down state 1 (non-operating state 1): $D_{S1} = \overline{U_{S1}}$.

System states 2
$U_{S2}$ system up state 2 (operating state 2): The networks PNet1/SNet1, PNet2/SNet2, SwSystem, and 19 of the 20 controllers have to function correctly (the failure of one controller is accepted ≡ 19-oo-20 structure).
$D_{S2}$ system down state 2 (non-operating state 2): $D_{S2} = \overline{U_{S2}}$.

STEP 3. Preconditions and assumptions

1. All components are assumed to be free of error considering hardware and software (design, manufacture, maintenance, and operation), as is realistic e.g. for mass products (although software changes can cause failures, which is not considered here).
2. Defect components are replaced by equivalent spare components, which are
sufficiently available in stock.
3. Influencing factors (outside the system) such as climatic influence (e.g. temperature and humidity), mechanical impacts (e.g. physical shock and vibration), electromagnetic impacts, and power supply are not considered in this study. Influencing factors have to meet the specification requirements.

4. Operating staff must be well-trained and perform its job free of error at the
workplaces of the central supervisory and control system.

STEP 4. Components and system(s)

In this example, the components and the system are specified by the technological
model in Fig. 5.11. The components should fulfill the following basic fault tolerance
requirements.

1. Each component checks automatically (see also STEP 5) its behavior and decides for itself, whether it is in the up state or in the down state (in case of FFE, Definition 1.21).
2. Each component in the up state shall function free of FFE.
3. Each component in the down state shall not react, even when requested. The central supervisory and control system detects failed components by a missing response to a given request (time error).

The physical communication lines (cables), PNet1, SNet1, PNet2, and SNet2 are
assumed to be 100% dependable (e.g. no cable break is taken into account). Network
switching is 100% dependable.

A profound modeling and calculation of the redundant controllers ReCon1-ReCon20, regarded as components, is given in [Kochs 2012].
[Figure 5.11 (diagram not reproduced): technological model of the system. Central supervisory and control system (workplaces); networks PNet1/SNet1 and PNet2/SNet2; switch subsystem SwSystem with the 6 redundant switches PSw1 … PSw6 / SSw1 … SSw6; 20 redundant controllers ReCon1 … ReCon20 at the automation and control system level (process level).]

Fig. 5.11. Technological model of the automation and control system.

STEP 5. Input data

The input data MTTF ($= 1/\lambda$) are largely taken from [Kochs 2012], where they are based on industrial standards. In principle, one has to decide between MTTF and $\mathrm{MTTF}_{Standby}$ (see Fig. 1.2).

PSw1-6, SSw1-6: $\lambda = 5.3 \cdot 10^{-6}\,\mathrm{h}^{-1}$ (redundant)
ReCon1-ReCon20: $\lambda = 2.0 \cdot 10^{-6}\,\mathrm{h}^{-1}$ (redundant)

The MTTR ($= 1/\mu$) is assumed to be eight hours for all components. This is a typical value (reference value) in most dependability analyses if no other specification is given. The necessary component indices depend on the component modeling, see STEP 6, Points 1 and 2.

ReCon1-ReCon20, Fig. 5.12: $\mu = 1/8\,\mathrm{h}$, automatically detected failure

PSw1-6, SSw1-6, Fig. 5.12:
Case 1: $\mu^* = \mu = 1/8\,\mathrm{h}$, automatically detected failure
Case 2: $\mu^* = 1/720\,\mathrm{h}$, time interval detected failure
Case 3: $\mu^* = 1/8{,}760\,\mathrm{h}$, time interval detected failure

The $\mathrm{MTTR}_{Rep+SysStart}$ ($= 1/\mu_{Rep+SysStart}$) for the complete repair and restart of the switch system (Fig. 5.13, state $Z_7$) is assumed to be eight hours.

STEP 6. Component modeling

The dependability model of the three component types is shown in Fig. 5.12. For the components PSw1-6, SSw1-6 the following cases are analyzed.

1. Failure in the standby state of a switch is automatically (continuously) detected.

2. Failure in the standby state of a switch is only detected during the inspection time $t_I$.

$\mu^* = \frac{2}{t_I}$, assuming $\mathrm{MTTR} \ll t_I \ll \mathrm{MTTF}$ (Eq. 4.291), (5.118)

Example: $t_I$ = 2 months (1,440 h) and 2 years (17,520 h)
The partial Markov model of the switches ($R$, $D^*$) can be evaluated according to Chapter 4.5.10 (item with periodic fault diagnosis).

3. Network switching (PNet1/SNet1 ↔ PNet2/SNet2) takes place error-free ($U_R$).

[Figure 5.12 (diagram not reproduced): component models for the switch pairs PSw1, SSw1 … PSw6, SSw6, the networks PNet1, SNet1 / PNet2, SNet2 and the controllers ReCon1 … ReCon20. Switch pair: operating state U, down state D, standby state R and standby down state D* with transition rates λ, μ, μ* and μ_Rep+SysStart; D* and μ* depend on automatic failure detection or time interval inspection; the transition in case of failure in an operating component is s-dependent. Controllers: states U and D with rates λ and μ.]

Fig. 5.12. Component models.

STEP 7. System modeling and calculation

The SwSystem (switch subsystem for network switching) is modeled as a Markov process, Fig. 5.13, and integrated into the system models, Fig. 5.14-15, as $MC_{Sw}$.

Fig. 5.14-15 show the dependability system models (DBD) according to the defined objective system states (STEP 2), which are evaluated with the MMC approach. In total, 21 and 191 MC, respectively, have been identified.
[Figure 5.13 (diagram not reproduced): Markov model of the SwSystem with states $Z_1 \ldots Z_7$. $Z_1$: all primary switches PSw1-6 and the primary networks PNet1, 2 up, all secondary switches SSw1-6 and SNet1, 2 in standby (R). Further states with one primary switch failed (D) and the network switched to the secondary side (network switching PNet1, 2 ⇔ SNet1, 2), and with one secondary switch failed in standby (D*); transition rates $n\lambda$, $\mu$, $\mu^*$ and $0.5\,\mu_{Rep+SysStart}$; $Z_7$ is the complete repair and restart state; the states forming $MC_{Sw}$ are marked, and the bold paths are those used by the pMp approach.]

Fig. 5.13. Markov model of the network switching subsystem (SwSystem, Fig. 5.11).

[Figure 5.14 (diagram not reproduced): series DBD for $U_{S1}$ with blocks $MC_{Sw}$ (SwSystem), $MC_1$ (ReCon1), $MC_2$ (ReCon2), …, $MC_{20}$ (ReCon20).]

Fig. 5.14. DBD according to Fig. 5.1 for system states 1 (up state mode). One failure of ReCon... causes system down state 1 (21 MC).

[Figure 5.15 (diagram not reproduced): series DBD for $U_{S2}$ with blocks $MC_{Sw}$ (SwSystem), $MC_1$ (ReCon1, ReCon2), $MC_2$ (ReCon1, ReCon3), …, $MC_{190}$ (ReCon19, ReCon20).]

Fig. 5.15. DBD according to Fig. 5.1 for system states 2 (up state mode). Two failures of ReCon... cause system down state 2 (191 MC).

STEP 8. Evaluation, assessment, and documentation

The evaluation of the automation and control system is subdivided into the following steps.

The SwSystem, calculated with the pMp approach (bold paths, Fig. 5.13), yields the $MC_{Sw}$ indices.

$\Pr(MC_{Sw}) \approx n^2\frac{\lambda^2}{\mu^2}\frac{\mu}{\mu_{Rep+SysStart}}\left(1 + \frac{\mu}{\mu^*}\right)$, $n = 6$ (5.119)

$Fr(MC_{Sw}) \approx n^2\frac{\lambda^2}{\mu}\left(1 + \frac{\mu}{\mu^*}\right)$, $n = 6$ (5.120)

MC indices for ReCon1-ReCon20 of the system states 1

$\Pr(MC_1) \ldots \Pr(MC_{20}) \approx \frac{\lambda}{\mu}$, 20-oo-20 (20 MC in series) (5.121)

$Fr(MC_1) \ldots Fr(MC_{20}) \approx \lambda$ (5.122)

MC indices for ReCon1-ReCon20 of the system states 2

$\Pr(MC_1) \ldots \Pr(MC_{190}) \approx \left(\frac{\lambda}{\mu}\right)^2$, 19-oo-20 (190 MC: $U_{ReCon\,i} \vee U_{ReCon\,j}$, $\forall i, j > i$, $i, j = 1 \ldots 20$ in series) (5.123)

$Fr(MC_1) \ldots Fr(MC_{190}) \approx \frac{\lambda^2}{\mu}$ (5.124)

Objective indices

Fig. 5.14, System states 1

$\Pr(D_{S1}) \le \Pr(MC_{Sw}) + \sum_{i=1}^{20}\Pr(MC_i)$ (5.125)

$Fr(D_{S1}) \le Fr(MC_{Sw}) + \sum_{i=1}^{20}Fr(MC_i)$ (5.126)

$Ti(U_{S1}) = \frac{\Pr(U_{S1})}{Fr(U_{S1})} \approx \frac{1}{Fr(D_{S1})} =: \mathrm{MTTSF}_{S1}$ (5.127)

Fig. 5.15, System states 2

$\Pr(D_{S2}) \le \Pr(MC_{Sw}) + \sum_{i=1}^{190}\Pr(MC_i)$ (5.128)

$Fr(D_{S2}) \le Fr(MC_{Sw}) + \sum_{i=1}^{190}Fr(MC_i)$ (5.129)

$Ti(U_{S2}) = \frac{\Pr(U_{S2})}{Fr(U_{S2})} \approx \frac{1}{Fr(D_{S2})} =: \mathrm{MTTSF}_{S2}$ (5.130)

| System states 1 | MTTR = 8 h | t_I = 2 months | t_I = 2 years |
|---|---|---|---|
| Pr(MC_Sw) | 1.2944·10^-7 | 5.8895·10^-6 | 7.0932·10^-5 |
| 20-oo-20: Σ_{i=1}^{20} Pr(MC_i) | 3.2000·10^-4 | 3.2000·10^-4 | 3.2000·10^-4 |
| Pr(D_S1) | 3.2013·10^-4 | 3.2589·10^-4 | 3.9093·10^-4 |
| Fr(MC_Sw) | 1.6180·10^-8 h^-1 | 7.3618·10^-7 h^-1 | 8.8666·10^-6 h^-1 |
| 20-oo-20: Σ_{i=1}^{20} Fr(MC_i) | 4.0000·10^-5 h^-1 | 4.0000·10^-5 h^-1 | 4.0000·10^-5 h^-1 |
| Fr(D_S1) | 4.0016·10^-5 h^-1 | 4.0736·10^-5 h^-1 | 4.8867·10^-5 h^-1 |
| Ti(U_S1) ≡ MTTSF_S1 | 2.4990·10^4 h | 2.4548·10^4 h | 2.0464·10^4 h |

20-oo-20 ReCon determines the system states 1 (series system).

| System states 2 | MTTR = 8 h | t_I = 2 months | t_I = 2 years |
|---|---|---|---|
| Pr(MC_Sw) | 1.2944·10^-7 | 5.8895·10^-6 | 7.0932·10^-5 |
| 19-oo-20: Σ_{i=1}^{190} Pr(MC_i) | 4.8640·10^-8 | 4.8640·10^-8 | 4.8640·10^-8 |
| Pr(D_S2) | 1.7808·10^-7 | 5.9381·10^-6 | 7.0981·10^-5 |
| Fr(MC_Sw) | 1.6180·10^-8 h^-1 | 7.3618·10^-7 h^-1 | 8.8666·10^-6 h^-1 |
| 19-oo-20: Σ_{i=1}^{190} Fr(MC_i) | 6.0800·10^-9 h^-1 | 6.0800·10^-9 h^-1 | 6.0800·10^-9 h^-1 |
| Fr(D_S2) | 2.2260·10^-8 h^-1 | 7.4226·10^-7 h^-1 | 8.8727·10^-6 h^-1 |
| Ti(U_S2) ≡ MTTSF_S2 | 4.4924·10^7 h | 1.3472·10^6 h | 1.1271·10^5 h |

SwSystem with automatic (continuous) error detection is mandatory for the system states 2 (parallel subsystems in series).

Table 5.1. Objective indices of the system states 1 and 2.
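Table 5.1 can be recomputed from the input data of STEP 5 and Eq. 5.118-5.130. The following Python block is an added example, not code from the study: it takes the switch and controller rates given above, uses $\mu^* = \mu$ for automatic detection and $\mu^* = 2/t_I$ (Eq. 5.118) for periodic inspection, and forms the upper-bound sums of Eq. 5.125-5.129. The function names and the dictionary keys are labels chosen here.

```python
"""Recomputation of Table 5.1 (added example, not the study's own code)."""

N_SW = 6                    # redundant switch pairs PSw1-6 / SSw1-6
LAM_SW = 5.3e-6             # failure rate of a switch        [1/h]
LAM_RC = 2.0e-6             # failure rate of a controller    [1/h]
MU = 1 / 8                  # repair rate, MTTR = 8 h         [1/h]
MU_REP_SYSSTART = 1 / 8     # complete repair and restart of the SwSystem (state Z7)


def mu_star(t_i=None):
    """Standby failure detection rate: automatic (mu* = mu) or inspection interval t_i."""
    return MU if t_i is None else 2 / t_i          # Eq. 5.118


def sw_system(mu_s):
    """Pr and Fr of MC_Sw, Eq. 5.119 / 5.120 with n = 6."""
    pr = N_SW ** 2 * LAM_SW ** 2 / MU ** 2 * MU / MU_REP_SYSSTART * (1 + MU / mu_s)
    fr = N_SW ** 2 * LAM_SW ** 2 / MU * (1 + MU / mu_s)
    return pr, fr


def controllers(k_oo_20):
    """Summed MC indices of the 20 controllers.

    20-oo-20: 20 single cuts (Eq. 5.121 / 5.122);
    19-oo-20: 190 pair cuts   (Eq. 5.123 / 5.124).
    """
    if k_oo_20 == 20:
        return 20 * LAM_RC / MU, 20 * LAM_RC
    if k_oo_20 == 19:
        return 190 * (LAM_RC / MU) ** 2, 190 * LAM_RC ** 2 / MU
    raise ValueError("only 20-oo-20 and 19-oo-20 are modelled")


def objective_indices(k_oo_20, t_i=None):
    """One column of Table 5.1: upper bounds of Eq. 5.125-5.130."""
    pr_sw, fr_sw = sw_system(mu_star(t_i))
    pr_rc, fr_rc = controllers(k_oo_20)
    pr_ds = pr_sw + pr_rc          # Eq. 5.125 / 5.128
    fr_ds = fr_sw + fr_rc          # Eq. 5.126 / 5.129
    return {"Pr_MC_Sw": pr_sw, "Fr_MC_Sw": fr_sw, "Pr_DS": pr_ds,
            "Fr_DS": fr_ds, "MTTSF": 1 / fr_ds}    # Eq. 5.127 / 5.130


def table_5_1():
    """All six columns, keyed by (k-oo-20, detection case)."""
    rows = {}
    for k in (20, 19):
        for label, t_i in (("8h", None), ("2 months", 1440), ("2 years", 17520)):
            rows[(k, label)] = objective_indices(k, t_i)
    return rows


if __name__ == "__main__":
    for key, col in table_5_1().items():
        print(key, {k: f"{v:.4e}" for k, v in col.items()})
```

Reading the two 19-oo-20 columns side by side makes Conclusion 4 visible in numbers: the controller contribution stays at $4.864 \cdot 10^{-8}$ while $\Pr(MC_{Sw})$ grows by three orders of magnitude from automatic detection to a two-year inspection interval.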



Conclusion

The results of the calculation are documented in Table 5.1 and highlight the following
points.
1. For the system states 1, system dependability is determined significantly by
the controller dependability (20-oo-20 controllers).
2. The SwSystem (six redundant switches) with automatic (continuous) failure
detection is highly dependable and has no significant influence on system
states 1.
3. If the switches have only time interval failure detection instead of automatic
(continuous) failure detection, then the dependability of the SwSystem
decreases rapidly, but nevertheless, the effect on system states 1 is minor.
4. For system states 2, the dependability of the controllers (19-oo-20 controllers)
falls into the background compared to the SwSystem. In this case, the SwSys-
tem mainly determines system dependability, especially for long inspection
times t I . If the analysis of system states 2 is required, fully redundant struc-
tures with automatic failure detection should be mandatory.
5. In case of system states 1 and 2, high system dependability can only be
achieved with a redundant switching network, preferably with automatic fail-
ure detection.

5.10 Application example 2: Mechatronic system

Mechatronic systems integrate multitechnological areas with complex interactions between the different items of mechanics, electronics, actuators, sensors, computers, and human-machine interfaces, controlled by computers as well as humans. In this chapter, the dependability of the system “arm motion mechanism and control“ of a large scale heavy load manipulator (human controlled robot for heavy loads) for operation in complex and possibly dangerous environments is analyzed. The basis for the advanced R&D study is the manipulator in Fig. 5.16 as an example of a complex mechatronic system, which goes beyond existing technological solutions [Kochs et al. 1997, McLaughlin et al. 1997]. The R&D study, promoted by the German Research Foundation DFG as Collaborative Research Centre 291 [DFG 2001], was the first study in this area, and the dependability analysis the first research project of it.

In this chapter, the further developed example demonstrates the advantage of the
powerful modeling and calculation techniques, e.g. the pMp and MMC approach,
including s-dependencies.

STEP 1 (Fig. 2.2). System requirement analysis

The system “arm motion mechanism and control“ of the manipulator is shown in Fig. 5.16 with its components. The system consists of five flexible links. Each link comprises mechanics (hydraulics, joints, flexible cantilevers), electronics, sensors, information, and communication subsystems, including computers (e.g. for supervisory and interactive control).

The five links of the manipulator represent a kinematic redundant system with various degrees of freedom for link motions. The trajectory of the links depends on the task, the position of the manipulator, the environment (e.g. obstacles), and on the safety areas. Thus, the mechatronic system comprises various inherent and variable parameters of fault-tolerant operation (regarding dependability), which have to be analyzed. Consequently, the idea is to plan the trajectory under aspects of dependability. This can be performed off-line (in the planning phase for different scenarios before starting the application) or during the operation. Especially, for risky applications or for operations in dangerous work areas, it can be necessary to plan the motion with high dependability (safety and/or reliability), e.g. to have the chance to retract the link system in case of a failure or to finish the scheduled operation.
Chapter 5 242

[Fig. 5.16: schematic of the manipulator. System “arm motion mechanism and control” with Link 1 to Link 5 and the end effector EE; the dashed line delineates the system. Each link i (arm segment) consists of joint i, hydraulic actuator (cylinder) i, cantilever i, attachment i, and joint i+1. Components of each link: AS2, Z2, UM2, AR2, KOM2, D, K, P, W, O8, TR, G; central items ZH, ZR, SV. Technological areas: mechanics; sensors, EE; electric, communication, computer (ECC).]

AR    link computer
AS    hydraulic actuator control item
D     position sensor
EE    end effector
G     joint
K     force/load sensor
KOM   local area network
O     optoelectronic sensors
P     pressure sensor
SV    central electric power supply system
TR    mechanical structure (cantilever)
UM    attachment
W     angle measurement sensor
Z     hydraulic actuator (cylinder)
ZH    central hydraulic system
ZR    central computer system

Fig. 5.16. Research prototype of a manipulator as an example of a complex mechatronic system, example of [DFG 2001].

STEP 2. Objective system states

This study concentrates on developing models with the goal to evaluate the dependability of the system “arm motion mechanism and control” (Fig. 5.16).

System states
U_S  system up state (operating state): The end effector (e.g. gripper or working cage) shall be moved (or be ready to be moved) from a starting point to a scheduled endpoint by a 4-oo-5 link subsystem.
D_S  system down state (non-operating state): $D_S = \overline{U_S}$.

STEP 3. Preconditions and assumptions

The following preconditions and assumptions are to be considered.

1. Multi-state stochastic process, e.g. up state, down state, rupture state of the cantilever possibly due to mechanical wear-out, ready state for operating after repair. Preventive maintenance (IEC192-06-05) is considered as an external activity, which is not regarded here; nevertheless, it can be assessed according to Chapter 4.5.6. Influencing factors from outside the system boundary are not considered.
2. Errors during the operation time are continuously detected. Failed components are not restored during the operation time (in the operating state).
3. Possibility to postpone system shut down in case of errors in the mechanics.
4. Failed mechanics and failed electronics are restored in the down state (MC) according to the strategy first-failure-first-repair. Restarting operation in the system down state takes place only if all failed components are repaired and are in the ready state for operating. Spare parts are always in stock (no delay).
5. Restart or start-up failures of repaired components.
6. Shut down of intact components or subsystems, e.g. to establish a protection area in order to repair or maintain failed components.
7. Common cause failures (CCF) in the electronics.
8. Human errors such as “erroneous shut down of an intact component of a link due to a failure of a component in another link” caused by stress situations, e.g. wrong decision-making.

These preconditions and assumptions cause interactions between component states, which are s-dependent. They are considered in the following models.

STEP 4. Components and system(s)

The (technological) components of each link are given in Fig. 5.16. The (technological) system is delineated by the dashed line.

STEP 5. Input data

The assumed input data are listed in Table 5.2. The data are based on experience
or estimations.

Indices                                                                          Numerical values
λ_M       failure rate of the mechanics M of each link                            1 · 10^-5 h^-1
λ_TR      break-through rate of each cantilever                                   1 · 10^-10 h^-1
λ_E       failure rate of the electronics E of each link                          1 · 10^-6 h^-1
μ_M       repair rate (including replacement) of M of each link                   5 · 10^-2 h^-1
μ_E       repair rate (including replacement) of E of each link                   2 · 10^-1 h^-1
μ_TR      repair rate (including replacement) of the cantilever                   1 · 10^-2 h^-1
p_M       probability of postponed shut down of M                                 0 ≤ p_M ≤ 1
ρ         start-up rate of MM, ME, and EE                                         2 h^-1
Θ_M       postponed shut down rate of M, concerns the p_M portion                 typical value 1 · 10^-2 h^-1 < Θ_M < 2 h^-1
α_M, α_E  probability of human errors of M and E                                  1 · 10^-2
δ_M, δ_E  probability of restart or start-up failures after repair of M and E     1 · 10^-2
c_E       probability of CCF of E of each link                                    1 · 10^-2

Table 5.2. Component indices with numerical values (estimated, gained from experience, or from databooks, e.g. [NPRD 1995, NPRD 2016]).

STEP 6. Component modeling

Figure 5.17 shows the basic models of the mechatronic components. In order to match the preconditions and assumptions (STEP 3), three separate models are developed. The operating states of the three models are represented by $U_i$ (assuming $\Pr(U_i) \approx 1$, according to the segmentation technique described in Chapter 4.5.7). Remark: The maintenance model is added only for completion of the model scenario; it is not further regarded in this example.

The dashed arrows offer the possibility to take into account interactions between the component states (s-dependencies) in the appropriate MMC models. Therefore, the MMC models are very flexible in the consideration of the preconditions and assumptions. The advantage of the separated, decoupled models is that they are small and easy to apply and to manipulate. This advantage leads to the inaccuracies $U_i', U_i'', U_i''' \approx U_i$, which are negligible compared to the possibility to easily take the preconditions and assumptions into consideration. A problem is that the estimated input indices (transition rates, e.g. failure, restoration or repair rates) are uncertain, especially for components with new technologies.

SV, ZH, and ZR are not considered in the dependability analysis.



[Fig. 5.17: three decoupled Markov models per component i, with the separated up states U_i', U_i'', U_i''' := U_i. Rupture model for TR: states U_i''' (up), W_i (rupture), R_i (ready); transition rates λ_TR, μ_TR, (1 – δ)ρ. Maintenance model for E, M: states U_i', PM_i, R_i; transition rates ω, ν, (1 – δ)ρ and δρ (start-up failure). Failure model for E, M: states U_i'', F_i, R_i; transition rates λ (failure), α λ_x (human error released by neighboring component x), μ (repair), (1 – δ)ρ (restart) and δρ (start-up failure). Dashed arrows: interactions with neighboring components. Technological areas: mechanics M; sensors, EE; ECC.]

D              down state
ECC            electric, communication, and computers
E              electronics (sensors + ECC)
EE             end effector
F              failure state
M              mechanics
PM             preventive maintenance state
R              ready state for operating
TR             cantilever (physical part)
U              up state (operating state)
U', U'', U'''  separated (fragmented) up states
W              rupture state of the cantilever, e.g. due to wear-out (external influences like mechanical overload are not considered)
α              probability of human error
δ              probability of restart or start-up failure
λ              failure rate
μ              repair rate (including replacement), first-failure-first-repair
ρ              start-up rate
ν              maintenance rate
ω              scheduled maintenance shut down rate
λ_x            releasing transition rate from neighboring component x

Fig. 5.17. Markov models of the mechatronic components.

STEP 7, 8. System modeling and calculation

I. Steady state

Figure 5.18 outlines the DBD of the 5-link system with its subsystems consisting of the electronics E and the mechanics M [DFG 2001]. Due to the degrees of freedom of the kinematic redundancy, countless link motions are possible to perform an operation; they are all represented by a workspace, taking into account several variables, e.g. the work position of the manipulator, the obstacles of the environment, and the disposition of safety areas for human presence or working. Whereas some of the link motions have to be carried out with high dependability, others need only lower dependability. In order to match the definition of $U_S$, the resulting workspace and the work position will be determined in a trajectory calculation (prior to the operation or on-line during the operation), which is not the objective of this analysis. In general, kinematic redundancies can be understood as a complex type of an r-oo-n structure. It can be static or dynamic (e.g. time-dependent), that means it can vary during the operation (r(t)-oo-n). The time dependency of r(t) is not considered in this study. As an example, the system operating state defined in STEP 2 (static 4-oo-5 links) is analyzed.

The DBD in Fig. 5.18 outlines that the components of the different technological areas (mechanics, sensors, electric, communication, and computer) are meshed. Thus, it is not possible to model the components of the different areas separately and thereafter combine them as Fig. 5.24 shows. The dependability indices Pr, Fr, Ti, λ, and μ of the components $E_i$ and $M_i$ of Fig. 5.18 are calculated (due to the microscopic view, Fig. 1.1) with the approaches of series and parallel structures, which is not done in this book. Table 5.2 shows the values for $\lambda_E$, $\lambda_M$, $\mu_E$, and $\mu_M$ as well as for the other indices.

Using the DBD of Fig. 5.18, the MC are determined.

$MC_i = W_{TR_i}, \quad \forall i = 1\ldots5$   (5.131)

These MC of 1st order represent the mechanical rupture of the cantilever. The 4-oo-5 system in Fig. 5.18 comprises the following MC of 2nd order.

$MC_{6\ldots15} = D_{M_i} \wedge D_{M_j}, \quad \forall i, j = 1\ldots5,\; i < j$ (Fig. 5.19)   (5.132)

$MC_{16\ldots35} = D_{M_i} \wedge D_{E_j}, \quad \forall i, j = 1\ldots5,\; i \neq j$ (Fig. 5.20)   (5.133)

$MC_{36\ldots45} = D_{E_i} \wedge D_{E_j}, \quad \forall i, j = 1\ldots5,\; i < j$ (Fig. 5.21)   (5.134)

[Fig. 5.18: DBD of the system “arm motion mechanism and control” (U_S): the cantilevers of the links TR1 ... TR5 (4-oo-5) in series with the five links, each link i = 1 ... 5 represented by its electronics E_i and mechanics M_i (4-oo-5 links). Sub-DBD of E_i (U_E): sensors O1 ... O8 (4-oo-8), W, P, D, K, EE and the computers for vibration control KOM1, AR1, AR2, KOM2. Sub-DBD of M_i (U_M): actuators and mechanical items AS1, Z1, UM1, AS2, Z2, UM2 and joint G. Marked examples of minimal cuts: D_{M_3} ∧ D_{E_2} (Eq. 5.133, Fig. 5.20) and D_{E_4} ∧ D_{E_5} (Eq. 5.134, Fig. 5.21). Each block represents the up state U of the denoted component. Technological areas: mechanics M; sensors, EE and electric, communication, computer (ECC), which together form E.]

Fig. 5.18. DBD of the 5-link system and its subsystems in the up state mode (notations of the components are given in Fig. 5.16-17).

Remark: As a comparative example, a non-redundant 5-link system (5-oo-5 system, series structure) would consist of

$MC_{6\ldots10} = D_{M_i}$   (5.135)

$MC_{11\ldots15} = D_{E_i}$   (5.136)

This series system is not further treated here. The system down state $D_S$ and the system up state $U_S$ are

$D_S = \bigvee_{\forall i} MC_i \quad \text{and} \quad U_S = \overline{D_S}, \quad i = 1\ldots45$   (5.137, 5.138)

The Markov space $\Omega_S = U_S \vee D_S$ can be developed by using the conjunction of

$\Omega_i = (U_i \vee W_{TR,i} \vee R_{TR,i} \vee F_{M,i} \vee R_{M,i} \vee F_{E,i} \vee R_{E,i}), \quad \forall i = 1\ldots5$

(the components are TR, E, M of the five links, Fig. 5.17, preventive maintenance excluded). Thus, the Markov space of the system theoretically consists of $7^5 = 16{,}807$ system Markov states (assuming s-independent components, see also Chapter 3.7.1.1). If preventive maintenance or s-dependencies have to be considered (Fig. 5.19-21), the complexity of the system model increases as well as the number of Markov states. No method is known to model the complete Markov space of this size and complexity with all its transitions.

The following three tasks have to be considered in the modeling process: (1) identification of those Markov states which have considerable influence on the defined system states, (2) modeling of s-dependencies caused by the preconditions and assumptions, and (3) determination of their impact on the system dependability. Thus, the overall goal is to find out which component states interact mutually and significantly influence system dependability. As described in the chapters before, s-dependency inside MC can have a strong impact on MC, whereas s-dependency between logical OR connected MC has an insignificant impact. Thus, the focus is on modeling s-dependencies inside MC.

General remarks on the development of the MMC models, Fig. 5.19-21

The aim is to model the MC as MMC with respect to $D_S$ and to calculate the probabilities $\Pr(MC)$, $\Pr(D_S)$ and frequencies $Fr(MC)$, $Fr(D_S)$ as well as MSUT (mean system up time, Definition 1.7). The MMC models in Fig. 5.19-21 take into account the assumptions and preconditions of STEP 3, which cause interactions between the component states. Preconditions 1-8 of STEP 3 are modeled by appropriate Markov states and transitions. The preconditions are numbered in the MMC models. It is assumed that the five links are of similar type. The MMC models fulfill Definition 4.6 (strongly connected Markov processes).

MMC model of $D_M \wedge D_M$

[Fig. 5.19: MMC model of MC_{6…15} = D_{M_i} ∧ D_{M_j} with the Markov states
Z1MM   U_{M_i} ∧ U_{M_j}                       (both mechanics up)
Z2MM   F_{M_i} ∧ U_{M_j},  Z3MM  U_{M_i} ∧ F_{M_j}    (one failed, operation continued)
Z4MM   F_{M_i} ∧ U'_{M_j}, Z5MM  U'_{M_i} ∧ F_{M_j}   (postponed shut down)
Z6MM, Z7MM   F_M ∧ F_M (rep)                   (both failed, repair in progress)
Z8MM   R_{M_i} ∧ F_{M_j},  Z9MM  F_{M_i} ∧ R_{M_j}    (one repaired and ready)
Z10MM  R_{M_i} ∧ R_{M_j}                       (both ready for restart)
Transition labels: (1 – α_M)λ_M, α_M λ_M (8), p_M λ_M (3), (1 – p_M)λ_M, Θ_M (6, 4), μ_M (4), δ_M · ρ (5), (1 – 2δ_M)ρ.]

ZiMM        Markov state i, composed of two M blocks (Fig. 5.18)
F, R, U     component states (Fig. 5.17, failure model)
D           down state
(2, 3, ...) preconditions of STEP 3
dashed      probable transitions/paths

Fig. 5.19. MMC model of $MC_{6\ldots15} = D_{M_i} \wedge D_{M_j}$, Eq. 5.132.

Precondition 2 (“Failed components are not restored during the operating time (in the operating state)”) is considered by omitting the return transitions $Z_{2MM} \to Z_{1MM}$ and $Z_{3MM} \to Z_{1MM}$ (the same applies to the following figures).

Postponed shut down (Precondition 3, $p_M$, $\Theta_M$) is considered with the transitions $Z_{2MM} \to Z_{4MM} \to Z_{6MM}$ and $Z_{3MM} \to Z_{5MM} \to Z_{7MM}$. Nevertheless, the transitions $Z_{2MM} \to Z_{6MM}$ and $Z_{3MM} \to Z_{7MM}$ are caused by failures that cannot be deferred (portion $1 - p_M$). Postponed shut down may be important in case of dangerous (fail-safe oriented) operations in order to retract the link system to a defined safe position (Precondition 6).

Precondition 4 considers the restoration strategy “first-failure-first-repair”. Repairs are carried out only in the down state (MC) of the manipulator and are finished in $Z_{10MM}$. If the two components M are repaired, ready for operation, and restarted, the manipulator passes to $Z_{1MM}$.

Restart or start-up failures of M (Precondition 5, $\delta_M$) can occur during restart, which cause the transitions $Z_{10MM} \to Z_{8MM}$ and $Z_{10MM} \to Z_{9MM}$.

The human error “erroneous shut down of the mechanics of a link due to a failure of the mechanics in another link” (Precondition 8, $\alpha_M$) is modeled by the transitions $Z_{1MM} \to Z_{8MM}$ and $Z_{1MM} \to Z_{9MM}$. Typical numerical values are between 0.01 and 0.001. In this application, human errors are modeled by appropriate state transitions. Human errors are described in the literature, e.g. in “Technique for Human Error Rate Prediction - THERP” [Swain 1983]. As an example, [Bubb 1992] published the probability $\alpha = 3 \cdot 10^{-3}$ for the human failure “mistake of a switch in case of normal stress conditions”.

The MC is composed of the Markov states $Z_{6MM}$ to $Z_{10MM}$. The MMC approach with embedded pMp makes a very simple approximate calculation possible. The probability Pr and the mean frequency Fr of $D_M \wedge D_M$ are calculated in Appendix 5.11.2.

$\Pr(MC_{6\ldots15}) = \Pr(D_M \wedge D_M) = \sum_{i=6}^{10} P(Z_{iMM}) \approx \frac{2}{3}\left(\frac{\lambda_M}{\mu_M} + (1+\alpha_M)\frac{\lambda_M}{\mu_M} + (1+\alpha_M)\frac{\lambda_M}{\rho}\right)$   (5.139)

$Fr(MC_{6\ldots15}) = Fr(D_M \wedge D_M) = Fr(Z_{10MM} \to Z_{1MM}) \approx \Pr(Z_{10MM})\,\rho \approx \frac{2}{3}(1+\alpha_M)\lambda_M$   (5.140)

Result
MM1. The values represent steady state values (long-term system dependability), which are necessary for availability studies.
MM2. The redundant structure (4-oo-5) of the arm segment does not increase the long-term system dependability. The cause for it is justified in Precondition 2 of STEP 3. This is also the reason why postponed shut down ($p_M$, $\Theta_M$) has no effect on the steady state results. However, the advantage of the redundant structure may become important in case of transient state behavior, see Appendix 5.11.5-7. Then, a failure in the mechanics can be postponed until the end of the actual operating mission (with probability $p_M$), which increases transient system dependability.
MM3. Human errors ($\alpha_M$) do not significantly affect the long-term system dependability. In contrast to this, human errors do significantly affect transient system dependability, see Appendix 5.11.5.
MM4. Restart or start-up failures ($\delta_M$) have only a small influence, hence they are neglected, see Eq. 5.168-170.

The next step regards the impact of s-dependency between the mechanic components inside $MC_6 = D_{M_1} \wedge D_{M_2}$ as an example, using the sDI expression, Definition 5.3. The component indices are taken from Table 5.2. With Eq. 5.9-14 follows

$\Pr(MC_{6\,dep}) \gtrsim \Pr\big((D_{M_1} \wedge D_{M_2})^{*}_{dep}\big) \approx \frac{2}{3}\left(\frac{2\lambda_M}{\mu_M} + \frac{\lambda_M}{\rho}\right)$   (5.141)

$\Pr(MC_{6\,ind}) = \Pr\big((D_{M_1} \wedge D_{M_2})_{ind}\big) \approx \frac{\lambda_M^2}{\mu_M^2}$   (5.142)

$sDI(MC_{6\,dep}) \gtrsim sDI(4 \cdot 10^{-8};\; 2.70 \cdot 10^{-4})$ (strong impact)   (5.143)

The components inside $MC_6$ are strongly s-dependent. The terms $\lambda_M / \mu_M$ of Eq. 5.139 determine the s-dependency impact inside $MC_6$ as well as inside the other $MC_{7\ldots15}$. The sDI factor is greater than 6,750.

MMC model of $D_M \wedge D_E$

[Fig. 5.20: MMC model of MC_{16…35} = D_{M_i} ∧ D_{E_j} with the Markov states
Z1ME   U_M ∧ U_E                      (mechanics and electronics up)
Z2ME   F_M ∧ U_E,  Z3ME  U_M ∧ F_E    (one failed, operation continued)
Z4ME   U'_M ∧ F_E                     (postponed shut down of M)
Z5ME, Z6ME   F_M ∧ F_E (rep)          (both failed, repair in progress)
Z7ME   R_M ∧ F_E,  Z8ME  F_M ∧ R_E    (one repaired and ready)
Z9ME   R_M ∧ R_E                      (both ready for restart)
Transition labels: (1 – α_E)λ_M, (1 – α_M)λ_E, α_M λ_E (8), α_E λ_M (8), λ_E, p_M λ_M (3), (1 – p_M)λ_M, Θ_M (6, 4), μ_M (4), μ_E (4), δ_M · ρ (5), δ_E · ρ (5), (1 – δ_M – δ_E)ρ.]

Fig. 5.20. MMC model of $MC_{16\ldots35} = D_{M_i} \wedge D_{E_j}$, Eq. 5.133.

The probability Pr and the frequency Fr of $D_M \wedge D_E$ are calculated in Appendix 5.11.3.

$\Pr(MC_{16\ldots35}) = \Pr(D_M \wedge D_E) = \sum_{i=5}^{9} P(Z_{iME}) \approx \dfrac{1}{1 + \frac{\lambda_M}{\lambda_E} + \frac{\lambda_E}{\lambda_M}} \left(\frac{\lambda_M}{\mu_M} + \frac{\lambda_E}{\mu_E} + \frac{\lambda_M}{\mu_E} + \frac{\alpha_M \lambda_E}{\mu_E} + \frac{\lambda_E}{\mu_M} + \frac{\alpha_E \lambda_M}{\mu_M} + \frac{\lambda_M}{\rho} + \frac{\alpha_M \lambda_E}{\rho} + \frac{\lambda_E}{\rho} + \frac{\alpha_E \lambda_M}{\rho}\right)$   (5.144)

$Fr(MC_{16\ldots35}) = Fr(D_M \wedge D_E) = Fr(Z_{9ME} \to Z_{1ME}) \approx \Pr(Z_{9ME})\,\rho \approx \dfrac{1}{1 + \frac{\lambda_M}{\lambda_E} + \frac{\lambda_E}{\lambda_M}} \left((1+\alpha_E)\lambda_M + (1+\alpha_M)\lambda_E\right)$   (5.145)

Result
ME1. ≡ MM1
ME2. ≡ MM2
ME3. Human errors ($\alpha_M$, $\alpha_E$) do not significantly affect the long-term system dependability. In contrast to this, human errors do significantly affect transient system dependability, see Appendix 5.11.6.
ME4. Restart or start-up failures ($\delta_M$, $\delta_E$) have only a small influence and are neglected, similarly as in MM4.

Similarly to Eq. 5.141-143, s-dependency between the components inside $MC_{16} = D_{M_1} \wedge D_{E_2}$ is regarded as an example. The component indices are taken from Table 5.2.

$\Pr(MC_{16\,dep}) \gtrsim \Pr\big((D_{M_1} \wedge D_{E_2})^{*}_{dep}\big) \approx \dfrac{1}{1 + \frac{\lambda_M}{\lambda_E} + \frac{\lambda_E}{\lambda_M}} \left(\frac{\lambda_M}{\mu_M} + \frac{\lambda_M}{\mu_E} + \frac{\lambda_E}{\mu_E} + \frac{\lambda_E}{\mu_M} + \frac{\lambda_M}{\rho} + \frac{\lambda_E}{\rho}\right)$   (5.146)

$\Pr(MC_{16\,ind}) = \Pr\big((D_{M_1} \wedge D_{E_2})_{ind}\big) \approx \frac{\lambda_M}{\mu_M}\,\frac{\lambda_E}{\mu_E}$   (5.147)

$sDI(MC_{16\,dep}) \gtrsim sDI(10^{-9};\; 2.53 \cdot 10^{-5})$ (strong impact)   (5.148)

$MC_{16\ldots35} = D_{M_i} \wedge D_{E_j}$ represent typical mechatronic minimal cuts. The analysis shows how closely the mechanics and the electronics are interwoven. The six terms of Eq. 5.146 mainly cause the s-dependency with considerable impact on system dependability. The sDI factor is greater than 25,270.

MMC model of $D_E \wedge D_E$

[Fig. 5.21: MMC model of MC_{36…45} = D_{E_i} ∧ D_{E_j} with the Markov states
Z1EE   U_{E_i} ∧ U_{E_j}                     (both electronics up)
Z2EE   F_{E_i} ∧ U_{E_j},  Z3EE  U_{E_i} ∧ F_{E_j}   (one failed, operation continued)
Z4EE, Z5EE   F_E ∧ F_E (rep)                 (both failed, repair in progress)
Z6EE   R_{E_i} ∧ F_{E_j},  Z7EE  F_{E_i} ∧ R_{E_j}   (one repaired and ready)
Z8EE   R_{E_i} ∧ R_{E_j}                     (both ready for restart)
Transition labels: (1 – α_E – c_E)λ_E, c_E λ_E (7), α_E · λ_E (8), λ_E, μ_E (4), δ_E · ρ (5), (1 – 2δ_E)ρ.]

Fig. 5.21. MMC model of $MC_{36\ldots45} = D_{E_i} \wedge D_{E_j}$, Eq. 5.134.

Additional to the previous models, Precondition 7 (CCF in the electronics) is modeled by the transitions $Z_{1EE} \to Z_{4EE}$ and $Z_{1EE} \to Z_{5EE}$. The human error “erroneous shut down of an intact component of a link due to a failure of a component in another link” (Precondition 8) is modeled by the transitions $Z_{1EE} \to Z_{6EE}$ and $Z_{1EE} \to Z_{7EE}$. The probability Pr and the frequency Fr of $D_E \wedge D_E$ are calculated in Appendix 5.11.4.

$\Pr(MC_{36\ldots45}) = \Pr(D_E \wedge D_E) = \sum_{i=4}^{8} P(Z_{iEE}) \approx \frac{2}{3}\left((1+c_E)\frac{\lambda_E}{\mu_E} + (1+c_E+\alpha_E)\frac{\lambda_E}{\mu_E} + (1+c_E+\alpha_E)\frac{\lambda_E}{\rho}\right)$   (5.149)

$Fr(MC_{36\ldots45}) = Fr(D_E \wedge D_E) = Fr(Z_{8EE} \to Z_{1EE}) \approx \Pr(Z_{8EE})\,\rho \approx \frac{2}{3}(1+c_E+\alpha_E)\lambda_E$   (5.150)

Result
EE1. ≡ MM1
EE2. ≡ MM2 (without mechanics)
EE3. Human errors ( α E ), common cause failures ( c E ), and restart or start-up
failures ( δ E ) do not significantly affect the long term system dependability.
In contrast to this, human errors and common cause failures do significant-
ly affect transient system dependability, see Appendix 5.11.7.
EE4. Restart or start-up failures ( δ E ) can be neglected, similarly as in MM4.

S-dependency of the electronic components inside $MC_{36} = D_{E_1} \wedge D_{E_2}$ is regarded as an example. The component indices are taken from Table 5.2.

$\Pr(MC_{36\,dep}) \gtrsim \Pr\big((D_{E_1} \wedge D_{E_2})^{*}_{dep}\big) \approx \frac{2}{3}\left(\frac{2\lambda_E}{\mu_E} + \frac{\lambda_E}{\rho}\right)$   (5.151)

$\Pr(MC_{36\,ind}) = \Pr\big((D_{E_1} \wedge D_{E_2})_{ind}\big) \approx \frac{\lambda_E^2}{\mu_E^2}$   (5.152)

$sDI(MC_{36\,dep}) \gtrsim sDI(2.5 \cdot 10^{-11};\; 7.0 \cdot 10^{-6})$ (strong impact)   (5.153)

The terms $\lambda_E / \mu_E$ of Eq. 5.149 determine the s-dependency inside $MC_{36}$ to a large extent. The sDI factor is greater than 280,000. In this example, the failure rate of the electronics is 10 times smaller than the failure rate of the mechanics. The smaller the failure rate, the greater is its s-dependency impact sDI.

Summary of the sDI results

1. $D_M \wedge D_M$: sDI factor $\gtrsim 6{,}750$   (5.154)
2. $D_M \wedge D_E$: sDI factor $\gtrsim 25{,}270$   (5.155)
3. $D_E \wedge D_E$: sDI factor $\gtrsim 280{,}000$   (5.156)

The s-dependencies within the electronics have the greatest impact on system dependability.

The objective indices probability Pr and frequency Fr of the system states are calculated with Eq. 3.87-88.

$\Pr(D_S) \approx \sum_{i=1}^{45} \Pr(MC_i)$   (5.157)

$Fr(D_S) \approx \sum_{i=1}^{45} Fr(MC_i)$   (5.158)

The results of the system calculation are listed in Table 5.3 and Table 5.4, using the component indices and the numerical values given in Table 5.2.

Conclusion I (steady state)

The predominant impact factor on the steady state probability and frequency is Precondition 2 (STEP 3) (“Failed components are not restored during the operating time (in the operating state)”); thus, no transitions $Z_{2\ldots} \to Z_{1\ldots}$ and $Z_{3\ldots} \to Z_{1\ldots}$ are considered. All other preconditions, such as common cause failures ($c_E$) and human errors ($\alpha_M$, $\alpha_E$), have no significant impact on the steady state dependability. In contrast to this scenario, see the results in Table 5.5-6 as well as the following calculation of the transient system dependability.
System down state        α_M = α_E = c_E = δ_M = δ_E =                    Comment
                         0              0.01           0.1
5 · Pr(D_TR)             5.00 · 10^-8   5.00 · 10^-8   5.00 · 10^-8    Fig. 5.18: 5 DB of TR in series
10 · Pr(D_M ∧ D_M)       2.70 · 10^-3   2.71 · 10^-3   2.84 · 10^-3    Fig. 5.19, Eq. 5.139
20 · Pr(D_M ∧ D_E)       5.05 · 10^-4   5.09 · 10^-4   5.40 · 10^-4    Fig. 5.20, Eq. 5.144
10 · Pr(D_E ∧ D_E)       7.00 · 10^-5   7.11 · 10^-5   8.07 · 10^-5    Fig. 5.21, Eq. 5.149
Pr(D_S) = Σ              3.28 · 10^-3   3.29 · 10^-3   3.46 · 10^-3    Eq. 5.157

p_M has no effect on the steady state; all preconditions are considered.

Table 5.3. Probability of the system down state (Definition 1.12).

System down state        α_M = α_E = c_E = δ_M = δ_E =                                         Comment
                         0                   0.01                0.1
5 · Fr(D_TR)             5.00 · 10^-10 h^-1  5.00 · 10^-10 h^-1  5.00 · 10^-10 h^-1  Fig. 5.18: 5 DB of TR in series
10 · Fr(D_M ∧ D_M)       6.67 · 10^-5 h^-1   6.73 · 10^-5 h^-1   7.33 · 10^-5 h^-1   Fig. 5.19, Eq. 5.140
20 · Fr(D_M ∧ D_E)       1.98 · 10^-5 h^-1   2.00 · 10^-5 h^-1   2.18 · 10^-5 h^-1   Fig. 5.20, Eq. 5.145
10 · Fr(D_E ∧ D_E)       6.67 · 10^-6 h^-1   6.80 · 10^-6 h^-1   8.00 · 10^-6 h^-1   Fig. 5.21, Eq. 5.150
Fr(D_S) = Σ              9.32 · 10^-5 h^-1   9.42 · 10^-5 h^-1   1.03 · 10^-4 h^-1   Eq. 5.158
MSUT (MTTSF)             10,735 h            10,621 h            9,696 h             Eq. 1.3, 1.8-10

p_M has no effect on the steady state; all preconditions are considered.

Table 5.4. Frequency of the system down state (Definition 1.12) and MSUT (mean system up time, Definition 1.7).
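As an added worked example (not part of the book), the following Python script evaluates the closed-form approximations Eq. 5.139-5.158 with the Table 5.2 estimates and the minimal-cut counts of Eq. 5.131-5.134, and compares the result with the columns of Table 5.3 and Table 5.4; it also computes the sDI factors of Eq. 5.143, 5.148, and 5.153. The class and function names (Indices, pr_mm, system_down_state, sdi_factors, ...) are this example's own. MSUT is taken here as 1/Fr(D_S), i.e. Pr(U_S) ≈ 1 is assumed; this reproduces the MSUT row of Table 5.4 within 1 %.

```python
"""Steady-state indices of the 4-oo-5 manipulator, Eq. 5.139-5.158.

Added example, not taken from the book. The parameter values are the
Table 5.2 estimates; the minimal-cut multiplicities follow Eq. 5.131-5.134.
MSUT is approximated as 1/Fr(D_S), i.e. Pr(U_S) ~ 1 is assumed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Indices:
    """Component indices of Table 5.2 (rates in 1/h); field names are this example's own."""
    lam_tr: float = 1e-10   # lambda_TR: break-through rate of a cantilever
    mu_tr: float = 1e-2     # mu_TR: repair rate of a cantilever
    lam_m: float = 1e-5     # lambda_M: failure rate of the mechanics M of a link
    mu_m: float = 5e-2      # mu_M: repair rate of M
    lam_e: float = 1e-6     # lambda_E: failure rate of the electronics E of a link
    mu_e: float = 2e-1      # mu_E: repair rate of E
    rho: float = 2.0        # start-up rate
    alpha_m: float = 0.0    # human error probability concerning M
    alpha_e: float = 0.0    # human error probability concerning E
    c_e: float = 0.0        # CCF probability of E

# numbers of minimal cuts of each kind in the 4-oo-5 system, Eq. 5.131-5.134
N_TR, N_MM, N_ME, N_EE = 5, 10, 20, 10

def pr_tr(p):
    """Pr of a 1st-order cantilever cut MC_1..5: lambda_TR / mu_TR."""
    return p.lam_tr / p.mu_tr

def fr_tr(p):
    """Fr of a cantilever cut: its failure rate lambda_TR (Pr(U) ~ 1)."""
    return p.lam_tr

def pr_mm(p):
    """Eq. 5.139: Pr(D_M ^ D_M)."""
    r = p.lam_m / p.mu_m
    return 2 / 3 * (r + (1 + p.alpha_m) * r + (1 + p.alpha_m) * p.lam_m / p.rho)

def fr_mm(p):
    """Eq. 5.140: Fr(D_M ^ D_M)."""
    return 2 / 3 * (1 + p.alpha_m) * p.lam_m

def _me_weight(p):
    """Prefactor 1 / (1 + lambda_M/lambda_E + lambda_E/lambda_M) of Eq. 5.144-5.146."""
    return 1 / (1 + p.lam_m / p.lam_e + p.lam_e / p.lam_m)

def pr_me(p):
    """Eq. 5.144: Pr(D_M ^ D_E), the ten terms of the bracket."""
    s = (p.lam_m / p.mu_m + p.lam_e / p.mu_e
         + p.lam_m / p.mu_e + p.alpha_m * p.lam_e / p.mu_e
         + p.lam_e / p.mu_m + p.alpha_e * p.lam_m / p.mu_m
         + p.lam_m / p.rho + p.alpha_m * p.lam_e / p.rho
         + p.lam_e / p.rho + p.alpha_e * p.lam_m / p.rho)
    return _me_weight(p) * s

def fr_me(p):
    """Eq. 5.145: Fr(D_M ^ D_E)."""
    return _me_weight(p) * ((1 + p.alpha_e) * p.lam_m + (1 + p.alpha_m) * p.lam_e)

def pr_ee(p):
    """Eq. 5.149: Pr(D_E ^ D_E)."""
    r = p.lam_e / p.mu_e
    return 2 / 3 * ((1 + p.c_e) * r + (1 + p.c_e + p.alpha_e) * r
                    + (1 + p.c_e + p.alpha_e) * p.lam_e / p.rho)

def fr_ee(p):
    """Eq. 5.150: Fr(D_E ^ D_E)."""
    return 2 / 3 * (1 + p.c_e + p.alpha_e) * p.lam_e

def system_down_state(p):
    """Eq. 5.157-5.158 summed over the 45 MC; returns (Pr(D_S), Fr(D_S), MSUT in h).

    MSUT ~ 1/Fr(D_S) is an assumption of this example (Pr(U_S) ~ 1)."""
    pr = N_TR * pr_tr(p) + N_MM * pr_mm(p) + N_ME * pr_me(p) + N_EE * pr_ee(p)
    fr = N_TR * fr_tr(p) + N_MM * fr_mm(p) + N_ME * fr_me(p) + N_EE * fr_ee(p)
    return pr, fr, 1 / fr

def sdi_factors(p):
    """sDI factors Pr(MC_dep) / Pr(MC_ind) for MC_6, MC_16 and MC_36,
    Eq. 5.141-5.143, 5.146-5.148 and 5.151-5.153 (alpha and c_E are zero there)."""
    q = replace(p, alpha_m=0.0, alpha_e=0.0, c_e=0.0)
    mm_dep = 2 / 3 * (2 * q.lam_m / q.mu_m + q.lam_m / q.rho)   # Eq. 5.141
    mm_ind = (q.lam_m / q.mu_m) ** 2                             # Eq. 5.142
    me_dep = pr_me(q)                                            # Eq. 5.146 (Eq. 5.144 at alpha = 0)
    me_ind = (q.lam_m / q.mu_m) * (q.lam_e / q.mu_e)             # Eq. 5.147
    ee_dep = 2 / 3 * (2 * q.lam_e / q.mu_e + q.lam_e / q.rho)   # Eq. 5.151
    ee_ind = (q.lam_e / q.mu_e) ** 2                             # Eq. 5.152
    return mm_dep / mm_ind, me_dep / me_ind, ee_dep / ee_ind

if __name__ == "__main__":
    # the three columns of Table 5.3 / 5.4: alpha_M = alpha_E = c_E = 0, 0.01, 0.1
    for a in (0.0, 0.01, 0.1):
        pr, fr, msut = system_down_state(Indices(alpha_m=a, alpha_e=a, c_e=a))
        print(f"alpha = c_E = {a}: Pr(D_S) = {pr:.3e}, Fr(D_S) = {fr:.3e} 1/h, MSUT = {msut:,.0f} h")
    print("sDI factors (MM, ME, EE):", sdi_factors(Indices()))
```

Running the script prints the Pr(D_S), Fr(D_S) and MSUT rows of Table 5.3 and 5.4 for the three columns; the 20 · Pr(D_M ∧ D_E) entry of the α = 0.1 column comes out as 5.43 · 10^-4 against the tabulated 5.40 · 10^-4, which is the rounding of the book's table, not a different formula. The sDI factors are the ratio of the dependent to the independent probability, so the α- and c_E-free forms Eq. 5.141, 5.146, and 5.151 are used there.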

II. Transient state

The transient probability can be used for operational monitoring tasks. Only the first transitions in the MMC models in Fig. 5.19-21 are decisive for the transient probability. The equations are derived in Appendix 5.11.5-7.

Assumption: $\lambda_{TR} t, \lambda_M t, \lambda_E t \ll 1$, $0 \le \alpha_M, \alpha_E, p_M, c_E \le 1$, and $\alpha_E + c_E \le 1$. The following equation is composed of Eq. 5.199, 5.219, 5.229 (added is $5 \cdot \lambda_{TR} t$, Eq. 5.131).

$\Pr(D_S, t) \approx 5\,\lambda_{TR} t + 10\left(2\alpha_M \lambda_M t + (1-\alpha_M)(1-p_M)(\lambda_M t)^2\right) + 20\left(\alpha_E \lambda_M t + \alpha_M \lambda_E t + (1-\alpha_E)\frac{\lambda_M \lambda_E}{2} t^2 + (1-\alpha_M)(1-p_M)\frac{\lambda_M \lambda_E}{2} t^2\right) + 10\left(2\alpha_E \lambda_E t + 2 c_E \lambda_E t + (1-\alpha_E-c_E)(\lambda_E t)^2\right)$   (5.159)

Fig. 5.22 shows the calculated transient probabilities $\Pr(D_S, t)$. They are calculated until the steady state is reached. Because only the first transitions in the models, Fig. 5.26-28, are considered, the curves give conservative results (the colored final states serve as absorbing states, which give conservative estimations). The spreading of the transient probabilities $\Pr(D_S, t)$ (red curves, Fig. 5.22) extends over several decades, depending strongly on human errors ($\alpha_M$, $\alpha_E$, Precondition 8) and on common cause failures ($c_E$, Precondition 7). This is contrary to the steady state probabilities, Eq. 5.139, 5.144, and 5.149, which are almost independent of these preconditions. The same tendency (due to CCF) is observed in the model of Fig. 4.26 in Chapter 4.5.9. On the other hand, postponed shut down ($p_M$, Precondition 4) has only little impact on the transient system dependability, because postponed shut down concerns only the second failure, which is improbable during short operation times. Restart failures ($\delta_M$, $\delta_E$, Precondition 5) have, as mentioned before, no impact on the transient behavior.

Example:
Regarding curve III in Fig. 5.22 with the assumed values $\alpha_M = \alpha_E = 10^{-2}$, $\delta_M = \delta_E = 10^{-2}$, $c_E = 10^{-2}$, and $p_M = 0.5$:
1. Starting with $\Pr(D_S, t = 0) = 0$, the manipulator fails after an operating time of 10 hours with $\Pr(D_S, t = 10\,\mathrm{h}) = 4.61 \cdot 10^{-5}$.
2. After 100 hours the manipulator fails with $\Pr(D_S, t = 100\,\mathrm{h}) = 4.67 \cdot 10^{-4}$, which is about 10 times larger.
3. If, for example, a limit value of $\Pr(D_S, t = T_{max})_{limit} = 1.0 \cdot 10^{-4}$ h should not be exceeded, then the manipulator can be operated until $T_{max} = 21.7$ h.
4. The steady state is reached at 651 h.

In order to avoid a fallacy in the interpretation of the short-term probability, please take note of the explanation in Chapter 4.5.11.
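The four numbers of the example above can be recomputed from Eq. 5.159. The following Python script is an added example, not from the book: pr_ds_t evaluates Eq. 5.159 for the Table 5.2 rates, and the helper time_to_reach (an assumption of this example, a plain bisection search, since Pr(D_S, t) of Eq. 5.159 increases monotonically with t) answers the two inverse questions of items 3 and 4, the admissible operating time for a given limit and the time at which the transient curve meets the steady-state value of Table 5.3. Items 1-3 are reproduced to three digits, item 4 within 1 %.

```python
"""Transient probability of the system down state, Eq. 5.159.

Added example, not taken from the book. The rates are the Table 5.2 values;
the parameter set CURVE_III is curve III of Fig. 5.22.
"""

# Table 5.2 rates in 1/h
LAM_TR, LAM_M, LAM_E = 1e-10, 1e-5, 1e-6

def pr_ds_t(t, alpha_m=0.0, alpha_e=0.0, c_e=0.0, p_m=0.5):
    """Eq. 5.159: conservative transient Pr(D_S, t) built from the first
    transitions of the MMC models (valid for lambda * t << 1)."""
    x_m, x_e = LAM_M * t, LAM_E * t                 # lambda_M t and lambda_E t
    tr = 5 * LAM_TR * t                             # five cantilevers, Eq. 5.131
    mm = 10 * (2 * alpha_m * x_m + (1 - alpha_m) * (1 - p_m) * x_m ** 2)
    me = 20 * (alpha_e * x_m + alpha_m * x_e
               + (1 - alpha_e) * x_m * x_e / 2
               + (1 - alpha_m) * (1 - p_m) * x_m * x_e / 2)
    ee = 10 * (2 * alpha_e * x_e + 2 * c_e * x_e + (1 - alpha_e - c_e) * x_e ** 2)
    return tr + mm + me + ee

def time_to_reach(level, t_hi=1.0e4, tol=1e-3, **params):
    """Smallest t (in h) with Pr(D_S, t) >= level, found by bisection.
    Helper of this example; relies on Pr(D_S, t) being increasing in t."""
    lo, hi = 0.0, t_hi
    if pr_ds_t(hi, **params) < level:
        raise ValueError("level not reached within t_hi")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if pr_ds_t(mid, **params) < level:
            lo = mid
        else:
            hi = mid
    return hi

# parameter set of curve III in Fig. 5.22
CURVE_III = dict(alpha_m=1e-2, alpha_e=1e-2, c_e=1e-2, p_m=0.5)

def example_curve_iii():
    """The four numbers of the worked example (curve III, Fig. 5.22)."""
    return {
        "Pr(D_S, 10 h)": pr_ds_t(10, **CURVE_III),
        "Pr(D_S, 100 h)": pr_ds_t(100, **CURVE_III),
        "T_max for limit 1e-4": time_to_reach(1.0e-4, **CURVE_III),
        # steady-state value of Table 5.3, column alpha = c_E = 0.01
        "t reaching Pr(D_S) = 3.29e-3": time_to_reach(3.29e-3, **CURVE_III),
    }

if __name__ == "__main__":
    for name, value in example_curve_iii().items():
        print(f"{name}: {value:.4g}")
```

For short operating times the linear terms of Eq. 5.159 dominate (the α- and c_E-proportional first failures), which is why T_max scales almost inversely with the human-error and CCF probabilities while the (λ t)² terms, and with them p_M, only matter near the end of the transient phase.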

Conclusion II (transient state)

In the transition phase, the process depends strongly on human errors ($\alpha_M$, $\alpha_E$) and common cause failures ($c_E$), in contrast to the steady state.

[Fig. 5.22: log-log plot of Pr(D_S, t) over t/h (1 ... 1000 h; ordinate 10^-8 ... 10^-2) for the four parameter sets I-IV below; the steady state Pr(D_S) ≈ 3.28 ... 3.46 · 10^-3 and the typical scheduled operating time of 651 h are marked.]

I.   α_M = α_E = 0,      δ_M = δ_E = 0,      c_E = 0,      p_M = 0.5
II.  α_M = α_E = 10^-3,  δ_M = δ_E = 10^-3,  c_E = 10^-3,  p_M = 0.5
III. α_M = α_E = 10^-2,  δ_M = δ_E = 10^-2,  c_E = 10^-2,  p_M = 0.5
IV.  α_M = α_E = 10^-1,  δ_M = δ_E = 10^-1,  c_E = 10^-1,  p_M = 0.5
Further parameters see Table 5.2.

Fig. 5.22. Transient and steady state probability of the system down state.

III. Comparative study

In the previous Sections I and II, the steady state probabilities and the transient state probabilities depend strongly on Precondition 2 (STEP 3) (“Failed components are not restored during the operating time (in the operating state)”), which is realized by omitting the return transitions $Z_{2\ldots} \to Z_{1\ldots}$ and $Z_{3\ldots} \to Z_{1\ldots}$ in Fig. 5.19-21. The following comparative study investigates the influence of repairs of the components in $Z_{2\ldots}$ and $Z_{3\ldots}$ by adding the return transitions $Z_{2\ldots} \to Z_{1\ldots}$ and $Z_{3\ldots} \to Z_{1\ldots}$.

Steady state

The steady state behavior with the transitions $Z_{2\ldots} \to Z_{1\ldots}$ and $Z_{3\ldots} \to Z_{1\ldots}$, which are not drawn in the figures, is calculated in Appendix 5.11.8-10. The objective indices probability Pr and frequency Fr of the system state $D_S$ are calculated with Eq. 5.157-158 including Eq. 5.131, 5.237, 5.238, 5.246, 5.247, 5.255, and 5.256.

Table 5.5 and 5.6 show the results of the steady state probability $\Pr(D_S)$ and the mean frequency $Fr(D_S)$ as a function of $\alpha_\ldots$, $c_\ldots$, and $\delta_\ldots$. $\Pr(D_S)$ lies within the range of 1.80 E-06 to 8.65 E-04, MSUT (MTTSF) lies within the range of 2.172 E+04 h to 2.193 E+07 h.

Transient state

The models in Fig. 5.26-28 remain unchanged apart from $p_M = 0$. Repairs during the transition phase are unlikely; thus, they are neglected. The assumptions are the same as in Appendix 5.11.5-7. $\Pr(D_S, t)$ is described by Eq. 5.159.

Fig. 5.23 shows the result of $\Pr(D_S, t)$ and the dependence on $\alpha_\ldots$, $c_\ldots$, and $\delta_\ldots$. The transient durations in this scenario are very short.

Remark: A strongly connected Markov process (Definition 4.6) with the condition of Eq. 5.75 (pictured in Fig. 5.10) concerning all Markov states has a short transient phase.
System down state        α_M = α_E = c_E = δ_M = δ_E =                    Comment
                         0              0.01           0.1
5 · Pr(D_TR)             5.00 · 10^-8   5.00 · 10^-8   5.00 · 10^-8    Fig. 5.18: 5 DB of TR in series
10 · Pr(D_M ∧ D_M)       1.62 · 10^-6   4.26 · 10^-5   4.12 · 10^-4    Fig. 5.19, Eq. 5.237
20 · Pr(D_M ∧ D_E)       1.28 · 10^-7   4.22 · 10^-5   4.21 · 10^-4    Fig. 5.20, Eq. 5.246
10 · Pr(D_E ∧ D_E)       5.50 · 10^-10  3.20 · 10^-6   3.20 · 10^-5    Fig. 5.21, Eq. 5.255
Pr(D_S) = Σ              1.80 · 10^-6   8.81 · 10^-5   8.65 · 10^-4    Eq. 5.157

p_M = 0; additional transitions Z_2… → Z_1… and Z_3… → Z_1….

Table 5.5. Comparative calculation: Results of Table 5.3 with consideration of the changes described in the Comment.

System down state        α_M = α_E = c_E = δ_M = δ_E =                                         Comment
                         0                   0.01                0.1
5 · Fr(D_TR)             5.00 · 10^-10 h^-1  5.00 · 10^-10 h^-1  5.00 · 10^-10 h^-1  Fig. 5.18: 5 DB of TR in series
10 · Fr(D_M ∧ D_M)       4.00 · 10^-8 h^-1   2.04 · 10^-6 h^-1   2.00 · 10^-5 h^-1   Fig. 5.19, Eq. 5.238
20 · Fr(D_M ∧ D_E)       5.00 · 10^-9 h^-1   2.21 · 10^-6 h^-1   2.20 · 10^-5 h^-1   Fig. 5.20, Eq. 5.247
10 · Fr(D_E ∧ D_E)       1.00 · 10^-10 h^-1  4.00 · 10^-7 h^-1   4.00 · 10^-6 h^-1   Fig. 5.21, Eq. 5.256
Fr(D_S) = Σ              4.56 · 10^-8 h^-1   4.65 · 10^-6 h^-1   4.60 · 10^-5 h^-1   Eq. 5.158
MSUT (MTTSF)             2.193 · 10^7 h      2.153 · 10^5 h      2.172 · 10^4 h      Eq. 1.3, 1.8-10

p_M = 0; additional transitions Z_2… → Z_1… and Z_3… → Z_1….

Table 5.6. Comparative calculation: Results of Table 5.4 with consideration of the changes described in the Comment.

[Fig. 5.23: log-log plot of Pr(D_S, t) over t/h (1 ... 1000 h; ordinate 10^-8 ... 10^-2) for the four parameter sets I-IV below; the typical scheduled operating time of 38.4 h is marked.]

I.   α_M = α_E = 0,      δ_M = δ_E = 0,      c_E = 0,      p_M = 0
II.  α_M = α_E = 10^-3,  δ_M = δ_E = 10^-3,  c_E = 10^-3,  p_M = 0
III. α_M = α_E = 10^-2,  δ_M = δ_E = 10^-2,  c_E = 10^-2,  p_M = 0
IV.  α_M = α_E = 10^-1,  δ_M = δ_E = 10^-1,  c_E = 10^-1,  p_M = 0
Further parameters see Table 5.2.

Fig. 5.23. Comparative calculation to Fig. 5.22 (see Comment in Table 5.5).

Conclusion

For the mechatronic system, an efficient dependability analysis method is presented. The procedure gives insight into some aspects of dependability analyses of mechatronic systems. The dependability, which is affected by “real-world” conditions, can cover a wide range. The aim of this example is to demonstrate how realistic assumptions and conditions can be modeled and calculated, including CCF, human errors, and inherent fault-tolerance mechanisms (kinematic redundancy) of special mechatronic systems. The dependability analysis gives an idea of how closely the components of the different areas are interwoven. Thus, their items usually cannot be separately modeled and connected together to a series system like Fig. 5.24.

[Fig. 5.24: series block diagram Mechanics – Sensors, actuators – ECC – Human-interface]

Fig. 5.24. Usually, for dependability analyses, the different technological items of mechatronic systems cannot be separately modeled and calculated.

Remark

Exact modeling of real-world applications and exact calculation of the indices are impossible because of
1. Assumptions about real-world conditions, which affect the component models, the MC models, and the system models.
2. Uncertainty of data (aleatory and epistemic, Chapter 6).
3. Model assumptions and mathematical approximations (e.g. the pMp approach, the restriction to MC of lowest or lower order (pMC), and the neglect of conjunctions in the MC approach). These mathematical inaccuracies are mostly negligible in practical dependability evaluations.
4. It is not possible to evaluate bounding values for real applications; thus conservative estimations ( ≲ ) are the focus of the calculations.

Even if the deviations cannot be evaluated exactly, one should always be conscious of the approximations.
5.11 Appendix

5.11.1 Derivation of the c term of Eq. 5.45

[Fig. 5.25: Markov model with four components. The 16 states are the combinations of up (U) and down (D) of components 1…4: $U_1 \wedge U_2 \wedge U_3 \wedge U_4$; the four one-component down states $D_1 \wedge U_2 \wedge U_3 \wedge U_4$, …, $U_1 \wedge U_2 \wedge U_3 \wedge D_4$; the six two-component down states $D_1 \wedge D_2 \wedge U_3 \wedge U_4$, …, $U_1 \wedge U_2 \wedge D_3 \wedge D_4$; the four three-component down states $D_1 \wedge D_2 \wedge D_3 \wedge U_4$, …, $U_1 \wedge D_2 \wedge D_3 \wedge D_4$; and $D_1 \wedge D_2 \wedge D_3 \wedge D_4$. The CCF transitions (red in the original) carry the rates $c_{1,2}$, $2c_{1,2}$, $c_{1,2}$; $c_{1,3}$, $2c_{1,3}$, $c_{1,3}$; $c_{1,4}$, $2c_{1,4}$, $c_{1,4}$; etc.]

pMp (red transitions):

$3c\,\frac{\lambda}{\mu}\cdot 2\,\frac{\lambda}{\mu}\cdot\frac{\lambda}{\mu} + 3\,\frac{\lambda}{\mu}\cdot 2c\,\frac{\lambda}{\mu}\cdot\frac{\lambda}{\mu} + 3\,\frac{\lambda}{\mu}\cdot 2\,\frac{\lambda}{\mu}\cdot c\,\frac{\lambda}{\mu} = 18c\left(\frac{\lambda}{\mu}\right)^3$

Fig. 5.25. Markov model with four components including CCF (red transitions). Multiple CCF such as $c_{1,2,3}$, $c_{1,2,3,4}$ or $c_{1,2}\cdot c_{2,3}\cdot\ldots$ are excluded. For simplicity, $\mu = \mu_{1,2,\ldots}$, etc.

5.11.2 Steady state of the MMC model, Fig. 5.19

At first, the initial value of $\Pr(Z_{1MM})$ is calculated according to the procedure developed in Chapter 5.7. Only the Markov operating states of $D_{M_i} \wedge D_{M_j}$ are decisive for the start value.

General remark to Eq. 5.131-134 and Fig. 5.19-21: $\Pr(MC_i) \approx 1$, $i = 1\ldots45$.

Assumption: $M_i \equiv M_j$, $\forall i,j = 1\ldots5$ (similar components), $\Theta_M, \rho, \mu_M \gg \lambda_M$, $\alpha_M, \delta_M \ll 1$, and $0 \le p_M \le 1$

Calculation of the Markov states using the pMp approach.


$\Pr(Z_{2MM}) = \Pr(Z_{1MM})\,\frac{(1-\alpha_M)\lambda_M}{\lambda_M} \approx \Pr(Z_{1MM})$ (5.160)

$\Pr(Z_{3MM}) = \Pr(Z_{1MM})\,\frac{(1-\alpha_M)\lambda_M}{\lambda_M} \approx \Pr(Z_{1MM})$ (5.161)

$\Pr(Z_{4MM}) = \Pr(Z_{2MM})\,\frac{p_M\lambda_M}{\Theta_M} \approx \Pr(Z_{1MM})\,\frac{p_M\lambda_M}{\Theta_M} \ll \Pr(Z_{1MM})$ (5.162)

$\Pr(Z_{5MM}) = \Pr(Z_{3MM})\,\frac{p_M\lambda_M}{\Theta_M} \approx \Pr(Z_{1MM})\,\frac{p_M\lambda_M}{\Theta_M} \ll \Pr(Z_{1MM})$ (5.163)

With

$\sum_{i=1}^{5}\Pr(Z_{iMM}) \approx 1$ (5.164)

follow the values

$\Pr(Z_{1MM}) \approx \Pr(Z_{2MM}) \approx \Pr(Z_{3MM}) \approx \frac{1}{3}$ (5.165)

$\sum_{i=6}^{10}\Pr(Z_{iMM})$ is neglected for the calculation of the initial value.

$\Pr(Z_{6MM}) = \Pr(Z_{2MM})\,\frac{(1-p_M)\lambda_M}{\mu_M} + \Pr(Z_{4MM})\,\frac{\Theta_M}{\mu_M} \approx \Pr(Z_{1MM})\,\frac{\lambda_M}{\mu_M}$ (5.166)

$\Pr(Z_{7MM}) = \Pr(Z_{6MM})$ (5.167)

$\Pr(Z_{8MM}) = \Pr(Z_{6MM})\,\frac{\mu_M}{\mu_M} + \Pr(Z_{1MM})\,\frac{\alpha_M\lambda_M}{\mu_M} + \Pr(Z_{10MM})\,\frac{\delta_M\rho}{\mu_M} \approx \Pr(Z_{1MM})(1+\alpha_M)\frac{\lambda_M}{\mu_M} + \Pr(Z_{10MM})\,\frac{\delta_M\rho}{\mu_M}$ (5.168)

$\Pr(Z_{9MM}) = \Pr(Z_{8MM})$ (5.169)

$\Pr(Z_{10MM}) = \Pr(Z_{8MM})\,\frac{\mu_M}{\rho} + \Pr(Z_{9MM})\,\frac{\mu_M}{\rho} \approx 2\Pr(Z_{1MM})(1+\alpha_M)\frac{\lambda_M}{\rho} + 2\Pr(Z_{10MM})\,\delta_M$

$\Pr(Z_{10MM}) \approx \frac{2\Pr(Z_{1MM})(1+\alpha_M)\lambda_M/\rho}{1-2\delta_M} \approx 2\Pr(Z_{1MM})(1+\alpha_M)\frac{\lambda_M}{\rho}$ (5.170)

Remark to the pMp approach: The return transitions ($Z_{10MM} \to Z_{8MM}$ and $Z_{10MM} \to Z_{9MM}$, i.e. the $\Pr(Z_{10MM})$ terms in Eq. 5.168-170, framed in the original) can be neglected; they do not represent probable paths (pMp). Thus, Precondition 5 (restart failures) has negligible influence on the system probability and frequency. The same applies to Fig. 5.20-21 and their respective equations.

Result: Eq. 5.139-140

5.11.3 Steady state of the MMC model, Fig. 5.20

At first, the initial value of $\Pr(Z_{1ME})$ is calculated according to the procedure developed in Appendix 5.11.2. Only the Markov operating states of $D_{M_i} \wedge D_{E_j}$ are decisive for the start value.

Assumption: $M_i \equiv M_j$, $E_i \equiv E_j$, $\forall i,j = 1\ldots5$ (similar components), $\Theta_M, \rho, \mu_M, \mu_E \gg \lambda_M, \lambda_E$, $\alpha_M, \alpha_E, \delta_M, \delta_E \ll 1$, and $0 \le p_M \le 1$

Calculation of the Markov states using the pMp approach.

$\Pr(Z_{2ME}) = \Pr(Z_{1ME})\,\frac{(1-\alpha_E)\lambda_M}{\lambda_E} \approx \Pr(Z_{1ME})\,\frac{\lambda_M}{\lambda_E}$ (5.171)

$\Pr(Z_{3ME}) = \Pr(Z_{1ME})\,\frac{(1-\alpha_M)\lambda_E}{\lambda_M} \approx \Pr(Z_{1ME})\,\frac{\lambda_E}{\lambda_M}$ (5.172)

$\Pr(Z_{4ME}) = \Pr(Z_{3ME})\,\frac{p_M\lambda_M}{\Theta_M} \approx \Pr(Z_{1ME})\,\frac{\lambda_E\,p_M}{\Theta_M} \ll \Pr(Z_{1ME})$ (5.173)

With

$\sum_{i=1}^{4}\Pr(Z_{iME}) \approx 1$ (5.174)

follows the initial value

$\Pr(Z_{1ME}) \approx \frac{1}{1 + \frac{\lambda_M}{\lambda_E} + \frac{\lambda_E}{\lambda_M}}$ (5.175)

$\sum_{i=5}^{9}\Pr(Z_{iME})$ is neglected for the calculation of the initial value.

$\Pr(Z_{5ME}) = \Pr(Z_{2ME})\,\frac{\lambda_E}{\mu_M} \approx \Pr(Z_{1ME})\,\frac{\lambda_M}{\lambda_E}\,\frac{\lambda_E}{\mu_M} = \Pr(Z_{1ME})\,\frac{\lambda_M}{\mu_M}$ (5.176)

$\Pr(Z_{6ME}) = \Pr(Z_{3ME})\,\frac{(1-p_M)\lambda_M}{\mu_E} + \Pr(Z_{4ME})\,\frac{\Theta_M}{\mu_E} \approx \Pr(Z_{1ME})\,\frac{\lambda_E}{\lambda_M}\,\frac{(1-p_M)\lambda_M}{\mu_E} + \Pr(Z_{1ME})\,\frac{\lambda_E\,p_M}{\Theta_M}\,\frac{\Theta_M}{\mu_E} = \Pr(Z_{1ME})\,\frac{\lambda_E}{\mu_E}$ (5.177)

$\Pr(Z_{7ME}) = \Pr(Z_{5ME})\,\frac{\mu_M}{\mu_E} + \Pr(Z_{1ME})\,\frac{\alpha_M\lambda_E}{\mu_E} \approx \Pr(Z_{1ME})\,\frac{\lambda_M}{\mu_M}\,\frac{\mu_M}{\mu_E} + \Pr(Z_{1ME})\,\frac{\alpha_M\lambda_E}{\mu_E} = \Pr(Z_{1ME})\left(\frac{\lambda_M}{\mu_E} + \frac{\alpha_M\lambda_E}{\mu_E}\right)$ (5.178)

$\Pr(Z_{8ME}) = \Pr(Z_{6ME})\,\frac{\mu_E}{\mu_M} + \Pr(Z_{1ME})\,\frac{\alpha_E\lambda_M}{\mu_M} \approx \Pr(Z_{1ME})\,\frac{\lambda_E}{\mu_E}\,\frac{\mu_E}{\mu_M} + \Pr(Z_{1ME})\,\frac{\alpha_E\lambda_M}{\mu_M} = \Pr(Z_{1ME})\left(\frac{\lambda_E}{\mu_M} + \frac{\alpha_E\lambda_M}{\mu_M}\right)$ (5.179)

$\Pr(Z_{9ME}) = \Pr(Z_{7ME})\,\frac{\mu_E}{\rho} + \Pr(Z_{8ME})\,\frac{\mu_M}{\rho} \approx \Pr(Z_{1ME})\left(\left(\frac{\lambda_M}{\mu_E} + \frac{\alpha_M\lambda_E}{\mu_E}\right)\frac{\mu_E}{\rho} + \left(\frac{\lambda_E}{\mu_M} + \frac{\alpha_E\lambda_M}{\mu_M}\right)\frac{\mu_M}{\rho}\right) = \Pr(Z_{1ME})\left(\frac{\lambda_M}{\rho} + \frac{\alpha_M\lambda_E}{\rho} + \frac{\lambda_E}{\rho} + \frac{\alpha_E\lambda_M}{\rho}\right)$ (5.180)

Result: Eq. 5.144-145

5.11.4 Steady state of the MMC model, Fig. 5.21

The initial value of $\Pr(Z_{1EE})$ is calculated according to the procedure developed in Appendix 5.11.2.

Assumption: $E_i \equiv E_j$, $\forall i,j = 1\ldots5$ (similar components), $\rho, \mu_E \gg \lambda_E$, and $\alpha_E, \delta_E, c_E \ll 1$

Calculation of the Markov states using the pMp approach.

$\Pr(Z_{1EE}) \approx \Pr(Z_{2EE}) \approx \Pr(Z_{3EE}) \approx \frac{1}{3}$ (5.181)

$\Pr(Z_{4EE}) = \Pr(Z_{2EE})\,\frac{\lambda_E}{\mu_E} + \Pr(Z_{1EE})\,\frac{c_E\lambda_E}{\mu_E} \approx \Pr(Z_{1EE})(1+c_E)\frac{\lambda_E}{\mu_E}$ (5.182)

$\Pr(Z_{5EE}) = \Pr(Z_{4EE})$ (5.183)

$\Pr(Z_{6EE}) = \Pr(Z_{4EE})\,\frac{\mu_E}{\mu_E} + \Pr(Z_{1EE})\,\frac{\alpha_E\lambda_E}{\mu_E} \approx \Pr(Z_{1EE})(1 + c_E + \alpha_E)\frac{\lambda_E}{\mu_E}$ (5.184)

$\Pr(Z_{7EE}) = \Pr(Z_{6EE})$ (5.185)

$\Pr(Z_{8EE}) = \Pr(Z_{6EE})\,\frac{\mu_E}{\rho} + \Pr(Z_{7EE})\,\frac{\mu_E}{\rho} \approx 2\Pr(Z_{1EE})(1 + c_E + \alpha_E)\frac{\lambda_E}{\rho}$ (5.186)

Result: Eq. 5.149-150

5.11.5 Transient state of the MMC model, Fig. 5.19

The transient state probability can be evaluated by expanding the MMC model as a
decision tree according to the procedure described in Appendix 4.6.2 (the same is
valid for the following MMC models in the appendices). For the interpretation of the
transient or short term behavior, Chapter 4.5.10 and 4.5.11 are to be considered.
The decision tree model of the MMC model is developed and calculated with the
pMp approach. Fig. 5.26 shows the cutout of the decision tree for the first state
transitions, which determine predominantly the transient behavior.

[Fig. 5.26 (decision tree, cutout) for $MC_{6\ldots15} = D_{M_i} \wedge D_{M_j}$: root $Z_{1MM}$ ($U_{M_i} \wedge U_{M_j}$). Transition 1, $(1-\alpha_M)\lambda_M$, leads to $Z_{2MM}$ ($F_M \wedge U_M$) or, symmetrically, $Z_{3MM}$ ($U_M \wedge F_M$); transition 2, $\alpha_M\lambda_M$, leads directly to $Z_{8MM}$ ($R_M \wedge F_M$, rep) or $Z_{9MM}$ ($F_M \wedge R_M$, rep). From $Z_{2MM}$ ($Z_{3MM}$): transition 3, $(1-p_M)\lambda_M$, to $Z_{6MM}$ ($Z_{7MM}$; $F_M \wedge F_M$, rep); transition 4, $p_M\lambda_M$, to $Z_{4MM}$ ($Z_{5MM}$; $F_M \wedge U'_M$ resp. $U'_M \wedge F_M$); transition 5, $\Theta_M$, from $Z_{4MM}$ ($Z_{5MM}$) to $Z_{6MM}$ ($Z_{7MM}$). 1 … G-function, see Eq. 4.294-303 and 4.305-307.]

Fig. 5.26. Cutout of the decision tree of the MMC model of $MC_{6\ldots15} = D_{M_i} \wedge D_{M_j}$, Fig. 5.19, developed for calculation of the transient probability (e.g. applicable for dependability monitoring).

Assumption: $M_i \equiv M_j$, $\forall i,j = 1\ldots5$ (similar components), $\lambda_M t \ll 1$, $0 \le \alpha_M, p_M \le 1$, and $\Pr(Z_{1MM}, t=0) = 1$

$F_1(t) = 1 - e^{-(1-\alpha_M)\lambda_M t} \approx (1-\alpha_M)\lambda_M t$ (5.187)

$F_2(t) = 1 - e^{-\alpha_M\lambda_M t} \approx \alpha_M\lambda_M t$ (5.188)

$F_3(t) = 1 - e^{-(1-p_M)\lambda_M t} \approx (1-p_M)\lambda_M t$ (5.189)

$F_4(t) = 1 - e^{-p_M\lambda_M t} \approx p_M\lambda_M t$ (5.190)

$F_5(t) = 1 - e^{-\Theta_M t}$ (5.191)

Eq. 4.301-303 yield

$G_{1MM}(t) = F_1(t) \approx (1-\alpha_M)\lambda_M t$ (5.192)

$G_{2MM}(t) = F_2(t) \approx \alpha_M\lambda_M t$ (5.193)

$G_{3MM}(t) = \int_0^t \frac{dG_{1MM}(x)}{dx}\,F_3(t-x)\,dx \approx (1-\alpha_M)(1-p_M)\frac{(\lambda_M t)^2}{2}$ (5.194)

$G_{4MM}(t) = \int_0^t \frac{dG_{1MM}(x)}{dx}\,F_4(t-x)\,dx \approx (1-\alpha_M)\,p_M\,\frac{(\lambda_M t)^2}{2}$ (5.195)

$G_{5MM}(t) = \int_0^t \frac{dG_{4MM}(x)}{dx}\,F_5(t-x)\,dx \approx (1-\alpha_M)\,p_M\,\lambda_M^2\left(\int_0^t x\,dx - e^{-\Theta_M t}\int_0^t x\,e^{\Theta_M x}\,dx\right)$
$= (1-\alpha_M)\,p_M\,\frac{(\lambda_M t)^2}{2} + (1-\alpha_M)\,p_M\,\frac{\lambda_M^2}{\Theta_M^2}\left(1 - \Theta_M t - e^{-\Theta_M t}\right)$ (5.196)

The upper and lower part of the MMC model of Fig. 5.26 yield the transient probability until the steady state is reached.

$\Pr(D_M \wedge D_M, t) \approx 2\left(G_{2MM}(t) + G_{3MM}(t) + G_{5MM}(t)\right)$ (5.197)

The duration of a typical postponed shut down lies in the range $0.5\,\mathrm{h} < 1/\Theta_M < 100\,\mathrm{h}$. The following borderline cases are regarded.

Borderline case 1

$\Theta_M t \ll 1$ and $\Theta_M > 0$: System shut down can always be postponed to the end of the operating time, e.g. 10 hours.

The function $e^{-\Theta_M t}$ is expanded to $1 - \Theta_M t + \frac{(\Theta_M t)^2}{2} - \ldots$ and inserted in Eq. 5.196 (the terms in place of … are neglected). The second term of Eq. 5.196 is then equal to the first term with negative sign. Thus $G_{5MM}(t) = 0$, which means that no transition 5 to $Z_{6MM}$ occurs.

$\Pr(D_M \wedge D_M, t) \approx 2\left(G_{2MM}(t) + G_{3MM}(t)\right)$ (5.198)

$\Pr(MC_{6\ldots15}, t) = \Pr(D_M \wedge D_M, t) = \sum_{i=6}^{9}\Pr(Z_{iMM}, t) \approx 2\alpha_M\lambda_M t + (1-\alpha_M)(1-p_M)(\lambda_M t)^2$ (5.199)

Borderline case 2

$p_M = 0$: Shut down is not postponed. The system has to be shut down immediately after failure $\lambda_M$ of the second component.

$\Pr(D_M \wedge D_M, t) \approx 2\left(G_{2MM}(t) + G_{3MM}(t)\right)$ (5.200)

$\Pr(MC_{6\ldots15}, t) = \Pr(D_M \wedge D_M, t) = \sum_{i=6}^{9}\Pr(Z_{iMM}, t) \approx 2\alpha_M\lambda_M t + (1-\alpha_M)(\lambda_M t)^2$ (5.201)

The same result is obtained with $\Theta_M t \gg 1$ (Eq. 5.197 with $\Theta_M \to \infty$).
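The decision-tree expansion of Appendix 5.11.5 can be checked numerically. The following Python script is an added example, not code from the book: it evaluates $G_{5MM}(t)$ both as the convolution integral of Eq. 5.196 (trapezoidal rule) and in the closed form, assembles $\Pr(D_M \wedge D_M, t)$ from Eq. 5.197, and compares it with the two borderline cases Eq. 5.199 and Eq. 5.201. The parameter values $\lambda_M = 10^{-5}\,\mathrm{h}^{-1}$, $\alpha_M = 0.01$, $p_M = 0.5$ and the three values of $\Theta_M$ are assumptions chosen for illustration, not the values of Table 5.2; the operating time 38.4 h is the one marked in Fig. 5.23.

```python
"""Transient probability of the minimal cut D_M ∧ D_M (Appendix 5.11.5).

Added example, not part of the book. Evaluates the G-functions of
Eq. 5.192-5.196, the sum Eq. 5.197 and the borderline cases Eq. 5.199
and 5.201. All parameter values below are assumptions for illustration.
"""
import math


def g5_closed(t, lam_m, alpha_m, p_m, theta_m):
    """G_5MM(t) in the closed form of Eq. 5.196 (requires Θ_M > 0)."""
    c = (1.0 - alpha_m) * p_m * lam_m ** 2
    # 1 - Θt - exp(-Θt) written with expm1 to avoid cancellation for small Θt
    bracket = -(theta_m * t + math.expm1(-theta_m * t))
    return c * t ** 2 / 2.0 + c / theta_m ** 2 * bracket


def g5_numeric(t, lam_m, alpha_m, p_m, theta_m, n=4000):
    """G_5MM(t) = ∫_0^t dG_4MM(x)/dx · F_5(t-x) dx by the trapezoidal rule.

    dG_4MM/dx = (1-α_M) p_M λ_M² x follows from Eq. 5.195,
    F_5(τ) = 1 - exp(-Θ_M τ) is Eq. 5.191.
    """
    h = t / n
    total = 0.0
    for k in range(n + 1):
        x = k * h
        f5 = -math.expm1(-theta_m * (t - x))
        f = (1.0 - alpha_m) * p_m * lam_m ** 2 * x * f5
        total += f if 0 < k < n else 0.5 * f
    return total * h


def pr_dm_dm(t, lam_m, alpha_m, p_m, theta_m):
    """Pr(D_M ∧ D_M, t) ≈ 2 (G_2MM + G_3MM + G_5MM), Eq. 5.197."""
    g2 = alpha_m * lam_m * t                                     # Eq. 5.193
    g3 = (1.0 - alpha_m) * (1.0 - p_m) * (lam_m * t) ** 2 / 2.0  # Eq. 5.194
    g5 = g5_closed(t, lam_m, alpha_m, p_m, theta_m)              # Eq. 5.196
    return 2.0 * (g2 + g3 + g5)


def pr_borderline_1(t, lam_m, alpha_m, p_m):
    """Eq. 5.199: Θ_M t ≪ 1, shut-down always postponed to the end of the run."""
    return 2.0 * alpha_m * lam_m * t + (1.0 - alpha_m) * (1.0 - p_m) * (lam_m * t) ** 2


def pr_borderline_2(t, lam_m, alpha_m):
    """Eq. 5.201: p_M = 0 (equivalently Θ_M → ∞), immediate shut-down."""
    return 2.0 * alpha_m * lam_m * t + (1.0 - alpha_m) * (lam_m * t) ** 2


def relative_error(value, reference):
    return abs(value - reference) / abs(reference)


if __name__ == "__main__":
    LAM_M, ALPHA_M, P_M = 1e-5, 0.01, 0.5   # assumed: h^-1, -, -
    T = 38.4                                 # typical scheduled operating time in h (Fig. 5.23)
    for theta in (1e-3, 1e-1, 1e3):          # 1/Θ_M = 1000 h, 10 h, 0.001 h
        print(f"Θ_M = {theta:g} /h: G5 closed = {g5_closed(T, LAM_M, ALPHA_M, P_M, theta):.3e}, "
              f"numeric = {g5_numeric(T, LAM_M, ALPHA_M, P_M, theta):.3e}, "
              f"Pr(D_M ∧ D_M, t) = {pr_dm_dm(T, LAM_M, ALPHA_M, P_M, theta):.4e}")
    print(f"borderline case 1 (Eq. 5.199): {pr_borderline_1(T, LAM_M, ALPHA_M, P_M):.4e}")
    print(f"borderline case 2 (Eq. 5.201): {pr_borderline_2(T, LAM_M, ALPHA_M):.4e}")
```

For $1/\Theta_M = 1000\,\mathrm{h}$ the computed $\Pr(D_M \wedge D_M, t)$ agrees with Eq. 5.199 to better than 0.1 %, for $1/\Theta_M = 0.001\,\mathrm{h}$ with Eq. 5.201; the intermediate value $1/\Theta_M = 10\,\mathrm{h}$ lies between the two, which is the range the text gives for a postponed shut down. The linear term $2\alpha_M\lambda_M t$ dominates at short operating times, so the human-error parameter $\alpha_M$, not the double failure, sets the early transient.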

5.11.6 Transient state of the MMC model, Fig. 5.20

The decision tree model of the MMC model is developed and calculated with the
pMp approach. Fig. 5.27 shows the cutout of the decision tree for the first state
transitions, which determine predominantly the transient behavior.

[Fig. 5.27 (decision tree, cutout) for $MC_{16\ldots35} = D_{M_i} \wedge D_{E_j}$: root $Z_{1ME}$ ($U_M \wedge U_E$). Upper (E) part: transition 1, $(1-\alpha_E)\lambda_M$, to $Z_{2ME}$ ($F_M \wedge U_E$); from there transition 2, $\lambda_E$, to $Z_{5ME}$ ($F_M \wedge F_E$, rep). Lower (M) part: transition 3, $(1-\alpha_M)\lambda_E$, to $Z_{3ME}$ ($U_M \wedge F_E$); from there transition 4, $(1-p_M)\lambda_M$, to $Z_{6ME}$ ($F_M \wedge F_E$, rep), and transition 5, $p_M\lambda_M$, to $Z_{4ME}$ ($U'_M \wedge F_E$), followed by transition 6, $\Theta_M$, to $Z_{6ME}$. Directly from the root: transition 7, $\alpha_E\lambda_M$, to $Z_{8ME}$ ($F_M \wedge R_E$, rep), and transition 8, $\alpha_M\lambda_E$, to $Z_{7ME}$ ($R_M \wedge F_E$, rep). 1 … G-function, see Eq. 4.294-303 and 4.305-307.]

Fig. 5.27. Cutout of the decision tree of the MMC model of $MC_{16\ldots35} = D_{M_i} \wedge D_{E_j}$, Fig. 5.20, developed for calculation of the transient probability (e.g. applicable for dependability monitoring).

Assumption: $M_i \equiv M_j$, $E_i \equiv E_j$, $\forall i,j = 1\ldots5$ (similar components), $\lambda_M t, \lambda_E t \ll 1$, $0 \le \alpha_M, \alpha_E, p_M \le 1$, and $\Pr(Z_{1ME}, t=0) = 1$
$F_1(t) = 1 - e^{-(1-\alpha_E)\lambda_M t} \approx (1-\alpha_E)\lambda_M t$ (5.202)

$F_2(t) = 1 - e^{-\lambda_E t} \approx \lambda_E t$ (5.203)

$F_3(t) = 1 - e^{-(1-\alpha_M)\lambda_E t} \approx (1-\alpha_M)\lambda_E t$ (5.204)

$F_4(t) = 1 - e^{-(1-p_M)\lambda_M t} \approx (1-p_M)\lambda_M t$ (5.205)

$F_5(t) = 1 - e^{-p_M\lambda_M t} \approx p_M\lambda_M t$ (5.206)

$F_6(t) = 1 - e^{-\Theta_M t}$ (5.207)

$F_7(t) = 1 - e^{-\alpha_E\lambda_M t} \approx \alpha_E\lambda_M t$ (5.208)

$F_8(t) = 1 - e^{-\alpha_M\lambda_E t} \approx \alpha_M\lambda_E t$ (5.209)

Eq. 4.301-4.303 yield

$G_{1ME}(t) = F_1(t) \approx (1-\alpha_E)\lambda_M t$ (5.210)

$G_{2ME}(t) = \int_0^t \frac{dG_{1ME}(x)}{dx}\,F_2(t-x)\,dx \approx (1-\alpha_E)\frac{\lambda_M\lambda_E}{2}\,t^2$ (5.211)

$G_{3ME}(t) = F_3(t) \approx (1-\alpha_M)\lambda_E t$ (5.212)

$G_{4ME}(t) = \int_0^t \frac{dG_{3ME}(x)}{dx}\,F_4(t-x)\,dx \approx (1-\alpha_M)(1-p_M)\frac{\lambda_M\lambda_E}{2}\,t^2$ (5.213)

$G_{5ME}(t) = \int_0^t \frac{dG_{3ME}(x)}{dx}\,F_5(t-x)\,dx \approx (1-\alpha_M)\,p_M\,\frac{\lambda_M\lambda_E}{2}\,t^2$ (5.214)

The result is taken over from Eq. 5.196.

$G_{6ME}(t) = \int_0^t \frac{dG_{5ME}(x)}{dx}\,F_6(t-x)\,dx \approx (1-\alpha_M)\,p_M\,\frac{\lambda_M\lambda_E}{2}\,t^2 + (1-\alpha_M)\,p_M\,\frac{\lambda_M\lambda_E}{\Theta_M^2}\left(1 - \Theta_M t - e^{-\Theta_M t}\right)$ (5.215)

$G_{7ME}(t) = F_7(t) \approx \alpha_E\lambda_M t$ (5.216)

$G_{8ME}(t) = F_8(t) \approx \alpha_M\lambda_E t$ (5.217)

Result:
For the lower M part of Fig. 5.27, Borderline case 1 is assumed (so that $G_{6ME}(t) = 0$, as in Eq. 5.198).

$\Pr(D_M \wedge D_E, t) = G_{2ME}(t) + G_{4ME}(t) + G_{7ME}(t) + G_{8ME}(t)$ (5.218)

$\Pr(MC_{16\ldots35}, t) = \Pr(D_M \wedge D_E, t) = \sum_{i=5}^{8}\Pr(Z_{iME}, t) \approx \alpha_E\lambda_M t + \alpha_M\lambda_E t + (1-\alpha_E)\frac{\lambda_M\lambda_E}{2}\,t^2 + (1-\alpha_M)(1-p_M)\frac{\lambda_M\lambda_E}{2}\,t^2$ (5.219)

5.11.7 Transient state of the MMC model, Fig. 5.21

The decision tree model of the MMC model is developed and calculated with the
pMp approach. Fig. 5.28 shows the cutout of the decision tree for the first state
transitions, which determine predominantly the transient behavior.

[Fig. 5.28 (decision tree, cutout) for $MC_{36\ldots45} = D_{E_i} \wedge D_{E_j}$: root $Z_{1EE}$ ($U_{E_i} \wedge U_{E_j}$). Transition 1, $(1-\alpha_E-c_E)\lambda_E$, leads to $Z_{2EE}$ ($F_E \wedge U_E$) or, symmetrically, $Z_{3EE}$ ($U_E \wedge F_E$); from there transition 2, $\lambda_E$, leads to $Z_{4EE}$ resp. $Z_{5EE}$ ($F_E \wedge F_E$, rep). Directly from the root: transition 3, $\alpha_E\lambda_E$, to $Z_{6EE}$ ($R_E \wedge F_E$, rep) resp. $Z_{7EE}$ ($F_E \wedge R_E$, rep), and transition 4, the CCF $c_E\lambda_E$, to $Z_{4EE}$ resp. $Z_{5EE}$. 1 … G-function, see Eq. 4.294-303 and 4.305-307.]

Fig. 5.28. Cutout of the decision tree of the MMC model of $MC_{36\ldots45} = D_{E_i} \wedge D_{E_j}$, Fig. 5.21, developed for calculation of the transient probability (e.g. applicable for dependability monitoring).

Assumption: $E_i \equiv E_j$, $\forall i,j = 1\ldots5$ (similar components), $\lambda_E t \ll 1$, $0 \le \alpha_E + c_E \le 1$, and $\Pr(Z_{1EE}, t=0) = 1$
$F_1(t) = 1 - e^{-(1-\alpha_E-c_E)\lambda_E t} \approx (1-\alpha_E-c_E)\lambda_E t$ (5.220)

$F_2(t) = 1 - e^{-\lambda_E t} \approx \lambda_E t$ (5.221)

$F_3(t) = 1 - e^{-\alpha_E\lambda_E t} \approx \alpha_E\lambda_E t$ (5.222)

$F_4(t) = 1 - e^{-c_E\lambda_E t} \approx c_E\lambda_E t$ (5.223)

$G_{1EE}(t) = F_1(t) \approx (1-\alpha_E-c_E)\lambda_E t$ (5.224)

$G_{2EE}(t) = \int_0^t \frac{dG_{1EE}(x)}{dx}\,F_2(t-x)\,dx \approx (1-\alpha_E-c_E)\frac{(\lambda_E t)^2}{2}$ (5.225)

$G_{3EE}(t) = F_3(t) \approx \alpha_E\lambda_E t$ (5.226)

$G_{4EE}(t) = F_4(t) \approx c_E\lambda_E t$ (5.227)

Result:

$\Pr(D_E \wedge D_E, t) = 2\left(G_{2EE}(t) + G_{3EE}(t) + G_{4EE}(t)\right)$ (5.228)

$\Pr(MC_{36\ldots45}, t) = \Pr(D_E \wedge D_E, t) = \sum_{i=4}^{7}\Pr(Z_{iEE}, t) \approx 2\alpha_E\lambda_E t + 2c_E\lambda_E t + (1-\alpha_E-c_E)(\lambda_E t)^2$ (5.229)

5.11.8 Comparative study to Appendix 5.11.2 and 5.11.5

Steady states, Fig. 5.19

Precondition 2 is not fulfilled. The model in Fig. 5.19 is changed as follows: Failed components in the states $Z_{2MM}$ and $Z_{3MM}$ are repaired, thus $Z_{2MM} \to Z_{1MM}$ and $Z_{3MM} \to Z_{1MM}$ are added. The further assumptions are the same as in Appendix 5.11.2 ($p_M = 0$). The calculation with the pMp approach yields the following expressions.

The initial value is $\Pr(Z_{1MM}) \approx 1$.

$\Pr(Z_{2MM}) = \Pr(Z_{1MM})\,\frac{(1-\alpha_M)\lambda_M}{\mu_M + \lambda_M} \approx \Pr(Z_{1MM})\,\frac{\lambda_M}{\mu_M}$ (5.230)

$\Pr(Z_{3MM}) = \Pr(Z_{2MM})$ (5.231)

$\Pr(Z_{6MM}) = \Pr(Z_{2MM})\,\frac{\lambda_M}{\mu_M} \approx \Pr(Z_{1MM})\left(\frac{\lambda_M}{\mu_M}\right)^2$ (5.232)

$\Pr(Z_{7MM}) = \Pr(Z_{6MM})$ (5.233)

$\Pr(Z_{8MM}) = \Pr(Z_{6MM})\,\frac{\mu_M}{\mu_M} + \Pr(Z_{1MM})\,\frac{\alpha_M\lambda_M}{\mu_M} \approx \Pr(Z_{1MM})\left(\frac{\lambda_M}{\mu_M} + \alpha_M\right)\frac{\lambda_M}{\mu_M}$ (5.234)

$\Pr(Z_{9MM}) = \Pr(Z_{8MM})$ (5.235)

$\Pr(Z_{10MM}) = \Pr(Z_{8MM})\,\frac{\mu_M}{\rho} + \Pr(Z_{9MM})\,\frac{\mu_M}{\rho} \approx 2\Pr(Z_{1MM})\left(\frac{\lambda_M}{\mu_M} + \alpha_M\right)\frac{\lambda_M}{\rho}$ (5.236)

$\Pr(MC_{6\ldots15}) = \Pr(D_M \wedge D_M) = \sum_{i=6}^{10}\Pr(Z_{iMM}) \approx 2\left(\left(\frac{\lambda_M}{\mu_M}\right)^2 + \left(\frac{\lambda_M}{\mu_M} + \alpha_M\right)\frac{\lambda_M}{\mu_M} + \left(\frac{\lambda_M}{\mu_M} + \alpha_M\right)\frac{\lambda_M}{\rho}\right)$ (5.237)

$Fr(MC_{6\ldots15}) = Fr(D_M \wedge D_M) = Fr(Z_{10MM} \to Z_{1MM}) \approx \Pr(Z_{10MM})\,\rho \approx 2\left(\frac{\lambda_M}{\mu_M} + \alpha_M\right)\lambda_M$ (5.238)

5.11.9 Comparative study to Appendix 5.11.3 and 5.11.6

Steady states, Fig. 5.20

Precondition 2 is not fulfilled. The model in Fig. 5.20 is changed as follows: Failed components in the states $Z_{2ME}$ and $Z_{3ME}$ are repaired, thus $Z_{2ME} \to Z_{1ME}$ and $Z_{3ME} \to Z_{1ME}$ are added. The further assumptions are the same as in Appendix 5.11.3 ($p_M = 0$). The calculation with the pMp approach yields the following expressions.

The initial value is $\Pr(Z_{1ME}) \approx 1$.

$\Pr(Z_{2ME}) = \Pr(Z_{1ME})\,\frac{(1-\alpha_E)\lambda_M}{\mu_M + \lambda_E} \approx \Pr(Z_{1ME})\,\frac{\lambda_M}{\mu_M}$ (5.239)

$\Pr(Z_{3ME}) = \Pr(Z_{1ME})\,\frac{(1-\alpha_M)\lambda_E}{\mu_E + \lambda_M} \approx \Pr(Z_{1ME})\,\frac{\lambda_E}{\mu_E}$ (5.240)

$\Pr(Z_{5ME}) = \Pr(Z_{2ME})\,\frac{\lambda_E}{\mu_M} \approx \Pr(Z_{1ME})\,\frac{\lambda_M\lambda_E}{\mu_M^2}$ (5.241)

$\Pr(Z_{6ME}) = \Pr(Z_{3ME})\,\frac{\lambda_M}{\mu_E} \approx \Pr(Z_{1ME})\,\frac{\lambda_E\lambda_M}{\mu_E^2}$ (5.242)

$\Pr(Z_{7ME}) = \Pr(Z_{5ME})\,\frac{\mu_M}{\mu_E} + \Pr(Z_{1ME})\,\frac{\alpha_M\lambda_E}{\mu_E} \approx \Pr(Z_{1ME})\left(\frac{\lambda_M}{\mu_M} + \alpha_M\right)\frac{\lambda_E}{\mu_E}$ (5.243)

$\Pr(Z_{8ME}) = \Pr(Z_{6ME})\,\frac{\mu_E}{\mu_M} + \Pr(Z_{1ME})\,\frac{\alpha_E\lambda_M}{\mu_M} \approx \Pr(Z_{1ME})\left(\frac{\lambda_E}{\mu_E} + \alpha_E\right)\frac{\lambda_M}{\mu_M}$ (5.244)

$\Pr(Z_{9ME}) = \Pr(Z_{7ME})\,\frac{\mu_E}{\rho} + \Pr(Z_{8ME})\,\frac{\mu_M}{\rho} \approx \Pr(Z_{1ME})\left(\left(\frac{\lambda_M}{\mu_M} + \alpha_M\right)\frac{\lambda_E}{\rho} + \left(\frac{\lambda_E}{\mu_E} + \alpha_E\right)\frac{\lambda_M}{\rho}\right)$ (5.245)

$\Pr(MC_{16\ldots35}) = \Pr(D_M \wedge D_E) = \sum_{i=5}^{9}\Pr(Z_{iME}) \approx \frac{\lambda_M\lambda_E}{\mu_M^2} + \frac{\lambda_E\lambda_M}{\mu_E^2} + \left(\frac{\lambda_M}{\mu_M} + \alpha_M\right)\frac{\lambda_E}{\mu_E} + \left(\frac{\lambda_E}{\mu_E} + \alpha_E\right)\frac{\lambda_M}{\mu_M} + \left(\frac{\lambda_M}{\mu_M} + \alpha_M\right)\frac{\lambda_E}{\rho} + \left(\frac{\lambda_E}{\mu_E} + \alpha_E\right)\frac{\lambda_M}{\rho}$ (5.246)

$Fr(MC_{16\ldots35}) = Fr(D_M \wedge D_E) = Fr(Z_{9ME} \to Z_{1ME}) \approx \Pr(Z_{9ME})\,\rho \approx \left(\frac{\lambda_M}{\mu_M} + \alpha_M\right)\lambda_E + \left(\frac{\lambda_E}{\mu_E} + \alpha_E\right)\lambda_M$ (5.247)

5.11.10 Comparative study to Appendix 5.11.4 and 5.11.7

Steady states, Fig. 5.21

Precondition 2 is not fulfilled. The model in Fig. 5.21 is changed as follows: Failed components in the states $Z_{2EE}$ and $Z_{3EE}$ are repaired, thus $Z_{2EE} \to Z_{1EE}$ and $Z_{3EE} \to Z_{1EE}$ are added. The further assumptions are the same as in Appendix 5.11.4. The calculation with the pMp approach yields the following expressions.

The initial value is $\Pr(Z_{1EE}) \approx 1$.

$\Pr(Z_{2EE}) = \Pr(Z_{1EE})\,\frac{(1-\alpha_E-c_E)\lambda_E}{\mu_E + \lambda_E} \approx \Pr(Z_{1EE})\,\frac{\lambda_E}{\mu_E}$ (5.248)

$\Pr(Z_{3EE}) = \Pr(Z_{2EE})$ (5.249)

$\Pr(Z_{4EE}) = \Pr(Z_{2EE})\,\frac{\lambda_E}{\mu_E} + \Pr(Z_{1EE})\,\frac{c_E\lambda_E}{\mu_E} \approx \Pr(Z_{1EE})\left(\frac{\lambda_E}{\mu_E} + c_E\right)\frac{\lambda_E}{\mu_E}$ (5.250)

$\Pr(Z_{5EE}) = \Pr(Z_{4EE})$ (5.251)

$\Pr(Z_{6EE}) = \Pr(Z_{4EE})\,\frac{\mu_E}{\mu_E} + \Pr(Z_{1EE})\,\frac{\alpha_E\lambda_E}{\mu_E} \approx \Pr(Z_{1EE})\left(\frac{\lambda_E}{\mu_E} + c_E + \alpha_E\right)\frac{\lambda_E}{\mu_E}$ (5.252)

$\Pr(Z_{7EE}) = \Pr(Z_{6EE})$ (5.253)

$\Pr(Z_{8EE}) = \Pr(Z_{6EE})\,\frac{\mu_E}{\rho} + \Pr(Z_{7EE})\,\frac{\mu_E}{\rho} \approx 2\Pr(Z_{1EE})\left(\frac{\lambda_E}{\mu_E} + c_E + \alpha_E\right)\frac{\lambda_E}{\rho}$ (5.254)

$\Pr(MC_{36\ldots45}) = \Pr(D_E \wedge D_E) = \sum_{i=4}^{8}\Pr(Z_{iEE}) \approx 2\left(\left(\frac{\lambda_E}{\mu_E} + c_E\right)\frac{\lambda_E}{\mu_E} + \left(\frac{\lambda_E}{\mu_E} + c_E + \alpha_E\right)\frac{\lambda_E}{\mu_E} + \left(\frac{\lambda_E}{\mu_E} + c_E + \alpha_E\right)\frac{\lambda_E}{\rho}\right)$ (5.255)

$Fr(MC_{36\ldots45}) = Fr(D_E \wedge D_E) = Fr(Z_{8EE} \to Z_{1EE}) \approx \Pr(Z_{8EE})\,\rho \approx 2\left(\frac{\lambda_E}{\mu_E} + c_E + \alpha_E\right)\lambda_E$ (5.256)
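The frequency expressions of Appendices 5.11.8-5.11.10 (Eq. 5.238, 5.247 and 5.256) are short enough to be evaluated directly, and summing them over the minimal cuts gives the system rows of Table 5.6. The following Python script is an added example, not code from the book. The component data $\lambda_M$, $\mu_M$, $\lambda_E$, $\mu_E$ and $Fr(D_{TR})$ are assumed values, since Table 5.2 is not reproduced on this page; they were chosen so that the frequency rows of Table 5.6 are reproduced, which the script checks by recomputing the table for $\alpha_M = \alpha_E = c_E \in \{0, 0.01, 0.1\}$. The cut multiplicities 5, 10, 20, 10 are the factors in the left column of Table 5.6; MSUT is taken as $1/Fr(D_S)$, which is consistent with the MSUT row of Table 5.6.

```python
"""System failure frequency and MSUT of the mechatronic example (Appendices 5.11.8-5.11.10).

Added example, not part of the book. Implements Eq. 5.238, 5.247 and 5.256
(comparative case: failed components in Z_2/Z_3 are repaired, p_M = 0) and
sums them over the minimal cuts as in Table 5.6.
"""

# Assumed component data in h^-1 (Table 5.2 of the book is not on this page).
LAM_M, MU_M = 1e-5, 0.05     # mechanics: failure rate, repair rate (MTTR 20 h)
LAM_E, MU_E = 1e-6, 0.20     # electronics (ECC): failure rate, repair rate (MTTR 5 h)
FR_TR = 1e-10                # frequency of one data-bus (TR) down state, assumed

# Multiplicities of the minimal cuts, taken from the left column of Table 5.6.
N_TR, N_MM, N_ME, N_EE = 5, 10, 20, 10


def fr_mm(alpha_m, lam_m=LAM_M, mu_m=MU_M):
    """Eq. 5.238: Fr(D_M ∧ D_M) ≈ 2 (λ_M/μ_M + α_M) λ_M."""
    return 2.0 * (lam_m / mu_m + alpha_m) * lam_m


def fr_me(alpha_m, alpha_e, lam_m=LAM_M, mu_m=MU_M, lam_e=LAM_E, mu_e=MU_E):
    """Eq. 5.247: Fr(D_M ∧ D_E) ≈ (λ_M/μ_M + α_M) λ_E + (λ_E/μ_E + α_E) λ_M."""
    return (lam_m / mu_m + alpha_m) * lam_e + (lam_e / mu_e + alpha_e) * lam_m


def fr_ee(alpha_e, c_e, lam_e=LAM_E, mu_e=MU_E):
    """Eq. 5.256: Fr(D_E ∧ D_E) ≈ 2 (λ_E/μ_E + c_E + α_E) λ_E."""
    return 2.0 * (lam_e / mu_e + c_e + alpha_e) * lam_e


def system_frequency(x):
    """Fr(D_S) as the sum over all minimal cuts (Eq. 5.158) with α_M = α_E = c_E = x."""
    return N_TR * FR_TR + N_MM * fr_mm(x) + N_ME * fr_me(x, x) + N_EE * fr_ee(x, x)


def msut(fr_s):
    """Mean system up time, taken as 1/Fr(D_S) (down times negligible against up times)."""
    return 1.0 / fr_s


def table_row(x):
    """One column of Table 5.6 for α_M = α_E = c_E = x, keyed by the row labels."""
    fr_s = system_frequency(x)
    return {
        "5*Fr(D_TR)": N_TR * FR_TR,
        "10*Fr(DM^DM)": N_MM * fr_mm(x),
        "20*Fr(DM^DE)": N_ME * fr_me(x, x),
        "10*Fr(DE^DE)": N_EE * fr_ee(x, x),
        "Fr(D_S)": fr_s,
        "MSUT": msut(fr_s),
    }


if __name__ == "__main__":
    for x in (0.0, 0.01, 0.1):
        row = table_row(x)
        print(f"alpha = c = {x:<5}", "  ".join(f"{k} = {v:.3e}" for k, v in row.items()))
```

Two observations that the table alone does not show: with the assumed data the $\alpha$ terms overtake the $\lambda/\mu$ terms already at $\alpha = 0.01$ (since $\lambda_M/\mu_M = 2\cdot10^{-4}$), so the system frequency scales almost linearly with the human-error probability from there on; and the MSUT row is the reciprocal of the frequency row, which is why the three MSUT values differ by two orders of magnitude each.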
6 Uncertainty

6.1 Scope
6.2 Statistical concepts for the evaluation of uncertainty
6.2.1 Measures of central tendency
6.2.2 Measures of location
6.2.3 Measures of dispersion
6.3 Uncertainty evaluation in dependability analyses
6.4 Aleatory uncertainty (AU)
6.4.1 AU STEP 1. Identification
6.4.2 AU STEP 2. Formulation
6.4.3 AU STEP 3. Simulation: pdf f(t(US)) and f(t(DS))
6.4.4 AU STEP 4. Evaluation
6.4.4.1 Input indices for the examples
6.4.4.2 Simulation of components
6.4.4.3 Simulation of series systems
6.4.4.4 Simulation of parallel systems
6.4.4.5 AU conclusion
6.4.5 Approximation: Drenick’s Theorem
6.5 Epistemic uncertainty (EU)
6.5.1 EU STEP 1. Identification
6.5.2 EU STEP 2. Formulation
6.5.3 EU STEP 3. Simulation: pdf f(ti(US)), f(ti(DS)), and f(pr(DS))
6.5.4 EU STEP 4. Evaluation
6.5.4.1 Input indices for the examples
6.5.4.2 Simulation of components
6.5.4.3 Simulation of series systems
6.5.4.4 Simulation of parallel systems
6.5.4.5 EU conclusion
6.6 Combination of epistemic and aleatory uncertainty (EUAU)
6.6.1 EUAU STEP 1. Initial scenario
6.6.2 EUAU STEP 2. Formulation
6.6.3 EUAU STEP 3. Evaluation
6.6.3.1 EUAU simulation of measures of central tendency and location
6.6.3.2 EUAU conclusion
6.7 Framework of dependability evaluation approaches regarding
uncertainty
6.8 Appendix
6.8.1 AU algorithm of series systems, Fig. 6.3
6.8.2 AU algorithm of parallel systems, Fig. 6.4
6.8.3 EU algorithm of series systems
6.8.4 EU algorithm of parallel systems

© Springer International Publishing AG 2018 283


H.-D. Kochs, System Dependability Evaluation
Including S-dependency and Uncertainty,
DOI 10.1007/978-3-319-64991-7_6
Chapter 6 284

6.1 Scope

An overview of several case studies carried out for a variety of organizational and
industrial applications is given in [Rocquigny et al. 2008] . The focus of this book is
narrower, namely on quantitative uncertainty in system dependability evaluation to
complement the dependability approaches in the previous chapters.

Main conventional (standard) dependability evaluation approaches have been further developed in the previous chapters. The approaches are bounded by the following assumptions.

I. The dependability indices in the chapters so far represent mean values.

II. There is no uncertainty in the statistical data and knowledge.

Uncertainty is classified into the following two classes: Incompleteness (Definition 1.27) and indeterminacy (Definition 1.28). The difference between the two classes is not sharp, rather fuzzy or fluent (Fig. 1.6). Uncertainty can be categorized by its probabilistic properties as aleatory uncertainty (Definition 1.29) and epistemic uncertainty (Definition 1.30). Both types of uncertainty affect the determination of dependability.

An arithmetic mean value can be used as a measure of central tendency. If the de-
pendability indices are based only on mean values, as is the case of conventional
dependability evaluation procedures, the effects of its uncertain behavior cannot be
shown. To study the effects of uncertainty, measures of location and measures of
dispersion have to be considered apart from the central tendency. These measures
form the basis for dependability evaluation under consideration of aleatory and epi-
stemic uncertainty, which is the scope of this chapter.

6.2 Statistical concepts for the evaluation of uncertainty

A brief overview of the statistical concepts in this chapter is taken over from [Kongniratsaikul 2014]. Statistical methods are the foundation for obtaining valuable information through the analysis of data, e.g. they can yield estimations or forecasts about a large group of data under study through the examination of a smaller group of data. All members of this specified data group are called a population. Most of the time it is impractical or even impossible to address all members of a population, thus a subset of a population, called a sample, is observed instead.

Data is usually summarized and presented as a histogram, which represents the basis for the probability (density) function (pdf) and the (cumulative) distribution function (cdf). The purpose of the data presentation is to illustrate the data in a more understandable way. In order to describe characteristics of data, the following three different types of measures are commonly used: Measures of central tendency, measures of location, and measures of dispersion.

6.2.1 Measures of central tendency

The most frequently used measure of central tendency is the arithmetic mean, or simply the mean. One of the reasons for its popularity is its mathematical simplicity: it is the sum of the observations divided by the total number of observations [DeFusco et al. 2004], Eq. 3.1-2. A drawback of the mean is its sensitivity to extreme values, or more generally its dependence on the shape of the distribution. A few observations at extreme values may shift the mean significantly. In this case the mean may be misleading as a description of the data.

The second measure of central tendency is the median, which is the middle value (50 %) of a set of samples or of a population that has been sorted into ascending or descending order [DeFusco et al. 2004]. The median is not affected by extreme values. However, one drawback is that it does not describe the size and magnitude of the observations.

Another measure of central tendency is the mode, which is the most frequently occurring value in all observations [DeFusco et al. 2004]. In a histogram, the mode is always described by the highest bar. One drawback of the mode is that in a population or a set of samples there can be more than one mode, or even no mode at all.

There are other important measures such as the geometric mean, which describes the growth rate of the observations, or the harmonic mean, which describes the average of rates. More details of these measures can be found in [DeFusco et al. 2004, Kreyszig 1997, 2010, Yates et al. 2004].

6.2.2 Measures of location

It is often necessary to determine where specified proportions of the data lie. The most general approach is to describe these locations as quantiles. One of the most commonly used kinds of quantiles is the percentile.

Percentiles divide the data distribution into hundredths, and the x-th percentile is the value below which x percent of the observations lie. For instance, the tenth percentile is the location in the distribution with ten percent of the distribution spread below it.

In dependability engineering practice, quantiles and percentiles are usually used when a part of the data is highly scrutinized, e.g. the power stations below the fifth or tenth percentile of the entire set of power failure samples are inspected for the causes of the failures. Percentiles are used extensively in this book.

6.2.3 Measures of dispersion

Dispersion, or the scattering of data around the mean value, is another important measure for understanding the data itself. The simplest measure of dispersion is the range of the data, which is the difference between the minimum and the maximum values of the entire set of observations. However, the range can be affected by extreme values and may be misleading as a description of the data.

The most frequently used measure of dispersion is the variance, denoted by $\sigma^2$, or its square root, denoted as the standard deviation (S.D.). The mathematical formulas of the sample variance, the population variance, the sample standard deviation, and the population standard deviation respectively can be found in [DeFusco et al. 2004, Kreyszig 2010, Yates et al. 2004].

Sometimes only the conservative side of the dispersion is considered, especially when the distribution of the observations is not symmetric. The semivariance and the semi-standard deviation are the measures which are only concerned with the downside risk. If the distribution is not symmetric, it is called skewed. The skewness is a measure of asymmetry. The distribution is called positively skewed if it is skewed to the right, and negatively skewed if it is skewed to the left. This is illustrated in Fig. 6.1.

Kurtosis is a measure which describes whether the data is peaked or flat relative to a normal distribution [NIST/SEMATECH 2014]. The normal distribution has a kurtosis equal to 3; therefore it is more practical to use the excess kurtosis, which equals the kurtosis minus 3. A distribution with a positive excess kurtosis is more peaked and has more extreme values than the normal distribution, and a distribution with a negative excess kurtosis is less peaked and has fewer extreme values.

The focus in this book is on measures of central tendency and location of system dependability. Application of other measures can be found in [Kongniratsaikul 2014].
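The measures introduced in Chapter 6.2.1-6.2.3 are quickly computed for a sample of down times, which is also the kind of data the AU and EU steps later in this chapter operate on. The following Python script is an added example, not code from the book or from [Kongniratsaikul 2014]; the 20 repair durations in hours are a constructed sample with a long right tail (not data from the book), chosen so that mean, median and mode separate in the way Fig. 6.1 shows for a positive skew. The semivariance is taken over the observations above the mean, because for down times the long repairs are the unfavourable side; percentiles use linear interpolation between the order statistics.

```python
"""Measures of central tendency, location and dispersion (Chapter 6.2).

Added example, not part of the book. The sample below is constructed for
illustration only.
"""
from collections import Counter
import math

# Constructed sample: 20 repair durations t(DS) in hours with a long right tail.
DOWN_TIMES_H = [1.2, 1.5, 1.5, 2.0, 2.2, 2.5, 2.5, 2.5, 3.0, 3.1,
                3.4, 4.0, 4.5, 5.2, 6.0, 7.5, 9.0, 12.0, 18.0, 40.0]


def mean(xs):
    """Arithmetic mean (Chapter 6.2.1)."""
    return sum(xs) / len(xs)


def median(xs):
    """Middle value of the sorted sample; average of the two middle values for even n."""
    s = sorted(xs)
    n = len(s)
    mid = n // 2
    return s[mid] if n % 2 else (s[mid - 1] + s[mid]) / 2.0


def modes(xs):
    """All most frequent values; empty if every value occurs once (no mode)."""
    counts = Counter(xs)
    top = max(counts.values())
    if top == 1:
        return []
    return sorted(v for v, k in counts.items() if k == top)


def percentile(xs, p):
    """p-th percentile (0..100) with linear interpolation between order statistics."""
    s = sorted(xs)
    pos = (len(s) - 1) * p / 100.0
    lo = math.floor(pos)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def variance(xs, sample=True):
    """Sample variance (divisor n-1) or population variance (divisor n)."""
    m = mean(xs)
    ss = sum((x - m) ** 2 for x in xs)
    return ss / (len(xs) - 1 if sample else len(xs))


def semivariance(xs, above=True):
    """Dispersion of the unfavourable side only: for down times the values above the mean."""
    m = mean(xs)
    tail = [x for x in xs if (x > m if above else x < m)]
    return sum((x - m) ** 2 for x in tail) / len(xs)


def _central_moment(xs, k):
    m = mean(xs)
    return sum((x - m) ** k for x in xs) / len(xs)


def skewness(xs):
    """Third standardized moment; positive for a right tail (Fig. 6.1)."""
    return _central_moment(xs, 3) / _central_moment(xs, 2) ** 1.5


def excess_kurtosis(xs):
    """Fourth standardized moment minus 3, so that the normal distribution gives 0."""
    return _central_moment(xs, 4) / _central_moment(xs, 2) ** 2 - 3.0


def summary(xs):
    return {
        "mean": mean(xs), "median": median(xs), "modes": modes(xs),
        "p10": percentile(xs, 10), "p90": percentile(xs, 90),
        "std": math.sqrt(variance(xs)),
        "semi_std_above_mean": math.sqrt(semivariance(xs)),
        "skewness": skewness(xs), "excess_kurtosis": excess_kurtosis(xs),
    }


if __name__ == "__main__":
    for key, value in summary(DOWN_TIMES_H).items():
        print(f"{key:22s} {value}")
```

For this sample the mean (6.58 h) is pulled well above the median (3.25 h) and the mode (2.5 h) by the single 40 h repair, which is the positive-skew ordering of Fig. 6.1; the 90th percentile (12.6 h) is the kind of location measure the later chapters use instead of the mean when the long repairs are what the evaluation must bound.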
[Fig. 6.1: five sketched density curves. Standard normal distribution: mean, median and mode coincide. Negative skew: mean < median < mode. Positive skew: mode < median < mean. Negative excess kurtosis and positive excess kurtosis: each with mean, median and mode marked at the centre.]

Fig. 6.1. Skewness and kurtosis in probability distributions.

A number of publications regarding the consideration of uncertainty in dependability evaluation (Table 6.1) have been surveyed and reviewed concerning their approach and limitations. Later in this chapter, a dependability framework is introduced to overcome these limitations of the existing approaches.

6.3 Uncertainty evaluation in dependability analyses

The classification of uncertainty into aleatory and epistemic is commonly accepted. Most of the literature tries to deal with the difficulties by using different classes of probability, namely empirical probability, subjective probability, and a-priori probability.

Table 6.1 summarizes and compares characteristics of the frameworks under review and the proposed framework of uncertainty. The following table and text sections in this chapter are mainly taken over from [Kongniratsaikul 2014].

Table 6.1 columns, left to right: Uncertainty (Aleatory, Epistemic); Probability (Empirical, Subjective, A-priori); Dependability indices (full / partial); Statistical measures (Central tendency, Location or dispersion). The marks of each row are listed in column order; empty cells are omitted.

| Literature | Marks |
| [Coit et al. 2004, Coit et al. 2009, Tekiner et al. 2011] | X, X, partial, X, X |
| [Limbourg 2008, Limbourg et al. 2006, Limbourg et al. 2007a, Rocquigny 2008] | X, X, X, partial, X |
| [Heard et al. 2006] | X, X, X, partial, X, X |
| [Kochs et al. 2012, Kongniratsaikul 2009] | X, X, X, X, full, X |
| [Frank 1995, Frank 1996] | X, X, X, partial, X |
| Proposed framework | X, X, X, X, X, full, X, X |

Table 6.1. Comparison of the surveyed uncertainty frameworks and the proposed framework (last line) [Kongniratsaikul 2014].

A variety of dependability studies [Coit et al. 2004, Coit et al. 2009, Tekiner et al. 2011] mention the use of the measures of location and the measures of dispersion. Here, empirical probability has been applied extensively. However, these studies focused on aleatory uncertainty. Indeterminacy, or a lack of knowledge, has not been taken into consideration, and the epistemic uncertainty still remains.

Dempster-Shafer theory has been used to evaluate epistemic uncertainty [Limbourg et al. 2006, 2007a, b, Limbourg 2008, Rocquigny 2008]. Expert knowledge, a form of subjective probability, has been used to find the "upper bound" and "lower bound" of the dependability and undependability functions. The usage of empirical probability was not explicitly evaluated, and the aleatory uncertainty still remains. Most of the dependability indices except the frequency were evaluated by their central tendency.

In [Heard et al. 2006] and similarly in [Kongniratsaikul 2009], the system under consideration was in an early design stage. The parameters of the system undependability function were unknown. Thus, computer simulations were carried out to find a distribution or a confidence interval of the undependability function. These approaches showed that a-priori probability or a logical analysis can be used together with empirical probability to overcome epistemic uncertainty. A number of statistical measures of partial dependability indices are calculated in [Heard et al. 2006]. The dependability evaluation can be united with subjective probability in the form of expert knowledge [Kochs et al. 2012, Kongniratsaikul 2009].

It is important to note that the dependability evaluation in an early design stage is usually incorporated with a-priori probability or a logical analysis of the system design itself. This is consistent with [Frank 1995, Frank 1996], which considered systems in the design stage. The calculations were based on both empirical probability and a-priori probability.

So far, the existing frameworks of dependability evaluation either focus on aleatory uncertainty or on epistemic uncertainty, but not on both combined in the sense of Chapter 6.6. This stems from the different perspectives on uncertainty, and on whether the given knowledge is sufficient. If the knowledge is sufficient, one may treat the uncertainty due to the evaluation as aleatory. But, if the knowledge is not sufficient, subjective probability and a-priori probability have to be applied to resolve the epistemic uncertainty caused by the limited knowledge.

Unlike the existing works in the subject of uncertainty in dependability evaluation, both types of uncertainty in dependability analyses are described in this book based on the framework in [Kongniratsaikul 2014] and applied to several examples. Measures of central tendency and measures of location (Chapter 6.2) are used to quantify aleatory and epistemic uncertainty.

Further reports about uncertainty analyses of nuclear power plants are e.g. given in [Briggs 2008, OECD 2013].

6.4 Aleatory uncertainty (AU)

In this chapter, aleatory uncertainty is investigated with regards to dependability. The definition of aleatory uncertainty is given in Definition 1.29. In conventional dependability evaluation methods, where aleatory uncertainty is not regarded, the evaluation of dependability generally focuses on the mean values MTTF and MTTR of the components and MTTSF and MTTSR of the systems. These indices can be calculated with the approaches described in Chapter 2.

It can be assumed that two systems with similar MTTSF and MTTSR, but different component pdf *) of operating time to failure (ttf) and time to restoration (ttr) may have a different system dependability profile, which is reflected by their system pdf of operating time to system failure (ttsf) and time to system restoration (ttsr). Without the knowledge of the pdf of ttsf and ttsr, uncertainty of dependability indices is hidden (intrinsic or inherent), which can be subsumed under the term aleatory uncertainty (Definition 1.29). It can be uncovered by evaluation of measures of central tendency and location (and others), e.g. confidence intervals with min and max percentiles, median, and mean values. The AU approach can be divided into the 4 steps [Kongniratsaikul 2014], illustrated in Fig. 6.2.

Aleatory Uncertainty (AU), steps of Fig. 6.2:

AU STEP 1. Identification: empirical probability.
AU STEP 2. Formulation: formulation of the component pdf f(t(UC)) and f(t(DC)) with simulated random “real-times” t(UC) and t(DC) (ttf, ttr).
AU STEP 3. Simulation: simulation of the system pdf f(t(US)) and f(t(DS)).
AU STEP 4. Evaluation: evaluation of statistical measures (estimations) of the system indices.

Fig. 6.2. The process of dependability assessment under aleatory uncertainty.

*) Remark: No distinction is made between singular and plural notation of abbreviations (see List of symbols and abbreviations, Point 1).

6.4.1 AU STEP 1. Identification

Aleatory uncertainty is an inherent peculiarity of the items and occurs due to their statistical (random) behavior. It can be expressed by the pdf of randomly distributed up and down times of components and systems. Aleatory uncertainty cannot be suppressed by more accurate measurements. Therefore, a common characterisation of aleatory uncertainty is that it is irreducible.

6.4.2 AU STEP 2. Formulation

In this chapter the following acronyms and descriptions are used.

UC up state of component,
DC down state of component,
US up state of system,
DS down state of system,
Ti(UC) mean up time of component := mean operating time to component failure MTTF (IEC 192-05-11),
Ti(DC) mean down time of component := mean time to component restoration MTTR (IEC 192-07-23),
Ti(US) mean up time of system := mean operating time to system failure MTTSF (IEC 192-05-11),
Ti(DS) mean down time of system := mean time to system restoration MTTSR (IEC 192-07-23).

Other mean times in Fig. 1.2 (M...) can also be considered in a similar way.

The following short forms are used for textual description.

t(UC) ≡ ttf simulated random operating time to component failure (IEC 192-05-01) (input value),
t(DC) ≡ ttr simulated random time to component restoration (IEC 192-07-06) (input value),
t(US) ≡ ttsf simulated random operating time to system failure (IEC 192-05-01) (result),
t(DS) ≡ ttsr simulated random time to system restoration (IEC 192-07-06) (result).

With the given component pdf f(t(UC)) and f(t(DC)), the system pdf of the series and parallel systems and their indices can be simulated according to Fig. 6.3-4 with the associated algorithms in Appendix 6.8.1 and 6.8.2. The following pdf, which are often used in dependability studies, are briefly described.

Exponential distribution

The exponential distribution is the most widely used distribution in dependability evaluation of electronic items, because it represents ttf of units almost realistically [MIL-HDBK-217F 1991, TM 5-698-1 2007]. Another reason for its widespread use is its simple applicability. The exponential distribution is the necessary and sufficient condition for homogeneous Markov processes (Chapter 4). Nevertheless, restrictions must be observed when using the exponential distribution [Murphy et al. 2002]. Table 6.2 presents an overview of the exponential distribution with widely used parameters. Furthermore, a number of interesting parameters, e.g. skewness and kurtosis (Chapter 6.2), are described in the extensive literature.

Distribution: Exponential
pdf: $f(t \mid a) = a\,\exp(-a t)$, $t \ge 0$; $a > 0$ constant rate
Mean: $E[T] = \dfrac{1}{a}$
Standard deviation (S.D.): $\sigma_T = \dfrac{1}{a}$
Most applicable to: Electronic items ($a = \lambda, \mu$). Easily applicable, easy Markov modeling.

Table 6.2. Most commonly applied distribution in dependability evaluation.

Weibull distribution

The Weibull distribution often represents the ttf and ttr of mechanical and mechatronic items, pipelines, etc. better than the exponential distribution, e.g. [TM 5-698-1 2007, IWW 2012, Wallerath et al. 2014]. An introduction to mechanical dependability is given in [Dhillon et al. 1981]. However, the application to systems is difficult, and such systems cannot be modeled by a Markov process. Table 6.3 presents an overview of some widely used parameters of the Weibull distribution.

Distribution: Weibull
pdf: $f(t \mid \alpha,\beta) = \dfrac{\beta}{\alpha}\left(\dfrac{t}{\alpha}\right)^{\beta-1}\exp\left(-\left(\dfrac{t}{\alpha}\right)^{\beta}\right)$, $t \ge 0$
  $\alpha > 0$ scale parameter, $\beta > 0$ shape parameter
Mean: $E[T] = \alpha\,\Gamma\!\left(1 + \dfrac{1}{\beta}\right)$
Standard deviation (S.D.): $\sigma_T = \alpha\sqrt{\Gamma\!\left(1 + \dfrac{2}{\beta}\right) - \Gamma^2\!\left(1 + \dfrac{1}{\beta}\right)}$
Most applicable to: Mechanic and mechatronic items. Difficult to apply, not suitable for Markov modeling, exceptions in [Singh et al. 1977].

Table 6.3. Important distribution in dependability evaluation.

Fig. 6.7 shows that under similar E [ T ] ( ≡ MTTF or MTTR) the shape of pdf varies
greatly depending on the selection of β . β < 1 can be used for the distribution of
short ttf (e.g. early failure) and short ttr (e.g. reset, replacement), β = 1 (exponen-
tial pdf) for the failure and restoration behavior of electrical and electronic items
(constant failure and repair rate), β > 1 for the distribution of ttr.

Log-normal distribution

For repairable items, the Log-normal pdf can be used as an adequate pdf to represent distributions of ttr, e.g. [Edwin et al. 1978, Edwin et al. 1979a, Siemes 1980, NUREG 2001]. Table 6.4 presents an overview of Log-normal parameters.

Distribution: Log-normal
pdf: $f(t \mid \sigma,\mu) = \dfrac{1}{t\sqrt{2\pi}\,\sigma}\exp\left(-\dfrac{(\ln t - \mu)^2}{2\sigma^2}\right)$, $t > 0$
  $-\infty < \mu < \infty$ log mean, $\sigma \ge 0$ log standard deviation
Mean: $E[T] = \exp\left(\mu + \dfrac{\sigma^2}{2}\right)$
Standard deviation (S.D.): $\sigma_T = E[T]\sqrt{\exp(\sigma^2) - 1}$
Most applicable to: Power system items, transmission lines. Difficult to apply, not suitable for Markov modeling.

Table 6.4. Important distribution in dependability evaluation.

For determination of the estimations of f(t | …), E[T], σ_T, skewness, kurtosis, etc. based on the data gathered from samples or observed data, reference is made to the well-known literature.

6.4.3 AU STEP 3. Simulation: pdf f ( t ( U S ) ) and f ( t ( D S ) )

Input: Simulation of ttf and ttr according to their given pdf f(t(UC)) and f(t(DC)).
Output: Simulation of ttsf (f(t(US))) and ttsr (f(t(DS))). In addition, estimations of the measures: confidence intervals with min and max percentiles, namely t(US)min, t(US)max, t(DS)min, and t(DS)max (Fig. 6.5). Median, mean and the min-max boundary values are calculated in AU STEP 4. The basic algorithms are described in Appendix 6.8.1 and 6.8.2.

Basic series and parallel systems are selected to illustrate the evaluation of de-
pendability under aleatory uncertainty. (If the system is more complex, then the MC
approach can be used to reduce the complex network structure to simpler networks
of series and parallel structures (DBD, e.g. Chapter 3.6.3, Fig. 3.7)).

Series systems, Fig. 6.3, algorithm in Appendix 6.8.1

At the beginning of the simulation all components are assumed to be in the up state. Simulation sequence: tu1, tu2, tu3, ... . The next simulation starts at the shortest up time tu2, with td1, tu4, td2, tu5, and is continued until the next up time, here tu3, is exceeded. Then, the simulations continue with td3, tu6, td4, tu7, before the simulation sequence is switched to td5, tu8, td6, tu9, td7. In a series system each down state of a component causes the system down state, as pointed out in the system line in Fig. 6.3.

[Figure 6.3: timelines of components 1-3 and of the system. Simulation sequence (tu..., td...) and system simulation result (tSu..., tSd...). Component 1: tu1, td5, tu8, td7; component 2: tu2, td1, tu4, td2, tu5, td6, tu9; component 3: tu3, td3, tu6, td4, tu7; system line: tSu1 ... tSu7 and tSd1 ... tSd6. (tu1, tu2, tu3): 1st simulation sequence (start).]

Fig. 6.3. AU-simulation framework for series systems.

Parallel systems, Fig. 6.4, algorithm in Appendix 6.8.2

At the beginning of the simulation all components are assumed to be in the up state, analogous to series systems. The simulation sequence is described in detail in Fig. 6.4. If the down states of all components overlap, then the parallel system is in the down state, Fig. 6.4, b (tSd1). The decisive criterion for the down state is

$\min\{t_{u1}+t_{d1},\ t_{u2}+t_{d2},\ t_{u3}+t_{d3}\} > \max\{t_{u1},\ t_{u2},\ t_{u3}\}$ (6.1)

which has to be checked after each simulation. In the simulation procedure, the assumption

$t_u \gg t_d$, thus $t_u + t_d \approx t_u$ (6.2)

is made. It should be noted that the system state processes in Fig. 6.4-5 are non-Markov processes for non-exponential pdf (see also Fig. 4.8).
[Figure 6.4, timelines of components 1-3 and of the system.
Case a) ith simulation (tu1, tu2, tu3, td1, td2, td3): $\min\{t_{u1}+t_{d1},\ t_{u2}+t_{d2},\ t_{u3}+t_{d3}\} = t_{u1}+t_{d1}$, $\max\{t_{u1},\ t_{u2},\ t_{u3}\} = t_{u2}$, $t_{u1}+t_{d1} < t_{u2}$ ⇒ no system down state.
Case b) i+1st simulation (tu1, tu3, td1, td3), with the residual up time tu2res of component 2: $\min\{t_{u1}+t_{d1},\ t_{u2res}+t_{d2},\ t_{u3}+t_{d3}\} = t_{u2res}+t_{d2}$, $\max\{t_{u1},\ t_{u2res},\ t_{u3}\} = t_{u3}$, $t_{u2res}+t_{d2} > t_{u3}$ ⇒ system down state (system line: tSu1, tSd1). * Assumption $t_{u\ldots} \gg t_{d\ldots}$: neglect of td3res, the residual of the preceding td3 (case a).
Case c) i+2nd simulation (tu1, tu2, tu3, td1, td2, td3), analogous to case a).]

Fig. 6.4. AU-simulation framework for parallel systems.

With the algorithms in Appendix 6.8.1 and 6.8.2, f ( t ( U S ) ) and f ( t ( D S ) ) can be sim-
ulated and their indices evaluated.
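As an added example (not code from the book or its Appendix 6.8), the following Python script simulates t(US) = ttsf and t(DS) = ttsr for series and parallel systems of similar components with Weibull ttf and ttr, using a sweep over the components' down intervals instead of the sequence rules of Fig. 6.3-4, and evaluates the min 10 %, median, mean and max 90 % measures of AU STEP 4; the function names, the simulation horizon and the seed are my own assumptions.

```python
# Added example (not code from the book or its Appendix 6.8): Monte Carlo
# simulation of ttsf and ttsr for series and parallel systems of similar
# components whose ttf and ttr follow Weibull pdf (Table 6.3).
import math
import random
import statistics


def weibull_scale(mean_time, beta):
    """Weibull scale alpha for a given mean, from E[T] = alpha * Gamma(1 + 1/beta).
    beta = 1 gives the exponential pdf with alpha = mean_time (Table 6.2)."""
    return mean_time / math.gamma(1.0 + 1.0 / beta)


def component_down_intervals(horizon, mttf, beta_u, mttr, beta_d, rng):
    """Renewal process of one component up to `horizon`, starting in the up state.
    ttf = t(UC) ~ Weibull(alpha_u, beta_u), ttr = t(DC) ~ Weibull(alpha_d, beta_d).
    Returns the (start, end) pairs of the component's down intervals."""
    alpha_u = weibull_scale(mttf, beta_u)
    alpha_d = weibull_scale(mttr, beta_d)
    t, downs = 0.0, []
    while True:
        t += rng.weibullvariate(alpha_u, beta_u)  # simulated ttf
        if t >= horizon:
            break
        start = t
        t += rng.weibullvariate(alpha_d, beta_d)  # simulated ttr
        downs.append((start, min(t, horizon)))
        if t >= horizon:
            break
    return downs


def system_down_intervals(component_downs, k_down):
    """Sweep over all component down intervals. The system is down while at
    least `k_down` components are down at the same time: k_down = 1 is a
    series system (Fig. 6.3), k_down = number of components a parallel
    system (Fig. 6.4). Overlaps are exact, so Eq. 6.2 (t_u >> t_d) is not needed."""
    events = []
    for downs in component_downs:
        for start, end in downs:
            events.append((start, +1))
            events.append((end, -1))
    events.sort()  # at equal times an end (-1) is processed before a start (+1)
    n_down, sys_downs, sys_start = 0, [], None
    for t, delta in events:
        before = n_down
        n_down += delta
        if before < k_down <= n_down:
            sys_start = t  # system has just failed
        elif before >= k_down > n_down:
            sys_downs.append((sys_start, t))  # system has just been restored
    return sys_downs


def simulate_system(n_comp, k_down, horizon, mttf, beta_u, mttr, beta_d, seed=1):
    """Samples of t(US) = ttsf and t(DS) = ttsr for n_comp similar components.
    The horizon and seed are assumptions of this example, not values from the book."""
    rng = random.Random(seed)
    comps = [component_down_intervals(horizon, mttf, beta_u, mttr, beta_d, rng)
             for _ in range(n_comp)]
    ttsf, ttsr, last_up = [], [], 0.0
    for start, end in system_down_intervals(comps, k_down):
        ttsf.append(start - last_up)  # up period before this system failure
        ttsr.append(end - start)      # duration of the system down state
        last_up = end
    return ttsf, ttsr


def au_measures(samples):
    """AU STEP 4 measures of location: min 10 %, median, mean, max 90 %
    (confidence interval CI = [0.1, 0.9] as in Eq. 6.5)."""
    deciles = statistics.quantiles(samples, n=10, method="inclusive")
    return {"min10": deciles[0], "median": statistics.median(samples),
            "mean": statistics.fmean(samples), "max90": deciles[-1]}


if __name__ == "__main__":
    # Series system 10s with the input of Eq. 6.21: MTTF = 100,000 h, MTTR = 10 h,
    # Weibull beta = 3 for ttf and beta = 1 (exponential) for ttr.
    ttsf, ttsr = simulate_system(10, 1, 2.0e7, 100_000.0, 3.0, 10.0, 1.0)
    print("AU-10s-b3/1 ttsf:", au_measures(ttsf))  # mean close to MTTSF = 10,000 h
    print("AU-10s-b3/1 ttsr:", au_measures(ttsr))  # mean close to MTTSR = 10 h
```

For the parallel systems of Chapter 6.4.4.4 the same function is called with k_down equal to the number of components; a much longer horizon (or a shorter MTTF) is then needed, because system failures occur only when all down states overlap.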

[Figure 6.5: sketches of the system pdf f(t(US)) over t(US) ≡ ttsf and f(t(DS)) over t(DS) ≡ ttsr, with the marked indices t(US)min ≡ ttsf min, t(US)max ≡ ttsf max, t(US)mean ≡ Ti(US) =: MTTSF, and t(DS)min ≡ ttsr min, t(DS)max ≡ ttsr max, t(DS)mean ≡ Ti(DS) =: MTTSR.]

Fig. 6.5. System pdf with their indices (graphic is based on Fig. 6.15, red curves).

6.4.4 AU STEP 4. Evaluation

Based on the simulated f(t(US)) and f(t(DS)), the min-max boundary approach (Fig. 6.6) was developed to evaluate the interval tendency of the system dependability indices [Kongniratsaikul 2014].

Note that f(Pr(DS)) can also be evaluated on the basis of the simulated pairs tSuj and tSdj (Fig. 6.3-4), but it cannot be determined with the approximation approaches for AU and EUAU described in the following chapters. Thus, the min-max boundary approach is preferred, which yields easy-to-determine (rough) estimations for the limits Pr(DS)max and Pr(DS)min.

The confidence interval (CI) is defined as

$\Pr\big(t(U_S)_{min} \le t(U_S) \le t(U_S)_{max}\big) = CI\big(t(U_S)\big)$ (6.3)

$\Pr\big(t(D_S)_{min} \le t(D_S) \le t(D_S)_{max}\big) = CI\big(t(D_S)\big)$ (6.4)

CI is a value between 0 and 1.0.

Example
$CI(t(U_S)) = [0.1, 0.9] = 0.8$ (6.5)
$CI(t(D_S)) = [0.2, 0.8] = 0.6$ (6.6)

The combined CI for this example is

$[CI(t(U_S)),\ CI(t(D_S))] = [[0.1, 0.9],\ [0.2, 0.8]] = [0.8, 0.6]$ (6.7)

Interpretation: t(US) (ttsf) and t(DS) (ttsr) lie within the 80 % and 60 % confidence intervals, respectively.

The following constraint is introduced for calculation of useful min-max indices.

$t(U_S)_{max} > t(U_S)_{min} \gg t(D_S)_{max} > t(D_S)_{min} > 0$ (6.8)

The boundary system probabilities are

$\Pr(U_S)_{max} = \dfrac{t(U_S)_{max}}{t(U_S)_{max} + t(D_S)_{min}}$ (6.9)

$\Pr(U_S)_{min} = \dfrac{t(U_S)_{min}}{t(U_S)_{min} + t(D_S)_{max}}$ (6.10)

$\Pr(D_S)_{max} = \dfrac{t(D_S)_{max}}{t(U_S)_{min} + t(D_S)_{max}}$ (6.11)

$\Pr(D_S)_{min} = \dfrac{t(D_S)_{min}}{t(U_S)_{max} + t(D_S)_{min}}$ (6.12)

[Figure 6.6: f(t(US)) over t(US) with t(US)min and t(US)max marked; f(t(DS)) over t(DS) with t(DS)min and t(DS)max marked.]

Fig. 6.6. Calculation of min-max boundary indices (graphic is based on Fig. 6.15, red curves).

Now, it is obvious that the min and max values of Pr(DS) can be calculated by the following equations.

$\Pr(D_S)_{min} = 1 - \Pr(U_S)_{max}$ (6.13)

$\Pr(D_S)_{max} = 1 - \Pr(U_S)_{min}$ (6.14)

The frequency indices can be calculated in the same manner.

$\dfrac{\Pr(U_S)_{max}}{t(U_S)_{max}} = \dfrac{1}{t(U_S)_{max} + t(D_S)_{min}} = Fr(U_S)_{min}$ (6.15)

$\dfrac{\Pr(U_S)_{min}}{t(U_S)_{min}} = \dfrac{1}{t(U_S)_{min} + t(D_S)_{max}} = Fr(U_S)_{max}$ (6.16)

$Fr(D_S)_{max} \equiv Fr(U_S)_{max}$ (6.17)

$Fr(D_S)_{min} \equiv Fr(U_S)_{min}$ (6.18)

$\dfrac{\Pr(D_S)_{max}}{t(D_S)_{max}} = \dfrac{1}{t(U_S)_{min} + t(D_S)_{max}} = Fr(D_S)_{max}$ (6.19)

$\dfrac{\Pr(D_S)_{min}}{t(D_S)_{min}} = \dfrac{1}{t(U_S)_{max} + t(D_S)_{min}} = Fr(D_S)_{min}$ (6.20)
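As an added example (not code from the book), the min-max boundary indices of Eq. 6.9-6.20 evaluated in Python for the AU-10s-b1/1 percentiles of Table 6.6 (min 10 % and max 90 % of t(US) and t(DS)); the factor used to check the "≫" of Eq. 6.8 and the function names are my own assumptions.

```python
# Added example (not code from the book): min-max boundary indices of
# AU STEP 4 (Eq. 6.8-6.20) computed from the 10 % and 90 % percentiles
# of t(US) and t(DS). The sample input is the AU-10s-b1/1 row of Table 6.6.


def constraint_holds(tus_min, tus_max, tds_min, tds_max, factor=10.0):
    """Eq. 6.8: t(US)max > t(US)min >> t(DS)max > t(DS)min > 0.
    The '>>' is taken here as 'at least `factor` times larger' (own assumption)."""
    return tus_max > tus_min >= factor * tds_max and tds_max > tds_min > 0.0


def min_max_indices(tus_min, tus_max, tds_min, tds_max):
    """Boundary probabilities Eq. 6.9-6.12 and frequencies Eq. 6.15-6.18."""
    if not constraint_holds(tus_min, tus_max, tds_min, tds_max):
        raise ValueError("percentiles violate the ordering constraint of Eq. 6.8")
    ind = {
        "Pr(US)max": tus_max / (tus_max + tds_min),  # Eq. 6.9
        "Pr(US)min": tus_min / (tus_min + tds_max),  # Eq. 6.10
        "Pr(DS)max": tds_max / (tus_min + tds_max),  # Eq. 6.11
        "Pr(DS)min": tds_min / (tus_max + tds_min),  # Eq. 6.12
    }
    ind["Fr(US)min"] = ind["Pr(US)max"] / tus_max    # Eq. 6.15
    ind["Fr(US)max"] = ind["Pr(US)min"] / tus_min    # Eq. 6.16
    ind["Fr(DS)max"] = ind["Fr(US)max"]              # Eq. 6.17
    ind["Fr(DS)min"] = ind["Fr(US)min"]              # Eq. 6.18
    return ind


def identities_hold(ind, tds_min, tds_max, tol=1e-12):
    """Cross-checks implied by Eq. 6.9-6.12: the complements Eq. 6.13-6.14 and
    the down-state frequency forms Eq. 6.19-6.20."""
    return (abs(ind["Pr(DS)min"] - (1.0 - ind["Pr(US)max"])) < tol        # Eq. 6.13
            and abs(ind["Pr(DS)max"] - (1.0 - ind["Pr(US)min"])) < tol    # Eq. 6.14
            and abs(ind["Pr(DS)max"] / tds_max - ind["Fr(DS)max"]) < tol  # Eq. 6.19
            and abs(ind["Pr(DS)min"] / tds_min - ind["Fr(DS)min"]) < tol)  # Eq. 6.20


# Percentiles of AU-10s-b1/1 from Table 6.6 (t(US) and t(DS) in hours).
TABLE_6_6_B1 = {"tus_min": 1.05e3, "tus_max": 2.30e4, "tds_min": 1.06, "tds_max": 2.31e1}


if __name__ == "__main__":
    ind = min_max_indices(**TABLE_6_6_B1)
    for name, value in ind.items():
        print(f"{name}: {value:.3E}")  # Pr(US)min 9.785E-01, Pr(DS)max 2.153E-02, ...
    print("identities hold:",
          identities_hold(ind, TABLE_6_6_B1["tds_min"], TABLE_6_6_B1["tds_max"]))
```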

6.4.4.1 Input indices for the examples

Fig. 6.7 shows the different Weibull pdf of the components based on the following
examples.

Assumption for the series systems

MTTF = 100,000 h and MTTR = 10 h (6.21)

Assumption for the parallel systems

MTTF = 10,000 h and MTTR = 10 h (6.22)

Weibull pdf for ttf and ttr: β = 0.5, 1.0 (exponential), 3.0. The simulations are carried out with $10^6$ – $10^{11}$ samples, depending on the system structure. In the following figures b ≡ β.

[Figure 6.7: input pdf f(t(UC)) over t(UC) ≡ ttf (0 to 5·MTTF, MTTF marked) and f(t(DC)) over t(DC) ≡ ttr (0 to 5·MTTR, MTTR marked); y-axes from 0 to 2/MTTF and 2/MTTR with 1/MTTF and 1/MTTR marked. Curves: AU-1c-b05 (blue), AU-1c-b1 (black), AU-1c-b3 (red).]

Fig. 6.7. Weibull pdf of t(UC), t(DC) of AU-1c (input pdf).

6.4.4.2 Simulation of components

Table 6.8 shows the simulated pdf of the ttf and ttr of the components, modeled as a renewal process, Fig. 3.1. The simulations are carried out with the algorithms described in Appendix 6.8.1 and 6.8.2 (both algorithms yield the same result for 1c). Denotations such as AU-1c-b05/1 mean aleatory uncertainty of 1 component with β = 0.5 for the ttf pdf and β = 1 for the ttr pdf. The exponential distribution (β = 1) is used for ttr, which does not represent a restriction. Fig. 6.8 shows the simulated pdf, and Table 6.5 shows the estimations of the measures of central tendency and location.

[Figure 6.8: simulated f(t(UC)) over t(UC) ≡ ttf (0 to 5·MTTF, MTTF = 100,000 h), y-axis 0 to 2/MTTF: AU-1c-b05/1 (blue), AU-1c-b1/1 (black, grey), AU-1c-b3/1 (red). Simulated f(t(DC)) over t(DC) ≡ ttr (0 to 5·MTTR, MTTR = 10 h), y-axis 0 to 1/MTTR: AU-1c-b.../1 (black, grey), where .../ means almost independent of f(t(UC)).]

Fig. 6.8. Simulation of AU-1c with indices from Table 6.5.

Component input: f(t(UC)): Weibull β = 0.5, β = 1, β = 3, MTTF = 100,000 h; f(t(DC)): Weibull β = 1 (exponential), MTTR = 10 h.

1c, conventional calculation (MTTF ≡ Ti(UC), MTTR ≡ Ti(DC)):
         Ti(UC)/h   Ti(DC)/h   Pr(UC)      Pr(DC)      Fr(UC)/h^-1  Fr(DC)/h^-1
Mean     1.00E+05   1.00E+01   9.999E-01   9.999E-05   9.999E-06    9.999E-06

1c, AU simulation (1.0E+06 simulations) and AU min-max calculation:
             t(UC)/h    t(DC)/h    Pr(UC)      Pr(DC)     Fr(UC)/h^-1  Fr(DC)/h^-1
β = 0.5
  min 10%    5.56E+02   1.05E+00   9.60E-01    3.96E-06   3.77E-06     3.77E-06
  Median     2.40E+04   6.92E+00
  Mean       9.92E+04   1.00E+01   <1.00E+00   1.01E-04   1.01E-05     1.01E-05
  max 90%    2.65E+05   2.30E+01   <1.00E+00   3.97E-02   1.73E-03     1.73E-03
β = 1.0
  min 10%    1.06E+04   1.05E+00   9.98E-01    4.57E-06   4.35E-06     4.35E-06
  Median     6.92E+04   6.90E+00
  Mean       1.00E+05   9.98E+00   <1.00E+00   9.98E-05   1.00E-05     1.00E-05
  max 90%    2.30E+05   2.30E+01   <1.00E+00   2.17E-03   9.41E-05     9.41E-05
β = 3.0
  min 10%    5.28E+04   1.06E+00   <1.00E+00   7.16E-06   6.76E-06     6.76E-06
  Median     9.90E+04   6.91E+00
  Mean       1.00E+05   9.99E+00   <1.00E+00   9.99E-05   1.00E-05     1.00E-05
  max 90%    1.48E+05   2.30E+01   <1.00E+00   4.35E-04   1.89E-05     1.89E-05

Table 6.5. Estimations of AU-1c-b05/1, AU-1c-b1/1, and AU-1c-b3/1 (renewal process, Fig. 4.1-2; ttr is exponentially distributed in all variants).

6.4.4.3 Simulation of series systems

The following series systems are simulated using the algorithm in Appendix 6.8.1. The examples contain 10 and 100 similar components, and for comparison 1, 2, 3, 5, and 10 similar components, as illustrated in Fig. 6.9. These systems cover a wide range of applications (e.g. 1, 2, 3, 5, ... 10, and 100 MC).

[Figure 6.9: DBD of a series system US with components U1, U2, ..., Um; m = 1, 10, 100 and, for comparison, m = 1, 2, 3, 5, 10; MC of 1st order.]

Fig. 6.9. DBD examples of series systems.

Overview of the simulations

System 10s: Fig. 6.10, Table 6.6-7
System 100s: Fig. 6.11, Table 6.8-9
System 1, 2, 3, 5, 10s: Fig. 6.12, Table 6.10
System 10 different c: Fig. 6.13, Table 6.11-13

[Figure 6.10: f(t(US)) over t(US)/h ≡ ttsf (0 to 5·MTTSF, MTTSF = 10,000 h), y-axis 0 to 2/MTTSF: AU-10s-b05/1 (blue), AU-10s-b1/1 (black), AU-10s-b3/1 (red), t(US) exponential curve (grey) for comparison. f(t(DS)) over t(DS) ≡ ttsr (0 to 5·MTTSR, MTTSR = 10.00450 h), y-axis 0 to 1/MTTSR: AU-10s-b.../1 (black), nearly independent of t(US), nearly identical with the t(DS) exponential curve (grey).]

Fig. 6.10. Simulation of AU-10s with indices from Table 6.6-7.

Component input: f(t(UC)): Weibull β = 0.5, β = 1, β = 3, MTTF = 100,000 h; f(t(DC)): Weibull β = 1 (exponential), MTTR = 10 h.

10s, conventional calculation (MTTSF ≡ Ti(US) = 1.00E+04 h, MTTSR ≡ Ti(DS) = 1.000450E+01 h):
         Ti(US)/h   Ti(DS)/h   Pr(US)      Pr(DS)     Fr(US)/h^-1  Fr(DS)/h^-1
Mean     1.00E+04   1.00E+01   9.99E-01    9.99E-04   9.99E-05     9.99E-05

10s, AU simulation (1.0E+06 simulations) and AU min-max calculation:
             t(US)/h    t(DS)/h    Pr(US)      Pr(DS)     Fr(US)/h^-1  Fr(DS)/h^-1
β = 0.5
  min 10%    3.07E+02   1.05E+00   9.30E-01    4.12E-05   3.92E-05     3.92E-05
  Median     5.01E+03   6.91E+00
  Mean       9.94E+03   9.99E+00   9.99E-01    1.00E-03   1.01E-04     1.01E-04
  max 90%    2.55E+04   2.30E+01   <1.00E+00   6.97E-02   3.03E-03     3.03E-03
β = 1.0
  min 10%    1.05E+03   1.06E+00   9.78E-01    4.61E-05   4.35E-05     4.35E-05
  Median     6.91E+03   6.92E+00
  Mean       9.98E+03   9.98E+00   9.99E-01    9.99E-04   1.01E-04     1.01E-04
  max 90%    2.30E+04   2.31E+01   <1.00E+00   2.15E-02   9.32E-04     9.32E-04
β = 3.0
  min 10%    1.16E+03   1.05E+00   9.81E-01    4.65E-05   4.42E-05     4.42E-05
  Median     7.39E+03   6.92E+00
  Mean       1.00E+04   9.98E+00   9.99E-01    9.97E-04   9.99E-05     9.99E-05
  max 90%    2.26E+04   2.30E+01   <1.00E+00   1.94E-02   8.45E-04     8.45E-04

Table 6.6. Estimations of AU-10s-b05/1, AU-10s-b1/1, and AU-10s-b3/1.

AU calculation (β = 1 for t(US) and t(DS)) and AU min-max calculation:
             t(US)/h    t(DS)/h    Pr(US)      Pr(DS)     Fr(US)/h^-1  Fr(DS)/h^-1
  min 10%    1.05E+03   1.05E+00   9.79E-01    4.57E-05   4.35E-05     4.35E-05
  Median     6.93E+03   6.93E+00
  Mean       1.00E+04   1.00E+01   9.99E-01    9.99E-04   9.99E-05     9.99E-05
  max 90%    2.30E+04   2.30E+01   <1.00E+00   2.14E-02   9.32E-04     9.32E-04

Table 6.7. Approximation of AU-10s by exponentially distributed ttsf and ttsr (t(US), t(DS)).

[Figure 6.11: f(t(US)) over t(US) ≡ ttsf (0 to 5·MTTSF, MTTSF = 1,000 h), y-axis 0 to 2/MTTSF: AU-100s-b05/1 (blue), AU-100s-b1/1 (black), AU-100s-b3/1 (red), t(US) exponential curve (grey) for comparison. f(t(DS)) over t(DS) ≡ ttsr (0 to 5·MTTSR, MTTSR = 10.04966 h), y-axis 0 to 1/MTTSR: AU-100s-b.../1 (black), nearly identical with the exponential curve of t(DS) (grey).]

Fig. 6.11. AU-100s with indices from Table 6.8-9.

Component input: f(t(UC)): Weibull β = 0.5, β = 1, β = 3, MTTF = 100,000 h; f(t(DC)): Weibull β = 1 (exponential), MTTR = 10 h.

100s, conventional calculation (MTTSF ≡ Ti(US) = 1.00E+03 h, MTTSR ≡ Ti(DS) = 1.004966E+01 h):
         Ti(US)/h   Ti(DS)/h   Pr(US)      Pr(DS)     Fr(US)/h^-1  Fr(DS)/h^-1
Mean     1.00E+03   1.00E+01   9.90E-01    9.95E-03   9.90E-04     9.90E-04

100s, AU simulation (1.0E+06 simulations) and AU min-max calculation:
             t(US)/h    t(DS)/h    Pr(US)      Pr(DS)     Fr(US)/h^-1  Fr(DS)/h^-1
β = 0.5
  min 10%    6.98E+01   1.05E+00   7.52E-01    4.39E-04   4.18E-04     4.18E-04
  Median     6.25E+02   6.91E+00
  Mean       9.91E+02   9.99E+00   9.90E-01    9.98E-03   9.99E-04     9.99E-04
  max 90%    2.39E+03   2.30E+01   <1.00E+00   2.48E-01   1.08E-02     1.08E-02
β = 1.0
  min 10%    1.05E+02   1.05E+00   8.20E-01    4.56E-04   4.35E-04     4.35E-04
  Median     6.91E+02   6.91E+00
  Mean       9.99E+02   9.99E+00   9.90E-01    9.90E-03   9.91E-04     9.91E-04
  max 90%    2.30E+03   2.30E+01   <1.00E+00   1.80E-01   7.81E-03     7.81E-03
β = 3.0
  min 10%    1.06E+02   1.05E+00   8.21E-01    4.56E-04   4.35E-04     4.35E-04
  Median     6.97E+02   6.91E+00
  Mean       1.00E+03   9.97E+00   9.90E-01    9.87E-03   9.90E-04     9.90E-04
  max 90%    2.30E+03   2.31E+01   <1.00E+00   1.79E-01   7.75E-03     7.75E-03

Table 6.8. Estimations of AU-100s-b05/1, AU-100s-b1/1, and AU-100s-b3/1.

AU calculation (β = 1 for t(US) and t(DS)) and AU min-max calculation:
             t(US)/h    t(DS)/h    Pr(US)      Pr(DS)     Fr(US)/h^-1  Fr(DS)/h^-1
  min 10%    1.05E+02   1.05E+00   8.20E-01    4.56E-04   4.35E-04     4.35E-04
  Median     6.93E+02   6.93E+00
  Mean       1.00E+03   1.00E+01   9.90E-01    9.90E-03   9.90E-04     9.90E-04
  max 90%    2.30E+03   2.30E+01   <1.00E+00   1.80E-01   7.81E-03     7.81E-03

Table 6.9. Approximation of AU-100s by exponentially distributed ttsf and ttsr (t(US), t(DS)).

Component input: f(t(UC)): Weibull β = 3, MTTF = 100,000 h for C = 1, 2, 3, 5, 10; f(t(DC)): Weibull β = 1 (exponential) and β = 3, MTTR = 10 h for C = 1, 2, 3, 5, 10.

Table 6.10. Input for AU simulation (similar components for each system version).

[Figure 6.12: f(t(US)) over t(US) ≡ ttsf (0 to 5·MTTSF), y-axis 0 to 1/MTTSF with 0.5/MTTSF marked: AU-1c-b3/1, AU-2s-b3/1, AU-3s-b3/1, AU-5s-b3/1, AU-10s-b3/1. f(t(DS)) over t(DS) ≡ ttsr (0 to 5·MTTSR, MTTSR ≈ MTTR), y-axis 0 to 1/MTTSR: one curve for all series systems with b3 down state pdf and one curve for all series systems with b1 down state pdf.]

Fig. 6.12. AU-simulation of various series systems.

Component input: f(t(UC)): Weibull β = 0.5, β = 1 (exp.), β = 3; for C = 10: MTTF = 10,000 h, 20,000 h, 30,000 h, 40,000 h, 50,000 h, 60,000 h, 70,000 h, 80,000 h, 90,000 h, 100,000 h. f(t(DC)): Weibull β = 1 (exponential), β = 3; MTTR = 10 h for all C.

Table 6.11. Input for AU-10s (various MTTF).

[Figure 6.13: f(t(US)) over t(US) ≡ ttsf (0 to 5·MTTSF, MTTSF = 3,414.172 h), y-axis 0 to 1/MTTSF with 0.5/MTTSF marked: AU-10s-b05/1-various MTTF (blue), AU-10s-b1/1-various MTTF (black), AU-10s-b3/1-various MTTF (red), t(US) exponential curve (grey) for comparison. f(t(DS)) over t(DS) ≡ ttsr (0 to 5·MTTSR, MTTSR = 10.01201 h), y-axis 0 to 1/MTTSR: AU-10s-b.../1 and AU-10s-b.../3.]

Fig. 6.13. Simulation of AU-10s with indices from Table 6.11-13.

10s, conventional calculation (MTTSF ≡ Ti(US) = 3.414172E+03 h, MTTSR ≡ Ti(DS) = 1.001201E+01 h):
         Ti(US)/h   Ti(DS)/h   Pr(US)      Pr(DS)     Fr(US)/h^-1  Fr(DS)/h^-1
Mean     3.41E+03   1.00E+01   9.97E-01    2.92E-03   2.92E-04     2.92E-04

10s, AU simulation (1.0E+06 simulations) and AU min-max calculation:
             t(US)/h    t(DS)/h    Pr(US)      Pr(DS)     Fr(US)/h^-1  Fr(DS)/h^-1
β = 0.5
  min 10%    8.18E+01   1.05E+00   7.81E-01    1.19E-04   1.13E-04     1.13E-04
  Median     1.58E+03   6.92E+00
  Mean       3.41E+03   1.00E+01   9.97E-01    2.92E-03   2.92E-04     2.92E-04
  max 90%    8.84E+03   2.30E+01   <1.00E+00   2.19E-01   9.54E-03     9.54E-03
β = 1.0
  min 10%    3.58E+02   1.04E+00   9.39E-01    1.32E-04   1.27E-04     1.27E-04
  Median     2.36E+03   6.92E+00
  Mean       3.41E+03   1.00E+01   9.97E-01    2.92E-03   2.92E-04     2.92E-04
  max 90%    7.85E+03   2.31E+01   <1.00E+00   6.06E-02   2.62E-03     2.62E-03
β = 3.0
  min 10%    4.34E+02   1.05E+00   9.50E-01    1.41E-04   1.34E-04     1.34E-04
  Median     2.69E+03   6.92E+00
  Mean       3.41E+03   9.98E+00   9.97E-01    2.92E-03   2.92E-04     2.92E-04
  max 90%    7.47E+03   2.30E+01   <1.00E+00   5.03E-02   2.19E-03     2.19E-03

Table 6.12. Estimations of AU-10s (various MTTF) according to Table 6.11.

AU calculation (β = 1 for t(US) and t(DS)) and AU min-max calculation:
             t(US)/h    t(DS)/h    Pr(US)      Pr(DS)     Fr(US)/h^-1  Fr(DS)/h^-1
  min 10%    3.60E+02   1.05E+00   9.40E-01    1.34E-04   1.27E-04     1.27E-04
  Median     2.37E+03   6.94E+00
  Mean       3.41E+03   1.00E+01   9.97E-01    2.92E-03   2.92E-04     2.92E-04
  max 90%    7.86E+03   2.30E+01   <1.00E+00   6.01E-02   2.61E-03     2.61E-03

Table 6.13. Approximation of AU-10s (various MTTF) by exponentially distributed ttsf and ttsr (t(US), t(DS)).

The steady-state mean values Pr(UC), Pr(DC), Ti(UC), Ti(DC), Fr(UC), and Fr(DC) (Table 6.5) of the components are independent of the shape of the pdf f(t(UC)) and f(t(DC)), see Appendix 4.6.1. Thus, the mean values Pr(US), Pr(DS), Ti(US), Ti(DS), Fr(US), and Fr(DS) of the systems in Table 6.6-13 (as well as the systems in Table 6.14-17) are also independent of the shape of the component pdf (contrary to median, min 10%, and max 90%, which depend on the pdf shape). The calculations are carried out with the Monte-Carlo integration approach, Appendix 6.8.1. Numerical errors can occur due to (minor) approximations in the algorithms, the discretization of the interval steps, the limited number of simulations and rounding errors. However, the main differences are because of the min-max boundary indices, which depend on the confidence intervals, Eq. 6.3-4, here [0.1, 0.9]. It can be seen that the smaller β is, the wider the min-max boundary indices become.

6.4.4.4 Simulation of parallel systems

Parallel systems are commonly used if high system dependability is required, Fig. 6.14. Therefore, parallel systems with two and three components are investigated. MTTF = 10,000 h, which is ten times shorter compared to the components of the series systems, is chosen in order to demonstrate the increase in system dependability in spite of lower component dependability. MTTR = 10 h is assumed for all components. The simulation of parallel systems is carried out using the algorithm in Appendix 6.8.2.

[Figure 6.14: DBD of parallel systems US with components U1, U2 (MC of 2nd order) and U1, U2, U3 (MC of 3rd order).]

Fig. 6.14. DBD examples of parallel systems.

Fig. 6.15-18 show the simulation curves and Table 6.14-17 the simulation results of the parallel systems.

Fig. 6.16 shows the short transition phase for AU-2p-b05/... and AU-2p-b3/..., which is insignificant regarding the objective of this book.

[Figure 6.15: f(t(US)) over t(US) ≡ ttsf (0 to 5·MTTSF, MTTSF = 5.010000E+06 h), y-axis 0 to 1/MTTSF: AU-2p-b05/... (blue), AU-2p-b1/... (black), AU-2p-b3/... (red), where /... means almost independent of f(t(DC)); t(US) exponential curve (grey) for comparison. f(t(DS)) over t(DS) ≡ ttsr (0 to 5·MTTSR, MTTSR = 5.000000 h), y-axis 0 to 1/MTTSR: AU-2p-b.../05 (blue), AU-2p-b.../1 (black), AU-2p-b.../3 (red), AU-2p-b.../deterministic (fixed) (red dashed), where .../ means almost independent of f(t(UC)); t(DS) exponential curve (grey) for comparison.]

Fig. 6.15. Simulation of AU-2p with indices from Table 6.14-15.

[Figure 6.16, transient phase of Fig. 6.15. f(t(US)) over t(US) ≡ ttsf from 0 to 1/100·MTTSF, y-axis 0 to 4/MTTSF (1/MTTSF and 2/MTTSF marked): AU-2p-b05/... (blue), AU-2p-b1/... (black), AU-2p-b3/... (red), /... almost independent of f(t(DC)); t(US) exponential curve (grey) for comparison.
AU-2p-b05/...: Pr(TS < 1/100·MTTSF) = F(1/100·MTTSF) = 2.22E-02
AU-2p-b1/...: Pr(TS < 1/100·MTTSF) = F(1/100·MTTSF) = 9.89E-03
AU-2p-b3/...: Pr(TS < 1/100·MTTSF) = F(1/100·MTTSF) = 8.87E-03
f(t(DS)) over t(DS) ≡ ttsr from 0 to 1/10·MTTSR, y-axis 0 to 4/MTTSR (1/MTTSR and 2/MTTSR marked): AU-2p-b.../05 (blue), AU-2p-b.../1 (black), AU-2p-b.../3 (red), .../ almost independent of f(t(UC)); t(DS) exponential curve (grey) for comparison.
AU-2p-b.../05: F(1/10·MTTSR) = 3.00E-01
AU-2p-b.../1: F(1/10·MTTSR) = 9.51E-02
AU-2p-b.../3: F(1/10·MTTSR) = 5.13E-03]

Fig. 6.16. Simulation of AU-2p transient phase of Fig. 6.15.

Component input:
f(t(UC)): Weibull β = 0.5, MTTF = 10,000 h; Weibull β = 1, MTTF = 10,000 h; Weibull β = 3, MTTF = 10,000 h
f(t(DC)): Exponential, MTTR = 10 h

2p Conventional calculation (pdf independent):
     | Ti(US)/h | Ti(DS)/h | Pr(US)    | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
Mean | 5.01E+06 | 5.00E+00 | <1.00E+00 | 9.98E-07 | 2.00E-07   | 2.00E-07
MTTSF ≡ Ti(US) = 5.01E+06 h, MTTSR ≡ Ti(DS) = 5.00E+00 h

2p AU simulation (t(US), t(DS); about 1.0E+05 relevant simulation samples out of 1.0E+08 simulations) and AU min-max-calculation (Pr, Fr):
        |         | t(US)/h  | t(DS)/h  | Pr(US)    | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
β = 0.5 | min 10% | 4.76E+05 | 5.23E-01 | <1.00E+00 | 4.39E-08 | 8.40E-08   | 8.40E-08
        | Median  | 3.51E+06 | 3.45E+00 |           |          |            |
        | Mean    | 5.18E+06 | 4.99E+00 | <1.00E+00 | 9.63E-07 | 1.93E-07   | 1.93E-07
        | max 90% | 1.19E+07 | 1.15E+01 | <1.00E+00 | 2.42E-05 | 2.10E-06   | 2.10E-06
β = 1.0 | min 10% | 5.30E+05 | 5.22E-01 | <1.00E+00 | 4.50E-08 | 8.62E-08   | 8.62E-08
        | Median  | 3.47E+06 | 3.46E+00 |           |          |            |
        | Mean    | 5.02E+06 | 4.98E+00 | <1.00E+00 | 9.92E-07 | 1.99E-07   | 1.99E-07
        | max 90% | 1.16E+07 | 1.15E+01 | <1.00E+00 | 2.17E-05 | 1.89E-06   | 1.89E-06
β = 3.0 | min 10% | 5.32E+05 | 5.34E-01 | <1.00E+00 | 4.60E-08 | 8.62E-08   | 8.62E-08
        | Median  | 3.49E+06 | 3.46E+00 |           |          |            |
        | Mean    | 4.99E+06 | 5.01E+00 | <1.00E+00 | 1.00E-06 | 2.00E-07   | 2.00E-07
        | max 90% | 1.16E+07 | 1.15E+01 | <1.00E+00 | 2.16E-05 | 1.88E-06   | 1.88E-06

Table 6.14. Estimations of AU-2p-b05/1, AU-2p-b1/1, and AU-2p-b3/1.

AU calculation (β = 1: t(US), t(DS)) and AU min-max-calculation (Pr, Fr):
        | t(US)/h  | t(DS)/h  | Pr(US)    | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
min 10% | 5.28E+05 | 5.27E-01 | <1.00E+00 | 4.58E-08 | 8.70E-08   | 8.70E-08
Median  | 3.47E+06 | 3.47E+00 |           |          |            |
Mean    | 5.01E+06 | 5.00E+00 | <1.00E+00 | 9.98E-07 | 2.00E-07   | 2.00E-07
max 90% | 1.15E+07 | 1.15E+01 | <1.00E+00 | 2.18E-05 | 1.89E-06   | 1.89E-06

Table 6.15. Approximation of AU-2p by exponentially distributed ttsf and ttsr (t(US), t(DS)).

[Fig. 6.17, upper panel: f(t(US)) over t(US) ≡ ttsf from 0 to 5·MTTSF (MTTSF = 3.343343E+09 h), vertical scale 0 to 1/MTTSF; curves AU-3p-b05/... (blue), AU-3p-b1/... (black), AU-3p-b3/... (red), almost independent of f(t(DC)); t(US) exponential curve (grey) for comparison.]
[Fig. 6.17, lower panel: f(t(DS)) over t(DS) ≡ ttsr from 0 to 5·MTTSR (MTTSR = 3.333333E+00 h), vertical scale 0 to 1/MTTSR; curves AU-3p-b.../05 (blue), AU-3p-b.../1 (black), almost independent of f(t(UC)); t(DS) exponential curve (grey) for comparison.]

Fig. 6.17. Simulation of AU-3p with indices from Table 6.16-17.

[Fig. 6.18, upper panel: f(t(DS)) over t(DS) ≡ ttsr from 0 to 5·MTTSR (MTTSR = 3.333333E+00 h), vertical scale 0 to 1/MTTSR; curve AU-3p-b.../3 (red), almost independent of f(t(UC)); t(DS) exponential curve (grey) for comparison.]
[Fig. 6.18, lower panel: same axes; curve AU-3p-b.../deterministic repair (blue), almost independent of f(t(UC)); t(DS) exponential curve (grey) for comparison.]

Fig. 6.18. Simulation of AU-3p with indices from Table 6.16-17.


Component input:
f(t(UC)): Weibull β = 0.5, MTTF = 10,000 h; Weibull β = 1, MTTF = 10,000 h; Weibull β = 3, MTTF = 10,000 h
f(t(DC)): Exponential, MTTR = 10 h

3p Conventional calculation (pdf independent):
     | Ti(US)/h | Ti(DS)/h | Pr(US)    | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
Mean | 3.34E+09 | 3.33E+00 | <1.00E+00 | 9.97E-10 | 2.99E-10   | 2.99E-10
MTTSF ≡ Ti(US) = 3.343343E+09 h, MTTSR ≡ Ti(DS) = 3.333333E+00 h

3p AU simulation (t(US), t(DS); about 1.0E+04 relevant simulation samples out of 1.0E+11 simulations) and AU min-max-calculation (Pr, Fr):
        |         | t(US)/h  | t(DS)/h  | Pr(US)    | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
β = 0.5 | min 10% | 3.40E+08 | 3.00E-01 | <1.00E+00 | 3.55E-11 | 1.18E-10   | 1.18E-10
        | Median  | 2.40E+09 | 2.34E+00 |           |          |            |
        | Mean    | 3.68E+09 | 3.13E+00 | <1.00E+00 | 8.51E-10 | 2.72E-10   | 2.72E-10
        | max 90% | 8.46E+09 | 7.80E+00 | <1.00E+00 | 2.29E-08 | 2.94E-09   | 2.94E-09
β = 1.0 | min 10% | 3.50E+08 | 3.60E-01 | <1.00E+00 | 4.78E-11 | 1.32E-10   | 1.32E-10
        | Median  | 2.32E+09 | 2.21E+00 |           |          |            |
        | Mean    | 3.23E+09 | 3.21E+00 | <1.00E+00 | 9.94E-10 | 3.10E-10   | 3.10E-10
        | max 90% | 7.53E+09 | 8.16E+00 | <1.00E+00 | 2.33E-08 | 2.86E-09   | 2.86E-09
β = 3.0 | min 10% | 3.65E+08 | 3.65E-01 | <1.00E+00 | 4.66E-11 | 1.28E-10   | 1.28E-10
        | Median  | 2.31E+09 | 2.29E+00 |           |          |            |
        | Mean    | 3.45E+09 | 3.34E+00 | <1.00E+00 | 9.68E-10 | 2.90E-10   | 2.90E-10
        | max 90% | 7.84E+09 | 7.73E+00 | <1.00E+00 | 2.12E-08 | 2.74E-09   | 2.74E-09

Table 6.16. Estimations of AU-3p-b05/1, AU-3p-b1/1, and AU-3p-b3/1.

AU calculation (β = 1: t(US), t(DS)) and AU min-max-calculation (Pr, Fr):
        | t(US)/h  | t(DS)/h  | Pr(US)    | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
min 10% | 3.52E+08 | 3.51E-01 | <1.00E+00 | 4.56E-11 | 1.30E-10   | 1.30E-10
Median  | 2.32E+09 | 2.31E+00 |           |          |            |
Mean    | 3.34E+09 | 3.33E+00 | <1.00E+00 | 9.97E-10 | 2.99E-10   | 2.99E-10
max 90% | 7.70E+09 | 7.68E+00 | <1.00E+00 | 2.18E-08 | 2.84E-09   | 2.84E-09

Table 6.17. Approximation of AU-3p by exponentially distributed ttsf and ttsr (t(US), t(DS)).

6.4.4.5 AU conclusion

1. The definition of aleatory uncertainty is given in Definition 1.29. The exclusive use of the mean values MTTF and MTTR as well as MTTSF and MTTSR hides the uncertainty of the dependability parameters, e.g. median, min10%, max90%, or other measures. To uncover uncertainty, the determination of the system pdf of ttsf and ttsr is necessary.

2. In applications, the minx% value may be of interest to assure a dependability level of at least (100-x)%.
Example
Table 6.14, AU-2p-b3/1, t(US)min10% = 5.32E+05h means that with a probability of 0.9, the system up time is greater than 5.32E+05h, or with a probability of 0.1, less than 5.32E+05h. t(US)median = 3.49E+06h means that with a probability of 0.5, the system up time will be greater than (or less than) 3.49E+06h.
Remark to the notation: AU-2p-b3/1 means aleatory uncertainty of a system with two parallel components with the Weibull parameter β = 3.0 for ttf and β = 1.0 (exponential) for the distribution of ttr.

The median always has a probability of 0.5, whereas the probability of the mean depends on the shape of the pdf, Fig. 6.1. Mean values are the basic indices of the conventional system approaches of Chapters 3 and 4.

3. Besides the basic AU indices of ttsf and ttsr (Point 1), which can be simulated with high accuracy, the min and max percentiles of Pr(US), Pr(DS), Fr(US), and Fr(DS) can only be estimated roughly with the min-max boundary approach.

4. The pdf of ttsf of series systems depends on the number of components (≡ the number of MC). With an increasing number of components the pdf of ttsf tends to be exponential, nearly independent of the pdf of ttf and ttr of the components (see the next Chapter 6.4.5).

5. pdf of ttsf of parallel systems: In AU-2p and AU-3p the pdf of ttsf tends to be exponential as well, nearly independent of the pdf of ttf and ttr of the components (after a short transient phase, Fig. 6.16).

6. pdf of ttsr of series systems: The system down state is determined by the down state of one component, which is due to the fact that in series systems MC of 1st order dominate over MC of higher order. Thus, f(t(DS)) ≈ f(t(DC)), assuming all components are similar.

7. If the spread of a component's ttr can be reduced, then the spread of the calculated system indices Pr(US), Pr(DS), Fr(US), and Fr(DS) can be reduced.
Example 1
Table 6.12, AU-10s-b3/1 (various MTTF of the components): Pr(DS) is in the range of [1.41E-04, 5.03E-02], assuming [CI(t(US)), CI(t(DS))] = [0.8, 0.8] (according to Eq. 6.7) (max/min factor: 357).
If the component's ttr can be determined (fixed) to 10 h, then the range of Pr(DS) will be narrowed to [1.34E-03, 2.25E-02], assuming [CI(t(US)), CI(t(DS))] = [0.8, 1.0] (max/min factor: 17).
Thus, the manipulation of the distribution of ttr has a potential for reducing the spread of the min-max boundary value.
Example 2
Table 6.14, AU-2p-b3/1: Pr(DS) is in the range of [4.60E-08, 2.16E-05], assuming [CI(t(US)), CI(t(DS))] = [0.8, 0.8] (max/min factor: 470).
If the component's ttr can be determined (fixed) to 10 h, then the range will be narrowed drastically to [8.62E-07, 1.88E-05], assuming [CI(t(US)), CI(t(DS))] = [0.8, 1.0] (max/min factor: 22).

A similar conclusion can be drawn when considering 3 components in parallel.

The examples demonstrate that Pr(DS)max and Pr(DS)min can be estimated on the basis of t(US)min, t(US)max, and a fixed t(DS)mean; however, they do not represent min-max boundary values.

8. Using the MC approach, a complex system structure can be reduced to simple series and parallel structures, which can be simulated and calculated with the described procedures.

9. As the previous chapters impressively show, the aleatory uncertainty of the series and the parallel systems can be approximated by exponentially distributed ttsf, which allows a simple-to-apply analytical calculation instead of elaborate simulations.

6.4.5 Approximation: Drenick’s Theorem

Point 9 of the last chapter is confirmed by Drenick's Theorem [Drenick 1960], which is based on the following conditions [Barlow et al. 1965, Kececioglu 2002, TM 5-698-1 2007].

1. The number n of similar components connected in series tends to infinity.
2. The operating time tends to infinity.
3. The components fail s-independently.
4. A failed component is replaced immediately by a new one of the same kind.

With these conditions, ttsf tends to be exponentially distributed, independent of the ttf distribution of each component. Thus, the shape of the ttf distributions of the components can remain unconsidered, since it is known that the overall system will fail exponentially, which simplifies the calculation effort to a great extent.

In the previous examples, exponential distributions according to Drenick's Theorem are applied, and they can also be applied to repairable components with ttf and ttr distributions (Table 6.7, 6.9, 6.13, 6.15, and 6.17). The deviations from the four constraints above are as follows.

5. Deviation from 1: The number n of components is finite (n « ∞).
6. Deviation from 2: The operating time is limited.
7. Deviation from 4: A failed component will be repaired or replaced, t_repair ≠ 0.
8. Extension: In redundant systems, ttsf and ttsr tend to be nearly exponentially distributed as well.

In the following, the exponential approximation will be discussed.

ttsf distribution

According to Drenick's Theorem, under the stated assumptions, the ttsf distribution of a series system is exponential with 1/λS = MTTSF, irrespective of the original ttf distribution of the components.

$$\Pr(T \ge t(U_S)) = e^{-\lambda_S\, t(U_S)} \tag{6.23}$$

$$t(U_S) = -\mathrm{MTTSF} \cdot \ln \Pr(T \ge t(U_S)) \tag{6.24}$$

T is the stochastic lifetime variable. The boundary values t(US)min and t(US)max of the confidence interval (0.8 in the examples, see Eq. 6.5) can be calculated using the equations

$$\Pr(T \ge t(U_S)_{\min}) = 0.9 \;\Rightarrow\; t(U_S)_{\min} = 0.105 \cdot \mathrm{MTTSF} \tag{6.25}$$

$$\Pr(T \ge t(U_S)_{\max}) = 0.1 \;\Rightarrow\; t(U_S)_{\max} = 2.303 \cdot \mathrm{MTTSF} \tag{6.26}$$

The calculated indices are shown in Table 6.7, 6.9, 6.13, 6.15, and 6.17. In most cases, they are nearly equal to the simulated results.

[Blischke et al. 2003] summarizes: "Why not simplify matters and assume that the component's time-to-failure distribution is exponential to begin with? ... Then there is no need for complicated data analysis procedures for parameter estimation, and a great deal of work can be avoided." Drenick's Theorem can be seen as a justification of the method of the MIL-HDBK 217, summing up the estimated failure rates of the electronic items. Nevertheless, one should proceed with caution if the constraints above are not completely fulfilled.
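As an added illustration of the exponential approximation (this is example code, not the book's simulation program), the following Python script simulates a series system of n similar s-independent components, each with Weibull-distributed ttf and immediate replacement on failure (conditions 1, 3 and 4 above), merges the component failure epochs into the system failure process and compares the resulting ttsf sample with Eq. 6.23-26: for an exponential distribution the coefficient of variation is 1, and the 10% and 90% percentiles are 0.105·MTTSF and 2.303·MTTSF. The component MTTF of 10,000 h and β = 3 follow Table 6.14-17; the simulation horizon, the warm-up period and the seed are assumed values.

```python
import math
import random
import statistics


def series_ttsf_sample(n, beta, mttf=10000.0, horizon=2.0e6, warmup=1.0e5, seed=1):
    """Simulate n similar s-independent components in series.

    Each component's ttf is Weibull(beta) with the requested MTTF, and a failed
    component is replaced immediately by a new one (renewal process), so the
    system fails whenever any component fails.  Returns the system
    inter-failure times (ttsf) observed after the warm-up period, which removes
    the transient of starting with all-new components.  Horizon, warm-up and
    seed are assumed values for this example.
    """
    rng = random.Random(seed)
    # Weibull scale eta such that the mean of the ttf equals the requested MTTF
    eta = mttf / math.gamma(1.0 + 1.0 / beta)
    failure_epochs = []
    for _ in range(n):
        t = 0.0
        while True:
            t += rng.weibullvariate(eta, beta)   # alpha = scale, beta = shape
            if t > horizon:
                break
            if t >= warmup:
                failure_epochs.append(t)
    failure_epochs.sort()
    return [b - a for a, b in zip(failure_epochs, failure_epochs[1:])]


def exponential_check(ttsf):
    """Compare a ttsf sample with the exponential approximation of Eq. 6.23-26.

    For an exponential distribution the coefficient of variation is 1, the 10%
    percentile (t(US)min of the 80% confidence interval) is 0.105*MTTSF and the
    90% percentile (t(US)max) is 2.303*MTTSF.
    """
    s = sorted(ttsf)
    mean = statistics.fmean(s)
    return {
        "mttsf": mean,
        "cv": statistics.pstdev(s) / mean,
        "q10_over_mttsf": s[int(0.10 * len(s))] / mean,   # exponential: 0.105
        "q90_over_mttsf": s[int(0.90 * len(s))] / mean,   # exponential: 2.303
    }


def drenick_demo(beta=3.0, sizes=(1, 50)):
    """Run the check for a single component and for a 50-component series system."""
    return {n: exponential_check(series_ttsf_sample(n, beta)) for n in sizes}


if __name__ == "__main__":
    for n, r in drenick_demo().items():
        print(f"n={n:3d}: MTTSF={r['mttsf']:.0f} h, CV={r['cv']:.2f}, "
              f"q10/MTTSF={r['q10_over_mttsf']:.3f}, q90/MTTSF={r['q90_over_mttsf']:.3f}")
```

For the single component the sample is simply the Weibull ttf (CV about 0.36, percentile ratios about 0.53 and 1.48); for the 50-component series system the CV is close to 1 and the percentile ratios close to 0.105 and 2.303, i.e. the superposed failure process is approximately exponential although no single component is. The mean ttsf is MTTF/n in both cases, which is the λS = n/MTTF of Eq. 6.23 for similar components.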

ttsr distribution

In series systems, the MC of 1st order dominate system failure. Combinations MC_i ∧ MC_j ∧ … are neglected. Thus, the ttsr distribution is nearly identical to the ttr distribution of one failed component, assuming that all components have the same ttr distribution.

Extension: ttsf and ttsr distribution of parallel systems

In redundant systems, ttsf and ttsr can also be estimated roughly by exponential distributions. Likewise, Eq. 6.23-26 are valid in an appropriate way.

6.5 Epistemic uncertainty (EU)

In this chapter the other type of uncertainty, namely epistemic uncertainty, is investigated. The definition of epistemic uncertainty is given in Definition 1.30. The process of dependability assessment under epistemic uncertainty can be divided into the 4 steps [Kongniratsaikul 2014] illustrated in Fig. 6.19.

Epistemic Uncertainty (EU)
EU STEP 1. Identification: Empirical, subjective, a-priori probability.
EU STEP 2. Formulation: Formulation of the component pdf f(ti(UC)) and f(ti(DC)) with simulated random mean times ti(UC) and ti(DC) (mttf and mttr).
EU STEP 3. Simulation: Simulation of the system pdf f(ti(US)), f(ti(DS)), and f(pr(DS)).
EU STEP 4. Evaluation: Evaluation of statistical measures (estimations) of the system indices.

Remark: t designates random/simulated real times (e.g. ttf, ttr, ttsf, and ttsr, Fig. 6.2); ti designates random/simulated mean times or durations (e.g. mttf, mttr, mttsf, and mttsr) (t and ti are uniformly used in all chapters).

Fig. 6.19. The process of dependability assessment under epistemic uncertainty.

6.5.1 EU STEP 1. Identification

Epistemic uncertainty is an extrinsic peculiarity of the items. The sources of epistemic uncertainty are usually, unlike those of aleatory uncertainty, not statistically interpreted and are commonly in a qualitative form. The use of the empirical probability depends on more or less limited quantitative information. The subjective probability and the a-priori probability can compensate for the lack of this quantitative information. A gain of information about the system or environmental factors can lead to a reduction of epistemic uncertainty. Therefore, a common feature of epistemic uncertainty is that it is reducible.

The most common form of epistemic uncertainty occurs when two or more dependability data sources give inconsistent conclusions, or two or more experts have a different understanding of the component and system behavior. The use of only one data source or one expert perspective may lead to a fallacy. Thus, two or more data sources, or two or more expert perspectives, have to be taken into account.

6.5.2 EU STEP 2. Formulation

The decisive difference between AU and EU lies in the formulation of STEP 2. Whereas AU is based on the simulation of assumed (or given) component pdf f(t(UC)) (ttf) and f(t(DC)) (ttr), EU is based on the simulation of estimated f(ti(UC)) (mttf) and f(ti(DC)) (mttr) (the other mean values M... in Fig. 1.2 can be applied in the same way, depending on the application). Thus, the algorithms for AU and EU are completely different, as is the interpretation of AU and EU. EU will be explained with the following simple example: Suppose that a component under consideration is measured by two experts. The first expert gives an estimation of MTTF = 50,000 h and MTTR = 15 h. The second expert gives a different estimation of MTTF = 150,000 h and MTTR = 5 h, and so on. There could be many reasons behind the dissimilarity; for instance, experts have different knowledge or may use different sources of dependability data or information [BfS 2005, D2.7].

The following acronyms are used in addition to those in Chapter 6.4.2 as a descriptive form.
ti(UC) ≡ mttf: simulated random mean operating time to component failure (IEC 192-05-11) (input value),
ti(DC) ≡ mttr: simulated random mean time to component restoration (IEC 192-07-23) (input value),
ti(US) ≡ mttsf: simulated random mean operating time to system failure (IEC 192-05-11) (result),
ti(DS) ≡ mttsr: simulated random mean time to system restoration (IEC 192-07-23) (result).
The cause of uncertainty can also lie in different data sources. In a simplified case of two contradictory data sources, each of the data sources yields its own conclusion of a mean value. The larger mean values are indicated as Ti(UC)max and Ti(DC)max, and the smaller as Ti(UC)min and Ti(DC)min. If the two given data sources have the same degree of trustworthiness, the most likely estimate of the true value must lie somewhere between the min and max values. Epistemic uncertainty makes the determination of the true mean value difficult.

The evaluation of dependability can be based upon the consideration of all possible outcomes for ti(UC) and ti(DC) of values between min and max. If the probabilities of the values are uniformly distributed, as illustrated in Fig. 6.20, the pdf can be described by Eq. 6.27-28. The uniform distribution can be seen as a worst case scenario [Kongniratsaikul 2014]. Any other pdf can also be applied if more knowledge and expertise is available.


$$f(ti(U_C)) = \begin{cases} \dfrac{1}{Ti(U_C)_{\max} - Ti(U_C)_{\min}}, & Ti(U_C)_{\min} \le Ti(U_C) \le Ti(U_C)_{\max} \\[1ex] 0, & \text{otherwise} \end{cases} \tag{6.27}$$

$$f(ti(D_C)) = \begin{cases} \dfrac{1}{Ti(D_C)_{\max} - Ti(D_C)_{\min}}, & Ti(D_C)_{\min} \le Ti(D_C) \le Ti(D_C)_{\max} \\[1ex] 0, & \text{otherwise} \end{cases} \tag{6.28}$$

[Fig. 6.20: two uniform pdf. Left: f(ti(UC)) over ti(UC) ≡ mttf, non-zero between Ti(UC)min and Ti(UC)max, with one simulated value ti(UC)i marked. Right: f(ti(DC)) over ti(DC) ≡ mttr, non-zero between Ti(DC)min and Ti(DC)max, with one simulated value ti(DC)i marked.]
ti(UC)i and ti(DC)i are simulated mean values of ti(UC) and ti(DC) of the simulation step i.

Fig. 6.20. Dependability indices under epistemic uncertainty, modeled as uniform distributions.

In the conventional dependability evaluation, mean values are used for the calcula-
tion of the dependability indices. In order to see how the epistemic uncertainty af-
fects the dependability indices, a computer simulation is developed to determine all
possible outcomes of the dependability indices in EU STEP 3. These indices are
compared to those calculated using conventional approaches in EU STEP 4.

6.5.3 EU STEP 3. Simulation: pdf f ( ti ( U S ) ) , f ( ti ( D S ) ) , and f ( pr ( D S ) )

The simulation algorithm for EU is simpler than the algorithm for AU, because EU is based on the simulated mean values mttf and mttr (Fig. 6.20) instead of ttf and ttr (Fig. 6.7). Algorithms are developed in Appendix 6.8.3 and 6.8.4. In the next section the epistemic uncertainty of ti(UC) and ti(DC) of each component is modeled as a uniform distribution between min and max values. Simulation samples of concrete mean values ti(UC)i and ti(DC)i are generated from these distributions. The calculation procedure of the algorithms is based on Eq. 3.8-11.

$$pr(U_C)_i = \frac{ti(U_C)_i}{ti(U_C)_i + ti(D_C)_i} \tag{6.29}$$

$$pr(D_C)_i = \frac{ti(D_C)_i}{ti(U_C)_i + ti(D_C)_i} \tag{6.30}$$

$$pr(U_C)_i + pr(D_C)_i = 1 \tag{6.31}$$

$$fr(U_C)_i = fr(D_C)_i = \frac{1}{ti(U_C)_i + ti(D_C)_i} \tag{6.32}$$

where i indicates the simulation sample. With a large number of simulation samples, the characteristics of the population, or all possible outcomes of component dependability indices, can be estimated. The system dependability indices of a series system with n s-independent components can be calculated directly from Eq. 3.20-26.
$$pr(U_S)_i = \prod_{C=1}^{n} pr(U_C)_i \tag{6.33}$$

$$pr(D_S)_i = 1 - pr(U_S)_i \tag{6.34}$$

$$ti(U_S)_i = \frac{1}{\sum_{C=1}^{n} \dfrac{1}{ti(U_C)_i}} \tag{6.35}$$

$$fr(U_S)_i = \frac{pr(U_S)_i}{ti(U_S)_i} \tag{6.36}$$

$$fr(D_S)_i = fr(U_S)_i \tag{6.37}$$

$$ti(D_S)_i = \frac{pr(D_S)_i}{fr(D_S)_i} \tag{6.38}$$

where i indicates the index of the simulation sample and n the total number of components.

In case of a parallel system with n s-independent components, the system dependability indices are calculated directly from Eq. 3.29-35 as follows.
$$pr(D_S)_i = \prod_{C=1}^{n} pr(D_C)_i \tag{6.39}$$

$$pr(U_S)_i = 1 - pr(D_S)_i \tag{6.40}$$

$$ti(D_S)_i = \frac{1}{\sum_{C=1}^{n} \dfrac{1}{ti(D_C)_i}} \tag{6.41}$$

$$fr(D_S)_i = \frac{pr(D_S)_i}{ti(D_S)_i} \tag{6.42}$$

$$fr(U_S)_i = fr(D_S)_i \tag{6.43}$$

$$ti(U_S)_i = \frac{pr(U_S)_i}{fr(U_S)_i} \tag{6.44}$$

If a system contains more complicated interconnections, the MC approach can be used to reduce the interconnection into a set of parallel and series systems as described in Chapter 3.6.3, Fig. 3.7 or Chapter 5.2, Fig. 5.1.

With the simulation samples, the histogram can be plotted as illustrated in the example in Fig. 6.21. These samples can be used to find the approximated pdf, estimations of mean values, confidence intervals, and other statistical measures of the simulated system.
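As an added example (not the algorithms of Appendix 6.8.3 and 6.8.4), the Python block below carries out EU STEP 2 and 3 for series and parallel systems of n similar components: mttf and mttr of every component are drawn from the uniform distributions of Eq. 6.27-28, the component and system indices of one simulation sample follow Eq. 6.29-44, and the sample is summarized by min 10%, median, mean and max 90%, the measures used in Table 6.19-29. The conventional calculation, which puts the arithmetic means into the same equations, is computed for comparison. The input ranges in the usage part are those of Table 6.18 (low EU, series); the sample size and the seed are assumed values.

```python
import math
import random
import statistics


def series_indices(ti_uc, ti_dc):
    """System indices of a series system, Eq. 6.33-38, for one simulation sample.

    ti_uc, ti_dc: simulated mean up/down times (mttf, mttr) of each component in h.
    """
    pr_uc = [u / (u + d) for u, d in zip(ti_uc, ti_dc)]   # Eq. 6.29
    pr_us = math.prod(pr_uc)                               # Eq. 6.33
    pr_ds = 1.0 - pr_us                                    # Eq. 6.34
    ti_us = 1.0 / sum(1.0 / u for u in ti_uc)              # Eq. 6.35
    fr_us = pr_us / ti_us                                  # Eq. 6.36
    fr_ds = fr_us                                          # Eq. 6.37
    ti_ds = pr_ds / fr_ds                                  # Eq. 6.38
    return {"ti_us": ti_us, "ti_ds": ti_ds, "pr_us": pr_us,
            "pr_ds": pr_ds, "fr_us": fr_us, "fr_ds": fr_ds}


def parallel_indices(ti_uc, ti_dc):
    """System indices of a parallel system, Eq. 6.39-44, for one simulation sample."""
    pr_dc = [d / (u + d) for u, d in zip(ti_uc, ti_dc)]   # Eq. 6.30
    pr_ds = math.prod(pr_dc)                               # Eq. 6.39
    pr_us = 1.0 - pr_ds                                    # Eq. 6.40
    ti_ds = 1.0 / sum(1.0 / d for d in ti_dc)              # Eq. 6.41
    fr_ds = pr_ds / ti_ds                                  # Eq. 6.42
    fr_us = fr_ds                                          # Eq. 6.43
    ti_us = pr_us / fr_us                                  # Eq. 6.44
    return {"ti_us": ti_us, "ti_ds": ti_ds, "pr_us": pr_us,
            "pr_ds": pr_ds, "fr_us": fr_us, "fr_ds": fr_ds}


STRUCTURES = {"series": series_indices, "parallel": parallel_indices}


def conventional(structure, n, mttf, mttr):
    """Conventional calculation: the arithmetic means are used as if they were exact."""
    return STRUCTURES[structure]([mttf] * n, [mttr] * n)


def eu_simulation(structure, n, mttf_range, mttr_range, samples=20000, seed=1):
    """EU STEP 3 and 4 for n similar components.

    mttf and mttr of every component are sampled from the uniform distributions
    of Eq. 6.27-28 (min, max given as ranges), the system indices are evaluated
    per sample, and min 10%, median, mean and max 90% of every index are
    returned.  Sample size and seed are assumed values for this example.
    """
    rng = random.Random(seed)
    calc = STRUCTURES[structure]
    rows = []
    for _ in range(samples):
        ti_uc = [rng.uniform(*mttf_range) for _ in range(n)]   # Eq. 6.27
        ti_dc = [rng.uniform(*mttr_range) for _ in range(n)]   # Eq. 6.28
        rows.append(calc(ti_uc, ti_dc))
    summary = {}
    for key in rows[0]:
        values = sorted(row[key] for row in rows)
        summary[key] = {
            "min10": values[int(0.10 * samples)],
            "median": statistics.median(values),
            "mean": statistics.fmean(values),
            "max90": values[int(0.90 * samples)],
        }
    return summary


if __name__ == "__main__":
    # EU-10s-low: inputs of Table 6.18 (low EU), 10 similar components in series
    conv = conventional("series", 10, 100000.0, 10.0)
    sim = eu_simulation("series", 10, (50000.0, 150000.0), (5.0, 15.0))
    for key in ("ti_us", "ti_ds", "pr_ds", "fr_ds"):
        s = sim[key]
        print(f"{key}: conventional {conv[key]:.3E} | min10 {s['min10']:.3E} "
              f"median {s['median']:.3E} mean {s['mean']:.3E} max90 {s['max90']:.3E}")
```

The conventional values reproduce the "Conventional calculation" rows of the tables (for example Ti(US) = 1.00E+04 h and Pr(DS) = 9.99E-04 for 10s-low, Ti(US) = 5.01E+06 h for 2p-low), while the simulated mean of ti(US) for 10s-low comes out below the conventional 1.00E+04 h, as in Table 6.21, because 1/Σ(1/ti(UC)i) is dominated by the components that happened to draw a small mttf. Other cases in the tables are obtained by changing the structure, n and the input ranges.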

[Fig. 6.21: example histogram of f(ti(US)), f(ti(DS)), f(pr(DS)) or f(fr(DS)) over the intervals j = 1, 2, 3, ..., n; the simulation step i in interval j yields the samples ti(US)i,j, ti(DS)i,j, pr(DS)i,j and fr(DS)i,j. Marked are min, max, the (arithmetic) mean and the confidence interval with its lower and upper boundary. Horizontal axes: ti(US) ≡ mttsf, ti(DS) ≡ mttsr, pr(DS), fr(DS). Estimated means:]
Ti(US) = E[ti(US)] ≡ MTTSF
Ti(DS) = E[ti(DS)] ≡ MTTSR
Pr(DS) = E[pr(DS)] ≡ NAv
Fr(DS) = E[fr(DS)]

Fig. 6.21. Example histogram, approximate pdf, and estimations of EU system dependability indices.

6.5.4 EU STEP 4. Evaluation

The following examples outline a broad spectrum of EU applications.

6.5.4.1 Input indices for the examples

Table 6.18 and 6.25 show the input indices for the series and parallel systems. Components with low EU (highlighted in blue) and high EU (highlighted in red) are analyzed in order to investigate their influence on basic series and parallel structures. At least 10^6 simulations are performed for the calculation of the indices of the series and parallel systems.

Component input for the series systems (low EU):
              | min/h  | max/h   | Arithmetic mean/h
Ti(UC) ≡ MTTF | 50,000 | 150,000 | 100,000
Ti(DC) ≡ MTTR | 5      | 15      | 10

Component input for the series systems (high EU):
              | min/h  | max/h     | Arithmetic mean/h
Ti(UC) ≡ MTTF | 10,000 | 1,000,000 | 505,000
Ti(DC) ≡ MTTR | 1      | 19        | 10

Table 6.18. Components of series systems with low and high EU.

6.5.4.2 Simulation of components

mttf and mttr of the components in Table 6.18 and 6.25 are assumed to be uniformly distributed according to Chapter 6.5.2. In contrast to AU-1c (Chapter 6.4.4.2), the EU-1c calculation is not modeled as a renewal process, but with the simulated mean values mttf and mttr. The same is valid for the EU systems (Note: Eq. 1.10-11 and 3.12-13 are not valid). Fig. 6.22 shows the simulated pdf of components with low and high uncertainty, and Table 6.19-20 show the related estimated indices.

[Fig. 6.22: three panels, each with the curves EU-1c-low and EU-1c-high. Upper: f(ti(UC)) over ti(UC) ≡ mttf from 0 to 2.5·MTTF, vertical scale 0 to 2/MTTF. Middle: f(ti(DC)) over ti(DC) ≡ mttr from 0 to 2.5·MTTR, vertical scale 0 to 2/MTTR. Lower: f(pr(DC)) over pr(DC) from 0 to 5·Pr(DC), vertical scale 0 to 1/Pr(DC).]

Remark: f(fr(DC)) is not plotted in this figure and the following ones.

Fig. 6.22. EU-1c with low and high uncertainty.

Component input (low EU) for the series systems:
     | min/h  | max/h   | Arithmetic mean/h
MTTF | 50,000 | 150,000 | 100,000
MTTR | 5      | 15      | 10

1c Conventional calculation (uncertainty not regarded):
     | Ti(UC)/h | Ti(DC)/h | Pr(UC)    | Pr(DC)   | Fr(UC)/h⁻¹ | Fr(DC)/h⁻¹
Mean | 1.00E+05 | 1.00E+01 | <1.00E+00 | 1.00E-04 | 1.00E-05   | 1.00E-05
MTTF ≡ Ti(UC), MTTR ≡ Ti(DC)

1c EU simulation:
        | Ti(UC)/h | Ti(DC)/h | Pr(UC)    | Pr(DC)   | Fr(UC)/h⁻¹ | Fr(DC)/h⁻¹
min 10% | 6.00E+04 | 6.00E+00 | <1.00E+00 | 5.55E-05 | 7.14E-06   | 7.14E-06
Median  | 9.99E+04 | 9.99E+00 | <1.00E+00 | 9.99E-05 | 1.00E-05   | 1.00E-05
Mean    | 1.00E+05 | 1.00E+01 | <1.00E+00 | 1.10E-04 | 1.10E-05   | 1.10E-05
max 90% | 1.40E+05 | 1.40E+01 | <1.00E+00 | 1.80E-04 | 1.67E-05   | 1.67E-05

Table 6.19. EU-1c-low.

Component input (high EU) for the series systems:
     | min/h  | max/h     | Arithmetic mean/h
MTTF | 10,000 | 1,000,000 | 505,000
MTTR | 1      | 19        | 10

1c Conventional calculation (uncertainty not regarded):
     | Ti(UC)/h | Ti(DC)/h | Pr(UC)    | Pr(DC)   | Fr(UC)/h⁻¹ | Fr(DC)/h⁻¹
Mean | 5.05E+05 | 1.00E+01 | <1.00E+00 | 1.98E-05 | 1.98E-06   | 1.98E-06
MTTF ≡ Ti(UC), MTTR ≡ Ti(DC)

1c EU simulation:
        | Ti(UC)/h | Ti(DC)/h | Pr(UC)    | Pr(DC)   | Fr(UC)/h⁻¹ | Fr(DC)/h⁻¹
min 10% | 1.09E+05 | 2.79E+00 | <1.00E+00 | 5.33E-06 | 1.11E-06   | 1.11E-06
Median  | 5.05E+05 | 1.00E+01 | <1.00E+00 | 1.98E-05 | 1.98E-06   | 1.98E-06
Mean    | 5.05E+05 | 1.00E+01 | <1.00E+00 | 4.67E-05 | 4.67E-06   | 4.67E-06
max 90% | 9.01E+05 | 1.72E+01 | <1.00E+00 | 9.17E-05 | 9.20E-06   | 9.20E-06

Table 6.20. EU-1c-high.

6.5.4.3 Simulation of series systems

In this chapter series systems (Fig. 6.9) with 10 and 100 components are investigated. The series systems represent 10 or 100 MC (Fig. 5.1). The systems are evaluated with low and high EU parameters. For simplicity, each system is composed of a number of similar components. Calculated are measures of central tendency such as mean and median as well as measures of location such as min-max percentiles and min-max boundary values to determine the confidence interval. The book focuses on the 80% confidence interval. For other measures such as variance, S.D., skewness, and excess kurtosis see [Kongniratsaikul 2014]. The results of the simulations are histograms (≡ approximated pdf).

Fig. 6.23-24 show the simulated f(ti(US)), f(ti(DS)), and f(pr(DS)) of the components and the systems with similar components, referred to as EU-1c-low, EU-10s-low, EU-100s-low (blue), EU-1c-high, EU-10s-high, and EU-100s-high (red). To compare the tendency of EU, each figure contains all three variants of each category (low and high) based on MTTSF and MTTSR. Thus, the effect of EU on the systems is comparable.

Table 6.21-24 show both the analytically calculated values (grey) and the simulated values (blue and red).

The simulations are carried out with the algorithm described in Appendix 6.8.3.

[Fig. 6.23: three panels with the curves EU-1c-low (component), EU-10s-low and EU-100s-low; arrows mark the tendency of an increasing number of components. Upper: f(ti(US)) over ti(US) ≡ mttsf from 0 to 2.5·MTTSF, vertical scale 0 to 4/MTTSF. Middle: f(ti(DS)) over ti(DS) ≡ mttsr from 0 to 2.5·MTTSR, vertical scale 0 to 4/MTTSR. Lower: f(pr(DS)) over pr(DS) from 0 to 5·Pr(DS), vertical scale 0 to 2/Pr(DS).]

Fig. 6.23. EU-series systems with low uncertainty, Table 6.21-22 (MTTSF, MTTSR, Pr(DS) are calculated indices, disregarding uncertainties).

Component input (low EU) for the series systems:
     | min/h  | max/h   | Arithmetic mean/h
MTTF | 50,000 | 150,000 | 100,000
MTTR | 5      | 15      | 10

10s Conventional calculation (uncertainty not regarded):
     | Ti(US)/h | Ti(DS)/h | Pr(US)    | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
Mean | 1.00E+04 | 1.00E+01 | <1.00E+00 | 9.99E-04 | 9.99E-05   | 9.99E-05
MTTSF ≡ Ti(US), MTTSR ≡ Ti(DS)

10s EU simulation:
        | Ti(US)/h | Ti(DS)/h | Pr(US)   | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
min 10% | 8.02E+03 | 8.85E+00 | 9.99E-01 | 1.02E-03 | 9.56E-05   | 9.56E-05
Median  | 9.14E+03 | 1.01E+01 | 9.99E-01 | 1.09E-03 | 1.09E-04   | 1.09E-04
Mean    | 9.20E+03 | 1.01E+01 | 9.99E-01 | 1.10E-03 | 1.10E-04   | 1.10E-04
max 90% | 1.05E+04 | 1.13E+01 | 9.99E-01 | 1.18E-03 | 1.25E-04   | 1.25E-04

Table 6.21. EU-10s-low.

Component input (low EU) for the series systems:
     | min/h  | max/h   | Arithmetic mean/h
MTTF | 50,000 | 150,000 | 100,000
MTTR | 5      | 15      | 10

100s Conventional calculation (uncertainty not regarded):
     | Ti(US)/h | Ti(DS)/h | Pr(US)   | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
Mean | 1.00E+03 | 1.00E+01 | 9.90E-01 | 9.95E-03 | 9.90E-04   | 9.90E-04
MTTSF ≡ Ti(US), MTTSR ≡ Ti(DS)

100s EU simulation:
        | Ti(US)/h | Ti(DS)/h | Pr(US)   | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
min 10% | 8.74E+02 | 9.67E+00 | 9.89E-01 | 1.07E-02 | 1.04E-03   | 1.04E-03
Median  | 9.10E+02 | 1.01E+01 | 9.89E-01 | 1.09E-02 | 1.09E-03   | 1.09E-03
Mean    | 9.11E+02 | 1.01E+01 | 9.89E-01 | 1.09E-02 | 1.09E-03   | 1.09E-03
max 90% | 9.49E+02 | 1.05E+01 | 9.89E-01 | 1.11E-02 | 1.13E-03   | 1.13E-03

Table 6.22. EU-100s-low.

[Fig. 6.24: three panels with the curves EU-1c-high (component), EU-10s-high and EU-100s-high; arrows mark the tendency of an increasing number of components. Upper: f(ti(US)) over ti(US) ≡ mttsf from 0 to 2.5·MTTSF, vertical scale 0 to 4/MTTSF. Middle: f(ti(DS)) over ti(DS) ≡ mttsr from 0 to 2.5·MTTSR, vertical scale 0 to 4/MTTSR. Lower: f(pr(DS)) over pr(DS) from 0 to 5·Pr(DS), vertical scale 0 to 2/Pr(DS).]

Fig. 6.24. EU-series systems with high uncertainty, Table 6.23-24 (MTTSF, MTTSR, Pr(DS) are calculated indices, disregarding uncertainties).

Component input (high EU) for the series systems:
     | min/h  | max/h     | Arithmetic mean/h
MTTF | 10,000 | 1,000,000 | 505,000
MTTR | 1      | 19        | 10

10s Conventional calculation (uncertainty not regarded):
     | Ti(US)/h | Ti(DS)/h | Pr(US)    | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
Mean | 5.05E+04 | 1.00E+01 | <1.00E+00 | 1.98E-04 | 1.98E-05   | 1.98E-05
MTTSF ≡ Ti(US), MTTSR ≡ Ti(DS)

10s EU simulation:
        | Ti(US)/h | Ti(DS)/h | Pr(US)    | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
min 10% | 1.17E+04 | 7.16E+00 | <1.00E+00 | 2.37E-04 | 2.14E-05   | 2.14E-05
Median  | 2.66E+04 | 1.05E+01 | <1.00E+00 | 3.66E-04 | 3.75E-05   | 3.75E-05
Mean    | 2.81E+04 | 1.04E+01 | <1.00E+00 | 4.65E-04 | 4.65E-05   | 4.65E-05
max 90% | 4.68E+04 | 1.35E+01 | <1.00E+00 | 8.26E-04 | 8.57E-05   | 8.57E-05

Table 6.23. EU-10s-high.

Component input (high EU) for the series systems:
     | min/h  | max/h     | Arithmetic mean/h
MTTF | 10,000 | 1,000,000 | 505,000
MTTR | 1      | 19        | 10

100s Conventional calculation (uncertainty not regarded):
     | Ti(US)/h | Ti(DS)/h | Pr(US)   | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
Mean | 5.05E+03 | 1.00E+01 | 9.98E-01 | 1.98E-03 | 1.98E-04   | 1.98E-04
MTTSF ≡ Ti(US), MTTSR ≡ Ti(DS)

100s EU simulation:
        | Ti(US)/h | Ti(DS)/h | Pr(US)   | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
min 10% | 1.71E+03 | 8.70E+00 | 9.96E-01 | 3.58E-03 | 3.57E-04   | 3.57E-04
Median  | 2.19E+03 | 1.01E+01 | 9.95E-01 | 4.52E-03 | 4.55E-04   | 4.55E-04
Mean    | 2.23E+03 | 1.01E+01 | 9.95E-01 | 4.64E-03 | 4.63E-04   | 4.63E-04
max 90% | 2.79E+03 | 1.14E+01 | 9.94E-01 | 5.86E-03 | 5.80E-04   | 5.80E-04

Table 6.24. EU-100s-high.

6.5.4.4 Simulation of parallel systems

In this chapter parallel systems of Fig. 6.14 with two and three components are investigated. The parallel systems represent two and three MC of 2nd and 3rd order. The input data, the conventional calculation and the simulation results are presented in Table 6.25-29; the histograms are pictured in Fig. 6.25-26. The simulations are carried out with the algorithm described in Appendix 6.8.4.

Component input for the parallel systems (low EU):
              | min/h | max/h  | Arithmetic mean/h
Ti(UC) ≡ MTTF | 5,000 | 15,000 | 10,000
Ti(DC) ≡ MTTR | 5     | 15     | 10

Component input for the parallel systems (high EU):
              | min/h | max/h   | Arithmetic mean/h
Ti(UC) ≡ MTTF | 1,000 | 100,000 | 50,500
Ti(DC) ≡ MTTR | 1     | 19      | 10

Table 6.25. Components of parallel systems with low and high EU.

[Fig. 6.25: three panels with the curves EU-2p-low and EU-2p-high. Upper: f(ti(US)) over ti(US) ≡ mttsf from 0 to 2.5·MTTSF, vertical scale 0 to 2/MTTSF. Middle: f(ti(DS)) over ti(DS) ≡ mttsr from 0 to 2.5·MTTSR, vertical scale 0 to 2/MTTSR. Lower: f(pr(DS)) over pr(DS) from 0 to 5·Pr(DS), vertical scale 0 to 1/Pr(DS).]

Fig. 6.25. EU-parallel systems with low and high uncertainty, Table 6.26-27 (MTTSF, MTTSR, Pr(DS) are calculated indices, disregarding uncertainties).

Component input (low EU) for the parallel systems:
              | min/h | max/h  | Arithmetic mean/h
Ti(UC) ≡ MTTF | 5,000 | 15,000 | 10,000
Ti(DC) ≡ MTTR | 5     | 15     | 10

2p Conventional calculation (uncertainty not regarded):
     | Ti(US)/h | Ti(DS)/h | Pr(US)    | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
Mean | 5.01E+06 | 5.00E+00 | <1.00E+00 | 9.98E-07 | 2.00E-07   | 2.00E-07
MTTSF ≡ Ti(US), MTTSR ≡ Ti(DS)

2p EU simulation:
        | Ti(US)/h | Ti(DS)/h | Pr(US)    | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
min 10% | 2.79E+06 | 3.47E+00 | <1.00E+00 | 5.54E-07 | 1.32E-07   | 1.32E-07
Median  | 4.80E+06 | 4.68E+00 | <1.00E+00 | 9.98E-07 | 2.08E-07   | 2.08E-07
Mean    | 5.01E+06 | 4.79E+00 | <1.00E+00 | 1.10E-06 | 2.30E-07   | 2.30E-07
max 90% | 7.55E+06 | 6.32E+00 | <1.00E+00 | 1.79E-06 | 3.58E-07   | 3.58E-07

Table 6.26. EU-2p-low.

Component input (high EU) for the parallel systems:
              | min/h | max/h   | Arithmetic mean/h
Ti(UC) ≡ MTTF | 1,000 | 100,000 | 50,500
Ti(DC) ≡ MTTR | 1     | 19      | 10

2p Conventional calculation (uncertainty not regarded):
     | Ti(US)/h | Ti(DS)/h | Pr(US)    | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
Mean | 1.28E+08 | 5.00E+00 | <1.00E+00 | 3.92E-08 | 7.84E-09   | 7.84E-09
MTTSF ≡ Ti(US), MTTSR ≡ Ti(DS)

2p EU simulation:
        | Ti(US)/h | Ti(DS)/h | Pr(US)    | Pr(DS)   | Fr(US)/h⁻¹ | Fr(DS)/h⁻¹
min 10% | 1.66E+07 | 1.53E+00 | <1.00E+00 | 1.12E-08 | 3.76E-09   | 3.76E-09
Median  | 1.04E+08 | 4.09E+00 | <1.00E+00 | 4.19E-08 | 9.59E-09   | 9.59E-09
Mean    | 1.25E+08 | 4.28E+00 | <1.00E+00 | 1.02E-07 | 3.17E-08   | 3.17E-08
max 90% | 2.65E+08 | 7.33E+00 | <1.00E+00 | 2.02E-07 | 6.01E-08   | 6.01E-08

Table 6.27. EU-2p-high.

2 ⁄ MTTSF

f ( ti ( U S ) ) EU-3p-high
EU-3p-low
EU-2p-high
1 ⁄ MTTSF EU-2p-low

0
0 MTTSF ti ( U S ) ≡ mttsf 2.5 ⋅ MTTSF

2 ⁄ MTTSR

f ( ti ( D S ) )
EU-3p-high EU-3p-low

1 ⁄ MTTSR
EU-2p-low

EU-2p-high

0
0 MTTSR ti ( D S ) ≡ mttsr 2.5 ⋅ MTTSR

1 ⁄ Pr ( DS )

f ( pr ( D S ) )
EU-2p-high
EU-3p-low
0.5 ⁄ Pr ( D S )
EU-2p-low

EU-3p-high

0
0 Pr(DS) pr ( D S ) 5 ⋅ Pr ( D S )
Fig. 6.26. EU-parallel systems with low and high uncertainty, Table 6.28-29
(MTTSF, MTTSR, Pr(DS) are calculated indices, disregarding uncertainties).

Component input (low EU) for the parallel systems

                    min/h     max/h     Arithmetic mean/h
Ti(U_C) ≡ MTTF      5,000     15,000    10,000
Ti(D_C) ≡ MTTR          5         15        10

3p Conventional calculation (uncertainty not regarded)

          Ti(U_S)/h   Ti(D_S)/h   Pr(U_S)     Pr(D_S)    Fr(U_S)/h⁻¹   Fr(D_S)/h⁻¹
Mean      3.34E+09    3.33E+00    <1.00E+00   9.97E-10   2.99E-10      2.99E-10
MTTSF ≡ Ti(U_S), MTTSR ≡ Ti(D_S)

3p EU simulation

          Ti(U_S)/h   Ti(D_S)/h   Pr(U_S)     Pr(D_S)    Fr(U_S)/h⁻¹   Fr(D_S)/h⁻¹
min 10%   1.80E+09    2.42E+00    <1.00E+00   5.54E-10   1.94E-10      1.94E-10
Median    3.16E+09    3.08E+00    <1.00E+00   9.97E-10   3.17E-10      3.17E-10
Mean      3.34E+09    3.14E+00    <1.00E+00   1.09E-09   3.50E-10      3.50E-10
max 90%   5.16E+09    3.96E+00    <1.00E+00   1.79E-09   5.55E-10      5.55E-10

Table 6.28. EU-3p-low.

Component input (high EU) for the parallel systems

                    min/h     max/h     Arithmetic mean/h
Ti(U_C) ≡ MTTF      1,000     100,000   50,500
Ti(D_C) ≡ MTTR          1          19       10

3p Conventional calculation (uncertainty not regarded)

          Ti(U_S)/h   Ti(D_S)/h   Pr(U_S)     Pr(D_S)    Fr(U_S)/h⁻¹   Fr(D_S)/h⁻¹
Mean      4.30E+11    3.33E+00    <1.00E+00   7.76E-12   2.33E-12      2.33E-12
MTTSF ≡ Ti(U_S), MTTSR ≡ Ti(D_S)

3p EU simulation

          Ti(U_S)/h   Ti(D_S)/h   Pr(U_S)     Pr(D_S)    Fr(U_S)/h⁻¹   Fr(D_S)/h⁻¹
min 10%   4.49E+10    1.11E+00    <1.00E+00   2.36E-12   1.08E-12      1.08E-12
Median    2.98E+11    2.49E+00    <1.00E+00   8.89E-12   3.35E-12      3.35E-12
Mean      4.06E+11    2.63E+00    <1.00E+00   2.25E-11   1.17E-11      1.17E-11
max 90%   9.23E+11    4.38E+00    <1.00E+00   4.42E-11   2.22E-11      2.22E-11

Table 6.29. EU-3p-high.



6.5.4.5 EU conclusion

1. The definition of epistemic uncertainty is given in Definition 1.30. Epistemic
uncertainty is caused by a lack of information; thus EU is a type of indeterminacy
(Definition 1.28).
There is a fundamental difference between AU and EU in system dependability
evaluation. AU is based on fixed mean values (e.g. MTTF and MTTR), while EU is
based on randomly distributed mean values (e.g. mttf, mttr). Therefore, the results
of AU and EU are not directly comparable: AU evaluation approaches provide measures
of simulated real-time values, EU evaluation approaches provide measures of
simulated mean values.

2. If knowledge is very limited, EU tends to be high. If knowledge is excellent, EU
tends to zero (theoretical case).
Assumption: in the examples, a quotient max/min ≤ 3 of the component input means
low uncertainty (blue) and max/min = 10 to 100 means high uncertainty (red). The
influence of EU on the system indices is summarized by the following examples.

3. Series systems: min10% and max90% of Pr(D_S)
- Table 6.21 (EU-10s-low): [1.02E-03, 1.18E-03] (max/min factor: 1.16)
- Table 6.22 (EU-100s-low): [1.07E-02, 1.11E-02] (max/min factor: 1.04)
- Table 6.23 (EU-10s-high): [2.37E-04, 8.26E-04] (max/min factor: 3.49)
- Table 6.24 (EU-100s-high): [3.58E-03, 5.86E-03] (max/min factor: 1.64)
The increase of system uncertainty is not as high as the component uncertainty
might suggest. In series systems the spread of uncertainty narrows with an
increasing number of components.

4. Parallel systems: min10% and max90% of Pr(D_S)
- Table 6.26 (EU-2p-low): [5.54E-07, 1.79E-06] (max/min factor: 3.23)
- Table 6.28 (EU-3p-low): [5.54E-10, 1.79E-09] (max/min factor: 3.23)
- Table 6.27 (EU-2p-high): [1.12E-08, 2.02E-07] (max/min factor: 18.0)
- Table 6.29 (EU-3p-high): [2.36E-12, 4.42E-11] (max/min factor: 18.7)
Despite the broad spread of the min-max indices (high uncertainty), redundant
systems show a significant increase in dependability, because the whole spread is
shifted to a higher dependability level.

5. Result: the examples show that low epistemic uncertainty has little impact on
the dependability indices. High epistemic uncertainty can have a significant impact
on the dependability results, especially for parallel systems (see also Chapter 6.6).

6. The EU approach can be seen as an intermediate step towards the combined EUAU
approach, Chapter 6.6.

7. In cases where subjective probability is not enough, or where subjective
probability may lead to controversial results, which can occur in an early stage of
system design, the study in [Kochs et al. 2012, Kongniratsaikul 2014] describes a
third approach dealing with subjective and a-priori probability.

6.6 Combination of epistemic and aleatory uncertainty (EUAU)

In the previous chapters, AU and EU are evaluated separately: AU results in
t(U_S)_min and t(U_S)_max, EU results in the mean values Ti(U_S)_min and
Ti(U_S)_max, which have, as concluded in the last chapter, a different significance
and are therefore not directly comparable. Decisive for the dependability assessment
are the final results pdf(t(U_S)) and pdf(t(D_S)), which are obtained by the
combination of EU and AU (EU with embedded AU) described in this chapter. The EUAU
process can be divided into the 3 steps illustrated in Fig. 6.27.

Combination of epistemic and aleatory uncertainty (EUAU)

EUAU STEP 1. Initial scenario: scenario which is based on the results of the EU
steps.
EUAU STEP 2. Formulation: formulation of Drenick's Theorem, Chapter 6.4.5, applied
to ti(U_S)_j and ti(D_S)_j.
EUAU STEP 3. Evaluation: evaluation of the pdf f(t(U_S)) and f(t(D_S)) and their
indices.

Fig. 6.27. The process of dependability assessment under combined AU and EU (EUAU).

6.6.1 EUAU STEP 1. Initial scenario

The initial scenario is given by the probability functions f(ti(U_S)) (and likewise
f(ti(D_S))), demonstrated in Fig. 6.28, upper histogram.

6.6.2 EUAU STEP 2. Formulation

The abbreviations of AU STEP 2 and EU STEP 2 are also used in the following
description. The relationship between EU (ti(U_S)) and AU (t(U_S)), i.e. between
mttsf and ttsf, can be determined by the following equations based on Drenick's
Theorem, Fig. 6.28, lower histogram. Each mttsf bin $\Delta pr(ti_k)$ of the EU
histogram is transferred as a differential part $\Delta\Delta pr(t_l, ti_k)$ of the
ttsf bin $\Delta pr(t_l)$ by Drenick's transfer function $Dr(t_l, ti_k)$.

Abbreviations:

$$\Delta_l \equiv \Delta t(U_S)_l,\quad \Delta_k \equiv \Delta ti(U_S)_k,\quad t_l \equiv t(U_S)_l,\quad ti_k \equiv ti(U_S)_k \tag{6.45}$$

$$\Delta pr(ti_k) = f(ti_k)\,\Delta_k \tag{6.46}$$

$$\Delta\Delta pr(t_l, ti_k) = \Delta pr(ti_k)\,Dr(t_l, ti_k),\quad k = 1 \dots n,\ l = 1 \dots m \tag{6.47}$$

$$\Delta pr(t_l) = \sum_{k=1}^{n} \Delta\Delta pr(t_l, ti_k) \tag{6.48}$$

Cumulative distribution function

$$F(t_l) = \sum_{j=1}^{l} \Delta pr(t_j) \tag{6.49}$$

$$F(t_m) = 1 \tag{6.50}$$

Drenick's transfer function

$$Dr(t_l, ti_k) = 1 - e^{-t_l / ti_k}\quad\text{with } t_l = l\,\Delta_l,\ ti_k = k\,\Delta_k,\ \Delta \text{ equidistant} \tag{6.51}$$

The same procedure can be applied to D_S. The relationship between ti(U_S), t(U_S)
and ti(D_S), t(D_S) makes it straightforward to combine EU with AU. The objective is
to determine t(U_S)_min and t(U_S)_max when the min-max boundary values
Pr(t(U_S))_min and Pr(t(U_S))_max are given, e.g. CI(t(U_S)) = [0.1, 0.9] (width
0.8). t(U_S)_min and t(U_S)_max can be determined with the Monte Carlo approach.

[Fig. 6.28: two histograms over a common abscissa from 0 to 2.5·MTTSF with the
min10% and max90% markers. Upper histogram: f(ti(U_S)) of EU-10s-high (Fig. 6.24,
upper diagram) over ti(U_S) ≡ mttsf, bins k = 1…n with bin probability Δpr(ti_k),
ordinate up to 2/MTTSF; marked are MTTSF_EU = 2.81E+04 h and the calculated
MTTSF = 5.05E+04 h. Lower histogram: f(t(U_S)) of EUAU-10s-high over t(U_S) ≡ ttsf,
bins l = 1…m with Δpr(t_l), each built from the contributions ΔΔpr(t_l, ti_k) of
the upper bins; its mean is MTTSF_EUAU ≡ MTTSF_EU.]

Fig. 6.28. Relationship between EU and EUAU and their indices.
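The transfer of Eq. 6.45-6.51 can be carried out directly on an EU sample. The following Python block is an added example and not the book's program: it takes the EU result as a list of random mean times mttsf, bins it into the histogram Δpr(ti_k) over [0, 2.5·MTTSF], evaluates the EUAU distribution function as the EU-weighted sum of Drenick's exponential distribution functions (reading Dr of Eq. 6.51 as the distribution function and summing Eq. 6.47-6.49 in closed form is an assumption of the example) and inverts it by bisection for the min10%/max90% boundaries. The EU input is constructed here (10 series components with mttf uniform in [50,000 h, 150,000 h], the EUAU-10s-low input of Table 6.30); function names, bin count and seed are the example's own.

```python
"""EUAU STEP 2 (Chapter 6.6.2): from the EU histogram of mttsf to the EUAU
distribution of ttsf. Added example, not the book's program.

Assumptions of the example: the EU result is available as a list of random
mean times mttsf; Dr(t, ti_k) of Eq. 6.51 is the exponential distribution
function with mean ti_k; the EUAU distribution function is the EU-weighted
sum of these functions (closed form of Eq. 6.47-6.49).
"""
import math
import random
from typing import Dict, List, Sequence, Tuple

Bin = Tuple[float, float]  # (ti_k, Δpr(ti_k)): bin centre and bin probability


def eu_histogram(mttsf_samples: Sequence[float], n_bins: int, t_max: float) -> List[Bin]:
    """Eq. 6.46: Δpr(ti_k) as relative frequency of mttsf in n equidistant bins
    on [0, t_max]; ti_k is the bin centre. Samples above t_max go to the last bin."""
    delta_k = t_max / n_bins
    counts = [0] * n_bins
    for s in mttsf_samples:
        counts[min(int(s / delta_k), n_bins - 1)] += 1
    total = len(mttsf_samples)
    return [((k + 0.5) * delta_k, c / total) for k, c in enumerate(counts) if c]


def drenick_cdf(t: float, ti_k: float) -> float:
    """Drenick's transfer function, Eq. 6.51: Dr(t, ti_k) = 1 - exp(-t / ti_k)."""
    return 1.0 - math.exp(-t / ti_k)


def euau_cdf(t: float, hist: Sequence[Bin]) -> float:
    """F(t) = Σ_k Δpr(ti_k) · Dr(t, ti_k); every EU bin contributes its
    ΔΔpr(t, ti_k) of Eq. 6.47 (assumption: Dr is the distribution function)."""
    return sum(w * drenick_cdf(t, ti_k) for ti_k, w in hist)


def euau_quantile(q: float, hist: Sequence[Bin]) -> float:
    """Inverse of F by bisection: the t with F(t) = q, e.g. min10% (q = 0.1)
    and max90% (q = 0.9) of the EUAU tables."""
    if not 0.0 < q < 1.0:
        raise ValueError("q must lie strictly between 0 and 1")
    lo, hi = 0.0, max(ti_k for ti_k, _ in hist)
    while euau_cdf(hi, hist) < q:     # F is monotone: widen until q is bracketed
        hi *= 2.0
    for _ in range(100):              # 100 halvings: interval far below float resolution
        mid = 0.5 * (lo + hi)
        if euau_cdf(mid, hist) < q:
            lo = mid
        else:
            hi = mid
    return hi


def euau_mean(hist: Sequence[Bin]) -> float:
    """Mean of the mixture, Σ_k Δpr(ti_k) · ti_k: MTTSF_EUAU ≡ MTTSF_EU (Fig. 6.28)."""
    return sum(w * ti_k for ti_k, w in hist)


def euau_indices(mttsf_samples: Sequence[float], n_bins: int = 200) -> Dict[str, float]:
    """min10%, median, mean and max90% of t(U_S); the histogram spans
    [0, 2.5·MTTSF], the abscissa of Fig. 6.28."""
    mttsf_eu = sum(mttsf_samples) / len(mttsf_samples)
    hist = eu_histogram(mttsf_samples, n_bins, 2.5 * mttsf_eu)
    return {
        "min10%": euau_quantile(0.10, hist),
        "median": euau_quantile(0.50, hist),
        "mean": euau_mean(hist),
        "max90%": euau_quantile(0.90, hist),
    }


def series_mttsf_samples(n_components: int, mttf_min: float, mttf_max: float,
                         sim_max: int = 20000, seed: int = 1) -> List[float]:
    """Constructed EU input (not a table of the book): series system with
    mttsf = 1 / Σ_c (1 / mttf_c) and every mttf_c drawn uniformly (Fig. 6.20)."""
    rng = random.Random(seed)
    return [1.0 / sum(1.0 / rng.uniform(mttf_min, mttf_max) for _ in range(n_components))
            for _ in range(sim_max)]


if __name__ == "__main__":
    # Component input EUAU-10s-low of Table 6.30: 10 components, mttf in [50,000 h, 150,000 h]
    samples = series_mttsf_samples(10, 50_000.0, 150_000.0)
    for name, value in euau_indices(samples).items():
        print(f"{name:>7}: {value:9.3e} h")
```

With zero EU (a single bin at MTTSF) the quantiles reduce to those of the AU calculation, 0.105·MTTSF, 0.693·MTTSF and 2.30·MTTSF, which is exactly the ratio between the AU calculation rows and the conventional mean in Table 6.31 (1.05E+03 h, 6.93E+03 h and 2.30E+04 h for MTTSF = 1.00E+04 h). The mean of the mixture is the mean of the EU histogram, which is the identity MTTSF_EUAU ≡ MTTSF_EU of Fig. 6.28; the bisection is used instead of a coarse grid so that the min10%/max90% boundaries do not inherit the histogram's cell width.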



6.6.3 EUAU STEP 3. Evaluation

6.6.3.1 EUAU simulation of measures of central tendency and location

Table 6.30 shows the component input indices that are the basis of the examples in
Tables 6.31-34, which demonstrate step by step the influence of the different
approaches. The (component) mttf and mttr are uniformly distributed according to
Fig. 6.20. Furthermore, Tables 6.31-34 contain an overview of the various indices
of MTTSF.

                   min/h      max/h        Arithmetic mean/h
EUAU-10s-low
  MTTF             50,000     150,000      100,000
  MTTR                  5          15           10
EUAU-10s-high
  MTTF             10,000   1,000,000      505,000
  MTTR                  1          19           10
EUAU-2p-low
  MTTF             50,000     150,000      100,000
  MTTR                  5          15           10
EUAU-2p-high
  MTTF             10,000   1,000,000      505,000
  MTTR                  1          19           10

Table 6.30. Component input for the following EUAU examples with low and
high uncertainty.

The indices evaluated with the EUAU approach are the final results used in the
evaluation of system dependability. The question "How much do EU and AU influence
system dependability?" is answered by the EUAU indices.

Conventional calculation (Table 6.6)
                  Ti(U_S)/h   Ti(D_S)/h   Pr(D_S)
Arithmetic mean   1.00E+04    1.00E+01    9.99E-04             MTTSF, MTTSR

AU calculation, Drenick's Theorem (Table 6.7) 1)
                  t(U_S)/h    t(D_S)/h    Pr(D_S) 2)
min 10%           1.05E+03    1.05E+00    4.57E-05
Median (50%)      6.93E+03    6.93E+00
Mean              1.00E+04    1.00E+01    9.99E-04 3) 4)       MTTSF, MTTSR
max 90%           2.30E+04    2.30E+01    2.14E-02

AU simulation, AU-10s-b1/1 (Table 6.6)
                  t(U_S)/h    t(D_S)/h    Pr(D_S) 2)
min 10%           1.05E+03    1.06E+00    4.61E-05
Median (50%)      6.91E+03    6.92E+00
Mean              9.98E+03    9.98E+00    9.99E-04 3) 5)       MTTSF_AUsim, MTTSR_AUsim
max 90%           2.30E+04    2.31E+01    2.15E-02

EU simulation, EU-10s-low (Table 6.21)
                  Ti(U_S)/h   Ti(D_S)/h   Pr(D_S)
min 10%           8.02E+03    8.85E+00    1.02E-03
Median (50%)      9.14E+03    1.01E+01    1.09E-03
Mean              9.20E+03    1.01E+01    1.10E-03             MTTSF_EU, MTTSR_EU
max 90%           1.05E+04    1.13E+01    1.18E-03

EUAU, EUAU-10s-low (new)
                  t(U_S)/h    t(D_S)/h    Pr(D_S) 2)
min 10%           9.64E+02    1.06E+00    4.95E-05
Median (50%)      6.38E+03    7.02E+00
Mean              9.22E+03    1.01E+01    1.10E-03 7)          MTTSF_EUAU ≡ MTTSF_EU 6), MTTSR_EUAU ≡ MTTSR_EU 6)
max 90%           2.14E+04    2.35E+01    2.38E-02

1) Basis of the AU calculation are the rounded values of the conventional calculation.
2) min-max-boundary calculation of Pr(D_S).
3) Pr(D_S) = t(D_S)_mean / (t(U_S)_mean + t(D_S)_mean), independent of the shape of
f(t(U_S)) and f(t(D_S)), Eq. 4.8-9.
4) Minor deviations of Pr(D_S) compared to the conventional calculation result are
caused by rounding errors of the t(…) values.
5) Minor deviations of the line values compared to the conventional calculation
results are caused by numerical errors of the t(…) values, see Remark in Appendix 6.8.
6) Minor deviations are caused by numerical errors, see Remark in Appendix 6.8.
7) Pr(D_S) is transferred from the EU simulation result.
An overview of the calculation/simulation steps is given in Fig. 6.29.

Table 6.31. Summary of the evaluated indices for EUAU-10s-low.

Conventional calculation (Table 6.23)
                  Ti(U_S)/h   Ti(D_S)/h   Pr(D_S)
Arithmetic mean   5.05E+04    1.00E+01    1.98E-04             MTTSF, MTTSR

AU calculation, Drenick's Theorem (new) 1)
                  t(U_S)/h    t(D_S)/h    Pr(D_S) 2)
min 10%           5.32E+03    1.05E+00    9.05E-06
Median (50%)      3.50E+04    6.93E+00
Mean              5.05E+04    1.00E+01    1.98E-04 3) 4)       MTTSF, MTTSR
max 90%           1.16E+05    2.30E+01    4.30E-03

AU simulation, AU-10s-b1/1 (new)
                  t(U_S)/h    t(D_S)/h    Pr(D_S) 2)
min 10%           5.32E+03    1.05E+00    9.05E-06
Median (50%)      3.50E+04    6.93E+00
Mean              5.05E+04    9.99E+00    1.98E-04 3) 5)       MTTSF_AUsim, MTTSR_AUsim
max 90%           1.16E+05    2.30E+01    4.30E-03

EU simulation, EU-10s-high (Table 6.23)
                  Ti(U_S)/h   Ti(D_S)/h   Pr(D_S)
min 10%           1.17E+04    7.16E+00    2.37E-04
Median (50%)      2.66E+04    1.05E+01    3.66E-04
Mean              2.81E+04    1.04E+01    4.65E-04             MTTSF_EU, MTTSR_EU
max 90%           4.68E+04    1.35E+01    8.26E-04

EUAU, EUAU-10s-high (new)
                  t(U_S)/h    t(D_S)/h    Pr(D_S) 2)
min 10%           2.36E+03    1.04E+00    1.51E-05
Median (50%)      1.71E+04    7.01E+00
Mean              2.86E+04    1.06E+01    4.65E-04 7)          MTTSF_EUAU ≡ MTTSF_EU 6), MTTSR_EUAU ≡ MTTSR_EU 6)
max 90%           6.90E+04    2.45E+01    1.03E-02

1) Basis of the AU calculation are the rounded values of the conventional calculation.
2) min-max-boundary calculation of Pr(D_S).
3) Pr(D_S) = t(D_S)_mean / (t(U_S)_mean + t(D_S)_mean), independent of the shape of
f(t(U_S)) and f(t(D_S)), Eq. 4.8-9.
4) Minor deviations of Pr(D_S) compared to the conventional calculation result are
caused by rounding errors of the t(…) values.
5) Minor deviations of the line values compared to the conventional calculation
results are caused by numerical errors of the t(…) values, see Remark in Appendix 6.8.
6) Minor deviations are caused by numerical errors, see Remark in Appendix 6.8.
7) Pr(D_S) is transferred from the EU simulation result.
An overview of the calculation/simulation steps is given in Fig. 6.29.

Table 6.32. Summary of the evaluated indices for EUAU-10s-high.

Conventional calculation (new)
                  Ti(U_S)/h   Ti(D_S)/h   Pr(D_S)
Arithmetic mean   5.00E+08    5.00E+00    1.00E-08             MTTSF, MTTSR

AU calculation, Drenick's Theorem (new) 1)
                  t(U_S)/h    t(D_S)/h    Pr(D_S) 2)
min 10%           5.27E+07    5.27E-01    4.58E-10
Median (50%)      3.47E+08    3.47E+00
Mean              5.01E+08    5.00E+00    9.98E-09 3) 4)       MTTSF, MTTSR
max 90%           1.15E+09    1.15E+01    2.18E-07

AU simulation, AU-2p-b1/1 (new)
                  t(U_S)/h    t(D_S)/h    Pr(D_S) 2)
min 10%           5.28E+07    5.25E-01    4.57E-10
Median (50%)      3.50E+08    3.46E+00
Mean              4.99E+08    5.00E+00    1.00E-08 3) 5)       MTTSF_AUsim, MTTSR_AUsim
max 90%           1.15E+09    1.15E+01    2.18E-07

EU simulation, EU-2p-low (new)
                  Ti(U_S)/h   Ti(D_S)/h   Pr(D_S)
min 10%           2.78E+08    3.47E+00    5.55E-09
Median (50%)      4.79E+08    4.68E+00    1.00E-08
Mean              5.00E+08    4.79E+00    1.10E-08             MTTSF_EU, MTTSR_EU
max 90%           7.54E+08    6.32E+00    1.80E-08

EUAU, EUAU-2p-low (new)
                  t(U_S)/h    t(D_S)/h    Pr(D_S) 2)
min 10%           5.18E+07    4.89E-01    3.79E-10
Median (50%)      3.54E+08    3.27E+00
Mean              5.02E+08    4.38E+00    1.10E-08 7)          MTTSF_EUAU ≡ MTTSF_EU 6), MTTSR_EUAU ≡ MTTSR_EU 6)
max 90%           1.29E+09    1.13E+01    2.18E-07

1) Basis of the AU calculation are the rounded values of the conventional calculation.
2) min-max-boundary calculation of Pr(D_S).
3) Pr(D_S) = t(D_S)_mean / (t(U_S)_mean + t(D_S)_mean), independent of the shape of
f(t(U_S)) and f(t(D_S)), Eq. 4.8-9.
4) Minor deviations of Pr(D_S) compared to the conventional calculation result are
caused by rounding errors of the t(…) values.
5) Minor deviations of the line values compared to the conventional calculation
results are caused by numerical errors of the t(…) values, see Remark in Appendix 6.8.
6) Minor deviations are caused by numerical errors, see Remark in Appendix 6.8.
7) Pr(D_S) is transferred from the EU simulation result.
An overview of the calculation/simulation steps is given in Fig. 6.29.

Table 6.33. Summary of the evaluated indices for EUAU-2p-low.

Conventional calculation (new)
                  Ti(U_S)/h   Ti(D_S)/h   Pr(D_S)
Arithmetic mean   1.28E+10    5.00E+00    3.92E-10             MTTSF, MTTSR

AU calculation, Drenick's Theorem (new) 1)
                  t(U_S)/h    t(D_S)/h    Pr(D_S) 2)
min 10%           1.35E+09    5.27E-01    1.79E-11
Median (50%)      8.87E+09    3.47E+00
Mean              1.28E+10    5.00E+00    3.91E-10 3) 4)       MTTSF, MTTSR
max 90%           2.95E+10    1.15E+01    8.52E-09

AU simulation, AU-2p-b1/1 (new)
                  t(U_S)/h    t(D_S)/h    Pr(D_S) 2)
min 10%           1.34E+09    5.35E-01    1.82E-11
Median (50%)      8.81E+09    3.53E+00
Mean              1.27E+10    5.03E+00    3.96E-10 3) 5)       MTTSF_AUsim, MTTSR_AUsim
max 90%           2.94E+10    1.17E+01    8.73E-09

EU simulation, EU-2p-high (new)
                  Ti(U_S)/h   Ti(D_S)/h   Pr(D_S)
min 10%           1.66E+09    1.53E+00    1.13E-10
Median (50%)      1.04E+10    4.10E+00    4.19E-10
Mean              1.25E+10    4.28E+00    1.02E-09             MTTSF_EU, MTTSR_EU
max 90%           2.65E+10    7.33E+00    2.02E-09

EUAU, EUAU-2p-high (new)
                  t(U_S)/h    t(D_S)/h    Pr(D_S) 2)
min 10%           5.43E+08    3.39E-01    1.02E-11
Median (50%)      5.91E+09    2.52E+00
Mean              1.26E+10    4.31E+00    1.02E-09 7)          MTTSF_EUAU ≡ MTTSF_EU 6), MTTSR_EUAU ≡ MTTSR_EU 6)
max 90%           3.31E+10    1.06E+01    1.95E-08

1) Basis of the AU calculation are the rounded values of the conventional calculation.
2) min-max-boundary calculation of Pr(D_S).
3) Pr(D_S) = t(D_S)_mean / (t(U_S)_mean + t(D_S)_mean), independent of the shape of
f(t(U_S)) and f(t(D_S)), Eq. 4.8-9.
4) Minor deviations of Pr(D_S) compared to the conventional calculation result are
caused by rounding errors of the t(…) values.
5) Minor deviations of the line values compared to the conventional calculation
results are caused by numerical errors of the t(…) values, see Remark in Appendix 6.8.
6) Minor deviations are caused by numerical errors, see Remark in Appendix 6.8.
7) Pr(D_S) is transferred from the EU simulation result.
An overview of the calculation/simulation steps is given in Fig. 6.29.

Table 6.34. Summary of the evaluated indices for EUAU-2p-high.

6.6.3.2 EUAU conclusion

1. AU and EU have a different scope and a different mathematical basis. It is not
possible to compare these types of uncertainty directly in order to come to a
conclusion (simulated real-time values versus mean values). Whereas AU evaluation
gives a more differentiated view of dependability (Chapter 6.2) than the
conventional calculation (based only on mean values), EU decreases dependability.
The EU impact on parallel systems is stronger (due to several factors) than on
series systems. For a complete system dependability analysis, an EU approach
combined with an AU approach (EUAU) gives meaningful dependability results.

2. Low EU, example: EUAU-10s-low (Table 6.31) and EUAU-2p-low (Table 6.33),
regarding t(U_S):
Low uncertainty according to the definition in Table 6.30 (blue) has only a minor
influence on the dependability indices of the series and parallel systems. The
final EUAU simulation results and the AU results are close together.
Peer comparison of t(U_S): min10%, median, mean, max90%
- Ratio EUAU/AU-10s: 0.92, 0.92, 0.92, 0.93
- Ratio EUAU/AU-2p: 0.98, 1.01, 1.01, 1.12
(< 1: EUAU results are conservative compared to the AU results)
Final remark: for low EU, the AU calculation (Drenick's Theorem, left box of
Fig. 6.29) is an easy-to-use analytical approximation with little computation
time.

3. High EU, example: EUAU-10s-high (Table 6.32) and EUAU-2p-high (Table 6.34),
regarding t(U_S):
High uncertainty according to the definition in Table 6.30 (red) can have a great
influence on the dependability indices of series and parallel systems.
Nevertheless, the deviations of the system indices are much lower than the
deviations of the component indices (max/min factor 100 (MTTF) and 19 (MTTR),
Table 6.30).
Peer comparison of t(U_S): min10%, median, mean, max90%
- Ratio EUAU/AU-10s: 0.44, 0.49, 0.57, 0.59
- Ratio EUAU/AU-2p: 0.41, 0.67, 0.99, 1.13
(< 1: EUAU results are conservative compared to the AU results)
Final remark: for high EU, the EUAU approach in the lower box of Fig. 6.29 is
proposed.

4. Result: in spite of large deviations of the component indices, the system
indices do not deviate as much. Conventional calculation (for the mean) and AU
calculation (Drenick's Theorem) can give acceptable results for low EU, depending
on the assumptions (e.g. uniform pdf), the requirements of the application, and
contractual commitments.

5. The previous statement may not be generally valid for all systems, but it shows
the tendency of the impact of uncertainty on system dependability. Moreover, the
examples show the systematic applicability of the developed approaches.

6.7 Framework of dependability evaluation approaches regarding uncertainty

Fig. 6.29 shows an overview of the system dependability approaches developed in
this book. The upper box displays the initial approaches, which may be sufficiently
precise for system dependability analyses, depending on the requirements. The
results are mean values without regard to AU and EU.

The AU and EU approaches on the lower level provide differentiated evaluation
results for practical (industrial) applications.

A combined approach based on EU simulation with embedded AU calculation has proved
to be the best-practice approach with little computation time (EUAU, bottom box).
System dependability evaluation, Chapter 3, 4, 5 (upper box)
- Summary of the approaches, Fig. 2.1.
- Fast analytical calculation.
- Mean values for input and output.

AU calculation, Drenick's Theorem, Chapter 6.4.5 (left box)
- Analytical calculation based on computed MTTSF and MTTSR.
- In case of low EU, AU calculation yields an appropriate approximation for the
  EUAU results (AU dominates EU).
- In case of high EU, AU calculation is embedded as part of the EUAU approach.
- Little computation time.

AU simulation, Chapter 6.4 (middle box)
- Partially very high simulation effort, especially for parallel structures.

EU simulation, Chapter 6.5 (right box)
- Little computation time for series and parallel structures.

EUAU, Chapter 6.6 (bottom box): EU simulation with embedded AU simulation,
preferably AU calculation
- Combination of EU simulation and AU simulation or calculation.
- High EU decreases the dependability level, for parallel systems more strongly
  than for series systems.
- Little computation time with AU calculation (left box).

Fig. 6.29. Overview of the system dependability approaches with consideration of
uncertainties.

6.8 Appendix

Acronyms used in the AU and EU algorithms.

alpha     Weibull scale parameter
beta      Weibull shape parameter, for our examples: beta = 0.5, 1.0, 3.0
c         component
C         number of components (array)
cdf       cumulative distribution function
d         down state
f         probability function (for discrete random values) or probability density
          function pdf (for continuous random values)
F         distribution function cdf (discrete or continuous random variables)
fr        random mean frequency
min       minimal
max       maximal
partial   part of
pdf       probability density function
pr        random mean probability
resi      residual part
sim       simulation
sys       system
t         random time
ti        random mean time
Ti        mean time, e.g. MTTF, MTTR
u         up state
ud        u plus d

Combination of the acronyms, connected with "_", e.g.

ti_sys_u     random mean system up time (used for EU)
t_sys_u      random system up time (used for AU)
t_ud_min     minimum of random ud time
f_ti_sys_d   probability (density) function of ti_sys_d

Remark: The following algorithms are programmed in C/C++ using the Monte Carlo
integration approach. Numerical errors can occur due to (minor) approximations in
the algorithms (Fig. 6.4), the discretization of the interval steps, the limited
number of simulations, and rounding errors.

6.8.1 AU algorithm of series systems, Fig. 6.3

The algorithms are oriented on C/C++.

for(c=1; c<=C; c++) { t_u(c) = 0; t_d(c) = 0; pr_d(c) = 0 }   /* initializing */
for(c=1; c<=C; c++) {
    SIMULATION: t_u(c)                        /* from input up time pdf */
}
for(sim=1; sim<=sim_max; sim++) {             /* simulation */
    SEARCH: c_min = c with minimum t_u(c), c = 1..C
    SIMULATION: t_d(c_min)                    /* from input down time pdf */
    ADDITION: t_sys_u = t_u(c_min) → f_t_sys_u, F_t_sys_u
    ADDITION: t_sys_d = t_d(c_min) → f_t_sys_d, F_t_sys_d
    /* MC conjunctions are ignored */
    CALCULATION: dependability indices
    for(c=1; c<=C; c++) {
        t_u(c) = t_u(c) - t_u(c_min)          /* residual t_u(c) */
    }
    SIMULATION: t_u(c_min)                    /* from input up time pdf */
    /* t_d(c) neglected */
}
CALCULATION: min-max boundaries, Chapter 6.4.4

6.8.2 AU algorithm of parallel systems, Fig. 6.4

t_sys_partial = 0                                            /* initializing */
for(c=1; c<=C; c++) { t_u(c) = 0; t_d(c) = 0; pr_d(c) = 0 }  /* initializing */
for(c=1; c<=C; c++) {
    SIMULATION: t_u(c)                                       /* from input up time pdf */
    SIMULATION: t_d(c)                                       /* from input down time pdf */
    t_ud(c) = t_u(c) + t_d(c)
}
for(sim=1; sim<=sim_max; sim++) {
    SEARCH: t_ud_min = min of { t_ud(1), ..., t_ud(C) }
    SEARCH: t_u_max  = max of { t_u(1), ..., t_u(C) }
    if(t_ud_min < t_u_max) {                                 /* no system down, case Fig. 6.4 a) */
        /* search of the point for the next simulation, blue line in Fig. 6.4 */
  A:    for(c=1; c<=C; c++) {
            if(t_u(c) <= t_ud_min) {                         /* appropriate t_d(c) neglected */
                SIMULATION: t_u(c)                           /* from input up time pdf */
                SIMULATION: t_d(c)                           /* from input down time pdf */
                t_ud(c) = t_u(c) + t_d(c)
            } else {
                t_u(c) = t_u(c) - t_ud_min                   /* residual t_u(c) */
                /* t_d(c) of the preceding simulation not changed */
                t_ud(c) = t_u(c) + t_d(c)
            }
        }
        t_sys_partial = t_sys_partial + t_ud_min
    } else {                                                 /* system down, case Fig. 6.4 b) */
  B:    ADDITION: t_sys_u = t_sys_partial + t_u_max → f_t_sys_u, F_t_sys_u
        ADDITION: t_sys_d = t_ud_min - t_u_max → f_t_sys_d, F_t_sys_d
        for(c=1; c<=C; c++) {
            SIMULATION: t_u(c)                               /* from input up time pdf */
            SIMULATION: t_d(c)                               /* from input down time pdf */
            t_ud(c) = t_u(c) + t_d(c)
        }
        t_sys_partial = 0
    }
}
CALCULATION: min-max boundaries, Chapter 6.4.4

6.8.3 EU algorithm of series systems

for(c=1; c<=C; c++) { ti_u(c) = 0; ti_d(c) = 0 }   /* initializing of mean times */
for(sim=1; sim<=sim_max; sim++) {
    pr_sys_u = 1
    ti_sys_u_reciprocal = 0
    for(c=1; c<=C; c++) {
        SIMULATION: ti_u(c)                        /* from input mean up time pdf */
        SIMULATION: ti_d(c)                        /* from input mean down time pdf */
        pr_sys_u = pr_sys_u * ti_u(c) / (ti_u(c) + ti_d(c))
        ti_sys_u_reciprocal = ti_sys_u_reciprocal + 1 / ti_u(c)
    }
    pr_sys_d = 1 - pr_sys_u
    ti_sys_u = 1 / ti_sys_u_reciprocal
    fr_sys_u = pr_sys_u / ti_sys_u
    fr_sys_d = fr_sys_u
    ti_sys_d = pr_sys_d / fr_sys_d
    ADDITION: ti_sys_u → f_ti_sys_u, F_ti_sys_u
    ADDITION: ti_sys_d → f_ti_sys_d, F_ti_sys_d
    ADDITION: pr_sys_d → f_pr_sys_d, F_pr_sys_d
    ADDITION: fr_sys_d → f_fr_sys_d, F_fr_sys_d
    CALCULATION: dependability indices
}

6.8.4 EU algorithm of parallel systems

for(c=1; c<=C; c++) { ti_u(c) = 0; ti_d(c) = 0 }   /* initializing of mean times */
for(sim=1; sim<=sim_max; sim++) {
    pr_sys_d = 1
    ti_sys_d_reciprocal = 0
    for(c=1; c<=C; c++) {
        SIMULATION: ti_u(c)                        /* from input mean up time pdf */
        SIMULATION: ti_d(c)                        /* from input mean down time pdf */
        pr_sys_d = pr_sys_d * ti_d(c) / (ti_u(c) + ti_d(c))
        ti_sys_d_reciprocal = ti_sys_d_reciprocal + 1 / ti_d(c)
    }
    pr_sys_u = 1 - pr_sys_d
    ti_sys_d = 1 / ti_sys_d_reciprocal
    fr_sys_d = pr_sys_d / ti_sys_d
    fr_sys_u = fr_sys_d
    ti_sys_u = pr_sys_u / fr_sys_u
    ADDITION: ti_sys_u → f_ti_sys_u, F_ti_sys_u
    ADDITION: ti_sys_d → f_ti_sys_d, F_ti_sys_d
    ADDITION: pr_sys_d → f_pr_sys_d, F_pr_sys_d
    ADDITION: fr_sys_d → f_fr_sys_d, F_fr_sys_d
    CALCULATION: dependability indices
}

Notation: In the algorithms above, the arrays start with "1". In C/C++ the arrays
start with "0".

According to Fig. 3.7 and Fig. 5.1, dependability structures of real-world systems
can be transformed to series and parallel structures. For these structures the algo-
rithms can be easily combined. In Chapter 3.9, series and parallel systems are cal-
culated as an example.
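The two EU algorithms above, written out in Python as an added example (not the book's C/C++ program) so that a run can be checked against the tables. Component mean times are drawn uniformly (Fig. 6.20); the per-sample system formulas are those of Chapters 6.8.3 and 6.8.4; the indices min10%, median, mean and max90% are read off the sorted results. The input in the usage example is the EU-2p-low component input of Table 6.26; function names, the number of simulations and the seed are the example's own.

```python
"""EU Monte Carlo simulation of series and parallel systems (Chapter 6.8.3 / 6.8.4).

Added example, not the book's program. Component mean times mttf and mttr are
drawn from uniform distributions (Fig. 6.20); the system mean values of one
draw follow the two algorithms above; the indices are read from the sorted
simulation results.
"""
import random
import statistics
from typing import Dict, List, Sequence, Tuple

Interval = Tuple[float, float]   # (min/h, max/h) of a uniformly distributed mean time


def summary(values: Sequence[float]) -> Dict[str, float]:
    """min10%, median, mean and max90% as listed in the tables of Chapter 6."""
    s = sorted(values)
    n = len(s)
    return {
        "min10%": s[int(0.10 * (n - 1))],
        "median": statistics.median(s),
        "mean": statistics.fmean(s),
        "max90%": s[int(0.90 * (n - 1))],
    }


def series_indices(ti_u: Sequence[float], ti_d: Sequence[float]) -> Dict[str, float]:
    """One EU draw of a series system (Chapter 6.8.3)."""
    pr_sys_u = 1.0
    ti_sys_u_reciprocal = 0.0
    for u, d in zip(ti_u, ti_d):
        pr_sys_u *= u / (u + d)            # all components up
        ti_sys_u_reciprocal += 1.0 / u     # system failure rate: sum of component rates
    pr_sys_d = 1.0 - pr_sys_u
    ti_sys_u = 1.0 / ti_sys_u_reciprocal
    fr_sys = pr_sys_u / ti_sys_u           # fr_sys_u = fr_sys_d
    return {"ti_sys_u": ti_sys_u, "ti_sys_d": pr_sys_d / fr_sys,
            "pr_sys_d": pr_sys_d, "fr_sys_d": fr_sys}


def parallel_indices(ti_u: Sequence[float], ti_d: Sequence[float]) -> Dict[str, float]:
    """One EU draw of a parallel system (Chapter 6.8.4)."""
    pr_sys_d = 1.0
    ti_sys_d_reciprocal = 0.0
    for u, d in zip(ti_u, ti_d):
        pr_sys_d *= d / (u + d)            # all components down
        ti_sys_d_reciprocal += 1.0 / d     # system repair rate: sum of component repair rates
    pr_sys_u = 1.0 - pr_sys_d
    ti_sys_d = 1.0 / ti_sys_d_reciprocal
    fr_sys = pr_sys_d / ti_sys_d           # fr_sys_d = fr_sys_u
    return {"ti_sys_u": pr_sys_u / fr_sys, "ti_sys_d": ti_sys_d,
            "pr_sys_d": pr_sys_d, "fr_sys_d": fr_sys}


def eu_simulation(structure: str, mttf: Sequence[Interval], mttr: Sequence[Interval],
                  sim_max: int = 20000, seed: int = 1) -> Dict[str, Dict[str, float]]:
    """EU simulation: sim_max draws of all component mean times, then the index
    distributions of the system. Returns {index: {min10%, median, mean, max90%}}."""
    if structure == "series":
        one_draw = series_indices
    elif structure == "parallel":
        one_draw = parallel_indices
    else:
        raise ValueError("structure must be 'series' or 'parallel'")
    if len(mttf) != len(mttr):
        raise ValueError("one (mttf, mttr) interval pair per component is required")
    rng = random.Random(seed)
    runs: Dict[str, List[float]] = {k: [] for k in ("ti_sys_u", "ti_sys_d", "pr_sys_d", "fr_sys_d")}
    for _ in range(sim_max):
        ti_u = [rng.uniform(lo, hi) for lo, hi in mttf]   # SIMULATION: ti_u(c)
        ti_d = [rng.uniform(lo, hi) for lo, hi in mttr]   # SIMULATION: ti_d(c)
        for index, value in one_draw(ti_u, ti_d).items():
            runs[index].append(value)                     # ADDITION: build f_..., F_...
    return {index: summary(values) for index, values in runs.items()}


if __name__ == "__main__":
    # Component input of Table 6.26 (EU-2p-low): mttf in [5,000 h, 15,000 h], mttr in [5 h, 15 h]
    result = eu_simulation("parallel", [(5000.0, 15000.0)] * 2, [(5.0, 15.0)] * 2)
    for index, stats in result.items():
        print(index, {k: f"{v:.2e}" for k, v in stats.items()})
```

With zero-width input intervals the run reproduces the conventional calculation (Pr(D_S) = 9.98E-07 and MTTSF = 5.01E+06 h for the 2p system of Table 6.26, MTTSF = 1.00E+04 h and Pr(D_S) = 9.99E-04 for the 10s system of Table 6.31). With the uniform intervals the mean of Pr(D_S) lies above the conventional value (1.10E-06 versus 9.98E-07 in Table 6.26) because E[1/mttf] > 1/E[mttf] (Jensen's inequality), which is the "EU decreases dependability" effect of the conclusions above.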
7 References
[AEG 1981]
AEG Forschungsbericht: Heiner, G., Kochs, H.-D., Schmidt, S., Brauner, G.
(1981). Zuverlässigkeit und Sicherheit in der Energietechnik (Reliability and
safety in energy engineering). AEG-Telefunken Forschungsbericht. ET 4398
A für das BMFT, August 1981.
[Akhmedjanov 2001]
Akhmedjanov, F. M. (2001). Reliability Databases: State-of-the-Art and Per-
spectives. Risø National Laboratory, Roskilde (Risø-R-1235(EN)), ISBN 87
550 2809 8, ISBN 87 550 2810 1 (Internet), ISSN 0106 2840, Print: Pitney
Bowes Management Services Danmark A/S, 2001.
[Allan et al. 1979]
Allan, R. N., Dialynas, E. N., Homer, I. R. (1979). Modelling common-mode
failures in the reliability evaluation of power system networks. IEEE Paper A
79 040 7, PES Winter Meeting, New York, February 1979.
[AMCP 1976a]
AMC Pamphlet No. 706-196 (1976). Engineering Design Handbook - De-
velopment Guide for Reliability - Part Two, Design for Reliability. Department
of the Army Headquarters US Army Material Command, Alexandria.
[AMCP 1976b]
AMC Pamphlet No. 706-197 (1976). Engineering Design Handbook - De-
velopment Guide for Reliability - Part Three, Reliability Prediction. Depart-
ment of the Army Headquarters US Army Material Command, Alexandria.
[Andrews et al. 2002]
Andrews, J. D. and Moss, T. R. (2002). Reliability and Risk Assessment. 2nd
edn, Professional Engineering Publishing, London, United Kingdom: ASM
International, ISBN 978 1 8605 8290 5.
[ANSI 1987]
ANSI/IEEE Std 352-1987 (1987). IEEE Guide for General Principles of Reli-
ability Analysis of Nuclear Power Generating Station Safety Systems. Ameri-
can National Standards Institute, New York, E-ISBN 0-7381-0685-2, DOI
10.1109/IEEESTD.1987.101069.
[Avizienis et al. 2004]
Avizienis, A., Laprie, J.-C., Randell, B., Landwehr, C. (2004). Basic Concepts
and Taxonomy of Dependable and Secure Computing. IEEE Transactions on
Dependable and Secure Computing, Vol. 1, No. 1, January-March 2004.

© Springer International Publishing AG 2018
H.-D. Kochs, System Dependability Evaluation Including S-dependency and
Uncertainty, DOI 10.1007/978-3-319-64991-7_7

[Barlow et al. 1965]
Barlow, R. E., Proschan, F. (1965). With contribution by L. C. Hunter (1965).
Mathematical Theory of Reliability. John Wiley & Sons, Inc. New York, 1965,
ISBN 0 89871 369 2, DOI 10.1126/science.148.3674.1208-a.
[BEA 2000]
Bureau Enquêtes-Accidents (2000). Accident on 25 July 2000 at "La Patte
d'Oie" in Gonesse (95), to the Concorde, registered F-BTSC, operated by Air
France: Reports (I) f-sc000725pa, (II) f-sc000725ae, (III) f-sc000725e2.
[BfS 2005]
Bundesamt für Strahlenschutz (2005). Methoden zur probabilistischen Si-
cherheitsanalyse für Kernkraftwerke. BfS-SCHR-37/05, ISBN 3 86509 414 7,
Wirtschaftsverlag NW, Bremerhaven, Salzgitter.
[Billinton et al. 1979]
Billinton, R., Medicherla, T. K. P., Sachdev, M. S. (1979). Application of Com-
mon-Cause Outage Models in Composite System Reliability Evaluation.
IEEE PES (Power Engineering Society) Paper A 79 461-5.
[Billinton et al. 1981]
Billinton, R., Medicherla, T. K. P., Sachdev, M. S. (1981). Application of Com-
mon-Cause Outage Models in composite System Reliability Evaluation. IEEE
Transactions on Power Apparatus and Systems, Volume PAS-100, Issue 7,
July 1981 (also IEEE Paper A 79 461-5, PES Summer Meeting, Vancouver,
July 1979).
[Billinton et al. 1992]
Billinton, R., Allan, R. N. (1992). Reliability Evaluation of Engineering Systems
- Concepts and Techniques. Plenum Press, New York, 1992, ISBN 0 306
44063 6, 453 pages.
[Birolini 2010]
Birolini, A. (2010). Reliability Engineering - Theory and Practice. Springer-
Verlag Berlin Heidelberg, Sixth Edition, ISBN 978 3 642 14951 1, 2010.
[Blischke et al. 2003]
Blischke, W. R., Murthy, D. N. P. (2003). Case Studies in Reliability and
Maintenance. John Wiley & Sons, 2003, ISBN 0 471 41373 9.
[Bouissou 2003]
Bouissou, M., Bon, J.-L. (2003). A new formalism that combines advantages
of fault-trees and Markov models: Boolean logic driven Markov processes.
Reliability Engineering & System Safety, Volume 82, Issue 2, November
2003, pp 149-163.
[Briggs 2008]
Briggs, L. L. (2008). Status Uncertainty Quantification Approaches for Ad-
vanced Reactor Analysis. Nuclear Engineering Division, Argonne National La-
boratory, ANL-GenIV-110, September 30, 2008.

[Bubb 1992]
Bubb, H. (1992). Menschliche Zuverlässigkeit: Definitionen, Zusammen-
hänge, Bewertung. ecomed, Landsberg/Lech, 1992.
[Büsch 1992]
Büsch, O. (1992). Handbuch der Preussischen Geschichte. Walter de Gruy-
ter & Co., Berlin, ISBN 3 11 008322 1.
[Coit et al. 2004]
Coit, D. W., Jin, T., Wattanapongsakorn, N. (2004). System Optimization
Considering Component Reliability Estimation Uncertainty: A Multi-Criteria
Approach. IEEE Transactions on Reliability, Volume: 53 , Issue: 3, Sept. 2004,
pp. 369-380.
[Coit et al. 2009]
Coit, D. W., Jin, T., Tekiner, H. (2009). Review and Comparison of System
Reliability Optimization Algorithms Considering Reliability Estimation Uncer-
tainty. ICRMS 2009, 8th International Conference on Reliability, Maintainabil-
ity and Safety, July 2009, pp. 49-53.
[DeFusco et al. 2004]
DeFusco, R. A., Pinto, J. E., Runkle, D. E., McLeavey, D. W. (2004). Quantita-
tive Methods For Investment Analysis. 2nd edition, CFA Institute, ISBN 978 1
9324 9508 9.
[DFG 2001]
DFG-SFB 291 (2001). Elastische Handhabungssysteme für schwere Lasten
in komplexen Operationsbereichen. Deutsche Forschungsgemeinschaft
(DFG, German Research Foundation) - Sonderforschungsbereich (SFB 291,
Collaborative Research Center 291), Gerhard-Mercator-Universität Duisburg,
1996-2000, Bonn.
[Dhillon et al. 1981]
Dhillon, B. S., Singh, C. (1981). Engineering Reliability - New Techniques and
Applications. John Wiley & Sons, Inc. Publishers, USA (1981) ISBN 0 471
05014 8, pp. 339.
[Dib 1978]
Rib, R. (1978). Kombinierte Anwendung der Minimalschnitt-Methode und der
Theorie Markoffscher Prozesse zur Zuverlässigkeitsberechnung von Kraft-
werks-Eigenbedarfsanlagen und von Hochspannungsnetzen. Diplom-Thesis
am Institut für Elektrische Anlagen und Energiewirtschaft (IAEW) der RWTH
Aachen, 1978.
[Drenick 1960]
Drenick, R. F. (1960). The Failure Law of Complex Equipment. The Journal of
the Society for Industrial Applications of Mathematics, Dec. 1960, Vol. 8, No.
4, pp. 680-689.
Chapter 7 366

[Edwin et al. 1978]


Edwin, K. W., Siemes, B. (1978). The Influence of Data Uncertainties on the
Reliability Evaluation of Power Systems. International Symposium on System
Reliability for Power Engineering, Stockholm 1978.
[Edwin et al. 1979a]
Edwin, K. W., Kochs, H.-D., Traeder, G. (1979.) Untersuchung der Kraftwerks-
reserve in Verbundsystemen. Forschungsbericht des Landes Nordrhein-
Westfalen, Nr. 2816, ISBN 3 531 02816 2, Westdeutscher Verlag 1979, 247
Seiten.
[Edwin et al. 1979b]
Edwin, K. W., Kochs, H.-D. (1979). Reliability determination of non-Markovian
power systems, Part I: An analytical procedure. IEEE Paper A 79502-6, PES
Summer Meeting, Vancouver, July 1979.
[Edwin et al. 1979c]
Edwin, K. W., Kochs, H.-D., Danda, R. (1979). Reliability determination of
non-Markovian power systems, Part II: A basic simulation technique. IEEE
Paper A 79503-4, PES Summer Meeting, Vancouver, July 1979.
[Endrenyi 1978]
Endrenyi, J. (1978). Reliability Modelling in Electric Power Systems. Toronto/
Canada: J. Wiley & Sons (338 pages), ISBN 0 471 99664 5.
[Fahrmeier et al. 2010]
Fahrmeier, L., Künstler, R., Pigeot, I., Tutz, G. (2010). Statistik. Der Weg zur
Datenanalyse. Springer-Verlag Berlin, 7. Auflage, ISBN 978 3 642 01938 8,
610 Seiten.
[Felton 1794]
Felton, W. (1794). A Treatise on Carriages: Comprehending Coaches, Cha-
riots, Phaetons, Curricles, Whiskeys, &c. (321 pages), https://archive.org.
[Frank 1995]
Frank, M. V. (1995). Choosing among safety improvement strategies: a dis-
cussion with example of risk assessment and multi-criteria decision approach-
es for NASA. Reliability engineering & systems safety, vol. 49, no 3, pp. 311-
324, Elsevier, Oxford, 1995.
[Frank 1996]
Frank, M. V. (1996). Reliability Considerations in the Mission Architecture of
the Micro-Meteorological Mission to Mars. Proceedings of the Probabilistic
Safety Assessment and Management Conference, Crete, Greece, Springer-
Verlag, June 1996.
[Heard et al. 2006]
Heard, A., Pensky, M. (2006). Confidence Intervals for Reliability and Quantile
Chapter 7 367

Functions With Application to NASA Space Flight Data. IEEE Transactions on


Reliability, Volume 55 , Issue 4, Dec. 2006, pp. 591-601.
[ICDE 2011]
Johanson, G., Lindberg, S. (2011). ICDE International Common-Cause-
Failure Data Exchange. Summary of several ICDE Project Reports (operated
under the umbrella of OECD/NEA/CSNI, WGOE) https://www.eskonsult.se/
ProjectPortal2/ICDE?M=1703 (accessed on March 2016).
[IEC 60050-192:2015]
IEC 60050-192:2015. International electrotechnical vocabulary - Part 192: De-
pendability: International Electrotechnical Commission. IEC 60050-192 ed.
1.0, Copyright © 2015 IEC Geneva, Switzerland. www.iec.ch.
[IEC 60812:2006]
IEC 60812-2006-01 (2006). Analysis techniques for system reliability - Proce-
dure for failure mode and effects analysis (FMEA). CEI IEC 60812.
[IEC 61025:2006]
IEC 61025 (2006). Fault tree analysis (FTA). IEC 61025:2006-12.
[IEC 61078:2015]
IEC 61078 (2015). Analysis techniques for dependability - Reliability block
diagram and Boolean methods. E DIN EN 61078:2015-04 (Draft).
[IEC 61165:2006]
IEC 61165 (2006). Anwendung des Markoff-Verfahrens. (Application of Mar-
kov techniques.) DKE Deutsche Kommission Elektrotechnik Elektronik Infor-
mationstechnik im DIN und VDE.
[IWW 2012]
Rheinisch-Westfälisches Institut für Wasser IWW (2012). Technisch-wissen-
schaftliche Neubewertung des Alterungs- und Ausfallverhaltens von Rohrlei-
tungen in Wasserverteilungssystemen. IWW (Herausgeber), Mülheim an der
Ruhr, Deutschland, Abschlussbericht zum DVGW-Forschungsprojekt W 6/03/
07, Januar 2012.
[Kececioglu 2002]
Kececioglu, D. (2002). Reliability Engineering Handbook, Volume 2. DEStech
Publications, Lancaster, Pennsylvania, USA, ISBN 1 932078 00 2.
[Kochs 1974]
Kochs, H.-D. (1974). Wahrscheinlichkeitstheoretisches Modell zur Beschrei-
bung des mehrstufigen stochastischen Betriebsverhaltens elektrischer Anla-
gen. Berichte über Untersuchungen des Instituts für Elektrische Anlagen und
Energiewirtschaft (IAEW) der RWTH Aachen in Verbindung mit der For-
schungsgesellschaft Energie (FGE) an der RWTH Aachen, S. 72-87.
[Kochs 1976]
Kochs, H.-D. (1976). Zuverlässigkeitsmodelle zur Berechnung des Leistungs-
Chapter 7 368

verhaltens von Kraftwerkssystemen. Dissertation am Institut für Elektrische


Anlagen und Energiewirtschaft (IAEW) der RWTH Aachen, 1976, 106 Seiten.
[Kochs 1982]
Kochs, H.-D. (1982). Application of the Markov Cut-Set Approach to Industrial
Systems. Reliability in Electrical and Electronic Components and Systems,
EUROCON ’82 Copenhagen, North-Holland Publishing Company, pp. 438-
445.
[Kochs 1984]
Kochs, H.-D. (1984). Zuverlässigkeit elektrotechnischer Anlagen - Einführung
in die Methodik, die Verfahren und ihre Anwendung. Springer-Verlag Berlin
Heidelberg New York Tokyo, ISBN 3 540 13475 1 und ISBN 0 387 13475 1,
400 Seiten.
[Kochs 1985]
Kochs, H.-D. (1985). Zuverlässigkeitsberechnung von Leitsystemen - Metho-
dik, Verfahren und Anwendung. etz Archiv Bd. 7 (1985), H. 9.
[Kochs et al. 1993]
Kochs, H.-D., Dieterle, W., Dittmar, E. (1993). Zuverlässigkeit verteilter Leitsy-
steme - eine praxisorientierte Analyse. Automatisierungstechnische Praxis
atp 35 (12/1993).
[Kochs 1996]
Kochs, H.-D. (1995/1996). Zuverlässigkeitsermittlung großer und komplexer
Systeme mit effizienten Näherungsverfahren. at - Automatisierungstechnik,
Theorie für den Anwender, Teil 1: 11/1995, Teile 2 bis 7/1996, Oldenbourg-
Verlag.
[Kochs et al. 1996]
Kochs, H.-D., Dieterle, W., Dittmar, E. (1996). Reliability Evaluation of Highly
Reliable Computer Control Systems for Energy Generation, Transmission and
Distribution. European Transactions on Electrical Power (ETEP), Vol. 6, No.
2, March/April 1996, pp. 111-118.
[Kochs et al. 1997]
Kochs, H.-D., Jankowiak, F., Hilmer, H. (1997). Systematisierungsansätze zur
Sicherheits- und Zuverlässigkeitsanalyse von Handhabungssystemen. VDI-
Berichte 1315, VDI-Verlag, Düsseldorf, 1997, Seite 53-73.
[Kochs et al. 1999]
Kochs, H.-D., Hilmer, H., Nisbach, T. (1999). Efficient Approximate Reliability
Evaluation using the Markovian Minimal Cut Approach. Journal of Universal
Computer Science. vol. 5, no. 10 (1999), Springer Pub. Co., pp. 644-667.
[Kochs 2001]
Kochs, H.-D. (2001). Schwachstellenanalyse am Beispiel der Concorde. Au-
tomatisierungstechnische Praxis atp, 10/2001, Seite 38-43.
Chapter 7 369

[Kochs 2002]
Kochs, H.-D. (2002). Mechatronic System Dependability Analysis - An Appli-
cation Example. Architecture of Computing Systems, ARCS 2002, Workshop
Proceedings, Karlsruhe, VDE Verlag GmbH Berlin Offenbach, ISBN 3 8007
2686 6, pp. 55-65.
[Kochs 2004]
Kochs, H.-D. (2004). Key Factors of Dependability of Mechatronic Units:
Mechatronic Dependability. In: Panel Session on Risk Management and
Dependability - What are the Key Factors? 28th Annual International Comput-
er Software and Applications Conference (COMPSAC 2004), IEEE Computer
Society Press, Hong Kong 2004, pp. 584-586.
[Kochs et al. 2004]
Kochs, H.-D., Petersen, J. (2004). A Framework for Dependability Evaluation
of Mechatronic Units. International Conference on Architecture of Computer
Systems ARCS. Gesellschaft für Informatik (GI), Bonn, Proceedings, ISBN 3
8857 370 9, ISSN 1617 5468, pp. 92-105. Auch publiziert in GI/VDI/VDE-
GMA/ITG Mitteilungen Fachgruppe fehlertolerierende Rechensysteme. St.
Augustin: FhG-AiS, 2005, ISSN 0724 5319.
[Kochs et al. 2012]
Kochs, H.-D., Kongniratsaikul, P., Lutz, F. (2012). Comparing System Reli-
ability Considering Insufficient Knowledge: Application to HVDC Converter
Stations. IEEE-PES (Power & Energie Society), 22.-26.07.2012, San Diego,
CA, USA.
[Kochs 2012]
Kochs, H.-D. (2012). Ermittlung der Zuverlässigkeit / Verfügbarkeit industri-
eller Systeme - Anwendung auf ein Prozessleitsystem. (Reliability / Availability
Evaluation of Industrial Systems - Application to a Process Control System)
Fortschritt - Berichte VDI, Reihe 21, Nr. 403, ISBN 978 3 18 340321 9, 90 Seiten.
https://duepublico.uni-duisburg-essen.de/servlets/DocumentServlet?id=44357
[Kongniratsaikul 2009]
Kongniratsaikul, P. (2009). Evaluation of System Reliability Using the
Example of HVDC Systems. Master Thesis, University of Duisburg-Essen,
Germany, 2009.
[Kongniratsaikul 2014]
Kongniratsaikul, P. (2014). Uncertainty in Reliability Evaluation - A Frame-
work and Practical Case Studies. Dissertation, University of Duisburg-Essen,
2014, 152 pages.
[Kreyszig 1979]
Kreyszig, E. (1979). Statistische Methoden und ihre Anwendung. 7. Auflage,
Vandenhoeck & Rupprecht Göttingen, ISBN 3 525 40717 3.
Chapter 7 370

[Kreyszig 2010]
Kreyszig, E. (2010). Advanced Engineering Mathematics. 10th Edition, John
Wiley & Sons, ISBN 978 0 470 45836 4.
[Laprie 1992]
Laprie, J. C. (1992). Dependability: Basic Concepts and Terminology in
English, French, German, Italian and Japanese. Springer-Verlag, ISBN 978 0
387 82296 9.
[Laprie 1995]
Laprie, J. C. (1995). Dependability - Its Attributes, Impairments and Means in
Predictability Dependable Computing Systems. B. Randell, J. C. Laprie, H.
Kopetz and B. Littlewood Ed., Springer-Verlag, 1995.
[Lendering 2014]
Lendering, J. (2014). Royal Road. Articles on ancient history. Herodotus
Histories 8.98. http://www.livius.org/articles/concept/royal-road/? (Text last
modified on 16. August 2015). (accessed on March 2016).
[Limbourg et al. 2006]
Limbourg, P., Kochs, H.-D. (2006). Predicting Imprecise Failure Rates from
Similar Components: a Case Study using Neural Networks and Gaussian Pro-
cesses. ARCS Workshop "Dependability and Fault Tolerance", Frankfurt,
2006.
[Limbourg et al. 2007a]
Limbourg, P., Savic, R., Petersen, J., Kochs, H.-D. (2007). Fault tree analysis
in an early design stage using the Dempster-Shafer theory of evidence. Euro-
pean Safety and Reliability Conference, ESREL 2007, Stavanger, Norway,
2007 Taylor & Francis Group, pp. 713-722, ISBN 978 0 415 44786 7.
[Limbourg et al. 2007b]
Limbourg, P., Kochs, H.-D., Echtle, K., Eusgeld, I. (2007). Reliability Predic-
tion in Systems with Correlated Component Failures - An Approach Using
Copulas. ARCS Workshop Dependability and Fault Tolerance, Zürich,
Switzerland, 2007 VDE-Verlag, pp. 55-62.
[Limbourg 2008]
Limbourg, P. (2008). Dependability Modelling under Uncertainty - An Impre-
cise Probabilistic Approach. Springer-Verlag Berlin Heidelberg, ISBN 978 3
540 69286 7, 139 pages.
[MBB 1977]
Messerschmitt-Bölkow-Blohm (Herausgeber) (1977). Technische Zuverlässig-
keit. Springer-Verlag Berlin Heidelberg New York 1971, 2. Auflage 1977, ISBN
0-387-08237-9.
[McLaughlin et al. 1997]
McLaughlin Harpel, B., Bechta Dugan, J., Walker, I. D., Cavallaro, J. R.
Chapter 7 371

(1997). Analysis of robots for hazardous environments. IEEE Annual Reliabil-


ity and maintainability symposium 1997, pp. 111-116.
[Meyna et al. 2010]
Meyna, A., Pauli, B. (2010). Zuverlässigkeitstechnik - Quantitative Bewer-
tungsverfahren. 2. überarbeitete und erweiterte Auflage, Carl Hanser Verlag
München Wien 2010, ISBN 978 3 446 41966 7.
[mfk 2015]
Museum für Kommunikation Berlin, (2015). Berliner Luft Post - Installation von
Stefan Sous, 1999, Postkutsche der Deutschen Reichspost 1880. Exhibition.
[MIL-HDBK-217F 1991]
MIL-HDBK-217F (1991). Reliability Prediction of Electronic Equipment.
Department of Defense, Washington D.C., USA.
[MIL-STD-1629A 1980]
MIL-STD-1629A (1980). Procedures for Performing a Failure Mode, Effects
and Criticality Analysis. Department of the Navy, Lakehurst, NJ, 1980.
[Misra 1993]
Misra, K. B. (1993). New Trends in System Reliability Evaluation. Elsevier,
Amsterdam, 1993, ISBN 978 0 444 56526 6.
[Murphy et al. 2002]
Murphy, K. E., Carter, C. M., Brown, S. B. (2002). The Exponential Distribu-
tion: the Good, the Bad and the Ugly. A Practical Guide to its Implementation.
IEEE 2002 RAMS Conference, pp. 550-555.
[Nachtkamp 1979]
Nachtkamp, J. (1979). Verfügbarkeitsorientierte Zuverlässigkeitsunter-
suchung der Netzeinbindung und der Eigenbedarfsversorgung großer
Wärmekraftwerksblöcke. Dissertation am Institut für Elektrische Anlagen und
Energiewirtschaft (IAEW) der RWTH Aachen, 1979.
[NIST/SEMATECH 2014]
NIST/SEMATECH (2014). e-Handbook of Statistical Methods. Internet: http://
www.itl.nist.gov/div898/handbook/ (accessed on February 2014).
[NPRD 1995]
NPRD95 (1995). Nonelectronic Parts Reliability Data. IIT Research Institute /
Reliability Analysis Center, 201 Mill Street, Rome, New York 13440-6916,
1995.
[NPRD 2016]
NPRD95 (2016). Nonelectronic Parts Reliability Data. Reliability Databook
Series, Quanterion Solutions Incorporated. ISBN-10: 1 933904 76 3, ISBN-
13: 978 1 933904 76 4.
Chapter 7 372

[NUREG 2007]
Wiermann, T. E., Rasmuson, D. M., Mosleh, A. (2007). Common-Cause
Failure Database and Analysis - System: Event Data Collection, Classifica-
tion, and Coding. NUREG/CR-6268, Rev. 1, INL/EXT-07-12969, U.S. Nuclear
Regulatory Commission, Washington, DC 20555-0001, Date Published: Sep.
2007.
[Oberkampf et al. 2004]
Oberkampf, W. L., Helton, J. C., Joslyn, C. A., Wojtkiewicz, S. F., Ferson, S.
(2004). Challenge Problems: Uncertainty in System Response Given Uncer-
tain Parameters. Reliability Engineering and System Safety, vol. 85 (1-3),
2004, pp. 11-19.
[O’Connor et al. 2002]
O'Connor, P. D. T., Newton, D., Bromley, R. (2002). Practical Reliability Engi-
neering. 4 ed. Chichester, United Kingdom: Wiley &Sons, Websites. ISBN 0
470 84462 0.
[OECD 2013]
OECD/CSNI (2013). OECD/CSNI Workshop on Best Estimate Methods and
Uncertainty Evaluations. Nuclear Energy Agency, Workshop Proceedings,
Barcelona, Spain, 16-18 Nov. 2011, Part 1, NEA/CSNI/R(2013)8/PART1
(English version 28 Nov. 2013).
[Ostertag 1810]
Ostertag, J. Ph. (1810). Auswahl aus den kleinen Schriften. Sulzach, im Ver-
lage der Kommerzienrath Seidelschen Kunst- u. Buchhandlung, 1810, pp.
351.
[Pham 2003]
Pham, H. (Editor) (2003). Handbook of Reliability Engineering. Springer-Ver-
lag London (663 pages), ISBN 1 85233 453 3.
[Pradhan 1995]
Pradhan, Dhiraj K. (1995). Fault-tolerant computer system design. Prentice
Hall PTR, New Jersey, 1995, ISBN 978 0 130 57887 7.
[Rakowsky et al. 2001]
Rakowsky, U. K., Richardson, N. (2001). Wörterbuch der Zuverlässigkeit:
Begriffe, Definitionen, Stichworte. 2001 LiLoLe-Verlag Hagen. ISBN 3 934447
21 X.
[Rocquigny et al. 2008]
Rocquigny, E., Devictor, N., Tarantola, S. (2008). Uncertainty in Industrial
Practice - A guide to quantitative uncertainty management. ESReDA Project
Group on Uncertainty Management, Chichester, United Kingdom, Wiley, ISBN
978 0 470 99447 4.
Chapter 7 373

[Schneeweiss 1980]
Schneeweiss, W. G. (1980). Zuverlässigkeits-Systemtheorie. Köln, Datakon-
text, 1980, ISBN 3 921899 15 X.
[Schneeweiss 1989]
Schneeweiss, W. G. (1989). Boolean Functions with Engineering Applications
and Computer Programs. Springer-Verlag New York, 1989, ISBN 0 387 18892
4.
[Schneeweiss 1992]
Schneeweiss, W. G. (1992). Zuverlässigkeitstechnik - von den Komponenten
zum System. Datakontext, Köln, 1999, ISBN: 978 3 9218 9915 1.
[Schneeweiss 1999]
Schneeweiss, W. G. (1999). Petri Nets for Reliability Modeling. LiLoLe-Verlag
GmbH, Hagen, 1999, ISBN 3 934447 00 7.
[Schneeweiss 2001]
Schneeweiss, W. G. (2001). Reliability Modeling. LiLoLe-Verlag GmbH,
Hagen, 2001, ISBN 978 3 9344 4704 2.
[Schneeweiss 2009a]
Schneeweiss, W. G. (2009). Advanced Use of Fault Trees. LiLoLe-Verlag
GmbH, Hagen, 2009, ISBN 978 3 934447 12 7.
[Schneeweiss 2009b]
Schneeweiss, W. G. (2009). Renewal Processes for Reliability Modeling.
LiLoLe-Verlag GmbH, Hagen, 2009, ISBN 978 3 934447 13 4.
[Siemes 1980]
Siemes, B. (1980). Zur Berücksichtigung ungenauer Eingangsdaten bei der
Zuverlässigkeitsberechnung von Systemen der elektrischen Energieversor-
gung. Dissertation am Institut für Elektrische Anlagen und Energiewirtschaft
(IAEW) der RWTH Aachen, 1980.
[Singh et al. 1977]
Singh, C., Billinton, R. (1977). System Reliability Modelling and Evaluation.
Hutchinson & Co. London, 1977, ISBN 0091265002, 248 pages.
[Singh 1980a]
Singh, C. (1980). Markov cut-set approach for the reliability evaluation of
transmission and distribution systems. IEEE Paper A 80069-5, PES Winter
Meeting, New York, February 1980.
[Singh 1980b]
Singh, C. (1980). A cut-set method for reliability evaluation of systems having
s-dependent components. IEEE Transactions on Reliability, Vol. R-29, No. 5,
December 1980.
Chapter 7 374

[Swain et al. 1983]


Swain, A. D., Guttman H. E. (1983). Handbook of Human Reliability Analysis
with Emphasis on Nuclear Power Plant Applications. NUREG/CR-1278, San-
dia Laboratories, Albuquereque, 1983.
[Tekiner et al. 2011]
Tekiner, H., Coit, D. W. (2011). System Reliability Optimization Considering
Uncertainty: Minimization of the Coefficient of Variation for Series-Parallel
Systems. IEEE Transactions on Reliability, Vol. 60, No. 3, Sept. 2011, pp.
667-674.
[TM 5-698-5 2006]
Technical Manual 5-698-5. (2006). Survey of Reliability and Availability Infor-
mation for Power Distribution, Power Generation, and Heating, Ventilating and
Air Conditioning (HVAC) Components for Commercial, Industrial, and Util-ity
Installations. Headquarters, Department of the United States Army, Wa-
shington, DC, 22 July 2006.
[TM 5-698-1 2007]
Technical Manual 5-698-1 (2007). Reliability / Availability of Electrical &
Mechanical Systems for Command, Control, Communications, Computer,
Intelligence, Surveillance and Reconnaissance (C4ISR) Facilities. Headquar-
ters, Department of the United States Army, Washington, DC, 19 January
2007.
[VDI 2206]
VDI 2206 (2004). Design methodology for mechatronic systems. VDI, Beuth
Verlag, Berlin.
[Walley 1991]
Walley, P. (1991). Statistical Reasoning with Imprecise Probabilities. Chap-
man and Hall, Bruxelles.
[Wallerath et al. 2014]
Wallerath, M., Wehr, R. (2014). Neubestimmung der technischen Nutzungs-
dauer von Rohrleitungen. energie / wasser-praxis, 7/8 2014.
[WASH 1975]
WASH-1400 (NUREG-75/014) (1975). Reactor Safety Study - An As-
sessment of Accident Risks in U.S. Commercial Nuclear Power Plants. Ap-
pendices III and IV. United States Nuclear Regulatory Commission, Oct.
1975, National Technical Information Service, Springfield, Virginia 22161.
[Yates et al. 2004]
Yates, R. D., Goodman, D. (2004). Probability and Stochastic Processes: A
Friendly Introduction for Electrical and Computer Engineers. 2nd edition, Wi-
ley, ISBN 978 0 4712 7214 4.

You might also like