The first three layers are rather straightforward to describe since there is a general agreement on how to interpret fault trees and probability distributions. The Event Tree layer is much more delicate to handle. The reason stands in the dynamic nature of event trees and the lack of common interpretation for this formalism. To illustrate this point, we shall consider the toy example pictured in TODO.
This event tree is made of the following elements.
- An initiating event I
- Three functional events F, G, and H
- Six sequences ending in six (a priori) different states S1 to S6
The expected interpretation of this event tree is as follows. A fault tree is associated with each functional event. This fault tree describes how the functional event may occur. For the sake of simplicity, we may assume that its top-event has the same name as the functional event itself.
Upper branches represent a success of the corresponding safety mission, while lower branches represent its failure.
Applying the so-called fault tree linking approach, we obtain the following interpretation for the sequences.
::TODO
S1& = I \land \lnot F \land \lnot H\\
S2& = I \land \lnot F \land H\\
S3& = I \land F \land \lnot G \land \lnot H\\
S4& = I \land F \land \lnot G \land H\\
S5& = I \land F \land G \land \lnot F\\
S6& = I \land F \land G \land H
In practice, things are less simple:
- There may be more than one initiating event because the same event tree can be used with different flavors.
- Values of house events may be changed at some points along the branches to give flavors to fault trees. The value of a house event may be changed either locally to a fault tree, or for all the fault trees encountered after the setting point.
- The flavoring mechanism may be even more complex: some gates or basic events may be negated; some parameters of probability distributions may be impacted.
- The flavor given to a fault tree may depend on what has happened so far in the sequence: initiating event, value of house events, etc.
- Some success branches may not be interpreted as the negation of the associated fault tree but rather as a bypass. This interpretation of success branches is typically tool-dependent: some tools (have options to) ignore success branches; therefore, modelers use this “possibility” to “factorize” models.
- Branching may have more than two alternatives, or represent multi-states, not just success and failure, each alternative being labeled with a different fault tree.
- In the event tree linking approach, branching may involve no fault tree at all, but rather a multiplication by some factor of the current probability of the sequence.
- It is sometimes convenient to replace a sub-tree by a reference to a previously defined sub-tree. For instance, if we identify end-states S1 and S3 one the one hand, S2 and S4 on the other hand, we can merge the two corresponding sub-trees rooted. It saves space (both in computer memory and onto the display device) to replace the latter by a reference to the former.
In a word, event trees cannot be seen as a static description formalism like fault trees. Rather, they should be seen as a kind of graphical programming language. This language is used to collect and modify data when walking along the sequences, and even to decide when to stop to walk a sequence (in the event tree linking approach). The Model Exchange Format should thus reflect this programming nature of event trees.
Next Reading: XML Structure of Event Trees