A Bow-Tie BAsed risk frAmework inTegrATed wiTh A BAyesiAn Belief neTwork Applied To The proBABilisTic risk AnAlysis

The use of probabilistic risk analysis in the jet engines manufacturing process is essential to prevent failure. It has been observed in the literature about risk management that the standard risk assessment is normally inadequate to address the risks in this process. To remedy this problem, the methodology presented in this paper covers the construction of a probabilistic risk analysis model, based on Bayesian Belief Network coupled to a bow-tie diagram. It considers the effects of human, software and calibration reliability to identify critical risk factors in this process. The application of this methodology to a particular jet engine manufacturing process is presented to demonstrate the viability of the proposed approach.


inTrodUcTion
Despite the impressive level of safety of today's aviation system, the accident rate has to be decreased still further.The main reason for that is the projected growth in air traffic movements (Aleet al., 2006).If the accident rate does not decrease, the growth of air traffic will inevitably lead to an increase in the absolute number of accidents regarded by many as unacceptable (Ale et al., 2006).This justifies the search for ways to actively pursue an increase in the jet engines manufacturing safety level by introducing integrated risk assessments and probabilistic risk analysis as an integral part of the manufacturing process.
The traditional method of assessing the system correctness relies on testing and simulation techniques.In simulation, the aim is to capture the system behavior and verify the correctness of the system by simulating different scenarios one by one using a model (Lahtinen et al., 2012).In order to be effective, a risk model should properly represent the interaction among human operator, software, hardware and environment and be able to capture the dependencies between system components.Safety Supervision, Safetyoriented Working Environment and system of Incentives and Penalties should be considered implementation priorities to improve overall performance in an organizational safety culture (Fu et Chan, 2013).Decision making should consider safety and operational risks.One of the most critical issues that every decision maker needs to face is the risk in association with the decisions to be finalized and the actions to be taken.(Lee et al., 2010).
The management of risks integrated with the operations of manufacturing is a huge challenge.However, it reduces accidents (Petersen, 2000) and improves productivity and the economic and financial performance of the company (Rechenthin, 2004).Systemic defects have become the major cause of most aviation accidents.While there has been a dramatic increase in the reliability of machines and computers over the years, the reliability of safety systems has not improved at the same pace.(Liou et al., 2008).The root cause of many disasters originates in maintenance workshops and in the factories, where vital components and systems have been produced (Janic, 2000).The bow-tie technique is suitable to build a model to be used as a tool in management decisions .It is important that the managers and their support teams be familiar with the value and application of these methods.The knowledge of experts in the process of jet engines manufacturing can be used to estimate the probability of engine failure.The information obtained from these experts should be combined in a formal way.Recent articles on human reliability claim that formal procedures are increasingly applied to elicit the opinion of specialists, especially when the quality and transparency of results are important.The goal of these formal methods is to achieve consensus in the ratings as a result.If the data are obtained systematically from well-informed experts in primary and secondary processes, the opinion of experts can offer acceptable precision in quantification.
Modeling is important to support midterm planning and decision making.The main strength of the modeling for companies lies in its ability to support decision processes in an iterative way (Nieuwenhuyse et Mahihenni, 2014).In the analysis process, the common problems faced are the lacking of required information and the accuracy of the information.Thus, it is necessary to have a systematic procedure to record the information for analysis.Still, the developed information collection system should be user friendly so that it is applicable in practical (Ding, Kamaruddin et Azid, 2014).
Considering the context presented above, this paper aims to present a proposal for probabilistic risk analysis based on bow-tie methodology combined with Bayesian Belief Network to analyze critical activities that can affect the reliability of the safety system in the manufacturing of jet engines.The research was focused on two main points.The first was the definition of the methodology to build a model based on fault tree, event tree, bowtie chart and Bayesian Belief Network.The second was the application of the model on a jet engines manufacturing process.The structure of the paper is divided into 5 chapters.The first section is the introduction highlighting the importance of probabilistic risk analysis in the jet engines manufacturing process.The second section presents the context and a brief description of techniques fault tree, event tree, bowtie chart and Bayesian Belief Network.The third section presents the methodology, the phases and the steps followed to build the model.The fourth section describes the application of the model to the jet engine manufacturing process.The fifth section presents the discussion of the results and the sixth and last sections presents the conclusion of the research.

BAckgroUnd And conTexT
Causal modeling using a bow-tie chart is a powerful tool for getting insight into the interdependencies between the constituent parts of complex system such as the manufacturing of jet engines.As far as safety is concerned, the propagation of fault situations in the engine manufacturing process can be modeled and followed.Weaknesses in protection against fault propagation can be systematically determined.The power of causal modeling can be greatly enhanced if probabilities and logical dependencies can be quantified (Nureg, 2001).Quantification has limitations mainly related to complexity of model and scarcity of data (Pasman, 2013).These limitations may be overcome by expert's elicitation of probabilities.
By using causal models, the effect of safety measures or, conversely, the breach of safety barriers, can be quantitatively evaluated allowing comparisons between alternatives and cost benefit considerations.Many accident models have been suggested in the scientific literature; the underlying concept is the same: accidents result from a combination of factors, such as design errors, mechanical failures, software errors, user errors and organizational or regulatory factors (Marais et al., 2012;Ale et al., 2006).Causal models establish the theoretical framework of causes that might lead to engine failure and aircraft accidents.Causal models of assessment of risk and safety of aircraft operations establish the theoretical framework of causes that might lead to aircraft accidents (Netjasov et Janic, 2008).Methodologies for measuring complexity will assist designers in analyzing and mitigating the risks associated with product variety and its impact on manufacturing (Kamrani et al., 2011).
By estimating the probability of occurrence of each cause it is possible to predict the risk of accident.This can be restricted to pure statistical analysis based on available data or it can combine such data with expert judgments of causes (Nureg, 2001).The framework of a causal model can combine Fault Tree Analysis -FTA, Event Tree Analysis -ETA, bow-tie Analysis and Bayesian Networks -BBN to estimate the probability of occurrence of each cause and thus predict the risk of failure of an engine.Based on causal scenarios derived from hazardous events, use of safety goals and risk uncertainty calculations are essential (Kumamoto, 2012).Pereira and Lima (2012a, c, d) describe some factors to be considered in the analysis.Table 1 presents the result of an in depth research about the techniques normally used for causal modeling.The latest papers (A), books (B), regulations and standards (N) about the subject make reference to the use of fault trees, event trees, "bow-tie", human reliability analysis and Bayesian Networks for causal modeling.(2000) the management of hazards and their effects, through the application of a process called Hazard And Effect Management Process, which at its core produces bow-tie diagrams, describes the various hazards that can occur and the existing process and equipment controls to prevent these from occurring, or reducing the impact were these hazards to cause a loss event.Bow-tie analysis can be used for both qualitative and quantitative risk assessments in complex situations.A bow-tie chart is used to show the combination of a fault tree on the left and an event tree on the right.Fig. 1 shows the fault tree connected via the top event named TE to the event tree.  1, the left side of a bow-tie diagram resembles a Fault Tree.The fault tree method was created in 1962 and quickly became popular in the nuclear and aviation industry.A fault tree uses Boolean AND/OR gates to model causal relationships between events (the method is mostly used to model the causality of unwanted events, but it is possible to model any kind of causal relationship).In order to quantify the event tree, the probabilities of occurrence of the initial event and the success or failure of the reactive layers are considered.Considering that the fault trees are used to obtain the probability of a system failure, the fault tree may be combined with the event tree to form a bow-tie diagram.The pivot event is the final failure event obtained with the fault tree and the initial event for the event tree.The pivot event may occur or not, which leads to different final situations.Each path through the diagram is a scenario.A bow-tie based model employs the combined fault tree and event tree and allows the representation of several scenarios.
The bow-tie method is most often used for the analysis of Major Hazard Scenarios in which the consequence spectrum is so bad that keeping control over these Hazards is of major importance, regardless of the actual probability of the consequences.Fortunately there is little accurate information available about the frequency of these worstcase-scenario consequences.Bow-tie models are tools for integrating broad classes of cause-consequence models.The familiar fault tree and event tree models are 'bow tied' in this way; indeed, attaching the fault tree's top event with the event tree's initiating event originally suggested the bow-tie terminology.However, any other cause and consequence models can be used as well (Ale et al., 2006).

Bayesian network modelling
Bayesian Networks, also called Bayesian Belief Networks (BBNs), have become an increasingly popular part of the risk and reliability analysis framework due to their ability to incorporate qualitative and quantitative information from different sources, to model interdependency, and to provide a causal structure that allows probability risk analysis practitioners to gain deeper insight into risk drivers and into specific interventions that reduce risk (Mosleh 1992;Rechenthin, 2004).A Bayesian network is a powerful tool for various analyses (E.g.: inference analysis, sensitivity analysis, evidence propagation, etc.) Sutrisnowati et al., 2014).There has been an increasing trend in the literature and in the application of Bayesian networks in fields related to reliability, safety and maintenance (Mahadevan et al., 2001;Weber et al. 2012).Bayesian approaches to aggregate expert judgments on probabilities have been extensively investigated in risk and reliability analysis (Podofillini, Dang, 2013, Mosleh, 1986;Droguett et al., 2004).BNs provide a framework for addressing many of the shortcomings of human reliability analysis from a researcher perspective and from a practitioner perspective (Groth, Swiler, 2013, Boring et al., 2010).External human performance factors depend on company, society and technology (Calixto et al., 2013).The human reliability analysis is a systematic framework, which evaluates the process of human performance and the associated impacts on structures, systems and components for a complex facility (Cepin, He, 2006, Cepin, 2007).
There are many varieties of Bayesian analysis.The fullest version of the Bayesian paradigm casts statistical problems in the framework of decision making.It entails formulating subjective prior probabilities to express pre-existing information, careful modelling of the data structure, checking and allowing for uncertainty in model assumptions, formulating a set of possible decisions and a utility function to express how the value of each alternative decision is affected by the unknown model parameters.Due to their ability to incorporate qualitative and quantitative information from different sources, Bayesian Networks (BNs), also called Bayesian Belief Networks (BBNs) have become an increasingly popular part of the risk and reliability analysis framework to model interdependency, and to provide a causal structure that allows probability risk analysis practitioners to gain deeper insight into risk drivers and into specific interventions that reduce risk (Mosleh, 1992;Rechenthin, 2004).Over the last decade, bibliographical reviews in the state of the art literature have focused on the use of Bayesian networks on dependability, risk analysis and maintenance.It shows an increasing trend of the literature to address the application of Bayesian networks in fields related to reliability, safety and maintenance (Mahadevan et al., 2001;Weber et al., 2012).The node represents random variables and arcs represent direct dependency between variables relations.The arcs direction represents cause effect relation between variables.Fig. 2 represents the Bayesian Network, being node H consequence from causes T and P. In Figure 2, nodes T and P are fathers of H and are called ancestral of H.In Human Reliability analysis, for example, the Nodes T and P represents performance human factors and node H represents human error probability conditioned to human performance factors T and P. In each node there is a conditional probability table, which represents variables.General equation ( 1) represents the probability of occurrence of variable H conditioned to the occurrence of variables T and P.
(1) Equation ( 2) estimates the probability of variable H becoming true, conditioned to variables P and T being true or false. (2) In human reliability, the Bayesian belief networks (BBN) methodology provides a greater flexibility as it not only allows for a more realistic representation of the dynamic nature of man and system, but also allows for the use of a methodology to represent a relationship of dependence among the events and performance shaping factors.

indUsTry ApplicATion: proBABilisTic risk AnAlysis of JeT engine fAilUre
The operational system in jet engine manufacturing process needs to represent the causes of failure and their respective consequences.For this reason, a single representation of a scenario, with a cause-consequence diagram, is employed.This scenario considers the factors affecting human failure, software failure and calibration failure as related to engine failures.This cause-consequence method involves visualizing the possible alternative sequences composed by factors affecting human failure, software failure and calibration failure, and allows the undesirable event probabilities to be calculated from the factors affecting basic event probabilities.Application of a structured qualitative process risk analysis methodology, such as the Probabilistic Risk Analysis (PRA) allows quick identification and evaluation of the main risks of installations (Esteves et al., 2005).To identify the specific details, possible causes or contributing factors of risk events in the jet engines manufacturing process the entire process need to be mapped out and a qualitative risk analysis performed.
Figure 3 shows the process map and the pivotal event, which is the incorrect assembly of an engine.
Process 6 shown in Figure 3 represents the pivotal element.The building blocks of the flowchart shown in Figure 3 represent the critical processes of the jet engine manufacturing system.In order to identify the critical steps and factors of risk in an operational situation, as well as to apply modeling methodologies suggested by the literature, specific sequences were followed.The proposed methodology utilizes fault tree, event tree and Bayesian networks combined in only one model and applied in an operational situation.Figure 4 shows the sequence of phases proposed to build the model.In the first phase the causal model for application in the jet engine manufacturing process was conceived.To attain this objective, an in depth research was conducted, followed by a field research with experts in the process and then a detailed analysis of the data obtained against the applicable literature was performed in order to define the methodology to build the model to be used for the probability risk analysis.The result of this analysis is detailed in Pereira (2014b) an in Pereira . et al., (2014f, g).In the second phase the jet engine manufacturing process was mapped out and the pivot element was identified.The pivot event going in one of the directions, failure or non-failure was derived from the flow chart of the jet engine manufacturing process.In this specific model, the pivot event is the engine being manufactured with or without a defect.In the sequence, the fault tree was built with the sub-assembly processes and their respective preventive layers, then the event tree was built with the subprocesses and the reactive layers occurring after the pivot element.The fault tree and event tree are then combined to form the bow-tie chart.The last step in this phase is the preparation of Bayesian Belief Networks based on the primary risk factors and their interdependency.The bowtie chart and its application to jet engine manufacturing process are detailed in the paper entitled "Probabilistic Risk Analysis in Manufacturing Situational Operation" (Pereira, Lima, 2014g).In the third phase the probability of engine failure is estimated.The first step in this phase is to elicit the probabilities from experts, then populate the software with the elicited probabilities and adjust the model.The final step in this phase is to conduct sensitivity analysis to verify the accuracy and repeatability of the model.The result of the sensitivity analysis is being the object of a future paper in preparation.

resUlTs And discUssion
The fault-trees are constructed and quantified on the basis of the top event and expert opinion and a combination of different events causing the top event.These are connected by the logical gates and may have as many processes and preventive layers, as necessary, as shown in Figure 5.
Figure 5 represents different processes with their respective preventive layers.Each process may fail due to basic events related to failure of technicians in the execution process, software failure or calibration failure.These events are combined by the logical gate OR and the occurrence of any of the events will cause the occurrence of the process failure.The probability of failure of process 1 and preventive layer 1 is determined by Eq. ( 5), which is the combination of ( 3) and (4).all probabilities results in a probability of engine failure of 0.0079.This value was obtained assigning the probability of failure of 0.01 to all primary independent variables.
Figure 8 shows that the probability of engine failure is 0.0079.A failure in testing contributes with a probability of 0.1983, while a failure in compressor balancing has a probability of 0.0393.In the test failure, the human failure contributes with 0.0772, software failure with 0.0772 and calibration failure with 0.0582.The failure of assembling and balancing the compressor contributes with 0.1983.In the compressor assembly failure, the human failure contributes with 0.0772, the software failure with 0.0772 and calibration failure with 0.0585.The same happens to the failure of balancing.The final result is a probability of engine failure of 0.0079.

conclUsion
This paper presents a model that combines Fault Tree analysis, Event Tree analysis and Bayesian Belief Networks in an integrated model that can be used by decision makers to identify critical risk factors in order to allocate resources to improve the safety of the system.The result of this study adds to the body of evidence that the methodology for probabilistic risk analysis and causal model in jet engine manufacturing industry is feasible and the model is a powerful tool to be used by decision makers in the jet engine manufacturing industry.
The methodology for building the structure of the model, which is a causal model for probabilistic risk assessment in the manufacturing of jet engines, has been presented and consists of a procedure for the construction of the Bayesian belief network fault tree, event tree and bow tie in a situational operation.The single homogeneous structure of the model allows consistent handling of probabilities of the factors affecting engine failure and their interdependence.

Fig 1 -
Fig 1 -Bow-tie Diagram -Vesely (1981)Pereira et al., (2014e, f, g)  addressed the bow-tie diagram shown in Figure1, the left side of a bow-tie diagram resembles a Fault Tree.The fault tree method was created in 1962 and quickly became popular in the nuclear and aviation industry.A fault tree uses Boolean AND/OR gates to model causal relationships between events (the method is mostly used to model the causality of unwanted events, but it is possible to model any kind of causal relationship).In order to quantify the event tree, the probabilities of occurrence of the initial event and the success or failure of the reactive layers are considered.Considering that the fault trees are used to obtain the probability of a system failure, the fault tree may be combined with the event tree to form a bow-tie diagram.The pivot event is the final failure event obtained with the fault tree and the initial event for the event tree.The pivot event may occur or not, which leads to different final situations.Each path through the diagram is a scenario.A bow-tie based model employs the combined fault tree and event tree and allows the representation of several scenarios.

Fig. 3 .
Fig.3.Combination of a fault tree and event tree

Fig. 5 .
Fig.5.Processes and protective layers Each protective layer may also fail due to the same basic causes related to failure of technician in the execution process, software failure or calibration failure.The basic events originating the failure of the processes and preventive layers may be triggered by several different factors that may have interdependency.Assuming independence, these factors are combined by using BBN.Equation (3) determines the probability of failure of intermediate event (Process 1):

Fig. 7 .
Fig.7.Combination of a fault tree and event tree Equation 13 determines the probability of engine operational failure and combines all equations.

Fig. 8 .
Fig.8.Bayesian network of compressor assembly process Figure 8 shows an example of general Bayesian network obtained with the combination of specific Bayesian networks generated from the fault tree and event trees.The network represents the node "failure in compressor assembly", the node failure in compressor balancing" and the node "failure in engine testing".A Bayesian network software is used to run the model, the probability values obtained for the nodes are also shown in the Figure 8.The aggregation of

Table 1 -
Carr (2000)s referencing techniques for causal modelingTable1shows that the modeling techniques most referenced by authors in state of the art literature about probabilistic risk analysis are fault tree, event tree, bow tie and Bayesian networks.The following items describe these techniques in detail.2.1 Bow-tie modelingTrbojevic etCarr (2000)state that in the most known uses of the bow-tie technique, it is utilized as part of assessments undertaken with a view to reduce accidents based on equipment failure.According to Zuijderduijn