BLIPS-PA: a qualitative-physics-based method for fault causality and probabilistic analysis of novel designs

Abstract

Fault analysis at the early design stages of an engineering system is crucial for ensuring reliability and safety during operation. Given the limited information on system components and configurations available at this stage, such analysis heavily relies on historical data and expert knowledge. Traditional methods like Fault Tree, Bayesian networks, and Markov chains depend on manually established causality models for system failures. In complex systems with numerous components, creating these causality models becomes increasingly time-consuming and susceptible to human-error in identifying potential causal relationships. One of the major reasons for the modeling errors is that the causality models lack the support of physics. To address these limitations, this article introduces a novel approach for formally establishing causal relations between faults and system failures and calculating the probabilities of each cause. Even at conceptual design stage, the proposed method can automatically deduce all possible causes and fault propagation paths for each system failure corresponding to the physics modeled by the analyst. The entire approach is divided into two major steps: the first step identifies the system trajectories for a known condition using qualitative physics and symbolic AI, and the second step calculates the conditional probabilities of the causes outlined in the first step for a given initial condition. Knowledge about the probabilistically weighted causes of system failures allows designers to identify potential issues that have a relatively high likelihood of occurrence and severe consequences. The article demonstrates the method’s application by analyzing a simplified secondary loop of a nuclear power plant.

Introduction

The safe operation of systems with higher failure consequences is vital for the safety of the public and the environment. However, as modern engineering designs have become more complicated, consequently making safety verification and validation itself more complex. Furthermore, as rising demand requires faster time-to-market, these factors have led to constrained project completion schedules. An effective approach to address this situation is integration of safety in the earlier stages of design. System failure analysis early in the design process effectively reduces risk, maintains synergy between safety and system design, and provides economic advantages due to fewer design changes, fewer project delays, and lower validation time (Anderson, 2004; Frijters and Swuste, 2008; Lough et al., 2008; Miljkovic, 2011; Mutha et al., 2013; Mhenni et al., 2018; Park, 2020). Safety assessment is a crucial component of the design process for engineering systems that carry the potential for severe consequences, both in terms of financial impact and the safety of the public and the environment in the event of a failure. It is not difficult to envisage that even with the delineated safety specifications, analyzing a system design at an early design stage is a complicated task due to a lack of sufficient experience or historical data, especially when dealing with novel designs.

Hale et al. (2007) highlighted the need for improved methods that can effectively assist designers in addressing crucial concerns from both physical and behavioral perspective. Furthermore, Hale et al. noted that these methods should encourage designers to question their conventional design assumptions and choices. Considering that the design process typically follows a top-down approach centered around system goals, including operational and safety objectives, information about desired and undesired system states is available during the conceptual design stage (also referred to as the architectural design stage in some publications). Such information can be used to perform a safety analysis of the conceptual system design, and this leads us to the concept of achieving an early robust design by minimizing significant design errors. Therefore, we designed a method that incorporates the physics and behavior of a system. During the initial design phase, only high-level system design information is typically available, while detailed design specifications are lacking. While this information outlines functional and safety goals, it often lacks potential causes behind system failures. Therefore, when conducting safety analyses at a conceptual design stage, it is preferable to employ methods capable of handling partial system design information. This becomes crucial when the cause or effect of certain states of the system remains unknown.

Various methodologies have been developed to perform failure analysis, including mathematical system-model approaches, data-driven methods, and signal-based methods (Patton, 1994; Isermann, 2005; Ma and Jiang, 2011; Gao et al., 2015; Kan et al., 2018; Wen, 2018; Gangsar and Tiwari, 2020; Wang et al., 2021; Chen, 2022). Traditional mathematical system-modeling-based strategies require complete details of the design, and the simulation of these detailed models requires extensive computational resources. However, such details may be abstracted using behavioral modeling at the conceptual design stage for an early analysis. Data-driven approaches, such as artificial neural networks applied by Wen (2018) and Yao et al. (2024), particle swarm optimization by Huang et al. (2025), deep learning by (Deng et al., 2025; Li et al., 2025), necessitate a sufficiently large database and system training before fault identification and diagnosis, which are not available during the early design stage of novel systems. These limitations can be addressed by using the underlying physics of failure for the analysis, as utilized by Ge et al. (2021), Jata and Parthasarathy (2011), Modarres (2024), and Pecht and Gu (2009), which reduces the dependence on the operational data, and using a methodology for functional analysis (Reifman, 1997; Kurtoglu & Tumer, 2008; Tumer and Smidts, 2011) to assess the design at a higher level of abstraction. The use of behavioural models with a suitable level of abstraction for analyzing an early design alleviates the issue of solving the computationally taxing physics-based models using iterative numerical methods, as demonstrated by Mutha et al. (2013).

Fault analysis during the early design stage aids the designer in developing a robust early design and reduces the need for design modifications. However, during the conceptual design phase, a designer would be naturally interested in identifying the faults that may lead to a failure of interest. For instance, a safety analyst would be interested in identifying the conditions that may lead to a loss-of-coolant accident in a nuclear power plant. Therefore, an instinctive approach to the analysis would be to backtrack toward the system faults that may lead to the accident of interest, instead of inductively assessing each fault individually and then as combinations of multiple faults for their relevance to failure. Such an analysis would be a deductive analysis, that is, a backward propagation of failure to identify the possible system’s faulty states that may lead to a specific or a combination of consequences.

In view of the foregoing, a method for deductive analysis using Symbolic AI and Qualitative Physics was introduced in (Mansoor et al., 2021, 2023, 2024), which finds its application in many engineering domains, for example, nuclear, mechanical, aerospace, process, electrical/electronics, telecommunication, automotive, and so forth. Let us call it Backwards Logic Inferred Propagation for Safety Analysis (BLIPS). BLIPS generates all possible backward propagation paths or system trajectories encompassing the entire state-space satisfying the qualitative physics model, that is, states of system functions, modes of components, and states of physical variables of the system. Among the unique features of BLIPS, it is notable that the method formally proves or disproves the validity of inferred trajectories of the system, caters to the entire state-space, and uses qualitative physics for system modeling, which can also be applied to a conceptual design stage. Other physics-based methods rely on high-fidelity process simulators, for example, Hazard and Operability Study (HAZOP) with process simulation, dynamic Failure Mode and Effect Analysis (FMEA), and Probabilistic Risk Assessment (PRA); however, this method proves valid and invalid conditions over the entire variable space analytically. Moreover, symbolic inference can prove/disprove numerous system states in one pass, while innumerable simulations will be required to obtain the same conclusion using physics-based methods that use numerical methods.

BLIPS Probabilistic Augmentation (BLIPS -PA) is a valuable extension to BLIPS that quantifies the importance of each failure sequence relative to all other sequences identified for that failure. The augmentation is meant to show the impact of the controlled parameter(s) upon the given failure sequence in terms of varying normalized probability of a failure sequence as a function of the probability of the parameter(s). For instance, let us consider a noticeable failure, such as a car not starting. This failure can be attributed to various underlying causes, including a dead battery, blown fuses, corroded spark plugs, and so on. However, each case holds a different level of significance with respect to failure. From a designer’s perspective, it is crucial to conduct a study on how the likelihood of failure changes in response to the changes in the probability of each cause. Understanding this relationship is important to prioritize the factors contributing to failure and address them accordingly. While numerous methods exist to estimate such likelihood, they typically rely heavily on an expert knowledge base to construct models to determine causal relationships. However, such detailed information is often absent during the conceptual design stage, especially for novel designs. Hence, it is necessary to devise a method capable of capturing causality independently of operational history.

Collectively, BLIPS-PA allows the user to automate causal inference along with the associated likelihood with exhaustive state-space validation based on underlying physics. In this article, we introduce probabilistic augmentation (PA) of BLIPS, which includes:

1. i. approach for fuzzification of the logical rules for deductive inference,

2. ii. extension of the fuzzy-probability theory to support multiple fuzzy sets,

3. iii. derivation of an expression to compute the probability of a component mode when the state of a function is known,

4. iv. derivation of an expression to compute the probability of a component-mode when states of multiple functions are known, and

5. v. derivation of an expression to compute the probability for the state(s) of physical variables in a trajectory.

Section “Related Work” of this article discusses related work. Sections “Methodology” and “Demonstration of the method” present the formalization of PA, and an illustrative application, respectively. Section “Conclusion” provides the conclusion and nomenclature describing the symbols/acronyms used in the article is provided as Appendix A.

Related work

Among the deductive reasoning methods that deal with fault analysis and uncertainty (Kiureghian and Ditlevsen, 2009), Fault Tree Analysis (FTA) (Lee, 1985) is a notable method. FTA is a graphical deductive failure analysis technique that represents the logical relationships between events within the system and the top event (i.e., undesirable system event) as a logic relation. The logic relations are solved using Boolean algebra and quantified using probability theory. Rauzy (1993) uses binary decision diagrams to compute the probability of the top event when the probabilities of basic events are provided. By extending this approach, Khan and Abbasi (1999) developed a tool, PROFAT, that takes the probabilities of the basic events as probability distribution functions (PDFs) and uses Monte-Carlo (MC) to simulate the already found minimal cut sets for the probability of the top event. Khan and Abbasi (2000) proposed a new approach that employs fuzzified probabilities for basic events, represented using a trapezoidal shape instead of a PDF. Mbaye et al. (2025) proposed Computational Functional Hazard Assessment (CFHA) for novel aviation systems to enable improved designs based on operational data, behavioral modeling, and using computation for functional hazard analysis. Similarly, Dempere et al. (2017) suggested an inductive method called Time-Based Failure Flow Evaluator (TBFFE) for risk quantification by modeling time-dependent failure probabilities from external initiating events, using discrete time steps and functional modeling. It maps initiating events to functional failures with time-dependent probabilities. However, both CFHA and TBFFE lack formalism and are inclined toward incorporating the lessons learned from operational data.

Another widely used technique for probabilistic analysis and deduction includes Bayesian networks (BNs) and Markov chains (MC). BNs (Heckerman, 1998; Ben-Gal, 2008; Pearl, 2011; Yin et al., 2021) are often used to model complex systems with many variables to capture the causal relationship between them. BN combines graphical model techniques with probability theory. A Markov chain is an approach to model stochastic processes and predicts the sequence of their future states. It assumes that the current state of the process is only dependent upon the preceding state of the system – known as the Markov property. MC, in comparison to BNs, defines independence using a Markov blanket, which contains the minimum set of variables that need to be observed to establish independence (Ben-Gal, 2008). Markov networks are usually used for inductive probabilistic modeling rather than deductive reasoning. However, Yang and Aldemir (2016) introduced a backtracking algorithm for the Markov/cell-to-cell-mapping (CCMT) technique that estimates the probability of a system transitioning into a certain state from the given state. Later, Hejase (2018) introduced an efficient algorithm for Markov CCMT, which tracked the past states of a system using mathematical expressions that excluded the matrix inversion process.

The proposed method, BLIPS-PA, exhibits significant differences (Table 1) when compared to the existing methods for failure analysis. The major difference between BLIPS-PA and the said methods is the use of qualitative physics for system modeling, which enables an automatic determination of causal relationships among the system events using symbolic AI. The symbolic AI is implemented in BLIPS with a combination of Propositional Logic (PL) (Büning and Lettmann, 1999) and Satisfiability Modulo Theories (SMTs) (De Moura and Bjørner, 2011), and implemented using Microsoft Z3 (de Moura and Bjørner, 2008).

Table 1. A comparison of features for traditional fault analysis methods and BLIPS-PA

On the other hand, methods like FMEA, FTA, PRA, MCs, CFHA, TBFFE, and CCMT rely on experts to establish causal relationships between the events, which may lead to incomplete capture of the state-space due to human limitations. Furthermore, some of the methods discussed above lack formalism, whereas BLIPS leverages qualitative physics-based inference, which enables a formal analysis at the conceptual design stage without process simulations.

Several studies have been performed for fault detection and diagnosis using qualitative models (Venkatasubramanian et al., 2003). Moreover, several domain-specific qualitative physics-based fault diagnosis methods have been developed, such as the ones for electrical power systems (Echavarria et al., 2008; Jensen et al., 2009), autonomous underwater vehicles (Zhang et al., 2015), high-speed trains (Cheng et al., 2021), and kinematic robots (Liu * et al., 2005). Recently, Xia and Yamashita (2020) proposed a hybrid fault diagnosis method combining qualitative reasoning and data-driven techniques without using faulty datasets. Extended attributes derived from normal operating conditions are used to integrate these techniques. The simplified qualitative reasoning model facilitates the diagnosis by providing multiple reasoning routes for potential root causes. Hu et al. (2014) extended the first-principles theory to diagnose faults in dynamic and continuous systems. It proposes a qualitative fault diagnosis algorithm using the STanford Research Institute Problem Solver (STRIPS) (Fikes and Nilsson, 1971) technique to build a system model and diagnose multiple faults by reasoning from effects to causes.

To perform fault analysis at the early design stage, Gabbar (2007) proposes an improved framework for qualitative fault propagation analysis in chemical and petrochemical plants. It uses a robust modeling methodology to synthesize and assess all possible fault propagation scenarios corresponding to the system’s physics model, integrating real-time process data, simulation data, and human experience. Fault models link deviations with symptoms, faults, causes, and consequences. DeStefano and Jensen (2015) propose a qualitative, function-based failure analysis method for early design phases. The technique utilizes Simulink-based state machines to create abstract models of component performance states, facilitating the identification and propagation of faults in complex systems. The approach is demonstrated through a case study of a nanochannel DNA sequencing device. Stralen and Pimentel (2012) present a simulation framework for early design space exploration of multimedia multiprocessor system-on-chip systems. The framework integrates fault-tolerance patterns, such as active redundancy, and uses simulation to evaluate the trade-offs between performance, energy, cost, and reliability. The framework facilitates early decision-making by providing detailed metrics and a Pareto front of design options. Kurtoglu and Tumer (2008) and Tumer and Smidts (2011) proposed the functional failure identification and propagation (FFIP) framework that simulates fault propagation paths across different subsystems, identifying potential hazards and their combined impacts. The framework is demonstrated through a case study on a boiling water nuclear reactor. Sierla et al. (2012) applied the FFIP method for early risk assessment in the design phase of mechatronic systems. Kurtoglu et al. (2010) associate the FFIP analysis with the criticality of functional losses to enable trade-offs between competing conceptual system architectures. O’Halloran et al. (2012) present a methodology to integrate reliability analysis early in the design process by using function-flow failure rates. The methodology involves creating a functional model, reformatting it using a reliability block diagram (RBD) structure, gathering failure rate data, mitigating failure rates, and performing RBD calculations. Papakonstantinou et al. (2013) automated event tree generation by extending the FFIP framework, and proposed a metamodel to structure event trees for systematically analyzing failure scenarios. Jiao et al. (2021) proposed an improved FFIP method by introducing standardized mathematical expressions of logic, value, and time in FFIP analysis, and the use of SysML (Wolny et al., 2020) for FFIP modeling and improvement of state-machine diagrams. While these methods describe components’ behaviors using qualitative physics, they lack formal technologies for automatically inferring the causes of system failures and proceeding the analysis in a reverse direction, that is, failure to cause. This gap was addressed by BLIPS (Mansoor et al., 2021, 2023), a method that enabled deductive analysis, reversal of functional and behavioral rules (BRs), and automatic causal inference to generate failure trajectories. However, the matter of attaching importance/weights to the trajectories remains unresolved at this point. This article presents the method of PA to BLIPS for adding weights – BLIPS-PA.

Although probabilistic quantification has been utilized by other methods to attach weights to the inferred results. The inferred probabilities by BLIPS-PA are different in the sense that they are conceived. For instance, Markov chains and BNs use theoretical probability and conditional probability to model the dependencies, respectively. On the other hand, the result from a PRA and TBFFE provides a frequency of failure based on empirical data. The concept of relative frequency deals with performing the repeatable experiment over and over again to observe the ratio of favorable outcomes to the other outcomes, which is different from inferring the possibility of favorable outcomes, but it is limited due to the practical impossibility of performing an experiment an infinite number of times and having an experiment that can be claimed to be accurately repeatable. On the other hand, a priori theories introduced the idea of a degree of belief bereft of statistical evidence, similar to classical probability, which relies upon logical reasoning about the experiment to infer the objective probability. In contrast to objective probabilities, the concept of subjective probability refers to an individual’s degree of belief that can be quantified between 0 and 100%. Nevertheless, the dependence upon an individual can be reduced when the probability is updated upon the provision of statistical evidence – using Bayes theorem (Joyce, 2003; Koch, 2007). Brown (1993) extended the a priori theories by adding the concept of ideal (but not perfect) information and analysis. The epistemic uncertainty in prior probability can be reduced by diligent effort to acquire as much information as possible, known as ideal information. However, there will still be some uncertainty that cannot be settled, hence keeping the information from being perfect. Brown believed that as long as ideal information was collected, the result would be a good approximation of the true value of probability. Therefore, bolstered by statistical inference, the prior probability can be regarded as impersonal probability. The probability calculation in BLIPS-PA uses the impersonal prior probability of the events to estimate the conditional probability of a specific trajectory.

Methodology

Theoretical background

Fault causality analysis focuses on pinpointing potential causes of system failures. When a system is in operation, faults in its components can activate, resulting in error states. These error states may trigger faults in neighboring components or alter their conditions, allowing the original fault to propagate across the system. This propagation can ultimately shift the system from its normal state to a faulty one, leading to failure. The path that a fault follows as it spreads through the system is referred to as a fault trajectory. BLIPS-PA is designed to formally generate an exhaustive list of fault trajectories corresponding to the model of physics defined, and their probabilities of occurrence, considering factors such as functional states, component modes, and physical variables.

A generic representation of a trajectory is provided in Figure 1a. A trajectory comprises the initially known parameters and the inferred parameters. Referring to label-1 in the figure, the initial state of the system comprises the assumed/known states of the following types of parameters, individually or as a combination: states of functions, modes (states) of components, and states of physical variables. The state of a function is assumed to be “Operating,” “Failed,” or “Degraded,” and so forth – the system model defines the possible states for a function – as an initial condition by the user; usually, for safety analysis, safety-critical function(s) are assumed to be in a failed state. Similarly, the modes of certain components and the states of some physical variables can also be included in the initial condition, as deemed necessary by the user. Depending upon the initially available information, the modes of components are inferred based on known functional states and/or states of physical variables.

Figure 1. (a) The generic view of a trajectory. (b) The propagation view of a trajectory.

The relevant components (label-2) are the components directly associated with the functions whose functional states are known, and the components whose modes and/or states of physical variable(s) are known. The components connected to the relevant components are the adjacent components (label-3). The states of physical variables are inferred based on functional states, component modes, and other physical variables. When the states and modes of all physical variables and components, respectively, in a trajectory have been inferred based on the initial condition, this information allows us to infer the states of the functions whose states are unknown (label-4).

The trajectories include information about all abstraction levels, for instance, the functional level and component level pertinent to our discussion so far. Figure 1b shows an example of the propagation view of a trajectory obtained with multiple known functional states. The functions #1F and #NF are associated with two relevant components each, namely #1C and #3C for function #1F, and #2C and #NC for function #NF.

The mode of adjacent component #2C is inferred based on the relevant components #1C and #3C. The backward propagation through one node to the other considers the relationship of physical variables among the nodes that hold true for the given premises. It may be noted that the current version of the method does not support temporal analysis of system faults; when included in future versions, it will enable the method to reveal the evolution of system states over time.

In this article, we define a trajectory as a set of parameters of states of all the functions ( $ {s}_f^i $ ), modes of all components ( $ {m}_c^i $ ), and states of all physical variables ( $ {q}_t^i $ ), of the system under consideration. Let us write it in condensed notation as follows:

(1) $$ Trajector{y}^i=\left\{\bigcap \limits_{f\in F}{s}_f^i,\bigcap \limits_{c\in C}{m}_c^i,\bigcap \limits_{t\in T}{q}_t^i\right\} $$

In the equation, let “F,” “C,” and “T” represent the complete sets of functions, components, and interfaces, respectively. The subscripts “f,” “c,” and “t” act as indices for specific functions, components, and interfaces, respectively, within the system. The symbols “s,” “m,” and “q” denote the instantaneous state of function “f,” the current mode of component “c,” and the present state of physical variable “q,” respectively, while the superscript “i” indexes the current trajectory. The notation $ \bigcap (x) $ implies that if each element in set “x” is treated as a proposition, all propositions must hold true. For instance, in a system with two functions, “A” and “B,” each having two potential states (Operating or Lost), if $ {s}_A^i= operating $ and $ {s}_B^i= Lost $ , then $ {\bigcap \limits}_{f\in F}{s}_f^i $ indicates that, in trajectory “I,” the propositions “function A is operating” and “function B is lost” are both true simultaneously.

Some superscripts used later in the text are: observed (obs), controlled (con), relevant (rel), inferred (inf), adjacent (adj), input from outside the system (inp), and every element of that class (All).

An occurrence probability can be calculated based on formal inference for each trajectory based on observed functional states, $ {s}^{obs} $ , observed modes of components, $ {m}^{obs}, $ and observed states of physical variables, $ {q}^{obs} $ . Specifically, the probability for the component-level parameters in a trajectory (the abstraction levels in a trajectory are shown in Fig. 1b) is the joint probability of the components’ modes and the states of physical variables in that trajectory. Inference begins at the node(s) at which the states of physical variable(s) are known – referred to as starting terminal node. The last node inferred in the process of propagation, which does not contribute to further inference, is referred to as the ending terminal node. An example of the terminal nodes is shown in Figure 1b; the inference begins at components #1C and #3C based on modes of the components inferred from functions #1F and #3F. Further, component #NC does not contribute to a further inference; hence, it is the ending terminal node.

In a trajectory, the parameters from the lower level – component modes and states of physical variables – are an assertion of PL, that is, a probability of 1. To investigate the influence of the individual parameters on the overall likelihood of the trajectory, it is essential to treat the parameters’ probabilities as variables. These probabilities can be represented as either a point probability or an interval of probabilities. To compute the probability at the component level of the trajectory, it is necessary to identify the controlled parameters and the observable parameters. The controlled parameters are the parameters whose impact is being studied on the probability of the overall trajectory. These parameters can be states of variable(s) and/or mode(s) of component(s). To derive the expression for probability, which will be conditional probability, some parameters serve as conditions and will be assigned a probability of 1 because they are observable parameters. The term “observable” implies that the state of these parameters can be observed or measured, ensuring certainty of their state. Here onwards, the physical variables (flow rate, temperature, etc.) that are declared as observable parameters are called observed-variables. Similarly, the modes are called observed-modes; and both the modes and physical variables that can be observed, together, are referred to as observed-modes-variables of the trajectory.

Figure 2a shows an example of observed-mode, the mode of component#1 is declared as an observable parameter; hence, the states of physical variables at the output and the input of the component are inferred based on the observed-mode, and the parameters of component#2 are inferred from component#1. Figure 2b shows an example of an observed-variable, the valid modes of component#1 are inferred from the states of physical variables at the output of the component, and the states of physical variables at the input of the component are inferred from the mode of the component, given the states of physical variables at the output.

Figure 2. Examples of observed parameters of a trajectory at the component level: (a) observed-mode, (b) observed-variables, (c) observed-modes and variables (example1), and (d) observed-modes-variables (example2).

Figure 2c,d are examples of observed parameters (OPs) comprising both observed-mode and observed-variable. In the first example, states of physical variables at the input of component#1 are inferred from the mode of the component and states of physical variables at the output of the component. Subsequently, the parameters of component#2 are inferred from the states of physical variables at the input of component#1. For the second example, the OPs are states of physical variables at the output of component#1 and the mode of component#2. In this case, the inference is bi-directional: the valid states of physical variables at the input of component#1 – which are the same as the states of physical variables at the output of component#2 – are inferred based on known parameters of component#1 and #2. For component#2, input variables are inferred based on the mode of component#2 and the inferred states of physical variables at the output of component#2.

The concept of evidence-based-independence is used to calculate probability at the component level. This concept stems from the fact that inference of the parameters of a component is dependent on the parameters associated with the components (i.e., states of physical variables and mode), and on the states of the physical variables of the neighboring component that are common between the two components (where states of these common variables are established truth, and they dictate the inference for the next component). Therefore, the inferred parameters of a component can be considered independent from the parameters of the neighboring components, other than the common parameters between the component under consideration and the immediate neighboring component(s). For example, if the mode of a Tank is inferred from a physical variable, such as output flow of the tank, whereas it has already been established that the flow is higher than zero based on the information from a neighboring component that has an interface with the Tank. In this situation, the mode of the Tank is limited to either Nominal or Overflow, but cannot be Dryout.

BLIPS-PA calculates the conditional probability of a trajectory, given OPs whose states/modes are known to us as an initial condition. The OPs include states of observed functions ( $ {s}^{\mathrm{obs}} $ ), modes of observed components ( $ {m}^{\mathrm{obs}} $ ), states of observed physical variables ( $ {q}^{\mathrm{obs}} $ ), or any combination of these parameters, that is,

(2) $$ Observed\ parameters=\mathrm{OP}=\left\{{s}^{\mathrm{obs}},{\mathrm{m}}^{\mathrm{obs}},{\mathrm{q}}^{\mathrm{obs}}\right\} $$

Similarly, the controlled parameters can be written as,

(2-a) $$ Controlled\ parameters=\mathrm{CP}=\left\{{s}^{\mathrm{con}},{\mathrm{m}}^{\mathrm{con}},{\mathrm{q}}^{\mathrm{con}}\right\} $$

Recall that a relevant component is a component for which some sort of information is observable, that is, either its mode, state of associated function, or state of associated physical variables, which can be used to infer other associated information. The parameters inferred for relevant components can be written as.

(3) $$ \begin{array}{c} Inferred\ parameters\ for\ relevant\ components=\mathrm{IPRC}\\ {}=\left\{{s}^{\mathrm{inf}},{\mathrm{m}}^{\mathrm{inf}},{\mathrm{q}}^{\mathrm{inf}}\right\}\end{array} $$

So, the probability of a trajectory would be:

(4) $$ P(Trajectory)=P\left( CP\hskip0.35em \cap \hskip0.35em IPRC\;|\; OP\right)\hskip0.24em $$

Overview of the methodology

BLIPS-PA provides all the possible causes that may lead to the system’s condition being analyzed, typically, a failure state. However, in order to make effective decisions about the design changes, information about the relative importance of the trajectories is vital because the occurrence of all the causes is not equally likely. Therefore, the probabilistic information empowers designers to make decisions using a graded approach, that is, enhancing the system’s reliability by allocating resources more effectively to address issues that are highly likely to occur. BLIPS-PA consists of two essential methods, including the BLIPS and its PA.

BLIPS-PA is engineered to formally produce a complete set of fault trajectories aligned with the specified physics model, determining their likelihood of occurrence by evaluating functional states, component behaviors, and physical parameters. As shown in Figure 3a, BLIPS utilizes the system model of the Integrated System Failure Analysis (ISFA) to conduct backward logic inference.

Figure 3. (a) Overview of BLIPS, (b) assessment of probability for component modes given functional state, and (c) probability calculation at the component level.

ISFA (Mutha et al., 2013) is an inductive method for fault analysis that propagates a fault through the system based on the rules defined using qualitative physics. ISFA is particularly effective for diagnostics, with published applications for sensor deployment (Li et al., 2022), failure diagnosis (Li et al., 2016), online monitoring system development (Diao et al., 2018), ontology-based analysis for safety-critical computer systems (Diao et al., 2022), risk analysis of functional failure (Wang et al., 2021), and so forth.

The ISFA model comprises Behavioral Rules (BRs), the Functional Failure Logics (FFLs), and the system configuration. BRs map the modes of the components onto physical variables, and FFLs are IF-THEN-based rules that map the state of system functions onto the modes of components. BLIPS converts these rules into mathematical notation using Propositional Logic (PL), BRs and FFLs for a Tank (in PL syntax) are shown in Table 2. The system configuration refers to the structure of a system, for example, SLDs for electrical systems, P&IDs for mechanical systems, and so forth. The output of ISFA includes the fault propagation paths and the final states of the functions, modes of the components, and the state of the physical variables.

Table 2. Reversed and traditional FFL/BRs for Tank using propositional logic semantics (Mansoor et al., 2023) (iT: input of tank; L: Level; LTH: lower threshold; oT: output of tank; Q: flowrate; UTH: upper threshold)

BLIPS leverages the logical rules (BRs and FFLs) used in ISFA for deductive failure analysis. A brief label-wise overview, Figure 3a, of BLIPS is as follows:

1. 1. First (Label-1 in the figure), the rules are translated into PL (Büning and Lettmann, 1999) syntax for mathematical manipulation. The framework employs ISFA’s FFLs and BRs, but in a reversed manner. The premises for the derivation comprise FFL and BRs in PL syntax and a set of system constraints. The constraints cater to the logical and physical limitations of the system. For example, flows and levels cannot be less than zero, component modes are exclusive, and so forth. In order to derive the reversed rules, the ISFA rules are initially translated into PL syntax. This translation is intended to enable mathematical manipulation for the derivation of the reversed rules.

2. 2. Second (Label-2), the translated rules are reversed for the deductive analysis. The derivation of the reversed rules is carried out using PL’s laws of inference. The reversed rules are derived using the PL laws of inference, while the FFL, BRs, and Constraints serve as the premises for the proof. The reversed rules are called reversed FFL (RFFL) and reversed BRs (RBRs). An example of the reversed rules is shown in Table 2. At this point, the updated system model comprises RFFLs, RBRs, Constraints, and System configuration. The RFFL and RBRs are proved using SMTs (De Moura and Bjørner, 2011) based on the given premises. This process allows us to obtain an updated model of the system that comprises the reversed rules, constraints, and system configuration.

3. 3. Third (Label-3), an assumed initial state of the system is traversed backward to logically infer the states of unknown parameters of the system using the updated system model. Typically, an initial condition is a state of a function. However, it may also be modes of component(s) and/or state of physical variables, or a combination of all three elements. The deductive or backward trajectories are determined by setting an initial condition, which represents the condition of the system to be studied. This initial condition can include functional states, component modes, states of physical variables, or a combination of these parameters. The assumed condition is then propagated through the system based on causal inference. At each node of the propagation, valid system parameters (functional states, component modes, and states of physical variables) are inferred by the engine of logic inference, which is based upon the system’s functional and behavioral model governed by the physics of the system and the laws of PL to formally prove or disprove the conclusion utilizing the SMT solver. The inference engine works based on an updated system model, which includes RFFLs, RBRs, and Constraints. The outcome of the process is an exhaustive set of trajectories, where each trajectory is unique.

The Probabilistic Augmentation (PA) is detailed in the following text. Figure 3b,c show the steps for PA and the two sub-methods are linked to Figure 3a with the connectors PA1 and PA2.

The objective of PA is to devise a methodology for determining the probability of a fault trajectory given the state of system functions. This is a conditional probability of a specific set of component modes when a functional state is known. This conditional probability is calculated by the fuzzified RFFL. The process of finding the component modes’ probabilities given a functional state is explained in Figure 3b:

1. 1. First, a fuzzification of RFFLs from the updated system model is performed. The RFFLs are obtained from the updated system model for BLIPS (connector PA1); the RFFLs are the fuzzy sets. The members of a fuzzy set are the sub-RFFLs; sub-RFFLs are extracted from RFFLs and have a degree of membership toward the RFFL (details on fuzzification are provided in Section “Fuzzification of RFFL”). The applicable fuzzy RFFL is utilized to compute the probability of a component mode given a functional state. The calculation requires the values of the membership functions, as well as a prior probability for the sub-RFFLs.

2. 2. Second, it can be envisioned that even the simplest of systems is expected to have more than one RFFL. An expression for probability is derived (details in Section “Normalized Probability for Members of Fuzzy Sets”) that caters to the existence of multiple fuzzy sets. The probability obtained using the expression gives the probability of a component mode given a functional state. However, if a component is associated with multiple functions, the conditional probability of the component mode given states of those functions becomes a special case due to the dependence of the functions on each other.

3. 3. An expression for the conditional probability of the component mode given multiple functional states is derived in Section “Probability of the component mode given multiple relevant functional states” . The derived expression is a function of the probabilities obtained in step 2, known functional states, and the prior probabilities of component modes.

4. 4. Since all trajectories satisfy the initial condition of the system, the probability for each trajectory is normalized with respect to all other trajectories to obtain a numerical value that is easy to comprehend and represents the relative importance of the trajectory. As shown in Figure 3c, the expression for conditional probability (Section “Probability calculation at the component level”) is developed using the trajectories obtained from the deductive analysis. The computation is carried out by setting the probabilities of the observable parameters to “1” and user-defined probabilities for the controlled parameters. The result of this exercise is a multidimensional relationship between the probability of the trajectory and the controlled parameters.

As discussed in the preceding sections, inference unfolds in a dual-stage manner: it first descends from a higher level of abstraction to a lower level, and subsequently sweeps across the lower level, where the available information consists of OPs at the lower level and inferred parameters of the relevant components. That makes two special scenarios for the conditional probability:

1. a. Probability of OP in Eq. (2) at a higher level of abstraction, having a fuzzy association with a CP in Eq. (2-a) at the lower level.

2. b. Probability of CP at the lower level with known OP or inferred parameters for relevant component (IPRC in Eq. (3)) at the lower level.

Therefore, first, we will formalize the relationship between OP at a higher level of abstraction and an IPRC at a lower level of abstraction. Afterward, the calculus for probability $ P\left( IPRC\;\right|\; OP\Big) $ of the fuzzified sets is derived. Lastly, the calculus for the probability $ P\left( CP\cap IPRC\;|\; OP\right) $ at the lower level is formalized.

Formalization

Fuzzification of RFFL

It may be noted that the method allows us to introduce multiple levels of abstraction during system modeling, and that maintaining exclusivity becomes challenging when modeling the relationships between higher-level functions and lower-level components, particularly when the model is employed for deductive analysis. It is possible that one component mode may appear in different RFFLs; therefore, it is necessary to deal with this imprecision. For instance, the mode “Dryout” of the component “Tank” is related to the “Lost” and the “Operating” states of the function “Store Fluid,” which means that the same mode of a component may be valid for different functional states. Moreover, the degree to which a specific component mode is associated with different functional states cannot be defined precisely. Zadeh (1988) proposed treating such uncertainty with fuzzy logic, a logic that allows imprecise reasoning. Fuzzy logic is a multivalued logic that expresses the truth as a degree of membership instead of either true or false.

Furthermore, Zadeh (1995) suggested that probability theory should be used in concert with fuzzy set theory to model vagueness and uncertainty in the same problem. Therefore, we would follow this approach to cater for epistemic uncertainty, that is, the degree to which a component mode holds a membership toward a functional state is dependent upon the analyst’s subjective interpretation. However, the process of probability calculation requires the integration of fuzzy set theory and probability theory. In that regard, Singpurwalla and Booker (2004) reasoned that Fuzzy sets could be incorporated within the framework of probability theory using the fuzzy membership function and the prior probability assigned by the analyst to the outcome belonging to the fuzzy set.

To utilize the existing understanding from the previous sections, let us consider the component Tank has two functions, “Store fluid” and “Supply fluid,” and Tank’s modes “Dryout,” “Nominal,” and “Overflow.” The function Store Fluid refers to the ability of the Tank to hold all incoming Fluid, and the function Supply Fluid refers to the ability of the Tank to provide flow at the output. The “Nominal” mode strictly refers to the condition when the water level in the tank is between upper and lower thresholds, and input and output flows are equal. The “Overflow” mode strictly refers to the situation when the water level exceeds the upper threshold. The mode “Dryout” strictly refers to the condition when the water level is below the lower threshold; it does not imply any information (degraded or normal) about the ability of the tank to hold water. It is interesting to observe that the tank can be in Dryout mode in both scenarios, that is, when the function Store fluid is operating and when the function is lost. This points out the fact that the relationship between function(s) and component mode(s) may not be one-to-one, that is, the fuzzy nature of RFFL. It is reiterated that each RFFL relates a state of a function to the modes of a component. The inference made from an RFFL provides the mode of a component. This inference has a fuzzy nature, as the same resulting mode can be obtained from two different inferences. So, the degree of membership of modes of a component needs to be defined, and this is achieved by fuzzifying the RFFLs. This aspect is captured by fuzzy RFFLs.

The fuzzification of RFFL is accomplished by utilizing a membership function, a function that represents an expert’s opinion. The expert’s opinion may be based upon operational experience, feedback from similar systems, design specifications, standards, regulatory requirements, and so forth. For instance, Figure 4 displays the membership function for the system function “Store Fluid” performed by the component “Tank.” It depicts that the mode “Dryout” has a membership of 70% and 30% toward the Store Fluid’s states Lost and Operating, respectively.

Figure 4. Membership functions for the Functions associated with the component ‘Tank’

The modes of a component are mutually exclusive and exhaustive, which means that a component can only assume a single mode out of the combination outlined in the RFFL for a given functional state. Therefore, one RFFL can be seen as a fuzzy set of multiple logic statements – these statements are referred to as sub-RFFL in Table 3 – mapping a state of a function onto a mode of a component. These sub-RFFLs of an RFFL are mutually exclusive from each other, and they are members of the fuzzy sets. A fuzzy set is denoted by adding the accent, “~,” on the set’s name. For instance, $ \overset{\sim }{\boldsymbol{RFFL}}\left({s}_f^i\right) $ , refers to the fuzzy set of RFFL of the function “ $ f $ ,” whose state is observed “ $ {s}^{obs} $ .” For ease of representation and readability, let us utilize the superscript “i” to show the instantaneous functional states, component modes, and states of physical variables. For example, the Tank has four fuzzy sets for the two functions, that is, $ \overset{\sim }{\boldsymbol{RFFL}}\left({s}_{StoreFluid}^{Operating}\right) $ , $ \overset{\sim }{\boldsymbol{RFFL}}\left({s}_{StoreFluid}^{Lost}\right) $ , $ \overset{\sim }{\boldsymbol{RFFL}}\left({s}_{SupplyFluid}^{Operating}\right) $ , and $ \overset{\sim }{\boldsymbol{RFFL}}\left({s}_{SupplyFluid}^{Lost}\right) $ . Mathematically,

(5) $$ \overset{\sim }{\boldsymbol{RFFL}}\left({s}_f^i\right)=\left\{\begin{array}{c}\left( su{b}_1 RFFL\left({s}_f^i\right),{\mu}_{\overset{\sim }{\boldsymbol{RFFL}}}\left( su{b}_1 RFFL\right)\right),\\ {}\left( su{b}_2 RFFL\left({s}_f^i\right),{\mu}_{\overset{\sim }{\boldsymbol{RFFL}}}\left( su{b}_2 RFFL\right)\right),\\ {}\dots \dots, \left( su{b}_B RFFL\left({s}_f^i\right),{\mu}_{\overset{\sim }{\boldsymbol{RFFL}}}\left( su{b}_B RFFL\right)\right)\end{array}\right\} $$

where “B” is the total number of sub-RFFLs for the given RFFL, $ {\mu}_{\overset{\sim }{\boldsymbol{RFFL}}}\left( su{b}_b RFFL\right) $ is the membership function of “ $ su{b}_b RFFL\left({s}_f^i\right) $ ” toward the fuzzy set $ \overset{\sim }{\boldsymbol{RFFL}}\left({s}_f^i\right) $ , where “b” is the index of sub-RFFL, for example:

$$ \begin{array}{c}\overset{\sim }{\boldsymbol{RFFL}}\left({s}_{StoreFluid}^{Lost}\right)=\\ {}\left\{\left( su{b}_1 RFFL\left({s}_{StoreFluid}^{Lost}\right),1\right),\left( su{b}_2 RFFL\left({s}_{StoreFluid}^{Lost}\right),0.7\right)\right\},\end{array} $$

where,

$$ {\displaystyle \begin{array}{c} su{b}_1 RFFL\left({s}_{StoreFluid}^{Lost}\right)=\\ {}\left\{ State\left( StoreFluid(tank):= L\right)\right\}\to \left\{\left[ Mode(tank):= Overflow\right]\right\}\\ {} su{b}_2 RFFL\left({s}_{StoreFluid}^{Lost}\right)=\\ {}\left\{ State\left( StoreFluid(tank):= L\right)\right\}\to \left\{\left[ Mode(tank):= Dryout\right]\right\}\end{array}} $$

Table 3. Sub-RFFLs for the component Tank

Normalized probability for members of fuzzy sets

After defining the RFFL as a fuzzy set, the subsequent step involves formulating an expression to calculate the conditional probability, $ P\left( IPRC\;|\; OP\right) $ , of transitioning from a higher level of abstraction (functional state) to a lower level (component mode) within the inference process. The IPRC, which corresponds to the sub-RFFLs (members) of the fuzzy set (RFFL), holds true based on the known membership functions of these sub-RFFLs with respect to the RFFL. Additionally, the OP represents the known state of a function.

Singpurwalla and Booker (2004) developed the expression for the probability, $ P\left(x\in \overset{\sim }{\boldsymbol{A}};{\mu}_{\overset{\sim }{\boldsymbol{A}}}(x)\right) $ , of an outcome of an experiment “ $ x $ ” belonging to the fuzzy set “ $ \overset{\sim }{\boldsymbol{A}} $ ,” given the membership function “ $ {\mu}_{\overset{\sim }{\boldsymbol{A}}}(x) $ ,” which represents the outcome’s degree of membership toward the fuzzy set. Singpurwalla’s expression for probability maps to our problem as follows:

(6) $$ P\left(x\in \overset{\sim }{\boldsymbol{A}};{\mu}_{\overset{\sim }{\boldsymbol{A}}}(x)\right)\equiv P\left( su{b}_b RFFL\left({s}_f^i\right)\in \overset{\sim }{\boldsymbol{RFFL}}\left({s}_f^i\right);{\mu}_{\overset{\sim }{\boldsymbol{RFFL}}}\left( su{b}_b RFFL\right)\right) $$

Equation (6) represents the probability of the inferred component mode from a sub-RFFL – when sub-RFFL’s membership is provided – being the valid mode for the RFFL of the given functional state. It is worth noting that this probability is based on the likelihood (membership) of a sub-RFFL belonging to a fuzzy set; therefore, the sum of the probabilities for all the cases does not necessarily add to “1.” In order to make the information more intuitive, Singpurwalla’s expression for normalized probability is adopted. To use the fuzzified RFFLs in the framework of probability theory, we refer to equation 09 of Singpurwalla and Booker (2004), which presents the probability of “ $ x $ ” belonging to the fuzzy set “ $ \overset{\sim }{\boldsymbol{A}} $ ”:

(7) $$ \begin{array}{c}P\left(x\in \overset{\sim }{\boldsymbol{A}};{\mu}_{\overset{\sim }{\boldsymbol{A}}}(x)\right)=\\ {}\left[\;\frac{L\left(x\in \overset{\sim }{\boldsymbol{A}},{\mu}_{\overset{\sim }{\boldsymbol{A}}}(x)\right)P\left(x\in \overset{\sim }{\boldsymbol{A}}\right)\;}{L\left(x\in \overset{\sim }{\boldsymbol{A}},{\mu}_{\overset{\sim }{\boldsymbol{A}}}(x)\right)P\left(x\in \overset{\sim }{\boldsymbol{A}}\right)+L\left(x\notin \overset{\sim }{\boldsymbol{A}},{\mu}_{\overset{\sim }{\boldsymbol{A}}}(x)\right)P\left(x\notin \overset{\sim }{\boldsymbol{A}}\right)}\;\right]\end{array} $$

On the right hand side, “ L()” stands for likelihood, “ P()” stands for prior probability, and “ $ {\mu}_{\overset{\sim }{\boldsymbol{A}}}(x) $ ” is the degree of membership of “ $ x $ ’ toward “ $ \overset{\sim }{\boldsymbol{A}} $ .” On the left-hand side, “ P(;)” stands for the probability of a member belonging to a fuzzy set given the membership function. For the problem under consideration, “ $ x $ ’ represents a sub-RFFL and “ $ \overset{\sim }{\boldsymbol{A}} $ ” corresponds to the fuzzy RFFL set.

Multiple fuzzy RFFL sets are highly likely to exist, for example, $ \overset{\sim }{\boldsymbol{RFFL}}\left({s}_{StoreFluid}^{Lost}\right)\; and\;\overset{\sim }{\boldsymbol{RFFL}}\left({s}_{StoreFluid}^{Operating}\right) $ are two out of the four fuzzy sets for Tank in the example being discussed. Hence, we derive Eq. (8) from Eq. (7) to cater for multiple RFFLs, that is, multiple fuzzy sets. By using, $ \boldsymbol{P}\left(x\notin \overset{\sim }{\boldsymbol{A}}\right)=1-\boldsymbol{P}\left(x\mathbf{\in}\overset{\sim }{\boldsymbol{A}}\right),\boldsymbol{L}\left(x\mathbf{\in}\overset{\sim }{\boldsymbol{A}},{\mu}_{\overset{\sim }{\boldsymbol{A}}}(x)\right)={\mu}_{\overset{\sim }{\boldsymbol{A}}}(x), and\;\boldsymbol{L}\left(x\notin \overset{\sim }{\boldsymbol{A}},{\mu}_{\overset{\sim }{\boldsymbol{A}}}(x)\right)=1-{\mu}_{\overset{\sim }{\boldsymbol{A}}}(x) $ (Singpurwalla and Booker, 2004), we obtain the normalized probability:

(8) $$ P\left(x\in \overset{\sim }{\boldsymbol{A}};{\mu}_{\overset{\sim }{\boldsymbol{A}}}(x)\right)=\left[\left(\frac{\mu_{\overset{\sim }{\boldsymbol{A}}}(x)\;P\left(x\in \overset{\sim }{\boldsymbol{A}}\right)}{{\sum \limits}_{\overset{\sim }{\boldsymbol{p}}}\hskip0.35em {\mu}_{\overset{\sim }{\boldsymbol{p}}}(x)P\left(x\in \overset{\sim }{\boldsymbol{p}}\right)}\right){\left({\sum \limits}_{b^{\prime }}\frac{\mu_{\overset{\sim }{\boldsymbol{A}}}\left({b}^{\prime}\right)\;P\left({b}^{\prime}\in \overset{\sim }{\boldsymbol{A}}\right)}{{\sum \limits}_{\overset{\sim }{{\boldsymbol{p}}^{\prime }}}{\mu}_{\overset{\sim }{{\boldsymbol{p}}^{\prime }}}\left({b}^{\prime}\right)P\left({b}^{\prime}\in \overset{\sim }{\boldsymbol{p}\prime}\right)}\right)}^{-1}\;\right] $$

where $ \overset{\sim }{\boldsymbol{p}} $ and $ \overset{\sim }{\boldsymbol{p}^{\prime }} $ are the indices of fuzzy sets (it is noteworthy that these indices cover all the fuzzy sets of a function), and b’ is the index of members of the sets. Moreover, as discussed earlier, “ $ x $ ” represents a sub-RFFL and “ $ \overset{\sim }{\boldsymbol{A}} $ ” corresponds to the fuzzy RFFL set. Rewriting the equation according to the notation pertinent to the subject of this research:

(9) $$ {\displaystyle \begin{array}{c}P\left( su{b}_b RFFL\left({s}_f^i\right)\in \overset{\sim }{\boldsymbol{RFFL}}\left({s}_f^i\right);{\mu}_{\overset{\sim }{\boldsymbol{RFFL}}}\left( su{b}_b RFFL\right)\right)=\\ {}\left(\frac{\mu_{\overset{\sim }{\boldsymbol{RFFL}}}\left( su{b}_b RFFL\right)\;P\left( su{b}_b RFFL\left({s}_f^i\right)\in \overset{\sim }{\boldsymbol{RFFL}}\left({s}_f^i\right)\right)}{{\sum \limits}_{\overset{\sim }{\boldsymbol{p}}\;}\ {\mu}_{\hskip0.15em }\left( su{b}_b RFFL\right)P\left( su{b}_b RFFL\in \overset{\sim }{\boldsymbol{p}}\right)}\right)\\ {}\;{\left({\sum \limits}_{b^{\prime }}\frac{\mu_{\overset{\sim }{\boldsymbol{RFFL}}}\left( su{b}_{b^{\prime }} RFFL\right)\;P\left( su{b}_{b^{\prime }} RFFL\left({s}_f^i\right)\in \overset{\sim }{\boldsymbol{RFFL}}\left({s}_f^i\right)\right)}{{\sum \limits}_{\overset{\sim }{{\boldsymbol{p}}^{\prime }}\;}{\mu}_{\overset{\sim }{{\boldsymbol{p}}^{\prime }}}\left( su{b}_{b^{\prime }} RFFL\right)P\left( su{b}_{b^{\prime }} RFFL\in \overset{\sim }{{\boldsymbol{p}}^{\prime }}\right)}\right)}^{-\mathbf{1}}\end{array}} $$

For instance, consider that the state of the Tank’s function “Store Fluid” is “Lost,” then using the membership from Figure 4 and a uniform distribution for the prior probabilities for modes of the tank, the expression for the probability of the mode of the Tank being “Dryout” using Eq. (9) is:

(10) $$ P\left(\begin{array}{c}\left\{ State\left( StoreFluid(tank):= L\right)\right\}\to \left\{\left[ Mode(tank):= Dryout\right]\right\}\in \overset{\sim }{\boldsymbol{RFFL}}\left({s}_{StoreFluid}^{Lost}\right)\\ {};{\mu}_{\overset{\sim }{\boldsymbol{RFFL}}}\left(\left\{ State\left( StoreFluid(tank):= L\right)\right\}\to \left\{\left[ Mode(tank):= Dryout\right]\right\}\right)\end{array}\right)=0.4118 $$

The implication connective of the PL, represented by the $ \to $ symbol, means that if the proposition on the left side is true, the proposition on the right-hand side has to be true. Further, a sub-RFFL, which is a propositional statement that implies a mode of a component from a functional state, being a member of a fuzzy RFFL – that is, $ su{b}_b RFFL\left({s}_f^i\right)\in \overset{\sim }{\boldsymbol{RFFL}}\left({s}_f^i\right) $ — means that the component mode is a member of a fuzzy RFFL, given that the proposition about the functional state is true. Therefore, the left-hand side of Eq. (9), while the state of the function and the degree of membership for the mode of component toward the state of function are known, can be seen as:

(10-a) $$ \begin{array}{c}\boldsymbol{P}\left( su{b}_b RFFL\left({s}_f^i\right)\in \overset{\sim }{\boldsymbol{RFFL}}\left({s}_f^i\right);{\mu}_{\overset{\sim }{\boldsymbol{RFFL}}}\left( su{b}_b RFFL\right)\right)=\\ {}\boldsymbol{P}\left( Mode(component)\;|\; State(function)\right)\end{array} $$

So, the left-hand side of Eq. (10) is:

(10-b) $$ \boldsymbol{P}\left(\left\{\left[ Mode(tank):= Dryout\right]\right\}|\;\left\{ State\left( StoreFluid(tank):= L\right)\right\}\;\right)=0.4118 $$

It may be noted that the sub-RFFLs are propositions, where the mode(s) of a component are implied by the state of a function, that is, if the proposition defining the state of the function is true, then the implied mode(s) must hold true. Therefore, the probability of inference from a sub-RFFL is the conditional probability of the mode(s) of components given the state of a function. The normalized conditional probabilities for the modes of the component “Tank” given the functional states of “Store Fluid (StF)” and “Supply Fluid” being either “Operating (O)” or “Lost (L)” – along with the degree of membership(s) and prior probabilities – are presented in Table 4. The Table has four sections – for each state of the two functions – presenting the normalized conditional probabilities [using Eq. (9)] for each mode of the tank given a functional state. It is assumed that “ $ x $ ,” which represents the sub-RFFL, is equally likely to belong to both states of a function.

Table 4. Conditional probabilities of the modes of “Tank” given the functional state(s) (DO: dryout; NOM: nominal; OF: overflow; Oper: operating; SpF: supply fluid; StF: store fluid)

Indices of Eq. (9) for the functional state Store Fluid Lost: $ f $ = Store Fluid; $ {s}_f^i $ = Lost, Operating; $ b $ = DO, OF; b՛= DO, NOM, OF; $ p=\overset{\sim }{\boldsymbol{RFFL}}\left({s}_{StoreFluid}^{Lost}\right) $ _, $ \overset{\sim }{\boldsymbol{RFFL}}\left({s}_{StoreFluid}^{Operating}\right) $ ; p՛ $ =\overset{\sim }{\boldsymbol{RFFL}}\left({s}_{StoreFluid}^{Lost}\right) $ _, $ \overset{\sim }{\boldsymbol{RFFL}}\left({s}_{StoreFluid}^{Operating}\right) $ .

Probability of the component mode given multiple relevant functional states

In Section “Normalized Probability for Members of Fuzzy Sets” , an expression has been developed to calculate the probability of a component mode given a functional state. However, it is conceivable that “OP” in the conditional probability expression $ P\left( IPRC\;|\; OP\right) $ can represent states of more than one function associated with a relevant component. To address the interdependence of functions associated with a component, we need to formulate the probability of a component mode given multiple relevant functional states. Consequently, we derive the expression for the conditional probability $ P\left({m}^{inf}\;|\bigcap {s}^{obs}\right) $ of a component mode (IPRC) given the states of relevant functions (OP) by utilizing Bayes’ theorem (Joyce, 2003), and assuming that the functional states are conditionally independent of each other given the mode of the component, that is, $ \boldsymbol{P}\left({\bigcap \limits}_{obs erved\ functions}{s}^{obs}\;|\;{m}^{inf}\right)={\prod \limits}_{obs erved\ functions}\boldsymbol{P}\left({s}^{obs}|\;{m}^{inf}\right) $ , we obtain the normalized probability of a component mode given the states of functions:

(11) $$ \begin{array}{c}\boldsymbol{P}\left({m}^{inf}\;|\bigcap {s}^{obs}\right)=\\ {}\frac{\left({\prod \limits}_{obs erved\ functional\ states}\left[\;\frac{\boldsymbol{P}\left({m}^{inf}\;|\;{\mathrm{s}}^{\mathrm{obs}}\right)}{\boldsymbol{P}\left({m}^{inf}\right)}\;\right]\right)\;\boldsymbol{P}\left({m}^{inf}\;\right)}{{\sum \limits}_{modes\ of\ the\ component\;}\left(\left({\prod \limits}_{obs erved\ functions}\left[\;\frac{\boldsymbol{P}\left({m}^{inf}\;|\;{\mathrm{s}}^{\mathrm{obs}}\right)}{\boldsymbol{P}\left({m}^{inf}\right)}\;\right]\right)\;\boldsymbol{P}\left({m}^{inf}\;\right)\right)}\end{array} $$

It is noteworthy that the probabilities for the modes of components in Eq. (11) are the prior probabilities. These probabilities serve as design constraints outlined by the designer based on regulatory requirements, backup systems, the role of the system/subsystem in the integrated environment, and so forth.

For example, let us compute the conditional probability of the modes of the Tank when states of relevant functions, Store-Fluid and Supply-Fluid, are known. The normalized conditional probabilities for the Tank modes, while considering that all modes of the Tank are equally likely, are presented in Table 5.

Table 5. Normalized conditional probabilities for Tank: P (Mode | States of Functions)

Probability calculation at the component level

After the probabilities for the component modes for the inference in the direction descending from a higher level of abstraction to a lower level have been computed, the conditional probability for the component mode(s) given functional state(s) – IPRC – and the observed parameters – OP – including component modes and states of physical variables are known at the lower level. For this level, both the IPRC and OP can be treated as OPs, as both of them are known at this point of calculation. This subsection deals with the calculation of the probability at the component level. The parameters in the lower level of a trajectory include modes of components and states of physical variables. The physical variables at the output side (following the system’s configuration, i.e., in the forward direction) of a component and the input side of a component (Figure 2) are referred to as output physical variables and input physical variables, respectively. The conditional probability of the modes of components and states of physical variables in the trajectory given observable-variables, that is, $ \boldsymbol{P}\left({m}^{All}.{q}^{con}.{q}^{inp}\;|\;{q}^{obs\bigoplus \mathit{\operatorname{inf}}}\right) $ .

Using Baye’s theorem and invoking the tautology of initial condition, the RBRs are interpreted in terms of probability as: $ {m}^{obs}\to \left({q}^{obs\bigoplus \mathit{\operatorname{inf}}}\cap {q}^{con\bigoplus inp}\right)\equiv \boldsymbol{P}\left({q}^{obs\bigoplus \mathit{\operatorname{inf}}}\cap {q}^{con\bigoplus inp}\;|{m}^{obs}\right)=1 $ , and assuming independence between modes of different components, output physical variables of different components, and input physical variables of different components, we obtain:

(12) $$ \boldsymbol{P}\left({m}^{All}.{q}^{con}.{q}^{inp}\;|\;{q}^{obs\bigoplus \mathit{\operatorname{inf}}}\right)=\left[\prod \boldsymbol{P}\left({m}^{All}\right)\;\right]\;\left[\prod \boldsymbol{P}\left(\;{q}^{inp}\right)\;\right] $$

Similarly, the expression obtained when the given condition comprises observed-modes:

(13) $$ \boldsymbol{P}\left({m}^{con}.{q}^{All}\;|\;{m}^{obs\bigoplus \mathit{\operatorname{inf}}}\right)=\left[\prod \boldsymbol{P}\left({m}^{con}\right)\;\right]\;\left[\prod \boldsymbol{P}\left({q}^{inp}\right)\;\right] $$

and, the expression obtained when the given condition comprises observed-modes and observed-variables:

(14) $$ \boldsymbol{P}\left({m}^{con}.{q}^{con}.{q}^{inp}\;|\;{m}^{obs\bigoplus \mathit{\operatorname{inf}}}.{q}^{obs/\mathit{\operatorname{inf}}}\right)=\left[\prod \boldsymbol{P}\left({m}^{con}\right)\right]\;\left[\prod \boldsymbol{P}\left({q}^{inp}\right)\;\right] $$

The probabilities defined in Eqs. (12)–( 14) are for an individual trajectory, $ P(Trajectory) $ . The terms on the right-hand side of these equations are the required input for the analysis. The values for these parameters can be obtained from the operational history, design specifications, expert opinion, regulatory requirements, and so forth. A relative weight of a branch is obtained by normalizing the probability of an individual branch, using the following expression:

(15) $$ P(Trajectory)=\frac{P(Trajectory)}{{\sum \limits}_{\#}P\left( Branch\#\right)},\#\mathrm{is}\ \mathrm{the}\ \mathrm{index}\ \mathrm{of}\;\mathrm{a}\;\mathrm{trajectory} $$

Demonstration of the method

In this section, we refer to the case study system as presented in Mansoor et al. (2023). It may be noted that the conclusions mentioned in this section are not an exhaustive list of all the lessons learned from the analysis. Moreover, the modeling of the sample system(s) can be enhanced by capturing more details of the underlying physics and by incorporating more failure modes.

Simplified secondary loop of a pressurized water reactor (PWR)

A simplified secondary PWR loop was described to demonstrate BLIPS in [20], as shown in Figure 5. The secondary loop of a PWR receives the energy generated by nuclear fission in the reactor core (primary loop) through the intermediary component called the Steam generator (SG).

Figure 5. Simplified secondary loop of PWR [20].

The SG acts like a heat exchanger, which transfers heat from the primary coolant on the primary side to the feed water on the secondary side while maintaining physical separation between both sides. The feed water enters the SG and is then converted into steam during the process of heat transfer, which is then used to rotate the turbine for the production of electricity by an electrical generator. The steam is transferred to the condenser after passing through the turbine. The condenser removes the residual heat from the steam and converts it back from a gaseous state to a liquid state, that is, feed water. The feed water is pumped back into the SG by the pumps after passing through the feed water control valve (FV) and pipe sections. It was assumed that at least one pump should be in nominal working mode to maintain normal flow. The nominal mode of a pump refers to the operating mode when the output pressure is increased by the pump to the desired pressure, and output pressure not changed (OPNC) refers to the mode when the pump fails to increase the pressure but retains the same pressure as the input. The pressure of the feed water is increased in multiple stages by the different pumps; a similar representation is depicted by the multiple pumps in the simplified loop. As the name suggests, the FV is intended to control the flow rate of feed water into the SG. The flow rate of feed water should be adjusted in such a way that ensures enough feed water flow to remove an adequate amount of heat from the primary coolant to prevent reactivity and pressure transients due to overcooling and undercooling of the primary loop. The major functions of the secondary loop are listed below:

1. i. “Generate steam” – Conversion of feed water into steam in the SG.

2. ii. “Transfer Fluid” – Transferring the steam or water through the pipe sections.

3. iii. “Condensate Steam” – Conversion of steam into feed water in the Condenser.

4. iv. “Regulate Fluid Flow” – Control the flow rate of the fluid in the loop using valves.

5. v. “Increase Fluid Pressure” – Increase the pressure of the fluid in the circuit using pumps.

6. vi. “Transform Energy” – Conversion of energy from steam into the rotational motion of the turbine shaft.

The reader is referred to Mansoor et al. (2023) for the detailed system model, assumptions, constraints, and implementation of BLIPS. The loop is assessed for the failure of the function “Generate Steam” while the function “Condensate Steam” was operating. The functions “Generate Steam” and “Condensate Steam” are performed by the components SG and “Condenser”, respectively. The SG was presumed to have failed with the mode “Under heat and Output flow low” (UH and OFL). UH and OFL refer to the condition when there is not enough heat being supplied to the SG to convert the feed water into steam to meet the demand at the turbine. The situation when the steam generation has been reduced also accompanies the mismatch between the flow rates of the steam flowing out from the SG as compared to the feed water entering the SG. The resulting trajectories for the assumed functional conditions were generated using BLIPS, which add up to a total of 240 valid trajectories, as shown in Table 6.

Table 6. Trajectories for the assumed initial condition of the simplified secondary loop of PWR (CND: condenser; CNP: condensate pump; FP: feed pump; FTC: failed to close, FV: feedwater control valve; OPL: output pressure lower than input; OPNC: output pressure not changed; SG: steam generator; UH and OFL: underheat and output flow low)

Analysis

As discussed above, an adequate flow of feed water is necessary for both the production of steam for the generation of electricity and to avoid transients in the primary loop. When sufficient head is available from the pumps, the control of the feed water flow rate into the SG is primarily dependent upon the FV and the pipe sections. To study the effect of the parameters that affect the feed water flow when the “Condensate Pump” (CNP) and the “Feed Pump” are in the nominal and OPNC modes, respectively, let us define modes of the FV and Pipe-sections as controlled variables. The relevant trajectories for this study would be 48 out of the total of 240 valid trajectories when the function “Generate Steam” is lost, and “Condensate” steam is operating. The probabilities of some trajectories for the aforementioned conditions are given in Table 8. It may be noted that the algorithm for the deductive analysis terminates the impossible trajectories. Some representative trajectories of these invalid trajectories are shown in the table. The invalid trajectories include the scenarios that are not possible, given the imposed initial condition. For this study, the FV cannot hold any such mode which brings the flow in the secondary loop to zero, as the initial condition assumes that there is a flow at the output of the SG. Similarly, none of the pipe sections can be in Burst mode, as this would reduce the flow to zero in the loop. Upon observing that certain modes of the components are invalid – that is, no valid trajectory exists containing that mode – the prior probabilities of the component modes should be normalized to take into account the observation that certain modes of the components are improbable. The prior probabilities of the component modes and the updated probabilities are shown in Table 7.

Table 7. Probabilities of pipe sections and valve for the simplified secondary loop of a PWR

Table 8. Normalized conditional probability of the simplified secondary loop given the functions Generate Steam Lost and Condensate Steam Operating (CND: condenser; CNP: condensate pump; FP: feed pump; FTC: failed to close; FV: feedwater control valve; LK: leak; NOM: nominal; OPNC: output pressure not changed; SG: steam generator)

To reduce the number of variables involved in the calculations and observe the overall result in terms of particular parameters, the probabilities that a pipe would be in a given mode are defined in terms of the probability of the pipe mode “Leak,” and for the valve, the probabilities of the modes are defined in terms of valve mode “fail to close (FTC).” The lower and the upper probability bounds for the Pipe mode “Leak” and Valve mode “FTC” are reasonably set to 2E-5 to 2E-2 and 1E-5 to 4E-2, respectively.

In Table 8, it may be noted that the modes of the SG and Feed pump are the OPs, which are “Low flow and Underheat” and “Output pressure not increasing,” respectively. The trajectories 01, 02, 03, 05, 17, and 25 have a relatively high probability when compared to the other trajectories. These trajectories have either one of the pipe sections or the valve in failure mode, while the rest of the controlled parameters are in nominal mode. Therefore, the probability of these trajectories is higher owing to the higher prior probability of nominal modes. The normalized probability for some representative trajectories out of the total of 48 trajectories is shown in Figure 6.

Figure 6. Representative trajectories of the simplified secondary loop of a PWR for the assumed scenario.

The modes of all the components in Trajectory no. 01 are nominal, other than the SG; the SG is assumed to be in a failure mode as an initial condition. This trajectory refers to a single-failure (failure of SG) leading to the failure of the function of Generate Steam. On the other hand, trajectories 02, 03, 05, 17, and 25 infer that at least one of the controlled parameters is in a failure mode. The scenarios portrayed in these trajectories depict the occurrence of at least one more failure other than the failure of the SG, that is, either a leak in a pipe section or an FV. The probability of the occurrence of such a scenario can be reduced by reducing the prior probability of the controlled parameters. For instance, the plot for trajectory no. 02 (Figure 6) shows that the likelihood of the trajectory is the lowest when the probability of the pipe being in the leak mode is at its lowest. The trajectories with their pipe section(s) in a leak mode and their valve in a fail-to-close mode reach their highest probability value as the probability of pipe leak and valve fail-to-close approach their maximum values. The minimum probability of failure for such trajectories is toward the lower values of the probabilities of the controlled parameters. This forms a plane of minimum values. For example, trajectory 18 shows this behavior because it has two components in failure mode, that is, pipe section no. 4 in leak mode and FV in FTC mode. On the contrary, the likelihood of trajectory 17 increases with the increasing probability of FV being in FTC mode only, as it does not include a pipe section in leak mode.

As we are studying the impact of the components, pipe sections, and feed control valve for the assumed functional failure. We consider the 47 trajectories after excluding trajectory no. 01 because it does not include any controlled parameters in a failure mode. Upon aggregating the 47 trajectories, a three-dimensional plot of the linear combination of the trajectories is shown in Figure 7. The figure shows that the minimum value of the probabilities of the failure mode of the components is of the order of 10⁻⁵, which is toward the lower end of the interval of the probabilities that are specified for the pipe sections and the valve. Furthermore, it is evident that the amplitude of the rising edge on the “FV in FTC mode” axis is notably lower compared to that on the “Pipe sections leak mode” axis. This indicates the higher relative significance of the “Transfer Fluid” function and its associated pipe sections over the “Regulate fluid” function and the feedwater control valve. This discrepancy can be attributed to the increased likelihood of pipe failures due to the presence of multiple sections, as opposed to failures in the FV, which are given by prior probabilities. Moreover, the increased probability of pipe section leaks when the FV is in FTC mode significantly enhances the likelihood of this scenario compared to the situation where the probability of the FV being in FTC mode is increased while the probability of pipe section leaks is at its maximum. This represents the greater importance of pipe sections in this context. Nevertheless, it is inferred that the overall probability of losing the “Generate steam” function is of the order of 10⁻¹ for this system configuration when considering the mentioned prior probabilities.

Figure 7. Aggregated representation of 47 trajectories for the function “Generate Steam” in Lost state.

Even though we knew that the SG was in a failure mode (Underheat and Low output flow), which may give an initial impression that there is a leak in SG, causing the mismatch between the input and output flows. However, the analysis shows that even if the possibility of SG leak has been remedied, the functions Transfer fluid and Regulate Fluid can also be a contributor to the loss of the function Generate Steam. Further, the significance of the Transfer Fluid function over the Regulate Fluid is attributed to the possibility of multiple pipe-section failures. As Transfer Fluid and Regulate Fluid are associated with the loss of Generate Steam, lowering the probability of the pipe being in the Leak mode and FV in failure modes will reduce the probability of losing Generate Steam. The following are some sample recommendations for improvement that can be drawn up based on the analysis:

1. i. As seen in Figure 7, the likelihood of losing the function Generate Steam is at its highest when the likelihood of failure for the valve and the pipe sections is the highest. This means that the failure being analyzed is most likely when both components fail simultaneously. Therefore, routine inspection should be conducted on the components to avoid their simultaneous failure and/or redundancy may be used in the loop to reduce the risk.

2. ii. A restriction should be imposed on the conditions of operation, such that the power plant should be brought to lower power or in a safe shutdown condition, when one of the two functions, Transfer fluid or Regulate Fluid, is found to be lost.

3. iii. As it is inferred that the function Transfer Fluid contributes relatively more as compared to Regulate Fluid to the failure of the function Generate Steam. Therefore, an alternate route of feedwater injection should be in place at the input of the SG to compensate for the loss of feedwater in the closed loop in case of the unavailability of the main feeding channel to bring the system to a safe state. Moreover, in order to detect that an incidence of failure for the Generate Steam is associated with pipe sections, flow rate monitoring should be ensured.

4. iv. As shown by trajectory no. 1, a single failure of the SG has the highest likelihood of causing the loss of the function Generate Steam, even when all other functions and components are normal. Therefore, the component should be manufactured in accordance with standards of a higher safety class ensuring a lower probability of single failure.

5. v. The aggregated probability from the 47 trajectories of failure for losing the function Generate Steam is of the order of 10^–1, which is quite high for such systems. It should be reduced by reducing the component’s probability of being in the failure mode, that is, the prior probability.

The bases for the recommendations are the dependency of the function Generate steam upon the function Transfer fluid, and the varying likelihood of the failure in relation to the probability of modes of the Pipe and the Valve, which are obtained from BLIPS and the PA, respectively. These bases cannot be easily obtained by manually analyzing a complex system. Probabilistic augmentation of BLIPS’ trajectories allow insights about how the probability of failure varies in relation to the change in probabilities of other system parameters (even beyond the three dimensions shown in Figures 6 and 7), these relationships would be difficult to deduce with a manual analysis.

Discussion

The probabilistic view enables the user to assess the state space by declaring some parameters as OPs and observing the effect of the controlled parameters on the overall trajectory. The probability of the controlled parameters can be selected as a numerical value or an interval of probabilities to understand their effect on a trajectory. The impossible trajectories are terminated during the deduction process; therefore, their contribution is not present in the probabilistic overlay of the results. Furthermore, it may be noted that the analysis does not require high fidelity simulator for the analysis, which significantly reduces the computational resources needed for the analysis. SMT solvers are generally faster than high-fidelity numerical solvers for tasks like verification and constraint solving, as they leverage symbolic reasoning to resolve logical queries in seconds to minutes for large-scale problems, such as billions of queries processed annually in systems like AWS Zelkova (Backes et al., 2018). In contrast, numerical methods, for example, in the domain of computational fluid mechanics, thermal hydraulics, particle transport, and so forth, often require hours to days on powerful computers for large datasets due to their iterative and complex mathematical operations.

The inference drawn from the case study may seem plausible through brainstorming; however, the utility the method increases with increasing degrees of freedom (controlled parameters) when the complexity of the problem limits our ability to reason analytically. Further, it is worth mentioning that analyzing successful conditions instead of imposing an initial condition of failure can also provide valuable insights into system functionality and component reliability when the system is operating optimally. This approach can help identify parameters that may require less emphasis in terms of manufacturing and backup resources, thereby potentially reducing costs. On the other hand, one may wonder about the effectiveness of the method for more complex systems with more components. It is worth mentioning that Gao et al. (2020) classified a majority of AP1000 nuclear power plant’s components into 16 types for analysis. Using the mentioned classification, an analyst needs to define 16 BRs for analysis using BLIPS. Moreover, as the libraries for failure logic and BRs evolve, the effort required for modeling will reduce significantly.

The extent of a trajectory is defined by the analyst, depending on the analysis being performed. It may encompass the entire system or a part of it. Moreover, the controlled parameters can be selected at any level of abstraction. Similarly, the number of levels of abstraction is the choice of the analyst. The probability of a trajectory represents the conditional joint probability of events in the trajectory, given that the initial condition has been observed. It is worth noting that when the mode of a component is known, we assume that the functional states are conditionally independent of each other given a mode of the relevant component.

Various combinations of controlled variables can be experimented with to gain deeper insights and draw more conclusions. However, including a large number of controlled parameters in a system can hinder analysts from effectively visualizing the data. Challenges arise in representing results when attempting to visually display all parameters concurrently during analysis. Therefore, trade-offs are necessary to restrict the degrees of freedom in visual data analysis. A gradient descent algorithm (Désidéri, 2014) can be used to determine the minimum values of the controlled parameters. Further research is required on the use of machine learning algorithms specific to BLIPS, for example, the results of the 48 trajectories of the PWR loop can be subdivided into different categories, where one group has higher importance than the other; this would become a bilevel optimization problem (Colson et al., 2007; Sinha et al., 2018; Liu et al., 2022). Furthermore, there is significant research potential to further extend the method and explore temporal relationships among the trajectories for an assumed failure and among the trajectories of different assumed failures. This can help in better understanding the underlying mechanisms of failure occurrences and their interconnections. However, the inference of the improvements based on the results is the job of the analyst.

While concluding from the results, it should be kept in mind that the trajectories with more components in a nominal mode have a higher weight as compared to the trajectories that have relatively more components in modes other than nominal due to the fact that the probability of components being in nominal mode is generally higher than being in a failure mode. Therefore, out of the 48 trajectories, the highest and the lowest weights in the case study are associated with trajectory no. 01 and 40, respectively. Trajectory no. 01 has the highest weight because it comprises nominal modes of the controlled component modes, which have a higher likelihood. Conversely, trajectory no. 40 comprises the failure modes of all the controlled component modes, which is very unlikely to happen. This representation is highly valuable when used with operational data or component testing records. Nevertheless, in contrast, the sensitivity analysis offers a detailed perspective when faced with scarcity of such information.

Conclusion

In this article, Probabilistic Augmentation (PA) has been introduced to quantify the results of failure analysis obtained from the method (BLIPS) described in Mansoor (2023) and Mansoor et al. (2021, 2023, 2024), jointly referred to as BLIPS-PA. BLIPS-PA employs qualitative physics and symbolic AI for causal inference, and fuzzy logic and probability theory for PA. This method allows automated causal inference guided by the physics of the system, allowing the user to make design-related decisions at the early stages of design – particularly, decisions related to safety – by observing the valid states of the system along with their likelihood of occurrence. Notable advantages of BLIPS-PA are validation of the entire state space; the ability to conduct failure analysis at a conceptual design stage without high-fidelity process simulators leading to less computational burden; inherent causal inference alleviates the challenges due to scarcity of data; formally proven results; captures the fuzzy nature of the real world; probabilistic insights; allows multiple levels of abstraction; and automatic termination of invalid failure trajectories.

The application of the method has been demonstrated using a simplified secondary loop of a PWR-type nuclear power plant for the function Generate Steam being Lost while the function Condensate Steam is Operating. It was learned that for the 48 failure trajectories, one pump has to be in a failure mode and one pump in a nominal mode. It may be noted that any trajectory involving a pipe section in the closed loop, operating in pipe mode “burst” mode with the feed valve either in “Nominal close” or “Fail to open” positions, was terminated by the algorithm. Moreover, it was learned that a single-failure of the SG may be the sole cause of the assumed failure. Furthermore, the loss of the function Transfer Fluid also contributes to the loss of function Generate Steam, while Generate Steam has a significant chance of being lost due to a fault in the SG without the contribution of pipe leaks or a valve leak. Based on the observations, a few recommendations were made to improve the design.

The method can be used to model any system in terms of qualitative physics as long as the underlying phenomenon is understood. However, at the current development stage, libraries defining the physics model for components and systems are not available, which requires the analyst to model the underlying physics. The current focus of BLIPS-PA is primarily on the steady-state analysis of a system. Further research is underway for enhancement of the method, including, integration of temporal aspects to enhance the depth of insights obtainable through this method; detailing of a procedure for analyst for providing the prior probabilities based on design specifications, operational history of similar systems, regulations, or engineering judgment; leveraging artificial intelligence and machine learning to assist in drawing conclusions and extracting detailed insights from the analysis, which could be otherwise difficult for analysts to draw manually; and integrating the proposed PA method with other statistical and qualitative approaches.