Uncertainty-Aware Dynamic Reliability Analysis Framework for Complex Systems

Critical technological systems exhibit complex dynamic characteristics such as time-dependent behavior, functional dependencies among events, sequencing and priority of causes that may alter the effects of failure. Dynamic fault trees (DFTs) have been used in the past to model the failure logic of such systems, but the quantitative analysis of DFTs has assumed the existence of precise failure data and statistical independence among events, which are unrealistic assumptions. In this paper, we propose an improved approach to reliability analysis of dynamic systems, allowing for uncertain failure data and statistical and stochastic dependencies among events. In the proposed framework, DFTs are used for dynamic failure modeling. Quantitative evaluation of DFTs is performed by converting them into generalized stochastic Petri nets. When failure data are unavailable, expert judgment and fuzzy set theory are used to obtain reasonable estimates. The approach is demonstrated on a simplified model of a cardiac assist system.


I. INTRODUCTION
Fault tree analysis (FTA) is widely used for safety and reliability analysis of systems. FTA models are well-structured and easily understood. However, they are unable to model some aspects of system behavior such as dependencies between subsystems and components, and ordering among the component failure occurrences. For this reason, application of classical FTA is limited to systems whose components have no stochastic and temporal dependencies. However, in practical technological systems, not all events are statistically independent, and in such situations the assumption of statistical and stochastic independence of events can lead to an inappropriate estimation of system reliability. In order to model dependencies among events, classical FTA has been extended to introduce dynamic fault trees (DFTs) [1] and temporal fault trees (TFTs) [2], [3].
The DFT is a well-established dynamic version of the fault tree (FT) that enables modeling of time-dependent behavior in dynamic systems. Temporal dependencies among the system components and ordering among events are modelled using DFT gates such as functional dependency (FDEP), Priority-AND (PAND), and SPARE gates. These gates capture temporal behavior, and therefore the classical combinatorial solutions for the quantification of FTs are not suitable for DFTs. Alternative analytical solutions have been proposed in [4], [5], but these approaches do not account for stochastic dependencies among events or cater for uncertainty in failure data.
DFTs can be quantified by converting them into Markov chains [6], [7]. However, Markov chains are limited to exponential distributions and the associated memoryless property. This requirement may be too tight for modeling complex systems. Bayesian network (BN) based methodologies [8]-[12] have also been developed for the quantitative analysis of DFTs. BN-based approaches can use both discrete- and continuous-time models. When BN models are used to quantify DFTs, it is first necessary to decide on the model of time. On the one hand, with discrete-time models the issue of time discretisation arises [9]. On the other hand, with continuous-time models it may become tedious to express the joint probability distribution of internal nodes with many parents as a probability density function. Expert judgments are often used for this purpose, but integrating expert judgement becomes more tedious because the information must be specified as probability density functions instead of rules, which is not always intuitive for designers and engineers.
Generalized Stochastic Petri Nets (GSPNs) [12] are also used to quantify DFTs. The underlying reachability graph of a GSPN is isomorphic to a continuous-time Markov chain. However, in contrast to Markov chains, GSPN models are able to model non-exponential distributions. Similar to BN-based models, GSPNs can model stochastic dependencies among events. In fact, Generalized Continuous Time BN (GCTBN) models [13] are solved by converting them to GSPNs. In addition to the benefits of BN-based models for DFT modeling, GSPN models provide a one-to-one interface for other purposes such as formal specification and verification, which cannot be handled with other formalisms. Accordingly, this work adopts GSPN as the underlying stochastic modeling formalism to quantify and evaluate DFT models.
Generally, quantitative FTA assumes known failure rates or probabilities of failure of system components. In practice, it is often difficult to obtain these data for all the components, which introduces uncertainty into the analysis. A few methods have been proposed to perform quantitative analysis with unknown and uncertain failure data. One such approach is fuzzy fault tree analysis (FFTA) [14], an extension of classical fault trees in which fuzzy failure data are used in the reliability quantification process instead of crisp values. More information about FFTA and its applications in different areas can be found in [15]. As FFTA is an extension of classical FTs, it inherits all the limitations of classical FTA.
Recently, some attempts such as [16]-[23] have been made to incorporate the concept of uncertainty in DFT analysis. In this paper, we propose a comprehensive uncertainty-aware framework for reliability analysis of complex dynamic systems. The framework combines DFTs with GSPNs and fuzzy set theory. DFTs are used to model the dynamic failure behavior of systems. To quantify the DFTs, including statistical and stochastic dependencies, DFTs are translated into a GSPN model. Fuzzy set theory and expert judgments are combined to obtain estimates of failure data for basic events (BEs) of the DFT when such data are unavailable.
Accordingly, the contribution of this paper is the proposal of a novel method which is able to take into account statistical and temporal dependencies in the failure logic as well as uncertainty in component failure data. This approach quantifies complex and dynamic systems accurately, taking into account temporal and stochastic dependencies, and it enables the reliability analysis of complex systems when exact failure data for their constituent components are lacking.
The rest of this paper is organised as follows. Section II presents fundamental concepts and related work. Section III introduces the proposed reliability analysis framework. Section IV applies the proposed approach to a numerical case study and, finally, Section V draws conclusions.

II. BACKGROUND AND RELATED WORKS

A. DYNAMIC FAULT TREE ANALYSIS
Fault tree analysis was first introduced by Bell Laboratories in 1962 for a ballistic control system [24]. The process to design an FTA model follows a top-down procedure, starting from the undesired system-level top event (TE), which represents the system failure condition. The TE is decomposed into a combination of intermediate events, which are defined with Boolean logic. The intermediate events are further decomposed using Boolean logic down to the specification of the lowest-level event causes, which are named basic events (BEs). Fig. 1 shows an FTA example.
FTA cannot accommodate temporal dependencies. For instance, Boolean logic does not allow temporal ordering of events, the effect of which may be significant. Many systems use activation mechanisms to activate spares when primary systems fail, and whether the activation mechanism has failed before or after the failure of the primary determines whether the spare is activated. To address such issues, classical FTA was augmented with gates that capture dynamics in the DFT method [1]. Fig. 2 below shows the main static and dynamic gates used in DFT analysis, the function of which is briefly defined as follows:
• Y = AND(X_1, ..., X_N): Y occurs only if all the BEs {X_1, ..., X_N} fail simultaneously.
• FDEP(T, D_1, ..., D_N): the occurrence of the trigger event T enforces the occurrence of the BEs {D_1, ..., D_N}. This gate has no logical output.
• Y = SEQ(X_1, ..., X_N) models the sequence-enforcing gate, which forces the events to occur in a specific left-to-right order.
A DFT model can be analysed qualitatively and quantitatively. The main result of qualitative analysis is the Minimal Cut Sequence Set (MCSQ) expression, which identifies the temporally ordered combinations of minimal necessary BEs that can cause the system-level failure. The main outcome of quantitative analysis is the failure probability of the top event (TE), typically representing the probability of a system failure. The work presented in this paper focuses on quantitative analysis.
Quantitative analysis requires specification of the probability distributions of the BEs. Widely accepted distributions include the Weibull and exponential distributions, but the choice depends on the specific system under study. Note that quantitative analysis is not limited to the system-level failure probability; other assessments and metrics can be extracted from the DFT model, such as criticality analysis, which calculates the contribution of each BE to the occurrence of the TE.

B. PETRI NETS
Petri nets (PNs) are a graphical and mathematical modeling formalism suitable for the specification and analysis of complex, distributed and concurrent systems [25]. A conventional PN is a bipartite directed graph containing a finite set of places, a finite set of transitions, and a finite set of directed arcs. In a PN model, places and transitions are graphically represented by circles and rectangles, respectively. Directed arcs connect places to transitions and transitions to places. Tokens (black dots) specify the states of the places in a PN model. The enabling condition of a transition is the presence of a certain number of tokens in its input place(s). When a transition fires, a certain number of tokens are deposited in the output place(s) of the transition.
Classical PNs are suitable for modeling simple system behavior; however, to model more complex scenarios, PNs have been extended with different features. One such feature is the inhibitor arc, which is usually represented by an arc that ends in a small circle. This type of arc differs from a normal arc in that it enables a transition when the input place has no token and disables the transition when the place has a token, i.e., the opposite behavior of a normal arc. Stochastic Petri nets (SPNs) [26] are another extension of PNs that allow exponentially distributed transition delays to be defined. GSPNs [13] extended SPNs by allowing immediate and timed transitions to coexist in a single PN model. Black and white bars represent immediate and timed transitions, respectively. In a GSPN model, an immediate transition has priority over a timed transition and fires first when both are enabled simultaneously.
Application of PNs to system safety and reliability analysis can be traced back to the 1980s [27], [28]. In [29] and [30], methodologies have been proposed to convert classical fault trees to PNs for reliability evaluation. DFTs have been translated into GSPNs for reliability analysis of dynamic systems in [31]-[33].

C. FUZZY SETS IN UNCERTAINTY ANALYSIS
Fuzzy set theory was formalized in 1965 by Zadeh [34] and has since been widely applied, including for dealing with uncertainty in safety and reliability analysis. The use of qualitative fuzzy terms provides flexible modeling of imprecise data and information. The main purpose of fuzzy terms is to allow a gradual transition between different conditions. A classical set contains elements which satisfy exact characteristics of membership. A fuzzy set, on the other hand, contains elements that satisfy ambiguous characteristics of membership, i.e. membership can be partial. A comparison between a classical (Boolean) set and a fuzzy set can be seen in Fig. 4. For classical sets, in a universe U, an element D can either be a member of some crisp set S or not. This binary characteristic of membership can be defined as follows: The binary membership was extended by Zadeh to incorporate different degrees of membership on the real interval from zero to one, [0, 1]. Zero means that there is no membership, whereas the endpoint of the interval (one) indicates complete membership. A set over the universe U which accommodates degrees of membership is named a fuzzy set. Thus, using the notation µ_S(D) ∈ [0, 1], a fuzzy set S is defined with µ_S(D) the degree of membership of element D in S, or briefly the membership function of S. The value of µ_S(D) lies in the interval [0, 1] and corresponds to the degree to which element D is a member of the fuzzy set S. The higher the value of µ_S(D), the stronger the membership of D in S. Information about arithmetic operations on fuzzy numbers can be found in [36].
Several developments of fuzzy set theory have been proposed to improve the flexibility of conventional fuzzy set theory. Atanassov [37] introduced an extension of fuzzy set theory called intuitionistic fuzzy sets. These include membership as well as non-membership functions, and can deal better with uncertainties that may arise from biased results. However, intuitionistic fuzzy sets increase complexity and computation time. Chen and Hwang [38] developed fuzzy reasoning using algebraic properties of fuzzy sets, including bounded sum, unbounded sum, union, intersection, and algebraic product, in order to provide solutions to complex problems. In addition, Atanassov [39] introduced an extension to intuitionistic fuzzy sets with hesitation margin groups to cope with complexity. However, computation time remains a significant limitation of this model.

III. THE PROPOSED UNCERTAINTY-AWARE DYNAMIC RELIABILITY APPROACH
The framework of the proposed approach is shown in Fig. 5.

A. FAULT TREE MODELLING
In this step, the dynamic behavior of the system is modelled using a DFT. As the DFT is an extended version of the classical fault tree, it can be created following the procedure described in the fault tree handbook [40]. The objectives of a DFT in general include (1) identifying all possible ways of causing an undesired event, called the top event (TE), (2) providing a provable record of the analysis process, and (3) providing the foundations for design evaluation and practical alternatives [41].
Selection of a TE requires good knowledge of the system function and, from that, the projection of hazardous deviations from that function. An example TE is "failure of control circuit M which sends a signal when it is necessary" [42], [43]. Boundary conditions are then determined, distinguishing which failures and contributing factors will be included in the analysis and which will not. Finally, the resolution is determined, defining the level of detail in the analysis of root causes. DFTs are constructed in a top-down fashion using the logic gates outlined in Section II.A to show the logical and temporal connections between events. The following sections deal with DFT evaluation.

B. PETRI NET MODELLING
This step takes the DFT generated in the previous step as input and converts it into a GSPN model. Each DFT module (e.g., basic event, logic gate) is translated into a GSPN subnet and all the subnets are combined to obtain an overall GSPN of the DFT. The conversion of DFTs to GSPNs follows the concepts from [29]-[32], [44]. The GSPN model of a BE is shown in Fig. 6. The place x.up represents the state in which the basic event x has not occurred, i.e., the component associated with the BE has not failed. The timed transition x.f is characterised by the failure rate of the BE. If the time to failure is exponentially distributed with rate λ, then the probability that the transition has fired by time instant t is 1 − e^(−λt). The place x.dn represents the failed state of the basic event x. This place receives a token when x.f fires. Note that the failure rate of some BEs may not be available. The GSPN of such events is still created, but the value of the firing rate of the timed transition is left empty and incorporated later using expert judgment.
GSPNs of the Boolean gates (AND and OR) are shown in Figs. 7 and 8, respectively. In the GSPN model of the AND gate, all input places (X_1.dn, X_2.dn, ..., X_n.dn) are connected to a single immediate transition. When all the input places hold a token, the immediate transition fires and deposits a token in the output place X.dn, i.e., all inputs of the AND gate must be true to make the outcome of the AND gate true. Unlike the GSPN model of the AND gate, the GSPN model of the OR gate represents a disjunction of events. In the latter, each input place is connected to a distinct immediate transition, which ensures that the output place gets a token when any of the input places gets a token, i.e., the output of the OR gate becomes true when any of its inputs becomes true.
In the GSPN model of the PAND gate, the place X.dn represents the outcome of the PAND gate. If the events occur in the required sequence, this place gets a token. If the sequencing is violated, the place X.ok gets a token, confirming that the PAND gate output cannot become true. This place is connected to the immediate transition T_n through an inhibitor arc, which ensures that the place representing the PAND gate outcome does not get a token if all the input events of the PAND gate occur but not in the required sequence.
The GSPN model in Fig. 10 models the behavior of the FDEP gate. As seen in Section II.A, the FDEP gate has no logical output. If the trigger event occurs, the dependent events also occur. In the GSPN model, the place T.dn represents the failed state of the trigger event, whereas the places {D_1.dn, ..., D_n.dn} represent the failed states of the dependent events. The dependent events can fail independently due to their internal failures, and the places representing their failed states can get tokens that way. However, as seen in Fig. 10, the places {D_1.dn, ..., D_n.dn} also get a token if the place T.dn gets a token, i.e., the dependent events occur if the trigger event occurs.
The GSPN model of a warm spare gate is shown in Fig. 11. The places S1.dn and S2.dn represent the failed states of the two spare components S1 and S2, respectively. For both components, the failed state can be reached in two ways. In the first, while the components are in passive mode, an internal failure takes them to the failed state. In the GSPN model, S1.passive and S2.passive represent the passive modes of the two spare components. The timed transitions S1.p_f and S2.p_f represent the failure rates of the components in passive mode; firing of these transitions takes the components to their failed mode. In the second way, the spare components are first activated due to the failure of the primary component. This scenario is modelled by the immediate transitions wsp1 and wsp2 for components S1 and S2, respectively. The timed transitions S1.a_f and S2.a_f represent the failure rates of the components in their active mode, and firing of these transitions takes the components from their active mode to their failed mode. When the places P.dn, S1.dn and S2.dn are all marked (i.e., all components have failed), the immediate transition wsp3 fires and deposits a token in place Y.dn, making the outcome of the spare gate true. A cold spare gate can be modelled with a GSPN in a similar way; however, for the cold spare gate the part showing the failure of the spare components in passive mode is not required.
A GSPN model of a SEQ gate is shown in Fig. 12. This model forces the input events to occur in a sequence. For instance, the timed transition X_2.f can fire only after X_1.dn gets a token, i.e., when the event X_1 occurs. In this way, the GSPN model ensures that the event X_2 can occur only after X_1. The place X.dn represents the outcome of the SEQ gate, and this place gets a token when the last event in the SEQ gate becomes true, thus maintaining the sequencing.
Given the above conversion rules for the basic event and the logic gates, Fig. 13 shows the pseudocode of a function that converts a DFT to a GSPN in the course of a depth-first traversal of the DFT. We assume a typical computational representation of a tree, where a gate is a 'node' pointing to a 'child' (the first input to the gate), which is then linked to a list of siblings representing the rest of the gate inputs. Basic events have no child and can be detected as such.
The function is called with the top event of the DFT as its argument. The tree is traversed via recursive calls until basic events are found and translated into simple GSPN modules using the rules given above. When a gate is encountered, the algorithm determines whether the inputs to the gate have already been translated to GSPN. If the inputs have not yet been translated, a recursive call is initiated to do the translation bottom-up at the lower levels first. If the inputs to the gate have been translated, a GSPN module for the gate is constructed from the input GSPNs using the rules given in this section for each type of gate. Progressively, gates at higher levels of the tree, and ultimately the top event of the DFT, are translated to GSPN using the appropriate rules and input GSPN modules. The computational complexity of this translation process depends on the size and complexity of the DFT itself. Moreover, the types of logic gates being translated also affect the performance of the translation process.

C. FAILURE DATA COLLECTION
The BEs of the DFT can be classed into those with known failure rates and those with unknown failure rates. Known failure rates are typically determined by consulting reliability data handbooks such as PDS or OREDA [45], [46]. For the estimation of unknown failure rates, methods include statistical extrapolation and expert judgment [47]. In this study, the expert judgment method is used as an integration of fuzzy set theory and subjective opinions [48]. Various methods are available to aggregate experts' opinions, such as fuzzy priority relations, game theory, arithmetic averaging, the max-min Delphi method, and the similarity aggregation method (SAM) [49], [50], [51]. Liu et al. [52] have argued that there is no way to determine which technique is superior.
In this study, we have opted for the SAM method, which considers both homogeneous and heterogeneous groups of experts. The qualitative terms used in the study to express and collect the experts' opinions are defined as a combination of triangular and trapezoidal fuzzy numbers from which failure rates are estimated [53]. The group of experts was treated as heterogeneous because in practice their opinions bring different value and weight to the final result. Consequently, to qualify the measurements, the relevance of the experts was ranked using a methodology that takes into account professional position, job experience, education level, and age (see [54]-[59]). The score rating of the experts was determined according to Table 1.
The rating of an expert judgment can be done according to the weight given to each BE. Linguistic expressions are highly valuable for dealing with circumstances that are ill-defined or too complex to be described in the conventional quantitative form [24]. In order to convert qualitative terms to corresponding fuzzy numbers, Chen and Hwang [38] proposed a numerical approximation whose scales are built from commonly used verbal expressions. Chen's conversion scale is provided in Table 2, in which scale one contains two verbal terms and scale eight contains thirteen verbal terms [60], [61]. In addition, Lavasani et al. [58] suggested that humans are capable of distinguishing effectively between five and nine linguistic expressions that cover a range of possible outcomes. Using this theory, we have opted for a scale of six using five verbal terms that provide options for the subjective evaluation of experts with regard to estimating the probability of failure. Table 3 presents the fuzzy membership functions in the form of trapezoidal numbers. The linguistic expressions of Fig. 14 are in the form of both triangular and trapezoidal fuzzy numbers, and it is possible to transform all the triangular fuzzy numbers into the corresponding trapezoidal fuzzy numbers. Table 3 illustrates the fuzzy numbers of Fig. 14 in the form of trapezoidal numbers. Let us assume that each expert E_l (l = 1, 2, ..., m) expresses their viewpoint about a specific attribute in a certain context using qualitative terms. The qualitative terms are converted to the corresponding fuzzy numbers as follows:
Step 1: Computing the degree of similarity (degree of agreement). S_uv(R_u, R_v) is defined as the similarity between the opinions of each pair of experts E_u and E_v. If Ã = (a_1, a_2, a_3) and B̃ = (b_1, b_2, b_3) are two standard triangular fuzzy numbers, the degree of agreement function S is defined as:
Step 2: When S(Ã, B̃) ∈ [0, 1], the greater the value of S(Ã, B̃), the higher the similarity between the two experts with respect to the fuzzy numbers Ã and B̃. For two standard trapezoidal fuzzy numbers, the value of j in Equation (2) should be equal to 4.
The Average of Agreement (AA) degree AA(E_u) of an expert's opinions is given by:
Step 3: The Relative Agreement (RA) degree RA(E_u) of all experts is given by:
Step 4: The Consensus Coefficient (CC) degree CC(E_u) of the opinions of expert E_u (u = 1, 2, ..., m) is given by:
where W(E_u) is the weighting factor for expert E_u. Using the weighting criteria from Table 1, W(E_u) can be calculated as:
where WS(E_j) is the total weight scored by expert E_j. The coefficient β in Equation (5) is a relaxation factor, satisfying 0 ≤ β ≤ 1, that expresses the importance of W(E_u) relative to RA(E_u). When β = 0, no weight is given to the experts' ratings and a homogeneous group of experts should be employed, whereas β = 1 signifies that the consensus degree among the different expert opinions is high enough to assign it a good weight.
Hsu and Chen [62] suggest that the consensus coefficient of each expert is better known when the comparative competency of each expert's opinion is estimated. Therefore, it is important for the decision maker to obtain a proper value of β.
Step 5: The aggregated result of the experts' judgment, R_AG, can be calculated as follows:
Step 6: Defuzzification procedure. In fuzzy set theory, defuzzification is employed to arrive at a crisp quantified outcome. Zhao and Govind [63] explore defuzzification issues in the application of fuzzy control in industrial operations. In general, the way defuzzification is done determines further decision making in a fuzzy environment. In this study, the center of area (CoA) defuzzification method is employed to obtain crisp failure possibilities (CFPs) of BEs. This method was extended by Sugeno et al. [64]. Equation (8) defines how the defuzzified output is derived from the fuzzy membership functions using this technique: where X* denotes the defuzzified output, µ_i(x) is the aggregated membership function, and x denotes the output variable.

TABLE 4. The CAS basic events (components) and their reference tags.
Equation (8) can be applied to both trapezoidal and triangular fuzzy numbers.
Step 7: Converting corresponding crisp possibility of BEs into failure probability (FP).
Equation (11), given by Onisawa [65], converts the crisp possibility of a BE into the corresponding FP. Onisawa [65], [66] mentions that this equation is derived from certain characteristics, including the appropriateness of anthropomorphic feeling to the logarithmic amount of a physical value.
If the FP is obtained for exponentially distributed data and for time t, then the failure rate of the BE can be determined as: The timed transitions of the GSPN model created in step 3 can now be completed with the failure data that have been estimated using fuzzy set theory and expert judgment. At this point, a mission time for the system can be defined, and the completed GSPN model can be simulated to predict the reliability of the system for this mission time.
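The aggregation chain of Steps 1 to 7, carried through in code as an added example that is not part of the paper: the similarity, agreement and consensus formulas are the standard Hsu and Chen SAM forms, the defuzzification is the trapezoidal centre of area, and the possibility-to-probability mapping is Onisawa's 10^(-K) form. The paper cites these by equation number only, so their exact form here is an assumption, and the opinions, Table 1 scores and scale values used below are constructed, not the paper's.

```python
"""Added example, not the paper's own code: Steps 1-7 of the SAM expert-opinion
aggregation carried through for one basic event, from trapezoidal (or
triangular) fuzzy opinions to a failure rate. The formulas are the standard
Hsu-Chen similarity aggregation, centre-of-area defuzzification and Onisawa
conversion; the paper cites them by equation number only, so their exact form
here is an assumption, and all input values below are constructed."""
import math


def similarity(a, b):
    """Step 1: S(A, B) = 1 - (1/j) * sum|a_i - b_i|, j = 3 (triangular) or 4
    (trapezoidal); S = 1 means identical opinions."""
    if len(a) != len(b) or len(a) not in (3, 4):
        raise ValueError("both numbers must be triangular or both trapezoidal")
    return 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def average_agreement(opinions):
    """Step 2: AA(E_u) = mean similarity of expert u with every other expert."""
    m = len(opinions)
    return [sum(similarity(opinions[u], opinions[v]) for v in range(m) if v != u)
            / (m - 1) for u in range(m)]


def relative_agreement(aa):
    """Step 3: RA(E_u) = AA(E_u) / sum_v AA(E_v); the RAs sum to 1."""
    total = sum(aa)
    return [x / total for x in aa]


def expert_weights(scores):
    """W(E_u) = WS(E_u) / sum_j WS(E_j), WS being the Table 1 score total."""
    total = sum(scores)
    return [s / total for s in scores]


def consensus_coefficients(opinions, scores, beta=0.5):
    """Step 4: CC(E_u) = beta * W(E_u) + (1 - beta) * RA(E_u), 0 <= beta <= 1;
    beta = 0 ignores the weights (homogeneous group), beta = 1 uses only them."""
    ra = relative_agreement(average_agreement(opinions))
    return [beta * w + (1.0 - beta) * r for w, r in zip(expert_weights(scores), ra)]


def aggregate(opinions, scores, beta=0.5):
    """Step 5: R_AG = sum_u CC(E_u) * R_u, taken component by component."""
    cc = consensus_coefficients(opinions, scores, beta)
    return tuple(sum(c * op[i] for c, op in zip(cc, opinions))
                 for i in range(len(opinions[0])))


def centre_of_area(fz):
    """Step 6: CoA X* = int x*mu(x) dx / int mu(x) dx for a trapezoid
    (a1, a2, a3, a4), in closed form; a triangle (a1, a2, a3) is handled as
    the trapezoid (a1, a2, a2, a3)."""
    a1, a2, a3, a4 = fz if len(fz) == 4 else (fz[0], fz[1], fz[1], fz[2])
    if a4 == a1:                      # degenerate: already a crisp value
        return float(a1)
    num = a4 ** 2 + a3 * a4 + a3 ** 2 - a2 ** 2 - a1 * a2 - a1 ** 2
    return num / (3.0 * (a4 + a3 - a1 - a2))


def onisawa_probability(cfp):
    """Step 7: FP = 10**(-K) with K = ((1 - CFP) / CFP)**(1/3) * 2.301, and
    FP = 0 when CFP = 0."""
    if cfp <= 0.0:
        return 0.0
    k = ((1.0 - cfp) / cfp) ** (1.0 / 3.0) * 2.301
    return 10.0 ** (-k)


def failure_rate(fp, t_hours):
    """Exponential model FP = 1 - exp(-lambda * t)  =>  lambda = -ln(1 - FP) / t."""
    return -math.log(1.0 - fp) / t_hours


def estimate_failure_rate(opinions, scores, t_hours, beta=0.5):
    """Whole chain for one BE: opinions -> R_AG -> CFP -> FP -> lambda."""
    r_ag = aggregate(opinions, scores, beta)
    cfp = centre_of_area(r_ag)
    fp = onisawa_probability(cfp)
    return r_ag, cfp, fp, failure_rate(fp, t_hours)


if __name__ == "__main__":
    # Constructed input: three experts rate one BE on a five-term trapezoidal
    # scale; values are illustrative, not the paper's Table 3 or Table 7.
    OPINIONS = [(0.2, 0.3, 0.4, 0.5),    # "low"
                (0.3, 0.4, 0.6, 0.7),    # "medium"
                (0.2, 0.3, 0.4, 0.5)]    # "low"
    SCORES = [14, 9, 11]                 # hypothetical Table 1 totals WS(E_j)
    print(estimate_failure_rate(OPINIONS, SCORES, t_hours=1000.0, beta=0.5))
```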

1) CRITICALITY ANALYSIS
Criticality analysis allows the critical BEs in the dynamic fault tree to be identified. The criticality of a BE is determined by calculating its contribution to the TE probability. This information can identify the weakest parts of the system, thus pointing towards areas for design improvement. Different criticality analysis techniques, such as the Birnbaum importance measure (BIM) and risk reduction worth [40], are widely used.
Using BIM, the contribution of a BE to the occurrence of the TE is determined by taking the difference between the TE probabilities obtained by setting the probability of the BE to 1 and to 0, respectively. In our proposed framework, we can use the GSPN model to obtain the BIM of BEs as follows: where I_BIM(BE_i) is the BIM of the basic event BE_i, P(Top Event | BE_i = 1) is the probability of the TE given that the probability of BE_i is 1, and P(Top Event | BE_i = 0) is the probability of the TE given that the probability of BE_i is 0.
To make the probability of BE_i equal to 1 in the GSPN model, we have to set the firing rate of the corresponding timed transition to 1. On the other hand, to make a component fully available, i.e. to consider the probability of a BE to be 0, we need to remove the token from the place representing the event. By doing this, we ensure that the transition connected to the place will never fire during the simulation. When the BIM of all components has been determined, we can rank them. The higher the BIM of an event, the more critical the event is.
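The Fig. 13 translation of Section III.B and the BIM computation above, as an added example that is not the paper's code or the ORIS tool: a depth-first DFT-to-GSPN translator for BE, AND, OR, PAND and FDEP gates, a Monte Carlo firing engine for the resulting net, and the Birnbaum measure obtained by re-marking a basic event. The DFT used in the demonstration is constructed, not the CAS of Fig. 15, and the test-arc and fire-once semantics of immediate transitions, as well as realising BE_i = 1 by an initial token in x.dn, are modelling choices of this example.

```python
"""Added example, not the paper's own code or the ORIS tool: the depth-first
DFT-to-GSPN translation of Fig. 13 (BE, AND, OR, PAND, FDEP), a Monte Carlo
firing engine for the resulting net, and the Birnbaum measure by re-marking a
basic event. My modelling choices: input arcs of immediate transitions are test
arcs (failed-state places keep their token), an immediate transition fires once
(only while its outputs are empty), and BE_i = 1 means marking x.dn at t = 0."""
import random

class GSPN:
    def __init__(self):
        self.marking = {}     # place -> tokens in the initial marking
        self.timed = []       # (name, rate, input place, output place)
        self.immediate = []   # (name, inputs, inhibitor places, outputs)

    def place(self, name, tokens=0):
        self.marking.setdefault(name, tokens)
        return name

    def enabled_immediate(self, m):
        """First immediate transition enabled in marking m, or None."""
        for name, ins, inh, outs in self.immediate:
            if (all(m[p] > 0 for p in ins) and not any(m[p] > 0 for p in inh)
                    and all(m[p] == 0 for p in outs)):
                return name, outs
        return None

def translate(net, node):
    """Fig. 13: translate the inputs first (recursive call), then the gate.
    node is ("BE", name, rate) or (gate, name, [input, ...]) with gate in
    {"AND", "OR", "PAND", "FDEP"}; the first FDEP input is the trigger T. A BE
    listed under several gates is translated once and then shared by name.
    Returns the place holding the node's failed state (None for FDEP)."""
    kind, name = node[0], node[1]
    if kind == "BE":
        if name + ".dn" in net.marking:               # shared BE, already done
            return name + ".dn"
        up, dn = net.place(name + ".up", 1), net.place(name + ".dn")
        net.timed.append((name + ".f", node[2], up, dn))   # rate = lambda of x
        return dn
    ins = [translate(net, child) for child in node[2]]
    if kind == "FDEP":                                # T.dn marked => D_i.dn marked
        for i, d in enumerate(ins[1:]):
            net.immediate.append((f"{name}.d{i}", [ins[0]], [], [d]))
        return None                                   # FDEP has no logical output
    ins = [p for p in ins if p is not None]           # drop FDEP pseudo-inputs
    out = net.place(name + ".dn")
    if kind == "AND":                                 # one transition, all inputs
        net.immediate.append((name + ".t", ins, [], [out]))
    elif kind == "OR":                                # one transition per input
        for i, p in enumerate(ins):
            net.immediate.append((f"{name}.t{i}", [p], [], [out]))
    elif kind == "PAND":
        ok = net.place(name + ".ok")                  # marked if order is violated
        for i in range(len(ins) - 1):                 # X_{i+1} down while X_i up
            net.immediate.append((f"{name}.v{i}", [ins[i + 1]], [ins[i]], [ok]))
        net.immediate.append((name + ".t", ins, [ok], [out]))   # inhibited by X.ok
    else:
        raise ValueError(f"unsupported gate {kind}")
    return out

def simulate(net, top_place, mission_time, runs, seed=1):
    """Unreliability P(top_place marked by mission_time) by Monte Carlo; firing
    delays are exponential, so re-sampling the race after each firing is exact."""
    rng, failed = random.Random(seed), 0
    for _ in range(runs):
        m, t = dict(net.marking), 0.0
        while True:
            while (hit := net.enabled_immediate(m)) is not None:   # priority
                for p in hit[1]:
                    m[p] = 1
            race = [(rng.expovariate(rate), src, dst)
                    for _, rate, src, dst in net.timed if m[src] > 0]
            delay, src, dst = min(race, default=(None, None, None))
            if delay is None or t + delay > mission_time:
                break                                  # nothing more fails in time
            t += delay
            m[src], m[dst] = 0, 1                      # the component fails
        failed += m[top_place] > 0
    return failed / runs

def birnbaum(net, top_place, be, mission_time, runs, seed=1):
    """I_BIM(BE_i) = P(TE | BE_i = 1) - P(TE | BE_i = 0) from two re-marked nets."""
    probs = []
    for up, dn in ((0, 1), (0, 0)):     # forced failed; then no x.up token, x.f never fires
        v = GSPN()
        v.timed, v.immediate = net.timed, net.immediate
        v.marking = dict(net.marking, **{be + ".up": up, be + ".dn": dn})
        probs.append(simulate(v, top_place, mission_time, runs, seed))
    return probs[0] - probs[1]

if __name__ == "__main__":
    # Constructed DFT (not the CAS of Fig. 15); SS forces both motor parts via FDEP.
    m, mc = ("BE", "M", 5e-4), ("BE", "MC", 5e-4)
    dft = ("OR", "TE", [("FDEP", "F", [("BE", "SS", 1e-4), m, mc]), ("AND", "MOTOR", [m, mc]),
                        ("PAND", "PUMPS", [("BE", "P1", 1e-3), ("BE", "P2", 1e-3)])])
    net = GSPN()
    top = translate(net, dft)
    print("unreliability at 1000 h:", simulate(net, top, 1000.0, 20000))
    print("BIM(SS):", round(birnbaum(net, top, "SS", 1000.0, 20000), 3))
```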

IV. NUMERICAL EXAMPLE
To illustrate the application of the proposed method, we use the benchmark case study of a simplified Cardiac Assist System (CAS) from [8]. The system consists of four modules: trigger, CPU unit, motor section, and pumps. The DFT of the CAS is shown in Fig. 15. The BEs of the DFT with their reference tags are shown in Table 4. As seen in the DFT, the trigger connected to the FDEP gate can become true due to the failure of either the crossbar switch (CS) or the system supervision (SS) or both. This trigger will cause both CPU units (P and B) to fail. The CPUs themselves are in a warm spare configuration, where P is the primary unit and B is the backup unit with a dormancy factor of 0.5. For the motor section of the system to fail, both MOTOR and MOTORC have to fail. The pump unit contains two cold spare gates, and for the pump unit to fail CSPGate_1 has to fail before CSPGate_2. CSPGate_1 and CSPGate_2 have PUMP_1 and PUMP_2 as their primary units, respectively, and both CSP gates share a common spare (Backup_PUMP).
We have considered that the failure rates of the BEs of the DFT are unknown. Following the process described in Section III.B, the DFT in Fig. 15 is translated into a GSPN model, and the unknown failure rates of the BEs are collected according to the process described in Section III.C. The GSPN model of the DFT after incorporating the failure rates of the BEs (values for timed transitions) is shown in Fig. 16. For the data collection process for the BEs, a heterogeneous group of experts was employed.
As is evident from Table 1, the experts' weights are not the same (see Table 5). Four experts participated in this study to make the judgments. Two of them have an M.Sc. degree in systems engineering and had been working as system analysts for over 8 years. The third expert has a B.Sc. degree in manufacturing engineering and had been working as a consultant and trainer for over four years. The last expert has a Ph.D. in industrial engineering and had been working as academic staff for over ten years. Job tenure and current activities of these experts are summarized in Table 6.
The experts' decision on the BEs which have unknown failure rates is given in Table 7.
The SAM technique was used to aggregate the expert opinions for t = 1000 hours. BE.1 is taken as an example, and the details of the aggregation are provided in Table 8. To compute the consensus coefficient using Equation (5), the relaxation factor β is set to 0.5 so that the experts' weights and their relative agreement are given equal importance.
In addition, Equations (9) and (10) are applied to defuzzify the failure possibility of each BE and to convert the resulting value to an FP, respectively. The computation for BE.1 is given as an example, and the results for the other BEs are provided in Table 9. From this FP value, the failure rate is calculated using Equation (12) as:

In the last step, we simulated the GSPN model of Fig. 16. Note that we used the ORIS Petri net simulator [67] to create and simulate the GSPN model. The unreliability of the CAS for different mission times is presented graphically in Fig. 17. The criticality of the BEs of the DFT was calculated using the process described in Section III.D.1, and the BEs were ranked by criticality, as shown in Table 10. As seen in the table, the basic events BE.1 and BE.2 are identified as the two most critical events; they represent the crossbar switch (CS) and the system supervision (SS), respectively. Thus, if analysts want to increase the reliability of the system, they may consider replacing these critical components with components of higher reliability, or introducing redundant components in parallel with them.
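The aggregation, defuzzification and conversion steps above, carried through end to end, as an added example that is not the paper's code. Equations (5), (9), (10) and (12) are not reproduced on this page, so the block assumes the standard Hsu-Chen similarity-based SAM, centre-of-area defuzzification, Onisawa's failure-possibility-score-to-FP conversion and λ = -ln(1 - FP)/t; the expert weights and trapezoidal ratings are constructed, not the paper's Table 5, 7 or 8 values.

```python
import math

# Constructed judgments for one basic event (e.g., BE.1): each rating is a
# trapezoidal fuzzy number (a1, a2, a3, a4) on [0, 1] and each weight is the
# expert's normalised score. NOT the paper's Table 5/7/8 values.
EXPERTS = [
    {"weight": 0.30, "rating": (0.1, 0.2, 0.2, 0.3)},
    {"weight": 0.30, "rating": (0.1, 0.2, 0.2, 0.3)},
    {"weight": 0.20, "rating": (0.2, 0.3, 0.4, 0.5)},
    {"weight": 0.20, "rating": (0.0, 0.1, 0.1, 0.2)},
]

def similarity(a, b):
    """Hsu-Chen similarity of two trapezoidal numbers: 1 minus mean |difference|."""
    return 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / 4.0

def sam_aggregate(experts, beta=0.5):
    """Similarity Aggregation Method: returns the aggregated trapezoid and the
    consensus coefficients. beta=0.5 weights expert score and agreement equally."""
    m = len(experts)
    # average agreement of each expert with all the others
    aa = [sum(similarity(e["rating"], o["rating"]) for o in experts if o is not e) / (m - 1)
          for e in experts]
    ra = [a / sum(aa) for a in aa]  # relative agreement
    cc = [beta * e["weight"] + (1.0 - beta) * r for e, r in zip(experts, ra)]
    agg = tuple(sum(c * e["rating"][i] for c, e in zip(cc, experts)) for i in range(4))
    return agg, cc

def defuzzify(tz):
    """Centre of area of a trapezoidal fuzzy number -> failure possibility score."""
    a1, a2, a3, a4 = tz
    den = 3.0 * (a4 + a3 - a1 - a2)
    if den == 0:  # degenerate (crisp) number
        return a1
    return (a4**2 + a3**2 + a3 * a4 - a1**2 - a2**2 - a1 * a2) / den

def fps_to_fp(fps):
    """Onisawa's conversion from failure possibility score to failure probability."""
    if fps <= 0:
        return 0.0
    if fps >= 1:
        return 1.0
    return 10.0 ** (-2.301 * ((1.0 - fps) / fps) ** (1.0 / 3.0))

def estimate_failure_rate(experts, t_hours=1000.0, beta=0.5):
    """Aggregate -> defuzzify -> FP -> constant failure rate per hour, assuming
    exponentially distributed failure times over the mission time t_hours."""
    agg, cc = sam_aggregate(experts, beta)
    fps = defuzzify(agg)
    fp = fps_to_fp(fps)
    rate = math.inf if fp >= 1 else -math.log(1.0 - fp) / t_hours
    return {"aggregated": agg, "consensus": cc, "fps": fps, "fp": fp, "rate": rate}
```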

V. CONCLUSION
Reliability analysis of complex and dynamic systems such as cyber-physical systems is intricate. There are multiple stochastic and temporal dependencies that need to be taken into account, and not all existing stochastic formalisms are able to capture them. Moreover, the failure specification of some components, i.e., their failure rate, is difficult to obtain. Frequently, engineers have qualitative knowledge about the possible failure behavior, but with existing state-of-the-art methods this is not enough to quantify the system reliability.
In this context, this paper presents a novel uncertainty-aware dynamic reliability analysis approach. The approach enables the specification of failure data from expert judgement for components with unknown failure rates. Statistical, stochastic and temporal dependencies among events are treated in the analysis through Dynamic Fault Trees (DFT) and Generalized Stochastic Petri Nets (GSPN). Other approaches have addressed some of these issues in isolation; however, to the best of the authors' knowledge, not all of them have been covered in a single approach. Here this is achieved by combining DFT, GSPN, and fuzzy set theory.
The use of DFTs helped to model time-dependent failure behavior, dependency among events, redundancy in the system model, and priorities among events. Fuzzy set theory and expert judgment allowed us to collect uncertain failure data and to explicitly highlight the areas of uncertainty in the data. GSPN was used to take into account the statistical and stochastic dependencies among events, which helped to avoid inaccurate reliability estimates by performing the analysis under realistic assumptions.
The effectiveness of the approach was demonstrated by applying it to a benchmark case study. The results obtained are believed to be an improvement on, and more useful than, results derived with more traditional approaches, owing to the combined capabilities of the method.
The use of expert judgement in estimating the failure probabilities of BEs is not expected to be faultless, but it can contribute to usefully quantifying what was previously unquantifiable. Note that the current method only yields a constant failure rate (i.e., exponentially distributed failure times); to utilise the full potential of GSPN, it would be worthwhile to explore methods for obtaining the failure rate function of other distributions. The criticality analysis allows analysts to identify weak areas of the system early and to focus redesign efforts accordingly. The scalability of this approach to the analysis of large-scale systems is not yet determined; it could be the case that the GSPNs grow to sizes that make the computations very demanding. However, if such issues arise, modularisation techniques such as [68]-[71] may help to improve the scalability of the analysis.

FIGURE 3. Example of a PN.

FIGURE 4. Diagrams for a classical set (Boolean) and a fuzzy set [35].
The approach consists of four steps: Fault Tree Modeling, Petri Net Modeling, Failure Data Collection, and Reliability Quantification. Fault Tree Modeling deals with the creation of a DFT of the system under study. Petri Net Modeling and Failure Data Collection are executed in parallel: in the Petri Net Modeling step the DFT is mapped into a GSPN model, and in the Failure Data Collection step the failure rates of BEs with unknown data are collected. These data are then incorporated into the GSPN model. The final step is Reliability Quantification, where all the analyses are performed on the GSPN model. Detailed descriptions of the steps are provided in the following subsections.

FIGURE 5. Framework of the proposed uncertainty-aware approach.

FIGURE 17. System unreliability for different mission times.

TABLE 1. Score rating according to the expert's traits.

TABLE 3. Fuzzy numbers of conversion scale six.

TABLE 7. Experts' decisions on the unknown BEs (components).

TABLE 8. Aggregation calculations for BE.1.

TABLE 9. Defuzzification of the fuzzy numbers and the corresponding FP of each BE.