Description
Summary
When using "N ormore" to develop a probability of 2 of 4 failures or 3 of 4 failures, I noticed that 3/4 failures was returning a less reliable result than 2/4 failures, which didn't make sense. Failing when there are "4 or more" failures out of 4 units is even more nonsensical, as it returns a very unreliable number when it should be highly reliable.
Expected behavior
Actual behavior
I tested multiple K of N values for N=3 and 4. In each case the contributors had the same probability of failure, 1e-5.
| K of N | result | expected | correct? |
|---|---|---|---|
| 1 of 3 | 3e-5 | 3e-5 | yes |
| 2 of 3 | 3e-10 | 3e-10 | yes |
| 3 of 3 | 3e-5 | 1e-15 | NO |
| ------ | ------- | -------- | -------- |
| 1 of 4 | 4e-5 | 4e-5 | yes |
| 2 of 4 | 4e-15 | 6e-10 | NO |
| 3 of 4 | 6e-10 | 4e-15 | NO |
| 4 of 4 | 4e-5 | 1e-20 | NO |
| ------ | ------- | -------- | -------- |
Steps To Reproduce
```
package test_normore
public
	annex EMV2 {**
		error behavior Simple
			states
				Good: initial state;
				Failed: state;
		end behavior;
	**};

	system power_bus
		annex EMV2 {**
			use behavior test_normore::Simple;
			component error behavior
				events
					PowerBusFail: error event;
				transitions
					Good -[PowerBusFail]-> Failed;
			end component;
			properties
				EMV2::OccurrenceDistribution => [ProbabilityValue => 10.0e-6; Distribution => Fixed;] applies to PowerBusFail;
		**};
	end power_bus;

	system implementation power_bus.i
	end power_bus.i;

	system redundant_thing
	end redundant_thing;

	system implementation redundant_thing.i3_1
		subcomponents
			power_bus_1: system power_bus.i;
			power_bus_2: system power_bus.i;
			power_bus_3: system power_bus.i;
		annex EMV2 {**
			use behavior test_normore::Simple;
			composite error behavior
				states
					[ 1 ormore(power_bus_1.Failed, power_bus_2.Failed, power_bus_3.Failed) ]-> Failed;
			end composite;
		**};
	end redundant_thing.i3_1;

	system implementation redundant_thing.i3_2
		subcomponents
			power_bus_1: system power_bus.i;
			power_bus_2: system power_bus.i;
			power_bus_3: system power_bus.i;
		annex EMV2 {**
			use behavior test_normore::Simple;
			composite error behavior
				states
					[ 2 ormore(power_bus_1.Failed, power_bus_2.Failed, power_bus_3.Failed) ]-> Failed;
			end composite;
		**};
	end redundant_thing.i3_2;

	system implementation redundant_thing.i3_3
		subcomponents
			power_bus_1: system power_bus.i;
			power_bus_2: system power_bus.i;
			power_bus_3: system power_bus.i;
		annex EMV2 {**
			use behavior test_normore::Simple;
			composite error behavior
				states
					[ 3 ormore(power_bus_1.Failed, power_bus_2.Failed, power_bus_3.Failed) ]-> Failed;
			end composite;
		**};
	end redundant_thing.i3_3;

	system implementation redundant_thing.i4_1
		subcomponents
			power_bus_1: system power_bus.i;
			power_bus_2: system power_bus.i;
			power_bus_3: system power_bus.i;
			power_bus_4: system power_bus.i;
		annex EMV2 {**
			use behavior test_normore::Simple;
			composite error behavior
				states
					[ 1 ormore(power_bus_1.Failed, power_bus_2.Failed, power_bus_3.Failed, power_bus_4.Failed) ]-> Failed;
			end composite;
		**};
	end redundant_thing.i4_1;

	system implementation redundant_thing.i4_2
		subcomponents
			power_bus_1: system power_bus.i;
			power_bus_2: system power_bus.i;
			power_bus_3: system power_bus.i;
			power_bus_4: system power_bus.i;
		annex EMV2 {**
			use behavior test_normore::Simple;
			composite error behavior
				states
					[ 2 ormore(power_bus_1.Failed, power_bus_2.Failed, power_bus_3.Failed, power_bus_4.Failed) ]-> Failed;
			end composite;
		**};
	end redundant_thing.i4_2;

	system implementation redundant_thing.i4_3
		subcomponents
			power_bus_1: system power_bus.i;
			power_bus_2: system power_bus.i;
			power_bus_3: system power_bus.i;
			power_bus_4: system power_bus.i;
		annex EMV2 {**
			use behavior test_normore::Simple;
			composite error behavior
				states
					[ 3 ormore(power_bus_1.Failed, power_bus_2.Failed, power_bus_3.Failed, power_bus_4.Failed) ]-> Failed;
			end composite;
		**};
	end redundant_thing.i4_3;

	system implementation redundant_thing.i4_4
		subcomponents
			power_bus_1: system power_bus.i;
			power_bus_2: system power_bus.i;
			power_bus_3: system power_bus.i;
			power_bus_4: system power_bus.i;
		annex EMV2 {**
			use behavior test_normore::Simple;
			composite error behavior
				states
					[ 4 ormore(power_bus_1.Failed, power_bus_2.Failed, power_bus_3.Failed, power_bus_4.Failed) ]-> Failed;
			end composite;
		**};
	end redundant_thing.i4_4;
end test_normore;
```
Desktop (please complete the following information):
- OSATE version 2.15.0
- Ubuntu 22.04
Additional context
My belief is that "ormore" or Komore refers to the probability of the events occurring. In this context, the events are failures, but they are whatever they are. So if the events are power supply failures and there are 4, I might want to fail if 3 or more fail. In the referenced paper, p was the reliability and q = 1 - p, the unreliability. So there is a step in this implementation where it subtracts the probability from 1. It then does the same thing at the end. This is unnecessary. Because we are looking for the probability that something will happen, neither the inputs nor outputs should be converted. In the context of the paper, the author was looking for the "reliability", so he performed this conversion. Because of De Morgan's law this is apparently computing some kind of "AND LESS" function, but I don't think it's valid due to which sums are being added.
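A cross-check of the table in this report, as an added example (not part of the original issue and not OSATE code): it computes the exact "K or more of N" failure probability for independent units, the rare-event approximation C(N,K)·p^K behind the "expected" column, and reports which threshold each tool result actually equals. The function names are hypothetical; the reported figures are copied from the table above, and independence of the power bus failures is an assumption.

```python
from math import comb, isclose

P_FAIL = 1e-5  # per-unit failure probability used in the issue

def k_or_more_exact(k, n, p):
    """Exact P(at least k of n independent units fail), each with probability p."""
    return sum(comb(n, j) * p**j * (1 - p)**(n - j) for j in range(k, n + 1))

def k_or_more_rare(k, n, p):
    """Rare-event approximation: leading term C(n,k) * p^k (valid for p << 1)."""
    return comb(n, k) * p**k

# (k, n) -> value reported by the tool, copied from the table in the issue
REPORTED = {
    (1, 3): 3e-5, (2, 3): 3e-10, (3, 3): 3e-5,
    (1, 4): 4e-5, (2, 4): 4e-15, (3, 4): 6e-10, (4, 4): 4e-5,
}

def matching_thresholds(n, value, p=P_FAIL, rel_tol=1e-3):
    """Thresholds k' whose k'-or-more-of-n probability equals `value`."""
    return [k for k in range(1, n + 1)
            if isclose(k_or_more_exact(k, n, p), value, rel_tol=rel_tol)]

def audit(reported=REPORTED, p=P_FAIL):
    """One row per table entry: (k, n, reported, expected, thresholds matched)."""
    rows = []
    for (k, n), value in sorted(reported.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        expected = k_or_more_exact(k, n, p)
        rows.append((k, n, value, expected, matching_thresholds(n, value, p)))
    return rows

def is_monotone(n, p=P_FAIL):
    """Sanity property: raising the threshold k can never raise the probability."""
    vals = [k_or_more_exact(k, n, p) for k in range(1, n + 1)]
    return all(a >= b for a, b in zip(vals, vals[1:]))

if __name__ == "__main__":
    for k, n, value, expected, match in audit():
        print(f"{k} of {n}: reported {value:.1e}, expected {expected:.1e}, "
              f"reported value equals threshold(s) {match}")
```

Run over the table's figures, every result marked "NO" equals the expected value for threshold N-K+1 rather than K. The monotonicity check is a cheap regression test for any K-of-N gate evaluation.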